Black Lives Matter. Support the Equal Justice Initiative.

Source file src/crypto/tls/handshake_server_test.go

Documentation: crypto/tls

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"crypto"
    11  	"crypto/elliptic"
    12  	"crypto/x509"
    13  	"encoding/pem"
    14  	"errors"
    15  	"fmt"
    16  	"io"
    17  	"net"
    18  	"os"
    19  	"os/exec"
    20  	"path/filepath"
    21  	"runtime"
    22  	"strings"
    23  	"testing"
    24  	"time"
    25  
    26  	"golang.org/x/crypto/curve25519"
    27  )
    28  
    29  func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
    30  	testClientHelloFailure(t, serverConfig, m, "")
    31  }
    32  
    33  func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
    34  	c, s := localPipe(t)
    35  	go func() {
    36  		cli := Client(c, testConfig)
    37  		if ch, ok := m.(*clientHelloMsg); ok {
    38  			cli.vers = ch.vers
    39  		}
    40  		cli.writeRecord(recordTypeHandshake, m.marshal())
    41  		c.Close()
    42  	}()
    43  	ctx := context.Background()
    44  	conn := Server(s, serverConfig)
    45  	ch, err := conn.readClientHello(ctx)
    46  	hs := serverHandshakeState{
    47  		c:           conn,
    48  		ctx:         ctx,
    49  		clientHello: ch,
    50  	}
    51  	if err == nil {
    52  		err = hs.processClientHello()
    53  	}
    54  	if err == nil {
    55  		err = hs.pickCipherSuite()
    56  	}
    57  	s.Close()
    58  	if len(expectedSubStr) == 0 {
    59  		if err != nil && err != io.EOF {
    60  			t.Errorf("Got error: %s; expected to succeed", err)
    61  		}
    62  	} else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
    63  		t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
    64  	}
    65  }
    66  
    67  func TestSimpleError(t *testing.T) {
    68  	testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
    69  }
    70  
    71  var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}
    72  
    73  func TestRejectBadProtocolVersion(t *testing.T) {
    74  	config := testConfig.Clone()
    75  	config.MinVersion = VersionSSL30
    76  	for _, v := range badProtocolVersions {
    77  		testClientHelloFailure(t, config, &clientHelloMsg{
    78  			vers:   v,
    79  			random: make([]byte, 32),
    80  		}, "unsupported versions")
    81  	}
    82  	testClientHelloFailure(t, config, &clientHelloMsg{
    83  		vers:              VersionTLS12,
    84  		supportedVersions: badProtocolVersions,
    85  		random:            make([]byte, 32),
    86  	}, "unsupported versions")
    87  }
    88  
    89  func TestNoSuiteOverlap(t *testing.T) {
    90  	clientHello := &clientHelloMsg{
    91  		vers:               VersionTLS10,
    92  		random:             make([]byte, 32),
    93  		cipherSuites:       []uint16{0xff00},
    94  		compressionMethods: []uint8{compressionNone},
    95  	}
    96  	testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
    97  }
    98  
    99  func TestNoCompressionOverlap(t *testing.T) {
   100  	clientHello := &clientHelloMsg{
   101  		vers:               VersionTLS10,
   102  		random:             make([]byte, 32),
   103  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
   104  		compressionMethods: []uint8{0xff},
   105  	}
   106  	testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
   107  }
   108  
   109  func TestNoRC4ByDefault(t *testing.T) {
   110  	clientHello := &clientHelloMsg{
   111  		vers:               VersionTLS10,
   112  		random:             make([]byte, 32),
   113  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
   114  		compressionMethods: []uint8{compressionNone},
   115  	}
   116  	serverConfig := testConfig.Clone()
   117  	// Reset the enabled cipher suites to nil in order to test the
   118  	// defaults.
   119  	serverConfig.CipherSuites = nil
   120  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   121  }
   122  
   123  func TestRejectSNIWithTrailingDot(t *testing.T) {
   124  	testClientHelloFailure(t, testConfig, &clientHelloMsg{
   125  		vers:       VersionTLS12,
   126  		random:     make([]byte, 32),
   127  		serverName: "foo.com.",
   128  	}, "unexpected message")
   129  }
   130  
   131  func TestDontSelectECDSAWithRSAKey(t *testing.T) {
   132  	// Test that, even when both sides support an ECDSA cipher suite, it
   133  	// won't be selected if the server's private key doesn't support it.
   134  	clientHello := &clientHelloMsg{
   135  		vers:               VersionTLS10,
   136  		random:             make([]byte, 32),
   137  		cipherSuites:       []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
   138  		compressionMethods: []uint8{compressionNone},
   139  		supportedCurves:    []CurveID{CurveP256},
   140  		supportedPoints:    []uint8{pointFormatUncompressed},
   141  	}
   142  	serverConfig := testConfig.Clone()
   143  	serverConfig.CipherSuites = clientHello.cipherSuites
   144  	serverConfig.Certificates = make([]Certificate, 1)
   145  	serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   146  	serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   147  	serverConfig.BuildNameToCertificate()
   148  	// First test that it *does* work when the server's key is ECDSA.
   149  	testClientHello(t, serverConfig, clientHello)
   150  
   151  	// Now test that switching to an RSA key causes the expected error (and
   152  	// not an internal error about a signing failure).
   153  	serverConfig.Certificates = testConfig.Certificates
   154  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   155  }
   156  
   157  func TestDontSelectRSAWithECDSAKey(t *testing.T) {
   158  	// Test that, even when both sides support an RSA cipher suite, it
   159  	// won't be selected if the server's private key doesn't support it.
   160  	clientHello := &clientHelloMsg{
   161  		vers:               VersionTLS10,
   162  		random:             make([]byte, 32),
   163  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
   164  		compressionMethods: []uint8{compressionNone},
   165  		supportedCurves:    []CurveID{CurveP256},
   166  		supportedPoints:    []uint8{pointFormatUncompressed},
   167  	}
   168  	serverConfig := testConfig.Clone()
   169  	serverConfig.CipherSuites = clientHello.cipherSuites
   170  	// First test that it *does* work when the server's key is RSA.
   171  	testClientHello(t, serverConfig, clientHello)
   172  
   173  	// Now test that switching to an ECDSA key causes the expected error
   174  	// (and not an internal error about a signing failure).
   175  	serverConfig.Certificates = make([]Certificate, 1)
   176  	serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   177  	serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   178  	serverConfig.BuildNameToCertificate()
   179  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   180  }
   181  
   182  func TestRenegotiationExtension(t *testing.T) {
   183  	clientHello := &clientHelloMsg{
   184  		vers:                         VersionTLS12,
   185  		compressionMethods:           []uint8{compressionNone},
   186  		random:                       make([]byte, 32),
   187  		secureRenegotiationSupported: true,
   188  		cipherSuites:                 []uint16{TLS_RSA_WITH_RC4_128_SHA},
   189  	}
   190  
   191  	bufChan := make(chan []byte, 1)
   192  	c, s := localPipe(t)
   193  
   194  	go func() {
   195  		cli := Client(c, testConfig)
   196  		cli.vers = clientHello.vers
   197  		cli.writeRecord(recordTypeHandshake, clientHello.marshal())
   198  
   199  		buf := make([]byte, 1024)
   200  		n, err := c.Read(buf)
   201  		if err != nil {
   202  			t.Errorf("Server read returned error: %s", err)
   203  			return
   204  		}
   205  		c.Close()
   206  		bufChan <- buf[:n]
   207  	}()
   208  
   209  	Server(s, testConfig).Handshake()
   210  	buf := <-bufChan
   211  
   212  	if len(buf) < 5+4 {
   213  		t.Fatalf("Server returned short message of length %d", len(buf))
   214  	}
   215  	// buf contains a TLS record, with a 5 byte record header and a 4 byte
   216  	// handshake header. The length of the ServerHello is taken from the
   217  	// handshake header.
   218  	serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8])
   219  
   220  	var serverHello serverHelloMsg
   221  	// unmarshal expects to be given the handshake header, but
   222  	// serverHelloLen doesn't include it.
   223  	if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) {
   224  		t.Fatalf("Failed to parse ServerHello")
   225  	}
   226  
   227  	if !serverHello.secureRenegotiationSupported {
   228  		t.Errorf("Secure renegotiation extension was not echoed.")
   229  	}
   230  }
   231  
   232  func TestTLS12OnlyCipherSuites(t *testing.T) {
   233  	// Test that a Server doesn't select a TLS 1.2-only cipher suite when
   234  	// the client negotiates TLS 1.1.
   235  	clientHello := &clientHelloMsg{
   236  		vers:   VersionTLS11,
   237  		random: make([]byte, 32),
   238  		cipherSuites: []uint16{
   239  			// The Server, by default, will use the client's
   240  			// preference order. So the GCM cipher suite
   241  			// will be selected unless it's excluded because
   242  			// of the version in this ClientHello.
   243  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   244  			TLS_RSA_WITH_RC4_128_SHA,
   245  		},
   246  		compressionMethods: []uint8{compressionNone},
   247  		supportedCurves:    []CurveID{CurveP256, CurveP384, CurveP521},
   248  		supportedPoints:    []uint8{pointFormatUncompressed},
   249  	}
   250  
   251  	c, s := localPipe(t)
   252  	replyChan := make(chan interface{})
   253  	go func() {
   254  		cli := Client(c, testConfig)
   255  		cli.vers = clientHello.vers
   256  		cli.writeRecord(recordTypeHandshake, clientHello.marshal())
   257  		reply, err := cli.readHandshake()
   258  		c.Close()
   259  		if err != nil {
   260  			replyChan <- err
   261  		} else {
   262  			replyChan <- reply
   263  		}
   264  	}()
   265  	config := testConfig.Clone()
   266  	config.CipherSuites = clientHello.cipherSuites
   267  	Server(s, config).Handshake()
   268  	s.Close()
   269  	reply := <-replyChan
   270  	if err, ok := reply.(error); ok {
   271  		t.Fatal(err)
   272  	}
   273  	serverHello, ok := reply.(*serverHelloMsg)
   274  	if !ok {
   275  		t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
   276  	}
   277  	if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
   278  		t.Fatalf("bad cipher suite from server: %x", s)
   279  	}
   280  }
   281  
   282  func TestTLSPointFormats(t *testing.T) {
   283  	// Test that a Server returns the ec_point_format extension when ECC is
   284  	// negotiated, and not returned on RSA handshake.
   285  	tests := []struct {
   286  		name                string
   287  		cipherSuites        []uint16
   288  		supportedCurves     []CurveID
   289  		supportedPoints     []uint8
   290  		wantSupportedPoints bool
   291  	}{
   292  		{"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{compressionNone}, true},
   293  		{"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
   294  	}
   295  	for _, tt := range tests {
   296  		t.Run(tt.name, func(t *testing.T) {
   297  			clientHello := &clientHelloMsg{
   298  				vers:               VersionTLS12,
   299  				random:             make([]byte, 32),
   300  				cipherSuites:       tt.cipherSuites,
   301  				compressionMethods: []uint8{compressionNone},
   302  				supportedCurves:    tt.supportedCurves,
   303  				supportedPoints:    tt.supportedPoints,
   304  			}
   305  
   306  			c, s := localPipe(t)
   307  			replyChan := make(chan interface{})
   308  			go func() {
   309  				cli := Client(c, testConfig)
   310  				cli.vers = clientHello.vers
   311  				cli.writeRecord(recordTypeHandshake, clientHello.marshal())
   312  				reply, err := cli.readHandshake()
   313  				c.Close()
   314  				if err != nil {
   315  					replyChan <- err
   316  				} else {
   317  					replyChan <- reply
   318  				}
   319  			}()
   320  			config := testConfig.Clone()
   321  			config.CipherSuites = clientHello.cipherSuites
   322  			Server(s, config).Handshake()
   323  			s.Close()
   324  			reply := <-replyChan
   325  			if err, ok := reply.(error); ok {
   326  				t.Fatal(err)
   327  			}
   328  			serverHello, ok := reply.(*serverHelloMsg)
   329  			if !ok {
   330  				t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
   331  			}
   332  			if tt.wantSupportedPoints {
   333  				if len(serverHello.supportedPoints) < 1 {
   334  					t.Fatal("missing ec_point_format extension from server")
   335  				}
   336  				found := false
   337  				for _, p := range serverHello.supportedPoints {
   338  					if p == pointFormatUncompressed {
   339  						found = true
   340  						break
   341  					}
   342  				}
   343  				if !found {
   344  					t.Fatal("missing uncompressed format in ec_point_format extension from server")
   345  				}
   346  			} else {
   347  				if len(serverHello.supportedPoints) != 0 {
   348  					t.Fatalf("unexcpected ec_point_format extension from server: %v", serverHello.supportedPoints)
   349  				}
   350  			}
   351  		})
   352  	}
   353  }
   354  
   355  func TestAlertForwarding(t *testing.T) {
   356  	c, s := localPipe(t)
   357  	go func() {
   358  		Client(c, testConfig).sendAlert(alertUnknownCA)
   359  		c.Close()
   360  	}()
   361  
   362  	err := Server(s, testConfig).Handshake()
   363  	s.Close()
   364  	var opErr *net.OpError
   365  	if !errors.As(err, &opErr) || opErr.Err != error(alertUnknownCA) {
   366  		t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
   367  	}
   368  }
   369  
   370  func TestClose(t *testing.T) {
   371  	c, s := localPipe(t)
   372  	go c.Close()
   373  
   374  	err := Server(s, testConfig).Handshake()
   375  	s.Close()
   376  	if err != io.EOF {
   377  		t.Errorf("Got error: %s; expected: %s", err, io.EOF)
   378  	}
   379  }
   380  
   381  func TestVersion(t *testing.T) {
   382  	serverConfig := &Config{
   383  		Certificates: testConfig.Certificates,
   384  		MaxVersion:   VersionTLS11,
   385  	}
   386  	clientConfig := &Config{
   387  		InsecureSkipVerify: true,
   388  	}
   389  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   390  	if err != nil {
   391  		t.Fatalf("handshake failed: %s", err)
   392  	}
   393  	if state.Version != VersionTLS11 {
   394  		t.Fatalf("Incorrect version %x, should be %x", state.Version, VersionTLS11)
   395  	}
   396  }
   397  
   398  func TestCipherSuitePreference(t *testing.T) {
   399  	serverConfig := &Config{
   400  		CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
   401  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
   402  		Certificates: testConfig.Certificates,
   403  		MaxVersion:   VersionTLS12,
   404  		GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
   405  			if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
   406  				t.Error("the advertised order should not depend on Config.CipherSuites")
   407  			}
   408  			if len(chi.CipherSuites) != 2+len(defaultCipherSuitesTLS13) {
   409  				t.Error("the advertised TLS 1.2 suites should be filtered by Config.CipherSuites")
   410  			}
   411  			return nil, nil
   412  		},
   413  	}
   414  	clientConfig := &Config{
   415  		CipherSuites:       []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
   416  		InsecureSkipVerify: true,
   417  	}
   418  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   419  	if err != nil {
   420  		t.Fatalf("handshake failed: %s", err)
   421  	}
   422  	if state.CipherSuite != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
   423  		t.Error("the preference order should not depend on Config.CipherSuites")
   424  	}
   425  }
   426  
   427  func TestSCTHandshake(t *testing.T) {
   428  	t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) })
   429  	t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) })
   430  }
   431  
   432  func testSCTHandshake(t *testing.T, version uint16) {
   433  	expected := [][]byte{[]byte("certificate"), []byte("transparency")}
   434  	serverConfig := &Config{
   435  		Certificates: []Certificate{{
   436  			Certificate:                 [][]byte{testRSACertificate},
   437  			PrivateKey:                  testRSAPrivateKey,
   438  			SignedCertificateTimestamps: expected,
   439  		}},
   440  		MaxVersion: version,
   441  	}
   442  	clientConfig := &Config{
   443  		InsecureSkipVerify: true,
   444  	}
   445  	_, state, err := testHandshake(t, clientConfig, serverConfig)
   446  	if err != nil {
   447  		t.Fatalf("handshake failed: %s", err)
   448  	}
   449  	actual := state.SignedCertificateTimestamps
   450  	if len(actual) != len(expected) {
   451  		t.Fatalf("got %d scts, want %d", len(actual), len(expected))
   452  	}
   453  	for i, sct := range expected {
   454  		if !bytes.Equal(sct, actual[i]) {
   455  			t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct)
   456  		}
   457  	}
   458  }
   459  
   460  func TestCrossVersionResume(t *testing.T) {
   461  	t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) })
   462  	t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) })
   463  }
   464  
   465  func testCrossVersionResume(t *testing.T, version uint16) {
   466  	serverConfig := &Config{
   467  		CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
   468  		Certificates: testConfig.Certificates,
   469  	}
   470  	clientConfig := &Config{
   471  		CipherSuites:       []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
   472  		InsecureSkipVerify: true,
   473  		ClientSessionCache: NewLRUClientSessionCache(1),
   474  		ServerName:         "servername",
   475  	}
   476  
   477  	// Establish a session at TLS 1.1.
   478  	clientConfig.MaxVersion = VersionTLS11
   479  	_, _, err := testHandshake(t, clientConfig, serverConfig)
   480  	if err != nil {
   481  		t.Fatalf("handshake failed: %s", err)
   482  	}
   483  
   484  	// The client session cache now contains a TLS 1.1 session.
   485  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   486  	if err != nil {
   487  		t.Fatalf("handshake failed: %s", err)
   488  	}
   489  	if !state.DidResume {
   490  		t.Fatalf("handshake did not resume at the same version")
   491  	}
   492  
   493  	// Test that the server will decline to resume at a lower version.
   494  	clientConfig.MaxVersion = VersionTLS10
   495  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   496  	if err != nil {
   497  		t.Fatalf("handshake failed: %s", err)
   498  	}
   499  	if state.DidResume {
   500  		t.Fatalf("handshake resumed at a lower version")
   501  	}
   502  
   503  	// The client session cache now contains a TLS 1.0 session.
   504  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   505  	if err != nil {
   506  		t.Fatalf("handshake failed: %s", err)
   507  	}
   508  	if !state.DidResume {
   509  		t.Fatalf("handshake did not resume at the same version")
   510  	}
   511  
   512  	// Test that the server will decline to resume at a higher version.
   513  	clientConfig.MaxVersion = VersionTLS11
   514  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   515  	if err != nil {
   516  		t.Fatalf("handshake failed: %s", err)
   517  	}
   518  	if state.DidResume {
   519  		t.Fatalf("handshake resumed at a higher version")
   520  	}
   521  }
   522  
   523  // Note: see comment in handshake_test.go for details of how the reference
   524  // tests work.
   525  
   526  // serverTest represents a test of the TLS server handshake against a reference
   527  // implementation.
   528  type serverTest struct {
   529  	// name is a freeform string identifying the test and the file in which
   530  	// the expected results will be stored.
   531  	name string
   532  	// command, if not empty, contains a series of arguments for the
   533  	// command to run for the reference server.
   534  	command []string
   535  	// expectedPeerCerts contains a list of PEM blocks of expected
   536  	// certificates from the client.
   537  	expectedPeerCerts []string
   538  	// config, if not nil, contains a custom Config to use for this test.
   539  	config *Config
   540  	// expectHandshakeErrorIncluding, when not empty, contains a string
   541  	// that must be a substring of the error resulting from the handshake.
   542  	expectHandshakeErrorIncluding string
   543  	// validate, if not nil, is a function that will be called with the
   544  	// ConnectionState of the resulting connection. It returns false if the
   545  	// ConnectionState is unacceptable.
   546  	validate func(ConnectionState) error
   547  	// wait, if true, prevents this subtest from calling t.Parallel.
   548  	// If false, runServerTest* returns immediately.
   549  	wait bool
   550  }
   551  
   552  var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
   553  
   554  // connFromCommand starts opens a listening socket and starts the reference
   555  // client to connect to it. It returns a recordingConn that wraps the resulting
   556  // connection.
   557  func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
   558  	l, err := net.ListenTCP("tcp", &net.TCPAddr{
   559  		IP:   net.IPv4(127, 0, 0, 1),
   560  		Port: 0,
   561  	})
   562  	if err != nil {
   563  		return nil, nil, err
   564  	}
   565  	defer l.Close()
   566  
   567  	port := l.Addr().(*net.TCPAddr).Port
   568  
   569  	var command []string
   570  	command = append(command, test.command...)
   571  	if len(command) == 0 {
   572  		command = defaultClientCommand
   573  	}
   574  	command = append(command, "-connect")
   575  	command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
   576  	cmd := exec.Command(command[0], command[1:]...)
   577  	cmd.Stdin = nil
   578  	var output bytes.Buffer
   579  	cmd.Stdout = &output
   580  	cmd.Stderr = &output
   581  	if err := cmd.Start(); err != nil {
   582  		return nil, nil, err
   583  	}
   584  
   585  	connChan := make(chan interface{}, 1)
   586  	go func() {
   587  		tcpConn, err := l.Accept()
   588  		if err != nil {
   589  			connChan <- err
   590  			return
   591  		}
   592  		connChan <- tcpConn
   593  	}()
   594  
   595  	var tcpConn net.Conn
   596  	select {
   597  	case connOrError := <-connChan:
   598  		if err, ok := connOrError.(error); ok {
   599  			return nil, nil, err
   600  		}
   601  		tcpConn = connOrError.(net.Conn)
   602  	case <-time.After(2 * time.Second):
   603  		return nil, nil, errors.New("timed out waiting for connection from child process")
   604  	}
   605  
   606  	record := &recordingConn{
   607  		Conn: tcpConn,
   608  	}
   609  
   610  	return record, cmd, nil
   611  }
   612  
   613  func (test *serverTest) dataPath() string {
   614  	return filepath.Join("testdata", "Server-"+test.name)
   615  }
   616  
   617  func (test *serverTest) loadData() (flows [][]byte, err error) {
   618  	in, err := os.Open(test.dataPath())
   619  	if err != nil {
   620  		return nil, err
   621  	}
   622  	defer in.Close()
   623  	return parseTestData(in)
   624  }
   625  
   626  func (test *serverTest) run(t *testing.T, write bool) {
   627  	var clientConn, serverConn net.Conn
   628  	var recordingConn *recordingConn
   629  	var childProcess *exec.Cmd
   630  
   631  	if write {
   632  		var err error
   633  		recordingConn, childProcess, err = test.connFromCommand()
   634  		if err != nil {
   635  			t.Fatalf("Failed to start subcommand: %s", err)
   636  		}
   637  		serverConn = recordingConn
   638  		defer func() {
   639  			if t.Failed() {
   640  				t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout)
   641  			}
   642  		}()
   643  	} else {
   644  		clientConn, serverConn = localPipe(t)
   645  	}
   646  	config := test.config
   647  	if config == nil {
   648  		config = testConfig
   649  	}
   650  	server := Server(serverConn, config)
   651  	connStateChan := make(chan ConnectionState, 1)
   652  	go func() {
   653  		_, err := server.Write([]byte("hello, world\n"))
   654  		if len(test.expectHandshakeErrorIncluding) > 0 {
   655  			if err == nil {
   656  				t.Errorf("Error expected, but no error returned")
   657  			} else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {
   658  				t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)
   659  			}
   660  		} else {
   661  			if err != nil {
   662  				t.Logf("Error from Server.Write: '%s'", err)
   663  			}
   664  		}
   665  		server.Close()
   666  		serverConn.Close()
   667  		connStateChan <- server.ConnectionState()
   668  	}()
   669  
   670  	if !write {
   671  		flows, err := test.loadData()
   672  		if err != nil {
   673  			t.Fatalf("%s: failed to load data from %s", test.name, test.dataPath())
   674  		}
   675  		for i, b := range flows {
   676  			if i%2 == 0 {
   677  				if *fast {
   678  					clientConn.SetWriteDeadline(time.Now().Add(1 * time.Second))
   679  				} else {
   680  					clientConn.SetWriteDeadline(time.Now().Add(1 * time.Minute))
   681  				}
   682  				clientConn.Write(b)
   683  				continue
   684  			}
   685  			bb := make([]byte, len(b))
   686  			if *fast {
   687  				clientConn.SetReadDeadline(time.Now().Add(1 * time.Second))
   688  			} else {
   689  				clientConn.SetReadDeadline(time.Now().Add(1 * time.Minute))
   690  			}
   691  			n, err := io.ReadFull(clientConn, bb)
   692  			if err != nil {
   693  				t.Fatalf("%s #%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", test.name, i+1, err, n, len(bb), bb[:n], b)
   694  			}
   695  			if !bytes.Equal(b, bb) {
   696  				t.Fatalf("%s #%d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b)
   697  			}
   698  		}
   699  		clientConn.Close()
   700  	}
   701  
   702  	connState := <-connStateChan
   703  	peerCerts := connState.PeerCertificates
   704  	if len(peerCerts) == len(test.expectedPeerCerts) {
   705  		for i, peerCert := range peerCerts {
   706  			block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
   707  			if !bytes.Equal(block.Bytes, peerCert.Raw) {
   708  				t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
   709  			}
   710  		}
   711  	} else {
   712  		t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
   713  	}
   714  
   715  	if test.validate != nil {
   716  		if err := test.validate(connState); err != nil {
   717  			t.Fatalf("validate callback returned error: %s", err)
   718  		}
   719  	}
   720  
   721  	if write {
   722  		path := test.dataPath()
   723  		out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
   724  		if err != nil {
   725  			t.Fatalf("Failed to create output file: %s", err)
   726  		}
   727  		defer out.Close()
   728  		recordingConn.Close()
   729  		if len(recordingConn.flows) < 3 {
   730  			if len(test.expectHandshakeErrorIncluding) == 0 {
   731  				t.Fatalf("Handshake failed")
   732  			}
   733  		}
   734  		recordingConn.WriteTo(out)
   735  		t.Logf("Wrote %s\n", path)
   736  		childProcess.Wait()
   737  	}
   738  }
   739  
   740  func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
   741  	// Make a deep copy of the template before going parallel.
   742  	test := *template
   743  	if template.config != nil {
   744  		test.config = template.config.Clone()
   745  	}
   746  	test.name = version + "-" + test.name
   747  	if len(test.command) == 0 {
   748  		test.command = defaultClientCommand
   749  	}
   750  	test.command = append([]string(nil), test.command...)
   751  	test.command = append(test.command, option)
   752  
   753  	runTestAndUpdateIfNeeded(t, version, test.run, test.wait)
   754  }
   755  
   756  func runServerTestTLS10(t *testing.T, template *serverTest) {
   757  	runServerTestForVersion(t, template, "TLSv10", "-tls1")
   758  }
   759  
   760  func runServerTestTLS11(t *testing.T, template *serverTest) {
   761  	runServerTestForVersion(t, template, "TLSv11", "-tls1_1")
   762  }
   763  
   764  func runServerTestTLS12(t *testing.T, template *serverTest) {
   765  	runServerTestForVersion(t, template, "TLSv12", "-tls1_2")
   766  }
   767  
   768  func runServerTestTLS13(t *testing.T, template *serverTest) {
   769  	runServerTestForVersion(t, template, "TLSv13", "-tls1_3")
   770  }
   771  
   772  func TestHandshakeServerRSARC4(t *testing.T) {
   773  	test := &serverTest{
   774  		name:    "RSA-RC4",
   775  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
   776  	}
   777  	runServerTestTLS10(t, test)
   778  	runServerTestTLS11(t, test)
   779  	runServerTestTLS12(t, test)
   780  }
   781  
   782  func TestHandshakeServerRSA3DES(t *testing.T) {
   783  	test := &serverTest{
   784  		name:    "RSA-3DES",
   785  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
   786  	}
   787  	runServerTestTLS10(t, test)
   788  	runServerTestTLS12(t, test)
   789  }
   790  
   791  func TestHandshakeServerRSAAES(t *testing.T) {
   792  	test := &serverTest{
   793  		name:    "RSA-AES",
   794  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
   795  	}
   796  	runServerTestTLS10(t, test)
   797  	runServerTestTLS12(t, test)
   798  }
   799  
   800  func TestHandshakeServerAESGCM(t *testing.T) {
   801  	test := &serverTest{
   802  		name:    "RSA-AES-GCM",
   803  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
   804  	}
   805  	runServerTestTLS12(t, test)
   806  }
   807  
   808  func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
   809  	test := &serverTest{
   810  		name:    "RSA-AES256-GCM-SHA384",
   811  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"},
   812  	}
   813  	runServerTestTLS12(t, test)
   814  }
   815  
   816  func TestHandshakeServerAES128SHA256(t *testing.T) {
   817  	test := &serverTest{
   818  		name:    "AES128-SHA256",
   819  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
   820  	}
   821  	runServerTestTLS13(t, test)
   822  }
   823  func TestHandshakeServerAES256SHA384(t *testing.T) {
   824  	test := &serverTest{
   825  		name:    "AES256-SHA384",
   826  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
   827  	}
   828  	runServerTestTLS13(t, test)
   829  }
   830  func TestHandshakeServerCHACHA20SHA256(t *testing.T) {
   831  	test := &serverTest{
   832  		name:    "CHACHA20-SHA256",
   833  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   834  	}
   835  	runServerTestTLS13(t, test)
   836  }
   837  
   838  func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
   839  	config := testConfig.Clone()
   840  	config.Certificates = make([]Certificate, 1)
   841  	config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   842  	config.Certificates[0].PrivateKey = testECDSAPrivateKey
   843  	config.BuildNameToCertificate()
   844  
   845  	test := &serverTest{
   846  		name:    "ECDHE-ECDSA-AES",
   847  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
   848  		config:  config,
   849  	}
   850  	runServerTestTLS10(t, test)
   851  	runServerTestTLS12(t, test)
   852  	runServerTestTLS13(t, test)
   853  }
   854  
   855  func TestHandshakeServerX25519(t *testing.T) {
   856  	config := testConfig.Clone()
   857  	config.CurvePreferences = []CurveID{X25519}
   858  
   859  	test := &serverTest{
   860  		name:    "X25519",
   861  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"},
   862  		config:  config,
   863  	}
   864  	runServerTestTLS12(t, test)
   865  	runServerTestTLS13(t, test)
   866  }
   867  
   868  func TestHandshakeServerP256(t *testing.T) {
   869  	config := testConfig.Clone()
   870  	config.CurvePreferences = []CurveID{CurveP256}
   871  
   872  	test := &serverTest{
   873  		name:    "P256",
   874  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"},
   875  		config:  config,
   876  	}
   877  	runServerTestTLS12(t, test)
   878  	runServerTestTLS13(t, test)
   879  }
   880  
   881  func TestHandshakeServerHelloRetryRequest(t *testing.T) {
   882  	config := testConfig.Clone()
   883  	config.CurvePreferences = []CurveID{CurveP256}
   884  
   885  	test := &serverTest{
   886  		name:    "HelloRetryRequest",
   887  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"},
   888  		config:  config,
   889  	}
   890  	runServerTestTLS13(t, test)
   891  }
   892  
   893  func TestHandshakeServerALPN(t *testing.T) {
   894  	config := testConfig.Clone()
   895  	config.NextProtos = []string{"proto1", "proto2"}
   896  
   897  	test := &serverTest{
   898  		name: "ALPN",
   899  		// Note that this needs OpenSSL 1.0.2 because that is the first
   900  		// version that supports the -alpn flag.
   901  		command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   902  		config:  config,
   903  		validate: func(state ConnectionState) error {
   904  			// The server's preferences should override the client.
   905  			if state.NegotiatedProtocol != "proto1" {
   906  				return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
   907  			}
   908  			return nil
   909  		},
   910  	}
   911  	runServerTestTLS12(t, test)
   912  	runServerTestTLS13(t, test)
   913  }
   914  
   915  func TestHandshakeServerALPNNoMatch(t *testing.T) {
   916  	config := testConfig.Clone()
   917  	config.NextProtos = []string{"proto3"}
   918  
   919  	test := &serverTest{
   920  		name: "ALPN-NoMatch",
   921  		// Note that this needs OpenSSL 1.0.2 because that is the first
   922  		// version that supports the -alpn flag.
   923  		command:                       []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   924  		config:                        config,
   925  		expectHandshakeErrorIncluding: "client requested unsupported application protocol",
   926  	}
   927  	runServerTestTLS12(t, test)
   928  	runServerTestTLS13(t, test)
   929  }
   930  
   931  func TestHandshakeServerALPNNotConfigured(t *testing.T) {
   932  	config := testConfig.Clone()
   933  	config.NextProtos = nil
   934  
   935  	test := &serverTest{
   936  		name: "ALPN-NotConfigured",
   937  		// Note that this needs OpenSSL 1.0.2 because that is the first
   938  		// version that supports the -alpn flag.
   939  		command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   940  		config:  config,
   941  		validate: func(state ConnectionState) error {
   942  			if state.NegotiatedProtocol != "" {
   943  				return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
   944  			}
   945  			return nil
   946  		},
   947  	}
   948  	runServerTestTLS12(t, test)
   949  	runServerTestTLS13(t, test)
   950  }
   951  
   952  func TestHandshakeServerALPNFallback(t *testing.T) {
   953  	config := testConfig.Clone()
   954  	config.NextProtos = []string{"proto1", "h2", "proto2"}
   955  
   956  	test := &serverTest{
   957  		name: "ALPN-Fallback",
   958  		// Note that this needs OpenSSL 1.0.2 because that is the first
   959  		// version that supports the -alpn flag.
   960  		command: []string{"openssl", "s_client", "-alpn", "proto3,http/1.1,proto4", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   961  		config:  config,
   962  		validate: func(state ConnectionState) error {
   963  			if state.NegotiatedProtocol != "" {
   964  				return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
   965  			}
   966  			return nil
   967  		},
   968  	}
   969  	runServerTestTLS12(t, test)
   970  	runServerTestTLS13(t, test)
   971  }
   972  
   973  // TestHandshakeServerSNI involves a client sending an SNI extension of
   974  // "snitest.com", which happens to match the CN of testSNICertificate. The test
   975  // verifies that the server correctly selects that certificate.
   976  func TestHandshakeServerSNI(t *testing.T) {
   977  	test := &serverTest{
   978  		name:    "SNI",
   979  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
   980  	}
   981  	runServerTestTLS12(t, test)
   982  }
   983  
   984  // TestHandshakeServerSNICertForName is similar to TestHandshakeServerSNI, but
   985  // tests the dynamic GetCertificate method
   986  func TestHandshakeServerSNIGetCertificate(t *testing.T) {
   987  	config := testConfig.Clone()
   988  
   989  	// Replace the NameToCertificate map with a GetCertificate function
   990  	nameToCert := config.NameToCertificate
   991  	config.NameToCertificate = nil
   992  	config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
   993  		cert := nameToCert[clientHello.ServerName]
   994  		return cert, nil
   995  	}
   996  	test := &serverTest{
   997  		name:    "SNI-GetCertificate",
   998  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
   999  		config:  config,
  1000  	}
  1001  	runServerTestTLS12(t, test)
  1002  }
  1003  
  1004  // TestHandshakeServerSNICertForNameNotFound is similar to
  1005  // TestHandshakeServerSNICertForName, but tests to make sure that when the
  1006  // GetCertificate method doesn't return a cert, we fall back to what's in
  1007  // the NameToCertificate map.
  1008  func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
  1009  	config := testConfig.Clone()
  1010  
  1011  	config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1012  		return nil, nil
  1013  	}
  1014  	test := &serverTest{
  1015  		name:    "SNI-GetCertificateNotFound",
  1016  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
  1017  		config:  config,
  1018  	}
  1019  	runServerTestTLS12(t, test)
  1020  }
  1021  
  1022  // TestHandshakeServerSNICertForNameError tests to make sure that errors in
  1023  // GetCertificate result in a tls alert.
  1024  func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
  1025  	const errMsg = "TestHandshakeServerSNIGetCertificateError error"
  1026  
  1027  	serverConfig := testConfig.Clone()
  1028  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1029  		return nil, errors.New(errMsg)
  1030  	}
  1031  
  1032  	clientHello := &clientHelloMsg{
  1033  		vers:               VersionTLS10,
  1034  		random:             make([]byte, 32),
  1035  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
  1036  		compressionMethods: []uint8{compressionNone},
  1037  		serverName:         "test",
  1038  	}
  1039  	testClientHelloFailure(t, serverConfig, clientHello, errMsg)
  1040  }
  1041  
  1042  // TestHandshakeServerEmptyCertificates tests that GetCertificates is called in
  1043  // the case that Certificates is empty, even without SNI.
  1044  func TestHandshakeServerEmptyCertificates(t *testing.T) {
  1045  	const errMsg = "TestHandshakeServerEmptyCertificates error"
  1046  
  1047  	serverConfig := testConfig.Clone()
  1048  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1049  		return nil, errors.New(errMsg)
  1050  	}
  1051  	serverConfig.Certificates = nil
  1052  
  1053  	clientHello := &clientHelloMsg{
  1054  		vers:               VersionTLS10,
  1055  		random:             make([]byte, 32),
  1056  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
  1057  		compressionMethods: []uint8{compressionNone},
  1058  	}
  1059  	testClientHelloFailure(t, serverConfig, clientHello, errMsg)
  1060  
  1061  	// With an empty Certificates and a nil GetCertificate, the server
  1062  	// should always return a “no certificates” error.
  1063  	serverConfig.GetCertificate = nil
  1064  
  1065  	clientHello = &clientHelloMsg{
  1066  		vers:               VersionTLS10,
  1067  		random:             make([]byte, 32),
  1068  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
  1069  		compressionMethods: []uint8{compressionNone},
  1070  	}
  1071  	testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
  1072  }
  1073  
  1074  func TestServerResumption(t *testing.T) {
  1075  	sessionFilePath := tempFile("")
  1076  	defer os.Remove(sessionFilePath)
  1077  
  1078  	testIssue := &serverTest{
  1079  		name:    "IssueTicket",
  1080  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
  1081  		wait:    true,
  1082  	}
  1083  	testResume := &serverTest{
  1084  		name:    "Resume",
  1085  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1086  		validate: func(state ConnectionState) error {
  1087  			if !state.DidResume {
  1088  				return errors.New("did not resume")
  1089  			}
  1090  			return nil
  1091  		},
  1092  	}
  1093  
  1094  	runServerTestTLS12(t, testIssue)
  1095  	runServerTestTLS12(t, testResume)
  1096  
  1097  	runServerTestTLS13(t, testIssue)
  1098  	runServerTestTLS13(t, testResume)
  1099  
  1100  	config := testConfig.Clone()
  1101  	config.CurvePreferences = []CurveID{CurveP256}
  1102  
  1103  	testResumeHRR := &serverTest{
  1104  		name: "Resume-HelloRetryRequest",
  1105  		command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites",
  1106  			"TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1107  		config: config,
  1108  		validate: func(state ConnectionState) error {
  1109  			if !state.DidResume {
  1110  				return errors.New("did not resume")
  1111  			}
  1112  			return nil
  1113  		},
  1114  	}
  1115  
  1116  	runServerTestTLS13(t, testResumeHRR)
  1117  }
  1118  
  1119  func TestServerResumptionDisabled(t *testing.T) {
  1120  	sessionFilePath := tempFile("")
  1121  	defer os.Remove(sessionFilePath)
  1122  
  1123  	config := testConfig.Clone()
  1124  
  1125  	testIssue := &serverTest{
  1126  		name:    "IssueTicketPreDisable",
  1127  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
  1128  		config:  config,
  1129  		wait:    true,
  1130  	}
  1131  	testResume := &serverTest{
  1132  		name:    "ResumeDisabled",
  1133  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1134  		config:  config,
  1135  		validate: func(state ConnectionState) error {
  1136  			if state.DidResume {
  1137  				return errors.New("resumed with SessionTicketsDisabled")
  1138  			}
  1139  			return nil
  1140  		},
  1141  	}
  1142  
  1143  	config.SessionTicketsDisabled = false
  1144  	runServerTestTLS12(t, testIssue)
  1145  	config.SessionTicketsDisabled = true
  1146  	runServerTestTLS12(t, testResume)
  1147  
  1148  	config.SessionTicketsDisabled = false
  1149  	runServerTestTLS13(t, testIssue)
  1150  	config.SessionTicketsDisabled = true
  1151  	runServerTestTLS13(t, testResume)
  1152  }
  1153  
  1154  func TestFallbackSCSV(t *testing.T) {
  1155  	serverConfig := Config{
  1156  		Certificates: testConfig.Certificates,
  1157  	}
  1158  	test := &serverTest{
  1159  		name:   "FallbackSCSV",
  1160  		config: &serverConfig,
  1161  		// OpenSSL 1.0.1j is needed for the -fallback_scsv option.
  1162  		command:                       []string{"openssl", "s_client", "-fallback_scsv"},
  1163  		expectHandshakeErrorIncluding: "inappropriate protocol fallback",
  1164  	}
  1165  	runServerTestTLS11(t, test)
  1166  }
  1167  
  1168  func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
  1169  	test := &serverTest{
  1170  		name:    "ExportKeyingMaterial",
  1171  		command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-AES256-SHA", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
  1172  		config:  testConfig.Clone(),
  1173  		validate: func(state ConnectionState) error {
  1174  			if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
  1175  				return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
  1176  			} else if len(km) != 42 {
  1177  				return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
  1178  			}
  1179  			return nil
  1180  		},
  1181  	}
  1182  	runServerTestTLS10(t, test)
  1183  	runServerTestTLS12(t, test)
  1184  	runServerTestTLS13(t, test)
  1185  }
  1186  
  1187  func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
  1188  	test := &serverTest{
  1189  		name:    "RSA-RSAPKCS1v15",
  1190  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"},
  1191  	}
  1192  	runServerTestTLS12(t, test)
  1193  }
  1194  
  1195  func TestHandshakeServerRSAPSS(t *testing.T) {
  1196  	// We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we
  1197  	// verify the server implementation will disregard the client preference in
  1198  	// that case. See Issue 29793.
  1199  	test := &serverTest{
  1200  		name:    "RSA-RSAPSS",
  1201  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
  1202  	}
  1203  	runServerTestTLS12(t, test)
  1204  	runServerTestTLS13(t, test)
  1205  
  1206  	test = &serverTest{
  1207  		name:                          "RSA-RSAPSS-TooSmall",
  1208  		command:                       []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"},
  1209  		expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
  1210  	}
  1211  	runServerTestTLS13(t, test)
  1212  }
  1213  
  1214  func TestHandshakeServerEd25519(t *testing.T) {
  1215  	config := testConfig.Clone()
  1216  	config.Certificates = make([]Certificate, 1)
  1217  	config.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
  1218  	config.Certificates[0].PrivateKey = testEd25519PrivateKey
  1219  	config.BuildNameToCertificate()
  1220  
  1221  	test := &serverTest{
  1222  		name:    "Ed25519",
  1223  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
  1224  		config:  config,
  1225  	}
  1226  	runServerTestTLS12(t, test)
  1227  	runServerTestTLS13(t, test)
  1228  }
  1229  
  1230  func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
  1231  	config := testConfig.Clone()
  1232  	config.CipherSuites = []uint16{cipherSuite}
  1233  	config.CurvePreferences = []CurveID{curve}
  1234  	config.Certificates = make([]Certificate, 1)
  1235  	config.Certificates[0].Certificate = [][]byte{cert}
  1236  	config.Certificates[0].PrivateKey = key
  1237  	config.BuildNameToCertificate()
  1238  
  1239  	clientConn, serverConn := localPipe(b)
  1240  	serverConn = &recordingConn{Conn: serverConn}
  1241  	go func() {
  1242  		config := testConfig.Clone()
  1243  		config.MaxVersion = version
  1244  		config.CurvePreferences = []CurveID{curve}
  1245  		client := Client(clientConn, config)
  1246  		client.Handshake()
  1247  	}()
  1248  	server := Server(serverConn, config)
  1249  	if err := server.Handshake(); err != nil {
  1250  		b.Fatalf("handshake failed: %v", err)
  1251  	}
  1252  	serverConn.Close()
  1253  	flows := serverConn.(*recordingConn).flows
  1254  
  1255  	feeder := make(chan struct{})
  1256  	clientConn, serverConn = localPipe(b)
  1257  
  1258  	go func() {
  1259  		for range feeder {
  1260  			for i, f := range flows {
  1261  				if i%2 == 0 {
  1262  					clientConn.Write(f)
  1263  					continue
  1264  				}
  1265  				ff := make([]byte, len(f))
  1266  				n, err := io.ReadFull(clientConn, ff)
  1267  				if err != nil {
  1268  					b.Errorf("#%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", i+1, err, n, len(ff), ff[:n], f)
  1269  				}
  1270  				if !bytes.Equal(f, ff) {
  1271  					b.Errorf("#%d: mismatch on read: got:%x want:%x", i+1, ff, f)
  1272  				}
  1273  			}
  1274  		}
  1275  	}()
  1276  
  1277  	b.ResetTimer()
  1278  	for i := 0; i < b.N; i++ {
  1279  		feeder <- struct{}{}
  1280  		server := Server(serverConn, config)
  1281  		if err := server.Handshake(); err != nil {
  1282  			b.Fatalf("handshake failed: %v", err)
  1283  		}
  1284  	}
  1285  	close(feeder)
  1286  }
  1287  
  1288  func BenchmarkHandshakeServer(b *testing.B) {
  1289  	b.Run("RSA", func(b *testing.B) {
  1290  		benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256,
  1291  			0, testRSACertificate, testRSAPrivateKey)
  1292  	})
  1293  	b.Run("ECDHE-P256-RSA", func(b *testing.B) {
  1294  		b.Run("TLSv13", func(b *testing.B) {
  1295  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1296  				CurveP256, testRSACertificate, testRSAPrivateKey)
  1297  		})
  1298  		b.Run("TLSv12", func(b *testing.B) {
  1299  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1300  				CurveP256, testRSACertificate, testRSAPrivateKey)
  1301  		})
  1302  	})
  1303  	b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) {
  1304  		b.Run("TLSv13", func(b *testing.B) {
  1305  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1306  				CurveP256, testP256Certificate, testP256PrivateKey)
  1307  		})
  1308  		b.Run("TLSv12", func(b *testing.B) {
  1309  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1310  				CurveP256, testP256Certificate, testP256PrivateKey)
  1311  		})
  1312  	})
  1313  	b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) {
  1314  		b.Run("TLSv13", func(b *testing.B) {
  1315  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1316  				X25519, testP256Certificate, testP256PrivateKey)
  1317  		})
  1318  		b.Run("TLSv12", func(b *testing.B) {
  1319  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1320  				X25519, testP256Certificate, testP256PrivateKey)
  1321  		})
  1322  	})
  1323  	b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) {
  1324  		if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() {
  1325  			b.Fatal("test ECDSA key doesn't use curve P-521")
  1326  		}
  1327  		b.Run("TLSv13", func(b *testing.B) {
  1328  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1329  				CurveP521, testECDSACertificate, testECDSAPrivateKey)
  1330  		})
  1331  		b.Run("TLSv12", func(b *testing.B) {
  1332  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1333  				CurveP521, testECDSACertificate, testECDSAPrivateKey)
  1334  		})
  1335  	})
  1336  }
  1337  
  1338  func TestClientAuth(t *testing.T) {
  1339  	var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath, ed25519CertPath, ed25519KeyPath string
  1340  
  1341  	if *update {
  1342  		certPath = tempFile(clientCertificatePEM)
  1343  		defer os.Remove(certPath)
  1344  		keyPath = tempFile(clientKeyPEM)
  1345  		defer os.Remove(keyPath)
  1346  		ecdsaCertPath = tempFile(clientECDSACertificatePEM)
  1347  		defer os.Remove(ecdsaCertPath)
  1348  		ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
  1349  		defer os.Remove(ecdsaKeyPath)
  1350  		ed25519CertPath = tempFile(clientEd25519CertificatePEM)
  1351  		defer os.Remove(ed25519CertPath)
  1352  		ed25519KeyPath = tempFile(clientEd25519KeyPEM)
  1353  		defer os.Remove(ed25519KeyPath)
  1354  	} else {
  1355  		t.Parallel()
  1356  	}
  1357  
  1358  	config := testConfig.Clone()
  1359  	config.ClientAuth = RequestClientCert
  1360  
  1361  	test := &serverTest{
  1362  		name:    "ClientAuthRequestedNotGiven",
  1363  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
  1364  		config:  config,
  1365  	}
  1366  	runServerTestTLS12(t, test)
  1367  	runServerTestTLS13(t, test)
  1368  
  1369  	test = &serverTest{
  1370  		name: "ClientAuthRequestedAndGiven",
  1371  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1372  			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
  1373  		config:            config,
  1374  		expectedPeerCerts: []string{clientCertificatePEM},
  1375  	}
  1376  	runServerTestTLS12(t, test)
  1377  	runServerTestTLS13(t, test)
  1378  
  1379  	test = &serverTest{
  1380  		name: "ClientAuthRequestedAndECDSAGiven",
  1381  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1382  			"-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
  1383  		config:            config,
  1384  		expectedPeerCerts: []string{clientECDSACertificatePEM},
  1385  	}
  1386  	runServerTestTLS12(t, test)
  1387  	runServerTestTLS13(t, test)
  1388  
  1389  	test = &serverTest{
  1390  		name: "ClientAuthRequestedAndEd25519Given",
  1391  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1392  			"-cert", ed25519CertPath, "-key", ed25519KeyPath},
  1393  		config:            config,
  1394  		expectedPeerCerts: []string{clientEd25519CertificatePEM},
  1395  	}
  1396  	runServerTestTLS12(t, test)
  1397  	runServerTestTLS13(t, test)
  1398  
  1399  	test = &serverTest{
  1400  		name: "ClientAuthRequestedAndPKCS1v15Given",
  1401  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
  1402  			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pkcs1_sha256"},
  1403  		config:            config,
  1404  		expectedPeerCerts: []string{clientCertificatePEM},
  1405  	}
  1406  	runServerTestTLS12(t, test)
  1407  }
  1408  
  1409  func TestSNIGivenOnFailure(t *testing.T) {
  1410  	const expectedServerName = "test.testing"
  1411  
  1412  	clientHello := &clientHelloMsg{
  1413  		vers:               VersionTLS10,
  1414  		random:             make([]byte, 32),
  1415  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
  1416  		compressionMethods: []uint8{compressionNone},
  1417  		serverName:         expectedServerName,
  1418  	}
  1419  
  1420  	serverConfig := testConfig.Clone()
  1421  	// Erase the server's cipher suites to ensure the handshake fails.
  1422  	serverConfig.CipherSuites = nil
  1423  
  1424  	c, s := localPipe(t)
  1425  	go func() {
  1426  		cli := Client(c, testConfig)
  1427  		cli.vers = clientHello.vers
  1428  		cli.writeRecord(recordTypeHandshake, clientHello.marshal())
  1429  		c.Close()
  1430  	}()
  1431  	conn := Server(s, serverConfig)
  1432  	ctx := context.Background()
  1433  	ch, err := conn.readClientHello(ctx)
  1434  	hs := serverHandshakeState{
  1435  		c:           conn,
  1436  		ctx:         ctx,
  1437  		clientHello: ch,
  1438  	}
  1439  	if err == nil {
  1440  		err = hs.processClientHello()
  1441  	}
  1442  	if err == nil {
  1443  		err = hs.pickCipherSuite()
  1444  	}
  1445  	defer s.Close()
  1446  
  1447  	if err == nil {
  1448  		t.Error("No error reported from server")
  1449  	}
  1450  
  1451  	cs := hs.c.ConnectionState()
  1452  	if cs.HandshakeComplete {
  1453  		t.Error("Handshake registered as complete")
  1454  	}
  1455  
  1456  	if cs.ServerName != expectedServerName {
  1457  		t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName)
  1458  	}
  1459  }
  1460  
  1461  var getConfigForClientTests = []struct {
  1462  	setup          func(config *Config)
  1463  	callback       func(clientHello *ClientHelloInfo) (*Config, error)
  1464  	errorSubstring string
  1465  	verify         func(config *Config) error
  1466  }{
  1467  	{
  1468  		nil,
  1469  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1470  			return nil, nil
  1471  		},
  1472  		"",
  1473  		nil,
  1474  	},
  1475  	{
  1476  		nil,
  1477  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1478  			return nil, errors.New("should bubble up")
  1479  		},
  1480  		"should bubble up",
  1481  		nil,
  1482  	},
  1483  	{
  1484  		nil,
  1485  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1486  			config := testConfig.Clone()
  1487  			// Setting a maximum version of TLS 1.1 should cause
  1488  			// the handshake to fail, as the client MinVersion is TLS 1.2.
  1489  			config.MaxVersion = VersionTLS11
  1490  			return config, nil
  1491  		},
  1492  		"client offered only unsupported versions",
  1493  		nil,
  1494  	},
  1495  	{
  1496  		func(config *Config) {
  1497  			for i := range config.SessionTicketKey {
  1498  				config.SessionTicketKey[i] = byte(i)
  1499  			}
  1500  			config.sessionTicketKeys = nil
  1501  		},
  1502  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1503  			config := testConfig.Clone()
  1504  			for i := range config.SessionTicketKey {
  1505  				config.SessionTicketKey[i] = 0
  1506  			}
  1507  			config.sessionTicketKeys = nil
  1508  			return config, nil
  1509  		},
  1510  		"",
  1511  		func(config *Config) error {
  1512  			if config.SessionTicketKey == [32]byte{} {
  1513  				return fmt.Errorf("expected SessionTicketKey to be set")
  1514  			}
  1515  			return nil
  1516  		},
  1517  	},
  1518  	{
  1519  		func(config *Config) {
  1520  			var dummyKey [32]byte
  1521  			for i := range dummyKey {
  1522  				dummyKey[i] = byte(i)
  1523  			}
  1524  
  1525  			config.SetSessionTicketKeys([][32]byte{dummyKey})
  1526  		},
  1527  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1528  			config := testConfig.Clone()
  1529  			config.sessionTicketKeys = nil
  1530  			return config, nil
  1531  		},
  1532  		"",
  1533  		func(config *Config) error {
  1534  			if config.SessionTicketKey == [32]byte{} {
  1535  				return fmt.Errorf("expected SessionTicketKey to be set")
  1536  			}
  1537  			return nil
  1538  		},
  1539  	},
  1540  }
  1541  
  1542  func TestGetConfigForClient(t *testing.T) {
  1543  	serverConfig := testConfig.Clone()
  1544  	clientConfig := testConfig.Clone()
  1545  	clientConfig.MinVersion = VersionTLS12
  1546  
  1547  	for i, test := range getConfigForClientTests {
  1548  		if test.setup != nil {
  1549  			test.setup(serverConfig)
  1550  		}
  1551  
  1552  		var configReturned *Config
  1553  		serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
  1554  			config, err := test.callback(clientHello)
  1555  			configReturned = config
  1556  			return config, err
  1557  		}
  1558  		c, s := localPipe(t)
  1559  		done := make(chan error)
  1560  
  1561  		go func() {
  1562  			defer s.Close()
  1563  			done <- Server(s, serverConfig).Handshake()
  1564  		}()
  1565  
  1566  		clientErr := Client(c, clientConfig).Handshake()
  1567  		c.Close()
  1568  
  1569  		serverErr := <-done
  1570  
  1571  		if len(test.errorSubstring) == 0 {
  1572  			if serverErr != nil || clientErr != nil {
  1573  				t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr)
  1574  			}
  1575  			if test.verify != nil {
  1576  				if err := test.verify(configReturned); err != nil {
  1577  					t.Errorf("test[%d]: verify returned error: %v", i, err)
  1578  				}
  1579  			}
  1580  		} else {
  1581  			if serverErr == nil {
  1582  				t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring)
  1583  			} else if !strings.Contains(serverErr.Error(), test.errorSubstring) {
  1584  				t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr)
  1585  			}
  1586  		}
  1587  	}
  1588  }
  1589  
  1590  func TestCloseServerConnectionOnIdleClient(t *testing.T) {
  1591  	clientConn, serverConn := localPipe(t)
  1592  	server := Server(serverConn, testConfig.Clone())
  1593  	go func() {
  1594  		clientConn.Write([]byte{'0'})
  1595  		server.Close()
  1596  	}()
  1597  	server.SetReadDeadline(time.Now().Add(time.Minute))
  1598  	err := server.Handshake()
  1599  	if err != nil {
  1600  		if err, ok := err.(net.Error); ok && err.Timeout() {
  1601  			t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
  1602  		}
  1603  	} else {
  1604  		t.Errorf("Error expected, but no error returned")
  1605  	}
  1606  }
  1607  
  1608  func TestCloneHash(t *testing.T) {
  1609  	h1 := crypto.SHA256.New()
  1610  	h1.Write([]byte("test"))
  1611  	s1 := h1.Sum(nil)
  1612  	h2 := cloneHash(h1, crypto.SHA256)
  1613  	s2 := h2.Sum(nil)
  1614  	if !bytes.Equal(s1, s2) {
  1615  		t.Error("cloned hash generated a different sum")
  1616  	}
  1617  }
  1618  
  1619  func expectError(t *testing.T, err error, sub string) {
  1620  	if err == nil {
  1621  		t.Errorf(`expected error %q, got nil`, sub)
  1622  	} else if !strings.Contains(err.Error(), sub) {
  1623  		t.Errorf(`expected error %q, got %q`, sub, err)
  1624  	}
  1625  }
  1626  
  1627  func TestKeyTooSmallForRSAPSS(t *testing.T) {
  1628  	cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE-----
  1629  MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS
  1630  MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy
  1631  OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd
  1632  ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ
  1633  nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
  1634  DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu
  1635  Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q
  1636  KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA==
  1637  -----END CERTIFICATE-----`), []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
  1638  MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T
  1639  HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/
  1640  yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z
  1641  4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz
  1642  nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd
  1643  hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s
  1644  T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
  1645  -----END RSA TESTING KEY-----`)))
  1646  	if err != nil {
  1647  		t.Fatal(err)
  1648  	}
  1649  
  1650  	clientConn, serverConn := localPipe(t)
  1651  	client := Client(clientConn, testConfig)
  1652  	done := make(chan struct{})
  1653  	go func() {
  1654  		config := testConfig.Clone()
  1655  		config.Certificates = []Certificate{cert}
  1656  		config.MinVersion = VersionTLS13
  1657  		server := Server(serverConn, config)
  1658  		err := server.Handshake()
  1659  		expectError(t, err, "key size too small")
  1660  		close(done)
  1661  	}()
  1662  	err = client.Handshake()
  1663  	expectError(t, err, "handshake failure")
  1664  	<-done
  1665  }
  1666  
  1667  func TestMultipleCertificates(t *testing.T) {
  1668  	clientConfig := testConfig.Clone()
  1669  	clientConfig.CipherSuites = []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}
  1670  	clientConfig.MaxVersion = VersionTLS12
  1671  
  1672  	serverConfig := testConfig.Clone()
  1673  	serverConfig.Certificates = []Certificate{{
  1674  		Certificate: [][]byte{testECDSACertificate},
  1675  		PrivateKey:  testECDSAPrivateKey,
  1676  	}, {
  1677  		Certificate: [][]byte{testRSACertificate},
  1678  		PrivateKey:  testRSAPrivateKey,
  1679  	}}
  1680  
  1681  	_, clientState, err := testHandshake(t, clientConfig, serverConfig)
  1682  	if err != nil {
  1683  		t.Fatal(err)
  1684  	}
  1685  	if got := clientState.PeerCertificates[0].PublicKeyAlgorithm; got != x509.RSA {
  1686  		t.Errorf("expected RSA certificate, got %v", got)
  1687  	}
  1688  }
  1689  
  1690  func TestAESCipherReordering(t *testing.T) {
  1691  	currentAESSupport := hasAESGCMHardwareSupport
  1692  	defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
  1693  
  1694  	tests := []struct {
  1695  		name            string
  1696  		clientCiphers   []uint16
  1697  		serverHasAESGCM bool
  1698  		serverCiphers   []uint16
  1699  		expectedCipher  uint16
  1700  	}{
  1701  		{
  1702  			name: "server has hardware AES, client doesn't (pick ChaCha)",
  1703  			clientCiphers: []uint16{
  1704  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1705  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1706  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1707  			},
  1708  			serverHasAESGCM: true,
  1709  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1710  		},
  1711  		{
  1712  			name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)",
  1713  			clientCiphers: []uint16{
  1714  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1715  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1716  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1717  			},
  1718  			serverHasAESGCM: false,
  1719  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1720  		},
  1721  		{
  1722  			name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
  1723  			clientCiphers: []uint16{
  1724  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1725  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1726  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1727  			},
  1728  			serverHasAESGCM: true,
  1729  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1730  		},
  1731  		{
  1732  			name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)",
  1733  			clientCiphers: []uint16{
  1734  				0x0A0A, // GREASE value
  1735  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1736  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1737  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1738  			},
  1739  			serverHasAESGCM: true,
  1740  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1741  		},
  1742  		{
  1743  			name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)",
  1744  			clientCiphers: []uint16{
  1745  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1746  				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1747  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1748  			},
  1749  			serverHasAESGCM: false,
  1750  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1751  		},
  1752  		{
  1753  			name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)",
  1754  			clientCiphers: []uint16{
  1755  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1756  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1757  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1758  			},
  1759  			serverHasAESGCM: false,
  1760  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1761  		},
  1762  		{
  1763  			name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)",
  1764  			clientCiphers: []uint16{
  1765  				0x0A0A, // GREASE value
  1766  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1767  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1768  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1769  			},
  1770  			serverHasAESGCM: false,
  1771  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1772  		},
  1773  		{
  1774  			name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (AES-GCM)",
  1775  			clientCiphers: []uint16{
  1776  				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1777  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1778  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1779  			},
  1780  			serverHasAESGCM: false,
  1781  			serverCiphers: []uint16{
  1782  				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1783  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1784  			},
  1785  			expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1786  		},
  1787  		{
  1788  			name: "client prefers AES-GCM, server has hardware but doesn't support AES (pick ChaCha)",
  1789  			clientCiphers: []uint16{
  1790  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1791  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1792  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1793  			},
  1794  			serverHasAESGCM: true,
  1795  			serverCiphers: []uint16{
  1796  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1797  			},
  1798  			expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1799  		},
  1800  	}
  1801  
  1802  	for _, tc := range tests {
  1803  		t.Run(tc.name, func(t *testing.T) {
  1804  			hasAESGCMHardwareSupport = tc.serverHasAESGCM
  1805  			hs := &serverHandshakeState{
  1806  				c: &Conn{
  1807  					config: &Config{
  1808  						CipherSuites: tc.serverCiphers,
  1809  					},
  1810  					vers: VersionTLS12,
  1811  				},
  1812  				clientHello: &clientHelloMsg{
  1813  					cipherSuites: tc.clientCiphers,
  1814  					vers:         VersionTLS12,
  1815  				},
  1816  				ecdheOk:      true,
  1817  				rsaSignOk:    true,
  1818  				rsaDecryptOk: true,
  1819  			}
  1820  
  1821  			err := hs.pickCipherSuite()
  1822  			if err != nil {
  1823  				t.Errorf("pickCipherSuite failed: %s", err)
  1824  			}
  1825  
  1826  			if tc.expectedCipher != hs.suite.id {
  1827  				t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
  1828  			}
  1829  		})
  1830  	}
  1831  }
  1832  
  1833  func TestAESCipherReorderingTLS13(t *testing.T) {
  1834  	currentAESSupport := hasAESGCMHardwareSupport
  1835  	defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
  1836  
  1837  	tests := []struct {
  1838  		name            string
  1839  		clientCiphers   []uint16
  1840  		serverHasAESGCM bool
  1841  		expectedCipher  uint16
  1842  	}{
  1843  		{
  1844  			name: "server has hardware AES, client doesn't (pick ChaCha)",
  1845  			clientCiphers: []uint16{
  1846  				TLS_CHACHA20_POLY1305_SHA256,
  1847  				TLS_AES_128_GCM_SHA256,
  1848  			},
  1849  			serverHasAESGCM: true,
  1850  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1851  		},
  1852  		{
  1853  			name: "neither server nor client have hardware AES (pick ChaCha)",
  1854  			clientCiphers: []uint16{
  1855  				TLS_CHACHA20_POLY1305_SHA256,
  1856  				TLS_AES_128_GCM_SHA256,
  1857  			},
  1858  			serverHasAESGCM: false,
  1859  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1860  		},
  1861  		{
  1862  			name: "client prefers AES, server doesn't have hardware (pick ChaCha)",
  1863  			clientCiphers: []uint16{
  1864  				TLS_AES_128_GCM_SHA256,
  1865  				TLS_CHACHA20_POLY1305_SHA256,
  1866  			},
  1867  			serverHasAESGCM: false,
  1868  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1869  		},
  1870  		{
  1871  			name: "client prefers AES and sends GREASE, server doesn't have hardware (pick ChaCha)",
  1872  			clientCiphers: []uint16{
  1873  				0x0A0A, // GREASE value
  1874  				TLS_AES_128_GCM_SHA256,
  1875  				TLS_CHACHA20_POLY1305_SHA256,
  1876  			},
  1877  			serverHasAESGCM: false,
  1878  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1879  		},
  1880  		{
  1881  			name: "client prefers AES, server has hardware AES (pick AES)",
  1882  			clientCiphers: []uint16{
  1883  				TLS_AES_128_GCM_SHA256,
  1884  				TLS_CHACHA20_POLY1305_SHA256,
  1885  			},
  1886  			serverHasAESGCM: true,
  1887  			expectedCipher:  TLS_AES_128_GCM_SHA256,
  1888  		},
  1889  		{
  1890  			name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)",
  1891  			clientCiphers: []uint16{
  1892  				0x0A0A, // GREASE value
  1893  				TLS_AES_128_GCM_SHA256,
  1894  				TLS_CHACHA20_POLY1305_SHA256,
  1895  			},
  1896  			serverHasAESGCM: true,
  1897  			expectedCipher:  TLS_AES_128_GCM_SHA256,
  1898  		},
  1899  	}
  1900  
  1901  	for _, tc := range tests {
  1902  		t.Run(tc.name, func(t *testing.T) {
  1903  			hasAESGCMHardwareSupport = tc.serverHasAESGCM
  1904  			hs := &serverHandshakeStateTLS13{
  1905  				c: &Conn{
  1906  					config: &Config{},
  1907  					vers:   VersionTLS13,
  1908  				},
  1909  				clientHello: &clientHelloMsg{
  1910  					cipherSuites:       tc.clientCiphers,
  1911  					supportedVersions:  []uint16{VersionTLS13},
  1912  					compressionMethods: []uint8{compressionNone},
  1913  					keyShares:          []keyShare{{group: X25519, data: curve25519.Basepoint}},
  1914  				},
  1915  			}
  1916  
  1917  			err := hs.processClientHello()
  1918  			if err != nil {
  1919  				t.Errorf("pickCipherSuite failed: %s", err)
  1920  			}
  1921  
  1922  			if tc.expectedCipher != hs.suite.id {
  1923  				t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
  1924  			}
  1925  		})
  1926  	}
  1927  }
  1928  
  1929  // TestServerHandshakeContextCancellation tests that cancelling
  1930  // the context given to the server side conn.HandshakeContext
  1931  // interrupts the in-progress handshake.
  1932  func TestServerHandshakeContextCancellation(t *testing.T) {
  1933  	c, s := localPipe(t)
  1934  	ctx, cancel := context.WithCancel(context.Background())
  1935  	unblockClient := make(chan struct{})
  1936  	defer close(unblockClient)
  1937  	go func() {
  1938  		cancel()
  1939  		<-unblockClient
  1940  		_ = c.Close()
  1941  	}()
  1942  	conn := Server(s, testConfig)
  1943  	// Initiates server side handshake, which will block until a client hello is read
  1944  	// unless the cancellation works.
  1945  	err := conn.HandshakeContext(ctx)
  1946  	if err == nil {
  1947  		t.Fatal("Server handshake did not error when the context was canceled")
  1948  	}
  1949  	if err != context.Canceled {
  1950  		t.Errorf("Unexpected server handshake error: %v", err)
  1951  	}
  1952  	if runtime.GOARCH == "wasm" {
  1953  		t.Skip("conn.Close does not error as expected when called multiple times on WASM")
  1954  	}
  1955  	err = conn.Close()
  1956  	if err == nil {
  1957  		t.Error("Server connection was not closed when the context was canceled")
  1958  	}
  1959  }
  1960  
  1961  // TestHandshakeContextHierarchy tests whether the contexts
  1962  // available to GetClientCertificate and GetCertificate are
  1963  // derived from the context provided to HandshakeContext, and
  1964  // that those contexts are canceled after HandshakeContext has
  1965  // returned.
  1966  func TestHandshakeContextHierarchy(t *testing.T) {
  1967  	c, s := localPipe(t)
  1968  	clientErr := make(chan error, 1)
  1969  	clientConfig := testConfig.Clone()
  1970  	serverConfig := testConfig.Clone()
  1971  	ctx, cancel := context.WithCancel(context.Background())
  1972  	defer cancel()
  1973  	key := struct{}{}
  1974  	ctx = context.WithValue(ctx, key, true)
  1975  	go func() {
  1976  		defer close(clientErr)
  1977  		defer c.Close()
  1978  		var innerCtx context.Context
  1979  		clientConfig.Certificates = nil
  1980  		clientConfig.GetClientCertificate = func(certificateRequest *CertificateRequestInfo) (*Certificate, error) {
  1981  			if val, ok := certificateRequest.Context().Value(key).(bool); !ok || !val {
  1982  				t.Errorf("GetClientCertificate context was not child of HandshakeContext")
  1983  			}
  1984  			innerCtx = certificateRequest.Context()
  1985  			return &Certificate{
  1986  				Certificate: [][]byte{testRSACertificate},
  1987  				PrivateKey:  testRSAPrivateKey,
  1988  			}, nil
  1989  		}
  1990  		cli := Client(c, clientConfig)
  1991  		err := cli.HandshakeContext(ctx)
  1992  		if err != nil {
  1993  			clientErr <- err
  1994  			return
  1995  		}
  1996  		select {
  1997  		case <-innerCtx.Done():
  1998  		default:
  1999  			t.Errorf("GetClientCertificate context was not canceled after HandshakeContext returned.")
  2000  		}
  2001  	}()
  2002  	var innerCtx context.Context
  2003  	serverConfig.Certificates = nil
  2004  	serverConfig.ClientAuth = RequestClientCert
  2005  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  2006  		if val, ok := clientHello.Context().Value(key).(bool); !ok || !val {
  2007  			t.Errorf("GetClientCertificate context was not child of HandshakeContext")
  2008  		}
  2009  		innerCtx = clientHello.Context()
  2010  		return &Certificate{
  2011  			Certificate: [][]byte{testRSACertificate},
  2012  			PrivateKey:  testRSAPrivateKey,
  2013  		}, nil
  2014  	}
  2015  	conn := Server(s, serverConfig)
  2016  	err := conn.HandshakeContext(ctx)
  2017  	if err != nil {
  2018  		t.Errorf("Unexpected server handshake error: %v", err)
  2019  	}
  2020  	select {
  2021  	case <-innerCtx.Done():
  2022  	default:
  2023  		t.Errorf("GetCertificate context was not canceled after HandshakeContext returned.")
  2024  	}
  2025  	if err := <-clientErr; err != nil {
  2026  		t.Errorf("Unexpected client error: %v", err)
  2027  	}
  2028  }
  2029  

View as plain text