diff options
Diffstat (limited to 'openssl/src/ssl')
| -rw-r--r-- | openssl/src/ssl/mod.rs | 44 | ||||
| -rw-r--r-- | openssl/src/ssl/tests.rs | 261 |
2 files changed, 235 insertions, 70 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs index 35180d3a..360f3f3e 100644 --- a/openssl/src/ssl/mod.rs +++ b/openssl/src/ssl/mod.rs @@ -21,6 +21,7 @@ use std::slice; use bio::{MemBio}; use ffi; +use dh::DH; use ssl::error::{SslError, SslSessionClosed, StreamError, OpenSslErrors}; use x509::{X509StoreContext, X509FileType, X509}; use crypto::pkey::PKey; @@ -105,7 +106,8 @@ pub enum SslMethod { #[cfg(feature = "sslv2")] /// Only support the SSLv2 protocol, requires the `sslv2` feature. Sslv2, - /// Support the SSLv2, SSLv3 and TLSv1 protocols. + /// Support the SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2 protocols depending on what the + /// linked OpenSSL library supports. Sslv23, /// Only support the SSLv3 protocol. Sslv3, @@ -307,8 +309,11 @@ unsafe fn select_proto_using(ssl: *mut ffi::SSL, let client_len = protocols.len() as c_uint; // Finally, let OpenSSL find a protocol to be used, by matching the given server and // client lists. - ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len); - ffi::SSL_TLSEXT_ERR_OK + if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != ffi::OPENSSL_NPN_NEGOTIATED { + ffi::SSL_TLSEXT_ERR_NOACK + } else { + ffi::SSL_TLSEXT_ERR_OK + } } /// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`. @@ -431,10 +436,7 @@ impl SslContext { pub fn new(method: SslMethod) -> Result<SslContext, SslError> { init(); - let ctx = unsafe { ffi::SSL_CTX_new(method.to_raw()) }; - if ctx == ptr::null_mut() { - return Err(SslError::get()); - } + let ctx = try_ssl_null!(unsafe { ffi::SSL_CTX_new(method.to_raw()) }); let ctx = SslContext { ctx: ctx }; @@ -492,6 +494,12 @@ impl SslContext { } } + pub fn set_tmp_dh(&self, dh: DH) -> Result<(),SslError> { + wrap_ssl_result(unsafe { + ffi::SSL_CTX_set_tmp_dh(self.ctx, dh.raw()) as i32 + }) + } + #[allow(non_snake_case)] /// Specifies the file that contains trusted CA certificates. pub fn set_CA_file<P: AsRef<Path>>(&mut self, file: P) -> Result<(),SslError> { @@ -563,6 +571,18 @@ impl SslContext { }) } + /// If `onoff` is set to `true`, enable ECDHE for key exchange with compatible + /// clients, and automatically select an appropriate elliptic curve. + /// + /// This method requires OpenSSL >= 1.2.0 or LibreSSL and the `ecdh_auto` feature. + #[cfg(feature = "ecdh_auto")] + pub fn set_ecdh_auto(&mut self, onoff: bool) -> Result<(),SslError> { + wrap_ssl_result( + unsafe { + ffi::SSL_CTX_set_ecdh_auto(self.ctx, onoff as c_int) + }) + } + pub fn set_options(&mut self, option: SslContextOptions) -> SslContextOptions { let raw_bits = option.bits(); let ret = unsafe { @@ -683,10 +703,7 @@ impl Drop for Ssl { impl Ssl { pub fn new(ctx: &SslContext) -> Result<Ssl, SslError> { - let ssl = unsafe { ffi::SSL_new(ctx.ctx) }; - if ssl == ptr::null_mut() { - return Err(SslError::get()); - } + let ssl = try_ssl_null!(unsafe { ffi::SSL_new(ctx.ctx) }); let ssl = Ssl { ssl: ssl }; Ok(ssl) } @@ -1012,10 +1029,7 @@ impl DirectStream<net::TcpStream> { impl<S> DirectStream<S> { fn new_base(ssl: Ssl, stream: S, sock: c_int) -> Result<DirectStream<S>, SslError> { unsafe { - let bio = ffi::BIO_new_socket(sock, 0); - if bio == ptr::null_mut() { - return Err(SslError::get()); - } + let bio = try_ssl_null!(ffi::BIO_new_socket(sock, 0)); ffi::SSL_set_bio(ssl.ssl, bio, bio); } diff --git a/openssl/src/ssl/tests.rs b/openssl/src/ssl/tests.rs index 9198a642..033a3b86 100644 --- a/openssl/src/ssl/tests.rs +++ b/openssl/src/ssl/tests.rs @@ -1,12 +1,13 @@ #![allow(unused_imports)] -use std::net::TcpStream; -use std::io; +use std::fs::File; use std::io::prelude::*; +use std::io::{self, BufReader}; +use std::iter; +use std::net::{TcpStream, TcpListener, SocketAddr}; use std::path::Path; -use std::net::TcpListener; +use std::process::{Command, Child, Stdio, ChildStdin}; use std::thread; -use std::fs::File; use crypto::hash::Type::{SHA256}; use ssl; @@ -26,20 +27,140 @@ use ssl::SslMethod::Dtlsv1; #[cfg(feature="sslv2")] use ssl::SslMethod::Sslv2; #[cfg(feature="dtlsv1")] -use connected_socket::Connect; +use net2::UdpSocketExt; -#[cfg(feature = "dtlsv1")] -mod udp { +fn next_addr() -> SocketAddr { use std::sync::atomic::{AtomicUsize, ATOMIC_USIZE_INIT, Ordering}; + static PORT: AtomicUsize = ATOMIC_USIZE_INIT; + let port = 15411 + PORT.fetch_add(1, Ordering::SeqCst); + + format!("127.0.0.1:{}", port).parse().unwrap() +} + +struct Server { + p: Child, +} + +impl Server { + fn spawn(args: &[&str], input: Option<Box<FnMut(ChildStdin) + Send>>) + -> (Server, SocketAddr) { + let addr = next_addr(); + let mut child = Command::new("openssl").arg("s_server") + .arg("-accept").arg(addr.port().to_string()) + .args(args) + .arg("-cert").arg("cert.pem") + .arg("-key").arg("key.pem") + .arg("-no_dhe") + .current_dir("test") + .stdout(Stdio::null()) + .stderr(Stdio::null()) + .stdin(Stdio::piped()) + .spawn().unwrap(); + let stdin = child.stdin.take().unwrap(); + if let Some(mut input) = input { + thread::spawn(move || input(stdin)); + } + (Server { p: child }, addr) + } - static UDP_PORT: AtomicUsize = ATOMIC_USIZE_INIT; + fn new_tcp(args: &[&str]) -> (Server, TcpStream) { + let (server, addr) = Server::spawn(args, None); + loop { + match TcpStream::connect(&addr) { + Ok(s) => return (server, s), + Err(ref e) if e.kind() == io::ErrorKind::ConnectionRefused => { + thread::sleep_ms(100); + } + Err(e) => panic!("wut: {}", e), + } + } + } + + fn new() -> (Server, TcpStream) { + Server::new_tcp(&["-www"]) + } - pub fn next_server<'a>() -> String { - let diff = UDP_PORT.fetch_add(1, Ordering::SeqCst); - format!("127.0.0.1:{}", 15411 + diff) + #[cfg(any(feature = "alpn", feature = "npn"))] + fn new_alpn() -> (Server, TcpStream) { + Server::new_tcp(&["-www", "-nextprotoneg", "http/1.1,spdy/3.1", + "-alpn", "http/1.1,spdy/3.1"]) + } + + #[cfg(feature = "dtlsv1")] + fn new_dtlsv1<I>(input: I) -> (Server, UdpConnected) + where I: IntoIterator<Item=&'static str>, + I::IntoIter: Send + 'static + { + let mut input = input.into_iter(); + let (s, addr) = Server::spawn(&["-dtls1"], Some(Box::new(move |mut io| { + for s in input.by_ref() { + if io.write_all(s.as_bytes()).is_err() { + break + } + } + }))); + // Need to wait for the UDP socket to get bound in our child process, + // but don't currently have a great way to do that so just wait for a + // bit. + thread::sleep_ms(100); + let socket = UdpSocket::bind(next_addr()).unwrap(); + socket.connect(&addr).unwrap(); + (s, UdpConnected(socket)) } } +impl Drop for Server { + fn drop(&mut self) { + let _ = self.p.kill(); + let _ = self.p.wait(); + } +} + +#[cfg(feature = "dtlsv1")] +struct UdpConnected(UdpSocket); + +#[cfg(feature = "dtlsv1")] +impl Read for UdpConnected { + fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { + self.0.recv_from(buf).map(|(s, _)| s) + } +} + +#[cfg(feature = "dtlsv1")] +impl Write for UdpConnected { + #[cfg(unix)] + fn write(&mut self, buf: &[u8]) -> io::Result<usize> { + use std::os::unix::prelude::*; + use libc; + let n = unsafe { + libc::send(self.0.as_raw_fd(), buf.as_ptr() as *const _, + buf.len() as libc::size_t, 0) + }; + if n < 0 { + Err(io::Error::last_os_error()) + } else { + Ok(n as usize) + } + } + + #[cfg(windows)] + fn write(&mut self, buf: &[u8]) -> io::Result<usize> { + use std::os::windows::prelude::*; + use libc; + let n = unsafe { + libc::send(self.0.as_raw_socket(), buf.as_ptr() as *const _, + buf.len() as libc::c_int, 0) + }; + if n < 0 { + Err(io::Error::last_os_error()) + } else { + Ok(n as usize) + } + } + + fn flush(&mut self) -> io::Result<()> { Ok(()) } +} + macro_rules! run_test( ($module:ident, $blk:expr) => ( #[cfg(test)] @@ -56,22 +177,18 @@ macro_rules! run_test( use crypto::hash::Type::SHA256; use x509::X509StoreContext; use serialize::hex::FromHex; + use super::Server; #[test] fn sslv23() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, stream) = Server::new(); $blk(SslMethod::Sslv23, stream); } #[test] #[cfg(feature="dtlsv1")] fn dtlsv1() { - use connected_socket::Connect; - - let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); - let server = super::udp::next_server(); - let stream = sock.connect(&server[..]).unwrap(); - + let (_s, stream) = Server::new_dtlsv1(Some("hello")); $blk(SslMethod::Dtlsv1, stream); } } @@ -244,7 +361,7 @@ run_test!(verify_callback_data, |method, stream| { // Make sure every write call translates to a write call to the underlying socket. #[test] fn test_write_hits_stream() { - let listener = TcpListener::bind("localhost:0").unwrap(); + let listener = TcpListener::bind(next_addr()).unwrap(); let addr = listener.local_addr().unwrap(); let guard = thread::spawn(move || { @@ -314,7 +431,7 @@ run_test!(clear_ctx_options, |method, _| { #[test] fn test_write() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, stream) = Server::new(); let mut stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write_all("hello".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -324,7 +441,7 @@ fn test_write() { #[test] fn test_write_direct() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, stream) = Server::new(); let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), stream).unwrap(); stream.write_all("hello".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -333,7 +450,8 @@ fn test_write_direct() { } run_test!(get_peer_certificate, |method, stream| { - let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), stream).unwrap(); + let stream = SslStream::connect_generic(&SslContext::new(method).unwrap(), + stream).unwrap(); let cert = stream.get_peer_certificate().unwrap(); let fingerprint = cert.fingerprint(SHA256).unwrap(); let node_hash_str = "db400bb62f1b1f29c3b8f323b8f7d9dea724fdcd67104ef549c772ae3749655b"; @@ -344,19 +462,19 @@ run_test!(get_peer_certificate, |method, stream| { #[test] #[cfg(feature = "dtlsv1")] fn test_write_dtlsv1() { - let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); - let stream = sock.connect("127.0.0.1:15410").unwrap(); + let (_s, stream) = Server::new_dtlsv1(iter::repeat("y\n")); - let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); - stream.write_all("hello".as_bytes()).unwrap(); + let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), + stream).unwrap(); + stream.write_all(b"hello").unwrap(); stream.flush().unwrap(); - stream.write_all(" there".as_bytes()).unwrap(); + stream.write_all(b" there").unwrap(); stream.flush().unwrap(); } #[test] fn test_read() { - let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, tcp) = Server::new(); let mut stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -365,7 +483,7 @@ fn test_read() { #[test] fn test_read_direct() { - let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, tcp) = Server::new(); let mut stream = SslStream::connect(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -374,7 +492,7 @@ fn test_read_direct() { #[test] fn test_pending() { - let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, tcp) = Server::new(); let mut stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); stream.write_all("GET /\r\n\r\n".as_bytes()).unwrap(); stream.flush().unwrap(); @@ -397,18 +515,18 @@ fn test_pending() { #[test] fn test_state() { - let tcp = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, tcp) = Server::new(); let stream = SslStream::connect_generic(&SslContext::new(Sslv23).unwrap(), tcp).unwrap(); assert_eq!(stream.get_state_string(), "SSLOK "); assert_eq!(stream.get_state_string_long(), "SSL negotiation finished successfully"); } -/// Tests that connecting with the client using NPN, but the server not does not +/// Tests that connecting with the client using ALPN, but the server not does not /// break the existing connection behavior. #[test] #[cfg(feature = "alpn")] fn test_connect_with_unilateral_alpn() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, stream) = Server::new(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); @@ -420,7 +538,7 @@ fn test_connect_with_unilateral_alpn() { Ok(stream) => stream, Err(err) => panic!("Expected success, got {:?}", err) }; - // Since the socket to which we connected is not configured to use NPN, + // Since the socket to which we connected is not configured to use ALPN, // there should be no selected protocol... assert!(stream.get_selected_alpn_protocol().is_none()); } @@ -430,7 +548,7 @@ fn test_connect_with_unilateral_alpn() { #[test] #[cfg(feature = "npn")] fn test_connect_with_unilateral_npn() { - let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); + let (_s, stream) = Server::new(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]); @@ -452,9 +570,7 @@ fn test_connect_with_unilateral_npn() { #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_multiple_matching() { - // A different port than the other tests: an `openssl` process that has - // NPN enabled. - let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]); @@ -476,9 +592,7 @@ fn test_connect_with_alpn_successful_multiple_matching() { #[test] #[cfg(feature = "npn")] fn test_connect_with_npn_successful_multiple_matching() { - // A different port than the other tests: an `openssl` process that has - // NPN enabled. - let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]); @@ -501,9 +615,7 @@ fn test_connect_with_npn_successful_multiple_matching() { #[test] #[cfg(feature = "alpn")] fn test_connect_with_alpn_successful_single_match() { - // A different port than the other tests: an `openssl` process that has - // ALPN enabled. - let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_alpn_protocols(&[b"spdy/3.1"]); @@ -527,9 +639,7 @@ fn test_connect_with_alpn_successful_single_match() { #[test] #[cfg(feature = "npn")] fn test_connect_with_npn_successful_single_match() { - // A different port than the other tests: an `openssl` process that has - // NPN enabled. - let stream = TcpStream::connect("127.0.0.1:15419").unwrap(); + let (_s, stream) = Server::new_alpn(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SSL_VERIFY_PEER, None); ctx.set_npn_protocols(&[b"spdy/3.1"]); @@ -551,8 +661,8 @@ fn test_connect_with_npn_successful_single_match() { #[test] #[cfg(feature = "npn")] fn test_npn_server_advertise_multiple() { - let localhost = "127.0.0.1:15450"; - let listener = TcpListener::bind(localhost).unwrap(); + let listener = TcpListener::bind(next_addr()).unwrap(); + let localhost = listener.local_addr().unwrap(); // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::new(Sslv23).unwrap(); @@ -592,8 +702,8 @@ fn test_npn_server_advertise_multiple() { #[test] #[cfg(feature = "alpn")] fn test_alpn_server_advertise_multiple() { - let localhost = "127.0.0.1:15421"; - let listener = TcpListener::bind(localhost).unwrap(); + let listener = TcpListener::bind(next_addr()).unwrap(); + let localhost = listener.local_addr().unwrap(); // We create a different context instance for the server... let listener_ctx = { let mut ctx = SslContext::new(Sslv23).unwrap(); @@ -628,6 +738,49 @@ fn test_alpn_server_advertise_multiple() { assert_eq!(b"spdy/3.1", stream.get_selected_alpn_protocol().unwrap()); } +/// Test that Servers supporting ALPN don't report a protocol when none of their protocols match +/// the client's reported protocol. +#[test] +#[cfg(feature = "alpn")] +fn test_alpn_server_select_none() { + let listener = TcpListener::bind(next_addr()).unwrap(); + let localhost = listener.local_addr().unwrap(); + // We create a different context instance for the server... + let listener_ctx = { + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SSL_VERIFY_PEER, None); + ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]); + assert!(ctx.set_certificate_file( + &Path::new("test/cert.pem"), X509FileType::PEM).is_ok()); + ctx.set_private_key_file( + &Path::new("test/key.pem"), X509FileType::PEM).unwrap(); + ctx + }; + // Have the listener wait on the connection in a different thread. + thread::spawn(move || { + let (stream, _) = listener.accept().unwrap(); + let _ = SslStream::accept(&listener_ctx, stream).unwrap(); + }); + + let mut ctx = SslContext::new(Sslv23).unwrap(); + ctx.set_verify(SSL_VERIFY_PEER, None); + ctx.set_alpn_protocols(&[b"http/2"]); + match ctx.set_CA_file(&Path::new("test/cert.pem")) { + Ok(_) => {} + Err(err) => panic!("Unexpected error {:?}", err) + } + // Now connect to the socket and make sure the protocol negotiation works... + let stream = TcpStream::connect(localhost).unwrap(); + let stream = match SslStream::new(&ctx, stream) { + Ok(stream) => stream, + Err(err) => panic!("Expected success, got {:?}", err) + }; + + // Since the protocols from the server and client don't overlap at all, no protocol is selected + assert_eq!(None, stream.get_selected_alpn_protocol()); +} + + #[cfg(feature="dtlsv1")] #[cfg(test)] mod dtlsv1 { @@ -653,9 +806,7 @@ mod dtlsv1 { #[test] #[cfg(feature = "dtlsv1")] fn test_read_dtlsv1() { - let sock = UdpSocket::bind("127.0.0.1:0").unwrap(); - let server = udp::next_server(); - let stream = sock.connect(&server[..]).unwrap(); + let (_s, stream) = Server::new_dtlsv1(Some("hello")); let mut stream = SslStream::connect_generic(&SslContext::new(Dtlsv1).unwrap(), stream).unwrap(); let mut buf = [0u8;100]; @@ -665,6 +816,6 @@ fn test_read_dtlsv1() { #[test] #[cfg(feature = "sslv2")] fn test_sslv2_connect_failure() { - let tcp = TcpStream::connect("127.0.0.1:15420").unwrap(); + let (_s, tcp) = Server::new_tcp(&["-no_ssl2", "-www"]); SslStream::connect_generic(&SslContext::new(Sslv2).unwrap(), tcp).err().unwrap(); } |