1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
27 var rsaCertPEM = `-----BEGIN CERTIFICATE-----
28 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
29 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
30 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
31 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
32 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
33 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
34 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
35 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
36 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
37 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
38 -----END CERTIFICATE-----
41 var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
42 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
43 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
44 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
45 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
46 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
47 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
48 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
49 -----END RSA TESTING KEY-----
52 // keyPEM is the same as rsaKeyPEM, but declares itself as just
53 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477
54 var keyPEM = testingKey(`-----BEGIN TESTING KEY-----
55 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
56 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
57 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
58 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
59 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
60 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
61 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
62 -----END TESTING KEY-----
65 var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
66 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
67 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
68 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
69 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
70 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
71 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
72 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
73 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
74 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
75 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
76 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
77 -----END CERTIFICATE-----
80 var ecdsaKeyPEM = testingKey(`-----BEGIN EC PARAMETERS-----
82 -----END EC PARAMETERS-----
83 -----BEGIN EC TESTING KEY-----
84 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
85 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
86 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
87 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
88 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
89 -----END EC TESTING KEY-----
92 var keyPairTests = []struct {
97 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
98 {"RSA", rsaCertPEM, rsaKeyPEM},
99 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
102 func TestX509KeyPair(t *testing.T) {
105 for _, test := range keyPairTests {
106 pem = []byte(test.cert + test.key)
107 if _, err := X509KeyPair(pem, pem); err != nil {
108 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
110 pem = []byte(test.key + test.cert)
111 if _, err := X509KeyPair(pem, pem); err != nil {
112 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
117 func TestX509KeyPairErrors(t *testing.T) {
118 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))
120 t.Fatalf("X509KeyPair didn't return an error when arguments were switched")
122 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {
123 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)
126 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))
128 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")
130 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {
131 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)
134 const nonsensePEM = `
135 -----BEGIN NONSENSE-----
137 -----END NONSENSE-----
140 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))
142 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")
144 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {
145 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)
149 func TestX509MixedKeyPair(t *testing.T) {
150 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
151 t.Error("Load of RSA certificate succeeded with ECDSA private key")
153 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
154 t.Error("Load of ECDSA certificate succeeded with RSA private key")
158 func newLocalListener(t testing.TB) net.Listener {
159 ln, err := net.Listen("tcp", "127.0.0.1:0")
161 ln, err = net.Listen("tcp6", "[::1]:0")
169 func TestDialTimeout(t *testing.T) {
171 t.Skip("skipping in short mode")
174 timeout := 100 * time.Microsecond
176 acceptc := make(chan net.Conn)
177 listener := newLocalListener(t)
180 conn, err := listener.Accept()
189 addr := listener.Addr().String()
190 dialer := &net.Dialer{
193 if conn, err := DialWithDialer(dialer, "tcp", addr, nil); err == nil {
195 t.Errorf("DialWithTimeout unexpectedly completed successfully")
196 } else if !isTimeoutError(err) {
197 t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err)
202 // We're looking for a timeout during the handshake, so check that the
203 // Listener actually accepted the connection to initiate it. (If the server
204 // takes too long to accept the connection, we might cancel before the
205 // underlying net.Conn is ever dialed — without ever attempting a
207 lconn, ok := <-acceptc
209 // The Listener accepted a connection, so assume that it was from our
210 // Dial: we triggered the timeout at the point where we wanted it!
211 t.Logf("Listener accepted a connection from %s", lconn.RemoteAddr())
214 // Close any spurious extra connecitions from the listener. (This is
215 // possible if there are, for example, stray Dial calls from other tests.)
216 for extraConn := range acceptc {
217 t.Logf("spurious extra connection from %s", extraConn.RemoteAddr())
224 t.Logf("with timeout %v, DialWithDialer returned before listener accepted any connections; retrying", timeout)
229 func TestDeadlineOnWrite(t *testing.T) {
231 t.Skip("skipping in short mode")
234 ln := newLocalListener(t)
237 srvCh := make(chan *Conn, 1)
240 sconn, err := ln.Accept()
245 srv := Server(sconn, testConfig.Clone())
246 if err := srv.Handshake(); err != nil {
253 clientConfig := testConfig.Clone()
254 clientConfig.MaxVersion = VersionTLS12
255 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
266 // Make sure the client/server is setup correctly and is able to do a typical Write/Read
267 buf := make([]byte, 6)
268 if _, err := srv.Write([]byte("foobar")); err != nil {
269 t.Errorf("Write err: %v", err)
271 if n, err := conn.Read(buf); n != 6 || err != nil || string(buf) != "foobar" {
272 t.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
275 // Set a deadline which should cause Write to timeout
276 if err = srv.SetDeadline(time.Now()); err != nil {
277 t.Fatalf("SetDeadline(time.Now()) err: %v", err)
279 if _, err = srv.Write([]byte("should fail")); err == nil {
280 t.Fatal("Write should have timed out")
283 // Clear deadline and make sure it still times out
284 if err = srv.SetDeadline(time.Time{}); err != nil {
285 t.Fatalf("SetDeadline(time.Time{}) err: %v", err)
287 if _, err = srv.Write([]byte("This connection is permanently broken")); err == nil {
288 t.Fatal("Write which previously failed should still time out")
292 if ne := err.(net.Error); ne.Temporary() != false {
293 t.Error("Write timed out but incorrectly classified the error as Temporary")
295 if !isTimeoutError(err) {
296 t.Error("Write timed out but did not classify the error as a Timeout")
300 type readerFunc func([]byte) (int, error)
302 func (f readerFunc) Read(b []byte) (int, error) { return f(b) }
304 // TestDialer tests that tls.Dialer.DialContext can abort in the middle of a handshake.
305 // (The other cases are all handled by the existing dial tests in this package, which
306 // all also flow through the same code shared code paths)
307 func TestDialer(t *testing.T) {
308 ln := newLocalListener(t)
311 unblockServer := make(chan struct{}) // close-only
312 defer close(unblockServer)
314 conn, err := ln.Accept()
322 ctx, cancel := context.WithCancel(context.Background())
323 d := Dialer{Config: &Config{
324 Rand: readerFunc(func(b []byte) (n int, err error) {
325 // By the time crypto/tls wants randomness, that means it has a TCP
326 // connection, so we're past the Dialer's dial and now blocked
327 // in a handshake. Cancel our context and see if we get unstuck.
328 // (Our TCP listener above never reads or writes, so the Handshake
329 // would otherwise be stuck forever)
335 _, err := d.DialContext(ctx, "tcp", ln.Addr().String())
336 if err != context.Canceled {
337 t.Errorf("err = %v; want context.Canceled", err)
341 func isTimeoutError(err error) bool {
342 if ne, ok := err.(net.Error); ok {
348 // tests that Conn.Read returns (non-zero, io.EOF) instead of
349 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right
350 // behind the application data in the buffer.
351 func TestConnReadNonzeroAndEOF(t *testing.T) {
352 // This test is racy: it assumes that after a write to a
353 // localhost TCP connection, the peer TCP connection can
354 // immediately read it. Because it's racy, we skip this test
355 // in short mode, and then retry it several times with an
356 // increasing sleep in between our final write (via srv.Close
357 // below) and the following read.
359 t.Skip("skipping in short mode")
362 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
363 if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
370 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
371 ln := newLocalListener(t)
374 srvCh := make(chan *Conn, 1)
377 sconn, err := ln.Accept()
383 serverConfig := testConfig.Clone()
384 srv := Server(sconn, serverConfig)
385 if err := srv.Handshake(); err != nil {
386 serr = fmt.Errorf("handshake: %v", err)
393 clientConfig := testConfig.Clone()
394 // In TLS 1.3, alerts are encrypted and disguised as application data, so
395 // the opportunistic peek won't work.
396 clientConfig.MaxVersion = VersionTLS12
397 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
408 buf := make([]byte, 6)
410 srv.Write([]byte("foobar"))
411 n, err := conn.Read(buf)
412 if n != 6 || err != nil || string(buf) != "foobar" {
413 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
416 srv.Write([]byte("abcdef"))
419 n, err = conn.Read(buf)
420 if n != 6 || string(buf) != "abcdef" {
421 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
424 return fmt.Errorf("Second Read error = %v; want io.EOF", err)
429 func TestTLSUniqueMatches(t *testing.T) {
430 ln := newLocalListener(t)
433 serverTLSUniques := make(chan []byte)
434 parentDone := make(chan struct{})
435 childDone := make(chan struct{})
436 defer close(parentDone)
438 defer close(childDone)
439 for i := 0; i < 2; i++ {
440 sconn, err := ln.Accept()
445 serverConfig := testConfig.Clone()
446 serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3
447 srv := Server(sconn, serverConfig)
448 if err := srv.Handshake(); err != nil {
455 case serverTLSUniques <- srv.ConnectionState().TLSUnique:
460 clientConfig := testConfig.Clone()
461 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
462 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
467 var serverTLSUniquesValue []byte
471 case serverTLSUniquesValue = <-serverTLSUniques:
474 if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
475 t.Error("client and server channel bindings differ")
479 conn, err = Dial("tcp", ln.Addr().String(), clientConfig)
484 if !conn.ConnectionState().DidResume {
485 t.Error("second session did not use resumption")
491 case serverTLSUniquesValue = <-serverTLSUniques:
494 if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
495 t.Error("client and server channel bindings differ when session resumption is used")
499 func TestVerifyHostname(t *testing.T) {
500 testenv.MustHaveExternalNetwork(t)
502 c, err := Dial("tcp", "www.google.com:https", nil)
506 if err := c.VerifyHostname("www.google.com"); err != nil {
507 t.Fatalf("verify www.google.com: %v", err)
509 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
510 t.Fatalf("verify www.yahoo.com succeeded")
513 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
517 if err := c.VerifyHostname("www.google.com"); err == nil {
518 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
522 func TestConnCloseBreakingWrite(t *testing.T) {
523 ln := newLocalListener(t)
526 srvCh := make(chan *Conn, 1)
531 sconn, err = ln.Accept()
537 serverConfig := testConfig.Clone()
538 srv := Server(sconn, serverConfig)
539 if err := srv.Handshake(); err != nil {
540 serr = fmt.Errorf("handshake: %v", err)
547 cconn, err := net.Dial("tcp", ln.Addr().String())
553 conn := &changeImplConn{
557 clientConfig := testConfig.Clone()
558 tconn := Client(conn, clientConfig)
559 if err := tconn.Handshake(); err != nil {
569 connClosed := make(chan struct{})
570 conn.closeFunc = func() error {
575 inWrite := make(chan bool, 1)
576 var errConnClosed = errors.New("conn closed for test")
577 conn.writeFunc = func(p []byte) (n int, err error) {
580 return 0, errConnClosed
583 closeReturned := make(chan bool, 1)
586 tconn.Close() // test that this doesn't block forever.
587 closeReturned <- true
590 _, err = tconn.Write([]byte("foo"))
591 if err != errConnClosed {
592 t.Errorf("Write error = %v; want errConnClosed", err)
596 if err := tconn.Close(); err != net.ErrClosed {
597 t.Errorf("Close error = %v; want net.ErrClosed", err)
601 func TestConnCloseWrite(t *testing.T) {
602 ln := newLocalListener(t)
605 clientDoneChan := make(chan struct{})
607 serverCloseWrite := func() error {
608 sconn, err := ln.Accept()
610 return fmt.Errorf("accept: %v", err)
614 serverConfig := testConfig.Clone()
615 srv := Server(sconn, serverConfig)
616 if err := srv.Handshake(); err != nil {
617 return fmt.Errorf("handshake: %v", err)
621 data, err := io.ReadAll(srv)
626 return fmt.Errorf("Read data = %q; want nothing", data)
629 if err := srv.CloseWrite(); err != nil {
630 return fmt.Errorf("server CloseWrite: %v", err)
633 // Wait for clientCloseWrite to finish, so we know we
634 // tested the CloseWrite before we defer the
635 // sconn.Close above, which would also cause the
636 // client to unblock like CloseWrite.
641 clientCloseWrite := func() error {
642 defer close(clientDoneChan)
644 clientConfig := testConfig.Clone()
645 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
649 if err := conn.Handshake(); err != nil {
654 if err := conn.CloseWrite(); err != nil {
655 return fmt.Errorf("client CloseWrite: %v", err)
658 if _, err := conn.Write([]byte{0}); err != errShutdown {
659 return fmt.Errorf("CloseWrite error = %v; want errShutdown", err)
662 data, err := io.ReadAll(conn)
667 return fmt.Errorf("Read data = %q; want nothing", data)
672 errChan := make(chan error, 2)
674 go func() { errChan <- serverCloseWrite() }()
675 go func() { errChan <- clientCloseWrite() }()
677 for i := 0; i < 2; i++ {
679 case err := <-errChan:
683 case <-time.After(10 * time.Second):
688 // Also test CloseWrite being called before the handshake is
691 ln2 := newLocalListener(t)
694 netConn, err := net.Dial("tcp", ln2.Addr().String())
698 defer netConn.Close()
699 conn := Client(netConn, testConfig.Clone())
701 if err := conn.CloseWrite(); err != errEarlyCloseWrite {
702 t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
707 func TestWarningAlertFlood(t *testing.T) {
708 ln := newLocalListener(t)
711 server := func() error {
712 sconn, err := ln.Accept()
714 return fmt.Errorf("accept: %v", err)
718 serverConfig := testConfig.Clone()
719 srv := Server(sconn, serverConfig)
720 if err := srv.Handshake(); err != nil {
721 return fmt.Errorf("handshake: %v", err)
725 _, err = io.ReadAll(srv)
727 return errors.New("unexpected lack of error from server")
729 const expected = "too many ignored"
730 if str := err.Error(); !strings.Contains(str, expected) {
731 return fmt.Errorf("expected error containing %q, but saw: %s", expected, str)
737 errChan := make(chan error, 1)
738 go func() { errChan <- server() }()
740 clientConfig := testConfig.Clone()
741 clientConfig.MaxVersion = VersionTLS12 // there are no warning alerts in TLS 1.3
742 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
747 if err := conn.Handshake(); err != nil {
751 for i := 0; i < maxUselessRecords+1; i++ {
752 conn.sendAlert(alertNoRenegotiation)
755 if err := <-errChan; err != nil {
760 func TestCloneFuncFields(t *testing.T) {
761 const expectedCount = 8
765 Time: func() time.Time {
769 GetCertificate: func(*ClientHelloInfo) (*Certificate, error) {
773 GetClientCertificate: func(*CertificateRequestInfo) (*Certificate, error) {
777 GetConfigForClient: func(*ClientHelloInfo) (*Config, error) {
781 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
785 VerifyConnection: func(ConnectionState) error {
789 UnwrapSession: func(identity []byte, cs ConnectionState) (*SessionState, error) {
793 WrapSession: func(cs ConnectionState, ss *SessionState) ([]byte, error) {
802 c2.GetCertificate(nil)
803 c2.GetClientCertificate(nil)
804 c2.GetConfigForClient(nil)
805 c2.VerifyPeerCertificate(nil, nil)
806 c2.VerifyConnection(ConnectionState{})
807 c2.UnwrapSession(nil, ConnectionState{})
808 c2.WrapSession(ConnectionState{}, nil)
810 if called != (1<<expectedCount)-1 {
811 t.Fatalf("expected %d calls but saw calls %b", expectedCount, called)
815 func TestCloneNonFuncFields(t *testing.T) {
817 v := reflect.ValueOf(&c1).Elem()
820 for i := 0; i < typ.NumField(); i++ {
822 // testing/quick can't handle functions or interfaces and so
824 switch fn := typ.Field(i).Name; fn {
826 f.Set(reflect.ValueOf(io.Reader(os.Stdin)))
827 case "Time", "GetCertificate", "GetConfigForClient", "VerifyPeerCertificate", "VerifyConnection", "GetClientCertificate", "WrapSession", "UnwrapSession":
828 // DeepEqual can't compare functions. If you add a
829 // function field to this list, you must also change
830 // TestCloneFuncFields to ensure that the func field is
833 f.Set(reflect.ValueOf([]Certificate{
834 {Certificate: [][]byte{{'b'}}},
836 case "NameToCertificate":
837 f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil}))
838 case "RootCAs", "ClientCAs":
839 f.Set(reflect.ValueOf(x509.NewCertPool()))
840 case "ClientSessionCache":
841 f.Set(reflect.ValueOf(NewLRUClientSessionCache(10)))
843 f.Set(reflect.ValueOf(io.Writer(os.Stdout)))
845 f.Set(reflect.ValueOf([]string{"a", "b"}))
847 f.Set(reflect.ValueOf("b"))
849 f.Set(reflect.ValueOf(VerifyClientCertIfGiven))
850 case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites":
851 f.Set(reflect.ValueOf(true))
852 case "MinVersion", "MaxVersion":
853 f.Set(reflect.ValueOf(uint16(VersionTLS12)))
854 case "SessionTicketKey":
855 f.Set(reflect.ValueOf([32]byte{}))
857 f.Set(reflect.ValueOf([]uint16{1, 2}))
858 case "CurvePreferences":
859 f.Set(reflect.ValueOf([]CurveID{CurveP256}))
860 case "Renegotiation":
861 f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
862 case "mutex", "autoSessionTicketKeys", "sessionTicketKeys":
863 continue // these are unexported fields that are handled separately
865 t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
868 // Set the unexported fields related to session ticket keys, which are copied with Clone().
869 c1.autoSessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)}
870 c1.sessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)}
873 if !reflect.DeepEqual(&c1, c2) {
874 t.Errorf("clone failed to copy a field")
878 func TestCloneNilConfig(t *testing.T) {
880 if cc := config.Clone(); cc != nil {
881 t.Fatalf("Clone with nil should return nil, got: %+v", cc)
885 // changeImplConn is a net.Conn which can change its Write and Close
887 type changeImplConn struct {
889 writeFunc func([]byte) (int, error)
890 closeFunc func() error
893 func (w *changeImplConn) Write(p []byte) (n int, err error) {
894 if w.writeFunc != nil {
895 return w.writeFunc(p)
897 return w.Conn.Write(p)
900 func (w *changeImplConn) Close() error {
901 if w.closeFunc != nil {
904 return w.Conn.Close()
907 func throughput(b *testing.B, version uint16, totalBytes int64, dynamicRecordSizingDisabled bool) {
908 ln := newLocalListener(b)
913 // Less than 64KB because Windows appears to use a TCP rwin < 64KB.
915 const bufsize = 32 << 10
918 buf := make([]byte, bufsize)
919 for i := 0; i < N; i++ {
920 sconn, err := ln.Accept()
922 // panic rather than synchronize to avoid benchmark overhead
923 // (cannot call b.Fatal in goroutine)
924 panic(fmt.Errorf("accept: %v", err))
926 serverConfig := testConfig.Clone()
927 serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers
928 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
929 srv := Server(sconn, serverConfig)
930 if err := srv.Handshake(); err != nil {
931 panic(fmt.Errorf("handshake: %v", err))
933 if _, err := io.CopyBuffer(srv, srv, buf); err != nil {
934 panic(fmt.Errorf("copy buffer: %v", err))
939 b.SetBytes(totalBytes)
940 clientConfig := testConfig.Clone()
941 clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers
942 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
943 clientConfig.MaxVersion = version
945 buf := make([]byte, bufsize)
946 chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf))))
947 for i := 0; i < N; i++ {
948 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
952 for j := 0; j < chunks; j++ {
953 _, err := conn.Write(buf)
957 _, err = io.ReadFull(conn, buf)
966 func BenchmarkThroughput(b *testing.B) {
967 for _, mode := range []string{"Max", "Dynamic"} {
968 for size := 1; size <= 64; size <<= 1 {
969 name := fmt.Sprintf("%sPacket/%dMB", mode, size)
970 b.Run(name, func(b *testing.B) {
971 b.Run("TLSv12", func(b *testing.B) {
972 throughput(b, VersionTLS12, int64(size<<20), mode == "Max")
974 b.Run("TLSv13", func(b *testing.B) {
975 throughput(b, VersionTLS13, int64(size<<20), mode == "Max")
982 type slowConn struct {
987 func (c *slowConn) Write(p []byte) (int, error) {
994 time.Sleep(100 * time.Microsecond)
995 allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8
996 if allowed > len(p) {
1000 n, err := c.Conn.Write(p[wrote:allowed])
1010 func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled bool) {
1011 ln := newLocalListener(b)
1017 for i := 0; i < N; i++ {
1018 sconn, err := ln.Accept()
1020 // panic rather than synchronize to avoid benchmark overhead
1021 // (cannot call b.Fatal in goroutine)
1022 panic(fmt.Errorf("accept: %v", err))
1024 serverConfig := testConfig.Clone()
1025 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
1026 srv := Server(&slowConn{sconn, bps}, serverConfig)
1027 if err := srv.Handshake(); err != nil {
1028 panic(fmt.Errorf("handshake: %v", err))
1034 clientConfig := testConfig.Clone()
1035 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
1036 clientConfig.MaxVersion = version
1038 buf := make([]byte, 16384)
1039 peek := make([]byte, 1)
1041 for i := 0; i < N; i++ {
1042 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
1046 // make sure we're connected and previous connection has stopped
1047 if _, err := conn.Write(buf[:1]); err != nil {
1050 if _, err := io.ReadFull(conn, peek); err != nil {
1053 if _, err := conn.Write(buf); err != nil {
1056 if _, err = io.ReadFull(conn, peek); err != nil {
1063 func BenchmarkLatency(b *testing.B) {
1064 for _, mode := range []string{"Max", "Dynamic"} {
1065 for _, kbps := range []int{200, 500, 1000, 2000, 5000} {
1066 name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps)
1067 b.Run(name, func(b *testing.B) {
1068 b.Run("TLSv12", func(b *testing.B) {
1069 latency(b, VersionTLS12, kbps*1000, mode == "Max")
1071 b.Run("TLSv13", func(b *testing.B) {
1072 latency(b, VersionTLS13, kbps*1000, mode == "Max")
1079 func TestConnectionStateMarshal(t *testing.T) {
1080 cs := &ConnectionState{}
1081 _, err := json.Marshal(cs)
1083 t.Errorf("json.Marshal failed on ConnectionState: %v", err)
1087 func TestConnectionState(t *testing.T) {
1088 issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
1092 rootCAs := x509.NewCertPool()
1093 rootCAs.AddCert(issuer)
1095 now := func() time.Time { return time.Unix(1476984729, 0) }
1097 const alpnProtocol = "golang"
1098 const serverName = "example.golang"
1099 var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
1100 var ocsp = []byte("dummy ocsp")
1102 for _, v := range []uint16{VersionTLS12, VersionTLS13} {
1110 t.Run(name, func(t *testing.T) {
1114 Certificates: make([]Certificate, 1),
1118 ClientAuth: RequireAndVerifyClientCert,
1119 NextProtos: []string{alpnProtocol},
1120 ServerName: serverName,
1122 config.Certificates[0].Certificate = [][]byte{testRSACertificate}
1123 config.Certificates[0].PrivateKey = testRSAPrivateKey
1124 config.Certificates[0].SignedCertificateTimestamps = scts
1125 config.Certificates[0].OCSPStaple = ocsp
1127 ss, cs, err := testHandshake(t, config, config)
1129 t.Fatalf("Handshake failed: %v", err)
1132 if ss.Version != v || cs.Version != v {
1133 t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v)
1136 if !ss.HandshakeComplete || !cs.HandshakeComplete {
1137 t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete)
1140 if ss.DidResume || cs.DidResume {
1141 t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume)
1144 if ss.CipherSuite == 0 || cs.CipherSuite == 0 {
1145 t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite)
1148 if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol {
1149 t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol)
1152 if !cs.NegotiatedProtocolIsMutual {
1153 t.Errorf("Got false NegotiatedProtocolIsMutual on the client side")
1155 // NegotiatedProtocolIsMutual on the server side is unspecified.
1157 if ss.ServerName != serverName {
1158 t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName)
1160 if cs.ServerName != serverName {
1161 t.Errorf("Got server name on client connection %q, expected %q", cs.ServerName, serverName)
1164 if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 {
1165 t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1)
1168 if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 {
1169 t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1)
1170 } else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 {
1171 t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2)
1174 if len(cs.SignedCertificateTimestamps) != 2 {
1175 t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2)
1177 if !bytes.Equal(cs.OCSPResponse, ocsp) {
1178 t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp)
1180 // Only TLS 1.3 supports OCSP and SCTs on client certs.
1181 if v == VersionTLS13 {
1182 if len(ss.SignedCertificateTimestamps) != 2 {
1183 t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2)
1185 if !bytes.Equal(ss.OCSPResponse, ocsp) {
1186 t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp)
1190 if v == VersionTLS13 {
1191 if ss.TLSUnique != nil || cs.TLSUnique != nil {
1192 t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique)
1195 if ss.TLSUnique == nil || cs.TLSUnique == nil {
1196 t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique)
1203 // Issue 28744: Ensure that we don't modify memory
1204 // that Config doesn't own such as Certificates.
1205 func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {
1207 Certificate: [][]byte{testRSACertificate},
1208 PrivateKey: testRSAPrivateKey,
1211 Certificate: [][]byte{testSNICertificate},
1212 PrivateKey: testRSAPrivateKey,
1214 config := testConfig.Clone()
1215 config.Certificates = []Certificate{c0, c1}
1217 config.BuildNameToCertificate()
1218 got := config.Certificates
1219 want := []Certificate{c0, c1}
1220 if !reflect.DeepEqual(got, want) {
1221 t.Fatalf("Certificates were mutated by BuildNameToCertificate\nGot: %#v\nWant: %#v\n", got, want)
1225 func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
1227 func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
1228 rsaCert := &Certificate{
1229 Certificate: [][]byte{testRSACertificate},
1230 PrivateKey: testRSAPrivateKey,
1232 pkcs1Cert := &Certificate{
1233 Certificate: [][]byte{testRSACertificate},
1234 PrivateKey: testRSAPrivateKey,
1235 SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256},
1237 ecdsaCert := &Certificate{
1238 // ECDSA P-256 certificate
1239 Certificate: [][]byte{testP256Certificate},
1240 PrivateKey: testP256PrivateKey,
1242 ed25519Cert := &Certificate{
1243 Certificate: [][]byte{testEd25519Certificate},
1244 PrivateKey: testEd25519PrivateKey,
1249 chi *ClientHelloInfo
1252 {rsaCert, &ClientHelloInfo{
1253 ServerName: "example.golang",
1254 SignatureSchemes: []SignatureScheme{PSSWithSHA256},
1255 SupportedVersions: []uint16{VersionTLS13},
1257 {ecdsaCert, &ClientHelloInfo{
1258 SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256},
1259 SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
1261 {rsaCert, &ClientHelloInfo{
1262 ServerName: "example.com",
1263 SignatureSchemes: []SignatureScheme{PSSWithSHA256},
1264 SupportedVersions: []uint16{VersionTLS13},
1265 }, "not valid for requested server name"},
1266 {ecdsaCert, &ClientHelloInfo{
1267 SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384},
1268 SupportedVersions: []uint16{VersionTLS13},
1269 }, "signature algorithms"},
1270 {pkcs1Cert, &ClientHelloInfo{
1271 SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256},
1272 SupportedVersions: []uint16{VersionTLS13},
1273 }, "signature algorithms"},
1275 {rsaCert, &ClientHelloInfo{
1276 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1277 SignatureSchemes: []SignatureScheme{PKCS1WithSHA1},
1278 SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
1279 }, "signature algorithms"},
1280 {rsaCert, &ClientHelloInfo{
1281 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1282 SignatureSchemes: []SignatureScheme{PKCS1WithSHA1},
1283 SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
1285 MaxVersion: VersionTLS12,
1287 }, ""}, // Check that mutual version selection works.
1289 {ecdsaCert, &ClientHelloInfo{
1290 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1291 SupportedCurves: []CurveID{CurveP256},
1292 SupportedPoints: []uint8{pointFormatUncompressed},
1293 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256},
1294 SupportedVersions: []uint16{VersionTLS12},
1296 {ecdsaCert, &ClientHelloInfo{
1297 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1298 SupportedCurves: []CurveID{CurveP256},
1299 SupportedPoints: []uint8{pointFormatUncompressed},
1300 SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384},
1301 SupportedVersions: []uint16{VersionTLS12},
1302 }, ""}, // TLS 1.2 does not restrict curves based on the SignatureScheme.
1303 {ecdsaCert, &ClientHelloInfo{
1304 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1305 SupportedCurves: []CurveID{CurveP256},
1306 SupportedPoints: []uint8{pointFormatUncompressed},
1307 SignatureSchemes: nil,
1308 SupportedVersions: []uint16{VersionTLS12},
1309 }, ""}, // TLS 1.2 comes with default signature schemes.
1310 {ecdsaCert, &ClientHelloInfo{
1311 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1312 SupportedCurves: []CurveID{CurveP256},
1313 SupportedPoints: []uint8{pointFormatUncompressed},
1314 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256},
1315 SupportedVersions: []uint16{VersionTLS12},
1317 {ecdsaCert, &ClientHelloInfo{
1318 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1319 SupportedCurves: []CurveID{CurveP256},
1320 SupportedPoints: []uint8{pointFormatUncompressed},
1321 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256},
1322 SupportedVersions: []uint16{VersionTLS12},
1324 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1327 {ecdsaCert, &ClientHelloInfo{
1328 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1329 SupportedCurves: []CurveID{CurveP384},
1330 SupportedPoints: []uint8{pointFormatUncompressed},
1331 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256},
1332 SupportedVersions: []uint16{VersionTLS12},
1333 }, "certificate curve"},
1334 {ecdsaCert, &ClientHelloInfo{
1335 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1336 SupportedCurves: []CurveID{CurveP256},
1337 SupportedPoints: []uint8{1},
1338 SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256},
1339 SupportedVersions: []uint16{VersionTLS12},
1340 }, "doesn't support ECDHE"},
1341 {ecdsaCert, &ClientHelloInfo{
1342 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1343 SupportedCurves: []CurveID{CurveP256},
1344 SupportedPoints: []uint8{pointFormatUncompressed},
1345 SignatureSchemes: []SignatureScheme{PSSWithSHA256},
1346 SupportedVersions: []uint16{VersionTLS12},
1347 }, "signature algorithms"},
1349 {ed25519Cert, &ClientHelloInfo{
1350 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1351 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support
1352 SupportedPoints: []uint8{pointFormatUncompressed},
1353 SignatureSchemes: []SignatureScheme{Ed25519},
1354 SupportedVersions: []uint16{VersionTLS12},
1356 {ed25519Cert, &ClientHelloInfo{
1357 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1358 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support
1359 SupportedPoints: []uint8{pointFormatUncompressed},
1360 SignatureSchemes: []SignatureScheme{Ed25519},
1361 SupportedVersions: []uint16{VersionTLS10},
1362 }, "doesn't support Ed25519"},
1363 {ed25519Cert, &ClientHelloInfo{
1364 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1365 SupportedCurves: []CurveID{},
1366 SupportedPoints: []uint8{pointFormatUncompressed},
1367 SignatureSchemes: []SignatureScheme{Ed25519},
1368 SupportedVersions: []uint16{VersionTLS12},
1369 }, "doesn't support ECDHE"},
1371 {rsaCert, &ClientHelloInfo{
1372 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1373 SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support
1374 SupportedPoints: []uint8{pointFormatUncompressed},
1375 SupportedVersions: []uint16{VersionTLS10},
1377 {rsaCert, &ClientHelloInfo{
1378 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1379 SupportedVersions: []uint16{VersionTLS12},
1380 }, ""}, // static RSA fallback
1382 for i, tt := range tests {
1383 err := tt.chi.SupportsCertificate(tt.c)
1385 case tt.wantErr == "" && err != nil:
1386 t.Errorf("%d: unexpected error: %v", i, err)
1387 case tt.wantErr != "" && err == nil:
1388 t.Errorf("%d: unexpected success", i)
1389 case tt.wantErr != "" && !strings.Contains(err.Error(), tt.wantErr):
1390 t.Errorf("%d: got error %q, expected %q", i, err, tt.wantErr)
1395 func TestCipherSuites(t *testing.T) {
1397 for _, c := range CipherSuites() {
1399 t.Errorf("CipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID)
1405 t.Errorf("%#04x: Insecure CipherSuite returned by CipherSuites()", c.ID)
1409 for _, c := range InsecureCipherSuites() {
1411 t.Errorf("InsecureCipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID)
1417 t.Errorf("%#04x: not Insecure CipherSuite returned by InsecureCipherSuites()", c.ID)
1421 CipherSuiteByID := func(id uint16) *CipherSuite {
1422 for _, c := range CipherSuites() {
1427 for _, c := range InsecureCipherSuites() {
1435 for _, c := range cipherSuites {
1436 cc := CipherSuiteByID(c.id)
1438 t.Errorf("%#04x: no CipherSuite entry", c.id)
1442 if tls12Only := c.flags&suiteTLS12 != 0; tls12Only && len(cc.SupportedVersions) != 1 {
1443 t.Errorf("%#04x: suite is TLS 1.2 only, but SupportedVersions is %v", c.id, cc.SupportedVersions)
1444 } else if !tls12Only && len(cc.SupportedVersions) != 3 {
1445 t.Errorf("%#04x: suite TLS 1.0-1.2, but SupportedVersions is %v", c.id, cc.SupportedVersions)
1448 if got := CipherSuiteName(c.id); got != cc.Name {
1449 t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name)
1452 for _, c := range cipherSuitesTLS13 {
1453 cc := CipherSuiteByID(c.id)
1455 t.Errorf("%#04x: no CipherSuite entry", c.id)
1460 t.Errorf("%#04x: Insecure %v, expected false", c.id, cc.Insecure)
1462 if len(cc.SupportedVersions) != 1 || cc.SupportedVersions[0] != VersionTLS13 {
1463 t.Errorf("%#04x: suite is TLS 1.3 only, but SupportedVersions is %v", c.id, cc.SupportedVersions)
1466 if got := CipherSuiteName(c.id); got != cc.Name {
1467 t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name)
1471 if got := CipherSuiteName(0xabc); got != "0x0ABC" {
1472 t.Errorf("unexpected fallback CipherSuiteName: got %q, expected 0x0ABC", got)
1475 if len(cipherSuitesPreferenceOrder) != len(cipherSuites) {
1476 t.Errorf("cipherSuitesPreferenceOrder is not the same size as cipherSuites")
1478 if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) {
1479 t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder")
1482 // Check that disabled suites are at the end of the preference lists, and
1483 // that they are marked insecure.
1484 for i, id := range disabledCipherSuites {
1485 offset := len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
1486 if cipherSuitesPreferenceOrder[offset+i] != id {
1487 t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrder", i)
1489 if cipherSuitesPreferenceOrderNoAES[offset+i] != id {
1490 t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrderNoAES", i)
1492 c := CipherSuiteByID(id)
1494 t.Errorf("%#04x: no CipherSuite entry", id)
1498 t.Errorf("%#04x: disabled by default but not marked insecure", id)
1502 for i, prefOrder := range [][]uint16{cipherSuitesPreferenceOrder, cipherSuitesPreferenceOrderNoAES} {
1503 // Check that insecure and HTTP/2 bad cipher suites are at the end of
1504 // the preference lists.
1505 var sawInsecure, sawBad bool
1506 for _, id := range prefOrder {
1507 c := CipherSuiteByID(id)
1509 t.Errorf("%#04x: no CipherSuite entry", id)
1515 } else if sawInsecure {
1516 t.Errorf("%#04x: secure suite after insecure one(s)", id)
1519 if http2isBadCipher(id) {
1522 t.Errorf("%#04x: non-bad suite after bad HTTP/2 one(s)", id)
1526 // Check that the list is sorted according to the documented criteria.
1527 isBetter := func(a, b int) bool {
1528 aSuite, bSuite := cipherSuiteByID(prefOrder[a]), cipherSuiteByID(prefOrder[b])
1529 aName, bName := CipherSuiteName(prefOrder[a]), CipherSuiteName(prefOrder[b])
1531 if !strings.Contains(aName, "RC4") && strings.Contains(bName, "RC4") {
1533 } else if strings.Contains(aName, "RC4") && !strings.Contains(bName, "RC4") {
1537 if !strings.Contains(aName, "CBC_SHA256") && strings.Contains(bName, "CBC_SHA256") {
1539 } else if strings.Contains(aName, "CBC_SHA256") && !strings.Contains(bName, "CBC_SHA256") {
1543 if !strings.Contains(aName, "3DES") && strings.Contains(bName, "3DES") {
1545 } else if strings.Contains(aName, "3DES") && !strings.Contains(bName, "3DES") {
1549 if aSuite.flags&suiteECDHE != 0 && bSuite.flags&suiteECDHE == 0 {
1551 } else if aSuite.flags&suiteECDHE == 0 && bSuite.flags&suiteECDHE != 0 {
1555 if aSuite.aead != nil && bSuite.aead == nil {
1557 } else if aSuite.aead == nil && bSuite.aead != nil {
1561 if strings.Contains(aName, "AES") && strings.Contains(bName, "CHACHA20") {
1562 return i == 0 // true for cipherSuitesPreferenceOrder
1563 } else if strings.Contains(aName, "CHACHA20") && strings.Contains(bName, "AES") {
1564 return i != 0 // true for cipherSuitesPreferenceOrderNoAES
1566 // AES-128 < AES-256
1567 if strings.Contains(aName, "AES_128") && strings.Contains(bName, "AES_256") {
1569 } else if strings.Contains(aName, "AES_256") && strings.Contains(bName, "AES_128") {
1573 if aSuite.flags&suiteECSign != 0 && bSuite.flags&suiteECSign == 0 {
1575 } else if aSuite.flags&suiteECSign == 0 && bSuite.flags&suiteECSign != 0 {
1578 t.Fatalf("two ciphersuites are equal by all criteria: %v and %v", aName, bName)
1579 panic("unreachable")
1581 if !sort.SliceIsSorted(prefOrder, isBetter) {
1582 t.Error("preference order is not sorted according to the rules")
1587 // http2isBadCipher is copied from net/http.
1588 // TODO: if it ends up exposed somewhere, use that instead.
1589 func http2isBadCipher(cipher uint16) bool {
1591 case TLS_RSA_WITH_RC4_128_SHA,
1592 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
1593 TLS_RSA_WITH_AES_128_CBC_SHA,
1594 TLS_RSA_WITH_AES_256_CBC_SHA,
1595 TLS_RSA_WITH_AES_128_CBC_SHA256,
1596 TLS_RSA_WITH_AES_128_GCM_SHA256,
1597 TLS_RSA_WITH_AES_256_GCM_SHA384,
1598 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
1599 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1600 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1601 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
1602 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
1603 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1604 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
1605 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
1606 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
1613 type brokenSigner struct{ crypto.Signer }
1615 func (s brokenSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
1616 // Replace opts with opts.HashFunc(), so rsa.PSSOptions are discarded.
1617 return s.Signer.Sign(rand, digest, opts.HashFunc())
1620 // TestPKCS1OnlyCert uses a client certificate with a broken crypto.Signer that
1621 // always makes PKCS #1 v1.5 signatures, so can't be used with RSA-PSS.
1622 func TestPKCS1OnlyCert(t *testing.T) {
1623 clientConfig := testConfig.Clone()
1624 clientConfig.Certificates = []Certificate{{
1625 Certificate: [][]byte{testRSACertificate},
1626 PrivateKey: brokenSigner{testRSAPrivateKey},
1628 serverConfig := testConfig.Clone()
1629 serverConfig.MaxVersion = VersionTLS12 // TLS 1.3 doesn't support PKCS #1 v1.5
1630 serverConfig.ClientAuth = RequireAnyClientCert
1632 // If RSA-PSS is selected, the handshake should fail.
1633 if _, _, err := testHandshake(t, clientConfig, serverConfig); err == nil {
1634 t.Fatal("expected broken certificate to cause connection to fail")
1637 clientConfig.Certificates[0].SupportedSignatureAlgorithms =
1638 []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}
1640 // But if the certificate restricts supported algorithms, RSA-PSS should not
1641 // be selected, and the handshake should succeed.
1642 if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {