diff --git a/internal/engine/legacy/netx/dialer.go b/internal/engine/legacy/netx/dialer.go index 1b0d048..508a655 100644 --- a/internal/engine/legacy/netx/dialer.go +++ b/internal/engine/legacy/netx/dialer.go @@ -13,6 +13,7 @@ import ( "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/handlers" "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx" "github.com/ooni/probe-cli/v3/internal/engine/netx/dialer" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" ) // Dialer performs measurements while dialing. @@ -101,14 +102,14 @@ func (d *Dialer) DialTLS(network, address string) (net.Conn, error) { // - SystemTLSHandshaker // // If you have others needs, manually build the chain you need. -func newTLSDialer(d dialer.Dialer, config *tls.Config) dialer.TLSDialer { - return dialer.TLSDialer{ +func newTLSDialer(d dialer.Dialer, config *tls.Config) tlsdialer.TLSDialer { + return tlsdialer.TLSDialer{ Config: config, Dialer: d, - TLSHandshaker: dialer.EmitterTLSHandshaker{ - TLSHandshaker: dialer.ErrorWrapperTLSHandshaker{ - TLSHandshaker: dialer.TimeoutTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, + TLSHandshaker: tlsdialer.EmitterTLSHandshaker{ + TLSHandshaker: tlsdialer.ErrorWrapperTLSHandshaker{ + TLSHandshaker: tlsdialer.TimeoutTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, }, }, }, diff --git a/internal/engine/legacy/netxlogger/netxlogger.go b/internal/engine/legacy/netxlogger/netxlogger.go index 95ba796..be31ec2 100644 --- a/internal/engine/legacy/netxlogger/netxlogger.go +++ b/internal/engine/legacy/netxlogger/netxlogger.go @@ -8,8 +8,8 @@ import ( "net/http" "strings" - "github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx" "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" ) // Logger is the interface we expect from a logger diff --git a/internal/engine/legacy/oonidatamodel/oonidatamodel.go b/internal/engine/legacy/oonidatamodel/oonidatamodel.go index 949269d..1026391 100644 --- a/internal/engine/legacy/oonidatamodel/oonidatamodel.go +++ b/internal/engine/legacy/oonidatamodel/oonidatamodel.go @@ -16,11 +16,11 @@ import ( "strings" "unicode/utf8" - "github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx" "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx" "github.com/ooni/probe-cli/v3/internal/engine/legacy/oonitemplates" "github.com/ooni/probe-cli/v3/internal/engine/model" "github.com/ooni/probe-cli/v3/internal/engine/netx/errorx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" ) // ExtSpec describes a data format extension diff --git a/internal/engine/netx/dialer/eof_test.go b/internal/engine/netx/dialer/eof_test.go index 9016658..c629a69 100644 --- a/internal/engine/netx/dialer/eof_test.go +++ b/internal/engine/netx/dialer/eof_test.go @@ -2,7 +2,6 @@ package dialer import ( "context" - "crypto/tls" "io" "net" "time" @@ -69,12 +68,3 @@ func (EOFAddr) Network() string { func (EOFAddr) String() string { return "127.0.0.1:1234" } - -type EOFTLSHandshaker struct{} - -func (EOFTLSHandshaker) Handshake( - ctx context.Context, conn net.Conn, config *tls.Config, -) (net.Conn, tls.ConnectionState, error) { - time.Sleep(10 * time.Microsecond) - return nil, tls.ConnectionState{}, io.EOF -} diff --git a/internal/engine/netx/dialer/integration_test.go b/internal/engine/netx/dialer/integration_test.go index 2072a01..df3fe4c 100644 --- a/internal/engine/netx/dialer/integration_test.go +++ b/internal/engine/netx/dialer/integration_test.go @@ -1,7 +1,6 @@ package dialer_test import ( - "context" "net" "net/http" "testing" @@ -10,31 +9,6 @@ import ( "github.com/ooni/probe-cli/v3/internal/engine/netx/dialer" ) -func TestTLSDialerSuccess(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - log.SetLevel(log.DebugLevel) - dialer := dialer.TLSDialer{Dialer: new(net.Dialer), - TLSHandshaker: dialer.LoggingTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Logger: log.Log, - }, - } - txp := &http.Transport{DialTLS: func(network, address string) (net.Conn, error) { - // AlpineLinux edge is still using Go 1.13. We cannot switch to - // using DialTLSContext here as we'd like to until either Alpine - // switches to Go 1.14 or we drop the MK dependency. - return dialer.DialTLSContext(context.Background(), network, address) - }} - client := &http.Client{Transport: txp} - resp, err := client.Get("https://www.google.com") - if err != nil { - t.Fatal(err) - } - resp.Body.Close() -} - func TestDNSDialerSuccess(t *testing.T) { if testing.Short() { t.Skip("skip test in short mode") diff --git a/internal/engine/netx/dialer/logging.go b/internal/engine/netx/dialer/logging.go index c998122..7c448ed 100644 --- a/internal/engine/netx/dialer/logging.go +++ b/internal/engine/netx/dialer/logging.go @@ -2,11 +2,8 @@ package dialer import ( "context" - "crypto/tls" "net" "time" - - "github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx" ) // Logger is the logger assumed by this package @@ -30,27 +27,3 @@ func (d LoggingDialer) DialContext(ctx context.Context, network, address string) d.Logger.Debugf("dial %s/%s... %+v in %s", address, network, err, stop.Sub(start)) return conn, err } - -// LoggingTLSHandshaker is a TLSHandshaker with logging -type LoggingTLSHandshaker struct { - TLSHandshaker - Logger Logger -} - -// Handshake implements Handshaker.Handshake -func (h LoggingTLSHandshaker) Handshake( - ctx context.Context, conn net.Conn, config *tls.Config, -) (net.Conn, tls.ConnectionState, error) { - h.Logger.Debugf("tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos) - start := time.Now() - tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config) - stop := time.Now() - h.Logger.Debugf( - "tls {sni=%s next=%+v}... %+v in %s {next=%s cipher=%s v=%s}", config.ServerName, - config.NextProtos, err, stop.Sub(start), state.NegotiatedProtocol, - tlsx.CipherSuiteString(state.CipherSuite), tlsx.VersionString(state.Version)) - return tlsconn, state, err -} - -var _ Dialer = LoggingDialer{} -var _ TLSHandshaker = LoggingTLSHandshaker{} diff --git a/internal/engine/netx/dialer/logging_test.go b/internal/engine/netx/dialer/logging_test.go index 9f58836..ba262e4 100644 --- a/internal/engine/netx/dialer/logging_test.go +++ b/internal/engine/netx/dialer/logging_test.go @@ -2,7 +2,6 @@ package dialer_test import ( "context" - "crypto/tls" "errors" "io" "testing" @@ -24,19 +23,3 @@ func TestLoggingDialerFailure(t *testing.T) { t.Fatal("expected nil conn here") } } - -func TestLoggingTLSHandshakerFailure(t *testing.T) { - h := dialer.LoggingTLSHandshaker{ - TLSHandshaker: dialer.EOFTLSHandshaker{}, - Logger: log.Log, - } - tlsconn, _, err := h.Handshake(context.Background(), dialer.EOFConn{}, &tls.Config{ - ServerName: "www.google.com", - }) - if !errors.Is(err, io.EOF) { - t.Fatal("not the error we expected") - } - if tlsconn != nil { - t.Fatal("expected nil tlsconn here") - } -} diff --git a/internal/engine/netx/dialer/saver.go b/internal/engine/netx/dialer/saver.go index db18076..82592ef 100644 --- a/internal/engine/netx/dialer/saver.go +++ b/internal/engine/netx/dialer/saver.go @@ -2,11 +2,9 @@ package dialer import ( "context" - "crypto/tls" "net" "time" - "github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx" "github.com/ooni/probe-cli/v3/internal/engine/netx/errorx" "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" ) @@ -33,42 +31,6 @@ func (d SaverDialer) DialContext(ctx context.Context, network, address string) ( return conn, err } -// SaverTLSHandshaker saves events occurring during the handshake -type SaverTLSHandshaker struct { - TLSHandshaker - Saver *trace.Saver -} - -// Handshake implements TLSHandshaker.Handshake -func (h SaverTLSHandshaker) Handshake( - ctx context.Context, conn net.Conn, config *tls.Config, -) (net.Conn, tls.ConnectionState, error) { - start := time.Now() - h.Saver.Write(trace.Event{ - Name: "tls_handshake_start", - NoTLSVerify: config.InsecureSkipVerify, - TLSNextProtos: config.NextProtos, - TLSServerName: config.ServerName, - Time: start, - }) - tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config) - stop := time.Now() - h.Saver.Write(trace.Event{ - Duration: stop.Sub(start), - Err: err, - Name: "tls_handshake_done", - NoTLSVerify: config.InsecureSkipVerify, - TLSCipherSuite: tlsx.CipherSuiteString(state.CipherSuite), - TLSNegotiatedProto: state.NegotiatedProtocol, - TLSNextProtos: config.NextProtos, - TLSPeerCerts: trace.PeerCerts(state, err), - TLSServerName: config.ServerName, - TLSVersion: tlsx.VersionString(state.Version), - Time: stop, - }) - return tlsconn, state, err -} - // SaverConnDialer wraps the returned connection such that we // collect all the read/write events that occur. type SaverConnDialer struct { @@ -121,5 +83,4 @@ func (c saverConn) Write(p []byte) (int, error) { } var _ Dialer = SaverDialer{} -var _ TLSHandshaker = SaverTLSHandshaker{} var _ net.Conn = saverConn{} diff --git a/internal/engine/netx/dialer/saver_test.go b/internal/engine/netx/dialer/saver_test.go index 8d30323..a256b3a 100644 --- a/internal/engine/netx/dialer/saver_test.go +++ b/internal/engine/netx/dialer/saver_test.go @@ -2,10 +2,7 @@ package dialer_test import ( "context" - "crypto/tls" "errors" - "net" - "reflect" "testing" "time" @@ -71,301 +68,3 @@ func TestSaverConnDialerFailure(t *testing.T) { t.Fatal("expected nil conn here") } } - -func TestSaverTLSHandshakerSuccessWithReadWrite(t *testing.T) { - // This is the most common use case for collecting reads, writes - if testing.Short() { - t.Skip("skip test in short mode") - } - nextprotos := []string{"h2"} - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Config: &tls.Config{NextProtos: nextprotos}, - Dialer: dialer.SaverConnDialer{ - Dialer: new(net.Dialer), - Saver: saver, - }, - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - // Implementation note: we don't close the connection here because it is - // very handy to have the last event being the end of the handshake - _, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443") - if err != nil { - t.Fatal(err) - } - ev := saver.Read() - if len(ev) < 4 { - // it's a bit tricky to be sure about the right number of - // events because network conditions may influence that - t.Fatal("unexpected number of events") - } - if ev[0].Name != "tls_handshake_start" { - t.Fatal("unexpected Name") - } - if ev[0].TLSServerName != "www.google.com" { - t.Fatal("unexpected TLSServerName") - } - if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) { - t.Fatal("unexpected TLSNextProtos") - } - if ev[0].Time.After(time.Now()) { - t.Fatal("unexpected Time") - } - last := len(ev) - 1 - for idx := 1; idx < last; idx++ { - if ev[idx].Data == nil { - t.Fatal("unexpected Data") - } - if ev[idx].Duration <= 0 { - t.Fatal("unexpected Duration") - } - if ev[idx].Err != nil { - t.Fatal("unexpected Err") - } - if ev[idx].NumBytes <= 0 { - t.Fatal("unexpected NumBytes") - } - switch ev[idx].Name { - case errorx.ReadOperation, errorx.WriteOperation: - default: - t.Fatal("unexpected Name") - } - if ev[idx].Time.Before(ev[idx-1].Time) { - t.Fatal("unexpected Time") - } - } - if ev[last].Duration <= 0 { - t.Fatal("unexpected Duration") - } - if ev[last].Err != nil { - t.Fatal("unexpected Err") - } - if ev[last].Name != "tls_handshake_done" { - t.Fatal("unexpected Name") - } - if ev[last].TLSCipherSuite == "" { - t.Fatal("unexpected TLSCipherSuite") - } - if ev[last].TLSNegotiatedProto != "h2" { - t.Fatal("unexpected TLSNegotiatedProto") - } - if !reflect.DeepEqual(ev[last].TLSNextProtos, nextprotos) { - t.Fatal("unexpected TLSNextProtos") - } - if ev[last].TLSPeerCerts == nil { - t.Fatal("unexpected TLSPeerCerts") - } - if ev[last].TLSServerName != "www.google.com" { - t.Fatal("unexpected TLSServerName") - } - if ev[last].TLSVersion == "" { - t.Fatal("unexpected TLSVersion") - } - if ev[last].Time.Before(ev[last-1].Time) { - t.Fatal("unexpected Time") - } -} - -func TestSaverTLSHandshakerSuccess(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - nextprotos := []string{"h2"} - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Config: &tls.Config{NextProtos: nextprotos}, - Dialer: new(net.Dialer), - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - conn, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443") - if err != nil { - t.Fatal(err) - } - conn.Close() - ev := saver.Read() - if len(ev) != 2 { - t.Fatal("unexpected number of events") - } - if ev[0].Name != "tls_handshake_start" { - t.Fatal("unexpected Name") - } - if ev[0].TLSServerName != "www.google.com" { - t.Fatal("unexpected TLSServerName") - } - if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) { - t.Fatal("unexpected TLSNextProtos") - } - if ev[0].Time.After(time.Now()) { - t.Fatal("unexpected Time") - } - if ev[1].Duration <= 0 { - t.Fatal("unexpected Duration") - } - if ev[1].Err != nil { - t.Fatal("unexpected Err") - } - if ev[1].Name != "tls_handshake_done" { - t.Fatal("unexpected Name") - } - if ev[1].TLSCipherSuite == "" { - t.Fatal("unexpected TLSCipherSuite") - } - if ev[1].TLSNegotiatedProto != "h2" { - t.Fatal("unexpected TLSNegotiatedProto") - } - if !reflect.DeepEqual(ev[1].TLSNextProtos, nextprotos) { - t.Fatal("unexpected TLSNextProtos") - } - if ev[1].TLSPeerCerts == nil { - t.Fatal("unexpected TLSPeerCerts") - } - if ev[1].TLSServerName != "www.google.com" { - t.Fatal("unexpected TLSServerName") - } - if ev[1].TLSVersion == "" { - t.Fatal("unexpected TLSVersion") - } - if ev[1].Time.Before(ev[0].Time) { - t.Fatal("unexpected Time") - } -} - -func TestSaverTLSHandshakerHostnameError(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Dialer: new(net.Dialer), - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - conn, err := tlsdlr.DialTLSContext( - context.Background(), "tcp", "wrong.host.badssl.com:443") - if err == nil { - t.Fatal("expected an error here") - } - if conn != nil { - t.Fatal("expected nil conn here") - } - for _, ev := range saver.Read() { - if ev.Name != "tls_handshake_done" { - continue - } - if ev.NoTLSVerify == true { - t.Fatal("expected NoTLSVerify to be false") - } - if len(ev.TLSPeerCerts) < 1 { - t.Fatal("expected at least a certificate here") - } - } -} - -func TestSaverTLSHandshakerInvalidCertError(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Dialer: new(net.Dialer), - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - conn, err := tlsdlr.DialTLSContext( - context.Background(), "tcp", "expired.badssl.com:443") - if err == nil { - t.Fatal("expected an error here") - } - if conn != nil { - t.Fatal("expected nil conn here") - } - for _, ev := range saver.Read() { - if ev.Name != "tls_handshake_done" { - continue - } - if ev.NoTLSVerify == true { - t.Fatal("expected NoTLSVerify to be false") - } - if len(ev.TLSPeerCerts) < 1 { - t.Fatal("expected at least a certificate here") - } - } -} - -func TestSaverTLSHandshakerAuthorityError(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Dialer: new(net.Dialer), - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - conn, err := tlsdlr.DialTLSContext( - context.Background(), "tcp", "self-signed.badssl.com:443") - if err == nil { - t.Fatal("expected an error here") - } - if conn != nil { - t.Fatal("expected nil conn here") - } - for _, ev := range saver.Read() { - if ev.Name != "tls_handshake_done" { - continue - } - if ev.NoTLSVerify == true { - t.Fatal("expected NoTLSVerify to be false") - } - if len(ev.TLSPeerCerts) < 1 { - t.Fatal("expected at least a certificate here") - } - } -} - -func TestSaverTLSHandshakerNoTLSVerify(t *testing.T) { - if testing.Short() { - t.Skip("skip test in short mode") - } - saver := &trace.Saver{} - tlsdlr := dialer.TLSDialer{ - Config: &tls.Config{InsecureSkipVerify: true}, - Dialer: new(net.Dialer), - TLSHandshaker: dialer.SaverTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, - Saver: saver, - }, - } - conn, err := tlsdlr.DialTLSContext( - context.Background(), "tcp", "self-signed.badssl.com:443") - if err != nil { - t.Fatal(err) - } - if conn == nil { - t.Fatal("expected non-nil conn here") - } - conn.Close() - for _, ev := range saver.Read() { - if ev.Name != "tls_handshake_done" { - continue - } - if ev.NoTLSVerify != true { - t.Fatal("expected NoTLSVerify to be true") - } - if len(ev.TLSPeerCerts) < 1 { - t.Fatal("expected at least a certificate here") - } - } -} diff --git a/internal/engine/netx/netx.go b/internal/engine/netx/netx.go index 5a2175a..74a513d 100644 --- a/internal/engine/netx/netx.go +++ b/internal/engine/netx/netx.go @@ -33,11 +33,12 @@ import ( "github.com/lucas-clemente/quic-go" "github.com/ooni/probe-cli/v3/internal/engine/netx/bytecounter" "github.com/ooni/probe-cli/v3/internal/engine/netx/dialer" - "github.com/ooni/probe-cli/v3/internal/engine/netx/gocertifi" "github.com/ooni/probe-cli/v3/internal/engine/netx/httptransport" "github.com/ooni/probe-cli/v3/internal/engine/netx/quicdialer" "github.com/ooni/probe-cli/v3/internal/engine/netx/resolver" "github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" "github.com/ooni/probe-cli/v3/internal/runtimex" ) @@ -113,8 +114,8 @@ type tlsHandshaker interface { // NewDefaultCertPool returns a copy of the default x509 // certificate pool. This function panics on failure. func NewDefaultCertPool() *x509.CertPool { - pool, err := gocertifi.CACerts() - runtimex.PanicOnError(err, "gocertifi.CACerts() failed") + pool, err := tlsx.CACerts() + runtimex.PanicOnError(err, "tlsx.CACerts() failed") return pool } @@ -196,14 +197,14 @@ func NewTLSDialer(config Config) TLSDialer { if config.Dialer == nil { config.Dialer = NewDialer(config) } - var h tlsHandshaker = dialer.SystemTLSHandshaker{} - h = dialer.TimeoutTLSHandshaker{TLSHandshaker: h} - h = dialer.ErrorWrapperTLSHandshaker{TLSHandshaker: h} + var h tlsHandshaker = tlsdialer.SystemTLSHandshaker{} + h = tlsdialer.TimeoutTLSHandshaker{TLSHandshaker: h} + h = tlsdialer.ErrorWrapperTLSHandshaker{TLSHandshaker: h} if config.Logger != nil { - h = dialer.LoggingTLSHandshaker{Logger: config.Logger, TLSHandshaker: h} + h = tlsdialer.LoggingTLSHandshaker{Logger: config.Logger, TLSHandshaker: h} } if config.TLSSaver != nil { - h = dialer.SaverTLSHandshaker{TLSHandshaker: h, Saver: config.TLSSaver} + h = tlsdialer.SaverTLSHandshaker{TLSHandshaker: h, Saver: config.TLSSaver} } if config.TLSConfig == nil { config.TLSConfig = &tls.Config{NextProtos: []string{"h2", "http/1.1"}} @@ -213,7 +214,7 @@ func NewTLSDialer(config Config) TLSDialer { } config.TLSConfig.RootCAs = config.CertPool config.TLSConfig.InsecureSkipVerify = config.NoTLSVerify - return dialer.TLSDialer{ + return tlsdialer.TLSDialer{ Config: config.TLSConfig, Dialer: config.Dialer, TLSHandshaker: h, diff --git a/internal/engine/netx/netx_test.go b/internal/engine/netx/netx_test.go index 9526ee8..e04d2c4 100644 --- a/internal/engine/netx/netx_test.go +++ b/internal/engine/netx/netx_test.go @@ -14,6 +14,7 @@ import ( "github.com/ooni/probe-cli/v3/internal/engine/netx/httptransport" "github.com/ooni/probe-cli/v3/internal/engine/netx/resolver" "github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" ) @@ -486,7 +487,7 @@ func TestNewDialerWithContextByteCounting(t *testing.T) { func TestNewTLSDialerVanilla(t *testing.T) { td := netx.NewTLSDialer(netx.Config{}) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -512,15 +513,15 @@ func TestNewTLSDialerVanilla(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -529,7 +530,7 @@ func TestNewTLSDialerWithConfig(t *testing.T) { td := netx.NewTLSDialer(netx.Config{ TLSConfig: new(tls.Config), }) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -552,15 +553,15 @@ func TestNewTLSDialerWithConfig(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -569,7 +570,7 @@ func TestNewTLSDialerWithLogging(t *testing.T) { td := netx.NewTLSDialer(netx.Config{ Logger: log.Log, }) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -595,22 +596,22 @@ func TestNewTLSDialerWithLogging(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - lth, ok := rtd.TLSHandshaker.(dialer.LoggingTLSHandshaker) + lth, ok := rtd.TLSHandshaker.(tlsdialer.LoggingTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } if lth.Logger != log.Log { t.Fatal("not the Logger we expected") } - ewth, ok := lth.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := lth.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -620,7 +621,7 @@ func TestNewTLSDialerWithSaver(t *testing.T) { td := netx.NewTLSDialer(netx.Config{ TLSSaver: saver, }) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -646,22 +647,22 @@ func TestNewTLSDialerWithSaver(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - sth, ok := rtd.TLSHandshaker.(dialer.SaverTLSHandshaker) + sth, ok := rtd.TLSHandshaker.(tlsdialer.SaverTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } if sth.Saver != saver { t.Fatal("not the Logger we expected") } - ewth, ok := sth.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := sth.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -671,7 +672,7 @@ func TestNewTLSDialerWithNoTLSVerifyAndConfig(t *testing.T) { TLSConfig: new(tls.Config), NoTLSVerify: true, }) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -697,15 +698,15 @@ func TestNewTLSDialerWithNoTLSVerifyAndConfig(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -714,7 +715,7 @@ func TestNewTLSDialerWithNoTLSVerifyAndNoConfig(t *testing.T) { td := netx.NewTLSDialer(netx.Config{ NoTLSVerify: true, }) - rtd, ok := td.(dialer.TLSDialer) + rtd, ok := td.(tlsdialer.TLSDialer) if !ok { t.Fatal("not the TLSDialer we expected") } @@ -743,15 +744,15 @@ func TestNewTLSDialerWithNoTLSVerifyAndNoConfig(t *testing.T) { if rtd.TLSHandshaker == nil { t.Fatal("invalid TLSHandshaker") } - ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker) + ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker) + tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker) if !ok { t.Fatal("not the TLSHandshaker we expected") } - if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok { + if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok { t.Fatal("not the TLSHandshaker we expected") } } @@ -785,10 +786,10 @@ func TestNewWithDialer(t *testing.T) { func TestNewWithTLSDialer(t *testing.T) { expected := errors.New("mocked error") - tlsDialer := dialer.TLSDialer{ + tlsDialer := tlsdialer.TLSDialer{ Config: new(tls.Config), Dialer: netx.FakeDialer{Err: expected}, - TLSHandshaker: dialer.SystemTLSHandshaker{}, + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, } txp := netx.NewHTTPTransport(netx.Config{ TLSDialer: tlsDialer, diff --git a/internal/engine/netx/quicdialer/saver.go b/internal/engine/netx/quicdialer/saver.go index 88fa2de..0427ef1 100644 --- a/internal/engine/netx/quicdialer/saver.go +++ b/internal/engine/netx/quicdialer/saver.go @@ -6,7 +6,7 @@ import ( "time" "github.com/lucas-clemente/quic-go" - "github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" ) diff --git a/internal/engine/netx/tlsdialer/eof_test.go b/internal/engine/netx/tlsdialer/eof_test.go new file mode 100644 index 0000000..56612a3 --- /dev/null +++ b/internal/engine/netx/tlsdialer/eof_test.go @@ -0,0 +1,80 @@ +package tlsdialer + +import ( + "context" + "crypto/tls" + "io" + "net" + "time" +) + +type EOFDialer struct{} + +func (EOFDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { + time.Sleep(10 * time.Microsecond) + return nil, io.EOF +} + +type EOFConnDialer struct{} + +func (EOFConnDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { + return EOFConn{}, nil +} + +type EOFConn struct { + net.Conn +} + +func (EOFConn) Read(p []byte) (int, error) { + time.Sleep(10 * time.Microsecond) + return 0, io.EOF +} + +func (EOFConn) Write(p []byte) (int, error) { + time.Sleep(10 * time.Microsecond) + return 0, io.EOF +} + +func (EOFConn) Close() error { + time.Sleep(10 * time.Microsecond) + return io.EOF +} + +func (EOFConn) LocalAddr() net.Addr { + return EOFAddr{} +} + +func (EOFConn) RemoteAddr() net.Addr { + return EOFAddr{} +} + +func (EOFConn) SetDeadline(t time.Time) error { + return nil +} + +func (EOFConn) SetReadDeadline(t time.Time) error { + return nil +} + +func (EOFConn) SetWriteDeadline(t time.Time) error { + return nil +} + +type EOFAddr struct{} + +func (EOFAddr) Network() string { + return "tcp" +} + +func (EOFAddr) String() string { + return "127.0.0.1:1234" +} + +type EOFTLSHandshaker struct{} + +func (EOFTLSHandshaker) Handshake( + ctx context.Context, conn net.Conn, config *tls.Config, +) (net.Conn, tls.ConnectionState, error) { + time.Sleep(10 * time.Microsecond) + return nil, tls.ConnectionState{}, io.EOF +} diff --git a/internal/engine/netx/tlsdialer/fake_test.go b/internal/engine/netx/tlsdialer/fake_test.go new file mode 100644 index 0000000..1b4e0b3 --- /dev/null +++ b/internal/engine/netx/tlsdialer/fake_test.go @@ -0,0 +1,71 @@ +package tlsdialer + +import ( + "context" + "io" + "net" + "time" +) + +type FakeDialer struct { + Conn net.Conn + Err error +} + +func (d FakeDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { + time.Sleep(10 * time.Microsecond) + return d.Conn, d.Err +} + +type FakeConn struct { + ReadError error + ReadData []byte + SetDeadlineError error + SetReadDeadlineError error + SetWriteDeadlineError error + WriteError error +} + +func (c *FakeConn) Read(b []byte) (int, error) { + if len(c.ReadData) > 0 { + n := copy(b, c.ReadData) + c.ReadData = c.ReadData[n:] + return n, nil + } + if c.ReadError != nil { + return 0, c.ReadError + } + return 0, io.EOF +} + +func (c *FakeConn) Write(b []byte) (n int, err error) { + if c.WriteError != nil { + return 0, c.WriteError + } + n = len(b) + return +} + +func (*FakeConn) Close() (err error) { + return +} + +func (*FakeConn) LocalAddr() net.Addr { + return &net.TCPAddr{} +} + +func (*FakeConn) RemoteAddr() net.Addr { + return &net.TCPAddr{} +} + +func (c *FakeConn) SetDeadline(t time.Time) (err error) { + return c.SetDeadlineError +} + +func (c *FakeConn) SetReadDeadline(t time.Time) (err error) { + return c.SetReadDeadlineError +} + +func (c *FakeConn) SetWriteDeadline(t time.Time) (err error) { + return c.SetWriteDeadlineError +} diff --git a/internal/engine/netx/tlsdialer/integration_test.go b/internal/engine/netx/tlsdialer/integration_test.go new file mode 100644 index 0000000..694d204 --- /dev/null +++ b/internal/engine/netx/tlsdialer/integration_test.go @@ -0,0 +1,36 @@ +package tlsdialer_test + +import ( + "context" + "net" + "net/http" + "testing" + + "github.com/apex/log" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" +) + +func TestTLSDialerSuccess(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + log.SetLevel(log.DebugLevel) + dialer := tlsdialer.TLSDialer{Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.LoggingTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Logger: log.Log, + }, + } + txp := &http.Transport{DialTLS: func(network, address string) (net.Conn, error) { + // AlpineLinux edge is still using Go 1.13. We cannot switch to + // using DialTLSContext here as we'd like to until either Alpine + // switches to Go 1.14 or we drop the MK dependency. + return dialer.DialTLSContext(context.Background(), network, address) + }} + client := &http.Client{Transport: txp} + resp, err := client.Get("https://www.google.com") + if err != nil { + t.Fatal(err) + } + resp.Body.Close() +} diff --git a/internal/engine/netx/tlsdialer/logging.go b/internal/engine/netx/tlsdialer/logging.go new file mode 100644 index 0000000..6945d8c --- /dev/null +++ b/internal/engine/netx/tlsdialer/logging.go @@ -0,0 +1,39 @@ +package tlsdialer + +import ( + "context" + "crypto/tls" + "net" + "time" + + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" +) + +// Logger is the logger assumed by this package +type Logger interface { + Debugf(format string, v ...interface{}) + Debug(message string) +} + +// LoggingTLSHandshaker is a TLSHandshaker with logging +type LoggingTLSHandshaker struct { + TLSHandshaker + Logger Logger +} + +// Handshake implements Handshaker.Handshake +func (h LoggingTLSHandshaker) Handshake( + ctx context.Context, conn net.Conn, config *tls.Config, +) (net.Conn, tls.ConnectionState, error) { + h.Logger.Debugf("tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos) + start := time.Now() + tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config) + stop := time.Now() + h.Logger.Debugf( + "tls {sni=%s next=%+v}... %+v in %s {next=%s cipher=%s v=%s}", config.ServerName, + config.NextProtos, err, stop.Sub(start), state.NegotiatedProtocol, + tlsx.CipherSuiteString(state.CipherSuite), tlsx.VersionString(state.Version)) + return tlsconn, state, err +} + +var _ TLSHandshaker = LoggingTLSHandshaker{} diff --git a/internal/engine/netx/tlsdialer/logging_test.go b/internal/engine/netx/tlsdialer/logging_test.go new file mode 100644 index 0000000..96733ef --- /dev/null +++ b/internal/engine/netx/tlsdialer/logging_test.go @@ -0,0 +1,28 @@ +package tlsdialer_test + +import ( + "context" + "crypto/tls" + "errors" + "io" + "testing" + + "github.com/apex/log" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" +) + +func TestLoggingTLSHandshakerFailure(t *testing.T) { + h := tlsdialer.LoggingTLSHandshaker{ + TLSHandshaker: tlsdialer.EOFTLSHandshaker{}, + Logger: log.Log, + } + tlsconn, _, err := h.Handshake(context.Background(), tlsdialer.EOFConn{}, &tls.Config{ + ServerName: "www.google.com", + }) + if !errors.Is(err, io.EOF) { + t.Fatal("not the error we expected") + } + if tlsconn != nil { + t.Fatal("expected nil tlsconn here") + } +} diff --git a/internal/engine/netx/tlsdialer/saver.go b/internal/engine/netx/tlsdialer/saver.go new file mode 100644 index 0000000..ded184a --- /dev/null +++ b/internal/engine/netx/tlsdialer/saver.go @@ -0,0 +1,49 @@ +package tlsdialer + +import ( + "context" + "crypto/tls" + "net" + "time" + + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" +) + +// SaverTLSHandshaker saves events occurring during the handshake +type SaverTLSHandshaker struct { + TLSHandshaker + Saver *trace.Saver +} + +// Handshake implements TLSHandshaker.Handshake +func (h SaverTLSHandshaker) Handshake( + ctx context.Context, conn net.Conn, config *tls.Config, +) (net.Conn, tls.ConnectionState, error) { + start := time.Now() + h.Saver.Write(trace.Event{ + Name: "tls_handshake_start", + NoTLSVerify: config.InsecureSkipVerify, + TLSNextProtos: config.NextProtos, + TLSServerName: config.ServerName, + Time: start, + }) + tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config) + stop := time.Now() + h.Saver.Write(trace.Event{ + Duration: stop.Sub(start), + Err: err, + Name: "tls_handshake_done", + NoTLSVerify: config.InsecureSkipVerify, + TLSCipherSuite: tlsx.CipherSuiteString(state.CipherSuite), + TLSNegotiatedProto: state.NegotiatedProtocol, + TLSNextProtos: config.NextProtos, + TLSPeerCerts: trace.PeerCerts(state, err), + TLSServerName: config.ServerName, + TLSVersion: tlsx.VersionString(state.Version), + Time: stop, + }) + return tlsconn, state, err +} + +var _ TLSHandshaker = SaverTLSHandshaker{} diff --git a/internal/engine/netx/tlsdialer/saver_test.go b/internal/engine/netx/tlsdialer/saver_test.go new file mode 100644 index 0000000..7cbaa16 --- /dev/null +++ b/internal/engine/netx/tlsdialer/saver_test.go @@ -0,0 +1,313 @@ +package tlsdialer_test + +import ( + "context" + "crypto/tls" + "net" + "reflect" + "testing" + "time" + + "github.com/ooni/probe-cli/v3/internal/engine/netx/dialer" + "github.com/ooni/probe-cli/v3/internal/engine/netx/errorx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" + "github.com/ooni/probe-cli/v3/internal/engine/netx/trace" +) + +func TestSaverTLSHandshakerSuccessWithReadWrite(t *testing.T) { + // This is the most common use case for collecting reads, writes + if testing.Short() { + t.Skip("skip test in short mode") + } + nextprotos := []string{"h2"} + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Config: &tls.Config{NextProtos: nextprotos}, + Dialer: dialer.SaverConnDialer{ + Dialer: new(net.Dialer), + Saver: saver, + }, + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + // Implementation note: we don't close the connection here because it is + // very handy to have the last event being the end of the handshake + _, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443") + if err != nil { + t.Fatal(err) + } + ev := saver.Read() + if len(ev) < 4 { + // it's a bit tricky to be sure about the right number of + // events because network conditions may influence that + t.Fatal("unexpected number of events") + } + if ev[0].Name != "tls_handshake_start" { + t.Fatal("unexpected Name") + } + if ev[0].TLSServerName != "www.google.com" { + t.Fatal("unexpected TLSServerName") + } + if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) { + t.Fatal("unexpected TLSNextProtos") + } + if ev[0].Time.After(time.Now()) { + t.Fatal("unexpected Time") + } + last := len(ev) - 1 + for idx := 1; idx < last; idx++ { + if ev[idx].Data == nil { + t.Fatal("unexpected Data") + } + if ev[idx].Duration <= 0 { + t.Fatal("unexpected Duration") + } + if ev[idx].Err != nil { + t.Fatal("unexpected Err") + } + if ev[idx].NumBytes <= 0 { + t.Fatal("unexpected NumBytes") + } + switch ev[idx].Name { + case errorx.ReadOperation, errorx.WriteOperation: + default: + t.Fatal("unexpected Name") + } + if ev[idx].Time.Before(ev[idx-1].Time) { + t.Fatal("unexpected Time") + } + } + if ev[last].Duration <= 0 { + t.Fatal("unexpected Duration") + } + if ev[last].Err != nil { + t.Fatal("unexpected Err") + } + if ev[last].Name != "tls_handshake_done" { + t.Fatal("unexpected Name") + } + if ev[last].TLSCipherSuite == "" { + t.Fatal("unexpected TLSCipherSuite") + } + if ev[last].TLSNegotiatedProto != "h2" { + t.Fatal("unexpected TLSNegotiatedProto") + } + if !reflect.DeepEqual(ev[last].TLSNextProtos, nextprotos) { + t.Fatal("unexpected TLSNextProtos") + } + if ev[last].TLSPeerCerts == nil { + t.Fatal("unexpected TLSPeerCerts") + } + if ev[last].TLSServerName != "www.google.com" { + t.Fatal("unexpected TLSServerName") + } + if ev[last].TLSVersion == "" { + t.Fatal("unexpected TLSVersion") + } + if ev[last].Time.Before(ev[last-1].Time) { + t.Fatal("unexpected Time") + } +} + +func TestSaverTLSHandshakerSuccess(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + nextprotos := []string{"h2"} + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Config: &tls.Config{NextProtos: nextprotos}, + Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + conn, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443") + if err != nil { + t.Fatal(err) + } + conn.Close() + ev := saver.Read() + if len(ev) != 2 { + t.Fatal("unexpected number of events") + } + if ev[0].Name != "tls_handshake_start" { + t.Fatal("unexpected Name") + } + if ev[0].TLSServerName != "www.google.com" { + t.Fatal("unexpected TLSServerName") + } + if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) { + t.Fatal("unexpected TLSNextProtos") + } + if ev[0].Time.After(time.Now()) { + t.Fatal("unexpected Time") + } + if ev[1].Duration <= 0 { + t.Fatal("unexpected Duration") + } + if ev[1].Err != nil { + t.Fatal("unexpected Err") + } + if ev[1].Name != "tls_handshake_done" { + t.Fatal("unexpected Name") + } + if ev[1].TLSCipherSuite == "" { + t.Fatal("unexpected TLSCipherSuite") + } + if ev[1].TLSNegotiatedProto != "h2" { + t.Fatal("unexpected TLSNegotiatedProto") + } + if !reflect.DeepEqual(ev[1].TLSNextProtos, nextprotos) { + t.Fatal("unexpected TLSNextProtos") + } + if ev[1].TLSPeerCerts == nil { + t.Fatal("unexpected TLSPeerCerts") + } + if ev[1].TLSServerName != "www.google.com" { + t.Fatal("unexpected TLSServerName") + } + if ev[1].TLSVersion == "" { + t.Fatal("unexpected TLSVersion") + } + if ev[1].Time.Before(ev[0].Time) { + t.Fatal("unexpected Time") + } +} + +func TestSaverTLSHandshakerHostnameError(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + conn, err := tlsdlr.DialTLSContext( + context.Background(), "tcp", "wrong.host.badssl.com:443") + if err == nil { + t.Fatal("expected an error here") + } + if conn != nil { + t.Fatal("expected nil conn here") + } + for _, ev := range saver.Read() { + if ev.Name != "tls_handshake_done" { + continue + } + if ev.NoTLSVerify == true { + t.Fatal("expected NoTLSVerify to be false") + } + if len(ev.TLSPeerCerts) < 1 { + t.Fatal("expected at least a certificate here") + } + } +} + +func TestSaverTLSHandshakerInvalidCertError(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + conn, err := tlsdlr.DialTLSContext( + context.Background(), "tcp", "expired.badssl.com:443") + if err == nil { + t.Fatal("expected an error here") + } + if conn != nil { + t.Fatal("expected nil conn here") + } + for _, ev := range saver.Read() { + if ev.Name != "tls_handshake_done" { + continue + } + if ev.NoTLSVerify == true { + t.Fatal("expected NoTLSVerify to be false") + } + if len(ev.TLSPeerCerts) < 1 { + t.Fatal("expected at least a certificate here") + } + } +} + +func TestSaverTLSHandshakerAuthorityError(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + conn, err := tlsdlr.DialTLSContext( + context.Background(), "tcp", "self-signed.badssl.com:443") + if err == nil { + t.Fatal("expected an error here") + } + if conn != nil { + t.Fatal("expected nil conn here") + } + for _, ev := range saver.Read() { + if ev.Name != "tls_handshake_done" { + continue + } + if ev.NoTLSVerify == true { + t.Fatal("expected NoTLSVerify to be false") + } + if len(ev.TLSPeerCerts) < 1 { + t.Fatal("expected at least a certificate here") + } + } +} + +func TestSaverTLSHandshakerNoTLSVerify(t *testing.T) { + if testing.Short() { + t.Skip("skip test in short mode") + } + saver := &trace.Saver{} + tlsdlr := tlsdialer.TLSDialer{ + Config: &tls.Config{InsecureSkipVerify: true}, + Dialer: new(net.Dialer), + TLSHandshaker: tlsdialer.SaverTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, + Saver: saver, + }, + } + conn, err := tlsdlr.DialTLSContext( + context.Background(), "tcp", "self-signed.badssl.com:443") + if err != nil { + t.Fatal(err) + } + if conn == nil { + t.Fatal("expected non-nil conn here") + } + conn.Close() + for _, ev := range saver.Read() { + if ev.Name != "tls_handshake_done" { + continue + } + if ev.NoTLSVerify != true { + t.Fatal("expected NoTLSVerify to be true") + } + if len(ev.TLSPeerCerts) < 1 { + t.Fatal("expected at least a certificate here") + } + } +} diff --git a/internal/engine/netx/dialer/tls.go b/internal/engine/netx/tlsdialer/tls.go similarity index 93% rename from internal/engine/netx/dialer/tls.go rename to internal/engine/netx/tlsdialer/tls.go index cf958d8..ccd76fa 100644 --- a/internal/engine/netx/dialer/tls.go +++ b/internal/engine/netx/tlsdialer/tls.go @@ -1,4 +1,5 @@ -package dialer +// Package tlsdialer contains code to establish TLS connections. +package tlsdialer import ( "context" @@ -11,6 +12,11 @@ import ( "github.com/ooni/probe-cli/v3/internal/engine/netx/errorx" ) +// UnderlyingDialer is the underlying dialer type. +type UnderlyingDialer interface { + DialContext(ctx context.Context, network, address string) (net.Conn, error) +} + // TLSHandshaker is the generic TLS handshaker type TLSHandshaker interface { Handshake(ctx context.Context, conn net.Conn, config *tls.Config) ( @@ -105,7 +111,7 @@ func (h EmitterTLSHandshaker) Handshake( // TLSDialer is the TLS dialer type TLSDialer struct { Config *tls.Config - Dialer Dialer + Dialer UnderlyingDialer TLSHandshaker TLSHandshaker } diff --git a/internal/engine/netx/dialer/tls_test.go b/internal/engine/netx/tlsdialer/tls_test.go similarity index 78% rename from internal/engine/netx/dialer/tls_test.go rename to internal/engine/netx/tlsdialer/tls_test.go index d7b16ac..9e093fe 100644 --- a/internal/engine/netx/dialer/tls_test.go +++ b/internal/engine/netx/tlsdialer/tls_test.go @@ -1,4 +1,4 @@ -package dialer_test +package tlsdialer_test import ( "context" @@ -11,13 +11,13 @@ import ( "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/handlers" "github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx" - "github.com/ooni/probe-cli/v3/internal/engine/netx/dialer" "github.com/ooni/probe-cli/v3/internal/engine/netx/errorx" + "github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer" ) func TestSystemTLSHandshakerEOFError(t *testing.T) { - h := dialer.SystemTLSHandshaker{} - conn, _, err := h.Handshake(context.Background(), dialer.EOFConn{}, &tls.Config{ + h := tlsdialer.SystemTLSHandshaker{} + conn, _, err := h.Handshake(context.Background(), tlsdialer.EOFConn{}, &tls.Config{ ServerName: "x.org", }) if err != io.EOF { @@ -29,13 +29,13 @@ func TestSystemTLSHandshakerEOFError(t *testing.T) { } func TestTimeoutTLSHandshakerSetDeadlineError(t *testing.T) { - h := dialer.TimeoutTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, + h := tlsdialer.TimeoutTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, HandshakeTimeout: 200 * time.Millisecond, } expected := errors.New("mocked error") conn, _, err := h.Handshake( - context.Background(), &dialer.FakeConn{SetDeadlineError: expected}, + context.Background(), &tlsdialer.FakeConn{SetDeadlineError: expected}, new(tls.Config)) if !errors.Is(err, expected) { t.Fatal("not the error that we expected") @@ -46,12 +46,12 @@ func TestTimeoutTLSHandshakerSetDeadlineError(t *testing.T) { } func TestTimeoutTLSHandshakerEOFError(t *testing.T) { - h := dialer.TimeoutTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, + h := tlsdialer.TimeoutTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, HandshakeTimeout: 200 * time.Millisecond, } conn, _, err := h.Handshake( - context.Background(), dialer.EOFConn{}, &tls.Config{ServerName: "x.org"}) + context.Background(), tlsdialer.EOFConn{}, &tls.Config{ServerName: "x.org"}) if !errors.Is(err, io.EOF) { t.Fatal("not the error that we expected") } @@ -61,8 +61,8 @@ func TestTimeoutTLSHandshakerEOFError(t *testing.T) { } func TestTimeoutTLSHandshakerCallsSetDeadline(t *testing.T) { - h := dialer.TimeoutTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, + h := tlsdialer.TimeoutTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, HandshakeTimeout: 200 * time.Millisecond, } underlying := &SetDeadlineConn{} @@ -86,7 +86,7 @@ func TestTimeoutTLSHandshakerCallsSetDeadline(t *testing.T) { } type SetDeadlineConn struct { - dialer.EOFConn + tlsdialer.EOFConn deadlines []time.Time } @@ -96,9 +96,9 @@ func (c *SetDeadlineConn) SetDeadline(t time.Time) error { } func TestErrorWrapperTLSHandshakerFailure(t *testing.T) { - h := dialer.ErrorWrapperTLSHandshaker{TLSHandshaker: dialer.EOFTLSHandshaker{}} + h := tlsdialer.ErrorWrapperTLSHandshaker{TLSHandshaker: tlsdialer.EOFTLSHandshaker{}} conn, _, err := h.Handshake( - context.Background(), dialer.EOFConn{}, new(tls.Config)) + context.Background(), tlsdialer.EOFConn{}, new(tls.Config)) if !errors.Is(err, io.EOF) { t.Fatal("not the error that we expected") } @@ -126,8 +126,8 @@ func TestEmitterTLSHandshakerFailure(t *testing.T) { Beginning: time.Now(), Handler: saver, }) - h := dialer.EmitterTLSHandshaker{TLSHandshaker: dialer.EOFTLSHandshaker{}} - conn, _, err := h.Handshake(ctx, dialer.EOFConn{}, &tls.Config{ + h := tlsdialer.EmitterTLSHandshaker{TLSHandshaker: tlsdialer.EOFTLSHandshaker{}} + conn, _, err := h.Handshake(ctx, tlsdialer.EOFConn{}, &tls.Config{ ServerName: "www.kernel.org", }) if !errors.Is(err, io.EOF) { @@ -164,7 +164,7 @@ func TestEmitterTLSHandshakerFailure(t *testing.T) { } func TestTLSDialerFailureSplitHostPort(t *testing.T) { - dialer := dialer.TLSDialer{} + dialer := tlsdialer.TLSDialer{} conn, err := dialer.DialTLSContext( context.Background(), "tcp", "www.google.com") // missing port if err == nil { @@ -176,7 +176,7 @@ func TestTLSDialerFailureSplitHostPort(t *testing.T) { } func TestTLSDialerFailureDialing(t *testing.T) { - dialer := dialer.TLSDialer{Dialer: dialer.EOFDialer{}} + dialer := tlsdialer.TLSDialer{Dialer: tlsdialer.EOFDialer{}} conn, err := dialer.DialTLSContext( context.Background(), "tcp", "www.google.com:443") if !errors.Is(err, io.EOF) { @@ -188,9 +188,9 @@ func TestTLSDialerFailureDialing(t *testing.T) { } func TestTLSDialerFailureHandshaking(t *testing.T) { - rec := &RecorderTLSHandshaker{TLSHandshaker: dialer.SystemTLSHandshaker{}} - dialer := dialer.TLSDialer{ - Dialer: dialer.EOFConnDialer{}, + rec := &RecorderTLSHandshaker{TLSHandshaker: tlsdialer.SystemTLSHandshaker{}} + dialer := tlsdialer.TLSDialer{ + Dialer: tlsdialer.EOFConnDialer{}, TLSHandshaker: rec, } conn, err := dialer.DialTLSContext( @@ -207,12 +207,12 @@ func TestTLSDialerFailureHandshaking(t *testing.T) { } func TestTLSDialerFailureHandshakingOverrideSNI(t *testing.T) { - rec := &RecorderTLSHandshaker{TLSHandshaker: dialer.SystemTLSHandshaker{}} - dialer := dialer.TLSDialer{ + rec := &RecorderTLSHandshaker{TLSHandshaker: tlsdialer.SystemTLSHandshaker{}} + dialer := tlsdialer.TLSDialer{ Config: &tls.Config{ ServerName: "x.org", }, - Dialer: dialer.EOFConnDialer{}, + Dialer: tlsdialer.EOFConnDialer{}, TLSHandshaker: rec, } conn, err := dialer.DialTLSContext( @@ -229,7 +229,7 @@ func TestTLSDialerFailureHandshakingOverrideSNI(t *testing.T) { } type RecorderTLSHandshaker struct { - dialer.TLSHandshaker + tlsdialer.TLSHandshaker SNI string } @@ -241,10 +241,10 @@ func (h *RecorderTLSHandshaker) Handshake( } func TestDialTLSContextGood(t *testing.T) { - dialer := dialer.TLSDialer{ + dialer := tlsdialer.TLSDialer{ Config: &tls.Config{ServerName: "google.com"}, Dialer: new(net.Dialer), - TLSHandshaker: dialer.SystemTLSHandshaker{}, + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, } conn, err := dialer.DialTLSContext(context.Background(), "tcp", "google.com:443") if err != nil { @@ -257,12 +257,12 @@ func TestDialTLSContextGood(t *testing.T) { } func TestDialTLSContextTimeout(t *testing.T) { - dialer := dialer.TLSDialer{ + dialer := tlsdialer.TLSDialer{ Config: &tls.Config{ServerName: "google.com"}, Dialer: new(net.Dialer), - TLSHandshaker: dialer.ErrorWrapperTLSHandshaker{ - TLSHandshaker: dialer.TimeoutTLSHandshaker{ - TLSHandshaker: dialer.SystemTLSHandshaker{}, + TLSHandshaker: tlsdialer.ErrorWrapperTLSHandshaker{ + TLSHandshaker: tlsdialer.TimeoutTLSHandshaker{ + TLSHandshaker: tlsdialer.SystemTLSHandshaker{}, HandshakeTimeout: 10 * time.Microsecond, }, }, diff --git a/internal/engine/netx/gocertifi/certifi.go b/internal/engine/netx/tlsx/certifi.go similarity index 97% rename from internal/engine/netx/gocertifi/certifi.go rename to internal/engine/netx/tlsx/certifi.go index 0a1f0f9..2be0d24 100644 --- a/internal/engine/netx/gocertifi/certifi.go +++ b/internal/engine/netx/tlsx/certifi.go @@ -1,8 +1,8 @@ // Code generated by go generate; DO NOT EDIT. -// 2021-05-12 09:14:54.779668278 +0200 CEST m=+6.872930413 +// 2021-06-08 13:03:08.852763 +0200 CEST m=+2.563240667 // https://curl.haxx.se/ca/cacert.pem -package gocertifi +package tlsx //go:generate go run generate.go "https://curl.haxx.se/ca/cacert.pem" @@ -12,7 +12,7 @@ const pemcerts string = ` ## ## Bundle of CA Root Certificates ## -## Certificate data from Mozilla as of: Tue Apr 13 03:12:04 2021 GMT +## Certificate data from Mozilla as of: Tue May 25 03:12:05 2021 GMT ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates @@ -25,7 +25,7 @@ const pemcerts string = ` ## Just configure this file as the SSLCACertificateFile. ## ## Conversion done with mk-ca-bundle.pl version 1.28. -## SHA256: f377673fa3c22ba2188a4cea041c7b8c99a4817ffde6821e98325ce89324e5aa +## SHA256: e292bd4e2d500c86df45b830d89417be5c42ee670408f1d2c454c63d8a782865 ## @@ -904,82 +904,6 @@ Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw== -----END CERTIFICATE----- -Chambers of Commerce Root - 2008 -================================ ------BEGIN CERTIFICATE----- -MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYDVQQGEwJFVTFD -MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv -bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu -QS4xKTAnBgNVBAMTIENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEy -Mjk1MFoXDTM4MDczMTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNl -ZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQF -EwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJl -cnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW928sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKA -XuFixrYp4YFs8r/lfTJqVKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorj -h40G072QDuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR5gN/ -ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfLZEFHcpOrUMPrCXZk -NNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05aSd+pZgvMPMZ4fKecHePOjlO+Bd5g -D2vlGts/4+EhySnB8esHnFIbAURRPHsl18TlUlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331 -lubKgdaX8ZSD6e2wsWsSaR6s+12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ -0wlf2eOKNcx5Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj -ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAxhduub+84Mxh2 -EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQU+SSsD7K1+HnA+mCI -G8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1+HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJ -BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh -bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENh -bWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDiC -CQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUH -AgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAJASryI1 -wqM58C7e6bXpeHxIvj99RZJe6dqxGfwWPJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH -3qLPaYRgM+gQDROpI9CF5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbU -RWpGqOt1glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaHFoI6 -M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2pSB7+R5KBWIBpih1 -YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MDxvbxrN8y8NmBGuScvfaAFPDRLLmF -9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QGtjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcK -zBIKinmwPQN/aUv0NCB9szTqjktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvG -nrDQWzilm1DefhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg -OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZd0jQ ------END CERTIFICATE----- - -Global Chambersign Root - 2008 -============================== ------BEGIN CERTIFICATE----- -MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYDVQQGEwJFVTFD -MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv -bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu -QS4xJzAlBgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMx -NDBaFw0zODA3MzExMjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUg -Y3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ -QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD -aGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDf -VtPkOpt2RbQT2//BthmLN0EYlVJH6xedKYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXf -XjaOcNFccUMd2drvXNL7G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0 -ZJJ0YPP2zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4ddPB -/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyGHoiMvvKRhI9lNNgA -TH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2Id3UwD2ln58fQ1DJu7xsepeY7s2M -H/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3VyJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfe -Ox2YItaswTXbo6Al/3K1dh3ebeksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSF -HTynyQbehP9r6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh -wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsogzCtLkykPAgMB -AAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBS5CcqcHtvTbDprru1U8VuT -BjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDprru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UE -BhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm -aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm -aXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiCCQDJzdPp -1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0 -dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAICIf3DekijZBZRG -/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZUohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6 -ReAJ3spED8IXDneRRXozX1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/s -dZ7LoR/xfxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVza2Mg -9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yydYhz2rXzdpjEetrHH -foUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMdSqlapskD7+3056huirRXhOukP9Du -qqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9OAP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETr -P3iZ8ntxPjzxmKfFGBI/5rsoM0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVq -c5iJWzouE4gev8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z -09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B ------END CERTIFICATE----- - Go Daddy Root Certificate Authority - G2 ======================================== -----BEGIN CERTIFICATE----- @@ -3227,7 +3151,7 @@ CAezNIm8BZ/3Hobui3A= ` // CACerts builds an X.509 certificate pool containing the -// certificate bundle from https://curl.haxx.se/ca/cacert.pem fetch on 2021-05-12 09:14:54.779668278 +0200 CEST m=+6.872930413. +// certificate bundle from https://curl.haxx.se/ca/cacert.pem fetch on 2021-06-08 13:03:08.852763 +0200 CEST m=+2.563240667. // Returns nil on error along with an appropriate error code. func CACerts() (*x509.CertPool, error) { pool := x509.NewCertPool() diff --git a/internal/engine/netx/gocertifi/generate.go b/internal/engine/netx/tlsx/generate.go similarity index 99% rename from internal/engine/netx/gocertifi/generate.go rename to internal/engine/netx/tlsx/generate.go index 927b08b..eb0165d 100644 --- a/internal/engine/netx/gocertifi/generate.go +++ b/internal/engine/netx/tlsx/generate.go @@ -26,7 +26,7 @@ var tmpl = template.Must(template.New("").Parse(`// Code generated by go generat // {{ .Timestamp }} // {{ .URL }} -package gocertifi +package tlsx //go:generate go run generate.go "{{ .URL }}" diff --git a/internal/engine/internal/tlsx/tlsx.go b/internal/engine/netx/tlsx/tlsx.go similarity index 100% rename from internal/engine/internal/tlsx/tlsx.go rename to internal/engine/netx/tlsx/tlsx.go diff --git a/internal/engine/internal/tlsx/tlsx_test.go b/internal/engine/netx/tlsx/tlsx_test.go similarity index 100% rename from internal/engine/internal/tlsx/tlsx_test.go rename to internal/engine/netx/tlsx/tlsx_test.go