High-level API for OpenSSL 1.1.1 custom extension support

2018-03-05 01:27:36 -08:00 · 2018-03-05 01:27:36 -08:00 · b0bc1c770e
parent 38f4705b1d
commit b0bc1c770e
3 changed files with 207 additions and 0 deletions
--- a/openssl/src/ssl/callbacks.rs
+++ b/openssl/src/ssl/callbacks.rs
@ -1,5 +1,9 @@
 use ffi;
 use libc::{c_char, c_int, c_uchar, c_uint, c_void};
+#[cfg(all(feature = "v111", ossl111))]
+use libc::size_t;
+#[cfg(all(feature = "v111", ossl111))]
+use std::borrow::Cow;
 use std::ffi::CStr;
 use std::ptr;
 use std::slice;
@ -20,6 +24,10 @@ use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslContext
          all(feature = "v111", ossl111)))]
 use ssl::AlpnError;
 use x509::X509StoreContextRef;
+#[cfg(all(feature = "v111", ossl111))]
+use ssl::ExtensionContext;
+#[cfg(all(feature = "v111", ossl111))]
+use x509::X509Ref;

 pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int
 where
@ -416,3 +424,88 @@ where
        callback(ssl, slice) as c_int
    }
 }
+
+#[cfg(all(feature = "v111", ossl111))]
+pub struct CustomExtAddState(Option<Cow<'static, [u8]>>);
+
+#[cfg(all(feature = "v111", ossl111))]
+pub extern "C" fn raw_custom_ext_add<F>(ssl: *mut ffi::SSL, _: c_uint,
+                                        context: c_uint,
+                                        out: *mut *const c_uchar,
+                                        outlen: *mut size_t, x: *mut ffi::X509,
+                                        chainidx: size_t, al: *mut c_int,
+                                        _: *mut c_void)
+                                        -> c_int
+    where F: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static
+{
+    unsafe {
+        let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
+        let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
+        let callback = &*(callback as *mut F);
+        let ssl = SslRef::from_ptr_mut(ssl);
+        let ectx = ExtensionContext::from_bits_truncate(context);
+        let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None };
+        match (callback)(ssl, ectx, cert) {
+            Ok(None) => 0,
+            Ok(Some(buf)) => {
+                *outlen = buf.len() as size_t;
+                *out = buf.as_ptr();
+
+                let idx = get_ssl_callback_idx::<CustomExtAddState>();
+                let ptr = ffi::SSL_get_ex_data(ssl.as_ptr(), idx);
+                if ptr.is_null() {
+                    let x = Box::into_raw(Box::<CustomExtAddState>::new(CustomExtAddState(Some(buf)))) as *mut c_void;
+                    ffi::SSL_set_ex_data(ssl.as_ptr(), idx, x);
+                } else {
+                    *(ptr as *mut _) = CustomExtAddState(Some(buf))
+                }
+                1
+            }
+            Err(alert) => {
+                *al = alert.0;
+                -1
+            }
+        }
+    }
+}
+
+#[cfg(all(feature = "v111", ossl111))]
+pub extern "C" fn raw_custom_ext_free(ssl: *mut ffi::SSL, _: c_uint,
+                                      _: c_uint,
+                                      _: *mut *const c_uchar,
+                                      _: *mut c_void)
+{
+    unsafe {
+        let state = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<CustomExtAddState>());
+        let state = &mut (*(state as *mut CustomExtAddState)).0;
+        state.take();
+    }
+}
+
+#[cfg(all(feature = "v111", ossl111))]
+pub extern "C" fn raw_custom_ext_parse<F>(ssl: *mut ffi::SSL, _: c_uint,
+                                          context: c_uint,
+                                          input: *const c_uchar,
+                                          inlen: size_t, x: *mut ffi::X509,
+                                          chainidx: size_t, al: *mut c_int,
+                                          _: *mut c_void)
+                                        -> c_int
+    where F: FnMut(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static
+{
+    unsafe {
+        let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
+        let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
+        let ssl = SslRef::from_ptr_mut(ssl);
+        let callback = &mut *(callback as *mut F);
+        let ectx = ExtensionContext::from_bits_truncate(context);
+        let slice = slice::from_raw_parts(input as *const u8, inlen as usize);
+        let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None };
+        match callback(ssl, ectx, slice, cert) {
+            Ok(()) => 1,
+            Err(alert) => {
+                *al = alert.0;
+                0
+            }
+        }
+    }
+}
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@ -61,6 +61,8 @@ use ffi;
 use foreign_types::{ForeignType, ForeignTypeRef, Opaque};
 use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void};
 use std::any::TypeId;
+#[cfg(all(feature = "v111", ossl111))]
+use std::borrow::Cow;
 use std::cmp;
 use std::collections::HashMap;
 use std::ffi::{CStr, CString};
@ -363,6 +365,36 @@ bitflags! {
    }
 }

+#[cfg(all(feature = "v111", ossl111))]
+bitflags! {
+    /// Which messages and under which conditions an extension should be added or expected.
+    pub struct ExtensionContext: c_uint {
+        /// This extension is only allowed in TLS
+        const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY;
+        /// This extension is only allowed in DTLS
+        const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY;
+        /// Some extensions may be allowed in DTLS but we don't implement them for it
+        const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY;
+        /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is
+        const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED;
+        /// Extension is only defined for TLS1.2 and below
+        const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY;
+        /// Extension is only defined for TLS1.3 and above
+        const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY;
+        /// Ignore this extension during parsing if we are resuming
+        const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION;
+        const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO;
+        /// Really means TLS1.2 or below
+        const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO;
+        const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO;
+        const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS;
+        const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST;
+        const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE;
+        const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET;
+        const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST;
+    }
+}
+
 /// An identifier of the format of a certificate or key file.
 #[derive(Copy, Clone)]
 pub struct SslFiletype(c_int);
@ -501,6 +533,8 @@ pub struct SslAlert(c_int);
 impl SslAlert {
    /// Alert 112 - `unrecognized_name`.
    pub const UNRECOGNIZED_NAME: SslAlert = SslAlert(ffi::SSL_AD_UNRECOGNIZED_NAME);
+    pub const ILLEGAL_PARAMETER: SslAlert = SslAlert(ffi::SSL_AD_ILLEGAL_PARAMETER);
+    pub const DECODE_ERROR: SslAlert = SslAlert(ffi::SSL_AD_DECODE_ERROR);
 }

 /// An error returned from an ALPN selection callback.
@ -1471,6 +1505,48 @@ impl SslContextBuilder {
        }
    }

+    /// Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions.
+    ///
+    /// This corresponds to [`SSL_CTX_add_custom_ext`].
+    ///
+    /// [`SSL_CTX_add_custom_ext`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html
+    #[cfg(all(feature = "v111", ossl111))]
+    pub fn add_custom_ext<AddFn, ParseFn>(&mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn)
+                                          -> Result<(), ErrorStack>
+        where AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>)
+                        -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static + Sync + Send,
+              ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>)
+                          -> Result<(), SslAlert> + 'static + Sync + Send,
+    {
+        let ret = unsafe {
+            let add_cb = Box::new(add_cb);
+            ffi::SSL_CTX_set_ex_data(
+                self.as_ptr(),
+                get_callback_idx::<AddFn>(),
+                Box::into_raw(add_cb) as *mut _
+            );
+
+            let parse_cb = Box::new(parse_cb);
+            ffi::SSL_CTX_set_ex_data(
+                self.as_ptr(),
+                get_callback_idx::<ParseFn>(),
+                Box::into_raw(parse_cb) as *mut _,
+            );
+
+            ffi::SSL_CTX_add_custom_ext(self.as_ptr(), ext_type as c_uint, context.bits(),
+                                        Some(raw_custom_ext_add::<AddFn>),
+                                        Some(raw_custom_ext_free),
+                                        ptr::null_mut(),
+                                        Some(raw_custom_ext_parse::<ParseFn>),
+                                        ptr::null_mut())
+        };
+        if ret == 1 {
+            Ok(())
+        } else {
+            Err(ErrorStack::get())
+        }
+    }
+
    /// Consumes the builder, returning a new `SslContext`.
    pub fn build(self) -> SslContext {
        self.0
--- a/openssl/src/ssl/test.rs
+++ b/openssl/src/ssl/test.rs
@ -1353,6 +1353,44 @@ fn no_version_overlap() {
    guard.join().unwrap();
 }

+#[test]
+#[cfg(all(feature = "v111", ossl111))]
+fn custom_extensions() {
+    static FOUND_EXTENSION: AtomicBool = ATOMIC_BOOL_INIT;
+
+    let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let guard = thread::spawn(move || {
+        let stream = listener.accept().unwrap().0;
+        let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+        ctx.set_certificate_file(&Path::new("test/cert.pem"), SslFiletype::PEM)
+            .unwrap();
+        ctx.set_private_key_file(&Path::new("test/key.pem"), SslFiletype::PEM)
+            .unwrap();
+        ctx.add_custom_ext(
+            12345, ssl::ExtensionContext::CLIENT_HELLO,
+            |_, _, _| unreachable!(),
+            |_, _, data, _| { FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); Ok(()) }
+        ).unwrap();
+        let ssl = Ssl::new(&ctx.build()).unwrap();
+        ssl.accept(stream).unwrap();
+    });
+
+    let stream = TcpStream::connect(addr).unwrap();
+    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+    ctx.add_custom_ext(
+        12345, ssl::ExtensionContext::CLIENT_HELLO,
+        |_, _, _| Ok(Some(b"hello"[..].into())),
+        |_, _, _, _| unreachable!()
+    ).unwrap();
+    let ssl = Ssl::new(&ctx.build()).unwrap();
+    ssl.connect(stream).unwrap();
+
+    guard.join().unwrap();
+    assert!(FOUND_EXTENSION.load(Ordering::SeqCst));
+}
+
 fn _check_kinds() {
    fn is_send<T: Send>() {}
    fn is_sync<T: Sync>() {}