1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
25 var rsaCertPEM = `-----BEGIN CERTIFICATE-----
26 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
27 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
28 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
29 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
30 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
31 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
32 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
33 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
34 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
35 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
36 -----END CERTIFICATE-----
39 var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
40 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
41 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
42 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
43 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
44 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
45 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
46 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
47 -----END RSA PRIVATE KEY-----
50 // keyPEM is the same as rsaKeyPEM, but declares itself as just
51 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477
52 var keyPEM = `-----BEGIN PRIVATE KEY-----
53 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
54 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
55 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
56 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
57 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
58 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
59 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
60 -----END PRIVATE KEY-----
63 var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
64 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
65 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
66 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
67 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
68 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
69 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
70 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
71 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
72 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
73 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
74 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
75 -----END CERTIFICATE-----
78 var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS-----
80 -----END EC PARAMETERS-----
81 -----BEGIN EC PRIVATE KEY-----
82 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
83 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
84 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
85 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
86 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
87 -----END EC PRIVATE KEY-----
90 var keyPairTests = []struct {
95 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
96 {"RSA", rsaCertPEM, rsaKeyPEM},
97 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
100 func TestX509KeyPair(t *testing.T) {
103 for _, test := range keyPairTests {
104 pem = []byte(test.cert + test.key)
105 if _, err := X509KeyPair(pem, pem); err != nil {
106 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
108 pem = []byte(test.key + test.cert)
109 if _, err := X509KeyPair(pem, pem); err != nil {
110 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
115 func TestX509KeyPairErrors(t *testing.T) {
116 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))
118 t.Fatalf("X509KeyPair didn't return an error when arguments were switched")
120 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {
121 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)
124 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))
126 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")
128 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {
129 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)
132 const nonsensePEM = `
133 -----BEGIN NONSENSE-----
135 -----END NONSENSE-----
138 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))
140 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")
142 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {
143 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)
147 func TestX509MixedKeyPair(t *testing.T) {
148 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
149 t.Error("Load of RSA certificate succeeded with ECDSA private key")
151 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
152 t.Error("Load of ECDSA certificate succeeded with RSA private key")
156 func newLocalListener(t testing.TB) net.Listener {
157 ln, err := net.Listen("tcp", "127.0.0.1:0")
159 ln, err = net.Listen("tcp6", "[::1]:0")
167 func TestDialTimeout(t *testing.T) {
169 t.Skip("skipping in short mode")
171 listener := newLocalListener(t)
173 addr := listener.Addr().String()
174 defer listener.Close()
176 complete := make(chan bool)
177 defer close(complete)
180 conn, err := listener.Accept()
189 dialer := &net.Dialer{
190 Timeout: 10 * time.Millisecond,
194 if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {
195 t.Fatal("DialWithTimeout completed successfully")
198 if !isTimeoutError(err) {
199 t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err)
203 func isTimeoutError(err error) bool {
204 if ne, ok := err.(net.Error); ok {
210 // tests that Conn.Read returns (non-zero, io.EOF) instead of
211 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right
212 // behind the application data in the buffer.
213 func TestConnReadNonzeroAndEOF(t *testing.T) {
214 // This test is racy: it assumes that after a write to a
215 // localhost TCP connection, the peer TCP connection can
216 // immediately read it. Because it's racy, we skip this test
217 // in short mode, and then retry it several times with an
218 // increasing sleep in between our final write (via srv.Close
219 // below) and the following read.
221 t.Skip("skipping in short mode")
224 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
225 if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
232 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
233 ln := newLocalListener(t)
236 srvCh := make(chan *Conn, 1)
239 sconn, err := ln.Accept()
245 serverConfig := testConfig.Clone()
246 srv := Server(sconn, serverConfig)
247 if err := srv.Handshake(); err != nil {
248 serr = fmt.Errorf("handshake: %v", err)
255 clientConfig := testConfig.Clone()
256 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
267 buf := make([]byte, 6)
269 srv.Write([]byte("foobar"))
270 n, err := conn.Read(buf)
271 if n != 6 || err != nil || string(buf) != "foobar" {
272 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
275 srv.Write([]byte("abcdef"))
278 n, err = conn.Read(buf)
279 if n != 6 || string(buf) != "abcdef" {
280 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
283 return fmt.Errorf("Second Read error = %v; want io.EOF", err)
288 func TestTLSUniqueMatches(t *testing.T) {
289 ln := newLocalListener(t)
292 serverTLSUniques := make(chan []byte)
294 for i := 0; i < 2; i++ {
295 sconn, err := ln.Accept()
300 serverConfig := testConfig.Clone()
301 srv := Server(sconn, serverConfig)
302 if err := srv.Handshake(); err != nil {
306 serverTLSUniques <- srv.ConnectionState().TLSUnique
310 clientConfig := testConfig.Clone()
311 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
312 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
316 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
317 t.Error("client and server channel bindings differ")
321 conn, err = Dial("tcp", ln.Addr().String(), clientConfig)
326 if !conn.ConnectionState().DidResume {
327 t.Error("second session did not use resumption")
329 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
330 t.Error("client and server channel bindings differ when session resumption is used")
334 func TestVerifyHostname(t *testing.T) {
335 testenv.MustHaveExternalNetwork(t)
337 c, err := Dial("tcp", "www.google.com:https", nil)
341 if err := c.VerifyHostname("www.google.com"); err != nil {
342 t.Fatalf("verify www.google.com: %v", err)
344 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
345 t.Fatalf("verify www.yahoo.com succeeded")
348 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
352 if err := c.VerifyHostname("www.google.com"); err == nil {
353 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
355 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
356 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
360 func TestVerifyHostnameResumed(t *testing.T) {
361 testenv.MustHaveExternalNetwork(t)
364 ClientSessionCache: NewLRUClientSessionCache(32),
366 for i := 0; i < 2; i++ {
367 c, err := Dial("tcp", "www.google.com:https", config)
369 t.Fatalf("Dial #%d: %v", i, err)
371 cs := c.ConnectionState()
372 if i > 0 && !cs.DidResume {
373 t.Fatalf("Subsequent connection unexpectedly didn't resume")
375 if cs.VerifiedChains == nil {
376 t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i)
378 if err := c.VerifyHostname("www.google.com"); err != nil {
379 t.Fatalf("verify www.google.com #%d: %v", i, err)
385 func TestConnCloseBreakingWrite(t *testing.T) {
386 ln := newLocalListener(t)
389 srvCh := make(chan *Conn, 1)
394 sconn, err = ln.Accept()
400 serverConfig := testConfig.Clone()
401 srv := Server(sconn, serverConfig)
402 if err := srv.Handshake(); err != nil {
403 serr = fmt.Errorf("handshake: %v", err)
410 cconn, err := net.Dial("tcp", ln.Addr().String())
416 conn := &changeImplConn{
420 clientConfig := testConfig.Clone()
421 tconn := Client(conn, clientConfig)
422 if err := tconn.Handshake(); err != nil {
432 connClosed := make(chan struct{})
433 conn.closeFunc = func() error {
438 inWrite := make(chan bool, 1)
439 var errConnClosed = errors.New("conn closed for test")
440 conn.writeFunc = func(p []byte) (n int, err error) {
443 return 0, errConnClosed
446 closeReturned := make(chan bool, 1)
449 tconn.Close() // test that this doesn't block forever.
450 closeReturned <- true
453 _, err = tconn.Write([]byte("foo"))
454 if err != errConnClosed {
455 t.Errorf("Write error = %v; want errConnClosed", err)
459 if err := tconn.Close(); err != errClosed {
460 t.Errorf("Close error = %v; want errClosed", err)
464 func TestConnCloseWrite(t *testing.T) {
465 ln := newLocalListener(t)
468 clientDoneChan := make(chan struct{})
470 serverCloseWrite := func() error {
471 sconn, err := ln.Accept()
473 return fmt.Errorf("accept: %v", err)
477 serverConfig := testConfig.Clone()
478 srv := Server(sconn, serverConfig)
479 if err := srv.Handshake(); err != nil {
480 return fmt.Errorf("handshake: %v", err)
484 data, err := ioutil.ReadAll(srv)
489 return fmt.Errorf("Read data = %q; want nothing", data)
492 if err := srv.CloseWrite(); err != nil {
493 return fmt.Errorf("server CloseWrite: %v", err)
496 // Wait for clientCloseWrite to finish, so we know we
497 // tested the CloseWrite before we defer the
498 // sconn.Close above, which would also cause the
499 // client to unblock like CloseWrite.
504 clientCloseWrite := func() error {
505 defer close(clientDoneChan)
507 clientConfig := testConfig.Clone()
508 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
512 if err := conn.Handshake(); err != nil {
517 if err := conn.CloseWrite(); err != nil {
518 return fmt.Errorf("client CloseWrite: %v", err)
521 if _, err := conn.Write([]byte{0}); err != errShutdown {
522 return fmt.Errorf("CloseWrite error = %v; want errShutdown", err)
525 data, err := ioutil.ReadAll(conn)
530 return fmt.Errorf("Read data = %q; want nothing", data)
535 errChan := make(chan error, 2)
537 go func() { errChan <- serverCloseWrite() }()
538 go func() { errChan <- clientCloseWrite() }()
540 for i := 0; i < 2; i++ {
542 case err := <-errChan:
546 case <-time.After(10 * time.Second):
551 // Also test CloseWrite being called before the handshake is
554 ln2 := newLocalListener(t)
557 netConn, err := net.Dial("tcp", ln2.Addr().String())
561 defer netConn.Close()
562 conn := Client(netConn, testConfig.Clone())
564 if err := conn.CloseWrite(); err != errEarlyCloseWrite {
565 t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
570 func TestWarningAlertFlood(t *testing.T) {
571 ln := newLocalListener(t)
574 server := func() error {
575 sconn, err := ln.Accept()
577 return fmt.Errorf("accept: %v", err)
581 serverConfig := testConfig.Clone()
582 srv := Server(sconn, serverConfig)
583 if err := srv.Handshake(); err != nil {
584 return fmt.Errorf("handshake: %v", err)
588 _, err = ioutil.ReadAll(srv)
590 return errors.New("unexpected lack of error from server")
592 const expected = "too many ignored"
593 if str := err.Error(); !strings.Contains(str, expected) {
594 return fmt.Errorf("expected error containing %q, but saw: %s", expected, str)
600 errChan := make(chan error, 1)
601 go func() { errChan <- server() }()
603 clientConfig := testConfig.Clone()
604 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
609 if err := conn.Handshake(); err != nil {
613 for i := 0; i < maxUselessRecords+1; i++ {
614 conn.sendAlert(alertNoRenegotiation)
617 if err := <-errChan; err != nil {
622 func TestCloneFuncFields(t *testing.T) {
623 const expectedCount = 5
627 Time: func() time.Time {
631 GetCertificate: func(*ClientHelloInfo) (*Certificate, error) {
635 GetClientCertificate: func(*CertificateRequestInfo) (*Certificate, error) {
639 GetConfigForClient: func(*ClientHelloInfo) (*Config, error) {
643 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
652 c2.GetCertificate(nil)
653 c2.GetClientCertificate(nil)
654 c2.GetConfigForClient(nil)
655 c2.VerifyPeerCertificate(nil, nil)
657 if called != (1<<expectedCount)-1 {
658 t.Fatalf("expected %d calls but saw calls %b", expectedCount, called)
662 func TestCloneNonFuncFields(t *testing.T) {
664 v := reflect.ValueOf(&c1).Elem()
667 for i := 0; i < typ.NumField(); i++ {
670 // unexported field; not cloned.
674 // testing/quick can't handle functions or interfaces and so
676 switch fn := typ.Field(i).Name; fn {
678 f.Set(reflect.ValueOf(io.Reader(os.Stdin)))
679 case "Time", "GetCertificate", "GetConfigForClient", "VerifyPeerCertificate", "GetClientCertificate":
680 // DeepEqual can't compare functions. If you add a
681 // function field to this list, you must also change
682 // TestCloneFuncFields to ensure that the func field is
685 f.Set(reflect.ValueOf([]Certificate{
686 {Certificate: [][]byte{{'b'}}},
688 case "NameToCertificate":
689 f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil}))
690 case "RootCAs", "ClientCAs":
691 f.Set(reflect.ValueOf(x509.NewCertPool()))
692 case "ClientSessionCache":
693 f.Set(reflect.ValueOf(NewLRUClientSessionCache(10)))
695 f.Set(reflect.ValueOf(io.Writer(os.Stdout)))
697 f.Set(reflect.ValueOf([]string{"a", "b"}))
699 f.Set(reflect.ValueOf("b"))
701 f.Set(reflect.ValueOf(VerifyClientCertIfGiven))
702 case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites":
703 f.Set(reflect.ValueOf(true))
704 case "MinVersion", "MaxVersion":
705 f.Set(reflect.ValueOf(uint16(VersionTLS12)))
706 case "SessionTicketKey":
707 f.Set(reflect.ValueOf([32]byte{}))
709 f.Set(reflect.ValueOf([]uint16{1, 2}))
710 case "CurvePreferences":
711 f.Set(reflect.ValueOf([]CurveID{CurveP256}))
712 case "Renegotiation":
713 f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
715 t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
720 // DeepEqual also compares unexported fields, thus c2 needs to have run
721 // serverInit in order to be DeepEqual to c1. Cloning it and discarding
722 // the result is sufficient.
725 if !reflect.DeepEqual(&c1, c2) {
726 t.Errorf("clone failed to copy a field")
730 // changeImplConn is a net.Conn which can change its Write and Close
732 type changeImplConn struct {
734 writeFunc func([]byte) (int, error)
735 closeFunc func() error
738 func (w *changeImplConn) Write(p []byte) (n int, err error) {
739 if w.writeFunc != nil {
740 return w.writeFunc(p)
742 return w.Conn.Write(p)
745 func (w *changeImplConn) Close() error {
746 if w.closeFunc != nil {
749 return w.Conn.Close()
752 func throughput(b *testing.B, totalBytes int64, dynamicRecordSizingDisabled bool) {
753 ln := newLocalListener(b)
758 // Less than 64KB because Windows appears to use a TCP rwin < 64KB.
760 const bufsize = 32 << 10
763 buf := make([]byte, bufsize)
764 for i := 0; i < N; i++ {
765 sconn, err := ln.Accept()
767 // panic rather than synchronize to avoid benchmark overhead
768 // (cannot call b.Fatal in goroutine)
769 panic(fmt.Errorf("accept: %v", err))
771 serverConfig := testConfig.Clone()
772 serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers
773 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
774 srv := Server(sconn, serverConfig)
775 if err := srv.Handshake(); err != nil {
776 panic(fmt.Errorf("handshake: %v", err))
778 if _, err := io.CopyBuffer(srv, srv, buf); err != nil {
779 panic(fmt.Errorf("copy buffer: %v", err))
784 b.SetBytes(totalBytes)
785 clientConfig := testConfig.Clone()
786 clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers
787 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
789 buf := make([]byte, bufsize)
790 chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf))))
791 for i := 0; i < N; i++ {
792 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
796 for j := 0; j < chunks; j++ {
797 _, err := conn.Write(buf)
801 _, err = io.ReadFull(conn, buf)
810 func BenchmarkThroughput(b *testing.B) {
811 for _, mode := range []string{"Max", "Dynamic"} {
812 for size := 1; size <= 64; size <<= 1 {
813 name := fmt.Sprintf("%sPacket/%dMB", mode, size)
814 b.Run(name, func(b *testing.B) {
815 throughput(b, int64(size<<20), mode == "Max")
821 type slowConn struct {
826 func (c *slowConn) Write(p []byte) (int, error) {
833 time.Sleep(100 * time.Microsecond)
834 allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8
835 if allowed > len(p) {
839 n, err := c.Conn.Write(p[wrote:allowed])
849 func latency(b *testing.B, bps int, dynamicRecordSizingDisabled bool) {
850 ln := newLocalListener(b)
856 for i := 0; i < N; i++ {
857 sconn, err := ln.Accept()
859 // panic rather than synchronize to avoid benchmark overhead
860 // (cannot call b.Fatal in goroutine)
861 panic(fmt.Errorf("accept: %v", err))
863 serverConfig := testConfig.Clone()
864 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
865 srv := Server(&slowConn{sconn, bps}, serverConfig)
866 if err := srv.Handshake(); err != nil {
867 panic(fmt.Errorf("handshake: %v", err))
873 clientConfig := testConfig.Clone()
874 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
876 buf := make([]byte, 16384)
877 peek := make([]byte, 1)
879 for i := 0; i < N; i++ {
880 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
884 // make sure we're connected and previous connection has stopped
885 if _, err := conn.Write(buf[:1]); err != nil {
888 if _, err := io.ReadFull(conn, peek); err != nil {
891 if _, err := conn.Write(buf); err != nil {
894 if _, err = io.ReadFull(conn, peek); err != nil {
901 func BenchmarkLatency(b *testing.B) {
902 for _, mode := range []string{"Max", "Dynamic"} {
903 for _, kbps := range []int{200, 500, 1000, 2000, 5000} {
904 name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps)
905 b.Run(name, func(b *testing.B) {
906 latency(b, kbps*1000, mode == "Max")
912 func TestConnectionStateMarshal(t *testing.T) {
913 cs := &ConnectionState{}
914 _, err := json.Marshal(cs)
916 t.Errorf("json.Marshal failed on ConnectionState: %v", err)
920 func TestConnectionState(t *testing.T) {
921 issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
925 rootCAs := x509.NewCertPool()
926 rootCAs.AddCert(issuer)
928 now := func() time.Time { return time.Unix(1476984729, 0) }
930 const alpnProtocol = "golang"
931 const serverName = "example.golang"
932 var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
933 var ocsp = []byte("dummy ocsp")
935 for _, v := range []uint16{VersionTLS12, VersionTLS13} {
943 t.Run(name, func(t *testing.T) {
947 Certificates: make([]Certificate, 1),
951 ClientAuth: RequireAndVerifyClientCert,
952 NextProtos: []string{alpnProtocol},
953 ServerName: serverName,
955 config.Certificates[0].Certificate = [][]byte{testRSACertificate}
956 config.Certificates[0].PrivateKey = testRSAPrivateKey
957 config.Certificates[0].SignedCertificateTimestamps = scts
958 config.Certificates[0].OCSPStaple = ocsp
960 ss, cs, err := testHandshake(t, config, config)
962 t.Fatalf("Handshake failed: %v", err)
965 if ss.Version != v || cs.Version != v {
966 t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v)
969 if !ss.HandshakeComplete || !cs.HandshakeComplete {
970 t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete)
973 if ss.DidResume || cs.DidResume {
974 t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume)
977 if ss.CipherSuite == 0 || cs.CipherSuite == 0 {
978 t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite)
981 if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol {
982 t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol)
985 if !cs.NegotiatedProtocolIsMutual {
986 t.Errorf("Got false NegotiatedProtocolIsMutual on the client side")
988 // NegotiatedProtocolIsMutual on the server side is unspecified.
990 if ss.ServerName != serverName {
991 t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName)
993 if cs.ServerName != "" {
994 t.Errorf("Got unexpected server name on the client side")
997 if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 {
998 t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1)
1001 if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 {
1002 t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1)
1003 } else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 {
1004 t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2)
1007 if len(cs.SignedCertificateTimestamps) != 2 {
1008 t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2)
1010 if !bytes.Equal(cs.OCSPResponse, ocsp) {
1011 t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp)
1013 // Only TLS 1.3 supports OCSP and SCTs on client certs.
1014 if v == VersionTLS13 {
1015 if len(ss.SignedCertificateTimestamps) != 2 {
1016 t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2)
1018 if !bytes.Equal(ss.OCSPResponse, ocsp) {
1019 t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp)
1023 if v == VersionTLS13 {
1024 if ss.TLSUnique != nil || cs.TLSUnique != nil {
1025 t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique)
1028 if ss.TLSUnique == nil || cs.TLSUnique == nil {
1029 t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique)