[dev.boringcrypto] all: merge master into dev.boringcrypto

Change-Id: I2dcec316fd08d91db4183fb9d3b9afde65cc248f

alert.go

@@ -15,63 +15,75 @@ const (
 )
 
 const (
-	alertCloseNotify            alert = 0
-	alertUnexpectedMessage      alert = 10
-	alertBadRecordMAC           alert = 20
-	alertDecryptionFailed       alert = 21
-	alertRecordOverflow         alert = 22
-	alertDecompressionFailure   alert = 30
-	alertHandshakeFailure       alert = 40
-	alertBadCertificate         alert = 42
-	alertUnsupportedCertificate alert = 43
-	alertCertificateRevoked     alert = 44
-	alertCertificateExpired     alert = 45
-	alertCertificateUnknown     alert = 46
-	alertIllegalParameter       alert = 47
-	alertUnknownCA              alert = 48
-	alertAccessDenied           alert = 49
-	alertDecodeError            alert = 50
-	alertDecryptError           alert = 51
-	alertProtocolVersion        alert = 70
-	alertInsufficientSecurity   alert = 71
-	alertInternalError          alert = 80
-	alertInappropriateFallback  alert = 86
-	alertUserCanceled           alert = 90
-	alertNoRenegotiation        alert = 100
-	alertMissingExtension       alert = 109
-	alertUnsupportedExtension   alert = 110
-	alertUnrecognizedName       alert = 112
-	alertNoApplicationProtocol  alert = 120
+	alertCloseNotify                  alert = 0
+	alertUnexpectedMessage            alert = 10
+	alertBadRecordMAC                 alert = 20
+	alertDecryptionFailed             alert = 21
+	alertRecordOverflow               alert = 22
+	alertDecompressionFailure         alert = 30
+	alertHandshakeFailure             alert = 40
+	alertBadCertificate               alert = 42
+	alertUnsupportedCertificate       alert = 43
+	alertCertificateRevoked           alert = 44
+	alertCertificateExpired           alert = 45
+	alertCertificateUnknown           alert = 46
+	alertIllegalParameter             alert = 47
+	alertUnknownCA                    alert = 48
+	alertAccessDenied                 alert = 49
+	alertDecodeError                  alert = 50
+	alertDecryptError                 alert = 51
+	alertExportRestriction            alert = 60
+	alertProtocolVersion              alert = 70
+	alertInsufficientSecurity         alert = 71
+	alertInternalError                alert = 80
+	alertInappropriateFallback        alert = 86
+	alertUserCanceled                 alert = 90
+	alertNoRenegotiation              alert = 100
+	alertMissingExtension             alert = 109
+	alertUnsupportedExtension         alert = 110
+	alertCertificateUnobtainable      alert = 111
+	alertUnrecognizedName             alert = 112
+	alertBadCertificateStatusResponse alert = 113
+	alertBadCertificateHashValue      alert = 114
+	alertUnknownPSKIdentity           alert = 115
+	alertCertificateRequired          alert = 116
+	alertNoApplicationProtocol        alert = 120
 )
 
 var alertText = map[alert]string{
-	alertCloseNotify:            "close notify",
-	alertUnexpectedMessage:      "unexpected message",
-	alertBadRecordMAC:           "bad record MAC",
-	alertDecryptionFailed:       "decryption failed",
-	alertRecordOverflow:         "record overflow",
-	alertDecompressionFailure:   "decompression failure",
-	alertHandshakeFailure:       "handshake failure",
-	alertBadCertificate:         "bad certificate",
-	alertUnsupportedCertificate: "unsupported certificate",
-	alertCertificateRevoked:     "revoked certificate",
-	alertCertificateExpired:     "expired certificate",
-	alertCertificateUnknown:     "unknown certificate",
-	alertIllegalParameter:       "illegal parameter",
-	alertUnknownCA:              "unknown certificate authority",
-	alertAccessDenied:           "access denied",
-	alertDecodeError:            "error decoding message",
-	alertDecryptError:           "error decrypting message",
-	alertProtocolVersion:        "protocol version not supported",
-	alertInsufficientSecurity:   "insufficient security level",
-	alertInternalError:          "internal error",
-	alertInappropriateFallback:  "inappropriate fallback",
-	alertUserCanceled:           "user canceled",
-	alertNoRenegotiation:        "no renegotiation",
-	alertMissingExtension:       "missing extension",
-	alertUnsupportedExtension:   "unsupported extension",
-	alertUnrecognizedName:       "unrecognized name",
-	alertNoApplicationProtocol:  "no application protocol",
+	alertCloseNotify:                  "close notify",
+	alertUnexpectedMessage:            "unexpected message",
+	alertBadRecordMAC:                 "bad record MAC",
+	alertDecryptionFailed:             "decryption failed",
+	alertRecordOverflow:               "record overflow",
+	alertDecompressionFailure:         "decompression failure",
+	alertHandshakeFailure:             "handshake failure",
+	alertBadCertificate:               "bad certificate",
+	alertUnsupportedCertificate:       "unsupported certificate",
+	alertCertificateRevoked:           "revoked certificate",
+	alertCertificateExpired:           "expired certificate",
+	alertCertificateUnknown:           "unknown certificate",
+	alertIllegalParameter:             "illegal parameter",
+	alertUnknownCA:                    "unknown certificate authority",
+	alertAccessDenied:                 "access denied",
+	alertDecodeError:                  "error decoding message",
+	alertDecryptError:                 "error decrypting message",
+	alertExportRestriction:            "export restriction",
+	alertProtocolVersion:              "protocol version not supported",
+	alertInsufficientSecurity:         "insufficient security level",
+	alertInternalError:                "internal error",
+	alertInappropriateFallback:        "inappropriate fallback",
+	alertUserCanceled:                 "user canceled",
+	alertNoRenegotiation:              "no renegotiation",
+	alertMissingExtension:             "missing extension",
+	alertUnsupportedExtension:         "unsupported extension",
+	alertCertificateUnobtainable:      "certificate unobtainable",
+	alertUnrecognizedName:             "unrecognized name",
+	alertBadCertificateStatusResponse: "bad certificate status response",
+	alertBadCertificateHashValue:      "bad certificate hash value",
+	alertUnknownPSKIdentity:           "unknown PSK identity",
+	alertCertificateRequired:          "certificate required",
+	alertNoApplicationProtocol:        "no application protocol",
 }
 
 func (e alert) String() string {

auth.go

@@ -11,7 +11,6 @@ import (
 	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/rsa"
-	"encoding/asn1"
 	"errors"
 	"fmt"
 	"hash"
@@ -27,14 +26,7 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c
 		if !ok {
 			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
 		}
-		ecdsaSig := new(ecdsaSignature)
-		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
-			return err
-		}
-		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
-			return errors.New("ECDSA signature contained zero or negative values")
-		}
-		if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) {
+		if !ecdsa.VerifyASN1(pubKey, signed, sig) {
 			return errors.New("ECDSA verification failure")
 		}
 	case signatureEd25519:
@@ -114,7 +106,7 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType
 	case Ed25519:
 		sigType = signatureEd25519
 	default:
-		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
+		return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
 	}
 	switch signatureAlgorithm {
 	case PKCS1WithSHA1, ECDSAWithSHA1:
@@ -128,7 +120,7 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType
 	case Ed25519:
 		hash = directSigning
 	default:
-		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
+		return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
 	}
 	return sigType, hash, nil
 }
@@ -153,6 +145,25 @@ func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash c
 	}
 }
 
+var rsaSignatureSchemes = []struct {
+	scheme          SignatureScheme
+	minModulusBytes int
+	maxVersion      uint16
+}{
+	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
+	//    emLen >= hLen + sLen + 2
+	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
+	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
+	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
+	// PKCS#1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
+	//    emLen >= len(prefix) + hLen + 11
+	// TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
+	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
+	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
+}
+
 // signatureSchemesForCertificate returns the list of supported SignatureSchemes
 // for a given certificate, based on the public key and the protocol version,
 // and optionally filtered by its explicit SupportedSignatureAlgorithms.
@@ -189,23 +200,12 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
 			return nil
 		}
 	case *rsa.PublicKey:
-		if version != VersionTLS13 {
-			sigAlgs = []SignatureScheme{
-				PSSWithSHA256,
-				PSSWithSHA384,
-				PSSWithSHA512,
-				PKCS1WithSHA256,
-				PKCS1WithSHA384,
-				PKCS1WithSHA512,
-				PKCS1WithSHA1,
+		size := pub.Size()
+		sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
+		for _, candidate := range rsaSignatureSchemes {
+			if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
+				sigAlgs = append(sigAlgs, candidate.scheme)
 			}
-			break
-		}
-		// TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
-		sigAlgs = []SignatureScheme{
-			PSSWithSHA256,
-			PSSWithSHA384,
-			PSSWithSHA512,
 		}
 	case ed25519.PublicKey:
 		sigAlgs = []SignatureScheme{Ed25519}
@@ -278,6 +278,7 @@ func unsupportedCertificateError(cert *Certificate) error {
 			return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
 		}
 	case *rsa.PublicKey:
+		return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
 	case ed25519.PublicKey:
 	default:
 		return fmt.Errorf("tls: unsupported certificate key (%T)", pub)

auth_test.go

@@ -62,7 +62,7 @@ func TestSignatureSelection(t *testing.T) {
 			t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err)
 		}
 		if test.expectedSigAlg != sigAlg {
-			t.Errorf("test[%d]: expected signature scheme %#x, got %#x", testNo, test.expectedSigAlg, sigAlg)
+			t.Errorf("test[%d]: expected signature scheme %v, got %v", testNo, test.expectedSigAlg, sigAlg)
 		}
 		sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg)
 		if err != nil {
@@ -108,12 +108,14 @@ func TestSignatureSelection(t *testing.T) {
 		{rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
 		{pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13},
 		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
+		// The key can be too small for the hash.
+		{rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12},
 	}
 
 	for testNo, test := range badTests {
 		sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
 		if err == nil {
-			t.Errorf("test[%d]: unexpected success, got %#x", testNo, sigAlg)
+			t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg)
 		}
 	}
 }
@@ -127,7 +129,7 @@ func TestLegacyTypeAndHash(t *testing.T) {
 		t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType)
 	}
 	if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc {
-		t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, sigType)
+		t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
 	}
 
 	sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public())
@@ -138,7 +140,7 @@ func TestLegacyTypeAndHash(t *testing.T) {
 		t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType)
 	}
 	if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc {
-		t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, sigType)
+		t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
 	}
 
 	// Ed25519 is not supported by TLS 1.0 and 1.1.
@@ -154,13 +156,13 @@ func TestSupportedSignatureAlgorithms(t *testing.T) {
 	for _, sigAlg := range supportedSignatureAlgorithms() {
 		sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
 		if err != nil {
-			t.Errorf("%#04x: unexpected error: %v", sigAlg, err)
+			t.Errorf("%v: unexpected error: %v", sigAlg, err)
 		}
 		if sigType == 0 {
-			t.Errorf("%#04x: missing signature type", sigAlg)
+			t.Errorf("%v: missing signature type", sigAlg)
 		}
 		if hash == 0 && sigAlg != Ed25519 {
-			t.Errorf("%#04x: missing hash", sigAlg)
+			t.Errorf("%v: missing hash", sigAlg)
 		}
 	}
 }

common.go

@@ -19,7 +19,6 @@ import (
 	"fmt"
 	"internal/cpu"
 	"io"
-	"math/big"
 	"net"
 	"strings"
 	"sync"
@@ -100,7 +99,6 @@ const (
 	extensionCertificateAuthorities  uint16 = 47
 	extensionSignatureAlgorithmsCert uint16 = 50
 	extensionKeyShare                uint16 = 51
-	extensionNextProtoNeg            uint16 = 13172 // not IANA assigned
 	extensionRenegotiationInfo       uint16 = 0xff01
 )
 
@@ -301,6 +299,8 @@ type ClientSessionCache interface {
 	Put(sessionKey string, cs *ClientSessionState)
 }
 
+//go:generate stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go
+
 // SignatureScheme identifies a signature algorithm supported by TLS. See
 // RFC 8446, Section 4.2.3.
 type SignatureScheme uint16
@@ -549,7 +549,7 @@ type Config struct {
 	// server's certificate chain and host name.
 	// If InsecureSkipVerify is true, TLS accepts any certificate
 	// presented by the server and any host name in that certificate.
-	// In this mode, TLS is susceptible to man-in-the-middle attacks.
+	// In this mode, TLS is susceptible to machine-in-the-middle attacks.
 	// This should be used only for testing.
 	InsecureSkipVerify bool
 
@@ -1274,13 +1274,6 @@ func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
 	return nil, false
 }
 
-// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
-type dsaSignature struct {
-	R, S *big.Int
-}
-
-type ecdsaSignature dsaSignature
-
 var emptyConfig Config
 
 func defaultConfig() *Config {

common_string.go

@@ -0,0 +1,116 @@
+// Code generated by "stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go"; DO NOT EDIT.
+
+package tls
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[PKCS1WithSHA256-1025]
+	_ = x[PKCS1WithSHA384-1281]
+	_ = x[PKCS1WithSHA512-1537]
+	_ = x[PSSWithSHA256-2052]
+	_ = x[PSSWithSHA384-2053]
+	_ = x[PSSWithSHA512-2054]
+	_ = x[ECDSAWithP256AndSHA256-1027]
+	_ = x[ECDSAWithP384AndSHA384-1283]
+	_ = x[ECDSAWithP521AndSHA512-1539]
+	_ = x[Ed25519-2055]
+	_ = x[PKCS1WithSHA1-513]
+	_ = x[ECDSAWithSHA1-515]
+}
+
+const (
+	_SignatureScheme_name_0 = "PKCS1WithSHA1"
+	_SignatureScheme_name_1 = "ECDSAWithSHA1"
+	_SignatureScheme_name_2 = "PKCS1WithSHA256"
+	_SignatureScheme_name_3 = "ECDSAWithP256AndSHA256"
+	_SignatureScheme_name_4 = "PKCS1WithSHA384"
+	_SignatureScheme_name_5 = "ECDSAWithP384AndSHA384"
+	_SignatureScheme_name_6 = "PKCS1WithSHA512"
+	_SignatureScheme_name_7 = "ECDSAWithP521AndSHA512"
+	_SignatureScheme_name_8 = "PSSWithSHA256PSSWithSHA384PSSWithSHA512Ed25519"
+)
+
+var (
+	_SignatureScheme_index_8 = [...]uint8{0, 13, 26, 39, 46}
+)
+
+func (i SignatureScheme) String() string {
+	switch {
+	case i == 513:
+		return _SignatureScheme_name_0
+	case i == 515:
+		return _SignatureScheme_name_1
+	case i == 1025:
+		return _SignatureScheme_name_2
+	case i == 1027:
+		return _SignatureScheme_name_3
+	case i == 1281:
+		return _SignatureScheme_name_4
+	case i == 1283:
+		return _SignatureScheme_name_5
+	case i == 1537:
+		return _SignatureScheme_name_6
+	case i == 1539:
+		return _SignatureScheme_name_7
+	case 2052 <= i && i <= 2055:
+		i -= 2052
+		return _SignatureScheme_name_8[_SignatureScheme_index_8[i]:_SignatureScheme_index_8[i+1]]
+	default:
+		return "SignatureScheme(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+}
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[CurveP256-23]
+	_ = x[CurveP384-24]
+	_ = x[CurveP521-25]
+	_ = x[X25519-29]
+}
+
+const (
+	_CurveID_name_0 = "CurveP256CurveP384CurveP521"
+	_CurveID_name_1 = "X25519"
+)
+
+var (
+	_CurveID_index_0 = [...]uint8{0, 9, 18, 27}
+)
+
+func (i CurveID) String() string {
+	switch {
+	case 23 <= i && i <= 25:
+		i -= 23
+		return _CurveID_name_0[_CurveID_index_0[i]:_CurveID_index_0[i+1]]
+	case i == 29:
+		return _CurveID_name_1
+	default:
+		return "CurveID(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+}
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[NoClientCert-0]
+	_ = x[RequestClientCert-1]
+	_ = x[RequireAnyClientCert-2]
+	_ = x[VerifyClientCertIfGiven-3]
+	_ = x[RequireAndVerifyClientCert-4]
+}
+
+const _ClientAuthType_name = "NoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCert"
+
+var _ClientAuthType_index = [...]uint8{0, 12, 29, 49, 72, 98}
+
+func (i ClientAuthType) String() string {
+	if i < 0 || i >= ClientAuthType(len(_ClientAuthType_index)-1) {
+		return "ClientAuthType(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _ClientAuthType_name[_ClientAuthType_index[i]:_ClientAuthType_index[i+1]]
+}

conn.go

@@ -1344,7 +1344,7 @@ func (c *Conn) Handshake() error {
 	if c.handshakeErr == nil {
 		c.handshakes++
 	} else {
-		// If an error occurred during the hadshake try to flush the
+		// If an error occurred during the handshake try to flush the
 		// alert that might be left in the buffer.
 		c.flush()
 	}

example_test.go

@@ -30,29 +30,28 @@ func ExampleDial() {
 	// Connecting with a custom root-certificate set.
 
 	const rootPEM = `
+-- GlobalSign Root R2, valid until Dec 15, 2021
 -----BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
-EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
-bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
-VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
-h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
-ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
-EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
-DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
-qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
-VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
-K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
-KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
-ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
-BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
-/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
-zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
-HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
-WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
-yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
 -----END CERTIFICATE-----`
 
 	// First, create the set of root certificates. For this example we only

handshake_client.go

@@ -844,14 +844,6 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 	return nil
 }
 
-// tls11SignatureSchemes contains the signature schemes that we synthesise for
-// a TLS <= 1.1 connection, based on the supported certificate types.
-var (
-	tls11SignatureSchemes      = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1}
-	tls11SignatureSchemesECDSA = tls11SignatureSchemes[:3]
-	tls11SignatureSchemesRSA   = tls11SignatureSchemes[3:]
-)
-
 // certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS
 // <= 1.2 CertificateRequest, making an effort to fill in missing information.
 func certificateRequestInfoFromMsg(vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo {
@@ -871,17 +863,25 @@ func certificateRequestInfoFromMsg(vers uint16, certReq *certificateRequestMsg)
 	}
 
 	if !certReq.hasSignatureAlgorithm {
-		// Prior to TLS 1.2, the signature schemes were not
-		// included in the certificate request message. In this
-		// case we use a plausible list based on the acceptable
-		// certificate types.
+		// Prior to TLS 1.2, signature schemes did not exist. In this case we
+		// make up a list based on the acceptable certificate types, to help
+		// GetClientCertificate and SupportsCertificate select the right certificate.
+		// The hash part of the SignatureScheme is a lie here, because
+		// TLS 1.0 and 1.1 always use MD5+SHA1 for RSA and SHA1 for ECDSA.
 		switch {
 		case rsaAvail && ecAvail:
-			cri.SignatureSchemes = tls11SignatureSchemes
+			cri.SignatureSchemes = []SignatureScheme{
+				ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
+				PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
+			}
 		case rsaAvail:
-			cri.SignatureSchemes = tls11SignatureSchemesRSA
+			cri.SignatureSchemes = []SignatureScheme{
+				PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
+			}
 		case ecAvail:
-			cri.SignatureSchemes = tls11SignatureSchemesECDSA
+			cri.SignatureSchemes = []SignatureScheme{
+				ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
+			}
 		}
 		return cri
 	}

handshake_client_test.go

@@ -1748,7 +1748,7 @@ func TestHandshakeRace(t *testing.T) {
 
 		startWrite := make(chan struct{})
 		startRead := make(chan struct{})
-		readDone := make(chan struct{})
+		readDone := make(chan struct{}, 1)
 
 		client := Client(c, testConfig)
 		go func() {

handshake_server.go

@@ -241,7 +241,7 @@ func (hs *serverHandshakeState) processClientHello() error {
 	hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
 
 	if hs.ecdheOk {
-		// Although omiting the ec_point_formats extension is permitted, some
+		// Although omitting the ec_point_formats extension is permitted, some
 		// old OpenSSL version will refuse to handshake if not present.
 		//
 		// Per RFC 4492, section 5.1.2, implementations MUST support the

handshake_server_test.go

@@ -182,7 +182,7 @@ func TestRenegotiationExtension(t *testing.T) {
 		cipherSuites:                 []uint16{TLS_RSA_WITH_RC4_128_SHA},
 	}
 
-	bufChan := make(chan []byte)
+	bufChan := make(chan []byte, 1)
 	c, s := localPipe(t)
 
 	go func() {
@@ -274,7 +274,7 @@ func TestTLS12OnlyCipherSuites(t *testing.T) {
 }
 
 func TestTLSPointFormats(t *testing.T) {
-	// Test that a Server returns the ec_point_format extention when ECC is
+	// Test that a Server returns the ec_point_format extension when ECC is
 	// negotiated, and not returned on RSA handshake.
 	tests := []struct {
 		name                string
@@ -575,11 +575,12 @@ func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd,
 		return nil, nil, err
 	}
 
-	connChan := make(chan interface{})
+	connChan := make(chan interface{}, 1)
 	go func() {
 		tcpConn, err := l.Accept()
 		if err != nil {
 			connChan <- err
+			return
 		}
 		connChan <- tcpConn
 	}()
@@ -1180,12 +1181,22 @@ func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
 }
 
 func TestHandshakeServerRSAPSS(t *testing.T) {
+	// We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we
+	// verify the server implementation will disregard the client preference in
+	// that case. See Issue 29793.
 	test := &serverTest{
 		name:    "RSA-RSAPSS",
-		command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
+		command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
 	}
 	runServerTestTLS12(t, test)
 	runServerTestTLS13(t, test)
+
+	test = &serverTest{
+		name:                          "RSA-RSAPSS-TooSmall",
+		command:                       []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512"},
+		expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
+	}
+	runServerTestTLS13(t, test)
 }
 
 func TestHandshakeServerEd25519(t *testing.T) {
@@ -1637,7 +1648,7 @@ T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
 		config.MinVersion = VersionTLS13
 		server := Server(serverConn, config)
 		err := server.Handshake()
-		expectError(t, err, "key size too small for PSS signature")
+		expectError(t, err, "key size too small")
 		close(done)
 	}()
 	err = client.Handshake()

handshake_test.go

@@ -275,9 +275,9 @@ Dialing:
 		var c1 net.Conn
 		c1, err = net.Dial(addr.Network(), addr.String())
 		if err != nil {
-			if runtime.GOOS == "dragonfly" && isConnRefused(err) {
-				// golang.org/issue/29583: Dragonfly sometimes returned a spurious
-				// ECONNREFUSED.
+			if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) {
+				// golang.org/issue/29583: Dragonfly sometimes returns a spurious
+				// ECONNREFUSED or ETIMEDOUT.
 				<-tooSlow.C
 				continue
 			}

key_schedule.go

@@ -7,14 +7,14 @@ package tls
 import (
 	"crypto/elliptic"
 	"crypto/hmac"
-	"crypto/subtle"
 	"errors"
-	"golang.org/x/crypto/cryptobyte"
-	"golang.org/x/crypto/curve25519"
-	"golang.org/x/crypto/hkdf"
 	"hash"
 	"io"
 	"math/big"
+
+	"golang.org/x/crypto/cryptobyte"
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/hkdf"
 )
 
 // This file contains the functions necessary to compute the TLS 1.3 key
@@ -111,12 +111,15 @@ type ecdheParameters interface {
 
 func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) {
 	if curveID == X25519 {
-		p := &x25519Parameters{}
-		if _, err := io.ReadFull(rand, p.privateKey[:]); err != nil {
+		privateKey := make([]byte, curve25519.ScalarSize)
+		if _, err := io.ReadFull(rand, privateKey); err != nil {
 			return nil, err
 		}
-		curve25519.ScalarBaseMult(&p.publicKey, &p.privateKey)
-		return p, nil
+		publicKey, err := curve25519.X25519(privateKey, curve25519.Basepoint)
+		if err != nil {
+			return nil, err
+		}
+		return &x25519Parameters{privateKey: privateKey, publicKey: publicKey}, nil
 	}
 
 	curve, ok := curveForCurveID(curveID)
@@ -178,8 +181,8 @@ func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
 }
 
 type x25519Parameters struct {
-	privateKey [32]byte
-	publicKey  [32]byte
+	privateKey []byte
+	publicKey  []byte
 }
 
 func (p *x25519Parameters) CurveID() CurveID {
@@ -191,19 +194,9 @@ func (p *x25519Parameters) PublicKey() []byte {
 }
 
 func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte {
-	if len(peerPublicKey) != 32 {
+	sharedKey, err := curve25519.X25519(p.privateKey, peerPublicKey)
+	if err != nil {
 		return nil
 	}
-
-	var theirPublicKey, sharedKey [32]byte
-	copy(theirPublicKey[:], peerPublicKey)
-	curve25519.ScalarMult(&sharedKey, &p.privateKey, &theirPublicKey)
-
-	// Check for low-order inputs. See RFC 8422, Section 5.11.
-	var allZeroes [32]byte
-	if subtle.ConstantTimeCompare(allZeroes[:], sharedKey[:]) == 1 {
-		return nil
-	}
-
-	return sharedKey[:]
+	return sharedKey
 }

testdata/Server-TLSv12-RSA-RSAPSS

@@ -1,14 +1,14 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 91 01 00 00  8d 03 03 63 d6 91 ee ad  |...........c....|
-00000010  71 ef 42 ad de f0 3f 02  a1 93 33 d9 f0 e1 cf 4c  |q.B...?...3....L|
-00000020  30 f7 2c 9f a1 0c b8 d5  4e 0a c5 00 00 2a c0 30  |0.,.....N....*.0|
+00000000  16 03 01 00 91 01 00 00  8d 03 03 6d d9 a6 ff 3e  |...........m...>|
+00000010  4b 00 33 67 b4 8c c6 e8  07 ee f3 77 83 31 81 e9  |K.3g.......w.1..|
+00000020  8f 3e 9e 77 8b 5c 8b 84  47 b4 33 00 00 2a c0 30  |.>.w.\..G.3..*.0|
 00000030  00 9f cc a8 cc aa c0 2f  00 9e c0 28 00 6b c0 27  |......./...(.k.'|
 00000040  00 67 c0 14 00 39 c0 13  00 33 00 9d 00 9c 00 3d  |.g...9...3.....=|
 00000050  00 3c 00 35 00 2f 00 ff  01 00 00 3a 00 00 00 0e  |.<.5./.....:....|
 00000060  00 0c 00 00 09 31 32 37  2e 30 2e 30 2e 31 00 0b  |.....127.0.0.1..|
 00000070  00 04 03 00 01 02 00 0a  00 0c 00 0a 00 1d 00 17  |................|
 00000080  00 1e 00 19 00 18 00 16  00 00 00 17 00 00 00 0d  |................|
-00000090  00 04 00 02 08 04                                 |......|
+00000090  00 04 00 02 08 06                                 |......|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 37 02 00 00  33 03 03 00 00 00 00 00  |....7...3.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -51,32 +51,5 @@
 00000260  0c 5c ee b1 87 82 f1 6c  04 ed 73 bb b3 43 77 8d  |.\.....l..s..Cw.|
 00000270  0c 1c f1 0f a1 d8 40 83  61 c9 4c 72 2b 9d ae db  |......@.a.Lr+...|
 00000280  46 06 06 4d f4 c1 b3 3e  c0 d1 bd 42 d4 db fe 3d  |F..M...>...B...=|
-00000290  13 60 84 5c 21 d3 3b e9  fa e7 16 03 03 00 ac 0c  |.`.\!.;.........|
-000002a0  00 00 a8 03 00 1d 20 2f  e5 7d a3 47 cd 62 43 15  |...... /.}.G.bC.|
-000002b0  28 da ac 5f bb 29 07 30  ff f6 84 af c4 cf c2 ed  |(.._.).0........|
-000002c0  90 99 5f 58 cb 3b 74 08  04 00 80 bf 7b 0d b8 ab  |.._X.;t.....{...|
-000002d0  95 96 80 37 60 fb 2f 53  0d 21 aa 6a 0d c9 48 6f  |...7`./S.!.j..Ho|
-000002e0  d7 d2 d3 ca 22 58 9e 77  4a aa 32 c6 e7 0a 77 2e  |...."X.wJ.2...w.|
-000002f0  59 72 f2 24 5a 2c 9e a3  7e a5 cc a1 b5 68 55 30  |Yr.$Z,..~....hU0|
-00000300  c8 a8 c1 b0 5b 74 49 85  07 bf 7b 36 16 ba 48 54  |....[tI...{6..HT|
-00000310  3f 1d 28 08 d7 c3 26 c3  8e 6f 5c 49 13 e9 49 55  |?.(...&..o\I..IU|
-00000320  b3 3e bb 70 8c df 6f 0b  f0 e7 6c ac 7d fe 1e 4c  |.>.p..o...l.}..L|
-00000330  6b 8c 22 e7 d0 97 b0 c9  4a b9 11 94 ef 13 c7 d3  |k.".....J.......|
-00000340  3f 07 d8 e6 6f 87 85 de  97 25 b2 16 03 03 00 04  |?...o....%......|
-00000350  0e 00 00 00                                       |....|
->>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 3f 05 77 b8 ef bf  |....%...! ?.w...|
-00000010  2e dd af ba 76 d7 6f 36  35 7e c7 99 23 dc e7 a6  |....v.o65~..#...|
-00000020  52 a3 81 76 71 8a b0 be  85 73 14 03 03 00 01 01  |R..vq....s......|
-00000030  16 03 03 00 28 d1 45 19  f0 ef 75 54 ff 90 a0 36  |....(.E...uT...6|
-00000040  d0 06 c8 9e e5 67 fa 38  eb 13 4c ed 84 ab 8f 37  |.....g.8..L....7|
-00000050  63 23 8a 5d 8c d7 ce 96  2f 4f 91 b7 03           |c#.]..../O...|
->>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 28 00 00 00 00 00  |..........(.....|
-00000010  00 00 00 2d d2 61 48 46  5b 15 3b d8 09 bc be 9a  |...-.aHF[.;.....|
-00000020  08 39 e3 b1 9f 2a 33 50  64 8b 11 92 13 dd dd 34  |.9...*3Pd......4|
-00000030  90 43 a2 17 03 03 00 25  00 00 00 00 00 00 00 01  |.C.....%........|
-00000040  81 7f c4 4f 37 a3 d0 b3  e7 b9 b7 c1 90 8e 96 51  |...O7..........Q|
-00000050  4e 77 2c 4c a9 85 d5 61  6c b7 8b 8a 8c 15 03 03  |Nw,L...al.......|
-00000060  00 1a 00 00 00 00 00 00  00 02 1f 57 78 97 2b 6f  |...........Wx.+o|
-00000070  11 95 09 77 61 82 6e 7c  6d 48 05 c0              |...wa.n|mH..|
+00000290  13 60 84 5c 21 d3 3b e9  fa e7 15 03 03 00 02 02  |.`.\!.;.........|
+000002a0  28                                                |(|

testdata/Server-TLSv13-RSA-RSAPSS

@@ -1,101 +1,16 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 c6 01 00 00  c2 03 03 39 95 ab cc 1c  |...........9....|
-00000010  64 13 9d 19 2e 3e 73 33  48 b1 a9 f7 88 14 5a 83  |d....>s3H.....Z.|
-00000020  19 f7 b5 08 8d e4 80 09  72 21 99 20 23 ad 4c 2c  |........r!. #.L,|
-00000030  66 84 1e e8 c3 0c 9f 66  19 76 df a3 e0 62 cd 7d  |f......f.v...b.}|
-00000040  95 85 70 4f 37 fb 39 58  50 b1 d5 7b 00 08 13 02  |..pO7.9XP..{....|
+00000000  16 03 01 00 c6 01 00 00  c2 03 03 6b 64 fe be 82  |...........kd...|
+00000010  d3 c7 f8 26 35 c1 7c 50  d0 a9 19 a5 1d 6b d5 1b  |...&5.|P.....k..|
+00000020  25 9b 47 fb 49 01 fc df  2e dc 8e 20 92 d0 73 81  |%.G.I...... ..s.|
+00000030  91 5a 8a f9 2a cf 29 c7  9d 43 b2 b0 7d b9 5a a3  |.Z..*.)..C..}.Z.|
+00000040  5f 74 53 a0 8e fe 4e 2e  83 0d 3b 0f 00 08 13 02  |_tS...N...;.....|
 00000050  13 03 13 01 00 ff 01 00  00 71 00 00 00 0e 00 0c  |.........q......|
 00000060  00 00 09 31 32 37 2e 30  2e 30 2e 31 00 0b 00 04  |...127.0.0.1....|
 00000070  03 00 01 02 00 0a 00 0c  00 0a 00 1d 00 17 00 1e  |................|
 00000080  00 19 00 18 00 16 00 00  00 17 00 00 00 0d 00 04  |................|
-00000090  00 02 08 04 00 2b 00 03  02 03 04 00 2d 00 02 01  |.....+......-...|
-000000a0  01 00 33 00 26 00 24 00  1d 00 20 be 29 89 8d 44  |..3.&.$... .)..D|
-000000b0  4d e5 51 88 7a 1a 56 52  a8 86 74 13 0e e9 a5 a7  |M.Q.z.VR..t.....|
-000000c0  b6 7f 38 b3 ef 62 e6 b0  c5 2a 0a                 |..8..b...*.|
+00000090  00 02 08 06 00 2b 00 03  02 03 04 00 2d 00 02 01  |.....+......-...|
+000000a0  01 00 33 00 26 00 24 00  1d 00 20 76 43 b3 ed 62  |..3.&.$... vC..b|
+000000b0  22 72 15 69 b5 5b fd 9c  ac 4a bd 36 4a 8d 3a 08  |"r.i.[...J.6J.:.|
+000000c0  9d a0 5e 10 e6 13 87 2b  41 51 66                 |..^....+AQf|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 7a 02 00 00  76 03 03 00 00 00 00 00  |....z...v.......|
-00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 00 00 00 00 00  00 00 00 20 23 ad 4c 2c  |........... #.L,|
-00000030  66 84 1e e8 c3 0c 9f 66  19 76 df a3 e0 62 cd 7d  |f......f.v...b.}|
-00000040  95 85 70 4f 37 fb 39 58  50 b1 d5 7b 13 02 00 00  |..pO7.9XP..{....|
-00000050  2e 00 2b 00 02 03 04 00  33 00 24 00 1d 00 20 2f  |..+.....3.$... /|
-00000060  e5 7d a3 47 cd 62 43 15  28 da ac 5f bb 29 07 30  |.}.G.bC.(.._.).0|
-00000070  ff f6 84 af c4 cf c2 ed  90 99 5f 58 cb 3b 74 14  |.........._X.;t.|
-00000080  03 03 00 01 01 17 03 03  00 17 49 c6 88 9c 3b 2f  |..........I...;/|
-00000090  3a 0a e6 8e 75 d0 39 11  ad 08 87 17 2c 14 96 28  |:...u.9.....,..(|
-000000a0  85 17 03 03 02 6d 2a d6  89 4d 5d f3 6c 28 97 dd  |.....m*..M].l(..|
-000000b0  4e 45 88 e8 90 a4 f3 45  86 cf 59 d6 61 6e 1a a7  |NE.....E..Y.an..|
-000000c0  b7 35 7e 9c 6e 11 19 c4  1b 89 b9 5a 7c aa 1f 96  |.5~.n......Z|...|
-000000d0  e2 36 6d 54 09 12 2f 28  12 20 a3 41 06 bd 44 3c  |.6mT../(. .A..D<|
-000000e0  73 be d3 8c 78 18 a1 63  ad f9 9d 41 20 5e 32 55  |s...x..c...A ^2U|
-000000f0  8e 18 c1 d8 b0 93 13 7e  88 a0 af 8a 59 e2 af 43  |.......~....Y..C|
-00000100  d2 82 66 ba c5 a1 97 94  e8 63 40 1b 8f c4 eb 49  |..f......c@....I|
-00000110  19 91 65 e9 54 d3 90 76  d6 f8 ff 15 20 31 3c 86  |..e.T..v.... 1<.|
-00000120  88 8a 43 be 77 a0 28 de  fa 9f d5 30 14 a8 35 2f  |..C.w.(....0..5/|
-00000130  5e ee 9d cf b5 69 d1 f5  f6 55 d1 1a 61 3f 4c a1  |^....i...U..a?L.|
-00000140  97 38 5b 87 7e ce 88 23  8a d0 bd fc 4b c5 da f7  |.8[.~..#....K...|
-00000150  25 6c 6c 0b ec 61 50 72  97 6b f7 fe 9b 5b 5a f9  |%ll..aPr.k...[Z.|
-00000160  59 19 71 10 74 2d 14 8c  1b 52 8b 39 1c 56 ea 7e  |Y.q.t-...R.9.V.~|
-00000170  7a c9 8f 7c bd db 1e c5  02 9f 42 8b 63 ee 13 52  |z..|......B.c..R|
-00000180  fe 46 40 de 7b 97 27 b0  16 87 75 96 c7 1c 88 5d  |.F@.{.'...u....]|
-00000190  2e 64 7f a8 df e0 16 b9  ee 27 7e b3 98 99 f7 4a  |.d.......'~....J|
-000001a0  83 05 78 bb 59 07 8e 1a  46 1d 0f 45 87 ae d9 ae  |..x.Y...F..E....|
-000001b0  6f 42 ed b1 72 14 8c 9d  33 72 95 ac 12 bb a0 20  |oB..r...3r..... |
-000001c0  56 a8 8a 23 e4 51 6a 89  f5 8e bc 55 5a e2 8d 78  |V..#.Qj....UZ..x|
-000001d0  84 24 55 99 cf 37 61 8c  7e 46 17 f3 26 ca 27 ec  |.$U..7a.~F..&.'.|
-000001e0  f4 04 f6 76 1d cf 82 0c  bd 85 82 81 06 f1 96 ce  |...v............|
-000001f0  78 54 6c eb a0 f8 cf 30  6a 10 17 08 e6 94 83 4f  |xTl....0j......O|
-00000200  56 34 80 ef ac fa ab e7  59 9e 6b f9 f8 38 76 cc  |V4......Y.k..8v.|
-00000210  3b 09 b0 16 3f 3f 5c d3  6a ad d9 2c 65 d8 ce b4  |;...??\.j..,e...|
-00000220  19 53 c4 c9 d1 82 e8 19  72 ec bc 85 ef 3a 6e e5  |.S......r....:n.|
-00000230  ba 3c f8 37 98 98 80 47  5f 47 4f cd ed f5 0e bc  |.<.7...G_GO.....|
-00000240  4e 14 a2 7d 8d 43 0b 18  ba 3b 10 50 e4 18 fc ac  |N..}.C...;.P....|
-00000250  0e 01 21 73 68 da 50 51  8a 64 b6 18 28 ca e3 a4  |..!sh.PQ.d..(...|
-00000260  aa d2 5c 28 ff 64 fd cb  28 00 db b1 5c bf 75 81  |..\(.d..(...\.u.|
-00000270  bb d2 8c df 5c 26 70 1d  d6 fe 7a 94 65 27 93 72  |....\&p...z.e'.r|
-00000280  bc ba 17 92 8f be 61 ec  f5 88 04 ed fb cc f3 5c  |......a........\|
-00000290  71 d0 a4 5d 13 a6 a3 82  89 e8 9e 1a 8e 31 fd 2f  |q..].........1./|
-000002a0  57 53 98 d5 1f c4 3f 8e  92 7f 1b 90 a3 ad 6c 96  |WS....?.......l.|
-000002b0  42 cc f2 f0 1c 8d 3f 31  fd b2 53 29 79 16 9a 96  |B.....?1..S)y...|
-000002c0  fd d6 fe d4 3f 13 aa 39  73 d4 73 6d 9a ff f6 db  |....?..9s.sm....|
-000002d0  52 0a 1e 76 71 0f d3 ee  de a8 b3 05 3b 24 c4 72  |R..vq.......;$.r|
-000002e0  67 78 f1 be df c5 c0 87  32 60 28 96 8e b2 2e 3f  |gx......2`(....?|
-000002f0  7d e9 aa b7 66 57 ee 67  e6 ac 70 da 60 ce c2 00  |}...fW.g..p.`...|
-00000300  55 2f 20 25 39 a5 5e b9  65 c3 00 63 c7 5a a9 31  |U/ %9.^.e..c.Z.1|
-00000310  de fe 65 17 03 03 00 99  95 83 6d be 56 ef 4f a3  |..e.......m.V.O.|
-00000320  96 5f a8 3d d5 a1 f3 8e  9a 8c 40 35 f4 12 2c 0a  |._.=......@5..,.|
-00000330  b3 02 3b d2 14 d8 a4 f1  12 01 be e1 8a 6b 5f 01  |..;..........k_.|
-00000340  71 de ac 70 e9 7a 90 78  2e 2a a8 29 64 20 85 dd  |q..p.z.x.*.)d ..|
-00000350  57 09 cf 48 29 d0 63 42  bc 9b ec 0c e2 2d 41 d0  |W..H).cB.....-A.|
-00000360  cb d8 68 46 b7 17 fc 1d  95 12 5a 4c c3 10 67 32  |..hF......ZL..g2|
-00000370  f7 7a 14 55 63 fb 57 6e  59 ee b6 66 b8 65 e1 37  |.z.Uc.WnY..f.e.7|
-00000380  e6 7c 6c 07 8b d1 84 80  01 11 ce 7f 20 f0 4d 42  |.|l......... .MB|
-00000390  a7 67 01 12 e6 b5 9b d4  6a fe 38 37 71 ca 60 d6  |.g......j.87q.`.|
-000003a0  12 d7 00 b5 26 c3 97 1d  9f 37 6a 82 31 ef c3 12  |....&....7j.1...|
-000003b0  bc 17 03 03 00 45 65 1e  cf 1f 1e 73 93 8d 66 54  |.....Ee....s..fT|
-000003c0  47 b0 73 9f d1 a4 9d 3b  b0 72 b4 f2 5f 06 e1 d2  |G.s....;.r.._...|
-000003d0  1f bb 3d 13 48 7c 7a e0  19 15 9f aa a5 ed 09 18  |..=.H|z.........|
-000003e0  2e 4e 8a cd 66 2b 9c b3  fe 99 b0 57 06 2e b3 a0  |.N..f+.....W....|
-000003f0  79 92 c1 bb 0e 29 44 02  f1 b0 43 17 03 03 00 a3  |y....)D...C.....|
-00000400  52 cd d9 d7 60 1c f5 06  83 aa 2f e0 0c 0f 5e 6d  |R...`...../...^m|
-00000410  0f 29 93 b9 ae 50 04 c6  f7 d3 ff c7 d1 ac 9d 43  |.)...P.........C|
-00000420  d7 b5 76 7a 16 b7 2c b7  79 48 a4 c3 28 2a 86 10  |..vz..,.yH..(*..|
-00000430  d1 24 7c 04 ed af 1f 8a  0b 18 29 97 7a 7a 47 3f  |.$|.......).zzG?|
-00000440  1f fe ba 9c 72 d9 9b ae  9b 83 5f f4 5a 4f 10 b8  |....r....._.ZO..|
-00000450  e5 45 35 76 77 a2 ac 99  1c bc 78 cf 6f 62 ef ef  |.E5vw.....x.ob..|
-00000460  9b 1b 90 eb 95 6b a1 25  82 b7 c1 1b 6f da 10 4c  |.....k.%....o..L|
-00000470  aa 3e a8 ba dd 77 b1 39  a0 b2 6a 11 18 44 2a 8d  |.>...w.9..j..D*.|
-00000480  58 9a 53 31 e1 d1 ec 8b  47 95 63 67 44 67 8d 09  |X.S1....G.cgDg..|
-00000490  2f 16 f5 19 cd 65 1d 52  d7 bd 19 f0 bb ec 7b 55  |/....e.R......{U|
-000004a0  33 4f 84                                          |3O.|
->>> Flow 3 (client to server)
-00000000  14 03 03 00 01 01 17 03  03 00 45 07 3f db d9 c7  |..........E.?...|
-00000010  05 fd c4 0c 2d ae ee d8  d7 e7 ac 46 19 a2 17 e5  |....-......F....|
-00000020  5e 10 30 65 05 be e0 c7  1e b3 e2 16 a4 d6 69 e1  |^.0e..........i.|
-00000030  2c ff 18 ba e4 8f d0 3d  12 45 df c3 d4 08 0d e6  |,......=.E......|
-00000040  94 6e 83 6d 99 9d f3 f1  02 48 6b 6f d1 2d f0 c6  |.n.m.....Hko.-..|
->>> Flow 4 (server to client)
-00000000  17 03 03 00 1e 2a 3d 96  b4 6a 9e 7f 7f ca e0 8e  |.....*=..j......|
-00000010  41 4e bd 82 86 61 b8 59  19 e4 97 02 c2 00 7e 69  |AN...a.Y......~i|
-00000020  81 b0 64 17 03 03 00 13  63 91 94 1a a3 51 bf 95  |..d.....c....Q..|
-00000030  9e 09 a2 a1 f0 01 57 93  00 71 49                 |......W..qI|
+00000000  15 03 03 00 02 02 28                              |......(|

testdata/Server-TLSv13-RSA-RSAPSS-TooSmall

@@ -0,0 +1,16 @@
+>>> Flow 1 (client to server)
+00000000  16 03 01 00 c6 01 00 00  c2 03 03 7c a4 3e 3b dd  |...........|.>;.|
+00000010  d4 90 de 04 87 40 12 a6  f8 63 d9 9d b3 44 7b 52  |.....@...c...D{R|
+00000020  9b b2 2d e2 da 0a 6b 87  30 2e 1f 20 38 be 06 6e  |..-...k.0.. 8..n|
+00000030  b8 2d 46 93 8d ed 31 ea  5c 44 5a 3a 6e 3a bd 3c  |.-F...1.\DZ:n:.<|
+00000040  0d 69 99 2c 5d 59 30 85  1a bc ce 59 00 08 13 02  |.i.,]Y0....Y....|
+00000050  13 03 13 01 00 ff 01 00  00 71 00 00 00 0e 00 0c  |.........q......|
+00000060  00 00 09 31 32 37 2e 30  2e 30 2e 31 00 0b 00 04  |...127.0.0.1....|
+00000070  03 00 01 02 00 0a 00 0c  00 0a 00 1d 00 17 00 1e  |................|
+00000080  00 19 00 18 00 16 00 00  00 17 00 00 00 0d 00 04  |................|
+00000090  00 02 08 06 00 2b 00 03  02 03 04 00 2d 00 02 01  |.....+......-...|
+000000a0  01 00 33 00 26 00 24 00  1d 00 20 d9 cb e9 03 27  |..3.&.$... ....'|
+000000b0  59 f0 bd 7a 1f 17 88 c7  35 2b 92 0c d9 0c 0f 9a  |Y..z....5+......|
+000000c0  b5 47 c7 e2 97 aa 92 04  c6 63 2d                 |.G.......c-|
+>>> Flow 2 (server to client)
+00000000  15 03 03 00 02 02 28                              |......(|

tls.go

@@ -116,9 +116,10 @@ func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*
 
 	if timeout != 0 {
 		errChannel = make(chan error, 2)
-		time.AfterFunc(timeout, func() {
+		timer := time.AfterFunc(timeout, func() {
 			errChannel <- timeoutError{}
 		})
+		defer timer.Stop()
 	}
 
 	rawConn, err := dialer.Dial(network, addr)

tls_test.go

@@ -294,7 +294,11 @@ func TestTLSUniqueMatches(t *testing.T) {
 	defer ln.Close()
 
 	serverTLSUniques := make(chan []byte)
+	parentDone := make(chan struct{})
+	childDone := make(chan struct{})
+	defer close(parentDone)
 	go func() {
+		defer close(childDone)
 		for i := 0; i < 2; i++ {
 			sconn, err := ln.Accept()
 			if err != nil {
@@ -308,7 +312,11 @@ func TestTLSUniqueMatches(t *testing.T) {
 				t.Error(err)
 				return
 			}
-			serverTLSUniques <- srv.ConnectionState().TLSUnique
+			select {
+			case <-parentDone:
+				return
+			case serverTLSUniques <- srv.ConnectionState().TLSUnique:
+			}
 		}
 	}()
 
@@ -318,7 +326,15 @@ func TestTLSUniqueMatches(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
+
+	var serverTLSUniquesValue []byte
+	select {
+	case <-childDone:
+		return
+	case serverTLSUniquesValue = <-serverTLSUniques:
+	}
+
+	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
 		t.Error("client and server channel bindings differ")
 	}
 	conn.Close()
@@ -331,7 +347,14 @@ func TestTLSUniqueMatches(t *testing.T) {
 	if !conn.ConnectionState().DidResume {
 		t.Error("second session did not use resumption")
 	}
-	if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) {
+
+	select {
+	case <-childDone:
+		return
+	case serverTLSUniquesValue = <-serverTLSUniques:
+	}
+
+	if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) {
 		t.Error("client and server channel bindings differ when session resumption is used")
 	}
 }