1 #![allow(unused_imports)]
2
3 use std::env;
4 use std::fs::File;
5 use std::io::prelude::*;
6 use std::io::{self, BufReader};
7 use std::iter;
8 use std::mem;
9 use std::net::UdpSocket;
10 use std::net::{SocketAddr, TcpListener, TcpStream};
11 use std::path::Path;
12 use std::process::{Child, ChildStdin, Command, Stdio};
13 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
14 use std::thread;
15 use std::time::Duration;
16
17 use crate::dh::Dh;
18 use crate::error::ErrorStack;
19 use crate::hash::MessageDigest;
20 #[cfg(not(boringssl))]
21 use crate::ocsp::{OcspResponse, OcspResponseStatus};
22 use crate::pkey::{Id, PKey};
23 use crate::srtp::SrtpProfileId;
24 use crate::ssl::test::server::Server;
25 #[cfg(any(ossl110, ossl111, libressl261))]
26 use crate::ssl::SslVersion;
27 use crate::ssl::{self, NameType, SslConnectorBuilder};
28 #[cfg(ossl111)]
29 use crate::ssl::{ClientHelloResponse, ExtensionContext};
30 use crate::ssl::{
31 Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor,
32 SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod,
33 SslOptions, SslSessionCacheMode, SslStream, SslVerifyMode, StatusType,
34 };
35 #[cfg(ossl102)]
36 use crate::x509::store::X509StoreBuilder;
37 #[cfg(ossl102)]
38 use crate::x509::verify::X509CheckFlags;
39 use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509};
40
41 mod server;
42
43 static ROOT_CERT: &[u8] = include_bytes!("../../../test/root-ca.pem");
44 static CERT: &[u8] = include_bytes!("../../../test/cert.pem");
45 static KEY: &[u8] = include_bytes!("../../../test/key.pem");
46
47 #[test]
verify_untrusted()48 fn verify_untrusted() {
49 let mut server = Server::builder();
50 server.should_error();
51 let server = server.build();
52
53 let mut client = server.client();
54 client.ctx().set_verify(SslVerifyMode::PEER);
55
56 client.connect_err();
57 }
58
59 #[test]
verify_trusted()60 fn verify_trusted() {
61 let server = Server::builder().build();
62
63 let mut client = server.client();
64 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
65
66 client.connect();
67 }
68
69 #[test]
70 #[cfg(ossl102)]
verify_trusted_with_set_cert()71 fn verify_trusted_with_set_cert() {
72 let server = Server::builder().build();
73
74 let mut store = X509StoreBuilder::new().unwrap();
75 let x509 = X509::from_pem(ROOT_CERT).unwrap();
76 store.add_cert(x509).unwrap();
77
78 let mut client = server.client();
79 client.ctx().set_verify(SslVerifyMode::PEER);
80 client.ctx().set_verify_cert_store(store.build()).unwrap();
81
82 client.connect();
83 }
84
85 #[test]
verify_untrusted_callback_override_ok()86 fn verify_untrusted_callback_override_ok() {
87 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
88
89 let server = Server::builder().build();
90
91 let mut client = server.client();
92 client
93 .ctx()
94 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
95 CALLED_BACK.store(true, Ordering::SeqCst);
96 assert!(x509.current_cert().is_some());
97 true
98 });
99
100 client.connect();
101 assert!(CALLED_BACK.load(Ordering::SeqCst));
102 }
103
104 #[test]
verify_untrusted_callback_override_bad()105 fn verify_untrusted_callback_override_bad() {
106 let mut server = Server::builder();
107 server.should_error();
108 let server = server.build();
109
110 let mut client = server.client();
111 client
112 .ctx()
113 .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
114
115 client.connect_err();
116 }
117
118 #[test]
verify_trusted_callback_override_ok()119 fn verify_trusted_callback_override_ok() {
120 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
121
122 let server = Server::builder().build();
123
124 let mut client = server.client();
125 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
126 client
127 .ctx()
128 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
129 CALLED_BACK.store(true, Ordering::SeqCst);
130 assert!(x509.current_cert().is_some());
131 true
132 });
133
134 client.connect();
135 assert!(CALLED_BACK.load(Ordering::SeqCst));
136 }
137
138 #[test]
verify_trusted_callback_override_bad()139 fn verify_trusted_callback_override_bad() {
140 let mut server = Server::builder();
141 server.should_error();
142 let server = server.build();
143
144 let mut client = server.client();
145 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
146 client
147 .ctx()
148 .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
149
150 client.connect_err();
151 }
152
153 #[test]
verify_callback_load_certs()154 fn verify_callback_load_certs() {
155 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
156
157 let server = Server::builder().build();
158
159 let mut client = server.client();
160 client
161 .ctx()
162 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
163 CALLED_BACK.store(true, Ordering::SeqCst);
164 assert!(x509.current_cert().is_some());
165 true
166 });
167
168 client.connect();
169 assert!(CALLED_BACK.load(Ordering::SeqCst));
170 }
171
172 #[test]
verify_trusted_get_error_ok()173 fn verify_trusted_get_error_ok() {
174 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
175
176 let server = Server::builder().build();
177
178 let mut client = server.client();
179 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
180 client
181 .ctx()
182 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
183 CALLED_BACK.store(true, Ordering::SeqCst);
184 assert_eq!(x509.error(), X509VerifyResult::OK);
185 true
186 });
187
188 client.connect();
189 assert!(CALLED_BACK.load(Ordering::SeqCst));
190 }
191
192 #[test]
verify_trusted_get_error_err()193 fn verify_trusted_get_error_err() {
194 let mut server = Server::builder();
195 server.should_error();
196 let server = server.build();
197
198 let mut client = server.client();
199 client
200 .ctx()
201 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
202 assert_ne!(x509.error(), X509VerifyResult::OK);
203 false
204 });
205
206 client.connect_err();
207 }
208
209 #[test]
verify_callback()210 fn verify_callback() {
211 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
212
213 let server = Server::builder().build();
214
215 let mut client = server.client();
216 let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
217 client
218 .ctx()
219 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
220 CALLED_BACK.store(true, Ordering::SeqCst);
221 let cert = x509.current_cert().unwrap();
222 let digest = cert.digest(MessageDigest::sha1()).unwrap();
223 assert_eq!(hex::encode(digest), expected);
224 true
225 });
226
227 client.connect();
228 assert!(CALLED_BACK.load(Ordering::SeqCst));
229 }
230
231 #[test]
ssl_verify_callback()232 fn ssl_verify_callback() {
233 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
234
235 let server = Server::builder().build();
236
237 let mut client = server.client().build().builder();
238 let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
239 client
240 .ssl()
241 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
242 CALLED_BACK.store(true, Ordering::SeqCst);
243 let cert = x509.current_cert().unwrap();
244 let digest = cert.digest(MessageDigest::sha1()).unwrap();
245 assert_eq!(hex::encode(digest), expected);
246 true
247 });
248
249 client.connect();
250 assert!(CALLED_BACK.load(Ordering::SeqCst));
251 }
252
253 #[test]
get_ctx_options()254 fn get_ctx_options() {
255 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
256 ctx.options();
257 }
258
259 #[test]
set_ctx_options()260 fn set_ctx_options() {
261 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
262 let opts = ctx.set_options(SslOptions::NO_TICKET);
263 assert!(opts.contains(SslOptions::NO_TICKET));
264 }
265
266 #[test]
267 #[cfg(not(boringssl))]
clear_ctx_options()268 fn clear_ctx_options() {
269 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
270 ctx.set_options(SslOptions::ALL);
271 let opts = ctx.clear_options(SslOptions::ALL);
272 assert!(!opts.contains(SslOptions::ALL));
273 }
274
275 #[test]
zero_length_buffers()276 fn zero_length_buffers() {
277 let server = Server::builder().build();
278
279 let mut s = server.client().connect();
280 assert_eq!(s.write(&[]).unwrap(), 0);
281 assert_eq!(s.read(&mut []).unwrap(), 0);
282 }
283
284 #[test]
peer_certificate()285 fn peer_certificate() {
286 let server = Server::builder().build();
287
288 let s = server.client().connect();
289 let cert = s.ssl().peer_certificate().unwrap();
290 let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
291 assert_eq!(
292 hex::encode(fingerprint),
293 "59172d9313e84459bcff27f967e79e6e9217e584"
294 );
295 }
296
297 #[test]
pending()298 fn pending() {
299 let mut server = Server::builder();
300 server.io_cb(|mut s| s.write_all(&[0; 10]).unwrap());
301 let server = server.build();
302
303 let mut s = server.client().connect();
304 s.read_exact(&mut [0]).unwrap();
305
306 assert_eq!(s.ssl().pending(), 9);
307 assert_eq!(s.read(&mut [0; 10]).unwrap(), 9);
308 }
309
310 #[test]
state()311 fn state() {
312 let server = Server::builder().build();
313
314 let s = server.client().connect();
315 #[cfg(not(boringssl))]
316 assert_eq!(s.ssl().state_string().trim(), "SSLOK");
317 #[cfg(boringssl)]
318 assert_eq!(s.ssl().state_string(), "!!!!!!");
319 assert_eq!(
320 s.ssl().state_string_long(),
321 "SSL negotiation finished successfully"
322 );
323 }
324
325 // when a connection uses ECDHE P-384 key exchange, then the temp key APIs
326 // return P-384 keys, and the peer and local keys are different.
327 #[test]
328 #[cfg(ossl300)]
peer_tmp_key_p384()329 fn peer_tmp_key_p384() {
330 let mut server = Server::builder();
331 server.ctx().set_groups_list("P-384").unwrap();
332 let server = server.build();
333 let s = server.client().connect();
334 let peer_temp = s.ssl().peer_tmp_key().unwrap();
335 assert_eq!(peer_temp.id(), Id::EC);
336 assert_eq!(peer_temp.bits(), 384);
337
338 let local_temp = s.ssl().tmp_key().unwrap();
339 assert_eq!(local_temp.id(), Id::EC);
340 assert_eq!(local_temp.bits(), 384);
341
342 assert_ne!(
343 peer_temp.ec_key().unwrap().public_key_to_der().unwrap(),
344 local_temp.ec_key().unwrap().public_key_to_der().unwrap(),
345 );
346 }
347
348 // when a connection uses RSA key exchange, then the peer (server) temp key is
349 // an Error because there is no temp key, and the local (client) temp key is the
350 // temp key sent in the initial key share.
351 #[test]
352 #[cfg(ossl300)]
peer_tmp_key_rsa()353 fn peer_tmp_key_rsa() {
354 let mut server = Server::builder();
355 server.ctx().set_cipher_list("RSA").unwrap();
356 // RSA key exchange is not allowed in TLS 1.3, so force the connection
357 // to negotiate TLS 1.2
358 server
359 .ctx()
360 .set_max_proto_version(Some(SslVersion::TLS1_2))
361 .unwrap();
362 let server = server.build();
363 let mut client = server.client();
364 client.ctx().set_groups_list("P-521").unwrap();
365 let s = client.connect();
366 let peer_temp = s.ssl().peer_tmp_key();
367 assert!(peer_temp.is_err());
368
369 // this is the temp key that the client sent in the initial key share
370 let local_temp = s.ssl().tmp_key().unwrap();
371 assert_eq!(local_temp.id(), Id::EC);
372 assert_eq!(local_temp.bits(), 521);
373 }
374
375 /// Tests that when both the client as well as the server use SRTP and their
376 /// lists of supported protocols have an overlap -- with only ONE protocol
377 /// being valid for both.
378 #[test]
test_connect_with_srtp_ctx()379 fn test_connect_with_srtp_ctx() {
380 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
381 let addr = listener.local_addr().unwrap();
382
383 let guard = thread::spawn(move || {
384 let stream = listener.accept().unwrap().0;
385 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
386 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
387 .unwrap();
388 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
389 .unwrap();
390 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
391 .unwrap();
392 let mut ssl = Ssl::new(&ctx.build()).unwrap();
393 ssl.set_mtu(1500).unwrap();
394 let mut stream = ssl.accept(stream).unwrap();
395
396 let mut buf = [0; 60];
397 stream
398 .ssl()
399 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
400 .unwrap();
401
402 stream.write_all(&[0]).unwrap();
403
404 buf
405 });
406
407 let stream = TcpStream::connect(addr).unwrap();
408 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
409 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
410 .unwrap();
411 let mut ssl = Ssl::new(&ctx.build()).unwrap();
412 ssl.set_mtu(1500).unwrap();
413 let mut stream = ssl.connect(stream).unwrap();
414
415 let mut buf = [1; 60];
416 {
417 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
418 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
419 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
420 }
421 stream
422 .ssl()
423 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
424 .expect("extract");
425
426 stream.read_exact(&mut [0]).unwrap();
427
428 let buf2 = guard.join().unwrap();
429
430 assert_eq!(buf[..], buf2[..]);
431 }
432
433 /// Tests that when both the client as well as the server use SRTP and their
434 /// lists of supported protocols have an overlap -- with only ONE protocol
435 /// being valid for both.
436 #[test]
test_connect_with_srtp_ssl()437 fn test_connect_with_srtp_ssl() {
438 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
439 let addr = listener.local_addr().unwrap();
440
441 let guard = thread::spawn(move || {
442 let stream = listener.accept().unwrap().0;
443 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
444 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
445 .unwrap();
446 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
447 .unwrap();
448 let mut ssl = Ssl::new(&ctx.build()).unwrap();
449 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
450 .unwrap();
451 let mut profilenames = String::new();
452 for profile in ssl.srtp_profiles().unwrap() {
453 if !profilenames.is_empty() {
454 profilenames.push(':');
455 }
456 profilenames += profile.name();
457 }
458 assert_eq!(
459 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
460 profilenames
461 );
462 ssl.set_mtu(1500).unwrap();
463 let mut stream = ssl.accept(stream).unwrap();
464
465 let mut buf = [0; 60];
466 stream
467 .ssl()
468 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
469 .unwrap();
470
471 stream.write_all(&[0]).unwrap();
472
473 buf
474 });
475
476 let stream = TcpStream::connect(addr).unwrap();
477 let ctx = SslContext::builder(SslMethod::dtls()).unwrap();
478 let mut ssl = Ssl::new(&ctx.build()).unwrap();
479 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
480 .unwrap();
481 ssl.set_mtu(1500).unwrap();
482 let mut stream = ssl.connect(stream).unwrap();
483
484 let mut buf = [1; 60];
485 {
486 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
487 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
488 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
489 }
490 stream
491 .ssl()
492 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
493 .expect("extract");
494
495 stream.read_exact(&mut [0]).unwrap();
496
497 let buf2 = guard.join().unwrap();
498
499 assert_eq!(buf[..], buf2[..]);
500 }
501
502 /// Tests that when the `SslStream` is created as a server stream, the protocols
503 /// are correctly advertised to the client.
504 #[test]
505 #[cfg(any(ossl102, libressl261))]
test_alpn_server_advertise_multiple()506 fn test_alpn_server_advertise_multiple() {
507 let mut server = Server::builder();
508 server.ctx().set_alpn_select_callback(|_, client| {
509 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
510 });
511 let server = server.build();
512
513 let mut client = server.client();
514 client.ctx().set_alpn_protos(b"\x08spdy/3.1").unwrap();
515 let s = client.connect();
516 assert_eq!(s.ssl().selected_alpn_protocol(), Some(&b"spdy/3.1"[..]));
517 }
518
519 #[test]
520 #[cfg(ossl110)]
test_alpn_server_select_none_fatal()521 fn test_alpn_server_select_none_fatal() {
522 let mut server = Server::builder();
523 server.ctx().set_alpn_select_callback(|_, client| {
524 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client)
525 .ok_or(ssl::AlpnError::ALERT_FATAL)
526 });
527 server.should_error();
528 let server = server.build();
529
530 let mut client = server.client();
531 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
532 client.connect_err();
533 }
534
535 #[test]
536 #[cfg(any(ossl102, libressl261))]
test_alpn_server_select_none()537 fn test_alpn_server_select_none() {
538 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
539
540 let mut server = Server::builder();
541 server.ctx().set_alpn_select_callback(|_, client| {
542 CALLED_BACK.store(true, Ordering::SeqCst);
543 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
544 });
545 let server = server.build();
546
547 let mut client = server.client();
548 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
549 let s = client.connect();
550 assert_eq!(None, s.ssl().selected_alpn_protocol());
551 assert!(CALLED_BACK.load(Ordering::SeqCst));
552 }
553
554 #[test]
555 #[cfg(any(boringssl, ossl102, libressl261))]
test_alpn_server_unilateral()556 fn test_alpn_server_unilateral() {
557 let server = Server::builder().build();
558
559 let mut client = server.client();
560 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
561 let s = client.connect();
562 assert_eq!(None, s.ssl().selected_alpn_protocol());
563 }
564
565 #[test]
566 #[should_panic(expected = "blammo")]
write_panic()567 fn write_panic() {
568 struct ExplodingStream(TcpStream);
569
570 impl Read for ExplodingStream {
571 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
572 self.0.read(buf)
573 }
574 }
575
576 impl Write for ExplodingStream {
577 fn write(&mut self, _: &[u8]) -> io::Result<usize> {
578 panic!("blammo");
579 }
580
581 fn flush(&mut self) -> io::Result<()> {
582 self.0.flush()
583 }
584 }
585
586 let mut server = Server::builder();
587 server.should_error();
588 let server = server.build();
589
590 let stream = ExplodingStream(server.connect_tcp());
591
592 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
593 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
594 }
595
596 #[test]
597 #[should_panic(expected = "blammo")]
read_panic()598 fn read_panic() {
599 struct ExplodingStream(TcpStream);
600
601 impl Read for ExplodingStream {
602 fn read(&mut self, _: &mut [u8]) -> io::Result<usize> {
603 panic!("blammo");
604 }
605 }
606
607 impl Write for ExplodingStream {
608 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
609 self.0.write(buf)
610 }
611
612 fn flush(&mut self) -> io::Result<()> {
613 self.0.flush()
614 }
615 }
616
617 let mut server = Server::builder();
618 server.should_error();
619 let server = server.build();
620
621 let stream = ExplodingStream(server.connect_tcp());
622
623 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
624 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
625 }
626
627 #[test]
628 #[cfg_attr(all(libressl321, not(libressl340)), ignore)]
629 #[should_panic(expected = "blammo")]
flush_panic()630 fn flush_panic() {
631 struct ExplodingStream(TcpStream);
632
633 impl Read for ExplodingStream {
634 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
635 self.0.read(buf)
636 }
637 }
638
639 impl Write for ExplodingStream {
640 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
641 self.0.write(buf)
642 }
643
644 fn flush(&mut self) -> io::Result<()> {
645 panic!("blammo");
646 }
647 }
648
649 let mut server = Server::builder();
650 server.should_error();
651 let server = server.build();
652
653 let stream = ExplodingStream(server.connect_tcp());
654
655 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
656 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
657 }
658
659 #[test]
refcount_ssl_context()660 fn refcount_ssl_context() {
661 let mut ssl = {
662 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
663 ssl::Ssl::new(&ctx.build()).unwrap()
664 };
665
666 {
667 let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build();
668 ssl.set_ssl_context(&new_ctx_a).unwrap();
669 }
670 }
671
672 #[test]
673 #[cfg_attr(libressl250, ignore)]
674 #[cfg_attr(target_os = "windows", ignore)]
675 #[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)]
default_verify_paths()676 fn default_verify_paths() {
677 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
678 ctx.set_default_verify_paths().unwrap();
679 ctx.set_verify(SslVerifyMode::PEER);
680 let ctx = ctx.build();
681 let s = match TcpStream::connect("google.com:443") {
682 Ok(s) => s,
683 Err(_) => return,
684 };
685 let mut ssl = Ssl::new(&ctx).unwrap();
686 ssl.set_hostname("google.com").unwrap();
687 let mut socket = ssl.connect(s).unwrap();
688
689 socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
690 let mut result = vec![];
691 socket.read_to_end(&mut result).unwrap();
692
693 println!("{}", String::from_utf8_lossy(&result));
694 assert!(result.starts_with(b"HTTP/1.0"));
695 assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
696 }
697
698 #[test]
add_extra_chain_cert()699 fn add_extra_chain_cert() {
700 let cert = X509::from_pem(CERT).unwrap();
701 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
702 ctx.add_extra_chain_cert(cert).unwrap();
703 }
704
705 #[test]
706 #[cfg(ossl102)]
verify_valid_hostname()707 fn verify_valid_hostname() {
708 let server = Server::builder().build();
709
710 let mut client = server.client();
711 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
712 client.ctx().set_verify(SslVerifyMode::PEER);
713
714 let mut client = client.build().builder();
715 client
716 .ssl()
717 .param_mut()
718 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
719 client.ssl().param_mut().set_host("foobar.com").unwrap();
720 client.connect();
721 }
722
723 #[test]
724 #[cfg(ossl102)]
verify_invalid_hostname()725 fn verify_invalid_hostname() {
726 let mut server = Server::builder();
727 server.should_error();
728 let server = server.build();
729
730 let mut client = server.client();
731 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
732 client.ctx().set_verify(SslVerifyMode::PEER);
733
734 let mut client = client.build().builder();
735 client
736 .ssl()
737 .param_mut()
738 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
739 client.ssl().param_mut().set_host("bogus.com").unwrap();
740 client.connect_err();
741 }
742
743 #[test]
connector_valid_hostname()744 fn connector_valid_hostname() {
745 let server = Server::builder().build();
746
747 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
748 connector.set_ca_file("test/root-ca.pem").unwrap();
749
750 let s = server.connect_tcp();
751 let mut s = connector.build().connect("foobar.com", s).unwrap();
752 s.read_exact(&mut [0]).unwrap();
753 }
754
755 #[test]
connector_invalid_hostname()756 fn connector_invalid_hostname() {
757 let mut server = Server::builder();
758 server.should_error();
759 let server = server.build();
760
761 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
762 connector.set_ca_file("test/root-ca.pem").unwrap();
763
764 let s = server.connect_tcp();
765 connector.build().connect("bogus.com", s).unwrap_err();
766 }
767
768 #[test]
connector_invalid_no_hostname_verification()769 fn connector_invalid_no_hostname_verification() {
770 let server = Server::builder().build();
771
772 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
773 connector.set_ca_file("test/root-ca.pem").unwrap();
774
775 let s = server.connect_tcp();
776 let mut s = connector
777 .build()
778 .configure()
779 .unwrap()
780 .verify_hostname(false)
781 .connect("bogus.com", s)
782 .unwrap();
783 s.read_exact(&mut [0]).unwrap();
784 }
785
786 #[test]
connector_no_hostname_still_verifies()787 fn connector_no_hostname_still_verifies() {
788 let mut server = Server::builder();
789 server.should_error();
790 let server = server.build();
791
792 let connector = SslConnector::builder(SslMethod::tls()).unwrap().build();
793
794 let s = server.connect_tcp();
795 assert!(connector
796 .configure()
797 .unwrap()
798 .verify_hostname(false)
799 .connect("fizzbuzz.com", s)
800 .is_err());
801 }
802
803 #[test]
connector_can_disable_verify()804 fn connector_can_disable_verify() {
805 let server = Server::builder().build();
806
807 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
808 connector.set_verify(SslVerifyMode::NONE);
809 let connector = connector.build();
810
811 let s = server.connect_tcp();
812 let mut s = connector
813 .configure()
814 .unwrap()
815 .connect("fizzbuzz.com", s)
816 .unwrap();
817 s.read_exact(&mut [0]).unwrap();
818 }
819
820 #[test]
connector_does_use_sni_with_dnsnames()821 fn connector_does_use_sni_with_dnsnames() {
822 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
823
824 let mut builder = Server::builder();
825 builder.ctx().set_servername_callback(|ssl, _| {
826 assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com"));
827 CALLED_BACK.store(true, Ordering::SeqCst);
828 Ok(())
829 });
830 let server = builder.build();
831
832 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
833 connector.set_ca_file("test/root-ca.pem").unwrap();
834
835 let s = server.connect_tcp();
836 let mut s = connector
837 .build()
838 .configure()
839 .unwrap()
840 .connect("foobar.com", s)
841 .unwrap();
842 s.read_exact(&mut [0]).unwrap();
843
844 assert!(CALLED_BACK.load(Ordering::SeqCst));
845 }
846
847 #[test]
connector_doesnt_use_sni_with_ips()848 fn connector_doesnt_use_sni_with_ips() {
849 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
850
851 let mut builder = Server::builder();
852 builder.ctx().set_servername_callback(|ssl, _| {
853 assert_eq!(ssl.servername(NameType::HOST_NAME), None);
854 CALLED_BACK.store(true, Ordering::SeqCst);
855 Ok(())
856 });
857 let server = builder.build();
858
859 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
860 // The server's cert isn't issued for 127.0.0.1 but we don't care for this test.
861 connector.set_verify(SslVerifyMode::NONE);
862
863 let s = server.connect_tcp();
864 let mut s = connector
865 .build()
866 .configure()
867 .unwrap()
868 .connect("127.0.0.1", s)
869 .unwrap();
870 s.read_exact(&mut [0]).unwrap();
871
872 assert!(CALLED_BACK.load(Ordering::SeqCst));
873 }
874
test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>)875 fn test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>) {
876 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
877 let port = listener.local_addr().unwrap().port();
878
879 let t = thread::spawn(move || {
880 let key = PKey::private_key_from_pem(KEY).unwrap();
881 let cert = X509::from_pem(CERT).unwrap();
882 let mut acceptor = new(SslMethod::tls()).unwrap();
883 acceptor.set_private_key(&key).unwrap();
884 acceptor.set_certificate(&cert).unwrap();
885 let acceptor = acceptor.build();
886 let stream = listener.accept().unwrap().0;
887 let mut stream = acceptor.accept(stream).unwrap();
888
889 stream.write_all(b"hello").unwrap();
890 });
891
892 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
893 connector.set_ca_file("test/root-ca.pem").unwrap();
894 let connector = connector.build();
895
896 let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
897 let mut stream = connector.connect("foobar.com", stream).unwrap();
898
899 let mut buf = [0; 5];
900 stream.read_exact(&mut buf).unwrap();
901 assert_eq!(b"hello", &buf);
902
903 t.join().unwrap();
904 }
905
906 #[test]
connector_client_server_mozilla_intermediate()907 fn connector_client_server_mozilla_intermediate() {
908 test_mozilla_server(SslAcceptor::mozilla_intermediate);
909 }
910
911 #[test]
connector_client_server_mozilla_modern()912 fn connector_client_server_mozilla_modern() {
913 test_mozilla_server(SslAcceptor::mozilla_modern);
914 }
915
916 #[test]
connector_client_server_mozilla_intermediate_v5()917 fn connector_client_server_mozilla_intermediate_v5() {
918 test_mozilla_server(SslAcceptor::mozilla_intermediate_v5);
919 }
920
921 #[test]
922 #[cfg(any(ossl111, libressl340))]
connector_client_server_mozilla_modern_v5()923 fn connector_client_server_mozilla_modern_v5() {
924 test_mozilla_server(SslAcceptor::mozilla_modern_v5);
925 }
926
927 #[test]
shutdown()928 fn shutdown() {
929 let mut server = Server::builder();
930 server.io_cb(|mut s| {
931 assert_eq!(s.read(&mut [0]).unwrap(), 0);
932 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
933 });
934 let server = server.build();
935
936 let mut s = server.client().connect();
937
938 assert_eq!(s.get_shutdown(), ShutdownState::empty());
939 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Sent);
940 assert_eq!(s.get_shutdown(), ShutdownState::SENT);
941 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
942 assert_eq!(
943 s.get_shutdown(),
944 ShutdownState::SENT | ShutdownState::RECEIVED
945 );
946 }
947
948 #[test]
client_ca_list()949 fn client_ca_list() {
950 let names = X509Name::load_client_ca_file("test/root-ca.pem").unwrap();
951 assert_eq!(names.len(), 1);
952
953 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
954 ctx.set_client_ca_list(names);
955 }
956
957 #[test]
cert_store()958 fn cert_store() {
959 let server = Server::builder().build();
960
961 let mut client = server.client();
962 let cert = X509::from_pem(ROOT_CERT).unwrap();
963 client.ctx().cert_store_mut().add_cert(cert).unwrap();
964 client.ctx().set_verify(SslVerifyMode::PEER);
965
966 client.connect();
967 }
968
969 #[test]
970 #[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
tmp_dh_callback()971 fn tmp_dh_callback() {
972 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
973
974 let mut server = Server::builder();
975 server.ctx().set_tmp_dh_callback(|_, _, _| {
976 CALLED_BACK.store(true, Ordering::SeqCst);
977 let dh = include_bytes!("../../../test/dhparams.pem");
978 Dh::params_from_pem(dh)
979 });
980
981 let server = server.build();
982
983 let mut client = server.client();
984 // TLS 1.3 has no DH suites, so make sure we don't pick that version
985 #[cfg(any(ossl111, libressl340))]
986 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
987 client.ctx().set_cipher_list("EDH").unwrap();
988 client.connect();
989
990 assert!(CALLED_BACK.load(Ordering::SeqCst));
991 }
992
993 #[test]
994 #[cfg(all(ossl101, not(ossl110)))]
995 #[allow(deprecated)]
tmp_ecdh_callback()996 fn tmp_ecdh_callback() {
997 use crate::ec::EcKey;
998 use crate::nid::Nid;
999
1000 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1001
1002 let mut server = Server::builder();
1003 server.ctx().set_tmp_ecdh_callback(|_, _, _| {
1004 CALLED_BACK.store(true, Ordering::SeqCst);
1005 EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
1006 });
1007
1008 let server = server.build();
1009
1010 let mut client = server.client();
1011 client.ctx().set_cipher_list("ECDH").unwrap();
1012 client.connect();
1013
1014 assert!(CALLED_BACK.load(Ordering::SeqCst));
1015 }
1016
1017 #[test]
1018 #[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
tmp_dh_callback_ssl()1019 fn tmp_dh_callback_ssl() {
1020 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1021
1022 let mut server = Server::builder();
1023 server.ssl_cb(|ssl| {
1024 ssl.set_tmp_dh_callback(|_, _, _| {
1025 CALLED_BACK.store(true, Ordering::SeqCst);
1026 let dh = include_bytes!("../../../test/dhparams.pem");
1027 Dh::params_from_pem(dh)
1028 });
1029 });
1030
1031 let server = server.build();
1032
1033 let mut client = server.client();
1034 // TLS 1.3 has no DH suites, so make sure we don't pick that version
1035 #[cfg(any(ossl111, libressl340))]
1036 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
1037 client.ctx().set_cipher_list("EDH").unwrap();
1038 client.connect();
1039
1040 assert!(CALLED_BACK.load(Ordering::SeqCst));
1041 }
1042
1043 #[test]
1044 #[cfg(all(ossl101, not(ossl110)))]
1045 #[allow(deprecated)]
tmp_ecdh_callback_ssl()1046 fn tmp_ecdh_callback_ssl() {
1047 use crate::ec::EcKey;
1048 use crate::nid::Nid;
1049
1050 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1051
1052 let mut server = Server::builder();
1053 server.ssl_cb(|ssl| {
1054 ssl.set_tmp_ecdh_callback(|_, _, _| {
1055 CALLED_BACK.store(true, Ordering::SeqCst);
1056 EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
1057 });
1058 });
1059
1060 let server = server.build();
1061
1062 let mut client = server.client();
1063 client.ctx().set_cipher_list("ECDH").unwrap();
1064 client.connect();
1065
1066 assert!(CALLED_BACK.load(Ordering::SeqCst));
1067 }
1068
1069 #[test]
idle_session()1070 fn idle_session() {
1071 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1072 let ssl = Ssl::new(&ctx).unwrap();
1073 assert!(ssl.session().is_none());
1074 }
1075
1076 /// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do
1077 /// not work due to lack of PSK support. The test passes with NO_TLSV1_3,
1078 /// but let's ignore it until LibreSSL supports it out of the box.
1079 #[test]
1080 #[cfg_attr(libressl321, ignore)]
active_session()1081 fn active_session() {
1082 let server = Server::builder().build();
1083
1084 let s = server.client().connect();
1085
1086 let session = s.ssl().session().unwrap();
1087 let len = session.master_key_len();
1088 let mut buf = vec![0; len - 1];
1089 let copied = session.master_key(&mut buf);
1090 assert_eq!(copied, buf.len());
1091 let mut buf = vec![0; len + 1];
1092 let copied = session.master_key(&mut buf);
1093 assert_eq!(copied, len);
1094 }
1095
1096 #[test]
1097 #[cfg(not(boringssl))]
status_callbacks()1098 fn status_callbacks() {
1099 static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false);
1100 static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false);
1101
1102 let mut server = Server::builder();
1103 server
1104 .ctx()
1105 .set_status_callback(|ssl| {
1106 CALLED_BACK_SERVER.store(true, Ordering::SeqCst);
1107 let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap();
1108 let response = response.to_der().unwrap();
1109 ssl.set_ocsp_status(&response).unwrap();
1110 Ok(true)
1111 })
1112 .unwrap();
1113
1114 let server = server.build();
1115
1116 let mut client = server.client();
1117 client
1118 .ctx()
1119 .set_status_callback(|ssl| {
1120 CALLED_BACK_CLIENT.store(true, Ordering::SeqCst);
1121 let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
1122 assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED);
1123 Ok(true)
1124 })
1125 .unwrap();
1126
1127 let mut client = client.build().builder();
1128 client.ssl().set_status_type(StatusType::OCSP).unwrap();
1129
1130 client.connect();
1131
1132 assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst));
1133 assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst));
1134 }
1135
1136 /// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do
1137 /// not work due to lack of PSK support. The test passes with NO_TLSV1_3,
1138 /// but let's ignore it until LibreSSL supports it out of the box.
1139 #[test]
1140 #[cfg_attr(libressl321, ignore)]
new_session_callback()1141 fn new_session_callback() {
1142 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1143
1144 let mut server = Server::builder();
1145 server.ctx().set_session_id_context(b"foo").unwrap();
1146
1147 let server = server.build();
1148
1149 let mut client = server.client();
1150
1151 client
1152 .ctx()
1153 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
1154 client
1155 .ctx()
1156 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
1157
1158 client.connect();
1159
1160 assert!(CALLED_BACK.load(Ordering::SeqCst));
1161 }
1162
1163 /// LibreSSL 3.2.1 enabled TLSv1.3 by default for clients and sessions do
1164 /// not work due to lack of PSK support. The test passes with NO_TLSV1_3,
1165 /// but let's ignore it until LibreSSL supports it out of the box.
1166 #[test]
1167 #[cfg_attr(libressl321, ignore)]
new_session_callback_swapped_ctx()1168 fn new_session_callback_swapped_ctx() {
1169 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1170
1171 let mut server = Server::builder();
1172 server.ctx().set_session_id_context(b"foo").unwrap();
1173
1174 let server = server.build();
1175
1176 let mut client = server.client();
1177
1178 client
1179 .ctx()
1180 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
1181 client
1182 .ctx()
1183 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
1184
1185 let mut client = client.build().builder();
1186
1187 let ctx = SslContextBuilder::new(SslMethod::tls()).unwrap().build();
1188 client.ssl().set_ssl_context(&ctx).unwrap();
1189
1190 client.connect();
1191
1192 assert!(CALLED_BACK.load(Ordering::SeqCst));
1193 }
1194
1195 #[test]
keying_export()1196 fn keying_export() {
1197 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
1198 let addr = listener.local_addr().unwrap();
1199
1200 let label = "EXPERIMENTAL test";
1201 let context = b"my context";
1202
1203 let guard = thread::spawn(move || {
1204 let stream = listener.accept().unwrap().0;
1205 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1206 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
1207 .unwrap();
1208 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
1209 .unwrap();
1210 let ssl = Ssl::new(&ctx.build()).unwrap();
1211 let mut stream = ssl.accept(stream).unwrap();
1212
1213 let mut buf = [0; 32];
1214 stream
1215 .ssl()
1216 .export_keying_material(&mut buf, label, Some(context))
1217 .unwrap();
1218
1219 stream.write_all(&[0]).unwrap();
1220
1221 buf
1222 });
1223
1224 let stream = TcpStream::connect(addr).unwrap();
1225 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
1226 let ssl = Ssl::new(&ctx.build()).unwrap();
1227 let mut stream = ssl.connect(stream).unwrap();
1228
1229 let mut buf = [1; 32];
1230 stream
1231 .ssl()
1232 .export_keying_material(&mut buf, label, Some(context))
1233 .unwrap();
1234
1235 stream.read_exact(&mut [0]).unwrap();
1236
1237 let buf2 = guard.join().unwrap();
1238
1239 assert_eq!(buf, buf2);
1240 }
1241
1242 #[test]
1243 #[cfg(any(ossl110, libressl261))]
no_version_overlap()1244 fn no_version_overlap() {
1245 let mut server = Server::builder();
1246 server.ctx().set_min_proto_version(None).unwrap();
1247 server
1248 .ctx()
1249 .set_max_proto_version(Some(SslVersion::TLS1_1))
1250 .unwrap();
1251 #[cfg(any(ossl110g, libressl270))]
1252 assert_eq!(server.ctx().max_proto_version(), Some(SslVersion::TLS1_1));
1253 server.should_error();
1254 let server = server.build();
1255
1256 let mut client = server.client();
1257 client
1258 .ctx()
1259 .set_min_proto_version(Some(SslVersion::TLS1_2))
1260 .unwrap();
1261 #[cfg(ossl110g)]
1262 assert_eq!(client.ctx().min_proto_version(), Some(SslVersion::TLS1_2));
1263 client.ctx().set_max_proto_version(None).unwrap();
1264
1265 client.connect_err();
1266 }
1267
1268 #[test]
1269 #[cfg(ossl111)]
custom_extensions()1270 fn custom_extensions() {
1271 static FOUND_EXTENSION: AtomicBool = AtomicBool::new(false);
1272
1273 let mut server = Server::builder();
1274 server
1275 .ctx()
1276 .add_custom_ext(
1277 12345,
1278 ExtensionContext::CLIENT_HELLO,
1279 |_, _, _| -> Result<Option<&'static [u8]>, _> { unreachable!() },
1280 |_, _, data, _| {
1281 FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst);
1282 Ok(())
1283 },
1284 )
1285 .unwrap();
1286
1287 let server = server.build();
1288
1289 let mut client = server.client();
1290 client
1291 .ctx()
1292 .add_custom_ext(
1293 12345,
1294 ssl::ExtensionContext::CLIENT_HELLO,
1295 |_, _, _| Ok(Some(b"hello")),
1296 |_, _, _, _| unreachable!(),
1297 )
1298 .unwrap();
1299
1300 client.connect();
1301
1302 assert!(FOUND_EXTENSION.load(Ordering::SeqCst));
1303 }
1304
_check_kinds()1305 fn _check_kinds() {
1306 fn is_send<T: Send>() {}
1307 fn is_sync<T: Sync>() {}
1308
1309 is_send::<SslStream<TcpStream>>();
1310 is_sync::<SslStream<TcpStream>>();
1311 }
1312
1313 #[test]
1314 #[cfg(ossl111)]
stateless()1315 fn stateless() {
1316 use super::SslOptions;
1317
1318 #[derive(Debug)]
1319 struct MemoryStream {
1320 incoming: io::Cursor<Vec<u8>>,
1321 outgoing: Vec<u8>,
1322 }
1323
1324 impl MemoryStream {
1325 pub fn new() -> Self {
1326 Self {
1327 incoming: io::Cursor::new(Vec::new()),
1328 outgoing: Vec::new(),
1329 }
1330 }
1331
1332 pub fn extend_incoming(&mut self, data: &[u8]) {
1333 self.incoming.get_mut().extend_from_slice(data);
1334 }
1335
1336 pub fn take_outgoing(&mut self) -> Outgoing<'_> {
1337 Outgoing(&mut self.outgoing)
1338 }
1339 }
1340
1341 impl Read for MemoryStream {
1342 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
1343 let n = self.incoming.read(buf)?;
1344 if self.incoming.position() == self.incoming.get_ref().len() as u64 {
1345 self.incoming.set_position(0);
1346 self.incoming.get_mut().clear();
1347 }
1348 if n == 0 {
1349 return Err(io::Error::new(
1350 io::ErrorKind::WouldBlock,
1351 "no data available",
1352 ));
1353 }
1354 Ok(n)
1355 }
1356 }
1357
1358 impl Write for MemoryStream {
1359 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
1360 self.outgoing.write(buf)
1361 }
1362
1363 fn flush(&mut self) -> io::Result<()> {
1364 Ok(())
1365 }
1366 }
1367
1368 pub struct Outgoing<'a>(&'a mut Vec<u8>);
1369
1370 impl<'a> Drop for Outgoing<'a> {
1371 fn drop(&mut self) {
1372 self.0.clear();
1373 }
1374 }
1375
1376 impl<'a> ::std::ops::Deref for Outgoing<'a> {
1377 type Target = [u8];
1378 fn deref(&self) -> &[u8] {
1379 self.0
1380 }
1381 }
1382
1383 impl<'a> AsRef<[u8]> for Outgoing<'a> {
1384 fn as_ref(&self) -> &[u8] {
1385 self.0
1386 }
1387 }
1388
1389 fn send(from: &mut MemoryStream, to: &mut MemoryStream) {
1390 to.extend_incoming(&from.take_outgoing());
1391 }
1392
1393 //
1394 // Setup
1395 //
1396
1397 let mut client_ctx = SslContext::builder(SslMethod::tls()).unwrap();
1398 client_ctx.clear_options(SslOptions::ENABLE_MIDDLEBOX_COMPAT);
1399 let mut client_stream =
1400 SslStream::new(Ssl::new(&client_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
1401
1402 let mut server_ctx = SslContext::builder(SslMethod::tls()).unwrap();
1403 server_ctx
1404 .set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
1405 .unwrap();
1406 server_ctx
1407 .set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
1408 .unwrap();
1409 const COOKIE: &[u8] = b"chocolate chip";
1410 server_ctx.set_stateless_cookie_generate_cb(|_tls, buf| {
1411 buf[0..COOKIE.len()].copy_from_slice(COOKIE);
1412 Ok(COOKIE.len())
1413 });
1414 server_ctx.set_stateless_cookie_verify_cb(|_tls, buf| buf == COOKIE);
1415 let mut server_stream =
1416 SslStream::new(Ssl::new(&server_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
1417
1418 //
1419 // Handshake
1420 //
1421
1422 // Initial ClientHello
1423 client_stream.connect().unwrap_err();
1424 send(client_stream.get_mut(), server_stream.get_mut());
1425 // HelloRetryRequest
1426 assert!(!server_stream.stateless().unwrap());
1427 send(server_stream.get_mut(), client_stream.get_mut());
1428 // Second ClientHello
1429 client_stream.do_handshake().unwrap_err();
1430 send(client_stream.get_mut(), server_stream.get_mut());
1431 // OldServerHello
1432 assert!(server_stream.stateless().unwrap());
1433 server_stream.accept().unwrap_err();
1434 send(server_stream.get_mut(), client_stream.get_mut());
1435 // Finished
1436 client_stream.do_handshake().unwrap();
1437 send(client_stream.get_mut(), server_stream.get_mut());
1438 server_stream.do_handshake().unwrap();
1439 }
1440
1441 #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
1442 #[test]
psk_ciphers()1443 fn psk_ciphers() {
1444 const CIPHER: &str = "PSK-AES256-CBC-SHA";
1445 const PSK: &[u8] = b"thisisaverysecurekey";
1446 const CLIENT_IDENT: &[u8] = b"thisisaclient";
1447 static CLIENT_CALLED: AtomicBool = AtomicBool::new(false);
1448 static SERVER_CALLED: AtomicBool = AtomicBool::new(false);
1449
1450 let mut server = Server::builder();
1451 server.ctx().set_cipher_list(CIPHER).unwrap();
1452 server.ctx().set_psk_server_callback(|_, identity, psk| {
1453 assert!(identity.unwrap_or(&[]) == CLIENT_IDENT);
1454 psk[..PSK.len()].copy_from_slice(PSK);
1455 SERVER_CALLED.store(true, Ordering::SeqCst);
1456 Ok(PSK.len())
1457 });
1458
1459 let server = server.build();
1460
1461 let mut client = server.client();
1462 // This test relies on TLS 1.2 suites
1463 #[cfg(any(boringssl, ossl111))]
1464 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
1465 client.ctx().set_cipher_list(CIPHER).unwrap();
1466 client
1467 .ctx()
1468 .set_psk_client_callback(move |_, _, identity, psk| {
1469 identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT);
1470 identity[CLIENT_IDENT.len()] = 0;
1471 psk[..PSK.len()].copy_from_slice(PSK);
1472 CLIENT_CALLED.store(true, Ordering::SeqCst);
1473 Ok(PSK.len())
1474 });
1475
1476 client.connect();
1477
1478 assert!(SERVER_CALLED.load(Ordering::SeqCst));
1479 assert!(CLIENT_CALLED.load(Ordering::SeqCst));
1480 }
1481
1482 #[test]
sni_callback_swapped_ctx()1483 fn sni_callback_swapped_ctx() {
1484 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1485
1486 let mut server = Server::builder();
1487
1488 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1489 ctx.set_servername_callback(|_, _| {
1490 CALLED_BACK.store(true, Ordering::SeqCst);
1491 Ok(())
1492 });
1493
1494 let keyed_ctx = mem::replace(server.ctx(), ctx).build();
1495 server.ssl_cb(move |ssl| ssl.set_ssl_context(&keyed_ctx).unwrap());
1496
1497 let server = server.build();
1498
1499 server.client().connect();
1500
1501 assert!(CALLED_BACK.load(Ordering::SeqCst));
1502 }
1503
1504 #[test]
1505 #[cfg(ossl111)]
client_hello()1506 fn client_hello() {
1507 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1508
1509 let mut server = Server::builder();
1510 server.ctx().set_client_hello_callback(|ssl, _| {
1511 assert!(!ssl.client_hello_isv2());
1512 assert_eq!(ssl.client_hello_legacy_version(), Some(SslVersion::TLS1_2));
1513 assert!(ssl.client_hello_random().is_some());
1514 assert!(ssl.client_hello_session_id().is_some());
1515 assert!(ssl.client_hello_ciphers().is_some());
1516 assert!(ssl.client_hello_compression_methods().is_some());
1517 assert!(ssl
1518 .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2())
1519 .is_ok());
1520
1521 CALLED_BACK.store(true, Ordering::SeqCst);
1522 Ok(ClientHelloResponse::SUCCESS)
1523 });
1524
1525 let server = server.build();
1526 server.client().connect();
1527
1528 assert!(CALLED_BACK.load(Ordering::SeqCst));
1529 }
1530
1531 #[test]
1532 #[cfg(ossl111)]
openssl_cipher_name()1533 fn openssl_cipher_name() {
1534 assert_eq!(
1535 super::cipher_name("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
1536 "ECDHE-RSA-AES256-SHA384",
1537 );
1538
1539 assert_eq!(super::cipher_name("asdf"), "(NONE)");
1540 }
1541
1542 #[test]
session_cache_size()1543 fn session_cache_size() {
1544 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1545 ctx.set_session_cache_size(1234);
1546 let ctx = ctx.build();
1547 assert_eq!(ctx.session_cache_size(), 1234);
1548 }
1549
1550 #[test]
1551 #[cfg(ossl102)]
add_chain_cert()1552 fn add_chain_cert() {
1553 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1554 let cert = X509::from_pem(CERT).unwrap();
1555 let mut ssl = Ssl::new(&ctx).unwrap();
1556 assert!(ssl.add_chain_cert(cert).is_ok());
1557 }
1558 #[test]
1559 #[cfg(ossl111)]
set_ssl_certificate_key_related_api()1560 fn set_ssl_certificate_key_related_api() {
1561 let cert_str: &str = include_str!("../../../test/cert.pem");
1562 let key_str: &str = include_str!("../../../test/key.pem");
1563 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1564 let cert_x509 = X509::from_pem(CERT).unwrap();
1565 let mut ssl = Ssl::new(&ctx).unwrap();
1566 assert!(ssl.set_method(SslMethod::tls()).is_ok());
1567 ssl.set_private_key_file("test/key.pem", SslFiletype::PEM)
1568 .unwrap();
1569 {
1570 let pkey = String::from_utf8(
1571 ssl.private_key()
1572 .unwrap()
1573 .private_key_to_pem_pkcs8()
1574 .unwrap(),
1575 )
1576 .unwrap();
1577 assert!(pkey.lines().eq(key_str.lines()));
1578 }
1579 let pkey = PKey::private_key_from_pem(KEY).unwrap();
1580 ssl.set_private_key(pkey.as_ref()).unwrap();
1581 {
1582 let pkey = String::from_utf8(
1583 ssl.private_key()
1584 .unwrap()
1585 .private_key_to_pem_pkcs8()
1586 .unwrap(),
1587 )
1588 .unwrap();
1589 assert!(pkey.lines().eq(key_str.lines()));
1590 }
1591 ssl.set_certificate(cert_x509.as_ref()).unwrap();
1592 let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap();
1593 assert!(cert.lines().eq(cert_str.lines()));
1594 ssl.add_client_ca(cert_x509.as_ref()).unwrap();
1595 ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap();
1596 ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap();
1597 ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap();
1598 ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap();
1599 let x509 = X509::from_pem(ROOT_CERT).unwrap();
1600 let mut builder = X509StoreBuilder::new().unwrap();
1601 builder.add_cert(x509).unwrap();
1602 let store = builder.build();
1603 ssl.set_verify_cert_store(store).unwrap();
1604 }
1605
1606 #[test]
1607 #[cfg(ossl110)]
test_ssl_set_cert_chain_file()1608 fn test_ssl_set_cert_chain_file() {
1609 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1610 let mut ssl = Ssl::new(&ctx).unwrap();
1611 ssl.set_certificate_chain_file("test/cert.pem").unwrap();
1612 }
1613
1614 #[test]
1615 #[cfg(ossl111)]
set_num_tickets()1616 fn set_num_tickets() {
1617 let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap();
1618 ctx.set_num_tickets(3).unwrap();
1619 let ctx = ctx.build();
1620 assert_eq!(3, ctx.num_tickets());
1621
1622 let mut ssl = Ssl::new(&ctx).unwrap();
1623 ssl.set_num_tickets(5).unwrap();
1624 let ssl = ssl;
1625 assert_eq!(5, ssl.num_tickets());
1626 }
1627
1628 #[test]
1629 #[cfg(ossl110)]
set_security_level()1630 fn set_security_level() {
1631 let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap();
1632 ctx.set_security_level(3);
1633 let ctx = ctx.build();
1634 assert_eq!(3, ctx.security_level());
1635
1636 let mut ssl = Ssl::new(&ctx).unwrap();
1637 ssl.set_security_level(4);
1638 let ssl = ssl;
1639 assert_eq!(4, ssl.security_level());
1640 }
1641
1642 #[test]
ssl_ctx_ex_data_leak()1643 fn ssl_ctx_ex_data_leak() {
1644 static DROPS: AtomicUsize = AtomicUsize::new(0);
1645
1646 struct DropTest;
1647
1648 impl Drop for DropTest {
1649 fn drop(&mut self) {
1650 DROPS.fetch_add(1, Ordering::Relaxed);
1651 }
1652 }
1653
1654 let idx = SslContext::new_ex_index().unwrap();
1655
1656 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1657 ctx.set_ex_data(idx, DropTest);
1658 ctx.set_ex_data(idx, DropTest);
1659 assert_eq!(DROPS.load(Ordering::Relaxed), 1);
1660
1661 drop(ctx);
1662 assert_eq!(DROPS.load(Ordering::Relaxed), 2);
1663 }
1664
1665 #[test]
ssl_ex_data_leak()1666 fn ssl_ex_data_leak() {
1667 static DROPS: AtomicUsize = AtomicUsize::new(0);
1668
1669 struct DropTest;
1670
1671 impl Drop for DropTest {
1672 fn drop(&mut self) {
1673 DROPS.fetch_add(1, Ordering::Relaxed);
1674 }
1675 }
1676
1677 let idx = Ssl::new_ex_index().unwrap();
1678
1679 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1680 let mut ssl = Ssl::new(&ctx).unwrap();
1681 ssl.set_ex_data(idx, DropTest);
1682 ssl.set_ex_data(idx, DropTest);
1683 assert_eq!(DROPS.load(Ordering::Relaxed), 1);
1684
1685 drop(ssl);
1686 assert_eq!(DROPS.load(Ordering::Relaxed), 2);
1687 }
1688