crypto/tls: check and record godebugs more granularly

We should call Value as late as possible to allow programs to set GODEBUG with os.Setenv, and IncNonDefault only when (and every time) the GODEBUG has an effect on a connection (that we'd have regularly rejected). Change-Id: If7a1446de407db7ca2d904d41dda13558b684dda Reviewed-on: https://go-review.googlesource.com/c/go/+/544335 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-11-21 23:16:56 +01:00 · 2023-11-21 23:16:56 +01:00 · fef99935ac
commit fef99935ac
parent f20bc39fcb
6 changed files with 43 additions and 37 deletions
--- a/conn.go
+++ b/conn.go
@ -1600,7 +1600,7 @@ func (c *Conn) ConnectionState() ConnectionState {
 	return c.connectionStateLocked()
 }

-var ekmgodebug = godebug.New("tlsunsafeekm")
+var tlsunsafeekm = godebug.New("tlsunsafeekm")

 func (c *Conn) connectionStateLocked() ConnectionState {
 	var state ConnectionState
@ -1626,8 +1626,8 @@ func (c *Conn) connectionStateLocked() ConnectionState {
 		state.ekm = noEKMBecauseRenegotiation
 	} else if c.vers != VersionTLS13 && !c.extMasterSecret {
 		state.ekm = func(label string, context []byte, length int) ([]byte, error) {
-			if ekmgodebug.Value() == "1" {
-				ekmgodebug.IncNonDefault()
+			if tlsunsafeekm.Value() == "1" {
+				tlsunsafeekm.IncNonDefault()
 				return c.ekm(label, context, length)
 			}
 			return noEKMBecauseNoEMS(label, context, length)