Source file
src/crypto/tls/handshake_server_test.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/ecdh"
12 "crypto/elliptic"
13 "crypto/rand"
14 "crypto/tls/internal/fips140tls"
15 "crypto/x509"
16 "crypto/x509/pkix"
17 "encoding/pem"
18 "errors"
19 "fmt"
20 "io"
21 "net"
22 "os"
23 "os/exec"
24 "path/filepath"
25 "runtime"
26 "slices"
27 "strings"
28 "sync/atomic"
29 "testing"
30 "time"
31 )
32
33 func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
34 t.Helper()
35 testClientHelloFailure(t, serverConfig, m, "")
36 }
37
38
39
40 func testFatal(t *testing.T, err error) {
41 t.Helper()
42 t.Fatal(err)
43 }
44
45 func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
46 c, s := localPipe(t)
47 go func() {
48 cli := Client(c, testConfig)
49 if ch, ok := m.(*clientHelloMsg); ok {
50 cli.vers = ch.vers
51 }
52 if _, err := cli.writeHandshakeRecord(m, nil); err != nil {
53 testFatal(t, err)
54 }
55 c.Close()
56 }()
57 ctx := context.Background()
58 conn := Server(s, serverConfig)
59 ch, ech, err := conn.readClientHello(ctx)
60 if conn.vers == VersionTLS13 {
61 hs := serverHandshakeStateTLS13{
62 c: conn,
63 ctx: ctx,
64 clientHello: ch,
65 echContext: ech,
66 }
67 if err == nil {
68 err = hs.processClientHello()
69 }
70 if err == nil {
71 err = hs.checkForResumption()
72 }
73 if err == nil {
74 err = hs.pickCertificate()
75 }
76 } else {
77 hs := serverHandshakeState{
78 c: conn,
79 ctx: ctx,
80 clientHello: ch,
81 }
82 if err == nil {
83 err = hs.processClientHello()
84 }
85 if err == nil {
86 err = hs.pickCipherSuite()
87 }
88 }
89 s.Close()
90 t.Helper()
91 if len(expectedSubStr) == 0 {
92 if err != nil && err != io.EOF {
93 t.Errorf("Got error: %s; expected to succeed", err)
94 }
95 } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
96 t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
97 }
98 }
99
100 func TestSimpleError(t *testing.T) {
101 testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
102 }
103
104 var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}
105
106 func TestRejectBadProtocolVersion(t *testing.T) {
107 config := testConfig.Clone()
108 config.MinVersion = VersionSSL30
109 for _, v := range badProtocolVersions {
110 testClientHelloFailure(t, config, &clientHelloMsg{
111 vers: v,
112 random: make([]byte, 32),
113 }, "unsupported versions")
114 }
115 testClientHelloFailure(t, config, &clientHelloMsg{
116 vers: VersionTLS12,
117 supportedVersions: badProtocolVersions,
118 random: make([]byte, 32),
119 }, "unsupported versions")
120 }
121
122 func TestNoSuiteOverlap(t *testing.T) {
123 clientHello := &clientHelloMsg{
124 vers: VersionTLS12,
125 random: make([]byte, 32),
126 cipherSuites: []uint16{0xff00},
127 compressionMethods: []uint8{compressionNone},
128 }
129 testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
130 }
131
132 func TestNoCompressionOverlap(t *testing.T) {
133 clientHello := &clientHelloMsg{
134 vers: VersionTLS12,
135 random: make([]byte, 32),
136 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
137 compressionMethods: []uint8{0xff},
138 }
139 testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
140 }
141
142 func TestNoRC4ByDefault(t *testing.T) {
143 clientHello := &clientHelloMsg{
144 vers: VersionTLS12,
145 random: make([]byte, 32),
146 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
147 compressionMethods: []uint8{compressionNone},
148 }
149 serverConfig := testConfig.Clone()
150
151
152 serverConfig.CipherSuites = nil
153 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
154 }
155
156 func TestRejectSNIWithTrailingDot(t *testing.T) {
157 testClientHelloFailure(t, testConfig, &clientHelloMsg{
158 vers: VersionTLS12,
159 random: make([]byte, 32),
160 serverName: "foo.com.",
161 }, "decoding message")
162 }
163
164 func TestDontSelectECDSAWithRSAKey(t *testing.T) {
165
166
167 clientHello := &clientHelloMsg{
168 vers: VersionTLS12,
169 random: make([]byte, 32),
170 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
171 compressionMethods: []uint8{compressionNone},
172 supportedCurves: []CurveID{CurveP256},
173 supportedPoints: []uint8{pointFormatUncompressed},
174 }
175 serverConfig := testConfig.Clone()
176 serverConfig.CipherSuites = clientHello.cipherSuites
177 serverConfig.Certificates = make([]Certificate, 1)
178 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
179 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
180 serverConfig.BuildNameToCertificate()
181
182 testClientHello(t, serverConfig, clientHello)
183
184
185
186 serverConfig.Certificates = testConfig.Certificates
187 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
188 }
189
190 func TestDontSelectRSAWithECDSAKey(t *testing.T) {
191
192
193 clientHello := &clientHelloMsg{
194 vers: VersionTLS12,
195 random: make([]byte, 32),
196 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
197 compressionMethods: []uint8{compressionNone},
198 supportedCurves: []CurveID{CurveP256},
199 supportedPoints: []uint8{pointFormatUncompressed},
200 }
201 serverConfig := testConfig.Clone()
202 serverConfig.CipherSuites = clientHello.cipherSuites
203
204 testClientHello(t, serverConfig, clientHello)
205
206
207
208 serverConfig.Certificates = make([]Certificate, 1)
209 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
210 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
211 serverConfig.BuildNameToCertificate()
212 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
213 }
214
215 func TestRenegotiationExtension(t *testing.T) {
216 skipFIPS(t)
217
218 clientHello := &clientHelloMsg{
219 vers: VersionTLS12,
220 compressionMethods: []uint8{compressionNone},
221 random: make([]byte, 32),
222 secureRenegotiationSupported: true,
223 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
224 }
225
226 bufChan := make(chan []byte, 1)
227 c, s := localPipe(t)
228
229 go func() {
230 cli := Client(c, testConfig)
231 cli.vers = clientHello.vers
232 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
233 testFatal(t, err)
234 }
235
236 buf := make([]byte, 1024)
237 n, err := c.Read(buf)
238 if err != nil {
239 t.Errorf("Server read returned error: %s", err)
240 }
241 c.Close()
242 bufChan <- buf[:n]
243 }()
244
245 Server(s, testConfig).Handshake()
246 buf := <-bufChan
247
248 if len(buf) < 5+4 {
249 t.Fatalf("Server returned short message of length %d", len(buf))
250 }
251
252
253
254 serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8])
255
256 var serverHello serverHelloMsg
257
258
259 if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) {
260 t.Fatalf("Failed to parse ServerHello")
261 }
262
263 if !serverHello.secureRenegotiationSupported {
264 t.Errorf("Secure renegotiation extension was not echoed.")
265 }
266 }
267
268 func TestTLS12OnlyCipherSuites(t *testing.T) {
269 skipFIPS(t)
270
271
272
273 clientHello := &clientHelloMsg{
274 vers: VersionTLS11,
275 random: make([]byte, 32),
276 cipherSuites: []uint16{
277
278
279
280
281 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
282 TLS_RSA_WITH_RC4_128_SHA,
283 },
284 compressionMethods: []uint8{compressionNone},
285 supportedCurves: []CurveID{CurveP256, CurveP384, CurveP521},
286 supportedPoints: []uint8{pointFormatUncompressed},
287 }
288
289 c, s := localPipe(t)
290 replyChan := make(chan any)
291 go func() {
292 cli := Client(c, testConfig)
293 cli.vers = clientHello.vers
294 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
295 testFatal(t, err)
296 }
297 reply, err := cli.readHandshake(nil)
298 c.Close()
299 if err != nil {
300 replyChan <- err
301 } else {
302 replyChan <- reply
303 }
304 }()
305 config := testConfig.Clone()
306 config.CipherSuites = clientHello.cipherSuites
307 Server(s, config).Handshake()
308 s.Close()
309 reply := <-replyChan
310 if err, ok := reply.(error); ok {
311 t.Fatal(err)
312 }
313 serverHello, ok := reply.(*serverHelloMsg)
314 if !ok {
315 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
316 }
317 if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
318 t.Fatalf("bad cipher suite from server: %x", s)
319 }
320 }
321
322 func TestTLSPointFormats(t *testing.T) {
323
324
325 tests := []struct {
326 name string
327 cipherSuites []uint16
328 supportedCurves []CurveID
329 supportedPoints []uint8
330 wantSupportedPoints bool
331 }{
332 {"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true},
333 {"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, nil, false},
334 {"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true},
335 {"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
336 {"RSA with ec_point_format", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, []uint8{pointFormatUncompressed}, false},
337 }
338 for _, tt := range tests {
339
340 if strings.HasPrefix(tt.name, "RSA") && fips140tls.Required() {
341 t.Logf("skipping in FIPS mode.")
342 continue
343 }
344 t.Run(tt.name, func(t *testing.T) {
345 clientHello := &clientHelloMsg{
346 vers: VersionTLS12,
347 random: make([]byte, 32),
348 cipherSuites: tt.cipherSuites,
349 compressionMethods: []uint8{compressionNone},
350 supportedCurves: tt.supportedCurves,
351 supportedPoints: tt.supportedPoints,
352 }
353
354 c, s := localPipe(t)
355 replyChan := make(chan any)
356 go func() {
357 clientConfig := testConfig.Clone()
358 clientConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
359 cli := Client(c, clientConfig)
360 cli.vers = clientHello.vers
361 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
362 testFatal(t, err)
363 }
364 reply, err := cli.readHandshake(nil)
365 c.Close()
366 if err != nil {
367 replyChan <- err
368 } else {
369 replyChan <- reply
370 }
371 }()
372 serverConfig := testConfig.Clone()
373 serverConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
374 serverConfig.CipherSuites = clientHello.cipherSuites
375 Server(s, serverConfig).Handshake()
376 s.Close()
377 reply := <-replyChan
378 if err, ok := reply.(error); ok {
379 t.Fatal(err)
380 }
381 serverHello, ok := reply.(*serverHelloMsg)
382 if !ok {
383 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
384 }
385 if tt.wantSupportedPoints {
386 if !bytes.Equal(serverHello.supportedPoints, []uint8{pointFormatUncompressed}) {
387 t.Fatal("incorrect ec_point_format extension from server")
388 }
389 } else {
390 if len(serverHello.supportedPoints) != 0 {
391 t.Fatalf("unexpected ec_point_format extension from server: %v", serverHello.supportedPoints)
392 }
393 }
394 })
395 }
396 }
397
398 func TestAlertForwarding(t *testing.T) {
399 c, s := localPipe(t)
400 go func() {
401 Client(c, testConfig).sendAlert(alertUnknownCA)
402 c.Close()
403 }()
404
405 err := Server(s, testConfig).Handshake()
406 s.Close()
407 if opErr, ok := errors.AsType[*net.OpError](err); !ok || opErr.Err != error(alertUnknownCA) {
408 t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
409 }
410 }
411
412 func TestClose(t *testing.T) {
413 c, s := localPipe(t)
414 go c.Close()
415
416 err := Server(s, testConfig).Handshake()
417 s.Close()
418 if err != io.EOF {
419 t.Errorf("Got error: %s; expected: %s", err, io.EOF)
420 }
421 }
422
423 func TestVersion(t *testing.T) {
424 serverConfig := &Config{
425 Certificates: testConfig.Certificates,
426 MaxVersion: VersionTLS13,
427 }
428 clientConfig := &Config{
429 InsecureSkipVerify: true,
430 MinVersion: VersionTLS12,
431 }
432 state, _, err := testHandshake(t, clientConfig, serverConfig)
433 if err != nil {
434 t.Fatalf("handshake failed: %s", err)
435 }
436 if state.Version != VersionTLS13 {
437 t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
438 }
439
440 clientConfig.MinVersion = 0
441 serverConfig.MaxVersion = VersionTLS11
442 _, _, err = testHandshake(t, clientConfig, serverConfig)
443 if err == nil {
444 t.Fatalf("expected failure to connect with TLS 1.0/1.1")
445 }
446 }
447
448 func TestCipherSuitePreference(t *testing.T) {
449 skipFIPS(t)
450
451 serverConfig := &Config{
452 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
453 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
454 Certificates: testConfig.Certificates,
455 MaxVersion: VersionTLS12,
456 GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
457 if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
458 t.Error("the advertised order should not depend on Config.CipherSuites")
459 }
460 if len(chi.CipherSuites) != 2+len(defaultCipherSuitesTLS13) {
461 t.Error("the advertised TLS 1.2 suites should be filtered by Config.CipherSuites")
462 }
463 return nil, nil
464 },
465 }
466 clientConfig := &Config{
467 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
468 InsecureSkipVerify: true,
469 }
470 state, _, err := testHandshake(t, clientConfig, serverConfig)
471 if err != nil {
472 t.Fatalf("handshake failed: %s", err)
473 }
474 if state.CipherSuite != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
475 t.Error("the preference order should not depend on Config.CipherSuites")
476 }
477 }
478
479 func TestSCTHandshake(t *testing.T) {
480 t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) })
481 t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) })
482 }
483
484 func testSCTHandshake(t *testing.T, version uint16) {
485 expected := [][]byte{[]byte("certificate"), []byte("transparency")}
486 serverConfig := &Config{
487 Certificates: []Certificate{{
488 Certificate: [][]byte{testRSACertificate},
489 PrivateKey: testRSAPrivateKey,
490 SignedCertificateTimestamps: expected,
491 }},
492 MaxVersion: version,
493 }
494 clientConfig := &Config{
495 InsecureSkipVerify: true,
496 }
497 _, state, err := testHandshake(t, clientConfig, serverConfig)
498 if err != nil {
499 t.Fatalf("handshake failed: %s", err)
500 }
501 actual := state.SignedCertificateTimestamps
502 if len(actual) != len(expected) {
503 t.Fatalf("got %d scts, want %d", len(actual), len(expected))
504 }
505 for i, sct := range expected {
506 if !bytes.Equal(sct, actual[i]) {
507 t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct)
508 }
509 }
510 }
511
512 func TestCrossVersionResume(t *testing.T) {
513 t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) })
514 t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) })
515 }
516
517 func testCrossVersionResume(t *testing.T, version uint16) {
518 serverConfig := &Config{
519 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
520 Certificates: testConfig.Certificates,
521 Time: testTime,
522 }
523 clientConfig := &Config{
524 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
525 InsecureSkipVerify: true,
526 ClientSessionCache: NewLRUClientSessionCache(1),
527 ServerName: "servername",
528 MinVersion: VersionTLS12,
529 Time: testTime,
530 }
531
532
533 clientConfig.MaxVersion = VersionTLS13
534 _, _, err := testHandshake(t, clientConfig, serverConfig)
535 if err != nil {
536 t.Fatalf("handshake failed: %s", err)
537 }
538
539
540 state, _, err := testHandshake(t, clientConfig, serverConfig)
541 if err != nil {
542 t.Fatalf("handshake failed: %s", err)
543 }
544 if !state.DidResume {
545 t.Fatalf("handshake did not resume at the same version")
546 }
547
548
549 clientConfig.MaxVersion = VersionTLS12
550 state, _, err = testHandshake(t, clientConfig, serverConfig)
551 if err != nil {
552 t.Fatalf("handshake failed: %s", err)
553 }
554 if state.DidResume {
555 t.Fatalf("handshake resumed at a lower version")
556 }
557
558
559 state, _, err = testHandshake(t, clientConfig, serverConfig)
560 if err != nil {
561 t.Fatalf("handshake failed: %s", err)
562 }
563 if !state.DidResume {
564 t.Fatalf("handshake did not resume at the same version")
565 }
566
567
568 clientConfig.MaxVersion = VersionTLS13
569 state, _, err = testHandshake(t, clientConfig, serverConfig)
570 if err != nil {
571 t.Fatalf("handshake failed: %s", err)
572 }
573 if state.DidResume {
574 t.Fatalf("handshake resumed at a higher version")
575 }
576 }
577
578
579
580
581
582
583 type serverTest struct {
584
585
586 name string
587
588
589 command []string
590
591
592 expectedPeerCerts []string
593
594 config *Config
595
596
597 expectHandshakeErrorIncluding string
598
599
600
601 validate func(ConnectionState) error
602
603
604 wait bool
605 }
606
607 var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
608
609
610
611
612 func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
613 l, err := net.ListenTCP("tcp", &net.TCPAddr{
614 IP: net.IPv4(127, 0, 0, 1),
615 Port: 0,
616 })
617 if err != nil {
618 return nil, nil, err
619 }
620 defer l.Close()
621
622 port := l.Addr().(*net.TCPAddr).Port
623
624 var command []string
625 command = append(command, test.command...)
626 if len(command) == 0 {
627 command = defaultClientCommand
628 }
629 command = append(command, "-connect")
630 command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
631 cmd := exec.Command(command[0], command[1:]...)
632 cmd.Stdin = nil
633 var output bytes.Buffer
634 cmd.Stdout = &output
635 cmd.Stderr = &output
636 if err := cmd.Start(); err != nil {
637 return nil, nil, err
638 }
639
640 connChan := make(chan any, 1)
641 go func() {
642 tcpConn, err := l.Accept()
643 if err != nil {
644 connChan <- err
645 return
646 }
647 connChan <- tcpConn
648 }()
649
650 var tcpConn net.Conn
651 select {
652 case connOrError := <-connChan:
653 if err, ok := connOrError.(error); ok {
654 return nil, nil, err
655 }
656 tcpConn = connOrError.(net.Conn)
657 case <-time.After(2 * time.Second):
658 return nil, nil, errors.New("timed out waiting for connection from child process")
659 }
660
661 record := &recordingConn{
662 Conn: tcpConn,
663 }
664
665 return record, cmd, nil
666 }
667
668 func (test *serverTest) dataPath() string {
669 return filepath.Join("testdata", "Server-"+test.name)
670 }
671
672 func (test *serverTest) loadData() (flows [][]byte, err error) {
673 in, err := os.Open(test.dataPath())
674 if err != nil {
675 return nil, err
676 }
677 defer in.Close()
678 return parseTestData(in)
679 }
680
681 func (test *serverTest) run(t *testing.T, write bool) {
682 var serverConn net.Conn
683 var recordingConn *recordingConn
684 var childProcess *exec.Cmd
685
686 if write {
687 var err error
688 recordingConn, childProcess, err = test.connFromCommand()
689 if err != nil {
690 t.Fatalf("Failed to start subcommand: %s", err)
691 }
692 serverConn = recordingConn
693 defer func() {
694 if t.Failed() {
695 t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout)
696 }
697 }()
698 } else {
699 flows, err := test.loadData()
700 if err != nil {
701 t.Fatalf("Failed to load data from %s", test.dataPath())
702 }
703 serverConn = &replayingConn{t: t, flows: flows, reading: true}
704 }
705 config := test.config
706 if config == nil {
707 config = testConfig
708 }
709 server := Server(serverConn, config)
710
711 _, err := server.Write([]byte("hello, world\n"))
712 if len(test.expectHandshakeErrorIncluding) > 0 {
713 if err == nil {
714 t.Errorf("Error expected, but no error returned")
715 } else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {
716 t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)
717 }
718 } else {
719 if err != nil {
720 t.Logf("Error from Server.Write: '%s'", err)
721 }
722 }
723 server.Close()
724
725 connState := server.ConnectionState()
726 peerCerts := connState.PeerCertificates
727 if len(peerCerts) == len(test.expectedPeerCerts) {
728 for i, peerCert := range peerCerts {
729 block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
730 if !bytes.Equal(block.Bytes, peerCert.Raw) {
731 t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
732 }
733 }
734 } else {
735 t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
736 }
737
738 if test.validate != nil && !t.Failed() {
739 if err := test.validate(connState); err != nil {
740 t.Fatalf("validate callback returned error: %s", err)
741 }
742 }
743
744 if write {
745 serverConn.Close()
746 path := test.dataPath()
747 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
748 if err != nil {
749 t.Fatalf("Failed to create output file: %s", err)
750 }
751 defer out.Close()
752 recordingConn.Close()
753 if len(recordingConn.flows) < 3 {
754 if len(test.expectHandshakeErrorIncluding) == 0 {
755 t.Fatalf("Handshake failed")
756 }
757 }
758 recordingConn.WriteTo(out)
759 t.Logf("Wrote %s\n", path)
760 childProcess.Wait()
761 }
762 }
763
764 func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
765
766 test := *template
767 if template.config != nil {
768 test.config = template.config.Clone()
769 }
770 test.name = version + "-" + test.name
771 if len(test.command) == 0 {
772 test.command = defaultClientCommand
773 }
774 test.command = append([]string(nil), test.command...)
775 test.command = append(test.command, option)
776
777 runTestAndUpdateIfNeeded(t, version, test.run, test.wait)
778 }
779
780 func runServerTestTLS10(t *testing.T, template *serverTest) {
781 runServerTestForVersion(t, template, "TLSv10", "-tls1")
782 }
783
784 func runServerTestTLS11(t *testing.T, template *serverTest) {
785 runServerTestForVersion(t, template, "TLSv11", "-tls1_1")
786 }
787
788 func runServerTestTLS12(t *testing.T, template *serverTest) {
789 runServerTestForVersion(t, template, "TLSv12", "-tls1_2")
790 }
791
792 func runServerTestTLS13(t *testing.T, template *serverTest) {
793 runServerTestForVersion(t, template, "TLSv13", "-tls1_3")
794 }
795
796 func TestHandshakeServerRSARC4(t *testing.T) {
797 test := &serverTest{
798 name: "RSA-RC4",
799 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
800 }
801 runServerTestTLS10(t, test)
802 runServerTestTLS11(t, test)
803 runServerTestTLS12(t, test)
804 }
805
806 func TestHandshakeServerRSA3DES(t *testing.T) {
807 test := &serverTest{
808 name: "RSA-3DES",
809 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
810 }
811 runServerTestTLS10(t, test)
812 runServerTestTLS12(t, test)
813 }
814
815 func TestHandshakeServerRSAAES(t *testing.T) {
816 test := &serverTest{
817 name: "RSA-AES",
818 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
819 }
820 runServerTestTLS10(t, test)
821 runServerTestTLS12(t, test)
822 }
823
824 func TestHandshakeServerAESGCM(t *testing.T) {
825 test := &serverTest{
826 name: "RSA-AES-GCM",
827 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
828 }
829 runServerTestTLS12(t, test)
830 }
831
832 func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
833 test := &serverTest{
834 name: "RSA-AES256-GCM-SHA384",
835 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"},
836 }
837 runServerTestTLS12(t, test)
838 }
839
840 func TestHandshakeServerAES128SHA256(t *testing.T) {
841 test := &serverTest{
842 name: "AES128-SHA256",
843 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
844 }
845 runServerTestTLS13(t, test)
846 }
847 func TestHandshakeServerAES256SHA384(t *testing.T) {
848 test := &serverTest{
849 name: "AES256-SHA384",
850 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
851 }
852 runServerTestTLS13(t, test)
853 }
854 func TestHandshakeServerCHACHA20SHA256(t *testing.T) {
855 test := &serverTest{
856 name: "CHACHA20-SHA256",
857 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
858 }
859 runServerTestTLS13(t, test)
860 }
861
862 func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
863 config := testConfig.Clone()
864 config.Certificates = make([]Certificate, 1)
865 config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
866 config.Certificates[0].PrivateKey = testECDSAPrivateKey
867 config.BuildNameToCertificate()
868
869 test := &serverTest{
870 name: "ECDHE-ECDSA-AES",
871 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
872 config: config,
873 }
874 runServerTestTLS10(t, test)
875 runServerTestTLS12(t, test)
876 runServerTestTLS13(t, test)
877 }
878
879 func TestHandshakeServerX25519(t *testing.T) {
880 config := testConfig.Clone()
881 config.CurvePreferences = []CurveID{X25519}
882
883 test := &serverTest{
884 name: "X25519",
885 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"},
886 config: config,
887 }
888 runServerTestTLS12(t, test)
889 runServerTestTLS13(t, test)
890 }
891
892 func TestHandshakeServerP256(t *testing.T) {
893 config := testConfig.Clone()
894 config.CurvePreferences = []CurveID{CurveP256}
895
896 test := &serverTest{
897 name: "P256",
898 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"},
899 config: config,
900 }
901 runServerTestTLS12(t, test)
902 runServerTestTLS13(t, test)
903 }
904
905 func TestHandshakeServerHelloRetryRequest(t *testing.T) {
906 config := testConfig.Clone()
907 config.CurvePreferences = []CurveID{CurveP256}
908
909 var clientHelloInfoHRR bool
910 var getCertificateCalled bool
911 eeCert := config.Certificates[0]
912 config.Certificates = nil
913 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
914 getCertificateCalled = true
915 clientHelloInfoHRR = clientHello.HelloRetryRequest
916 return &eeCert, nil
917 }
918
919 test := &serverTest{
920 name: "HelloRetryRequest",
921 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"},
922 config: config,
923 validate: func(cs ConnectionState) error {
924 if !cs.HelloRetryRequest {
925 return errors.New("expected HelloRetryRequest")
926 }
927 if !getCertificateCalled {
928 return errors.New("expected GetCertificate to be called")
929 }
930 if !clientHelloInfoHRR {
931 return errors.New("expected ClientHelloInfo.HelloRetryRequest to be true")
932 }
933 return nil
934 },
935 }
936 runServerTestTLS13(t, test)
937 }
938
939
940
941
942 func TestHandshakeServerKeySharePreference(t *testing.T) {
943 config := testConfig.Clone()
944 config.CurvePreferences = []CurveID{X25519, CurveP256}
945
946
947
948 var clientHelloInfoHRR bool
949 var getCertificateCalled bool
950 eeCert := config.Certificates[0]
951 config.Certificates = nil
952 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
953 getCertificateCalled = true
954 clientHelloInfoHRR = clientHello.HelloRetryRequest
955 return &eeCert, nil
956 }
957
958 test := &serverTest{
959 name: "KeySharePreference",
960 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256:X25519"},
961 config: config,
962 validate: func(cs ConnectionState) error {
963 if cs.HelloRetryRequest {
964 return errors.New("unexpected HelloRetryRequest")
965 }
966 if !getCertificateCalled {
967 return errors.New("expected GetCertificate to be called")
968 }
969 if clientHelloInfoHRR {
970 return errors.New("expected ClientHelloInfo.HelloRetryRequest to be false")
971 }
972 return nil
973 },
974 }
975 runServerTestTLS13(t, test)
976 }
977
978 func TestHandshakeServerALPN(t *testing.T) {
979 config := testConfig.Clone()
980 config.NextProtos = []string{"proto1", "proto2"}
981
982 test := &serverTest{
983 name: "ALPN",
984
985
986 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
987 config: config,
988 validate: func(state ConnectionState) error {
989
990 if state.NegotiatedProtocol != "proto1" {
991 return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
992 }
993 return nil
994 },
995 }
996 runServerTestTLS12(t, test)
997 runServerTestTLS13(t, test)
998 }
999
1000 func TestHandshakeServerALPNNoMatch(t *testing.T) {
1001 config := testConfig.Clone()
1002 config.NextProtos = []string{"proto3"}
1003
1004 test := &serverTest{
1005 name: "ALPN-NoMatch",
1006
1007
1008 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1009 config: config,
1010 expectHandshakeErrorIncluding: "client requested unsupported application protocol",
1011 }
1012 runServerTestTLS12(t, test)
1013 runServerTestTLS13(t, test)
1014 }
1015
1016 func TestHandshakeServerALPNNotConfigured(t *testing.T) {
1017 config := testConfig.Clone()
1018 config.NextProtos = nil
1019
1020 test := &serverTest{
1021 name: "ALPN-NotConfigured",
1022
1023
1024 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1025 config: config,
1026 validate: func(state ConnectionState) error {
1027 if state.NegotiatedProtocol != "" {
1028 return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
1029 }
1030 return nil
1031 },
1032 }
1033 runServerTestTLS12(t, test)
1034 runServerTestTLS13(t, test)
1035 }
1036
1037 func TestHandshakeServerALPNFallback(t *testing.T) {
1038 config := testConfig.Clone()
1039 config.NextProtos = []string{"proto1", "h2", "proto2"}
1040
1041 test := &serverTest{
1042 name: "ALPN-Fallback",
1043
1044
1045 command: []string{"openssl", "s_client", "-alpn", "proto3,http/1.1,proto4", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1046 config: config,
1047 validate: func(state ConnectionState) error {
1048 if state.NegotiatedProtocol != "" {
1049 return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
1050 }
1051 return nil
1052 },
1053 }
1054 runServerTestTLS12(t, test)
1055 runServerTestTLS13(t, test)
1056 }
1057
1058
1059
1060
1061 func TestHandshakeServerSNI(t *testing.T) {
1062 test := &serverTest{
1063 name: "SNI",
1064 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1065 }
1066 runServerTestTLS12(t, test)
1067 }
1068
1069
1070
1071 func TestHandshakeServerSNIGetCertificate(t *testing.T) {
1072 config := testConfig.Clone()
1073
1074
1075 nameToCert := config.NameToCertificate
1076 config.NameToCertificate = nil
1077 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1078 cert := nameToCert[clientHello.ServerName]
1079 return cert, nil
1080 }
1081 test := &serverTest{
1082 name: "SNI-GetCertificate",
1083 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1084 config: config,
1085 }
1086 runServerTestTLS12(t, test)
1087 }
1088
1089
1090
1091
1092
1093 func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
1094 config := testConfig.Clone()
1095
1096 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1097 return nil, nil
1098 }
1099 test := &serverTest{
1100 name: "SNI-GetCertificateNotFound",
1101 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1102 config: config,
1103 }
1104 runServerTestTLS12(t, test)
1105 }
1106
1107
1108
1109
1110 func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
1111 const errMsg = "TestHandshakeServerGetCertificateExtensions error"
1112
1113
1114 var called atomic.Int32
1115
1116 testVersions := []uint16{VersionTLS12, VersionTLS13}
1117 for _, vers := range testVersions {
1118 t.Run(fmt.Sprintf("TLS version %04x", vers), func(t *testing.T) {
1119 pk, _ := ecdh.P256().GenerateKey(rand.Reader)
1120 clientHello := &clientHelloMsg{
1121 vers: vers,
1122 random: make([]byte, 32),
1123 cipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
1124 compressionMethods: []uint8{compressionNone},
1125 serverName: "test",
1126 keyShares: []keyShare{{group: CurveP256, data: pk.PublicKey().Bytes()}},
1127 supportedCurves: []CurveID{CurveP256},
1128 supportedSignatureAlgorithms: []SignatureScheme{ECDSAWithP256AndSHA256},
1129 }
1130
1131
1132
1133 expectedExtensions := []uint16{
1134 extensionServerName,
1135 extensionSupportedCurves,
1136 extensionSignatureAlgorithms,
1137 extensionKeyShare,
1138 }
1139
1140 if vers == VersionTLS13 {
1141 clientHello.supportedVersions = []uint16{VersionTLS13}
1142 expectedExtensions = append(expectedExtensions, extensionSupportedVersions)
1143 }
1144
1145
1146 slices.Sort(expectedExtensions)
1147
1148 serverConfig := testConfig.Clone()
1149 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1150 if !slices.Equal(expectedExtensions, clientHello.Extensions) {
1151 t.Errorf("expected extensions on ClientHelloInfo (%v) to match clientHelloMsg (%v)", expectedExtensions, clientHello.Extensions)
1152 }
1153 called.Add(1)
1154
1155 return nil, errors.New(errMsg)
1156 }
1157 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1158 })
1159 }
1160
1161 if int(called.Load()) != len(testVersions) {
1162 t.Error("expected our GetCertificate test to be called twice")
1163 }
1164 }
1165
1166
1167
1168 func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
1169 const errMsg = "TestHandshakeServerSNIGetCertificateError error"
1170
1171 serverConfig := testConfig.Clone()
1172 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1173 return nil, errors.New(errMsg)
1174 }
1175
1176 clientHello := &clientHelloMsg{
1177 vers: VersionTLS12,
1178 random: make([]byte, 32),
1179 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1180 compressionMethods: []uint8{compressionNone},
1181 serverName: "test",
1182 }
1183 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1184 }
1185
1186
1187
1188 func TestHandshakeServerEmptyCertificates(t *testing.T) {
1189 const errMsg = "TestHandshakeServerEmptyCertificates error"
1190
1191 serverConfig := testConfig.Clone()
1192 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1193 return nil, errors.New(errMsg)
1194 }
1195 serverConfig.Certificates = nil
1196
1197 clientHello := &clientHelloMsg{
1198 vers: VersionTLS12,
1199 random: make([]byte, 32),
1200 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1201 compressionMethods: []uint8{compressionNone},
1202 }
1203 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1204
1205
1206
1207 serverConfig.GetCertificate = nil
1208
1209 clientHello = &clientHelloMsg{
1210 vers: VersionTLS12,
1211 random: make([]byte, 32),
1212 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1213 compressionMethods: []uint8{compressionNone},
1214 }
1215 testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
1216 }
1217
1218 func TestServerResumption(t *testing.T) {
1219 sessionFilePath := tempFile("")
1220 defer os.Remove(sessionFilePath)
1221
1222 testIssue := &serverTest{
1223 name: "IssueTicket",
1224 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
1225 wait: true,
1226 }
1227 testResume := &serverTest{
1228 name: "Resume",
1229 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1230 validate: func(state ConnectionState) error {
1231 if !state.DidResume {
1232 return errors.New("did not resume")
1233 }
1234 return nil
1235 },
1236 }
1237
1238 runServerTestTLS12(t, testIssue)
1239 runServerTestTLS12(t, testResume)
1240
1241 runServerTestTLS13(t, testIssue)
1242 runServerTestTLS13(t, testResume)
1243
1244 config := testConfig.Clone()
1245 config.CurvePreferences = []CurveID{CurveP256}
1246
1247 testResumeHRR := &serverTest{
1248 name: "Resume-HelloRetryRequest",
1249 command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites",
1250 "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1251 config: config,
1252 validate: func(state ConnectionState) error {
1253 if !state.DidResume {
1254 return errors.New("did not resume")
1255 }
1256 return nil
1257 },
1258 }
1259
1260 runServerTestTLS13(t, testResumeHRR)
1261 }
1262
1263 func TestServerResumptionDisabled(t *testing.T) {
1264 sessionFilePath := tempFile("")
1265 defer os.Remove(sessionFilePath)
1266
1267 config := testConfig.Clone()
1268
1269 testIssue := &serverTest{
1270 name: "IssueTicketPreDisable",
1271 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
1272 config: config,
1273 wait: true,
1274 }
1275 testResume := &serverTest{
1276 name: "ResumeDisabled",
1277 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1278 config: config,
1279 validate: func(state ConnectionState) error {
1280 if state.DidResume {
1281 return errors.New("resumed with SessionTicketsDisabled")
1282 }
1283 return nil
1284 },
1285 }
1286
1287 config.SessionTicketsDisabled = false
1288 runServerTestTLS12(t, testIssue)
1289 config.SessionTicketsDisabled = true
1290 runServerTestTLS12(t, testResume)
1291
1292 config.SessionTicketsDisabled = false
1293 runServerTestTLS13(t, testIssue)
1294 config.SessionTicketsDisabled = true
1295 runServerTestTLS13(t, testResume)
1296 }
1297
1298 func TestFallbackSCSV(t *testing.T) {
1299 serverConfig := Config{
1300 Certificates: testConfig.Certificates,
1301 MinVersion: VersionTLS11,
1302 }
1303 test := &serverTest{
1304 name: "FallbackSCSV",
1305 config: &serverConfig,
1306
1307 command: []string{"openssl", "s_client", "-fallback_scsv"},
1308 expectHandshakeErrorIncluding: "inappropriate protocol fallback",
1309 }
1310 runServerTestTLS11(t, test)
1311 }
1312
1313 func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
1314 test := &serverTest{
1315 name: "ExportKeyingMaterial",
1316 command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-AES256-SHA", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1317 config: testConfig.Clone(),
1318 validate: func(state ConnectionState) error {
1319 if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
1320 return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
1321 } else if len(km) != 42 {
1322 return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
1323 }
1324 return nil
1325 },
1326 }
1327 runServerTestTLS10(t, test)
1328 runServerTestTLS12(t, test)
1329 runServerTestTLS13(t, test)
1330 }
1331
1332 func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
1333 test := &serverTest{
1334 name: "RSA-RSAPKCS1v15",
1335 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"},
1336 }
1337 runServerTestTLS12(t, test)
1338 }
1339
1340 func TestHandshakeServerRSAPSS(t *testing.T) {
1341
1342
1343
1344 test := &serverTest{
1345 name: "RSA-RSAPSS",
1346 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
1347 }
1348 runServerTestTLS12(t, test)
1349 runServerTestTLS13(t, test)
1350
1351 test = &serverTest{
1352 name: "RSA-RSAPSS-TooSmall",
1353 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"},
1354 expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
1355 }
1356 runServerTestTLS13(t, test)
1357 }
1358
1359 func TestHandshakeServerEd25519(t *testing.T) {
1360 config := testConfig.Clone()
1361 config.Certificates = make([]Certificate, 1)
1362 config.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
1363 config.Certificates[0].PrivateKey = testEd25519PrivateKey
1364 config.BuildNameToCertificate()
1365
1366 test := &serverTest{
1367 name: "Ed25519",
1368 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1369 config: config,
1370 }
1371 runServerTestTLS12(t, test)
1372 runServerTestTLS13(t, test)
1373 }
1374
1375 func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
1376 config := testConfig.Clone()
1377 config.CipherSuites = []uint16{cipherSuite}
1378 config.CurvePreferences = []CurveID{curve}
1379 config.Certificates = make([]Certificate, 1)
1380 config.Certificates[0].Certificate = [][]byte{cert}
1381 config.Certificates[0].PrivateKey = key
1382 config.BuildNameToCertificate()
1383
1384 clientConn, serverConn := localPipe(b)
1385 serverConn = &recordingConn{Conn: serverConn}
1386 go func() {
1387 config := testConfig.Clone()
1388 config.MaxVersion = version
1389 config.CurvePreferences = []CurveID{curve}
1390 client := Client(clientConn, config)
1391 client.Handshake()
1392 }()
1393 server := Server(serverConn, config)
1394 if err := server.Handshake(); err != nil {
1395 b.Fatalf("handshake failed: %v", err)
1396 }
1397 serverConn.Close()
1398 flows := serverConn.(*recordingConn).flows
1399
1400 b.ResetTimer()
1401 for i := 0; i < b.N; i++ {
1402 replay := &replayingConn{t: b, flows: slices.Clone(flows), reading: true}
1403 server := Server(replay, config)
1404 if err := server.Handshake(); err != nil {
1405 b.Fatalf("handshake failed: %v", err)
1406 }
1407 }
1408 }
1409
1410 func BenchmarkHandshakeServer(b *testing.B) {
1411 b.Run("RSA", func(b *testing.B) {
1412 benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256,
1413 0, testRSACertificate, testRSAPrivateKey)
1414 })
1415 b.Run("ECDHE-P256-RSA", func(b *testing.B) {
1416 b.Run("TLSv13", func(b *testing.B) {
1417 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1418 CurveP256, testRSACertificate, testRSAPrivateKey)
1419 })
1420 b.Run("TLSv12", func(b *testing.B) {
1421 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1422 CurveP256, testRSACertificate, testRSAPrivateKey)
1423 })
1424 })
1425 b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) {
1426 b.Run("TLSv13", func(b *testing.B) {
1427 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1428 CurveP256, testP256Certificate, testP256PrivateKey)
1429 })
1430 b.Run("TLSv12", func(b *testing.B) {
1431 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1432 CurveP256, testP256Certificate, testP256PrivateKey)
1433 })
1434 })
1435 b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) {
1436 b.Run("TLSv13", func(b *testing.B) {
1437 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1438 X25519, testP256Certificate, testP256PrivateKey)
1439 })
1440 b.Run("TLSv12", func(b *testing.B) {
1441 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1442 X25519, testP256Certificate, testP256PrivateKey)
1443 })
1444 })
1445 b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) {
1446 if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() {
1447 b.Fatal("test ECDSA key doesn't use curve P-521")
1448 }
1449 b.Run("TLSv13", func(b *testing.B) {
1450 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1451 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1452 })
1453 b.Run("TLSv12", func(b *testing.B) {
1454 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
1455 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1456 })
1457 })
1458 }
1459
1460 func TestClientAuth(t *testing.T) {
1461 var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath, ed25519CertPath, ed25519KeyPath string
1462
1463 if *update {
1464 certPath = tempFile(clientCertificatePEM)
1465 defer os.Remove(certPath)
1466 keyPath = tempFile(clientKeyPEM)
1467 defer os.Remove(keyPath)
1468 ecdsaCertPath = tempFile(clientECDSACertificatePEM)
1469 defer os.Remove(ecdsaCertPath)
1470 ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
1471 defer os.Remove(ecdsaKeyPath)
1472 ed25519CertPath = tempFile(clientEd25519CertificatePEM)
1473 defer os.Remove(ed25519CertPath)
1474 ed25519KeyPath = tempFile(clientEd25519KeyPEM)
1475 defer os.Remove(ed25519KeyPath)
1476 } else {
1477 t.Parallel()
1478 }
1479
1480 config := testConfig.Clone()
1481 config.ClientAuth = RequestClientCert
1482
1483 test := &serverTest{
1484 name: "ClientAuthRequestedNotGiven",
1485 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
1486 config: config,
1487 }
1488 runServerTestTLS12(t, test)
1489 runServerTestTLS13(t, test)
1490
1491 test = &serverTest{
1492 name: "ClientAuthRequestedAndGiven",
1493 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1494 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
1495 config: config,
1496 expectedPeerCerts: []string{clientCertificatePEM},
1497 }
1498 runServerTestTLS12(t, test)
1499 runServerTestTLS13(t, test)
1500
1501 test = &serverTest{
1502 name: "ClientAuthRequestedAndECDSAGiven",
1503 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1504 "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
1505 config: config,
1506 expectedPeerCerts: []string{clientECDSACertificatePEM},
1507 }
1508 runServerTestTLS12(t, test)
1509 runServerTestTLS13(t, test)
1510
1511 test = &serverTest{
1512 name: "ClientAuthRequestedAndEd25519Given",
1513 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1514 "-cert", ed25519CertPath, "-key", ed25519KeyPath},
1515 config: config,
1516 expectedPeerCerts: []string{clientEd25519CertificatePEM},
1517 }
1518 runServerTestTLS12(t, test)
1519 runServerTestTLS13(t, test)
1520
1521 test = &serverTest{
1522 name: "ClientAuthRequestedAndPKCS1v15Given",
1523 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1524 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pkcs1_sha256"},
1525 config: config,
1526 expectedPeerCerts: []string{clientCertificatePEM},
1527 }
1528 runServerTestTLS12(t, test)
1529 }
1530
1531 func TestSNIGivenOnFailure(t *testing.T) {
1532 const expectedServerName = "test.testing"
1533
1534 clientHello := &clientHelloMsg{
1535 vers: VersionTLS12,
1536 random: make([]byte, 32),
1537 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1538 compressionMethods: []uint8{compressionNone},
1539 serverName: expectedServerName,
1540 }
1541
1542 serverConfig := testConfig.Clone()
1543
1544 serverConfig.CipherSuites = nil
1545
1546 c, s := localPipe(t)
1547 go func() {
1548 cli := Client(c, testConfig)
1549 cli.vers = clientHello.vers
1550 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
1551 testFatal(t, err)
1552 }
1553 c.Close()
1554 }()
1555 conn := Server(s, serverConfig)
1556 ctx := context.Background()
1557 ch, _, err := conn.readClientHello(ctx)
1558 hs := serverHandshakeState{
1559 c: conn,
1560 ctx: ctx,
1561 clientHello: ch,
1562 }
1563 if err == nil {
1564 err = hs.processClientHello()
1565 }
1566 if err == nil {
1567 err = hs.pickCipherSuite()
1568 }
1569 defer s.Close()
1570
1571 if err == nil {
1572 t.Error("No error reported from server")
1573 }
1574
1575 cs := hs.c.ConnectionState()
1576 if cs.HandshakeComplete {
1577 t.Error("Handshake registered as complete")
1578 }
1579
1580 if cs.ServerName != expectedServerName {
1581 t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName)
1582 }
1583 }
1584
1585 var getConfigForClientTests = []struct {
1586 setup func(config *Config)
1587 callback func(clientHello *ClientHelloInfo) (*Config, error)
1588 errorSubstring string
1589 verify func(config *Config) error
1590 }{
1591 {
1592 nil,
1593 func(clientHello *ClientHelloInfo) (*Config, error) {
1594 return nil, nil
1595 },
1596 "",
1597 nil,
1598 },
1599 {
1600 nil,
1601 func(clientHello *ClientHelloInfo) (*Config, error) {
1602 return nil, errors.New("should bubble up")
1603 },
1604 "should bubble up",
1605 nil,
1606 },
1607 {
1608 nil,
1609 func(clientHello *ClientHelloInfo) (*Config, error) {
1610 config := testConfig.Clone()
1611
1612
1613 config.MaxVersion = VersionTLS11
1614 return config, nil
1615 },
1616 "client offered only unsupported versions",
1617 nil,
1618 },
1619 {
1620 func(config *Config) {
1621 for i := range config.SessionTicketKey {
1622 config.SessionTicketKey[i] = byte(i)
1623 }
1624 config.sessionTicketKeys = nil
1625 },
1626 func(clientHello *ClientHelloInfo) (*Config, error) {
1627 config := testConfig.Clone()
1628 clear(config.SessionTicketKey[:])
1629 config.sessionTicketKeys = nil
1630 return config, nil
1631 },
1632 "",
1633 func(config *Config) error {
1634 if config.SessionTicketKey == [32]byte{} {
1635 return fmt.Errorf("expected SessionTicketKey to be set")
1636 }
1637 return nil
1638 },
1639 },
1640 {
1641 func(config *Config) {
1642 var dummyKey [32]byte
1643 for i := range dummyKey {
1644 dummyKey[i] = byte(i)
1645 }
1646
1647 config.SetSessionTicketKeys([][32]byte{dummyKey})
1648 },
1649 func(clientHello *ClientHelloInfo) (*Config, error) {
1650 config := testConfig.Clone()
1651 config.sessionTicketKeys = nil
1652 return config, nil
1653 },
1654 "",
1655 func(config *Config) error {
1656 if config.SessionTicketKey == [32]byte{} {
1657 return fmt.Errorf("expected SessionTicketKey to be set")
1658 }
1659 return nil
1660 },
1661 },
1662 }
1663
1664 func TestGetConfigForClient(t *testing.T) {
1665 serverConfig := testConfig.Clone()
1666 clientConfig := testConfig.Clone()
1667 clientConfig.MinVersion = VersionTLS12
1668
1669 for i, test := range getConfigForClientTests {
1670 if test.setup != nil {
1671 test.setup(serverConfig)
1672 }
1673
1674 var configReturned *Config
1675 serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
1676 config, err := test.callback(clientHello)
1677 configReturned = config
1678 return config, err
1679 }
1680 c, s := localPipe(t)
1681 done := make(chan error)
1682
1683 go func() {
1684 defer s.Close()
1685 done <- Server(s, serverConfig).Handshake()
1686 }()
1687
1688 clientErr := Client(c, clientConfig).Handshake()
1689 c.Close()
1690
1691 serverErr := <-done
1692
1693 if len(test.errorSubstring) == 0 {
1694 if serverErr != nil || clientErr != nil {
1695 t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr)
1696 }
1697 if test.verify != nil {
1698 if err := test.verify(configReturned); err != nil {
1699 t.Errorf("test[%d]: verify returned error: %v", i, err)
1700 }
1701 }
1702 } else {
1703 if serverErr == nil {
1704 t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring)
1705 } else if !strings.Contains(serverErr.Error(), test.errorSubstring) {
1706 t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr)
1707 }
1708 }
1709 }
1710 }
1711
1712 func TestCloseServerConnectionOnIdleClient(t *testing.T) {
1713 clientConn, serverConn := localPipe(t)
1714 server := Server(serverConn, testConfig.Clone())
1715 go func() {
1716 clientConn.Write([]byte{'0'})
1717 server.Close()
1718 }()
1719 server.SetReadDeadline(time.Now().Add(time.Minute))
1720 err := server.Handshake()
1721 if err != nil {
1722 if err, ok := err.(net.Error); ok && err.Timeout() {
1723 t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
1724 }
1725 } else {
1726 t.Errorf("Error expected, but no error returned")
1727 }
1728 }
1729
1730 func TestCloneHash(t *testing.T) {
1731 h1 := crypto.SHA256.New()
1732 h1.Write([]byte("test"))
1733 s1 := h1.Sum(nil)
1734 h2 := cloneHash(h1, crypto.SHA256)
1735 s2 := h2.Sum(nil)
1736 if !bytes.Equal(s1, s2) {
1737 t.Error("cloned hash generated a different sum")
1738 }
1739 }
1740
1741 func expectError(t *testing.T, err error, sub string) {
1742 if err == nil {
1743 t.Errorf(`expected error %q, got nil`, sub)
1744 } else if !strings.Contains(err.Error(), sub) {
1745 t.Errorf(`expected error %q, got %q`, sub, err)
1746 }
1747 }
1748
1749 func TestKeyTooSmallForRSAPSS(t *testing.T) {
1750 cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE-----
1751 MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS
1752 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy
1753 OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd
1754 ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ
1755 nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
1756 DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu
1757 Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q
1758 KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA==
1759 -----END CERTIFICATE-----`), []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
1760 MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T
1761 HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/
1762 yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z
1763 4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz
1764 nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd
1765 hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s
1766 T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
1767 -----END RSA TESTING KEY-----`)))
1768 if err != nil {
1769 t.Fatal(err)
1770 }
1771
1772 clientConn, serverConn := localPipe(t)
1773 client := Client(clientConn, testConfig)
1774 done := make(chan struct{})
1775 go func() {
1776 config := testConfig.Clone()
1777 config.Certificates = []Certificate{cert}
1778 config.MinVersion = VersionTLS13
1779 server := Server(serverConn, config)
1780 err := server.Handshake()
1781 expectError(t, err, "key size too small")
1782 close(done)
1783 }()
1784 err = client.Handshake()
1785 expectError(t, err, "handshake failure")
1786 <-done
1787 }
1788
1789 func TestMultipleCertificates(t *testing.T) {
1790 clientConfig := testConfig.Clone()
1791 clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
1792 clientConfig.MaxVersion = VersionTLS12
1793
1794 serverConfig := testConfig.Clone()
1795 serverConfig.Certificates = []Certificate{{
1796 Certificate: [][]byte{testECDSACertificate},
1797 PrivateKey: testECDSAPrivateKey,
1798 }, {
1799 Certificate: [][]byte{testRSACertificate},
1800 PrivateKey: testRSAPrivateKey,
1801 }}
1802
1803 _, clientState, err := testHandshake(t, clientConfig, serverConfig)
1804 if err != nil {
1805 t.Fatal(err)
1806 }
1807 if got := clientState.PeerCertificates[0].PublicKeyAlgorithm; got != x509.RSA {
1808 t.Errorf("expected RSA certificate, got %v", got)
1809 }
1810 }
1811
1812 func TestAESCipherReordering(t *testing.T) {
1813 skipFIPS(t)
1814
1815 currentAESSupport := hasAESGCMHardwareSupport
1816 defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
1817
1818 tests := []struct {
1819 name string
1820 clientCiphers []uint16
1821 serverHasAESGCM bool
1822 serverCiphers []uint16
1823 expectedCipher uint16
1824 }{
1825 {
1826 name: "server has hardware AES, client doesn't (pick ChaCha)",
1827 clientCiphers: []uint16{
1828 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1829 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1830 TLS_RSA_WITH_AES_128_CBC_SHA,
1831 },
1832 serverHasAESGCM: true,
1833 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1834 },
1835 {
1836 name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)",
1837 clientCiphers: []uint16{
1838 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1839 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1840 TLS_RSA_WITH_AES_128_CBC_SHA,
1841 },
1842 serverHasAESGCM: false,
1843 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1844 },
1845 {
1846 name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
1847 clientCiphers: []uint16{
1848 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1849 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1850 TLS_RSA_WITH_AES_128_CBC_SHA,
1851 },
1852 serverHasAESGCM: true,
1853 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1854 },
1855 {
1856 name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)",
1857 clientCiphers: []uint16{
1858 0x0A0A,
1859 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1860 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1861 TLS_RSA_WITH_AES_128_CBC_SHA,
1862 },
1863 serverHasAESGCM: true,
1864 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1865 },
1866 {
1867 name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)",
1868 clientCiphers: []uint16{
1869 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1870 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1871 TLS_RSA_WITH_AES_128_CBC_SHA,
1872 },
1873 serverHasAESGCM: false,
1874 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1875 },
1876 {
1877 name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)",
1878 clientCiphers: []uint16{
1879 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1880 TLS_RSA_WITH_AES_128_CBC_SHA,
1881 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1882 },
1883 serverHasAESGCM: false,
1884 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1885 },
1886 {
1887 name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)",
1888 clientCiphers: []uint16{
1889 0x0A0A,
1890 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1891 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1892 TLS_RSA_WITH_AES_128_CBC_SHA,
1893 },
1894 serverHasAESGCM: false,
1895 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1896 },
1897 {
1898 name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (AES-GCM)",
1899 clientCiphers: []uint16{
1900 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1901 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1902 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1903 },
1904 serverHasAESGCM: false,
1905 serverCiphers: []uint16{
1906 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1907 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1908 },
1909 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1910 },
1911 {
1912 name: "client prefers AES-GCM, server has hardware but doesn't support AES (pick ChaCha)",
1913 clientCiphers: []uint16{
1914 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1915 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1916 TLS_RSA_WITH_AES_128_CBC_SHA,
1917 },
1918 serverHasAESGCM: true,
1919 serverCiphers: []uint16{
1920 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1921 },
1922 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
1923 },
1924 }
1925
1926 for _, tc := range tests {
1927 t.Run(tc.name, func(t *testing.T) {
1928 hasAESGCMHardwareSupport = tc.serverHasAESGCM
1929 hs := &serverHandshakeState{
1930 c: &Conn{
1931 config: &Config{
1932 CipherSuites: tc.serverCiphers,
1933 },
1934 vers: VersionTLS12,
1935 },
1936 clientHello: &clientHelloMsg{
1937 cipherSuites: tc.clientCiphers,
1938 vers: VersionTLS12,
1939 },
1940 ecdheOk: true,
1941 rsaSignOk: true,
1942 rsaDecryptOk: true,
1943 }
1944
1945 err := hs.pickCipherSuite()
1946 if err != nil {
1947 t.Errorf("pickCipherSuite failed: %s", err)
1948 }
1949
1950 if tc.expectedCipher != hs.suite.id {
1951 t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
1952 }
1953 })
1954 }
1955 }
1956
1957 func TestAESCipherReorderingTLS13(t *testing.T) {
1958 skipFIPS(t)
1959
1960 currentAESSupport := hasAESGCMHardwareSupport
1961 defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
1962
1963 tests := []struct {
1964 name string
1965 clientCiphers []uint16
1966 serverHasAESGCM bool
1967 expectedCipher uint16
1968 }{
1969 {
1970 name: "server has hardware AES, client doesn't (pick ChaCha)",
1971 clientCiphers: []uint16{
1972 TLS_CHACHA20_POLY1305_SHA256,
1973 TLS_AES_128_GCM_SHA256,
1974 },
1975 serverHasAESGCM: true,
1976 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1977 },
1978 {
1979 name: "neither server nor client have hardware AES (pick ChaCha)",
1980 clientCiphers: []uint16{
1981 TLS_CHACHA20_POLY1305_SHA256,
1982 TLS_AES_128_GCM_SHA256,
1983 },
1984 serverHasAESGCM: false,
1985 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1986 },
1987 {
1988 name: "client prefers AES, server doesn't have hardware (pick ChaCha)",
1989 clientCiphers: []uint16{
1990 TLS_AES_128_GCM_SHA256,
1991 TLS_CHACHA20_POLY1305_SHA256,
1992 },
1993 serverHasAESGCM: false,
1994 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1995 },
1996 {
1997 name: "client prefers AES and sends GREASE, server doesn't have hardware (pick ChaCha)",
1998 clientCiphers: []uint16{
1999 0x0A0A,
2000 TLS_AES_128_GCM_SHA256,
2001 TLS_CHACHA20_POLY1305_SHA256,
2002 },
2003 serverHasAESGCM: false,
2004 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
2005 },
2006 {
2007 name: "client prefers AES, server has hardware AES (pick AES)",
2008 clientCiphers: []uint16{
2009 TLS_AES_128_GCM_SHA256,
2010 TLS_CHACHA20_POLY1305_SHA256,
2011 },
2012 serverHasAESGCM: true,
2013 expectedCipher: TLS_AES_128_GCM_SHA256,
2014 },
2015 {
2016 name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)",
2017 clientCiphers: []uint16{
2018 0x0A0A,
2019 TLS_AES_128_GCM_SHA256,
2020 TLS_CHACHA20_POLY1305_SHA256,
2021 },
2022 serverHasAESGCM: true,
2023 expectedCipher: TLS_AES_128_GCM_SHA256,
2024 },
2025 }
2026
2027 for _, tc := range tests {
2028 t.Run(tc.name, func(t *testing.T) {
2029 hasAESGCMHardwareSupport = tc.serverHasAESGCM
2030 pk, _ := ecdh.X25519().GenerateKey(rand.Reader)
2031 hs := &serverHandshakeStateTLS13{
2032 c: &Conn{
2033 config: &Config{},
2034 vers: VersionTLS13,
2035 },
2036 clientHello: &clientHelloMsg{
2037 cipherSuites: tc.clientCiphers,
2038 supportedVersions: []uint16{VersionTLS13},
2039 compressionMethods: []uint8{compressionNone},
2040 keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
2041 supportedCurves: []CurveID{X25519},
2042 },
2043 }
2044
2045 err := hs.processClientHello()
2046 if err != nil {
2047 t.Errorf("pickCipherSuite failed: %s", err)
2048 }
2049
2050 if tc.expectedCipher != hs.suite.id {
2051 t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
2052 }
2053 })
2054 }
2055 }
2056
2057
2058
2059
2060 func TestServerHandshakeContextCancellation(t *testing.T) {
2061 c, s := localPipe(t)
2062 ctx, cancel := context.WithCancel(context.Background())
2063 unblockClient := make(chan struct{})
2064 defer close(unblockClient)
2065 go func() {
2066 cancel()
2067 <-unblockClient
2068 _ = c.Close()
2069 }()
2070 conn := Server(s, testConfig)
2071
2072
2073 err := conn.HandshakeContext(ctx)
2074 if err == nil {
2075 t.Fatal("Server handshake did not error when the context was canceled")
2076 }
2077 if err != context.Canceled {
2078 t.Errorf("Unexpected server handshake error: %v", err)
2079 }
2080 if runtime.GOOS == "js" || runtime.GOOS == "wasip1" {
2081 t.Skip("conn.Close does not error as expected when called multiple times on GOOS=js or GOOS=wasip1")
2082 }
2083 err = conn.Close()
2084 if err == nil {
2085 t.Error("Server connection was not closed when the context was canceled")
2086 }
2087 }
2088
2089
2090
2091
2092
2093
2094 func TestHandshakeContextHierarchy(t *testing.T) {
2095 c, s := localPipe(t)
2096 clientErr := make(chan error, 1)
2097 clientConfig := testConfig.Clone()
2098 serverConfig := testConfig.Clone()
2099 ctx, cancel := context.WithCancel(context.Background())
2100 defer cancel()
2101 key := struct{}{}
2102 ctx = context.WithValue(ctx, key, true)
2103 go func() {
2104 defer close(clientErr)
2105 defer c.Close()
2106 var innerCtx context.Context
2107 clientConfig.Certificates = nil
2108 clientConfig.GetClientCertificate = func(certificateRequest *CertificateRequestInfo) (*Certificate, error) {
2109 if val, ok := certificateRequest.Context().Value(key).(bool); !ok || !val {
2110 t.Errorf("GetClientCertificate context was not child of HandshakeContext")
2111 }
2112 innerCtx = certificateRequest.Context()
2113 return &Certificate{
2114 Certificate: [][]byte{testRSACertificate},
2115 PrivateKey: testRSAPrivateKey,
2116 }, nil
2117 }
2118 cli := Client(c, clientConfig)
2119 err := cli.HandshakeContext(ctx)
2120 if err != nil {
2121 clientErr <- err
2122 return
2123 }
2124 select {
2125 case <-innerCtx.Done():
2126 default:
2127 t.Errorf("GetClientCertificate context was not canceled after HandshakeContext returned.")
2128 }
2129 }()
2130 var innerCtx context.Context
2131 serverConfig.Certificates = nil
2132 serverConfig.ClientAuth = RequestClientCert
2133 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
2134 if val, ok := clientHello.Context().Value(key).(bool); !ok || !val {
2135 t.Errorf("GetClientCertificate context was not child of HandshakeContext")
2136 }
2137 innerCtx = clientHello.Context()
2138 return &Certificate{
2139 Certificate: [][]byte{testRSACertificate},
2140 PrivateKey: testRSAPrivateKey,
2141 }, nil
2142 }
2143 conn := Server(s, serverConfig)
2144 err := conn.HandshakeContext(ctx)
2145 if err != nil {
2146 t.Errorf("Unexpected server handshake error: %v", err)
2147 }
2148 select {
2149 case <-innerCtx.Done():
2150 default:
2151 t.Errorf("GetCertificate context was not canceled after HandshakeContext returned.")
2152 }
2153 if err := <-clientErr; err != nil {
2154 t.Errorf("Unexpected client error: %v", err)
2155 }
2156 }
2157
2158 func TestHandshakeChainExpiryResumption(t *testing.T) {
2159 t.Run("TLS1.2", func(t *testing.T) {
2160 testHandshakeChainExpiryResumption(t, VersionTLS12)
2161 })
2162 t.Run("TLS1.3", func(t *testing.T) {
2163 testHandshakeChainExpiryResumption(t, VersionTLS13)
2164 })
2165 }
2166
2167 func testHandshakeChainExpiryResumption(t *testing.T, version uint16) {
2168 now := time.Now()
2169
2170 createChain := func(leafNotAfter, rootNotAfter time.Time) (leafDER, expiredLeafDER []byte, root *x509.Certificate) {
2171 tmpl := &x509.Certificate{
2172 Subject: pkix.Name{CommonName: "root"},
2173 NotBefore: rootNotAfter.Add(-time.Hour * 24),
2174 NotAfter: rootNotAfter,
2175 IsCA: true,
2176 BasicConstraintsValid: true,
2177 }
2178 rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2179 if err != nil {
2180 t.Fatalf("CreateCertificate: %v", err)
2181 }
2182 root, err = x509.ParseCertificate(rootDER)
2183 if err != nil {
2184 t.Fatalf("ParseCertificate: %v", err)
2185 }
2186
2187 tmpl = &x509.Certificate{
2188 Subject: pkix.Name{},
2189 DNSNames: []string{"expired-resume.example.com"},
2190 NotBefore: leafNotAfter.Add(-time.Hour * 24),
2191 NotAfter: leafNotAfter,
2192 KeyUsage: x509.KeyUsageDigitalSignature,
2193 }
2194 leafCertDER, err := x509.CreateCertificate(rand.Reader, tmpl, root, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2195 if err != nil {
2196 t.Fatalf("CreateCertificate: %v", err)
2197 }
2198 tmpl.NotBefore, tmpl.NotAfter = leafNotAfter.Add(-time.Hour*24*365), leafNotAfter.Add(-time.Hour*24*364)
2199 expiredLeafDERCertDER, err := x509.CreateCertificate(rand.Reader, tmpl, root, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2200 if err != nil {
2201 t.Fatalf("CreateCertificate: %v", err)
2202 }
2203
2204 return leafCertDER, expiredLeafDERCertDER, root
2205 }
2206 testExpiration := func(name string, leafNotAfter, rootNotAfter time.Time) {
2207 t.Run(name, func(t *testing.T) {
2208 initialLeafDER, expiredLeafDER, initialRoot := createChain(leafNotAfter, rootNotAfter)
2209
2210 serverConfig := testConfig.Clone()
2211 serverConfig.MaxVersion = version
2212 serverConfig.Certificates = []Certificate{{
2213 Certificate: [][]byte{initialLeafDER, expiredLeafDER},
2214 PrivateKey: testECDSAPrivateKey,
2215 }}
2216 serverConfig.ClientCAs = x509.NewCertPool()
2217 serverConfig.ClientCAs.AddCert(initialRoot)
2218 serverConfig.ClientAuth = RequireAndVerifyClientCert
2219 serverConfig.Time = func() time.Time {
2220 return now
2221 }
2222 serverConfig.InsecureSkipVerify = false
2223 serverConfig.ServerName = "expired-resume.example.com"
2224
2225 clientConfig := testConfig.Clone()
2226 clientConfig.MaxVersion = version
2227 clientConfig.Certificates = []Certificate{{
2228 Certificate: [][]byte{initialLeafDER, expiredLeafDER},
2229 PrivateKey: testECDSAPrivateKey,
2230 }}
2231 clientConfig.RootCAs = x509.NewCertPool()
2232 clientConfig.RootCAs.AddCert(initialRoot)
2233 clientConfig.ServerName = "expired-resume.example.com"
2234 clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
2235 clientConfig.InsecureSkipVerify = false
2236 clientConfig.ServerName = "expired-resume.example.com"
2237 clientConfig.Time = func() time.Time {
2238 return now
2239 }
2240
2241 testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
2242 t.Helper()
2243 ss, cs, err := testHandshake(t, cc, sc)
2244 if err != nil {
2245 t.Fatalf("handshake: %v", err)
2246 }
2247 if cs.DidResume != expectResume {
2248 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2249 }
2250 if ss.DidResume != expectResume {
2251 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2252 }
2253 }
2254
2255 testResume(t, serverConfig, clientConfig, false)
2256 testResume(t, serverConfig, clientConfig, true)
2257
2258 expiredNow := time.Unix(0, min(leafNotAfter.UnixNano(), rootNotAfter.UnixNano())).Add(time.Minute)
2259
2260 freshLeafDER, expiredLeafDER, freshRoot := createChain(expiredNow.Add(time.Hour), expiredNow.Add(time.Hour))
2261 clientConfig.Certificates = []Certificate{{
2262 Certificate: [][]byte{freshLeafDER, expiredLeafDER},
2263 PrivateKey: testECDSAPrivateKey,
2264 }}
2265 serverConfig.Time = func() time.Time {
2266 return expiredNow
2267 }
2268 serverConfig.ClientCAs = x509.NewCertPool()
2269 serverConfig.ClientCAs.AddCert(freshRoot)
2270
2271 testResume(t, serverConfig, clientConfig, false)
2272 })
2273 }
2274
2275 testExpiration("LeafExpiresBeforeRoot", now.Add(2*time.Hour), now.Add(3*time.Hour))
2276 testExpiration("LeafExpiresAfterRoot", now.Add(2*time.Hour), now.Add(time.Hour))
2277 }
2278
2279 func TestHandshakeGetConfigForClientDifferentClientCAs(t *testing.T) {
2280 t.Run("TLS1.2", func(t *testing.T) {
2281 testHandshakeGetConfigForClientDifferentClientCAs(t, VersionTLS12)
2282 })
2283 t.Run("TLS1.3", func(t *testing.T) {
2284 testHandshakeGetConfigForClientDifferentClientCAs(t, VersionTLS13)
2285 })
2286 }
2287
2288 func testHandshakeGetConfigForClientDifferentClientCAs(t *testing.T, version uint16) {
2289 now := time.Now()
2290 tmpl := &x509.Certificate{
2291 Subject: pkix.Name{CommonName: "root"},
2292 NotBefore: now.Add(-time.Hour * 24),
2293 NotAfter: now.Add(time.Hour * 24),
2294 IsCA: true,
2295 BasicConstraintsValid: true,
2296 }
2297 rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2298 if err != nil {
2299 t.Fatalf("CreateCertificate: %v", err)
2300 }
2301 rootA, err := x509.ParseCertificate(rootDER)
2302 if err != nil {
2303 t.Fatalf("ParseCertificate: %v", err)
2304 }
2305 rootDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testRSA2048PrivateKey.PublicKey, testRSA2048PrivateKey)
2306 if err != nil {
2307 t.Fatalf("CreateCertificate: %v", err)
2308 }
2309 rootB, err := x509.ParseCertificate(rootDER)
2310 if err != nil {
2311 t.Fatalf("ParseCertificate: %v", err)
2312 }
2313
2314 tmpl = &x509.Certificate{
2315 Subject: pkix.Name{},
2316 DNSNames: []string{"example.com"},
2317 NotBefore: now.Add(-time.Hour * 24),
2318 NotAfter: now.Add(time.Hour * 24),
2319 KeyUsage: x509.KeyUsageDigitalSignature,
2320 }
2321 certA, err := x509.CreateCertificate(rand.Reader, tmpl, rootA, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2322 if err != nil {
2323 t.Fatalf("CreateCertificate: %v", err)
2324 }
2325 certB, err := x509.CreateCertificate(rand.Reader, tmpl, rootB, &testECDSAPrivateKey.PublicKey, testRSA2048PrivateKey)
2326 if err != nil {
2327 t.Fatalf("CreateCertificate: %v", err)
2328 }
2329
2330 serverConfig := testConfig.Clone()
2331 serverConfig.MaxVersion = version
2332 serverConfig.Certificates = []Certificate{{
2333 Certificate: [][]byte{certA},
2334 PrivateKey: testECDSAPrivateKey,
2335 }}
2336 serverConfig.Time = func() time.Time {
2337 return now
2338 }
2339 serverConfig.ClientCAs = x509.NewCertPool()
2340 serverConfig.ClientCAs.AddCert(rootA)
2341 serverConfig.ClientAuth = RequireAndVerifyClientCert
2342 switchConfig := false
2343 serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
2344 if !switchConfig {
2345 return nil, nil
2346 }
2347 cfg := serverConfig.Clone()
2348 cfg.ClientCAs = x509.NewCertPool()
2349 cfg.ClientCAs.AddCert(rootB)
2350 return cfg, nil
2351 }
2352 serverConfig.InsecureSkipVerify = false
2353 serverConfig.ServerName = "example.com"
2354
2355 clientConfig := testConfig.Clone()
2356 clientConfig.MaxVersion = version
2357 clientConfig.Certificates = []Certificate{{
2358 Certificate: [][]byte{certA},
2359 PrivateKey: testECDSAPrivateKey,
2360 }}
2361 clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
2362 clientConfig.RootCAs = x509.NewCertPool()
2363 clientConfig.RootCAs.AddCert(rootA)
2364 clientConfig.Time = func() time.Time {
2365 return now
2366 }
2367 clientConfig.InsecureSkipVerify = false
2368 clientConfig.ServerName = "example.com"
2369
2370 testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
2371 t.Helper()
2372 ss, cs, err := testHandshake(t, cc, sc)
2373 if err != nil {
2374 t.Fatalf("handshake: %v", err)
2375 }
2376 if cs.DidResume != expectResume {
2377 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2378 }
2379 if ss.DidResume != expectResume {
2380 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2381 }
2382 }
2383
2384 testResume(t, serverConfig, clientConfig, false)
2385 testResume(t, serverConfig, clientConfig, true)
2386
2387 clientConfig.Certificates[0].Certificate = [][]byte{certB}
2388
2389
2390
2391 switchConfig = true
2392
2393 testResume(t, serverConfig, clientConfig, false)
2394 testResume(t, serverConfig, clientConfig, true)
2395 }
2396
2397 func TestHandshakeChangeRootCAsResumption(t *testing.T) {
2398 t.Run("TLS1.2", func(t *testing.T) {
2399 testHandshakeChangeRootCAsResumption(t, VersionTLS12)
2400 })
2401 t.Run("TLS1.3", func(t *testing.T) {
2402 testHandshakeChangeRootCAsResumption(t, VersionTLS13)
2403 })
2404 }
2405
2406 func testHandshakeChangeRootCAsResumption(t *testing.T, version uint16) {
2407 now := time.Now()
2408 tmpl := &x509.Certificate{
2409 Subject: pkix.Name{CommonName: "root"},
2410 NotBefore: now.Add(-time.Hour * 24),
2411 NotAfter: now.Add(time.Hour * 24),
2412 IsCA: true,
2413 BasicConstraintsValid: true,
2414 }
2415 rootDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2416 if err != nil {
2417 t.Fatalf("CreateCertificate: %v", err)
2418 }
2419 rootA, err := x509.ParseCertificate(rootDER)
2420 if err != nil {
2421 t.Fatalf("ParseCertificate: %v", err)
2422 }
2423 rootDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &testRSA2048PrivateKey.PublicKey, testRSA2048PrivateKey)
2424 if err != nil {
2425 t.Fatalf("CreateCertificate: %v", err)
2426 }
2427 rootB, err := x509.ParseCertificate(rootDER)
2428 if err != nil {
2429 t.Fatalf("ParseCertificate: %v", err)
2430 }
2431
2432 tmpl = &x509.Certificate{
2433 Subject: pkix.Name{},
2434 DNSNames: []string{"example.com"},
2435 NotBefore: now.Add(-time.Hour * 24),
2436 NotAfter: now.Add(time.Hour * 24),
2437 KeyUsage: x509.KeyUsageDigitalSignature,
2438 }
2439 certA, err := x509.CreateCertificate(rand.Reader, tmpl, rootA, &testECDSAPrivateKey.PublicKey, testECDSAPrivateKey)
2440 if err != nil {
2441 t.Fatalf("CreateCertificate: %v", err)
2442 }
2443 certB, err := x509.CreateCertificate(rand.Reader, tmpl, rootB, &testECDSAPrivateKey.PublicKey, testRSA2048PrivateKey)
2444 if err != nil {
2445 t.Fatalf("CreateCertificate: %v", err)
2446 }
2447
2448 serverConfig := testConfig.Clone()
2449 serverConfig.MaxVersion = version
2450 serverConfig.Certificates = []Certificate{{
2451 Certificate: [][]byte{certA},
2452 PrivateKey: testECDSAPrivateKey,
2453 }}
2454 serverConfig.Time = func() time.Time {
2455 return now
2456 }
2457 serverConfig.ClientCAs = x509.NewCertPool()
2458 serverConfig.ClientCAs.AddCert(rootA)
2459 serverConfig.ClientAuth = RequireAndVerifyClientCert
2460 serverConfig.InsecureSkipVerify = false
2461 serverConfig.ServerName = "example.com"
2462
2463 clientConfig := testConfig.Clone()
2464 clientConfig.MaxVersion = version
2465 clientConfig.Certificates = []Certificate{{
2466 Certificate: [][]byte{certA},
2467 PrivateKey: testECDSAPrivateKey,
2468 }}
2469 clientConfig.ClientSessionCache = NewLRUClientSessionCache(32)
2470 clientConfig.RootCAs = x509.NewCertPool()
2471 clientConfig.RootCAs.AddCert(rootA)
2472 clientConfig.Time = func() time.Time {
2473 return now
2474 }
2475 clientConfig.InsecureSkipVerify = false
2476 clientConfig.ServerName = "example.com"
2477
2478 testResume := func(t *testing.T, sc, cc *Config, expectResume bool) {
2479 t.Helper()
2480 ss, cs, err := testHandshake(t, cc, sc)
2481 if err != nil {
2482 t.Fatalf("handshake: %v", err)
2483 }
2484 if cs.DidResume != expectResume {
2485 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2486 }
2487 if ss.DidResume != expectResume {
2488 t.Fatalf("DidResume = %v; want %v", cs.DidResume, expectResume)
2489 }
2490 }
2491
2492 testResume(t, serverConfig, clientConfig, false)
2493 testResume(t, serverConfig, clientConfig, true)
2494
2495 clientConfig = clientConfig.Clone()
2496 clientConfig.RootCAs = x509.NewCertPool()
2497 clientConfig.RootCAs.AddCert(rootB)
2498
2499 serverConfig.Certificates[0].Certificate = [][]byte{certB}
2500
2501 testResume(t, serverConfig, clientConfig, false)
2502 testResume(t, serverConfig, clientConfig, true)
2503 }
2504
View as plain text