Merge pull request #194 from MarnixKuijs/alpn

Alpn Support

Author: sfackler

.circleci/config.yml

@@ -21,7 +21,7 @@ jobs:
             - /usr/local/cargo/registry/index
       - restore_cache:
           key: deps-<< parameters.image >>-{{ checksum "Cargo.lock" }}
-      - run: cargo test
+      - run: cargo test --features alpn
       - run: rustdoc --test README.md -L target/debug/deps -L target/debug
       - save_cache:
           key: deps-<< parameters.image >>-{{ checksum "Cargo.lock" }}
@@ -34,7 +34,7 @@ jobs:
       version:
         type: string
     macos:
-      xcode: "9.4.1"
+      xcode: "10.0.0"
     environment:
       RUST_BACKTRACE: 1
       RUSTFLAGS: -D warnings
@@ -51,7 +51,7 @@ jobs:
             - ~/.cargo/registry/index
       - restore_cache:
           key: macos-deps-<< parameters.version >>
-      - run: cargo test
+      - run: cargo test --features alpn
       - save_cache:
           key: macos-deps-<< parameters.version >>
           paths:

Cargo.toml

@@ -9,6 +9,7 @@ readme = "README.md"
 
 [features]
 vendored = ["openssl/vendored"]
+alpn = ["security-framework/alpn", "openssl/v102"] 
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 security-framework = "2.0.0"

src/imp/openssl.rs

@@ -10,14 +10,14 @@ use self::openssl::ssl::{
     self, MidHandshakeSslStream, SslAcceptor, SslConnector, SslContextBuilder, SslMethod,
     SslVerifyMode,
 };
-use self::openssl::x509::{X509, store::X509StoreBuilder, X509VerifyResult};
+use self::openssl::x509::{store::X509StoreBuilder, X509VerifyResult, X509};
 use std::error;
 use std::fmt;
 use std::io;
 use std::sync::Once;
 
-use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
 use self::openssl::pkey::Private;
+use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
 
 #[cfg(have_min_max_version)]
 fn supported_protocols(
@@ -274,6 +274,26 @@ impl TlsConnector {
             }
         }
 
+        #[cfg(feature = "alpn")]
+        {
+            if !builder.alpn.is_empty() {
+                // Wire format is each alpn preceded by its length as a byte.
+                let mut alpn_wire_format = Vec::with_capacity(
+                    builder
+                        .alpn
+                        .iter()
+                        .map(|s| s.as_bytes().len())
+                        .sum::<usize>()
+                        + builder.alpn.len(),
+                );
+                for alpn in builder.alpn.iter().map(|s| s.as_bytes()) {
+                    alpn_wire_format.push(alpn.len() as u8);
+                    alpn_wire_format.extend(alpn);
+                }
+                connector.set_alpn_protos(&alpn_wire_format)?;
+            }
+        }
+
         #[cfg(target_os = "android")]
         load_android_root_certs(&mut connector)?;
 
@@ -305,8 +325,7 @@ impl TlsConnector {
 
 impl fmt::Debug for TlsConnector {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        fmt
-            .debug_struct("TlsConnector")
+        fmt.debug_struct("TlsConnector")
             // n.b. SslConnector is a newtype on SslContext which implements a noop Debug so it's omitted
             .field("use_sni", &self.use_sni)
             .field("accept_invalid_hostnames", &self.accept_invalid_hostnames)
@@ -367,6 +386,15 @@ impl<S: io::Read + io::Write> TlsStream<S> {
         Ok(self.0.ssl().peer_certificate().map(Certificate))
     }
 
+    #[cfg(feature = "alpn")]
+    pub fn negotiated_alpn(&self) -> Result<Option<Vec<u8>>, Error> {
+        Ok(self
+            .0
+            .ssl()
+            .selected_alpn_protocol()
+            .map(|alpn| alpn.to_vec()))
+    }
+
     pub fn tls_server_end_point(&self) -> Result<Option<Vec<u8>>, Error> {
         let cert = if self.0.ssl().is_server() {
             self.0.ssl().certificate().map(|x| x.to_owned())

src/imp/schannel.rs

@@ -86,7 +86,8 @@ impl Identity {
                 return Err(io::Error::new(
                     io::ErrorKind::InvalidInput,
                     "No identity found in PKCS #12 archive",
-                ).into());
+                )
+                .into());
             }
         };
 
@@ -112,7 +113,8 @@ impl Certificate {
             Err(_) => Err(io::Error::new(
                 io::ErrorKind::InvalidInput,
                 "PEM representation contains non-UTF-8 bytes",
-            ).into()),
+            )
+            .into()),
         }
     }
 
@@ -186,6 +188,7 @@ pub struct TlsConnector {
     accept_invalid_hostnames: bool,
     accept_invalid_certs: bool,
     disable_built_in_roots: bool,
+    alpn: Vec<String>,
 }
 
 impl TlsConnector {
@@ -205,6 +208,7 @@ impl TlsConnector {
             accept_invalid_hostnames: builder.accept_invalid_hostnames,
             accept_invalid_certs: builder.accept_invalid_certs,
             disable_built_in_roots: builder.disable_built_in_roots,
+            alpn: builder.alpn.clone(),
         })
     }
 
@@ -249,6 +253,14 @@ impl TlsConnector {
                 ))
             });
         }
+        #[cfg(feature = "alpn")]
+        {
+            if !self.alpn.is_empty() {
+                builder.request_application_protocols(
+                    &self.alpn.iter().map(|s| s.as_bytes()).collect::<Vec<_>>(),
+                );
+            }
+        }
         match builder.connect(cred, stream) {
             Ok(s) => Ok(TlsStream(s)),
             Err(e) => Err(e.into()),
@@ -319,6 +331,11 @@ impl<S: io::Read + io::Write> TlsStream<S> {
         }
     }
 
+    #[cfg(feature = "alpn")]
+    pub fn negotiated_alpn(&self) -> Result<Option<Vec<u8>>, Error> {
+        Ok(self.0.negotiated_application_protocol()?)
+    }
+
     pub fn tls_server_end_point(&self) -> Result<Option<Vec<u8>>, Error> {
         let cert = if self.0.is_server() {
             self.0.certificate()

src/imp/security_framework.rs

@@ -10,11 +10,12 @@ use self::security_framework::import_export::{ImportedIdentity, Pkcs12ImportOpti
 use self::security_framework::secure_transport::{
     self, ClientBuilder, SslConnectionType, SslContext, SslProtocol, SslProtocolSide,
 };
-use self::security_framework_sys::base::errSecIO;
+use self::security_framework_sys::base::{errSecIO, errSecParam};
 use self::tempfile::TempDir;
 use std::error;
 use std::fmt;
 use std::io;
+use std::str;
 use std::sync::Mutex;
 use std::sync::Once;
 
@@ -23,11 +24,11 @@ use self::security_framework::os::macos::certificate::{PropertyType, SecCertific
 #[cfg(not(target_os = "ios"))]
 use self::security_framework::os::macos::certificate_oids::CertificateOid;
 #[cfg(not(target_os = "ios"))]
-use self::security_framework::os::macos::import_export::{ImportOptions, SecItems, Pkcs12ImportOptionsExt};
+use self::security_framework::os::macos::import_export::{
+    ImportOptions, Pkcs12ImportOptionsExt, SecItems,
+};
 #[cfg(not(target_os = "ios"))]
 use self::security_framework::os::macos::keychain::{self, KeychainSettings, SecKeychain};
-#[cfg(not(target_os = "ios"))]
-use self::security_framework_sys::base::errSecParam;
 
 use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
 
@@ -128,10 +129,10 @@ impl Identity {
                 keychain
             }
         };
-        let imports = Pkcs12ImportOptions::new()
-            .passphrase(pass)
-            .keychain(keychain)
-            .import(buf)?;
+        let mut import_opts = Pkcs12ImportOptions::new();
+        // Method shadowed by deprecated method.
+        <Pkcs12ImportOptions as Pkcs12ImportOptionsExt>::keychain(&mut import_opts, keychain);
+        let imports = import_opts.passphrase(pass).import(buf)?;
         Ok(imports)
     }
 
@@ -263,6 +264,7 @@ pub struct TlsConnector {
     danger_accept_invalid_hostnames: bool,
     danger_accept_invalid_certs: bool,
     disable_built_in_roots: bool,
+    alpn: Vec<String>,
 }
 
 impl TlsConnector {
@@ -280,6 +282,7 @@ impl TlsConnector {
             danger_accept_invalid_hostnames: builder.accept_invalid_hostnames,
             danger_accept_invalid_certs: builder.accept_invalid_certs,
             disable_built_in_roots: builder.disable_built_in_roots,
+            alpn: builder.alpn.clone(),
         })
     }
 
@@ -303,6 +306,13 @@ impl TlsConnector {
         builder.danger_accept_invalid_certs(self.danger_accept_invalid_certs);
         builder.trust_anchor_certificates_only(self.disable_built_in_roots);
 
+        #[cfg(feature = "alpn")]
+        {
+            if !self.alpn.is_empty() {
+                builder.alpn_protocols(&self.alpn.iter().map(String::as_str).collect::<Vec<_>>());
+            }
+        }
+
         match builder.handshake(domain, stream) {
             Ok(stream) => Ok(TlsStream { stream, cert: None }),
             Err(e) => Err(e.into()),
@@ -388,6 +398,27 @@ impl<S: io::Read + io::Write> TlsStream<S> {
         Ok(trust.certificate_at_index(0).map(Certificate))
     }
 
+    #[cfg(feature = "alpn")]
+    pub fn negotiated_alpn(&self) -> Result<Option<Vec<u8>>, Error> {
+        match self.stream.context().alpn_protocols() {
+            Ok(protocols) => {
+                // Per RFC7301, "ProtocolNameList" MUST contain exactly one "ProtocolName".
+                assert!(protocols.len() < 2);
+
+                if protocols.is_empty() {
+                    // Not sure this is actually possible.
+                    Ok(None)
+                } else {
+                    Ok(Some(protocols.into_iter().next().unwrap().into_bytes()))
+                }
+            }
+            // The macOS API appears to return `errSecParam` whenever no ALPN was negotiated, both
+            // when it isn't attempted and when it isn't successful.
+            Err(e) if e.code() == errSecParam => Ok(None),
+            Err(other) => Err(Error::from(other)),
+        }
+    }
+
     #[cfg(target_os = "ios")]
     pub fn tls_server_end_point(&self) -> Result<Option<Vec<u8>>, Error> {
         Ok(None)

src/lib.rs

@@ -328,6 +328,7 @@ pub struct TlsConnectorBuilder {
     accept_invalid_hostnames: bool,
     use_sni: bool,
     disable_built_in_roots: bool,
+    alpn: Vec<String>,
 }
 
 impl TlsConnectorBuilder {
@@ -376,6 +377,15 @@ impl TlsConnectorBuilder {
         self
     }
 
+    /// Request specific protocols through ALPN (Application-Layer Protocol Negotiation).
+    ///
+    /// Defaults to none
+    #[cfg(feature = "alpn")]
+    pub fn request_alpns(&mut self, protocols: &[&str]) -> &mut TlsConnectorBuilder {
+        self.alpn = protocols.iter().map(|s| (*s).to_owned()).collect();
+        self
+    }
+
     /// Controls the use of certificate validation.
     ///
     /// Defaults to `false`.
@@ -464,6 +474,7 @@ impl TlsConnector {
             accept_invalid_certs: false,
             accept_invalid_hostnames: false,
             disable_built_in_roots: false,
+            alpn: vec![],
         }
     }
 
@@ -644,6 +655,12 @@ impl<S: io::Read + io::Write> TlsStream<S> {
         Ok(self.0.tls_server_end_point()?)
     }
 
+    /// Returns the negotiated ALPN protocols
+    #[cfg(feature = "alpn")]
+    pub fn negotiated_alpn(&self) -> Result<Option<Vec<u8>>> {
+        Ok(self.0.negotiated_alpn()?)
+    }
+
     /// Shuts down the TLS session.
     pub fn shutdown(&mut self) -> io::Result<()> {
         self.0.shutdown()?;

src/test.rs

@@ -2,6 +2,7 @@ use hex;
 #[allow(unused_imports)]
 use std::io::{Read, Write};
 use std::net::{TcpListener, TcpStream};
+use std::string::String;
 use std::thread;
 
 use super::*;
@@ -417,4 +418,34 @@ mod tests {
 
         p!(j.join());
     }
+
+    #[test]
+    #[cfg(feature = "alpn")]
+    fn alpn_google_h2() {
+        let builder = p!(TlsConnector::builder().request_alpns(&["h2"]).build());
+        let s = p!(TcpStream::connect("google.com:443"));
+        let socket = p!(builder.connect("google.com", s));
+        let alpn = p!(socket.negotiated_alpn());
+        assert_eq!(alpn, Some(b"h2".to_vec()));
+    }
+
+    #[test]
+    #[cfg(feature = "alpn")]
+    fn alpn_google_invalid() {
+        let builder = p!(TlsConnector::builder().request_alpns(&["h2c"]).build());
+        let s = p!(TcpStream::connect("google.com:443"));
+        let socket = p!(builder.connect("google.com", s));
+        let alpn = p!(socket.negotiated_alpn());
+        assert_eq!(alpn, None);
+    }
+
+    #[test]
+    #[cfg(feature = "alpn")]
+    fn alpn_google_none() {
+        let builder = p!(TlsConnector::new());
+        let s = p!(TcpStream::connect("google.com:443"));
+        let socket = p!(builder.connect("google.com", s));
+        let alpn = p!(socket.negotiated_alpn());
+        assert_eq!(alpn, None);
+    }
 }