| author | Steven Fackler <[email protected]> | 2017-12-27 16:30:28 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2017-12-27 16:30:28 -0700 |
| commit | e1d442e65b3553e17d78f12c4fc3ebb96058d9d8 (patch) | |
| tree | 4ae5545289c2730f161aee630a0f20adbcda63c1 /openssl/src/ssl/test.rs | |
| parent | Merge pull request #802 from sfackler/ssl-error (diff) | |
| parent | Overhaul ALPN (diff) | |
| download | rust-openssl-e1d442e65b3553e17d78f12c4fc3ebb96058d9d8.tar.xz rust-openssl-e1d442e65b3553e17d78f12c4fc3ebb96058d9d8.zip | |
Merge pull request #804 from sfackler/alpn-overhaul
Overhaul ALPN
Diffstat (limited to 'openssl/src/ssl/test.rs')
| -rw-r--r-- | openssl/src/ssl/test.rs | 122 |
1 files changed, 23 insertions, 99 deletions
diff --git a/openssl/src/ssl/test.rs b/openssl/src/ssl/test.rs
index 3beaf846..f4e5b11b 100644
--- a/openssl/src/ssl/test.rs
+++ b/openssl/src/ssl/test.rs
@@ -479,7 +479,7 @@ fn test_connect_with_unilateral_alpn() {
     let (_s, stream) = Server::new();
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
+    ctx.set_alpn_protos(b"\x08http/1.1\x08spdy/3.1").unwrap();
     match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
         Ok(_) => {}
         Err(err) => panic!("Unexpected error {:?}", err),
@@ -493,28 +493,6 @@ fn test_connect_with_unilateral_alpn() {
     assert!(stream.ssl().selected_alpn_protocol().is_none());
 }
 
-/// Tests that connecting with the client using NPN, but the server not does not
-/// break the existing connection behavior.
-#[test]
-#[cfg(not(any(libressl261, libressl262, libressl26x)))]
-fn test_connect_with_unilateral_npn() {
-    let (_s, stream) = Server::new();
-    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
-    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
-        Ok(_) => {}
-        Err(err) => panic!("Unexpected error {:?}", err),
-    }
-    let stream = match Ssl::new(&ctx.build()).unwrap().connect(stream) {
-        Ok(stream) => stream,
-        Err(err) => panic!("Expected success, got {:?}", err),
-    };
-    // Since the socket to which we connected is not configured to use NPN,
-    // there should be no selected protocol...
-    assert!(stream.ssl().selected_npn_protocol().is_none());
-}
-
 /// Tests that when both the client as well as the server use ALPN and their
 /// lists of supported protocols have an overlap, the correct protocol is chosen.
 #[test]
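Review bot: The ALPN list at the `+` line is now a hand-encoded wire buffer, and nothing in the test records that the byte in front of each name is that name's length, so a later edit of the list can silently shift the protocol boundaries (`\x08` is correct for both 8-byte names here). A one-line comment above the call, `// ALPN wire format: each protocol name is prefixed by its one-byte length.`, keeps the encoding visible; the same literal form recurs in every later hunk of this file. test_connect_with_unilateral_alpn continues outside the hunk.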
@@ -523,7 +501,7 @@ fn test_connect_with_alpn_successful_multiple_matching() {
     let (_s, stream) = Server::new_alpn();
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_alpn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
+    ctx.set_alpn_protos(b"\x08http/1.1\x08spdy/3.1").unwrap();
     match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
         Ok(_) => {}
         Err(err) => panic!("Unexpected error {:?}", err),
@@ -537,28 +515,6 @@ fn test_connect_with_alpn_successful_multiple_matching() {
     assert_eq!(b"http/1.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 
-/// Tests that when both the client as well as the server use NPN and their
-/// lists of supported protocols have an overlap, the correct protocol is chosen.
-#[test]
-#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-fn test_connect_with_npn_successful_multiple_matching() {
-    let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_npn_protocols(&[b"spdy/3.1", b"http/1.1"]).unwrap();
-    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
-        Ok(_) => {}
-        Err(err) => panic!("Unexpected error {:?}", err),
-    }
-    let stream = match Ssl::new(&ctx.build()).unwrap().connect(stream) {
-        Ok(stream) => stream,
-        Err(err) => panic!("Expected success, got {:?}", err),
-    };
-    // The server prefers "http/1.1", so that is chosen, even though the client
-    // would prefer "spdy/3.1"
-    assert_eq!(b"http/1.1", stream.ssl().selected_npn_protocol().unwrap());
-}
-
 /// Tests that when both the client as well as the server use ALPN and their
 /// lists of supported protocols have an overlap -- with only ONE protocol
 /// being valid for both.
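Review bot: The client's preference order is flipped in the `+` line (`http/1.1` now precedes `spdy/3.1`), so the `assert_eq!(b"http/1.1", …)` visible in the following hunk passes whether server or client preference governs, and the test no longer distinguishes the two. The NPN counterpart deleted in that following hunk relied on exactly that difference ("The server prefers http/1.1 … even though the client would prefer spdy/3.1"). Keeping the client order reversed, `ctx.set_alpn_protos(b"\x08spdy/3.1\x08http/1.1").unwrap();`, preserves the check, assuming `Server::new_alpn` (outside the hunk) still lists `http/1.1` first on the server side. test_connect_with_alpn_successful_multiple_matching starts and ends outside the hunk.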
@@ -568,7 +524,7 @@ fn test_connect_with_alpn_successful_single_match() {
     let (_s, stream) = Server::new_alpn();
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
+    ctx.set_alpn_protos(b"\x08spdy/3.1").unwrap();
     match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
         Ok(_) => {}
         Err(err) => panic!("Unexpected error {:?}", err),
@@ -582,41 +538,19 @@ fn test_connect_with_alpn_successful_single_match() {
     assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 
-/// Tests that when both the client as well as the server use NPN and their
-/// lists of supported protocols have an overlap -- with only ONE protocol
-/// being valid for both.
-#[test]
-#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-fn test_connect_with_npn_successful_single_match() {
-    let (_s, stream) = Server::new_alpn();
-    let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-    ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
-    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
-        Ok(_) => {}
-        Err(err) => panic!("Unexpected error {:?}", err),
-    }
-    let stream = match Ssl::new(&ctx.build()).unwrap().connect(stream) {
-        Ok(stream) => stream,
-        Err(err) => panic!("Expected success, got {:?}", err),
-    };
-    // The client now only supports one of the server's protocols, so that one
-    // is used.
-    assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap());
-}
-
 /// Tests that when the `SslStream` is created as a server stream, the protocols
 /// are correctly advertised to the client.
 #[test]
-#[cfg(not(any(libressl261, libressl262, libressl26x)))]
-fn test_npn_server_advertise_multiple() {
+#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
+fn test_alpn_server_advertise_multiple() {
     let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let localhost = listener.local_addr().unwrap();
     // We create a different context instance for the server...
     let listener_ctx = {
         let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SslVerifyMode::PEER);
-        ctx.set_npn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
+        ctx.set_alpn_select_callback(|_, client| {
+            ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
+        });
         assert!(
             ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
                 .is_ok()
@@ -633,7 +567,7 @@ fn test_npn_server_advertise_multiple() {
 
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_npn_protocols(&[b"spdy/3.1"]).unwrap();
+    ctx.set_alpn_protos(b"\x08spdy/3.1").unwrap();
     match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
         Ok(_) => {}
         Err(err) => panic!("Unexpected error {:?}", err),
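Review bot: The doc comment kept above the renamed `test_alpn_server_advertise_multiple` still says the server's protocols are "advertised to the client", but with ALPN the client offers its list and the server only chooses through the `set_alpn_select_callback` added here, so the comment now describes the wrong direction. Suggested wording: `/// Tests that a server configured with an ALPN selection callback negotiates the one protocol the client offers from the server's list.` Separately, the server context's `ctx.set_verify(SslVerifyMode::PEER)` is removed together with the NPN call although it is unrelated to the ALPN migration; the `-645` and `-701` hunks drop it from their server contexts as well. Because that context loads no CA file and the client side shown here configures no certificate, the removal looks behaviour-neutral for these tests, but it should be called out so it is not mistaken for part of the API change. The test body continues past the end of this hunk.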
@@ -645,21 +579,21 @@ fn test_npn_server_advertise_multiple() {
         Err(err) => panic!("Expected success, got {:?}", err),
     };
     // SPDY is selected since that's the only thing the client supports.
-    assert_eq!(b"spdy/3.1", stream.ssl().selected_npn_protocol().unwrap());
+    assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
 }
 
-/// Tests that when the `SslStream` is created as a server stream, the protocols
-/// are correctly advertised to the client.
 #[test]
-#[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
-fn test_alpn_server_advertise_multiple() {
+#[cfg(all(feature = "v110", ossl110))]
+fn test_alpn_server_select_none_fatal() {
     let listener = TcpListener::bind("127.0.0.1:0").unwrap();
     let localhost = listener.local_addr().unwrap();
     // We create a different context instance for the server...
     let listener_ctx = {
         let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SslVerifyMode::PEER);
-        ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
+        ctx.set_alpn_select_callback(|_, client| {
+            ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client)
+                .ok_or(ssl::AlpnError::ALERT_FATAL)
+        });
         assert!(
             ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
                 .is_ok()
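Review bot: The new `test_alpn_server_select_none_fatal` has no doc comment, because the `///` lines this hunk removes belonged to the test it replaces, leaving the only `AlpnError::ALERT_FATAL` test in the file undocumented. Suggested: `/// Tests that an ALPN selection callback returning AlpnError::ALERT_FATAL aborts the handshake when no client protocol matches, rather than continuing without ALPN.` The `#[cfg(all(feature = "v110", ossl110))]` gate is narrower than the `ossl102`-or-`ossl110` gate on the sibling tests; if that is because the fatal-alert path needs OpenSSL 1.1.0, a short `// ALERT_FATAL needs OpenSSL 1.1.0` comment next to the attribute would say so. The test body continues into the next hunk.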
@@ -676,23 +610,12 @@ fn test_alpn_server_advertise_multiple() {
 
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_alpn_protocols(&[b"spdy/3.1"]).unwrap();
-    match ctx.set_ca_file(&Path::new("test/root-ca.pem")) {
-        Ok(_) => {}
-        Err(err) => panic!("Unexpected error {:?}", err),
-    }
-    // Now connect to the socket and make sure the protocol negotiation works...
+    ctx.set_alpn_protos(b"\x06http/2").unwrap();
+    ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap();
     let stream = TcpStream::connect(localhost).unwrap();
-    let stream = match Ssl::new(&ctx.build()).unwrap().connect(stream) {
-        Ok(stream) => stream,
-        Err(err) => panic!("Expected success, got {:?}", err),
-    };
-    // SPDY is selected since that's the only thing the client supports.
-    assert_eq!(b"spdy/3.1", stream.ssl().selected_alpn_protocol().unwrap());
+    Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap_err();
 }
 
-/// Test that Servers supporting ALPN don't report a protocol when none of their protocols match
-/// the client's reported protocol.
 #[test]
 #[cfg(any(all(feature = "v102", ossl102), all(feature = "v110", ossl110)))]
 fn test_alpn_server_select_none() {
@@ -701,8 +624,9 @@ fn test_alpn_server_select_none() {
     // We create a different context instance for the server...
     let listener_ctx = {
         let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
-        ctx.set_verify(SslVerifyMode::PEER);
-        ctx.set_alpn_protocols(&[b"http/1.1", b"spdy/3.1"]).unwrap();
+        ctx.set_alpn_select_callback(|_, client| {
+            ssl::select_next_proto(b"\x08http/1.1\x08spdy/3.1", client).ok_or(ssl::AlpnError::NOACK)
+        });
         assert!(
             ctx.set_certificate_file(&Path::new("test/cert.pem"), X509Filetype::PEM)
                 .is_ok()
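Review bot: `Ssl::new(&ctx.build()).unwrap().connect(stream).unwrap_err();` in `test_alpn_server_select_none_fatal` asserts only that the connect fails, not that it fails because of the server's ALPN alert, so a certificate or socket error would pass the test just as well. Binding the error and checking that it is a handshake failure (and, if the library surfaces the alert, that it is `no_application_protocol`) would pin the behaviour under test. The thread that accepts the server side of this test lies outside the hunk; with `ALERT_FATAL` its handshake fails too, so confirm that path does not `unwrap()` the accept result, or the panic will surface there rather than in the client assertion. The hunk also deletes the two `///` lines describing `test_alpn_server_select_none` (`Test that Servers supporting ALPN don't report a protocol when none of their protocols match the client's reported protocol.`) while keeping that test, so they should be restored above its `#[test]`.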
@@ -719,7 +643,7 @@ fn test_alpn_server_select_none() {
 
     let mut ctx = SslContext::builder(SslMethod::tls()).unwrap();
     ctx.set_verify(SslVerifyMode::PEER);
-    ctx.set_alpn_protocols(&[b"http/2"]).unwrap();
+    ctx.set_alpn_protos(b"\x06http/2").unwrap();
     ctx.set_ca_file(&Path::new("test/root-ca.pem")).unwrap();
     // Now connect to the socket and make sure the protocol negotiation works...
     let stream = TcpStream::connect(localhost).unwrap();