github.com/huandu/go@v0.0.0-20151114150818-04e615e41150/src/crypto/tls/tls_test.go (about) 1 // Copyright 2012 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "fmt" 10 "internal/testenv" 11 "io" 12 "net" 13 "strings" 14 "testing" 15 "time" 16 ) 17 18 var rsaCertPEM = `-----BEGIN CERTIFICATE----- 19 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV 20 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 21 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF 22 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 23 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ 24 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa 25 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv 26 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF 27 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW 28 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V 29 -----END CERTIFICATE----- 30 ` 31 32 var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY----- 33 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo 34 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G 35 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N 36 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW 37 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T 38 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi 39 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== 40 -----END RSA PRIVATE KEY----- 41 ` 42 43 // keyPEM is the same as rsaKeyPEM, but declares itself as just 44 // "PRIVATE KEY", not "RSA PRIVATE KEY". 
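// https://golang.org/issue/4477
//
// NOTE(review): every PEM blob in this file is a throwaway test fixture.
// Decoding the visible DER shows self-signed, SHA-1-signed certificates
// whose validity ended in 2015 and an RSA key of only 512 bits. They
// exist solely to exercise the PEM/DER parsing paths of X509KeyPair and
// must never be copied into a deployment.
var keyPEM = `-----BEGIN PRIVATE KEY-----
MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
-----END PRIVATE KEY-----
`

// ecdsaCertPEM is a self-signed P-521 test certificate (expired 2015).
var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
+jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
-----END CERTIFICATE-----
`

// ecdsaKeyPEM is the matching P-521 private key. The leading
// "EC PARAMETERS" block (as emitted by openssl ecparam -genkey) is not a
// key; X509KeyPair has to skip past it to find the "EC PRIVATE KEY" block.
var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
-----END EC PRIVATE KEY-----
`

// keyPairTests lists certificate/key fixture pairs that X509KeyPair must
// accept. algo is only used to label failures.
var keyPairTests = []struct {
	algo string
	cert string
	key  string
}{
	{"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
	{"RSA", rsaCertPEM, rsaKeyPEM},
	{"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
}

// TestX509KeyPair checks that X509KeyPair accepts each fixture pair in
// keyPairTests regardless of whether the certificate or the key comes
// first in the PEM input. The same concatenated blob is passed as both
// the certificate and the key argument, so the parser has to locate the
// right block type inside each.
func TestX509KeyPair(t *testing.T) {
	for _, test := range keyPairTests {
		certFirst := []byte(test.cert + test.key)
		if _, err := X509KeyPair(certFirst, certFirst); err != nil {
			t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
		}
		keyFirst := []byte(test.key + test.cert)
		if _, err := X509KeyPair(keyFirst, keyFirst); err != nil {
			t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
		}
	}
}

// TestX509MixedKeyPair checks that a certificate paired with a private key
// of a different algorithm is rejected at load time. Failing here, rather
// than later during a handshake, is what keeps a misconfigured server from
// ever starting with a certificate it cannot actually prove possession of.
func TestX509MixedKeyPair(t *testing.T) {
	if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
		t.Error("Load of RSA certificate succeeded with ECDSA private key")
	}
	if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
		t.Error("Load of ECDSA certificate succeeded with RSA private key")
	}
}

// newLocalListener returns a TCP listener bound to an ephemeral port on the
// IPv4 loopback address, falling back to the IPv6 loopback address on hosts
// without IPv4. Any failure is fatal to the calling test.
func newLocalListener(t *testing.T) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		// IPv6-only host: try the loopback address there instead.
		ln, err = net.Listen("tcp6", "[::1]:0")
	}
	if err != nil {
		t.Fatal(err)
	}
	return ln
}

// TestDialTimeout checks that DialWithDialer honours the dialer's Timeout
// while the TLS handshake is stalled (the TCP connection itself succeeds,
// but the peer never sends a ServerHello), and that the resulting error is
// recognisable as a timeout both programmatically and by its message.
func TestDialTimeout(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping in short mode")
	}
	listener := newLocalListener(t)

	addr := listener.Addr().String()
	defer listener.Close()

	// The accepting side deliberately never speaks TLS, so the client's
	// handshake can only end by timing out. `complete` is closed on return
	// (before the listener, since defers run LIFO) to release the goroutine.
	complete := make(chan bool)
	defer close(complete)

	go func() {
		conn, err := listener.Accept()
		if err != nil {
			t.Error(err)
			return
		}
		<-complete
		conn.Close()
	}()

	dialer := &net.Dialer{
		Timeout: 10 * time.Millisecond,
	}

	var err error
	if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {
		t.Fatal("DialWithDialer completed successfully")
	}

	// Callers distinguish timeouts through the net.Error interface rather
	// than by parsing the message, so the error must report Timeout()...
	if ne, ok := err.(net.Error); !ok || !ne.Timeout() {
		t.Errorf("resulting error does not report Timeout(): %v", err)
	}
	// ...and the human-readable message should still say so.
	if !strings.Contains(err.Error(), "timed out") {
		t.Errorf("resulting error not a timeout: %s", err)
	}
}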
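
// TestConnReadNonzeroAndEOF checks that Conn.Read returns (non-zero, io.EOF)
// instead of (non-zero, nil) when a close_notify alert is sitting right
// behind the application data in the buffer.
func TestConnReadNonzeroAndEOF(t *testing.T) {
	// This test is racy: it assumes that after a write to a
	// localhost TCP connection, the peer TCP connection can
	// immediately read it. Because it's racy, we skip this test
	// in short mode, and then retry it several times with an
	// increasing sleep in between our final write (via srv.Close
	// below) and the following read.
	if testing.Short() {
		t.Skip("skipping in short mode")
	}
	var err error
	for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
		if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
			return
		}
	}
	t.Error(err)
}

// testConnReadNonzeroAndEOF runs one attempt of TestConnReadNonzeroAndEOF,
// sleeping for delay between the server's Close and the client's final Read
// so the close_notify alert has a chance to land behind the data. A failed
// attempt is returned as an error so the caller can retry with a longer
// delay; only setup failures on the test goroutine are fatal.
func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
	ln := newLocalListener(t)
	defer ln.Close()

	// The server goroutine hands back either the handshaken connection or
	// the error that prevented it. It never touches t itself: Fatal from a
	// non-test goroutine is not allowed, and logging after the test has
	// returned panics. The buffer lets it finish even if the client bailed.
	type serverResult struct {
		conn *Conn
		err  error
	}
	srvCh := make(chan serverResult, 1)
	go func() {
		sconn, err := ln.Accept()
		if err != nil {
			srvCh <- serverResult{err: err}
			return
		}
		serverConfig := *testConfig
		srv := Server(sconn, &serverConfig)
		if err := srv.Handshake(); err != nil {
			sconn.Close()
			srvCh <- serverResult{err: fmt.Errorf("handshake: %v", err)}
			return
		}
		srvCh <- serverResult{conn: srv}
	}()

	clientConfig := *testConfig
	conn, err := Dial("tcp", ln.Addr().String(), &clientConfig)
	if err != nil {
		t.Fatal(err)
	}
	defer conn.Close()

	res := <-srvCh
	if res.err != nil {
		return res.err
	}
	srv := res.conn

	buf := make([]byte, 6)

	// First record: plain application data with nothing queued behind it,
	// so Read must report the data with a nil error.
	if _, err := srv.Write([]byte("foobar")); err != nil {
		return fmt.Errorf("first server Write: %v", err)
	}
	n, err := conn.Read(buf)
	if n != 6 || err != nil || string(buf) != "foobar" {
		return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
	}

	// Second record immediately followed by the close_notify that Close
	// sends. The data must still be delivered, together with io.EOF.
	if _, err := srv.Write([]byte("abcdef")); err != nil {
		return fmt.Errorf("second server Write: %v", err)
	}
	srv.Close()
	time.Sleep(delay)
	n, err = conn.Read(buf)
	if n != 6 || string(buf) != "abcdef" {
		return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
	}
	if err != io.EOF {
		return fmt.Errorf("Second Read error = %v; want io.EOF", err)
	}
	return nil
}

// TestTLSUniqueMatches checks that the tls-unique channel binding exposed
// through ConnectionState agrees between client and server, both on a full
// handshake and on a resumed one.
//
// NOTE(review): tls-unique derived from a resumed session is only a sound
// channel binding when both peers also negotiate the extended master
// secret (RFC 7627); this test does not establish whether that is the
// case here, so confirm against the handshake code before relying on it.
func TestTLSUniqueMatches(t *testing.T) {
	ln := newLocalListener(t)
	defer ln.Close()

	// The server goroutine reports the tls-unique value of each accepted
	// connection, or the error that stopped it. It must not call t.Fatal:
	// that is only legal on the test goroutine. The buffer covers both
	// connections so the goroutine never blocks if the client bails early.
	type serverResult struct {
		unique []byte
		err    error
	}
	serverResults := make(chan serverResult, 2)
	go func() {
		for i := 0; i < 2; i++ {
			sconn, err := ln.Accept()
			if err != nil {
				serverResults <- serverResult{err: err}
				return
			}
			serverConfig := *testConfig
			srv := Server(sconn, &serverConfig)
			if err := srv.Handshake(); err != nil {
				sconn.Close()
				serverResults <- serverResult{err: fmt.Errorf("server handshake: %v", err)}
				return
			}
			serverResults <- serverResult{unique: srv.ConnectionState().TLSUnique}
		}
	}()

	// serverUnique collects the next server-side value, failing the test on
	// the test goroutine if the server side reported an error.
	serverUnique := func() []byte {
		res := <-serverResults
		if res.err != nil {
			t.Fatal(res.err)
		}
		return res.unique
	}

	clientConfig := *testConfig
	clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
	conn, err := Dial("tcp", ln.Addr().String(), &clientConfig)
	if err != nil {
		t.Fatal(err)
	}
	if conn.ConnectionState().DidResume {
		t.Error("first session unexpectedly used resumption")
	}
	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverUnique()) {
		t.Error("client and server channel bindings differ")
	}
	conn.Close()

	// The cache now holds the first session, so this dial must resume it.
	conn, err = Dial("tcp", ln.Addr().String(), &clientConfig)
	if err != nil {
		t.Fatal(err)
	}
	defer conn.Close()
	if !conn.ConnectionState().DidResume {
		t.Error("second session did not use resumption")
	}
	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverUnique()) {
		t.Error("client and server channel bindings differ when session resumption is used")
	}
}

// TestVerifyHostname checks VerifyHostname against a live server: it must
// accept the name the certificate was issued for, reject an unrelated one,
// and -- when InsecureSkipVerify disabled certificate verification -- refuse
// every name, because no chain was ever verified.
func TestVerifyHostname(t *testing.T) {
	testenv.MustHaveExternalNetwork(t)

	c, err := Dial("tcp", "www.google.com:https", nil)
	if err != nil {
		t.Fatal(err)
	}
	defer c.Close()
	if err := c.VerifyHostname("www.google.com"); err != nil {
		t.Fatalf("verify www.google.com: %v", err)
	}
	if err := c.VerifyHostname("www.yahoo.com"); err == nil {
		t.Fatalf("verify www.yahoo.com succeeded")
	}

	// With verification skipped there are no verified chains, so a hostname
	// "match" would be meaningless. VerifyHostname must fail here so a
	// caller cannot mistake an unauthenticated connection for a checked one.
	insecure, err := Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
	if err != nil {
		t.Fatal(err)
	}
	defer insecure.Close()
	if err := insecure.VerifyHostname("www.google.com"); err == nil {
		t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
	}
	if err := insecure.VerifyHostname("www.yahoo.com"); err == nil {
		t.Fatalf("verify www.yahoo.com succeeded with InsecureSkipVerify=true")
	}
}

// TestVerifyHostnameResumed checks that a resumed session still carries the
// verified chains from the original full handshake. An abbreviated TLS
// handshake does not re-send the certificate, so unless that state is kept
// with the cached session, cs.VerifiedChains would be empty and
// VerifyHostname would have nothing to check against.
func TestVerifyHostnameResumed(t *testing.T) {
	testenv.MustHaveExternalNetwork(t)

	config := &Config{
		ClientSessionCache: NewLRUClientSessionCache(32),
	}
	for i := 0; i < 2; i++ {
		c, err := Dial("tcp", "www.google.com:https", config)
		if err != nil {
			t.Fatalf("Dial #%d: %v", i, err)
		}
		cs := c.ConnectionState()
		// Only the second connection can resume; the first fills the cache.
		if i > 0 && !cs.DidResume {
			t.Fatalf("Subsequent connection unexpectedly didn't resume")
		}
		if cs.VerifiedChains == nil {
			t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i)
		}
		if err := c.VerifyHostname("www.google.com"); err != nil {
			t.Fatalf("verify www.google.com #%d: %v", i, err)
		}
		c.Close()
	}
}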