diff options
| author | Steven Fackler <[email protected]> | 2015-03-23 23:29:44 -0400 |
|---|---|---|
| committer | Steven Fackler <[email protected]> | 2015-03-23 23:29:44 -0400 |
| commit | f664444ac58f03b6ea37996f44a81f3804cf938a (patch) | |
| tree | 8f85163aa252370b00a0b6dff4b72778c52e266b | |
| parent | Merge pull request #187 from manuels/x509_sign (diff) | |
| parent | openssl: Add tests for server-side NPN (diff) | |
| download | rust-openssl-f664444ac58f03b6ea37996f44a81f3804cf938a.tar.xz rust-openssl-f664444ac58f03b6ea37996f44a81f3804cf938a.zip | |
Merge pull request #185 from mlalic/npn-bindings
Add TLS Next Protocol Negotiation
| -rw-r--r-- | .travis.yml | 3 | ||||
| -rw-r--r-- | openssl-sys/Cargo.toml | 1 | ||||
| -rw-r--r-- | openssl-sys/src/lib.rs | 34 | ||||
| -rw-r--r-- | openssl/Cargo.toml | 1 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 154 | ||||
| -rw-r--r-- | openssl/src/ssl/tests.rs | 117 |
6 files changed, 306 insertions, 4 deletions
diff --git a/.travis.yml b/.travis.yml index c383cbc1..3292dcdb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,9 +5,10 @@ os: env: global: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - - FEATURES="tlsv1_1 tlsv1_2 aes_xts" + - FEATURES="tlsv1_1 tlsv1_2 aes_xts npn" before_script: - openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & +- openssl s_server -accept 15419 -www -cert openssl/test/cert.pem -key openssl/test/key.pem -nextprotoneg "http/1.1,spdy/3.1" >/dev/null 2>&1 & script: - (cd openssl && cargo test) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && cargo test --features "$FEATURES")) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index cabde957..8dd3d1b2 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -16,6 +16,7 @@ tlsv1_2 = [] tlsv1_1 = [] sslv2 = [] aes_xts = [] +npn = [] [dependencies] libc = "0.1" diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 1b404d14..59f11b65 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -134,6 +134,18 @@ pub const SSL_VERIFY_PEER: c_int = 1; pub const TLSEXT_NAMETYPE_host_name: c_long = 0; +pub const SSL_TLSEXT_ERR_OK: c_int = 0; +pub const SSL_TLSEXT_ERR_ALERT_WARNING: c_int = 1; +pub const SSL_TLSEXT_ERR_ALERT_FATAL: c_int = 2; +pub const SSL_TLSEXT_ERR_NOACK: c_int = 3; + +#[cfg(feature = "npn")] +pub const OPENSSL_NPN_UNSUPPORTED: c_int = 0; +#[cfg(feature = "npn")] +pub const OPENSSL_NPN_NEGOTIATED: c_int = 1; +#[cfg(feature = "npn")] +pub const OPENSSL_NPN_NO_OVERLAP: c_int = 2; + pub const V_ASN1_GENERALIZEDTIME: c_int = 24; pub const V_ASN1_UTCTIME: c_int = 23; @@ -490,6 +502,28 @@ extern "C" { pub fn SSL_CTX_set_cipher_list(ssl: *mut SSL_CTX, s: *const c_char) -> c_int; pub fn SSL_CTX_ctrl(ssl: *mut SSL_CTX, cmd: c_int, larg: c_long, parg: *mut c_void) -> c_long; + #[cfg(feature = "npn")] + pub fn SSL_CTX_set_next_protos_advertised_cb(ssl: *mut SSL_CTX, + cb: extern "C" fn(ssl: *mut SSL, + out: *mut *const c_uchar, + outlen: *mut c_uint, + arg: *mut c_void) -> c_int, + arg: *mut c_void); + #[cfg(feature = "npn")] + pub fn SSL_CTX_set_next_proto_select_cb(ssl: *mut SSL_CTX, + cb: extern "C" fn(ssl: *mut SSL, + out: *mut *mut c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + arg: *mut c_void) -> c_int, + arg: *mut c_void); + #[cfg(feature = "npn")] + pub fn SSL_select_next_proto(out: *mut *mut c_uchar, outlen: *mut c_uchar, + inbuf: *const c_uchar, inlen: c_uint, + client: *const c_uchar, client_len: c_uint) -> c_int; + #[cfg(feature = "npn")] + pub fn SSL_get0_next_proto_negotiated(s: *const SSL, data: *mut *const c_uchar, len: *mut c_uint); pub fn X509_add_ext(x: *mut X509, ext: *mut X509_EXTENSION, loc: c_int) -> c_int; pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 951fa958..8a1f5115 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -14,6 +14,7 @@ tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] +npn = ["openssl-sys/npn"] [dependencies.openssl-sys] path = "../openssl-sys" diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d19f6678..3aa01d41 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -1,4 +1,4 @@ -use libc::{c_int, c_void, c_long}; +use libc::{c_int, c_void, c_long, c_uint, c_uchar}; use std::ffi::{CStr, CString}; use std::fmt; use std::io; @@ -6,6 +6,7 @@ use std::io::prelude::*; use std::ffi::AsOsStr; use std::mem; use std::net; +use std::slice; use std::num::FromPrimitive; use std::num::Int; use std::path::Path; @@ -145,6 +146,34 @@ fn get_verify_data_idx<T>() -> c_int { } } +/// Creates a static index for the list of NPN protocols. +/// Registers a destructor for the data which will be called +/// when the context is freed. +#[cfg(feature = "npn")] +fn get_npn_protos_idx() -> c_int { + static mut NPN_PROTOS_IDX: c_int = -1; + static mut INIT: Once = ONCE_INIT; + + extern fn free_data_box(_parent: *mut c_void, ptr: *mut c_void, + _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, + _argl: c_long, _argp: *mut c_void) { + if !ptr.is_null() { + let _: Box<Vec<u8>> = unsafe { mem::transmute(ptr) }; + } + } + + unsafe { + INIT.call_once(|| { + let f: ffi::CRYPTO_EX_free = free_data_box; + let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, + None, Some(f)); + assert!(idx >= 0); + NPN_PROTOS_IDX = idx; + }); + NPN_PROTOS_IDX + } +} + extern fn raw_verify(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int { unsafe { @@ -192,6 +221,64 @@ extern fn raw_verify_with_data<T>(preverify_ok: c_int, } } +/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. +/// +/// It chooses the protocol that the client wishes to use, out of the given list of protocols +/// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` +/// function. The list of protocols supported by the client is found in the extra data of the +/// OpenSSL context. +#[cfg(feature = "npn")] +extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, + out: *mut *mut c_uchar, outlen: *mut c_uchar, + inbuf: *const c_uchar, inlen: c_uint, + _arg: *mut c_void) -> c_int { + unsafe { + // First, get the list of protocols (that the client should support) saved in the context + // extra data. + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); + let protocols: &Vec<u8> = mem::transmute(protocols); + // Prepare the client list parameters to be passed to the OpenSSL function... + let client = protocols.as_ptr(); + let client_len = protocols.len() as c_uint; + // Finally, let OpenSSL find a protocol to be used, by matching the given server and + // client lists. + ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len); + } + + ffi::SSL_TLSEXT_ERR_OK +} + +/// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. +/// +/// It causes the parameter `out` to point at a `*const c_uchar` instance that +/// represents the list of protocols that the server should advertise as those +/// that it supports. +/// The list of supported protocols is found in the extra data of the OpenSSL +/// context. +#[cfg(feature = "npn")] +extern fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, + out: *mut *const c_uchar, outlen: *mut c_uint, + _arg: *mut c_void) -> c_int { + unsafe { + // First, get the list of (supported) protocols saved in the context extra data. + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); + if protocols.is_null() { + *out = b"".as_ptr(); + *outlen = 0; + } else { + // If the pointer is valid, put the pointer to the actual byte array into the + // output parameter `out`, as well as its length into `outlen`. + let protocols: &Vec<u8> = mem::transmute(protocols); + *out = protocols.as_ptr(); + *outlen = protocols.len() as c_uint; + } + } + + ffi::SSL_TLSEXT_ERR_OK +} + /// The signature of functions that can be used to manually verify certificates pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; @@ -342,6 +429,38 @@ impl SslContext { }; SslContextOptions::from_bits(ret).unwrap() } + + /// Set the protocols to be used during Next Protocol Negotiation (the protocols + /// supported by the application). + /// + /// This method needs the `npn` feature. + #[cfg(feature = "npn")] + pub fn set_npn_protocols(&mut self, protocols: &[&[u8]]) { + // Firstly, convert the list of protocols to a byte-array that can be passed to OpenSSL + // APIs -- a list of length-prefixed strings. + let mut npn_protocols = Vec::new(); + for protocol in protocols { + let len = protocol.len() as u8; + npn_protocols.push(len); + // If the length is greater than the max `u8`, this truncates the protocol name. + npn_protocols.extend(protocol[..len as usize].to_vec()); + } + let protocols: Box<Vec<u8>> = Box::new(npn_protocols); + + unsafe { + // Attach the protocol list to the OpenSSL context structure, + // so that we can refer to it within the callback. + ffi::SSL_CTX_set_ex_data(*self.ctx, get_npn_protos_idx(), + mem::transmute(protocols)); + // Now register the callback that performs the default protocol + // matching based on the client-supported list of protocols that + // has been saved. + ffi::SSL_CTX_set_next_proto_select_cb(*self.ctx, raw_next_proto_select_cb, ptr::null_mut()); + // Also register the callback to advertise these protocols, if a server socket is + // created with the context. + ffi::SSL_CTX_set_next_protos_advertised_cb(*self.ctx, raw_next_protos_advertise_cb, ptr::null_mut()); + } + } } #[allow(dead_code)] @@ -470,6 +589,28 @@ impl Ssl { } } + /// Returns the protocol selected by performing Next Protocol Negotiation, if any. + /// + /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client + /// to interpret it. + /// + /// This method needs the `npn` feature. + #[cfg(feature = "npn")] + pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> { + unsafe { + let mut data: *const c_uchar = ptr::null(); + let mut len: c_uint = 0; + // Get the negotiated protocol from the SSL instance. + // `data` will point at a `c_uchar` array; `len` will contain the length of this array. + ffi::SSL_get0_next_proto_negotiated(*self.ssl, &mut data, &mut len); + + if data.is_null() { + None + } else { + Some(slice::from_raw_parts(data, len as usize)) + } + } + } } #[derive(FromPrimitive, Debug)] @@ -623,6 +764,17 @@ impl<S: Read+Write> SslStream<S> { Some(s) } + + /// Returns the protocol selected by performing Next Protocol Negotiation, if any. + /// + /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client + /// to interpret it. + /// + /// This method needs the `npn` feature. + #[cfg(feature = "npn")] + pub fn get_selected_npn_protocol(&self) -> Option<&[u8]> { + self.ssl.get_selected_npn_protocol() + } } impl<S: Read+Write> Read for SslStream<S> { diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 5196b870..468b1053 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -1,15 +1,16 @@ use serialize::hex::FromHex; -use std::net::TcpStream; +use std::net::{TcpStream, TcpListener}; use std::io; use std::io::prelude::*; use std::path::Path; +use std::thread; use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod::Sslv23; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SslVerifyMode::SslVerifyPeer; -use x509::{X509StoreContext}; +use x509::{X509StoreContext, X509FileType}; #[test] fn test_new_ctx() { @@ -220,3 +221,115 @@ fn test_read() { println!("written"); io::copy(&mut stream, &mut io::sink()).ok().expect("read error"); } + +/// Tests that connecting with the client using NPN, but the server not does not +/// break the existing connection behavior. +#[test] +#[cfg(feature = "npn")] +fn test_connect_with_unilateral_npn() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SslVerifyPeer, None); + ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { + None => {} + Some(err) => panic!("Unexpected error {:?}", err) + } + let stream = match SslStream::new(&ctx, stream) { + Ok(stream) => stream, + Err(err) => panic!("Expected success, got {:?}", err) + }; + // Since the socket to which we connected is not configured to use NPN, + // there should be no selected protocol... + assert!(stream.get_selected_npn_protocol().is_none()); +} + +/// Tests that when both the client as well as the server use NPN and their +/// lists of supported protocols have an overlap, the correct protocol is chosen. +#[test] +#[cfg(feature = "npn")] +fn test_connect_with_npn_successful_multiple_matching() { + // A different port than the other tests: an `openssl` process that has + // NPN enabled. + let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SslVerifyPeer, None); + ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { + None => {} + Some(err) => panic!("Unexpected error {:?}", err) + } + let stream = match SslStream::new(&ctx, stream) { + Ok(stream) => stream, + Err(err) => panic!("Expected success, got {:?}", err) + }; + // The server prefers "http/1.1", so that is chosen, even though the client + // would prefer "spdy/3.1" + assert_eq!(b"http/1.1", stream.get_selected_npn_protocol().unwrap()); +} + +/// Tests that when both the client as well as the server use NPN and their +/// lists of supported protocols have an overlap -- with only ONE protocol +/// being valid for both. +#[test] +#[cfg(feature = "npn")] +fn test_connect_with_npn_successful_single_match() { + // A different port than the other tests: an `openssl` process that has + // NPN enabled. + let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SslVerifyPeer, None); + ctx.set_npn_protocols(&[b"spdy/3.1"]); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { + None => {} + Some(err) => panic!("Unexpected error {:?}", err) + } + let stream = match SslStream::new(&ctx, stream) { + Ok(stream) => stream, + Err(err) => panic!("Expected success, got {:?}", err) + }; + // The client now only supports one of the server's protocols, so that one + // is used. + assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); +} + +/// Tests that when the `SslStream` is created as a server stream, the protocols +/// are correctly advertised to the client. +#[test] +#[cfg(feature = "npn")] +fn test_npn_server_advertise_multiple() { + let localhost = "127.0.0.1:15420"; + let listener = TcpListener::bind(localhost).unwrap(); + // We create a different context instance for the server... + let listener_ctx = { + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SslVerifyPeer, None); + ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); + ctx.set_certificate_file( + &Path::new("test/cert.pem"), X509FileType::PEM); + ctx.set_private_key_file( + &Path::new("test/key.pem"), X509FileType::PEM); + ctx + }; + // Have the listener wait on the connection in a different thread. + thread::spawn(move || { + let (stream, _) = listener.accept().unwrap(); + let _ = SslStream::new_server(&listener_ctx, stream).unwrap(); + }); + + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SslVerifyPeer, None); + ctx.set_npn_protocols(&[b"spdy/3.1"]); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { + None => {} + Some(err) => panic!("Unexpected error {:?}", err) + } + // Now connect to the socket and make sure the protocol negotiation works... + let stream = TcpStream::connect(localhost).unwrap(); + let stream = match SslStream::new(&ctx, stream) { + Ok(stream) => stream, + Err(err) => panic!("Expected success, got {:?}", err) + }; + // SPDY is selected since that's the only thing the client supports. + assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); +} |