Source file src/crypto/tls/handshake_server_test.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"crypto"
    11  	"crypto/ecdh"
    12  	"crypto/elliptic"
    13  	"crypto/rand"
    14  	"crypto/tls/internal/fips140tls"
    15  	"crypto/x509"
    16  	"encoding/pem"
    17  	"errors"
    18  	"fmt"
    19  	"io"
    20  	"net"
    21  	"os"
    22  	"os/exec"
    23  	"path/filepath"
    24  	"runtime"
    25  	"slices"
    26  	"strings"
    27  	"sync/atomic"
    28  	"testing"
    29  	"time"
    30  )
    31  
    32  func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
    33  	t.Helper()
    34  	testClientHelloFailure(t, serverConfig, m, "")
    35  }
    36  
    37  // testFatal is a hack to prevent the compiler from complaining that there is a
    38  // call to t.Fatal from a non-test goroutine
    39  func testFatal(t *testing.T, err error) {
    40  	t.Helper()
    41  	t.Fatal(err)
    42  }
    43  
    44  func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
    45  	c, s := localPipe(t)
    46  	go func() {
    47  		cli := Client(c, testConfig)
    48  		if ch, ok := m.(*clientHelloMsg); ok {
    49  			cli.vers = ch.vers
    50  		}
    51  		if _, err := cli.writeHandshakeRecord(m, nil); err != nil {
    52  			testFatal(t, err)
    53  		}
    54  		c.Close()
    55  	}()
    56  	ctx := context.Background()
    57  	conn := Server(s, serverConfig)
    58  	ch, ech, err := conn.readClientHello(ctx)
    59  	if conn.vers == VersionTLS13 {
    60  		hs := serverHandshakeStateTLS13{
    61  			c:           conn,
    62  			ctx:         ctx,
    63  			clientHello: ch,
    64  			echContext:  ech,
    65  		}
    66  		if err == nil {
    67  			err = hs.processClientHello()
    68  		}
    69  		if err == nil {
    70  			err = hs.checkForResumption()
    71  		}
    72  		if err == nil {
    73  			err = hs.pickCertificate()
    74  		}
    75  	} else {
    76  		hs := serverHandshakeState{
    77  			c:           conn,
    78  			ctx:         ctx,
    79  			clientHello: ch,
    80  		}
    81  		if err == nil {
    82  			err = hs.processClientHello()
    83  		}
    84  		if err == nil {
    85  			err = hs.pickCipherSuite()
    86  		}
    87  	}
    88  	s.Close()
    89  	t.Helper()
    90  	if len(expectedSubStr) == 0 {
    91  		if err != nil && err != io.EOF {
    92  			t.Errorf("Got error: %s; expected to succeed", err)
    93  		}
    94  	} else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
    95  		t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
    96  	}
    97  }
    98  
    99  func TestSimpleError(t *testing.T) {
   100  	testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
   101  }
   102  
   103  var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}
   104  
   105  func TestRejectBadProtocolVersion(t *testing.T) {
   106  	config := testConfig.Clone()
   107  	config.MinVersion = VersionSSL30
   108  	for _, v := range badProtocolVersions {
   109  		testClientHelloFailure(t, config, &clientHelloMsg{
   110  			vers:   v,
   111  			random: make([]byte, 32),
   112  		}, "unsupported versions")
   113  	}
   114  	testClientHelloFailure(t, config, &clientHelloMsg{
   115  		vers:              VersionTLS12,
   116  		supportedVersions: badProtocolVersions,
   117  		random:            make([]byte, 32),
   118  	}, "unsupported versions")
   119  }
   120  
   121  func TestNoSuiteOverlap(t *testing.T) {
   122  	clientHello := &clientHelloMsg{
   123  		vers:               VersionTLS12,
   124  		random:             make([]byte, 32),
   125  		cipherSuites:       []uint16{0xff00},
   126  		compressionMethods: []uint8{compressionNone},
   127  	}
   128  	testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
   129  }
   130  
   131  func TestNoCompressionOverlap(t *testing.T) {
   132  	clientHello := &clientHelloMsg{
   133  		vers:               VersionTLS12,
   134  		random:             make([]byte, 32),
   135  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
   136  		compressionMethods: []uint8{0xff},
   137  	}
   138  	testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
   139  }
   140  
   141  func TestNoRC4ByDefault(t *testing.T) {
   142  	clientHello := &clientHelloMsg{
   143  		vers:               VersionTLS12,
   144  		random:             make([]byte, 32),
   145  		cipherSuites:       []uint16{TLS_RSA_WITH_RC4_128_SHA},
   146  		compressionMethods: []uint8{compressionNone},
   147  	}
   148  	serverConfig := testConfig.Clone()
   149  	// Reset the enabled cipher suites to nil in order to test the
   150  	// defaults.
   151  	serverConfig.CipherSuites = nil
   152  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   153  }
   154  
   155  func TestRejectSNIWithTrailingDot(t *testing.T) {
   156  	testClientHelloFailure(t, testConfig, &clientHelloMsg{
   157  		vers:       VersionTLS12,
   158  		random:     make([]byte, 32),
   159  		serverName: "foo.com.",
   160  	}, "unexpected message")
   161  }
   162  
   163  func TestDontSelectECDSAWithRSAKey(t *testing.T) {
   164  	// Test that, even when both sides support an ECDSA cipher suite, it
   165  	// won't be selected if the server's private key doesn't support it.
   166  	clientHello := &clientHelloMsg{
   167  		vers:               VersionTLS12,
   168  		random:             make([]byte, 32),
   169  		cipherSuites:       []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
   170  		compressionMethods: []uint8{compressionNone},
   171  		supportedCurves:    []CurveID{CurveP256},
   172  		supportedPoints:    []uint8{pointFormatUncompressed},
   173  	}
   174  	serverConfig := testConfig.Clone()
   175  	serverConfig.CipherSuites = clientHello.cipherSuites
   176  	serverConfig.Certificates = make([]Certificate, 1)
   177  	serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   178  	serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   179  	serverConfig.BuildNameToCertificate()
   180  	// First test that it *does* work when the server's key is ECDSA.
   181  	testClientHello(t, serverConfig, clientHello)
   182  
   183  	// Now test that switching to an RSA key causes the expected error (and
   184  	// not an internal error about a signing failure).
   185  	serverConfig.Certificates = testConfig.Certificates
   186  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   187  }
   188  
   189  func TestDontSelectRSAWithECDSAKey(t *testing.T) {
   190  	// Test that, even when both sides support an RSA cipher suite, it
   191  	// won't be selected if the server's private key doesn't support it.
   192  	clientHello := &clientHelloMsg{
   193  		vers:               VersionTLS12,
   194  		random:             make([]byte, 32),
   195  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
   196  		compressionMethods: []uint8{compressionNone},
   197  		supportedCurves:    []CurveID{CurveP256},
   198  		supportedPoints:    []uint8{pointFormatUncompressed},
   199  	}
   200  	serverConfig := testConfig.Clone()
   201  	serverConfig.CipherSuites = clientHello.cipherSuites
   202  	// First test that it *does* work when the server's key is RSA.
   203  	testClientHello(t, serverConfig, clientHello)
   204  
   205  	// Now test that switching to an ECDSA key causes the expected error
   206  	// (and not an internal error about a signing failure).
   207  	serverConfig.Certificates = make([]Certificate, 1)
   208  	serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   209  	serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
   210  	serverConfig.BuildNameToCertificate()
   211  	testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
   212  }
   213  
   214  func TestRenegotiationExtension(t *testing.T) {
   215  	skipFIPS(t) // #70505
   216  
   217  	clientHello := &clientHelloMsg{
   218  		vers:                         VersionTLS12,
   219  		compressionMethods:           []uint8{compressionNone},
   220  		random:                       make([]byte, 32),
   221  		secureRenegotiationSupported: true,
   222  		cipherSuites:                 []uint16{TLS_RSA_WITH_RC4_128_SHA},
   223  	}
   224  
   225  	bufChan := make(chan []byte, 1)
   226  	c, s := localPipe(t)
   227  
   228  	go func() {
   229  		cli := Client(c, testConfig)
   230  		cli.vers = clientHello.vers
   231  		if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
   232  			testFatal(t, err)
   233  		}
   234  
   235  		buf := make([]byte, 1024)
   236  		n, err := c.Read(buf)
   237  		if err != nil {
   238  			t.Errorf("Server read returned error: %s", err)
   239  			return
   240  		}
   241  		c.Close()
   242  		bufChan <- buf[:n]
   243  	}()
   244  
   245  	Server(s, testConfig).Handshake()
   246  	buf := <-bufChan
   247  
   248  	if len(buf) < 5+4 {
   249  		t.Fatalf("Server returned short message of length %d", len(buf))
   250  	}
   251  	// buf contains a TLS record, with a 5 byte record header and a 4 byte
   252  	// handshake header. The length of the ServerHello is taken from the
   253  	// handshake header.
   254  	serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8])
   255  
   256  	var serverHello serverHelloMsg
   257  	// unmarshal expects to be given the handshake header, but
   258  	// serverHelloLen doesn't include it.
   259  	if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) {
   260  		t.Fatalf("Failed to parse ServerHello")
   261  	}
   262  
   263  	if !serverHello.secureRenegotiationSupported {
   264  		t.Errorf("Secure renegotiation extension was not echoed.")
   265  	}
   266  }
   267  
   268  func TestTLS12OnlyCipherSuites(t *testing.T) {
   269  	skipFIPS(t) // No TLS 1.1 in FIPS mode.
   270  
   271  	// Test that a Server doesn't select a TLS 1.2-only cipher suite when
   272  	// the client negotiates TLS 1.1.
   273  	clientHello := &clientHelloMsg{
   274  		vers:   VersionTLS11,
   275  		random: make([]byte, 32),
   276  		cipherSuites: []uint16{
   277  			// The Server, by default, will use the client's
   278  			// preference order. So the GCM cipher suite
   279  			// will be selected unless it's excluded because
   280  			// of the version in this ClientHello.
   281  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   282  			TLS_RSA_WITH_RC4_128_SHA,
   283  		},
   284  		compressionMethods: []uint8{compressionNone},
   285  		supportedCurves:    []CurveID{CurveP256, CurveP384, CurveP521},
   286  		supportedPoints:    []uint8{pointFormatUncompressed},
   287  	}
   288  
   289  	c, s := localPipe(t)
   290  	replyChan := make(chan any)
   291  	go func() {
   292  		cli := Client(c, testConfig)
   293  		cli.vers = clientHello.vers
   294  		if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
   295  			testFatal(t, err)
   296  		}
   297  		reply, err := cli.readHandshake(nil)
   298  		c.Close()
   299  		if err != nil {
   300  			replyChan <- err
   301  		} else {
   302  			replyChan <- reply
   303  		}
   304  	}()
   305  	config := testConfig.Clone()
   306  	config.CipherSuites = clientHello.cipherSuites
   307  	Server(s, config).Handshake()
   308  	s.Close()
   309  	reply := <-replyChan
   310  	if err, ok := reply.(error); ok {
   311  		t.Fatal(err)
   312  	}
   313  	serverHello, ok := reply.(*serverHelloMsg)
   314  	if !ok {
   315  		t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
   316  	}
   317  	if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA {
   318  		t.Fatalf("bad cipher suite from server: %x", s)
   319  	}
   320  }
   321  
   322  func TestTLSPointFormats(t *testing.T) {
   323  	// Test that a Server returns the ec_point_format extension when ECC is
   324  	// negotiated, and not on a RSA handshake or if ec_point_format is missing.
   325  	tests := []struct {
   326  		name                string
   327  		cipherSuites        []uint16
   328  		supportedCurves     []CurveID
   329  		supportedPoints     []uint8
   330  		wantSupportedPoints bool
   331  	}{
   332  		{"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true},
   333  		{"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, nil, false},
   334  		{"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true},
   335  		{"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
   336  		{"RSA with ec_point_format", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, []uint8{pointFormatUncompressed}, false},
   337  	}
   338  	for _, tt := range tests {
   339  		// The RSA subtests should be enabled for FIPS 140 required mode: #70505
   340  		if strings.HasPrefix(tt.name, "RSA") && fips140tls.Required() {
   341  			t.Logf("skipping in FIPS mode.")
   342  			continue
   343  		}
   344  		t.Run(tt.name, func(t *testing.T) {
   345  			clientHello := &clientHelloMsg{
   346  				vers:               VersionTLS12,
   347  				random:             make([]byte, 32),
   348  				cipherSuites:       tt.cipherSuites,
   349  				compressionMethods: []uint8{compressionNone},
   350  				supportedCurves:    tt.supportedCurves,
   351  				supportedPoints:    tt.supportedPoints,
   352  			}
   353  
   354  			c, s := localPipe(t)
   355  			replyChan := make(chan any)
   356  			go func() {
   357  				clientConfig := testConfig.Clone()
   358  				clientConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
   359  				cli := Client(c, clientConfig)
   360  				cli.vers = clientHello.vers
   361  				if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
   362  					testFatal(t, err)
   363  				}
   364  				reply, err := cli.readHandshake(nil)
   365  				c.Close()
   366  				if err != nil {
   367  					replyChan <- err
   368  				} else {
   369  					replyChan <- reply
   370  				}
   371  			}()
   372  			serverConfig := testConfig.Clone()
   373  			serverConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
   374  			serverConfig.CipherSuites = clientHello.cipherSuites
   375  			Server(s, serverConfig).Handshake()
   376  			s.Close()
   377  			reply := <-replyChan
   378  			if err, ok := reply.(error); ok {
   379  				t.Fatal(err)
   380  			}
   381  			serverHello, ok := reply.(*serverHelloMsg)
   382  			if !ok {
   383  				t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
   384  			}
   385  			if tt.wantSupportedPoints {
   386  				if !bytes.Equal(serverHello.supportedPoints, []uint8{pointFormatUncompressed}) {
   387  					t.Fatal("incorrect ec_point_format extension from server")
   388  				}
   389  			} else {
   390  				if len(serverHello.supportedPoints) != 0 {
   391  					t.Fatalf("unexpected ec_point_format extension from server: %v", serverHello.supportedPoints)
   392  				}
   393  			}
   394  		})
   395  	}
   396  }
   397  
   398  func TestAlertForwarding(t *testing.T) {
   399  	c, s := localPipe(t)
   400  	go func() {
   401  		Client(c, testConfig).sendAlert(alertUnknownCA)
   402  		c.Close()
   403  	}()
   404  
   405  	err := Server(s, testConfig).Handshake()
   406  	s.Close()
   407  	var opErr *net.OpError
   408  	if !errors.As(err, &opErr) || opErr.Err != error(alertUnknownCA) {
   409  		t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
   410  	}
   411  }
   412  
   413  func TestClose(t *testing.T) {
   414  	c, s := localPipe(t)
   415  	go c.Close()
   416  
   417  	err := Server(s, testConfig).Handshake()
   418  	s.Close()
   419  	if err != io.EOF {
   420  		t.Errorf("Got error: %s; expected: %s", err, io.EOF)
   421  	}
   422  }
   423  
   424  func TestVersion(t *testing.T) {
   425  	serverConfig := &Config{
   426  		Certificates: testConfig.Certificates,
   427  		MaxVersion:   VersionTLS13,
   428  	}
   429  	clientConfig := &Config{
   430  		InsecureSkipVerify: true,
   431  		MinVersion:         VersionTLS12,
   432  	}
   433  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   434  	if err != nil {
   435  		t.Fatalf("handshake failed: %s", err)
   436  	}
   437  	if state.Version != VersionTLS13 {
   438  		t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11)
   439  	}
   440  
   441  	clientConfig.MinVersion = 0
   442  	serverConfig.MaxVersion = VersionTLS11
   443  	_, _, err = testHandshake(t, clientConfig, serverConfig)
   444  	if err == nil {
   445  		t.Fatalf("expected failure to connect with TLS 1.0/1.1")
   446  	}
   447  }
   448  
   449  func TestCipherSuitePreference(t *testing.T) {
   450  	skipFIPS(t) // No RC4 or CHACHA20_POLY1305 in FIPS mode.
   451  
   452  	serverConfig := &Config{
   453  		CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
   454  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
   455  		Certificates: testConfig.Certificates,
   456  		MaxVersion:   VersionTLS12,
   457  		GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
   458  			if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
   459  				t.Error("the advertised order should not depend on Config.CipherSuites")
   460  			}
   461  			if len(chi.CipherSuites) != 2+len(defaultCipherSuitesTLS13) {
   462  				t.Error("the advertised TLS 1.2 suites should be filtered by Config.CipherSuites")
   463  			}
   464  			return nil, nil
   465  		},
   466  	}
   467  	clientConfig := &Config{
   468  		CipherSuites:       []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
   469  		InsecureSkipVerify: true,
   470  	}
   471  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   472  	if err != nil {
   473  		t.Fatalf("handshake failed: %s", err)
   474  	}
   475  	if state.CipherSuite != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
   476  		t.Error("the preference order should not depend on Config.CipherSuites")
   477  	}
   478  }
   479  
   480  func TestSCTHandshake(t *testing.T) {
   481  	t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) })
   482  	t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) })
   483  }
   484  
   485  func testSCTHandshake(t *testing.T, version uint16) {
   486  	expected := [][]byte{[]byte("certificate"), []byte("transparency")}
   487  	serverConfig := &Config{
   488  		Certificates: []Certificate{{
   489  			Certificate:                 [][]byte{testRSACertificate},
   490  			PrivateKey:                  testRSAPrivateKey,
   491  			SignedCertificateTimestamps: expected,
   492  		}},
   493  		MaxVersion: version,
   494  	}
   495  	clientConfig := &Config{
   496  		InsecureSkipVerify: true,
   497  	}
   498  	_, state, err := testHandshake(t, clientConfig, serverConfig)
   499  	if err != nil {
   500  		t.Fatalf("handshake failed: %s", err)
   501  	}
   502  	actual := state.SignedCertificateTimestamps
   503  	if len(actual) != len(expected) {
   504  		t.Fatalf("got %d scts, want %d", len(actual), len(expected))
   505  	}
   506  	for i, sct := range expected {
   507  		if !bytes.Equal(sct, actual[i]) {
   508  			t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct)
   509  		}
   510  	}
   511  }
   512  
   513  func TestCrossVersionResume(t *testing.T) {
   514  	t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) })
   515  	t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) })
   516  }
   517  
   518  func testCrossVersionResume(t *testing.T, version uint16) {
   519  	serverConfig := &Config{
   520  		CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
   521  		Certificates: testConfig.Certificates,
   522  		Time:         testTime,
   523  	}
   524  	clientConfig := &Config{
   525  		CipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
   526  		InsecureSkipVerify: true,
   527  		ClientSessionCache: NewLRUClientSessionCache(1),
   528  		ServerName:         "servername",
   529  		MinVersion:         VersionTLS12,
   530  		Time:               testTime,
   531  	}
   532  
   533  	// Establish a session at TLS 1.3.
   534  	clientConfig.MaxVersion = VersionTLS13
   535  	_, _, err := testHandshake(t, clientConfig, serverConfig)
   536  	if err != nil {
   537  		t.Fatalf("handshake failed: %s", err)
   538  	}
   539  
   540  	// The client session cache now contains a TLS 1.3 session.
   541  	state, _, err := testHandshake(t, clientConfig, serverConfig)
   542  	if err != nil {
   543  		t.Fatalf("handshake failed: %s", err)
   544  	}
   545  	if !state.DidResume {
   546  		t.Fatalf("handshake did not resume at the same version")
   547  	}
   548  
   549  	// Test that the server will decline to resume at a lower version.
   550  	clientConfig.MaxVersion = VersionTLS12
   551  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   552  	if err != nil {
   553  		t.Fatalf("handshake failed: %s", err)
   554  	}
   555  	if state.DidResume {
   556  		t.Fatalf("handshake resumed at a lower version")
   557  	}
   558  
   559  	// The client session cache now contains a TLS 1.2 session.
   560  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   561  	if err != nil {
   562  		t.Fatalf("handshake failed: %s", err)
   563  	}
   564  	if !state.DidResume {
   565  		t.Fatalf("handshake did not resume at the same version")
   566  	}
   567  
   568  	// Test that the server will decline to resume at a higher version.
   569  	clientConfig.MaxVersion = VersionTLS13
   570  	state, _, err = testHandshake(t, clientConfig, serverConfig)
   571  	if err != nil {
   572  		t.Fatalf("handshake failed: %s", err)
   573  	}
   574  	if state.DidResume {
   575  		t.Fatalf("handshake resumed at a higher version")
   576  	}
   577  }
   578  
   579  // Note: see comment in handshake_test.go for details of how the reference
   580  // tests work.
   581  
   582  // serverTest represents a test of the TLS server handshake against a reference
   583  // implementation.
   584  type serverTest struct {
   585  	// name is a freeform string identifying the test and the file in which
   586  	// the expected results will be stored.
   587  	name string
   588  	// command, if not empty, contains a series of arguments for the
   589  	// command to run for the reference server.
   590  	command []string
   591  	// expectedPeerCerts contains a list of PEM blocks of expected
   592  	// certificates from the client.
   593  	expectedPeerCerts []string
   594  	// config, if not nil, contains a custom Config to use for this test.
   595  	config *Config
   596  	// expectHandshakeErrorIncluding, when not empty, contains a string
   597  	// that must be a substring of the error resulting from the handshake.
   598  	expectHandshakeErrorIncluding string
   599  	// validate, if not nil, is a function that will be called with the
   600  	// ConnectionState of the resulting connection. It returns false if the
   601  	// ConnectionState is unacceptable.
   602  	validate func(ConnectionState) error
   603  	// wait, if true, prevents this subtest from calling t.Parallel.
   604  	// If false, runServerTest* returns immediately.
   605  	wait bool
   606  }
   607  
   608  var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
   609  
   610  // connFromCommand starts opens a listening socket and starts the reference
   611  // client to connect to it. It returns a recordingConn that wraps the resulting
   612  // connection.
   613  func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) {
   614  	l, err := net.ListenTCP("tcp", &net.TCPAddr{
   615  		IP:   net.IPv4(127, 0, 0, 1),
   616  		Port: 0,
   617  	})
   618  	if err != nil {
   619  		return nil, nil, err
   620  	}
   621  	defer l.Close()
   622  
   623  	port := l.Addr().(*net.TCPAddr).Port
   624  
   625  	var command []string
   626  	command = append(command, test.command...)
   627  	if len(command) == 0 {
   628  		command = defaultClientCommand
   629  	}
   630  	command = append(command, "-connect")
   631  	command = append(command, fmt.Sprintf("127.0.0.1:%d", port))
   632  	cmd := exec.Command(command[0], command[1:]...)
   633  	cmd.Stdin = nil
   634  	var output bytes.Buffer
   635  	cmd.Stdout = &output
   636  	cmd.Stderr = &output
   637  	if err := cmd.Start(); err != nil {
   638  		return nil, nil, err
   639  	}
   640  
   641  	connChan := make(chan any, 1)
   642  	go func() {
   643  		tcpConn, err := l.Accept()
   644  		if err != nil {
   645  			connChan <- err
   646  			return
   647  		}
   648  		connChan <- tcpConn
   649  	}()
   650  
   651  	var tcpConn net.Conn
   652  	select {
   653  	case connOrError := <-connChan:
   654  		if err, ok := connOrError.(error); ok {
   655  			return nil, nil, err
   656  		}
   657  		tcpConn = connOrError.(net.Conn)
   658  	case <-time.After(2 * time.Second):
   659  		return nil, nil, errors.New("timed out waiting for connection from child process")
   660  	}
   661  
   662  	record := &recordingConn{
   663  		Conn: tcpConn,
   664  	}
   665  
   666  	return record, cmd, nil
   667  }
   668  
   669  func (test *serverTest) dataPath() string {
   670  	return filepath.Join("testdata", "Server-"+test.name)
   671  }
   672  
   673  func (test *serverTest) loadData() (flows [][]byte, err error) {
   674  	in, err := os.Open(test.dataPath())
   675  	if err != nil {
   676  		return nil, err
   677  	}
   678  	defer in.Close()
   679  	return parseTestData(in)
   680  }
   681  
   682  func (test *serverTest) run(t *testing.T, write bool) {
   683  	var serverConn net.Conn
   684  	var recordingConn *recordingConn
   685  	var childProcess *exec.Cmd
   686  
   687  	if write {
   688  		var err error
   689  		recordingConn, childProcess, err = test.connFromCommand()
   690  		if err != nil {
   691  			t.Fatalf("Failed to start subcommand: %s", err)
   692  		}
   693  		serverConn = recordingConn
   694  		defer func() {
   695  			if t.Failed() {
   696  				t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout)
   697  			}
   698  		}()
   699  	} else {
   700  		flows, err := test.loadData()
   701  		if err != nil {
   702  			t.Fatalf("Failed to load data from %s", test.dataPath())
   703  		}
   704  		serverConn = &replayingConn{t: t, flows: flows, reading: true}
   705  	}
   706  	config := test.config
   707  	if config == nil {
   708  		config = testConfig
   709  	}
   710  	server := Server(serverConn, config)
   711  
   712  	_, err := server.Write([]byte("hello, world\n"))
   713  	if len(test.expectHandshakeErrorIncluding) > 0 {
   714  		if err == nil {
   715  			t.Errorf("Error expected, but no error returned")
   716  		} else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {
   717  			t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)
   718  		}
   719  	} else {
   720  		if err != nil {
   721  			t.Logf("Error from Server.Write: '%s'", err)
   722  		}
   723  	}
   724  	server.Close()
   725  
   726  	connState := server.ConnectionState()
   727  	peerCerts := connState.PeerCertificates
   728  	if len(peerCerts) == len(test.expectedPeerCerts) {
   729  		for i, peerCert := range peerCerts {
   730  			block, _ := pem.Decode([]byte(test.expectedPeerCerts[i]))
   731  			if !bytes.Equal(block.Bytes, peerCert.Raw) {
   732  				t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1)
   733  			}
   734  		}
   735  	} else {
   736  		t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts))
   737  	}
   738  
   739  	if test.validate != nil {
   740  		if err := test.validate(connState); err != nil {
   741  			t.Fatalf("validate callback returned error: %s", err)
   742  		}
   743  	}
   744  
   745  	if write {
   746  		serverConn.Close()
   747  		path := test.dataPath()
   748  		out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
   749  		if err != nil {
   750  			t.Fatalf("Failed to create output file: %s", err)
   751  		}
   752  		defer out.Close()
   753  		recordingConn.Close()
   754  		if len(recordingConn.flows) < 3 {
   755  			if len(test.expectHandshakeErrorIncluding) == 0 {
   756  				t.Fatalf("Handshake failed")
   757  			}
   758  		}
   759  		recordingConn.WriteTo(out)
   760  		t.Logf("Wrote %s\n", path)
   761  		childProcess.Wait()
   762  	}
   763  }
   764  
   765  func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
   766  	// Make a deep copy of the template before going parallel.
   767  	test := *template
   768  	if template.config != nil {
   769  		test.config = template.config.Clone()
   770  	}
   771  	test.name = version + "-" + test.name
   772  	if len(test.command) == 0 {
   773  		test.command = defaultClientCommand
   774  	}
   775  	test.command = append([]string(nil), test.command...)
   776  	test.command = append(test.command, option)
   777  
   778  	runTestAndUpdateIfNeeded(t, version, test.run, test.wait)
   779  }
   780  
   781  func runServerTestTLS10(t *testing.T, template *serverTest) {
   782  	runServerTestForVersion(t, template, "TLSv10", "-tls1")
   783  }
   784  
   785  func runServerTestTLS11(t *testing.T, template *serverTest) {
   786  	runServerTestForVersion(t, template, "TLSv11", "-tls1_1")
   787  }
   788  
   789  func runServerTestTLS12(t *testing.T, template *serverTest) {
   790  	runServerTestForVersion(t, template, "TLSv12", "-tls1_2")
   791  }
   792  
   793  func runServerTestTLS13(t *testing.T, template *serverTest) {
   794  	runServerTestForVersion(t, template, "TLSv13", "-tls1_3")
   795  }
   796  
   797  func TestHandshakeServerRSARC4(t *testing.T) {
   798  	test := &serverTest{
   799  		name:    "RSA-RC4",
   800  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},
   801  	}
   802  	runServerTestTLS10(t, test)
   803  	runServerTestTLS11(t, test)
   804  	runServerTestTLS12(t, test)
   805  }
   806  
   807  func TestHandshakeServerRSA3DES(t *testing.T) {
   808  	test := &serverTest{
   809  		name:    "RSA-3DES",
   810  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"},
   811  	}
   812  	runServerTestTLS10(t, test)
   813  	runServerTestTLS12(t, test)
   814  }
   815  
   816  func TestHandshakeServerRSAAES(t *testing.T) {
   817  	test := &serverTest{
   818  		name:    "RSA-AES",
   819  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
   820  	}
   821  	runServerTestTLS10(t, test)
   822  	runServerTestTLS12(t, test)
   823  }
   824  
   825  func TestHandshakeServerAESGCM(t *testing.T) {
   826  	test := &serverTest{
   827  		name:    "RSA-AES-GCM",
   828  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
   829  	}
   830  	runServerTestTLS12(t, test)
   831  }
   832  
   833  func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
   834  	test := &serverTest{
   835  		name:    "RSA-AES256-GCM-SHA384",
   836  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"},
   837  	}
   838  	runServerTestTLS12(t, test)
   839  }
   840  
   841  func TestHandshakeServerAES128SHA256(t *testing.T) {
   842  	test := &serverTest{
   843  		name:    "AES128-SHA256",
   844  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
   845  	}
   846  	runServerTestTLS13(t, test)
   847  }
   848  func TestHandshakeServerAES256SHA384(t *testing.T) {
   849  	test := &serverTest{
   850  		name:    "AES256-SHA384",
   851  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
   852  	}
   853  	runServerTestTLS13(t, test)
   854  }
   855  func TestHandshakeServerCHACHA20SHA256(t *testing.T) {
   856  	test := &serverTest{
   857  		name:    "CHACHA20-SHA256",
   858  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   859  	}
   860  	runServerTestTLS13(t, test)
   861  }
   862  
   863  func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
   864  	config := testConfig.Clone()
   865  	config.Certificates = make([]Certificate, 1)
   866  	config.Certificates[0].Certificate = [][]byte{testECDSACertificate}
   867  	config.Certificates[0].PrivateKey = testECDSAPrivateKey
   868  	config.BuildNameToCertificate()
   869  
   870  	test := &serverTest{
   871  		name:    "ECDHE-ECDSA-AES",
   872  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
   873  		config:  config,
   874  	}
   875  	runServerTestTLS10(t, test)
   876  	runServerTestTLS12(t, test)
   877  	runServerTestTLS13(t, test)
   878  }
   879  
   880  func TestHandshakeServerX25519(t *testing.T) {
   881  	config := testConfig.Clone()
   882  	config.CurvePreferences = []CurveID{X25519}
   883  
   884  	test := &serverTest{
   885  		name:    "X25519",
   886  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"},
   887  		config:  config,
   888  	}
   889  	runServerTestTLS12(t, test)
   890  	runServerTestTLS13(t, test)
   891  }
   892  
   893  func TestHandshakeServerP256(t *testing.T) {
   894  	config := testConfig.Clone()
   895  	config.CurvePreferences = []CurveID{CurveP256}
   896  
   897  	test := &serverTest{
   898  		name:    "P256",
   899  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"},
   900  		config:  config,
   901  	}
   902  	runServerTestTLS12(t, test)
   903  	runServerTestTLS13(t, test)
   904  }
   905  
   906  func TestHandshakeServerHelloRetryRequest(t *testing.T) {
   907  	config := testConfig.Clone()
   908  	config.CurvePreferences = []CurveID{CurveP256}
   909  
   910  	test := &serverTest{
   911  		name:    "HelloRetryRequest",
   912  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"},
   913  		config:  config,
   914  		validate: func(cs ConnectionState) error {
   915  			if !cs.testingOnlyDidHRR {
   916  				return errors.New("expected HelloRetryRequest")
   917  			}
   918  			return nil
   919  		},
   920  	}
   921  	runServerTestTLS13(t, test)
   922  }
   923  
   924  // TestHandshakeServerKeySharePreference checks that we prefer a key share even
   925  // if it's later in the CurvePreferences order.
   926  func TestHandshakeServerKeySharePreference(t *testing.T) {
   927  	config := testConfig.Clone()
   928  	config.CurvePreferences = []CurveID{X25519, CurveP256}
   929  
   930  	test := &serverTest{
   931  		name:    "KeySharePreference",
   932  		command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256:X25519"},
   933  		config:  config,
   934  		validate: func(cs ConnectionState) error {
   935  			if cs.testingOnlyDidHRR {
   936  				return errors.New("unexpected HelloRetryRequest")
   937  			}
   938  			return nil
   939  		},
   940  	}
   941  	runServerTestTLS13(t, test)
   942  }
   943  
   944  func TestHandshakeServerALPN(t *testing.T) {
   945  	config := testConfig.Clone()
   946  	config.NextProtos = []string{"proto1", "proto2"}
   947  
   948  	test := &serverTest{
   949  		name: "ALPN",
   950  		// Note that this needs OpenSSL 1.0.2 because that is the first
   951  		// version that supports the -alpn flag.
   952  		command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   953  		config:  config,
   954  		validate: func(state ConnectionState) error {
   955  			// The server's preferences should override the client.
   956  			if state.NegotiatedProtocol != "proto1" {
   957  				return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
   958  			}
   959  			return nil
   960  		},
   961  	}
   962  	runServerTestTLS12(t, test)
   963  	runServerTestTLS13(t, test)
   964  }
   965  
   966  func TestHandshakeServerALPNNoMatch(t *testing.T) {
   967  	config := testConfig.Clone()
   968  	config.NextProtos = []string{"proto3"}
   969  
   970  	test := &serverTest{
   971  		name: "ALPN-NoMatch",
   972  		// Note that this needs OpenSSL 1.0.2 because that is the first
   973  		// version that supports the -alpn flag.
   974  		command:                       []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   975  		config:                        config,
   976  		expectHandshakeErrorIncluding: "client requested unsupported application protocol",
   977  	}
   978  	runServerTestTLS12(t, test)
   979  	runServerTestTLS13(t, test)
   980  }
   981  
   982  func TestHandshakeServerALPNNotConfigured(t *testing.T) {
   983  	config := testConfig.Clone()
   984  	config.NextProtos = nil
   985  
   986  	test := &serverTest{
   987  		name: "ALPN-NotConfigured",
   988  		// Note that this needs OpenSSL 1.0.2 because that is the first
   989  		// version that supports the -alpn flag.
   990  		command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
   991  		config:  config,
   992  		validate: func(state ConnectionState) error {
   993  			if state.NegotiatedProtocol != "" {
   994  				return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
   995  			}
   996  			return nil
   997  		},
   998  	}
   999  	runServerTestTLS12(t, test)
  1000  	runServerTestTLS13(t, test)
  1001  }
  1002  
  1003  func TestHandshakeServerALPNFallback(t *testing.T) {
  1004  	config := testConfig.Clone()
  1005  	config.NextProtos = []string{"proto1", "h2", "proto2"}
  1006  
  1007  	test := &serverTest{
  1008  		name: "ALPN-Fallback",
  1009  		// Note that this needs OpenSSL 1.0.2 because that is the first
  1010  		// version that supports the -alpn flag.
  1011  		command: []string{"openssl", "s_client", "-alpn", "proto3,http/1.1,proto4", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
  1012  		config:  config,
  1013  		validate: func(state ConnectionState) error {
  1014  			if state.NegotiatedProtocol != "" {
  1015  				return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol)
  1016  			}
  1017  			return nil
  1018  		},
  1019  	}
  1020  	runServerTestTLS12(t, test)
  1021  	runServerTestTLS13(t, test)
  1022  }
  1023  
  1024  // TestHandshakeServerSNI involves a client sending an SNI extension of
  1025  // "snitest.com", which happens to match the CN of testSNICertificate. The test
  1026  // verifies that the server correctly selects that certificate.
  1027  func TestHandshakeServerSNI(t *testing.T) {
  1028  	test := &serverTest{
  1029  		name:    "SNI",
  1030  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
  1031  	}
  1032  	runServerTestTLS12(t, test)
  1033  }
  1034  
  1035  // TestHandshakeServerSNIGetCertificate is similar to TestHandshakeServerSNI, but
  1036  // tests the dynamic GetCertificate method
  1037  func TestHandshakeServerSNIGetCertificate(t *testing.T) {
  1038  	config := testConfig.Clone()
  1039  
  1040  	// Replace the NameToCertificate map with a GetCertificate function
  1041  	nameToCert := config.NameToCertificate
  1042  	config.NameToCertificate = nil
  1043  	config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1044  		cert := nameToCert[clientHello.ServerName]
  1045  		return cert, nil
  1046  	}
  1047  	test := &serverTest{
  1048  		name:    "SNI-GetCertificate",
  1049  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
  1050  		config:  config,
  1051  	}
  1052  	runServerTestTLS12(t, test)
  1053  }
  1054  
  1055  // TestHandshakeServerSNIGetCertificateNotFound is similar to
  1056  // TestHandshakeServerSNICertForName, but tests to make sure that when the
  1057  // GetCertificate method doesn't return a cert, we fall back to what's in
  1058  // the NameToCertificate map.
  1059  func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
  1060  	config := testConfig.Clone()
  1061  
  1062  	config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1063  		return nil, nil
  1064  	}
  1065  	test := &serverTest{
  1066  		name:    "SNI-GetCertificateNotFound",
  1067  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},
  1068  		config:  config,
  1069  	}
  1070  	runServerTestTLS12(t, test)
  1071  }
  1072  
  1073  // TestHandshakeServerGetCertificateExtensions tests to make sure that the
  1074  // Extensions passed to GetCertificate match what we expect based on the
  1075  // clientHelloMsg
  1076  func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
  1077  	const errMsg = "TestHandshakeServerGetCertificateExtensions error"
  1078  	// ensure the test condition inside our GetCertificate callback
  1079  	// is actually invoked
  1080  	var called atomic.Int32
  1081  
  1082  	testVersions := []uint16{VersionTLS12, VersionTLS13}
  1083  	for _, vers := range testVersions {
  1084  		t.Run(fmt.Sprintf("TLS version %04x", vers), func(t *testing.T) {
  1085  			pk, _ := ecdh.P256().GenerateKey(rand.Reader)
  1086  			clientHello := &clientHelloMsg{
  1087  				vers:                         vers,
  1088  				random:                       make([]byte, 32),
  1089  				cipherSuites:                 []uint16{TLS_AES_128_GCM_SHA256},
  1090  				compressionMethods:           []uint8{compressionNone},
  1091  				serverName:                   "test",
  1092  				keyShares:                    []keyShare{{group: CurveP256, data: pk.PublicKey().Bytes()}},
  1093  				supportedCurves:              []CurveID{CurveP256},
  1094  				supportedSignatureAlgorithms: []SignatureScheme{ECDSAWithP256AndSHA256},
  1095  			}
  1096  
  1097  			// the clientHelloMsg initialized just above is serialized with
  1098  			// two extensions: server_name(0) and application_layer_protocol_negotiation(16)
  1099  			expectedExtensions := []uint16{
  1100  				extensionServerName,
  1101  				extensionSupportedCurves,
  1102  				extensionSignatureAlgorithms,
  1103  				extensionKeyShare,
  1104  			}
  1105  
  1106  			if vers == VersionTLS13 {
  1107  				clientHello.supportedVersions = []uint16{VersionTLS13}
  1108  				expectedExtensions = append(expectedExtensions, extensionSupportedVersions)
  1109  			}
  1110  
  1111  			// Go's TLS client presents extensions in the ClientHello sorted by extension ID
  1112  			slices.Sort(expectedExtensions)
  1113  
  1114  			serverConfig := testConfig.Clone()
  1115  			serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1116  				if !slices.Equal(expectedExtensions, clientHello.Extensions) {
  1117  					t.Errorf("expected extensions on ClientHelloInfo (%v) to match clientHelloMsg (%v)", expectedExtensions, clientHello.Extensions)
  1118  				}
  1119  				called.Add(1)
  1120  
  1121  				return nil, errors.New(errMsg)
  1122  			}
  1123  			testClientHelloFailure(t, serverConfig, clientHello, errMsg)
  1124  		})
  1125  	}
  1126  
  1127  	if int(called.Load()) != len(testVersions) {
  1128  		t.Error("expected our GetCertificate test to be called twice")
  1129  	}
  1130  }
  1131  
  1132  // TestHandshakeServerSNIGetCertificateError tests to make sure that errors in
  1133  // GetCertificate result in a tls alert.
  1134  func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
  1135  	const errMsg = "TestHandshakeServerSNIGetCertificateError error"
  1136  
  1137  	serverConfig := testConfig.Clone()
  1138  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1139  		return nil, errors.New(errMsg)
  1140  	}
  1141  
  1142  	clientHello := &clientHelloMsg{
  1143  		vers:               VersionTLS12,
  1144  		random:             make([]byte, 32),
  1145  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
  1146  		compressionMethods: []uint8{compressionNone},
  1147  		serverName:         "test",
  1148  	}
  1149  	testClientHelloFailure(t, serverConfig, clientHello, errMsg)
  1150  }
  1151  
  1152  // TestHandshakeServerEmptyCertificates tests that GetCertificates is called in
  1153  // the case that Certificates is empty, even without SNI.
  1154  func TestHandshakeServerEmptyCertificates(t *testing.T) {
  1155  	const errMsg = "TestHandshakeServerEmptyCertificates error"
  1156  
  1157  	serverConfig := testConfig.Clone()
  1158  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  1159  		return nil, errors.New(errMsg)
  1160  	}
  1161  	serverConfig.Certificates = nil
  1162  
  1163  	clientHello := &clientHelloMsg{
  1164  		vers:               VersionTLS12,
  1165  		random:             make([]byte, 32),
  1166  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
  1167  		compressionMethods: []uint8{compressionNone},
  1168  	}
  1169  	testClientHelloFailure(t, serverConfig, clientHello, errMsg)
  1170  
  1171  	// With an empty Certificates and a nil GetCertificate, the server
  1172  	// should always return a “no certificates” error.
  1173  	serverConfig.GetCertificate = nil
  1174  
  1175  	clientHello = &clientHelloMsg{
  1176  		vers:               VersionTLS12,
  1177  		random:             make([]byte, 32),
  1178  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
  1179  		compressionMethods: []uint8{compressionNone},
  1180  	}
  1181  	testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
  1182  }
  1183  
  1184  func TestServerResumption(t *testing.T) {
  1185  	sessionFilePath := tempFile("")
  1186  	defer os.Remove(sessionFilePath)
  1187  
  1188  	testIssue := &serverTest{
  1189  		name:    "IssueTicket",
  1190  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
  1191  		wait:    true,
  1192  	}
  1193  	testResume := &serverTest{
  1194  		name:    "Resume",
  1195  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1196  		validate: func(state ConnectionState) error {
  1197  			if !state.DidResume {
  1198  				return errors.New("did not resume")
  1199  			}
  1200  			return nil
  1201  		},
  1202  	}
  1203  
  1204  	runServerTestTLS12(t, testIssue)
  1205  	runServerTestTLS12(t, testResume)
  1206  
  1207  	runServerTestTLS13(t, testIssue)
  1208  	runServerTestTLS13(t, testResume)
  1209  
  1210  	config := testConfig.Clone()
  1211  	config.CurvePreferences = []CurveID{CurveP256}
  1212  
  1213  	testResumeHRR := &serverTest{
  1214  		name: "Resume-HelloRetryRequest",
  1215  		command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites",
  1216  			"TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1217  		config: config,
  1218  		validate: func(state ConnectionState) error {
  1219  			if !state.DidResume {
  1220  				return errors.New("did not resume")
  1221  			}
  1222  			return nil
  1223  		},
  1224  	}
  1225  
  1226  	runServerTestTLS13(t, testResumeHRR)
  1227  }
  1228  
  1229  func TestServerResumptionDisabled(t *testing.T) {
  1230  	sessionFilePath := tempFile("")
  1231  	defer os.Remove(sessionFilePath)
  1232  
  1233  	config := testConfig.Clone()
  1234  
  1235  	testIssue := &serverTest{
  1236  		name:    "IssueTicketPreDisable",
  1237  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
  1238  		config:  config,
  1239  		wait:    true,
  1240  	}
  1241  	testResume := &serverTest{
  1242  		name:    "ResumeDisabled",
  1243  		command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
  1244  		config:  config,
  1245  		validate: func(state ConnectionState) error {
  1246  			if state.DidResume {
  1247  				return errors.New("resumed with SessionTicketsDisabled")
  1248  			}
  1249  			return nil
  1250  		},
  1251  	}
  1252  
  1253  	config.SessionTicketsDisabled = false
  1254  	runServerTestTLS12(t, testIssue)
  1255  	config.SessionTicketsDisabled = true
  1256  	runServerTestTLS12(t, testResume)
  1257  
  1258  	config.SessionTicketsDisabled = false
  1259  	runServerTestTLS13(t, testIssue)
  1260  	config.SessionTicketsDisabled = true
  1261  	runServerTestTLS13(t, testResume)
  1262  }
  1263  
  1264  func TestFallbackSCSV(t *testing.T) {
  1265  	serverConfig := Config{
  1266  		Certificates: testConfig.Certificates,
  1267  		MinVersion:   VersionTLS11,
  1268  	}
  1269  	test := &serverTest{
  1270  		name:   "FallbackSCSV",
  1271  		config: &serverConfig,
  1272  		// OpenSSL 1.0.1j is needed for the -fallback_scsv option.
  1273  		command:                       []string{"openssl", "s_client", "-fallback_scsv"},
  1274  		expectHandshakeErrorIncluding: "inappropriate protocol fallback",
  1275  	}
  1276  	runServerTestTLS11(t, test)
  1277  }
  1278  
  1279  func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
  1280  	test := &serverTest{
  1281  		name:    "ExportKeyingMaterial",
  1282  		command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-AES256-SHA", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
  1283  		config:  testConfig.Clone(),
  1284  		validate: func(state ConnectionState) error {
  1285  			if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
  1286  				return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
  1287  			} else if len(km) != 42 {
  1288  				return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
  1289  			}
  1290  			return nil
  1291  		},
  1292  	}
  1293  	runServerTestTLS10(t, test)
  1294  	runServerTestTLS12(t, test)
  1295  	runServerTestTLS13(t, test)
  1296  }
  1297  
  1298  func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
  1299  	test := &serverTest{
  1300  		name:    "RSA-RSAPKCS1v15",
  1301  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"},
  1302  	}
  1303  	runServerTestTLS12(t, test)
  1304  }
  1305  
  1306  func TestHandshakeServerRSAPSS(t *testing.T) {
  1307  	// We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we
  1308  	// verify the server implementation will disregard the client preference in
  1309  	// that case. See Issue 29793.
  1310  	test := &serverTest{
  1311  		name:    "RSA-RSAPSS",
  1312  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
  1313  	}
  1314  	runServerTestTLS12(t, test)
  1315  	runServerTestTLS13(t, test)
  1316  
  1317  	test = &serverTest{
  1318  		name:                          "RSA-RSAPSS-TooSmall",
  1319  		command:                       []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"},
  1320  		expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
  1321  	}
  1322  	runServerTestTLS13(t, test)
  1323  }
  1324  
  1325  func TestHandshakeServerEd25519(t *testing.T) {
  1326  	config := testConfig.Clone()
  1327  	config.Certificates = make([]Certificate, 1)
  1328  	config.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
  1329  	config.Certificates[0].PrivateKey = testEd25519PrivateKey
  1330  	config.BuildNameToCertificate()
  1331  
  1332  	test := &serverTest{
  1333  		name:    "Ed25519",
  1334  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
  1335  		config:  config,
  1336  	}
  1337  	runServerTestTLS12(t, test)
  1338  	runServerTestTLS13(t, test)
  1339  }
  1340  
  1341  func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
  1342  	config := testConfig.Clone()
  1343  	config.CipherSuites = []uint16{cipherSuite}
  1344  	config.CurvePreferences = []CurveID{curve}
  1345  	config.Certificates = make([]Certificate, 1)
  1346  	config.Certificates[0].Certificate = [][]byte{cert}
  1347  	config.Certificates[0].PrivateKey = key
  1348  	config.BuildNameToCertificate()
  1349  
  1350  	clientConn, serverConn := localPipe(b)
  1351  	serverConn = &recordingConn{Conn: serverConn}
  1352  	go func() {
  1353  		config := testConfig.Clone()
  1354  		config.MaxVersion = version
  1355  		config.CurvePreferences = []CurveID{curve}
  1356  		client := Client(clientConn, config)
  1357  		client.Handshake()
  1358  	}()
  1359  	server := Server(serverConn, config)
  1360  	if err := server.Handshake(); err != nil {
  1361  		b.Fatalf("handshake failed: %v", err)
  1362  	}
  1363  	serverConn.Close()
  1364  	flows := serverConn.(*recordingConn).flows
  1365  
  1366  	b.ResetTimer()
  1367  	for i := 0; i < b.N; i++ {
  1368  		replay := &replayingConn{t: b, flows: slices.Clone(flows), reading: true}
  1369  		server := Server(replay, config)
  1370  		if err := server.Handshake(); err != nil {
  1371  			b.Fatalf("handshake failed: %v", err)
  1372  		}
  1373  	}
  1374  }
  1375  
  1376  func BenchmarkHandshakeServer(b *testing.B) {
  1377  	b.Run("RSA", func(b *testing.B) {
  1378  		benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256,
  1379  			0, testRSACertificate, testRSAPrivateKey)
  1380  	})
  1381  	b.Run("ECDHE-P256-RSA", func(b *testing.B) {
  1382  		b.Run("TLSv13", func(b *testing.B) {
  1383  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1384  				CurveP256, testRSACertificate, testRSAPrivateKey)
  1385  		})
  1386  		b.Run("TLSv12", func(b *testing.B) {
  1387  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1388  				CurveP256, testRSACertificate, testRSAPrivateKey)
  1389  		})
  1390  	})
  1391  	b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) {
  1392  		b.Run("TLSv13", func(b *testing.B) {
  1393  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1394  				CurveP256, testP256Certificate, testP256PrivateKey)
  1395  		})
  1396  		b.Run("TLSv12", func(b *testing.B) {
  1397  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1398  				CurveP256, testP256Certificate, testP256PrivateKey)
  1399  		})
  1400  	})
  1401  	b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) {
  1402  		b.Run("TLSv13", func(b *testing.B) {
  1403  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1404  				X25519, testP256Certificate, testP256PrivateKey)
  1405  		})
  1406  		b.Run("TLSv12", func(b *testing.B) {
  1407  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1408  				X25519, testP256Certificate, testP256PrivateKey)
  1409  		})
  1410  	})
  1411  	b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) {
  1412  		if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() {
  1413  			b.Fatal("test ECDSA key doesn't use curve P-521")
  1414  		}
  1415  		b.Run("TLSv13", func(b *testing.B) {
  1416  			benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1417  				CurveP521, testECDSACertificate, testECDSAPrivateKey)
  1418  		})
  1419  		b.Run("TLSv12", func(b *testing.B) {
  1420  			benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1421  				CurveP521, testECDSACertificate, testECDSAPrivateKey)
  1422  		})
  1423  	})
  1424  }
  1425  
  1426  func TestClientAuth(t *testing.T) {
  1427  	var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath, ed25519CertPath, ed25519KeyPath string
  1428  
  1429  	if *update {
  1430  		certPath = tempFile(clientCertificatePEM)
  1431  		defer os.Remove(certPath)
  1432  		keyPath = tempFile(clientKeyPEM)
  1433  		defer os.Remove(keyPath)
  1434  		ecdsaCertPath = tempFile(clientECDSACertificatePEM)
  1435  		defer os.Remove(ecdsaCertPath)
  1436  		ecdsaKeyPath = tempFile(clientECDSAKeyPEM)
  1437  		defer os.Remove(ecdsaKeyPath)
  1438  		ed25519CertPath = tempFile(clientEd25519CertificatePEM)
  1439  		defer os.Remove(ed25519CertPath)
  1440  		ed25519KeyPath = tempFile(clientEd25519KeyPEM)
  1441  		defer os.Remove(ed25519KeyPath)
  1442  	} else {
  1443  		t.Parallel()
  1444  	}
  1445  
  1446  	config := testConfig.Clone()
  1447  	config.ClientAuth = RequestClientCert
  1448  
  1449  	test := &serverTest{
  1450  		name:    "ClientAuthRequestedNotGiven",
  1451  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
  1452  		config:  config,
  1453  	}
  1454  	runServerTestTLS12(t, test)
  1455  	runServerTestTLS13(t, test)
  1456  
  1457  	test = &serverTest{
  1458  		name: "ClientAuthRequestedAndGiven",
  1459  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1460  			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
  1461  		config:            config,
  1462  		expectedPeerCerts: []string{clientCertificatePEM},
  1463  	}
  1464  	runServerTestTLS12(t, test)
  1465  	runServerTestTLS13(t, test)
  1466  
  1467  	test = &serverTest{
  1468  		name: "ClientAuthRequestedAndECDSAGiven",
  1469  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1470  			"-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
  1471  		config:            config,
  1472  		expectedPeerCerts: []string{clientECDSACertificatePEM},
  1473  	}
  1474  	runServerTestTLS12(t, test)
  1475  	runServerTestTLS13(t, test)
  1476  
  1477  	test = &serverTest{
  1478  		name: "ClientAuthRequestedAndEd25519Given",
  1479  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
  1480  			"-cert", ed25519CertPath, "-key", ed25519KeyPath},
  1481  		config:            config,
  1482  		expectedPeerCerts: []string{clientEd25519CertificatePEM},
  1483  	}
  1484  	runServerTestTLS12(t, test)
  1485  	runServerTestTLS13(t, test)
  1486  
  1487  	test = &serverTest{
  1488  		name: "ClientAuthRequestedAndPKCS1v15Given",
  1489  		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
  1490  			"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pkcs1_sha256"},
  1491  		config:            config,
  1492  		expectedPeerCerts: []string{clientCertificatePEM},
  1493  	}
  1494  	runServerTestTLS12(t, test)
  1495  }
  1496  
  1497  func TestSNIGivenOnFailure(t *testing.T) {
  1498  	const expectedServerName = "test.testing"
  1499  
  1500  	clientHello := &clientHelloMsg{
  1501  		vers:               VersionTLS12,
  1502  		random:             make([]byte, 32),
  1503  		cipherSuites:       []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
  1504  		compressionMethods: []uint8{compressionNone},
  1505  		serverName:         expectedServerName,
  1506  	}
  1507  
  1508  	serverConfig := testConfig.Clone()
  1509  	// Erase the server's cipher suites to ensure the handshake fails.
  1510  	serverConfig.CipherSuites = nil
  1511  
  1512  	c, s := localPipe(t)
  1513  	go func() {
  1514  		cli := Client(c, testConfig)
  1515  		cli.vers = clientHello.vers
  1516  		if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
  1517  			testFatal(t, err)
  1518  		}
  1519  		c.Close()
  1520  	}()
  1521  	conn := Server(s, serverConfig)
  1522  	ctx := context.Background()
  1523  	ch, _, err := conn.readClientHello(ctx)
  1524  	hs := serverHandshakeState{
  1525  		c:           conn,
  1526  		ctx:         ctx,
  1527  		clientHello: ch,
  1528  	}
  1529  	if err == nil {
  1530  		err = hs.processClientHello()
  1531  	}
  1532  	if err == nil {
  1533  		err = hs.pickCipherSuite()
  1534  	}
  1535  	defer s.Close()
  1536  
  1537  	if err == nil {
  1538  		t.Error("No error reported from server")
  1539  	}
  1540  
  1541  	cs := hs.c.ConnectionState()
  1542  	if cs.HandshakeComplete {
  1543  		t.Error("Handshake registered as complete")
  1544  	}
  1545  
  1546  	if cs.ServerName != expectedServerName {
  1547  		t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName)
  1548  	}
  1549  }
  1550  
  1551  var getConfigForClientTests = []struct {
  1552  	setup          func(config *Config)
  1553  	callback       func(clientHello *ClientHelloInfo) (*Config, error)
  1554  	errorSubstring string
  1555  	verify         func(config *Config) error
  1556  }{
  1557  	{
  1558  		nil,
  1559  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1560  			return nil, nil
  1561  		},
  1562  		"",
  1563  		nil,
  1564  	},
  1565  	{
  1566  		nil,
  1567  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1568  			return nil, errors.New("should bubble up")
  1569  		},
  1570  		"should bubble up",
  1571  		nil,
  1572  	},
  1573  	{
  1574  		nil,
  1575  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1576  			config := testConfig.Clone()
  1577  			// Setting a maximum version of TLS 1.1 should cause
  1578  			// the handshake to fail, as the client MinVersion is TLS 1.2.
  1579  			config.MaxVersion = VersionTLS11
  1580  			return config, nil
  1581  		},
  1582  		"client offered only unsupported versions",
  1583  		nil,
  1584  	},
  1585  	{
  1586  		func(config *Config) {
  1587  			for i := range config.SessionTicketKey {
  1588  				config.SessionTicketKey[i] = byte(i)
  1589  			}
  1590  			config.sessionTicketKeys = nil
  1591  		},
  1592  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1593  			config := testConfig.Clone()
  1594  			for i := range config.SessionTicketKey {
  1595  				config.SessionTicketKey[i] = 0
  1596  			}
  1597  			config.sessionTicketKeys = nil
  1598  			return config, nil
  1599  		},
  1600  		"",
  1601  		func(config *Config) error {
  1602  			if config.SessionTicketKey == [32]byte{} {
  1603  				return fmt.Errorf("expected SessionTicketKey to be set")
  1604  			}
  1605  			return nil
  1606  		},
  1607  	},
  1608  	{
  1609  		func(config *Config) {
  1610  			var dummyKey [32]byte
  1611  			for i := range dummyKey {
  1612  				dummyKey[i] = byte(i)
  1613  			}
  1614  
  1615  			config.SetSessionTicketKeys([][32]byte{dummyKey})
  1616  		},
  1617  		func(clientHello *ClientHelloInfo) (*Config, error) {
  1618  			config := testConfig.Clone()
  1619  			config.sessionTicketKeys = nil
  1620  			return config, nil
  1621  		},
  1622  		"",
  1623  		func(config *Config) error {
  1624  			if config.SessionTicketKey == [32]byte{} {
  1625  				return fmt.Errorf("expected SessionTicketKey to be set")
  1626  			}
  1627  			return nil
  1628  		},
  1629  	},
  1630  }
  1631  
  1632  func TestGetConfigForClient(t *testing.T) {
  1633  	serverConfig := testConfig.Clone()
  1634  	clientConfig := testConfig.Clone()
  1635  	clientConfig.MinVersion = VersionTLS12
  1636  
  1637  	for i, test := range getConfigForClientTests {
  1638  		if test.setup != nil {
  1639  			test.setup(serverConfig)
  1640  		}
  1641  
  1642  		var configReturned *Config
  1643  		serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) {
  1644  			config, err := test.callback(clientHello)
  1645  			configReturned = config
  1646  			return config, err
  1647  		}
  1648  		c, s := localPipe(t)
  1649  		done := make(chan error)
  1650  
  1651  		go func() {
  1652  			defer s.Close()
  1653  			done <- Server(s, serverConfig).Handshake()
  1654  		}()
  1655  
  1656  		clientErr := Client(c, clientConfig).Handshake()
  1657  		c.Close()
  1658  
  1659  		serverErr := <-done
  1660  
  1661  		if len(test.errorSubstring) == 0 {
  1662  			if serverErr != nil || clientErr != nil {
  1663  				t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr)
  1664  			}
  1665  			if test.verify != nil {
  1666  				if err := test.verify(configReturned); err != nil {
  1667  					t.Errorf("test[%d]: verify returned error: %v", i, err)
  1668  				}
  1669  			}
  1670  		} else {
  1671  			if serverErr == nil {
  1672  				t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring)
  1673  			} else if !strings.Contains(serverErr.Error(), test.errorSubstring) {
  1674  				t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr)
  1675  			}
  1676  		}
  1677  	}
  1678  }
  1679  
  1680  func TestCloseServerConnectionOnIdleClient(t *testing.T) {
  1681  	clientConn, serverConn := localPipe(t)
  1682  	server := Server(serverConn, testConfig.Clone())
  1683  	go func() {
  1684  		clientConn.Write([]byte{'0'})
  1685  		server.Close()
  1686  	}()
  1687  	server.SetReadDeadline(time.Now().Add(time.Minute))
  1688  	err := server.Handshake()
  1689  	if err != nil {
  1690  		if err, ok := err.(net.Error); ok && err.Timeout() {
  1691  			t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
  1692  		}
  1693  	} else {
  1694  		t.Errorf("Error expected, but no error returned")
  1695  	}
  1696  }
  1697  
  1698  func TestCloneHash(t *testing.T) {
  1699  	h1 := crypto.SHA256.New()
  1700  	h1.Write([]byte("test"))
  1701  	s1 := h1.Sum(nil)
  1702  	h2 := cloneHash(h1, crypto.SHA256)
  1703  	s2 := h2.Sum(nil)
  1704  	if !bytes.Equal(s1, s2) {
  1705  		t.Error("cloned hash generated a different sum")
  1706  	}
  1707  }
  1708  
  1709  func expectError(t *testing.T, err error, sub string) {
  1710  	if err == nil {
  1711  		t.Errorf(`expected error %q, got nil`, sub)
  1712  	} else if !strings.Contains(err.Error(), sub) {
  1713  		t.Errorf(`expected error %q, got %q`, sub, err)
  1714  	}
  1715  }
  1716  
  1717  func TestKeyTooSmallForRSAPSS(t *testing.T) {
  1718  	cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE-----
  1719  MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS
  1720  MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy
  1721  OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd
  1722  ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ
  1723  nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE
  1724  DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu
  1725  Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q
  1726  KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA==
  1727  -----END CERTIFICATE-----`), []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
  1728  MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T
  1729  HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/
  1730  yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z
  1731  4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz
  1732  nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd
  1733  hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s
  1734  T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
  1735  -----END RSA TESTING KEY-----`)))
  1736  	if err != nil {
  1737  		t.Fatal(err)
  1738  	}
  1739  
  1740  	clientConn, serverConn := localPipe(t)
  1741  	client := Client(clientConn, testConfig)
  1742  	done := make(chan struct{})
  1743  	go func() {
  1744  		config := testConfig.Clone()
  1745  		config.Certificates = []Certificate{cert}
  1746  		config.MinVersion = VersionTLS13
  1747  		server := Server(serverConn, config)
  1748  		err := server.Handshake()
  1749  		expectError(t, err, "key size too small")
  1750  		close(done)
  1751  	}()
  1752  	err = client.Handshake()
  1753  	expectError(t, err, "handshake failure")
  1754  	<-done
  1755  }
  1756  
  1757  func TestMultipleCertificates(t *testing.T) {
  1758  	clientConfig := testConfig.Clone()
  1759  	clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
  1760  	clientConfig.MaxVersion = VersionTLS12
  1761  
  1762  	serverConfig := testConfig.Clone()
  1763  	serverConfig.Certificates = []Certificate{{
  1764  		Certificate: [][]byte{testECDSACertificate},
  1765  		PrivateKey:  testECDSAPrivateKey,
  1766  	}, {
  1767  		Certificate: [][]byte{testRSACertificate},
  1768  		PrivateKey:  testRSAPrivateKey,
  1769  	}}
  1770  
  1771  	_, clientState, err := testHandshake(t, clientConfig, serverConfig)
  1772  	if err != nil {
  1773  		t.Fatal(err)
  1774  	}
  1775  	if got := clientState.PeerCertificates[0].PublicKeyAlgorithm; got != x509.RSA {
  1776  		t.Errorf("expected RSA certificate, got %v", got)
  1777  	}
  1778  }
  1779  
  1780  func TestAESCipherReordering(t *testing.T) {
  1781  	skipFIPS(t) // No CHACHA20_POLY1305 for FIPS.
  1782  
  1783  	currentAESSupport := hasAESGCMHardwareSupport
  1784  	defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
  1785  
  1786  	tests := []struct {
  1787  		name            string
  1788  		clientCiphers   []uint16
  1789  		serverHasAESGCM bool
  1790  		serverCiphers   []uint16
  1791  		expectedCipher  uint16
  1792  	}{
  1793  		{
  1794  			name: "server has hardware AES, client doesn't (pick ChaCha)",
  1795  			clientCiphers: []uint16{
  1796  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1797  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1798  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1799  			},
  1800  			serverHasAESGCM: true,
  1801  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1802  		},
  1803  		{
  1804  			name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)",
  1805  			clientCiphers: []uint16{
  1806  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1807  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1808  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1809  			},
  1810  			serverHasAESGCM: false,
  1811  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1812  		},
  1813  		{
  1814  			name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
  1815  			clientCiphers: []uint16{
  1816  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1817  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1818  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1819  			},
  1820  			serverHasAESGCM: true,
  1821  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1822  		},
  1823  		{
  1824  			name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)",
  1825  			clientCiphers: []uint16{
  1826  				0x0A0A, // GREASE value
  1827  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1828  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1829  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1830  			},
  1831  			serverHasAESGCM: true,
  1832  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1833  		},
  1834  		{
  1835  			name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)",
  1836  			clientCiphers: []uint16{
  1837  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1838  				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1839  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1840  			},
  1841  			serverHasAESGCM: false,
  1842  			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1843  		},
  1844  		{
  1845  			name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)",
  1846  			clientCiphers: []uint16{
  1847  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1848  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1849  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1850  			},
  1851  			serverHasAESGCM: false,
  1852  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1853  		},
  1854  		{
  1855  			name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)",
  1856  			clientCiphers: []uint16{
  1857  				0x0A0A, // GREASE value
  1858  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1859  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1860  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1861  			},
  1862  			serverHasAESGCM: false,
  1863  			expectedCipher:  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1864  		},
  1865  		{
  1866  			name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (AES-GCM)",
  1867  			clientCiphers: []uint16{
  1868  				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1869  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1870  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1871  			},
  1872  			serverHasAESGCM: false,
  1873  			serverCiphers: []uint16{
  1874  				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1875  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1876  			},
  1877  			expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1878  		},
  1879  		{
  1880  			name: "client prefers AES-GCM, server has hardware but doesn't support AES (pick ChaCha)",
  1881  			clientCiphers: []uint16{
  1882  				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1883  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1884  				TLS_RSA_WITH_AES_128_CBC_SHA,
  1885  			},
  1886  			serverHasAESGCM: true,
  1887  			serverCiphers: []uint16{
  1888  				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1889  			},
  1890  			expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1891  		},
  1892  	}
  1893  
  1894  	for _, tc := range tests {
  1895  		t.Run(tc.name, func(t *testing.T) {
  1896  			hasAESGCMHardwareSupport = tc.serverHasAESGCM
  1897  			hs := &serverHandshakeState{
  1898  				c: &Conn{
  1899  					config: &Config{
  1900  						CipherSuites: tc.serverCiphers,
  1901  					},
  1902  					vers: VersionTLS12,
  1903  				},
  1904  				clientHello: &clientHelloMsg{
  1905  					cipherSuites: tc.clientCiphers,
  1906  					vers:         VersionTLS12,
  1907  				},
  1908  				ecdheOk:      true,
  1909  				rsaSignOk:    true,
  1910  				rsaDecryptOk: true,
  1911  			}
  1912  
  1913  			err := hs.pickCipherSuite()
  1914  			if err != nil {
  1915  				t.Errorf("pickCipherSuite failed: %s", err)
  1916  			}
  1917  
  1918  			if tc.expectedCipher != hs.suite.id {
  1919  				t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
  1920  			}
  1921  		})
  1922  	}
  1923  }
  1924  
  1925  func TestAESCipherReorderingTLS13(t *testing.T) {
  1926  	skipFIPS(t) // No CHACHA20_POLY1305 for FIPS.
  1927  
  1928  	currentAESSupport := hasAESGCMHardwareSupport
  1929  	defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
  1930  
  1931  	tests := []struct {
  1932  		name            string
  1933  		clientCiphers   []uint16
  1934  		serverHasAESGCM bool
  1935  		expectedCipher  uint16
  1936  	}{
  1937  		{
  1938  			name: "server has hardware AES, client doesn't (pick ChaCha)",
  1939  			clientCiphers: []uint16{
  1940  				TLS_CHACHA20_POLY1305_SHA256,
  1941  				TLS_AES_128_GCM_SHA256,
  1942  			},
  1943  			serverHasAESGCM: true,
  1944  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1945  		},
  1946  		{
  1947  			name: "neither server nor client have hardware AES (pick ChaCha)",
  1948  			clientCiphers: []uint16{
  1949  				TLS_CHACHA20_POLY1305_SHA256,
  1950  				TLS_AES_128_GCM_SHA256,
  1951  			},
  1952  			serverHasAESGCM: false,
  1953  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1954  		},
  1955  		{
  1956  			name: "client prefers AES, server doesn't have hardware (pick ChaCha)",
  1957  			clientCiphers: []uint16{
  1958  				TLS_AES_128_GCM_SHA256,
  1959  				TLS_CHACHA20_POLY1305_SHA256,
  1960  			},
  1961  			serverHasAESGCM: false,
  1962  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1963  		},
  1964  		{
  1965  			name: "client prefers AES and sends GREASE, server doesn't have hardware (pick ChaCha)",
  1966  			clientCiphers: []uint16{
  1967  				0x0A0A, // GREASE value
  1968  				TLS_AES_128_GCM_SHA256,
  1969  				TLS_CHACHA20_POLY1305_SHA256,
  1970  			},
  1971  			serverHasAESGCM: false,
  1972  			expectedCipher:  TLS_CHACHA20_POLY1305_SHA256,
  1973  		},
  1974  		{
  1975  			name: "client prefers AES, server has hardware AES (pick AES)",
  1976  			clientCiphers: []uint16{
  1977  				TLS_AES_128_GCM_SHA256,
  1978  				TLS_CHACHA20_POLY1305_SHA256,
  1979  			},
  1980  			serverHasAESGCM: true,
  1981  			expectedCipher:  TLS_AES_128_GCM_SHA256,
  1982  		},
  1983  		{
  1984  			name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)",
  1985  			clientCiphers: []uint16{
  1986  				0x0A0A, // GREASE value
  1987  				TLS_AES_128_GCM_SHA256,
  1988  				TLS_CHACHA20_POLY1305_SHA256,
  1989  			},
  1990  			serverHasAESGCM: true,
  1991  			expectedCipher:  TLS_AES_128_GCM_SHA256,
  1992  		},
  1993  	}
  1994  
  1995  	for _, tc := range tests {
  1996  		t.Run(tc.name, func(t *testing.T) {
  1997  			hasAESGCMHardwareSupport = tc.serverHasAESGCM
  1998  			pk, _ := ecdh.X25519().GenerateKey(rand.Reader)
  1999  			hs := &serverHandshakeStateTLS13{
  2000  				c: &Conn{
  2001  					config: &Config{},
  2002  					vers:   VersionTLS13,
  2003  				},
  2004  				clientHello: &clientHelloMsg{
  2005  					cipherSuites:       tc.clientCiphers,
  2006  					supportedVersions:  []uint16{VersionTLS13},
  2007  					compressionMethods: []uint8{compressionNone},
  2008  					keyShares:          []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
  2009  					supportedCurves:    []CurveID{X25519},
  2010  				},
  2011  			}
  2012  
  2013  			err := hs.processClientHello()
  2014  			if err != nil {
  2015  				t.Errorf("pickCipherSuite failed: %s", err)
  2016  			}
  2017  
  2018  			if tc.expectedCipher != hs.suite.id {
  2019  				t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
  2020  			}
  2021  		})
  2022  	}
  2023  }
  2024  
  2025  // TestServerHandshakeContextCancellation tests that canceling
  2026  // the context given to the server side conn.HandshakeContext
  2027  // interrupts the in-progress handshake.
  2028  func TestServerHandshakeContextCancellation(t *testing.T) {
  2029  	c, s := localPipe(t)
  2030  	ctx, cancel := context.WithCancel(context.Background())
  2031  	unblockClient := make(chan struct{})
  2032  	defer close(unblockClient)
  2033  	go func() {
  2034  		cancel()
  2035  		<-unblockClient
  2036  		_ = c.Close()
  2037  	}()
  2038  	conn := Server(s, testConfig)
  2039  	// Initiates server side handshake, which will block until a client hello is read
  2040  	// unless the cancellation works.
  2041  	err := conn.HandshakeContext(ctx)
  2042  	if err == nil {
  2043  		t.Fatal("Server handshake did not error when the context was canceled")
  2044  	}
  2045  	if err != context.Canceled {
  2046  		t.Errorf("Unexpected server handshake error: %v", err)
  2047  	}
  2048  	if runtime.GOARCH == "wasm" {
  2049  		t.Skip("conn.Close does not error as expected when called multiple times on WASM")
  2050  	}
  2051  	err = conn.Close()
  2052  	if err == nil {
  2053  		t.Error("Server connection was not closed when the context was canceled")
  2054  	}
  2055  }
  2056  
  2057  // TestHandshakeContextHierarchy tests whether the contexts
  2058  // available to GetClientCertificate and GetCertificate are
  2059  // derived from the context provided to HandshakeContext, and
  2060  // that those contexts are canceled after HandshakeContext has
  2061  // returned.
  2062  func TestHandshakeContextHierarchy(t *testing.T) {
  2063  	c, s := localPipe(t)
  2064  	clientErr := make(chan error, 1)
  2065  	clientConfig := testConfig.Clone()
  2066  	serverConfig := testConfig.Clone()
  2067  	ctx, cancel := context.WithCancel(context.Background())
  2068  	defer cancel()
  2069  	key := struct{}{}
  2070  	ctx = context.WithValue(ctx, key, true)
  2071  	go func() {
  2072  		defer close(clientErr)
  2073  		defer c.Close()
  2074  		var innerCtx context.Context
  2075  		clientConfig.Certificates = nil
  2076  		clientConfig.GetClientCertificate = func(certificateRequest *CertificateRequestInfo) (*Certificate, error) {
  2077  			if val, ok := certificateRequest.Context().Value(key).(bool); !ok || !val {
  2078  				t.Errorf("GetClientCertificate context was not child of HandshakeContext")
  2079  			}
  2080  			innerCtx = certificateRequest.Context()
  2081  			return &Certificate{
  2082  				Certificate: [][]byte{testRSACertificate},
  2083  				PrivateKey:  testRSAPrivateKey,
  2084  			}, nil
  2085  		}
  2086  		cli := Client(c, clientConfig)
  2087  		err := cli.HandshakeContext(ctx)
  2088  		if err != nil {
  2089  			clientErr <- err
  2090  			return
  2091  		}
  2092  		select {
  2093  		case <-innerCtx.Done():
  2094  		default:
  2095  			t.Errorf("GetClientCertificate context was not canceled after HandshakeContext returned.")
  2096  		}
  2097  	}()
  2098  	var innerCtx context.Context
  2099  	serverConfig.Certificates = nil
  2100  	serverConfig.ClientAuth = RequestClientCert
  2101  	serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
  2102  		if val, ok := clientHello.Context().Value(key).(bool); !ok || !val {
  2103  			t.Errorf("GetClientCertificate context was not child of HandshakeContext")
  2104  		}
  2105  		innerCtx = clientHello.Context()
  2106  		return &Certificate{
  2107  			Certificate: [][]byte{testRSACertificate},
  2108  			PrivateKey:  testRSAPrivateKey,
  2109  		}, nil
  2110  	}
  2111  	conn := Server(s, serverConfig)
  2112  	err := conn.HandshakeContext(ctx)
  2113  	if err != nil {
  2114  		t.Errorf("Unexpected server handshake error: %v", err)
  2115  	}
  2116  	select {
  2117  	case <-innerCtx.Done():
  2118  	default:
  2119  		t.Errorf("GetCertificate context was not canceled after HandshakeContext returned.")
  2120  	}
  2121  	if err := <-clientErr; err != nil {
  2122  		t.Errorf("Unexpected client error: %v", err)
  2123  	}
  2124  }
  2125  

View as plain text