From 9a3f3eef6ab2e245bed4b565b336bfbaf3acc6dd Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Sat, 3 Feb 2024 17:01:47 +0000
Subject: [PATCH] test(tls): fix accept-openssl test
---
 .cargo/config.toml | 5 +++--
 actix-tls/Cargo.toml | 4 ++--
 actix-tls/src/connect/mod.rs | 5 +----
 actix-tls/tests/accept-openssl.rs | 37 +++++++++++++++++--------------
 actix-tls/tests/accept-rustls.rs | 10 ++++-----
 5 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/.cargo/config.toml b/.cargo/config.toml
index 8f1ff8a7..537e721c 100644
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -15,8 +15,9 @@ ci-check-linux = "hack --workspace --feature-powerset --depth=2 check --tests --
 # tests avoiding io-uring feature
 ci-test = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"
-ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture"
-ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-022 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture"
 # tests avoiding io-uring feature on Windows
 ci-test-win = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"
diff --git a/actix-tls/Cargo.toml b/actix-tls/Cargo.toml
index cbfa0f12..f103d447 100755
--- a/actix-tls/Cargo.toml
+++ b/actix-tls/Cargo.toml
@@ -117,11 +117,11 @@ bytes = "1"
 env_logger = "0.10"
 futures-util = { version = "0.3.17", default-features = false, features = ["sink"] }
 itertools = "0.12"
-rcgen = "0.11"
+rcgen = "0.12"
 rustls-pemfile = "2"
 tokio-rustls-025 = { package = "tokio-rustls", version = "0.25" }
 trust-dns-resolver = "0.23"
 [[example]]
 name = "accept-rustls"
-required-features = ["accept", "rustls-0_22-webpki-roots"]
+required-features = ["accept", "rustls-0_22"]
diff --git a/actix-tls/src/connect/mod.rs b/actix-tls/src/connect/mod.rs
index b742e76e..1e77d98a 100644
--- a/actix-tls/src/connect/mod.rs
+++ b/actix-tls/src/connect/mod.rs
@@ -46,10 +46,7 @@ pub use rustls_0_20 as rustls;
 ))]
 pub mod rustls_0_21;
-#[cfg(any(
- feature = "rustls-0_22-webpki-roots",
- feature = "rustls-0_22-native-roots",
-))]
+#[cfg(feature = "rustls-0_22")]
 pub mod rustls_0_22;
 #[cfg(feature = "native-tls")]
diff --git a/actix-tls/tests/accept-openssl.rs b/actix-tls/tests/accept-openssl.rs
index a3506b1b..e571a282 100644
--- a/actix-tls/tests/accept-openssl.rs
+++ b/actix-tls/tests/accept-openssl.rs
@@ -12,11 +12,13 @@ use std::{io::Write as _, sync::Arc};
 use actix_rt::net::TcpStream;
 use actix_server::TestServer;
 use actix_service::ServiceFactoryExt as _;
-use actix_tls::accept::openssl::{Acceptor, TlsStream};
+use actix_tls::{
+ accept::openssl::{Acceptor, TlsStream},
+ connect::rustls_0_22::reexports::ClientConfig,
+};
 use actix_utils::future::ok;
 use rustls_pki_types_1::ServerName;
-use tokio_rustls::rustls::{ClientConfig, RootCertStore};
-use tokio_rustls_025 as tokio_rustls;
+use tokio_rustls_025::rustls::RootCertStore;
 fn new_cert_and_key() -> (String, String) {
 let cert =
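Review bot: The new `#[cfg(feature = "rustls-0_22")]` gate on `pub mod rustls_0_22` narrows the condition from either roots feature to the base feature alone, which is only equivalent if `rustls-0_22-webpki-roots` and `rustls-0_22-native-roots` each enable `rustls-0_22` in actix-tls's `[features]` table, and that table is not part of this patch. If they do not, a downstream crate that enables only a roots feature silently loses `connect::rustls_0_22` (and the `reexports::ClientConfig` path the accept-openssl test now imports) instead of failing at the gate. Worth confirming against the feature table; once confirmed, a one-line comment above the attribute such as `// the rustls-0_22-*-roots features enable rustls-0_22, so the base feature is the only gate needed` records the assumption for the next maintainer.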
@@ -47,39 +49,40 @@ fn openssl_acceptor(cert: String, key: String) -> tls_openssl::ssl::SslAcceptor
 builder.build()
 }
-#[allow(dead_code)]
 mod danger {
+ use rustls_pki_types_1::{CertificateDer, ServerName, UnixTime};
 use tokio_rustls_025::rustls;
+ /// Disables certificate verification to allow self-signed certs from rcgen.
 #[derive(Debug)]
 pub struct NoCertificateVerification;
 impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
 fn verify_server_cert(
 &self,
- end_entity: &rustls_pki_types_1::CertificateDer::CertificateDer<'_>,
- intermediates: &[rustls_pki_types_1::CertificateDer::CertificateDer<'_>],
- server_name: &rustls_pki_types_1::CertificateDer::ServerName<'_>,
- ocsp_response: &[u8],
- now: rustls_pki_types_1::CertificateDer::UnixTime,
+ _end_entity: &CertificateDer<'_>,
+ _intermediates: &[CertificateDer<'_>],
+ _server_name: &ServerName<'_>,
+ _ocsp_response: &[u8],
+ _now: UnixTime,
 ) -> Result {
 Ok(rustls::client::danger::ServerCertVerified::assertion())
 }
 fn verify_tls12_signature(
 &self,
- message: &[u8],
- cert: &rustls_pki_types_1::CertificateDer<'_>,
- dss: &rustls::DigitallySignedStruct,
+ _message: &[u8],
+ _cert: &rustls_pki_types_1::CertificateDer<'_>,
+ _dss: &rustls::DigitallySignedStruct,
 ) -> Result {
 Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
 }
 fn verify_tls13_signature(
 &self,
- message: &[u8],
- cert: &rustls_pki_types_1::CertificateDer<'_>,
- dss: &rustls::DigitallySignedStruct,
+ _message: &[u8],
+ _cert: &rustls_pki_types_1::CertificateDer<'_>,
+ _dss: &rustls::DigitallySignedStruct,
 ) -> Result {
 Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
 }
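Review bot: `NoCertificateVerification` now discards every input, so besides skipping chain validation the client also returns `HandshakeSignatureValid::assertion()` from `verify_tls12_signature` and `verify_tls13_signature` without checking anything, which means the handshake in `accepts_connections` would still pass if the acceptor served a certificate whose key does not match — the one property an accept test should pin. The file still imports `RootCertStore`, so the more faithful fix is to add the rcgen certificate to a root store and build the `ClientConfig` with `with_root_certificates(...)`, letting rustls's real verifier run and dropping this module; if the bypass has to stay, the two signature methods can at least delegate to `rustls::crypto::verify_tls12_signature(_message, _cert, _dss, &rustls::crypto::ring::default_provider().signature_verification_algorithms)` and its tls13 counterpart, which as far as I recall is what rustls 0.22's own examples do (requires tokio-rustls's `ring` feature). The `impl` block continues past the hunk (`supported_verify_schemes` is not visible here) and `rustls_connector`, where the verifier is installed, is also outside it. The new doc comment should also state the scope, e.g. `/// Test-only: disables certificate verification so the rcgen self-signed cert is accepted; must never be used outside tests.`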
@@ -134,13 +137,13 @@ async fn accepts_connections() {
 let config = rustls_connector(cert, key);
 let config = Arc::new(config);
- let mut conn = tokio_rustls::rustls::ClientConnection::new(
+ let mut conn = tokio_rustls_025::rustls::ClientConnection::new(
 config,
 ServerName::try_from("localhost").unwrap(),
 )
 .unwrap();
- let mut stream = tokio_rustls::rustls::Stream::new(&mut conn, &mut sock);
+ let mut stream = tokio_rustls_025::rustls::Stream::new(&mut conn, &mut sock);
 stream.flush().expect("TLS handshake failed");
 }
diff --git a/actix-tls/tests/accept-rustls.rs b/actix-tls/tests/accept-rustls.rs
index 554f0fc1..bed2f6c3 100644
--- a/actix-tls/tests/accept-rustls.rs
+++ b/actix-tls/tests/accept-rustls.rs
@@ -15,14 +15,13 @@ use actix_rt::net::TcpStream;
 use actix_server::TestServer;
 use actix_service::ServiceFactoryExt as _;
 use actix_tls::{
- accept::rustls_0_21::{Acceptor, TlsStream},
+ accept::rustls_0_22::{reexports::ServerConfig, Acceptor, TlsStream},
 connect::openssl::reexports::SslConnector,
 };
 use actix_utils::future::ok;
 use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls_pki_types_1::PrivateKeyDer;
 use tls_openssl::ssl::SslVerifyMode;
-use tokio_rustls::rustls::{self, Certificate, PrivateKey, ServerConfig};
-use tokio_rustls_024 as tokio_rustls;
 fn new_cert_and_key() -> (String, String) {
 let cert =
@@ -35,7 +34,7 @@ fn new_cert_and_key() -> (String, String) {
 (cert, key)
 }
-fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
+fn rustls_server_config(cert: String, key: String) -> ServerConfig {
 // Load TLS key and cert files
 let cert = &mut BufReader::new(cert.as_bytes());
@@ -47,9 +46,8 @@ fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
 .unwrap();
 let mut config = ServerConfig::builder()
- .with_safe_defaults()
 .with_no_client_auth()
- .with_single_cert(cert_chain, PrivateKey(keys.remove(0)))
+ .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0)))
 .unwrap();
 config.alpn_protocols = vec![b"http/1.1".to_vec()];
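Review bot: `PrivateKeyDer::Pkcs8(keys.remove(0))` on the new `with_single_cert` line still dies with a bare index-out-of-bounds panic when `pkcs8_private_keys` yields nothing (for example if a future rcgen writes the key as a non-PKCS#8 PEM block), so the failure points at a `Vec` index rather than at the missing key. Since `keys` is presumably collected just above the hunk and only one key is expected, `PrivateKeyDer::Pkcs8(keys.pop().expect("key PEM contained no PKCS#8 private key"))` names the real cause at no extra cost. `rustls_server_config` starts and ends outside the hunk.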