crypto/tls: remove TLS 1.3 opt-out
Fixes #30055

Change-Id: If757c43b52fc7bf62b0afb1c720615329fb5569d
Reviewed-on: https://go-review.googlesource.com/c/go/+/191999
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
FiloSottile committed Aug 27, 2019
1 parent ffcb678 commit a8c2e5c
Showing 4 changed files with 0 additions and 102 deletions.
43 changes: 0 additions & 43 deletions src/crypto/tls/common.go
Expand Up @@ -16,7 +16,6 @@ import (
"io"
"math/big"
"net"
"os"
"strings"
"sync"
"time"
Expand Down Expand Up @@ -799,53 +798,11 @@ func (c *Config) supportedVersions() []uint16 {
if c != nil && c.MaxVersion != 0 && v > c.MaxVersion {
continue
}
// TLS 1.3 is opt-out in Go 1.13.
if v == VersionTLS13 && !isTLS13Supported() {
continue
}
versions = append(versions, v)
}
return versions
}

// tls13Support caches the result for isTLS13Supported.
var tls13Support struct {
sync.Once
cached bool
}

// isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
// out with GODEBUG=tls13=0. It's cached after the first execution.
func isTLS13Supported() bool {
tls13Support.Do(func() {
tls13Support.cached = goDebugString("tls13") != "0"
})
return tls13Support.cached
}

// goDebugString returns the value of the named GODEBUG key.
// GODEBUG is of the form "key=val,key2=val2".
func goDebugString(key string) string {
s := os.Getenv("GODEBUG")
for i := 0; i < len(s)-len(key)-1; i++ {
if i > 0 && s[i-1] != ',' {
continue
}
afterKey := s[i+len(key):]
if afterKey[0] != '=' || s[i:i+len(key)] != key {
continue
}
val := afterKey[1:]
for i, b := range val {
if b == ',' {
return val[:i]
}
}
return val
}
return ""
}

func (c *Config) maxSupportedVersion() uint16 {
supportedVersions := c.supportedVersions()
if len(supportedVersions) == 0 {
1 change: 0 additions & 1 deletion src/crypto/tls/handshake_test.go
Expand Up @@ -345,7 +345,6 @@ func runMain(m *testing.M) int {
Rand: zeroSource{},
Certificates: make([]Certificate, 2),
InsecureSkipVerify: true,
MaxVersion: VersionTLS13,
CipherSuites: allCipherSuites(),
}
testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
4 changes: 0 additions & 4 deletions src/crypto/tls/tls.go
Expand Up @@ -4,10 +4,6 @@

// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
//
// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=0".
package tls

// BUG(agl): The crypto/tls package only implements some countermeasures
54 changes: 0 additions & 54 deletions src/crypto/tls/tls_test.go
Expand Up @@ -18,7 +18,6 @@ import (
"os"
"reflect"
"strings"
"sync"
"testing"
"time"
)
Expand Down Expand Up @@ -1023,59 +1022,6 @@ func TestConnectionState(t *testing.T) {
}
}

// TestEscapeRoute tests that the library will still work if support for TLS 1.3
// is dropped later in the Go 1.12 cycle.
func TestEscapeRoute(t *testing.T) {
defer func(savedSupportedVersions []uint16) {
supportedVersions = savedSupportedVersions
}(supportedVersions)
supportedVersions = []uint16{
VersionTLS12,
VersionTLS11,
VersionTLS10,
}

expectVersion(t, testConfig, testConfig, VersionTLS12)
}

func expectVersion(t *testing.T, clientConfig, serverConfig *Config, v uint16) {
ss, cs, err := testHandshake(t, clientConfig, serverConfig)
if err != nil {
t.Fatalf("Handshake failed: %v", err)
}
if ss.Version != v {
t.Errorf("Server negotiated version %x, expected %x", cs.Version, v)
}
if cs.Version != v {
t.Errorf("Client negotiated version %x, expected %x", cs.Version, v)
}
}

// TestTLS13Switch checks the behavior of GODEBUG=tls13=[0|1]. See Issue 30055.
func TestTLS13Switch(t *testing.T) {
defer func(savedGODEBUG string) {
os.Setenv("GODEBUG", savedGODEBUG)
}(os.Getenv("GODEBUG"))

os.Setenv("GODEBUG", "tls13=0")
tls13Support.Once = sync.Once{} // reset the cache

tls12Config := testConfig.Clone()
tls12Config.MaxVersion = VersionTLS12
expectVersion(t, testConfig, testConfig, VersionTLS12)
expectVersion(t, tls12Config, testConfig, VersionTLS12)
expectVersion(t, testConfig, tls12Config, VersionTLS12)
expectVersion(t, tls12Config, tls12Config, VersionTLS12)

os.Setenv("GODEBUG", "tls13=1")
tls13Support.Once = sync.Once{} // reset the cache

expectVersion(t, testConfig, testConfig, VersionTLS13)
expectVersion(t, tls12Config, testConfig, VersionTLS12)
expectVersion(t, testConfig, tls12Config, VersionTLS12)
expectVersion(t, tls12Config, tls12Config, VersionTLS12)
}

// Issue 28744: Ensure that we don't modify memory
// that Config doesn't own such as Certificates.
func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) {
