kris
/
th5
1
0
Fork 0
Código Incidencias 0 Pull Requests 0 Lanzamientos 0 Wiki Actividad
Alternative TLS implementation in Go
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
549 Commits
3 Ramas
2.6 MiB
 
 
Árbol: 36f2800cb3
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '36f2800cb3'
${ noResults }
th5/_dev/interop_test_runner

294 líneas
11 KiB
Original Blame Histórico 

  1. #!/usr/bin/env python2

  2. 

  3. import docker

  4. import unittest

  5. import re

  6. import time

  7. 

  8. # Regex patterns used for testing

  9. 

  10. # Checks if TLS 1.3 was negotiated

  11. RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$"

  12. # Checks if TLS 1.3 was resumed

  13. RE_PATTERN_HELLO_TLS_13_RESUME   = "Hello TLS 1.3 \[resumed\] _o/"

  14. # Checks if 0-RTT was used and NOT confirmed

  15. RE_PATTERN_HELLO_0RTT            = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$"

  16. # Checks if 0-RTT was used and confirmed

  17. RE_PATTERN_HELLO_0RTT_CONFIRMED  = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$"

  18. # ALPN

  19. RE_PATTERN_ALPN = "ALPN protocol: npn_proto$"

  20. # Successful TLS establishement from TRIS

  21. RE_TRIS_ALL_PASSED = ".*All handshakes passed.*"

  22. # TLS handshake from BoringSSL with SIDH/P503-X25519

  23. RE_BORINGSSL_P503 = "ECDHE curve: x25519sidh503"

  24. 

  25. class Docker(object):

  26.     ''' Utility class used for starting/stoping servers and clients during tests'''

  27.     def __init__(self):

  28.         self.d = docker.from_env()

  29. 

  30.     def get_ip(self, server):

  31.         tris_localserver_container = self.d.containers.get(server)

  32.         return tris_localserver_container.attrs['NetworkSettings']['IPAddress']

  33. 

  34.     def run_client(self, image_name, cmd):

  35.         ''' Runs client and returns tuple (status_code, logs) '''

  36.         c = self.d.containers.create(image=image_name, command=cmd)

  37.         c.start()

  38.         res = c.wait()

  39.         ret = c.logs()

  40.         c.remove()

  41.         return (res['StatusCode'], ret)

  42. 

  43.     def run_server(self, image_name, cmd=None, ports=None, entrypoint=None):

  44.         ''' Starts server and returns docker container '''

  45.         c = self.d.containers.create(image=image_name, detach=True, command=cmd, ports=ports, entrypoint=entrypoint)

  46.         c.start()

  47.         # TODO: maybe can be done better?

  48.         time.sleep(3)

  49.         return c

  50. 

  51. class RegexSelfTest(unittest.TestCase):

  52.     ''' Ensures that those regexe's actually work '''

  53. 

  54.     LINE_HELLO_TLS      ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"

  55.     LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff"

  56. 

  57.     LINE_HELLO_RESUMED  ="\nsomestuff\nHello TLS 1.3 [resumed] _o/\nsomestuff"

  58.     LINE_HELLO_MIXED    ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"

  59.     LINE_HELLO_TLS_12   ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"

  60.     LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"

  61.     LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff"

  62.     def test_regexes(self):

  63.         self.assertIsNotNone(

  64.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE))

  65.         self.assertIsNotNone(

  66.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_DRAFT_TLS, re.MULTILINE))

  67.         self.assertIsNotNone(

  68.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_RESUMED, re.MULTILINE))

  69.         self.assertIsNotNone(

  70.             re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))

  71.         self.assertIsNotNone(

  72.             re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))

  73. 

  74.         # negative cases

  75. 

  76.         # expects 1.3, but 1.2 received

  77.         self.assertIsNone(

  78.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS_12, re.MULTILINE))

  79.         # expects 0-RTT

  80.         self.assertIsNone(

  81.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))

  82.         # expectes 0-RTT confirmed

  83.         self.assertIsNone(

  84.             re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))

  85.         # expects resume without 0-RTT

  86.         self.assertIsNone(

  87.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))

  88. 

  89. 

  90. class InteropServer(object):

  91.     ''' Instantiates TRIS as a server '''

  92. 

  93.     TRIS_SERVER_NAME = "tris-localserver"

  94. 

  95.     @classmethod

  96.     def setUpClass(self):

  97.         self.d = Docker()

  98.         self.server = self.d.run_server(self.TRIS_SERVER_NAME)

  99. 

  100.     @classmethod

  101.     def tearDownClass(self):

  102.         self.server.kill()

  103.         self.server.remove()

  104. 

  105.     @property

  106.     def server_ip(self):

  107.         return self.d.get_ip(self.server.name)

  108. 

  109. # Mixins for testing server functionality

  110. 

  111. class ServerNominalMixin(object):

  112.     ''' Nominal tests for TLS 1.3 - client tries to perform handshake with server '''

  113.     def test_rsa(self):

  114.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'1443')

  115.         self.assertTrue(res[0] == 0)

  116.         # Check there was TLS hello without resume

  117.         self.assertIsNotNone(

  118.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))

  119.         # Check there was TLS hello with resume

  120.         self.assertIsNotNone(

  121.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))

  122. 

  123.     def test_ecdsa(self):

  124.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'2443')

  125.         self.assertTrue(res[0] == 0)

  126.         # Check there was TLS hello without resume

  127.         self.assertIsNotNone(

  128.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))

  129.         # Check there was TLS hello with resume

  130.         self.assertIsNotNone(

  131.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))

  132. 

  133. class ServerClientAuthMixin(object):

  134.     ''' Client authentication testing '''

  135.     def test_client_auth(self):

  136.         args = ''.join([self.server_ip+':6443',' -key client_rsa.key -cert client_rsa.crt -debug'])

  137.         res = self.d.run_client(self.CLIENT_NAME, args)

  138.         self.assertEqual(res[0], 0)

  139.         # Check there was TLS hello without resume

  140.         self.assertIsNotNone(

  141.             re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))

  142.         # Check there was TLS hello with resume

  143.         self.assertIsNotNone(

  144.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))

  145. 

  146. class ClientNominalMixin(object):

  147. 

  148.     def test_rsa(self):

  149.         res = self.d.run_client(self.CLIENT_NAME, '-ecdsa=false '+self.server_ip+":1443")

  150.         self.assertEqual(res[0], 0)

  151. 

  152.     def test_ecdsa(self):

  153.         res = self.d.run_client(self.CLIENT_NAME, '-rsa=false '+self.server_ip+":2443")

  154.         self.assertEqual(res[0], 0)

  155. 

  156. 

  157. class ClientClientAuthMixin(object):

  158.     ''' Client authentication testing - tris on client side '''

  159. 

  160.     def test_client_auth(self):

  161.         res = self.d.run_client('tris-testclient', '-rsa=false -cliauth '+self.server_ip+":6443")

  162.         self.assertTrue(res[0] == 0)

  163. 

  164. class ServerZeroRttMixin(object):

  165.     ''' Zero RTT testing '''

  166. 

  167.     def test_zero_rtt(self):

  168.         # rejecting 0-RTT

  169.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":3443")

  170.         self.assertEqual(res[0], 0)

  171.         self.assertIsNotNone(

  172.             re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))

  173.         self.assertIsNone(

  174.             re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))

  175. 

  176.         # accepting 0-RTT

  177.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":4443")

  178.         self.assertEqual(res[0], 0)

  179.         self.assertIsNotNone(

  180.             re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))

  181. 

  182.         # confirming 0-RTT

  183.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":5443")

  184.         self.assertEqual(res[0], 0)

  185.         self.assertIsNotNone(

  186.             re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, res[1], re.MULTILINE))

  187. 

  188. class InteropClient(object):

  189.     ''' Instantiates TRIS as a client '''

  190. 

  191.     CLIENT_NAME = "tris-testclient"

  192. 

  193.     @classmethod

  194.     def setUpClass(self):

  195.         self.d = Docker()

  196.         self.server = self.d.run_server(

  197.                             self.SERVER_NAME,

  198.                             ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443, '7443/tcp': 7443},

  199.                             entrypoint="/server.sh")

  200. 

  201.     @classmethod

  202.     def tearDownClass(self):

  203.         self.server.kill()

  204.         self.server.remove()

  205. 

  206.     @property

  207.     def server_ip(self):

  208.         return self.d.get_ip(self.server.name)

  209. 

  210. # Actual test definition

  211. 

  212. # TRIS as a server, BoringSSL as a client

  213. class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase):

  214. 

  215.     CLIENT_NAME = "tls-tris:boring"

  216. 

  217.     def test_ALPN(self):

  218.         '''

  219.         Checks wether ALPN is sent back by tris server in EncryptedExtensions in case of TLS 1.3. The

  220.         ALPN protocol is set to 'npn_proto', which is hardcoded in TRIS test server.

  221.         '''

  222.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":1443 "+'-alpn-protos npn_proto')

  223.         self.assertEqual(res[0], 0)

  224.         self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE))

  225. 

  226.     def test_SIDH(self):

  227.         '''

  228.         Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519

  229.         '''

  230.         res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":7443 "+'-curves x25519sidh503')

  231.         self.assertEqual(res[0], 0)

  232.         self.assertIsNotNone(re.search(RE_BORINGSSL_P503, res[1], re.MULTILINE))

  233.         self.assertIsNotNone(re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))

  234. 

  235. # PicoTLS doesn't seem to implement draft-23 correctly. It will

  236. # be enabled when draft-28 is implemented.

  237. # class InteropServer_PicoTLS(

  238. #         InteropServer,

  239. #         ServerNominalMixin,

  240. #         ServerZeroRttMixin,

  241. #         unittest.TestCase

  242. #     ): CLIENT_NAME = "tls-tris:picotls"

  243. 

  244. class InteropServer_NSS(

  245.         InteropServer,

  246.         ServerNominalMixin,

  247.         ServerZeroRttMixin,

  248.         unittest.TestCase

  249.     ): CLIENT_NAME = "tls-tris:tstclnt"

  250. 

  251. # TRIS as a client, BoringSSL as a server

  252. class InteropClient_BoringSSL(InteropClient, ClientNominalMixin, ClientClientAuthMixin, unittest.TestCase):

  253. 

  254.     SERVER_NAME = "boring-localserver"

  255. 

  256.     def test_SIDH(self):

  257.         '''

  258.         Connects to BoringSSL server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519

  259.         '''

  260.         res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 ' + self.server_ip+":7443")

  261.         self.assertEqual(res[0], 0)

  262.         self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))

  263. 

  264. class InteropClient_NSS(

  265.         InteropClient,

  266.         ClientNominalMixin,

  267.         unittest.TestCase

  268.     ): SERVER_NAME = "tstclnt-localserver"

  269. 

  270. # TRIS as a client

  271. class InteropServer_TRIS(ClientNominalMixin, InteropServer, unittest.TestCase):

  272. 

  273.     CLIENT_NAME = 'tris-testclient'

  274. 

  275.     def test_client_auth(self):

  276.         # I need to block TLS v1.2 as test server needs some rework

  277.         res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443")

  278.         self.assertEqual(res[0], 0)

  279. 

  280.     def test_SIDH(self):

  281.         res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 '+self.server_ip+":7443")

  282.         self.assertEqual(res[0], 0)

  283. 

  284.     def test_server_doesnt_support_SIDH(self):

  285.         '''

  286.         Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather

  287.         TLS session can still be established.

  288.         '''

  289.         res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true '+self.server_ip+":7443")

  290.         self.assertEqual(res[0], 0)

  291. 

  292. if __name__ == '__main__':

  293.     unittest.main()