1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
26 var rsaCertPEM = `-----BEGIN CERTIFICATE-----
27 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
28 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
29 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
30 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
31 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
32 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
33 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
34 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
35 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
36 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
37 -----END CERTIFICATE-----
40 var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
41 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
42 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
43 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
44 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
45 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
46 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
47 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
48 -----END RSA PRIVATE KEY-----
51 // keyPEM is the same as rsaKeyPEM, but declares itself as just
52 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477
53 var keyPEM = `-----BEGIN PRIVATE KEY-----
54 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
55 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
56 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
57 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
58 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
59 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
60 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
61 -----END PRIVATE KEY-----
64 var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
65 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
66 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
67 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
68 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
69 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
70 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
71 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
72 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
73 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
74 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
75 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
76 -----END CERTIFICATE-----
79 var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS-----
81 -----END EC PARAMETERS-----
82 -----BEGIN EC PRIVATE KEY-----
83 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
84 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
85 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
86 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
87 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
88 -----END EC PRIVATE KEY-----
91 var keyPairTests = []struct {
96 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
97 {"RSA", rsaCertPEM, rsaKeyPEM},
98 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
101 func TestX509KeyPair(t *testing.T) {
104 for _, test := range keyPairTests {
105 pem = []byte(test.cert + test.key)
106 if _, err := X509KeyPair(pem, pem); err != nil {
107 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
109 pem = []byte(test.key + test.cert)
110 if _, err := X509KeyPair(pem, pem); err != nil {
111 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
116 func TestX509KeyPairErrors(t *testing.T) {
117 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))
119 t.Fatalf("X509KeyPair didn't return an error when arguments were switched")
121 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {
122 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)
125 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))
127 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")
129 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {
130 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)
133 const nonsensePEM = `
134 -----BEGIN NONSENSE-----
136 -----END NONSENSE-----
139 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))
141 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")
143 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {
144 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)
148 func TestX509MixedKeyPair(t *testing.T) {
149 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
150 t.Error("Load of RSA certificate succeeded with ECDSA private key")
152 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
153 t.Error("Load of ECDSA certificate succeeded with RSA private key")
157 func newLocalListener(t testing.TB) net.Listener {
158 ln, err := net.Listen("tcp", "127.0.0.1:0")
160 ln, err = net.Listen("tcp6", "[::1]:0")
168 func TestDialTimeout(t *testing.T) {
170 t.Skip("skipping in short mode")
172 listener := newLocalListener(t)
174 addr := listener.Addr().String()
175 defer listener.Close()
177 complete := make(chan bool)
178 defer close(complete)
181 conn, err := listener.Accept()
190 dialer := &net.Dialer{
191 Timeout: 10 * time.Millisecond,
195 if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {
196 t.Fatal("DialWithTimeout completed successfully")
199 if !isTimeoutError(err) {
200 t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err)
204 func isTimeoutError(err error) bool {
205 if ne, ok := err.(net.Error); ok {
211 // tests that Conn.Read returns (non-zero, io.EOF) instead of
212 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right
213 // behind the application data in the buffer.
214 func TestConnReadNonzeroAndEOF(t *testing.T) {
215 // This test is racy: it assumes that after a write to a
216 // localhost TCP connection, the peer TCP connection can
217 // immediately read it. Because it's racy, we skip this test
218 // in short mode, and then retry it several times with an
219 // increasing sleep in between our final write (via srv.Close
220 // below) and the following read.
222 t.Skip("skipping in short mode")
225 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
226 if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
233 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
234 ln := newLocalListener(t)
237 srvCh := make(chan *Conn, 1)
240 sconn, err := ln.Accept()
246 serverConfig := testConfig.Clone()
247 srv := Server(sconn, serverConfig)
248 if err := srv.Handshake(); err != nil {
249 serr = fmt.Errorf("handshake: %v", err)
256 clientConfig := testConfig.Clone()
257 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
268 buf := make([]byte, 6)
270 srv.Write([]byte("foobar"))
271 n, err := conn.Read(buf)
272 if n != 6 || err != nil || string(buf) != "foobar" {
273 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
276 srv.Write([]byte("abcdef"))
279 n, err = conn.Read(buf)
280 if n != 6 || string(buf) != "abcdef" {
281 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
284 return fmt.Errorf("Second Read error = %v; want io.EOF", err)
289 func TestTLSUniqueMatches(t *testing.T) {
290 ln := newLocalListener(t)
293 serverTLSUniques := make(chan []byte)
295 for i := 0; i < 2; i++ {
296 sconn, err := ln.Accept()
301 serverConfig := testConfig.Clone()
302 srv := Server(sconn, serverConfig)
303 if err := srv.Handshake(); err != nil {
307 serverTLSUniques <- srv.ConnectionState().TLSUnique
311 clientConfig := testConfig.Clone()
312 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
313 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
317 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
318 t.Error("client and server channel bindings differ")
322 conn, err = Dial("tcp", ln.Addr().String(), clientConfig)
327 if !conn.ConnectionState().DidResume {
328 t.Error("second session did not use resumption")
330 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
331 t.Error("client and server channel bindings differ when session resumption is used")
335 func TestVerifyHostname(t *testing.T) {
336 testenv.MustHaveExternalNetwork(t)
338 c, err := Dial("tcp", "www.google.com:https", nil)
342 if err := c.VerifyHostname("www.google.com"); err != nil {
343 t.Fatalf("verify www.google.com: %v", err)
345 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
346 t.Fatalf("verify www.yahoo.com succeeded")
349 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
353 if err := c.VerifyHostname("www.google.com"); err == nil {
354 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
356 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
357 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
361 func TestVerifyHostnameResumed(t *testing.T) {
362 testenv.MustHaveExternalNetwork(t)
365 ClientSessionCache: NewLRUClientSessionCache(32),
367 for i := 0; i < 2; i++ {
368 c, err := Dial("tcp", "www.google.com:https", config)
370 t.Fatalf("Dial #%d: %v", i, err)
372 cs := c.ConnectionState()
373 if i > 0 && !cs.DidResume {
374 t.Fatalf("Subsequent connection unexpectedly didn't resume")
376 if cs.VerifiedChains == nil {
377 t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i)
379 if err := c.VerifyHostname("www.google.com"); err != nil {
380 t.Fatalf("verify www.google.com #%d: %v", i, err)
386 func TestConnCloseBreakingWrite(t *testing.T) {
387 ln := newLocalListener(t)
390 srvCh := make(chan *Conn, 1)
395 sconn, err = ln.Accept()
401 serverConfig := testConfig.Clone()
402 srv := Server(sconn, serverConfig)
403 if err := srv.Handshake(); err != nil {
404 serr = fmt.Errorf("handshake: %v", err)
411 cconn, err := net.Dial("tcp", ln.Addr().String())
417 conn := &changeImplConn{
421 clientConfig := testConfig.Clone()
422 tconn := Client(conn, clientConfig)
423 if err := tconn.Handshake(); err != nil {
433 connClosed := make(chan struct{})
434 conn.closeFunc = func() error {
439 inWrite := make(chan bool, 1)
440 var errConnClosed = errors.New("conn closed for test")
441 conn.writeFunc = func(p []byte) (n int, err error) {
444 return 0, errConnClosed
447 closeReturned := make(chan bool, 1)
450 tconn.Close() // test that this doesn't block forever.
451 closeReturned <- true
454 _, err = tconn.Write([]byte("foo"))
455 if err != errConnClosed {
456 t.Errorf("Write error = %v; want errConnClosed", err)
460 if err := tconn.Close(); err != errClosed {
461 t.Errorf("Close error = %v; want errClosed", err)
465 func TestConnCloseWrite(t *testing.T) {
466 ln := newLocalListener(t)
469 clientDoneChan := make(chan struct{})
471 serverCloseWrite := func() error {
472 sconn, err := ln.Accept()
474 return fmt.Errorf("accept: %v", err)
478 serverConfig := testConfig.Clone()
479 srv := Server(sconn, serverConfig)
480 if err := srv.Handshake(); err != nil {
481 return fmt.Errorf("handshake: %v", err)
485 data, err := ioutil.ReadAll(srv)
490 return fmt.Errorf("Read data = %q; want nothing", data)
493 if err := srv.CloseWrite(); err != nil {
494 return fmt.Errorf("server CloseWrite: %v", err)
497 // Wait for clientCloseWrite to finish, so we know we
498 // tested the CloseWrite before we defer the
499 // sconn.Close above, which would also cause the
500 // client to unblock like CloseWrite.
505 clientCloseWrite := func() error {
506 defer close(clientDoneChan)
508 clientConfig := testConfig.Clone()
509 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
513 if err := conn.Handshake(); err != nil {
518 if err := conn.CloseWrite(); err != nil {
519 return fmt.Errorf("client CloseWrite: %v", err)
522 if _, err := conn.Write([]byte{0}); err != errShutdown {
523 return fmt.Errorf("CloseWrite error = %v; want errShutdown", err)
526 data, err := ioutil.ReadAll(conn)
531 return fmt.Errorf("Read data = %q; want nothing", data)
536 errChan := make(chan error, 2)
538 go func() { errChan <- serverCloseWrite() }()
539 go func() { errChan <- clientCloseWrite() }()
541 for i := 0; i < 2; i++ {
543 case err := <-errChan:
547 case <-time.After(10 * time.Second):
552 // Also test CloseWrite being called before the handshake is
555 ln2 := newLocalListener(t)
558 netConn, err := net.Dial("tcp", ln2.Addr().String())
562 defer netConn.Close()
563 conn := Client(netConn, testConfig.Clone())
565 if err := conn.CloseWrite(); err != errEarlyCloseWrite {
566 t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
571 func TestClone(t *testing.T) {
573 v := reflect.ValueOf(&c1).Elem()
575 rnd := rand.New(rand.NewSource(time.Now().Unix()))
577 for i := 0; i < typ.NumField(); i++ {
580 // unexported field; not cloned.
584 // testing/quick can't handle functions or interfaces.
585 fn := typ.Field(i).Name
588 f.Set(reflect.ValueOf(io.Reader(os.Stdin)))
590 case "Time", "GetCertificate", "GetConfigForClient", "VerifyPeerCertificate", "GetClientCertificate":
591 // DeepEqual can't compare functions.
594 f.Set(reflect.ValueOf([]Certificate{
595 {Certificate: [][]byte{{'b'}}},
598 case "NameToCertificate":
599 f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil}))
601 case "RootCAs", "ClientCAs":
602 f.Set(reflect.ValueOf(x509.NewCertPool()))
604 case "ClientSessionCache":
605 f.Set(reflect.ValueOf(NewLRUClientSessionCache(10)))
608 f.Set(reflect.ValueOf(io.Writer(os.Stdout)))
613 q, ok := quick.Value(f.Type(), rnd)
615 t.Fatalf("quick.Value failed on field %s", fn)
621 // DeepEqual also compares unexported fields, thus c2 needs to have run
622 // serverInit in order to be DeepEqual to c1. Cloning it and discarding
623 // the result is sufficient.
626 if !reflect.DeepEqual(&c1, c2) {
627 t.Errorf("clone failed to copy a field")
631 // changeImplConn is a net.Conn which can change its Write and Close
633 type changeImplConn struct {
635 writeFunc func([]byte) (int, error)
636 closeFunc func() error
639 func (w *changeImplConn) Write(p []byte) (n int, err error) {
640 if w.writeFunc != nil {
641 return w.writeFunc(p)
643 return w.Conn.Write(p)
646 func (w *changeImplConn) Close() error {
647 if w.closeFunc != nil {
650 return w.Conn.Close()
653 func throughput(b *testing.B, totalBytes int64, dynamicRecordSizingDisabled bool) {
654 ln := newLocalListener(b)
659 // Less than 64KB because Windows appears to use a TCP rwin < 64KB.
661 const bufsize = 32 << 10
664 buf := make([]byte, bufsize)
665 for i := 0; i < N; i++ {
666 sconn, err := ln.Accept()
668 // panic rather than synchronize to avoid benchmark overhead
669 // (cannot call b.Fatal in goroutine)
670 panic(fmt.Errorf("accept: %v", err))
672 serverConfig := testConfig.Clone()
673 serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers
674 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
675 srv := Server(sconn, serverConfig)
676 if err := srv.Handshake(); err != nil {
677 panic(fmt.Errorf("handshake: %v", err))
679 if _, err := io.CopyBuffer(srv, srv, buf); err != nil {
680 panic(fmt.Errorf("copy buffer: %v", err))
685 b.SetBytes(totalBytes)
686 clientConfig := testConfig.Clone()
687 clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers
688 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
690 buf := make([]byte, bufsize)
691 chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf))))
692 for i := 0; i < N; i++ {
693 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
697 for j := 0; j < chunks; j++ {
698 _, err := conn.Write(buf)
702 _, err = io.ReadFull(conn, buf)
711 func BenchmarkThroughput(b *testing.B) {
712 for _, mode := range []string{"Max", "Dynamic"} {
713 for size := 1; size <= 64; size <<= 1 {
714 name := fmt.Sprintf("%sPacket/%dMB", mode, size)
715 b.Run(name, func(b *testing.B) {
716 throughput(b, int64(size<<20), mode == "Max")
722 type slowConn struct {
727 func (c *slowConn) Write(p []byte) (int, error) {
734 time.Sleep(100 * time.Microsecond)
735 allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8
736 if allowed > len(p) {
740 n, err := c.Conn.Write(p[wrote:allowed])
750 func latency(b *testing.B, bps int, dynamicRecordSizingDisabled bool) {
751 ln := newLocalListener(b)
757 for i := 0; i < N; i++ {
758 sconn, err := ln.Accept()
760 // panic rather than synchronize to avoid benchmark overhead
761 // (cannot call b.Fatal in goroutine)
762 panic(fmt.Errorf("accept: %v", err))
764 serverConfig := testConfig.Clone()
765 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
766 srv := Server(&slowConn{sconn, bps}, serverConfig)
767 if err := srv.Handshake(); err != nil {
768 panic(fmt.Errorf("handshake: %v", err))
774 clientConfig := testConfig.Clone()
775 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
777 buf := make([]byte, 16384)
778 peek := make([]byte, 1)
780 for i := 0; i < N; i++ {
781 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
785 // make sure we're connected and previous connection has stopped
786 if _, err := conn.Write(buf[:1]); err != nil {
789 if _, err := io.ReadFull(conn, peek); err != nil {
792 if _, err := conn.Write(buf); err != nil {
795 if _, err = io.ReadFull(conn, peek); err != nil {
802 func BenchmarkLatency(b *testing.B) {
803 for _, mode := range []string{"Max", "Dynamic"} {
804 for _, kbps := range []int{200, 500, 1000, 2000, 5000} {
805 name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps)
806 b.Run(name, func(b *testing.B) {
807 latency(b, kbps*1000, mode == "Max")