use hex; use std::io; use std::io::prelude::*; use std::mem; use std::net::{TcpListener, TcpStream}; use std::path::Path; use std::sync::atomic::{AtomicBool, Ordering}; use std::thread; use crate::error::ErrorStack; use crate::hash::MessageDigest; use crate::pkey::PKey; use crate::srtp::SrtpProfileId; use crate::ssl; use crate::ssl::test::server::Server; use crate::ssl::SslVersion; use crate::ssl::{ ExtensionType, ShutdownResult, ShutdownState, Ssl, SslAcceptor, SslAcceptorBuilder, SslConnector, SslContext, SslFiletype, SslMethod, SslOptions, SslStream, SslVerifyMode, }; use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509CheckFlags; use crate::x509::{X509Name, X509}; mod private_key_method; mod server; mod session; static ROOT_CERT: &[u8] = include_bytes!("../../../test/root-ca.pem"); static CERT: &[u8] = include_bytes!("../../../test/cert.pem"); static KEY: &[u8] = include_bytes!("../../../test/key.pem"); #[test] fn verify_untrusted() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut client = server.client(); client.ctx().set_verify(SslVerifyMode::PEER); client.connect_err(); } #[test] fn verify_trusted() { let server = Server::builder().build(); let client = server.client_with_root_ca(); client.connect(); } #[test] fn verify_trusted_with_set_cert() { let server = Server::builder().build(); let mut store = X509StoreBuilder::new().unwrap(); let x509 = X509::from_pem(ROOT_CERT).unwrap(); store.add_cert(x509).unwrap(); let mut client = server.client(); client.ctx().set_verify(SslVerifyMode::PEER); client.ctx().set_verify_cert_store(store.build()).unwrap(); client.connect(); } #[test] fn verify_untrusted_callback_override_ok() { let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { assert!(x509.current_cert().is_some()); true }); client.connect(); } #[test] fn verify_untrusted_callback_override_bad() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, _| false); client.connect_err(); } #[test] fn verify_trusted_callback_override_ok() { let server = Server::builder().build(); let mut client = server.client_with_root_ca(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { assert!(x509.current_cert().is_some()); true }); client.connect(); } #[test] fn verify_trusted_callback_override_bad() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut client = server.client_with_root_ca(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, _| false); client.connect_err(); } #[test] fn verify_callback_load_certs() { let server = Server::builder().build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { assert!(x509.current_cert().is_some()); true }); client.connect(); } #[test] fn verify_trusted_get_error_ok() { let server = Server::builder().build(); let mut client = server.client_with_root_ca(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { assert_eq!(x509.verify_result(), Ok(())); true }); client.connect(); } #[test] fn verify_trusted_get_error_err() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut client = server.client(); client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { assert!(x509.verify_result().is_err()); false }); client.connect_err(); } #[test] fn verify_callback() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); let server = Server::builder().build(); let mut client = server.client(); let expected = "59172d9313e84459bcff27f967e79e6e9217e584"; client .ctx() .set_verify_callback(SslVerifyMode::PEER, move |_, x509| { CALLED_BACK.store(true, Ordering::SeqCst); let cert = x509.current_cert().unwrap(); let digest = cert.digest(MessageDigest::sha1()).unwrap(); assert_eq!(hex::encode(digest), expected); true }); client.connect(); assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] fn ssl_verify_callback() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); let server = Server::builder().build(); let mut client = server.client().build().builder(); let expected = "59172d9313e84459bcff27f967e79e6e9217e584"; client .ssl() .set_verify_callback(SslVerifyMode::PEER, move |_, x509| { CALLED_BACK.store(true, Ordering::SeqCst); let cert = x509.current_cert().unwrap(); let digest = cert.digest(MessageDigest::sha1()).unwrap(); assert_eq!(hex::encode(digest), expected); true }); client.connect(); assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[test] fn get_ctx_options() { let ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.options(); } #[test] fn set_ctx_options() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); let opts = ctx.set_options(SslOptions::NO_TICKET); assert!(opts.contains(SslOptions::NO_TICKET)); } #[test] fn clear_ctx_options() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_options(SslOptions::NO_TICKET); let opts = ctx.clear_options(SslOptions::NO_TICKET); assert!(!opts.contains(SslOptions::NO_TICKET)); } #[test] fn zero_length_buffers() { let server = Server::builder().build(); let mut s = server.client().connect(); assert_eq!(s.write(&[]).unwrap(), 0); assert_eq!(s.read(&mut []).unwrap(), 0); } #[test] fn peer_certificate() { let server = Server::builder().build(); let s = server.client().connect(); let cert = s.ssl().peer_certificate().unwrap(); let fingerprint = cert.digest(MessageDigest::sha1()).unwrap(); assert_eq!( hex::encode(fingerprint), "59172d9313e84459bcff27f967e79e6e9217e584" ); } #[test] fn pending() { let mut server = Server::builder(); server.io_cb(|mut s| s.write_all(&[0; 10]).unwrap()); let server = server.build(); let mut s = server.client().connect(); s.read_exact(&mut [0]).unwrap(); assert_eq!(s.ssl().pending(), 9); assert_eq!(s.read(&mut [0; 10]).unwrap(), 9); } #[test] fn state() { let server = Server::builder().build(); let s = server.client().connect(); // NOTE: Boring returs a placeholder string for state_string assert_eq!(s.ssl().state_string(), "!!!!!!"); assert_eq!( s.ssl().state_string_long(), "SSL negotiation finished successfully" ); } /// Tests that when both the client as well as the server use SRTP and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] fn test_connect_with_srtp_ctx() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let addr = listener.local_addr().unwrap(); let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") .unwrap(); ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) .unwrap(); ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) .unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_mtu(1500).unwrap(); let mut stream = ssl.accept(stream).unwrap(); let mut buf = [0; 60]; stream .ssl() .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) .unwrap(); stream.write_all(&[0]).unwrap(); buf }); let stream = TcpStream::connect(addr).unwrap(); let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); ctx.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") .unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_mtu(1500).unwrap(); let mut stream = ssl.connect(stream).unwrap(); let mut buf = [1; 60]; { let srtp_profile = stream.ssl().selected_srtp_profile().unwrap(); assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name()); assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id()); } stream .ssl() .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) .expect("extract"); stream.read_exact(&mut [0]).unwrap(); let buf2 = guard.join().unwrap(); assert_eq!(buf[..], buf2[..]); } /// Tests that when both the client as well as the server use SRTP and their /// lists of supported protocols have an overlap -- with only ONE protocol /// being valid for both. #[test] fn test_connect_with_srtp_ssl() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let addr = listener.local_addr().unwrap(); let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) .unwrap(); ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) .unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") .unwrap(); let mut profilenames = String::new(); for profile in ssl.srtp_profiles().unwrap() { if !profilenames.is_empty() { profilenames.push(':'); } profilenames += profile.name(); } assert_eq!( "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32", profilenames ); ssl.set_mtu(1500).unwrap(); let mut stream = ssl.accept(stream).unwrap(); let mut buf = [0; 60]; stream .ssl() .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) .unwrap(); stream.write_all(&[0]).unwrap(); buf }); let stream = TcpStream::connect(addr).unwrap(); let ctx = SslContext::builder(SslMethod::dtls()).unwrap(); let mut ssl = Ssl::new(&ctx.build()).unwrap(); ssl.set_tlsext_use_srtp("SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32") .unwrap(); ssl.set_mtu(1500).unwrap(); let mut stream = ssl.connect(stream).unwrap(); let mut buf = [1; 60]; { let srtp_profile = stream.ssl().selected_srtp_profile().unwrap(); assert_eq!("SRTP_AES128_CM_SHA1_80", srtp_profile.name()); assert_eq!(SrtpProfileId::SRTP_AES128_CM_SHA1_80, srtp_profile.id()); } stream .ssl() .export_keying_material(&mut buf, "EXTRACTOR-dtls_srtp", None) .expect("extract"); stream.read_exact(&mut [0]).unwrap(); let buf2 = guard.join().unwrap(); assert_eq!(buf[..], buf2[..]); } /// Tests that when the `SslStream` is created as a server stream, the protocols /// are correctly advertised to the client. #[test] fn test_alpn_server_advertise_multiple() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) }); let server = server.build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x08spdy/3.1").unwrap(); let s = client.connect(); assert_eq!(s.ssl().selected_alpn_protocol(), Some(&b"spdy/3.1"[..])); } #[test] fn test_alpn_server_select_none_fatal() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client) .ok_or(ssl::AlpnError::ALERT_FATAL) }); server.should_error(); let server = server.build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); client.connect_err(); } #[test] fn test_alpn_server_select_none() { let mut server = Server::builder(); server.ctx().set_alpn_select_callback(|_, client| { ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK) }); let server = server.build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); let s = client.connect(); assert_eq!(None, s.ssl().selected_alpn_protocol()); } #[test] fn test_alpn_server_unilateral() { let server = Server::builder().build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); let s = client.connect(); assert_eq!(None, s.ssl().selected_alpn_protocol()); } #[test] fn test_select_cert_ok() { let mut server = Server::builder(); server .ctx() .set_select_certificate_callback(|_client_hello| Ok(())); let server = server.build(); let client = server.client(); client.connect(); } #[test] fn test_select_cert_error() { let mut server = Server::builder(); server.should_error(); server .ctx() .set_select_certificate_callback(|_client_hello| Err(ssl::SelectCertError::ERROR)); let server = server.build(); let client = server.client(); client.connect_err(); } #[test] fn test_select_cert_unknown_extension() { let mut server = Server::builder(); let unknown_extension = std::sync::Arc::new(std::sync::Mutex::new(Some(vec![]))); server.ctx().set_select_certificate_callback({ let unknown = unknown_extension.clone(); move |client_hello| { let ext = client_hello .get_extension(ExtensionType::SERVER_NAME) .map(ToOwned::to_owned); assert!(ext.is_none()); *unknown.lock().unwrap() = ext; Ok(()) } }); let server = server.build(); let client = server.client(); client.connect(); assert_eq!(unknown_extension.lock().unwrap().as_deref(), None); } #[test] fn test_select_cert_alpn_extension() { let mut server = Server::builder(); let alpn_extension = std::sync::Arc::new(std::sync::Mutex::new(None)); server.ctx().set_select_certificate_callback({ let alpn = alpn_extension.clone(); move |client_hello| { *alpn.lock().unwrap() = Some( client_hello .get_extension(ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION) .unwrap() .to_owned(), ); Ok(()) } }); let server = server.build(); let mut client = server.client(); client.ctx().set_alpn_protos(b"\x06http/2").unwrap(); client.connect(); assert_eq!( alpn_extension.lock().unwrap().as_deref(), Some(&b"\x00\x07\x06http/2"[..]), ); } #[test] #[should_panic(expected = "blammo")] fn write_panic() { struct ExplodingStream(TcpStream); impl Read for ExplodingStream { fn read(&mut self, buf: &mut [u8]) -> io::Result { self.0.read(buf) } } impl Write for ExplodingStream { fn write(&mut self, _: &[u8]) -> io::Result { panic!("blammo"); } fn flush(&mut self) -> io::Result<()> { self.0.flush() } } let mut server = Server::builder(); server.should_error(); let server = server.build(); let stream = ExplodingStream(server.connect_tcp()); let ctx = SslContext::builder(SslMethod::tls()).unwrap(); let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); } #[test] #[should_panic(expected = "blammo")] fn read_panic() { struct ExplodingStream(TcpStream); impl Read for ExplodingStream { fn read(&mut self, _: &mut [u8]) -> io::Result { panic!("blammo"); } } impl Write for ExplodingStream { fn write(&mut self, buf: &[u8]) -> io::Result { self.0.write(buf) } fn flush(&mut self) -> io::Result<()> { self.0.flush() } } let mut server = Server::builder(); server.should_error(); let server = server.build(); let stream = ExplodingStream(server.connect_tcp()); let ctx = SslContext::builder(SslMethod::tls()).unwrap(); let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); } #[test] #[should_panic(expected = "blammo")] fn flush_panic() { struct ExplodingStream(TcpStream); impl Read for ExplodingStream { fn read(&mut self, buf: &mut [u8]) -> io::Result { self.0.read(buf) } } impl Write for ExplodingStream { fn write(&mut self, buf: &[u8]) -> io::Result { self.0.write(buf) } fn flush(&mut self) -> io::Result<()> { panic!("blammo"); } } let mut server = Server::builder(); server.should_error(); let server = server.build(); let stream = ExplodingStream(server.connect_tcp()); let ctx = SslContext::builder(SslMethod::tls()).unwrap(); let _ = Ssl::new(&ctx.build()).unwrap().connect(stream); } #[test] fn refcount_ssl_context() { let mut ssl = { let ctx = SslContext::builder(SslMethod::tls()).unwrap(); ssl::Ssl::new(&ctx.build()).unwrap() }; { let new_ctx_a = SslContext::builder(SslMethod::tls()).unwrap().build(); let _new_ctx_b = ssl.set_ssl_context(&new_ctx_a); } } #[test] #[cfg_attr(target_os = "windows", ignore)] #[cfg_attr(all(target_os = "macos", feature = "vendored"), ignore)] fn default_verify_paths() { let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_default_verify_paths().unwrap(); ctx.set_verify(SslVerifyMode::PEER); let ctx = ctx.build(); let s = match TcpStream::connect("google.com:443") { Ok(s) => s, Err(_) => return, }; let mut ssl = Ssl::new(&ctx).unwrap(); ssl.set_hostname("google.com").unwrap(); let mut socket = ssl.connect(s).unwrap(); socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap(); let mut result = vec![]; socket.read_to_end(&mut result).unwrap(); println!("{}", String::from_utf8_lossy(&result)); assert!(result.starts_with(b"HTTP/1.0")); assert!(result.ends_with(b"\r\n") || result.ends_with(b"")); } #[test] fn add_extra_chain_cert() { let cert = X509::from_pem(CERT).unwrap(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.add_extra_chain_cert(cert).unwrap(); } #[test] fn verify_valid_hostname() { let server = Server::builder().build(); let mut client = server.client_with_root_ca(); client.ctx().set_verify(SslVerifyMode::PEER); let mut client = client.build().builder(); client .ssl() .param_mut() .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); client.ssl().param_mut().set_host("foobar.com").unwrap(); client.connect(); } #[test] fn verify_invalid_hostname() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut client = server.client_with_root_ca(); client.ctx().set_verify(SslVerifyMode::PEER); let mut client = client.build().builder(); client .ssl() .param_mut() .set_hostflags(X509CheckFlags::NO_PARTIAL_WILDCARDS); client.ssl().param_mut().set_host("bogus.com").unwrap(); client.connect_err(); } #[test] fn connector_valid_hostname() { let server = Server::builder().build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); connector.set_ca_file("test/root-ca.pem").unwrap(); let s = server.connect_tcp(); let mut s = connector.build().connect("foobar.com", s).unwrap(); s.read_exact(&mut [0]).unwrap(); } #[test] fn connector_invalid_hostname() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); connector.set_ca_file("test/root-ca.pem").unwrap(); let s = server.connect_tcp(); connector.build().connect("bogus.com", s).unwrap_err(); } #[test] fn connector_invalid_no_hostname_verification() { let server = Server::builder().build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); connector.set_ca_file("test/root-ca.pem").unwrap(); let s = server.connect_tcp(); let mut s = connector .build() .configure() .unwrap() .verify_hostname(false) .connect("bogus.com", s) .unwrap(); s.read_exact(&mut [0]).unwrap(); } #[test] fn connector_no_hostname_still_verifies() { let mut server = Server::builder(); server.should_error(); let server = server.build(); let connector = SslConnector::builder(SslMethod::tls()).unwrap().build(); let s = server.connect_tcp(); assert!(connector .configure() .unwrap() .verify_hostname(false) .connect("fizzbuzz.com", s) .is_err()); } #[test] fn connector_no_hostname_can_disable_verify() { let server = Server::builder().build(); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); connector.set_verify(SslVerifyMode::NONE); let connector = connector.build(); let s = server.connect_tcp(); let mut s = connector .configure() .unwrap() .verify_hostname(false) .connect("foobar.com", s) .unwrap(); s.read_exact(&mut [0]).unwrap(); } fn test_mozilla_server(new: fn(SslMethod) -> Result) { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let port = listener.local_addr().unwrap().port(); let t = thread::spawn(move || { let key = PKey::private_key_from_pem(KEY).unwrap(); let cert = X509::from_pem(CERT).unwrap(); let mut acceptor = new(SslMethod::tls()).unwrap(); acceptor.set_private_key(&key).unwrap(); acceptor.set_certificate(&cert).unwrap(); let acceptor = acceptor.build(); let stream = listener.accept().unwrap().0; let mut stream = acceptor.accept(stream).unwrap(); stream.write_all(b"hello").unwrap(); }); let mut connector = SslConnector::builder(SslMethod::tls()).unwrap(); connector.set_ca_file("test/root-ca.pem").unwrap(); let connector = connector.build(); let stream = TcpStream::connect(("127.0.0.1", port)).unwrap(); let mut stream = connector.connect("foobar.com", stream).unwrap(); let mut buf = [0; 5]; stream.read_exact(&mut buf).unwrap(); assert_eq!(b"hello", &buf); t.join().unwrap(); } #[test] fn connector_client_server_mozilla_intermediate() { test_mozilla_server(SslAcceptor::mozilla_intermediate); } #[test] fn connector_client_server_mozilla_modern() { test_mozilla_server(SslAcceptor::mozilla_modern); } #[test] fn connector_client_server_mozilla_intermediate_v5() { test_mozilla_server(SslAcceptor::mozilla_intermediate_v5); } #[test] fn shutdown() { let mut server = Server::builder(); server.io_cb(|mut s| { assert_eq!(s.read(&mut [0]).unwrap(), 0); assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received); }); let server = server.build(); let mut s = server.client().connect(); assert_eq!(s.get_shutdown(), ShutdownState::empty()); assert_eq!(s.shutdown().unwrap(), ShutdownResult::Sent); assert_eq!(s.get_shutdown(), ShutdownState::SENT); assert_eq!(s.shutdown().unwrap(), ShutdownResult::Received); assert_eq!( s.get_shutdown(), ShutdownState::SENT | ShutdownState::RECEIVED ); } #[test] fn client_ca_list() { let names = X509Name::load_client_ca_file("test/root-ca.pem").unwrap(); assert_eq!(names.len(), 1); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_client_ca_list(names); } #[test] fn cert_store() { let server = Server::builder().build(); let mut client = server.client(); let cert = X509::from_pem(ROOT_CERT).unwrap(); client.ctx().cert_store_mut().add_cert(cert).unwrap(); client.ctx().set_verify(SslVerifyMode::PEER); client.connect(); } #[test] fn keying_export() { let listener = TcpListener::bind("127.0.0.1:0").unwrap(); let addr = listener.local_addr().unwrap(); let label = "EXPERIMENTAL test"; let context = b"my context"; let guard = thread::spawn(move || { let stream = listener.accept().unwrap().0; let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_certificate_file(Path::new("test/cert.pem"), SslFiletype::PEM) .unwrap(); ctx.set_private_key_file(Path::new("test/key.pem"), SslFiletype::PEM) .unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); let mut stream = ssl.accept(stream).unwrap(); let mut buf = [0; 32]; stream .ssl() .export_keying_material(&mut buf, label, Some(context)) .unwrap(); stream.write_all(&[0]).unwrap(); buf }); let stream = TcpStream::connect(addr).unwrap(); let ctx = SslContext::builder(SslMethod::tls()).unwrap(); let ssl = Ssl::new(&ctx.build()).unwrap(); let mut stream = ssl.connect(stream).unwrap(); let mut buf = [1; 32]; stream .ssl() .export_keying_material(&mut buf, label, Some(context)) .unwrap(); stream.read_exact(&mut [0]).unwrap(); let buf2 = guard.join().unwrap(); assert_eq!(buf, buf2); } #[test] fn no_version_overlap() { let mut server = Server::builder(); server.ctx().set_min_proto_version(None).unwrap(); server .ctx() .set_max_proto_version(Some(SslVersion::TLS1_1)) .unwrap(); assert_eq!(server.ctx().max_proto_version(), Some(SslVersion::TLS1_1)); server.should_error(); let server = server.build(); let mut client = server.client(); client .ctx() .set_min_proto_version(Some(SslVersion::TLS1_2)) .unwrap(); assert_eq!(client.ctx().min_proto_version(), Some(SslVersion::TLS1_2)); client.ctx().set_max_proto_version(None).unwrap(); client.connect_err(); } fn _check_kinds() { fn is_send() {} fn is_sync() {} is_send::>(); is_sync::>(); } #[test] fn psk_ciphers() { const CIPHER: &str = "PSK-AES128-CBC-SHA"; const PSK: &[u8] = b"thisisaverysecurekey"; const CLIENT_IDENT: &[u8] = b"thisisaclient"; static CLIENT_CALLED: AtomicBool = AtomicBool::new(false); static SERVER_CALLED: AtomicBool = AtomicBool::new(false); let mut server = Server::builder(); server.ctx().set_cipher_list(CIPHER).unwrap(); server.ctx().set_psk_server_callback(|_, identity, psk| { assert!(identity.unwrap_or(&[]) == CLIENT_IDENT); psk[..PSK.len()].copy_from_slice(PSK); SERVER_CALLED.store(true, Ordering::SeqCst); Ok(PSK.len()) }); let server = server.build(); let mut client = server.client(); // This test relies on TLS 1.2 suites client.ctx().set_options(super::SslOptions::NO_TLSV1_3); client.ctx().set_cipher_list(CIPHER).unwrap(); client .ctx() .set_psk_client_callback(move |_, _, identity, psk| { identity[..CLIENT_IDENT.len()].copy_from_slice(CLIENT_IDENT); identity[CLIENT_IDENT.len()] = 0; psk[..PSK.len()].copy_from_slice(PSK); CLIENT_CALLED.store(true, Ordering::SeqCst); Ok(PSK.len()) }); client.connect(); assert!(CLIENT_CALLED.load(Ordering::SeqCst) && SERVER_CALLED.load(Ordering::SeqCst)); } #[test] fn sni_callback_swapped_ctx() { static CALLED_BACK: AtomicBool = AtomicBool::new(false); let mut server = Server::builder(); let mut ctx = SslContext::builder(SslMethod::tls()).unwrap(); ctx.set_servername_callback(|_, _| { CALLED_BACK.store(true, Ordering::SeqCst); Ok(()) }); let keyed_ctx = mem::replace(server.ctx(), ctx).build(); server.ssl_cb(move |ssl| ssl.set_ssl_context(&keyed_ctx).unwrap()); let server = server.build(); server.client().connect(); assert!(CALLED_BACK.load(Ordering::SeqCst)); } #[cfg(feature = "kx-safe-default")] #[test] fn client_set_default_curves_list() { let ssl_ctx = crate::ssl::SslContextBuilder::new(SslMethod::tls()) .unwrap() .build(); let mut ssl = Ssl::new(&ssl_ctx).unwrap(); // Panics if Kyber768 missing in boringSSL. ssl.client_set_default_curves_list(); } #[cfg(feature = "kx-safe-default")] #[test] fn server_set_default_curves_list() { let ssl_ctx = crate::ssl::SslContextBuilder::new(SslMethod::tls()) .unwrap() .build(); let mut ssl = Ssl::new(&ssl_ctx).unwrap(); // Panics if Kyber768 missing in boringSSL. ssl.server_set_default_curves_list(); } #[test] fn drop_ex_data_in_context() { let index = SslContext::new_ex_index::<&'static str>().unwrap(); let mut ctx = SslContext::builder(SslMethod::dtls()).unwrap(); assert_eq!(ctx.replace_ex_data(index, "comté"), None); assert_eq!(ctx.replace_ex_data(index, "camembert"), Some("comté")); assert_eq!(ctx.replace_ex_data(index, "raclette"), Some("camembert")); } #[test] fn drop_ex_data_in_ssl() { let index = Ssl::new_ex_index::<&'static str>().unwrap(); let ctx = SslContext::builder(SslMethod::dtls()).unwrap().build(); let mut ssl = Ssl::new(&ctx).unwrap(); assert_eq!(ssl.replace_ex_data(index, "comté"), None); assert_eq!(ssl.replace_ex_data(index, "camembert"), Some("comté")); assert_eq!(ssl.replace_ex_data(index, "raclette"), Some("camembert")); }