1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "container/list" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/rand" 12 "crypto/x509" 13 "errors" 14 "fmt" 15 "io" 16 "math/big" 17 "strings" 18 "sync" 19 "time" 20) 21 22const ( 23 VersionSSL30 = 0x0300 24 VersionTLS10 = 0x0301 25 VersionTLS11 = 0x0302 26 VersionTLS12 = 0x0303 27 VersionTLS13 = 0x0304 28) 29 30const ( 31 VersionDTLS10 = 0xfeff 32 VersionDTLS12 = 0xfefd 33) 34 35var allTLSWireVersions = []uint16{ 36 VersionTLS13, 37 VersionTLS12, 38 VersionTLS11, 39 VersionTLS10, 40 VersionSSL30, 41} 42 43var allDTLSWireVersions = []uint16{ 44 VersionDTLS12, 45 VersionDTLS10, 46} 47 48const ( 49 maxPlaintext = 16384 // maximum plaintext payload length 50 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length 51 tlsRecordHeaderLen = 5 // record header length 52 dtlsRecordHeaderLen = 13 53 maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) 54 55 minVersion = VersionSSL30 56 maxVersion = VersionTLS13 57) 58 59// TLS record types. 60type recordType uint8 61 62const ( 63 recordTypeChangeCipherSpec recordType = 20 64 recordTypeAlert recordType = 21 65 recordTypeHandshake recordType = 22 66 recordTypeApplicationData recordType = 23 67 recordTypePlaintextHandshake recordType = 24 68) 69 70// TLS handshake message types. 71const ( 72 typeHelloRequest uint8 = 0 73 typeClientHello uint8 = 1 74 typeServerHello uint8 = 2 75 typeHelloVerifyRequest uint8 = 3 76 typeNewSessionTicket uint8 = 4 77 typeEndOfEarlyData uint8 = 5 78 typeHelloRetryRequest uint8 = 6 79 typeEncryptedExtensions uint8 = 8 80 typeCertificate uint8 = 11 81 typeServerKeyExchange uint8 = 12 82 typeCertificateRequest uint8 = 13 83 typeServerHelloDone uint8 = 14 84 typeCertificateVerify uint8 = 15 85 typeClientKeyExchange uint8 = 16 86 typeFinished uint8 = 20 87 typeCertificateStatus uint8 = 22 88 typeKeyUpdate uint8 = 24 89 typeCompressedCertificate uint8 = 25 // Not IANA assigned 90 typeNextProtocol uint8 = 67 // Not IANA assigned 91 typeChannelID uint8 = 203 // Not IANA assigned 92 typeMessageHash uint8 = 254 93) 94 95// TLS compression types. 96const ( 97 compressionNone uint8 = 0 98) 99 100// TLS extension numbers 101const ( 102 extensionServerName uint16 = 0 103 extensionStatusRequest uint16 = 5 104 extensionSupportedCurves uint16 = 10 105 extensionSupportedPoints uint16 = 11 106 extensionSignatureAlgorithms uint16 = 13 107 extensionUseSRTP uint16 = 14 108 extensionALPN uint16 = 16 109 extensionSignedCertificateTimestamp uint16 = 18 110 extensionPadding uint16 = 21 111 extensionExtendedMasterSecret uint16 = 23 112 extensionTokenBinding uint16 = 24 113 extensionCompressedCertAlgs uint16 = 27 114 extensionSessionTicket uint16 = 35 115 extensionPreSharedKey uint16 = 41 116 extensionEarlyData uint16 = 42 117 extensionSupportedVersions uint16 = 43 118 extensionCookie uint16 = 44 119 extensionPSKKeyExchangeModes uint16 = 45 120 extensionCertificateAuthorities uint16 = 47 121 extensionSignatureAlgorithmsCert uint16 = 50 122 extensionKeyShare uint16 = 51 123 extensionCustom uint16 = 1234 // not IANA assigned 124 extensionNextProtoNeg uint16 = 13172 // not IANA assigned 125 extensionRenegotiationInfo uint16 = 0xff01 126 extensionQUICTransportParams uint16 = 0xffa5 // draft-ietf-quic-tls-13 127 extensionChannelID uint16 = 30032 // not IANA assigned 128 extensionDelegatedCredentials uint16 = 0xff02 // not IANA assigned 129) 130 131// TLS signaling cipher suite values 132const ( 133 scsvRenegotiation uint16 = 0x00ff 134) 135 136var tls13HelloRetryRequest = []uint8{ 137 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 138 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 139 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 140} 141 142// CurveID is the type of a TLS identifier for an elliptic curve. See 143// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 144type CurveID uint16 145 146const ( 147 CurveP224 CurveID = 21 148 CurveP256 CurveID = 23 149 CurveP384 CurveID = 24 150 CurveP521 CurveID = 25 151 CurveX25519 CurveID = 29 152 CurveCECPQ2 CurveID = 16696 153) 154 155// TLS Elliptic Curve Point Formats 156// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 157const ( 158 pointFormatUncompressed uint8 = 0 159 pointFormatCompressedPrime uint8 = 1 160) 161 162// TLS CertificateStatusType (RFC 3546) 163const ( 164 statusTypeOCSP uint8 = 1 165) 166 167// Certificate types (for certificateRequestMsg) 168const ( 169 CertTypeRSASign = 1 // A certificate containing an RSA key 170 CertTypeDSSSign = 2 // A certificate containing a DSA key 171 CertTypeRSAFixedDH = 3 // A certificate containing a static DH key 172 CertTypeDSSFixedDH = 4 // A certificate containing a static DH key 173 174 // See RFC4492 sections 3 and 5.5. 175 CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. 176 CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. 177 CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. 178 179 // Rest of these are reserved by the TLS spec 180) 181 182// signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note 183// that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with 184// TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature 185// algorithms' throughout. We match the latter. 186type signatureAlgorithm uint16 187 188const ( 189 // RSASSA-PKCS1-v1_5 algorithms 190 signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101 191 signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201 192 signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401 193 signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501 194 signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601 195 196 // ECDSA algorithms 197 signatureECDSAWithSHA1 signatureAlgorithm = 0x0203 198 signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403 199 signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503 200 signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603 201 202 // RSASSA-PSS algorithms 203 signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804 204 signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805 205 signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806 206 207 // EdDSA algorithms 208 signatureEd25519 signatureAlgorithm = 0x0807 209 signatureEd448 signatureAlgorithm = 0x0808 210) 211 212// supportedSignatureAlgorithms contains the default supported signature 213// algorithms. 214var supportedSignatureAlgorithms = []signatureAlgorithm{ 215 signatureRSAPSSWithSHA256, 216 signatureRSAPKCS1WithSHA256, 217 signatureECDSAWithP256AndSHA256, 218 signatureRSAPKCS1WithSHA1, 219 signatureECDSAWithSHA1, 220 signatureEd25519, 221} 222 223// SRTP protection profiles (See RFC 5764, section 4.1.2) 224const ( 225 SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 226 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 227) 228 229// PskKeyExchangeMode values (see RFC 8446, section 4.2.9) 230const ( 231 pskKEMode = 0 232 pskDHEKEMode = 1 233) 234 235// KeyUpdateRequest values (see RFC 8446, section 4.6.3) 236const ( 237 keyUpdateNotRequested = 0 238 keyUpdateRequested = 1 239) 240 241// ConnectionState records basic TLS details about the connection. 242type ConnectionState struct { 243 Version uint16 // TLS version used by the connection (e.g. VersionTLS12) 244 HandshakeComplete bool // TLS handshake is complete 245 DidResume bool // connection resumes a previous TLS connection 246 CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) 247 NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) 248 NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server 249 NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN 250 ServerName string // server name requested by client, if any (server side only) 251 PeerCertificates []*x509.Certificate // certificate chain presented by remote peer 252 VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates 253 ChannelID *ecdsa.PublicKey // the channel ID for this connection 254 TokenBindingNegotiated bool // whether Token Binding was negotiated 255 TokenBindingParam uint8 // the negotiated Token Binding key parameter 256 SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile 257 TLSUnique []byte // the tls-unique channel binding 258 SCTList []byte // signed certificate timestamp list 259 PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake 260 CurveID CurveID // the curve used in ECDHE 261 QUICTransportParams []byte // the QUIC transport params received from the peer 262} 263 264// ClientAuthType declares the policy the server will follow for 265// TLS Client Authentication. 266type ClientAuthType int 267 268const ( 269 NoClientCert ClientAuthType = iota 270 RequestClientCert 271 RequireAnyClientCert 272 VerifyClientCertIfGiven 273 RequireAndVerifyClientCert 274) 275 276// ClientSessionState contains the state needed by clients to resume TLS 277// sessions. 278type ClientSessionState struct { 279 sessionId []uint8 // Session ID supplied by the server. nil if the session has a ticket. 280 sessionTicket []uint8 // Encrypted ticket used for session resumption with server 281 vers uint16 // SSL/TLS version negotiated for the session 282 wireVersion uint16 // Wire SSL/TLS version negotiated for the session 283 cipherSuite uint16 // Ciphersuite negotiated for the session 284 masterSecret []byte // MasterSecret generated by client on a full handshake 285 handshakeHash []byte // Handshake hash for Channel ID purposes. 286 serverCertificates []*x509.Certificate // Certificate chain presented by the server 287 extendedMasterSecret bool // Whether an extended master secret was used to generate the session 288 sctList []byte 289 ocspResponse []byte 290 earlyALPN string 291 ticketCreationTime time.Time 292 ticketExpiration time.Time 293 ticketAgeAdd uint32 294 maxEarlyDataSize uint32 295} 296 297// ClientSessionCache is a cache of ClientSessionState objects that can be used 298// by a client to resume a TLS session with a given server. ClientSessionCache 299// implementations should expect to be called concurrently from different 300// goroutines. 301type ClientSessionCache interface { 302 // Get searches for a ClientSessionState associated with the given key. 303 // On return, ok is true if one was found. 304 Get(sessionKey string) (session *ClientSessionState, ok bool) 305 306 // Put adds the ClientSessionState to the cache with the given key. 307 Put(sessionKey string, cs *ClientSessionState) 308} 309 310// ServerSessionCache is a cache of sessionState objects that can be used by a 311// client to resume a TLS session with a given server. ServerSessionCache 312// implementations should expect to be called concurrently from different 313// goroutines. 314type ServerSessionCache interface { 315 // Get searches for a sessionState associated with the given session 316 // ID. On return, ok is true if one was found. 317 Get(sessionId string) (session *sessionState, ok bool) 318 319 // Put adds the sessionState to the cache with the given session ID. 320 Put(sessionId string, session *sessionState) 321} 322 323// CertCompressionAlg is a certificate compression algorithm, specified as a 324// pair of functions for compressing and decompressing certificates. 325type CertCompressionAlg struct { 326 // Compress returns a compressed representation of the input. 327 Compress func([]byte) []byte 328 // Decompress depresses the contents of in and writes the result to out, which 329 // will be the correct size. It returns true on success and false otherwise. 330 Decompress func(out, in []byte) bool 331} 332 333// A Config structure is used to configure a TLS client or server. 334// After one has been passed to a TLS function it must not be 335// modified. A Config may be reused; the tls package will also not 336// modify it. 337type Config struct { 338 // Rand provides the source of entropy for nonces and RSA blinding. 339 // If Rand is nil, TLS uses the cryptographic random reader in package 340 // crypto/rand. 341 // The Reader must be safe for use by multiple goroutines. 342 Rand io.Reader 343 344 // Time returns the current time as the number of seconds since the epoch. 345 // If Time is nil, TLS uses time.Now. 346 Time func() time.Time 347 348 // Certificates contains one or more certificate chains 349 // to present to the other side of the connection. 350 // Server configurations must include at least one certificate. 351 Certificates []Certificate 352 353 // NameToCertificate maps from a certificate name to an element of 354 // Certificates. Note that a certificate name can be of the form 355 // '*.example.com' and so doesn't have to be a domain name as such. 356 // See Config.BuildNameToCertificate 357 // The nil value causes the first element of Certificates to be used 358 // for all connections. 359 NameToCertificate map[string]*Certificate 360 361 // RootCAs defines the set of root certificate authorities 362 // that clients use when verifying server certificates. 363 // If RootCAs is nil, TLS uses the host's root CA set. 364 RootCAs *x509.CertPool 365 366 // NextProtos is a list of supported, application level protocols. 367 NextProtos []string 368 369 // ServerName is used to verify the hostname on the returned 370 // certificates unless InsecureSkipVerify is given. It is also included 371 // in the client's handshake to support virtual hosting. 372 ServerName string 373 374 // ClientAuth determines the server's policy for 375 // TLS Client Authentication. The default is NoClientCert. 376 ClientAuth ClientAuthType 377 378 // ClientCAs defines the set of root certificate authorities 379 // that servers use if required to verify a client certificate 380 // by the policy in ClientAuth. 381 ClientCAs *x509.CertPool 382 383 // ClientCertificateTypes defines the set of allowed client certificate 384 // types. The default is CertTypeRSASign and CertTypeECDSASign. 385 ClientCertificateTypes []byte 386 387 // InsecureSkipVerify controls whether a client verifies the 388 // server's certificate chain and host name. 389 // If InsecureSkipVerify is true, TLS accepts any certificate 390 // presented by the server and any host name in that certificate. 391 // In this mode, TLS is susceptible to man-in-the-middle attacks. 392 // This should be used only for testing. 393 InsecureSkipVerify bool 394 395 // CipherSuites is a list of supported cipher suites. If CipherSuites 396 // is nil, TLS uses a list of suites supported by the implementation. 397 CipherSuites []uint16 398 399 // PreferServerCipherSuites controls whether the server selects the 400 // client's most preferred ciphersuite, or the server's most preferred 401 // ciphersuite. If true then the server's preference, as expressed in 402 // the order of elements in CipherSuites, is used. 403 PreferServerCipherSuites bool 404 405 // SessionTicketsDisabled may be set to true to disable session ticket 406 // (resumption) support. 407 SessionTicketsDisabled bool 408 409 // SessionTicketKey is used by TLS servers to provide session 410 // resumption. See RFC 5077. If zero, it will be filled with 411 // random data before the first server handshake. 412 // 413 // If multiple servers are terminating connections for the same host 414 // they should all have the same SessionTicketKey. If the 415 // SessionTicketKey leaks, previously recorded and future TLS 416 // connections using that key are compromised. 417 SessionTicketKey [32]byte 418 419 // ClientSessionCache is a cache of ClientSessionState entries 420 // for TLS session resumption. 421 ClientSessionCache ClientSessionCache 422 423 // ServerSessionCache is a cache of sessionState entries for TLS session 424 // resumption. 425 ServerSessionCache ServerSessionCache 426 427 // MinVersion contains the minimum SSL/TLS version that is acceptable. 428 // If zero, then SSLv3 is taken as the minimum. 429 MinVersion uint16 430 431 // MaxVersion contains the maximum SSL/TLS version that is acceptable. 432 // If zero, then the maximum version supported by this package is used, 433 // which is currently TLS 1.2. 434 MaxVersion uint16 435 436 // CurvePreferences contains the elliptic curves that will be used in 437 // an ECDHE handshake, in preference order. If empty, the default will 438 // be used. 439 CurvePreferences []CurveID 440 441 // DefaultCurves contains the elliptic curves for which public values will 442 // be sent in the ClientHello's KeyShare extension. If this value is nil, 443 // all supported curves will have public values sent. This field is ignored 444 // on servers. 445 DefaultCurves []CurveID 446 447 // ChannelID contains the ECDSA key for the client to use as 448 // its TLS Channel ID. 449 ChannelID *ecdsa.PrivateKey 450 451 // RequestChannelID controls whether the server requests a TLS 452 // Channel ID. If negotiated, the client's public key is 453 // returned in the ConnectionState. 454 RequestChannelID bool 455 456 // TokenBindingParams contains a list of TokenBindingKeyParameters 457 // (draft-ietf-tokbind-protocol-16) to attempt to negotiate. If 458 // nil, Token Binding will not be negotiated. 459 TokenBindingParams []byte 460 461 // TokenBindingVersion contains the serialized ProtocolVersion to 462 // use when negotiating Token Binding. 463 TokenBindingVersion uint16 464 465 // ExpectTokenBindingParams is checked by a server that the client 466 // sent ExpectTokenBindingParams as its list of Token Binding 467 // paramters. 468 ExpectTokenBindingParams []byte 469 470 // PreSharedKey, if not nil, is the pre-shared key to use with 471 // the PSK cipher suites. 472 PreSharedKey []byte 473 474 // PreSharedKeyIdentity, if not empty, is the identity to use 475 // with the PSK cipher suites. 476 PreSharedKeyIdentity string 477 478 // MaxEarlyDataSize controls the maximum number of bytes that the 479 // server will accept in early data and advertise in a 480 // NewSessionTicketMsg. If 0, no early data will be accepted and 481 // the early_data extension in the NewSessionTicketMsg will be omitted. 482 MaxEarlyDataSize uint32 483 484 // SRTPProtectionProfiles, if not nil, is the list of SRTP 485 // protection profiles to offer in DTLS-SRTP. 486 SRTPProtectionProfiles []uint16 487 488 // SignSignatureAlgorithms, if not nil, overrides the default set of 489 // supported signature algorithms to sign with. 490 SignSignatureAlgorithms []signatureAlgorithm 491 492 // VerifySignatureAlgorithms, if not nil, overrides the default set of 493 // supported signature algorithms that are accepted. 494 VerifySignatureAlgorithms []signatureAlgorithm 495 496 // QUICTransportParams, if not empty, will be sent in the QUIC 497 // transport parameters extension. 498 QUICTransportParams []byte 499 500 CertCompressionAlgs map[uint16]CertCompressionAlg 501 502 // Bugs specifies optional misbehaviour to be used for testing other 503 // implementations. 504 Bugs ProtocolBugs 505 506 serverInitOnce sync.Once // guards calling (*Config).serverInit 507} 508 509type BadValue int 510 511const ( 512 BadValueNone BadValue = iota 513 BadValueNegative 514 BadValueZero 515 BadValueLimit 516 BadValueLarge 517 NumBadValues 518) 519 520type RSABadValue int 521 522const ( 523 RSABadValueNone RSABadValue = iota 524 RSABadValueCorrupt 525 RSABadValueTooLong 526 RSABadValueTooShort 527 RSABadValueWrongVersion1 528 RSABadValueWrongVersion2 529 RSABadValueWrongBlockType 530 RSABadValueWrongLeadingByte 531 RSABadValueNoZero 532 NumRSABadValues 533) 534 535type RSAPSSSupport int 536 537const ( 538 RSAPSSSupportAny RSAPSSSupport = iota 539 RSAPSSSupportNone 540 RSAPSSSupportOnlineSignatureOnly 541 RSAPSSSupportBoth 542) 543 544type ProtocolBugs struct { 545 // InvalidSignature specifies that the signature in a ServerKeyExchange 546 // or CertificateVerify message should be invalid. 547 InvalidSignature bool 548 549 // SendCurve, if non-zero, causes the server to send the specified curve 550 // ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather 551 // than the negotiated one. 552 SendCurve CurveID 553 554 // InvalidECDHPoint, if true, causes the ECC points in 555 // ServerKeyExchange or ClientKeyExchange messages to be invalid. 556 InvalidECDHPoint bool 557 558 // BadECDSAR controls ways in which the 'r' value of an ECDSA signature 559 // can be invalid. 560 BadECDSAR BadValue 561 BadECDSAS BadValue 562 563 // MaxPadding causes CBC records to have the maximum possible padding. 564 MaxPadding bool 565 // PaddingFirstByteBad causes the first byte of the padding to be 566 // incorrect. 567 PaddingFirstByteBad bool 568 // PaddingFirstByteBadIf255 causes the first byte of padding to be 569 // incorrect if there's a maximum amount of padding (i.e. 255 bytes). 570 PaddingFirstByteBadIf255 bool 571 572 // FailIfNotFallbackSCSV causes a server handshake to fail if the 573 // client doesn't send the fallback SCSV value. 574 FailIfNotFallbackSCSV bool 575 576 // DuplicateExtension causes an extra empty extension of bogus type to 577 // be emitted in either the ClientHello or the ServerHello. 578 DuplicateExtension bool 579 580 // UnauthenticatedECDH causes the server to pretend ECDHE_RSA 581 // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No 582 // Certificate message is sent and no signature is added to 583 // ServerKeyExchange. 584 UnauthenticatedECDH bool 585 586 // SkipHelloVerifyRequest causes a DTLS server to skip the 587 // HelloVerifyRequest message. 588 SkipHelloVerifyRequest bool 589 590 // SkipCertificateStatus, if true, causes the server to skip the 591 // CertificateStatus message. This is legal because CertificateStatus is 592 // optional, even with a status_request in ServerHello. 593 SkipCertificateStatus bool 594 595 // SkipServerKeyExchange causes the server to skip sending 596 // ServerKeyExchange messages. 597 SkipServerKeyExchange bool 598 599 // SkipNewSessionTicket causes the server to skip sending the 600 // NewSessionTicket message despite promising to in ServerHello. 601 SkipNewSessionTicket bool 602 603 // UseFirstSessionTicket causes the client to cache only the first session 604 // ticket received. 605 UseFirstSessionTicket bool 606 607 // SkipClientCertificate causes the client to skip the Certificate 608 // message. 609 SkipClientCertificate bool 610 611 // SkipChangeCipherSpec causes the implementation to skip 612 // sending the ChangeCipherSpec message (and adjusting cipher 613 // state accordingly for the Finished message). 614 SkipChangeCipherSpec bool 615 616 // SkipFinished causes the implementation to skip sending the Finished 617 // message. 618 SkipFinished bool 619 620 // SkipEndOfEarlyData causes the implementation to skip 621 // end_of_early_data. 622 SkipEndOfEarlyData bool 623 624 // NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the 625 // EndOfEarlyData. 626 NonEmptyEndOfEarlyData bool 627 628 // SkipCertificateVerify, if true causes peer to skip sending a 629 // CertificateVerify message after the Certificate message. 630 SkipCertificateVerify bool 631 632 // EarlyChangeCipherSpec causes the client to send an early 633 // ChangeCipherSpec message before the ClientKeyExchange. A value of 634 // zero disables this behavior. One and two configure variants for 635 // 1.0.1 and 0.9.8 modes, respectively. 636 EarlyChangeCipherSpec int 637 638 // StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake 639 // message in DTLS to be prefaced by stray ChangeCipherSpec record. This 640 // may be used to test DTLS's handling of reordered ChangeCipherSpec. 641 StrayChangeCipherSpec bool 642 643 // ReorderChangeCipherSpec causes the ChangeCipherSpec message to be 644 // sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec, 645 // the cipher change happens at the usual time. 646 ReorderChangeCipherSpec bool 647 648 // FragmentAcrossChangeCipherSpec causes the implementation to fragment 649 // the Finished (or NextProto) message around the ChangeCipherSpec 650 // messages. 651 FragmentAcrossChangeCipherSpec bool 652 653 // SendExtraChangeCipherSpec causes the implementation to send extra 654 // ChangeCipherSpec messages. 655 SendExtraChangeCipherSpec int 656 657 // SendPostHandshakeChangeCipherSpec causes the implementation to send 658 // a ChangeCipherSpec record before every application data record. 659 SendPostHandshakeChangeCipherSpec bool 660 661 // SendUnencryptedFinished, if true, causes the Finished message to be 662 // send unencrypted before ChangeCipherSpec rather than after it. 663 SendUnencryptedFinished bool 664 665 // PartialEncryptedExtensionsWithServerHello, if true, causes the TLS 666 // 1.3 server to send part of EncryptedExtensions unencrypted 667 // in the same record as ServerHello. 668 PartialEncryptedExtensionsWithServerHello bool 669 670 // PartialClientFinishedWithClientHello, if true, causes the TLS 1.3 671 // client to send part of Finished unencrypted in the same record as 672 // ClientHello. 673 PartialClientFinishedWithClientHello bool 674 675 // SendV2ClientHello causes the client to send a V2ClientHello 676 // instead of a normal ClientHello. 677 SendV2ClientHello bool 678 679 // SendFallbackSCSV causes the client to include 680 // TLS_FALLBACK_SCSV in the ClientHello. 681 SendFallbackSCSV bool 682 683 // SendRenegotiationSCSV causes the client to include the renegotiation 684 // SCSV in the ClientHello. 685 SendRenegotiationSCSV bool 686 687 // MaxHandshakeRecordLength, if non-zero, is the maximum size of a 688 // handshake record. Handshake messages will be split into multiple 689 // records at the specified size, except that the client_version will 690 // never be fragmented. For DTLS, it is the maximum handshake fragment 691 // size, not record size; DTLS allows multiple handshake fragments in a 692 // single handshake record. See |PackHandshakeFragments|. 693 MaxHandshakeRecordLength int 694 695 // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to 696 // the first 6 bytes of the ClientHello. 697 FragmentClientVersion bool 698 699 // FragmentAlert will cause all alerts to be fragmented across 700 // two records. 701 FragmentAlert bool 702 703 // DoubleAlert will cause all alerts to be sent as two copies packed 704 // within one record. 705 DoubleAlert bool 706 707 // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted 708 // alert to be sent. 709 SendSpuriousAlert alert 710 711 // BadRSAClientKeyExchange causes the client to send a corrupted RSA 712 // ClientKeyExchange which would not pass padding checks. 713 BadRSAClientKeyExchange RSABadValue 714 715 // RenewTicketOnResume causes the server to renew the session ticket and 716 // send a NewSessionTicket message during an abbreviated handshake. 717 RenewTicketOnResume bool 718 719 // SendClientVersion, if non-zero, causes the client to send the 720 // specified value in the ClientHello version field. 721 SendClientVersion uint16 722 723 // OmitSupportedVersions, if true, causes the client to omit the 724 // supported versions extension. 725 OmitSupportedVersions bool 726 727 // SendSupportedVersions, if non-empty, causes the client to send a 728 // supported versions extension with the values from array. 729 SendSupportedVersions []uint16 730 731 // NegotiateVersion, if non-zero, causes the server to negotiate the 732 // specifed wire version rather than the version supported by either 733 // peer. 734 NegotiateVersion uint16 735 736 // NegotiateVersionOnRenego, if non-zero, causes the server to negotiate 737 // the specified wire version on renegotiation rather than retaining it. 738 NegotiateVersionOnRenego uint16 739 740 // ExpectFalseStart causes the server to, on full handshakes, 741 // expect the peer to False Start; the server Finished message 742 // isn't sent until we receive an application data record 743 // from the peer. 744 ExpectFalseStart bool 745 746 // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full 747 // handshakes, send an alert just before reading the application data 748 // record to test False Start. This can be used in a negative False 749 // Start test to determine whether the peer processed the alert (and 750 // closed the connection) before or after sending app data. 751 AlertBeforeFalseStartTest alert 752 753 // ExpectServerName, if not empty, is the hostname the client 754 // must specify in the server_name extension. 755 ExpectServerName string 756 757 // SwapNPNAndALPN switches the relative order between NPN and ALPN in 758 // both ClientHello and ServerHello. 759 SwapNPNAndALPN bool 760 761 // ALPNProtocol, if not nil, sets the ALPN protocol that a server will 762 // return. 763 ALPNProtocol *string 764 765 // AcceptAnySession causes the server to resume sessions regardless of 766 // the version associated with the session or cipher suite. It also 767 // causes the server to look in both TLS 1.2 and 1.3 extensions to 768 // process a ticket. 769 AcceptAnySession bool 770 771 // SendBothTickets, if true, causes the client to send tickets in both 772 // TLS 1.2 and 1.3 extensions. 773 SendBothTickets bool 774 775 // FilterTicket, if not nil, causes the client to modify a session 776 // ticket before sending it in a resume handshake. 777 FilterTicket func([]byte) ([]byte, error) 778 779 // TicketSessionIDLength, if non-zero, is the length of the session ID 780 // to send with a ticket resumption offer. 781 TicketSessionIDLength int 782 783 // EmptyTicketSessionID, if true, causes the client to send an empty 784 // session ID with a ticket resumption offer. For simplicity, this will 785 // also cause the client to interpret a ServerHello with empty session 786 // ID as a resumption. (A client which sends empty session ID is 787 // normally expected to look ahead for ChangeCipherSpec.) 788 EmptyTicketSessionID bool 789 790 // SendClientHelloSessionID, if not nil, is the session ID sent in the 791 // ClientHello. 792 SendClientHelloSessionID []byte 793 794 // ExpectClientHelloSessionID, if true, causes the server to fail the 795 // connection if there is not a session ID in the ClientHello. 796 ExpectClientHelloSessionID bool 797 798 // EchoSessionIDInFullHandshake, if true, causes the server to echo the 799 // ClientHello session ID, even in TLS 1.2 full handshakes. 800 EchoSessionIDInFullHandshake bool 801 802 // ExpectNoTLS12Session, if true, causes the server to fail the 803 // connection if either a session ID or TLS 1.2 ticket is offered. 804 ExpectNoTLS12Session bool 805 806 // ExpectNoTLS13PSK, if true, causes the server to fail the connection 807 // if a TLS 1.3 PSK is offered. 808 ExpectNoTLS13PSK bool 809 810 // ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection 811 // if a TLS 1.3 PSK is offered after HRR. 812 ExpectNoTLS13PSKAfterHRR bool 813 814 // RequireExtendedMasterSecret, if true, requires that the peer support 815 // the extended master secret option. 816 RequireExtendedMasterSecret bool 817 818 // NoExtendedMasterSecret causes the client and server to behave as if 819 // they didn't support an extended master secret in the initial 820 // handshake. 821 NoExtendedMasterSecret bool 822 823 // NoExtendedMasterSecretOnRenegotiation causes the client and server to 824 // behave as if they didn't support an extended master secret in 825 // renegotiation handshakes. 826 NoExtendedMasterSecretOnRenegotiation bool 827 828 // EmptyRenegotiationInfo causes the renegotiation extension to be 829 // empty in a renegotiation handshake. 830 EmptyRenegotiationInfo bool 831 832 // BadRenegotiationInfo causes the renegotiation extension value in a 833 // renegotiation handshake to be incorrect at the start. 834 BadRenegotiationInfo bool 835 836 // BadRenegotiationInfoEnd causes the renegotiation extension value in 837 // a renegotiation handshake to be incorrect at the end. 838 BadRenegotiationInfoEnd bool 839 840 // NoRenegotiationInfo disables renegotiation info support in all 841 // handshakes. 842 NoRenegotiationInfo bool 843 844 // NoRenegotiationInfoInInitial disables renegotiation info support in 845 // the initial handshake. 846 NoRenegotiationInfoInInitial bool 847 848 // NoRenegotiationInfoAfterInitial disables renegotiation info support 849 // in renegotiation handshakes. 850 NoRenegotiationInfoAfterInitial bool 851 852 // RequireRenegotiationInfo, if true, causes the client to return an 853 // error if the server doesn't reply with the renegotiation extension. 854 RequireRenegotiationInfo bool 855 856 // SequenceNumberMapping, if non-nil, is the mapping function to apply 857 // to the sequence number of outgoing packets. For both TLS and DTLS, 858 // the two most-significant bytes in the resulting sequence number are 859 // ignored so that the DTLS epoch cannot be changed. 860 SequenceNumberMapping func(uint64) uint64 861 862 // RSAEphemeralKey, if true, causes the server to send a 863 // ServerKeyExchange message containing an ephemeral key (as in 864 // RSA_EXPORT) in the plain RSA key exchange. 865 RSAEphemeralKey bool 866 867 // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the 868 // client offers when negotiating SRTP. MKI support is still missing so 869 // the peer must still send none. 870 SRTPMasterKeyIdentifer string 871 872 // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the 873 // server sends in the ServerHello instead of the negotiated one. 874 SendSRTPProtectionProfile uint16 875 876 // NoSignatureAlgorithms, if true, causes the client to omit the 877 // signature and hashes extension. 878 // 879 // For a server, it will cause an empty list to be sent in the 880 // CertificateRequest message. None the less, the configured set will 881 // still be enforced. 882 NoSignatureAlgorithms bool 883 884 // NoSupportedCurves, if true, causes the client to omit the 885 // supported_curves extension. 886 NoSupportedCurves bool 887 888 // RequireSameRenegoClientVersion, if true, causes the server 889 // to require that all ClientHellos match in offered version 890 // across a renego. 891 RequireSameRenegoClientVersion bool 892 893 // ExpectInitialRecordVersion, if non-zero, is the expected value of 894 // record-layer version field before the protocol version is determined. 895 ExpectInitialRecordVersion uint16 896 897 // SendRecordVersion, if non-zero, is the value to send as the 898 // record-layer version. 899 SendRecordVersion uint16 900 901 // SendInitialRecordVersion, if non-zero, is the value to send as the 902 // record-layer version before the protocol version is determined. 903 SendInitialRecordVersion uint16 904 905 // MaxPacketLength, if non-zero, is the maximum acceptable size for a 906 // packet. 907 MaxPacketLength int 908 909 // SendCipherSuite, if non-zero, is the cipher suite value that the 910 // server will send in the ServerHello. This does not affect the cipher 911 // the server believes it has actually negotiated. 912 SendCipherSuite uint16 913 914 // SendCipherSuites, if not nil, is the cipher suite list that the 915 // client will send in the ClientHello. This does not affect the cipher 916 // the client believes it has actually offered. 917 SendCipherSuites []uint16 918 919 // AppDataBeforeHandshake, if not nil, causes application data to be 920 // sent immediately before the first handshake message. 921 AppDataBeforeHandshake []byte 922 923 // AppDataAfterChangeCipherSpec, if not nil, causes application data to 924 // be sent immediately after ChangeCipherSpec. 925 AppDataAfterChangeCipherSpec []byte 926 927 // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent 928 // immediately after ChangeCipherSpec. 929 AlertAfterChangeCipherSpec alert 930 931 // TimeoutSchedule is the schedule of packet drops and simulated 932 // timeouts for before each handshake leg from the peer. 933 TimeoutSchedule []time.Duration 934 935 // PacketAdaptor is the packetAdaptor to use to simulate timeouts. 936 PacketAdaptor *packetAdaptor 937 938 // ReorderHandshakeFragments, if true, causes handshake fragments in 939 // DTLS to overlap and be sent in the wrong order. It also causes 940 // pre-CCS flights to be sent twice. (Post-CCS flights consist of 941 // Finished and will trigger a spurious retransmit.) 942 ReorderHandshakeFragments bool 943 944 // ReverseHandshakeFragments, if true, causes handshake fragments in 945 // DTLS to be reversed within a flight. 946 ReverseHandshakeFragments bool 947 948 // MixCompleteMessageWithFragments, if true, causes handshake 949 // messages in DTLS to redundantly both fragment the message 950 // and include a copy of the full one. 951 MixCompleteMessageWithFragments bool 952 953 // RetransmitFinished, if true, causes the DTLS Finished message to be 954 // sent twice. 955 RetransmitFinished bool 956 957 // SendInvalidRecordType, if true, causes a record with an invalid 958 // content type to be sent immediately following the handshake. 959 SendInvalidRecordType bool 960 961 // SendWrongMessageType, if non-zero, causes messages of the specified 962 // type to be sent with the wrong value. 963 SendWrongMessageType byte 964 965 // SendTrailingMessageData, if non-zero, causes messages of the 966 // specified type to be sent with trailing data. 967 SendTrailingMessageData byte 968 969 // FragmentMessageTypeMismatch, if true, causes all non-initial 970 // handshake fragments in DTLS to have the wrong message type. 971 FragmentMessageTypeMismatch bool 972 973 // FragmentMessageLengthMismatch, if true, causes all non-initial 974 // handshake fragments in DTLS to have the wrong message length. 975 FragmentMessageLengthMismatch bool 976 977 // SplitFragments, if non-zero, causes the handshake fragments in DTLS 978 // to be split across two records. The value of |SplitFragments| is the 979 // number of bytes in the first fragment. 980 SplitFragments int 981 982 // SendEmptyFragments, if true, causes handshakes to include empty 983 // fragments in DTLS. 984 SendEmptyFragments bool 985 986 // SendSplitAlert, if true, causes an alert to be sent with the header 987 // and record body split across multiple packets. The peer should 988 // discard these packets rather than process it. 989 SendSplitAlert bool 990 991 // FailIfResumeOnRenego, if true, causes renegotiations to fail if the 992 // client offers a resumption or the server accepts one. 993 FailIfResumeOnRenego bool 994 995 // IgnorePeerCipherPreferences, if true, causes the peer's cipher 996 // preferences to be ignored. 997 IgnorePeerCipherPreferences bool 998 999 // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's 1000 // signature algorithm preferences to be ignored. 1001 IgnorePeerSignatureAlgorithmPreferences bool 1002 1003 // IgnorePeerCurvePreferences, if true, causes the peer's curve 1004 // preferences to be ignored. 1005 IgnorePeerCurvePreferences bool 1006 1007 // BadFinished, if true, causes the Finished hash to be broken. 1008 BadFinished bool 1009 1010 // PackHandshakeFragments, if true, causes handshake fragments in DTLS 1011 // to be packed into individual handshake records, up to the specified 1012 // record size. 1013 PackHandshakeFragments int 1014 1015 // PackHandshakeRecords, if non-zero, causes handshake and 1016 // ChangeCipherSpec records in DTLS to be packed into individual 1017 // packets, up to the specified packet size. 1018 PackHandshakeRecords int 1019 1020 // PackAppDataWithHandshake, if true, extends PackHandshakeRecords to 1021 // additionally include the first application data record sent after the 1022 // final Finished message in a handshake. (If the final Finished message 1023 // is sent by the peer, this option has no effect.) This requires that 1024 // the runner rather than shim speak first in a given test. 1025 PackAppDataWithHandshake bool 1026 1027 // SplitAndPackAppData, if true, causes application data in DTLS to be 1028 // split into two records each and packed into one packet. 1029 SplitAndPackAppData bool 1030 1031 // PackHandshakeFlight, if true, causes each handshake flight in TLS to 1032 // be packed into records, up to the largest size record available. 1033 PackHandshakeFlight bool 1034 1035 // AdvertiseAllConfiguredCiphers, if true, causes the client to 1036 // advertise all configured cipher suite values. 1037 AdvertiseAllConfiguredCiphers bool 1038 1039 // EmptyCertificateList, if true, causes the server to send an empty 1040 // certificate list in the Certificate message. 1041 EmptyCertificateList bool 1042 1043 // ExpectNewTicket, if true, causes the client to abort if it does not 1044 // receive a new ticket. 1045 ExpectNewTicket bool 1046 1047 // RequireClientHelloSize, if not zero, is the required length in bytes 1048 // of the ClientHello /record/. This is checked by the server. 1049 RequireClientHelloSize int 1050 1051 // CustomExtension, if not empty, contains the contents of an extension 1052 // that will be added to client/server hellos. 1053 CustomExtension string 1054 1055 // CustomUnencryptedExtension, if not empty, contains the contents of 1056 // an extension that will be added to ServerHello in TLS 1.3. 1057 CustomUnencryptedExtension string 1058 1059 // ExpectedCustomExtension, if not nil, contains the expected contents 1060 // of a custom extension. 1061 ExpectedCustomExtension *string 1062 1063 // CustomTicketExtension, if not empty, contains the contents of an 1064 // extension what will be added to NewSessionTicket in TLS 1.3. 1065 CustomTicketExtension string 1066 1067 // CustomTicketExtension, if not empty, contains the contents of an 1068 // extension what will be added to HelloRetryRequest in TLS 1.3. 1069 CustomHelloRetryRequestExtension string 1070 1071 // NoCloseNotify, if true, causes the close_notify alert to be skipped 1072 // on connection shutdown. 1073 NoCloseNotify bool 1074 1075 // SendAlertOnShutdown, if non-zero, is the alert to send instead of 1076 // close_notify on shutdown. 1077 SendAlertOnShutdown alert 1078 1079 // ExpectCloseNotify, if true, requires a close_notify from the peer on 1080 // shutdown. Records from the peer received after close_notify is sent 1081 // are not discard. 1082 ExpectCloseNotify bool 1083 1084 // SendLargeRecords, if true, allows outgoing records to be sent 1085 // arbitrarily large. 1086 SendLargeRecords bool 1087 1088 // NegotiateALPNAndNPN, if true, causes the server to negotiate both 1089 // ALPN and NPN in the same connetion. 1090 NegotiateALPNAndNPN bool 1091 1092 // SendALPN, if non-empty, causes the server to send the specified 1093 // string in the ALPN extension regardless of the content or presence of 1094 // the client offer. 1095 SendALPN string 1096 1097 // SendUnencryptedALPN, if non-empty, causes the server to send the 1098 // specified string in a ServerHello ALPN extension in TLS 1.3. 1099 SendUnencryptedALPN string 1100 1101 // SendEmptySessionTicket, if true, causes the server to send an empty 1102 // session ticket. 1103 SendEmptySessionTicket bool 1104 1105 // SendPSKKeyExchangeModes, if present, determines the PSK key exchange modes 1106 // to send. 1107 SendPSKKeyExchangeModes []byte 1108 1109 // ExpectNoNewSessionTicket, if present, means that the client will fail upon 1110 // receipt of a NewSessionTicket message. 1111 ExpectNoNewSessionTicket bool 1112 1113 // DuplicateTicketEarlyData causes an extra empty extension of early_data to 1114 // be sent in NewSessionTicket. 1115 DuplicateTicketEarlyData bool 1116 1117 // ExpectTicketEarlyData, if true, means that the client will fail upon 1118 // absence of the early_data extension. 1119 ExpectTicketEarlyData bool 1120 1121 // ExpectTicketAge, if non-zero, is the expected age of the ticket that the 1122 // server receives from the client. 1123 ExpectTicketAge time.Duration 1124 1125 // SendTicketAge, if non-zero, is the ticket age to be sent by the 1126 // client. 1127 SendTicketAge time.Duration 1128 1129 // FailIfSessionOffered, if true, causes the server to fail any 1130 // connections where the client offers a non-empty session ID or session 1131 // ticket. 1132 FailIfSessionOffered bool 1133 1134 // SendHelloRequestBeforeEveryAppDataRecord, if true, causes a 1135 // HelloRequest handshake message to be sent before each application 1136 // data record. This only makes sense for a server. 1137 SendHelloRequestBeforeEveryAppDataRecord bool 1138 1139 // SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a 1140 // HelloRequest handshake message to be sent before each handshake 1141 // message. This only makes sense for a server. 1142 SendHelloRequestBeforeEveryHandshakeMessage bool 1143 1144 // BadChangeCipherSpec, if not nil, is the body to be sent in 1145 // ChangeCipherSpec records instead of {1}. 1146 BadChangeCipherSpec []byte 1147 1148 // BadHelloRequest, if not nil, is what to send instead of a 1149 // HelloRequest. 1150 BadHelloRequest []byte 1151 1152 // RequireSessionTickets, if true, causes the client to require new 1153 // sessions use session tickets instead of session IDs. 1154 RequireSessionTickets bool 1155 1156 // RequireSessionIDs, if true, causes the client to require new sessions use 1157 // session IDs instead of session tickets. 1158 RequireSessionIDs bool 1159 1160 // NullAllCiphers, if true, causes every cipher to behave like the null 1161 // cipher. 1162 NullAllCiphers bool 1163 1164 // SendSCTListOnResume, if not nil, causes the server to send the 1165 // supplied SCT list in resumption handshakes. 1166 SendSCTListOnResume []byte 1167 1168 // SendSCTListOnRenegotiation, if not nil, causes the server to send the 1169 // supplied SCT list on renegotiation. 1170 SendSCTListOnRenegotiation []byte 1171 1172 // SendOCSPResponseOnResume, if not nil, causes the server to advertise 1173 // OCSP stapling in resumption handshakes and, if applicable, send the 1174 // supplied stapled response. 1175 SendOCSPResponseOnResume []byte 1176 1177 // SendOCSPResponseOnResume, if not nil, causes the server to send the 1178 // supplied OCSP response on renegotiation. 1179 SendOCSPResponseOnRenegotiation []byte 1180 1181 // SendExtensionOnCertificate, if not nil, causes the runner to send the 1182 // supplied bytes in the extensions on the Certificate message. 1183 SendExtensionOnCertificate []byte 1184 1185 // SendOCSPOnIntermediates, if not nil, causes the server to send the 1186 // supplied OCSP on intermediate certificates in the Certificate message. 1187 SendOCSPOnIntermediates []byte 1188 1189 // SendSCTOnIntermediates, if not nil, causes the server to send the 1190 // supplied SCT on intermediate certificates in the Certificate message. 1191 SendSCTOnIntermediates []byte 1192 1193 // SendDuplicateCertExtensions, if true, causes the server to send an extra 1194 // copy of the OCSP/SCT extensions in the Certificate message. 1195 SendDuplicateCertExtensions bool 1196 1197 // ExpectNoExtensionsOnIntermediate, if true, causes the client to 1198 // reject extensions on intermediate certificates. 1199 ExpectNoExtensionsOnIntermediate bool 1200 1201 // RecordPadding is the number of bytes of padding to add to each 1202 // encrypted record in TLS 1.3. 1203 RecordPadding int 1204 1205 // OmitRecordContents, if true, causes encrypted records in TLS 1.3 to 1206 // be missing their body and content type. Padding, if configured, is 1207 // still added. 1208 OmitRecordContents bool 1209 1210 // OuterRecordType, if non-zero, is the outer record type to use instead 1211 // of application data. 1212 OuterRecordType recordType 1213 1214 // SendSignatureAlgorithm, if non-zero, causes all signatures to be sent 1215 // with the given signature algorithm rather than the one negotiated. 1216 SendSignatureAlgorithm signatureAlgorithm 1217 1218 // SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be 1219 // skipped. 1220 SkipECDSACurveCheck bool 1221 1222 // IgnoreSignatureVersionChecks, if true, causes all signature 1223 // algorithms to be enabled at all TLS versions. 1224 IgnoreSignatureVersionChecks bool 1225 1226 // NegotiateRenegotiationInfoAtAllVersions, if true, causes 1227 // Renegotiation Info to be negotiated at all versions. 1228 NegotiateRenegotiationInfoAtAllVersions bool 1229 1230 // NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at 1231 // all versions. 1232 NegotiateNPNAtAllVersions bool 1233 1234 // NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at 1235 // all versions. 1236 NegotiateEMSAtAllVersions bool 1237 1238 // AdvertiseTicketExtension, if true, causes the ticket extension to be 1239 // advertised in server extensions 1240 AdvertiseTicketExtension bool 1241 1242 // NegotiatePSKResumption, if true, causes the server to attempt pure PSK 1243 // resumption. 1244 NegotiatePSKResumption bool 1245 1246 // AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to 1247 // always acknowledge a session, regardless of one was offered. 1248 AlwaysSelectPSKIdentity bool 1249 1250 // SelectPSKIdentityOnResume, if non-zero, causes the server to select 1251 // the specified PSK identity index rather than the actual value. 1252 SelectPSKIdentityOnResume uint16 1253 1254 // ExtraPSKIdentity, if true, causes the client to send an extra PSK 1255 // identity. 1256 ExtraPSKIdentity bool 1257 1258 // MissingKeyShare, if true, causes the TLS 1.3 implementation to skip 1259 // sending a key_share extension and use the zero ECDHE secret 1260 // instead. 1261 MissingKeyShare bool 1262 1263 // SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3 1264 // ClientHello to skip sending a key_share extension and use the zero 1265 // ECDHE secret instead. 1266 SecondClientHelloMissingKeyShare bool 1267 1268 // MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3 1269 // client to pretend the server requested a HelloRetryRequest with the 1270 // given curve rather than the actual one. 1271 MisinterpretHelloRetryRequestCurve CurveID 1272 1273 // DuplicateKeyShares, if true, causes the TLS 1.3 client to send two 1274 // copies of each KeyShareEntry. 1275 DuplicateKeyShares bool 1276 1277 // SendEarlyAlert, if true, sends a fatal alert after the ClientHello. 1278 SendEarlyAlert bool 1279 1280 // SendFakeEarlyDataLength, if non-zero, is the amount of early data to 1281 // send after the ClientHello. 1282 SendFakeEarlyDataLength int 1283 1284 // SendStrayEarlyHandshake, if non-zero, causes the client to send a stray 1285 // handshake record before sending end of early data. 1286 SendStrayEarlyHandshake bool 1287 1288 // OmitEarlyDataExtension, if true, causes the early data extension to 1289 // be omitted in the ClientHello. 1290 OmitEarlyDataExtension bool 1291 1292 // SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to 1293 // send early data after the second ClientHello. 1294 SendEarlyDataOnSecondClientHello bool 1295 1296 // InterleaveEarlyData, if true, causes the TLS 1.3 client to send early 1297 // data interleaved with the second ClientHello and the client Finished. 1298 InterleaveEarlyData bool 1299 1300 // SendEarlyData causes a TLS 1.3 client to send the provided data 1301 // in application data records immediately after the ClientHello, 1302 // provided that the client offers a TLS 1.3 session. It will do this 1303 // whether or not the server advertised early data for the ticket. 1304 SendEarlyData [][]byte 1305 1306 // ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data 1307 // was accepted by the server. 1308 ExpectEarlyDataAccepted bool 1309 1310 // AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data 1311 // regardless of ALPN mismatch. 1312 AlwaysAcceptEarlyData bool 1313 1314 // AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data. 1315 AlwaysRejectEarlyData bool 1316 1317 // SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the 1318 // early_data extension in EncryptedExtensions, independent of whether 1319 // it was accepted. 1320 SendEarlyDataExtension bool 1321 1322 // ExpectEarlyKeyingMaterial, if non-zero, causes a TLS 1.3 server to 1323 // read an application data record after the ClientHello before it sends 1324 // a ServerHello. The record's contents have the specified length and 1325 // match the corresponding early exporter value. This is used to test 1326 // the client using the early exporter in the 0-RTT state. 1327 ExpectEarlyKeyingMaterial int 1328 1329 // ExpectEarlyKeyingLabel is the label to use with 1330 // ExpectEarlyKeyingMaterial. 1331 ExpectEarlyKeyingLabel string 1332 1333 // ExpectEarlyKeyingContext is the context string to use with 1334 // ExpectEarlyKeyingMaterial 1335 ExpectEarlyKeyingContext string 1336 1337 // ExpectEarlyData causes a TLS 1.3 server to read application 1338 // data after the ClientHello (assuming the server is able to 1339 // derive the key under which the data is encrypted) before it 1340 // sends a ServerHello. It checks that the application data it 1341 // reads matches what is provided in ExpectEarlyData and errors if 1342 // the number of records or their content do not match. 1343 ExpectEarlyData [][]byte 1344 1345 // ExpectLateEarlyData causes a TLS 1.3 server to read application 1346 // data after the ServerFinished (assuming the server is able to 1347 // derive the key under which the data is encrypted) before it 1348 // sends the ClientFinished. It checks that the application data it 1349 // reads matches what is provided in ExpectLateEarlyData and errors if 1350 // the number of records or their content do not match. 1351 ExpectLateEarlyData [][]byte 1352 1353 // SendHalfRTTData causes a TLS 1.3 server to send the provided 1354 // data in application data records before reading the client's 1355 // Finished message. 1356 SendHalfRTTData [][]byte 1357 1358 // ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to 1359 // read application data after reading the server's Finished message and 1360 // before sending any subsequent handshake messages. It checks that the 1361 // application data it reads matches what is provided in 1362 // ExpectHalfRTTData and errors if the number of records or their 1363 // content do not match. 1364 ExpectHalfRTTData [][]byte 1365 1366 // EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to 1367 // emit an empty EncryptedExtensions block. 1368 EmptyEncryptedExtensions bool 1369 1370 // EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to 1371 // include the KeyShare extension in the EncryptedExtensions block. 1372 EncryptedExtensionsWithKeyShare bool 1373 1374 // AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to 1375 // be sent by the server, even if empty. 1376 AlwaysSendHelloRetryRequest bool 1377 1378 // SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send 1379 // two HelloRetryRequests instead of one. 1380 SecondHelloRetryRequest bool 1381 1382 // SendHelloRetryRequestCurve, if non-zero, causes the server to send 1383 // the specified curve in a HelloRetryRequest. 1384 SendHelloRetryRequestCurve CurveID 1385 1386 // SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send 1387 // the specified cipher suite in a HelloRetryRequest. 1388 SendHelloRetryRequestCipherSuite uint16 1389 1390 // SendHelloRetryRequestCookie, if not nil, contains a cookie to be 1391 // sent by the server in HelloRetryRequest. 1392 SendHelloRetryRequestCookie []byte 1393 1394 // DuplicateHelloRetryRequestExtensions, if true, causes all 1395 // HelloRetryRequest extensions to be sent twice. 1396 DuplicateHelloRetryRequestExtensions bool 1397 1398 // SendServerHelloVersion, if non-zero, causes the server to send the 1399 // specified value in ServerHello version field. 1400 SendServerHelloVersion uint16 1401 1402 // SendServerSupportedVersionExtension, if non-zero, causes the server to send 1403 // the specified value in supported_versions extension in the ServerHello (but 1404 // not the HelloRetryRequest). 1405 SendServerSupportedVersionExtension uint16 1406 1407 // OmitServerSupportedVersionExtension, if true, causes the server to 1408 // omit the supported_versions extension in the ServerHello (but not the 1409 // HelloRetryRequest) 1410 OmitServerSupportedVersionExtension bool 1411 1412 // SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send 1413 // HelloRetryRequest. 1414 SkipHelloRetryRequest bool 1415 1416 // PackHelloRequestWithFinished, if true, causes the TLS server to send 1417 // HelloRequest in the same record as Finished. 1418 PackHelloRequestWithFinished bool 1419 1420 // ExpectMissingKeyShare, if true, causes the TLS server to fail the 1421 // connection if the selected curve appears in the client's initial 1422 // ClientHello. That is, it requires that a HelloRetryRequest be sent. 1423 ExpectMissingKeyShare bool 1424 1425 // SendExtraFinished, if true, causes an extra Finished message to be 1426 // sent. 1427 SendExtraFinished bool 1428 1429 // SendRequestContext, if not empty, is the request context to send in 1430 // a TLS 1.3 CertificateRequest. 1431 SendRequestContext []byte 1432 1433 // OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm 1434 // extension in a TLS 1.3 CertificateRequest. 1435 OmitCertificateRequestAlgorithms bool 1436 1437 // SendCustomCertificateRequest, if non-zero, send an additional custom 1438 // extension in a TLS 1.3 CertificateRequest. 1439 SendCustomCertificateRequest uint16 1440 1441 // SendSNIWarningAlert, if true, causes the server to send an 1442 // unrecognized_name alert before the ServerHello. 1443 SendSNIWarningAlert bool 1444 1445 // SendCompressionMethods, if not nil, is the compression method list to 1446 // send in the ClientHello. 1447 SendCompressionMethods []byte 1448 1449 // SendCompressionMethod is the compression method to send in the 1450 // ServerHello. 1451 SendCompressionMethod byte 1452 1453 // AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to 1454 // always send a ServerKeyExchange for PSK ciphers, even if the identity 1455 // hint is empty. 1456 AlwaysSendPreSharedKeyIdentityHint bool 1457 1458 // TrailingKeyShareData, if true, causes the client key share list to 1459 // include a trailing byte. 1460 TrailingKeyShareData bool 1461 1462 // InvalidChannelIDSignature, if true, causes the client to generate an 1463 // invalid Channel ID signature. 1464 InvalidChannelIDSignature bool 1465 1466 // ExpectGREASE, if true, causes messages without GREASE values to be 1467 // rejected. See draft-davidben-tls-grease-01. 1468 ExpectGREASE bool 1469 1470 // SendShortPSKBinder, if true, causes the client to send a PSK binder 1471 // that is one byte shorter than it should be. 1472 SendShortPSKBinder bool 1473 1474 // SendInvalidPSKBinder, if true, causes the client to send an invalid 1475 // PSK binder. 1476 SendInvalidPSKBinder bool 1477 1478 // SendNoPSKBinder, if true, causes the client to send no PSK binders. 1479 SendNoPSKBinder bool 1480 1481 // SendExtraPSKBinder, if true, causes the client to send an extra PSK 1482 // binder. 1483 SendExtraPSKBinder bool 1484 1485 // PSKBinderFirst, if true, causes the client to send the PSK Binder 1486 // extension as the first extension instead of the last extension. 1487 PSKBinderFirst bool 1488 1489 // NoOCSPStapling, if true, causes the client to not request OCSP 1490 // stapling. 1491 NoOCSPStapling bool 1492 1493 // NoSignedCertificateTimestamps, if true, causes the client to not 1494 // request signed certificate timestamps. 1495 NoSignedCertificateTimestamps bool 1496 1497 // SendSupportedPointFormats, if not nil, is the list of supported point 1498 // formats to send in ClientHello or ServerHello. If set to a non-nil 1499 // empty slice, no extension will be sent. 1500 SendSupportedPointFormats []byte 1501 1502 // SendServerSupportedCurves, if true, causes the server to send its 1503 // supported curves list in the ServerHello (TLS 1.2) or 1504 // EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and 1505 // valid in TLS 1.3. 1506 SendServerSupportedCurves bool 1507 1508 // MaxReceivePlaintext, if non-zero, is the maximum plaintext record 1509 // length accepted from the peer. 1510 MaxReceivePlaintext int 1511 1512 // ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally 1513 // pack their encrypted handshake messages, fitting at most the 1514 // specified number of plaintext bytes per record. 1515 ExpectPackedEncryptedHandshake int 1516 1517 // SendTicketLifetime, if non-zero, is the ticket lifetime to send in 1518 // NewSessionTicket messages. 1519 SendTicketLifetime time.Duration 1520 1521 // SendServerNameAck, if true, causes the server to acknowledge the SNI 1522 // extension. 1523 SendServerNameAck bool 1524 1525 // ExpectCertificateReqNames, if not nil, contains the list of X.509 1526 // names that must be sent in a CertificateRequest from the server. 1527 ExpectCertificateReqNames [][]byte 1528 1529 // RenegotiationCertificate, if not nil, is the certificate to use on 1530 // renegotiation handshakes. 1531 RenegotiationCertificate *Certificate 1532 1533 // ExpectNoCertificateAuthoritiesExtension, if true, causes the client to 1534 // reject CertificateRequest with the CertificateAuthorities extension. 1535 ExpectNoCertificateAuthoritiesExtension bool 1536 1537 // UseLegacySigningAlgorithm, if non-zero, is the signature algorithm 1538 // to use when signing in TLS 1.1 and earlier where algorithms are not 1539 // negotiated. 1540 UseLegacySigningAlgorithm signatureAlgorithm 1541 1542 // SendServerHelloAsHelloRetryRequest, if true, causes the server to 1543 // send ServerHello messages with a HelloRetryRequest type field. 1544 SendServerHelloAsHelloRetryRequest bool 1545 1546 // RejectUnsolicitedKeyUpdate, if true, causes all unsolicited 1547 // KeyUpdates from the peer to be rejected. 1548 RejectUnsolicitedKeyUpdate bool 1549 1550 // OmitExtensions, if true, causes the extensions field in ClientHello 1551 // and ServerHello messages to be omitted. 1552 OmitExtensions bool 1553 1554 // EmptyExtensions, if true, causes the extensions field in ClientHello 1555 // and ServerHello messages to be present, but empty. 1556 EmptyExtensions bool 1557 1558 // ExpectOmitExtensions, if true, causes the client to reject 1559 // ServerHello messages that do not omit extensions. 1560 ExpectOmitExtensions bool 1561 1562 // ExpectRecordSplitting, if true, causes application records to only be 1563 // accepted if they follow a 1/n-1 record split. 1564 ExpectRecordSplitting bool 1565 1566 // PadClientHello, if non-zero, pads the ClientHello to a multiple of 1567 // that many bytes. 1568 PadClientHello int 1569 1570 // SendTLS13DowngradeRandom, if true, causes the server to send the 1571 // TLS 1.3 anti-downgrade signal. 1572 SendTLS13DowngradeRandom bool 1573 1574 // CheckTLS13DowngradeRandom, if true, causes the client to check the 1575 // TLS 1.3 anti-downgrade signal regardless of its variant. 1576 CheckTLS13DowngradeRandom bool 1577 1578 // IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the 1579 // TLS 1.3 anti-downgrade signal. 1580 IgnoreTLS13DowngradeRandom bool 1581 1582 // SendCompressedCoordinates, if true, causes ECDH key shares over NIST 1583 // curves to use compressed coordinates. 1584 SendCompressedCoordinates bool 1585 1586 // ExpectRSAPSSSupport specifies the level of RSA-PSS support expected 1587 // from the peer. 1588 ExpectRSAPSSSupport RSAPSSSupport 1589 1590 // SetX25519HighBit, if true, causes X25519 key shares to set their 1591 // high-order bit. 1592 SetX25519HighBit bool 1593 1594 // DuplicateCompressedCertAlgs, if true, causes two, equal, certificate 1595 // compression algorithm IDs to be sent. 1596 DuplicateCompressedCertAlgs bool 1597 1598 // ExpectedCompressedCert specifies the compression algorithm ID that must be 1599 // used on this connection, or zero if there are no special requirements. 1600 ExpectedCompressedCert uint16 1601 1602 // SendCertCompressionAlgId, if not zero, sets the algorithm ID that will be 1603 // sent in the compressed certificate message. 1604 SendCertCompressionAlgId uint16 1605 1606 // SendCertUncompressedLength, if not zero, sets the uncompressed length that 1607 // will be sent in the compressed certificate message. 1608 SendCertUncompressedLength uint32 1609 1610 // SendClientHelloWithFixes, if not nil, sends the specified byte string 1611 // instead of the ClientHello. This string is incorporated into the 1612 // transcript as if it were the real ClientHello, but the handshake will 1613 // otherwise behave as if this was not sent in terms of what ciphers it 1614 // will accept, etc. 1615 // 1616 // The input is modified to match key share entries. DefaultCurves must 1617 // be configured to match. The random and session ID fields are 1618 // extracted from the ClientHello. 1619 SendClientHelloWithFixes []byte 1620 1621 // SendJDK11DowngradeRandom, if true, causes the server to send the JDK 1622 // 11 downgrade signal. 1623 SendJDK11DowngradeRandom bool 1624 1625 // ExpectJDK11DowngradeRandom is whether the client should expect the 1626 // server to send the JDK 11 downgrade signal. 1627 ExpectJDK11DowngradeRandom bool 1628 1629 // FailIfHelloRetryRequested causes a handshake failure if a server requests a 1630 // hello retry. 1631 FailIfHelloRetryRequested bool 1632 1633 // FailedIfCECPQ2Offered will cause a server to reject a ClientHello if CECPQ2 1634 // is supported. 1635 FailIfCECPQ2Offered bool 1636 1637 // ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello 1638 // should have key shares for. 1639 ExpectedKeyShares []CurveID 1640 1641 // ExpectDelegatedCredentials, if true, requires that the handshake present 1642 // delegated credentials. 1643 ExpectDelegatedCredentials bool 1644 1645 // FailIfDelegatedCredentials, if true, causes a handshake failure if the 1646 // server returns delegated credentials. 1647 FailIfDelegatedCredentials bool 1648 1649 // DisableDelegatedCredentials, if true, disables client support for delegated 1650 // credentials. 1651 DisableDelegatedCredentials bool 1652} 1653 1654func (c *Config) serverInit() { 1655 if c.SessionTicketsDisabled { 1656 return 1657 } 1658 1659 // If the key has already been set then we have nothing to do. 1660 for _, b := range c.SessionTicketKey { 1661 if b != 0 { 1662 return 1663 } 1664 } 1665 1666 if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { 1667 c.SessionTicketsDisabled = true 1668 } 1669} 1670 1671func (c *Config) rand() io.Reader { 1672 r := c.Rand 1673 if r == nil { 1674 return rand.Reader 1675 } 1676 return r 1677} 1678 1679func (c *Config) time() time.Time { 1680 t := c.Time 1681 if t == nil { 1682 t = time.Now 1683 } 1684 return t() 1685} 1686 1687func (c *Config) cipherSuites() []uint16 { 1688 s := c.CipherSuites 1689 if s == nil { 1690 s = defaultCipherSuites() 1691 } 1692 return s 1693} 1694 1695func (c *Config) minVersion(isDTLS bool) uint16 { 1696 ret := uint16(minVersion) 1697 if c != nil && c.MinVersion != 0 { 1698 ret = c.MinVersion 1699 } 1700 if isDTLS { 1701 // The lowest version of DTLS is 1.0. There is no DSSL 3.0. 1702 if ret < VersionTLS10 { 1703 return VersionTLS10 1704 } 1705 // There is no such thing as DTLS 1.1. 1706 if ret == VersionTLS11 { 1707 return VersionTLS12 1708 } 1709 } 1710 return ret 1711} 1712 1713func (c *Config) maxVersion(isDTLS bool) uint16 { 1714 ret := uint16(maxVersion) 1715 if c != nil && c.MaxVersion != 0 { 1716 ret = c.MaxVersion 1717 } 1718 if isDTLS { 1719 // We only implement up to DTLS 1.2. 1720 if ret > VersionTLS12 { 1721 return VersionTLS12 1722 } 1723 // There is no such thing as DTLS 1.1. 1724 if ret == VersionTLS11 { 1725 return VersionTLS10 1726 } 1727 } 1728 return ret 1729} 1730 1731var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521} 1732 1733func (c *Config) curvePreferences() []CurveID { 1734 if c == nil || len(c.CurvePreferences) == 0 { 1735 return defaultCurvePreferences 1736 } 1737 return c.CurvePreferences 1738} 1739 1740func (c *Config) defaultCurves() map[CurveID]bool { 1741 defaultCurves := make(map[CurveID]bool) 1742 curves := c.DefaultCurves 1743 if c == nil || c.DefaultCurves == nil { 1744 curves = c.curvePreferences() 1745 } 1746 for _, curveID := range curves { 1747 defaultCurves[curveID] = true 1748 } 1749 return defaultCurves 1750} 1751 1752func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { 1753 if isDTLS { 1754 switch vers { 1755 case VersionDTLS12: 1756 return VersionTLS12, true 1757 case VersionDTLS10: 1758 return VersionTLS10, true 1759 } 1760 } else { 1761 switch vers { 1762 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13: 1763 return vers, true 1764 } 1765 } 1766 1767 return 0, false 1768} 1769 1770// isSupportedVersion checks if the specified wire version is acceptable. If so, 1771// it returns true and the corresponding protocol version. Otherwise, it returns 1772// false. 1773func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { 1774 vers, ok := wireToVersion(wireVers, isDTLS) 1775 if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { 1776 return 0, false 1777 } 1778 return vers, true 1779} 1780 1781func (c *Config) supportedVersions(isDTLS bool) []uint16 { 1782 versions := allTLSWireVersions 1783 if isDTLS { 1784 versions = allDTLSWireVersions 1785 } 1786 var ret []uint16 1787 for _, vers := range versions { 1788 if _, ok := c.isSupportedVersion(vers, isDTLS); ok { 1789 ret = append(ret, vers) 1790 } 1791 } 1792 return ret 1793} 1794 1795// getCertificateForName returns the best certificate for the given name, 1796// defaulting to the first element of c.Certificates if there are no good 1797// options. 1798func (c *Config) getCertificateForName(name string) *Certificate { 1799 if len(c.Certificates) == 1 || c.NameToCertificate == nil { 1800 // There's only one choice, so no point doing any work. 1801 return &c.Certificates[0] 1802 } 1803 1804 name = strings.ToLower(name) 1805 for len(name) > 0 && name[len(name)-1] == '.' { 1806 name = name[:len(name)-1] 1807 } 1808 1809 if cert, ok := c.NameToCertificate[name]; ok { 1810 return cert 1811 } 1812 1813 // try replacing labels in the name with wildcards until we get a 1814 // match. 1815 labels := strings.Split(name, ".") 1816 for i := range labels { 1817 labels[i] = "*" 1818 candidate := strings.Join(labels, ".") 1819 if cert, ok := c.NameToCertificate[candidate]; ok { 1820 return cert 1821 } 1822 } 1823 1824 // If nothing matches, return the first certificate. 1825 return &c.Certificates[0] 1826} 1827 1828func (c *Config) signSignatureAlgorithms() []signatureAlgorithm { 1829 if c != nil && c.SignSignatureAlgorithms != nil { 1830 return c.SignSignatureAlgorithms 1831 } 1832 return supportedSignatureAlgorithms 1833} 1834 1835func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm { 1836 if c != nil && c.VerifySignatureAlgorithms != nil { 1837 return c.VerifySignatureAlgorithms 1838 } 1839 return supportedSignatureAlgorithms 1840} 1841 1842// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate 1843// from the CommonName and SubjectAlternateName fields of each of the leaf 1844// certificates. 1845func (c *Config) BuildNameToCertificate() { 1846 c.NameToCertificate = make(map[string]*Certificate) 1847 for i := range c.Certificates { 1848 cert := &c.Certificates[i] 1849 x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) 1850 if err != nil { 1851 continue 1852 } 1853 if len(x509Cert.Subject.CommonName) > 0 { 1854 c.NameToCertificate[x509Cert.Subject.CommonName] = cert 1855 } 1856 for _, san := range x509Cert.DNSNames { 1857 c.NameToCertificate[san] = cert 1858 } 1859 } 1860} 1861 1862// A Certificate is a chain of one or more certificates, leaf first. 1863type Certificate struct { 1864 Certificate [][]byte 1865 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey 1866 // OCSPStaple contains an optional OCSP response which will be served 1867 // to clients that request it. 1868 OCSPStaple []byte 1869 // SignedCertificateTimestampList contains an optional encoded 1870 // SignedCertificateTimestampList structure which will be 1871 // served to clients that request it. 1872 SignedCertificateTimestampList []byte 1873 // Leaf is the parsed form of the leaf certificate, which may be 1874 // initialized using x509.ParseCertificate to reduce per-handshake 1875 // processing for TLS clients doing client authentication. If nil, the 1876 // leaf certificate will be parsed as needed. 1877 Leaf *x509.Certificate 1878} 1879 1880// A TLS record. 1881type record struct { 1882 contentType recordType 1883 major, minor uint8 1884 payload []byte 1885} 1886 1887type handshakeMessage interface { 1888 marshal() []byte 1889 unmarshal([]byte) bool 1890} 1891 1892// lruSessionCache is a client or server session cache implementation 1893// that uses an LRU caching strategy. 1894type lruSessionCache struct { 1895 sync.Mutex 1896 1897 m map[string]*list.Element 1898 q *list.List 1899 capacity int 1900} 1901 1902type lruSessionCacheEntry struct { 1903 sessionKey string 1904 state interface{} 1905} 1906 1907// Put adds the provided (sessionKey, cs) pair to the cache. 1908func (c *lruSessionCache) Put(sessionKey string, cs interface{}) { 1909 c.Lock() 1910 defer c.Unlock() 1911 1912 if elem, ok := c.m[sessionKey]; ok { 1913 entry := elem.Value.(*lruSessionCacheEntry) 1914 entry.state = cs 1915 c.q.MoveToFront(elem) 1916 return 1917 } 1918 1919 if c.q.Len() < c.capacity { 1920 entry := &lruSessionCacheEntry{sessionKey, cs} 1921 c.m[sessionKey] = c.q.PushFront(entry) 1922 return 1923 } 1924 1925 elem := c.q.Back() 1926 entry := elem.Value.(*lruSessionCacheEntry) 1927 delete(c.m, entry.sessionKey) 1928 entry.sessionKey = sessionKey 1929 entry.state = cs 1930 c.q.MoveToFront(elem) 1931 c.m[sessionKey] = elem 1932} 1933 1934// Get returns the value associated with a given key. It returns (nil, 1935// false) if no value is found. 1936func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) { 1937 c.Lock() 1938 defer c.Unlock() 1939 1940 if elem, ok := c.m[sessionKey]; ok { 1941 c.q.MoveToFront(elem) 1942 return elem.Value.(*lruSessionCacheEntry).state, true 1943 } 1944 return nil, false 1945} 1946 1947// lruClientSessionCache is a ClientSessionCache implementation that 1948// uses an LRU caching strategy. 1949type lruClientSessionCache struct { 1950 lruSessionCache 1951} 1952 1953func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { 1954 c.lruSessionCache.Put(sessionKey, cs) 1955} 1956 1957func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { 1958 cs, ok := c.lruSessionCache.Get(sessionKey) 1959 if !ok { 1960 return nil, false 1961 } 1962 return cs.(*ClientSessionState), true 1963} 1964 1965// lruServerSessionCache is a ServerSessionCache implementation that 1966// uses an LRU caching strategy. 1967type lruServerSessionCache struct { 1968 lruSessionCache 1969} 1970 1971func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) { 1972 c.lruSessionCache.Put(sessionId, session) 1973} 1974 1975func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) { 1976 cs, ok := c.lruSessionCache.Get(sessionId) 1977 if !ok { 1978 return nil, false 1979 } 1980 return cs.(*sessionState), true 1981} 1982 1983// NewLRUClientSessionCache returns a ClientSessionCache with the given 1984// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 1985// is used instead. 1986func NewLRUClientSessionCache(capacity int) ClientSessionCache { 1987 const defaultSessionCacheCapacity = 64 1988 1989 if capacity < 1 { 1990 capacity = defaultSessionCacheCapacity 1991 } 1992 return &lruClientSessionCache{ 1993 lruSessionCache{ 1994 m: make(map[string]*list.Element), 1995 q: list.New(), 1996 capacity: capacity, 1997 }, 1998 } 1999} 2000 2001// NewLRUServerSessionCache returns a ServerSessionCache with the given 2002// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 2003// is used instead. 2004func NewLRUServerSessionCache(capacity int) ServerSessionCache { 2005 const defaultSessionCacheCapacity = 64 2006 2007 if capacity < 1 { 2008 capacity = defaultSessionCacheCapacity 2009 } 2010 return &lruServerSessionCache{ 2011 lruSessionCache{ 2012 m: make(map[string]*list.Element), 2013 q: list.New(), 2014 capacity: capacity, 2015 }, 2016 } 2017} 2018 2019// TODO(jsing): Make these available to both crypto/x509 and crypto/tls. 2020type dsaSignature struct { 2021 R, S *big.Int 2022} 2023 2024type ecdsaSignature dsaSignature 2025 2026var emptyConfig Config 2027 2028func defaultConfig() *Config { 2029 return &emptyConfig 2030} 2031 2032var ( 2033 once sync.Once 2034 varDefaultCipherSuites []uint16 2035) 2036 2037func defaultCipherSuites() []uint16 { 2038 once.Do(initDefaultCipherSuites) 2039 return varDefaultCipherSuites 2040} 2041 2042func initDefaultCipherSuites() { 2043 for _, suite := range cipherSuites { 2044 if suite.flags&suitePSK == 0 { 2045 varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) 2046 } 2047 } 2048} 2049 2050func unexpectedMessageError(wanted, got interface{}) error { 2051 return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) 2052} 2053 2054func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool { 2055 for _, s := range sigAlgs { 2056 if s == sigAlg { 2057 return true 2058 } 2059 } 2060 return false 2061} 2062 2063var ( 2064 // See RFC 8446, section 4.1.3. 2065 downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} 2066 downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} 2067 2068 // This is a non-standard randomly-generated value. 2069 downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff} 2070) 2071 2072func containsGREASE(values []uint16) bool { 2073 for _, v := range values { 2074 if isGREASEValue(v) { 2075 return true 2076 } 2077 } 2078 return false 2079} 2080 2081func checkRSAPSSSupport(support RSAPSSSupport, sigAlgs, sigAlgsCert []signatureAlgorithm) error { 2082 if sigAlgsCert == nil { 2083 sigAlgsCert = sigAlgs 2084 } else if eqSignatureAlgorithms(sigAlgs, sigAlgsCert) { 2085 // The peer should have only sent the list once. 2086 return errors.New("tls: signature_algorithms and signature_algorithms_cert extensions were identical") 2087 } 2088 2089 if support == RSAPSSSupportAny { 2090 return nil 2091 } 2092 2093 var foundPSS, foundPSSCert bool 2094 for _, sigAlg := range sigAlgs { 2095 if sigAlg == signatureRSAPSSWithSHA256 || sigAlg == signatureRSAPSSWithSHA384 || sigAlg == signatureRSAPSSWithSHA512 { 2096 foundPSS = true 2097 break 2098 } 2099 } 2100 for _, sigAlg := range sigAlgsCert { 2101 if sigAlg == signatureRSAPSSWithSHA256 || sigAlg == signatureRSAPSSWithSHA384 || sigAlg == signatureRSAPSSWithSHA512 { 2102 foundPSSCert = true 2103 break 2104 } 2105 } 2106 2107 expectPSS := support != RSAPSSSupportNone 2108 if foundPSS != expectPSS { 2109 if expectPSS { 2110 return errors.New("tls: peer did not support PSS") 2111 } else { 2112 return errors.New("tls: peer unexpectedly supported PSS") 2113 } 2114 } 2115 2116 expectPSSCert := support == RSAPSSSupportBoth 2117 if foundPSSCert != expectPSSCert { 2118 if expectPSSCert { 2119 return errors.New("tls: peer did not support PSS in certificates") 2120 } else { 2121 return errors.New("tls: peer unexpectedly supported PSS in certificates") 2122 } 2123 } 2124 2125 return nil 2126} 2127