diff options
| author | Steven Fackler <[email protected]> | 2017-07-15 18:37:20 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2017-07-15 18:37:20 -0700 |
| commit | 0408f75b17d57a072561c25a8a660035b61d68c5 (patch) | |
| tree | a972a946b2e9ef0babd28967a24e03fc0c97573f /openssl/src | |
| parent | Merge pull request #657 from sfackler/rsa-pkcs1 (diff) | |
| parent | Fix build (diff) | |
| download | rust-openssl-0408f75b17d57a072561c25a8a660035b61d68c5.tar.xz rust-openssl-0408f75b17d57a072561c25a8a660035b61d68c5.zip | |
Merge pull request #662 from sfackler/verify-cleanup
Don't force overwrite verification mode in SslConnector
Diffstat (limited to 'openssl/src')
| -rw-r--r-- | openssl/src/ex_data.rs | 26 | ||||
| -rw-r--r-- | openssl/src/lib.rs | 1 | ||||
| -rw-r--r-- | openssl/src/ssl/callbacks.rs | 339 | ||||
| -rw-r--r-- | openssl/src/ssl/connector.rs | 42 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 384 | ||||
| -rw-r--r-- | openssl/src/x509/mod.rs | 20 |
6 files changed, 493 insertions, 319 deletions
diff --git a/openssl/src/ex_data.rs b/openssl/src/ex_data.rs new file mode 100644 index 00000000..450dd113 --- /dev/null +++ b/openssl/src/ex_data.rs @@ -0,0 +1,26 @@ +use libc::c_int; +use std::marker::PhantomData; + +/// A slot in a type's "extra data" structure. +/// +/// It is parameterized over the type containing the extra data as well as the +/// type of the data in the slot. +pub struct Index<T, U>(c_int, PhantomData<(T, U)>); + +impl<T, U> Copy for Index<T, U> {} + +impl<T, U> Clone for Index<T, U> { + fn clone(&self) -> Index<T, U> { + *self + } +} + +impl<T, U> Index<T, U> { + pub unsafe fn from_raw(idx: c_int) -> Index<T, U> { + Index(idx, PhantomData) + } + + pub fn as_raw(&self) -> c_int { + self.0 + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 0c7a9bdb..84947281 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -36,6 +36,7 @@ pub mod dsa; pub mod ec; pub mod ec_key; pub mod error; +pub mod ex_data; pub mod hash; pub mod memcmp; pub mod nid; diff --git a/openssl/src/ssl/callbacks.rs b/openssl/src/ssl/callbacks.rs new file mode 100644 index 00000000..d7c48050 --- /dev/null +++ b/openssl/src/ssl/callbacks.rs @@ -0,0 +1,339 @@ +use ffi; +use libc::{c_int, c_uint, c_char, c_uchar, c_void}; +use std::any::Any; +use std::ffi::CStr; +use std::ptr; +use std::slice; +use std::mem; +use foreign_types::ForeignTypeRef; + +use error::ErrorStack; +use dh::Dh; +#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] +use ec_key::EcKey; +use ssl::{get_callback_idx, get_ssl_callback_idx, SslRef, SniError, NPN_PROTOS_IDX}; +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +use ssl::ALPN_PROTOS_IDX; +use x509::X509StoreContextRef; + +pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int +where + F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send, +{ + unsafe { + let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); + let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); + let verify: &F = &*(verify as *mut F); + + let ctx = X509StoreContextRef::from_ptr(x509_ctx); + + verify(preverify_ok != 0, ctx) as c_int + } +} + +#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] +pub extern "C" fn raw_psk<F>( + ssl: *mut ffi::SSL, + hint: *const c_char, + identity: *mut c_char, + max_identity_len: c_uint, + psk: *mut c_uchar, + max_psk_len: c_uint, +) -> c_uint +where + F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack> + + Any + + 'static + + Sync + + Send, +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); + let ssl = SslRef::from_ptr_mut(ssl); + let callback = &*(callback as *mut F); + let hint = if hint != ptr::null() { + Some(CStr::from_ptr(hint).to_bytes()) + } else { + None + }; + // Give the callback mutable slices into which it can write the identity and psk. + let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize); + let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); + match callback(ssl, hint, identity_sl, psk_sl) { + Ok(psk_len) => psk_len as u32, + _ => 0, + } + } +} + +pub extern "C" fn ssl_raw_verify<F>( + preverify_ok: c_int, + x509_ctx: *mut ffi::X509_STORE_CTX, +) -> c_int +where + F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send, +{ + unsafe { + let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); + let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); + let verify = ffi::SSL_get_ex_data(ssl as *const _, get_ssl_callback_idx::<F>()); + let verify: &F = &*(verify as *mut F); + + let ctx = X509StoreContextRef::from_ptr(x509_ctx); + + verify(preverify_ok != 0, ctx) as c_int + } +} + +pub extern "C" fn raw_sni<F>(ssl: *mut ffi::SSL, al: *mut c_int, _arg: *mut c_void) -> c_int +where + F: Fn(&mut SslRef) -> Result<(), SniError> + Any + 'static + Sync + Send, +{ + unsafe { + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); + let callback: &F = &*(callback as *mut F); + let ssl = SslRef::from_ptr_mut(ssl); + + match callback(ssl) { + Ok(()) => ffi::SSL_TLSEXT_ERR_OK, + Err(SniError::Fatal(e)) => { + *al = e; + ffi::SSL_TLSEXT_ERR_ALERT_FATAL + } + Err(SniError::Warning(e)) => { + *al = e; + ffi::SSL_TLSEXT_ERR_ALERT_WARNING + } + Err(SniError::NoAck) => ffi::SSL_TLSEXT_ERR_NOACK, + } + } +} + +pub unsafe fn select_proto_using( + ssl: *mut ffi::SSL, + out: *mut *mut c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + ex_data: c_int, +) -> c_int { + + // First, get the list of protocols (that the client should support) saved in the context + // extra data. + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data); + let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); + // Prepare the client list parameters to be passed to the OpenSSL function... + let client = protocols.as_ptr(); + let client_len = protocols.len() as c_uint; + // Finally, let OpenSSL find a protocol to be used, by matching the given server and + // client lists. + if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != + ffi::OPENSSL_NPN_NEGOTIATED + { + ffi::SSL_TLSEXT_ERR_NOACK + } else { + ffi::SSL_TLSEXT_ERR_OK + } +} + +/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. +/// +/// It chooses the protocol that the client wishes to use, out of the given list of protocols +/// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` +/// function. The list of protocols supported by the client is found in the extra data of the +/// OpenSSL context. +pub extern "C" fn raw_next_proto_select_cb( + ssl: *mut ffi::SSL, + out: *mut *mut c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + _arg: *mut c_void, +) -> c_int { + unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } +} + +#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] +pub extern "C" fn raw_alpn_select_cb( + ssl: *mut ffi::SSL, + out: *mut *const c_uchar, + outlen: *mut c_uchar, + inbuf: *const c_uchar, + inlen: c_uint, + _arg: *mut c_void, +) -> c_int { + unsafe { select_proto_using(ssl, out as *mut _, outlen, inbuf, inlen, *ALPN_PROTOS_IDX) } +} + +pub unsafe extern "C" fn raw_tmp_dh<F>( + ssl: *mut ffi::SSL, + is_export: c_int, + keylength: c_int, +) -> *mut ffi::DH +where + F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send, +{ + let ctx = ffi::SSL_get_SSL_CTX(ssl); + let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); + let callback = &*(callback as *mut F); + + let ssl = SslRef::from_ptr_mut(ssl); + match callback(ssl, is_export != 0, keylength as u32) { + Ok(dh) => { + let ptr = dh.as_ptr(); + mem::forget(dh); + ptr + } + Err(_) => { + // FIXME reset error stack + ptr::null_mut() + } + } +} + +#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] +pub unsafe extern "C" fn raw_tmp_ecdh<F>( + ssl: *mut ffi::SSL, + is_export: c_int, + keylength: c_int, +) -> *mut ffi::EC_KEY +where + F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send, +{ + let ctx = ffi::SSL_get_SSL_CTX(ssl); + let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); + let callback = &*(callback as *mut F); + + let ssl = SslRef::from_ptr_mut(ssl); + match callback(ssl, is_export != 0, keylength as u32) { + Ok(ec_key) => { + let ptr = ec_key.as_ptr(); + mem::forget(ec_key); + ptr + } + Err(_) => { + // FIXME reset error stack + ptr::null_mut() + } + } +} + +pub unsafe extern "C" fn raw_tmp_dh_ssl<F>( + ssl: *mut ffi::SSL, + is_export: c_int, + keylength: c_int, +) -> *mut ffi::DH +where + F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send, +{ + let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); + let callback = &*(callback as *mut F); + + let ssl = SslRef::from_ptr_mut(ssl); + match callback(ssl, is_export != 0, keylength as u32) { + Ok(dh) => { + let ptr = dh.as_ptr(); + mem::forget(dh); + ptr + } + Err(_) => { + // FIXME reset error stack + ptr::null_mut() + } + } +} + +#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] +pub unsafe extern "C" fn raw_tmp_ecdh_ssl<F>( + ssl: *mut ffi::SSL, + is_export: c_int, + keylength: c_int, +) -> *mut ffi::EC_KEY +where + F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send, +{ + let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); + let callback = &*(callback as *mut F); + + let ssl = SslRef::from_ptr_mut(ssl); + match callback(ssl, is_export != 0, keylength as u32) { + Ok(ec_key) => { + let ptr = ec_key.as_ptr(); + mem::forget(ec_key); + ptr + } + Err(_) => { + // FIXME reset error stack + ptr::null_mut() + } + } +} + +pub unsafe extern "C" fn raw_tlsext_status<F>(ssl: *mut ffi::SSL, _: *mut c_void) -> c_int +where + F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + Any + 'static + Sync + Send, +{ + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); + let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); + let callback = &*(callback as *mut F); + + let ssl = SslRef::from_ptr_mut(ssl); + let ret = callback(ssl); + + if ssl.is_server() { + match ret { + Ok(true) => ffi::SSL_TLSEXT_ERR_OK, + Ok(false) => ffi::SSL_TLSEXT_ERR_NOACK, + Err(_) => { + // FIXME reset error stack + ffi::SSL_TLSEXT_ERR_ALERT_FATAL + } + } + } else { + match ret { + Ok(true) => 1, + Ok(false) => 0, + Err(_) => { + // FIXME reset error stack + -1 + } + } + } +} + +/// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. +/// +/// It causes the parameter `out` to point at a `*const c_uchar` instance that +/// represents the list of protocols that the server should advertise as those +/// that it supports. +/// The list of supported protocols is found in the extra data of the OpenSSL +/// context. +pub extern "C" fn raw_next_protos_advertise_cb( + ssl: *mut ffi::SSL, + out: *mut *const c_uchar, + outlen: *mut c_uint, + _arg: *mut c_void, +) -> c_int { + unsafe { + // First, get the list of (supported) protocols saved in the context extra data. + let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); + let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX); + if protocols.is_null() { + *out = b"".as_ptr(); + *outlen = 0; + } else { + // If the pointer is valid, put the pointer to the actual byte array into the + // output parameter `out`, as well as its length into `outlen`. + let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); + *out = protocols.as_ptr(); + *outlen = protocols.len() as c_uint; + } + } + + ffi::SSL_TLSEXT_ERR_OK +} diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 548e3e97..e4500c6e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -7,6 +7,11 @@ use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER, use pkey::PKeyRef; use x509::X509Ref; +#[cfg(ossl101)] +lazy_static! { + static ref HOSTNAME_IDX: ::ex_data::Index<Ssl, String> = Ssl::new_ex_index().unwrap(); +} + // ffdhe2048 from https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe2048 const DHPARAM_PEM: &'static str = " -----BEGIN DH PARAMETERS----- @@ -55,7 +60,7 @@ impl SslConnectorBuilder { try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\ DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\ RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES")); - ctx.set_verify(SSL_VERIFY_PEER); + setup_verify(&mut ctx); Ok(SslConnectorBuilder(ctx)) } @@ -98,8 +103,6 @@ impl SslConnector { /// Initiates a client-side TLS session on a stream without performing hostname verification. /// - /// The verification configuration of the connector's `SslContext` is not overridden. - /// /// # Warning /// /// You should think very carefully before you use this method. If hostname verification is not @@ -140,7 +143,7 @@ impl ConnectConfiguration { where S: Read + Write { try!(self.0.set_hostname(domain)); - try!(setup_verify(&mut self.0, domain)); + try!(setup_verify_hostname(&mut self.0, domain)); self.0.connect(stream) } @@ -308,20 +311,35 @@ impl SslAcceptor { } #[cfg(any(ossl102, ossl110))] -fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { - // pass a noop closure in here to ensure that we consistently override any callback on the - // context - ssl.set_verify_callback(SSL_VERIFY_PEER, |p, _| p); +fn setup_verify(ctx: &mut SslContextBuilder) { + ctx.set_verify(SSL_VERIFY_PEER); +} + +#[cfg(ossl101)] +fn setup_verify(ctx: &mut SslContextBuilder) { + ctx.set_verify_callback(SSL_VERIFY_PEER, |p, x509| { + let hostname = match x509.ssl() { + Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX), + _ => None + }; + match hostname { + Some(hostname) => verify::verify_callback(hostname, p, x509), + None => p, + } + }); +} + +#[cfg(any(ossl102, ossl110))] +fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { let param = ssl._param_mut(); param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); param.set_host(domain) } #[cfg(ossl101)] -fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { - let domain = domain.to_owned(); - ssl.set_verify_callback(SSL_VERIFY_PEER, - move |p, x| verify::verify_callback(&domain, p, x)); +fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> { + let domain = domain.to_string(); + ssl.set_ex_data(*HOSTNAME_IDX, domain); Ok(()) } diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 8dd2b455..4f888f9d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -73,7 +73,7 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_void, c_long, c_ulong}; -use libc::{c_char, c_uchar, c_uint}; +use libc::{c_uchar, c_uint}; use std::any::Any; use std::any::TypeId; use std::borrow::Borrow; @@ -93,7 +93,7 @@ use std::slice; use std::str; use std::sync::Mutex; -use {init, cvt, cvt_p}; +use {init, cvt, cvt_p, cvt_n}; use dh::{Dh, DhRef}; use ec::EcKeyRef; #[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] @@ -106,21 +106,23 @@ use x509::store::X509Store; use verify::X509VerifyParamRef; use pkey::PKeyRef; use error::ErrorStack; +use ex_data::Index; use util::Opaque; use stack::{Stack, StackRef}; +use ssl::bio::BioMethod; +use ssl::callbacks::*; + +pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor, + ConnectConfiguration}; +pub use ssl::error::{Error, HandshakeError}; mod error; +mod callbacks; mod connector; mod bio; #[cfg(test)] mod tests; -use self::bio::BioMethod; - -pub use ssl::connector::{SslConnectorBuilder, SslConnector, SslAcceptorBuilder, SslAcceptor, - ConnectConfiguration}; -pub use ssl::error::{Error, HandshakeError}; - // FIXME drop SSL_ prefix // FIXME remvove flags not used in OpenSSL 1.1 bitflags! { @@ -301,302 +303,6 @@ fn get_new_ssl_idx<T>() -> c_int { } } -extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int - where F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send -{ - unsafe { - let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); - let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let verify: &F = &*(verify as *mut F); - - let ctx = X509StoreContextRef::from_ptr(x509_ctx); - - verify(preverify_ok != 0, ctx) as c_int - } -} - -#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] -extern "C" fn raw_psk<F>(ssl: *mut ffi::SSL, - hint: *const c_char, - identity: *mut c_char, - max_identity_len: c_uint, - psk: *mut c_uchar, - max_psk_len: c_uint) -> c_uint - where F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack> + Any + 'static + Sync + Send -{ - unsafe { - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let ssl = SslRef::from_ptr_mut(ssl); - let callback = &*(callback as *mut F); - let hint = if hint != ptr::null() { - Some(CStr::from_ptr(hint).to_bytes()) - } else { - None - }; - // Give the callback mutable slices into which it can write the identity and psk. - let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, - max_identity_len as usize); - let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize); - match callback(ssl, hint, identity_sl, psk_sl) { - Ok(psk_len) => psk_len as u32, - _ => 0, - } - } -} - -extern "C" fn ssl_raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int - where F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send -{ - unsafe { - let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx(); - let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx); - let verify = ffi::SSL_get_ex_data(ssl as *const _, get_ssl_callback_idx::<F>()); - let verify: &F = &*(verify as *mut F); - - let ctx = X509StoreContextRef::from_ptr(x509_ctx); - - verify(preverify_ok != 0, ctx) as c_int - } -} - -extern "C" fn raw_sni<F>(ssl: *mut ffi::SSL, al: *mut c_int, _arg: *mut c_void) -> c_int - where F: Fn(&mut SslRef) -> Result<(), SniError> + Any + 'static + Sync + Send -{ - unsafe { - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let callback: &F = &*(callback as *mut F); - let ssl = SslRef::from_ptr_mut(ssl); - - match callback(ssl) { - Ok(()) => ffi::SSL_TLSEXT_ERR_OK, - Err(SniError::Fatal(e)) => { - *al = e; - ffi::SSL_TLSEXT_ERR_ALERT_FATAL - } - Err(SniError::Warning(e)) => { - *al = e; - ffi::SSL_TLSEXT_ERR_ALERT_WARNING - } - Err(SniError::NoAck) => ffi::SSL_TLSEXT_ERR_NOACK, - } - } -} - -unsafe fn select_proto_using(ssl: *mut ffi::SSL, - out: *mut *mut c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - ex_data: c_int) - -> c_int { - - // First, get the list of protocols (that the client should support) saved in the context - // extra data. - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data); - let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); - // Prepare the client list parameters to be passed to the OpenSSL function... - let client = protocols.as_ptr(); - let client_len = protocols.len() as c_uint; - // Finally, let OpenSSL find a protocol to be used, by matching the given server and - // client lists. - if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != - ffi::OPENSSL_NPN_NEGOTIATED { - ffi::SSL_TLSEXT_ERR_NOACK - } else { - ffi::SSL_TLSEXT_ERR_OK - } -} - -/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. -/// -/// It chooses the protocol that the client wishes to use, out of the given list of protocols -/// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` -/// function. The list of protocols supported by the client is found in the extra data of the -/// OpenSSL context. -extern "C" fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, - out: *mut *mut c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } -} - -#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))] -extern "C" fn raw_alpn_select_cb(ssl: *mut ffi::SSL, - out: *mut *const c_uchar, - outlen: *mut c_uchar, - inbuf: *const c_uchar, - inlen: c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { select_proto_using(ssl, out as *mut _, outlen, inbuf, inlen, *ALPN_PROTOS_IDX) } -} - -unsafe extern "C" fn raw_tmp_dh<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::DH - where F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send -{ - let ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] -unsafe extern "C" fn raw_tmp_ecdh<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::EC_KEY - where F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send -{ - let ctx = ffi::SSL_get_SSL_CTX(ssl); - let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(ec_key) => { - let ptr = ec_key.as_ptr(); - mem::forget(ec_key); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -unsafe extern "C" fn raw_tmp_dh_ssl<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::DH - where F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send -{ - let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(dh) => { - let ptr = dh.as_ptr(); - mem::forget(dh); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))] -unsafe extern "C" fn raw_tmp_ecdh_ssl<F>(ssl: *mut ffi::SSL, - is_export: c_int, - keylength: c_int) - -> *mut ffi::EC_KEY - where F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send -{ - let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - match callback(ssl, is_export != 0, keylength as u32) { - Ok(ec_key) => { - let ptr = ec_key.as_ptr(); - mem::forget(ec_key); - ptr - } - Err(_) => { - // FIXME reset error stack - ptr::null_mut() - } - } -} - -unsafe extern "C" fn raw_tlsext_status<F>(ssl: *mut ffi::SSL, _: *mut c_void) -> c_int - where F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + Any + 'static + Sync + Send -{ - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); - let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); - let callback = &*(callback as *mut F); - - let ssl = SslRef::from_ptr_mut(ssl); - let ret = callback(ssl); - - if ssl.is_server() { - match ret { - Ok(true) => ffi::SSL_TLSEXT_ERR_OK, - Ok(false) => ffi::SSL_TLSEXT_ERR_NOACK, - Err(_) => { - // FIXME reset error stack - ffi::SSL_TLSEXT_ERR_ALERT_FATAL - } - } - } else { - match ret { - Ok(true) => 1, - Ok(false) => 0, - Err(_) => { - // FIXME reset error stack - -1 - } - } - } -} - -/// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. -/// -/// It causes the parameter `out` to point at a `*const c_uchar` instance that -/// represents the list of protocols that the server should advertise as those -/// that it supports. -/// The list of supported protocols is found in the extra data of the OpenSSL -/// context. -extern "C" fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, - out: *mut *const c_uchar, - outlen: *mut c_uint, - _arg: *mut c_void) - -> c_int { - unsafe { - // First, get the list of (supported) protocols saved in the context extra data. - let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); - let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX); - if protocols.is_null() { - *out = b"".as_ptr(); - *outlen = 0; - } else { - // If the pointer is valid, put the pointer to the actual byte array into the - // output parameter `out`, as well as its length into `outlen`. - let protocols: &Vec<u8> = &*(protocols as *mut Vec<u8>); - *out = protocols.as_ptr(); - *outlen = protocols.len() as c_uint; - } - } - - ffi::SSL_TLSEXT_ERR_OK -} - /// Convert a set of byte slices into a series of byte strings encoded for SSL. Encoding is a byte /// containing the length followed by the string. fn ssl_encode_byte_strings(strings: &[&[u8]]) -> Vec<u8> { @@ -1035,6 +741,14 @@ impl SslContextBuilder { } } + /// Sets the extra data at the specified index. + pub fn set_ex_data<T>(&mut self, index: Index<SslContext, T>, data: T) { + unsafe { + let data = Box::new(data); + ffi::SSL_CTX_set_ex_data(self.as_ptr(), index.as_raw(), Box::into_raw(data) as *mut c_void); + } + } + pub fn build(self) -> SslContext { let ctx = SslContext(self.0); mem::forget(self); @@ -1073,6 +787,20 @@ impl SslContext { pub fn builder(method: SslMethod) -> Result<SslContextBuilder, ErrorStack> { SslContextBuilder::new(method) } + + /// Returns a new extra data index. + /// + /// Each invocation of this function is guaranteed to return a distinct + /// index. + pub fn new_ex_index<T>() -> Result<Index<SslContext, T>, ErrorStack> + where + T: 'static + Sync + Send + { + unsafe { + let idx = try!(cvt_n(compat::get_new_idx(free_data_box::<T>))); + Ok(Index::from_raw(idx)) + } + } } impl SslContextRef { @@ -1119,6 +847,18 @@ impl SslContextRef { StackRef::from_ptr(chain) } } + + /// Returns a reference to the extra data at the specified index. + pub fn ex_data<T>(&self, index: Index<SslContext, T>) -> Option<&T> { + unsafe { + let data = ffi::SSL_CTX_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&*(data as *const T)) + } + } + } } pub struct CipherBits { @@ -1275,6 +1015,22 @@ foreign_type! { pub struct SslRef; } +impl Ssl { + /// Returns a new extra data index. + /// + /// Each invocation of this function is guaranteed to return a distinct + /// index. + pub fn new_ex_index<T>() -> Result<Index<Ssl, T>, ErrorStack> + where + T: 'static + Sync + Send + { + unsafe { + let idx = try!(cvt_n(compat::get_new_ssl_idx(free_data_box::<T>))); + Ok(Index::from_raw(idx)) + } + } +} + impl fmt::Debug for SslRef { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { let mut builder = fmt.debug_struct("Ssl"); @@ -1647,6 +1403,26 @@ impl SslRef { pub fn is_server(&self) -> bool { unsafe { compat::SSL_is_server(self.as_ptr()) != 0 } } + + /// Sets the extra data at the specified index. + pub fn set_ex_data<T>(&mut self, index: Index<Ssl, T>, data: T) { + unsafe { + let data = Box::new(data); + ffi::SSL_set_ex_data(self.as_ptr(), index.as_raw(), Box::into_raw(data) as *mut c_void); + } + } + + /// Returns a reference to the extra data at the specified index. + pub fn ex_data<T>(&self, index: Index<Ssl, T>) -> Option<&T> { + unsafe { + let data = ffi::SSL_get_ex_data(self.as_ptr(), index.as_raw()); + if data.is_null() { + None + } else { + Some(&*(data as *const T)) + } + } + } } unsafe impl Sync for Ssl {} diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index bab1d711..2bbadd95 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -14,7 +14,7 @@ use std::ptr; use std::slice; use std::str; -use {cvt, cvt_p}; +use {cvt, cvt_p, cvt_n}; use asn1::{Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1BitStringRef, Asn1IntegerRef, Asn1ObjectRef}; use bio::MemBioSlice; use bn::{BigNum, MSB_MAYBE_ZERO}; @@ -25,6 +25,7 @@ use nid::{self, Nid}; use pkey::{PKey, PKeyRef}; use stack::{Stack, StackRef, Stackable}; use string::OpensslString; +use ssl::SslRef; #[cfg(ossl10x)] use ffi::{X509_set_notBefore, X509_set_notAfter, ASN1_STRING_data, X509_STORE_CTX_get_chain}; @@ -95,6 +96,19 @@ impl X509StoreContextRef { Some(StackRef::from_ptr(chain)) } } + + /// Returns a reference to the `Ssl` associated with this context. + pub fn ssl(&self) -> Result<Option<&SslRef>, ErrorStack> { + unsafe { + let idx = try!(cvt_n(ffi::SSL_get_ex_data_X509_STORE_CTX_idx())); + let ssl = ffi::X509_STORE_CTX_get_ex_data(self.as_ptr(), idx); + if ssl.is_null() { + Ok(None) + } else { + Ok(Some(SslRef::from_ptr(ssl as *mut ffi::SSL))) + } + } + } } #[deprecated(since = "0.9.7", note = "use X509Builder and X509ReqBuilder instead")] @@ -1142,9 +1156,9 @@ mod compat { { (*(*x).req_info).subject } - + pub unsafe fn X509_get0_signature(psig: *mut *const ffi::ASN1_BIT_STRING, - palg: *mut *const ffi::X509_ALGOR, + palg: *mut *const ffi::X509_ALGOR, x: *const ffi::X509) { if !psig.is_null() { *psig = (*x).signature; |