|
| 1 | +package crypto |
| 2 | + |
| 3 | +import ( |
| 4 | + "crypto/tls" |
| 5 | + "net/http" |
| 6 | + "net/http/httptest" |
| 7 | + "runtime" |
| 8 | + "slices" |
| 9 | + "testing" |
| 10 | + |
| 11 | + "github.com/stretchr/testify/require" |
| 12 | + |
| 13 | + "github.com/cloudflare/cloudflared/features" |
| 14 | +) |
| 15 | + |
| 16 | +// TestCurvePreferences verifies that GetCurvePreferences returns the |
| 17 | +// documented curve list for each supported PostQuantumMode. The expected |
| 18 | +// values correspond to the contract described in the package documentation |
| 19 | +// and must be identical under FIPS and non-FIPS builds (see TUN-10413). |
| 20 | +func TestCurvePreferences(t *testing.T) { |
| 21 | + t.Parallel() |
| 22 | + |
| 23 | + tests := []struct { |
| 24 | + name string |
| 25 | + expectedCurves []tls.CurveID |
| 26 | + pqMode features.PostQuantumMode |
| 27 | + }{ |
| 28 | + { |
| 29 | + name: "Prefer PQ", |
| 30 | + pqMode: features.PostQuantumPrefer, |
| 31 | + expectedCurves: []tls.CurveID{tls.X25519MLKEM768, P256Kyber768Draft00, tls.CurveP256}, |
| 32 | + }, |
| 33 | + { |
| 34 | + name: "Strict PQ", |
| 35 | + pqMode: features.PostQuantumStrict, |
| 36 | + expectedCurves: []tls.CurveID{tls.X25519MLKEM768, P256Kyber768Draft00}, |
| 37 | + }, |
| 38 | + } |
| 39 | + |
| 40 | + for _, tcase := range tests { |
| 41 | + t.Run(tcase.name, func(t *testing.T) { |
| 42 | + t.Parallel() |
| 43 | + curves, err := getCurvePreferences(tcase.pqMode) |
| 44 | + require.NoError(t, err) |
| 45 | + require.Equal(t, tcase.expectedCurves, curves) |
| 46 | + }) |
| 47 | + } |
| 48 | +} |
| 49 | + |
| 50 | +// TestCurvePreferenceUnknownMode asserts that passing a PostQuantumMode |
| 51 | +// value outside of the documented constants produces an error instead of |
| 52 | +// silently returning a nil or default curve list. This protects callers |
| 53 | +// from accidentally negotiating with an unintended curve set. |
| 54 | +func TestCurvePreferenceUnknownMode(t *testing.T) { |
| 55 | + t.Parallel() |
| 56 | + |
| 57 | + _, err := getCurvePreferences(features.PostQuantumMode(255)) |
| 58 | + require.Error(t, err) |
| 59 | +} |
| 60 | + |
| 61 | +// TestReturnedSliceIsIndependent ensures GetCurvePreferences returns a |
| 62 | +// fresh slice on every call, so that callers cannot corrupt the |
| 63 | +// package-level defaults by mutating the result. |
| 64 | +func TestReturnedSliceIsIndependent(t *testing.T) { |
| 65 | + t.Parallel() |
| 66 | + |
| 67 | + first, err := getCurvePreferences(features.PostQuantumPrefer) |
| 68 | + require.NoError(t, err) |
| 69 | + // Mutate the returned slice. |
| 70 | + first[0] = tls.CurveP521 |
| 71 | + |
| 72 | + second, err := getCurvePreferences(features.PostQuantumPrefer) |
| 73 | + require.NoError(t, err) |
| 74 | + require.Equal(t, tls.X25519MLKEM768, second[0], "package defaults must not be affected by caller mutation") |
| 75 | +} |
| 76 | + |
| 77 | +// runClientServerHandshake drives a TLS 1.3 handshake with the given curve |
| 78 | +// preferences set on the client and captures the SupportedCurves list |
| 79 | +// advertised by the client in its ClientHello. The helper is used by |
| 80 | +// TestSupportedCurvesNegotiation to exercise the curves end-to-end against |
| 81 | +// the standard library's TLS stack. |
| 82 | +func runClientServerHandshake(t *testing.T, curves []tls.CurveID) []tls.CurveID { |
| 83 | + var advertisedCurves []tls.CurveID |
| 84 | + ts := httptest.NewUnstartedServer(nil) |
| 85 | + ts.TLS = &tls.Config{ // nolint: gosec |
| 86 | + GetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) { |
| 87 | + advertisedCurves = slices.Clone(chi.SupportedCurves) |
| 88 | + return nil, nil |
| 89 | + }, |
| 90 | + } |
| 91 | + ts.StartTLS() |
| 92 | + defer ts.Close() |
| 93 | + clientTLSConfig := ts.Client().Transport.(*http.Transport).TLSClientConfig |
| 94 | + clientTLSConfig.CurvePreferences = curves |
| 95 | + resp, err := ts.Client().Head(ts.URL) |
| 96 | + if err != nil { |
| 97 | + t.Error(err) |
| 98 | + return nil |
| 99 | + } |
| 100 | + defer func() { _ = resp.Body.Close() }() |
| 101 | + return advertisedCurves |
| 102 | +} |
| 103 | + |
| 104 | +// TestSupportedCurvesNegotiation verifies that the curves returned by |
| 105 | +// GetCurvePreferences survive a real TLS handshake unchanged, i.e. the |
| 106 | +// standard library advertises exactly the curves we expect. Currently only |
| 107 | +// PostQuantumPrefer is exercised because PostQuantumStrict would cause the |
| 108 | +// handshake to fail against httptest servers that do not support |
| 109 | +// X25519MLKEM768 server-side. |
| 110 | +func TestSupportedCurvesNegotiation(t *testing.T) { |
| 111 | + t.Parallel() |
| 112 | + for _, tcase := range []features.PostQuantumMode{features.PostQuantumPrefer} { |
| 113 | + curves, err := getCurvePreferences(tcase) |
| 114 | + require.NoError(t, err) |
| 115 | + advertisedCurves := runClientServerHandshake(t, curves) |
| 116 | + require.True(t, slices.Contains(advertisedCurves, tls.CurveP256)) |
| 117 | + require.True(t, slices.Contains(advertisedCurves, tls.X25519MLKEM768)) |
| 118 | + expectedLength := 2 |
| 119 | + if runtime.GOOS == "linux" { |
| 120 | + // P256Kyber768Draft00 only exists in linux |
| 121 | + require.True(t, slices.Contains(advertisedCurves, P256Kyber768Draft00)) |
| 122 | + expectedLength = 3 |
| 123 | + } |
| 124 | + require.Len(t, advertisedCurves, expectedLength) |
| 125 | + } |
| 126 | +} |
0 commit comments