Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: tls client-side test recordings don't include the close notify message #69846

Closed
rygrange opened this issue Oct 11, 2024 · 4 comments
Closed

crypto/tls: tls client-side test recordings don't include the close notify message #69846

rygrange opened this issue Oct 11, 2024 · 4 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.24

Comments

@rygrange
Copy link
Contributor

Go version

go version devel go1.24-7f87b82955 Mon Sep 30 18:47:31 2024 +0000 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/ubuntu/.cache/go-build'
GOENV='/home/ubuntu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/ubuntu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/ubuntu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/ubuntu/code/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/ubuntu/code/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.24-7f87b82955 Mon Sep 30 18:47:31 2024 +0000'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/ubuntu/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2701037647=/tmp/go-build -gno-record-gcc-switches'

What did you do?

I compiled go master from source by going into src and running make.bash, after downloading, untarring, and setting my GOROOT_BOOTSTRAP to a Go 1.23.1 precompiled binary tarball for linux amd64. After compiling master and setting the PATH with the go/bin directory, I found the current openssl version to use for updating tls testdata in src/crypto/tls/handshake_test.go:85. From here I got the latest release source code for OpenSSL 1.1.1 which was 1.1.1w. Then I ran ./Configure enable-weak-ssl-ciphers no-shared linux-x86_64 and then make to compile. Testing the command apps/openssl version worked fine:

$ apps/openssl version
OpenSSL 1.1.1w  11 Sep 2023

Next I exported the PATH as stated in the comment in the Go code:

$ export PATH=$(pwd)/apps:$PATH
$ openssl version
OpenSSL 1.1.1w  11 Sep 2023

The test dependencies are all installed. Next I will try a test that should verify the bug.
Here are the steps for running the test that will cause the failure:

  1. run a test with tls test recordings and see it pass with no changes (TestHandshakeClientECDHEECDSAAESGCM)
  2. remove the recording for that test (the file Client-TLSv12-ECDHE-ECDSA-AES-GCM)
  3. run the test with update and see it fail both during the first run and succeed the update run, updating the recording
  4. run the test without update again and see it fail
  5. compare the old and new recordings and see that the final close message was not recorded

What did you see happen?

$ go version
go version devel go1.24-7f87b82955 Mon Sep 30 18:47:31 2024 +0000 linux/amd64
$ go test crypto/tls -run=^TestHandshakeClientECDHEECDSAAESGCM$ -v     
=== RUN   TestHandshakeClientECDHEECDSAAESGCM
=== RUN   TestHandshakeClientECDHEECDSAAESGCM/TLSv12
=== PAUSE TestHandshakeClientECDHEECDSAAESGCM/TLSv12
=== CONT  TestHandshakeClientECDHEECDSAAESGCM/TLSv12
--- PASS: TestHandshakeClientECDHEECDSAAESGCM (0.00s)
    --- PASS: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 (0.00s)
PASS
ok      crypto/tls      0.018s
$ rm src/crypto/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM
$ go test crypto/tls -v -update -run=^TestHandshakeClientECDHEECDSAAESGCM$
=== RUN   TestHandshakeClientECDHEECDSAAESGCM
=== RUN   TestHandshakeClientECDHEECDSAAESGCM/TLSv12
    handshake_client_test.go:307: failed to load data from testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM: open testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM: no such file or directory
=== RUN   TestHandshakeClientECDHEECDSAAESGCM/TLSv12#update
    handshake_client_test.go:451: Wrote testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM
--- FAIL: TestHandshakeClientECDHEECDSAAESGCM (0.13s)
    --- FAIL: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 (0.00s)
    --- PASS: TestHandshakeClientECDHEECDSAAESGCM/TLSv12#update (0.13s)
FAIL
FAIL    crypto/tls      0.144s
FAIL
$ go test crypto/tls -v -run=^TestHandshakeClientECDHEECDSAAESGCM$ 
=== RUN   TestHandshakeClientECDHEECDSAAESGCM
=== RUN   TestHandshakeClientECDHEECDSAAESGCM/TLSv12
=== PAUSE TestHandshakeClientECDHEECDSAAESGCM/TLSv12
=== CONT  TestHandshakeClientECDHEECDSAAESGCM/TLSv12
    handshake_test.go:263: expected read, got write
--- FAIL: TestHandshakeClientECDHEECDSAAESGCM (0.00s)
    --- FAIL: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 (0.00s)
FAIL
FAIL    crypto/tls      0.017s
FAIL

New recording without close notify
Clipboard_2024-09-30-16-42-14 copy

Old with close notify
Clipboard_2024-09-30-16-43-34 copy

What did you expect to see?

I expected the test to have succeeded with ok when running the test again (step 4) after rerecording the tls test in step 3. The messages in the tls recording should include the close notify record, meaning when the test is replaying the recording it should match properly on the final message when the deferred client.Close() call is occurring. This will mean that all the recorded messages will match and the test will succeed. Fixing this issue will fix this recording problem for all client handshake tests that use this recording test harness. This fix would likely need to be made in both master and release-branch.go1.23 to ensure that new recordings that need to be made in client tls handshake tests function properly.
@gabyhelp
Copy link

Related Issues and Documentation

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@cherrymui
Copy link
Member

cc @FiloSottile @rolandshoemaker @golang/security

@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 11, 2024
@cherrymui cherrymui added this to the Backlog milestone Oct 11, 2024
@rygrange
Copy link
Contributor Author

I am working on submitting a fix for this in gerrit (will be Change-Id: I93898de32abd89659a32ed240df6daea5aeaa7fc). I just need to wait until I get an employer CLA agreement added to my account.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/620395 mentions this issue: crypto/tls: include close notify in client tls test recordings

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. FixPending Issues that have a fix which has not yet been reviewed or submitted. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 16, 2024
@dmitshur dmitshur modified the milestones: Backlog, Go1.24 Oct 16, 2024
@gabyhelp gabyhelp mentioned this issue Oct 25, 2024
Closed
adotkhan pushed a commit to Psiphon-Labs/psiphon-tls that referenced this issue Nov 28, 2024
@rygrange @gopherbot
crypto/tls: include close notify in client tls test recordings
03abb12 
This commit fixes the issue where tls testdata recordings made with the
newer version of the prerecorded tls conversation test harness, doesn't
end up capturing the final close notify message. The fix simply ensures
that the tls.Client closes before the recording of the conversation is
closed. The closing of the client connection directly is no longer
needed when updating the recording since it will be closed when the
tls.Client is closed.

Fixes golang/go#69846

Change-Id: I93898de32abd89659a32ed240df6daea5aeaa7fc
Reviewed-on: https://go-review.googlesource.com/c/go/+/620395
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@gabyhelp gabyhelp mentioned this issue Dec 19, 2024
Closed
@gabyhelp gabyhelp mentioned this issue Dec 29, 2024
Closed
@gabyhelp gabyhelp mentioned this issue Jan 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.24
Development

No branches or pull requests
5 participants
@dmitshur @gopherbot @rygrange @cherrymui @gabyhelp