1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "container/list" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/rand" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "math/big" 16 "strings" 17 "sync" 18 "time" 19 20 "boringssl.googlesource.com/boringssl/ssl/test/runner/hpke" 21) 22 23const ( 24 VersionSSL30 = 0x0300 25 VersionTLS10 = 0x0301 26 VersionTLS11 = 0x0302 27 VersionTLS12 = 0x0303 28 VersionTLS13 = 0x0304 29) 30 31const ( 32 VersionDTLS10 = 0xfeff 33 VersionDTLS12 = 0xfefd 34) 35 36var allTLSWireVersions = []uint16{ 37 VersionTLS13, 38 VersionTLS12, 39 VersionTLS11, 40 VersionTLS10, 41 VersionSSL30, 42} 43 44var allDTLSWireVersions = []uint16{ 45 VersionDTLS12, 46 VersionDTLS10, 47} 48 49const ( 50 maxPlaintext = 16384 // maximum plaintext payload length 51 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length 52 tlsRecordHeaderLen = 5 // record header length 53 dtlsRecordHeaderLen = 13 54 maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) 55 56 minVersion = VersionSSL30 57 maxVersion = VersionTLS13 58) 59 60// TLS record types. 61type recordType uint8 62 63const ( 64 recordTypeChangeCipherSpec recordType = 20 65 recordTypeAlert recordType = 21 66 recordTypeHandshake recordType = 22 67 recordTypeApplicationData recordType = 23 68 recordTypePlaintextHandshake recordType = 24 69) 70 71// TLS handshake message types. 72const ( 73 typeHelloRequest uint8 = 0 74 typeClientHello uint8 = 1 75 typeServerHello uint8 = 2 76 typeHelloVerifyRequest uint8 = 3 77 typeNewSessionTicket uint8 = 4 78 typeEndOfEarlyData uint8 = 5 79 typeEncryptedExtensions uint8 = 8 80 typeCertificate uint8 = 11 81 typeServerKeyExchange uint8 = 12 82 typeCertificateRequest uint8 = 13 83 typeServerHelloDone uint8 = 14 84 typeCertificateVerify uint8 = 15 85 typeClientKeyExchange uint8 = 16 86 typeFinished uint8 = 20 87 typeCertificateStatus uint8 = 22 88 typeKeyUpdate uint8 = 24 89 typeCompressedCertificate uint8 = 25 // Not IANA assigned 90 typeNextProtocol uint8 = 67 // Not IANA assigned 91 typeChannelID uint8 = 203 // Not IANA assigned 92 typeMessageHash uint8 = 254 93) 94 95// TLS compression types. 96const ( 97 compressionNone uint8 = 0 98) 99 100// TLS extension numbers 101const ( 102 extensionServerName uint16 = 0 103 extensionStatusRequest uint16 = 5 104 extensionSupportedCurves uint16 = 10 105 extensionSupportedPoints uint16 = 11 106 extensionSignatureAlgorithms uint16 = 13 107 extensionUseSRTP uint16 = 14 108 extensionALPN uint16 = 16 109 extensionSignedCertificateTimestamp uint16 = 18 110 extensionPadding uint16 = 21 111 extensionExtendedMasterSecret uint16 = 23 112 extensionCompressedCertAlgs uint16 = 27 113 extensionSessionTicket uint16 = 35 114 extensionPreSharedKey uint16 = 41 115 extensionEarlyData uint16 = 42 116 extensionSupportedVersions uint16 = 43 117 extensionCookie uint16 = 44 118 extensionPSKKeyExchangeModes uint16 = 45 119 extensionCertificateAuthorities uint16 = 47 120 extensionSignatureAlgorithmsCert uint16 = 50 121 extensionKeyShare uint16 = 51 122 extensionQUICTransportParams uint16 = 57 123 extensionCustom uint16 = 1234 // not IANA assigned 124 extensionNextProtoNeg uint16 = 13172 // not IANA assigned 125 extensionApplicationSettings uint16 = 17513 // not IANA assigned 126 extensionRenegotiationInfo uint16 = 0xff01 127 extensionQUICTransportParamsLegacy uint16 = 0xffa5 // draft-ietf-quic-tls-32 and earlier 128 extensionChannelID uint16 = 30032 // not IANA assigned 129 extensionDelegatedCredentials uint16 = 0x22 // draft-ietf-tls-subcerts-06 130 extensionDuplicate uint16 = 0xffff // not IANA assigned 131 extensionEncryptedClientHello uint16 = 0xfe0d // not IANA assigned 132 extensionECHOuterExtensions uint16 = 0xfd00 // not IANA assigned 133) 134 135// TLS signaling cipher suite values 136const ( 137 scsvRenegotiation uint16 = 0x00ff 138) 139 140var tls13HelloRetryRequest = []uint8{ 141 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 142 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 143 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 144} 145 146// CurveID is the type of a TLS identifier for an elliptic curve. See 147// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 148type CurveID uint16 149 150const ( 151 CurveP224 CurveID = 21 152 CurveP256 CurveID = 23 153 CurveP384 CurveID = 24 154 CurveP521 CurveID = 25 155 CurveX25519 CurveID = 29 156 CurveCECPQ2 CurveID = 16696 157) 158 159// TLS Elliptic Curve Point Formats 160// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 161const ( 162 pointFormatUncompressed uint8 = 0 163 pointFormatCompressedPrime uint8 = 1 164) 165 166// TLS CertificateStatusType (RFC 3546) 167const ( 168 statusTypeOCSP uint8 = 1 169) 170 171// Certificate types (for certificateRequestMsg) 172const ( 173 CertTypeRSASign = 1 // A certificate containing an RSA key 174 CertTypeDSSSign = 2 // A certificate containing a DSA key 175 CertTypeRSAFixedDH = 3 // A certificate containing a static DH key 176 CertTypeDSSFixedDH = 4 // A certificate containing a static DH key 177 178 // See RFC 4492 sections 3 and 5.5. 179 CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. 180 CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. 181 CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. 182 183 // Rest of these are reserved by the TLS spec 184) 185 186// signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note 187// that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with 188// TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature 189// algorithms' throughout. We match the latter. 190type signatureAlgorithm uint16 191 192const ( 193 // RSASSA-PKCS1-v1_5 algorithms 194 signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101 195 signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201 196 signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401 197 signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501 198 signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601 199 200 // ECDSA algorithms 201 signatureECDSAWithSHA1 signatureAlgorithm = 0x0203 202 signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403 203 signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503 204 signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603 205 206 // RSASSA-PSS algorithms 207 signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804 208 signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805 209 signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806 210 211 // EdDSA algorithms 212 signatureEd25519 signatureAlgorithm = 0x0807 213 signatureEd448 signatureAlgorithm = 0x0808 214) 215 216// supportedSignatureAlgorithms contains the default supported signature 217// algorithms. 218var supportedSignatureAlgorithms = []signatureAlgorithm{ 219 signatureRSAPSSWithSHA256, 220 signatureRSAPKCS1WithSHA256, 221 signatureECDSAWithP256AndSHA256, 222 signatureRSAPKCS1WithSHA1, 223 signatureECDSAWithSHA1, 224 signatureEd25519, 225} 226 227// SRTP protection profiles (See RFC 5764, section 4.1.2) 228const ( 229 SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 230 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 231) 232 233// PskKeyExchangeMode values (see RFC 8446, section 4.2.9) 234const ( 235 pskKEMode = 0 236 pskDHEKEMode = 1 237) 238 239// KeyUpdateRequest values (see RFC 8446, section 4.6.3) 240const ( 241 keyUpdateNotRequested = 0 242 keyUpdateRequested = 1 243) 244 245// draft-ietf-tls-esni-13, sections 7.2 and 7.2.1. 246const echAcceptConfirmationLength = 8 247 248// ConnectionState records basic TLS details about the connection. 249type ConnectionState struct { 250 Version uint16 // TLS version used by the connection (e.g. VersionTLS12) 251 HandshakeComplete bool // TLS handshake is complete 252 DidResume bool // connection resumes a previous TLS connection 253 CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) 254 NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) 255 NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server 256 NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN 257 ServerName string // server name requested by client, if any (server side only) 258 PeerCertificates []*x509.Certificate // certificate chain presented by remote peer 259 VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates 260 OCSPResponse []byte // stapled OCSP response from the peer, if any 261 ChannelID *ecdsa.PublicKey // the channel ID for this connection 262 SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile 263 TLSUnique []byte // the tls-unique channel binding 264 SCTList []byte // signed certificate timestamp list 265 PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake 266 CurveID CurveID // the curve used in ECDHE 267 QUICTransportParams []byte // the QUIC transport params received from the peer 268 QUICTransportParamsLegacy []byte // the legacy QUIC transport params received from the peer 269 HasApplicationSettings bool // whether ALPS was negotiated 270 PeerApplicationSettings []byte // application settings received from the peer 271 ECHAccepted bool // whether ECH was accepted on this connection 272} 273 274// ClientAuthType declares the policy the server will follow for 275// TLS Client Authentication. 276type ClientAuthType int 277 278const ( 279 NoClientCert ClientAuthType = iota 280 RequestClientCert 281 RequireAnyClientCert 282 VerifyClientCertIfGiven 283 RequireAndVerifyClientCert 284) 285 286// ClientSessionState contains the state needed by clients to resume TLS 287// sessions. 288type ClientSessionState struct { 289 sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. 290 sessionTicket []uint8 // Encrypted ticket used for session resumption with server 291 vers uint16 // SSL/TLS version negotiated for the session 292 wireVersion uint16 // Wire SSL/TLS version negotiated for the session 293 cipherSuite *cipherSuite // Ciphersuite negotiated for the session 294 secret []byte // Secret associated with the session 295 handshakeHash []byte // Handshake hash for Channel ID purposes. 296 serverCertificates []*x509.Certificate // Certificate chain presented by the server 297 extendedMasterSecret bool // Whether an extended master secret was used to generate the session 298 sctList []byte 299 ocspResponse []byte 300 earlyALPN string 301 ticketCreationTime time.Time 302 ticketExpiration time.Time 303 ticketAgeAdd uint32 304 maxEarlyDataSize uint32 305 hasApplicationSettings bool 306 localApplicationSettings []byte 307 peerApplicationSettings []byte 308} 309 310// ClientSessionCache is a cache of ClientSessionState objects that can be used 311// by a client to resume a TLS session with a given server. ClientSessionCache 312// implementations should expect to be called concurrently from different 313// goroutines. 314type ClientSessionCache interface { 315 // Get searches for a ClientSessionState associated with the given key. 316 // On return, ok is true if one was found. 317 Get(sessionKey string) (session *ClientSessionState, ok bool) 318 319 // Put adds the ClientSessionState to the cache with the given key. 320 Put(sessionKey string, cs *ClientSessionState) 321} 322 323// ServerSessionCache is a cache of sessionState objects that can be used by a 324// client to resume a TLS session with a given server. ServerSessionCache 325// implementations should expect to be called concurrently from different 326// goroutines. 327type ServerSessionCache interface { 328 // Get searches for a sessionState associated with the given session 329 // ID. On return, ok is true if one was found. 330 Get(sessionID string) (session *sessionState, ok bool) 331 332 // Put adds the sessionState to the cache with the given session ID. 333 Put(sessionID string, session *sessionState) 334} 335 336// CertCompressionAlg is a certificate compression algorithm, specified as a 337// pair of functions for compressing and decompressing certificates. 338type CertCompressionAlg struct { 339 // Compress returns a compressed representation of the input. 340 Compress func([]byte) []byte 341 // Decompress depresses the contents of in and writes the result to out, which 342 // will be the correct size. It returns true on success and false otherwise. 343 Decompress func(out, in []byte) bool 344} 345 346// QUICUseCodepoint controls which TLS extension codepoint is used to convey the 347// QUIC transport parameters. QUICUseCodepointStandard means use 57, 348// QUICUseCodepointLegacy means use legacy value 0xff5a, QUICUseCodepointBoth 349// means use both. QUICUseCodepointNeither means do not send transport 350// parameters. 351type QUICUseCodepoint int 352 353const ( 354 QUICUseCodepointStandard QUICUseCodepoint = iota 355 QUICUseCodepointLegacy 356 QUICUseCodepointBoth 357 QUICUseCodepointNeither 358 NumQUICUseCodepoints 359) 360 361func (c QUICUseCodepoint) IncludeStandard() bool { 362 return c == QUICUseCodepointStandard || c == QUICUseCodepointBoth 363} 364 365func (c QUICUseCodepoint) IncludeLegacy() bool { 366 return c == QUICUseCodepointLegacy || c == QUICUseCodepointBoth 367} 368 369func (c QUICUseCodepoint) String() string { 370 switch c { 371 case QUICUseCodepointStandard: 372 return "Standard" 373 case QUICUseCodepointLegacy: 374 return "Legacy" 375 case QUICUseCodepointBoth: 376 return "Both" 377 case QUICUseCodepointNeither: 378 return "Neither" 379 } 380 panic("unknown value") 381} 382 383// A Config structure is used to configure a TLS client or server. 384// After one has been passed to a TLS function it must not be 385// modified. A Config may be reused; the tls package will also not 386// modify it. 387type Config struct { 388 // Rand provides the source of entropy for nonces and RSA blinding. 389 // If Rand is nil, TLS uses the cryptographic random reader in package 390 // crypto/rand. 391 // The Reader must be safe for use by multiple goroutines. 392 Rand io.Reader 393 394 // Time returns the current time as the number of seconds since the epoch. 395 // If Time is nil, TLS uses time.Now. 396 Time func() time.Time 397 398 // Certificates contains one or more certificate chains 399 // to present to the other side of the connection. 400 // Server configurations must include at least one certificate. 401 Certificates []Certificate 402 403 // NameToCertificate maps from a certificate name to an element of 404 // Certificates. Note that a certificate name can be of the form 405 // '*.example.com' and so doesn't have to be a domain name as such. 406 // See Config.BuildNameToCertificate 407 // The nil value causes the first element of Certificates to be used 408 // for all connections. 409 NameToCertificate map[string]*Certificate 410 411 // RootCAs defines the set of root certificate authorities 412 // that clients use when verifying server certificates. 413 // If RootCAs is nil, TLS uses the host's root CA set. 414 RootCAs *x509.CertPool 415 416 // NextProtos is a list of supported, application level protocols. 417 NextProtos []string 418 419 // ApplicationSettings is a set of application settings to use which each 420 // application protocol. 421 ApplicationSettings map[string][]byte 422 423 // ServerName is used to verify the hostname on the returned 424 // certificates unless InsecureSkipVerify is given. It is also included 425 // in the client's handshake to support virtual hosting. 426 ServerName string 427 428 // ClientECHConfig, when non-nil, is the ECHConfig the client will use to 429 // attempt ECH. 430 ClientECHConfig *ECHConfig 431 432 // ECHCipherSuites, for the client, is the list of HPKE cipher suites in 433 // decreasing order of preference. If empty, the default will be used. 434 ECHCipherSuites []HPKECipherSuite 435 436 // ServerECHConfigs is the server's list of ECHConfig values with 437 // corresponding secret keys. 438 ServerECHConfigs []ServerECHConfig 439 440 // ECHOuterExtensions is the list of extensions that the client will 441 // compress with the ech_outer_extensions extension. If empty, no extensions 442 // will be compressed. 443 ECHOuterExtensions []uint16 444 445 // ClientAuth determines the server's policy for 446 // TLS Client Authentication. The default is NoClientCert. 447 ClientAuth ClientAuthType 448 449 // ClientCAs defines the set of root certificate authorities 450 // that servers use if required to verify a client certificate 451 // by the policy in ClientAuth. 452 ClientCAs *x509.CertPool 453 454 // ClientCertificateTypes defines the set of allowed client certificate 455 // types. The default is CertTypeRSASign and CertTypeECDSASign. 456 ClientCertificateTypes []byte 457 458 // InsecureSkipVerify controls whether a client verifies the 459 // server's certificate chain and host name. 460 // If InsecureSkipVerify is true, TLS accepts any certificate 461 // presented by the server and any host name in that certificate. 462 // In this mode, TLS is susceptible to man-in-the-middle attacks. 463 // This should be used only for testing. 464 InsecureSkipVerify bool 465 466 // CipherSuites is a list of supported cipher suites. If CipherSuites 467 // is nil, TLS uses a list of suites supported by the implementation. 468 CipherSuites []uint16 469 470 // PreferServerCipherSuites controls whether the server selects the 471 // client's most preferred ciphersuite, or the server's most preferred 472 // ciphersuite. If true then the server's preference, as expressed in 473 // the order of elements in CipherSuites, is used. 474 PreferServerCipherSuites bool 475 476 // SessionTicketsDisabled may be set to true to disable session ticket 477 // (resumption) support. 478 SessionTicketsDisabled bool 479 480 // SessionTicketKey is used by TLS servers to provide session 481 // resumption. See RFC 5077. If zero, it will be filled with 482 // random data before the first server handshake. 483 // 484 // If multiple servers are terminating connections for the same host 485 // they should all have the same SessionTicketKey. If the 486 // SessionTicketKey leaks, previously recorded and future TLS 487 // connections using that key are compromised. 488 SessionTicketKey [32]byte 489 490 // ClientSessionCache is a cache of ClientSessionState entries 491 // for TLS session resumption. 492 ClientSessionCache ClientSessionCache 493 494 // ServerSessionCache is a cache of sessionState entries for TLS session 495 // resumption. 496 ServerSessionCache ServerSessionCache 497 498 // MinVersion contains the minimum SSL/TLS version that is acceptable. 499 // If zero, then SSLv3 is taken as the minimum. 500 MinVersion uint16 501 502 // MaxVersion contains the maximum SSL/TLS version that is acceptable. 503 // If zero, then the maximum version supported by this package is used, 504 // which is currently TLS 1.2. 505 MaxVersion uint16 506 507 // CurvePreferences contains the elliptic curves that will be used in 508 // an ECDHE handshake, in preference order. If empty, the default will 509 // be used. 510 CurvePreferences []CurveID 511 512 // DefaultCurves contains the elliptic curves for which public values will 513 // be sent in the ClientHello's KeyShare extension. If this value is nil, 514 // all supported curves will have public values sent. This field is ignored 515 // on servers. 516 DefaultCurves []CurveID 517 518 // ChannelID contains the ECDSA key for the client to use as 519 // its TLS Channel ID. 520 ChannelID *ecdsa.PrivateKey 521 522 // RequestChannelID controls whether the server requests a TLS 523 // Channel ID. If negotiated, the client's public key is 524 // returned in the ConnectionState. 525 RequestChannelID bool 526 527 // PreSharedKey, if not nil, is the pre-shared key to use with 528 // the PSK cipher suites. 529 PreSharedKey []byte 530 531 // PreSharedKeyIdentity, if not empty, is the identity to use 532 // with the PSK cipher suites. 533 PreSharedKeyIdentity string 534 535 // MaxEarlyDataSize controls the maximum number of bytes that the 536 // server will accept in early data and advertise in a 537 // NewSessionTicketMsg. If 0, no early data will be accepted and 538 // the early_data extension in the NewSessionTicketMsg will be omitted. 539 MaxEarlyDataSize uint32 540 541 // SRTPProtectionProfiles, if not nil, is the list of SRTP 542 // protection profiles to offer in DTLS-SRTP. 543 SRTPProtectionProfiles []uint16 544 545 // SignSignatureAlgorithms, if not nil, overrides the default set of 546 // supported signature algorithms to sign with. 547 SignSignatureAlgorithms []signatureAlgorithm 548 549 // VerifySignatureAlgorithms, if not nil, overrides the default set of 550 // supported signature algorithms that are accepted. 551 VerifySignatureAlgorithms []signatureAlgorithm 552 553 // QUICTransportParams, if not empty, will be sent in the QUIC 554 // transport parameters extension. 555 QUICTransportParams []byte 556 557 // QUICTransportParamsUseLegacyCodepoint controls which TLS extension 558 // codepoint is used to convey the QUIC transport parameters. 559 QUICTransportParamsUseLegacyCodepoint QUICUseCodepoint 560 561 CertCompressionAlgs map[uint16]CertCompressionAlg 562 563 // Bugs specifies optional misbehaviour to be used for testing other 564 // implementations. 565 Bugs ProtocolBugs 566 567 serverInitOnce sync.Once // guards calling (*Config).serverInit 568} 569 570type BadValue int 571 572const ( 573 BadValueNone BadValue = iota 574 BadValueNegative 575 BadValueZero 576 BadValueLimit 577 BadValueLarge 578 NumBadValues 579) 580 581type RSABadValue int 582 583const ( 584 RSABadValueNone RSABadValue = iota 585 RSABadValueCorrupt 586 RSABadValueTooLong 587 RSABadValueTooShort 588 RSABadValueWrongVersion1 589 RSABadValueWrongVersion2 590 RSABadValueWrongBlockType 591 RSABadValueWrongLeadingByte 592 RSABadValueNoZero 593 NumRSABadValues 594) 595 596type ProtocolBugs struct { 597 // InvalidSignature specifies that the signature in a ServerKeyExchange 598 // or CertificateVerify message should be invalid. 599 InvalidSignature bool 600 601 // SendCurve, if non-zero, causes the server to send the specified curve 602 // ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather 603 // than the negotiated one. 604 SendCurve CurveID 605 606 // InvalidECDHPoint, if true, causes the ECC points in 607 // ServerKeyExchange or ClientKeyExchange messages to be invalid. 608 InvalidECDHPoint bool 609 610 // BadECDSAR controls ways in which the 'r' value of an ECDSA signature 611 // can be invalid. 612 BadECDSAR BadValue 613 BadECDSAS BadValue 614 615 // MaxPadding causes CBC records to have the maximum possible padding. 616 MaxPadding bool 617 // PaddingFirstByteBad causes the first byte of the padding to be 618 // incorrect. 619 PaddingFirstByteBad bool 620 // PaddingFirstByteBadIf255 causes the first byte of padding to be 621 // incorrect if there's a maximum amount of padding (i.e. 255 bytes). 622 PaddingFirstByteBadIf255 bool 623 624 // FailIfNotFallbackSCSV causes a server handshake to fail if the 625 // client doesn't send the fallback SCSV value. 626 FailIfNotFallbackSCSV bool 627 628 // DuplicateExtension causes an extra empty extension of bogus type to 629 // be emitted in either the ClientHello or the ServerHello. 630 DuplicateExtension bool 631 632 // UnauthenticatedECDH causes the server to pretend ECDHE_RSA 633 // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No 634 // Certificate message is sent and no signature is added to 635 // ServerKeyExchange. 636 UnauthenticatedECDH bool 637 638 // SkipHelloVerifyRequest causes a DTLS server to skip the 639 // HelloVerifyRequest message. 640 SkipHelloVerifyRequest bool 641 642 // SkipCertificateStatus, if true, causes the server to skip the 643 // CertificateStatus message. This is legal because CertificateStatus is 644 // optional, even with a status_request in ServerHello. 645 SkipCertificateStatus bool 646 647 // SkipServerKeyExchange causes the server to skip sending 648 // ServerKeyExchange messages. 649 SkipServerKeyExchange bool 650 651 // SkipNewSessionTicket causes the server to skip sending the 652 // NewSessionTicket message despite promising to in ServerHello. 653 SkipNewSessionTicket bool 654 655 // UseFirstSessionTicket causes the client to cache only the first session 656 // ticket received. 657 UseFirstSessionTicket bool 658 659 // SkipClientCertificate causes the client to skip the Certificate 660 // message. 661 SkipClientCertificate bool 662 663 // SkipChangeCipherSpec causes the implementation to skip 664 // sending the ChangeCipherSpec message (and adjusting cipher 665 // state accordingly for the Finished message). 666 SkipChangeCipherSpec bool 667 668 // SkipFinished causes the implementation to skip sending the Finished 669 // message. 670 SkipFinished bool 671 672 // SkipEndOfEarlyData causes the implementation to skip 673 // end_of_early_data. 674 SkipEndOfEarlyData bool 675 676 // NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the 677 // EndOfEarlyData. 678 NonEmptyEndOfEarlyData bool 679 680 // SkipCertificateVerify, if true causes peer to skip sending a 681 // CertificateVerify message after the Certificate message. 682 SkipCertificateVerify bool 683 684 // EarlyChangeCipherSpec causes the client to send an early 685 // ChangeCipherSpec message before the ClientKeyExchange. A value of 686 // zero disables this behavior. One and two configure variants for 687 // 1.0.1 and 0.9.8 modes, respectively. 688 EarlyChangeCipherSpec int 689 690 // StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake 691 // message in DTLS to be prefaced by stray ChangeCipherSpec record. This 692 // may be used to test DTLS's handling of reordered ChangeCipherSpec. 693 StrayChangeCipherSpec bool 694 695 // ReorderChangeCipherSpec causes the ChangeCipherSpec message to be 696 // sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec, 697 // the cipher change happens at the usual time. 698 ReorderChangeCipherSpec bool 699 700 // FragmentAcrossChangeCipherSpec causes the implementation to fragment 701 // the Finished (or NextProto) message around the ChangeCipherSpec 702 // messages. 703 FragmentAcrossChangeCipherSpec bool 704 705 // SendExtraChangeCipherSpec causes the implementation to send extra 706 // ChangeCipherSpec messages. 707 SendExtraChangeCipherSpec int 708 709 // SendPostHandshakeChangeCipherSpec causes the implementation to send 710 // a ChangeCipherSpec record before every application data record. 711 SendPostHandshakeChangeCipherSpec bool 712 713 // SendUnencryptedFinished, if true, causes the Finished message to be 714 // send unencrypted before ChangeCipherSpec rather than after it. 715 SendUnencryptedFinished bool 716 717 // PartialEncryptedExtensionsWithServerHello, if true, causes the TLS 718 // 1.3 server to send part of EncryptedExtensions unencrypted 719 // in the same record as ServerHello. 720 PartialEncryptedExtensionsWithServerHello bool 721 722 // PartialClientFinishedWithClientHello, if true, causes the TLS 1.2 723 // or TLS 1.3 client to send part of Finished unencrypted in the same 724 // record as ClientHello. 725 PartialClientFinishedWithClientHello bool 726 727 // PartialClientFinishedWithSecondClientHello, if true, causes the 728 // TLS 1.3 client to send part of Finished unencrypted in the same 729 // record as the second ClientHello. 730 PartialClientFinishedWithSecondClientHello bool 731 732 // PartialEndOfEarlyDataWithClientHello, if true, causes the TLS 1.3 733 // client to send part of EndOfEarlyData unencrypted in the same record 734 // as ClientHello. 735 PartialEndOfEarlyDataWithClientHello bool 736 737 // PartialSecondClientHelloAfterFirst, if true, causes the TLS 1.3 client 738 // to send part of the second ClientHello in the same record as the first 739 // one. 740 PartialSecondClientHelloAfterFirst bool 741 742 // PartialClientKeyExchangeWithClientHello, if true, causes the TLS 1.2 743 // client to send part of the ClientKeyExchange in the same record as 744 // the ClientHello. 745 PartialClientKeyExchangeWithClientHello bool 746 747 // PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2 748 // server to send part of the NewSessionTicket in the same record as 749 // ServerHelloDone. 750 PartialNewSessionTicketWithServerHelloDone bool 751 752 // PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2 753 // server to send part of the Finshed in the same record as ServerHelloDone. 754 PartialFinishedWithServerHelloDone bool 755 756 // PartialServerHelloWithHelloRetryRequest, if true, causes the TLS 1.3 757 // server to send part of the ServerHello in the same record as 758 // HelloRetryRequest. 759 PartialServerHelloWithHelloRetryRequest bool 760 761 // TrailingDataWithFinished, if true, causes the record containing the 762 // Finished message to include an extra byte of data at the end. 763 TrailingDataWithFinished bool 764 765 // SendV2ClientHello causes the client to send a V2ClientHello 766 // instead of a normal ClientHello. 767 SendV2ClientHello bool 768 769 // V2ClientHelloChallengeLength is the length of the challenge field to send 770 // in V2ClientHello. 771 V2ClientHelloChallengeLength int 772 773 // SendFallbackSCSV causes the client to include 774 // TLS_FALLBACK_SCSV in the ClientHello. 775 SendFallbackSCSV bool 776 777 // SendRenegotiationSCSV causes the client to include the renegotiation 778 // SCSV in the ClientHello. 779 SendRenegotiationSCSV bool 780 781 // MaxHandshakeRecordLength, if non-zero, is the maximum size of a 782 // handshake record. Handshake messages will be split into multiple 783 // records at the specified size, except that the client_version will 784 // never be fragmented. For DTLS, it is the maximum handshake fragment 785 // size, not record size; DTLS allows multiple handshake fragments in a 786 // single handshake record. See |PackHandshakeFragments|. 787 MaxHandshakeRecordLength int 788 789 // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to 790 // the first 6 bytes of the ClientHello. 791 FragmentClientVersion bool 792 793 // FragmentAlert will cause all alerts to be fragmented across 794 // two records. 795 FragmentAlert bool 796 797 // DoubleAlert will cause all alerts to be sent as two copies packed 798 // within one record. 799 DoubleAlert bool 800 801 // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted 802 // alert to be sent. 803 SendSpuriousAlert alert 804 805 // BadRSAClientKeyExchange causes the client to send a corrupted RSA 806 // ClientKeyExchange which would not pass padding checks. 807 BadRSAClientKeyExchange RSABadValue 808 809 // RenewTicketOnResume causes the server to renew the session ticket and 810 // send a NewSessionTicket message during an abbreviated handshake. 811 RenewTicketOnResume bool 812 813 // SendClientVersion, if non-zero, causes the client to send the 814 // specified value in the ClientHello version field. 815 SendClientVersion uint16 816 817 // OmitSupportedVersions, if true, causes the client to omit the 818 // supported versions extension. 819 OmitSupportedVersions bool 820 821 // SendSupportedVersions, if non-empty, causes the client to send a 822 // supported versions extension with the values from array. 823 SendSupportedVersions []uint16 824 825 // NegotiateVersion, if non-zero, causes the server to negotiate the 826 // specifed wire version rather than the version supported by either 827 // peer. 828 NegotiateVersion uint16 829 830 // NegotiateVersionOnRenego, if non-zero, causes the server to negotiate 831 // the specified wire version on renegotiation rather than retaining it. 832 NegotiateVersionOnRenego uint16 833 834 // ExpectFalseStart causes the server to, on full handshakes, 835 // expect the peer to False Start; the server Finished message 836 // isn't sent until we receive an application data record 837 // from the peer. 838 ExpectFalseStart bool 839 840 // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full 841 // handshakes, send an alert just before reading the application data 842 // record to test False Start. This can be used in a negative False 843 // Start test to determine whether the peer processed the alert (and 844 // closed the connection) before or after sending app data. 845 AlertBeforeFalseStartTest alert 846 847 // ExpectServerName, if not empty, is the hostname the client 848 // must specify in the selected ClientHello's server_name extension. 849 ExpectServerName string 850 851 // ExpectServerName, if not empty, is the hostname the client 852 // must specify in the ClientHelloOuter's server_name extension. 853 ExpectOuterServerName string 854 855 // ExpectClientECH causes the server to require that the client offer ECH. 856 ExpectClientECH bool 857 858 // ExpectNoClientECH causes the server to require that the client not offer ECH. 859 ExpectNoClientECH bool 860 861 // IgnoreECHConfigCipherPreferences, when true, causes the client to ignore 862 // the cipher preferences in the ECHConfig and select the most preferred ECH 863 // cipher suite unconditionally. 864 IgnoreECHConfigCipherPreferences bool 865 866 // ExpectECHRetryConfigs, when non-nil, contains the expected bytes of the 867 // server's retry configs. 868 ExpectECHRetryConfigs []byte 869 870 // SendECHRetryConfigs, if not empty, contains the ECH server's serialized 871 // retry configs. 872 SendECHRetryConfigs []byte 873 874 // AlwaysSendECHRetryConfigs, if true, causes the ECH server to send retry 875 // configs unconditionally, including in the TLS 1.2 ServerHello. 876 AlwaysSendECHRetryConfigs bool 877 878 // AlwaysSendECHHelloRetryRequest, if true, causes the ECH server to send 879 // the ECH HelloRetryRequest extension unconditionally. 880 AlwaysSendECHHelloRetryRequest bool 881 882 // SendInvalidECHInner, if not empty, causes the client to send the 883 // specified byte string after the type field in ClientHelloInner 884 // encrypted_client_hello extension. 885 SendInvalidECHInner []byte 886 887 // OmitECHInner, if true, causes the client to omit the encrypted_client_hello 888 // extension on the ClientHelloInner message. 889 OmitECHInner bool 890 891 // OmitSecondECHInner, if true, causes the client to omit the 892 // encrypted_client_hello extension on the second ClientHelloInner message. 893 OmitSecondECHInner bool 894 895 // OmitServerHelloECHConfirmation, if true, causes the server to omit the 896 // ECH confirmation in the ServerHello. 897 OmitServerHelloECHConfirmation bool 898 899 // AlwaysSendECHInner, if true, causes the client to send an inner 900 // encrypted_client_hello extension on all ClientHello messages. The server 901 // is then expected to unconditionally confirm the extension when 902 // negotiating TLS 1.3 or later. 903 AlwaysSendECHInner bool 904 905 // TruncateClientECHEnc, if true, causes the client to send a shortened 906 // ClientECH.enc value in its encrypted_client_hello extension. 907 TruncateClientECHEnc bool 908 909 // ClientECHPadding is the number of bytes of padding to add to the client 910 // ECH payload. 911 ClientECHPadding int 912 913 // BadClientECHPadding, if true, causes the client ECH padding to contain a 914 // non-zero byte. 915 BadClientECHPadding bool 916 917 // OfferSessionInClientHelloOuter, if true, causes the client to offer 918 // sessions in ClientHelloOuter. 919 OfferSessionInClientHelloOuter bool 920 921 // OnlyCompressSecondClientHelloInner, if true, causes the client to 922 // only apply outer_extensions to the second ClientHello. 923 OnlyCompressSecondClientHelloInner bool 924 925 // OmitSecondEncryptedClientHello, if true, causes the client to omit the 926 // second encrypted_client_hello extension. 927 OmitSecondEncryptedClientHello bool 928 929 // CorruptEncryptedClientHello, if true, causes the client to incorrectly 930 // encrypt the encrypted_client_hello extension. 931 CorruptEncryptedClientHello bool 932 933 // CorruptSecondEncryptedClientHello, if true, causes the client to 934 // incorrectly encrypt the second encrypted_client_hello extension. 935 CorruptSecondEncryptedClientHello bool 936 937 // CorruptSecondEncryptedClientHelloConfigID, if true, causes the client to 938 // incorrectly set the second ClientHello's ECH config ID. 939 CorruptSecondEncryptedClientHelloConfigID bool 940 941 // AllowTLS12InClientHelloInner, if true, causes the client to include 942 // TLS 1.2 and earlier in ClientHelloInner. 943 AllowTLS12InClientHelloInner bool 944 945 // MinimalClientHelloOuter, if true, causes the client to omit most fields 946 // in ClientHelloOuter. Note this will make handshake attempts with the 947 // ClientHelloOuter fail and should only be used in tests that expect 948 // success. 949 MinimalClientHelloOuter bool 950 951 // ExpectECHOuterExtensions is a list of extension IDs which the server 952 // will require to be present in ech_outer_extensions. 953 ExpectECHOuterExtensions []uint16 954 955 // ExpectECHOuterExtensions is a list of extension IDs which the server 956 // will require to be omitted in ech_outer_extensions. 957 ExpectECHUncompressedExtensions []uint16 958 959 // ECHOuterExtensionOrder, if not nil, is an extension order to apply to 960 // ClientHelloOuter, instead of ordering the |ECHOuterExtensions| to match 961 // in both ClientHellos. 962 ECHOuterExtensionOrder []uint16 963 964 // UseInnerSessionWithClientHelloOuter, if true, causes the server to 965 // handshake with ClientHelloOuter, but resume the session from 966 // ClientHelloInner. 967 UseInnerSessionWithClientHelloOuter bool 968 969 // RecordClientHelloInner, when non-nil, is called whenever the client 970 // generates an encrypted ClientHello. The byte strings do not include the 971 // ClientHello header. 972 RecordClientHelloInner func(encodedInner, outer []byte) error 973 974 // SwapNPNAndALPN switches the relative order between NPN and ALPN in 975 // both ClientHello and ServerHello. 976 SwapNPNAndALPN bool 977 978 // ALPNProtocol, if not nil, sets the ALPN protocol that a server will 979 // return. 980 ALPNProtocol *string 981 982 // AlwaysNegotiateApplicationSettings, if true, causes the server to 983 // negotiate ALPS for a protocol even if the client did not support it or 984 // the version is wrong. 985 AlwaysNegotiateApplicationSettings bool 986 987 // SendApplicationSettingsWithEarlyData, if true, causes the client and 988 // server to send the application_settings extension with early data, 989 // rather than letting them implicitly carry over. 990 SendApplicationSettingsWithEarlyData bool 991 992 // AlwaysSendClientEncryptedExtension, if true, causes the client to always 993 // send a, possibly empty, client EncryptedExtensions message. 994 AlwaysSendClientEncryptedExtensions bool 995 996 // OmitClientEncryptedExtensions, if true, causes the client to omit the 997 // client EncryptedExtensions message. 998 OmitClientEncryptedExtensions bool 999 1000 // OmitClientApplicationSettings, if true, causes the client to omit the 1001 // application_settings extension but still send EncryptedExtensions. 1002 OmitClientApplicationSettings bool 1003 1004 // SendExtraClientEncryptedExtension, if true, causes the client to 1005 // include an unsolicited extension in the client EncryptedExtensions 1006 // message. 1007 SendExtraClientEncryptedExtension bool 1008 1009 // AcceptAnySession causes the server to resume sessions regardless of 1010 // the version associated with the session or cipher suite. It also 1011 // causes the server to look in both TLS 1.2 and 1.3 extensions to 1012 // process a ticket. 1013 AcceptAnySession bool 1014 1015 // SendBothTickets, if true, causes the client to send tickets in both 1016 // TLS 1.2 and 1.3 extensions. 1017 SendBothTickets bool 1018 1019 // FilterTicket, if not nil, causes the client to modify a session 1020 // ticket before sending it in a resume handshake. 1021 FilterTicket func([]byte) ([]byte, error) 1022 1023 // TicketSessionIDLength, if non-zero, is the length of the session ID 1024 // to send with a ticket resumption offer. 1025 TicketSessionIDLength int 1026 1027 // EmptyTicketSessionID, if true, causes the client to send an empty 1028 // session ID with a ticket resumption offer. For simplicity, this will 1029 // also cause the client to interpret a ServerHello with empty session 1030 // ID as a resumption. (A client which sends empty session ID is 1031 // normally expected to look ahead for ChangeCipherSpec.) 1032 EmptyTicketSessionID bool 1033 1034 // NewSessionIDLength, if non-zero is the length of the session ID to use 1035 // when issung new sessions. 1036 NewSessionIDLength int 1037 1038 // SendClientHelloSessionID, if not nil, is the session ID sent in the 1039 // ClientHello. 1040 SendClientHelloSessionID []byte 1041 1042 // ExpectClientHelloSessionID, if true, causes the server to fail the 1043 // connection if there is not a session ID in the ClientHello. 1044 ExpectClientHelloSessionID bool 1045 1046 // EchoSessionIDInFullHandshake, if true, causes the server to echo the 1047 // ClientHello session ID, even in TLS 1.2 full handshakes. 1048 EchoSessionIDInFullHandshake bool 1049 1050 // ExpectNoSessionID, if true, causes the server to fail the connection if 1051 // the session ID field is present. 1052 ExpectNoSessionID bool 1053 1054 // ExpectNoTLS12Session, if true, causes the server to fail the 1055 // connection if the server offered a TLS 1.2 session. TLS 1.3 clients 1056 // always offer session IDs for compatibility, so the session ID check 1057 // checks for sessions the server issued. 1058 ExpectNoTLS12Session bool 1059 1060 // ExpectNoTLS13PSK, if true, causes the server to fail the connection 1061 // if a TLS 1.3 PSK is offered. 1062 ExpectNoTLS13PSK bool 1063 1064 // ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection 1065 // if a TLS 1.3 PSK is offered after HRR. 1066 ExpectNoTLS13PSKAfterHRR bool 1067 1068 // RequireExtendedMasterSecret, if true, requires that the peer support 1069 // the extended master secret option. 1070 RequireExtendedMasterSecret bool 1071 1072 // NoExtendedMasterSecret causes the client and server to behave as if 1073 // they didn't support an extended master secret in the initial 1074 // handshake. 1075 NoExtendedMasterSecret bool 1076 1077 // NoExtendedMasterSecretOnRenegotiation causes the client and server to 1078 // behave as if they didn't support an extended master secret in 1079 // renegotiation handshakes. 1080 NoExtendedMasterSecretOnRenegotiation bool 1081 1082 // EmptyRenegotiationInfo causes the renegotiation extension to be 1083 // empty in a renegotiation handshake. 1084 EmptyRenegotiationInfo bool 1085 1086 // BadRenegotiationInfo causes the renegotiation extension value in a 1087 // renegotiation handshake to be incorrect at the start. 1088 BadRenegotiationInfo bool 1089 1090 // BadRenegotiationInfoEnd causes the renegotiation extension value in 1091 // a renegotiation handshake to be incorrect at the end. 1092 BadRenegotiationInfoEnd bool 1093 1094 // NoRenegotiationInfo disables renegotiation info support in all 1095 // handshakes. 1096 NoRenegotiationInfo bool 1097 1098 // NoRenegotiationInfoInInitial disables renegotiation info support in 1099 // the initial handshake. 1100 NoRenegotiationInfoInInitial bool 1101 1102 // NoRenegotiationInfoAfterInitial disables renegotiation info support 1103 // in renegotiation handshakes. 1104 NoRenegotiationInfoAfterInitial bool 1105 1106 // RequireRenegotiationInfo, if true, causes the client to return an 1107 // error if the server doesn't reply with the renegotiation extension. 1108 RequireRenegotiationInfo bool 1109 1110 // SequenceNumberMapping, if non-nil, is the mapping function to apply 1111 // to the sequence number of outgoing packets. For both TLS and DTLS, 1112 // the two most-significant bytes in the resulting sequence number are 1113 // ignored so that the DTLS epoch cannot be changed. 1114 SequenceNumberMapping func(uint64) uint64 1115 1116 // RSAEphemeralKey, if true, causes the server to send a 1117 // ServerKeyExchange message containing an ephemeral key (as in 1118 // RSA_EXPORT) in the plain RSA key exchange. 1119 RSAEphemeralKey bool 1120 1121 // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the 1122 // client offers when negotiating SRTP. MKI support is still missing so 1123 // the peer must still send none. 1124 SRTPMasterKeyIdentifer string 1125 1126 // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the 1127 // server sends in the ServerHello instead of the negotiated one. 1128 SendSRTPProtectionProfile uint16 1129 1130 // NoSignatureAlgorithms, if true, causes the client to omit the 1131 // signature and hashes extension. 1132 // 1133 // For a server, it will cause an empty list to be sent in the 1134 // CertificateRequest message. None the less, the configured set will 1135 // still be enforced. 1136 NoSignatureAlgorithms bool 1137 1138 // NoSupportedCurves, if true, causes the client to omit the 1139 // supported_curves extension. 1140 NoSupportedCurves bool 1141 1142 // RequireSameRenegoClientVersion, if true, causes the server 1143 // to require that all ClientHellos match in offered version 1144 // across a renego. 1145 RequireSameRenegoClientVersion bool 1146 1147 // ExpectInitialRecordVersion, if non-zero, is the expected value of 1148 // record-layer version field before the protocol version is determined. 1149 ExpectInitialRecordVersion uint16 1150 1151 // SendRecordVersion, if non-zero, is the value to send as the 1152 // record-layer version. 1153 SendRecordVersion uint16 1154 1155 // SendInitialRecordVersion, if non-zero, is the value to send as the 1156 // record-layer version before the protocol version is determined. 1157 SendInitialRecordVersion uint16 1158 1159 // MaxPacketLength, if non-zero, is the maximum acceptable size for a 1160 // packet. 1161 MaxPacketLength int 1162 1163 // SendCipherSuite, if non-zero, is the cipher suite value that the 1164 // server will send in the ServerHello. This does not affect the cipher 1165 // the server believes it has actually negotiated. 1166 SendCipherSuite uint16 1167 1168 // SendCipherSuites, if not nil, is the cipher suite list that the 1169 // client will send in the ClientHello. This does not affect the cipher 1170 // the client believes it has actually offered. 1171 SendCipherSuites []uint16 1172 1173 // AppDataBeforeHandshake, if not nil, causes application data to be 1174 // sent immediately before the first handshake message. 1175 AppDataBeforeHandshake []byte 1176 1177 // AppDataAfterChangeCipherSpec, if not nil, causes application data to 1178 // be sent immediately after ChangeCipherSpec. 1179 AppDataAfterChangeCipherSpec []byte 1180 1181 // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent 1182 // immediately after ChangeCipherSpec. 1183 AlertAfterChangeCipherSpec alert 1184 1185 // TimeoutSchedule is the schedule of packet drops and simulated 1186 // timeouts for before each handshake leg from the peer. 1187 TimeoutSchedule []time.Duration 1188 1189 // PacketAdaptor is the packetAdaptor to use to simulate timeouts. 1190 PacketAdaptor *packetAdaptor 1191 1192 // MockQUICTransport is the mockQUICTransport used when testing 1193 // QUIC interfaces. 1194 MockQUICTransport *mockQUICTransport 1195 1196 // ReorderHandshakeFragments, if true, causes handshake fragments in 1197 // DTLS to overlap and be sent in the wrong order. It also causes 1198 // pre-CCS flights to be sent twice. (Post-CCS flights consist of 1199 // Finished and will trigger a spurious retransmit.) 1200 ReorderHandshakeFragments bool 1201 1202 // ReverseHandshakeFragments, if true, causes handshake fragments in 1203 // DTLS to be reversed within a flight. 1204 ReverseHandshakeFragments bool 1205 1206 // MixCompleteMessageWithFragments, if true, causes handshake 1207 // messages in DTLS to redundantly both fragment the message 1208 // and include a copy of the full one. 1209 MixCompleteMessageWithFragments bool 1210 1211 // RetransmitFinished, if true, causes the DTLS Finished message to be 1212 // sent twice. 1213 RetransmitFinished bool 1214 1215 // SendInvalidRecordType, if true, causes a record with an invalid 1216 // content type to be sent immediately following the handshake. 1217 SendInvalidRecordType bool 1218 1219 // SendWrongMessageType, if non-zero, causes messages of the specified 1220 // type to be sent with the wrong value. 1221 SendWrongMessageType byte 1222 1223 // SendTrailingMessageData, if non-zero, causes messages of the 1224 // specified type to be sent with trailing data. 1225 SendTrailingMessageData byte 1226 1227 // FragmentMessageTypeMismatch, if true, causes all non-initial 1228 // handshake fragments in DTLS to have the wrong message type. 1229 FragmentMessageTypeMismatch bool 1230 1231 // FragmentMessageLengthMismatch, if true, causes all non-initial 1232 // handshake fragments in DTLS to have the wrong message length. 1233 FragmentMessageLengthMismatch bool 1234 1235 // SplitFragments, if non-zero, causes the handshake fragments in DTLS 1236 // to be split across two records. The value of |SplitFragments| is the 1237 // number of bytes in the first fragment. 1238 SplitFragments int 1239 1240 // SendEmptyFragments, if true, causes handshakes to include empty 1241 // fragments in DTLS. 1242 SendEmptyFragments bool 1243 1244 // SendSplitAlert, if true, causes an alert to be sent with the header 1245 // and record body split across multiple packets. The peer should 1246 // discard these packets rather than process it. 1247 SendSplitAlert bool 1248 1249 // FailIfResumeOnRenego, if true, causes renegotiations to fail if the 1250 // client offers a resumption or the server accepts one. 1251 FailIfResumeOnRenego bool 1252 1253 // IgnorePeerCipherPreferences, if true, causes the peer's cipher 1254 // preferences to be ignored. 1255 IgnorePeerCipherPreferences bool 1256 1257 // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's 1258 // signature algorithm preferences to be ignored. 1259 IgnorePeerSignatureAlgorithmPreferences bool 1260 1261 // IgnorePeerCurvePreferences, if true, causes the peer's curve 1262 // preferences to be ignored. 1263 IgnorePeerCurvePreferences bool 1264 1265 // BadFinished, if true, causes the Finished hash to be broken. 1266 BadFinished bool 1267 1268 // PackHandshakeFragments, if true, causes handshake fragments in DTLS 1269 // to be packed into individual handshake records, up to the specified 1270 // record size. 1271 PackHandshakeFragments int 1272 1273 // PackHandshakeRecords, if non-zero, causes handshake and 1274 // ChangeCipherSpec records in DTLS to be packed into individual 1275 // packets, up to the specified packet size. 1276 PackHandshakeRecords int 1277 1278 // PackAppDataWithHandshake, if true, extends PackHandshakeRecords to 1279 // additionally include the first application data record sent after the 1280 // final Finished message in a handshake. (If the final Finished message 1281 // is sent by the peer, this option has no effect.) This requires that 1282 // the runner rather than shim speak first in a given test. 1283 PackAppDataWithHandshake bool 1284 1285 // SplitAndPackAppData, if true, causes application data in DTLS to be 1286 // split into two records each and packed into one packet. 1287 SplitAndPackAppData bool 1288 1289 // PackHandshakeFlight, if true, causes each handshake flight in TLS to 1290 // be packed into records, up to the largest size record available. 1291 PackHandshakeFlight bool 1292 1293 // AdvertiseAllConfiguredCiphers, if true, causes the client to 1294 // advertise all configured cipher suite values. 1295 AdvertiseAllConfiguredCiphers bool 1296 1297 // EmptyCertificateList, if true, causes the server to send an empty 1298 // certificate list in the Certificate message. 1299 EmptyCertificateList bool 1300 1301 // ExpectNewTicket, if true, causes the client to abort if it does not 1302 // receive a new ticket. 1303 ExpectNewTicket bool 1304 1305 // RequireClientHelloSize, if not zero, is the required length in bytes 1306 // of the ClientHello /record/. This is checked by the server. 1307 RequireClientHelloSize int 1308 1309 // CustomExtension, if not empty, contains the contents of an extension 1310 // that will be added to client/server hellos. 1311 CustomExtension string 1312 1313 // CustomUnencryptedExtension, if not empty, contains the contents of 1314 // an extension that will be added to ServerHello in TLS 1.3. 1315 CustomUnencryptedExtension string 1316 1317 // ExpectedCustomExtension, if not nil, contains the expected contents 1318 // of a custom extension. 1319 ExpectedCustomExtension *string 1320 1321 // CustomTicketExtension, if not empty, contains the contents of an 1322 // extension what will be added to NewSessionTicket in TLS 1.3. 1323 CustomTicketExtension string 1324 1325 // CustomTicketExtension, if not empty, contains the contents of an 1326 // extension what will be added to HelloRetryRequest in TLS 1.3. 1327 CustomHelloRetryRequestExtension string 1328 1329 // NoCloseNotify, if true, causes the close_notify alert to be skipped 1330 // on connection shutdown. 1331 NoCloseNotify bool 1332 1333 // SendAlertOnShutdown, if non-zero, is the alert to send instead of 1334 // close_notify on shutdown. 1335 SendAlertOnShutdown alert 1336 1337 // ExpectCloseNotify, if true, requires a close_notify from the peer on 1338 // shutdown. Records from the peer received after close_notify is sent 1339 // are not discard. 1340 ExpectCloseNotify bool 1341 1342 // SendLargeRecords, if true, allows outgoing records to be sent 1343 // arbitrarily large. 1344 SendLargeRecords bool 1345 1346 // NegotiateALPNAndNPN, if true, causes the server to negotiate both 1347 // ALPN and NPN in the same connetion. 1348 NegotiateALPNAndNPN bool 1349 1350 // SendALPN, if non-empty, causes the server to send the specified 1351 // string in the ALPN extension regardless of the content or presence of 1352 // the client offer. 1353 SendALPN string 1354 1355 // SendUnencryptedALPN, if non-empty, causes the server to send the 1356 // specified string in a ServerHello ALPN extension in TLS 1.3. 1357 SendUnencryptedALPN string 1358 1359 // SendEmptySessionTicket, if true, causes the server to send an empty 1360 // session ticket. 1361 SendEmptySessionTicket bool 1362 1363 // SendPSKKeyExchangeModes, if not nil, determines the PSK key exchange 1364 // modes to send. If a non-nil empty slice, no extension will be sent. 1365 SendPSKKeyExchangeModes []byte 1366 1367 // ExpectNoNewSessionTicket, if present, means that the client will fail upon 1368 // receipt of a NewSessionTicket message. 1369 ExpectNoNewSessionTicket bool 1370 1371 // DuplicateTicketEarlyData causes an extra empty extension of early_data to 1372 // be sent in NewSessionTicket. 1373 DuplicateTicketEarlyData bool 1374 1375 // ExpectTicketEarlyData, if true, means that the client will fail upon 1376 // absence of the early_data extension. 1377 ExpectTicketEarlyData bool 1378 1379 // ExpectTicketAge, if non-zero, is the expected age of the ticket that the 1380 // server receives from the client. 1381 ExpectTicketAge time.Duration 1382 1383 // SendTicketAge, if non-zero, is the ticket age to be sent by the 1384 // client. 1385 SendTicketAge time.Duration 1386 1387 // SendHelloRequestBeforeEveryAppDataRecord, if true, causes a 1388 // HelloRequest handshake message to be sent before each application 1389 // data record. This only makes sense for a server. 1390 SendHelloRequestBeforeEveryAppDataRecord bool 1391 1392 // SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a 1393 // HelloRequest handshake message to be sent before each handshake 1394 // message. This only makes sense for a server. 1395 SendHelloRequestBeforeEveryHandshakeMessage bool 1396 1397 // BadChangeCipherSpec, if not nil, is the body to be sent in 1398 // ChangeCipherSpec records instead of {1}. 1399 BadChangeCipherSpec []byte 1400 1401 // BadHelloRequest, if not nil, is what to send instead of a 1402 // HelloRequest. 1403 BadHelloRequest []byte 1404 1405 // RequireSessionTickets, if true, causes the client to require new 1406 // sessions use session tickets instead of session IDs. 1407 RequireSessionTickets bool 1408 1409 // RequireSessionIDs, if true, causes the client to require new sessions use 1410 // session IDs instead of session tickets. 1411 RequireSessionIDs bool 1412 1413 // NullAllCiphers, if true, causes every cipher to behave like the null 1414 // cipher. 1415 NullAllCiphers bool 1416 1417 // SendSCTListOnResume, if not nil, causes the server to send the 1418 // supplied SCT list in resumption handshakes. 1419 SendSCTListOnResume []byte 1420 1421 // SendSCTListOnRenegotiation, if not nil, causes the server to send the 1422 // supplied SCT list on renegotiation. 1423 SendSCTListOnRenegotiation []byte 1424 1425 // SendOCSPResponseOnResume, if not nil, causes the server to advertise 1426 // OCSP stapling in resumption handshakes and, if applicable, send the 1427 // supplied stapled response. 1428 SendOCSPResponseOnResume []byte 1429 1430 // SendOCSPResponseOnResume, if not nil, causes the server to send the 1431 // supplied OCSP response on renegotiation. 1432 SendOCSPResponseOnRenegotiation []byte 1433 1434 // SendExtensionOnCertificate, if not nil, causes the runner to send the 1435 // supplied bytes in the extensions on the Certificate message. 1436 SendExtensionOnCertificate []byte 1437 1438 // SendOCSPOnIntermediates, if not nil, causes the server to send the 1439 // supplied OCSP on intermediate certificates in the Certificate message. 1440 SendOCSPOnIntermediates []byte 1441 1442 // SendSCTOnIntermediates, if not nil, causes the server to send the 1443 // supplied SCT on intermediate certificates in the Certificate message. 1444 SendSCTOnIntermediates []byte 1445 1446 // SendDuplicateCertExtensions, if true, causes the server to send an extra 1447 // copy of the OCSP/SCT extensions in the Certificate message. 1448 SendDuplicateCertExtensions bool 1449 1450 // ExpectNoExtensionsOnIntermediate, if true, causes the client to 1451 // reject extensions on intermediate certificates. 1452 ExpectNoExtensionsOnIntermediate bool 1453 1454 // RecordPadding is the number of bytes of padding to add to each 1455 // encrypted record in TLS 1.3. 1456 RecordPadding int 1457 1458 // OmitRecordContents, if true, causes encrypted records in TLS 1.3 to 1459 // be missing their body and content type. Padding, if configured, is 1460 // still added. 1461 OmitRecordContents bool 1462 1463 // OuterRecordType, if non-zero, is the outer record type to use instead 1464 // of application data. 1465 OuterRecordType recordType 1466 1467 // SendSignatureAlgorithm, if non-zero, causes all signatures to be sent 1468 // with the given signature algorithm rather than the one negotiated. 1469 SendSignatureAlgorithm signatureAlgorithm 1470 1471 // SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be 1472 // skipped. 1473 SkipECDSACurveCheck bool 1474 1475 // IgnoreSignatureVersionChecks, if true, causes all signature 1476 // algorithms to be enabled at all TLS versions. 1477 IgnoreSignatureVersionChecks bool 1478 1479 // NegotiateRenegotiationInfoAtAllVersions, if true, causes 1480 // Renegotiation Info to be negotiated at all versions. 1481 NegotiateRenegotiationInfoAtAllVersions bool 1482 1483 // NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at 1484 // all versions. 1485 NegotiateNPNAtAllVersions bool 1486 1487 // NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at 1488 // all versions. 1489 NegotiateEMSAtAllVersions bool 1490 1491 // AdvertiseTicketExtension, if true, causes the ticket extension to be 1492 // advertised in server extensions 1493 AdvertiseTicketExtension bool 1494 1495 // NegotiatePSKResumption, if true, causes the server to attempt pure PSK 1496 // resumption. 1497 NegotiatePSKResumption bool 1498 1499 // AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to 1500 // always acknowledge a session, regardless of one was offered. 1501 AlwaysSelectPSKIdentity bool 1502 1503 // SelectPSKIdentityOnResume, if non-zero, causes the server to select 1504 // the specified PSK identity index rather than the actual value. 1505 SelectPSKIdentityOnResume uint16 1506 1507 // ExtraPSKIdentity, if true, causes the client to send an extra PSK 1508 // identity. 1509 ExtraPSKIdentity bool 1510 1511 // MissingKeyShare, if true, causes the TLS 1.3 implementation to skip 1512 // sending a key_share extension and use the zero ECDHE secret 1513 // instead. 1514 MissingKeyShare bool 1515 1516 // SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3 1517 // ClientHello to skip sending a key_share extension and use the zero 1518 // ECDHE secret instead. 1519 SecondClientHelloMissingKeyShare bool 1520 1521 // MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3 1522 // client to pretend the server requested a HelloRetryRequest with the 1523 // given curve rather than the actual one. 1524 MisinterpretHelloRetryRequestCurve CurveID 1525 1526 // DuplicateKeyShares, if true, causes the TLS 1.3 client to send two 1527 // copies of each KeyShareEntry. 1528 DuplicateKeyShares bool 1529 1530 // SendEarlyAlert, if true, sends a fatal alert after the ClientHello. 1531 SendEarlyAlert bool 1532 1533 // SendFakeEarlyDataLength, if non-zero, is the amount of early data to 1534 // send after the ClientHello. 1535 SendFakeEarlyDataLength int 1536 1537 // SendStrayEarlyHandshake, if non-zero, causes the client to send a stray 1538 // handshake record before sending end of early data. 1539 SendStrayEarlyHandshake bool 1540 1541 // OmitEarlyDataExtension, if true, causes the early data extension to 1542 // be omitted in the ClientHello. 1543 OmitEarlyDataExtension bool 1544 1545 // SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to 1546 // send early data after the second ClientHello. 1547 SendEarlyDataOnSecondClientHello bool 1548 1549 // InterleaveEarlyData, if true, causes the TLS 1.3 client to send early 1550 // data interleaved with the second ClientHello and the client Finished. 1551 InterleaveEarlyData bool 1552 1553 // SendEarlyData causes a TLS 1.3 client to send the provided data 1554 // in application data records immediately after the ClientHello, 1555 // provided that the client offers a TLS 1.3 session. It will do this 1556 // whether or not the server advertised early data for the ticket. 1557 SendEarlyData [][]byte 1558 1559 // ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data 1560 // was accepted by the server. 1561 ExpectEarlyDataAccepted bool 1562 1563 // AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data 1564 // regardless of ALPN mismatch. 1565 AlwaysAcceptEarlyData bool 1566 1567 // AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data. 1568 AlwaysRejectEarlyData bool 1569 1570 // SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the 1571 // early_data extension in EncryptedExtensions, independent of whether 1572 // it was accepted. 1573 SendEarlyDataExtension bool 1574 1575 // ExpectEarlyData causes a TLS 1.3 server to read application 1576 // data after the ClientHello (assuming the server is able to 1577 // derive the key under which the data is encrypted) before it 1578 // sends a ServerHello. It checks that the application data it 1579 // reads matches what is provided in ExpectEarlyData and errors if 1580 // the number of records or their content do not match. 1581 ExpectEarlyData [][]byte 1582 1583 // ExpectLateEarlyData causes a TLS 1.3 server to read application 1584 // data after the ServerFinished (assuming the server is able to 1585 // derive the key under which the data is encrypted) before it 1586 // sends the ClientFinished. It checks that the application data it 1587 // reads matches what is provided in ExpectLateEarlyData and errors if 1588 // the number of records or their content do not match. 1589 ExpectLateEarlyData [][]byte 1590 1591 // SendHalfRTTData causes a TLS 1.3 server to send the provided 1592 // data in application data records before reading the client's 1593 // Finished message. 1594 SendHalfRTTData [][]byte 1595 1596 // ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to 1597 // read application data after reading the server's Finished message and 1598 // before sending any subsequent handshake messages. It checks that the 1599 // application data it reads matches what is provided in 1600 // ExpectHalfRTTData and errors if the number of records or their 1601 // content do not match. 1602 ExpectHalfRTTData [][]byte 1603 1604 // EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to 1605 // emit an empty EncryptedExtensions block. 1606 EmptyEncryptedExtensions bool 1607 1608 // EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to 1609 // include the KeyShare extension in the EncryptedExtensions block. 1610 EncryptedExtensionsWithKeyShare bool 1611 1612 // AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to 1613 // be sent by the server, even if empty. 1614 AlwaysSendHelloRetryRequest bool 1615 1616 // SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send 1617 // two HelloRetryRequests instead of one. 1618 SecondHelloRetryRequest bool 1619 1620 // SendHelloRetryRequestCurve, if non-zero, causes the server to send 1621 // the specified curve in a HelloRetryRequest. 1622 SendHelloRetryRequestCurve CurveID 1623 1624 // SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send 1625 // the specified cipher suite in a HelloRetryRequest. 1626 SendHelloRetryRequestCipherSuite uint16 1627 1628 // SendHelloRetryRequestCookie, if not nil, contains a cookie to be 1629 // sent by the server in HelloRetryRequest. 1630 SendHelloRetryRequestCookie []byte 1631 1632 // DuplicateHelloRetryRequestExtensions, if true, causes all 1633 // HelloRetryRequest extensions to be sent twice. 1634 DuplicateHelloRetryRequestExtensions bool 1635 1636 // SendServerHelloVersion, if non-zero, causes the server to send the 1637 // specified value in ServerHello version field. 1638 SendServerHelloVersion uint16 1639 1640 // SendServerSupportedVersionExtension, if non-zero, causes the server to send 1641 // the specified value in supported_versions extension in the ServerHello (but 1642 // not the HelloRetryRequest). 1643 SendServerSupportedVersionExtension uint16 1644 1645 // OmitServerSupportedVersionExtension, if true, causes the server to 1646 // omit the supported_versions extension in the ServerHello (but not the 1647 // HelloRetryRequest) 1648 OmitServerSupportedVersionExtension bool 1649 1650 // SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send 1651 // HelloRetryRequest. 1652 SkipHelloRetryRequest bool 1653 1654 // PackHelloRequestWithFinished, if true, causes the TLS server to send 1655 // HelloRequest in the same record as Finished. 1656 PackHelloRequestWithFinished bool 1657 1658 // ExpectMissingKeyShare, if true, causes the TLS server to fail the 1659 // connection if the selected curve appears in the client's initial 1660 // ClientHello. That is, it requires that a HelloRetryRequest be sent. 1661 ExpectMissingKeyShare bool 1662 1663 // SendExtraFinished, if true, causes an extra Finished message to be 1664 // sent. 1665 SendExtraFinished bool 1666 1667 // SendRequestContext, if not empty, is the request context to send in 1668 // a TLS 1.3 CertificateRequest. 1669 SendRequestContext []byte 1670 1671 // OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm 1672 // extension in a TLS 1.3 CertificateRequest. 1673 OmitCertificateRequestAlgorithms bool 1674 1675 // SendCustomCertificateRequest, if non-zero, send an additional custom 1676 // extension in a TLS 1.3 CertificateRequest. 1677 SendCustomCertificateRequest uint16 1678 1679 // SendSNIWarningAlert, if true, causes the server to send an 1680 // unrecognized_name alert before the ServerHello. 1681 SendSNIWarningAlert bool 1682 1683 // SendCompressionMethods, if not nil, is the compression method list to 1684 // send in the ClientHello. 1685 SendCompressionMethods []byte 1686 1687 // SendCompressionMethod is the compression method to send in the 1688 // ServerHello. 1689 SendCompressionMethod byte 1690 1691 // AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to 1692 // always send a ServerKeyExchange for PSK ciphers, even if the identity 1693 // hint is empty. 1694 AlwaysSendPreSharedKeyIdentityHint bool 1695 1696 // TrailingKeyShareData, if true, causes the client key share list to 1697 // include a trailing byte. 1698 TrailingKeyShareData bool 1699 1700 // InvalidChannelIDSignature, if true, causes the client to generate an 1701 // invalid Channel ID signature. 1702 InvalidChannelIDSignature bool 1703 1704 // AlwaysNegotiateChannelID, if true, causes the server to negotiate Channel 1705 // ID, even whenn the client does not offer it. 1706 AlwaysNegotiateChannelID bool 1707 1708 // ExpectGREASE, if true, causes messages without GREASE values to be 1709 // rejected. See RFC 8701. 1710 ExpectGREASE bool 1711 1712 // OmitPSKsOnSecondClientHello, if true, causes the client to omit the 1713 // PSK extension on the second ClientHello. 1714 OmitPSKsOnSecondClientHello bool 1715 1716 // OnlyCorruptSecondPSKBinder, if true, causes the options below to 1717 // only apply to the second PSK binder. 1718 OnlyCorruptSecondPSKBinder bool 1719 1720 // SendShortPSKBinder, if true, causes the client to send a PSK binder 1721 // that is one byte shorter than it should be. 1722 SendShortPSKBinder bool 1723 1724 // SendInvalidPSKBinder, if true, causes the client to send an invalid 1725 // PSK binder. 1726 SendInvalidPSKBinder bool 1727 1728 // SendNoPSKBinder, if true, causes the client to send no PSK binders. 1729 SendNoPSKBinder bool 1730 1731 // SendExtraPSKBinder, if true, causes the client to send an extra PSK 1732 // binder. 1733 SendExtraPSKBinder bool 1734 1735 // PSKBinderFirst, if true, causes the client to send the PSK Binder 1736 // extension as the first extension instead of the last extension. 1737 PSKBinderFirst bool 1738 1739 // NoOCSPStapling, if true, causes the client to not request OCSP 1740 // stapling. 1741 NoOCSPStapling bool 1742 1743 // NoSignedCertificateTimestamps, if true, causes the client to not 1744 // request signed certificate timestamps. 1745 NoSignedCertificateTimestamps bool 1746 1747 // SendSupportedPointFormats, if not nil, is the list of supported point 1748 // formats to send in ClientHello or ServerHello. If set to a non-nil 1749 // empty slice, no extension will be sent. 1750 SendSupportedPointFormats []byte 1751 1752 // SendServerSupportedCurves, if true, causes the server to send its 1753 // supported curves list in the ServerHello (TLS 1.2) or 1754 // EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and 1755 // valid in TLS 1.3. 1756 SendServerSupportedCurves bool 1757 1758 // MaxReceivePlaintext, if non-zero, is the maximum plaintext record 1759 // length accepted from the peer. 1760 MaxReceivePlaintext int 1761 1762 // ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally 1763 // pack their encrypted handshake messages, fitting at most the 1764 // specified number of plaintext bytes per record. 1765 ExpectPackedEncryptedHandshake int 1766 1767 // SendTicketLifetime, if non-zero, is the ticket lifetime to send in 1768 // NewSessionTicket messages. 1769 SendTicketLifetime time.Duration 1770 1771 // SendServerNameAck, if true, causes the server to acknowledge the SNI 1772 // extension. 1773 SendServerNameAck bool 1774 1775 // ExpectCertificateReqNames, if not nil, contains the list of X.509 1776 // names that must be sent in a CertificateRequest from the server. 1777 ExpectCertificateReqNames [][]byte 1778 1779 // RenegotiationCertificate, if not nil, is the certificate to use on 1780 // renegotiation handshakes. 1781 RenegotiationCertificate *Certificate 1782 1783 // ExpectNoCertificateAuthoritiesExtension, if true, causes the client to 1784 // reject CertificateRequest with the CertificateAuthorities extension. 1785 ExpectNoCertificateAuthoritiesExtension bool 1786 1787 // UseLegacySigningAlgorithm, if non-zero, is the signature algorithm 1788 // to use when signing in TLS 1.1 and earlier where algorithms are not 1789 // negotiated. 1790 UseLegacySigningAlgorithm signatureAlgorithm 1791 1792 // RejectUnsolicitedKeyUpdate, if true, causes all unsolicited 1793 // KeyUpdates from the peer to be rejected. 1794 RejectUnsolicitedKeyUpdate bool 1795 1796 // OmitExtensions, if true, causes the extensions field in ClientHello 1797 // and ServerHello messages to be omitted. 1798 OmitExtensions bool 1799 1800 // EmptyExtensions, if true, causes the extensions field in ClientHello 1801 // and ServerHello messages to be present, but empty. 1802 EmptyExtensions bool 1803 1804 // ExpectOmitExtensions, if true, causes the client to reject 1805 // ServerHello messages that do not omit extensions. 1806 ExpectOmitExtensions bool 1807 1808 // ExpectRecordSplitting, if true, causes application records to only be 1809 // accepted if they follow a 1/n-1 record split. 1810 ExpectRecordSplitting bool 1811 1812 // PadClientHello, if non-zero, pads the ClientHello to a multiple of 1813 // that many bytes. 1814 PadClientHello int 1815 1816 // SendTLS13DowngradeRandom, if true, causes the server to send the 1817 // TLS 1.3 anti-downgrade signal. 1818 SendTLS13DowngradeRandom bool 1819 1820 // IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the 1821 // TLS 1.3 anti-downgrade signal. 1822 IgnoreTLS13DowngradeRandom bool 1823 1824 // SendCompressedCoordinates, if true, causes ECDH key shares over NIST 1825 // curves to use compressed coordinates. 1826 SendCompressedCoordinates bool 1827 1828 // SetX25519HighBit, if true, causes X25519 key shares to set their 1829 // high-order bit. 1830 SetX25519HighBit bool 1831 1832 // DuplicateCompressedCertAlgs, if true, causes two, equal, certificate 1833 // compression algorithm IDs to be sent. 1834 DuplicateCompressedCertAlgs bool 1835 1836 // ExpectedCompressedCert specifies the compression algorithm ID that must be 1837 // used on this connection, or zero if there are no special requirements. 1838 ExpectedCompressedCert uint16 1839 1840 // ExpectUncompressedCert, if true, specifies that certificate compression 1841 // should not be used on this connection. 1842 ExpectUncompressedCert bool 1843 1844 // SendCertCompressionAlgID, if not zero, sets the algorithm ID that will be 1845 // sent in the compressed certificate message. 1846 SendCertCompressionAlgID uint16 1847 1848 // SendCertUncompressedLength, if not zero, sets the uncompressed length that 1849 // will be sent in the compressed certificate message. 1850 SendCertUncompressedLength uint32 1851 1852 // SendClientHelloWithFixes, if not nil, sends the specified byte string 1853 // instead of the ClientHello. This string is incorporated into the 1854 // transcript as if it were the real ClientHello, but the handshake will 1855 // otherwise behave as if this was not sent in terms of what ciphers it 1856 // will accept, etc. 1857 // 1858 // The input is modified to match key share entries. DefaultCurves must 1859 // be configured to match. The random and session ID fields are 1860 // extracted from the ClientHello. 1861 SendClientHelloWithFixes []byte 1862 1863 // SendJDK11DowngradeRandom, if true, causes the server to send the JDK 1864 // 11 downgrade signal. 1865 SendJDK11DowngradeRandom bool 1866 1867 // ExpectJDK11DowngradeRandom is whether the client should expect the 1868 // server to send the JDK 11 downgrade signal. 1869 ExpectJDK11DowngradeRandom bool 1870 1871 // FailIfHelloRetryRequested causes a handshake failure if a server requests a 1872 // hello retry. 1873 FailIfHelloRetryRequested bool 1874 1875 // FailedIfCECPQ2Offered will cause a server to reject a ClientHello if CECPQ2 1876 // is supported. 1877 FailIfCECPQ2Offered bool 1878 1879 // ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello 1880 // should have key shares for. 1881 ExpectedKeyShares []CurveID 1882 1883 // ExpectDelegatedCredentials, if true, requires that the handshake present 1884 // delegated credentials. 1885 ExpectDelegatedCredentials bool 1886 1887 // FailIfDelegatedCredentials, if true, causes a handshake failure if the 1888 // server returns delegated credentials. 1889 FailIfDelegatedCredentials bool 1890 1891 // DisableDelegatedCredentials, if true, disables client support for delegated 1892 // credentials. 1893 DisableDelegatedCredentials bool 1894 1895 // CompatModeWithQUIC, if true, enables TLS 1.3 compatibility mode 1896 // when running over QUIC. 1897 CompatModeWithQUIC bool 1898 1899 // EncryptSessionTicketKey, if non-nil, is the ticket key to use when 1900 // encrypting tickets. 1901 EncryptSessionTicketKey *[32]byte 1902} 1903 1904func (c *Config) serverInit() { 1905 if c.SessionTicketsDisabled { 1906 return 1907 } 1908 1909 // If the key has already been set then we have nothing to do. 1910 for _, b := range c.SessionTicketKey { 1911 if b != 0 { 1912 return 1913 } 1914 } 1915 1916 if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { 1917 c.SessionTicketsDisabled = true 1918 } 1919} 1920 1921func (c *Config) rand() io.Reader { 1922 r := c.Rand 1923 if r == nil { 1924 return rand.Reader 1925 } 1926 return r 1927} 1928 1929func (c *Config) time() time.Time { 1930 t := c.Time 1931 if t == nil { 1932 t = time.Now 1933 } 1934 return t() 1935} 1936 1937func (c *Config) cipherSuites() []uint16 { 1938 s := c.CipherSuites 1939 if s == nil { 1940 s = defaultCipherSuites() 1941 } 1942 return s 1943} 1944 1945func (c *Config) minVersion(isDTLS bool) uint16 { 1946 ret := uint16(minVersion) 1947 if c != nil && c.MinVersion != 0 { 1948 ret = c.MinVersion 1949 } 1950 if isDTLS { 1951 // The lowest version of DTLS is 1.0. There is no DSSL 3.0. 1952 if ret < VersionTLS10 { 1953 return VersionTLS10 1954 } 1955 // There is no such thing as DTLS 1.1. 1956 if ret == VersionTLS11 { 1957 return VersionTLS12 1958 } 1959 } 1960 return ret 1961} 1962 1963func (c *Config) maxVersion(isDTLS bool) uint16 { 1964 ret := uint16(maxVersion) 1965 if c != nil && c.MaxVersion != 0 { 1966 ret = c.MaxVersion 1967 } 1968 if isDTLS { 1969 // We only implement up to DTLS 1.2. 1970 if ret > VersionTLS12 { 1971 return VersionTLS12 1972 } 1973 // There is no such thing as DTLS 1.1. 1974 if ret == VersionTLS11 { 1975 return VersionTLS10 1976 } 1977 } 1978 return ret 1979} 1980 1981var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521} 1982 1983func (c *Config) curvePreferences() []CurveID { 1984 if c == nil || len(c.CurvePreferences) == 0 { 1985 return defaultCurvePreferences 1986 } 1987 return c.CurvePreferences 1988} 1989 1990func (c *Config) defaultCurves() map[CurveID]bool { 1991 defaultCurves := make(map[CurveID]bool) 1992 curves := c.DefaultCurves 1993 if c == nil || c.DefaultCurves == nil { 1994 curves = c.curvePreferences() 1995 } 1996 for _, curveID := range curves { 1997 defaultCurves[curveID] = true 1998 } 1999 return defaultCurves 2000} 2001 2002var defaultECHCipherSuitePreferences = []HPKECipherSuite{ 2003 {KDF: hpke.HKDFSHA256, AEAD: hpke.AES128GCM}, 2004 {KDF: hpke.HKDFSHA256, AEAD: hpke.AES256GCM}, 2005 {KDF: hpke.HKDFSHA256, AEAD: hpke.ChaCha20Poly1305}, 2006} 2007 2008func (c *Config) echCipherSuitePreferences() []HPKECipherSuite { 2009 if c == nil || len(c.ECHCipherSuites) == 0 { 2010 return defaultECHCipherSuitePreferences 2011 } 2012 return c.ECHCipherSuites 2013} 2014 2015func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { 2016 if isDTLS { 2017 switch vers { 2018 case VersionDTLS12: 2019 return VersionTLS12, true 2020 case VersionDTLS10: 2021 return VersionTLS10, true 2022 } 2023 } else { 2024 switch vers { 2025 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13: 2026 return vers, true 2027 } 2028 } 2029 2030 return 0, false 2031} 2032 2033// isSupportedVersion checks if the specified wire version is acceptable. If so, 2034// it returns true and the corresponding protocol version. Otherwise, it returns 2035// false. 2036func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { 2037 vers, ok := wireToVersion(wireVers, isDTLS) 2038 if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { 2039 return 0, false 2040 } 2041 return vers, true 2042} 2043 2044func (c *Config) supportedVersions(isDTLS, requireTLS13 bool) []uint16 { 2045 versions := allTLSWireVersions 2046 if isDTLS { 2047 versions = allDTLSWireVersions 2048 } 2049 var ret []uint16 2050 for _, wireVers := range versions { 2051 vers, ok := c.isSupportedVersion(wireVers, isDTLS) 2052 if !ok { 2053 continue 2054 } 2055 if requireTLS13 && vers < VersionTLS13 { 2056 continue 2057 } 2058 ret = append(ret, wireVers) 2059 } 2060 return ret 2061} 2062 2063// getCertificateForName returns the best certificate for the given name, 2064// defaulting to the first element of c.Certificates if there are no good 2065// options. 2066func (c *Config) getCertificateForName(name string) *Certificate { 2067 if len(c.Certificates) == 1 || c.NameToCertificate == nil { 2068 // There's only one choice, so no point doing any work. 2069 return &c.Certificates[0] 2070 } 2071 2072 name = strings.ToLower(name) 2073 for len(name) > 0 && name[len(name)-1] == '.' { 2074 name = name[:len(name)-1] 2075 } 2076 2077 if cert, ok := c.NameToCertificate[name]; ok { 2078 return cert 2079 } 2080 2081 // try replacing labels in the name with wildcards until we get a 2082 // match. 2083 labels := strings.Split(name, ".") 2084 for i := range labels { 2085 labels[i] = "*" 2086 candidate := strings.Join(labels, ".") 2087 if cert, ok := c.NameToCertificate[candidate]; ok { 2088 return cert 2089 } 2090 } 2091 2092 // If nothing matches, return the first certificate. 2093 return &c.Certificates[0] 2094} 2095 2096func (c *Config) signSignatureAlgorithms() []signatureAlgorithm { 2097 if c != nil && c.SignSignatureAlgorithms != nil { 2098 return c.SignSignatureAlgorithms 2099 } 2100 return supportedSignatureAlgorithms 2101} 2102 2103func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm { 2104 if c != nil && c.VerifySignatureAlgorithms != nil { 2105 return c.VerifySignatureAlgorithms 2106 } 2107 return supportedSignatureAlgorithms 2108} 2109 2110// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate 2111// from the CommonName and SubjectAlternateName fields of each of the leaf 2112// certificates. 2113func (c *Config) BuildNameToCertificate() { 2114 c.NameToCertificate = make(map[string]*Certificate) 2115 for i := range c.Certificates { 2116 cert := &c.Certificates[i] 2117 x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) 2118 if err != nil { 2119 continue 2120 } 2121 if len(x509Cert.Subject.CommonName) > 0 { 2122 c.NameToCertificate[x509Cert.Subject.CommonName] = cert 2123 } 2124 for _, san := range x509Cert.DNSNames { 2125 c.NameToCertificate[san] = cert 2126 } 2127 } 2128} 2129 2130// A Certificate is a chain of one or more certificates, leaf first. 2131type Certificate struct { 2132 Certificate [][]byte 2133 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey 2134 // OCSPStaple contains an optional OCSP response which will be served 2135 // to clients that request it. 2136 OCSPStaple []byte 2137 // SignedCertificateTimestampList contains an optional encoded 2138 // SignedCertificateTimestampList structure which will be 2139 // served to clients that request it. 2140 SignedCertificateTimestampList []byte 2141 // Leaf is the parsed form of the leaf certificate, which may be 2142 // initialized using x509.ParseCertificate to reduce per-handshake 2143 // processing for TLS clients doing client authentication. If nil, the 2144 // leaf certificate will be parsed as needed. 2145 Leaf *x509.Certificate 2146} 2147 2148// A TLS record. 2149type record struct { 2150 contentType recordType 2151 major, minor uint8 2152 payload []byte 2153} 2154 2155type handshakeMessage interface { 2156 marshal() []byte 2157 unmarshal([]byte) bool 2158} 2159 2160// lruSessionCache is a client or server session cache implementation 2161// that uses an LRU caching strategy. 2162type lruSessionCache struct { 2163 sync.Mutex 2164 2165 m map[string]*list.Element 2166 q *list.List 2167 capacity int 2168} 2169 2170type lruSessionCacheEntry struct { 2171 sessionKey string 2172 state interface{} 2173} 2174 2175// Put adds the provided (sessionKey, cs) pair to the cache. 2176func (c *lruSessionCache) Put(sessionKey string, cs interface{}) { 2177 c.Lock() 2178 defer c.Unlock() 2179 2180 if elem, ok := c.m[sessionKey]; ok { 2181 entry := elem.Value.(*lruSessionCacheEntry) 2182 entry.state = cs 2183 c.q.MoveToFront(elem) 2184 return 2185 } 2186 2187 if c.q.Len() < c.capacity { 2188 entry := &lruSessionCacheEntry{sessionKey, cs} 2189 c.m[sessionKey] = c.q.PushFront(entry) 2190 return 2191 } 2192 2193 elem := c.q.Back() 2194 entry := elem.Value.(*lruSessionCacheEntry) 2195 delete(c.m, entry.sessionKey) 2196 entry.sessionKey = sessionKey 2197 entry.state = cs 2198 c.q.MoveToFront(elem) 2199 c.m[sessionKey] = elem 2200} 2201 2202// Get returns the value associated with a given key. It returns (nil, 2203// false) if no value is found. 2204func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) { 2205 c.Lock() 2206 defer c.Unlock() 2207 2208 if elem, ok := c.m[sessionKey]; ok { 2209 c.q.MoveToFront(elem) 2210 return elem.Value.(*lruSessionCacheEntry).state, true 2211 } 2212 return nil, false 2213} 2214 2215// lruClientSessionCache is a ClientSessionCache implementation that 2216// uses an LRU caching strategy. 2217type lruClientSessionCache struct { 2218 lruSessionCache 2219} 2220 2221func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { 2222 c.lruSessionCache.Put(sessionKey, cs) 2223} 2224 2225func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { 2226 cs, ok := c.lruSessionCache.Get(sessionKey) 2227 if !ok { 2228 return nil, false 2229 } 2230 return cs.(*ClientSessionState), true 2231} 2232 2233// lruServerSessionCache is a ServerSessionCache implementation that 2234// uses an LRU caching strategy. 2235type lruServerSessionCache struct { 2236 lruSessionCache 2237} 2238 2239func (c *lruServerSessionCache) Put(sessionID string, session *sessionState) { 2240 c.lruSessionCache.Put(sessionID, session) 2241} 2242 2243func (c *lruServerSessionCache) Get(sessionID string) (*sessionState, bool) { 2244 cs, ok := c.lruSessionCache.Get(sessionID) 2245 if !ok { 2246 return nil, false 2247 } 2248 return cs.(*sessionState), true 2249} 2250 2251// NewLRUClientSessionCache returns a ClientSessionCache with the given 2252// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 2253// is used instead. 2254func NewLRUClientSessionCache(capacity int) ClientSessionCache { 2255 const defaultSessionCacheCapacity = 64 2256 2257 if capacity < 1 { 2258 capacity = defaultSessionCacheCapacity 2259 } 2260 return &lruClientSessionCache{ 2261 lruSessionCache{ 2262 m: make(map[string]*list.Element), 2263 q: list.New(), 2264 capacity: capacity, 2265 }, 2266 } 2267} 2268 2269// NewLRUServerSessionCache returns a ServerSessionCache with the given 2270// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 2271// is used instead. 2272func NewLRUServerSessionCache(capacity int) ServerSessionCache { 2273 const defaultSessionCacheCapacity = 64 2274 2275 if capacity < 1 { 2276 capacity = defaultSessionCacheCapacity 2277 } 2278 return &lruServerSessionCache{ 2279 lruSessionCache{ 2280 m: make(map[string]*list.Element), 2281 q: list.New(), 2282 capacity: capacity, 2283 }, 2284 } 2285} 2286 2287// TODO(jsing): Make these available to both crypto/x509 and crypto/tls. 2288type dsaSignature struct { 2289 R, S *big.Int 2290} 2291 2292type ecdsaSignature dsaSignature 2293 2294var emptyConfig Config 2295 2296func defaultConfig() *Config { 2297 return &emptyConfig 2298} 2299 2300var ( 2301 once sync.Once 2302 varDefaultCipherSuites []uint16 2303) 2304 2305func defaultCipherSuites() []uint16 { 2306 once.Do(initDefaultCipherSuites) 2307 return varDefaultCipherSuites 2308} 2309 2310func initDefaultCipherSuites() { 2311 for _, suite := range cipherSuites { 2312 if suite.flags&suitePSK == 0 { 2313 varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) 2314 } 2315 } 2316} 2317 2318func unexpectedMessageError(wanted, got interface{}) error { 2319 return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) 2320} 2321 2322func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool { 2323 for _, s := range sigAlgs { 2324 if s == sigAlg { 2325 return true 2326 } 2327 } 2328 return false 2329} 2330 2331var ( 2332 // See RFC 8446, section 4.1.3. 2333 downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} 2334 downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} 2335 2336 // This is a non-standard randomly-generated value. 2337 downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff} 2338) 2339 2340func containsGREASE(values []uint16) bool { 2341 for _, v := range values { 2342 if isGREASEValue(v) { 2343 return true 2344 } 2345 } 2346 return false 2347} 2348 2349func isAllZero(v []byte) bool { 2350 for _, b := range v { 2351 if b != 0 { 2352 return false 2353 } 2354 } 2355 return true 2356} 2357