Loading openssl/src/ssl/callbacks.rs +93 −0 Original line number Diff line number Diff line use ffi; use libc::{c_char, c_int, c_uchar, c_uint, c_void}; #[cfg(all(feature = "v111", ossl111))] use libc::size_t; #[cfg(all(feature = "v111", ossl111))] use std::borrow::Cow; use std::ffi::CStr; use std::ptr; use std::slice; Loading @@ -20,6 +24,10 @@ use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslContext all(feature = "v111", ossl111)))] use ssl::AlpnError; use x509::X509StoreContextRef; #[cfg(all(feature = "v111", ossl111))] use ssl::ExtensionContext; #[cfg(all(feature = "v111", ossl111))] use x509::X509Ref; pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int where Loading Loading @@ -416,3 +424,88 @@ where callback(ssl, slice) as c_int } } #[cfg(all(feature = "v111", ossl111))] pub struct CustomExtAddState(Option<Cow<'static, [u8]>>); #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_add<F>(ssl: *mut ffi::SSL, _: c_uint, context: c_uint, out: *mut *const c_uchar, outlen: *mut size_t, x: *mut ffi::X509, chainidx: size_t, al: *mut c_int, _: *mut c_void) -> c_int where F: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static { unsafe { let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); let callback = &*(callback as *mut F); let ssl = SslRef::from_ptr_mut(ssl); let ectx = ExtensionContext::from_bits_truncate(context); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; match (callback)(ssl, ectx, cert) { Ok(None) => 0, Ok(Some(buf)) => { *outlen = buf.len() as size_t; *out = buf.as_ptr(); let idx = get_ssl_callback_idx::<CustomExtAddState>(); let ptr = ffi::SSL_get_ex_data(ssl.as_ptr(), idx); if ptr.is_null() { let x = Box::into_raw(Box::<CustomExtAddState>::new(CustomExtAddState(Some(buf)))) as *mut c_void; ffi::SSL_set_ex_data(ssl.as_ptr(), idx, x); } else { *(ptr as *mut _) = CustomExtAddState(Some(buf)) } 1 } Err(alert) => { *al = alert.0; -1 } } } } #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_free(ssl: *mut ffi::SSL, _: c_uint, _: c_uint, _: *mut *const c_uchar, _: *mut c_void) { unsafe { let state = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<CustomExtAddState>()); let state = &mut (*(state as *mut CustomExtAddState)).0; state.take(); } } #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_parse<F>(ssl: *mut ffi::SSL, _: c_uint, context: c_uint, input: *const c_uchar, inlen: size_t, x: *mut ffi::X509, chainidx: size_t, al: *mut c_int, _: *mut c_void) -> c_int where F: FnMut(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static { unsafe { let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); let ssl = SslRef::from_ptr_mut(ssl); let callback = &mut *(callback as *mut F); let ectx = ExtensionContext::from_bits_truncate(context); let slice = slice::from_raw_parts(input as *const u8, inlen as usize); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; match callback(ssl, ectx, slice, cert) { Ok(()) => 1, Err(alert) => { *al = alert.0; 0 } } } } openssl/src/ssl/mod.rs +76 −0 Original line number Diff line number Diff line Loading @@ -61,6 +61,8 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void}; use std::any::TypeId; #[cfg(all(feature = "v111", ossl111))] use std::borrow::Cow; use std::cmp; use std::collections::HashMap; use std::ffi::{CStr, CString}; Loading Loading @@ -363,6 +365,36 @@ bitflags! { } } #[cfg(all(feature = "v111", ossl111))] bitflags! { /// Which messages and under which conditions an extension should be added or expected. pub struct ExtensionContext: c_uint { /// This extension is only allowed in TLS const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; /// This extension is only allowed in DTLS const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY; /// Some extensions may be allowed in DTLS but we don't implement them for it const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY; /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED; /// Extension is only defined for TLS1.2 and below const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY; /// Extension is only defined for TLS1.3 and above const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY; /// Ignore this extension during parsing if we are resuming const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION; const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO; /// Really means TLS1.2 or below const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO; const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO; const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST; const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE; const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET; const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST; } } /// An identifier of the format of a certificate or key file. #[derive(Copy, Clone)] pub struct SslFiletype(c_int); Loading Loading @@ -501,6 +533,8 @@ pub struct SslAlert(c_int); impl SslAlert { /// Alert 112 - `unrecognized_name`. pub const UNRECOGNIZED_NAME: SslAlert = SslAlert(ffi::SSL_AD_UNRECOGNIZED_NAME); pub const ILLEGAL_PARAMETER: SslAlert = SslAlert(ffi::SSL_AD_ILLEGAL_PARAMETER); pub const DECODE_ERROR: SslAlert = SslAlert(ffi::SSL_AD_DECODE_ERROR); } /// An error returned from an ALPN selection callback. Loading Loading @@ -1471,6 +1505,48 @@ impl SslContextBuilder { } } /// Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions. /// /// This corresponds to [`SSL_CTX_add_custom_ext`]. /// /// [`SSL_CTX_add_custom_ext`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html #[cfg(all(feature = "v111", ossl111))] pub fn add_custom_ext<AddFn, ParseFn>(&mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn) -> Result<(), ErrorStack> where AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static + Sync + Send, ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static + Sync + Send, { let ret = unsafe { let add_cb = Box::new(add_cb); ffi::SSL_CTX_set_ex_data( self.as_ptr(), get_callback_idx::<AddFn>(), Box::into_raw(add_cb) as *mut _ ); let parse_cb = Box::new(parse_cb); ffi::SSL_CTX_set_ex_data( self.as_ptr(), get_callback_idx::<ParseFn>(), Box::into_raw(parse_cb) as *mut _, ); ffi::SSL_CTX_add_custom_ext(self.as_ptr(), ext_type as c_uint, context.bits(), Some(raw_custom_ext_add::<AddFn>), Some(raw_custom_ext_free), ptr::null_mut(), Some(raw_custom_ext_parse::<ParseFn>), ptr::null_mut()) }; if ret == 1 { Ok(()) } else { Err(ErrorStack::get()) } } /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 Loading openssl/src/ssl/test.rs +38 −0 Original line number Diff line number Diff line Loading @@ -1353,6 +1353,44 @@ fn no_version_overlap() { guard.join().unwrap(); } #[test] #[cfg(all(feature = "v111", ossl111))] fn custom_extensions() { static FOUND_EXTENSION: AtomicBool = ATOMIC_BOOL_INIT; let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let addr = listener.local_addr().unwrap(); let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_certificate_file(&Path::new("test/cert.pem"), SslFiletype::PEM) .unwrap(); ctx.set_private_key_file(&Path::new("test/key.pem"), SslFiletype::PEM) .unwrap(); ctx.add_custom_ext( 12345, ssl::ExtensionContext::CLIENT_HELLO, |_, _, _| unreachable!(), |_, _, data, _| { FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); Ok(()) } ).unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.accept(stream).unwrap(); }); let stream = TcpStream::connect(addr).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.add_custom_ext( 12345, ssl::ExtensionContext::CLIENT_HELLO, |_, _, _| Ok(Some(b"hello"[..].into())), |_, _, _, _| unreachable!() ).unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); guard.join().unwrap(); assert!(FOUND_EXTENSION.load(Ordering::SeqCst)); } fn _check_kinds() { fn is_send<T: Send>() {} fn is_sync<T: Sync>() {} Loading Loading
openssl/src/ssl/callbacks.rs +93 −0 Original line number Diff line number Diff line use ffi; use libc::{c_char, c_int, c_uchar, c_uint, c_void}; #[cfg(all(feature = "v111", ossl111))] use libc::size_t; #[cfg(all(feature = "v111", ossl111))] use std::borrow::Cow; use std::ffi::CStr; use std::ptr; use std::slice; Loading @@ -20,6 +24,10 @@ use ssl::{get_callback_idx, get_ssl_callback_idx, SniError, SslAlert, SslContext all(feature = "v111", ossl111)))] use ssl::AlpnError; use x509::X509StoreContextRef; #[cfg(all(feature = "v111", ossl111))] use ssl::ExtensionContext; #[cfg(all(feature = "v111", ossl111))] use x509::X509Ref; pub extern "C" fn raw_verify<F>(preverify_ok: c_int, x509_ctx: *mut ffi::X509_STORE_CTX) -> c_int where Loading Loading @@ -416,3 +424,88 @@ where callback(ssl, slice) as c_int } } #[cfg(all(feature = "v111", ossl111))] pub struct CustomExtAddState(Option<Cow<'static, [u8]>>); #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_add<F>(ssl: *mut ffi::SSL, _: c_uint, context: c_uint, out: *mut *const c_uchar, outlen: *mut size_t, x: *mut ffi::X509, chainidx: size_t, al: *mut c_int, _: *mut c_void) -> c_int where F: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static { unsafe { let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); let callback = &*(callback as *mut F); let ssl = SslRef::from_ptr_mut(ssl); let ectx = ExtensionContext::from_bits_truncate(context); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; match (callback)(ssl, ectx, cert) { Ok(None) => 0, Ok(Some(buf)) => { *outlen = buf.len() as size_t; *out = buf.as_ptr(); let idx = get_ssl_callback_idx::<CustomExtAddState>(); let ptr = ffi::SSL_get_ex_data(ssl.as_ptr(), idx); if ptr.is_null() { let x = Box::into_raw(Box::<CustomExtAddState>::new(CustomExtAddState(Some(buf)))) as *mut c_void; ffi::SSL_set_ex_data(ssl.as_ptr(), idx, x); } else { *(ptr as *mut _) = CustomExtAddState(Some(buf)) } 1 } Err(alert) => { *al = alert.0; -1 } } } } #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_free(ssl: *mut ffi::SSL, _: c_uint, _: c_uint, _: *mut *const c_uchar, _: *mut c_void) { unsafe { let state = ffi::SSL_get_ex_data(ssl, get_ssl_callback_idx::<CustomExtAddState>()); let state = &mut (*(state as *mut CustomExtAddState)).0; state.take(); } } #[cfg(all(feature = "v111", ossl111))] pub extern "C" fn raw_custom_ext_parse<F>(ssl: *mut ffi::SSL, _: c_uint, context: c_uint, input: *const c_uchar, inlen: size_t, x: *mut ffi::X509, chainidx: size_t, al: *mut c_int, _: *mut c_void) -> c_int where F: FnMut(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static { unsafe { let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl as *const _); let callback = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_callback_idx::<F>()); let ssl = SslRef::from_ptr_mut(ssl); let callback = &mut *(callback as *mut F); let ectx = ExtensionContext::from_bits_truncate(context); let slice = slice::from_raw_parts(input as *const u8, inlen as usize); let cert = if ectx.contains(ExtensionContext::TLS1_3_CERTIFICATE) { Some((chainidx, X509Ref::from_ptr(x))) } else { None }; match callback(ssl, ectx, slice, cert) { Ok(()) => 1, Err(alert) => { *al = alert.0; 0 } } } }
openssl/src/ssl/mod.rs +76 −0 Original line number Diff line number Diff line Loading @@ -61,6 +61,8 @@ use ffi; use foreign_types::{ForeignType, ForeignTypeRef, Opaque}; use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_void}; use std::any::TypeId; #[cfg(all(feature = "v111", ossl111))] use std::borrow::Cow; use std::cmp; use std::collections::HashMap; use std::ffi::{CStr, CString}; Loading Loading @@ -363,6 +365,36 @@ bitflags! { } } #[cfg(all(feature = "v111", ossl111))] bitflags! { /// Which messages and under which conditions an extension should be added or expected. pub struct ExtensionContext: c_uint { /// This extension is only allowed in TLS const TLS_ONLY = ffi::SSL_EXT_TLS_ONLY; /// This extension is only allowed in DTLS const DTLS_ONLY = ffi::SSL_EXT_DTLS_ONLY; /// Some extensions may be allowed in DTLS but we don't implement them for it const TLS_IMPLEMENTATION_ONLY = ffi::SSL_EXT_TLS_IMPLEMENTATION_ONLY; /// Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is const SSL3_ALLOWED = ffi::SSL_EXT_SSL3_ALLOWED; /// Extension is only defined for TLS1.2 and below const TLS1_2_AND_BELOW_ONLY = ffi::SSL_EXT_TLS1_2_AND_BELOW_ONLY; /// Extension is only defined for TLS1.3 and above const TLS1_3_ONLY = ffi::SSL_EXT_TLS1_3_ONLY; /// Ignore this extension during parsing if we are resuming const IGNORE_ON_RESUMPTION = ffi::SSL_EXT_IGNORE_ON_RESUMPTION; const CLIENT_HELLO = ffi::SSL_EXT_CLIENT_HELLO; /// Really means TLS1.2 or below const TLS1_2_SERVER_HELLO = ffi::SSL_EXT_TLS1_2_SERVER_HELLO; const TLS1_3_SERVER_HELLO = ffi::SSL_EXT_TLS1_3_SERVER_HELLO; const TLS1_3_ENCRYPTED_EXTENSIONS = ffi::SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS; const TLS1_3_HELLO_RETRY_REQUEST = ffi::SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST; const TLS1_3_CERTIFICATE = ffi::SSL_EXT_TLS1_3_CERTIFICATE; const TLS1_3_NEW_SESSION_TICKET = ffi::SSL_EXT_TLS1_3_NEW_SESSION_TICKET; const TLS1_3_CERTIFICATE_REQUEST = ffi::SSL_EXT_TLS1_3_CERTIFICATE_REQUEST; } } /// An identifier of the format of a certificate or key file. #[derive(Copy, Clone)] pub struct SslFiletype(c_int); Loading Loading @@ -501,6 +533,8 @@ pub struct SslAlert(c_int); impl SslAlert { /// Alert 112 - `unrecognized_name`. pub const UNRECOGNIZED_NAME: SslAlert = SslAlert(ffi::SSL_AD_UNRECOGNIZED_NAME); pub const ILLEGAL_PARAMETER: SslAlert = SslAlert(ffi::SSL_AD_ILLEGAL_PARAMETER); pub const DECODE_ERROR: SslAlert = SslAlert(ffi::SSL_AD_DECODE_ERROR); } /// An error returned from an ALPN selection callback. Loading Loading @@ -1471,6 +1505,48 @@ impl SslContextBuilder { } } /// Adds a custom extension for a TLS/DTLS client or server for all supported protocol versions. /// /// This corresponds to [`SSL_CTX_add_custom_ext`]. /// /// [`SSL_CTX_add_custom_ext`]: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_add_custom_ext.html #[cfg(all(feature = "v111", ossl111))] pub fn add_custom_ext<AddFn, ParseFn>(&mut self, ext_type: u16, context: ExtensionContext, add_cb: AddFn, parse_cb: ParseFn) -> Result<(), ErrorStack> where AddFn: Fn(&mut SslRef, ExtensionContext, Option<(usize, &X509Ref)>) -> Result<Option<Cow<'static, [u8]>>, SslAlert> + 'static + Sync + Send, ParseFn: Fn(&mut SslRef, ExtensionContext, &[u8], Option<(usize, &X509Ref)>) -> Result<(), SslAlert> + 'static + Sync + Send, { let ret = unsafe { let add_cb = Box::new(add_cb); ffi::SSL_CTX_set_ex_data( self.as_ptr(), get_callback_idx::<AddFn>(), Box::into_raw(add_cb) as *mut _ ); let parse_cb = Box::new(parse_cb); ffi::SSL_CTX_set_ex_data( self.as_ptr(), get_callback_idx::<ParseFn>(), Box::into_raw(parse_cb) as *mut _, ); ffi::SSL_CTX_add_custom_ext(self.as_ptr(), ext_type as c_uint, context.bits(), Some(raw_custom_ext_add::<AddFn>), Some(raw_custom_ext_free), ptr::null_mut(), Some(raw_custom_ext_parse::<ParseFn>), ptr::null_mut()) }; if ret == 1 { Ok(()) } else { Err(ErrorStack::get()) } } /// Consumes the builder, returning a new `SslContext`. pub fn build(self) -> SslContext { self.0 Loading
openssl/src/ssl/test.rs +38 −0 Original line number Diff line number Diff line Loading @@ -1353,6 +1353,44 @@ fn no_version_overlap() { guard.join().unwrap(); } #[test] #[cfg(all(feature = "v111", ossl111))] fn custom_extensions() { static FOUND_EXTENSION: AtomicBool = ATOMIC_BOOL_INIT; let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let addr = listener.local_addr().unwrap(); let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_certificate_file(&Path::new("test/cert.pem"), SslFiletype::PEM) .unwrap(); ctx.set_private_key_file(&Path::new("test/key.pem"), SslFiletype::PEM) .unwrap(); ctx.add_custom_ext( 12345, ssl::ExtensionContext::CLIENT_HELLO, |_, _, _| unreachable!(), |_, _, data, _| { FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); Ok(()) } ).unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.accept(stream).unwrap(); }); let stream = TcpStream::connect(addr).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.add_custom_ext( 12345, ssl::ExtensionContext::CLIENT_HELLO, |_, _, _| Ok(Some(b"hello"[..].into())), |_, _, _, _| unreachable!() ).unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); ssl.connect(stream).unwrap(); guard.join().unwrap(); assert!(FOUND_EXTENSION.load(Ordering::SeqCst)); } fn _check_kinds() { fn is_send<T: Send>() {} fn is_sync<T: Sync>() {} Loading
