handshake_test.go

     1  // Copyright 2013 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bufio"
     9  	"bytes"
    10  	"context"
    11  	"crypto/ed25519"
    12  	"crypto/x509"
    13  	"encoding/hex"
    14  	"errors"
    15  	"flag"
    16  	"fmt"
    17  	"io"
    18  	"net"
    19  	"os"
    20  	"os/exec"
    21  	"runtime"
    22  	"strconv"
    23  	"strings"
    24  	"sync"
    25  	"testing"
    26  	"time"
    27  )
    28  
    29  // TLS reference tests run a connection against a reference implementation
    30  // (OpenSSL) of TLS and record the bytes of the resulting connection. The Go
    31  // code, during a test, is configured with deterministic randomness and so the
    32  // reference test can be reproduced exactly in the future.
    33  //
    34  // In order to save everyone who wishes to run the tests from needing the
    35  // reference implementation installed, the reference connections are saved in
    36  // files in the testdata directory. Thus running the tests involves nothing
    37  // external, but creating and updating them requires the reference
    38  // implementation.
    39  //
    40  // Tests can be updated by running them with the -update flag. This will cause
    41  // the test files for failing tests to be regenerated. Since the reference
    42  // implementation will always generate fresh random numbers, large parts of the
    43  // reference connection will always change.
    44  
    45  var (
    46  	update       = flag.Bool("update", false, "update golden files on failure")
    47  	keyFile      = flag.String("keylog", "", "destination file for KeyLogWriter")
    48  	bogoMode     = flag.Bool("bogo-mode", false, "Enabled bogo shim mode, ignore everything else")
    49  	bogoFilter   = flag.String("bogo-filter", "", "BoGo test filter")
    50  	bogoLocalDir = flag.String("bogo-local-dir", "",
    51  		"If not-present, checkout BoGo into this dir, or otherwise use it as a pre-existing checkout")
    52  	bogoReport = flag.String("bogo-html-report", "", "File path to render an HTML report with BoGo results")
    53  )
    54  
    55  func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) {
    56  	// FIPS mode is non-deterministic and so isn't suited for testing against static test transcripts.
    57  	skipFIPS(t)
    58  
    59  	success := t.Run(name, func(t *testing.T) {
    60  		if !*update && !wait {
    61  			t.Parallel()
    62  		}
    63  		run(t, false)
    64  	})
    65  
    66  	if !success && *update {
    67  		t.Run(name+"#update", func(t *testing.T) {
    68  			run(t, true)
    69  		})
    70  	}
    71  }
    72  
    73  // checkOpenSSLVersion ensures that the version of OpenSSL looks reasonable
    74  // before updating the test data.
    75  func checkOpenSSLVersion() error {
    76  	if !*update {
    77  		return nil
    78  	}
    79  
    80  	openssl := exec.Command("openssl", "version")
    81  	output, err := openssl.CombinedOutput()
    82  	if err != nil {
    83  		return err
    84  	}
    85  
    86  	version := string(output)
    87  	if strings.HasPrefix(version, "OpenSSL 1.1.1") {
    88  		return nil
    89  	}
    90  
    91  	println("***********************************************")
    92  	println("")
    93  	println("You need to build OpenSSL 1.1.1 from source in order")
    94  	println("to update the test data.")
    95  	println("")
    96  	println("Configure it with:")
    97  	println("./Configure enable-weak-ssl-ciphers no-shared")
    98  	println("and then add the apps/ directory at the front of your PATH.")
    99  	println("***********************************************")
   100  
   101  	return errors.New("version of OpenSSL does not appear to be suitable for updating test data")
   102  }
   103  
   104  // recordingConn is a net.Conn that records the traffic that passes through it.
   105  // WriteTo can be used to produce output that can be later be loaded with
   106  // ParseTestData.
   107  type recordingConn struct {
   108  	net.Conn
   109  	sync.Mutex
   110  	flows   [][]byte
   111  	reading bool
   112  }
   113  
   114  func (r *recordingConn) Read(b []byte) (n int, err error) {
   115  	if n, err = r.Conn.Read(b); n == 0 {
   116  		return
   117  	}
   118  	b = b[:n]
   119  
   120  	r.Lock()
   121  	defer r.Unlock()
   122  
   123  	if l := len(r.flows); l == 0 || !r.reading {
   124  		buf := make([]byte, len(b))
   125  		copy(buf, b)
   126  		r.flows = append(r.flows, buf)
   127  	} else {
   128  		r.flows[l-1] = append(r.flows[l-1], b[:n]...)
   129  	}
   130  	r.reading = true
   131  	return
   132  }
   133  
   134  func (r *recordingConn) Write(b []byte) (n int, err error) {
   135  	if n, err = r.Conn.Write(b); n == 0 {
   136  		return
   137  	}
   138  	b = b[:n]
   139  
   140  	r.Lock()
   141  	defer r.Unlock()
   142  
   143  	if l := len(r.flows); l == 0 || r.reading {
   144  		buf := make([]byte, len(b))
   145  		copy(buf, b)
   146  		r.flows = append(r.flows, buf)
   147  	} else {
   148  		r.flows[l-1] = append(r.flows[l-1], b[:n]...)
   149  	}
   150  	r.reading = false
   151  	return
   152  }
   153  
   154  // WriteTo writes Go source code to w that contains the recorded traffic.
   155  func (r *recordingConn) WriteTo(w io.Writer) (int64, error) {
   156  	// TLS always starts with a client to server flow.
   157  	clientToServer := true
   158  	var written int64
   159  	for i, flow := range r.flows {
   160  		source, dest := "client", "server"
   161  		if !clientToServer {
   162  			source, dest = dest, source
   163  		}
   164  		n, err := fmt.Fprintf(w, ">>> Flow %d (%s to %s)\n", i+1, source, dest)
   165  		written += int64(n)
   166  		if err != nil {
   167  			return written, err
   168  		}
   169  		dumper := hex.Dumper(w)
   170  		n, err = dumper.Write(flow)
   171  		written += int64(n)
   172  		if err != nil {
   173  			return written, err
   174  		}
   175  		err = dumper.Close()
   176  		if err != nil {
   177  			return written, err
   178  		}
   179  		clientToServer = !clientToServer
   180  	}
   181  	return written, nil
   182  }
   183  
   184  func parseTestData(r io.Reader) (flows [][]byte, err error) {
   185  	var currentFlow []byte
   186  
   187  	scanner := bufio.NewScanner(r)
   188  	for scanner.Scan() {
   189  		line := scanner.Text()
   190  		// If the line starts with ">>> " then it marks the beginning
   191  		// of a new flow.
   192  		if strings.HasPrefix(line, ">>> ") {
   193  			if len(currentFlow) > 0 || len(flows) > 0 {
   194  				flows = append(flows, currentFlow)
   195  				currentFlow = nil
   196  			}
   197  			continue
   198  		}
   199  
   200  		// Otherwise the line is a line of hex dump that looks like:
   201  		// 00000170  fc f5 06 bf (...)  |.....X{&?......!|
   202  		// (Some bytes have been omitted from the middle section.)
   203  		_, after, ok := strings.Cut(line, " ")
   204  		if !ok {
   205  			return nil, errors.New("invalid test data")
   206  		}
   207  		line = after
   208  
   209  		before, _, ok := strings.Cut(line, "|")
   210  		if !ok {
   211  			return nil, errors.New("invalid test data")
   212  		}
   213  		line = before
   214  
   215  		hexBytes := strings.Fields(line)
   216  		for _, hexByte := range hexBytes {
   217  			val, err := strconv.ParseUint(hexByte, 16, 8)
   218  			if err != nil {
   219  				return nil, errors.New("invalid hex byte in test data: " + err.Error())
   220  			}
   221  			currentFlow = append(currentFlow, byte(val))
   222  		}
   223  	}
   224  
   225  	if len(currentFlow) > 0 {
   226  		flows = append(flows, currentFlow)
   227  	}
   228  
   229  	return flows, nil
   230  }
   231  
   232  // replayingConn is a net.Conn that replays flows recorded by recordingConn.
   233  type replayingConn struct {
   234  	t testing.TB
   235  	sync.Mutex
   236  	flows   [][]byte
   237  	reading bool
   238  }
   239  
   240  var _ net.Conn = (*replayingConn)(nil)
   241  
   242  func (r *replayingConn) Read(b []byte) (n int, err error) {
   243  	r.Lock()
   244  	defer r.Unlock()
   245  
   246  	if !r.reading {
   247  		r.t.Errorf("expected write, got read")
   248  		return 0, fmt.Errorf("recording expected write, got read")
   249  	}
   250  
   251  	n = copy(b, r.flows[0])
   252  	r.flows[0] = r.flows[0][n:]
   253  	if len(r.flows[0]) == 0 {
   254  		r.flows = r.flows[1:]
   255  		if len(r.flows) == 0 {
   256  			return n, io.EOF
   257  		} else {
   258  			r.reading = false
   259  		}
   260  	}
   261  	return n, nil
   262  }
   263  
   264  func (r *replayingConn) Write(b []byte) (n int, err error) {
   265  	r.Lock()
   266  	defer r.Unlock()
   267  
   268  	if r.reading {
   269  		r.t.Errorf("expected read, got write")
   270  		return 0, fmt.Errorf("recording expected read, got write")
   271  	}
   272  
   273  	if !bytes.HasPrefix(r.flows[0], b) {
   274  		r.t.Errorf("write mismatch: expected %x, got %x", r.flows[0], b)
   275  		return 0, fmt.Errorf("write mismatch")
   276  	}
   277  	r.flows[0] = r.flows[0][len(b):]
   278  	if len(r.flows[0]) == 0 {
   279  		r.flows = r.flows[1:]
   280  		r.reading = true
   281  	}
   282  	return len(b), nil
   283  }
   284  
   285  func (r *replayingConn) Close() error {
   286  	r.Lock()
   287  	defer r.Unlock()
   288  
   289  	if len(r.flows) > 0 {
   290  		r.t.Errorf("closed with unfinished flows")
   291  		return fmt.Errorf("unexpected close")
   292  	}
   293  	return nil
   294  }
   295  
   296  func (r *replayingConn) LocalAddr() net.Addr                { return nil }
   297  func (r *replayingConn) RemoteAddr() net.Addr               { return nil }
   298  func (r *replayingConn) SetDeadline(t time.Time) error      { return nil }
   299  func (r *replayingConn) SetReadDeadline(t time.Time) error  { return nil }
   300  func (r *replayingConn) SetWriteDeadline(t time.Time) error { return nil }
   301  
   302  // tempFile creates a temp file containing contents and returns its path.
   303  func tempFile(contents string) string {
   304  	file, err := os.CreateTemp("", "go-tls-test")
   305  	if err != nil {
   306  		panic("failed to create temp file: " + err.Error())
   307  	}
   308  	path := file.Name()
   309  	file.WriteString(contents)
   310  	file.Close()
   311  	return path
   312  }
   313  
   314  // localListener is set up by TestMain and used by localPipe to create Conn
   315  // pairs like net.Pipe, but connected by an actual buffered TCP connection.
   316  var localListener struct {
   317  	mu   sync.Mutex
   318  	addr net.Addr
   319  	ch   chan net.Conn
   320  }
   321  
   322  const localFlakes = 0 // change to 1 or 2 to exercise localServer/localPipe handling of mismatches
   323  
   324  func localServer(l net.Listener) {
   325  	for n := 0; ; n++ {
   326  		c, err := l.Accept()
   327  		if err != nil {
   328  			return
   329  		}
   330  		if localFlakes == 1 && n%2 == 0 {
   331  			c.Close()
   332  			continue
   333  		}
   334  		localListener.ch <- c
   335  	}
   336  }
   337  
   338  var isConnRefused = func(err error) bool { return false }
   339  
   340  func localPipe(t testing.TB) (net.Conn, net.Conn) {
   341  	localListener.mu.Lock()
   342  	defer localListener.mu.Unlock()
   343  
   344  	addr := localListener.addr
   345  
   346  	var err error
   347  Dialing:
   348  	// We expect a rare mismatch, but probably not 5 in a row.
   349  	for i := 0; i < 5; i++ {
   350  		tooSlow := time.NewTimer(1 * time.Second)
   351  		defer tooSlow.Stop()
   352  		var c1 net.Conn
   353  		c1, err = net.Dial(addr.Network(), addr.String())
   354  		if err != nil {
   355  			if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) {
   356  				// golang.org/issue/29583: Dragonfly sometimes returns a spurious
   357  				// ECONNREFUSED or ETIMEDOUT.
   358  				<-tooSlow.C
   359  				continue
   360  			}
   361  			t.Fatalf("localPipe: %v", err)
   362  		}
   363  		if localFlakes == 2 && i == 0 {
   364  			c1.Close()
   365  			continue
   366  		}
   367  		for {
   368  			select {
   369  			case <-tooSlow.C:
   370  				t.Logf("localPipe: timeout waiting for %v", c1.LocalAddr())
   371  				c1.Close()
   372  				continue Dialing
   373  
   374  			case c2 := <-localListener.ch:
   375  				if c2.RemoteAddr().String() == c1.LocalAddr().String() {
   376  					t.Cleanup(func() { c1.Close() })
   377  					t.Cleanup(func() { c2.Close() })
   378  					return c1, c2
   379  				}
   380  				t.Logf("localPipe: unexpected connection: %v != %v", c2.RemoteAddr(), c1.LocalAddr())
   381  				c2.Close()
   382  			}
   383  		}
   384  	}
   385  
   386  	t.Fatalf("localPipe: failed to connect: %v", err)
   387  	panic("unreachable")
   388  }
   389  
   390  // zeroSource is an io.Reader that returns an unlimited number of zero bytes.
   391  type zeroSource struct{}
   392  
   393  func (zeroSource) Read(b []byte) (n int, err error) {
   394  	clear(b)
   395  	return len(b), nil
   396  }
   397  
   398  func allCipherSuites() []uint16 {
   399  	ids := make([]uint16, len(cipherSuites))
   400  	for i, suite := range cipherSuites {
   401  		ids[i] = suite.id
   402  	}
   403  
   404  	return ids
   405  }
   406  
   407  var testConfig *Config
   408  
   409  func TestMain(m *testing.M) {
   410  	flag.Usage = func() {
   411  		fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s:\n", os.Args)
   412  		flag.PrintDefaults()
   413  		if *bogoMode {
   414  			os.Exit(89)
   415  		}
   416  	}
   417  
   418  	flag.Parse()
   419  
   420  	if *bogoMode {
   421  		bogoShim()
   422  		os.Exit(0)
   423  	}
   424  
   425  	os.Exit(runMain(m))
   426  }
   427  
   428  func runMain(m *testing.M) int {
   429  	// Cipher suites preferences change based on the architecture. Force them to
   430  	// the version without AES acceleration for test consistency.
   431  	hasAESGCMHardwareSupport = false
   432  
   433  	// Set up localPipe.
   434  	l, err := net.Listen("tcp", "127.0.0.1:0")
   435  	if err != nil {
   436  		l, err = net.Listen("tcp6", "[::1]:0")
   437  	}
   438  	if err != nil {
   439  		fmt.Fprintf(os.Stderr, "Failed to open local listener: %v", err)
   440  		os.Exit(1)
   441  	}
   442  	localListener.ch = make(chan net.Conn)
   443  	localListener.addr = l.Addr()
   444  	defer l.Close()
   445  	go localServer(l)
   446  
   447  	if err := checkOpenSSLVersion(); err != nil {
   448  		fmt.Fprintf(os.Stderr, "Error: %v", err)
   449  		os.Exit(1)
   450  	}
   451  
   452  	// TODO(filippo): deprecate Config.Rand, and regenerate handshake recordings
   453  	// to use cryptotest.SetGlobalRandom instead.
   454  	os.Setenv("GODEBUG", "cryptocustomrand=1,"+os.Getenv("GODEBUG"))
   455  
   456  	testConfig = &Config{
   457  		Time:               func() time.Time { return time.Unix(0, 0) },
   458  		Rand:               zeroSource{},
   459  		Certificates:       make([]Certificate, 2),
   460  		InsecureSkipVerify: true,
   461  		CipherSuites:       allCipherSuites(),
   462  		CurvePreferences:   []CurveID{X25519, CurveP256, CurveP384, CurveP521},
   463  		MinVersion:         VersionTLS10,
   464  		MaxVersion:         VersionTLS13,
   465  	}
   466  	testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
   467  	testConfig.Certificates[0].PrivateKey = testRSAPrivateKey
   468  	testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate}
   469  	testConfig.Certificates[1].PrivateKey = testRSAPrivateKey
   470  	testConfig.BuildNameToCertificate()
   471  	if *keyFile != "" {
   472  		f, err := os.OpenFile(*keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
   473  		if err != nil {
   474  			panic("failed to open -keylog file: " + err.Error())
   475  		}
   476  		testConfig.KeyLogWriter = f
   477  		defer f.Close()
   478  	}
   479  
   480  	return m.Run()
   481  }
   482  
   483  func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) {
   484  	const sentinel = "SENTINEL\n"
   485  	c, s := localPipe(t)
   486  	errChan := make(chan error, 1)
   487  	go func() {
   488  		cli := Client(c, clientConfig)
   489  		err := cli.Handshake()
   490  		if err != nil {
   491  			errChan <- fmt.Errorf("client: %v", err)
   492  			c.Close()
   493  			return
   494  		}
   495  		defer func() { errChan <- nil }()
   496  		clientState = cli.ConnectionState()
   497  		buf, err := io.ReadAll(cli)
   498  		if err != nil {
   499  			t.Errorf("failed to call cli.Read: %v", err)
   500  		}
   501  		if got := string(buf); got != sentinel {
   502  			t.Errorf("read %q from TLS connection, but expected %q", got, sentinel)
   503  		}
   504  		// We discard the error because after ReadAll returns the server must
   505  		// have already closed the connection. Sending data (the closeNotify
   506  		// alert) can cause a reset, that will make Close return an error.
   507  		cli.Close()
   508  	}()
   509  	server := Server(s, serverConfig)
   510  	err = server.Handshake()
   511  	if err == nil {
   512  		serverState = server.ConnectionState()
   513  		if _, err := io.WriteString(server, sentinel); err != nil {
   514  			t.Errorf("failed to call server.Write: %v", err)
   515  		}
   516  		if err := server.Close(); err != nil {
   517  			t.Errorf("failed to call server.Close: %v", err)
   518  		}
   519  	} else {
   520  		err = fmt.Errorf("server: %v", err)
   521  		s.Close()
   522  	}
   523  	err = errors.Join(err, <-errChan)
   524  	return
   525  }
   526  
   527  func fromHex(s string) []byte {
   528  	b, _ := hex.DecodeString(s)
   529  	return b
   530  }
   531  
   532  // testTime is 2016-10-20T17:32:09.000Z, which is within the validity period of
   533  // [testRSACertificate], [testRSACertificateIssuer], [testRSA2048Certificate],
   534  // [testRSA2048CertificateIssuer], and [testECDSACertificate].
   535  var testTime = func() time.Time { return time.Unix(1476984729, 0) }
   536  
   537  var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7")
   538  
   539  var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76")
   540  
   541  var testRSA2048Certificate = fromHex("30820316308201fea003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3338303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30820122300d06092a864886f70d01010105000382010f003082010a0282010100e0ac47db9ba1b7f98a996c62dc1d248d4ee570544136fe4e911e22fccc0fe2b20982f3c4cdd8f4065c5068c873ca0a768b80dc915edc66541a5f26cdea44e56e411221e2f9927bf4e009fee76dbe0e118dcc13392efd6f42d8eb2fd5bc8f63ac77800c84d3be90c20c321273254b9137ef61f825dad1ec2c5e75aa4be6d3104899bd5ac400da7ab942b4227a3870ae5bb97870aa09a1082fb8e78b944cd7fd1b0c6fb1cce03b5430b12ef9ce2d95e01821766e998df0cc99202a57cf030577bd2dc0ec85a49f203511bb6f0e9f43398ead0958f8d7534c61e81daf4501faaa68d9cbc725b58401900fa48a3e2333b15c88cf0c5cc8f33fb9464f9d5f5768b8f10203010001a35a3058300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b050003820101009e83f835e2da08204ee6f8bdca793cf83c7aec175349c1642dfbe9f4d0dcfb1aedb4d0122e16c2ad92e63dd31cce10ca5dd04be48cded0fdc8fea49e891d9d93e778a67d54b619ac167ce7bb0f6000ca00c5677d09df3eb10080134ba32bfe4132d33954dc479cb266288d53d3f43af9c78c0ca59d396498bdc56d4966dc6b7e49081f7f2ae1d704bb9f9effed93c57d3b738da02edff3999e3f1a5dce2b093951947d233d9c6b6a12b4b1611826aa02544980089eebbcf22a1a96bd35a3ddf638578989334a93d5081fab442b4383ba6213b7cdd74110582244a2abd937828b311d8dd69178756db7874293b9810c5c2e833f91d49d283a62caaf359141997f")
   542  
   543  var testRSA2048CertificateIssuer = fromHex("308203223082020aa003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b308c1720c7054abe66e1be6f8a11246808215a810e8936e47601f7ec1afeb02ad69a5000959d4e08ebc4455ef90b39616f380b8ff2e76f29942d7e009cf010824fe56f69140ac39b761595255ec2aa35155ca2eea884f57b25f8a52f41f56f65b0197cb6c637f9adfa97d8ac27565449f64e67f8b918646ffd630601b0badd8d38aea421fe413ee94f10ea5874c2fd6d8c1b9febaa5ca0ce759993a232c9c48e52230bbf58777b0c30e07e9e0914133730d844b9887b950d5a17c779ac69de2d9c65d26f1ea46c7dd7ac636af6d77df7c9218f78c7b5f08b025867f343ac66cd43a657ac44bfd7e9d07e95a22ff9a0babf72dcffc66eba0a1d90731f67e3bbd0203010001a361305f300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff301d0603551d0e0416041460145a6ce2e8a15b1b68db9a4752ce8684d6ba2d300d06092a864886f70d01010b050003820101001d342fe0b50a25d57a8b13bc14d0abb1eea7431ee752aa423e1306654183e44e9d48bbf592cd32ce77310fdc4e8bbcd724fc43d2723f454bfe605ff90d38d8c6fe60b36c6f4d2d7e4e79bceeb2484f0565274b0d0c4a8562370677624a4c133e332a9e63d4b47544c14e4908ee8685dd0760ae6f4ab089ede2b0cdc595ecefbee7d8be80d57b2d4e4510b6ceda54d1a5980540214191d81cc89a983da43d4043f8efe97a2e231c5153bded520acce87ec8c64a3408f0eb4c742c4a877e8b5b7b7f72497734a41a95994a7a103262ea6d598d03fd5cb0579ed4702424da8893334c58215bc655d49656aedcd02d18676f45d6b9469ae04b89abe9b358391cce99")
   544  
   545  var testRSA2048PrivateKey, _ = x509.ParsePKCS1PrivateKey(fromHex("308204a40201000282010100e0ac47db9ba1b7f98a996c62dc1d248d4ee570544136fe4e911e22fccc0fe2b20982f3c4cdd8f4065c5068c873ca0a768b80dc915edc66541a5f26cdea44e56e411221e2f9927bf4e009fee76dbe0e118dcc13392efd6f42d8eb2fd5bc8f63ac77800c84d3be90c20c321273254b9137ef61f825dad1ec2c5e75aa4be6d3104899bd5ac400da7ab942b4227a3870ae5bb97870aa09a1082fb8e78b944cd7fd1b0c6fb1cce03b5430b12ef9ce2d95e01821766e998df0cc99202a57cf030577bd2dc0ec85a49f203511bb6f0e9f43398ead0958f8d7534c61e81daf4501faaa68d9cbc725b58401900fa48a3e2333b15c88cf0c5cc8f33fb9464f9d5f5768b8f10203010001028201007aac96efca229b199e1bf79a63256677e1c455792bc2a348b2e409a68ea57dda486740430d4290bb885c3f5a741eb567d4f41f7b2098a726f4df4f88cf899edc7c9b31f584dffedece15a7212642c7dbbdd8d806392a183e1fc30af36169c9bab9e528f0bdcd27ad4c8b6a97849da6452c6809de61848db80c3ba3289e785042cdfd46fbfee5f78adcba2927fcd8cbe9dcaa97190457eaa45d77adbe0db820aff0c8511d837ab5b307bad5f85afd2cc70d9659ec58045d97ced1eb7950670ac559449c0305fddefda1bac88d36629a177f65abad182c6470830b39e7f6dbdef4df813ccaef01d5a42d37213b2b9647e2ff56a63e6b6a4b6e8a1567bbfd77042102818100eb66f205e8507c78f7167dbef3ddf02fde6a67bd15152609e9296576e28c79678177145ae98e0a2fee58fdb3d626fb6beae3e0ae0b76bc47d16fcdeb16f0caca8a0902779979382609705ae84514de480c2fb2ddda3049347cc1bde9f1a359747079ef3dce020a3c186c90e63bc20b5489a40d768b1c1c35c679edc5662e18c702818100f454ffff95b126b55cb13b68a3841600fc0bc69ff4064f7ceb122495fa972fdb05ca2fa1c6e2e84432f81c96875ab12226e8ce92ba808c4f6325f27ce058791f05db96e623687d3cfc198e748a07521a8c7ee9e7e8faf95b0985be82b867a49f7d5d50fac3881d2c39dedfdbca3ebe847b859c9864cf7a543e4688f5a60118870281806cee737ac65950704daeebbb8c701c709a54d4f28baa00b33f6137a1bf0e5033d4963d2620c3e8f4eb2fe51eee2f95d3079c31e1784e96ac093fdaa33a376d3032961ebd27990fa192669abab715041385082196461c6813d0d37ac5a25afbcf452937cb7ae438c63c6b28d651bae6b1550c446aa1cefd42e9388d0df6cdc80b02818100cac172c33504923bb494fad8e5c0a9c5dd63244bfe63f238969632b82700a95cd71c2694d887d9f92656d0da75ae640a1441e392cda3f94bb3da7cb4f6335527d2639c809467946e34423cfe26c0d6786398ba20922d1b1a59f79bd5bc937d8040b75c890c13fb298548977a3c05ff71cf535c54f66b5a77684a7e4363a3cb2702818100a4d782f35d5a07f9c1f8f9c378564b220387d1e481cc856b631de7637d8bb77c851db070122050ac230dc6e45edf4523471c717c1cb86a36b2fd3358fae349d51be54d71d7dbeaa6af668323e2b51933f0b8488aa12723e0f32207068b4aa64ed54bcef4acbbbe35b92802faba7ed45ae52bef8313d9ef4393ccc5cf868ddbf8"))
   546  
   547  // testRSAPSSCertificate has signatureAlgorithm rsassaPss, but subjectPublicKeyInfo
   548  // algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes.
   549  // See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed.
   550  var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1")
   551  
   552  var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a")
   553  
   554  var testEd25519Certificate = fromHex("3082012e3081e1a00302010202100f431c425793941de987e4f1ad15005d300506032b657030123110300e060355040a130741636d6520436f301e170d3139303531363231333830315a170d3230303531353231333830315a30123110300e060355040a130741636d6520436f302a300506032b65700321003fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8fa34d304b300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030160603551d11040f300d820b6578616d706c652e636f6d300506032b65700341006344ed9cc4be5324539fd2108d9fe82108909539e50dc155ff2c16b71dfcab7d4dd4e09313d0a942e0b66bfe5d6748d79f50bc6ccd4b03837cf20858cdaccf0c")
   555  
   556  var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed")
   557  
   558  var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a")
   559  
   560  var testRSAPrivateKey, _ = x509.ParsePKCS1PrivateKey(fromHex("3082025b02010002818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d702030100010281800b07fbcf48b50f1388db34b016298b8217f2092a7c9a04f77db6775a3d1279b62ee9951f7e371e9de33f015aea80660760b3951dc589a9f925ed7de13e8f520e1ccbc7498ce78e7fab6d59582c2386cc07ed688212a576ff37833bd5943483b5554d15a0b9b4010ed9bf09f207e7e9805f649240ed6c1256ed75ab7cd56d9671024100fded810da442775f5923debae4ac758390a032a16598d62f059bb2e781a9c2f41bfa015c209f966513fe3bf5a58717cbdb385100de914f88d649b7d15309fa49024100dd10978c623463a1802c52f012cfa72ff5d901f25a2292446552c2568b1840e49a312e127217c2186615aae4fb6602a4f6ebf3f3d160f3b3ad04c592f65ae41f02400c69062ca781841a09de41ed7a6d9f54adc5d693a2c6847949d9e1358555c9ac6a8d9e71653ac77beb2d3abaf7bb1183aa14278956575dbebf525d0482fd72d90240560fe1900ba36dae3022115fd952f2399fb28e2975a1c3e3d0b679660bdcb356cc189d611cfdd6d87cd5aea45aa30a2082e8b51e94c2f3dd5d5c6036a8a615ed0240143993d80ece56f877cb80048335701eb0e608cc0c1ca8c2227b52edf8f1ac99c562f2541b5ce81f0515af1c5b4770dba53383964b4b725ff46fdec3d08907df"))
   561  
   562  var testECDSAPrivateKey, _ = x509.ParseECPrivateKey(fromHex("3081dc0201010442019883e909ad0ac9ea3d33f9eae661f1785206970f8ca9a91672f1eedca7a8ef12bd6561bb246dda5df4b4d5e7e3a92649bc5d83a0bf92972e00e62067d0c7bd99d7a00706052b81040023a18189038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b"))
   563  
   564  var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75"))
   565  
   566  var testEd25519PrivateKey = ed25519.PrivateKey(fromHex("3a884965e76b3f55e5faf9615458a92354894234de3ec9f684d46d55cebf3dc63fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8f"))
   567  
   568  const clientCertificatePEM = `
   569  -----BEGIN CERTIFICATE-----
   570  MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS
   571  MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz
   572  MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
   573  gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff
   574  NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K
   575  hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD
   576  VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw
   577  DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU
   578  8ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK
   579  o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR
   580  e/oCO8HJ/+rJnahJ05XX1Q7lNQ==
   581  -----END CERTIFICATE-----`
   582  
   583  var clientKeyPEM = testingKey(`
   584  -----BEGIN RSA TESTING KEY-----
   585  MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa
   586  YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J
   587  czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB
   588  AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc
   589  qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv
   590  PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z
   591  9TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY
   592  dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ
   593  zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w
   594  jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ
   595  rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr
   596  FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU
   597  csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6
   598  -----END RSA TESTING KEY-----`)
   599  
   600  const clientECDSACertificatePEM = `
   601  -----BEGIN CERTIFICATE-----
   602  MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw
   603  EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0
   604  eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG
   605  EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK
   606  b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv
   607  ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs
   608  jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q
   609  ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg
   610  C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa
   611  2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw
   612  jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes=
   613  -----END CERTIFICATE-----`
   614  
   615  var clientECDSAKeyPEM = testingKey(`
   616  -----BEGIN EC PARAMETERS-----
   617  BgUrgQQAIw==
   618  -----END EC PARAMETERS-----
   619  -----BEGIN EC TESTING KEY-----
   620  MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8
   621  k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1
   622  FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd
   623  3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx
   624  +U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q==
   625  -----END EC TESTING KEY-----`)
   626  
   627  const clientEd25519CertificatePEM = `
   628  -----BEGIN CERTIFICATE-----
   629  MIIBLjCB4aADAgECAhAX0YGTviqMISAQJRXoNCNPMAUGAytlcDASMRAwDgYDVQQK
   630  EwdBY21lIENvMB4XDTE5MDUxNjIxNTQyNloXDTIwMDUxNTIxNTQyNlowEjEQMA4G
   631  A1UEChMHQWNtZSBDbzAqMAUGAytlcAMhAAvgtWC14nkwPb7jHuBQsQTIbcd4bGkv
   632  xRStmmNveRKRo00wSzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
   633  AwIwDAYDVR0TAQH/BAIwADAWBgNVHREEDzANggtleGFtcGxlLmNvbTAFBgMrZXAD
   634  QQD8GRcqlKUx+inILn9boF2KTjRAOdazENwZ/qAicbP1j6FYDc308YUkv+Y9FN/f
   635  7Q7hF9gRomDQijcjKsJGqjoI
   636  -----END CERTIFICATE-----`
   637  
   638  var clientEd25519KeyPEM = testingKey(`
   639  -----BEGIN TESTING KEY-----
   640  MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I
   641  -----END TESTING KEY-----`)
   642  
   643  func TestServerHelloTrailingMessage(t *testing.T) {
   644  	// In TLS 1.3 the change cipher spec message is optional. If a CCS message
   645  	// is not sent, after reading the ServerHello, the read traffic secret is
   646  	// set, and all following messages must be encrypted. If the server sends
   647  	// additional unencrypted messages in a record with the ServerHello, the
   648  	// client must either fail or ignore the additional messages.
   649  
   650  	c, s := localPipe(t)
   651  	go func() {
   652  		ctx := context.Background()
   653  		srv := Server(s, testConfig)
   654  		clientHello, _, err := srv.readClientHello(ctx)
   655  		if err != nil {
   656  			testFatal(t, err)
   657  		}
   658  
   659  		hs := serverHandshakeStateTLS13{
   660  			c:           srv,
   661  			ctx:         ctx,
   662  			clientHello: clientHello,
   663  		}
   664  		if err := hs.processClientHello(); err != nil {
   665  			testFatal(t, err)
   666  		}
   667  		if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
   668  			testFatal(t, err)
   669  		}
   670  
   671  		record, err := concatHandshakeMessages(hs.hello, &encryptedExtensionsMsg{alpnProtocol: "h2"})
   672  		if err != nil {
   673  			testFatal(t, err)
   674  		}
   675  
   676  		if _, err := s.Write(record); err != nil {
   677  			testFatal(t, err)
   678  		}
   679  		srv.Close()
   680  	}()
   681  
   682  	cli := Client(c, testConfig)
   683  	expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
   684  	if err := cli.Handshake(); err == nil {
   685  		t.Fatal("expected error from incomplete handshake, got nil")
   686  	} else if err.Error() != expectedErr {
   687  		t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
   688  	}
   689  }
   690  
   691  func TestClientHelloTrailingMessage(t *testing.T) {
   692  	// Same as TestServerHelloTrailingMessage but for the client side.
   693  
   694  	c, s := localPipe(t)
   695  	go func() {
   696  		cli := Client(c, testConfig)
   697  
   698  		hello, _, _, err := cli.makeClientHello()
   699  		if err != nil {
   700  			testFatal(t, err)
   701  		}
   702  
   703  		record, err := concatHandshakeMessages(hello, &certificateMsgTLS13{})
   704  		if err != nil {
   705  			testFatal(t, err)
   706  		}
   707  
   708  		if _, err := c.Write(record); err != nil {
   709  			testFatal(t, err)
   710  		}
   711  		cli.Close()
   712  	}()
   713  
   714  	srv := Server(s, testConfig)
   715  	expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
   716  	if err := srv.Handshake(); err == nil {
   717  		t.Fatal("expected error from incomplete handshake, got nil")
   718  	} else if err.Error() != expectedErr {
   719  		t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
   720  	}
   721  }
   722  
   723  func TestDoubleClientHelloHRR(t *testing.T) {
   724  	// If a client sends two ClientHello messages in a single record, and the
   725  	// server sends a HRR after reading the first ClientHello, the server must
   726  	// either fail or ignore the trailing ClientHello.
   727  
   728  	c, s := localPipe(t)
   729  
   730  	go func() {
   731  		cli := Client(c, testConfig)
   732  
   733  		hello, _, _, err := cli.makeClientHello()
   734  		if err != nil {
   735  			testFatal(t, err)
   736  		}
   737  		hello.keyShares = nil
   738  
   739  		record, err := concatHandshakeMessages(hello, hello)
   740  		if err != nil {
   741  			testFatal(t, err)
   742  		}
   743  
   744  		if _, err := c.Write(record); err != nil {
   745  			testFatal(t, err)
   746  		}
   747  		cli.Close()
   748  	}()
   749  
   750  	srv := Server(s, testConfig)
   751  	expectedErr := "tls: handshake buffer not empty before HelloRetryRequest"
   752  	if err := srv.Handshake(); err == nil {
   753  		t.Fatal("expected error from incomplete handshake, got nil")
   754  	} else if err.Error() != expectedErr {
   755  		t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
   756  	}
   757  }
   758  
   759  // concatHandshakeMessages marshals and concatenates the given handshake
   760  // messages into a single record.
   761  func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) {
   762  	var marshalled []byte
   763  	for _, msg := range msgs {
   764  		data, err := msg.marshal()
   765  		if err != nil {
   766  			return nil, err
   767  		}
   768  		marshalled = append(marshalled, data...)
   769  	}
   770  	m := len(marshalled)
   771  	outBuf := make([]byte, recordHeaderLen)
   772  	outBuf[0] = byte(recordTypeHandshake)
   773  	vers := VersionTLS12
   774  	outBuf[1] = byte(vers >> 8)
   775  	outBuf[2] = byte(vers)
   776  	outBuf[3] = byte(m >> 8)
   777  	outBuf[4] = byte(m)
   778  	outBuf = append(outBuf, marshalled...)
   779  	return outBuf, nil
   780  }
   781
View as plain text