From ab53db0dcc7b268a28ebe7827ef353fb056c2d5b Mon Sep 17 00:00:00 2001
From: mendarb
Date: Fri, 20 Mar 2026 23:23:56 +0100
Subject: [PATCH 1/2] fix: prevent nil pointer dereference panics in TestClientCertRequired
Replace t.Errorf with t.Fatalf in error paths where execution would continue and dereference a nil response pointer, causing panics. Also add missing nil guard in ztls comparison logic and fix potential nil result dereference in openssl test.
Fixes #952
Co-Authored-By: Claude Opus 4.6
---
 pkg/tlsx/openssl/openssl_test.go | 4 ++--
 pkg/tlsx/tls/tls_test.go | 8 ++++----
 pkg/tlsx/ztls/ztls_test.go | 10 +++++-----
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/pkg/tlsx/openssl/openssl_test.go b/pkg/tlsx/openssl/openssl_test.go
index 4d382354..5c4541b4 100644
--- a/pkg/tlsx/openssl/openssl_test.go
+++ b/pkg/tlsx/openssl/openssl_test.go
@@ -187,12 +187,12 @@ func TestClientCertRequired(t *testing.T) {
 args, err := opts.Args()
 if err != nil {
- t.Error(err.Error())
+ t.Fatalf("failed to build args: %s", err)
 }
 result, err := execOpenSSL(context.Background(), args)
 if err != nil {
- t.Errorf("failed to execute cmd:%v\ngot error %v", result.Command, err)
+ t.Fatalf("failed to execute cmd: %v", err)
 }
 actualResult := isClientCertRequired(result.Stderr)
diff --git a/pkg/tlsx/tls/tls_test.go b/pkg/tlsx/tls/tls_test.go
index b377fcc3..c848ede9 100644
--- a/pkg/tlsx/tls/tls_test.go
+++ b/pkg/tlsx/tls/tls_test.go
@@ -74,7 +74,7 @@ func TestClientCertRequired(t *testing.T) {
 parsedUrl, err := url.Parse(server.URL)
 if err != nil {
- t.Errorf("error parsing test server url: %s", err)
+ t.Fatalf("error parsing test server url: %s", err)
 }
 connectOpts := clients.ConnectOptions{
@@ -83,7 +83,7 @@ func TestClientCertRequired(t *testing.T) {
 dialer, err := fastdialer.NewDialer(fastdialer.DefaultOptions)
 if err != nil {
- t.Errorf("error initializing dialer: %s", err)
+ t.Fatalf("error initializing dialer: %s", err)
 }
 clientOpts := &clients.Options{
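Review bot: The new `t.Fatalf("failed to execute cmd: %v", err)` in pkg/tlsx/openssl/openssl_test.go (PATCH 1/2, hunk @@ -187) no longer says which invocation failed, because the old message's `result.Command` had to be dropped. `args` from the `opts.Args()` call just above is still in scope and can be printed even when `result` is nil, for example `t.Fatalf("failed to execute openssl with args %v: %v", args, err)`. TestClientCertRequired begins and ends outside the hunk.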
@@ -92,13 +92,13 @@ func TestClientCertRequired(t *testing.T) {
 client, err := tls.New(clientOpts)
 if err != nil {
- t.Errorf("error initializing ztls client: %s", err)
+ t.Fatalf("error initializing tls client: %s", err)
 }
 host := parsedUrl.Hostname()
 resp, err := client.ConnectWithOptions(host, host, parsedUrl.Port(), connectOpts)
 if err != nil {
- t.Errorf("client ConnectWithOptions call failed: %s", err)
+ t.Fatalf("client ConnectWithOptions call failed: %s", err)
 }
 actualResult := resp.ClientCertRequired
diff --git a/pkg/tlsx/ztls/ztls_test.go b/pkg/tlsx/ztls/ztls_test.go
index 07cb1a4d..3a7e1866 100644
--- a/pkg/tlsx/ztls/ztls_test.go
+++ b/pkg/tlsx/ztls/ztls_test.go
@@ -63,7 +63,7 @@ func TestClientCertRequired(t *testing.T) {
 parsedUrl, err := url.Parse(server.URL)
 if err != nil {
- t.Errorf("error parsing test server url: %s", err)
+ t.Fatalf("error parsing test server url: %s", err)
 }
 connectOpts := clients.ConnectOptions{
@@ -72,7 +72,7 @@ func TestClientCertRequired(t *testing.T) {
 dialer, err := fastdialer.NewDialer(fastdialer.DefaultOptions)
 if err != nil {
- t.Errorf("error initializing dialer: %s", err)
+ t.Fatalf("error initializing dialer: %s", err)
 }
 clientOpts := &clients.Options{
@@ -81,13 +81,13 @@ func TestClientCertRequired(t *testing.T) {
 client, err := ztls.New(clientOpts)
 if err != nil {
- t.Errorf("error initializing ztls client: %s", err)
+ t.Fatalf("error initializing ztls client: %s", err)
 }
 host := parsedUrl.Hostname()
 resp, err := client.ConnectWithOptions(host, host, parsedUrl.Port(), connectOpts)
 if err != nil {
- t.Errorf("client ConnectWithOptions call failed: %s", err)
+ t.Fatalf("client ConnectWithOptions call failed: %s", err)
 }
 actualResult := resp.ClientCertRequired
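Review bot: `actualResult := resp.ClientCertRequired` in pkg/tlsx/tls/tls_test.go (hunk @@ -92) still dereferences `resp` unconditionally, so the panic this patch targets remains possible if `ConnectWithOptions` ever returns a nil response together with a nil error; whether it can is not visible from the hunk. A guard directly after the error check would close that gap: `if resp == nil { t.Fatal("ConnectWithOptions returned a nil response without an error") }`. The same applies to the ztls hunk @@ -81 in this patch and to hunks @@ -103 (tls) and @@ -88 (ztls) in PATCH 2/2. The test body continues outside each of these hunks.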
@@ -96,7 +96,7 @@ func TestClientCertRequired(t *testing.T) {
 t.Errorf("expected isClientCertRequired = %t but received nil", *tc.expectedResult)
 } else if tc.expectedResult == nil && actualResult != nil {
 t.Errorf("expected isClientCertRequired = nil but received %t", *actualResult)
- } else if *tc.expectedResult != *actualResult {
+ } else if tc.expectedResult != nil && actualResult != nil && *tc.expectedResult != *actualResult {
 t.Errorf("expected isClientCertRequired = %t but received %t", *tc.expectedResult, *actualResult)
 }
 })
From de7d08279b3e21bddee603ea1f6574eb8335a7b5 Mon Sep 17 00:00:00 2001
From: Mzack9999
Date: Sat, 21 Mar 2026 00:20:24 +0100
Subject: [PATCH 2/2] merging dev
---
 pkg/tlsx/openssl/openssl_test.go | 9 +++------
 pkg/tlsx/tls/tls_test.go | 6 ++----
 pkg/tlsx/ztls/ztls_test.go | 6 ++----
 3 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/pkg/tlsx/openssl/openssl_test.go b/pkg/tlsx/openssl/openssl_test.go
index 86ca9021..8b1bf106 100644
--- a/pkg/tlsx/openssl/openssl_test.go
+++ b/pkg/tlsx/openssl/openssl_test.go
@@ -178,22 +178,19 @@ func TestClientCertRequired(t *testing.T) {
 args, err := opts.Args()
 if err != nil {
- t.Error(err.Error())
+ t.Fatalf("failed to build args: %s", err)
 }
 result, err := execOpenSSL(context.Background(), args)
 if err != nil {
- t.Skipf("openssl execution failed (environment issue): %s", err)
+ t.Fatalf("failed to execute openssl: %v", err)
 }
 if result == nil || result.Stderr == "" {
- t.Skip("openssl returned no output, skipping")
+ t.Fatal("openssl returned no output")
 }
 actualResult := isClientCertRequired(result.Stderr)
 if actualResult != tc.expectedResult {
- if tc.expectedResult && strings.Contains(result.Stderr, "handshake failure") {
- t.Skipf("openssl got generic handshake failure instead of specific cert alert (environment-dependent)")
- }
 t.Errorf("expected isClientCertRequired = %t but received %t\nstderr: %s", tc.expectedResult, actualResult, result.Stderr)
 }
 })
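Review bot: The last arm of the comparison in pkg/tlsx/ztls/ztls_test.go (PATCH 1/2, hunk @@ -96) repeats nil checks that the two preceding arms have already partly settled, which makes the chain hard to scan. A `switch` with one case per outcome would read more easily, or at least a comment above the arm such as `// both nil: nothing to compare; both set: compare the pointed-to values`, so that the silently accepted both-nil case is clearly intentional. The opening `if` of the chain lies above the hunk, so this is based on the three visible arms only.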
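Review bot: Deleting the `strings.Contains(result.Stderr, "handshake failure")` branch in pkg/tlsx/openssl/openssl_test.go (PATCH 2/2, hunk @@ -178) removes the only use of `strings` visible here, and the diffstat shows this single hunk as the file's only change, so the import block is untouched. If nothing else in the file uses the package, the test file stops compiling with an unused-import error. Separately, every skip is now a `t.Fatalf`/`t.Fatal`, so a host without a working openssl binary fails the suite instead of skipping. If that is intended, say so above the `execOpenSSL` call, e.g. `// openssl is a hard requirement for this test: a missing or broken binary is a failure, not a skip`.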
diff --git a/pkg/tlsx/tls/tls_test.go b/pkg/tlsx/tls/tls_test.go
index ab78476b..a82bc4ee 100644
--- a/pkg/tlsx/tls/tls_test.go
+++ b/pkg/tlsx/tls/tls_test.go
@@ -78,7 +78,7 @@ func TestClientCertRequired(t *testing.T) {
 parsedUrl, err := url.Parse(server.URL)
 if err != nil {
- t.Errorf("error parsing test server url: %s", err)
+ t.Fatalf("error parsing test server url: %s", err)
 }
 connectOpts := clients.ConnectOptions{
@@ -103,9 +103,7 @@ func TestClientCertRequired(t *testing.T) {
 host := parsedUrl.Hostname()
 resp, err := client.ConnectWithOptions(host, host, parsedUrl.Port(), connectOpts)
 if err != nil {
- // We don't fail here because some pre-existing failures are expected in some environments
- t.Logf("client ConnectWithOptions failed (pre-existing issue?): %s", err)
- return
+ t.Fatalf("client ConnectWithOptions call failed: %s", err)
 }
 actualResult := resp.ClientCertRequired
diff --git a/pkg/tlsx/ztls/ztls_test.go b/pkg/tlsx/ztls/ztls_test.go
index b68980c1..d6867b5b 100644
--- a/pkg/tlsx/ztls/ztls_test.go
+++ b/pkg/tlsx/ztls/ztls_test.go
@@ -63,7 +63,7 @@ func TestClientCertRequired(t *testing.T) {
 parsedUrl, err := url.Parse(server.URL)
 if err != nil {
- t.Errorf("error parsing test server url: %s", err)
+ t.Fatalf("error parsing test server url: %s", err)
 }
 connectOpts := clients.ConnectOptions{
@@ -88,9 +88,7 @@ func TestClientCertRequired(t *testing.T) {
 host := parsedUrl.Hostname()
 resp, err := client.ConnectWithOptions(host, host, parsedUrl.Port(), connectOpts)
 if err != nil {
- // We don't fail here because some pre-existing failures are expected in some environments
- t.Logf("client ConnectWithOptions failed (pre-existing issue?): %s", err)
- return
+ t.Fatalf("client ConnectWithOptions call failed: %s", err)
 }
 actualResult := resp.ClientCertRequired