1 // Copyright 2012 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
25 var rsaCertPEM = `-----BEGIN CERTIFICATE-----
26 MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
27 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
28 aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
29 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
30 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
31 hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
32 rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
33 zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
34 MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
35 r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
36 -----END CERTIFICATE-----
39 var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
40 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
41 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
42 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
43 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
44 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
45 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
46 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
47 -----END RSA PRIVATE KEY-----
50 // keyPEM is the same as rsaKeyPEM, but declares itself as just
51 // "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477
52 var keyPEM = `-----BEGIN PRIVATE KEY-----
53 MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
54 k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
55 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
56 MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
57 SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
58 xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
59 D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
60 -----END PRIVATE KEY-----
63 var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
64 MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
65 EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
66 eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
67 EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
68 Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
69 lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
70 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
71 XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
72 A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
73 H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
74 +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
75 -----END CERTIFICATE-----
78 var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS-----
80 -----END EC PARAMETERS-----
81 -----BEGIN EC PRIVATE KEY-----
82 MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
83 NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
84 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
85 VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
86 kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
87 -----END EC PRIVATE KEY-----
90 var keyPairTests = []struct {
95 {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
96 {"RSA", rsaCertPEM, rsaKeyPEM},
97 {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
100 func TestX509KeyPair(t *testing.T) {
102 for _, test := range keyPairTests {
103 pem = []byte(test.cert + test.key)
104 if _, err := X509KeyPair(pem, pem); err != nil {
105 t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
107 pem = []byte(test.key + test.cert)
108 if _, err := X509KeyPair(pem, pem); err != nil {
109 t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
114 func TestX509KeyPairErrors(t *testing.T) {
115 _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))
117 t.Fatalf("X509KeyPair didn't return an error when arguments were switched")
119 if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {
120 t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)
123 _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))
125 t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")
127 if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {
128 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)
131 const nonsensePEM = `
132 -----BEGIN NONSENSE-----
134 -----END NONSENSE-----
137 _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))
139 t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")
141 if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {
142 t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)
146 func TestX509MixedKeyPair(t *testing.T) {
147 if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
148 t.Error("Load of RSA certificate succeeded with ECDSA private key")
150 if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
151 t.Error("Load of ECDSA certificate succeeded with RSA private key")
155 func newLocalListener(t testing.TB) net.Listener {
156 ln, err := net.Listen("tcp", "127.0.0.1:0")
158 ln, err = net.Listen("tcp6", "[::1]:0")
166 func TestDialTimeout(t *testing.T) {
168 t.Skip("skipping in short mode")
170 listener := newLocalListener(t)
172 addr := listener.Addr().String()
173 defer listener.Close()
175 complete := make(chan bool)
176 defer close(complete)
179 conn, err := listener.Accept()
188 dialer := &net.Dialer{
189 Timeout: 10 * time.Millisecond,
193 if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {
194 t.Fatal("DialWithTimeout completed successfully")
197 if !isTimeoutError(err) {
198 t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err)
202 func isTimeoutError(err error) bool {
203 if ne, ok := err.(net.Error); ok {
209 // tests that Conn.Read returns (non-zero, io.EOF) instead of
210 // (non-zero, nil) when a Close (alertCloseNotify) is sitting right
211 // behind the application data in the buffer.
212 func TestConnReadNonzeroAndEOF(t *testing.T) {
213 // This test is racy: it assumes that after a write to a
214 // localhost TCP connection, the peer TCP connection can
215 // immediately read it. Because it's racy, we skip this test
216 // in short mode, and then retry it several times with an
217 // increasing sleep in between our final write (via srv.Close
218 // below) and the following read.
220 t.Skip("skipping in short mode")
223 for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
224 if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
231 func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
232 ln := newLocalListener(t)
235 srvCh := make(chan *Conn, 1)
238 sconn, err := ln.Accept()
244 serverConfig := testConfig.clone()
245 srv := Server(sconn, serverConfig)
246 if err := srv.Handshake(); err != nil {
247 serr = fmt.Errorf("handshake: %v", err)
254 clientConfig := testConfig.clone()
255 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
266 buf := make([]byte, 6)
268 srv.Write([]byte("foobar"))
269 n, err := conn.Read(buf)
270 if n != 6 || err != nil || string(buf) != "foobar" {
271 return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
274 srv.Write([]byte("abcdef"))
277 n, err = conn.Read(buf)
278 if n != 6 || string(buf) != "abcdef" {
279 return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
282 return fmt.Errorf("Second Read error = %v; want io.EOF", err)
287 func TestTLSUniqueMatches(t *testing.T) {
288 ln := newLocalListener(t)
291 serverTLSUniques := make(chan []byte)
293 for i := 0; i < 2; i++ {
294 sconn, err := ln.Accept()
298 serverConfig := testConfig.clone()
299 srv := Server(sconn, serverConfig)
300 if err := srv.Handshake(); err != nil {
303 serverTLSUniques <- srv.ConnectionState().TLSUnique
307 clientConfig := testConfig.clone()
308 clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
309 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
313 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
314 t.Error("client and server channel bindings differ")
318 conn, err = Dial("tcp", ln.Addr().String(), clientConfig)
323 if !conn.ConnectionState().DidResume {
324 t.Error("second session did not use resumption")
326 if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
327 t.Error("client and server channel bindings differ when session resumption is used")
331 func TestVerifyHostname(t *testing.T) {
332 testenv.MustHaveExternalNetwork(t)
334 c, err := Dial("tcp", "www.google.com:https", nil)
338 if err := c.VerifyHostname("www.google.com"); err != nil {
339 t.Fatalf("verify www.google.com: %v", err)
341 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
342 t.Fatalf("verify www.yahoo.com succeeded")
345 c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
349 if err := c.VerifyHostname("www.google.com"); err == nil {
350 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
352 if err := c.VerifyHostname("www.yahoo.com"); err == nil {
353 t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
357 func TestVerifyHostnameResumed(t *testing.T) {
358 testenv.MustHaveExternalNetwork(t)
361 ClientSessionCache: NewLRUClientSessionCache(32),
363 for i := 0; i < 2; i++ {
364 c, err := Dial("tcp", "www.google.com:https", config)
366 t.Fatalf("Dial #%d: %v", i, err)
368 cs := c.ConnectionState()
369 if i > 0 && !cs.DidResume {
370 t.Fatalf("Subsequent connection unexpectedly didn't resume")
372 if cs.VerifiedChains == nil {
373 t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i)
375 if err := c.VerifyHostname("www.google.com"); err != nil {
376 t.Fatalf("verify www.google.com #%d: %v", i, err)
382 func TestConnCloseBreakingWrite(t *testing.T) {
383 ln := newLocalListener(t)
386 srvCh := make(chan *Conn, 1)
391 sconn, err = ln.Accept()
397 serverConfig := testConfig.clone()
398 srv := Server(sconn, serverConfig)
399 if err := srv.Handshake(); err != nil {
400 serr = fmt.Errorf("handshake: %v", err)
407 cconn, err := net.Dial("tcp", ln.Addr().String())
413 conn := &changeImplConn{
417 clientConfig := testConfig.clone()
418 tconn := Client(conn, clientConfig)
419 if err := tconn.Handshake(); err != nil {
429 connClosed := make(chan struct{})
430 conn.closeFunc = func() error {
435 inWrite := make(chan bool, 1)
436 var errConnClosed = errors.New("conn closed for test")
437 conn.writeFunc = func(p []byte) (n int, err error) {
440 return 0, errConnClosed
443 closeReturned := make(chan bool, 1)
446 tconn.Close() // test that this doesn't block forever.
447 closeReturned <- true
450 _, err = tconn.Write([]byte("foo"))
451 if err != errConnClosed {
452 t.Errorf("Write error = %v; want errConnClosed", err)
456 if err := tconn.Close(); err != errClosed {
457 t.Errorf("Close error = %v; want errClosed", err)
461 func TestClone(t *testing.T) {
463 v := reflect.ValueOf(&c1).Elem()
465 rnd := rand.New(rand.NewSource(time.Now().Unix()))
467 for i := 0; i < typ.NumField(); i++ {
470 // unexported field; not cloned.
474 // testing/quick can't handle functions or interfaces.
475 fn := typ.Field(i).Name
478 f.Set(reflect.ValueOf(io.Reader(os.Stdin)))
480 case "Time", "GetCertificate":
481 // DeepEqual can't compare functions.
484 f.Set(reflect.ValueOf([]Certificate{
485 {Certificate: [][]byte{[]byte{'b'}}},
488 case "NameToCertificate":
489 f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil}))
491 case "RootCAs", "ClientCAs":
492 f.Set(reflect.ValueOf(x509.NewCertPool()))
494 case "ClientSessionCache":
495 f.Set(reflect.ValueOf(NewLRUClientSessionCache(10)))
499 q, ok := quick.Value(f.Type(), rnd)
501 t.Fatalf("quick.Value failed on field %s", fn)
508 if !reflect.DeepEqual(&c1, c2) {
509 t.Errorf("clone failed to copy a field")
513 // changeImplConn is a net.Conn which can change its Write and Close
515 type changeImplConn struct {
517 writeFunc func([]byte) (int, error)
518 closeFunc func() error
521 func (w *changeImplConn) Write(p []byte) (n int, err error) {
522 if w.writeFunc != nil {
523 return w.writeFunc(p)
525 return w.Conn.Write(p)
528 func (w *changeImplConn) Close() error {
529 if w.closeFunc != nil {
532 return w.Conn.Close()
535 func throughput(b *testing.B, totalBytes int64, dynamicRecordSizingDisabled bool) {
536 ln := newLocalListener(b)
542 for i := 0; i < N; i++ {
543 sconn, err := ln.Accept()
545 // panic rather than synchronize to avoid benchmark overhead
546 // (cannot call b.Fatal in goroutine)
547 panic(fmt.Errorf("accept: %v", err))
549 serverConfig := testConfig.clone()
550 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
551 srv := Server(sconn, serverConfig)
552 if err := srv.Handshake(); err != nil {
553 panic(fmt.Errorf("handshake: %v", err))
559 b.SetBytes(totalBytes)
560 clientConfig := testConfig.clone()
561 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
563 buf := make([]byte, 1<<14)
564 chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf))))
565 for i := 0; i < N; i++ {
566 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
570 for j := 0; j < chunks; j++ {
571 _, err := conn.Write(buf)
575 _, err = io.ReadFull(conn, buf)
584 func BenchmarkThroughput(b *testing.B) {
585 for _, mode := range []string{"Max", "Dynamic"} {
586 for size := 1; size <= 64; size <<= 1 {
587 name := fmt.Sprintf("%sPacket/%dMB", mode, size)
588 b.Run(name, func(b *testing.B) {
589 throughput(b, int64(size<<20), mode == "Max")
595 type slowConn struct {
600 func (c *slowConn) Write(p []byte) (int, error) {
607 time.Sleep(100 * time.Microsecond)
608 allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8
609 if allowed > len(p) {
613 n, err := c.Conn.Write(p[wrote:allowed])
623 func latency(b *testing.B, bps int, dynamicRecordSizingDisabled bool) {
624 ln := newLocalListener(b)
630 for i := 0; i < N; i++ {
631 sconn, err := ln.Accept()
633 // panic rather than synchronize to avoid benchmark overhead
634 // (cannot call b.Fatal in goroutine)
635 panic(fmt.Errorf("accept: %v", err))
637 serverConfig := testConfig.clone()
638 serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
639 srv := Server(&slowConn{sconn, bps}, serverConfig)
640 if err := srv.Handshake(); err != nil {
641 panic(fmt.Errorf("handshake: %v", err))
647 clientConfig := testConfig.clone()
648 clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
650 buf := make([]byte, 16384)
651 peek := make([]byte, 1)
653 for i := 0; i < N; i++ {
654 conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
658 // make sure we're connected and previous connection has stopped
659 if _, err := conn.Write(buf[:1]); err != nil {
662 if _, err := io.ReadFull(conn, peek); err != nil {
665 if _, err := conn.Write(buf); err != nil {
668 if _, err = io.ReadFull(conn, peek); err != nil {
675 func BenchmarkLatency(b *testing.B) {
676 for _, mode := range []string{"Max", "Dynamic"} {
677 for _, kbps := range []int{200, 500, 1000, 2000, 5000} {
678 name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps)
679 b.Run(name, func(b *testing.B) {
680 latency(b, kbps*1000, mode == "Max")