Testing rework
Goal of this PR is to rework testing script so that actual testing is easy to extend and perform during development cycle. * For interoperability testing I use python script and test framework, instead of complicated bsah scripts. Script itself is not yet perfect but it makes it much easier to extend tests and work with them during development time * Makefile has been extended and now includes all steps needed to build the library and run tests. It's now possible to run any kind of tests without exporting environment variables. Thanks to this change it is stupid-easy to run any kind of tests. * There are 3 kinds of tests implemented in the library - unittests, interoperability tests and bogo. Travis has been changed and now dashbord will show only results for those 3 targets.
This commit is contained in:
parent
42d5f61fd6
commit
e5c37bded5
34
.travis.yml
34
.travis.yml
@ -8,39 +8,15 @@ go:
|
||||
- 1.10.x
|
||||
|
||||
env:
|
||||
# CLIAUTH is used for client authentication testing. If string contains letter:
|
||||
# - "C" - tris client will be tested against $SERVER
|
||||
# - "S" - tris server will be tested against $CLIENT
|
||||
# - none of them, client authentication is not tested
|
||||
- MODE=interop CLIENT=boring SERVER=boring CLIAUTH=NONE # Without client authentication
|
||||
- MODE=interop CLIENT=boring SERVER=boring CLIAUTH=SC # Client authentication
|
||||
- MODE=interop CLIENT=tstclnt SERVER=tstclnt
|
||||
- MODE=interop CLIENT=picotls ZRTT=1
|
||||
# - MODE=interop CLIENT=mint # does not support draft 22
|
||||
- MODE=bogo
|
||||
- MODE=gotest
|
||||
- MODE=interop CLIENT=tstclnt ZRTT=1
|
||||
- MODE=interop CLIENT=boring REVISION=origin/master
|
||||
- MODE=interop CLIENT=tstclnt REVISION=default ZRTT=1
|
||||
- TEST_SUITE=test-unit
|
||||
- TEST_SUITE=test-bogo
|
||||
- TEST_SUITE=test-interop
|
||||
|
||||
matrix:
|
||||
fast_finish: true
|
||||
allow_failures:
|
||||
- env: MODE=interop CLIENT=boring REVISION=origin/master
|
||||
- env: MODE=interop CLIENT=tstclnt REVISION=default ZRTT=1
|
||||
|
||||
install:
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/tris-localserver/start.sh -d && docker ps -a; fi
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/interop.sh INSTALL $CLIENT $REVISION; fi
|
||||
- if [ -n "$SERVER" -a "$CLIENT" != "$SERVER" ]; then ./_dev/interop.sh INSTALL $SERVER $REVISION; fi
|
||||
- if [ -n "$SERVER" ]; then ./_dev/interop.sh INSTALL-CLIENT; fi
|
||||
- sudo pip install docker
|
||||
|
||||
script:
|
||||
- if [ "$MODE" = "interop" ]; then ./_dev/interop.sh RUN $CLIENT $CLIAUTH; fi
|
||||
- if [ "$MODE" = "interop" ] && [ "$ZRTT" = "1" ]; then ./_dev/interop.sh 0-RTT $CLIENT; fi
|
||||
- if [ -n "$SERVER" ]; then ./_dev/interop.sh RUN-CLIENT $SERVER $CLIAUTH; fi
|
||||
- if [ "$MODE" = "gotest" ]; then ./_dev/go.sh test -race crypto/tls; fi
|
||||
- if [ "$MODE" = "bogo" ]; then ./_dev/bogo.sh; fi
|
||||
|
||||
after_script:
|
||||
- if [ "$MODE" = "interop" ]; then docker ps -a; docker logs tris-localserver; fi
|
||||
- make -f _dev/Makefile build-all && make -f _dev/Makefile "$TEST_SUITE"
|
||||
|
100
README.md
100
README.md
@ -20,47 +20,77 @@ tls-tris shouldn't be used as an external package. It is also impossible to ven
|
||||
as `crypto/tls` because stdlib packages would import the standard one and mismatch.
|
||||
|
||||
So, to build with tls-tris, you need to use a custom GOROOT.
|
||||
|
||||
A script is provided that will take care of it for you: `./_dev/go.sh`.
|
||||
Just use that instead of the `go` tool.
|
||||
|
||||
The script also transparently fetches the custom Cloudflare Go 1.9 compiler with the required backports.
|
||||
The script also transparently fetches the custom Cloudflare Go 1.10 compiler with the required backports.
|
||||
|
||||
## Development
|
||||
|
||||
### Dependencies
|
||||
|
||||
Copy paste line bellow to install all required dependencies:
|
||||
|
||||
* ArchLinux:
|
||||
```
|
||||
./_dev/go.sh build ./_dev/tris-localserver
|
||||
TLSDEBUG=error ./tris-localserver -b 127.0.0.1:4443
|
||||
pacman -S go docker gcc git make patch python2 python-docker rsync
|
||||
```
|
||||
|
||||
## Debugging
|
||||
* Debian:
|
||||
```
|
||||
apt-get install build-essential docker go patch python python-pip rsync
|
||||
pip install setuptools
|
||||
pip install docker
|
||||
```
|
||||
|
||||
Similar dependencies can be found on any UNIX based system/distribution.
|
||||
|
||||
### Building
|
||||
|
||||
There are number of things that need to be setup before running tests. Most important step is to copy ``go env GOROOT`` directory to ``_dev`` and swap TLS implementation and recompile GO. Then for testing we use go implementation from ``_dev/GOROOT``.
|
||||
|
||||
```
|
||||
make -f _dev/Makefile build-all
|
||||
```
|
||||
|
||||
### Testing
|
||||
|
||||
We run 3 kinds of test:.
|
||||
|
||||
* Unit testing: <br/>``make -f _dev/Makefile test-unit``
|
||||
* Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo``
|
||||
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-compat``
|
||||
|
||||
To run all the tests in one go use:
|
||||
```
|
||||
make -f _dev/Makefile test
|
||||
```
|
||||
|
||||
### Testing interoperability with 3rd party libraries
|
||||
|
||||
In order to ensure compatibility we are testing our implementation against BoringSSL, NSS and PicoTLS.
|
||||
|
||||
Makefile has a specific target for testing interoperability with external libraries. Following command can be used in order to run such test:
|
||||
|
||||
```
|
||||
make -f _dev/Makefile test-interop
|
||||
```
|
||||
|
||||
The makefile target is just a wrapper and it executes ``_dev/interop_test_runner`` script written in python. The script implements interoperability tests using ``python unittest`` framework.
|
||||
|
||||
Script can be started from command line directly. For example:
|
||||
|
||||
```
|
||||
> ./interop_test_runner -v InteropServer_NSS.test_zero_rtt
|
||||
test_zero_rtt (__main__.InteropServer_NSS) ... ok
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Ran 1 test in 8.765s
|
||||
|
||||
OK
|
||||
```
|
||||
|
||||
### Debugging
|
||||
|
||||
When the environment variable `TLSDEBUG` is set to `error`, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is `short`, only the error and the first meaningful stack frame are printed.
|
||||
|
||||
## Building Caddy
|
||||
|
||||
```
|
||||
./_dev/go.sh build github.com/mholt/caddy
|
||||
```
|
||||
|
||||
*Note: to get Caddy to use TLS 1.3 you'll have to apply the patch at `_dev/caddy/caddy.patch`.*
|
||||
|
||||
## Testing with BoringSSL/NSS/Mint/...
|
||||
|
||||
```
|
||||
./_dev/tris-localserver/start.sh --rm
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:boring _dev/boring
|
||||
docker run -i --rm tls-tris:boring $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:tstclnt _dev/tstclnt
|
||||
docker run -i --rm tls-tris:tstclnt $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
```
|
||||
docker build -t tls-tris:mint _dev/mint
|
||||
docker run -i --rm tls-tris:mint $(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver):443
|
||||
```
|
||||
|
||||
To build a specific revision, use `--build-arg REVISION=abcdef1234`.
|
||||
|
@ -7,6 +7,7 @@ BUILD_DIR ?= $(PRJ_DIR)/_dev/GOROOT
|
||||
|
||||
# Compiler
|
||||
GO ?= go
|
||||
DOCKER ?= docker
|
||||
|
||||
# Build environment
|
||||
OS ?= $(shell $(GO) env GOHOSTOS)
|
||||
@ -18,12 +19,18 @@ GOROOT_LOCAL = $(BUILD_DIR)/$(OS_ARCH)
|
||||
# Flag indicates wheter invoke "go install -race std". Supported only on amd64 with CGO enabled
|
||||
INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1))
|
||||
|
||||
# TODO: I'm not sure why we would remove it at the end
|
||||
# but I comment this code as tls.a is exactly what
|
||||
# I try to build here
|
||||
#GOROOT: GOROOT/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
# rm -f GOROOT/$(OS_ARCH)/pkg/*/crypto/tls.a
|
||||
# Test targets used for compatibility testing
|
||||
TARGET_TEST_COMPAT=boring picotls tstclnt
|
||||
|
||||
# Some target-specific constants
|
||||
BORINGSSL_REVISION=1530ef3e
|
||||
BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris
|
||||
|
||||
###############
|
||||
#
|
||||
# Build targets
|
||||
#
|
||||
##############################
|
||||
$(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH): clean
|
||||
|
||||
# Create clean directory structure
|
||||
@ -36,7 +43,7 @@ $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH): clean
|
||||
|
||||
# Swap TLS implementation
|
||||
rm -r $(GOROOT_LOCAL)/src/crypto/tls/*
|
||||
rsync -a $(PRJ_DIR)/ $(GOROOT_LOCAL)/src/crypto/tls/ --exclude=$(lastword $(subst /, ,$(DEV_DIR)))
|
||||
rsync -rltgoD $(PRJ_DIR)/ $(GOROOT_LOCAL)/src/crypto/tls/ --exclude=$(lastword $(subst /, ,$(DEV_DIR)))
|
||||
|
||||
# Apply additional patches
|
||||
for p in $(wildcard $(DEV_DIR)/patches/*); do patch -d "$(GOROOT_LOCAL)" -p1 < "$$p"; done
|
||||
@ -48,11 +55,62 @@ ifeq ($(INSTALL_RACE),1)
|
||||
endif
|
||||
@touch "$@"
|
||||
|
||||
build-test-%: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
$(DOCKER) build $(BUILDARG) -t tls-tris:$* $(DEV_DIR)/$*
|
||||
$(DOCKER) build $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*
|
||||
|
||||
build-all: \
|
||||
build-test-tris-client \
|
||||
build-test-tris-server \
|
||||
build-test-bogo \
|
||||
$(addprefix build-test-,$(TARGET_TEST_COMPAT))
|
||||
|
||||
# Builds TRIS client
|
||||
build-test-tris-client: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
cd $(DEV_DIR)/tris-testclient; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
|
||||
$(DOCKER) build -t tris-testclient $(DEV_DIR)/tris-testclient
|
||||
|
||||
# Builds TRIS server
|
||||
build-test-tris-server: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
cd $(DEV_DIR)/tris-localserver; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
|
||||
$(DOCKER) build -t tris-localserver $(DEV_DIR)/tris-localserver
|
||||
|
||||
# BoringSSL specific stuff
|
||||
build-test-boring: BUILDARG=--build-arg REVISION=$(BORINGSSL_REVISION)
|
||||
|
||||
# TODO: This probably doesn't work
|
||||
build-caddy: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build github.com/mholt/caddy
|
||||
|
||||
###############
|
||||
#
|
||||
# Test targets
|
||||
#
|
||||
##############################
|
||||
test: \
|
||||
test-unit \
|
||||
test-bogo \
|
||||
test-interop
|
||||
|
||||
test-unit: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
|
||||
GOROOT="$(GOROOT_LOCAL)" $(GO) test -race crypto/tls
|
||||
|
||||
test-bogo:
|
||||
$(DOCKER) run --rm -v $(PRJ_DIR):$(BOGO_DOCKER_TRIS_LOCATION) tls-tris:bogo
|
||||
|
||||
test-interop:
|
||||
$(DEV_DIR)/interop_test_runner -v
|
||||
|
||||
###############
|
||||
#
|
||||
# Utils
|
||||
#
|
||||
##############################
|
||||
clean:
|
||||
rm -rf $(BUILD_DIR)/$(OS_ARCH)
|
||||
|
||||
clean-all:
|
||||
clean-all: clean
|
||||
rm -rf $(BUILD_DIR)
|
||||
|
||||
# PHONY targets
|
||||
.PHONY: $(BUILD_DIR) clean
|
||||
|
||||
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-compat
|
||||
|
@ -1,7 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
set -xeuo pipefail
|
||||
|
||||
BASEDIR=$(cd "$(dirname "$0")" && pwd)
|
||||
|
||||
docker build -t tls-tris:bogo _dev/bogo
|
||||
docker run --rm -v $BASEDIR/..:/go/src/github.com/cloudflare/tls-tris tls-tris:bogo
|
@ -1,4 +1,6 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# THIS FILE IS ONLY USED BY _dev/bogo. It will be removed in future
|
||||
set -e
|
||||
|
||||
BASEDIR=$(cd "$(dirname "$0")" && pwd)
|
||||
|
@ -1,71 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
set -xeo pipefail
|
||||
|
||||
if [ "$1" = "INSTALL" ]; then
|
||||
# INSTALL <client> [<revision>]
|
||||
if [ -n "${3:-}" ]; then
|
||||
REVISION="--build-arg REVISION=$3"
|
||||
else
|
||||
REVISION=""
|
||||
fi
|
||||
docker build $REVISION -t tls-tris:$2 _dev/$2
|
||||
|
||||
elif [ "$1" = "RUN" ]; then
|
||||
# RUN <client>
|
||||
IP=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver)
|
||||
|
||||
docker run --rm tls-tris:$2 $IP:1443 | tee output.txt # RSA
|
||||
grep "Hello TLS 1.3" output.txt | grep -v "resumed" | grep -v "0-RTT"
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep -v "0-RTT"
|
||||
|
||||
docker run --rm tls-tris:$2 $IP:2443 | tee output.txt # ECDSA
|
||||
grep "Hello TLS 1.3" output.txt | grep -v "resumed" | grep -v "0-RTT"
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep -v "0-RTT"
|
||||
|
||||
if [[ $3 =~ .*S.* ]]; then
|
||||
# Client auth - tris is a server
|
||||
docker run --rm tls-tris:$2 $IP:6443 -key client_rsa.key -cert client_rsa.crt -debug 2>&1 | tee output.txt
|
||||
grep "send_client_certificate_verify" output.txt # Checks if client cert was requested and sent
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep -v "0-RTT"
|
||||
fi
|
||||
|
||||
elif [ "$1" = "0-RTT" ]; then
|
||||
# 0-RTT <client>
|
||||
IP=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' tris-localserver)
|
||||
|
||||
docker run --rm tls-tris:$2 $IP:3443 | tee output.txt # rejecting 0-RTT
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep -v "0-RTT"
|
||||
|
||||
docker run --rm tls-tris:$2 $IP:4443 | tee output.txt # accepting 0-RTT
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep "0-RTT"
|
||||
|
||||
docker run --rm tls-tris:$2 $IP:5443 | tee output.txt # confirming 0-RTT
|
||||
grep "Hello TLS 1.3" output.txt | grep "resumed" | grep "0-RTT confirmed"
|
||||
|
||||
elif [ "$1" = "INSTALL-CLIENT" ]; then
|
||||
cd "$(dirname "$0")/tris-testclient"
|
||||
./build.sh
|
||||
|
||||
elif [ "$1" = "RUN-CLIENT" ]; then
|
||||
# RUN-CLIENT <target-server>
|
||||
cd "$(dirname "$0")/tris-testclient"
|
||||
|
||||
SERVERNAME="$2-localserver"
|
||||
docker run --rm --detach --name "$SERVERNAME" \
|
||||
--entrypoint /server.sh \
|
||||
--expose 1443 --expose 2443 --expose 6443 \
|
||||
tls-tris:$2
|
||||
IP=$(docker inspect -f '{{ .NetworkSettings.IPAddress }}' "$SERVERNAME")
|
||||
# Obtain information and stop server on exit
|
||||
trap 'docker ps -a; docker logs "$SERVERNAME"; docker kill "$SERVERNAME"' EXIT
|
||||
|
||||
# RSA
|
||||
docker run --rm tris-testclient -ecdsa=false $IP:1443
|
||||
# ECDSA
|
||||
docker run --rm tris-testclient -rsa=false $IP:2443
|
||||
|
||||
# Test client authentication if requested (tris is a client)
|
||||
[[ $3 =~ .*C.* ]] && docker run --rm tris-testclient -rsa=false -cliauth $IP:6443; true
|
||||
|
||||
# TODO maybe check server logs for expected output?
|
||||
fi
|
243
_dev/interop_test_runner
Executable file
243
_dev/interop_test_runner
Executable file
@ -0,0 +1,243 @@
|
||||
#!/usr/bin/env python2
|
||||
|
||||
import docker
|
||||
import unittest
|
||||
import re
|
||||
import time
|
||||
|
||||
# Regex patterns used for testing
|
||||
|
||||
# Checks if TLS 1.3 was negotiated
|
||||
RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$"
|
||||
# Checks if TLS 1.3 was resumed
|
||||
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \(draft .*\) \[resumed\] _o/"
|
||||
# Checks if 0-RTT was used and NOT confirmed
|
||||
RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$"
|
||||
# Checks if 0-RTT was used and confirmed
|
||||
RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$"
|
||||
|
||||
class Docker(object):
|
||||
''' Utility class used for starting/stoping servers and clients during tests'''
|
||||
def __init__(self):
|
||||
self.d = docker.from_env()
|
||||
|
||||
def get_ip(self, server):
|
||||
tris_localserver_container = self.d.containers.get(server)
|
||||
return tris_localserver_container.attrs['NetworkSettings']['IPAddress']
|
||||
|
||||
def run_client(self, image_name, cmd):
|
||||
''' Runs client and returns tuple (status_code, logs) '''
|
||||
c = self.d.containers.create(image=image_name, command=cmd)
|
||||
c.start()
|
||||
res = c.wait()
|
||||
ret = c.logs()
|
||||
c.remove()
|
||||
return (res['StatusCode'], ret)
|
||||
|
||||
def run_server(self, image_name, cmd=None, ports=None, entrypoint=None):
|
||||
''' Starts server and returns docker container '''
|
||||
c = self.d.containers.create(image=image_name, detach=True, command=cmd, ports=ports, entrypoint=entrypoint)
|
||||
c.start()
|
||||
# TODO: maybe can be done better?
|
||||
time.sleep(3)
|
||||
return c
|
||||
|
||||
class RegexSelfTest(unittest.TestCase):
|
||||
''' Ensures that those regexe's actually work '''
|
||||
|
||||
LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"
|
||||
LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nsomestuff"
|
||||
|
||||
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 22) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT] _o/\nsomestuff"
|
||||
LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT confirmed] _o/\nsomestuff"
|
||||
|
||||
def test_regexes(self):
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE))
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_DRAFT_TLS, re.MULTILINE))
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_RESUMED, re.MULTILINE))
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
|
||||
|
||||
# negative cases
|
||||
|
||||
# expects 1.3, but 1.2 received
|
||||
self.assertIsNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS_12, re.MULTILINE))
|
||||
# expects 0-RTT
|
||||
self.assertIsNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
|
||||
# expectes 0-RTT confirmed
|
||||
self.assertIsNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
|
||||
# expects resume without 0-RTT
|
||||
self.assertIsNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
|
||||
|
||||
|
||||
class InteropServer(object):
|
||||
''' Instantiates TRIS as a server '''
|
||||
|
||||
TRIS_SERVER_NAME = "tris-localserver"
|
||||
|
||||
@classmethod
|
||||
def setUpClass(self):
|
||||
self.d = Docker()
|
||||
self.server = self.d.run_server(self.TRIS_SERVER_NAME)
|
||||
|
||||
@classmethod
|
||||
def tearDownClass(self):
|
||||
self.server.kill()
|
||||
self.server.remove()
|
||||
|
||||
@property
|
||||
def server_ip(self):
|
||||
return self.d.get_ip(self.server.name)
|
||||
|
||||
# Mixins for testing server functionality
|
||||
|
||||
class ServerNominalMixin(object):
|
||||
''' Nominal tests for TLS 1.3 - client tries to perform handshake with server '''
|
||||
def test_rsa(self):
|
||||
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'1443')
|
||||
self.assertTrue(res[0] == 0)
|
||||
# Check there was TLS hello without resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
|
||||
# Check there was TLS hello with resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
|
||||
|
||||
def test_ecdsa(self):
|
||||
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'2443')
|
||||
self.assertTrue(res[0] == 0)
|
||||
# Check there was TLS hello without resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
|
||||
# Check there was TLS hello with resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
|
||||
|
||||
class ServerClientAuthMixin(object):
|
||||
''' Client authentication testing '''
|
||||
def test_client_auth(self):
|
||||
args = ''.join([self.server_ip+':6443',' -key client_rsa.key -cert client_rsa.crt -debug'])
|
||||
res = self.d.run_client(self.CLIENT_NAME, args)
|
||||
self.assertEqual(res[0], 0)
|
||||
# Check there was TLS hello without resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
|
||||
# Check there was TLS hello with resume
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
|
||||
|
||||
class ClientNominalMixin(object):
|
||||
|
||||
def test_rsa(self):
|
||||
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false '+self.server_ip+":2443")
|
||||
self.assertEqual(res[0], 0)
|
||||
|
||||
def test_ecdsa(self):
|
||||
res = self.d.run_client(self.CLIENT_NAME, '-ecdsa=false '+self.server_ip+":1443")
|
||||
self.assertEqual(res[0], 0)
|
||||
|
||||
class ClientClientAuthMixin(object):
|
||||
''' Client authentication testing - tris on client side '''
|
||||
|
||||
def test_client_auth(self):
|
||||
res = self.d.run_client('tris-testclient', '-rsa=false -cliauth '+self.server_ip+":6443")
|
||||
self.assertTrue(res[0] == 0)
|
||||
|
||||
class ServerZeroRttMixin(object):
|
||||
''' Zero RTT testing '''
|
||||
|
||||
def test_zero_rtt(self):
|
||||
# rejecting 0-RTT
|
||||
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":3443")
|
||||
self.assertEqual(res[0], 0)
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
|
||||
self.assertIsNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
|
||||
|
||||
# accepting 0-RTT
|
||||
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":4443")
|
||||
self.assertEqual(res[0], 0)
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
|
||||
|
||||
# confirming 0-RTT
|
||||
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":5443")
|
||||
self.assertEqual(res[0], 0)
|
||||
self.assertIsNotNone(
|
||||
re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, res[1], re.MULTILINE))
|
||||
|
||||
class InteropClient(object):
|
||||
''' Instantiates TRIS as a client '''
|
||||
|
||||
CLIENT_NAME = "tris-testclient"
|
||||
|
||||
@classmethod
|
||||
def setUpClass(self):
|
||||
self.d = Docker()
|
||||
self.server = self.d.run_server(
|
||||
self.SERVER_NAME,
|
||||
ports={'1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443},
|
||||
entrypoint="/server.sh")
|
||||
|
||||
@classmethod
|
||||
def tearDownClass(self):
|
||||
self.server.kill()
|
||||
self.server.remove()
|
||||
|
||||
@property
|
||||
def server_ip(self):
|
||||
return self.d.get_ip(self.server.name)
|
||||
|
||||
# Actual test definition
|
||||
|
||||
# TRIS as a server
|
||||
class InteropServer_BoringSSL(
|
||||
InteropServer,
|
||||
ServerNominalMixin,
|
||||
ServerClientAuthMixin,
|
||||
unittest.TestCase
|
||||
): CLIENT_NAME = "tls-tris:boring"
|
||||
|
||||
class InteropServer_PicoTLS(
|
||||
InteropServer,
|
||||
ServerNominalMixin,
|
||||
ServerZeroRttMixin,
|
||||
unittest.TestCase
|
||||
): CLIENT_NAME = "tls-tris:picotls"
|
||||
|
||||
class InteropServer_NSS(
|
||||
InteropServer,
|
||||
ServerNominalMixin,
|
||||
ServerZeroRttMixin,
|
||||
unittest.TestCase
|
||||
): CLIENT_NAME = "tls-tris:tstclnt"
|
||||
|
||||
# TRIS as a client
|
||||
class InteropClient_BoringSSL(
|
||||
InteropClient,
|
||||
ClientNominalMixin,
|
||||
ClientClientAuthMixin,
|
||||
unittest.TestCase
|
||||
): SERVER_NAME = "boring-localserver"
|
||||
|
||||
class InteropClient_NSS(
|
||||
InteropClient,
|
||||
ClientNominalMixin,
|
||||
unittest.TestCase
|
||||
): SERVER_NAME = "tstclnt-localserver"
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
@ -9,7 +9,6 @@ EXPOSE 4443
|
||||
EXPOSE 5443
|
||||
EXPOSE 6443
|
||||
|
||||
# GOOS=linux ../go.sh build -v -i .
|
||||
ADD tris-localserver /
|
||||
ADD runner.sh /
|
||||
|
||||
|
@ -1,9 +1,5 @@
|
||||
#! /bin/sh
|
||||
set -e
|
||||
|
||||
cd "$(dirname $0)"
|
||||
|
||||
CGO_ENABLED=0 GOOS=linux ../go.sh build -v -i .
|
||||
docker build -t tris-localserver .
|
||||
exec docker run --name tris-localserver --env TLSDEBUG=error "$@" tris-localserver
|
||||
|
||||
|
@ -1,5 +0,0 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
cd "$(dirname "$0")"
|
||||
CGO_ENABLED=0 GOOS=linux ../go.sh build -v -i .
|
||||
docker build -t tris-testclient .
|
Loading…
Reference in New Issue
Block a user