Implement SSL_CTX_set_info_callback and SSL_set_info_callback

This fires only for received alerts, and alerts sent at the start
of the server's handshake.

Author: ctz

MATRIX.md

@@ -158,7 +158,7 @@
 | `SSL_CTX_set_default_verify_store`  |  |  |  | :exclamation: [^stub] |
 | `SSL_CTX_set_ex_data`  |  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
 | `SSL_CTX_set_generate_session_id`  |  |  |  |  |
-| `SSL_CTX_set_info_callback`  |  | :white_check_mark: | :white_check_mark: | :exclamation: [^stub] |
+| `SSL_CTX_set_info_callback`  |  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
 | `SSL_CTX_set_keylog_callback`  | :white_check_mark: | :white_check_mark: | :white_check_mark: | :exclamation: [^stub] |
 | `SSL_CTX_set_max_early_data`  |  | :white_check_mark: |  | :white_check_mark: |
 | `SSL_CTX_set_msg_callback`  | :white_check_mark: |  | :white_check_mark: | :exclamation: [^stub] |
@@ -440,7 +440,7 @@
 | `SSL_set_fd` [^sock] | :white_check_mark: | :white_check_mark: |  | :white_check_mark: |
 | `SSL_set_generate_session_id`  |  |  |  |  |
 | `SSL_set_hostflags`  |  |  |  |  |
-| `SSL_set_info_callback`  |  |  |  |  |
+| `SSL_set_info_callback`  |  |  |  | :white_check_mark: |
 | `SSL_set_max_early_data`  |  | :white_check_mark: | :white_check_mark: | :white_check_mark: |
 | `SSL_set_msg_callback`  |  | :white_check_mark: | :white_check_mark: | :exclamation: [^stub] |
 | `SSL_set_not_resumable_session_callback`  |  |  |  |  |

build.rs

@@ -230,6 +230,7 @@ const ENTRYPOINTS: &[&str] = &[
     "SSL_set_connect_state",
     "SSL_set_ex_data",
     "SSL_set_fd",
+    "SSL_set_info_callback",
     "SSL_set_max_early_data",
     "SSL_set_msg_callback",
     "SSL_set_num_tickets",

src/callbacks.rs

@@ -7,9 +7,9 @@ use openssl_sys::{SSL_TLSEXT_ERR_NOACK, SSL_TLSEXT_ERR_OK};
 use rustls::AlertDescription;
 
 use crate::entry::{
-    SSL_CTX_alpn_select_cb_func, SSL_CTX_cert_cb_func, SSL_CTX_new_session_cb,
-    SSL_CTX_servername_callback_func, SSL_CTX_sess_get_cb, SSL_CTX_sess_remove_cb,
-    _SSL_SESSION_free, SSL, SSL_CTX, SSL_SESSION,
+    SSL_CTX_alpn_select_cb_func, SSL_CTX_cert_cb_func, SSL_CTX_info_callback_func,
+    SSL_CTX_new_session_cb, SSL_CTX_servername_callback_func, SSL_CTX_sess_get_cb,
+    SSL_CTX_sess_remove_cb, _SSL_SESSION_free, SSL, SSL_CTX, SSL_SESSION,
 };
 use crate::error::Error;
 use crate::ffi;
@@ -237,3 +237,47 @@ pub fn invoke_session_remove_callback(
 
     _SSL_SESSION_free(sess_ptr);
 }
+
+/// Configuration needed to call an [`SSL_CTX_info_callback_func`] later
+#[derive(Debug, Default, Clone)]
+pub struct InfoCallbackConfig {
+    pub cb: SSL_CTX_info_callback_func,
+}
+
+impl InfoCallbackConfig {
+    pub fn invoke(&self, info: Info) {
+        let Some(callback) = self.cb else {
+            return;
+        };
+
+        let ssl = SslCallbackContext::ssl_ptr();
+        unsafe { callback(ssl, info.typ(), info.val()) };
+    }
+}
+
+pub enum Info {
+    /// `SSL_CB_ALERT | SSL_CB_READ`
+    AlertReceived(AlertDescription),
+
+    /// `SSL_CB_ALERT | SSL_CB_WRITE`
+    AlertSent(AlertDescription),
+}
+
+impl Info {
+    fn typ(&self) -> c_int {
+        match self {
+            Self::AlertReceived(_) => SSL_CB_ALERT | SSL_CB_READ,
+            Self::AlertSent(_) => SSL_CB_ALERT | SSL_CB_WRITE,
+        }
+    }
+
+    fn val(&self) -> c_int {
+        match self {
+            Self::AlertReceived(a) | Self::AlertSent(a) => u8::from(*a) as c_int,
+        }
+    }
+}
+
+const SSL_CB_ALERT: c_int = 0x4000;
+const SSL_CB_READ: c_int = 0x0004;
+const SSL_CB_WRITE: c_int = 0x0008;

src/entry.rs

@@ -703,6 +703,15 @@ entry! {
     }
 }
 
+entry! {
+    pub fn _SSL_CTX_set_info_callback(ctx: *mut SSL_CTX, cb: SSL_CTX_info_callback_func) {
+        try_clone_arc!(ctx).get_mut().set_info_callback(cb);
+    }
+}
+
+pub type SSL_CTX_info_callback_func =
+    Option<unsafe extern "C" fn(ssl: *mut SSL, type_: c_int, val: c_int)>;
+
 entry! {
     pub fn _SSL_CTX_get_max_early_data(ctx: *const SSL_CTX) -> u32 {
         try_clone_arc!(ctx).get().get_max_early_data()
@@ -1047,6 +1056,12 @@ entry! {
     }
 }
 
+entry! {
+    pub fn _SSL_set_info_callback(ssl: *mut SSL, cb: SSL_CTX_info_callback_func) {
+        try_clone_arc!(ssl).get_mut().set_info_callback(cb);
+    }
+}
+
 entry! {
     pub fn _SSL_set_alpn_protos(
         ssl: *mut SSL,
@@ -2327,15 +2342,6 @@ pub type SSL_CTX_msg_cb_func = Option<
     ),
 >;
 
-// no state machine observation
-
-entry_stub! {
-    pub fn _SSL_CTX_set_info_callback(
-        _ctx: *mut SSL_CTX,
-        _cb: Option<unsafe extern "C" fn(ssl: *const SSL, type_: c_int, val: c_int)>,
-    );
-}
-
 // no NPN (obsolete precursor to ALPN)
 
 entry_stub! {

src/lib.rs

@@ -16,8 +16,8 @@ use rustls::crypto::{aws_lc_rs as provider, SupportedKxGroup};
 use rustls::pki_types::{CertificateDer, ServerName};
 use rustls::server::{Accepted, Acceptor, ProducesTickets};
 use rustls::{
-    CipherSuite, ClientConfig, ClientConnection, Connection, HandshakeKind, ProtocolVersion,
-    ServerConfig, SignatureScheme, SupportedProtocolVersion,
+    AlertDescription, CipherSuite, ClientConfig, ClientConnection, Connection, HandshakeKind,
+    ProtocolVersion, ServerConfig, SignatureScheme, SupportedProtocolVersion,
 };
 
 use not_thread_safe::NotThreadSafe;
@@ -456,6 +456,7 @@ pub struct SslContext {
     alpn_callback: callbacks::AlpnCallbackConfig,
     cert_callback: callbacks::CertCallbackConfig,
     servername_callback: callbacks::ServerNameCallbackConfig,
+    info_callback: callbacks::InfoCallbackConfig,
     auth_keys: sign::CertifiedKeySet,
     max_early_data: u32,
 }
@@ -486,6 +487,7 @@ impl SslContext {
             alpn_callback: callbacks::AlpnCallbackConfig::default(),
             cert_callback: callbacks::CertCallbackConfig::default(),
             servername_callback: callbacks::ServerNameCallbackConfig::default(),
+            info_callback: callbacks::InfoCallbackConfig::default(),
             auth_keys: sign::CertifiedKeySet::default(),
             max_early_data: 0,
         }
@@ -600,6 +602,10 @@ impl SslContext {
         self.caches.flush_all();
     }
 
+    fn set_info_callback(&mut self, callback: entry::SSL_CTX_info_callback_func) {
+        self.info_callback.cb = callback;
+    }
+
     fn set_max_early_data(&mut self, max: u32) {
         self.max_early_data = max;
     }
@@ -776,6 +782,7 @@ struct Ssl {
     alpn: Vec<Vec<u8>>,
     alpn_callback: callbacks::AlpnCallbackConfig,
     cert_callback: callbacks::CertCallbackConfig,
+    info_callback: callbacks::InfoCallbackConfig,
     servername_callback: callbacks::ServerNameCallbackConfig,
     sni_server_name: Option<ServerName<'static>>,
     server_name: Option<CString>,
@@ -817,6 +824,7 @@ impl Ssl {
             alpn: inner.alpn.clone(),
             alpn_callback: inner.alpn_callback.clone(),
             cert_callback: inner.cert_callback.clone(),
+            info_callback: inner.info_callback.clone(),
             servername_callback: inner.servername_callback.clone(),
             sni_server_name: None,
             server_name: None,
@@ -927,6 +935,10 @@ impl Ssl {
             .unwrap_or_default()
     }
 
+    fn set_info_callback(&mut self, cb: entry::SSL_CTX_info_callback_func) {
+        self.info_callback.cb = cb;
+    }
+
     fn set_alpn_offer(&mut self, alpn: Vec<Vec<u8>>) {
         self.alpn = alpn;
     }
@@ -1301,6 +1313,10 @@ impl Ssl {
                         // obtain underlying TLS protocol error (if any), and let it stamp
                         // out the one wrapped in io::Error.
                         if let Some(tls_err) = conn.process_new_packets().err() {
+                            if let rustls::Error::AlertReceived(alert) = &tls_err {
+                                self.info_callback
+                                    .invoke(callbacks::Info::AlertReceived(*alert));
+                            }
                             return Err(error::Error::from_rustls(tls_err));
                         }
                         return Err(error::Error::from_io(e));
@@ -1326,7 +1342,17 @@ impl Ssl {
                         self.invoke_accepted_callbacks()
                     }
                     Err((error, mut alert)) => {
-                        alert.write_all(bio).map_err(error::Error::from_io)?;
+                        let mut buffer = Vec::new();
+                        alert.write_all(&mut buffer).unwrap();
+
+                        // this only works for unencrypted alerts (header plus `Alert` structure)
+                        if buffer.len() == (5 + 2) {
+                            self.info_callback.invoke(callbacks::Info::AlertSent(
+                                AlertDescription::from(buffer[6]),
+                            ));
+                        }
+
+                        bio.write_all(&buffer).map_err(error::Error::from_io)?;
                         Err(error::Error::from_rustls(error))
                     }
                 }