native-ossl 0.1.1

Native Rust idiomatic bindings to OpenSSL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! TLS example — in-process TLS 1.3 handshake using paired memory BIOs.
//!
//! Creates a self-signed Ed25519 certificate, configures client and server
//! `SslCtx` objects, and drives a full TLS 1.3 handshake in a single thread
//! using `BIO_new_bio_pair` (via `Bio::new_pair`).
//!
//! Run with: cargo run --example ssl -p native-ossl

use native_ossl::bio::Bio;
use native_ossl::pkey::KeygenCtx;
use native_ossl::ssl::{SslCtx, SslIoError, SslVerifyMode, TlsVersion};
use native_ossl::x509::{X509Builder, X509NameOwned};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // ── Key pair and self-signed certificate ───────────────────────────────────

    let mut kgen = KeygenCtx::new(c"ED25519")?;
    let priv_key = kgen.generate()?;
    let pub_key = native_ossl::pkey::Pkey::<native_ossl::pkey::Public>::from(priv_key.clone());

    let mut name = X509NameOwned::new()?;
    name.add_entry_by_txt(c"CN", b"localhost")?;

    let cert = X509Builder::new()?
        .set_version(2)?
        .set_serial_number(1)?
        .set_not_before_offset(0)?
        .set_not_after_offset(86400)?
        .set_subject_name(&name)?
        .set_issuer_name(&name)?
        .set_public_key(&pub_key)?
        .sign(&priv_key, None)?
        .build();

    // ── Server context ─────────────────────────────────────────────────────────

    let server_ctx = SslCtx::new_server()?;
    server_ctx.set_min_proto_version(TlsVersion::Tls13)?;
    server_ctx.use_certificate(&cert)?;
    server_ctx.use_private_key(&priv_key)?;
    server_ctx.check_private_key()?;

    // ── Client context ─────────────────────────────────────────────────────────

    let client_ctx = SslCtx::new_client()?;
    client_ctx.set_min_proto_version(TlsVersion::Tls13)?;
    // Skip certificate verification for this self-signed example.
    client_ctx.set_verify(SslVerifyMode::NONE);

    // ── SSL objects ────────────────────────────────────────────────────────────

    let mut client = client_ctx.new_ssl()?;
    let mut server = server_ctx.new_ssl()?;

    client.set_connect_state();
    client.set_hostname(c"localhost")?;
    server.set_accept_state();

    // ── In-process BIO pair ────────────────────────────────────────────────────
    // Data written to client_bio is readable from server_bio and vice-versa.

    let (client_bio, server_bio) = Bio::new_pair()?;
    client.set_bio_duplex(client_bio);
    server.set_bio_duplex(server_bio);

    // ── Drive the handshake ────────────────────────────────────────────────────
    // Alternate between client and server until both report success.

    let mut client_done = false;
    let mut server_done = false;

    for step in 0..20 {
        if !client_done {
            match client.connect() {
                Ok(()) => {
                    client_done = true;
                    println!("Client handshake done at step {step}");
                }
                Err(SslIoError::WantRead | SslIoError::WantWrite) => {}
                Err(e) => return Err(format!("client error: {e}").into()),
            }
        }
        if !server_done {
            match server.accept() {
                Ok(()) => {
                    server_done = true;
                    println!("Server handshake done at step {step}");
                }
                Err(SslIoError::WantRead | SslIoError::WantWrite) => {}
                Err(e) => return Err(format!("server error: {e}").into()),
            }
        }
        if client_done && server_done {
            break;
        }
    }
    assert!(client_done && server_done, "handshake did not complete");

    // ── Inspect the peer certificate on the client ─────────────────────────────

    if let Some(peer_cert) = client.peer_certificate() {
        if let Some(subject) = peer_cert.subject_name().to_string() {
            println!("Server cert subject: {subject}");
        }
    }

    // ── Application data exchange ──────────────────────────────────────────────

    let request = b"GET / HTTP/1.0\r\n\r\n";
    let response = b"HTTP/1.0 200 OK\r\n\r\nHello, TLS!";

    let written = client.write(request)?;
    assert_eq!(written, request.len());

    let mut rbuf = [0u8; 64];
    let n = server.read(&mut rbuf)?;
    assert_eq!(&rbuf[..n], request);
    println!("Server received: {:?}", std::str::from_utf8(&rbuf[..n])?);

    let written = server.write(response)?;
    assert_eq!(written, response.len());

    let n = client.read(&mut rbuf)?;
    assert_eq!(&rbuf[..n], response);
    println!("Client received: {:?}", std::str::from_utf8(&rbuf[..n])?);

    println!("In-process TLS 1.3 round-trip: OK");

    Ok(())
}