Loading openssl-sys/src/lib.rs +9 −1 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ pub enum ASN1_TYPE {} pub enum BN_CTX {} pub enum BN_GENCB {} pub enum COMP_METHOD {} pub enum EC_KEY {} pub enum ENGINE {} pub enum EVP_CIPHER_CTX {} pub enum EVP_MD {} Loading Loading @@ -1042,6 +1043,7 @@ pub const RSA_PKCS1_OAEP_PADDING: c_int = 4; pub const RSA_X931_PADDING: c_int = 5; pub const SSL_CTRL_SET_TMP_DH: c_int = 3; pub const SSL_CTRL_SET_TMP_ECDH: c_int = 4; pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14; pub const SSL_CTRL_MODE: c_int = 33; pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41; Loading Loading @@ -1213,6 +1215,10 @@ pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void) } pub unsafe fn SSL_CTX_set_tmp_ecdh(ctx: *mut SSL_CTX, key: *mut EC_KEY) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, key as *mut c_void) } pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void) } Loading Loading @@ -1341,8 +1347,10 @@ extern { #[cfg(not(ossl101))] pub fn DH_get_2048_256() -> *mut DH; pub fn ERR_get_error() -> c_ulong; pub fn EC_KEY_new_by_curve_name(nid: c_int) -> *mut EC_KEY; pub fn EC_KEY_free(key: *mut EC_KEY); pub fn ERR_get_error() -> c_ulong; pub fn ERR_lib_error_string(err: c_ulong) -> *const c_char; pub fn ERR_func_error_string(err: c_ulong) -> *const c_char; pub fn ERR_reason_error_string(err: c_ulong) -> *const c_char; Loading openssl/src/dh.rs +26 −6 Original line number Diff line number Diff line Loading 
@@ -2,10 +2,24 @@ use ffi; use error::ErrorStack; use bio::MemBioSlice; use std::ptr; use std::mem; use std::ops::Deref; use {cvt, cvt_p}; use bn::BigNum; use std::mem; use opaque::Opaque; pub struct DhRef(Opaque); impl DhRef { pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef { &*(ptr as *mut _) } pub fn as_ptr(&self) -> *mut ffi::DH { self as *const _ as *mut _ } } pub struct Dh(*mut ffi::DH); Loading Loading @@ -56,16 +70,22 @@ impl Dh { cvt_p(ffi::DH_get_2048_256()).map(Dh) } } pub fn as_ptr(&self) -> *mut ffi::DH { self.0 } } impl Drop for Dh { fn drop(&mut self) { unsafe { ffi::DH_free(self.as_ptr()) ffi::DH_free(self.0) } } } impl Deref for Dh { type Target = DhRef; fn deref(&self) -> &DhRef { unsafe { DhRef::from_ptr(self.0) } } } Loading openssl/src/ec_key.rs 0 → 100644 +62 −0 Original line number Diff line number Diff line use ffi; use std::ops::Deref; use cvt_p; use error::ErrorStack; use nid::Nid; use opaque::Opaque; pub struct EcKeyRef(Opaque); impl EcKeyRef { pub unsafe fn from_ptr<'a>(ptr: *mut ffi::EC_KEY) -> &'a EcKeyRef { &*(ptr as *mut _) } pub fn as_ptr(&self) -> *mut ffi::EC_KEY { self as *const _ as *mut _ } } pub struct EcKey(*mut ffi::EC_KEY); impl Drop for EcKey { fn drop(&mut self) { unsafe { ffi::EC_KEY_free(self.0); } } } impl EcKey { pub fn new_by_curve_name(nid: Nid) -> Result<EcKey, ErrorStack> { unsafe { cvt_p(ffi::EC_KEY_new_by_curve_name(nid.as_raw())).map(EcKey) } } pub unsafe fn from_ptr(ptr: *mut ffi::EC_KEY) -> EcKey { EcKey(ptr) } } impl Deref for EcKey { type Target = EcKeyRef; fn deref(&self) -> &EcKeyRef { unsafe { EcKeyRef::from_ptr(self.0) } } } #[cfg(test)] mod test { use nid; use super::*; #[test] fn new_by_curve_name() { EcKey::new_by_curve_name(nid::X9_62_PRIME256V1).unwrap(); } } openssl/src/lib.rs +1 −0 Original line number Diff line number Diff line Loading 
@@ -28,6 +28,7 @@ pub mod bn; pub mod crypto; pub mod dh; pub mod dsa; pub mod ec_key; pub mod error; pub mod hash; pub mod memcmp; Loading openssl/src/ssl/connector.rs +19 −1 Original line number Diff line number Diff line Loading @@ -126,9 +126,11 @@ impl ServerConnectorBuilder { I::Item: AsRef<X509Ref> { let mut ctx = try!(ctx(method)); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ Loading Loading @@ -165,6 +167,22 @@ impl ServerConnectorBuilder { } } #[cfg(ossl101)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); ctx.set_tmp_ecdh(&curve) } #[cfg(ossl102)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { ctx._set_ecdh_auto(true) } #[cfg(ossl110)] fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { Ok(()) } /// A type which wraps server-side streams in a TLS session. /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL Loading Loading
openssl-sys/src/lib.rs +9 −1 Original line number Diff line number Diff line Loading @@ -24,6 +24,7 @@ pub enum ASN1_TYPE {} pub enum BN_CTX {} pub enum BN_GENCB {} pub enum COMP_METHOD {} pub enum EC_KEY {} pub enum ENGINE {} pub enum EVP_CIPHER_CTX {} pub enum EVP_MD {} Loading Loading @@ -1042,6 +1043,7 @@ pub const RSA_PKCS1_OAEP_PADDING: c_int = 4; pub const RSA_X931_PADDING: c_int = 5; pub const SSL_CTRL_SET_TMP_DH: c_int = 3; pub const SSL_CTRL_SET_TMP_ECDH: c_int = 4; pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14; pub const SSL_CTRL_MODE: c_int = 33; pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41; Loading Loading @@ -1213,6 +1215,10 @@ pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void) } pub unsafe fn SSL_CTX_set_tmp_ecdh(ctx: *mut SSL_CTX, key: *mut EC_KEY) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, key as *mut c_void) } pub unsafe fn SSL_CTX_add_extra_chain_cert(ctx: *mut SSL_CTX, x509: *mut X509) -> c_long { SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, x509 as *mut c_void) } Loading Loading @@ -1341,8 +1347,10 @@ extern { #[cfg(not(ossl101))] pub fn DH_get_2048_256() -> *mut DH; pub fn ERR_get_error() -> c_ulong; pub fn EC_KEY_new_by_curve_name(nid: c_int) -> *mut EC_KEY; pub fn EC_KEY_free(key: *mut EC_KEY); pub fn ERR_get_error() -> c_ulong; pub fn ERR_lib_error_string(err: c_ulong) -> *const c_char; pub fn ERR_func_error_string(err: c_ulong) -> *const c_char; pub fn ERR_reason_error_string(err: c_ulong) -> *const c_char; Loading
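Review bot: The new `SSL_CTX_set_tmp_ecdh` is a `pub unsafe fn` with no statement of its pointer contract or return value, and the sibling `SSL_CTX_set_tmp_dh` directly above it has none either, so safe-crate callers have nothing to tell them what `cvt` must check. Suggest a doc on the new wrapper such as `/// # Safety` / `/// ctx and key must be non-null pointers to live OpenSSL objects for the duration of the call.` plus `/// Returns the raw SSL_CTX_ctrl result (1 on success in OpenSSL's implementation).` The added `EC_KEY_new_by_curve_name` extern can return null for a curve the linked library does not provide, which is why the safe wrapper must go through `cvt_p`; a one-line comment on the extern saying so would save the next reader a trip to the OpenSSL docs. Moving `ERR_get_error` below the `EC_KEY_*` externs keeps the block alphabetical, which reads fine.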
openssl/src/dh.rs +26 −6 Original line number Diff line number Diff line Loading @@ -2,10 +2,24 @@ use ffi; use error::ErrorStack; use bio::MemBioSlice; use std::ptr; use std::mem; use std::ops::Deref; use {cvt, cvt_p}; use bn::BigNum; use std::mem; use opaque::Opaque; pub struct DhRef(Opaque); impl DhRef { pub unsafe fn from_ptr<'a>(ptr: *mut ffi::DH) -> &'a DhRef { &*(ptr as *mut _) } pub fn as_ptr(&self) -> *mut ffi::DH { self as *const _ as *mut _ } } pub struct Dh(*mut ffi::DH); Loading Loading @@ -56,16 +70,22 @@ impl Dh { cvt_p(ffi::DH_get_2048_256()).map(Dh) } } pub fn as_ptr(&self) -> *mut ffi::DH { self.0 } } impl Drop for Dh { fn drop(&mut self) { unsafe { ffi::DH_free(self.as_ptr()) ffi::DH_free(self.0) } } } impl Deref for Dh { type Target = DhRef; fn deref(&self) -> &DhRef { unsafe { DhRef::from_ptr(self.0) } } } Loading
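Review bot: `DhRef::from_ptr` returns a reference whose lifetime `'a` is chosen freely by the caller and is tied to nothing, yet the function carries no `# Safety` doc stating what the caller must guarantee. Suggest `/// # Safety` / `/// ptr must be non-null and point to a DH that stays alive and unfreed for 'a; the returned reference does not own it.` on `DhRef::from_ptr`, and a matching note on `Dh`'s `Deref` impl that the borrow of `self` is what bounds the lifetime there. Removing `as_ptr` from `Dh` and reaching it through `Deref` to `DhRef` keeps `dh.as_ptr()` compiling for existing callers but changes the receiver type, which is worth a sentence in the commit message. The `impl Dh` block begins outside the second hunk.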
openssl/src/ec_key.rs 0 → 100644 +62 −0 Original line number Diff line number Diff line use ffi; use std::ops::Deref; use cvt_p; use error::ErrorStack; use nid::Nid; use opaque::Opaque; pub struct EcKeyRef(Opaque); impl EcKeyRef { pub unsafe fn from_ptr<'a>(ptr: *mut ffi::EC_KEY) -> &'a EcKeyRef { &*(ptr as *mut _) } pub fn as_ptr(&self) -> *mut ffi::EC_KEY { self as *const _ as *mut _ } } pub struct EcKey(*mut ffi::EC_KEY); impl Drop for EcKey { fn drop(&mut self) { unsafe { ffi::EC_KEY_free(self.0); } } } impl EcKey { pub fn new_by_curve_name(nid: Nid) -> Result<EcKey, ErrorStack> { unsafe { cvt_p(ffi::EC_KEY_new_by_curve_name(nid.as_raw())).map(EcKey) } } pub unsafe fn from_ptr(ptr: *mut ffi::EC_KEY) -> EcKey { EcKey(ptr) } } impl Deref for EcKey { type Target = EcKeyRef; fn deref(&self) -> &EcKeyRef { unsafe { EcKeyRef::from_ptr(self.0) } } } #[cfg(test)] mod test { use nid; use super::*; #[test] fn new_by_curve_name() { EcKey::new_by_curve_name(nid::X9_62_PRIME256V1).unwrap(); } }
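Review bot: `EcKey::from_ptr` takes ownership of the pointer — `Drop` passes it to `EC_KEY_free` — while `EcKeyRef::from_ptr` with the same name does not, and neither documents the difference, which is exactly the kind of gap that turns into a double free at a call site. Suggest on `EcKey::from_ptr` `/// # Safety: takes ownership of ptr; it must be a valid EC_KEY allocated by OpenSSL that nothing else frees.` and on `EcKeyRef::from_ptr` `/// # Safety: ptr must be non-null and outlive 'a; ownership is not transferred.` None of the public items in this new file have `///` docs; `new_by_curve_name` should at least say that it returns the error stack when OpenSSL hands back null, for instance for a curve the linked library does not support. The test covers only one curve; a second case passing a `Nid` the library lacks and asserting `is_err()` would pin the null-to-error path, if such a nid is available in the crate.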
openssl/src/lib.rs +1 −0 Original line number Diff line number Diff line Loading @@ -28,6 +28,7 @@ pub mod bn; pub mod crypto; pub mod dh; pub mod dsa; pub mod ec_key; pub mod error; pub mod hash; pub mod memcmp; Loading
openssl/src/ssl/connector.rs +19 −1 Original line number Diff line number Diff line Loading @@ -126,9 +126,11 @@ impl ServerConnectorBuilder { I::Item: AsRef<X509Ref> { let mut ctx = try!(ctx(method)); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE); let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes())); try!(ctx.set_tmp_dh(&dh)); try!(setup_curves(&mut ctx)); try!(ctx.set_cipher_list( "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\ Loading Loading @@ -165,6 +167,22 @@ impl ServerConnectorBuilder { } } #[cfg(ossl101)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1)); ctx.set_tmp_ecdh(&curve) } #[cfg(ossl102)] fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> { ctx._set_ecdh_auto(true) } #[cfg(ossl110)] fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> { Ok(()) } /// A type which wraps server-side streams in a TLS session. /// /// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL Loading
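Review bot: The three `setup_curves` variants carry no comment explaining why the ossl110 one is a no-op, or why the ossl101 one may drop `curve` at the end of the function although the context keeps using the key. Suggest on the ossl110 variant `// OpenSSL 1.1.0 selects the ECDH curve automatically, so there is nothing to configure.` and on the ossl101 variant `// SSL_CTX_set_tmp_ecdh copies the key into the context, so dropping curve is fine; SSL_OP_SINGLE_ECDH_USE makes each handshake generate a fresh ephemeral key rather than reusing this one.` — both match OpenSSL 1.0.x/1.1.0 behaviour as I understand it, but should be confirmed against the versions the crate links. The ossl101 path hard-codes `X9_62_PRIME256V1`; a comment stating that P-256 is the deliberate default would stop a later reader from treating it as a placeholder, and `_set_ecdh_auto` with its leading underscore looks like an internal helper being promoted to a real call site. If a cfg for a newer OpenSSL is added later, no `setup_curves` is defined and the build fails, which is the right failure mode but worth a note next to the cfgs. The `ServerConnectorBuilder` method in the first hunk starts and ends outside it.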