From 5408b641ddbddd9f40ec203901dd7cb1a7afa3c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Wed, 4 Mar 2015 22:32:16 +0100 Subject: [PATCH 01/21] Add connect() support for UDP sockets --- openssl-sys/Cargo.toml | 1 + openssl-sys/src/lib.rs | 2 + openssl/Cargo.toml | 3 +- openssl/src/ssl/connected_socket.rs | 301 ++++++++++++++++++++++++++++ openssl/src/ssl/mod.rs | 8 +- openssl/src/ssl/tests.rs | 70 +++++-- 6 files changed, 365 insertions(+), 20 deletions(-) create mode 100644 openssl/src/ssl/connected_socket.rs diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index ffea6211..7b06dfed 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -14,6 +14,7 @@ build = "build.rs" [features] tlsv1_2 = [] tlsv1_1 = [] +dtlsv1 = [] sslv2 = [] aes_xts = [] npn = [] diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index a4accc29..c782f816 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -482,6 +482,8 @@ extern "C" { pub fn TLSv1_1_method() -> *const SSL_METHOD; #[cfg(feature = "tlsv1_2")] pub fn TLSv1_2_method() -> *const SSL_METHOD; + #[cfg(feature = "dtlsv1")] + pub fn DTLSv1_method() -> *const SSL_METHOD; pub fn SSLv23_method() -> *const SSL_METHOD; pub fn SSL_new(ctx: *mut SSL_CTX) -> *mut SSL; diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 691b3d18..ca3bd417 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -7,11 +7,12 @@ description = "OpenSSL bindings" repository = "https://github.com/sfackler/rust-openssl" documentation = "https://sfackler.github.io/rust-openssl/doc/openssl" readme = "../README.md" -keywords = ["crypto", "tls", "ssl"] +keywords = ["crypto", "tls", "ssl", "dtls"] [features] tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] +dtlsv1 = ["openssl-sys/dtlsv1"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs new file mode 100644 index 00000000..1ae5fc8d --- /dev/null +++ b/openssl/src/ssl/connected_socket.rs @@ -0,0 +1,301 @@ +use libc::funcs::bsd43::connect; +use std::os; +use std::os::unix::AsRawFd; +use std::os::unix::Fd; +use std::net::UdpSocket; +use std::net::ToSocketAddrs; +use std::net::SocketAddr; +use std::io::Error; +use std::io::ErrorKind; +use std::io::Read; +use std::io::Write; +use std::mem; +use std::time::duration::Duration; +use libc::types::os::common::bsd44::socklen_t; +use libc::types::os::common::bsd44::sockaddr_in; +use libc::types::os::common::bsd44::sockaddr_in6; +use libc::types::os::common::bsd44::in_addr; +use libc::types::os::common::bsd44::in6_addr; +use libc::types::os::common::posix01::timeval; +use libc::funcs::bsd43::setsockopt; +use libc::consts::os::bsd44::SOL_SOCKET; +use libc::consts::os::bsd44::AF_INET; +use libc::consts::os::bsd44::AF_INET6; +use libc::consts::os::posix88::EAGAIN; +use std::net::IpAddr; +use libc::types::os::arch::c95::c_int; +use libc::types::os::arch::c95::c_char; +use libc::types::common::c95::c_void; +use libc::funcs::bsd43::send; +use libc::funcs::bsd43::recv; +use std::num::Int; +use std::os::errno; +use std::ffi::CString; + +const SO_RCVTIMEO:c_int = 20; + +extern { + fn inet_pton(family: c_int, src: *const c_char, dst: *mut c_void) -> c_int; +} + +pub struct ConnectedSocket { + sock: S +} + +impl AsRawFd for ConnectedSocket { + fn as_raw_fd(&self) -> Fd { + self.sock.as_raw_fd() + } +} + +enum SockaddrIn { + V4(sockaddr_in), + V6(sockaddr_in6), +} + +trait IntoSockaddrIn { + fn into_sockaddr_in(self) -> Result; +} + +impl IntoSockaddrIn for SocketAddr { + fn into_sockaddr_in(self) -> Result { + let ip = format!("{}", self.ip()); + + match self.ip() { + IpAddr::V4(_) => { + let mut addr = sockaddr_in { + sin_zero: [0; 8], + sin_family: AF_INET as u16, + sin_port: Int::to_be(self.port()), + sin_addr: in_addr { + s_addr: 0 + } + }; + let cstr = CString::new(ip.clone()).unwrap(); + let res = unsafe { + inet_pton(addr.sin_family as c_int, + cstr.as_ptr() as *const i8, + mem::transmute(&mut addr.sin_addr)) + }; + + if res == 1 { + Ok(SockaddrIn::V4(addr)) + } else { + warn!("inet_pton() failed for IPv4: {}", ip); + Err(Error::new(ErrorKind::Other, + "calling inet_pton() for ipv4", None)) + } + }, + + IpAddr::V6(_) => { + let mut addr = sockaddr_in6 { + sin6_family: AF_INET6 as u16, + sin6_port: Int::to_be(self.port()), + sin6_flowinfo: 0, + sin6_scope_id: 0, + sin6_addr: in6_addr { + s6_addr: [0; 8], + } + }; + let cstr = CString::new(ip.clone()).unwrap(); + let res = unsafe { + inet_pton(addr.sin6_family as c_int, + cstr.as_ptr() as *const i8, + mem::transmute(&mut addr.sin6_addr)) + }; + + if res > 0 { + Ok(SockaddrIn::V6(addr)) + } else { + Err(Error::new(ErrorKind::Other, + "calling inet_pton() for ipv6", None)) + } + } + } + } +} + +pub trait Connect { + fn connect(self, addr: &A) -> Result,Error>; +} + +impl Connect for UdpSocket { + fn connect(self, address: &A) -> Result,Error> { + let fd = self.as_raw_fd(); + + let addr = try!(address.to_socket_addrs()).next(); + if addr.is_none() { + return Err(Error::new(ErrorKind::InvalidInput, + "no addresses to connect to", None)); + } + + let saddr = try!(addr.unwrap().into_sockaddr_in()); + + let res = match saddr { + SockaddrIn::V4(s) => unsafe { + let len = mem::size_of_val(&s) as socklen_t; + let addrp = Box::new(s); + connect(fd, mem::transmute(&*addrp), len) + }, + SockaddrIn::V6(s) => unsafe { + let len = mem::size_of_val(&s) as socklen_t; + let addrp = Box::new(s); + connect(fd, mem::transmute(&*addrp), len) + }, + }; + + if res == 0 { + Ok(ConnectedSocket { sock: self }) + } else { + Err(Error::new(ErrorKind::Other, + "error calling connect()", None)) + } + } +} + +impl Read for ConnectedSocket { + fn read(&mut self, buf: &mut [u8]) -> Result { + let flags = 0; + let ptr = buf.as_mut_ptr() as *mut c_void; + + debug!("recv'ing..."); + let len = unsafe { + recv(self.as_raw_fd(), ptr, buf.len() as u64, flags) + }; + + debug!("recv'ed len={:?}", len); + match len { + -1 => { + match errno() { + EAGAIN => Err(Error::new(ErrorKind::Interrupted, "EAGAIN", None)), + _ => Err(Error::new(ErrorKind::Other, + "recv() returned -1", None)), + } + }, + 0 => Err(Error::new(ErrorKind::Other, + "connection is closed", None)), + _ => Ok(len as usize), + } + } +} + +impl Write for ConnectedSocket { + fn write(&mut self, buf: &[u8]) -> Result { + let flags = 0; + let ptr = buf.as_ptr() as *const c_void; + + debug!("sending {:?}", buf.len()); + let res = unsafe { + send(self.as_raw_fd(), ptr, buf.len() as u64, flags) + }; + if res == (buf.len() as i64) { + Ok(res as usize) + } else { + warn!("send() found {}, expected {}", res, buf.len()); + Err(Error::new(ErrorKind::Other, "send() failed", Some(os::error_string(os::errno() as i32)))) + } + } + + fn flush(&mut self) -> Result<(),Error> { + Ok(()) + } +} + +pub trait SetTimeout { + fn set_timeout(&self, timeout: Duration); +} + +impl SetTimeout for S { + fn set_timeout(&self, timeout: Duration) { + let tv = timeval { + tv_sec: timeout.num_seconds(), + tv_usec: 0, + }; + + unsafe { + setsockopt(self.as_raw_fd(), SOL_SOCKET, SO_RCVTIMEO, + mem::transmute(&tv), mem::size_of_val(&tv) as u32) + }; + } +} + +#[test] +fn connect4_works() { + let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); + let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); + let conn1 = socket1.connect("127.0.0.1:34200").unwrap(); + let conn2 = socket2.connect("127.0.0.1:34201").unwrap(); +} + +#[test] +fn sendrecv_works() { + let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); + let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); + let mut conn1 = socket1.connect("127.0.0.1:34201").unwrap(); + let mut conn2 = socket2.connect("127.0.0.1:34200").unwrap(); + + let send1 = [0,1,2,3]; + let send2 = [9,8,7,6]; + conn1.write(&send1).unwrap(); + conn2.write(&send2).unwrap(); + + let mut recv1 = [0;4]; + let mut recv2 = [0;4]; + conn1.read(&mut recv1).unwrap(); + conn2.read(&mut recv2).unwrap(); + + assert_eq!(send1, recv2); + assert_eq!(send2, recv1); +} + +#[test] +fn sendrecv_respects_packet_borders() { + let socket1 = UdpSocket::bind("127.0.0.1:34202").unwrap(); + let socket2 = UdpSocket::bind("127.0.0.1:34203").unwrap(); + let mut conn1 = socket1.connect("127.0.0.1:34203").unwrap(); + let mut conn2 = socket2.connect("127.0.0.1:34202").unwrap(); + + let send1 = [0,1,2,3]; + let send2 = [9,8,7,6]; + conn1.write(&send1).unwrap(); + conn1.write(&send2).unwrap(); + + let mut recv1 = [0;3]; + let mut recv2 = [0;3]; + conn2.read(&mut recv1).unwrap(); + conn2.read(&mut recv2).unwrap(); + + assert!(send1[0..3] == recv1[0..3]); + assert!(send2[0..3] == recv2[0..3]); +} + +#[test] +fn connect6_works() { + let socket1 = UdpSocket::bind("::1:34200").unwrap(); + let socket2 = UdpSocket::bind("::1:34201").unwrap(); + let conn1 = socket1.connect("::1:34200").unwrap(); + let conn2 = socket2.connect("::1:34201").unwrap(); +} + +#[test] +#[should_fail] +fn detect_invalid_ipv4() { + let s = UdpSocket::bind("127.0.0.1:34300").unwrap(); + s.connect("254.254.254.254:34200").unwrap(); +} + +#[test] +#[should_fail] +fn detect_invalid_ipv6() { + let s = UdpSocket::bind("::1:34300").unwrap(); + s.connect("1200::AB00:1234::2552:7777:1313:34300").unwrap(); +} + +#[test] +#[should_fail] +fn double_bind() { + let socket1 = UdpSocket::bind("127.0.0.1:34301").unwrap(); + let socket2 = UdpSocket::bind("127.0.0.1:34301").unwrap(); + drop(socket1); + drop(socket2); +} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 4c0b13f1..710a287d 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -25,6 +25,7 @@ use x509::{X509StoreContext, X509FileType, X509}; use crypto::pkey::PKey; pub mod error; +pub mod connected_socket; #[cfg(test)] mod tests; @@ -97,6 +98,9 @@ pub enum SslMethod { #[cfg(feature = "tlsv1_2")] /// Support TLSv1.2 protocol, requires the `tlsv1_2` feature. Tlsv1_2, + #[cfg(feature = "dtlsv1")] + /// Support DTLSv1 protocol, requires the `dtlsv1` feature. + Dtlsv1, } impl SslMethod { @@ -110,7 +114,9 @@ impl SslMethod { #[cfg(feature = "tlsv1_1")] SslMethod::Tlsv1_1 => ffi::TLSv1_1_method(), #[cfg(feature = "tlsv1_2")] - SslMethod::Tlsv1_2 => ffi::TLSv1_2_method() + SslMethod::Tlsv1_2 => ffi::TLSv1_2_method(), + #[cfg(feature = "dtlsv1")] + SslMethod::Dtlsv1 => ffi::TLSv1_method(), } } } diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 05c9fe79..1da42082 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -11,6 +11,7 @@ use std::fs::File; use crypto::hash::Type::{SHA256}; use ssl; +use ssl::SslMethod; use ssl::SslMethod::Sslv23; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; @@ -20,21 +21,23 @@ use x509::X509FileType; use x509::X509; use crypto::pkey::PKey; +const PROTOCOL:SslMethod = Sslv23; + #[test] fn test_new_ctx() { - SslContext::new(Sslv23).unwrap(); + SslContext::new(PROTOCOL).unwrap(); } #[test] fn test_new_sslstream() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); } #[test] fn test_verify_untrusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); match SslStream::new(&ctx, stream) { Ok(_) => panic!("expected failure"), @@ -45,8 +48,9 @@ fn test_verify_untrusted() { #[test] fn test_verify_trusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) @@ -63,8 +67,9 @@ fn test_verify_untrusted_callback_override_ok() { true } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + match SslStream::new(&ctx, stream) { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) @@ -77,8 +82,9 @@ fn test_verify_untrusted_callback_override_bad() { false } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + assert!(SslStream::new(&ctx, stream).is_err()); } @@ -88,8 +94,9 @@ fn test_verify_trusted_callback_override_ok() { true } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) @@ -106,8 +113,9 @@ fn test_verify_trusted_callback_override_bad() { false } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) @@ -122,8 +130,9 @@ fn test_verify_callback_load_certs() { true } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + assert!(SslStream::new(&ctx, stream).is_ok()); } @@ -134,8 +143,9 @@ fn test_verify_trusted_get_error_ok() { true } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) @@ -150,8 +160,9 @@ fn test_verify_trusted_get_error_err() { false } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); + assert!(SslStream::new(&ctx, stream).is_err()); } @@ -168,7 +179,7 @@ fn test_verify_callback_data() { } } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(Sslv23).unwrap(); + let mut ctx = SslContext::new(PROTOCOL).unwrap(); // Node id was generated as SHA256 hash of certificate "test/cert.pem" // in DER format. @@ -234,7 +245,7 @@ fn test_clear_ctx_options() { #[test] fn test_write() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); stream.write_all("hello".as_bytes()).unwrap(); stream.flush().unwrap(); stream.write_all(" there".as_bytes()).unwrap(); @@ -244,7 +255,7 @@ fn test_write() { #[test] fn test_read() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); println!("written"); @@ -261,7 +272,7 @@ fn test_connect_with_unilateral_npn() { ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { - Ok(_)=> {} + Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { @@ -285,7 +296,7 @@ fn test_connect_with_npn_successful_multiple_matching() { ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { - Ok(_)=> {} + Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { @@ -310,7 +321,7 @@ fn test_connect_with_npn_successful_single_match() { ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { - Ok(_)=> {} + Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } let stream = match SslStream::new(&ctx, stream) { @@ -350,7 +361,7 @@ fn test_npn_server_advertise_multiple() { ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"spdy/3.1"]); match ctx.set_CA_file(&Path::new("test/cert.pem")) { - Ok(_)=> {} + Ok(_) => {} Err(err) => panic!("Unexpected error {:?}", err) } // Now connect to the socket and make sure the protocol negotiation works... @@ -362,3 +373,26 @@ fn test_npn_server_advertise_multiple() { // SPDY is selected since that's the only thing the client supports. assert_eq!(b"spdy/3.1", stream.get_selected_npn_protocol().unwrap()); } + +#[cfg(feature="dtlsv1")] +#[cfg(test)] +mod dtlsv1 { + use serialize::hex::FromHex; + use std::old_io::net::tcp::TcpStream; + use std::old_io::{Writer}; + use std::thread; + + use crypto::hash::Type::{SHA256}; + use ssl::SslMethod; + use ssl::SslMethod::Dtlsv1; + use ssl::{SslContext, SslStream, VerifyCallback}; + use ssl::SslVerifyMode::SSL_VERIFY_PEER; + use x509::{X509StoreContext}; + + const PROTOCOL:SslMethod = Dtlsv1; + + #[test] + fn test_new_ctx() { + SslContext::new(PROTOCOL).unwrap(); + } +} From 664600eadff8a0388bc9ab2544b382e56e4fae9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Tue, 10 Mar 2015 14:31:54 +0100 Subject: [PATCH 02/21] Add DTLSv1 and DTLSv1.2 support --- openssl-sys/Cargo.toml | 1 + openssl-sys/src/lib.rs | 4 + openssl/Cargo.toml | 1 + openssl/src/lib.rs | 2 + openssl/src/ssl/connected_socket.rs | 19 +-- openssl/src/ssl/mod.rs | 47 +++++- openssl/src/ssl/tests.rs | 215 +++++++++++++++++----------- 7 files changed, 195 insertions(+), 94 deletions(-) diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml index 7b06dfed..334216e9 100644 --- a/openssl-sys/Cargo.toml +++ b/openssl-sys/Cargo.toml @@ -15,6 +15,7 @@ build = "build.rs" tlsv1_2 = [] tlsv1_1 = [] dtlsv1 = [] +dtlsv1_2 = [] sslv2 = [] aes_xts = [] npn = [] diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index c782f816..89b03e7d 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -134,6 +134,7 @@ pub const SSL_CTRL_CLEAR_OPTIONS: c_int = 77; pub const SSL_CTRL_SET_TLSEXT_HOSTNAME: c_int = 55; pub const SSL_CTRL_EXTRA_CHAIN_CERT: c_int = 14; +pub const SSL_CTRL_SET_READ_AHEAD: c_int = 41; pub const SSL_ERROR_NONE: c_int = 0; pub const SSL_ERROR_SSL: c_int = 1; pub const SSL_ERROR_SYSCALL: c_int = 5; @@ -484,6 +485,8 @@ extern "C" { pub fn TLSv1_2_method() -> *const SSL_METHOD; #[cfg(feature = "dtlsv1")] pub fn DTLSv1_method() -> *const SSL_METHOD; + #[cfg(feature = "dtlsv1_2")] + pub fn DTLSv1_2_method() -> *const SSL_METHOD; pub fn SSLv23_method() -> *const SSL_METHOD; pub fn SSL_new(ctx: *mut SSL_CTX) -> *mut SSL; @@ -507,6 +510,7 @@ extern "C" { pub fn SSL_CTX_new(method: *const SSL_METHOD) -> *mut SSL_CTX; pub fn SSL_CTX_free(ctx: *mut SSL_CTX); + pub fn SSL_CTX_ctrl(ctx: *mut SSL_CTX, cmd: c_int, mode: c_long, parg: *mut c_void) -> c_long; pub fn SSL_CTX_set_verify(ctx: *mut SSL_CTX, mode: c_int, verify_callback: Option c_int>); pub fn SSL_CTX_set_verify_depth(ctx: *mut SSL_CTX, depth: c_int); diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ca3bd417..796beef2 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -13,6 +13,7 @@ keywords = ["crypto", "tls", "ssl", "dtls"] tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] dtlsv1 = ["openssl-sys/dtlsv1"] +dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 2ceafcd7..fae9aa12 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -18,3 +18,5 @@ pub mod bio; pub mod crypto; pub mod ssl; pub mod x509; +#[macro_use] +extern crate log; diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 1ae5fc8d..55788465 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -81,7 +81,6 @@ impl IntoSockaddrIn for SocketAddr { if res == 1 { Ok(SockaddrIn::V4(addr)) } else { - warn!("inet_pton() failed for IPv4: {}", ip); Err(Error::new(ErrorKind::Other, "calling inet_pton() for ipv4", None)) } @@ -158,12 +157,10 @@ impl Read for ConnectedSocket { let flags = 0; let ptr = buf.as_mut_ptr() as *mut c_void; - debug!("recv'ing..."); let len = unsafe { recv(self.as_raw_fd(), ptr, buf.len() as u64, flags) }; - debug!("recv'ed len={:?}", len); match len { -1 => { match errno() { @@ -184,14 +181,12 @@ impl Write for ConnectedSocket { let flags = 0; let ptr = buf.as_ptr() as *const c_void; - debug!("sending {:?}", buf.len()); let res = unsafe { send(self.as_raw_fd(), ptr, buf.len() as u64, flags) }; if res == (buf.len() as i64) { Ok(res as usize) } else { - warn!("send() found {}, expected {}", res, buf.len()); Err(Error::new(ErrorKind::Other, "send() failed", Some(os::error_string(os::errno() as i32)))) } } @@ -223,8 +218,8 @@ impl SetTimeout for S { fn connect4_works() { let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); - let conn1 = socket1.connect("127.0.0.1:34200").unwrap(); - let conn2 = socket2.connect("127.0.0.1:34201").unwrap(); + socket1.connect("127.0.0.1:34200").unwrap(); + socket2.connect("127.0.0.1:34201").unwrap(); } #[test] @@ -273,26 +268,26 @@ fn sendrecv_respects_packet_borders() { fn connect6_works() { let socket1 = UdpSocket::bind("::1:34200").unwrap(); let socket2 = UdpSocket::bind("::1:34201").unwrap(); - let conn1 = socket1.connect("::1:34200").unwrap(); - let conn2 = socket2.connect("::1:34201").unwrap(); + socket1.connect("::1:34200").unwrap(); + socket2.connect("::1:34201").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn detect_invalid_ipv4() { let s = UdpSocket::bind("127.0.0.1:34300").unwrap(); s.connect("254.254.254.254:34200").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn detect_invalid_ipv6() { let s = UdpSocket::bind("::1:34300").unwrap(); s.connect("1200::AB00:1234::2552:7777:1313:34300").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn double_bind() { let socket1 = UdpSocket::bind("127.0.0.1:34301").unwrap(); let socket2 = UdpSocket::bind("127.0.0.1:34301").unwrap(); diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 710a287d..9cf09bc8 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -101,6 +101,9 @@ pub enum SslMethod { #[cfg(feature = "dtlsv1")] /// Support DTLSv1 protocol, requires the `dtlsv1` feature. Dtlsv1, + #[cfg(feature = "dtlsv1_2")] + /// Support DTLSv1.2 protocol, requires the `dtlsv1_2` feature. + Dtlsv1_2, } impl SslMethod { @@ -116,9 +119,35 @@ impl SslMethod { #[cfg(feature = "tlsv1_2")] SslMethod::Tlsv1_2 => ffi::TLSv1_2_method(), #[cfg(feature = "dtlsv1")] - SslMethod::Dtlsv1 => ffi::TLSv1_method(), + SslMethod::Dtlsv1 => ffi::DTLSv1_method(), + #[cfg(feature = "dtlsv1_2")] + SslMethod::Dtlsv1_2 => ffi::DTLSv1_2_method(), } } + + #[cfg(feature = "dtlsv1")] + pub fn is_dtlsv1(&self) -> bool { + *self == SslMethod::Dtlsv1 + } + + #[cfg(feature = "dtlsv1_2")] + pub fn is_dtlsv1_2(&self) -> bool { + *self == SslMethod::Dtlsv1 + } + + pub fn is_dtls(&self) -> bool { + self.is_dtlsv1() || self.is_dtlsv1_2() + } + + #[cfg(not(feature = "dtlsv1"))] + pub fn is_dtlsv1(&self) -> bool { + false + } + + #[cfg(not(feature = "dtlsv1_2"))] + pub fn is_dtlsv1_2(&self) -> bool { + false + } } /// Determines the type of certificate verification used @@ -345,7 +374,13 @@ impl SslContext { return Err(SslError::get()); } - Ok(SslContext { ctx: ctx }) + let ctx = SslContext { ctx: ctx }; + + if method.is_dtls() { + ctx.set_read_ahead(); + } + + Ok(ctx) } /// Configures the certificate verification method for new connections. @@ -356,6 +391,7 @@ impl SslContext { mem::transmute(verify)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify; + ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f)); } } @@ -376,6 +412,7 @@ impl SslContext { mem::transmute(data)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify_with_data::; + ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f)); } } @@ -387,6 +424,12 @@ impl SslContext { } } + pub fn set_read_ahead(&self) { + unsafe { + ffi::SSL_CTX_ctrl(*self.ctx, ffi::SSL_CTRL_SET_READ_AHEAD, 1, ptr::null_mut()); + } + } + #[allow(non_snake_case)] /// Specifies the file that contains trusted CA certificates. pub fn set_CA_file(&mut self, file: &Path) -> Result<(),SslError> { diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 1da42082..4d78e182 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -1,4 +1,5 @@ -use serialize::hex::FromHex; +#![allow(unused_imports)] + use std::net::TcpStream; use std::io; use std::io::prelude::*; @@ -13,6 +14,8 @@ use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod; use ssl::SslMethod::Sslv23; +#[cfg(feature="dtlsv1")] +use ssl::SslMethod::Dtlsv1; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; use x509::X509StoreContext; @@ -21,34 +24,89 @@ use x509::X509FileType; use x509::X509; use crypto::pkey::PKey; +#[cfg(feature="dtlsv1")] +use ssl::connected_socket::Connect; +#[cfg(feature="dtlsv1")] +use std::net::UdpSocket; + const PROTOCOL:SslMethod = Sslv23; +mod udp { + static mut udp_port:u16 = 15410; + + pub fn next_server<'a>() -> String { + unsafe { + udp_port += 1; + format!("127.0.0.1:{}", udp_port) + } + } +} + #[test] fn test_new_ctx() { SslContext::new(PROTOCOL).unwrap(); } -#[test] -fn test_new_sslstream() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); -} +macro_rules! run_test( + ($module:ident, $blk:expr) => ( + #[cfg(test)] + mod $module { + use ssl::tests::udp; + use std::io; + use std::io::prelude::*; + use std::path::Path; + use std::net::UdpSocket; + use std::net::TcpStream; + use ssl::SslMethod::Sslv23; + #[cfg(feature="dtlsv1")] + use ssl; + use ssl::SslMethod::Dtlsv1; + use ssl::{SslContext, SslStream, VerifyCallback}; + use ssl::connected_socket::Connect; + use ssl::SslVerifyMode::SSL_VERIFY_PEER; + use crypto::hash::Type::SHA256; + use x509::X509StoreContext; + use serialize::hex::FromHex; + use std::time::duration::Duration; + + #[test] + fn sslv23() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + $blk(Sslv23, stream); + } + + #[test] + #[cfg(feature="dtlsv1")] + fn dtlsv1() { + let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); + let stream = sock.connect(udp::next_server().as_slice()).unwrap(); -#[test] -fn test_verify_untrusted() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + $blk(Dtlsv1, stream); + } + } + ); +); + +run_test!(new_ctx, |method, _| { + SslContext::new(method).unwrap(); +}); + +run_test!(new_sslstream, |method, stream| { + SslStream::new(&SslContext::new(method).unwrap(), stream).unwrap(); +}); + +run_test!(verify_untrusted, |method, stream| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); + match SslStream::new(&ctx, stream) { Ok(_) => panic!("expected failure"), Err(err) => println!("error {:?}", err) } -} +}); -#[test] -fn test_verify_trusted() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); +run_test!(verify_trusted, |method, stream| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -59,42 +117,39 @@ fn test_verify_trusted() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_untrusted_callback_override_ok() { +run_test!(verify_untrusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match SslStream::new(&ctx, stream) { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_untrusted_callback_override_bad() { +run_test!(verify_untrusted_callback_override_bad, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_trusted_callback_override_ok() { +run_test!(verify_trusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -105,15 +160,14 @@ fn test_verify_trusted_callback_override_ok() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_trusted_callback_override_bad() { +run_test!(verify_trusted_callback_override_bad, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -121,29 +175,27 @@ fn test_verify_trusted_callback_override_bad() { Err(err) => panic!("Unexpected error {:?}", err) } assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_callback_load_certs() { +run_test!(verify_callback_load_certs, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_current_cert().is_some()); true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_ok()); -} +}); -#[test] -fn test_verify_trusted_get_error_ok() { +run_test!(verify_trusted_get_error_ok, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_error().is_none()); true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -151,23 +203,21 @@ fn test_verify_trusted_get_error_ok() { Err(err) => panic!("Unexpected error {:?}", err) } assert!(SslStream::new(&ctx, stream).is_ok()); -} +}); -#[test] -fn test_verify_trusted_get_error_err() { +run_test!(verify_trusted_get_error_err, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_error().is_some()); false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_callback_data() { +run_test!(verify_callback_data, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec) -> bool { let cert = x509_ctx.get_current_cert(); match cert { @@ -178,8 +228,7 @@ fn test_verify_callback_data() { } } } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + let mut ctx = SslContext::new(method).unwrap(); // Node id was generated as SHA256 hash of certificate "test/cert.pem" // in DER format. @@ -194,7 +243,7 @@ fn test_verify_callback_data() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); #[test] fn test_set_certificate_and_private_key() { @@ -217,51 +266,46 @@ fn test_set_certificate_and_private_key() { assert!(ctx.check_private_key().is_ok()); } -#[test] -fn test_get_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(get_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); ctx.get_options(); -} +}); -#[test] -fn test_set_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(set_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET); assert!(opts.contains(ssl::SSL_OP_NO_TICKET)); assert!(!opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); let more_opts = ctx.set_options(ssl::SSL_OP_CISCO_ANYCONNECT); assert!(more_opts.contains(ssl::SSL_OP_NO_TICKET)); assert!(more_opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); -} +}); -#[test] -fn test_clear_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(clear_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_options(ssl::SSL_OP_ALL); let opts = ctx.clear_options(ssl::SSL_OP_ALL); assert!(!opts.contains(ssl::SSL_OP_ALL)); -} +}); -#[test] -fn test_write() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); - stream.write_all("hello".as_bytes()).unwrap(); - stream.flush().unwrap(); - stream.write_all(" there".as_bytes()).unwrap(); - stream.flush().unwrap(); -} +run_test!(write, |method, stream| { + let mut s = SslStream::new(&SslContext::new(method).unwrap(), stream).unwrap(); + s.write_all("hello".as_bytes()).unwrap(); + s.flush().unwrap(); + s.write_all(" there".as_bytes()).unwrap(); + s.flush().unwrap(); +}); #[test] fn test_read() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); + let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); - println!("written"); io::copy(&mut stream, &mut io::sink()).ok().expect("read error"); } + /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] @@ -396,3 +440,14 @@ mod dtlsv1 { SslContext::new(PROTOCOL).unwrap(); } } + +#[test] +#[cfg(feature = "dtlsv1")] +fn test_read_dtlsv1() { + let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); + let stream = sock.connect(udp::next_server().as_slice()).unwrap(); + + let mut stream = SslStream::new(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); + let mut buf = [0u8;100]; + assert!(stream.read(&mut buf).is_ok()); +} From a47241c88f2a75d510f26bd163c562715db6acf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Tue, 10 Mar 2015 17:48:14 +0100 Subject: [PATCH 03/21] Add DTLS docs --- README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 289b61f8..7a0c02b3 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ rust-openssl directory. Then run one of the following commands: * Windows: `openssl s_server -accept 15418 -www -cert test/cert.pem -key test/key.pem > NUL` -* Linux: `openssl s_server -accept 15418 -www -cert test/cert.pem -key +* Linux: `openssl s_server -accept 15418 -www -cert test/cert.pem -key \ test/key.pem >/dev/null` Then in the original terminal, run `cargo test`. If everything is set up @@ -71,4 +71,19 @@ correctly, all tests should pass. You might get some warnings in the `openssl s_server` window. Those aren't anything to worry about. You can stop the server using Control-C. +For DTLS testing each test requires its own instance of OpenSSL's s_server. On +Linux you can start them like this: + + for port in `seq 15410 15450`; do + echo hello | openssl s_server -accept $port -dtls1 -cert test/cert.pem \ + -key test/key.pem -msg -debug & >/dev/null; + done + +Note that the test ssl::tests::write::dtlsv1 should be started individually and +requires an interactive instance: + + openssl s_server -accept 15411 -dtls1 -cert test/cert.pem -key test/key.pem + + + [1]: http://slproweb.com/products/Win32OpenSSL.html From 8a0e9d6cca4459dd0d256fc2e1b9453a9e0c48f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Wed, 11 Mar 2015 14:08:48 +0100 Subject: [PATCH 04/21] Fix travis test setup for DTLS --- .travis.yml | 5 ++--- README.md | 14 +------------- openssl/src/ssl/tests.rs | 31 +++++++++++++++++++++++-------- openssl/test/test.sh | 13 +++++++++++++ 4 files changed, 39 insertions(+), 24 deletions(-) create mode 100755 openssl/test/test.sh diff --git a/.travis.yml b/.travis.yml index 3292dcdb..7961026a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,10 +5,9 @@ os: env: global: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - - FEATURES="tlsv1_1 tlsv1_2 aes_xts npn" + - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 dtlsv1_2 aes_xts npn" before_script: -- openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & -- openssl s_server -accept 15419 -www -cert openssl/test/cert.pem -key openssl/test/key.pem -nextprotoneg "http/1.1,spdy/3.1" >/dev/null 2>&1 & + - ./openssl/tests/test.sh & script: - (cd openssl && cargo test) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && cargo test --features "$FEATURES")) diff --git a/README.md b/README.md index 7a0c02b3..d38ead28 100644 --- a/README.md +++ b/README.md @@ -72,18 +72,6 @@ s_server` window. Those aren't anything to worry about. You can stop the server using Control-C. For DTLS testing each test requires its own instance of OpenSSL's s_server. On -Linux you can start them like this: - - for port in `seq 15410 15450`; do - echo hello | openssl s_server -accept $port -dtls1 -cert test/cert.pem \ - -key test/key.pem -msg -debug & >/dev/null; - done - -Note that the test ssl::tests::write::dtlsv1 should be started individually and -requires an interactive instance: - - openssl s_server -accept 15411 -dtls1 -cert test/cert.pem -key test/key.pem - - +Linux you can run the bash script in `openssl/tests/test.sh`. [1]: http://slproweb.com/products/Win32OpenSSL.html diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 4d78e182..5a0ff9b5 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -58,8 +58,8 @@ macro_rules! run_test( use std::net::UdpSocket; use std::net::TcpStream; use ssl::SslMethod::Sslv23; - #[cfg(feature="dtlsv1")] use ssl; + #[cfg(feature="dtlsv1")] use ssl::SslMethod::Dtlsv1; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::connected_socket::Connect; @@ -288,13 +288,28 @@ run_test!(clear_ctx_options, |method, _| { assert!(!opts.contains(ssl::SSL_OP_ALL)); }); -run_test!(write, |method, stream| { - let mut s = SslStream::new(&SslContext::new(method).unwrap(), stream).unwrap(); - s.write_all("hello".as_bytes()).unwrap(); - s.flush().unwrap(); - s.write_all(" there".as_bytes()).unwrap(); - s.flush().unwrap(); -}); +#[test] +fn test_write() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); + stream.write_all("hello".as_bytes()).unwrap(); + stream.flush().unwrap(); + stream.write_all(" there".as_bytes()).unwrap(); + stream.flush().unwrap(); +} + +#[test] +#[cfg(feature = "dtlsv1")] +fn test_write_dtlsv1() { + let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); + let stream = sock.connect("127.0.0.1:15410").unwrap(); + + let mut stream = SslStream::new(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); + stream.write_all("hello".as_bytes()).unwrap(); + stream.flush().unwrap(); + stream.write_all(" there".as_bytes()).unwrap(); + stream.flush().unwrap(); +} #[test] fn test_read() { diff --git a/openssl/test/test.sh b/openssl/test/test.sh new file mode 100755 index 00000000..3d035905 --- /dev/null +++ b/openssl/test/test.sh @@ -0,0 +1,13 @@ +#!/bin/bash +trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT + +openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & + +for port in `seq 15411 15430`; do + echo hello | openssl s_server -accept $port -dtls1 -cert openssl/test/cert.pem \ + -key openssl/test/key.pem 2>&1 >/dev/null & +done +# the server for the test ssl::tests::test_write_dtlsv1 must wait to receive +# data from the client +openssl s_server -accept 15410 -dtls1 -cert openssl/test/cert.pem \ + -key openssl/test/key.pem 2>&1 >/dev/null From efbd4eee05d7f21ce2ffd1b1beaae1cde1de36ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 12 Mar 2015 19:24:16 +0100 Subject: [PATCH 05/21] Fix portability issue and typo --- .travis.yml | 2 +- openssl/src/ssl/connected_socket.rs | 80 +++++++++++++++++++++++------ openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/tests.rs | 9 ++-- 4 files changed, 69 insertions(+), 24 deletions(-) diff --git a/.travis.yml b/.travis.yml index 7961026a..2e6ecb9b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ os: env: global: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 dtlsv1_2 aes_xts npn" + - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npn" before_script: - ./openssl/tests/test.sh & script: diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 55788465..ce4f990b 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -16,6 +16,7 @@ use libc::types::os::common::bsd44::sockaddr_in; use libc::types::os::common::bsd44::sockaddr_in6; use libc::types::os::common::bsd44::in_addr; use libc::types::os::common::bsd44::in6_addr; +use libc::types::os::common::bsd44::sa_family_t; use libc::types::os::common::posix01::timeval; use libc::funcs::bsd43::setsockopt; use libc::consts::os::bsd44::SOL_SOCKET; @@ -53,6 +54,62 @@ enum SockaddrIn { V6(sockaddr_in6), } +#[cfg(any(target_os = "linux", target_os = "android", target_os = "nacl", + target_os = "windows"))] +fn new_sockaddr_in() -> sockaddr_in { + sockaddr_in { + sin_family: AF_INET as sa_family_t, + sin_port: 9, + sin_zero: [0; 8], + sin_addr: in_addr { + s_addr: 0 + } + } +} + +#[cfg(not(any(target_os = "linux", target_os = "android", target_os = "nacl", + target_os = "windows")))] +fn new_sockaddr_in() -> sockaddr_in { + sockaddr_in { + sin_len: 0, + sin_family: AF_INET as sa_family_t, + sin_port: 0, + sin_zero: [0; 8], + sin_addr: in_addr { + s_addr: 0 + } + } +} + +#[cfg(any(target_os = "linux", target_os = "android", target_os = "nacl", + target_os = "windows"))] +fn new_sockaddr_in6() -> sockaddr_in6 { + sockaddr_in6 { + sin6_family: AF_INET6 as sa_family_t, + sin6_port: 0, + sin6_flowinfo: 0, + sin6_scope_id: 0, + sin6_addr: in6_addr { + s6_addr: [0; 8], + } + } +} + +#[cfg(not(any(target_os = "linux", target_os = "android", target_os = "nacl", + target_os = "windows")))] +fn new_sockaddr_in6() -> sockaddr_in6 { + sockaddr_in6 { + sin6_family: AF_INET6 as sa_family_t, + sin6_port: 0, + sin6_flowinfo: 0, + sin6_scope_id: 0, + sin6_addr: in6_addr { + s6_addr: [0; 8], + } + } +} + + trait IntoSockaddrIn { fn into_sockaddr_in(self) -> Result; } @@ -63,14 +120,9 @@ impl IntoSockaddrIn for SocketAddr { match self.ip() { IpAddr::V4(_) => { - let mut addr = sockaddr_in { - sin_zero: [0; 8], - sin_family: AF_INET as u16, - sin_port: Int::to_be(self.port()), - sin_addr: in_addr { - s_addr: 0 - } - }; + let mut addr = new_sockaddr_in(); + addr.sin_port = Int::to_be(self.port()); + let cstr = CString::new(ip.clone()).unwrap(); let res = unsafe { inet_pton(addr.sin_family as c_int, @@ -87,15 +139,9 @@ impl IntoSockaddrIn for SocketAddr { }, IpAddr::V6(_) => { - let mut addr = sockaddr_in6 { - sin6_family: AF_INET6 as u16, - sin6_port: Int::to_be(self.port()), - sin6_flowinfo: 0, - sin6_scope_id: 0, - sin6_addr: in6_addr { - s6_addr: [0; 8], - } - }; + let mut addr = new_sockaddr_in6(); + addr.sin6_port = Int::to_be(self.port()); + let cstr = CString::new(ip.clone()).unwrap(); let res = unsafe { inet_pton(addr.sin6_family as c_int, diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 9cf09bc8..fa388c3a 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -132,7 +132,7 @@ impl SslMethod { #[cfg(feature = "dtlsv1_2")] pub fn is_dtlsv1_2(&self) -> bool { - *self == SslMethod::Dtlsv1 + *self == SslMethod::Dtlsv1_2 } pub fn is_dtls(&self) -> bool { diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 5a0ff9b5..dcdc3c05 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -31,6 +31,7 @@ use std::net::UdpSocket; const PROTOCOL:SslMethod = Sslv23; +#[cfg(test)] mod udp { static mut udp_port:u16 = 15410; @@ -57,10 +58,8 @@ macro_rules! run_test( use std::path::Path; use std::net::UdpSocket; use std::net::TcpStream; - use ssl::SslMethod::Sslv23; use ssl; - #[cfg(feature="dtlsv1")] - use ssl::SslMethod::Dtlsv1; + use ssl::SslMethod; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::connected_socket::Connect; use ssl::SslVerifyMode::SSL_VERIFY_PEER; @@ -72,7 +71,7 @@ macro_rules! run_test( #[test] fn sslv23() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - $blk(Sslv23, stream); + $blk(SslMethod::Sslv23, stream); } #[test] @@ -81,7 +80,7 @@ macro_rules! run_test( let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); let stream = sock.connect(udp::next_server().as_slice()).unwrap(); - $blk(Dtlsv1, stream); + $blk(SslMethod::Dtlsv1, stream); } } ); From 4f2978bbd312985bee7220ba26e2b6280734c5c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 12 Mar 2015 19:38:45 +0100 Subject: [PATCH 06/21] Adjust sin_len/sin6_len for non-linux platforms Fixing errors for platforms you don't own is really annoying ;) Fixing errors --- openssl/src/ssl/connected_socket.rs | 3 ++- openssl/src/ssl/tests.rs | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index ce4f990b..825e29ca 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -71,7 +71,7 @@ fn new_sockaddr_in() -> sockaddr_in { target_os = "windows")))] fn new_sockaddr_in() -> sockaddr_in { sockaddr_in { - sin_len: 0, + sin_len: mem::size_of::(), sin_family: AF_INET as sa_family_t, sin_port: 0, sin_zero: [0; 8], @@ -99,6 +99,7 @@ fn new_sockaddr_in6() -> sockaddr_in6 { target_os = "windows")))] fn new_sockaddr_in6() -> sockaddr_in6 { sockaddr_in6 { + sin6_len: mem::size_of::(), sin6_family: AF_INET6 as sa_family_t, sin6_port: 0, sin6_flowinfo: 0, diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index dcdc3c05..fd587e30 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -52,7 +52,7 @@ macro_rules! run_test( ($module:ident, $blk:expr) => ( #[cfg(test)] mod $module { - use ssl::tests::udp; + use super::udp; use std::io; use std::io::prelude::*; use std::path::Path; From 3abce328f1e94fb3f36955157a2c36195bfb225f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 12 Mar 2015 19:48:45 +0100 Subject: [PATCH 07/21] Fix travis path to test bash script --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2e6ecb9b..ed6fdbb7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,9 +7,10 @@ env: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npn" before_script: - - ./openssl/tests/test.sh & + - ./openssl/test/test.sh & script: - (cd openssl && cargo test) +- ./openssl/test/test.sh & - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && cargo test --features "$FEATURES")) - ./.travis/build_docs.sh after_success: From 3680763906eff20ffb39bff114b17330afac9563 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 12 Mar 2015 20:17:47 +0100 Subject: [PATCH 08/21] Fix OSX related compiler error and correct travis OpenSSL setup --- .travis.yml | 2 +- openssl/src/ssl/connected_socket.rs | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index ed6fdbb7..fe201ba6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ env: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npn" before_script: - - ./openssl/test/test.sh & + - openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & script: - (cd openssl && cargo test) - ./openssl/test/test.sh & diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 825e29ca..45991bc4 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -71,7 +71,7 @@ fn new_sockaddr_in() -> sockaddr_in { target_os = "windows")))] fn new_sockaddr_in() -> sockaddr_in { sockaddr_in { - sin_len: mem::size_of::(), + sin_len: mem::size_of::() as u8, sin_family: AF_INET as sa_family_t, sin_port: 0, sin_zero: [0; 8], @@ -99,7 +99,7 @@ fn new_sockaddr_in6() -> sockaddr_in6 { target_os = "windows")))] fn new_sockaddr_in6() -> sockaddr_in6 { sockaddr_in6 { - sin6_len: mem::size_of::(), + sin6_len: mem::size_of::() as u8, sin6_family: AF_INET6 as sa_family_t, sin6_port: 0, sin6_flowinfo: 0, @@ -256,7 +256,7 @@ impl SetTimeout for S { unsafe { setsockopt(self.as_raw_fd(), SOL_SOCKET, SO_RCVTIMEO, - mem::transmute(&tv), mem::size_of_val(&tv) as u32) + mem::transmute(&tv), mem::size_of_val(&tv) as socklen_t) }; } } From 014f59ae60e5f1197cb29dde08838f88f2a9124b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 12 Mar 2015 21:05:33 +0100 Subject: [PATCH 09/21] Fix detect_invalid_ipv4 test on OSX Looks like the invalid IP 254.254.254.254 is fine for OSX --- openssl/src/ssl/connected_socket.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 45991bc4..59b5cb7b 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -323,7 +323,7 @@ fn connect6_works() { #[should_panic] fn detect_invalid_ipv4() { let s = UdpSocket::bind("127.0.0.1:34300").unwrap(); - s.connect("254.254.254.254:34200").unwrap(); + s.connect("255.255.255.255:34200").unwrap(); } #[test] From 5788f3bec8d7d2594e63f869b265e234b7b38279 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Sun, 15 Mar 2015 12:52:49 +0100 Subject: [PATCH 10/21] Use latest OpenSSL version in travis tests and more verbose error message in ConnectedSocket --- .travis.yml | 18 ++++++++++++++---- openssl/src/ssl/connected_socket.rs | 7 +++++-- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index fe201ba6..9cf46d93 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,13 +5,23 @@ os: env: global: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npn" + - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npp" +before_install: + - DIR=`pwd` + - (test $TRAVIS_OS_NAME == "osx" || (sudo apt-get install gcc make)) + - (test $TRAVIS_OS_NAME == "osx" || (wget http://openssl.org/source/openssl-1.0.2.tar.gz -O /tmp/openssl-1.0.2.tar.gz)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp && tar xzf openssl-1.0.2.tar.gz)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && ./config --prefix=/usr/ shared)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && make)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && sudo make install)) + - cd ${DIR} before_script: + - openssl version - openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & script: -- (cd openssl && cargo test) -- ./openssl/test/test.sh & -- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && cargo test --features "$FEATURES")) +- (cd openssl && LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test) +- (test $TRAVIS_OS_NAME == "osx" || (./openssl/test/test.sh &)) +- (test $TRAVIS_OS_NAME == "osx" || (cd openssl && LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES")) - ./.travis/build_docs.sh after_success: - test $TRAVIS_PULL_REQUEST == "false" && test $TRAVIS_BRANCH == "master" && ./.travis/update_docs.sh diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 59b5cb7b..84414940 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -213,7 +213,8 @@ impl Read for ConnectedSocket { match errno() { EAGAIN => Err(Error::new(ErrorKind::Interrupted, "EAGAIN", None)), _ => Err(Error::new(ErrorKind::Other, - "recv() returned -1", None)), + "recv() returned -1", + Some(os::error_string(os::errno() as i32)))), } }, 0 => Err(Error::new(ErrorKind::Other, @@ -234,7 +235,9 @@ impl Write for ConnectedSocket { if res == (buf.len() as i64) { Ok(res as usize) } else { - Err(Error::new(ErrorKind::Other, "send() failed", Some(os::error_string(os::errno() as i32)))) + Err(Error::new(ErrorKind::Other, + "send() failed", + Some(os::error_string(os::errno() as i32)))) } } From dbef985e328f97905ce58ef14914100bd7e55e62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Sun, 15 Mar 2015 15:52:09 +0100 Subject: [PATCH 11/21] Move connected_socket to its own crate and fix SSL_CTX_set_read_ahead() --- openssl-sys/src/lib.rs | 3 + openssl/Cargo.toml | 11 +- openssl/src/lib.rs | 3 + openssl/src/ssl/connected_socket.rs | 346 ---------------------------- openssl/src/ssl/mod.rs | 7 +- openssl/src/ssl/tests.rs | 11 +- 6 files changed, 24 insertions(+), 357 deletions(-) delete mode 100644 openssl/src/ssl/connected_socket.rs diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 89b03e7d..0e41a682 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -283,6 +283,9 @@ pub unsafe fn SSL_CTX_add_extra_chain_cert(ssl: *mut SSL_CTX, cert: *mut X509) - SSL_CTX_ctrl(ssl, SSL_CTRL_EXTRA_CHAIN_CERT, 0, cert) } +pub unsafe fn SSL_CTX_set_read_ahead(ctx: *mut SSL_CTX, m: c_long) -> c_long { + SSL_CTX_ctrl(ctx, SSL_CTRL_SET_READ_AHEAD, m, ptr::null_mut()) +} // True functions extern "C" { diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 796beef2..0dd59ea5 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -12,8 +12,8 @@ keywords = ["crypto", "tls", "ssl", "dtls"] [features] tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] -dtlsv1 = ["openssl-sys/dtlsv1"] -dtlsv1_2 = ["openssl-sys/dtlsv1_2"] +dtlsv1 = ["openssl-sys/dtlsv1", "connected_socket"] +dtlsv1_2 = ["openssl-sys/dtlsv1_2", "connected_socket"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] @@ -29,3 +29,10 @@ libc = "0.1" [dev-dependencies] rustc-serialize = "0.3" + +[dependencies] +bitflags = "0.1.1" + +[dependencies-dev.connected_socket] +connected_socket = "0.0.1" +optional = true diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index fae9aa12..3162f9b4 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -10,6 +10,9 @@ extern crate openssl_sys as ffi; #[cfg(test)] extern crate rustc_serialize as serialize; +#[cfg(any(feature="dtlsv1", feature="dtlsv1_2"))] +extern crate connected_socket; + mod macros; pub mod asn1; diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs deleted file mode 100644 index 84414940..00000000 --- a/openssl/src/ssl/connected_socket.rs +++ /dev/null @@ -1,346 +0,0 @@ -use libc::funcs::bsd43::connect; -use std::os; -use std::os::unix::AsRawFd; -use std::os::unix::Fd; -use std::net::UdpSocket; -use std::net::ToSocketAddrs; -use std::net::SocketAddr; -use std::io::Error; -use std::io::ErrorKind; -use std::io::Read; -use std::io::Write; -use std::mem; -use std::time::duration::Duration; -use libc::types::os::common::bsd44::socklen_t; -use libc::types::os::common::bsd44::sockaddr_in; -use libc::types::os::common::bsd44::sockaddr_in6; -use libc::types::os::common::bsd44::in_addr; -use libc::types::os::common::bsd44::in6_addr; -use libc::types::os::common::bsd44::sa_family_t; -use libc::types::os::common::posix01::timeval; -use libc::funcs::bsd43::setsockopt; -use libc::consts::os::bsd44::SOL_SOCKET; -use libc::consts::os::bsd44::AF_INET; -use libc::consts::os::bsd44::AF_INET6; -use libc::consts::os::posix88::EAGAIN; -use std::net::IpAddr; -use libc::types::os::arch::c95::c_int; -use libc::types::os::arch::c95::c_char; -use libc::types::common::c95::c_void; -use libc::funcs::bsd43::send; -use libc::funcs::bsd43::recv; -use std::num::Int; -use std::os::errno; -use std::ffi::CString; - -const SO_RCVTIMEO:c_int = 20; - -extern { - fn inet_pton(family: c_int, src: *const c_char, dst: *mut c_void) -> c_int; -} - -pub struct ConnectedSocket { - sock: S -} - -impl AsRawFd for ConnectedSocket { - fn as_raw_fd(&self) -> Fd { - self.sock.as_raw_fd() - } -} - -enum SockaddrIn { - V4(sockaddr_in), - V6(sockaddr_in6), -} - -#[cfg(any(target_os = "linux", target_os = "android", target_os = "nacl", - target_os = "windows"))] -fn new_sockaddr_in() -> sockaddr_in { - sockaddr_in { - sin_family: AF_INET as sa_family_t, - sin_port: 9, - sin_zero: [0; 8], - sin_addr: in_addr { - s_addr: 0 - } - } -} - -#[cfg(not(any(target_os = "linux", target_os = "android", target_os = "nacl", - target_os = "windows")))] -fn new_sockaddr_in() -> sockaddr_in { - sockaddr_in { - sin_len: mem::size_of::() as u8, - sin_family: AF_INET as sa_family_t, - sin_port: 0, - sin_zero: [0; 8], - sin_addr: in_addr { - s_addr: 0 - } - } -} - -#[cfg(any(target_os = "linux", target_os = "android", target_os = "nacl", - target_os = "windows"))] -fn new_sockaddr_in6() -> sockaddr_in6 { - sockaddr_in6 { - sin6_family: AF_INET6 as sa_family_t, - sin6_port: 0, - sin6_flowinfo: 0, - sin6_scope_id: 0, - sin6_addr: in6_addr { - s6_addr: [0; 8], - } - } -} - -#[cfg(not(any(target_os = "linux", target_os = "android", target_os = "nacl", - target_os = "windows")))] -fn new_sockaddr_in6() -> sockaddr_in6 { - sockaddr_in6 { - sin6_len: mem::size_of::() as u8, - sin6_family: AF_INET6 as sa_family_t, - sin6_port: 0, - sin6_flowinfo: 0, - sin6_scope_id: 0, - sin6_addr: in6_addr { - s6_addr: [0; 8], - } - } -} - - -trait IntoSockaddrIn { - fn into_sockaddr_in(self) -> Result; -} - -impl IntoSockaddrIn for SocketAddr { - fn into_sockaddr_in(self) -> Result { - let ip = format!("{}", self.ip()); - - match self.ip() { - IpAddr::V4(_) => { - let mut addr = new_sockaddr_in(); - addr.sin_port = Int::to_be(self.port()); - - let cstr = CString::new(ip.clone()).unwrap(); - let res = unsafe { - inet_pton(addr.sin_family as c_int, - cstr.as_ptr() as *const i8, - mem::transmute(&mut addr.sin_addr)) - }; - - if res == 1 { - Ok(SockaddrIn::V4(addr)) - } else { - Err(Error::new(ErrorKind::Other, - "calling inet_pton() for ipv4", None)) - } - }, - - IpAddr::V6(_) => { - let mut addr = new_sockaddr_in6(); - addr.sin6_port = Int::to_be(self.port()); - - let cstr = CString::new(ip.clone()).unwrap(); - let res = unsafe { - inet_pton(addr.sin6_family as c_int, - cstr.as_ptr() as *const i8, - mem::transmute(&mut addr.sin6_addr)) - }; - - if res > 0 { - Ok(SockaddrIn::V6(addr)) - } else { - Err(Error::new(ErrorKind::Other, - "calling inet_pton() for ipv6", None)) - } - } - } - } -} - -pub trait Connect { - fn connect(self, addr: &A) -> Result,Error>; -} - -impl Connect for UdpSocket { - fn connect(self, address: &A) -> Result,Error> { - let fd = self.as_raw_fd(); - - let addr = try!(address.to_socket_addrs()).next(); - if addr.is_none() { - return Err(Error::new(ErrorKind::InvalidInput, - "no addresses to connect to", None)); - } - - let saddr = try!(addr.unwrap().into_sockaddr_in()); - - let res = match saddr { - SockaddrIn::V4(s) => unsafe { - let len = mem::size_of_val(&s) as socklen_t; - let addrp = Box::new(s); - connect(fd, mem::transmute(&*addrp), len) - }, - SockaddrIn::V6(s) => unsafe { - let len = mem::size_of_val(&s) as socklen_t; - let addrp = Box::new(s); - connect(fd, mem::transmute(&*addrp), len) - }, - }; - - if res == 0 { - Ok(ConnectedSocket { sock: self }) - } else { - Err(Error::new(ErrorKind::Other, - "error calling connect()", None)) - } - } -} - -impl Read for ConnectedSocket { - fn read(&mut self, buf: &mut [u8]) -> Result { - let flags = 0; - let ptr = buf.as_mut_ptr() as *mut c_void; - - let len = unsafe { - recv(self.as_raw_fd(), ptr, buf.len() as u64, flags) - }; - - match len { - -1 => { - match errno() { - EAGAIN => Err(Error::new(ErrorKind::Interrupted, "EAGAIN", None)), - _ => Err(Error::new(ErrorKind::Other, - "recv() returned -1", - Some(os::error_string(os::errno() as i32)))), - } - }, - 0 => Err(Error::new(ErrorKind::Other, - "connection is closed", None)), - _ => Ok(len as usize), - } - } -} - -impl Write for ConnectedSocket { - fn write(&mut self, buf: &[u8]) -> Result { - let flags = 0; - let ptr = buf.as_ptr() as *const c_void; - - let res = unsafe { - send(self.as_raw_fd(), ptr, buf.len() as u64, flags) - }; - if res == (buf.len() as i64) { - Ok(res as usize) - } else { - Err(Error::new(ErrorKind::Other, - "send() failed", - Some(os::error_string(os::errno() as i32)))) - } - } - - fn flush(&mut self) -> Result<(),Error> { - Ok(()) - } -} - -pub trait SetTimeout { - fn set_timeout(&self, timeout: Duration); -} - -impl SetTimeout for S { - fn set_timeout(&self, timeout: Duration) { - let tv = timeval { - tv_sec: timeout.num_seconds(), - tv_usec: 0, - }; - - unsafe { - setsockopt(self.as_raw_fd(), SOL_SOCKET, SO_RCVTIMEO, - mem::transmute(&tv), mem::size_of_val(&tv) as socklen_t) - }; - } -} - -#[test] -fn connect4_works() { - let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); - let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); - socket1.connect("127.0.0.1:34200").unwrap(); - socket2.connect("127.0.0.1:34201").unwrap(); -} - -#[test] -fn sendrecv_works() { - let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); - let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); - let mut conn1 = socket1.connect("127.0.0.1:34201").unwrap(); - let mut conn2 = socket2.connect("127.0.0.1:34200").unwrap(); - - let send1 = [0,1,2,3]; - let send2 = [9,8,7,6]; - conn1.write(&send1).unwrap(); - conn2.write(&send2).unwrap(); - - let mut recv1 = [0;4]; - let mut recv2 = [0;4]; - conn1.read(&mut recv1).unwrap(); - conn2.read(&mut recv2).unwrap(); - - assert_eq!(send1, recv2); - assert_eq!(send2, recv1); -} - -#[test] -fn sendrecv_respects_packet_borders() { - let socket1 = UdpSocket::bind("127.0.0.1:34202").unwrap(); - let socket2 = UdpSocket::bind("127.0.0.1:34203").unwrap(); - let mut conn1 = socket1.connect("127.0.0.1:34203").unwrap(); - let mut conn2 = socket2.connect("127.0.0.1:34202").unwrap(); - - let send1 = [0,1,2,3]; - let send2 = [9,8,7,6]; - conn1.write(&send1).unwrap(); - conn1.write(&send2).unwrap(); - - let mut recv1 = [0;3]; - let mut recv2 = [0;3]; - conn2.read(&mut recv1).unwrap(); - conn2.read(&mut recv2).unwrap(); - - assert!(send1[0..3] == recv1[0..3]); - assert!(send2[0..3] == recv2[0..3]); -} - -#[test] -fn connect6_works() { - let socket1 = UdpSocket::bind("::1:34200").unwrap(); - let socket2 = UdpSocket::bind("::1:34201").unwrap(); - socket1.connect("::1:34200").unwrap(); - socket2.connect("::1:34201").unwrap(); -} - -#[test] -#[should_panic] -fn detect_invalid_ipv4() { - let s = UdpSocket::bind("127.0.0.1:34300").unwrap(); - s.connect("255.255.255.255:34200").unwrap(); -} - -#[test] -#[should_panic] -fn detect_invalid_ipv6() { - let s = UdpSocket::bind("::1:34300").unwrap(); - s.connect("1200::AB00:1234::2552:7777:1313:34300").unwrap(); -} - -#[test] -#[should_panic] -fn double_bind() { - let socket1 = UdpSocket::bind("127.0.0.1:34301").unwrap(); - let socket2 = UdpSocket::bind("127.0.0.1:34301").unwrap(); - drop(socket1); - drop(socket2); -} diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index fa388c3a..01d65220 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -25,7 +25,6 @@ use x509::{X509StoreContext, X509FileType, X509}; use crypto::pkey::PKey; pub mod error; -pub mod connected_socket; #[cfg(test)] mod tests; @@ -377,7 +376,7 @@ impl SslContext { let ctx = SslContext { ctx: ctx }; if method.is_dtls() { - ctx.set_read_ahead(); + ctx.set_read_ahead(1); } Ok(ctx) @@ -424,9 +423,9 @@ impl SslContext { } } - pub fn set_read_ahead(&self) { + pub fn set_read_ahead(&self, m: c_long) { unsafe { - ffi::SSL_CTX_ctrl(*self.ctx, ffi::SSL_CTRL_SET_READ_AHEAD, 1, ptr::null_mut()); + ffi::SSL_CTX_set_read_ahead(*self.ctx, m); } } diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index fd587e30..d1a91500 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -14,8 +14,6 @@ use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod; use ssl::SslMethod::Sslv23; -#[cfg(feature="dtlsv1")] -use ssl::SslMethod::Dtlsv1; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; use x509::X509StoreContext; @@ -29,7 +27,10 @@ use ssl::connected_socket::Connect; #[cfg(feature="dtlsv1")] use std::net::UdpSocket; -const PROTOCOL:SslMethod = Sslv23; +#[cfg(feature="dtlsv1")] +use ssl::SslMethod::Dtlsv1; +#[cfg(feature="dtlsv1")] +use connected_socket::Connect; #[cfg(test)] mod udp { @@ -61,7 +62,8 @@ macro_rules! run_test( use ssl; use ssl::SslMethod; use ssl::{SslContext, SslStream, VerifyCallback}; - use ssl::connected_socket::Connect; + #[cfg(feature="dtlsv1")] + use connected_socket::Connect; use ssl::SslVerifyMode::SSL_VERIFY_PEER; use crypto::hash::Type::SHA256; use x509::X509StoreContext; @@ -319,7 +321,6 @@ fn test_read() { io::copy(&mut stream, &mut io::sink()).ok().expect("read error"); } - /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] From e239cd21e751ab75068fabfefee3bf477e86217c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Sun, 15 Mar 2015 16:08:13 +0100 Subject: [PATCH 12/21] Postpone custom openssl build --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9cf46d93..cc4e0425 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ os: env: global: - secure: J4i75AV4KMrU/UQrLIzzIh35Xix40Ki0uWjm8j05oxlXVl5aPU2zB30AemDne2QXYzkN4kRG/iRnNORE/8D0lF7YipQNSNxgfiBVoOEfj/NSogvI2BftYX9vlLZJUvt+s/nbE3xa/Pyge1IPv7itDYGO7SMe8RTSqitgqyfE2Eg= - - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npp" + - FEATURES="tlsv1_1 tlsv1_2 dtlsv1 aes_xts npn" before_install: - DIR=`pwd` - (test $TRAVIS_OS_NAME == "osx" || (sudo apt-get install gcc make)) From 362a7dfc935bcace9d4d249e2bed853c315e256d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Sun, 15 Mar 2015 16:09:33 +0100 Subject: [PATCH 13/21] Debug halteproblem with tests --- openssl/src/ssl/tests.rs | 4 ++-- openssl/test/test.sh | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index d1a91500..b9442010 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -119,7 +119,7 @@ run_test!(verify_trusted, |method, stream| { Err(err) => panic!("Expected success, got {:?}", err) } }); - +/* run_test!(verify_untrusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true @@ -288,7 +288,7 @@ run_test!(clear_ctx_options, |method, _| { let opts = ctx.clear_options(ssl::SSL_OP_ALL); assert!(!opts.contains(ssl::SSL_OP_ALL)); }); - +*/ #[test] fn test_write() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); diff --git a/openssl/test/test.sh b/openssl/test/test.sh index 3d035905..c0a0b855 100755 --- a/openssl/test/test.sh +++ b/openssl/test/test.sh @@ -7,7 +7,10 @@ for port in `seq 15411 15430`; do echo hello | openssl s_server -accept $port -dtls1 -cert openssl/test/cert.pem \ -key openssl/test/key.pem 2>&1 >/dev/null & done + +rm -f /tmp/rust_openssl_test_pipe +mkfifo /tmp/rust_openssl_test_pipe # the server for the test ssl::tests::test_write_dtlsv1 must wait to receive # data from the client openssl s_server -accept 15410 -dtls1 -cert openssl/test/cert.pem \ - -key openssl/test/key.pem 2>&1 >/dev/null + -key openssl/test/key.pem 2>&1 >/dev/null Date: Tue, 17 Mar 2015 18:13:50 +0100 Subject: [PATCH 14/21] Fix preemtively exiting openssl dtls server for tests --- openssl/test/test.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/openssl/test/test.sh b/openssl/test/test.sh index c0a0b855..c61511fd 100755 --- a/openssl/test/test.sh +++ b/openssl/test/test.sh @@ -1,4 +1,8 @@ #!/bin/bash +if test "$TRAVIS_OS_NAME" == "osx"; then + return +fi + trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & @@ -8,9 +12,7 @@ for port in `seq 15411 15430`; do -key openssl/test/key.pem 2>&1 >/dev/null & done -rm -f /tmp/rust_openssl_test_pipe -mkfifo /tmp/rust_openssl_test_pipe # the server for the test ssl::tests::test_write_dtlsv1 must wait to receive # data from the client -openssl s_server -accept 15410 -dtls1 -cert openssl/test/cert.pem \ - -key openssl/test/key.pem 2>&1 >/dev/null &1 >/dev/null From 114253c55ec5dea618b839a39d1bc7ab02ab524c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 19 Mar 2015 09:18:20 +0100 Subject: [PATCH 15/21] Change SslContext::set_read_ahead(c_long) to SslContext::set_read_ahead(u32) --- openssl/src/ssl/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 01d65220..d47915b2 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -423,9 +423,9 @@ impl SslContext { } } - pub fn set_read_ahead(&self, m: c_long) { + pub fn set_read_ahead(&self, m: u32) { unsafe { - ffi::SSL_CTX_set_read_ahead(*self.ctx, m); + ffi::SSL_CTX_set_read_ahead(*self.ctx, m as c_long); } } From 3c03dd9535f473c1553e6774e2f9a30516d066a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 19 Mar 2015 10:15:02 +0100 Subject: [PATCH 16/21] Add ability to load private keys from files and use raw keys and certificates for SslContext Conflicts: openssl/src/ssl/tests.rs --- openssl/src/ssl/tests.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index b9442010..8de0d448 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -26,6 +26,9 @@ use crypto::pkey::PKey; use ssl::connected_socket::Connect; #[cfg(feature="dtlsv1")] use std::net::UdpSocket; +use ssl::SslVerifyMode::SslVerifyPeer; +use x509::{X509StoreContext,X509}; +use crypto::pkey::PKey; #[cfg(feature="dtlsv1")] use ssl::SslMethod::Dtlsv1; @@ -119,7 +122,7 @@ run_test!(verify_trusted, |method, stream| { Err(err) => panic!("Expected success, got {:?}", err) } }); -/* + run_test!(verify_untrusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true @@ -288,7 +291,7 @@ run_test!(clear_ctx_options, |method, _| { let opts = ctx.clear_options(ssl::SSL_OP_ALL); assert!(!opts.contains(ssl::SSL_OP_ALL)); }); -*/ + #[test] fn test_write() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); From fb98f482e23a7283458d44289db51c99fa74e480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Thu, 19 Mar 2015 10:15:02 +0100 Subject: [PATCH 17/21] Add ability to load private keys from files and use raw keys and certificates for SslContext Conflicts: openssl/src/crypto/pkey.rs openssl/src/ssl/tests.rs --- openssl/src/ssl/tests.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 8de0d448..609bb3ce 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -26,7 +26,7 @@ use crypto::pkey::PKey; use ssl::connected_socket::Connect; #[cfg(feature="dtlsv1")] use std::net::UdpSocket; -use ssl::SslVerifyMode::SslVerifyPeer; +use ssl::SSL_VERIFY_PEER; use x509::{X509StoreContext,X509}; use crypto::pkey::PKey; From 912cacf4bc3ea28003c5aa41f6cfd7a5989ba7d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Fri, 3 Apr 2015 16:58:05 +0200 Subject: [PATCH 18/21] Fix rebase errors --- openssl-sys/src/lib.rs | 1 - openssl/Cargo.toml | 5 +---- openssl/src/lib.rs | 2 -- openssl/src/ssl/mod.rs | 2 +- openssl/src/ssl/tests.rs | 9 +-------- 5 files changed, 3 insertions(+), 16 deletions(-) diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs index 0e41a682..109c4168 100644 --- a/openssl-sys/src/lib.rs +++ b/openssl-sys/src/lib.rs @@ -513,7 +513,6 @@ extern "C" { pub fn SSL_CTX_new(method: *const SSL_METHOD) -> *mut SSL_CTX; pub fn SSL_CTX_free(ctx: *mut SSL_CTX); - pub fn SSL_CTX_ctrl(ctx: *mut SSL_CTX, cmd: c_int, mode: c_long, parg: *mut c_void) -> c_long; pub fn SSL_CTX_set_verify(ctx: *mut SSL_CTX, mode: c_int, verify_callback: Option c_int>); pub fn SSL_CTX_set_verify_depth(ctx: *mut SSL_CTX, depth: c_int); diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 0dd59ea5..50ce2e99 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -30,9 +30,6 @@ libc = "0.1" [dev-dependencies] rustc-serialize = "0.3" -[dependencies] -bitflags = "0.1.1" - -[dependencies-dev.connected_socket] +[dependencies.connected_socket] connected_socket = "0.0.1" optional = true diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 3162f9b4..5826e486 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -21,5 +21,3 @@ pub mod bio; pub mod crypto; pub mod ssl; pub mod x509; -#[macro_use] -extern crate log; diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index d47915b2..0dd2b3cb 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -425,7 +425,7 @@ impl SslContext { pub fn set_read_ahead(&self, m: u32) { unsafe { - ffi::SSL_CTX_set_read_ahead(*self.ctx, m as c_long); + ffi::SSL_CTX_set_read_ahead(self.ctx, m as c_long); } } diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 609bb3ce..2b3a007c 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -26,8 +26,6 @@ use crypto::pkey::PKey; use ssl::connected_socket::Connect; #[cfg(feature="dtlsv1")] use std::net::UdpSocket; -use ssl::SSL_VERIFY_PEER; -use x509::{X509StoreContext,X509}; use crypto::pkey::PKey; #[cfg(feature="dtlsv1")] @@ -47,11 +45,6 @@ mod udp { } } -#[test] -fn test_new_ctx() { - SslContext::new(PROTOCOL).unwrap(); -} - macro_rules! run_test( ($module:ident, $blk:expr) => ( #[cfg(test)] @@ -67,7 +60,7 @@ macro_rules! run_test( use ssl::{SslContext, SslStream, VerifyCallback}; #[cfg(feature="dtlsv1")] use connected_socket::Connect; - use ssl::SslVerifyMode::SSL_VERIFY_PEER; + use ssl::SSL_VERIFY_PEER; use crypto::hash::Type::SHA256; use x509::X509StoreContext; use serialize::hex::FromHex; From b3eae0e3f64a636eb7e4d121f8ef4d3de111956d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Mon, 6 Apr 2015 12:56:38 +0200 Subject: [PATCH 19/21] Adapt code for rust-1.0.0-beta --- openssl/src/ssl/tests.rs | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 2b3a007c..334482df 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -22,12 +22,8 @@ use x509::X509FileType; use x509::X509; use crypto::pkey::PKey; -#[cfg(feature="dtlsv1")] -use ssl::connected_socket::Connect; #[cfg(feature="dtlsv1")] use std::net::UdpSocket; -use crypto::pkey::PKey; - #[cfg(feature="dtlsv1")] use ssl::SslMethod::Dtlsv1; #[cfg(feature="dtlsv1")] @@ -64,7 +60,6 @@ macro_rules! run_test( use crypto::hash::Type::SHA256; use x509::X509StoreContext; use serialize::hex::FromHex; - use std::time::duration::Duration; #[test] fn sslv23() { @@ -76,7 +71,8 @@ macro_rules! run_test( #[cfg(feature="dtlsv1")] fn dtlsv1() { let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); - let stream = sock.connect(udp::next_server().as_slice()).unwrap(); + let server = udp::next_server(); + let stream = sock.connect(&server[..]).unwrap(); $blk(SslMethod::Dtlsv1, stream); } @@ -433,7 +429,7 @@ fn test_npn_server_advertise_multiple() { #[cfg(test)] mod dtlsv1 { use serialize::hex::FromHex; - use std::old_io::net::tcp::TcpStream; + use std::net::TcpStream; use std::old_io::{Writer}; use std::thread; @@ -441,7 +437,7 @@ mod dtlsv1 { use ssl::SslMethod; use ssl::SslMethod::Dtlsv1; use ssl::{SslContext, SslStream, VerifyCallback}; - use ssl::SslVerifyMode::SSL_VERIFY_PEER; + use ssl::SSL_VERIFY_PEER; use x509::{X509StoreContext}; const PROTOCOL:SslMethod = Dtlsv1; @@ -456,7 +452,8 @@ mod dtlsv1 { #[cfg(feature = "dtlsv1")] fn test_read_dtlsv1() { let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); - let stream = sock.connect(udp::next_server().as_slice()).unwrap(); + let server = udp::next_server(); + let stream = sock.connect(&server[..]).unwrap(); let mut stream = SslStream::new(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); let mut buf = [0u8;100]; From 6f1e9cf47c29615f37627c6c12e5f34ce132b8bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Mon, 6 Apr 2015 13:00:12 +0200 Subject: [PATCH 20/21] Make connected_socket a dev-dependency --- openssl/Cargo.toml | 7 +++---- openssl/src/lib.rs | 1 + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index 50ce2e99..38ca4545 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -12,8 +12,8 @@ keywords = ["crypto", "tls", "ssl", "dtls"] [features] tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] -dtlsv1 = ["openssl-sys/dtlsv1", "connected_socket"] -dtlsv1_2 = ["openssl-sys/dtlsv1_2", "connected_socket"] +dtlsv1 = ["openssl-sys/dtlsv1"] +dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] @@ -30,6 +30,5 @@ libc = "0.1" [dev-dependencies] rustc-serialize = "0.3" -[dependencies.connected_socket] +[dev-dependencies.connected_socket] connected_socket = "0.0.1" -optional = true diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 5826e486..1d131010 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -10,6 +10,7 @@ extern crate openssl_sys as ffi; #[cfg(test)] extern crate rustc_serialize as serialize; +#[cfg(test)] #[cfg(any(feature="dtlsv1", feature="dtlsv1_2"))] extern crate connected_socket; From 637e981e77a0fff1469e64e5f7159fb8ca1636de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Sch=C3=B6lling?= Date: Mon, 6 Apr 2015 13:04:46 +0200 Subject: [PATCH 21/21] Use latest openssl library (v1.0.2) --- .travis.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index cc4e0425..d9c5f951 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,19 +9,21 @@ env: before_install: - DIR=`pwd` - (test $TRAVIS_OS_NAME == "osx" || (sudo apt-get install gcc make)) - - (test $TRAVIS_OS_NAME == "osx" || (wget http://openssl.org/source/openssl-1.0.2.tar.gz -O /tmp/openssl-1.0.2.tar.gz)) - - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp && tar xzf openssl-1.0.2.tar.gz)) - - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && ./config --prefix=/usr/ shared)) - - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && make)) - - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2/ && sudo make install)) + - (test $TRAVIS_OS_NAME == "osx" || (wget https://openssl.org/source/openssl-1.0.2-latest.tar.gz -O /tmp/openssl-1.0.2-latest.tar.gz)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp && tar xzf openssl-1.0.2-latest.tar.gz)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2*/ && ./config --prefix=/usr/ shared)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2*/ && make)) + - (test $TRAVIS_OS_NAME == "osx" || (cd /tmp/openssl-1.0.2*/ && sudo make install)) - cd ${DIR} before_script: - openssl version - openssl s_server -accept 15418 -www -cert openssl/test/cert.pem -key openssl/test/key.pem >/dev/null 2>&1 & + - openssl s_server -accept 15419 -www -cert openssl/test/cert.pem -key openssl/test/key.pem -nextprotoneg "http/1.1,spdy/3.1" >/dev/null 2>&1 & script: - (cd openssl && LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test) - (test $TRAVIS_OS_NAME == "osx" || (./openssl/test/test.sh &)) - (test $TRAVIS_OS_NAME == "osx" || (cd openssl && LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH cargo test --features "$FEATURES")) +- (test $TRAVIS_OS_NAME == "osx" || killall openssl) - ./.travis/build_docs.sh after_success: - test $TRAVIS_PULL_REQUEST == "false" && test $TRAVIS_BRANCH == "master" && ./.travis/update_docs.sh