test: add test for checking tls downgrade canary

mingyech · mingyech · commit bd6a9be3c4ea · 2025-04-20T17:16:16.000-06:00
diff --git a/handshake_test.go b/handshake_test.go
@@ -477,7 +477,7 @@ func runMain(m *testing.M) int {
 
 func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) {
 	// [uTLS SECTION BEGIN]
-	return testUtlsHandshake(t, clientConfig, serverConfig, nil)
+	return testUtlsHandshake(t, clientConfig, serverConfig, spec)
 }
 func testUtlsHandshake(t *testing.T, clientConfig, serverConfig *Config, spec *ClientHelloSpec) (serverState, clientState ConnectionState, err error) {
 	// [uTLS SECTION END]
diff --git a/u_conn_test.go b/u_conn_test.go
@@ -851,3 +851,59 @@ func TestUTLSECH(t *testing.T) {
 		})
 	}
 }
+
+var spec *ClientHelloSpec = nil
+
+func TestDowngradeCanaryUTLS(t *testing.T) {
+
+	chromeLatest, err := utlsIdToSpec(HelloChrome_Auto)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	firefoxLatest, err := utlsIdToSpec(HelloFirefox_Auto)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, test := range []struct {
+		name          string
+		spec          *ClientHelloSpec
+		expectSuccess bool
+	}{
+		{
+			name:          "latest chrome",
+			spec:          &chromeLatest,
+			expectSuccess: true,
+		},
+		{
+			name:          "latest firefox",
+			spec:          &firefoxLatest,
+			expectSuccess: true,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			spec = test.spec
+			if err := testDowngradeCanary(t, VersionTLS13, VersionTLS12); err == nil {
+				t.Errorf("downgrade from TLS 1.3 to TLS 1.2 was not detected")
+			}
+			if testing.Short() {
+				t.Skip("skipping the rest of the checks in short mode")
+			}
+			if err := testDowngradeCanary(t, VersionTLS13, VersionTLS11); err == nil {
+				t.Errorf("downgrade from TLS 1.3 to TLS 1.1 was not detected")
+			}
+			if err := testDowngradeCanary(t, VersionTLS13, VersionTLS10); err == nil {
+				t.Errorf("downgrade from TLS 1.3 to TLS 1.0 was not detected")
+			}
+			if err := testDowngradeCanary(t, VersionTLS12, VersionTLS11); err == nil {
+				t.Errorf("downgrade from TLS 1.2 to TLS 1.1 was not detected")
+			}
+			if err := testDowngradeCanary(t, VersionTLS12, VersionTLS10); err == nil {
+				t.Errorf("downgrade from TLS 1.2 to TLS 1.0 was not detected")
+			}
+			spec = nil
+		})
+
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -477,7 +477,7 @@ func runMain(m *testing.M) int {`
`477`	`477`
`478`	`478`	`func testHandshake(t testing.T, clientConfig, serverConfig Config) (serverState, clientState ConnectionState, err error) {`
`479`	`479`	`// [uTLS SECTION BEGIN]`
`480`		`- return testUtlsHandshake(t, clientConfig, serverConfig, nil)`
	`480`	`+ return testUtlsHandshake(t, clientConfig, serverConfig, spec)`
`481`	`481`	`}`
`482`	`482`	`func testUtlsHandshake(t testing.T, clientConfig, serverConfig Config, spec *ClientHelloSpec) (serverState, clientState ConnectionState, err error) {`
`483`	`483`	`// [uTLS SECTION END]`