Source file src/crypto/tls/tls_test.go

     1  // Copyright 2012 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"crypto"
    11  	"crypto/x509"
    12  	"encoding/json"
    13  	"errors"
    14  	"fmt"
    15  	"internal/testenv"
    16  	"io"
    17  	"math"
    18  	"net"
    19  	"os"
    20  	"reflect"
    21  	"sort"
    22  	"strings"
    23  	"testing"
    24  	"time"
    25  )
    26  
    27  var rsaCertPEM = `-----BEGIN CERTIFICATE-----
    28  MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
    29  BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
    30  aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
    31  MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
    32  ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
    33  hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
    34  rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
    35  zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
    36  MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
    37  r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
    38  -----END CERTIFICATE-----
    39  `
    40  
    41  var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
    42  MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
    43  k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
    44  6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
    45  MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
    46  SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
    47  xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
    48  D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
    49  -----END RSA TESTING KEY-----
    50  `)
    51  
    52  // keyPEM is the same as rsaKeyPEM, but declares itself as just
    53  // "PRIVATE KEY", not "RSA PRIVATE KEY".  https://golang.org/issue/4477
    54  var keyPEM = testingKey(`-----BEGIN TESTING KEY-----
    55  MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
    56  k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
    57  6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
    58  MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
    59  SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
    60  xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
    61  D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
    62  -----END TESTING KEY-----
    63  `)
    64  
    65  var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----
    66  MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
    67  EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
    68  eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG
    69  EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk
    70  Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR
    71  lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl
    72  01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8
    73  XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo
    74  A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb
    75  H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1
    76  +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==
    77  -----END CERTIFICATE-----
    78  `
    79  
    80  var ecdsaKeyPEM = testingKey(`-----BEGIN EC PARAMETERS-----
    81  BgUrgQQAIw==
    82  -----END EC PARAMETERS-----
    83  -----BEGIN EC TESTING KEY-----
    84  MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0
    85  NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL
    86  06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz
    87  VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q
    88  kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==
    89  -----END EC TESTING KEY-----
    90  `)
    91  
    92  var keyPairTests = []struct {
    93  	algo string
    94  	cert string
    95  	key  string
    96  }{
    97  	{"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},
    98  	{"RSA", rsaCertPEM, rsaKeyPEM},
    99  	{"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477
   100  }
   101  
   102  func TestX509KeyPair(t *testing.T) {
   103  	t.Parallel()
   104  	var pem []byte
   105  	for _, test := range keyPairTests {
   106  		pem = []byte(test.cert + test.key)
   107  		if _, err := X509KeyPair(pem, pem); err != nil {
   108  			t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)
   109  		}
   110  		pem = []byte(test.key + test.cert)
   111  		if _, err := X509KeyPair(pem, pem); err != nil {
   112  			t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)
   113  		}
   114  	}
   115  }
   116  
   117  func TestX509KeyPairErrors(t *testing.T) {
   118  	_, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))
   119  	if err == nil {
   120  		t.Fatalf("X509KeyPair didn't return an error when arguments were switched")
   121  	}
   122  	if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {
   123  		t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)
   124  	}
   125  
   126  	_, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))
   127  	if err == nil {
   128  		t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")
   129  	}
   130  	if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {
   131  		t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)
   132  	}
   133  
   134  	const nonsensePEM = `
   135  -----BEGIN NONSENSE-----
   136  Zm9vZm9vZm9v
   137  -----END NONSENSE-----
   138  `
   139  
   140  	_, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))
   141  	if err == nil {
   142  		t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")
   143  	}
   144  	if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {
   145  		t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)
   146  	}
   147  }
   148  
   149  func TestX509MixedKeyPair(t *testing.T) {
   150  	if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {
   151  		t.Error("Load of RSA certificate succeeded with ECDSA private key")
   152  	}
   153  	if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {
   154  		t.Error("Load of ECDSA certificate succeeded with RSA private key")
   155  	}
   156  }
   157  
   158  func newLocalListener(t testing.TB) net.Listener {
   159  	ln, err := net.Listen("tcp", "127.0.0.1:0")
   160  	if err != nil {
   161  		ln, err = net.Listen("tcp6", "[::1]:0")
   162  	}
   163  	if err != nil {
   164  		t.Fatal(err)
   165  	}
   166  	return ln
   167  }
   168  
   169  func TestDialTimeout(t *testing.T) {
   170  	if testing.Short() {
   171  		t.Skip("skipping in short mode")
   172  	}
   173  	listener := newLocalListener(t)
   174  
   175  	addr := listener.Addr().String()
   176  	defer listener.Close()
   177  
   178  	complete := make(chan bool)
   179  	defer close(complete)
   180  
   181  	go func() {
   182  		conn, err := listener.Accept()
   183  		if err != nil {
   184  			t.Error(err)
   185  			return
   186  		}
   187  		<-complete
   188  		conn.Close()
   189  	}()
   190  
   191  	dialer := &net.Dialer{
   192  		Timeout: 10 * time.Millisecond,
   193  	}
   194  
   195  	var err error
   196  	if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {
   197  		t.Fatal("DialWithTimeout completed successfully")
   198  	}
   199  
   200  	if !isTimeoutError(err) {
   201  		t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err)
   202  	}
   203  }
   204  
   205  func TestDeadlineOnWrite(t *testing.T) {
   206  	if testing.Short() {
   207  		t.Skip("skipping in short mode")
   208  	}
   209  
   210  	ln := newLocalListener(t)
   211  	defer ln.Close()
   212  
   213  	srvCh := make(chan *Conn, 1)
   214  
   215  	go func() {
   216  		sconn, err := ln.Accept()
   217  		if err != nil {
   218  			srvCh <- nil
   219  			return
   220  		}
   221  		srv := Server(sconn, testConfig.Clone())
   222  		if err := srv.Handshake(); err != nil {
   223  			srvCh <- nil
   224  			return
   225  		}
   226  		srvCh <- srv
   227  	}()
   228  
   229  	clientConfig := testConfig.Clone()
   230  	clientConfig.MaxVersion = VersionTLS12
   231  	conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   232  	if err != nil {
   233  		t.Fatal(err)
   234  	}
   235  	defer conn.Close()
   236  
   237  	srv := <-srvCh
   238  	if srv == nil {
   239  		t.Error(err)
   240  	}
   241  
   242  	// Make sure the client/server is setup correctly and is able to do a typical Write/Read
   243  	buf := make([]byte, 6)
   244  	if _, err := srv.Write([]byte("foobar")); err != nil {
   245  		t.Errorf("Write err: %v", err)
   246  	}
   247  	if n, err := conn.Read(buf); n != 6 || err != nil || string(buf) != "foobar" {
   248  		t.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
   249  	}
   250  
   251  	// Set a deadline which should cause Write to timeout
   252  	if err = srv.SetDeadline(time.Now()); err != nil {
   253  		t.Fatalf("SetDeadline(time.Now()) err: %v", err)
   254  	}
   255  	if _, err = srv.Write([]byte("should fail")); err == nil {
   256  		t.Fatal("Write should have timed out")
   257  	}
   258  
   259  	// Clear deadline and make sure it still times out
   260  	if err = srv.SetDeadline(time.Time{}); err != nil {
   261  		t.Fatalf("SetDeadline(time.Time{}) err: %v", err)
   262  	}
   263  	if _, err = srv.Write([]byte("This connection is permanently broken")); err == nil {
   264  		t.Fatal("Write which previously failed should still time out")
   265  	}
   266  
   267  	// Verify the error
   268  	if ne := err.(net.Error); ne.Temporary() != false {
   269  		t.Error("Write timed out but incorrectly classified the error as Temporary")
   270  	}
   271  	if !isTimeoutError(err) {
   272  		t.Error("Write timed out but did not classify the error as a Timeout")
   273  	}
   274  }
   275  
   276  type readerFunc func([]byte) (int, error)
   277  
   278  func (f readerFunc) Read(b []byte) (int, error) { return f(b) }
   279  
   280  // TestDialer tests that tls.Dialer.DialContext can abort in the middle of a handshake.
   281  // (The other cases are all handled by the existing dial tests in this package, which
   282  // all also flow through the same code shared code paths)
   283  func TestDialer(t *testing.T) {
   284  	ln := newLocalListener(t)
   285  	defer ln.Close()
   286  
   287  	unblockServer := make(chan struct{}) // close-only
   288  	defer close(unblockServer)
   289  	go func() {
   290  		conn, err := ln.Accept()
   291  		if err != nil {
   292  			return
   293  		}
   294  		defer conn.Close()
   295  		<-unblockServer
   296  	}()
   297  
   298  	ctx, cancel := context.WithCancel(context.Background())
   299  	d := Dialer{Config: &Config{
   300  		Rand: readerFunc(func(b []byte) (n int, err error) {
   301  			// By the time crypto/tls wants randomness, that means it has a TCP
   302  			// connection, so we're past the Dialer's dial and now blocked
   303  			// in a handshake. Cancel our context and see if we get unstuck.
   304  			// (Our TCP listener above never reads or writes, so the Handshake
   305  			// would otherwise be stuck forever)
   306  			cancel()
   307  			return len(b), nil
   308  		}),
   309  		ServerName: "foo",
   310  	}}
   311  	_, err := d.DialContext(ctx, "tcp", ln.Addr().String())
   312  	if err != context.Canceled {
   313  		t.Errorf("err = %v; want context.Canceled", err)
   314  	}
   315  }
   316  
   317  func isTimeoutError(err error) bool {
   318  	if ne, ok := err.(net.Error); ok {
   319  		return ne.Timeout()
   320  	}
   321  	return false
   322  }
   323  
   324  // tests that Conn.Read returns (non-zero, io.EOF) instead of
   325  // (non-zero, nil) when a Close (alertCloseNotify) is sitting right
   326  // behind the application data in the buffer.
   327  func TestConnReadNonzeroAndEOF(t *testing.T) {
   328  	// This test is racy: it assumes that after a write to a
   329  	// localhost TCP connection, the peer TCP connection can
   330  	// immediately read it. Because it's racy, we skip this test
   331  	// in short mode, and then retry it several times with an
   332  	// increasing sleep in between our final write (via srv.Close
   333  	// below) and the following read.
   334  	if testing.Short() {
   335  		t.Skip("skipping in short mode")
   336  	}
   337  	var err error
   338  	for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {
   339  		if err = testConnReadNonzeroAndEOF(t, delay); err == nil {
   340  			return
   341  		}
   342  	}
   343  	t.Error(err)
   344  }
   345  
   346  func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
   347  	ln := newLocalListener(t)
   348  	defer ln.Close()
   349  
   350  	srvCh := make(chan *Conn, 1)
   351  	var serr error
   352  	go func() {
   353  		sconn, err := ln.Accept()
   354  		if err != nil {
   355  			serr = err
   356  			srvCh <- nil
   357  			return
   358  		}
   359  		serverConfig := testConfig.Clone()
   360  		srv := Server(sconn, serverConfig)
   361  		if err := srv.Handshake(); err != nil {
   362  			serr = fmt.Errorf("handshake: %v", err)
   363  			srvCh <- nil
   364  			return
   365  		}
   366  		srvCh <- srv
   367  	}()
   368  
   369  	clientConfig := testConfig.Clone()
   370  	// In TLS 1.3, alerts are encrypted and disguised as application data, so
   371  	// the opportunistic peek won't work.
   372  	clientConfig.MaxVersion = VersionTLS12
   373  	conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   374  	if err != nil {
   375  		t.Fatal(err)
   376  	}
   377  	defer conn.Close()
   378  
   379  	srv := <-srvCh
   380  	if srv == nil {
   381  		return serr
   382  	}
   383  
   384  	buf := make([]byte, 6)
   385  
   386  	srv.Write([]byte("foobar"))
   387  	n, err := conn.Read(buf)
   388  	if n != 6 || err != nil || string(buf) != "foobar" {
   389  		return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
   390  	}
   391  
   392  	srv.Write([]byte("abcdef"))
   393  	srv.Close()
   394  	time.Sleep(delay)
   395  	n, err = conn.Read(buf)
   396  	if n != 6 || string(buf) != "abcdef" {
   397  		return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)
   398  	}
   399  	if err != io.EOF {
   400  		return fmt.Errorf("Second Read error = %v; want io.EOF", err)
   401  	}
   402  	return nil
   403  }
   404  
   405  func TestTLSUniqueMatches(t *testing.T) {
   406  	ln := newLocalListener(t)
   407  	defer ln.Close()
   408  
   409  	serverTLSUniques := make(chan []byte)
   410  	parentDone := make(chan struct{})
   411  	childDone := make(chan struct{})
   412  	defer close(parentDone)
   413  	go func() {
   414  		defer close(childDone)
   415  		for i := 0; i < 2; i++ {
   416  			sconn, err := ln.Accept()
   417  			if err != nil {
   418  				t.Error(err)
   419  				return
   420  			}
   421  			serverConfig := testConfig.Clone()
   422  			serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3
   423  			srv := Server(sconn, serverConfig)
   424  			if err := srv.Handshake(); err != nil {
   425  				t.Error(err)
   426  				return
   427  			}
   428  			select {
   429  			case <-parentDone:
   430  				return
   431  			case serverTLSUniques <- srv.ConnectionState().TLSUnique:
   432  			}
   433  		}
   434  	}()
   435  
   436  	clientConfig := testConfig.Clone()
   437  	clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
   438  	conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   439  	if err != nil {
   440  		t.Fatal(err)
   441  	}
   442  
   443  	var serverTLSUniquesValue []byte
   444  	select {
   445  	case <-childDone:
   446  		return
   447  	case serverTLSUniquesValue = <-serverTLSUniques:
   448  	}
   449  
   450  	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
   451  		t.Error("client and server channel bindings differ")
   452  	}
   453  	conn.Close()
   454  
   455  	conn, err = Dial("tcp", ln.Addr().String(), clientConfig)
   456  	if err != nil {
   457  		t.Fatal(err)
   458  	}
   459  	defer conn.Close()
   460  	if !conn.ConnectionState().DidResume {
   461  		t.Error("second session did not use resumption")
   462  	}
   463  
   464  	select {
   465  	case <-childDone:
   466  		return
   467  	case serverTLSUniquesValue = <-serverTLSUniques:
   468  	}
   469  
   470  	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
   471  		t.Error("client and server channel bindings differ when session resumption is used")
   472  	}
   473  }
   474  
   475  func TestVerifyHostname(t *testing.T) {
   476  	testenv.MustHaveExternalNetwork(t)
   477  
   478  	c, err := Dial("tcp", "www.google.com:https", nil)
   479  	if err != nil {
   480  		t.Fatal(err)
   481  	}
   482  	if err := c.VerifyHostname("www.google.com"); err != nil {
   483  		t.Fatalf("verify www.google.com: %v", err)
   484  	}
   485  	if err := c.VerifyHostname("www.yahoo.com"); err == nil {
   486  		t.Fatalf("verify www.yahoo.com succeeded")
   487  	}
   488  
   489  	c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})
   490  	if err != nil {
   491  		t.Fatal(err)
   492  	}
   493  	if err := c.VerifyHostname("www.google.com"); err == nil {
   494  		t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")
   495  	}
   496  }
   497  
   498  func TestConnCloseBreakingWrite(t *testing.T) {
   499  	ln := newLocalListener(t)
   500  	defer ln.Close()
   501  
   502  	srvCh := make(chan *Conn, 1)
   503  	var serr error
   504  	var sconn net.Conn
   505  	go func() {
   506  		var err error
   507  		sconn, err = ln.Accept()
   508  		if err != nil {
   509  			serr = err
   510  			srvCh <- nil
   511  			return
   512  		}
   513  		serverConfig := testConfig.Clone()
   514  		srv := Server(sconn, serverConfig)
   515  		if err := srv.Handshake(); err != nil {
   516  			serr = fmt.Errorf("handshake: %v", err)
   517  			srvCh <- nil
   518  			return
   519  		}
   520  		srvCh <- srv
   521  	}()
   522  
   523  	cconn, err := net.Dial("tcp", ln.Addr().String())
   524  	if err != nil {
   525  		t.Fatal(err)
   526  	}
   527  	defer cconn.Close()
   528  
   529  	conn := &changeImplConn{
   530  		Conn: cconn,
   531  	}
   532  
   533  	clientConfig := testConfig.Clone()
   534  	tconn := Client(conn, clientConfig)
   535  	if err := tconn.Handshake(); err != nil {
   536  		t.Fatal(err)
   537  	}
   538  
   539  	srv := <-srvCh
   540  	if srv == nil {
   541  		t.Fatal(serr)
   542  	}
   543  	defer sconn.Close()
   544  
   545  	connClosed := make(chan struct{})
   546  	conn.closeFunc = func() error {
   547  		close(connClosed)
   548  		return nil
   549  	}
   550  
   551  	inWrite := make(chan bool, 1)
   552  	var errConnClosed = errors.New("conn closed for test")
   553  	conn.writeFunc = func(p []byte) (n int, err error) {
   554  		inWrite <- true
   555  		<-connClosed
   556  		return 0, errConnClosed
   557  	}
   558  
   559  	closeReturned := make(chan bool, 1)
   560  	go func() {
   561  		<-inWrite
   562  		tconn.Close() // test that this doesn't block forever.
   563  		closeReturned <- true
   564  	}()
   565  
   566  	_, err = tconn.Write([]byte("foo"))
   567  	if err != errConnClosed {
   568  		t.Errorf("Write error = %v; want errConnClosed", err)
   569  	}
   570  
   571  	<-closeReturned
   572  	if err := tconn.Close(); err != net.ErrClosed {
   573  		t.Errorf("Close error = %v; want net.ErrClosed", err)
   574  	}
   575  }
   576  
   577  func TestConnCloseWrite(t *testing.T) {
   578  	ln := newLocalListener(t)
   579  	defer ln.Close()
   580  
   581  	clientDoneChan := make(chan struct{})
   582  
   583  	serverCloseWrite := func() error {
   584  		sconn, err := ln.Accept()
   585  		if err != nil {
   586  			return fmt.Errorf("accept: %v", err)
   587  		}
   588  		defer sconn.Close()
   589  
   590  		serverConfig := testConfig.Clone()
   591  		srv := Server(sconn, serverConfig)
   592  		if err := srv.Handshake(); err != nil {
   593  			return fmt.Errorf("handshake: %v", err)
   594  		}
   595  		defer srv.Close()
   596  
   597  		data, err := io.ReadAll(srv)
   598  		if err != nil {
   599  			return err
   600  		}
   601  		if len(data) > 0 {
   602  			return fmt.Errorf("Read data = %q; want nothing", data)
   603  		}
   604  
   605  		if err := srv.CloseWrite(); err != nil {
   606  			return fmt.Errorf("server CloseWrite: %v", err)
   607  		}
   608  
   609  		// Wait for clientCloseWrite to finish, so we know we
   610  		// tested the CloseWrite before we defer the
   611  		// sconn.Close above, which would also cause the
   612  		// client to unblock like CloseWrite.
   613  		<-clientDoneChan
   614  		return nil
   615  	}
   616  
   617  	clientCloseWrite := func() error {
   618  		defer close(clientDoneChan)
   619  
   620  		clientConfig := testConfig.Clone()
   621  		conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   622  		if err != nil {
   623  			return err
   624  		}
   625  		if err := conn.Handshake(); err != nil {
   626  			return err
   627  		}
   628  		defer conn.Close()
   629  
   630  		if err := conn.CloseWrite(); err != nil {
   631  			return fmt.Errorf("client CloseWrite: %v", err)
   632  		}
   633  
   634  		if _, err := conn.Write([]byte{0}); err != errShutdown {
   635  			return fmt.Errorf("CloseWrite error = %v; want errShutdown", err)
   636  		}
   637  
   638  		data, err := io.ReadAll(conn)
   639  		if err != nil {
   640  			return err
   641  		}
   642  		if len(data) > 0 {
   643  			return fmt.Errorf("Read data = %q; want nothing", data)
   644  		}
   645  		return nil
   646  	}
   647  
   648  	errChan := make(chan error, 2)
   649  
   650  	go func() { errChan <- serverCloseWrite() }()
   651  	go func() { errChan <- clientCloseWrite() }()
   652  
   653  	for i := 0; i < 2; i++ {
   654  		select {
   655  		case err := <-errChan:
   656  			if err != nil {
   657  				t.Fatal(err)
   658  			}
   659  		case <-time.After(10 * time.Second):
   660  			t.Fatal("deadlock")
   661  		}
   662  	}
   663  
   664  	// Also test CloseWrite being called before the handshake is
   665  	// finished:
   666  	{
   667  		ln2 := newLocalListener(t)
   668  		defer ln2.Close()
   669  
   670  		netConn, err := net.Dial("tcp", ln2.Addr().String())
   671  		if err != nil {
   672  			t.Fatal(err)
   673  		}
   674  		defer netConn.Close()
   675  		conn := Client(netConn, testConfig.Clone())
   676  
   677  		if err := conn.CloseWrite(); err != errEarlyCloseWrite {
   678  			t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
   679  		}
   680  	}
   681  }
   682  
   683  func TestWarningAlertFlood(t *testing.T) {
   684  	ln := newLocalListener(t)
   685  	defer ln.Close()
   686  
   687  	server := func() error {
   688  		sconn, err := ln.Accept()
   689  		if err != nil {
   690  			return fmt.Errorf("accept: %v", err)
   691  		}
   692  		defer sconn.Close()
   693  
   694  		serverConfig := testConfig.Clone()
   695  		srv := Server(sconn, serverConfig)
   696  		if err := srv.Handshake(); err != nil {
   697  			return fmt.Errorf("handshake: %v", err)
   698  		}
   699  		defer srv.Close()
   700  
   701  		_, err = io.ReadAll(srv)
   702  		if err == nil {
   703  			return errors.New("unexpected lack of error from server")
   704  		}
   705  		const expected = "too many ignored"
   706  		if str := err.Error(); !strings.Contains(str, expected) {
   707  			return fmt.Errorf("expected error containing %q, but saw: %s", expected, str)
   708  		}
   709  
   710  		return nil
   711  	}
   712  
   713  	errChan := make(chan error, 1)
   714  	go func() { errChan <- server() }()
   715  
   716  	clientConfig := testConfig.Clone()
   717  	clientConfig.MaxVersion = VersionTLS12 // there are no warning alerts in TLS 1.3
   718  	conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   719  	if err != nil {
   720  		t.Fatal(err)
   721  	}
   722  	defer conn.Close()
   723  	if err := conn.Handshake(); err != nil {
   724  		t.Fatal(err)
   725  	}
   726  
   727  	for i := 0; i < maxUselessRecords+1; i++ {
   728  		conn.sendAlert(alertNoRenegotiation)
   729  	}
   730  
   731  	if err := <-errChan; err != nil {
   732  		t.Fatal(err)
   733  	}
   734  }
   735  
   736  func TestCloneFuncFields(t *testing.T) {
   737  	const expectedCount = 6
   738  	called := 0
   739  
   740  	c1 := Config{
   741  		Time: func() time.Time {
   742  			called |= 1 << 0
   743  			return time.Time{}
   744  		},
   745  		GetCertificate: func(*ClientHelloInfo) (*Certificate, error) {
   746  			called |= 1 << 1
   747  			return nil, nil
   748  		},
   749  		GetClientCertificate: func(*CertificateRequestInfo) (*Certificate, error) {
   750  			called |= 1 << 2
   751  			return nil, nil
   752  		},
   753  		GetConfigForClient: func(*ClientHelloInfo) (*Config, error) {
   754  			called |= 1 << 3
   755  			return nil, nil
   756  		},
   757  		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
   758  			called |= 1 << 4
   759  			return nil
   760  		},
   761  		VerifyConnection: func(ConnectionState) error {
   762  			called |= 1 << 5
   763  			return nil
   764  		},
   765  	}
   766  
   767  	c2 := c1.Clone()
   768  
   769  	c2.Time()
   770  	c2.GetCertificate(nil)
   771  	c2.GetClientCertificate(nil)
   772  	c2.GetConfigForClient(nil)
   773  	c2.VerifyPeerCertificate(nil, nil)
   774  	c2.VerifyConnection(ConnectionState{})
   775  
   776  	if called != (1<<expectedCount)-1 {
   777  		t.Fatalf("expected %d calls but saw calls %b", expectedCount, called)
   778  	}
   779  }
   780  
   781  func TestCloneNonFuncFields(t *testing.T) {
   782  	var c1 Config
   783  	v := reflect.ValueOf(&c1).Elem()
   784  
   785  	typ := v.Type()
   786  	for i := 0; i < typ.NumField(); i++ {
   787  		f := v.Field(i)
   788  		// testing/quick can't handle functions or interfaces and so
   789  		// isn't used here.
   790  		switch fn := typ.Field(i).Name; fn {
   791  		case "Rand":
   792  			f.Set(reflect.ValueOf(io.Reader(os.Stdin)))
   793  		case "Time", "GetCertificate", "GetConfigForClient", "VerifyPeerCertificate", "VerifyConnection", "GetClientCertificate":
   794  			// DeepEqual can't compare functions. If you add a
   795  			// function field to this list, you must also change
   796  			// TestCloneFuncFields to ensure that the func field is
   797  			// cloned.
   798  		case "Certificates":
   799  			f.Set(reflect.ValueOf([]Certificate{
   800  				{Certificate: [][]byte{{'b'}}},
   801  			}))
   802  		case "NameToCertificate":
   803  			f.Set(reflect.ValueOf(map[string]*Certificate{"a": nil}))
   804  		case "RootCAs", "ClientCAs":
   805  			f.Set(reflect.ValueOf(x509.NewCertPool()))
   806  		case "ClientSessionCache":
   807  			f.Set(reflect.ValueOf(NewLRUClientSessionCache(10)))
   808  		case "KeyLogWriter":
   809  			f.Set(reflect.ValueOf(io.Writer(os.Stdout)))
   810  		case "NextProtos":
   811  			f.Set(reflect.ValueOf([]string{"a", "b"}))
   812  		case "ServerName":
   813  			f.Set(reflect.ValueOf("b"))
   814  		case "ClientAuth":
   815  			f.Set(reflect.ValueOf(VerifyClientCertIfGiven))
   816  		case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites":
   817  			f.Set(reflect.ValueOf(true))
   818  		case "MinVersion", "MaxVersion":
   819  			f.Set(reflect.ValueOf(uint16(VersionTLS12)))
   820  		case "SessionTicketKey":
   821  			f.Set(reflect.ValueOf([32]byte{}))
   822  		case "CipherSuites":
   823  			f.Set(reflect.ValueOf([]uint16{1, 2}))
   824  		case "CurvePreferences":
   825  			f.Set(reflect.ValueOf([]CurveID{CurveP256}))
   826  		case "Renegotiation":
   827  			f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
   828  		case "mutex", "autoSessionTicketKeys", "sessionTicketKeys":
   829  			continue // these are unexported fields that are handled separately
   830  		default:
   831  			t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
   832  		}
   833  	}
   834  	// Set the unexported fields related to session ticket keys, which are copied with Clone().
   835  	c1.autoSessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)}
   836  	c1.sessionTicketKeys = []ticketKey{c1.ticketKeyFromBytes(c1.SessionTicketKey)}
   837  
   838  	c2 := c1.Clone()
   839  	if !reflect.DeepEqual(&c1, c2) {
   840  		t.Errorf("clone failed to copy a field")
   841  	}
   842  }
   843  
   844  func TestCloneNilConfig(t *testing.T) {
   845  	var config *Config
   846  	if cc := config.Clone(); cc != nil {
   847  		t.Fatalf("Clone with nil should return nil, got: %+v", cc)
   848  	}
   849  }
   850  
   851  // changeImplConn is a net.Conn which can change its Write and Close
   852  // methods.
   853  type changeImplConn struct {
   854  	net.Conn
   855  	writeFunc func([]byte) (int, error)
   856  	closeFunc func() error
   857  }
   858  
   859  func (w *changeImplConn) Write(p []byte) (n int, err error) {
   860  	if w.writeFunc != nil {
   861  		return w.writeFunc(p)
   862  	}
   863  	return w.Conn.Write(p)
   864  }
   865  
   866  func (w *changeImplConn) Close() error {
   867  	if w.closeFunc != nil {
   868  		return w.closeFunc()
   869  	}
   870  	return w.Conn.Close()
   871  }
   872  
   873  func throughput(b *testing.B, version uint16, totalBytes int64, dynamicRecordSizingDisabled bool) {
   874  	ln := newLocalListener(b)
   875  	defer ln.Close()
   876  
   877  	N := b.N
   878  
   879  	// Less than 64KB because Windows appears to use a TCP rwin < 64KB.
   880  	// See Issue #15899.
   881  	const bufsize = 32 << 10
   882  
   883  	go func() {
   884  		buf := make([]byte, bufsize)
   885  		for i := 0; i < N; i++ {
   886  			sconn, err := ln.Accept()
   887  			if err != nil {
   888  				// panic rather than synchronize to avoid benchmark overhead
   889  				// (cannot call b.Fatal in goroutine)
   890  				panic(fmt.Errorf("accept: %v", err))
   891  			}
   892  			serverConfig := testConfig.Clone()
   893  			serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers
   894  			serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
   895  			srv := Server(sconn, serverConfig)
   896  			if err := srv.Handshake(); err != nil {
   897  				panic(fmt.Errorf("handshake: %v", err))
   898  			}
   899  			if _, err := io.CopyBuffer(srv, srv, buf); err != nil {
   900  				panic(fmt.Errorf("copy buffer: %v", err))
   901  			}
   902  		}
   903  	}()
   904  
   905  	b.SetBytes(totalBytes)
   906  	clientConfig := testConfig.Clone()
   907  	clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers
   908  	clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
   909  	clientConfig.MaxVersion = version
   910  
   911  	buf := make([]byte, bufsize)
   912  	chunks := int(math.Ceil(float64(totalBytes) / float64(len(buf))))
   913  	for i := 0; i < N; i++ {
   914  		conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
   915  		if err != nil {
   916  			b.Fatal(err)
   917  		}
   918  		for j := 0; j < chunks; j++ {
   919  			_, err := conn.Write(buf)
   920  			if err != nil {
   921  				b.Fatal(err)
   922  			}
   923  			_, err = io.ReadFull(conn, buf)
   924  			if err != nil {
   925  				b.Fatal(err)
   926  			}
   927  		}
   928  		conn.Close()
   929  	}
   930  }
   931  
   932  func BenchmarkThroughput(b *testing.B) {
   933  	for _, mode := range []string{"Max", "Dynamic"} {
   934  		for size := 1; size <= 64; size <<= 1 {
   935  			name := fmt.Sprintf("%sPacket/%dMB", mode, size)
   936  			b.Run(name, func(b *testing.B) {
   937  				b.Run("TLSv12", func(b *testing.B) {
   938  					throughput(b, VersionTLS12, int64(size<<20), mode == "Max")
   939  				})
   940  				b.Run("TLSv13", func(b *testing.B) {
   941  					throughput(b, VersionTLS13, int64(size<<20), mode == "Max")
   942  				})
   943  			})
   944  		}
   945  	}
   946  }
   947  
   948  type slowConn struct {
   949  	net.Conn
   950  	bps int
   951  }
   952  
   953  func (c *slowConn) Write(p []byte) (int, error) {
   954  	if c.bps == 0 {
   955  		panic("too slow")
   956  	}
   957  	t0 := time.Now()
   958  	wrote := 0
   959  	for wrote < len(p) {
   960  		time.Sleep(100 * time.Microsecond)
   961  		allowed := int(time.Since(t0).Seconds()*float64(c.bps)) / 8
   962  		if allowed > len(p) {
   963  			allowed = len(p)
   964  		}
   965  		if wrote < allowed {
   966  			n, err := c.Conn.Write(p[wrote:allowed])
   967  			wrote += n
   968  			if err != nil {
   969  				return wrote, err
   970  			}
   971  		}
   972  	}
   973  	return len(p), nil
   974  }
   975  
   976  func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled bool) {
   977  	ln := newLocalListener(b)
   978  	defer ln.Close()
   979  
   980  	N := b.N
   981  
   982  	go func() {
   983  		for i := 0; i < N; i++ {
   984  			sconn, err := ln.Accept()
   985  			if err != nil {
   986  				// panic rather than synchronize to avoid benchmark overhead
   987  				// (cannot call b.Fatal in goroutine)
   988  				panic(fmt.Errorf("accept: %v", err))
   989  			}
   990  			serverConfig := testConfig.Clone()
   991  			serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
   992  			srv := Server(&slowConn{sconn, bps}, serverConfig)
   993  			if err := srv.Handshake(); err != nil {
   994  				panic(fmt.Errorf("handshake: %v", err))
   995  			}
   996  			io.Copy(srv, srv)
   997  		}
   998  	}()
   999  
  1000  	clientConfig := testConfig.Clone()
  1001  	clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
  1002  	clientConfig.MaxVersion = version
  1003  
  1004  	buf := make([]byte, 16384)
  1005  	peek := make([]byte, 1)
  1006  
  1007  	for i := 0; i < N; i++ {
  1008  		conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
  1009  		if err != nil {
  1010  			b.Fatal(err)
  1011  		}
  1012  		// make sure we're connected and previous connection has stopped
  1013  		if _, err := conn.Write(buf[:1]); err != nil {
  1014  			b.Fatal(err)
  1015  		}
  1016  		if _, err := io.ReadFull(conn, peek); err != nil {
  1017  			b.Fatal(err)
  1018  		}
  1019  		if _, err := conn.Write(buf); err != nil {
  1020  			b.Fatal(err)
  1021  		}
  1022  		if _, err = io.ReadFull(conn, peek); err != nil {
  1023  			b.Fatal(err)
  1024  		}
  1025  		conn.Close()
  1026  	}
  1027  }
  1028  
  1029  func BenchmarkLatency(b *testing.B) {
  1030  	for _, mode := range []string{"Max", "Dynamic"} {
  1031  		for _, kbps := range []int{200, 500, 1000, 2000, 5000} {
  1032  			name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps)
  1033  			b.Run(name, func(b *testing.B) {
  1034  				b.Run("TLSv12", func(b *testing.B) {
  1035  					latency(b, VersionTLS12, kbps*1000, mode == "Max")
  1036  				})
  1037  				b.Run("TLSv13", func(b *testing.B) {
  1038  					latency(b, VersionTLS13, kbps*1000, mode == "Max")
  1039  				})
  1040  			})
  1041  		}
  1042  	}
  1043  }
  1044  
  1045  func TestConnectionStateMarshal(t *testing.T) {
  1046  	cs := &ConnectionState{}
  1047  	_, err := json.Marshal(cs)
  1048  	if err != nil {
  1049  		t.Errorf("json.Marshal failed on ConnectionState: %v", err)
  1050  	}
  1051  }
  1052  
  1053  func TestConnectionState(t *testing.T) {
  1054  	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
  1055  	if err != nil {
  1056  		panic(err)
  1057  	}
  1058  	rootCAs := x509.NewCertPool()
  1059  	rootCAs.AddCert(issuer)
  1060  
  1061  	now := func() time.Time { return time.Unix(1476984729, 0) }
  1062  
  1063  	const alpnProtocol = "golang"
  1064  	const serverName = "example.golang"
  1065  	var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
  1066  	var ocsp = []byte("dummy ocsp")
  1067  
  1068  	for _, v := range []uint16{VersionTLS12, VersionTLS13} {
  1069  		var name string
  1070  		switch v {
  1071  		case VersionTLS12:
  1072  			name = "TLSv12"
  1073  		case VersionTLS13:
  1074  			name = "TLSv13"
  1075  		}
  1076  		t.Run(name, func(t *testing.T) {
  1077  			config := &Config{
  1078  				Time:         now,
  1079  				Rand:         zeroSource{},
  1080  				Certificates: make([]Certificate, 1),
  1081  				MaxVersion:   v,
  1082  				RootCAs:      rootCAs,
  1083  				ClientCAs:    rootCAs,
  1084  				ClientAuth:   RequireAndVerifyClientCert,
  1085  				NextProtos:   []string{alpnProtocol},
  1086  				ServerName:   serverName,
  1087  			}
  1088  			config.Certificates[0].Certificate = [][]byte{testRSACertificate}
  1089  			config.Certificates[0].PrivateKey = testRSAPrivateKey
  1090  			config.Certificates[0].SignedCertificateTimestamps = scts
  1091  			config.Certificates[0].OCSPStaple = ocsp
  1092  
  1093  			ss, cs, err := testHandshake(t, config, config)
  1094  			if err != nil {
  1095  				t.Fatalf("Handshake failed: %v", err)
  1096  			}
  1097  
  1098  			if ss.Version != v || cs.Version != v {
  1099  				t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v)
  1100  			}
  1101  
  1102  			if !ss.HandshakeComplete || !cs.HandshakeComplete {
  1103  				t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete)
  1104  			}
  1105  
  1106  			if ss.DidResume || cs.DidResume {
  1107  				t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume)
  1108  			}
  1109  
  1110  			if ss.CipherSuite == 0 || cs.CipherSuite == 0 {
  1111  				t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite)
  1112  			}
  1113  
  1114  			if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol {
  1115  				t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol)
  1116  			}
  1117  
  1118  			if !cs.NegotiatedProtocolIsMutual {
  1119  				t.Errorf("Got false NegotiatedProtocolIsMutual on the client side")
  1120  			}
  1121  			// NegotiatedProtocolIsMutual on the server side is unspecified.
  1122  
  1123  			if ss.ServerName != serverName {
  1124  				t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName)
  1125  			}
  1126  			if cs.ServerName != serverName {
  1127  				t.Errorf("Got server name on client connection %q, expected %q", cs.ServerName, serverName)
  1128  			}
  1129  
  1130  			if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 {
  1131  				t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1)
  1132  			}
  1133  
  1134  			if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 {
  1135  				t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1)
  1136  			} else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 {
  1137  				t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2)
  1138  			}
  1139  
  1140  			if len(cs.SignedCertificateTimestamps) != 2 {
  1141  				t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2)
  1142  			}
  1143  			if !bytes.Equal(cs.OCSPResponse, ocsp) {
  1144  				t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp)
  1145  			}
  1146  			// Only TLS 1.3 supports OCSP and SCTs on client certs.
  1147  			if v == VersionTLS13 {
  1148  				if len(ss.SignedCertificateTimestamps) != 2 {
  1149  					t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2)
  1150  				}
  1151  				if !bytes.Equal(ss.OCSPResponse, ocsp) {
  1152  					t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp)
  1153  				}
  1154  			}
  1155  
  1156  			if v == VersionTLS13 {
  1157  				if ss.TLSUnique != nil || cs.TLSUnique != nil {
  1158  					t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique)
  1159  				}
  1160  			} else {
  1161  				if ss.TLSUnique == nil || cs.TLSUnique == nil {
  1162  					t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique)
  1163  				}
  1164  			}
  1165  		})
  1166  	}
  1167  }
  1168  
  1169  // Issue 28744: Ensure that we don't modify memory
  1170  // that Config doesn't own such as Certificates.
  1171  func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {
  1172  	c0 := Certificate{
  1173  		Certificate: [][]byte{testRSACertificate},
  1174  		PrivateKey:  testRSAPrivateKey,
  1175  	}
  1176  	c1 := Certificate{
  1177  		Certificate: [][]byte{testSNICertificate},
  1178  		PrivateKey:  testRSAPrivateKey,
  1179  	}
  1180  	config := testConfig.Clone()
  1181  	config.Certificates = []Certificate{c0, c1}
  1182  
  1183  	config.BuildNameToCertificate()
  1184  	got := config.Certificates
  1185  	want := []Certificate{c0, c1}
  1186  	if !reflect.DeepEqual(got, want) {
  1187  		t.Fatalf("Certificates were mutated by BuildNameToCertificate\nGot: %#v\nWant: %#v\n", got, want)
  1188  	}
  1189  }
  1190  
  1191  func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
  1192  
  1193  func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
  1194  	rsaCert := &Certificate{
  1195  		Certificate: [][]byte{testRSACertificate},
  1196  		PrivateKey:  testRSAPrivateKey,
  1197  	}
  1198  	pkcs1Cert := &Certificate{
  1199  		Certificate:                  [][]byte{testRSACertificate},
  1200  		PrivateKey:                   testRSAPrivateKey,
  1201  		SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256},
  1202  	}
  1203  	ecdsaCert := &Certificate{
  1204  		// ECDSA P-256 certificate
  1205  		Certificate: [][]byte{testP256Certificate},
  1206  		PrivateKey:  testP256PrivateKey,
  1207  	}
  1208  	ed25519Cert := &Certificate{
  1209  		Certificate: [][]byte{testEd25519Certificate},
  1210  		PrivateKey:  testEd25519PrivateKey,
  1211  	}
  1212  
  1213  	tests := []struct {
  1214  		c       *Certificate
  1215  		chi     *ClientHelloInfo
  1216  		wantErr string
  1217  	}{
  1218  		{rsaCert, &ClientHelloInfo{
  1219  			ServerName:        "example.golang",
  1220  			SignatureSchemes:  []SignatureScheme{PSSWithSHA256},
  1221  			SupportedVersions: []uint16{VersionTLS13},
  1222  		}, ""},
  1223  		{ecdsaCert, &ClientHelloInfo{
  1224  			SignatureSchemes:  []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256},
  1225  			SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
  1226  		}, ""},
  1227  		{rsaCert, &ClientHelloInfo{
  1228  			ServerName:        "example.com",
  1229  			SignatureSchemes:  []SignatureScheme{PSSWithSHA256},
  1230  			SupportedVersions: []uint16{VersionTLS13},
  1231  		}, "not valid for requested server name"},
  1232  		{ecdsaCert, &ClientHelloInfo{
  1233  			SignatureSchemes:  []SignatureScheme{ECDSAWithP384AndSHA384},
  1234  			SupportedVersions: []uint16{VersionTLS13},
  1235  		}, "signature algorithms"},
  1236  		{pkcs1Cert, &ClientHelloInfo{
  1237  			SignatureSchemes:  []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256},
  1238  			SupportedVersions: []uint16{VersionTLS13},
  1239  		}, "signature algorithms"},
  1240  
  1241  		{rsaCert, &ClientHelloInfo{
  1242  			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
  1243  			SignatureSchemes:  []SignatureScheme{PKCS1WithSHA1},
  1244  			SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
  1245  		}, "signature algorithms"},
  1246  		{rsaCert, &ClientHelloInfo{
  1247  			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
  1248  			SignatureSchemes:  []SignatureScheme{PKCS1WithSHA1},
  1249  			SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
  1250  			config: &Config{
  1251  				MaxVersion: VersionTLS12,
  1252  			},
  1253  		}, ""}, // Check that mutual version selection works.
  1254  
  1255  		{ecdsaCert, &ClientHelloInfo{
  1256  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1257  			SupportedCurves:   []CurveID{CurveP256},
  1258  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1259  			SignatureSchemes:  []SignatureScheme{ECDSAWithP256AndSHA256},
  1260  			SupportedVersions: []uint16{VersionTLS12},
  1261  		}, ""},
  1262  		{ecdsaCert, &ClientHelloInfo{
  1263  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1264  			SupportedCurves:   []CurveID{CurveP256},
  1265  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1266  			SignatureSchemes:  []SignatureScheme{ECDSAWithP384AndSHA384},
  1267  			SupportedVersions: []uint16{VersionTLS12},
  1268  		}, ""}, // TLS 1.2 does not restrict curves based on the SignatureScheme.
  1269  		{ecdsaCert, &ClientHelloInfo{
  1270  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1271  			SupportedCurves:   []CurveID{CurveP256},
  1272  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1273  			SignatureSchemes:  nil,
  1274  			SupportedVersions: []uint16{VersionTLS12},
  1275  		}, ""}, // TLS 1.2 comes with default signature schemes.
  1276  		{ecdsaCert, &ClientHelloInfo{
  1277  			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
  1278  			SupportedCurves:   []CurveID{CurveP256},
  1279  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1280  			SignatureSchemes:  []SignatureScheme{ECDSAWithP256AndSHA256},
  1281  			SupportedVersions: []uint16{VersionTLS12},
  1282  		}, "cipher suite"},
  1283  		{ecdsaCert, &ClientHelloInfo{
  1284  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1285  			SupportedCurves:   []CurveID{CurveP256},
  1286  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1287  			SignatureSchemes:  []SignatureScheme{ECDSAWithP256AndSHA256},
  1288  			SupportedVersions: []uint16{VersionTLS12},
  1289  			config: &Config{
  1290  				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
  1291  			},
  1292  		}, "cipher suite"},
  1293  		{ecdsaCert, &ClientHelloInfo{
  1294  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1295  			SupportedCurves:   []CurveID{CurveP384},
  1296  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1297  			SignatureSchemes:  []SignatureScheme{ECDSAWithP256AndSHA256},
  1298  			SupportedVersions: []uint16{VersionTLS12},
  1299  		}, "certificate curve"},
  1300  		{ecdsaCert, &ClientHelloInfo{
  1301  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1302  			SupportedCurves:   []CurveID{CurveP256},
  1303  			SupportedPoints:   []uint8{1},
  1304  			SignatureSchemes:  []SignatureScheme{ECDSAWithP256AndSHA256},
  1305  			SupportedVersions: []uint16{VersionTLS12},
  1306  		}, "doesn't support ECDHE"},
  1307  		{ecdsaCert, &ClientHelloInfo{
  1308  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1309  			SupportedCurves:   []CurveID{CurveP256},
  1310  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1311  			SignatureSchemes:  []SignatureScheme{PSSWithSHA256},
  1312  			SupportedVersions: []uint16{VersionTLS12},
  1313  		}, "signature algorithms"},
  1314  
  1315  		{ed25519Cert, &ClientHelloInfo{
  1316  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1317  			SupportedCurves:   []CurveID{CurveP256}, // only relevant for ECDHE support
  1318  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1319  			SignatureSchemes:  []SignatureScheme{Ed25519},
  1320  			SupportedVersions: []uint16{VersionTLS12},
  1321  		}, ""},
  1322  		{ed25519Cert, &ClientHelloInfo{
  1323  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1324  			SupportedCurves:   []CurveID{CurveP256}, // only relevant for ECDHE support
  1325  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1326  			SignatureSchemes:  []SignatureScheme{Ed25519},
  1327  			SupportedVersions: []uint16{VersionTLS10},
  1328  		}, "doesn't support Ed25519"},
  1329  		{ed25519Cert, &ClientHelloInfo{
  1330  			CipherSuites:      []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
  1331  			SupportedCurves:   []CurveID{},
  1332  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1333  			SignatureSchemes:  []SignatureScheme{Ed25519},
  1334  			SupportedVersions: []uint16{VersionTLS12},
  1335  		}, "doesn't support ECDHE"},
  1336  
  1337  		{rsaCert, &ClientHelloInfo{
  1338  			CipherSuites:      []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
  1339  			SupportedCurves:   []CurveID{CurveP256}, // only relevant for ECDHE support
  1340  			SupportedPoints:   []uint8{pointFormatUncompressed},
  1341  			SupportedVersions: []uint16{VersionTLS10},
  1342  		}, ""},
  1343  		{rsaCert, &ClientHelloInfo{
  1344  			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
  1345  			SupportedVersions: []uint16{VersionTLS12},
  1346  		}, ""}, // static RSA fallback
  1347  	}
  1348  	for i, tt := range tests {
  1349  		err := tt.chi.SupportsCertificate(tt.c)
  1350  		switch {
  1351  		case tt.wantErr == "" && err != nil:
  1352  			t.Errorf("%d: unexpected error: %v", i, err)
  1353  		case tt.wantErr != "" && err == nil:
  1354  			t.Errorf("%d: unexpected success", i)
  1355  		case tt.wantErr != "" && !strings.Contains(err.Error(), tt.wantErr):
  1356  			t.Errorf("%d: got error %q, expected %q", i, err, tt.wantErr)
  1357  		}
  1358  	}
  1359  }
  1360  
  1361  func TestCipherSuites(t *testing.T) {
  1362  	var lastID uint16
  1363  	for _, c := range CipherSuites() {
  1364  		if lastID > c.ID {
  1365  			t.Errorf("CipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID)
  1366  		} else {
  1367  			lastID = c.ID
  1368  		}
  1369  
  1370  		if c.Insecure {
  1371  			t.Errorf("%#04x: Insecure CipherSuite returned by CipherSuites()", c.ID)
  1372  		}
  1373  	}
  1374  	lastID = 0
  1375  	for _, c := range InsecureCipherSuites() {
  1376  		if lastID > c.ID {
  1377  			t.Errorf("InsecureCipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID)
  1378  		} else {
  1379  			lastID = c.ID
  1380  		}
  1381  
  1382  		if !c.Insecure {
  1383  			t.Errorf("%#04x: not Insecure CipherSuite returned by InsecureCipherSuites()", c.ID)
  1384  		}
  1385  	}
  1386  
  1387  	CipherSuiteByID := func(id uint16) *CipherSuite {
  1388  		for _, c := range CipherSuites() {
  1389  			if c.ID == id {
  1390  				return c
  1391  			}
  1392  		}
  1393  		for _, c := range InsecureCipherSuites() {
  1394  			if c.ID == id {
  1395  				return c
  1396  			}
  1397  		}
  1398  		return nil
  1399  	}
  1400  
  1401  	for _, c := range cipherSuites {
  1402  		cc := CipherSuiteByID(c.id)
  1403  		if cc == nil {
  1404  			t.Errorf("%#04x: no CipherSuite entry", c.id)
  1405  			continue
  1406  		}
  1407  
  1408  		if tls12Only := c.flags&suiteTLS12 != 0; tls12Only && len(cc.SupportedVersions) != 1 {
  1409  			t.Errorf("%#04x: suite is TLS 1.2 only, but SupportedVersions is %v", c.id, cc.SupportedVersions)
  1410  		} else if !tls12Only && len(cc.SupportedVersions) != 3 {
  1411  			t.Errorf("%#04x: suite TLS 1.0-1.2, but SupportedVersions is %v", c.id, cc.SupportedVersions)
  1412  		}
  1413  
  1414  		if got := CipherSuiteName(c.id); got != cc.Name {
  1415  			t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name)
  1416  		}
  1417  	}
  1418  	for _, c := range cipherSuitesTLS13 {
  1419  		cc := CipherSuiteByID(c.id)
  1420  		if cc == nil {
  1421  			t.Errorf("%#04x: no CipherSuite entry", c.id)
  1422  			continue
  1423  		}
  1424  
  1425  		if cc.Insecure {
  1426  			t.Errorf("%#04x: Insecure %v, expected false", c.id, cc.Insecure)
  1427  		}
  1428  		if len(cc.SupportedVersions) != 1 || cc.SupportedVersions[0] != VersionTLS13 {
  1429  			t.Errorf("%#04x: suite is TLS 1.3 only, but SupportedVersions is %v", c.id, cc.SupportedVersions)
  1430  		}
  1431  
  1432  		if got := CipherSuiteName(c.id); got != cc.Name {
  1433  			t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name)
  1434  		}
  1435  	}
  1436  
  1437  	if got := CipherSuiteName(0xabc); got != "0x0ABC" {
  1438  		t.Errorf("unexpected fallback CipherSuiteName: got %q, expected 0x0ABC", got)
  1439  	}
  1440  
  1441  	if len(cipherSuitesPreferenceOrder) != len(cipherSuites) {
  1442  		t.Errorf("cipherSuitesPreferenceOrder is not the same size as cipherSuites")
  1443  	}
  1444  	if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) {
  1445  		t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder")
  1446  	}
  1447  
  1448  	// Check that disabled suites are at the end of the preference lists, and
  1449  	// that they are marked insecure.
  1450  	for i, id := range disabledCipherSuites {
  1451  		offset := len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
  1452  		if cipherSuitesPreferenceOrder[offset+i] != id {
  1453  			t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrder", i)
  1454  		}
  1455  		if cipherSuitesPreferenceOrderNoAES[offset+i] != id {
  1456  			t.Errorf("disabledCipherSuites[%d]: not at the end of cipherSuitesPreferenceOrderNoAES", i)
  1457  		}
  1458  		c := CipherSuiteByID(id)
  1459  		if c == nil {
  1460  			t.Errorf("%#04x: no CipherSuite entry", id)
  1461  			continue
  1462  		}
  1463  		if !c.Insecure {
  1464  			t.Errorf("%#04x: disabled by default but not marked insecure", id)
  1465  		}
  1466  	}
  1467  
  1468  	for i, prefOrder := range [][]uint16{cipherSuitesPreferenceOrder, cipherSuitesPreferenceOrderNoAES} {
  1469  		// Check that insecure and HTTP/2 bad cipher suites are at the end of
  1470  		// the preference lists.
  1471  		var sawInsecure, sawBad bool
  1472  		for _, id := range prefOrder {
  1473  			c := CipherSuiteByID(id)
  1474  			if c == nil {
  1475  				t.Errorf("%#04x: no CipherSuite entry", id)
  1476  				continue
  1477  			}
  1478  
  1479  			if c.Insecure {
  1480  				sawInsecure = true
  1481  			} else if sawInsecure {
  1482  				t.Errorf("%#04x: secure suite after insecure one(s)", id)
  1483  			}
  1484  
  1485  			if http2isBadCipher(id) {
  1486  				sawBad = true
  1487  			} else if sawBad {
  1488  				t.Errorf("%#04x: non-bad suite after bad HTTP/2 one(s)", id)
  1489  			}
  1490  		}
  1491  
  1492  		// Check that the list is sorted according to the documented criteria.
  1493  		isBetter := func(a, b int) bool {
  1494  			aSuite, bSuite := cipherSuiteByID(prefOrder[a]), cipherSuiteByID(prefOrder[b])
  1495  			aName, bName := CipherSuiteName(prefOrder[a]), CipherSuiteName(prefOrder[b])
  1496  			// * < RC4
  1497  			if !strings.Contains(aName, "RC4") && strings.Contains(bName, "RC4") {
  1498  				return true
  1499  			} else if strings.Contains(aName, "RC4") && !strings.Contains(bName, "RC4") {
  1500  				return false
  1501  			}
  1502  			// * < CBC_SHA256
  1503  			if !strings.Contains(aName, "CBC_SHA256") && strings.Contains(bName, "CBC_SHA256") {
  1504  				return true
  1505  			} else if strings.Contains(aName, "CBC_SHA256") && !strings.Contains(bName, "CBC_SHA256") {
  1506  				return false
  1507  			}
  1508  			// * < 3DES
  1509  			if !strings.Contains(aName, "3DES") && strings.Contains(bName, "3DES") {
  1510  				return true
  1511  			} else if strings.Contains(aName, "3DES") && !strings.Contains(bName, "3DES") {
  1512  				return false
  1513  			}
  1514  			// ECDHE < *
  1515  			if aSuite.flags&suiteECDHE != 0 && bSuite.flags&suiteECDHE == 0 {
  1516  				return true
  1517  			} else if aSuite.flags&suiteECDHE == 0 && bSuite.flags&suiteECDHE != 0 {
  1518  				return false
  1519  			}
  1520  			// AEAD < CBC
  1521  			if aSuite.aead != nil && bSuite.aead == nil {
  1522  				return true
  1523  			} else if aSuite.aead == nil && bSuite.aead != nil {
  1524  				return false
  1525  			}
  1526  			// AES < ChaCha20
  1527  			if strings.Contains(aName, "AES") && strings.Contains(bName, "CHACHA20") {
  1528  				return i == 0 // true for cipherSuitesPreferenceOrder
  1529  			} else if strings.Contains(aName, "CHACHA20") && strings.Contains(bName, "AES") {
  1530  				return i != 0 // true for cipherSuitesPreferenceOrderNoAES
  1531  			}
  1532  			// AES-128 < AES-256
  1533  			if strings.Contains(aName, "AES_128") && strings.Contains(bName, "AES_256") {
  1534  				return true
  1535  			} else if strings.Contains(aName, "AES_256") && strings.Contains(bName, "AES_128") {
  1536  				return false
  1537  			}
  1538  			// ECDSA < RSA
  1539  			if aSuite.flags&suiteECSign != 0 && bSuite.flags&suiteECSign == 0 {
  1540  				return true
  1541  			} else if aSuite.flags&suiteECSign == 0 && bSuite.flags&suiteECSign != 0 {
  1542  				return false
  1543  			}
  1544  			t.Fatalf("two ciphersuites are equal by all criteria: %v and %v", aName, bName)
  1545  			panic("unreachable")
  1546  		}
  1547  		if !sort.SliceIsSorted(prefOrder, isBetter) {
  1548  			t.Error("preference order is not sorted according to the rules")
  1549  		}
  1550  	}
  1551  }
  1552  
  1553  // http2isBadCipher is copied from net/http.
  1554  // TODO: if it ends up exposed somewhere, use that instead.
  1555  func http2isBadCipher(cipher uint16) bool {
  1556  	switch cipher {
  1557  	case TLS_RSA_WITH_RC4_128_SHA,
  1558  		TLS_RSA_WITH_3DES_EDE_CBC_SHA,
  1559  		TLS_RSA_WITH_AES_128_CBC_SHA,
  1560  		TLS_RSA_WITH_AES_256_CBC_SHA,
  1561  		TLS_RSA_WITH_AES_128_CBC_SHA256,
  1562  		TLS_RSA_WITH_AES_128_GCM_SHA256,
  1563  		TLS_RSA_WITH_AES_256_GCM_SHA384,
  1564  		TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
  1565  		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  1566  		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  1567  		TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  1568  		TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  1569  		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  1570  		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  1571  		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  1572  		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
  1573  		return true
  1574  	default:
  1575  		return false
  1576  	}
  1577  }
  1578  
  1579  type brokenSigner struct{ crypto.Signer }
  1580  
  1581  func (s brokenSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
  1582  	// Replace opts with opts.HashFunc(), so rsa.PSSOptions are discarded.
  1583  	return s.Signer.Sign(rand, digest, opts.HashFunc())
  1584  }
  1585  
  1586  // TestPKCS1OnlyCert uses a client certificate with a broken crypto.Signer that
  1587  // always makes PKCS #1 v1.5 signatures, so can't be used with RSA-PSS.
  1588  func TestPKCS1OnlyCert(t *testing.T) {
  1589  	clientConfig := testConfig.Clone()
  1590  	clientConfig.Certificates = []Certificate{{
  1591  		Certificate: [][]byte{testRSACertificate},
  1592  		PrivateKey:  brokenSigner{testRSAPrivateKey},
  1593  	}}
  1594  	serverConfig := testConfig.Clone()
  1595  	serverConfig.MaxVersion = VersionTLS12 // TLS 1.3 doesn't support PKCS #1 v1.5
  1596  	serverConfig.ClientAuth = RequireAnyClientCert
  1597  
  1598  	// If RSA-PSS is selected, the handshake should fail.
  1599  	if _, _, err := testHandshake(t, clientConfig, serverConfig); err == nil {
  1600  		t.Fatal("expected broken certificate to cause connection to fail")
  1601  	}
  1602  
  1603  	clientConfig.Certificates[0].SupportedSignatureAlgorithms =
  1604  		[]SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}
  1605  
  1606  	// But if the certificate restricts supported algorithms, RSA-PSS should not
  1607  	// be selected, and the handshake should succeed.
  1608  	if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
  1609  		t.Error(err)
  1610  	}
  1611  }
  1612  

View as plain text