From e06a209e72bf79a4089992dedec4011295af45c0 Mon Sep 17 00:00:00 2001 From: Benjamin Saunders Date: Sun, 25 Feb 2018 19:22:33 -0800 Subject: [PATCH 1/2] Expose FFI bindings needed for SSL_stateless --- openssl-sys/src/lib.rs | 36 ++++++++++++++++++++++++++++++++++++ openssl-sys/src/ossl111.rs | 11 +++++++++++ 2 files changed, 47 insertions(+) create mode 100644 openssl-sys/src/ossl111.rs diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 7f3af1d7..77f69188 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -18,6 +18,11 @@ mod ossl110; #[cfg(ossl110)] pub use ossl110::*; +#[cfg(ossl111)] +mod ossl111; +#[cfg(ossl111)] +pub use ossl111::*; + #[cfg(libressl)] mod libressl; #[cfg(libressl)] @@ -1430,6 +1435,8 @@ pub const GEN_URI: c_int = 6; pub const GEN_IPADD: c_int = 7; pub const GEN_RID: c_int = 8; +pub const DTLS1_COOKIE_LENGTH: c_uint = 256; + // macros pub unsafe fn BIO_get_mem_data(b: *mut BIO, pp: *mut *mut c_char) -> c_long { BIO_ctrl(b, BIO_CTRL_INFO, 0, pp as *mut c_void) @@ -2762,4 +2769,33 @@ extern "C" { pub fn FIPS_mode_set(onoff: c_int) -> c_int; #[cfg(not(libressl))] pub fn FIPS_mode() -> c_int; + + pub fn SSL_CTX_set_cookie_generate_cb( + s: *mut SSL_CTX, + cb: Option c_int> + ); + + #[cfg(ossl110)] + pub fn SSL_CTX_set_cookie_verify_cb( + s: *mut SSL_CTX, + cb: Option c_int> + ); + + #[cfg(not(ossl110))] + pub fn SSL_CTX_set_cookie_verify_cb( + s: *mut SSL_CTX, + cb: Option c_int> + ); } diff --git a/openssl-sys/src/ossl111.rs b/openssl-sys/src/ossl111.rs new file mode 100644 index 00000000..c22d506c --- /dev/null +++ b/openssl-sys/src/ossl111.rs @@ -0,0 +1,11 @@ +use libc::{c_int, c_ulong}; + +use ossl110::*; + +pub const SSL_COOKIE_LENGTH: c_int = 255; + +pub const SSL_OP_ENABLE_MIDDLEBOX_COMPAT: c_ulong = 0x00100000; + +extern "C" { + pub fn SSL_stateless(s: *mut SSL) -> c_int; +} From e04dbfa3ee47741d7f74987803e0a8405550f5f3 Mon Sep 17 00:00:00 2001 From: Benjamin Saunders Date: Sun, 25 Feb 2018 19:36:47 -0800 Subject: [PATCH 2/2] Expose cookie generate/verify callback setters --- openssl/src/ssl/callbacks.rs | 50 ++++++++++++++++++++++++++++++++++++ openssl/src/ssl/mod.rs | 45 ++++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs index c06d32a0..424bdc1a 100644 --- a/openssl/src/ssl/callbacks.rs +++ b/openssl/src/ssl/callbacks.rs @@ -361,3 +361,53 @@ where callback(ssl, line); } + +pub extern "C" fn raw_cookie_generate( + ssl: *mut ffi::SSL, + cookie: *mut c_uchar, + cookie_len: *mut c_uint +) -> c_int +where + F: Fn(&mut SslRef, &mut [u8]) -> Result + 'static + Sync + Send +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::()); + let ssl = SslRef::from_ptr_mut(ssl); + let callback = &*(callback as *mut F); + // We subtract 1 from DTLS1_COOKIE_LENGTH as the ostensible value, 256, is erroneous but retained for + // compatibility. See comments in dtls1.h. + let slice = slice::from_raw_parts_mut(cookie as *mut u8, ffi::DTLS1_COOKIE_LENGTH as usize - 1); + match callback(ssl, slice) { + Ok(len) => { + *cookie_len = len as c_uint; + 1 + } + Err(_) => 0, + } + } +} + +#[cfg(ossl110)] +type CookiePtr = *const c_uchar; + +#[cfg(not(ossl110))] +type CookiePtr = *mut c_uchar; + +pub extern "C" fn raw_cookie_verify( + ssl: *mut ffi::SSL, + cookie: CookiePtr, + cookie_len: c_uint +) -> c_int +where + F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::()); + let ssl = SslRef::from_ptr_mut(ssl); + let callback = &*(callback as *mut F); + let slice = slice::from_raw_parts(cookie as *const c_uchar as *const u8, cookie_len as usize); + callback(ssl, slice) as c_int + } +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index fb7db988..91b97818 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1311,6 +1311,51 @@ impl SslContextBuilder { } } + /// Sets the callback for generating an application cookie for stateless handshakes. + /// + /// The callback will be called with the SSL context and a slice into which the cookie + /// should be written. The callback should return the number of bytes written. + /// + /// This corresponds to `SSL_CTX_set_cookie_generate_cb`. + pub fn set_cookie_generate_cb(&mut self, callback: F) + where + F: Fn(&mut SslRef, &mut [u8]) -> Result + 'static + Sync + Send + { + unsafe { + let callback = Box::new(callback); + ffi::SSL_CTX_set_ex_data( + self.as_ptr(), + get_callback_idx::(), + mem::transmute(callback), + ); + ffi::SSL_CTX_set_cookie_generate_cb(self.as_ptr(), Some(raw_cookie_generate::)) + } + } + + /// Sets the callback for verifying an application cookie for stateless handshakes. + /// + /// The callback will be called with the SSL context and the cookie supplied by the + /// client. It should return true if and only if the cookie is valid. + /// + /// Note that the OpenSSL implementation independently verifies the integrity of + /// application cookies using an HMAC before invoking the supplied callback. + /// + /// This corresponds to `SSL_CTX_set_cookie_verify_cb`. + pub fn set_cookie_verify_cb(&mut self, callback: F) + where + F: Fn(&mut SslRef, &[u8]) -> bool + 'static + Sync + Send + { + unsafe { + let callback = Box::new(callback); + ffi::SSL_CTX_set_ex_data( + self.as_ptr(), + get_callback_idx::(), + mem::transmute(callback), + ); + ffi::SSL_CTX_set_cookie_verify_cb(self.as_ptr(), Some(raw_cookie_verify::)) + } + } + /// Sets the extra data at the specified index. /// /// This can be used to provide data to callbacks registered with the context. Use the