crypto/tls: migrate off legacy testConfig
Change-Id: I6afbde4b57028fccc49a6cefab90d6bc6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/776701 Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
parent
ca4f272170
commit
c78a8273c8
7 changed files with 253 additions and 230 deletions
@ -125,13 +125,18 @@ func TestCertificateSelection(t *testing.T) {
|
|||
}
|
||||
|
||||
// Run with multiple crypto configs to test the logic for computing TLS record overheads.
|
||||
func runDynamicRecordSizingTest(t *testing.T, config *Config) {
|
||||
func runDynamicRecordSizingTest(t *testing.T, serverConfig *Config) {
|
||||
clientConn, serverConn := localPipe(t)
|
||||
|
||||
serverConfig := config.Clone()
|
||||
serverConfig = serverConfig.Clone()
|
||||
serverConfig.DynamicRecordSizingDisabled = false
|
||||
tlsConn := Server(serverConn, serverConfig)
|
||||
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MinVersion = serverConfig.MinVersion
|
||||
clientConfig.MaxVersion = serverConfig.MaxVersion
|
||||
clientConfig.CipherSuites = serverConfig.CipherSuites
|
||||
|
||||
handshakeDone := make(chan struct{})
|
||||
recordSizesChan := make(chan []int, 1)
|
||||
defer func() { <-recordSizesChan }() // wait for the goroutine to exit
|
||||
|
|
@ -142,7 +147,7 @@ func runDynamicRecordSizingTest(t *testing.T, config *Config) {
|
|||
defer close(recordSizesChan)
|
||||
defer clientConn.Close()
|
||||
|
||||
tlsConn := Client(clientConn, config)
|
||||
tlsConn := Client(clientConn, clientConfig)
|
||||
if err := tlsConn.Handshake(); err != nil {
|
||||
t.Errorf("Error from client handshake: %v", err)
|
||||
return
|
||||
|
|
@ -232,7 +237,7 @@ func runDynamicRecordSizingTest(t *testing.T, config *Config) {
|
|||
func TestDynamicRecordSizingWithStreamCipher(t *testing.T) {
|
||||
skipFIPS(t) // No RC4 in FIPS mode.
|
||||
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.MaxVersion = VersionTLS12
|
||||
config.CipherSuites = []uint16{TLS_RSA_WITH_RC4_128_SHA}
|
||||
runDynamicRecordSizingTest(t, config)
|
||||
|
|
@ -241,21 +246,21 @@ func TestDynamicRecordSizingWithStreamCipher(t *testing.T) {
|
|||
func TestDynamicRecordSizingWithCBC(t *testing.T) {
|
||||
skipFIPS(t) // No CBC cipher suites in defaultCipherSuitesFIPS.
|
||||
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.MaxVersion = VersionTLS12
|
||||
config.CipherSuites = []uint16{TLS_RSA_WITH_AES_256_CBC_SHA}
|
||||
runDynamicRecordSizingTest(t, config)
|
||||
}
|
||||
|
||||
func TestDynamicRecordSizingWithAEAD(t *testing.T) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.MaxVersion = VersionTLS12
|
||||
config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
|
||||
runDynamicRecordSizingTest(t, config)
|
||||
}
|
||||
|
||||
func TestDynamicRecordSizingWithTLSv13(t *testing.T) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
runDynamicRecordSizingTest(t, config)
|
||||
}
|
||||
|
||||
|
|
@ -295,11 +300,13 @@ func TestRecordBadVersionTLS13(t *testing.T) {
|
|||
defer server.Close()
|
||||
defer client.Close()
|
||||
|
||||
config := testConfig.Clone()
|
||||
config.MinVersion, config.MaxVersion = VersionTLS13, VersionTLS13
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MinVersion, clientConfig.MaxVersion = VersionTLS13, VersionTLS13
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MinVersion, serverConfig.MaxVersion = VersionTLS13, VersionTLS13
|
||||
|
||||
go func() {
|
||||
tlsConn := Client(client, config)
|
||||
tlsConn := Client(client, clientConfig)
|
||||
if err := tlsConn.Handshake(); err != nil {
|
||||
t.Errorf("Error from client handshake: %v", err)
|
||||
return
|
||||
|
|
@ -308,7 +315,7 @@ func TestRecordBadVersionTLS13(t *testing.T) {
|
|||
tlsConn.Write([]byte{1})
|
||||
}()
|
||||
|
||||
tlsConn := Server(server, config)
|
||||
tlsConn := Server(server, serverConfig)
|
||||
if err := tlsConn.Handshake(); err != nil {
|
||||
t.Errorf("Error from client handshake: %v", err)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -398,13 +398,15 @@ func TestFIPSCertAlgs(t *testing.T) {
|
|||
|
||||
// client verifying server cert
|
||||
testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key any, list [][]byte, ok bool) {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigFIPS140.Clone()
|
||||
clientConfig.RootCAs = pool
|
||||
clientConfig.InsecureSkipVerify = false
|
||||
clientConfig.ServerName = "example.com"
|
||||
clientConfig.Time = func() time.Time { return time.Unix(0, 0) }
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigFIPS140.Clone()
|
||||
serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
|
||||
serverConfig.Time = func() time.Time { return time.Unix(0, 0) }
|
||||
|
||||
clientErr, _ := fipsHandshake(t, clientConfig, serverConfig)
|
||||
|
||||
|
|
@ -425,13 +427,15 @@ func TestFIPSCertAlgs(t *testing.T) {
|
|||
|
||||
// server verifying client cert
|
||||
testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key any, list [][]byte, ok bool) {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig.ServerName = "example.com"
|
||||
clientConfig := testConfigFIPS140.Clone()
|
||||
clientConfig.InsecureSkipVerify = true
|
||||
clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
|
||||
clientConfig.Time = func() time.Time { return time.Unix(0, 0) }
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigFIPS140.Clone()
|
||||
serverConfig.ClientCAs = pool
|
||||
serverConfig.ClientAuth = RequireAndVerifyClientCert
|
||||
serverConfig.Time = func() time.Time { return time.Unix(0, 0) }
|
||||
|
||||
_, serverErr := fipsHandshake(t, clientConfig, serverConfig)
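Review bot: In testClientCert the client now runs with `clientConfig.InsecureSkipVerify = true` and, as far as the hunk shows, no longer sets ServerName (that assignment appears only on the old side), so the only verification exercised is the server's `RequireAndVerifyClientCert` path; that is the stated intent of the helper but it deserves a why-comment on the flag, e.g. `// Only server-side client-cert verification is under test; skip server verification so it cannot mask the result.` Note that testServerCert explicitly sets `InsecureSkipVerify = false` on its testConfigFIPS140 clone while testClientCert explicitly sets it to true, so neither helper depends on the base config's default, which is the safer way to write it; if testConfigFIPS140 leaves the field unset the false assignment is redundant but harmless. Both helper bodies continue past the end of their hunks.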
|
||||
|
||||
|
|
|
|||
|
|
@ -1209,13 +1209,15 @@ func TestLRUClientSessionCache(t *testing.T) {
|
|||
func TestKeyLogTLS12(t *testing.T) {
|
||||
var serverBuf, clientBuf bytes.Buffer
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.KeyLogWriter = &clientBuf
|
||||
clientConfig.MaxVersion = VersionTLS12
|
||||
clientConfig.Rand = zeroSource{}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.KeyLogWriter = &serverBuf
|
||||
serverConfig.MaxVersion = VersionTLS12
|
||||
serverConfig.Rand = zeroSource{}
|
||||
|
||||
c, s := localPipe(t)
|
||||
done := make(chan bool)
|
||||
|
|
@ -1262,11 +1264,13 @@ func TestKeyLogTLS12(t *testing.T) {
|
|||
func TestKeyLogTLS13(t *testing.T) {
|
||||
var serverBuf, clientBuf bytes.Buffer
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.KeyLogWriter = &clientBuf
|
||||
clientConfig.Rand = zeroSource{}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.KeyLogWriter = &serverBuf
|
||||
serverConfig.Rand = zeroSource{}
|
||||
|
||||
c, s := localPipe(t)
|
||||
done := make(chan bool)
|
||||
|
|
@ -2065,11 +2069,8 @@ func testVerifyPeerCertificate(t *testing.T, version uint16) {
|
|||
var clientCalled, serverCalled bool
|
||||
|
||||
go func() {
|
||||
config := testConfig.Clone()
|
||||
config.ServerName = "test.golang.example"
|
||||
config := testConfigServer.Clone()
|
||||
config.ClientAuth = RequireAndVerifyClientCert
|
||||
config.ClientCAs = testClientRootCertPool
|
||||
config.Time = testTime
|
||||
config.MaxVersion = version
|
||||
config.Certificates = []Certificate{testRSA2048Cert}
|
||||
config.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
|
||||
|
|
@ -2081,11 +2082,8 @@ func testVerifyPeerCertificate(t *testing.T, version uint16) {
|
|||
done <- err
|
||||
}()
|
||||
|
||||
config := testConfig.Clone()
|
||||
config := testConfigClient.Clone()
|
||||
config.Certificates = []Certificate{testClientRSA2048Cert}
|
||||
config.ServerName = "test.golang.example"
|
||||
config.RootCAs = testRootCertPool
|
||||
config.Time = testTime
|
||||
config.MaxVersion = version
|
||||
test.configureClient(config, &clientCalled)
|
||||
clientErr := Client(c, config).Handshake()
|
||||
|
|
@ -2128,13 +2126,13 @@ func TestFailedWrite(t *testing.T) {
|
|||
done := make(chan bool)
|
||||
|
||||
go func() {
|
||||
Server(s, testConfig).Handshake()
|
||||
Server(s, testConfigServer.Clone()).Handshake()
|
||||
s.Close()
|
||||
done <- true
|
||||
}()
|
||||
|
||||
brokenC := &brokenConn{Conn: c, breakAfter: breakAfter}
|
||||
err := Client(brokenC, testConfig).Handshake()
|
||||
err := Client(brokenC, testConfigClient.Clone()).Handshake()
|
||||
if err != brokenConnErr {
|
||||
t.Errorf("#%d: expected error from brokenConn but got %q", breakAfter, err)
|
||||
}
|
||||
|
|
@ -2170,14 +2168,14 @@ func testBuffering(t *testing.T, version uint16) {
|
|||
serverWCC := &writeCountingConn{Conn: s}
|
||||
|
||||
go func() {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.MaxVersion = version
|
||||
Server(serverWCC, config).Handshake()
|
||||
serverWCC.Close()
|
||||
done <- true
|
||||
}()
|
||||
|
||||
err := Client(clientWCC, testConfig).Handshake()
|
||||
err := Client(clientWCC, testConfigClient.Clone()).Handshake()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
@ -2209,7 +2207,7 @@ func TestAlertFlushing(t *testing.T) {
|
|||
clientWCC := &writeCountingConn{Conn: c}
|
||||
serverWCC := &writeCountingConn{Conn: s}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
|
||||
// Cause a signature-time error
|
||||
brokenKey := rsa.PrivateKey{PublicKey: testRSA2048Key.PublicKey}
|
||||
|
|
@ -2225,7 +2223,7 @@ func TestAlertFlushing(t *testing.T) {
|
|||
done <- true
|
||||
}()
|
||||
|
||||
err := Client(clientWCC, testConfig).Handshake()
|
||||
err := Client(clientWCC, testConfigClient.Clone()).Handshake()
|
||||
if err == nil {
|
||||
t.Fatal("client unexpectedly returned no error")
|
||||
}
|
||||
|
|
@ -2254,7 +2252,7 @@ func TestHandshakeRace(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
|
||||
go func() {
|
||||
server := Server(s, testConfig)
|
||||
server := Server(s, testConfigServer.Clone())
|
||||
if err := server.Handshake(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
|
@ -2272,7 +2270,7 @@ func TestHandshakeRace(t *testing.T) {
|
|||
startRead := make(chan struct{})
|
||||
readDone := make(chan struct{}, 1)
|
||||
|
||||
client := Client(c, testConfig)
|
||||
client := Client(c, testConfigClient.Clone())
|
||||
go func() {
|
||||
<-startWrite
|
||||
var request [1]byte
|
||||
|
|
@ -2386,16 +2384,15 @@ func TestGetClientCertificate(t *testing.T) {
|
|||
func testGetClientCertificate(t *testing.T, version uint16) {
|
||||
// Note: using RSA 2048 test certificates because they are compatible with FIPS mode.
|
||||
for i, test := range getClientCertificateTests {
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.Certificates = []Certificate{testRSA2048Cert}
|
||||
serverConfig.ClientAuth = VerifyClientCertIfGiven
|
||||
serverConfig.RootCAs = testRootCertPool
|
||||
serverConfig.ClientCAs = testClientRootCertPool
|
||||
serverConfig.Time = testTime
|
||||
serverConfig.MinVersion = VersionTLS10
|
||||
serverConfig.MaxVersion = version
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.Certificates = []Certificate{testClientRSA2048Cert}
|
||||
clientConfig.MinVersion = VersionTLS10
|
||||
clientConfig.MaxVersion = version
|
||||
|
||||
test.setup(clientConfig, serverConfig)
|
||||
|
|
@ -2490,7 +2487,7 @@ RwBA9Xk1KBNF
|
|||
|
||||
func TestCloseClientConnectionOnIdleServer(t *testing.T) {
|
||||
clientConn, serverConn := localPipe(t)
|
||||
client := Client(clientConn, testConfig.Clone())
|
||||
client := Client(clientConn, testConfigClient.Clone())
|
||||
go func() {
|
||||
var b [1]byte
|
||||
serverConn.Read(b[:])
|
||||
|
|
@ -2511,9 +2508,11 @@ func testDowngradeCanary(t *testing.T, clientVersion, serverVersion uint16) erro
|
|||
defer func() { testingOnlyForceDowngradeCanary = false }()
|
||||
testingOnlyForceDowngradeCanary = true
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MinVersion = VersionTLS10
|
||||
clientConfig.MaxVersion = clientVersion
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MinVersion = VersionTLS10
|
||||
serverConfig.MaxVersion = serverVersion
|
||||
_, _, err := testHandshake(t, clientConfig, serverConfig)
|
||||
return err
|
||||
|
|
@ -2570,7 +2569,7 @@ func testResumptionKeepsOCSPAndSCT(t *testing.T, ver uint16) {
|
|||
RootCAs: testRootCertPool,
|
||||
Time: testTime,
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.Certificates = []Certificate{testRSA2048Cert}
|
||||
serverConfig.MaxVersion = ver
|
||||
serverConfig.Certificates[0].OCSPStaple = []byte{1, 2, 3}
|
||||
|
|
@ -2646,7 +2645,7 @@ func TestClientHandshakeContextCancellation(t *testing.T) {
|
|||
<-unblockServer
|
||||
_ = s.Close()
|
||||
}()
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
// Initiates client side handshake, which will block until the client hello is read
|
||||
// by the server, unless the cancellation works.
|
||||
err := cli.HandshakeContext(ctx)
|
||||
|
|
@ -2703,7 +2702,7 @@ func TestTLS13OnlyClientHelloCipherSuite(t *testing.T) {
|
|||
|
||||
func testTLS13OnlyClientHelloCipherSuite(t *testing.T, ciphers []uint16) {
|
||||
serverConfig := &Config{
|
||||
Certificates: testConfig.Certificates,
|
||||
Certificates: testConfigServer.Certificates,
|
||||
GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
|
||||
expectedCiphersuites := defaultCipherSuitesTLS13NoAES
|
||||
if fips140tls.Required() {
|
||||
|
|
@ -2794,7 +2793,7 @@ u58=
|
|||
func TestHandshakeRSATooBig(t *testing.T) {
|
||||
testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM))
|
||||
|
||||
c := &Conn{conn: &discardConn{}, config: testConfig.Clone()}
|
||||
c := &Conn{conn: &discardConn{}, config: testConfigClient.Clone()}
|
||||
|
||||
expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits"
|
||||
err := c.verifyServerCertificate([][]byte{testCert.Bytes})
|
||||
|
|
@ -2818,8 +2817,8 @@ func TestTLS13ECHRejectionCallbacks(t *testing.T) {
|
|||
SerialNumber: big.NewInt(1),
|
||||
Subject: pkix.Name{CommonName: "test"},
|
||||
DNSNames: []string{"example.golang"},
|
||||
NotBefore: testConfig.Time().Add(-time.Hour),
|
||||
NotAfter: testConfig.Time().Add(time.Hour),
|
||||
NotBefore: testConfigServer.Time().Add(-time.Hour),
|
||||
NotAfter: testConfigServer.Time().Add(time.Hour),
|
||||
}
|
||||
certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
|
||||
if err != nil {
|
||||
|
|
@ -2830,7 +2829,7 @@ func TestTLS13ECHRejectionCallbacks(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
|
||||
clientConfig, serverConfig := testConfigClient.Clone(), testConfigServer.Clone()
|
||||
serverConfig.Certificates = []Certificate{
|
||||
{
|
||||
Certificate: [][]byte{certDER},
|
||||
|
|
@ -2915,7 +2914,7 @@ func TestTLS13ECHRejectionCallbacks(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestECHTLS12Server(t *testing.T) {
|
||||
clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
|
||||
clientConfig, serverConfig := testConfigClient.Clone(), testConfigServer.Clone()
|
||||
|
||||
serverConfig.MaxVersion = VersionTLS12
|
||||
clientConfig.MinVersion = 0
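Review bot: testTLS13OnlyClientHelloCipherSuite builds its server config with `Certificates: testConfigServer.Certificates`, which aliases the package-level test config's slice rather than giving the test its own, while the same commit replaces the equivalent `testConfig.Certificates` in testCrossVersionResume with a fresh `[]Certificate{testRSA2048Cert}`. Tests in this file do assign into `Certificates[0]` (the SignedCertificateTimestamps and OCSPStaple fields in testVerifyPeerCertificate and testResumptionKeepsOCSPAndSCT), so an aliased slice is one edit away from mutating shared state, and Config.Clone copies only the slice header, so cloning would not help. Use the same fresh literal here, `Certificates: []Certificate{testRSA2048Cert},`, assuming that is the certificate testConfigServer carries. The enclosing function continues past the end of its hunk.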
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ func testFatal(t *testing.T, err error) {
|
|||
func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {
|
||||
c, s := localPipe(t)
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
if ch, ok := m.(*clientHelloMsg); ok {
|
||||
cli.vers = ch.vers
|
||||
}
|
||||
|
|
@ -98,13 +98,13 @@ func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessa
|
|||
}
|
||||
|
||||
func TestSimpleError(t *testing.T) {
|
||||
testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message")
|
||||
testClientHelloFailure(t, testConfigServer.Clone(), &serverHelloDoneMsg{}, "unexpected handshake message")
|
||||
}
|
||||
|
||||
var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30}
|
||||
|
||||
func TestRejectBadProtocolVersion(t *testing.T) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.MinVersion = VersionSSL30
|
||||
for _, v := range badProtocolVersions {
|
||||
testClientHelloFailure(t, config, &clientHelloMsg{
|
||||
|
|
@ -126,7 +126,7 @@ func TestNoSuiteOverlap(t *testing.T) {
|
|||
cipherSuites: []uint16{0xff00},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
}
|
||||
testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")
|
||||
testClientHelloFailure(t, testConfigServer.Clone(), clientHello, "no cipher suite supported by both client and server")
|
||||
}
|
||||
|
||||
func TestNoCompressionOverlap(t *testing.T) {
|
||||
|
|
@ -136,7 +136,7 @@ func TestNoCompressionOverlap(t *testing.T) {
|
|||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{0xff},
|
||||
}
|
||||
testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
|
||||
testClientHelloFailure(t, testConfigServer.Clone(), clientHello, "client does not support uncompressed connections")
|
||||
}
|
||||
|
||||
func TestNoRC4ByDefault(t *testing.T) {
|
||||
|
|
@ -146,7 +146,7 @@ func TestNoRC4ByDefault(t *testing.T) {
|
|||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
// Reset the enabled cipher suites to nil in order to test the
|
||||
// defaults.
|
||||
serverConfig.CipherSuites = nil
|
||||
|
|
@ -154,7 +154,7 @@ func TestNoRC4ByDefault(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestRejectSNIWithTrailingDot(t *testing.T) {
|
||||
testClientHelloFailure(t, testConfig, &clientHelloMsg{
|
||||
testClientHelloFailure(t, testConfigServer.Clone(), &clientHelloMsg{
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
serverName: "foo.com.",
|
||||
|
|
@ -172,7 +172,7 @@ func TestDontSelectECDSAWithRSAKey(t *testing.T) {
|
|||
supportedCurves: []CurveID{CurveP256},
|
||||
supportedPoints: []uint8{pointFormatUncompressed},
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.CipherSuites = clientHello.cipherSuites
|
||||
serverConfig.Certificates = make([]Certificate, 1)
|
||||
serverConfig.Certificates[0] = testECDSAP256Cert
|
||||
|
|
@ -182,7 +182,7 @@ func TestDontSelectECDSAWithRSAKey(t *testing.T) {
|
|||
|
||||
// Now test that switching to an RSA key causes the expected error (and
|
||||
// not an internal error about a signing failure).
|
||||
serverConfig.Certificates = testConfig.Certificates
|
||||
serverConfig.Certificates = []Certificate{testRSA2048Cert}
|
||||
testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server")
|
||||
}
|
||||
|
||||
|
|
@ -197,7 +197,7 @@ func TestDontSelectRSAWithECDSAKey(t *testing.T) {
|
|||
supportedCurves: []CurveID{CurveP256},
|
||||
supportedPoints: []uint8{pointFormatUncompressed},
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.CipherSuites = clientHello.cipherSuites
|
||||
// First test that it *does* work when the server's key is RSA.
|
||||
testClientHello(t, serverConfig, clientHello)
|
||||
|
|
@ -225,7 +225,7 @@ func TestRenegotiationExtension(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
cli.vers = clientHello.vers
|
||||
if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
|
||||
testFatal(t, err)
|
||||
|
|
@ -240,7 +240,10 @@ func TestRenegotiationExtension(t *testing.T) {
|
|||
bufChan <- buf[:n]
|
||||
}()
|
||||
|
||||
Server(s, testConfig).Handshake()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.CipherSuites = allCipherSuites()
|
||||
serverConfig.MinVersion = VersionTLS10
|
||||
Server(s, serverConfig).Handshake()
|
||||
buf := <-bufChan
|
||||
|
||||
if len(buf) < 5+4 {
|
||||
|
|
@ -287,7 +290,7 @@ func TestTLS12OnlyCipherSuites(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
replyChan := make(chan any)
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
cli.vers = clientHello.vers
|
||||
if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
|
||||
testFatal(t, err)
|
||||
|
|
@ -300,8 +303,9 @@ func TestTLS12OnlyCipherSuites(t *testing.T) {
|
|||
replyChan <- reply
|
||||
}
|
||||
}()
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.CipherSuites = clientHello.cipherSuites
|
||||
config.MinVersion = VersionTLS10
|
||||
Server(s, config).Handshake()
|
||||
s.Close()
|
||||
reply := <-replyChan
|
||||
|
|
@ -352,7 +356,7 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
replyChan := make(chan any)
|
||||
go func() {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.Certificates = []Certificate{testRSA2048Cert}
|
||||
cli := Client(c, clientConfig)
|
||||
cli.vers = clientHello.vers
|
||||
|
|
@ -367,7 +371,7 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
replyChan <- reply
|
||||
}
|
||||
}()
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.Certificates = []Certificate{testRSA2048Cert}
|
||||
serverConfig.CipherSuites = clientHello.cipherSuites
|
||||
Server(s, serverConfig).Handshake()
|
||||
|
|
@ -396,11 +400,11 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
func TestAlertForwarding(t *testing.T) {
|
||||
c, s := localPipe(t)
|
||||
go func() {
|
||||
Client(c, testConfig).sendAlert(alertUnknownCA)
|
||||
Client(c, testConfigClient.Clone()).sendAlert(alertUnknownCA)
|
||||
c.Close()
|
||||
}()
|
||||
|
||||
err := Server(s, testConfig).Handshake()
|
||||
err := Server(s, testConfigServer.Clone()).Handshake()
|
||||
s.Close()
|
||||
if opErr, ok := errors.AsType[*net.OpError](err); !ok || opErr.Err != error(alertUnknownCA) {
|
||||
t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA))
|
||||
|
|
@ -411,7 +415,7 @@ func TestClose(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
go c.Close()
|
||||
|
||||
err := Server(s, testConfig).Handshake()
|
||||
err := Server(s, testConfigServer.Clone()).Handshake()
|
||||
s.Close()
|
||||
if err != io.EOF {
|
||||
t.Errorf("Got error: %s; expected: %s", err, io.EOF)
|
||||
|
|
@ -420,7 +424,7 @@ func TestClose(t *testing.T) {
|
|||
|
||||
func TestVersion(t *testing.T) {
|
||||
serverConfig := &Config{
|
||||
Certificates: testConfig.Certificates,
|
||||
Certificates: testConfigServer.Certificates,
|
||||
MaxVersion: VersionTLS13,
|
||||
}
|
||||
clientConfig := &Config{
|
||||
|
|
@ -449,7 +453,7 @@ func TestCipherSuitePreference(t *testing.T) {
|
|||
serverConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
|
||||
Certificates: testConfig.Certificates,
|
||||
Certificates: testConfigServer.Certificates,
|
||||
MaxVersion: VersionTLS12,
|
||||
GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) {
|
||||
if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 {
|
||||
|
|
@ -513,7 +517,7 @@ func TestCrossVersionResume(t *testing.T) {
|
|||
func testCrossVersionResume(t *testing.T, version uint16) {
|
||||
serverConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
Certificates: testConfig.Certificates,
|
||||
Certificates: []Certificate{testRSA2048Cert},
|
||||
Time: testTime,
|
||||
}
|
||||
clientConfig := &Config{
|
||||
|
|
@ -1181,7 +1185,7 @@ func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
|
|||
// Go's TLS client presents extensions in the ClientHello sorted by extension ID
|
||||
slices.Sort(expectedExtensions)
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
|
||||
if !slices.Equal(expectedExtensions, clientHello.Extensions) {
|
||||
t.Errorf("expected extensions on ClientHelloInfo (%v) to match clientHelloMsg (%v)", expectedExtensions, clientHello.Extensions)
|
||||
|
|
@ -1204,7 +1208,7 @@ func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
|
|||
func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
|
||||
const errMsg = "TestHandshakeServerSNIGetCertificateError error"
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
|
||||
return nil, errors.New(errMsg)
|
||||
}
|
||||
|
|
@ -1224,7 +1228,7 @@ func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
|
|||
func TestHandshakeServerEmptyCertificates(t *testing.T) {
|
||||
const errMsg = "TestHandshakeServerEmptyCertificates error"
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {
|
||||
return nil, errors.New(errMsg)
|
||||
}
|
||||
|
|
@ -1403,7 +1407,7 @@ func TestHandshakeServerEd25519(t *testing.T) {
|
|||
}
|
||||
|
||||
func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.CipherSuites = []uint16{cipherSuite}
|
||||
config.CurvePreferences = []CurveID{curve}
|
||||
config.Certificates = make([]Certificate, 1)
|
||||
|
|
@ -1414,7 +1418,7 @@ func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16,
|
|||
clientConn, serverConn := localPipe(b)
|
||||
serverConn = &recordingConn{Conn: serverConn}
|
||||
go func() {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigClient.Clone()
|
||||
config.MaxVersion = version
|
||||
config.CurvePreferences = []CurveID{curve}
|
||||
client := Client(clientConn, config)
|
||||
|
|
@ -1562,13 +1566,13 @@ func TestSNIGivenOnFailure(t *testing.T) {
|
|||
serverName: expectedServerName,
|
||||
}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
// Erase the server's cipher suites to ensure the handshake fails.
|
||||
serverConfig.CipherSuites = nil
|
||||
|
||||
c, s := localPipe(t)
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
cli.vers = clientHello.vers
|
||||
if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
|
||||
testFatal(t, err)
|
||||
|
|
@ -1630,7 +1634,7 @@ var getConfigForClientTests = []struct {
|
|||
{
|
||||
nil,
|
||||
func(clientHello *ClientHelloInfo) (*Config, error) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
// Setting a maximum version of TLS 1.1 should cause
|
||||
// the handshake to fail, as the client MinVersion is TLS 1.2.
|
||||
config.MaxVersion = VersionTLS11
|
||||
|
|
@ -1647,7 +1651,7 @@ var getConfigForClientTests = []struct {
|
|||
config.sessionTicketKeys = nil
|
||||
},
|
||||
func(clientHello *ClientHelloInfo) (*Config, error) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
clear(config.SessionTicketKey[:])
|
||||
config.sessionTicketKeys = nil
|
||||
return config, nil
|
||||
|
|
@ -1670,7 +1674,7 @@ var getConfigForClientTests = []struct {
|
|||
config.SetSessionTicketKeys([][32]byte{dummyKey})
|
||||
},
|
||||
func(clientHello *ClientHelloInfo) (*Config, error) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.sessionTicketKeys = nil
|
||||
return config, nil
|
||||
},
|
||||
|
|
@ -1685,8 +1689,8 @@ var getConfigForClientTests = []struct {
|
|||
}
|
||||
|
||||
func TestGetConfigForClient(t *testing.T) {
|
||||
serverConfig := testConfig.Clone()
|
||||
clientConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MinVersion = VersionTLS12
|
||||
|
||||
for i, test := range getConfigForClientTests {
|
||||
|
|
@ -1734,7 +1738,7 @@ func TestGetConfigForClient(t *testing.T) {
|
|||
|
||||
func TestCloseServerConnectionOnIdleClient(t *testing.T) {
|
||||
clientConn, serverConn := localPipe(t)
|
||||
server := Server(serverConn, testConfig.Clone())
|
||||
server := Server(serverConn, testConfigServer.Clone())
|
||||
go func() {
|
||||
clientConn.Write([]byte{'0'})
|
||||
server.Close()
|
||||
|
|
@ -1772,7 +1776,7 @@ func expectError(t *testing.T, err error, sub string) {
|
|||
func TestKeyTooSmallForRSAPSS(t *testing.T) {
|
||||
t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",rsa1024min=0")
|
||||
clientConn, serverConn := localPipe(t)
|
||||
client := Client(clientConn, testConfigClient)
|
||||
client := Client(clientConn, testConfigClient.Clone())
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
config := testConfigServer.Clone()
|
||||
|
|
@ -1789,11 +1793,11 @@ func TestKeyTooSmallForRSAPSS(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestMultipleCertificates(t *testing.T) {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
|
||||
clientConfig.MaxVersion = VersionTLS12
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.Certificates = []Certificate{testECDSAP256Cert, testRSA2048Cert}
|
||||
|
||||
_, clientState, err := testHandshake(t, clientConfig, serverConfig)
|
||||
|
|
@ -2063,7 +2067,7 @@ func TestServerHandshakeContextCancellation(t *testing.T) {
|
|||
<-unblockClient
|
||||
_ = c.Close()
|
||||
}()
|
||||
conn := Server(s, testConfig)
|
||||
conn := Server(s, testConfigServer.Clone())
|
||||
// Initiates server side handshake, which will block until a client hello is read
|
||||
// unless the cancellation works.
|
||||
err := conn.HandshakeContext(ctx)
|
||||
|
|
@ -2090,8 +2094,8 @@ func TestServerHandshakeContextCancellation(t *testing.T) {
|
|||
func TestHandshakeContextHierarchy(t *testing.T) {
|
||||
c, s := localPipe(t)
|
||||
clientErr := make(chan error, 1)
|
||||
clientConfig := testConfig.Clone()
|
||||
serverConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
key := struct{}{}
|
||||
|
|
@ -2197,7 +2201,7 @@ func testHandshakeChainExpiryResumption(t *testing.T, version uint16) {
|
|||
t.Run(name, func(t *testing.T) {
|
||||
initialLeafDER, expiredLeafDER, initialRoot := createChain(leafNotAfter, rootNotAfter)
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MaxVersion = version
|
||||
serverConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{initialLeafDER, expiredLeafDER},
|
||||
|
|
@ -2212,7 +2216,7 @@ func testHandshakeChainExpiryResumption(t *testing.T, version uint16) {
|
|||
serverConfig.InsecureSkipVerify = false
|
||||
serverConfig.ServerName = "expired-resume.example.com"
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MaxVersion = version
|
||||
clientConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{initialLeafDER, expiredLeafDER},
|
||||
|
|
@ -2317,7 +2321,7 @@ func testHandshakeGetConfigForClientDifferentClientCAs(t *testing.T, version uin
|
|||
t.Fatalf("CreateCertificate: %v", err)
|
||||
}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MaxVersion = version
|
||||
serverConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{certA},
|
||||
|
|
@ -2342,7 +2346,7 @@ func testHandshakeGetConfigForClientDifferentClientCAs(t *testing.T, version uin
|
|||
serverConfig.InsecureSkipVerify = false
|
||||
serverConfig.ServerName = "example.com"
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MaxVersion = version
|
||||
clientConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{certA},
|
||||
|
|
@ -2435,7 +2439,7 @@ func testHandshakeChangeRootCAsResumption(t *testing.T, version uint16) {
|
|||
t.Fatalf("CreateCertificate: %v", err)
|
||||
}
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MaxVersion = version
|
||||
serverConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{certA},
|
||||
|
|
@ -2450,7 +2454,7 @@ func testHandshakeChangeRootCAsResumption(t *testing.T, version uint16) {
|
|||
serverConfig.InsecureSkipVerify = false
|
||||
serverConfig.ServerName = "example.com"
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MaxVersion = version
|
||||
clientConfig.Certificates = []Certificate{{
|
||||
Certificate: [][]byte{certA},
|
||||
|
|
|
|||
|
|
@ -670,7 +670,7 @@ func TestServerHelloTrailingMessage(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
go func() {
|
||||
ctx := context.Background()
|
||||
srv := Server(s, testConfig)
|
||||
srv := Server(s, testConfigServer.Clone())
|
||||
clientHello, _, err := srv.readClientHello(ctx)
|
||||
if err != nil {
|
||||
testFatal(t, err)
|
||||
|
|
@ -699,7 +699,7 @@ func TestServerHelloTrailingMessage(t *testing.T) {
|
|||
srv.Close()
|
||||
}()
|
||||
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
|
||||
if err := cli.Handshake(); err == nil {
|
||||
t.Fatal("expected error from incomplete handshake, got nil")
|
||||
|
|
@ -713,7 +713,7 @@ func TestClientHelloTrailingMessage(t *testing.T) {
|
|||
|
||||
c, s := localPipe(t)
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
|
||||
hello, _, _, err := cli.makeClientHello()
|
||||
if err != nil {
|
||||
|
|
@ -731,7 +731,7 @@ func TestClientHelloTrailingMessage(t *testing.T) {
|
|||
cli.Close()
|
||||
}()
|
||||
|
||||
srv := Server(s, testConfig)
|
||||
srv := Server(s, testConfigServer.Clone())
|
||||
expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
|
||||
if err := srv.Handshake(); err == nil {
|
||||
t.Fatal("expected error from incomplete handshake, got nil")
|
||||
|
|
@ -748,7 +748,7 @@ func TestDoubleClientHelloHRR(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
cli := Client(c, testConfigClient.Clone())
|
||||
|
||||
hello, _, _, err := cli.makeClientHello()
|
||||
if err != nil {
|
||||
|
|
@ -767,7 +767,7 @@ func TestDoubleClientHelloHRR(t *testing.T) {
|
|||
cli.Close()
|
||||
}()
|
||||
|
||||
srv := Server(s, testConfig)
|
||||
srv := Server(s, testConfigServer.Clone())
|
||||
expectedErr := "tls: handshake buffer not empty before HelloRetryRequest"
|
||||
if err := srv.Handshake(); err == nil {
|
||||
t.Fatal("expected error from incomplete handshake, got nil")
|
||||
|
|
@ -804,11 +804,14 @@ func TestMultipleKeyUpdate(t *testing.T) {
|
|||
t.Run(fmt.Sprintf("requestUpdate=%t", requestUpdate), func(t *testing.T) {
|
||||
|
||||
c, s := localPipe(t)
|
||||
cfg := testConfig.Clone()
|
||||
cfg.MinVersion = VersionTLS13
|
||||
cfg.MaxVersion = VersionTLS13
|
||||
client := Client(c, testConfig)
|
||||
server := Server(s, testConfig)
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MinVersion = VersionTLS13
|
||||
clientConfig.MaxVersion = VersionTLS13
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MinVersion = VersionTLS13
|
||||
serverConfig.MaxVersion = VersionTLS13
|
||||
client := Client(c, clientConfig)
|
||||
server := Server(s, serverConfig)
|
||||
|
||||
clientHandshakeDone := make(chan struct{})
|
||||
go func() {
|
||||
|
|
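Review bot: TestServerHelloTrailingMessage, TestClientHelloTrailingMessage and TestDoubleClientHelloHRR now hand `testConfigClient.Clone()` / `testConfigServer.Clone()` to Client and Server as-is, yet each asserts an error string that only arises on the TLS 1.3 path ("before setting read traffic secret", "before HelloRetryRequest"), so they presumably depend on the shared test configs negotiating TLS 1.3 by default. The TestMultipleKeyUpdate hunk in this same section pins `MinVersion = VersionTLS13` on both sides; doing the same here, e.g. `clientConfig := testConfigClient.Clone()` / `clientConfig.MinVersion = VersionTLS13` / `cli := Client(c, clientConfig)` (and the mirror for the server), would make the version the tests require explicit rather than inherited from whatever the defaults happen to be. The enclosing test functions begin and end outside these hunks.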
|
|||
|
|
@ -172,13 +172,15 @@ func runTestQUICConnection(ctx context.Context, cli, srv *testQUICConn, onEvent
|
|||
}
|
||||
|
||||
func TestQUICConnection(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cli := newTestQUICClient(t, config)
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
|
|
@ -214,12 +216,11 @@ func TestQUICConnection(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICSessionResumption(t *testing.T) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
clientConfig.TLSConfig.ServerName = "example.go.dev"
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
|
|
@ -258,12 +259,11 @@ func TestQUICSessionResumption(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICFragmentaryData(t *testing.T) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
clientConfig.TLSConfig.ServerName = "example.go.dev"
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
|
|
@ -290,11 +290,13 @@ func TestQUICFragmentaryData(t *testing.T) {
|
|||
|
||||
func TestQUICPostHandshakeClientAuthentication(t *testing.T) {
|
||||
// RFC 9001, Section 4.4.
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -318,11 +320,13 @@ func TestQUICPostHandshakeClientAuthentication(t *testing.T) {
|
|||
|
||||
func TestQUICPostHandshakeKeyUpdate(t *testing.T) {
|
||||
// RFC 9001, Section 6.
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -342,11 +346,13 @@ func TestQUICPostHandshakeKeyUpdate(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICPostHandshakeMessageTooLarge(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -364,12 +370,12 @@ func TestQUICPostHandshakeMessageTooLarge(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICHandshakeError(t *testing.T) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.InsecureSkipVerify = false
|
||||
clientConfig.TLSConfig.ServerName = "name"
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
|
|
@ -396,15 +402,18 @@ func TestQUICHandshakeError(t *testing.T) {
|
|||
// Test that we can report an error produced by the GetEncryptedClientHelloKeys function.
|
||||
func TestQUICECHKeyError(t *testing.T) {
|
||||
getECHKeysError := errors.New("error returned by GetEncryptedClientHelloKeys")
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
config.TLSConfig.NextProtos = []string{"h3"}
|
||||
config.TLSConfig.GetEncryptedClientHelloKeys = func(*ClientHelloInfo) ([]EncryptedClientHelloKey, error) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
serverConfig.TLSConfig.GetEncryptedClientHelloKeys = func(*ClientHelloInfo) ([]EncryptedClientHelloKey, error) {
|
||||
return nil, getECHKeysError
|
||||
}
|
||||
cli := newTestQUICClient(t, config)
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != errTransportParametersRequired {
|
||||
t.Fatalf("handshake with no client parameters: %v; want errTransportParametersRequired", err)
|
||||
|
|
@ -428,12 +437,15 @@ func TestQUICECHKeyError(t *testing.T) {
|
|||
// and that it reports the application protocol as soon as it has been
|
||||
// negotiated.
|
||||
func TestQUICConnectionState(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
config.TLSConfig.NextProtos = []string{"h3"}
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
onEvent := func(e QUICEvent, src, dst *testQUICConn) bool {
|
||||
cliCS := cli.conn.ConnectionState()
|
||||
|
|
@ -459,10 +471,12 @@ func TestQUICStartContextPropagation(t *testing.T) {
|
|||
const key = "key"
|
||||
const value = "value"
|
||||
ctx := context.WithValue(context.Background(), key, value)
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
calls := 0
|
||||
config.TLSConfig.GetConfigForClient = func(info *ClientHelloInfo) (*Config, error) {
|
||||
serverConfig.TLSConfig.GetConfigForClient = func(info *ClientHelloInfo) (*Config, error) {
|
||||
calls++
|
||||
got, _ := info.Context().Value(key).(string)
|
||||
if got != value {
|
||||
|
|
@ -470,9 +484,9 @@ func TestQUICStartContextPropagation(t *testing.T) {
|
|||
}
|
||||
return nil, nil
|
||||
}
|
||||
cli := newTestQUICClient(t, config)
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(ctx, cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -488,22 +502,24 @@ func TestQUICClientHelloInfoConn(t *testing.T) {
|
|||
clientHelloInfoConn.Close()
|
||||
peerConn.Close()
|
||||
})
|
||||
config := &QUICConfig{
|
||||
TLSConfig: testConfig.Clone(),
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{
|
||||
TLSConfig: testConfigServer.Clone(),
|
||||
ClientHelloInfoConn: clientHelloInfoConn,
|
||||
}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
var called bool
|
||||
config.TLSConfig.GetConfigForClient = func(info *ClientHelloInfo) (*Config, error) {
|
||||
serverConfig.TLSConfig.GetConfigForClient = func(info *ClientHelloInfo) (*Config, error) {
|
||||
called = true
|
||||
if info.Conn != clientHelloInfoConn {
|
||||
t.Errorf("ClientHelloInfo.Conn = %v, want %v", info.Conn, clientHelloInfoConn)
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
cli := newTestQUICClient(t, config)
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -515,11 +531,13 @@ func TestQUICClientHelloInfoConn(t *testing.T) {
|
|||
|
||||
func TestQUICContextCancelation(t *testing.T) {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
// Verify that canceling the connection context concurrently does not cause any races.
|
||||
// See https://go.dev/issue/77274.
|
||||
|
|
@ -532,12 +550,11 @@ func TestQUICContextCancelation(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICDelayedTransportParameters(t *testing.T) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
clientConfig.TLSConfig.ServerName = "example.go.dev"
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cliParams := "client params"
|
||||
|
|
@ -566,12 +583,14 @@ func TestQUICDelayedTransportParameters(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICEmptyTransportParameters(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
|
||||
cli := newTestQUICClient(t, config)
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
srv := newTestQUICServer(t, config)
|
||||
srv := newTestQUICServer(t, serverConfig)
|
||||
srv.conn.SetTransportParameters(nil)
|
||||
if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil {
|
||||
t.Fatalf("error during connection handshake: %v", err)
|
||||
|
|
@ -592,9 +611,9 @@ func TestQUICEmptyTransportParameters(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICCanceledWaitingForData(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.SetTransportParameters(nil)
|
||||
cli.conn.Start(context.Background())
|
||||
for cli.conn.NextEvent().Kind != QUICNoEvent {
|
||||
|
|
@ -606,9 +625,9 @@ func TestQUICCanceledWaitingForData(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICCanceledWaitingForTransportParams(t *testing.T) {
|
||||
config := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
config.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, config)
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
cli := newTestQUICClient(t, clientConfig)
|
||||
cli.conn.Start(context.Background())
|
||||
for cli.conn.NextEvent().Kind != QUICTransportParametersRequired {
|
||||
}
|
||||
|
|
@ -619,13 +638,12 @@ func TestQUICCanceledWaitingForTransportParams(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestQUICEarlyData(t *testing.T) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
clientConfig.TLSConfig.ServerName = "example.go.dev"
|
||||
clientConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
|
||||
|
|
@ -681,14 +699,13 @@ func TestQUICEarlyDataDeclined(t *testing.T) {
|
|||
}
|
||||
|
||||
func testQUICEarlyDataDeclined(t *testing.T, server bool) {
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
clientConfig := &QUICConfig{TLSConfig: testConfigClient.Clone()}
|
||||
clientConfig.EnableSessionEvents = true
|
||||
clientConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
clientConfig.TLSConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
clientConfig.TLSConfig.ServerName = "example.go.dev"
|
||||
clientConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfig.Clone()}
|
||||
serverConfig := &QUICConfig{TLSConfig: testConfigServer.Clone()}
|
||||
serverConfig.EnableSessionEvents = true
|
||||
serverConfig.TLSConfig.MinVersion = VersionTLS13
|
||||
serverConfig.TLSConfig.NextProtos = []string{"h3"}
|
||||
|
|
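Review bot: The same four-line block building a TLS 1.3-only client and server QUICConfig from `testConfigClient` and `testConfigServer` is now repeated verbatim in TestQUICConnection (first hunk of this section), TestQUICPostHandshakeClientAuthentication, TestQUICPostHandshakeKeyUpdate, TestQUICPostHandshakeMessageTooLarge, TestQUICStartContextPropagation, TestQUICClientHelloInfoConn, TestQUICContextCancelation and TestQUICEmptyTransportParameters. A small file-local helper returning the pair would keep each test to one line and give a single place to adjust when the shared test configs change again. The tests that further customise a config (NextProtos, GetConfigForClient, ClientHelloInfoConn) can still do so on the returned values. Each of these test functions continues outside its hunk.
```go
// newQUICTestConfigs returns a TLS 1.3-only client and server QUICConfig pair
// built from the shared test configs; callers may customise either further.
func newQUICTestConfigs() (clientConfig, serverConfig *QUICConfig) {
	clientConfig = &QUICConfig{TLSConfig: testConfigClient.Clone()}
	clientConfig.TLSConfig.MinVersion = VersionTLS13
	serverConfig = &QUICConfig{TLSConfig: testConfigServer.Clone()}
	serverConfig.TLSConfig.MinVersion = VersionTLS13
	return clientConfig, serverConfig
}

func TestQUICConnection(t *testing.T) {
	clientConfig, serverConfig := newQUICTestConfigs()
	// … unchanged: client/server construction and runTestQUICConnection …
```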
|
|||
|
|
@ -297,7 +297,7 @@ func TestDeadlineOnWrite(t *testing.T) {
|
|||
srvCh <- nil
|
||||
return
|
||||
}
|
||||
srv := Server(sconn, testConfig.Clone())
|
||||
srv := Server(sconn, testConfigServer.Clone())
|
||||
if err := srv.Handshake(); err != nil {
|
||||
srvCh <- nil
|
||||
return
|
||||
|
|
@ -305,7 +305,7 @@ func TestDeadlineOnWrite(t *testing.T) {
|
|||
srvCh <- srv
|
||||
}()
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MaxVersion = VersionTLS12
|
||||
conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
|
||||
if err != nil {
|
||||
|
|
@ -435,7 +435,7 @@ func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
|
|||
srvCh <- nil
|
||||
return
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
srv := Server(sconn, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
serr = fmt.Errorf("handshake: %v", err)
|
||||
|
|
@ -445,7 +445,7 @@ func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
|
|||
srvCh <- srv
|
||||
}()
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
// In TLS 1.3, alerts are encrypted and disguised as application data, so
|
||||
// the opportunistic peek won't work.
|
||||
clientConfig.MaxVersion = VersionTLS12
|
||||
|
|
@ -485,6 +485,9 @@ func TestTLSUniqueMatches(t *testing.T) {
|
|||
ln := newLocalListener(t)
|
||||
defer ln.Close()
|
||||
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3
|
||||
|
||||
serverTLSUniques := make(chan []byte)
|
||||
parentDone := make(chan struct{})
|
||||
childDone := make(chan struct{})
|
||||
|
|
@ -497,8 +500,6 @@ func TestTLSUniqueMatches(t *testing.T) {
|
|||
t.Error(err)
|
||||
return
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3
|
||||
srv := Server(sconn, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
t.Error(err)
|
||||
|
|
@ -512,7 +513,7 @@ func TestTLSUniqueMatches(t *testing.T) {
|
|||
}
|
||||
}()
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
|
||||
conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
|
||||
if err != nil {
|
||||
|
|
@ -630,7 +631,7 @@ func TestConnCloseBreakingWrite(t *testing.T) {
|
|||
srvCh <- nil
|
||||
return
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
srv := Server(sconn, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
serr = fmt.Errorf("handshake: %v", err)
|
||||
|
|
@ -650,7 +651,7 @@ func TestConnCloseBreakingWrite(t *testing.T) {
|
|||
Conn: cconn,
|
||||
}
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
tconn := Client(conn, clientConfig)
|
||||
if err := tconn.Handshake(); err != nil {
|
||||
t.Fatal(err)
|
||||
|
|
@ -707,7 +708,7 @@ func TestConnCloseWrite(t *testing.T) {
|
|||
}
|
||||
defer sconn.Close()
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
srv := Server(sconn, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
return fmt.Errorf("handshake: %v", err)
|
||||
|
|
@ -737,7 +738,7 @@ func TestConnCloseWrite(t *testing.T) {
|
|||
clientCloseWrite := func() error {
|
||||
defer close(clientDoneChan)
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -792,7 +793,7 @@ func TestConnCloseWrite(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
defer netConn.Close()
|
||||
conn := Client(netConn, testConfig.Clone())
|
||||
conn := Client(netConn, testConfigClient.Clone())
|
||||
|
||||
if err := conn.CloseWrite(); err != errEarlyCloseWrite {
|
||||
t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
|
||||
|
|
@ -811,7 +812,7 @@ func TestWarningAlertFlood(t *testing.T) {
|
|||
}
|
||||
defer sconn.Close()
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
srv := Server(sconn, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
return fmt.Errorf("handshake: %v", err)
|
||||
|
|
@ -833,7 +834,7 @@ func TestWarningAlertFlood(t *testing.T) {
|
|||
errChan := make(chan error, 1)
|
||||
go func() { errChan <- server() }()
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.MaxVersion = VersionTLS12 // there are no warning alerts in TLS 1.3
|
||||
conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
|
||||
if err != nil {
|
||||
|
|
@ -1035,7 +1036,7 @@ func throughput(b *testing.B, version uint16, totalBytes int64, dynamicRecordSiz
|
|||
// (cannot call b.Fatal in goroutine)
|
||||
panic(fmt.Errorf("accept: %v", err))
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.CipherSuites = nil // the defaults may prefer faster ciphers
|
||||
serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
|
||||
srv := Server(sconn, serverConfig)
|
||||
|
|
@ -1049,7 +1050,7 @@ func throughput(b *testing.B, version uint16, totalBytes int64, dynamicRecordSiz
|
|||
}()
|
||||
|
||||
b.SetBytes(totalBytes)
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.CipherSuites = nil // the defaults may prefer faster ciphers
|
||||
clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
|
||||
clientConfig.MaxVersion = version
|
||||
|
|
@ -1133,7 +1134,7 @@ func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled
|
|||
// (cannot call b.Fatal in goroutine)
|
||||
panic(fmt.Errorf("accept: %v", err))
|
||||
}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
|
||||
srv := Server(&slowConn{sconn, bps}, serverConfig)
|
||||
if err := srv.Handshake(); err != nil {
|
||||
|
|
@ -1143,7 +1144,7 @@ func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled
|
|||
}
|
||||
}()
|
||||
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled
|
||||
clientConfig.MaxVersion = version
|
||||
|
||||
|
|
@ -1400,7 +1401,7 @@ func TestConnectionState(t *testing.T) {
|
|||
// Issue 28744: Ensure that we don't modify memory
|
||||
// that Config doesn't own such as Certificates.
|
||||
func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {
|
||||
config := testConfig.Clone()
|
||||
config := testConfigServer.Clone()
|
||||
config.Certificates = []Certificate{testRSA2048Cert, testSNICert}
|
||||
|
||||
config.BuildNameToCertificate()
|
||||
|
|
@ -1824,12 +1825,12 @@ func (s brokenSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts
|
|||
// TestPKCS1OnlyCert uses a client certificate with a broken crypto.Signer that
|
||||
// always makes PKCS #1 v1.5 signatures, so can't be used with RSA-PSS.
|
||||
func TestPKCS1OnlyCert(t *testing.T) {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig := testConfigClient.Clone()
|
||||
clientConfig.Certificates = []Certificate{{
|
||||
Certificate: testRSA2048Cert.Certificate,
|
||||
PrivateKey: brokenSigner{testRSA2048Key},
|
||||
Certificate: testClientRSA2048Cert.Certificate,
|
||||
PrivateKey: brokenSigner{testClientRSA2048Key},
|
||||
}}
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig := testConfigServer.Clone()
|
||||
serverConfig.MaxVersion = VersionTLS12 // TLS 1.3 doesn't support PKCS #1 v1.5
|
||||
serverConfig.ClientAuth = RequireAnyClientCert
|
||||
|
||||
|
|
@ -1901,13 +1902,6 @@ func testVerifyCertificates(t *testing.T, version uint16) {
|
|||
},
|
||||
}
|
||||
|
||||
issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
rootCAs := x509.NewCertPool()
|
||||
rootCAs.AddCert(issuer)
|
||||
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
|
@ -1915,15 +1909,13 @@ func testVerifyCertificates(t *testing.T, version uint16) {
|
|||
var serverVerifyConnection, clientVerifyConnection bool
|
||||
var serverVerifyPeerCertificates, clientVerifyPeerCertificates bool
clientConfig := testConfig.Clone()
clientConfig.Time = testTime
clientConfig := testConfigClient.Clone()
clientConfig.MaxVersion = version
clientConfig.MinVersion = version
clientConfig.RootCAs = rootCAs
clientConfig.ServerName = "example.golang"
clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)
serverConfig := clientConfig.Clone()
serverConfig.ClientCAs = rootCAs
serverConfig := testConfigServer.Clone()
serverConfig.MaxVersion = version
serverConfig.MinVersion = version
clientConfig.VerifyConnection = func(cs ConnectionState) error {
clientVerifyConnection = true
@ -2125,8 +2117,8 @@ func TestHandshakeMLKEM(t *testing.T) {
},
}
baseConfig := testConfig.Clone()
baseConfig.CurvePreferences = nil
baseServerConfig := testConfigServer.Clone()
baseClientConfig := testConfigClient.Clone()
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
if fips140tls.Required() && test.expectSelected == X25519 {
@ -2137,7 +2129,7 @@ func TestHandshakeMLKEM(t *testing.T) {
} else {
t.Parallel()
}
serverConfig := baseConfig.Clone()
serverConfig := baseServerConfig.Clone()
if test.serverConfig != nil {
test.serverConfig(serverConfig)
}
@ -2151,7 +2143,7 @@ func TestHandshakeMLKEM(t *testing.T) {
}
return nil, nil
}
clientConfig := baseConfig.Clone()
clientConfig := baseClientConfig.Clone()
if test.clientConfig != nil {
test.clientConfig(clientConfig)
}
@ -2245,7 +2237,7 @@ func TestEarlyLargeCertMsg(t *testing.T) {
}()
expectedErr := "tls: handshake message of length 131071 bytes exceeds maximum of 65536 bytes"
servConn := Server(server, testConfig)
servConn := Server(server, testConfigServer.Clone())
err := servConn.Handshake()
if err == nil {
t.Fatal("unexpected success")
@ -2277,7 +2269,7 @@ func TestLargeCertMsg(t *testing.T) {
t.Fatal(err)
}
clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
clientConfig, serverConfig := testConfigClient.Clone(), testConfigServer.Clone()
clientConfig.InsecureSkipVerify = true
serverConfig.Certificates = []Certificate{
{
@ -2355,9 +2347,7 @@ func TestECH(t *testing.T) {
})
echConfigList := builder.BytesOrPanic()
clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
clientConfig.InsecureSkipVerify = false
clientConfig.Rand = rand.Reader
clientConfig, serverConfig := testConfigClient.Clone(), testConfigServer.Clone()
clientConfig.Time = nil
clientConfig.MinVersion = VersionTLS13
clientConfig.ServerName = "secret.example"
@ -2366,7 +2356,6 @@ func TestECH(t *testing.T) {
clientConfig.RootCAs.AddCert(publicCert)
clientConfig.EncryptedClientHelloConfigList = echConfigList
serverConfig.InsecureSkipVerify = false
serverConfig.Rand = rand.Reader
serverConfig.Time = nil
serverConfig.MinVersion = VersionTLS13
serverConfig.ServerName = "public.example"
@ -2444,15 +2433,15 @@ func TestMessageSigner(t *testing.T) {
}
func testMessageSigner(t *testing.T, version uint16) {
clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
clientConfig, serverConfig := testConfigClient.Clone(), testConfigServer.Clone()
serverConfig.ClientAuth = RequireAnyClientCert
clientConfig.MinVersion = version
clientConfig.MaxVersion = version
serverConfig.MinVersion = version
serverConfig.MaxVersion = version
clientConfig.Certificates = []Certificate{{
Certificate: testRSA2048Cert.Certificate,
PrivateKey: messageOnlySigner{testRSA2048Key},
Certificate: testClientRSA2048Cert.Certificate,
PrivateKey: messageOnlySigner{testClientRSA2048Key},
}}
serverConfig.Certificates = []Certificate{{
Certificate: testRSA2048Cert.Certificate,
@ -2471,8 +2460,8 @@ func testMessageSigner(t *testing.T, version uint16) {
}
clientConfig.Certificates = []Certificate{{
Certificate: testECDSAP256Cert.Certificate,
PrivateKey: messageOnlySigner{testECDSAP256Key},
Certificate: testClientECDSAP256Cert.Certificate,
PrivateKey: messageOnlySigner{testClientECDSAP256Key},
}}
serverConfig.Certificates = []Certificate{{
Certificate: testECDSAP256Cert.Certificate,