From aa0040125b4006bd7520220cb8330b5b3d24ffb4 Mon Sep 17 00:00:00 2001 From: Steven Fackler Date: Tue, 1 Nov 2016 22:50:22 -0700 Subject: [PATCH] Use built in DH parameters when available Fall back to a hardcoded PEM blob on 1.0.1, but serialized from DH_get_2048_256. --- openssl-sys/src/lib.rs | 4 +-- openssl/src/dh.rs | 16 ++++++++- openssl/src/ssl/connector.rs | 64 +++++++++++++++++++++++++++--------- 3 files changed, 66 insertions(+), 18 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index f30d9f03..f5de44b6 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -1346,8 +1346,8 @@ extern { pub fn CRYPTO_memcmp(a: *const c_void, b: *const c_void, len: size_t) -> c_int; + pub fn DH_new() -> *mut DH; pub fn DH_free(dh: *mut DH); - #[cfg(not(ossl101))] pub fn DH_get_1024_160() -> *mut DH; #[cfg(not(ossl101))] @@ -1471,6 +1471,7 @@ extern { pub fn PEM_read_bio_RSAPrivateKey(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option, user_data: *mut c_void) -> *mut RSA; pub fn PEM_read_bio_RSA_PUBKEY(bio: *mut BIO, rsa: *mut *mut RSA, callback: Option, user_data: *mut c_void) -> *mut RSA; + pub fn PEM_write_bio_DHparams(bio: *mut BIO, x: *mut DH) -> c_int; pub fn PEM_write_bio_PrivateKey(bio: *mut BIO, pkey: *mut EVP_PKEY, cipher: *const EVP_CIPHER, kstr: *mut c_uchar, klen: c_int, callback: Option, @@ -1724,5 +1725,4 @@ extern { pub fn HMAC_Final(ctx: *mut HMAC_CTX, md: *mut c_uchar, len: *mut c_uint) -> c_int; - pub fn DH_new() -> *mut DH; } diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 4ae145d6..4dfe26cb 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -5,11 +5,25 @@ use std::ptr; use std::mem; use {cvt, cvt_p}; +use bio::MemBio; use bn::BigNum; -use types::OpenSslType; +use types::{OpenSslType, Ref}; type_!(Dh, ffi::DH, ffi::DH_free); +impl Ref { + /// Encodes the parameters to PEM. + pub fn to_pem(&self) -> Result, ErrorStack> { + let mem_bio = try!(MemBio::new()); + + unsafe { + try!(cvt(ffi::PEM_write_bio_DHparams(mem_bio.as_ptr(), self.as_ptr()))); + } + + Ok(mem_bio.get_buf().to_owned()) + } +} + impl Dh { pub fn from_params(p: BigNum, g: BigNum, q: BigNum) -> Result { unsafe { diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index c95b0fa1..75a1a03c 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -8,22 +8,23 @@ use pkey::PKey; use x509::X509; use types::Ref; -// apps/dh2048.pem +// Serialized form of DH_get_2048_256 +#[cfg(any(ossl101, all(test, any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))))] const DHPARAM_PEM: &'static str = r#" -----BEGIN DH PARAMETERS----- -MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb -IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft -awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT -mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh -fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq -5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== +MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX +1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY +wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3 +kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG +9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv +EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex +jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo ++MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5 +gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7 +cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU +KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ -----END DH PARAMETERS----- - -These are the 2048-bit DH parameters from "More Modular Exponential -(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": -https://tools.ietf.org/html/rfc3526 - -See https://tools.ietf.org/html/rfc2412 for how they were generated."#; +"#; fn ctx(method: SslMethod) -> Result { let mut ctx = try!(SslContextBuilder::new(method)); @@ -125,7 +126,7 @@ impl SslAcceptorBuilder { I::Item: AsRef> { let mut ctx = try!(ctx(method)); - let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); + let dh = try!(get_dh()); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ @@ -202,9 +203,30 @@ impl SslAcceptorBuilder { } } +#[cfg(ossl101)] +fn get_dh() -> Result { + Dh::from_pem(DHPARAM_PEM.as_bytes()) +} + +#[cfg(not(ossl101))] +fn get_dh() -> Result { + use ffi; + + use cvt_p; + use types::OpenSslType; + + // manually call into ffi to avoid forcing the features + unsafe { + cvt_p(ffi::DH_get_2048_256()).map(|p| Dh::from_ptr(p)) + } +} + #[cfg(ossl101)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { - let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); + use ec_key::EcKey; + use nid; + + let curve = try!(EcKey::new_by_curve_name(nid::X9_62_PRIME256V1)); ctx.set_tmp_ecdh(&curve) } @@ -420,3 +442,15 @@ mod verify { } } } + +#[cfg(test)] +mod test { + #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] + #[test] + fn check_dhparam() { + use dh::Dh; + + let expected = String::from_utf8(Dh::get_2048_256().unwrap().to_pem().unwrap()).unwrap(); + assert_eq!(expected.trim(), super::DHPARAM_PEM.trim()); + } +}