fix: add tests and fix bugs

2025-04-04 20:47:36 +03:00 · 2025-03-27 15:54:58 -06:00 · 2025-03-27 15:54:58 -06:00 · 6f87c69b6a
commit 6f87c69b6a
parent ed46e3def4
6 changed files with 178 additions and 30 deletions
--- a/handshake_client.go
+++ b/handshake_client.go
@ -214,9 +214,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echCli
 	var ech *echClientContext
 	if c.config.EncryptedClientHelloConfigList != nil {
-		// if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
+		if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
-		// 	return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
+			return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
-		// }
+		}
 		if c.config.MaxVersion != 0 && c.config.MaxVersion <= VersionTLS12 {
 			return nil, nil, nil, errors.New("tls: MaxVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
 		}
--- a/handshake_test.go
+++ b/handshake_test.go
@ -476,11 +476,32 @@ func runMain(m *testing.M) int {
 }
 func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) {
 	// [uTLS SECTION BEGIN]
 	return testUtlsHandshake(t, clientConfig, serverConfig, nil)
 }
 func testUtlsHandshake(t *testing.T, clientConfig, serverConfig *Config, spec *ClientHelloSpec) (serverState, clientState ConnectionState, err error) {
 	// [uTLS SECTION END]
 	const sentinel = "SENTINEL\n"
 	c, s := localPipe(t)
 	errChan := make(chan error, 1)
 	go func() {
-		cli := Client(c, clientConfig)
+		// [uTLS SECTION BEGIN]
 		var cli interface {
 			Handshake() error
 			ConnectionState() ConnectionState
 			Close() error
 			io.Reader
 		}
 		if spec != nil {
 			ucli := UClient(c, clientConfig, HelloCustom)
 			if err = ucli.ApplyPreset(spec); err != nil {
 				return
 			}
 			cli = ucli
 		} else {
 			cli = Client(c, clientConfig)
 		}
 		// [uTLS SECTION END]
 		err := cli.Handshake()
 		if err != nil {
 			errChan <- fmt.Errorf("client: %v", err)
--- a/tls_test.go
+++ b/tls_test.go
@ -2068,6 +2068,10 @@ func TestLargeCertMsg(t *testing.T) {
 }
 func TestECH(t *testing.T) {
 	testECHSpec(t, nil, true)
 }
 func testECHSpec(t *testing.T, spec *ClientHelloSpec, expectSuccess bool) {
 	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatal(err)
@ -2157,26 +2161,34 @@ func TestECH(t *testing.T) {
 		{Config: echConfig, PrivateKey: echKey.Bytes(), SendAsRetry: true},
 	}
-	ss, cs, err := testHandshake(t, clientConfig, serverConfig)
+	// [uTLS SECTION BEGIN]
-	if err != nil {
+	ss, cs, err := testUtlsHandshake(t, clientConfig, serverConfig, spec)
-		t.Fatalf("unexpected failure: %s", err)
+	if expectSuccess {
-	}
+		if err != nil {
-	if !ss.ECHAccepted {
+			t.Fatalf("unexpected failure: %s", err)
-		t.Fatal("server ConnectionState shows ECH not accepted")
+		}
-	}
+		if !ss.ECHAccepted {
-	if !cs.ECHAccepted {
+			t.Fatal("server ConnectionState shows ECH not accepted")
-		t.Fatal("client ConnectionState shows ECH not accepted")
+		}
-	}
+		if !cs.ECHAccepted {
-	if cs.ServerName != "secret.example" || ss.ServerName != "secret.example" {
+			t.Fatal("client ConnectionState shows ECH not accepted")
-		t.Fatalf("unexpected ConnectionState.ServerName, want %q, got server:%q, client: %q", "secret.example", ss.ServerName, cs.ServerName)
+		}
-	}
+		if cs.ServerName != "secret.example" || ss.ServerName != "secret.example" {
-	if len(cs.VerifiedChains) != 1 {
+			t.Fatalf("unexpected ConnectionState.ServerName, want %q, got server:%q, client: %q", "secret.example", ss.ServerName, cs.ServerName)
-		t.Fatal("unexpect number of certificate chains")
+		}
-	}
+		if len(cs.VerifiedChains) != 1 {
-	if len(cs.VerifiedChains[0]) != 1 {
+			t.Fatal("unexpect number of certificate chains")
-		t.Fatal("unexpect number of certificates")
+		}
-	}
+		if len(cs.VerifiedChains[0]) != 1 {
-	if !cs.VerifiedChains[0][0].Equal(secretCert) {
+			t.Fatal("unexpect number of certificates")
-		t.Fatal("unexpected certificate")
+		}
 		if !cs.VerifiedChains[0][0].Equal(secretCert) {
 			t.Fatal("unexpected certificate")
 		}
 	} else {
 		if err == nil {
 			t.Fatalf("unexpected handshake success, expected failure")
 		}
 	}
 	// [uTLS SECTION END]
 }
--- a/u_conn.go
+++ b/u_conn.go
@ -528,6 +528,9 @@ func (uconn *UConn) computeAndUpdateOuterECHExtension(inner *clientHelloMsg, ech
 		_, ok := ext.(EncryptedClientHelloExtension)
 		return ok
 	})
 	if echExtIdx < 0 {
 		return fmt.Errorf("extension satisfying EncryptedClientHelloExtension not present")
 	}
 	oldExt := uconn.Extensions[echExtIdx]
 	uconn.Extensions[echExtIdx] = &GenericExtension{
@ -582,12 +585,18 @@ func (uconn *UConn) MarshalClientHello() error {
 			_, ok := ext.(*SNIExtension)
 			return ok
 		})
 		if sniExtIdex < 0 {
 			return fmt.Errorf("sni extension missing while attempting ECH")
 		}
 		oldSNI := uconn.Extensions[sniExtIdex]
 		uconn.Extensions[sniExtIdex] = &SNIExtension{
 			ServerName: string(ech.config.PublicName),
 		}
 		uconn.computeAndUpdateOuterECHExtension(inner, ech, true)
 		uconn.Extensions[sniExtIdex] = oldSNI
 		uconn.echCtx = ech
 		return nil
 	}
@ -753,8 +762,6 @@ func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16, specExtensions []T
 	}
 	uconn.HandshakeState.Hello.SupportedVersions = makeSupportedVersions(minTLSVers, maxTLSVers)
 	uconn.config.MinVersion = minTLSVers
 	uconn.config.MaxVersion = maxTLSVers
 	return nil
 }
--- a/u_conn_test.go
+++ b/u_conn_test.go
@ -743,3 +743,111 @@ func TestUTLSMakeConnWithCompleteHandshake(t *testing.T) {
 	serverTls.Write(serverMsg)
 }
 func TestUTLSECH(t *testing.T) {
 	chromeLatest, err := utlsIdToSpec(HelloChrome_Auto)
 	if err != nil {
 		t.Fatal(err)
 	}
 	firefoxLatest, err := utlsIdToSpec(HelloFirefox_Auto)
 	if err != nil {
 		t.Fatal(err)
 	}
 	for _, test := range []struct {
 		name          string
 		spec          *ClientHelloSpec
 		expectSuccess bool
 	}{
 		{
 			name:          "latest chrome",
 			spec:          &chromeLatest,
 			expectSuccess: true,
 		},
 		{
 			name:          "latest firefox",
 			spec:          &firefoxLatest,
 			expectSuccess: true,
 		},
 		{
 			name: "ech extension missing",
 			spec: &ClientHelloSpec{
 				CipherSuites: []uint16{
 					GREASE_PLACEHOLDER,
 					TLS_AES_128_GCM_SHA256,
 					TLS_AES_256_GCM_SHA384,
 					TLS_CHACHA20_POLY1305_SHA256,
 					TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 					TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 					TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 					TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 					TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 					TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 					TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 					TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 					TLS_RSA_WITH_AES_128_GCM_SHA256,
 					TLS_RSA_WITH_AES_256_GCM_SHA384,
 					TLS_RSA_WITH_AES_128_CBC_SHA,
 					TLS_RSA_WITH_AES_256_CBC_SHA,
 				},
 				CompressionMethods: []byte{
 					0x00, // compressionNone
 				},
 				Extensions: ShuffleChromeTLSExtensions([]TLSExtension{
 					&UtlsGREASEExtension{},
 					&SNIExtension{},
 					&ExtendedMasterSecretExtension{},
 					&RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
 					&SupportedCurvesExtension{[]CurveID{
 						GREASE_PLACEHOLDER,
 						X25519Kyber768Draft00,
 						X25519,
 						CurveP256,
 						CurveP384,
 					}},
 					&SupportedPointsExtension{SupportedPoints: []byte{
 						0x00, // pointFormatUncompressed
 					}},
 					&SessionTicketExtension{},
 					&ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
 					&StatusRequestExtension{},
 					&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
 						ECDSAWithP256AndSHA256,
 						PSSWithSHA256,
 						PKCS1WithSHA256,
 						ECDSAWithP384AndSHA384,
 						PSSWithSHA384,
 						PKCS1WithSHA384,
 						PSSWithSHA512,
 						PKCS1WithSHA512,
 					}},
 					&SCTExtension{},
 					&KeyShareExtension{[]KeyShare{
 						{Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}},
 						{Group: X25519Kyber768Draft00},
 						{Group: X25519},
 					}},
 					&PSKKeyExchangeModesExtension{[]uint8{
 						PskModeDHE,
 					}},
 					&SupportedVersionsExtension{[]uint16{
 						GREASE_PLACEHOLDER,
 						VersionTLS13,
 						VersionTLS12,
 					}},
 					&UtlsCompressCertExtension{[]CertCompressionAlgo{
 						CertCompressionBrotli,
 					}},
 					&ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}},
 					&UtlsGREASEExtension{},
 				}),
 			},
 			expectSuccess: false,
 		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			testECHSpec(t, test.spec, test.expectSuccess)
 		})
 	}
 }
--- a/u_handshake_client.go
+++ b/u_handshake_client.go
@ -353,9 +353,9 @@ func (c *Conn) makeClientHelloForApplyPreset() (*clientHelloMsg, *keySharePrivat
 	var ech *echClientContext
 	if c.config.EncryptedClientHelloConfigList != nil {
-		// if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
+		if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
-		// 	return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
+			return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
-		// }
+		}
 		if c.config.MaxVersion != 0 && c.config.MaxVersion <= VersionTLS12 {
 			return nil, nil, nil, errors.New("tls: MaxVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
 		}