Loading openssl-sys/Cargo.toml +1 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,7 @@ dtlsv1_2 = [] sslv2 = [] aes_xts = [] npn = [] alpn = [] [dependencies] libc = "0.1" Loading openssl-sys/src/lib.rs +19 −1 Original line number Diff line number Diff line Loading @@ -547,13 +547,31 @@ extern "C" { inlen: c_uint, arg: *mut c_void) -> c_int, arg: *mut c_void); #[cfg(feature = "npn")] #[cfg(any(feature = "alpn", feature = "npn"))] pub fn SSL_select_next_proto(out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, client: *const c_uchar, client_len: c_uint) -> c_int; #[cfg(feature = "npn")] pub fn SSL_get0_next_proto_negotiated(s: *const SSL, data: *mut *const c_uchar, len: *mut c_uint); #[cfg(feature = "alpn")] pub fn SSL_CTX_set_alpn_protos(s: *mut SSL_CTX, data: *const c_uchar, len: c_uint) -> c_int; #[cfg(feature = "alpn")] pub fn SSL_set_alpn_protos(s: *mut SSL, data: *const c_uchar, len: c_uint) -> c_int; #[cfg(feature = "alpn")] pub fn SSL_CTX_set_alpn_select_cb(ssl: *mut SSL_CTX, cb: extern "C" fn(ssl: *mut SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, arg: *mut c_void) -> c_int, arg: *mut c_void); #[cfg(feature = "alpn")] pub fn SSL_get0_alpn_selected(s: *const SSL, data: *mut *const c_uchar, len: *mut c_uint); pub fn X509_add_ext(x: *mut X509, ext: *mut X509_EXTENSION, loc: c_int) -> c_int; pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; pub fn X509_free(x: *mut X509); Loading openssl/Cargo.toml +1 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] alpn = ["openssl-sys/alpn"] [dependencies.openssl-sys] path = "../openssl-sys" Loading openssl/src/ssl/mod.rs +134 −54 Original line number Diff line number Diff line Loading @@ -13,9 +13,9 @@ use std::sync::{Once, ONCE_INIT, Arc, Mutex}; use std::ops::{Deref, DerefMut}; use std::cmp; use std::any::Any; #[cfg(feature = "npn")] #[cfg(any(feature = "npn", feature = "alpn"))] use libc::{c_uchar, c_uint}; #[cfg(feature = "npn")] #[cfg(any(feature = "npn", feature = "alpn"))] use std::slice; use bio::{MemBio}; Loading Loading @@ -170,49 +170,37 @@ lazy_static! { // Registers a destructor for the data which will be called // when context is freed fn get_verify_data_idx<T: Any + 'static>() -> c_int { extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, _argl: c_long, _argp: *mut c_void) { if ptr != 0 as *mut _ { let _: Box<T> = unsafe { mem::transmute(ptr) }; } } *INDEXES.lock().unwrap().entry(TypeId::of::<T>()).or_insert_with(|| { unsafe { let f: ffi::CRYPTO_EX_free = free_data_box::<T>; let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, Some(f)); assert!(idx >= 0); idx } get_new_idx::<T>() }) } /// Creates a static index for the list of NPN protocols. /// Registers a destructor for the data which will be called /// when the context is freed. #[cfg(feature = "npn")] fn get_npn_protos_idx() -> c_int { static mut NPN_PROTOS_IDX: c_int = -1; static mut INIT: Once = ONCE_INIT; lazy_static! { static ref NPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } #[cfg(feature = "alpn")] lazy_static! { static ref ALPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } extern fn free_data_box(_parent: *mut c_void, ptr: *mut c_void, /// Determine a new index to use for SSL CTX ex data. /// Registers a destruct for the data which will be called by openssl when the context is freed. fn get_new_idx<T>() -> c_int { extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, _argl: c_long, _argp: *mut c_void) { if !ptr.is_null() { let _: Box<Vec<u8>> = unsafe { mem::transmute(ptr) }; let _: Box<T> = unsafe { mem::transmute(ptr) }; } } unsafe { INIT.call_once(|| { let f: ffi::CRYPTO_EX_free = free_data_box; let f: ffi::CRYPTO_EX_free = free_data_box::<T>; let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, Some(f)); assert!(idx >= 0); NPN_PROTOS_IDX = idx; }); NPN_PROTOS_IDX idx } } Loading Loading @@ -264,22 +252,16 @@ extern fn raw_verify_with_data<T>(preverify_ok: c_int, } } /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. /// /// It chooses the protocol that the client wishes to use, out of the given list of protocols /// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` /// function. The list of protocols supported by the client is found in the extra data of the /// OpenSSL context. #[cfg(feature = "npn")] extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, #[cfg(any(feature = "npn", feature = "alpn"))] unsafe fn select_proto_using(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { ex_data: c_int) -> c_int { // First, get the list of protocols (that the client should support) saved in the context // extra data. let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data); let protocols: &Vec<u8> = mem::transmute(protocols); // Prepare the client list parameters to be passed to the OpenSSL function... let client = protocols.as_ptr(); Loading @@ -287,9 +269,33 @@ extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, // Finally, let OpenSSL find a protocol to be used, by matching the given server and // client lists. ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len); ffi::SSL_TLSEXT_ERR_OK } ffi::SSL_TLSEXT_ERR_OK /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. /// /// It chooses the protocol that the client wishes to use, out of the given list of protocols /// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` /// function. The list of protocols supported by the client is found in the extra data of the /// OpenSSL context. #[cfg(feature = "npn")] extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } } #[cfg(feature = "alpn")] extern fn raw_alpn_select_cb(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *ALPN_PROTOS_IDX) } } /// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. Loading @@ -306,7 +312,7 @@ extern fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, unsafe { // First, get the list of (supported) protocols saved in the context extra data. let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX); if protocols.is_null() { *out = b"".as_ptr(); *outlen = 0; Loading @@ -322,6 +328,24 @@ extern fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, ffi::SSL_TLSEXT_ERR_OK } /// Convert a set of byte slices into a series of byte strings encoded for SSL. Encoding is a byte /// containing the length followed by the string. #[cfg(any(feature = "npn", feature = "alpn"))] fn ssl_encode_byte_strings(strings: &[&[u8]]) -> Vec<u8> { let mut enc = Vec::new(); for string in strings { let len = string.len() as u8; if len as usize != string.len() { // If the item does not fit, discard it continue; } enc.push(len); enc.extend(string[..len as usize].to_vec()); } enc } /// The signature of functions that can be used to manually verify certificates pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; Loading Loading @@ -531,19 +555,12 @@ impl SslContext { pub fn set_npn_protocols(&mut self, protocols: &[&[u8]]) { // Firstly, convert the list of protocols to a byte-array that can be passed to OpenSSL // APIs -- a list of length-prefixed strings. let mut npn_protocols = Vec::new(); for protocol in protocols { let len = protocol.len() as u8; npn_protocols.push(len); // If the length is greater than the max `u8`, this truncates the protocol name. npn_protocols.extend(protocol[..len as usize].to_vec()); } let protocols: Box<Vec<u8>> = Box::new(npn_protocols); let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { // Attach the protocol list to the OpenSSL context structure, // so that we can refer to it within the callback. ffi::SSL_CTX_set_ex_data(self.ctx, get_npn_protos_idx(), ffi::SSL_CTX_set_ex_data(self.ctx, *NPN_PROTOS_IDX, mem::transmute(protocols)); // Now register the callback that performs the default protocol // matching based on the client-supported list of protocols that Loading @@ -554,6 +571,35 @@ impl SslContext { ffi::SSL_CTX_set_next_protos_advertised_cb(self.ctx, raw_next_protos_advertise_cb, ptr::null_mut()); } } /// Set the protocols to be used during ALPN (application layer protocol negotiation). /// If this is a server, these are the protocols we report to the client. /// If this is a client, these are the protocols we try to match with those reported by the /// server. /// /// Note that ordering of the protocols controls the priority with which they are chosen. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) { let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { // Set the context's internal protocol list for use if we are a server ffi::SSL_CTX_set_alpn_protos(self.ctx, protocols.as_ptr(), protocols.len() as c_uint); // Rather than use the argument to the callback to contain our data, store it in the // ssl ctx's ex_data so that we can configure a function to free it later. In the // future, it might make sense to pull this into our internal struct Ssl instead of // leaning on openssl and using function pointers. ffi::SSL_CTX_set_ex_data(self.ctx, *ALPN_PROTOS_IDX, mem::transmute(protocols)); // Now register the callback that performs the default protocol // matching based on the client-supported list of protocols that // has been saved. ffi::SSL_CTX_set_alpn_select_cb(self.ctx, raw_alpn_select_cb, ptr::null_mut()); } } } #[allow(dead_code)] Loading Loading @@ -695,6 +741,29 @@ impl Ssl { } } /// Returns the protocol selected by performing ALPN, if any. /// /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); let mut len: c_uint = 0; // Get the negotiated protocol from the SSL instance. // `data` will point at a `c_uchar` array; `len` will contain the length of this array. ffi::SSL_get0_alpn_selected(self.ssl, &mut data, &mut len); if data.is_null() { None } else { Some(slice::from_raw_parts(data, len as usize)) } } } /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). pub fn pending(&self) -> usize { unsafe { Loading Loading @@ -1176,6 +1245,17 @@ impl<S: Read+Write> SslStream<S> { self.kind.ssl().get_selected_npn_protocol() } /// Returns the protocol selected by performing ALPN, if any. /// /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { self.ssl.get_selected_alpn_protocol() } /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). pub fn pending(&self) -> usize { self.kind.ssl().pending() Loading openssl/src/ssl/tests.rs +113 −0 Original line number Diff line number Diff line Loading @@ -390,6 +390,28 @@ fn test_pending() { assert_eq!(pending, len); } /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] #[cfg(feature = "alpn")] fn test_connect_with_unilateral_alpn() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // Since the socket to which we connected is not configured to use NPN, // there should be no selected protocol... assert!(stream.get_selected_alpn_protocol().is_none()); } /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] Loading @@ -412,6 +434,30 @@ fn test_connect_with_unilateral_npn() { assert!(stream.get_selected_npn_protocol().is_none()); } /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_multiple_matching() { // A different port than the other tests: an `openssl` process that has // NPN enabled. let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The server prefers "http/1.1", so that is chosen, even though the client // would prefer "spdy/3.1" assert_eq!(b"http/1.1", stream.get_selected_alpn_protocol().unwrap()); } /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] Loading @@ -436,6 +482,32 @@ fn test_connect_with_npn_successful_multiple_matching() { assert_eq!(b"http/1.1", stream.get_selected_npn_protocol().unwrap()); } /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_single_match() { // A different port than the other tests: an `openssl` process that has // ALPN enabled. let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The client now only supports one of the server's protocols, so that one // is used. assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); } /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. Loading Loading @@ -502,6 +574,47 @@ fn test_npn_server_advertise_multiple() { assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); } /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] #[cfg(feature = "alpn")] fn test_alpn_server_advertise_multiple() { let localhost = "127.0.0.1:15420"; let listener = TcpListener::bind(localhost).unwrap(); // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); assert!(ctx.set_certificate_file( &Path::new("test/cert.pem"), X509FileType::PEM).is_ok()); ctx.set_private_key_file( &Path::new("test/key.pem"), X509FileType::PEM).unwrap(); ctx }; // Have the listener wait on the connection in a different thread. thread::spawn(move || { let (stream, _) = listener.accept().unwrap(); let _ = SslStream::new_server(&listener_ctx, stream).unwrap(); }); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } // Now connect to the socket and make sure the protocol negotiation works... let stream = TcpStream::connect(localhost).unwrap(); let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // SPDY is selected since that's the only thing the client supports. assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); } #[cfg(feature="dtlsv1")] #[cfg(test)] mod dtlsv1 { Loading Loading
openssl-sys/Cargo.toml +1 −0 Original line number Diff line number Diff line Loading @@ -19,6 +19,7 @@ dtlsv1_2 = [] sslv2 = [] aes_xts = [] npn = [] alpn = [] [dependencies] libc = "0.1" Loading
openssl-sys/src/lib.rs +19 −1 Original line number Diff line number Diff line Loading @@ -547,13 +547,31 @@ extern "C" { inlen: c_uint, arg: *mut c_void) -> c_int, arg: *mut c_void); #[cfg(feature = "npn")] #[cfg(any(feature = "alpn", feature = "npn"))] pub fn SSL_select_next_proto(out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, client: *const c_uchar, client_len: c_uint) -> c_int; #[cfg(feature = "npn")] pub fn SSL_get0_next_proto_negotiated(s: *const SSL, data: *mut *const c_uchar, len: *mut c_uint); #[cfg(feature = "alpn")] pub fn SSL_CTX_set_alpn_protos(s: *mut SSL_CTX, data: *const c_uchar, len: c_uint) -> c_int; #[cfg(feature = "alpn")] pub fn SSL_set_alpn_protos(s: *mut SSL, data: *const c_uchar, len: c_uint) -> c_int; #[cfg(feature = "alpn")] pub fn SSL_CTX_set_alpn_select_cb(ssl: *mut SSL_CTX, cb: extern "C" fn(ssl: *mut SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, arg: *mut c_void) -> c_int, arg: *mut c_void); #[cfg(feature = "alpn")] pub fn SSL_get0_alpn_selected(s: *const SSL, data: *mut *const c_uchar, len: *mut c_uint); pub fn X509_add_ext(x: *mut X509, ext: *mut X509_EXTENSION, loc: c_int) -> c_int; pub fn X509_digest(x: *mut X509, digest: *const EVP_MD, buf: *mut c_char, len: *mut c_uint) -> c_int; pub fn X509_free(x: *mut X509); Loading
openssl/Cargo.toml +1 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] alpn = ["openssl-sys/alpn"] [dependencies.openssl-sys] path = "../openssl-sys" Loading
openssl/src/ssl/mod.rs +134 −54 Original line number Diff line number Diff line Loading @@ -13,9 +13,9 @@ use std::sync::{Once, ONCE_INIT, Arc, Mutex}; use std::ops::{Deref, DerefMut}; use std::cmp; use std::any::Any; #[cfg(feature = "npn")] #[cfg(any(feature = "npn", feature = "alpn"))] use libc::{c_uchar, c_uint}; #[cfg(feature = "npn")] #[cfg(any(feature = "npn", feature = "alpn"))] use std::slice; use bio::{MemBio}; Loading Loading @@ -170,49 +170,37 @@ lazy_static! { // Registers a destructor for the data which will be called // when context is freed fn get_verify_data_idx<T: Any + 'static>() -> c_int { extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, _argl: c_long, _argp: *mut c_void) { if ptr != 0 as *mut _ { let _: Box<T> = unsafe { mem::transmute(ptr) }; } } *INDEXES.lock().unwrap().entry(TypeId::of::<T>()).or_insert_with(|| { unsafe { let f: ffi::CRYPTO_EX_free = free_data_box::<T>; let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, Some(f)); assert!(idx >= 0); idx } get_new_idx::<T>() }) } /// Creates a static index for the list of NPN protocols. /// Registers a destructor for the data which will be called /// when the context is freed. #[cfg(feature = "npn")] fn get_npn_protos_idx() -> c_int { static mut NPN_PROTOS_IDX: c_int = -1; static mut INIT: Once = ONCE_INIT; lazy_static! { static ref NPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } #[cfg(feature = "alpn")] lazy_static! { static ref ALPN_PROTOS_IDX: c_int = get_new_idx::<Vec<u8>>(); } extern fn free_data_box(_parent: *mut c_void, ptr: *mut c_void, /// Determine a new index to use for SSL CTX ex data. /// Registers a destruct for the data which will be called by openssl when the context is freed. fn get_new_idx<T>() -> c_int { extern fn free_data_box<T>(_parent: *mut c_void, ptr: *mut c_void, _ad: *mut ffi::CRYPTO_EX_DATA, _idx: c_int, _argl: c_long, _argp: *mut c_void) { if !ptr.is_null() { let _: Box<Vec<u8>> = unsafe { mem::transmute(ptr) }; let _: Box<T> = unsafe { mem::transmute(ptr) }; } } unsafe { INIT.call_once(|| { let f: ffi::CRYPTO_EX_free = free_data_box; let f: ffi::CRYPTO_EX_free = free_data_box::<T>; let idx = ffi::SSL_CTX_get_ex_new_index(0, ptr::null(), None, None, Some(f)); assert!(idx >= 0); NPN_PROTOS_IDX = idx; }); NPN_PROTOS_IDX idx } } Loading Loading @@ -264,22 +252,16 @@ extern fn raw_verify_with_data<T>(preverify_ok: c_int, } } /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. /// /// It chooses the protocol that the client wishes to use, out of the given list of protocols /// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` /// function. The list of protocols supported by the client is found in the extra data of the /// OpenSSL context. #[cfg(feature = "npn")] extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, #[cfg(any(feature = "npn", feature = "alpn"))] unsafe fn select_proto_using(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { ex_data: c_int) -> c_int { // First, get the list of protocols (that the client should support) saved in the context // extra data. let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, ex_data); let protocols: &Vec<u8> = mem::transmute(protocols); // Prepare the client list parameters to be passed to the OpenSSL function... let client = protocols.as_ptr(); Loading @@ -287,9 +269,33 @@ extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, // Finally, let OpenSSL find a protocol to be used, by matching the given server and // client lists. ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len); ffi::SSL_TLSEXT_ERR_OK } ffi::SSL_TLSEXT_ERR_OK /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. /// /// It chooses the protocol that the client wishes to use, out of the given list of protocols /// supported by the server. It achieves this by delegating to the `SSL_select_next_proto` /// function. The list of protocols supported by the client is found in the extra data of the /// OpenSSL context. #[cfg(feature = "npn")] extern fn raw_next_proto_select_cb(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *NPN_PROTOS_IDX) } } #[cfg(feature = "alpn")] extern fn raw_alpn_select_cb(ssl: *mut ffi::SSL, out: *mut *mut c_uchar, outlen: *mut c_uchar, inbuf: *const c_uchar, inlen: c_uint, _arg: *mut c_void) -> c_int { unsafe { select_proto_using(ssl, out, outlen, inbuf, inlen, *ALPN_PROTOS_IDX) } } /// The function is given as the callback to `SSL_CTX_set_next_protos_advertised_cb`. Loading @@ -306,7 +312,7 @@ extern fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, unsafe { // First, get the list of (supported) protocols saved in the context extra data. let ssl_ctx = ffi::SSL_get_SSL_CTX(ssl); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, get_npn_protos_idx()); let protocols = ffi::SSL_CTX_get_ex_data(ssl_ctx, *NPN_PROTOS_IDX); if protocols.is_null() { *out = b"".as_ptr(); *outlen = 0; Loading @@ -322,6 +328,24 @@ extern fn raw_next_protos_advertise_cb(ssl: *mut ffi::SSL, ffi::SSL_TLSEXT_ERR_OK } /// Convert a set of byte slices into a series of byte strings encoded for SSL. Encoding is a byte /// containing the length followed by the string. #[cfg(any(feature = "npn", feature = "alpn"))] fn ssl_encode_byte_strings(strings: &[&[u8]]) -> Vec<u8> { let mut enc = Vec::new(); for string in strings { let len = string.len() as u8; if len as usize != string.len() { // If the item does not fit, discard it continue; } enc.push(len); enc.extend(string[..len as usize].to_vec()); } enc } /// The signature of functions that can be used to manually verify certificates pub type VerifyCallback = fn(preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool; Loading Loading @@ -531,19 +555,12 @@ impl SslContext { pub fn set_npn_protocols(&mut self, protocols: &[&[u8]]) { // Firstly, convert the list of protocols to a byte-array that can be passed to OpenSSL // APIs -- a list of length-prefixed strings. let mut npn_protocols = Vec::new(); for protocol in protocols { let len = protocol.len() as u8; npn_protocols.push(len); // If the length is greater than the max `u8`, this truncates the protocol name. npn_protocols.extend(protocol[..len as usize].to_vec()); } let protocols: Box<Vec<u8>> = Box::new(npn_protocols); let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { // Attach the protocol list to the OpenSSL context structure, // so that we can refer to it within the callback. ffi::SSL_CTX_set_ex_data(self.ctx, get_npn_protos_idx(), ffi::SSL_CTX_set_ex_data(self.ctx, *NPN_PROTOS_IDX, mem::transmute(protocols)); // Now register the callback that performs the default protocol // matching based on the client-supported list of protocols that Loading @@ -554,6 +571,35 @@ impl SslContext { ffi::SSL_CTX_set_next_protos_advertised_cb(self.ctx, raw_next_protos_advertise_cb, ptr::null_mut()); } } /// Set the protocols to be used during ALPN (application layer protocol negotiation). /// If this is a server, these are the protocols we report to the client. /// If this is a client, these are the protocols we try to match with those reported by the /// server. /// /// Note that ordering of the protocols controls the priority with which they are chosen. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn set_alpn_protocols(&mut self, protocols: &[&[u8]]) { let protocols: Box<Vec<u8>> = Box::new(ssl_encode_byte_strings(protocols)); unsafe { // Set the context's internal protocol list for use if we are a server ffi::SSL_CTX_set_alpn_protos(self.ctx, protocols.as_ptr(), protocols.len() as c_uint); // Rather than use the argument to the callback to contain our data, store it in the // ssl ctx's ex_data so that we can configure a function to free it later. In the // future, it might make sense to pull this into our internal struct Ssl instead of // leaning on openssl and using function pointers. ffi::SSL_CTX_set_ex_data(self.ctx, *ALPN_PROTOS_IDX, mem::transmute(protocols)); // Now register the callback that performs the default protocol // matching based on the client-supported list of protocols that // has been saved. ffi::SSL_CTX_set_alpn_select_cb(self.ctx, raw_alpn_select_cb, ptr::null_mut()); } } } #[allow(dead_code)] Loading Loading @@ -695,6 +741,29 @@ impl Ssl { } } /// Returns the protocol selected by performing ALPN, if any. /// /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { unsafe { let mut data: *const c_uchar = ptr::null(); let mut len: c_uint = 0; // Get the negotiated protocol from the SSL instance. // `data` will point at a `c_uchar` array; `len` will contain the length of this array. ffi::SSL_get0_alpn_selected(self.ssl, &mut data, &mut len); if data.is_null() { None } else { Some(slice::from_raw_parts(data, len as usize)) } } } /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). pub fn pending(&self) -> usize { unsafe { Loading Loading @@ -1176,6 +1245,17 @@ impl<S: Read+Write> SslStream<S> { self.kind.ssl().get_selected_npn_protocol() } /// Returns the protocol selected by performing ALPN, if any. /// /// The protocol's name is returned is an opaque sequence of bytes. It is up to the client /// to interpret it. /// /// This method needs the `alpn` feature. #[cfg(feature = "alpn")] pub fn get_selected_alpn_protocol(&self) -> Option<&[u8]> { self.ssl.get_selected_alpn_protocol() } /// pending() takes into account only bytes from the TLS/SSL record that is currently being processed (if any). pub fn pending(&self) -> usize { self.kind.ssl().pending() Loading
openssl/src/ssl/tests.rs +113 −0 Original line number Diff line number Diff line Loading @@ -390,6 +390,28 @@ fn test_pending() { assert_eq!(pending, len); } /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] #[cfg(feature = "alpn")] fn test_connect_with_unilateral_alpn() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // Since the socket to which we connected is not configured to use NPN, // there should be no selected protocol... assert!(stream.get_selected_alpn_protocol().is_none()); } /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] Loading @@ -412,6 +434,30 @@ fn test_connect_with_unilateral_npn() { assert!(stream.get_selected_npn_protocol().is_none()); } /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_multiple_matching() { // A different port than the other tests: an `openssl` process that has // NPN enabled. let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The server prefers "http/1.1", so that is chosen, even though the client // would prefer "spdy/3.1" assert_eq!(b"http/1.1", stream.get_selected_alpn_protocol().unwrap()); } /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap, the correct protocol is chosen. #[test] Loading @@ -436,6 +482,32 @@ fn test_connect_with_npn_successful_multiple_matching() { assert_eq!(b"http/1.1", stream.get_selected_npn_protocol().unwrap()); } /// Tests that when both the client as well as the server use ALPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_single_match() { // A different port than the other tests: an `openssl` process that has // ALPN enabled. let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // The client now only supports one of the server's protocols, so that one // is used. assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); } /// Tests that when both the client as well as the server use NPN and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. Loading Loading @@ -502,6 +574,47 @@ fn test_npn_server_advertise_multiple() { assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); } /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] #[cfg(feature = "alpn")] fn test_alpn_server_advertise_multiple() { let localhost = "127.0.0.1:15420"; let listener = TcpListener::bind(localhost).unwrap(); // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); assert!(ctx.set_certificate_file( &Path::new("test/cert.pem"), X509FileType::PEM).is_ok()); ctx.set_private_key_file( &Path::new("test/key.pem"), X509FileType::PEM).unwrap(); ctx }; // Have the listener wait on the connection in a different thread. thread::spawn(move || { let (stream, _) = listener.accept().unwrap(); let _ = SslStream::new_server(&listener_ctx, stream).unwrap(); }); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } // Now connect to the socket and make sure the protocol negotiation works... let stream = TcpStream::connect(localhost).unwrap(); let stream = match SslStream::new(&ctx, stream) { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; // SPDY is selected since that's the only thing the client supports. assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); } #[cfg(feature="dtlsv1")] #[cfg(test)] mod dtlsv1 { Loading
