• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"container/list"
9	"crypto"
10	"crypto/ecdsa"
11	"crypto/rand"
12	"crypto/x509"
13	"fmt"
14	"io"
15	"math/big"
16	"strings"
17	"sync"
18	"time"
19)
20
21const (
22	VersionSSL30 = 0x0300
23	VersionTLS10 = 0x0301
24	VersionTLS11 = 0x0302
25	VersionTLS12 = 0x0303
26	VersionTLS13 = 0x0304
27)
28
29const (
30	VersionDTLS10 = 0xfeff
31	VersionDTLS12 = 0xfefd
32)
33
34var allTLSWireVersions = []uint16{
35	VersionTLS13,
36	VersionTLS12,
37	VersionTLS11,
38	VersionTLS10,
39	VersionSSL30,
40}
41
42var allDTLSWireVersions = []uint16{
43	VersionDTLS12,
44	VersionDTLS10,
45}
46
47const (
48	maxPlaintext        = 16384        // maximum plaintext payload length
49	maxCiphertext       = 16384 + 2048 // maximum ciphertext payload length
50	tlsRecordHeaderLen  = 5            // record header length
51	dtlsRecordHeaderLen = 13
52	maxHandshake        = 65536 // maximum handshake we support (protocol max is 16 MB)
53
54	minVersion = VersionSSL30
55	maxVersion = VersionTLS13
56)
57
58// TLS record types.
59type recordType uint8
60
61const (
62	recordTypeChangeCipherSpec   recordType = 20
63	recordTypeAlert              recordType = 21
64	recordTypeHandshake          recordType = 22
65	recordTypeApplicationData    recordType = 23
66	recordTypePlaintextHandshake recordType = 24
67)
68
69// TLS handshake message types.
70const (
71	typeHelloRequest          uint8 = 0
72	typeClientHello           uint8 = 1
73	typeServerHello           uint8 = 2
74	typeHelloVerifyRequest    uint8 = 3
75	typeNewSessionTicket      uint8 = 4
76	typeEndOfEarlyData        uint8 = 5
77	typeHelloRetryRequest     uint8 = 6
78	typeEncryptedExtensions   uint8 = 8
79	typeCertificate           uint8 = 11
80	typeServerKeyExchange     uint8 = 12
81	typeCertificateRequest    uint8 = 13
82	typeServerHelloDone       uint8 = 14
83	typeCertificateVerify     uint8 = 15
84	typeClientKeyExchange     uint8 = 16
85	typeFinished              uint8 = 20
86	typeCertificateStatus     uint8 = 22
87	typeKeyUpdate             uint8 = 24
88	typeCompressedCertificate uint8 = 25  // Not IANA assigned
89	typeNextProtocol          uint8 = 67  // Not IANA assigned
90	typeChannelID             uint8 = 203 // Not IANA assigned
91	typeMessageHash           uint8 = 254
92)
93
94// TLS compression types.
95const (
96	compressionNone uint8 = 0
97)
98
99// TLS extension numbers
100const (
101	extensionServerName                 uint16 = 0
102	extensionStatusRequest              uint16 = 5
103	extensionSupportedCurves            uint16 = 10
104	extensionSupportedPoints            uint16 = 11
105	extensionSignatureAlgorithms        uint16 = 13
106	extensionUseSRTP                    uint16 = 14
107	extensionALPN                       uint16 = 16
108	extensionSignedCertificateTimestamp uint16 = 18
109	extensionPadding                    uint16 = 21
110	extensionExtendedMasterSecret       uint16 = 23
111	extensionTokenBinding               uint16 = 24
112	extensionCompressedCertAlgs         uint16 = 27
113	extensionSessionTicket              uint16 = 35
114	extensionPreSharedKey               uint16 = 41
115	extensionEarlyData                  uint16 = 42
116	extensionSupportedVersions          uint16 = 43
117	extensionCookie                     uint16 = 44
118	extensionPSKKeyExchangeModes        uint16 = 45
119	extensionCertificateAuthorities     uint16 = 47
120	extensionSignatureAlgorithmsCert    uint16 = 50
121	extensionKeyShare                   uint16 = 51
122	extensionQUICTransportParams        uint16 = 57    // draft-ietf-quic-tls-33 and later
123	extensionCustom                     uint16 = 1234  // not IANA assigned
124	extensionNextProtoNeg               uint16 = 13172 // not IANA assigned
125	extensionApplicationSettings        uint16 = 17513 // not IANA assigned
126	extensionRenegotiationInfo          uint16 = 0xff01
127	extensionQUICTransportParamsLegacy  uint16 = 0xffa5 // draft-ietf-quic-tls-32 and earlier
128	extensionChannelID                  uint16 = 30032  // not IANA assigned
129	extensionDelegatedCredentials       uint16 = 0x22   // draft-ietf-tls-subcerts-06
130	extensionDuplicate                  uint16 = 0xffff // not IANA assigned
131	extensionEncryptedClientHello       uint16 = 0xfe09 // not IANA assigned
132	extensionECHIsInner                 uint16 = 0xda09 // not IANA assigned
133)
134
135// TLS signaling cipher suite values
136const (
137	scsvRenegotiation uint16 = 0x00ff
138)
139
140var tls13HelloRetryRequest = []uint8{
141	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c,
142	0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb,
143	0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
144}
145
146// CurveID is the type of a TLS identifier for an elliptic curve. See
147// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
148type CurveID uint16
149
150const (
151	CurveP224   CurveID = 21
152	CurveP256   CurveID = 23
153	CurveP384   CurveID = 24
154	CurveP521   CurveID = 25
155	CurveX25519 CurveID = 29
156	CurveCECPQ2 CurveID = 16696
157)
158
159// TLS Elliptic Curve Point Formats
160// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
161const (
162	pointFormatUncompressed    uint8 = 0
163	pointFormatCompressedPrime uint8 = 1
164)
165
166// TLS CertificateStatusType (RFC 3546)
167const (
168	statusTypeOCSP uint8 = 1
169)
170
171// Certificate types (for certificateRequestMsg)
172const (
173	CertTypeRSASign    = 1 // A certificate containing an RSA key
174	CertTypeDSSSign    = 2 // A certificate containing a DSA key
175	CertTypeRSAFixedDH = 3 // A certificate containing a static DH key
176	CertTypeDSSFixedDH = 4 // A certificate containing a static DH key
177
178	// See RFC4492 sections 3 and 5.5.
179	CertTypeECDSASign      = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
180	CertTypeRSAFixedECDH   = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
181	CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
182
183	// Rest of these are reserved by the TLS spec
184)
185
186// signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note
187// that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with
188// TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature
189// algorithms' throughout. We match the latter.
190type signatureAlgorithm uint16
191
192const (
193	// RSASSA-PKCS1-v1_5 algorithms
194	signatureRSAPKCS1WithMD5    signatureAlgorithm = 0x0101
195	signatureRSAPKCS1WithSHA1   signatureAlgorithm = 0x0201
196	signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401
197	signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501
198	signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601
199
200	// ECDSA algorithms
201	signatureECDSAWithSHA1          signatureAlgorithm = 0x0203
202	signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403
203	signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503
204	signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603
205
206	// RSASSA-PSS algorithms
207	signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804
208	signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805
209	signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806
210
211	// EdDSA algorithms
212	signatureEd25519 signatureAlgorithm = 0x0807
213	signatureEd448   signatureAlgorithm = 0x0808
214)
215
216// supportedSignatureAlgorithms contains the default supported signature
217// algorithms.
218var supportedSignatureAlgorithms = []signatureAlgorithm{
219	signatureRSAPSSWithSHA256,
220	signatureRSAPKCS1WithSHA256,
221	signatureECDSAWithP256AndSHA256,
222	signatureRSAPKCS1WithSHA1,
223	signatureECDSAWithSHA1,
224	signatureEd25519,
225}
226
227// SRTP protection profiles (See RFC 5764, section 4.1.2)
228const (
229	SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001
230	SRTP_AES128_CM_HMAC_SHA1_32        = 0x0002
231)
232
233// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
234const (
235	pskKEMode    = 0
236	pskDHEKEMode = 1
237)
238
239// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
240const (
241	keyUpdateNotRequested = 0
242	keyUpdateRequested    = 1
243)
244
245// ConnectionState records basic TLS details about the connection.
246type ConnectionState struct {
247	Version                    uint16                // TLS version used by the connection (e.g. VersionTLS12)
248	HandshakeComplete          bool                  // TLS handshake is complete
249	DidResume                  bool                  // connection resumes a previous TLS connection
250	CipherSuite                uint16                // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
251	NegotiatedProtocol         string                // negotiated next protocol (from Config.NextProtos)
252	NegotiatedProtocolIsMutual bool                  // negotiated protocol was advertised by server
253	NegotiatedProtocolFromALPN bool                  // protocol negotiated with ALPN
254	ServerName                 string                // server name requested by client, if any (server side only)
255	PeerCertificates           []*x509.Certificate   // certificate chain presented by remote peer
256	VerifiedChains             [][]*x509.Certificate // verified chains built from PeerCertificates
257	OCSPResponse               []byte                // stapled OCSP response from the peer, if any
258	ChannelID                  *ecdsa.PublicKey      // the channel ID for this connection
259	TokenBindingNegotiated     bool                  // whether Token Binding was negotiated
260	TokenBindingParam          uint8                 // the negotiated Token Binding key parameter
261	SRTPProtectionProfile      uint16                // the negotiated DTLS-SRTP protection profile
262	TLSUnique                  []byte                // the tls-unique channel binding
263	SCTList                    []byte                // signed certificate timestamp list
264	PeerSignatureAlgorithm     signatureAlgorithm    // algorithm used by the peer in the handshake
265	CurveID                    CurveID               // the curve used in ECDHE
266	QUICTransportParams        []byte                // the QUIC transport params received from the peer
267	QUICTransportParamsLegacy  []byte                // the legacy QUIC transport params received from the peer
268	HasApplicationSettings     bool                  // whether ALPS was negotiated
269	PeerApplicationSettings    []byte                // application settings received from the peer
270}
271
272// ClientAuthType declares the policy the server will follow for
273// TLS Client Authentication.
274type ClientAuthType int
275
276const (
277	NoClientCert ClientAuthType = iota
278	RequestClientCert
279	RequireAnyClientCert
280	VerifyClientCertIfGiven
281	RequireAndVerifyClientCert
282)
283
284// ClientSessionState contains the state needed by clients to resume TLS
285// sessions.
286type ClientSessionState struct {
287	sessionID                []uint8             // Session ID supplied by the server. nil if the session has a ticket.
288	sessionTicket            []uint8             // Encrypted ticket used for session resumption with server
289	vers                     uint16              // SSL/TLS version negotiated for the session
290	wireVersion              uint16              // Wire SSL/TLS version negotiated for the session
291	cipherSuite              uint16              // Ciphersuite negotiated for the session
292	masterSecret             []byte              // MasterSecret generated by client on a full handshake
293	handshakeHash            []byte              // Handshake hash for Channel ID purposes.
294	serverCertificates       []*x509.Certificate // Certificate chain presented by the server
295	extendedMasterSecret     bool                // Whether an extended master secret was used to generate the session
296	sctList                  []byte
297	ocspResponse             []byte
298	earlyALPN                string
299	ticketCreationTime       time.Time
300	ticketExpiration         time.Time
301	ticketAgeAdd             uint32
302	maxEarlyDataSize         uint32
303	hasApplicationSettings   bool
304	localApplicationSettings []byte
305	peerApplicationSettings  []byte
306}
307
308// ClientSessionCache is a cache of ClientSessionState objects that can be used
309// by a client to resume a TLS session with a given server. ClientSessionCache
310// implementations should expect to be called concurrently from different
311// goroutines.
312type ClientSessionCache interface {
313	// Get searches for a ClientSessionState associated with the given key.
314	// On return, ok is true if one was found.
315	Get(sessionKey string) (session *ClientSessionState, ok bool)
316
317	// Put adds the ClientSessionState to the cache with the given key.
318	Put(sessionKey string, cs *ClientSessionState)
319}
320
321// ServerSessionCache is a cache of sessionState objects that can be used by a
322// client to resume a TLS session with a given server. ServerSessionCache
323// implementations should expect to be called concurrently from different
324// goroutines.
325type ServerSessionCache interface {
326	// Get searches for a sessionState associated with the given session
327	// ID. On return, ok is true if one was found.
328	Get(sessionID string) (session *sessionState, ok bool)
329
330	// Put adds the sessionState to the cache with the given session ID.
331	Put(sessionID string, session *sessionState)
332}
333
334// CertCompressionAlg is a certificate compression algorithm, specified as a
335// pair of functions for compressing and decompressing certificates.
336type CertCompressionAlg struct {
337	// Compress returns a compressed representation of the input.
338	Compress func([]byte) []byte
339	// Decompress depresses the contents of in and writes the result to out, which
340	// will be the correct size. It returns true on success and false otherwise.
341	Decompress func(out, in []byte) bool
342}
343
344// QUICUseCodepoint controls which TLS extension codepoint is used to convey the
345// QUIC transport parameters. QUICUseCodepointStandard means use 57,
346// QUICUseCodepointLegacy means use legacy value 0xff5a, QUICUseCodepointBoth
347// means use both. QUICUseCodepointNeither means do not send transport
348// parameters.
349type QUICUseCodepoint int
350
351const (
352	QUICUseCodepointStandard QUICUseCodepoint = iota
353	QUICUseCodepointLegacy
354	QUICUseCodepointBoth
355	QUICUseCodepointNeither
356	NumQUICUseCodepoints
357)
358
359func (c QUICUseCodepoint) IncludeStandard() bool {
360	return c == QUICUseCodepointStandard || c == QUICUseCodepointBoth
361}
362
363func (c QUICUseCodepoint) IncludeLegacy() bool {
364	return c == QUICUseCodepointLegacy || c == QUICUseCodepointBoth
365}
366
367func (c QUICUseCodepoint) String() string {
368	switch c {
369	case QUICUseCodepointStandard:
370		return "Standard"
371	case QUICUseCodepointLegacy:
372		return "Legacy"
373	case QUICUseCodepointBoth:
374		return "Both"
375	case QUICUseCodepointNeither:
376		return "Neither"
377	}
378	panic("unknown value")
379}
380
381// A Config structure is used to configure a TLS client or server.
382// After one has been passed to a TLS function it must not be
383// modified. A Config may be reused; the tls package will also not
384// modify it.
385type Config struct {
386	// Rand provides the source of entropy for nonces and RSA blinding.
387	// If Rand is nil, TLS uses the cryptographic random reader in package
388	// crypto/rand.
389	// The Reader must be safe for use by multiple goroutines.
390	Rand io.Reader
391
392	// Time returns the current time as the number of seconds since the epoch.
393	// If Time is nil, TLS uses time.Now.
394	Time func() time.Time
395
396	// Certificates contains one or more certificate chains
397	// to present to the other side of the connection.
398	// Server configurations must include at least one certificate.
399	Certificates []Certificate
400
401	// NameToCertificate maps from a certificate name to an element of
402	// Certificates. Note that a certificate name can be of the form
403	// '*.example.com' and so doesn't have to be a domain name as such.
404	// See Config.BuildNameToCertificate
405	// The nil value causes the first element of Certificates to be used
406	// for all connections.
407	NameToCertificate map[string]*Certificate
408
409	// RootCAs defines the set of root certificate authorities
410	// that clients use when verifying server certificates.
411	// If RootCAs is nil, TLS uses the host's root CA set.
412	RootCAs *x509.CertPool
413
414	// NextProtos is a list of supported, application level protocols.
415	NextProtos []string
416
417	// ApplicationSettings is a set of application settings to use which each
418	// application protocol.
419	ApplicationSettings map[string][]byte
420
421	// ServerName is used to verify the hostname on the returned
422	// certificates unless InsecureSkipVerify is given. It is also included
423	// in the client's handshake to support virtual hosting.
424	ServerName string
425
426	// ClientAuth determines the server's policy for
427	// TLS Client Authentication. The default is NoClientCert.
428	ClientAuth ClientAuthType
429
430	// ClientCAs defines the set of root certificate authorities
431	// that servers use if required to verify a client certificate
432	// by the policy in ClientAuth.
433	ClientCAs *x509.CertPool
434
435	// ClientCertificateTypes defines the set of allowed client certificate
436	// types. The default is CertTypeRSASign and CertTypeECDSASign.
437	ClientCertificateTypes []byte
438
439	// InsecureSkipVerify controls whether a client verifies the
440	// server's certificate chain and host name.
441	// If InsecureSkipVerify is true, TLS accepts any certificate
442	// presented by the server and any host name in that certificate.
443	// In this mode, TLS is susceptible to man-in-the-middle attacks.
444	// This should be used only for testing.
445	InsecureSkipVerify bool
446
447	// CipherSuites is a list of supported cipher suites. If CipherSuites
448	// is nil, TLS uses a list of suites supported by the implementation.
449	CipherSuites []uint16
450
451	// PreferServerCipherSuites controls whether the server selects the
452	// client's most preferred ciphersuite, or the server's most preferred
453	// ciphersuite. If true then the server's preference, as expressed in
454	// the order of elements in CipherSuites, is used.
455	PreferServerCipherSuites bool
456
457	// SessionTicketsDisabled may be set to true to disable session ticket
458	// (resumption) support.
459	SessionTicketsDisabled bool
460
461	// SessionTicketKey is used by TLS servers to provide session
462	// resumption. See RFC 5077. If zero, it will be filled with
463	// random data before the first server handshake.
464	//
465	// If multiple servers are terminating connections for the same host
466	// they should all have the same SessionTicketKey. If the
467	// SessionTicketKey leaks, previously recorded and future TLS
468	// connections using that key are compromised.
469	SessionTicketKey [32]byte
470
471	// ClientSessionCache is a cache of ClientSessionState entries
472	// for TLS session resumption.
473	ClientSessionCache ClientSessionCache
474
475	// ServerSessionCache is a cache of sessionState entries for TLS session
476	// resumption.
477	ServerSessionCache ServerSessionCache
478
479	// MinVersion contains the minimum SSL/TLS version that is acceptable.
480	// If zero, then SSLv3 is taken as the minimum.
481	MinVersion uint16
482
483	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
484	// If zero, then the maximum version supported by this package is used,
485	// which is currently TLS 1.2.
486	MaxVersion uint16
487
488	// CurvePreferences contains the elliptic curves that will be used in
489	// an ECDHE handshake, in preference order. If empty, the default will
490	// be used.
491	CurvePreferences []CurveID
492
493	// DefaultCurves contains the elliptic curves for which public values will
494	// be sent in the ClientHello's KeyShare extension. If this value is nil,
495	// all supported curves will have public values sent. This field is ignored
496	// on servers.
497	DefaultCurves []CurveID
498
499	// ChannelID contains the ECDSA key for the client to use as
500	// its TLS Channel ID.
501	ChannelID *ecdsa.PrivateKey
502
503	// RequestChannelID controls whether the server requests a TLS
504	// Channel ID. If negotiated, the client's public key is
505	// returned in the ConnectionState.
506	RequestChannelID bool
507
508	// TokenBindingParams contains a list of TokenBindingKeyParameters
509	// (draft-ietf-tokbind-protocol-16) to attempt to negotiate. If
510	// nil, Token Binding will not be negotiated.
511	TokenBindingParams []byte
512
513	// TokenBindingVersion contains the serialized ProtocolVersion to
514	// use when negotiating Token Binding.
515	TokenBindingVersion uint16
516
517	// ExpectTokenBindingParams is checked by a server that the client
518	// sent ExpectTokenBindingParams as its list of Token Binding
519	// paramters.
520	ExpectTokenBindingParams []byte
521
522	// PreSharedKey, if not nil, is the pre-shared key to use with
523	// the PSK cipher suites.
524	PreSharedKey []byte
525
526	// PreSharedKeyIdentity, if not empty, is the identity to use
527	// with the PSK cipher suites.
528	PreSharedKeyIdentity string
529
530	// MaxEarlyDataSize controls the maximum number of bytes that the
531	// server will accept in early data and advertise in a
532	// NewSessionTicketMsg. If 0, no early data will be accepted and
533	// the early_data extension in the NewSessionTicketMsg will be omitted.
534	MaxEarlyDataSize uint32
535
536	// SRTPProtectionProfiles, if not nil, is the list of SRTP
537	// protection profiles to offer in DTLS-SRTP.
538	SRTPProtectionProfiles []uint16
539
540	// SignSignatureAlgorithms, if not nil, overrides the default set of
541	// supported signature algorithms to sign with.
542	SignSignatureAlgorithms []signatureAlgorithm
543
544	// VerifySignatureAlgorithms, if not nil, overrides the default set of
545	// supported signature algorithms that are accepted.
546	VerifySignatureAlgorithms []signatureAlgorithm
547
548	// QUICTransportParams, if not empty, will be sent in the QUIC
549	// transport parameters extension.
550	QUICTransportParams []byte
551
552	// QUICTransportParamsUseLegacyCodepoint controls which TLS extension
553	// codepoint is used to convey the QUIC transport parameters.
554	QUICTransportParamsUseLegacyCodepoint QUICUseCodepoint
555
556	CertCompressionAlgs map[uint16]CertCompressionAlg
557
558	// Bugs specifies optional misbehaviour to be used for testing other
559	// implementations.
560	Bugs ProtocolBugs
561
562	serverInitOnce sync.Once // guards calling (*Config).serverInit
563}
564
565type BadValue int
566
567const (
568	BadValueNone BadValue = iota
569	BadValueNegative
570	BadValueZero
571	BadValueLimit
572	BadValueLarge
573	NumBadValues
574)
575
576type RSABadValue int
577
578const (
579	RSABadValueNone RSABadValue = iota
580	RSABadValueCorrupt
581	RSABadValueTooLong
582	RSABadValueTooShort
583	RSABadValueWrongVersion1
584	RSABadValueWrongVersion2
585	RSABadValueWrongBlockType
586	RSABadValueWrongLeadingByte
587	RSABadValueNoZero
588	NumRSABadValues
589)
590
591type ProtocolBugs struct {
592	// InvalidSignature specifies that the signature in a ServerKeyExchange
593	// or CertificateVerify message should be invalid.
594	InvalidSignature bool
595
596	// SendCurve, if non-zero, causes the server to send the specified curve
597	// ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather
598	// than the negotiated one.
599	SendCurve CurveID
600
601	// InvalidECDHPoint, if true, causes the ECC points in
602	// ServerKeyExchange or ClientKeyExchange messages to be invalid.
603	InvalidECDHPoint bool
604
605	// BadECDSAR controls ways in which the 'r' value of an ECDSA signature
606	// can be invalid.
607	BadECDSAR BadValue
608	BadECDSAS BadValue
609
610	// MaxPadding causes CBC records to have the maximum possible padding.
611	MaxPadding bool
612	// PaddingFirstByteBad causes the first byte of the padding to be
613	// incorrect.
614	PaddingFirstByteBad bool
615	// PaddingFirstByteBadIf255 causes the first byte of padding to be
616	// incorrect if there's a maximum amount of padding (i.e. 255 bytes).
617	PaddingFirstByteBadIf255 bool
618
619	// FailIfNotFallbackSCSV causes a server handshake to fail if the
620	// client doesn't send the fallback SCSV value.
621	FailIfNotFallbackSCSV bool
622
623	// DuplicateExtension causes an extra empty extension of bogus type to
624	// be emitted in either the ClientHello or the ServerHello.
625	DuplicateExtension bool
626
627	// UnauthenticatedECDH causes the server to pretend ECDHE_RSA
628	// and ECDHE_ECDSA cipher suites are actually ECDH_anon. No
629	// Certificate message is sent and no signature is added to
630	// ServerKeyExchange.
631	UnauthenticatedECDH bool
632
633	// SkipHelloVerifyRequest causes a DTLS server to skip the
634	// HelloVerifyRequest message.
635	SkipHelloVerifyRequest bool
636
637	// SkipCertificateStatus, if true, causes the server to skip the
638	// CertificateStatus message. This is legal because CertificateStatus is
639	// optional, even with a status_request in ServerHello.
640	SkipCertificateStatus bool
641
642	// SkipServerKeyExchange causes the server to skip sending
643	// ServerKeyExchange messages.
644	SkipServerKeyExchange bool
645
646	// SkipNewSessionTicket causes the server to skip sending the
647	// NewSessionTicket message despite promising to in ServerHello.
648	SkipNewSessionTicket bool
649
650	// UseFirstSessionTicket causes the client to cache only the first session
651	// ticket received.
652	UseFirstSessionTicket bool
653
654	// SkipClientCertificate causes the client to skip the Certificate
655	// message.
656	SkipClientCertificate bool
657
658	// SkipChangeCipherSpec causes the implementation to skip
659	// sending the ChangeCipherSpec message (and adjusting cipher
660	// state accordingly for the Finished message).
661	SkipChangeCipherSpec bool
662
663	// SkipFinished causes the implementation to skip sending the Finished
664	// message.
665	SkipFinished bool
666
667	// SkipEndOfEarlyData causes the implementation to skip
668	// end_of_early_data.
669	SkipEndOfEarlyData bool
670
671	// NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the
672	// EndOfEarlyData.
673	NonEmptyEndOfEarlyData bool
674
675	// SkipCertificateVerify, if true causes peer to skip sending a
676	// CertificateVerify message after the Certificate message.
677	SkipCertificateVerify bool
678
679	// EarlyChangeCipherSpec causes the client to send an early
680	// ChangeCipherSpec message before the ClientKeyExchange. A value of
681	// zero disables this behavior. One and two configure variants for
682	// 1.0.1 and 0.9.8 modes, respectively.
683	EarlyChangeCipherSpec int
684
685	// StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake
686	// message in DTLS to be prefaced by stray ChangeCipherSpec record. This
687	// may be used to test DTLS's handling of reordered ChangeCipherSpec.
688	StrayChangeCipherSpec bool
689
690	// ReorderChangeCipherSpec causes the ChangeCipherSpec message to be
691	// sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec,
692	// the cipher change happens at the usual time.
693	ReorderChangeCipherSpec bool
694
695	// FragmentAcrossChangeCipherSpec causes the implementation to fragment
696	// the Finished (or NextProto) message around the ChangeCipherSpec
697	// messages.
698	FragmentAcrossChangeCipherSpec bool
699
700	// SendExtraChangeCipherSpec causes the implementation to send extra
701	// ChangeCipherSpec messages.
702	SendExtraChangeCipherSpec int
703
704	// SendPostHandshakeChangeCipherSpec causes the implementation to send
705	// a ChangeCipherSpec record before every application data record.
706	SendPostHandshakeChangeCipherSpec bool
707
708	// SendUnencryptedFinished, if true, causes the Finished message to be
709	// send unencrypted before ChangeCipherSpec rather than after it.
710	SendUnencryptedFinished bool
711
712	// PartialEncryptedExtensionsWithServerHello, if true, causes the TLS
713	// 1.3 server to send part of EncryptedExtensions unencrypted
714	// in the same record as ServerHello.
715	PartialEncryptedExtensionsWithServerHello bool
716
717	// PartialClientFinishedWithClientHello, if true, causes the TLS 1.2
718	// or TLS 1.3 client to send part of Finished unencrypted in the same
719	// record as ClientHello.
720	PartialClientFinishedWithClientHello bool
721
722	// PartialClientFinishedWithSecondClientHello, if true, causes the
723	// TLS 1.3 client to send part of Finished unencrypted in the same
724	// record as the second ClientHello.
725	PartialClientFinishedWithSecondClientHello bool
726
727	// PartialEndOfEarlyDataWithClientHello, if true, causes the TLS 1.3
728	// client to send part of EndOfEarlyData unencrypted in the same record
729	// as ClientHello.
730	PartialEndOfEarlyDataWithClientHello bool
731
732	// PartialSecondClientHelloAfterFirst, if true, causes the TLS 1.3 client
733	// to send part of the second ClientHello in the same record as the first
734	// one.
735	PartialSecondClientHelloAfterFirst bool
736
737	// PartialClientKeyExchangeWithClientHello, if true, causes the TLS 1.2
738	// client to send part of the ClientKeyExchange in the same record as
739	// the ClientHello.
740	PartialClientKeyExchangeWithClientHello bool
741
742	// PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2
743	// server to send part of the NewSessionTicket in the same record as
744	// ServerHelloDone.
745	PartialNewSessionTicketWithServerHelloDone bool
746
747	// PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2
748	// server to send part of the Finshed in the same record as ServerHelloDone.
749	PartialFinishedWithServerHelloDone bool
750
751	// PartialServerHelloWithHelloRetryRequest, if true, causes the TLS 1.3
752	// server to send part of the ServerHello in the same record as
753	// HelloRetryRequest.
754	PartialServerHelloWithHelloRetryRequest bool
755
756	// TrailingDataWithFinished, if true, causes the record containing the
757	// Finished message to include an extra byte of data at the end.
758	TrailingDataWithFinished bool
759
760	// SendV2ClientHello causes the client to send a V2ClientHello
761	// instead of a normal ClientHello.
762	SendV2ClientHello bool
763
764	// SendFallbackSCSV causes the client to include
765	// TLS_FALLBACK_SCSV in the ClientHello.
766	SendFallbackSCSV bool
767
768	// SendRenegotiationSCSV causes the client to include the renegotiation
769	// SCSV in the ClientHello.
770	SendRenegotiationSCSV bool
771
772	// MaxHandshakeRecordLength, if non-zero, is the maximum size of a
773	// handshake record. Handshake messages will be split into multiple
774	// records at the specified size, except that the client_version will
775	// never be fragmented. For DTLS, it is the maximum handshake fragment
776	// size, not record size; DTLS allows multiple handshake fragments in a
777	// single handshake record. See |PackHandshakeFragments|.
778	MaxHandshakeRecordLength int
779
780	// FragmentClientVersion will allow MaxHandshakeRecordLength to apply to
781	// the first 6 bytes of the ClientHello.
782	FragmentClientVersion bool
783
784	// FragmentAlert will cause all alerts to be fragmented across
785	// two records.
786	FragmentAlert bool
787
788	// DoubleAlert will cause all alerts to be sent as two copies packed
789	// within one record.
790	DoubleAlert bool
791
792	// SendSpuriousAlert, if non-zero, will cause an spurious, unwanted
793	// alert to be sent.
794	SendSpuriousAlert alert
795
796	// BadRSAClientKeyExchange causes the client to send a corrupted RSA
797	// ClientKeyExchange which would not pass padding checks.
798	BadRSAClientKeyExchange RSABadValue
799
800	// RenewTicketOnResume causes the server to renew the session ticket and
801	// send a NewSessionTicket message during an abbreviated handshake.
802	RenewTicketOnResume bool
803
804	// SendClientVersion, if non-zero, causes the client to send the
805	// specified value in the ClientHello version field.
806	SendClientVersion uint16
807
808	// OmitSupportedVersions, if true, causes the client to omit the
809	// supported versions extension.
810	OmitSupportedVersions bool
811
812	// SendSupportedVersions, if non-empty, causes the client to send a
813	// supported versions extension with the values from array.
814	SendSupportedVersions []uint16
815
816	// NegotiateVersion, if non-zero, causes the server to negotiate the
817	// specifed wire version rather than the version supported by either
818	// peer.
819	NegotiateVersion uint16
820
821	// NegotiateVersionOnRenego, if non-zero, causes the server to negotiate
822	// the specified wire version on renegotiation rather than retaining it.
823	NegotiateVersionOnRenego uint16
824
825	// ExpectFalseStart causes the server to, on full handshakes,
826	// expect the peer to False Start; the server Finished message
827	// isn't sent until we receive an application data record
828	// from the peer.
829	ExpectFalseStart bool
830
831	// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
832	// handshakes, send an alert just before reading the application data
833	// record to test False Start. This can be used in a negative False
834	// Start test to determine whether the peer processed the alert (and
835	// closed the connection) before or after sending app data.
836	AlertBeforeFalseStartTest alert
837
838	// ExpectServerName, if not empty, is the hostname the client
839	// must specify in the server_name extension.
840	ExpectServerName string
841
842	// ExpectClientECH causes the server to expect the peer to send an
843	// encrypted_client_hello extension containing a ClientECH structure.
844	ExpectClientECH bool
845
846	// ExpectServerAcceptECH causes the client to expect that the server will
847	// indicate ECH acceptance in the ServerHello.
848	ExpectServerAcceptECH bool
849
850	// SendECHRetryConfigs, if not empty, contains the ECH server's serialized
851	// retry configs.
852	SendECHRetryConfigs []byte
853
854	// SendEncryptedClientHello, when true, causes the client to send a
855	// placeholder encrypted_client_hello extension on the ClientHelloOuter
856	// message.
857	SendPlaceholderEncryptedClientHello bool
858
859	// SendECHIsInner, when non-nil, causes the client to send an ech_is_inner
860	// extension on the ClientHelloOuter message. When nil, the extension will
861	// be omitted.
862	SendECHIsInner []byte
863
864	// SwapNPNAndALPN switches the relative order between NPN and ALPN in
865	// both ClientHello and ServerHello.
866	SwapNPNAndALPN bool
867
868	// ALPNProtocol, if not nil, sets the ALPN protocol that a server will
869	// return.
870	ALPNProtocol *string
871
872	// AlwaysNegotiateApplicationSettings, if true, causes the server to
873	// negotiate ALPS for a protocol even if the client did not support it or
874	// the version is wrong.
875	AlwaysNegotiateApplicationSettings bool
876
877	// SendApplicationSettingsWithEarlyData, if true, causes the client and
878	// server to send the application_settings extension with early data,
879	// rather than letting them implicitly carry over.
880	SendApplicationSettingsWithEarlyData bool
881
882	// AlwaysSendClientEncryptedExtension, if true, causes the client to always
883	// send a, possibly empty, client EncryptedExtensions message.
884	AlwaysSendClientEncryptedExtensions bool
885
886	// OmitClientEncryptedExtensions, if true, causes the client to omit the
887	// client EncryptedExtensions message.
888	OmitClientEncryptedExtensions bool
889
890	// OmitClientApplicationSettings, if true, causes the client to omit the
891	// application_settings extension but still send EncryptedExtensions.
892	OmitClientApplicationSettings bool
893
894	// SendExtraClientEncryptedExtension, if true, causes the client to
895	// include an unsolicited extension in the client EncryptedExtensions
896	// message.
897	SendExtraClientEncryptedExtension bool
898
899	// AcceptAnySession causes the server to resume sessions regardless of
900	// the version associated with the session or cipher suite. It also
901	// causes the server to look in both TLS 1.2 and 1.3 extensions to
902	// process a ticket.
903	AcceptAnySession bool
904
905	// SendBothTickets, if true, causes the client to send tickets in both
906	// TLS 1.2 and 1.3 extensions.
907	SendBothTickets bool
908
909	// FilterTicket, if not nil, causes the client to modify a session
910	// ticket before sending it in a resume handshake.
911	FilterTicket func([]byte) ([]byte, error)
912
913	// TicketSessionIDLength, if non-zero, is the length of the session ID
914	// to send with a ticket resumption offer.
915	TicketSessionIDLength int
916
917	// EmptyTicketSessionID, if true, causes the client to send an empty
918	// session ID with a ticket resumption offer. For simplicity, this will
919	// also cause the client to interpret a ServerHello with empty session
920	// ID as a resumption. (A client which sends empty session ID is
921	// normally expected to look ahead for ChangeCipherSpec.)
922	EmptyTicketSessionID bool
923
924	// SendClientHelloSessionID, if not nil, is the session ID sent in the
925	// ClientHello.
926	SendClientHelloSessionID []byte
927
928	// ExpectClientHelloSessionID, if true, causes the server to fail the
929	// connection if there is not a session ID in the ClientHello.
930	ExpectClientHelloSessionID bool
931
932	// EchoSessionIDInFullHandshake, if true, causes the server to echo the
933	// ClientHello session ID, even in TLS 1.2 full handshakes.
934	EchoSessionIDInFullHandshake bool
935
936	// ExpectNoTLS12Session, if true, causes the server to fail the
937	// connection if either a session ID or TLS 1.2 ticket is offered.
938	ExpectNoTLS12Session bool
939
940	// ExpectNoTLS13PSK, if true, causes the server to fail the connection
941	// if a TLS 1.3 PSK is offered.
942	ExpectNoTLS13PSK bool
943
944	// ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection
945	// if a TLS 1.3 PSK is offered after HRR.
946	ExpectNoTLS13PSKAfterHRR bool
947
948	// RequireExtendedMasterSecret, if true, requires that the peer support
949	// the extended master secret option.
950	RequireExtendedMasterSecret bool
951
952	// NoExtendedMasterSecret causes the client and server to behave as if
953	// they didn't support an extended master secret in the initial
954	// handshake.
955	NoExtendedMasterSecret bool
956
957	// NoExtendedMasterSecretOnRenegotiation causes the client and server to
958	// behave as if they didn't support an extended master secret in
959	// renegotiation handshakes.
960	NoExtendedMasterSecretOnRenegotiation bool
961
962	// EmptyRenegotiationInfo causes the renegotiation extension to be
963	// empty in a renegotiation handshake.
964	EmptyRenegotiationInfo bool
965
966	// BadRenegotiationInfo causes the renegotiation extension value in a
967	// renegotiation handshake to be incorrect at the start.
968	BadRenegotiationInfo bool
969
970	// BadRenegotiationInfoEnd causes the renegotiation extension value in
971	// a renegotiation handshake to be incorrect at the end.
972	BadRenegotiationInfoEnd bool
973
974	// NoRenegotiationInfo disables renegotiation info support in all
975	// handshakes.
976	NoRenegotiationInfo bool
977
978	// NoRenegotiationInfoInInitial disables renegotiation info support in
979	// the initial handshake.
980	NoRenegotiationInfoInInitial bool
981
982	// NoRenegotiationInfoAfterInitial disables renegotiation info support
983	// in renegotiation handshakes.
984	NoRenegotiationInfoAfterInitial bool
985
986	// RequireRenegotiationInfo, if true, causes the client to return an
987	// error if the server doesn't reply with the renegotiation extension.
988	RequireRenegotiationInfo bool
989
990	// SequenceNumberMapping, if non-nil, is the mapping function to apply
991	// to the sequence number of outgoing packets. For both TLS and DTLS,
992	// the two most-significant bytes in the resulting sequence number are
993	// ignored so that the DTLS epoch cannot be changed.
994	SequenceNumberMapping func(uint64) uint64
995
996	// RSAEphemeralKey, if true, causes the server to send a
997	// ServerKeyExchange message containing an ephemeral key (as in
998	// RSA_EXPORT) in the plain RSA key exchange.
999	RSAEphemeralKey bool
1000
1001	// SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the
1002	// client offers when negotiating SRTP. MKI support is still missing so
1003	// the peer must still send none.
1004	SRTPMasterKeyIdentifer string
1005
1006	// SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the
1007	// server sends in the ServerHello instead of the negotiated one.
1008	SendSRTPProtectionProfile uint16
1009
1010	// NoSignatureAlgorithms, if true, causes the client to omit the
1011	// signature and hashes extension.
1012	//
1013	// For a server, it will cause an empty list to be sent in the
1014	// CertificateRequest message. None the less, the configured set will
1015	// still be enforced.
1016	NoSignatureAlgorithms bool
1017
1018	// NoSupportedCurves, if true, causes the client to omit the
1019	// supported_curves extension.
1020	NoSupportedCurves bool
1021
1022	// RequireSameRenegoClientVersion, if true, causes the server
1023	// to require that all ClientHellos match in offered version
1024	// across a renego.
1025	RequireSameRenegoClientVersion bool
1026
1027	// ExpectInitialRecordVersion, if non-zero, is the expected value of
1028	// record-layer version field before the protocol version is determined.
1029	ExpectInitialRecordVersion uint16
1030
1031	// SendRecordVersion, if non-zero, is the value to send as the
1032	// record-layer version.
1033	SendRecordVersion uint16
1034
1035	// SendInitialRecordVersion, if non-zero, is the value to send as the
1036	// record-layer version before the protocol version is determined.
1037	SendInitialRecordVersion uint16
1038
1039	// MaxPacketLength, if non-zero, is the maximum acceptable size for a
1040	// packet.
1041	MaxPacketLength int
1042
1043	// SendCipherSuite, if non-zero, is the cipher suite value that the
1044	// server will send in the ServerHello. This does not affect the cipher
1045	// the server believes it has actually negotiated.
1046	SendCipherSuite uint16
1047
1048	// SendCipherSuites, if not nil, is the cipher suite list that the
1049	// client will send in the ClientHello. This does not affect the cipher
1050	// the client believes it has actually offered.
1051	SendCipherSuites []uint16
1052
1053	// AppDataBeforeHandshake, if not nil, causes application data to be
1054	// sent immediately before the first handshake message.
1055	AppDataBeforeHandshake []byte
1056
1057	// AppDataAfterChangeCipherSpec, if not nil, causes application data to
1058	// be sent immediately after ChangeCipherSpec.
1059	AppDataAfterChangeCipherSpec []byte
1060
1061	// AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent
1062	// immediately after ChangeCipherSpec.
1063	AlertAfterChangeCipherSpec alert
1064
1065	// TimeoutSchedule is the schedule of packet drops and simulated
1066	// timeouts for before each handshake leg from the peer.
1067	TimeoutSchedule []time.Duration
1068
1069	// PacketAdaptor is the packetAdaptor to use to simulate timeouts.
1070	PacketAdaptor *packetAdaptor
1071
1072	// MockQUICTransport is the mockQUICTransport used when testing
1073	// QUIC interfaces.
1074	MockQUICTransport *mockQUICTransport
1075
1076	// ReorderHandshakeFragments, if true, causes handshake fragments in
1077	// DTLS to overlap and be sent in the wrong order. It also causes
1078	// pre-CCS flights to be sent twice. (Post-CCS flights consist of
1079	// Finished and will trigger a spurious retransmit.)
1080	ReorderHandshakeFragments bool
1081
1082	// ReverseHandshakeFragments, if true, causes handshake fragments in
1083	// DTLS to be reversed within a flight.
1084	ReverseHandshakeFragments bool
1085
1086	// MixCompleteMessageWithFragments, if true, causes handshake
1087	// messages in DTLS to redundantly both fragment the message
1088	// and include a copy of the full one.
1089	MixCompleteMessageWithFragments bool
1090
1091	// RetransmitFinished, if true, causes the DTLS Finished message to be
1092	// sent twice.
1093	RetransmitFinished bool
1094
1095	// SendInvalidRecordType, if true, causes a record with an invalid
1096	// content type to be sent immediately following the handshake.
1097	SendInvalidRecordType bool
1098
1099	// SendWrongMessageType, if non-zero, causes messages of the specified
1100	// type to be sent with the wrong value.
1101	SendWrongMessageType byte
1102
1103	// SendTrailingMessageData, if non-zero, causes messages of the
1104	// specified type to be sent with trailing data.
1105	SendTrailingMessageData byte
1106
1107	// FragmentMessageTypeMismatch, if true, causes all non-initial
1108	// handshake fragments in DTLS to have the wrong message type.
1109	FragmentMessageTypeMismatch bool
1110
1111	// FragmentMessageLengthMismatch, if true, causes all non-initial
1112	// handshake fragments in DTLS to have the wrong message length.
1113	FragmentMessageLengthMismatch bool
1114
1115	// SplitFragments, if non-zero, causes the handshake fragments in DTLS
1116	// to be split across two records. The value of |SplitFragments| is the
1117	// number of bytes in the first fragment.
1118	SplitFragments int
1119
1120	// SendEmptyFragments, if true, causes handshakes to include empty
1121	// fragments in DTLS.
1122	SendEmptyFragments bool
1123
1124	// SendSplitAlert, if true, causes an alert to be sent with the header
1125	// and record body split across multiple packets. The peer should
1126	// discard these packets rather than process it.
1127	SendSplitAlert bool
1128
1129	// FailIfResumeOnRenego, if true, causes renegotiations to fail if the
1130	// client offers a resumption or the server accepts one.
1131	FailIfResumeOnRenego bool
1132
1133	// IgnorePeerCipherPreferences, if true, causes the peer's cipher
1134	// preferences to be ignored.
1135	IgnorePeerCipherPreferences bool
1136
1137	// IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's
1138	// signature algorithm preferences to be ignored.
1139	IgnorePeerSignatureAlgorithmPreferences bool
1140
1141	// IgnorePeerCurvePreferences, if true, causes the peer's curve
1142	// preferences to be ignored.
1143	IgnorePeerCurvePreferences bool
1144
1145	// BadFinished, if true, causes the Finished hash to be broken.
1146	BadFinished bool
1147
1148	// PackHandshakeFragments, if true, causes handshake fragments in DTLS
1149	// to be packed into individual handshake records, up to the specified
1150	// record size.
1151	PackHandshakeFragments int
1152
1153	// PackHandshakeRecords, if non-zero, causes handshake and
1154	// ChangeCipherSpec records in DTLS to be packed into individual
1155	// packets, up to the specified packet size.
1156	PackHandshakeRecords int
1157
1158	// PackAppDataWithHandshake, if true, extends PackHandshakeRecords to
1159	// additionally include the first application data record sent after the
1160	// final Finished message in a handshake. (If the final Finished message
1161	// is sent by the peer, this option has no effect.) This requires that
1162	// the runner rather than shim speak first in a given test.
1163	PackAppDataWithHandshake bool
1164
1165	// SplitAndPackAppData, if true, causes application data in DTLS to be
1166	// split into two records each and packed into one packet.
1167	SplitAndPackAppData bool
1168
1169	// PackHandshakeFlight, if true, causes each handshake flight in TLS to
1170	// be packed into records, up to the largest size record available.
1171	PackHandshakeFlight bool
1172
1173	// AdvertiseAllConfiguredCiphers, if true, causes the client to
1174	// advertise all configured cipher suite values.
1175	AdvertiseAllConfiguredCiphers bool
1176
1177	// EmptyCertificateList, if true, causes the server to send an empty
1178	// certificate list in the Certificate message.
1179	EmptyCertificateList bool
1180
1181	// ExpectNewTicket, if true, causes the client to abort if it does not
1182	// receive a new ticket.
1183	ExpectNewTicket bool
1184
1185	// RequireClientHelloSize, if not zero, is the required length in bytes
1186	// of the ClientHello /record/. This is checked by the server.
1187	RequireClientHelloSize int
1188
1189	// CustomExtension, if not empty, contains the contents of an extension
1190	// that will be added to client/server hellos.
1191	CustomExtension string
1192
1193	// CustomUnencryptedExtension, if not empty, contains the contents of
1194	// an extension that will be added to ServerHello in TLS 1.3.
1195	CustomUnencryptedExtension string
1196
1197	// ExpectedCustomExtension, if not nil, contains the expected contents
1198	// of a custom extension.
1199	ExpectedCustomExtension *string
1200
1201	// CustomTicketExtension, if not empty, contains the contents of an
1202	// extension what will be added to NewSessionTicket in TLS 1.3.
1203	CustomTicketExtension string
1204
1205	// CustomTicketExtension, if not empty, contains the contents of an
1206	// extension what will be added to HelloRetryRequest in TLS 1.3.
1207	CustomHelloRetryRequestExtension string
1208
1209	// NoCloseNotify, if true, causes the close_notify alert to be skipped
1210	// on connection shutdown.
1211	NoCloseNotify bool
1212
1213	// SendAlertOnShutdown, if non-zero, is the alert to send instead of
1214	// close_notify on shutdown.
1215	SendAlertOnShutdown alert
1216
1217	// ExpectCloseNotify, if true, requires a close_notify from the peer on
1218	// shutdown. Records from the peer received after close_notify is sent
1219	// are not discard.
1220	ExpectCloseNotify bool
1221
1222	// SendLargeRecords, if true, allows outgoing records to be sent
1223	// arbitrarily large.
1224	SendLargeRecords bool
1225
1226	// NegotiateALPNAndNPN, if true, causes the server to negotiate both
1227	// ALPN and NPN in the same connetion.
1228	NegotiateALPNAndNPN bool
1229
1230	// SendALPN, if non-empty, causes the server to send the specified
1231	// string in the ALPN extension regardless of the content or presence of
1232	// the client offer.
1233	SendALPN string
1234
1235	// SendUnencryptedALPN, if non-empty, causes the server to send the
1236	// specified string in a ServerHello ALPN extension in TLS 1.3.
1237	SendUnencryptedALPN string
1238
1239	// SendEmptySessionTicket, if true, causes the server to send an empty
1240	// session ticket.
1241	SendEmptySessionTicket bool
1242
1243	// SendPSKKeyExchangeModes, if present, determines the PSK key exchange modes
1244	// to send.
1245	SendPSKKeyExchangeModes []byte
1246
1247	// ExpectNoNewSessionTicket, if present, means that the client will fail upon
1248	// receipt of a NewSessionTicket message.
1249	ExpectNoNewSessionTicket bool
1250
1251	// DuplicateTicketEarlyData causes an extra empty extension of early_data to
1252	// be sent in NewSessionTicket.
1253	DuplicateTicketEarlyData bool
1254
1255	// ExpectTicketEarlyData, if true, means that the client will fail upon
1256	// absence of the early_data extension.
1257	ExpectTicketEarlyData bool
1258
1259	// ExpectTicketAge, if non-zero, is the expected age of the ticket that the
1260	// server receives from the client.
1261	ExpectTicketAge time.Duration
1262
1263	// SendTicketAge, if non-zero, is the ticket age to be sent by the
1264	// client.
1265	SendTicketAge time.Duration
1266
1267	// FailIfSessionOffered, if true, causes the server to fail any
1268	// connections where the client offers a non-empty session ID or session
1269	// ticket.
1270	FailIfSessionOffered bool
1271
1272	// SendHelloRequestBeforeEveryAppDataRecord, if true, causes a
1273	// HelloRequest handshake message to be sent before each application
1274	// data record. This only makes sense for a server.
1275	SendHelloRequestBeforeEveryAppDataRecord bool
1276
1277	// SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a
1278	// HelloRequest handshake message to be sent before each handshake
1279	// message. This only makes sense for a server.
1280	SendHelloRequestBeforeEveryHandshakeMessage bool
1281
1282	// BadChangeCipherSpec, if not nil, is the body to be sent in
1283	// ChangeCipherSpec records instead of {1}.
1284	BadChangeCipherSpec []byte
1285
1286	// BadHelloRequest, if not nil, is what to send instead of a
1287	// HelloRequest.
1288	BadHelloRequest []byte
1289
1290	// RequireSessionTickets, if true, causes the client to require new
1291	// sessions use session tickets instead of session IDs.
1292	RequireSessionTickets bool
1293
1294	// RequireSessionIDs, if true, causes the client to require new sessions use
1295	// session IDs instead of session tickets.
1296	RequireSessionIDs bool
1297
1298	// NullAllCiphers, if true, causes every cipher to behave like the null
1299	// cipher.
1300	NullAllCiphers bool
1301
1302	// SendSCTListOnResume, if not nil, causes the server to send the
1303	// supplied SCT list in resumption handshakes.
1304	SendSCTListOnResume []byte
1305
1306	// SendSCTListOnRenegotiation, if not nil, causes the server to send the
1307	// supplied SCT list on renegotiation.
1308	SendSCTListOnRenegotiation []byte
1309
1310	// SendOCSPResponseOnResume, if not nil, causes the server to advertise
1311	// OCSP stapling in resumption handshakes and, if applicable, send the
1312	// supplied stapled response.
1313	SendOCSPResponseOnResume []byte
1314
1315	// SendOCSPResponseOnResume, if not nil, causes the server to send the
1316	// supplied OCSP response on renegotiation.
1317	SendOCSPResponseOnRenegotiation []byte
1318
1319	// SendExtensionOnCertificate, if not nil, causes the runner to send the
1320	// supplied bytes in the extensions on the Certificate message.
1321	SendExtensionOnCertificate []byte
1322
1323	// SendOCSPOnIntermediates, if not nil, causes the server to send the
1324	// supplied OCSP on intermediate certificates in the Certificate message.
1325	SendOCSPOnIntermediates []byte
1326
1327	// SendSCTOnIntermediates, if not nil, causes the server to send the
1328	// supplied SCT on intermediate certificates in the Certificate message.
1329	SendSCTOnIntermediates []byte
1330
1331	// SendDuplicateCertExtensions, if true, causes the server to send an extra
1332	// copy of the OCSP/SCT extensions in the Certificate message.
1333	SendDuplicateCertExtensions bool
1334
1335	// ExpectNoExtensionsOnIntermediate, if true, causes the client to
1336	// reject extensions on intermediate certificates.
1337	ExpectNoExtensionsOnIntermediate bool
1338
1339	// RecordPadding is the number of bytes of padding to add to each
1340	// encrypted record in TLS 1.3.
1341	RecordPadding int
1342
1343	// OmitRecordContents, if true, causes encrypted records in TLS 1.3 to
1344	// be missing their body and content type. Padding, if configured, is
1345	// still added.
1346	OmitRecordContents bool
1347
1348	// OuterRecordType, if non-zero, is the outer record type to use instead
1349	// of application data.
1350	OuterRecordType recordType
1351
1352	// SendSignatureAlgorithm, if non-zero, causes all signatures to be sent
1353	// with the given signature algorithm rather than the one negotiated.
1354	SendSignatureAlgorithm signatureAlgorithm
1355
1356	// SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be
1357	// skipped.
1358	SkipECDSACurveCheck bool
1359
1360	// IgnoreSignatureVersionChecks, if true, causes all signature
1361	// algorithms to be enabled at all TLS versions.
1362	IgnoreSignatureVersionChecks bool
1363
1364	// NegotiateRenegotiationInfoAtAllVersions, if true, causes
1365	// Renegotiation Info to be negotiated at all versions.
1366	NegotiateRenegotiationInfoAtAllVersions bool
1367
1368	// NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at
1369	// all versions.
1370	NegotiateNPNAtAllVersions bool
1371
1372	// NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at
1373	// all versions.
1374	NegotiateEMSAtAllVersions bool
1375
1376	// AdvertiseTicketExtension, if true, causes the ticket extension to be
1377	// advertised in server extensions
1378	AdvertiseTicketExtension bool
1379
1380	// NegotiatePSKResumption, if true, causes the server to attempt pure PSK
1381	// resumption.
1382	NegotiatePSKResumption bool
1383
1384	// AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to
1385	// always acknowledge a session, regardless of one was offered.
1386	AlwaysSelectPSKIdentity bool
1387
1388	// SelectPSKIdentityOnResume, if non-zero, causes the server to select
1389	// the specified PSK identity index rather than the actual value.
1390	SelectPSKIdentityOnResume uint16
1391
1392	// ExtraPSKIdentity, if true, causes the client to send an extra PSK
1393	// identity.
1394	ExtraPSKIdentity bool
1395
1396	// MissingKeyShare, if true, causes the TLS 1.3 implementation to skip
1397	// sending a key_share extension and use the zero ECDHE secret
1398	// instead.
1399	MissingKeyShare bool
1400
1401	// SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3
1402	// ClientHello to skip sending a key_share extension and use the zero
1403	// ECDHE secret instead.
1404	SecondClientHelloMissingKeyShare bool
1405
1406	// MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3
1407	// client to pretend the server requested a HelloRetryRequest with the
1408	// given curve rather than the actual one.
1409	MisinterpretHelloRetryRequestCurve CurveID
1410
1411	// DuplicateKeyShares, if true, causes the TLS 1.3 client to send two
1412	// copies of each KeyShareEntry.
1413	DuplicateKeyShares bool
1414
1415	// SendEarlyAlert, if true, sends a fatal alert after the ClientHello.
1416	SendEarlyAlert bool
1417
1418	// SendFakeEarlyDataLength, if non-zero, is the amount of early data to
1419	// send after the ClientHello.
1420	SendFakeEarlyDataLength int
1421
1422	// SendStrayEarlyHandshake, if non-zero, causes the client to send a stray
1423	// handshake record before sending end of early data.
1424	SendStrayEarlyHandshake bool
1425
1426	// OmitEarlyDataExtension, if true, causes the early data extension to
1427	// be omitted in the ClientHello.
1428	OmitEarlyDataExtension bool
1429
1430	// SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to
1431	// send early data after the second ClientHello.
1432	SendEarlyDataOnSecondClientHello bool
1433
1434	// InterleaveEarlyData, if true, causes the TLS 1.3 client to send early
1435	// data interleaved with the second ClientHello and the client Finished.
1436	InterleaveEarlyData bool
1437
1438	// SendEarlyData causes a TLS 1.3 client to send the provided data
1439	// in application data records immediately after the ClientHello,
1440	// provided that the client offers a TLS 1.3 session. It will do this
1441	// whether or not the server advertised early data for the ticket.
1442	SendEarlyData [][]byte
1443
1444	// ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data
1445	// was accepted by the server.
1446	ExpectEarlyDataAccepted bool
1447
1448	// AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data
1449	// regardless of ALPN mismatch.
1450	AlwaysAcceptEarlyData bool
1451
1452	// AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data.
1453	AlwaysRejectEarlyData bool
1454
1455	// SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the
1456	// early_data extension in EncryptedExtensions, independent of whether
1457	// it was accepted.
1458	SendEarlyDataExtension bool
1459
1460	// ExpectEarlyData causes a TLS 1.3 server to read application
1461	// data after the ClientHello (assuming the server is able to
1462	// derive the key under which the data is encrypted) before it
1463	// sends a ServerHello. It checks that the application data it
1464	// reads matches what is provided in ExpectEarlyData and errors if
1465	// the number of records or their content do not match.
1466	ExpectEarlyData [][]byte
1467
1468	// ExpectLateEarlyData causes a TLS 1.3 server to read application
1469	// data after the ServerFinished (assuming the server is able to
1470	// derive the key under which the data is encrypted) before it
1471	// sends the ClientFinished. It checks that the application data it
1472	// reads matches what is provided in ExpectLateEarlyData and errors if
1473	// the number of records or their content do not match.
1474	ExpectLateEarlyData [][]byte
1475
1476	// SendHalfRTTData causes a TLS 1.3 server to send the provided
1477	// data in application data records before reading the client's
1478	// Finished message.
1479	SendHalfRTTData [][]byte
1480
1481	// ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to
1482	// read application data after reading the server's Finished message and
1483	// before sending any subsequent handshake messages. It checks that the
1484	// application data it reads matches what is provided in
1485	// ExpectHalfRTTData and errors if the number of records or their
1486	// content do not match.
1487	ExpectHalfRTTData [][]byte
1488
1489	// EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to
1490	// emit an empty EncryptedExtensions block.
1491	EmptyEncryptedExtensions bool
1492
1493	// EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to
1494	// include the KeyShare extension in the EncryptedExtensions block.
1495	EncryptedExtensionsWithKeyShare bool
1496
1497	// AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to
1498	// be sent by the server, even if empty.
1499	AlwaysSendHelloRetryRequest bool
1500
1501	// SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send
1502	// two HelloRetryRequests instead of one.
1503	SecondHelloRetryRequest bool
1504
1505	// SendHelloRetryRequestCurve, if non-zero, causes the server to send
1506	// the specified curve in a HelloRetryRequest.
1507	SendHelloRetryRequestCurve CurveID
1508
1509	// SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send
1510	// the specified cipher suite in a HelloRetryRequest.
1511	SendHelloRetryRequestCipherSuite uint16
1512
1513	// SendHelloRetryRequestCookie, if not nil, contains a cookie to be
1514	// sent by the server in HelloRetryRequest.
1515	SendHelloRetryRequestCookie []byte
1516
1517	// DuplicateHelloRetryRequestExtensions, if true, causes all
1518	// HelloRetryRequest extensions to be sent twice.
1519	DuplicateHelloRetryRequestExtensions bool
1520
1521	// SendServerHelloVersion, if non-zero, causes the server to send the
1522	// specified value in ServerHello version field.
1523	SendServerHelloVersion uint16
1524
1525	// SendServerSupportedVersionExtension, if non-zero, causes the server to send
1526	// the specified value in supported_versions extension in the ServerHello (but
1527	// not the HelloRetryRequest).
1528	SendServerSupportedVersionExtension uint16
1529
1530	// OmitServerSupportedVersionExtension, if true, causes the server to
1531	// omit the supported_versions extension in the ServerHello (but not the
1532	// HelloRetryRequest)
1533	OmitServerSupportedVersionExtension bool
1534
1535	// SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send
1536	// HelloRetryRequest.
1537	SkipHelloRetryRequest bool
1538
1539	// PackHelloRequestWithFinished, if true, causes the TLS server to send
1540	// HelloRequest in the same record as Finished.
1541	PackHelloRequestWithFinished bool
1542
1543	// ExpectMissingKeyShare, if true, causes the TLS server to fail the
1544	// connection if the selected curve appears in the client's initial
1545	// ClientHello. That is, it requires that a HelloRetryRequest be sent.
1546	ExpectMissingKeyShare bool
1547
1548	// SendExtraFinished, if true, causes an extra Finished message to be
1549	// sent.
1550	SendExtraFinished bool
1551
1552	// SendRequestContext, if not empty, is the request context to send in
1553	// a TLS 1.3 CertificateRequest.
1554	SendRequestContext []byte
1555
1556	// OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm
1557	// extension in a TLS 1.3 CertificateRequest.
1558	OmitCertificateRequestAlgorithms bool
1559
1560	// SendCustomCertificateRequest, if non-zero, send an additional custom
1561	// extension in a TLS 1.3 CertificateRequest.
1562	SendCustomCertificateRequest uint16
1563
1564	// SendSNIWarningAlert, if true, causes the server to send an
1565	// unrecognized_name alert before the ServerHello.
1566	SendSNIWarningAlert bool
1567
1568	// SendCompressionMethods, if not nil, is the compression method list to
1569	// send in the ClientHello.
1570	SendCompressionMethods []byte
1571
1572	// SendCompressionMethod is the compression method to send in the
1573	// ServerHello.
1574	SendCompressionMethod byte
1575
1576	// AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to
1577	// always send a ServerKeyExchange for PSK ciphers, even if the identity
1578	// hint is empty.
1579	AlwaysSendPreSharedKeyIdentityHint bool
1580
1581	// TrailingKeyShareData, if true, causes the client key share list to
1582	// include a trailing byte.
1583	TrailingKeyShareData bool
1584
1585	// InvalidChannelIDSignature, if true, causes the client to generate an
1586	// invalid Channel ID signature.
1587	InvalidChannelIDSignature bool
1588
1589	// ExpectGREASE, if true, causes messages without GREASE values to be
1590	// rejected. See draft-davidben-tls-grease-01.
1591	ExpectGREASE bool
1592
1593	// OmitPSKsOnSecondClientHello, if true, causes the client to omit the
1594	// PSK extension on the second ClientHello.
1595	OmitPSKsOnSecondClientHello bool
1596
1597	// OnlyCorruptSecondPSKBinder, if true, causes the options below to
1598	// only apply to the second PSK binder.
1599	OnlyCorruptSecondPSKBinder bool
1600
1601	// SendShortPSKBinder, if true, causes the client to send a PSK binder
1602	// that is one byte shorter than it should be.
1603	SendShortPSKBinder bool
1604
1605	// SendInvalidPSKBinder, if true, causes the client to send an invalid
1606	// PSK binder.
1607	SendInvalidPSKBinder bool
1608
1609	// SendNoPSKBinder, if true, causes the client to send no PSK binders.
1610	SendNoPSKBinder bool
1611
1612	// SendExtraPSKBinder, if true, causes the client to send an extra PSK
1613	// binder.
1614	SendExtraPSKBinder bool
1615
1616	// PSKBinderFirst, if true, causes the client to send the PSK Binder
1617	// extension as the first extension instead of the last extension.
1618	PSKBinderFirst bool
1619
1620	// NoOCSPStapling, if true, causes the client to not request OCSP
1621	// stapling.
1622	NoOCSPStapling bool
1623
1624	// NoSignedCertificateTimestamps, if true, causes the client to not
1625	// request signed certificate timestamps.
1626	NoSignedCertificateTimestamps bool
1627
1628	// SendSupportedPointFormats, if not nil, is the list of supported point
1629	// formats to send in ClientHello or ServerHello. If set to a non-nil
1630	// empty slice, no extension will be sent.
1631	SendSupportedPointFormats []byte
1632
1633	// SendServerSupportedCurves, if true, causes the server to send its
1634	// supported curves list in the ServerHello (TLS 1.2) or
1635	// EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and
1636	// valid in TLS 1.3.
1637	SendServerSupportedCurves bool
1638
1639	// MaxReceivePlaintext, if non-zero, is the maximum plaintext record
1640	// length accepted from the peer.
1641	MaxReceivePlaintext int
1642
1643	// ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally
1644	// pack their encrypted handshake messages, fitting at most the
1645	// specified number of plaintext bytes per record.
1646	ExpectPackedEncryptedHandshake int
1647
1648	// SendTicketLifetime, if non-zero, is the ticket lifetime to send in
1649	// NewSessionTicket messages.
1650	SendTicketLifetime time.Duration
1651
1652	// SendServerNameAck, if true, causes the server to acknowledge the SNI
1653	// extension.
1654	SendServerNameAck bool
1655
1656	// ExpectCertificateReqNames, if not nil, contains the list of X.509
1657	// names that must be sent in a CertificateRequest from the server.
1658	ExpectCertificateReqNames [][]byte
1659
1660	// RenegotiationCertificate, if not nil, is the certificate to use on
1661	// renegotiation handshakes.
1662	RenegotiationCertificate *Certificate
1663
1664	// ExpectNoCertificateAuthoritiesExtension, if true, causes the client to
1665	// reject CertificateRequest with the CertificateAuthorities extension.
1666	ExpectNoCertificateAuthoritiesExtension bool
1667
1668	// UseLegacySigningAlgorithm, if non-zero, is the signature algorithm
1669	// to use when signing in TLS 1.1 and earlier where algorithms are not
1670	// negotiated.
1671	UseLegacySigningAlgorithm signatureAlgorithm
1672
1673	// SendServerHelloAsHelloRetryRequest, if true, causes the server to
1674	// send ServerHello messages with a HelloRetryRequest type field.
1675	SendServerHelloAsHelloRetryRequest bool
1676
1677	// RejectUnsolicitedKeyUpdate, if true, causes all unsolicited
1678	// KeyUpdates from the peer to be rejected.
1679	RejectUnsolicitedKeyUpdate bool
1680
1681	// OmitExtensions, if true, causes the extensions field in ClientHello
1682	// and ServerHello messages to be omitted.
1683	OmitExtensions bool
1684
1685	// EmptyExtensions, if true, causes the extensions field in ClientHello
1686	// and ServerHello messages to be present, but empty.
1687	EmptyExtensions bool
1688
1689	// ExpectOmitExtensions, if true, causes the client to reject
1690	// ServerHello messages that do not omit extensions.
1691	ExpectOmitExtensions bool
1692
1693	// ExpectRecordSplitting, if true, causes application records to only be
1694	// accepted if they follow a 1/n-1 record split.
1695	ExpectRecordSplitting bool
1696
1697	// PadClientHello, if non-zero, pads the ClientHello to a multiple of
1698	// that many bytes.
1699	PadClientHello int
1700
1701	// SendTLS13DowngradeRandom, if true, causes the server to send the
1702	// TLS 1.3 anti-downgrade signal.
1703	SendTLS13DowngradeRandom bool
1704
1705	// CheckTLS13DowngradeRandom, if true, causes the client to check the
1706	// TLS 1.3 anti-downgrade signal regardless of its variant.
1707	CheckTLS13DowngradeRandom bool
1708
1709	// IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the
1710	// TLS 1.3 anti-downgrade signal.
1711	IgnoreTLS13DowngradeRandom bool
1712
1713	// SendCompressedCoordinates, if true, causes ECDH key shares over NIST
1714	// curves to use compressed coordinates.
1715	SendCompressedCoordinates bool
1716
1717	// SetX25519HighBit, if true, causes X25519 key shares to set their
1718	// high-order bit.
1719	SetX25519HighBit bool
1720
1721	// DuplicateCompressedCertAlgs, if true, causes two, equal, certificate
1722	// compression algorithm IDs to be sent.
1723	DuplicateCompressedCertAlgs bool
1724
1725	// ExpectedCompressedCert specifies the compression algorithm ID that must be
1726	// used on this connection, or zero if there are no special requirements.
1727	ExpectedCompressedCert uint16
1728
1729	// SendCertCompressionAlgID, if not zero, sets the algorithm ID that will be
1730	// sent in the compressed certificate message.
1731	SendCertCompressionAlgID uint16
1732
1733	// SendCertUncompressedLength, if not zero, sets the uncompressed length that
1734	// will be sent in the compressed certificate message.
1735	SendCertUncompressedLength uint32
1736
1737	// SendClientHelloWithFixes, if not nil, sends the specified byte string
1738	// instead of the ClientHello. This string is incorporated into the
1739	// transcript as if it were the real ClientHello, but the handshake will
1740	// otherwise behave as if this was not sent in terms of what ciphers it
1741	// will accept, etc.
1742	//
1743	// The input is modified to match key share entries. DefaultCurves must
1744	// be configured to match. The random and session ID fields are
1745	// extracted from the ClientHello.
1746	SendClientHelloWithFixes []byte
1747
1748	// SendJDK11DowngradeRandom, if true, causes the server to send the JDK
1749	// 11 downgrade signal.
1750	SendJDK11DowngradeRandom bool
1751
1752	// ExpectJDK11DowngradeRandom is whether the client should expect the
1753	// server to send the JDK 11 downgrade signal.
1754	ExpectJDK11DowngradeRandom bool
1755
1756	// FailIfHelloRetryRequested causes a handshake failure if a server requests a
1757	// hello retry.
1758	FailIfHelloRetryRequested bool
1759
1760	// FailedIfCECPQ2Offered will cause a server to reject a ClientHello if CECPQ2
1761	// is supported.
1762	FailIfCECPQ2Offered bool
1763
1764	// ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello
1765	// should have key shares for.
1766	ExpectedKeyShares []CurveID
1767
1768	// ExpectDelegatedCredentials, if true, requires that the handshake present
1769	// delegated credentials.
1770	ExpectDelegatedCredentials bool
1771
1772	// FailIfDelegatedCredentials, if true, causes a handshake failure if the
1773	// server returns delegated credentials.
1774	FailIfDelegatedCredentials bool
1775
1776	// DisableDelegatedCredentials, if true, disables client support for delegated
1777	// credentials.
1778	DisableDelegatedCredentials bool
1779
1780	// CompatModeWithQUIC, if true, enables TLS 1.3 compatibility mode
1781	// when running over QUIC.
1782	CompatModeWithQUIC bool
1783}
1784
1785func (c *Config) serverInit() {
1786	if c.SessionTicketsDisabled {
1787		return
1788	}
1789
1790	// If the key has already been set then we have nothing to do.
1791	for _, b := range c.SessionTicketKey {
1792		if b != 0 {
1793			return
1794		}
1795	}
1796
1797	if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
1798		c.SessionTicketsDisabled = true
1799	}
1800}
1801
1802func (c *Config) rand() io.Reader {
1803	r := c.Rand
1804	if r == nil {
1805		return rand.Reader
1806	}
1807	return r
1808}
1809
1810func (c *Config) time() time.Time {
1811	t := c.Time
1812	if t == nil {
1813		t = time.Now
1814	}
1815	return t()
1816}
1817
1818func (c *Config) cipherSuites() []uint16 {
1819	s := c.CipherSuites
1820	if s == nil {
1821		s = defaultCipherSuites()
1822	}
1823	return s
1824}
1825
1826func (c *Config) minVersion(isDTLS bool) uint16 {
1827	ret := uint16(minVersion)
1828	if c != nil && c.MinVersion != 0 {
1829		ret = c.MinVersion
1830	}
1831	if isDTLS {
1832		// The lowest version of DTLS is 1.0. There is no DSSL 3.0.
1833		if ret < VersionTLS10 {
1834			return VersionTLS10
1835		}
1836		// There is no such thing as DTLS 1.1.
1837		if ret == VersionTLS11 {
1838			return VersionTLS12
1839		}
1840	}
1841	return ret
1842}
1843
1844func (c *Config) maxVersion(isDTLS bool) uint16 {
1845	ret := uint16(maxVersion)
1846	if c != nil && c.MaxVersion != 0 {
1847		ret = c.MaxVersion
1848	}
1849	if isDTLS {
1850		// We only implement up to DTLS 1.2.
1851		if ret > VersionTLS12 {
1852			return VersionTLS12
1853		}
1854		// There is no such thing as DTLS 1.1.
1855		if ret == VersionTLS11 {
1856			return VersionTLS10
1857		}
1858	}
1859	return ret
1860}
1861
1862var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
1863
1864func (c *Config) curvePreferences() []CurveID {
1865	if c == nil || len(c.CurvePreferences) == 0 {
1866		return defaultCurvePreferences
1867	}
1868	return c.CurvePreferences
1869}
1870
1871func (c *Config) defaultCurves() map[CurveID]bool {
1872	defaultCurves := make(map[CurveID]bool)
1873	curves := c.DefaultCurves
1874	if c == nil || c.DefaultCurves == nil {
1875		curves = c.curvePreferences()
1876	}
1877	for _, curveID := range curves {
1878		defaultCurves[curveID] = true
1879	}
1880	return defaultCurves
1881}
1882
1883func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
1884	if isDTLS {
1885		switch vers {
1886		case VersionDTLS12:
1887			return VersionTLS12, true
1888		case VersionDTLS10:
1889			return VersionTLS10, true
1890		}
1891	} else {
1892		switch vers {
1893		case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13:
1894			return vers, true
1895		}
1896	}
1897
1898	return 0, false
1899}
1900
1901// isSupportedVersion checks if the specified wire version is acceptable. If so,
1902// it returns true and the corresponding protocol version. Otherwise, it returns
1903// false.
1904func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
1905	vers, ok := wireToVersion(wireVers, isDTLS)
1906	if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) {
1907		return 0, false
1908	}
1909	return vers, true
1910}
1911
1912func (c *Config) supportedVersions(isDTLS bool) []uint16 {
1913	versions := allTLSWireVersions
1914	if isDTLS {
1915		versions = allDTLSWireVersions
1916	}
1917	var ret []uint16
1918	for _, vers := range versions {
1919		if _, ok := c.isSupportedVersion(vers, isDTLS); ok {
1920			ret = append(ret, vers)
1921		}
1922	}
1923	return ret
1924}
1925
1926// getCertificateForName returns the best certificate for the given name,
1927// defaulting to the first element of c.Certificates if there are no good
1928// options.
1929func (c *Config) getCertificateForName(name string) *Certificate {
1930	if len(c.Certificates) == 1 || c.NameToCertificate == nil {
1931		// There's only one choice, so no point doing any work.
1932		return &c.Certificates[0]
1933	}
1934
1935	name = strings.ToLower(name)
1936	for len(name) > 0 && name[len(name)-1] == '.' {
1937		name = name[:len(name)-1]
1938	}
1939
1940	if cert, ok := c.NameToCertificate[name]; ok {
1941		return cert
1942	}
1943
1944	// try replacing labels in the name with wildcards until we get a
1945	// match.
1946	labels := strings.Split(name, ".")
1947	for i := range labels {
1948		labels[i] = "*"
1949		candidate := strings.Join(labels, ".")
1950		if cert, ok := c.NameToCertificate[candidate]; ok {
1951			return cert
1952		}
1953	}
1954
1955	// If nothing matches, return the first certificate.
1956	return &c.Certificates[0]
1957}
1958
1959func (c *Config) signSignatureAlgorithms() []signatureAlgorithm {
1960	if c != nil && c.SignSignatureAlgorithms != nil {
1961		return c.SignSignatureAlgorithms
1962	}
1963	return supportedSignatureAlgorithms
1964}
1965
1966func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm {
1967	if c != nil && c.VerifySignatureAlgorithms != nil {
1968		return c.VerifySignatureAlgorithms
1969	}
1970	return supportedSignatureAlgorithms
1971}
1972
1973// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
1974// from the CommonName and SubjectAlternateName fields of each of the leaf
1975// certificates.
1976func (c *Config) BuildNameToCertificate() {
1977	c.NameToCertificate = make(map[string]*Certificate)
1978	for i := range c.Certificates {
1979		cert := &c.Certificates[i]
1980		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
1981		if err != nil {
1982			continue
1983		}
1984		if len(x509Cert.Subject.CommonName) > 0 {
1985			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
1986		}
1987		for _, san := range x509Cert.DNSNames {
1988			c.NameToCertificate[san] = cert
1989		}
1990	}
1991}
1992
1993// A Certificate is a chain of one or more certificates, leaf first.
1994type Certificate struct {
1995	Certificate [][]byte
1996	PrivateKey  crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey
1997	// OCSPStaple contains an optional OCSP response which will be served
1998	// to clients that request it.
1999	OCSPStaple []byte
2000	// SignedCertificateTimestampList contains an optional encoded
2001	// SignedCertificateTimestampList structure which will be
2002	// served to clients that request it.
2003	SignedCertificateTimestampList []byte
2004	// Leaf is the parsed form of the leaf certificate, which may be
2005	// initialized using x509.ParseCertificate to reduce per-handshake
2006	// processing for TLS clients doing client authentication. If nil, the
2007	// leaf certificate will be parsed as needed.
2008	Leaf *x509.Certificate
2009}
2010
2011// A TLS record.
2012type record struct {
2013	contentType  recordType
2014	major, minor uint8
2015	payload      []byte
2016}
2017
2018type handshakeMessage interface {
2019	marshal() []byte
2020	unmarshal([]byte) bool
2021}
2022
2023// lruSessionCache is a client or server session cache implementation
2024// that uses an LRU caching strategy.
2025type lruSessionCache struct {
2026	sync.Mutex
2027
2028	m        map[string]*list.Element
2029	q        *list.List
2030	capacity int
2031}
2032
2033type lruSessionCacheEntry struct {
2034	sessionKey string
2035	state      interface{}
2036}
2037
2038// Put adds the provided (sessionKey, cs) pair to the cache.
2039func (c *lruSessionCache) Put(sessionKey string, cs interface{}) {
2040	c.Lock()
2041	defer c.Unlock()
2042
2043	if elem, ok := c.m[sessionKey]; ok {
2044		entry := elem.Value.(*lruSessionCacheEntry)
2045		entry.state = cs
2046		c.q.MoveToFront(elem)
2047		return
2048	}
2049
2050	if c.q.Len() < c.capacity {
2051		entry := &lruSessionCacheEntry{sessionKey, cs}
2052		c.m[sessionKey] = c.q.PushFront(entry)
2053		return
2054	}
2055
2056	elem := c.q.Back()
2057	entry := elem.Value.(*lruSessionCacheEntry)
2058	delete(c.m, entry.sessionKey)
2059	entry.sessionKey = sessionKey
2060	entry.state = cs
2061	c.q.MoveToFront(elem)
2062	c.m[sessionKey] = elem
2063}
2064
2065// Get returns the value associated with a given key. It returns (nil,
2066// false) if no value is found.
2067func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) {
2068	c.Lock()
2069	defer c.Unlock()
2070
2071	if elem, ok := c.m[sessionKey]; ok {
2072		c.q.MoveToFront(elem)
2073		return elem.Value.(*lruSessionCacheEntry).state, true
2074	}
2075	return nil, false
2076}
2077
2078// lruClientSessionCache is a ClientSessionCache implementation that
2079// uses an LRU caching strategy.
2080type lruClientSessionCache struct {
2081	lruSessionCache
2082}
2083
2084func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) {
2085	c.lruSessionCache.Put(sessionKey, cs)
2086}
2087
2088func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
2089	cs, ok := c.lruSessionCache.Get(sessionKey)
2090	if !ok {
2091		return nil, false
2092	}
2093	return cs.(*ClientSessionState), true
2094}
2095
2096// lruServerSessionCache is a ServerSessionCache implementation that
2097// uses an LRU caching strategy.
2098type lruServerSessionCache struct {
2099	lruSessionCache
2100}
2101
2102func (c *lruServerSessionCache) Put(sessionID string, session *sessionState) {
2103	c.lruSessionCache.Put(sessionID, session)
2104}
2105
2106func (c *lruServerSessionCache) Get(sessionID string) (*sessionState, bool) {
2107	cs, ok := c.lruSessionCache.Get(sessionID)
2108	if !ok {
2109		return nil, false
2110	}
2111	return cs.(*sessionState), true
2112}
2113
2114// NewLRUClientSessionCache returns a ClientSessionCache with the given
2115// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
2116// is used instead.
2117func NewLRUClientSessionCache(capacity int) ClientSessionCache {
2118	const defaultSessionCacheCapacity = 64
2119
2120	if capacity < 1 {
2121		capacity = defaultSessionCacheCapacity
2122	}
2123	return &lruClientSessionCache{
2124		lruSessionCache{
2125			m:        make(map[string]*list.Element),
2126			q:        list.New(),
2127			capacity: capacity,
2128		},
2129	}
2130}
2131
2132// NewLRUServerSessionCache returns a ServerSessionCache with the given
2133// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
2134// is used instead.
2135func NewLRUServerSessionCache(capacity int) ServerSessionCache {
2136	const defaultSessionCacheCapacity = 64
2137
2138	if capacity < 1 {
2139		capacity = defaultSessionCacheCapacity
2140	}
2141	return &lruServerSessionCache{
2142		lruSessionCache{
2143			m:        make(map[string]*list.Element),
2144			q:        list.New(),
2145			capacity: capacity,
2146		},
2147	}
2148}
2149
2150// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
2151type dsaSignature struct {
2152	R, S *big.Int
2153}
2154
2155type ecdsaSignature dsaSignature
2156
2157var emptyConfig Config
2158
2159func defaultConfig() *Config {
2160	return &emptyConfig
2161}
2162
2163var (
2164	once                   sync.Once
2165	varDefaultCipherSuites []uint16
2166)
2167
2168func defaultCipherSuites() []uint16 {
2169	once.Do(initDefaultCipherSuites)
2170	return varDefaultCipherSuites
2171}
2172
2173func initDefaultCipherSuites() {
2174	for _, suite := range cipherSuites {
2175		if suite.flags&suitePSK == 0 {
2176			varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
2177		}
2178	}
2179}
2180
2181func unexpectedMessageError(wanted, got interface{}) error {
2182	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
2183}
2184
2185func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool {
2186	for _, s := range sigAlgs {
2187		if s == sigAlg {
2188			return true
2189		}
2190	}
2191	return false
2192}
2193
2194var (
2195	// See RFC 8446, section 4.1.3.
2196	downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
2197	downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
2198
2199	// This is a non-standard randomly-generated value.
2200	downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff}
2201)
2202
2203func containsGREASE(values []uint16) bool {
2204	for _, v := range values {
2205		if isGREASEValue(v) {
2206			return true
2207		}
2208	}
2209	return false
2210}
2211