From e8ee73d9dfc9efbcbd85b3f5178235361bf80213 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Thu, 26 Sep 2024 17:49:06 -0400 Subject: [PATCH 1/9] proj: restore gitignore When the `rustls-libssl` code was moved to the root of the repo I think the `.gitignore` got nuked. This commit restores the content we had before the move. --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..01de0fb --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +target/ +/.idea From 8e7276808774ca4aa0e539cd851d2c5329b9a304 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Fri, 27 Sep 2024 11:58:45 -0400 Subject: [PATCH 2/9] ci: try to fix dependabot This repo hasn't been receiving any dependabot PRs despite there being updates available (e.g. Rustls). Spot checking against a config in a repo that is working I _think_ the issue might be YAML whitespace related... Let's try to match to the other repo's config exactly. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c7b634c..577ef9f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,11 @@ version: 2 updates: -- package-ecosystem: cargo - directory: "/" - schedule: - interval: daily - open-pull-requests-limit: 10 -- package-ecosystem: github-actions - directory: "/" - schedule: - interval: weekly + - package-ecosystem: cargo + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 10 + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly From b37847ed55209d900f0a518dfe92aacc17b207cb Mon Sep 17 00:00:00 2001 
From: Daniel McCarney Date: Fri, 27 Sep 2024 12:13:03 -0400 Subject: [PATCH 3/9] Cargo: specify only major openssl-sys version We don't need a specific minimum version of the 0.9 release stream. --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index a1e0c25..c7c70c8 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,6 +13,6 @@ crate-type = ["cdylib"] env_logger = "0.10" log = "0.4" openssl-probe = "0.1" -openssl-sys = "0.9.98" +openssl-sys = "0.9" rustls = "0.23.5" rustls-pemfile = "2" From 85ed713155a8aacc499c976bbd212d99735501f2 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Fri, 27 Sep 2024 12:14:01 -0400 Subject: [PATCH 4/9] Cargo: update rustls 0.23.11 -> 0.23.13 --- Cargo.lock | 31 +++++++++++++++++++++---------- Cargo.toml | 2 +- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c8aea55..197936f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -13,9 +13,9 @@ dependencies = [ [[package]] name = "aws-lc-rs" -version = "1.7.0" +version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5509d663b2c00ee421bda8d6a24d6c42e15970957de1701b8df9f6fbe5707df1" +checksum = "2f95446d919226d587817a7d21379e6eb099b97b45110a7f272a444ca5c54070" dependencies = [ "aws-lc-sys", "mirai-annotations", @@ -25,9 +25,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.15.0" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d5d317212c2a78d86ba6622e969413c38847b62f48111f8b763af3dac2f9840" +checksum = "b3ddc4a5b231dd6958b140ff3151b6412b3f4321fab354f399eec8f14b06df62" dependencies = [ "bindgen", "cc", 
@@ -75,11 +75,13 @@ checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "cc" -version = "1.0.86" +version = "1.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9fa1897e4325be0d68d48df6aa1a71ac2ed4d27723887e7754192705350730" +checksum = "9540e661f81799159abee814118cc139a2004b3a3aa3ea37724a1b66530b90e0" dependencies = [ + "jobserver", "libc", + "shlex", ] [[package]] @@ -216,6 +218,15 @@ dependencies = [ "either", ] +[[package]] +name = "jobserver" +version = "0.1.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" +dependencies = [ + "libc", +] + [[package]] name = "lazy_static" version = "1.4.0" @@ -413,9 +424,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.11" +version = "0.23.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4828ea528154ae444e5a642dbb7d5623354030dc9822b83fd9bb79683c7399d0" +checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8" dependencies = [ "aws-lc-rs", "log", @@ -456,9 +467,9 @@ checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" [[package]] name = "rustls-webpki" -version = "0.102.5" +version = "0.102.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9a6fccd794a42c2c105b513a2f62bc3fd8f3ba57a4593677ceb0bd035164d78" +checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" dependencies = [ "aws-lc-rs", "ring", diff --git a/Cargo.toml b/Cargo.toml index c7c70c8..cfd5c34 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,5 +14,5 @@ env_logger = "0.10" log = "0.4" openssl-probe = "0.1" openssl-sys = "0.9" -rustls = "0.23.5" +rustls = "0.23" rustls-pemfile = "2" From 3891f91512971368c9e36806b923fe37835b1bbe Mon Sep 17 00:00:00 2001 
From: Daniel McCarney Date: Fri, 27 Sep 2024 12:14:54 -0400 Subject: [PATCH 5/9] Makefile: run admin/format as part of make format --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 728d7c2..ce2edfc 100644 --- a/Makefile +++ b/Makefile @@ -62,6 +62,7 @@ format: find src tests \ -name '*.[c|h]' | \ xargs clang-format -i + admin/format format-check: find src tests \ From 1ea8cac1206a5145ebcea10a293f383bbf8639c6 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Fri, 27 Sep 2024 12:17:19 -0400 Subject: [PATCH 6/9] implement SSL_alert_type_string[_long] This commit implements `SSL_alert_type_string()` and `SSL_alert_type_string_long()`. These functions act similarly to the existing `SSL_alert_desc_string()` and `SSL_alert_desc_string_long()` functions except returning a (short or long) string for the alert level (fatal, warning, unknown) instead of the alert description. --- MATRIX.md | 4 ++-- build.rs | 2 ++ src/constants.rs | 17 +++++++++++++++++ src/entry.rs | 14 ++++++++++++++ 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/MATRIX.md b/MATRIX.md index d63a586..4072caf 100644 --- a/MATRIX.md +++ b/MATRIX.md @@ -265,8 +265,8 @@ | `SSL_add_store_cert_subjects_to_stack` | | | | | `SSL_alert_desc_string` | | | :white_check_mark: | | `SSL_alert_desc_string_long` | :white_check_mark: | | :white_check_mark: | -| `SSL_alert_type_string` | | | | -| `SSL_alert_type_string_long` | | | | +| `SSL_alert_type_string` | | | :white_check_mark: | +| `SSL_alert_type_string_long` | | | :white_check_mark: | | `SSL_alloc_buffers` | | | | | `SSL_bytes_to_cipher_list` | | | | | `SSL_callback_ctrl` | | | | diff --git a/build.rs b/build.rs index 54a44b5..bdda599 100644 --- a/build.rs +++ b/build.rs 
@@ -49,6 +49,8 @@ const ENTRYPOINTS: &[&str] = &[
 "SSL_accept",
 "SSL_alert_desc_string",
 "SSL_alert_desc_string_long",
+ "SSL_alert_type_string",
+ "SSL_alert_type_string_long",
 "SSL_check_private_key",
 "SSL_CIPHER_description",
 "SSL_CIPHER_find",
diff --git a/src/constants.rs b/src/constants.rs
index f316acf..df0dbeb 100644
--- a/src/constants.rs
+++ b/src/constants.rs
@@ -4,6 +4,7 @@ use openssl_sys::{
 NID_ED25519, NID_ED448, NID_X25519, NID_X448,
 };
+use rustls::internal::msgs::enums::AlertLevel;
 use rustls::{AlertDescription, NamedGroup, SignatureScheme};
 pub fn alert_desc_to_long_string(value: c_int) -> &'static CStr {
@@ -88,6 +89,22 @@ pub fn alert_desc_to_short_string(value: c_int) -> &'static CStr {
 }
 }
+pub fn alert_level_to_short_string(value: u8) -> &'static CStr {
+ match AlertLevel::from(value) {
+ AlertLevel::Warning => c"W",
+ AlertLevel::Fatal => c"F",
+ _ => c"U",
+ }
+}
+
+pub fn alert_level_to_long_string(value: u8) -> &'static CStr {
+ match AlertLevel::from(value) {
+ AlertLevel::Warning => c"warning",
+ AlertLevel::Fatal => c"fatal",
+ _ => c"unknown",
+ }
+}
+
 pub fn sig_scheme_to_nid(scheme: SignatureScheme) -> Option {
 use SignatureScheme::*;
 match scheme {
diff --git a/src/entry.rs b/src/entry.rs
index 922bc43..b065593 100644
--- a/src/entry.rs
+++ b/src/entry.rs
@@ -77,6 +77,20 @@ entry! {
 }
 }
+entry! {
+ pub fn _SSL_alert_type_string(value: c_int) -> *const c_char {
+ crate::constants::alert_level_to_short_string(u8::try_from(value).unwrap_or_default())
+ .as_ptr() as *const c_char
+ }
+}
+
+entry! {
+ pub fn _SSL_alert_type_string_long(value: c_int) -> *const c_char {
+ crate::constants::alert_level_to_long_string(u8::try_from(value).unwrap_or_default())
+ .as_ptr() as *const c_char
+ }
+}
+
 entry! {
 pub fn _BIO_f_ssl() -> *const BIO_METHOD {
 &crate::bio::SSL_BIO_METHOD
From 923f70edfebad1a65017657cf600168d5d2ef1f7 Mon Sep 17 00:00:00 2001
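Review bot: `alert_level_to_short_string` and `alert_level_to_long_string` import `AlertLevel` from `rustls::internal::msgs::enums`, which rustls does not treat as stable API, while patch 4 of this series loosens the `rustls` requirement to `"0.23"`, so an ordinary dependency bump can break the build. The two level values are fixed by the TLS alert protocol (warning = 1, fatal = 2), so matching on the byte directly gives the same answers without the internal import: `match value { 1 => c"W", 2 => c"F", _ => c"U" }`. Both functions should also get a doc comment saying that `value` is the bare alert level byte and that reducing OpenSSL's `(level << 8) | description` form to that byte is the caller's job.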
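Review bot: `_SSL_alert_type_string` and `_SSL_alert_type_string_long` feed `value` straight into `u8::try_from`, but OpenSSL documents the argument as the value handed to the info callback, `(level << 8) | description`, and its implementation switches on `value >> 8`. For any real alert (for example 0x0228, a fatal handshake_failure) `try_from` fails, `unwrap_or_default` yields 0 and both functions answer "U"/"unknown". Use the high byte instead: `crate::constants::alert_level_to_short_string(u8::try_from(value >> 8).unwrap_or_default())`, and likewise in the `_long` variant; the `_SSL_alert_desc_string` wrappers above this hunk should be checked for the matching `value & 0xff` handling.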
From: Daniel McCarney Date: Fri, 27 Sep 2024 12:21:30 -0400 Subject: [PATCH 7/9] implement SSL_set_cipher_list This commit adds a very simple implementation of `SSL_set_cipher_list` that only returns success for the string "HIGH:!aNULL:!MD5", and otherwise raises a not supported error. This matches the pre-existing `SSL_CTX_set_cipher_list` that operated similarly for a `SSL_CTX` as this new fn operates for a `SSL`. --- MATRIX.md | 2 +- build.rs | 1 + src/entry.rs | 9 +++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/MATRIX.md b/MATRIX.md index 4072caf..db03042 100644 --- a/MATRIX.md +++ b/MATRIX.md @@ -427,7 +427,7 @@ | `SSL_set_bio` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_set_block_padding` | | | | | `SSL_set_cert_cb` | | | | -| `SSL_set_cipher_list` | | | | +| `SSL_set_cipher_list` | | | :white_check_mark: | | `SSL_set_ciphersuites` | | | | | `SSL_set_client_CA_list` | | | | | `SSL_set_connect_state` | :white_check_mark: | :white_check_mark: | :white_check_mark: | diff --git a/build.rs b/build.rs index bdda599..0d4789b 100644 --- a/build.rs +++ b/build.rs @@ -194,6 +194,7 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_set_accept_state", "SSL_set_alpn_protos", "SSL_set_bio", + "SSL_set_cipher_list", "SSL_set_connect_state", "SSL_set_ex_data", "SSL_set_fd", diff --git a/src/entry.rs b/src/entry.rs index b065593..4f62f2d 100644 --- a/src/entry.rs +++ b/src/entry.rs @@ -955,6 +955,15 @@ entry! { } } +entry! { + pub fn _SSL_set_cipher_list(_ssl: *mut SSL, str: *const c_char) -> c_int { + match try_str!(str) { + "HIGH:!aNULL:!MD5" => C_INT_SUCCESS, + _ => Error::not_supported("SSL_set_cipher_list").raise().into(), + } + } +} + entry! { pub fn _SSL_set_connect_state(ssl: *mut SSL) { try_clone_arc!(ssl).get_mut().set_client_mode() From 0f6989c54a4e1ada25a731f6a3b7cb9a9e52a3e4 Mon Sep 17 00:00:00 2001 
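Review bot: `_SSL_set_cipher_list` names its parameter `str`, which shadows the primitive type name inside the function; `cipher_list` reads better and matches what `try_str!` yields. The function also needs a doc comment because its success code is misleading: the single accepted string changes nothing, so a caller passing `"HIGH:!aNULL:!MD5"` to restrict suites gets `C_INT_SUCCESS` while rustls' own suite selection stays in force, and `_ssl` is never validated, so a null handle is accepted as well. Suggested comment above the fn: `// Only "HIGH:!aNULL:!MD5" is accepted, and even then nothing is applied: rustls keeps its built-in suite list (same behaviour as SSL_CTX_set_cipher_list).`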
From: Daniel McCarney Date: Fri, 27 Sep 2024 12:29:44 -0400 Subject: [PATCH 8/9] implement SSL_set_verify_result Overrides the value that will be returned by `SSL_get_verify_result()`. Is this smart to do? Probably not. --- MATRIX.md | 2 +- build.rs | 1 + src/entry.rs | 6 ++++++ src/lib.rs | 8 ++++++++ src/verifier.rs | 8 ++++++++ 5 files changed, 24 insertions(+), 1 deletion(-) diff --git a/MATRIX.md b/MATRIX.md index db03042..cfdc1db 100644 --- a/MATRIX.md +++ b/MATRIX.md @@ -475,7 +475,7 @@ | `SSL_set_trust` | | | | | `SSL_set_verify` | | :white_check_mark: | :white_check_mark: | | `SSL_set_verify_depth` | | :white_check_mark: | :white_check_mark: | -| `SSL_set_verify_result` | | | | +| `SSL_set_verify_result` | | | :white_check_mark: | | `SSL_set_wfd` [^sock] | | | | | `SSL_shutdown` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_srp_server_param_with_username` [^deprecatedin_3_0] [^srp] | | | | diff --git a/build.rs b/build.rs index 0d4789b..9b2fc9f 100644 --- a/build.rs +++ b/build.rs @@ -209,6 +209,7 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_set_SSL_CTX", "SSL_set_verify", "SSL_set_verify_depth", + "SSL_set_verify_result", "SSL_shutdown", "SSL_up_ref", "SSL_use_certificate", diff --git a/src/entry.rs b/src/entry.rs index 4f62f2d..81fc432 100644 --- a/src/entry.rs +++ b/src/entry.rs @@ -1294,6 +1294,12 @@ entry! { } } +entry! { + pub fn _SSL_set_verify_result(ssl: *mut SSL, v: c_long) { + try_clone_arc!(ssl).get().set_last_verification_result(v) + } +} + entry! { pub fn _SSL_get_certificate(ssl: *const SSL) -> *mut X509 { try_clone_arc!(ssl).get().get_certificate() diff --git a/src/lib.rs b/src/lib.rs index ff28608..4e8b75c 100644 --- a/src/lib.rs +++ b/src/lib.rs 
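Review bot: `_SSL_set_verify_result` passes `v: c_long` to `set_last_verification_result(&self, v: i64)` with no conversion, which only type-checks on targets where `c_long` is 64 bits; `i64::from(v)` is portable and costs nothing. A doc comment is also warranted because the call is security-relevant: it presumably replaces the verifier's recorded outcome, so a later `SSL_get_verify_result()` reports the caller's value even after a failed chain validation (OpenSSL behaves the same, but nothing checks that `v` is a known `X509_V_*` code). Suggested comment: `// Overrides the value later returned by SSL_get_verify_result(); v is stored as-is, unvalidated.`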
@@ -1395,6 +1395,14 @@ impl Ssl {
 }
 }
+ fn set_last_verification_result(&self, v: i64) {
+ match &self.conn {
+ ConnState::Client(_, verifier) => verifier.update_last_result(v),
+ ConnState::Server(_, verifier, _) => verifier.update_last_result(v),
+ _ => {}
+ }
+ }
+
 fn get_last_verification_sig_scheme(&self) -> Option {
 match &self.conn {
 ConnState::Client(_, verifier) => verifier.last_sig_scheme(),
diff --git a/src/verifier.rs b/src/verifier.rs
index 641d583..770afbf 100644
--- a/src/verifier.rs
+++ b/src/verifier.rs
@@ -66,6 +66,10 @@ impl ServerVerifier {
 self.last_result.load(Ordering::Acquire)
 }
+ pub fn update_last_result(&self, v: i64) {
+ self.last_result.store(v, Ordering::Relaxed);
+ }
+
 pub fn last_sig_scheme(&self) -> Option {
 self.last_sig_scheme.read().ok().map(|scheme| *scheme)?
 }
@@ -202,6 +206,10 @@ impl ClientVerifier {
 self.last_result.load(Ordering::Acquire)
 }
+ pub fn update_last_result(&self, v: i64) {
+ self.last_result.store(v, Ordering::Relaxed);
+ }
+
 pub fn last_sig_scheme(&self) -> Option {
 self.last_sig_scheme.read().ok().map(|scheme| *scheme)?
 }
From ca165c736a1d807c0f1f79186b0d1dfb22f0b2a1 Mon Sep 17 00:00:00 2001
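Review bot: `set_last_verification_result` silently discards the override when `self.conn` is in any state other than `Client` or `Server` (the `_ => {}` arm), so an application calling `SSL_set_verify_result()` before the connection mode is chosen sees neither an effect nor an error. That is a defensible choice but should be stated on the method: `/// Overrides the last verification result; a no-op when no verifier exists yet.` The enclosing `impl Ssl` continues outside the hunk.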
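Review bot: `update_last_result` stores with `Ordering::Relaxed` while `last_result()` two lines above loads with `Ordering::Acquire`; an Acquire load only synchronizes with a Release store, so the pair is inconsistent and the Acquire buys nothing. Use `self.last_result.store(v, Ordering::Release);` in both the `ServerVerifier` hunk here and the identical `ClientVerifier` hunk that follows, and add `/// Overrides the result reported by last_result(); backs SSL_set_verify_result.` to both.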
From: Daniel McCarney Date: Fri, 27 Sep 2024 12:39:00 -0400 Subject: [PATCH 9/9] stub a number of API functions Adds stub implementations for a variety of functions HTTPD's `mod_ssl.so` expects to be able to resolve: SSL_add_file_cert_subjects_to_stack SSL_client_hello_get0_ext, SSL_COMP_get_compression_methods, SSL_CTX_set0_tmp_dh_pkey, SSL_CTX_set_client_cert_cb, SSL_CTX_set_client_hello_cb, SSL_CTX_set_srp_cb_arg SSL_CTX_set_srp_username_callback, SSL_CTX_set_tlsext_ticket_key_evp_cb, SSL_get_ciphers, SSL_get_client_CA_list, SSL_get_finished, SSL_get_peer_finished, SSL_get_shared_ciphers, SSL_get_srp_userinfo, SSL_get_srp_username, SSL_peek, SSL_renegotiate, SSL_SESSION_get_compress_id, SSL_set_session_id_context, SSL_set_srp_server_param, SSL_state_string, SSL_state_string_long, SSL_verify_client_post_handshake, --- MATRIX.md | 48 +++++++-------- build.rs | 24 ++++++++ src/entry.rs | 166 ++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 212 insertions(+), 26 deletions(-) diff --git a/MATRIX.md b/MATRIX.md index cfdc1db..0c4f81a 100644 --- a/MATRIX.md +++ b/MATRIX.md @@ -44,7 +44,7 @@ | `SSL_CIPHER_standard_name` | | | :white_check_mark: | | `SSL_COMP_add_compression_method` | | | | | `SSL_COMP_get0_name` | | | | -| `SSL_COMP_get_compression_methods` | | | | +| `SSL_COMP_get_compression_methods` | | | :exclamation: [^stub] | | `SSL_COMP_get_id` | | | | | `SSL_COMP_get_name` | | | | | `SSL_COMP_set0_compression_methods` | | | | @@ -126,7 +126,7 @@ | `SSL_CTX_set0_CA_list` | | | | | `SSL_CTX_set0_ctlog_store` [^ct] | | | | | `SSL_CTX_set0_security_ex_data` | | | | -| `SSL_CTX_set0_tmp_dh_pkey` | | | | +| `SSL_CTX_set0_tmp_dh_pkey` | | | :exclamation: [^stub] | | `SSL_CTX_set1_cert_store` | | | | | `SSL_CTX_set1_param` | | | | | `SSL_CTX_set_allow_early_data_cb` | | | | 
@@ -141,9 +141,9 @@ | `SSL_CTX_set_cipher_list` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_CTX_set_ciphersuites` | :white_check_mark: | | :exclamation: [^stub] | | `SSL_CTX_set_client_CA_list` | | :white_check_mark: | :exclamation: [^stub] | -| `SSL_CTX_set_client_cert_cb` | | | | +| `SSL_CTX_set_client_cert_cb` | | | :exclamation: [^stub] | | `SSL_CTX_set_client_cert_engine` [^engine] | | | | -| `SSL_CTX_set_client_hello_cb` | | | | +| `SSL_CTX_set_client_hello_cb` | | | :exclamation: [^stub] | | `SSL_CTX_set_cookie_generate_cb` | | | | | `SSL_CTX_set_cookie_verify_cb` | | | | | `SSL_CTX_set_ct_validation_callback` [^ct] | | | | 
@@ -181,19 +181,19 @@ | `SSL_CTX_set_security_level` | | | | | `SSL_CTX_set_session_id_context` | | :white_check_mark: | :white_check_mark: | | `SSL_CTX_set_session_ticket_cb` | | | | -| `SSL_CTX_set_srp_cb_arg` [^deprecatedin_3_0] [^srp] | | | | +| `SSL_CTX_set_srp_cb_arg` [^deprecatedin_3_0] [^srp] | | | :exclamation: [^stub] | | `SSL_CTX_set_srp_client_pwd_callback` [^deprecatedin_3_0] [^srp] | | | | | `SSL_CTX_set_srp_password` [^deprecatedin_3_0] [^srp] | :white_check_mark: | | :exclamation: [^stub] | | `SSL_CTX_set_srp_strength` [^deprecatedin_3_0] [^srp] | | | | | `SSL_CTX_set_srp_username` [^deprecatedin_3_0] [^srp] | :white_check_mark: | | :exclamation: [^stub] | -| `SSL_CTX_set_srp_username_callback` [^deprecatedin_3_0] [^srp] | | | | +| `SSL_CTX_set_srp_username_callback` [^deprecatedin_3_0] [^srp] | | | :exclamation: [^stub] | | `SSL_CTX_set_srp_verify_param_callback` [^deprecatedin_3_0] [^srp] | | | | | `SSL_CTX_set_ssl_version` [^deprecatedin_3_0] | | | | | `SSL_CTX_set_stateless_cookie_generate_cb` | | | | | `SSL_CTX_set_stateless_cookie_verify_cb` | | | | | `SSL_CTX_set_timeout` | | :white_check_mark: | :white_check_mark: | | `SSL_CTX_set_tlsext_max_fragment_length` | | | | -| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | | | | +| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | | | :exclamation: [^stub] | | `SSL_CTX_set_tlsext_use_srtp` [^srtp] | | | | | `SSL_CTX_set_tmp_dh_callback` [^deprecatedin_3_0] [^dh] | | | | | `SSL_CTX_set_trust` | | | | @@ -224,7 +224,7 @@ | `SSL_SESSION_get0_peer` | | | | | `SSL_SESSION_get0_ticket` | | | | | `SSL_SESSION_get0_ticket_appdata` | | | | -| `SSL_SESSION_get_compress_id` | | | | +| `SSL_SESSION_get_compress_id` | | | :exclamation: [^stub] | | `SSL_SESSION_get_ex_data` | | | | | `SSL_SESSION_get_id` | | :white_check_mark: | :white_check_mark: | | `SSL_SESSION_get_master_key` | | | | 
@@ -260,7 +260,7 @@ | `SSL_add1_to_CA_list` | | | | | `SSL_add_client_CA` | | | | | `SSL_add_dir_cert_subjects_to_stack` | | | | -| `SSL_add_file_cert_subjects_to_stack` | | | | +| `SSL_add_file_cert_subjects_to_stack` | | | :exclamation: [^stub] | | `SSL_add_ssl_module` | | | | | `SSL_add_store_cert_subjects_to_stack` | | | | | `SSL_alert_desc_string` | | | :white_check_mark: | @@ -277,7 +277,7 @@ | `SSL_clear_options` | | :white_check_mark: | :white_check_mark: | | `SSL_client_hello_get0_ciphers` | | | | | `SSL_client_hello_get0_compression_methods` | | | | -| `SSL_client_hello_get0_ext` | | | | +| `SSL_client_hello_get0_ext` | | | :exclamation: [^stub] | | `SSL_client_hello_get0_legacy_version` | | | | | `SSL_client_hello_get0_random` | | | | | `SSL_client_hello_get0_session_id` | | | | @@ -324,8 +324,8 @@ | `SSL_get_certificate` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_get_changed_async_fds` | | | | | `SSL_get_cipher_list` | | | | -| `SSL_get_ciphers` | | | | -| `SSL_get_client_CA_list` | | | | +| `SSL_get_ciphers` | | | :exclamation: [^stub] | +| `SSL_get_client_CA_list` | | | :exclamation: [^stub] | | `SSL_get_client_ciphers` | | | | | `SSL_get_client_random` | | | | | `SSL_get_current_cipher` | :white_check_mark: | :white_check_mark: | :white_check_mark: | 
@@ -339,14 +339,14 @@ | `SSL_get_ex_data` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_get_ex_data_X509_STORE_CTX_idx` | | :white_check_mark: | :exclamation: [^stub] | | `SSL_get_fd` | | | | -| `SSL_get_finished` | | | | +| `SSL_get_finished` | | | :exclamation: [^stub] | | `SSL_get_info_callback` | | | | | `SSL_get_key_update_type` | | | | | `SSL_get_max_early_data` | | | | | `SSL_get_num_tickets` | | | :white_check_mark: | | `SSL_get_options` | | :white_check_mark: | :white_check_mark: | | `SSL_get_peer_cert_chain` | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| `SSL_get_peer_finished` | | | | +| `SSL_get_peer_finished` | | | :exclamation: [^stub] | | `SSL_get_peer_signature_type_nid` | :white_check_mark: | | :white_check_mark: | | `SSL_get_pending_cipher` | | | | | `SSL_get_privatekey` | :white_check_mark: | | :white_check_mark: | @@ -365,15 +365,15 @@ | `SSL_get_servername` | | :white_check_mark: | :white_check_mark: | | `SSL_get_servername_type` | | | :white_check_mark: | | `SSL_get_session` | | :white_check_mark: | :white_check_mark: | -| `SSL_get_shared_ciphers` | | | | +| `SSL_get_shared_ciphers` | | | :exclamation: [^stub] | | `SSL_get_shared_sigalgs` | | | | | `SSL_get_shutdown` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_get_sigalgs` | | | | | `SSL_get_signature_type_nid` | | | | | `SSL_get_srp_N` [^deprecatedin_3_0] [^srp] | | | | | `SSL_get_srp_g` [^deprecatedin_3_0] [^srp] | | | | -| `SSL_get_srp_userinfo` [^deprecatedin_3_0] [^srp] | | | | -| `SSL_get_srp_username` [^deprecatedin_3_0] [^srp] | | | | +| `SSL_get_srp_userinfo` [^deprecatedin_3_0] [^srp] | | | :exclamation: [^stub] | +| `SSL_get_srp_username` [^deprecatedin_3_0] [^srp] | | | :exclamation: [^stub] | | `SSL_get_srtp_profiles` [^srtp] | | | | | `SSL_get_ssl_method` | | | | | `SSL_get_state` | | | :white_check_mark: | 
@@ -397,13 +397,13 @@ | `SSL_load_client_CA_file_ex` | | | | | `SSL_new` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_new_session_ticket` | | | | -| `SSL_peek` | | | | +| `SSL_peek` | | | :exclamation: [^stub] | | `SSL_peek_ex` | | | | | `SSL_pending` | :white_check_mark: | | :white_check_mark: | | `SSL_read` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_read_early_data` | | :white_check_mark: | :exclamation: [^stub] | | `SSL_read_ex` | | | | -| `SSL_renegotiate` | | | | +| `SSL_renegotiate` | | | :exclamation: [^stub] | | `SSL_renegotiate_abbreviated` | | | | | `SSL_renegotiate_pending` | | | | | `SSL_rstate_string` | | | | @@ -461,12 +461,12 @@ | `SSL_set_security_callback` | | | | | `SSL_set_security_level` | | | | | `SSL_set_session` | :white_check_mark: | :white_check_mark: | :exclamation: [^stub] | -| `SSL_set_session_id_context` | | | | +| `SSL_set_session_id_context` | | | :exclamation: [^stub] | | `SSL_set_session_secret_cb` | | | | | `SSL_set_session_ticket_ext` | | | | | `SSL_set_session_ticket_ext_cb` | | | | | `SSL_set_shutdown` | | :white_check_mark: | :white_check_mark: | -| `SSL_set_srp_server_param` [^deprecatedin_3_0] [^srp] | | | | +| `SSL_set_srp_server_param` [^deprecatedin_3_0] [^srp] | | | :exclamation: [^stub] | | `SSL_set_srp_server_param_pw` [^deprecatedin_3_0] [^srp] | | | | | `SSL_set_ssl_method` | | | | | `SSL_set_tlsext_max_fragment_length` | | | | @@ -479,8 +479,8 @@ | `SSL_set_wfd` [^sock] | | | | | `SSL_shutdown` | :white_check_mark: | :white_check_mark: | :white_check_mark: | | `SSL_srp_server_param_with_username` [^deprecatedin_3_0] [^srp] | | | | -| `SSL_state_string` | | | | -| `SSL_state_string_long` | | | | +| `SSL_state_string` | | | :exclamation: [^stub] | +| `SSL_state_string_long` | | | :exclamation: [^stub] | | `SSL_stateless` | | | | | `SSL_test_functions` [^unit_test] | | | | | `SSL_trace` [^ssl_trace] | | | | 
@@ -497,7 +497,7 @@ | `SSL_use_certificate_chain_file` | | | | | `SSL_use_certificate_file` | | | | | `SSL_use_psk_identity_hint` [^psk] | | | | -| `SSL_verify_client_post_handshake` | | | | +| `SSL_verify_client_post_handshake` | | | :exclamation: [^stub] | | `SSL_version` | | :white_check_mark: | :white_check_mark: | | `SSL_waiting_for_async` | | | | | `SSL_want` | | | :white_check_mark: | diff --git a/build.rs b/build.rs index 9b2fc9f..6de4542 100644 --- a/build.rs +++ b/build.rs @@ -47,6 +47,7 @@ const ENTRYPOINTS: &[&str] = &[ "i2d_SSL_SESSION", "OPENSSL_init_ssl", "SSL_accept", + "SSL_add_file_cert_subjects_to_stack", "SSL_alert_desc_string", "SSL_alert_desc_string_long", "SSL_alert_type_string", @@ -61,6 +62,8 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_CIPHER_get_version", "SSL_CIPHER_standard_name", "SSL_clear_options", + "SSL_client_hello_get0_ext", + "SSL_COMP_get_compression_methods", "SSL_CONF_cmd", "SSL_CONF_cmd_value_type", "SSL_CONF_CTX_clear_flags", @@ -101,6 +104,7 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_CTX_sess_set_get_cb", "SSL_CTX_sess_set_new_cb", "SSL_CTX_sess_set_remove_cb", + "SSL_CTX_set0_tmp_dh_pkey", "SSL_CTX_set_alpn_protos", "SSL_CTX_set_alpn_select_cb", "SSL_CTX_set_cert_cb", @@ -108,6 +112,8 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_CTX_set_cipher_list", "SSL_CTX_set_ciphersuites", "SSL_CTX_set_client_CA_list", + "SSL_CTX_set_client_cert_cb", + "SSL_CTX_set_client_hello_cb", "SSL_CTX_set_default_passwd_cb", "SSL_CTX_set_default_passwd_cb_userdata", "SSL_CTX_set_default_verify_dir", @@ -125,9 +131,12 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_CTX_set_options", "SSL_CTX_set_post_handshake_auth", "SSL_CTX_set_session_id_context", + "SSL_CTX_set_srp_cb_arg", "SSL_CTX_set_srp_password", "SSL_CTX_set_srp_username", + "SSL_CTX_set_srp_username_callback", "SSL_CTX_set_timeout", + "SSL_CTX_set_tlsext_ticket_key_evp_cb", "SSL_CTX_set_verify", "SSL_CTX_set_verify_depth", "SSL_CTX_up_ref", 
@@ -145,21 +154,28 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_get1_peer_certificate", "SSL_get1_session", "SSL_get_certificate", + "SSL_get_ciphers", + "SSL_get_client_CA_list", "SSL_get_current_cipher", "SSL_get_current_compression", "SSL_get_error", "SSL_get_ex_data", "SSL_get_ex_data_X509_STORE_CTX_idx", + "SSL_get_finished", "SSL_get_num_tickets", "SSL_get_options", "SSL_get_peer_cert_chain", + "SSL_get_peer_finished", "SSL_get_peer_signature_type_nid", "SSL_get_privatekey", "SSL_get_rbio", "SSL_get_servername", "SSL_get_servername_type", "SSL_get_session", + "SSL_get_shared_ciphers", "SSL_get_shutdown", + "SSL_get_srp_userinfo", + "SSL_get_srp_username", "SSL_get_SSL_CTX", "SSL_get_state", "SSL_get_verify_depth", @@ -174,12 +190,15 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_is_server", "SSL_load_client_CA_file", "SSL_new", + "SSL_peek", "SSL_pending", "SSL_read", "SSL_read_early_data", + "SSL_renegotiate", "SSL_select_next_proto", "SSL_sendfile", "SSL_SESSION_free", + "SSL_SESSION_get_compress_id", "SSL_SESSION_get_id", "SSL_SESSION_get_time", "SSL_SESSION_get_timeout", @@ -205,16 +224,21 @@ const ENTRYPOINTS: &[&str] = &[ "SSL_set_post_handshake_auth", "SSL_set_quiet_shutdown", "SSL_set_session", + "SSL_set_session_id_context", "SSL_set_shutdown", + "SSL_set_srp_server_param", "SSL_set_SSL_CTX", "SSL_set_verify", "SSL_set_verify_depth", "SSL_set_verify_result", "SSL_shutdown", + "SSL_state_string", + "SSL_state_string_long", "SSL_up_ref", "SSL_use_certificate", "SSL_use_PrivateKey", "SSL_use_PrivateKey_file", + "SSL_verify_client_post_handshake", "SSL_version", "SSL_want", "SSL_write", diff --git a/src/entry.rs b/src/entry.rs index 81fc432..4a26b39 100644 --- a/src/entry.rs +++ b/src/entry.rs 
@@ -10,8 +10,9 @@ use std::sync::Arc;
 use std::{fs, path::PathBuf};
 use openssl_sys::{
- stack_st_X509, stack_st_X509_NAME, NID_undef, OPENSSL_malloc, TLSEXT_NAMETYPE_host_name,
- EVP_PKEY, OPENSSL_NPN_NEGOTIATED, OPENSSL_NPN_NO_OVERLAP, X509, X509_STORE, X509_STORE_CTX,
+ stack_st_SSL_CIPHER, stack_st_X509, stack_st_X509_NAME, stack_st_void, NID_undef,
+ OPENSSL_malloc, TLSEXT_NAMETYPE_host_name, BIGNUM, EVP_CIPHER_CTX, EVP_PKEY, HMAC_CTX,
+ OPENSSL_NPN_NEGOTIATED, OPENSSL_NPN_NO_OVERLAP, X509, X509_STORE, X509_STORE_CTX,
 };
 use rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer};
@@ -1997,6 +1998,14 @@ entry_stub! {
 pub fn _SSL_set_session(_ssl: *mut SSL, _session: *mut SSL_SESSION) -> c_int;
 }
+entry_stub! {
+ pub fn _SSL_set_session_id_context(
+ _ssl: *mut SSL,
+ _sid_ctx: *const c_uchar,
+ _sid_ctx_len: c_uint,
+ ) -> c_int;
+}
+
 entry_stub! {
 pub fn _SSL_CTX_remove_session(_ssl: *const SSL, _session: *mut SSL_SESSION) -> c_int;
 }
@@ -2024,6 +2033,67 @@ entry_stub! {
 ) -> c_int;
 }
+entry_stub! {
+ pub fn _SSL_CTX_set_tlsext_ticket_key_evp_cb(
+ _ctx: *mut SSL_CTX,
+ _fp: SSL_CTX_tlsext_ticket_key_evp_cb_func,
+ ) -> c_int;
+}
+
+pub type SSL_CTX_tlsext_ticket_key_evp_cb_func = Option<
+ unsafe extern "C" fn(
+ _ssl: *mut SSL,
+ _key_name: *mut c_uchar,
+ _iv: *mut c_uchar,
+ _ctx: *mut EVP_CIPHER_CTX,
+ _hctx: *mut HMAC_CTX,
+ _enc: c_int,
+ ) -> c_int,
+>;
+
+entry_stub! {
+ pub fn _SSL_CTX_set_client_hello_cb(
+ _ctx: *mut SSL_CTX,
+ _cb: SSL_client_hello_cb_func,
+ _arg: *mut c_void,
+ );
+}
+
+pub type SSL_client_hello_cb_func =
+ Option c_int>;
+
+entry_stub! {
+ pub fn _SSL_state_string(_ssl: *const SSL) -> *const c_char;
+}
+
+entry_stub! {
+ pub fn _SSL_state_string_long(_ssl: *const SSL) -> *const c_char;
+}
+
+entry_stub! {
+ pub fn _SSL_peek(_ssl: *mut SSL, _buf: *mut c_void, _num: c_int) -> c_int;
+}
+
+entry_stub! {
+ pub fn _SSL_get_shared_ciphers(
+ _ssl: *const SSL,
+ _buf: *mut c_char,
+ _size: c_int,
+ ) -> *mut c_char;
+}
+
+entry_stub! {
+ pub fn _SSL_get_ciphers(_ssl: *const SSL) -> *mut stack_st_SSL_CIPHER;
+}
+
+entry_stub! {
+ pub fn _SSL_CTX_set_client_cert_cb(_ctx: *mut SSL_CTX, _cb: SSL_client_cert_cb_func);
+}
+
+pub type SSL_client_cert_cb_func = Option<
+ unsafe extern "C" fn(_ssl: *mut SSL, _x509: *mut *mut X509, _pkey: *mut *mut EVP_PKEY) -> c_int,
+>;
+
 // The SSL_CTX X509_STORE isn't being meaningfully used yet.
 entry_stub! {
 pub fn _SSL_CTX_set_default_verify_store(_ctx: *mut SSL_CTX) -> c_int;
@@ -2059,6 +2129,17 @@ entry_stub! {
 pub fn _SSL_load_client_CA_file(_file: *const c_char) -> *mut stack_st_X509_NAME;
 }
+entry_stub! {
+ pub fn _SSL_get_client_CA_list(_ssl: *const SSL) -> *mut stack_st_X509_NAME;
+}
+
+entry_stub! {
+ pub fn _SSL_add_file_cert_subjects_to_stack(
+ _stack: *mut stack_st_X509_NAME,
+ _file: *const c_char,
+ ) -> c_int;
+}
+
 // no individual message logging
 entry_stub! {
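Review bot: `_SSL_state_string` and `_SSL_state_string_long` are stubbed with a `*const c_char` return, and if `entry_stub!` (defined outside this hunk) yields a null pointer for pointer returns, any caller that prints the result through a `%s` format will dereference NULL; OpenSSL never returns NULL from these, falling back to `"UNKWN"` / `"unknown state"`. Returning those constants through the ordinary `entry!` macro, as the alert-string functions earlier in the series do, keeps logging callers safe. This concerns the first `@@ -2024` hunk; the second hunk of this section is unaffected.
```rust
entry! {
    pub fn _SSL_state_string(_ssl: *const SSL) -> *const c_char {
        c"UNKWN".as_ptr() as *const c_char
    }
}

entry! {
    pub fn _SSL_state_string_long(_ssl: *const SSL) -> *const c_char {
        c"unknown state".as_ptr() as *const c_char
    }
}
```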
@@ -2165,6 +2246,45 @@ entry_stub! {
 pub fn _SSL_CTX_set_srp_username(_ctx: *mut SSL_CTX, _name: *mut c_char) -> c_int;
 }
+entry_stub! {
+ pub fn _SSL_CTX_set_srp_username_callback(
+ _ctx: *mut SSL_CTX,
+ _cb: SSL_srp_username_cb_func,
+ ) -> c_int;
+}
+
+pub type SSL_srp_username_cb_func =
+ Option c_int>;
+
+entry_stub! {
+ pub fn _SSL_set_srp_server_param(
+ _s: *mut SSL,
+ _n: *const BIGNUM,
+ _g: *const BIGNUM,
+ _sa: *const BIGNUM,
+ _v: *const BIGNUM,
+ _info: *const c_char,
+ ) -> c_int;
+}
+
+entry_stub! {
+ pub fn _SSL_CTX_set_srp_cb_arg(_ctx: *mut SSL_CTX, _arg: *mut c_void) -> c_int;
+}
+
+entry_stub! {
+ pub fn _SSL_get_srp_username(_ssl: *mut SSL) -> *mut c_char;
+}
+
+entry_stub! {
+ pub fn _SSL_get_srp_userinfo(_ssl: *mut SSL) -> *mut c_char;
+}
+
+// no DH ciphersuites
+
+entry_stub! {
+ pub fn _SSL_CTX_set0_tmp_dh_pkey(_ctx: *mut SSL_CTX, _dhpkey: *mut EVP_PKEY) -> c_int;
+}
+
 // no post-handshake auth
 entry_stub! {
@@ -2175,6 +2295,16 @@ entry_stub! {
 pub fn _SSL_set_post_handshake_auth(_s: *mut SSL, _val: c_int);
 }
+entry_stub! {
+ pub fn _SSL_verify_client_post_handshake(_ssl: *mut SSL) -> c_int;
+}
+
+// no renegotiation
+
+entry_stub! {
+ pub fn _SSL_renegotiate(_ssl: *mut SSL) -> c_int;
+}
+
 // No kTLS/sendfile support
 entry_stub! {
@@ -2187,6 +2317,17 @@ entry_stub! {
 ) -> c_long;
 }
+// No access to individual certificate extensions
+
+entry_stub! {
+ pub fn _SSL_client_hello_get0_ext(
+ _ssl: *mut SSL,
+ _type: c_uint,
+ _out: *mut *const c_uchar,
+ _outlen: *mut usize,
+ ) -> c_int;
+}
+
 // No custom extension support
 // (used by nginx to implement quic)
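Review bot: `_SSL_CTX_set0_tmp_dh_pkey` carries OpenSSL's set0 convention, under which a successful return transfers ownership of `_dhpkey` to the library; the stub neither stores nor frees it, so if `entry_stub!` (outside this hunk) reports success for a `c_int` return every call leaks an `EVP_PKEY`, whereas a failure return correctly leaves ownership with the caller. Whichever the macro does today, the requirement should be written next to the stub so it survives a later change to the macro: `// set0 semantics: must report failure so the caller keeps ownership of _dhpkey; nothing here stores or frees it.`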
@@ -2245,6 +2386,27 @@ type SSL_custom_ext_free_cb_ex = Option<
 ),
 >;
+// No low level protocol details.
+
+entry_stub! {
+ pub fn _SSL_get_finished(_ssl: *const SSL, _buf: *mut c_void, _count: usize) -> usize;
+}
+
+entry_stub! {
+ pub fn _SSL_get_peer_finished(_ssl: *const SSL, _buf: *mut c_void, _count: usize) -> usize;
+}
+
+// No TLS 1.2 protocol compression.
+
+entry_stub! {
+ pub fn _SSL_SESSION_get_compress_id(_ssl: *mut SSL) -> c_int;
+}
+
+entry_stub! {
+ // nb: should return stack_st_SSL_COMP, but this isn't defined in openssl-sys
+ pub fn _SSL_COMP_get_compression_methods() -> *mut stack_st_void;
+}
+
 // ---------------------
 #[cfg(test)]
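Review bot: `_SSL_get_finished` and `_SSL_get_peer_finished` are stubbed with a `usize` return, and if `entry_stub!` (outside this hunk) produces 0 for that type, a caller deriving a tls-unique channel binding from the Finished message receives an empty binding that it may go on to use as if it were real. Returning 0 is at least consistent with nothing being written to `_buf`, so the risk is the silent downgrade rather than memory safety. The `// No low level protocol details.` comment should spell this out: `// Finished messages are not exposed: these report 0 bytes, so tls-unique style channel bindings derived from them are empty.`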