xvzcf · xvzcf · Feb 23, 2021 · Feb 22, 2021
diff --git a/cmd/util/util.go b/cmd/util/util.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/cloudflare/circl/hpke"
+	"github.com/xvzcf/tls-interop-runner/internal/utils"
 )
 
 const usage = `Usage:
@@ -58,47 +59,62 @@ func main() {
 		log.Fatalln("ERROR: -make-ech requires -host")
 	}
 
+	var err error
 	if *makeRootCert {
-		makeRootCertificate(
-			&Config{
+		err = utils.MakeRootCertificate(
+			&utils.Config{
 				Hostnames:          []string{*hostName},
 				ValidFrom:          time.Now(),
 				ValidFor:           365 * 25 * time.Hour,
-				SignatureAlgorithm: signatureECDSAWithP521AndSHA512,
+				SignatureAlgorithm: utils.SignatureECDSAWithP521AndSHA512,
 			},
 			*outPath,
 			*outKeyPath,
 		)
+		if err != nil {
+			log.Fatalf("ERROR: %s\n", err)
+		}
+		log.Printf("Created a new root certificate at %s.\n", *outPath)
+		log.Printf("Created a new root key at %s.\n", *outKeyPath)
 	} else if *makeIntermediateCert {
-		makeIntermediateCertificate(
-			&Config{
+		err = utils.MakeIntermediateCertificate(
+			&utils.Config{
 				Hostnames:          []string{*hostName},
 				ValidFrom:          time.Now(),
 				ValidFor:           365 * 25 * time.Hour,
-				SignatureAlgorithm: signatureECDSAWithP256AndSHA256,
+				SignatureAlgorithm: utils.SignatureECDSAWithP256AndSHA256,
 				ForDC:              true,
 			},
 			*inCertPath,
 			*inKeyPath,
 			*outPath,
 			*outKeyPath,
 		)
+		if err != nil {
+			log.Fatalf("ERROR: %s\n", err)
+		}
+		log.Printf("Created a new intermediate certificate at %s.\n", *outPath)
+		log.Printf("Created a new intermediate key at %s.\n", *outKeyPath)
 	} else if *makeDC {
-		makeDelegatedCredential(
-			&Config{
+		err = utils.MakeDelegatedCredential(
+			&utils.Config{
 				ValidFor:           24 * time.Hour,
-				SignatureAlgorithm: signatureAlgorithm(*algorithm),
+				SignatureAlgorithm: uint16(*algorithm),
 			},
-			&Config{},
+			&utils.Config{},
 			*inCertPath,
 			*inKeyPath,
 			*outPath,
 		)
+		if err != nil {
+			log.Fatalf("ERROR: %s\n", err)
+		}
+		log.Printf("\nThe generated DC (format: DC, privkey) using algorithm %x is at \"%s\" \n\n", *algorithm, *outPath)
 	} else if *makeECH {
-		makeECHKey(
-			ECHConfigTemplate{
+		err = utils.MakeECHKey(
+			utils.ECHConfigTemplate{
 				PublicName: *hostName,
-				Version:    ECHVersionDraft09,
+				Version:    utils.ECHVersionDraft09,
 				KemId:      uint16(hpke.KEM_X25519_HKDF_SHA256),
 				KdfIds: []uint16{
 					uint16(hpke.KDF_HKDF_SHA256),

diff --git a/cmd/validatepcap/validate.go b/cmd/validatepcap/validate.go
diff --git a/cmd/validatepcap/validatepcap.go b/cmd/validatepcap/validatepcap.go
@@ -7,16 +7,15 @@ import (
 	"flag"
 	"fmt"
 	"log"
-	"os/exec"
-	"strconv"
-	"strings"
+
+	"github.com/xvzcf/tls-interop-runner/internal/pcap"
 )
 
 const usage = `Usage:
 
     $ validatepcap [-help] {-pcap-in} {-keylog-in} {-testcase}
 
-    Requires tshark with version >= 3.2.0
+    Requires tshark with version >= 3.2.0 to be in the PATH
 `
 
 func main() {
@@ -34,38 +33,21 @@ func main() {
 		return
 	}
 
-	tsharkPath, err := exec.LookPath("tshark")
-	fatalIfErr(err, "tshark not found in PATH.")
-
-	tsharkConfiguration, err := exec.Command(tsharkPath, "--version").Output()
-	fatalIfErr(err, "Could not retrieve tshark configuration.")
-
-	tsharkVersionLine := strings.Split(string(tsharkConfiguration), "\n")[0]
-	tsharkVersionFields := strings.Split(strings.Fields(tsharkVersionLine)[2], ".")
-	tsharkMajorVersion, err := strconv.Atoi(tsharkVersionFields[0])
-	fatalIfErr(err, "Could not retrieve tshark major version.")
-
-	tsharkMinorVersion, err := strconv.Atoi(tsharkVersionFields[1])
-	fatalIfErr(err, "Could not retrieve tshark minor version.")
-
-	if tsharkMajorVersion < 3 || tsharkMinorVersion < 2 {
-		log.Fatalf("Requires tshark with version >= 3.2.0.")
+	err := pcap.FindTshark()
+	if err != nil {
+		log.Fatalf("ERROR: Tshark not found: %s\n", err)
 	}
 
-	transcript, err := parsePCap(tsharkPath, *pcapPath, *keylogPath)
-	fatalIfErr(err, "Could not parse supplied PCap")
+	transcript, err := pcap.Parse(*pcapPath, *keylogPath)
+	if err != nil {
+		log.Fatalf("ERROR: Could not parse pcap: %s\n", err)
+	}
 
-	err = validateTranscript(transcript, *testcase)
+	err = pcap.Validate(transcript, *testcase)
 	if err != nil {
 		log.Fatalf("Testcase %s failed: %s", *testcase, err)
 	} else {
 		fmt.Printf("Testcase %s passed.\n", *testcase)
 	}
 
 }
-
-func fatalIfErr(err error, msg string) {
-	if err != nil {
-		log.Fatalf("ERROR: %s: %s\n", msg, err)
-	}
-}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,11 @@
+// SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
+// SPDX-License-Identifier: MIT
+
+module github.com/xvzcf/tls-interop-runner
+
+go 1.15
+
+require (
+	github.com/cloudflare/circl v1.0.1-0.20210104183656-96a0695de3c3
+	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,13 @@
+github.com/cloudflare/circl v1.0.1-0.20210104183656-96a0695de3c3 h1:tpTW2GMi0DOdFJswbXNG6f45rOAgowhgPdofAWDKLwI=
+github.com/cloudflare/circl v1.0.1-0.20210104183656-96a0695de3c3/go.mod h1:l2CvGr3DNS9Egif8pwQqJ45Ci9Y/PPs0XJHTcRKbGBQ=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f h1:QdHQnPce6K4XQewki9WNbG5KOROuDzqO3NaYjI1cXJ0=
+golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/go.sum.license b/go.sum.license
@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
+SPDX-License-Identifier: MIT
diff --git a/impl-endpoints/cloudflare-go/config.go b/impl-endpoints/cloudflare-go/config.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
+// SPDX-License-Identifier: MIT
+
 package main
 
 import (

diff --git a/cmd/validatepcap/parse.go → internal/pcap/parse.go b/cmd/validatepcap/parse.go → internal/pcap/parse.go
@@ -1,7 +1,7 @@
 // SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
 // SPDX-License-Identifier: MIT
 
-package main
+package pcap
 
 import (
 	"bytes"
@@ -22,12 +22,15 @@ type serverHelloMsg struct {
 	version uint16
 }
 
-type tlsTranscript struct {
-	clientHello clientHelloMsg
-	serverHello serverHelloMsg
+type TLSTranscript struct {
+	ClientHello clientHelloMsg
+	ServerHello serverHelloMsg
 }
 
-func parsePCap(tsharkPath string, pcapPath string, keylogPath string) (transcript tlsTranscript, err error) {
+// Parse takes in a PCAP and Keylog file and passes them to Tshark, which
+// returns packet information formatted in newline-delimited JSON; this JSON
+// is parsed for TLS handshake messages.
+func Parse(pcapPath string, keylogPath string) (transcript TLSTranscript, err error) {
 	rawJSON, err := exec.Command(tsharkPath,
 		"-r", pcapPath,
 		"-d", "tcp.port==4433,tls",
@@ -112,18 +115,18 @@ func parsePCap(tsharkPath string, pcapPath string, keylogPath string) (transcrip
 	return transcript, err
 }
 
-func parseOutClientHello(raw map[string]interface{}, transcript *tlsTranscript) error {
+func parseOutClientHello(raw map[string]interface{}, transcript *TLSTranscript) error {
 	version, err := strconv.ParseUint(raw["tls_tls_handshake_version"].(string), 0, 16)
 	if err != nil {
 		return err
 	}
-	transcript.clientHello.version = uint16(version)
+	transcript.ClientHello.version = uint16(version)
 
-	transcript.clientHello.serverName = raw["tls_tls_handshake_extensions_server_name"].(string)
+	transcript.ClientHello.serverName = raw["tls_tls_handshake_extensions_server_name"].(string)
 
 	for _, val := range raw["tls_tls_handshake_extension_type"].([]interface{}) {
 		if val == "34" {
-			transcript.clientHello.supportsDC = true
+			transcript.ClientHello.supportsDC = true
 		}
 	}
 
@@ -132,17 +135,17 @@ func parseOutClientHello(raw map[string]interface{}, transcript *tlsTranscript)
 		if err != nil {
 			return err
 		}
-		transcript.clientHello.supportedVersions = append(transcript.clientHello.supportedVersions, uint16(version))
+		transcript.ClientHello.supportedVersions = append(transcript.ClientHello.supportedVersions, uint16(version))
 	}
 	return nil
 }
 
-func parseOutServerHello(raw map[string]interface{}, transcript *tlsTranscript) error {
+func parseOutServerHello(raw map[string]interface{}, transcript *TLSTranscript) error {
 	version, err := strconv.ParseUint(raw["tls_tls_handshake_version"].(string), 0, 16)
 	if err != nil {
 		return err
 	}
-	transcript.serverHello.version = uint16(version)
+	transcript.ServerHello.version = uint16(version)
 
 	return nil
 }
diff --git a/internal/pcap/tshark.go b/internal/pcap/tshark.go
@@ -0,0 +1,45 @@
+// SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
+// SPDX-License-Identifier: MIT
+
+package pcap
+
+import (
+	"errors"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+var tsharkPath string
+
+// FindTshark looks for a sufficiently recent version of Tshark in the PATH,
+// and if it finds it, sets tsharkPath for use by Parse().
+func FindTshark() (err error) {
+	tsharkPath, err = exec.LookPath("tshark")
+	if err != nil {
+		return err
+	}
+
+	tsharkConfiguration, err := exec.Command(tsharkPath, "--version").Output()
+	if err != nil {
+		return err
+	}
+
+	tsharkVersionLine := strings.Split(string(tsharkConfiguration), "\n")[0]
+	tsharkVersionFields := strings.Split(strings.Fields(tsharkVersionLine)[2], ".")
+	tsharkMajorVersion, err := strconv.Atoi(tsharkVersionFields[0])
+	if err != nil {
+		return err
+	}
+
+	tsharkMinorVersion, err := strconv.Atoi(tsharkVersionFields[1])
+	if err != nil {
+		return err
+	}
+
+	if tsharkMajorVersion < 3 || tsharkMinorVersion < 2 {
+		return errors.New("requires tshark with version >= 3.2.0")
+	}
+
+	return nil
+}
diff --git a/internal/pcap/validate.go b/internal/pcap/validate.go
@@ -0,0 +1,33 @@
+// SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
+// SPDX-License-Identifier: MIT
+
+package pcap
+
+import (
+	"errors"
+)
+
+// Validate takes a transcript of a TLS handshake and a testcase, and checks
+// whether the transcript conforms with the transcript expected for the
+// testcase.
+func Validate(transcript TLSTranscript, testCase string) error {
+	switch testCase {
+	case "dc":
+		if transcript.ClientHello.version != 0x0303 {
+			return errors.New("ClientHello: legacy_version is not TLS 1.2")
+		}
+		if !transcript.ClientHello.supportsDC {
+			return errors.New("ClientHello: support for delegated credentials not indicated")
+		}
+		if transcript.ClientHello.serverName != "example.com" {
+			return errors.New("ClientHello: SNI should specify example.com")
+		}
+		for _, v := range transcript.ClientHello.supportedVersions {
+			if v == 0x0304 {
+				return nil
+			}
+		}
+		return errors.New("ClientHello: supported_versions does not include TLS 1.3")
+	}
+	return nil
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		SPDX-FileCopyrightText: 2020 The tls-interop-runner Authors
		SPDX-License-Identifier: MIT