Implement and test SSL_CTX_set_client_hello_cb

Author: ctz

MATRIX.md

@@ -143,7 +143,7 @@
 | `SSL_CTX_set_client_CA_list`  |  | :white_check_mark: | :white_check_mark: | :exclamation: [^stub] |
 | `SSL_CTX_set_client_cert_cb`  |  |  |  | :exclamation: [^stub] |
 | `SSL_CTX_set_client_cert_engine` [^engine] |  |  |  |  |
-| `SSL_CTX_set_client_hello_cb`  |  |  | :white_check_mark: | :exclamation: [^stub] |
+| `SSL_CTX_set_client_hello_cb`  |  |  | :white_check_mark: | :white_check_mark: |
 | `SSL_CTX_set_cookie_generate_cb`  |  |  |  |  |
 | `SSL_CTX_set_cookie_verify_cb`  |  |  |  |  |
 | `SSL_CTX_set_ct_validation_callback` [^ct] |  |  |  |  |

src/callbacks.rs

@@ -9,7 +9,7 @@ use rustls::AlertDescription;
 use crate::entry::{
     SSL_CTX_alpn_select_cb_func, SSL_CTX_cert_cb_func, SSL_CTX_info_callback_func,
     SSL_CTX_new_session_cb, SSL_CTX_servername_callback_func, SSL_CTX_sess_get_cb,
-    SSL_CTX_sess_remove_cb, _SSL_SESSION_free, SSL, SSL_CTX, SSL_SESSION,
+    SSL_CTX_sess_remove_cb, SSL_client_hello_cb_func, _SSL_SESSION_free, SSL, SSL_CTX, SSL_SESSION,
 };
 use crate::error::Error;
 use crate::ffi;
@@ -281,3 +281,38 @@ impl Info {
 const SSL_CB_ALERT: c_int = 0x4000;
 const SSL_CB_READ: c_int = 0x0004;
 const SSL_CB_WRITE: c_int = 0x0008;
+
+/// Configuration needed to call a client hello callback later
+#[derive(Debug, Default, Clone)]
+pub struct ClientHelloCallbackConfig {
+    pub cb: SSL_client_hello_cb_func,
+    pub context: *mut c_void,
+}
+
+impl ClientHelloCallbackConfig {
+    pub fn invoke(&self) -> Result<(), Error> {
+        let Some(callback) = self.cb else {
+            return Ok(());
+        };
+
+        let internal_error = u8::from(AlertDescription::InternalError) as c_int;
+
+        let ssl = SslCallbackContext::ssl_ptr();
+        let mut alert = internal_error;
+        let result = unsafe { callback(ssl, &mut alert as *mut c_int, self.context) };
+
+        if alert != internal_error {
+            log::trace!("NYI: customised alert during client hello callback");
+        }
+
+        match result {
+            i if i < 0 => Err(Error::not_supported(
+                "SSL_client_hello_cb_func requesting suspension",
+            )),
+            0 => Err(Error::not_supported(
+                "SSL_client_hello_cb_func returning error",
+            )),
+            _ => Ok(()),
+        }
+    }
+}

src/entry.rs

@@ -901,6 +901,21 @@ pub type custom_ext_parse_cb = Option<
     ) -> c_int,
 >;
 
+entry! {
+    pub fn _SSL_CTX_set_client_hello_cb(
+        ctx: *mut SSL_CTX,
+        cb: SSL_client_hello_cb_func,
+        arg: *mut c_void,
+    ) {
+        try_clone_arc!(ctx)
+            .get_mut()
+            .set_client_hello_callback(cb, arg);
+    }
+}
+
+pub type SSL_client_hello_cb_func =
+    Option<unsafe extern "C" fn(_ssl: *mut SSL, _al: *mut c_int, _arg: *mut c_void) -> c_int>;
+
 impl Castable for SSL_CTX {
     type Ownership = OwnershipArc;
     type RustType = NotThreadSafe<Self>;
@@ -2247,17 +2262,6 @@ pub type SSL_CTX_tlsext_ticket_key_evp_cb_func = Option<
     ) -> c_int,
 >;
 
-entry_stub! {
-    pub fn _SSL_CTX_set_client_hello_cb(
-        _ctx: *mut SSL_CTX,
-        _cb: SSL_client_hello_cb_func,
-        _arg: *mut c_void,
-    );
-}
-
-pub type SSL_client_hello_cb_func =
-    Option<unsafe extern "C" fn(_ssl: *mut SSL, _al: *mut c_int, _arg: *mut c_void) -> c_int>;
-
 entry_stub! {
     pub fn _SSL_state_string(_ssl: *const SSL) -> *const c_char;
 }

src/lib.rs

@@ -457,6 +457,7 @@ pub struct SslContext {
     cert_callback: callbacks::CertCallbackConfig,
     servername_callback: callbacks::ServerNameCallbackConfig,
     info_callback: callbacks::InfoCallbackConfig,
+    client_hello_callback: callbacks::ClientHelloCallbackConfig,
     auth_keys: sign::CertifiedKeySet,
     max_early_data: u32,
 }
@@ -488,6 +489,7 @@ impl SslContext {
             cert_callback: callbacks::CertCallbackConfig::default(),
             servername_callback: callbacks::ServerNameCallbackConfig::default(),
             info_callback: callbacks::InfoCallbackConfig::default(),
+            client_hello_callback: callbacks::ClientHelloCallbackConfig::default(),
             auth_keys: sign::CertifiedKeySet::default(),
             max_early_data: 0,
         }
@@ -606,6 +608,15 @@ impl SslContext {
         self.info_callback.cb = callback;
     }
 
+    fn set_client_hello_callback(
+        &mut self,
+        callback: entry::SSL_client_hello_cb_func,
+        arg: *mut c_void,
+    ) {
+        self.client_hello_callback.cb = callback;
+        self.client_hello_callback.context = arg;
+    }
+
     fn set_max_early_data(&mut self, max: u32) {
         self.max_early_data = max;
     }
@@ -784,6 +795,7 @@ struct Ssl {
     cert_callback: callbacks::CertCallbackConfig,
     info_callback: callbacks::InfoCallbackConfig,
     servername_callback: callbacks::ServerNameCallbackConfig,
+    client_hello_callback: callbacks::ClientHelloCallbackConfig,
     sni_server_name: Option<ServerName<'static>>,
     server_name: Option<CString>,
     bio: Option<bio::Bio>,
@@ -826,6 +838,7 @@ impl Ssl {
             cert_callback: inner.cert_callback.clone(),
             info_callback: inner.info_callback.clone(),
             servername_callback: inner.servername_callback.clone(),
+            client_hello_callback: inner.client_hello_callback.clone(),
             sni_server_name: None,
             server_name: None,
             bio: None,
@@ -1152,6 +1165,8 @@ impl Ssl {
             unreachable!();
         };
 
+        self.client_hello_callback.invoke()?;
+
         self.server_name = accepted
             .client_hello()
             .server_name()

tests/server.c

@@ -69,6 +69,21 @@ static int sni_callback(SSL *ssl, int *al, void *arg) {
   return SSL_TLSEXT_ERR_OK;
 }
 
+static int client_hello_cookie = 98765;
+
+static int client_hello_callback(SSL *ssl, int *alert, void *arg) {
+  printf("in client_hello_callback\n");
+  assert(ssl != NULL);
+  assert(arg == &client_hello_cookie);
+  printf("  *alert = %d\n", *alert);
+  printf("  SSL_get_servername: %s (%d)\n",
+         SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name),
+         SSL_get_servername_type(ssl));
+  printf("  ssl_ex_data_idx_message: %s\n",
+         (const char *)SSL_get_ex_data(ssl, ssl_ex_data_idx_message));
+  return 1;
+}
+
 static int sess_new_callback(SSL *ssl, SSL_SESSION *sess) {
   printf("in sess_new_callback\n");
   assert(ssl != NULL);
@@ -158,6 +173,9 @@ int main(int argc, char **argv) {
   SSL_CTX_set_tlsext_servername_arg(ctx, &sni_cookie);
   dump_openssl_error_stack();
 
+  SSL_CTX_set_client_hello_cb(ctx, client_hello_callback, &client_hello_cookie);
+  dump_openssl_error_stack();
+
   // Default to no tickets.
   SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
   TRACE(SSL_CTX_set_num_tickets(ctx, 0));