kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Removes _dev

Browse Source
This commit is contained in:
Henry Case 2019-04-05 13:54:54 +01:00
parent c1c7bfa053
commit 3c361d8664
44 changed files with 1 additions and 7138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.travis.yml
View File

@ -18,8 +18,5 @@ matrix:
before_install:
- make -f _dev/Makefile fmtcheck
install:
- sudo pip install docker
script:
- make -f _dev/Makefile build-all && make -f _dev/Makefile "$TEST_SUITE"
- go test -v -r=.

6
_dev/.gitignore vendored
View File

@ -1,6 +0,0 @@
/GOROOT
/go
/tris-localserver/tris-localserver
/tris-testclient/tris-testclient
/caddy/caddy
/caddy/echo

140
_dev/Makefile
View File

@ -1,140 +0,0 @@
# Constants
MK_FILE_PATH = $(lastword $(MAKEFILE_LIST))
PRJ_DIR = $(abspath $(dir $(MK_FILE_PATH))/..)
DEV_DIR = $(PRJ_DIR)/_dev
# Results will be produced in this directory (can be provided by a caller)
BUILD_DIR ?= $(PRJ_DIR)/_dev/GOROOT
# Compiler
GO ?= go
DOCKER ?= docker
GIT ?= git
# Build environment
OS ?= $(shell $(GO) env GOHOSTOS)
ARCH ?= $(shell $(GO) env GOHOSTARCH)
OS_ARCH := $(OS)_$(ARCH)
VER_OS_ARCH := $(shell $(GO) version | cut -d' ' -f 3)_$(OS)_$(ARCH)
GOROOT_ENV ?= $(shell $(GO) env GOROOT)
GOROOT_LOCAL = $(BUILD_DIR)/$(OS_ARCH)
# Flag indicates wheter invoke "go install -race std". Supported only on amd64 with CGO enabled
INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1))
TMP_DIR := $(shell mktemp -d)
# Test targets used for compatibility testing
TARGET_TEST_COMPAT=boring picotls tstclnt
# Some target-specific constants
BORINGSSL_REVISION=ff433815b51c34496bb6bea13e73e29e5c278238
BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris
# SIDH repository
SIDH_REPO ?= https://github.com/cloudflare/sidh.git
SIDH_REPO_TAG ?= Release_1.0
# NOBS repo (SIKE depends on SHA3)
NOBS_REPO ?= https://github.com/henrydcase/nobscrypto.git
NOBS_REPO_TAG ?= Release_0.1
###############
#
# Build targets
#
##############################
$(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH): clean
# Create clean directory structure
mkdir -p "$(GOROOT_LOCAL)/pkg"
# Copy src/tools from system GOROOT
cp -Hr $(GOROOT_ENV)/src $(GOROOT_LOCAL)/src
cp -Hr $(GOROOT_ENV)/pkg/include $(GOROOT_LOCAL)/pkg/include
cp -Hr $(GOROOT_ENV)/pkg/tool $(GOROOT_LOCAL)/pkg/tool
# Swap TLS implementation
rm -r $(GOROOT_LOCAL)/src/crypto/tls/*
rsync -rltgoD $(PRJ_DIR)/ $(GOROOT_LOCAL)/src/crypto/tls/ --exclude=$(lastword $(subst /, ,$(DEV_DIR)))
# Apply additional patches
for p in $(wildcard $(DEV_DIR)/patches/*); do patch -d "$(GOROOT_LOCAL)" -p1 < "$$p"; done
# Vendor NOBS library
$(GIT) clone $(NOBS_REPO) $(TMP_DIR)/nobs
cd $(TMP_DIR)/nobs; $(GIT) checkout tags/$(NOBS_REPO_TAG)
cd $(TMP_DIR)/nobs; make vendor-sidh-for-tls
cp -rf $(TMP_DIR)/nobs/tls_vendor/* $(GOROOT_LOCAL)/src/vendor/
# Vendor SIDH library
$(GIT) clone $(SIDH_REPO) $(TMP_DIR)/sidh
cd $(TMP_DIR)/sidh; $(GIT) checkout tags/$(SIDH_REPO_TAG)
cd $(TMP_DIR)/sidh; make vendor
cp -rf $(TMP_DIR)/sidh/build/vendor/* $(GOROOT_LOCAL)/src/vendor/
# Create go package
GOARCH=$(ARCH) GOROOT="$(GOROOT_LOCAL)" $(GO) install -v std
ifeq ($(INSTALL_RACE),1)
GOARCH=$(ARCH) GOROOT="$(GOROOT_LOCAL)" $(GO) install -race -v std
endif
rm -rf $(TMP_DIR)
@touch "$@"
build-test-%: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
$(DOCKER) build $(BUILDARG) -t tls-tris:$* $(DEV_DIR)/$*
$(DOCKER) build $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*
build-all: \
build-test-tris-client \
build-test-tris-server \
build-test-bogo \
$(addprefix build-test-,$(TARGET_TEST_COMPAT))
# Builds TRIS client
build-test-tris-client: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
cd $(DEV_DIR)/tris-testclient; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
$(DOCKER) build -t tris-testclient $(DEV_DIR)/tris-testclient
# Builds TRIS server
build-test-tris-server: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
cd $(DEV_DIR)/tris-localserver; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
$(DOCKER) build -t tris-localserver $(DEV_DIR)/tris-localserver
# BoringSSL specific stuff
build-test-boring: BUILDARG=--build-arg REVISION=$(BORINGSSL_REVISION)
# TODO: This probably doesn't work
build-caddy: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build github.com/mholt/caddy
###############
#
# Test targets
#
##############################
test: \
test-unit \
test-bogo \
test-interop
test-unit: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
GOROOT="$(GOROOT_LOCAL)" $(GO) test -race crypto/tls
test-bogo:
$(DOCKER) run --rm -v $(PRJ_DIR):$(BOGO_DOCKER_TRIS_LOCATION) tls-tris:bogo
test-interop:
$(DEV_DIR)/interop_test_runner -v
###############
#
# Utils
#
##############################
clean:
rm -rf $(BUILD_DIR)/$(OS_ARCH)
clean-all: clean
rm -rf $(BUILD_DIR)
fmtcheck:
$(DEV_DIR)/utils/fmtcheck.sh
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop

38
_dev/bogo/Dockerfile
View File

@ -1,38 +0,0 @@
FROM golang:1.11-alpine
RUN apk add --update \
git \
make \
bash \
patch \
rsync \
&& rm -rf /var/cache/apk/*
ENV CGO_ENABLED=0
RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
/go/src/github.com/henrydcase/crypto-tls-bogo-shim
# Draft 18 with client-tests branch
#ARG REVISION=3f5e87d6a1931b6f6930e4eadb7b2d0b2aa7c588
# Draft 22 with draft22 branch
#ARG REVISION=81cc32b846c9fe2ea32613287e57a6a0db7bbb9a
# Draft 22 with draft22-client branch (client-tests + draft22)
# ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734
# Draft 23
#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
# Draft 23 (+ client authentication)
# ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
# Draft 28
ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3
RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
git checkout $REVISION
WORKDIR /go/src/github.com/henrydcase/crypto-tls-bogo-shim
CMD ["make", "run"]

69
_dev/boring/Dockerfile
View File

@ -1,69 +0,0 @@
FROM alpine
RUN apk add --update \
git \
cmake \
patch \
perl \
python \
build-base \
go \
ninja \
&& rm -rf /var/cache/apk/*
RUN git clone https://boringssl.googlesource.com/boringssl
RUN mkdir boringssl/build
# Draft 14
# ARG REVISION=88536c3
# Draft 15
# RUN cd boringssl && git fetch https://boringssl.googlesource.com/boringssl refs/changes/40/10840/18:draft15
# ARG REVISION=cae930d
# Draft "14.25" (sigalg renumbering)
# ARG REVISION=af56fbd
# Draft "14.25" w/ x25519 only
# ARG REVISION=c8b6b4f
# Draft "14.5" (sigalg, x25519, version ext)
# ARG REVISION=54afdab
# Draft 16
# ARG REVISION=89917a5
# Draft 18
# ARG REVISION=9b885c5
# Draft 18, but with "bssl server -loop -www" support and build fix
# ARG REVISION=40b24c8154
# Draft 21
# ARG REVISION=cd8470f
# Draft 22
# ARG REVISION=1530ef3e
# Draft 23
# ARG REVISION=cb15cfda29c0c60d8d74145b17c93b43a7667837
# Draft 28
# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30
# TLS 1.3
ARG REVISION=ff433815b51c34496bb6bea13e73e29e5c278238
ADD sidh_$REVISION.patch /
RUN cd boringssl && git fetch
RUN cd boringssl && git checkout $REVISION
RUN cd boringssl && patch -p1 < /sidh_$REVISION.patch
RUN cd boringssl/build && cmake -GNinja ..
RUN cd boringssl && ninja -C build
ADD httpreq.txt /httpreq.txt
ADD run.sh /run.sh
ADD server.sh rsa.pem ecdsa.pem /
ADD client_rsa.key client_rsa.crt client_ca.crt /
ENTRYPOINT ["/run.sh"]

34
_dev/boring/client_ca.crt
View File

@ -1,34 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-----END CERTIFICATE-----

31
_dev/boring/client_rsa.crt
View File

@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFSjCCAzKgAwIBAgIUCKk2npLYEX2Z3Ceu1CwSKK50j04wDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDMz
MloXDTQ2MDcwOTAwNDMzMlowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA0DQrWlCfijylutz28aTB
T9WDnvBWpJ535t/Clt4o2nv3Cp6JxvUVzYkdKuaLR295gyEBx9JSHiZxPiJoPVfp
wigmG0R9HvByAG5rhaQbQt99npoBaHMps1i12VxxFy1yaqZW6mrwrHMfV716rZ2M
AzWx7UfhutloBYeeluiziDWUSEuGeJG7kHdvUtGYlbRd/ElFWHOfAQ7Oc8UUjEHW
sorkqciqyAERV/H9hr5Rap/J/ERcFC8bNecS4t1Yh98WgIun/MbcBKQzo1LsWmOQ
dmaMBoG8g1mYRbNap8G/+aQbjfRi1zN0yaW1wtlLoBJmNgLjwYgaS/5Uey5NZMdb
NwIBA6OBwzCBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAxBglghkgB
hvhCAQ0EJBYiQ2VydCBUZXN0aW5nIEludGVybWVkaWF0ZSAtIENsaWVudDAdBgNV
HQ4EFgQULlrGFPbxwz525ywQYPs72P7YnL4wHwYDVR0jBBgwFoAU0uJLph7MfZta
JndM1uRDMygEEHYwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAwLc+Xg5Fyfbgu5iFs1y7E0Et
4E/5lF0A4iqDVX3e7/upoUIBFZFv2PlAqIlhQ49NgGlIfrBlwEijZJ9kgVmUcKDS
UrqBvKUn+99dTC8Zn/Py9ofLNcJy+qNJg4TpbpBxXaP1MXdZYXdYkGtyyPIGo31U
oHibNLQDCtKFMoEPCvFuCBtJgyT46l5KN7VQCA0ZDm84fVmIgEEOXWwz0mDIhGWm
hDhmqONznl0+aHirqJxsBaplBaFVV1N02ksR53sPPy/UfDsAD3Fpp8R1DAMEyy0o
kTqm8QINVL961YT1Y/oI+GlypjPq9cL0dEHdxwu6gyCHPMMGGGIDHmLoqJJuj/Kr
/T08jhtDv8D7e9m3wfSW/RqHKE31Yy21SXv/gpcHGunwzDoj/QUvRl/xTjJfx+S8
2NHxSU8QOdexhJumsNFJe8kH8cRJMCMB8/hfiBpI0QANkUBJ1aaa/p7vZuEKJm+/
85m3Yz+zn58/Bube06z6QzFeR8Edi+6hXk4/WoHltgXiNowD3d4xI48sPWEbe+QZ
6u60sEdpY2a+3Xwt9m9R2R+sGP3QyDFd9GVaUPt21TeeLdfS3kPqwO2k+UXB8nV3
Yh1Hvyx67u0tX3wBVe40CNaAu7iW+e4aXjksG2dxk71lNq5CHJCOtbRK4LUArjy5
cw4KAXWoaR8YIC3BWgg=
-----END CERTIFICATE-----

28
_dev/boring/client_rsa.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQNCtaUJ+KPKW6
3PbxpMFP1YOe8Faknnfm38KW3ijae/cKnonG9RXNiR0q5otHb3mDIQHH0lIeJnE+
Img9V+nCKCYbRH0e8HIAbmuFpBtC332emgFocymzWLXZXHEXLXJqplbqavCscx9X
vXqtnYwDNbHtR+G62WgFh56W6LOINZRIS4Z4kbuQd29S0ZiVtF38SUVYc58BDs5z
xRSMQdayiuSpyKrIARFX8f2GvlFqn8n8RFwULxs15xLi3ViH3xaAi6f8xtwEpDOj
UuxaY5B2ZowGgbyDWZhFs1qnwb/5pBuN9GLXM3TJpbXC2UugEmY2AuPBiBpL/lR7
Lk1kx1s3AgEDAoIBAQCKzXI8Nb+xfcPR6KShGIDf460UoDnDFE/vP9cPPsXm/U9c
abEvTg6JBhNx7weE9PuswKvajDa+xEt+wZrTj/EsGsQSLai/Svaq9EeubWeB6lO/
EVZFohvM5c6Q6EtkyPbxxDnxnKBy92o6flHJE7KsznaeL+vR5kVZBRRkmyJazS4s
Z5rbrN9AhSIfyHs9GCQGgsXT6HMsyoJYFastwQ2qj+9L2ypcM8TW+KGzGfJipoJb
l/N/8WHb4ZumA67lfWq4v5JTA5qAUKcfPszEBrUfQ34Tk+73Iiov9f7SXPYxWxVJ
g9PuzfewvJrp6CPv+/mKNt8PmBYkaXlnyjr9tCwLAoGBAPjAVZapQVuIqftcOZtf
Re9fAV9Vvv1FEO8bKJeIsPDlRkdg+TfTMgxhZU0I3P4XdEj7Fa87w4wkA6GkIrOO
W9/usPOYzSdTP5aVEsdGbT8yD2vTST7Aw/GESKTRJA/Fe1PIb5Nz3OijyTusvFE+
XSR3EXb1myX+2rFS0Wbiz2U5AoGBANZFWoeFzREnBcDG60RayjiTg71E1/T4zhvU
e/w+71FNbLZXBrNqgV20F73xOme/Mb13yr+YgXxIEQfFtR6hRxZ8u1jndEzw66Jf
YfHt7EGVceMV2pdP4md5ebebEj7qICfXPxF9IZicwZG3QMR5u0tvnx40iNMWhW0M
rY4FabPvAoGBAKXVjmRw1j0FxqeS0RI/g/TqAOo5Kf4uC0oSGw+wdfXuLtpApiU3
drLrmN4F6Klk+DCnY8on17LCrRZtbHe0PT/0dfe7M2+M1Q8ODITZniohX503hinV
1/ZYMG3gwrUuUjfa9Qz36JsX230d0uDUPhhPYPn5EhlUkcuMi5nsikN7AoGBAI7Y
5wUD3gtvWSsvR4LnMXsNAn4t5U37NBKNp/1/SjYznc7kryJHAOkiun6g0Zp/dn5P
3H+7AP2FYK/ZI2nA2g790jtE+DNLR8GU6/aenYEOS+y5PGTf7ET7pnpnYX9GwBqP
f2D+FmW91mEk1dhRJ4efv2l4WzdkWPNdyQlY8SKfAoGAEIWmowo7EpbR5Boxc2o3
Tl0JbGi1CNJAHtDjEJCd1OxKrMUrK07hOeEKF6y8K/WBuQhFvI2pu16oT4sMal9Z
mEiJdJAFErefPLQGomHLXfq9mDEY13Ug/xAd9aMyYcubIg5XjAqLMrB60HcrLr7Q
2hMCSDdVP2V/F3QVh8DEirE=
-----END PRIVATE KEY-----

15
_dev/boring/ecdsa.pem
View File

@ -1,15 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==
-----END EC PRIVATE KEY-----

5
_dev/boring/httpreq.txt
View File

@ -1,5 +0,0 @@
GET / HTTP/1.1
Host: example.com
Connection: close

45
_dev/boring/rsa.pem
View File

@ -1,45 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh
OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne
RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu
H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2
SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb
wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl
2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw
i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43
z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z
NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq
BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs
UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU
49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz
b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR
u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ
8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/
QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY
gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G
ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2
g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP
Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc
xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP
TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG
LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq
/cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw
EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5
MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI
+gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId
FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ
S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65
U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF
ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK
Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj
MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb
ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX
98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX
46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==
-----END CERTIFICATE-----

8
_dev/boring/run.sh
View File

@ -1,8 +0,0 @@
#! /bin/sh
set -e
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-session-out /session -connect "$@" < /httpreq.txt
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-session-in /session -connect "$@" < /httpreq.txt

32
_dev/boring/server.sh
View File

@ -1,32 +0,0 @@
#!/bin/sh
PATH=/boringssl/build/tool:$PATH
set -x
# RSA
bssl server \
-key rsa.pem \
-min-version tls1.2 -max-version tls1.3 \
-accept 1443 -loop -www 2>&1 &
# ECDSA
bssl server \
-key ecdsa.pem \
-min-version tls1.2 -max-version tls1.3 \
-accept 2443 -loop -www 2>&1 &
# Require client authentication (with ECDSA)
bssl server \
-key ecdsa.pem \
-min-version tls1.2 -max-version tls1.3 \
-accept 6443 -loop -www \
-require-any-client-cert -debug 2>&1 &
# ECDSA and SIDH/P503-X25519
bssl server \
-key ecdsa.pem \
-curves X25519-SIDHp503:X25519:P-256:P-384:P-521 \
-min-version tls1.2 -max-version tls1.3 \
-accept 7443 -loop -www \
-debug 2>&1 &
wait

5176
_dev/boring/sidh_ff433815b51c34496bb6bea13e73e29e5c278238.patch
View File

File diff suppressed because it is too large Load Diff

13
_dev/caddy/Caddyfile
View File

@ -1,13 +0,0 @@
tris.filippo.io {
tls bip@filippo.io
log stdout
proxy / https://blog.filippo.io
}
echo.filippo.io {
tls bip@filippo.io
log stdout
proxy / http://{$ECHO_PORT_80_TCP_ADDR}:{$ECHO_PORT_80_TCP_PORT} {
transparent
}
}

17
_dev/caddy/Dockerfile
View File

@ -1,17 +0,0 @@
FROM scratch
# docker create -v /root/.caddy --name caddy-data caddy /bin/true
# docker run --restart=always -d --volumes-from caddy-data --link echo -p 80:80 -p 443:443 caddy
# GOOS=linux ../go.sh build -v -i github.com/mholt/caddy/caddy
ADD caddy caddy
ADD Caddyfile Caddyfile
ADD https://mkcert.org/generate/ /etc/ssl/certs/ca-certificates.crt
EXPOSE 80
EXPOSE 443
ENV TLSDEBUG short
ENV HOME /root/
CMD [ "/caddy" ]

7
_dev/caddy/Dockerfile.echo
View File

@ -1,7 +0,0 @@
FROM scratch
# docker run --restart=always -d --name echo -P echo
ADD echo echo
EXPOSE 80
CMD [ "/echo", "0.0.0.0:80" ]

21
_dev/caddy/caddy.patch
View File

@ -1,21 +0,0 @@
diff --git a/caddytls/config.go b/caddytls/config.go
index 6632aed..767886c 100644
--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -372,7 +372,7 @@ func SetDefaultTLSParams(config *Config) {
config.ProtocolMinVersion = tls.VersionTLS11
}
if config.ProtocolMaxVersion == 0 {
- config.ProtocolMaxVersion = tls.VersionTLS12
+ config.ProtocolMaxVersion = tls.VersionTLS13
}
// Prefer server cipher suites
@@ -394,6 +394,7 @@ var supportedProtocols = map[string]uint16{
"tls1.0": tls.VersionTLS10,
"tls1.1": tls.VersionTLS11,
"tls1.2": tls.VersionTLS12,
+ "tls1.3": tls.VersionTLS13,
}
// Map of supported ciphers, used only for parsing config.

25
_dev/caddy/echo.go
View File

@ -1,25 +0,0 @@
package main
import (
"fmt"
"html"
"log"
"net/http"
"os"
)
var htmlBody = []byte(`
<!DOCTYPE html>
<p>Hello!
<code><pre>
`)
func main() {
http.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
rw.Write(htmlBody)
for name, value := range r.Header {
fmt.Fprintf(rw, "%s: %s\n", name, html.EscapeString(value[0]))
}
})
log.Println(http.ListenAndServe(os.Args[1], nil))
}

12
_dev/go.sh
View File

@ -1,12 +0,0 @@
#!/usr/bin/env bash
#
# THIS FILE IS ONLY USED BY _dev/bogo. It will be removed in future
set -e
BASEDIR=$(cd "$(dirname "$0")" && pwd)
GOENV="$(go env GOHOSTOS)_$(go env GOHOSTARCH)"
BUILD_DIR=${BASEDIR}/GOROOT make -f $BASEDIR/Makefile >&2
export GOROOT="$BASEDIR/GOROOT/$GOENV"
exec go "$@"

308
_dev/interop_test_runner
View File

@ -1,308 +0,0 @@
#!/usr/bin/env python2
import docker
import unittest
import re
import time
# Regex patterns used for testing
# Checks if TLS 1.3 was negotiated
RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$"
# Checks if TLS 1.3 was resumed
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \[resumed\] _o/"
# Checks if 0-RTT was used and NOT confirmed
RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$"
# Checks if 0-RTT was used and confirmed
RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$"
# ALPN
RE_PATTERN_ALPN = "ALPN protocol: npn_proto$"
# Successful TLS establishement from TRIS
RE_TRIS_ALL_PASSED = ".*All handshakes passed.*"
# TLS handshake from BoringSSL with SIDH/P503-X25519
RE_BORINGSSL_P503 = "ECDHE curve: X25519-SIDHp503"
class Docker(object):
''' Utility class used for starting/stoping servers and clients during tests'''
def __init__(self):
self.d = docker.from_env()
def get_ip(self, server):
tris_localserver_container = self.d.containers.get(server)
return tris_localserver_container.attrs['NetworkSettings']['IPAddress']
def run_client(self, image_name, cmd):
''' Runs client and returns tuple (status_code, logs) '''
c = self.d.containers.create(image=image_name, command=cmd)
c.start()
res = c.wait()
ret = c.logs()
c.remove()
return (res['StatusCode'], ret)
def run_server(self, image_name, cmd=None, ports=None, entrypoint=None):
''' Starts server and returns docker container '''
c = self.d.containers.create(image=image_name, detach=True, command=cmd, ports=ports, entrypoint=entrypoint)
c.start()
# TODO: maybe can be done better?
time.sleep(3)
return c
class RegexSelfTest(unittest.TestCase):
''' Ensures that those regexe's actually work '''
LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"
LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff"
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 [resumed] _o/\nsomestuff"
LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"
LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"
LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff"
def test_regexes(self):
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE))
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_DRAFT_TLS, re.MULTILINE))
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_RESUMED, re.MULTILINE))
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
# negative cases
# expects 1.3, but 1.2 received
self.assertIsNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS_12, re.MULTILINE))
# expects 0-RTT
self.assertIsNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
# expectes 0-RTT confirmed
self.assertIsNone(
re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
# expects resume without 0-RTT
self.assertIsNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
class InteropServer(object):
''' Instantiates TRIS as a server '''
TRIS_SERVER_NAME = "tris-localserver"
@classmethod
def setUpClass(self):
self.d = Docker()
self.server = self.d.run_server(self.TRIS_SERVER_NAME)
@classmethod
def tearDownClass(self):
self.server.kill()
self.server.remove()
@property
def server_ip(self):
return self.d.get_ip(self.server.name)
# Mixins for testing server functionality
class ServerNominalMixin(object):
''' Nominal tests for TLS 1.3 - client tries to perform handshake with server '''
def test_rsa(self):
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'1443')
self.assertTrue(res[0] == 0)
# Check there was TLS hello without resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
# Check there was TLS hello with resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
def test_ecdsa(self):
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'2443')
self.assertTrue(res[0] == 0)
# Check there was TLS hello without resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
# Check there was TLS hello with resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
class ServerClientAuthMixin(object):
''' Client authentication testing '''
def test_client_auth(self):
args = ''.join([self.server_ip+':6443',' -key client_rsa.key -cert client_rsa.crt -debug'])
res = self.d.run_client(self.CLIENT_NAME, args)
self.assertEqual(res[0], 0)
# Check there was TLS hello without resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
# Check there was TLS hello with resume
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
class ClientNominalMixin(object):
def test_rsa(self):
res = self.d.run_client(self.CLIENT_NAME, '-ecdsa=false '+self.server_ip+":1443")
self.assertEqual(res[0], 0)
def test_ecdsa(self):
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false '+self.server_ip+":2443")
self.assertEqual(res[0], 0)
class ClientClientAuthMixin(object):
''' Client authentication testing - tris on client side '''
def test_client_auth(self):
res = self.d.run_client('tris-testclient', '-rsa=false -cliauth '+self.server_ip+":6443")
self.assertTrue(res[0] == 0)
class ServerZeroRttMixin(object):
''' Zero RTT testing '''
def test_zero_rtt(self):
# rejecting 0-RTT
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":3443")
self.assertEqual(res[0], 0)
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
self.assertIsNone(
re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
# accepting 0-RTT
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":4443")
self.assertEqual(res[0], 0)
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
# confirming 0-RTT
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":5443")
self.assertEqual(res[0], 0)
self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, res[1], re.MULTILINE))
class InteropClient(object):
''' Instantiates TRIS as a client '''
CLIENT_NAME = "tris-testclient"
@classmethod
def setUpClass(self):
self.d = Docker()
self.server = self.d.run_server(
self.SERVER_NAME,
ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443, '7443/tcp': 7443},
entrypoint="/server.sh")
@classmethod
def tearDownClass(self):
self.server.kill()
self.server.remove()
@property
def server_ip(self):
return self.d.get_ip(self.server.name)
# Actual test definition
# TRIS as a server, BoringSSL as a client
class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase):
CLIENT_NAME = "tls-tris:boring"
def test_ALPN(self):
'''
Checks wether ALPN is sent back by tris server in EncryptedExtensions in case of TLS 1.3. The
ALPN protocol is set to 'npn_proto', which is hardcoded in TRIS test server.
'''
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":1443 "+'-alpn-protos npn_proto')
self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE))
def test_SIDH(self):
'''
Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
'''
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":7443 "+'-curves X25519-SIDHp503')
self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_BORINGSSL_P503, res[1], re.MULTILINE))
self.assertIsNotNone(re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
# PicoTLS doesn't seem to implement draft-23 correctly. It will
# be enabled when draft-28 is implemented.
# class InteropServer_PicoTLS(
# InteropServer,
# ServerNominalMixin,
# ServerZeroRttMixin,
# unittest.TestCase
# ): CLIENT_NAME = "tls-tris:picotls"
class InteropServer_NSS(
InteropServer,
ServerNominalMixin,
ServerZeroRttMixin,
unittest.TestCase
): CLIENT_NAME = "tls-tris:tstclnt"
# TRIS as a client, BoringSSL as a server
class InteropClient_BoringSSL(InteropClient, ClientNominalMixin, ClientClientAuthMixin, unittest.TestCase):
SERVER_NAME = "boring-localserver"
def test_SIDH(self):
'''
Connects to BoringSSL server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
'''
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIDHp503 ' + self.server_ip+":7443")
self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))
def test_SIDH_TLSv12(self):
'''
Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
This connection will be over TLSv12 and hence it should fall back to X25519
'''
res = self.d.run_client(self.CLIENT_NAME, '-tls_version=1.2 -rsa=false -ecdsa=true -groups X25519-SIDHp503:P-256 -ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ' + self.server_ip+":7443")
self.assertEqual(res[0], 0)
# Go doesn't provide API to get NamedGroup ID, but boringssl on port 7443 accepts only TLS1.2
# so if handshake was successful, then that's all what we need
self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))
class InteropClient_NSS(
InteropClient,
ClientNominalMixin,
unittest.TestCase
): SERVER_NAME = "tstclnt-localserver"
# TRIS as a client
class InteropServer_TRIS(ClientNominalMixin, InteropServer, unittest.TestCase):
CLIENT_NAME = 'tris-testclient'
def test_client_auth(self):
# I need to block TLS v1.2 as test server needs some rework
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443")
self.assertEqual(res[0], 0)
def test_SIDH(self):
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIDHp503 '+self.server_ip+":7443")
self.assertEqual(res[0], 0)
def test_SIKE(self):
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIKEp503 '+self.server_ip+":7443")
self.assertEqual(res[0], 0)
def test_server_doesnt_support_SIDH(self):
'''
Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather
TLS session can still be established.
'''
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true '+self.server_ip+":7443")
self.assertEqual(res[0], 0)
if __name__ == '__main__':
unittest.main()

21
_dev/mint/Dockerfile
View File

@ -1,21 +0,0 @@
FROM golang:1.7-alpine
RUN apk add --update \
git \
&& rm -rf /var/cache/apk/*
RUN go get github.com/bifurcation/mint
# Draft 18
ARG REVISION=52f9f98
RUN cd /go/src/github.com/bifurcation/mint && git fetch https://github.com/FiloSottile/mint
RUN cd /go/src/github.com/bifurcation/mint && git checkout $REVISION
ADD mint-client.go /mint-client.go
RUN GOBIN=/ go install /mint-client.go
ENV MINT_LOG=*
ADD run.sh /run.sh
ENTRYPOINT ["/run.sh"]

41
_dev/mint/mint-client.go
View File

@ -1,41 +0,0 @@
package main
import (
"log"
"net"
"net/http"
"os"
"github.com/bifurcation/mint"
)
func main() {
c := &mint.Config{
PSKs: &mint.PSKMapCache{},
}
tr := &http.Transport{
DialTLS: func(network, addr string) (net.Conn, error) {
return mint.Dial(network, addr, c)
},
DisableKeepAlives: true,
}
client := &http.Client{Transport: tr}
resp, err := client.Get("https://" + os.Args[1])
if err != nil {
log.Fatal(err)
}
if err := resp.Write(os.Stdout); err != nil {
log.Fatal(err)
}
// Resumption
resp, err = client.Get("https://" + os.Args[1])
if err != nil {
log.Fatal(err)
}
if err := resp.Write(os.Stdout); err != nil {
log.Fatal(err)
}
}

3
_dev/mint/run.sh
View File

@ -1,3 +0,0 @@
#! /bin/sh
exec /mint-client "$@"

63
_dev/patches/88253a956a753213617d95af3f42a23a78798473.patch
View File

@ -1,63 +0,0 @@
From 88253a956a753213617d95af3f42a23a78798473 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@cloudflare.com>
Date: Mon, 28 Nov 2016 05:24:21 +0000
Subject: [PATCH] net/http: attach TLSConnContextKey to the request Context
Change-Id: Ic59c84f992c829dc7da741b128dd6899366fa1d2
---
src/net/http/request.go | 4 +++-
src/net/http/server.go | 12 ++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/net/http/request.go b/src/net/http/request.go
index 13f367c1a8..b2827ff123 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -275,7 +275,9 @@ type Request struct {
// was received. This field is not filled in by ReadRequest.
// The HTTP server in this package sets the field for
// TLS-enabled connections before invoking a handler;
- // otherwise it leaves the field nil.
+ // otherwise it leaves the field nil. The value is fixed
+ // at the state of the connection immediately after Handshake,
+ // for an immediate value use TLSConnContextKey.
// This field is ignored by the HTTP client.
TLS *tls.ConnectionState
diff --git a/src/net/http/server.go b/src/net/http/server.go
index 2fa8ab23d8..b0542cdbc3 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -223,6 +223,12 @@ var (
// the local address the connection arrived on.
// The associated value will be of type net.Addr.
LocalAddrContextKey = &contextKey{"local-addr"}
+
+ // TLSConnContextKey is a context key. It can be used in
+ // HTTP handlers with context.WithValue to access the
+ // underlying *tls.Conn being served. If the connection
+ // is not TLS, the key is not set.
+ TLSConnContextKey = &contextKey{"tls-conn"}
)
// A conn represents the server side of an HTTP connection.
@@ -969,6 +975,9 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
delete(req.Header, "Host")
ctx, cancelCtx := context.WithCancel(ctx)
+ if tlsConn, ok := c.rwc.(*tls.Conn); ok {
+ ctx = context.WithValue(ctx, TLSConnContextKey, tlsConn)
+ }
req.ctx = ctx
req.RemoteAddr = c.remoteAddr
req.TLS = c.tlsState
@@ -3161,6 +3170,9 @@ func (h initNPNRequest) ServeHTTP(rw ResponseWriter, req *Request) {
if req.RemoteAddr == "" {
req.RemoteAddr = h.c.RemoteAddr().String()
}
+ if req.ctx != nil && req.ctx.Value(TLSConnContextKey) == nil {
+ req.ctx = context.WithValue(req.ctx, TLSConnContextKey, h.c)
+ }
h.h.ServeHTTP(rw, req)
}

26
_dev/picotls/Dockerfile
View File

@ -1,26 +0,0 @@
FROM alpine
RUN apk add --update \
git \
cmake \
build-base \
openssl-dev \
bash \
&& rm -rf /var/cache/apk/*
RUN git clone https://github.com/h2o/picotls
# Draft -18
#ARG REVISION=a6c1c65
# Draft -22
ARG REVISION=843ccdc
RUN cd picotls && git fetch && git checkout $REVISION
RUN cd picotls && git submodule update --init
RUN cd picotls && cmake . && make
ADD httpreq.txt /httpreq.txt
ADD run.sh /run.sh
ENTRYPOINT ["/run.sh"]

5
_dev/picotls/httpreq.txt
View File

@ -1,5 +0,0 @@
GET / HTTP/1.1
Host: example.com
Connection: close

10
_dev/picotls/run.sh
View File

@ -1,10 +0,0 @@
#! /bin/bash
set -e
IFS=':' read -ra ADDR <<< "$1"
shift
HOST="${ADDR[0]}"
PORT="${ADDR[1]}"
/picotls/cli -s /session -e "$@" $HOST $PORT < /httpreq.txt
/picotls/cli -s /session -e "$@" $HOST $PORT < /httpreq.txt

26
_dev/testdata/Dockerfile vendored
View File

@ -1,26 +0,0 @@
# docker build -t tls-tris:testdata _dev/testdata
# GOOS=linux ./_dev/go.sh test -c crypto/tls
# docker run -it --rm -v "$(pwd):$(pwd)" -w "$(pwd)" tls-tris:testdata
# ./tls.test -update -test.v -test.run SCTs
## === RUN TestHandshakClientSCTs
## Wrote testdata/Client-TLSv12-SCT
## --- PASS: TestHandshakClientSCTs (0.62s)
## PASS
FROM alpine
RUN apk add --update \
wget \
build-base \
perl \
ca-certificates \
linux-headers \
&& rm -rf /var/cache/apk/*
RUN wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz
RUN tar xvf openssl-1.1.0c.tar.gz
RUN cd openssl-1.1.0c && perl ./Configure enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method -static linux-x86_64
RUN cd openssl-1.1.0c && make
RUN cd openssl-1.1.0c && make install
ENTRYPOINT ["/bin/sh"]

7
_dev/tls_examples/Makefile
View File

@ -1,7 +0,0 @@
# Used to build examples. Must be compiled from current directory and after "make build-all"
build:
GOROOT=../GOROOT/linux_amd64 go build ems_client.go
run:
./ems_client google.com:443

75
_dev/tls_examples/ems_client.go
View File

@ -1,75 +0,0 @@
package main
import (
"bufio"
"crypto/tls"
"flag"
"fmt"
"io"
"net/http"
"net/url"
"os"
)
var tlsVersionToName = map[string]uint16{
"tls10": tls.VersionTLS10,
"tls11": tls.VersionTLS11,
"tls12": tls.VersionTLS12,
"tls13": tls.VersionTLS13,
}
// Usage client args host:port
func main() {
var version string
var addr string
var enableEMS bool
var resume bool
var config tls.Config
var cache tls.ClientSessionCache
cache = tls.NewLRUClientSessionCache(0)
flag.StringVar(&version, "version", "tls12", "Version of TLS to use")
flag.BoolVar(&enableEMS, "m", false, "Enable EMS")
flag.BoolVar(&resume, "r", false, "Attempt Resumption")
flag.Parse()
config.MinVersion = tlsVersionToName[version]
config.MaxVersion = tlsVersionToName[version]
config.InsecureSkipVerify = true
config.UseExtendedMasterSecret = !enableEMS
config.ClientSessionCache = cache
var iters int
if resume {
iters = 2
} else {
iters = 1
}
addr = flag.Arg(0)
for ; iters > 0; iters-- {
conn, err := tls.Dial("tcp", addr, &config)
if err != nil {
fmt.Println("Error %s", err)
os.Exit(1)
}
var req http.Request
var response *http.Response
req.Method = "GET"
req.URL, err = url.Parse("https://" + addr + "/")
if err != nil {
fmt.Println("Failed to parse url")
os.Exit(1)
}
req.Write(conn)
reader := bufio.NewReader(conn)
response, err = http.ReadResponse(reader, nil)
if err != nil {
fmt.Println("HTTP problem")
fmt.Println(err)
os.Exit(1)
}
io.Copy(os.Stdout, response.Body)
conn.Close()
if resume && iters == 2 {
fmt.Println("Attempting resumption")
}
}
os.Exit(0)
}

16
_dev/tris-localserver/Dockerfile
View File

@ -1,16 +0,0 @@
FROM buildpack-deps
ENV TLSDEBUG error
EXPOSE 1443
EXPOSE 2443
EXPOSE 3443
EXPOSE 4443
EXPOSE 5443
EXPOSE 6443
EXPOSE 7443
ADD tris-localserver /
ADD runner.sh /
CMD [ "./runner.sh" ]

11
_dev/tris-localserver/runner.sh
View File

@ -1,11 +0,0 @@
#!/bin/sh
./tris-localserver -b 0.0.0.0:1443 -cert=rsa -rtt0=n 2>&1 & # first port: ECDSA (and no 0-RTT)
./tris-localserver -b 0.0.0.0:2443 -cert=ecdsa -rtt0=a 2>&1 & # second port: RSA (and accept 0-RTT but not offer it)
./tris-localserver -b 0.0.0.0:3443 -cert=ecdsa -rtt0=o 2>&1 & # third port: offer and reject 0-RTT
./tris-localserver -b 0.0.0.0:4443 -cert=ecdsa -rtt0=oa 2>&1 & # fourth port: offer and accept 0-RTT
./tris-localserver -b 0.0.0.0:5443 -cert=ecdsa -rtt0=oa -rtt0ack 2>&1 & # fifth port: offer and accept 0-RTT but confirm
./tris-localserver -b 0.0.0.0:6443 -cert=rsa -cliauth 2>&1 & # sixth port: RSA with required client authentication
./tris-localserver -b 0.0.0.0:7443 -cert=ecdsa -pq=c & # Enables support for both - post-quantum and classical KEX algorithms
wait

316
_dev/tris-localserver/server.go
View File

@ -1,316 +0,0 @@
package main
import (
"crypto/x509"
"encoding/hex"
"errors"
"flag"
"fmt"
"github.com/henrydcase/trs"
"io/ioutil"
"log"
"net/http"
"os"
"strings"
"time"
)
type ZeroRTT_t int
type PubKeyAlgo_t int
// Bitset
const (
ZeroRTT_None ZeroRTT_t = 0
ZeroRTT_Offer = 1 << 0
ZeroRTT_Accept = 1 << 1
)
type server struct {
Address string
ZeroRTT ZeroRTT_t
TLS tls.Config
}
var tlsVersionToName = map[uint16]string{
tls.VersionTLS10: "1.0",
tls.VersionTLS11: "1.1",
tls.VersionTLS12: "1.2",
tls.VersionTLS13: "1.3",
}
func NewServer() *server {
s := new(server)
s.ZeroRTT = ZeroRTT_None
s.Address = "0.0.0.0:443"
s.TLS = tls.Config{
GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
// If we send the first flight too fast, NSS sends empty early data.
time.Sleep(500 * time.Millisecond)
return nil, nil
},
MaxVersion: tls.VersionTLS13,
ClientAuth: tls.NoClientCert,
}
return s
}
func enablePQ(s *server, enableDefault bool) {
var pqGroups = []tls.CurveID{tls.HybridSIDHp503Curve25519, tls.HybridSIKEp503Curve25519}
if enableDefault {
var defaultCurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}
s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, defaultCurvePreferences...)
}
s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, pqGroups...)
}
func (s *server) start() {
var err error
if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer {
s.TLS.Max0RTTDataSize = 100 * 1024
}
if keyLogFile := os.Getenv("SSLKEYLOGFILE"); keyLogFile != "" {
s.TLS.KeyLogWriter, err = os.OpenFile(keyLogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
if err != nil {
log.Fatalf("Cannot open keylog file: %v", err)
}
log.Println("Enabled keylog")
}
s.TLS.ClientCAs = x509.NewCertPool()
s.TLS.ClientCAs.AppendCertsFromPEM([]byte(rsaCa_client))
s.TLS.Accept0RTTData = ((s.ZeroRTT & ZeroRTT_Accept) == ZeroRTT_Accept)
s.TLS.NextProtos = []string{"npn_proto"}
httpServer := &http.Server{
Addr: s.Address,
TLSConfig: &s.TLS,
}
log.Fatal(httpServer.ListenAndServeTLS("", ""))
}
// setServerCertificateFromArgs sets server certificate from an argument provided by the caller. Possible values
// for arg_cert:
// * "rsa": sets hardcoded RSA keypair
// * "ecdsa": sets hardcoded ECDSA keypair
// * FILE1:FILE2: Uses private key from FILE1 and public key from FILE2. Both must be in PEM format. FILE2 can
// be single certificate or certificate chain.
// * nil: fallbacks to "rsa"
//
// Function generate a panic in case certificate can't be correctly set
func (s *server) setServerCertificateFromArgs(arg_cert *string) {
var certStr, keyStr []byte
var cert tls.Certificate
var err error
if arg_cert == nil {
// set rsa by default
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
} else {
switch *arg_cert {
case "rsa":
certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
case "ecdsa":
certStr, keyStr = []byte(ecdsaCert), []byte(ecdsaKey)
default:
files := strings.Split(*arg_cert, ":")
if len(files) != 2 {
err = errors.New("Wrong format provided after -cert.")
goto err
}
keyStr, err = ioutil.ReadFile(files[0])
if err != nil {
goto err
}
certStr, err = ioutil.ReadFile(files[1])
if err != nil {
goto err
}
}
}
cert, err = tls.X509KeyPair(certStr, keyStr)
if err != nil {
goto err
}
s.TLS.Certificates = []tls.Certificate{cert}
err:
if err != nil {
// Not possible to proceed really
log.Fatal(err)
panic(err)
}
}
func main() {
s := NewServer()
arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")
arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")
arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)
arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")
arg_pq := flag.String("pq", "", "Enable quantum-resistant algorithms [c: Support classical and Quantum-Resistant, q: Enable Quantum-Resistant only]")
flag.Parse()
s.Address = *arg_addr
s.setServerCertificateFromArgs(arg_cert)
if *arg_zerortt == "a" {
s.ZeroRTT = ZeroRTT_Accept
} else if *arg_zerortt == "o" {
s.ZeroRTT = ZeroRTT_Offer
} else if *arg_zerortt == "oa" {
s.ZeroRTT = ZeroRTT_Offer | ZeroRTT_Accept
}
if *arg_clientauth {
s.TLS.ClientAuth = tls.RequireAndVerifyClientCert
}
if *arg_pq == "c" {
enablePQ(s, true)
} else if *arg_pq == "q" {
enablePQ(s, false)
}
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
tlsConn := r.Context().Value(http.TLSConnContextKey).(*tls.Conn)
with0RTT := ""
if !tlsConn.ConnectionState().HandshakeConfirmed {
with0RTT = " [0-RTT]"
}
if *arg_confirm || r.URL.Path == "/confirm" {
if err := tlsConn.ConfirmHandshake(); err != nil {
log.Fatal(err)
}
if with0RTT != "" {
with0RTT = " [0-RTT confirmed]"
}
if !tlsConn.ConnectionState().HandshakeConfirmed {
panic("HandshakeConfirmed false after ConfirmHandshake")
}
}
resumed := ""
if r.TLS.DidResume {
resumed = " [resumed]"
}
http2 := ""
if r.ProtoMajor == 2 {
http2 = " [HTTP/2]"
}
fmt.Fprintf(w, "<!DOCTYPE html><p>Hello TLS %s%s%s%s _o/\n", tlsVersionToName[r.TLS.Version], resumed, with0RTT, http2)
})
http.HandleFunc("/ch", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/plain")
fmt.Fprintf(w, "Client Hello packet (%d bytes):\n%s", len(r.TLS.ClientHello), hex.Dump(r.TLS.ClientHello))
})
s.start()
}
const (
rsaKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh
OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne
RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu
H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2
SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb
wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl
2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw
i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43
z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z
NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq
BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs
UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU
49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz
b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR
u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ
8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/
QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY
gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G
ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2
g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP
Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc
xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP
TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG
LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq
/cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==
-----END RSA PRIVATE KEY-----`
rsaCert = `-----BEGIN CERTIFICATE-----
MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw
EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5
MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI
+gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId
FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ
S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65
U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF
ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK
Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj
MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb
ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX
98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX
46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==
-----END CERTIFICATE-----`
rsaCa_client = `-----BEGIN CERTIFICATE-----
MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-----END CERTIFICATE-----`
ecdsaCert = `-----BEGIN CERTIFICATE-----
MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
-----END CERTIFICATE-----`
ecdsaKey = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==
-----END EC PRIVATE KEY-----`
)

5
_dev/tris-localserver/start.sh
View File

@ -1,5 +0,0 @@
#! /bin/sh
set -e
exec docker run --name tris-localserver --env TLSDEBUG=error "$@" tris-localserver

7
_dev/tris-testclient/Dockerfile
View File

@ -1,7 +0,0 @@
FROM buildpack-deps
ENV TLSDEBUG error
ADD tris-testclient /
ENTRYPOINT ["/tris-testclient"]

303
_dev/tris-testclient/client.go
View File

@ -1,303 +0,0 @@
package main
import (
"crypto/x509"
"errors"
"flag"
"fmt"
"github.com/henrydcase/trs"
"io"
"log"
"os"
"strings"
)
var tlsVersionToName = map[uint16]string{
tls.VersionTLS10: "1.0",
tls.VersionTLS11: "1.1",
tls.VersionTLS12: "1.2",
tls.VersionTLS13: "1.3",
}
var cipherSuiteIdToName = map[uint16]string{
tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA",
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
tls.TLS_AES_128_GCM_SHA256: "TLS_AES_128_GCM_SHA256",
tls.TLS_AES_256_GCM_SHA384: "TLS_AES_256_GCM_SHA384",
tls.TLS_CHACHA20_POLY1305_SHA256: "TLS_CHACHA20_POLY1305_SHA256",
}
var namedGroupsToName = map[uint16]string{
uint16(tls.HybridSIDHp503Curve25519): "X25519-SIDHp503",
uint16(tls.HybridSIKEp503Curve25519): "X25519-SIKEp503",
uint16(tls.X25519): "X25519",
uint16(tls.CurveP256): "P-256",
uint16(tls.CurveP384): "P-384",
uint16(tls.CurveP521): "P-521",
}
func getIDByName(m map[uint16]string, name string) (uint16, error) {
for key, value := range m {
if value == name {
return key, nil
}
}
return 0, errors.New("Unknown value")
}
var failed uint
type Client struct {
TLS tls.Config
addr string
}
func NewClient() *Client {
var c Client
c.TLS.InsecureSkipVerify = true
return &c
}
func (c *Client) clone() *Client {
var clone Client
clone.TLS = *c.TLS.Clone()
clone.addr = c.addr
return &clone
}
func (c *Client) setMinMaxTLS(ver uint16) {
c.TLS.MinVersion = ver
c.TLS.MaxVersion = ver
}
func (c *Client) run() {
fmt.Printf("TLS %s with %s\n", tlsVersionToName[c.TLS.MinVersion], cipherSuiteIdToName[c.TLS.CipherSuites[0]])
con, err := tls.Dial("tcp", c.addr, &c.TLS)
if err != nil {
fmt.Printf("handshake failed: %v\n\n", err)
failed++
return
}
defer con.Close()
_, err = con.Write([]byte("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"))
if err != nil {
fmt.Printf("Write failed: %v\n\n", err)
failed++
return
}
buf := make([]byte, 1024)
n, err := con.Read(buf)
// A non-zero read with EOF is acceptable and occurs when a close_notify
// is received right after reading data (observed with NSS selfserv).
if !(n > 0 && err == io.EOF) && err != nil {
fmt.Printf("Read failed: %v\n\n", err)
failed++
return
}
fmt.Printf("[TLS: %s] Read %d bytes\n", tlsVersionToName[con.ConnectionState().Version], n)
fmt.Println("OK\n")
}
func result() {
if failed > 0 {
log.Fatalf("Failed handshakes: %d\n", failed)
} else {
fmt.Println("All handshakes passed")
}
}
// Usage client args host:port
func main() {
var keylog_file, tls_version, named_groups, named_ciphers string
var enable_rsa, enable_ecdsa, client_auth bool
flag.StringVar(&keylog_file, "keylogfile", "", "Secrets will be logged here")
flag.BoolVar(&enable_rsa, "rsa", true, "Whether to enable RSA cipher suites")
flag.BoolVar(&enable_ecdsa, "ecdsa", true, "Whether to enable ECDSA cipher suites")
flag.BoolVar(&client_auth, "cliauth", false, "Whether to enable client authentication")
flag.StringVar(&tls_version, "tls_version", "1.3", "TLS version to use")
flag.StringVar(&named_groups, "groups", "X25519:P-256:P-384:P-521", "NamedGroups IDs to use")
flag.StringVar(&named_ciphers, "ciphers", "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384", "Named cipher IDs to use")
flag.Parse()
if flag.NArg() != 1 {
flag.Usage()
os.Exit(1)
}
client := NewClient()
client.addr = flag.Arg(0)
if !strings.Contains(client.addr, ":") {
client.addr += ":443"
}
if keylog_file == "" {
keylog_file = os.Getenv("SSLKEYLOGFILE")
}
if keylog_file != "" {
keylog_writer, err := os.OpenFile(keylog_file, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
if err != nil {
log.Fatalf("Cannot open keylog file: %v", err)
}
client.TLS.KeyLogWriter = keylog_writer
log.Println("Enabled keylog")
}
if client_auth {
var err error
client_cert, err := tls.X509KeyPair([]byte(client_crt), []byte(client_key))
if err != nil {
panic("Can't load client certificate")
}
client.TLS.Certificates = []tls.Certificate{client_cert}
client.TLS.RootCAs = x509.NewCertPool()
if !client.TLS.RootCAs.AppendCertsFromPEM([]byte(client_ca)) {
panic("Can't load client CA cert")
}
}
if enable_rsa {
// Sanity check: TLS 1.2 with the mandatory cipher suite from RFC 5246
c := client.clone()
c.TLS.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}
c.setMinMaxTLS(tls.VersionTLS12)
c.run()
}
if enable_ecdsa {
// Sane cipher suite for TLS 1.2 with an ECDSA cert (as used by boringssl)
c := client.clone()
c.TLS.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
c.setMinMaxTLS(tls.VersionTLS12)
c.run()
}
// Set requested DH groups
client.TLS.CurvePreferences = []tls.CurveID{}
for _, ng := range strings.Split(named_groups, ":") {
id, err := getIDByName(namedGroupsToName, ng)
if err != nil {
panic("Wrong group name provided")
}
client.TLS.CurvePreferences = append(client.TLS.CurvePreferences, tls.CurveID(id))
}
// Perform TLS handshake with each each requested CipherSuite
tlsID, err := getIDByName(tlsVersionToName, tls_version)
if err != nil {
panic("Unknown TLS version")
}
for _, cn := range strings.Split(named_ciphers, ":") {
id, err := getIDByName(cipherSuiteIdToName, cn)
if err != nil {
panic("Wrong cipher name provided")
}
client.setMinMaxTLS(tlsID)
client.TLS.CipherSuites = []uint16{id}
client.run()
}
// TODO test other kex methods besides X25519, like MTI secp256r1
// TODO limit supported groups?
result()
}
const (
client_ca = `-----BEGIN CERTIFICATE-----
MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-----END CERTIFICATE-----`
client_crt = `-----BEGIN CERTIFICATE-----
MIIFSjCCAzKgAwIBAgIUCKk2npLYEX2Z3Ceu1CwSKK50j04wDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDMz
MloXDTQ2MDcwOTAwNDMzMlowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA0DQrWlCfijylutz28aTB
T9WDnvBWpJ535t/Clt4o2nv3Cp6JxvUVzYkdKuaLR295gyEBx9JSHiZxPiJoPVfp
wigmG0R9HvByAG5rhaQbQt99npoBaHMps1i12VxxFy1yaqZW6mrwrHMfV716rZ2M
AzWx7UfhutloBYeeluiziDWUSEuGeJG7kHdvUtGYlbRd/ElFWHOfAQ7Oc8UUjEHW
sorkqciqyAERV/H9hr5Rap/J/ERcFC8bNecS4t1Yh98WgIun/MbcBKQzo1LsWmOQ
dmaMBoG8g1mYRbNap8G/+aQbjfRi1zN0yaW1wtlLoBJmNgLjwYgaS/5Uey5NZMdb
NwIBA6OBwzCBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAxBglghkgB
hvhCAQ0EJBYiQ2VydCBUZXN0aW5nIEludGVybWVkaWF0ZSAtIENsaWVudDAdBgNV
HQ4EFgQULlrGFPbxwz525ywQYPs72P7YnL4wHwYDVR0jBBgwFoAU0uJLph7MfZta
JndM1uRDMygEEHYwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAwLc+Xg5Fyfbgu5iFs1y7E0Et
4E/5lF0A4iqDVX3e7/upoUIBFZFv2PlAqIlhQ49NgGlIfrBlwEijZJ9kgVmUcKDS
UrqBvKUn+99dTC8Zn/Py9ofLNcJy+qNJg4TpbpBxXaP1MXdZYXdYkGtyyPIGo31U
oHibNLQDCtKFMoEPCvFuCBtJgyT46l5KN7VQCA0ZDm84fVmIgEEOXWwz0mDIhGWm
hDhmqONznl0+aHirqJxsBaplBaFVV1N02ksR53sPPy/UfDsAD3Fpp8R1DAMEyy0o
kTqm8QINVL961YT1Y/oI+GlypjPq9cL0dEHdxwu6gyCHPMMGGGIDHmLoqJJuj/Kr
/T08jhtDv8D7e9m3wfSW/RqHKE31Yy21SXv/gpcHGunwzDoj/QUvRl/xTjJfx+S8
2NHxSU8QOdexhJumsNFJe8kH8cRJMCMB8/hfiBpI0QANkUBJ1aaa/p7vZuEKJm+/
85m3Yz+zn58/Bube06z6QzFeR8Edi+6hXk4/WoHltgXiNowD3d4xI48sPWEbe+QZ
6u60sEdpY2a+3Xwt9m9R2R+sGP3QyDFd9GVaUPt21TeeLdfS3kPqwO2k+UXB8nV3
Yh1Hvyx67u0tX3wBVe40CNaAu7iW+e4aXjksG2dxk71lNq5CHJCOtbRK4LUArjy5
cw4KAXWoaR8YIC3BWgg=
-----END CERTIFICATE-----`
client_key = `-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQNCtaUJ+KPKW6
3PbxpMFP1YOe8Faknnfm38KW3ijae/cKnonG9RXNiR0q5otHb3mDIQHH0lIeJnE+
Img9V+nCKCYbRH0e8HIAbmuFpBtC332emgFocymzWLXZXHEXLXJqplbqavCscx9X
vXqtnYwDNbHtR+G62WgFh56W6LOINZRIS4Z4kbuQd29S0ZiVtF38SUVYc58BDs5z
xRSMQdayiuSpyKrIARFX8f2GvlFqn8n8RFwULxs15xLi3ViH3xaAi6f8xtwEpDOj
UuxaY5B2ZowGgbyDWZhFs1qnwb/5pBuN9GLXM3TJpbXC2UugEmY2AuPBiBpL/lR7
Lk1kx1s3AgEDAoIBAQCKzXI8Nb+xfcPR6KShGIDf460UoDnDFE/vP9cPPsXm/U9c
abEvTg6JBhNx7weE9PuswKvajDa+xEt+wZrTj/EsGsQSLai/Svaq9EeubWeB6lO/
EVZFohvM5c6Q6EtkyPbxxDnxnKBy92o6flHJE7KsznaeL+vR5kVZBRRkmyJazS4s
Z5rbrN9AhSIfyHs9GCQGgsXT6HMsyoJYFastwQ2qj+9L2ypcM8TW+KGzGfJipoJb
l/N/8WHb4ZumA67lfWq4v5JTA5qAUKcfPszEBrUfQ34Tk+73Iiov9f7SXPYxWxVJ
g9PuzfewvJrp6CPv+/mKNt8PmBYkaXlnyjr9tCwLAoGBAPjAVZapQVuIqftcOZtf
Re9fAV9Vvv1FEO8bKJeIsPDlRkdg+TfTMgxhZU0I3P4XdEj7Fa87w4wkA6GkIrOO
W9/usPOYzSdTP5aVEsdGbT8yD2vTST7Aw/GESKTRJA/Fe1PIb5Nz3OijyTusvFE+
XSR3EXb1myX+2rFS0Wbiz2U5AoGBANZFWoeFzREnBcDG60RayjiTg71E1/T4zhvU
e/w+71FNbLZXBrNqgV20F73xOme/Mb13yr+YgXxIEQfFtR6hRxZ8u1jndEzw66Jf
YfHt7EGVceMV2pdP4md5ebebEj7qICfXPxF9IZicwZG3QMR5u0tvnx40iNMWhW0M
rY4FabPvAoGBAKXVjmRw1j0FxqeS0RI/g/TqAOo5Kf4uC0oSGw+wdfXuLtpApiU3
drLrmN4F6Klk+DCnY8on17LCrRZtbHe0PT/0dfe7M2+M1Q8ODITZniohX503hinV
1/ZYMG3gwrUuUjfa9Qz36JsX230d0uDUPhhPYPn5EhlUkcuMi5nsikN7AoGBAI7Y
5wUD3gtvWSsvR4LnMXsNAn4t5U37NBKNp/1/SjYznc7kryJHAOkiun6g0Zp/dn5P
3H+7AP2FYK/ZI2nA2g790jtE+DNLR8GU6/aenYEOS+y5PGTf7ET7pnpnYX9GwBqP
f2D+FmW91mEk1dhRJ4efv2l4WzdkWPNdyQlY8SKfAoGAEIWmowo7EpbR5Boxc2o3
Tl0JbGi1CNJAHtDjEJCd1OxKrMUrK07hOeEKF6y8K/WBuQhFvI2pu16oT4sMal9Z
mEiJdJAFErefPLQGomHLXfq9mDEY13Ug/xAd9aMyYcubIg5XjAqLMrB60HcrLr7Q
2hMCSDdVP2V/F3QVh8DEirE=
-----END PRIVATE KEY-----`
)

61
_dev/tstclnt/Dockerfile
View File

@ -1,61 +0,0 @@
FROM buildpack-deps
RUN hg clone https://hg.mozilla.org/projects/nspr
RUN hg clone https://hg.mozilla.org/projects/nss
ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
# Incremental build snapshot disabled as dependencies don't seem to be solid:
# the same value changed in a header file would apply to one .c file and not another
# RUN cd nss && make nss_build_all
# Draft 15
# ARG REVISION=c483e5f9e0bc
# Draft 16
# ARG REVISION=3e7b53b18112
# Draft 18
# ARG REVISION=b6dfef6d0ff0
# Draft 18, NSS_3_34_1_RTM (with TLS 1.3 keylogging support)
# ARG REVISION=e61c0f657100
# Draft 22
#ARG REVISION=88c3f3fa581b
# Draft 23
# ARG REVISION=16c622c9e1cc
# Latest
ARG REVISION=ee357b00f2e6
RUN cd nss && hg pull
RUN cd nss && hg checkout -C $REVISION
ADD *.patch ./
RUN for p in *.patch; do patch -p1 -d nss < $p; done
RUN cd nss && make nss_build_all
# ENV HOST=localhost
# RUN cd nss/tests/ssl_gtests && ./ssl_gtests.sh
RUN cd nss && make install
RUN mv /dist/$(uname -s)$(uname -r | cut -f 1-2 -d . -)_$(uname -m)_${CC:-cc}_glibc_PTH_64_$([ -n "$BUILD_OPT" ] && echo OPT || echo DBG).OBJ /dist/OBJ-PATH
ENV LD_LIBRARY_PATH=/dist/OBJ-PATH/lib
ENV SSLTRACE=100 SSLDEBUG=100
# Init test key using an empty noise (seed) file (-z /dev/null).
# Use different subjects, otherwise NSS seems to merge keys under the same nickname.
RUN mkdir /certdb && \
/dist/OBJ-PATH/bin/certutil -d /certdb -N --empty-password && \
/dist/OBJ-PATH/bin/certutil -d /certdb -S -n rsa-server -t u -x -s CN=localhost -k rsa -z /dev/null && \
/dist/OBJ-PATH/bin/certutil -d /certdb -S -n ecdsa-server -t u -x -s CN=localhost,O=EC -k ec -z /dev/null -q nistp256
ADD httpreq.txt /httpreq.txt
ADD run.sh /run.sh
ADD server.sh /server.sh
ENTRYPOINT ["/run.sh"]

5
_dev/tstclnt/httpreq.txt
View File

@ -1,5 +0,0 @@
GET / HTTP/1.1
Host: example.com
Connection: close

37
_dev/tstclnt/poll.patch
View File

@ -1,37 +0,0 @@
diff -r 15c6a01b9fe8 cmd/tstclnt/tstclnt.c
--- a/cmd/tstclnt/tstclnt.c Fri Jun 10 18:34:00 2016 +0100
+++ b/cmd/tstclnt/tstclnt.c Thu Jun 16 16:26:29 2016 +0100
@@ -713,7 +713,6 @@
return NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
}
-#if defined(WIN32) || defined(OS2)
void
thread_main(void *arg)
{
@@ -746,7 +745,6 @@
PR_Close(ps);
}
-#endif
static void
printHostNameAndAddr(const char *host, const PRNetAddr *addr)
@@ -1545,7 +1543,8 @@
npds = 2;
std_out = PR_GetSpecialFD(PR_StandardOutput);
-#if defined(WIN32) || defined(OS2)
+ // Enabled PR_Poll compatibility mode for running in docker run. (sigh).
+
/* PR_Poll cannot be used with stdin on Windows or OS/2. (sigh).
** But use of PR_Poll and non-blocking sockets is a major feature
** of this program. So, we simulate a pollable stdin with a
@@ -1573,7 +1572,6 @@
goto done;
}
}
-#endif
if (serverCertAuth.testFreshStatusFromSideChannel) {
SSL_ForceHandshake(s);

8
_dev/tstclnt/run.sh
View File

@ -1,8 +0,0 @@
#! /bin/bash
IFS=':' read -ra ADDR <<< "$1"
shift
HOST="${ADDR[0]}"
PORT="${ADDR[1]}"
exec /dist/OBJ-PATH/bin/tstclnt -D -V tls1.3:tls1.3 -o -O -h $HOST -p $PORT -v -A /httpreq.txt -L 2 -Z "$@"

11
_dev/tstclnt/server.sh
View File

@ -1,11 +0,0 @@
#!/bin/sh
PATH=/dist/OBJ-PATH/bin:$PATH
set -x
# RSA
selfserv -n rsa-server -p 1443 -d /certdb -V tls1.2:tls1.3 -v -Z &
# ECDSA
selfserv -n ecdsa-server -p 2443 -d /certdb -V tls1.2:tls1.3 -v -Z &
wait

20
_dev/utils/fmtcheck.sh
View File

@ -1,20 +0,0 @@
#!/bin/sh
# Copyright 2012 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
gofiles=$(find . -iname "*.go" ! -path "*/_dev/*")
#[ -z "$gofiles" ] && exit 0
unformatted=$(gofmt -l $gofiles)
[ -z "$unformatted" ] && exit 0
# Some files are not gofmt'd. Print message and fail.
echo >&2 "Go files must be formatted with gofmt. Please run:"
for fn in $unformatted; do
echo >&2 " gofmt -w $PWD/$fn"
done
exit 1

27
_dev/utils/pre-commit
View File

@ -1,27 +0,0 @@
#!/bin/sh
# Copyright 2012 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# git gofmt pre-commit hook
#
# To use, store as .git/hooks/pre-commit inside your repository and make sure
# it has execute permissions.
#
# This script does not handle file names that contain spaces.
gofiles=$(git diff --cached --name-only --diff-filter=ACM | grep '\.go$')
[ -z "$gofiles" ] && exit 0
unformatted=$(gofmt -l $gofiles)
[ -z "$unformatted" ] && exit 0
# Some files are not gofmt'd. Print message and fail.
echo >&2 "Go files must be formatted with gofmt. Please run:"
for fn in $unformatted; do
echo >&2 " gofmt -w $PWD/$fn"
done
exit 1