wip; MEN-3730 OpenSSL via Space Monkey.

.gitignore

@@ -27,3 +27,7 @@ mender
 
 # Go test coverage output
 *coverage*.txt
+
+# IDE and editors
+.idea
+*.swp

.gitlab-ci.yml

@@ -29,6 +29,13 @@ test:
     - apt-get update && apt-get install -yyq liblzma-dev libssl-dev
     - make get-tools
   script:
+#    - cat /etc/ssl/openssl.cnf
+#    - sed -i    -e 's/CipherString = DEFAULT@SECLEVEL=.*/CipherString = DEFAULT@SECLEVEL=-1/' /etc/ssl/openssl.cnf
+#    - cat /etc/ssl/openssl.cnf
+#    - pwd
+#    - find . -name server.crt
+#    - go mod vendor
+    - echo "127.0.0.1 www.dimi.fr" >> /etc/hosts
     - make extracheck
     - make coverage
     - make

Makefile

@@ -170,9 +170,13 @@ check: test extracheck
 test:
 	$(GO) test $(BUILDV) $(PKGS)
 
-extracheck: gofmt govet godeadcode govarcheck gocyclo
+extracheck: gomod gofmt govet godeadcode govarcheck gocyclo
 	echo "All extra-checks passed!"
 
+gomod:
+	echo "-- checking if code is gofmt'ed"
+	$(GO) mod vendor
+
 gofmt:
 	echo "-- checking if code is gofmt'ed"
 	if [ -n "$$($(GOFMT) -d $(PKGFILES))" ]; then \

client/client.go

@@ -26,6 +26,7 @@ import (
 	"strings"
 	"time"
 
+	openssl "github.com/Linutronix/golang-openssl"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/http2"
@@ -280,9 +281,49 @@ func newHttpClient() *http.Client {
 	return &http.Client{}
 }
 
+func dialOpenSSL(conf Config, network string, addr string) (net.Conn, error) {
+	contextSSL, err := openssl.NewCtx() // probably should consider reusing the context, but we
+	// have to propagate it with every request
+	err = contextSSL.LoadVerifyLocations(conf.ServerCert, "")
+	if err != nil {
+		return nil, err
+	}
+	flags := openssl.DialFlags(0)
+
+	if conf.NoVerify {
+		flags = openssl.InsecureSkipHostVerification
+	}
+
+	conn, err := openssl.Dial("tcp", addr, contextSSL, flags)
+	if conn == nil || err != nil {
+		return nil, err
+	}
+
+	conn.VerifyMode()
+	conn.PeerCertificate()
+	v := conn.VerifyResult()
+	if v != openssl.Ok {
+		if v == openssl.CertHasExpired {
+			return nil, errors.Errorf("certificate has expired, openssl verify rc: %d server cert file: %s", v, conf.ServerCert)
+		}
+		if v == openssl.DepthZeroSelfSignedCert {
+			return nil, errors.Errorf("depth zero self-signed certificate, openssl verify rc: %d server cert file: %s", v, conf.ServerCert)
+		}
+		if v == 0x42 { //X509_V_ERR_EE_KEY_TOO_SMALL
+			return nil, errors.Errorf("end entity key too short, openssl verify rc: %d server cert file: %s", v, conf.ServerCert)
+		}
+		if v == 0x14 { //X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+			return nil, errors.Errorf("certificate signed by unknown authority, openssl verify rc: %d server cert file: %s", v, conf.ServerCert)
+		}
+		return nil, errors.Errorf("not a valid certificate, openssl verify rc: %d server cert file: %s", v, conf.ServerCert)
+	}
+	return conn, err
+}
+
 func newHttpsClient(conf Config) (*http.Client, error) {
 	client := newHttpClient()
 
+	//conf.ServerCert = "/go/src/github.com/mendersoftware/mender/client/" + conf.ServerCert
 	trustedcerts := loadServerTrust(&conf)
 
 	if conf.NoVerify {
@@ -295,6 +336,9 @@ func newHttpsClient(conf Config) (*http.Client, error) {
 	transport := http.Transport{
 		TLSClientConfig: &tlsc,
 		Proxy:           http.ProxyFromEnvironment,
+		DialTLS: func(network string, addr string) (net.Conn, error) {
+			return dialOpenSSL(conf, network, addr)
+		},
 	}
 
 	client.Transport = &transport

client/client_auth_test.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -88,13 +88,15 @@ func TestClientAuth(t *testing.T) {
 		http.Header{},
 	}
 
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		responder.headers = r.Header
 		w.WriteHeader(responder.httpStatus)
 		w.Header().Set("Content-Type", "application/json")
 
 		fmt.Fprint(w, responder.data)
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	ac, err := NewApiClient(
@@ -122,8 +124,9 @@ func TestClientAuth(t *testing.T) {
 }
 
 func TestClientAuthExpiredCert(t *testing.T) {
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-	}))
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+		localhostCertExpired,
+		localhostKeyExpired)
 	defer ts.Close()
 
 	ac, err := NewApiClient(
@@ -145,8 +148,9 @@ func TestClientAuthExpiredCert(t *testing.T) {
 }
 
 func TestClientAuthUnknownAuthorityCert(t *testing.T) {
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-	}))
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+		localhostCertUnknown,
+		localhostKeyUnknown)
 	defer ts.Close()
 
 	ac, err := NewApiClient(
@@ -161,15 +165,70 @@ func TestClientAuthUnknownAuthorityCert(t *testing.T) {
 	msger := &testAuthDataMessenger{
 		reqData: []byte("foobar"),
 	}
-	rsp, err := client.Request(ac, ts.URL, msger)
+	rsp, err := client.Request(ac, strings.ReplaceAll(ts.URL, "127.0.0.1", "www.dimi.fr"), msger)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "certificate signed by unknown authority")
+	// see https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/x509/x509_vfy.c#L3268
+	//     for self-signed openssl always returns self-signed error; either
+	//     X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT or X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+	//     and never X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+	assert.Nil(t, rsp)
+}
+
+//X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+func TestClientAuthDepthZeroSelfSignedCert(t *testing.T) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+		localhostCert,
+		localhostKey)
+	defer ts.Close()
+
+	ac, err := NewApiClient(
+		Config{"server.zero.depth.self.signed.crt", true, false},
+	)
+	assert.NotNil(t, ac)
+	assert.NoError(t, err)
+
+	client := NewAuth()
+	assert.NotNil(t, client)
+
+	msger := &testAuthDataMessenger{
+		reqData: []byte("foobar"),
+	}
+	rsp, err := client.Request(ac, ts.URL, msger)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "depth zero self-signed certificate")
+	assert.Nil(t, rsp)
+}
+
+//X509_V_ERR_EE_KEY_TOO_SMALL
+func TestClientAuthEndEntityKeyTooSmall(t *testing.T) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+		localhostCertShortEEKey,
+		localhostKeyShortEEKey)
+	defer ts.Close()
+
+	ac, err := NewApiClient(
+		Config{"server.crt", true, false},
+	)
+	assert.NotNil(t, ac)
+	assert.NoError(t, err)
+
+	client := NewAuth()
+	assert.NotNil(t, client)
+
+	msger := &testAuthDataMessenger{
+		reqData: []byte("foobar"),
+	}
+	rsp, err := client.Request(ac, ts.URL, msger)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "end entity key too short")
 	assert.Nil(t, rsp)
 }
 
 func TestClientAuthNoCert(t *testing.T) {
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-	}))
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	ac, err := NewApiClient(

client/client_inventory_test.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Northern.tech AS
+// Copyright 2020 Northern.tech AS
 //
 //    Licensed under the Apache License, Version 2.0 (the "License");
 //    you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@ package client
 import (
 	"io/ioutil"
 	"net/http"
-	"net/http/httptest"
 	"testing"
 
 	"github.com/pkg/errors"
@@ -35,12 +34,14 @@ func TestInventoryClient(t *testing.T) {
 	}
 
 	// Test server that always responds with 200 code, and specific payload
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(responder.httpStatus)
 
 		responder.recdata, _ = ioutil.ReadAll(r.Body)
 		responder.path = r.URL.Path
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	ac, err := NewApiClient(

client/client_log_test.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Northern.tech AS
+// Copyright 2020 Northern.tech AS
 //
 //    Licensed under the Apache License, Version 2.0 (the "License");
 //    you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@ package client
 import (
 	"io/ioutil"
 	"net/http"
-	"net/http/httptest"
 	"testing"
 
 	"github.com/pkg/errors"
@@ -35,12 +34,14 @@ func TestLogUploadClient(t *testing.T) {
 	}
 
 	// Test server that always responds with 200 code, and specific payload
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(responder.httpStatus)
 
 		responder.recdata, _ = ioutil.ReadAll(r.Body)
 		responder.path = r.URL.Path
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	ac, err := NewApiClient(

client/client_status_test.go

@@ -1,4 +1,4 @@
-// Copyright 2018 Northern.tech AS
+// Copyright 2020 Northern.tech AS
 //
 //    Licensed under the Apache License, Version 2.0 (the "License");
 //    you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@ package client
 import (
 	"io/ioutil"
 	"net/http"
-	"net/http/httptest"
 	"testing"
 
 	"github.com/pkg/errors"
@@ -35,12 +34,14 @@ func TestStatusClient(t *testing.T) {
 	}
 
 	// Test server that always responds with 200 code, and specific payload
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(responder.httpStatus)
 
 		responder.recdata, _ = ioutil.ReadAll(r.Body)
 		responder.path = r.URL.Path
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	ac, err := NewApiClient(

client/client_test.go

@@ -20,7 +20,6 @@ import (
 	"errors"
 	"net"
 	"net/http"
-	"net/http/httptest"
 	"runtime"
 	"strings"
 	"testing"
@@ -81,11 +80,13 @@ func TestApiClientRequest(t *testing.T) {
 		http.Header{},
 	}
 
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		responder.headers = r.Header
 		w.WriteHeader(responder.httpStatus)
 		w.Header().Set("Content-Type", "application/json")
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	auth := false
@@ -138,10 +139,12 @@ func TestClientConnectionTimeout(t *testing.T) {
 	prevReadingTimeout := defaultClientReadingTimeout
 	defaultClientReadingTimeout = 10 * time.Millisecond
 
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// sleep so that client request will timeout
 		time.Sleep(defaultClientReadingTimeout + defaultClientReadingTimeout)
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 
 	defer func() {
 		ts.Close()
@@ -360,11 +363,13 @@ func TestFailoverAPICall(t *testing.T) {
 		http.Header{},
 	}
 
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	ts := startTestHTTPS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		responder.headers = r.Header
 		w.WriteHeader(responder.httpStatus)
 		w.Header().Set("Content-Type", "application/json")
-	}))
+	}),
+		localhostCert,
+		localhostKey)
 	defer ts.Close()
 
 	mulServerfunc := func() func() *MenderServer {