summaryrefslogtreecommitdiffstats
path: root/vendor/openssl/src/ssl/test
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 12:41:35 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 12:41:35 +0000
commit7e5d7eea9c580ef4b41a765bde624af431942b96 (patch)
tree2c0d9ca12878fc4525650aa4e54d77a81a07cc09 /vendor/openssl/src/ssl/test
parentAdding debian version 1.70.0+dfsg1-9. (diff)
downloadrustc-7e5d7eea9c580ef4b41a765bde624af431942b96.tar.xz
rustc-7e5d7eea9c580ef4b41a765bde624af431942b96.zip
Merging upstream version 1.70.0+dfsg2.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'vendor/openssl/src/ssl/test')
-rw-r--r--vendor/openssl/src/ssl/test/mod.rs1567
-rw-r--r--vendor/openssl/src/ssl/test/server.rs167
2 files changed, 1734 insertions, 0 deletions
diff --git a/vendor/openssl/src/ssl/test/mod.rs b/vendor/openssl/src/ssl/test/mod.rs
new file mode 100644
index 000000000..a34309a7d
--- /dev/null
+++ b/vendor/openssl/src/ssl/test/mod.rs
@@ -0,0 +1,1567 @@
+#![allow(unused_imports)]
+
+use std::env;
+use std::fs::File;
+use std::io::prelude::*;
+use std::io::{self, BufReader};
+use std::iter;
+use std::mem;
+use std::net::UdpSocket;
+use std::net::{SocketAddr, TcpListener, TcpStream};
+use std::path::Path;
+use std::process::{Child, ChildStdin, Command, Stdio};
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::thread;
+use std::time::Duration;
+
+use crate::dh::Dh;
+use crate::error::ErrorStack;
+use crate::hash::MessageDigest;
+#[cfg(not(boringssl))]
+use crate::ocsp::{OcspResponse, OcspResponseStatus};
+use crate::pkey::PKey;
+use crate::srtp::SrtpProfileId;
+use crate::ssl::test::server::Server;
+#[cfg(any(ossl110, ossl111, libressl261))]
+use crate::ssl::SslVersion;
+use crate::ssl::{self, NameType, SslConnectorBuilder};
+#[cfg(ossl111)]
+use crate::ssl::{ClientHelloResponse, ExtensionContext};
+use crate::ssl::{
+ Error, HandshakeError, MidHandshakeSslStream, ShutdownResult, ShutdownState, Ssl, SslAcceptor,
+ SslAcceptorBuilder, SslConnector, SslContext, SslContextBuilder, SslFiletype, SslMethod,
+ SslOptions, SslSessionCacheMode, SslStream, SslVerifyMode, StatusType,
+};
+#[cfg(ossl102)]
+use crate::x509::store::X509StoreBuilder;
+#[cfg(ossl102)]
+use crate::x509::verify::X509CheckFlags;
+use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509};
+
+mod server;
+
+static ROOT_CERT: &[u8] = include_bytes!("../../../test/root-ca.pem");
+static CERT: &[u8] = include_bytes!("../../../test/cert.pem");
+static KEY: &[u8] = include_bytes!("../../../test/key.pem");
+
+#[test]
+fn verify_untrusted() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_verify(SslVerifyMode::PEER);
+
+ client.connect_err();
+}
+
+#[test]
+fn verify_trusted() {
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+
+ client.connect();
+}
+
+#[test]
+#[cfg(ossl102)]
+fn verify_trusted_with_set_cert() {
+ let server = Server::builder().build();
+
+ let mut store = X509StoreBuilder::new().unwrap();
+ let x509 = X509::from_pem(ROOT_CERT).unwrap();
+ store.add_cert(x509).unwrap();
+
+ let mut client = server.client();
+ client.ctx().set_verify(SslVerifyMode::PEER);
+ client.ctx().set_verify_cert_store(store.build()).unwrap();
+
+ client.connect();
+}
+
+#[test]
+fn verify_untrusted_callback_override_ok() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ assert!(x509.current_cert().is_some());
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn verify_untrusted_callback_override_bad() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
+
+ client.connect_err();
+}
+
+#[test]
+fn verify_trusted_callback_override_ok() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ assert!(x509.current_cert().is_some());
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn verify_trusted_callback_override_bad() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, _| false);
+
+ client.connect_err();
+}
+
+#[test]
+fn verify_callback_load_certs() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ assert!(x509.current_cert().is_some());
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn verify_trusted_get_error_ok() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ assert_eq!(x509.error(), X509VerifyResult::OK);
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn verify_trusted_get_error_err() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, |_, x509| {
+ assert_ne!(x509.error(), X509VerifyResult::OK);
+ false
+ });
+
+ client.connect_err();
+}
+
+#[test]
+fn verify_callback() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
+ client
+ .ctx()
+ .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ let cert = x509.current_cert().unwrap();
+ let digest = cert.digest(MessageDigest::sha1()).unwrap();
+ assert_eq!(hex::encode(digest), expected);
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn ssl_verify_callback() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let server = Server::builder().build();
+
+ let mut client = server.client().build().builder();
+ let expected = "59172d9313e84459bcff27f967e79e6e9217e584";
+ client
+ .ssl()
+ .set_verify_callback(SslVerifyMode::PEER, move |_, x509| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ let cert = x509.current_cert().unwrap();
+ let digest = cert.digest(MessageDigest::sha1()).unwrap();
+ assert_eq!(hex::encode(digest), expected);
+ true
+ });
+
+ client.connect();
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn get_ctx_options() {
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.options();
+}
+
+#[test]
+fn set_ctx_options() {
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ let opts = ctx.set_options(SslOptions::NO_TICKET);
+ assert!(opts.contains(SslOptions::NO_TICKET));
+}
+
+#[test]
+#[cfg(not(boringssl))]
+fn clear_ctx_options() {
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_options(SslOptions::ALL);
+ let opts = ctx.clear_options(SslOptions::ALL);
+ assert!(!opts.contains(SslOptions::ALL));
+}
+
+#[test]
+fn zero_length_buffers() {
+ let server = Server::builder().build();
+
+ let mut s = server.client().connect();
+ assert_eq!(s.write(&[]).unwrap(), 0);
+ assert_eq!(s.read(&mut []).unwrap(), 0);
+}
+
+#[test]
+fn peer_certificate() {
+ let server = Server::builder().build();
+
+ let s = server.client().connect();
+ let cert = s.ssl().peer_certificate().unwrap();
+ let fingerprint = cert.digest(MessageDigest::sha1()).unwrap();
+ assert_eq!(
+ hex::encode(fingerprint),
+ "59172d9313e84459bcff27f967e79e6e9217e584"
+ );
+}
+
+#[test]
+fn pending() {
+ let mut server = Server::builder();
+ server.io_cb(|mut s| s.write_all(&[0; 10]).unwrap());
+ let server = server.build();
+
+ let mut s = server.client().connect();
+ s.read_exact(&mut [0]).unwrap();
+
+ assert_eq!(s.ssl().pending(), 9);
+ assert_eq!(s.read(&mut [0; 10]).unwrap(), 9);
+}
+
+#[test]
+fn state() {
+ let server = Server::builder().build();
+
+ let s = server.client().connect();
+ #[cfg(not(boringssl))]
+ assert_eq!(s.ssl().state_string().trim(), "SSLOK");
+ #[cfg(boringssl)]
+ assert_eq!(s.ssl().state_string(), "!!!!!!");
+ assert_eq!(
+ s.ssl().state_string_long(),
+ "SSL negotiation finished successfully"
+ );
+}
+
+/// Tests that when both the client as well as the server use SRTP and their
+/// lists of supported protocols have an overlap -- with only ONE protocol
+/// being valid for both.
+#[test]
+fn test_connect_with_srtp_ctx() {
+ let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+ let addr = listener.local_addr().unwrap();
+
+ let guard = thread::spawn(move || {
+ let stream = listener.accept().unwrap().0;
+ let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
+ ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
+ .unwrap();
+ ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
+ .unwrap();
+ ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
+ .unwrap();
+ let mut ssl = Ssl::new(&ctx.build()).unwrap();
+ ssl.set_mtu(1500).unwrap();
+ let mut stream = ssl.accept(stream).unwrap();
+
+ let mut buf = [0; 60];
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
+ .unwrap();
+
+ stream.write_all(&[0]).unwrap();
+
+ buf
+ });
+
+ let stream = TcpStream::connect(addr).unwrap();
+ let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
+ ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
+ .unwrap();
+ let mut ssl = Ssl::new(&ctx.build()).unwrap();
+ ssl.set_mtu(1500).unwrap();
+ let mut stream = ssl.connect(stream).unwrap();
+
+ let mut buf = [1; 60];
+ {
+ let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
+ assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
+ assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
+ }
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
+ .expect("extract");
+
+ stream.read_exact(&mut [0]).unwrap();
+
+ let buf2 = guard.join().unwrap();
+
+ assert_eq!(buf[..], buf2[..]);
+}
+
+/// Tests that when both the client as well as the server use SRTP and their
+/// lists of supported protocols have an overlap -- with only ONE protocol
+/// being valid for both.
+#[test]
+fn test_connect_with_srtp_ssl() {
+ let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+ let addr = listener.local_addr().unwrap();
+
+ let guard = thread::spawn(move || {
+ let stream = listener.accept().unwrap().0;
+ let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap();
+ ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
+ .unwrap();
+ ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
+ .unwrap();
+ let mut ssl = Ssl::new(&ctx.build()).unwrap();
+ ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
+ .unwrap();
+ let mut profilenames = String::new();
+ for profile in ssl.srtp_profiles().unwrap() {
+ if !profilenames.is_empty() {
+ profilenames.push(':');
+ }
+ profilenames += profile.name();
+ }
+ assert_eq!(
+ "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
+ profilenames
+ );
+ ssl.set_mtu(1500).unwrap();
+ let mut stream = ssl.accept(stream).unwrap();
+
+ let mut buf = [0; 60];
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
+ .unwrap();
+
+ stream.write_all(&[0]).unwrap();
+
+ buf
+ });
+
+ let stream = TcpStream::connect(addr).unwrap();
+ let ctx = SslContext::builder(SslMethod::dtls()).unwrap();
+ let mut ssl = Ssl::new(&ctx.build()).unwrap();
+ ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32")
+ .unwrap();
+ ssl.set_mtu(1500).unwrap();
+ let mut stream = ssl.connect(stream).unwrap();
+
+ let mut buf = [1; 60];
+ {
+ let srtp_profile = stream.ssl().selected_srtp_profile().unwrap();
+ assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name());
+ assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id());
+ }
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None)
+ .expect("extract");
+
+ stream.read_exact(&mut [0]).unwrap();
+
+ let buf2 = guard.join().unwrap();
+
+ assert_eq!(buf[..], buf2[..]);
+}
+
+/// Tests that when the `SslStream` is created as a server stream, the protocols
+/// are correctly advertised to the client.
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_alpn_server_advertise_multiple() {
+ let mut server = Server::builder();
+ server.ctx().set_alpn_select_callback(|_, client| {
+ ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
+ });
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_alpn_protos(b"\x08spdy/3.1").unwrap();
+ let s = client.connect();
+ assert_eq!(s.ssl().selected_alpn_protocol(), Some(&b"spdy/3.1"[..]));
+}
+
+#[test]
+#[cfg(any(ossl110))]
+fn test_alpn_server_select_none_fatal() {
+ let mut server = Server::builder();
+ server.ctx().set_alpn_select_callback(|_, client| {
+ ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client)
+ .ok_or(ssl::AlpnError::ALERT_FATAL)
+ });
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
+ client.connect_err();
+}
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_alpn_server_select_none() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_alpn_select_callback(|_, client| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
+ });
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
+ let s = client.connect();
+ assert_eq!(None, s.ssl().selected_alpn_protocol());
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg(any(ossl102, libressl261))]
+fn test_alpn_server_unilateral() {
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client.ctx().set_alpn_protos(b"\x06http/2").unwrap();
+ let s = client.connect();
+ assert_eq!(None, s.ssl().selected_alpn_protocol());
+}
+
+#[test]
+#[should_panic(expected = "blammo")]
+fn write_panic() {
+ struct ExplodingStream(TcpStream);
+
+ impl Read for ExplodingStream {
+ fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+ self.0.read(buf)
+ }
+ }
+
+ impl Write for ExplodingStream {
+ fn write(&mut self, _: &[u8]) -> io::Result<usize> {
+ panic!("blammo");
+ }
+
+ fn flush(&mut self) -> io::Result<()> {
+ self.0.flush()
+ }
+ }
+
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let stream = ExplodingStream(server.connect_tcp());
+
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
+}
+
+#[test]
+#[should_panic(expected = "blammo")]
+fn read_panic() {
+ struct ExplodingStream(TcpStream);
+
+ impl Read for ExplodingStream {
+ fn read(&mut self, _: &mut [u8]) -> io::Result<usize> {
+ panic!("blammo");
+ }
+ }
+
+ impl Write for ExplodingStream {
+ fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+ self.0.write(buf)
+ }
+
+ fn flush(&mut self) -> io::Result<()> {
+ self.0.flush()
+ }
+ }
+
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let stream = ExplodingStream(server.connect_tcp());
+
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
+}
+
+#[test]
+#[cfg_attr(all(libressl321, not(libressl340)), ignore)]
+#[should_panic(expected = "blammo")]
+fn flush_panic() {
+ struct ExplodingStream(TcpStream);
+
+ impl Read for ExplodingStream {
+ fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+ self.0.read(buf)
+ }
+ }
+
+ impl Write for ExplodingStream {
+ fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+ self.0.write(buf)
+ }
+
+ fn flush(&mut self) -> io::Result<()> {
+ panic!("blammo");
+ }
+ }
+
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let stream = ExplodingStream(server.connect_tcp());
+
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ let _ = Ssl::new(&ctx.build()).unwrap().connect(stream);
+}
+
+#[test]
+fn refcount_ssl_context() {
+ let mut ssl = {
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ssl::Ssl::new(&ctx.build()).unwrap()
+ };
+
+ {
+ let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build();
+ ssl.set_ssl_context(&new_ctx_a).unwrap();
+ }
+}
+
+#[test]
+#[cfg_attr(libressl250, ignore)]
+#[cfg_attr(target_os = "windows", ignore)]
+#[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)]
+fn default_verify_paths() {
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_default_verify_paths().unwrap();
+ ctx.set_verify(SslVerifyMode::PEER);
+ let ctx = ctx.build();
+ let s = match TcpStream::connect("google.com:443") {
+ Ok(s) => s,
+ Err(_) => return,
+ };
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ ssl.set_hostname("google.com").unwrap();
+ let mut socket = ssl.connect(s).unwrap();
+
+ socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
+ let mut result = vec![];
+ socket.read_to_end(&mut result).unwrap();
+
+ println!("{}", String::from_utf8_lossy(&result));
+ assert!(result.starts_with(b"HTTP/1.0"));
+ assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
+}
+
+#[test]
+fn add_extra_chain_cert() {
+ let cert = X509::from_pem(CERT).unwrap();
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.add_extra_chain_cert(cert).unwrap();
+}
+
+#[test]
+#[cfg(ossl102)]
+fn verify_valid_hostname() {
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+ client.ctx().set_verify(SslVerifyMode::PEER);
+
+ let mut client = client.build().builder();
+ client
+ .ssl()
+ .param_mut()
+ .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
+ client.ssl().param_mut().set_host("foobar.com").unwrap();
+ client.connect();
+}
+
+#[test]
+#[cfg(ossl102)]
+fn verify_invalid_hostname() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_ca_file("test/root-ca.pem").unwrap();
+ client.ctx().set_verify(SslVerifyMode::PEER);
+
+ let mut client = client.build().builder();
+ client
+ .ssl()
+ .param_mut()
+ .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS);
+ client.ssl().param_mut().set_host("bogus.com").unwrap();
+ client.connect_err();
+}
+
+#[test]
+fn connector_valid_hostname() {
+ let server = Server::builder().build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_ca_file("test/root-ca.pem").unwrap();
+
+ let s = server.connect_tcp();
+ let mut s = connector.build().connect("foobar.com", s).unwrap();
+ s.read_exact(&mut [0]).unwrap();
+}
+
+#[test]
+fn connector_invalid_hostname() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_ca_file("test/root-ca.pem").unwrap();
+
+ let s = server.connect_tcp();
+ connector.build().connect("bogus.com", s).unwrap_err();
+}
+
+#[test]
+fn connector_invalid_no_hostname_verification() {
+ let server = Server::builder().build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_ca_file("test/root-ca.pem").unwrap();
+
+ let s = server.connect_tcp();
+ let mut s = connector
+ .build()
+ .configure()
+ .unwrap()
+ .verify_hostname(false)
+ .connect("bogus.com", s)
+ .unwrap();
+ s.read_exact(&mut [0]).unwrap();
+}
+
+#[test]
+fn connector_no_hostname_still_verifies() {
+ let mut server = Server::builder();
+ server.should_error();
+ let server = server.build();
+
+ let connector = SslConnector::builder(SslMethod::tls()).unwrap().build();
+
+ let s = server.connect_tcp();
+ assert!(connector
+ .configure()
+ .unwrap()
+ .verify_hostname(false)
+ .connect("fizzbuzz.com", s)
+ .is_err());
+}
+
+#[test]
+fn connector_can_disable_verify() {
+ let server = Server::builder().build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_verify(SslVerifyMode::NONE);
+ let connector = connector.build();
+
+ let s = server.connect_tcp();
+ let mut s = connector
+ .configure()
+ .unwrap()
+ .connect("fizzbuzz.com", s)
+ .unwrap();
+ s.read_exact(&mut [0]).unwrap();
+}
+
+#[test]
+fn connector_does_use_sni_with_dnsnames() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut builder = Server::builder();
+ builder.ctx().set_servername_callback(|ssl, _| {
+ assert_eq!(ssl.servername(NameType::HOST_NAME), Some("foobar.com"));
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ Ok(())
+ });
+ let server = builder.build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_ca_file("test/root-ca.pem").unwrap();
+
+ let s = server.connect_tcp();
+ let mut s = connector
+ .build()
+ .configure()
+ .unwrap()
+ .connect("foobar.com", s)
+ .unwrap();
+ s.read_exact(&mut [0]).unwrap();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn connector_doesnt_use_sni_with_ips() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut builder = Server::builder();
+ builder.ctx().set_servername_callback(|ssl, _| {
+ assert_eq!(ssl.servername(NameType::HOST_NAME), None);
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ Ok(())
+ });
+ let server = builder.build();
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ // The server's cert isn't issued for 127.0.0.1 but we don't care for this test.
+ connector.set_verify(SslVerifyMode::NONE);
+
+ let s = server.connect_tcp();
+ let mut s = connector
+ .build()
+ .configure()
+ .unwrap()
+ .connect("127.0.0.1", s)
+ .unwrap();
+ s.read_exact(&mut [0]).unwrap();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+fn test_mozilla_server(new: fn(SslMethod) -> Result<SslAcceptorBuilder, ErrorStack>) {
+ let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+ let port = listener.local_addr().unwrap().port();
+
+ let t = thread::spawn(move || {
+ let key = PKey::private_key_from_pem(KEY).unwrap();
+ let cert = X509::from_pem(CERT).unwrap();
+ let mut acceptor = new(SslMethod::tls()).unwrap();
+ acceptor.set_private_key(&key).unwrap();
+ acceptor.set_certificate(&cert).unwrap();
+ let acceptor = acceptor.build();
+ let stream = listener.accept().unwrap().0;
+ let mut stream = acceptor.accept(stream).unwrap();
+
+ stream.write_all(b"hello").unwrap();
+ });
+
+ let mut connector = SslConnector::builder(SslMethod::tls()).unwrap();
+ connector.set_ca_file("test/root-ca.pem").unwrap();
+ let connector = connector.build();
+
+ let stream = TcpStream::connect(("127.0.0.1", port)).unwrap();
+ let mut stream = connector.connect("foobar.com", stream).unwrap();
+
+ let mut buf = [0; 5];
+ stream.read_exact(&mut buf).unwrap();
+ assert_eq!(b"hello", &buf);
+
+ t.join().unwrap();
+}
+
+#[test]
+fn connector_client_server_mozilla_intermediate() {
+ test_mozilla_server(SslAcceptor::mozilla_intermediate);
+}
+
+#[test]
+fn connector_client_server_mozilla_modern() {
+ test_mozilla_server(SslAcceptor::mozilla_modern);
+}
+
+#[test]
+fn connector_client_server_mozilla_intermediate_v5() {
+ test_mozilla_server(SslAcceptor::mozilla_intermediate_v5);
+}
+
+#[test]
+#[cfg(any(ossl111, libressl340))]
+fn connector_client_server_mozilla_modern_v5() {
+ test_mozilla_server(SslAcceptor::mozilla_modern_v5);
+}
+
+#[test]
+fn shutdown() {
+ let mut server = Server::builder();
+ server.io_cb(|mut s| {
+ assert_eq!(s.read(&mut [0]).unwrap(), 0);
+ assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
+ });
+ let server = server.build();
+
+ let mut s = server.client().connect();
+
+ assert_eq!(s.get_shutdown(), ShutdownState::empty());
+ assert_eq!(s.shutdown().unwrap(), ShutdownResult::Sent);
+ assert_eq!(s.get_shutdown(), ShutdownState::SENT);
+ assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received);
+ assert_eq!(
+ s.get_shutdown(),
+ ShutdownState::SENT | ShutdownState::RECEIVED
+ );
+}
+
+#[test]
+fn client_ca_list() {
+ let names = X509Name::load_client_ca_file("test/root-ca.pem").unwrap();
+ assert_eq!(names.len(), 1);
+
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_client_ca_list(names);
+}
+
+#[test]
+fn cert_store() {
+ let server = Server::builder().build();
+
+ let mut client = server.client();
+ let cert = X509::from_pem(ROOT_CERT).unwrap();
+ client.ctx().cert_store_mut().add_cert(cert).unwrap();
+ client.ctx().set_verify(SslVerifyMode::PEER);
+
+ client.connect();
+}
+
+#[test]
+#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
+fn tmp_dh_callback() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_tmp_dh_callback(|_, _, _| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ let dh = include_bytes!("../../../test/dhparams.pem");
+ Dh::params_from_pem(dh)
+ });
+
+ let server = server.build();
+
+ let mut client = server.client();
+ // TLS 1.3 has no DH suites, so make sure we don't pick that version
+ #[cfg(any(ossl111, libressl340))]
+ client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
+ client.ctx().set_cipher_list("EDH").unwrap();
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg(all(ossl101, not(ossl110)))]
+#[allow(deprecated)]
+fn tmp_ecdh_callback() {
+ use crate::ec::EcKey;
+ use crate::nid::Nid;
+
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_tmp_ecdh_callback(|_, _, _| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
+ });
+
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_cipher_list("ECDH").unwrap();
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg_attr(any(all(libressl321, not(libressl340)), boringssl), ignore)]
+fn tmp_dh_callback_ssl() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ssl_cb(|ssl| {
+ ssl.set_tmp_dh_callback(|_, _, _| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ let dh = include_bytes!("../../../test/dhparams.pem");
+ Dh::params_from_pem(dh)
+ });
+ });
+
+ let server = server.build();
+
+ let mut client = server.client();
+ // TLS 1.3 has no DH suites, so make sure we don't pick that version
+ #[cfg(any(ossl111, libressl340))]
+ client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
+ client.ctx().set_cipher_list("EDH").unwrap();
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg(all(ossl101, not(ossl110)))]
+#[allow(deprecated)]
+fn tmp_ecdh_callback_ssl() {
+ use crate::ec::EcKey;
+ use crate::nid::Nid;
+
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ssl_cb(|ssl| {
+ ssl.set_tmp_ecdh_callback(|_, _, _| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ EcKey::from_curve_name(Nid::X9_62_PRIME256V1)
+ });
+ });
+
+ let server = server.build();
+
+ let mut client = server.client();
+ client.ctx().set_cipher_list("ECDH").unwrap();
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn idle_session() {
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
+ let ssl = Ssl::new(&ctx).unwrap();
+ assert!(ssl.session().is_none());
+}
+
+/// possible LibreSSL bug since 3.2.1
+#[test]
+#[cfg_attr(libressl321, ignore)]
+fn active_session() {
+ let server = Server::builder().build();
+
+ let s = server.client().connect();
+
+ let session = s.ssl().session().unwrap();
+ let len = session.master_key_len();
+ let mut buf = vec![0; len - 1];
+ let copied = session.master_key(&mut buf);
+ assert_eq!(copied, buf.len());
+ let mut buf = vec![0; len + 1];
+ let copied = session.master_key(&mut buf);
+ assert_eq!(copied, len);
+}
+
+#[test]
+#[cfg(not(boringssl))]
+fn status_callbacks() {
+ static CALLED_BACK_SERVER: AtomicBool = AtomicBool::new(false);
+ static CALLED_BACK_CLIENT: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server
+ .ctx()
+ .set_status_callback(|ssl| {
+ CALLED_BACK_SERVER.store(true, Ordering::SeqCst);
+ let response = OcspResponse::create(OcspResponseStatus::UNAUTHORIZED, None).unwrap();
+ let response = response.to_der().unwrap();
+ ssl.set_ocsp_status(&response).unwrap();
+ Ok(true)
+ })
+ .unwrap();
+
+ let server = server.build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_status_callback(|ssl| {
+ CALLED_BACK_CLIENT.store(true, Ordering::SeqCst);
+ let response = OcspResponse::from_der(ssl.ocsp_status().unwrap()).unwrap();
+ assert_eq!(response.status(), OcspResponseStatus::UNAUTHORIZED);
+ Ok(true)
+ })
+ .unwrap();
+
+ let mut client = client.build().builder();
+ client.ssl().set_status_type(StatusType::OCSP).unwrap();
+
+ client.connect();
+
+ assert!(CALLED_BACK_SERVER.load(Ordering::SeqCst));
+ assert!(CALLED_BACK_CLIENT.load(Ordering::SeqCst));
+}
+
+/// possible LibreSSL bug since 3.2.1
+#[test]
+#[cfg_attr(libressl321, ignore)]
+fn new_session_callback() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_session_id_context(b"foo").unwrap();
+
+ let server = server.build();
+
+ let mut client = server.client();
+
+ client
+ .ctx()
+ .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
+ client
+ .ctx()
+ .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
+
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+/// possible LibreSSL bug since 3.2.1
+#[test]
+#[cfg_attr(libressl321, ignore)]
+fn new_session_callback_swapped_ctx() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_session_id_context(b"foo").unwrap();
+
+ let server = server.build();
+
+ let mut client = server.client();
+
+ client
+ .ctx()
+ .set_session_cache_mode(SslSessionCacheMode::CLIENT | SslSessionCacheMode::NO_INTERNAL);
+ client
+ .ctx()
+ .set_new_session_callback(|_, _| CALLED_BACK.store(true, Ordering::SeqCst));
+
+ let mut client = client.build().builder();
+
+ let ctx = SslContextBuilder::new(SslMethod::tls()).unwrap().build();
+ client.ssl().set_ssl_context(&ctx).unwrap();
+
+ client.connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+fn keying_export() {
+ let listener = TcpListener::bind("127.0.0.1:0").unwrap();
+ let addr = listener.local_addr().unwrap();
+
+ let label = "EXPERIMENTAL test";
+ let context = b"my context";
+
+ let guard = thread::spawn(move || {
+ let stream = listener.accept().unwrap().0;
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
+ .unwrap();
+ ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
+ .unwrap();
+ let ssl = Ssl::new(&ctx.build()).unwrap();
+ let mut stream = ssl.accept(stream).unwrap();
+
+ let mut buf = [0; 32];
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, label, Some(context))
+ .unwrap();
+
+ stream.write_all(&[0]).unwrap();
+
+ buf
+ });
+
+ let stream = TcpStream::connect(addr).unwrap();
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ let ssl = Ssl::new(&ctx.build()).unwrap();
+ let mut stream = ssl.connect(stream).unwrap();
+
+ let mut buf = [1; 32];
+ stream
+ .ssl()
+ .export_keying_material(&mut buf, label, Some(context))
+ .unwrap();
+
+ stream.read_exact(&mut [0]).unwrap();
+
+ let buf2 = guard.join().unwrap();
+
+ assert_eq!(buf, buf2);
+}
+
+#[test]
+#[cfg(any(ossl110, libressl261))]
+fn no_version_overlap() {
+ let mut server = Server::builder();
+ server.ctx().set_min_proto_version(None).unwrap();
+ server
+ .ctx()
+ .set_max_proto_version(Some(SslVersion::TLS1_1))
+ .unwrap();
+ #[cfg(any(ossl110g, libressl270))]
+ assert_eq!(server.ctx().max_proto_version(), Some(SslVersion::TLS1_1));
+ server.should_error();
+ let server = server.build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .set_min_proto_version(Some(SslVersion::TLS1_2))
+ .unwrap();
+ #[cfg(ossl110g)]
+ assert_eq!(client.ctx().min_proto_version(), Some(SslVersion::TLS1_2));
+ client.ctx().set_max_proto_version(None).unwrap();
+
+ client.connect_err();
+}
+
+#[test]
+#[cfg(ossl111)]
+fn custom_extensions() {
+ static FOUND_EXTENSION: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server
+ .ctx()
+ .add_custom_ext(
+ 12345,
+ ExtensionContext::CLIENT_HELLO,
+ |_, _, _| -> Result<Option<&'static [u8]>, _> { unreachable!() },
+ |_, _, data, _| {
+ FOUND_EXTENSION.store(data == b"hello", Ordering::SeqCst);
+ Ok(())
+ },
+ )
+ .unwrap();
+
+ let server = server.build();
+
+ let mut client = server.client();
+ client
+ .ctx()
+ .add_custom_ext(
+ 12345,
+ ssl::ExtensionContext::CLIENT_HELLO,
+ |_, _, _| Ok(Some(b"hello")),
+ |_, _, _, _| unreachable!(),
+ )
+ .unwrap();
+
+ client.connect();
+
+ assert!(FOUND_EXTENSION.load(Ordering::SeqCst));
+}
+
+fn _check_kinds() {
+ fn is_send<T: Send>() {}
+ fn is_sync<T: Sync>() {}
+
+ is_send::<SslStream<TcpStream>>();
+ is_sync::<SslStream<TcpStream>>();
+}
+
+#[test]
+#[cfg(ossl111)]
+fn stateless() {
+ use super::SslOptions;
+
+ #[derive(Debug)]
+ struct MemoryStream {
+ incoming: io::Cursor<Vec<u8>>,
+ outgoing: Vec<u8>,
+ }
+
+ impl MemoryStream {
+ pub fn new() -> Self {
+ Self {
+ incoming: io::Cursor::new(Vec::new()),
+ outgoing: Vec::new(),
+ }
+ }
+
+ pub fn extend_incoming(&mut self, data: &[u8]) {
+ self.incoming.get_mut().extend_from_slice(data);
+ }
+
+ pub fn take_outgoing(&mut self) -> Outgoing<'_> {
+ Outgoing(&mut self.outgoing)
+ }
+ }
+
+ impl Read for MemoryStream {
+ fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+ let n = self.incoming.read(buf)?;
+ if self.incoming.position() == self.incoming.get_ref().len() as u64 {
+ self.incoming.set_position(0);
+ self.incoming.get_mut().clear();
+ }
+ if n == 0 {
+ return Err(io::Error::new(
+ io::ErrorKind::WouldBlock,
+ "no data available",
+ ));
+ }
+ Ok(n)
+ }
+ }
+
+ impl Write for MemoryStream {
+ fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
+ self.outgoing.write(buf)
+ }
+
+ fn flush(&mut self) -> io::Result<()> {
+ Ok(())
+ }
+ }
+
+ pub struct Outgoing<'a>(&'a mut Vec<u8>);
+
+ impl<'a> Drop for Outgoing<'a> {
+ fn drop(&mut self) {
+ self.0.clear();
+ }
+ }
+
+ impl<'a> ::std::ops::Deref for Outgoing<'a> {
+ type Target = [u8];
+ fn deref(&self) -> &[u8] {
+ self.0
+ }
+ }
+
+ impl<'a> AsRef<[u8]> for Outgoing<'a> {
+ fn as_ref(&self) -> &[u8] {
+ self.0
+ }
+ }
+
+ fn send(from: &mut MemoryStream, to: &mut MemoryStream) {
+ to.extend_incoming(&from.take_outgoing());
+ }
+
+ //
+ // Setup
+ //
+
+ let mut client_ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ client_ctx.clear_options(SslOptions::ENABLE_MIDDLEBOX_COMPAT);
+ let mut client_stream =
+ SslStream::new(Ssl::new(&client_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
+
+ let mut server_ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ server_ctx
+ .set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM)
+ .unwrap();
+ server_ctx
+ .set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM)
+ .unwrap();
+ const COOKIE: &[u8] = b"chocolate chip";
+ server_ctx.set_stateless_cookie_generate_cb(|_tls, buf| {
+ buf[0..COOKIE.len()].copy_from_slice(COOKIE);
+ Ok(COOKIE.len())
+ });
+ server_ctx.set_stateless_cookie_verify_cb(|_tls, buf| buf == COOKIE);
+ let mut server_stream =
+ SslStream::new(Ssl::new(&server_ctx.build()).unwrap(), MemoryStream::new()).unwrap();
+
+ //
+ // Handshake
+ //
+
+ // Initial ClientHello
+ client_stream.connect().unwrap_err();
+ send(client_stream.get_mut(), server_stream.get_mut());
+ // HelloRetryRequest
+ assert!(!server_stream.stateless().unwrap());
+ send(server_stream.get_mut(), client_stream.get_mut());
+ // Second ClientHello
+ client_stream.do_handshake().unwrap_err();
+ send(client_stream.get_mut(), server_stream.get_mut());
+ // OldServerHello
+ assert!(server_stream.stateless().unwrap());
+ server_stream.accept().unwrap_err();
+ send(server_stream.get_mut(), client_stream.get_mut());
+ // Finished
+ client_stream.do_handshake().unwrap();
+ send(client_stream.get_mut(), server_stream.get_mut());
+ server_stream.do_handshake().unwrap();
+}
+
+#[cfg(not(osslconf = "OPENSSL_NO_PSK"))]
+#[test]
+fn psk_ciphers() {
+ const CIPHER: &str = "PSK-AES256-CBC-SHA";
+ const PSK: &[u8] = b"thisisaverysecurekey";
+ const CLIENT_IDENT: &[u8] = b"thisisaclient";
+ static CLIENT_CALLED: AtomicBool = AtomicBool::new(false);
+ static SERVER_CALLED: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_cipher_list(CIPHER).unwrap();
+ server.ctx().set_psk_server_callback(|_, identity, psk| {
+ assert!(identity.unwrap_or(&[]) == CLIENT_IDENT);
+ psk[..PSK.len()].copy_from_slice(PSK);
+ SERVER_CALLED.store(true, Ordering::SeqCst);
+ Ok(PSK.len())
+ });
+
+ let server = server.build();
+
+ let mut client = server.client();
+ // This test relies on TLS 1.2 suites
+ #[cfg(any(boringssl, ossl111))]
+ client.ctx().set_options(super::SslOptions::NO_TLSV1_3);
+ client.ctx().set_cipher_list(CIPHER).unwrap();
+ client
+ .ctx()
+ .set_psk_client_callback(move |_, _, identity, psk| {
+ identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT);
+ identity[CLIENT_IDENT.len()] = 0;
+ psk[..PSK.len()].copy_from_slice(PSK);
+ CLIENT_CALLED.store(true, Ordering::SeqCst);
+ Ok(PSK.len())
+ });
+
+ client.connect();
+
+ assert!(SERVER_CALLED.load(Ordering::SeqCst));
+ assert!(CLIENT_CALLED.load(Ordering::SeqCst));
+}
+
+#[test]
+fn sni_callback_swapped_ctx() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_servername_callback(|_, _| {
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ Ok(())
+ });
+
+ let keyed_ctx = mem::replace(server.ctx(), ctx).build();
+ server.ssl_cb(move |ssl| ssl.set_ssl_context(&keyed_ctx).unwrap());
+
+ let server = server.build();
+
+ server.client().connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg(ossl111)]
+fn client_hello() {
+ static CALLED_BACK: AtomicBool = AtomicBool::new(false);
+
+ let mut server = Server::builder();
+ server.ctx().set_client_hello_callback(|ssl, _| {
+ assert!(!ssl.client_hello_isv2());
+ assert_eq!(ssl.client_hello_legacy_version(), Some(SslVersion::TLS1_2));
+ assert!(ssl.client_hello_random().is_some());
+ assert!(ssl.client_hello_session_id().is_some());
+ assert!(ssl.client_hello_ciphers().is_some());
+ assert!(ssl.client_hello_compression_methods().is_some());
+
+ CALLED_BACK.store(true, Ordering::SeqCst);
+ Ok(ClientHelloResponse::SUCCESS)
+ });
+
+ let server = server.build();
+ server.client().connect();
+
+ assert!(CALLED_BACK.load(Ordering::SeqCst));
+}
+
+#[test]
+#[cfg(ossl111)]
+fn openssl_cipher_name() {
+ assert_eq!(
+ super::cipher_name("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
+ "ECDHE-RSA-AES256-SHA384",
+ );
+
+ assert_eq!(super::cipher_name("asdf"), "(NONE)");
+}
+
+#[test]
+fn session_cache_size() {
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_session_cache_size(1234);
+ let ctx = ctx.build();
+ assert_eq!(ctx.session_cache_size(), 1234);
+}
+
+#[test]
+#[cfg(ossl102)]
+fn add_chain_cert() {
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
+ let cert = X509::from_pem(CERT).unwrap();
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ assert!(ssl.add_chain_cert(cert).is_ok());
+}
+#[test]
+#[cfg(ossl111)]
+fn set_ssl_certificate_key_related_api() {
+ let cert_str: &str = include_str!("../../../test/cert.pem");
+ let key_str: &str = include_str!("../../../test/key.pem");
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
+ let cert_x509 = X509::from_pem(CERT).unwrap();
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ assert!(ssl.set_method(SslMethod::tls()).is_ok());
+ ssl.set_private_key_file("test/key.pem", SslFiletype::PEM)
+ .unwrap();
+ {
+ let pkey = String::from_utf8(
+ ssl.private_key()
+ .unwrap()
+ .private_key_to_pem_pkcs8()
+ .unwrap(),
+ )
+ .unwrap();
+ assert!(pkey.lines().eq(key_str.lines()));
+ }
+ let pkey = PKey::private_key_from_pem(KEY).unwrap();
+ ssl.set_private_key(pkey.as_ref()).unwrap();
+ {
+ let pkey = String::from_utf8(
+ ssl.private_key()
+ .unwrap()
+ .private_key_to_pem_pkcs8()
+ .unwrap(),
+ )
+ .unwrap();
+ assert!(pkey.lines().eq(key_str.lines()));
+ }
+ ssl.set_certificate(cert_x509.as_ref()).unwrap();
+ let cert = String::from_utf8(ssl.certificate().unwrap().to_pem().unwrap()).unwrap();
+ assert!(cert.lines().eq(cert_str.lines()));
+ ssl.add_client_ca(cert_x509.as_ref()).unwrap();
+ ssl.set_min_proto_version(Some(SslVersion::TLS1_2)).unwrap();
+ ssl.set_max_proto_version(Some(SslVersion::TLS1_3)).unwrap();
+ ssl.set_cipher_list("HIGH:!aNULL:!MD5").unwrap();
+ ssl.set_ciphersuites("TLS_AES_128_GCM_SHA256").unwrap();
+ let x509 = X509::from_pem(ROOT_CERT).unwrap();
+ let mut builder = X509StoreBuilder::new().unwrap();
+ builder.add_cert(x509).unwrap();
+ let store = builder.build();
+ ssl.set_verify_cert_store(store).unwrap();
+}
+
+#[test]
+#[cfg(ossl110)]
+fn test_ssl_set_cert_chain_file() {
+ let ctx = SslContext::builder(SslMethod::tls()).unwrap().build();
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ ssl.set_certificate_chain_file("test/cert.pem").unwrap();
+}
+
+#[test]
+#[cfg(ossl111)]
+fn set_num_tickets() {
+ let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap();
+ ctx.set_num_tickets(3).unwrap();
+ let ctx = ctx.build();
+ assert_eq!(3, ctx.num_tickets());
+
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ ssl.set_num_tickets(5).unwrap();
+ let ssl = ssl;
+ assert_eq!(5, ssl.num_tickets());
+}
diff --git a/vendor/openssl/src/ssl/test/server.rs b/vendor/openssl/src/ssl/test/server.rs
new file mode 100644
index 000000000..41677e576
--- /dev/null
+++ b/vendor/openssl/src/ssl/test/server.rs
@@ -0,0 +1,167 @@
+use std::io::{Read, Write};
+use std::net::{SocketAddr, TcpListener, TcpStream};
+use std::thread::{self, JoinHandle};
+
+use crate::ssl::{Ssl, SslContext, SslContextBuilder, SslFiletype, SslMethod, SslRef, SslStream};
+
+pub struct Server {
+ handle: Option<JoinHandle<()>>,
+ addr: SocketAddr,
+}
+
+impl Drop for Server {
+ fn drop(&mut self) {
+ if !thread::panicking() {
+ self.handle.take().unwrap().join().unwrap();
+ }
+ }
+}
+
+impl Server {
+ pub fn builder() -> Builder {
+ let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
+ ctx.set_certificate_chain_file("test/cert.pem").unwrap();
+ ctx.set_private_key_file("test/key.pem", SslFiletype::PEM)
+ .unwrap();
+
+ Builder {
+ ctx,
+ ssl_cb: Box::new(|_| {}),
+ io_cb: Box::new(|_| {}),
+ should_error: false,
+ }
+ }
+
+ pub fn client(&self) -> ClientBuilder {
+ ClientBuilder {
+ ctx: SslContext::builder(SslMethod::tls()).unwrap(),
+ addr: self.addr,
+ }
+ }
+
+ pub fn connect_tcp(&self) -> TcpStream {
+ TcpStream::connect(self.addr).unwrap()
+ }
+}
+
+pub struct Builder {
+ ctx: SslContextBuilder,
+ ssl_cb: Box<dyn FnMut(&mut SslRef) + Send>,
+ io_cb: Box<dyn FnMut(SslStream<TcpStream>) + Send>,
+ should_error: bool,
+}
+
+impl Builder {
+ pub fn ctx(&mut self) -> &mut SslContextBuilder {
+ &mut self.ctx
+ }
+
+ pub fn ssl_cb<F>(&mut self, cb: F)
+ where
+ F: 'static + FnMut(&mut SslRef) + Send,
+ {
+ self.ssl_cb = Box::new(cb);
+ }
+
+ pub fn io_cb<F>(&mut self, cb: F)
+ where
+ F: 'static + FnMut(SslStream<TcpStream>) + Send,
+ {
+ self.io_cb = Box::new(cb);
+ }
+
+ pub fn should_error(&mut self) {
+ self.should_error = true;
+ }
+
+ pub fn build(self) -> Server {
+ let ctx = self.ctx.build();
+ let socket = TcpListener::bind("127.0.0.1:0").unwrap();
+ let addr = socket.local_addr().unwrap();
+ let mut ssl_cb = self.ssl_cb;
+ let mut io_cb = self.io_cb;
+ let should_error = self.should_error;
+
+ let handle = thread::spawn(move || {
+ let socket = socket.accept().unwrap().0;
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ ssl_cb(&mut ssl);
+ let r = ssl.accept(socket);
+ if should_error {
+ r.unwrap_err();
+ } else {
+ let mut socket = r.unwrap();
+ socket.write_all(&[0]).unwrap();
+ io_cb(socket);
+ }
+ });
+
+ Server {
+ handle: Some(handle),
+ addr,
+ }
+ }
+}
+
+pub struct ClientBuilder {
+ ctx: SslContextBuilder,
+ addr: SocketAddr,
+}
+
+impl ClientBuilder {
+ pub fn ctx(&mut self) -> &mut SslContextBuilder {
+ &mut self.ctx
+ }
+
+ pub fn build(self) -> Client {
+ Client {
+ ctx: self.ctx.build(),
+ addr: self.addr,
+ }
+ }
+
+ pub fn connect(self) -> SslStream<TcpStream> {
+ self.build().builder().connect()
+ }
+
+ pub fn connect_err(self) {
+ self.build().builder().connect_err();
+ }
+}
+
+pub struct Client {
+ ctx: SslContext,
+ addr: SocketAddr,
+}
+
+impl Client {
+ pub fn builder(&self) -> ClientSslBuilder {
+ ClientSslBuilder {
+ ssl: Ssl::new(&self.ctx).unwrap(),
+ addr: self.addr,
+ }
+ }
+}
+
+pub struct ClientSslBuilder {
+ ssl: Ssl,
+ addr: SocketAddr,
+}
+
+impl ClientSslBuilder {
+ pub fn ssl(&mut self) -> &mut SslRef {
+ &mut self.ssl
+ }
+
+ pub fn connect(self) -> SslStream<TcpStream> {
+ let socket = TcpStream::connect(self.addr).unwrap();
+ let mut s = self.ssl.connect(socket).unwrap();
+ s.read_exact(&mut [0]).unwrap();
+ s
+ }
+
+ pub fn connect_err(self) {
+ let socket = TcpStream::connect(self.addr).unwrap();
+ self.ssl.connect(socket).unwrap_err();
+ }
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-25 14:37:16 +0000