Merge pull request #662 from sfackler/verify-cleanup (0408f75b) · Commits · Public Repositories / Rust Openssl

.gitignore

+1 −0

Original line number	Diff line number	Diff line
		@@ -2,3 +2,4 @@ target/
		Cargo.lock
		.idea/
		*.iml
		.vscode/

openssl/src/ex_data.rs

0 → 100644

+26 −0

Original line number	Diff line number	Diff line
		use libc::c_int;
		use std::marker::PhantomData;

		/// A slot in a type's "extra data" structure.
		///
		/// It is parameterized over the type containing the extra data as well as the
		/// type of the data in the slot.
		pub struct Index<T, U>(c_int, PhantomData<(T, U)>);

		impl<T, U> Copy for Index<T, U> {}

		impl<T, U> Clone for Index<T, U> {
		fn clone(&self) -> Index<T, U> {
		*self
		}
		}

		impl<T, U> Index<T, U> {
		pub unsafe fn from_raw(idx: c_int) -> Index<T, U> {
		Index(idx, PhantomData)
		}

		pub fn as_raw(&self) -> c_int {
		self.0
		}
		}

openssl/src/lib.rs

+1 −0

Original line number	Diff line number	Diff line
		@@ -36,6 +36,7 @@ pub mod dsa;
		pub mod ec;
		pub mod ec_key;
		pub mod error;
		pub mod ex_data;
		pub mod hash;
		pub mod memcmp;
		pub mod nid;

openssl/src/ssl/callbacks.rs

0 → 100644

+339 −0

Original line number	Diff line number	Diff line
		use ffi;
		use libc::{c_int, c_uint, c_char, c_uchar, c_void};
		use std::any::Any;
		use std::ffi::CStr;
		use std::ptr;
		use std::slice;
		use std::mem;
		use foreign_types::ForeignTypeRef;

		use error::ErrorStack;
		use dh::Dh;
		#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
		use ec_key::EcKey;
		use ssl::{get_callback_idx, get_ssl_callback_idx, SslRef, SniError, NPN_PROTOS_IDX};
		#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
		use ssl::ALPN_PROTOS_IDX;
		use x509::X509StoreContextRef;

		pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int
		where
		F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send,
		{
		unsafe {
		let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx();
		let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx);
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
		let verify = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
		let verify: &F = &(verify as mut F);

		let ctx = X509StoreContextRef::from_ptr(x509_ctx);

		verify(preverify_ok != 0, ctx) as c_int
		}
		}

		#[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
		pub extern "C" fn raw_psk<F>(
		ssl: *mut ffi::SSL,
		hint: *const c_char,
		identity: *mut c_char,
		max_identity_len: c_uint,
		psk: *mut c_uchar,
		max_psk_len: c_uint,
		) -> c_uint
		where
		F: Fn(&mut SslRef, Option<&[u8]>, &mut [u8], &mut [u8]) -> Result<usize, ErrorStack>
		+ Any
		+ 'static
		+ Sync
		+ Send,
		{
		unsafe {
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
		let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
		let ssl = SslRef::from_ptr_mut(ssl);
		let callback = &(callback as mut F);
		let hint = if hint != ptr::null() {
		Some(CStr::from_ptr(hint).to_bytes())
		} else {
		None
		};
		// Give the callback mutable slices into which it can write the identity and psk.
		let identity_sl = slice::from_raw_parts_mut(identity as *mut u8, max_identity_len as usize);
		let psk_sl = slice::from_raw_parts_mut(psk as *mut u8, max_psk_len as usize);
		match callback(ssl, hint, identity_sl, psk_sl) {
		Ok(psk_len) => psk_len as u32,
		_ => 0,
		}
		}
		}

		pub extern "C" fn ssl_raw_verify<F>(
		preverify_ok: c_int,
		x509_ctx: *mut ffi::X509_STORE_CTX,
		) -> c_int
		where
		F: Fn(bool, &X509StoreContextRef) -> bool + Any + 'static + Sync + Send,
		{
		unsafe {
		let idx = ffi::SSL_get_ex_data_X509_STORE_CTX_idx();
		let ssl = ffi::X509_STORE_CTX_get_ex_data(x509_ctx, idx);
		let verify = ffi::SSL_get_ex_data(ssl as *const _, get_ssl_callback_idx::<F>());
		let verify: &F = &(verify as mut F);

		let ctx = X509StoreContextRef::from_ptr(x509_ctx);

		verify(preverify_ok != 0, ctx) as c_int
		}
		}

		pub extern "C" fn raw_sni<F>(ssl: mut ffi::SSL, al: mut c_int, _arg: *mut c_void) -> c_int
		where
		F: Fn(&mut SslRef) -> Result<(), SniError> + Any + 'static + Sync + Send,
		{
		unsafe {
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl);
		let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
		let callback: &F = &(callback as mut F);
		let ssl = SslRef::from_ptr_mut(ssl);

		match callback(ssl) {
		Ok(()) => ffi::SSL_TLSEXT_ERR_OK,
		Err(SniError::Fatal(e)) => {
		*al = e;
		ffi::SSL_TLSEXT_ERR_ALERT_FATAL
		}
		Err(SniError::Warning(e)) => {
		*al = e;
		ffi::SSL_TLSEXT_ERR_ALERT_WARNING
		}
		Err(SniError::NoAck) => ffi::SSL_TLSEXT_ERR_NOACK,
		}
		}
		}

		pub unsafe fn select_proto_using(
		ssl: *mut ffi::SSL,
		out: mut mut c_uchar,
		outlen: *mut c_uchar,
		inbuf: *const c_uchar,
		inlen: c_uint,
		ex_data: c_int,
		) -> c_int {

		// First, get the list of protocols (that the client should support) saved in the context
		// extra data.
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl);
		let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data);
		let protocols: &Vec<u8> = &(protocols as mut Vec<u8>);
		// Prepare the client list parameters to be passed to the OpenSSL function...
		let client = protocols.as_ptr();
		let client_len = protocols.len() as c_uint;
		// Finally, let OpenSSL find a protocol to be used, by matching the given server and
		// client lists.
		if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) !=
		ffi::OPENSSL_NPN_NEGOTIATED
		{
		ffi::SSL_TLSEXT_ERR_NOACK
		} else {
		ffi::SSL_TLSEXT_ERR_OK
		}
		}

		/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`.
		///
		/// It chooses the protocol that the client wishes to use, out of the given list of protocols
		/// supported by the server. It achieves this by delegating to the `SSL_select_next_proto`
		/// function. The list of protocols supported by the client is found in the extra data of the
		/// OpenSSL context.
		pub extern "C" fn raw_next_proto_select_cb(
		ssl: *mut ffi::SSL,
		out: mut mut c_uchar,
		outlen: *mut c_uchar,
		inbuf: *const c_uchar,
		inlen: c_uint,
		_arg: *mut c_void,
		) -> c_int {
		unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) }
		}

		#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
		pub extern "C" fn raw_alpn_select_cb(
		ssl: *mut ffi::SSL,
		out: mut const c_uchar,
		outlen: *mut c_uchar,
		inbuf: *const c_uchar,
		inlen: c_uint,
		_arg: *mut c_void,
		) -> c_int {
		unsafe { select_proto_using(ssl, out as mut _, outlen, inbuf, inlen, ALPN_PROTOS_IDX) }
		}

		pub unsafe extern "C" fn raw_tmp_dh<F>(
		ssl: *mut ffi::SSL,
		is_export: c_int,
		keylength: c_int,
		) -> *mut ffi::DH
		where
		F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send,
		{
		let ctx = ffi::SSL_get_SSL_CTX(ssl);
		let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>());
		let callback = &(callback as mut F);

		let ssl = SslRef::from_ptr_mut(ssl);
		match callback(ssl, is_export != 0, keylength as u32) {
		Ok(dh) => {
		let ptr = dh.as_ptr();
		mem::forget(dh);
		ptr
		}
		Err(_) => {
		// FIXME reset error stack
		ptr::null_mut()
		}
		}
		}

		#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
		pub unsafe extern "C" fn raw_tmp_ecdh<F>(
		ssl: *mut ffi::SSL,
		is_export: c_int,
		keylength: c_int,
		) -> *mut ffi::EC_KEY
		where
		F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send,
		{
		let ctx = ffi::SSL_get_SSL_CTX(ssl);
		let callback = ffi::SSL_CTX_get_ex_data(ctx, get_callback_idx::<F>());
		let callback = &(callback as mut F);

		let ssl = SslRef::from_ptr_mut(ssl);
		match callback(ssl, is_export != 0, keylength as u32) {
		Ok(ec_key) => {
		let ptr = ec_key.as_ptr();
		mem::forget(ec_key);
		ptr
		}
		Err(_) => {
		// FIXME reset error stack
		ptr::null_mut()
		}
		}
		}

		pub unsafe extern "C" fn raw_tmp_dh_ssl<F>(
		ssl: *mut ffi::SSL,
		is_export: c_int,
		keylength: c_int,
		) -> *mut ffi::DH
		where
		F: Fn(&mut SslRef, bool, u32) -> Result<Dh, ErrorStack> + Any + 'static + Sync + Send,
		{
		let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>());
		let callback = &(callback as mut F);

		let ssl = SslRef::from_ptr_mut(ssl);
		match callback(ssl, is_export != 0, keylength as u32) {
		Ok(dh) => {
		let ptr = dh.as_ptr();
		mem::forget(dh);
		ptr
		}
		Err(_) => {
		// FIXME reset error stack
		ptr::null_mut()
		}
		}
		}

		#[cfg(any(all(feature = "v101", ossl101), all(feature = "v102", ossl102)))]
		pub unsafe extern "C" fn raw_tmp_ecdh_ssl<F>(
		ssl: *mut ffi::SSL,
		is_export: c_int,
		keylength: c_int,
		) -> *mut ffi::EC_KEY
		where
		F: Fn(&mut SslRef, bool, u32) -> Result<EcKey, ErrorStack> + Any + 'static + Sync + Send,
		{
		let callback = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<F>());
		let callback = &(callback as mut F);

		let ssl = SslRef::from_ptr_mut(ssl);
		match callback(ssl, is_export != 0, keylength as u32) {
		Ok(ec_key) => {
		let ptr = ec_key.as_ptr();
		mem::forget(ec_key);
		ptr
		}
		Err(_) => {
		// FIXME reset error stack
		ptr::null_mut()
		}
		}
		}

		pub unsafe extern "C" fn raw_tlsext_status<F>(ssl: mut ffi::SSL, _: mut c_void) -> c_int
		where
		F: Fn(&mut SslRef) -> Result<bool, ErrorStack> + Any + 'static + Sync + Send,
		{
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _);
		let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>());
		let callback = &(callback as mut F);

		let ssl = SslRef::from_ptr_mut(ssl);
		let ret = callback(ssl);

		if ssl.is_server() {
		match ret {
		Ok(true) => ffi::SSL_TLSEXT_ERR_OK,
		Ok(false) => ffi::SSL_TLSEXT_ERR_NOACK,
		Err(_) => {
		// FIXME reset error stack
		ffi::SSL_TLSEXT_ERR_ALERT_FATAL
		}
		}
		} else {
		match ret {
		Ok(true) => 1,
		Ok(false) => 0,
		Err(_) => {
		// FIXME reset error stack
		-1
		}
		}
		}
		}

		/// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`.
		///
		/// It causes the parameter `out` to point at a `*const c_uchar` instance that
		/// represents the list of protocols that the server should advertise as those
		/// that it supports.
		/// The list of supported protocols is found in the extra data of the OpenSSL
		/// context.
		pub extern "C" fn raw_next_protos_advertise_cb(
		ssl: *mut ffi::SSL,
		out: mut const c_uchar,
		outlen: *mut c_uint,
		_arg: *mut c_void,
		) -> c_int {
		unsafe {
		// First, get the list of (supported) protocols saved in the context extra data.
		let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl);
		let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX);
		if protocols.is_null() {
		*out = b"".as_ptr();
		*outlen = 0;
		} else {
		// If the pointer is valid, put the pointer to the actual byte array into the
		// output parameter `out`, as well as its length into `outlen`.
		let protocols: &Vec<u8> = &(protocols as mut Vec<u8>);
		*out = protocols.as_ptr();
		*outlen = protocols.len() as c_uint;
		}
		}

		ffi::SSL_TLSEXT_ERR_OK
		}

openssl/src/ssl/connector.rs

+30 −12

Original line number	Diff line number	Diff line
		@@ -7,6 +7,11 @@ use ssl::{self, SslMethod, SslContextBuilder, SslContext, Ssl, SSL_VERIFY_PEER,
		use pkey::PKeyRef;
		use x509::X509Ref;

		#[cfg(ossl101)]
		lazy_static! {
		static ref HOSTNAME_IDX: ::ex_data::Index<Ssl, String> = Ssl::new_ex_index().unwrap();
		}

		// ffdhe2048 from https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe2048
		const DHPARAM_PEM: &'static str = "
		-----BEGIN DH PARAMETERS-----
		@@ -55,7 +60,7 @@ impl SslConnectorBuilder {
		try!(ctx.set_cipher_list("ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:\
		DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:\
		RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES"));
		ctx.set_verify(SSL_VERIFY_PEER);
		setup_verify(&mut ctx);

		Ok(SslConnectorBuilder(ctx))
		}
		@@ -98,8 +103,6 @@ impl SslConnector {

		/// Initiates a client-side TLS session on a stream without performing hostname verification.
		///
		/// The verification configuration of the connector's `SslContext` is not overridden.
		///
		/// # Warning
		///
		/// You should think very carefully before you use this method. If hostname verification is not
		@@ -140,7 +143,7 @@ impl ConnectConfiguration {
		where S: Read + Write
		{
		try!(self.0.set_hostname(domain));
		try!(setup_verify(&mut self.0, domain));
		try!(setup_verify_hostname(&mut self.0, domain));

		self.0.connect(stream)
		}
		@@ -308,20 +311,35 @@ impl SslAcceptor {
		}

		#[cfg(any(ossl102, ossl110))]
		fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
		// pass a noop closure in here to ensure that we consistently override any callback on the
		// context
		ssl.set_verify_callback(SSL_VERIFY_PEER, \|p, _\| p);
		fn setup_verify(ctx: &mut SslContextBuilder) {
		ctx.set_verify(SSL_VERIFY_PEER);
		}

		#[cfg(ossl101)]
		fn setup_verify(ctx: &mut SslContextBuilder) {
		ctx.set_verify_callback(SSL_VERIFY_PEER, \|p, x509\| {
		let hostname = match x509.ssl() {
		Ok(Some(ssl)) => ssl.ex_data(*HOSTNAME_IDX),
		_ => None
		};
		match hostname {
		Some(hostname) => verify::verify_callback(hostname, p, x509),
		None => p,
		}
		});
		}

		#[cfg(any(ossl102, ossl110))]
		fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
		let param = ssl._param_mut();
		param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
		param.set_host(domain)
		}

		#[cfg(ossl101)]
		fn setup_verify(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
		let domain = domain.to_owned();
		ssl.set_verify_callback(SSL_VERIFY_PEER,
		move \|p, x\| verify::verify_callback(&domain, p, x));
		fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
		let domain = domain.to_string();
		ssl.set_ex_data(*HOSTNAME_IDX, domain);
		Ok(())
		}