-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Basic server support #7
Conversation
Requiring use of `Bio::new_pair(Some(a), Some(a))` to donate two refs of `a` is not what is required by `SSL_set_bio`. Instead make an object backed by `BIO_s_null()`, and then call `update()` on it.
ebed86a
to
9c13e8e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's some initial feedback. I started my review later in the day and lost steam by around "Implement SSL_accept and associated server support". I'll come back and do a second pass starting from there in the next day or so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Finishing up where I left off in the first pass. Thanks!
We mishandled non-blocking writes in several respects: - `SSL_get_error()` would say to retry the read if the write BIO was the same as the read BIO. - raise the correct `io::Error` in `impl io::Write for Bio`. - the current IO `Want` was was ignored: give `Want::write` primacy because rustls tends to always want to read in idle conditions (for alert receipt).
9c13e8e
to
0b6fc8b
Compare
Because `SSL_CTX_use_PrivateKey` implies we have to use an `EVP_PKEY` as-is, `evp_pkey.rs` implements a wrapper over OpenSSL `EVP_PKEY`s, and `sign.rs` uses that wrapper to implement `rustls::sign::SigningKey` and `Signer` traits.
These should not be put on the openssl error stack, and should not be logged either.
Engineer a typical case: the server requires auth, but the client has no credentials. To make this work: - match `SSL_read` return code (docs say <= 0, implementation does 0, we chose -1 previously). - print (and therefore validate against openssl) ERR_peek_error(). - ensure the error from rustls is the one that is propagated (by retrieving it from `process_new_packets()`) rather than one already wrapped in `std::io::Error`.
"SSL_set_SSL_CTX is a bad idea" says the openssl issue tracker :)
This is for new APIs around alerts from server `Acceptor`.
Plus the `SSL_CTX` equivalents.
0b6fc8b
to
0a50edf
Compare
This is a collection of bug-fixes and server groundwork from the nginx branch. Along the way, client auth starts to work & is tested.
At the end of this branch the basic test of server behaviour
tests/server.c
is passing.