//===----------------------------------------------------------------------===//
//
// This source file is part of the SwiftNIO open source project
//
// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
import XCTest
import NIO
import NIOTLS
import NIOSSL
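/// Exercises client-side Server Name Indication (SNI) handling: what the server's
/// `SNIHandler` sees on the wire, and which `serverHostname` values the client entry
/// points refuse before a handshake is ever attempted.
final class ClientSNITests: XCTestCase {
    /// Self-signed certificate shared by every test in this class; created once in `setUp()`.
    static var cert: NIOSSLCertificate!
    /// Private key matching `cert`; created once in `setUp()`.
    static var key: NIOSSLPrivateKey!

    override class func setUp() {
        super.setUp()
        // Key generation is slow, so it happens once per class rather than per test.
        // The pair is stored on this class so the suite does not read (or clobber)
        // another test case's static state.
        let (cert, key) = generateSelfSignedCert()
        ClientSNITests.cert = cert
        ClientSNITests.key = key
    }

    // MARK: - Helpers

    /// Builds an `NIOSSLContext` that presents the self-signed test certificate and
    /// trusts only that certificate, so the client side of each handshake verifies
    /// the in-process server it talks to.
    ///
    /// - Returns: A context configured with `cert`/`key` and `cert` as its sole trust root.
    /// - Throws: Whatever `NIOSSLContext.init(configuration:)` throws.
    private func configuredSSLContext() throws -> NIOSSLContext {
        var config = TLSConfiguration.makeServerConfiguration(
            certificateChain: [.certificate(ClientSNITests.cert)],
            privateKey: .privateKey(ClientSNITests.key)
        )
        config.trustRoots = .certificates([ClientSNITests.cert])
        return try NIOSSLContext(configuration: config)
    }

    /// Runs a full TLS handshake between an in-process server and client and checks
    /// what the server's `SNIHandler` observed.
    ///
    /// - Parameters:
    ///   - sniField: The `serverHostname` handed to the client; `nil` sends no SNI extension.
    ///   - expectedResult: The `SNIResult` the server-side `SNIHandler` must report.
    ///   - file: Call-site file, forwarded so failures point at the calling test.
    ///   - line: Call-site line, forwarded so failures point at the calling test.
    /// - Throws: If either channel cannot be set up or the SNI promise fails.
    private func assertSniResult(sniField: String?,
                                 expectedResult: SNIResult,
                                 file: StaticString = #file,
                                 line: UInt = #line) throws {
        let context = try configuredSSLContext()
        let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
        defer {
            try? group.syncShutdownGracefully()
        }

        // The SNIHandler is installed as a server pre-handler, presumably so it can
        // inspect the ClientHello ahead of the TLS handler; it reports via this promise.
        let sniPromise: EventLoopPromise<SNIResult> = group.next().makePromise()
        let sniHandler = ByteToMessageHandler(SNIHandler {
            sniPromise.succeed($0)
            return group.next().makeSucceededFuture(())
        })

        let serverChannel = try serverTLSChannel(context: context,
                                                 preHandlers: [sniHandler],
                                                 postHandlers: [],
                                                 group: group)
        defer {
            _ = try? serverChannel.close().wait()
        }

        // A bound server channel has a local address; nil here is a harness bug, not a test result.
        guard let serverAddress = serverChannel.localAddress else {
            XCTFail("server channel has no local address", file: file, line: line)
            return
        }

        let clientChannel = try clientTLSChannel(context: context,
                                                 preHandlers: [],
                                                 postHandlers: [],
                                                 group: group,
                                                 connectingTo: serverAddress,
                                                 serverHostname: sniField)
        defer {
            _ = try? clientChannel.close().wait()
        }

        let sniResult = try sniPromise.futureResult.wait()
        XCTAssertEqual(sniResult, expectedResult, file: file, line: line)
    }

    /// Asserts that both client entry points taking a `serverHostname`
    /// (`NIOSSLClientTLSProvider` and `NIOSSLClientHandler`) refuse `hostname`
    /// with `expectedError`, so neither path can emit a malformed SNI extension.
    ///
    /// - Parameters:
    ///   - hostname: The candidate SNI value.
    ///   - context: The SSL context to construct the client objects with.
    ///   - expectedError: The `NIOSSLExtraError` both constructors must throw.
    ///   - file: Call-site file, forwarded so failures point at the calling test.
    ///   - line: Call-site line, forwarded so failures point at the calling test.
    private func assertSniRejected(_ hostname: String,
                                   in context: NIOSSLContext,
                                   with expectedError: NIOSSLExtraError,
                                   file: StaticString = #file,
                                   line: UInt = #line) {
        XCTAssertThrowsError(try NIOSSLClientTLSProvider<ClientBootstrap>(context: context, serverHostname: hostname),
                             file: file, line: line) { error in
            XCTAssertEqual(error as? NIOSSLExtraError, expectedError, file: file, line: line)
        }
        XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: hostname),
                             file: file, line: line) { error in
            XCTAssertEqual(error as? NIOSSLExtraError, expectedError, file: file, line: line)
        }
    }

    /// Asserts that both client entry points accept `hostname` as an SNI value.
    ///
    /// - Parameters:
    ///   - hostname: The candidate SNI value.
    ///   - context: The SSL context to construct the client objects with.
    ///   - file: Call-site file, forwarded so failures point at the calling test.
    ///   - line: Call-site line, forwarded so failures point at the calling test.
    private func assertSniAccepted(_ hostname: String,
                                   in context: NIOSSLContext,
                                   file: StaticString = #file,
                                   line: UInt = #line) {
        XCTAssertNoThrow(try NIOSSLClientHandler(context: context, serverHostname: hostname),
                         file: file, line: line)
        XCTAssertNoThrow(try NIOSSLClientTLSProvider<ClientBootstrap>(context: context, serverHostname: hostname),
                         file: file, line: line)
    }

    // MARK: - What reaches the server

    func testSNIIsTransmitted() throws {
        try assertSniResult(sniField: "httpbin.org", expectedResult: .hostname("httpbin.org"))
    }

    func testNoSNILeadsToNoExtension() throws {
        try assertSniResult(sniField: nil, expectedResult: .fallback)
    }

    // MARK: - Hostnames the client must refuse up front

    // RFC 6066 §3 does not permit literal IP addresses in the server_name extension,
    // so the client refuses them instead of sending a non-compliant ClientHello.
    func testSNIIsRejectedForIPv4Addresses() throws {
        try assertSniRejected("192.168.0.1", in: configuredSSLContext(), with: .cannotUseIPAddressInSNI)
    }

    func testSNIIsRejectedForIPv6Addresses() throws {
        try assertSniRejected("fe80::200:f8ff:fe21:67cf", in: configuredSSLContext(), with: .cannotUseIPAddressInSNI)
    }

    func testSNIIsRejectedForEmptyHostname() throws {
        try assertSniRejected("", in: configuredSSLContext(), with: .invalidSNIHostname)
    }

    // 256 bytes is one past the longest hostname accepted (see the 255-byte
    // bound asserted in testSNIIsNotRejectedForVeryWeirdCharacters).
    func testSNIIsRejectedForTooLongHostname() throws {
        try assertSniRejected(String(repeating: "x", count: 256), in: configuredSSLContext(), with: .invalidSNIHostname)
    }

    // An embedded NUL would be truncated by any C-string API further down the
    // stack, so the name could be read differently by different parsers; it has
    // to be refused before it reaches the handshake.
    func testSNIIsRejectedFor0Byte() throws {
        try assertSniRejected(String(UnicodeScalar(0)!), in: configuredSSLContext(), with: .invalidSNIHostname)
    }

    // MARK: - Hostnames the client must accept

    // Scalars 1...1000 are all valid Unicode scalars (surrogates start at 0xD800),
    // so compactMap drops nothing here; it only satisfies the failable initializer.
    func testSNIIsNotRejectedForAnyOfTheFirst1000CodeUnits() throws {
        let context = try configuredSSLContext()
        for scalar in (1...1000).compactMap({ UnicodeScalar($0) }) {
            assertSniAccepted(String(scalar), in: context)
        }
    }

    func testSNIIsNotRejectedForVeryWeirdCharacters() throws {
        let context = try configuredSSLContext()
        let testString = "😎🥶💥🏴👩💻"
        // Guard against accidentally tripping the length limit rather than testing characters.
        XCTAssertLessThanOrEqual(testString.utf8.count, 255)
        assertSniAccepted(testString, in: context)
    }
}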