# HG changeset patch # User Maxim Dounin <mdou...@mdounin.ru> # Date 1679140351 -10800 # Sat Mar 18 14:52:31 2023 +0300 # Node ID 530336cb449dcb028a55a5a401a122d07521e3a4 # Parent 3ab3b2d1c2e67bc1f05e386218ceb08da873a477 Tests: separate SSL session reuse tests in stream.
Instead of being mixed with generic SSL tests, session reuse variants are now tested in a separate file.

diff --git a/stream_ssl.t b/stream_ssl.t
--- a/stream_ssl.t
+++ b/stream_ssl.t
@@ -37,7 +37,7 @@ plan(skip_all => 'win32') if $^O eq 'MSW
 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
-$t->plan(7)->write_file_expand('nginx.conf', <<'EOF');
+$t->plan(5)->write_file_expand('nginx.conf', <<'EOF');
 %%TEST_GLOBALS%%
@@ -51,40 +51,35 @@ stream {
 ssl_certificate_key localhost.key;
 ssl_certificate localhost.crt;
- ssl_session_tickets off;
 # inherited by server "inherits"
 ssl_password_file password_stream;
 server {
- listen 127.0.0.1:8080 ssl;
+ listen 127.0.0.1:8443 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache builtin;
 ssl_password_file password;
 }
 server {
- listen 127.0.0.1:8082 ssl;
+ listen 127.0.0.1:8444 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache off;
 ssl_password_file password_many;
 }
 server {
- listen 127.0.0.1:8083 ssl;
+ listen 127.0.0.1:8445 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache builtin:1000;
 ssl_password_file password_fifo;
 }
 server {
- listen 127.0.0.1:8084 ssl;
+ listen 127.0.0.1:8446 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache shared:SSL:1m;
 ssl_certificate_key inherits.key;
 ssl_certificate inherits.crt;
 }
@@ -138,52 +133,26 @@ kill 'INT', $p if $@;
 ###############################################################################
-my ($s, $ssl, $ses);
+my ($s, $ssl);
-($s, $ssl) = get_ssl_socket(port(8080));
+($s, $ssl) = get_ssl_socket(8443);
 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl');
-# ssl_session_cache
-
-($s, $ssl) = get_ssl_socket(port(8080));
+($s, $ssl) = get_ssl_socket(8444);
 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8080), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(port(8082));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
+like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
-($s, $ssl) = get_ssl_socket(port(8082), $ses);
-isnt(Net::SSLeay::session_reused($ssl), 1, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(port(8083));
+($s, $ssl) = get_ssl_socket(8444);
 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8083), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(port(8084));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8084), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
+like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
 # ssl_certificate inheritance
-($s, $ssl) = get_ssl_socket(port(8080));
+($s, $ssl) = get_ssl_socket(8443);
 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
-($s, $ssl) = get_ssl_socket(port(8084));
+($s, $ssl) = get_ssl_socket(8446);
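Review bot: The third request, labeled 'ssl password fifo', connects to 8444 — the same server the preceding 'ssl password many' check already used — so the server on 8445 whose key is unlocked through `ssl_password_file password_fifo` is never contacted; the added line should be `($s, $ssl) = get_ssl_socket(8445);`. Presumably nginx reads password files while parsing the configuration, in which case a broken FIFO would already keep `$t->run()` from succeeding, but the test as written documents coverage it does not have and would miss any problem specific to the 8445 server. The new plan count of 5 does match the five assertions that remain in this file.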
 like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
 ###############################################################################
@@ -191,7 +160,7 @@ like(Net::SSLeay::dump_peer_certificate(
 sub get_ssl_socket {
 my ($port, $ses) = @_;
- my $s = IO::Socket::INET->new('127.0.0.1:' . $port);
+ my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
 Net::SSLeay::set_session($ssl, $ses) if defined $ses;
 Net::SSLeay::set_fd($ssl, fileno($s));
diff --git a/stream_ssl.t b/stream_ssl_session_reuse.t
copy from stream_ssl.t
copy to stream_ssl_session_reuse.t
--- a/stream_ssl.t
+++ b/stream_ssl_session_reuse.t
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 # (C) Sergey Kandaurov
+# (C) Maxim Dounin
 # (C) Nginx, Inc.
 # Tests for stream ssl module.
@@ -12,7 +13,6 @@ use strict;
 use Test::More;
-use POSIX qw/ mkfifo /;
 use Socket qw/ $CRLF /;
 BEGIN { use FindBin; chdir($FindBin::Bin); }
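Review bot: The new `IO::Socket::INET->new('127.0.0.1:' . port($port))` line still has no failure check, so a refused connection leaves `$s` undefined and the script only fails a few lines later in `fileno($s)` with a message that hides the real cause; `my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)) or die "connect to port $port: $!";` would report it directly. Because the helper now resolves `port()` itself, every caller must pass the bare configured port number, which the call sites changed in this patch do. get_ssl_socket's body continues past the end of this hunk.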
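Review bot: The header comment `# Tests for stream ssl module.` is carried over unchanged, although this copied file now covers only session reuse; `# Tests for stream ssl module, session reuse.` would tell a reader which variants live here and which stay in stream_ssl.t.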
@@ -49,44 +49,60 @@ events {
 stream {
 %%TEST_GLOBALS_STREAM%%
+ ssl_certificate localhost.crt;
 ssl_certificate_key localhost.key;
- ssl_certificate localhost.crt;
- ssl_session_tickets off;
- # inherited by server "inherits"
- ssl_password_file password_stream;
+ server {
+ listen 127.0.0.1:8443 ssl;
+ proxy_pass 127.0.0.1:8081;
+ }
 server {
- listen 127.0.0.1:8080 ssl;
+ listen 127.0.0.1:8444 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache builtin;
- ssl_password_file password;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets on;
+ }
+
+ server {
+ listen 127.0.0.1:8445 ssl;
+ proxy_pass 127.0.0.1:8081;
+
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets off;
 }
 server {
- listen 127.0.0.1:8082 ssl;
+ listen 127.0.0.1:8446 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache off;
- ssl_password_file password_many;
+ ssl_session_cache builtin;
+ ssl_session_tickets off;
 }
 server {
- listen 127.0.0.1:8083 ssl;
+ listen 127.0.0.1:8447 ssl;
 proxy_pass 127.0.0.1:8081;
 ssl_session_cache builtin:1000;
- ssl_password_file password_fifo;
+ ssl_session_tickets off;
 }
 server {
- listen 127.0.0.1:8084 ssl;
+ listen 127.0.0.1:8448 ssl;
 proxy_pass 127.0.0.1:8081;
- ssl_session_cache shared:SSL:1m;
- ssl_certificate_key inherits.key;
- ssl_certificate inherits.crt;
+ ssl_session_cache none;
+ ssl_session_tickets off;
+ }
+
+ server {
+ listen 127.0.0.1:8449 ssl;
+ proxy_pass 127.0.0.1:8081;
+
+ ssl_session_cache off;
+ ssl_session_tickets off;
 }
 }
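Review bot: The first added `server` block (8443) sets neither `ssl_session_cache` nor `ssl_session_tickets`, and nothing in the configuration says this is deliberate; a reader has to find the comment list far below in the test body to learn it is the defaults case. A local comment inside that block, such as `# no session directives: exercises the defaults (tickets only, see the test list below)`, would make the intent visible where the block is read. The other six blocks pin both directives explicitly, which is the right way to keep those cases independent of any future change to the defaults.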
@@ -101,16 +117,11 @@ distinguished_name = req_distinguished_n
 EOF
 my $d = $t->testdir();
-mkfifo("$d/password_fifo", 0700);
-foreach my $name ('localhost', 'inherits') {
- system("openssl genrsa -out $d/$name.key -passout pass:$name "
- . "-aes128 2048 >>$d/openssl.out 2>&1") == 0
- or die "Can't create private key: $!\n";
+foreach my $name ('localhost') {
 system('openssl req -x509 -new '
 . "-config $d/openssl.conf -subj /CN=$name/ "
- . "-out $d/$name.crt "
- . "-key $d/$name.key -passin pass:$name"
+ . "-out $d/$name.crt -keyout $d/$name.key "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create certificate for $name: $!\n";
 }
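Review bot: The new `openssl req ... -keyout $d/$name.key` invocation generates the key itself but passes no option controlling key encryption, so it depends on the `openssl.conf` heredoc ending just above this hunk (its `[ req ]` section is visible in the hunk header) disabling it — if that file does not carry `encrypt_key = no`, `req` would prompt for a passphrase and the test would hang rather than fail; the config is outside this hunk, so this needs confirming. Key type and size likewise now come from that config rather than from the removed `genrsa` line. `foreach my $name ('localhost')` iterates a single element; if the loop is kept for symmetry with sibling tests, a short comment such as `# single certificate; loop kept in the shape used by other tests` would stop a reader looking for a second name.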
@@ -118,80 +129,48 @@ foreach my $name ('localhost', 'inherits
 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-$t->write_file('password', 'localhost');
-$t->write_file('password_many', "wrong$CRLF" . "localhost$CRLF");
-$t->write_file('password_stream', 'inherits');
-
-my $p = fork();
-exec("echo localhost > $d/password_fifo") if $p == 0;
-
 $t->run_daemon(\&http_daemon);
-eval {
- open OLDERR, ">&", \*STDERR; close STDERR;
- $t->run();
- open STDERR, ">&", \*OLDERR;
-};
-kill 'INT', $p if $@;
+$t->run();
 $t->waitforsocket('127.0.0.1:' . port(8081));
 ###############################################################################
-my ($s, $ssl, $ses);
-
-($s, $ssl) = get_ssl_socket(port(8080));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl');
-
-# ssl_session_cache
-
-($s, $ssl) = get_ssl_socket(port(8080));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8080), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(port(8082));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8082), $ses);
-isnt(Net::SSLeay::session_reused($ssl), 1, 'session not reused');
+# session reuse:
+#
+# - only tickets, the default
+# - tickets and shared cache, should work always
+# - only shared cache
+# - only builtin cache
+# - only builtin cache with explicitly configured size
+# - only cache none
+# - only cache off
-($s, $ssl) = get_ssl_socket(port(8083));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8083), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(port(8084));
-Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(port(8084), $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
-# ssl_certificate inheritance
-
-($s, $ssl) = get_ssl_socket(port(8080));
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
-
-($s, $ssl) = get_ssl_socket(port(8084));
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
+is(test_reuse(8443), 1, 'tickets reused');
+is(test_reuse(8444), 1, 'tickets and cache reused');
+is(test_reuse(8445), 1, 'cache shared reused');
+is(test_reuse(8446), 1, 'cache builtin reused');
+is(test_reuse(8447), 1, 'cache builtin size reused');
+is(test_reuse(8448), 0, 'cache none not reused');
+is(test_reuse(8449), 0, 'cache off not reused');
 ###############################################################################
+sub test_reuse {
+ my ($port) = @_;
+ my ($s, $ssl) = get_ssl_socket($port);
+ Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
+ Net::SSLeay::read($ssl);
+ my $ses = Net::SSLeay::get_session($ssl);
+ ($s, $ssl) = get_ssl_socket($port, $ses);
+ return Net::SSLeay::session_reused($ssl);
+}
+
 sub get_ssl_socket {
 my ($port, $ses) = @_;
- my $s = IO::Socket::INET->new('127.0.0.1:' . $port);
+ my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
 Net::SSLeay::set_session($ssl, $ses) if defined $ses;
 Net::SSLeay::set_fd($ssl, fileno($s));
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
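Review bot: In the added `test_reuse`, the value of the first `Net::SSLeay::read($ssl)` is thrown away, so if that handshake or the proxied request fails the second connection just performs a full handshake and `session_reused` returns 0 — which lets the two negative checks, 'cache none not reused' and 'cache off not reused', pass even when the server on that port is not answering at all. Checking the first response before attempting resumption closes that gap, e.g. `my $r = Net::SSLeay::read($ssl); return 'no response' unless $r =~ /200 OK/;`, so a broken server fails both the `is(..., 1)` and the `is(..., 0)` assertions with a value that names the cause. The `IO::Socket::INET->new(...)` line in `get_ssl_socket` below still has no `or die`, so a refused connection surfaces only as a later failure in `fileno` on an undefined value; get_ssl_socket's body continues past the end of this hunk.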