package measurexlite import ( "bytes" "context" "crypto/tls" "crypto/x509" "errors" "net" "reflect" "testing" "time" "github.com/google/go-cmp/cmp" "github.com/ooni/probe-cli/v3/internal/model" "github.com/ooni/probe-cli/v3/internal/model/mocks" "github.com/ooni/probe-cli/v3/internal/netxlite" "github.com/ooni/probe-cli/v3/internal/netxlite/filtering" "github.com/ooni/probe-cli/v3/internal/testingx" ) func TestNewTLSHandshakerStdlib(t *testing.T) { t.Run("NewTLSHandshakerStdlib creates a wrapped TLSHandshaker", func(t *testing.T) { underlying := &mocks.TLSHandshaker{} zeroTime := time.Now() trace := NewTrace(0, zeroTime) trace.NewTLSHandshakerStdlibFn = func(dl model.DebugLogger) model.TLSHandshaker { return underlying } thx := trace.NewTLSHandshakerStdlib(model.DiscardLogger) thxt := thx.(*tlsHandshakerTrace) if thxt.thx != underlying { t.Fatal("invalid TLS handshaker") } if thxt.tx != trace { t.Fatal("invalid trace") } }) t.Run("Handshake calls the underlying dialer with context-based tracing", func(t *testing.T) { expectedErr := errors.New("mocked err") zeroTime := time.Now() trace := NewTrace(0, zeroTime) var hasCorrectTrace bool underlying := &mocks.TLSHandshaker{ MockHandshake: func(ctx context.Context, conn net.Conn, config *tls.Config) (net.Conn, tls.ConnectionState, error) { gotTrace := netxlite.ContextTraceOrDefault(ctx) hasCorrectTrace = (gotTrace == trace) return nil, tls.ConnectionState{}, expectedErr }, } trace.NewTLSHandshakerStdlibFn = func(dl model.DebugLogger) model.TLSHandshaker { return underlying } thx := trace.NewTLSHandshakerStdlib(model.DiscardLogger) ctx := context.Background() conn, state, err := thx.Handshake(ctx, &mocks.Conn{}, &tls.Config{}) if !errors.Is(err, expectedErr) { t.Fatal("unexpected err", err) } if !reflect.ValueOf(state).IsZero() { t.Fatal("expected zero-value state") } if conn != nil { t.Fatal("expected nil conn") } if !hasCorrectTrace { t.Fatal("does not have the correct trace") } }) t.Run("Handshake saves into the trace", func(t *testing.T) { mockedErr := errors.New("mocked") zeroTime := time.Now() td := testingx.NewTimeDeterministic(zeroTime) trace := NewTrace(0, zeroTime) trace.TimeNowFn = td.Now // deterministic timing thx := trace.NewTLSHandshakerStdlib(model.DiscardLogger) ctx := context.Background() tcpConn := &mocks.Conn{ MockSetDeadline: func(t time.Time) error { return nil }, MockRemoteAddr: func() net.Addr { return &mocks.Addr{ MockNetwork: func() string { return "tcp" }, MockString: func() string { return "1.1.1.1:443" }, } }, MockWrite: func(b []byte) (int, error) { return 0, mockedErr }, MockClose: func() error { return nil }, } tlsConfig := &tls.Config{ InsecureSkipVerify: true, ServerName: "dns.cloudflare.com", } conn, state, err := thx.Handshake(ctx, tcpConn, tlsConfig) if !errors.Is(err, mockedErr) { t.Fatal("unexpected err", err) } if !reflect.ValueOf(state).IsZero() { t.Fatal("expected zero-value state") } if conn != nil { t.Fatal("expected nil conn") } t.Run("TLSHandshake events", func(t *testing.T) { events := trace.TLSHandshakes() if len(events) != 1 { t.Fatal("expected to see single TLSHandshake event") } expectedFailure := "unknown_failure: mocked" expect := &model.ArchivalTLSOrQUICHandshakeResult{ Network: "tcp", Address: "1.1.1.1:443", CipherSuite: "", Failure: &expectedFailure, NegotiatedProtocol: "", NoTLSVerify: true, PeerCertificates: []model.ArchivalMaybeBinaryData{}, ServerName: "dns.cloudflare.com", T: time.Second.Seconds(), Tags: []string{}, TLSVersion: "", } got := events[0] if diff := cmp.Diff(expect, got); diff != "" { t.Fatal(diff) } }) t.Run("Network events", func(t *testing.T) { events := trace.NetworkEvents() if len(events) != 2 { t.Fatal("expected to see two Network events") } t.Run("tls_handshake_start", func(t *testing.T) { expect := &model.ArchivalNetworkEvent{ Address: "", Failure: nil, NumBytes: 0, Operation: "tls_handshake_start", Proto: "", T: 0, Tags: []string{}, } got := events[0] if diff := cmp.Diff(expect, got); diff != "" { t.Fatal(diff) } }) t.Run("tls_handshake_done", func(t *testing.T) { expect := &model.ArchivalNetworkEvent{ Address: "", Failure: nil, NumBytes: 0, Operation: "tls_handshake_done", Proto: "", T0: time.Second.Seconds(), T: time.Second.Seconds(), Tags: []string{}, } got := events[1] if diff := cmp.Diff(expect, got); diff != "" { t.Fatal(diff) } }) }) }) t.Run("Handshake discards events when buffers are full", func(t *testing.T) { mockedErr := errors.New("mocked") zeroTime := time.Now() trace := NewTrace(0, zeroTime) trace.networkEvent = make(chan *model.ArchivalNetworkEvent) // no buffer trace.tlsHandshake = make(chan *model.ArchivalTLSOrQUICHandshakeResult) // no buffer thx := trace.NewTLSHandshakerStdlib(model.DiscardLogger) ctx := context.Background() tcpConn := &mocks.Conn{ MockSetDeadline: func(t time.Time) error { return nil }, MockRemoteAddr: func() net.Addr { return &mocks.Addr{ MockNetwork: func() string { return "tcp" }, MockString: func() string { return "1.1.1.1:443" }, } }, MockWrite: func(b []byte) (int, error) { return 0, mockedErr }, MockClose: func() error { return nil }, } tlsConfig := &tls.Config{ InsecureSkipVerify: true, ServerName: "dns.cloudflare.com", } conn, state, err := thx.Handshake(ctx, tcpConn, tlsConfig) if !errors.Is(err, mockedErr) { t.Fatal("unexpected err", err) } if !reflect.ValueOf(state).IsZero() { t.Fatal("expected zero-value state") } if conn != nil { t.Fatal("expected nil conn") } t.Run("TLSHandshake events", func(t *testing.T) { events := trace.TLSHandshakes() if len(events) != 0 { t.Fatal("expected to see no TLSHandshake events") } }) t.Run("Network events", func(t *testing.T) { events := trace.NetworkEvents() if len(events) != 0 { t.Fatal("expected to see no Network events") } }) }) t.Run("we collect the desired data with a local TLS server", func(t *testing.T) { server := filtering.NewTLSServer(filtering.TLSActionBlockText) dialer := netxlite.NewDialerWithoutResolver(model.DiscardLogger) ctx := context.Background() conn, err := dialer.DialContext(ctx, "tcp", server.Endpoint()) if err != nil { t.Fatal(err) } defer conn.Close() zeroTime := time.Now() dt := testingx.NewTimeDeterministic(zeroTime) trace := NewTrace(0, zeroTime) trace.TimeNowFn = dt.Now // deterministic timing thx := trace.NewTLSHandshakerStdlib(model.DiscardLogger) tlsConfig := &tls.Config{ RootCAs: server.CertPool(), ServerName: "dns.google", } tlsConn, connState, err := thx.Handshake(ctx, conn, tlsConfig) if err != nil { t.Fatal(err) } defer tlsConn.Close() data, err := netxlite.ReadAllContext(ctx, tlsConn) if err != nil { t.Fatal(err) } if !bytes.Equal(data, filtering.HTTPBlockpage451) { t.Fatal("bytes should match") } t.Run("TLSHandshake events", func(t *testing.T) { events := trace.TLSHandshakes() if len(events) != 1 { t.Fatal("expected to see a single TLSHandshake event") } expected := &model.ArchivalTLSOrQUICHandshakeResult{ Network: "tcp", Address: conn.RemoteAddr().String(), CipherSuite: netxlite.TLSCipherSuiteString(connState.CipherSuite), Failure: nil, NegotiatedProtocol: "", NoTLSVerify: false, PeerCertificates: []model.ArchivalMaybeBinaryData{}, ServerName: "dns.google", T: time.Second.Seconds(), Tags: []string{}, TLSVersion: netxlite.TLSVersionString(connState.Version), } got := events[0] // TODO(bassosimone): it's still unclear to me how to test that // I am getting exactly the expected certificate here. I think the // certificate is generated on the fly by google/martian. So, I'm // just going to reduce the precision of this check. if len(got.PeerCertificates) != 2 { t.Fatal("expected to see two certificates") } got.PeerCertificates = []model.ArchivalMaybeBinaryData{} // see above if diff := cmp.Diff(expected, got); diff != "" { t.Fatal(diff) } }) t.Run("Network events", func(t *testing.T) { events := trace.NetworkEvents() if len(events) != 2 { t.Fatal("expected to see two Network events") } t.Run("tls_handshake_start", func(t *testing.T) { expect := &model.ArchivalNetworkEvent{ Address: "", Failure: nil, NumBytes: 0, Operation: "tls_handshake_start", Proto: "", T: 0, Tags: []string{}, } got := events[0] if diff := cmp.Diff(expect, got); diff != "" { t.Fatal(diff) } }) t.Run("tls_handshake_done", func(t *testing.T) { expect := &model.ArchivalNetworkEvent{ Address: "", Failure: nil, NumBytes: 0, Operation: "tls_handshake_done", Proto: "", T0: time.Second.Seconds(), T: time.Second.Seconds(), Tags: []string{}, } got := events[1] if diff := cmp.Diff(expect, got); diff != "" { t.Fatal(diff) } }) }) }) } func TestFirstTLSHandshake(t *testing.T) { t.Run("returns nil when buffer is empty", func(t *testing.T) { zeroTime := time.Now() trace := NewTrace(0, zeroTime) got := trace.FirstTLSHandshakeOrNil() if got != nil { t.Fatal("expected nil event") } }) t.Run("return first non-nil TLSHandshake", func(t *testing.T) { filler := func(tx *Trace, events []*model.ArchivalTLSOrQUICHandshakeResult) { for _, ev := range events { tx.tlsHandshake <- ev } } zeroTime := time.Now() trace := NewTrace(0, zeroTime) expect := []*model.ArchivalTLSOrQUICHandshakeResult{{ Network: "tcp", Address: "1.1.1.1:443", CipherSuite: "", Failure: nil, NegotiatedProtocol: "", NoTLSVerify: true, PeerCertificates: []model.ArchivalMaybeBinaryData{}, ServerName: "dns.cloudflare.com", T: time.Second.Seconds(), Tags: []string{}, TLSVersion: "", }, { Network: "tcp", Address: "8.8.8.8:443", CipherSuite: "", Failure: nil, NegotiatedProtocol: "", NoTLSVerify: true, PeerCertificates: []model.ArchivalMaybeBinaryData{}, ServerName: "dns.google.com", T: time.Second.Seconds(), Tags: []string{}, TLSVersion: "", }} filler(trace, expect) got := trace.FirstTLSHandshakeOrNil() if diff := cmp.Diff(got, expect[0]); diff != "" { t.Fatal(diff) } }) } func TestTLSPeerCerts(t *testing.T) { type args struct { state tls.ConnectionState err error } tests := []struct { name string args args wantOut []model.ArchivalMaybeBinaryData }{{ name: "x509.HostnameError", args: args{ state: tls.ConnectionState{}, err: x509.HostnameError{ Certificate: &x509.Certificate{ Raw: []byte("deadbeef"), }, }, }, wantOut: []model.ArchivalMaybeBinaryData{{ Value: "deadbeef", }}, }, { name: "x509.UnknownAuthorityError", args: args{ state: tls.ConnectionState{}, err: x509.UnknownAuthorityError{ Cert: &x509.Certificate{ Raw: []byte("deadbeef"), }, }, }, wantOut: []model.ArchivalMaybeBinaryData{{ Value: "deadbeef", }}, }, { name: "x509.CertificateInvalidError", args: args{ state: tls.ConnectionState{}, err: x509.CertificateInvalidError{ Cert: &x509.Certificate{ Raw: []byte("deadbeef"), }, }, }, wantOut: []model.ArchivalMaybeBinaryData{{ Value: "deadbeef", }}, }, { name: "successful case", args: args{ state: tls.ConnectionState{ PeerCertificates: []*x509.Certificate{{ Raw: []byte("deadbeef"), }, { Raw: []byte("abad1dea"), }}, }, err: nil, }, wantOut: []model.ArchivalMaybeBinaryData{{ Value: "deadbeef", }, { Value: "abad1dea", }}, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { gotOut := TLSPeerCerts(tt.args.state, tt.args.err) if diff := cmp.Diff(tt.wantOut, gotOut); diff != "" { t.Fatal(diff) } }) } }