From ff3c6e540e6a9172651ff4498881f60882a9a791 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Fri, 21 Jun 2024 16:19:56 -0400
Subject: [PATCH] tests: add nginx 1.24 specific tests

We want to test the `ssl_conf_command` directive, but this is only
available in nginx 1.24+.

This commit adds a 1.24 specific config file and updates the test runner
so we can spin up and test a nginx 1.24 server with this config when
available.

For now we test the `MinProtocol` and `MaxProtocol` OpenSSL CONF_CTX
commands that the compat shim supports.
---
 rustls-libssl/tests/nginx_1_24.conf |  50 +++++++++++++
 rustls-libssl/tests/runner.rs       | 105 ++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 rustls-libssl/tests/nginx_1_24.conf

diff --git a/rustls-libssl/tests/nginx_1_24.conf b/rustls-libssl/tests/nginx_1_24.conf
new file mode 100644
index 0000000..1bcf8b3
--- /dev/null
+++ b/rustls-libssl/tests/nginx_1_24.conf
@@ -0,0 +1,50 @@
+daemon off;
+master_process off;
+pid nginx.pid;
+
+events {
+}
+
+http {
+    # Default to both supported protocols enabled.
+    ssl_protocols TLSv1.2 TLSv1.3;
+    access_log access.log;
+
+    server {
+       # Custom configuration w/ ssl_conf_command:
+       #  * TLS 1.3 or greater only
+       listen 8447 ssl;
+       ssl_certificate ../../../test-ca/rsa/server.cert;
+       ssl_certificate_key ../../../test-ca/rsa/server.key;
+       server_name localhost;
+
+       ssl_conf_command MinProtocol TLSv1.3;
+
+       location = / {
+           return 200 "hello world\n";
+       }
+
+       location /ssl-agreed {
+           return 200 "protocol:$ssl_protocol,cipher:$ssl_cipher\n";
+       }
+   }
+
+   server {
+       # Custom configuration w/ ssl_conf_command:
+       #  * TLS 1.2 or less only
+       listen 8448 ssl;
+       ssl_certificate ../../../test-ca/rsa/server.cert;
+       ssl_certificate_key ../../../test-ca/rsa/server.key;
+       server_name localhost;
+
+       ssl_conf_command MaxProtocol TLSv1.2;
+
+       location = / {
+           return 200 "hello world\n";
+       }
+
+       location /ssl-agreed {
+           return 200 "protocol:$ssl_protocol,cipher:$ssl_cipher\n";
+       }
+   }
+}
diff --git a/rustls-libssl/tests/runner.rs b/rustls-libssl/tests/runner.rs
index e2047ef..a9bab0e 100644
--- a/rustls-libssl/tests/runner.rs
+++ b/rustls-libssl/tests/runner.rs
@@ -561,6 +561,111 @@ fn nginx() {
     drop(nginx_server);
 }
 
+#[test]
+#[ignore]
+fn nginx_1_24() {
+    let (major, minor) = nginx_version();
+    if major != 1 || minor < 24 {
+        println!("skipping Nginx 1.24 tests, installed version is {major}.{minor}.x");
+        return;
+    }
+
+    fs::create_dir_all("target/nginx-tmp/1_24/html").unwrap();
+    fs::write(
+        "target/nginx-tmp/1_24/server.conf",
+        include_str!("nginx_1_24.conf"),
+    )
+    .unwrap();
+
+    let nginx_server = KillOnDrop(Some(
+        Command::new("tests/maybe-valgrind.sh")
+            .args([
+                "nginx",
+                "-g",
+                &format!("error_log stderr {NGINX_LOG_LEVEL};"),
+                "-p",
+                "./target/nginx-tmp/1_24",
+                "-c",
+                "server.conf",
+            ])
+            .spawn()
+            .unwrap(),
+    ));
+    wait_for_port(8447);
+    wait_for_port(8448);
+
+    // TLS 1.2 to the TLS 1.3 only port should fail w/ exit code 35
+    assert_eq!(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "--tls-max",
+                "1.2",
+                "https://localhost:8447/ssl-agreed"
+            ])
+            .stdout(Stdio::piped())
+            .status()
+            .unwrap()
+            .code()
+            .unwrap(),
+        35
+    );
+    // TLS 1.3 to the TLS 1.3 only port should succeed.
+    assert_eq!(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "--tlsv1.3",
+                "https://localhost:8447/ssl-agreed"
+            ])
+            .stdout(Stdio::piped())
+            .output()
+            .unwrap()
+            .stdout,
+        "protocol:TLSv1.3,cipher:TLS_AES_256_GCM_SHA384\n".as_bytes()
+    );
+
+    // TLS 1.3 to the TLS 1.2 only port should fail w/ exit code 35
+    assert_eq!(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "--tlsv1.3",
+                "https://localhost:8448/ssl-agreed"
+            ])
+            .stdout(Stdio::piped())
+            .status()
+            .unwrap()
+            .code()
+            .unwrap(),
+        35
+    );
+    // TLS 1.2 to the TLS 1.2 only port should succeed.
+    assert_eq!(
+        Command::new("curl")
+            .env("LD_LIBRARY_PATH", "")
+            .args([
+                "--cacert",
+                "test-ca/rsa/ca.cert",
+                "--tlsv1.2",
+                "https://localhost:8448/ssl-agreed"
+            ])
+            .stdout(Stdio::piped())
+            .output()
+            .unwrap()
+            .stdout,
+        "protocol:TLSv1.2,cipher:ECDHE-RSA-AES256-GCM-SHA384\n".as_bytes()
+    );
+
+    drop(nginx_server);
+}
+
 // Return the major and minor version components of the Nginx binary in `$PATH`.
 fn nginx_version() -> (u32, u32) {
     let nginx_version_output = Command::new("nginx").args(["-v"]).output().unwrap();