github.com/d4l3k/go@v0.0.0-20151015000803-65fc379daeda/src/crypto/tls/tls_test.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "fmt" 10 "internal/testenv" 11 "io" 12 "net" 13 "strings" 14 "testing" 15 "time" 16 ) 17 18 var rsaCertPEM = `-----BEGIN CERTIFICATE----- 19 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 20 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 21 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF 22 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 23 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ 24 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa 25 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv 26 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF 27 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW 28 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V 29 -----END CERTIFICATE----- 30 ` 31 32 var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY----- 33 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo 34 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G 35 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N 36 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW 37 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T 38 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi 39 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== 40 -----END RSA PRIVATE KEY----- 41 ` 42 43 // keyPEM is the same as rsaKeyPEM, but declares itself as just 44 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477 45 var keyPEM = `-----BEGIN PRIVATE KEY----- 46 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo 47 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G 48 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N 49 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW 50 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T 51 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi 52 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== 53 -----END PRIVATE KEY----- 54 ` 55 56 var ecdsaCertPEM = `-----BEGIN CERTIFICATE----- 57 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw 58 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 59 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG 60 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk 61 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR 62 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl 63 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8 64 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo 65 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb 66 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1 67 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA== 68 -----END CERTIFICATE----- 69 ` 70 71 var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS----- 72 BgUrgQQAIw== 73 -----END EC PARAMETERS----- 74 -----BEGIN EC PRIVATE KEY----- 75 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0 76 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL 77 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz 78 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q 79 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ== 80 -----END EC PRIVATE KEY----- 81 ` 82 83 var keyPairTests = []struct { 84 algo string 85 cert string 86 key string 87 }{ 88 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM}, 89 {"RSA", rsaCertPEM, rsaKeyPEM}, 90 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477 91 } 92 93 func TestX509KeyPair(t *testing.T) { 94 var pem []byte 95 for _, test := range keyPairTests { 96 pem = []byte(test.cert + test.key) 97 if _, err := X509KeyPair(pem, pem); err != nil { 98 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err) 99 } 100 pem = []byte(test.key + test.cert) 101 if _, err := X509KeyPair(pem, pem); err != nil { 102 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err) 103 } 104 } 105 } 106 107 func TestX509KeyPairErrors(t *testing.T) { 108 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM)) 109 if err == nil { 110 t.Fatalf("X509KeyPair didn't return an error when arguments were switched") 111 } 112 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) { 113 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err) 114 } 115 116 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM)) 117 if err == nil { 118 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates") 119 } 120 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) { 121 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err) 122 } 123 124 const nonsensePEM = ` 125 -----BEGIN NONSENSE----- 126 Zm9vZm9vZm9v 127 -----END NONSENSE----- 128 ` 129 130 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM)) 131 if err == nil { 132 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense") 133 } 134 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) { 135 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err) 136 } 137 } 138 139 func TestX509MixedKeyPair(t *testing.T) { 140 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil { 141 t.Error("Load of RSA certificate succeeded with ECDSA private key") 142 } 143 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil { 144 t.Error("Load of ECDSA certificate succeeded with RSA private key") 145 } 146 } 147 148 func newLocalListener(t *testing.T) net.Listener { 149 ln, err := net.Listen("tcp", "127.0.0.1:0") 150 if err != nil { 151 ln, err = net.Listen("tcp6", "[::1]:0") 152 } 153 if err != nil { 154 t.Fatal(err) 155 } 156 return ln 157 } 158 159 func TestDialTimeout(t *testing.T) { 160 if testing.Short() { 161 t.Skip("skipping in short mode") 162 } 163 listener := newLocalListener(t) 164 165 addr := listener.Addr().String() 166 defer listener.Close() 167 168 complete := make(chan bool) 169 defer close(complete) 170 171 go func() { 172 conn, err := listener.Accept() 173 if err != nil { 174 t.Error(err) 175 return 176 } 177 <-complete 178 conn.Close() 179 }() 180 181 dialer := &net.Dialer{ 182 Timeout: 10 * time.Millisecond, 183 } 184 185 var err error 186 if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil { 187 t.Fatal("DialWithTimeout completed successfully") 188 } 189 190 if !strings.Contains(err.Error(), "timed out") { 191 t.Errorf("resulting error not a timeout: %s", err) 192 } 193 } 194 195 // tests that Conn.Read returns (non-zero, io.EOF) instead of 196 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right 197 // behind the application data in the buffer. 198 func TestConnReadNonzeroAndEOF(t *testing.T) { 199 // This test is racy: it assumes that after a write to a 200 // localhost TCP connection, the peer TCP connection can 201 // immediately read it. Because it's racy, we skip this test 202 // in short mode, and then retry it several times with an 203 // increasing sleep in between our final write (via srv.Close 204 // below) and the following read. 205 if testing.Short() { 206 t.Skip("skipping in short mode") 207 } 208 var err error 209 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 { 210 if err = testConnReadNonzeroAndEOF(t, delay); err == nil { 211 return 212 } 213 } 214 t.Error(err) 215 } 216 217 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error { 218 ln := newLocalListener(t) 219 defer ln.Close() 220 221 srvCh := make(chan *Conn, 1) 222 var serr error 223 go func() { 224 sconn, err := ln.Accept() 225 if err != nil { 226 serr = err 227 srvCh <- nil 228 return 229 } 230 serverConfig := *testConfig 231 srv := Server(sconn, &serverConfig) 232 if err := srv.Handshake(); err != nil { 233 serr = fmt.Errorf("handshake: %v", err) 234 srvCh <- nil 235 return 236 } 237 srvCh <- srv 238 }() 239 240 clientConfig := *testConfig 241 conn, err := Dial("tcp", ln.Addr().String(), &clientConfig) 242 if err != nil { 243 t.Fatal(err) 244 } 245 defer conn.Close() 246 247 srv := <-srvCh 248 if srv == nil { 249 return serr 250 } 251 252 buf := make([]byte, 6) 253 254 srv.Write([]byte("foobar")) 255 n, err := conn.Read(buf) 256 if n != 6 || err != nil || string(buf) != "foobar" { 257 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf) 258 } 259 260 srv.Write([]byte("abcdef")) 261 srv.Close() 262 time.Sleep(delay) 263 n, err = conn.Read(buf) 264 if n != 6 || string(buf) != "abcdef" { 265 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf) 266 } 267 if err != io.EOF { 268 return fmt.Errorf("Second Read error = %v; want io.EOF", err) 269 } 270 return nil 271 } 272 273 func TestTLSUniqueMatches(t *testing.T) { 274 ln := newLocalListener(t) 275 defer ln.Close() 276 277 serverTLSUniques := make(chan []byte) 278 go func() { 279 for i := 0; i < 2; i++ { 280 sconn, err := ln.Accept() 281 if err != nil { 282 t.Fatal(err) 283 } 284 serverConfig := *testConfig 285 srv := Server(sconn, &serverConfig) 286 if err := srv.Handshake(); err != nil { 287 t.Fatal(err) 288 } 289 serverTLSUniques <- srv.ConnectionState().TLSUnique 290 } 291 }() 292 293 clientConfig := *testConfig 294 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) 295 conn, err := Dial("tcp", ln.Addr().String(), &clientConfig) 296 if err != nil { 297 t.Fatal(err) 298 } 299 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) { 300 t.Error("client and server channel bindings differ") 301 } 302 conn.Close() 303 304 conn, err = Dial("tcp", ln.Addr().String(), &clientConfig) 305 if err != nil { 306 t.Fatal(err) 307 } 308 defer conn.Close() 309 if !conn.ConnectionState().DidResume { 310 t.Error("second session did not use resumption") 311 } 312 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) { 313 t.Error("client and server channel bindings differ when session resumption is used") 314 } 315 } 316 317 func TestVerifyHostname(t *testing.T) { 318 testenv.MustHaveExternalNetwork(t) 319 320 c, err := Dial("tcp", "www.google.com:https", nil) 321 if err != nil { 322 t.Fatal(err) 323 } 324 if err := c.VerifyHostname("www.google.com"); err != nil { 325 t.Fatalf("verify www.google.com: %v", err) 326 } 327 if err := c.VerifyHostname("www.yahoo.com"); err == nil { 328 t.Fatalf("verify www.yahoo.com succeeded") 329 } 330 331 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true}) 332 if err != nil { 333 t.Fatal(err) 334 } 335 if err := c.VerifyHostname("www.google.com"); err == nil { 336 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true") 337 } 338 if err := c.VerifyHostname("www.yahoo.com"); err == nil { 339 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true") 340 } 341 } 342 343 func TestVerifyHostnameResumed(t *testing.T) { 344 testenv.MustHaveExternalNetwork(t) 345 346 config := &Config{ 347 ClientSessionCache: NewLRUClientSessionCache(32), 348 } 349 for i := 0; i < 2; i++ { 350 c, err := Dial("tcp", "www.google.com:https", config) 351 if err != nil { 352 t.Fatalf("Dial #%d: %v", i, err) 353 } 354 cs := c.ConnectionState() 355 if i > 0 && !cs.DidResume { 356 t.Fatalf("Subsequent connection unexpectedly didn't resume") 357 } 358 if cs.VerifiedChains == nil { 359 t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i) 360 } 361 if err := c.VerifyHostname("www.google.com"); err != nil { 362 t.Fatalf("verify www.google.com #%d: %v", i, err) 363 } 364 c.Close() 365 } 366 }