From a33ffdafda55ce6e631dedcce63dd0fb578505e6 Mon Sep 17 00:00:00 2001
From: Joseph Birr-Pixton
Date: Sat, 8 Oct 2016 19:27:35 +0100
Subject: [PATCH] Run TryTLS tests
---
 .travis.yml | 1 +
 admin/covbin/trytls_shim | 1 +
 admin/coverage | 3 ++
 examples/trytls_shim.rs | 99 ++++++++++++++++++++++++++++++++++++++++
 trytls/.gitignore | 1 +
 trytls/runme | 18 ++++++++
 6 files changed, 123 insertions(+)
 create mode 120000 admin/covbin/trytls_shim
 create mode 100644 examples/trytls_shim.rs
 create mode 100644 trytls/.gitignore
 create mode 100755 trytls/runme
diff --git a/.travis.yml b/.travis.yml
index 86f2da99..c90815b7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,7 @@ script:
 - cargo test --release --no-run
 - ./target/release/examples/bench
 - ( cd bogo && ./runme )
+ - ( cd trytls && ./runme )
 - cargo build --no-default-features
 - cargo test --no-default-features --no-run
 - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then ./admin/coverage ; fi
diff --git a/admin/covbin/trytls_shim b/admin/covbin/trytls_shim
new file mode 120000
index 00000000..22cb46f8
--- /dev/null
+++ b/admin/covbin/trytls_shim
@@ -0,0 +1 @@
+wrapper
\ No newline at end of file
diff --git a/admin/coverage b/admin/coverage
index d1bbc857..cd28d418 100755
--- a/admin/coverage
+++ b/admin/coverage
@@ -15,4 +15,7 @@ done
 # bogo tests
 ( cd bogo && ./runme )
 
+# trytls tests
+( cd trytls && ./runme )
+
 $KCOV_OPTIONS --coveralls-id=$TRAVIS_JOB_ID --report-only target/coverage/ ./target/debug/examples/tlsclient
diff --git a/examples/trytls_shim.rs b/examples/trytls_shim.rs
new file mode 100644
index 00000000..6aff32d1
--- /dev/null
+++ b/examples/trytls_shim.rs
@@ -0,0 +1,99 @@
+/*
+ * A Rustls stub for TryTLS
+ *
+ * Author: Joachim Viide
+ * See: https://github.com/HowNetWorks/trytls-rustls-stub
+ */
+
+extern crate rustls;
+extern crate webpki_roots;
+
+use std::io::{Read, Write, BufReader};
+use std::net::TcpStream;
+use std::sync::Arc;
+use std::fs::File;
+use std::error::Error;
+use std::process;
+use std::env;
+use rustls::{ClientConfig, ClientSession, Session, TLSError};
+
+enum Verdict {
+ Accept,
+ Reject(TLSError),
+}
+
+fn parse_args(args: &Vec) -> Result<(String, u16, ClientConfig), Box> {
+ let mut config = ClientConfig::new();
+ match args.len() {
+ 3 => {
+ config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
+ }
+ 4 => {
+ let f = try!(File::open(&args[3]));
+ let mut f = BufReader::new(f);
+ if let Err(_) = config.root_store.add_pem_file(&mut f) {
+ return Err(From::from("Could not load PEM data"));
+ }
+ }
+ _ => {
+ return Err(From::from("Incorrect number of arguments"));
+ }
+ };
+ let port = try!(args[2].parse());
+ Ok((args[1].clone(), port, config))
+}
+
+fn communicate(host: String, port: u16, config: ClientConfig) -> Result> {
+ let rc_config = Arc::new(config);
+ let mut client = ClientSession::new(&rc_config, &host);
+ let mut stream = try!(TcpStream::connect((&*host, port)));
+
+ try!(client.write(b"GET / HTTP/1.0\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"));
+ loop {
+ while client.wants_write() {
+ try!(client.write_tls(&mut stream));
+ }
+
+ if client.wants_read() {
+ if try!(client.read_tls(&mut stream)) == 0 {
+ return Err(From::from("Connection closed"));
+ }
+
+ if let Err(err) = client.process_new_packets() {
+ return match err {
+ TLSError::WebPKIError(_) |
+ TLSError::AlertReceived(_) => Ok(Verdict::Reject(err)),
+ _ => Err(From::from(format!("{:?}", err))),
+ };
+ }
+
+ if try!(client.read(&mut [0])) > 0 {
+ return Ok(Verdict::Accept);
+ }
+ }
+ }
+}
+
+fn main() {
+ let args: Vec = env::args().collect();
+ let (host, port, config) = parse_args(&args).unwrap_or_else(|err| {
+ println!("Argument error: {}", err);
+ process::exit(2);
+ });
+
+ match communicate(host, port, config) {
+ Ok(Verdict::Accept) => {
+ println!("ACCEPT");
+ process::exit(0);
+ }
+ Ok(Verdict::Reject(reason)) => {
+ println!("{:?}", reason);
+ println!("REJECT");
+ process::exit(0);
+ }
+ Err(err) => {
+ println!("{}", err);
+ process::exit(1);
+ }
+ }
+}
diff --git a/trytls/.gitignore b/trytls/.gitignore
new file mode 100644
index 00000000..98061960
--- /dev/null
+++ b/trytls/.gitignore
@@ -0,0 +1 @@
+trytls/
diff --git a/trytls/runme b/trytls/runme
new file mode 100755
index 00000000..d09647f8
--- /dev/null
+++ b/trytls/runme
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script fetches, builds, and runs the TryTLS
+# TLS test tool against rustls. The rustls-TryTLS test stub is
+# by Joachim Viide -- https://github.com/HowNetWorks/trytls-rustls-stub
+
+set -xe
+
+if [ ! -e trytls/ ] ; then
+ pip install --system --prefix trytls/ trytls
+fi
+
+export PYTHONPATH=trytls/lib/python2.7/site-packages/
+./trytls/bin/trytls https ../admin/covbin/trytls_shim || true
+
+# nb, currently expected to fail:
+# - tlsfun.de has a now-untrusted CA due to misissuance (StartCom)
+# - {cve,cve2}.freakattack.com no longer resolves
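Review bot: In `parse_args`, the four-argument branch treats any `Ok` from `add_pem_file` as success, so a CA file that parses but contains no certificates leaves the root store empty; every server then fails verification with a `WebPKIError` and the shim prints REJECT, which the TryTLS report would read as a correct rejection rather than the misconfiguration it is. I would check the count the call reports, e.g. `let (added, _) = try!(config.root_store.add_pem_file(&mut f).map_err(|_| "Could not load PEM data"));` followed by `if added == 0 { return Err(From::from("No certificates found in PEM data")); }`. `communicate` also deserves a short header comment stating why reading one byte via `client.read(&mut [0])` is the ACCEPT signal: application data can only arrive after the handshake, and with it certificate verification, has completed, while a verification or alert failure surfaces earlier from `process_new_packets` as the REJECT verdict.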
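Review bot: `./trytls/bin/trytls https ../admin/covbin/trytls_shim || true` discards the suite's exit status, so the trytls result itself can never fail the `( cd trytls && ./runme )` steps added to .travis.yml and admin/coverage, and a regression in the shim's ACCEPT/REJECT logic would only be visible by reading the build log; the trailing comment lists two cases that are currently expected to fail, which argues for an expected-failures list rather than a blanket `|| true`. A cheaper first step that still works under `set -e` is to record the status: `status=0; ./trytls/bin/trytls https ../admin/covbin/trytls_shim || status=$?` then `echo "trytls exit status: $status"`. The `pip install --system --prefix trytls/ trytls` line pulls an unpinned package from the index at every CI run, so the test tool's behaviour can change underneath the build; pinning a release (`trytls==<PINNED_VERSION>`, placeholder) keeps the run reproducible.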