Configure ECDH parameters in connector
This commit is contained in:
Steven Fackler
parent
8c58ecc2fa
commit
677718f8da
|
|
@ -1043,6 +1043,7 @@ pub const RSA_PKCS1_OAEP_PADDING: c_int = 4;
|
|||
pub const RSA_X931_PADDING: c_int = 5;
|
||||
|
||||
pub const SSL_CTRL_SET_TMP_DH: c_int = 3;
|
||||
pub const SSL_CTRL_SET_TMP_ECDH: c_int = 4;
|
||||
pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14;
|
||||
pub const SSL_CTRL_MODE: c_int = 33;
|
||||
pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41;
|
||||
|
|
@ -1214,6 +1215,10 @@ pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long {
|
|||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void)
|
||||
}
|
||||
|
||||
pub unsafe fn SSL_CTX_set_tmp_ecdh(ctx: *mut SSL_CTX, key: *mut EC_KEY) -> c_long {
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, key as *mut c_void)
|
||||
}
|
||||
|
||||
pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long {
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,10 +2,24 @@ use ffi;
|
|||
use error::ErrorStack;
|
||||
use bio::MemBioSlice;
|
||||
use std::ptr;
|
||||
use std::mem;
|
||||
use std::ops::Deref;
|
||||
|
||||
use {cvt, cvt_p};
|
||||
use bn::BigNum;
|
||||
use std::mem;
|
||||
use opaque::Opaque;
|
||||
|
||||
pub struct DhRef(Opaque);
|
||||
|
||||
impl DhRef {
|
||||
pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef {
|
||||
&*(ptr as *mut _)
|
||||
}
|
||||
|
||||
pub fn as_ptr(&self) -> *mut ffi::DH {
|
||||
self as *const _ as *mut _
|
||||
}
|
||||
}
|
||||
|
||||
pub struct Dh(*mut ffi::DH);
|
||||
|
||||
|
|
@ -56,16 +70,22 @@ impl Dh {
|
|||
cvt_p(ffi::DH_get_2048_256()).map(Dh)
|
||||
}
|
||||
}
|
||||
|
||||
pub fn as_ptr(&self) -> *mut ffi::DH {
|
||||
self.0
|
||||
}
|
||||
}
|
||||
|
||||
impl Drop for Dh {
|
||||
fn drop(&mut self) {
|
||||
unsafe {
|
||||
ffi::DH_free(self.as_ptr())
|
||||
ffi::DH_free(self.0)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Deref for Dh {
|
||||
type Target = DhRef;
|
||||
|
||||
fn deref(&self) -> &DhRef {
|
||||
unsafe {
|
||||
DhRef::from_ptr(self.0)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -129,6 +129,7 @@ impl ServerConnectorBuilder {
|
|||
ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
|
||||
try!(ctx.set_tmp_dh(&dh));
|
||||
try!(setup_curves(&mut ctx));
|
||||
try!(ctx.set_cipher_list(
|
||||
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
|
||||
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
|
||||
|
|
@ -165,6 +166,22 @@ impl ServerConnectorBuilder {
|
|||
}
|
||||
}
|
||||
|
||||
#[cfg(ossl101)]
|
||||
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
||||
let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1));
|
||||
ctx.set_tmp_ecdh(&curve)
|
||||
}
|
||||
|
||||
#[cfg(ossl102)]
|
||||
fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
||||
ctx._set_ecdh_auto(true)
|
||||
}
|
||||
|
||||
#[cfg(ossl110)]
|
||||
fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// A type which wraps server-side streams in a TLS session.
|
||||
///
|
||||
/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
|
||||
|
|
|
|||
|
|
@ -89,7 +89,8 @@ use std::marker::PhantomData;
|
|||
use ffi;
|
||||
|
||||
use {init, cvt, cvt_p};
|
||||
use dh::Dh;
|
||||
use dh::DhRef;
|
||||
use ec_key::EcKeyRef;
|
||||
use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError};
|
||||
#[cfg(any(ossl102, ossl110))]
|
||||
use verify::X509VerifyParamRef;
|
||||
|
|
@ -498,12 +499,18 @@ impl SslContextBuilder {
|
|||
}
|
||||
}
|
||||
|
||||
pub fn set_tmp_dh(&mut self, dh: &Dh) -> Result<(), ErrorStack> {
|
||||
pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> {
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ())
|
||||
}
|
||||
}
|
||||
|
||||
pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> {
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ())
|
||||
}
|
||||
}
|
||||
|
||||
/// Use the default locations of trusted certificates for verification.
|
||||
///
|
||||
/// These locations are read from the `SSL_CERT_FILE` and `SSL_CERT_DIR`
|
||||
|
|
@ -623,6 +630,11 @@ impl SslContextBuilder {
|
|||
/// Requires the `v102` feature and OpenSSL 1.0.2.
|
||||
#[cfg(all(feature = "v102", ossl102))]
|
||||
pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
|
||||
self._set_ecdh_auto(onoff)
|
||||
}
|
||||
|
||||
#[cfg(ossl102)]
|
||||
fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> {
|
||||
unsafe {
|
||||
cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ())
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue