diff options
| author | Steven Fackler <[email protected]> | 2016-10-30 14:16:17 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2016-10-30 14:16:17 -0700 |
| commit | 33cce627dac04fb3a59e3440eb997d7b99025924 (patch) | |
| tree | c4804097d96d4d3993190e3fd9ad440fca3f28f4 /openssl/src/ssl | |
| parent | Clean up generics a bit (diff) | |
| parent | Enable single ECDH use (diff) | |
| download | rust-openssl-33cce627dac04fb3a59e3440eb997d7b99025924.tar.xz rust-openssl-33cce627dac04fb3a59e3440eb997d7b99025924.zip | |
Merge pull request #503 from sfackler/ecdhe
ECDHE support
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/connector.rs | 20 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 16 |
2 files changed, 33 insertions, 3 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 7d0bc4cd..0ec6526e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -126,9 +126,11 @@ impl ServerConnectorBuilder { I::Item: AsRef<X509Ref> { let mut ctx = try!(ctx(method)); - ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | + ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); + try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ @@ -165,6 +167,22 @@ impl ServerConnectorBuilder { } } +#[cfg(ossl101)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); + ctx.set_tmp_ecdh(&curve) +} + +#[cfg(ossl102)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + ctx._set_ecdh_auto(true) +} + +#[cfg(ossl110)] +fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { + Ok(()) +} + /// A type which wraps server-side streams in a TLS session. /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index cd7c1426..ffcc61ab 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -89,7 +89,8 @@ use std::marker::PhantomData; use ffi; use {init, cvt, cvt_p}; -use dh::Dh; +use dh::DhRef; +use ec_key::EcKeyRef; use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError}; #[cfg(any(ossl102, ossl110))] use verify::X509VerifyParamRef; @@ -498,12 +499,18 @@ impl SslContextBuilder { } } - pub fn set_tmp_dh(&mut self, dh: &Dh) -> Result<(), ErrorStack> { + pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ()) } } + pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ()) + } + } + /// Use the default locations of trusted certificates for verification. /// /// These locations are read from the `SSL_CERT_FILE` and `SSL_CERT_DIR` @@ -623,6 +630,11 @@ impl SslContextBuilder { /// Requires the `v102` feature and OpenSSL 1.0.2. #[cfg(all(feature = "v102", ossl102))] pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> { + self._set_ecdh_auto(onoff) + } + + #[cfg(ossl102)] + fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) } |