crypto/tls: enable TLS 1.3 and update tests

To disable TLS 1.3, simply remove VersionTLS13 from supportedVersions,
as tested by TestEscapeRoute, and amend documentation. To make it
opt-in, revert the change to (*Config).supportedVersions from this CL.

I did not have the heart to implement the early data skipping feature
when I realized that it did not offer a choice between two
abstraction-breaking options, but demanded them both (look for handshake
type in case of HelloRetryRequest, trial decryption otherwise). It's a
lot of complexity for an apparently small gain, but if anyone has strong
opinions about it let me know.

Note that in TLS 1.3 alerts are encrypted, so the close_notify peeking
to return (n > 0, io.EOF) from Read doesn't work. If we are lucky, those
servers that unexpectedly close connections after serving a single
request will have stopped (maybe thanks to H/2) before they got updated
to TLS 1.3.

Relatedly, session tickets are now provisioned on the client first Read
instead of at Handshake time, because they are, well, post-handshake
messages. If this proves to be a problem we might try to peek at them.

Doubled the tests that cover logic that's different in TLS 1.3.

The benchmarks for TLS 1.2 compared to be0f3c286b5 (before TLS 1.3 and
its refactors, after CL 142817 changed them to use real connections)
show little movement.

name                                       old time/op   new time/op   delta
HandshakeServer/RSA-8                        795µs ± 1%    798µs ± 1%    ~     (p=0.057 n=10+18)
HandshakeServer/ECDHE-P256-RSA-8             903µs ± 0%    909µs ± 1%  +0.68%  (p=0.000 n=8+17)
HandshakeServer/ECDHE-P256-ECDSA-P256-8      198µs ± 0%    204µs ± 1%  +3.24%  (p=0.000 n=9+18)
HandshakeServer/ECDHE-X25519-ECDSA-P256-8    202µs ± 3%    208µs ± 1%  +2.98%  (p=0.000 n=9+20)
HandshakeServer/ECDHE-P521-ECDSA-P521-8     15.5ms ± 1%   15.9ms ± 2%  +2.49%  (p=0.000 n=10+20)
Throughput/MaxPacket/1MB-8                  5.81ms ±23%   6.14ms ±44%    ~     (p=0.605 n=8+18)
Throughput/MaxPacket/2MB-8                  8.91ms ±22%   8.74ms ±33%    ~     (p=0.498 n=9+19)
Throughput/MaxPacket/4MB-8                  12.8ms ± 3%   14.0ms ±10%  +9.74%  (p=0.000 n=10+17)
Throughput/MaxPacket/8MB-8                  25.1ms ± 7%   24.6ms ±16%    ~     (p=0.129 n=9+19)
Throughput/MaxPacket/16MB-8                 46.3ms ± 4%   45.9ms ±12%    ~     (p=0.340 n=9+20)
Throughput/MaxPacket/32MB-8                 88.5ms ± 4%   86.0ms ± 4%  -2.82%  (p=0.004 n=10+20)
Throughput/MaxPacket/64MB-8                  173ms ± 2%    167ms ± 7%  -3.42%  (p=0.001 n=10+19)
Throughput/DynamicPacket/1MB-8              5.88ms ± 4%   6.59ms ±64%    ~     (p=0.232 n=9+18)
Throughput/DynamicPacket/2MB-8              9.08ms ±12%   8.73ms ±21%    ~     (p=0.408 n=10+18)
Throughput/DynamicPacket/4MB-8              14.2ms ± 5%   14.0ms ±11%    ~     (p=0.188 n=9+19)
Throughput/DynamicPacket/8MB-8              25.1ms ± 6%   24.0ms ± 7%  -4.39%  (p=0.000 n=10+18)
Throughput/DynamicPacket/16MB-8             45.6ms ± 3%   43.3ms ± 1%  -5.22%  (p=0.000 n=10+8)
Throughput/DynamicPacket/32MB-8             88.4ms ± 3%   84.8ms ± 2%  -4.06%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8              175ms ± 3%    167ms ± 2%  -4.63%  (p=0.000 n=10+10)
Latency/MaxPacket/200kbps-8                  694ms ± 0%    694ms ± 0%  -0.02%  (p=0.000 n=9+9)
Latency/MaxPacket/500kbps-8                  279ms ± 0%    279ms ± 0%  -0.09%  (p=0.000 n=10+10)
Latency/MaxPacket/1000kbps-8                 140ms ± 0%    140ms ± 0%  -0.15%  (p=0.000 n=10+9)
Latency/MaxPacket/2000kbps-8                71.1ms ± 0%   71.0ms ± 0%  -0.09%  (p=0.001 n=8+9)
Latency/MaxPacket/5000kbps-8                30.5ms ± 6%   30.1ms ± 6%    ~     (p=0.905 n=10+9)
Latency/DynamicPacket/200kbps-8              134ms ± 0%    134ms ± 0%    ~     (p=0.796 n=9+9)
Latency/DynamicPacket/500kbps-8             54.8ms ± 0%   54.7ms ± 0%  -0.18%  (p=0.000 n=8+10)
Latency/DynamicPacket/1000kbps-8            28.5ms ± 0%   29.1ms ± 8%    ~     (p=0.173 n=8+10)
Latency/DynamicPacket/2000kbps-8            15.3ms ± 6%   15.9ms ±10%    ~     (p=0.905 n=9+10)
Latency/DynamicPacket/5000kbps-8            9.14ms ±21%   9.65ms ±82%    ~     (p=0.529 n=10+10)

name                                       old speed     new speed     delta
Throughput/MaxPacket/1MB-8                 175MB/s ±13%  167MB/s ±64%    ~     (p=0.646 n=7+20)
Throughput/MaxPacket/2MB-8                 241MB/s ±25%  241MB/s ±40%    ~     (p=0.660 n=9+20)
Throughput/MaxPacket/4MB-8                 328MB/s ± 3%  300MB/s ± 9%  -8.70%  (p=0.000 n=10+17)
Throughput/MaxPacket/8MB-8                 335MB/s ± 7%  340MB/s ±17%    ~     (p=0.212 n=9+20)
Throughput/MaxPacket/16MB-8                363MB/s ± 4%  367MB/s ±11%    ~     (p=0.340 n=9+20)
Throughput/MaxPacket/32MB-8                379MB/s ± 4%  390MB/s ± 4%  +2.93%  (p=0.004 n=10+20)
Throughput/MaxPacket/64MB-8                388MB/s ± 2%  401MB/s ± 7%  +3.25%  (p=0.004 n=10+20)
Throughput/DynamicPacket/1MB-8             178MB/s ± 4%  157MB/s ±73%    ~     (p=0.127 n=9+20)
Throughput/DynamicPacket/2MB-8             232MB/s ±11%  243MB/s ±18%    ~     (p=0.415 n=10+18)
Throughput/DynamicPacket/4MB-8             296MB/s ± 5%  299MB/s ±15%    ~     (p=0.295 n=9+20)
Throughput/DynamicPacket/8MB-8             334MB/s ± 6%  350MB/s ± 7%  +4.58%  (p=0.000 n=10+18)
Throughput/DynamicPacket/16MB-8            368MB/s ± 3%  388MB/s ± 1%  +5.48%  (p=0.000 n=10+8)
Throughput/DynamicPacket/32MB-8            380MB/s ± 3%  396MB/s ± 2%  +4.20%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8            384MB/s ± 3%  403MB/s ± 2%  +4.83%  (p=0.000 n=10+10)

Comparing TLS 1.2 and TLS 1.3 at tip shows a slight (~5-10%) slowdown of
handshakes, which might be worth looking at next cycle, but the latency
improvements are expected to overshadow that.

name                                       old time/op   new time/op   delta
HandshakeServer/ECDHE-P256-RSA-8             909µs ± 1%    963µs ± 0%   +5.87%  (p=0.000 n=17+18)
HandshakeServer/ECDHE-P256-ECDSA-P256-8      204µs ± 1%    225µs ± 2%  +10.20%  (p=0.000 n=18+20)
HandshakeServer/ECDHE-X25519-ECDSA-P256-8    208µs ± 1%    230µs ± 2%  +10.35%  (p=0.000 n=20+18)
HandshakeServer/ECDHE-P521-ECDSA-P521-8     15.9ms ± 2%   15.9ms ± 1%     ~     (p=0.444 n=20+19)
Throughput/MaxPacket/1MB-8                  6.14ms ±44%   7.07ms ±46%     ~     (p=0.057 n=18+19)
Throughput/MaxPacket/2MB-8                  8.74ms ±33%   8.61ms ± 9%     ~     (p=0.552 n=19+17)
Throughput/MaxPacket/4MB-8                  14.0ms ±10%   14.1ms ±12%     ~     (p=0.707 n=17+20)
Throughput/MaxPacket/8MB-8                  24.6ms ±16%   25.6ms ±14%     ~     (p=0.107 n=19+20)
Throughput/MaxPacket/16MB-8                 45.9ms ±12%   44.7ms ± 6%     ~     (p=0.607 n=20+19)
Throughput/MaxPacket/32MB-8                 86.0ms ± 4%   87.9ms ± 8%     ~     (p=0.113 n=20+19)
Throughput/MaxPacket/64MB-8                  167ms ± 7%    169ms ± 2%   +1.26%  (p=0.011 n=19+19)
Throughput/DynamicPacket/1MB-8              6.59ms ±64%   6.79ms ±43%     ~     (p=0.480 n=18+19)
Throughput/DynamicPacket/2MB-8              8.73ms ±21%   9.58ms ±13%   +9.71%  (p=0.006 n=18+20)
Throughput/DynamicPacket/4MB-8              14.0ms ±11%   13.9ms ±10%     ~     (p=0.687 n=19+20)
Throughput/DynamicPacket/8MB-8              24.0ms ± 7%   24.6ms ± 8%   +2.36%  (p=0.045 n=18+17)
Throughput/DynamicPacket/16MB-8             43.3ms ± 1%   44.3ms ± 2%   +2.48%  (p=0.001 n=8+9)
Throughput/DynamicPacket/32MB-8             84.8ms ± 2%   86.7ms ± 2%   +2.27%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8              167ms ± 2%    170ms ± 3%   +1.89%  (p=0.005 n=10+10)
Latency/MaxPacket/200kbps-8                  694ms ± 0%    699ms ± 0%   +0.65%  (p=0.000 n=9+10)
Latency/MaxPacket/500kbps-8                  279ms ± 0%    280ms ± 0%   +0.68%  (p=0.000 n=10+10)
Latency/MaxPacket/1000kbps-8                 140ms ± 0%    141ms ± 0%   +0.59%  (p=0.000 n=9+9)
Latency/MaxPacket/2000kbps-8                71.0ms ± 0%   71.3ms ± 0%   +0.42%  (p=0.000 n=9+9)
Latency/MaxPacket/5000kbps-8                30.1ms ± 6%   30.7ms ±10%   +1.93%  (p=0.019 n=9+9)
Latency/DynamicPacket/200kbps-8              134ms ± 0%    138ms ± 0%   +3.22%  (p=0.000 n=9+10)
Latency/DynamicPacket/500kbps-8             54.7ms ± 0%   56.3ms ± 0%   +3.03%  (p=0.000 n=10+8)
Latency/DynamicPacket/1000kbps-8            29.1ms ± 8%   29.1ms ± 0%     ~     (p=0.173 n=10+8)
Latency/DynamicPacket/2000kbps-8            15.9ms ±10%   16.4ms ±36%     ~     (p=0.633 n=10+8)
Latency/DynamicPacket/5000kbps-8            9.65ms ±82%   8.32ms ± 8%     ~     (p=0.573 n=10+8)

name                                       old speed     new speed     delta
Throughput/MaxPacket/1MB-8                 167MB/s ±64%  155MB/s ±55%     ~     (p=0.224 n=20+19)
Throughput/MaxPacket/2MB-8                 241MB/s ±40%  244MB/s ± 9%     ~     (p=0.407 n=20+17)
Throughput/MaxPacket/4MB-8                 300MB/s ± 9%  298MB/s ±11%     ~     (p=0.707 n=17+20)
Throughput/MaxPacket/8MB-8                 340MB/s ±17%  330MB/s ±13%     ~     (p=0.201 n=20+20)
Throughput/MaxPacket/16MB-8                367MB/s ±11%  375MB/s ± 5%     ~     (p=0.607 n=20+19)
Throughput/MaxPacket/32MB-8                390MB/s ± 4%  382MB/s ± 8%     ~     (p=0.113 n=20+19)
Throughput/MaxPacket/64MB-8                401MB/s ± 7%  397MB/s ± 2%   -0.96%  (p=0.030 n=20+19)
Throughput/DynamicPacket/1MB-8             157MB/s ±73%  156MB/s ±39%     ~     (p=0.738 n=20+20)
Throughput/DynamicPacket/2MB-8             243MB/s ±18%  220MB/s ±14%   -9.65%  (p=0.006 n=18+20)
Throughput/DynamicPacket/4MB-8             299MB/s ±15%  303MB/s ± 9%     ~     (p=0.512 n=20+20)
Throughput/DynamicPacket/8MB-8             350MB/s ± 7%  342MB/s ± 8%   -2.27%  (p=0.045 n=18+17)
Throughput/DynamicPacket/16MB-8            388MB/s ± 1%  378MB/s ± 2%   -2.41%  (p=0.001 n=8+9)
Throughput/DynamicPacket/32MB-8            396MB/s ± 2%  387MB/s ± 2%   -2.21%  (p=0.000 n=10+10)
Throughput/DynamicPacket/64MB-8            403MB/s ± 2%  396MB/s ± 3%   -1.84%  (p=0.005 n=10+10)

Fixes #9671

Change-Id: Ieb57c5140eb2c083b8be0d42b240cd2eeec0dcf6
Reviewed-on: https://go-review.googlesource.com/c/147638
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>

1 files changed, 35 insertions, 32 deletions

diff --git a/src/crypto/tls/testdata/Server-TLSv12-RSA-AES b/src/crypto/tls/testdata/Server-TLSv12-RSA-AES
index 813f7489c8..e4d773d4c4 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-AES
@@ -1,15 +1,18 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 5d 01 00 00  59 03 03 7a e5 86 e2 0a  |....]...Y..z....|
-00000010  53 e7 ba 32 d1 57 47 ed  45 29 1b 33 2c 58 33 8f  |S..2.WG.E).3,X3.|
-00000020  36 2c 50 6f f9 c7 3b 12  40 23 e2 00 00 04 00 2f  |6,Po..;.@#...../|
-00000030  00 ff 01 00 00 2c 00 0d  00 20 00 1e 06 01 06 02  |.....,... ......|
-00000040  06 03 05 01 05 02 05 03  04 01 04 02 04 03 03 01  |................|
-00000050  03 02 03 03 02 01 02 02  02 03 00 16 00 00 00 17  |................|
-00000060  00 00                                             |..|
+00000000  16 03 01 00 97 01 00 00  93 03 03 41 7b 60 d8 f5  |...........A{`..|
+00000010  1c 4a 95 f9 03 de 94 0c  b6 34 94 3c 6e 82 f2 de  |.J.......4.<n...|
+00000020  2c 28 00 98 02 56 5e 8d  53 60 da 00 00 04 00 2f  |,(...V^.S`...../|
+00000030  00 ff 01 00 00 66 00 00  00 0e 00 0c 00 00 09 31  |.....f.........1|
+00000040  32 37 2e 30 2e 30 2e 31  00 0b 00 04 03 00 01 02  |27.0.0.1........|
+00000050  00 0a 00 0c 00 0a 00 1d  00 17 00 1e 00 19 00 18  |................|
+00000060  00 16 00 00 00 17 00 00  00 0d 00 30 00 2e 04 03  |...........0....|
+00000070  05 03 06 03 08 07 08 08  08 09 08 0a 08 0b 08 04  |................|
+00000080  08 05 08 06 04 01 05 01  06 01 03 03 02 03 03 01  |................|
+00000090  02 01 03 02 02 02 04 02  05 02 06 02              |............|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 2f 00 00  |............./..|
+00000020  00 00 00 44 4f 57 4e 47  52 44 01 00 00 2f 00 00  |...DOWNGRD.../..|
 00000030  05 ff 01 00 01 00 16 03  03 02 59 0b 00 02 55 00  |..........Y...U.|
 00000040  02 52 00 02 4f 30 82 02  4b 30 82 01 b4 a0 03 02  |.R..O0..K0......|
 00000050  01 02 02 09 00 e8 f0 9d  3f e2 5b ea a6 30 0d 06  |........?.[..0..|
@@ -50,31 +53,31 @@
 00000280  b3 3e c0 d1 bd 42 d4 db  fe 3d 13 60 84 5c 21 d3  |.>...B...=.`.\!.|
 00000290  3b e9 fa e7 16 03 03 00  04 0e 00 00 00           |;............|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 86 10 00 00  82 00 80 8f 13 d1 23 1b  |..............#.|
-00000010  8d 28 c7 a3 97 66 9f 8a  c1 13 a1 c9 3b 25 93 7a  |.(...f......;%.z|
-00000020  ea 54 58 fc 57 41 ca 92  77 99 13 01 61 e4 73 90  |.TX.WA..w...a.s.|
-00000030  c7 f1 2b 5e 5e 79 cf 69  7d 6b 3f 6e 5f 2e b0 f5  |..+^^y.i}k?n_...|
-00000040  f7 53 2b 46 15 92 6c 20  95 6b 44 6a 0a 3d 0b 56  |.S+F..l .kDj.=.V|
-00000050  66 53 ff 55 ec 38 10 cf  76 2c 0e ab 45 7a 02 6a  |fS.U.8..v,..Ez.j|
-00000060  75 07 11 80 6c d0 57 79  ed d6 4b b8 a0 04 91 a0  |u...l.Wy..K.....|
-00000070  d4 4b 76 38 9c b3 a6 2e  0c 3e 63 a8 18 15 c9 ab  |.Kv8.....>c.....|
-00000080  54 69 cd e5 6f 3c 56 a6  5f a7 e0 14 03 03 00 01  |Ti..o<V._.......|
-00000090  01 16 03 03 00 40 06 07  16 b4 7f fa 1a 8f 9b 1a  |.....@..........|
-000000a0  a3 23 ba 5f ce ff 0a 70  b1 11 2b 84 77 7a 78 1a  |.#._...p..+.wzx.|
-000000b0  6c 32 93 6c 31 e8 e5 26  12 97 14 33 a9 77 71 19  |l2.l1..&...3.wq.|
-000000c0  0b 20 5d 8f 3c 71 0d a4  b9 94 aa ff 42 8e d3 2d  |. ].<q......B..-|
-000000d0  7e 57 3b 35 41 cc                                 |~W;5A.|
+00000000  16 03 03 00 86 10 00 00  82 00 80 15 eb 41 72 e4  |.............Ar.|
+00000010  cf 0f 8b bb 9a ea aa 2a  f1 dc 2e c9 db d8 cf bd  |.......*........|
+00000020  5e fb 86 30 98 b4 22 62  a5 32 d0 e6 3d 38 49 1a  |^..0.."b.2..=8I.|
+00000030  70 6f fa d3 81 c0 8d 00  c6 cd 80 b6 ed 26 8b 98  |po...........&..|
+00000040  3a 26 8b 8e 88 ba 61 a6  8e 19 5a 0e 51 bb 4e 9e  |:&....a...Z.Q.N.|
+00000050  a9 21 09 77 cf 42 eb 26  90 3a 08 bb c5 89 88 2c  |.!.w.B.&.:.....,|
+00000060  19 db b3 1c 7a d0 60 76  be 9a d5 0c ec df dd 11  |....z.`v........|
+00000070  9e a0 85 a5 36 3d 07 f7  36 47 52 92 cd 84 7b 2e  |....6=..6GR...{.|
+00000080  13 18 47 58 8a 00 4b 39  59 bb da 14 03 03 00 01  |..GX..K9Y.......|
+00000090  01 16 03 03 00 40 16 0e  0a 79 db 54 11 36 73 af  |.....@...y.T.6s.|
+000000a0  eb cb 9d e8 b4 42 1a f8  94 f0 fb d1 60 f8 9f 9d  |.....B......`...|
+000000b0  ba 87 f6 27 ef 54 e4 f9  f7 1f a7 61 f5 82 1a 40  |...'.T.....a...@|
+000000c0  96 81 f6 14 db 89 ec 8b  0c 37 ba 11 55 94 d3 df  |.........7..U...|
+000000d0  df 8d 61 ec a7 43                                 |..a..C|
 >>> Flow 4 (server to client)
 00000000  14 03 03 00 01 01 16 03  03 00 40 00 00 00 00 00  |..........@.....|
-00000010  00 00 00 00 00 00 00 00  00 00 00 51 27 cd 07 6e  |...........Q'..n|
-00000020  72 c8 17 ba e7 62 7c d0  49 55 e7 e6 c5 2c 93 39  |r....b|.IU...,.9|
-00000030  55 02 f5 fa 9a 7a 6f c5  79 6f ff 0f 4b b9 3d ad  |U....zo.yo..K.=.|
-00000040  23 c7 53 ad 13 2d d6 da  83 d0 67 17 03 03 00 40  |#.S..-....g....@|
+00000010  00 00 00 00 00 00 00 00  00 00 00 ef 1a ed 92 e1  |................|
+00000020  e1 81 1e a8 e1 ff 2b 2b  64 89 17 55 2d ce eb be  |......++d..U-...|
+00000030  17 a6 b8 a7 55 8a c4 3b  8a 5a c7 56 7c b5 90 c9  |....U..;.Z.V|...|
+00000040  19 bc 13 07 50 91 42 2a  46 13 d1 17 03 03 00 40  |....P.B*F......@|
 00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000060  f5 09 3b 69 c2 1f f8 03  78 1b 13 57 ca 92 96 eb  |..;i....x..W....|
-00000070  f8 71 30 09 5a 68 01 47  96 b1 5b 7d b7 57 5e 70  |.q0.Zh.G..[}.W^p|
-00000080  00 77 bb 55 32 7b d9 a5  f7 e2 a8 6d 4b d6 be c6  |.w.U2{.....mK...|
+00000060  9e fe 95 fa 67 a5 af 14  f0 80 fd 65 65 ac 0a 91  |....g......ee...|
+00000070  4a 1d 4a c3 de 3f 35 a7  de 10 94 55 b0 8f be e6  |J.J..?5....U....|
+00000080  76 a2 74 4c 89 47 b9 10  8f 78 a9 01 6b ac bb d9  |v.tL.G...x..k...|
 00000090  15 03 03 00 30 00 00 00  00 00 00 00 00 00 00 00  |....0...........|
-000000a0  00 00 00 00 00 58 1e a0  14 82 8d e4 c5 92 35 79  |.....X........5y|
-000000b0  3b 5e 3a fe 97 18 db 27  19 7e b5 14 8c 01 fb 6a  |;^:....'.~.....j|
-000000c0  e4 26 96 e6 de                                    |.&...|
+000000a0  00 00 00 00 00 36 ce 1a  97 3e e3 0e 62 74 70 10  |.....6...>..btp.|
+000000b0  ec a5 30 16 1f 2d e0 5b  c9 38 4d fb 61 2e 45 35  |..0..-.[.8M.a.E5|
+000000c0  4b 69 da 43 39                                    |Ki.C9|