Commit Graph

56 Commits

Author SHA1 Message Date
81871bbad5
tls tris server: allow custom server keypairs (#128) 2018-08-19 20:59:43 +01:00
2bcf6466b4
removes old draft version indicators (#127) 2018-08-19 10:27:33 +01:00
242e89da1b refactoring of the tris test client 2018-08-15 17:50:01 +01:00
63ec8fff02 refactoring of the tris test server 2018-08-15 16:25:21 +01:00
d3e18f99e2
Minimal number of changes needed to udpate to draft-28 (#115)
* includes AD in authentication check of TLS records

As per 5.2 of TLS 1.3 draft-28, the additional data is record header.

* tests: Update tests in order to support draft-28

* Interoperability: Updates NSS and BoringSSL versions to the
  one supporting draft-28
* Bogo: Updates revision number to use tests for draft-28
* FIX: makefile was using test-compat target instead of
  test-interop

* DC test: constify

* Use binary interface to encode in big-endian
2018-08-09 20:47:50 +01:00
3ff71dcdc5 tests: enable client authentication in bogo 2018-06-29 08:12:15 +01:00
6e4abe2d07 TLSv1.3 draft-23: align tests
* Changes tests so that they pass with draft-23
* BoringSSL interoperability: uses code at most recent commit. It uses
  "-tls13-variant draft23" flag to indicate compatibility with draft23
* NSS interoperability: Uses release 3.35
* PicoTLS interoperability: blocked. Doesn't seem to implement draft23
* Uses updated bogo from
  https://github.com/henrydcase/crypto-tls-bogo-shim
2018-06-29 07:47:50 +01:00
91d6db578b CI: Fail build if code is wrongly formatted 2018-06-26 09:56:45 +01:00
3f720fc50c Code formatting for TRIS test client and server 2018-06-26 09:56:45 +01:00
Christopher Patton
d485f39ca9 Update _dev/Makefile so that the code builds on Ubuntu 2018-05-24 10:06:54 +01:00
b7765d14c4 (test) Interoperability tris with tris 2018-03-29 13:15:52 +01:00
e5c37bded5 Testing rework
Goal of this PR is to rework testing script so that actual testing is
easy to extend and perform during development cycle.

* For interoperability testing I use python script and test framework,
  instead of complicated bsah scripts. Script itself is not yet perfect
  but it makes it much easier to extend tests and work with them during
  development time

* Makefile has been extended and now includes all steps needed to build
  the library and run tests. It's now possible to run any kind of tests
  without exporting environment variables.  Thanks to this change it is
  stupid-easy to run any kind of tests.

* There are 3 kinds of tests implemented in the library - unittests,
  interoperability tests and bogo. Travis has been changed and now
  dashbord will show only results for those 3 targets.
2018-03-29 13:15:52 +01:00
01c3b768fe (fix) Client MUST send certificate msg if requested by server 2018-03-27 08:52:44 +01:00
68c9776eb9 (tests) Expose 6443 in docker for client auth 2018-03-27 08:52:44 +01:00
c4dfbb897c (tests) Removes 'set -u' from bash as some variables may be unset in the script 2018-03-27 08:52:44 +01:00
1f3a180f14 (tests) Test for client authentication on server side 2018-03-27 08:52:44 +01:00
cd14ae86b4 (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
58e1a66838 (tests) Makes tstclnt tests passing again 2018-03-27 08:52:44 +01:00
adeb1a5868 (tests) Fixes error: standard_init_linux.go:195: exec user process caused no such file or directory 2018-03-27 08:52:44 +01:00
80fe037aa8 (tests) Client Authentication: Tests against boringssl 2018-03-27 08:52:44 +01:00
ddfc58e5be Changes dependency from go v1.9 to go v1.10 2018-03-21 17:44:28 +00:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
1313809b2b (CI) Use go 1.10 also for bogo testing 2018-03-13 08:38:50 +00:00
cb443468e8 Makefile improvement
Following things where added/changed:
* Builds correctly tls-tris. Previously go had a problem with
  a symbolic link resulting in not building tls-tris at all. I've
  used `rsync' instead.
* Can build for selected platform with "ARCH=platform make -f Makefile"
* Possible to build from any directory. Previously ``cd _dev; make``
  was required, it's possible to ``cd /whever/you/want; make -f /tris/Makefile``
2018-03-01 16:12:07 +00:00
Filippo Valsorda
05688e56f4 tris: make Travis-CI use Go 1.9 2018-02-08 15:53:53 +01:00
Filippo Valsorda
844036d474 tris: remove github.com/cloudflare/go
Over time the amount of custom Go patches reduced, and tris got less
tangled to the underlying Go. Finally sever the link.

This allows more flexibility in what base Go is used (the system one),
doesn't require coordinating two repositories, and simplifies the black
magic considerably.

Make sure to use tris with Go 1.9.X.
2018-02-08 15:44:25 +01:00
Peter Wu
8db472667b tris: update tests to track draft 22
Force boringssl client and server to use draft 22 instead of draft 18.
Other clients (tstclnt from NSS, picotls) support only draft 22.

Disable mint, it only supports draft 21.
2017-12-13 20:16:48 +00:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00
Peter Wu
fd93e9ecf6 tris: implement D19 and D20 changes for secrets
D19 added an additional pre-extract Derive-Secret stage. D20 shortened
labels. Bump from D18 to D21 with no backwards compat option for now
since older drafts are considered undeployable.
2017-12-13 17:49:25 +00:00
Peter Wu
ac01048c5e tris: add NSS server to client interop tests
Similar to boringssl, reuse the NSS client image for the NSS server test
against the tris client. Bump the NSS version to 3.34.1 gain support
for TLS 1.3 keylogging which is useful while debugging.

Adjust read check to fix intermittent NSS test failures:
https://github.com/cloudflare/tls-tris/issues/58
2017-12-13 17:39:53 +00:00
Peter Wu
c89a0a5f3a tris: Add initial client interoperability tests
Prepare framework for testing tls-tris as client against other servers.
Currently only boringssl is implemented, but the idea is to add support
for others too (NSS, OpenSSL, picotls, tris, ...).

To test multiple certificate types, copy ecdsa.pem and rsa.pem from
tris-localserver for boringssl. The boringssl image is reused for the
server since the binaries were built anyway. Revision is bumped to
something to fix a build error and make the -loop and -www options work.
2017-12-13 17:39:53 +00:00
Peter Wu
dee13626ef tris: enable client tests with bogo shim 2017-12-13 17:39:53 +00:00
Peter Wu
d16cde640d tris: enable TLS 1.3 for tris-localserver again.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-09-29 12:47:55 +01:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Peter Wu
25f2efc996 tris: update Go to 1.9
Use Go 1.9 (go1.9) with a patch to enable users to access the 0RTT API:

    net/http: attach TLSConnContextKey to the request Context
2017-09-07 17:40:17 +01:00
Filippo Valsorda
44343a1e4d tris: make the boring incremental build deterministic
HEAD is currently breaking the build.
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7d575cd9ba tris: add Dockerfile to run unit tests with -update 2017-09-05 21:06:35 +01:00
Tom Thorogood
bc76e35b75 tris-localserver: fix Content-Type header for /ch endpoint (#21) 2017-09-05 21:06:35 +01:00
Filippo Valsorda
ba45c1a5ca tris: add echo.filippo.io 2017-09-05 21:06:35 +01:00
Filippo Valsorda
2ace09e9b4 tris: upgrade to Go 1.8 2017-09-05 21:06:35 +01:00
Filippo Valsorda
815d56e5a7 tris: update README for public consumption 2017-09-05 21:06:35 +01:00
Filippo Valsorda
563bf91c28 tris: update to Go 1.8rc3+ 2017-09-05 21:06:35 +01:00
Filippo Valsorda
7aa542753f tris: update to Go 1.8rc2 2017-09-05 21:06:35 +01:00
Filippo Valsorda
6bff168a06 tris: add proper BoGo tests 2017-09-05 21:06:35 +01:00
Filippo Valsorda
147d78ad99 tris: switch to Go 1.8beta1 2017-09-05 21:06:34 +01:00
Filippo Valsorda
faefac5f1a crypto/tls: stop ConfirmHandshake from locking on any Read
ConfirmHandshake should block on a Read until the handshakeConfirmed
state is reached, but past that it shouldn't.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
f3fe024dc7 crypto/tls: do not drain 0-RTT data on Close
There is no reason a server can't just send a CloseNotify in its first
flight, and then close the connection without reading the 0-RTT data.

Also, it's not expected of Close to block on reading, and interlocking
with a Read can cause a deadlock.

Fixes NCC-2016-001
2017-09-05 21:06:34 +01:00
Filippo Valsorda
831410a948 tris: fix cross-compilation and relocation 2017-09-05 21:06:34 +01:00
Filippo Valsorda
345fbe2a39 tris: fix http2 tls.Conn context 2017-09-05 21:06:34 +01:00
Filippo Valsorda
df557b2b05 tris: fix NSS 0-RTT interop 2017-09-05 21:06:34 +01:00