runtime/internal/rpc/stream/crypto: Remove unused tls.go
Change-Id: I7f18e88438ecbb69d2bce0b1e1b689e31fb69947
diff --git a/runtime/internal/rpc/stream/benchmark/throughput_test.go b/runtime/internal/rpc/stream/benchmark/throughput_test.go
index 39a0c46..f84b6b1 100644
--- a/runtime/internal/rpc/stream/benchmark/throughput_test.go
+++ b/runtime/internal/rpc/stream/benchmark/throughput_test.go
@@ -52,11 +52,6 @@
benchmarkFlow(b, securityNone, 2, 2, 2)
}
-func Benchmark_throughput_TLS_1Conn(b *testing.B) { benchmarkTLS(b, 1) }
-func Benchmark_throughput_TLS_2Conns(b *testing.B) { benchmarkTLS(b, 2) }
-func Benchmark_throughput_TLS_4Conns(b *testing.B) { benchmarkTLS(b, 4) }
-func Benchmark_throughput_TLS_8Conns(b *testing.B) { benchmarkTLS(b, 8) }
-
func Benchmark_throughput_Flow_1VIF_1VC_1Flow(b *testing.B) {
benchmarkFlow(b, securityDefault, 1, 1, 1)
}
diff --git a/runtime/internal/rpc/stream/benchmark/throughput_tls.go b/runtime/internal/rpc/stream/benchmark/throughput_tls.go
deleted file mode 100644
index db4e96a..0000000
--- a/runtime/internal/rpc/stream/benchmark/throughput_tls.go
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright 2015 The Vanadium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package benchmark
-
-import (
- "crypto/tls"
- "io"
- "net"
- "testing"
-
- "v.io/x/ref/runtime/internal/rpc/stream/crypto"
-)
-
-func benchmarkTLS(b *testing.B, nConns int) {
- rchan := make(chan *tls.Conn, nConns)
- wchan := make(chan *tls.Conn, nConns)
- ln, err := net.Listen("tcp", "127.0.0.1:0")
- if err != nil {
- b.Fatalf("net.Listen failed: %v", err)
- return
- }
-
- defer ln.Close()
- // One goroutine to dial nConns connections.
- var tlsConfig tls.Config
- tlsConfig.InsecureSkipVerify = true
- go func() {
- for i := 0; i < nConns; i++ {
- conn, err := tls.Dial("tcp", ln.Addr().String(), &tlsConfig)
- if err != nil {
- b.Fatalf("tls.Dial(%q, %q) failed: %v", "tcp", ln.Addr(), err)
- wchan <- nil
- return
- }
- wchan <- conn
- }
- close(wchan)
- }()
- // One goroutine to accept nConns connections.
- go func() {
- for i := 0; i < nConns; i++ {
- conn, err := ln.Accept()
- if err != nil {
- b.Fatalf("Accept failed: %v", err)
- rchan <- nil
- }
- server := tls.Server(conn, crypto.ServerTLSConfig())
- server.Handshake()
- rchan <- server
- }
- close(rchan)
- }()
-
- var readers []io.ReadCloser
- var writers []io.WriteCloser
- for r := range rchan {
- readers = append(readers, r)
- }
- for w := range wchan {
- writers = append(writers, w)
- }
- if b.Failed() {
- return
- }
- (&throughputTester{b: b, readers: readers, writers: writers}).Run()
-}
diff --git a/runtime/internal/rpc/stream/crypto/crypto_test.go b/runtime/internal/rpc/stream/crypto/crypto_test.go
index db56407..ed27061 100644
--- a/runtime/internal/rpc/stream/crypto/crypto_test.go
+++ b/runtime/internal/rpc/stream/crypto/crypto_test.go
@@ -76,12 +76,6 @@
t.Logf("Byte overhead of encryption: %v", overhead)
}
-func TestTLS(t *testing.T) {
- server, client := net.Pipe()
- c1, c2 := tlsCrypters(t, server, client)
- testSimple(t, c1, c2)
-}
-
func TestBox(t *testing.T) {
c1, c2 := boxCrypters(t, nil, nil)
testSimple(t, c1, c2)
@@ -111,72 +105,10 @@
}
}
-func TestChannelBindingTLS(t *testing.T) { testChannelBinding(t, tlsCrypters) }
func TestChannelBindingBox(t *testing.T) { testChannelBinding(t, boxCrypters) }
-func TestTLSNil(t *testing.T) {
- conn1, conn2 := net.Pipe()
- c1, c2 := tlsCrypters(t, conn1, conn2)
- if t.Failed() {
- return
- }
- cipher, err := c1.Encrypt(iobuf.NewSlice(nil))
- if err != nil {
- t.Fatal(err)
- }
- plain, err := c2.Decrypt(cipher)
- if err != nil {
- t.Fatal(err)
- }
- if plain.Size() != 0 {
- t.Fatalf("Decryption produced non-empty data (%d)", plain.Size())
- }
-}
-
-func TestTLSFragmentedPlaintext(t *testing.T) {
- // Form RFC 5246, Section 6.2.1, the maximum length of a TLS record is
- // 16K (it is represented by a uint16).
- // http://tools.ietf.org/html/rfc5246#section-6.2.1
- const dataLen = 16384 + 1
- conn1, conn2 := net.Pipe()
- enc, dec := tlsCrypters(t, conn1, conn2)
- cipher, err := enc.Encrypt(iobuf.NewSlice(make([]byte, dataLen)))
- if err != nil {
- t.Fatal(err)
- }
- plain, err := dec.Decrypt(cipher)
- if err != nil {
- t.Fatal(err)
- }
- if !bytes.Equal(plain.Contents, make([]byte, dataLen)) {
- t.Errorf("Got %d bytes, want %d bytes of zeroes", plain.Size(), dataLen)
- }
-}
-
type factory func(t testing.TB, server, client net.Conn) (Crypter, Crypter)
-func tlsCrypters(t testing.TB, serverConn, clientConn net.Conn) (Crypter, Crypter) {
- crypters := make(chan Crypter)
- go func() {
- server, err := NewTLSServer(serverConn, serverConn.LocalAddr(), serverConn.RemoteAddr(), iobuf.NewAllocator(iobuf.NewPool(0), 0))
- if err != nil {
- t.Fatal(err)
- }
- crypters <- server
- }()
-
- go func() {
- client, err := NewTLSClient(clientConn, clientConn.LocalAddr(), clientConn.RemoteAddr(), TLSClientSessionCache{}, iobuf.NewAllocator(iobuf.NewPool(0), 0))
- if err != nil {
- t.Fatal(err)
- }
- crypters <- client
- }()
- c1 := <-crypters
- c2 := <-crypters
- return c1, c2
-}
-
func boxCrypters(t testing.TB, _, _ net.Conn) (Crypter, Crypter) {
server, client := make(chan *BoxKey, 1), make(chan *BoxKey, 1)
clientExchanger := func(pubKey *BoxKey) (*BoxKey, error) {
@@ -220,12 +152,6 @@
}
}
-func BenchmarkTLSEncrypt_1B(b *testing.B) { benchmarkEncrypt(b, tlsCrypters, 1) }
-func BenchmarkTLSEncrypt_1K(b *testing.B) { benchmarkEncrypt(b, tlsCrypters, 1<<10) }
-func BenchmarkTLSEncrypt_10K(b *testing.B) { benchmarkEncrypt(b, tlsCrypters, 10<<10) }
-func BenchmarkTLSEncrypt_1M(b *testing.B) { benchmarkEncrypt(b, tlsCrypters, 1<<20) }
-func BenchmarkTLSEncrypt_5M(b *testing.B) { benchmarkEncrypt(b, tlsCrypters, 5<<20) }
-
func BenchmarkBoxEncrypt_1B(b *testing.B) { benchmarkEncrypt(b, boxCrypters, 1) }
func BenchmarkBoxEncrypt_1K(b *testing.B) { benchmarkEncrypt(b, boxCrypters, 1<<10) }
func BenchmarkBoxEncrypt_10K(b *testing.B) { benchmarkEncrypt(b, boxCrypters, 10<<10) }
@@ -255,11 +181,6 @@
plainslice.Release()
}
}
-func BenchmarkTLSRoundTrip_1B(b *testing.B) { benchmarkRoundTrip(b, tlsCrypters, 1) }
-func BenchmarkTLSRoundTrip_1K(b *testing.B) { benchmarkRoundTrip(b, tlsCrypters, 1<<10) }
-func BenchmarkTLSRoundTrip_10K(b *testing.B) { benchmarkRoundTrip(b, tlsCrypters, 10<<10) }
-func BenchmarkTLSRoundTrip_1M(b *testing.B) { benchmarkRoundTrip(b, tlsCrypters, 1<<20) }
-func BenchmarkTLSRoundTrip_5M(b *testing.B) { benchmarkRoundTrip(b, tlsCrypters, 5<<20) }
func BenchmarkBoxRoundTrip_1B(b *testing.B) { benchmarkRoundTrip(b, boxCrypters, 1) }
func BenchmarkBoxRoundTrip_1K(b *testing.B) { benchmarkRoundTrip(b, boxCrypters, 1<<10) }
@@ -276,5 +197,4 @@
}
}
-func BenchmarkTLSSetup(b *testing.B) { benchmarkSetup(b, tlsCrypters) }
func BenchmarkBoxSetup(b *testing.B) { benchmarkSetup(b, boxCrypters) }
diff --git a/runtime/internal/rpc/stream/crypto/tls.go b/runtime/internal/rpc/stream/crypto/tls.go
deleted file mode 100644
index 3f5d07f..0000000
--- a/runtime/internal/rpc/stream/crypto/tls.go
+++ /dev/null
@@ -1,252 +0,0 @@
-// Copyright 2015 The Vanadium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.4
-
-package crypto
-
-import (
- "bytes"
- "crypto/tls"
- "fmt"
- "io"
- "net"
- "sync"
- "time"
-
- "v.io/v23/verror"
-
- "v.io/x/ref/runtime/internal/lib/iobuf"
- "v.io/x/ref/runtime/internal/rpc/stream"
-)
-
-var (
- // These errors are intended to be used as arguments to higher
- // level errors and hence {1}{2} is omitted from their format
- // strings to avoid repeating these n-times in the final error
- // message visible to the user.
- errDeadlinesNotSupported = reg(".errDeadlinesNotSupported", "deadlines not supported")
- errEndOfEncryptedSlice = reg(".errEndOfEncryptedSlice", "end of encrypted slice")
-)
-
-// TLSClientSessionCacheOpt specifies the ClientSessionCache used to resume TLS sessions.
-// It adapts tls.ClientSessionCache to the v.io/v23/x/ref/profiles/internal/rpc/stream.VCOpt interface.
-type TLSClientSessionCache struct{ tls.ClientSessionCache }
-
-func (TLSClientSessionCache) RPCStreamVCOpt() {}
-
-// NewTLSClient returns a Crypter implementation that uses TLS, assuming
-// handshaker was initiated by a client.
-func NewTLSClient(handshaker io.ReadWriteCloser, local, remote net.Addr, sessionCache TLSClientSessionCache, alloc *iobuf.Allocator) (Crypter, error) {
- var config tls.Config
- // TLS + resumption + channel bindings is broken: <https://secure-resumption.com/#channelbindings>.
- config.SessionTicketsDisabled = true
- config.InsecureSkipVerify = true
- config.ClientSessionCache = sessionCache.ClientSessionCache
- return newTLSCrypter(handshaker, local, remote, &config, alloc, false)
-}
-
-// NewTLSServer returns a Crypter implementation that uses TLS, assuming
-// handshaker was accepted by a server.
-func NewTLSServer(handshaker io.ReadWriteCloser, local, remote net.Addr, alloc *iobuf.Allocator) (Crypter, error) {
- return newTLSCrypter(handshaker, local, remote, ServerTLSConfig(), alloc, true)
-}
-
-type fakeConn struct {
- handshakeConn io.ReadWriteCloser
- out bytes.Buffer
- in []byte
- laddr, raddr net.Addr
-}
-
-func (c *fakeConn) Read(b []byte) (n int, err error) {
- if c.handshakeConn != nil {
- return c.handshakeConn.Read(b)
- }
- if len(c.in) == 0 {
- return 0, stream.NewNetError(verror.New(stream.ErrNetwork, nil, verror.New(errEndOfEncryptedSlice, nil)), false, true)
- }
- n = copy(b, c.in)
- c.in = c.in[n:]
- return
-}
-
-func (c *fakeConn) Write(b []byte) (int, error) {
- if c.handshakeConn != nil {
- return c.handshakeConn.Write(b)
- }
- return c.out.Write(b)
-}
-
-func (*fakeConn) Close() error { return nil }
-func (c *fakeConn) LocalAddr() net.Addr { return c.laddr }
-func (c *fakeConn) RemoteAddr() net.Addr { return c.raddr }
-func (*fakeConn) SetDeadline(t time.Time) error {
- return verror.New(stream.ErrBadState, nil, verror.New(errDeadlinesNotSupported, nil))
-}
-func (*fakeConn) SetReadDeadline(t time.Time) error {
- return verror.New(stream.ErrBadState, nil, verror.New(errDeadlinesNotSupported, nil))
-}
-func (*fakeConn) SetWriteDeadline(t time.Time) error {
- return verror.New(stream.ErrBadState, nil, verror.New(errDeadlinesNotSupported, nil))
-}
-
-// tlsCrypter implements the Crypter interface using crypto/tls.
-//
-// crypto/tls provides a net.Conn, while the Crypter interface operates on
-// iobuf.Slice objects. In order to adapt to the Crypter in stream.ErrNetwork, verrorterface, the
-// strategy is as follows:
-//
-// - netTLSCrypter wraps a net.Conn with an alternative implementation
-// (fakeConn) for the TLS handshake protocol.
-// - Once the TLS handshake is complete, fakeConn switches to a mode where all
-// Write calls add to a bytes.Buffer and all Read calls read from a
-// bytes.Buffer.
-// - Encrypt uses tls.Conn.Write, which in-turn invokes fakeConn.Write and then
-// it extracts the contents of the underlying bytes.Buffer.
-// - Decrypt adds to the read buffer and then invokes tls.Conn.Read, which
-// in-turn invokes fakeConn.Read, which reads from that buffer.
-type tlsCrypter struct {
- mu sync.Mutex
- alloc *iobuf.Allocator
- tls *tls.Conn
- fc *fakeConn
-}
-
-func newTLSCrypter(handshaker io.ReadWriteCloser, local, remote net.Addr, config *tls.Config, alloc *iobuf.Allocator, server bool) (Crypter, error) {
- fc := &fakeConn{handshakeConn: handshaker, laddr: local, raddr: remote}
- var t *tls.Conn
- if server {
- t = tls.Server(fc, config)
- } else {
- // The TLS handshake protocol ends with a message received by the client.
- // handshaker should be closed only after the handshake protocol completes.
- // So, the client closes the handshaker.
- defer handshaker.Close()
- t = tls.Client(fc, config)
- }
- if err := t.Handshake(); err != nil {
- return nil, err
- }
- // Must have used Diffie-Hellman to exchange keys (so that the key selection
- // is independent of any TLS certificates used). This helps ensure that
- // identities exchanged during the vanadium authentication protocol cannot be
- // stolen and are bound to the session key established during the TLS handshake.
- switch cs := t.ConnectionState().CipherSuite; cs {
- case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
- case tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
- case tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
- case tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:
- case tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
- case tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
- case tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
- case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
- case tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
- default:
- t.Close()
- return nil, verror.New(stream.ErrBadArg, nil, verror.New(errUnrecognizedCipherText, nil, fmt.Sprintf("0x%04x", cs)))
- }
- fc.handshakeConn = nil
- return &tlsCrypter{
- alloc: alloc,
- tls: t,
- fc: fc,
- }, nil
-}
-
-func (c *tlsCrypter) Encrypt(plaintext *iobuf.Slice) (*iobuf.Slice, error) {
- defer plaintext.Release()
- c.mu.Lock()
- defer c.mu.Unlock()
- defer c.fc.out.Reset()
- if _, err := c.tls.Write(plaintext.Contents); err != nil {
- return nil, err
- }
- return c.alloc.Copy(c.fc.out.Bytes()), nil
-}
-
-func (c *tlsCrypter) Decrypt(ciphertext *iobuf.Slice) (*iobuf.Slice, error) {
- defer ciphertext.Release()
- if ciphertext.Size() == 0 {
- return ciphertext, nil
- }
- c.mu.Lock()
- defer c.mu.Unlock()
- c.fc.in = ciphertext.Contents
- // Given the cipher suites used, len(plaintext) < len(ciphertext)
- // (ciphertext includes TLS record headers). Allocating space for
- // plaintext based on ciphertext.Size should suffice.
- plaintext := c.alloc.Alloc(uint(ciphertext.Size()))
- out := plaintext.Contents
- for {
- n, err := c.tls.Read(out)
- if err != nil {
- if _, exit := err.(*stream.NetError); exit {
- break
- }
- plaintext.Release()
- return nil, err
- }
- out = out[n:]
- }
- plaintext.Contents = plaintext.Contents[:plaintext.Size()-len(out)]
- return plaintext, nil
-}
-
-func (c *tlsCrypter) ChannelBinding() []byte {
- return c.tls.ConnectionState().TLSUnique
-}
-
-func (c *tlsCrypter) String() string {
- state := c.tls.ConnectionState()
- return fmt.Sprintf("TLS CipherSuite:0x%04x Resumed:%v", state.CipherSuite, state.DidResume)
-}
-
-// ServerTLSConfig returns the tls.Config used by NewTLSServer.
-func ServerTLSConfig() *tls.Config {
- c, err := tls.X509KeyPair([]byte(serverCert), []byte(serverKey))
- if err != nil {
- panic(err)
- }
- return &tls.Config{
- // TLS + resumption + channel bindings is broken: <https://secure-resumption.com/#channelbindings>.
- SessionTicketsDisabled: true,
- Certificates: []tls.Certificate{c},
- InsecureSkipVerify: true,
- // RC4_128_SHA is 4-5X faster compared to the other cipher suites.
- // There are concerns with its security (see http://en.wikipedia.org/wiki/RC4 and
- // https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan),
- // so this decision will be revisted.
- // TODO(ashankar,ataly): Figure out what cipher to use and how to
- // have a speedy Go implementation of it.
- CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
- }
-}
-
-// PEM-encoded certificates and keys used in the tests.
-// One way to generate them is:
-// go run $GOROOT/src/pkg/crypto/tls/generate_cert.go --host=localhost --duration=87600h --ecdsa-curve=P256
-// (This generates a self-signed certificate valid for 10 years)
-// which will create cert.pem and key.pem files.
-const (
- serverCert = `
------BEGIN CERTIFICATE-----
-MIIBbTCCAROgAwIBAgIQMD+Kzawjvhij1B/BmvHxLDAKBggqhkjOPQQDAjASMRAw
-DgYDVQQKEwdBY21lIENvMB4XDTE0MDcxODIzMTYxMloXDTI0MDcxNTIzMTYxMlow
-EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLiz
-Ajsly1DS8NJF2KE195V83TgidfgGEB7nudscdKWH3+5uQHgCc+2BV/7AGGj3yePR
-ZZLzYD95goJ/a7eet/2jSzBJMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggr
-BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
-hkjOPQQDAgNIADBFAiAb4tBxggEpnKdxv66TBVFxAUn3EBWX25XlL1G2GF8RkAIh
-AOAwys3mvzM4Td/2kV9QNyQPZ9kLLQr9A9ryB0H3N9Yz
------END CERTIFICATE-----
-`
- serverKey = `
------BEGIN ECDSA PRIVATE KEY-----
-MHcCAQEEIPLfwg+SVC2/xUcKq0bI9y2+SDEEdCeGuxuBz22BhAw1oAoGCCqGSM49
-AwEHoUQDQgAEuLMCOyXLUNLw0kXYoTX3lXzdOCJ1+AYQHue52xx0pYff7m5AeAJz
-7YFX/sAYaPfJ49FlkvNgP3mCgn9rt563/Q==
------END ECDSA PRIVATE KEY-----
-`
-)
