1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "bytes" 9 "context" 10 "crypto/rsa" 11 "crypto/x509" 12 "encoding/base64" 13 "encoding/binary" 14 "encoding/pem" 15 "errors" 16 "fmt" 17 "io" 18 "math/big" 19 "net" 20 "os" 21 "os/exec" 22 "path/filepath" 23 "reflect" 24 "runtime" 25 "strconv" 26 "strings" 27 "testing" 28 "time" 29) 30 31// Note: see comment in handshake_test.go for details of how the reference 32// tests work. 33 34// opensslInputEvent enumerates possible inputs that can be sent to an `openssl 35// s_client` process. 36type opensslInputEvent int 37 38const ( 39 // opensslRenegotiate causes OpenSSL to request a renegotiation of the 40 // connection. 41 opensslRenegotiate opensslInputEvent = iota 42 43 // opensslSendBanner causes OpenSSL to send the contents of 44 // opensslSentinel on the connection. 45 opensslSendSentinel 46 47 // opensslKeyUpdate causes OpenSSL to send a key update message to the 48 // client and request one back. 49 opensslKeyUpdate 50) 51 52const opensslSentinel = "SENTINEL\n" 53 54type opensslInput chan opensslInputEvent 55 56func (i opensslInput) Read(buf []byte) (n int, err error) { 57 for event := range i { 58 switch event { 59 case opensslRenegotiate: 60 return copy(buf, []byte("R\n")), nil 61 case opensslKeyUpdate: 62 return copy(buf, []byte("K\n")), nil 63 case opensslSendSentinel: 64 return copy(buf, []byte(opensslSentinel)), nil 65 default: 66 panic("unknown event") 67 } 68 } 69 70 return 0, io.EOF 71} 72 73// opensslOutputSink is an io.Writer that receives the stdout and stderr from an 74// `openssl` process and sends a value to handshakeComplete or readKeyUpdate 75// when certain messages are seen. 76type opensslOutputSink struct { 77 handshakeComplete chan struct{} 78 readKeyUpdate chan struct{} 79 all []byte 80 line []byte 81} 82 83func newOpensslOutputSink() *opensslOutputSink { 84 return &opensslOutputSink{make(chan struct{}), make(chan struct{}), nil, nil} 85} 86 87// opensslEndOfHandshake is a message that the “openssl s_server” tool will 88// print when a handshake completes if run with “-state”. 89const opensslEndOfHandshake = "SSL_accept:SSLv3/TLS write finished" 90 91// opensslReadKeyUpdate is a message that the “openssl s_server” tool will 92// print when a KeyUpdate message is received if run with “-state”. 93const opensslReadKeyUpdate = "SSL_accept:TLSv1.3 read client key update" 94 95func (o *opensslOutputSink) Write(data []byte) (n int, err error) { 96 o.line = append(o.line, data...) 97 o.all = append(o.all, data...) 98 99 for { 100 i := bytes.IndexByte(o.line, '\n') 101 if i < 0 { 102 break 103 } 104 105 if bytes.Equal([]byte(opensslEndOfHandshake), o.line[:i]) { 106 o.handshakeComplete <- struct{}{} 107 } 108 if bytes.Equal([]byte(opensslReadKeyUpdate), o.line[:i]) { 109 o.readKeyUpdate <- struct{}{} 110 } 111 o.line = o.line[i+1:] 112 } 113 114 return len(data), nil 115} 116 117func (o *opensslOutputSink) String() string { 118 return string(o.all) 119} 120 121// clientTest represents a test of the TLS client handshake against a reference 122// implementation. 123type clientTest struct { 124 // name is a freeform string identifying the test and the file in which 125 // the expected results will be stored. 126 name string 127 // args, if not empty, contains a series of arguments for the 128 // command to run for the reference server. 129 args []string 130 // config, if not nil, contains a custom Config to use for this test. 131 config *Config 132 // cert, if not empty, contains a DER-encoded certificate for the 133 // reference server. 134 cert []byte 135 // key, if not nil, contains either a *rsa.PrivateKey, ed25519.PrivateKey or 136 // *ecdsa.PrivateKey which is the private key for the reference server. 137 key interface{} 138 // extensions, if not nil, contains a list of extension data to be returned 139 // from the ServerHello. The data should be in standard TLS format with 140 // a 2-byte uint16 type, 2-byte data length, followed by the extension data. 141 extensions [][]byte 142 // validate, if not nil, is a function that will be called with the 143 // ConnectionState of the resulting connection. It returns a non-nil 144 // error if the ConnectionState is unacceptable. 145 validate func(ConnectionState) error 146 // numRenegotiations is the number of times that the connection will be 147 // renegotiated. 148 numRenegotiations int 149 // renegotiationExpectedToFail, if not zero, is the number of the 150 // renegotiation attempt that is expected to fail. 151 renegotiationExpectedToFail int 152 // checkRenegotiationError, if not nil, is called with any error 153 // arising from renegotiation. It can map expected errors to nil to 154 // ignore them. 155 checkRenegotiationError func(renegotiationNum int, err error) error 156 // sendKeyUpdate will cause the server to send a KeyUpdate message. 157 sendKeyUpdate bool 158} 159 160var serverCommand = []string{"openssl", "s_server", "-no_ticket", "-num_tickets", "0"} 161 162// connFromCommand starts the reference server process, connects to it and 163// returns a recordingConn for the connection. The stdin return value is an 164// opensslInput for the stdin of the child process. It must be closed before 165// Waiting for child. 166func (test *clientTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, stdin opensslInput, stdout *opensslOutputSink, err error) { 167 cert := testRSACertificate 168 if len(test.cert) > 0 { 169 cert = test.cert 170 } 171 certPath := tempFile(string(cert)) 172 defer os.Remove(certPath) 173 174 var key interface{} = testRSAPrivateKey 175 if test.key != nil { 176 key = test.key 177 } 178 derBytes, err := x509.MarshalPKCS8PrivateKey(key) 179 if err != nil { 180 panic(err) 181 } 182 183 var pemOut bytes.Buffer 184 pem.Encode(&pemOut, &pem.Block{Type: "PRIVATE KEY", Bytes: derBytes}) 185 186 keyPath := tempFile(pemOut.String()) 187 defer os.Remove(keyPath) 188 189 var command []string 190 command = append(command, serverCommand...) 191 command = append(command, test.args...) 192 command = append(command, "-cert", certPath, "-certform", "DER", "-key", keyPath) 193 // serverPort contains the port that OpenSSL will listen on. OpenSSL 194 // can't take "0" as an argument here so we have to pick a number and 195 // hope that it's not in use on the machine. Since this only occurs 196 // when -update is given and thus when there's a human watching the 197 // test, this isn't too bad. 198 const serverPort = 24323 199 command = append(command, "-accept", strconv.Itoa(serverPort)) 200 201 if len(test.extensions) > 0 { 202 var serverInfo bytes.Buffer 203 for _, ext := range test.extensions { 204 pem.Encode(&serverInfo, &pem.Block{ 205 Type: fmt.Sprintf("SERVERINFO FOR EXTENSION %d", binary.BigEndian.Uint16(ext)), 206 Bytes: ext, 207 }) 208 } 209 serverInfoPath := tempFile(serverInfo.String()) 210 defer os.Remove(serverInfoPath) 211 command = append(command, "-serverinfo", serverInfoPath) 212 } 213 214 if test.numRenegotiations > 0 || test.sendKeyUpdate { 215 found := false 216 for _, flag := range command[1:] { 217 if flag == "-state" { 218 found = true 219 break 220 } 221 } 222 223 if !found { 224 panic("-state flag missing to OpenSSL, you need this if testing renegotiation or KeyUpdate") 225 } 226 } 227 228 cmd := exec.Command(command[0], command[1:]...) 229 stdin = opensslInput(make(chan opensslInputEvent)) 230 cmd.Stdin = stdin 231 out := newOpensslOutputSink() 232 cmd.Stdout = out 233 cmd.Stderr = out 234 if err := cmd.Start(); err != nil { 235 return nil, nil, nil, nil, err 236 } 237 238 // OpenSSL does print an "ACCEPT" banner, but it does so *before* 239 // opening the listening socket, so we can't use that to wait until it 240 // has started listening. Thus we are forced to poll until we get a 241 // connection. 242 var tcpConn net.Conn 243 for i := uint(0); i < 5; i++ { 244 tcpConn, err = net.DialTCP("tcp", nil, &net.TCPAddr{ 245 IP: net.IPv4(127, 0, 0, 1), 246 Port: serverPort, 247 }) 248 if err == nil { 249 break 250 } 251 time.Sleep((1 << i) * 5 * time.Millisecond) 252 } 253 if err != nil { 254 close(stdin) 255 cmd.Process.Kill() 256 err = fmt.Errorf("error connecting to the OpenSSL server: %v (%v)\n\n%s", err, cmd.Wait(), out) 257 return nil, nil, nil, nil, err 258 } 259 260 record := &recordingConn{ 261 Conn: tcpConn, 262 } 263 264 return record, cmd, stdin, out, nil 265} 266 267func (test *clientTest) dataPath() string { 268 return filepath.Join("testdata", "Client-"+test.name) 269} 270 271func (test *clientTest) loadData() (flows [][]byte, err error) { 272 in, err := os.Open(test.dataPath()) 273 if err != nil { 274 return nil, err 275 } 276 defer in.Close() 277 return parseTestData(in) 278} 279 280func (test *clientTest) run(t *testing.T, write bool) { 281 var clientConn, serverConn net.Conn 282 var recordingConn *recordingConn 283 var childProcess *exec.Cmd 284 var stdin opensslInput 285 var stdout *opensslOutputSink 286 287 if write { 288 var err error 289 recordingConn, childProcess, stdin, stdout, err = test.connFromCommand() 290 if err != nil { 291 t.Fatalf("Failed to start subcommand: %s", err) 292 } 293 clientConn = recordingConn 294 defer func() { 295 if t.Failed() { 296 t.Logf("OpenSSL output:\n\n%s", stdout.all) 297 } 298 }() 299 } else { 300 clientConn, serverConn = localPipe(t) 301 } 302 303 doneChan := make(chan bool) 304 defer func() { 305 clientConn.Close() 306 <-doneChan 307 }() 308 go func() { 309 defer close(doneChan) 310 311 config := test.config 312 if config == nil { 313 config = testConfig 314 } 315 client := Client(clientConn, config) 316 defer client.Close() 317 318 if _, err := client.Write([]byte("hello\n")); err != nil { 319 t.Errorf("Client.Write failed: %s", err) 320 return 321 } 322 323 for i := 1; i <= test.numRenegotiations; i++ { 324 // The initial handshake will generate a 325 // handshakeComplete signal which needs to be quashed. 326 if i == 1 && write { 327 <-stdout.handshakeComplete 328 } 329 330 // OpenSSL will try to interleave application data and 331 // a renegotiation if we send both concurrently. 332 // Therefore: ask OpensSSL to start a renegotiation, run 333 // a goroutine to call client.Read and thus process the 334 // renegotiation request, watch for OpenSSL's stdout to 335 // indicate that the handshake is complete and, 336 // finally, have OpenSSL write something to cause 337 // client.Read to complete. 338 if write { 339 stdin <- opensslRenegotiate 340 } 341 342 signalChan := make(chan struct{}) 343 344 go func() { 345 defer close(signalChan) 346 347 buf := make([]byte, 256) 348 n, err := client.Read(buf) 349 350 if test.checkRenegotiationError != nil { 351 newErr := test.checkRenegotiationError(i, err) 352 if err != nil && newErr == nil { 353 return 354 } 355 err = newErr 356 } 357 358 if err != nil { 359 t.Errorf("Client.Read failed after renegotiation #%d: %s", i, err) 360 return 361 } 362 363 buf = buf[:n] 364 if !bytes.Equal([]byte(opensslSentinel), buf) { 365 t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel) 366 } 367 368 if expected := i + 1; client.handshakes != expected { 369 t.Errorf("client should have recorded %d handshakes, but believes that %d have occurred", expected, client.handshakes) 370 } 371 }() 372 373 if write && test.renegotiationExpectedToFail != i { 374 <-stdout.handshakeComplete 375 stdin <- opensslSendSentinel 376 } 377 <-signalChan 378 } 379 380 if test.sendKeyUpdate { 381 if write { 382 <-stdout.handshakeComplete 383 stdin <- opensslKeyUpdate 384 } 385 386 doneRead := make(chan struct{}) 387 388 go func() { 389 defer close(doneRead) 390 391 buf := make([]byte, 256) 392 n, err := client.Read(buf) 393 394 if err != nil { 395 t.Errorf("Client.Read failed after KeyUpdate: %s", err) 396 return 397 } 398 399 buf = buf[:n] 400 if !bytes.Equal([]byte(opensslSentinel), buf) { 401 t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel) 402 } 403 }() 404 405 if write { 406 // There's no real reason to wait for the client KeyUpdate to 407 // send data with the new server keys, except that s_server 408 // drops writes if they are sent at the wrong time. 409 <-stdout.readKeyUpdate 410 stdin <- opensslSendSentinel 411 } 412 <-doneRead 413 414 if _, err := client.Write([]byte("hello again\n")); err != nil { 415 t.Errorf("Client.Write failed: %s", err) 416 return 417 } 418 } 419 420 if test.validate != nil { 421 if err := test.validate(client.ConnectionState()); err != nil { 422 t.Errorf("validate callback returned error: %s", err) 423 } 424 } 425 426 // If the server sent us an alert after our last flight, give it a 427 // chance to arrive. 428 if write && test.renegotiationExpectedToFail == 0 { 429 if err := peekError(client); err != nil { 430 t.Errorf("final Read returned an error: %s", err) 431 } 432 } 433 }() 434 435 if !write { 436 flows, err := test.loadData() 437 if err != nil { 438 t.Fatalf("%s: failed to load data from %s: %v", test.name, test.dataPath(), err) 439 } 440 for i, b := range flows { 441 if i%2 == 1 { 442 if *fast { 443 serverConn.SetWriteDeadline(time.Now().Add(1 * time.Second)) 444 } else { 445 serverConn.SetWriteDeadline(time.Now().Add(1 * time.Minute)) 446 } 447 serverConn.Write(b) 448 continue 449 } 450 bb := make([]byte, len(b)) 451 if *fast { 452 serverConn.SetReadDeadline(time.Now().Add(1 * time.Second)) 453 } else { 454 serverConn.SetReadDeadline(time.Now().Add(1 * time.Minute)) 455 } 456 _, err := io.ReadFull(serverConn, bb) 457 if err != nil { 458 t.Fatalf("%s, flow %d: %s", test.name, i+1, err) 459 } 460 if !bytes.Equal(b, bb) { 461 t.Fatalf("%s, flow %d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b) 462 } 463 } 464 } 465 466 <-doneChan 467 if !write { 468 serverConn.Close() 469 } 470 471 if write { 472 path := test.dataPath() 473 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) 474 if err != nil { 475 t.Fatalf("Failed to create output file: %s", err) 476 } 477 defer out.Close() 478 recordingConn.Close() 479 close(stdin) 480 childProcess.Process.Kill() 481 childProcess.Wait() 482 if len(recordingConn.flows) < 3 { 483 t.Fatalf("Client connection didn't work") 484 } 485 recordingConn.WriteTo(out) 486 t.Logf("Wrote %s\n", path) 487 } 488} 489 490// peekError does a read with a short timeout to check if the next read would 491// cause an error, for example if there is an alert waiting on the wire. 492func peekError(conn net.Conn) error { 493 conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)) 494 if n, err := conn.Read(make([]byte, 1)); n != 0 { 495 return errors.New("unexpectedly read data") 496 } else if err != nil { 497 if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() { 498 return err 499 } 500 } 501 return nil 502} 503 504func runClientTestForVersion(t *testing.T, template *clientTest, version, option string) { 505 // Make a deep copy of the template before going parallel. 506 test := *template 507 if template.config != nil { 508 test.config = template.config.Clone() 509 } 510 test.name = version + "-" + test.name 511 test.args = append([]string{option}, test.args...) 512 513 runTestAndUpdateIfNeeded(t, version, test.run, false) 514} 515 516func runClientTestTLS10(t *testing.T, template *clientTest) { 517 runClientTestForVersion(t, template, "TLSv10", "-tls1") 518} 519 520func runClientTestTLS11(t *testing.T, template *clientTest) { 521 runClientTestForVersion(t, template, "TLSv11", "-tls1_1") 522} 523 524func runClientTestTLS12(t *testing.T, template *clientTest) { 525 runClientTestForVersion(t, template, "TLSv12", "-tls1_2") 526} 527 528func runClientTestTLS13(t *testing.T, template *clientTest) { 529 runClientTestForVersion(t, template, "TLSv13", "-tls1_3") 530} 531 532func TestHandshakeClientRSARC4(t *testing.T) { 533 test := &clientTest{ 534 name: "RSA-RC4", 535 args: []string{"-cipher", "RC4-SHA"}, 536 } 537 runClientTestTLS10(t, test) 538 runClientTestTLS11(t, test) 539 runClientTestTLS12(t, test) 540} 541 542func TestHandshakeClientRSAAES128GCM(t *testing.T) { 543 test := &clientTest{ 544 name: "AES128-GCM-SHA256", 545 args: []string{"-cipher", "AES128-GCM-SHA256"}, 546 } 547 runClientTestTLS12(t, test) 548} 549 550func TestHandshakeClientRSAAES256GCM(t *testing.T) { 551 test := &clientTest{ 552 name: "AES256-GCM-SHA384", 553 args: []string{"-cipher", "AES256-GCM-SHA384"}, 554 } 555 runClientTestTLS12(t, test) 556} 557 558func TestHandshakeClientECDHERSAAES(t *testing.T) { 559 test := &clientTest{ 560 name: "ECDHE-RSA-AES", 561 args: []string{"-cipher", "ECDHE-RSA-AES128-SHA"}, 562 } 563 runClientTestTLS10(t, test) 564 runClientTestTLS11(t, test) 565 runClientTestTLS12(t, test) 566} 567 568func TestHandshakeClientECDHEECDSAAES(t *testing.T) { 569 test := &clientTest{ 570 name: "ECDHE-ECDSA-AES", 571 args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA"}, 572 cert: testECDSACertificate, 573 key: testECDSAPrivateKey, 574 } 575 runClientTestTLS10(t, test) 576 runClientTestTLS11(t, test) 577 runClientTestTLS12(t, test) 578} 579 580func TestHandshakeClientECDHEECDSAAESGCM(t *testing.T) { 581 test := &clientTest{ 582 name: "ECDHE-ECDSA-AES-GCM", 583 args: []string{"-cipher", "ECDHE-ECDSA-AES128-GCM-SHA256"}, 584 cert: testECDSACertificate, 585 key: testECDSAPrivateKey, 586 } 587 runClientTestTLS12(t, test) 588} 589 590func TestHandshakeClientAES256GCMSHA384(t *testing.T) { 591 test := &clientTest{ 592 name: "ECDHE-ECDSA-AES256-GCM-SHA384", 593 args: []string{"-cipher", "ECDHE-ECDSA-AES256-GCM-SHA384"}, 594 cert: testECDSACertificate, 595 key: testECDSAPrivateKey, 596 } 597 runClientTestTLS12(t, test) 598} 599 600func TestHandshakeClientAES128CBCSHA256(t *testing.T) { 601 test := &clientTest{ 602 name: "AES128-SHA256", 603 args: []string{"-cipher", "AES128-SHA256"}, 604 } 605 runClientTestTLS12(t, test) 606} 607 608func TestHandshakeClientECDHERSAAES128CBCSHA256(t *testing.T) { 609 test := &clientTest{ 610 name: "ECDHE-RSA-AES128-SHA256", 611 args: []string{"-cipher", "ECDHE-RSA-AES128-SHA256"}, 612 } 613 runClientTestTLS12(t, test) 614} 615 616func TestHandshakeClientECDHEECDSAAES128CBCSHA256(t *testing.T) { 617 test := &clientTest{ 618 name: "ECDHE-ECDSA-AES128-SHA256", 619 args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA256"}, 620 cert: testECDSACertificate, 621 key: testECDSAPrivateKey, 622 } 623 runClientTestTLS12(t, test) 624} 625 626func TestHandshakeClientX25519(t *testing.T) { 627 config := testConfig.Clone() 628 config.CurvePreferences = []CurveID{X25519} 629 630 test := &clientTest{ 631 name: "X25519-ECDHE", 632 args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"}, 633 config: config, 634 } 635 636 runClientTestTLS12(t, test) 637 runClientTestTLS13(t, test) 638} 639 640func TestHandshakeClientP256(t *testing.T) { 641 config := testConfig.Clone() 642 config.CurvePreferences = []CurveID{CurveP256} 643 644 test := &clientTest{ 645 name: "P256-ECDHE", 646 args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"}, 647 config: config, 648 } 649 650 runClientTestTLS12(t, test) 651 runClientTestTLS13(t, test) 652} 653 654func TestHandshakeClientHelloRetryRequest(t *testing.T) { 655 config := testConfig.Clone() 656 config.CurvePreferences = []CurveID{X25519, CurveP256} 657 658 test := &clientTest{ 659 name: "HelloRetryRequest", 660 args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"}, 661 config: config, 662 } 663 664 runClientTestTLS13(t, test) 665} 666 667func TestHandshakeClientECDHERSAChaCha20(t *testing.T) { 668 config := testConfig.Clone() 669 config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305} 670 671 test := &clientTest{ 672 name: "ECDHE-RSA-CHACHA20-POLY1305", 673 args: []string{"-cipher", "ECDHE-RSA-CHACHA20-POLY1305"}, 674 config: config, 675 } 676 677 runClientTestTLS12(t, test) 678} 679 680func TestHandshakeClientECDHEECDSAChaCha20(t *testing.T) { 681 config := testConfig.Clone() 682 config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305} 683 684 test := &clientTest{ 685 name: "ECDHE-ECDSA-CHACHA20-POLY1305", 686 args: []string{"-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305"}, 687 config: config, 688 cert: testECDSACertificate, 689 key: testECDSAPrivateKey, 690 } 691 692 runClientTestTLS12(t, test) 693} 694 695func TestHandshakeClientAES128SHA256(t *testing.T) { 696 test := &clientTest{ 697 name: "AES128-SHA256", 698 args: []string{"-ciphersuites", "TLS_AES_128_GCM_SHA256"}, 699 } 700 runClientTestTLS13(t, test) 701} 702func TestHandshakeClientAES256SHA384(t *testing.T) { 703 test := &clientTest{ 704 name: "AES256-SHA384", 705 args: []string{"-ciphersuites", "TLS_AES_256_GCM_SHA384"}, 706 } 707 runClientTestTLS13(t, test) 708} 709func TestHandshakeClientCHACHA20SHA256(t *testing.T) { 710 test := &clientTest{ 711 name: "CHACHA20-SHA256", 712 args: []string{"-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, 713 } 714 runClientTestTLS13(t, test) 715} 716 717func TestHandshakeClientECDSATLS13(t *testing.T) { 718 test := &clientTest{ 719 name: "ECDSA", 720 cert: testECDSACertificate, 721 key: testECDSAPrivateKey, 722 } 723 runClientTestTLS13(t, test) 724} 725 726func TestHandshakeClientEd25519(t *testing.T) { 727 test := &clientTest{ 728 name: "Ed25519", 729 cert: testEd25519Certificate, 730 key: testEd25519PrivateKey, 731 } 732 runClientTestTLS12(t, test) 733 runClientTestTLS13(t, test) 734 735 config := testConfig.Clone() 736 cert, _ := X509KeyPair([]byte(clientEd25519CertificatePEM), []byte(clientEd25519KeyPEM)) 737 config.Certificates = []Certificate{cert} 738 739 test = &clientTest{ 740 name: "ClientCert-Ed25519", 741 args: []string{"-Verify", "1"}, 742 config: config, 743 } 744 745 runClientTestTLS12(t, test) 746 runClientTestTLS13(t, test) 747} 748 749func TestHandshakeClientCertRSA(t *testing.T) { 750 config := testConfig.Clone() 751 cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM)) 752 config.Certificates = []Certificate{cert} 753 754 test := &clientTest{ 755 name: "ClientCert-RSA-RSA", 756 args: []string{"-cipher", "AES128", "-Verify", "1"}, 757 config: config, 758 } 759 760 runClientTestTLS10(t, test) 761 runClientTestTLS12(t, test) 762 763 test = &clientTest{ 764 name: "ClientCert-RSA-ECDSA", 765 args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"}, 766 config: config, 767 cert: testECDSACertificate, 768 key: testECDSAPrivateKey, 769 } 770 771 runClientTestTLS10(t, test) 772 runClientTestTLS12(t, test) 773 runClientTestTLS13(t, test) 774 775 test = &clientTest{ 776 name: "ClientCert-RSA-AES256-GCM-SHA384", 777 args: []string{"-cipher", "ECDHE-RSA-AES256-GCM-SHA384", "-Verify", "1"}, 778 config: config, 779 cert: testRSACertificate, 780 key: testRSAPrivateKey, 781 } 782 783 runClientTestTLS12(t, test) 784} 785 786func TestHandshakeClientCertECDSA(t *testing.T) { 787 config := testConfig.Clone() 788 cert, _ := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM)) 789 config.Certificates = []Certificate{cert} 790 791 test := &clientTest{ 792 name: "ClientCert-ECDSA-RSA", 793 args: []string{"-cipher", "AES128", "-Verify", "1"}, 794 config: config, 795 } 796 797 runClientTestTLS10(t, test) 798 runClientTestTLS12(t, test) 799 runClientTestTLS13(t, test) 800 801 test = &clientTest{ 802 name: "ClientCert-ECDSA-ECDSA", 803 args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"}, 804 config: config, 805 cert: testECDSACertificate, 806 key: testECDSAPrivateKey, 807 } 808 809 runClientTestTLS10(t, test) 810 runClientTestTLS12(t, test) 811} 812 813// TestHandshakeClientCertRSAPSS tests rsa_pss_rsae_sha256 signatures from both 814// client and server certificates. It also serves from both sides a certificate 815// signed itself with RSA-PSS, mostly to check that crypto/x509 chain validation 816// works. 817func TestHandshakeClientCertRSAPSS(t *testing.T) { 818 cert, err := x509.ParseCertificate(testRSAPSSCertificate) 819 if err != nil { 820 panic(err) 821 } 822 rootCAs := x509.NewCertPool() 823 rootCAs.AddCert(cert) 824 825 config := testConfig.Clone() 826 // Use GetClientCertificate to bypass the client certificate selection logic. 827 config.GetClientCertificate = func(*CertificateRequestInfo) (*Certificate, error) { 828 return &Certificate{ 829 Certificate: [][]byte{testRSAPSSCertificate}, 830 PrivateKey: testRSAPrivateKey, 831 }, nil 832 } 833 config.RootCAs = rootCAs 834 835 test := &clientTest{ 836 name: "ClientCert-RSA-RSAPSS", 837 args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs", 838 "rsa_pss_rsae_sha256", "-sigalgs", "rsa_pss_rsae_sha256"}, 839 config: config, 840 cert: testRSAPSSCertificate, 841 key: testRSAPrivateKey, 842 } 843 runClientTestTLS12(t, test) 844 runClientTestTLS13(t, test) 845} 846 847func TestHandshakeClientCertRSAPKCS1v15(t *testing.T) { 848 config := testConfig.Clone() 849 cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM)) 850 config.Certificates = []Certificate{cert} 851 852 test := &clientTest{ 853 name: "ClientCert-RSA-RSAPKCS1v15", 854 args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs", 855 "rsa_pkcs1_sha256", "-sigalgs", "rsa_pkcs1_sha256"}, 856 config: config, 857 } 858 859 runClientTestTLS12(t, test) 860} 861 862func TestClientKeyUpdate(t *testing.T) { 863 test := &clientTest{ 864 name: "KeyUpdate", 865 args: []string{"-state"}, 866 sendKeyUpdate: true, 867 } 868 runClientTestTLS13(t, test) 869} 870 871func TestResumption(t *testing.T) { 872 t.Run("TLSv12", func(t *testing.T) { testResumption(t, VersionTLS12) }) 873 t.Run("TLSv13", func(t *testing.T) { testResumption(t, VersionTLS13) }) 874} 875 876func testResumption(t *testing.T, version uint16) { 877 if testing.Short() { 878 t.Skip("skipping in -short mode") 879 } 880 serverConfig := &Config{ 881 MaxVersion: version, 882 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, 883 Certificates: testConfig.Certificates, 884 } 885 886 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 887 if err != nil { 888 panic(err) 889 } 890 891 rootCAs := x509.NewCertPool() 892 rootCAs.AddCert(issuer) 893 894 clientConfig := &Config{ 895 MaxVersion: version, 896 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, 897 ClientSessionCache: NewLRUClientSessionCache(32), 898 RootCAs: rootCAs, 899 ServerName: "example.golang", 900 } 901 902 testResumeState := func(test string, didResume bool) { 903 _, hs, err := testHandshake(t, clientConfig, serverConfig) 904 if err != nil { 905 t.Fatalf("%s: handshake failed: %s", test, err) 906 } 907 if hs.DidResume != didResume { 908 t.Fatalf("%s resumed: %v, expected: %v", test, hs.DidResume, didResume) 909 } 910 if didResume && (hs.PeerCertificates == nil || hs.VerifiedChains == nil) { 911 t.Fatalf("expected non-nil certificates after resumption. Got peerCertificates: %#v, verifiedCertificates: %#v", hs.PeerCertificates, hs.VerifiedChains) 912 } 913 if got, want := hs.ServerName, clientConfig.ServerName; got != want { 914 t.Errorf("%s: server name %s, want %s", test, got, want) 915 } 916 } 917 918 getTicket := func() []byte { 919 return clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.sessionTicket 920 } 921 deleteTicket := func() { 922 ticketKey := clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).sessionKey 923 clientConfig.ClientSessionCache.Put(ticketKey, nil) 924 } 925 corruptTicket := func() { 926 clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.masterSecret[0] ^= 0xff 927 } 928 randomKey := func() [32]byte { 929 var k [32]byte 930 if _, err := io.ReadFull(serverConfig.rand(), k[:]); err != nil { 931 t.Fatalf("Failed to read new SessionTicketKey: %s", err) 932 } 933 return k 934 } 935 936 testResumeState("Handshake", false) 937 ticket := getTicket() 938 testResumeState("Resume", true) 939 if !bytes.Equal(ticket, getTicket()) && version != VersionTLS13 { 940 t.Fatal("first ticket doesn't match ticket after resumption") 941 } 942 if bytes.Equal(ticket, getTicket()) && version == VersionTLS13 { 943 t.Fatal("ticket didn't change after resumption") 944 } 945 946 // An old session ticket can resume, but the server will provide a ticket encrypted with a fresh key. 947 serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) } 948 testResumeState("ResumeWithOldTicket", true) 949 if bytes.Equal(ticket[:ticketKeyNameLen], getTicket()[:ticketKeyNameLen]) { 950 t.Fatal("old first ticket matches the fresh one") 951 } 952 953 // Now the session tickey key is expired, so a full handshake should occur. 954 serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) } 955 testResumeState("ResumeWithExpiredTicket", false) 956 if bytes.Equal(ticket, getTicket()) { 957 t.Fatal("expired first ticket matches the fresh one") 958 } 959 960 serverConfig.Time = func() time.Time { return time.Now() } // reset the time back 961 key1 := randomKey() 962 serverConfig.SetSessionTicketKeys([][32]byte{key1}) 963 964 testResumeState("InvalidSessionTicketKey", false) 965 testResumeState("ResumeAfterInvalidSessionTicketKey", true) 966 967 key2 := randomKey() 968 serverConfig.SetSessionTicketKeys([][32]byte{key2, key1}) 969 ticket = getTicket() 970 testResumeState("KeyChange", true) 971 if bytes.Equal(ticket, getTicket()) { 972 t.Fatal("new ticket wasn't included while resuming") 973 } 974 testResumeState("KeyChangeFinish", true) 975 976 // Age the session ticket a bit, but not yet expired. 977 serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) } 978 testResumeState("OldSessionTicket", true) 979 ticket = getTicket() 980 // Expire the session ticket, which would force a full handshake. 981 serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) } 982 testResumeState("ExpiredSessionTicket", false) 983 if bytes.Equal(ticket, getTicket()) { 984 t.Fatal("new ticket wasn't provided after old ticket expired") 985 } 986 987 // Age the session ticket a bit at a time, but don't expire it. 988 d := 0 * time.Hour 989 for i := 0; i < 13; i++ { 990 d += 12 * time.Hour 991 serverConfig.Time = func() time.Time { return time.Now().Add(d) } 992 testResumeState("OldSessionTicket", true) 993 } 994 // Expire it (now a little more than 7 days) and make sure a full 995 // handshake occurs for TLS 1.2. Resumption should still occur for 996 // TLS 1.3 since the client should be using a fresh ticket sent over 997 // by the server. 998 d += 12 * time.Hour 999 serverConfig.Time = func() time.Time { return time.Now().Add(d) } 1000 if version == VersionTLS13 { 1001 testResumeState("ExpiredSessionTicket", true) 1002 } else { 1003 testResumeState("ExpiredSessionTicket", false) 1004 } 1005 if bytes.Equal(ticket, getTicket()) { 1006 t.Fatal("new ticket wasn't provided after old ticket expired") 1007 } 1008 1009 // Reset serverConfig to ensure that calling SetSessionTicketKeys 1010 // before the serverConfig is used works. 1011 serverConfig = &Config{ 1012 MaxVersion: version, 1013 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, 1014 Certificates: testConfig.Certificates, 1015 } 1016 serverConfig.SetSessionTicketKeys([][32]byte{key2}) 1017 1018 testResumeState("FreshConfig", true) 1019 1020 // In TLS 1.3, cross-cipher suite resumption is allowed as long as the KDF 1021 // hash matches. Also, Config.CipherSuites does not apply to TLS 1.3. 1022 if version != VersionTLS13 { 1023 clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA} 1024 testResumeState("DifferentCipherSuite", false) 1025 testResumeState("DifferentCipherSuiteRecovers", true) 1026 } 1027 1028 deleteTicket() 1029 testResumeState("WithoutSessionTicket", false) 1030 1031 // Session resumption should work when using client certificates 1032 deleteTicket() 1033 serverConfig.ClientCAs = rootCAs 1034 serverConfig.ClientAuth = RequireAndVerifyClientCert 1035 clientConfig.Certificates = serverConfig.Certificates 1036 testResumeState("InitialHandshake", false) 1037 testResumeState("WithClientCertificates", true) 1038 serverConfig.ClientAuth = NoClientCert 1039 1040 // Tickets should be removed from the session cache on TLS handshake 1041 // failure, and the client should recover from a corrupted PSK 1042 testResumeState("FetchTicketToCorrupt", false) 1043 corruptTicket() 1044 _, _, err = testHandshake(t, clientConfig, serverConfig) 1045 if err == nil { 1046 t.Fatalf("handshake did not fail with a corrupted client secret") 1047 } 1048 testResumeState("AfterHandshakeFailure", false) 1049 1050 clientConfig.ClientSessionCache = nil 1051 testResumeState("WithoutSessionCache", false) 1052} 1053 1054func TestLRUClientSessionCache(t *testing.T) { 1055 // Initialize cache of capacity 4. 1056 cache := NewLRUClientSessionCache(4) 1057 cs := make([]ClientSessionState, 6) 1058 keys := []string{"0", "1", "2", "3", "4", "5", "6"} 1059 1060 // Add 4 entries to the cache and look them up. 1061 for i := 0; i < 4; i++ { 1062 cache.Put(keys[i], &cs[i]) 1063 } 1064 for i := 0; i < 4; i++ { 1065 if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] { 1066 t.Fatalf("session cache failed lookup for added key: %s", keys[i]) 1067 } 1068 } 1069 1070 // Add 2 more entries to the cache. First 2 should be evicted. 1071 for i := 4; i < 6; i++ { 1072 cache.Put(keys[i], &cs[i]) 1073 } 1074 for i := 0; i < 2; i++ { 1075 if s, ok := cache.Get(keys[i]); ok || s != nil { 1076 t.Fatalf("session cache should have evicted key: %s", keys[i]) 1077 } 1078 } 1079 1080 // Touch entry 2. LRU should evict 3 next. 1081 cache.Get(keys[2]) 1082 cache.Put(keys[0], &cs[0]) 1083 if s, ok := cache.Get(keys[3]); ok || s != nil { 1084 t.Fatalf("session cache should have evicted key 3") 1085 } 1086 1087 // Update entry 0 in place. 1088 cache.Put(keys[0], &cs[3]) 1089 if s, ok := cache.Get(keys[0]); !ok || s != &cs[3] { 1090 t.Fatalf("session cache failed update for key 0") 1091 } 1092 1093 // Calling Put with a nil entry deletes the key. 1094 cache.Put(keys[0], nil) 1095 if _, ok := cache.Get(keys[0]); ok { 1096 t.Fatalf("session cache failed to delete key 0") 1097 } 1098 1099 // Delete entry 2. LRU should keep 4 and 5 1100 cache.Put(keys[2], nil) 1101 if _, ok := cache.Get(keys[2]); ok { 1102 t.Fatalf("session cache failed to delete key 4") 1103 } 1104 for i := 4; i < 6; i++ { 1105 if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] { 1106 t.Fatalf("session cache should not have deleted key: %s", keys[i]) 1107 } 1108 } 1109} 1110 1111func TestKeyLogTLS12(t *testing.T) { 1112 var serverBuf, clientBuf bytes.Buffer 1113 1114 clientConfig := testConfig.Clone() 1115 clientConfig.KeyLogWriter = &clientBuf 1116 clientConfig.MaxVersion = VersionTLS12 1117 1118 serverConfig := testConfig.Clone() 1119 serverConfig.KeyLogWriter = &serverBuf 1120 serverConfig.MaxVersion = VersionTLS12 1121 1122 c, s := localPipe(t) 1123 done := make(chan bool) 1124 1125 go func() { 1126 defer close(done) 1127 1128 if err := Server(s, serverConfig).Handshake(); err != nil { 1129 t.Errorf("server: %s", err) 1130 return 1131 } 1132 s.Close() 1133 }() 1134 1135 if err := Client(c, clientConfig).Handshake(); err != nil { 1136 t.Fatalf("client: %s", err) 1137 } 1138 1139 c.Close() 1140 <-done 1141 1142 checkKeylogLine := func(side, loggedLine string) { 1143 if len(loggedLine) == 0 { 1144 t.Fatalf("%s: no keylog line was produced", side) 1145 } 1146 const expectedLen = 13 /* "CLIENT_RANDOM" */ + 1147 1 /* space */ + 1148 32*2 /* hex client nonce */ + 1149 1 /* space */ + 1150 48*2 /* hex master secret */ + 1151 1 /* new line */ 1152 if len(loggedLine) != expectedLen { 1153 t.Fatalf("%s: keylog line has incorrect length (want %d, got %d): %q", side, expectedLen, len(loggedLine), loggedLine) 1154 } 1155 if !strings.HasPrefix(loggedLine, "CLIENT_RANDOM "+strings.Repeat("0", 64)+" ") { 1156 t.Fatalf("%s: keylog line has incorrect structure or nonce: %q", side, loggedLine) 1157 } 1158 } 1159 1160 checkKeylogLine("client", clientBuf.String()) 1161 checkKeylogLine("server", serverBuf.String()) 1162} 1163 1164func TestKeyLogTLS13(t *testing.T) { 1165 var serverBuf, clientBuf bytes.Buffer 1166 1167 clientConfig := testConfig.Clone() 1168 clientConfig.KeyLogWriter = &clientBuf 1169 1170 serverConfig := testConfig.Clone() 1171 serverConfig.KeyLogWriter = &serverBuf 1172 1173 c, s := localPipe(t) 1174 done := make(chan bool) 1175 1176 go func() { 1177 defer close(done) 1178 1179 if err := Server(s, serverConfig).Handshake(); err != nil { 1180 t.Errorf("server: %s", err) 1181 return 1182 } 1183 s.Close() 1184 }() 1185 1186 if err := Client(c, clientConfig).Handshake(); err != nil { 1187 t.Fatalf("client: %s", err) 1188 } 1189 1190 c.Close() 1191 <-done 1192 1193 checkKeylogLines := func(side, loggedLines string) { 1194 loggedLines = strings.TrimSpace(loggedLines) 1195 lines := strings.Split(loggedLines, "\n") 1196 if len(lines) != 4 { 1197 t.Errorf("Expected the %s to log 4 lines, got %d", side, len(lines)) 1198 } 1199 } 1200 1201 checkKeylogLines("client", clientBuf.String()) 1202 checkKeylogLines("server", serverBuf.String()) 1203} 1204 1205func TestHandshakeClientALPNMatch(t *testing.T) { 1206 config := testConfig.Clone() 1207 config.NextProtos = []string{"proto2", "proto1"} 1208 1209 test := &clientTest{ 1210 name: "ALPN", 1211 // Note that this needs OpenSSL 1.0.2 because that is the first 1212 // version that supports the -alpn flag. 1213 args: []string{"-alpn", "proto1,proto2"}, 1214 config: config, 1215 validate: func(state ConnectionState) error { 1216 // The server's preferences should override the client. 1217 if state.NegotiatedProtocol != "proto1" { 1218 return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol) 1219 } 1220 return nil 1221 }, 1222 } 1223 runClientTestTLS12(t, test) 1224 runClientTestTLS13(t, test) 1225} 1226 1227func TestServerSelectingUnconfiguredApplicationProtocol(t *testing.T) { 1228 // This checks that the server can't select an application protocol that the 1229 // client didn't offer. 1230 1231 c, s := localPipe(t) 1232 errChan := make(chan error, 1) 1233 1234 go func() { 1235 client := Client(c, &Config{ 1236 ServerName: "foo", 1237 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1238 NextProtos: []string{"http", "something-else"}, 1239 }) 1240 errChan <- client.Handshake() 1241 }() 1242 1243 var header [5]byte 1244 if _, err := io.ReadFull(s, header[:]); err != nil { 1245 t.Fatal(err) 1246 } 1247 recordLen := int(header[3])<<8 | int(header[4]) 1248 1249 record := make([]byte, recordLen) 1250 if _, err := io.ReadFull(s, record); err != nil { 1251 t.Fatal(err) 1252 } 1253 1254 serverHello := &serverHelloMsg{ 1255 vers: VersionTLS12, 1256 random: make([]byte, 32), 1257 cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256, 1258 alpnProtocol: "how-about-this", 1259 } 1260 serverHelloBytes := serverHello.marshal() 1261 1262 s.Write([]byte{ 1263 byte(recordTypeHandshake), 1264 byte(VersionTLS12 >> 8), 1265 byte(VersionTLS12 & 0xff), 1266 byte(len(serverHelloBytes) >> 8), 1267 byte(len(serverHelloBytes)), 1268 }) 1269 s.Write(serverHelloBytes) 1270 s.Close() 1271 1272 if err := <-errChan; !strings.Contains(err.Error(), "server selected unadvertised ALPN protocol") { 1273 t.Fatalf("Expected error about unconfigured cipher suite but got %q", err) 1274 } 1275} 1276 1277// sctsBase64 contains data from `openssl s_client -serverinfo 18 -connect ritter.vg:443` 1278const sctsBase64 = "ABIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFHl5nuFgAABAMARjBEAiAcS4JdlW5nW9sElUv2zvQyPoZ6ejKrGGB03gjaBZFMLwIgc1Qbbn+hsH0RvObzhS+XZhr3iuQQJY8S9G85D9KeGPAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUeX4bVwAAAEAwBHMEUCIDIhFDgG2HIuADBkGuLobU5a4dlCHoJLliWJ1SYT05z6AiEAjxIoZFFPRNWMGGIjskOTMwXzQ1Wh2e7NxXE1kd1J0QsAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAUhcZIqHAAAEAwBHMEUCICmJ1rBT09LpkbzxtUC+Hi7nXLR0J+2PmwLp+sJMuqK+AiEAr0NkUnEVKVhAkccIFpYDqHOlZaBsuEhWWrYpg2RtKp0=" 1279 1280func TestHandshakClientSCTs(t *testing.T) { 1281 config := testConfig.Clone() 1282 1283 scts, err := base64.StdEncoding.DecodeString(sctsBase64) 1284 if err != nil { 1285 t.Fatal(err) 1286 } 1287 1288 // Note that this needs OpenSSL 1.0.2 because that is the first 1289 // version that supports the -serverinfo flag. 1290 test := &clientTest{ 1291 name: "SCT", 1292 config: config, 1293 extensions: [][]byte{scts}, 1294 validate: func(state ConnectionState) error { 1295 expectedSCTs := [][]byte{ 1296 scts[8:125], 1297 scts[127:245], 1298 scts[247:], 1299 } 1300 if n := len(state.SignedCertificateTimestamps); n != len(expectedSCTs) { 1301 return fmt.Errorf("Got %d scts, wanted %d", n, len(expectedSCTs)) 1302 } 1303 for i, expected := range expectedSCTs { 1304 if sct := state.SignedCertificateTimestamps[i]; !bytes.Equal(sct, expected) { 1305 return fmt.Errorf("SCT #%d contained %x, expected %x", i, sct, expected) 1306 } 1307 } 1308 return nil 1309 }, 1310 } 1311 runClientTestTLS12(t, test) 1312 1313 // TLS 1.3 moved SCTs to the Certificate extensions and -serverinfo only 1314 // supports ServerHello extensions. 1315} 1316 1317func TestRenegotiationRejected(t *testing.T) { 1318 config := testConfig.Clone() 1319 test := &clientTest{ 1320 name: "RenegotiationRejected", 1321 args: []string{"-state"}, 1322 config: config, 1323 numRenegotiations: 1, 1324 renegotiationExpectedToFail: 1, 1325 checkRenegotiationError: func(renegotiationNum int, err error) error { 1326 if err == nil { 1327 return errors.New("expected error from renegotiation but got nil") 1328 } 1329 if !strings.Contains(err.Error(), "no renegotiation") { 1330 return fmt.Errorf("expected renegotiation to be rejected but got %q", err) 1331 } 1332 return nil 1333 }, 1334 } 1335 runClientTestTLS12(t, test) 1336} 1337 1338func TestRenegotiateOnce(t *testing.T) { 1339 config := testConfig.Clone() 1340 config.Renegotiation = RenegotiateOnceAsClient 1341 1342 test := &clientTest{ 1343 name: "RenegotiateOnce", 1344 args: []string{"-state"}, 1345 config: config, 1346 numRenegotiations: 1, 1347 } 1348 1349 runClientTestTLS12(t, test) 1350} 1351 1352func TestRenegotiateTwice(t *testing.T) { 1353 config := testConfig.Clone() 1354 config.Renegotiation = RenegotiateFreelyAsClient 1355 1356 test := &clientTest{ 1357 name: "RenegotiateTwice", 1358 args: []string{"-state"}, 1359 config: config, 1360 numRenegotiations: 2, 1361 } 1362 1363 runClientTestTLS12(t, test) 1364} 1365 1366func TestRenegotiateTwiceRejected(t *testing.T) { 1367 config := testConfig.Clone() 1368 config.Renegotiation = RenegotiateOnceAsClient 1369 1370 test := &clientTest{ 1371 name: "RenegotiateTwiceRejected", 1372 args: []string{"-state"}, 1373 config: config, 1374 numRenegotiations: 2, 1375 renegotiationExpectedToFail: 2, 1376 checkRenegotiationError: func(renegotiationNum int, err error) error { 1377 if renegotiationNum == 1 { 1378 return err 1379 } 1380 1381 if err == nil { 1382 return errors.New("expected error from renegotiation but got nil") 1383 } 1384 if !strings.Contains(err.Error(), "no renegotiation") { 1385 return fmt.Errorf("expected renegotiation to be rejected but got %q", err) 1386 } 1387 return nil 1388 }, 1389 } 1390 1391 runClientTestTLS12(t, test) 1392} 1393 1394func TestHandshakeClientExportKeyingMaterial(t *testing.T) { 1395 test := &clientTest{ 1396 name: "ExportKeyingMaterial", 1397 config: testConfig.Clone(), 1398 validate: func(state ConnectionState) error { 1399 if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil { 1400 return fmt.Errorf("ExportKeyingMaterial failed: %v", err) 1401 } else if len(km) != 42 { 1402 return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42) 1403 } 1404 return nil 1405 }, 1406 } 1407 runClientTestTLS10(t, test) 1408 runClientTestTLS12(t, test) 1409 runClientTestTLS13(t, test) 1410} 1411 1412var hostnameInSNITests = []struct { 1413 in, out string 1414}{ 1415 // Opaque string 1416 {"", ""}, 1417 {"localhost", "localhost"}, 1418 {"foo, bar, baz and qux", "foo, bar, baz and qux"}, 1419 1420 // DNS hostname 1421 {"golang.org", "golang.org"}, 1422 {"golang.org.", "golang.org"}, 1423 1424 // Literal IPv4 address 1425 {"1.2.3.4", ""}, 1426 1427 // Literal IPv6 address 1428 {"::1", ""}, 1429 {"::1%lo0", ""}, // with zone identifier 1430 {"[::1]", ""}, // as per RFC 5952 we allow the [] style as IPv6 literal 1431 {"[::1%lo0]", ""}, 1432} 1433 1434func TestHostnameInSNI(t *testing.T) { 1435 for _, tt := range hostnameInSNITests { 1436 c, s := localPipe(t) 1437 1438 go func(host string) { 1439 Client(c, &Config{ServerName: host, InsecureSkipVerify: true}).Handshake() 1440 }(tt.in) 1441 1442 var header [5]byte 1443 if _, err := io.ReadFull(s, header[:]); err != nil { 1444 t.Fatal(err) 1445 } 1446 recordLen := int(header[3])<<8 | int(header[4]) 1447 1448 record := make([]byte, recordLen) 1449 if _, err := io.ReadFull(s, record[:]); err != nil { 1450 t.Fatal(err) 1451 } 1452 1453 c.Close() 1454 s.Close() 1455 1456 var m clientHelloMsg 1457 if !m.unmarshal(record) { 1458 t.Errorf("unmarshaling ClientHello for %q failed", tt.in) 1459 continue 1460 } 1461 if tt.in != tt.out && m.serverName == tt.in { 1462 t.Errorf("prohibited %q found in ClientHello: %x", tt.in, record) 1463 } 1464 if m.serverName != tt.out { 1465 t.Errorf("expected %q not found in ClientHello: %x", tt.out, record) 1466 } 1467 } 1468} 1469 1470func TestServerSelectingUnconfiguredCipherSuite(t *testing.T) { 1471 // This checks that the server can't select a cipher suite that the 1472 // client didn't offer. See #13174. 1473 1474 c, s := localPipe(t) 1475 errChan := make(chan error, 1) 1476 1477 go func() { 1478 client := Client(c, &Config{ 1479 ServerName: "foo", 1480 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, 1481 }) 1482 errChan <- client.Handshake() 1483 }() 1484 1485 var header [5]byte 1486 if _, err := io.ReadFull(s, header[:]); err != nil { 1487 t.Fatal(err) 1488 } 1489 recordLen := int(header[3])<<8 | int(header[4]) 1490 1491 record := make([]byte, recordLen) 1492 if _, err := io.ReadFull(s, record); err != nil { 1493 t.Fatal(err) 1494 } 1495 1496 // Create a ServerHello that selects a different cipher suite than the 1497 // sole one that the client offered. 1498 serverHello := &serverHelloMsg{ 1499 vers: VersionTLS12, 1500 random: make([]byte, 32), 1501 cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384, 1502 } 1503 serverHelloBytes := serverHello.marshal() 1504 1505 s.Write([]byte{ 1506 byte(recordTypeHandshake), 1507 byte(VersionTLS12 >> 8), 1508 byte(VersionTLS12 & 0xff), 1509 byte(len(serverHelloBytes) >> 8), 1510 byte(len(serverHelloBytes)), 1511 }) 1512 s.Write(serverHelloBytes) 1513 s.Close() 1514 1515 if err := <-errChan; !strings.Contains(err.Error(), "unconfigured cipher") { 1516 t.Fatalf("Expected error about unconfigured cipher suite but got %q", err) 1517 } 1518} 1519 1520func TestVerifyConnection(t *testing.T) { 1521 t.Run("TLSv12", func(t *testing.T) { testVerifyConnection(t, VersionTLS12) }) 1522 t.Run("TLSv13", func(t *testing.T) { testVerifyConnection(t, VersionTLS13) }) 1523} 1524 1525func testVerifyConnection(t *testing.T, version uint16) { 1526 checkFields := func(c ConnectionState, called *int, errorType string) error { 1527 if c.Version != version { 1528 return fmt.Errorf("%s: got Version %v, want %v", errorType, c.Version, version) 1529 } 1530 if c.HandshakeComplete { 1531 return fmt.Errorf("%s: got HandshakeComplete, want false", errorType) 1532 } 1533 if c.ServerName != "example.golang" { 1534 return fmt.Errorf("%s: got ServerName %s, want %s", errorType, c.ServerName, "example.golang") 1535 } 1536 if c.NegotiatedProtocol != "protocol1" { 1537 return fmt.Errorf("%s: got NegotiatedProtocol %s, want %s", errorType, c.NegotiatedProtocol, "protocol1") 1538 } 1539 if c.CipherSuite == 0 { 1540 return fmt.Errorf("%s: got CipherSuite 0, want non-zero", errorType) 1541 } 1542 wantDidResume := false 1543 if *called == 2 { // if this is the second time, then it should be a resumption 1544 wantDidResume = true 1545 } 1546 if c.DidResume != wantDidResume { 1547 return fmt.Errorf("%s: got DidResume %t, want %t", errorType, c.DidResume, wantDidResume) 1548 } 1549 return nil 1550 } 1551 1552 tests := []struct { 1553 name string 1554 configureServer func(*Config, *int) 1555 configureClient func(*Config, *int) 1556 }{ 1557 { 1558 name: "RequireAndVerifyClientCert", 1559 configureServer: func(config *Config, called *int) { 1560 config.ClientAuth = RequireAndVerifyClientCert 1561 config.VerifyConnection = func(c ConnectionState) error { 1562 *called++ 1563 if l := len(c.PeerCertificates); l != 1 { 1564 return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l) 1565 } 1566 if len(c.VerifiedChains) == 0 { 1567 return fmt.Errorf("server: got len(VerifiedChains) = 0, wanted non-zero") 1568 } 1569 return checkFields(c, called, "server") 1570 } 1571 }, 1572 configureClient: func(config *Config, called *int) { 1573 config.VerifyConnection = func(c ConnectionState) error { 1574 *called++ 1575 if l := len(c.PeerCertificates); l != 1 { 1576 return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) 1577 } 1578 if len(c.VerifiedChains) == 0 { 1579 return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero") 1580 } 1581 if c.DidResume { 1582 return nil 1583 // The SCTs and OCSP Response are dropped on resumption. 1584 // See http://golang.org/issue/39075. 1585 } 1586 if len(c.OCSPResponse) == 0 { 1587 return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") 1588 } 1589 if len(c.SignedCertificateTimestamps) == 0 { 1590 return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") 1591 } 1592 return checkFields(c, called, "client") 1593 } 1594 }, 1595 }, 1596 { 1597 name: "InsecureSkipVerify", 1598 configureServer: func(config *Config, called *int) { 1599 config.ClientAuth = RequireAnyClientCert 1600 config.InsecureSkipVerify = true 1601 config.VerifyConnection = func(c ConnectionState) error { 1602 *called++ 1603 if l := len(c.PeerCertificates); l != 1 { 1604 return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l) 1605 } 1606 if c.VerifiedChains != nil { 1607 return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains) 1608 } 1609 return checkFields(c, called, "server") 1610 } 1611 }, 1612 configureClient: func(config *Config, called *int) { 1613 config.InsecureSkipVerify = true 1614 config.VerifyConnection = func(c ConnectionState) error { 1615 *called++ 1616 if l := len(c.PeerCertificates); l != 1 { 1617 return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) 1618 } 1619 if c.VerifiedChains != nil { 1620 return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains) 1621 } 1622 if c.DidResume { 1623 return nil 1624 // The SCTs and OCSP Response are dropped on resumption. 1625 // See http://golang.org/issue/39075. 1626 } 1627 if len(c.OCSPResponse) == 0 { 1628 return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") 1629 } 1630 if len(c.SignedCertificateTimestamps) == 0 { 1631 return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") 1632 } 1633 return checkFields(c, called, "client") 1634 } 1635 }, 1636 }, 1637 { 1638 name: "NoClientCert", 1639 configureServer: func(config *Config, called *int) { 1640 config.ClientAuth = NoClientCert 1641 config.VerifyConnection = func(c ConnectionState) error { 1642 *called++ 1643 return checkFields(c, called, "server") 1644 } 1645 }, 1646 configureClient: func(config *Config, called *int) { 1647 config.VerifyConnection = func(c ConnectionState) error { 1648 *called++ 1649 return checkFields(c, called, "client") 1650 } 1651 }, 1652 }, 1653 { 1654 name: "RequestClientCert", 1655 configureServer: func(config *Config, called *int) { 1656 config.ClientAuth = RequestClientCert 1657 config.VerifyConnection = func(c ConnectionState) error { 1658 *called++ 1659 return checkFields(c, called, "server") 1660 } 1661 }, 1662 configureClient: func(config *Config, called *int) { 1663 config.Certificates = nil // clear the client cert 1664 config.VerifyConnection = func(c ConnectionState) error { 1665 *called++ 1666 if l := len(c.PeerCertificates); l != 1 { 1667 return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) 1668 } 1669 if len(c.VerifiedChains) == 0 { 1670 return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero") 1671 } 1672 if c.DidResume { 1673 return nil 1674 // The SCTs and OCSP Response are dropped on resumption. 1675 // See http://golang.org/issue/39075. 1676 } 1677 if len(c.OCSPResponse) == 0 { 1678 return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") 1679 } 1680 if len(c.SignedCertificateTimestamps) == 0 { 1681 return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") 1682 } 1683 return checkFields(c, called, "client") 1684 } 1685 }, 1686 }, 1687 } 1688 for _, test := range tests { 1689 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 1690 if err != nil { 1691 panic(err) 1692 } 1693 rootCAs := x509.NewCertPool() 1694 rootCAs.AddCert(issuer) 1695 1696 var serverCalled, clientCalled int 1697 1698 serverConfig := &Config{ 1699 MaxVersion: version, 1700 Certificates: []Certificate{testConfig.Certificates[0]}, 1701 ClientCAs: rootCAs, 1702 NextProtos: []string{"protocol1"}, 1703 } 1704 serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} 1705 serverConfig.Certificates[0].OCSPStaple = []byte("dummy ocsp") 1706 test.configureServer(serverConfig, &serverCalled) 1707 1708 clientConfig := &Config{ 1709 MaxVersion: version, 1710 ClientSessionCache: NewLRUClientSessionCache(32), 1711 RootCAs: rootCAs, 1712 ServerName: "example.golang", 1713 Certificates: []Certificate{testConfig.Certificates[0]}, 1714 NextProtos: []string{"protocol1"}, 1715 } 1716 test.configureClient(clientConfig, &clientCalled) 1717 1718 testHandshakeState := func(name string, didResume bool) { 1719 _, hs, err := testHandshake(t, clientConfig, serverConfig) 1720 if err != nil { 1721 t.Fatalf("%s: handshake failed: %s", name, err) 1722 } 1723 if hs.DidResume != didResume { 1724 t.Errorf("%s: resumed: %v, expected: %v", name, hs.DidResume, didResume) 1725 } 1726 wantCalled := 1 1727 if didResume { 1728 wantCalled = 2 // resumption would mean this is the second time it was called in this test 1729 } 1730 if clientCalled != wantCalled { 1731 t.Errorf("%s: expected client VerifyConnection called %d times, did %d times", name, wantCalled, clientCalled) 1732 } 1733 if serverCalled != wantCalled { 1734 t.Errorf("%s: expected server VerifyConnection called %d times, did %d times", name, wantCalled, serverCalled) 1735 } 1736 } 1737 testHandshakeState(fmt.Sprintf("%s-FullHandshake", test.name), false) 1738 testHandshakeState(fmt.Sprintf("%s-Resumption", test.name), true) 1739 } 1740} 1741 1742func TestVerifyPeerCertificate(t *testing.T) { 1743 t.Run("TLSv12", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS12) }) 1744 t.Run("TLSv13", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS13) }) 1745} 1746 1747func testVerifyPeerCertificate(t *testing.T, version uint16) { 1748 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 1749 if err != nil { 1750 panic(err) 1751 } 1752 1753 rootCAs := x509.NewCertPool() 1754 rootCAs.AddCert(issuer) 1755 1756 now := func() time.Time { return time.Unix(1476984729, 0) } 1757 1758 sentinelErr := errors.New("TestVerifyPeerCertificate") 1759 1760 verifyPeerCertificateCallback := func(called *bool, rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1761 if l := len(rawCerts); l != 1 { 1762 return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l) 1763 } 1764 if len(validatedChains) == 0 { 1765 return errors.New("got len(validatedChains) = 0, wanted non-zero") 1766 } 1767 *called = true 1768 return nil 1769 } 1770 verifyConnectionCallback := func(called *bool, isClient bool, c ConnectionState) error { 1771 if l := len(c.PeerCertificates); l != 1 { 1772 return fmt.Errorf("got len(PeerCertificates) = %d, wanted 1", l) 1773 } 1774 if len(c.VerifiedChains) == 0 { 1775 return fmt.Errorf("got len(VerifiedChains) = 0, wanted non-zero") 1776 } 1777 if isClient && len(c.OCSPResponse) == 0 { 1778 return fmt.Errorf("got len(OCSPResponse) = 0, wanted non-zero") 1779 } 1780 *called = true 1781 return nil 1782 } 1783 1784 tests := []struct { 1785 configureServer func(*Config, *bool) 1786 configureClient func(*Config, *bool) 1787 validate func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) 1788 }{ 1789 { 1790 configureServer: func(config *Config, called *bool) { 1791 config.InsecureSkipVerify = false 1792 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1793 return verifyPeerCertificateCallback(called, rawCerts, validatedChains) 1794 } 1795 }, 1796 configureClient: func(config *Config, called *bool) { 1797 config.InsecureSkipVerify = false 1798 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1799 return verifyPeerCertificateCallback(called, rawCerts, validatedChains) 1800 } 1801 }, 1802 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1803 if clientErr != nil { 1804 t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) 1805 } 1806 if serverErr != nil { 1807 t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) 1808 } 1809 if !clientCalled { 1810 t.Errorf("test[%d]: client did not call callback", testNo) 1811 } 1812 if !serverCalled { 1813 t.Errorf("test[%d]: server did not call callback", testNo) 1814 } 1815 }, 1816 }, 1817 { 1818 configureServer: func(config *Config, called *bool) { 1819 config.InsecureSkipVerify = false 1820 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1821 return sentinelErr 1822 } 1823 }, 1824 configureClient: func(config *Config, called *bool) { 1825 config.VerifyPeerCertificate = nil 1826 }, 1827 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1828 if serverErr != sentinelErr { 1829 t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) 1830 } 1831 }, 1832 }, 1833 { 1834 configureServer: func(config *Config, called *bool) { 1835 config.InsecureSkipVerify = false 1836 }, 1837 configureClient: func(config *Config, called *bool) { 1838 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1839 return sentinelErr 1840 } 1841 }, 1842 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1843 if clientErr != sentinelErr { 1844 t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) 1845 } 1846 }, 1847 }, 1848 { 1849 configureServer: func(config *Config, called *bool) { 1850 config.InsecureSkipVerify = false 1851 }, 1852 configureClient: func(config *Config, called *bool) { 1853 config.InsecureSkipVerify = true 1854 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1855 if l := len(rawCerts); l != 1 { 1856 return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l) 1857 } 1858 // With InsecureSkipVerify set, this 1859 // callback should still be called but 1860 // validatedChains must be empty. 1861 if l := len(validatedChains); l != 0 { 1862 return fmt.Errorf("got len(validatedChains) = %d, wanted zero", l) 1863 } 1864 *called = true 1865 return nil 1866 } 1867 }, 1868 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1869 if clientErr != nil { 1870 t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) 1871 } 1872 if serverErr != nil { 1873 t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) 1874 } 1875 if !clientCalled { 1876 t.Errorf("test[%d]: client did not call callback", testNo) 1877 } 1878 }, 1879 }, 1880 { 1881 configureServer: func(config *Config, called *bool) { 1882 config.InsecureSkipVerify = false 1883 config.VerifyConnection = func(c ConnectionState) error { 1884 return verifyConnectionCallback(called, false, c) 1885 } 1886 }, 1887 configureClient: func(config *Config, called *bool) { 1888 config.InsecureSkipVerify = false 1889 config.VerifyConnection = func(c ConnectionState) error { 1890 return verifyConnectionCallback(called, true, c) 1891 } 1892 }, 1893 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1894 if clientErr != nil { 1895 t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) 1896 } 1897 if serverErr != nil { 1898 t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) 1899 } 1900 if !clientCalled { 1901 t.Errorf("test[%d]: client did not call callback", testNo) 1902 } 1903 if !serverCalled { 1904 t.Errorf("test[%d]: server did not call callback", testNo) 1905 } 1906 }, 1907 }, 1908 { 1909 configureServer: func(config *Config, called *bool) { 1910 config.InsecureSkipVerify = false 1911 config.VerifyConnection = func(c ConnectionState) error { 1912 return sentinelErr 1913 } 1914 }, 1915 configureClient: func(config *Config, called *bool) { 1916 config.InsecureSkipVerify = false 1917 config.VerifyConnection = nil 1918 }, 1919 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1920 if serverErr != sentinelErr { 1921 t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) 1922 } 1923 }, 1924 }, 1925 { 1926 configureServer: func(config *Config, called *bool) { 1927 config.InsecureSkipVerify = false 1928 config.VerifyConnection = nil 1929 }, 1930 configureClient: func(config *Config, called *bool) { 1931 config.InsecureSkipVerify = false 1932 config.VerifyConnection = func(c ConnectionState) error { 1933 return sentinelErr 1934 } 1935 }, 1936 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1937 if clientErr != sentinelErr { 1938 t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) 1939 } 1940 }, 1941 }, 1942 { 1943 configureServer: func(config *Config, called *bool) { 1944 config.InsecureSkipVerify = false 1945 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1946 return verifyPeerCertificateCallback(called, rawCerts, validatedChains) 1947 } 1948 config.VerifyConnection = func(c ConnectionState) error { 1949 return sentinelErr 1950 } 1951 }, 1952 configureClient: func(config *Config, called *bool) { 1953 config.InsecureSkipVerify = false 1954 config.VerifyPeerCertificate = nil 1955 config.VerifyConnection = nil 1956 }, 1957 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1958 if serverErr != sentinelErr { 1959 t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) 1960 } 1961 if !serverCalled { 1962 t.Errorf("test[%d]: server did not call callback", testNo) 1963 } 1964 }, 1965 }, 1966 { 1967 configureServer: func(config *Config, called *bool) { 1968 config.InsecureSkipVerify = false 1969 config.VerifyPeerCertificate = nil 1970 config.VerifyConnection = nil 1971 }, 1972 configureClient: func(config *Config, called *bool) { 1973 config.InsecureSkipVerify = false 1974 config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { 1975 return verifyPeerCertificateCallback(called, rawCerts, validatedChains) 1976 } 1977 config.VerifyConnection = func(c ConnectionState) error { 1978 return sentinelErr 1979 } 1980 }, 1981 validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { 1982 if clientErr != sentinelErr { 1983 t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) 1984 } 1985 if !clientCalled { 1986 t.Errorf("test[%d]: client did not call callback", testNo) 1987 } 1988 }, 1989 }, 1990 } 1991 1992 for i, test := range tests { 1993 c, s := localPipe(t) 1994 done := make(chan error) 1995 1996 var clientCalled, serverCalled bool 1997 1998 go func() { 1999 config := testConfig.Clone() 2000 config.ServerName = "example.golang" 2001 config.ClientAuth = RequireAndVerifyClientCert 2002 config.ClientCAs = rootCAs 2003 config.Time = now 2004 config.MaxVersion = version 2005 config.Certificates = make([]Certificate, 1) 2006 config.Certificates[0].Certificate = [][]byte{testRSACertificate} 2007 config.Certificates[0].PrivateKey = testRSAPrivateKey 2008 config.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} 2009 config.Certificates[0].OCSPStaple = []byte("dummy ocsp") 2010 test.configureServer(config, &serverCalled) 2011 2012 err = Server(s, config).Handshake() 2013 s.Close() 2014 done <- err 2015 }() 2016 2017 config := testConfig.Clone() 2018 config.ServerName = "example.golang" 2019 config.RootCAs = rootCAs 2020 config.Time = now 2021 config.MaxVersion = version 2022 test.configureClient(config, &clientCalled) 2023 clientErr := Client(c, config).Handshake() 2024 c.Close() 2025 serverErr := <-done 2026 2027 test.validate(t, i, clientCalled, serverCalled, clientErr, serverErr) 2028 } 2029} 2030 2031// brokenConn wraps a net.Conn and causes all Writes after a certain number to 2032// fail with brokenConnErr. 2033type brokenConn struct { 2034 net.Conn 2035 2036 // breakAfter is the number of successful writes that will be allowed 2037 // before all subsequent writes fail. 2038 breakAfter int 2039 2040 // numWrites is the number of writes that have been done. 2041 numWrites int 2042} 2043 2044// brokenConnErr is the error that brokenConn returns once exhausted. 2045var brokenConnErr = errors.New("too many writes to brokenConn") 2046 2047func (b *brokenConn) Write(data []byte) (int, error) { 2048 if b.numWrites >= b.breakAfter { 2049 return 0, brokenConnErr 2050 } 2051 2052 b.numWrites++ 2053 return b.Conn.Write(data) 2054} 2055 2056func TestFailedWrite(t *testing.T) { 2057 // Test that a write error during the handshake is returned. 2058 for _, breakAfter := range []int{0, 1} { 2059 c, s := localPipe(t) 2060 done := make(chan bool) 2061 2062 go func() { 2063 Server(s, testConfig).Handshake() 2064 s.Close() 2065 done <- true 2066 }() 2067 2068 brokenC := &brokenConn{Conn: c, breakAfter: breakAfter} 2069 err := Client(brokenC, testConfig).Handshake() 2070 if err != brokenConnErr { 2071 t.Errorf("#%d: expected error from brokenConn but got %q", breakAfter, err) 2072 } 2073 brokenC.Close() 2074 2075 <-done 2076 } 2077} 2078 2079// writeCountingConn wraps a net.Conn and counts the number of Write calls. 2080type writeCountingConn struct { 2081 net.Conn 2082 2083 // numWrites is the number of writes that have been done. 2084 numWrites int 2085} 2086 2087func (wcc *writeCountingConn) Write(data []byte) (int, error) { 2088 wcc.numWrites++ 2089 return wcc.Conn.Write(data) 2090} 2091 2092func TestBuffering(t *testing.T) { 2093 t.Run("TLSv12", func(t *testing.T) { testBuffering(t, VersionTLS12) }) 2094 t.Run("TLSv13", func(t *testing.T) { testBuffering(t, VersionTLS13) }) 2095} 2096 2097func testBuffering(t *testing.T, version uint16) { 2098 c, s := localPipe(t) 2099 done := make(chan bool) 2100 2101 clientWCC := &writeCountingConn{Conn: c} 2102 serverWCC := &writeCountingConn{Conn: s} 2103 2104 go func() { 2105 config := testConfig.Clone() 2106 config.MaxVersion = version 2107 Server(serverWCC, config).Handshake() 2108 serverWCC.Close() 2109 done <- true 2110 }() 2111 2112 err := Client(clientWCC, testConfig).Handshake() 2113 if err != nil { 2114 t.Fatal(err) 2115 } 2116 clientWCC.Close() 2117 <-done 2118 2119 var expectedClient, expectedServer int 2120 if version == VersionTLS13 { 2121 expectedClient = 2 2122 expectedServer = 1 2123 } else { 2124 expectedClient = 2 2125 expectedServer = 2 2126 } 2127 2128 if n := clientWCC.numWrites; n != expectedClient { 2129 t.Errorf("expected client handshake to complete with %d writes, but saw %d", expectedClient, n) 2130 } 2131 2132 if n := serverWCC.numWrites; n != expectedServer { 2133 t.Errorf("expected server handshake to complete with %d writes, but saw %d", expectedServer, n) 2134 } 2135} 2136 2137func TestAlertFlushing(t *testing.T) { 2138 c, s := localPipe(t) 2139 done := make(chan bool) 2140 2141 clientWCC := &writeCountingConn{Conn: c} 2142 serverWCC := &writeCountingConn{Conn: s} 2143 2144 serverConfig := testConfig.Clone() 2145 2146 // Cause a signature-time error 2147 brokenKey := rsa.PrivateKey{PublicKey: testRSAPrivateKey.PublicKey} 2148 brokenKey.D = big.NewInt(42) 2149 serverConfig.Certificates = []Certificate{{ 2150 Certificate: [][]byte{testRSACertificate}, 2151 PrivateKey: &brokenKey, 2152 }} 2153 2154 go func() { 2155 Server(serverWCC, serverConfig).Handshake() 2156 serverWCC.Close() 2157 done <- true 2158 }() 2159 2160 err := Client(clientWCC, testConfig).Handshake() 2161 if err == nil { 2162 t.Fatal("client unexpectedly returned no error") 2163 } 2164 2165 const expectedError = "remote error: tls: internal error" 2166 if e := err.Error(); !strings.Contains(e, expectedError) { 2167 t.Fatalf("expected to find %q in error but error was %q", expectedError, e) 2168 } 2169 clientWCC.Close() 2170 <-done 2171 2172 if n := serverWCC.numWrites; n != 1 { 2173 t.Errorf("expected server handshake to complete with one write, but saw %d", n) 2174 } 2175} 2176 2177func TestHandshakeRace(t *testing.T) { 2178 if testing.Short() { 2179 t.Skip("skipping in -short mode") 2180 } 2181 t.Parallel() 2182 // This test races a Read and Write to try and complete a handshake in 2183 // order to provide some evidence that there are no races or deadlocks 2184 // in the handshake locking. 2185 for i := 0; i < 32; i++ { 2186 c, s := localPipe(t) 2187 2188 go func() { 2189 server := Server(s, testConfig) 2190 if err := server.Handshake(); err != nil { 2191 panic(err) 2192 } 2193 2194 var request [1]byte 2195 if n, err := server.Read(request[:]); err != nil || n != 1 { 2196 panic(err) 2197 } 2198 2199 server.Write(request[:]) 2200 server.Close() 2201 }() 2202 2203 startWrite := make(chan struct{}) 2204 startRead := make(chan struct{}) 2205 readDone := make(chan struct{}, 1) 2206 2207 client := Client(c, testConfig) 2208 go func() { 2209 <-startWrite 2210 var request [1]byte 2211 client.Write(request[:]) 2212 }() 2213 2214 go func() { 2215 <-startRead 2216 var reply [1]byte 2217 if _, err := io.ReadFull(client, reply[:]); err != nil { 2218 panic(err) 2219 } 2220 c.Close() 2221 readDone <- struct{}{} 2222 }() 2223 2224 if i&1 == 1 { 2225 startWrite <- struct{}{} 2226 startRead <- struct{}{} 2227 } else { 2228 startRead <- struct{}{} 2229 startWrite <- struct{}{} 2230 } 2231 <-readDone 2232 } 2233} 2234 2235var getClientCertificateTests = []struct { 2236 setup func(*Config, *Config) 2237 expectedClientError string 2238 verify func(*testing.T, int, *ConnectionState) 2239}{ 2240 { 2241 func(clientConfig, serverConfig *Config) { 2242 // Returning a Certificate with no certificate data 2243 // should result in an empty message being sent to the 2244 // server. 2245 serverConfig.ClientCAs = nil 2246 clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { 2247 if len(cri.SignatureSchemes) == 0 { 2248 panic("empty SignatureSchemes") 2249 } 2250 if len(cri.AcceptableCAs) != 0 { 2251 panic("AcceptableCAs should have been empty") 2252 } 2253 return new(Certificate), nil 2254 } 2255 }, 2256 "", 2257 func(t *testing.T, testNum int, cs *ConnectionState) { 2258 if l := len(cs.PeerCertificates); l != 0 { 2259 t.Errorf("#%d: expected no certificates but got %d", testNum, l) 2260 } 2261 }, 2262 }, 2263 { 2264 func(clientConfig, serverConfig *Config) { 2265 // With TLS 1.1, the SignatureSchemes should be 2266 // synthesised from the supported certificate types. 2267 clientConfig.MaxVersion = VersionTLS11 2268 clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { 2269 if len(cri.SignatureSchemes) == 0 { 2270 panic("empty SignatureSchemes") 2271 } 2272 return new(Certificate), nil 2273 } 2274 }, 2275 "", 2276 func(t *testing.T, testNum int, cs *ConnectionState) { 2277 if l := len(cs.PeerCertificates); l != 0 { 2278 t.Errorf("#%d: expected no certificates but got %d", testNum, l) 2279 } 2280 }, 2281 }, 2282 { 2283 func(clientConfig, serverConfig *Config) { 2284 // Returning an error should abort the handshake with 2285 // that error. 2286 clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { 2287 return nil, errors.New("GetClientCertificate") 2288 } 2289 }, 2290 "GetClientCertificate", 2291 func(t *testing.T, testNum int, cs *ConnectionState) { 2292 }, 2293 }, 2294 { 2295 func(clientConfig, serverConfig *Config) { 2296 clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { 2297 if len(cri.AcceptableCAs) == 0 { 2298 panic("empty AcceptableCAs") 2299 } 2300 cert := &Certificate{ 2301 Certificate: [][]byte{testRSACertificate}, 2302 PrivateKey: testRSAPrivateKey, 2303 } 2304 return cert, nil 2305 } 2306 }, 2307 "", 2308 func(t *testing.T, testNum int, cs *ConnectionState) { 2309 if len(cs.VerifiedChains) == 0 { 2310 t.Errorf("#%d: expected some verified chains, but found none", testNum) 2311 } 2312 }, 2313 }, 2314} 2315 2316func TestGetClientCertificate(t *testing.T) { 2317 t.Run("TLSv12", func(t *testing.T) { testGetClientCertificate(t, VersionTLS12) }) 2318 t.Run("TLSv13", func(t *testing.T) { testGetClientCertificate(t, VersionTLS13) }) 2319} 2320 2321func testGetClientCertificate(t *testing.T, version uint16) { 2322 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 2323 if err != nil { 2324 panic(err) 2325 } 2326 2327 for i, test := range getClientCertificateTests { 2328 serverConfig := testConfig.Clone() 2329 serverConfig.ClientAuth = VerifyClientCertIfGiven 2330 serverConfig.RootCAs = x509.NewCertPool() 2331 serverConfig.RootCAs.AddCert(issuer) 2332 serverConfig.ClientCAs = serverConfig.RootCAs 2333 serverConfig.Time = func() time.Time { return time.Unix(1476984729, 0) } 2334 serverConfig.MaxVersion = version 2335 2336 clientConfig := testConfig.Clone() 2337 clientConfig.MaxVersion = version 2338 2339 test.setup(clientConfig, serverConfig) 2340 2341 type serverResult struct { 2342 cs ConnectionState 2343 err error 2344 } 2345 2346 c, s := localPipe(t) 2347 done := make(chan serverResult) 2348 2349 go func() { 2350 defer s.Close() 2351 server := Server(s, serverConfig) 2352 err := server.Handshake() 2353 2354 var cs ConnectionState 2355 if err == nil { 2356 cs = server.ConnectionState() 2357 } 2358 done <- serverResult{cs, err} 2359 }() 2360 2361 clientErr := Client(c, clientConfig).Handshake() 2362 c.Close() 2363 2364 result := <-done 2365 2366 if clientErr != nil { 2367 if len(test.expectedClientError) == 0 { 2368 t.Errorf("#%d: client error: %v", i, clientErr) 2369 } else if got := clientErr.Error(); got != test.expectedClientError { 2370 t.Errorf("#%d: expected client error %q, but got %q", i, test.expectedClientError, got) 2371 } else { 2372 test.verify(t, i, &result.cs) 2373 } 2374 } else if len(test.expectedClientError) > 0 { 2375 t.Errorf("#%d: expected client error %q, but got no error", i, test.expectedClientError) 2376 } else if err := result.err; err != nil { 2377 t.Errorf("#%d: server error: %v", i, err) 2378 } else { 2379 test.verify(t, i, &result.cs) 2380 } 2381 } 2382} 2383 2384func TestRSAPSSKeyError(t *testing.T) { 2385 // crypto/tls does not support the rsa_pss_pss_* SignatureSchemes. If support for 2386 // public keys with OID RSASSA-PSS is added to crypto/x509, they will be misused with 2387 // the rsa_pss_rsae_* SignatureSchemes. Assert that RSASSA-PSS certificates don't 2388 // parse, or that they don't carry *rsa.PublicKey keys. 2389 b, _ := pem.Decode([]byte(` 2390-----BEGIN CERTIFICATE----- 2391MIIDZTCCAhygAwIBAgIUCF2x0FyTgZG0CC9QTDjGWkB5vgEwPgYJKoZIhvcNAQEK 2392MDGgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQC 2393AgDeMBIxEDAOBgNVBAMMB1JTQS1QU1MwHhcNMTgwNjI3MjI0NDM2WhcNMTgwNzI3 2394MjI0NDM2WjASMRAwDgYDVQQDDAdSU0EtUFNTMIIBIDALBgkqhkiG9w0BAQoDggEP 2395ADCCAQoCggEBANxDm0f76JdI06YzsjB3AmmjIYkwUEGxePlafmIASFjDZl/elD0Z 2396/a7xLX468b0qGxLS5al7XCcEprSdsDR6DF5L520+pCbpfLyPOjuOvGmk9KzVX4x5 2397b05YXYuXdsQ0Kjxcx2i3jjCday6scIhMJVgBZxTEyMj1thPQM14SHzKCd/m6HmCL 2398QmswpH2yMAAcBRWzRpp/vdH5DeOJEB3aelq7094no731mrLUCHRiZ1htq8BDB3ou 2399czwqgwspbqZ4dnMXl2MvfySQ5wJUxQwILbiuAKO2lVVPUbFXHE9pgtznNoPvKwQT 2400JNcX8ee8WIZc2SEGzofjk3NpjR+2ADB2u3sCAwEAAaNTMFEwHQYDVR0OBBYEFNEz 2401AdyJ2f+fU+vSCS6QzohnOnprMB8GA1UdIwQYMBaAFNEzAdyJ2f+fU+vSCS6Qzohn 2402OnprMA8GA1UdEwEB/wQFMAMBAf8wPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQME 2403AgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeA4IBAQCjEdrR5aab 2404sZmCwrMeKidXgfkmWvfuLDE+TCbaqDZp7BMWcMQXT9O0UoUT5kqgKj2ARm2pEW0Z 2405H3Z1vj3bbds72qcDIJXp+l0fekyLGeCrX/CbgnMZXEP7+/+P416p34ChR1Wz4dU1 2406KD3gdsUuTKKeMUog3plxlxQDhRQmiL25ygH1LmjLd6dtIt0GVRGr8lj3euVeprqZ 2407bZ3Uq5eLfsn8oPgfC57gpO6yiN+UURRTlK3bgYvLh4VWB3XXk9UaQZ7Mq1tpXjoD 2408HYFybkWzibkZp4WRo+Fa28rirH+/wHt0vfeN7UCceURZEx4JaxIIfe4ku7uDRhJi 2409RwBA9Xk1KBNF 2410-----END CERTIFICATE-----`)) 2411 if b == nil { 2412 t.Fatal("Failed to decode certificate") 2413 } 2414 cert, err := x509.ParseCertificate(b.Bytes) 2415 if err != nil { 2416 return 2417 } 2418 if _, ok := cert.PublicKey.(*rsa.PublicKey); ok { 2419 t.Error("A RSASSA-PSS certificate was parsed like a PKCS#1 v1.5 one, and it will be mistakenly used with rsa_pss_rsae_* signature algorithms") 2420 } 2421} 2422 2423func TestCloseClientConnectionOnIdleServer(t *testing.T) { 2424 clientConn, serverConn := localPipe(t) 2425 client := Client(clientConn, testConfig.Clone()) 2426 go func() { 2427 var b [1]byte 2428 serverConn.Read(b[:]) 2429 client.Close() 2430 }() 2431 client.SetWriteDeadline(time.Now().Add(time.Minute)) 2432 err := client.Handshake() 2433 if err != nil { 2434 if err, ok := err.(net.Error); ok && err.Timeout() { 2435 t.Errorf("Expected a closed network connection error but got '%s'", err.Error()) 2436 } 2437 } else { 2438 t.Errorf("Error expected, but no error returned") 2439 } 2440} 2441 2442func testDowngradeCanary(t *testing.T, clientVersion, serverVersion uint16) error { 2443 defer func() { testingOnlyForceDowngradeCanary = false }() 2444 testingOnlyForceDowngradeCanary = true 2445 2446 clientConfig := testConfig.Clone() 2447 clientConfig.MaxVersion = clientVersion 2448 serverConfig := testConfig.Clone() 2449 serverConfig.MaxVersion = serverVersion 2450 _, _, err := testHandshake(t, clientConfig, serverConfig) 2451 return err 2452} 2453 2454func TestDowngradeCanary(t *testing.T) { 2455 if err := testDowngradeCanary(t, VersionTLS13, VersionTLS12); err == nil { 2456 t.Errorf("downgrade from TLS 1.3 to TLS 1.2 was not detected") 2457 } 2458 if testing.Short() { 2459 t.Skip("skipping the rest of the checks in short mode") 2460 } 2461 if err := testDowngradeCanary(t, VersionTLS13, VersionTLS11); err == nil { 2462 t.Errorf("downgrade from TLS 1.3 to TLS 1.1 was not detected") 2463 } 2464 if err := testDowngradeCanary(t, VersionTLS13, VersionTLS10); err == nil { 2465 t.Errorf("downgrade from TLS 1.3 to TLS 1.0 was not detected") 2466 } 2467 if err := testDowngradeCanary(t, VersionTLS12, VersionTLS11); err == nil { 2468 t.Errorf("downgrade from TLS 1.2 to TLS 1.1 was not detected") 2469 } 2470 if err := testDowngradeCanary(t, VersionTLS12, VersionTLS10); err == nil { 2471 t.Errorf("downgrade from TLS 1.2 to TLS 1.0 was not detected") 2472 } 2473 if err := testDowngradeCanary(t, VersionTLS13, VersionTLS13); err != nil { 2474 t.Errorf("server unexpectedly sent downgrade canary for TLS 1.3") 2475 } 2476 if err := testDowngradeCanary(t, VersionTLS12, VersionTLS12); err != nil { 2477 t.Errorf("client didn't ignore expected TLS 1.2 canary") 2478 } 2479 if err := testDowngradeCanary(t, VersionTLS11, VersionTLS11); err != nil { 2480 t.Errorf("client unexpectedly reacted to a canary in TLS 1.1") 2481 } 2482 if err := testDowngradeCanary(t, VersionTLS10, VersionTLS10); err != nil { 2483 t.Errorf("client unexpectedly reacted to a canary in TLS 1.0") 2484 } 2485} 2486 2487func TestResumptionKeepsOCSPAndSCT(t *testing.T) { 2488 t.Run("TLSv12", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS12) }) 2489 t.Run("TLSv13", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS13) }) 2490} 2491 2492func testResumptionKeepsOCSPAndSCT(t *testing.T, ver uint16) { 2493 issuer, err := x509.ParseCertificate(testRSACertificateIssuer) 2494 if err != nil { 2495 t.Fatalf("failed to parse test issuer") 2496 } 2497 roots := x509.NewCertPool() 2498 roots.AddCert(issuer) 2499 clientConfig := &Config{ 2500 MaxVersion: ver, 2501 ClientSessionCache: NewLRUClientSessionCache(32), 2502 ServerName: "example.golang", 2503 RootCAs: roots, 2504 } 2505 serverConfig := testConfig.Clone() 2506 serverConfig.MaxVersion = ver 2507 serverConfig.Certificates[0].OCSPStaple = []byte{1, 2, 3} 2508 serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{4, 5, 6}} 2509 2510 _, ccs, err := testHandshake(t, clientConfig, serverConfig) 2511 if err != nil { 2512 t.Fatalf("handshake failed: %s", err) 2513 } 2514 // after a new session we expect to see OCSPResponse and 2515 // SignedCertificateTimestamps populated as usual 2516 if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) { 2517 t.Errorf("client ConnectionState contained unexpected OCSPResponse: wanted %v, got %v", 2518 serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse) 2519 } 2520 if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) { 2521 t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps: wanted %v, got %v", 2522 serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps) 2523 } 2524 2525 // if the server doesn't send any SCTs, repopulate the old SCTs 2526 oldSCTs := serverConfig.Certificates[0].SignedCertificateTimestamps 2527 serverConfig.Certificates[0].SignedCertificateTimestamps = nil 2528 _, ccs, err = testHandshake(t, clientConfig, serverConfig) 2529 if err != nil { 2530 t.Fatalf("handshake failed: %s", err) 2531 } 2532 if !ccs.DidResume { 2533 t.Fatalf("expected session to be resumed") 2534 } 2535 // after a resumed session we also expect to see OCSPResponse 2536 // and SignedCertificateTimestamps populated 2537 if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) { 2538 t.Errorf("client ConnectionState contained unexpected OCSPResponse after resumption: wanted %v, got %v", 2539 serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse) 2540 } 2541 if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, oldSCTs) { 2542 t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v", 2543 oldSCTs, ccs.SignedCertificateTimestamps) 2544 } 2545 2546 // Only test overriding the SCTs for TLS 1.2, since in 1.3 2547 // the server won't send the message containing them 2548 if ver == VersionTLS13 { 2549 return 2550 } 2551 2552 // if the server changes the SCTs it sends, they should override the saved SCTs 2553 serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{7, 8, 9}} 2554 _, ccs, err = testHandshake(t, clientConfig, serverConfig) 2555 if err != nil { 2556 t.Fatalf("handshake failed: %s", err) 2557 } 2558 if !ccs.DidResume { 2559 t.Fatalf("expected session to be resumed") 2560 } 2561 if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) { 2562 t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v", 2563 serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps) 2564 } 2565} 2566 2567// TestClientHandshakeContextCancellation tests that cancelling 2568// the context given to the client side conn.HandshakeContext 2569// interrupts the in-progress handshake. 2570func TestClientHandshakeContextCancellation(t *testing.T) { 2571 c, s := localPipe(t) 2572 ctx, cancel := context.WithCancel(context.Background()) 2573 unblockServer := make(chan struct{}) 2574 defer close(unblockServer) 2575 go func() { 2576 cancel() 2577 <-unblockServer 2578 _ = s.Close() 2579 }() 2580 cli := Client(c, testConfig) 2581 // Initiates client side handshake, which will block until the client hello is read 2582 // by the server, unless the cancellation works. 2583 err := cli.HandshakeContext(ctx) 2584 if err == nil { 2585 t.Fatal("Client handshake did not error when the context was canceled") 2586 } 2587 if err != context.Canceled { 2588 t.Errorf("Unexpected client handshake error: %v", err) 2589 } 2590 if runtime.GOARCH == "wasm" { 2591 t.Skip("conn.Close does not error as expected when called multiple times on WASM") 2592 } 2593 err = cli.Close() 2594 if err == nil { 2595 t.Error("Client connection was not closed when the context was canceled") 2596 } 2597} 2598