1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "container/list" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/rand" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "math/big" 16 "strings" 17 "sync" 18 "time" 19 20 "boringssl.googlesource.com/boringssl/ssl/test/runner/hpke" 21) 22 23const ( 24 VersionSSL30 = 0x0300 25 VersionTLS10 = 0x0301 26 VersionTLS11 = 0x0302 27 VersionTLS12 = 0x0303 28 VersionTLS13 = 0x0304 29) 30 31const ( 32 VersionDTLS10 = 0xfeff 33 VersionDTLS12 = 0xfefd 34) 35 36var allTLSWireVersions = []uint16{ 37 VersionTLS13, 38 VersionTLS12, 39 VersionTLS11, 40 VersionTLS10, 41 VersionSSL30, 42} 43 44var allDTLSWireVersions = []uint16{ 45 VersionDTLS12, 46 VersionDTLS10, 47} 48 49const ( 50 maxPlaintext = 16384 // maximum plaintext payload length 51 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length 52 tlsRecordHeaderLen = 5 // record header length 53 dtlsRecordHeaderLen = 13 54 maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) 55 56 minVersion = VersionSSL30 57 maxVersion = VersionTLS13 58) 59 60// TLS record types. 61type recordType uint8 62 63const ( 64 recordTypeChangeCipherSpec recordType = 20 65 recordTypeAlert recordType = 21 66 recordTypeHandshake recordType = 22 67 recordTypeApplicationData recordType = 23 68 recordTypePlaintextHandshake recordType = 24 69) 70 71// TLS handshake message types. 72const ( 73 typeHelloRequest uint8 = 0 74 typeClientHello uint8 = 1 75 typeServerHello uint8 = 2 76 typeHelloVerifyRequest uint8 = 3 77 typeNewSessionTicket uint8 = 4 78 typeEndOfEarlyData uint8 = 5 79 typeEncryptedExtensions uint8 = 8 80 typeCertificate uint8 = 11 81 typeServerKeyExchange uint8 = 12 82 typeCertificateRequest uint8 = 13 83 typeServerHelloDone uint8 = 14 84 typeCertificateVerify uint8 = 15 85 typeClientKeyExchange uint8 = 16 86 typeFinished uint8 = 20 87 typeCertificateStatus uint8 = 22 88 typeKeyUpdate uint8 = 24 89 typeCompressedCertificate uint8 = 25 // Not IANA assigned 90 typeNextProtocol uint8 = 67 // Not IANA assigned 91 typeChannelID uint8 = 203 // Not IANA assigned 92 typeMessageHash uint8 = 254 93) 94 95// TLS compression types. 96const ( 97 compressionNone uint8 = 0 98) 99 100// TLS extension numbers 101const ( 102 extensionServerName uint16 = 0 103 extensionStatusRequest uint16 = 5 104 extensionSupportedCurves uint16 = 10 105 extensionSupportedPoints uint16 = 11 106 extensionSignatureAlgorithms uint16 = 13 107 extensionUseSRTP uint16 = 14 108 extensionALPN uint16 = 16 109 extensionSignedCertificateTimestamp uint16 = 18 110 extensionPadding uint16 = 21 111 extensionExtendedMasterSecret uint16 = 23 112 extensionCompressedCertAlgs uint16 = 27 113 extensionSessionTicket uint16 = 35 114 extensionPreSharedKey uint16 = 41 115 extensionEarlyData uint16 = 42 116 extensionSupportedVersions uint16 = 43 117 extensionCookie uint16 = 44 118 extensionPSKKeyExchangeModes uint16 = 45 119 extensionCertificateAuthorities uint16 = 47 120 extensionSignatureAlgorithmsCert uint16 = 50 121 extensionKeyShare uint16 = 51 122 extensionQUICTransportParams uint16 = 57 123 extensionCustom uint16 = 1234 // not IANA assigned 124 extensionNextProtoNeg uint16 = 13172 // not IANA assigned 125 extensionApplicationSettingsOld uint16 = 17513 // not IANA assigned 126 extensionApplicationSettings uint16 = 17613 // not IANA assigned 127 extensionRenegotiationInfo uint16 = 0xff01 128 extensionQUICTransportParamsLegacy uint16 = 0xffa5 // draft-ietf-quic-tls-32 and earlier 129 extensionChannelID uint16 = 30032 // not IANA assigned 130 extensionDelegatedCredentials uint16 = 0x22 // draft-ietf-tls-subcerts-06 131 extensionDuplicate uint16 = 0xffff // not IANA assigned 132 extensionEncryptedClientHello uint16 = 0xfe0d // not IANA assigned 133 extensionECHOuterExtensions uint16 = 0xfd00 // not IANA assigned 134) 135 136// TLS signaling cipher suite values 137const ( 138 scsvRenegotiation uint16 = 0x00ff 139) 140 141var tls13HelloRetryRequest = []uint8{ 142 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 143 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 144 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 145} 146 147// CurveID is the type of a TLS identifier for an elliptic curve. See 148// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 149type CurveID uint16 150 151const ( 152 CurveP224 CurveID = 21 153 CurveP256 CurveID = 23 154 CurveP384 CurveID = 24 155 CurveP521 CurveID = 25 156 CurveX25519 CurveID = 29 157 CurveX25519Kyber768 CurveID = 0x6399 158) 159 160// TLS Elliptic Curve Point Formats 161// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 162const ( 163 pointFormatUncompressed uint8 = 0 164 pointFormatCompressedPrime uint8 = 1 165) 166 167// TLS CertificateStatusType (RFC 3546) 168const ( 169 statusTypeOCSP uint8 = 1 170) 171 172// Certificate types (for certificateRequestMsg) 173const ( 174 CertTypeRSASign = 1 // A certificate containing an RSA key 175 CertTypeDSSSign = 2 // A certificate containing a DSA key 176 CertTypeRSAFixedDH = 3 // A certificate containing a static DH key 177 CertTypeDSSFixedDH = 4 // A certificate containing a static DH key 178 179 // See RFC 4492 sections 3 and 5.5. 180 CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. 181 CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. 182 CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. 183 184 // Rest of these are reserved by the TLS spec 185) 186 187// signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note 188// that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with 189// TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature 190// algorithms' throughout. We match the latter. 191type signatureAlgorithm uint16 192 193const ( 194 // RSASSA-PKCS1-v1_5 algorithms 195 signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101 196 signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201 197 signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401 198 signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501 199 signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601 200 201 // ECDSA algorithms 202 signatureECDSAWithSHA1 signatureAlgorithm = 0x0203 203 signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403 204 signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503 205 signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603 206 207 // RSASSA-PSS algorithms 208 signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804 209 signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805 210 signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806 211 212 // EdDSA algorithms 213 signatureEd25519 signatureAlgorithm = 0x0807 214 signatureEd448 signatureAlgorithm = 0x0808 215 216 // signatureRSAPKCS1WithMD5AndSHA1 is the internal value BoringSSL uses to 217 // represent the TLS 1.0/1.1 RSA MD5/SHA1 concatenation. We define the 218 // constant here to test that this doesn't leak into the protocol. 219 signatureRSAPKCS1WithMD5AndSHA1 signatureAlgorithm = 0xff01 220) 221 222// supportedSignatureAlgorithms contains the default supported signature 223// algorithms. 224var supportedSignatureAlgorithms = []signatureAlgorithm{ 225 signatureRSAPSSWithSHA256, 226 signatureRSAPSSWithSHA384, 227 signatureRSAPKCS1WithSHA256, 228 signatureECDSAWithP256AndSHA256, 229 signatureECDSAWithP384AndSHA384, 230 signatureRSAPKCS1WithSHA1, 231 signatureRSAPKCS1WithSHA256, 232 signatureRSAPKCS1WithSHA384, 233 signatureECDSAWithSHA1, 234 signatureEd25519, 235} 236 237// SRTP protection profiles (See RFC 5764, section 4.1.2) 238const ( 239 SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 240 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 241) 242 243// PskKeyExchangeMode values (see RFC 8446, section 4.2.9) 244const ( 245 pskKEMode = 0 246 pskDHEKEMode = 1 247) 248 249// KeyUpdateRequest values (see RFC 8446, section 4.6.3) 250const ( 251 keyUpdateNotRequested = 0 252 keyUpdateRequested = 1 253) 254 255// draft-ietf-tls-esni-13, sections 7.2 and 7.2.1. 256const echAcceptConfirmationLength = 8 257 258// ConnectionState records basic TLS details about the connection. 259type ConnectionState struct { 260 Version uint16 // TLS version used by the connection (e.g. VersionTLS12) 261 HandshakeComplete bool // TLS handshake is complete 262 DidResume bool // connection resumes a previous TLS connection 263 CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) 264 NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) 265 NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server 266 NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN 267 ServerName string // server name requested by client, if any (server side only) 268 PeerCertificates []*x509.Certificate // certificate chain presented by remote peer 269 VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates 270 OCSPResponse []byte // stapled OCSP response from the peer, if any 271 ChannelID *ecdsa.PublicKey // the channel ID for this connection 272 SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile 273 TLSUnique []byte // the tls-unique channel binding 274 SCTList []byte // signed certificate timestamp list 275 PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake 276 CurveID CurveID // the curve used in ECDHE 277 QUICTransportParams []byte // the QUIC transport params received from the peer 278 QUICTransportParamsLegacy []byte // the legacy QUIC transport params received from the peer 279 HasApplicationSettings bool // whether ALPS was negotiated 280 PeerApplicationSettings []byte // application settings received from the peer 281 HasApplicationSettingsOld bool // whether ALPS old codepoint was negotiated 282 PeerApplicationSettingsOld []byte // the old application settings received from the peer 283 ECHAccepted bool // whether ECH was accepted on this connection 284} 285 286// ClientAuthType declares the policy the server will follow for 287// TLS Client Authentication. 288type ClientAuthType int 289 290const ( 291 NoClientCert ClientAuthType = iota 292 RequestClientCert 293 RequireAnyClientCert 294 VerifyClientCertIfGiven 295 RequireAndVerifyClientCert 296) 297 298// ClientSessionState contains the state needed by clients to resume TLS 299// sessions. 300type ClientSessionState struct { 301 sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. 302 sessionTicket []uint8 // Encrypted ticket used for session resumption with server 303 vers uint16 // SSL/TLS version negotiated for the session 304 wireVersion uint16 // Wire SSL/TLS version negotiated for the session 305 cipherSuite *cipherSuite // Ciphersuite negotiated for the session 306 secret []byte // Secret associated with the session 307 handshakeHash []byte // Handshake hash for Channel ID purposes. 308 serverCertificates []*x509.Certificate // Certificate chain presented by the server 309 extendedMasterSecret bool // Whether an extended master secret was used to generate the session 310 sctList []byte 311 ocspResponse []byte 312 earlyALPN string 313 ticketCreationTime time.Time 314 ticketExpiration time.Time 315 ticketAgeAdd uint32 316 maxEarlyDataSize uint32 317 hasApplicationSettings bool 318 localApplicationSettings []byte 319 peerApplicationSettings []byte 320 hasApplicationSettingsOld bool 321 localApplicationSettingsOld []byte 322 peerApplicationSettingsOld []byte 323} 324 325// ClientSessionCache is a cache of ClientSessionState objects that can be used 326// by a client to resume a TLS session with a given server. ClientSessionCache 327// implementations should expect to be called concurrently from different 328// goroutines. 329type ClientSessionCache interface { 330 // Get searches for a ClientSessionState associated with the given key. 331 // On return, ok is true if one was found. 332 Get(sessionKey string) (session *ClientSessionState, ok bool) 333 334 // Put adds the ClientSessionState to the cache with the given key. 335 Put(sessionKey string, cs *ClientSessionState) 336} 337 338// ServerSessionCache is a cache of sessionState objects that can be used by a 339// client to resume a TLS session with a given server. ServerSessionCache 340// implementations should expect to be called concurrently from different 341// goroutines. 342type ServerSessionCache interface { 343 // Get searches for a sessionState associated with the given session 344 // ID. On return, ok is true if one was found. 345 Get(sessionID string) (session *sessionState, ok bool) 346 347 // Put adds the sessionState to the cache with the given session ID. 348 Put(sessionID string, session *sessionState) 349} 350 351// CertCompressionAlg is a certificate compression algorithm, specified as a 352// pair of functions for compressing and decompressing certificates. 353type CertCompressionAlg struct { 354 // Compress returns a compressed representation of the input. 355 Compress func([]byte) []byte 356 // Decompress depresses the contents of in and writes the result to out, which 357 // will be the correct size. It returns true on success and false otherwise. 358 Decompress func(out, in []byte) bool 359} 360 361// QUICUseCodepoint controls which TLS extension codepoint is used to convey the 362// QUIC transport parameters. QUICUseCodepointStandard means use 57, 363// QUICUseCodepointLegacy means use legacy value 0xff5a, QUICUseCodepointBoth 364// means use both. QUICUseCodepointNeither means do not send transport 365// parameters. 366type QUICUseCodepoint int 367 368const ( 369 QUICUseCodepointStandard QUICUseCodepoint = iota 370 QUICUseCodepointLegacy 371 QUICUseCodepointBoth 372 QUICUseCodepointNeither 373 NumQUICUseCodepoints 374) 375 376func (c QUICUseCodepoint) IncludeStandard() bool { 377 return c == QUICUseCodepointStandard || c == QUICUseCodepointBoth 378} 379 380func (c QUICUseCodepoint) IncludeLegacy() bool { 381 return c == QUICUseCodepointLegacy || c == QUICUseCodepointBoth 382} 383 384func (c QUICUseCodepoint) String() string { 385 switch c { 386 case QUICUseCodepointStandard: 387 return "Standard" 388 case QUICUseCodepointLegacy: 389 return "Legacy" 390 case QUICUseCodepointBoth: 391 return "Both" 392 case QUICUseCodepointNeither: 393 return "Neither" 394 } 395 panic("unknown value") 396} 397 398// ALPSUseCodepoint controls which TLS extension codepoint is used to convey the 399// ApplicationSettings. ALPSUseCodepointNew means use 17613, 400// ALPSUseCodepointOld means use old value 17513. 401type ALPSUseCodepoint int 402 403const ( 404 ALPSUseCodepointNew ALPSUseCodepoint = iota 405 ALPSUseCodepointOld 406 NumALPSUseCodepoints 407) 408 409func (c ALPSUseCodepoint) IncludeNew() bool { 410 return c == ALPSUseCodepointNew 411} 412 413func (c ALPSUseCodepoint) IncludeOld() bool { 414 return c == ALPSUseCodepointOld 415} 416 417func (c ALPSUseCodepoint) String() string { 418 switch c { 419 case ALPSUseCodepointNew: 420 return "New" 421 case ALPSUseCodepointOld: 422 return "Old" 423 } 424 panic("unknown value") 425} 426 427// A Config structure is used to configure a TLS client or server. 428// After one has been passed to a TLS function it must not be 429// modified. A Config may be reused; the tls package will also not 430// modify it. 431type Config struct { 432 // Rand provides the source of entropy for nonces and RSA blinding. 433 // If Rand is nil, TLS uses the cryptographic random reader in package 434 // crypto/rand. 435 // The Reader must be safe for use by multiple goroutines. 436 Rand io.Reader 437 438 // Time returns the current time as the number of seconds since the epoch. 439 // If Time is nil, TLS uses time.Now. 440 Time func() time.Time 441 442 // Certificates contains one or more certificate chains 443 // to present to the other side of the connection. 444 // Server configurations must include at least one certificate. 445 Certificates []Certificate 446 447 // NameToCertificate maps from a certificate name to an element of 448 // Certificates. Note that a certificate name can be of the form 449 // '*.example.com' and so doesn't have to be a domain name as such. 450 // See Config.BuildNameToCertificate 451 // The nil value causes the first element of Certificates to be used 452 // for all connections. 453 NameToCertificate map[string]*Certificate 454 455 // RootCAs defines the set of root certificate authorities 456 // that clients use when verifying server certificates. 457 // If RootCAs is nil, TLS uses the host's root CA set. 458 RootCAs *x509.CertPool 459 460 // NextProtos is a list of supported, application level protocols. 461 NextProtos []string 462 463 // ApplicationSettings is a set of application settings to use which each 464 // application protocol. 465 ApplicationSettings map[string][]byte 466 467 // ALPSUseNewCodepoint controls which TLS extension codepoint is used to 468 // convey the ApplicationSettings. 469 ALPSUseNewCodepoint ALPSUseCodepoint 470 471 // ServerName is used to verify the hostname on the returned 472 // certificates unless InsecureSkipVerify is given. It is also included 473 // in the client's handshake to support virtual hosting. 474 ServerName string 475 476 // ClientECHConfig, when non-nil, is the ECHConfig the client will use to 477 // attempt ECH. 478 ClientECHConfig *ECHConfig 479 480 // ECHCipherSuites, for the client, is the list of HPKE cipher suites in 481 // decreasing order of preference. If empty, the default will be used. 482 ECHCipherSuites []HPKECipherSuite 483 484 // ServerECHConfigs is the server's list of ECHConfig values with 485 // corresponding secret keys. 486 ServerECHConfigs []ServerECHConfig 487 488 // ECHOuterExtensions is the list of extensions that the client will 489 // compress with the ech_outer_extensions extension. If empty, no extensions 490 // will be compressed. 491 ECHOuterExtensions []uint16 492 493 // ClientAuth determines the server's policy for 494 // TLS Client Authentication. The default is NoClientCert. 495 ClientAuth ClientAuthType 496 497 // ClientCAs defines the set of root certificate authorities 498 // that servers use if required to verify a client certificate 499 // by the policy in ClientAuth. 500 ClientCAs *x509.CertPool 501 502 // ClientCertificateTypes defines the set of allowed client certificate 503 // types. The default is CertTypeRSASign and CertTypeECDSASign. 504 ClientCertificateTypes []byte 505 506 // InsecureSkipVerify controls whether a client verifies the 507 // server's certificate chain and host name. 508 // If InsecureSkipVerify is true, TLS accepts any certificate 509 // presented by the server and any host name in that certificate. 510 // In this mode, TLS is susceptible to man-in-the-middle attacks. 511 // This should be used only for testing. 512 InsecureSkipVerify bool 513 514 // CipherSuites is a list of supported cipher suites. If CipherSuites 515 // is nil, TLS uses a list of suites supported by the implementation. 516 CipherSuites []uint16 517 518 // PreferServerCipherSuites controls whether the server selects the 519 // client's most preferred ciphersuite, or the server's most preferred 520 // ciphersuite. If true then the server's preference, as expressed in 521 // the order of elements in CipherSuites, is used. 522 PreferServerCipherSuites bool 523 524 // SessionTicketsDisabled may be set to true to disable session ticket 525 // (resumption) support. 526 SessionTicketsDisabled bool 527 528 // SessionTicketKey is used by TLS servers to provide session 529 // resumption. See RFC 5077. If zero, it will be filled with 530 // random data before the first server handshake. 531 // 532 // If multiple servers are terminating connections for the same host 533 // they should all have the same SessionTicketKey. If the 534 // SessionTicketKey leaks, previously recorded and future TLS 535 // connections using that key are compromised. 536 SessionTicketKey [32]byte 537 538 // ClientSessionCache is a cache of ClientSessionState entries 539 // for TLS session resumption. 540 ClientSessionCache ClientSessionCache 541 542 // ServerSessionCache is a cache of sessionState entries for TLS session 543 // resumption. 544 ServerSessionCache ServerSessionCache 545 546 // MinVersion contains the minimum SSL/TLS version that is acceptable. 547 // If zero, then SSLv3 is taken as the minimum. 548 MinVersion uint16 549 550 // MaxVersion contains the maximum SSL/TLS version that is acceptable. 551 // If zero, then the maximum version supported by this package is used, 552 // which is currently TLS 1.2. 553 MaxVersion uint16 554 555 // CurvePreferences contains the elliptic curves that will be used in 556 // an ECDHE handshake, in preference order. If empty, the default will 557 // be used. 558 CurvePreferences []CurveID 559 560 // DefaultCurves contains the elliptic curves for which public values will 561 // be sent in the ClientHello's KeyShare extension. If this value is nil, 562 // all supported curves will have public values sent. This field is ignored 563 // on servers. 564 DefaultCurves []CurveID 565 566 // ChannelID contains the ECDSA key for the client to use as 567 // its TLS Channel ID. 568 ChannelID *ecdsa.PrivateKey 569 570 // RequestChannelID controls whether the server requests a TLS 571 // Channel ID. If negotiated, the client's public key is 572 // returned in the ConnectionState. 573 RequestChannelID bool 574 575 // PreSharedKey, if not nil, is the pre-shared key to use with 576 // the PSK cipher suites. 577 PreSharedKey []byte 578 579 // PreSharedKeyIdentity, if not empty, is the identity to use 580 // with the PSK cipher suites. 581 PreSharedKeyIdentity string 582 583 // MaxEarlyDataSize controls the maximum number of bytes that the 584 // server will accept in early data and advertise in a 585 // NewSessionTicketMsg. If 0, no early data will be accepted and 586 // the early_data extension in the NewSessionTicketMsg will be omitted. 587 MaxEarlyDataSize uint32 588 589 // SRTPProtectionProfiles, if not nil, is the list of SRTP 590 // protection profiles to offer in DTLS-SRTP. 591 SRTPProtectionProfiles []uint16 592 593 // SignSignatureAlgorithms, if not nil, overrides the default set of 594 // supported signature algorithms to sign with. 595 SignSignatureAlgorithms []signatureAlgorithm 596 597 // VerifySignatureAlgorithms, if not nil, overrides the default set of 598 // supported signature algorithms that are accepted. 599 VerifySignatureAlgorithms []signatureAlgorithm 600 601 // QUICTransportParams, if not empty, will be sent in the QUIC 602 // transport parameters extension. 603 QUICTransportParams []byte 604 605 // QUICTransportParamsUseLegacyCodepoint controls which TLS extension 606 // codepoint is used to convey the QUIC transport parameters. 607 QUICTransportParamsUseLegacyCodepoint QUICUseCodepoint 608 609 CertCompressionAlgs map[uint16]CertCompressionAlg 610 611 // Bugs specifies optional misbehaviour to be used for testing other 612 // implementations. 613 Bugs ProtocolBugs 614 615 serverInitOnce sync.Once // guards calling (*Config).serverInit 616} 617 618type BadValue int 619 620const ( 621 BadValueNone BadValue = iota 622 BadValueNegative 623 BadValueZero 624 BadValueLimit 625 BadValueLarge 626 NumBadValues 627) 628 629type RSABadValue int 630 631const ( 632 RSABadValueNone RSABadValue = iota 633 RSABadValueCorrupt 634 RSABadValueTooLong 635 RSABadValueTooShort 636 RSABadValueWrongVersion1 637 RSABadValueWrongVersion2 638 RSABadValueWrongBlockType 639 RSABadValueWrongLeadingByte 640 RSABadValueNoZero 641 NumRSABadValues 642) 643 644type ProtocolBugs struct { 645 // InvalidSignature specifies that the signature in a ServerKeyExchange 646 // or CertificateVerify message should be invalid. 647 InvalidSignature bool 648 649 // SendCurve, if non-zero, causes the server to send the specified curve 650 // ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather 651 // than the negotiated one. 652 SendCurve CurveID 653 654 // InvalidECDHPoint, if true, causes the ECC points in 655 // ServerKeyExchange or ClientKeyExchange messages to be invalid. 656 InvalidECDHPoint bool 657 658 // BadECDSAR controls ways in which the 'r' value of an ECDSA signature 659 // can be invalid. 660 BadECDSAR BadValue 661 BadECDSAS BadValue 662 663 // MaxPadding causes CBC records to have the maximum possible padding. 664 MaxPadding bool 665 // PaddingFirstByteBad causes the first byte of the padding to be 666 // incorrect. 667 PaddingFirstByteBad bool 668 // PaddingFirstByteBadIf255 causes the first byte of padding to be 669 // incorrect if there's a maximum amount of padding (i.e. 255 bytes). 670 PaddingFirstByteBadIf255 bool 671 672 // FailIfNotFallbackSCSV causes a server handshake to fail if the 673 // client doesn't send the fallback SCSV value. 674 FailIfNotFallbackSCSV bool 675 676 // DuplicateExtension causes an extra empty extension of bogus type to 677 // be emitted in either the ClientHello or the ServerHello. 678 DuplicateExtension bool 679 680 // UnauthenticatedECDH causes the server to pretend ECDHE_RSA 681 // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No 682 // Certificate message is sent and no signature is added to 683 // ServerKeyExchange. 684 UnauthenticatedECDH bool 685 686 // SkipHelloVerifyRequest causes a DTLS server to skip the 687 // HelloVerifyRequest message. 688 SkipHelloVerifyRequest bool 689 690 // HelloVerifyRequestCookieLength, if non-zero, is the length of the cookie 691 // to request in HelloVerifyRequest. 692 HelloVerifyRequestCookieLength int 693 694 // EmptyHelloVerifyRequestCookie, if true, causes a DTLS server to request 695 // an empty cookie in HelloVerifyRequest. 696 EmptyHelloVerifyRequestCookie bool 697 698 // SkipCertificateStatus, if true, causes the server to skip the 699 // CertificateStatus message. This is legal because CertificateStatus is 700 // optional, even with a status_request in ServerHello. 701 SkipCertificateStatus bool 702 703 // SkipServerKeyExchange causes the server to skip sending 704 // ServerKeyExchange messages. 705 SkipServerKeyExchange bool 706 707 // SkipNewSessionTicket causes the server to skip sending the 708 // NewSessionTicket message despite promising to in ServerHello. 709 SkipNewSessionTicket bool 710 711 // UseFirstSessionTicket causes the client to cache only the first session 712 // ticket received. 713 UseFirstSessionTicket bool 714 715 // SkipClientCertificate causes the client to skip the Certificate 716 // message. 717 SkipClientCertificate bool 718 719 // SkipChangeCipherSpec causes the implementation to skip 720 // sending the ChangeCipherSpec message (and adjusting cipher 721 // state accordingly for the Finished message). 722 SkipChangeCipherSpec bool 723 724 // SkipFinished causes the implementation to skip sending the Finished 725 // message. 726 SkipFinished bool 727 728 // SkipEndOfEarlyData causes the implementation to skip 729 // end_of_early_data. 730 SkipEndOfEarlyData bool 731 732 // NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the 733 // EndOfEarlyData. 734 NonEmptyEndOfEarlyData bool 735 736 // SkipCertificateVerify, if true causes peer to skip sending a 737 // CertificateVerify message after the Certificate message. 738 SkipCertificateVerify bool 739 740 // EarlyChangeCipherSpec causes the client to send an early 741 // ChangeCipherSpec message before the ClientKeyExchange. A value of 742 // zero disables this behavior. One and two configure variants for 743 // 1.0.1 and 0.9.8 modes, respectively. 744 EarlyChangeCipherSpec int 745 746 // StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake 747 // message in DTLS to be prefaced by stray ChangeCipherSpec record. This 748 // may be used to test DTLS's handling of reordered ChangeCipherSpec. 749 StrayChangeCipherSpec bool 750 751 // ReorderChangeCipherSpec causes the ChangeCipherSpec message to be 752 // sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec, 753 // the cipher change happens at the usual time. 754 ReorderChangeCipherSpec bool 755 756 // FragmentAcrossChangeCipherSpec causes the implementation to fragment 757 // the Finished (or NextProto) message around the ChangeCipherSpec 758 // messages. 759 FragmentAcrossChangeCipherSpec bool 760 761 // SendExtraChangeCipherSpec causes the implementation to send extra 762 // ChangeCipherSpec messages. 763 SendExtraChangeCipherSpec int 764 765 // SendPostHandshakeChangeCipherSpec causes the implementation to send 766 // a ChangeCipherSpec record before every application data record. 767 SendPostHandshakeChangeCipherSpec bool 768 769 // SendUnencryptedFinished, if true, causes the Finished message to be 770 // send unencrypted before ChangeCipherSpec rather than after it. 771 SendUnencryptedFinished bool 772 773 // PartialEncryptedExtensionsWithServerHello, if true, causes the TLS 774 // 1.3 server to send part of EncryptedExtensions unencrypted 775 // in the same record as ServerHello. 776 PartialEncryptedExtensionsWithServerHello bool 777 778 // PartialClientFinishedWithClientHello, if true, causes the TLS 1.2 779 // or TLS 1.3 client to send part of Finished unencrypted in the same 780 // record as ClientHello. 781 PartialClientFinishedWithClientHello bool 782 783 // PartialClientFinishedWithSecondClientHello, if true, causes the 784 // TLS 1.3 client to send part of Finished unencrypted in the same 785 // record as the second ClientHello. 786 PartialClientFinishedWithSecondClientHello bool 787 788 // PartialEndOfEarlyDataWithClientHello, if true, causes the TLS 1.3 789 // client to send part of EndOfEarlyData unencrypted in the same record 790 // as ClientHello. 791 PartialEndOfEarlyDataWithClientHello bool 792 793 // PartialSecondClientHelloAfterFirst, if true, causes the TLS 1.3 client 794 // to send part of the second ClientHello in the same record as the first 795 // one. 796 PartialSecondClientHelloAfterFirst bool 797 798 // PartialClientKeyExchangeWithClientHello, if true, causes the TLS 1.2 799 // client to send part of the ClientKeyExchange in the same record as 800 // the ClientHello. 801 PartialClientKeyExchangeWithClientHello bool 802 803 // PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2 804 // server to send part of the NewSessionTicket in the same record as 805 // ServerHelloDone. 806 PartialNewSessionTicketWithServerHelloDone bool 807 808 // PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2 809 // server to send part of the Finshed in the same record as ServerHelloDone. 810 PartialFinishedWithServerHelloDone bool 811 812 // PartialServerHelloWithHelloRetryRequest, if true, causes the TLS 1.3 813 // server to send part of the ServerHello in the same record as 814 // HelloRetryRequest. 815 PartialServerHelloWithHelloRetryRequest bool 816 817 // TrailingDataWithFinished, if true, causes the record containing the 818 // Finished message to include an extra byte of data at the end. 819 TrailingDataWithFinished bool 820 821 // SendV2ClientHello causes the client to send a V2ClientHello 822 // instead of a normal ClientHello. 823 SendV2ClientHello bool 824 825 // V2ClientHelloChallengeLength is the length of the challenge field to send 826 // in V2ClientHello. 827 V2ClientHelloChallengeLength int 828 829 // SendFallbackSCSV causes the client to include 830 // TLS_FALLBACK_SCSV in the ClientHello. 831 SendFallbackSCSV bool 832 833 // SendRenegotiationSCSV causes the client to include the renegotiation 834 // SCSV in the ClientHello. 835 SendRenegotiationSCSV bool 836 837 // MaxHandshakeRecordLength, if non-zero, is the maximum size of a 838 // handshake record. Handshake messages will be split into multiple 839 // records at the specified size, except that the client_version will 840 // never be fragmented. For DTLS, it is the maximum handshake fragment 841 // size, not record size; DTLS allows multiple handshake fragments in a 842 // single handshake record. See |PackHandshakeFragments|. 843 MaxHandshakeRecordLength int 844 845 // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to 846 // the first 6 bytes of the ClientHello. 847 FragmentClientVersion bool 848 849 // FragmentAlert will cause all alerts to be fragmented across 850 // two records. 851 FragmentAlert bool 852 853 // DoubleAlert will cause all alerts to be sent as two copies packed 854 // within one record. 855 DoubleAlert bool 856 857 // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted 858 // alert to be sent. 859 SendSpuriousAlert alert 860 861 // BadRSAClientKeyExchange causes the client to send a corrupted RSA 862 // ClientKeyExchange which would not pass padding checks. 863 BadRSAClientKeyExchange RSABadValue 864 865 // RenewTicketOnResume causes the server to renew the session ticket and 866 // send a NewSessionTicket message during an abbreviated handshake. 867 RenewTicketOnResume bool 868 869 // SendClientVersion, if non-zero, causes the client to send the 870 // specified value in the ClientHello version field. 871 SendClientVersion uint16 872 873 // OmitSupportedVersions, if true, causes the client to omit the 874 // supported versions extension. 875 OmitSupportedVersions bool 876 877 // SendSupportedVersions, if non-empty, causes the client to send a 878 // supported versions extension with the values from array. 879 SendSupportedVersions []uint16 880 881 // NegotiateVersion, if non-zero, causes the server to negotiate the 882 // specifed wire version rather than the version supported by either 883 // peer. 884 NegotiateVersion uint16 885 886 // NegotiateVersionOnRenego, if non-zero, causes the server to negotiate 887 // the specified wire version on renegotiation rather than retaining it. 888 NegotiateVersionOnRenego uint16 889 890 // ExpectFalseStart causes the server to, on full handshakes, 891 // expect the peer to False Start; the server Finished message 892 // isn't sent until we receive an application data record 893 // from the peer. 894 ExpectFalseStart bool 895 896 // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full 897 // handshakes, send an alert just before reading the application data 898 // record to test False Start. This can be used in a negative False 899 // Start test to determine whether the peer processed the alert (and 900 // closed the connection) before or after sending app data. 901 AlertBeforeFalseStartTest alert 902 903 // ExpectServerName, if not empty, is the hostname the client 904 // must specify in the selected ClientHello's server_name extension. 905 ExpectServerName string 906 907 // ExpectServerName, if not empty, is the hostname the client 908 // must specify in the ClientHelloOuter's server_name extension. 909 ExpectOuterServerName string 910 911 // ExpectClientECH causes the server to require that the client offer ECH. 912 ExpectClientECH bool 913 914 // ExpectNoClientECH causes the server to require that the client not offer ECH. 915 ExpectNoClientECH bool 916 917 // IgnoreECHConfigCipherPreferences, when true, causes the client to ignore 918 // the cipher preferences in the ECHConfig and select the most preferred ECH 919 // cipher suite unconditionally. 920 IgnoreECHConfigCipherPreferences bool 921 922 // ExpectECHRetryConfigs, when non-nil, contains the expected bytes of the 923 // server's retry configs. 924 ExpectECHRetryConfigs []byte 925 926 // SendECHRetryConfigs, if not empty, contains the ECH server's serialized 927 // retry configs. 928 SendECHRetryConfigs []byte 929 930 // AlwaysSendECHRetryConfigs, if true, causes the ECH server to send retry 931 // configs unconditionally, including in the TLS 1.2 ServerHello. 932 AlwaysSendECHRetryConfigs bool 933 934 // AlwaysSendECHHelloRetryRequest, if true, causes the ECH server to send 935 // the ECH HelloRetryRequest extension unconditionally. 936 AlwaysSendECHHelloRetryRequest bool 937 938 // SendInvalidECHInner, if not empty, causes the client to send the 939 // specified byte string after the type field in ClientHelloInner 940 // encrypted_client_hello extension. 941 SendInvalidECHInner []byte 942 943 // OmitECHInner, if true, causes the client to omit the encrypted_client_hello 944 // extension on the ClientHelloInner message. 945 OmitECHInner bool 946 947 // OmitSecondECHInner, if true, causes the client to omit the 948 // encrypted_client_hello extension on the second ClientHelloInner message. 949 OmitSecondECHInner bool 950 951 // OmitServerHelloECHConfirmation, if true, causes the server to omit the 952 // ECH confirmation in the ServerHello. 953 OmitServerHelloECHConfirmation bool 954 955 // AlwaysSendECHInner, if true, causes the client to send an inner 956 // encrypted_client_hello extension on all ClientHello messages. The server 957 // is then expected to unconditionally confirm the extension when 958 // negotiating TLS 1.3 or later. 959 AlwaysSendECHInner bool 960 961 // TruncateClientECHEnc, if true, causes the client to send a shortened 962 // ClientECH.enc value in its encrypted_client_hello extension. 963 TruncateClientECHEnc bool 964 965 // ClientECHPadding is the number of bytes of padding to add to the client 966 // ECH payload. 967 ClientECHPadding int 968 969 // BadClientECHPadding, if true, causes the client ECH padding to contain a 970 // non-zero byte. 971 BadClientECHPadding bool 972 973 // OfferSessionInClientHelloOuter, if true, causes the client to offer 974 // sessions in ClientHelloOuter. 975 OfferSessionInClientHelloOuter bool 976 977 // OnlyCompressSecondClientHelloInner, if true, causes the client to 978 // only apply outer_extensions to the second ClientHello. 979 OnlyCompressSecondClientHelloInner bool 980 981 // OmitSecondEncryptedClientHello, if true, causes the client to omit the 982 // second encrypted_client_hello extension. 983 OmitSecondEncryptedClientHello bool 984 985 // CorruptEncryptedClientHello, if true, causes the client to incorrectly 986 // encrypt the encrypted_client_hello extension. 987 CorruptEncryptedClientHello bool 988 989 // CorruptSecondEncryptedClientHello, if true, causes the client to 990 // incorrectly encrypt the second encrypted_client_hello extension. 991 CorruptSecondEncryptedClientHello bool 992 993 // CorruptSecondEncryptedClientHelloConfigID, if true, causes the client to 994 // incorrectly set the second ClientHello's ECH config ID. 995 CorruptSecondEncryptedClientHelloConfigID bool 996 997 // AllowTLS12InClientHelloInner, if true, causes the client to include 998 // TLS 1.2 and earlier in ClientHelloInner. 999 AllowTLS12InClientHelloInner bool 1000 1001 // MinimalClientHelloOuter, if true, causes the client to omit most fields 1002 // in ClientHelloOuter. Note this will make handshake attempts with the 1003 // ClientHelloOuter fail and should only be used in tests that expect 1004 // success. 1005 MinimalClientHelloOuter bool 1006 1007 // ExpectECHOuterExtensions is a list of extension IDs which the server 1008 // will require to be present in ech_outer_extensions. 1009 ExpectECHOuterExtensions []uint16 1010 1011 // ExpectECHOuterExtensions is a list of extension IDs which the server 1012 // will require to be omitted in ech_outer_extensions. 1013 ExpectECHUncompressedExtensions []uint16 1014 1015 // ECHOuterExtensionOrder, if not nil, is an extension order to apply to 1016 // ClientHelloOuter, instead of ordering the |ECHOuterExtensions| to match 1017 // in both ClientHellos. 1018 ECHOuterExtensionOrder []uint16 1019 1020 // UseInnerSessionWithClientHelloOuter, if true, causes the server to 1021 // handshake with ClientHelloOuter, but resume the session from 1022 // ClientHelloInner. 1023 UseInnerSessionWithClientHelloOuter bool 1024 1025 // RecordClientHelloInner, when non-nil, is called whenever the client 1026 // generates an encrypted ClientHello. The byte strings do not include the 1027 // ClientHello header. 1028 RecordClientHelloInner func(encodedInner, outer []byte) error 1029 1030 // SwapNPNAndALPN switches the relative order between NPN and ALPN in 1031 // both ClientHello and ServerHello. 1032 SwapNPNAndALPN bool 1033 1034 // ALPNProtocol, if not nil, sets the ALPN protocol that a server will 1035 // return. 1036 ALPNProtocol *string 1037 1038 // AlwaysNegotiateApplicationSettingsBoth, if true, causes the server to 1039 // negotiate ALPS using both codepoint for a protocol even if the client did 1040 // not support it or the version is wrong. 1041 AlwaysNegotiateApplicationSettingsBoth bool 1042 1043 // AlwaysNegotiateApplicationSettingsNew, if true, causes the server to 1044 // negotiate ALPS using new codepoint for a protocol even if the client did 1045 // not support it or the version is wrong. 1046 AlwaysNegotiateApplicationSettingsNew bool 1047 1048 // AlwaysNegotiateApplicationSettingsOld, if true, causes the server to 1049 // negotiate ALPS using old codepoint for a protocol even if the client did 1050 // not support it or the version is wrong. 1051 AlwaysNegotiateApplicationSettingsOld bool 1052 1053 // SendApplicationSettingsWithEarlyData, if true, causes the client and 1054 // server to send the application_settings extension with early data, 1055 // rather than letting them implicitly carry over. 1056 SendApplicationSettingsWithEarlyData bool 1057 1058 // AlwaysSendClientEncryptedExtension, if true, causes the client to always 1059 // send a, possibly empty, client EncryptedExtensions message. 1060 AlwaysSendClientEncryptedExtensions bool 1061 1062 // OmitClientEncryptedExtensions, if true, causes the client to omit the 1063 // client EncryptedExtensions message. 1064 OmitClientEncryptedExtensions bool 1065 1066 // OmitClientApplicationSettings, if true, causes the client to omit the 1067 // application_settings extension but still send EncryptedExtensions. 1068 OmitClientApplicationSettings bool 1069 1070 // SendExtraClientEncryptedExtension, if true, causes the client to 1071 // include an unsolicited extension in the client EncryptedExtensions 1072 // message. 1073 SendExtraClientEncryptedExtension bool 1074 1075 // AcceptAnySession causes the server to resume sessions regardless of 1076 // the version associated with the session or cipher suite. It also 1077 // causes the server to look in both TLS 1.2 and 1.3 extensions to 1078 // process a ticket. 1079 AcceptAnySession bool 1080 1081 // SendBothTickets, if true, causes the client to send tickets in both 1082 // TLS 1.2 and 1.3 extensions. 1083 SendBothTickets bool 1084 1085 // FilterTicket, if not nil, causes the client to modify a session 1086 // ticket before sending it in a resume handshake. 1087 FilterTicket func([]byte) ([]byte, error) 1088 1089 // TicketSessionIDLength, if non-zero, is the length of the session ID 1090 // to send with a ticket resumption offer. 1091 TicketSessionIDLength int 1092 1093 // EmptyTicketSessionID, if true, causes the client to send an empty 1094 // session ID with a ticket resumption offer. For simplicity, this will 1095 // also cause the client to interpret a ServerHello with empty session 1096 // ID as a resumption. (A client which sends empty session ID is 1097 // normally expected to look ahead for ChangeCipherSpec.) 1098 EmptyTicketSessionID bool 1099 1100 // NewSessionIDLength, if non-zero is the length of the session ID to use 1101 // when issung new sessions. 1102 NewSessionIDLength int 1103 1104 // SendClientHelloSessionID, if not nil, is the session ID sent in the 1105 // ClientHello. 1106 SendClientHelloSessionID []byte 1107 1108 // ExpectClientHelloSessionID, if true, causes the server to fail the 1109 // connection if there is not a session ID in the ClientHello. 1110 ExpectClientHelloSessionID bool 1111 1112 // EchoSessionIDInFullHandshake, if true, causes the server to echo the 1113 // ClientHello session ID, even in TLS 1.2 full handshakes. 1114 EchoSessionIDInFullHandshake bool 1115 1116 // ExpectNoSessionID, if true, causes the server to fail the connection if 1117 // the session ID field is present. 1118 ExpectNoSessionID bool 1119 1120 // ExpectNoTLS12Session, if true, causes the server to fail the 1121 // connection if the server offered a TLS 1.2 session. TLS 1.3 clients 1122 // always offer session IDs for compatibility, so the session ID check 1123 // checks for sessions the server issued. 1124 ExpectNoTLS12Session bool 1125 1126 // ExpectNoTLS13PSK, if true, causes the server to fail the connection 1127 // if a TLS 1.3 PSK is offered. 1128 ExpectNoTLS13PSK bool 1129 1130 // ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection 1131 // if a TLS 1.3 PSK is offered after HRR. 1132 ExpectNoTLS13PSKAfterHRR bool 1133 1134 // RequireExtendedMasterSecret, if true, requires that the peer support 1135 // the extended master secret option. 1136 RequireExtendedMasterSecret bool 1137 1138 // NoExtendedMasterSecret causes the client and server to behave as if 1139 // they didn't support an extended master secret in the initial 1140 // handshake. 1141 NoExtendedMasterSecret bool 1142 1143 // NoExtendedMasterSecretOnRenegotiation causes the client and server to 1144 // behave as if they didn't support an extended master secret in 1145 // renegotiation handshakes. 1146 NoExtendedMasterSecretOnRenegotiation bool 1147 1148 // EmptyRenegotiationInfo causes the renegotiation extension to be 1149 // empty in a renegotiation handshake. 1150 EmptyRenegotiationInfo bool 1151 1152 // BadRenegotiationInfo causes the renegotiation extension value in a 1153 // renegotiation handshake to be incorrect at the start. 1154 BadRenegotiationInfo bool 1155 1156 // BadRenegotiationInfoEnd causes the renegotiation extension value in 1157 // a renegotiation handshake to be incorrect at the end. 1158 BadRenegotiationInfoEnd bool 1159 1160 // NoRenegotiationInfo disables renegotiation info support in all 1161 // handshakes. 1162 NoRenegotiationInfo bool 1163 1164 // NoRenegotiationInfoInInitial disables renegotiation info support in 1165 // the initial handshake. 1166 NoRenegotiationInfoInInitial bool 1167 1168 // NoRenegotiationInfoAfterInitial disables renegotiation info support 1169 // in renegotiation handshakes. 1170 NoRenegotiationInfoAfterInitial bool 1171 1172 // RequireRenegotiationInfo, if true, causes the client to return an 1173 // error if the server doesn't reply with the renegotiation extension. 1174 RequireRenegotiationInfo bool 1175 1176 // SequenceNumberMapping, if non-nil, is the mapping function to apply 1177 // to the sequence number of outgoing packets. For both TLS and DTLS, 1178 // the two most-significant bytes in the resulting sequence number are 1179 // ignored so that the DTLS epoch cannot be changed. 1180 SequenceNumberMapping func(uint64) uint64 1181 1182 // RSAEphemeralKey, if true, causes the server to send a 1183 // ServerKeyExchange message containing an ephemeral key (as in 1184 // RSA_EXPORT) in the plain RSA key exchange. 1185 RSAEphemeralKey bool 1186 1187 // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the 1188 // client offers when negotiating SRTP. MKI support is still missing so 1189 // the peer must still send none. 1190 SRTPMasterKeyIdentifer string 1191 1192 // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the 1193 // server sends in the ServerHello instead of the negotiated one. 1194 SendSRTPProtectionProfile uint16 1195 1196 // NoSignatureAlgorithms, if true, causes the client to omit the 1197 // signature and hashes extension. 1198 // 1199 // For a server, it will cause an empty list to be sent in the 1200 // CertificateRequest message. None the less, the configured set will 1201 // still be enforced. 1202 NoSignatureAlgorithms bool 1203 1204 // NoSupportedCurves, if true, causes the client to omit the 1205 // supported_curves extension. 1206 NoSupportedCurves bool 1207 1208 // RequireSameRenegoClientVersion, if true, causes the server 1209 // to require that all ClientHellos match in offered version 1210 // across a renego. 1211 RequireSameRenegoClientVersion bool 1212 1213 // ExpectInitialRecordVersion, if non-zero, is the expected value of 1214 // record-layer version field before the protocol version is determined. 1215 ExpectInitialRecordVersion uint16 1216 1217 // SendRecordVersion, if non-zero, is the value to send as the 1218 // record-layer version. 1219 SendRecordVersion uint16 1220 1221 // SendInitialRecordVersion, if non-zero, is the value to send as the 1222 // record-layer version before the protocol version is determined. 1223 SendInitialRecordVersion uint16 1224 1225 // MaxPacketLength, if non-zero, is the maximum acceptable size for a 1226 // packet. 1227 MaxPacketLength int 1228 1229 // SendCipherSuite, if non-zero, is the cipher suite value that the 1230 // server will send in the ServerHello. This does not affect the cipher 1231 // the server believes it has actually negotiated. 1232 SendCipherSuite uint16 1233 1234 // SendCipherSuites, if not nil, is the cipher suite list that the 1235 // client will send in the ClientHello. This does not affect the cipher 1236 // the client believes it has actually offered. 1237 SendCipherSuites []uint16 1238 1239 // AppDataBeforeHandshake, if not nil, causes application data to be 1240 // sent immediately before the first handshake message. 1241 AppDataBeforeHandshake []byte 1242 1243 // AppDataAfterChangeCipherSpec, if not nil, causes application data to 1244 // be sent immediately after ChangeCipherSpec. 1245 AppDataAfterChangeCipherSpec []byte 1246 1247 // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent 1248 // immediately after ChangeCipherSpec. 1249 AlertAfterChangeCipherSpec alert 1250 1251 // TimeoutSchedule is the schedule of packet drops and simulated 1252 // timeouts for before each handshake leg from the peer. 1253 TimeoutSchedule []time.Duration 1254 1255 // PacketAdaptor is the packetAdaptor to use to simulate timeouts. 1256 PacketAdaptor *packetAdaptor 1257 1258 // MockQUICTransport is the mockQUICTransport used when testing 1259 // QUIC interfaces. 1260 MockQUICTransport *mockQUICTransport 1261 1262 // ReorderHandshakeFragments, if true, causes handshake fragments in 1263 // DTLS to overlap and be sent in the wrong order. It also causes 1264 // pre-CCS flights to be sent twice. (Post-CCS flights consist of 1265 // Finished and will trigger a spurious retransmit.) 1266 ReorderHandshakeFragments bool 1267 1268 // ReverseHandshakeFragments, if true, causes handshake fragments in 1269 // DTLS to be reversed within a flight. 1270 ReverseHandshakeFragments bool 1271 1272 // MixCompleteMessageWithFragments, if true, causes handshake 1273 // messages in DTLS to redundantly both fragment the message 1274 // and include a copy of the full one. 1275 MixCompleteMessageWithFragments bool 1276 1277 // RetransmitFinished, if true, causes the DTLS Finished message to be 1278 // sent twice. 1279 RetransmitFinished bool 1280 1281 // SendInvalidRecordType, if true, causes a record with an invalid 1282 // content type to be sent immediately following the handshake. 1283 SendInvalidRecordType bool 1284 1285 // SendWrongMessageType, if non-zero, causes messages of the specified 1286 // type to be sent with the wrong value. 1287 SendWrongMessageType byte 1288 1289 // SendTrailingMessageData, if non-zero, causes messages of the 1290 // specified type to be sent with trailing data. 1291 SendTrailingMessageData byte 1292 1293 // FragmentMessageTypeMismatch, if true, causes all non-initial 1294 // handshake fragments in DTLS to have the wrong message type. 1295 FragmentMessageTypeMismatch bool 1296 1297 // FragmentMessageLengthMismatch, if true, causes all non-initial 1298 // handshake fragments in DTLS to have the wrong message length. 1299 FragmentMessageLengthMismatch bool 1300 1301 // SplitFragments, if non-zero, causes the handshake fragments in DTLS 1302 // to be split across two records. The value of |SplitFragments| is the 1303 // number of bytes in the first fragment. 1304 SplitFragments int 1305 1306 // SendEmptyFragments, if true, causes handshakes to include empty 1307 // fragments in DTLS. 1308 SendEmptyFragments bool 1309 1310 // SendSplitAlert, if true, causes an alert to be sent with the header 1311 // and record body split across multiple packets. The peer should 1312 // discard these packets rather than process it. 1313 SendSplitAlert bool 1314 1315 // FailIfResumeOnRenego, if true, causes renegotiations to fail if the 1316 // client offers a resumption or the server accepts one. 1317 FailIfResumeOnRenego bool 1318 1319 // IgnorePeerCipherPreferences, if true, causes the peer's cipher 1320 // preferences to be ignored. 1321 IgnorePeerCipherPreferences bool 1322 1323 // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's 1324 // signature algorithm preferences to be ignored. 1325 IgnorePeerSignatureAlgorithmPreferences bool 1326 1327 // IgnorePeerCurvePreferences, if true, causes the peer's curve 1328 // preferences to be ignored. 1329 IgnorePeerCurvePreferences bool 1330 1331 // BadFinished, if true, causes the Finished hash to be broken. 1332 BadFinished bool 1333 1334 // PackHandshakeFragments, if true, causes handshake fragments in DTLS 1335 // to be packed into individual handshake records, up to the specified 1336 // record size. 1337 PackHandshakeFragments int 1338 1339 // PackHandshakeRecords, if non-zero, causes handshake and 1340 // ChangeCipherSpec records in DTLS to be packed into individual 1341 // packets, up to the specified packet size. 1342 PackHandshakeRecords int 1343 1344 // PackAppDataWithHandshake, if true, extends PackHandshakeRecords to 1345 // additionally include the first application data record sent after the 1346 // final Finished message in a handshake. (If the final Finished message 1347 // is sent by the peer, this option has no effect.) This requires that 1348 // the runner rather than shim speak first in a given test. 1349 PackAppDataWithHandshake bool 1350 1351 // SplitAndPackAppData, if true, causes application data in DTLS to be 1352 // split into two records each and packed into one packet. 1353 SplitAndPackAppData bool 1354 1355 // PackHandshakeFlight, if true, causes each handshake flight in TLS to 1356 // be packed into records, up to the largest size record available. 1357 PackHandshakeFlight bool 1358 1359 // AdvertiseAllConfiguredCiphers, if true, causes the client to 1360 // advertise all configured cipher suite values. 1361 AdvertiseAllConfiguredCiphers bool 1362 1363 // EmptyCertificateList, if true, causes the server to send an empty 1364 // certificate list in the Certificate message. 1365 EmptyCertificateList bool 1366 1367 // ExpectNewTicket, if true, causes the client to abort if it does not 1368 // receive a new ticket. 1369 ExpectNewTicket bool 1370 1371 // RequireClientHelloSize, if not zero, is the required length in bytes 1372 // of the ClientHello /record/. This is checked by the server. 1373 RequireClientHelloSize int 1374 1375 // CustomExtension, if not empty, contains the contents of an extension 1376 // that will be added to client/server hellos. 1377 CustomExtension string 1378 1379 // CustomUnencryptedExtension, if not empty, contains the contents of 1380 // an extension that will be added to ServerHello in TLS 1.3. 1381 CustomUnencryptedExtension string 1382 1383 // ExpectedCustomExtension, if not nil, contains the expected contents 1384 // of a custom extension. 1385 ExpectedCustomExtension *string 1386 1387 // CustomTicketExtension, if not empty, contains the contents of an 1388 // extension what will be added to NewSessionTicket in TLS 1.3. 1389 CustomTicketExtension string 1390 1391 // CustomTicketExtension, if not empty, contains the contents of an 1392 // extension what will be added to HelloRetryRequest in TLS 1.3. 1393 CustomHelloRetryRequestExtension string 1394 1395 // NoCloseNotify, if true, causes the close_notify alert to be skipped 1396 // on connection shutdown. 1397 NoCloseNotify bool 1398 1399 // SendAlertOnShutdown, if non-zero, is the alert to send instead of 1400 // close_notify on shutdown. 1401 SendAlertOnShutdown alert 1402 1403 // ExpectCloseNotify, if true, requires a close_notify from the peer on 1404 // shutdown. Records from the peer received after close_notify is sent 1405 // are not discard. 1406 ExpectCloseNotify bool 1407 1408 // SendLargeRecords, if true, allows outgoing records to be sent 1409 // arbitrarily large. 1410 SendLargeRecords bool 1411 1412 // NegotiateALPNAndNPN, if true, causes the server to negotiate both 1413 // ALPN and NPN in the same connetion. 1414 NegotiateALPNAndNPN bool 1415 1416 // SendALPN, if non-empty, causes the server to send the specified 1417 // string in the ALPN extension regardless of the content or presence of 1418 // the client offer. 1419 SendALPN string 1420 1421 // SendUnencryptedALPN, if non-empty, causes the server to send the 1422 // specified string in a ServerHello ALPN extension in TLS 1.3. 1423 SendUnencryptedALPN string 1424 1425 // SendEmptySessionTicket, if true, causes the server to send an empty 1426 // session ticket. 1427 SendEmptySessionTicket bool 1428 1429 // SendPSKKeyExchangeModes, if not nil, determines the PSK key exchange 1430 // modes to send. If a non-nil empty slice, no extension will be sent. 1431 SendPSKKeyExchangeModes []byte 1432 1433 // ExpectNoNewSessionTicket, if present, means that the client will fail upon 1434 // receipt of a NewSessionTicket message. 1435 ExpectNoNewSessionTicket bool 1436 1437 // DuplicateTicketEarlyData causes an extra empty extension of early_data to 1438 // be sent in NewSessionTicket. 1439 DuplicateTicketEarlyData bool 1440 1441 // ExpectTicketEarlyData, if true, means that the client will fail upon 1442 // absence of the early_data extension. 1443 ExpectTicketEarlyData bool 1444 1445 // ExpectTicketAge, if non-zero, is the expected age of the ticket that the 1446 // server receives from the client. 1447 ExpectTicketAge time.Duration 1448 1449 // SendTicketAge, if non-zero, is the ticket age to be sent by the 1450 // client. 1451 SendTicketAge time.Duration 1452 1453 // SendHelloRequestBeforeEveryAppDataRecord, if true, causes a 1454 // HelloRequest handshake message to be sent before each application 1455 // data record. This only makes sense for a server. 1456 SendHelloRequestBeforeEveryAppDataRecord bool 1457 1458 // SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a 1459 // HelloRequest handshake message to be sent before each handshake 1460 // message. This only makes sense for a server. 1461 SendHelloRequestBeforeEveryHandshakeMessage bool 1462 1463 // BadChangeCipherSpec, if not nil, is the body to be sent in 1464 // ChangeCipherSpec records instead of {1}. 1465 BadChangeCipherSpec []byte 1466 1467 // BadHelloRequest, if not nil, is what to send instead of a 1468 // HelloRequest. 1469 BadHelloRequest []byte 1470 1471 // RequireSessionTickets, if true, causes the client to require new 1472 // sessions use session tickets instead of session IDs. 1473 RequireSessionTickets bool 1474 1475 // RequireSessionIDs, if true, causes the client to require new sessions use 1476 // session IDs instead of session tickets. 1477 RequireSessionIDs bool 1478 1479 // NullAllCiphers, if true, causes every cipher to behave like the null 1480 // cipher. 1481 NullAllCiphers bool 1482 1483 // SendSCTListOnResume, if not nil, causes the server to send the 1484 // supplied SCT list in resumption handshakes. 1485 SendSCTListOnResume []byte 1486 1487 // SendSCTListOnRenegotiation, if not nil, causes the server to send the 1488 // supplied SCT list on renegotiation. 1489 SendSCTListOnRenegotiation []byte 1490 1491 // SendOCSPResponseOnResume, if not nil, causes the server to advertise 1492 // OCSP stapling in resumption handshakes and, if applicable, send the 1493 // supplied stapled response. 1494 SendOCSPResponseOnResume []byte 1495 1496 // SendOCSPResponseOnResume, if not nil, causes the server to send the 1497 // supplied OCSP response on renegotiation. 1498 SendOCSPResponseOnRenegotiation []byte 1499 1500 // SendExtensionOnCertificate, if not nil, causes the runner to send the 1501 // supplied bytes in the extensions on the Certificate message. 1502 SendExtensionOnCertificate []byte 1503 1504 // SendOCSPOnIntermediates, if not nil, causes the server to send the 1505 // supplied OCSP on intermediate certificates in the Certificate message. 1506 SendOCSPOnIntermediates []byte 1507 1508 // SendSCTOnIntermediates, if not nil, causes the server to send the 1509 // supplied SCT on intermediate certificates in the Certificate message. 1510 SendSCTOnIntermediates []byte 1511 1512 // SendDuplicateCertExtensions, if true, causes the server to send an extra 1513 // copy of the OCSP/SCT extensions in the Certificate message. 1514 SendDuplicateCertExtensions bool 1515 1516 // ExpectNoExtensionsOnIntermediate, if true, causes the client to 1517 // reject extensions on intermediate certificates. 1518 ExpectNoExtensionsOnIntermediate bool 1519 1520 // RecordPadding is the number of bytes of padding to add to each 1521 // encrypted record in TLS 1.3. 1522 RecordPadding int 1523 1524 // OmitRecordContents, if true, causes encrypted records in TLS 1.3 to 1525 // be missing their body and content type. Padding, if configured, is 1526 // still added. 1527 OmitRecordContents bool 1528 1529 // OuterRecordType, if non-zero, is the outer record type to use instead 1530 // of application data. 1531 OuterRecordType recordType 1532 1533 // SendSignatureAlgorithm, if non-zero, causes all signatures to be sent 1534 // with the given signature algorithm rather than the one negotiated. 1535 SendSignatureAlgorithm signatureAlgorithm 1536 1537 // SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be 1538 // skipped. 1539 SkipECDSACurveCheck bool 1540 1541 // IgnoreSignatureVersionChecks, if true, causes all signature 1542 // algorithms to be enabled at all TLS versions. 1543 IgnoreSignatureVersionChecks bool 1544 1545 // NegotiateRenegotiationInfoAtAllVersions, if true, causes 1546 // Renegotiation Info to be negotiated at all versions. 1547 NegotiateRenegotiationInfoAtAllVersions bool 1548 1549 // NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at 1550 // all versions. 1551 NegotiateNPNAtAllVersions bool 1552 1553 // NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at 1554 // all versions. 1555 NegotiateEMSAtAllVersions bool 1556 1557 // AdvertiseTicketExtension, if true, causes the ticket extension to be 1558 // advertised in server extensions 1559 AdvertiseTicketExtension bool 1560 1561 // NegotiatePSKResumption, if true, causes the server to attempt pure PSK 1562 // resumption. 1563 NegotiatePSKResumption bool 1564 1565 // AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to 1566 // always acknowledge a session, regardless of one was offered. 1567 AlwaysSelectPSKIdentity bool 1568 1569 // SelectPSKIdentityOnResume, if non-zero, causes the server to select 1570 // the specified PSK identity index rather than the actual value. 1571 SelectPSKIdentityOnResume uint16 1572 1573 // ExtraPSKIdentity, if true, causes the client to send an extra PSK 1574 // identity. 1575 ExtraPSKIdentity bool 1576 1577 // MissingKeyShare, if true, causes the TLS 1.3 implementation to skip 1578 // sending a key_share extension and use the zero ECDHE secret 1579 // instead. 1580 MissingKeyShare bool 1581 1582 // SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3 1583 // ClientHello to skip sending a key_share extension and use the zero 1584 // ECDHE secret instead. 1585 SecondClientHelloMissingKeyShare bool 1586 1587 // MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3 1588 // client to pretend the server requested a HelloRetryRequest with the 1589 // given curve rather than the actual one. 1590 MisinterpretHelloRetryRequestCurve CurveID 1591 1592 // DuplicateKeyShares, if true, causes the TLS 1.3 client to send two 1593 // copies of each KeyShareEntry. 1594 DuplicateKeyShares bool 1595 1596 // SendEarlyAlert, if true, sends a fatal alert after the ClientHello. 1597 SendEarlyAlert bool 1598 1599 // SendFakeEarlyDataLength, if non-zero, is the amount of early data to 1600 // send after the ClientHello. 1601 SendFakeEarlyDataLength int 1602 1603 // SendStrayEarlyHandshake, if non-zero, causes the client to send a stray 1604 // handshake record before sending end of early data. 1605 SendStrayEarlyHandshake bool 1606 1607 // OmitEarlyDataExtension, if true, causes the early data extension to 1608 // be omitted in the ClientHello. 1609 OmitEarlyDataExtension bool 1610 1611 // SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to 1612 // send early data after the second ClientHello. 1613 SendEarlyDataOnSecondClientHello bool 1614 1615 // InterleaveEarlyData, if true, causes the TLS 1.3 client to send early 1616 // data interleaved with the second ClientHello and the client Finished. 1617 InterleaveEarlyData bool 1618 1619 // SendEarlyData causes a TLS 1.3 client to send the provided data 1620 // in application data records immediately after the ClientHello, 1621 // provided that the client offers a TLS 1.3 session. It will do this 1622 // whether or not the server advertised early data for the ticket. 1623 SendEarlyData [][]byte 1624 1625 // ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data 1626 // was accepted by the server. 1627 ExpectEarlyDataAccepted bool 1628 1629 // AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data 1630 // regardless of ALPN mismatch. 1631 AlwaysAcceptEarlyData bool 1632 1633 // AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data. 1634 AlwaysRejectEarlyData bool 1635 1636 // SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the 1637 // early_data extension in EncryptedExtensions, independent of whether 1638 // it was accepted. 1639 SendEarlyDataExtension bool 1640 1641 // ExpectEarlyData causes a TLS 1.3 server to read application 1642 // data after the ClientHello (assuming the server is able to 1643 // derive the key under which the data is encrypted) before it 1644 // sends a ServerHello. It checks that the application data it 1645 // reads matches what is provided in ExpectEarlyData and errors if 1646 // the number of records or their content do not match. 1647 ExpectEarlyData [][]byte 1648 1649 // ExpectLateEarlyData causes a TLS 1.3 server to read application 1650 // data after the ServerFinished (assuming the server is able to 1651 // derive the key under which the data is encrypted) before it 1652 // sends the ClientFinished. It checks that the application data it 1653 // reads matches what is provided in ExpectLateEarlyData and errors if 1654 // the number of records or their content do not match. 1655 ExpectLateEarlyData [][]byte 1656 1657 // SendHalfRTTData causes a TLS 1.3 server to send the provided 1658 // data in application data records before reading the client's 1659 // Finished message. 1660 SendHalfRTTData [][]byte 1661 1662 // ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to 1663 // read application data after reading the server's Finished message and 1664 // before sending any subsequent handshake messages. It checks that the 1665 // application data it reads matches what is provided in 1666 // ExpectHalfRTTData and errors if the number of records or their 1667 // content do not match. 1668 ExpectHalfRTTData [][]byte 1669 1670 // EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to 1671 // emit an empty EncryptedExtensions block. 1672 EmptyEncryptedExtensions bool 1673 1674 // EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to 1675 // include the KeyShare extension in the EncryptedExtensions block. 1676 EncryptedExtensionsWithKeyShare bool 1677 1678 // AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to 1679 // be sent by the server, even if empty. 1680 AlwaysSendHelloRetryRequest bool 1681 1682 // SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send 1683 // two HelloRetryRequests instead of one. 1684 SecondHelloRetryRequest bool 1685 1686 // SendHelloRetryRequestCurve, if non-zero, causes the server to send 1687 // the specified curve in a HelloRetryRequest. 1688 SendHelloRetryRequestCurve CurveID 1689 1690 // SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send 1691 // the specified cipher suite in a HelloRetryRequest. 1692 SendHelloRetryRequestCipherSuite uint16 1693 1694 // SendHelloRetryRequestCookie, if not nil, contains a cookie to be 1695 // sent by the server in HelloRetryRequest. 1696 SendHelloRetryRequestCookie []byte 1697 1698 // DuplicateHelloRetryRequestExtensions, if true, causes all 1699 // HelloRetryRequest extensions to be sent twice. 1700 DuplicateHelloRetryRequestExtensions bool 1701 1702 // SendServerHelloVersion, if non-zero, causes the server to send the 1703 // specified value in ServerHello version field. 1704 SendServerHelloVersion uint16 1705 1706 // SendServerSupportedVersionExtension, if non-zero, causes the server to send 1707 // the specified value in supported_versions extension in the ServerHello (but 1708 // not the HelloRetryRequest). 1709 SendServerSupportedVersionExtension uint16 1710 1711 // OmitServerSupportedVersionExtension, if true, causes the server to 1712 // omit the supported_versions extension in the ServerHello (but not the 1713 // HelloRetryRequest) 1714 OmitServerSupportedVersionExtension bool 1715 1716 // SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send 1717 // HelloRetryRequest. 1718 SkipHelloRetryRequest bool 1719 1720 // PackHelloRequestWithFinished, if true, causes the TLS server to send 1721 // HelloRequest in the same record as Finished. 1722 PackHelloRequestWithFinished bool 1723 1724 // ExpectMissingKeyShare, if true, causes the TLS server to fail the 1725 // connection if the selected curve appears in the client's initial 1726 // ClientHello. That is, it requires that a HelloRetryRequest be sent. 1727 ExpectMissingKeyShare bool 1728 1729 // SendExtraFinished, if true, causes an extra Finished message to be 1730 // sent. 1731 SendExtraFinished bool 1732 1733 // SendRequestContext, if not empty, is the request context to send in 1734 // a TLS 1.3 CertificateRequest. 1735 SendRequestContext []byte 1736 1737 // OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm 1738 // extension in a TLS 1.3 CertificateRequest. 1739 OmitCertificateRequestAlgorithms bool 1740 1741 // SendCustomCertificateRequest, if non-zero, send an additional custom 1742 // extension in a TLS 1.3 CertificateRequest. 1743 SendCustomCertificateRequest uint16 1744 1745 // SendSNIWarningAlert, if true, causes the server to send an 1746 // unrecognized_name alert before the ServerHello. 1747 SendSNIWarningAlert bool 1748 1749 // SendCompressionMethods, if not nil, is the compression method list to 1750 // send in the ClientHello. 1751 SendCompressionMethods []byte 1752 1753 // SendCompressionMethod is the compression method to send in the 1754 // ServerHello. 1755 SendCompressionMethod byte 1756 1757 // AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to 1758 // always send a ServerKeyExchange for PSK ciphers, even if the identity 1759 // hint is empty. 1760 AlwaysSendPreSharedKeyIdentityHint bool 1761 1762 // TrailingKeyShareData, if true, causes the client key share list to 1763 // include a trailing byte. 1764 TrailingKeyShareData bool 1765 1766 // InvalidChannelIDSignature, if true, causes the client to generate an 1767 // invalid Channel ID signature. 1768 InvalidChannelIDSignature bool 1769 1770 // AlwaysNegotiateChannelID, if true, causes the server to negotiate Channel 1771 // ID, even whenn the client does not offer it. 1772 AlwaysNegotiateChannelID bool 1773 1774 // ExpectGREASE, if true, causes messages without GREASE values to be 1775 // rejected. See RFC 8701. 1776 ExpectGREASE bool 1777 1778 // OmitPSKsOnSecondClientHello, if true, causes the client to omit the 1779 // PSK extension on the second ClientHello. 1780 OmitPSKsOnSecondClientHello bool 1781 1782 // OnlyCorruptSecondPSKBinder, if true, causes the options below to 1783 // only apply to the second PSK binder. 1784 OnlyCorruptSecondPSKBinder bool 1785 1786 // SendShortPSKBinder, if true, causes the client to send a PSK binder 1787 // that is one byte shorter than it should be. 1788 SendShortPSKBinder bool 1789 1790 // SendInvalidPSKBinder, if true, causes the client to send an invalid 1791 // PSK binder. 1792 SendInvalidPSKBinder bool 1793 1794 // SendNoPSKBinder, if true, causes the client to send no PSK binders. 1795 SendNoPSKBinder bool 1796 1797 // SendExtraPSKBinder, if true, causes the client to send an extra PSK 1798 // binder. 1799 SendExtraPSKBinder bool 1800 1801 // PSKBinderFirst, if true, causes the client to send the PSK Binder 1802 // extension as the first extension instead of the last extension. 1803 PSKBinderFirst bool 1804 1805 // NoOCSPStapling, if true, causes the client to not request OCSP 1806 // stapling. 1807 NoOCSPStapling bool 1808 1809 // NoSignedCertificateTimestamps, if true, causes the client to not 1810 // request signed certificate timestamps. 1811 NoSignedCertificateTimestamps bool 1812 1813 // SendSupportedPointFormats, if not nil, is the list of supported point 1814 // formats to send in ClientHello or ServerHello. If set to a non-nil 1815 // empty slice, no extension will be sent. 1816 SendSupportedPointFormats []byte 1817 1818 // SendServerSupportedCurves, if true, causes the server to send its 1819 // supported curves list in the ServerHello (TLS 1.2) or 1820 // EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and 1821 // valid in TLS 1.3. 1822 SendServerSupportedCurves bool 1823 1824 // MaxReceivePlaintext, if non-zero, is the maximum plaintext record 1825 // length accepted from the peer. 1826 MaxReceivePlaintext int 1827 1828 // ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally 1829 // pack their encrypted handshake messages, fitting at most the 1830 // specified number of plaintext bytes per record. 1831 ExpectPackedEncryptedHandshake int 1832 1833 // SendTicketLifetime, if non-zero, is the ticket lifetime to send in 1834 // NewSessionTicket messages. 1835 SendTicketLifetime time.Duration 1836 1837 // SendServerNameAck, if true, causes the server to acknowledge the SNI 1838 // extension. 1839 SendServerNameAck bool 1840 1841 // ExpectCertificateReqNames, if not nil, contains the list of X.509 1842 // names that must be sent in a CertificateRequest from the server. 1843 ExpectCertificateReqNames [][]byte 1844 1845 // RenegotiationCertificate, if not nil, is the certificate to use on 1846 // renegotiation handshakes. 1847 RenegotiationCertificate *Certificate 1848 1849 // ExpectNoCertificateAuthoritiesExtension, if true, causes the client to 1850 // reject CertificateRequest with the CertificateAuthorities extension. 1851 ExpectNoCertificateAuthoritiesExtension bool 1852 1853 // SigningAlgorithmForLegacyVersions, if non-zero, is the signature algorithm 1854 // to use when signing in TLS 1.1 and earlier where algorithms are not 1855 // negotiated. 1856 SigningAlgorithmForLegacyVersions signatureAlgorithm 1857 1858 // AlwaysSignAsLegacyVersion, if true, causes all TLS versions to sign as if 1859 // they were TLS 1.1 and earlier. This can be paired with 1860 // SendSignatureAlgorithm to send a given signature algorithm enum. 1861 AlwaysSignAsLegacyVersion bool 1862 1863 // RejectUnsolicitedKeyUpdate, if true, causes all unsolicited 1864 // KeyUpdates from the peer to be rejected. 1865 RejectUnsolicitedKeyUpdate bool 1866 1867 // OmitExtensions, if true, causes the extensions field in ClientHello 1868 // and ServerHello messages to be omitted. 1869 OmitExtensions bool 1870 1871 // EmptyExtensions, if true, causes the extensions field in ClientHello 1872 // and ServerHello messages to be present, but empty. 1873 EmptyExtensions bool 1874 1875 // ExpectOmitExtensions, if true, causes the client to reject 1876 // ServerHello messages that do not omit extensions. 1877 ExpectOmitExtensions bool 1878 1879 // ExpectRecordSplitting, if true, causes application records to only be 1880 // accepted if they follow a 1/n-1 record split. 1881 ExpectRecordSplitting bool 1882 1883 // PadClientHello, if non-zero, pads the ClientHello to a multiple of 1884 // that many bytes. 1885 PadClientHello int 1886 1887 // SendTLS13DowngradeRandom, if true, causes the server to send the 1888 // TLS 1.3 anti-downgrade signal. 1889 SendTLS13DowngradeRandom bool 1890 1891 // IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the 1892 // TLS 1.3 anti-downgrade signal. 1893 IgnoreTLS13DowngradeRandom bool 1894 1895 // SendCompressedCoordinates, if true, causes ECDH key shares over NIST 1896 // curves to use compressed coordinates. 1897 SendCompressedCoordinates bool 1898 1899 // SetX25519HighBit, if true, causes X25519 key shares to set their 1900 // high-order bit. 1901 SetX25519HighBit bool 1902 1903 // DuplicateCompressedCertAlgs, if true, causes two, equal, certificate 1904 // compression algorithm IDs to be sent. 1905 DuplicateCompressedCertAlgs bool 1906 1907 // ExpectedCompressedCert specifies the compression algorithm ID that must be 1908 // used on this connection, or zero if there are no special requirements. 1909 ExpectedCompressedCert uint16 1910 1911 // ExpectUncompressedCert, if true, specifies that certificate compression 1912 // should not be used on this connection. 1913 ExpectUncompressedCert bool 1914 1915 // SendCertCompressionAlgID, if not zero, sets the algorithm ID that will be 1916 // sent in the compressed certificate message. 1917 SendCertCompressionAlgID uint16 1918 1919 // SendCertUncompressedLength, if not zero, sets the uncompressed length that 1920 // will be sent in the compressed certificate message. 1921 SendCertUncompressedLength uint32 1922 1923 // SendClientHelloWithFixes, if not nil, sends the specified byte string 1924 // instead of the ClientHello. This string is incorporated into the 1925 // transcript as if it were the real ClientHello, but the handshake will 1926 // otherwise behave as if this was not sent in terms of what ciphers it 1927 // will accept, etc. 1928 // 1929 // The input is modified to match key share entries. DefaultCurves must 1930 // be configured to match. The random and session ID fields are 1931 // extracted from the ClientHello. 1932 SendClientHelloWithFixes []byte 1933 1934 // SendJDK11DowngradeRandom, if true, causes the server to send the JDK 1935 // 11 downgrade signal. 1936 SendJDK11DowngradeRandom bool 1937 1938 // ExpectJDK11DowngradeRandom is whether the client should expect the 1939 // server to send the JDK 11 downgrade signal. 1940 ExpectJDK11DowngradeRandom bool 1941 1942 // FailIfHelloRetryRequested causes a handshake failure if a server requests a 1943 // hello retry. 1944 FailIfHelloRetryRequested bool 1945 1946 // FailedIfKyberOffered will cause a server to reject a ClientHello if Kyber 1947 // is supported. 1948 FailIfKyberOffered bool 1949 1950 // ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello 1951 // should have key shares for. 1952 ExpectedKeyShares []CurveID 1953 1954 // ExpectDelegatedCredentials, if true, requires that the handshake present 1955 // delegated credentials. 1956 ExpectDelegatedCredentials bool 1957 1958 // FailIfDelegatedCredentials, if true, causes a handshake failure if the 1959 // server returns delegated credentials. 1960 FailIfDelegatedCredentials bool 1961 1962 // DisableDelegatedCredentials, if true, disables client support for delegated 1963 // credentials. 1964 DisableDelegatedCredentials bool 1965 1966 // CompatModeWithQUIC, if true, enables TLS 1.3 compatibility mode 1967 // when running over QUIC. 1968 CompatModeWithQUIC bool 1969 1970 // EncryptSessionTicketKey, if non-nil, is the ticket key to use when 1971 // encrypting tickets. 1972 EncryptSessionTicketKey *[32]byte 1973} 1974 1975func (c *Config) serverInit() { 1976 if c.SessionTicketsDisabled { 1977 return 1978 } 1979 1980 // If the key has already been set then we have nothing to do. 1981 for _, b := range c.SessionTicketKey { 1982 if b != 0 { 1983 return 1984 } 1985 } 1986 1987 if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { 1988 c.SessionTicketsDisabled = true 1989 } 1990} 1991 1992func (c *Config) rand() io.Reader { 1993 r := c.Rand 1994 if r == nil { 1995 return rand.Reader 1996 } 1997 return r 1998} 1999 2000func (c *Config) time() time.Time { 2001 t := c.Time 2002 if t == nil { 2003 t = time.Now 2004 } 2005 return t() 2006} 2007 2008func (c *Config) cipherSuites() []uint16 { 2009 s := c.CipherSuites 2010 if s == nil { 2011 s = defaultCipherSuites() 2012 } 2013 return s 2014} 2015 2016func (c *Config) minVersion(isDTLS bool) uint16 { 2017 ret := uint16(minVersion) 2018 if c != nil && c.MinVersion != 0 { 2019 ret = c.MinVersion 2020 } 2021 if isDTLS { 2022 // The lowest version of DTLS is 1.0. There is no DSSL 3.0. 2023 if ret < VersionTLS10 { 2024 return VersionTLS10 2025 } 2026 // There is no such thing as DTLS 1.1. 2027 if ret == VersionTLS11 { 2028 return VersionTLS12 2029 } 2030 } 2031 return ret 2032} 2033 2034func (c *Config) maxVersion(isDTLS bool) uint16 { 2035 ret := uint16(maxVersion) 2036 if c != nil && c.MaxVersion != 0 { 2037 ret = c.MaxVersion 2038 } 2039 if isDTLS { 2040 // We only implement up to DTLS 1.2. 2041 if ret > VersionTLS12 { 2042 return VersionTLS12 2043 } 2044 // There is no such thing as DTLS 1.1. 2045 if ret == VersionTLS11 { 2046 return VersionTLS10 2047 } 2048 } 2049 return ret 2050} 2051 2052var defaultCurvePreferences = []CurveID{CurveX25519Kyber768, CurveX25519, CurveP256, CurveP384, CurveP521} 2053 2054func (c *Config) curvePreferences() []CurveID { 2055 if c == nil || len(c.CurvePreferences) == 0 { 2056 return defaultCurvePreferences 2057 } 2058 return c.CurvePreferences 2059} 2060 2061func (c *Config) defaultCurves() map[CurveID]bool { 2062 defaultCurves := make(map[CurveID]bool) 2063 curves := c.DefaultCurves 2064 if c == nil || c.DefaultCurves == nil { 2065 curves = c.curvePreferences() 2066 } 2067 for _, curveID := range curves { 2068 defaultCurves[curveID] = true 2069 } 2070 return defaultCurves 2071} 2072 2073var defaultECHCipherSuitePreferences = []HPKECipherSuite{ 2074 {KDF: hpke.HKDFSHA256, AEAD: hpke.AES128GCM}, 2075 {KDF: hpke.HKDFSHA256, AEAD: hpke.AES256GCM}, 2076 {KDF: hpke.HKDFSHA256, AEAD: hpke.ChaCha20Poly1305}, 2077} 2078 2079func (c *Config) echCipherSuitePreferences() []HPKECipherSuite { 2080 if c == nil || len(c.ECHCipherSuites) == 0 { 2081 return defaultECHCipherSuitePreferences 2082 } 2083 return c.ECHCipherSuites 2084} 2085 2086func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { 2087 if isDTLS { 2088 switch vers { 2089 case VersionDTLS12: 2090 return VersionTLS12, true 2091 case VersionDTLS10: 2092 return VersionTLS10, true 2093 } 2094 } else { 2095 switch vers { 2096 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13: 2097 return vers, true 2098 } 2099 } 2100 2101 return 0, false 2102} 2103 2104// isSupportedVersion checks if the specified wire version is acceptable. If so, 2105// it returns true and the corresponding protocol version. Otherwise, it returns 2106// false. 2107func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { 2108 vers, ok := wireToVersion(wireVers, isDTLS) 2109 if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { 2110 return 0, false 2111 } 2112 return vers, true 2113} 2114 2115func (c *Config) supportedVersions(isDTLS, requireTLS13 bool) []uint16 { 2116 versions := allTLSWireVersions 2117 if isDTLS { 2118 versions = allDTLSWireVersions 2119 } 2120 var ret []uint16 2121 for _, wireVers := range versions { 2122 vers, ok := c.isSupportedVersion(wireVers, isDTLS) 2123 if !ok { 2124 continue 2125 } 2126 if requireTLS13 && vers < VersionTLS13 { 2127 continue 2128 } 2129 ret = append(ret, wireVers) 2130 } 2131 return ret 2132} 2133 2134// getCertificateForName returns the best certificate for the given name, 2135// defaulting to the first element of c.Certificates if there are no good 2136// options. 2137func (c *Config) getCertificateForName(name string) *Certificate { 2138 if len(c.Certificates) == 1 || c.NameToCertificate == nil { 2139 // There's only one choice, so no point doing any work. 2140 return &c.Certificates[0] 2141 } 2142 2143 name = strings.ToLower(name) 2144 for len(name) > 0 && name[len(name)-1] == '.' { 2145 name = name[:len(name)-1] 2146 } 2147 2148 if cert, ok := c.NameToCertificate[name]; ok { 2149 return cert 2150 } 2151 2152 // try replacing labels in the name with wildcards until we get a 2153 // match. 2154 labels := strings.Split(name, ".") 2155 for i := range labels { 2156 labels[i] = "*" 2157 candidate := strings.Join(labels, ".") 2158 if cert, ok := c.NameToCertificate[candidate]; ok { 2159 return cert 2160 } 2161 } 2162 2163 // If nothing matches, return the first certificate. 2164 return &c.Certificates[0] 2165} 2166 2167func (c *Config) signSignatureAlgorithms() []signatureAlgorithm { 2168 if c != nil && c.SignSignatureAlgorithms != nil { 2169 return c.SignSignatureAlgorithms 2170 } 2171 return supportedSignatureAlgorithms 2172} 2173 2174func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm { 2175 if c != nil && c.VerifySignatureAlgorithms != nil { 2176 return c.VerifySignatureAlgorithms 2177 } 2178 return supportedSignatureAlgorithms 2179} 2180 2181// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate 2182// from the CommonName and SubjectAlternateName fields of each of the leaf 2183// certificates. 2184func (c *Config) BuildNameToCertificate() { 2185 c.NameToCertificate = make(map[string]*Certificate) 2186 for i := range c.Certificates { 2187 cert := &c.Certificates[i] 2188 x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) 2189 if err != nil { 2190 continue 2191 } 2192 if len(x509Cert.Subject.CommonName) > 0 { 2193 c.NameToCertificate[x509Cert.Subject.CommonName] = cert 2194 } 2195 for _, san := range x509Cert.DNSNames { 2196 c.NameToCertificate[san] = cert 2197 } 2198 } 2199} 2200 2201// A Certificate is a chain of one or more certificates, leaf first. 2202type Certificate struct { 2203 Certificate [][]byte 2204 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey 2205 // OCSPStaple contains an optional OCSP response which will be served 2206 // to clients that request it. 2207 OCSPStaple []byte 2208 // SignedCertificateTimestampList contains an optional encoded 2209 // SignedCertificateTimestampList structure which will be 2210 // served to clients that request it. 2211 SignedCertificateTimestampList []byte 2212 // Leaf is the parsed form of the leaf certificate, which may be 2213 // initialized using x509.ParseCertificate to reduce per-handshake 2214 // processing for TLS clients doing client authentication. If nil, the 2215 // leaf certificate will be parsed as needed. 2216 Leaf *x509.Certificate 2217} 2218 2219// A TLS record. 2220type record struct { 2221 contentType recordType 2222 major, minor uint8 2223 payload []byte 2224} 2225 2226type handshakeMessage interface { 2227 marshal() []byte 2228 unmarshal([]byte) bool 2229} 2230 2231// lruSessionCache is a client or server session cache implementation 2232// that uses an LRU caching strategy. 2233type lruSessionCache struct { 2234 sync.Mutex 2235 2236 m map[string]*list.Element 2237 q *list.List 2238 capacity int 2239} 2240 2241type lruSessionCacheEntry struct { 2242 sessionKey string 2243 state any 2244} 2245 2246// Put adds the provided (sessionKey, cs) pair to the cache. 2247func (c *lruSessionCache) Put(sessionKey string, cs any) { 2248 c.Lock() 2249 defer c.Unlock() 2250 2251 if elem, ok := c.m[sessionKey]; ok { 2252 entry := elem.Value.(*lruSessionCacheEntry) 2253 entry.state = cs 2254 c.q.MoveToFront(elem) 2255 return 2256 } 2257 2258 if c.q.Len() < c.capacity { 2259 entry := &lruSessionCacheEntry{sessionKey, cs} 2260 c.m[sessionKey] = c.q.PushFront(entry) 2261 return 2262 } 2263 2264 elem := c.q.Back() 2265 entry := elem.Value.(*lruSessionCacheEntry) 2266 delete(c.m, entry.sessionKey) 2267 entry.sessionKey = sessionKey 2268 entry.state = cs 2269 c.q.MoveToFront(elem) 2270 c.m[sessionKey] = elem 2271} 2272 2273// Get returns the value associated with a given key. It returns (nil, 2274// false) if no value is found. 2275func (c *lruSessionCache) Get(sessionKey string) (any, bool) { 2276 c.Lock() 2277 defer c.Unlock() 2278 2279 if elem, ok := c.m[sessionKey]; ok { 2280 c.q.MoveToFront(elem) 2281 return elem.Value.(*lruSessionCacheEntry).state, true 2282 } 2283 return nil, false 2284} 2285 2286// lruClientSessionCache is a ClientSessionCache implementation that 2287// uses an LRU caching strategy. 2288type lruClientSessionCache struct { 2289 lruSessionCache 2290} 2291 2292func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { 2293 c.lruSessionCache.Put(sessionKey, cs) 2294} 2295 2296func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { 2297 cs, ok := c.lruSessionCache.Get(sessionKey) 2298 if !ok { 2299 return nil, false 2300 } 2301 return cs.(*ClientSessionState), true 2302} 2303 2304// lruServerSessionCache is a ServerSessionCache implementation that 2305// uses an LRU caching strategy. 2306type lruServerSessionCache struct { 2307 lruSessionCache 2308} 2309 2310func (c *lruServerSessionCache) Put(sessionID string, session *sessionState) { 2311 c.lruSessionCache.Put(sessionID, session) 2312} 2313 2314func (c *lruServerSessionCache) Get(sessionID string) (*sessionState, bool) { 2315 cs, ok := c.lruSessionCache.Get(sessionID) 2316 if !ok { 2317 return nil, false 2318 } 2319 return cs.(*sessionState), true 2320} 2321 2322// NewLRUClientSessionCache returns a ClientSessionCache with the given 2323// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 2324// is used instead. 2325func NewLRUClientSessionCache(capacity int) ClientSessionCache { 2326 const defaultSessionCacheCapacity = 64 2327 2328 if capacity < 1 { 2329 capacity = defaultSessionCacheCapacity 2330 } 2331 return &lruClientSessionCache{ 2332 lruSessionCache{ 2333 m: make(map[string]*list.Element), 2334 q: list.New(), 2335 capacity: capacity, 2336 }, 2337 } 2338} 2339 2340// NewLRUServerSessionCache returns a ServerSessionCache with the given 2341// capacity that uses an LRU strategy. If capacity is < 1, a default capacity 2342// is used instead. 2343func NewLRUServerSessionCache(capacity int) ServerSessionCache { 2344 const defaultSessionCacheCapacity = 64 2345 2346 if capacity < 1 { 2347 capacity = defaultSessionCacheCapacity 2348 } 2349 return &lruServerSessionCache{ 2350 lruSessionCache{ 2351 m: make(map[string]*list.Element), 2352 q: list.New(), 2353 capacity: capacity, 2354 }, 2355 } 2356} 2357 2358// TODO(jsing): Make these available to both crypto/x509 and crypto/tls. 2359type dsaSignature struct { 2360 R, S *big.Int 2361} 2362 2363type ecdsaSignature dsaSignature 2364 2365var emptyConfig Config 2366 2367func defaultConfig() *Config { 2368 return &emptyConfig 2369} 2370 2371var ( 2372 once sync.Once 2373 varDefaultCipherSuites []uint16 2374) 2375 2376func defaultCipherSuites() []uint16 { 2377 once.Do(initDefaultCipherSuites) 2378 return varDefaultCipherSuites 2379} 2380 2381func initDefaultCipherSuites() { 2382 for _, suite := range cipherSuites { 2383 if suite.flags&suitePSK == 0 { 2384 varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) 2385 } 2386 } 2387} 2388 2389func unexpectedMessageError(wanted, got any) error { 2390 return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) 2391} 2392 2393func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool { 2394 for _, s := range sigAlgs { 2395 if s == sigAlg { 2396 return true 2397 } 2398 } 2399 return false 2400} 2401 2402var ( 2403 // See RFC 8446, section 4.1.3. 2404 downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} 2405 downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} 2406 2407 // This is a non-standard randomly-generated value. 2408 downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff} 2409) 2410 2411func containsGREASE(values []uint16) bool { 2412 for _, v := range values { 2413 if isGREASEValue(v) { 2414 return true 2415 } 2416 } 2417 return false 2418} 2419 2420func isAllZero(v []byte) bool { 2421 for _, b := range v { 2422 if b != 0 { 2423 return false 2424 } 2425 } 2426 return true 2427} 2428