Merging upstream version 1.73.0+dfsg1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

6 files changed, 393 insertions, 0 deletions

diff --git a/vendor/tokio-native-tls/tests/bad.rs b/vendor/tokio-native-tls/tests/bad.rs
new file mode 100644
index 000000000..862d99845
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/bad.rs
@@ -0,0 +1,122 @@
+#![warn(rust_2018_idioms)]
+
+use cfg_if::cfg_if;
+use native_tls::TlsConnector;
+use std::io::{self, Error};
+use std::net::ToSocketAddrs;
+use tokio::net::TcpStream;
+
+macro_rules! t {
+    ($e:expr) => {
+        match $e {
+            Ok(e) => e,
+            Err(e) => panic!("{} failed with {:?}", stringify!($e), e),
+        }
+    };
+}
+
+cfg_if! {
+    if #[cfg(feature = "force-rustls")] {
+        fn verify_failed(err: &Error, s:  &str) {
+            let err = err.to_string();
+            assert!(err.contains(s), "bad error: {}", err);
+        }
+
+        fn assert_expired_error(err: &Error) {
+            verify_failed(err, "CertExpired");
+        }
+
+        fn assert_wrong_host(err: &Error) {
+            verify_failed(err, "CertNotValidForName");
+        }
+
+        fn assert_self_signed(err: &Error) {
+            verify_failed(err, "UnknownIssuer");
+        }
+
+        fn assert_untrusted_root(err: &Error) {
+            verify_failed(err, "UnknownIssuer");
+        }
+    } else if #[cfg(any(feature = "force-openssl",
+                        all(not(target_os = "macos"),
+                            not(target_os = "windows"),
+                            not(target_os = "ios"))))] {
+        fn verify_failed(err: &Error) {
+            assert!(format!("{}", err).contains("certificate verify failed"))
+        }
+
+        use verify_failed as assert_expired_error;
+        use verify_failed as assert_wrong_host;
+        use verify_failed as assert_self_signed;
+        use verify_failed as assert_untrusted_root;
+    } else if #[cfg(any(target_os = "macos", target_os = "ios"))] {
+
+        fn assert_invalid_cert_chain(err: &Error) {
+            assert!(format!("{}", err).contains("was not trusted."))
+        }
+
+        use crate::assert_invalid_cert_chain as assert_expired_error;
+        use crate::assert_invalid_cert_chain as assert_wrong_host;
+        use crate::assert_invalid_cert_chain as assert_self_signed;
+        use crate::assert_invalid_cert_chain as assert_untrusted_root;
+    } else {
+        fn assert_expired_error(err: &Error) {
+            let s = err.to_string();
+            assert!(s.contains("system clock"), "error = {:?}", s);
+        }
+
+        fn assert_wrong_host(err: &Error) {
+            let s = err.to_string();
+            assert!(s.contains("CN name"), "error = {:?}", s);
+        }
+
+        fn assert_self_signed(err: &Error) {
+            let s = err.to_string();
+            assert!(s.contains("root certificate which is not trusted"), "error = {:?}", s);
+        }
+
+        use assert_self_signed as assert_untrusted_root;
+    }
+}
+
+async fn get_host(host: &'static str) -> Error {
+    drop(env_logger::try_init());
+
+    let addr = format!("{}:443", host);
+    let addr = t!(addr.to_socket_addrs()).next().unwrap();
+
+    let socket = t!(TcpStream::connect(&addr).await);
+    let builder = TlsConnector::builder();
+    let cx = t!(builder.build());
+    let cx = tokio_native_tls::TlsConnector::from(cx);
+    let res = cx
+        .connect(host, socket)
+        .await
+        .map_err(|e| Error::new(io::ErrorKind::Other, e));
+
+    assert!(res.is_err());
+    res.err().unwrap()
+}
+
+#[tokio::test]
+async fn expired() {
+    assert_expired_error(&get_host("expired.badssl.com").await)
+}
+
+// TODO: the OSX builders on Travis apparently fail this tests spuriously?
+//       passes locally though? Seems... bad!
+#[tokio::test]
+#[cfg_attr(all(target_os = "macos", feature = "force-openssl"), ignore)]
+async fn wrong_host() {
+    assert_wrong_host(&get_host("wrong.host.badssl.com").await)
+}
+
+#[tokio::test]
+async fn self_signed() {
+    assert_self_signed(&get_host("self-signed.badssl.com").await)
+}
+
+#[tokio::test]
+async fn untrusted_root() {
+    assert_untrusted_root(&get_host("untrusted-root.badssl.com").await)
+}
diff --git a/vendor/tokio-native-tls/tests/cert.der b/vendor/tokio-native-tls/tests/cert.der
new file mode 100644
index 000000000..e1f964d6b
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/cert.der
diff --git a/vendor/tokio-native-tls/tests/google.rs b/vendor/tokio-native-tls/tests/google.rs
new file mode 100644
index 000000000..179358e3c
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/google.rs
@@ -0,0 +1,99 @@
+#![warn(rust_2018_idioms)]
+
+use cfg_if::cfg_if;
+use native_tls::TlsConnector;
+use std::io;
+use std::net::ToSocketAddrs;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::TcpStream;
+
+macro_rules! t {
+    ($e:expr) => {
+        match $e {
+            Ok(e) => e,
+            Err(e) => panic!("{} failed with {:?}", stringify!($e), e),
+        }
+    };
+}
+
+cfg_if! {
+    if #[cfg(feature = "force-rustls")] {
+        fn assert_bad_hostname_error(err: &io::Error) {
+            let err = err.to_string();
+            assert!(err.contains("CertNotValidForName"), "bad error: {}", err);
+        }
+    } else if #[cfg(any(feature = "force-openssl",
+                        all(not(target_os = "macos"),
+                            not(target_os = "windows"),
+                            not(target_os = "ios"))))] {
+        fn assert_bad_hostname_error(err: &io::Error) {
+            let err = err.get_ref().unwrap();
+            let err = err.downcast_ref::<native_tls::Error>().unwrap();
+            assert!(format!("{}", err).contains("certificate verify failed"));
+        }
+    } else if #[cfg(any(target_os = "macos", target_os = "ios"))] {
+        fn assert_bad_hostname_error(err: &io::Error) {
+            let err = err.get_ref().unwrap();
+            let err = err.downcast_ref::<native_tls::Error>().unwrap();
+            assert!(format!("{}", err).contains("was not trusted."));
+        }
+    } else {
+        fn assert_bad_hostname_error(err: &io::Error) {
+            let err = err.get_ref().unwrap();
+            let err = err.downcast_ref::<native_tls::Error>().unwrap();
+            assert!(format!("{}", err).contains("CN name"));
+        }
+    }
+}
+
+#[tokio::test]
+async fn fetch_google() {
+    drop(env_logger::try_init());
+
+    // First up, resolve google.com
+    let addr = t!("google.com:443".to_socket_addrs()).next().unwrap();
+
+    let socket = TcpStream::connect(&addr).await.unwrap();
+
+    // Send off the request by first negotiating an SSL handshake, then writing
+    // of our request, then flushing, then finally read off the response.
+    let builder = TlsConnector::builder();
+    let connector = t!(builder.build());
+    let connector = tokio_native_tls::TlsConnector::from(connector);
+    let mut socket = t!(connector.connect("google.com", socket).await);
+    t!(socket.write_all(b"GET / HTTP/1.0\r\n\r\n").await);
+    let mut data = Vec::new();
+    t!(socket.read_to_end(&mut data).await);
+
+    // any response code is fine
+    assert!(data.starts_with(b"HTTP/1.0 "));
+
+    let data = String::from_utf8_lossy(&data);
+    let data = data.trim_end();
+    assert!(data.ends_with("</html>") || data.ends_with("</HTML>"));
+}
+
+fn native2io(e: native_tls::Error) -> io::Error {
+    io::Error::new(io::ErrorKind::Other, e)
+}
+
+// see comment in bad.rs for ignore reason
+#[cfg_attr(all(target_os = "macos", feature = "force-openssl"), ignore)]
+#[tokio::test]
+async fn wrong_hostname_error() {
+    drop(env_logger::try_init());
+
+    let addr = t!("google.com:443".to_socket_addrs()).next().unwrap();
+
+    let socket = t!(TcpStream::connect(&addr).await);
+    let builder = TlsConnector::builder();
+    let connector = t!(builder.build());
+    let connector = tokio_native_tls::TlsConnector::from(connector);
+    let res = connector
+        .connect("rust-lang.org", socket)
+        .await
+        .map_err(native2io);
+
+    assert!(res.is_err());
+    assert_bad_hostname_error(&res.err().unwrap());
+}
diff --git a/vendor/tokio-native-tls/tests/identity.p12 b/vendor/tokio-native-tls/tests/identity.p12
new file mode 100644
index 000000000..d16abb8c7
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/identity.p12
diff --git a/vendor/tokio-native-tls/tests/root-ca.der b/vendor/tokio-native-tls/tests/root-ca.der
new file mode 100644
index 000000000..a9335c6fc
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/root-ca.der
diff --git a/vendor/tokio-native-tls/tests/smoke.rs b/vendor/tokio-native-tls/tests/smoke.rs
new file mode 100644
index 000000000..994fddee3
--- /dev/null
+++ b/vendor/tokio-native-tls/tests/smoke.rs
@@ -0,0 +1,172 @@
+use futures::join;
+use lazy_static::lazy_static;
+use native_tls::{Certificate, Identity};
+use std::{fs, io::Error, path::PathBuf, process::Command};
+use tokio::{
+    io::{AsyncReadExt, AsyncWrite, AsyncWriteExt},
+    net::{TcpListener, TcpStream},
+};
+use tokio_native_tls::{TlsAcceptor, TlsConnector};
+
+lazy_static! {
+    static ref CERT_DIR: PathBuf = {
+        if cfg!(unix) {
+            let dir = tempfile::TempDir::new().unwrap();
+            let path = dir.path().to_str().unwrap();
+
+            Command::new("sh")
+                .arg("-c")
+                .arg(format!("./scripts/generate-certificate.sh {}", path))
+                .output()
+                .expect("failed to execute process");
+
+            dir.into_path()
+        } else {
+            PathBuf::from("tests")
+        }
+    };
+}
+
+#[tokio::test]
+async fn client_to_server() {
+    let srv = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = srv.local_addr().unwrap();
+
+    let (server_tls, client_tls) = context();
+
+    // Create a future to accept one socket, connect the ssl stream, and then
+    // read all the data from it.
+    let server = async move {
+        let (socket, _) = srv.accept().await.unwrap();
+        let mut socket = server_tls.accept(socket).await.unwrap();
+
+        // Verify access to all of the nested inner streams (e.g. so that peer
+        // certificates can be accessed). This is just a compile check.
+        let native_tls_stream: &native_tls::TlsStream<_> = socket.get_ref();
+        let _peer_cert = native_tls_stream.peer_certificate().unwrap();
+        let allow_std_stream: &tokio_native_tls::AllowStd<_> = native_tls_stream.get_ref();
+        let _tokio_tcp_stream: &tokio::net::TcpStream = allow_std_stream.get_ref();
+
+        let mut data = Vec::new();
+        socket.read_to_end(&mut data).await.unwrap();
+        data
+    };
+
+    // Create a future to connect to our server, connect the ssl stream, and
+    // then write a bunch of data to it.
+    let client = async move {
+        let socket = TcpStream::connect(&addr).await.unwrap();
+        let socket = client_tls.connect("foobar.com", socket).await.unwrap();
+        copy_data(socket).await
+    };
+
+    // Finally, run everything!
+    let (data, _) = join!(server, client);
+    // assert_eq!(amt, AMT);
+    assert!(data == vec![9; AMT]);
+}
+
+#[tokio::test]
+async fn server_to_client() {
+    // Create a server listening on a port, then figure out what that port is
+    let srv = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = srv.local_addr().unwrap();
+
+    let (server_tls, client_tls) = context();
+
+    let server = async move {
+        let (socket, _) = srv.accept().await.unwrap();
+        let socket = server_tls.accept(socket).await.unwrap();
+        copy_data(socket).await
+    };
+
+    let client = async move {
+        let socket = TcpStream::connect(&addr).await.unwrap();
+        let mut socket = client_tls.connect("foobar.com", socket).await.unwrap();
+        let mut data = Vec::new();
+        socket.read_to_end(&mut data).await.unwrap();
+        data
+    };
+
+    // Finally, run everything!
+    let (_, data) = join!(server, client);
+    assert!(data == vec![9; AMT]);
+}
+
+#[tokio::test]
+async fn one_byte_at_a_time() {
+    const AMT: usize = 1024;
+
+    let srv = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = srv.local_addr().unwrap();
+
+    let (server_tls, client_tls) = context();
+
+    let server = async move {
+        let (socket, _) = srv.accept().await.unwrap();
+        let mut socket = server_tls.accept(socket).await.unwrap();
+        let mut amt = 0;
+        for b in std::iter::repeat(9).take(AMT) {
+            let data = [b as u8];
+            socket.write_all(&data).await.unwrap();
+            amt += 1;
+        }
+        amt
+    };
+
+    let client = async move {
+        let socket = TcpStream::connect(&addr).await.unwrap();
+        let mut socket = client_tls.connect("foobar.com", socket).await.unwrap();
+        let mut data = Vec::new();
+        loop {
+            let mut buf = [0; 1];
+            match socket.read_exact(&mut buf).await {
+                Ok(_) => data.extend_from_slice(&buf),
+                Err(ref err) if err.kind() == std::io::ErrorKind::UnexpectedEof => break,
+                Err(err) => panic!("{}", err),
+            }
+        }
+        data
+    };
+
+    let (amt, data) = join!(server, client);
+    assert_eq!(amt, AMT);
+    assert!(data == vec![9; AMT as usize]);
+}
+
+fn context() -> (TlsAcceptor, TlsConnector) {
+    let pkcs12 = fs::read(CERT_DIR.join("identity.p12")).unwrap();
+    let der = fs::read(CERT_DIR.join("root-ca.der")).unwrap();
+
+    let identity = Identity::from_pkcs12(&pkcs12, "mypass").unwrap();
+    let acceptor = native_tls::TlsAcceptor::builder(identity).build().unwrap();
+
+    let cert = Certificate::from_der(&der).unwrap();
+    let connector = native_tls::TlsConnector::builder()
+        .add_root_certificate(cert)
+        .build()
+        .unwrap();
+
+    (acceptor.into(), connector.into())
+}
+
+const AMT: usize = 128 * 1024;
+
+async fn copy_data<W: AsyncWrite + Unpin>(mut w: W) -> Result<usize, Error> {
+    let mut data = vec![9; AMT as usize];
+    let mut amt = 0;
+    while !data.is_empty() {
+        let written = w.write(&data).await?;
+        if written <= data.len() {
+            amt += written;
+            data.resize(data.len() - written, 0);
+        } else {
+            w.write_all(&data).await?;
+            amt += data.len();
+            break;
+        }
+
+        println!("remaining: {}", data.len());
+    }
+    Ok(amt)
+}