From a8c2e5c6adc0d8f9b976a55bf4e22fcf5770ea55 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Tue, 27 Aug 2019 17:36:07 -0400 Subject: [PATCH] crypto/tls: remove TLS 1.3 opt-out Fixes #30055 Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d Reviewed-on: https://go-review.googlesource.com/c/go/+/191999 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick --- src/crypto/tls/common.go | 43 ------------------------- src/crypto/tls/handshake_test.go | 1 - src/crypto/tls/tls.go | 4 --- src/crypto/tls/tls_test.go | 54 -------------------------------- 4 files changed, 102 deletions(-) diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go index 84390fde9ea..14662e3ea90 100644 --- a/src/crypto/tls/common.go +++ b/src/crypto/tls/common.go @@ -16,7 +16,6 @@ import ( "io" "math/big" "net" - "os" "strings" "sync" "time" @@ -799,53 +798,11 @@ func (c *Config) supportedVersions() []uint16 { if c != nil && c.MaxVersion != 0 && v > c.MaxVersion { continue } - // TLS 1.3 is opt-out in Go 1.13. - if v == VersionTLS13 && !isTLS13Supported() { - continue - } versions = append(versions, v) } return versions } -// tls13Support caches the result for isTLS13Supported. -var tls13Support struct { - sync.Once - cached bool -} - -// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting -// out with GODEBUG=tls13=0. It's cached after the first execution. -func isTLS13Supported() bool { - tls13Support.Do(func() { - tls13Support.cached = goDebugString("tls13") != "0" - }) - return tls13Support.cached -} - -// goDebugString returns the value of the named GODEBUG key. -// GODEBUG is of the form "key=val,key2=val2". -func goDebugString(key string) string { - s := os.Getenv("GODEBUG") - for i := 0; i < len(s)-len(key)-1; i++ { - if i > 0 && s[i-1] != ',' { - continue - } - afterKey := s[i+len(key):] - if afterKey[0] != '=' || s[i:i+len(key)] != key { - continue - } - val := afterKey[1:] - for i, b := range val { - if b == ',' { - return val[:i] - } - } - return val - } - return "" -} - func (c *Config) maxSupportedVersion() uint16 { supportedVersions := c.supportedVersions() if len(supportedVersions) == 0 { diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go index 50278db446b..6081ab20f03 100644 --- a/src/crypto/tls/handshake_test.go +++ b/src/crypto/tls/handshake_test.go @@ -345,7 +345,6 @@ func runMain(m *testing.M) int { Rand: zeroSource{}, Certificates: make([]Certificate, 2), InsecureSkipVerify: true, - MaxVersion: VersionTLS13, CipherSuites: allCipherSuites(), } testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go index ba6d5eba15b..58c3a6b5ad2 100644 --- a/src/crypto/tls/tls.go +++ b/src/crypto/tls/tls.go @@ -4,10 +4,6 @@ // Package tls partially implements TLS 1.2, as specified in RFC 5246, // and TLS 1.3, as specified in RFC 8446. -// -// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable -// it, set the GODEBUG environment variable (comma-separated key=value -// options) such that it includes "tls13=0". package tls // BUG(agl): The crypto/tls package only implements some countermeasures diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go index 98ac02674d0..c06e580b446 100644 --- a/src/crypto/tls/tls_test.go +++ b/src/crypto/tls/tls_test.go @@ -18,7 +18,6 @@ import ( "os" "reflect" "strings" - "sync" "testing" "time" ) @@ -1023,59 +1022,6 @@ func TestConnectionState(t *testing.T) { } } -// TestEscapeRoute tests that the library will still work if support for TLS 1.3 -// is dropped later in the Go 1.12 cycle. -func TestEscapeRoute(t *testing.T) { - defer func(savedSupportedVersions []uint16) { - supportedVersions = savedSupportedVersions - }(supportedVersions) - supportedVersions = []uint16{ - VersionTLS12, - VersionTLS11, - VersionTLS10, - } - - expectVersion(t, testConfig, testConfig, VersionTLS12) -} - -func expectVersion(t *testing.T, clientConfig, serverConfig *Config, v uint16) { - ss, cs, err := testHandshake(t, clientConfig, serverConfig) - if err != nil { - t.Fatalf("Handshake failed: %v", err) - } - if ss.Version != v { - t.Errorf("Server negotiated version %x, expected %x", cs.Version, v) - } - if cs.Version != v { - t.Errorf("Client negotiated version %x, expected %x", cs.Version, v) - } -} - -// TestTLS13Switch checks the behavior of GODEBUG=tls13=[0|1]. See Issue 30055. -func TestTLS13Switch(t *testing.T) { - defer func(savedGODEBUG string) { - os.Setenv("GODEBUG", savedGODEBUG) - }(os.Getenv("GODEBUG")) - - os.Setenv("GODEBUG", "tls13=0") - tls13Support.Once = sync.Once{} // reset the cache - - tls12Config := testConfig.Clone() - tls12Config.MaxVersion = VersionTLS12 - expectVersion(t, testConfig, testConfig, VersionTLS12) - expectVersion(t, tls12Config, testConfig, VersionTLS12) - expectVersion(t, testConfig, tls12Config, VersionTLS12) - expectVersion(t, tls12Config, tls12Config, VersionTLS12) - - os.Setenv("GODEBUG", "tls13=1") - tls13Support.Once = sync.Once{} // reset the cache - - expectVersion(t, testConfig, testConfig, VersionTLS13) - expectVersion(t, tls12Config, testConfig, VersionTLS12) - expectVersion(t, testConfig, tls12Config, VersionTLS12) - expectVersion(t, tls12Config, tls12Config, VersionTLS12) -} - // Issue 28744: Ensure that we don't modify memory // that Config doesn't own such as Certificates. func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {