crypto/tls: make tests use SetGlobalRandom

This requires dropping parallelism, but it doesn't seem to impact wall
time significantly. Also, clone configs before each test, to avoid STEK
generation influencing the randomness draw.

Change-Id: I8cd5d71bd9a383009e4486663a69dc8e6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/765923
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Filippo Valsorda 2026-04-07 00:30:37 +02:00 committed by Gopher Robot
parent fbab18c66a
commit 6baecf3148
3 changed files with 8 additions and 15 deletions


@ -314,6 +314,7 @@ func (test *clientTest) run(t *testing.T, write bool) {
if config == nil {
config = testConfig
}
config = config.Clone()
client := Client(clientConn, config)
defer client.Close()
@ -473,7 +474,6 @@ func peekError(conn net.Conn) error {
}
func runClientTestForVersion(t *testing.T, template *clientTest, version, option string) {
// Make a deep copy of the template before going parallel.
test := *template
if template.config != nil {
test.config = template.config.Clone()
@ -481,7 +481,7 @@ func runClientTestForVersion(t *testing.T, template *clientTest, version, option
test.name = version + "-" + test.name
test.args = append([]string{option}, test.args...)
runTestAndUpdateIfNeeded(t, version, test.run, false)
runTestAndUpdateIfNeeded(t, version, test.run)
}
func runClientTestTLS10(t *testing.T, template *clientTest) {
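Review bot: The new `config = config.Clone()` in `(*clientTest).run` has no comment saying why the copy is needed, and because `runClientTestForVersion` still appears to clone non-nil template configs, it reads as redundant and is easy to delete in a later cleanup. The commit message gives the reason (STEK generation on a shared config would otherwise influence the randomness draw), so I would record it at the call site: `// Clone so per-Config state such as session ticket keys is generated inside this test and does not shift the deterministic randomness draw.` The same line is added to `(*serverTest).run` in the server test file and wants the same comment. Both `run` bodies continue outside the hunks shown.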


@ -599,9 +599,6 @@ type serverTest struct {
// ConnectionState of the resulting connection. It returns false if the
// ConnectionState is unacceptable.
validate func(ConnectionState) error
// wait, if true, prevents this subtest from calling t.Parallel.
// If false, runServerTest* returns immediately.
wait bool
}
var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"}
@ -710,6 +707,7 @@ func (test *serverTest) run(t *testing.T, write bool) {
if config == nil {
config = testConfig
}
config = config.Clone()
server := Server(serverConn, config)
_, err := server.Write([]byte("hello, world\n"))
@ -772,7 +770,6 @@ func (test *serverTest) run(t *testing.T, write bool) {
}
func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) {
// Make a deep copy of the template before going parallel.
test := *template
if template.config != nil {
test.config = template.config.Clone()
@ -784,7 +781,7 @@ func runServerTestForVersion(t *testing.T, template *serverTest, version, option
test.command = append([]string(nil), test.command...)
test.command = append(test.command, option)
runTestAndUpdateIfNeeded(t, version, test.run, test.wait)
runTestAndUpdateIfNeeded(t, version, test.run)
}
func runServerTestTLS10(t *testing.T, template *serverTest) {
@ -1232,7 +1229,6 @@ func TestServerResumption(t *testing.T) {
testIssue := &serverTest{
name: "IssueTicket",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
wait: true,
}
testResume := &serverTest{
name: "Resume",
@ -1280,7 +1276,6 @@ func TestServerResumptionDisabled(t *testing.T) {
name: "IssueTicketPreDisable",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
config: config,
wait: true,
}
testResume := &serverTest{
name: "ResumeDisabled",
@ -1483,8 +1478,6 @@ func TestClientAuth(t *testing.T) {
defer os.Remove(ed25519CertPath)
ed25519KeyPath = tempFile(clientEd25519KeyPEM)
defer os.Remove(ed25519KeyPath)
} else {
t.Parallel()
}
config := testConfig.Clone()
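Review bot: With the `wait` field gone, nothing in `TestServerResumption` or `TestServerResumptionDisabled` records that the ticket-issuing subtest has to finish before the resume subtest starts; the ordering now rests entirely on `runTestAndUpdateIfNeeded` never calling `t.Parallel`. The issuing tests write `sessionFilePath` via `-sess_out`, and the resume tests presumably read it back (their commands are outside the hunk), so a short comment above `testIssue` would keep that dependency visible: `// Must complete before testResume runs: it writes the session file that testResume loads.` Both test functions extend beyond the lines shown.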


@ -23,6 +23,7 @@ import (
"strings"
"sync"
"testing"
"testing/cryptotest"
"time"
)
@ -52,19 +53,18 @@ var (
bogoReport = flag.String("bogo-html-report", "", "File path to render an HTML report with BoGo results")
)
func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) {
func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool)) {
// FIPS mode is non-deterministic and so isn't suited for testing against static test transcripts.
skipFIPS(t)
success := t.Run(name, func(t *testing.T) {
if !*update && !wait {
t.Parallel()
}
cryptotest.SetGlobalRandom(t, 0)
run(t, false)
})
if !success && *update {
t.Run(name+"#update", func(t *testing.T) {
cryptotest.SetGlobalRandom(t, 0)
run(t, true)
})
}
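Review bot: `runTestAndUpdateIfNeeded` now installs a process-wide deterministic randomness source with `cryptotest.SetGlobalRandom(t, 0)`, but it has no doc comment stating that contract, so a `run` callback that later calls `t.Parallel` would conflict with it and nothing at this site explains why. I would add a comment above the function along the lines of `// runTestAndUpdateIfNeeded runs each subtest serially with a fixed-seed global randomness source so recorded transcripts reproduce; run must not call t.Parallel.` The seed literal `0` also appears in both subtests; a small named constant would keep the normal and `#update` runs from drifting apart. The function's closing brace is outside the hunk.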