tls-async 0.3.0-alpha.7

TLS support for AsyncRead/AsyncWrite using native-tls
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

#![feature(async_await)]
use std::net::ToSocketAddrs;

use cfg_if::cfg_if;
use futures::{FutureExt, TryFutureExt};
use romio::TcpStream;
use tls_async::{Error, TlsConnector};

fn check_cause(err: Error, s: &str) {
    match err {
        Error::Handshake(e) => {
            let err = e.to_string();
            assert!(e.to_string().contains(s), "Error {} did not contain {}", err, s);
        }
        _ => panic!("Error {:?} was not a handshake error")
    }
}

macro_rules! t {
    ($e:expr) => (match $e {
        Ok(e) => e,
        Err(e) => panic!("{} failed with {:?}", stringify!($e), e),
    })
}

cfg_if! {
    if #[cfg(feature = "force-rustls")] {
        fn assert_expired_error(err: Error) {
            check_cause(err, "CertExpired");
        }

        fn assert_wrong_host(err: Error) {
            check_cause(err, "CertNotValidForName");
        }

        fn assert_self_signed(err: Error) {
            check_cause(err, "UnknownIssuer");
        }

        fn assert_untrusted_root(err: Error) {
            check_cause(err, "UnknownIssuer");
        }
    } else if #[cfg(any(feature = "force-openssl",
                        all(not(target_os = "macos"),
                            not(target_os = "windows"),
                            not(target_os = "ios"))))] {
        use openssl;

        fn verify_failed(err: Error) {
            check_cause(err, "certificate verify failed")        ;
        }

        use self::verify_failed as assert_expired_error;
        use self::verify_failed as assert_wrong_host;
        use self::verify_failed as assert_self_signed;
        use self::verify_failed as assert_untrusted_root;
    } else if #[cfg(any(target_os = "macos", target_os = "ios"))] {

        fn assert_invalid_cert_chain(err: Error) {
            check_cause(err, "was not trusted.");
        }

        use self::assert_invalid_cert_chain as assert_expired_error;
        use self::assert_invalid_cert_chain as assert_wrong_host;
        use self::assert_invalid_cert_chain as assert_self_signed;
        use self::assert_invalid_cert_chain as assert_untrusted_root;
    } else {
        fn assert_expired_error(err: Error) {
            check_cause(err, "system clock");
        }

        fn assert_wrong_host(err: Error) {
            check_cause(err, "CN name");
        }

        fn assert_self_signed(err: Error) {
            check_cause(err, "root certificate which is not trusted");
        }

        use self::assert_self_signed as assert_untrusted_root;
    }
}

async fn get_host(host: String) -> Result<(), Error> {
    drop(env_logger::try_init());

    let addr = format!("{}:443", host);
    let addr = t!(addr.to_socket_addrs()).next().unwrap();

    let socket = t!(TcpStream::connect(&addr).await);
    let builder = TlsConnector::builder();
    let cx = t!(builder.build());
    cx.connect(&host, socket).await?;
    Ok(())
}

#[test]
fn expired() {
    let fut_res = async {
        get_host("expired.badssl.com".to_owned()).await
    };
    let mut rt = t!(tokio::runtime::Runtime::new());
    let res = rt.block_on(fut_res.boxed().compat());

    assert!(res.is_err());
    assert_expired_error(res.err().unwrap());
}

// TODO: the OSX builders on Travis apparently fail this tests spuriously?
//       passes locally though? Seems... bad!
#[test]
#[cfg_attr(all(target_os = "macos", feature = "force-openssl"), ignore)]
fn wrong_host() {
    let fut_res = async {
        get_host("wrong.host.badssl.com".to_owned()).await
    };
    let mut rt = t!(tokio::runtime::Runtime::new());
    let res = rt.block_on(fut_res.boxed().compat());

    assert!(res.is_err());
    assert_wrong_host(res.err().unwrap());
}

#[test]
fn self_signed() {
    let fut_res = async {
        get_host("self-signed.badssl.com".to_owned()).await
    };
    let mut rt = t!(tokio::runtime::Runtime::new());
    let res = rt.block_on(fut_res.boxed().compat());

    assert!(res.is_err());
    assert_self_signed(res.err().unwrap());
}

#[test]
fn untrusted_root() {
    let fut_res = async {
        get_host("untrusted-root.badssl.com".to_owned()).await
    };
    let mut rt = t!(tokio::runtime::Runtime::new());
    let res = rt.block_on(fut_res.boxed().compat());

    assert!(res.is_err());
    assert_untrusted_root(res.err().unwrap());
}