// will use the optimised implementation in this file when possible. Instances

// of this type only exist when hasGCMAsm returns true.

type aesCipherGCM struct {

}

// NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only

// called by crypto/cipher.NewGCM via the gcmAble interface.

func (c *aesCipherGCM) NewGCM(nonceSize int) (cipher.AEAD, error) {

},

}

// Test Cipher Encrypt method against FIPS 197 examples.

func TestCipherEncrypt(t *testing.T) {

for i, tt := range encryptTests {

// Rotate

func rotw(w uint32) uint32 { return w<<8 | w>>24 }

// Their rcon[i] is our powx[i-1] << 24.

func expandKeyGo(key []byte, enc, dec []uint32) {

// Encryption key setup.

case 16, 24, 32:

break

}

c := aesCipher{make([]uint32, n), make([]uint32, n)}

return &c, nil

}

if len(dst) < BlockSize {

panic("crypto/aes: output not full block")

}

}

func (c *aesCipher) Decrypt(dst, src []byte) {

if len(dst) < BlockSize {

panic("crypto/aes: output not full block")

}

}

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package aes

}

func expandKey(key []byte, enc, dec []uint32) {

expandKeyGo(key, enc, dec)

}

type cbcEncrypter cbc

// NewCBCEncrypter returns a BlockMode which encrypts in cipher block chaining

// mode, using the given Block. The length of iv must be the same as the

// Block's block size.

if len(iv) != b.BlockSize() {

panic("cipher.NewCBCEncrypter: IV length must equal block size")

}

return (*cbcEncrypter)(newCBC(b, iv))

}

type cbcDecrypter cbc

// NewCBCDecrypter returns a BlockMode which decrypts in cipher block chaining

// mode, using the given Block. The length of iv must be the same as the

// Block's block size and must match the iv used to encrypt the data.

if len(iv) != b.BlockSize() {

panic("cipher.NewCBCDecrypter: IV length must equal block size")

}

return (*cbcDecrypter)(newCBC(b, iv))

}

package cipher

// A Block represents an implementation of block cipher

// extend that capability to streams of blocks.

type Block interface {

// BlockSize returns the cipher's block size.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

const streamBufferSize = 512

// NewCTR returns a Stream which encrypts/decrypts using the given Block in

// counter mode. The length of iv must be the same as the Block's block size.

func NewCTR(block Block, iv []byte) Stream {

if len(iv) != block.BlockSize() {

panic("cipher.NewCTR: IV length must equal block size")

}

// The key argument should be the AES key, either 16 or 32 bytes

// to select AES-128 or AES-256.

key := []byte("AES256Key-32Characters1234567890")

block, err := aes.NewCipher(key)

if err != nil {

panic(err.Error())

}

}

func ExampleNewCBCDecrypter() {

)

const wordSize = int(unsafe.Sizeof(uintptr(0)))

// fastXORBytes xors in bulk. It only works on architectures that

// support unaligned read/writes.

d2 := make([]byte, 1024+alignD)[alignD:]

xorBytes(d1, p, q)

safeXORBytes(d2, p, q)

t.Error("not equal")

}

}

for i := 0; i < 4; i++ {

for j := 0; j < 16; j++ {

f := uint64(sBoxes[s][i][j]) << (4 * (7 - uint(s)))

feistelBox[s][16*i+j] = uint32(f)

}

}

// GenerateParameters puts a random, valid set of DSA parameters into params.

// This function can take many seconds, even on fast machines.

// This function doesn't follow FIPS 186-3 exactly in that it doesn't

// use a verification seed to generate the primes. The verification

// seed doesn't appear to be exported or used by other code and

GeneratePrimes:

for {

}

qBytes[len(qBytes)-1] |= 1

}

for i := 0; i < 4*L; i++ {

}

pBytes[len(pBytes)-1] |= 1

}

params.G = g

}

}

}

// GenerateKey generates a public and private key pair.

k, err := randFieldElement(c, rand)

if err != nil {

}

priv.PublicKey.Curve = c

priv.D = k

priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())

}

// hashToInt converts a hash value to an integer. There is some disagreement

var errZeroParam = errors.New("zero parameter")

func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {

// Get max(log2(q) / 2, 256) bits of entropy from rand.

entropylen := (priv.Curve.Params().BitSize + 7) / 16

c := pub.Curve

N := c.Params().N

return false

}

if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {

}

if r0.Cmp(r1) == 0 {

}

}

}

}

}

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

p256CopyConditional(yOut, &ty, mask)

p256CopyConditional(zOut, &tz, mask)

// If p was not zero, then n is now non-zero.

}

}

}

p256CopyConditional(xOut, &tx, mask)

p256CopyConditional(yOut, &ty, mask)

p256CopyConditional(zOut, &tz, mask)

}

}

// if cond == 0 res <- b; else res <- a

func p256MovCond(res, a, b []uint64, cond int)

func p256BigToLittle(res []uint64, in []byte)

func p256LittleToBig(res []byte, in []uint64)

func p256PointDoubleAsm(res, in []uint64)

func (curve p256Curve) Inverse(k *big.Int) *big.Int {

if k.Cmp(p256.N) >= 0 {

// This should never happen.

}

// table will store precomputed powers of x. The four words at index

type hmac struct {

size int

blocksize int

outer, inner hash.Hash

}

func (h *hmac) Sum(in []byte) []byte {

origLen := len(in)

in = h.inner.Sum(in)

h.outer.Reset()

return h.outer.Sum(in[:origLen])

}

func (h *hmac) Reset() {

h.inner.Reset()

}

// New returns a new HMAC hash using the given hash.Hash type and key.

hm.inner = h()

hm.size = hm.inner.Size()

hm.blocksize = hm.inner.BlockSize()

if len(key) > hm.blocksize {

// If key is too big, hash it.

hm.outer.Write(key)

key = hm.outer.Sum(nil)

}

return hm

}

t.Error("Equal accepted unequal slices")

}

}

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

}

func (d *digest) checkSum() [Size]byte {

len := d.len

var tmp [64]byte

tmp[0] = 0x80

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package md5

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package md5

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Reader is a global, shared instance of a cryptographically

// strong pseudo-random generator.

//

// On Linux, Reader uses getrandom(2) if available, /dev/urandom otherwise.

// On Windows systems, Reader uses the CryptGenRandom API.

var Reader io.Reader

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// systems without a reliable /dev/urandom.

// newReader returns a new pseudorandom generator that

// the generator seeds itself by reading from the system's

// random number generator, typically /dev/random.

// The Read method on the returned reader always returns

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

p.SetBytes(bytes)

// a multiple of any of these primes we add two until it isn't.

// The probability of overflowing is minimal and can be ignored

// because we still perform Miller-Rabin tests on the result.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

return "crypto/rc4: invalid key size " + strconv.Itoa(int(k))

}

// RC4 key, at least 1 byte and at most 256 bytes.

func NewCipher(key []byte) (*Cipher, error) {

k := len(key)

}

// xorKeyStreamGeneric sets dst to the result of XORing src with the

// not overlap.

//

// This is the pure Go version. rc4_{amd64,386,arm}* contain assembly

SessionKeyLen int

}

//

//

if err := checkPub(pub); err != nil {

return nil, err

}

k := (pub.N.BitLen() + 7) / 8

if len(msg) > k-11 {

}

// EM = 0x00 || 0x02 || PS || 0x00 || M

em := make([]byte, k)

em[1] = 2

ps, mm := em[2:len(em)-len(msg)-1], em[len(em)-len(msg):]

if err != nil {

}

em[len(em)-len(msg)-1] = 0

copy(mm, msg)

c := encrypt(new(big.Int), pub, m)

copyWithLeftPad(em, c.Bytes())

}

// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.

// learn whether each instance returned an error then they can decrypt and

// forge signatures as if they had the private key. See

// DecryptPKCS1v15SessionKey for a way of solving this problem.

if err := checkPub(&priv.PublicKey); err != nil {

return nil, err

}

valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)

if err != nil {

}

if valid == 0 {

return nil, ErrDecryption

}

}

// DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.

// a random value was used (because it'll be different for the same ciphertext)

// and thus whether the padding was correct. This defeats the point of this

// function. Using at least a 16-byte key will protect against this attack.

if err := checkPub(&priv.PublicKey); err != nil {

return err

}

valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)

if err != nil {

}

if len(em) != k {

valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key)))

subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):])

}

// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if

crypto.RIPEMD160: {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14},

}

// advisable except for interoperability.

//

//

hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))

if err != nil {

}

tLen := len(prefix) + hashLen

m := new(big.Int).SetBytes(em)

c, err := decryptAndCheck(rand, priv, m)

if err != nil {

}

copyWithLeftPad(em, c.Bytes())

}

// VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.

// function and sig is the signature. A valid signature is indicated by

// returning a nil error. If hash is zero then hashed is used directly. This

// isn't advisable except for interoperability.

hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))

if err != nil {

}

tLen := len(prefix) + hashLen

k := (pub.N.BitLen() + 7) / 8

if k < tLen+11 {

}

c := new(big.Int).SetBytes(sig)

hash.Reset()

// 7. Generate an octet string PS consisting of emLen - sLen - hLen - 2

//

// 8. Let DB = PS || 0x01 || salt; DB is an octet string of length

// emLen - hLen - 1.

// Note that hashed must be the result of hashing the input message using the

// given hash function. The opts argument may be nil, in which case sensible

// defaults are used.

saltLength := opts.saltLength()

switch saltLength {

case PSSSaltLengthAuto:

}

salt := make([]byte, saltLength)

}

return signPSSWithSalt(rand, priv, hash, hashed, salt)

}

// possible.

//

// Two sets of interfaces are included in this package. When a more abstract

// with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract

// over the public-key primitive, the PrivateKey struct implements the

// Decrypter and Signer interfaces from the crypto package.

// GenerateKey generates an RSA keypair of the given bit size using the

// random source random (for example, crypto/rand.Reader).

return GenerateMultiPrimeKey(random, 2, bits)

}

//

// [1] US patent 4405829 (1972, expired)

// [2] http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf

priv.E = 65537

if nprimes < 2 {

todo += (nprimes - 2) / 5

}

for i := 0; i < nprimes; i++ {

primes[i], err = rand.Prime(random, todo/(nprimes-i))

if err != nil {

return nil, err

}

priv.Precompute()

}

// incCounter increments a four byte, big-endian counter.

//

// The message must be no longer than the length of the public modulus less

// twice the hash length plus 2.

if err := checkPub(pub); err != nil {

return nil, err

}

hash.Reset()

k := (pub.N.BitLen() + 7) / 8

if len(msg) > k-2*hash.Size()-2 {

}

hash.Write(label)

db[len(db)-len(msg)-1] = 1

copy(db[len(db)-len(msg):], msg)

if err != nil {

}

mgf1XOR(db, hash, seed)

m := new(big.Int)

m.SetBytes(em)

c := encrypt(new(big.Int), pub, m)

if len(out) < k {

// If the output is too small, we need to left-pad with zeros.

out = t

}

}

// ErrDecryption represents a failure to decrypt a message.

//

// The label parameter must match the value given when encrypting. See

// EncryptOAEP for details.

if err := checkPub(&priv.PublicKey); err != nil {

return nil, err

}

k := (priv.N.BitLen() + 7) / 8

if len(ciphertext) > k ||

k < hash.Size()*2+2 {

}

c := new(big.Int).SetBytes(ciphertext)

m, err := decrypt(random, priv, c)

if err != nil {

}

hash.Write(label)

}

if firstByteIsZero&lHash2Good&^invalid&^lookingForIndex != 1 {

}

}

// leftPad returns a new slice of length size. The contents of input are right

func (d *digest) checkSum() [Size]byte {

len := d.len

var tmp [64]byte

tmp[0] = 0x80

if len%64 < 56 {

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha1

}

var golden = []sha1Test{

{"da39a3ee5e6b4b0d3255bfef95601890afd80709", ""},

{"86f7e437faa5a7fce15d1ddcb9eaeaea377667b8", "a"},

{"da23614e02469a0d7c7bd1bdab5c9c474b1904dc", "ab"},

}

}

func TestBlockGeneric(t *testing.T) {

}

}

benchmarkSize(b, 8)

}

func BenchmarkHash1K(b *testing.B) {

benchmarkSize(b, 1024)

}

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha1

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha1

func (d *digest) checkSum() [Size]byte {

len := d.len

var tmp [64]byte

tmp[0] = 0x80

if len%64 < 56 {

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha256

import (

"fmt"

"io"

"testing"

}

}

var bench = New()

var buf = make([]byte, 8192)

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// SHA256 block step.

// In its own file so that a faster assembly or C version

// can be substituted easily.

0xc67178f2,

}

var w [64]uint32

h0, h1, h2, h3, h4, h5, h6, h7 := dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7]

for len(p) >= chunk {

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha256

}

func (d *digest) checkSum() [Size]byte {

len := d.len

var tmp [128]byte

tmp[0] = 0x80

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha512

import (

"encoding/hex"

"hash"

"io"

}

}

var bench = New()

var buf = make([]byte, 8192)

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

// SHA512 block step.

// In its own file so that a faster assembly or C version

// can be substituted easily.

0x6c44198c4a475817,

}

var w [80]uint64

h0, h1, h2, h3, h4, h5, h6, h7 := dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7]

for len(p) >= chunk {

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package sha512

// code but require careful thought to use correctly.

package subtle

// and y, have equal contents. The time taken is a function of the length of

// the slices and is independent of the contents.

func ConstantTimeCompare(x, y []byte) int {

func (e alert) String() string {

s, ok := alertText[e]

if ok {

}

}

func (e alert) Error() string {

var cipherSuites = []*cipherSuite{

// Ciphersuite order is chosen so that ECDHE comes before plain RSA

{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},

{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},

{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

return nil

}

const (

TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005

TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a

// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator

// that the client is doing version fallback. See

TLS_FALLBACK_SCSV uint16 = 0x5600

)

// TLS handshake message types.

const (

typeClientHello uint8 = 1

typeServerHello uint8 = 2

typeNewSessionTicket uint8 = 4

certTypeRSAFixedDH = 3 // A certificate containing a static DH key

certTypeDSSFixedDH = 4 // A certificate containing a static DH key

certTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.

certTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.

certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.

SupportedPoints []uint8

}

// A Config structure is used to configure a TLS client or server.

// After one has been passed to a TLS function it must not be

// modified. A Config may be reused; the tls package will also not

// be used.

CurvePreferences []CurveID

serverInitOnce sync.Once // guards calling (*Config).serverInit

// mutex protects sessionTicketKeys

return key

}

func (c *Config) serverInit() {

if c.SessionTicketsDisabled {

return

}

if len(c.Certificates) == 0 {

}

if len(c.Certificates) == 1 || c.NameToCertificate == nil {

Leaf *x509.Certificate

}

type handshakeMessage interface {

marshal() []byte

unmarshal([]byte) bool

isClient bool

// constant after handshake; protected by handshakeMutex

handshakeComplete bool

// verifiedChains contains the certificate chains that we built, as

// opposed to the ones presented by the server.

verifiedChains [][]*x509.Certificate

// serverName contains the server name indicated by the client, if any.

serverName string

clientProtocol string

clientProtocolFallback bool

// input/output

// activeCall is an atomic int32; the low bit is whether Close has

// been called. the rest of the bits are the number of goroutines

return err

}

// prepareCipherSpec sets the encryption and MAC states

// that a subsequent changeCipherSpec will use.

func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) {

panic("TLS: sequence number wraparound")

}

// removePadding returns an unpadded slice, in constant time, which is a prefix

// of the input. It also returns a byte which is equal to 255 if the padding

// was valid and 0 otherwise. See RFC 2246, section 6.2.3.2

func (c *Conn) readRecord(want recordType) error {

// Caller must be in sync with connection:

// handshake data if handshake not yet completed,

switch want {

default:

c.sendAlert(alertInternalError)

case recordTypeHandshake, recordTypeChangeCipherSpec:

if c.handshakeComplete {

c.sendAlert(alertInternalError)

}

case recordTypeApplicationData:

if !c.handshakeComplete {

c.sendAlert(alertInternalError)

}

}

case recordTypeHandshake:

// TODO(rsc): Should at least pick off connection close.

return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation))

}

c.hand.Write(data)

c.tmp[0] = alertLevelError

}

c.tmp[1] = byte(err)

}

}

// sendAlert sends a TLS alert message.

return c.sendAlertLocked(err)

}

// c.out.Mutex <= L.

b := c.out.newBlock()

for len(data) > 0 {

explicitIVLen := 0

explicitIVIsSeq := false

explicitIVIsSeq = true

}

}

b.resize(recordHeaderLen + explicitIVLen + m)

b.data[0] = byte(typ)

vers := c.vers

if explicitIVIsSeq {

copy(explicitIV, c.out.seq[:])

} else {

}

}

}

copy(b.data[recordHeaderLen+explicitIVLen:], data)

c.out.encrypt(b, explicitIVLen)

}

n += m

data = data[m:]

}

if typ == recordTypeChangeCipherSpec {

}

}

}

// readHandshake reads the next handshake message from

data := c.hand.Bytes()

n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])

if n > maxHandshake {

}

for c.hand.Len() < 4+n {

if err := c.in.err; err != nil {

data = c.hand.Next(4 + n)

var m handshakeMessage

switch data[0] {

case typeClientHello:

m = new(clientHelloMsg)

case typeServerHello:

return m, nil

}

// Write writes data to the connection.

func (c *Conn) Write(b []byte) (int, error) {

var m int

if len(b) > 1 && c.vers <= VersionTLS10 {

if _, ok := c.out.cipher.(cipher.BlockMode); ok {

if err != nil {

return n, c.out.setErrorLocked(err)

}

}

}

return n + m, c.out.setErrorLocked(err)

}

// Read can be made to time out and return a net.Error with Timeout() == true

// after a fixed time limit; see SetDeadline and SetReadDeadline.

func (c *Conn) Read(b []byte) (n int, err error) {

// Soft error, like EAGAIN

return 0, err

}

}

if err := c.in.err; err != nil {

return 0, err

// Most uses of this package need not call Handshake

// explicitly: the first Read or Write will call it automatically.

func (c *Conn) Handshake() error {

c.handshakeMutex.Lock()

defer c.handshakeMutex.Unlock()

}

if c.isClient {

} else {

c.handshakeErr = c.serverHandshake()

}

return c.handshakeErr

}

state.SignedCertificateTimestamps = c.scts

state.OCSPResponse = c.ocspResponse

if !c.didResume {

}

}

}

// VerifyHostname checks that the peer certificate chain is valid for

// describing the problem.

func (c *Conn) VerifyHostname(host string) error {

c.handshakeMutex.Lock()

package tls

import (

"testing"

)

t.Errorf("foo.bar.baz.example.com returned certificate %d, not 0", n)

}

}

"io"

"net"

"strconv"

)

type clientHandshakeState struct {

session *ClientSessionState

}

func (c *Conn) clientHandshake() error {

if c.config == nil {

c.config = defaultConfig()

}

if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {

return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")

}

return errors.New("tls: NextProtos values too large")

}

}

}

possibleCipherSuites := c.config.cipherSuites()

if sessionCache != nil {

hello.ticketSupported = true

// Try to resume a previously negotiated TLS session, if

// available.

cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)

}

}

msg, err := c.readHandshake()

if err != nil {

hs.finishedHash.Write(hs.hello.marshal())

hs.finishedHash.Write(hs.serverHello.marshal())

if isResume {

if err := hs.establishKeys(); err != nil {

return err

if err := hs.readSessionTicket(); err != nil {

return err

}

return err

}

return err

}

} else {

if err := hs.establishKeys(); err != nil {

return err

}

return err

}

if err := hs.readSessionTicket(); err != nil {

return err

}

return err

}

}

}

hs.finishedHash.Write(certMsg.marshal())

}

}

}

}

}

if hs.serverHello.ocspStapling {

msg, err = c.readHandshake()

if err != nil {

skx, ok := msg.(*serverKeyExchangeMsg)

if ok {

hs.finishedHash.Write(skx.marshal())

if err != nil {

c.sendAlert(alertUnexpectedMessage)

return err

certMsg.certificates = chainToSend.Certificate

}

hs.finishedHash.Write(certMsg.marshal())

}

if err != nil {

c.sendAlert(alertInternalError)

return err

}

if ckx != nil {

hs.finishedHash.Write(ckx.marshal())

}

if chainToSend != nil {

}

hs.finishedHash.Write(certVerify.marshal())

}

hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)

return false, errors.New("tls: server selected unsupported compression format")

}

clientDidNPN := hs.hello.nextProtoNeg

clientDidALPN := len(hs.hello.alpnProtocols) > 0

serverHasNPN := hs.serverHello.nextProtoNeg

if !clientDidNPN && serverHasNPN {

c.sendAlert(alertHandshakeFailure)

}

if !clientDidALPN && serverHasALPN {

c.sendAlert(alertHandshakeFailure)

}

if serverHasNPN && serverHasALPN {

c.sendAlert(alertHandshakeFailure)

}

if serverHasALPN {

}

c.scts = hs.serverHello.scts

}

}

func (hs *clientHandshakeState) readFinished(out []byte) error {

c := hs.c

c.readRecord(recordTypeChangeCipherSpec)

}

msg, err := c.readHandshake()

func (hs *clientHandshakeState) sendFinished(out []byte) error {

c := hs.c

if hs.serverHello.nextProtoNeg {

nextProto := new(nextProtoMsg)

proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)

c.clientProtocolFallback = fallback

hs.finishedHash.Write(nextProto.marshal())

}

finished := new(finishedMsg)

finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)

hs.finishedHash.Write(finished.marshal())

copy(out, finished.verifyData)

return nil

}

return protos[0], true

}

"encoding/base64"

"encoding/binary"

"encoding/pem"

"fmt"

"io"

"net"

// Note: see comment in handshake_test.go for details of how the reference

// tests work.

return 0, io.EOF

}

// clientTest represents a test of the TLS client handshake against a reference

// implementation.

type clientTest struct {

// ConnectionState of the resulting connection. It returns a non-nil

// error if the ConnectionState is unacceptable.

validate func(ConnectionState) error

}

var defaultServerCommand = []string{"openssl", "s_server"}

// connFromCommand starts the reference server process, connects to it and

// Waiting for child.

cert := testRSACertificate

if len(test.cert) > 0 {

cert = test.cert

command = append(command, "-serverinfo", serverInfoPath)

}

cmd := exec.Command(command[0], command[1:]...)

cmd.Stdin = stdin

if err := cmd.Start(); err != nil {

}

// OpenSSL does print an "ACCEPT" banner, but it does so *before*

close(stdin)

out.WriteTo(os.Stdout)

cmd.Process.Kill()

}

record := &recordingConn{

Conn: tcpConn,

}

}

func (test *clientTest) dataPath() string {

var clientConn, serverConn net.Conn

var recordingConn *recordingConn

var childProcess *exec.Cmd

if write {

var err error

if err != nil {

t.Fatalf("Failed to start subcommand: %s", err)

}

doneChan := make(chan bool)

go func() {

if _, err := client.Write([]byte("hello\n")); err != nil {

t.Errorf("Client.Write failed: %s", err)

}

if test.validate != nil {

if err := test.validate(client.ConnectionState()); err != nil {

t.Errorf("validate callback returned error: %s", err)

}

}

}()

if !write {

}

func TestHandshakeClientCertRSA(t *testing.T) {

cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))

config.Certificates = []Certificate{cert}

test := &clientTest{

name: "ClientCert-RSA-RSA",

command: []string{"openssl", "s_server", "-cipher", "RC4-SHA", "-verify", "1"},

}

runClientTestTLS10(t, test)

test = &clientTest{

name: "ClientCert-RSA-ECDSA",

command: []string{"openssl", "s_server", "-cipher", "ECDHE-ECDSA-AES128-SHA", "-verify", "1"},

cert: testECDSACertificate,

key: testECDSAPrivateKey,

}

test = &clientTest{

name: "ClientCert-RSA-AES256-GCM-SHA384",

command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384", "-verify", "1"},

cert: testRSACertificate,

key: testRSAPrivateKey,

}

}

func TestHandshakeClientCertECDSA(t *testing.T) {

cert, _ := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM))

config.Certificates = []Certificate{cert}

test := &clientTest{

name: "ClientCert-ECDSA-RSA",

command: []string{"openssl", "s_server", "-cipher", "RC4-SHA", "-verify", "1"},

}

runClientTestTLS10(t, test)

test = &clientTest{

name: "ClientCert-ECDSA-ECDSA",

command: []string{"openssl", "s_server", "-cipher", "ECDHE-ECDSA-AES128-SHA", "-verify", "1"},

cert: testECDSACertificate,

key: testECDSAPrivateKey,

}

t.Fatalf("%s resumed: %v, expected: %v", test, hs.DidResume, didResume)

}

if didResume && (hs.PeerCertificates == nil || hs.VerifiedChains == nil) {

}

}

}

func TestHandshakeClientALPNMatch(t *testing.T) {

config.NextProtos = []string{"proto2", "proto1"}

test := &clientTest{

// Note that this needs OpenSSL 1.0.2 because that is the first

// version that supports the -alpn flag.

command: []string{"openssl", "s_server", "-alpn", "proto1,proto2"},

validate: func(state ConnectionState) error {

// The server's preferences should override the client.

if state.NegotiatedProtocol != "proto1" {

}

func TestHandshakeClientALPNNoMatch(t *testing.T) {

config.NextProtos = []string{"proto3"}

test := &clientTest{

// Note that this needs OpenSSL 1.0.2 because that is the first

// version that supports the -alpn flag.

command: []string{"openssl", "s_server", "-alpn", "proto1,proto2"},

validate: func(state ConnectionState) error {

// There's no overlap so OpenSSL will not select a protocol.

if state.NegotiatedProtocol != "" {

const sctsBase64 = "ABIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFHl5nuFgAABAMARjBEAiAcS4JdlW5nW9sElUv2zvQyPoZ6ejKrGGB03gjaBZFMLwIgc1Qbbn+hsH0RvObzhS+XZhr3iuQQJY8S9G85D9KeGPAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUeX4bVwAAAEAwBHMEUCIDIhFDgG2HIuADBkGuLobU5a4dlCHoJLliWJ1SYT05z6AiEAjxIoZFFPRNWMGGIjskOTMwXzQ1Wh2e7NxXE1kd1J0QsAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAUhcZIqHAAAEAwBHMEUCICmJ1rBT09LpkbzxtUC+Hi7nXLR0J+2PmwLp+sJMuqK+AiEAr0NkUnEVKVhAkccIFpYDqHOlZaBsuEhWWrYpg2RtKp0="

func TestHandshakClientSCTs(t *testing.T) {

scts, err := base64.StdEncoding.DecodeString(sctsBase64)

if err != nil {

// Note that this needs OpenSSL 1.0.2 because that is the first

// version that supports the -serverinfo flag.

command: []string{"openssl", "s_server"},

extensions: [][]byte{scts},

validate: func(state ConnectionState) error {

expectedSCTs := [][]byte{

runClientTestTLS12(t, test)

}

c, s := net.Pipe()

var header [5]byte

if _, err := io.ReadFull(s, header[:]); err != nil {

if _, err := io.ReadFull(s, record[:]); err != nil {

t.Fatal(err)

}

s.Close()

}

}

}

t.Fatalf("Expected error about unconfigured cipher suite but got %q", err)

}

}

import "bytes"

type clientHelloMsg struct {

}

func (m *clientHelloMsg) equal(i interface{}) bool {

m.ticketSupported == m1.ticketSupported &&

bytes.Equal(m.sessionTicket, m1.sessionTicket) &&

eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) &&

eqStrings(m.alpnProtocols, m1.alpnProtocols)

}

extensionsLength += 2 + 2*len(m.signatureAndHashes)

numExtensions++

}

numExtensions++

}

if len(m.alpnProtocols) > 0 {

z[4] = byte(l)

z = z[5:]

for _, pointFormat := range m.supportedPoints {

z = z[1:]

}

}

z = z[2:]

}

}

z[0] = byte(extensionRenegotiationInfo >> 8)

z[1] = byte(extensionRenegotiationInfo & 0xff)

z[2] = 0

z = z[5:]

}

if len(m.alpnProtocols) > 0 {

z[0] = byte(extensionALPN >> 8)

for i := 0; i < numCipherSuites; i++ {

m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])

if m.cipherSuites[i] == scsvRenegotiation {

}

}

data = data[2+cipherSuiteLen:]

d = d[2:]

}

case extensionRenegotiationInfo:

return false

}

case extensionALPN:

if length < 2 {

return false

}

type serverHelloMsg struct {

}

func (m *serverHelloMsg) equal(i interface{}) bool {

eqStrings(m.nextProtos, m1.nextProtos) &&

m.ocspStapling == m1.ocspStapling &&

m.ticketSupported == m1.ticketSupported &&

m.alpnProtocol == m1.alpnProtocol

}

if m.ticketSupported {

numExtensions++

}

numExtensions++

}

if alpnLen := len(m.alpnProtocol); alpnLen > 0 {

z := x[39+len(m.sessionId):]

z[0] = uint8(m.cipherSuite >> 8)

z[1] = uint8(m.cipherSuite)

z = z[3:]

if numExtensions > 0 {

z[1] = byte(extensionSessionTicket)

z = z[4:]

}

z[0] = byte(extensionRenegotiationInfo >> 8)

z[1] = byte(extensionRenegotiationInfo & 0xff)

z[2] = 0

z = z[5:]

}

if alpnLen := len(m.alpnProtocol); alpnLen > 0 {

z[0] = byte(extensionALPN >> 8)

}

m.ticketSupported = true

case extensionRenegotiationInfo:

return false

}

case extensionALPN:

d := data[:length]

if len(d) < 3 {

m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])

cas = cas[caLen:]

}

}

type certificateVerifyMsg struct {

return true

}

func eqUint16s(x, y []uint16) bool {

if len(x) != len(y) {

return false

}

// serverHandshake performs a TLS handshake as a server.

func (c *Conn) serverHandshake() error {

config := c.config

}

// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3

if isResume {

// The client has included a session ticket and so we do an abbreviated handshake.

if err := hs.doResumeHandshake(); err != nil {

return err

}

}

return err

}

if err := hs.readFinished(nil); err != nil {

return err

}

if err := hs.establishKeys(); err != nil {

return err

}

return err

}

if err := hs.sendSessionTicket(); err != nil {

return err

}

if err := hs.sendFinished(nil); err != nil {

return err

}

}

c.handshakeComplete = true

c.sendAlert(alertInternalError)

return false, err

}

hs.hello.compressionMethod = compressionNone

if len(hs.clientHello.serverName) > 0 {

c.serverName = hs.clientHello.serverName

}

}

CipherSuites: hs.clientHello.cipherSuites,

ServerName: hs.clientHello.serverName,

SupportedCurves: hs.clientHello.supportedCurves,

SupportedPoints: hs.clientHello.supportedPoints,

c.sendAlert(alertInternalError)

return false, err

}

hs.rsaSignOk = true

default:

c.sendAlert(alertInternalError)

}

}

if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {

hs.rsaDecryptOk = true

default:

c.sendAlert(alertInternalError)

}

}

return false, errors.New("tls: no cipher suite supported by both client and server")

}

for _, id := range hs.clientHello.cipherSuites {

if id == TLS_FALLBACK_SCSV {

// The client is doing a fallback connection.

return false

}

return false

}

hs.finishedHash.discardHandshakeBuffer()

hs.finishedHash.Write(hs.clientHello.marshal())

hs.finishedHash.Write(hs.hello.marshal())

if len(hs.sessionState.certificates) > 0 {

if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {

}

hs.finishedHash.Write(hs.clientHello.marshal())

hs.finishedHash.Write(hs.hello.marshal())

certMsg := new(certificateMsg)

certMsg.certificates = hs.cert.Certificate

hs.finishedHash.Write(certMsg.marshal())

if hs.hello.ocspStapling {

certStatus := new(certificateStatusMsg)

certStatus.statusType = statusTypeOCSP

certStatus.response = hs.cert.OCSPStaple

hs.finishedHash.Write(certStatus.marshal())

}

keyAgreement := hs.suite.ka(c.vers)

}

if skx != nil {

hs.finishedHash.Write(skx.marshal())

}

if config.ClientAuth >= RequestClientCert {

certReq.certificateAuthorities = config.ClientCAs.Subjects()

}

hs.finishedHash.Write(certReq.marshal())

}

helloDone := new(serverHelloDoneMsg)

hs.finishedHash.Write(helloDone.marshal())

var pub crypto.PublicKey // public key for client auth, if any

// If we received a client cert in response to our certificate request message,

// the client will send us a certificateVerifyMsg immediately after the

// handshake-layer messages that is signed using the private key corresponding

// to the client's certificate. This allows us to verify that the client is in

// possession of the private key of the certificate.

switch key := pub.(type) {

case *ecdsa.PublicKey:

if signatureAndHash.signature != signatureECDSA {

break

}

ecdsaSig := new(ecdsaSignature)

break

}

if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

break

}

var digest []byte

break

}

if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {

}

case *rsa.PublicKey:

if signatureAndHash.signature != signatureRSA {

break

}

var digest []byte

c := hs.c

c.readRecord(recordTypeChangeCipherSpec)

}

if hs.hello.nextProtoNeg {

}

hs.finishedHash.Write(m.marshal())

return nil

}

func (hs *serverHandshakeState) sendFinished(out []byte) error {

c := hs.c

finished := new(finishedMsg)

finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)

hs.finishedHash.Write(finished.marshal())

c.cipherSuite = hs.suite.id

copy(out, finished.verifyData)

c.verifiedChains = chains

}

}

}

// setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState

func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) {

// Create in-memory network connection,

// expected error.

c, s := net.Pipe()

go func() {

cli.writeRecord(recordTypeHandshake, m.marshal())

c.Close()

}()

s.Close()

if len(expectedSubStr) == 0 {

if err != nil && err != io.EOF {

func TestNoSuiteOverlap(t *testing.T) {

clientHello := &clientHelloMsg{

cipherSuites: []uint16{0xff00},

}

testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server")

}

func TestNoCompressionOverlap(t *testing.T) {

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},

compressionMethods: []uint8{0xff},

}

func TestNoRC4ByDefault(t *testing.T) {

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},

}

// Reset the enabled cipher suites to nil in order to test the

// defaults.

serverConfig.CipherSuites = nil

}

func TestDontSelectECDSAWithRSAKey(t *testing.T) {

// Test that, even when both sides support an ECDSA cipher suite, it

// won't be selected if the server's private key doesn't support it.

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},

supportedCurves: []CurveID{CurveP256},

supportedPoints: []uint8{pointFormatUncompressed},

}

serverConfig.CipherSuites = clientHello.cipherSuites

serverConfig.Certificates = make([]Certificate, 1)

serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}

serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey

serverConfig.BuildNameToCertificate()

// First test that it *does* work when the server's key is ECDSA.

// Now test that switching to an RSA key causes the expected error (and

// not an internal error about a signing failure).

serverConfig.Certificates = testConfig.Certificates

}

func TestDontSelectRSAWithECDSAKey(t *testing.T) {

// Test that, even when both sides support an RSA cipher suite, it

// won't be selected if the server's private key doesn't support it.

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},

supportedCurves: []CurveID{CurveP256},

supportedPoints: []uint8{pointFormatUncompressed},

}

serverConfig.CipherSuites = clientHello.cipherSuites

// First test that it *does* work when the server's key is RSA.

// Now test that switching to an ECDSA key causes the expected error

// (and not an internal error about a signing failure).

serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}

serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey

serverConfig.BuildNameToCertificate()

}

func TestRenegotiationExtension(t *testing.T) {

clientHello := &clientHelloMsg{

}

var buf []byte

t.Fatalf("Failed to parse ServerHello")

}

t.Errorf("Secure renegotiation extension was not echoed.")

}

}

reply, clientErr = cli.readHandshake()

c.Close()

}()

config.CipherSuites = clientHello.cipherSuites

s.Close()

if clientErr != nil {

t.Fatal(clientErr)

}

}

// Note: see comment in handshake_test.go for details of how the reference

// tests work.

server := Server(serverConn, config)

connStateChan := make(chan ConnectionState, 1)

go func() {

if len(test.expectHandshakeErrorIncluding) > 0 {

if err == nil {

t.Errorf("Error expected, but no error returned")

} else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) {

t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s)

}

}

server.Close()

serverConn.Close()

}

func TestHandshakeServerECDHEECDSAAES(t *testing.T) {

config.Certificates = make([]Certificate, 1)

config.Certificates[0].Certificate = [][]byte{testECDSACertificate}

config.Certificates[0].PrivateKey = testECDSAPrivateKey

test := &serverTest{

name: "ECDHE-ECDSA-AES",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA"},

}

runServerTestTLS10(t, test)

runServerTestTLS12(t, test)

}

func TestHandshakeServerALPN(t *testing.T) {

config.NextProtos = []string{"proto1", "proto2"}

test := &serverTest{

// Note that this needs OpenSSL 1.0.2 because that is the first

// version that supports the -alpn flag.

command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},

validate: func(state ConnectionState) error {

// The server's preferences should override the client.

if state.NegotiatedProtocol != "proto1" {

}

func TestHandshakeServerALPNNoMatch(t *testing.T) {

config.NextProtos = []string{"proto3"}

test := &serverTest{

// Note that this needs OpenSSL 1.0.2 because that is the first

// version that supports the -alpn flag.

command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},

validate: func(state ConnectionState) error {

// Rather than reject the connection, Go doesn't select

// a protocol when there is no overlap.

// TestHandshakeServerSNICertForName is similar to TestHandshakeServerSNI, but

// tests the dynamic GetCertificate method

func TestHandshakeServerSNIGetCertificate(t *testing.T) {

// Replace the NameToCertificate map with a GetCertificate function

nameToCert := config.NameToCertificate

test := &serverTest{

name: "SNI-GetCertificate",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},

}

runServerTestTLS12(t, test)

}

// GetCertificate method doesn't return a cert, we fall back to what's in

// the NameToCertificate map.

func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {

config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {

return nil, nil

test := &serverTest{

name: "SNI-GetCertificateNotFound",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"},

}

runServerTestTLS12(t, test)

}

func TestHandshakeServerSNIGetCertificateError(t *testing.T) {

const errMsg = "TestHandshakeServerSNIGetCertificateError error"

serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {

return nil, errors.New(errMsg)

}

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},

serverName: "test",

}

}

// TestHandshakeServerEmptyCertificates tests that GetCertificates is called in

func TestHandshakeServerEmptyCertificates(t *testing.T) {

const errMsg = "TestHandshakeServerEmptyCertificates error"

serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) {

return nil, errors.New(errMsg)

}

serverConfig.Certificates = nil

clientHello := &clientHelloMsg{

cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},

}

// With an empty Certificates and a nil GetCertificate, the server

// should always return a “no certificates” error.

serverConfig.GetCertificate = nil

clientHello = &clientHelloMsg{

cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},

}

}

// TestCipherSuiteCertPreferance ensures that we select an RSA ciphersuite with

// an RSA certificate and an ECDSA ciphersuite with an ECDSA certificate.

func TestCipherSuiteCertPreferenceECDSA(t *testing.T) {

config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}

config.PreferServerCipherSuites = true

test := &serverTest{

name: "CipherSuiteCertPreferenceRSA",

}

runServerTestTLS12(t, test)

config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}

config.Certificates = []Certificate{

{

test = &serverTest{

name: "CipherSuiteCertPreferenceECDSA",

}

runServerTestTLS12(t, test)

}

sessionFilePath := tempFile("")

defer os.Remove(sessionFilePath)

test := &serverTest{

name: "IssueTicketPreDisable",

command: []string{"openssl", "s_client", "-cipher", "RC4-SHA", "-sess_out", sessionFilePath},

}

runServerTestTLS12(t, test)

test = &serverTest{

name: "ResumeDisabled",

command: []string{"openssl", "s_client", "-cipher", "RC4-SHA", "-sess_in", sessionFilePath},

}

runServerTestTLS12(t, test)

}

func TestFallbackSCSV(t *testing.T) {

Certificates: testConfig.Certificates,

}

test := &serverTest{

name: "FallbackSCSV",

// OpenSSL 1.0.1j is needed for the -fallback_scsv option.

command: []string{"openssl", "s_client", "-fallback_scsv"},

expectHandshakeErrorIncluding: "inappropriate protocol fallback",

defer os.Remove(ecdsaKeyPath)

}

config.ClientAuth = RequestClientCert

test := &serverTest{

name: "ClientAuthRequestedNotGiven",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"},

}

runServerTestTLS12(t, test)

test = &serverTest{

name: "ClientAuthRequestedAndGiven",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA", "-cert", certPath, "-key", keyPath},

expectedPeerCerts: []string{clientCertificatePEM},

}

runServerTestTLS12(t, test)

test = &serverTest{

name: "ClientAuthRequestedAndECDSAGiven",

command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA", "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},

expectedPeerCerts: []string{clientECDSACertificatePEM},

}

runServerTestTLS12(t, test)

if err != nil {

return nil, err

}

// by checking it, we would leak information about the validity of the

// encrypted pre-master secret. Secondly, it provides only a small

// benefit against a downgrade attack and some implementations send the

case signatureECDSA:

_, ok := priv.Public().(*ecdsa.PublicKey)

if !ok {

}

case signatureRSA:

_, ok := priv.Public().(*rsa.PublicKey)

if !ok {

}

default:

}

sig, err = priv.Sign(config.rand(), digest, hashFunc)

if err != nil {

}

skx := new(serverKeyExchangeMsg)

case signatureECDSA:

pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)

if !ok {

}

ecdsaSig := new(ecdsaSignature)

if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {

return err

}

if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

}

if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {

}

case signatureRSA:

pubKey, ok := cert.PublicKey.(*rsa.PublicKey)

if !ok {

}

if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {

return err

}

default:

}

return nil

func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

if ka.curve == nil {

}

priv, mx, my, err := elliptic.GenerateKey(ka.curve, config.rand())

if err != nil {

done := 0

i := 0

// bytes. Since no more ciphersuites will be added to SSLv3, this will

// remain true. Each iteration gives us 16 bytes so 10 iterations will

// be sufficient.