diff options
| author | Manuel Schölling <[email protected]> | 2015-03-10 14:31:54 +0100 |
|---|---|---|
| committer | Manuel Schölling <[email protected]> | 2015-04-06 12:22:50 +0200 |
| commit | 664600eadff8a0388bc9ab2544b382e56e4fae9d (patch) | |
| tree | 782893fbf9232424f4d67f374012da6f33f6262f /openssl | |
| parent | Add connect() support for UDP sockets (diff) | |
| download | rust-openssl-664600eadff8a0388bc9ab2544b382e56e4fae9d.tar.xz rust-openssl-664600eadff8a0388bc9ab2544b382e56e4fae9d.zip | |
Add DTLSv1 and DTLSv1.2 support
Diffstat (limited to 'openssl')
| -rw-r--r-- | openssl/Cargo.toml | 1 | ||||
| -rw-r--r-- | openssl/src/lib.rs | 2 | ||||
| -rw-r--r-- | openssl/src/ssl/connected_socket.rs | 19 | ||||
| -rw-r--r-- | openssl/src/ssl/mod.rs | 47 | ||||
| -rw-r--r-- | openssl/src/ssl/tests.rs | 215 |
5 files changed, 190 insertions, 94 deletions
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml index ca3bd417..796beef2 100644 --- a/openssl/Cargo.toml +++ b/openssl/Cargo.toml @@ -13,6 +13,7 @@ keywords = ["crypto", "tls", "ssl", "dtls"] tlsv1_2 = ["openssl-sys/tlsv1_2"] tlsv1_1 = ["openssl-sys/tlsv1_1"] dtlsv1 = ["openssl-sys/dtlsv1"] +dtlsv1_2 = ["openssl-sys/dtlsv1_2"] sslv2 = ["openssl-sys/sslv2"] aes_xts = ["openssl-sys/aes_xts"] npn = ["openssl-sys/npn"] diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs index 2ceafcd7..fae9aa12 100644 --- a/openssl/src/lib.rs +++ b/openssl/src/lib.rs @@ -18,3 +18,5 @@ pub mod bio; pub mod crypto; pub mod ssl; pub mod x509; +#[macro_use] +extern crate log; diff --git a/openssl/src/ssl/connected_socket.rs b/openssl/src/ssl/connected_socket.rs index 1ae5fc8d..55788465 100644 --- a/openssl/src/ssl/connected_socket.rs +++ b/openssl/src/ssl/connected_socket.rs @@ -81,7 +81,6 @@ impl IntoSockaddrIn for SocketAddr { if res == 1 { Ok(SockaddrIn::V4(addr)) } else { - warn!("inet_pton() failed for IPv4: {}", ip); Err(Error::new(ErrorKind::Other, "calling inet_pton() for ipv4", None)) } @@ -158,12 +157,10 @@ impl<S: AsRawFd+?Sized> Read for ConnectedSocket<S> { let flags = 0; let ptr = buf.as_mut_ptr() as *mut c_void; - debug!("recv'ing..."); let len = unsafe { recv(self.as_raw_fd(), ptr, buf.len() as u64, flags) }; - debug!("recv'ed len={:?}", len); match len { -1 => { match errno() { @@ -184,14 +181,12 @@ impl<S: AsRawFd+?Sized> Write for ConnectedSocket<S> { let flags = 0; let ptr = buf.as_ptr() as *const c_void; - debug!("sending {:?}", buf.len()); let res = unsafe { send(self.as_raw_fd(), ptr, buf.len() as u64, flags) }; if res == (buf.len() as i64) { Ok(res as usize) } else { - warn!("send() found {}, expected {}", res, buf.len()); Err(Error::new(ErrorKind::Other, "send() failed", Some(os::error_string(os::errno() as i32)))) } } @@ -223,8 +218,8 @@ impl<S:AsRawFd> SetTimeout for S { fn connect4_works() { let socket1 = UdpSocket::bind("127.0.0.1:34200").unwrap(); let socket2 = UdpSocket::bind("127.0.0.1:34201").unwrap(); - let conn1 = socket1.connect("127.0.0.1:34200").unwrap(); - let conn2 = socket2.connect("127.0.0.1:34201").unwrap(); + socket1.connect("127.0.0.1:34200").unwrap(); + socket2.connect("127.0.0.1:34201").unwrap(); } #[test] @@ -273,26 +268,26 @@ fn sendrecv_respects_packet_borders() { fn connect6_works() { let socket1 = UdpSocket::bind("::1:34200").unwrap(); let socket2 = UdpSocket::bind("::1:34201").unwrap(); - let conn1 = socket1.connect("::1:34200").unwrap(); - let conn2 = socket2.connect("::1:34201").unwrap(); + socket1.connect("::1:34200").unwrap(); + socket2.connect("::1:34201").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn detect_invalid_ipv4() { let s = UdpSocket::bind("127.0.0.1:34300").unwrap(); s.connect("254.254.254.254:34200").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn detect_invalid_ipv6() { let s = UdpSocket::bind("::1:34300").unwrap(); s.connect("1200::AB00:1234::2552:7777:1313:34300").unwrap(); } #[test] -#[should_fail] +#[should_panic] fn double_bind() { let socket1 = UdpSocket::bind("127.0.0.1:34301").unwrap(); let socket2 = UdpSocket::bind("127.0.0.1:34301").unwrap(); diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 710a287d..9cf09bc8 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -101,6 +101,9 @@ pub enum SslMethod { #[cfg(feature = "dtlsv1")] /// Support DTLSv1 protocol, requires the `dtlsv1` feature. Dtlsv1, + #[cfg(feature = "dtlsv1_2")] + /// Support DTLSv1.2 protocol, requires the `dtlsv1_2` feature. + Dtlsv1_2, } impl SslMethod { @@ -116,9 +119,35 @@ impl SslMethod { #[cfg(feature = "tlsv1_2")] SslMethod::Tlsv1_2 => ffi::TLSv1_2_method(), #[cfg(feature = "dtlsv1")] - SslMethod::Dtlsv1 => ffi::TLSv1_method(), + SslMethod::Dtlsv1 => ffi::DTLSv1_method(), + #[cfg(feature = "dtlsv1_2")] + SslMethod::Dtlsv1_2 => ffi::DTLSv1_2_method(), } } + + #[cfg(feature = "dtlsv1")] + pub fn is_dtlsv1(&self) -> bool { + *self == SslMethod::Dtlsv1 + } + + #[cfg(feature = "dtlsv1_2")] + pub fn is_dtlsv1_2(&self) -> bool { + *self == SslMethod::Dtlsv1 + } + + pub fn is_dtls(&self) -> bool { + self.is_dtlsv1() || self.is_dtlsv1_2() + } + + #[cfg(not(feature = "dtlsv1"))] + pub fn is_dtlsv1(&self) -> bool { + false + } + + #[cfg(not(feature = "dtlsv1_2"))] + pub fn is_dtlsv1_2(&self) -> bool { + false + } } /// Determines the type of certificate verification used @@ -345,7 +374,13 @@ impl SslContext { return Err(SslError::get()); } - Ok(SslContext { ctx: ctx }) + let ctx = SslContext { ctx: ctx }; + + if method.is_dtls() { + ctx.set_read_ahead(); + } + + Ok(ctx) } /// Configures the certificate verification method for new connections. @@ -356,6 +391,7 @@ impl SslContext { mem::transmute(verify)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify; + ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f)); } } @@ -376,6 +412,7 @@ impl SslContext { mem::transmute(data)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify_with_data::<T>; + ffi::SSL_CTX_set_verify(self.ctx, mode.bits as c_int, Some(f)); } } @@ -387,6 +424,12 @@ impl SslContext { } } + pub fn set_read_ahead(&self) { + unsafe { + ffi::SSL_CTX_ctrl(*self.ctx, ffi::SSL_CTRL_SET_READ_AHEAD, 1, ptr::null_mut()); + } + } + #[allow(non_snake_case)] /// Specifies the file that contains trusted CA certificates. pub fn set_CA_file(&mut self, file: &Path) -> Result<(),SslError> { diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 1da42082..4d78e182 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -1,4 +1,5 @@ -use serialize::hex::FromHex; +#![allow(unused_imports)] + use std::net::TcpStream; use std::io; use std::io::prelude::*; @@ -13,6 +14,8 @@ use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod; use ssl::SslMethod::Sslv23; +#[cfg(feature="dtlsv1")] +use ssl::SslMethod::Dtlsv1; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SSL_VERIFY_PEER; use x509::X509StoreContext; @@ -21,34 +24,89 @@ use x509::X509FileType; use x509::X509; use crypto::pkey::PKey; +#[cfg(feature="dtlsv1")] +use ssl::connected_socket::Connect; +#[cfg(feature="dtlsv1")] +use std::net::UdpSocket; + const PROTOCOL:SslMethod = Sslv23; +mod udp { + static mut udp_port:u16 = 15410; + + pub fn next_server<'a>() -> String { + unsafe { + udp_port += 1; + format!("127.0.0.1:{}", udp_port) + } + } +} + #[test] fn test_new_ctx() { SslContext::new(PROTOCOL).unwrap(); } -#[test] -fn test_new_sslstream() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); -} +macro_rules! run_test( + ($module:ident, $blk:expr) => ( + #[cfg(test)] + mod $module { + use ssl::tests::udp; + use std::io; + use std::io::prelude::*; + use std::path::Path; + use std::net::UdpSocket; + use std::net::TcpStream; + use ssl::SslMethod::Sslv23; + #[cfg(feature="dtlsv1")] + use ssl; + use ssl::SslMethod::Dtlsv1; + use ssl::{SslContext, SslStream, VerifyCallback}; + use ssl::connected_socket::Connect; + use ssl::SslVerifyMode::SSL_VERIFY_PEER; + use crypto::hash::Type::SHA256; + use x509::X509StoreContext; + use serialize::hex::FromHex; + use std::time::duration::Duration; + + #[test] + fn sslv23() { + let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + $blk(Sslv23, stream); + } + + #[test] + #[cfg(feature="dtlsv1")] + fn dtlsv1() { + let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); + let stream = sock.connect(udp::next_server().as_slice()).unwrap(); + + $blk(Dtlsv1, stream); + } + } + ); +); -#[test] -fn test_verify_untrusted() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); +run_test!(new_ctx, |method, _| { + SslContext::new(method).unwrap(); +}); + +run_test!(new_sslstream, |method, stream| { + SslStream::new(&SslContext::new(method).unwrap(), stream).unwrap(); +}); + +run_test!(verify_untrusted, |method, stream| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); + match SslStream::new(&ctx, stream) { Ok(_) => panic!("expected failure"), Err(err) => println!("error {:?}", err) } -} +}); -#[test] -fn test_verify_trusted() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); +run_test!(verify_trusted, |method, stream| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -59,42 +117,39 @@ fn test_verify_trusted() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_untrusted_callback_override_ok() { +run_test!(verify_untrusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match SslStream::new(&ctx, stream) { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_untrusted_callback_override_bad() { +run_test!(verify_untrusted_callback_override_bad, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_trusted_callback_override_ok() { +run_test!(verify_trusted_callback_override_ok, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -105,15 +160,14 @@ fn test_verify_trusted_callback_override_ok() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); -#[test] -fn test_verify_trusted_callback_override_bad() { +run_test!(verify_trusted_callback_override_bad, |method, stream| { fn callback(_preverify_ok: bool, _x509_ctx: &X509StoreContext) -> bool { false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -121,29 +175,27 @@ fn test_verify_trusted_callback_override_bad() { Err(err) => panic!("Unexpected error {:?}", err) } assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_callback_load_certs() { +run_test!(verify_callback_load_certs, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_current_cert().is_some()); true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_ok()); -} +}); -#[test] -fn test_verify_trusted_get_error_ok() { +run_test!(verify_trusted_get_error_ok, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_error().is_none()); true } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { @@ -151,23 +203,21 @@ fn test_verify_trusted_get_error_ok() { Err(err) => panic!("Unexpected error {:?}", err) } assert!(SslStream::new(&ctx, stream).is_ok()); -} +}); -#[test] -fn test_verify_trusted_get_error_err() { +run_test!(verify_trusted_get_error_err, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext) -> bool { assert!(x509_ctx.get_error().is_some()); false } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + + let mut ctx = SslContext::new(method).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); -} +}); -#[test] -fn test_verify_callback_data() { +run_test!(verify_callback_data, |method, stream| { fn callback(_preverify_ok: bool, x509_ctx: &X509StoreContext, node_id: &Vec<u8>) -> bool { let cert = x509_ctx.get_current_cert(); match cert { @@ -178,8 +228,7 @@ fn test_verify_callback_data() { } } } - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut ctx = SslContext::new(PROTOCOL).unwrap(); + let mut ctx = SslContext::new(method).unwrap(); // Node id was generated as SHA256 hash of certificate "test/cert.pem" // in DER format. @@ -194,7 +243,7 @@ fn test_verify_callback_data() { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) } -} +}); #[test] fn test_set_certificate_and_private_key() { @@ -217,51 +266,46 @@ fn test_set_certificate_and_private_key() { assert!(ctx.check_private_key().is_ok()); } -#[test] -fn test_get_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(get_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); ctx.get_options(); -} +}); -#[test] -fn test_set_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(set_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); let opts = ctx.set_options(ssl::SSL_OP_NO_TICKET); assert!(opts.contains(ssl::SSL_OP_NO_TICKET)); assert!(!opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); let more_opts = ctx.set_options(ssl::SSL_OP_CISCO_ANYCONNECT); assert!(more_opts.contains(ssl::SSL_OP_NO_TICKET)); assert!(more_opts.contains(ssl::SSL_OP_CISCO_ANYCONNECT)); -} +}); -#[test] -fn test_clear_ctx_options() { - let mut ctx = SslContext::new(Sslv23).unwrap(); +run_test!(clear_ctx_options, |method, _| { + let mut ctx = SslContext::new(method).unwrap(); ctx.set_options(ssl::SSL_OP_ALL); let opts = ctx.clear_options(ssl::SSL_OP_ALL); assert!(!opts.contains(ssl::SSL_OP_ALL)); -} +}); -#[test] -fn test_write() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); - stream.write_all("hello".as_bytes()).unwrap(); - stream.flush().unwrap(); - stream.write_all(" there".as_bytes()).unwrap(); - stream.flush().unwrap(); -} +run_test!(write, |method, stream| { + let mut s = SslStream::new(&SslContext::new(method).unwrap(), stream).unwrap(); + s.write_all("hello".as_bytes()).unwrap(); + s.flush().unwrap(); + s.write_all(" there".as_bytes()).unwrap(); + s.flush().unwrap(); +}); #[test] fn test_read() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); - let mut stream = SslStream::new(&SslContext::new(PROTOCOL).unwrap(), stream).unwrap(); + let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let mut stream = SslStream::new(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); - println!("written"); io::copy(&mut stream, &mut io::sink()).ok().expect("read error"); } + /// Tests that connecting with the client using NPN, but the server not does not /// break the existing connection behavior. #[test] @@ -396,3 +440,14 @@ mod dtlsv1 { SslContext::new(PROTOCOL).unwrap(); } } + +#[test] +#[cfg(feature = "dtlsv1")] +fn test_read_dtlsv1() { + let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); + let stream = sock.connect(udp::next_server().as_slice()).unwrap(); + + let mut stream = SslStream::new(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); + let mut buf = [0u8;100]; + assert!(stream.read(&mut buf).is_ok()); +} |