github.com/icodeface/tls@v0.0.0-20230910023335-34df9250cd12/handshake_server_test.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/rsa" 13 "crypto/x509" 14 "encoding/hex" 15 "encoding/pem" 16 "errors" 17 "fmt" 18 "io" 19 "io/ioutil" 20 "math/big" 21 "net" 22 "os" 23 "os/exec" 24 "path/filepath" 25 "strings" 26 "testing" 27 "time" 28 ) 29 30 // zeroSource is an io.Reader that returns an unlimited number of zero bytes. 31 type zeroSource struct{} 32 33 func (zeroSource) Read(b []byte) (n int, err error) { 34 for i := range b { 35 b[i] = 0 36 } 37 38 return len(b), nil 39 } 40 41 var testConfig *Config 42 43 func allCipherSuites() []uint16 { 44 ids := make([]uint16, len(cipherSuites)) 45 for i, suite := range cipherSuites { 46 ids[i] = suite.id 47 } 48 49 return ids 50 } 51 52 func init() { 53 testConfig = &Config{ 54 Time: func() time.Time { return time.Unix(0, 0) }, 55 Rand: zeroSource{}, 56 Certificates: make([]Certificate, 2), 57 InsecureSkipVerify: true, 58 MinVersion: VersionSSL30, 59 MaxVersion: VersionTLS13, 60 CipherSuites: allCipherSuites(), 61 } 62 testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} 63 testConfig.Certificates[0].PrivateKey = testRSAPrivateKey 64 testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate} 65 testConfig.Certificates[1].PrivateKey = testRSAPrivateKey 66 testConfig.BuildNameToCertificate() 67 if keyFile := os.Getenv("SSLKEYLOGFILE"); keyFile != "" { 68 f, err := os.OpenFile(keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) 69 if err != nil { 70 panic("failed to open SSLKEYLOGFILE: " + err.Error()) 71 } 72 testConfig.KeyLogWriter = f 73 } 74 } 75 76 func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) { 77 testClientHelloFailure(t, serverConfig, m, "") 78 } 79 80 func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) { 81 c, s := localPipe(t) 82 go func() { 83 cli := Client(c, testConfig) 84 if ch, ok := m.(*clientHelloMsg); ok { 85 cli.vers = ch.vers 86 } 87 cli.writeRecord(recordTypeHandshake, m.marshal()) 88 c.Close() 89 }() 90 conn := Server(s, serverConfig) 91 ch, err := conn.readClientHello() 92 hs := serverHandshakeState{ 93 c: conn, 94 clientHello: ch, 95 } 96 if err == nil { 97 err = hs.processClientHello() 98 } 99 if err == nil { 100 err = hs.pickCipherSuite() 101 } 102 s.Close() 103 if len(expectedSubStr) == 0 { 104 if err != nil && err != io.EOF { 105 t.Errorf("Got error: %s; expected to succeed", err) 106 } 107 } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) { 108 t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr) 109 } 110 } 111 112 func TestSimpleError(t *testing.T) { 113 testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message") 114 } 115 116 var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205} 117 118 func TestRejectBadProtocolVersion(t *testing.T) { 119 for _, v := range badProtocolVersions { 120 testClientHelloFailure(t, testConfig, &clientHelloMsg{ 121 vers: v, 122 random: make([]byte, 32), 123 }, "unsupported versions") 124 } 125 testClientHelloFailure(t, testConfig, &clientHelloMsg{ 126 vers: VersionTLS12, 127 supportedVersions: badProtocolVersions, 128 random: make([]byte, 32), 129 }, "unsupported versions") 130 } 131 132 func TestNoSuiteOverlap(t *testing.T) { 133 clientHello := &clientHelloMsg{ 134 vers: VersionTLS10, 135 random: make([]byte, 32), 136 cipherSuites: []uint16{0xff00}, 137 compressionMethods: []uint8{compressionNone}, 138 } 139 testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server") 140 } 141 142 func TestNoCompressionOverlap(t *testing.T) { 143 clientHello := &clientHelloMsg{ 144 vers: VersionTLS10, 145 random: make([]byte, 32), 146 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 147 compressionMethods: []uint8{0xff}, 148 } 149 testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections") 150 } 151 152 func TestNoRC4ByDefault(t *testing.T) { 153 clientHello := &clientHelloMsg{ 154 vers: VersionTLS10, 155 random: make([]byte, 32), 156 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 157 compressionMethods: []uint8{compressionNone}, 158 } 159 serverConfig := testConfig.Clone() 160 // Reset the enabled cipher suites to nil in order to test the 161 // defaults. 162 serverConfig.CipherSuites = nil 163 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") 164 } 165 166 func TestRejectSNIWithTrailingDot(t *testing.T) { 167 testClientHelloFailure(t, testConfig, &clientHelloMsg{ 168 vers: VersionTLS12, 169 random: make([]byte, 32), 170 serverName: "foo.com.", 171 }, "unexpected message") 172 } 173 174 func TestDontSelectECDSAWithRSAKey(t *testing.T) { 175 // Test that, even when both sides support an ECDSA cipher suite, it 176 // won't be selected if the server's private key doesn't support it. 177 clientHello := &clientHelloMsg{ 178 vers: VersionTLS10, 179 random: make([]byte, 32), 180 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, 181 compressionMethods: []uint8{compressionNone}, 182 supportedCurves: []CurveID{CurveP256}, 183 supportedPoints: []uint8{pointFormatUncompressed}, 184 } 185 serverConfig := testConfig.Clone() 186 serverConfig.CipherSuites = clientHello.cipherSuites 187 serverConfig.Certificates = make([]Certificate, 1) 188 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 189 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 190 serverConfig.BuildNameToCertificate() 191 // First test that it *does* work when the server's key is ECDSA. 192 testClientHello(t, serverConfig, clientHello) 193 194 // Now test that switching to an RSA key causes the expected error (and 195 // not an internal error about a signing failure). 196 serverConfig.Certificates = testConfig.Certificates 197 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") 198 } 199 200 func TestDontSelectRSAWithECDSAKey(t *testing.T) { 201 // Test that, even when both sides support an RSA cipher suite, it 202 // won't be selected if the server's private key doesn't support it. 203 clientHello := &clientHelloMsg{ 204 vers: VersionTLS10, 205 random: make([]byte, 32), 206 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, 207 compressionMethods: []uint8{compressionNone}, 208 supportedCurves: []CurveID{CurveP256}, 209 supportedPoints: []uint8{pointFormatUncompressed}, 210 } 211 serverConfig := testConfig.Clone() 212 serverConfig.CipherSuites = clientHello.cipherSuites 213 // First test that it *does* work when the server's key is RSA. 214 testClientHello(t, serverConfig, clientHello) 215 216 // Now test that switching to an ECDSA key causes the expected error 217 // (and not an internal error about a signing failure). 218 serverConfig.Certificates = make([]Certificate, 1) 219 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} 220 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey 221 serverConfig.BuildNameToCertificate() 222 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") 223 } 224 225 func TestRenegotiationExtension(t *testing.T) { 226 clientHello := &clientHelloMsg{ 227 vers: VersionTLS12, 228 compressionMethods: []uint8{compressionNone}, 229 random: make([]byte, 32), 230 secureRenegotiationSupported: true, 231 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 232 } 233 234 bufChan := make(chan []byte) 235 c, s := localPipe(t) 236 237 go func() { 238 cli := Client(c, testConfig) 239 cli.vers = clientHello.vers 240 cli.writeRecord(recordTypeHandshake, clientHello.marshal()) 241 242 buf := make([]byte, 1024) 243 n, err := c.Read(buf) 244 if err != nil { 245 t.Errorf("Server read returned error: %s", err) 246 return 247 } 248 c.Close() 249 bufChan <- buf[:n] 250 }() 251 252 Server(s, testConfig).Handshake() 253 buf := <-bufChan 254 255 if len(buf) < 5+4 { 256 t.Fatalf("Server returned short message of length %d", len(buf)) 257 } 258 // buf contains a TLS record, with a 5 byte record header and a 4 byte 259 // handshake header. The length of the ServerHello is taken from the 260 // handshake header. 261 serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8]) 262 263 var serverHello serverHelloMsg 264 // unmarshal expects to be given the handshake header, but 265 // serverHelloLen doesn't include it. 266 if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) { 267 t.Fatalf("Failed to parse ServerHello") 268 } 269 270 if !serverHello.secureRenegotiationSupported { 271 t.Errorf("Secure renegotiation extension was not echoed.") 272 } 273 } 274 275 func TestTLS12OnlyCipherSuites(t *testing.T) { 276 // Test that a Server doesn't select a TLS 1.2-only cipher suite when 277 // the client negotiates TLS 1.1. 278 clientHello := &clientHelloMsg{ 279 vers: VersionTLS11, 280 random: make([]byte, 32), 281 cipherSuites: []uint16{ 282 // The Server, by default, will use the client's 283 // preference order. So the GCM cipher suite 284 // will be selected unless it's excluded because 285 // of the version in this ClientHello. 286 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 287 TLS_RSA_WITH_RC4_128_SHA, 288 }, 289 compressionMethods: []uint8{compressionNone}, 290 supportedCurves: []CurveID{CurveP256, CurveP384, CurveP521}, 291 supportedPoints: []uint8{pointFormatUncompressed}, 292 } 293 294 c, s := localPipe(t) 295 replyChan := make(chan interface{}) 296 go func() { 297 cli := Client(c, testConfig) 298 cli.vers = clientHello.vers 299 cli.writeRecord(recordTypeHandshake, clientHello.marshal()) 300 reply, err := cli.readHandshake() 301 c.Close() 302 if err != nil { 303 replyChan <- err 304 } else { 305 replyChan <- reply 306 } 307 }() 308 config := testConfig.Clone() 309 config.CipherSuites = clientHello.cipherSuites 310 Server(s, config).Handshake() 311 s.Close() 312 reply := <-replyChan 313 if err, ok := reply.(error); ok { 314 t.Fatal(err) 315 } 316 serverHello, ok := reply.(*serverHelloMsg) 317 if !ok { 318 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply) 319 } 320 if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA { 321 t.Fatalf("bad cipher suite from server: %x", s) 322 } 323 } 324 325 func TestAlertForwarding(t *testing.T) { 326 c, s := localPipe(t) 327 go func() { 328 Client(c, testConfig).sendAlert(alertUnknownCA) 329 c.Close() 330 }() 331 332 err := Server(s, testConfig).Handshake() 333 s.Close() 334 if e, ok := err.(*net.OpError); !ok || e.Err != error(alertUnknownCA) { 335 t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA)) 336 } 337 } 338 339 func TestClose(t *testing.T) { 340 c, s := localPipe(t) 341 go c.Close() 342 343 err := Server(s, testConfig).Handshake() 344 s.Close() 345 if err != io.EOF { 346 t.Errorf("Got error: %s; expected: %s", err, io.EOF) 347 } 348 } 349 350 func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) { 351 c, s := localPipe(t) 352 errChan := make(chan error) 353 go func() { 354 cli := Client(c, clientConfig) 355 err := cli.Handshake() 356 if err != nil { 357 errChan <- fmt.Errorf("client: %v", err) 358 c.Close() 359 return 360 } 361 defer cli.Close() 362 clientState = cli.ConnectionState() 363 buf, err := ioutil.ReadAll(cli) 364 if err != nil { 365 t.Errorf("failed to call cli.Read: %v", err) 366 } 367 if got := string(buf); got != opensslSentinel { 368 t.Errorf("read %q from TLS connection, but expected %q", got, opensslSentinel) 369 } 370 errChan <- nil 371 }() 372 server := Server(s, serverConfig) 373 err = server.Handshake() 374 if err == nil { 375 serverState = server.ConnectionState() 376 if _, err := io.WriteString(server, opensslSentinel); err != nil { 377 t.Errorf("failed to call server.Write: %v", err) 378 } 379 if err := server.Close(); err != nil { 380 t.Errorf("failed to call server.Close: %v", err) 381 } 382 err = <-errChan 383 } else { 384 s.Close() 385 <-errChan 386 } 387 return 388 } 389 390 func TestVersion(t *testing.T) { 391 serverConfig := &Config{ 392 Certificates: testConfig.Certificates, 393 MaxVersion: VersionTLS11, 394 } 395 clientConfig := &Config{ 396 InsecureSkipVerify: true, 397 } 398 state, _, err := testHandshake(t, clientConfig, serverConfig) 399 if err != nil { 400 t.Fatalf("handshake failed: %s", err) 401 } 402 if state.Version != VersionTLS11 { 403 t.Fatalf("Incorrect version %x, should be %x", state.Version, VersionTLS11) 404 } 405 } 406 407 func TestCipherSuitePreference(t *testing.T) { 408 serverConfig := &Config{ 409 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, 410 Certificates: testConfig.Certificates, 411 MaxVersion: VersionTLS11, 412 } 413 clientConfig := &Config{ 414 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA}, 415 InsecureSkipVerify: true, 416 } 417 state, _, err := testHandshake(t, clientConfig, serverConfig) 418 if err != nil { 419 t.Fatalf("handshake failed: %s", err) 420 } 421 if state.CipherSuite != TLS_RSA_WITH_AES_128_CBC_SHA { 422 // By default the server should use the client's preference. 423 t.Fatalf("Client's preference was not used, got %x", state.CipherSuite) 424 } 425 426 serverConfig.PreferServerCipherSuites = true 427 state, _, err = testHandshake(t, clientConfig, serverConfig) 428 if err != nil { 429 t.Fatalf("handshake failed: %s", err) 430 } 431 if state.CipherSuite != TLS_RSA_WITH_RC4_128_SHA { 432 t.Fatalf("Server's preference was not used, got %x", state.CipherSuite) 433 } 434 } 435 436 func TestSCTHandshake(t *testing.T) { 437 t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) }) 438 t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) }) 439 } 440 441 func testSCTHandshake(t *testing.T, version uint16) { 442 expected := [][]byte{[]byte("certificate"), []byte("transparency")} 443 serverConfig := &Config{ 444 Certificates: []Certificate{{ 445 Certificate: [][]byte{testRSACertificate}, 446 PrivateKey: testRSAPrivateKey, 447 SignedCertificateTimestamps: expected, 448 }}, 449 MaxVersion: version, 450 } 451 clientConfig := &Config{ 452 InsecureSkipVerify: true, 453 } 454 _, state, err := testHandshake(t, clientConfig, serverConfig) 455 if err != nil { 456 t.Fatalf("handshake failed: %s", err) 457 } 458 actual := state.SignedCertificateTimestamps 459 if len(actual) != len(expected) { 460 t.Fatalf("got %d scts, want %d", len(actual), len(expected)) 461 } 462 for i, sct := range expected { 463 if !bytes.Equal(sct, actual[i]) { 464 t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct) 465 } 466 } 467 } 468 469 func TestCrossVersionResume(t *testing.T) { 470 t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) }) 471 t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) }) 472 } 473 474 func testCrossVersionResume(t *testing.T, version uint16) { 475 serverConfig := &Config{ 476 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, 477 Certificates: testConfig.Certificates, 478 } 479 clientConfig := &Config{ 480 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, 481 InsecureSkipVerify: true, 482 ClientSessionCache: NewLRUClientSessionCache(1), 483 ServerName: "servername", 484 } 485 486 // Establish a session at TLS 1.1. 487 clientConfig.MaxVersion = VersionTLS11 488 _, _, err := testHandshake(t, clientConfig, serverConfig) 489 if err != nil { 490 t.Fatalf("handshake failed: %s", err) 491 } 492 493 // The client session cache now contains a TLS 1.1 session. 494 state, _, err := testHandshake(t, clientConfig, serverConfig) 495 if err != nil { 496 t.Fatalf("handshake failed: %s", err) 497 } 498 if !state.DidResume { 499 t.Fatalf("handshake did not resume at the same version") 500 } 501 502 // Test that the server will decline to resume at a lower version. 503 clientConfig.MaxVersion = VersionTLS10 504 state, _, err = testHandshake(t, clientConfig, serverConfig) 505 if err != nil { 506 t.Fatalf("handshake failed: %s", err) 507 } 508 if state.DidResume { 509 t.Fatalf("handshake resumed at a lower version") 510 } 511 512 // The client session cache now contains a TLS 1.0 session. 513 state, _, err = testHandshake(t, clientConfig, serverConfig) 514 if err != nil { 515 t.Fatalf("handshake failed: %s", err) 516 } 517 if !state.DidResume { 518 t.Fatalf("handshake did not resume at the same version") 519 } 520 521 // Test that the server will decline to resume at a higher version. 522 clientConfig.MaxVersion = VersionTLS11 523 state, _, err = testHandshake(t, clientConfig, serverConfig) 524 if err != nil { 525 t.Fatalf("handshake failed: %s", err) 526 } 527 if state.DidResume { 528 t.Fatalf("handshake resumed at a higher version") 529 } 530 } 531 532 // Note: see comment in handshake_test.go for details of how the reference 533 // tests work. 534 535 // serverTest represents a test of the TLS server handshake against a reference 536 // implementation. 537 type serverTest struct { 538 // name is a freeform string identifying the test and the file in which 539 // the expected results will be stored. 540 name string 541 // command, if not empty, contains a series of arguments for the 542 // command to run for the reference server. 543 command []string 544 // expectedPeerCerts contains a list of PEM blocks of expected 545 // certificates from the client. 546 expectedPeerCerts []string 547 // config, if not nil, contains a custom Config to use for this test. 548 config *Config 549 // expectHandshakeErrorIncluding, when not empty, contains a string 550 // that must be a substring of the error resulting from the handshake. 551 expectHandshakeErrorIncluding string 552 // validate, if not nil, is a function that will be called with the 553 // ConnectionState of the resulting connection. It returns false if the 554 // ConnectionState is unacceptable. 555 validate func(ConnectionState) error 556 // wait, if true, prevents this subtest from calling t.Parallel. 557 // If false, runServerTest* returns immediately. 558 wait bool 559 } 560 561 var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"} 562 563 // connFromCommand starts opens a listening socket and starts the reference 564 // client to connect to it. It returns a recordingConn that wraps the resulting 565 // connection. 566 func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) { 567 l, err := net.ListenTCP("tcp", &net.TCPAddr{ 568 IP: net.IPv4(127, 0, 0, 1), 569 Port: 0, 570 }) 571 if err != nil { 572 return nil, nil, err 573 } 574 defer l.Close() 575 576 port := l.Addr().(*net.TCPAddr).Port 577 578 var command []string 579 command = append(command, test.command...) 580 if len(command) == 0 { 581 command = defaultClientCommand 582 } 583 command = append(command, "-connect") 584 command = append(command, fmt.Sprintf("127.0.0.1:%d", port)) 585 cmd := exec.Command(command[0], command[1:]...) 586 cmd.Stdin = nil 587 var output bytes.Buffer 588 cmd.Stdout = &output 589 cmd.Stderr = &output 590 if err := cmd.Start(); err != nil { 591 return nil, nil, err 592 } 593 594 connChan := make(chan interface{}) 595 go func() { 596 tcpConn, err := l.Accept() 597 if err != nil { 598 connChan <- err 599 } 600 connChan <- tcpConn 601 }() 602 603 var tcpConn net.Conn 604 select { 605 case connOrError := <-connChan: 606 if err, ok := connOrError.(error); ok { 607 return nil, nil, err 608 } 609 tcpConn = connOrError.(net.Conn) 610 case <-time.After(2 * time.Second): 611 return nil, nil, errors.New("timed out waiting for connection from child process") 612 } 613 614 record := &recordingConn{ 615 Conn: tcpConn, 616 } 617 618 return record, cmd, nil 619 } 620 621 func (test *serverTest) dataPath() string { 622 return filepath.Join("testdata", "Server-"+test.name) 623 } 624 625 func (test *serverTest) loadData() (flows [][]byte, err error) { 626 in, err := os.Open(test.dataPath()) 627 if err != nil { 628 return nil, err 629 } 630 defer in.Close() 631 return parseTestData(in) 632 } 633 634 func (test *serverTest) run(t *testing.T, write bool) { 635 checkOpenSSLVersion(t) 636 637 var clientConn, serverConn net.Conn 638 var recordingConn *recordingConn 639 var childProcess *exec.Cmd 640 641 if write { 642 var err error 643 recordingConn, childProcess, err = test.connFromCommand() 644 if err != nil { 645 t.Fatalf("Failed to start subcommand: %s", err) 646 } 647 serverConn = recordingConn 648 defer func() { 649 if t.Failed() { 650 t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout) 651 } 652 }() 653 } else { 654 clientConn, serverConn = localPipe(t) 655 } 656 config := test.config 657 if config == nil { 658 config = testConfig 659 } 660 server := Server(serverConn, config) 661 connStateChan := make(chan ConnectionState, 1) 662 go func() { 663 _, err := server.Write([]byte("hello, world\n")) 664 if len(test.expectHandshakeErrorIncluding) > 0 { 665 if err == nil { 666 t.Errorf("Error expected, but no error returned") 667 } else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) { 668 t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s) 669 } 670 } else { 671 if err != nil { 672 t.Logf("Error from Server.Write: '%s'", err) 673 } 674 } 675 server.Close() 676 serverConn.Close() 677 connStateChan <- server.ConnectionState() 678 }() 679 680 if !write { 681 flows, err := test.loadData() 682 if err != nil { 683 t.Fatalf("%s: failed to load data from %s", test.name, test.dataPath()) 684 } 685 for i, b := range flows { 686 if i%2 == 0 { 687 clientConn.SetWriteDeadline(time.Now().Add(1 * time.Minute)) 688 clientConn.Write(b) 689 continue 690 } 691 bb := make([]byte, len(b)) 692 clientConn.SetReadDeadline(time.Now().Add(1 * time.Minute)) 693 n, err := io.ReadFull(clientConn, bb) 694 if err != nil { 695 t.Fatalf("%s #%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", test.name, i+1, err, n, len(bb), bb[:n], b) 696 } 697 if !bytes.Equal(b, bb) { 698 t.Fatalf("%s #%d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b) 699 } 700 } 701 clientConn.Close() 702 } 703 704 connState := <-connStateChan 705 peerCerts := connState.PeerCertificates 706 if len(peerCerts) == len(test.expectedPeerCerts) { 707 for i, peerCert := range peerCerts { 708 block, _ := pem.Decode([]byte(test.expectedPeerCerts[i])) 709 if !bytes.Equal(block.Bytes, peerCert.Raw) { 710 t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1) 711 } 712 } 713 } else { 714 t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts)) 715 } 716 717 if test.validate != nil { 718 if err := test.validate(connState); err != nil { 719 t.Fatalf("validate callback returned error: %s", err) 720 } 721 } 722 723 if write { 724 path := test.dataPath() 725 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) 726 if err != nil { 727 t.Fatalf("Failed to create output file: %s", err) 728 } 729 defer out.Close() 730 recordingConn.Close() 731 if len(recordingConn.flows) < 3 { 732 if len(test.expectHandshakeErrorIncluding) == 0 { 733 t.Fatalf("Handshake failed") 734 } 735 } 736 recordingConn.WriteTo(out) 737 t.Logf("Wrote %s\n", path) 738 childProcess.Wait() 739 } 740 } 741 742 func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) { 743 t.Run(version, func(t *testing.T) { 744 // Make a deep copy of the template before going parallel. 745 test := *template 746 if template.config != nil { 747 test.config = template.config.Clone() 748 } 749 750 if !*update && !template.wait { 751 t.Parallel() 752 } 753 754 test.name = version + "-" + test.name 755 if len(test.command) == 0 { 756 test.command = defaultClientCommand 757 } 758 test.command = append([]string(nil), test.command...) 759 test.command = append(test.command, option) 760 test.run(t, *update) 761 }) 762 } 763 764 func runServerTestSSLv3(t *testing.T, template *serverTest) { 765 runServerTestForVersion(t, template, "SSLv3", "-ssl3") 766 } 767 768 func runServerTestTLS10(t *testing.T, template *serverTest) { 769 runServerTestForVersion(t, template, "TLSv10", "-tls1") 770 } 771 772 func runServerTestTLS11(t *testing.T, template *serverTest) { 773 runServerTestForVersion(t, template, "TLSv11", "-tls1_1") 774 } 775 776 func runServerTestTLS12(t *testing.T, template *serverTest) { 777 runServerTestForVersion(t, template, "TLSv12", "-tls1_2") 778 } 779 780 func runServerTestTLS13(t *testing.T, template *serverTest) { 781 runServerTestForVersion(t, template, "TLSv13", "-tls1_3") 782 } 783 784 func TestHandshakeServerRSARC4(t *testing.T) { 785 test := &serverTest{ 786 name: "RSA-RC4", 787 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"}, 788 } 789 runServerTestSSLv3(t, test) 790 runServerTestTLS10(t, test) 791 runServerTestTLS11(t, test) 792 runServerTestTLS12(t, test) 793 } 794 795 func TestHandshakeServerRSA3DES(t *testing.T) { 796 test := &serverTest{ 797 name: "RSA-3DES", 798 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"}, 799 } 800 runServerTestSSLv3(t, test) 801 runServerTestTLS10(t, test) 802 runServerTestTLS12(t, test) 803 } 804 805 func TestHandshakeServerRSAAES(t *testing.T) { 806 test := &serverTest{ 807 name: "RSA-AES", 808 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"}, 809 } 810 runServerTestSSLv3(t, test) 811 runServerTestTLS10(t, test) 812 runServerTestTLS12(t, test) 813 } 814 815 func TestHandshakeServerAESGCM(t *testing.T) { 816 test := &serverTest{ 817 name: "RSA-AES-GCM", 818 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"}, 819 } 820 runServerTestTLS12(t, test) 821 } 822 823 func TestHandshakeServerAES256GCMSHA384(t *testing.T) { 824 test := &serverTest{ 825 name: "RSA-AES256-GCM-SHA384", 826 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"}, 827 } 828 runServerTestTLS12(t, test) 829 } 830 831 func TestHandshakeServerAES128SHA256(t *testing.T) { 832 test := &serverTest{ 833 name: "AES128-SHA256", 834 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"}, 835 } 836 runServerTestTLS13(t, test) 837 } 838 func TestHandshakeServerAES256SHA384(t *testing.T) { 839 test := &serverTest{ 840 name: "AES256-SHA384", 841 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"}, 842 } 843 runServerTestTLS13(t, test) 844 } 845 func TestHandshakeServerCHACHA20SHA256(t *testing.T) { 846 test := &serverTest{ 847 name: "CHACHA20-SHA256", 848 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, 849 } 850 runServerTestTLS13(t, test) 851 } 852 853 func TestHandshakeServerECDHEECDSAAES(t *testing.T) { 854 config := testConfig.Clone() 855 config.Certificates = make([]Certificate, 1) 856 config.Certificates[0].Certificate = [][]byte{testECDSACertificate} 857 config.Certificates[0].PrivateKey = testECDSAPrivateKey 858 config.BuildNameToCertificate() 859 860 test := &serverTest{ 861 name: "ECDHE-ECDSA-AES", 862 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"}, 863 config: config, 864 } 865 runServerTestTLS10(t, test) 866 runServerTestTLS12(t, test) 867 runServerTestTLS13(t, test) 868 } 869 870 func TestHandshakeServerX25519(t *testing.T) { 871 config := testConfig.Clone() 872 config.CurvePreferences = []CurveID{X25519} 873 874 test := &serverTest{ 875 name: "X25519", 876 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"}, 877 config: config, 878 } 879 runServerTestTLS12(t, test) 880 runServerTestTLS13(t, test) 881 } 882 883 func TestHandshakeServerP256(t *testing.T) { 884 config := testConfig.Clone() 885 config.CurvePreferences = []CurveID{CurveP256} 886 887 test := &serverTest{ 888 name: "P256", 889 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"}, 890 config: config, 891 } 892 runServerTestTLS12(t, test) 893 runServerTestTLS13(t, test) 894 } 895 896 func TestHandshakeServerHelloRetryRequest(t *testing.T) { 897 config := testConfig.Clone() 898 config.CurvePreferences = []CurveID{CurveP256} 899 900 test := &serverTest{ 901 name: "HelloRetryRequest", 902 command: []string{"openssl", "s_client", "-no_ticket", "-curves", "X25519:P-256"}, 903 config: config, 904 } 905 runServerTestTLS13(t, test) 906 } 907 908 func TestHandshakeServerALPN(t *testing.T) { 909 config := testConfig.Clone() 910 config.NextProtos = []string{"proto1", "proto2"} 911 912 test := &serverTest{ 913 name: "ALPN", 914 // Note that this needs OpenSSL 1.0.2 because that is the first 915 // version that supports the -alpn flag. 916 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"}, 917 config: config, 918 validate: func(state ConnectionState) error { 919 // The server's preferences should override the client. 920 if state.NegotiatedProtocol != "proto1" { 921 return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol) 922 } 923 return nil 924 }, 925 } 926 runServerTestTLS12(t, test) 927 runServerTestTLS13(t, test) 928 } 929 930 func TestHandshakeServerALPNNoMatch(t *testing.T) { 931 config := testConfig.Clone() 932 config.NextProtos = []string{"proto3"} 933 934 test := &serverTest{ 935 name: "ALPN-NoMatch", 936 // Note that this needs OpenSSL 1.0.2 because that is the first 937 // version that supports the -alpn flag. 938 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"}, 939 config: config, 940 validate: func(state ConnectionState) error { 941 // Rather than reject the connection, Go doesn't select 942 // a protocol when there is no overlap. 943 if state.NegotiatedProtocol != "" { 944 return fmt.Errorf("Got protocol %q, wanted ''", state.NegotiatedProtocol) 945 } 946 return nil 947 }, 948 } 949 runServerTestTLS12(t, test) 950 runServerTestTLS13(t, test) 951 } 952 953 // TestHandshakeServerSNI involves a client sending an SNI extension of 954 // "snitest.com", which happens to match the CN of testSNICertificate. The test 955 // verifies that the server correctly selects that certificate. 956 func TestHandshakeServerSNI(t *testing.T) { 957 test := &serverTest{ 958 name: "SNI", 959 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, 960 } 961 runServerTestTLS12(t, test) 962 } 963 964 // TestHandshakeServerSNICertForName is similar to TestHandshakeServerSNI, but 965 // tests the dynamic GetCertificate method 966 func TestHandshakeServerSNIGetCertificate(t *testing.T) { 967 config := testConfig.Clone() 968 969 // Replace the NameToCertificate map with a GetCertificate function 970 nameToCert := config.NameToCertificate 971 config.NameToCertificate = nil 972 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { 973 cert := nameToCert[clientHello.ServerName] 974 return cert, nil 975 } 976 test := &serverTest{ 977 name: "SNI-GetCertificate", 978 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, 979 config: config, 980 } 981 runServerTestTLS12(t, test) 982 } 983 984 // TestHandshakeServerSNICertForNameNotFound is similar to 985 // TestHandshakeServerSNICertForName, but tests to make sure that when the 986 // GetCertificate method doesn't return a cert, we fall back to what's in 987 // the NameToCertificate map. 988 func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) { 989 config := testConfig.Clone() 990 991 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { 992 return nil, nil 993 } 994 test := &serverTest{ 995 name: "SNI-GetCertificateNotFound", 996 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, 997 config: config, 998 } 999 runServerTestTLS12(t, test) 1000 } 1001 1002 // TestHandshakeServerSNICertForNameError tests to make sure that errors in 1003 // GetCertificate result in a tls alert. 1004 func TestHandshakeServerSNIGetCertificateError(t *testing.T) { 1005 const errMsg = "TestHandshakeServerSNIGetCertificateError error" 1006 1007 serverConfig := testConfig.Clone() 1008 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { 1009 return nil, errors.New(errMsg) 1010 } 1011 1012 clientHello := &clientHelloMsg{ 1013 vers: VersionTLS10, 1014 random: make([]byte, 32), 1015 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 1016 compressionMethods: []uint8{compressionNone}, 1017 serverName: "test", 1018 } 1019 testClientHelloFailure(t, serverConfig, clientHello, errMsg) 1020 } 1021 1022 // TestHandshakeServerEmptyCertificates tests that GetCertificates is called in 1023 // the case that Certificates is empty, even without SNI. 1024 func TestHandshakeServerEmptyCertificates(t *testing.T) { 1025 const errMsg = "TestHandshakeServerEmptyCertificates error" 1026 1027 serverConfig := testConfig.Clone() 1028 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { 1029 return nil, errors.New(errMsg) 1030 } 1031 serverConfig.Certificates = nil 1032 1033 clientHello := &clientHelloMsg{ 1034 vers: VersionTLS10, 1035 random: make([]byte, 32), 1036 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 1037 compressionMethods: []uint8{compressionNone}, 1038 } 1039 testClientHelloFailure(t, serverConfig, clientHello, errMsg) 1040 1041 // With an empty Certificates and a nil GetCertificate, the server 1042 // should always return a “no certificates” error. 1043 serverConfig.GetCertificate = nil 1044 1045 clientHello = &clientHelloMsg{ 1046 vers: VersionTLS10, 1047 random: make([]byte, 32), 1048 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 1049 compressionMethods: []uint8{compressionNone}, 1050 } 1051 testClientHelloFailure(t, serverConfig, clientHello, "no certificates") 1052 } 1053 1054 // TestCipherSuiteCertPreferance ensures that we select an RSA ciphersuite with 1055 // an RSA certificate and an ECDSA ciphersuite with an ECDSA certificate. 1056 func TestCipherSuiteCertPreferenceECDSA(t *testing.T) { 1057 config := testConfig.Clone() 1058 config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA} 1059 config.PreferServerCipherSuites = true 1060 1061 test := &serverTest{ 1062 name: "CipherSuiteCertPreferenceRSA", 1063 config: config, 1064 } 1065 runServerTestTLS12(t, test) 1066 1067 config = testConfig.Clone() 1068 config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA} 1069 config.Certificates = []Certificate{ 1070 { 1071 Certificate: [][]byte{testECDSACertificate}, 1072 PrivateKey: testECDSAPrivateKey, 1073 }, 1074 } 1075 config.BuildNameToCertificate() 1076 config.PreferServerCipherSuites = true 1077 1078 test = &serverTest{ 1079 name: "CipherSuiteCertPreferenceECDSA", 1080 config: config, 1081 } 1082 runServerTestTLS12(t, test) 1083 } 1084 1085 func TestServerResumption(t *testing.T) { 1086 sessionFilePath := tempFile("") 1087 defer os.Remove(sessionFilePath) 1088 1089 testIssue := &serverTest{ 1090 name: "IssueTicket", 1091 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath}, 1092 wait: true, 1093 } 1094 testResume := &serverTest{ 1095 name: "Resume", 1096 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath}, 1097 validate: func(state ConnectionState) error { 1098 if !state.DidResume { 1099 return errors.New("did not resume") 1100 } 1101 return nil 1102 }, 1103 } 1104 1105 runServerTestTLS12(t, testIssue) 1106 runServerTestTLS12(t, testResume) 1107 1108 runServerTestTLS13(t, testIssue) 1109 runServerTestTLS13(t, testResume) 1110 1111 config := testConfig.Clone() 1112 config.CurvePreferences = []CurveID{CurveP256} 1113 1114 testResumeHRR := &serverTest{ 1115 name: "Resume-HelloRetryRequest", 1116 command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-sess_in", sessionFilePath}, 1117 config: config, 1118 validate: func(state ConnectionState) error { 1119 if !state.DidResume { 1120 return errors.New("did not resume") 1121 } 1122 return nil 1123 }, 1124 } 1125 1126 runServerTestTLS13(t, testResumeHRR) 1127 } 1128 1129 func TestServerResumptionDisabled(t *testing.T) { 1130 sessionFilePath := tempFile("") 1131 defer os.Remove(sessionFilePath) 1132 1133 config := testConfig.Clone() 1134 1135 testIssue := &serverTest{ 1136 name: "IssueTicketPreDisable", 1137 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath}, 1138 config: config, 1139 wait: true, 1140 } 1141 testResume := &serverTest{ 1142 name: "ResumeDisabled", 1143 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath}, 1144 config: config, 1145 validate: func(state ConnectionState) error { 1146 if state.DidResume { 1147 return errors.New("resumed with SessionTicketsDisabled") 1148 } 1149 return nil 1150 }, 1151 } 1152 1153 config.SessionTicketsDisabled = false 1154 runServerTestTLS12(t, testIssue) 1155 config.SessionTicketsDisabled = true 1156 runServerTestTLS12(t, testResume) 1157 1158 config.SessionTicketsDisabled = false 1159 runServerTestTLS13(t, testIssue) 1160 config.SessionTicketsDisabled = true 1161 runServerTestTLS13(t, testResume) 1162 } 1163 1164 func TestFallbackSCSV(t *testing.T) { 1165 serverConfig := Config{ 1166 Certificates: testConfig.Certificates, 1167 } 1168 test := &serverTest{ 1169 name: "FallbackSCSV", 1170 config: &serverConfig, 1171 // OpenSSL 1.0.1j is needed for the -fallback_scsv option. 1172 command: []string{"openssl", "s_client", "-fallback_scsv"}, 1173 expectHandshakeErrorIncluding: "inappropriate protocol fallback", 1174 } 1175 runServerTestTLS11(t, test) 1176 } 1177 1178 func TestHandshakeServerExportKeyingMaterial(t *testing.T) { 1179 test := &serverTest{ 1180 name: "ExportKeyingMaterial", 1181 command: []string{"openssl", "s_client"}, 1182 config: testConfig.Clone(), 1183 validate: func(state ConnectionState) error { 1184 if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil { 1185 return fmt.Errorf("ExportKeyingMaterial failed: %v", err) 1186 } else if len(km) != 42 { 1187 return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42) 1188 } 1189 return nil 1190 }, 1191 } 1192 runServerTestTLS10(t, test) 1193 runServerTestTLS12(t, test) 1194 runServerTestTLS13(t, test) 1195 } 1196 1197 func TestHandshakeServerRSAPKCS1v15(t *testing.T) { 1198 test := &serverTest{ 1199 name: "RSA-RSAPKCS1v15", 1200 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pkcs1_sha256"}, 1201 } 1202 runServerTestTLS12(t, test) 1203 } 1204 1205 func TestHandshakeServerRSAPSS(t *testing.T) { 1206 test := &serverTest{ 1207 name: "RSA-RSAPSS", 1208 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"}, 1209 } 1210 runServerTestTLS12(t, test) 1211 runServerTestTLS13(t, test) 1212 } 1213 1214 func TestHandshakeServerPSSDisabled(t *testing.T) { 1215 test := &serverTest{ 1216 name: "RSA-PSS-Disabled", 1217 command: []string{"openssl", "s_client", "-no_ticket"}, 1218 wait: true, 1219 } 1220 1221 // Restore the default signature algorithms, disabling RSA-PSS in TLS 1.2, 1222 // and check that handshakes still work. 1223 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12 1224 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }() 1225 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12 1226 1227 runServerTestTLS12(t, test) 1228 runServerTestTLS13(t, test) 1229 1230 test = &serverTest{ 1231 name: "RSA-PSS-Disabled-Required", 1232 command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"}, 1233 wait: true, 1234 1235 expectHandshakeErrorIncluding: "peer doesn't support any common signature algorithms", 1236 } 1237 1238 runServerTestTLS12(t, test) 1239 } 1240 1241 func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) { 1242 config := testConfig.Clone() 1243 config.CipherSuites = []uint16{cipherSuite} 1244 config.CurvePreferences = []CurveID{curve} 1245 config.Certificates = make([]Certificate, 1) 1246 config.Certificates[0].Certificate = [][]byte{cert} 1247 config.Certificates[0].PrivateKey = key 1248 config.BuildNameToCertificate() 1249 1250 clientConn, serverConn := localPipe(b) 1251 serverConn = &recordingConn{Conn: serverConn} 1252 go func() { 1253 config := testConfig.Clone() 1254 config.MaxVersion = version 1255 config.CurvePreferences = []CurveID{curve} 1256 client := Client(clientConn, config) 1257 client.Handshake() 1258 }() 1259 server := Server(serverConn, config) 1260 if err := server.Handshake(); err != nil { 1261 b.Fatalf("handshake failed: %v", err) 1262 } 1263 serverConn.Close() 1264 flows := serverConn.(*recordingConn).flows 1265 1266 feeder := make(chan struct{}) 1267 clientConn, serverConn = localPipe(b) 1268 1269 go func() { 1270 for range feeder { 1271 for i, f := range flows { 1272 if i%2 == 0 { 1273 clientConn.Write(f) 1274 continue 1275 } 1276 ff := make([]byte, len(f)) 1277 n, err := io.ReadFull(clientConn, ff) 1278 if err != nil { 1279 b.Errorf("#%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", i+1, err, n, len(ff), ff[:n], f) 1280 } 1281 if !bytes.Equal(f, ff) { 1282 b.Errorf("#%d: mismatch on read: got:%x want:%x", i+1, ff, f) 1283 } 1284 } 1285 } 1286 }() 1287 1288 b.ResetTimer() 1289 for i := 0; i < b.N; i++ { 1290 feeder <- struct{}{} 1291 server := Server(serverConn, config) 1292 if err := server.Handshake(); err != nil { 1293 b.Fatalf("handshake failed: %v", err) 1294 } 1295 } 1296 close(feeder) 1297 } 1298 1299 func BenchmarkHandshakeServer(b *testing.B) { 1300 b.Run("RSA", func(b *testing.B) { 1301 benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256, 1302 0, testRSACertificate, testRSAPrivateKey) 1303 }) 1304 b.Run("ECDHE-P256-RSA", func(b *testing.B) { 1305 b.Run("TLSv13", func(b *testing.B) { 1306 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1307 CurveP256, testRSACertificate, testRSAPrivateKey) 1308 }) 1309 b.Run("TLSv12", func(b *testing.B) { 1310 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1311 CurveP256, testRSACertificate, testRSAPrivateKey) 1312 }) 1313 }) 1314 b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) { 1315 b.Run("TLSv13", func(b *testing.B) { 1316 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1317 CurveP256, testP256Certificate, testP256PrivateKey) 1318 }) 1319 b.Run("TLSv12", func(b *testing.B) { 1320 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1321 CurveP256, testP256Certificate, testP256PrivateKey) 1322 }) 1323 }) 1324 b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) { 1325 b.Run("TLSv13", func(b *testing.B) { 1326 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1327 X25519, testP256Certificate, testP256PrivateKey) 1328 }) 1329 b.Run("TLSv12", func(b *testing.B) { 1330 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1331 X25519, testP256Certificate, testP256PrivateKey) 1332 }) 1333 }) 1334 b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) { 1335 if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() { 1336 b.Fatal("test ECDSA key doesn't use curve P-521") 1337 } 1338 b.Run("TLSv13", func(b *testing.B) { 1339 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1340 CurveP521, testECDSACertificate, testECDSAPrivateKey) 1341 }) 1342 b.Run("TLSv12", func(b *testing.B) { 1343 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1344 CurveP521, testECDSACertificate, testECDSAPrivateKey) 1345 }) 1346 }) 1347 } 1348 1349 const clientCertificatePEM = ` 1350 -----BEGIN CERTIFICATE----- 1351 MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS 1352 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz 1353 MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC 1354 gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff 1355 NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K 1356 hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD 1357 VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw 1358 DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU 1359 8ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK 1360 o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR 1361 e/oCO8HJ/+rJnahJ05XX1Q7lNQ== 1362 -----END CERTIFICATE-----` 1363 1364 const clientKeyPEM = ` 1365 -----BEGIN RSA PRIVATE KEY----- 1366 MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa 1367 YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J 1368 czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB 1369 AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc 1370 qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv 1371 PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z 1372 9TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY 1373 dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ 1374 zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w 1375 jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ 1376 rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr 1377 FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU 1378 csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6 1379 -----END RSA PRIVATE KEY-----` 1380 1381 const clientECDSACertificatePEM = ` 1382 -----BEGIN CERTIFICATE----- 1383 MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw 1384 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 1385 eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG 1386 EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK 1387 b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv 1388 ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs 1389 jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q 1390 ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg 1391 C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa 1392 2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw 1393 jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes= 1394 -----END CERTIFICATE-----` 1395 1396 const clientECDSAKeyPEM = ` 1397 -----BEGIN EC PARAMETERS----- 1398 BgUrgQQAIw== 1399 -----END EC PARAMETERS----- 1400 -----BEGIN EC PRIVATE KEY----- 1401 MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8 1402 k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1 1403 FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd 1404 3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx 1405 +U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q== 1406 -----END EC PRIVATE KEY-----` 1407 1408 func TestClientAuth(t *testing.T) { 1409 var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath string 1410 1411 if *update { 1412 certPath = tempFile(clientCertificatePEM) 1413 defer os.Remove(certPath) 1414 keyPath = tempFile(clientKeyPEM) 1415 defer os.Remove(keyPath) 1416 ecdsaCertPath = tempFile(clientECDSACertificatePEM) 1417 defer os.Remove(ecdsaCertPath) 1418 ecdsaKeyPath = tempFile(clientECDSAKeyPEM) 1419 defer os.Remove(ecdsaKeyPath) 1420 } 1421 1422 t.Run("Normal", func(t *testing.T) { 1423 config := testConfig.Clone() 1424 config.ClientAuth = RequestClientCert 1425 1426 test := &serverTest{ 1427 name: "ClientAuthRequestedNotGiven", 1428 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"}, 1429 config: config, 1430 } 1431 runServerTestTLS12(t, test) 1432 runServerTestTLS13(t, test) 1433 1434 config.ClientAuth = RequireAnyClientCert 1435 1436 test = &serverTest{ 1437 name: "ClientAuthRequestedAndGiven", 1438 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", 1439 "-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pss_rsae_sha256"}, 1440 config: config, 1441 expectedPeerCerts: []string{clientCertificatePEM}, 1442 } 1443 runServerTestTLS12(t, test) 1444 runServerTestTLS13(t, test) 1445 1446 test = &serverTest{ 1447 name: "ClientAuthRequestedAndECDSAGiven", 1448 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", 1449 "-cert", ecdsaCertPath, "-key", ecdsaKeyPath}, 1450 config: config, 1451 expectedPeerCerts: []string{clientECDSACertificatePEM}, 1452 } 1453 runServerTestTLS12(t, test) 1454 runServerTestTLS13(t, test) 1455 1456 test = &serverTest{ 1457 name: "ClientAuthRequestedAndPKCS1v15Given", 1458 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", 1459 "-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pkcs1_sha256"}, 1460 config: config, 1461 expectedPeerCerts: []string{clientCertificatePEM}, 1462 } 1463 runServerTestTLS12(t, test) 1464 }) 1465 1466 // Restore the default signature algorithms, disabling RSA-PSS in TLS 1.2, 1467 // and check that handshakes still work. 1468 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12 1469 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }() 1470 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12 1471 1472 t.Run("PSSDisabled", func(t *testing.T) { 1473 config := testConfig.Clone() 1474 config.ClientAuth = RequireAnyClientCert 1475 1476 test := &serverTest{ 1477 name: "ClientAuthRequestedAndGiven-PSS-Disabled", 1478 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", 1479 "-cert", certPath, "-key", keyPath}, 1480 config: config, 1481 expectedPeerCerts: []string{clientCertificatePEM}, 1482 } 1483 runServerTestTLS12(t, test) 1484 runServerTestTLS13(t, test) 1485 1486 test = &serverTest{ 1487 name: "ClientAuthRequestedAndGiven-PSS-Disabled-Required", 1488 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", 1489 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"}, 1490 config: config, 1491 1492 expectHandshakeErrorIncluding: "client didn't provide a certificate", 1493 } 1494 runServerTestTLS12(t, test) 1495 }) 1496 } 1497 1498 func TestSNIGivenOnFailure(t *testing.T) { 1499 const expectedServerName = "test.testing" 1500 1501 clientHello := &clientHelloMsg{ 1502 vers: VersionTLS10, 1503 random: make([]byte, 32), 1504 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 1505 compressionMethods: []uint8{compressionNone}, 1506 serverName: expectedServerName, 1507 } 1508 1509 serverConfig := testConfig.Clone() 1510 // Erase the server's cipher suites to ensure the handshake fails. 1511 serverConfig.CipherSuites = nil 1512 1513 c, s := localPipe(t) 1514 go func() { 1515 cli := Client(c, testConfig) 1516 cli.vers = clientHello.vers 1517 cli.writeRecord(recordTypeHandshake, clientHello.marshal()) 1518 c.Close() 1519 }() 1520 conn := Server(s, serverConfig) 1521 ch, err := conn.readClientHello() 1522 hs := serverHandshakeState{ 1523 c: conn, 1524 clientHello: ch, 1525 } 1526 if err == nil { 1527 err = hs.processClientHello() 1528 } 1529 if err == nil { 1530 err = hs.pickCipherSuite() 1531 } 1532 defer s.Close() 1533 1534 if err == nil { 1535 t.Error("No error reported from server") 1536 } 1537 1538 cs := hs.c.ConnectionState() 1539 if cs.HandshakeComplete { 1540 t.Error("Handshake registered as complete") 1541 } 1542 1543 if cs.ServerName != expectedServerName { 1544 t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName) 1545 } 1546 } 1547 1548 var getConfigForClientTests = []struct { 1549 setup func(config *Config) 1550 callback func(clientHello *ClientHelloInfo) (*Config, error) 1551 errorSubstring string 1552 verify func(config *Config) error 1553 }{ 1554 { 1555 nil, 1556 func(clientHello *ClientHelloInfo) (*Config, error) { 1557 return nil, nil 1558 }, 1559 "", 1560 nil, 1561 }, 1562 { 1563 nil, 1564 func(clientHello *ClientHelloInfo) (*Config, error) { 1565 return nil, errors.New("should bubble up") 1566 }, 1567 "should bubble up", 1568 nil, 1569 }, 1570 { 1571 nil, 1572 func(clientHello *ClientHelloInfo) (*Config, error) { 1573 config := testConfig.Clone() 1574 // Setting a maximum version of TLS 1.1 should cause 1575 // the handshake to fail, as the client MinVersion is TLS 1.2. 1576 config.MaxVersion = VersionTLS11 1577 return config, nil 1578 }, 1579 "client offered only unsupported versions", 1580 nil, 1581 }, 1582 { 1583 func(config *Config) { 1584 for i := range config.SessionTicketKey { 1585 config.SessionTicketKey[i] = byte(i) 1586 } 1587 config.sessionTicketKeys = nil 1588 }, 1589 func(clientHello *ClientHelloInfo) (*Config, error) { 1590 config := testConfig.Clone() 1591 for i := range config.SessionTicketKey { 1592 config.SessionTicketKey[i] = 0 1593 } 1594 config.sessionTicketKeys = nil 1595 return config, nil 1596 }, 1597 "", 1598 func(config *Config) error { 1599 // The value of SessionTicketKey should have been 1600 // duplicated into the per-connection Config. 1601 for i := range config.SessionTicketKey { 1602 if b := config.SessionTicketKey[i]; b != byte(i) { 1603 return fmt.Errorf("SessionTicketKey was not duplicated from original Config: byte %d has value %d", i, b) 1604 } 1605 } 1606 return nil 1607 }, 1608 }, 1609 { 1610 func(config *Config) { 1611 var dummyKey [32]byte 1612 for i := range dummyKey { 1613 dummyKey[i] = byte(i) 1614 } 1615 1616 config.SetSessionTicketKeys([][32]byte{dummyKey}) 1617 }, 1618 func(clientHello *ClientHelloInfo) (*Config, error) { 1619 config := testConfig.Clone() 1620 config.sessionTicketKeys = nil 1621 return config, nil 1622 }, 1623 "", 1624 func(config *Config) error { 1625 // The session ticket keys should have been duplicated 1626 // into the per-connection Config. 1627 if l := len(config.sessionTicketKeys); l != 1 { 1628 return fmt.Errorf("got len(sessionTicketKeys) == %d, wanted 1", l) 1629 } 1630 return nil 1631 }, 1632 }, 1633 } 1634 1635 func TestGetConfigForClient(t *testing.T) { 1636 serverConfig := testConfig.Clone() 1637 clientConfig := testConfig.Clone() 1638 clientConfig.MinVersion = VersionTLS12 1639 1640 for i, test := range getConfigForClientTests { 1641 if test.setup != nil { 1642 test.setup(serverConfig) 1643 } 1644 1645 var configReturned *Config 1646 serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) { 1647 config, err := test.callback(clientHello) 1648 configReturned = config 1649 return config, err 1650 } 1651 c, s := localPipe(t) 1652 done := make(chan error) 1653 1654 go func() { 1655 defer s.Close() 1656 done <- Server(s, serverConfig).Handshake() 1657 }() 1658 1659 clientErr := Client(c, clientConfig).Handshake() 1660 c.Close() 1661 1662 serverErr := <-done 1663 1664 if len(test.errorSubstring) == 0 { 1665 if serverErr != nil || clientErr != nil { 1666 t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr) 1667 } 1668 if test.verify != nil { 1669 if err := test.verify(configReturned); err != nil { 1670 t.Errorf("test[%d]: verify returned error: %v", i, err) 1671 } 1672 } 1673 } else { 1674 if serverErr == nil { 1675 t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring) 1676 } else if !strings.Contains(serverErr.Error(), test.errorSubstring) { 1677 t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr) 1678 } 1679 } 1680 } 1681 } 1682 1683 func bigFromString(s string) *big.Int { 1684 ret := new(big.Int) 1685 ret.SetString(s, 10) 1686 return ret 1687 } 1688 1689 func fromHex(s string) []byte { 1690 b, _ := hex.DecodeString(s) 1691 return b 1692 } 1693 1694 var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7") 1695 1696 var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76") 1697 1698 // testRSAPSSCertificate has signatureAlgorithm rsassaPss, and subjectPublicKeyInfo 1699 // algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes. 1700 // See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed. 1701 var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1") 1702 1703 var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a") 1704 1705 var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed") 1706 1707 var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a") 1708 1709 var testRSAPrivateKey = &rsa.PrivateKey{ 1710 PublicKey: rsa.PublicKey{ 1711 N: bigFromString("153980389784927331788354528594524332344709972855165340650588877572729725338415474372475094155672066328274535240275856844648695200875763869073572078279316458648124537905600131008790701752441155668003033945258023841165089852359980273279085783159654751552359397986180318708491098942831252291841441726305535546071"), 1712 E: 65537, 1713 }, 1714 D: bigFromString("7746362285745539358014631136245887418412633787074173796862711588221766398229333338511838891484974940633857861775630560092874987828057333663969469797013996401149696897591265769095952887917296740109742927689053276850469671231961384712725169432413343763989564437170644270643461665184965150423819594083121075825"), 1715 Primes: []*big.Int{ 1716 bigFromString("13299275414352936908236095374926261633419699590839189494995965049151460173257838079863316944311313904000258169883815802963543635820059341150014695560313417"), 1717 bigFromString("11578103692682951732111718237224894755352163854919244905974423810539077224889290605729035287537520656160688625383765857517518932447378594964220731750802463"), 1718 }, 1719 } 1720 1721 var testECDSAPrivateKey = &ecdsa.PrivateKey{ 1722 PublicKey: ecdsa.PublicKey{ 1723 Curve: elliptic.P521(), 1724 X: bigFromString("2636411247892461147287360222306590634450676461695221912739908880441342231985950069527906976759812296359387337367668045707086543273113073382714101597903639351"), 1725 Y: bigFromString("3204695818431246682253994090650952614555094516658732116404513121125038617915183037601737180082382202488628239201196033284060130040574800684774115478859677243"), 1726 }, 1727 D: bigFromString("5477294338614160138026852784385529180817726002953041720191098180813046231640184669647735805135001309477695746518160084669446643325196003346204701381388769751"), 1728 } 1729 1730 var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75")) 1731 1732 func TestCloseServerConnectionOnIdleClient(t *testing.T) { 1733 clientConn, serverConn := localPipe(t) 1734 server := Server(serverConn, testConfig.Clone()) 1735 go func() { 1736 clientConn.Write([]byte{'0'}) 1737 server.Close() 1738 }() 1739 server.SetReadDeadline(time.Now().Add(time.Minute)) 1740 err := server.Handshake() 1741 if err != nil { 1742 if err, ok := err.(net.Error); ok && err.Timeout() { 1743 t.Errorf("Expected a closed network connection error but got '%s'", err.Error()) 1744 } 1745 } else { 1746 t.Errorf("Error expected, but no error returned") 1747 } 1748 } 1749 1750 func TestCloneHash(t *testing.T) { 1751 h1 := crypto.SHA256.New() 1752 h1.Write([]byte("test")) 1753 s1 := h1.Sum(nil) 1754 h2 := cloneHash(h1, crypto.SHA256) 1755 s2 := h2.Sum(nil) 1756 if !bytes.Equal(s1, s2) { 1757 t.Error("cloned hash generated a different sum") 1758 } 1759 } 1760 1761 func TestKeyTooSmallForRSAPSS(t *testing.T) { 1762 clientConn, serverConn := localPipe(t) 1763 client := Client(clientConn, testConfig) 1764 cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE----- 1765 MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS 1766 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy 1767 OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd 1768 ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ 1769 nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE 1770 DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu 1771 Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q 1772 KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA== 1773 -----END CERTIFICATE-----`), []byte(`-----BEGIN RSA PRIVATE KEY----- 1774 MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T 1775 HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/ 1776 yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z 1777 4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz 1778 nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd 1779 hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s 1780 T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g 1781 -----END RSA PRIVATE KEY-----`)) 1782 if err != nil { 1783 t.Fatal(err) 1784 } 1785 1786 done := make(chan struct{}) 1787 go func() { 1788 config := testConfig.Clone() 1789 config.Certificates = []Certificate{cert} 1790 config.MinVersion = VersionTLS13 1791 server := Server(serverConn, config) 1792 err := server.Handshake() 1793 if !strings.Contains(err.Error(), "key size too small for PSS signature") { 1794 t.Errorf(`expected "key size too small for PSS signature", got %q`, err) 1795 } 1796 close(done) 1797 }() 1798 err = client.Handshake() 1799 if !strings.Contains(err.Error(), "handshake failure") { 1800 t.Errorf(`expected "handshake failure", got %q`, err) 1801 } 1802 <-done 1803 1804 // With RSA-PSS disabled and TLS 1.2, this should work. 1805 1806 testSupportedSignatureAlgorithmsTLS12 := supportedSignatureAlgorithmsTLS12 1807 defer func() { supportedSignatureAlgorithmsTLS12 = testSupportedSignatureAlgorithmsTLS12 }() 1808 supportedSignatureAlgorithmsTLS12 = savedSupportedSignatureAlgorithmsTLS12 1809 1810 serverConfig := testConfig.Clone() 1811 serverConfig.Certificates = []Certificate{cert} 1812 serverConfig.MaxVersion = VersionTLS12 1813 testHandshake(t, testConfig, serverConfig) 1814 }