qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-17 06:24:48 -07:00
Code Releases Activity

crypto/tls: remove TLS 1.3 opt-out

Browse Source 
Fixes #30055

Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d
Reviewed-on: https://go-review.googlesource.com/c/go/+/191999
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Filippo Valsorda 2019-08-27 17:36:07 -04:00
parent ffcb678f47
commit a8c2e5c6ad
4 changed files with 0 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/crypto/tls/common.go
View File

@ -16,7 +16,6 @@ import (
"io" "io"
"math/big" "math/big"
"net" "net"
"os"
"strings" "strings"
"sync" "sync"
"time" "time"
@ -799,53 +798,11 @@ func (c *Config) supportedVersions() []uint16 {
if c != nil && c.MaxVersion != 0 && v > c.MaxVersion { if c != nil && c.MaxVersion != 0 && v > c.MaxVersion {
continue continue
} }
// TLS 1.3 is opt-out in Go 1.13.
if v == VersionTLS13 && !isTLS13Supported() {
continue
}
versions = append(versions, v) versions = append(versions, v)
} }
return versions return versions
} }
// tls13Support caches the result for isTLS13Supported.
var tls13Support struct {
sync.Once
cached bool
}
// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
// out with GODEBUG=tls13=0. It's cached after the first execution.
func isTLS13Supported() bool {
tls13Support.Do(func() {
tls13Support.cached = goDebugString("tls13") != "0"
})
return tls13Support.cached
}
// goDebugString returns the value of the named GODEBUG key.
// GODEBUG is of the form "key=val,key2=val2".
func goDebugString(key string) string {
s := os.Getenv("GODEBUG")
for i := 0; i < len(s)-len(key)-1; i++ {
if i > 0 && s[i-1] != ',' {
continue
}
afterKey := s[i+len(key):]
if afterKey[0] != '=' || s[i:i+len(key)] != key {
continue
}
val := afterKey[1:]
for i, b := range val {
if b == ',' {
return val[:i]
}
}
return val
}
return ""
}
func (c *Config) maxSupportedVersion() uint16 { func (c *Config) maxSupportedVersion() uint16 {
supportedVersions := c.supportedVersions() supportedVersions := c.supportedVersions()
if len(supportedVersions) == 0 { if len(supportedVersions) == 0 {

1
src/crypto/tls/handshake_test.go
View File

@ -345,7 +345,6 @@ func runMain(m *testing.M) int {
Rand: zeroSource{}, Rand: zeroSource{},
Certificates: make([]Certificate, 2), Certificates: make([]Certificate, 2),
InsecureSkipVerify: true, InsecureSkipVerify: true,
MaxVersion: VersionTLS13,
CipherSuites: allCipherSuites(), CipherSuites: allCipherSuites(),
} }
testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}

4
src/crypto/tls/tls.go
View File

@ -4,10 +4,6 @@
// Package tls partially implements TLS 1.2, as specified in RFC 5246, // Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446. // and TLS 1.3, as specified in RFC 8446.
//
// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=0".
package tls package tls
// BUG(agl): The crypto/tls package only implements some countermeasures // BUG(agl): The crypto/tls package only implements some countermeasures

54
src/crypto/tls/tls_test.go
View File

@ -18,7 +18,6 @@ import (
"os" "os"
"reflect" "reflect"
"strings" "strings"
"sync"
"testing" "testing"
"time" "time"
) )
@ -1023,59 +1022,6 @@ func TestConnectionState(t *testing.T) {
} }
} }
// TestEscapeRoute tests that the library will still work if support for TLS 1.3
// is dropped later in the Go 1.12 cycle.
func TestEscapeRoute(t *testing.T) {
defer func(savedSupportedVersions []uint16) {
supportedVersions = savedSupportedVersions
}(supportedVersions)
supportedVersions = []uint16{
VersionTLS12,
VersionTLS11,
VersionTLS10,
}
expectVersion(t, testConfig, testConfig, VersionTLS12)
}
func expectVersion(t *testing.T, clientConfig, serverConfig *Config, v uint16) {
ss, cs, err := testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("Handshake failed: %v", err)
}
if ss.Version != v {
t.Errorf("Server negotiated version %x, expected %x", cs.Version, v)
}
if cs.Version != v {
t.Errorf("Client negotiated version %x, expected %x", cs.Version, v)
}
}
// TestTLS13Switch checks the behavior of GODEBUG=tls13=[0|1]. See Issue 30055.
func TestTLS13Switch(t *testing.T) {
defer func(savedGODEBUG string) {
os.Setenv("GODEBUG", savedGODEBUG)
}(os.Getenv("GODEBUG"))
os.Setenv("GODEBUG", "tls13=0")
tls13Support.Once = sync.Once{} // reset the cache
tls12Config := testConfig.Clone()
tls12Config.MaxVersion = VersionTLS12
expectVersion(t, testConfig, testConfig, VersionTLS12)
expectVersion(t, tls12Config, testConfig, VersionTLS12)
expectVersion(t, testConfig, tls12Config, VersionTLS12)
expectVersion(t, tls12Config, tls12Config, VersionTLS12)
os.Setenv("GODEBUG", "tls13=1")
tls13Support.Once = sync.Once{} // reset the cache
expectVersion(t, testConfig, testConfig, VersionTLS13)
expectVersion(t, tls12Config, testConfig, VersionTLS12)
expectVersion(t, testConfig, tls12Config, VersionTLS12)
expectVersion(t, tls12Config, tls12Config, VersionTLS12)
}
// Issue 28744: Ensure that we don't modify memory // Issue 28744: Ensure that we don't modify memory
// that Config doesn't own such as Certificates. // that Config doesn't own such as Certificates.
func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) { func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {