diff options
| author | Steven Fackler <[email protected]> | 2016-10-30 14:16:17 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2016-10-30 14:16:17 -0700 |
| commit | 33cce627dac04fb3a59e3440eb997d7b99025924 (patch) | |
| tree | c4804097d96d4d3993190e3fd9ad440fca3f28f4 /openssl/src | |
| parent | Clean up generics a bit (diff) | |
| parent | Enable single ECDH use (diff) | |
| download | rust-openssl-33cce627dac04fb3a59e3440eb997d7b99025924.tar.xz rust-openssl-33cce627dac04fb3a59e3440eb997d7b99025924.zip | |
Merge pull request #503 from sfackler/ecdhe
ECDHE support
Diffstat (limited to 'openssl/src')
| -rw-r--r-- | openssl/src/dh.rs | 32 | ||||
| -rw-r--r-- | openssl/src/ec_key.rs | 62 | ||||
| -rw-r--r-- | openssl/src/lib.rs | 1 | ||||
| -rw-r--r-- | openssl/src/ssl/connector.rs | 20 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 16 |
5 files changed, 122 insertions, 9 deletions
diff --git a/openssl/src/dh.rs b/openssl/src/dh.rs index 755e3e6b..b0c9737b 100644 --- a/openssl/src/dh.rs +++ b/openssl/src/dh.rs @@ -2,10 +2,24 @@ use ffi; use error::ErrorStack; use bio::MemBioSlice; use std::ptr; +use std::mem; +use std::ops::Deref; use {cvt, cvt_p}; use bn::BigNum; -use std::mem; +use opaque::Opaque; + +pub struct DhRef(Opaque); + +impl DhRef { + pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef { + &*(ptr as *mut _) + } + + pub fn as_ptr(&self) -> *mut ffi::DH { + self as *const _ as *mut _ + } +} pub struct Dh(*mut ffi::DH); @@ -56,16 +70,22 @@ impl Dh { cvt_p(ffi::DH_get_2048_256()).map(Dh) } } - - pub fn as_ptr(&self) -> *mut ffi::DH { - self.0 - } } impl Drop for Dh { fn drop(&mut self) { unsafe { - ffi::DH_free(self.as_ptr()) + ffi::DH_free(self.0) + } + } +} + +impl Deref for Dh { + type Target = DhRef; + + fn deref(&self) -> &DhRef { + unsafe { + DhRef::from_ptr(self.0) } } } diff --git a/openssl/src/ec_key.rs b/openssl/src/ec_key.rs new file mode 100644 index 00000000..5d634c5a --- /dev/null +++ b/openssl/src/ec_key.rs @@ -0,0 +1,62 @@ +use ffi; +use std::ops::Deref; + +use cvt_p; +use error::ErrorStack; +use nid::Nid; +use opaque::Opaque; + +pub struct EcKeyRef(Opaque); + +impl EcKeyRef { + pub unsafe fn from_ptr<'a>(ptr: *mut ffi::EC_KEY) -> &'a EcKeyRef { + &*(ptr as *mut _) + } + + pub fn as_ptr(&self) -> *mut ffi::EC_KEY { + self as *const _ as *mut _ + } +} + +pub struct EcKey(*mut ffi::EC_KEY); + +impl Drop for EcKey { + fn drop(&mut self) { + unsafe { + ffi::EC_KEY_free(self.0); + } + } +} + +impl EcKey { + pub fn new_by_curve_name(nid: Nid) -> Result<EcKey, ErrorStack> { + unsafe { + cvt_p(ffi::EC_KEY_new_by_curve_name(nid.as_raw())).map(EcKey) + } + } + + pub unsafe fn from_ptr(ptr: *mut ffi::EC_KEY) -> EcKey { + EcKey(ptr) + } +} + +impl Deref for EcKey { + type Target = EcKeyRef; + + fn deref(&self) -> &EcKeyRef { + unsafe { + EcKeyRef::from_ptr(self.0) + } + } +} + +#[cfg(test)] +mod test { + use nid; + use super::*; + + #[test] + fn new_by_curve_name() { + EcKey::new_by_curve_name(nid::X9_62_PRIME256V1).unwrap(); + } +} diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index acdc2ea8..4212e9de 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -28,6 +28,7 @@ pub mod bn; pub mod crypto; pub mod dh; pub mod dsa; +pub mod ec_key; pub mod error; pub mod hash; pub mod memcmp; diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs index 7d0bc4cd..0ec6526e 100644 --- a/openssl/src/ssl/connector.rs +++ b/openssl/src/ssl/connector.rs @@ -126,9 +126,11 @@ impl ServerConnectorBuilder { I::Item: AsRef<X509Ref> { let mut ctx = try!(ctx(method)); - ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); + ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | + ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); + try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ @@ -165,6 +167,22 @@ impl ServerConnectorBuilder { } } +#[cfg(ossl101)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); + ctx.set_tmp_ecdh(&curve) +} + +#[cfg(ossl102)] +fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { + ctx._set_ecdh_auto(true) +} + +#[cfg(ossl110)] +fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { + Ok(()) +} + /// A type which wraps server-side streams in a TLS session. /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index cd7c1426..ffcc61ab 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -89,7 +89,8 @@ use std::marker::PhantomData; use ffi; use {init, cvt, cvt_p}; -use dh::Dh; +use dh::DhRef; +use ec_key::EcKeyRef; use x509::{X509StoreContextRef, X509FileType, X509, X509Ref, X509VerifyError}; #[cfg(any(ossl102, ossl110))] use verify::X509VerifyParamRef; @@ -498,12 +499,18 @@ impl SslContextBuilder { } } - pub fn set_tmp_dh(&mut self, dh: &Dh) -> Result<(), ErrorStack> { + pub fn set_tmp_dh(&mut self, dh: &DhRef) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_tmp_dh(self.as_ptr(), dh.as_ptr()) as c_int).map(|_| ()) } } + pub fn set_tmp_ecdh(&mut self, key: &EcKeyRef) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::SSL_CTX_set_tmp_ecdh(self.as_ptr(), key.as_ptr()) as c_int).map(|_| ()) + } + } + /// Use the default locations of trusted certificates for verification. /// /// These locations are read from the `SSL_CERT_FILE` and `SSL_CERT_DIR` @@ -623,6 +630,11 @@ impl SslContextBuilder { /// Requires the `v102` feature and OpenSSL 1.0.2. #[cfg(all(feature = "v102", ossl102))] pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> { + self._set_ecdh_auto(onoff) + } + + #[cfg(ossl102)] + fn _set_ecdh_auto(&mut self, onoff: bool) -> Result<(), ErrorStack> { unsafe { cvt(ffi::SSL_CTX_set_ecdh_auto(self.as_ptr(), onoff as c_int)).map(|_| ()) } |