min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't ignore errors in NPN/ALPN logic 

Closes #479
This commit is contained in:
Steven Fackler 2016-10-18 21:05:37 -07:00
parent d377b50349
commit f7e6d7fce6
2 changed files with 32 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
openssl/src/ssl/mod.rs
View File

@ -571,7 +571,7 @@ impl<'a> SslContextRef<'a> {
/// Set the protocols to be used during Next Protocol Negotiation (the protocols /// Set the protocols to be used during Next Protocol Negotiation (the protocols
/// supported by the application). /// supported by the application).
pub fn set_npn_protocols(&mut self, protocols: &[&[u8]]) { pub fn set_npn_protocols(&mut self, protocols: &[&[u8]]) -> Result<(), ErrorStack> {
// Firstly, convert the list of protocols to a byte-array that can be passed to OpenSSL // Firstly, convert the list of protocols to a byte-array that can be passed to OpenSSL
// APIs -- a list of length-prefixed strings. // APIs -- a list of length-prefixed strings.
let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols));
@ -579,7 +579,9 @@ impl<'a> SslContextRef<'a> {
unsafe { unsafe {
// Attach the protocol list to the OpenSSL context structure, // Attach the protocol list to the OpenSSL context structure,
// so that we can refer to it within the callback. // so that we can refer to it within the callback.
ffi::SSL_CTX_set_ex_data(self.as_ptr(), *NPN_PROTOS_IDX, mem::transmute(protocols)); try!(cvt(ffi::SSL_CTX_set_ex_data(self.as_ptr(),
*NPN_PROTOS_IDX,
Box::into_raw(protocols) as *mut c_void)));
// Now register the callback that performs the default protocol // Now register the callback that performs the default protocol
// matching based on the client-supported list of protocols that // matching based on the client-supported list of protocols that
// has been saved. // has been saved.
@ -591,6 +593,7 @@ impl<'a> SslContextRef<'a> {
ffi::SSL_CTX_set_next_protos_advertised_cb(self.as_ptr(), ffi::SSL_CTX_set_next_protos_advertised_cb(self.as_ptr(),
raw_next_protos_advertise_cb, raw_next_protos_advertise_cb,
ptr::null_mut()); ptr::null_mut());
Ok(())
} }
} }
@ -603,22 +606,32 @@ impl<'a> SslContextRef<'a> {
/// ///
/// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0. /// Requires the `v102` or `v110` features and OpenSSL 1.0.2 or OpenSSL 1.1.0.
#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) { pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) -> Result<(), ErrorStack> {
let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols));
unsafe { unsafe {
// Set the context's internal protocol list for use if we are a server // Set the context's internal protocol list for use if we are a server
ffi::SSL_CTX_set_alpn_protos(self.as_ptr(), protocols.as_ptr(), protocols.len() as c_uint); let r = ffi::SSL_CTX_set_alpn_protos(self.as_ptr(),
protocols.as_ptr(),
protocols.len() as c_uint);
// fun fact, SSL_CTX_set_alpn_protos has a reversed return code D:
if r != 0 {
return Err(ErrorStack::get());
}
// Rather than use the argument to the callback to contain our data, store it in the // Rather than use the argument to the callback to contain our data, store it in the
// ssl ctx's ex_data so that we can configure a function to free it later. In the // ssl ctx's ex_data so that we can configure a function to free it later. In the
// future, it might make sense to pull this into our internal struct Ssl instead of // future, it might make sense to pull this into our internal struct Ssl instead of
// leaning on openssl and using function pointers. // leaning on openssl and using function pointers.
ffi::SSL_CTX_set_ex_data(self.as_ptr(), *ALPN_PROTOS_IDX, mem::transmute(protocols)); try!(cvt(ffi::SSL_CTX_set_ex_data(self.as_ptr(),
*ALPN_PROTOS_IDX,
Box::into_raw(protocols) as *mut c_void)));
// Now register the callback that performs the default protocol // Now register the callback that performs the default protocol
// matching based on the client-supported list of protocols that // matching based on the client-supported list of protocols that
// has been saved. // has been saved.
ffi::SSL_CTX_set_alpn_select_cb(self.as_ptr(), raw_alpn_select_cb, ptr::null_mut()); ffi::SSL_CTX_set_alpn_select_cb(self.as_ptr(), raw_alpn_select_cb, ptr::null_mut());
Ok(())
} }
} }
} }

28
openssl/src/ssl/tests/mod.rs
View File

@ -514,7 +514,7 @@ fn test_connect_with_unilateral_alpn() {
let (_s, stream) = Server::new(); let (_s, stream) = Server::new();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -535,7 +535,7 @@ fn test_connect_with_unilateral_npn() {
let (_s, stream) = Server::new(); let (_s, stream) = Server::new();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -557,7 +557,7 @@ fn test_connect_with_alpn_successful_multiple_matching() {
let (_s, stream) = Server::new_alpn(); let (_s, stream) = Server::new_alpn();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -579,7 +579,7 @@ fn test_connect_with_npn_successful_multiple_matching() {
let (_s, stream) = Server::new_alpn(); let (_s, stream) = Server::new_alpn();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]); ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -602,7 +602,7 @@ fn test_connect_with_alpn_successful_single_match() {
let (_s, stream) = Server::new_alpn(); let (_s, stream) = Server::new_alpn();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -626,7 +626,7 @@ fn test_connect_with_npn_successful_single_match() {
let (_s, stream) = Server::new_alpn(); let (_s, stream) = Server::new_alpn();
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_npn_protocols(&[b"spdy/3.1"]); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -650,7 +650,7 @@ fn test_npn_server_advertise_multiple() {
let listener_ctx = { let listener_ctx = {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM) assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
.is_ok()); .is_ok());
ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM) ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM)
@ -665,7 +665,7 @@ fn test_npn_server_advertise_multiple() {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_npn_protocols(&[b"spdy/3.1"]); ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -691,7 +691,7 @@ fn test_alpn_server_advertise_multiple() {
let listener_ctx = { let listener_ctx = {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM) assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
.is_ok()); .is_ok());
ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM) ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM)
@ -706,7 +706,7 @@ fn test_alpn_server_advertise_multiple() {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
match ctx.set_CA_file(&Path::new("test/root-ca.pem")) { match ctx.set_CA_file(&Path::new("test/root-ca.pem")) {
Ok(_) => {} Ok(_) => {}
Err(err) => panic!("Unexpected error {:?}", err), Err(err) => panic!("Unexpected error {:?}", err),
@ -732,7 +732,7 @@ fn test_alpn_server_select_none() {
let listener_ctx = { let listener_ctx = {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM) assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
.is_ok()); .is_ok());
ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM) ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM)
@ -747,7 +747,7 @@ fn test_alpn_server_select_none() {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/2"]); ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
ctx.set_CA_file(&Path::new("test/root-ca.pem")).unwrap(); ctx.set_CA_file(&Path::new("test/root-ca.pem")).unwrap();
// Now connect to the socket and make sure the protocol negotiation works... // Now connect to the socket and make sure the protocol negotiation works...
let stream = TcpStream::connect(localhost).unwrap(); let stream = TcpStream::connect(localhost).unwrap();
@ -767,7 +767,7 @@ fn test_alpn_server_select_none() {
let listener_ctx = { let listener_ctx = {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM) assert!(ctx.set_certificate_file(&Path::new("test/cert.pem"), X509FileType::PEM)
.is_ok()); .is_ok());
ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM) ctx.set_private_key_file(&Path::new("test/key.pem"), X509FileType::PEM)
@ -782,7 +782,7 @@ fn test_alpn_server_select_none() {
let mut ctx = SslContext::new(SslMethod::tls()).unwrap(); let mut ctx = SslContext::new(SslMethod::tls()).unwrap();
ctx.set_verify(SSL_VERIFY_PEER); ctx.set_verify(SSL_VERIFY_PEER);
ctx.set_alpn_protocols(&[b"http/2"]); ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
ctx.set_CA_file(&Path::new("test/root-ca.pem")).unwrap(); ctx.set_CA_file(&Path::new("test/root-ca.pem")).unwrap();
// Now connect to the socket and make sure the protocol negotiation works... // Now connect to the socket and make sure the protocol negotiation works...
let stream = TcpStream::connect(localhost).unwrap(); let stream = TcpStream::connect(localhost).unwrap();