Compare commits

...

6 Commits

2 changed files with 344 additions and 85 deletions

View File

@ -8,7 +8,6 @@ import (
"net" "net"
"net/smtp" "net/smtp"
"net/url" "net/url"
"strconv"
"time" "time"
"github.com/ooni/probe-cli/v3/internal/engine/experiment/urlgetter" "github.com/ooni/probe-cli/v3/internal/engine/experiment/urlgetter"
@ -26,9 +25,6 @@ var (
// errInvalidScheme indicates that the scheme is invalid // errInvalidScheme indicates that the scheme is invalid
errInvalidScheme = errors.New("scheme must be smtp(s)") errInvalidScheme = errors.New("scheme must be smtp(s)")
// errInvalidPort indicates that the port provided could not be parsed as an int
errInvalidPort = errors.New("Port number is not a valid integer")
) )
const ( const (
@ -37,14 +33,16 @@ const (
) )
// Config contains the experiment config. // Config contains the experiment config.
type Config struct { type Config struct{}
type RuntimeConfig struct {
host string host string
port string port string
forced_tls bool forced_tls bool
noop_count uint8 noop_count uint8
} }
func config(input model.MeasurementTarget) (*Config, error) { func config(input model.MeasurementTarget) (*RuntimeConfig, error) {
if input == "" { if input == "" {
// TODO: static input data (eg. gmail/riseup..) // TODO: static input data (eg. gmail/riseup..)
return nil, errNoInputProvided return nil, errNoInputProvided
@ -68,16 +66,11 @@ func config(input model.MeasurementTarget) (*Config, error) {
port = "465" port = "465"
} }
} else { } else {
// Check that requested port is a valid integer // Valid port is checked by URL parsing
_, err := strconv.Atoi(parsed.Port())
if err != nil {
return nil, errInvalidPort
} else {
port = parsed.Port() port = parsed.Port()
} }
}
valid_config := Config{ valid_config := RuntimeConfig{
host: parsed.Hostname(), host: parsed.Hostname(),
forced_tls: parsed.Scheme == "smtps", forced_tls: parsed.Scheme == "smtps",
port: port, port: port,
@ -88,14 +81,24 @@ func config(input model.MeasurementTarget) (*Config, error) {
} }
// TestKeys contains the experiment results // TestKeys contains the experiment results
type TestKeys struct { type TestKeys struct {
Queries []*model.ArchivalDNSLookupResult `json:"queries"` Queries []*model.ArchivalDNSLookupResult `json:"queries"`
TCPConnect []*model.ArchivalTCPConnectResult `json:"tcp_connect"` Runs map[string]*IndividualTestKeys `json:"runs"`
TLSHandshakes []*model.ArchivalTLSOrQUICHandshakeResult `json:"tls_handshakes"`
SMTPErrors map[string][]*string `json:"smtp"`
NoOpCounter uint8 `json:"successful_noops"`
// Used for global failure (DNS resolution) // Used for global failure (DNS resolution)
Failure string `json:"failure"` Failure string `json:"failure"`
// Indicates global failure or individual test failure
Failed bool `json:"failed"`
}
// IndividualTestKeys contains results for TCP/IP level stuff for each address found
// in the DNS lookup
type IndividualTestKeys struct {
NoOpCounter uint8
TCPConnect []*model.ArchivalTCPConnectResult `json:"tcp_connect"`
TLSHandshakes []*model.ArchivalTLSOrQUICHandshakeResult `json:"tls_handshakes"`
// Individual failure aborting the test run for this address/port combo
Failure *string `json:"failure"`
} }
type Measurer struct { type Measurer struct {
@ -117,9 +120,9 @@ func (m Measurer) ExperimentVersion() string {
return testVersion return testVersion
} }
// Manages sequential SMTP sessions to the same hostname (over different IPs) // Manages sequential TCP sessions to the same hostname (over different IPs)
// don't use in parallel! // don't use in parallel!
type SMTPRunner struct { type TCPRunner struct {
trace *measurexlite.Trace trace *measurexlite.Trace
logger model.Logger logger model.Logger
ctx context.Context ctx context.Context
@ -127,17 +130,101 @@ type SMTPRunner struct {
tlsconfig *tls.Config tlsconfig *tls.Config
host string host string
port string port string
// addr is changed everytime SMTPRunner.conn(addr) is called // addr is changed everytime TCPRunner.conn(addr) is called
addr string addr string
} }
func (r SMTPRunner) smtp_error(err error) { type TCPSession struct {
key := net.JoinHostPort(r.addr, r.port) addr string
// Key is initialized in conn() no need to check here port string
r.tk.SMTPErrors[key] = append(r.tk.SMTPErrors[key], tracex.NewFailure(err)) runner *TCPRunner
tk *IndividualTestKeys
tls bool
raw_conn *net.Conn
tls_conn *net.Conn
} }
func (r SMTPRunner) resolve(host string) ([]string, bool) { func (s *TCPSession) Close() {
if s.tls {
var conn = *s.tls_conn
conn.Close()
} else {
var conn = *s.raw_conn
conn.Close()
}
}
func (s *TCPSession) current_conn() net.Conn {
if s.tls {
return *s.tls_conn
} else {
return *s.raw_conn
}
}
func (r *TCPRunner) run_key() string {
return net.JoinHostPort(r.addr, r.port)
}
func (r *TCPRunner) get_run() *IndividualTestKeys {
if r.tk.Runs == nil {
r.tk.Runs = make(map[string]*IndividualTestKeys)
}
key := r.run_key()
val, exists := r.tk.Runs[key]
if exists {
return val
} else {
r.tk.Runs[key] = &IndividualTestKeys{}
return r.tk.Runs[key]
}
}
func (r *TCPRunner) conn(addr string, port string) (*TCPSession, bool) {
r.addr = addr
run := r.get_run()
s := new(TCPSession)
if !s.conn(addr, port, r, run) {
return nil, false
}
return s, true
}
func (r *TCPRunner) dial(addr string, port string) (net.Conn, error) {
dialer := r.trace.NewDialerWithoutResolver(r.logger)
conn, err := dialer.DialContext(r.ctx, "tcp", net.JoinHostPort(addr, port))
run := r.get_run()
run.TCPConnect = append(run.TCPConnect, r.trace.TCPConnects()...)
return conn, err
}
func (s *TCPSession) conn(addr string, port string, runner *TCPRunner, tk *IndividualTestKeys) bool {
// Initialize addr field and corresponding errors in TestKeys
s.addr = addr
s.port = port
s.tls = false
s.runner = runner
s.tk = tk
conn, err := runner.dial(addr, port)
if err != nil {
s.error(err)
return false
}
s.raw_conn = &conn
return true
}
func (s *TCPSession) error(err error) {
s.runner.tk.Failed = true
s.tk.Failure = tracex.NewFailure(err)
//s. = append(s.errors, tracex.NewFailure(err))
}
func (r *TCPRunner) resolve(host string) ([]string, bool) {
r.logger.Infof("Resolving DNS for %s", host) r.logger.Infof("Resolving DNS for %s", host)
resolver := r.trace.NewStdlibResolver(r.logger) resolver := r.trace.NewStdlibResolver(r.logger)
addrs, err := resolver.LookupHost(r.ctx, host) addrs, err := resolver.LookupHost(r.ctx, host)
@ -151,77 +238,70 @@ func (r SMTPRunner) resolve(host string) ([]string, bool) {
return addrs, true return addrs, true
} }
func (r SMTPRunner) conn(addr string) (net.Conn, bool) { func (s *TCPSession) handshake() bool {
// Initialize addr field and corresponding errors in TestKeys if s.tls {
r.addr = addr // TLS already initialized...
if r.tk.SMTPErrors == nil { return true
r.tk.SMTPErrors = make(map[string][]*string)
} }
r.tk.SMTPErrors[net.JoinHostPort(addr, r.port)] = []*string{} s.runner.logger.Infof("Starting TLS handshake with %s:%s", s.addr, s.port)
thx := s.runner.trace.NewTLSHandshakerStdlib(s.runner.logger)
dialer := r.trace.NewDialerWithoutResolver(r.logger) tconn, _, err := thx.Handshake(s.runner.ctx, *s.raw_conn, s.runner.tlsconfig)
conn, err := dialer.DialContext(r.ctx, "tcp", net.JoinHostPort(r.addr, r.port)) s.tk.TLSHandshakes = append(s.tk.TLSHandshakes, s.runner.trace.FirstTLSHandshakeOrNil())
r.tk.TCPConnect = append(r.tk.TCPConnect, r.trace.TCPConnects()...)
if err != nil { if err != nil {
r.smtp_error(err) s.error(err)
return nil, false return false
}
return conn, true
} }
func (r SMTPRunner) handshake(conn net.Conn) (net.Conn, bool) { s.tls = true
r.logger.Infof("Starting TLS handshake with %s:%s (%s)", r.host, r.port, r.addr) s.tls_conn = &tconn
thx := r.trace.NewTLSHandshakerStdlib(r.logger) s.runner.logger.Infof("Handshake succeeded")
tconn, _, err := thx.Handshake(r.ctx, conn, r.tlsconfig) return true
r.tk.TLSHandshakes = append(r.tk.TLSHandshakes, r.trace.FirstTLSHandshakeOrNil())
if err != nil {
r.smtp_error(err)
return nil, false
}
r.logger.Infof("Handshake succeeded")
return tconn, true
} }
func (r SMTPRunner) starttls(conn net.Conn, message string) (net.Conn, bool) { func (s *TCPSession) starttls(message string) bool {
if s.tls {
// TLS already initialized...
return true
}
if message != "" { if message != "" {
r.logger.Infof("Asking for StartTLS upgrade") s.runner.logger.Infof("Asking for StartTLS upgrade")
conn.Write([]byte(message)) s.current_conn().Write([]byte(message))
} }
tconn, success := r.handshake(conn) return s.handshake()
return tconn, success
} }
func (r SMTPRunner) smtp(conn net.Conn, ehlo string, noop uint8) bool { func (s *TCPSession) smtp(ehlo string, noop uint8) bool {
client, err := smtp.NewClient(conn, ehlo) // Auto-choose plaintext/TCP session
client, err := smtp.NewClient(s.current_conn(), ehlo)
if err != nil { if err != nil {
r.smtp_error(err) s.error(err)
return false return false
} }
err = client.Hello(ehlo) err = client.Hello(ehlo)
if err != nil { if err != nil {
r.smtp_error(err) s.error(err)
return false return false
} }
if noop > 0 { if noop > 0 {
r.logger.Infof("Trying to generate more no-op traffic") s.runner.logger.Infof("Trying to generate more no-op traffic")
// TODO: noop counter per IP address // TODO: noop counter per IP address
r.tk.NoOpCounter = 0 s.tk.NoOpCounter = 0
for r.tk.NoOpCounter < noop { for s.tk.NoOpCounter < noop {
r.tk.NoOpCounter += 1 s.tk.NoOpCounter += 1
r.logger.Infof("NoOp Iteration %d", r.tk.NoOpCounter) s.runner.logger.Infof("NoOp Iteration %d", s.tk.NoOpCounter)
err = client.Noop() err = client.Noop()
if err != nil { if err != nil {
r.smtp_error(err) s.error(err)
break break
} }
} }
if r.tk.NoOpCounter == noop { if s.tk.NoOpCounter == noop {
r.logger.Infof("Successfully generated no-op traffic") s.runner.logger.Infof("Successfully generated no-op traffic")
return true return true
} else { } else {
r.logger.Infof("Failed no-op traffic at iteration %d", r.tk.NoOpCounter) s.runner.logger.Infof("Failed no-op traffic at iteration %d", s.tk.NoOpCounter)
return false return false
} }
} }
@ -234,7 +314,6 @@ func (m Measurer) Run(
ctx context.Context, sess model.ExperimentSession, ctx context.Context, sess model.ExperimentSession,
measurement *model.Measurement, callbacks model.ExperimentCallbacks, measurement *model.Measurement, callbacks model.ExperimentCallbacks,
) error { ) error {
log := sess.Logger() log := sess.Logger()
trace := measurexlite.NewTrace(0, measurement.MeasurementStartTimeSaved) trace := measurexlite.NewTrace(0, measurement.MeasurementStartTimeSaved)
@ -255,7 +334,7 @@ func (m Measurer) Run(
ServerName: config.host, ServerName: config.host,
} }
runner := SMTPRunner{ runner := &TCPRunner{
trace: trace, trace: trace,
logger: log, logger: log,
ctx: ctx, ctx: ctx,
@ -263,7 +342,6 @@ func (m Measurer) Run(
tlsconfig: &tlsconfig, tlsconfig: &tlsconfig,
host: config.host, host: config.host,
port: config.port, port: config.port,
addr: "",
} }
// First resolve DNS // First resolve DNS
@ -273,38 +351,34 @@ func (m Measurer) Run(
} }
for _, addr := range addrs { for _, addr := range addrs {
conn, success := runner.conn(addr) tcp_session, success := runner.conn(addr, config.port)
if !success {
return nil
}
defer conn.Close()
if config.forced_tls {
// Direct TLS connection
tconn, success := runner.handshake(conn)
if !success { if !success {
continue continue
} }
defer tconn.Close() defer tcp_session.Close()
if config.forced_tls {
// Direct TLS connection
if !tcp_session.handshake() {
continue
}
// Try EHLO + NoOps // Try EHLO + NoOps
if !runner.smtp(tconn, "localhost", 10) { if !tcp_session.smtp("localhost", config.noop_count) {
continue continue
} }
} else { } else {
// StartTLS... first try plaintext EHLO // StartTLS... first try plaintext EHLO
if !runner.smtp(conn, "localhost", 0) { if !tcp_session.smtp("localhost", 0) {
continue continue
} }
// Upgrade via StartTLS and try EHLO + NoOps // Upgrade via StartTLS and try EHLO + NoOps
tconn, success := runner.starttls(conn, "STARTTLS\n") if !tcp_session.starttls("STARTTLS\n") {
if !success {
continue continue
} }
defer tconn.Close()
if !runner.smtp(tconn, "localhost", 10) { if !tcp_session.smtp("localhost", config.noop_count) {
continue continue
} }
} }

View File

@ -0,0 +1,185 @@
package smtp
import (
"bufio"
"context"
"crypto/tls"
"errors"
"fmt"
"net"
"strings"
"testing"
"github.com/ooni/probe-cli/v3/internal/engine/mockable"
"github.com/ooni/probe-cli/v3/internal/model"
)
func plaintextListener() net.Listener {
l, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {
if l, err = net.Listen("tcp6", "[::1]:0"); err != nil {
panic(fmt.Sprintf("httptest: failed to listen on a port: %v", err))
}
}
return l
}
func tlsListener(l net.Listener) net.Listener {
return tls.NewListener(l, &tls.Config{})
}
func listener_addr(l net.Listener) string {
return l.Addr().String()
}
func ValidSMTPServer(conn net.Conn) {
for {
command, err := bufio.NewReader(conn).ReadString('\n')
if err != nil {
return
}
if command == "" {
} else if command == "NOOP" {
conn.Write([]byte("250 2.0.0 Ok\n"))
} else if command == "STARTTLS" {
conn.Write([]byte("220 2.0.0 Ready to start TLS\n"))
// TODO: conn.Close does not actually close connection? or does client not detect it?
conn.Close()
return
} else if strings.HasPrefix(command, "EHLO") {
conn.Write([]byte("250 mock.example.com\n"))
}
conn.Write([]byte("\n"))
}
}
func TCPServer(l net.Listener) {
for {
conn, err := l.Accept()
if err != nil {
continue
}
defer conn.Close()
conn.Write([]byte("220 mock.example.com ESMTP (spam is not appreciated)\n"))
ValidSMTPServer(conn)
}
}
func TestMeasurer_run(t *testing.T) {
// runHelper is an helper function to run this set of tests.
runHelper := func(input string) (*model.Measurement, model.ExperimentMeasurer, error) {
m := NewExperimentMeasurer(Config{})
if m.ExperimentName() != "smtp" {
t.Fatal("invalid experiment name")
}
if m.ExperimentVersion() != "0.0.1" {
t.Fatal("invalid experiment version")
}
ctx := context.Background()
meas := &model.Measurement{
Input: model.MeasurementTarget(input),
}
sess := &mockable.Session{
MockableLogger: model.DiscardLogger,
}
callbacks := model.NewPrinterCallbacks(model.DiscardLogger)
err := m.Run(ctx, sess, meas, callbacks)
return meas, m, err
}
t.Run("with empty input", func(t *testing.T) {
_, _, err := runHelper("")
if !errors.Is(err, errNoInputProvided) {
t.Fatal("unexpected error", err)
}
})
t.Run("with invalid URL", func(t *testing.T) {
_, _, err := runHelper("\t")
if !errors.Is(err, errInputIsNotAnURL) {
t.Fatal("unexpected error", err)
}
})
t.Run("with invalid scheme", func(t *testing.T) {
_, _, err := runHelper("https://8.8.8.8:443/")
if !errors.Is(err, errInvalidScheme) {
t.Fatal("unexpected error", err)
}
})
t.Run("with broken TLS", func(t *testing.T) {
p := plaintextListener()
defer p.Close()
l := tlsListener(p)
defer l.Close()
addr := listener_addr(l)
go TCPServer(l)
meas, m, err := runHelper("smtps://" + addr)
if err != nil {
t.Fatal(err)
}
tk := meas.TestKeys.(*TestKeys)
for _, run := range tk.Runs {
for _, handshake := range run.TLSHandshakes {
if *handshake.Failure != "unknown_failure: remote error: tls: unrecognized name" {
t.Fatal("expected unrecognized_name in TLS handshake")
}
}
if run.NoOpCounter != 0 {
t.Fatalf("expected to not have any noops, not %d noops", run.NoOpCounter)
}
}
ask, err := m.GetSummaryKeys(meas)
if err != nil {
t.Fatal("cannot obtain summary")
}
summary := ask.(SummaryKeys)
if summary.IsAnomaly {
t.Fatal("expected no anomaly")
}
})
t.Run("with broken starttls", func(t *testing.T) {
l := plaintextListener()
defer l.Close()
addr := listener_addr(l)
go TCPServer(l)
meas, m, err := runHelper("smtp://" + addr)
if err != nil {
t.Fatal(err)
}
tk := meas.TestKeys.(*TestKeys)
for _, run := range tk.Runs {
for _, handshake := range run.TLSHandshakes {
if *handshake.Failure != "generic_timeout_error" {
t.Fatal("expected timeout in TLS handshake")
}
}
if run.NoOpCounter != 0 {
t.Fatalf("expected to not have any noops, not %d noops", run.NoOpCounter)
}
}
ask, err := m.GetSummaryKeys(meas)
if err != nil {
t.Fatal("cannot obtain summary")
}
summary := ask.(SummaryKeys)
if summary.IsAnomaly {
t.Fatal("expected no anomaly")
}
})
}