handshake_client_test.go

Documentation: crypto/tls

		 1  // Copyright 2010 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package tls
		 6  
		 7  import (
		 8  	"bytes"
		 9  	"context"
		10  	"crypto/rsa"
		11  	"crypto/x509"
		12  	"encoding/base64"
		13  	"encoding/binary"
		14  	"encoding/pem"
		15  	"errors"
		16  	"fmt"
		17  	"io"
		18  	"math/big"
		19  	"net"
		20  	"os"
		21  	"os/exec"
		22  	"path/filepath"
		23  	"reflect"
		24  	"runtime"
		25  	"strconv"
		26  	"strings"
		27  	"testing"
		28  	"time"
		29  )
		30  
		31  // Note: see comment in handshake_test.go for details of how the reference
		32  // tests work.
		33  
		34  // opensslInputEvent enumerates possible inputs that can be sent to an `openssl
		35  // s_client` process.
		36  type opensslInputEvent int
		37  
		38  const (
		39  	// opensslRenegotiate causes OpenSSL to request a renegotiation of the
		40  	// connection.
		41  	opensslRenegotiate opensslInputEvent = iota
		42  
		43  	// opensslSendBanner causes OpenSSL to send the contents of
		44  	// opensslSentinel on the connection.
		45  	opensslSendSentinel
		46  
		47  	// opensslKeyUpdate causes OpenSSL to send a key update message to the
		48  	// client and request one back.
		49  	opensslKeyUpdate
		50  )
		51  
		52  const opensslSentinel = "SENTINEL\n"
		53  
		54  type opensslInput chan opensslInputEvent
		55  
		56  func (i opensslInput) Read(buf []byte) (n int, err error) {
		57  	for event := range i {
		58  		switch event {
		59  		case opensslRenegotiate:
		60  			return copy(buf, []byte("R\n")), nil
		61  		case opensslKeyUpdate:
		62  			return copy(buf, []byte("K\n")), nil
		63  		case opensslSendSentinel:
		64  			return copy(buf, []byte(opensslSentinel)), nil
		65  		default:
		66  			panic("unknown event")
		67  		}
		68  	}
		69  
		70  	return 0, io.EOF
		71  }
		72  
		73  // opensslOutputSink is an io.Writer that receives the stdout and stderr from an
		74  // `openssl` process and sends a value to handshakeComplete or readKeyUpdate
		75  // when certain messages are seen.
		76  type opensslOutputSink struct {
		77  	handshakeComplete chan struct{}
		78  	readKeyUpdate		 chan struct{}
		79  	all							 []byte
		80  	line							[]byte
		81  }
		82  
		83  func newOpensslOutputSink() *opensslOutputSink {
		84  	return &opensslOutputSink{make(chan struct{}), make(chan struct{}), nil, nil}
		85  }
		86  
		87  // opensslEndOfHandshake is a message that the “openssl s_server” tool will
		88  // print when a handshake completes if run with “-state”.
		89  const opensslEndOfHandshake = "SSL_accept:SSLv3/TLS write finished"
		90  
		91  // opensslReadKeyUpdate is a message that the “openssl s_server” tool will
		92  // print when a KeyUpdate message is received if run with “-state”.
		93  const opensslReadKeyUpdate = "SSL_accept:TLSv1.3 read client key update"
		94  
		95  func (o *opensslOutputSink) Write(data []byte) (n int, err error) {
		96  	o.line = append(o.line, data...)
		97  	o.all = append(o.all, data...)
		98  
		99  	for {
	 100  		i := bytes.IndexByte(o.line, '\n')
	 101  		if i < 0 {
	 102  			break
	 103  		}
	 104  
	 105  		if bytes.Equal([]byte(opensslEndOfHandshake), o.line[:i]) {
	 106  			o.handshakeComplete <- struct{}{}
	 107  		}
	 108  		if bytes.Equal([]byte(opensslReadKeyUpdate), o.line[:i]) {
	 109  			o.readKeyUpdate <- struct{}{}
	 110  		}
	 111  		o.line = o.line[i+1:]
	 112  	}
	 113  
	 114  	return len(data), nil
	 115  }
	 116  
	 117  func (o *opensslOutputSink) String() string {
	 118  	return string(o.all)
	 119  }
	 120  
	 121  // clientTest represents a test of the TLS client handshake against a reference
	 122  // implementation.
	 123  type clientTest struct {
	 124  	// name is a freeform string identifying the test and the file in which
	 125  	// the expected results will be stored.
	 126  	name string
	 127  	// args, if not empty, contains a series of arguments for the
	 128  	// command to run for the reference server.
	 129  	args []string
	 130  	// config, if not nil, contains a custom Config to use for this test.
	 131  	config *Config
	 132  	// cert, if not empty, contains a DER-encoded certificate for the
	 133  	// reference server.
	 134  	cert []byte
	 135  	// key, if not nil, contains either a *rsa.PrivateKey, ed25519.PrivateKey or
	 136  	// *ecdsa.PrivateKey which is the private key for the reference server.
	 137  	key interface{}
	 138  	// extensions, if not nil, contains a list of extension data to be returned
	 139  	// from the ServerHello. The data should be in standard TLS format with
	 140  	// a 2-byte uint16 type, 2-byte data length, followed by the extension data.
	 141  	extensions [][]byte
	 142  	// validate, if not nil, is a function that will be called with the
	 143  	// ConnectionState of the resulting connection. It returns a non-nil
	 144  	// error if the ConnectionState is unacceptable.
	 145  	validate func(ConnectionState) error
	 146  	// numRenegotiations is the number of times that the connection will be
	 147  	// renegotiated.
	 148  	numRenegotiations int
	 149  	// renegotiationExpectedToFail, if not zero, is the number of the
	 150  	// renegotiation attempt that is expected to fail.
	 151  	renegotiationExpectedToFail int
	 152  	// checkRenegotiationError, if not nil, is called with any error
	 153  	// arising from renegotiation. It can map expected errors to nil to
	 154  	// ignore them.
	 155  	checkRenegotiationError func(renegotiationNum int, err error) error
	 156  	// sendKeyUpdate will cause the server to send a KeyUpdate message.
	 157  	sendKeyUpdate bool
	 158  }
	 159  
	 160  var serverCommand = []string{"openssl", "s_server", "-no_ticket", "-num_tickets", "0"}
	 161  
	 162  // connFromCommand starts the reference server process, connects to it and
	 163  // returns a recordingConn for the connection. The stdin return value is an
	 164  // opensslInput for the stdin of the child process. It must be closed before
	 165  // Waiting for child.
	 166  func (test *clientTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, stdin opensslInput, stdout *opensslOutputSink, err error) {
	 167  	cert := testRSACertificate
	 168  	if len(test.cert) > 0 {
	 169  		cert = test.cert
	 170  	}
	 171  	certPath := tempFile(string(cert))
	 172  	defer os.Remove(certPath)
	 173  
	 174  	var key interface{} = testRSAPrivateKey
	 175  	if test.key != nil {
	 176  		key = test.key
	 177  	}
	 178  	derBytes, err := x509.MarshalPKCS8PrivateKey(key)
	 179  	if err != nil {
	 180  		panic(err)
	 181  	}
	 182  
	 183  	var pemOut bytes.Buffer
	 184  	pem.Encode(&pemOut, &pem.Block{Type: "PRIVATE KEY", Bytes: derBytes})
	 185  
	 186  	keyPath := tempFile(pemOut.String())
	 187  	defer os.Remove(keyPath)
	 188  
	 189  	var command []string
	 190  	command = append(command, serverCommand...)
	 191  	command = append(command, test.args...)
	 192  	command = append(command, "-cert", certPath, "-certform", "DER", "-key", keyPath)
	 193  	// serverPort contains the port that OpenSSL will listen on. OpenSSL
	 194  	// can't take "0" as an argument here so we have to pick a number and
	 195  	// hope that it's not in use on the machine. Since this only occurs
	 196  	// when -update is given and thus when there's a human watching the
	 197  	// test, this isn't too bad.
	 198  	const serverPort = 24323
	 199  	command = append(command, "-accept", strconv.Itoa(serverPort))
	 200  
	 201  	if len(test.extensions) > 0 {
	 202  		var serverInfo bytes.Buffer
	 203  		for _, ext := range test.extensions {
	 204  			pem.Encode(&serverInfo, &pem.Block{
	 205  				Type:	fmt.Sprintf("SERVERINFO FOR EXTENSION %d", binary.BigEndian.Uint16(ext)),
	 206  				Bytes: ext,
	 207  			})
	 208  		}
	 209  		serverInfoPath := tempFile(serverInfo.String())
	 210  		defer os.Remove(serverInfoPath)
	 211  		command = append(command, "-serverinfo", serverInfoPath)
	 212  	}
	 213  
	 214  	if test.numRenegotiations > 0 || test.sendKeyUpdate {
	 215  		found := false
	 216  		for _, flag := range command[1:] {
	 217  			if flag == "-state" {
	 218  				found = true
	 219  				break
	 220  			}
	 221  		}
	 222  
	 223  		if !found {
	 224  			panic("-state flag missing to OpenSSL, you need this if testing renegotiation or KeyUpdate")
	 225  		}
	 226  	}
	 227  
	 228  	cmd := exec.Command(command[0], command[1:]...)
	 229  	stdin = opensslInput(make(chan opensslInputEvent))
	 230  	cmd.Stdin = stdin
	 231  	out := newOpensslOutputSink()
	 232  	cmd.Stdout = out
	 233  	cmd.Stderr = out
	 234  	if err := cmd.Start(); err != nil {
	 235  		return nil, nil, nil, nil, err
	 236  	}
	 237  
	 238  	// OpenSSL does print an "ACCEPT" banner, but it does so *before*
	 239  	// opening the listening socket, so we can't use that to wait until it
	 240  	// has started listening. Thus we are forced to poll until we get a
	 241  	// connection.
	 242  	var tcpConn net.Conn
	 243  	for i := uint(0); i < 5; i++ {
	 244  		tcpConn, err = net.DialTCP("tcp", nil, &net.TCPAddr{
	 245  			IP:	 net.IPv4(127, 0, 0, 1),
	 246  			Port: serverPort,
	 247  		})
	 248  		if err == nil {
	 249  			break
	 250  		}
	 251  		time.Sleep((1 << i) * 5 * time.Millisecond)
	 252  	}
	 253  	if err != nil {
	 254  		close(stdin)
	 255  		cmd.Process.Kill()
	 256  		err = fmt.Errorf("error connecting to the OpenSSL server: %v (%v)\n\n%s", err, cmd.Wait(), out)
	 257  		return nil, nil, nil, nil, err
	 258  	}
	 259  
	 260  	record := &recordingConn{
	 261  		Conn: tcpConn,
	 262  	}
	 263  
	 264  	return record, cmd, stdin, out, nil
	 265  }
	 266  
	 267  func (test *clientTest) dataPath() string {
	 268  	return filepath.Join("testdata", "Client-"+test.name)
	 269  }
	 270  
	 271  func (test *clientTest) loadData() (flows [][]byte, err error) {
	 272  	in, err := os.Open(test.dataPath())
	 273  	if err != nil {
	 274  		return nil, err
	 275  	}
	 276  	defer in.Close()
	 277  	return parseTestData(in)
	 278  }
	 279  
	 280  func (test *clientTest) run(t *testing.T, write bool) {
	 281  	var clientConn, serverConn net.Conn
	 282  	var recordingConn *recordingConn
	 283  	var childProcess *exec.Cmd
	 284  	var stdin opensslInput
	 285  	var stdout *opensslOutputSink
	 286  
	 287  	if write {
	 288  		var err error
	 289  		recordingConn, childProcess, stdin, stdout, err = test.connFromCommand()
	 290  		if err != nil {
	 291  			t.Fatalf("Failed to start subcommand: %s", err)
	 292  		}
	 293  		clientConn = recordingConn
	 294  		defer func() {
	 295  			if t.Failed() {
	 296  				t.Logf("OpenSSL output:\n\n%s", stdout.all)
	 297  			}
	 298  		}()
	 299  	} else {
	 300  		clientConn, serverConn = localPipe(t)
	 301  	}
	 302  
	 303  	doneChan := make(chan bool)
	 304  	defer func() {
	 305  		clientConn.Close()
	 306  		<-doneChan
	 307  	}()
	 308  	go func() {
	 309  		defer close(doneChan)
	 310  
	 311  		config := test.config
	 312  		if config == nil {
	 313  			config = testConfig
	 314  		}
	 315  		client := Client(clientConn, config)
	 316  		defer client.Close()
	 317  
	 318  		if _, err := client.Write([]byte("hello\n")); err != nil {
	 319  			t.Errorf("Client.Write failed: %s", err)
	 320  			return
	 321  		}
	 322  
	 323  		for i := 1; i <= test.numRenegotiations; i++ {
	 324  			// The initial handshake will generate a
	 325  			// handshakeComplete signal which needs to be quashed.
	 326  			if i == 1 && write {
	 327  				<-stdout.handshakeComplete
	 328  			}
	 329  
	 330  			// OpenSSL will try to interleave application data and
	 331  			// a renegotiation if we send both concurrently.
	 332  			// Therefore: ask OpensSSL to start a renegotiation, run
	 333  			// a goroutine to call client.Read and thus process the
	 334  			// renegotiation request, watch for OpenSSL's stdout to
	 335  			// indicate that the handshake is complete and,
	 336  			// finally, have OpenSSL write something to cause
	 337  			// client.Read to complete.
	 338  			if write {
	 339  				stdin <- opensslRenegotiate
	 340  			}
	 341  
	 342  			signalChan := make(chan struct{})
	 343  
	 344  			go func() {
	 345  				defer close(signalChan)
	 346  
	 347  				buf := make([]byte, 256)
	 348  				n, err := client.Read(buf)
	 349  
	 350  				if test.checkRenegotiationError != nil {
	 351  					newErr := test.checkRenegotiationError(i, err)
	 352  					if err != nil && newErr == nil {
	 353  						return
	 354  					}
	 355  					err = newErr
	 356  				}
	 357  
	 358  				if err != nil {
	 359  					t.Errorf("Client.Read failed after renegotiation #%d: %s", i, err)
	 360  					return
	 361  				}
	 362  
	 363  				buf = buf[:n]
	 364  				if !bytes.Equal([]byte(opensslSentinel), buf) {
	 365  					t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel)
	 366  				}
	 367  
	 368  				if expected := i + 1; client.handshakes != expected {
	 369  					t.Errorf("client should have recorded %d handshakes, but believes that %d have occurred", expected, client.handshakes)
	 370  				}
	 371  			}()
	 372  
	 373  			if write && test.renegotiationExpectedToFail != i {
	 374  				<-stdout.handshakeComplete
	 375  				stdin <- opensslSendSentinel
	 376  			}
	 377  			<-signalChan
	 378  		}
	 379  
	 380  		if test.sendKeyUpdate {
	 381  			if write {
	 382  				<-stdout.handshakeComplete
	 383  				stdin <- opensslKeyUpdate
	 384  			}
	 385  
	 386  			doneRead := make(chan struct{})
	 387  
	 388  			go func() {
	 389  				defer close(doneRead)
	 390  
	 391  				buf := make([]byte, 256)
	 392  				n, err := client.Read(buf)
	 393  
	 394  				if err != nil {
	 395  					t.Errorf("Client.Read failed after KeyUpdate: %s", err)
	 396  					return
	 397  				}
	 398  
	 399  				buf = buf[:n]
	 400  				if !bytes.Equal([]byte(opensslSentinel), buf) {
	 401  					t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel)
	 402  				}
	 403  			}()
	 404  
	 405  			if write {
	 406  				// There's no real reason to wait for the client KeyUpdate to
	 407  				// send data with the new server keys, except that s_server
	 408  				// drops writes if they are sent at the wrong time.
	 409  				<-stdout.readKeyUpdate
	 410  				stdin <- opensslSendSentinel
	 411  			}
	 412  			<-doneRead
	 413  
	 414  			if _, err := client.Write([]byte("hello again\n")); err != nil {
	 415  				t.Errorf("Client.Write failed: %s", err)
	 416  				return
	 417  			}
	 418  		}
	 419  
	 420  		if test.validate != nil {
	 421  			if err := test.validate(client.ConnectionState()); err != nil {
	 422  				t.Errorf("validate callback returned error: %s", err)
	 423  			}
	 424  		}
	 425  
	 426  		// If the server sent us an alert after our last flight, give it a
	 427  		// chance to arrive.
	 428  		if write && test.renegotiationExpectedToFail == 0 {
	 429  			if err := peekError(client); err != nil {
	 430  				t.Errorf("final Read returned an error: %s", err)
	 431  			}
	 432  		}
	 433  	}()
	 434  
	 435  	if !write {
	 436  		flows, err := test.loadData()
	 437  		if err != nil {
	 438  			t.Fatalf("%s: failed to load data from %s: %v", test.name, test.dataPath(), err)
	 439  		}
	 440  		for i, b := range flows {
	 441  			if i%2 == 1 {
	 442  				if *fast {
	 443  					serverConn.SetWriteDeadline(time.Now().Add(1 * time.Second))
	 444  				} else {
	 445  					serverConn.SetWriteDeadline(time.Now().Add(1 * time.Minute))
	 446  				}
	 447  				serverConn.Write(b)
	 448  				continue
	 449  			}
	 450  			bb := make([]byte, len(b))
	 451  			if *fast {
	 452  				serverConn.SetReadDeadline(time.Now().Add(1 * time.Second))
	 453  			} else {
	 454  				serverConn.SetReadDeadline(time.Now().Add(1 * time.Minute))
	 455  			}
	 456  			_, err := io.ReadFull(serverConn, bb)
	 457  			if err != nil {
	 458  				t.Fatalf("%s, flow %d: %s", test.name, i+1, err)
	 459  			}
	 460  			if !bytes.Equal(b, bb) {
	 461  				t.Fatalf("%s, flow %d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b)
	 462  			}
	 463  		}
	 464  	}
	 465  
	 466  	<-doneChan
	 467  	if !write {
	 468  		serverConn.Close()
	 469  	}
	 470  
	 471  	if write {
	 472  		path := test.dataPath()
	 473  		out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
	 474  		if err != nil {
	 475  			t.Fatalf("Failed to create output file: %s", err)
	 476  		}
	 477  		defer out.Close()
	 478  		recordingConn.Close()
	 479  		close(stdin)
	 480  		childProcess.Process.Kill()
	 481  		childProcess.Wait()
	 482  		if len(recordingConn.flows) < 3 {
	 483  			t.Fatalf("Client connection didn't work")
	 484  		}
	 485  		recordingConn.WriteTo(out)
	 486  		t.Logf("Wrote %s\n", path)
	 487  	}
	 488  }
	 489  
	 490  // peekError does a read with a short timeout to check if the next read would
	 491  // cause an error, for example if there is an alert waiting on the wire.
	 492  func peekError(conn net.Conn) error {
	 493  	conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
	 494  	if n, err := conn.Read(make([]byte, 1)); n != 0 {
	 495  		return errors.New("unexpectedly read data")
	 496  	} else if err != nil {
	 497  		if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() {
	 498  			return err
	 499  		}
	 500  	}
	 501  	return nil
	 502  }
	 503  
	 504  func runClientTestForVersion(t *testing.T, template *clientTest, version, option string) {
	 505  	// Make a deep copy of the template before going parallel.
	 506  	test := *template
	 507  	if template.config != nil {
	 508  		test.config = template.config.Clone()
	 509  	}
	 510  	test.name = version + "-" + test.name
	 511  	test.args = append([]string{option}, test.args...)
	 512  
	 513  	runTestAndUpdateIfNeeded(t, version, test.run, false)
	 514  }
	 515  
	 516  func runClientTestTLS10(t *testing.T, template *clientTest) {
	 517  	runClientTestForVersion(t, template, "TLSv10", "-tls1")
	 518  }
	 519  
	 520  func runClientTestTLS11(t *testing.T, template *clientTest) {
	 521  	runClientTestForVersion(t, template, "TLSv11", "-tls1_1")
	 522  }
	 523  
	 524  func runClientTestTLS12(t *testing.T, template *clientTest) {
	 525  	runClientTestForVersion(t, template, "TLSv12", "-tls1_2")
	 526  }
	 527  
	 528  func runClientTestTLS13(t *testing.T, template *clientTest) {
	 529  	runClientTestForVersion(t, template, "TLSv13", "-tls1_3")
	 530  }
	 531  
	 532  func TestHandshakeClientRSARC4(t *testing.T) {
	 533  	test := &clientTest{
	 534  		name: "RSA-RC4",
	 535  		args: []string{"-cipher", "RC4-SHA"},
	 536  	}
	 537  	runClientTestTLS10(t, test)
	 538  	runClientTestTLS11(t, test)
	 539  	runClientTestTLS12(t, test)
	 540  }
	 541  
	 542  func TestHandshakeClientRSAAES128GCM(t *testing.T) {
	 543  	test := &clientTest{
	 544  		name: "AES128-GCM-SHA256",
	 545  		args: []string{"-cipher", "AES128-GCM-SHA256"},
	 546  	}
	 547  	runClientTestTLS12(t, test)
	 548  }
	 549  
	 550  func TestHandshakeClientRSAAES256GCM(t *testing.T) {
	 551  	test := &clientTest{
	 552  		name: "AES256-GCM-SHA384",
	 553  		args: []string{"-cipher", "AES256-GCM-SHA384"},
	 554  	}
	 555  	runClientTestTLS12(t, test)
	 556  }
	 557  
	 558  func TestHandshakeClientECDHERSAAES(t *testing.T) {
	 559  	test := &clientTest{
	 560  		name: "ECDHE-RSA-AES",
	 561  		args: []string{"-cipher", "ECDHE-RSA-AES128-SHA"},
	 562  	}
	 563  	runClientTestTLS10(t, test)
	 564  	runClientTestTLS11(t, test)
	 565  	runClientTestTLS12(t, test)
	 566  }
	 567  
	 568  func TestHandshakeClientECDHEECDSAAES(t *testing.T) {
	 569  	test := &clientTest{
	 570  		name: "ECDHE-ECDSA-AES",
	 571  		args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA"},
	 572  		cert: testECDSACertificate,
	 573  		key:	testECDSAPrivateKey,
	 574  	}
	 575  	runClientTestTLS10(t, test)
	 576  	runClientTestTLS11(t, test)
	 577  	runClientTestTLS12(t, test)
	 578  }
	 579  
	 580  func TestHandshakeClientECDHEECDSAAESGCM(t *testing.T) {
	 581  	test := &clientTest{
	 582  		name: "ECDHE-ECDSA-AES-GCM",
	 583  		args: []string{"-cipher", "ECDHE-ECDSA-AES128-GCM-SHA256"},
	 584  		cert: testECDSACertificate,
	 585  		key:	testECDSAPrivateKey,
	 586  	}
	 587  	runClientTestTLS12(t, test)
	 588  }
	 589  
	 590  func TestHandshakeClientAES256GCMSHA384(t *testing.T) {
	 591  	test := &clientTest{
	 592  		name: "ECDHE-ECDSA-AES256-GCM-SHA384",
	 593  		args: []string{"-cipher", "ECDHE-ECDSA-AES256-GCM-SHA384"},
	 594  		cert: testECDSACertificate,
	 595  		key:	testECDSAPrivateKey,
	 596  	}
	 597  	runClientTestTLS12(t, test)
	 598  }
	 599  
	 600  func TestHandshakeClientAES128CBCSHA256(t *testing.T) {
	 601  	test := &clientTest{
	 602  		name: "AES128-SHA256",
	 603  		args: []string{"-cipher", "AES128-SHA256"},
	 604  	}
	 605  	runClientTestTLS12(t, test)
	 606  }
	 607  
	 608  func TestHandshakeClientECDHERSAAES128CBCSHA256(t *testing.T) {
	 609  	test := &clientTest{
	 610  		name: "ECDHE-RSA-AES128-SHA256",
	 611  		args: []string{"-cipher", "ECDHE-RSA-AES128-SHA256"},
	 612  	}
	 613  	runClientTestTLS12(t, test)
	 614  }
	 615  
	 616  func TestHandshakeClientECDHEECDSAAES128CBCSHA256(t *testing.T) {
	 617  	test := &clientTest{
	 618  		name: "ECDHE-ECDSA-AES128-SHA256",
	 619  		args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA256"},
	 620  		cert: testECDSACertificate,
	 621  		key:	testECDSAPrivateKey,
	 622  	}
	 623  	runClientTestTLS12(t, test)
	 624  }
	 625  
	 626  func TestHandshakeClientX25519(t *testing.T) {
	 627  	config := testConfig.Clone()
	 628  	config.CurvePreferences = []CurveID{X25519}
	 629  
	 630  	test := &clientTest{
	 631  		name:	 "X25519-ECDHE",
	 632  		args:	 []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"},
	 633  		config: config,
	 634  	}
	 635  
	 636  	runClientTestTLS12(t, test)
	 637  	runClientTestTLS13(t, test)
	 638  }
	 639  
	 640  func TestHandshakeClientP256(t *testing.T) {
	 641  	config := testConfig.Clone()
	 642  	config.CurvePreferences = []CurveID{CurveP256}
	 643  
	 644  	test := &clientTest{
	 645  		name:	 "P256-ECDHE",
	 646  		args:	 []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
	 647  		config: config,
	 648  	}
	 649  
	 650  	runClientTestTLS12(t, test)
	 651  	runClientTestTLS13(t, test)
	 652  }
	 653  
	 654  func TestHandshakeClientHelloRetryRequest(t *testing.T) {
	 655  	config := testConfig.Clone()
	 656  	config.CurvePreferences = []CurveID{X25519, CurveP256}
	 657  
	 658  	test := &clientTest{
	 659  		name:	 "HelloRetryRequest",
	 660  		args:	 []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
	 661  		config: config,
	 662  	}
	 663  
	 664  	runClientTestTLS13(t, test)
	 665  }
	 666  
	 667  func TestHandshakeClientECDHERSAChaCha20(t *testing.T) {
	 668  	config := testConfig.Clone()
	 669  	config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305}
	 670  
	 671  	test := &clientTest{
	 672  		name:	 "ECDHE-RSA-CHACHA20-POLY1305",
	 673  		args:	 []string{"-cipher", "ECDHE-RSA-CHACHA20-POLY1305"},
	 674  		config: config,
	 675  	}
	 676  
	 677  	runClientTestTLS12(t, test)
	 678  }
	 679  
	 680  func TestHandshakeClientECDHEECDSAChaCha20(t *testing.T) {
	 681  	config := testConfig.Clone()
	 682  	config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}
	 683  
	 684  	test := &clientTest{
	 685  		name:	 "ECDHE-ECDSA-CHACHA20-POLY1305",
	 686  		args:	 []string{"-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305"},
	 687  		config: config,
	 688  		cert:	 testECDSACertificate,
	 689  		key:		testECDSAPrivateKey,
	 690  	}
	 691  
	 692  	runClientTestTLS12(t, test)
	 693  }
	 694  
	 695  func TestHandshakeClientAES128SHA256(t *testing.T) {
	 696  	test := &clientTest{
	 697  		name: "AES128-SHA256",
	 698  		args: []string{"-ciphersuites", "TLS_AES_128_GCM_SHA256"},
	 699  	}
	 700  	runClientTestTLS13(t, test)
	 701  }
	 702  func TestHandshakeClientAES256SHA384(t *testing.T) {
	 703  	test := &clientTest{
	 704  		name: "AES256-SHA384",
	 705  		args: []string{"-ciphersuites", "TLS_AES_256_GCM_SHA384"},
	 706  	}
	 707  	runClientTestTLS13(t, test)
	 708  }
	 709  func TestHandshakeClientCHACHA20SHA256(t *testing.T) {
	 710  	test := &clientTest{
	 711  		name: "CHACHA20-SHA256",
	 712  		args: []string{"-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
	 713  	}
	 714  	runClientTestTLS13(t, test)
	 715  }
	 716  
	 717  func TestHandshakeClientECDSATLS13(t *testing.T) {
	 718  	test := &clientTest{
	 719  		name: "ECDSA",
	 720  		cert: testECDSACertificate,
	 721  		key:	testECDSAPrivateKey,
	 722  	}
	 723  	runClientTestTLS13(t, test)
	 724  }
	 725  
	 726  func TestHandshakeClientEd25519(t *testing.T) {
	 727  	test := &clientTest{
	 728  		name: "Ed25519",
	 729  		cert: testEd25519Certificate,
	 730  		key:	testEd25519PrivateKey,
	 731  	}
	 732  	runClientTestTLS12(t, test)
	 733  	runClientTestTLS13(t, test)
	 734  
	 735  	config := testConfig.Clone()
	 736  	cert, _ := X509KeyPair([]byte(clientEd25519CertificatePEM), []byte(clientEd25519KeyPEM))
	 737  	config.Certificates = []Certificate{cert}
	 738  
	 739  	test = &clientTest{
	 740  		name:	 "ClientCert-Ed25519",
	 741  		args:	 []string{"-Verify", "1"},
	 742  		config: config,
	 743  	}
	 744  
	 745  	runClientTestTLS12(t, test)
	 746  	runClientTestTLS13(t, test)
	 747  }
	 748  
	 749  func TestHandshakeClientCertRSA(t *testing.T) {
	 750  	config := testConfig.Clone()
	 751  	cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))
	 752  	config.Certificates = []Certificate{cert}
	 753  
	 754  	test := &clientTest{
	 755  		name:	 "ClientCert-RSA-RSA",
	 756  		args:	 []string{"-cipher", "AES128", "-Verify", "1"},
	 757  		config: config,
	 758  	}
	 759  
	 760  	runClientTestTLS10(t, test)
	 761  	runClientTestTLS12(t, test)
	 762  
	 763  	test = &clientTest{
	 764  		name:	 "ClientCert-RSA-ECDSA",
	 765  		args:	 []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"},
	 766  		config: config,
	 767  		cert:	 testECDSACertificate,
	 768  		key:		testECDSAPrivateKey,
	 769  	}
	 770  
	 771  	runClientTestTLS10(t, test)
	 772  	runClientTestTLS12(t, test)
	 773  	runClientTestTLS13(t, test)
	 774  
	 775  	test = &clientTest{
	 776  		name:	 "ClientCert-RSA-AES256-GCM-SHA384",
	 777  		args:	 []string{"-cipher", "ECDHE-RSA-AES256-GCM-SHA384", "-Verify", "1"},
	 778  		config: config,
	 779  		cert:	 testRSACertificate,
	 780  		key:		testRSAPrivateKey,
	 781  	}
	 782  
	 783  	runClientTestTLS12(t, test)
	 784  }
	 785  
	 786  func TestHandshakeClientCertECDSA(t *testing.T) {
	 787  	config := testConfig.Clone()
	 788  	cert, _ := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM))
	 789  	config.Certificates = []Certificate{cert}
	 790  
	 791  	test := &clientTest{
	 792  		name:	 "ClientCert-ECDSA-RSA",
	 793  		args:	 []string{"-cipher", "AES128", "-Verify", "1"},
	 794  		config: config,
	 795  	}
	 796  
	 797  	runClientTestTLS10(t, test)
	 798  	runClientTestTLS12(t, test)
	 799  	runClientTestTLS13(t, test)
	 800  
	 801  	test = &clientTest{
	 802  		name:	 "ClientCert-ECDSA-ECDSA",
	 803  		args:	 []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"},
	 804  		config: config,
	 805  		cert:	 testECDSACertificate,
	 806  		key:		testECDSAPrivateKey,
	 807  	}
	 808  
	 809  	runClientTestTLS10(t, test)
	 810  	runClientTestTLS12(t, test)
	 811  }
	 812  
	 813  // TestHandshakeClientCertRSAPSS tests rsa_pss_rsae_sha256 signatures from both
	 814  // client and server certificates. It also serves from both sides a certificate
	 815  // signed itself with RSA-PSS, mostly to check that crypto/x509 chain validation
	 816  // works.
	 817  func TestHandshakeClientCertRSAPSS(t *testing.T) {
	 818  	cert, err := x509.ParseCertificate(testRSAPSSCertificate)
	 819  	if err != nil {
	 820  		panic(err)
	 821  	}
	 822  	rootCAs := x509.NewCertPool()
	 823  	rootCAs.AddCert(cert)
	 824  
	 825  	config := testConfig.Clone()
	 826  	// Use GetClientCertificate to bypass the client certificate selection logic.
	 827  	config.GetClientCertificate = func(*CertificateRequestInfo) (*Certificate, error) {
	 828  		return &Certificate{
	 829  			Certificate: [][]byte{testRSAPSSCertificate},
	 830  			PrivateKey:	testRSAPrivateKey,
	 831  		}, nil
	 832  	}
	 833  	config.RootCAs = rootCAs
	 834  
	 835  	test := &clientTest{
	 836  		name: "ClientCert-RSA-RSAPSS",
	 837  		args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs",
	 838  			"rsa_pss_rsae_sha256", "-sigalgs", "rsa_pss_rsae_sha256"},
	 839  		config: config,
	 840  		cert:	 testRSAPSSCertificate,
	 841  		key:		testRSAPrivateKey,
	 842  	}
	 843  	runClientTestTLS12(t, test)
	 844  	runClientTestTLS13(t, test)
	 845  }
	 846  
	 847  func TestHandshakeClientCertRSAPKCS1v15(t *testing.T) {
	 848  	config := testConfig.Clone()
	 849  	cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))
	 850  	config.Certificates = []Certificate{cert}
	 851  
	 852  	test := &clientTest{
	 853  		name: "ClientCert-RSA-RSAPKCS1v15",
	 854  		args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs",
	 855  			"rsa_pkcs1_sha256", "-sigalgs", "rsa_pkcs1_sha256"},
	 856  		config: config,
	 857  	}
	 858  
	 859  	runClientTestTLS12(t, test)
	 860  }
	 861  
	 862  func TestClientKeyUpdate(t *testing.T) {
	 863  	test := &clientTest{
	 864  		name:					"KeyUpdate",
	 865  		args:					[]string{"-state"},
	 866  		sendKeyUpdate: true,
	 867  	}
	 868  	runClientTestTLS13(t, test)
	 869  }
	 870  
	 871  func TestResumption(t *testing.T) {
	 872  	t.Run("TLSv12", func(t *testing.T) { testResumption(t, VersionTLS12) })
	 873  	t.Run("TLSv13", func(t *testing.T) { testResumption(t, VersionTLS13) })
	 874  }
	 875  
	 876  func testResumption(t *testing.T, version uint16) {
	 877  	if testing.Short() {
	 878  		t.Skip("skipping in -short mode")
	 879  	}
	 880  	serverConfig := &Config{
	 881  		MaxVersion:	 version,
	 882  		CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
	 883  		Certificates: testConfig.Certificates,
	 884  	}
	 885  
	 886  	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
	 887  	if err != nil {
	 888  		panic(err)
	 889  	}
	 890  
	 891  	rootCAs := x509.NewCertPool()
	 892  	rootCAs.AddCert(issuer)
	 893  
	 894  	clientConfig := &Config{
	 895  		MaxVersion:				 version,
	 896  		CipherSuites:			 []uint16{TLS_RSA_WITH_RC4_128_SHA},
	 897  		ClientSessionCache: NewLRUClientSessionCache(32),
	 898  		RootCAs:						rootCAs,
	 899  		ServerName:				 "example.golang",
	 900  	}
	 901  
	 902  	testResumeState := func(test string, didResume bool) {
	 903  		_, hs, err := testHandshake(t, clientConfig, serverConfig)
	 904  		if err != nil {
	 905  			t.Fatalf("%s: handshake failed: %s", test, err)
	 906  		}
	 907  		if hs.DidResume != didResume {
	 908  			t.Fatalf("%s resumed: %v, expected: %v", test, hs.DidResume, didResume)
	 909  		}
	 910  		if didResume && (hs.PeerCertificates == nil || hs.VerifiedChains == nil) {
	 911  			t.Fatalf("expected non-nil certificates after resumption. Got peerCertificates: %#v, verifiedCertificates: %#v", hs.PeerCertificates, hs.VerifiedChains)
	 912  		}
	 913  		if got, want := hs.ServerName, clientConfig.ServerName; got != want {
	 914  			t.Errorf("%s: server name %s, want %s", test, got, want)
	 915  		}
	 916  	}
	 917  
	 918  	getTicket := func() []byte {
	 919  		return clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.sessionTicket
	 920  	}
	 921  	deleteTicket := func() {
	 922  		ticketKey := clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).sessionKey
	 923  		clientConfig.ClientSessionCache.Put(ticketKey, nil)
	 924  	}
	 925  	corruptTicket := func() {
	 926  		clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.masterSecret[0] ^= 0xff
	 927  	}
	 928  	randomKey := func() [32]byte {
	 929  		var k [32]byte
	 930  		if _, err := io.ReadFull(serverConfig.rand(), k[:]); err != nil {
	 931  			t.Fatalf("Failed to read new SessionTicketKey: %s", err)
	 932  		}
	 933  		return k
	 934  	}
	 935  
	 936  	testResumeState("Handshake", false)
	 937  	ticket := getTicket()
	 938  	testResumeState("Resume", true)
	 939  	if !bytes.Equal(ticket, getTicket()) && version != VersionTLS13 {
	 940  		t.Fatal("first ticket doesn't match ticket after resumption")
	 941  	}
	 942  	if bytes.Equal(ticket, getTicket()) && version == VersionTLS13 {
	 943  		t.Fatal("ticket didn't change after resumption")
	 944  	}
	 945  
	 946  	// An old session ticket can resume, but the server will provide a ticket encrypted with a fresh key.
	 947  	serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) }
	 948  	testResumeState("ResumeWithOldTicket", true)
	 949  	if bytes.Equal(ticket[:ticketKeyNameLen], getTicket()[:ticketKeyNameLen]) {
	 950  		t.Fatal("old first ticket matches the fresh one")
	 951  	}
	 952  
	 953  	// Now the session tickey key is expired, so a full handshake should occur.
	 954  	serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) }
	 955  	testResumeState("ResumeWithExpiredTicket", false)
	 956  	if bytes.Equal(ticket, getTicket()) {
	 957  		t.Fatal("expired first ticket matches the fresh one")
	 958  	}
	 959  
	 960  	serverConfig.Time = func() time.Time { return time.Now() } // reset the time back
	 961  	key1 := randomKey()
	 962  	serverConfig.SetSessionTicketKeys([][32]byte{key1})
	 963  
	 964  	testResumeState("InvalidSessionTicketKey", false)
	 965  	testResumeState("ResumeAfterInvalidSessionTicketKey", true)
	 966  
	 967  	key2 := randomKey()
	 968  	serverConfig.SetSessionTicketKeys([][32]byte{key2, key1})
	 969  	ticket = getTicket()
	 970  	testResumeState("KeyChange", true)
	 971  	if bytes.Equal(ticket, getTicket()) {
	 972  		t.Fatal("new ticket wasn't included while resuming")
	 973  	}
	 974  	testResumeState("KeyChangeFinish", true)
	 975  
	 976  	// Age the session ticket a bit, but not yet expired.
	 977  	serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) }
	 978  	testResumeState("OldSessionTicket", true)
	 979  	ticket = getTicket()
	 980  	// Expire the session ticket, which would force a full handshake.
	 981  	serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) }
	 982  	testResumeState("ExpiredSessionTicket", false)
	 983  	if bytes.Equal(ticket, getTicket()) {
	 984  		t.Fatal("new ticket wasn't provided after old ticket expired")
	 985  	}
	 986  
	 987  	// Age the session ticket a bit at a time, but don't expire it.
	 988  	d := 0 * time.Hour
	 989  	for i := 0; i < 13; i++ {
	 990  		d += 12 * time.Hour
	 991  		serverConfig.Time = func() time.Time { return time.Now().Add(d) }
	 992  		testResumeState("OldSessionTicket", true)
	 993  	}
	 994  	// Expire it (now a little more than 7 days) and make sure a full
	 995  	// handshake occurs for TLS 1.2. Resumption should still occur for
	 996  	// TLS 1.3 since the client should be using a fresh ticket sent over
	 997  	// by the server.
	 998  	d += 12 * time.Hour
	 999  	serverConfig.Time = func() time.Time { return time.Now().Add(d) }
	1000  	if version == VersionTLS13 {
	1001  		testResumeState("ExpiredSessionTicket", true)
	1002  	} else {
	1003  		testResumeState("ExpiredSessionTicket", false)
	1004  	}
	1005  	if bytes.Equal(ticket, getTicket()) {
	1006  		t.Fatal("new ticket wasn't provided after old ticket expired")
	1007  	}
	1008  
	1009  	// Reset serverConfig to ensure that calling SetSessionTicketKeys
	1010  	// before the serverConfig is used works.
	1011  	serverConfig = &Config{
	1012  		MaxVersion:	 version,
	1013  		CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
	1014  		Certificates: testConfig.Certificates,
	1015  	}
	1016  	serverConfig.SetSessionTicketKeys([][32]byte{key2})
	1017  
	1018  	testResumeState("FreshConfig", true)
	1019  
	1020  	// In TLS 1.3, cross-cipher suite resumption is allowed as long as the KDF
	1021  	// hash matches. Also, Config.CipherSuites does not apply to TLS 1.3.
	1022  	if version != VersionTLS13 {
	1023  		clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA}
	1024  		testResumeState("DifferentCipherSuite", false)
	1025  		testResumeState("DifferentCipherSuiteRecovers", true)
	1026  	}
	1027  
	1028  	deleteTicket()
	1029  	testResumeState("WithoutSessionTicket", false)
	1030  
	1031  	// Session resumption should work when using client certificates
	1032  	deleteTicket()
	1033  	serverConfig.ClientCAs = rootCAs
	1034  	serverConfig.ClientAuth = RequireAndVerifyClientCert
	1035  	clientConfig.Certificates = serverConfig.Certificates
	1036  	testResumeState("InitialHandshake", false)
	1037  	testResumeState("WithClientCertificates", true)
	1038  	serverConfig.ClientAuth = NoClientCert
	1039  
	1040  	// Tickets should be removed from the session cache on TLS handshake
	1041  	// failure, and the client should recover from a corrupted PSK
	1042  	testResumeState("FetchTicketToCorrupt", false)
	1043  	corruptTicket()
	1044  	_, _, err = testHandshake(t, clientConfig, serverConfig)
	1045  	if err == nil {
	1046  		t.Fatalf("handshake did not fail with a corrupted client secret")
	1047  	}
	1048  	testResumeState("AfterHandshakeFailure", false)
	1049  
	1050  	clientConfig.ClientSessionCache = nil
	1051  	testResumeState("WithoutSessionCache", false)
	1052  }
	1053  
	1054  func TestLRUClientSessionCache(t *testing.T) {
	1055  	// Initialize cache of capacity 4.
	1056  	cache := NewLRUClientSessionCache(4)
	1057  	cs := make([]ClientSessionState, 6)
	1058  	keys := []string{"0", "1", "2", "3", "4", "5", "6"}
	1059  
	1060  	// Add 4 entries to the cache and look them up.
	1061  	for i := 0; i < 4; i++ {
	1062  		cache.Put(keys[i], &cs[i])
	1063  	}
	1064  	for i := 0; i < 4; i++ {
	1065  		if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] {
	1066  			t.Fatalf("session cache failed lookup for added key: %s", keys[i])
	1067  		}
	1068  	}
	1069  
	1070  	// Add 2 more entries to the cache. First 2 should be evicted.
	1071  	for i := 4; i < 6; i++ {
	1072  		cache.Put(keys[i], &cs[i])
	1073  	}
	1074  	for i := 0; i < 2; i++ {
	1075  		if s, ok := cache.Get(keys[i]); ok || s != nil {
	1076  			t.Fatalf("session cache should have evicted key: %s", keys[i])
	1077  		}
	1078  	}
	1079  
	1080  	// Touch entry 2. LRU should evict 3 next.
	1081  	cache.Get(keys[2])
	1082  	cache.Put(keys[0], &cs[0])
	1083  	if s, ok := cache.Get(keys[3]); ok || s != nil {
	1084  		t.Fatalf("session cache should have evicted key 3")
	1085  	}
	1086  
	1087  	// Update entry 0 in place.
	1088  	cache.Put(keys[0], &cs[3])
	1089  	if s, ok := cache.Get(keys[0]); !ok || s != &cs[3] {
	1090  		t.Fatalf("session cache failed update for key 0")
	1091  	}
	1092  
	1093  	// Calling Put with a nil entry deletes the key.
	1094  	cache.Put(keys[0], nil)
	1095  	if _, ok := cache.Get(keys[0]); ok {
	1096  		t.Fatalf("session cache failed to delete key 0")
	1097  	}
	1098  
	1099  	// Delete entry 2. LRU should keep 4 and 5
	1100  	cache.Put(keys[2], nil)
	1101  	if _, ok := cache.Get(keys[2]); ok {
	1102  		t.Fatalf("session cache failed to delete key 4")
	1103  	}
	1104  	for i := 4; i < 6; i++ {
	1105  		if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] {
	1106  			t.Fatalf("session cache should not have deleted key: %s", keys[i])
	1107  		}
	1108  	}
	1109  }
	1110  
	1111  func TestKeyLogTLS12(t *testing.T) {
	1112  	var serverBuf, clientBuf bytes.Buffer
	1113  
	1114  	clientConfig := testConfig.Clone()
	1115  	clientConfig.KeyLogWriter = &clientBuf
	1116  	clientConfig.MaxVersion = VersionTLS12
	1117  
	1118  	serverConfig := testConfig.Clone()
	1119  	serverConfig.KeyLogWriter = &serverBuf
	1120  	serverConfig.MaxVersion = VersionTLS12
	1121  
	1122  	c, s := localPipe(t)
	1123  	done := make(chan bool)
	1124  
	1125  	go func() {
	1126  		defer close(done)
	1127  
	1128  		if err := Server(s, serverConfig).Handshake(); err != nil {
	1129  			t.Errorf("server: %s", err)
	1130  			return
	1131  		}
	1132  		s.Close()
	1133  	}()
	1134  
	1135  	if err := Client(c, clientConfig).Handshake(); err != nil {
	1136  		t.Fatalf("client: %s", err)
	1137  	}
	1138  
	1139  	c.Close()
	1140  	<-done
	1141  
	1142  	checkKeylogLine := func(side, loggedLine string) {
	1143  		if len(loggedLine) == 0 {
	1144  			t.Fatalf("%s: no keylog line was produced", side)
	1145  		}
	1146  		const expectedLen = 13 /* "CLIENT_RANDOM" */ +
	1147  			1 /* space */ +
	1148  			32*2 /* hex client nonce */ +
	1149  			1 /* space */ +
	1150  			48*2 /* hex master secret */ +
	1151  			1 /* new line */
	1152  		if len(loggedLine) != expectedLen {
	1153  			t.Fatalf("%s: keylog line has incorrect length (want %d, got %d): %q", side, expectedLen, len(loggedLine), loggedLine)
	1154  		}
	1155  		if !strings.HasPrefix(loggedLine, "CLIENT_RANDOM "+strings.Repeat("0", 64)+" ") {
	1156  			t.Fatalf("%s: keylog line has incorrect structure or nonce: %q", side, loggedLine)
	1157  		}
	1158  	}
	1159  
	1160  	checkKeylogLine("client", clientBuf.String())
	1161  	checkKeylogLine("server", serverBuf.String())
	1162  }
	1163  
	1164  func TestKeyLogTLS13(t *testing.T) {
	1165  	var serverBuf, clientBuf bytes.Buffer
	1166  
	1167  	clientConfig := testConfig.Clone()
	1168  	clientConfig.KeyLogWriter = &clientBuf
	1169  
	1170  	serverConfig := testConfig.Clone()
	1171  	serverConfig.KeyLogWriter = &serverBuf
	1172  
	1173  	c, s := localPipe(t)
	1174  	done := make(chan bool)
	1175  
	1176  	go func() {
	1177  		defer close(done)
	1178  
	1179  		if err := Server(s, serverConfig).Handshake(); err != nil {
	1180  			t.Errorf("server: %s", err)
	1181  			return
	1182  		}
	1183  		s.Close()
	1184  	}()
	1185  
	1186  	if err := Client(c, clientConfig).Handshake(); err != nil {
	1187  		t.Fatalf("client: %s", err)
	1188  	}
	1189  
	1190  	c.Close()
	1191  	<-done
	1192  
	1193  	checkKeylogLines := func(side, loggedLines string) {
	1194  		loggedLines = strings.TrimSpace(loggedLines)
	1195  		lines := strings.Split(loggedLines, "\n")
	1196  		if len(lines) != 4 {
	1197  			t.Errorf("Expected the %s to log 4 lines, got %d", side, len(lines))
	1198  		}
	1199  	}
	1200  
	1201  	checkKeylogLines("client", clientBuf.String())
	1202  	checkKeylogLines("server", serverBuf.String())
	1203  }
	1204  
	1205  func TestHandshakeClientALPNMatch(t *testing.T) {
	1206  	config := testConfig.Clone()
	1207  	config.NextProtos = []string{"proto2", "proto1"}
	1208  
	1209  	test := &clientTest{
	1210  		name: "ALPN",
	1211  		// Note that this needs OpenSSL 1.0.2 because that is the first
	1212  		// version that supports the -alpn flag.
	1213  		args:	 []string{"-alpn", "proto1,proto2"},
	1214  		config: config,
	1215  		validate: func(state ConnectionState) error {
	1216  			// The server's preferences should override the client.
	1217  			if state.NegotiatedProtocol != "proto1" {
	1218  				return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol)
	1219  			}
	1220  			return nil
	1221  		},
	1222  	}
	1223  	runClientTestTLS12(t, test)
	1224  	runClientTestTLS13(t, test)
	1225  }
	1226  
	1227  func TestServerSelectingUnconfiguredApplicationProtocol(t *testing.T) {
	1228  	// This checks that the server can't select an application protocol that the
	1229  	// client didn't offer.
	1230  
	1231  	c, s := localPipe(t)
	1232  	errChan := make(chan error, 1)
	1233  
	1234  	go func() {
	1235  		client := Client(c, &Config{
	1236  			ServerName:	 "foo",
	1237  			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
	1238  			NextProtos:	 []string{"http", "something-else"},
	1239  		})
	1240  		errChan <- client.Handshake()
	1241  	}()
	1242  
	1243  	var header [5]byte
	1244  	if _, err := io.ReadFull(s, header[:]); err != nil {
	1245  		t.Fatal(err)
	1246  	}
	1247  	recordLen := int(header[3])<<8 | int(header[4])
	1248  
	1249  	record := make([]byte, recordLen)
	1250  	if _, err := io.ReadFull(s, record); err != nil {
	1251  		t.Fatal(err)
	1252  	}
	1253  
	1254  	serverHello := &serverHelloMsg{
	1255  		vers:				 VersionTLS12,
	1256  		random:			 make([]byte, 32),
	1257  		cipherSuite:	TLS_RSA_WITH_AES_128_GCM_SHA256,
	1258  		alpnProtocol: "how-about-this",
	1259  	}
	1260  	serverHelloBytes := serverHello.marshal()
	1261  
	1262  	s.Write([]byte{
	1263  		byte(recordTypeHandshake),
	1264  		byte(VersionTLS12 >> 8),
	1265  		byte(VersionTLS12 & 0xff),
	1266  		byte(len(serverHelloBytes) >> 8),
	1267  		byte(len(serverHelloBytes)),
	1268  	})
	1269  	s.Write(serverHelloBytes)
	1270  	s.Close()
	1271  
	1272  	if err := <-errChan; !strings.Contains(err.Error(), "server selected unadvertised ALPN protocol") {
	1273  		t.Fatalf("Expected error about unconfigured cipher suite but got %q", err)
	1274  	}
	1275  }
	1276  
	1277  // sctsBase64 contains data from `openssl s_client -serverinfo 18 -connect ritter.vg:443`
	1278  const sctsBase64 = "ABIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFHl5nuFgAABAMARjBEAiAcS4JdlW5nW9sElUv2zvQyPoZ6ejKrGGB03gjaBZFMLwIgc1Qbbn+hsH0RvObzhS+XZhr3iuQQJY8S9G85D9KeGPAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUeX4bVwAAAEAwBHMEUCIDIhFDgG2HIuADBkGuLobU5a4dlCHoJLliWJ1SYT05z6AiEAjxIoZFFPRNWMGGIjskOTMwXzQ1Wh2e7NxXE1kd1J0QsAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAUhcZIqHAAAEAwBHMEUCICmJ1rBT09LpkbzxtUC+Hi7nXLR0J+2PmwLp+sJMuqK+AiEAr0NkUnEVKVhAkccIFpYDqHOlZaBsuEhWWrYpg2RtKp0="
	1279  
	1280  func TestHandshakClientSCTs(t *testing.T) {
	1281  	config := testConfig.Clone()
	1282  
	1283  	scts, err := base64.StdEncoding.DecodeString(sctsBase64)
	1284  	if err != nil {
	1285  		t.Fatal(err)
	1286  	}
	1287  
	1288  	// Note that this needs OpenSSL 1.0.2 because that is the first
	1289  	// version that supports the -serverinfo flag.
	1290  	test := &clientTest{
	1291  		name:			 "SCT",
	1292  		config:		 config,
	1293  		extensions: [][]byte{scts},
	1294  		validate: func(state ConnectionState) error {
	1295  			expectedSCTs := [][]byte{
	1296  				scts[8:125],
	1297  				scts[127:245],
	1298  				scts[247:],
	1299  			}
	1300  			if n := len(state.SignedCertificateTimestamps); n != len(expectedSCTs) {
	1301  				return fmt.Errorf("Got %d scts, wanted %d", n, len(expectedSCTs))
	1302  			}
	1303  			for i, expected := range expectedSCTs {
	1304  				if sct := state.SignedCertificateTimestamps[i]; !bytes.Equal(sct, expected) {
	1305  					return fmt.Errorf("SCT #%d contained %x, expected %x", i, sct, expected)
	1306  				}
	1307  			}
	1308  			return nil
	1309  		},
	1310  	}
	1311  	runClientTestTLS12(t, test)
	1312  
	1313  	// TLS 1.3 moved SCTs to the Certificate extensions and -serverinfo only
	1314  	// supports ServerHello extensions.
	1315  }
	1316  
	1317  func TestRenegotiationRejected(t *testing.T) {
	1318  	config := testConfig.Clone()
	1319  	test := &clientTest{
	1320  		name:												"RenegotiationRejected",
	1321  		args:												[]string{"-state"},
	1322  		config:											config,
	1323  		numRenegotiations:					 1,
	1324  		renegotiationExpectedToFail: 1,
	1325  		checkRenegotiationError: func(renegotiationNum int, err error) error {
	1326  			if err == nil {
	1327  				return errors.New("expected error from renegotiation but got nil")
	1328  			}
	1329  			if !strings.Contains(err.Error(), "no renegotiation") {
	1330  				return fmt.Errorf("expected renegotiation to be rejected but got %q", err)
	1331  			}
	1332  			return nil
	1333  		},
	1334  	}
	1335  	runClientTestTLS12(t, test)
	1336  }
	1337  
	1338  func TestRenegotiateOnce(t *testing.T) {
	1339  	config := testConfig.Clone()
	1340  	config.Renegotiation = RenegotiateOnceAsClient
	1341  
	1342  	test := &clientTest{
	1343  		name:							"RenegotiateOnce",
	1344  		args:							[]string{"-state"},
	1345  		config:						config,
	1346  		numRenegotiations: 1,
	1347  	}
	1348  
	1349  	runClientTestTLS12(t, test)
	1350  }
	1351  
	1352  func TestRenegotiateTwice(t *testing.T) {
	1353  	config := testConfig.Clone()
	1354  	config.Renegotiation = RenegotiateFreelyAsClient
	1355  
	1356  	test := &clientTest{
	1357  		name:							"RenegotiateTwice",
	1358  		args:							[]string{"-state"},
	1359  		config:						config,
	1360  		numRenegotiations: 2,
	1361  	}
	1362  
	1363  	runClientTestTLS12(t, test)
	1364  }
	1365  
	1366  func TestRenegotiateTwiceRejected(t *testing.T) {
	1367  	config := testConfig.Clone()
	1368  	config.Renegotiation = RenegotiateOnceAsClient
	1369  
	1370  	test := &clientTest{
	1371  		name:												"RenegotiateTwiceRejected",
	1372  		args:												[]string{"-state"},
	1373  		config:											config,
	1374  		numRenegotiations:					 2,
	1375  		renegotiationExpectedToFail: 2,
	1376  		checkRenegotiationError: func(renegotiationNum int, err error) error {
	1377  			if renegotiationNum == 1 {
	1378  				return err
	1379  			}
	1380  
	1381  			if err == nil {
	1382  				return errors.New("expected error from renegotiation but got nil")
	1383  			}
	1384  			if !strings.Contains(err.Error(), "no renegotiation") {
	1385  				return fmt.Errorf("expected renegotiation to be rejected but got %q", err)
	1386  			}
	1387  			return nil
	1388  		},
	1389  	}
	1390  
	1391  	runClientTestTLS12(t, test)
	1392  }
	1393  
	1394  func TestHandshakeClientExportKeyingMaterial(t *testing.T) {
	1395  	test := &clientTest{
	1396  		name:	 "ExportKeyingMaterial",
	1397  		config: testConfig.Clone(),
	1398  		validate: func(state ConnectionState) error {
	1399  			if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
	1400  				return fmt.Errorf("ExportKeyingMaterial failed: %v", err)
	1401  			} else if len(km) != 42 {
	1402  				return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42)
	1403  			}
	1404  			return nil
	1405  		},
	1406  	}
	1407  	runClientTestTLS10(t, test)
	1408  	runClientTestTLS12(t, test)
	1409  	runClientTestTLS13(t, test)
	1410  }
	1411  
	1412  var hostnameInSNITests = []struct {
	1413  	in, out string
	1414  }{
	1415  	// Opaque string
	1416  	{"", ""},
	1417  	{"localhost", "localhost"},
	1418  	{"foo, bar, baz and qux", "foo, bar, baz and qux"},
	1419  
	1420  	// DNS hostname
	1421  	{"golang.org", "golang.org"},
	1422  	{"golang.org.", "golang.org"},
	1423  
	1424  	// Literal IPv4 address
	1425  	{"1.2.3.4", ""},
	1426  
	1427  	// Literal IPv6 address
	1428  	{"::1", ""},
	1429  	{"::1%lo0", ""}, // with zone identifier
	1430  	{"[::1]", ""},	 // as per RFC 5952 we allow the [] style as IPv6 literal
	1431  	{"[::1%lo0]", ""},
	1432  }
	1433  
	1434  func TestHostnameInSNI(t *testing.T) {
	1435  	for _, tt := range hostnameInSNITests {
	1436  		c, s := localPipe(t)
	1437  
	1438  		go func(host string) {
	1439  			Client(c, &Config{ServerName: host, InsecureSkipVerify: true}).Handshake()
	1440  		}(tt.in)
	1441  
	1442  		var header [5]byte
	1443  		if _, err := io.ReadFull(s, header[:]); err != nil {
	1444  			t.Fatal(err)
	1445  		}
	1446  		recordLen := int(header[3])<<8 | int(header[4])
	1447  
	1448  		record := make([]byte, recordLen)
	1449  		if _, err := io.ReadFull(s, record[:]); err != nil {
	1450  			t.Fatal(err)
	1451  		}
	1452  
	1453  		c.Close()
	1454  		s.Close()
	1455  
	1456  		var m clientHelloMsg
	1457  		if !m.unmarshal(record) {
	1458  			t.Errorf("unmarshaling ClientHello for %q failed", tt.in)
	1459  			continue
	1460  		}
	1461  		if tt.in != tt.out && m.serverName == tt.in {
	1462  			t.Errorf("prohibited %q found in ClientHello: %x", tt.in, record)
	1463  		}
	1464  		if m.serverName != tt.out {
	1465  			t.Errorf("expected %q not found in ClientHello: %x", tt.out, record)
	1466  		}
	1467  	}
	1468  }
	1469  
	1470  func TestServerSelectingUnconfiguredCipherSuite(t *testing.T) {
	1471  	// This checks that the server can't select a cipher suite that the
	1472  	// client didn't offer. See #13174.
	1473  
	1474  	c, s := localPipe(t)
	1475  	errChan := make(chan error, 1)
	1476  
	1477  	go func() {
	1478  		client := Client(c, &Config{
	1479  			ServerName:	 "foo",
	1480  			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
	1481  		})
	1482  		errChan <- client.Handshake()
	1483  	}()
	1484  
	1485  	var header [5]byte
	1486  	if _, err := io.ReadFull(s, header[:]); err != nil {
	1487  		t.Fatal(err)
	1488  	}
	1489  	recordLen := int(header[3])<<8 | int(header[4])
	1490  
	1491  	record := make([]byte, recordLen)
	1492  	if _, err := io.ReadFull(s, record); err != nil {
	1493  		t.Fatal(err)
	1494  	}
	1495  
	1496  	// Create a ServerHello that selects a different cipher suite than the
	1497  	// sole one that the client offered.
	1498  	serverHello := &serverHelloMsg{
	1499  		vers:				VersionTLS12,
	1500  		random:			make([]byte, 32),
	1501  		cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384,
	1502  	}
	1503  	serverHelloBytes := serverHello.marshal()
	1504  
	1505  	s.Write([]byte{
	1506  		byte(recordTypeHandshake),
	1507  		byte(VersionTLS12 >> 8),
	1508  		byte(VersionTLS12 & 0xff),
	1509  		byte(len(serverHelloBytes) >> 8),
	1510  		byte(len(serverHelloBytes)),
	1511  	})
	1512  	s.Write(serverHelloBytes)
	1513  	s.Close()
	1514  
	1515  	if err := <-errChan; !strings.Contains(err.Error(), "unconfigured cipher") {
	1516  		t.Fatalf("Expected error about unconfigured cipher suite but got %q", err)
	1517  	}
	1518  }
	1519  
	1520  func TestVerifyConnection(t *testing.T) {
	1521  	t.Run("TLSv12", func(t *testing.T) { testVerifyConnection(t, VersionTLS12) })
	1522  	t.Run("TLSv13", func(t *testing.T) { testVerifyConnection(t, VersionTLS13) })
	1523  }
	1524  
	1525  func testVerifyConnection(t *testing.T, version uint16) {
	1526  	checkFields := func(c ConnectionState, called *int, errorType string) error {
	1527  		if c.Version != version {
	1528  			return fmt.Errorf("%s: got Version %v, want %v", errorType, c.Version, version)
	1529  		}
	1530  		if c.HandshakeComplete {
	1531  			return fmt.Errorf("%s: got HandshakeComplete, want false", errorType)
	1532  		}
	1533  		if c.ServerName != "example.golang" {
	1534  			return fmt.Errorf("%s: got ServerName %s, want %s", errorType, c.ServerName, "example.golang")
	1535  		}
	1536  		if c.NegotiatedProtocol != "protocol1" {
	1537  			return fmt.Errorf("%s: got NegotiatedProtocol %s, want %s", errorType, c.NegotiatedProtocol, "protocol1")
	1538  		}
	1539  		if c.CipherSuite == 0 {
	1540  			return fmt.Errorf("%s: got CipherSuite 0, want non-zero", errorType)
	1541  		}
	1542  		wantDidResume := false
	1543  		if *called == 2 { // if this is the second time, then it should be a resumption
	1544  			wantDidResume = true
	1545  		}
	1546  		if c.DidResume != wantDidResume {
	1547  			return fmt.Errorf("%s: got DidResume %t, want %t", errorType, c.DidResume, wantDidResume)
	1548  		}
	1549  		return nil
	1550  	}
	1551  
	1552  	tests := []struct {
	1553  		name						string
	1554  		configureServer func(*Config, *int)
	1555  		configureClient func(*Config, *int)
	1556  	}{
	1557  		{
	1558  			name: "RequireAndVerifyClientCert",
	1559  			configureServer: func(config *Config, called *int) {
	1560  				config.ClientAuth = RequireAndVerifyClientCert
	1561  				config.VerifyConnection = func(c ConnectionState) error {
	1562  					*called++
	1563  					if l := len(c.PeerCertificates); l != 1 {
	1564  						return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l)
	1565  					}
	1566  					if len(c.VerifiedChains) == 0 {
	1567  						return fmt.Errorf("server: got len(VerifiedChains) = 0, wanted non-zero")
	1568  					}
	1569  					return checkFields(c, called, "server")
	1570  				}
	1571  			},
	1572  			configureClient: func(config *Config, called *int) {
	1573  				config.VerifyConnection = func(c ConnectionState) error {
	1574  					*called++
	1575  					if l := len(c.PeerCertificates); l != 1 {
	1576  						return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l)
	1577  					}
	1578  					if len(c.VerifiedChains) == 0 {
	1579  						return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero")
	1580  					}
	1581  					if c.DidResume {
	1582  						return nil
	1583  						// The SCTs and OCSP Response are dropped on resumption.
	1584  						// See http://golang.org/issue/39075.
	1585  					}
	1586  					if len(c.OCSPResponse) == 0 {
	1587  						return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero")
	1588  					}
	1589  					if len(c.SignedCertificateTimestamps) == 0 {
	1590  						return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero")
	1591  					}
	1592  					return checkFields(c, called, "client")
	1593  				}
	1594  			},
	1595  		},
	1596  		{
	1597  			name: "InsecureSkipVerify",
	1598  			configureServer: func(config *Config, called *int) {
	1599  				config.ClientAuth = RequireAnyClientCert
	1600  				config.InsecureSkipVerify = true
	1601  				config.VerifyConnection = func(c ConnectionState) error {
	1602  					*called++
	1603  					if l := len(c.PeerCertificates); l != 1 {
	1604  						return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l)
	1605  					}
	1606  					if c.VerifiedChains != nil {
	1607  						return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains)
	1608  					}
	1609  					return checkFields(c, called, "server")
	1610  				}
	1611  			},
	1612  			configureClient: func(config *Config, called *int) {
	1613  				config.InsecureSkipVerify = true
	1614  				config.VerifyConnection = func(c ConnectionState) error {
	1615  					*called++
	1616  					if l := len(c.PeerCertificates); l != 1 {
	1617  						return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l)
	1618  					}
	1619  					if c.VerifiedChains != nil {
	1620  						return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains)
	1621  					}
	1622  					if c.DidResume {
	1623  						return nil
	1624  						// The SCTs and OCSP Response are dropped on resumption.
	1625  						// See http://golang.org/issue/39075.
	1626  					}
	1627  					if len(c.OCSPResponse) == 0 {
	1628  						return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero")
	1629  					}
	1630  					if len(c.SignedCertificateTimestamps) == 0 {
	1631  						return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero")
	1632  					}
	1633  					return checkFields(c, called, "client")
	1634  				}
	1635  			},
	1636  		},
	1637  		{
	1638  			name: "NoClientCert",
	1639  			configureServer: func(config *Config, called *int) {
	1640  				config.ClientAuth = NoClientCert
	1641  				config.VerifyConnection = func(c ConnectionState) error {
	1642  					*called++
	1643  					return checkFields(c, called, "server")
	1644  				}
	1645  			},
	1646  			configureClient: func(config *Config, called *int) {
	1647  				config.VerifyConnection = func(c ConnectionState) error {
	1648  					*called++
	1649  					return checkFields(c, called, "client")
	1650  				}
	1651  			},
	1652  		},
	1653  		{
	1654  			name: "RequestClientCert",
	1655  			configureServer: func(config *Config, called *int) {
	1656  				config.ClientAuth = RequestClientCert
	1657  				config.VerifyConnection = func(c ConnectionState) error {
	1658  					*called++
	1659  					return checkFields(c, called, "server")
	1660  				}
	1661  			},
	1662  			configureClient: func(config *Config, called *int) {
	1663  				config.Certificates = nil // clear the client cert
	1664  				config.VerifyConnection = func(c ConnectionState) error {
	1665  					*called++
	1666  					if l := len(c.PeerCertificates); l != 1 {
	1667  						return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l)
	1668  					}
	1669  					if len(c.VerifiedChains) == 0 {
	1670  						return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero")
	1671  					}
	1672  					if c.DidResume {
	1673  						return nil
	1674  						// The SCTs and OCSP Response are dropped on resumption.
	1675  						// See http://golang.org/issue/39075.
	1676  					}
	1677  					if len(c.OCSPResponse) == 0 {
	1678  						return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero")
	1679  					}
	1680  					if len(c.SignedCertificateTimestamps) == 0 {
	1681  						return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero")
	1682  					}
	1683  					return checkFields(c, called, "client")
	1684  				}
	1685  			},
	1686  		},
	1687  	}
	1688  	for _, test := range tests {
	1689  		issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
	1690  		if err != nil {
	1691  			panic(err)
	1692  		}
	1693  		rootCAs := x509.NewCertPool()
	1694  		rootCAs.AddCert(issuer)
	1695  
	1696  		var serverCalled, clientCalled int
	1697  
	1698  		serverConfig := &Config{
	1699  			MaxVersion:	 version,
	1700  			Certificates: []Certificate{testConfig.Certificates[0]},
	1701  			ClientCAs:		rootCAs,
	1702  			NextProtos:	 []string{"protocol1"},
	1703  		}
	1704  		serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
	1705  		serverConfig.Certificates[0].OCSPStaple = []byte("dummy ocsp")
	1706  		test.configureServer(serverConfig, &serverCalled)
	1707  
	1708  		clientConfig := &Config{
	1709  			MaxVersion:				 version,
	1710  			ClientSessionCache: NewLRUClientSessionCache(32),
	1711  			RootCAs:						rootCAs,
	1712  			ServerName:				 "example.golang",
	1713  			Certificates:			 []Certificate{testConfig.Certificates[0]},
	1714  			NextProtos:				 []string{"protocol1"},
	1715  		}
	1716  		test.configureClient(clientConfig, &clientCalled)
	1717  
	1718  		testHandshakeState := func(name string, didResume bool) {
	1719  			_, hs, err := testHandshake(t, clientConfig, serverConfig)
	1720  			if err != nil {
	1721  				t.Fatalf("%s: handshake failed: %s", name, err)
	1722  			}
	1723  			if hs.DidResume != didResume {
	1724  				t.Errorf("%s: resumed: %v, expected: %v", name, hs.DidResume, didResume)
	1725  			}
	1726  			wantCalled := 1
	1727  			if didResume {
	1728  				wantCalled = 2 // resumption would mean this is the second time it was called in this test
	1729  			}
	1730  			if clientCalled != wantCalled {
	1731  				t.Errorf("%s: expected client VerifyConnection called %d times, did %d times", name, wantCalled, clientCalled)
	1732  			}
	1733  			if serverCalled != wantCalled {
	1734  				t.Errorf("%s: expected server VerifyConnection called %d times, did %d times", name, wantCalled, serverCalled)
	1735  			}
	1736  		}
	1737  		testHandshakeState(fmt.Sprintf("%s-FullHandshake", test.name), false)
	1738  		testHandshakeState(fmt.Sprintf("%s-Resumption", test.name), true)
	1739  	}
	1740  }
	1741  
	1742  func TestVerifyPeerCertificate(t *testing.T) {
	1743  	t.Run("TLSv12", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS12) })
	1744  	t.Run("TLSv13", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS13) })
	1745  }
	1746  
	1747  func testVerifyPeerCertificate(t *testing.T, version uint16) {
	1748  	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
	1749  	if err != nil {
	1750  		panic(err)
	1751  	}
	1752  
	1753  	rootCAs := x509.NewCertPool()
	1754  	rootCAs.AddCert(issuer)
	1755  
	1756  	now := func() time.Time { return time.Unix(1476984729, 0) }
	1757  
	1758  	sentinelErr := errors.New("TestVerifyPeerCertificate")
	1759  
	1760  	verifyPeerCertificateCallback := func(called *bool, rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1761  		if l := len(rawCerts); l != 1 {
	1762  			return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l)
	1763  		}
	1764  		if len(validatedChains) == 0 {
	1765  			return errors.New("got len(validatedChains) = 0, wanted non-zero")
	1766  		}
	1767  		*called = true
	1768  		return nil
	1769  	}
	1770  	verifyConnectionCallback := func(called *bool, isClient bool, c ConnectionState) error {
	1771  		if l := len(c.PeerCertificates); l != 1 {
	1772  			return fmt.Errorf("got len(PeerCertificates) = %d, wanted 1", l)
	1773  		}
	1774  		if len(c.VerifiedChains) == 0 {
	1775  			return fmt.Errorf("got len(VerifiedChains) = 0, wanted non-zero")
	1776  		}
	1777  		if isClient && len(c.OCSPResponse) == 0 {
	1778  			return fmt.Errorf("got len(OCSPResponse) = 0, wanted non-zero")
	1779  		}
	1780  		*called = true
	1781  		return nil
	1782  	}
	1783  
	1784  	tests := []struct {
	1785  		configureServer func(*Config, *bool)
	1786  		configureClient func(*Config, *bool)
	1787  		validate				func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error)
	1788  	}{
	1789  		{
	1790  			configureServer: func(config *Config, called *bool) {
	1791  				config.InsecureSkipVerify = false
	1792  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1793  					return verifyPeerCertificateCallback(called, rawCerts, validatedChains)
	1794  				}
	1795  			},
	1796  			configureClient: func(config *Config, called *bool) {
	1797  				config.InsecureSkipVerify = false
	1798  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1799  					return verifyPeerCertificateCallback(called, rawCerts, validatedChains)
	1800  				}
	1801  			},
	1802  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1803  				if clientErr != nil {
	1804  					t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr)
	1805  				}
	1806  				if serverErr != nil {
	1807  					t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr)
	1808  				}
	1809  				if !clientCalled {
	1810  					t.Errorf("test[%d]: client did not call callback", testNo)
	1811  				}
	1812  				if !serverCalled {
	1813  					t.Errorf("test[%d]: server did not call callback", testNo)
	1814  				}
	1815  			},
	1816  		},
	1817  		{
	1818  			configureServer: func(config *Config, called *bool) {
	1819  				config.InsecureSkipVerify = false
	1820  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1821  					return sentinelErr
	1822  				}
	1823  			},
	1824  			configureClient: func(config *Config, called *bool) {
	1825  				config.VerifyPeerCertificate = nil
	1826  			},
	1827  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1828  				if serverErr != sentinelErr {
	1829  					t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr)
	1830  				}
	1831  			},
	1832  		},
	1833  		{
	1834  			configureServer: func(config *Config, called *bool) {
	1835  				config.InsecureSkipVerify = false
	1836  			},
	1837  			configureClient: func(config *Config, called *bool) {
	1838  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1839  					return sentinelErr
	1840  				}
	1841  			},
	1842  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1843  				if clientErr != sentinelErr {
	1844  					t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr)
	1845  				}
	1846  			},
	1847  		},
	1848  		{
	1849  			configureServer: func(config *Config, called *bool) {
	1850  				config.InsecureSkipVerify = false
	1851  			},
	1852  			configureClient: func(config *Config, called *bool) {
	1853  				config.InsecureSkipVerify = true
	1854  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1855  					if l := len(rawCerts); l != 1 {
	1856  						return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l)
	1857  					}
	1858  					// With InsecureSkipVerify set, this
	1859  					// callback should still be called but
	1860  					// validatedChains must be empty.
	1861  					if l := len(validatedChains); l != 0 {
	1862  						return fmt.Errorf("got len(validatedChains) = %d, wanted zero", l)
	1863  					}
	1864  					*called = true
	1865  					return nil
	1866  				}
	1867  			},
	1868  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1869  				if clientErr != nil {
	1870  					t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr)
	1871  				}
	1872  				if serverErr != nil {
	1873  					t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr)
	1874  				}
	1875  				if !clientCalled {
	1876  					t.Errorf("test[%d]: client did not call callback", testNo)
	1877  				}
	1878  			},
	1879  		},
	1880  		{
	1881  			configureServer: func(config *Config, called *bool) {
	1882  				config.InsecureSkipVerify = false
	1883  				config.VerifyConnection = func(c ConnectionState) error {
	1884  					return verifyConnectionCallback(called, false, c)
	1885  				}
	1886  			},
	1887  			configureClient: func(config *Config, called *bool) {
	1888  				config.InsecureSkipVerify = false
	1889  				config.VerifyConnection = func(c ConnectionState) error {
	1890  					return verifyConnectionCallback(called, true, c)
	1891  				}
	1892  			},
	1893  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1894  				if clientErr != nil {
	1895  					t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr)
	1896  				}
	1897  				if serverErr != nil {
	1898  					t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr)
	1899  				}
	1900  				if !clientCalled {
	1901  					t.Errorf("test[%d]: client did not call callback", testNo)
	1902  				}
	1903  				if !serverCalled {
	1904  					t.Errorf("test[%d]: server did not call callback", testNo)
	1905  				}
	1906  			},
	1907  		},
	1908  		{
	1909  			configureServer: func(config *Config, called *bool) {
	1910  				config.InsecureSkipVerify = false
	1911  				config.VerifyConnection = func(c ConnectionState) error {
	1912  					return sentinelErr
	1913  				}
	1914  			},
	1915  			configureClient: func(config *Config, called *bool) {
	1916  				config.InsecureSkipVerify = false
	1917  				config.VerifyConnection = nil
	1918  			},
	1919  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1920  				if serverErr != sentinelErr {
	1921  					t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr)
	1922  				}
	1923  			},
	1924  		},
	1925  		{
	1926  			configureServer: func(config *Config, called *bool) {
	1927  				config.InsecureSkipVerify = false
	1928  				config.VerifyConnection = nil
	1929  			},
	1930  			configureClient: func(config *Config, called *bool) {
	1931  				config.InsecureSkipVerify = false
	1932  				config.VerifyConnection = func(c ConnectionState) error {
	1933  					return sentinelErr
	1934  				}
	1935  			},
	1936  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1937  				if clientErr != sentinelErr {
	1938  					t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr)
	1939  				}
	1940  			},
	1941  		},
	1942  		{
	1943  			configureServer: func(config *Config, called *bool) {
	1944  				config.InsecureSkipVerify = false
	1945  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1946  					return verifyPeerCertificateCallback(called, rawCerts, validatedChains)
	1947  				}
	1948  				config.VerifyConnection = func(c ConnectionState) error {
	1949  					return sentinelErr
	1950  				}
	1951  			},
	1952  			configureClient: func(config *Config, called *bool) {
	1953  				config.InsecureSkipVerify = false
	1954  				config.VerifyPeerCertificate = nil
	1955  				config.VerifyConnection = nil
	1956  			},
	1957  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1958  				if serverErr != sentinelErr {
	1959  					t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr)
	1960  				}
	1961  				if !serverCalled {
	1962  					t.Errorf("test[%d]: server did not call callback", testNo)
	1963  				}
	1964  			},
	1965  		},
	1966  		{
	1967  			configureServer: func(config *Config, called *bool) {
	1968  				config.InsecureSkipVerify = false
	1969  				config.VerifyPeerCertificate = nil
	1970  				config.VerifyConnection = nil
	1971  			},
	1972  			configureClient: func(config *Config, called *bool) {
	1973  				config.InsecureSkipVerify = false
	1974  				config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error {
	1975  					return verifyPeerCertificateCallback(called, rawCerts, validatedChains)
	1976  				}
	1977  				config.VerifyConnection = func(c ConnectionState) error {
	1978  					return sentinelErr
	1979  				}
	1980  			},
	1981  			validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) {
	1982  				if clientErr != sentinelErr {
	1983  					t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr)
	1984  				}
	1985  				if !clientCalled {
	1986  					t.Errorf("test[%d]: client did not call callback", testNo)
	1987  				}
	1988  			},
	1989  		},
	1990  	}
	1991  
	1992  	for i, test := range tests {
	1993  		c, s := localPipe(t)
	1994  		done := make(chan error)
	1995  
	1996  		var clientCalled, serverCalled bool
	1997  
	1998  		go func() {
	1999  			config := testConfig.Clone()
	2000  			config.ServerName = "example.golang"
	2001  			config.ClientAuth = RequireAndVerifyClientCert
	2002  			config.ClientCAs = rootCAs
	2003  			config.Time = now
	2004  			config.MaxVersion = version
	2005  			config.Certificates = make([]Certificate, 1)
	2006  			config.Certificates[0].Certificate = [][]byte{testRSACertificate}
	2007  			config.Certificates[0].PrivateKey = testRSAPrivateKey
	2008  			config.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")}
	2009  			config.Certificates[0].OCSPStaple = []byte("dummy ocsp")
	2010  			test.configureServer(config, &serverCalled)
	2011  
	2012  			err = Server(s, config).Handshake()
	2013  			s.Close()
	2014  			done <- err
	2015  		}()
	2016  
	2017  		config := testConfig.Clone()
	2018  		config.ServerName = "example.golang"
	2019  		config.RootCAs = rootCAs
	2020  		config.Time = now
	2021  		config.MaxVersion = version
	2022  		test.configureClient(config, &clientCalled)
	2023  		clientErr := Client(c, config).Handshake()
	2024  		c.Close()
	2025  		serverErr := <-done
	2026  
	2027  		test.validate(t, i, clientCalled, serverCalled, clientErr, serverErr)
	2028  	}
	2029  }
	2030  
	2031  // brokenConn wraps a net.Conn and causes all Writes after a certain number to
	2032  // fail with brokenConnErr.
	2033  type brokenConn struct {
	2034  	net.Conn
	2035  
	2036  	// breakAfter is the number of successful writes that will be allowed
	2037  	// before all subsequent writes fail.
	2038  	breakAfter int
	2039  
	2040  	// numWrites is the number of writes that have been done.
	2041  	numWrites int
	2042  }
	2043  
	2044  // brokenConnErr is the error that brokenConn returns once exhausted.
	2045  var brokenConnErr = errors.New("too many writes to brokenConn")
	2046  
	2047  func (b *brokenConn) Write(data []byte) (int, error) {
	2048  	if b.numWrites >= b.breakAfter {
	2049  		return 0, brokenConnErr
	2050  	}
	2051  
	2052  	b.numWrites++
	2053  	return b.Conn.Write(data)
	2054  }
	2055  
	2056  func TestFailedWrite(t *testing.T) {
	2057  	// Test that a write error during the handshake is returned.
	2058  	for _, breakAfter := range []int{0, 1} {
	2059  		c, s := localPipe(t)
	2060  		done := make(chan bool)
	2061  
	2062  		go func() {
	2063  			Server(s, testConfig).Handshake()
	2064  			s.Close()
	2065  			done <- true
	2066  		}()
	2067  
	2068  		brokenC := &brokenConn{Conn: c, breakAfter: breakAfter}
	2069  		err := Client(brokenC, testConfig).Handshake()
	2070  		if err != brokenConnErr {
	2071  			t.Errorf("#%d: expected error from brokenConn but got %q", breakAfter, err)
	2072  		}
	2073  		brokenC.Close()
	2074  
	2075  		<-done
	2076  	}
	2077  }
	2078  
	2079  // writeCountingConn wraps a net.Conn and counts the number of Write calls.
	2080  type writeCountingConn struct {
	2081  	net.Conn
	2082  
	2083  	// numWrites is the number of writes that have been done.
	2084  	numWrites int
	2085  }
	2086  
	2087  func (wcc *writeCountingConn) Write(data []byte) (int, error) {
	2088  	wcc.numWrites++
	2089  	return wcc.Conn.Write(data)
	2090  }
	2091  
	2092  func TestBuffering(t *testing.T) {
	2093  	t.Run("TLSv12", func(t *testing.T) { testBuffering(t, VersionTLS12) })
	2094  	t.Run("TLSv13", func(t *testing.T) { testBuffering(t, VersionTLS13) })
	2095  }
	2096  
	2097  func testBuffering(t *testing.T, version uint16) {
	2098  	c, s := localPipe(t)
	2099  	done := make(chan bool)
	2100  
	2101  	clientWCC := &writeCountingConn{Conn: c}
	2102  	serverWCC := &writeCountingConn{Conn: s}
	2103  
	2104  	go func() {
	2105  		config := testConfig.Clone()
	2106  		config.MaxVersion = version
	2107  		Server(serverWCC, config).Handshake()
	2108  		serverWCC.Close()
	2109  		done <- true
	2110  	}()
	2111  
	2112  	err := Client(clientWCC, testConfig).Handshake()
	2113  	if err != nil {
	2114  		t.Fatal(err)
	2115  	}
	2116  	clientWCC.Close()
	2117  	<-done
	2118  
	2119  	var expectedClient, expectedServer int
	2120  	if version == VersionTLS13 {
	2121  		expectedClient = 2
	2122  		expectedServer = 1
	2123  	} else {
	2124  		expectedClient = 2
	2125  		expectedServer = 2
	2126  	}
	2127  
	2128  	if n := clientWCC.numWrites; n != expectedClient {
	2129  		t.Errorf("expected client handshake to complete with %d writes, but saw %d", expectedClient, n)
	2130  	}
	2131  
	2132  	if n := serverWCC.numWrites; n != expectedServer {
	2133  		t.Errorf("expected server handshake to complete with %d writes, but saw %d", expectedServer, n)
	2134  	}
	2135  }
	2136  
	2137  func TestAlertFlushing(t *testing.T) {
	2138  	c, s := localPipe(t)
	2139  	done := make(chan bool)
	2140  
	2141  	clientWCC := &writeCountingConn{Conn: c}
	2142  	serverWCC := &writeCountingConn{Conn: s}
	2143  
	2144  	serverConfig := testConfig.Clone()
	2145  
	2146  	// Cause a signature-time error
	2147  	brokenKey := rsa.PrivateKey{PublicKey: testRSAPrivateKey.PublicKey}
	2148  	brokenKey.D = big.NewInt(42)
	2149  	serverConfig.Certificates = []Certificate{{
	2150  		Certificate: [][]byte{testRSACertificate},
	2151  		PrivateKey:	&brokenKey,
	2152  	}}
	2153  
	2154  	go func() {
	2155  		Server(serverWCC, serverConfig).Handshake()
	2156  		serverWCC.Close()
	2157  		done <- true
	2158  	}()
	2159  
	2160  	err := Client(clientWCC, testConfig).Handshake()
	2161  	if err == nil {
	2162  		t.Fatal("client unexpectedly returned no error")
	2163  	}
	2164  
	2165  	const expectedError = "remote error: tls: internal error"
	2166  	if e := err.Error(); !strings.Contains(e, expectedError) {
	2167  		t.Fatalf("expected to find %q in error but error was %q", expectedError, e)
	2168  	}
	2169  	clientWCC.Close()
	2170  	<-done
	2171  
	2172  	if n := serverWCC.numWrites; n != 1 {
	2173  		t.Errorf("expected server handshake to complete with one write, but saw %d", n)
	2174  	}
	2175  }
	2176  
	2177  func TestHandshakeRace(t *testing.T) {
	2178  	if testing.Short() {
	2179  		t.Skip("skipping in -short mode")
	2180  	}
	2181  	t.Parallel()
	2182  	// This test races a Read and Write to try and complete a handshake in
	2183  	// order to provide some evidence that there are no races or deadlocks
	2184  	// in the handshake locking.
	2185  	for i := 0; i < 32; i++ {
	2186  		c, s := localPipe(t)
	2187  
	2188  		go func() {
	2189  			server := Server(s, testConfig)
	2190  			if err := server.Handshake(); err != nil {
	2191  				panic(err)
	2192  			}
	2193  
	2194  			var request [1]byte
	2195  			if n, err := server.Read(request[:]); err != nil || n != 1 {
	2196  				panic(err)
	2197  			}
	2198  
	2199  			server.Write(request[:])
	2200  			server.Close()
	2201  		}()
	2202  
	2203  		startWrite := make(chan struct{})
	2204  		startRead := make(chan struct{})
	2205  		readDone := make(chan struct{}, 1)
	2206  
	2207  		client := Client(c, testConfig)
	2208  		go func() {
	2209  			<-startWrite
	2210  			var request [1]byte
	2211  			client.Write(request[:])
	2212  		}()
	2213  
	2214  		go func() {
	2215  			<-startRead
	2216  			var reply [1]byte
	2217  			if _, err := io.ReadFull(client, reply[:]); err != nil {
	2218  				panic(err)
	2219  			}
	2220  			c.Close()
	2221  			readDone <- struct{}{}
	2222  		}()
	2223  
	2224  		if i&1 == 1 {
	2225  			startWrite <- struct{}{}
	2226  			startRead <- struct{}{}
	2227  		} else {
	2228  			startRead <- struct{}{}
	2229  			startWrite <- struct{}{}
	2230  		}
	2231  		<-readDone
	2232  	}
	2233  }
	2234  
	2235  var getClientCertificateTests = []struct {
	2236  	setup							 func(*Config, *Config)
	2237  	expectedClientError string
	2238  	verify							func(*testing.T, int, *ConnectionState)
	2239  }{
	2240  	{
	2241  		func(clientConfig, serverConfig *Config) {
	2242  			// Returning a Certificate with no certificate data
	2243  			// should result in an empty message being sent to the
	2244  			// server.
	2245  			serverConfig.ClientCAs = nil
	2246  			clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) {
	2247  				if len(cri.SignatureSchemes) == 0 {
	2248  					panic("empty SignatureSchemes")
	2249  				}
	2250  				if len(cri.AcceptableCAs) != 0 {
	2251  					panic("AcceptableCAs should have been empty")
	2252  				}
	2253  				return new(Certificate), nil
	2254  			}
	2255  		},
	2256  		"",
	2257  		func(t *testing.T, testNum int, cs *ConnectionState) {
	2258  			if l := len(cs.PeerCertificates); l != 0 {
	2259  				t.Errorf("#%d: expected no certificates but got %d", testNum, l)
	2260  			}
	2261  		},
	2262  	},
	2263  	{
	2264  		func(clientConfig, serverConfig *Config) {
	2265  			// With TLS 1.1, the SignatureSchemes should be
	2266  			// synthesised from the supported certificate types.
	2267  			clientConfig.MaxVersion = VersionTLS11
	2268  			clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) {
	2269  				if len(cri.SignatureSchemes) == 0 {
	2270  					panic("empty SignatureSchemes")
	2271  				}
	2272  				return new(Certificate), nil
	2273  			}
	2274  		},
	2275  		"",
	2276  		func(t *testing.T, testNum int, cs *ConnectionState) {
	2277  			if l := len(cs.PeerCertificates); l != 0 {
	2278  				t.Errorf("#%d: expected no certificates but got %d", testNum, l)
	2279  			}
	2280  		},
	2281  	},
	2282  	{
	2283  		func(clientConfig, serverConfig *Config) {
	2284  			// Returning an error should abort the handshake with
	2285  			// that error.
	2286  			clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) {
	2287  				return nil, errors.New("GetClientCertificate")
	2288  			}
	2289  		},
	2290  		"GetClientCertificate",
	2291  		func(t *testing.T, testNum int, cs *ConnectionState) {
	2292  		},
	2293  	},
	2294  	{
	2295  		func(clientConfig, serverConfig *Config) {
	2296  			clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) {
	2297  				if len(cri.AcceptableCAs) == 0 {
	2298  					panic("empty AcceptableCAs")
	2299  				}
	2300  				cert := &Certificate{
	2301  					Certificate: [][]byte{testRSACertificate},
	2302  					PrivateKey:	testRSAPrivateKey,
	2303  				}
	2304  				return cert, nil
	2305  			}
	2306  		},
	2307  		"",
	2308  		func(t *testing.T, testNum int, cs *ConnectionState) {
	2309  			if len(cs.VerifiedChains) == 0 {
	2310  				t.Errorf("#%d: expected some verified chains, but found none", testNum)
	2311  			}
	2312  		},
	2313  	},
	2314  }
	2315  
	2316  func TestGetClientCertificate(t *testing.T) {
	2317  	t.Run("TLSv12", func(t *testing.T) { testGetClientCertificate(t, VersionTLS12) })
	2318  	t.Run("TLSv13", func(t *testing.T) { testGetClientCertificate(t, VersionTLS13) })
	2319  }
	2320  
	2321  func testGetClientCertificate(t *testing.T, version uint16) {
	2322  	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
	2323  	if err != nil {
	2324  		panic(err)
	2325  	}
	2326  
	2327  	for i, test := range getClientCertificateTests {
	2328  		serverConfig := testConfig.Clone()
	2329  		serverConfig.ClientAuth = VerifyClientCertIfGiven
	2330  		serverConfig.RootCAs = x509.NewCertPool()
	2331  		serverConfig.RootCAs.AddCert(issuer)
	2332  		serverConfig.ClientCAs = serverConfig.RootCAs
	2333  		serverConfig.Time = func() time.Time { return time.Unix(1476984729, 0) }
	2334  		serverConfig.MaxVersion = version
	2335  
	2336  		clientConfig := testConfig.Clone()
	2337  		clientConfig.MaxVersion = version
	2338  
	2339  		test.setup(clientConfig, serverConfig)
	2340  
	2341  		type serverResult struct {
	2342  			cs	ConnectionState
	2343  			err error
	2344  		}
	2345  
	2346  		c, s := localPipe(t)
	2347  		done := make(chan serverResult)
	2348  
	2349  		go func() {
	2350  			defer s.Close()
	2351  			server := Server(s, serverConfig)
	2352  			err := server.Handshake()
	2353  
	2354  			var cs ConnectionState
	2355  			if err == nil {
	2356  				cs = server.ConnectionState()
	2357  			}
	2358  			done <- serverResult{cs, err}
	2359  		}()
	2360  
	2361  		clientErr := Client(c, clientConfig).Handshake()
	2362  		c.Close()
	2363  
	2364  		result := <-done
	2365  
	2366  		if clientErr != nil {
	2367  			if len(test.expectedClientError) == 0 {
	2368  				t.Errorf("#%d: client error: %v", i, clientErr)
	2369  			} else if got := clientErr.Error(); got != test.expectedClientError {
	2370  				t.Errorf("#%d: expected client error %q, but got %q", i, test.expectedClientError, got)
	2371  			} else {
	2372  				test.verify(t, i, &result.cs)
	2373  			}
	2374  		} else if len(test.expectedClientError) > 0 {
	2375  			t.Errorf("#%d: expected client error %q, but got no error", i, test.expectedClientError)
	2376  		} else if err := result.err; err != nil {
	2377  			t.Errorf("#%d: server error: %v", i, err)
	2378  		} else {
	2379  			test.verify(t, i, &result.cs)
	2380  		}
	2381  	}
	2382  }
	2383  
	2384  func TestRSAPSSKeyError(t *testing.T) {
	2385  	// crypto/tls does not support the rsa_pss_pss_* SignatureSchemes. If support for
	2386  	// public keys with OID RSASSA-PSS is added to crypto/x509, they will be misused with
	2387  	// the rsa_pss_rsae_* SignatureSchemes. Assert that RSASSA-PSS certificates don't
	2388  	// parse, or that they don't carry *rsa.PublicKey keys.
	2389  	b, _ := pem.Decode([]byte(`
	2390  -----BEGIN CERTIFICATE-----
	2391  MIIDZTCCAhygAwIBAgIUCF2x0FyTgZG0CC9QTDjGWkB5vgEwPgYJKoZIhvcNAQEK
	2392  MDGgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQC
	2393  AgDeMBIxEDAOBgNVBAMMB1JTQS1QU1MwHhcNMTgwNjI3MjI0NDM2WhcNMTgwNzI3
	2394  MjI0NDM2WjASMRAwDgYDVQQDDAdSU0EtUFNTMIIBIDALBgkqhkiG9w0BAQoDggEP
	2395  ADCCAQoCggEBANxDm0f76JdI06YzsjB3AmmjIYkwUEGxePlafmIASFjDZl/elD0Z
	2396  /a7xLX468b0qGxLS5al7XCcEprSdsDR6DF5L520+pCbpfLyPOjuOvGmk9KzVX4x5
	2397  b05YXYuXdsQ0Kjxcx2i3jjCday6scIhMJVgBZxTEyMj1thPQM14SHzKCd/m6HmCL
	2398  QmswpH2yMAAcBRWzRpp/vdH5DeOJEB3aelq7094no731mrLUCHRiZ1htq8BDB3ou
	2399  czwqgwspbqZ4dnMXl2MvfySQ5wJUxQwILbiuAKO2lVVPUbFXHE9pgtznNoPvKwQT
	2400  JNcX8ee8WIZc2SEGzofjk3NpjR+2ADB2u3sCAwEAAaNTMFEwHQYDVR0OBBYEFNEz
	2401  AdyJ2f+fU+vSCS6QzohnOnprMB8GA1UdIwQYMBaAFNEzAdyJ2f+fU+vSCS6Qzohn
	2402  OnprMA8GA1UdEwEB/wQFMAMBAf8wPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQME
	2403  AgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeA4IBAQCjEdrR5aab
	2404  sZmCwrMeKidXgfkmWvfuLDE+TCbaqDZp7BMWcMQXT9O0UoUT5kqgKj2ARm2pEW0Z
	2405  H3Z1vj3bbds72qcDIJXp+l0fekyLGeCrX/CbgnMZXEP7+/+P416p34ChR1Wz4dU1
	2406  KD3gdsUuTKKeMUog3plxlxQDhRQmiL25ygH1LmjLd6dtIt0GVRGr8lj3euVeprqZ
	2407  bZ3Uq5eLfsn8oPgfC57gpO6yiN+UURRTlK3bgYvLh4VWB3XXk9UaQZ7Mq1tpXjoD
	2408  HYFybkWzibkZp4WRo+Fa28rirH+/wHt0vfeN7UCceURZEx4JaxIIfe4ku7uDRhJi
	2409  RwBA9Xk1KBNF
	2410  -----END CERTIFICATE-----`))
	2411  	if b == nil {
	2412  		t.Fatal("Failed to decode certificate")
	2413  	}
	2414  	cert, err := x509.ParseCertificate(b.Bytes)
	2415  	if err != nil {
	2416  		return
	2417  	}
	2418  	if _, ok := cert.PublicKey.(*rsa.PublicKey); ok {
	2419  		t.Error("A RSASSA-PSS certificate was parsed like a PKCS#1 v1.5 one, and it will be mistakenly used with rsa_pss_rsae_* signature algorithms")
	2420  	}
	2421  }
	2422  
	2423  func TestCloseClientConnectionOnIdleServer(t *testing.T) {
	2424  	clientConn, serverConn := localPipe(t)
	2425  	client := Client(clientConn, testConfig.Clone())
	2426  	go func() {
	2427  		var b [1]byte
	2428  		serverConn.Read(b[:])
	2429  		client.Close()
	2430  	}()
	2431  	client.SetWriteDeadline(time.Now().Add(time.Minute))
	2432  	err := client.Handshake()
	2433  	if err != nil {
	2434  		if err, ok := err.(net.Error); ok && err.Timeout() {
	2435  			t.Errorf("Expected a closed network connection error but got '%s'", err.Error())
	2436  		}
	2437  	} else {
	2438  		t.Errorf("Error expected, but no error returned")
	2439  	}
	2440  }
	2441  
	2442  func testDowngradeCanary(t *testing.T, clientVersion, serverVersion uint16) error {
	2443  	defer func() { testingOnlyForceDowngradeCanary = false }()
	2444  	testingOnlyForceDowngradeCanary = true
	2445  
	2446  	clientConfig := testConfig.Clone()
	2447  	clientConfig.MaxVersion = clientVersion
	2448  	serverConfig := testConfig.Clone()
	2449  	serverConfig.MaxVersion = serverVersion
	2450  	_, _, err := testHandshake(t, clientConfig, serverConfig)
	2451  	return err
	2452  }
	2453  
	2454  func TestDowngradeCanary(t *testing.T) {
	2455  	if err := testDowngradeCanary(t, VersionTLS13, VersionTLS12); err == nil {
	2456  		t.Errorf("downgrade from TLS 1.3 to TLS 1.2 was not detected")
	2457  	}
	2458  	if testing.Short() {
	2459  		t.Skip("skipping the rest of the checks in short mode")
	2460  	}
	2461  	if err := testDowngradeCanary(t, VersionTLS13, VersionTLS11); err == nil {
	2462  		t.Errorf("downgrade from TLS 1.3 to TLS 1.1 was not detected")
	2463  	}
	2464  	if err := testDowngradeCanary(t, VersionTLS13, VersionTLS10); err == nil {
	2465  		t.Errorf("downgrade from TLS 1.3 to TLS 1.0 was not detected")
	2466  	}
	2467  	if err := testDowngradeCanary(t, VersionTLS12, VersionTLS11); err == nil {
	2468  		t.Errorf("downgrade from TLS 1.2 to TLS 1.1 was not detected")
	2469  	}
	2470  	if err := testDowngradeCanary(t, VersionTLS12, VersionTLS10); err == nil {
	2471  		t.Errorf("downgrade from TLS 1.2 to TLS 1.0 was not detected")
	2472  	}
	2473  	if err := testDowngradeCanary(t, VersionTLS13, VersionTLS13); err != nil {
	2474  		t.Errorf("server unexpectedly sent downgrade canary for TLS 1.3")
	2475  	}
	2476  	if err := testDowngradeCanary(t, VersionTLS12, VersionTLS12); err != nil {
	2477  		t.Errorf("client didn't ignore expected TLS 1.2 canary")
	2478  	}
	2479  	if err := testDowngradeCanary(t, VersionTLS11, VersionTLS11); err != nil {
	2480  		t.Errorf("client unexpectedly reacted to a canary in TLS 1.1")
	2481  	}
	2482  	if err := testDowngradeCanary(t, VersionTLS10, VersionTLS10); err != nil {
	2483  		t.Errorf("client unexpectedly reacted to a canary in TLS 1.0")
	2484  	}
	2485  }
	2486  
	2487  func TestResumptionKeepsOCSPAndSCT(t *testing.T) {
	2488  	t.Run("TLSv12", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS12) })
	2489  	t.Run("TLSv13", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS13) })
	2490  }
	2491  
	2492  func testResumptionKeepsOCSPAndSCT(t *testing.T, ver uint16) {
	2493  	issuer, err := x509.ParseCertificate(testRSACertificateIssuer)
	2494  	if err != nil {
	2495  		t.Fatalf("failed to parse test issuer")
	2496  	}
	2497  	roots := x509.NewCertPool()
	2498  	roots.AddCert(issuer)
	2499  	clientConfig := &Config{
	2500  		MaxVersion:				 ver,
	2501  		ClientSessionCache: NewLRUClientSessionCache(32),
	2502  		ServerName:				 "example.golang",
	2503  		RootCAs:						roots,
	2504  	}
	2505  	serverConfig := testConfig.Clone()
	2506  	serverConfig.MaxVersion = ver
	2507  	serverConfig.Certificates[0].OCSPStaple = []byte{1, 2, 3}
	2508  	serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{4, 5, 6}}
	2509  
	2510  	_, ccs, err := testHandshake(t, clientConfig, serverConfig)
	2511  	if err != nil {
	2512  		t.Fatalf("handshake failed: %s", err)
	2513  	}
	2514  	// after a new session we expect to see OCSPResponse and
	2515  	// SignedCertificateTimestamps populated as usual
	2516  	if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) {
	2517  		t.Errorf("client ConnectionState contained unexpected OCSPResponse: wanted %v, got %v",
	2518  			serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse)
	2519  	}
	2520  	if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) {
	2521  		t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps: wanted %v, got %v",
	2522  			serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps)
	2523  	}
	2524  
	2525  	// if the server doesn't send any SCTs, repopulate the old SCTs
	2526  	oldSCTs := serverConfig.Certificates[0].SignedCertificateTimestamps
	2527  	serverConfig.Certificates[0].SignedCertificateTimestamps = nil
	2528  	_, ccs, err = testHandshake(t, clientConfig, serverConfig)
	2529  	if err != nil {
	2530  		t.Fatalf("handshake failed: %s", err)
	2531  	}
	2532  	if !ccs.DidResume {
	2533  		t.Fatalf("expected session to be resumed")
	2534  	}
	2535  	// after a resumed session we also expect to see OCSPResponse
	2536  	// and SignedCertificateTimestamps populated
	2537  	if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) {
	2538  		t.Errorf("client ConnectionState contained unexpected OCSPResponse after resumption: wanted %v, got %v",
	2539  			serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse)
	2540  	}
	2541  	if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, oldSCTs) {
	2542  		t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v",
	2543  			oldSCTs, ccs.SignedCertificateTimestamps)
	2544  	}
	2545  
	2546  	//	Only test overriding the SCTs for TLS 1.2, since in 1.3
	2547  	// the server won't send the message containing them
	2548  	if ver == VersionTLS13 {
	2549  		return
	2550  	}
	2551  
	2552  	// if the server changes the SCTs it sends, they should override the saved SCTs
	2553  	serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{7, 8, 9}}
	2554  	_, ccs, err = testHandshake(t, clientConfig, serverConfig)
	2555  	if err != nil {
	2556  		t.Fatalf("handshake failed: %s", err)
	2557  	}
	2558  	if !ccs.DidResume {
	2559  		t.Fatalf("expected session to be resumed")
	2560  	}
	2561  	if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) {
	2562  		t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v",
	2563  			serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps)
	2564  	}
	2565  }
	2566  
	2567  // TestClientHandshakeContextCancellation tests that cancelling
	2568  // the context given to the client side conn.HandshakeContext
	2569  // interrupts the in-progress handshake.
	2570  func TestClientHandshakeContextCancellation(t *testing.T) {
	2571  	c, s := localPipe(t)
	2572  	ctx, cancel := context.WithCancel(context.Background())
	2573  	unblockServer := make(chan struct{})
	2574  	defer close(unblockServer)
	2575  	go func() {
	2576  		cancel()
	2577  		<-unblockServer
	2578  		_ = s.Close()
	2579  	}()
	2580  	cli := Client(c, testConfig)
	2581  	// Initiates client side handshake, which will block until the client hello is read
	2582  	// by the server, unless the cancellation works.
	2583  	err := cli.HandshakeContext(ctx)
	2584  	if err == nil {
	2585  		t.Fatal("Client handshake did not error when the context was canceled")
	2586  	}
	2587  	if err != context.Canceled {
	2588  		t.Errorf("Unexpected client handshake error: %v", err)
	2589  	}
	2590  	if runtime.GOARCH == "wasm" {
	2591  		t.Skip("conn.Close does not error as expected when called multiple times on WASM")
	2592  	}
	2593  	err = cli.Close()
	2594  	if err == nil {
	2595  		t.Error("Client connection was not closed when the context was canceled")
	2596  	}
	2597  }
	2598
View as plain text