1 #![allow(unused_imports)]
2
3 use std::env;
4 use std::fs::File;
5 use std::io::prelude::*;
6 use std::io::{self, BufReader};
7 use std::iter;
8 use std::mem;
9 use std::net::UdpSocket;
10 use std::net::{SocketAddr, TcpListener, TcpStream};
11 use std::path::Path;
12 use std::process::{Child, ChildStdin, Command, Stdio};
13 use std::sync::atomic::{AtomicBool, Ordering};
14 use std::thread;
15 use std::time::Duration;
16
17 use crate::dh::Dh;
18 use crate::error::ErrorStack;
19 use crate::hash::MessageDigest;
20 #[cfg(not(boringssl))]
21 use crate::ocsp::{OcspResponse, OcspResponseStatus};
22 use crate::pkey::PKey;
23 use crate::srtp::SrtpProfileId;
24 use crate::ssl::test::server::Server;
25 #[cfg(any(ossl110, ossl111, libressl261))]
26 use crate::ssl::SslVersion;
27 use crate::ssl::{self, NameType, SslConnectorBuilder};
28 #[cfg(ossl111)]
29 use crate::ssl::{ClientHelloResponse, ExtensionContext};
30 use crate::ssl::{
31 Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor,
32 SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod,
33 SslOptions, SslSessionCacheMode, SslStream, SslVerifyMode, StatusType,
34 };
35 #[cfg(ossl102)]
36 use crate::x509::store::X509StoreBuilder;
37 #[cfg(ossl102)]
38 use crate::x509::verify::X509CheckFlags;
39 use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509};
40
41 mod server;
42
43 static ROOT_CERT: &[u8] = include_bytes!("../../../test/root-ca.pem");
44 static CERT: &[u8] = include_bytes!("../../../test/cert.pem");
45 static KEY: &[u8] = include_bytes!("../../../test/key.pem");
46
47 #[test]
verify_untrusted()48 fn verify_untrusted() {
49 let mut server = Server::builder();
50 server.should_error();
51 let server = server.build();
52
53 let mut client = server.client();
54 client.ctx().set_verify(SslVerifyMode::PEER);
55
56 client.connect_err();
57 }
58
59 #[test]
verify_trusted()60 fn verify_trusted() {
61 let server = Server::builder().build();
62
63 let mut client = server.client();
64 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
65
66 client.connect();
67 }
68
69 #[test]
70 #[cfg(ossl102)]
verify_trusted_with_set_cert()71 fn verify_trusted_with_set_cert() {
72 let server = Server::builder().build();
73
74 let mut store = X509StoreBuilder::new().unwrap();
75 let x509 = X509::from_pem(ROOT_CERT).unwrap();
76 store.add_cert(x509).unwrap();
77
78 let mut client = server.client();
79 client.ctx().set_verify(SslVerifyMode::PEER);
80 client.ctx().set_verify_cert_store(store.build()).unwrap();
81
82 client.connect();
83 }
84
85 #[test]
verify_untrusted_callback_override_ok()86 fn verify_untrusted_callback_override_ok() {
87 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
88
89 let server = Server::builder().build();
90
91 let mut client = server.client();
92 client
93 .ctx()
94 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
95 CALLED_BACK.store(true, Ordering::SeqCst);
96 assert!(x509.current_cert().is_some());
97 true
98 });
99
100 client.connect();
101 assert!(CALLED_BACK.load(Ordering::SeqCst));
102 }
103
104 #[test]
verify_untrusted_callback_override_bad()105 fn verify_untrusted_callback_override_bad() {
106 let mut server = Server::builder();
107 server.should_error();
108 let server = server.build();
109
110 let mut client = server.client();
111 client
112 .ctx()
113 .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
114
115 client.connect_err();
116 }
117
118 #[test]
verify_trusted_callback_override_ok()119 fn verify_trusted_callback_override_ok() {
120 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
121
122 let server = Server::builder().build();
123
124 let mut client = server.client();
125 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
126 client
127 .ctx()
128 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
129 CALLED_BACK.store(true, Ordering::SeqCst);
130 assert!(x509.current_cert().is_some());
131 true
132 });
133
134 client.connect();
135 assert!(CALLED_BACK.load(Ordering::SeqCst));
136 }
137
138 #[test]
verify_trusted_callback_override_bad()139 fn verify_trusted_callback_override_bad() {
140 let mut server = Server::builder();
141 server.should_error();
142 let server = server.build();
143
144 let mut client = server.client();
145 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
146 client
147 .ctx()
148 .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
149
150 client.connect_err();
151 }
152
153 #[test]
verify_callback_load_certs()154 fn verify_callback_load_certs() {
155 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
156
157 let server = Server::builder().build();
158
159 let mut client = server.client();
160 client
161 .ctx()
162 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
163 CALLED_BACK.store(true, Ordering::SeqCst);
164 assert!(x509.current_cert().is_some());
165 true
166 });
167
168 client.connect();
169 assert!(CALLED_BACK.load(Ordering::SeqCst));
170 }
171
172 #[test]
verify_trusted_get_error_ok()173 fn verify_trusted_get_error_ok() {
174 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
175
176 let server = Server::builder().build();
177
178 let mut client = server.client();
179 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
180 client
181 .ctx()
182 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
183 CALLED_BACK.store(true, Ordering::SeqCst);
184 assert_eq!(x509.error(), X509VerifyResult::OK);
185 true
186 });
187
188 client.connect();
189 assert!(CALLED_BACK.load(Ordering::SeqCst));
190 }
191
192 #[test]
verify_trusted_get_error_err()193 fn verify_trusted_get_error_err() {
194 let mut server = Server::builder();
195 server.should_error();
196 let server = server.build();
197
198 let mut client = server.client();
199 client
200 .ctx()
201 .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
202 assert_ne!(x509.error(), X509VerifyResult::OK);
203 false
204 });
205
206 client.connect_err();
207 }
208
209 #[test]
verify_callback()210 fn verify_callback() {
211 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
212
213 let server = Server::builder().build();
214
215 let mut client = server.client();
216 let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
217 client
218 .ctx()
219 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
220 CALLED_BACK.store(true, Ordering::SeqCst);
221 let cert = x509.current_cert().unwrap();
222 let digest = cert.digest(MessageDigest::sha1()).unwrap();
223 assert_eq!(hex::encode(digest), expected);
224 true
225 });
226
227 client.connect();
228 assert!(CALLED_BACK.load(Ordering::SeqCst));
229 }
230
231 #[test]
ssl_verify_callback()232 fn ssl_verify_callback() {
233 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
234
235 let server = Server::builder().build();
236
237 let mut client = server.client().build().builder();
238 let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
239 client
240 .ssl()
241 .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
242 CALLED_BACK.store(true, Ordering::SeqCst);
243 let cert = x509.current_cert().unwrap();
244 let digest = cert.digest(MessageDigest::sha1()).unwrap();
245 assert_eq!(hex::encode(digest), expected);
246 true
247 });
248
249 client.connect();
250 assert!(CALLED_BACK.load(Ordering::SeqCst));
251 }
252
253 #[test]
get_ctx_options()254 fn get_ctx_options() {
255 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
256 ctx.options();
257 }
258
259 #[test]
set_ctx_options()260 fn set_ctx_options() {
261 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
262 let opts = ctx.set_options(SslOptions::NO_TICKET);
263 assert!(opts.contains(SslOptions::NO_TICKET));
264 }
265
266 #[test]
267 #[cfg(not(boringssl))]
clear_ctx_options()268 fn clear_ctx_options() {
269 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
270 ctx.set_options(SslOptions::ALL);
271 let opts = ctx.clear_options(SslOptions::ALL);
272 assert!(!opts.contains(SslOptions::ALL));
273 }
274
275 #[test]
zero_length_buffers()276 fn zero_length_buffers() {
277 let server = Server::builder().build();
278
279 let mut s = server.client().connect();
280 assert_eq!(s.write(&[]).unwrap(), 0);
281 assert_eq!(s.read(&mut []).unwrap(), 0);
282 }
283
284 #[test]
peer_certificate()285 fn peer_certificate() {
286 let server = Server::builder().build();
287
288 let s = server.client().connect();
289 let cert = s.ssl().peer_certificate().unwrap();
290 let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
291 assert_eq!(
292 hex::encode(fingerprint),
293 "59172d9313e84459bcff27f967e79e6e9217e584"
294 );
295 }
296
297 #[test]
pending()298 fn pending() {
299 let mut server = Server::builder();
300 server.io_cb(|mut s| s.write_all(&[0; 10]).unwrap());
301 let server = server.build();
302
303 let mut s = server.client().connect();
304 s.read_exact(&mut [0]).unwrap();
305
306 assert_eq!(s.ssl().pending(), 9);
307 assert_eq!(s.read(&mut [0; 10]).unwrap(), 9);
308 }
309
310 #[test]
state()311 fn state() {
312 let server = Server::builder().build();
313
314 let s = server.client().connect();
315 #[cfg(not(boringssl))]
316 assert_eq!(s.ssl().state_string().trim(), "SSLOK");
317 #[cfg(boringssl)]
318 assert_eq!(s.ssl().state_string(), "!!!!!!");
319 assert_eq!(
320 s.ssl().state_string_long(),
321 "SSL negotiation finished successfully"
322 );
323 }
324
325 /// Tests that when both the client as well as the server use SRTP and their
326 /// lists of supported protocols have an overlap -- with only ONE protocol
327 /// being valid for both.
328 #[test]
test_connect_with_srtp_ctx()329 fn test_connect_with_srtp_ctx() {
330 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
331 let addr = listener.local_addr().unwrap();
332
333 let guard = thread::spawn(move || {
334 let stream = listener.accept().unwrap().0;
335 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
336 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
337 .unwrap();
338 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
339 .unwrap();
340 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
341 .unwrap();
342 let mut ssl = Ssl::new(&ctx.build()).unwrap();
343 ssl.set_mtu(1500).unwrap();
344 let mut stream = ssl.accept(stream).unwrap();
345
346 let mut buf = [0; 60];
347 stream
348 .ssl()
349 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
350 .unwrap();
351
352 stream.write_all(&[0]).unwrap();
353
354 buf
355 });
356
357 let stream = TcpStream::connect(addr).unwrap();
358 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
359 ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
360 .unwrap();
361 let mut ssl = Ssl::new(&ctx.build()).unwrap();
362 ssl.set_mtu(1500).unwrap();
363 let mut stream = ssl.connect(stream).unwrap();
364
365 let mut buf = [1; 60];
366 {
367 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
368 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
369 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
370 }
371 stream
372 .ssl()
373 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
374 .expect("extract");
375
376 stream.read_exact(&mut [0]).unwrap();
377
378 let buf2 = guard.join().unwrap();
379
380 assert_eq!(buf[..], buf2[..]);
381 }
382
383 /// Tests that when both the client as well as the server use SRTP and their
384 /// lists of supported protocols have an overlap -- with only ONE protocol
385 /// being valid for both.
386 #[test]
test_connect_with_srtp_ssl()387 fn test_connect_with_srtp_ssl() {
388 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
389 let addr = listener.local_addr().unwrap();
390
391 let guard = thread::spawn(move || {
392 let stream = listener.accept().unwrap().0;
393 let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
394 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
395 .unwrap();
396 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
397 .unwrap();
398 let mut ssl = Ssl::new(&ctx.build()).unwrap();
399 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
400 .unwrap();
401 let mut profilenames = String::new();
402 for profile in ssl.srtp_profiles().unwrap() {
403 if !profilenames.is_empty() {
404 profilenames.push(':');
405 }
406 profilenames += profile.name();
407 }
408 assert_eq!(
409 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
410 profilenames
411 );
412 ssl.set_mtu(1500).unwrap();
413 let mut stream = ssl.accept(stream).unwrap();
414
415 let mut buf = [0; 60];
416 stream
417 .ssl()
418 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
419 .unwrap();
420
421 stream.write_all(&[0]).unwrap();
422
423 buf
424 });
425
426 let stream = TcpStream::connect(addr).unwrap();
427 let ctx = SslContext::builder(SslMethod::dtls()).unwrap();
428 let mut ssl = Ssl::new(&ctx.build()).unwrap();
429 ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
430 .unwrap();
431 ssl.set_mtu(1500).unwrap();
432 let mut stream = ssl.connect(stream).unwrap();
433
434 let mut buf = [1; 60];
435 {
436 let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
437 assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
438 assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
439 }
440 stream
441 .ssl()
442 .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
443 .expect("extract");
444
445 stream.read_exact(&mut [0]).unwrap();
446
447 let buf2 = guard.join().unwrap();
448
449 assert_eq!(buf[..], buf2[..]);
450 }
451
452 /// Tests that when the `SslStream` is created as a server stream, the protocols
453 /// are correctly advertised to the client.
454 #[test]
455 #[cfg(any(ossl102, libressl261))]
test_alpn_server_advertise_multiple()456 fn test_alpn_server_advertise_multiple() {
457 let mut server = Server::builder();
458 server.ctx().set_alpn_select_callback(|_, client| {
459 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
460 });
461 let server = server.build();
462
463 let mut client = server.client();
464 client.ctx().set_alpn_protos(b"\x08spdy/3.1").unwrap();
465 let s = client.connect();
466 assert_eq!(s.ssl().selected_alpn_protocol(), Some(&b"spdy/3.1"[..]));
467 }
468
469 #[test]
470 #[cfg(ossl110)]
test_alpn_server_select_none_fatal()471 fn test_alpn_server_select_none_fatal() {
472 let mut server = Server::builder();
473 server.ctx().set_alpn_select_callback(|_, client| {
474 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client)
475 .ok_or(ssl::AlpnError::ALERT_FATAL)
476 });
477 server.should_error();
478 let server = server.build();
479
480 let mut client = server.client();
481 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
482 client.connect_err();
483 }
484
485 #[test]
486 #[cfg(any(ossl102, libressl261))]
test_alpn_server_select_none()487 fn test_alpn_server_select_none() {
488 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
489
490 let mut server = Server::builder();
491 server.ctx().set_alpn_select_callback(|_, client| {
492 CALLED_BACK.store(true, Ordering::SeqCst);
493 ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
494 });
495 let server = server.build();
496
497 let mut client = server.client();
498 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
499 let s = client.connect();
500 assert_eq!(None, s.ssl().selected_alpn_protocol());
501 assert!(CALLED_BACK.load(Ordering::SeqCst));
502 }
503
504 #[test]
505 #[cfg(any(ossl102, libressl261))]
test_alpn_server_unilateral()506 fn test_alpn_server_unilateral() {
507 let server = Server::builder().build();
508
509 let mut client = server.client();
510 client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
511 let s = client.connect();
512 assert_eq!(None, s.ssl().selected_alpn_protocol());
513 }
514
515 #[test]
516 #[should_panic(expected = "blammo")]
write_panic()517 fn write_panic() {
518 struct ExplodingStream(TcpStream);
519
520 impl Read for ExplodingStream {
521 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
522 self.0.read(buf)
523 }
524 }
525
526 impl Write for ExplodingStream {
527 fn write(&mut self, _: &[u8]) -> io::Result<usize> {
528 panic!("blammo");
529 }
530
531 fn flush(&mut self) -> io::Result<()> {
532 self.0.flush()
533 }
534 }
535
536 let mut server = Server::builder();
537 server.should_error();
538 let server = server.build();
539
540 let stream = ExplodingStream(server.connect_tcp());
541
542 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
543 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
544 }
545
546 #[test]
547 #[should_panic(expected = "blammo")]
read_panic()548 fn read_panic() {
549 struct ExplodingStream(TcpStream);
550
551 impl Read for ExplodingStream {
552 fn read(&mut self, _: &mut [u8]) -> io::Result<usize> {
553 panic!("blammo");
554 }
555 }
556
557 impl Write for ExplodingStream {
558 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
559 self.0.write(buf)
560 }
561
562 fn flush(&mut self) -> io::Result<()> {
563 self.0.flush()
564 }
565 }
566
567 let mut server = Server::builder();
568 server.should_error();
569 let server = server.build();
570
571 let stream = ExplodingStream(server.connect_tcp());
572
573 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
574 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
575 }
576
577 #[test]
578 #[cfg_attr(all(libressl321, not(libressl340)), ignore)]
579 #[should_panic(expected = "blammo")]
flush_panic()580 fn flush_panic() {
581 struct ExplodingStream(TcpStream);
582
583 impl Read for ExplodingStream {
584 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
585 self.0.read(buf)
586 }
587 }
588
589 impl Write for ExplodingStream {
590 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
591 self.0.write(buf)
592 }
593
594 fn flush(&mut self) -> io::Result<()> {
595 panic!("blammo");
596 }
597 }
598
599 let mut server = Server::builder();
600 server.should_error();
601 let server = server.build();
602
603 let stream = ExplodingStream(server.connect_tcp());
604
605 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
606 let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
607 }
608
609 #[test]
refcount_ssl_context()610 fn refcount_ssl_context() {
611 let mut ssl = {
612 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
613 ssl::Ssl::new(&ctx.build()).unwrap()
614 };
615
616 {
617 let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build();
618 ssl.set_ssl_context(&new_ctx_a).unwrap();
619 }
620 }
621
622 #[test]
623 #[cfg_attr(libressl250, ignore)]
624 #[cfg_attr(target_os = "windows", ignore)]
625 #[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)]
default_verify_paths()626 fn default_verify_paths() {
627 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
628 ctx.set_default_verify_paths().unwrap();
629 ctx.set_verify(SslVerifyMode::PEER);
630 let ctx = ctx.build();
631 let s = match TcpStream::connect("google.com:443") {
632 Ok(s) => s,
633 Err(_) => return,
634 };
635 let mut ssl = Ssl::new(&ctx).unwrap();
636 ssl.set_hostname("google.com").unwrap();
637 let mut socket = ssl.connect(s).unwrap();
638
639 socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
640 let mut result = vec![];
641 socket.read_to_end(&mut result).unwrap();
642
643 println!("{}", String::from_utf8_lossy(&result));
644 assert!(result.starts_with(b"HTTP/1.0"));
645 assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
646 }
647
648 #[test]
add_extra_chain_cert()649 fn add_extra_chain_cert() {
650 let cert = X509::from_pem(CERT).unwrap();
651 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
652 ctx.add_extra_chain_cert(cert).unwrap();
653 }
654
655 #[test]
656 #[cfg(ossl102)]
verify_valid_hostname()657 fn verify_valid_hostname() {
658 let server = Server::builder().build();
659
660 let mut client = server.client();
661 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
662 client.ctx().set_verify(SslVerifyMode::PEER);
663
664 let mut client = client.build().builder();
665 client
666 .ssl()
667 .param_mut()
668 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
669 client.ssl().param_mut().set_host("foobar.com").unwrap();
670 client.connect();
671 }
672
673 #[test]
674 #[cfg(ossl102)]
verify_invalid_hostname()675 fn verify_invalid_hostname() {
676 let mut server = Server::builder();
677 server.should_error();
678 let server = server.build();
679
680 let mut client = server.client();
681 client.ctx().set_ca_file("test/root-ca.pem").unwrap();
682 client.ctx().set_verify(SslVerifyMode::PEER);
683
684 let mut client = client.build().builder();
685 client
686 .ssl()
687 .param_mut()
688 .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
689 client.ssl().param_mut().set_host("bogus.com").unwrap();
690 client.connect_err();
691 }
692
693 #[test]
connector_valid_hostname()694 fn connector_valid_hostname() {
695 let server = Server::builder().build();
696
697 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
698 connector.set_ca_file("test/root-ca.pem").unwrap();
699
700 let s = server.connect_tcp();
701 let mut s = connector.build().connect("foobar.com", s).unwrap();
702 s.read_exact(&mut [0]).unwrap();
703 }
704
705 #[test]
connector_invalid_hostname()706 fn connector_invalid_hostname() {
707 let mut server = Server::builder();
708 server.should_error();
709 let server = server.build();
710
711 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
712 connector.set_ca_file("test/root-ca.pem").unwrap();
713
714 let s = server.connect_tcp();
715 connector.build().connect("bogus.com", s).unwrap_err();
716 }
717
718 #[test]
connector_invalid_no_hostname_verification()719 fn connector_invalid_no_hostname_verification() {
720 let server = Server::builder().build();
721
722 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
723 connector.set_ca_file("test/root-ca.pem").unwrap();
724
725 let s = server.connect_tcp();
726 let mut s = connector
727 .build()
728 .configure()
729 .unwrap()
730 .verify_hostname(false)
731 .connect("bogus.com", s)
732 .unwrap();
733 s.read_exact(&mut [0]).unwrap();
734 }
735
736 #[test]
connector_no_hostname_still_verifies()737 fn connector_no_hostname_still_verifies() {
738 let mut server = Server::builder();
739 server.should_error();
740 let server = server.build();
741
742 let connector = SslConnector::builder(SslMethod::tls()).unwrap().build();
743
744 let s = server.connect_tcp();
745 assert!(connector
746 .configure()
747 .unwrap()
748 .verify_hostname(false)
749 .connect("fizzbuzz.com", s)
750 .is_err());
751 }
752
753 #[test]
connector_can_disable_verify()754 fn connector_can_disable_verify() {
755 let server = Server::builder().build();
756
757 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
758 connector.set_verify(SslVerifyMode::NONE);
759 let connector = connector.build();
760
761 let s = server.connect_tcp();
762 let mut s = connector
763 .configure()
764 .unwrap()
765 .connect("fizzbuzz.com", s)
766 .unwrap();
767 s.read_exact(&mut [0]).unwrap();
768 }
769
770 #[test]
connector_does_use_sni_with_dnsnames()771 fn connector_does_use_sni_with_dnsnames() {
772 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
773
774 let mut builder = Server::builder();
775 builder.ctx().set_servername_callback(|ssl, _| {
776 assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com"));
777 CALLED_BACK.store(true, Ordering::SeqCst);
778 Ok(())
779 });
780 let server = builder.build();
781
782 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
783 connector.set_ca_file("test/root-ca.pem").unwrap();
784
785 let s = server.connect_tcp();
786 let mut s = connector
787 .build()
788 .configure()
789 .unwrap()
790 .connect("foobar.com", s)
791 .unwrap();
792 s.read_exact(&mut [0]).unwrap();
793
794 assert!(CALLED_BACK.load(Ordering::SeqCst));
795 }
796
797 #[test]
connector_doesnt_use_sni_with_ips()798 fn connector_doesnt_use_sni_with_ips() {
799 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
800
801 let mut builder = Server::builder();
802 builder.ctx().set_servername_callback(|ssl, _| {
803 assert_eq!(ssl.servername(NameType::HOST_NAME), None);
804 CALLED_BACK.store(true, Ordering::SeqCst);
805 Ok(())
806 });
807 let server = builder.build();
808
809 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
810 // The server's cert isn't issued for 127.0.0.1 but we don't care for this test.
811 connector.set_verify(SslVerifyMode::NONE);
812
813 let s = server.connect_tcp();
814 let mut s = connector
815 .build()
816 .configure()
817 .unwrap()
818 .connect("127.0.0.1", s)
819 .unwrap();
820 s.read_exact(&mut [0]).unwrap();
821
822 assert!(CALLED_BACK.load(Ordering::SeqCst));
823 }
824
test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>)825 fn test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>) {
826 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
827 let port = listener.local_addr().unwrap().port();
828
829 let t = thread::spawn(move || {
830 let key = PKey::private_key_from_pem(KEY).unwrap();
831 let cert = X509::from_pem(CERT).unwrap();
832 let mut acceptor = new(SslMethod::tls()).unwrap();
833 acceptor.set_private_key(&key).unwrap();
834 acceptor.set_certificate(&cert).unwrap();
835 let acceptor = acceptor.build();
836 let stream = listener.accept().unwrap().0;
837 let mut stream = acceptor.accept(stream).unwrap();
838
839 stream.write_all(b"hello").unwrap();
840 });
841
842 let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
843 connector.set_ca_file("test/root-ca.pem").unwrap();
844 let connector = connector.build();
845
846 let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
847 let mut stream = connector.connect("foobar.com", stream).unwrap();
848
849 let mut buf = [0; 5];
850 stream.read_exact(&mut buf).unwrap();
851 assert_eq!(b"hello", &buf);
852
853 t.join().unwrap();
854 }
855
856 #[test]
connector_client_server_mozilla_intermediate()857 fn connector_client_server_mozilla_intermediate() {
858 test_mozilla_server(SslAcceptor::mozilla_intermediate);
859 }
860
861 #[test]
connector_client_server_mozilla_modern()862 fn connector_client_server_mozilla_modern() {
863 test_mozilla_server(SslAcceptor::mozilla_modern);
864 }
865
866 #[test]
connector_client_server_mozilla_intermediate_v5()867 fn connector_client_server_mozilla_intermediate_v5() {
868 test_mozilla_server(SslAcceptor::mozilla_intermediate_v5);
869 }
870
871 #[test]
872 #[cfg(any(ossl111, libressl340))]
connector_client_server_mozilla_modern_v5()873 fn connector_client_server_mozilla_modern_v5() {
874 test_mozilla_server(SslAcceptor::mozilla_modern_v5);
875 }
876
877 #[test]
shutdown()878 fn shutdown() {
879 let mut server = Server::builder();
880 server.io_cb(|mut s| {
881 assert_eq!(s.read(&mut [0]).unwrap(), 0);
882 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
883 });
884 let server = server.build();
885
886 let mut s = server.client().connect();
887
888 assert_eq!(s.get_shutdown(), ShutdownState::empty());
889 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Sent);
890 assert_eq!(s.get_shutdown(), ShutdownState::SENT);
891 assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
892 assert_eq!(
893 s.get_shutdown(),
894 ShutdownState::SENT | ShutdownState::RECEIVED
895 );
896 }
897
898 #[test]
client_ca_list()899 fn client_ca_list() {
900 let names = X509Name::load_client_ca_file("test/root-ca.pem").unwrap();
901 assert_eq!(names.len(), 1);
902
903 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
904 ctx.set_client_ca_list(names);
905 }
906
907 #[test]
cert_store()908 fn cert_store() {
909 let server = Server::builder().build();
910
911 let mut client = server.client();
912 let cert = X509::from_pem(ROOT_CERT).unwrap();
913 client.ctx().cert_store_mut().add_cert(cert).unwrap();
914 client.ctx().set_verify(SslVerifyMode::PEER);
915
916 client.connect();
917 }
918
919 #[test]
920 #[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
tmp_dh_callback()921 fn tmp_dh_callback() {
922 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
923
924 let mut server = Server::builder();
925 server.ctx().set_tmp_dh_callback(|_, _, _| {
926 CALLED_BACK.store(true, Ordering::SeqCst);
927 let dh = include_bytes!("../../../test/dhparams.pem");
928 Dh::params_from_pem(dh)
929 });
930
931 let server = server.build();
932
933 let mut client = server.client();
934 // TLS 1.3 has no DH suites, so make sure we don't pick that version
935 #[cfg(any(ossl111, libressl340))]
936 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
937 client.ctx().set_cipher_list("EDH").unwrap();
938 client.connect();
939
940 assert!(CALLED_BACK.load(Ordering::SeqCst));
941 }
942
943 #[test]
944 #[cfg(all(ossl101, not(ossl110)))]
945 #[allow(deprecated)]
tmp_ecdh_callback()946 fn tmp_ecdh_callback() {
947 use crate::ec::EcKey;
948 use crate::nid::Nid;
949
950 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
951
952 let mut server = Server::builder();
953 server.ctx().set_tmp_ecdh_callback(|_, _, _| {
954 CALLED_BACK.store(true, Ordering::SeqCst);
955 EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
956 });
957
958 let server = server.build();
959
960 let mut client = server.client();
961 client.ctx().set_cipher_list("ECDH").unwrap();
962 client.connect();
963
964 assert!(CALLED_BACK.load(Ordering::SeqCst));
965 }
966
967 #[test]
968 #[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
tmp_dh_callback_ssl()969 fn tmp_dh_callback_ssl() {
970 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
971
972 let mut server = Server::builder();
973 server.ssl_cb(|ssl| {
974 ssl.set_tmp_dh_callback(|_, _, _| {
975 CALLED_BACK.store(true, Ordering::SeqCst);
976 let dh = include_bytes!("../../../test/dhparams.pem");
977 Dh::params_from_pem(dh)
978 });
979 });
980
981 let server = server.build();
982
983 let mut client = server.client();
984 // TLS 1.3 has no DH suites, so make sure we don't pick that version
985 #[cfg(any(ossl111, libressl340))]
986 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
987 client.ctx().set_cipher_list("EDH").unwrap();
988 client.connect();
989
990 assert!(CALLED_BACK.load(Ordering::SeqCst));
991 }
992
993 #[test]
994 #[cfg(all(ossl101, not(ossl110)))]
995 #[allow(deprecated)]
tmp_ecdh_callback_ssl()996 fn tmp_ecdh_callback_ssl() {
997 use crate::ec::EcKey;
998 use crate::nid::Nid;
999
1000 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1001
1002 let mut server = Server::builder();
1003 server.ssl_cb(|ssl| {
1004 ssl.set_tmp_ecdh_callback(|_, _, _| {
1005 CALLED_BACK.store(true, Ordering::SeqCst);
1006 EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
1007 });
1008 });
1009
1010 let server = server.build();
1011
1012 let mut client = server.client();
1013 client.ctx().set_cipher_list("ECDH").unwrap();
1014 client.connect();
1015
1016 assert!(CALLED_BACK.load(Ordering::SeqCst));
1017 }
1018
1019 #[test]
idle_session()1020 fn idle_session() {
1021 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1022 let ssl = Ssl::new(&ctx).unwrap();
1023 assert!(ssl.session().is_none());
1024 }
1025
1026 /// possible LibreSSL bug since 3.2.1
1027 #[test]
1028 #[cfg_attr(libressl321, ignore)]
active_session()1029 fn active_session() {
1030 let server = Server::builder().build();
1031
1032 let s = server.client().connect();
1033
1034 let session = s.ssl().session().unwrap();
1035 let len = session.master_key_len();
1036 let mut buf = vec![0; len - 1];
1037 let copied = session.master_key(&mut buf);
1038 assert_eq!(copied, buf.len());
1039 let mut buf = vec![0; len + 1];
1040 let copied = session.master_key(&mut buf);
1041 assert_eq!(copied, len);
1042 }
1043
1044 #[test]
1045 #[cfg(not(boringssl))]
status_callbacks()1046 fn status_callbacks() {
1047 static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false);
1048 static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false);
1049
1050 let mut server = Server::builder();
1051 server
1052 .ctx()
1053 .set_status_callback(|ssl| {
1054 CALLED_BACK_SERVER.store(true, Ordering::SeqCst);
1055 let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap();
1056 let response = response.to_der().unwrap();
1057 ssl.set_ocsp_status(&response).unwrap();
1058 Ok(true)
1059 })
1060 .unwrap();
1061
1062 let server = server.build();
1063
1064 let mut client = server.client();
1065 client
1066 .ctx()
1067 .set_status_callback(|ssl| {
1068 CALLED_BACK_CLIENT.store(true, Ordering::SeqCst);
1069 let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
1070 assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED);
1071 Ok(true)
1072 })
1073 .unwrap();
1074
1075 let mut client = client.build().builder();
1076 client.ssl().set_status_type(StatusType::OCSP).unwrap();
1077
1078 client.connect();
1079
1080 assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst));
1081 assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst));
1082 }
1083
1084 /// possible LibreSSL bug since 3.2.1
1085 #[test]
1086 #[cfg_attr(libressl321, ignore)]
new_session_callback()1087 fn new_session_callback() {
1088 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1089
1090 let mut server = Server::builder();
1091 server.ctx().set_session_id_context(b"foo").unwrap();
1092
1093 let server = server.build();
1094
1095 let mut client = server.client();
1096
1097 client
1098 .ctx()
1099 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
1100 client
1101 .ctx()
1102 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
1103
1104 client.connect();
1105
1106 assert!(CALLED_BACK.load(Ordering::SeqCst));
1107 }
1108
1109 /// possible LibreSSL bug since 3.2.1
1110 #[test]
1111 #[cfg_attr(libressl321, ignore)]
new_session_callback_swapped_ctx()1112 fn new_session_callback_swapped_ctx() {
1113 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1114
1115 let mut server = Server::builder();
1116 server.ctx().set_session_id_context(b"foo").unwrap();
1117
1118 let server = server.build();
1119
1120 let mut client = server.client();
1121
1122 client
1123 .ctx()
1124 .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
1125 client
1126 .ctx()
1127 .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
1128
1129 let mut client = client.build().builder();
1130
1131 let ctx = SslContextBuilder::new(SslMethod::tls()).unwrap().build();
1132 client.ssl().set_ssl_context(&ctx).unwrap();
1133
1134 client.connect();
1135
1136 assert!(CALLED_BACK.load(Ordering::SeqCst));
1137 }
1138
1139 #[test]
keying_export()1140 fn keying_export() {
1141 let listener = TcpListener::bind("127.0.0.1:0").unwrap();
1142 let addr = listener.local_addr().unwrap();
1143
1144 let label = "EXPERIMENTAL test";
1145 let context = b"my context";
1146
1147 let guard = thread::spawn(move || {
1148 let stream = listener.accept().unwrap().0;
1149 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1150 ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
1151 .unwrap();
1152 ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
1153 .unwrap();
1154 let ssl = Ssl::new(&ctx.build()).unwrap();
1155 let mut stream = ssl.accept(stream).unwrap();
1156
1157 let mut buf = [0; 32];
1158 stream
1159 .ssl()
1160 .export_keying_material(&mut buf, label, Some(context))
1161 .unwrap();
1162
1163 stream.write_all(&[0]).unwrap();
1164
1165 buf
1166 });
1167
1168 let stream = TcpStream::connect(addr).unwrap();
1169 let ctx = SslContext::builder(SslMethod::tls()).unwrap();
1170 let ssl = Ssl::new(&ctx.build()).unwrap();
1171 let mut stream = ssl.connect(stream).unwrap();
1172
1173 let mut buf = [1; 32];
1174 stream
1175 .ssl()
1176 .export_keying_material(&mut buf, label, Some(context))
1177 .unwrap();
1178
1179 stream.read_exact(&mut [0]).unwrap();
1180
1181 let buf2 = guard.join().unwrap();
1182
1183 assert_eq!(buf, buf2);
1184 }
1185
1186 #[test]
1187 #[cfg(any(ossl110, libressl261))]
no_version_overlap()1188 fn no_version_overlap() {
1189 let mut server = Server::builder();
1190 server.ctx().set_min_proto_version(None).unwrap();
1191 server
1192 .ctx()
1193 .set_max_proto_version(Some(SslVersion::TLS1_1))
1194 .unwrap();
1195 #[cfg(any(ossl110g, libressl270))]
1196 assert_eq!(server.ctx().max_proto_version(), Some(SslVersion::TLS1_1));
1197 server.should_error();
1198 let server = server.build();
1199
1200 let mut client = server.client();
1201 client
1202 .ctx()
1203 .set_min_proto_version(Some(SslVersion::TLS1_2))
1204 .unwrap();
1205 #[cfg(ossl110g)]
1206 assert_eq!(client.ctx().min_proto_version(), Some(SslVersion::TLS1_2));
1207 client.ctx().set_max_proto_version(None).unwrap();
1208
1209 client.connect_err();
1210 }
1211
1212 #[test]
1213 #[cfg(ossl111)]
custom_extensions()1214 fn custom_extensions() {
1215 static FOUND_EXTENSION: AtomicBool = AtomicBool::new(false);
1216
1217 let mut server = Server::builder();
1218 server
1219 .ctx()
1220 .add_custom_ext(
1221 12345,
1222 ExtensionContext::CLIENT_HELLO,
1223 |_, _, _| -> Result<Option<&'static [u8]>, _> { unreachable!() },
1224 |_, _, data, _| {
1225 FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst);
1226 Ok(())
1227 },
1228 )
1229 .unwrap();
1230
1231 let server = server.build();
1232
1233 let mut client = server.client();
1234 client
1235 .ctx()
1236 .add_custom_ext(
1237 12345,
1238 ssl::ExtensionContext::CLIENT_HELLO,
1239 |_, _, _| Ok(Some(b"hello")),
1240 |_, _, _, _| unreachable!(),
1241 )
1242 .unwrap();
1243
1244 client.connect();
1245
1246 assert!(FOUND_EXTENSION.load(Ordering::SeqCst));
1247 }
1248
_check_kinds()1249 fn _check_kinds() {
1250 fn is_send<T: Send>() {}
1251 fn is_sync<T: Sync>() {}
1252
1253 is_send::<SslStream<TcpStream>>();
1254 is_sync::<SslStream<TcpStream>>();
1255 }
1256
1257 #[test]
1258 #[cfg(ossl111)]
stateless()1259 fn stateless() {
1260 use super::SslOptions;
1261
1262 #[derive(Debug)]
1263 struct MemoryStream {
1264 incoming: io::Cursor<Vec<u8>>,
1265 outgoing: Vec<u8>,
1266 }
1267
1268 impl MemoryStream {
1269 pub fn new() -> Self {
1270 Self {
1271 incoming: io::Cursor::new(Vec::new()),
1272 outgoing: Vec::new(),
1273 }
1274 }
1275
1276 pub fn extend_incoming(&mut self, data: &[u8]) {
1277 self.incoming.get_mut().extend_from_slice(data);
1278 }
1279
1280 pub fn take_outgoing(&mut self) -> Outgoing<'_> {
1281 Outgoing(&mut self.outgoing)
1282 }
1283 }
1284
1285 impl Read for MemoryStream {
1286 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
1287 let n = self.incoming.read(buf)?;
1288 if self.incoming.position() == self.incoming.get_ref().len() as u64 {
1289 self.incoming.set_position(0);
1290 self.incoming.get_mut().clear();
1291 }
1292 if n == 0 {
1293 return Err(io::Error::new(
1294 io::ErrorKind::WouldBlock,
1295 "no data available",
1296 ));
1297 }
1298 Ok(n)
1299 }
1300 }
1301
1302 impl Write for MemoryStream {
1303 fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
1304 self.outgoing.write(buf)
1305 }
1306
1307 fn flush(&mut self) -> io::Result<()> {
1308 Ok(())
1309 }
1310 }
1311
1312 pub struct Outgoing<'a>(&'a mut Vec<u8>);
1313
1314 impl<'a> Drop for Outgoing<'a> {
1315 fn drop(&mut self) {
1316 self.0.clear();
1317 }
1318 }
1319
1320 impl<'a> ::std::ops::Deref for Outgoing<'a> {
1321 type Target = [u8];
1322 fn deref(&self) -> &[u8] {
1323 self.0
1324 }
1325 }
1326
1327 impl<'a> AsRef<[u8]> for Outgoing<'a> {
1328 fn as_ref(&self) -> &[u8] {
1329 self.0
1330 }
1331 }
1332
1333 fn send(from: &mut MemoryStream, to: &mut MemoryStream) {
1334 to.extend_incoming(&from.take_outgoing());
1335 }
1336
1337 //
1338 // Setup
1339 //
1340
1341 let mut client_ctx = SslContext::builder(SslMethod::tls()).unwrap();
1342 client_ctx.clear_options(SslOptions::ENABLE_MIDDLEBOX_COMPAT);
1343 let mut client_stream =
1344 SslStream::new(Ssl::new(&client_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
1345
1346 let mut server_ctx = SslContext::builder(SslMethod::tls()).unwrap();
1347 server_ctx
1348 .set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
1349 .unwrap();
1350 server_ctx
1351 .set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
1352 .unwrap();
1353 const COOKIE: &[u8] = b"chocolate chip";
1354 server_ctx.set_stateless_cookie_generate_cb(|_tls, buf| {
1355 buf[0..COOKIE.len()].copy_from_slice(COOKIE);
1356 Ok(COOKIE.len())
1357 });
1358 server_ctx.set_stateless_cookie_verify_cb(|_tls, buf| buf == COOKIE);
1359 let mut server_stream =
1360 SslStream::new(Ssl::new(&server_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
1361
1362 //
1363 // Handshake
1364 //
1365
1366 // Initial ClientHello
1367 client_stream.connect().unwrap_err();
1368 send(client_stream.get_mut(), server_stream.get_mut());
1369 // HelloRetryRequest
1370 assert!(!server_stream.stateless().unwrap());
1371 send(server_stream.get_mut(), client_stream.get_mut());
1372 // Second ClientHello
1373 client_stream.do_handshake().unwrap_err();
1374 send(client_stream.get_mut(), server_stream.get_mut());
1375 // OldServerHello
1376 assert!(server_stream.stateless().unwrap());
1377 server_stream.accept().unwrap_err();
1378 send(server_stream.get_mut(), client_stream.get_mut());
1379 // Finished
1380 client_stream.do_handshake().unwrap();
1381 send(client_stream.get_mut(), server_stream.get_mut());
1382 server_stream.do_handshake().unwrap();
1383 }
1384
1385 #[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
1386 #[test]
psk_ciphers()1387 fn psk_ciphers() {
1388 const CIPHER: &str = "PSK-AES256-CBC-SHA";
1389 const PSK: &[u8] = b"thisisaverysecurekey";
1390 const CLIENT_IDENT: &[u8] = b"thisisaclient";
1391 static CLIENT_CALLED: AtomicBool = AtomicBool::new(false);
1392 static SERVER_CALLED: AtomicBool = AtomicBool::new(false);
1393
1394 let mut server = Server::builder();
1395 server.ctx().set_cipher_list(CIPHER).unwrap();
1396 server.ctx().set_psk_server_callback(|_, identity, psk| {
1397 assert!(identity.unwrap_or(&[]) == CLIENT_IDENT);
1398 psk[..PSK.len()].copy_from_slice(PSK);
1399 SERVER_CALLED.store(true, Ordering::SeqCst);
1400 Ok(PSK.len())
1401 });
1402
1403 let server = server.build();
1404
1405 let mut client = server.client();
1406 // This test relies on TLS 1.2 suites
1407 #[cfg(any(boringssl, ossl111))]
1408 client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
1409 client.ctx().set_cipher_list(CIPHER).unwrap();
1410 client
1411 .ctx()
1412 .set_psk_client_callback(move |_, _, identity, psk| {
1413 identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT);
1414 identity[CLIENT_IDENT.len()] = 0;
1415 psk[..PSK.len()].copy_from_slice(PSK);
1416 CLIENT_CALLED.store(true, Ordering::SeqCst);
1417 Ok(PSK.len())
1418 });
1419
1420 client.connect();
1421
1422 assert!(SERVER_CALLED.load(Ordering::SeqCst));
1423 assert!(CLIENT_CALLED.load(Ordering::SeqCst));
1424 }
1425
1426 #[test]
sni_callback_swapped_ctx()1427 fn sni_callback_swapped_ctx() {
1428 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1429
1430 let mut server = Server::builder();
1431
1432 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1433 ctx.set_servername_callback(|_, _| {
1434 CALLED_BACK.store(true, Ordering::SeqCst);
1435 Ok(())
1436 });
1437
1438 let keyed_ctx = mem::replace(server.ctx(), ctx).build();
1439 server.ssl_cb(move |ssl| ssl.set_ssl_context(&keyed_ctx).unwrap());
1440
1441 let server = server.build();
1442
1443 server.client().connect();
1444
1445 assert!(CALLED_BACK.load(Ordering::SeqCst));
1446 }
1447
1448 #[test]
1449 #[cfg(ossl111)]
client_hello()1450 fn client_hello() {
1451 static CALLED_BACK: AtomicBool = AtomicBool::new(false);
1452
1453 let mut server = Server::builder();
1454 server.ctx().set_client_hello_callback(|ssl, _| {
1455 assert!(!ssl.client_hello_isv2());
1456 assert_eq!(ssl.client_hello_legacy_version(), Some(SslVersion::TLS1_2));
1457 assert!(ssl.client_hello_random().is_some());
1458 assert!(ssl.client_hello_session_id().is_some());
1459 assert!(ssl.client_hello_ciphers().is_some());
1460 assert!(ssl.client_hello_compression_methods().is_some());
1461 assert!(ssl
1462 .bytes_to_cipher_list(ssl.client_hello_ciphers().unwrap(), ssl.client_hello_isv2())
1463 .is_ok());
1464
1465 CALLED_BACK.store(true, Ordering::SeqCst);
1466 Ok(ClientHelloResponse::SUCCESS)
1467 });
1468
1469 let server = server.build();
1470 server.client().connect();
1471
1472 assert!(CALLED_BACK.load(Ordering::SeqCst));
1473 }
1474
1475 #[test]
1476 #[cfg(ossl111)]
openssl_cipher_name()1477 fn openssl_cipher_name() {
1478 assert_eq!(
1479 super::cipher_name("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
1480 "ECDHE-RSA-AES256-SHA384",
1481 );
1482
1483 assert_eq!(super::cipher_name("asdf"), "(NONE)");
1484 }
1485
1486 #[test]
session_cache_size()1487 fn session_cache_size() {
1488 let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
1489 ctx.set_session_cache_size(1234);
1490 let ctx = ctx.build();
1491 assert_eq!(ctx.session_cache_size(), 1234);
1492 }
1493
1494 #[test]
1495 #[cfg(ossl102)]
add_chain_cert()1496 fn add_chain_cert() {
1497 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1498 let cert = X509::from_pem(CERT).unwrap();
1499 let mut ssl = Ssl::new(&ctx).unwrap();
1500 assert!(ssl.add_chain_cert(cert).is_ok());
1501 }
1502 #[test]
1503 #[cfg(ossl111)]
set_ssl_certificate_key_related_api()1504 fn set_ssl_certificate_key_related_api() {
1505 let cert_str: &str = include_str!("../../../test/cert.pem");
1506 let key_str: &str = include_str!("../../../test/key.pem");
1507 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1508 let cert_x509 = X509::from_pem(CERT).unwrap();
1509 let mut ssl = Ssl::new(&ctx).unwrap();
1510 assert!(ssl.set_method(SslMethod::tls()).is_ok());
1511 ssl.set_private_key_file("test/key.pem", SslFiletype::PEM)
1512 .unwrap();
1513 {
1514 let pkey = String::from_utf8(
1515 ssl.private_key()
1516 .unwrap()
1517 .private_key_to_pem_pkcs8()
1518 .unwrap(),
1519 )
1520 .unwrap();
1521 assert!(pkey.lines().eq(key_str.lines()));
1522 }
1523 let pkey = PKey::private_key_from_pem(KEY).unwrap();
1524 ssl.set_private_key(pkey.as_ref()).unwrap();
1525 {
1526 let pkey = String::from_utf8(
1527 ssl.private_key()
1528 .unwrap()
1529 .private_key_to_pem_pkcs8()
1530 .unwrap(),
1531 )
1532 .unwrap();
1533 assert!(pkey.lines().eq(key_str.lines()));
1534 }
1535 ssl.set_certificate(cert_x509.as_ref()).unwrap();
1536 let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap();
1537 assert!(cert.lines().eq(cert_str.lines()));
1538 ssl.add_client_ca(cert_x509.as_ref()).unwrap();
1539 ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap();
1540 ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap();
1541 ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap();
1542 ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap();
1543 let x509 = X509::from_pem(ROOT_CERT).unwrap();
1544 let mut builder = X509StoreBuilder::new().unwrap();
1545 builder.add_cert(x509).unwrap();
1546 let store = builder.build();
1547 ssl.set_verify_cert_store(store).unwrap();
1548 }
1549
1550 #[test]
1551 #[cfg(ossl110)]
test_ssl_set_cert_chain_file()1552 fn test_ssl_set_cert_chain_file() {
1553 let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
1554 let mut ssl = Ssl::new(&ctx).unwrap();
1555 ssl.set_certificate_chain_file("test/cert.pem").unwrap();
1556 }
1557
1558 #[test]
1559 #[cfg(ossl111)]
set_num_tickets()1560 fn set_num_tickets() {
1561 let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap();
1562 ctx.set_num_tickets(3).unwrap();
1563 let ctx = ctx.build();
1564 assert_eq!(3, ctx.num_tickets());
1565
1566 let mut ssl = Ssl::new(&ctx).unwrap();
1567 ssl.set_num_tickets(5).unwrap();
1568 let ssl = ssl;
1569 assert_eq!(5, ssl.num_tickets());
1570 }
1571