Source file
src/crypto/tls/handshake_server_test.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/ecdh"
12 "crypto/elliptic"
13 "crypto/rand"
14 "crypto/tls/internal/fips140tls"
15 "crypto/x509"
16 "encoding/pem"
17 "errors"
18 "fmt"
19 "io"
20 "net"
21 "os"
22 "os/exec"
23 "path/filepath"
24 "runtime"
25 "slices"
26 "strings"
27 "sync/atomic"
28 "testing"
29 "time"
30 )
31
32 func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
33 t.Helper()
34 testClientHelloFailure(t, serverConfig, m, "")
35 }
36
37
38
39 func testFatal(t *testing.T, err error) {
40 t.Helper()
41 t.Fatal(err)
42 }
43
44 func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
45 c, s := localPipe(t)
46 go func() {
47 cli := Client(c, testConfig)
48 if ch, ok := m.(*clientHelloMsg); ok {
49 cli.vers = ch.vers
50 }
51 if _, err := cli.writeHandshakeRecord(m, nil); err != nil {
52 testFatal(t, err)
53 }
54 c.Close()
55 }()
56 ctx := context.Background()
57 conn := Server(s, serverConfig)
58 ch, ech, err := conn.readClientHello(ctx)
59 if conn.vers == VersionTLS13 {
60 hs := serverHandshakeStateTLS13{
61 c: conn,
62 ctx: ctx,
63 clientHello: ch,
64 echContext: ech,
65 }
66 if err == nil {
67 err = hs.processClientHello()
68 }
69 if err == nil {
70 err = hs.checkForResumption()
71 }
72 if err == nil {
73 err = hs.pickCertificate()
74 }
75 } else {
76 hs := serverHandshakeState{
77 c: conn,
78 ctx: ctx,
79 clientHello: ch,
80 }
81 if err == nil {
82 err = hs.processClientHello()
83 }
84 if err == nil {
85 err = hs.pickCipherSuite()
86 }
87 }
88 s.Close()
89 t.Helper()
90 if len(expectedSubStr) == 0 {
91 if err != nil && err != io.EOF {
92 t.Errorf("Got error: %s; expected to succeed", err)
93 }
94 } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
95 t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
96 }
97 }
98
99 func TestSimpleError(t *testing.T) {
100 testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
101 }
102
103 var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}
104
105 func TestRejectBadProtocolVersion(t *testing.T) {
106 config := testConfig.Clone()
107 config.MinVersion = VersionSSL30
108 for _, v := range badProtocolVersions {
109 testClientHelloFailure(t, config, &clientHelloMsg{
110 vers: v,
111 random: make([]byte, 32),
112 }, "unsupported versions")
113 }
114 testClientHelloFailure(t, config, &clientHelloMsg{
115 vers: VersionTLS12,
116 supportedVersions: badProtocolVersions,
117 random: make([]byte, 32),
118 }, "unsupported versions")
119 }
120
121 func TestNoSuiteOverlap(t *testing.T) {
122 clientHello := &clientHelloMsg{
123 vers: VersionTLS12,
124 random: make([]byte, 32),
125 cipherSuites: []uint16{0xff00},
126 compressionMethods: []uint8{compressionNone},
127 }
128 testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
129 }
130
131 func TestNoCompressionOverlap(t *testing.T) {
132 clientHello := &clientHelloMsg{
133 vers: VersionTLS12,
134 random: make([]byte, 32),
135 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
136 compressionMethods: []uint8{0xff},
137 }
138 testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
139 }
140
141 func TestNoRC4ByDefault(t *testing.T) {
142 clientHello := &clientHelloMsg{
143 vers: VersionTLS12,
144 random: make([]byte, 32),
145 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
146 compressionMethods: []uint8{compressionNone},
147 }
148 serverConfig := testConfig.Clone()
149
150
151 serverConfig.CipherSuites = nil
152 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
153 }
154
155 func TestRejectSNIWithTrailingDot(t *testing.T) {
156 testClientHelloFailure(t, testConfig, &clientHelloMsg{
157 vers: VersionTLS12,
158 random: make([]byte, 32),
159 serverName: "foo.com.",
160 }, "unexpected message")
161 }
162
163 func TestDontSelectECDSAWithRSAKey(t *testing.T) {
164
165
166 clientHello := &clientHelloMsg{
167 vers: VersionTLS12,
168 random: make([]byte, 32),
169 cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
170 compressionMethods: []uint8{compressionNone},
171 supportedCurves: []CurveID{CurveP256},
172 supportedPoints: []uint8{pointFormatUncompressed},
173 }
174 serverConfig := testConfig.Clone()
175 serverConfig.CipherSuites = clientHello.cipherSuites
176 serverConfig.Certificates = make([]Certificate, 1)
177 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
178 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
179 serverConfig.BuildNameToCertificate()
180
181 testClientHello(t, serverConfig, clientHello)
182
183
184
185 serverConfig.Certificates = testConfig.Certificates
186 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
187 }
188
189 func TestDontSelectRSAWithECDSAKey(t *testing.T) {
190
191
192 clientHello := &clientHelloMsg{
193 vers: VersionTLS12,
194 random: make([]byte, 32),
195 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
196 compressionMethods: []uint8{compressionNone},
197 supportedCurves: []CurveID{CurveP256},
198 supportedPoints: []uint8{pointFormatUncompressed},
199 }
200 serverConfig := testConfig.Clone()
201 serverConfig.CipherSuites = clientHello.cipherSuites
202
203 testClientHello(t, serverConfig, clientHello)
204
205
206
207 serverConfig.Certificates = make([]Certificate, 1)
208 serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
209 serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
210 serverConfig.BuildNameToCertificate()
211 testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
212 }
213
214 func TestRenegotiationExtension(t *testing.T) {
215 skipFIPS(t)
216
217 clientHello := &clientHelloMsg{
218 vers: VersionTLS12,
219 compressionMethods: []uint8{compressionNone},
220 random: make([]byte, 32),
221 secureRenegotiationSupported: true,
222 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
223 }
224
225 bufChan := make(chan []byte, 1)
226 c, s := localPipe(t)
227
228 go func() {
229 cli := Client(c, testConfig)
230 cli.vers = clientHello.vers
231 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
232 testFatal(t, err)
233 }
234
235 buf := make([]byte, 1024)
236 n, err := c.Read(buf)
237 if err != nil {
238 t.Errorf("Server read returned error: %s", err)
239 return
240 }
241 c.Close()
242 bufChan <- buf[:n]
243 }()
244
245 Server(s, testConfig).Handshake()
246 buf := <-bufChan
247
248 if len(buf) < 5+4 {
249 t.Fatalf("Server returned short message of length %d", len(buf))
250 }
251
252
253
254 serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8])
255
256 var serverHello serverHelloMsg
257
258
259 if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) {
260 t.Fatalf("Failed to parse ServerHello")
261 }
262
263 if !serverHello.secureRenegotiationSupported {
264 t.Errorf("Secure renegotiation extension was not echoed.")
265 }
266 }
267
268 func TestTLS12OnlyCipherSuites(t *testing.T) {
269 skipFIPS(t)
270
271
272
273 clientHello := &clientHelloMsg{
274 vers: VersionTLS11,
275 random: make([]byte, 32),
276 cipherSuites: []uint16{
277
278
279
280
281 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
282 TLS_RSA_WITH_RC4_128_SHA,
283 },
284 compressionMethods: []uint8{compressionNone},
285 supportedCurves: []CurveID{CurveP256, CurveP384, CurveP521},
286 supportedPoints: []uint8{pointFormatUncompressed},
287 }
288
289 c, s := localPipe(t)
290 replyChan := make(chan any)
291 go func() {
292 cli := Client(c, testConfig)
293 cli.vers = clientHello.vers
294 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
295 testFatal(t, err)
296 }
297 reply, err := cli.readHandshake(nil)
298 c.Close()
299 if err != nil {
300 replyChan <- err
301 } else {
302 replyChan <- reply
303 }
304 }()
305 config := testConfig.Clone()
306 config.CipherSuites = clientHello.cipherSuites
307 Server(s, config).Handshake()
308 s.Close()
309 reply := <-replyChan
310 if err, ok := reply.(error); ok {
311 t.Fatal(err)
312 }
313 serverHello, ok := reply.(*serverHelloMsg)
314 if !ok {
315 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
316 }
317 if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
318 t.Fatalf("bad cipher suite from server: %x", s)
319 }
320 }
321
322 func TestTLSPointFormats(t *testing.T) {
323
324
325 tests := []struct {
326 name string
327 cipherSuites []uint16
328 supportedCurves []CurveID
329 supportedPoints []uint8
330 wantSupportedPoints bool
331 }{
332 {"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true},
333 {"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, nil, false},
334 {"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true},
335 {"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
336 {"RSA with ec_point_format", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, []uint8{pointFormatUncompressed}, false},
337 }
338 for _, tt := range tests {
339
340 if strings.HasPrefix(tt.name, "RSA") && fips140tls.Required() {
341 t.Logf("skipping in FIPS mode.")
342 continue
343 }
344 t.Run(tt.name, func(t *testing.T) {
345 clientHello := &clientHelloMsg{
346 vers: VersionTLS12,
347 random: make([]byte, 32),
348 cipherSuites: tt.cipherSuites,
349 compressionMethods: []uint8{compressionNone},
350 supportedCurves: tt.supportedCurves,
351 supportedPoints: tt.supportedPoints,
352 }
353
354 c, s := localPipe(t)
355 replyChan := make(chan any)
356 go func() {
357 clientConfig := testConfig.Clone()
358 clientConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
359 cli := Client(c, clientConfig)
360 cli.vers = clientHello.vers
361 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
362 testFatal(t, err)
363 }
364 reply, err := cli.readHandshake(nil)
365 c.Close()
366 if err != nil {
367 replyChan <- err
368 } else {
369 replyChan <- reply
370 }
371 }()
372 serverConfig := testConfig.Clone()
373 serverConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
374 serverConfig.CipherSuites = clientHello.cipherSuites
375 Server(s, serverConfig).Handshake()
376 s.Close()
377 reply := <-replyChan
378 if err, ok := reply.(error); ok {
379 t.Fatal(err)
380 }
381 serverHello, ok := reply.(*serverHelloMsg)
382 if !ok {
383 t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
384 }
385 if tt.wantSupportedPoints {
386 if !bytes.Equal(serverHello.supportedPoints, []uint8{pointFormatUncompressed}) {
387 t.Fatal("incorrect ec_point_format extension from server")
388 }
389 } else {
390 if len(serverHello.supportedPoints) != 0 {
391 t.Fatalf("unexpected ec_point_format extension from server: %v", serverHello.supportedPoints)
392 }
393 }
394 })
395 }
396 }
397
398 func TestAlertForwarding(t *testing.T) {
399 c, s := localPipe(t)
400 go func() {
401 Client(c, testConfig).sendAlert(alertUnknownCA)
402 c.Close()
403 }()
404
405 err := Server(s, testConfig).Handshake()
406 s.Close()
407 var opErr *net.OpError
408 if !errors.As(err, &opErr) || opErr.Err != error(alertUnknownCA) {
409 t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
410 }
411 }
412
413 func TestClose(t *testing.T) {
414 c, s := localPipe(t)
415 go c.Close()
416
417 err := Server(s, testConfig).Handshake()
418 s.Close()
419 if err != io.EOF {
420 t.Errorf("Got error: %s; expected: %s", err, io.EOF)
421 }
422 }
423
424 func TestVersion(t *testing.T) {
425 serverConfig := &Config{
426 Certificates: testConfig.Certificates,
427 MaxVersion: VersionTLS13,
428 }
429 clientConfig := &Config{
430 InsecureSkipVerify: true,
431 MinVersion: VersionTLS12,
432 }
433 state, _, err := testHandshake(t, clientConfig, serverConfig)
434 if err != nil {
435 t.Fatalf("handshake failed: %s", err)
436 }
437 if state.Version != VersionTLS13 {
438 t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
439 }
440
441 clientConfig.MinVersion = 0
442 serverConfig.MaxVersion = VersionTLS11
443 _, _, err = testHandshake(t, clientConfig, serverConfig)
444 if err == nil {
445 t.Fatalf("expected failure to connect with TLS 1.0/1.1")
446 }
447 }
448
449 func TestCipherSuitePreference(t *testing.T) {
450 skipFIPS(t)
451
452 serverConfig := &Config{
453 CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
454 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
455 Certificates: testConfig.Certificates,
456 MaxVersion: VersionTLS12,
457 GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
458 if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
459 t.Error("the advertised order should not depend on Config.CipherSuites")
460 }
461 if len(chi.CipherSuites) != 2+len(defaultCipherSuitesTLS13) {
462 t.Error("the advertised TLS 1.2 suites should be filtered by Config.CipherSuites")
463 }
464 return nil, nil
465 },
466 }
467 clientConfig := &Config{
468 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
469 InsecureSkipVerify: true,
470 }
471 state, _, err := testHandshake(t, clientConfig, serverConfig)
472 if err != nil {
473 t.Fatalf("handshake failed: %s", err)
474 }
475 if state.CipherSuite != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
476 t.Error("the preference order should not depend on Config.CipherSuites")
477 }
478 }
479
480 func TestSCTHandshake(t *testing.T) {
481 t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) })
482 t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) })
483 }
484
485 func testSCTHandshake(t *testing.T, version uint16) {
486 expected := [][]byte{[]byte("certificate"), []byte("transparency")}
487 serverConfig := &Config{
488 Certificates: []Certificate{{
489 Certificate: [][]byte{testRSACertificate},
490 PrivateKey: testRSAPrivateKey,
491 SignedCertificateTimestamps: expected,
492 }},
493 MaxVersion: version,
494 }
495 clientConfig := &Config{
496 InsecureSkipVerify: true,
497 }
498 _, state, err := testHandshake(t, clientConfig, serverConfig)
499 if err != nil {
500 t.Fatalf("handshake failed: %s", err)
501 }
502 actual := state.SignedCertificateTimestamps
503 if len(actual) != len(expected) {
504 t.Fatalf("got %d scts, want %d", len(actual), len(expected))
505 }
506 for i, sct := range expected {
507 if !bytes.Equal(sct, actual[i]) {
508 t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct)
509 }
510 }
511 }
512
513 func TestCrossVersionResume(t *testing.T) {
514 t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) })
515 t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) })
516 }
517
518 func testCrossVersionResume(t *testing.T, version uint16) {
519 serverConfig := &Config{
520 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
521 Certificates: testConfig.Certificates,
522 Time: testTime,
523 }
524 clientConfig := &Config{
525 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
526 InsecureSkipVerify: true,
527 ClientSessionCache: NewLRUClientSessionCache(1),
528 ServerName: "servername",
529 MinVersion: VersionTLS12,
530 Time: testTime,
531 }
532
533
534 clientConfig.MaxVersion = VersionTLS13
535 _, _, err := testHandshake(t, clientConfig, serverConfig)
536 if err != nil {
537 t.Fatalf("handshake failed: %s", err)
538 }
539
540
541 state, _, err := testHandshake(t, clientConfig, serverConfig)
542 if err != nil {
543 t.Fatalf("handshake failed: %s", err)
544 }
545 if !state.DidResume {
546 t.Fatalf("handshake did not resume at the same version")
547 }
548
549
550 clientConfig.MaxVersion = VersionTLS12
551 state, _, err = testHandshake(t, clientConfig, serverConfig)
552 if err != nil {
553 t.Fatalf("handshake failed: %s", err)
554 }
555 if state.DidResume {
556 t.Fatalf("handshake resumed at a lower version")
557 }
558
559
560 state, _, err = testHandshake(t, clientConfig, serverConfig)
561 if err != nil {
562 t.Fatalf("handshake failed: %s", err)
563 }
564 if !state.DidResume {
565 t.Fatalf("handshake did not resume at the same version")
566 }
567
568
569 clientConfig.MaxVersion = VersionTLS13
570 state, _, err = testHandshake(t, clientConfig, serverConfig)
571 if err != nil {
572 t.Fatalf("handshake failed: %s", err)
573 }
574 if state.DidResume {
575 t.Fatalf("handshake resumed at a higher version")
576 }
577 }
578
579
580
581
582
583
584 type serverTest struct {
585
586
587 name string
588
589
590 command []string
591
592
593 expectedPeerCerts []string
594
595 config *Config
596
597
598 expectHandshakeErrorIncluding string
599
600
601
602 validate func(ConnectionState) error
603
604
605 wait bool
606 }
607
608 var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
609
610
611
612
613 func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
614 l, err := net.ListenTCP("tcp", &net.TCPAddr{
615 IP: net.IPv4(127, 0, 0, 1),
616 Port: 0,
617 })
618 if err != nil {
619 return nil, nil, err
620 }
621 defer l.Close()
622
623 port := l.Addr().(*net.TCPAddr).Port
624
625 var command []string
626 command = append(command, test.command...)
627 if len(command) == 0 {
628 command = defaultClientCommand
629 }
630 command = append(command, "-connect")
631 command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
632 cmd := exec.Command(command[0], command[1:]...)
633 cmd.Stdin = nil
634 var output bytes.Buffer
635 cmd.Stdout = &output
636 cmd.Stderr = &output
637 if err := cmd.Start(); err != nil {
638 return nil, nil, err
639 }
640
641 connChan := make(chan any, 1)
642 go func() {
643 tcpConn, err := l.Accept()
644 if err != nil {
645 connChan <- err
646 return
647 }
648 connChan <- tcpConn
649 }()
650
651 var tcpConn net.Conn
652 select {
653 case connOrError := <-connChan:
654 if err, ok := connOrError.(error); ok {
655 return nil, nil, err
656 }
657 tcpConn = connOrError.(net.Conn)
658 case <-time.After(2 * time.Second):
659 return nil, nil, errors.New("timed out waiting for connection from child process")
660 }
661
662 record := &recordingConn{
663 Conn: tcpConn,
664 }
665
666 return record, cmd, nil
667 }
668
669 func (test *serverTest) dataPath() string {
670 return filepath.Join("testdata", "Server-"+test.name)
671 }
672
673 func (test *serverTest) loadData() (flows [][]byte, err error) {
674 in, err := os.Open(test.dataPath())
675 if err != nil {
676 return nil, err
677 }
678 defer in.Close()
679 return parseTestData(in)
680 }
681
682 func (test *serverTest) run(t *testing.T, write bool) {
683 var serverConn net.Conn
684 var recordingConn *recordingConn
685 var childProcess *exec.Cmd
686
687 if write {
688 var err error
689 recordingConn, childProcess, err = test.connFromCommand()
690 if err != nil {
691 t.Fatalf("Failed to start subcommand: %s", err)
692 }
693 serverConn = recordingConn
694 defer func() {
695 if t.Failed() {
696 t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout)
697 }
698 }()
699 } else {
700 flows, err := test.loadData()
701 if err != nil {
702 t.Fatalf("Failed to load data from %s", test.dataPath())
703 }
704 serverConn = &replayingConn{t: t, flows: flows, reading: true}
705 }
706 config := test.config
707 if config == nil {
708 config = testConfig
709 }
710 server := Server(serverConn, config)
711
712 _, err := server.Write([]byte("hello, world\n"))
713 if len(test.expectHandshakeErrorIncluding) > 0 {
714 if err == nil {
715 t.Errorf("Error expected, but no error returned")
716 } else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {
717 t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)
718 }
719 } else {
720 if err != nil {
721 t.Logf("Error from Server.Write: '%s'", err)
722 }
723 }
724 server.Close()
725
726 connState := server.ConnectionState()
727 peerCerts := connState.PeerCertificates
728 if len(peerCerts) == len(test.expectedPeerCerts) {
729 for i, peerCert := range peerCerts {
730 block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
731 if !bytes.Equal(block.Bytes, peerCert.Raw) {
732 t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
733 }
734 }
735 } else {
736 t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
737 }
738
739 if test.validate != nil {
740 if err := test.validate(connState); err != nil {
741 t.Fatalf("validate callback returned error: %s", err)
742 }
743 }
744
745 if write {
746 serverConn.Close()
747 path := test.dataPath()
748 out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
749 if err != nil {
750 t.Fatalf("Failed to create output file: %s", err)
751 }
752 defer out.Close()
753 recordingConn.Close()
754 if len(recordingConn.flows) < 3 {
755 if len(test.expectHandshakeErrorIncluding) == 0 {
756 t.Fatalf("Handshake failed")
757 }
758 }
759 recordingConn.WriteTo(out)
760 t.Logf("Wrote %s\n", path)
761 childProcess.Wait()
762 }
763 }
764
765 func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
766
767 test := *template
768 if template.config != nil {
769 test.config = template.config.Clone()
770 }
771 test.name = version + "-" + test.name
772 if len(test.command) == 0 {
773 test.command = defaultClientCommand
774 }
775 test.command = append([]string(nil), test.command...)
776 test.command = append(test.command, option)
777
778 runTestAndUpdateIfNeeded(t, version, test.run, test.wait)
779 }
780
781 func runServerTestTLS10(t *testing.T, template *serverTest) {
782 runServerTestForVersion(t, template, "TLSv10", "-tls1")
783 }
784
785 func runServerTestTLS11(t *testing.T, template *serverTest) {
786 runServerTestForVersion(t, template, "TLSv11", "-tls1_1")
787 }
788
789 func runServerTestTLS12(t *testing.T, template *serverTest) {
790 runServerTestForVersion(t, template, "TLSv12", "-tls1_2")
791 }
792
793 func runServerTestTLS13(t *testing.T, template *serverTest) {
794 runServerTestForVersion(t, template, "TLSv13", "-tls1_3")
795 }
796
797 func TestHandshakeServerRSARC4(t *testing.T) {
798 test := &serverTest{
799 name: "RSA-RC4",
800 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
801 }
802 runServerTestTLS10(t, test)
803 runServerTestTLS11(t, test)
804 runServerTestTLS12(t, test)
805 }
806
807 func TestHandshakeServerRSA3DES(t *testing.T) {
808 test := &serverTest{
809 name: "RSA-3DES",
810 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
811 }
812 runServerTestTLS10(t, test)
813 runServerTestTLS12(t, test)
814 }
815
816 func TestHandshakeServerRSAAES(t *testing.T) {
817 test := &serverTest{
818 name: "RSA-AES",
819 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
820 }
821 runServerTestTLS10(t, test)
822 runServerTestTLS12(t, test)
823 }
824
825 func TestHandshakeServerAESGCM(t *testing.T) {
826 test := &serverTest{
827 name: "RSA-AES-GCM",
828 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
829 }
830 runServerTestTLS12(t, test)
831 }
832
833 func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
834 test := &serverTest{
835 name: "RSA-AES256-GCM-SHA384",
836 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"},
837 }
838 runServerTestTLS12(t, test)
839 }
840
841 func TestHandshakeServerAES128SHA256(t *testing.T) {
842 test := &serverTest{
843 name: "AES128-SHA256",
844 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
845 }
846 runServerTestTLS13(t, test)
847 }
848 func TestHandshakeServerAES256SHA384(t *testing.T) {
849 test := &serverTest{
850 name: "AES256-SHA384",
851 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
852 }
853 runServerTestTLS13(t, test)
854 }
855 func TestHandshakeServerCHACHA20SHA256(t *testing.T) {
856 test := &serverTest{
857 name: "CHACHA20-SHA256",
858 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
859 }
860 runServerTestTLS13(t, test)
861 }
862
863 func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
864 config := testConfig.Clone()
865 config.Certificates = make([]Certificate, 1)
866 config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
867 config.Certificates[0].PrivateKey = testECDSAPrivateKey
868 config.BuildNameToCertificate()
869
870 test := &serverTest{
871 name: "ECDHE-ECDSA-AES",
872 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
873 config: config,
874 }
875 runServerTestTLS10(t, test)
876 runServerTestTLS12(t, test)
877 runServerTestTLS13(t, test)
878 }
879
880 func TestHandshakeServerX25519(t *testing.T) {
881 config := testConfig.Clone()
882 config.CurvePreferences = []CurveID{X25519}
883
884 test := &serverTest{
885 name: "X25519",
886 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"},
887 config: config,
888 }
889 runServerTestTLS12(t, test)
890 runServerTestTLS13(t, test)
891 }
892
893 func TestHandshakeServerP256(t *testing.T) {
894 config := testConfig.Clone()
895 config.CurvePreferences = []CurveID{CurveP256}
896
897 test := &serverTest{
898 name: "P256",
899 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"},
900 config: config,
901 }
902 runServerTestTLS12(t, test)
903 runServerTestTLS13(t, test)
904 }
905
906 func TestHandshakeServerHelloRetryRequest(t *testing.T) {
907 config := testConfig.Clone()
908 config.CurvePreferences = []CurveID{CurveP256}
909
910 test := &serverTest{
911 name: "HelloRetryRequest",
912 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"},
913 config: config,
914 validate: func(cs ConnectionState) error {
915 if !cs.testingOnlyDidHRR {
916 return errors.New("expected HelloRetryRequest")
917 }
918 return nil
919 },
920 }
921 runServerTestTLS13(t, test)
922 }
923
924
925
926 func TestHandshakeServerKeySharePreference(t *testing.T) {
927 config := testConfig.Clone()
928 config.CurvePreferences = []CurveID{X25519, CurveP256}
929
930 test := &serverTest{
931 name: "KeySharePreference",
932 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256:X25519"},
933 config: config,
934 validate: func(cs ConnectionState) error {
935 if cs.testingOnlyDidHRR {
936 return errors.New("unexpected HelloRetryRequest")
937 }
938 return nil
939 },
940 }
941 runServerTestTLS13(t, test)
942 }
943
944 func TestHandshakeServerALPN(t *testing.T) {
945 config := testConfig.Clone()
946 config.NextProtos = []string{"proto1", "proto2"}
947
948 test := &serverTest{
949 name: "ALPN",
950
951
952 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
953 config: config,
954 validate: func(state ConnectionState) error {
955
956 if state.NegotiatedProtocol != "proto1" {
957 return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
958 }
959 return nil
960 },
961 }
962 runServerTestTLS12(t, test)
963 runServerTestTLS13(t, test)
964 }
965
966 func TestHandshakeServerALPNNoMatch(t *testing.T) {
967 config := testConfig.Clone()
968 config.NextProtos = []string{"proto3"}
969
970 test := &serverTest{
971 name: "ALPN-NoMatch",
972
973
974 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
975 config: config,
976 expectHandshakeErrorIncluding: "client requested unsupported application protocol",
977 }
978 runServerTestTLS12(t, test)
979 runServerTestTLS13(t, test)
980 }
981
982 func TestHandshakeServerALPNNotConfigured(t *testing.T) {
983 config := testConfig.Clone()
984 config.NextProtos = nil
985
986 test := &serverTest{
987 name: "ALPN-NotConfigured",
988
989
990 command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
991 config: config,
992 validate: func(state ConnectionState) error {
993 if state.NegotiatedProtocol != "" {
994 return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
995 }
996 return nil
997 },
998 }
999 runServerTestTLS12(t, test)
1000 runServerTestTLS13(t, test)
1001 }
1002
1003 func TestHandshakeServerALPNFallback(t *testing.T) {
1004 config := testConfig.Clone()
1005 config.NextProtos = []string{"proto1", "h2", "proto2"}
1006
1007 test := &serverTest{
1008 name: "ALPN-Fallback",
1009
1010
1011 command: []string{"openssl", "s_client", "-alpn", "proto3,http/1.1,proto4", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1012 config: config,
1013 validate: func(state ConnectionState) error {
1014 if state.NegotiatedProtocol != "" {
1015 return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
1016 }
1017 return nil
1018 },
1019 }
1020 runServerTestTLS12(t, test)
1021 runServerTestTLS13(t, test)
1022 }
1023
1024
1025
1026
1027 func TestHandshakeServerSNI(t *testing.T) {
1028 test := &serverTest{
1029 name: "SNI",
1030 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1031 }
1032 runServerTestTLS12(t, test)
1033 }
1034
1035
1036
1037 func TestHandshakeServerSNIGetCertificate(t *testing.T) {
1038 config := testConfig.Clone()
1039
1040
1041 nameToCert := config.NameToCertificate
1042 config.NameToCertificate = nil
1043 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1044 cert := nameToCert[clientHello.ServerName]
1045 return cert, nil
1046 }
1047 test := &serverTest{
1048 name: "SNI-GetCertificate",
1049 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1050 config: config,
1051 }
1052 runServerTestTLS12(t, test)
1053 }
1054
1055
1056
1057
1058
1059 func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
1060 config := testConfig.Clone()
1061
1062 config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1063 return nil, nil
1064 }
1065 test := &serverTest{
1066 name: "SNI-GetCertificateNotFound",
1067 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
1068 config: config,
1069 }
1070 runServerTestTLS12(t, test)
1071 }
1072
1073
1074
1075
1076 func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
1077 const errMsg = "TestHandshakeServerGetCertificateExtensions error"
1078
1079
1080 var called atomic.Int32
1081
1082 testVersions := []uint16{VersionTLS12, VersionTLS13}
1083 for _, vers := range testVersions {
1084 t.Run(fmt.Sprintf("TLS version %04x", vers), func(t *testing.T) {
1085 pk, _ := ecdh.P256().GenerateKey(rand.Reader)
1086 clientHello := &clientHelloMsg{
1087 vers: vers,
1088 random: make([]byte, 32),
1089 cipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
1090 compressionMethods: []uint8{compressionNone},
1091 serverName: "test",
1092 keyShares: []keyShare{{group: CurveP256, data: pk.PublicKey().Bytes()}},
1093 supportedCurves: []CurveID{CurveP256},
1094 supportedSignatureAlgorithms: []SignatureScheme{ECDSAWithP256AndSHA256},
1095 }
1096
1097
1098
1099 expectedExtensions := []uint16{
1100 extensionServerName,
1101 extensionSupportedCurves,
1102 extensionSignatureAlgorithms,
1103 extensionKeyShare,
1104 }
1105
1106 if vers == VersionTLS13 {
1107 clientHello.supportedVersions = []uint16{VersionTLS13}
1108 expectedExtensions = append(expectedExtensions, extensionSupportedVersions)
1109 }
1110
1111
1112 slices.Sort(expectedExtensions)
1113
1114 serverConfig := testConfig.Clone()
1115 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1116 if !slices.Equal(expectedExtensions, clientHello.Extensions) {
1117 t.Errorf("expected extensions on ClientHelloInfo (%v) to match clientHelloMsg (%v)", expectedExtensions, clientHello.Extensions)
1118 }
1119 called.Add(1)
1120
1121 return nil, errors.New(errMsg)
1122 }
1123 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1124 })
1125 }
1126
1127 if int(called.Load()) != len(testVersions) {
1128 t.Error("expected our GetCertificate test to be called twice")
1129 }
1130 }
1131
1132
1133
1134 func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
1135 const errMsg = "TestHandshakeServerSNIGetCertificateError error"
1136
1137 serverConfig := testConfig.Clone()
1138 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1139 return nil, errors.New(errMsg)
1140 }
1141
1142 clientHello := &clientHelloMsg{
1143 vers: VersionTLS12,
1144 random: make([]byte, 32),
1145 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1146 compressionMethods: []uint8{compressionNone},
1147 serverName: "test",
1148 }
1149 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1150 }
1151
1152
1153
1154 func TestHandshakeServerEmptyCertificates(t *testing.T) {
1155 const errMsg = "TestHandshakeServerEmptyCertificates error"
1156
1157 serverConfig := testConfig.Clone()
1158 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
1159 return nil, errors.New(errMsg)
1160 }
1161 serverConfig.Certificates = nil
1162
1163 clientHello := &clientHelloMsg{
1164 vers: VersionTLS12,
1165 random: make([]byte, 32),
1166 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1167 compressionMethods: []uint8{compressionNone},
1168 }
1169 testClientHelloFailure(t, serverConfig, clientHello, errMsg)
1170
1171
1172
1173 serverConfig.GetCertificate = nil
1174
1175 clientHello = &clientHelloMsg{
1176 vers: VersionTLS12,
1177 random: make([]byte, 32),
1178 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1179 compressionMethods: []uint8{compressionNone},
1180 }
1181 testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
1182 }
1183
1184 func TestServerResumption(t *testing.T) {
1185 sessionFilePath := tempFile("")
1186 defer os.Remove(sessionFilePath)
1187
1188 testIssue := &serverTest{
1189 name: "IssueTicket",
1190 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
1191 wait: true,
1192 }
1193 testResume := &serverTest{
1194 name: "Resume",
1195 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1196 validate: func(state ConnectionState) error {
1197 if !state.DidResume {
1198 return errors.New("did not resume")
1199 }
1200 return nil
1201 },
1202 }
1203
1204 runServerTestTLS12(t, testIssue)
1205 runServerTestTLS12(t, testResume)
1206
1207 runServerTestTLS13(t, testIssue)
1208 runServerTestTLS13(t, testResume)
1209
1210 config := testConfig.Clone()
1211 config.CurvePreferences = []CurveID{CurveP256}
1212
1213 testResumeHRR := &serverTest{
1214 name: "Resume-HelloRetryRequest",
1215 command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites",
1216 "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1217 config: config,
1218 validate: func(state ConnectionState) error {
1219 if !state.DidResume {
1220 return errors.New("did not resume")
1221 }
1222 return nil
1223 },
1224 }
1225
1226 runServerTestTLS13(t, testResumeHRR)
1227 }
1228
1229 func TestServerResumptionDisabled(t *testing.T) {
1230 sessionFilePath := tempFile("")
1231 defer os.Remove(sessionFilePath)
1232
1233 config := testConfig.Clone()
1234
1235 testIssue := &serverTest{
1236 name: "IssueTicketPreDisable",
1237 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
1238 config: config,
1239 wait: true,
1240 }
1241 testResume := &serverTest{
1242 name: "ResumeDisabled",
1243 command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
1244 config: config,
1245 validate: func(state ConnectionState) error {
1246 if state.DidResume {
1247 return errors.New("resumed with SessionTicketsDisabled")
1248 }
1249 return nil
1250 },
1251 }
1252
1253 config.SessionTicketsDisabled = false
1254 runServerTestTLS12(t, testIssue)
1255 config.SessionTicketsDisabled = true
1256 runServerTestTLS12(t, testResume)
1257
1258 config.SessionTicketsDisabled = false
1259 runServerTestTLS13(t, testIssue)
1260 config.SessionTicketsDisabled = true
1261 runServerTestTLS13(t, testResume)
1262 }
1263
1264 func TestFallbackSCSV(t *testing.T) {
1265 serverConfig := Config{
1266 Certificates: testConfig.Certificates,
1267 MinVersion: VersionTLS11,
1268 }
1269 test := &serverTest{
1270 name: "FallbackSCSV",
1271 config: &serverConfig,
1272
1273 command: []string{"openssl", "s_client", "-fallback_scsv"},
1274 expectHandshakeErrorIncluding: "inappropriate protocol fallback",
1275 }
1276 runServerTestTLS11(t, test)
1277 }
1278
1279 func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
1280 test := &serverTest{
1281 name: "ExportKeyingMaterial",
1282 command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-AES256-SHA", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1283 config: testConfig.Clone(),
1284 validate: func(state ConnectionState) error {
1285 if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
1286 return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
1287 } else if len(km) != 42 {
1288 return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
1289 }
1290 return nil
1291 },
1292 }
1293 runServerTestTLS10(t, test)
1294 runServerTestTLS12(t, test)
1295 runServerTestTLS13(t, test)
1296 }
1297
1298 func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
1299 test := &serverTest{
1300 name: "RSA-RSAPKCS1v15",
1301 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"},
1302 }
1303 runServerTestTLS12(t, test)
1304 }
1305
1306 func TestHandshakeServerRSAPSS(t *testing.T) {
1307
1308
1309
1310 test := &serverTest{
1311 name: "RSA-RSAPSS",
1312 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
1313 }
1314 runServerTestTLS12(t, test)
1315 runServerTestTLS13(t, test)
1316
1317 test = &serverTest{
1318 name: "RSA-RSAPSS-TooSmall",
1319 command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"},
1320 expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
1321 }
1322 runServerTestTLS13(t, test)
1323 }
1324
1325 func TestHandshakeServerEd25519(t *testing.T) {
1326 config := testConfig.Clone()
1327 config.Certificates = make([]Certificate, 1)
1328 config.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
1329 config.Certificates[0].PrivateKey = testEd25519PrivateKey
1330 config.BuildNameToCertificate()
1331
1332 test := &serverTest{
1333 name: "Ed25519",
1334 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
1335 config: config,
1336 }
1337 runServerTestTLS12(t, test)
1338 runServerTestTLS13(t, test)
1339 }
1340
1341 func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
1342 config := testConfig.Clone()
1343 config.CipherSuites = []uint16{cipherSuite}
1344 config.CurvePreferences = []CurveID{curve}
1345 config.Certificates = make([]Certificate, 1)
1346 config.Certificates[0].Certificate = [][]byte{cert}
1347 config.Certificates[0].PrivateKey = key
1348 config.BuildNameToCertificate()
1349
1350 clientConn, serverConn := localPipe(b)
1351 serverConn = &recordingConn{Conn: serverConn}
1352 go func() {
1353 config := testConfig.Clone()
1354 config.MaxVersion = version
1355 config.CurvePreferences = []CurveID{curve}
1356 client := Client(clientConn, config)
1357 client.Handshake()
1358 }()
1359 server := Server(serverConn, config)
1360 if err := server.Handshake(); err != nil {
1361 b.Fatalf("handshake failed: %v", err)
1362 }
1363 serverConn.Close()
1364 flows := serverConn.(*recordingConn).flows
1365
1366 b.ResetTimer()
1367 for i := 0; i < b.N; i++ {
1368 replay := &replayingConn{t: b, flows: slices.Clone(flows), reading: true}
1369 server := Server(replay, config)
1370 if err := server.Handshake(); err != nil {
1371 b.Fatalf("handshake failed: %v", err)
1372 }
1373 }
1374 }
1375
1376 func BenchmarkHandshakeServer(b *testing.B) {
1377 b.Run("RSA", func(b *testing.B) {
1378 benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256,
1379 0, testRSACertificate, testRSAPrivateKey)
1380 })
1381 b.Run("ECDHE-P256-RSA", func(b *testing.B) {
1382 b.Run("TLSv13", func(b *testing.B) {
1383 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1384 CurveP256, testRSACertificate, testRSAPrivateKey)
1385 })
1386 b.Run("TLSv12", func(b *testing.B) {
1387 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1388 CurveP256, testRSACertificate, testRSAPrivateKey)
1389 })
1390 })
1391 b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) {
1392 b.Run("TLSv13", func(b *testing.B) {
1393 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1394 CurveP256, testP256Certificate, testP256PrivateKey)
1395 })
1396 b.Run("TLSv12", func(b *testing.B) {
1397 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1398 CurveP256, testP256Certificate, testP256PrivateKey)
1399 })
1400 })
1401 b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) {
1402 b.Run("TLSv13", func(b *testing.B) {
1403 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1404 X25519, testP256Certificate, testP256PrivateKey)
1405 })
1406 b.Run("TLSv12", func(b *testing.B) {
1407 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1408 X25519, testP256Certificate, testP256PrivateKey)
1409 })
1410 })
1411 b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) {
1412 if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() {
1413 b.Fatal("test ECDSA key doesn't use curve P-521")
1414 }
1415 b.Run("TLSv13", func(b *testing.B) {
1416 benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1417 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1418 })
1419 b.Run("TLSv12", func(b *testing.B) {
1420 benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
1421 CurveP521, testECDSACertificate, testECDSAPrivateKey)
1422 })
1423 })
1424 }
1425
1426 func TestClientAuth(t *testing.T) {
1427 var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath, ed25519CertPath, ed25519KeyPath string
1428
1429 if *update {
1430 certPath = tempFile(clientCertificatePEM)
1431 defer os.Remove(certPath)
1432 keyPath = tempFile(clientKeyPEM)
1433 defer os.Remove(keyPath)
1434 ecdsaCertPath = tempFile(clientECDSACertificatePEM)
1435 defer os.Remove(ecdsaCertPath)
1436 ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
1437 defer os.Remove(ecdsaKeyPath)
1438 ed25519CertPath = tempFile(clientEd25519CertificatePEM)
1439 defer os.Remove(ed25519CertPath)
1440 ed25519KeyPath = tempFile(clientEd25519KeyPEM)
1441 defer os.Remove(ed25519KeyPath)
1442 } else {
1443 t.Parallel()
1444 }
1445
1446 config := testConfig.Clone()
1447 config.ClientAuth = RequestClientCert
1448
1449 test := &serverTest{
1450 name: "ClientAuthRequestedNotGiven",
1451 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
1452 config: config,
1453 }
1454 runServerTestTLS12(t, test)
1455 runServerTestTLS13(t, test)
1456
1457 test = &serverTest{
1458 name: "ClientAuthRequestedAndGiven",
1459 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1460 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
1461 config: config,
1462 expectedPeerCerts: []string{clientCertificatePEM},
1463 }
1464 runServerTestTLS12(t, test)
1465 runServerTestTLS13(t, test)
1466
1467 test = &serverTest{
1468 name: "ClientAuthRequestedAndECDSAGiven",
1469 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1470 "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
1471 config: config,
1472 expectedPeerCerts: []string{clientECDSACertificatePEM},
1473 }
1474 runServerTestTLS12(t, test)
1475 runServerTestTLS13(t, test)
1476
1477 test = &serverTest{
1478 name: "ClientAuthRequestedAndEd25519Given",
1479 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
1480 "-cert", ed25519CertPath, "-key", ed25519KeyPath},
1481 config: config,
1482 expectedPeerCerts: []string{clientEd25519CertificatePEM},
1483 }
1484 runServerTestTLS12(t, test)
1485 runServerTestTLS13(t, test)
1486
1487 test = &serverTest{
1488 name: "ClientAuthRequestedAndPKCS1v15Given",
1489 command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
1490 "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pkcs1_sha256"},
1491 config: config,
1492 expectedPeerCerts: []string{clientCertificatePEM},
1493 }
1494 runServerTestTLS12(t, test)
1495 }
1496
1497 func TestSNIGivenOnFailure(t *testing.T) {
1498 const expectedServerName = "test.testing"
1499
1500 clientHello := &clientHelloMsg{
1501 vers: VersionTLS12,
1502 random: make([]byte, 32),
1503 cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1504 compressionMethods: []uint8{compressionNone},
1505 serverName: expectedServerName,
1506 }
1507
1508 serverConfig := testConfig.Clone()
1509
1510 serverConfig.CipherSuites = nil
1511
1512 c, s := localPipe(t)
1513 go func() {
1514 cli := Client(c, testConfig)
1515 cli.vers = clientHello.vers
1516 if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
1517 testFatal(t, err)
1518 }
1519 c.Close()
1520 }()
1521 conn := Server(s, serverConfig)
1522 ctx := context.Background()
1523 ch, _, err := conn.readClientHello(ctx)
1524 hs := serverHandshakeState{
1525 c: conn,
1526 ctx: ctx,
1527 clientHello: ch,
1528 }
1529 if err == nil {
1530 err = hs.processClientHello()
1531 }
1532 if err == nil {
1533 err = hs.pickCipherSuite()
1534 }
1535 defer s.Close()
1536
1537 if err == nil {
1538 t.Error("No error reported from server")
1539 }
1540
1541 cs := hs.c.ConnectionState()
1542 if cs.HandshakeComplete {
1543 t.Error("Handshake registered as complete")
1544 }
1545
1546 if cs.ServerName != expectedServerName {
1547 t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName)
1548 }
1549 }
1550
1551 var getConfigForClientTests = []struct {
1552 setup func(config *Config)
1553 callback func(clientHello *ClientHelloInfo) (*Config, error)
1554 errorSubstring string
1555 verify func(config *Config) error
1556 }{
1557 {
1558 nil,
1559 func(clientHello *ClientHelloInfo) (*Config, error) {
1560 return nil, nil
1561 },
1562 "",
1563 nil,
1564 },
1565 {
1566 nil,
1567 func(clientHello *ClientHelloInfo) (*Config, error) {
1568 return nil, errors.New("should bubble up")
1569 },
1570 "should bubble up",
1571 nil,
1572 },
1573 {
1574 nil,
1575 func(clientHello *ClientHelloInfo) (*Config, error) {
1576 config := testConfig.Clone()
1577
1578
1579 config.MaxVersion = VersionTLS11
1580 return config, nil
1581 },
1582 "client offered only unsupported versions",
1583 nil,
1584 },
1585 {
1586 func(config *Config) {
1587 for i := range config.SessionTicketKey {
1588 config.SessionTicketKey[i] = byte(i)
1589 }
1590 config.sessionTicketKeys = nil
1591 },
1592 func(clientHello *ClientHelloInfo) (*Config, error) {
1593 config := testConfig.Clone()
1594 for i := range config.SessionTicketKey {
1595 config.SessionTicketKey[i] = 0
1596 }
1597 config.sessionTicketKeys = nil
1598 return config, nil
1599 },
1600 "",
1601 func(config *Config) error {
1602 if config.SessionTicketKey == [32]byte{} {
1603 return fmt.Errorf("expected SessionTicketKey to be set")
1604 }
1605 return nil
1606 },
1607 },
1608 {
1609 func(config *Config) {
1610 var dummyKey [32]byte
1611 for i := range dummyKey {
1612 dummyKey[i] = byte(i)
1613 }
1614
1615 config.SetSessionTicketKeys([][32]byte{dummyKey})
1616 },
1617 func(clientHello *ClientHelloInfo) (*Config, error) {
1618 config := testConfig.Clone()
1619 config.sessionTicketKeys = nil
1620 return config, nil
1621 },
1622 "",
1623 func(config *Config) error {
1624 if config.SessionTicketKey == [32]byte{} {
1625 return fmt.Errorf("expected SessionTicketKey to be set")
1626 }
1627 return nil
1628 },
1629 },
1630 }
1631
1632 func TestGetConfigForClient(t *testing.T) {
1633 serverConfig := testConfig.Clone()
1634 clientConfig := testConfig.Clone()
1635 clientConfig.MinVersion = VersionTLS12
1636
1637 for i, test := range getConfigForClientTests {
1638 if test.setup != nil {
1639 test.setup(serverConfig)
1640 }
1641
1642 var configReturned *Config
1643 serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
1644 config, err := test.callback(clientHello)
1645 configReturned = config
1646 return config, err
1647 }
1648 c, s := localPipe(t)
1649 done := make(chan error)
1650
1651 go func() {
1652 defer s.Close()
1653 done <- Server(s, serverConfig).Handshake()
1654 }()
1655
1656 clientErr := Client(c, clientConfig).Handshake()
1657 c.Close()
1658
1659 serverErr := <-done
1660
1661 if len(test.errorSubstring) == 0 {
1662 if serverErr != nil || clientErr != nil {
1663 t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr)
1664 }
1665 if test.verify != nil {
1666 if err := test.verify(configReturned); err != nil {
1667 t.Errorf("test[%d]: verify returned error: %v", i, err)
1668 }
1669 }
1670 } else {
1671 if serverErr == nil {
1672 t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring)
1673 } else if !strings.Contains(serverErr.Error(), test.errorSubstring) {
1674 t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr)
1675 }
1676 }
1677 }
1678 }
1679
1680 func TestCloseServerConnectionOnIdleClient(t *testing.T) {
1681 clientConn, serverConn := localPipe(t)
1682 server := Server(serverConn, testConfig.Clone())
1683 go func() {
1684 clientConn.Write([]byte{'0'})
1685 server.Close()
1686 }()
1687 server.SetReadDeadline(time.Now().Add(time.Minute))
1688 err := server.Handshake()
1689 if err != nil {
1690 if err, ok := err.(net.Error); ok && err.Timeout() {
1691 t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
1692 }
1693 } else {
1694 t.Errorf("Error expected, but no error returned")
1695 }
1696 }
1697
1698 func TestCloneHash(t *testing.T) {
1699 h1 := crypto.SHA256.New()
1700 h1.Write([]byte("test"))
1701 s1 := h1.Sum(nil)
1702 h2 := cloneHash(h1, crypto.SHA256)
1703 s2 := h2.Sum(nil)
1704 if !bytes.Equal(s1, s2) {
1705 t.Error("cloned hash generated a different sum")
1706 }
1707 }
1708
1709 func expectError(t *testing.T, err error, sub string) {
1710 if err == nil {
1711 t.Errorf(`expected error %q, got nil`, sub)
1712 } else if !strings.Contains(err.Error(), sub) {
1713 t.Errorf(`expected error %q, got %q`, sub, err)
1714 }
1715 }
1716
1717 func TestKeyTooSmallForRSAPSS(t *testing.T) {
1718 cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE-----
1719 MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS
1720 MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy
1721 OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd
1722 ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ
1723 nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
1724 DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu
1725 Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q
1726 KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA==
1727 -----END CERTIFICATE-----`), []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
1728 MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T
1729 HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/
1730 yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z
1731 4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz
1732 nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd
1733 hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s
1734 T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
1735 -----END RSA TESTING KEY-----`)))
1736 if err != nil {
1737 t.Fatal(err)
1738 }
1739
1740 clientConn, serverConn := localPipe(t)
1741 client := Client(clientConn, testConfig)
1742 done := make(chan struct{})
1743 go func() {
1744 config := testConfig.Clone()
1745 config.Certificates = []Certificate{cert}
1746 config.MinVersion = VersionTLS13
1747 server := Server(serverConn, config)
1748 err := server.Handshake()
1749 expectError(t, err, "key size too small")
1750 close(done)
1751 }()
1752 err = client.Handshake()
1753 expectError(t, err, "handshake failure")
1754 <-done
1755 }
1756
1757 func TestMultipleCertificates(t *testing.T) {
1758 clientConfig := testConfig.Clone()
1759 clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
1760 clientConfig.MaxVersion = VersionTLS12
1761
1762 serverConfig := testConfig.Clone()
1763 serverConfig.Certificates = []Certificate{{
1764 Certificate: [][]byte{testECDSACertificate},
1765 PrivateKey: testECDSAPrivateKey,
1766 }, {
1767 Certificate: [][]byte{testRSACertificate},
1768 PrivateKey: testRSAPrivateKey,
1769 }}
1770
1771 _, clientState, err := testHandshake(t, clientConfig, serverConfig)
1772 if err != nil {
1773 t.Fatal(err)
1774 }
1775 if got := clientState.PeerCertificates[0].PublicKeyAlgorithm; got != x509.RSA {
1776 t.Errorf("expected RSA certificate, got %v", got)
1777 }
1778 }
1779
1780 func TestAESCipherReordering(t *testing.T) {
1781 skipFIPS(t)
1782
1783 currentAESSupport := hasAESGCMHardwareSupport
1784 defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
1785
1786 tests := []struct {
1787 name string
1788 clientCiphers []uint16
1789 serverHasAESGCM bool
1790 serverCiphers []uint16
1791 expectedCipher uint16
1792 }{
1793 {
1794 name: "server has hardware AES, client doesn't (pick ChaCha)",
1795 clientCiphers: []uint16{
1796 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1797 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1798 TLS_RSA_WITH_AES_128_CBC_SHA,
1799 },
1800 serverHasAESGCM: true,
1801 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1802 },
1803 {
1804 name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)",
1805 clientCiphers: []uint16{
1806 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1807 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1808 TLS_RSA_WITH_AES_128_CBC_SHA,
1809 },
1810 serverHasAESGCM: false,
1811 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1812 },
1813 {
1814 name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
1815 clientCiphers: []uint16{
1816 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1817 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1818 TLS_RSA_WITH_AES_128_CBC_SHA,
1819 },
1820 serverHasAESGCM: true,
1821 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1822 },
1823 {
1824 name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)",
1825 clientCiphers: []uint16{
1826 0x0A0A,
1827 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1828 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1829 TLS_RSA_WITH_AES_128_CBC_SHA,
1830 },
1831 serverHasAESGCM: true,
1832 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1833 },
1834 {
1835 name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)",
1836 clientCiphers: []uint16{
1837 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1838 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1839 TLS_RSA_WITH_AES_128_CBC_SHA,
1840 },
1841 serverHasAESGCM: false,
1842 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1843 },
1844 {
1845 name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)",
1846 clientCiphers: []uint16{
1847 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1848 TLS_RSA_WITH_AES_128_CBC_SHA,
1849 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1850 },
1851 serverHasAESGCM: false,
1852 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1853 },
1854 {
1855 name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)",
1856 clientCiphers: []uint16{
1857 0x0A0A,
1858 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1859 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1860 TLS_RSA_WITH_AES_128_CBC_SHA,
1861 },
1862 serverHasAESGCM: false,
1863 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1864 },
1865 {
1866 name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (AES-GCM)",
1867 clientCiphers: []uint16{
1868 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1869 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1870 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1871 },
1872 serverHasAESGCM: false,
1873 serverCiphers: []uint16{
1874 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
1875 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1876 },
1877 expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1878 },
1879 {
1880 name: "client prefers AES-GCM, server has hardware but doesn't support AES (pick ChaCha)",
1881 clientCiphers: []uint16{
1882 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1883 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1884 TLS_RSA_WITH_AES_128_CBC_SHA,
1885 },
1886 serverHasAESGCM: true,
1887 serverCiphers: []uint16{
1888 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1889 },
1890 expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1891 },
1892 }
1893
1894 for _, tc := range tests {
1895 t.Run(tc.name, func(t *testing.T) {
1896 hasAESGCMHardwareSupport = tc.serverHasAESGCM
1897 hs := &serverHandshakeState{
1898 c: &Conn{
1899 config: &Config{
1900 CipherSuites: tc.serverCiphers,
1901 },
1902 vers: VersionTLS12,
1903 },
1904 clientHello: &clientHelloMsg{
1905 cipherSuites: tc.clientCiphers,
1906 vers: VersionTLS12,
1907 },
1908 ecdheOk: true,
1909 rsaSignOk: true,
1910 rsaDecryptOk: true,
1911 }
1912
1913 err := hs.pickCipherSuite()
1914 if err != nil {
1915 t.Errorf("pickCipherSuite failed: %s", err)
1916 }
1917
1918 if tc.expectedCipher != hs.suite.id {
1919 t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
1920 }
1921 })
1922 }
1923 }
1924
1925 func TestAESCipherReorderingTLS13(t *testing.T) {
1926 skipFIPS(t)
1927
1928 currentAESSupport := hasAESGCMHardwareSupport
1929 defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
1930
1931 tests := []struct {
1932 name string
1933 clientCiphers []uint16
1934 serverHasAESGCM bool
1935 expectedCipher uint16
1936 }{
1937 {
1938 name: "server has hardware AES, client doesn't (pick ChaCha)",
1939 clientCiphers: []uint16{
1940 TLS_CHACHA20_POLY1305_SHA256,
1941 TLS_AES_128_GCM_SHA256,
1942 },
1943 serverHasAESGCM: true,
1944 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1945 },
1946 {
1947 name: "neither server nor client have hardware AES (pick ChaCha)",
1948 clientCiphers: []uint16{
1949 TLS_CHACHA20_POLY1305_SHA256,
1950 TLS_AES_128_GCM_SHA256,
1951 },
1952 serverHasAESGCM: false,
1953 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1954 },
1955 {
1956 name: "client prefers AES, server doesn't have hardware (pick ChaCha)",
1957 clientCiphers: []uint16{
1958 TLS_AES_128_GCM_SHA256,
1959 TLS_CHACHA20_POLY1305_SHA256,
1960 },
1961 serverHasAESGCM: false,
1962 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1963 },
1964 {
1965 name: "client prefers AES and sends GREASE, server doesn't have hardware (pick ChaCha)",
1966 clientCiphers: []uint16{
1967 0x0A0A,
1968 TLS_AES_128_GCM_SHA256,
1969 TLS_CHACHA20_POLY1305_SHA256,
1970 },
1971 serverHasAESGCM: false,
1972 expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
1973 },
1974 {
1975 name: "client prefers AES, server has hardware AES (pick AES)",
1976 clientCiphers: []uint16{
1977 TLS_AES_128_GCM_SHA256,
1978 TLS_CHACHA20_POLY1305_SHA256,
1979 },
1980 serverHasAESGCM: true,
1981 expectedCipher: TLS_AES_128_GCM_SHA256,
1982 },
1983 {
1984 name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)",
1985 clientCiphers: []uint16{
1986 0x0A0A,
1987 TLS_AES_128_GCM_SHA256,
1988 TLS_CHACHA20_POLY1305_SHA256,
1989 },
1990 serverHasAESGCM: true,
1991 expectedCipher: TLS_AES_128_GCM_SHA256,
1992 },
1993 }
1994
1995 for _, tc := range tests {
1996 t.Run(tc.name, func(t *testing.T) {
1997 hasAESGCMHardwareSupport = tc.serverHasAESGCM
1998 pk, _ := ecdh.X25519().GenerateKey(rand.Reader)
1999 hs := &serverHandshakeStateTLS13{
2000 c: &Conn{
2001 config: &Config{},
2002 vers: VersionTLS13,
2003 },
2004 clientHello: &clientHelloMsg{
2005 cipherSuites: tc.clientCiphers,
2006 supportedVersions: []uint16{VersionTLS13},
2007 compressionMethods: []uint8{compressionNone},
2008 keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
2009 supportedCurves: []CurveID{X25519},
2010 },
2011 }
2012
2013 err := hs.processClientHello()
2014 if err != nil {
2015 t.Errorf("pickCipherSuite failed: %s", err)
2016 }
2017
2018 if tc.expectedCipher != hs.suite.id {
2019 t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
2020 }
2021 })
2022 }
2023 }
2024
2025
2026
2027
2028 func TestServerHandshakeContextCancellation(t *testing.T) {
2029 c, s := localPipe(t)
2030 ctx, cancel := context.WithCancel(context.Background())
2031 unblockClient := make(chan struct{})
2032 defer close(unblockClient)
2033 go func() {
2034 cancel()
2035 <-unblockClient
2036 _ = c.Close()
2037 }()
2038 conn := Server(s, testConfig)
2039
2040
2041 err := conn.HandshakeContext(ctx)
2042 if err == nil {
2043 t.Fatal("Server handshake did not error when the context was canceled")
2044 }
2045 if err != context.Canceled {
2046 t.Errorf("Unexpected server handshake error: %v", err)
2047 }
2048 if runtime.GOARCH == "wasm" {
2049 t.Skip("conn.Close does not error as expected when called multiple times on WASM")
2050 }
2051 err = conn.Close()
2052 if err == nil {
2053 t.Error("Server connection was not closed when the context was canceled")
2054 }
2055 }
2056
2057
2058
2059
2060
2061
2062 func TestHandshakeContextHierarchy(t *testing.T) {
2063 c, s := localPipe(t)
2064 clientErr := make(chan error, 1)
2065 clientConfig := testConfig.Clone()
2066 serverConfig := testConfig.Clone()
2067 ctx, cancel := context.WithCancel(context.Background())
2068 defer cancel()
2069 key := struct{}{}
2070 ctx = context.WithValue(ctx, key, true)
2071 go func() {
2072 defer close(clientErr)
2073 defer c.Close()
2074 var innerCtx context.Context
2075 clientConfig.Certificates = nil
2076 clientConfig.GetClientCertificate = func(certificateRequest *CertificateRequestInfo) (*Certificate, error) {
2077 if val, ok := certificateRequest.Context().Value(key).(bool); !ok || !val {
2078 t.Errorf("GetClientCertificate context was not child of HandshakeContext")
2079 }
2080 innerCtx = certificateRequest.Context()
2081 return &Certificate{
2082 Certificate: [][]byte{testRSACertificate},
2083 PrivateKey: testRSAPrivateKey,
2084 }, nil
2085 }
2086 cli := Client(c, clientConfig)
2087 err := cli.HandshakeContext(ctx)
2088 if err != nil {
2089 clientErr <- err
2090 return
2091 }
2092 select {
2093 case <-innerCtx.Done():
2094 default:
2095 t.Errorf("GetClientCertificate context was not canceled after HandshakeContext returned.")
2096 }
2097 }()
2098 var innerCtx context.Context
2099 serverConfig.Certificates = nil
2100 serverConfig.ClientAuth = RequestClientCert
2101 serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
2102 if val, ok := clientHello.Context().Value(key).(bool); !ok || !val {
2103 t.Errorf("GetClientCertificate context was not child of HandshakeContext")
2104 }
2105 innerCtx = clientHello.Context()
2106 return &Certificate{
2107 Certificate: [][]byte{testRSACertificate},
2108 PrivateKey: testRSAPrivateKey,
2109 }, nil
2110 }
2111 conn := Server(s, serverConfig)
2112 err := conn.HandshakeContext(ctx)
2113 if err != nil {
2114 t.Errorf("Unexpected server handshake error: %v", err)
2115 }
2116 select {
2117 case <-innerCtx.Done():
2118 default:
2119 t.Errorf("GetCertificate context was not canceled after HandshakeContext returned.")
2120 }
2121 if err := <-clientErr; err != nil {
2122 t.Errorf("Unexpected client error: %v", err)
2123 }
2124 }
2125
View as plain text