crypto/tls: remove TLS 1.3 opt-out

Fixes #30055 Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d Reviewed-on: https://go-review.googlesource.com/c/go/+/191999 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-17 04:14:52 -07:00 · 2019-08-27 17:36:07 -04:00 · 2019-08-27 17:36:07 -04:00 · a8c2e5c6ad
commit a8c2e5c6ad
parent ffcb678f47
4 changed files with 0 additions and 102 deletions
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@ -16,7 +16,6 @@ import (
 	"io"
 	"math/big"
 	"net"
-	"os"
 	"strings"
 	"sync"
 	"time"
@ -799,53 +798,11 @@ func (c *Config) supportedVersions() []uint16 {
 		if c != nil && c.MaxVersion != 0 && v > c.MaxVersion {
 			continue
 		}
-		// TLS 1.3 is opt-out in Go 1.13.
-		if v == VersionTLS13 && !isTLS13Supported() {
-			continue
-		}
 		versions = append(versions, v)
 	}
 	return versions
 }

-// tls13Support caches the result for isTLS13Supported.
-var tls13Support struct {
-	sync.Once
-	cached bool
-}
-
-// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
-// out with GODEBUG=tls13=0. It's cached after the first execution.
-func isTLS13Supported() bool {
-	tls13Support.Do(func() {
-		tls13Support.cached = goDebugString("tls13") != "0"
-	})
-	return tls13Support.cached
-}
-
-// goDebugString returns the value of the named GODEBUG key.
-// GODEBUG is of the form "key=val,key2=val2".
-func goDebugString(key string) string {
-	s := os.Getenv("GODEBUG")
-	for i := 0; i < len(s)-len(key)-1; i++ {
-		if i > 0 && s[i-1] != ',' {
-			continue
-		}
-		afterKey := s[i+len(key):]
-		if afterKey[0] != '=' || s[i:i+len(key)] != key {
-			continue
-		}
-		val := afterKey[1:]
-		for i, b := range val {
-			if b == ',' {
-				return val[:i]
-			}
-		}
-		return val
-	}
-	return ""
-}
-
 func (c *Config) maxSupportedVersion() uint16 {
 	supportedVersions := c.supportedVersions()
 	if len(supportedVersions) == 0 {
--- a/src/crypto/tls/handshake_test.go
+++ b/src/crypto/tls/handshake_test.go
@ -345,7 +345,6 @@ func runMain(m *testing.M) int {
 		Rand:               zeroSource{},
 		Certificates:       make([]Certificate, 2),
 		InsecureSkipVerify: true,
-		MaxVersion:         VersionTLS13,
 		CipherSuites:       allCipherSuites(),
 	}
 	testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
--- a/src/crypto/tls/tls.go
+++ b/src/crypto/tls/tls.go
@ -4,10 +4,6 @@

 // Package tls partially implements TLS 1.2, as specified in RFC 5246,
 // and TLS 1.3, as specified in RFC 8446.
-//
-// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
-// it, set the GODEBUG environment variable (comma-separated key=value
-// options) such that it includes "tls13=0".
 package tls

 // BUG(agl): The crypto/tls package only implements some countermeasures
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
@ -18,7 +18,6 @@ import (
 	"os"
 	"reflect"
 	"strings"
-	"sync"
 	"testing"
 	"time"
 )
@ -1023,59 +1022,6 @@ func TestConnectionState(t *testing.T) {
 	}
 }

-// TestEscapeRoute tests that the library will still work if support for TLS 1.3
-// is dropped later in the Go 1.12 cycle.
-func TestEscapeRoute(t *testing.T) {
-	defer func(savedSupportedVersions []uint16) {
-		supportedVersions = savedSupportedVersions
-	}(supportedVersions)
-	supportedVersions = []uint16{
-		VersionTLS12,
-		VersionTLS11,
-		VersionTLS10,
-	}
-
-	expectVersion(t, testConfig, testConfig, VersionTLS12)
-}
-
-func expectVersion(t *testing.T, clientConfig, serverConfig *Config, v uint16) {
-	ss, cs, err := testHandshake(t, clientConfig, serverConfig)
-	if err != nil {
-		t.Fatalf("Handshake failed: %v", err)
-	}
-	if ss.Version != v {
-		t.Errorf("Server negotiated version %x, expected %x", cs.Version, v)
-	}
-	if cs.Version != v {
-		t.Errorf("Client negotiated version %x, expected %x", cs.Version, v)
-	}
-}
-
-// TestTLS13Switch checks the behavior of GODEBUG=tls13=[0|1]. See Issue 30055.
-func TestTLS13Switch(t *testing.T) {
-	defer func(savedGODEBUG string) {
-		os.Setenv("GODEBUG", savedGODEBUG)
-	}(os.Getenv("GODEBUG"))
-
-	os.Setenv("GODEBUG", "tls13=0")
-	tls13Support.Once = sync.Once{} // reset the cache
-
-	tls12Config := testConfig.Clone()
-	tls12Config.MaxVersion = VersionTLS12
-	expectVersion(t, testConfig, testConfig, VersionTLS12)
-	expectVersion(t, tls12Config, testConfig, VersionTLS12)
-	expectVersion(t, testConfig, tls12Config, VersionTLS12)
-	expectVersion(t, tls12Config, tls12Config, VersionTLS12)
-
-	os.Setenv("GODEBUG", "tls13=1")
-	tls13Support.Once = sync.Once{} // reset the cache
-
-	expectVersion(t, testConfig, testConfig, VersionTLS13)
-	expectVersion(t, tls12Config, testConfig, VersionTLS12)
-	expectVersion(t, testConfig, tls12Config, VersionTLS12)
-	expectVersion(t, tls12Config, tls12Config, VersionTLS12)
-}
-
 // Issue 28744: Ensure that we don't modify memory
 // that Config doesn't own such as Certificates.
 func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {