1 use super::base::{Payload, PayloadU16, PayloadU24, PayloadU8};
2 use super::codec::{put_u16, Codec, Reader};
3 use super::enums::*;
4 use super::handshake::*;
5 use crate::key::Certificate;
6 use webpki::DnsNameRef;
7
8 use std::mem;
9
10 #[test]
rejects_short_random()11 fn rejects_short_random() {
12 let bytes = [0x01; 31];
13 let mut rd = Reader::init(&bytes);
14 assert_eq!(Random::read(&mut rd), None);
15 }
16
17 #[test]
reads_random()18 fn reads_random() {
19 let bytes = [0x01; 32];
20 let mut rd = Reader::init(&bytes);
21 let rnd = Random::read(&mut rd).unwrap();
22 println!("{:?}", rnd);
23
24 assert_eq!(rd.any_left(), false);
25 }
26
27 #[test]
rejects_truncated_sessionid()28 fn rejects_truncated_sessionid() {
29 let bytes = [32; 32];
30 let mut rd = Reader::init(&bytes);
31 assert_eq!(SessionID::read(&mut rd), None);
32 }
33
34 #[test]
rejects_sessionid_with_bad_length()35 fn rejects_sessionid_with_bad_length() {
36 let bytes = [33; 33];
37 let mut rd = Reader::init(&bytes);
38 assert_eq!(SessionID::read(&mut rd), None);
39 }
40
41 #[test]
sessionid_with_different_lengths_are_unequal()42 fn sessionid_with_different_lengths_are_unequal() {
43 let a = SessionID::read(&mut Reader::init(&[1u8, 1])).unwrap();
44 let b = SessionID::read(&mut Reader::init(&[2u8, 1, 2])).unwrap();
45 assert_eq!(a, a);
46 assert_eq!(b, b);
47 assert_ne!(a, b);
48 }
49
50 #[test]
accepts_short_sessionid()51 fn accepts_short_sessionid() {
52 let bytes = [1; 2];
53 let mut rd = Reader::init(&bytes);
54 let sess = SessionID::read(&mut rd).unwrap();
55 println!("{:?}", sess);
56
57 assert_eq!(sess.is_empty(), false);
58 assert_eq!(sess.len(), 1);
59 assert_eq!(rd.any_left(), false);
60 }
61
62 #[test]
accepts_empty_sessionid()63 fn accepts_empty_sessionid() {
64 let bytes = [0; 1];
65 let mut rd = Reader::init(&bytes);
66 let sess = SessionID::read(&mut rd).unwrap();
67 println!("{:?}", sess);
68
69 assert_eq!(sess.is_empty(), true);
70 assert_eq!(sess.len(), 0);
71 assert_eq!(rd.any_left(), false);
72 }
73
74 #[test]
can_roundtrip_unknown_client_ext()75 fn can_roundtrip_unknown_client_ext() {
76 let bytes = [0x12u8, 0x34u8, 0, 3, 1, 2, 3];
77 let mut rd = Reader::init(&bytes);
78 let ext = ClientExtension::read(&mut rd).unwrap();
79
80 println!("{:?}", ext);
81 assert_eq!(ext.get_type(), ExtensionType::Unknown(0x1234));
82 assert_eq!(bytes.to_vec(), ext.get_encoding());
83 }
84
85 #[test]
refuses_client_ext_with_unparsed_bytes()86 fn refuses_client_ext_with_unparsed_bytes() {
87 let bytes = [0x00u8, 0x0b, 0x00, 0x04, 0x02, 0xf8, 0x01, 0x02];
88 let mut rd = Reader::init(&bytes);
89 assert!(ClientExtension::read(&mut rd).is_none());
90 }
91
92 #[test]
refuses_server_ext_with_unparsed_bytes()93 fn refuses_server_ext_with_unparsed_bytes() {
94 let bytes = [0x00u8, 0x0b, 0x00, 0x04, 0x02, 0xf8, 0x01, 0x02];
95 let mut rd = Reader::init(&bytes);
96 assert!(ServerExtension::read(&mut rd).is_none());
97 }
98
99 #[test]
refuses_certificate_ext_with_unparsed_bytes()100 fn refuses_certificate_ext_with_unparsed_bytes() {
101 let bytes = [0x00u8, 0x12, 0x00, 0x03, 0x00, 0x00, 0x01];
102 let mut rd = Reader::init(&bytes);
103 assert!(CertificateExtension::read(&mut rd).is_none());
104 }
105
106 #[test]
refuses_certificate_req_ext_with_unparsed_bytes()107 fn refuses_certificate_req_ext_with_unparsed_bytes() {
108 let bytes = [0x00u8, 0x0d, 0x00, 0x05, 0x00, 0x02, 0x01, 0x02, 0xff];
109 let mut rd = Reader::init(&bytes);
110 assert!(CertReqExtension::read(&mut rd).is_none());
111 }
112
113 #[test]
refuses_helloreq_ext_with_unparsed_bytes()114 fn refuses_helloreq_ext_with_unparsed_bytes() {
115 let bytes = [0x00u8, 0x2b, 0x00, 0x03, 0x00, 0x00, 0x01];
116 let mut rd = Reader::init(&bytes);
117 assert!(HelloRetryExtension::read(&mut rd).is_none());
118 }
119
120 #[test]
refuses_newsessionticket_ext_with_unparsed_bytes()121 fn refuses_newsessionticket_ext_with_unparsed_bytes() {
122 let bytes = [0x00u8, 0x2a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x01];
123 let mut rd = Reader::init(&bytes);
124 assert!(NewSessionTicketExtension::read(&mut rd).is_none());
125 }
126
127 #[test]
can_roundtrip_single_sni()128 fn can_roundtrip_single_sni() {
129 let bytes = [0, 0, 0, 7, 0, 5, 0, 0, 2, 0x6c, 0x6f];
130 let mut rd = Reader::init(&bytes);
131 let ext = ClientExtension::read(&mut rd).unwrap();
132 println!("{:?}", ext);
133
134 assert_eq!(ext.get_type(), ExtensionType::ServerName);
135 assert_eq!(bytes.to_vec(), ext.get_encoding());
136 }
137
138 #[test]
can_round_trip_mixed_case_sni()139 fn can_round_trip_mixed_case_sni() {
140 let bytes = [0, 0, 0, 7, 0, 5, 0, 0, 2, 0x4c, 0x6f];
141 let mut rd = Reader::init(&bytes);
142 let ext = ClientExtension::read(&mut rd).unwrap();
143 println!("{:?}", ext);
144
145 assert_eq!(ext.get_type(), ExtensionType::ServerName);
146 assert_eq!(bytes.to_vec(), ext.get_encoding());
147 }
148
149 #[test]
can_roundtrip_other_sni_name_types()150 fn can_roundtrip_other_sni_name_types() {
151 let bytes = [0, 0, 0, 7, 0, 5, 1, 0, 02, 0x6c, 0x6f];
152 let mut rd = Reader::init(&bytes);
153 let ext = ClientExtension::read(&mut rd).unwrap();
154 println!("{:?}", ext);
155
156 assert_eq!(ext.get_type(), ExtensionType::ServerName);
157 assert_eq!(bytes.to_vec(), ext.get_encoding());
158 }
159
160 #[test]
get_single_hostname_returns_none_for_other_sni_name_types()161 fn get_single_hostname_returns_none_for_other_sni_name_types() {
162 let bytes = [0, 0, 0, 7, 0, 5, 1, 0, 02, 0x6c, 0x6f];
163 let mut rd = Reader::init(&bytes);
164 let ext = ClientExtension::read(&mut rd).unwrap();
165 println!("{:?}", ext);
166
167 assert_eq!(ext.get_type(), ExtensionType::ServerName);
168 if let ClientExtension::ServerName(snr) = ext {
169 assert!(!snr.has_duplicate_names_for_type());
170 assert!(snr.get_single_hostname().is_none());
171 } else {
172 unreachable!();
173 }
174 }
175
176 #[test]
can_roundtrip_multiname_sni()177 fn can_roundtrip_multiname_sni() {
178 let bytes = [0, 0, 0, 12, 0, 10, 0, 0, 2, 0x68, 0x69, 0, 0, 2, 0x6c, 0x6f];
179 let mut rd = Reader::init(&bytes);
180 let ext = ClientExtension::read(&mut rd).unwrap();
181 println!("{:?}", ext);
182
183 assert_eq!(ext.get_type(), ExtensionType::ServerName);
184 assert_eq!(bytes.to_vec(), ext.get_encoding());
185 match ext {
186 ClientExtension::ServerName(req) => {
187 assert_eq!(2, req.len());
188
189 assert!(req.has_duplicate_names_for_type());
190
191 let dns_name_str: &str = req
192 .get_single_hostname()
193 .unwrap()
194 .into();
195 assert_eq!(dns_name_str, "hi");
196
197 assert_eq!(req[0].typ, ServerNameType::HostName);
198 assert_eq!(req[1].typ, ServerNameType::HostName);
199 }
200 _ => unreachable!(),
201 }
202 }
203
204 #[test]
rejects_truncated_sni()205 fn rejects_truncated_sni() {
206 let bytes = [0, 0, 0, 1, 0];
207 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
208
209 let bytes = [0, 0, 0, 2, 0, 1];
210 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
211
212 let bytes = [0, 0, 0, 3, 0, 1, 0];
213 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
214
215 let bytes = [0, 0, 0, 4, 0, 2, 0, 0];
216 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
217
218 let bytes = [0, 0, 0, 5, 0, 3, 0, 0, 0];
219 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
220
221 let bytes = [0, 0, 0, 5, 0, 3, 0, 0, 1];
222 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
223
224 let bytes = [0, 0, 0, 6, 0, 4, 0, 0, 2, 0x68];
225 assert!(ClientExtension::read(&mut Reader::init(&bytes)).is_none());
226 }
227
228 #[test]
can_roundtrip_psk_identity()229 fn can_roundtrip_psk_identity() {
230 let bytes = [0, 0, 0x11, 0x22, 0x33, 0x44];
231 let psk_id = PresharedKeyIdentity::read(&mut Reader::init(&bytes)).unwrap();
232 println!("{:?}", psk_id);
233 assert_eq!(psk_id.obfuscated_ticket_age, 0x11223344);
234 assert_eq!(psk_id.get_encoding(), bytes.to_vec());
235
236 let bytes = [0, 5, 0x1, 0x2, 0x3, 0x4, 0x5, 0x11, 0x22, 0x33, 0x44];
237 let psk_id = PresharedKeyIdentity::read(&mut Reader::init(&bytes)).unwrap();
238 println!("{:?}", psk_id);
239 assert_eq!(psk_id.identity.0, vec![0x1, 0x2, 0x3, 0x4, 0x5]);
240 assert_eq!(psk_id.obfuscated_ticket_age, 0x11223344);
241 assert_eq!(psk_id.get_encoding(), bytes.to_vec());
242 }
243
244 #[test]
can_roundtrip_psk_offer()245 fn can_roundtrip_psk_offer() {
246 let bytes = [
247 0, 7, 0, 1, 0x99, 0x11, 0x22, 0x33, 0x44, 0, 4, 3, 0x01, 0x02, 0x3,
248 ];
249 let psko = PresharedKeyOffer::read(&mut Reader::init(&bytes)).unwrap();
250 println!("{:?}", psko);
251
252 assert_eq!(psko.identities.len(), 1);
253 assert_eq!(psko.identities[0].identity.0, vec![0x99]);
254 assert_eq!(psko.identities[0].obfuscated_ticket_age, 0x11223344);
255 assert_eq!(psko.binders.len(), 1);
256 assert_eq!(psko.binders[0].0, vec![1, 2, 3]);
257 assert_eq!(psko.get_encoding(), bytes.to_vec());
258 }
259
260 #[test]
can_roundtrip_certstatusreq_for_ocsp()261 fn can_roundtrip_certstatusreq_for_ocsp() {
262 let ext = ClientExtension::CertificateStatusRequest(CertificateStatusRequest::build_ocsp());
263 println!("{:?}", ext);
264
265 let bytes = [
266 0, 5, // CertificateStatusRequest
267 0, 11, 1, // OCSP
268 0, 5, 0, 3, 0, 1, 1, 0, 1, 2,
269 ];
270
271 let csr = ClientExtension::read(&mut Reader::init(&bytes)).unwrap();
272 println!("{:?}", csr);
273 assert_eq!(csr.get_encoding(), bytes.to_vec());
274 }
275
276 #[test]
can_roundtrip_certstatusreq_for_other()277 fn can_roundtrip_certstatusreq_for_other() {
278 let bytes = [
279 0, 5, // CertificateStatusRequest
280 0, 5, 2, // !OCSP
281 1, 2, 3, 4,
282 ];
283
284 let csr = ClientExtension::read(&mut Reader::init(&bytes)).unwrap();
285 println!("{:?}", csr);
286 assert_eq!(csr.get_encoding(), bytes.to_vec());
287 }
288
289 #[test]
can_roundtrip_multi_proto()290 fn can_roundtrip_multi_proto() {
291 let bytes = [0, 16, 0, 8, 0, 6, 2, 0x68, 0x69, 2, 0x6c, 0x6f];
292 let mut rd = Reader::init(&bytes);
293 let ext = ClientExtension::read(&mut rd).unwrap();
294 println!("{:?}", ext);
295
296 assert_eq!(ext.get_type(), ExtensionType::ALProtocolNegotiation);
297 assert_eq!(ext.get_encoding(), bytes.to_vec());
298 match ext {
299 ClientExtension::Protocols(prot) => {
300 assert_eq!(2, prot.len());
301 assert_eq!(vec![b"hi", b"lo"], prot.to_slices());
302 assert_eq!(prot.as_single_slice(), None);
303 }
304 _ => unreachable!(),
305 }
306 }
307
308 #[test]
can_roundtrip_single_proto()309 fn can_roundtrip_single_proto() {
310 let bytes = [0, 16, 0, 5, 0, 3, 2, 0x68, 0x69];
311 let mut rd = Reader::init(&bytes);
312 let ext = ClientExtension::read(&mut rd).unwrap();
313 println!("{:?}", ext);
314
315 assert_eq!(ext.get_type(), ExtensionType::ALProtocolNegotiation);
316 assert_eq!(bytes.to_vec(), ext.get_encoding());
317 match ext {
318 ClientExtension::Protocols(prot) => {
319 assert_eq!(1, prot.len());
320 assert_eq!(vec![b"hi"], prot.to_slices());
321 assert_eq!(prot.as_single_slice(), Some(&b"hi"[..]));
322 }
323 _ => unreachable!(),
324 }
325 }
326
327 #[test]
decomposed_signature_scheme_has_correct_mappings()328 fn decomposed_signature_scheme_has_correct_mappings() {
329 assert_eq!(
330 SignatureScheme::make(SignatureAlgorithm::RSA, HashAlgorithm::SHA1),
331 SignatureScheme::RSA_PKCS1_SHA1
332 );
333 assert_eq!(
334 SignatureScheme::make(SignatureAlgorithm::RSA, HashAlgorithm::SHA256),
335 SignatureScheme::RSA_PKCS1_SHA256
336 );
337 assert_eq!(
338 SignatureScheme::make(SignatureAlgorithm::RSA, HashAlgorithm::SHA384),
339 SignatureScheme::RSA_PKCS1_SHA384
340 );
341 assert_eq!(
342 SignatureScheme::make(SignatureAlgorithm::RSA, HashAlgorithm::SHA512),
343 SignatureScheme::RSA_PKCS1_SHA512
344 );
345
346 assert_eq!(
347 SignatureScheme::make(SignatureAlgorithm::ECDSA, HashAlgorithm::SHA256),
348 SignatureScheme::ECDSA_NISTP256_SHA256
349 );
350 assert_eq!(
351 SignatureScheme::make(SignatureAlgorithm::ECDSA, HashAlgorithm::SHA384),
352 SignatureScheme::ECDSA_NISTP384_SHA384
353 );
354 assert_eq!(
355 SignatureScheme::make(SignatureAlgorithm::ECDSA, HashAlgorithm::SHA512),
356 SignatureScheme::ECDSA_NISTP521_SHA512
357 );
358 }
359
get_sample_clienthellopayload() -> ClientHelloPayload360 fn get_sample_clienthellopayload() -> ClientHelloPayload {
361 ClientHelloPayload {
362 client_version: ProtocolVersion::TLSv1_2,
363 random: Random::from([0; 32]),
364 session_id: SessionID::empty(),
365 cipher_suites: vec![CipherSuite::TLS_NULL_WITH_NULL_NULL],
366 compression_methods: vec![Compression::Null],
367 extensions: vec![
368 ClientExtension::ECPointFormats(ECPointFormatList::supported()),
369 ClientExtension::NamedGroups(vec![NamedGroup::X25519]),
370 ClientExtension::SignatureAlgorithms(vec![SignatureScheme::ECDSA_NISTP256_SHA256]),
371 ClientExtension::make_sni(DnsNameRef::try_from_ascii_str("hello").unwrap()),
372 ClientExtension::SessionTicket(ClientSessionTicket::Request),
373 ClientExtension::SessionTicket(ClientSessionTicket::Offer(Payload(vec![]))),
374 ClientExtension::Protocols(vec![PayloadU8(vec![0])]),
375 ClientExtension::SupportedVersions(vec![ProtocolVersion::TLSv1_3]),
376 ClientExtension::KeyShare(vec![KeyShareEntry::new(NamedGroup::X25519, &[1, 2, 3])]),
377 ClientExtension::PresharedKeyModes(vec![PSKKeyExchangeMode::PSK_DHE_KE]),
378 ClientExtension::PresharedKey(PresharedKeyOffer {
379 identities: vec![
380 PresharedKeyIdentity::new(vec![3, 4, 5], 123456),
381 PresharedKeyIdentity::new(vec![6, 7, 8], 7891011),
382 ],
383 binders: vec![
384 PresharedKeyBinder::new(vec![1, 2, 3]),
385 PresharedKeyBinder::new(vec![3, 4, 5]),
386 ],
387 }),
388 ClientExtension::Cookie(PayloadU16(vec![1, 2, 3])),
389 ClientExtension::ExtendedMasterSecretRequest,
390 ClientExtension::CertificateStatusRequest(CertificateStatusRequest::build_ocsp()),
391 ClientExtension::SignedCertificateTimestampRequest,
392 ClientExtension::TransportParameters(vec![1, 2, 3]),
393 ClientExtension::Unknown(UnknownExtension {
394 typ: ExtensionType::Unknown(12345),
395 payload: Payload(vec![1, 2, 3]),
396 }),
397 ],
398 }
399 }
400
401 #[test]
can_print_all_clientextensions()402 fn can_print_all_clientextensions() {
403 println!("client hello {:?}", get_sample_clienthellopayload());
404 }
405
406 #[test]
can_clone_all_clientextensions()407 fn can_clone_all_clientextensions() {
408 let _ = get_sample_serverhellopayload()
409 .extensions
410 .clone();
411 }
412
413 #[test]
client_has_duplicate_extensions_works()414 fn client_has_duplicate_extensions_works() {
415 let mut chp = get_sample_clienthellopayload();
416 assert!(chp.has_duplicate_extension()); // due to SessionTicketRequest/SessionTicketOffer
417
418 chp.extensions.drain(1..);
419 assert!(!chp.has_duplicate_extension());
420
421 chp.extensions = vec![];
422 assert!(!chp.has_duplicate_extension());
423 }
424
425 #[test]
test_truncated_psk_offer()426 fn test_truncated_psk_offer() {
427 let ext = ClientExtension::PresharedKey(PresharedKeyOffer {
428 identities: vec![PresharedKeyIdentity::new(vec![3, 4, 5], 123456)],
429 binders: vec![PresharedKeyBinder::new(vec![1, 2, 3])],
430 });
431
432 let mut enc = ext.get_encoding();
433 println!("testing {:?} enc {:?}", ext, enc);
434 for l in 0..enc.len() {
435 if l == 9 {
436 continue;
437 }
438 put_u16(l as u16, &mut enc[4..]);
439 let rc = ClientExtension::read_bytes(&enc);
440 assert!(rc.is_none());
441 }
442 }
443
444 #[test]
test_truncated_client_hello_is_detected()445 fn test_truncated_client_hello_is_detected() {
446 let ch = get_sample_clienthellopayload();
447 let enc = ch.get_encoding();
448 println!("testing {:?} enc {:?}", ch, enc);
449
450 for l in 0..enc.len() {
451 println!("len {:?} enc {:?}", l, &enc[..l]);
452 if l == 41 {
453 continue; // where extensions are empty
454 }
455 assert!(ClientHelloPayload::read_bytes(&enc[..l]).is_none());
456 }
457 }
458
459 #[test]
test_truncated_client_extension_is_detected()460 fn test_truncated_client_extension_is_detected() {
461 let chp = get_sample_clienthellopayload();
462
463 for ext in &chp.extensions {
464 let mut enc = ext.get_encoding();
465 println!("testing {:?} enc {:?}", ext, enc);
466
467 // "outer" truncation, i.e., where the extension-level length is longer than
468 // the input
469 for l in 0..enc.len() {
470 assert!(ClientExtension::read_bytes(&enc[..l]).is_none());
471 }
472
473 // these extension types don't have any internal encoding that rustls validates:
474 match ext.get_type() {
475 ExtensionType::TransportParameters | ExtensionType::Unknown(_) => {
476 continue;
477 }
478 _ => {}
479 };
480
481 // "inner" truncation, where the extension-level length agrees with the input
482 // length, but isn't long enough for the type of extension
483 for l in 0..(enc.len() - 4) {
484 put_u16(l as u16, &mut enc[2..]);
485 println!(" encoding {:?} len {:?}", enc, l);
486 assert!(ClientExtension::read_bytes(&enc).is_none());
487 }
488 }
489 }
490
test_client_extension_getter(typ: ExtensionType, getter: fn(&ClientHelloPayload) -> bool)491 fn test_client_extension_getter(typ: ExtensionType, getter: fn(&ClientHelloPayload) -> bool) {
492 let mut chp = get_sample_clienthellopayload();
493 let ext = chp.find_extension(typ).unwrap().clone();
494
495 chp.extensions = vec![];
496 assert!(!getter(&chp));
497
498 chp.extensions = vec![ext];
499 assert!(getter(&chp));
500
501 chp.extensions = vec![ClientExtension::Unknown(UnknownExtension {
502 typ,
503 payload: Payload(vec![]),
504 })];
505 assert!(!getter(&chp));
506 }
507
508 #[test]
client_get_sni_extension()509 fn client_get_sni_extension() {
510 test_client_extension_getter(ExtensionType::ServerName, |chp| {
511 chp.get_sni_extension().is_some()
512 });
513 }
514
515 #[test]
client_get_sigalgs_extension()516 fn client_get_sigalgs_extension() {
517 test_client_extension_getter(ExtensionType::SignatureAlgorithms, |chp| {
518 chp.get_sigalgs_extension().is_some()
519 });
520 }
521
522 #[test]
client_get_namedgroups_extension()523 fn client_get_namedgroups_extension() {
524 test_client_extension_getter(ExtensionType::EllipticCurves, |chp| {
525 chp.get_namedgroups_extension()
526 .is_some()
527 });
528 }
529
530 #[test]
client_get_ecpoints_extension()531 fn client_get_ecpoints_extension() {
532 test_client_extension_getter(ExtensionType::ECPointFormats, |chp| {
533 chp.get_ecpoints_extension().is_some()
534 });
535 }
536
537 #[test]
client_get_alpn_extension()538 fn client_get_alpn_extension() {
539 test_client_extension_getter(ExtensionType::ALProtocolNegotiation, |chp| {
540 chp.get_alpn_extension().is_some()
541 });
542 }
543
544 #[test]
client_get_quic_params_extension()545 fn client_get_quic_params_extension() {
546 test_client_extension_getter(ExtensionType::TransportParameters, |chp| {
547 chp.get_quic_params_extension()
548 .is_some()
549 });
550 }
551
552 #[test]
client_get_versions_extension()553 fn client_get_versions_extension() {
554 test_client_extension_getter(ExtensionType::SupportedVersions, |chp| {
555 chp.get_versions_extension().is_some()
556 });
557 }
558
559 #[test]
client_get_keyshare_extension()560 fn client_get_keyshare_extension() {
561 test_client_extension_getter(ExtensionType::KeyShare, |chp| {
562 chp.get_keyshare_extension().is_some()
563 });
564 }
565
566 #[test]
client_get_psk()567 fn client_get_psk() {
568 test_client_extension_getter(ExtensionType::PreSharedKey, |chp| chp.get_psk().is_some());
569 }
570
571 #[test]
client_get_psk_modes()572 fn client_get_psk_modes() {
573 test_client_extension_getter(ExtensionType::PSKKeyExchangeModes, |chp| {
574 chp.get_psk_modes().is_some()
575 });
576 }
577
578 #[test]
test_truncated_helloretry_extension_is_detected()579 fn test_truncated_helloretry_extension_is_detected() {
580 let hrr = get_sample_helloretryrequest();
581
582 for ext in &hrr.extensions {
583 let mut enc = ext.get_encoding();
584 println!("testing {:?} enc {:?}", ext, enc);
585
586 // "outer" truncation, i.e., where the extension-level length is longer than
587 // the input
588 for l in 0..enc.len() {
589 assert!(HelloRetryExtension::read_bytes(&enc[..l]).is_none());
590 }
591
592 // these extension types don't have any internal encoding that rustls validates:
593 match ext.get_type() {
594 ExtensionType::Unknown(_) => {
595 continue;
596 }
597 _ => {}
598 };
599
600 // "inner" truncation, where the extension-level length agrees with the input
601 // length, but isn't long enough for the type of extension
602 for l in 0..(enc.len() - 4) {
603 put_u16(l as u16, &mut enc[2..]);
604 println!(" encoding {:?} len {:?}", enc, l);
605 assert!(HelloRetryExtension::read_bytes(&enc).is_none());
606 }
607 }
608 }
609
test_helloretry_extension_getter(typ: ExtensionType, getter: fn(&HelloRetryRequest) -> bool)610 fn test_helloretry_extension_getter(typ: ExtensionType, getter: fn(&HelloRetryRequest) -> bool) {
611 let mut hrr = get_sample_helloretryrequest();
612 let mut exts = mem::replace(&mut hrr.extensions, vec![]);
613 exts.retain(|ext| ext.get_type() == typ);
614
615 assert!(!getter(&hrr));
616
617 hrr.extensions = exts;
618 assert!(getter(&hrr));
619
620 hrr.extensions = vec![HelloRetryExtension::Unknown(UnknownExtension {
621 typ,
622 payload: Payload(vec![]),
623 })];
624 assert!(!getter(&hrr));
625 }
626
627 #[test]
helloretry_get_requested_key_share_group()628 fn helloretry_get_requested_key_share_group() {
629 test_helloretry_extension_getter(ExtensionType::KeyShare, |hrr| {
630 hrr.get_requested_key_share_group()
631 .is_some()
632 });
633 }
634
635 #[test]
helloretry_get_cookie()636 fn helloretry_get_cookie() {
637 test_helloretry_extension_getter(ExtensionType::Cookie, |hrr| hrr.get_cookie().is_some());
638 }
639
640 #[test]
helloretry_get_supported_versions()641 fn helloretry_get_supported_versions() {
642 test_helloretry_extension_getter(ExtensionType::SupportedVersions, |hrr| {
643 hrr.get_supported_versions().is_some()
644 });
645 }
646
647 #[test]
test_truncated_server_extension_is_detected()648 fn test_truncated_server_extension_is_detected() {
649 let shp = get_sample_serverhellopayload();
650
651 for ext in &shp.extensions {
652 let mut enc = ext.get_encoding();
653 println!("testing {:?} enc {:?}", ext, enc);
654
655 // "outer" truncation, i.e., where the extension-level length is longer than
656 // the input
657 for l in 0..enc.len() {
658 assert!(ServerExtension::read_bytes(&enc[..l]).is_none());
659 }
660
661 // these extension types don't have any internal encoding that rustls validates:
662 match ext.get_type() {
663 ExtensionType::TransportParameters | ExtensionType::Unknown(_) => {
664 continue;
665 }
666 _ => {}
667 };
668
669 // "inner" truncation, where the extension-level length agrees with the input
670 // length, but isn't long enough for the type of extension
671 for l in 0..(enc.len() - 4) {
672 put_u16(l as u16, &mut enc[2..]);
673 println!(" encoding {:?} len {:?}", enc, l);
674 assert!(ServerExtension::read_bytes(&enc).is_none());
675 }
676 }
677 }
678
test_server_extension_getter(typ: ExtensionType, getter: fn(&ServerHelloPayload) -> bool)679 fn test_server_extension_getter(typ: ExtensionType, getter: fn(&ServerHelloPayload) -> bool) {
680 let mut shp = get_sample_serverhellopayload();
681 let ext = shp.find_extension(typ).unwrap().clone();
682
683 shp.extensions = vec![];
684 assert!(!getter(&shp));
685
686 shp.extensions = vec![ext];
687 assert!(getter(&shp));
688
689 shp.extensions = vec![ServerExtension::Unknown(UnknownExtension {
690 typ,
691 payload: Payload(vec![]),
692 })];
693 assert!(!getter(&shp));
694 }
695
696 #[test]
server_get_key_share()697 fn server_get_key_share() {
698 test_server_extension_getter(ExtensionType::KeyShare, |shp| shp.get_key_share().is_some());
699 }
700
701 #[test]
server_get_psk_index()702 fn server_get_psk_index() {
703 test_server_extension_getter(ExtensionType::PreSharedKey, |shp| {
704 shp.get_psk_index().is_some()
705 });
706 }
707
708 #[test]
server_get_ecpoints_extension()709 fn server_get_ecpoints_extension() {
710 test_server_extension_getter(ExtensionType::ECPointFormats, |shp| {
711 shp.get_ecpoints_extension().is_some()
712 });
713 }
714
715 #[test]
server_get_sct_list()716 fn server_get_sct_list() {
717 test_server_extension_getter(ExtensionType::SCT, |shp| shp.get_sct_list().is_some());
718 }
719
720 #[test]
server_get_supported_versions()721 fn server_get_supported_versions() {
722 test_server_extension_getter(ExtensionType::SupportedVersions, |shp| {
723 shp.get_supported_versions().is_some()
724 });
725 }
726
test_cert_extension_getter(typ: ExtensionType, getter: fn(&CertificateEntry) -> bool)727 fn test_cert_extension_getter(typ: ExtensionType, getter: fn(&CertificateEntry) -> bool) {
728 let mut ce = get_sample_certificatepayloadtls13()
729 .entries
730 .remove(0);
731 let mut exts = mem::replace(&mut ce.exts, vec![]);
732 exts.retain(|ext| ext.get_type() == typ);
733
734 assert!(!getter(&ce));
735
736 ce.exts = exts;
737 assert!(getter(&ce));
738
739 ce.exts = vec![CertificateExtension::Unknown(UnknownExtension {
740 typ,
741 payload: Payload(vec![]),
742 })];
743 assert!(!getter(&ce));
744 }
745
746 #[test]
certentry_get_ocsp_response()747 fn certentry_get_ocsp_response() {
748 test_cert_extension_getter(ExtensionType::StatusRequest, |ce| {
749 ce.get_ocsp_response().is_some()
750 });
751 }
752
753 #[test]
certentry_get_scts()754 fn certentry_get_scts() {
755 test_cert_extension_getter(ExtensionType::SCT, |ce| ce.get_scts().is_some());
756 }
757
get_sample_serverhellopayload() -> ServerHelloPayload758 fn get_sample_serverhellopayload() -> ServerHelloPayload {
759 ServerHelloPayload {
760 legacy_version: ProtocolVersion::TLSv1_2,
761 random: Random::from([0; 32]),
762 session_id: SessionID::empty(),
763 cipher_suite: CipherSuite::TLS_NULL_WITH_NULL_NULL,
764 compression_method: Compression::Null,
765 extensions: vec![
766 ServerExtension::ECPointFormats(ECPointFormatList::supported()),
767 ServerExtension::ServerNameAck,
768 ServerExtension::SessionTicketAck,
769 ServerExtension::RenegotiationInfo(PayloadU8(vec![0])),
770 ServerExtension::Protocols(vec![PayloadU8(vec![0])]),
771 ServerExtension::KeyShare(KeyShareEntry::new(NamedGroup::X25519, &[1, 2, 3])),
772 ServerExtension::PresharedKey(3),
773 ServerExtension::ExtendedMasterSecretAck,
774 ServerExtension::CertificateStatusAck,
775 ServerExtension::SignedCertificateTimestamp(vec![PayloadU16(vec![0])]),
776 ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_2),
777 ServerExtension::TransportParameters(vec![1, 2, 3]),
778 ServerExtension::Unknown(UnknownExtension {
779 typ: ExtensionType::Unknown(12345),
780 payload: Payload(vec![1, 2, 3]),
781 }),
782 ],
783 }
784 }
785
786 #[test]
can_print_all_serverextensions()787 fn can_print_all_serverextensions() {
788 println!("server hello {:?}", get_sample_serverhellopayload());
789 }
790
791 #[test]
can_clone_all_serverextensions()792 fn can_clone_all_serverextensions() {
793 let _ = get_sample_serverhellopayload()
794 .extensions
795 .clone();
796 }
797
get_sample_helloretryrequest() -> HelloRetryRequest798 fn get_sample_helloretryrequest() -> HelloRetryRequest {
799 HelloRetryRequest {
800 legacy_version: ProtocolVersion::TLSv1_2,
801 session_id: SessionID::empty(),
802 cipher_suite: CipherSuite::TLS_NULL_WITH_NULL_NULL,
803 extensions: vec![
804 HelloRetryExtension::KeyShare(NamedGroup::X25519),
805 HelloRetryExtension::Cookie(PayloadU16(vec![0])),
806 HelloRetryExtension::SupportedVersions(ProtocolVersion::TLSv1_2),
807 HelloRetryExtension::Unknown(UnknownExtension {
808 typ: ExtensionType::Unknown(12345),
809 payload: Payload(vec![1, 2, 3]),
810 }),
811 ],
812 }
813 }
814
get_sample_certificatepayloadtls13() -> CertificatePayloadTLS13815 fn get_sample_certificatepayloadtls13() -> CertificatePayloadTLS13 {
816 CertificatePayloadTLS13 {
817 context: PayloadU8(vec![1, 2, 3]),
818 entries: vec![CertificateEntry {
819 cert: Certificate(vec![3, 4, 5]),
820 exts: vec![
821 CertificateExtension::CertificateStatus(CertificateStatus {
822 ocsp_response: PayloadU24(vec![1, 2, 3]),
823 }),
824 CertificateExtension::SignedCertificateTimestamp(vec![PayloadU16(vec![0])]),
825 CertificateExtension::Unknown(UnknownExtension {
826 typ: ExtensionType::Unknown(12345),
827 payload: Payload(vec![1, 2, 3]),
828 }),
829 ],
830 }],
831 }
832 }
833
get_sample_serverkeyexchangepayload_ecdhe() -> ServerKeyExchangePayload834 fn get_sample_serverkeyexchangepayload_ecdhe() -> ServerKeyExchangePayload {
835 ServerKeyExchangePayload::ECDHE(ECDHEServerKeyExchange {
836 params: ServerECDHParams {
837 curve_params: ECParameters {
838 curve_type: ECCurveType::NamedCurve,
839 named_group: NamedGroup::X25519,
840 },
841 public: PayloadU8(vec![1, 2, 3]),
842 },
843 dss: DigitallySignedStruct {
844 scheme: SignatureScheme::RSA_PSS_SHA256,
845 sig: PayloadU16(vec![1, 2, 3]),
846 },
847 })
848 }
849
get_sample_serverkeyexchangepayload_unknown() -> ServerKeyExchangePayload850 fn get_sample_serverkeyexchangepayload_unknown() -> ServerKeyExchangePayload {
851 ServerKeyExchangePayload::Unknown(Payload(vec![1, 2, 3]))
852 }
853
get_sample_certificaterequestpayload() -> CertificateRequestPayload854 fn get_sample_certificaterequestpayload() -> CertificateRequestPayload {
855 CertificateRequestPayload {
856 certtypes: vec![ClientCertificateType::RSASign],
857 sigschemes: vec![SignatureScheme::ECDSA_NISTP256_SHA256],
858 canames: vec![PayloadU16(vec![1, 2, 3])],
859 }
860 }
861
get_sample_certificaterequestpayloadtls13() -> CertificateRequestPayloadTLS13862 fn get_sample_certificaterequestpayloadtls13() -> CertificateRequestPayloadTLS13 {
863 CertificateRequestPayloadTLS13 {
864 context: PayloadU8(vec![1, 2, 3]),
865 extensions: vec![
866 CertReqExtension::SignatureAlgorithms(vec![SignatureScheme::ECDSA_NISTP256_SHA256]),
867 CertReqExtension::AuthorityNames(vec![PayloadU16(vec![1, 2, 3])]),
868 CertReqExtension::Unknown(UnknownExtension {
869 typ: ExtensionType::Unknown(12345),
870 payload: Payload(vec![1, 2, 3]),
871 }),
872 ],
873 }
874 }
875
get_sample_newsessionticketpayload() -> NewSessionTicketPayload876 fn get_sample_newsessionticketpayload() -> NewSessionTicketPayload {
877 NewSessionTicketPayload {
878 lifetime_hint: 1234,
879 ticket: PayloadU16(vec![1, 2, 3]),
880 }
881 }
882
get_sample_newsessionticketpayloadtls13() -> NewSessionTicketPayloadTLS13883 fn get_sample_newsessionticketpayloadtls13() -> NewSessionTicketPayloadTLS13 {
884 NewSessionTicketPayloadTLS13 {
885 lifetime: 123,
886 age_add: 1234,
887 nonce: PayloadU8(vec![1, 2, 3]),
888 ticket: PayloadU16(vec![4, 5, 6]),
889 exts: vec![NewSessionTicketExtension::Unknown(UnknownExtension {
890 typ: ExtensionType::Unknown(12345),
891 payload: Payload(vec![1, 2, 3]),
892 })],
893 }
894 }
895
get_sample_encryptedextensions() -> EncryptedExtensions896 fn get_sample_encryptedextensions() -> EncryptedExtensions {
897 get_sample_serverhellopayload().extensions
898 }
899
get_sample_certificatestatus() -> CertificateStatus900 fn get_sample_certificatestatus() -> CertificateStatus {
901 CertificateStatus {
902 ocsp_response: PayloadU24(vec![1, 2, 3]),
903 }
904 }
905
get_all_tls12_handshake_payloads() -> Vec<HandshakeMessagePayload>906 fn get_all_tls12_handshake_payloads() -> Vec<HandshakeMessagePayload> {
907 vec![
908 HandshakeMessagePayload {
909 typ: HandshakeType::HelloRequest,
910 payload: HandshakePayload::HelloRequest,
911 },
912 HandshakeMessagePayload {
913 typ: HandshakeType::ClientHello,
914 payload: HandshakePayload::ClientHello(get_sample_clienthellopayload()),
915 },
916 HandshakeMessagePayload {
917 typ: HandshakeType::ServerHello,
918 payload: HandshakePayload::ServerHello(get_sample_serverhellopayload()),
919 },
920 HandshakeMessagePayload {
921 typ: HandshakeType::HelloRetryRequest,
922 payload: HandshakePayload::HelloRetryRequest(get_sample_helloretryrequest()),
923 },
924 HandshakeMessagePayload {
925 typ: HandshakeType::Certificate,
926 payload: HandshakePayload::Certificate(vec![Certificate(vec![1, 2, 3])]),
927 },
928 HandshakeMessagePayload {
929 typ: HandshakeType::ServerKeyExchange,
930 payload: HandshakePayload::ServerKeyExchange(
931 get_sample_serverkeyexchangepayload_ecdhe(),
932 ),
933 },
934 HandshakeMessagePayload {
935 typ: HandshakeType::ServerKeyExchange,
936 payload: HandshakePayload::ServerKeyExchange(
937 get_sample_serverkeyexchangepayload_unknown(),
938 ),
939 },
940 HandshakeMessagePayload {
941 typ: HandshakeType::CertificateRequest,
942 payload: HandshakePayload::CertificateRequest(get_sample_certificaterequestpayload()),
943 },
944 HandshakeMessagePayload {
945 typ: HandshakeType::ServerHelloDone,
946 payload: HandshakePayload::ServerHelloDone,
947 },
948 HandshakeMessagePayload {
949 typ: HandshakeType::ClientKeyExchange,
950 payload: HandshakePayload::ClientKeyExchange(Payload(vec![1, 2, 3])),
951 },
952 HandshakeMessagePayload {
953 typ: HandshakeType::NewSessionTicket,
954 payload: HandshakePayload::NewSessionTicket(get_sample_newsessionticketpayload()),
955 },
956 HandshakeMessagePayload {
957 typ: HandshakeType::EncryptedExtensions,
958 payload: HandshakePayload::EncryptedExtensions(get_sample_encryptedextensions()),
959 },
960 HandshakeMessagePayload {
961 typ: HandshakeType::KeyUpdate,
962 payload: HandshakePayload::KeyUpdate(KeyUpdateRequest::UpdateRequested),
963 },
964 HandshakeMessagePayload {
965 typ: HandshakeType::KeyUpdate,
966 payload: HandshakePayload::KeyUpdate(KeyUpdateRequest::UpdateNotRequested),
967 },
968 HandshakeMessagePayload {
969 typ: HandshakeType::Finished,
970 payload: HandshakePayload::Finished(Payload(vec![1, 2, 3])),
971 },
972 HandshakeMessagePayload {
973 typ: HandshakeType::CertificateStatus,
974 payload: HandshakePayload::CertificateStatus(get_sample_certificatestatus()),
975 },
976 HandshakeMessagePayload {
977 typ: HandshakeType::Unknown(99),
978 payload: HandshakePayload::Unknown(Payload(vec![1, 2, 3])),
979 },
980 ]
981 }
982
983 #[test]
can_roundtrip_all_tls12_handshake_payloads()984 fn can_roundtrip_all_tls12_handshake_payloads() {
985 for ref hm in get_all_tls12_handshake_payloads().iter() {
986 println!("{:?}", hm.typ);
987 let bytes = hm.get_encoding();
988 let mut rd = Reader::init(&bytes);
989 let other = HandshakeMessagePayload::read(&mut rd).unwrap();
990 assert_eq!(rd.any_left(), false);
991 assert_eq!(hm.get_encoding(), other.get_encoding());
992
993 println!("{:?}", hm);
994 println!("{:?}", other);
995 }
996 }
997
998 #[test]
can_detect_truncation_of_all_tls12_handshake_payloads()999 fn can_detect_truncation_of_all_tls12_handshake_payloads() {
1000 for hm in get_all_tls12_handshake_payloads().iter() {
1001 let mut enc = hm.get_encoding();
1002 println!("test {:?} enc {:?}", hm, enc);
1003
1004 // outer truncation
1005 for l in 0..enc.len() {
1006 assert!(HandshakeMessagePayload::read_bytes(&enc[..l]).is_none())
1007 }
1008
1009 // inner truncation
1010 for l in 0..enc.len() - 4 {
1011 put_u24(l as u32, &mut enc[1..]);
1012 println!(" check len {:?} enc {:?}", l, enc);
1013
1014 match (hm.typ, l) {
1015 (HandshakeType::ClientHello, 41)
1016 | (HandshakeType::ServerHello, 38)
1017 | (HandshakeType::ServerKeyExchange, _)
1018 | (HandshakeType::ClientKeyExchange, _)
1019 | (HandshakeType::Finished, _)
1020 | (HandshakeType::Unknown(_), _) => continue,
1021 _ => {}
1022 };
1023
1024 assert!(HandshakeMessagePayload::read_version(
1025 &mut Reader::init(&enc),
1026 ProtocolVersion::TLSv1_2
1027 )
1028 .is_none());
1029 assert!(HandshakeMessagePayload::read_bytes(&enc).is_none());
1030 }
1031 }
1032 }
1033
get_all_tls13_handshake_payloads() -> Vec<HandshakeMessagePayload>1034 fn get_all_tls13_handshake_payloads() -> Vec<HandshakeMessagePayload> {
1035 vec![
1036 HandshakeMessagePayload {
1037 typ: HandshakeType::HelloRequest,
1038 payload: HandshakePayload::HelloRequest,
1039 },
1040 HandshakeMessagePayload {
1041 typ: HandshakeType::ClientHello,
1042 payload: HandshakePayload::ClientHello(get_sample_clienthellopayload()),
1043 },
1044 HandshakeMessagePayload {
1045 typ: HandshakeType::ServerHello,
1046 payload: HandshakePayload::ServerHello(get_sample_serverhellopayload()),
1047 },
1048 HandshakeMessagePayload {
1049 typ: HandshakeType::HelloRetryRequest,
1050 payload: HandshakePayload::HelloRetryRequest(get_sample_helloretryrequest()),
1051 },
1052 HandshakeMessagePayload {
1053 typ: HandshakeType::Certificate,
1054 payload: HandshakePayload::CertificateTLS13(get_sample_certificatepayloadtls13()),
1055 },
1056 HandshakeMessagePayload {
1057 typ: HandshakeType::ServerKeyExchange,
1058 payload: HandshakePayload::ServerKeyExchange(
1059 get_sample_serverkeyexchangepayload_ecdhe(),
1060 ),
1061 },
1062 HandshakeMessagePayload {
1063 typ: HandshakeType::ServerKeyExchange,
1064 payload: HandshakePayload::ServerKeyExchange(
1065 get_sample_serverkeyexchangepayload_unknown(),
1066 ),
1067 },
1068 HandshakeMessagePayload {
1069 typ: HandshakeType::CertificateRequest,
1070 payload: HandshakePayload::CertificateRequestTLS13(
1071 get_sample_certificaterequestpayloadtls13(),
1072 ),
1073 },
1074 HandshakeMessagePayload {
1075 typ: HandshakeType::CertificateVerify,
1076 payload: HandshakePayload::CertificateVerify(DigitallySignedStruct::new(
1077 SignatureScheme::ECDSA_NISTP256_SHA256,
1078 vec![1, 2, 3],
1079 )),
1080 },
1081 HandshakeMessagePayload {
1082 typ: HandshakeType::ServerHelloDone,
1083 payload: HandshakePayload::ServerHelloDone,
1084 },
1085 HandshakeMessagePayload {
1086 typ: HandshakeType::ClientKeyExchange,
1087 payload: HandshakePayload::ClientKeyExchange(Payload(vec![1, 2, 3])),
1088 },
1089 HandshakeMessagePayload {
1090 typ: HandshakeType::NewSessionTicket,
1091 payload: HandshakePayload::NewSessionTicketTLS13(
1092 get_sample_newsessionticketpayloadtls13(),
1093 ),
1094 },
1095 HandshakeMessagePayload {
1096 typ: HandshakeType::EncryptedExtensions,
1097 payload: HandshakePayload::EncryptedExtensions(get_sample_encryptedextensions()),
1098 },
1099 HandshakeMessagePayload {
1100 typ: HandshakeType::KeyUpdate,
1101 payload: HandshakePayload::KeyUpdate(KeyUpdateRequest::UpdateRequested),
1102 },
1103 HandshakeMessagePayload {
1104 typ: HandshakeType::KeyUpdate,
1105 payload: HandshakePayload::KeyUpdate(KeyUpdateRequest::UpdateNotRequested),
1106 },
1107 HandshakeMessagePayload {
1108 typ: HandshakeType::Finished,
1109 payload: HandshakePayload::Finished(Payload(vec![1, 2, 3])),
1110 },
1111 HandshakeMessagePayload {
1112 typ: HandshakeType::CertificateStatus,
1113 payload: HandshakePayload::CertificateStatus(get_sample_certificatestatus()),
1114 },
1115 HandshakeMessagePayload {
1116 typ: HandshakeType::Unknown(99),
1117 payload: HandshakePayload::Unknown(Payload(vec![1, 2, 3])),
1118 },
1119 ]
1120 }
1121
1122 #[test]
can_roundtrip_all_tls13_handshake_payloads()1123 fn can_roundtrip_all_tls13_handshake_payloads() {
1124 for ref hm in get_all_tls13_handshake_payloads().iter() {
1125 println!("{:?}", hm.typ);
1126 let bytes = hm.get_encoding();
1127 let mut rd = Reader::init(&bytes);
1128
1129 let other =
1130 HandshakeMessagePayload::read_version(&mut rd, ProtocolVersion::TLSv1_3).unwrap();
1131 assert_eq!(rd.any_left(), false);
1132 assert_eq!(hm.get_encoding(), other.get_encoding());
1133
1134 println!("{:?}", hm);
1135 println!("{:?}", other);
1136 }
1137 }
1138
put_u24(u: u32, b: &mut [u8])1139 fn put_u24(u: u32, b: &mut [u8]) {
1140 b[0] = (u >> 16) as u8;
1141 b[1] = (u >> 8) as u8;
1142 b[2] = u as u8;
1143 }
1144
1145 #[test]
can_detect_truncation_of_all_tls13_handshake_payloads()1146 fn can_detect_truncation_of_all_tls13_handshake_payloads() {
1147 for hm in get_all_tls13_handshake_payloads().iter() {
1148 let mut enc = hm.get_encoding();
1149 println!("test {:?} enc {:?}", hm, enc);
1150
1151 // outer truncation
1152 for l in 0..enc.len() {
1153 assert!(HandshakeMessagePayload::read_bytes(&enc[..l]).is_none())
1154 }
1155
1156 // inner truncation
1157 for l in 0..enc.len() - 4 {
1158 put_u24(l as u32, &mut enc[1..]);
1159 println!(" check len {:?} enc {:?}", l, enc);
1160
1161 match (hm.typ, l) {
1162 (HandshakeType::ClientHello, 41)
1163 | (HandshakeType::ServerHello, 38)
1164 | (HandshakeType::ServerKeyExchange, _)
1165 | (HandshakeType::ClientKeyExchange, _)
1166 | (HandshakeType::Finished, _)
1167 | (HandshakeType::Unknown(_), _) => continue,
1168 _ => {}
1169 };
1170
1171 assert!(HandshakeMessagePayload::read_version(
1172 &mut Reader::init(&enc),
1173 ProtocolVersion::TLSv1_3
1174 )
1175 .is_none());
1176 }
1177 }
1178 }
1179
1180 #[test]
cannot_read_messagehash_from_network()1181 fn cannot_read_messagehash_from_network() {
1182 let mh = HandshakeMessagePayload {
1183 typ: HandshakeType::MessageHash,
1184 payload: HandshakePayload::MessageHash(Payload::new(vec![1, 2, 3])),
1185 };
1186 println!("mh {:?}", mh);
1187 let enc = mh.get_encoding();
1188 assert!(HandshakeMessagePayload::read_bytes(&enc).is_none());
1189 }
1190
1191 #[test]
cannot_decode_huge_certificate()1192 fn cannot_decode_huge_certificate() {
1193 let mut buf = [0u8; 65 * 1024];
1194 // exactly 64KB decodes fine
1195 buf[0] = 0x0b;
1196 buf[1] = 0x01;
1197 buf[2] = 0x00;
1198 buf[3] = 0x03;
1199 buf[4] = 0x01;
1200 buf[5] = 0x00;
1201 buf[6] = 0x00;
1202 buf[7] = 0x00;
1203 buf[8] = 0xff;
1204 buf[9] = 0xfd;
1205 HandshakeMessagePayload::read_bytes(&buf).unwrap();
1206
1207 // however 64KB + 1 byte does not
1208 buf[1] = 0x01;
1209 buf[2] = 0x00;
1210 buf[3] = 0x04;
1211 buf[4] = 0x01;
1212 buf[5] = 0x00;
1213 buf[6] = 0x01;
1214 assert!(HandshakeMessagePayload::read_bytes(&buf).is_none());
1215 }
1216