Add a test that covers a libtls client talking to a Go TLS server with

varying minimum and maximum protocol versions. This gives us protocol version test coverage against an independent TLS stack.
author: jsing <> 2017-03-07 13:22:39 +0000
committer: jsing <> 2017-03-07 13:22:39 +0000
commit: 8f3432a06f852cd787898bca11abb5707354176f (patch)
tree: b1bc3f81acb48088ada8326894156bcdec46a851
parent: 88851c9f464f181aee8ae8a0b7bd0eb063540ec8 (diff)
download: openbsd-8f3432a06f852cd787898bca11abb5707354176f.tar.gz
openbsd-8f3432a06f852cd787898bca11abb5707354176f.tar.bz2
openbsd-8f3432a06f852cd787898bca11abb5707354176f.zip
1 files changed, 107 insertions, 5 deletions
diff --git a/src/regress/lib/libtls/gotls/tls_test.go b/src/regress/lib/libtls/gotls/tls_test.go
index f48be5ddda..077dd86e82 100644
--- a/src/regress/lib/libtls/gotls/tls_test.go
+++ b/src/regress/lib/libtls/gotls/tls_test.go
@@ -1,6 +1,7 @@
 package tls
 import (
+        "crypto/tls"
        "encoding/pem"
        "fmt"
        "io/ioutil"
@@ -24,6 +25,12 @@ var (
        certNotAfter  = certNotBefore.Add(1000000 * time.Hour)
 )
+type handshakeError string
+func (he handshakeError) Error() string {
+        return string(he)
+}
 // createCAFile writes a PEM encoded version of the certificate out to a
 // temporary file, for use by libtls.
 func createCAFile(cert []byte) (string, error) {
@@ -42,14 +49,16 @@ func createCAFile(cert []byte) (string, error) {
        return f.Name(), nil
 }
-func newTestServer() (*httptest.Server, *url.URL, string, error) {
+func newTestServer(tlsCfg *tls.Config) (*httptest.Server, *url.URL, string, error) {
-        ts := httptest.NewTLSServer(
+        ts := httptest.NewUnstartedServer(
                http.HandlerFunc(
                        func(w http.ResponseWriter, r *http.Request) {
                                fmt.Fprintln(w, httpContent)
                        },
                ),
        )
+        ts.TLS = tlsCfg
+        ts.StartTLS()
        u, err := url.Parse(ts.URL)
        if err != nil {
@@ -64,8 +73,57 @@ func newTestServer() (*httptest.Server, *url.URL, string, error) {
        return ts, u, caFile, nil
 }
+func handshakeVersionTest(tlsCfg *tls.Config) (ProtocolVersion, error) {
+        ts, u, caFile, err := newTestServer(tlsCfg)
+        if err != nil {
+                return 0, fmt.Errorf("failed to start test server: %v", err)
+        }
+        defer os.Remove(caFile)
+        defer ts.Close()
+        if err := Init(); err != nil {
+                return 0, err
+        }
+        cfg, err := NewConfig()
+        if err != nil {
+                return 0, err
+        }
+        defer cfg.Free()
+        if err := cfg.SetCAFile(caFile); err != nil {
+                return 0, err
+        }
+        if err := cfg.SetCiphers("compat"); err != nil {
+                return 0, err
+        }
+        if err := cfg.SetProtocols(ProtocolsAll); err != nil {
+                return 0, err
+        }
+        tls, err := NewClient(cfg)
+        if err != nil {
+                return 0, err
+        }
+        defer tls.Free()
+        if err := tls.Connect(u.Host, ""); err != nil {
+                return 0, err
+        }
+        if err := tls.Handshake(); err != nil {
+                return 0, handshakeError(err.Error())
+        }
+        version, err := tls.ConnVersion()
+        if err != nil {
+                return 0, err
+        }
+        if err := tls.Close(); err != nil {
+                return 0, err
+        }
+        return version, nil
+}
 func TestTLSBasic(t *testing.T) {
-        ts, u, caFile, err := newTestServer()
+        ts, u, caFile, err := newTestServer(nil)
        if err != nil {
                t.Fatalf("Failed to start test server: %v", err)
        }
@@ -120,8 +178,52 @@ func TestTLSBasic(t *testing.T) {
        }
 }
+func TestTLSVersions(t *testing.T) {
+        tests := []struct {
+                minVersion       uint16
+                maxVersion       uint16
+                wantVersion      ProtocolVersion
+                wantHandshakeErr bool
+        }{
+                {tls.VersionSSL30, tls.VersionTLS12, ProtocolTLSv12, false},
+                {tls.VersionTLS10, tls.VersionTLS12, ProtocolTLSv12, false},
+                {tls.VersionTLS11, tls.VersionTLS12, ProtocolTLSv12, false},
+                {tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, false},
+                {tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, false},
+                {tls.VersionSSL30, tls.VersionSSL30, 0, true},
+                {tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, false},
+                {tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, false},
+                {tls.VersionTLS12, tls.VersionTLS12, ProtocolTLSv12, false},
+        }
+        for i, test := range tests {
+                t.Logf("Testing handshake with protocols %x:%x", test.minVersion, test.maxVersion)
+                tlsCfg := &tls.Config{
+                        MinVersion: test.minVersion,
+                        MaxVersion: test.maxVersion,
+                }
+                version, err := handshakeVersionTest(tlsCfg)
+                switch {
+                case test.wantHandshakeErr && err == nil:
+                        t.Errorf("Test %d - handshake %x:%x succeeded, want handshake error",
+                                i, test.minVersion, test.maxVersion)
+                case test.wantHandshakeErr && err != nil:
+                        if _, ok := err.(handshakeError); !ok {
+                                t.Errorf("Test %d - handshake %x:%x; got unknown error, want handshake error: %v",
+                                        i, test.minVersion, test.maxVersion, err)
+                        }
+                case !test.wantHandshakeErr && err != nil:
+                        t.Errorf("Test %d - handshake %x:%x failed: %v", i, test.minVersion, test.maxVersion, err)
+                case !test.wantHandshakeErr && err == nil:
+                        if got, want := version, test.wantVersion; got != want {
+                                t.Errorf("Test %d - handshake %x:%x; got protocol version %v, want %v",
+                                        i, test.minVersion, test.maxVersion, got, want)
+                        }
+                }
+        }
+}
 func TestTLSSingleByteReadWrite(t *testing.T) {
-        ts, u, caFile, err := newTestServer()
+        ts, u, caFile, err := newTestServer(nil)
        if err != nil {
                t.Fatalf("Failed to start test server: %v", err)
        }
@@ -190,7 +292,7 @@ func TestTLSSingleByteReadWrite(t *testing.T) {
 }
 func TestTLSInfo(t *testing.T) {
-        ts, u, caFile, err := newTestServer()
+        ts, u, caFile, err := newTestServer(nil)
        if err != nil {
                t.Fatalf("Failed to start test server: %v", err)
        }
author	jsing <>	2017-03-07 13:22:39 +0000
committer	jsing <>	2017-03-07 13:22:39 +0000
commit	8f3432a06f852cd787898bca11abb5707354176f (patch)
tree	b1bc3f81acb48088ada8326894156bcdec46a851
parent	88851c9f464f181aee8ae8a0b7bd0eb063540ec8 (diff)
download	openbsd-8f3432a06f852cd787898bca11abb5707354176f.tar.gz openbsd-8f3432a06f852cd787898bca11abb5707354176f.tar.bz2 openbsd-8f3432a06f852cd787898bca11abb5707354176f.zip

diff --git a/src/regress/lib/libtls/gotls/tls_test.go b/src/regress/lib/libtls/gotls/tls_test.go index f48be5ddda..077dd86e82 100644 --- a/src/regress/lib/libtls/gotls/tls_test.go +++ b/src/regress/lib/libtls/gotls/tls_test.go
@@ -1,6 +1,7 @@
1	package tls	1	package tls
2		2
3	import (	3	import (
		4	"crypto/tls"
4	"encoding/pem"	5	"encoding/pem"
5	"fmt"	6	"fmt"
6	"io/ioutil"	7	"io/ioutil"
@@ -24,6 +25,12 @@ var (
24	certNotAfter = certNotBefore.Add(1000000 * time.Hour)	25	certNotAfter = certNotBefore.Add(1000000 * time.Hour)
25	)	26	)
26		27
		28	type handshakeError string
		29
		30	func (he handshakeError) Error() string {
		31	return string(he)
		32	}
		33
27	// createCAFile writes a PEM encoded version of the certificate out to a	34	// createCAFile writes a PEM encoded version of the certificate out to a
28	// temporary file, for use by libtls.	35	// temporary file, for use by libtls.
29	func createCAFile(cert []byte) (string, error) {	36	func createCAFile(cert []byte) (string, error) {
@@ -42,14 +49,16 @@ func createCAFile(cert []byte) (string, error) {
42	return f.Name(), nil	49	return f.Name(), nil
43	}	50	}
44		51
45	func newTestServer() (httptest.Server, url.URL, string, error) {	52	func newTestServer(tlsCfg tls.Config) (httptest.Server, *url.URL, string, error) {
46	ts := httptest.NewTLSServer(	53	ts := httptest.NewUnstartedServer(
47	http.HandlerFunc(	54	http.HandlerFunc(
48	func(w http.ResponseWriter, r *http.Request) {	55	func(w http.ResponseWriter, r *http.Request) {
49	fmt.Fprintln(w, httpContent)	56	fmt.Fprintln(w, httpContent)
50	},	57	},
51	),	58	),
52	)	59	)
		60	ts.TLS = tlsCfg
		61	ts.StartTLS()
53		62
54	u, err := url.Parse(ts.URL)	63	u, err := url.Parse(ts.URL)
55	if err != nil {	64	if err != nil {
@@ -64,8 +73,57 @@ func newTestServer() (httptest.Server, url.URL, string, error) {
64	return ts, u, caFile, nil	73	return ts, u, caFile, nil
65	}	74	}
66		75
		76	func handshakeVersionTest(tlsCfg *tls.Config) (ProtocolVersion, error) {
		77	ts, u, caFile, err := newTestServer(tlsCfg)
		78	if err != nil {
		79	return 0, fmt.Errorf("failed to start test server: %v", err)
		80	}
		81	defer os.Remove(caFile)
		82	defer ts.Close()
		83
		84	if err := Init(); err != nil {
		85	return 0, err
		86	}
		87
		88	cfg, err := NewConfig()
		89	if err != nil {
		90	return 0, err
		91	}
		92	defer cfg.Free()
		93	if err := cfg.SetCAFile(caFile); err != nil {
		94	return 0, err
		95	}
		96	if err := cfg.SetCiphers("compat"); err != nil {
		97	return 0, err
		98	}
		99	if err := cfg.SetProtocols(ProtocolsAll); err != nil {
		100	return 0, err
		101	}
		102
		103	tls, err := NewClient(cfg)
		104	if err != nil {
		105	return 0, err
		106	}
		107	defer tls.Free()
		108
		109	if err := tls.Connect(u.Host, ""); err != nil {
		110	return 0, err
		111	}
		112	if err := tls.Handshake(); err != nil {
		113	return 0, handshakeError(err.Error())
		114	}
		115	version, err := tls.ConnVersion()
		116	if err != nil {
		117	return 0, err
		118	}
		119	if err := tls.Close(); err != nil {
		120	return 0, err
		121	}
		122	return version, nil
		123	}
		124
67	func TestTLSBasic(t *testing.T) {	125	func TestTLSBasic(t *testing.T) {
68	ts, u, caFile, err := newTestServer()	126	ts, u, caFile, err := newTestServer(nil)
69	if err != nil {	127	if err != nil {
70	t.Fatalf("Failed to start test server: %v", err)	128	t.Fatalf("Failed to start test server: %v", err)
71	}	129	}
@@ -120,8 +178,52 @@ func TestTLSBasic(t *testing.T) {
120	}	178	}
121	}	179	}
122		180
		181	func TestTLSVersions(t *testing.T) {
		182	tests := []struct {
		183	minVersion uint16
		184	maxVersion uint16
		185	wantVersion ProtocolVersion
		186	wantHandshakeErr bool
		187	}{
		188	{tls.VersionSSL30, tls.VersionTLS12, ProtocolTLSv12, false},
		189	{tls.VersionTLS10, tls.VersionTLS12, ProtocolTLSv12, false},
		190	{tls.VersionTLS11, tls.VersionTLS12, ProtocolTLSv12, false},
		191	{tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, false},
		192	{tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, false},
		193	{tls.VersionSSL30, tls.VersionSSL30, 0, true},
		194	{tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, false},
		195	{tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, false},
		196	{tls.VersionTLS12, tls.VersionTLS12, ProtocolTLSv12, false},
		197	}
		198	for i, test := range tests {
		199	t.Logf("Testing handshake with protocols %x:%x", test.minVersion, test.maxVersion)
		200	tlsCfg := &tls.Config{
		201	MinVersion: test.minVersion,
		202	MaxVersion: test.maxVersion,
		203	}
		204	version, err := handshakeVersionTest(tlsCfg)
		205	switch {
		206	case test.wantHandshakeErr && err == nil:
		207	t.Errorf("Test %d - handshake %x:%x succeeded, want handshake error",
		208	i, test.minVersion, test.maxVersion)
		209	case test.wantHandshakeErr && err != nil:
		210	if _, ok := err.(handshakeError); !ok {
		211	t.Errorf("Test %d - handshake %x:%x; got unknown error, want handshake error: %v",
		212	i, test.minVersion, test.maxVersion, err)
		213	}
		214	case !test.wantHandshakeErr && err != nil:
		215	t.Errorf("Test %d - handshake %x:%x failed: %v", i, test.minVersion, test.maxVersion, err)
		216	case !test.wantHandshakeErr && err == nil:
		217	if got, want := version, test.wantVersion; got != want {
		218	t.Errorf("Test %d - handshake %x:%x; got protocol version %v, want %v",
		219	i, test.minVersion, test.maxVersion, got, want)
		220	}
		221	}
		222	}
		223	}
		224
123	func TestTLSSingleByteReadWrite(t *testing.T) {	225	func TestTLSSingleByteReadWrite(t *testing.T) {
124	ts, u, caFile, err := newTestServer()	226	ts, u, caFile, err := newTestServer(nil)
125	if err != nil {	227	if err != nil {
126	t.Fatalf("Failed to start test server: %v", err)	228	t.Fatalf("Failed to start test server: %v", err)
127	}	229	}
@@ -190,7 +292,7 @@ func TestTLSSingleByteReadWrite(t *testing.T) {
190	}	292	}
191		293
192	func TestTLSInfo(t *testing.T) {	294	func TestTLSInfo(t *testing.T) {
193	ts, u, caFile, err := newTestServer()	295	ts, u, caFile, err := newTestServer(nil)
194	if err != nil {	296	if err != nil {
195	t.Fatalf("Failed to start test server: %v", err)	297	t.Fatalf("Failed to start test server: %v", err)
196	}	298	}