tls-tris

Henry D. Case e5c37bded5 Testing rework Goal of this PR is to rework testing script so that actual testing is easy to extend and perform during development cycle. * For interoperability testing I use python script and test framework, instead of complicated bsah scripts. Script itself is not yet perfect but it makes it much easier to extend tests and work with them during development time * Makefile has been extended and now includes all steps needed to build the library and run tests. It's now possible to run any kind of tests without exporting environment variables. Thanks to this change it is stupid-easy to run any kind of tests. * There are 3 kinds of tests implemented in the library - unittests, interoperability tests and bogo. Travis has been changed and now dashbord will show only results for those 3 targets.		vor 6 Jahren
_dev	Testing rework	vor 6 Jahren
testdata	crypto/tls: advertise support for SHA-512 signatures in 1.2	vor 7 Jahren
.travis.yml	Testing rework	vor 6 Jahren
13.go	Cleanup	vor 6 Jahren
README.md	Testing rework	vor 6 Jahren
alert.go	Adds 'certificate required' alert	vor 6 Jahren
auth.go	crypto/tls: enable certificate validation on the client	vor 6 Jahren
cipher_suites.go	Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)	vor 6 Jahren
common.go	Set default MinVersion of protocol to TLSv12	vor 6 Jahren
conn.go	Use certificate_request specific to TLS 1.3	vor 6 Jahren
conn_test.go	crypto/tls: fix first byte test for 255 CBC padding bytes	vor 7 Jahren
example_test.go	Set default MinVersion of protocol to TLSv12	vor 6 Jahren
generate_cert.go	Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)	vor 6 Jahren
handshake_client.go	crypto/tls: optional "certificate_status" with OCSP	vor 6 Jahren
handshake_client_test.go	Enable TLS 1.3 (draft-22) as default	vor 6 Jahren
handshake_messages.go	Adds structure for certificate_request in TLS 1.3	vor 6 Jahren
handshake_messages_test.go	Adds structure for certificate_request in TLS 1.3	vor 6 Jahren
handshake_server.go	tris: implement draft-22 middlebox compatibility mode	vor 6 Jahren
handshake_server_test.go	Set default MinVersion of protocol to TLSv12	vor 6 Jahren
handshake_test.go	crypto/tls: advertise support for SHA-512 signatures in 1.2	vor 7 Jahren
hkdf.go	crypto/tls: implement TLS 1.3 minimal server	vor 7 Jahren
key_agreement.go	crypto/tls: add RSASSA-PSS support for handshake messages	vor 6 Jahren
prf.go	crypto/tls: add RSASSA-PSS support for handshake messages	vor 6 Jahren
prf_test.go	crypto/tls: decouple handshake signatures from the handshake hash.	vor 9 Jahren
ticket.go	tris: update NewSessionTicket for draft -19 and -21	vor 6 Jahren
tls.go	crypto/tls: disable CBC cipher suites with SHA-256 by default	vor 7 Jahren
tls_test.go	Enable TLS 1.3 (draft-22) as default	vor 6 Jahren

README.md

 _____ _     ____        _        _
|_   _| |   / ___|      | |_ _ __(_)___
  | | | |   \___ \ _____| __| '__| / __|
  | | | |___ ___) |_____| |_| |  | \__ \
  |_| |_____|____/       \__|_|  |_|___/

crypto/tls, now with 100% more 1.3.

THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.

Usage

Since crypto/tls is very deeply (and not that elegantly) coupled with the Go stdlib, tls-tris shouldn’t be used as an external package. It is also impossible to vendor it as crypto/tls because stdlib packages would import the standard one and mismatch.

So, to build with tls-tris, you need to use a custom GOROOT.

A script is provided that will take care of it for you: ./_dev/go.sh. Just use that instead of the go tool.

The script also transparently fetches the custom Cloudflare Go 1.10 compiler with the required backports.

Development

Dependencies

Copy paste line bellow to install all required dependencies:

ArchLinux:

pacman -S go docker gcc git make patch python2 python-docker rsync

Debian:

apt-get install build-essential docker go patch python python-pip rsync
pip install setuptools
pip install docker

Similar dependencies can be found on any UNIX based system/distribution.

Building

There are number of things that need to be setup before running tests. Most important step is to copy go env GOROOT directory to _dev and swap TLS implementation and recompile GO. Then for testing we use go implementation from _dev/GOROOT.

make -f _dev/Makefile build-all

Testing

We run 3 kinds of test:.

Unit testing:
make -f _dev/Makefile test-unit
Testing against BoringSSL test suite:
make -f _dev/Makefile test-bogo
Compatibility testing (see below):
make -f _dev/Makefile test-compat

To run all the tests in one go use:

make -f _dev/Makefile test

Testing interoperability with 3rd party libraries

In order to ensure compatibility we are testing our implementation against BoringSSL, NSS and PicoTLS.

Makefile has a specific target for testing interoperability with external libraries. Following command can be used in order to run such test:

make -f _dev/Makefile test-interop

The makefile target is just a wrapper and it executes _dev/interop_test_runner script written in python. The script implements interoperability tests using python unittest framework.

Script can be started from command line directly. For example:

> ./interop_test_runner -v InteropServer_NSS.test_zero_rtt
test_zero_rtt (__main__.InteropServer_NSS) ... ok

----------------------------------------------------------------------
Ran 1 test in 8.765s

OK

Debugging

When the environment variable TLSDEBUG is set to error, Tris will print a hexdump of the Client Hello and a stack trace if an handshake error occurs. If the value is short, only the error and the first meaningful stack frame are printed.