
test(tls): fix accept-openssl test

This commit is contained in:
Rob Ede 2024-02-03 17:01:47 +00:00
parent e427911cdb
commit 9a3f3eef6a
No known key found for this signature in database
GPG Key ID: 97C636207D3EF933
5 changed files with 30 additions and 31 deletions


@ -15,8 +15,9 @@ ci-check-linux = "hack --workspace --feature-powerset --depth=2 check --tests --
# tests avoiding io-uring feature # tests avoiding io-uring feature
ci-test = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture" ci-test = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"
ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture" ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20 test --lib --tests --no-fail-fast -- --nocapture" ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
ci-test-rustls-022 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture"
# tests avoiding io-uring feature on Windows # tests avoiding io-uring feature on Windows
ci-test-win = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture" ci-test-win = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"


@ -117,11 +117,11 @@ bytes = "1"
env_logger = "0.10" env_logger = "0.10"
futures-util = { version = "0.3.17", default-features = false, features = ["sink"] } futures-util = { version = "0.3.17", default-features = false, features = ["sink"] }
itertools = "0.12" itertools = "0.12"
rcgen = "0.11" rcgen = "0.12"
rustls-pemfile = "2" rustls-pemfile = "2"
tokio-rustls-025 = { package = "tokio-rustls", version = "0.25" } tokio-rustls-025 = { package = "tokio-rustls", version = "0.25" }
trust-dns-resolver = "0.23" trust-dns-resolver = "0.23"
[[example]] [[example]]
name = "accept-rustls" name = "accept-rustls"
required-features = ["accept", "rustls-0_22-webpki-roots"] required-features = ["accept", "rustls-0_22"]


@ -46,10 +46,7 @@ pub use rustls_0_20 as rustls;
))] ))]
pub mod rustls_0_21; pub mod rustls_0_21;
#[cfg(any( #[cfg(feature = "rustls-0_22")]
feature = "rustls-0_22-webpki-roots",
feature = "rustls-0_22-native-roots",
))]
pub mod rustls_0_22; pub mod rustls_0_22;
#[cfg(feature = "native-tls")] #[cfg(feature = "native-tls")]


@ -12,11 +12,13 @@ use std::{io::Write as _, sync::Arc};
use actix_rt::net::TcpStream; use actix_rt::net::TcpStream;
use actix_server::TestServer; use actix_server::TestServer;
use actix_service::ServiceFactoryExt as _; use actix_service::ServiceFactoryExt as _;
use actix_tls::accept::openssl::{Acceptor, TlsStream}; use actix_tls::{
accept::openssl::{Acceptor, TlsStream},
connect::rustls_0_22::reexports::ClientConfig,
};
use actix_utils::future::ok; use actix_utils::future::ok;
use rustls_pki_types_1::ServerName; use rustls_pki_types_1::ServerName;
use tokio_rustls::rustls::{ClientConfig, RootCertStore}; use tokio_rustls_025::rustls::RootCertStore;
use tokio_rustls_025 as tokio_rustls;
fn new_cert_and_key() -> (String, String) { fn new_cert_and_key() -> (String, String) {
let cert = let cert =
@ -47,39 +49,40 @@ fn openssl_acceptor(cert: String, key: String) -> tls_openssl::ssl::SslAcceptor
builder.build() builder.build()
} }
#[allow(dead_code)]
mod danger { mod danger {
use rustls_pki_types_1::{CertificateDer, ServerName, UnixTime};
use tokio_rustls_025::rustls; use tokio_rustls_025::rustls;
/// Disables certificate verification to allow self-signed certs from rcgen.
#[derive(Debug)] #[derive(Debug)]
pub struct NoCertificateVerification; pub struct NoCertificateVerification;
impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification { impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert( fn verify_server_cert(
&self, &self,
end_entity: &rustls_pki_types_1::CertificateDer::CertificateDer<'_>, _end_entity: &CertificateDer<'_>,
intermediates: &[rustls_pki_types_1::CertificateDer::CertificateDer<'_>], _intermediates: &[CertificateDer<'_>],
server_name: &rustls_pki_types_1::CertificateDer::ServerName<'_>, _server_name: &ServerName<'_>,
ocsp_response: &[u8], _ocsp_response: &[u8],
now: rustls_pki_types_1::CertificateDer::UnixTime, _now: UnixTime,
) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> { ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
Ok(rustls::client::danger::ServerCertVerified::assertion()) Ok(rustls::client::danger::ServerCertVerified::assertion())
} }
fn verify_tls12_signature( fn verify_tls12_signature(
&self, &self,
message: &[u8], _message: &[u8],
cert: &rustls_pki_types_1::CertificateDer<'_>, _cert: &rustls_pki_types_1::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct, _dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> { ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
} }
fn verify_tls13_signature( fn verify_tls13_signature(
&self, &self,
message: &[u8], _message: &[u8],
cert: &rustls_pki_types_1::CertificateDer<'_>, _cert: &rustls_pki_types_1::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct, _dss: &rustls::DigitallySignedStruct,
) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> { ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
Ok(rustls::client::danger::HandshakeSignatureValid::assertion()) Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
} }
@ -134,13 +137,13 @@ async fn accepts_connections() {
let config = rustls_connector(cert, key); let config = rustls_connector(cert, key);
let config = Arc::new(config); let config = Arc::new(config);
let mut conn = tokio_rustls::rustls::ClientConnection::new( let mut conn = tokio_rustls_025::rustls::ClientConnection::new(
config, config,
ServerName::try_from("localhost").unwrap(), ServerName::try_from("localhost").unwrap(),
) )
.unwrap(); .unwrap();
let mut stream = tokio_rustls::rustls::Stream::new(&mut conn, &mut sock); let mut stream = tokio_rustls_025::rustls::Stream::new(&mut conn, &mut sock);
stream.flush().expect("TLS handshake failed"); stream.flush().expect("TLS handshake failed");
} }
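Review bot: The doc comment added on `NoCertificateVerification` understates what the verifier switches off — `verify_tls12_signature` and `verify_tls13_signature` in the same hunk also return `assertion()` unconditionally, so neither chain validation nor handshake-signature checking happens; I'd word it as `/// Test-only verifier: accepts any server certificate and any handshake signature unchecked, so rcgen's self-signed cert can be used.` Those two methods still spell the parameter type as `rustls_pki_types_1::CertificateDer<'_>` although the hunk now imports `CertificateDer` at the top of `danger`, so `_cert: &CertificateDer<'_>` would keep the three signatures consistent. The `impl ServerCertVerifier` block continues past the end of the hunk, so the remaining trait methods are not visible here.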


@ -15,14 +15,13 @@ use actix_rt::net::TcpStream;
use actix_server::TestServer; use actix_server::TestServer;
use actix_service::ServiceFactoryExt as _; use actix_service::ServiceFactoryExt as _;
use actix_tls::{ use actix_tls::{
accept::rustls_0_21::{Acceptor, TlsStream}, accept::rustls_0_22::{reexports::ServerConfig, Acceptor, TlsStream},
connect::openssl::reexports::SslConnector, connect::openssl::reexports::SslConnector,
}; };
use actix_utils::future::ok; use actix_utils::future::ok;
use rustls_pemfile::{certs, pkcs8_private_keys}; use rustls_pemfile::{certs, pkcs8_private_keys};
use rustls_pki_types_1::PrivateKeyDer;
use tls_openssl::ssl::SslVerifyMode; use tls_openssl::ssl::SslVerifyMode;
use tokio_rustls::rustls::{self, Certificate, PrivateKey, ServerConfig};
use tokio_rustls_024 as tokio_rustls;
fn new_cert_and_key() -> (String, String) { fn new_cert_and_key() -> (String, String) {
let cert = let cert =
@ -35,7 +34,7 @@ fn new_cert_and_key() -> (String, String) {
(cert, key) (cert, key)
} }
fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig { fn rustls_server_config(cert: String, key: String) -> ServerConfig {
// Load TLS key and cert files // Load TLS key and cert files
let cert = &mut BufReader::new(cert.as_bytes()); let cert = &mut BufReader::new(cert.as_bytes());
@ -47,9 +46,8 @@ fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
.unwrap(); .unwrap();
let mut config = ServerConfig::builder() let mut config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert(cert_chain, PrivateKey(keys.remove(0))) .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0)))
.unwrap(); .unwrap();
config.alpn_protocols = vec![b"http/1.1".to_vec()]; config.alpn_protocols = vec![b"http/1.1".to_vec()];
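Review bot: `PrivateKeyDer::Pkcs8(keys.remove(0))` on the rewritten `with_single_cert` line still fails with a bare index-out-of-bounds panic when the PEM fixture yields no PKCS#8 key, which makes a broken fixture look like a bug in the test itself; taking the key out first gives a readable failure: `let key = keys.into_iter().next().expect("PEM contains no PKCS#8 private key");` followed by `.with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(key))`, and the `mut` on `keys` can then go. `rustls_server_config` begins in the previous hunk and `keys` is built there, so I'm inferring its element type from the `Pkcs8` wrapper rather than from a visible line.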