wj_eventmachine 1.3.0.dev.1

data/tests/test_ssl_args.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+require 'tempfile'
+
+class TestSSLArgs < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  def test_tls_params_file_doesnt_exist
+    priv_file, cert_file = 'foo_priv_key', 'bar_cert_file'
+    [priv_file, cert_file].all? do |f|
+      assert(!File.exist?(f), "Cert file #{f} seems to exist, and should not for the tests")
+    end
+
+    assert_raises EM::FileNotFoundException do
+      client_server client: { private_key_file: priv_file }
+    end
+
+    assert_raises EM::FileNotFoundException do
+      client_server client: { cert_chain_file: cert_file }
+    end
+
+    assert_raises EM::FileNotFoundException do
+      client_server client: { private_key_file: priv_file, cert_chain_file: cert_file }
+    end
+  end
+
+  def _test_tls_params_file_improper
+    priv_file_path = Tempfile.new('em_test').path
+    cert_file_path = Tempfile.new('em_test').path
+    params = { private_key_file: priv_file_path,
+                cert_chain_file: cert_file_path }
+    begin
+      client_server client: params
+    rescue Object
+      assert false, 'should not have raised an exception'
+    end
+  end
+end if EM.ssl?

data/tests/test_ssl_dhparam.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+class TestSSLDhParam < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  DH_PARAM_FILE = File.join(__dir__, 'dhparam.pem')
+
+  DH_1_2 =   { cipher_list: "DHE,EDH", ssl_version: %w(TLSv1_2) }
+  CLIENT_1_2 = { client_unbind: true,  ssl_version: %w(TLSv1_2) }
+
+  def test_no_dhparam
+    omit_if(EM.library_type == :pure_ruby) # DH will work with defaults
+    omit_if(rbx?)
+
+    client_server client: CLIENT_1_2, server: DH_1_2
+
+    refute Client.handshake_completed?
+    refute Server.handshake_completed?
+  end
+
+  def test_dhparam_1_2
+    omit_if(rbx?)
+
+    client_server client: CLIENT_1_2, server: DH_1_2.merge(dhparam: DH_PARAM_FILE)
+
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+
+    assert Client.cipher_name.length > 0
+    assert_equal Client.cipher_name, Server.cipher_name
+
+    assert_match(/^(DHE|EDH)/, Client.cipher_name)
+  end
+
+  def test_dhparam_1_3
+    omit_if(rbx?)
+    omit("TLSv1_3 is unavailable") unless EM.const_defined? :EM_PROTO_TLSv1_3
+
+    client = { client_unbind: true, ssl_version: %w(TLSv1_3) }
+    server = { dhparam: DH_PARAM_FILE, cipher_list: "DHE,EDH", ssl_version: %w(TLSv1_3) }
+    client_server client: client, server: server
+
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+
+    assert Client.cipher_name.length > 0
+    assert_equal Client.cipher_name, Server.cipher_name
+
+    # see https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
+    # may depend on OpenSSL build options
+    assert_equal "TLS_AES_256_GCM_SHA384", Client.cipher_name
+  end
+end if EM.ssl?

data/tests/test_ssl_ecdh_curve.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+class TestSSLEcdhCurve < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  def test_no_ecdh_curve
+    omit_if(rbx?)
+    omit("OpenSSL 1.1.x (and later) auto selects curve") if IS_SSL_GE_1_1
+
+    client_server server: { cipher_list: "ECDH", ssl_version: %w(TLSv1_2) }
+
+    refute Client.handshake_completed?
+    refute Server.handshake_completed?
+  end
+
+  def test_ecdh_curve_tlsv1_2
+    omit_if(EM.library_type == :pure_ruby && RUBY_VERSION < "2.3.0")
+    omit_if(rbx?)
+
+    server = { cipher_list: "ECDH", ssl_version: %w(TLSv1_2) }
+    server.merge!(ecdh_curve: "prime256v1") unless IS_SSL_GE_1_1
+
+    client_server server: server
+
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+
+    assert Client.cipher_name.length > 0
+    assert_equal Client.cipher_name, Server.cipher_name
+
+    assert_match(/^(AECDH|ECDHE)/, Client.cipher_name)
+  end
+
+  def test_ecdh_curve_tlsv1_3
+    omit_if(EM.library_type == :pure_ruby && RUBY_VERSION < "2.3.0")
+    omit_if(rbx?)
+    omit("TLSv1_3 is unavailable") unless EM.const_defined? :EM_PROTO_TLSv1_3
+
+    tls = { cipher_list: "ECDH", ssl_version: %w(TLSv1_3) }
+
+    client_server server: tls
+
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+
+    assert Client.cipher_name.length > 0
+    assert_equal Client.cipher_name, Server.cipher_name
+
+    # see https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
+    # may depend on OpenSSL build options
+    assert_equal "TLS_AES_256_GCM_SHA384", Client.cipher_name
+  end
+end if EM.ssl?

data/tests/test_ssl_extensions.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+class TestSSLExtensions < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  def test_tlsext_sni_hostname_1_2
+    client = { sni_hostname: 'example.com', ssl_version: %w(TLSv1_2) }
+    client_server client: client
+    assert Server.handshake_completed?
+    assert_equal 'example.com', Server.sni_hostname
+  end
+  
+  def test_tlsext_sni_hostname_1_3
+    omit("TLSv1_3 is unavailable") unless EM.const_defined? :EM_PROTO_TLSv1_3
+    client = { sni_hostname: 'example.com', ssl_version: %w(TLSv1_3) }
+    client_server client: client
+    assert Server.handshake_completed?
+    assert_equal 'example.com', Server.sni_hostname
+  end
+end if EM.ssl?

data/tests/test_ssl_methods.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+class TestSSLMethods < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  def test_ssl_methods
+    omit_if(rbx?)
+
+    client_server
+    
+    assert Server.handshake_completed?
+    assert Client.handshake_completed?
+
+    assert Server.cert_value.is_a? NilClass
+    assert Client.cert_value.is_a? String
+
+    assert Client.cipher_bits > 0
+    assert_equal Client.cipher_bits, Server.cipher_bits
+
+    assert Client.cipher_name.length > 0
+    assert_match(/AES/, Client.cipher_name)
+    assert_equal Client.cipher_name, Server.cipher_name
+
+    assert Client.cipher_protocol.start_with? "TLS"
+    assert_equal Client.cipher_protocol, Server.cipher_protocol
+  end
+end  if EM.ssl?

data/tests/test_ssl_protocols.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+# For OpenSSL 1.1.0 and later, cipher_protocol returns single cipher, older
+# versions return "TLSv1/SSLv3"
+# TLSv1.1 handshake_completed Server/Client callback order is reversed from
+# older protocols
+
+class TestSSLProtocols < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  # We're checking for whether Context min_version= & max_version= are defined, but
+  # JRuby has a bug where they're defined, but the private method they call isn't
+  RUBY_SSL_GE_2_1 = OpenSSL::SSL::SSLContext.private_instance_methods(false).include?(:set_minmax_proto_version)
+
+  def test_invalid_ssl_version
+    assert_raises(RuntimeError, "Unrecognized SSL/TLS Version: badinput") do
+      client = { ssl_version: %w(tlsv1 badinput) }
+      server = { ssl_version: %w(tlsv1 badinput) }
+      client_server client: client, server: server
+    end
+  end
+
+  def test_any_to_v3
+    omit("SSLv3 is (correctly) unavailable") if EM::OPENSSL_NO_SSL3
+    client_server client: TLS_ALL, server: SSL_3
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+  end
+
+  def test_any_to_tlsv1_2
+    client_server client: TLS_ALL, server: TLS_1_2
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    if IS_SSL_GE_1_1
+      assert_equal "TLSv1.2", Client.cipher_protocol
+    end
+  end
+
+  def test_case_insensitivity
+    lower_case = SSL_AVAIL.map { |p| p.downcase }
+    client = { ssl_version: %w(tlsv1_2) }
+    server = { ssl_version: lower_case  }
+    client_server client: client, server: server
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+  end
+
+  def test_v3_to_any
+    omit("SSLv3 is (correctly) unavailable") if EM::OPENSSL_NO_SSL3
+    client_server client: SSL_3, server: TLS_ALL
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+  end
+
+  def test_tlsv1_2_to_any
+    client_server client: TLS_1_2, server: TLS_ALL
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    if IS_SSL_GE_1_1
+      assert_equal "TLSv1.2", Server.cipher_protocol
+    end
+  end
+
+  def test_v3_to_v3
+    omit("SSLv3 is (correctly) unavailable") if EM::OPENSSL_NO_SSL3
+    client_server client: SSL_3, server: SSL_3
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+  end
+
+  def test_tlsv1_2_to_tlsv1_2
+    client_server client: TLS_1_2, server: TLS_1_2
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    if IS_SSL_GE_1_1
+      assert_equal "TLSv1.2", Client.cipher_protocol
+      assert_equal "TLSv1.2", Server.cipher_protocol
+    end
+  end
+
+  def test_tlsv1_3_to_tlsv1_3
+    omit("TLSv1_3 is unavailable") unless EM.const_defined? :EM_PROTO_TLSv1_3
+    client_server client: TLS_1_3, server: TLS_1_3
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    assert_equal "TLSv1.3", Client.cipher_protocol
+    assert_equal "TLSv1.3", Server.cipher_protocol
+  end
+
+  def test_any_to_any
+    client_server client: TLS_ALL, server: TLS_ALL
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    if IS_SSL_GE_1_1
+      best_protocol = SSL_AVAIL.last.tr "_", "."
+      assert_equal best_protocol, Client.cipher_protocol
+      assert_equal best_protocol, Server.cipher_protocol
+    end
+  end
+
+  def test_default_to_default
+    client_server
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+    if IS_SSL_GE_1_1
+      best_protocol = SSL_AVAIL.last.tr "_", "."
+      assert_equal best_protocol, Client.cipher_protocol
+      assert_equal best_protocol, Server.cipher_protocol
+    end
+  end
+
+  def external_client(ext_min, ext_max, ext_ssl, server)
+    EM.run do
+#        setup_timeout 2
+      EM.start_server IP, PORT, Server, server.merge( { stop_after_handshake: true} )
+      EM.defer do
+        sock = TCPSocket.new IP, PORT
+        ctx = OpenSSL::SSL::SSLContext.new
+        if RUBY_SSL_GE_2_1
+          ctx.min_version = ext_min if ext_min
+          ctx.max_version = ext_max if ext_max
+        else
+          ctx.ssl_version = ext_ssl
+        end
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.connect
+        ssl.close rescue nil
+        sock.close rescue nil
+      end
+    end
+    assert Server.handshake_completed?
+  end
+
+  def test_v3_with_external_client
+    omit("SSLv3 is (correctly) unavailable") if EM::OPENSSL_NO_SSL3
+    external_client nil, nil, :SSLv3_client, SSL_3
+  end
+
+  # Fixed Server
+  def test_tlsv1_2_with_external_client
+    external_client nil, nil, :SSLv23_client, TLS_1_2
+  end
+
+  def test_tlsv1_3_with_external_client
+    omit("TLSv1_3 is unavailable") unless EM.const_defined?(:EM_PROTO_TLSv1_3) &&
+      OpenSSL::SSL.const_defined?(:TLS1_3_VERSION)
+    external_client nil, nil, :SSLv23_client, TLS_1_3
+  end
+
+  # Fixed Client
+  def test_any_with_external_client_tlsv1_2
+    external_client :TLS1_2, :TLS1_2, :TLSv1_2_client, TLS_ALL
+  end
+
+  def test_any_with_external_client_tlsv1_3
+    omit("TLSv1_3 is unavailable") unless EM.const_defined? :EM_PROTO_TLSv1_3
+    external_client :TLS1_3, :TLS1_3, :TLSv1_2_client, TLS_ALL
+  end
+
+  # Refuse a client?
+  def test_tlsv1_2_required_with_external_client
+    EM.run do
+      n = 0
+      EM.add_periodic_timer(0.5) do
+        n += 1
+        (EM.stop rescue nil) if n == 2
+      end
+      EM.start_server IP, PORT, Server, TLS_1_2.merge( { stop_after_handshake: true} )
+      EM.defer do
+        sock = TCPSocket.new IP, PORT
+        ctx = OpenSSL::SSL::SSLContext.new
+        if RUBY_SSL_GE_2_1
+          ctx.max_version = :TLS1_1
+        else
+          ctx.ssl_version = :TLSv1_client
+        end
+        ssl = OpenSSL::SSL::SSLSocket.new sock, ctx
+        assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
+        ssl.close  rescue nil
+        sock.close rescue nil
+        EM.stop    rescue nil
+      end
+    end
+    refute Server.handshake_completed?
+  end
+end if EM.ssl?

data/tests/test_ssl_verify.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative 'em_test_helper'
+
+class TestSSLVerify < Test::Unit::TestCase
+
+  require_relative 'em_ssl_handlers'
+  include EMSSLHandlers
+
+  CERT_FROM_FILE = File.read "#{__dir__}/client.crt"
+
+  CLIENT_CERT = { private_key_file: "#{__dir__}/client.key",
+                  cert_chain_file:  "#{__dir__}/client.crt" }
+
+  def test_fail_no_peer_cert
+    omit_if(rbx?)
+
+    server = { verify_peer: true, fail_if_no_peer_cert: true,
+      ssl_verify_result: "|RAISE|Verify peer should not get called for a client without a certificate" }
+
+    client_server Client, Server, server: server
+
+    refute Client.handshake_completed? unless "TLSv1.3" == Client.cipher_protocol
+    refute Server.handshake_completed?
+  end
+
+  def test_accept_server
+    omit_if(EM.library_type == :pure_ruby) # Server has a default cert chain
+    omit_if(rbx?)
+
+    server = { verify_peer: true, ssl_verify_result: true }
+
+    client_server Client, Server, client: CLIENT_CERT, server: server
+
+    assert_equal CERT_FROM_FILE, Server.cert
+    assert Client.handshake_completed?
+    assert Server.handshake_completed?
+  end
+
+  def test_deny_server
+    omit_if(EM.library_type == :pure_ruby) # Server has a default cert chain
+    omit_if(rbx?)
+
+    server = { verify_peer: true, ssl_verify_result: false }
+
+    client_server Client, Server, client: CLIENT_CERT, server: server
+
+    assert_equal CERT_FROM_FILE, Server.cert
+    refute Client.handshake_completed? unless "TLSv1.3" == Client.cipher_protocol
+    refute Server.handshake_completed?
+  end
+end if EM.ssl?