Merge pull request #845 from sfackler/ssl-version

Ssl version

openssl-sys/src/lib.rs

@@ -1307,6 +1307,11 @@ pub const SSL_SESS_CACHE_NO_INTERNAL_STORE: c_long = 0x200;
 pub const SSL_SESS_CACHE_NO_INTERNAL: c_long =
     SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE;
 
+pub const SSL3_VERSION: c_int = 0x300;
+pub const TLS1_VERSION: c_int = 0x301;
+pub const TLS1_1_VERSION: c_int = 0x302;
+pub const TLS1_2_VERSION: c_int = 0x303;
+
 pub const TLSEXT_NAMETYPE_host_name: c_int = 0;
 
 pub const TLSEXT_STATUSTYPE_ocsp: c_int = 1;
@@ -2374,6 +2379,7 @@ extern "C" {
     pub fn SSL_get_peer_cert_chain(ssl: *const SSL) -> *mut stack_st_X509;
     pub fn SSL_get_ssl_method(ssl: *mut SSL) -> *const SSL_METHOD;
     pub fn SSL_get_version(ssl: *const SSL) -> *const c_char;
+    pub fn SSL_version(ssl: *const SSL) -> c_int;
     pub fn SSL_state_string(ssl: *const SSL) -> *const c_char;
     pub fn SSL_state_string_long(ssl: *const SSL) -> *const c_char;
     pub fn SSL_set_verify(

openssl-sys/src/ossl110.rs

@@ -33,6 +33,10 @@ pub enum X509_ALGOR {}
 pub enum X509_VERIFY_PARAM {}
 pub enum X509_REQ {}
 
+#[cfg(ossl111)]
+pub type SSL_CTX_keylog_cb_func =
+    Option<unsafe extern "C" fn(ssl: *const SSL, line: *const c_char)>;
+
 pub const SSL_OP_MICROSOFT_SESS_ID_BUG: c_ulong = 0x00000000;
 pub const SSL_OP_NETSCAPE_CHALLENGE_BUG: c_ulong = 0x00000000;
 pub const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG: c_ulong = 0x00000000;
@@ -44,6 +48,9 @@ pub const SSL_OP_SINGLE_ECDH_USE: c_ulong = 0x00000000;
 pub const SSL_OP_SINGLE_DH_USE: c_ulong = 0x00000000;
 pub const SSL_OP_NO_SSLv2: c_ulong = 0x00000000;
 
+#[cfg(ossl111)]
+pub const TLS1_3_VERSION: c_int = 0x304;
+
 pub const OPENSSL_VERSION: c_int = 0;
 pub const OPENSSL_CFLAGS: c_int = 1;
 pub const OPENSSL_BUILT_ON: c_int = 2;
@@ -212,6 +219,10 @@ extern "C" {
             unsafe extern "C" fn(*mut ::SSL, *const c_uchar, c_int, *mut c_int) -> *mut SSL_SESSION,
         >,
     );
+    pub fn SSL_get_client_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
+    pub fn SSL_get_server_random(ssl: *const SSL, out: *mut c_uchar, len: size_t) -> size_t;
+    #[cfg(ossl111)]
+    pub fn SSL_CTX_set_keylog_callback(ctx: *mut ::SSL_CTX, cb: SSL_CTX_keylog_cb_func);
     pub fn X509_getm_notAfter(x: *const ::X509) -> *mut ::ASN1_TIME;
     pub fn X509_getm_notBefore(x: *const ::X509) -> *mut ::ASN1_TIME;
     pub fn X509_get0_signature(

openssl/src/ssl/callbacks.rs

@@ -4,6 +4,8 @@ use std::ffi::CStr;
 use std::ptr;
 use std::slice;
 use std::mem;
+#[cfg(all(feature = "v111", ossl111))]
+use std::str;
 use foreign_types::ForeignTypeRef;
 use foreign_types::ForeignType;
 
@@ -343,3 +345,19 @@ where
         None => ptr::null_mut(),
     }
 }
+
+#[cfg(all(feature = "v111", ossl111))]
+pub unsafe extern "C" fn raw_keylog<F>(ssl: *const ffi::SSL, line: *const c_char)
+where
+    F: Fn(&SslRef, &str) + 'static + Sync + Send,
+{
+    let ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
+    let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>());
+    let callback = &*(callback as *mut F);
+
+    let ssl = SslRef::from_ptr(ssl as *mut _);
+    let line = CStr::from_ptr(line).to_bytes();
+    let line = str::from_utf8_unchecked(line);
+
+    callback(ssl, line);
+}

openssl/src/ssl/mod.rs

@@ -475,7 +475,7 @@ fn get_new_ssl_idx<T>() -> c_int {
 }
 
 /// An error returned from the SNI callback.
-#[derive(Debug, Copy, Clone)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct SniError(c_int);
 
 impl SniError {
@@ -489,7 +489,7 @@ impl SniError {
 }
 
 /// An SSL/TLS alert.
-#[derive(Debug, Copy, Clone)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct SslAlert(c_int);
 
 impl SslAlert {
@@ -502,7 +502,7 @@ impl SslAlert {
 /// Requires OpenSSL 1.0.2, 1.1.0, or 1.1.1 and the corresponding Cargo feature.
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110),
           all(feature = "v111", ossl111)))]
-#[derive(Debug, Copy, Clone)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
 pub struct AlpnError(c_int);
 
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110),
@@ -518,6 +518,30 @@ impl AlpnError {
     pub const NOACK: AlpnError = AlpnError(ffi::SSL_TLSEXT_ERR_NOACK);
 }
 
+/// An SSL/TLS protocol version.
+#[derive(Debug, Copy, Clone, PartialEq, Eq)]
+pub struct SslVersion(c_int);
+
+impl SslVersion {
+    /// SSLv3
+    pub const SSL3: SslVersion = SslVersion(ffi::SSL3_VERSION);
+
+    /// TLSv1.0
+    pub const TLS1: SslVersion = SslVersion(ffi::TLS1_VERSION);
+
+    /// TLSv1.1
+    pub const TLS1_1: SslVersion = SslVersion(ffi::TLS1_1_VERSION);
+
+    /// TLSv1.2
+    pub const TLS1_2: SslVersion = SslVersion(ffi::TLS1_2_VERSION);
+
+    /// TLSv1.3
+    ///
+    /// Requires OpenSSL 1.1.1 and the corresponding Cargo feature.
+    #[cfg(all(feature = "v111", ossl111))]
+    pub const TLS1_3: SslVersion = SslVersion(ffi::TLS1_3_VERSION);
+}
+
 /// A standard implementation of protocol selection for Application Layer Protocol Negotiation
 /// (ALPN).
 ///
@@ -1247,6 +1271,33 @@ impl SslContextBuilder {
         ffi::SSL_CTX_sess_set_get_cb(self.as_ptr(), Some(callbacks::raw_get_session::<F>));
     }
 
+    /// Sets the TLS key logging callback.
+    ///
+    /// The callback is invoked whenever TLS key material is generated, and is passed a line of NSS
+    /// SSLKEYLOGFILE-formatted text. This can be used by tools like Wireshark to decrypt message
+    /// traffic. The line does not contain a trailing newline.
+    ///
+    /// Requires OpenSSL 1.1.1 and the corresponding Cargo feature.
+    ///
+    /// This corresponds to [`SSL_CTX_set_keylog_callback`].
+    ///
+    /// [`SSL_CTX_set_keylog_callback`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_keylog_callback.html
+    #[cfg(all(feature = "v111", ossl111))]
+    pub fn set_keylog_callback<F>(&mut self, callback: F)
+    where
+        F: Fn(&SslRef, &str) + 'static + Sync + Send,
+    {
+        unsafe {
+            let callback = Box::new(callback);
+            ffi::SSL_CTX_set_ex_data(
+                self.as_ptr(),
+                get_callback_idx::<F>(),
+                Box::into_raw(callback) as *mut _,
+            );
+            ffi::SSL_CTX_set_keylog_callback(self.as_ptr(), Some(callbacks::raw_keylog::<F>));
+        }
+    }
+
     /// Sets the session caching mode use for connections made with the context.
     ///
     /// Returns the previous session caching mode.
@@ -1593,7 +1644,7 @@ impl SslSessionRef {
 
     /// Copies the master key into the provided buffer.
     ///
-    /// Returns the number of bytes written.
+    /// Returns the number of bytes written, or the size of the master key if the buffer is empty.
     ///
     /// This corresponds to [`SSL_SESSION_get_master_key`].
     ///
@@ -2042,6 +2093,40 @@ impl SslRef {
         }
     }
 
+    /// Copies the client_random value sent by the client in the TLS handshake into a buffer.
+    ///
+    /// Returns the number of bytes copied, or if the buffer is empty, the size of the client_random
+    /// value.
+    ///
+    /// Requires OpenSSL 1.1.0 or 1.1.1 and the corresponding Cargo feature.
+    ///
+    /// This corresponds to [`SSL_get_client_random`].
+    ///
+    /// [`SSL_get_client_random`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_client_random.html
+    #[cfg(any(all(feature = "v110", ossl110), all(feature = "v111", ossl111)))]
+    pub fn client_random(&self, buf: &mut [u8]) -> usize {
+        unsafe {
+            ffi::SSL_get_client_random(self.as_ptr(), buf.as_mut_ptr() as *mut c_uchar, buf.len())
+        }
+    }
+
+    /// Copies the server_random value sent by the server in the TLS handshake into a buffer.
+    ///
+    /// Returns the number of bytes copied, or if the buffer is empty, the size of the server_random
+    /// value.
+    ///
+    /// Requires OpenSSL 1.1.0 or 1.1.1 and the corresponding Cargo feature.
+    ///
+    /// This corresponds to [`SSL_get_server_random`].
+    ///
+    /// [`SSL_get_server_random`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_client_random.html
+    #[cfg(any(all(feature = "v110", ossl110), all(feature = "v111", ossl111)))]
+    pub fn server_random(&self, buf: &mut [u8]) -> usize {
+        unsafe {
+            ffi::SSL_get_server_random(self.as_ptr(), buf.as_mut_ptr() as *mut c_uchar, buf.len())
+        }
+    }
+
     /// Sets the session to be used.
     ///
     /// This should be called before the handshake to attempt to reuse a previously established
@@ -2082,7 +2167,7 @@ impl SslRef {
 
     /// Returns the server's OCSP response, if present.
     ///
-    /// This corresponds to [`SSL_get_tlsext_status_oscp_resp`].
+    /// This corresponds to [`SSL_get_tlsext_status_ocsp_resp`].
     ///
     /// [`SSL_get_tlsext_status_ocsp_resp`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_tlsext_status_type.html
     pub fn ocsp_status(&self) -> Option<&[u8]> {
@@ -2100,7 +2185,7 @@ impl SslRef {
 
     /// Sets the OCSP response to be returned to the client.
     ///
-    /// This corresponds to [`SSL_set_tlsext_status_oscp_resp`].
+    /// This corresponds to [`SSL_set_tlsext_status_ocsp_resp`].
     ///
     /// [`SSL_set_tlsext_status_ocsp_resp`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_tlsext_status_type.html
     pub fn set_ocsp_status(&mut self, response: &[u8]) -> Result<(), ErrorStack> {

systest/build.rs

@@ -109,6 +109,7 @@ fn main() {
     cfg.skip_signededness(|s| {
         s.ends_with("_cb") || s.ends_with("_CB") || s.ends_with("_cb_fn")
             || s.starts_with("CRYPTO_") || s == "PasswordCallback"
+            || s.ends_with("_cb_func")
     });
     cfg.field_name(|_s, field| {
         if field == "type_" {