SNI (RFC 6066) support

conn.go

@@ -28,6 +28,9 @@ package openssl
 // long SSL_set_tlsext_host_name_not_a_macro(SSL *ssl, const char *name) {
 //    return SSL_set_tlsext_host_name(ssl, name);
 // }
+// const char * SSL_get_cipher_name_not_a_macro(const SSL *ssl) {
+//    return SSL_get_cipher_name(ssl);
+// }
 import "C"
 
 import (
@@ -60,6 +63,56 @@ type Conn struct {
 	want_read_future *utils.Future
 }
 
+type VerifyResult int
+
+const (
+	Ok                            VerifyResult = C.X509_V_OK
+	UnableToGetIssuerCert         VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+	UnableToGetCrl                VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
+	UnableToDecryptCertSignature  VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+	UnableToDecryptCrlSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+	CertSignatureFailure          VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
+	CrlSignatureFailure           VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
+	CertNotYetValid               VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
+	CertHasExpired                VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
+	CrlNotYetValid                VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
+	CrlHasExpired                 VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
+	ErrorInCertNotBeforeField     VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+	ErrorInCertNotAfterField      VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+	ErrorInCrlLastUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+	ErrorInCrlNextUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+	OutOfMem                      VerifyResult = C.X509_V_ERR_OUT_OF_MEM
+	DepthZeroSelfSignedCert       VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+	SelfSignedCertInChain         VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+	UnableToGetIssuerCertLocally  VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+	UnableToVerifyLeafSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+	CertChainTooLong              VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
+	CertRevoked                   VerifyResult = C.X509_V_ERR_CERT_REVOKED
+	InvalidCa                     VerifyResult = C.X509_V_ERR_INVALID_CA
+	PathLengthExceeded            VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
+	InvalidPurpose                VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
+	CertUntrusted                 VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
+	CertRejected                  VerifyResult = C.X509_V_ERR_CERT_REJECTED
+	SubjectIssuerMismatch         VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+	AkidSkidMismatch              VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
+	AkidIssuerSerialMismatch      VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+	KeyusageNoCertsign            VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+	UnableToGetCrlIssuer          VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+	UnhandledCriticalExtension    VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+	KeyusageNoCrlSign             VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+	InvalidNonCa                  VerifyResult = C.X509_V_ERR_INVALID_NON_CA
+	ProxyPathLengthExceeded       VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+	KeyusageNoDigitalSignature    VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+	ProxyCertificatesNotAllowed   VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+	InvalidExtension              VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
+	InvalidPolicyExtension        VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
+	NoExplicitPolicy              VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
+	UnnestedResource              VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
+	ApplicationVerification       VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
+)
+
 func newSSL(ctx *C.SSL_CTX) (*C.SSL, error) {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
@@ -144,6 +197,15 @@ func Server(conn net.Conn, ctx *Ctx) (*Conn, error) {
 	return c, nil
 }
 
+func (c *Conn) CurrentCipher() (string, error) {
+	p := C.SSL_get_cipher_name_not_a_macro(c.ssl)
+	if p == nil {
+		return "", errors.New("Session not established")
+	}
+
+	return C.GoString(p), nil
+}
+
 func (c *Conn) fillInputBuffer() error {
 	for {
 		n, err := c.into_ssl.ReadFromOnce(c.conn)
@@ -500,3 +562,7 @@ func (c *Conn) SetTlsExtHostName(name string) error {
 	}
 	return nil
 }
+
+func (c *Conn) VerifyResult() VerifyResult {
+	return VerifyResult(C.SSL_get_verify_result(c.ssl))
+}

ctx.go

@@ -30,6 +30,10 @@ static long SSL_CTX_clear_options_not_a_macro(SSL_CTX* ctx, long options) {
    return SSL_CTX_clear_options(ctx, options);
 }
 
+static long SSL_CTX_get_options_not_a_macro(SSL_CTX* ctx) {
+   return SSL_CTX_get_options(ctx);
+}
+
 static long SSL_CTX_set_mode_not_a_macro(SSL_CTX* ctx, long modes) {
    return SSL_CTX_set_mode(ctx, modes);
 }
@@ -54,6 +58,11 @@ static long SSL_CTX_set_tmp_ecdh_not_a_macro(SSL_CTX* ctx, EC_KEY *key) {
     return SSL_CTX_set_tmp_ecdh(ctx, key);
 }
 
+static long SSL_CTX_set_tlsext_servername_callback_not_a_macro(
+		SSL_CTX* ctx, int (*cb)(SSL *con, int *ad, void *args)) {
+	return SSL_CTX_set_tlsext_servername_callback(ctx, cb);
+}
+
 #ifndef SSL_MODE_RELEASE_BUFFERS
 #define SSL_MODE_RELEASE_BUFFERS 0
 #endif
@@ -78,6 +87,10 @@ static const SSL_METHOD *OUR_TLSv1_2_method() {
 #endif
 }
 
+#if defined SSL_CTRL_SET_TLSEXT_HOSTNAME
+	extern int sni_cb(SSL *ssl_conn, int *ad, void *arg);
+#endif
+
 extern int verify_cb(int ok, X509_STORE_CTX* store);
 */
 import "C"
@@ -102,6 +115,7 @@ var (
 type Ctx struct {
 	ctx       *C.SSL_CTX
 	verify_cb VerifyCallback
+	sni_cb    TLSExtServernameCallback
 }
 
 //export get_ssl_ctx_idx
@@ -127,10 +141,13 @@ func newCtx(method *C.SSL_METHOD) (*Ctx, error) {
 type SSLVersion int
 
 const (
-	SSLv3      SSLVersion = 0x02
-	TLSv1      SSLVersion = 0x03
-	TLSv1_1    SSLVersion = 0x04
-	TLSv1_2    SSLVersion = 0x05
+	SSLv3   SSLVersion = 0x02 // Vulnerable to "POODLE" attack.
+	TLSv1   SSLVersion = 0x03
+	TLSv1_1 SSLVersion = 0x04
+	TLSv1_2 SSLVersion = 0x05
+
+	// Make sure to disable SSLv2 and SSLv3 if you use this. SSLv3 is vulnerable
+	// to the "POODLE" attack, and SSLv2 is what, just don't even.
 	AnyVersion SSLVersion = 0x06
 )
 
@@ -361,8 +378,6 @@ const (
 	NoSSLv2                            Options = C.SSL_OP_NO_SSLv2
 	NoSSLv3                            Options = C.SSL_OP_NO_SSLv3
 	NoTLSv1                            Options = C.SSL_OP_NO_TLSv1
-	NoTLSv1_1                          Options = C.SSL_OP_NO_TLSv1_1
-	NoTLSv1_2                          Options = C.SSL_OP_NO_TLSv1_2
 	CipherServerPreference             Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
 	NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 	NoTicket                           Options = C.SSL_OP_NO_TICKET
@@ -380,6 +395,12 @@ func (c *Ctx) ClearOptions(options Options) Options {
 		c.ctx, C.long(options)))
 }
 
+// GetOptions returns context options. See
+// https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
+func (c *Ctx) GetOptions() Options {
+	return Options(C.SSL_CTX_get_options_not_a_macro(c.ctx))
+}
+
 type Modes int
 
 const (
@@ -450,6 +471,10 @@ func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback) {
 	c.SetVerify(c.VerifyMode(), verify_cb)
 }
 
+func (c *Ctx) GetVerifyCallback() VerifyCallback {
+	return c.verify_cb
+}
+
 func (c *Ctx) VerifyMode() VerifyOptions {
 	return VerifyOptions(C.SSL_CTX_get_verify_mode(c.ctx))
 }
@@ -461,6 +486,23 @@ func (c *Ctx) SetVerifyDepth(depth int) {
 	C.SSL_CTX_set_verify_depth(c.ctx, C.int(depth))
 }
 
+// GetVerifyDepth controls how many certificates deep the certificate
+// verification logic is willing to follow a certificate chain. See
+// https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
+func (c *Ctx) GetVerifyDepth() int {
+	return int(C.SSL_CTX_get_verify_depth(c.ctx))
+}
+
+type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr
+
+// SetTLSExtServernameCallback sets callback function for Server Name Indication
+// (SNI) rfc6066 (http://tools.ietf.org/html/rfc6066). See
+// http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
+func (c *Ctx) SetTLSExtServernameCallback(sni_cb TLSExtServernameCallback) {
+	c.sni_cb = sni_cb
+	C.SSL_CTX_set_tlsext_servername_callback_not_a_macro(c.ctx, (*[0]byte)(C.sni_cb))
+}
+
 func (c *Ctx) SetSessionId(session_id []byte) error {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()

old_openssl_compat.go

@@ -0,0 +1,44 @@
+// Copyright (C) 2014 Space Monkey, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !darwin brew
+// +build cgo
+
+package openssl
+
+// #include <openssl/ssl.h>
+import "C"
+
+// these constants do not exist in the openssl version packaged with os x. when
+// darwin decides to update the base openssl version, we can move these back
+// to the appropriate spots in the source. as a workaround, if you need access
+// to these constants on darwin, use homebrew or whatever to install a more
+// recent version of os x, and build the package with the '-tags brew' flag
+
+const (
+	UnsupportedConstraintSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+	UnsupportedConstraintType   VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+	UnsupportedExtensionFeature VerifyResult = C.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+	ExcludedViolation           VerifyResult = C.X509_V_ERR_EXCLUDED_VIOLATION
+	SubtreeMinmax               VerifyResult = C.X509_V_ERR_SUBTREE_MINMAX
+	UnsupportedNameSyntax       VerifyResult = C.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+	DifferentCrlScope           VerifyResult = C.X509_V_ERR_DIFFERENT_CRL_SCOPE
+	PermittedViolation          VerifyResult = C.X509_V_ERR_PERMITTED_VIOLATION
+	CrlPathValidationError      VerifyResult = C.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+)
+
+const (
+	NoTLSv1_1 Options = C.SSL_OP_NO_TLSv1_1
+	NoTLSv1_2 Options = C.SSL_OP_NO_TLSv1_2
+)

sni.c

@@ -0,0 +1,23 @@
+// Copyright (C) 2014 Space Monkey, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <openssl/ssl.h>
+#include "_cgo_export.h"
+#include <stdio.h>
+
+int sni_cb(SSL *con, int *ad, void *arg) {
+	SSL_CTX* ssl_ctx = ssl_ctx = SSL_get_SSL_CTX(con);
+	void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
+	return sni_cb_thunk(p, con, ad, arg);
+}

sni_test.go

@@ -0,0 +1,23 @@
+// Copyright (C) 2014 Space Monkey, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package openssl
+
+import "fmt"
+
+// We can implemant SNI rfc6066 (http://tools.ietf.org/html/rfc6066) on the server side using foolowing callback.
+// You should implement context storage (tlsCtxStorage) by your self.
+func ExampleSetTLSExtServernameCallback() {
+	fmt.Println("Hello")
+}