refactor: move tlsdialer to netxlite (#404)
Part of https://github.com/ooni/probe/issues/1505
This commit is contained in:
Simone Basso
GitHub
@@ -0,0 +1,69 @@
|
||||
package netxlite
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"net"
|
||||
)
|
||||
|
||||
// TLSDialer is the TLS dialer
|
||||
type TLSDialer struct {
|
||||
// Config is the OPTIONAL tls config.
|
||||
Config *tls.Config
|
||||
|
||||
// Dialer is the MANDATORY dialer.
|
||||
Dialer Dialer
|
||||
|
||||
// TLSHandshaker is the MANDATORY TLS handshaker.
|
||||
TLSHandshaker TLSHandshaker
|
||||
}
|
||||
|
||||
// DialTLSContext dials a TLS connection.
|
||||
func (d *TLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
host, port, err := net.SplitHostPort(address)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
conn, err := d.Dialer.DialContext(ctx, network, address)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
config := d.config(host, port)
|
||||
tlsconn, _, err := d.TLSHandshaker.Handshake(ctx, conn, config)
|
||||
if err != nil {
|
||||
conn.Close()
|
||||
return nil, err
|
||||
}
|
||||
return tlsconn, nil
|
||||
}
|
||||
|
||||
// config creates a new config. If d.Config is nil, then we start
|
||||
// from an empty config. Otherwise, we clone d.Config.
|
||||
//
|
||||
// We set the ServerName field if not already set.
|
||||
//
|
||||
// We set the ALPN if the port is 443 or 853, if not already set.
|
||||
//
|
||||
// We force using our root CA, unless it's already set.
|
||||
func (d *TLSDialer) config(host, port string) *tls.Config {
|
||||
config := d.Config
|
||||
if config == nil {
|
||||
config = &tls.Config{}
|
||||
}
|
||||
config = config.Clone() // operate on a clone
|
||||
if config.ServerName == "" {
|
||||
config.ServerName = host
|
||||
}
|
||||
if len(config.NextProtos) <= 0 {
|
||||
switch port {
|
||||
case "443":
|
||||
config.NextProtos = []string{"h2", "http/1.1"}
|
||||
case "853":
|
||||
config.NextProtos = []string{"dot"}
|
||||
}
|
||||
}
|
||||
if config.RootCAs == nil {
|
||||
config.RootCAs = NewDefaultCertPool()
|
||||
}
|
||||
return config
|
||||
}
|
||||
@@ -0,0 +1,177 @@
|
||||
package netxlite
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"io"
|
||||
"net"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
"github.com/ooni/probe-cli/v3/internal/netxmocks"
|
||||
)
|
||||
|
||||
func TestTLSDialerFailureSplitHostPort(t *testing.T) {
|
||||
dialer := &TLSDialer{}
|
||||
ctx := context.Background()
|
||||
const address = "www.google.com" // missing port
|
||||
conn, err := dialer.DialTLSContext(ctx, "tcp", address)
|
||||
if err == nil || !strings.HasSuffix(err.Error(), "missing port in address") {
|
||||
t.Fatal("not the error we expected", err)
|
||||
}
|
||||
if conn != nil {
|
||||
t.Fatal("connection is not nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerFailureDialing(t *testing.T) {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
cancel() // immediately fail
|
||||
dialer := TLSDialer{Dialer: &net.Dialer{}}
|
||||
conn, err := dialer.DialTLSContext(ctx, "tcp", "www.google.com:443")
|
||||
if err == nil || !strings.HasSuffix(err.Error(), "operation was canceled") {
|
||||
t.Fatal("not the error we expected", err)
|
||||
}
|
||||
if conn != nil {
|
||||
t.Fatal("connection is not nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerFailureHandshaking(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
dialer := TLSDialer{
|
||||
Config: &tls.Config{},
|
||||
Dialer: &netxmocks.Dialer{MockDialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
return &netxmocks.Conn{MockWrite: func(b []byte) (int, error) {
|
||||
return 0, io.EOF
|
||||
}, MockClose: func() error {
|
||||
return nil
|
||||
}, MockSetDeadline: func(t time.Time) error {
|
||||
return nil
|
||||
}}, nil
|
||||
}},
|
||||
TLSHandshaker: &TLSHandshakerStdlib{},
|
||||
}
|
||||
conn, err := dialer.DialTLSContext(ctx, "tcp", "www.google.com:443")
|
||||
if !errors.Is(err, io.EOF) {
|
||||
t.Fatal("not the error we expected", err)
|
||||
}
|
||||
if conn != nil {
|
||||
t.Fatal("connection is not nil")
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerSuccessHandshaking(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
dialer := TLSDialer{
|
||||
Dialer: &netxmocks.Dialer{MockDialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
return &netxmocks.Conn{MockWrite: func(b []byte) (int, error) {
|
||||
return 0, io.EOF
|
||||
}, MockClose: func() error {
|
||||
return nil
|
||||
}, MockSetDeadline: func(t time.Time) error {
|
||||
return nil
|
||||
}}, nil
|
||||
}},
|
||||
TLSHandshaker: &netxmocks.TLSHandshaker{
|
||||
MockHandshake: func(ctx context.Context, conn net.Conn, config *tls.Config) (net.Conn, tls.ConnectionState, error) {
|
||||
return tls.Client(conn, config), tls.ConnectionState{}, nil
|
||||
},
|
||||
},
|
||||
}
|
||||
conn, err := dialer.DialTLSContext(ctx, "tcp", "www.google.com:443")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if conn == nil {
|
||||
t.Fatal("connection is nil")
|
||||
}
|
||||
conn.Close()
|
||||
}
|
||||
|
||||
func TestTLSDialerConfigFromEmptyConfigForWeb(t *testing.T) {
|
||||
d := &TLSDialer{}
|
||||
config := d.config("www.google.com", "443")
|
||||
if config.ServerName != "www.google.com" {
|
||||
t.Fatal("invalid server name")
|
||||
}
|
||||
if config.RootCAs == nil {
|
||||
t.Fatal("expected non-nil root CAs")
|
||||
}
|
||||
if diff := cmp.Diff(config.NextProtos, []string{"h2", "http/1.1"}); diff != "" {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerConfigFromEmptyConfigForDoT(t *testing.T) {
|
||||
d := &TLSDialer{}
|
||||
config := d.config("dns.google", "853")
|
||||
if config.ServerName != "dns.google" {
|
||||
t.Fatal("invalid server name")
|
||||
}
|
||||
if config.RootCAs == nil {
|
||||
t.Fatal("expected non-nil root CAs")
|
||||
}
|
||||
if diff := cmp.Diff(config.NextProtos, []string{"dot"}); diff != "" {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerConfigWithServerName(t *testing.T) {
|
||||
d := &TLSDialer{
|
||||
Config: &tls.Config{
|
||||
ServerName: "example.com",
|
||||
},
|
||||
}
|
||||
config := d.config("dns.google", "853")
|
||||
if config.ServerName != "example.com" {
|
||||
t.Fatal("invalid server name")
|
||||
}
|
||||
if config.RootCAs == nil {
|
||||
t.Fatal("expected non-nil root CAs")
|
||||
}
|
||||
if diff := cmp.Diff(config.NextProtos, []string{"dot"}); diff != "" {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerConfigWithALPN(t *testing.T) {
|
||||
d := &TLSDialer{
|
||||
Config: &tls.Config{
|
||||
NextProtos: []string{"h2"},
|
||||
},
|
||||
}
|
||||
config := d.config("dns.google", "853")
|
||||
if config.ServerName != "dns.google" {
|
||||
t.Fatal("invalid server name")
|
||||
}
|
||||
if config.RootCAs == nil {
|
||||
t.Fatal("expected non-nil root CAs")
|
||||
}
|
||||
if diff := cmp.Diff(config.NextProtos, []string{"h2"}); diff != "" {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDialerConfigWithRootCA(t *testing.T) {
|
||||
pool := &x509.CertPool{}
|
||||
d := &TLSDialer{
|
||||
Config: &tls.Config{
|
||||
RootCAs: pool,
|
||||
},
|
||||
}
|
||||
config := d.config("dns.google", "853")
|
||||
if config.ServerName != "dns.google" {
|
||||
t.Fatal("invalid server name")
|
||||
}
|
||||
if config.RootCAs != pool {
|
||||
t.Fatal("not the RootCAs we expected")
|
||||
}
|
||||
if diff := cmp.Diff(config.NextProtos, []string{"dot"}); diff != "" {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user