diff options
| author | Steven Fackler <[email protected]> | 2017-07-15 18:37:20 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2017-07-15 18:37:20 -0700 |
| commit | 0408f75b17d57a072561c25a8a660035b61d68c5 (patch) | |
| tree | a972a946b2e9ef0babd28967a24e03fc0c97573f /openssl/src/ssl/mod.rs | |
| parent | Merge pull request #657 from sfackler/rsa-pkcs1 (diff) | |
| parent | Fix build (diff) | |
| download | rust-openssl-0408f75b17d57a072561c25a8a660035b61d68c5.tar.xz rust-openssl-0408f75b17d57a072561c25a8a660035b61d68c5.zip | |
Merge pull request #662 from sfackler/verify-cleanup
Don't force overwrite verification mode in SslConnector
Diffstat (limited to 'openssl/src/ssl/mod.rs')
| -rw-r--r-- | openssl/src/ssl/mod.rs | 384 |
1 files changed, 80 insertions, 304 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8dd2b455..4f888f9d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -73,7 +73,7 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_void, c_long, c_ulong}; -use libc::{c_char, c_uchar, c_uint}; +use libc::{c_uchar, c_uint}; use std::any::Any; use std::any::TypeId; use std::borrow::Borrow; @@ -93,7 +93,7 @@ use std::slice; use std::str; use std::sync::Mutex; -use {init, cvt, cvt_p}; +use {init, cvt, cvt_p, cvt_n}; use dh::{Dh, DhRef}; use ec::EcKeyRef; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] @@ -106,21 +106,23 @@ use x509::store::X509Store; use verify::X509VerifyParamRef; use pkey::PKeyRef; use error::ErrorStack; +use ex_data::Index; use util::Opaque; use stack::{Stack, StackRef}; +use ssl::bio::BioMethod; +use ssl::callbacks::*; + +pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor, + ConnectConfiguration}; +pub use ssl::error::{Error, HandshakeError}; mod error; +mod callbacks; mod connector; mod bio; #[cfg(test)] mod tests; -use self::bio::BioMethod; - -pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor, - ConnectConfiguration}; -pub use ssl::error::{Error, HandshakeError}; - // FIXME drop SSL_ prefix // FIXME remvove flags not used in OpenSSL 1.1 bitflags! { @@ -301,302 +303,6 @@ fn get_new_ssl_idx<T>() -> c_int { } } -extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int - where F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send -{ - unsafe { - let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); - let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let verify: &F = &*(verify as *mut F); - - let ctx = X509StoreContextRef::from_ptr(x509_ctx); - - verify(preverify_ok != 0, ctx) as c_int - } -} - -#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] -extern "C" fn raw_psk<F>(ssl: *mut ffi::SSL, - hint: *const c_char, - identity: *mut c_char, - max_identity_len: c_uint, - psk: *mut c_uchar, - max_psk_len: c_uint) -> c_uint - where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack> + Any + 'static + Sync + Send -{ - unsafe { - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let ssl = SslRef::from_ptr_mut(ssl); - let callback = &*(callback as *mut F); - let hint = if hint != ptr::null() { - Some(CStr::from_ptr(hint).to_bytes()) - } else { - None - }; - // Give the callback mutable slices into which it can write the identity and psk. - let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, - max_identity_len as usize); - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); - match callback(ssl, hint, identity_sl, psk_sl) { - Ok(psk_len) => psk_len as u32, - _ => 0, - } - } -} - -extern "C" fn ssl_raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int - where F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send -{ - unsafe { - let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); - let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); - let verify = ffi::SSL_get_ex_data(ssl as *const _, get_ssl_callback_idx::<F>()); - let verify: &F = &*(verify as *mut F); - - let ctx = X509StoreContextRef::from_ptr(x509_ctx); - - verify(preverify_ok != 0, ctx) as c_int - } -} - -extern "C" fn raw_sni<F>(ssl: *mut ffi::SSL, al: *mut c_int, _arg: *mut c_void) -> c_int - where F: Fn(&mut SslRef) -> Result<(), SniError> + Any + 'static + Sync + Send -{ - unsafe { - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let callback: &F = &*(callback as *mut F); - let ssl = SslRef::from_ptr_mut(ssl); - - match callback(ssl) { - Ok(()) => ffi::SSL_TLSEXT_ERR_OK, - Err(SniError::Fatal(e)) => { - *al = e; - ffi::SSL_TLSEXT_ERR_ALERT_FATAL - } - Err(SniError::Warning(e)) => { - *al = e; - ffi::SSL_TLSEXT_ERR_ALERT_WARNING - } - Err(SniError::NoAck) => ffi::SSL_TLSEXT_ERR_NOACK, - } - } -} - -unsafe fn select_proto_using(ssl: *mut ffi::SSL, - out: *mut *mut c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - ex_data: c_int) - -> c_int { - - // First, get the list of protocols (that the client should support) saved in the context - // extra data. - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data); - let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); - // Prepare the client list parameters to be passed to the OpenSSL function... - let client = protocols.as_ptr(); - let client_len = protocols.len() as c_uint; - // Finally, let OpenSSL find a protocol to be used, by matching the given server and - // client lists. - if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != - ffi::OPENSSL_NPN_NEGOTIATED { - ffi::SSL_TLSEXT_ERR_NOACK - } else { - ffi::SSL_TLSEXT_ERR_OK - } -} - -/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. -/// -/// It chooses the protocol that the client wishes to use, out of the given list of protocols -/// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` -/// function. The list of protocols supported by the client is found in the extra data of the -/// OpenSSL context. -extern "C" fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, - out: *mut *mut c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } -} - -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] -extern "C" fn raw_alpn_select_cb(ssl: *mut ffi::SSL, - out: *mut *const c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { select_proto_using(ssl, out as *mut _, outlen, inbuf, inlen, *ALPN_PROTOS_IDX) } -} - -unsafe extern "C" fn raw_tmp_dh<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::DH - where F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send -{ - let ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] -unsafe extern "C" fn raw_tmp_ecdh<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::EC_KEY - where F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send -{ - let ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(ec_key) => { - let ptr = ec_key.as_ptr(); - mem::forget(ec_key); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -unsafe extern "C" fn raw_tmp_dh_ssl<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::DH - where F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send -{ - let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] -unsafe extern "C" fn raw_tmp_ecdh_ssl<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::EC_KEY - where F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send -{ - let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(ec_key) => { - let ptr = ec_key.as_ptr(); - mem::forget(ec_key); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -unsafe extern "C" fn raw_tlsext_status<F>(ssl: *mut ffi::SSL, _: *mut c_void) -> c_int - where F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + Any + 'static + Sync + Send -{ - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - let ret = callback(ssl); - - if ssl.is_server() { - match ret { - Ok(true) => ffi::SSL_TLSEXT_ERR_OK, - Ok(false) => ffi::SSL_TLSEXT_ERR_NOACK, - Err(_) => { - // FIXME reset error stack - ffi::SSL_TLSEXT_ERR_ALERT_FATAL - } - } - } else { - match ret { - Ok(true) => 1, - Ok(false) => 0, - Err(_) => { - // FIXME reset error stack - -1 - } - } - } -} - -/// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. -/// -/// It causes the parameter `out` to point at a `*const c_uchar` instance that -/// represents the list of protocols that the server should advertise as those -/// that it supports. -/// The list of supported protocols is found in the extra data of the OpenSSL -/// context. -extern "C" fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, - out: *mut *const c_uchar, - outlen: *mut c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { - // First, get the list of (supported) protocols saved in the context extra data. - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX); - if protocols.is_null() { - *out = b"".as_ptr(); - *outlen = 0; - } else { - // If the pointer is valid, put the pointer to the actual byte array into the - // output parameter `out`, as well as its length into `outlen`. - let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); - *out = protocols.as_ptr(); - *outlen = protocols.len() as c_uint; - } - } - - ffi::SSL_TLSEXT_ERR_OK -} - /// Convert a set of byte slices into a series of byte strings encoded for SSL. Encoding is a byte /// containing the length followed by the string. fn ssl_encode_byte_strings(strings: &[&[u8]]) -> Vec<u8> { @@ -1035,6 +741,14 @@ impl SslContextBuilder { } } + /// Sets the extra data at the specified index. + pub fn set_ex_data<T>(&mut self, index: Index<SslContext, T>, data: T) { + unsafe { + let data = Box::new(data); + ffi::SSL_CTX_set_ex_data(self.as_ptr(), index.as_raw(), Box::into_raw(data) as *mut c_void); + } + } + pub fn build(self) -> SslContext { let ctx = SslContext(self.0); mem::forget(self); @@ -1073,6 +787,20 @@ impl SslContext { pub fn builder(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { SslContextBuilder::new(method) } + + /// Returns a new extra data index. + /// + /// Each invocation of this function is guaranteed to return a distinct + /// index. + pub fn new_ex_index<T>() -> Result<Index<SslContext, T>, ErrorStack> + where + T: 'static + Sync + Send + { + unsafe { + let idx = try!(cvt_n(compat::get_new_idx(free_data_box::<T>))); + Ok(Index::from_raw(idx)) + } + } } impl SslContextRef { @@ -1119,6 +847,18 @@ impl SslContextRef { StackRef::from_ptr(chain) } } + + /// Returns a reference to the extra data at the specified index. + pub fn ex_data<T>(&self, index: Index<SslContext, T>) -> Option<&T> { + unsafe { + let data = ffi::SSL_CTX_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&*(data as *const T)) + } + } + } } pub struct CipherBits { @@ -1275,6 +1015,22 @@ foreign_type! { pub struct SslRef; } +impl Ssl { + /// Returns a new extra data index. + /// + /// Each invocation of this function is guaranteed to return a distinct + /// index. + pub fn new_ex_index<T>() -> Result<Index<Ssl, T>, ErrorStack> + where + T: 'static + Sync + Send + { + unsafe { + let idx = try!(cvt_n(compat::get_new_ssl_idx(free_data_box::<T>))); + Ok(Index::from_raw(idx)) + } + } +} + impl fmt::Debug for SslRef { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { let mut builder = fmt.debug_struct("Ssl"); @@ -1647,6 +1403,26 @@ impl SslRef { pub fn is_server(&self) -> bool { unsafe { compat::SSL_is_server(self.as_ptr()) != 0 } } + + /// Sets the extra data at the specified index. + pub fn set_ex_data<T>(&mut self, index: Index<Ssl, T>, data: T) { + unsafe { + let data = Box::new(data); + ffi::SSL_set_ex_data(self.as_ptr(), index.as_raw(), Box::into_raw(data) as *mut c_void); + } + } + + /// Returns a reference to the extra data at the specified index. + pub fn ex_data<T>(&self, index: Index<Ssl, T>) -> Option<&T> { + unsafe { + let data = ffi::SSL_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&*(data as *const T)) + } + } + } } unsafe impl Sync for Ssl {} |