crypto/tls: enable TLS 1.3 and update tests

To disable TLS 1.3, simply remove VersionTLS13 from supportedVersions,
as tested by TestEscapeRoute, and amend documentation. To make it
opt-in, revert the change to (*Config).supportedVersions from this CL.

I did not have the heart to implement the early data skipping feature
when I realized that it did not offer a choice between two
abstraction-breaking options, but demanded them both (look for handshake
type in case of HelloRetryRequest, trial decryption otherwise). It's a
lot of complexity for an apparently small gain, but if anyone has strong
opinions about it let me know.

Note that in TLS 1.3 alerts are encrypted, so the close_notify peeking
to return (n > 0, io.EOF) from Read doesn't work. If we are lucky, those
servers that unexpectedly close connections after serving a single
request will have stopped (maybe thanks to H/2) before they got updated
to TLS 1.3.

Relatedly, session tickets are now provisioned on the client first Read
instead of at Handshake time, because they are, well, post-handshake
messages. If this proves to be a problem we might try to peek at them.

Doubled the tests that cover logic that's different in TLS 1.3.

The benchmarks for TLS 1.2 compared to be0f3c286b5 (before TLS 1.3 and
its refactors, after CL 142817 changed them to use real connections)
show little movement.

name                                       old time/op   new time/op   delta
HandshakeServer/RSA-8                        795µs ± 1%    798µs ± 1%    ~     (p=0.057 n=10+18)
HandshakeServer/ECDHE-P256-RSA-8             903µs ± 0%    909µs ± 1%  +0.68%  (p=0.000 n=8+17)
HandshakeServer/ECDHE-P256-ECDSA-P256-8      198µs ± 0%    204µs ± 1%  +3.24%  (p=0.000 n=9+18)
HandshakeServer/ECDHE-X25519-ECDSA-P256-8    202µs ± 3%    208µs ± 1%  +2.98%  (p=0.000 n=9+20)
HandshakeServer/ECDHE-P521-ECDSA-P521-8     15.5ms ± 1%   15.9ms ± 2%  +2.49%  (p=0.000 n=10+20)
Throughput/MaxPacket/1MB-8                  5.81ms ±23%   6.14ms ±44%    ~     (p=0.605 n=8+18)
Throughput/MaxPacket/2MB-8                  8.91ms ±22%   8.74ms ±33%    ~     (p=0.498 n=9+19)
Throughput/MaxPacket/4MB-8                  12.8ms ± 3%   14.0ms ±10%  +9.74%  (p=0.000 n=10+17)
Throughput/MaxPacket/8MB-8                  25.1ms ± 7%   24.6ms ±16%    ~     (p=0.129 n=9+19)
Throughput/MaxPacket/16MB-8                 46.3ms ± 4%   45.9ms ±12%    ~     (p=0.340 n=9+20)
Throughput/MaxPacket/32MB-8                 88.5ms ± 4%   86.0ms ± 4%  -2.82%  (p=0.004 n=10+20)
Throughput/MaxPacket/64MB-8                  173ms ± 2%    167ms ± 7%  -3.42%  (p=0.001 n=10+19)
Throughput/DynamicPacket/1MB-8              5.88ms ± 4%   6.59ms ±64%    ~     (p=0.232 n=9+18)
Throughput/DynamicPacket/2MB-8              9.08ms ±12%   8.73ms ±21%    ~     (p=0.408 n=10+18)
Throughput/DynamicPacket/4MB-8              14.2ms ± 5%   14.0ms ±11%    ~     (p=0.188 n=9+19)
Throughput/DynamicPacket/8MB-8              25.1ms ± 6%   24.0ms ± 7%  -4.39%  (p=0.000 n=10+18)
Throughput/DynamicPacket/16MB-8             45.6ms ± 3%   43.3ms ± 1%  -5.22%  (p=0.000 n=10+8)
Throughput/DynamicPacket/32MB-8             88.4ms ± 3%   84.8ms ± 2%  -4.06%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8              175ms ± 3%    167ms ± 2%  -4.63%  (p=0.000 n=10+10)
Latency/MaxPacket/200kbps-8                  694ms ± 0%    694ms ± 0%  -0.02%  (p=0.000 n=9+9)
Latency/MaxPacket/500kbps-8                  279ms ± 0%    279ms ± 0%  -0.09%  (p=0.000 n=10+10)
Latency/MaxPacket/1000kbps-8                 140ms ± 0%    140ms ± 0%  -0.15%  (p=0.000 n=10+9)
Latency/MaxPacket/2000kbps-8                71.1ms ± 0%   71.0ms ± 0%  -0.09%  (p=0.001 n=8+9)
Latency/MaxPacket/5000kbps-8                30.5ms ± 6%   30.1ms ± 6%    ~     (p=0.905 n=10+9)
Latency/DynamicPacket/200kbps-8              134ms ± 0%    134ms ± 0%    ~     (p=0.796 n=9+9)
Latency/DynamicPacket/500kbps-8             54.8ms ± 0%   54.7ms ± 0%  -0.18%  (p=0.000 n=8+10)
Latency/DynamicPacket/1000kbps-8            28.5ms ± 0%   29.1ms ± 8%    ~     (p=0.173 n=8+10)
Latency/DynamicPacket/2000kbps-8            15.3ms ± 6%   15.9ms ±10%    ~     (p=0.905 n=9+10)
Latency/DynamicPacket/5000kbps-8            9.14ms ±21%   9.65ms ±82%    ~     (p=0.529 n=10+10)

name                                       old speed     new speed     delta
Throughput/MaxPacket/1MB-8                 175MB/s ±13%  167MB/s ±64%    ~     (p=0.646 n=7+20)
Throughput/MaxPacket/2MB-8                 241MB/s ±25%  241MB/s ±40%    ~     (p=0.660 n=9+20)
Throughput/MaxPacket/4MB-8                 328MB/s ± 3%  300MB/s ± 9%  -8.70%  (p=0.000 n=10+17)
Throughput/MaxPacket/8MB-8                 335MB/s ± 7%  340MB/s ±17%    ~     (p=0.212 n=9+20)
Throughput/MaxPacket/16MB-8                363MB/s ± 4%  367MB/s ±11%    ~     (p=0.340 n=9+20)
Throughput/MaxPacket/32MB-8                379MB/s ± 4%  390MB/s ± 4%  +2.93%  (p=0.004 n=10+20)
Throughput/MaxPacket/64MB-8                388MB/s ± 2%  401MB/s ± 7%  +3.25%  (p=0.004 n=10+20)
Throughput/DynamicPacket/1MB-8             178MB/s ± 4%  157MB/s ±73%    ~     (p=0.127 n=9+20)
Throughput/DynamicPacket/2MB-8             232MB/s ±11%  243MB/s ±18%    ~     (p=0.415 n=10+18)
Throughput/DynamicPacket/4MB-8             296MB/s ± 5%  299MB/s ±15%    ~     (p=0.295 n=9+20)
Throughput/DynamicPacket/8MB-8             334MB/s ± 6%  350MB/s ± 7%  +4.58%  (p=0.000 n=10+18)
Throughput/DynamicPacket/16MB-8            368MB/s ± 3%  388MB/s ± 1%  +5.48%  (p=0.000 n=10+8)
Throughput/DynamicPacket/32MB-8            380MB/s ± 3%  396MB/s ± 2%  +4.20%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8            384MB/s ± 3%  403MB/s ± 2%  +4.83%  (p=0.000 n=10+10)

Comparing TLS 1.2 and TLS 1.3 at tip shows a slight (~5-10%) slowdown of
handshakes, which might be worth looking at next cycle, but the latency
improvements are expected to overshadow that.

name                                       old time/op   new time/op   delta
HandshakeServer/ECDHE-P256-RSA-8             909µs ± 1%    963µs ± 0%   +5.87%  (p=0.000 n=17+18)
HandshakeServer/ECDHE-P256-ECDSA-P256-8      204µs ± 1%    225µs ± 2%  +10.20%  (p=0.000 n=18+20)
HandshakeServer/ECDHE-X25519-ECDSA-P256-8    208µs ± 1%    230µs ± 2%  +10.35%  (p=0.000 n=20+18)
HandshakeServer/ECDHE-P521-ECDSA-P521-8     15.9ms ± 2%   15.9ms ± 1%     ~     (p=0.444 n=20+19)
Throughput/MaxPacket/1MB-8                  6.14ms ±44%   7.07ms ±46%     ~     (p=0.057 n=18+19)
Throughput/MaxPacket/2MB-8                  8.74ms ±33%   8.61ms ± 9%     ~     (p=0.552 n=19+17)
Throughput/MaxPacket/4MB-8                  14.0ms ±10%   14.1ms ±12%     ~     (p=0.707 n=17+20)
Throughput/MaxPacket/8MB-8                  24.6ms ±16%   25.6ms ±14%     ~     (p=0.107 n=19+20)
Throughput/MaxPacket/16MB-8                 45.9ms ±12%   44.7ms ± 6%     ~     (p=0.607 n=20+19)
Throughput/MaxPacket/32MB-8                 86.0ms ± 4%   87.9ms ± 8%     ~     (p=0.113 n=20+19)
Throughput/MaxPacket/64MB-8                  167ms ± 7%    169ms ± 2%   +1.26%  (p=0.011 n=19+19)
Throughput/DynamicPacket/1MB-8              6.59ms ±64%   6.79ms ±43%     ~     (p=0.480 n=18+19)
Throughput/DynamicPacket/2MB-8              8.73ms ±21%   9.58ms ±13%   +9.71%  (p=0.006 n=18+20)
Throughput/DynamicPacket/4MB-8              14.0ms ±11%   13.9ms ±10%     ~     (p=0.687 n=19+20)
Throughput/DynamicPacket/8MB-8              24.0ms ± 7%   24.6ms ± 8%   +2.36%  (p=0.045 n=18+17)
Throughput/DynamicPacket/16MB-8             43.3ms ± 1%   44.3ms ± 2%   +2.48%  (p=0.001 n=8+9)
Throughput/DynamicPacket/32MB-8             84.8ms ± 2%   86.7ms ± 2%   +2.27%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8              167ms ± 2%    170ms ± 3%   +1.89%  (p=0.005 n=10+10)
Latency/MaxPacket/200kbps-8                  694ms ± 0%    699ms ± 0%   +0.65%  (p=0.000 n=9+10)
Latency/MaxPacket/500kbps-8                  279ms ± 0%    280ms ± 0%   +0.68%  (p=0.000 n=10+10)
Latency/MaxPacket/1000kbps-8                 140ms ± 0%    141ms ± 0%   +0.59%  (p=0.000 n=9+9)
Latency/MaxPacket/2000kbps-8                71.0ms ± 0%   71.3ms ± 0%   +0.42%  (p=0.000 n=9+9)
Latency/MaxPacket/5000kbps-8                30.1ms ± 6%   30.7ms ±10%   +1.93%  (p=0.019 n=9+9)
Latency/DynamicPacket/200kbps-8              134ms ± 0%    138ms ± 0%   +3.22%  (p=0.000 n=9+10)
Latency/DynamicPacket/500kbps-8             54.7ms ± 0%   56.3ms ± 0%   +3.03%  (p=0.000 n=10+8)
Latency/DynamicPacket/1000kbps-8            29.1ms ± 8%   29.1ms ± 0%     ~     (p=0.173 n=10+8)
Latency/DynamicPacket/2000kbps-8            15.9ms ±10%   16.4ms ±36%     ~     (p=0.633 n=10+8)
Latency/DynamicPacket/5000kbps-8            9.65ms ±82%   8.32ms ± 8%     ~     (p=0.573 n=10+8)

name                                       old speed     new speed     delta
Throughput/MaxPacket/1MB-8                 167MB/s ±64%  155MB/s ±55%     ~     (p=0.224 n=20+19)
Throughput/MaxPacket/2MB-8                 241MB/s ±40%  244MB/s ± 9%     ~     (p=0.407 n=20+17)
Throughput/MaxPacket/4MB-8                 300MB/s ± 9%  298MB/s ±11%     ~     (p=0.707 n=17+20)
Throughput/MaxPacket/8MB-8                 340MB/s ±17%  330MB/s ±13%     ~     (p=0.201 n=20+20)
Throughput/MaxPacket/16MB-8                367MB/s ±11%  375MB/s ± 5%     ~     (p=0.607 n=20+19)
Throughput/MaxPacket/32MB-8                390MB/s ± 4%  382MB/s ± 8%     ~     (p=0.113 n=20+19)
Throughput/MaxPacket/64MB-8                401MB/s ± 7%  397MB/s ± 2%   -0.96%  (p=0.030 n=20+19)
Throughput/DynamicPacket/1MB-8             157MB/s ±73%  156MB/s ±39%     ~     (p=0.738 n=20+20)
Throughput/DynamicPacket/2MB-8             243MB/s ±18%  220MB/s ±14%   -9.65%  (p=0.006 n=18+20)
Throughput/DynamicPacket/4MB-8             299MB/s ±15%  303MB/s ± 9%     ~     (p=0.512 n=20+20)
Throughput/DynamicPacket/8MB-8             350MB/s ± 7%  342MB/s ± 8%   -2.27%  (p=0.045 n=18+17)
Throughput/DynamicPacket/16MB-8            388MB/s ± 1%  378MB/s ± 2%   -2.41%  (p=0.001 n=8+9)
Throughput/DynamicPacket/32MB-8            396MB/s ± 2%  387MB/s ± 2%   -2.21%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8            403MB/s ± 2%  396MB/s ± 3%   -1.84%  (p=0.005 n=10+10)

Fixes #9671

Change-Id: Ieb57c5140eb2c083b8be0d42b240cd2eeec0dcf6
Reviewed-on: https://go-review.googlesource.com/c/147638
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>

1 files changed, 27 insertions, 24 deletions

diff --git a/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4 b/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4
index 3d788c35d2..cbf41d5c3a 100644
--- a/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4
+++ b/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4
@@ -1,12 +1,15 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 39 01 00 00  35 03 01 71 34 00 f7 c4  |....9...5..q4...|
-00000010  e6 94 b4 ca f2 af d5 0a  82 ce d4 f6 b7 4a a7 d1  |.............J..|
-00000020  1a 88 65 b2 3c b2 6c ec  f7 eb 4a 00 00 04 00 05  |..e.<.l...J.....|
-00000030  00 ff 01 00 00 08 00 16  00 00 00 17 00 00        |..............|
+00000000  16 03 01 00 63 01 00 00  5f 03 01 79 6a d2 2d 89  |....c..._..yj.-.|
+00000010  ce 1b 74 2f fd 6b ea e2  2d 21 56 0d e9 37 ce b9  |..t/.k..-!V..7..|
+00000020  bc 96 ef 0c 71 66 7a 3b  13 3a 6b 00 00 04 00 05  |....qfz;.:k.....|
+00000030  00 ff 01 00 00 32 00 00  00 0e 00 0c 00 00 09 31  |.....2.........1|
+00000040  32 37 2e 30 2e 30 2e 31  00 0b 00 04 03 00 01 02  |27.0.0.1........|
+00000050  00 0a 00 0c 00 0a 00 1d  00 17 00 1e 00 19 00 18  |................|
+00000060  00 16 00 00 00 17 00 00                           |........|
 >>> Flow 2 (server to client)
 00000000  16 03 01 00 31 02 00 00  2d 03 01 00 00 00 00 00  |....1...-.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 05 00 00  |................|
+00000020  00 00 00 44 4f 57 4e 47  52 44 00 00 00 05 00 00  |...DOWNGRD......|
 00000030  05 ff 01 00 01 00 16 03  01 02 59 0b 00 02 55 00  |..........Y...U.|
 00000040  02 52 00 02 4f 30 82 02  4b 30 82 01 b4 a0 03 02  |.R..O0..K0......|
 00000050  01 02 02 09 00 e8 f0 9d  3f e2 5b ea a6 30 0d 06  |........?.[..0..|
@@ -47,23 +50,23 @@
 00000280  b3 3e c0 d1 bd 42 d4 db  fe 3d 13 60 84 5c 21 d3  |.>...B...=.`.\!.|
 00000290  3b e9 fa e7 16 03 01 00  04 0e 00 00 00           |;............|
 >>> Flow 3 (client to server)
-00000000  16 03 01 00 86 10 00 00  82 00 80 a5 75 5a 20 2c  |............uZ ,|
-00000010  31 f7 61 dc 73 c7 f6 4c  06 d2 b9 c0 e8 5f cc 0c  |1.a.s..L....._..|
-00000020  51 70 0a 30 b2 8a bb 3b  4c 37 f6 d3 38 da 13 48  |Qp.0...;L7..8..H|
-00000030  90 4f fe 41 ec 53 3c fb  07 26 77 68 07 a0 fb 71  |.O.A.S<..&wh...q|
-00000040  b6 cc 3c cd b4 64 03 08  3a 76 97 6e 6c f1 b4 a9  |..<..d..:v.nl...|
-00000050  af f4 e0 ce bf 36 b9 8e  37 12 de 5b ac 24 06 63  |.....6..7..[.$.c|
-00000060  e2 fb 13 33 be 3b 8d 93  e3 10 95 29 21 b2 22 77  |...3.;.....)!."w|
-00000070  cb 95 b2 13 b3 76 47 98  13 1b a8 cc 50 47 ed 50  |.....vG.....PG.P|
-00000080  f0 cc ca 5a c6 a0 1e c9  9c 97 58 14 03 01 00 01  |...Z......X.....|
-00000090  01 16 03 01 00 24 e7 fd  a2 7e fd 6f 53 da 29 68  |.....$...~.oS.)h|
-000000a0  c3 49 2e e9 69 a1 94 b9  e4 a0 cb a2 94 14 a6 42  |.I..i..........B|
-000000b0  df 75 1e da 95 e5 60 e3  35 f1                    |.u....`.5.|
+00000000  16 03 01 00 86 10 00 00  82 00 80 d4 da 80 53 5a  |..............SZ|
+00000010  4c fc 0b c3 91 a0 b4 91  24 5a 6b 59 01 fa 05 52  |L.......$ZkY...R|
+00000020  cb 37 8c de 51 58 d7 ac  24 e2 d3 ac ad e6 00 0f  |.7..QX..$.......|
+00000030  72 50 a4 81 c3 18 ef f9  cb 0f 8b 6a cd e5 0e 46  |rP.........j...F|
+00000040  9a f1 3c 61 ed 31 d4 c0  35 61 14 1e e8 b5 0c b2  |..<a.1..5a......|
+00000050  12 d3 98 5b 54 11 41 cb  8c 13 44 3b 22 fd 3f 5e  |...[T.A...D;".?^|
+00000060  29 db 5a 46 13 ee 46 50  ba 25 f4 fb 90 ea ba 73  |).ZF..FP.%.....s|
+00000070  3d 8e 9e 4b cd c3 98 e6  34 99 fd 1a 8d f7 c4 53  |=..K....4......S|
+00000080  22 ca 3a 40 85 1e 64 ff  bc 29 d8 14 03 01 00 01  |".:@..d..)......|
+00000090  01 16 03 01 00 24 fd 64  7d 03 fb ae e7 36 bd ce  |.....$.d}....6..|
+000000a0  c3 76 f7 17 84 bd ca d6  33 b6 c9 04 1e f4 79 b9  |.v......3.....y.|
+000000b0  d1 32 49 cd 85 d9 fe c1  11 d1                    |.2I.......|
 >>> Flow 4 (server to client)
-00000000  14 03 01 00 01 01 16 03  01 00 24 44 a6 c8 7b 5f  |..........$D..{_|
-00000010  b9 4e c2 62 2d e0 c3 9f  76 0f b3 e5 f5 07 b7 c0  |.N.b-...v.......|
-00000020  93 cd 1f 32 3c 0a 7a 83  57 4a 24 59 ac 95 f9 17  |...2<.z.WJ$Y....|
-00000030  03 01 00 21 6f 02 76 2e  70 82 a0 6c 11 ce 3c b8  |...!o.v.p..l..<.|
-00000040  dd d3 9e 2a ee ce d7 7f  63 1a 5b 35 d0 46 68 7d  |...*....c.[5.Fh}|
-00000050  21 6e 5b 64 fc 15 03 01  00 16 81 56 32 7d 51 e4  |!n[d.......V2}Q.|
-00000060  08 53 85 45 65 c3 87 ac  b0 58 70 4f 6f f7 64 4e  |.S.Ee....XpOo.dN|
+00000000  14 03 01 00 01 01 16 03  01 00 24 0a 1c be 60 96  |..........$...`.|
+00000010  78 67 15 22 ac 38 39 87  80 f5 69 2b 08 32 01 23  |xg.".89...i+.2.#|
+00000020  e0 96 b3 89 8c 57 5f e4  27 33 66 90 b9 47 bc 17  |.....W_.'3f..G..|
+00000030  03 01 00 21 fd 10 f3 e3  e6 14 bf b2 72 ab f0 bb  |...!........r...|
+00000040  11 04 54 da cd 93 03 14  78 2c 26 32 44 2c 0c e8  |..T.....x,&2D,..|
+00000050  7e 56 25 83 0f 15 03 01  00 16 0c 26 07 14 19 aa  |~V%........&....|
+00000060  7e 78 bf 39 96 07 44 3d  a9 c6 50 7d dc c9 de f5  |~x.9..D=..P}....|