1#![allow(unused_imports)] 2 3use std::env; 4use std::fs::File; 5use std::io::prelude::*; 6use std::io::{self, BufReader}; 7use std::iter; 8use std::mem; 9use std::net::UdpSocket; 10use std::net::{SocketAddr, TcpListener, TcpStream}; 11use std::path::Path; 12use std::process::{Child, ChildStdin, Command, Stdio}; 13use std::sync::atomic::{AtomicBool, Ordering}; 14use std::thread; 15use std::time::Duration; 16 17use crate::dh::Dh; 18use crate::error::ErrorStack; 19use crate::hash::MessageDigest; 20#[cfg(not(boringssl))] 21use crate::ocsp::{OcspResponse, OcspResponseStatus}; 22use crate::pkey::PKey; 23use crate::srtp::SrtpProfileId; 24use crate::ssl::test::server::Server; 25#[cfg(any(ossl110, ossl111, libressl261))] 26use crate::ssl::SslVersion; 27use crate::ssl::{self, NameType, SslConnectorBuilder}; 28#[cfg(ossl111)] 29use crate::ssl::{ClientHelloResponse, ExtensionContext}; 30use crate::ssl::{ 31 Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor, 32 SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod, 33 SslOptions, SslSessionCacheMode, SslStream, SslVerifyMode, StatusType, 34}; 35#[cfg(ossl102)] 36use crate::x509::store::X509StoreBuilder; 37#[cfg(ossl102)] 38use crate::x509::verify::X509CheckFlags; 39use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509}; 40 41mod server; 42 43static ROOT_CERT: &[u8] = include_bytes!("../../../test/root-ca.pem"); 44static CERT: &[u8] = include_bytes!("../../../test/cert.pem"); 45static KEY: &[u8] = include_bytes!("../../../test/key.pem"); 46 47#[test] 48fn verify_untrusted() { 49 let mut server = Server::builder(); 50 server.should_error(); 51 let server = server.build(); 52 53 let mut client = server.client(); 54 client.ctx().set_verify(SslVerifyMode::PEER); 55 56 client.connect_err(); 57} 58 59#[test] 60fn verify_trusted() { 61 let server = Server::builder().build(); 62 63 let mut client = server.client(); 64 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 65 66 client.connect(); 67} 68 69#[test] 70#[cfg(ossl102)] 71fn verify_trusted_with_set_cert() { 72 let server = Server::builder().build(); 73 74 let mut store = X509StoreBuilder::new().unwrap(); 75 let x509 = X509::from_pem(ROOT_CERT).unwrap(); 76 store.add_cert(x509).unwrap(); 77 78 let mut client = server.client(); 79 client.ctx().set_verify(SslVerifyMode::PEER); 80 client.ctx().set_verify_cert_store(store.build()).unwrap(); 81 82 client.connect(); 83} 84 85#[test] 86fn verify_untrusted_callback_override_ok() { 87 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 88 89 let server = Server::builder().build(); 90 91 let mut client = server.client(); 92 client 93 .ctx() 94 .set_verify_callback(SslVerifyMode::PEER, |_, x509| { 95 CALLED_BACK.store(true, Ordering::SeqCst); 96 assert!(x509.current_cert().is_some()); 97 true 98 }); 99 100 client.connect(); 101 assert!(CALLED_BACK.load(Ordering::SeqCst)); 102} 103 104#[test] 105fn verify_untrusted_callback_override_bad() { 106 let mut server = Server::builder(); 107 server.should_error(); 108 let server = server.build(); 109 110 let mut client = server.client(); 111 client 112 .ctx() 113 .set_verify_callback(SslVerifyMode::PEER, |_, _| false); 114 115 client.connect_err(); 116} 117 118#[test] 119fn verify_trusted_callback_override_ok() { 120 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 121 122 let server = Server::builder().build(); 123 124 let mut client = server.client(); 125 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 126 client 127 .ctx() 128 .set_verify_callback(SslVerifyMode::PEER, |_, x509| { 129 CALLED_BACK.store(true, Ordering::SeqCst); 130 assert!(x509.current_cert().is_some()); 131 true 132 }); 133 134 client.connect(); 135 assert!(CALLED_BACK.load(Ordering::SeqCst)); 136} 137 138#[test] 139fn verify_trusted_callback_override_bad() { 140 let mut server = Server::builder(); 141 server.should_error(); 142 let server = server.build(); 143 144 let mut client = server.client(); 145 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 146 client 147 .ctx() 148 .set_verify_callback(SslVerifyMode::PEER, |_, _| false); 149 150 client.connect_err(); 151} 152 153#[test] 154fn verify_callback_load_certs() { 155 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 156 157 let server = Server::builder().build(); 158 159 let mut client = server.client(); 160 client 161 .ctx() 162 .set_verify_callback(SslVerifyMode::PEER, |_, x509| { 163 CALLED_BACK.store(true, Ordering::SeqCst); 164 assert!(x509.current_cert().is_some()); 165 true 166 }); 167 168 client.connect(); 169 assert!(CALLED_BACK.load(Ordering::SeqCst)); 170} 171 172#[test] 173fn verify_trusted_get_error_ok() { 174 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 175 176 let server = Server::builder().build(); 177 178 let mut client = server.client(); 179 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 180 client 181 .ctx() 182 .set_verify_callback(SslVerifyMode::PEER, |_, x509| { 183 CALLED_BACK.store(true, Ordering::SeqCst); 184 assert_eq!(x509.error(), X509VerifyResult::OK); 185 true 186 }); 187 188 client.connect(); 189 assert!(CALLED_BACK.load(Ordering::SeqCst)); 190} 191 192#[test] 193fn verify_trusted_get_error_err() { 194 let mut server = Server::builder(); 195 server.should_error(); 196 let server = server.build(); 197 198 let mut client = server.client(); 199 client 200 .ctx() 201 .set_verify_callback(SslVerifyMode::PEER, |_, x509| { 202 assert_ne!(x509.error(), X509VerifyResult::OK); 203 false 204 }); 205 206 client.connect_err(); 207} 208 209#[test] 210fn verify_callback() { 211 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 212 213 let server = Server::builder().build(); 214 215 let mut client = server.client(); 216 let expected = "59172d9313e84459bcff27f967e79e6e9217e584"; 217 client 218 .ctx() 219 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| { 220 CALLED_BACK.store(true, Ordering::SeqCst); 221 let cert = x509.current_cert().unwrap(); 222 let digest = cert.digest(MessageDigest::sha1()).unwrap(); 223 assert_eq!(hex::encode(digest), expected); 224 true 225 }); 226 227 client.connect(); 228 assert!(CALLED_BACK.load(Ordering::SeqCst)); 229} 230 231#[test] 232fn ssl_verify_callback() { 233 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 234 235 let server = Server::builder().build(); 236 237 let mut client = server.client().build().builder(); 238 let expected = "59172d9313e84459bcff27f967e79e6e9217e584"; 239 client 240 .ssl() 241 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| { 242 CALLED_BACK.store(true, Ordering::SeqCst); 243 let cert = x509.current_cert().unwrap(); 244 let digest = cert.digest(MessageDigest::sha1()).unwrap(); 245 assert_eq!(hex::encode(digest), expected); 246 true 247 }); 248 249 client.connect(); 250 assert!(CALLED_BACK.load(Ordering::SeqCst)); 251} 252 253#[test] 254fn get_ctx_options() { 255 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 256 ctx.options(); 257} 258 259#[test] 260fn set_ctx_options() { 261 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 262 let opts = ctx.set_options(SslOptions::NO_TICKET); 263 assert!(opts.contains(SslOptions::NO_TICKET)); 264} 265 266#[test] 267#[cfg(not(boringssl))] 268fn clear_ctx_options() { 269 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 270 ctx.set_options(SslOptions::ALL); 271 let opts = ctx.clear_options(SslOptions::ALL); 272 assert!(!opts.contains(SslOptions::ALL)); 273} 274 275#[test] 276fn zero_length_buffers() { 277 let server = Server::builder().build(); 278 279 let mut s = server.client().connect(); 280 assert_eq!(s.write(&[]).unwrap(), 0); 281 assert_eq!(s.read(&mut []).unwrap(), 0); 282} 283 284#[test] 285fn peer_certificate() { 286 let server = Server::builder().build(); 287 288 let s = server.client().connect(); 289 let cert = s.ssl().peer_certificate().unwrap(); 290 let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); 291 assert_eq!( 292 hex::encode(fingerprint), 293 "59172d9313e84459bcff27f967e79e6e9217e584" 294 ); 295} 296 297#[test] 298fn pending() { 299 let mut server = Server::builder(); 300 server.io_cb(|mut s| s.write_all(&[0; 10]).unwrap()); 301 let server = server.build(); 302 303 let mut s = server.client().connect(); 304 s.read_exact(&mut [0]).unwrap(); 305 306 assert_eq!(s.ssl().pending(), 9); 307 assert_eq!(s.read(&mut [0; 10]).unwrap(), 9); 308} 309 310#[test] 311fn state() { 312 let server = Server::builder().build(); 313 314 let s = server.client().connect(); 315 #[cfg(not(boringssl))] 316 assert_eq!(s.ssl().state_string().trim(), "SSLOK"); 317 #[cfg(boringssl)] 318 assert_eq!(s.ssl().state_string(), "!!!!!!"); 319 assert_eq!( 320 s.ssl().state_string_long(), 321 "SSL negotiation finished successfully" 322 ); 323} 324 325/// Tests that when both the client as well as the server use SRTP and their 326/// lists of supported protocols have an overlap -- with only ONE protocol 327/// being valid for both. 328#[test] 329fn test_connect_with_srtp_ctx() { 330 let listener = TcpListener::bind("127.0.0.1:0").unwrap(); 331 let addr = listener.local_addr().unwrap(); 332 333 let guard = thread::spawn(move || { 334 let stream = listener.accept().unwrap().0; 335 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); 336 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") 337 .unwrap(); 338 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) 339 .unwrap(); 340 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) 341 .unwrap(); 342 let mut ssl = Ssl::new(&ctx.build()).unwrap(); 343 ssl.set_mtu(1500).unwrap(); 344 let mut stream = ssl.accept(stream).unwrap(); 345 346 let mut buf = [0; 60]; 347 stream 348 .ssl() 349 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) 350 .unwrap(); 351 352 stream.write_all(&[0]).unwrap(); 353 354 buf 355 }); 356 357 let stream = TcpStream::connect(addr).unwrap(); 358 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); 359 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") 360 .unwrap(); 361 let mut ssl = Ssl::new(&ctx.build()).unwrap(); 362 ssl.set_mtu(1500).unwrap(); 363 let mut stream = ssl.connect(stream).unwrap(); 364 365 let mut buf = [1; 60]; 366 { 367 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap(); 368 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name()); 369 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id()); 370 } 371 stream 372 .ssl() 373 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) 374 .expect("extract"); 375 376 stream.read_exact(&mut [0]).unwrap(); 377 378 let buf2 = guard.join().unwrap(); 379 380 assert_eq!(buf[..], buf2[..]); 381} 382 383/// Tests that when both the client as well as the server use SRTP and their 384/// lists of supported protocols have an overlap -- with only ONE protocol 385/// being valid for both. 386#[test] 387fn test_connect_with_srtp_ssl() { 388 let listener = TcpListener::bind("127.0.0.1:0").unwrap(); 389 let addr = listener.local_addr().unwrap(); 390 391 let guard = thread::spawn(move || { 392 let stream = listener.accept().unwrap().0; 393 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); 394 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) 395 .unwrap(); 396 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) 397 .unwrap(); 398 let mut ssl = Ssl::new(&ctx.build()).unwrap(); 399 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") 400 .unwrap(); 401 let mut profilenames = String::new(); 402 for profile in ssl.srtp_profiles().unwrap() { 403 if !profilenames.is_empty() { 404 profilenames.push(':'); 405 } 406 profilenames += profile.name(); 407 } 408 assert_eq!( 409 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", 410 profilenames 411 ); 412 ssl.set_mtu(1500).unwrap(); 413 let mut stream = ssl.accept(stream).unwrap(); 414 415 let mut buf = [0; 60]; 416 stream 417 .ssl() 418 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) 419 .unwrap(); 420 421 stream.write_all(&[0]).unwrap(); 422 423 buf 424 }); 425 426 let stream = TcpStream::connect(addr).unwrap(); 427 let ctx = SslContext::builder(SslMethod::dtls()).unwrap(); 428 let mut ssl = Ssl::new(&ctx.build()).unwrap(); 429 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") 430 .unwrap(); 431 ssl.set_mtu(1500).unwrap(); 432 let mut stream = ssl.connect(stream).unwrap(); 433 434 let mut buf = [1; 60]; 435 { 436 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap(); 437 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name()); 438 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id()); 439 } 440 stream 441 .ssl() 442 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) 443 .expect("extract"); 444 445 stream.read_exact(&mut [0]).unwrap(); 446 447 let buf2 = guard.join().unwrap(); 448 449 assert_eq!(buf[..], buf2[..]); 450} 451 452/// Tests that when the `SslStream` is created as a server stream, the protocols 453/// are correctly advertised to the client. 454#[test] 455#[cfg(any(ossl102, libressl261))] 456fn test_alpn_server_advertise_multiple() { 457 let mut server = Server::builder(); 458 server.ctx().set_alpn_select_callback(|_, client| { 459 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) 460 }); 461 let server = server.build(); 462 463 let mut client = server.client(); 464 client.ctx().set_alpn_protos(b"\x08spdy/3.1").unwrap(); 465 let s = client.connect(); 466 assert_eq!(s.ssl().selected_alpn_protocol(), Some(&b"spdy/3.1"[..])); 467} 468 469#[test] 470#[cfg(ossl110)] 471fn test_alpn_server_select_none_fatal() { 472 let mut server = Server::builder(); 473 server.ctx().set_alpn_select_callback(|_, client| { 474 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client) 475 .ok_or(ssl::AlpnError::ALERT_FATAL) 476 }); 477 server.should_error(); 478 let server = server.build(); 479 480 let mut client = server.client(); 481 client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); 482 client.connect_err(); 483} 484 485#[test] 486#[cfg(any(ossl102, libressl261))] 487fn test_alpn_server_select_none() { 488 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 489 490 let mut server = Server::builder(); 491 server.ctx().set_alpn_select_callback(|_, client| { 492 CALLED_BACK.store(true, Ordering::SeqCst); 493 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) 494 }); 495 let server = server.build(); 496 497 let mut client = server.client(); 498 client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); 499 let s = client.connect(); 500 assert_eq!(None, s.ssl().selected_alpn_protocol()); 501 assert!(CALLED_BACK.load(Ordering::SeqCst)); 502} 503 504#[test] 505#[cfg(any(ossl102, libressl261))] 506fn test_alpn_server_unilateral() { 507 let server = Server::builder().build(); 508 509 let mut client = server.client(); 510 client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); 511 let s = client.connect(); 512 assert_eq!(None, s.ssl().selected_alpn_protocol()); 513} 514 515#[test] 516#[should_panic(expected = "blammo")] 517fn write_panic() { 518 struct ExplodingStream(TcpStream); 519 520 impl Read for ExplodingStream { 521 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { 522 self.0.read(buf) 523 } 524 } 525 526 impl Write for ExplodingStream { 527 fn write(&mut self, _: &[u8]) -> io::Result<usize> { 528 panic!("blammo"); 529 } 530 531 fn flush(&mut self) -> io::Result<()> { 532 self.0.flush() 533 } 534 } 535 536 let mut server = Server::builder(); 537 server.should_error(); 538 let server = server.build(); 539 540 let stream = ExplodingStream(server.connect_tcp()); 541 542 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 543 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); 544} 545 546#[test] 547#[should_panic(expected = "blammo")] 548fn read_panic() { 549 struct ExplodingStream(TcpStream); 550 551 impl Read for ExplodingStream { 552 fn read(&mut self, _: &mut [u8]) -> io::Result<usize> { 553 panic!("blammo"); 554 } 555 } 556 557 impl Write for ExplodingStream { 558 fn write(&mut self, buf: &[u8]) -> io::Result<usize> { 559 self.0.write(buf) 560 } 561 562 fn flush(&mut self) -> io::Result<()> { 563 self.0.flush() 564 } 565 } 566 567 let mut server = Server::builder(); 568 server.should_error(); 569 let server = server.build(); 570 571 let stream = ExplodingStream(server.connect_tcp()); 572 573 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 574 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); 575} 576 577#[test] 578#[cfg_attr(all(libressl321, not(libressl340)), ignore)] 579#[should_panic(expected = "blammo")] 580fn flush_panic() { 581 struct ExplodingStream(TcpStream); 582 583 impl Read for ExplodingStream { 584 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { 585 self.0.read(buf) 586 } 587 } 588 589 impl Write for ExplodingStream { 590 fn write(&mut self, buf: &[u8]) -> io::Result<usize> { 591 self.0.write(buf) 592 } 593 594 fn flush(&mut self) -> io::Result<()> { 595 panic!("blammo"); 596 } 597 } 598 599 let mut server = Server::builder(); 600 server.should_error(); 601 let server = server.build(); 602 603 let stream = ExplodingStream(server.connect_tcp()); 604 605 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 606 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); 607} 608 609#[test] 610fn refcount_ssl_context() { 611 let mut ssl = { 612 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 613 ssl::Ssl::new(&ctx.build()).unwrap() 614 }; 615 616 { 617 let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build(); 618 ssl.set_ssl_context(&new_ctx_a).unwrap(); 619 } 620} 621 622#[test] 623#[cfg_attr(libressl250, ignore)] 624#[cfg_attr(target_os = "windows", ignore)] 625#[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)] 626fn default_verify_paths() { 627 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 628 ctx.set_default_verify_paths().unwrap(); 629 ctx.set_verify(SslVerifyMode::PEER); 630 let ctx = ctx.build(); 631 let s = match TcpStream::connect("google.com:443") { 632 Ok(s) => s, 633 Err(_) => return, 634 }; 635 let mut ssl = Ssl::new(&ctx).unwrap(); 636 ssl.set_hostname("google.com").unwrap(); 637 let mut socket = ssl.connect(s).unwrap(); 638 639 socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); 640 let mut result = vec![]; 641 socket.read_to_end(&mut result).unwrap(); 642 643 println!("{}", String::from_utf8_lossy(&result)); 644 assert!(result.starts_with(b"HTTP/1.0")); 645 assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>")); 646} 647 648#[test] 649fn add_extra_chain_cert() { 650 let cert = X509::from_pem(CERT).unwrap(); 651 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 652 ctx.add_extra_chain_cert(cert).unwrap(); 653} 654 655#[test] 656#[cfg(ossl102)] 657fn verify_valid_hostname() { 658 let server = Server::builder().build(); 659 660 let mut client = server.client(); 661 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 662 client.ctx().set_verify(SslVerifyMode::PEER); 663 664 let mut client = client.build().builder(); 665 client 666 .ssl() 667 .param_mut() 668 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); 669 client.ssl().param_mut().set_host("foobar.com").unwrap(); 670 client.connect(); 671} 672 673#[test] 674#[cfg(ossl102)] 675fn verify_invalid_hostname() { 676 let mut server = Server::builder(); 677 server.should_error(); 678 let server = server.build(); 679 680 let mut client = server.client(); 681 client.ctx().set_ca_file("test/root-ca.pem").unwrap(); 682 client.ctx().set_verify(SslVerifyMode::PEER); 683 684 let mut client = client.build().builder(); 685 client 686 .ssl() 687 .param_mut() 688 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); 689 client.ssl().param_mut().set_host("bogus.com").unwrap(); 690 client.connect_err(); 691} 692 693#[test] 694fn connector_valid_hostname() { 695 let server = Server::builder().build(); 696 697 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 698 connector.set_ca_file("test/root-ca.pem").unwrap(); 699 700 let s = server.connect_tcp(); 701 let mut s = connector.build().connect("foobar.com", s).unwrap(); 702 s.read_exact(&mut [0]).unwrap(); 703} 704 705#[test] 706fn connector_invalid_hostname() { 707 let mut server = Server::builder(); 708 server.should_error(); 709 let server = server.build(); 710 711 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 712 connector.set_ca_file("test/root-ca.pem").unwrap(); 713 714 let s = server.connect_tcp(); 715 connector.build().connect("bogus.com", s).unwrap_err(); 716} 717 718#[test] 719fn connector_invalid_no_hostname_verification() { 720 let server = Server::builder().build(); 721 722 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 723 connector.set_ca_file("test/root-ca.pem").unwrap(); 724 725 let s = server.connect_tcp(); 726 let mut s = connector 727 .build() 728 .configure() 729 .unwrap() 730 .verify_hostname(false) 731 .connect("bogus.com", s) 732 .unwrap(); 733 s.read_exact(&mut [0]).unwrap(); 734} 735 736#[test] 737fn connector_no_hostname_still_verifies() { 738 let mut server = Server::builder(); 739 server.should_error(); 740 let server = server.build(); 741 742 let connector = SslConnector::builder(SslMethod::tls()).unwrap().build(); 743 744 let s = server.connect_tcp(); 745 assert!(connector 746 .configure() 747 .unwrap() 748 .verify_hostname(false) 749 .connect("fizzbuzz.com", s) 750 .is_err()); 751} 752 753#[test] 754fn connector_can_disable_verify() { 755 let server = Server::builder().build(); 756 757 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 758 connector.set_verify(SslVerifyMode::NONE); 759 let connector = connector.build(); 760 761 let s = server.connect_tcp(); 762 let mut s = connector 763 .configure() 764 .unwrap() 765 .connect("fizzbuzz.com", s) 766 .unwrap(); 767 s.read_exact(&mut [0]).unwrap(); 768} 769 770#[test] 771fn connector_does_use_sni_with_dnsnames() { 772 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 773 774 let mut builder = Server::builder(); 775 builder.ctx().set_servername_callback(|ssl, _| { 776 assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com")); 777 CALLED_BACK.store(true, Ordering::SeqCst); 778 Ok(()) 779 }); 780 let server = builder.build(); 781 782 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 783 connector.set_ca_file("test/root-ca.pem").unwrap(); 784 785 let s = server.connect_tcp(); 786 let mut s = connector 787 .build() 788 .configure() 789 .unwrap() 790 .connect("foobar.com", s) 791 .unwrap(); 792 s.read_exact(&mut [0]).unwrap(); 793 794 assert!(CALLED_BACK.load(Ordering::SeqCst)); 795} 796 797#[test] 798fn connector_doesnt_use_sni_with_ips() { 799 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 800 801 let mut builder = Server::builder(); 802 builder.ctx().set_servername_callback(|ssl, _| { 803 assert_eq!(ssl.servername(NameType::HOST_NAME), None); 804 CALLED_BACK.store(true, Ordering::SeqCst); 805 Ok(()) 806 }); 807 let server = builder.build(); 808 809 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 810 // The server's cert isn't issued for 127.0.0.1 but we don't care for this test. 811 connector.set_verify(SslVerifyMode::NONE); 812 813 let s = server.connect_tcp(); 814 let mut s = connector 815 .build() 816 .configure() 817 .unwrap() 818 .connect("127.0.0.1", s) 819 .unwrap(); 820 s.read_exact(&mut [0]).unwrap(); 821 822 assert!(CALLED_BACK.load(Ordering::SeqCst)); 823} 824 825fn test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>) { 826 let listener = TcpListener::bind("127.0.0.1:0").unwrap(); 827 let port = listener.local_addr().unwrap().port(); 828 829 let t = thread::spawn(move || { 830 let key = PKey::private_key_from_pem(KEY).unwrap(); 831 let cert = X509::from_pem(CERT).unwrap(); 832 let mut acceptor = new(SslMethod::tls()).unwrap(); 833 acceptor.set_private_key(&key).unwrap(); 834 acceptor.set_certificate(&cert).unwrap(); 835 let acceptor = acceptor.build(); 836 let stream = listener.accept().unwrap().0; 837 let mut stream = acceptor.accept(stream).unwrap(); 838 839 stream.write_all(b"hello").unwrap(); 840 }); 841 842 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); 843 connector.set_ca_file("test/root-ca.pem").unwrap(); 844 let connector = connector.build(); 845 846 let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); 847 let mut stream = connector.connect("foobar.com", stream).unwrap(); 848 849 let mut buf = [0; 5]; 850 stream.read_exact(&mut buf).unwrap(); 851 assert_eq!(b"hello", &buf); 852 853 t.join().unwrap(); 854} 855 856#[test] 857fn connector_client_server_mozilla_intermediate() { 858 test_mozilla_server(SslAcceptor::mozilla_intermediate); 859} 860 861#[test] 862fn connector_client_server_mozilla_modern() { 863 test_mozilla_server(SslAcceptor::mozilla_modern); 864} 865 866#[test] 867fn connector_client_server_mozilla_intermediate_v5() { 868 test_mozilla_server(SslAcceptor::mozilla_intermediate_v5); 869} 870 871#[test] 872#[cfg(any(ossl111, libressl340))] 873fn connector_client_server_mozilla_modern_v5() { 874 test_mozilla_server(SslAcceptor::mozilla_modern_v5); 875} 876 877#[test] 878fn shutdown() { 879 let mut server = Server::builder(); 880 server.io_cb(|mut s| { 881 assert_eq!(s.read(&mut [0]).unwrap(), 0); 882 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received); 883 }); 884 let server = server.build(); 885 886 let mut s = server.client().connect(); 887 888 assert_eq!(s.get_shutdown(), ShutdownState::empty()); 889 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Sent); 890 assert_eq!(s.get_shutdown(), ShutdownState::SENT); 891 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received); 892 assert_eq!( 893 s.get_shutdown(), 894 ShutdownState::SENT | ShutdownState::RECEIVED 895 ); 896} 897 898#[test] 899fn client_ca_list() { 900 let names = X509Name::load_client_ca_file("test/root-ca.pem").unwrap(); 901 assert_eq!(names.len(), 1); 902 903 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 904 ctx.set_client_ca_list(names); 905} 906 907#[test] 908fn cert_store() { 909 let server = Server::builder().build(); 910 911 let mut client = server.client(); 912 let cert = X509::from_pem(ROOT_CERT).unwrap(); 913 client.ctx().cert_store_mut().add_cert(cert).unwrap(); 914 client.ctx().set_verify(SslVerifyMode::PEER); 915 916 client.connect(); 917} 918 919#[test] 920#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)] 921fn tmp_dh_callback() { 922 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 923 924 let mut server = Server::builder(); 925 server.ctx().set_tmp_dh_callback(|_, _, _| { 926 CALLED_BACK.store(true, Ordering::SeqCst); 927 let dh = include_bytes!("../../../test/dhparams.pem"); 928 Dh::params_from_pem(dh) 929 }); 930 931 let server = server.build(); 932 933 let mut client = server.client(); 934 // TLS 1.3 has no DH suites, so make sure we don't pick that version 935 #[cfg(any(ossl111, libressl340))] 936 client.ctx().set_options(super::SslOptions::NO_TLSV1_3); 937 client.ctx().set_cipher_list("EDH").unwrap(); 938 client.connect(); 939 940 assert!(CALLED_BACK.load(Ordering::SeqCst)); 941} 942 943#[test] 944#[cfg(all(ossl101, not(ossl110)))] 945#[allow(deprecated)] 946fn tmp_ecdh_callback() { 947 use crate::ec::EcKey; 948 use crate::nid::Nid; 949 950 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 951 952 let mut server = Server::builder(); 953 server.ctx().set_tmp_ecdh_callback(|_, _, _| { 954 CALLED_BACK.store(true, Ordering::SeqCst); 955 EcKey::from_curve_name(Nid::X9_62_PRIME256V1) 956 }); 957 958 let server = server.build(); 959 960 let mut client = server.client(); 961 client.ctx().set_cipher_list("ECDH").unwrap(); 962 client.connect(); 963 964 assert!(CALLED_BACK.load(Ordering::SeqCst)); 965} 966 967#[test] 968#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)] 969fn tmp_dh_callback_ssl() { 970 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 971 972 let mut server = Server::builder(); 973 server.ssl_cb(|ssl| { 974 ssl.set_tmp_dh_callback(|_, _, _| { 975 CALLED_BACK.store(true, Ordering::SeqCst); 976 let dh = include_bytes!("../../../test/dhparams.pem"); 977 Dh::params_from_pem(dh) 978 }); 979 }); 980 981 let server = server.build(); 982 983 let mut client = server.client(); 984 // TLS 1.3 has no DH suites, so make sure we don't pick that version 985 #[cfg(any(ossl111, libressl340))] 986 client.ctx().set_options(super::SslOptions::NO_TLSV1_3); 987 client.ctx().set_cipher_list("EDH").unwrap(); 988 client.connect(); 989 990 assert!(CALLED_BACK.load(Ordering::SeqCst)); 991} 992 993#[test] 994#[cfg(all(ossl101, not(ossl110)))] 995#[allow(deprecated)] 996fn tmp_ecdh_callback_ssl() { 997 use crate::ec::EcKey; 998 use crate::nid::Nid; 999 1000 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 1001 1002 let mut server = Server::builder(); 1003 server.ssl_cb(|ssl| { 1004 ssl.set_tmp_ecdh_callback(|_, _, _| { 1005 CALLED_BACK.store(true, Ordering::SeqCst); 1006 EcKey::from_curve_name(Nid::X9_62_PRIME256V1) 1007 }); 1008 }); 1009 1010 let server = server.build(); 1011 1012 let mut client = server.client(); 1013 client.ctx().set_cipher_list("ECDH").unwrap(); 1014 client.connect(); 1015 1016 assert!(CALLED_BACK.load(Ordering::SeqCst)); 1017} 1018 1019#[test] 1020fn idle_session() { 1021 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); 1022 let ssl = Ssl::new(&ctx).unwrap(); 1023 assert!(ssl.session().is_none()); 1024} 1025 1026/// possible LibreSSL bug since 3.2.1 1027#[test] 1028#[cfg_attr(libressl321, ignore)] 1029fn active_session() { 1030 let server = Server::builder().build(); 1031 1032 let s = server.client().connect(); 1033 1034 let session = s.ssl().session().unwrap(); 1035 let len = session.master_key_len(); 1036 let mut buf = vec![0; len - 1]; 1037 let copied = session.master_key(&mut buf); 1038 assert_eq!(copied, buf.len()); 1039 let mut buf = vec![0; len + 1]; 1040 let copied = session.master_key(&mut buf); 1041 assert_eq!(copied, len); 1042} 1043 1044#[test] 1045#[cfg(not(boringssl))] 1046fn status_callbacks() { 1047 static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false); 1048 static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false); 1049 1050 let mut server = Server::builder(); 1051 server 1052 .ctx() 1053 .set_status_callback(|ssl| { 1054 CALLED_BACK_SERVER.store(true, Ordering::SeqCst); 1055 let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap(); 1056 let response = response.to_der().unwrap(); 1057 ssl.set_ocsp_status(&response).unwrap(); 1058 Ok(true) 1059 }) 1060 .unwrap(); 1061 1062 let server = server.build(); 1063 1064 let mut client = server.client(); 1065 client 1066 .ctx() 1067 .set_status_callback(|ssl| { 1068 CALLED_BACK_CLIENT.store(true, Ordering::SeqCst); 1069 let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap(); 1070 assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED); 1071 Ok(true) 1072 }) 1073 .unwrap(); 1074 1075 let mut client = client.build().builder(); 1076 client.ssl().set_status_type(StatusType::OCSP).unwrap(); 1077 1078 client.connect(); 1079 1080 assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst)); 1081 assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst)); 1082} 1083 1084/// possible LibreSSL bug since 3.2.1 1085#[test] 1086#[cfg_attr(libressl321, ignore)] 1087fn new_session_callback() { 1088 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 1089 1090 let mut server = Server::builder(); 1091 server.ctx().set_session_id_context(b"foo").unwrap(); 1092 1093 let server = server.build(); 1094 1095 let mut client = server.client(); 1096 1097 client 1098 .ctx() 1099 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL); 1100 client 1101 .ctx() 1102 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst)); 1103 1104 client.connect(); 1105 1106 assert!(CALLED_BACK.load(Ordering::SeqCst)); 1107} 1108 1109/// possible LibreSSL bug since 3.2.1 1110#[test] 1111#[cfg_attr(libressl321, ignore)] 1112fn new_session_callback_swapped_ctx() { 1113 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 1114 1115 let mut server = Server::builder(); 1116 server.ctx().set_session_id_context(b"foo").unwrap(); 1117 1118 let server = server.build(); 1119 1120 let mut client = server.client(); 1121 1122 client 1123 .ctx() 1124 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL); 1125 client 1126 .ctx() 1127 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst)); 1128 1129 let mut client = client.build().builder(); 1130 1131 let ctx = SslContextBuilder::new(SslMethod::tls()).unwrap().build(); 1132 client.ssl().set_ssl_context(&ctx).unwrap(); 1133 1134 client.connect(); 1135 1136 assert!(CALLED_BACK.load(Ordering::SeqCst)); 1137} 1138 1139#[test] 1140fn keying_export() { 1141 let listener = TcpListener::bind("127.0.0.1:0").unwrap(); 1142 let addr = listener.local_addr().unwrap(); 1143 1144 let label = "EXPERIMENTAL test"; 1145 let context = b"my context"; 1146 1147 let guard = thread::spawn(move || { 1148 let stream = listener.accept().unwrap().0; 1149 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1150 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) 1151 .unwrap(); 1152 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) 1153 .unwrap(); 1154 let ssl = Ssl::new(&ctx.build()).unwrap(); 1155 let mut stream = ssl.accept(stream).unwrap(); 1156 1157 let mut buf = [0; 32]; 1158 stream 1159 .ssl() 1160 .export_keying_material(&mut buf, label, Some(context)) 1161 .unwrap(); 1162 1163 stream.write_all(&[0]).unwrap(); 1164 1165 buf 1166 }); 1167 1168 let stream = TcpStream::connect(addr).unwrap(); 1169 let ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1170 let ssl = Ssl::new(&ctx.build()).unwrap(); 1171 let mut stream = ssl.connect(stream).unwrap(); 1172 1173 let mut buf = [1; 32]; 1174 stream 1175 .ssl() 1176 .export_keying_material(&mut buf, label, Some(context)) 1177 .unwrap(); 1178 1179 stream.read_exact(&mut [0]).unwrap(); 1180 1181 let buf2 = guard.join().unwrap(); 1182 1183 assert_eq!(buf, buf2); 1184} 1185 1186#[test] 1187#[cfg(any(ossl110, libressl261))] 1188fn no_version_overlap() { 1189 let mut server = Server::builder(); 1190 server.ctx().set_min_proto_version(None).unwrap(); 1191 server 1192 .ctx() 1193 .set_max_proto_version(Some(SslVersion::TLS1_1)) 1194 .unwrap(); 1195 #[cfg(any(ossl110g, libressl270))] 1196 assert_eq!(server.ctx().max_proto_version(), Some(SslVersion::TLS1_1)); 1197 server.should_error(); 1198 let server = server.build(); 1199 1200 let mut client = server.client(); 1201 client 1202 .ctx() 1203 .set_min_proto_version(Some(SslVersion::TLS1_2)) 1204 .unwrap(); 1205 #[cfg(ossl110g)] 1206 assert_eq!(client.ctx().min_proto_version(), Some(SslVersion::TLS1_2)); 1207 client.ctx().set_max_proto_version(None).unwrap(); 1208 1209 client.connect_err(); 1210} 1211 1212#[test] 1213#[cfg(ossl111)] 1214fn custom_extensions() { 1215 static FOUND_EXTENSION: AtomicBool = AtomicBool::new(false); 1216 1217 let mut server = Server::builder(); 1218 server 1219 .ctx() 1220 .add_custom_ext( 1221 12345, 1222 ExtensionContext::CLIENT_HELLO, 1223 |_, _, _| -> Result<Option<&'static [u8]>, _> { unreachable!() }, 1224 |_, _, data, _| { 1225 FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst); 1226 Ok(()) 1227 }, 1228 ) 1229 .unwrap(); 1230 1231 let server = server.build(); 1232 1233 let mut client = server.client(); 1234 client 1235 .ctx() 1236 .add_custom_ext( 1237 12345, 1238 ssl::ExtensionContext::CLIENT_HELLO, 1239 |_, _, _| Ok(Some(b"hello")), 1240 |_, _, _, _| unreachable!(), 1241 ) 1242 .unwrap(); 1243 1244 client.connect(); 1245 1246 assert!(FOUND_EXTENSION.load(Ordering::SeqCst)); 1247} 1248 1249fn _check_kinds() { 1250 fn is_send<T: Send>() {} 1251 fn is_sync<T: Sync>() {} 1252 1253 is_send::<SslStream<TcpStream>>(); 1254 is_sync::<SslStream<TcpStream>>(); 1255} 1256 1257#[test] 1258#[cfg(ossl111)] 1259fn stateless() { 1260 use super::SslOptions; 1261 1262 #[derive(Debug)] 1263 struct MemoryStream { 1264 incoming: io::Cursor<Vec<u8>>, 1265 outgoing: Vec<u8>, 1266 } 1267 1268 impl MemoryStream { 1269 pub fn new() -> Self { 1270 Self { 1271 incoming: io::Cursor::new(Vec::new()), 1272 outgoing: Vec::new(), 1273 } 1274 } 1275 1276 pub fn extend_incoming(&mut self, data: &[u8]) { 1277 self.incoming.get_mut().extend_from_slice(data); 1278 } 1279 1280 pub fn take_outgoing(&mut self) -> Outgoing<'_> { 1281 Outgoing(&mut self.outgoing) 1282 } 1283 } 1284 1285 impl Read for MemoryStream { 1286 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { 1287 let n = self.incoming.read(buf)?; 1288 if self.incoming.position() == self.incoming.get_ref().len() as u64 { 1289 self.incoming.set_position(0); 1290 self.incoming.get_mut().clear(); 1291 } 1292 if n == 0 { 1293 return Err(io::Error::new( 1294 io::ErrorKind::WouldBlock, 1295 "no data available", 1296 )); 1297 } 1298 Ok(n) 1299 } 1300 } 1301 1302 impl Write for MemoryStream { 1303 fn write(&mut self, buf: &[u8]) -> io::Result<usize> { 1304 self.outgoing.write(buf) 1305 } 1306 1307 fn flush(&mut self) -> io::Result<()> { 1308 Ok(()) 1309 } 1310 } 1311 1312 pub struct Outgoing<'a>(&'a mut Vec<u8>); 1313 1314 impl<'a> Drop for Outgoing<'a> { 1315 fn drop(&mut self) { 1316 self.0.clear(); 1317 } 1318 } 1319 1320 impl<'a> ::std::ops::Deref for Outgoing<'a> { 1321 type Target = [u8]; 1322 fn deref(&self) -> &[u8] { 1323 self.0 1324 } 1325 } 1326 1327 impl<'a> AsRef<[u8]> for Outgoing<'a> { 1328 fn as_ref(&self) -> &[u8] { 1329 self.0 1330 } 1331 } 1332 1333 fn send(from: &mut MemoryStream, to: &mut MemoryStream) { 1334 to.extend_incoming(&from.take_outgoing()); 1335 } 1336 1337 // 1338 // Setup 1339 // 1340 1341 let mut client_ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1342 client_ctx.clear_options(SslOptions::ENABLE_MIDDLEBOX_COMPAT); 1343 let mut client_stream = 1344 SslStream::new(Ssl::new(&client_ctx.build()).unwrap(), MemoryStream::new()).unwrap(); 1345 1346 let mut server_ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1347 server_ctx 1348 .set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) 1349 .unwrap(); 1350 server_ctx 1351 .set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) 1352 .unwrap(); 1353 const COOKIE: &[u8] = b"chocolate chip"; 1354 server_ctx.set_stateless_cookie_generate_cb(|_tls, buf| { 1355 buf[0..COOKIE.len()].copy_from_slice(COOKIE); 1356 Ok(COOKIE.len()) 1357 }); 1358 server_ctx.set_stateless_cookie_verify_cb(|_tls, buf| buf == COOKIE); 1359 let mut server_stream = 1360 SslStream::new(Ssl::new(&server_ctx.build()).unwrap(), MemoryStream::new()).unwrap(); 1361 1362 // 1363 // Handshake 1364 // 1365 1366 // Initial ClientHello 1367 client_stream.connect().unwrap_err(); 1368 send(client_stream.get_mut(), server_stream.get_mut()); 1369 // HelloRetryRequest 1370 assert!(!server_stream.stateless().unwrap()); 1371 send(server_stream.get_mut(), client_stream.get_mut()); 1372 // Second ClientHello 1373 client_stream.do_handshake().unwrap_err(); 1374 send(client_stream.get_mut(), server_stream.get_mut()); 1375 // OldServerHello 1376 assert!(server_stream.stateless().unwrap()); 1377 server_stream.accept().unwrap_err(); 1378 send(server_stream.get_mut(), client_stream.get_mut()); 1379 // Finished 1380 client_stream.do_handshake().unwrap(); 1381 send(client_stream.get_mut(), server_stream.get_mut()); 1382 server_stream.do_handshake().unwrap(); 1383} 1384 1385#[cfg(not(osslconf = "OPENSSL_NO_PSK"))] 1386#[test] 1387fn psk_ciphers() { 1388 const CIPHER: &str = "PSK-AES256-CBC-SHA"; 1389 const PSK: &[u8] = b"thisisaverysecurekey"; 1390 const CLIENT_IDENT: &[u8] = b"thisisaclient"; 1391 static CLIENT_CALLED: AtomicBool = AtomicBool::new(false); 1392 static SERVER_CALLED: AtomicBool = AtomicBool::new(false); 1393 1394 let mut server = Server::builder(); 1395 server.ctx().set_cipher_list(CIPHER).unwrap(); 1396 server.ctx().set_psk_server_callback(|_, identity, psk| { 1397 assert!(identity.unwrap_or(&[]) == CLIENT_IDENT); 1398 psk[..PSK.len()].copy_from_slice(PSK); 1399 SERVER_CALLED.store(true, Ordering::SeqCst); 1400 Ok(PSK.len()) 1401 }); 1402 1403 let server = server.build(); 1404 1405 let mut client = server.client(); 1406 // This test relies on TLS 1.2 suites 1407 #[cfg(any(boringssl, ossl111))] 1408 client.ctx().set_options(super::SslOptions::NO_TLSV1_3); 1409 client.ctx().set_cipher_list(CIPHER).unwrap(); 1410 client 1411 .ctx() 1412 .set_psk_client_callback(move |_, _, identity, psk| { 1413 identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT); 1414 identity[CLIENT_IDENT.len()] = 0; 1415 psk[..PSK.len()].copy_from_slice(PSK); 1416 CLIENT_CALLED.store(true, Ordering::SeqCst); 1417 Ok(PSK.len()) 1418 }); 1419 1420 client.connect(); 1421 1422 assert!(SERVER_CALLED.load(Ordering::SeqCst)); 1423 assert!(CLIENT_CALLED.load(Ordering::SeqCst)); 1424} 1425 1426#[test] 1427fn sni_callback_swapped_ctx() { 1428 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 1429 1430 let mut server = Server::builder(); 1431 1432 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1433 ctx.set_servername_callback(|_, _| { 1434 CALLED_BACK.store(true, Ordering::SeqCst); 1435 Ok(()) 1436 }); 1437 1438 let keyed_ctx = mem::replace(server.ctx(), ctx).build(); 1439 server.ssl_cb(move |ssl| ssl.set_ssl_context(&keyed_ctx).unwrap()); 1440 1441 let server = server.build(); 1442 1443 server.client().connect(); 1444 1445 assert!(CALLED_BACK.load(Ordering::SeqCst)); 1446} 1447 1448#[test] 1449#[cfg(ossl111)] 1450fn client_hello() { 1451 static CALLED_BACK: AtomicBool = AtomicBool::new(false); 1452 1453 let mut server = Server::builder(); 1454 server.ctx().set_client_hello_callback(|ssl, _| { 1455 assert!(!ssl.client_hello_isv2()); 1456 assert_eq!(ssl.client_hello_legacy_version(), Some(SslVersion::TLS1_2)); 1457 assert!(ssl.client_hello_random().is_some()); 1458 assert!(ssl.client_hello_session_id().is_some()); 1459 assert!(ssl.client_hello_ciphers().is_some()); 1460 assert!(ssl.client_hello_compression_methods().is_some()); 1461 assert!(ssl 1462 .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2()) 1463 .is_ok()); 1464 1465 CALLED_BACK.store(true, Ordering::SeqCst); 1466 Ok(ClientHelloResponse::SUCCESS) 1467 }); 1468 1469 let server = server.build(); 1470 server.client().connect(); 1471 1472 assert!(CALLED_BACK.load(Ordering::SeqCst)); 1473} 1474 1475#[test] 1476#[cfg(ossl111)] 1477fn openssl_cipher_name() { 1478 assert_eq!( 1479 super::cipher_name("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"), 1480 "ECDHE-RSA-AES256-SHA384", 1481 ); 1482 1483 assert_eq!(super::cipher_name("asdf"), "(NONE)"); 1484} 1485 1486#[test] 1487fn session_cache_size() { 1488 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); 1489 ctx.set_session_cache_size(1234); 1490 let ctx = ctx.build(); 1491 assert_eq!(ctx.session_cache_size(), 1234); 1492} 1493 1494#[test] 1495#[cfg(ossl102)] 1496fn add_chain_cert() { 1497 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); 1498 let cert = X509::from_pem(CERT).unwrap(); 1499 let mut ssl = Ssl::new(&ctx).unwrap(); 1500 assert!(ssl.add_chain_cert(cert).is_ok()); 1501} 1502#[test] 1503#[cfg(ossl111)] 1504fn set_ssl_certificate_key_related_api() { 1505 let cert_str: &str = include_str!("../../../test/cert.pem"); 1506 let key_str: &str = include_str!("../../../test/key.pem"); 1507 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); 1508 let cert_x509 = X509::from_pem(CERT).unwrap(); 1509 let mut ssl = Ssl::new(&ctx).unwrap(); 1510 assert!(ssl.set_method(SslMethod::tls()).is_ok()); 1511 ssl.set_private_key_file("test/key.pem", SslFiletype::PEM) 1512 .unwrap(); 1513 { 1514 let pkey = String::from_utf8( 1515 ssl.private_key() 1516 .unwrap() 1517 .private_key_to_pem_pkcs8() 1518 .unwrap(), 1519 ) 1520 .unwrap(); 1521 assert!(pkey.lines().eq(key_str.lines())); 1522 } 1523 let pkey = PKey::private_key_from_pem(KEY).unwrap(); 1524 ssl.set_private_key(pkey.as_ref()).unwrap(); 1525 { 1526 let pkey = String::from_utf8( 1527 ssl.private_key() 1528 .unwrap() 1529 .private_key_to_pem_pkcs8() 1530 .unwrap(), 1531 ) 1532 .unwrap(); 1533 assert!(pkey.lines().eq(key_str.lines())); 1534 } 1535 ssl.set_certificate(cert_x509.as_ref()).unwrap(); 1536 let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap(); 1537 assert!(cert.lines().eq(cert_str.lines())); 1538 ssl.add_client_ca(cert_x509.as_ref()).unwrap(); 1539 ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap(); 1540 ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap(); 1541 ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap(); 1542 ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap(); 1543 let x509 = X509::from_pem(ROOT_CERT).unwrap(); 1544 let mut builder = X509StoreBuilder::new().unwrap(); 1545 builder.add_cert(x509).unwrap(); 1546 let store = builder.build(); 1547 ssl.set_verify_cert_store(store).unwrap(); 1548} 1549 1550#[test] 1551#[cfg(ossl110)] 1552fn test_ssl_set_cert_chain_file() { 1553 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build(); 1554 let mut ssl = Ssl::new(&ctx).unwrap(); 1555 ssl.set_certificate_chain_file("test/cert.pem").unwrap(); 1556} 1557 1558#[test] 1559#[cfg(ossl111)] 1560fn set_num_tickets() { 1561 let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap(); 1562 ctx.set_num_tickets(3).unwrap(); 1563 let ctx = ctx.build(); 1564 assert_eq!(3, ctx.num_tickets()); 1565 1566 let mut ssl = Ssl::new(&ctx).unwrap(); 1567 ssl.set_num_tickets(5).unwrap(); 1568 let ssl = ssl; 1569 assert_eq!(5, ssl.num_tickets()); 1570} 1571