github.com/code-reading/golang@v0.0.0-20220303082512-ba5bc0e589a3/go/src/crypto/tls/tls_test.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "context" 10 "crypto" 11 "crypto/x509" 12 "encoding/json" 13 "errors" 14 "fmt" 15 "internal/testenv" 16 "io" 17 "math" 18 "net" 19 "os" 20 "reflect" 21 "sort" 22 "strings" 23 "testing" 24 "time" 25 ) 26 27 var rsaCertPEM = `-----BEGIN CERTIFICATE----- 28 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 29 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 30 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF 31 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 32 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ 33 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa 34 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv 35 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF 36 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW 37 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V 38 -----END CERTIFICATE----- 39 ` 40 41 var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY----- 42 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo 43 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G 44 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N 45 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW 46 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T 47 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi 48 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== 49 -----END RSA TESTING KEY----- 50 `) 51 52 // keyPEM is the same as rsaKeyPEM, but declares itself as just 53 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477 54 var keyPEM = testingKey(`-----BEGIN TESTING KEY----- 55 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo 56 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G 57 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N 58 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW 59 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T 60 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi 61 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== 62 -----END TESTING KEY----- 63 `) 64 65 var ecdsaCertPEM = `-----BEGIN CERTIFICATE----- 66 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw 67 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 68 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG 69 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk 70 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR 71 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl 72 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8 73 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo 74 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb 75 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1 76 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA== 77 -----END CERTIFICATE----- 78 ` 79 80 var ecdsaKeyPEM = testingKey(`-----BEGIN EC PARAMETERS----- 81 BgUrgQQAIw== 82 -----END EC PARAMETERS----- 83 -----BEGIN EC TESTING KEY----- 84 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0 85 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL 86 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz 87 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q 88 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ== 89 -----END EC TESTING KEY----- 90 `) 91 92 var keyPairTests = []struct { 93 algo string 94 cert string 95 key string 96 }{ 97 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM}, 98 {"RSA", rsaCertPEM, rsaKeyPEM}, 99 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477 100 } 101 102 func TestX509KeyPair(t *testing.T) { 103 t.Parallel() 104 var pem []byte 105 for _, test := range keyPairTests { 106 pem = []byte(test.cert + test.key) 107 if _, err := X509KeyPair(pem, pem); err != nil { 108 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err) 109 } 110 pem = []byte(test.key + test.cert) 111 if _, err := X509KeyPair(pem, pem); err != nil { 112 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err) 113 } 114 } 115 } 116 117 func TestX509KeyPairErrors(t *testing.T) { 118 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM)) 119 if err == nil { 120 t.Fatalf("X509KeyPair didn't return an error when arguments were switched") 121 } 122 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) { 123 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err) 124 } 125 126 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM)) 127 if err == nil { 128 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates") 129 } 130 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) { 131 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err) 132 } 133 134 const nonsensePEM = ` 135 -----BEGIN NONSENSE----- 136 Zm9vZm9vZm9v 137 -----END NONSENSE----- 138 ` 139 140 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM)) 141 if err == nil { 142 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense") 143 } 144 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) { 145 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err) 146 } 147 } 148 149 func TestX509MixedKeyPair(t *testing.T) { 150 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil { 151 t.Error("Load of RSA certificate succeeded with ECDSA private key") 152 } 153 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil { 154 t.Error("Load of ECDSA certificate succeeded with RSA private key") 155 } 156 } 157 158 func newLocalListener(t testing.TB) net.Listener { 159 ln, err := net.Listen("tcp", "127.0.0.1:0") 160 if err != nil { 161 ln, err = net.Listen("tcp6", "[::1]:0") 162 } 163 if err != nil { 164 t.Fatal(err) 165 } 166 return ln 167 } 168 169 func TestDialTimeout(t *testing.T) { 170 if testing.Short() { 171 t.Skip("skipping in short mode") 172 } 173 listener := newLocalListener(t) 174 175 addr := listener.Addr().String() 176 defer listener.Close() 177 178 complete := make(chan bool) 179 defer close(complete) 180 181 go func() { 182 conn, err := listener.Accept() 183 if err != nil { 184 t.Error(err) 185 return 186 } 187 <-complete 188 conn.Close() 189 }() 190 191 dialer := &net.Dialer{ 192 Timeout: 10 * time.Millisecond, 193 } 194 195 var err error 196 if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil { 197 t.Fatal("DialWithTimeout completed successfully") 198 } 199 200 if !isTimeoutError(err) { 201 t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err) 202 } 203 } 204 205 func TestDeadlineOnWrite(t *testing.T) { 206 if testing.Short() { 207 t.Skip("skipping in short mode") 208 } 209 210 ln := newLocalListener(t) 211 defer ln.Close() 212 213 srvCh := make(chan *Conn, 1) 214 215 go func() { 216 sconn, err := ln.Accept() 217 if err != nil { 218 srvCh <- nil 219 return 220 } 221 srv := Server(sconn, testConfig.Clone()) 222 if err := srv.Handshake(); err != nil { 223 srvCh <- nil 224 return 225 } 226 srvCh <- srv 227 }() 228 229 clientConfig := testConfig.Clone() 230 clientConfig.MaxVersion = VersionTLS12 231 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 232 if err != nil { 233 t.Fatal(err) 234 } 235 defer conn.Close() 236 237 srv := <-srvCh 238 if srv == nil { 239 t.Error(err) 240 } 241 242 // Make sure the client/server is setup correctly and is able to do a typical Write/Read 243 buf := make([]byte, 6) 244 if _, err := srv.Write([]byte("foobar")); err != nil { 245 t.Errorf("Write err: %v", err) 246 } 247 if n, err := conn.Read(buf); n != 6 || err != nil || string(buf) != "foobar" { 248 t.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf) 249 } 250 251 // Set a deadline which should cause Write to timeout 252 if err = srv.SetDeadline(time.Now()); err != nil { 253 t.Fatalf("SetDeadline(time.Now()) err: %v", err) 254 } 255 if _, err = srv.Write([]byte("should fail")); err == nil { 256 t.Fatal("Write should have timed out") 257 } 258 259 // Clear deadline and make sure it still times out 260 if err = srv.SetDeadline(time.Time{}); err != nil { 261 t.Fatalf("SetDeadline(time.Time{}) err: %v", err) 262 } 263 if _, err = srv.Write([]byte("This connection is permanently broken")); err == nil { 264 t.Fatal("Write which previously failed should still time out") 265 } 266 267 // Verify the error 268 if ne := err.(net.Error); ne.Temporary() != false { 269 t.Error("Write timed out but incorrectly classified the error as Temporary") 270 } 271 if !isTimeoutError(err) { 272 t.Error("Write timed out but did not classify the error as a Timeout") 273 } 274 } 275 276 type readerFunc func([]byte) (int, error) 277 278 func (f readerFunc) Read(b []byte) (int, error) { return f(b) } 279 280 // TestDialer tests that tls.Dialer.DialContext can abort in the middle of a handshake. 281 // (The other cases are all handled by the existing dial tests in this package, which 282 // all also flow through the same code shared code paths) 283 func TestDialer(t *testing.T) { 284 ln := newLocalListener(t) 285 defer ln.Close() 286 287 unblockServer := make(chan struct{}) // close-only 288 defer close(unblockServer) 289 go func() { 290 conn, err := ln.Accept() 291 if err != nil { 292 return 293 } 294 defer conn.Close() 295 <-unblockServer 296 }() 297 298 ctx, cancel := context.WithCancel(context.Background()) 299 d := Dialer{Config: &Config{ 300 Rand: readerFunc(func(b []byte) (n int, err error) { 301 // By the time crypto/tls wants randomness, that means it has a TCP 302 // connection, so we're past the Dialer's dial and now blocked 303 // in a handshake. Cancel our context and see if we get unstuck. 304 // (Our TCP listener above never reads or writes, so the Handshake 305 // would otherwise be stuck forever) 306 cancel() 307 return len(b), nil 308 }), 309 ServerName: "foo", 310 }} 311 _, err := d.DialContext(ctx, "tcp", ln.Addr().String()) 312 if err != context.Canceled { 313 t.Errorf("err = %v; want context.Canceled", err) 314 } 315 } 316 317 func isTimeoutError(err error) bool { 318 if ne, ok := err.(net.Error); ok { 319 return ne.Timeout() 320 } 321 return false 322 } 323 324 // tests that Conn.Read returns (non-zero, io.EOF) instead of 325 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right 326 // behind the application data in the buffer. 327 func TestConnReadNonzeroAndEOF(t *testing.T) { 328 // This test is racy: it assumes that after a write to a 329 // localhost TCP connection, the peer TCP connection can 330 // immediately read it. Because it's racy, we skip this test 331 // in short mode, and then retry it several times with an 332 // increasing sleep in between our final write (via srv.Close 333 // below) and the following read. 334 if testing.Short() { 335 t.Skip("skipping in short mode") 336 } 337 var err error 338 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 { 339 if err = testConnReadNonzeroAndEOF(t, delay); err == nil { 340 return 341 } 342 } 343 t.Error(err) 344 } 345 346 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error { 347 ln := newLocalListener(t) 348 defer ln.Close() 349 350 srvCh := make(chan *Conn, 1) 351 var serr error 352 go func() { 353 sconn, err := ln.Accept() 354 if err != nil { 355 serr = err 356 srvCh <- nil 357 return 358 } 359 serverConfig := testConfig.Clone() 360 srv := Server(sconn, serverConfig) 361 if err := srv.Handshake(); err != nil { 362 serr = fmt.Errorf("handshake: %v", err) 363 srvCh <- nil 364 return 365 } 366 srvCh <- srv 367 }() 368 369 clientConfig := testConfig.Clone() 370 // In TLS 1.3, alerts are encrypted and disguised as application data, so 371 // the opportunistic peek won't work. 372 clientConfig.MaxVersion = VersionTLS12 373 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 374 if err != nil { 375 t.Fatal(err) 376 } 377 defer conn.Close() 378 379 srv := <-srvCh 380 if srv == nil { 381 return serr 382 } 383 384 buf := make([]byte, 6) 385 386 srv.Write([]byte("foobar")) 387 n, err := conn.Read(buf) 388 if n != 6 || err != nil || string(buf) != "foobar" { 389 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf) 390 } 391 392 srv.Write([]byte("abcdef")) 393 srv.Close() 394 time.Sleep(delay) 395 n, err = conn.Read(buf) 396 if n != 6 || string(buf) != "abcdef" { 397 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf) 398 } 399 if err != io.EOF { 400 return fmt.Errorf("Second Read error = %v; want io.EOF", err) 401 } 402 return nil 403 } 404 405 func TestTLSUniqueMatches(t *testing.T) { 406 ln := newLocalListener(t) 407 defer ln.Close() 408 409 serverTLSUniques := make(chan []byte) 410 parentDone := make(chan struct{}) 411 childDone := make(chan struct{}) 412 defer close(parentDone) 413 go func() { 414 defer close(childDone) 415 for i := 0; i < 2; i++ { 416 sconn, err := ln.Accept() 417 if err != nil { 418 t.Error(err) 419 return 420 } 421 serverConfig := testConfig.Clone() 422 serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3 423 srv := Server(sconn, serverConfig) 424 if err := srv.Handshake(); err != nil { 425 t.Error(err) 426 return 427 } 428 select { 429 case <-parentDone: 430 return 431 case serverTLSUniques <- srv.ConnectionState().TLSUnique: 432 } 433 } 434 }() 435 436 clientConfig := testConfig.Clone() 437 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) 438 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 439 if err != nil { 440 t.Fatal(err) 441 } 442 443 var serverTLSUniquesValue []byte 444 select { 445 case <-childDone: 446 return 447 case serverTLSUniquesValue = <-serverTLSUniques: 448 } 449 450 if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { 451 t.Error("client and server channel bindings differ") 452 } 453 conn.Close() 454 455 conn, err = Dial("tcp", ln.Addr().String(), clientConfig) 456 if err != nil { 457 t.Fatal(err) 458 } 459 defer conn.Close() 460 if !conn.ConnectionState().DidResume { 461 t.Error("second session did not use resumption") 462 } 463 464 select { 465 case <-childDone: 466 return 467 case serverTLSUniquesValue = <-serverTLSUniques: 468 } 469 470 if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { 471 t.Error("client and server channel bindings differ when session resumption is used") 472 } 473 } 474 475 func TestVerifyHostname(t *testing.T) { 476 testenv.MustHaveExternalNetwork(t) 477 478 c, err := Dial("tcp", "www.google.com:https", nil) 479 if err != nil { 480 t.Fatal(err) 481 } 482 if err := c.VerifyHostname("www.google.com"); err != nil { 483 t.Fatalf("verify www.google.com: %v", err) 484 } 485 if err := c.VerifyHostname("www.yahoo.com"); err == nil { 486 t.Fatalf("verify www.yahoo.com succeeded") 487 } 488 489 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true}) 490 if err != nil { 491 t.Fatal(err) 492 } 493 if err := c.VerifyHostname("www.google.com"); err == nil { 494 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true") 495 } 496 } 497 498 func TestConnCloseBreakingWrite(t *testing.T) { 499 ln := newLocalListener(t) 500 defer ln.Close() 501 502 srvCh := make(chan *Conn, 1) 503 var serr error 504 var sconn net.Conn 505 go func() { 506 var err error 507 sconn, err = ln.Accept() 508 if err != nil { 509 serr = err 510 srvCh <- nil 511 return 512 } 513 serverConfig := testConfig.Clone() 514 srv := Server(sconn, serverConfig) 515 if err := srv.Handshake(); err != nil { 516 serr = fmt.Errorf("handshake: %v", err) 517 srvCh <- nil 518 return 519 } 520 srvCh <- srv 521 }() 522 523 cconn, err := net.Dial("tcp", ln.Addr().String()) 524 if err != nil { 525 t.Fatal(err) 526 } 527 defer cconn.Close() 528 529 conn := &changeImplConn{ 530 Conn: cconn, 531 } 532 533 clientConfig := testConfig.Clone() 534 tconn := Client(conn, clientConfig) 535 if err := tconn.Handshake(); err != nil { 536 t.Fatal(err) 537 } 538 539 srv := <-srvCh 540 if srv == nil { 541 t.Fatal(serr) 542 } 543 defer sconn.Close() 544 545 connClosed := make(chan struct{}) 546 conn.closeFunc = func() error { 547 close(connClosed) 548 return nil 549 } 550 551 inWrite := make(chan bool, 1) 552 var errConnClosed = errors.New("conn closed for test") 553 conn.writeFunc = func(p []byte) (n int, err error) { 554 inWrite <- true 555 <-connClosed 556 return 0, errConnClosed 557 } 558 559 closeReturned := make(chan bool, 1) 560 go func() { 561 <-inWrite 562 tconn.Close() // test that this doesn't block forever. 563 closeReturned <- true 564 }() 565 566 _, err = tconn.Write([]byte("foo")) 567 if err != errConnClosed { 568 t.Errorf("Write error = %v; want errConnClosed", err) 569 } 570 571 <-closeReturned 572 if err := tconn.Close(); err != net.ErrClosed { 573 t.Errorf("Close error = %v; want net.ErrClosed", err) 574 } 575 } 576 577 func TestConnCloseWrite(t *testing.T) { 578 ln := newLocalListener(t) 579 defer ln.Close() 580 581 clientDoneChan := make(chan struct{}) 582 583 serverCloseWrite := func() error { 584 sconn, err := ln.Accept() 585 if err != nil { 586 return fmt.Errorf("accept: %v", err) 587 } 588 defer sconn.Close() 589 590 serverConfig := testConfig.Clone() 591 srv := Server(sconn, serverConfig) 592 if err := srv.Handshake(); err != nil { 593 return fmt.Errorf("handshake: %v", err) 594 } 595 defer srv.Close() 596 597 data, err := io.ReadAll(srv) 598 if err != nil { 599 return err 600 } 601 if len(data) > 0 { 602 return fmt.Errorf("Read data = %q; want nothing", data) 603 } 604 605 if err := srv.CloseWrite(); err != nil { 606 return fmt.Errorf("server CloseWrite: %v", err) 607 } 608 609 // Wait for clientCloseWrite to finish, so we know we 610 // tested the CloseWrite before we defer the 611 // sconn.Close above, which would also cause the 612 // client to unblock like CloseWrite. 613 <-clientDoneChan 614 return nil 615 } 616 617 clientCloseWrite := func() error { 618 defer close(clientDoneChan) 619 620 clientConfig := testConfig.Clone() 621 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 622 if err != nil { 623 return err 624 } 625 if err := conn.Handshake(); err != nil { 626 return err 627 } 628 defer conn.Close() 629 630 if err := conn.CloseWrite(); err != nil { 631 return fmt.Errorf("client CloseWrite: %v", err) 632 } 633 634 if _, err := conn.Write([]byte{0}); err != errShutdown { 635 return fmt.Errorf("CloseWrite error = %v; want errShutdown", err) 636 } 637 638 data, err := io.ReadAll(conn) 639 if err != nil { 640 return err 641 } 642 if len(data) > 0 { 643 return fmt.Errorf("Read data = %q; want nothing", data) 644 } 645 return nil 646 } 647 648 errChan := make(chan error, 2) 649 650 go func() { errChan <- serverCloseWrite() }() 651 go func() { errChan <- clientCloseWrite() }() 652 653 for i := 0; i < 2; i++ { 654 select { 655 case err := <-errChan: 656 if err != nil { 657 t.Fatal(err) 658 } 659 case <-time.After(10 * time.Second): 660 t.Fatal("deadlock") 661 } 662 } 663 664 // Also test CloseWrite being called before the handshake is 665 // finished: 666 { 667 ln2 := newLocalListener(t) 668 defer ln2.Close() 669 670 netConn, err := net.Dial("tcp", ln2.Addr().String()) 671 if err != nil { 672 t.Fatal(err) 673 } 674 defer netConn.Close() 675 conn := Client(netConn, testConfig.Clone()) 676 677 if err := conn.CloseWrite(); err != errEarlyCloseWrite { 678 t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err) 679 } 680 } 681 } 682 683 func TestWarningAlertFlood(t *testing.T) { 684 ln := newLocalListener(t) 685 defer ln.Close() 686 687 server := func() error { 688 sconn, err := ln.Accept() 689 if err != nil { 690 return fmt.Errorf("accept: %v", err) 691 } 692 defer sconn.Close() 693 694 serverConfig := testConfig.Clone() 695 srv := Server(sconn, serverConfig) 696 if err := srv.Handshake(); err != nil { 697 return fmt.Errorf("handshake: %v", err) 698 } 699 defer srv.Close() 700 701 _, err = io.ReadAll(srv) 702 if err == nil { 703 return errors.New("unexpected lack of error from server") 704 } 705 const expected = "too many ignored" 706 if str := err.Error(); !strings.Contains(str, expected) { 707 return fmt.Errorf("expected error containing %q, but saw: %s", expected, str) 708 } 709 710 return nil 711 } 712 713 errChan := make(chan error, 1) 714 go func() { errChan <- server() }() 715 716 clientConfig := testConfig.Clone() 717 clientConfig.MaxVersion = VersionTLS12 // there are no warning alerts in TLS 1.3 718 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 719 if err != nil { 720 t.Fatal(err) 721 } 722 defer conn.Close() 723 if err := conn.Handshake(); err != nil { 724 t.Fatal(err) 725 } 726 727 for i := 0; i < maxUselessRecords+1; i++ { 728 conn.sendAlert(alertNoRenegotiation) 729 } 730 731 if err := <-errChan; err != nil { 732 t.Fatal(err) 733 } 734 } 735 736 func TestCloneFuncFields(t *testing.T) { 737 const expectedCount = 6 738 called := 0 739 740 c1 := Config{ 741 Time: func() time.Time { 742 called |= 1 << 0 743 return time.Time{} 744 }, 745 GetCertificate: func(*ClientHelloInfo) (*Certificate, error) { 746 called |= 1 << 1 747 return nil, nil 748 }, 749 GetClientCertificate: func(*CertificateRequestInfo) (*Certificate, error) { 750 called |= 1 << 2 751 return nil, nil 752 }, 753 GetConfigForClient: func(*ClientHelloInfo) (*Config, error) { 754 called |= 1 << 3 755 return nil, nil 756 }, 757 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { 758 called |= 1 << 4 759 return nil 760 }, 761 VerifyConnection: func(ConnectionState) error { 762 called |= 1 << 5 763 return nil 764 }, 765 } 766 767 c2 := c1.Clone() 768 769 c2.Time() 770 c2.GetCertificate(nil) 771 c2.GetClientCertificate(nil) 772 c2.GetConfigForClient(nil) 773 c2.VerifyPeerCertificate(nil, nil) 774 c2.VerifyConnection(ConnectionState{}) 775 776 if called != (1<<expectedCount)-1 { 777 t.Fatalf("expected %d calls but saw calls %b", expectedCount, called) 778 } 779 } 780 781 func TestCloneNonFuncFields(t *testing.T) { 782 var c1 Config 783 v := reflect.ValueOf(&c1).Elem() 784 785 typ := v.Type() 786 for i := 0; i < typ.NumField(); i++ { 787 f := v.Field(i) 788 // testing/quick can't handle functions or interfaces and so 789 // isn't used here. 790 switch fn := typ.Field(i).Name; fn { 791 case "Rand": 792 f.Set(reflect.ValueOf(io.Reader(os.Stdin))) 793 case "Time", "GetCertificate", "GetConfigForClient", "VerifyPeerCertificate", "VerifyConnection", "GetClientCertificate": 794 // DeepEqual can't compare functions. If you add a 795 // function field to this list, you must also change 796 // TestCloneFuncFields to ensure that the func field is 797 // cloned. 798 case "Certificates": 799 f.Set(reflect.ValueOf([]Certificate{ 800 {Certificate: [][]byte{{'b'}}}, 801 })) 802 case "NameToCertificate": 803 f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil})) 804 case "RootCAs", "ClientCAs": 805 f.Set(reflect.ValueOf(x509.NewCertPool())) 806 case "ClientSessionCache": 807 f.Set(reflect.ValueOf(NewLRUClientSessionCache(10))) 808 case "KeyLogWriter": 809 f.Set(reflect.ValueOf(io.Writer(os.Stdout))) 810 case "NextProtos": 811 f.Set(reflect.ValueOf([]string{"a", "b"})) 812 case "ServerName": 813 f.Set(reflect.ValueOf("b")) 814 case "ClientAuth": 815 f.Set(reflect.ValueOf(VerifyClientCertIfGiven)) 816 case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites": 817 f.Set(reflect.ValueOf(true)) 818 case "MinVersion", "MaxVersion": 819 f.Set(reflect.ValueOf(uint16(VersionTLS12))) 820 case "SessionTicketKey": 821 f.Set(reflect.ValueOf([32]byte{})) 822 case "CipherSuites": 823 f.Set(reflect.ValueOf([]uint16{1, 2})) 824 case "CurvePreferences": 825 f.Set(reflect.ValueOf([]CurveID{CurveP256})) 826 case "Renegotiation": 827 f.Set(reflect.ValueOf(RenegotiateOnceAsClient)) 828 case "mutex", "autoSessionTicketKeys", "sessionTicketKeys": 829 continue // these are unexported fields that are handled separately 830 default: 831 t.Errorf("all fields must be accounted for, but saw unknown field %q", fn) 832 } 833 } 834 // Set the unexported fields related to session ticket keys, which are copied with Clone(). 835 c1.autoSessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)} 836 c1.sessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)} 837 838 c2 := c1.Clone() 839 if !reflect.DeepEqual(&c1, c2) { 840 t.Errorf("clone failed to copy a field") 841 } 842 } 843 844 func TestCloneNilConfig(t *testing.T) { 845 var config *Config 846 if cc := config.Clone(); cc != nil { 847 t.Fatalf("Clone with nil should return nil, got: %+v", cc) 848 } 849 } 850 851 // changeImplConn is a net.Conn which can change its Write and Close 852 // methods. 853 type changeImplConn struct { 854 net.Conn 855 writeFunc func([]byte) (int, error) 856 closeFunc func() error 857 } 858 859 func (w *changeImplConn) Write(p []byte) (n int, err error) { 860 if w.writeFunc != nil { 861 return w.writeFunc(p) 862 } 863 return w.Conn.Write(p) 864 } 865 866 func (w *changeImplConn) Close() error { 867 if w.closeFunc != nil { 868 return w.closeFunc() 869 } 870 return w.Conn.Close() 871 } 872 873 func throughput(b *testing.B, version uint16, totalBytes int64, dynamicRecordSizingDisabled bool) { 874 ln := newLocalListener(b) 875 defer ln.Close() 876 877 N := b.N 878 879 // Less than 64KB because Windows appears to use a TCP rwin < 64KB. 880 // See Issue #15899. 881 const bufsize = 32 << 10 882 883 go func() { 884 buf := make([]byte, bufsize) 885 for i := 0; i < N; i++ { 886 sconn, err := ln.Accept() 887 if err != nil { 888 // panic rather than synchronize to avoid benchmark overhead 889 // (cannot call b.Fatal in goroutine) 890 panic(fmt.Errorf("accept: %v", err)) 891 } 892 serverConfig := testConfig.Clone() 893 serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers 894 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled 895 srv := Server(sconn, serverConfig) 896 if err := srv.Handshake(); err != nil { 897 panic(fmt.Errorf("handshake: %v", err)) 898 } 899 if _, err := io.CopyBuffer(srv, srv, buf); err != nil { 900 panic(fmt.Errorf("copy buffer: %v", err)) 901 } 902 } 903 }() 904 905 b.SetBytes(totalBytes) 906 clientConfig := testConfig.Clone() 907 clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers 908 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled 909 clientConfig.MaxVersion = version 910 911 buf := make([]byte, bufsize) 912 chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf)))) 913 for i := 0; i < N; i++ { 914 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 915 if err != nil { 916 b.Fatal(err) 917 } 918 for j := 0; j < chunks; j++ { 919 _, err := conn.Write(buf) 920 if err != nil { 921 b.Fatal(err) 922 } 923 _, err = io.ReadFull(conn, buf) 924 if err != nil { 925 b.Fatal(err) 926 } 927 } 928 conn.Close() 929 } 930 } 931 932 func BenchmarkThroughput(b *testing.B) { 933 for _, mode := range []string{"Max", "Dynamic"} { 934 for size := 1; size <= 64; size <<= 1 { 935 name := fmt.Sprintf("%sPacket/%dMB", mode, size) 936 b.Run(name, func(b *testing.B) { 937 b.Run("TLSv12", func(b *testing.B) { 938 throughput(b, VersionTLS12, int64(size<<20), mode == "Max") 939 }) 940 b.Run("TLSv13", func(b *testing.B) { 941 throughput(b, VersionTLS13, int64(size<<20), mode == "Max") 942 }) 943 }) 944 } 945 } 946 } 947 948 type slowConn struct { 949 net.Conn 950 bps int 951 } 952 953 func (c *slowConn) Write(p []byte) (int, error) { 954 if c.bps == 0 { 955 panic("too slow") 956 } 957 t0 := time.Now() 958 wrote := 0 959 for wrote < len(p) { 960 time.Sleep(100 * time.Microsecond) 961 allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8 962 if allowed > len(p) { 963 allowed = len(p) 964 } 965 if wrote < allowed { 966 n, err := c.Conn.Write(p[wrote:allowed]) 967 wrote += n 968 if err != nil { 969 return wrote, err 970 } 971 } 972 } 973 return len(p), nil 974 } 975 976 func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled bool) { 977 ln := newLocalListener(b) 978 defer ln.Close() 979 980 N := b.N 981 982 go func() { 983 for i := 0; i < N; i++ { 984 sconn, err := ln.Accept() 985 if err != nil { 986 // panic rather than synchronize to avoid benchmark overhead 987 // (cannot call b.Fatal in goroutine) 988 panic(fmt.Errorf("accept: %v", err)) 989 } 990 serverConfig := testConfig.Clone() 991 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled 992 srv := Server(&slowConn{sconn, bps}, serverConfig) 993 if err := srv.Handshake(); err != nil { 994 panic(fmt.Errorf("handshake: %v", err)) 995 } 996 io.Copy(srv, srv) 997 } 998 }() 999 1000 clientConfig := testConfig.Clone() 1001 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled 1002 clientConfig.MaxVersion = version 1003 1004 buf := make([]byte, 16384) 1005 peek := make([]byte, 1) 1006 1007 for i := 0; i < N; i++ { 1008 conn, err := Dial("tcp", ln.Addr().String(), clientConfig) 1009 if err != nil { 1010 b.Fatal(err) 1011 } 1012 // make sure we're connected and previous connection has stopped 1013 if _, err := conn.Write(buf[:1]); err != nil { 1014 b.Fatal(err) 1015 } 1016 if _, err := io.ReadFull(conn, peek); err != nil { 1017 b.Fatal(err) 1018 } 1019 if _, err := conn.Write(buf); err != nil { 1020 b.Fatal(err) 1021 } 1022 if _, err = io.ReadFull(conn, peek); err != nil { 1023 b.Fatal(err) 1024 } 1025 conn.Close() 1026 } 1027 } 1028 1029 func BenchmarkLatency(b *testing.B) { 1030 for _, mode := range []string{"Max", "Dynamic"} { 1031 for _, kbps := range []int{200, 500, 1000, 2000, 5000} { 1032 name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps) 1033 b.Run(name, func(b *testing.B) { 1034 b.Run("TLSv12", func(b *testing.B) { 1035 latency(b, VersionTLS12, kbps*1000, mode == "Max") 1036 }) 1037 b.Run("TLSv13", func(b *testing.B) { 1038 latency(b, VersionTLS13, kbps*1000, mode == "Max") 1039 }) 1040 }) 1041 } 1042 } 1043 } 1044 1045 func TestConnectionStateMarshal(t *testing.T) { 1046 cs := &ConnectionState{} 1047 _, err := json.Marshal(cs) 1048 if err != nil { 1049 t.Errorf("json.Marshal failed on ConnectionState: %v", err) 1050 } 1051 } 1052 1053 func TestConnectionState(t *testing.T) { 1054 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 1055 if err != nil { 1056 panic(err) 1057 } 1058 rootCAs := x509.NewCertPool() 1059 rootCAs.AddCert(issuer) 1060 1061 now := func() time.Time { return time.Unix(1476984729, 0) } 1062 1063 const alpnProtocol = "golang" 1064 const serverName = "example.golang" 1065 var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} 1066 var ocsp = []byte("dummy ocsp") 1067 1068 for _, v := range []uint16{VersionTLS12, VersionTLS13} { 1069 var name string 1070 switch v { 1071 case VersionTLS12: 1072 name = "TLSv12" 1073 case VersionTLS13: 1074 name = "TLSv13" 1075 } 1076 t.Run(name, func(t *testing.T) { 1077 config := &Config{ 1078 Time: now, 1079 Rand: zeroSource{}, 1080 Certificates: make([]Certificate, 1), 1081 MaxVersion: v, 1082 RootCAs: rootCAs, 1083 ClientCAs: rootCAs, 1084 ClientAuth: RequireAndVerifyClientCert, 1085 NextProtos: []string{alpnProtocol}, 1086 ServerName: serverName, 1087 } 1088 config.Certificates[0].Certificate = [][]byte{testRSACertificate} 1089 config.Certificates[0].PrivateKey = testRSAPrivateKey 1090 config.Certificates[0].SignedCertificateTimestamps = scts 1091 config.Certificates[0].OCSPStaple = ocsp 1092 1093 ss, cs, err := testHandshake(t, config, config) 1094 if err != nil { 1095 t.Fatalf("Handshake failed: %v", err) 1096 } 1097 1098 if ss.Version != v || cs.Version != v { 1099 t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v) 1100 } 1101 1102 if !ss.HandshakeComplete || !cs.HandshakeComplete { 1103 t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete) 1104 } 1105 1106 if ss.DidResume || cs.DidResume { 1107 t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume) 1108 } 1109 1110 if ss.CipherSuite == 0 || cs.CipherSuite == 0 { 1111 t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite) 1112 } 1113 1114 if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol { 1115 t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol) 1116 } 1117 1118 if !cs.NegotiatedProtocolIsMutual { 1119 t.Errorf("Got false NegotiatedProtocolIsMutual on the client side") 1120 } 1121 // NegotiatedProtocolIsMutual on the server side is unspecified. 1122 1123 if ss.ServerName != serverName { 1124 t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName) 1125 } 1126 if cs.ServerName != serverName { 1127 t.Errorf("Got server name on client connection %q, expected %q", cs.ServerName, serverName) 1128 } 1129 1130 if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 { 1131 t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1) 1132 } 1133 1134 if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 { 1135 t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1) 1136 } else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 { 1137 t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2) 1138 } 1139 1140 if len(cs.SignedCertificateTimestamps) != 2 { 1141 t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2) 1142 } 1143 if !bytes.Equal(cs.OCSPResponse, ocsp) { 1144 t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp) 1145 } 1146 // Only TLS 1.3 supports OCSP and SCTs on client certs. 1147 if v == VersionTLS13 { 1148 if len(ss.SignedCertificateTimestamps) != 2 { 1149 t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2) 1150 } 1151 if !bytes.Equal(ss.OCSPResponse, ocsp) { 1152 t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp) 1153 } 1154 } 1155 1156 if v == VersionTLS13 { 1157 if ss.TLSUnique != nil || cs.TLSUnique != nil { 1158 t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique) 1159 } 1160 } else { 1161 if ss.TLSUnique == nil || cs.TLSUnique == nil { 1162 t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique) 1163 } 1164 } 1165 }) 1166 } 1167 } 1168 1169 // Issue 28744: Ensure that we don't modify memory 1170 // that Config doesn't own such as Certificates. 1171 func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) { 1172 c0 := Certificate{ 1173 Certificate: [][]byte{testRSACertificate}, 1174 PrivateKey: testRSAPrivateKey, 1175 } 1176 c1 := Certificate{ 1177 Certificate: [][]byte{testSNICertificate}, 1178 PrivateKey: testRSAPrivateKey, 1179 } 1180 config := testConfig.Clone() 1181 config.Certificates = []Certificate{c0, c1} 1182 1183 config.BuildNameToCertificate() 1184 got := config.Certificates 1185 want := []Certificate{c0, c1} 1186 if !reflect.DeepEqual(got, want) { 1187 t.Fatalf("Certificates were mutated by BuildNameToCertificate\nGot: %#v\nWant: %#v\n", got, want) 1188 } 1189 } 1190 1191 func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } 1192 1193 func TestClientHelloInfo_SupportsCertificate(t *testing.T) { 1194 rsaCert := &Certificate{ 1195 Certificate: [][]byte{testRSACertificate}, 1196 PrivateKey: testRSAPrivateKey, 1197 } 1198 pkcs1Cert := &Certificate{ 1199 Certificate: [][]byte{testRSACertificate}, 1200 PrivateKey: testRSAPrivateKey, 1201 SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, 1202 } 1203 ecdsaCert := &Certificate{ 1204 // ECDSA P-256 certificate 1205 Certificate: [][]byte{testP256Certificate}, 1206 PrivateKey: testP256PrivateKey, 1207 } 1208 ed25519Cert := &Certificate{ 1209 Certificate: [][]byte{testEd25519Certificate}, 1210 PrivateKey: testEd25519PrivateKey, 1211 } 1212 1213 tests := []struct { 1214 c *Certificate 1215 chi *ClientHelloInfo 1216 wantErr string 1217 }{ 1218 {rsaCert, &ClientHelloInfo{ 1219 ServerName: "example.golang", 1220 SignatureSchemes: []SignatureScheme{PSSWithSHA256}, 1221 SupportedVersions: []uint16{VersionTLS13}, 1222 }, ""}, 1223 {ecdsaCert, &ClientHelloInfo{ 1224 SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256}, 1225 SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, 1226 }, ""}, 1227 {rsaCert, &ClientHelloInfo{ 1228 ServerName: "example.com", 1229 SignatureSchemes: []SignatureScheme{PSSWithSHA256}, 1230 SupportedVersions: []uint16{VersionTLS13}, 1231 }, "not valid for requested server name"}, 1232 {ecdsaCert, &ClientHelloInfo{ 1233 SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384}, 1234 SupportedVersions: []uint16{VersionTLS13}, 1235 }, "signature algorithms"}, 1236 {pkcs1Cert, &ClientHelloInfo{ 1237 SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256}, 1238 SupportedVersions: []uint16{VersionTLS13}, 1239 }, "signature algorithms"}, 1240 1241 {rsaCert, &ClientHelloInfo{ 1242 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1243 SignatureSchemes: []SignatureScheme{PKCS1WithSHA1}, 1244 SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, 1245 }, "signature algorithms"}, 1246 {rsaCert, &ClientHelloInfo{ 1247 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1248 SignatureSchemes: []SignatureScheme{PKCS1WithSHA1}, 1249 SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, 1250 config: &Config{ 1251 MaxVersion: VersionTLS12, 1252 }, 1253 }, ""}, // Check that mutual version selection works. 1254 1255 {ecdsaCert, &ClientHelloInfo{ 1256 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1257 SupportedCurves: []CurveID{CurveP256}, 1258 SupportedPoints: []uint8{pointFormatUncompressed}, 1259 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, 1260 SupportedVersions: []uint16{VersionTLS12}, 1261 }, ""}, 1262 {ecdsaCert, &ClientHelloInfo{ 1263 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1264 SupportedCurves: []CurveID{CurveP256}, 1265 SupportedPoints: []uint8{pointFormatUncompressed}, 1266 SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384}, 1267 SupportedVersions: []uint16{VersionTLS12}, 1268 }, ""}, // TLS 1.2 does not restrict curves based on the SignatureScheme. 1269 {ecdsaCert, &ClientHelloInfo{ 1270 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1271 SupportedCurves: []CurveID{CurveP256}, 1272 SupportedPoints: []uint8{pointFormatUncompressed}, 1273 SignatureSchemes: nil, 1274 SupportedVersions: []uint16{VersionTLS12}, 1275 }, ""}, // TLS 1.2 comes with default signature schemes. 1276 {ecdsaCert, &ClientHelloInfo{ 1277 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1278 SupportedCurves: []CurveID{CurveP256}, 1279 SupportedPoints: []uint8{pointFormatUncompressed}, 1280 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, 1281 SupportedVersions: []uint16{VersionTLS12}, 1282 }, "cipher suite"}, 1283 {ecdsaCert, &ClientHelloInfo{ 1284 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1285 SupportedCurves: []CurveID{CurveP256}, 1286 SupportedPoints: []uint8{pointFormatUncompressed}, 1287 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, 1288 SupportedVersions: []uint16{VersionTLS12}, 1289 config: &Config{ 1290 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1291 }, 1292 }, "cipher suite"}, 1293 {ecdsaCert, &ClientHelloInfo{ 1294 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1295 SupportedCurves: []CurveID{CurveP384}, 1296 SupportedPoints: []uint8{pointFormatUncompressed}, 1297 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, 1298 SupportedVersions: []uint16{VersionTLS12}, 1299 }, "certificate curve"}, 1300 {ecdsaCert, &ClientHelloInfo{ 1301 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1302 SupportedCurves: []CurveID{CurveP256}, 1303 SupportedPoints: []uint8{1}, 1304 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, 1305 SupportedVersions: []uint16{VersionTLS12}, 1306 }, "doesn't support ECDHE"}, 1307 {ecdsaCert, &ClientHelloInfo{ 1308 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1309 SupportedCurves: []CurveID{CurveP256}, 1310 SupportedPoints: []uint8{pointFormatUncompressed}, 1311 SignatureSchemes: []SignatureScheme{PSSWithSHA256}, 1312 SupportedVersions: []uint16{VersionTLS12}, 1313 }, "signature algorithms"}, 1314 1315 {ed25519Cert, &ClientHelloInfo{ 1316 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1317 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support 1318 SupportedPoints: []uint8{pointFormatUncompressed}, 1319 SignatureSchemes: []SignatureScheme{Ed25519}, 1320 SupportedVersions: []uint16{VersionTLS12}, 1321 }, ""}, 1322 {ed25519Cert, &ClientHelloInfo{ 1323 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1324 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support 1325 SupportedPoints: []uint8{pointFormatUncompressed}, 1326 SignatureSchemes: []SignatureScheme{Ed25519}, 1327 SupportedVersions: []uint16{VersionTLS10}, 1328 }, "doesn't support Ed25519"}, 1329 {ed25519Cert, &ClientHelloInfo{ 1330 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, 1331 SupportedCurves: []CurveID{}, 1332 SupportedPoints: []uint8{pointFormatUncompressed}, 1333 SignatureSchemes: []SignatureScheme{Ed25519}, 1334 SupportedVersions: []uint16{VersionTLS12}, 1335 }, "doesn't support ECDHE"}, 1336 1337 {rsaCert, &ClientHelloInfo{ 1338 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, 1339 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support 1340 SupportedPoints: []uint8{pointFormatUncompressed}, 1341 SupportedVersions: []uint16{VersionTLS10}, 1342 }, ""}, 1343 {rsaCert, &ClientHelloInfo{ 1344 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1345 SupportedVersions: []uint16{VersionTLS12}, 1346 }, ""}, // static RSA fallback 1347 } 1348 for i, tt := range tests { 1349 err := tt.chi.SupportsCertificate(tt.c) 1350 switch { 1351 case tt.wantErr == "" && err != nil: 1352 t.Errorf("%d: unexpected error: %v", i, err) 1353 case tt.wantErr != "" && err == nil: 1354 t.Errorf("%d: unexpected success", i) 1355 case tt.wantErr != "" && !strings.Contains(err.Error(), tt.wantErr): 1356 t.Errorf("%d: got error %q, expected %q", i, err, tt.wantErr) 1357 } 1358 } 1359 } 1360 1361 func TestCipherSuites(t *testing.T) { 1362 var lastID uint16 1363 for _, c := range CipherSuites() { 1364 if lastID > c.ID { 1365 t.Errorf("CipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID) 1366 } else { 1367 lastID = c.ID 1368 } 1369 1370 if c.Insecure { 1371 t.Errorf("%#04x: Insecure CipherSuite returned by CipherSuites()", c.ID) 1372 } 1373 } 1374 lastID = 0 1375 for _, c := range InsecureCipherSuites() { 1376 if lastID > c.ID { 1377 t.Errorf("InsecureCipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID) 1378 } else { 1379 lastID = c.ID 1380 } 1381 1382 if !c.Insecure { 1383 t.Errorf("%#04x: not Insecure CipherSuite returned by InsecureCipherSuites()", c.ID) 1384 } 1385 } 1386 1387 CipherSuiteByID := func(id uint16) *CipherSuite { 1388 for _, c := range CipherSuites() { 1389 if c.ID == id { 1390 return c 1391 } 1392 } 1393 for _, c := range InsecureCipherSuites() { 1394 if c.ID == id { 1395 return c 1396 } 1397 } 1398 return nil 1399 } 1400 1401 for _, c := range cipherSuites { 1402 cc := CipherSuiteByID(c.id) 1403 if cc == nil { 1404 t.Errorf("%#04x: no CipherSuite entry", c.id) 1405 continue 1406 } 1407 1408 if tls12Only := c.flags&suiteTLS12 != 0; tls12Only && len(cc.SupportedVersions) != 1 { 1409 t.Errorf("%#04x: suite is TLS 1.2 only, but SupportedVersions is %v", c.id, cc.SupportedVersions) 1410 } else if !tls12Only && len(cc.SupportedVersions) != 3 { 1411 t.Errorf("%#04x: suite TLS 1.0-1.2, but SupportedVersions is %v", c.id, cc.SupportedVersions) 1412 } 1413 1414 if got := CipherSuiteName(c.id); got != cc.Name { 1415 t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name) 1416 } 1417 } 1418 for _, c := range cipherSuitesTLS13 { 1419 cc := CipherSuiteByID(c.id) 1420 if cc == nil { 1421 t.Errorf("%#04x: no CipherSuite entry", c.id) 1422 continue 1423 } 1424 1425 if cc.Insecure { 1426 t.Errorf("%#04x: Insecure %v, expected false", c.id, cc.Insecure) 1427 } 1428 if len(cc.SupportedVersions) != 1 || cc.SupportedVersions[0] != VersionTLS13 { 1429 t.Errorf("%#04x: suite is TLS 1.3 only, but SupportedVersions is %v", c.id, cc.SupportedVersions) 1430 } 1431 1432 if got := CipherSuiteName(c.id); got != cc.Name { 1433 t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name) 1434 } 1435 } 1436 1437 if got := CipherSuiteName(0xabc); got != "0x0ABC" { 1438 t.Errorf("unexpected fallback CipherSuiteName: got %q, expected 0x0ABC", got) 1439 } 1440 1441 if len(cipherSuitesPreferenceOrder) != len(cipherSuites) { 1442 t.Errorf("cipherSuitesPreferenceOrder is not the same size as cipherSuites") 1443 } 1444 if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) { 1445 t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder") 1446 } 1447 1448 // Check that disabled suites are at the end of the preference lists, and 1449 // that they are marked insecure. 1450 for i, id := range disabledCipherSuites { 1451 offset := len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites) 1452 if cipherSuitesPreferenceOrder[offset+i] != id { 1453 t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrder", i) 1454 } 1455 if cipherSuitesPreferenceOrderNoAES[offset+i] != id { 1456 t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrderNoAES", i) 1457 } 1458 c := CipherSuiteByID(id) 1459 if c == nil { 1460 t.Errorf("%#04x: no CipherSuite entry", id) 1461 continue 1462 } 1463 if !c.Insecure { 1464 t.Errorf("%#04x: disabled by default but not marked insecure", id) 1465 } 1466 } 1467 1468 for i, prefOrder := range [][]uint16{cipherSuitesPreferenceOrder, cipherSuitesPreferenceOrderNoAES} { 1469 // Check that insecure and HTTP/2 bad cipher suites are at the end of 1470 // the preference lists. 1471 var sawInsecure, sawBad bool 1472 for _, id := range prefOrder { 1473 c := CipherSuiteByID(id) 1474 if c == nil { 1475 t.Errorf("%#04x: no CipherSuite entry", id) 1476 continue 1477 } 1478 1479 if c.Insecure { 1480 sawInsecure = true 1481 } else if sawInsecure { 1482 t.Errorf("%#04x: secure suite after insecure one(s)", id) 1483 } 1484 1485 if http2isBadCipher(id) { 1486 sawBad = true 1487 } else if sawBad { 1488 t.Errorf("%#04x: non-bad suite after bad HTTP/2 one(s)", id) 1489 } 1490 } 1491 1492 // Check that the list is sorted according to the documented criteria. 1493 isBetter := func(a, b int) bool { 1494 aSuite, bSuite := cipherSuiteByID(prefOrder[a]), cipherSuiteByID(prefOrder[b]) 1495 aName, bName := CipherSuiteName(prefOrder[a]), CipherSuiteName(prefOrder[b]) 1496 // * < RC4 1497 if !strings.Contains(aName, "RC4") && strings.Contains(bName, "RC4") { 1498 return true 1499 } else if strings.Contains(aName, "RC4") && !strings.Contains(bName, "RC4") { 1500 return false 1501 } 1502 // * < CBC_SHA256 1503 if !strings.Contains(aName, "CBC_SHA256") && strings.Contains(bName, "CBC_SHA256") { 1504 return true 1505 } else if strings.Contains(aName, "CBC_SHA256") && !strings.Contains(bName, "CBC_SHA256") { 1506 return false 1507 } 1508 // * < 3DES 1509 if !strings.Contains(aName, "3DES") && strings.Contains(bName, "3DES") { 1510 return true 1511 } else if strings.Contains(aName, "3DES") && !strings.Contains(bName, "3DES") { 1512 return false 1513 } 1514 // ECDHE < * 1515 if aSuite.flags&suiteECDHE != 0 && bSuite.flags&suiteECDHE == 0 { 1516 return true 1517 } else if aSuite.flags&suiteECDHE == 0 && bSuite.flags&suiteECDHE != 0 { 1518 return false 1519 } 1520 // AEAD < CBC 1521 if aSuite.aead != nil && bSuite.aead == nil { 1522 return true 1523 } else if aSuite.aead == nil && bSuite.aead != nil { 1524 return false 1525 } 1526 // AES < ChaCha20 1527 if strings.Contains(aName, "AES") && strings.Contains(bName, "CHACHA20") { 1528 return i == 0 // true for cipherSuitesPreferenceOrder 1529 } else if strings.Contains(aName, "CHACHA20") && strings.Contains(bName, "AES") { 1530 return i != 0 // true for cipherSuitesPreferenceOrderNoAES 1531 } 1532 // AES-128 < AES-256 1533 if strings.Contains(aName, "AES_128") && strings.Contains(bName, "AES_256") { 1534 return true 1535 } else if strings.Contains(aName, "AES_256") && strings.Contains(bName, "AES_128") { 1536 return false 1537 } 1538 // ECDSA < RSA 1539 if aSuite.flags&suiteECSign != 0 && bSuite.flags&suiteECSign == 0 { 1540 return true 1541 } else if aSuite.flags&suiteECSign == 0 && bSuite.flags&suiteECSign != 0 { 1542 return false 1543 } 1544 t.Fatalf("two ciphersuites are equal by all criteria: %v and %v", aName, bName) 1545 panic("unreachable") 1546 } 1547 if !sort.SliceIsSorted(prefOrder, isBetter) { 1548 t.Error("preference order is not sorted according to the rules") 1549 } 1550 } 1551 } 1552 1553 // http2isBadCipher is copied from net/http. 1554 // TODO: if it ends up exposed somewhere, use that instead. 1555 func http2isBadCipher(cipher uint16) bool { 1556 switch cipher { 1557 case TLS_RSA_WITH_RC4_128_SHA, 1558 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 1559 TLS_RSA_WITH_AES_128_CBC_SHA, 1560 TLS_RSA_WITH_AES_256_CBC_SHA, 1561 TLS_RSA_WITH_AES_128_CBC_SHA256, 1562 TLS_RSA_WITH_AES_128_GCM_SHA256, 1563 TLS_RSA_WITH_AES_256_GCM_SHA384, 1564 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 1565 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1566 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1567 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 1568 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 1569 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1570 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1571 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 1572 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 1573 return true 1574 default: 1575 return false 1576 } 1577 } 1578 1579 type brokenSigner struct{ crypto.Signer } 1580 1581 func (s brokenSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { 1582 // Replace opts with opts.HashFunc(), so rsa.PSSOptions are discarded. 1583 return s.Signer.Sign(rand, digest, opts.HashFunc()) 1584 } 1585 1586 // TestPKCS1OnlyCert uses a client certificate with a broken crypto.Signer that 1587 // always makes PKCS #1 v1.5 signatures, so can't be used with RSA-PSS. 1588 func TestPKCS1OnlyCert(t *testing.T) { 1589 clientConfig := testConfig.Clone() 1590 clientConfig.Certificates = []Certificate{{ 1591 Certificate: [][]byte{testRSACertificate}, 1592 PrivateKey: brokenSigner{testRSAPrivateKey}, 1593 }} 1594 serverConfig := testConfig.Clone() 1595 serverConfig.MaxVersion = VersionTLS12 // TLS 1.3 doesn't support PKCS #1 v1.5 1596 serverConfig.ClientAuth = RequireAnyClientCert 1597 1598 // If RSA-PSS is selected, the handshake should fail. 1599 if _, _, err := testHandshake(t, clientConfig, serverConfig); err == nil { 1600 t.Fatal("expected broken certificate to cause connection to fail") 1601 } 1602 1603 clientConfig.Certificates[0].SupportedSignatureAlgorithms = 1604 []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256} 1605 1606 // But if the certificate restricts supported algorithms, RSA-PSS should not 1607 // be selected, and the handshake should succeed. 1608 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { 1609 t.Error(err) 1610 } 1611 }