Enable TLS testing from udp-test, enable on CI

This commit is contained in:
Travis Burtrum 2019-12-16 21:44:07 -05:00
parent 7316bb5341
commit 2cd69aaf15
6 changed files with 164 additions and 61 deletions

View File

@ -54,6 +54,9 @@ test_script:
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test && cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test &&
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is
) )
- if [%CARGO_FEATURES%]==[openssl_vendored] (
cargo run --target %TARGET% --release --features %CARGO_FEATURES% --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
)
before_deploy: before_deploy:
# TODO Update this to build the artifacts that matter to you # TODO Update this to build the artifacts that matter to you

28
ci/cert.key Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrvZ+p0/2i/p1s
xzg3ydOS4z5S3QD0WAD1gdBTUBPjqmeGNbtXl5XLGPTYJeBqNNGRv6louB+jL8U+
TSBsyyARVZfJ9EDU3iG1fOQzz6sK8yhVL15bL4wJHobDGkL1zc0//ozDbr9iH5Xi
5Xh1q9lEyLMviASNjZbWcdGWxxKQRceluzcTyowesBr7K9nQaQF7cSmetCYaA1L9
JXokHY3P8pPEOhfo8SI7Lkt7XzKrnI0RBEIQBDF5F/XsKHO2Iso8bVq1huNr37MH
QDEDo+D8803oFS+89j9SFDv2QgITZgl0gtY5w911qbNtyz0hWYloXzmlPH2QF/+Z
XThI2Kd/AgMBAAECggEARmvN4Xxsv346HRWfhri6ibumnaHDt22yjvj47ICkdzEz
nAPCWwtsP8hu9Yaqe8JGwMXfeHIvfuGitoY3qoSsFI+NWyFNyDuBhQK+LESWNTo5
qpxuy2M2v7KFvdCx7krCQ+Bj5esujNS4yD4h49Zgk+TcHLxgaY7KcAphz7q3cPKP
hJPkwSvFmLMdqomyLJfBTWPx6Ue3ioAfKxM62hbaYlBth1ch5YqOhL84YCMnPmbq
hL/iTTlPcXeZoCodEHoOac/t8Nvv4fRetrBqk9uMZXZ1Bm9VfKbVDysfiKp9W+np
uvtYUht/TdlrzjE01h3QHNnkYgJA+yuK/qjL0nvoYQKBgQDjN4HdZqA7ZBPvQUtq
LVfpm2jy/8Sf3ewUUx7Pwselft7FOpKzkouVhdyWY8BweN97zwaYPJo7OtfMzT3Y
NPO5Vz7nxMcvwZXir0VV514lLIYjqkZkDY94thGayFaF8DmyqfIfTuyVPrigRfOR
8+dbYJrSVn9hnP4i9cxoIu39TwKBgQDBfxAFp2gJ1G3U2YAjNt4qrbsdPZvsX6CI
A8T5EuiPanAqaVWbQnkPFQq077qBSlCI/zUunw01I0pyuR74paY7PaiKT3hLkovh
v2VlOFEMaA7K/TTjv6tZS5P8DXuM/r34h5XRVsaKXKPNBGoAcbvanJ/96N42j+E1
G4+R8FMG0QKBgFMmKfkKqFJzojPpEh8N7uEHRVW/sYXLYaxiaqEfJ45xqjZE5BCg
7UHPldTXNkIyiZ42ObSWYN6R/wzsgthPMG2/9r48LaRVVHN7LoVsQPCbpY8BrfbJ
W5qSDkk1TSyAp6yxMnCwojVPmaLVVngv6Jdw99dHXiAronjKuH3XYn5TAoGAUUpd
Y9Kx3bdWMR7zO1gYvBtiyeURNZvzKFFVFkMAWwgfeWHpaiHiFBkF93/jfd/Ht9Zn
9F8zwEhERbBKN7H4BVlhDkJWyoEVrVCoe37OZgTtehAogSoMBaa/1Buh9VksXFYx
9dGb9ZL36fDZy7f8cNpuSNDlUkzeE16x0WECsJECgYBdekYJFJWppHjQ0ID5Jt1T
GHQIovXFsHfACIKC1lyytqgtEdSaWQD0SfFsg/s6BYcW7bfs/tejTnbJySvcp3rC
+FCznrEfk6wVFuj/nrgB/MpmxbsG2N5EmchRX5YJHVDRtWpQxPkNgRvdNBPkPY54
5zSUEJh+lLSg+ZjuM52eOg==
-----END PRIVATE KEY-----

21
ci/cert.pem Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUfeb7Ocg4fLv5BEiXLhLS5/fQGm0wDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEyMTcwMjE2MDhaFw0yOTEy
MTQwMjE2MDhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCrvZ+p0/2i/p1sxzg3ydOS4z5S3QD0WAD1gdBTUBPj
qmeGNbtXl5XLGPTYJeBqNNGRv6louB+jL8U+TSBsyyARVZfJ9EDU3iG1fOQzz6sK
8yhVL15bL4wJHobDGkL1zc0//ozDbr9iH5Xi5Xh1q9lEyLMviASNjZbWcdGWxxKQ
RceluzcTyowesBr7K9nQaQF7cSmetCYaA1L9JXokHY3P8pPEOhfo8SI7Lkt7XzKr
nI0RBEIQBDF5F/XsKHO2Iso8bVq1huNr37MHQDEDo+D8803oFS+89j9SFDv2QgIT
Zgl0gtY5w911qbNtyz0hWYloXzmlPH2QF/+ZXThI2Kd/AgMBAAGjUzBRMB0GA1Ud
DgQWBBSxoWXwmMEmKrsRsii2l1/IBhlvMzAfBgNVHSMEGDAWgBSxoWXwmMEmKrsR
sii2l1/IBhlvMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB3
NIlwmAL3FBrqHmg5M+zh+xKkNl/O8SK4bJwhPoTYR+DHsDlEQWvwSVaGV5HGyqy2
cv39kHJ6OisSuOitESV4gdOUZvm/WCSV5xHpokJpGlztRSKi4iwFNONn0LUi4lnF
gkYgjS4OfOCjVJ0YgAkYaBYALM3PTY3VpG32vaz62A7mIzO5Jn/kMtEIgFT+32Be
BE/8E+pcOhgkvoE1xwv0STbrnM8dGN8/zyXvb1wt4b2ijkBlT5Wsqs0yvPa31SD0
FDqc+4/H3bJXjwfBGDbf18sTY1UQEPyQdNC7vhiy/w2AgjVNjVpNBI9nvj+9rkZ5
8m8sP3ldEkdIqSRCl95o
-----END CERTIFICATE-----

View File

@ -15,6 +15,11 @@ main() {
# now run udp-test through proxy/proxyd # now run udp-test through proxy/proxyd
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is
if [ $CARGO_FEATURES != "default" ]; then
# run TLS tests then too
cross run --target $TARGET --release --features $CARGO_FEATURES --bin udp-test -- -is --tls-key ci/cert.key --tls-cert ci/cert.pem
fi
} }
# we don't run the "test phase" when doing deploys # we don't run the "test phase" when doing deploys

View File

@ -72,8 +72,21 @@ fn main() {
let args = Args::new(&raw_args); let args = Args::new(&raw_args);
let default_udp_host_target = "127.0.0.1:51820"; let default_udp_host_target = "127.0.0.1:51820";
let default_socket_timeout = 10; let default_socket_timeout = 10;
let tls_key = args.get_option(&["-tk", "--tls-key"]);
let tls_cert = args.get_option(&["-tc", "--tls-cert"]);
let tls = if tls_key.is_some() && tls_cert.is_some() {
true
} else if tls_key.is_none() && tls_cert.is_none() {
false
} else {
println!("Error: if one of --tls-key or --tls-cert is specified both must be!");
exit(1);
};
let mut first_arg = args.get_str(&["-uh", "--udp-host"], default_udp_host_target); let mut first_arg = args.get_str(&["-uh", "--udp-host"], default_udp_host_target);
if args.flag("-h") || args.flag("--help"){ if args.flag("-h") || args.flag("--help") {
println!(r#"usage: udp-test [options...] println!(r#"usage: udp-test [options...]
-h, --help print this usage text -h, --help print this usage text
-s, --self-test run a self test through proxy -s, --self-test run a self test through proxy
@ -83,6 +96,12 @@ fn main() {
-ut, --udp-target <ip:port> UDP target to send packets to, default: {} -ut, --udp-target <ip:port> UDP target to send packets to, default: {}
-st, --socket-timeout <seconds> Socket timeout (time to wait for data) -st, --socket-timeout <seconds> Socket timeout (time to wait for data)
before terminating, default: {} before terminating, default: {}
TLS option for self tests only, otherwise self tests are plaintext only:
-tk, --tls-key <ip:port> TLS key to listen with,
requires --tls-cert also
-tc, --tls-cert <ip:port> TLS cert to listen with,
requires --tls-key also
"#, default_udp_host_target, default_udp_host_target, default_socket_timeout); "#, default_udp_host_target, default_udp_host_target, default_socket_timeout);
return; return;
} else if args.flag("-s") || args.flag("--self-test") { } else if args.flag("-s") || args.flag("--self-test") {
@ -94,23 +113,50 @@ fn main() {
let udp_test = args.get_str_idx(0, "udp-test"); let udp_test = args.get_str_idx(0, "udp-test");
let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy"); let proxy = udp_test.clone().replace("udp-test", "wireguard-proxy");
println!("executing: {} -th '{}' -ut '{}'", proxy, tcp_host, host); let mut proxyd = if tls {
let mut proxyd = Command::new(proxy.clone()) let tls_key = tls_key.unwrap();
.arg("-th") let tls_cert = tls_cert.unwrap();
.arg(tcp_host) println!("executing: {} -th '{}' -ut '{}' -tk '{}' -tc '{}'", proxy, tcp_host, host, tls_key, tls_cert);
.arg("-ut") Command::new(proxy.clone())
.arg(host) .arg("-th")
.spawn() .arg(tcp_host)
.expect("wireguard-proxy server failed to launch"); .arg("-ut")
.arg(host)
.arg("-tk")
.arg(tls_key)
.arg("-tc")
.arg(tls_cert)
.spawn()
.expect("wireguard-proxy TLS server failed to launch")
} else {
println!("executing: {} -th '{}' -ut '{}'", proxy, tcp_host, host);
Command::new(proxy.clone())
.arg("-th")
.arg(tcp_host)
.arg("-ut")
.arg(host)
.spawn()
.expect("wireguard-proxy server failed to launch")
};
println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);
println!("executing: {} -tt {}", proxy, tcp_host); let mut proxy = if tls {
let mut proxy = Command::new(proxy) println!("executing: {} -tt {} --tls", proxy, tcp_host);
.arg("-tt") Command::new(proxy)
.arg(tcp_host) .arg("-tt")
.spawn() .arg(tcp_host)
.expect("wireguard-proxy client failed to launch"); .arg("--tls")
.spawn()
.expect("wireguard-proxy TLS client failed to launch")
} else {
println!("executing: {} -tt {}", proxy, tcp_host);
Command::new(proxy)
.arg("-tt")
.arg(tcp_host)
.spawn()
.expect("wireguard-proxy client failed to launch")
};
println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);
@ -154,14 +200,21 @@ fn main() {
proxy_server.client_handler.udp_target, proxy_server.client_handler.socket_timeout, proxy_server.client_handler.udp_target, proxy_server.client_handler.socket_timeout,
); );
println!("executing: wireguard-proxy -th '{}' -ut '{}'", tcp_host, host); if tls {
thread::spawn(move || proxy_server.start().expect("error running proxy_server")); let tls_key = tls_key.unwrap().to_owned();
let tls_cert = tls_cert.unwrap().to_owned();
println!("executing: wireguard-proxy -th '{}' -ut '{}' -tk '{}' -tc '{}'", tcp_host, host, tls_key, tls_cert);
thread::spawn(move || proxy_server.start_tls(&tls_key, &tls_cert).expect("error running TLS proxy_server"));
} else {
println!("executing: wireguard-proxy -th '{}' -ut '{}'", tcp_host, host);
thread::spawn(move || proxy_server.start().expect("error running proxy_server"));
}
println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy server to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);
let proxy_client = ProxyClient::new( let proxy_client = ProxyClient::new(
"127.0.0.1:51820".to_owned(), "127.0.0.1:51820".to_owned(),
tcp_host.to_owned().to_owned(), tcp_host.to_owned(),
15, 15,
); );
@ -172,8 +225,14 @@ fn main() {
proxy_client.socket_timeout, proxy_client.socket_timeout,
); );
println!("executing: wireguard-proxy -tt {}", tcp_host); if tls {
thread::spawn(move || proxy_client.start().expect("error running proxy_client")); println!("executing: wireguard-proxy -tt {} --tls", tcp_host);
let hostname = tcp_host.split(":").next().expect("cannot extract hostname from tcp_host");
thread::spawn(move || proxy_client.start_tls(hostname).expect("error running proxy_client"));
} else {
println!("executing: wireguard-proxy -tt {}", tcp_host);
thread::spawn(move || proxy_client.start().expect("error running proxy_client"));
}
println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep); println!("waiting: {:?} for wireguard-proxy client to come up.....", sleep);
thread::sleep(sleep); thread::sleep(sleep);

69
test.sh
View File

@ -1,25 +1,28 @@
#!/bin/sh #!/bin/sh
set -x set -x
# first run without TLS # cert created with:
cargo clean # cd ci && echo -e '\n\n\n\n\n\n\n' | openssl req -new -x509 -days 3650 -nodes -out cert.pem -keyout cert.key
cargo build --release --no-default-features
export PATH="$(pwd)/target/release:$PATH" export PATH="$(pwd)/target/release:$PATH"
run_tests() {
client_arg="$1"
shift
# first make sure udp-test succeeds running against itself # first make sure udp-test succeeds running against itself
udp-test || exit 1 udp-test || exit 1
# now run udp-test without spawning other processes # now run udp-test without spawning other processes
udp-test -is || exit 1 udp-test -is "$@" || exit 1
# now run proxyd pointing to udp-test # now run proxyd pointing to udp-test
wireguard-proxy -th 127.0.0.1:5555 -ut 127.0.0.1:51822 & wireguard-proxy -th 127.0.0.1:5555 -ut 127.0.0.1:51822 "$@" &
proxyd_pid=$! proxyd_pid=$!
# wait for ports to be set up, this is fragile... # wait for ports to be set up, this is fragile...
sleep 5 sleep 5
# proxy pointing to proxyd # proxy pointing to proxyd
wireguard-proxy -tt 127.0.0.1:5555 & wireguard-proxy -tt 127.0.0.1:5555 "$client_arg" &
proxy_pid=$! proxy_pid=$!
# wait for ports to be set up, this is fragile... # wait for ports to be set up, this is fragile...
sleep 1 sleep 1
@ -32,45 +35,29 @@ kill $proxyd_pid $proxy_pid
[ $udp_exit -ne 0 ] && exit $udp_exit [ $udp_exit -ne 0 ] && exit $udp_exit
# now run udp-test essentially just like the script above, but all in rust # now run udp-test essentially just like the script above, but all in rust
udp-test -s || exit 1 udp-test -s "$@" || exit 1
echo "non-tls tests passed!" }
echo -e '\n\n\n\n\n\n\n' | openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key
# first run without TLS # first run without TLS
cargo clean cargo clean
cargo build --release cargo build --release || exit 1
run_tests || exit 1
export PATH="$(pwd)/target/release:$PATH" # first run with non-vendored tls
cargo clean
cargo build --release --features tls || exit 1
# first plaintext tests
run_tests || exit 1
# then TLS tests
run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1
# first make sure udp-test succeeds running against itself # second run with vendored tls
udp-test || exit 1 cargo clean
cargo build --release --features openssl_vendored || exit 1
# first plaintext tests
run_tests || exit 1
# then TLS tests
run_tests --tls --tls-key ci/cert.key --tls-cert ci/cert.pem || exit 1
# now run udp-test without spawning other processes exit 0
udp-test -is || exit 1
# now run proxyd pointing to udp-test
wireguard-proxy -th 127.0.0.1:5555 -ut 127.0.0.1:51822 --tls-key cert.key --tls-cert cert.pem &
proxyd_pid=$!
# wait for ports to be set up, this is fragile...
sleep 5
# proxy pointing to proxyd
wireguard-proxy -tt 127.0.0.1:5555 --tls &
proxy_pid=$!
# wait for ports to be set up, this is fragile...
sleep 1
# and udp-test pointing to proxy, which then hops to proxyd, and finally back to udp-test
udp-test -uh 127.0.0.1:51822
udp_exit=$?
kill $proxyd_pid $proxy_pid
rm -f cert.pem cert.key
[ $udp_exit -ne 0 ] && exit $udp_exit
# now run udp-test essentially just like the script above, but all in rust
udp-test -s
exit $?