kris
/
tls-tris
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
259 Revīzijas
4 Atzari
2.5 MiB
 
 
 
 
 
 
Koks: 326f5bb02b
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '326f5bb02b'
${ noResults }
tls-tris/tls_test.go

469 rindas
13 KiB
Neapstrādāts Vainot Vēsture 

  1. // Copyright 2012 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"bytes"

  9. 	"errors"

  10. 	"fmt"

  11. 	"internal/testenv"

  12. 	"io"

  13. 	"net"

  14. 	"strings"

  15. 	"testing"

  16. 	"time"

  17. )

  18. 

  19. var rsaCertPEM = `-----BEGIN CERTIFICATE-----

  20. MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV

  21. BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX

  22. aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF

  23. MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50

  24. ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ

  25. hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa

  26. rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv

  27. zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF

  28. MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW

  29. r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V

  30. -----END CERTIFICATE-----

  31. `

  32. 

  33. var rsaKeyPEM = `-----BEGIN RSA PRIVATE KEY-----

  34. MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo

  35. k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G

  36. 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N

  37. MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW

  38. SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T

  39. xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi

  40. D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==

  41. -----END RSA PRIVATE KEY-----

  42. `

  43. 

  44. // keyPEM is the same as rsaKeyPEM, but declares itself as just

  45. // "PRIVATE KEY", not "RSA PRIVATE KEY".  https://golang.org/issue/4477

  46. var keyPEM = `-----BEGIN PRIVATE KEY-----

  47. MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo

  48. k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G

  49. 6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N

  50. MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW

  51. SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T

  52. xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi

  53. D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==

  54. -----END PRIVATE KEY-----

  55. `

  56. 

  57. var ecdsaCertPEM = `-----BEGIN CERTIFICATE-----

  58. MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw

  59. EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0

  60. eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG

  61. EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk

  62. Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR

  63. lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl

  64. 01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8

  65. XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo

  66. A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb

  67. H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1

  68. +jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA==

  69. -----END CERTIFICATE-----

  70. `

  71. 

  72. var ecdsaKeyPEM = `-----BEGIN EC PARAMETERS-----

  73. BgUrgQQAIw==

  74. -----END EC PARAMETERS-----

  75. -----BEGIN EC PRIVATE KEY-----

  76. MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0

  77. NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL

  78. 06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz

  79. VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q

  80. kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ==

  81. -----END EC PRIVATE KEY-----

  82. `

  83. 

  84. var keyPairTests = []struct {

  85. 	algo string

  86. 	cert string

  87. 	key  string

  88. }{

  89. 	{"ECDSA", ecdsaCertPEM, ecdsaKeyPEM},

  90. 	{"RSA", rsaCertPEM, rsaKeyPEM},

  91. 	{"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477

  92. }

  93. 

  94. func TestX509KeyPair(t *testing.T) {

  95. 	var pem []byte

  96. 	for _, test := range keyPairTests {

  97. 		pem = []byte(test.cert + test.key)

  98. 		if _, err := X509KeyPair(pem, pem); err != nil {

  99. 			t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err)

  100. 		}

  101. 		pem = []byte(test.key + test.cert)

  102. 		if _, err := X509KeyPair(pem, pem); err != nil {

  103. 			t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err)

  104. 		}

  105. 	}

  106. }

  107. 

  108. func TestX509KeyPairErrors(t *testing.T) {

  109. 	_, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM))

  110. 	if err == nil {

  111. 		t.Fatalf("X509KeyPair didn't return an error when arguments were switched")

  112. 	}

  113. 	if subStr := "been switched"; !strings.Contains(err.Error(), subStr) {

  114. 		t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err)

  115. 	}

  116. 

  117. 	_, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM))

  118. 	if err == nil {

  119. 		t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates")

  120. 	}

  121. 	if subStr := "certificate"; !strings.Contains(err.Error(), subStr) {

  122. 		t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err)

  123. 	}

  124. 

  125. 	const nonsensePEM = `

  126. -----BEGIN NONSENSE-----

  127. Zm9vZm9vZm9v

  128. -----END NONSENSE-----

  129. `

  130. 

  131. 	_, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM))

  132. 	if err == nil {

  133. 		t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense")

  134. 	}

  135. 	if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) {

  136. 		t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err)

  137. 	}

  138. }

  139. 

  140. func TestX509MixedKeyPair(t *testing.T) {

  141. 	if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil {

  142. 		t.Error("Load of RSA certificate succeeded with ECDSA private key")

  143. 	}

  144. 	if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil {

  145. 		t.Error("Load of ECDSA certificate succeeded with RSA private key")

  146. 	}

  147. }

  148. 

  149. func newLocalListener(t *testing.T) net.Listener {

  150. 	ln, err := net.Listen("tcp", "127.0.0.1:0")

  151. 	if err != nil {

  152. 		ln, err = net.Listen("tcp6", "[::1]:0")

  153. 	}

  154. 	if err != nil {

  155. 		t.Fatal(err)

  156. 	}

  157. 	return ln

  158. }

  159. 

  160. func TestDialTimeout(t *testing.T) {

  161. 	if testing.Short() {

  162. 		t.Skip("skipping in short mode")

  163. 	}

  164. 	listener := newLocalListener(t)

  165. 

  166. 	addr := listener.Addr().String()

  167. 	defer listener.Close()

  168. 

  169. 	complete := make(chan bool)

  170. 	defer close(complete)

  171. 

  172. 	go func() {

  173. 		conn, err := listener.Accept()

  174. 		if err != nil {

  175. 			t.Error(err)

  176. 			return

  177. 		}

  178. 		<-complete

  179. 		conn.Close()

  180. 	}()

  181. 

  182. 	dialer := &net.Dialer{

  183. 		Timeout: 10 * time.Millisecond,

  184. 	}

  185. 

  186. 	var err error

  187. 	if _, err = DialWithDialer(dialer, "tcp", addr, nil); err == nil {

  188. 		t.Fatal("DialWithTimeout completed successfully")

  189. 	}

  190. 

  191. 	if !strings.Contains(err.Error(), "timed out") {

  192. 		t.Errorf("resulting error not a timeout: %s", err)

  193. 	}

  194. }

  195. 

  196. // tests that Conn.Read returns (non-zero, io.EOF) instead of

  197. // (non-zero, nil) when a Close (alertCloseNotify) is sitting right

  198. // behind the application data in the buffer.

  199. func TestConnReadNonzeroAndEOF(t *testing.T) {

  200. 	// This test is racy: it assumes that after a write to a

  201. 	// localhost TCP connection, the peer TCP connection can

  202. 	// immediately read it. Because it's racy, we skip this test

  203. 	// in short mode, and then retry it several times with an

  204. 	// increasing sleep in between our final write (via srv.Close

  205. 	// below) and the following read.

  206. 	if testing.Short() {

  207. 		t.Skip("skipping in short mode")

  208. 	}

  209. 	var err error

  210. 	for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 {

  211. 		if err = testConnReadNonzeroAndEOF(t, delay); err == nil {

  212. 			return

  213. 		}

  214. 	}

  215. 	t.Error(err)

  216. }

  217. 

  218. func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {

  219. 	ln := newLocalListener(t)

  220. 	defer ln.Close()

  221. 

  222. 	srvCh := make(chan *Conn, 1)

  223. 	var serr error

  224. 	go func() {

  225. 		sconn, err := ln.Accept()

  226. 		if err != nil {

  227. 			serr = err

  228. 			srvCh <- nil

  229. 			return

  230. 		}

  231. 		serverConfig := *testConfig

  232. 		srv := Server(sconn, &serverConfig)

  233. 		if err := srv.Handshake(); err != nil {

  234. 			serr = fmt.Errorf("handshake: %v", err)

  235. 			srvCh <- nil

  236. 			return

  237. 		}

  238. 		srvCh <- srv

  239. 	}()

  240. 

  241. 	clientConfig := *testConfig

  242. 	conn, err := Dial("tcp", ln.Addr().String(), &clientConfig)

  243. 	if err != nil {

  244. 		t.Fatal(err)

  245. 	}

  246. 	defer conn.Close()

  247. 

  248. 	srv := <-srvCh

  249. 	if srv == nil {

  250. 		return serr

  251. 	}

  252. 

  253. 	buf := make([]byte, 6)

  254. 

  255. 	srv.Write([]byte("foobar"))

  256. 	n, err := conn.Read(buf)

  257. 	if n != 6 || err != nil || string(buf) != "foobar" {

  258. 		return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)

  259. 	}

  260. 

  261. 	srv.Write([]byte("abcdef"))

  262. 	srv.Close()

  263. 	time.Sleep(delay)

  264. 	n, err = conn.Read(buf)

  265. 	if n != 6 || string(buf) != "abcdef" {

  266. 		return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf)

  267. 	}

  268. 	if err != io.EOF {

  269. 		return fmt.Errorf("Second Read error = %v; want io.EOF", err)

  270. 	}

  271. 	return nil

  272. }

  273. 

  274. func TestTLSUniqueMatches(t *testing.T) {

  275. 	ln := newLocalListener(t)

  276. 	defer ln.Close()

  277. 

  278. 	serverTLSUniques := make(chan []byte)

  279. 	go func() {

  280. 		for i := 0; i < 2; i++ {

  281. 			sconn, err := ln.Accept()

  282. 			if err != nil {

  283. 				t.Fatal(err)

  284. 			}

  285. 			serverConfig := *testConfig

  286. 			srv := Server(sconn, &serverConfig)

  287. 			if err := srv.Handshake(); err != nil {

  288. 				t.Fatal(err)

  289. 			}

  290. 			serverTLSUniques <- srv.ConnectionState().TLSUnique

  291. 		}

  292. 	}()

  293. 

  294. 	clientConfig := *testConfig

  295. 	clientConfig.ClientSessionCache = NewLRUClientSessionCache(1)

  296. 	conn, err := Dial("tcp", ln.Addr().String(), &clientConfig)

  297. 	if err != nil {

  298. 		t.Fatal(err)

  299. 	}

  300. 	if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {

  301. 		t.Error("client and server channel bindings differ")

  302. 	}

  303. 	conn.Close()

  304. 

  305. 	conn, err = Dial("tcp", ln.Addr().String(), &clientConfig)

  306. 	if err != nil {

  307. 		t.Fatal(err)

  308. 	}

  309. 	defer conn.Close()

  310. 	if !conn.ConnectionState().DidResume {

  311. 		t.Error("second session did not use resumption")

  312. 	}

  313. 	if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {

  314. 		t.Error("client and server channel bindings differ when session resumption is used")

  315. 	}

  316. }

  317. 

  318. func TestVerifyHostname(t *testing.T) {

  319. 	testenv.MustHaveExternalNetwork(t)

  320. 

  321. 	c, err := Dial("tcp", "www.google.com:https", nil)

  322. 	if err != nil {

  323. 		t.Fatal(err)

  324. 	}

  325. 	if err := c.VerifyHostname("www.google.com"); err != nil {

  326. 		t.Fatalf("verify www.google.com: %v", err)

  327. 	}

  328. 	if err := c.VerifyHostname("www.yahoo.com"); err == nil {

  329. 		t.Fatalf("verify www.yahoo.com succeeded")

  330. 	}

  331. 

  332. 	c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true})

  333. 	if err != nil {

  334. 		t.Fatal(err)

  335. 	}

  336. 	if err := c.VerifyHostname("www.google.com"); err == nil {

  337. 		t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")

  338. 	}

  339. 	if err := c.VerifyHostname("www.yahoo.com"); err == nil {

  340. 		t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true")

  341. 	}

  342. }

  343. 

  344. func TestVerifyHostnameResumed(t *testing.T) {

  345. 	testenv.MustHaveExternalNetwork(t)

  346. 

  347. 	config := &Config{

  348. 		ClientSessionCache: NewLRUClientSessionCache(32),

  349. 	}

  350. 	for i := 0; i < 2; i++ {

  351. 		c, err := Dial("tcp", "www.google.com:https", config)

  352. 		if err != nil {

  353. 			t.Fatalf("Dial #%d: %v", i, err)

  354. 		}

  355. 		cs := c.ConnectionState()

  356. 		if i > 0 && !cs.DidResume {

  357. 			t.Fatalf("Subsequent connection unexpectedly didn't resume")

  358. 		}

  359. 		if cs.VerifiedChains == nil {

  360. 			t.Fatalf("Dial #%d: cs.VerifiedChains == nil", i)

  361. 		}

  362. 		if err := c.VerifyHostname("www.google.com"); err != nil {

  363. 			t.Fatalf("verify www.google.com #%d: %v", i, err)

  364. 		}

  365. 		c.Close()

  366. 	}

  367. }

  368. 

  369. func TestConnCloseBreakingWrite(t *testing.T) {

  370. 	ln := newLocalListener(t)

  371. 	defer ln.Close()

  372. 

  373. 	srvCh := make(chan *Conn, 1)

  374. 	var serr error

  375. 	var sconn net.Conn

  376. 	go func() {

  377. 		var err error

  378. 		sconn, err = ln.Accept()

  379. 		if err != nil {

  380. 			serr = err

  381. 			srvCh <- nil

  382. 			return

  383. 		}

  384. 		serverConfig := *testConfig

  385. 		srv := Server(sconn, &serverConfig)

  386. 		if err := srv.Handshake(); err != nil {

  387. 			serr = fmt.Errorf("handshake: %v", err)

  388. 			srvCh <- nil

  389. 			return

  390. 		}

  391. 		srvCh <- srv

  392. 	}()

  393. 

  394. 	cconn, err := net.Dial("tcp", ln.Addr().String())

  395. 	if err != nil {

  396. 		t.Fatal(err)

  397. 	}

  398. 	defer cconn.Close()

  399. 

  400. 	conn := &changeImplConn{

  401. 		Conn: cconn,

  402. 	}

  403. 

  404. 	clientConfig := *testConfig

  405. 	tconn := Client(conn, &clientConfig)

  406. 	if err := tconn.Handshake(); err != nil {

  407. 		t.Fatal(err)

  408. 	}

  409. 

  410. 	srv := <-srvCh

  411. 	if srv == nil {

  412. 		t.Fatal(serr)

  413. 	}

  414. 	defer sconn.Close()

  415. 

  416. 	connClosed := make(chan struct{})

  417. 	conn.closeFunc = func() error {

  418. 		close(connClosed)

  419. 		return nil

  420. 	}

  421. 

  422. 	inWrite := make(chan bool, 1)

  423. 	var errConnClosed = errors.New("conn closed for test")

  424. 	conn.writeFunc = func(p []byte) (n int, err error) {

  425. 		inWrite <- true

  426. 		<-connClosed

  427. 		return 0, errConnClosed

  428. 	}

  429. 

  430. 	closeReturned := make(chan bool, 1)

  431. 	go func() {

  432. 		<-inWrite

  433. 		tconn.Close() // test that this doesn't block forever.

  434. 		closeReturned <- true

  435. 	}()

  436. 

  437. 	_, err = tconn.Write([]byte("foo"))

  438. 	if err != errConnClosed {

  439. 		t.Errorf("Write error = %v; want errConnClosed", err)

  440. 	}

  441. 

  442. 	<-closeReturned

  443. 	if err := tconn.Close(); err != errClosed {

  444. 		t.Errorf("Close error = %v; want errClosed", err)

  445. 	}

  446. }

  447. 

  448. // changeImplConn is a net.Conn which can change its Write and Close

  449. // methods.

  450. type changeImplConn struct {

  451. 	net.Conn

  452. 	writeFunc func([]byte) (int, error)

  453. 	closeFunc func() error

  454. }

  455. 

  456. func (w *changeImplConn) Write(p []byte) (n int, err error) {

  457. 	if w.writeFunc != nil {

  458. 		return w.writeFunc(p)

  459. 	}

  460. 	return w.Conn.Write(p)

  461. }

  462. 

  463. func (w *changeImplConn) Close() error {

  464. 	if w.closeFunc != nil {

  465. 		return w.closeFunc()

  466. 	}

  467. 	return w.Conn.Close()

  468. }