factor/basis/io/sockets/secure/openssl/openssl-tests.factor

USING: accessors alien continuations http.client http.server io.servers
io.sockets io.sockets.private io.sockets.secure io.sockets.secure.openssl
kernel openssl.libcrypto openssl.libssl sequences system tools.test urls
vocabs.parser ;
IN: io.sockets.secure.openssl.tests

<< os windows? [ "windows.winsock" ] [ "unix.ffi" ] if use-vocab >>

: new-ssl ( -- ssl )
    SSLv23_client_method SSL_CTX_new SSL_new ;

! This word creates blocking sockets for testing purposes. Factor by
! default prefers to use non-blocking ones.
: inet-socket ( -- socket )
    AF_INET SOCK_STREAM IPPROTO_TCP socket ;

: socket-connect ( remote -- socket )
    inet-socket swap dupd make-sockaddr/size connect 0 assert= ;

: ssl-socket-connect ( remote -- ssl-socket )
    socket-connect os windows? [ alien-address ] when
    BIO_NOCLOSE BIO_new_socket ;

: remote ( url -- remote )
    url-addr addrspec>> resolve-host first ;

! These tests break if any of the sites change their certs or go
! down. But that should never ever happen. :)
[ "www.google.com" ] [
    new-ssl dup URL" https://www.google.com" remote
    ssl-socket-connect dup SSL_set_bio
    dup do-ssl-connect-once f assert=
    SSL_get_peer_certificate subject-name
] unit-test

[ "*.facebook.com" ] [
    new-ssl dup URL" https://www.facebook.com" remote
    ssl-socket-connect dup SSL_set_bio
    dup do-ssl-connect-once f assert=
    SSL_get_peer_certificate subject-name
] unit-test

[ "github.com" ] [
    new-ssl dup URL" https://www.github.com" remote
    ssl-socket-connect dup SSL_set_bio
    dup do-ssl-connect-once f assert=
    SSL_get_peer_certificate subject-name
] unit-test

{ 200 } [ "https://www.google.se" http-get drop code>> ] unit-test

[
    <http-server> 8887 >>insecure f >>secure [
        "https://localhost:8887" http-get
    ] with-threaded-server
] [ certificate-missing-error? ] must-fail-with

[ "test" 33 <ssl-handle> handle>> check-subject-name ]
[ certificate-missing-error? ] must-fail-with
io.sockets.secure.openssl: guard against SSL_get_peer_certificate returning null 2014-03-06 12:41:37 -05:00			`USING: accessors alien continuations http.client http.server io.servers`
			`io.sockets io.sockets.private io.sockets.secure io.sockets.secure.openssl`
			`kernel openssl.libcrypto openssl.libssl sequences system tools.test urls`
io.sockets.secure.openssl: Fix using list. 2014-04-03 00:11:52 -04:00			`vocabs.parser ;`
io.sockets.secure, io.sockets.secure.openssl: improved host name verification that takes into account a certificates subject alternative names. 2013-09-14 15:18:13 -04:00			`IN: io.sockets.secure.openssl.tests`

Merge: io.sockets.secure.windows: use non-blocking sockets to prevent SSL_connect from blocking On Windows, SSL_connect may hang forever if the server doesn't send any data. To counteract that we temporarily set the socket non-blocking and then call select in the wait-for-fd method. Conflicts: basis/io/sockets/secure/openssl/openssl-tests.factor 2014-04-02 11:44:19 -04:00			`<< os windows? [ "windows.winsock" ] [ "unix.ffi" ] if use-vocab >>`

openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00			`: new-ssl ( -- ssl )`
			`SSLv23_client_method SSL_CTX_new SSL_new ;`

io.sockets.secure.openssl: guard against SSL_get_peer_certificate returning null 2014-03-06 12:41:37 -05:00			`! This word creates blocking sockets for testing purposes. Factor by`
			`! default prefers to use non-blocking ones.`
			`: inet-socket ( -- socket )`
			`AF_INET SOCK_STREAM IPPROTO_TCP socket ;`

openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00			`: socket-connect ( remote -- socket )`
io.sockets.secure.openssl: use must-fail-with. 2014-04-22 10:41:23 -04:00			`inet-socket swap dupd make-sockaddr/size connect 0 assert= ;`
openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00
			`: ssl-socket-connect ( remote -- ssl-socket )`
io.sockets.secure.openssl: guard against SSL_get_peer_certificate returning null 2014-03-06 12:41:37 -05:00			`socket-connect os windows? [ alien-address ] when`
			`BIO_NOCLOSE BIO_new_socket ;`
openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00
io.sockets.secure.openssl.tests: more and better SSL_connect tests Better error handling so it should be easier to see why the tests fail on the build server (#1036). 2014-04-18 12:46:12 -04:00			`: remote ( url -- remote )`
			`url-addr addrspec>> resolve-host first ;`

			`! These tests break if any of the sites change their certs or go`
			`! down. But that should never ever happen. :)`
openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00			`[ "www.google.com" ] [`
io.sockets.secure.openssl.tests: more and better SSL_connect tests Better error handling so it should be easier to see why the tests fail on the build server (#1036). 2014-04-18 12:46:12 -04:00			`new-ssl dup URL" https://www.google.com" remote`
			`ssl-socket-connect dup SSL_set_bio`
			`dup do-ssl-connect-once f assert=`
			`SSL_get_peer_certificate subject-name`
			`] unit-test`

			`[ "*.facebook.com" ] [`
			`new-ssl dup URL" https://www.facebook.com" remote`
			`ssl-socket-connect dup SSL_set_bio`
			`dup do-ssl-connect-once f assert=`
			`SSL_get_peer_certificate subject-name`
			`] unit-test`

			`[ "github.com" ] [`
			`new-ssl dup URL" https://www.github.com" remote`
			`ssl-socket-connect dup SSL_set_bio`
			`dup do-ssl-connect-once f assert=`
			`SSL_get_peer_certificate subject-name`
openssl.libssl: on windows the X509_* family of functions is in a different dll than the other functions in libssl 2013-10-10 11:03:17 -04:00			`] unit-test`
io.sockets.secure.openssl.tests: remove windows.winsock import and another test for subject-name 2013-10-10 12:41:33 -04:00
io.sockets.secure.openssl: use must-fail-with. 2014-04-22 10:41:23 -04:00			`{ 200 } [ "https://www.google.se" http-get drop code>> ] unit-test`

			`[`
io.sockets.secure.openssl: guard against SSL_get_peer_certificate returning null 2014-03-06 12:41:37 -05:00			`<http-server> 8887 >>insecure f >>secure [`
io.sockets.secure.openssl: use must-fail-with. 2014-04-22 10:41:23 -04:00			`"https://localhost:8887" http-get`
io.sockets.secure.openssl: guard against SSL_get_peer_certificate returning null 2014-03-06 12:41:37 -05:00			`] with-threaded-server`
io.sockets.secure.openssl: use must-fail-with. 2014-04-22 10:41:23 -04:00			`] [ certificate-missing-error? ] must-fail-with`
io.sockets.secure.windows: secure socket implementation for windows, it works reasonably but certificate validation is not working correctly yet 2013-10-11 12:26:44 -04:00
io.sockets.secure.openssl: use must-fail-with. 2014-04-22 10:41:23 -04:00			`[ "test" 33 <ssl-handle> handle>> check-subject-name ]`
			`[ certificate-missing-error? ] must-fail-with`