Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1 | // Copyright 2009 The Go Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style |
| 3 | // license that can be found in the LICENSE file. |
| 4 | |
Adam Langley | dc7e9c4 | 2015-09-29 15:21:04 -0700 | [diff] [blame] | 5 | package runner |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 6 | |
| 7 | import ( |
| 8 | "container/list" |
| 9 | "crypto" |
David Benjamin | d30a990 | 2014-08-24 01:44:23 -0400 | [diff] [blame] | 10 | "crypto/ecdsa" |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 11 | "crypto/rand" |
| 12 | "crypto/x509" |
| 13 | "fmt" |
| 14 | "io" |
| 15 | "math/big" |
| 16 | "strings" |
| 17 | "sync" |
| 18 | "time" |
| 19 | ) |
| 20 | |
| 21 | const ( |
| 22 | VersionSSL30 = 0x0300 |
| 23 | VersionTLS10 = 0x0301 |
| 24 | VersionTLS11 = 0x0302 |
| 25 | VersionTLS12 = 0x0303 |
Nick Harper | 1fd39d8 | 2016-06-14 18:14:35 -0700 | [diff] [blame] | 26 | VersionTLS13 = 0x0304 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 27 | ) |
| 28 | |
David Benjamin | 353577c | 2017-06-29 15:54:58 -0400 | [diff] [blame] | 29 | const ( |
| 30 | VersionDTLS10 = 0xfeff |
| 31 | VersionDTLS12 = 0xfefd |
| 32 | ) |
| 33 | |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 34 | // A draft version of TLS 1.3 that is sent over the wire for the current draft. |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 35 | const ( |
Steven Valdez | 4c7f5fa | 2017-10-02 15:53:57 -0400 | [diff] [blame] | 36 | tls13DraftVersion = 0x7f12 |
| 37 | tls13ExperimentVersion = 0x7e01 |
| 38 | tls13Experiment2Version = 0x7e02 |
| 39 | tls13Experiment3Version = 0x7e03 |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 40 | ) |
| 41 | |
| 42 | const ( |
Steven Valdez | 4c7f5fa | 2017-10-02 15:53:57 -0400 | [diff] [blame] | 43 | TLS13Default = 0 |
| 44 | TLS13Experiment = 1 |
| 45 | TLS13Experiment2 = 2 |
| 46 | TLS13Experiment3 = 3 |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 47 | ) |
Nick Harper | 4d90c10 | 2016-07-17 10:53:26 +0200 | [diff] [blame] | 48 | |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 49 | var allTLSWireVersions = []uint16{ |
| 50 | tls13DraftVersion, |
Steven Valdez | c7d4d21 | 2017-09-11 13:53:08 -0400 | [diff] [blame] | 51 | tls13Experiment3Version, |
Steven Valdez | 1682126 | 2017-09-08 17:03:42 -0400 | [diff] [blame] | 52 | tls13Experiment2Version, |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 53 | tls13ExperimentVersion, |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 54 | VersionTLS12, |
| 55 | VersionTLS11, |
| 56 | VersionTLS10, |
| 57 | VersionSSL30, |
| 58 | } |
| 59 | |
| 60 | var allDTLSWireVersions = []uint16{ |
| 61 | VersionDTLS12, |
| 62 | VersionDTLS10, |
| 63 | } |
| 64 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 65 | const ( |
David Benjamin | 83c0bc9 | 2014-08-04 01:23:53 -0400 | [diff] [blame] | 66 | maxPlaintext = 16384 // maximum plaintext payload length |
| 67 | maxCiphertext = 16384 + 2048 // maximum ciphertext payload length |
| 68 | tlsRecordHeaderLen = 5 // record header length |
| 69 | dtlsRecordHeaderLen = 13 |
| 70 | maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 71 | |
| 72 | minVersion = VersionSSL30 |
Nick Harper | 1fd39d8 | 2016-06-14 18:14:35 -0700 | [diff] [blame] | 73 | maxVersion = VersionTLS13 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 74 | ) |
| 75 | |
| 76 | // TLS record types. |
| 77 | type recordType uint8 |
| 78 | |
| 79 | const ( |
Steven Valdez | dbe0158 | 2017-07-14 10:39:28 -0400 | [diff] [blame] | 80 | recordTypeChangeCipherSpec recordType = 20 |
| 81 | recordTypeAlert recordType = 21 |
| 82 | recordTypeHandshake recordType = 22 |
| 83 | recordTypeApplicationData recordType = 23 |
| 84 | recordTypePlaintextHandshake recordType = 24 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 85 | ) |
| 86 | |
| 87 | // TLS handshake message types. |
| 88 | const ( |
David Benjamin | cedff87 | 2016-06-30 18:55:18 -0400 | [diff] [blame] | 89 | typeHelloRequest uint8 = 0 |
| 90 | typeClientHello uint8 = 1 |
| 91 | typeServerHello uint8 = 2 |
| 92 | typeHelloVerifyRequest uint8 = 3 |
| 93 | typeNewSessionTicket uint8 = 4 |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 94 | typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16 |
| 95 | typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16 |
David Benjamin | cedff87 | 2016-06-30 18:55:18 -0400 | [diff] [blame] | 96 | typeCertificate uint8 = 11 |
| 97 | typeServerKeyExchange uint8 = 12 |
| 98 | typeCertificateRequest uint8 = 13 |
| 99 | typeServerHelloDone uint8 = 14 |
| 100 | typeCertificateVerify uint8 = 15 |
| 101 | typeClientKeyExchange uint8 = 16 |
| 102 | typeFinished uint8 = 20 |
| 103 | typeCertificateStatus uint8 = 22 |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 104 | typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16 |
David Benjamin | cedff87 | 2016-06-30 18:55:18 -0400 | [diff] [blame] | 105 | typeNextProtocol uint8 = 67 // Not IANA assigned |
| 106 | typeChannelID uint8 = 203 // Not IANA assigned |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 107 | ) |
| 108 | |
| 109 | // TLS compression types. |
| 110 | const ( |
| 111 | compressionNone uint8 = 0 |
| 112 | ) |
| 113 | |
| 114 | // TLS extension numbers |
| 115 | const ( |
David Benjamin | 61f9527 | 2014-11-25 01:55:35 -0500 | [diff] [blame] | 116 | extensionServerName uint16 = 0 |
| 117 | extensionStatusRequest uint16 = 5 |
| 118 | extensionSupportedCurves uint16 = 10 |
| 119 | extensionSupportedPoints uint16 = 11 |
| 120 | extensionSignatureAlgorithms uint16 = 13 |
| 121 | extensionUseSRTP uint16 = 14 |
| 122 | extensionALPN uint16 = 16 |
| 123 | extensionSignedCertificateTimestamp uint16 = 18 |
David Benjamin | e51fb0f | 2017-09-07 11:51:46 -0400 | [diff] [blame] | 124 | extensionPadding uint16 = 21 |
David Benjamin | 61f9527 | 2014-11-25 01:55:35 -0500 | [diff] [blame] | 125 | extensionExtendedMasterSecret uint16 = 23 |
| 126 | extensionSessionTicket uint16 = 35 |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 127 | extensionKeyShare uint16 = 40 // draft-ietf-tls-tls13-16 |
| 128 | extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-16 |
| 129 | extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-16 |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 130 | extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-16 |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 131 | extensionCookie uint16 = 44 // draft-ietf-tls-tls13-16 |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 132 | extensionPSKKeyExchangeModes uint16 = 45 // draft-ietf-tls-tls13-18 |
Steven Valdez | 08b65f4 | 2016-12-07 15:29:45 -0500 | [diff] [blame] | 133 | extensionTicketEarlyDataInfo uint16 = 46 // draft-ietf-tls-tls13-18 |
David Benjamin | 399e7c9 | 2015-07-30 23:01:27 -0400 | [diff] [blame] | 134 | extensionCustom uint16 = 1234 // not IANA assigned |
David Benjamin | 61f9527 | 2014-11-25 01:55:35 -0500 | [diff] [blame] | 135 | extensionNextProtoNeg uint16 = 13172 // not IANA assigned |
| 136 | extensionRenegotiationInfo uint16 = 0xff01 |
| 137 | extensionChannelID uint16 = 30032 // not IANA assigned |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 138 | ) |
| 139 | |
| 140 | // TLS signaling cipher suite values |
| 141 | const ( |
| 142 | scsvRenegotiation uint16 = 0x00ff |
| 143 | ) |
| 144 | |
| 145 | // CurveID is the type of a TLS identifier for an elliptic curve. See |
| 146 | // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 |
| 147 | type CurveID uint16 |
| 148 | |
| 149 | const ( |
David Benjamin | cba2b62 | 2015-12-18 22:13:41 -0500 | [diff] [blame] | 150 | CurveP224 CurveID = 21 |
| 151 | CurveP256 CurveID = 23 |
| 152 | CurveP384 CurveID = 24 |
| 153 | CurveP521 CurveID = 25 |
| 154 | CurveX25519 CurveID = 29 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 155 | ) |
| 156 | |
| 157 | // TLS Elliptic Curve Point Formats |
| 158 | // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 |
| 159 | const ( |
David Benjamin | a81967b | 2016-12-22 09:16:57 -0500 | [diff] [blame] | 160 | pointFormatUncompressed uint8 = 0 |
| 161 | pointFormatCompressedPrime uint8 = 1 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 162 | ) |
| 163 | |
| 164 | // TLS CertificateStatusType (RFC 3546) |
| 165 | const ( |
| 166 | statusTypeOCSP uint8 = 1 |
| 167 | ) |
| 168 | |
| 169 | // Certificate types (for certificateRequestMsg) |
| 170 | const ( |
David Benjamin | 7b03051 | 2014-07-08 17:30:11 -0400 | [diff] [blame] | 171 | CertTypeRSASign = 1 // A certificate containing an RSA key |
| 172 | CertTypeDSSSign = 2 // A certificate containing a DSA key |
| 173 | CertTypeRSAFixedDH = 3 // A certificate containing a static DH key |
| 174 | CertTypeDSSFixedDH = 4 // A certificate containing a static DH key |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 175 | |
| 176 | // See RFC4492 sections 3 and 5.5. |
David Benjamin | 7b03051 | 2014-07-08 17:30:11 -0400 | [diff] [blame] | 177 | CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. |
| 178 | CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. |
| 179 | CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 180 | |
| 181 | // Rest of these are reserved by the TLS spec |
| 182 | ) |
| 183 | |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 184 | // signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note |
| 185 | // that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with |
| 186 | // TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature |
| 187 | // algorithms' throughout. We match the latter. |
| 188 | type signatureAlgorithm uint16 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 189 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 190 | const ( |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 191 | // RSASSA-PKCS1-v1_5 algorithms |
| 192 | signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101 |
| 193 | signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201 |
| 194 | signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401 |
| 195 | signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501 |
| 196 | signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 197 | |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 198 | // ECDSA algorithms |
| 199 | signatureECDSAWithSHA1 signatureAlgorithm = 0x0203 |
| 200 | signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403 |
| 201 | signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503 |
| 202 | signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603 |
| 203 | |
| 204 | // RSASSA-PSS algorithms |
David Benjamin | af56fbd | 2016-09-21 14:38:06 -0400 | [diff] [blame] | 205 | signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804 |
| 206 | signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805 |
| 207 | signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806 |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 208 | |
| 209 | // EdDSA algorithms |
David Benjamin | af56fbd | 2016-09-21 14:38:06 -0400 | [diff] [blame] | 210 | signatureEd25519 signatureAlgorithm = 0x0807 |
| 211 | signatureEd448 signatureAlgorithm = 0x0808 |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 212 | ) |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 213 | |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 214 | // supportedSignatureAlgorithms contains the default supported signature |
| 215 | // algorithms. |
| 216 | var supportedSignatureAlgorithms = []signatureAlgorithm{ |
| 217 | signatureRSAPSSWithSHA256, |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 218 | signatureRSAPKCS1WithSHA256, |
| 219 | signatureECDSAWithP256AndSHA256, |
| 220 | signatureRSAPKCS1WithSHA1, |
| 221 | signatureECDSAWithSHA1, |
David Benjamin | d768c5d | 2017-03-28 18:28:44 -0500 | [diff] [blame] | 222 | signatureEd25519, |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 223 | } |
| 224 | |
David Benjamin | ca6c826 | 2014-11-15 19:06:08 -0500 | [diff] [blame] | 225 | // SRTP protection profiles (See RFC 5764, section 4.1.2) |
| 226 | const ( |
| 227 | SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 |
| 228 | SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 |
| 229 | ) |
| 230 | |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 231 | // PskKeyExchangeMode values (see draft-ietf-tls-tls13-16) |
David Benjamin | 5810488 | 2016-07-18 01:25:41 +0200 | [diff] [blame] | 232 | const ( |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 233 | pskKEMode = 0 |
| 234 | pskDHEKEMode = 1 |
| 235 | ) |
| 236 | |
Steven Valdez | c4aa727 | 2016-10-03 12:25:56 -0400 | [diff] [blame] | 237 | // KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3) |
| 238 | const ( |
| 239 | keyUpdateNotRequested = 0 |
| 240 | keyUpdateRequested = 1 |
| 241 | ) |
| 242 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 243 | // ConnectionState records basic TLS details about the connection. |
| 244 | type ConnectionState struct { |
| 245 | Version uint16 // TLS version used by the connection (e.g. VersionTLS12) |
| 246 | HandshakeComplete bool // TLS handshake is complete |
| 247 | DidResume bool // connection resumes a previous TLS connection |
| 248 | CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) |
| 249 | NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) |
| 250 | NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server |
David Benjamin | fc7b086 | 2014-09-06 13:21:53 -0400 | [diff] [blame] | 251 | NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 252 | ServerName string // server name requested by client, if any (server side only) |
| 253 | PeerCertificates []*x509.Certificate // certificate chain presented by remote peer |
| 254 | VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates |
David Benjamin | d30a990 | 2014-08-24 01:44:23 -0400 | [diff] [blame] | 255 | ChannelID *ecdsa.PublicKey // the channel ID for this connection |
David Benjamin | ca6c826 | 2014-11-15 19:06:08 -0500 | [diff] [blame] | 256 | SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile |
David Benjamin | c057762 | 2015-09-12 18:28:38 -0400 | [diff] [blame] | 257 | TLSUnique []byte // the tls-unique channel binding |
Paul Lietar | 4fac72e | 2015-09-09 13:44:55 +0100 | [diff] [blame] | 258 | SCTList []byte // signed certificate timestamp list |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 259 | PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 260 | CurveID CurveID // the curve used in ECDHE |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 261 | } |
| 262 | |
| 263 | // ClientAuthType declares the policy the server will follow for |
| 264 | // TLS Client Authentication. |
| 265 | type ClientAuthType int |
| 266 | |
| 267 | const ( |
| 268 | NoClientCert ClientAuthType = iota |
| 269 | RequestClientCert |
| 270 | RequireAnyClientCert |
| 271 | VerifyClientCertIfGiven |
| 272 | RequireAndVerifyClientCert |
| 273 | ) |
| 274 | |
| 275 | // ClientSessionState contains the state needed by clients to resume TLS |
| 276 | // sessions. |
| 277 | type ClientSessionState struct { |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 278 | sessionId []uint8 // Session ID supplied by the server. nil if the session has a ticket. |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 279 | sessionTicket []uint8 // Encrypted ticket used for session resumption with server |
| 280 | vers uint16 // SSL/TLS version negotiated for the session |
Steven Valdez | c7d4d21 | 2017-09-11 13:53:08 -0400 | [diff] [blame] | 281 | wireVersion uint16 // Wire SSL/TLS version negotiated for the session |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 282 | cipherSuite uint16 // Ciphersuite negotiated for the session |
| 283 | masterSecret []byte // MasterSecret generated by client on a full handshake |
| 284 | handshakeHash []byte // Handshake hash for Channel ID purposes. |
| 285 | serverCertificates []*x509.Certificate // Certificate chain presented by the server |
| 286 | extendedMasterSecret bool // Whether an extended master secret was used to generate the session |
Paul Lietar | 62be8ac | 2015-09-16 10:03:30 +0100 | [diff] [blame] | 287 | sctList []byte |
| 288 | ocspResponse []byte |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 289 | earlyALPN string |
Nick Harper | 0b3625b | 2016-07-25 16:16:28 -0700 | [diff] [blame] | 290 | ticketCreationTime time.Time |
| 291 | ticketExpiration time.Time |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 292 | ticketAgeAdd uint32 |
Nick Harper | f2511f1 | 2016-12-06 16:02:31 -0800 | [diff] [blame] | 293 | maxEarlyDataSize uint32 |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 294 | } |
| 295 | |
| 296 | // ClientSessionCache is a cache of ClientSessionState objects that can be used |
| 297 | // by a client to resume a TLS session with a given server. ClientSessionCache |
| 298 | // implementations should expect to be called concurrently from different |
| 299 | // goroutines. |
| 300 | type ClientSessionCache interface { |
| 301 | // Get searches for a ClientSessionState associated with the given key. |
| 302 | // On return, ok is true if one was found. |
| 303 | Get(sessionKey string) (session *ClientSessionState, ok bool) |
| 304 | |
| 305 | // Put adds the ClientSessionState to the cache with the given key. |
| 306 | Put(sessionKey string, cs *ClientSessionState) |
| 307 | } |
| 308 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 309 | // ServerSessionCache is a cache of sessionState objects that can be used by a |
| 310 | // client to resume a TLS session with a given server. ServerSessionCache |
| 311 | // implementations should expect to be called concurrently from different |
| 312 | // goroutines. |
| 313 | type ServerSessionCache interface { |
| 314 | // Get searches for a sessionState associated with the given session |
| 315 | // ID. On return, ok is true if one was found. |
| 316 | Get(sessionId string) (session *sessionState, ok bool) |
| 317 | |
| 318 | // Put adds the sessionState to the cache with the given session ID. |
| 319 | Put(sessionId string, session *sessionState) |
| 320 | } |
| 321 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 322 | // A Config structure is used to configure a TLS client or server. |
| 323 | // After one has been passed to a TLS function it must not be |
| 324 | // modified. A Config may be reused; the tls package will also not |
| 325 | // modify it. |
| 326 | type Config struct { |
| 327 | // Rand provides the source of entropy for nonces and RSA blinding. |
| 328 | // If Rand is nil, TLS uses the cryptographic random reader in package |
| 329 | // crypto/rand. |
| 330 | // The Reader must be safe for use by multiple goroutines. |
| 331 | Rand io.Reader |
| 332 | |
| 333 | // Time returns the current time as the number of seconds since the epoch. |
| 334 | // If Time is nil, TLS uses time.Now. |
| 335 | Time func() time.Time |
| 336 | |
| 337 | // Certificates contains one or more certificate chains |
| 338 | // to present to the other side of the connection. |
| 339 | // Server configurations must include at least one certificate. |
| 340 | Certificates []Certificate |
| 341 | |
| 342 | // NameToCertificate maps from a certificate name to an element of |
| 343 | // Certificates. Note that a certificate name can be of the form |
| 344 | // '*.example.com' and so doesn't have to be a domain name as such. |
| 345 | // See Config.BuildNameToCertificate |
| 346 | // The nil value causes the first element of Certificates to be used |
| 347 | // for all connections. |
| 348 | NameToCertificate map[string]*Certificate |
| 349 | |
| 350 | // RootCAs defines the set of root certificate authorities |
| 351 | // that clients use when verifying server certificates. |
| 352 | // If RootCAs is nil, TLS uses the host's root CA set. |
| 353 | RootCAs *x509.CertPool |
| 354 | |
| 355 | // NextProtos is a list of supported, application level protocols. |
| 356 | NextProtos []string |
| 357 | |
| 358 | // ServerName is used to verify the hostname on the returned |
| 359 | // certificates unless InsecureSkipVerify is given. It is also included |
| 360 | // in the client's handshake to support virtual hosting. |
| 361 | ServerName string |
| 362 | |
| 363 | // ClientAuth determines the server's policy for |
| 364 | // TLS Client Authentication. The default is NoClientCert. |
| 365 | ClientAuth ClientAuthType |
| 366 | |
| 367 | // ClientCAs defines the set of root certificate authorities |
| 368 | // that servers use if required to verify a client certificate |
| 369 | // by the policy in ClientAuth. |
| 370 | ClientCAs *x509.CertPool |
| 371 | |
David Benjamin | 7b03051 | 2014-07-08 17:30:11 -0400 | [diff] [blame] | 372 | // ClientCertificateTypes defines the set of allowed client certificate |
| 373 | // types. The default is CertTypeRSASign and CertTypeECDSASign. |
| 374 | ClientCertificateTypes []byte |
| 375 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 376 | // InsecureSkipVerify controls whether a client verifies the |
| 377 | // server's certificate chain and host name. |
| 378 | // If InsecureSkipVerify is true, TLS accepts any certificate |
| 379 | // presented by the server and any host name in that certificate. |
| 380 | // In this mode, TLS is susceptible to man-in-the-middle attacks. |
| 381 | // This should be used only for testing. |
| 382 | InsecureSkipVerify bool |
| 383 | |
| 384 | // CipherSuites is a list of supported cipher suites. If CipherSuites |
| 385 | // is nil, TLS uses a list of suites supported by the implementation. |
| 386 | CipherSuites []uint16 |
| 387 | |
| 388 | // PreferServerCipherSuites controls whether the server selects the |
| 389 | // client's most preferred ciphersuite, or the server's most preferred |
| 390 | // ciphersuite. If true then the server's preference, as expressed in |
| 391 | // the order of elements in CipherSuites, is used. |
| 392 | PreferServerCipherSuites bool |
| 393 | |
| 394 | // SessionTicketsDisabled may be set to true to disable session ticket |
| 395 | // (resumption) support. |
| 396 | SessionTicketsDisabled bool |
| 397 | |
| 398 | // SessionTicketKey is used by TLS servers to provide session |
| 399 | // resumption. See RFC 5077. If zero, it will be filled with |
| 400 | // random data before the first server handshake. |
| 401 | // |
| 402 | // If multiple servers are terminating connections for the same host |
| 403 | // they should all have the same SessionTicketKey. If the |
| 404 | // SessionTicketKey leaks, previously recorded and future TLS |
| 405 | // connections using that key are compromised. |
| 406 | SessionTicketKey [32]byte |
| 407 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 408 | // ClientSessionCache is a cache of ClientSessionState entries |
| 409 | // for TLS session resumption. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 410 | ClientSessionCache ClientSessionCache |
| 411 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 412 | // ServerSessionCache is a cache of sessionState entries for TLS session |
| 413 | // resumption. |
| 414 | ServerSessionCache ServerSessionCache |
| 415 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 416 | // MinVersion contains the minimum SSL/TLS version that is acceptable. |
| 417 | // If zero, then SSLv3 is taken as the minimum. |
| 418 | MinVersion uint16 |
| 419 | |
| 420 | // MaxVersion contains the maximum SSL/TLS version that is acceptable. |
| 421 | // If zero, then the maximum version supported by this package is used, |
| 422 | // which is currently TLS 1.2. |
| 423 | MaxVersion uint16 |
| 424 | |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 425 | // TLS13Variant is the variant of TLS 1.3 to use. |
| 426 | TLS13Variant int |
| 427 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 428 | // CurvePreferences contains the elliptic curves that will be used in |
| 429 | // an ECDHE handshake, in preference order. If empty, the default will |
| 430 | // be used. |
| 431 | CurvePreferences []CurveID |
| 432 | |
Nick Harper | dcfbc67 | 2016-07-16 17:47:31 +0200 | [diff] [blame] | 433 | // DefaultCurves contains the elliptic curves for which public values will |
| 434 | // be sent in the ClientHello's KeyShare extension. If this value is nil, |
| 435 | // all supported curves will have public values sent. This field is ignored |
| 436 | // on servers. |
| 437 | DefaultCurves []CurveID |
| 438 | |
David Benjamin | d30a990 | 2014-08-24 01:44:23 -0400 | [diff] [blame] | 439 | // ChannelID contains the ECDSA key for the client to use as |
| 440 | // its TLS Channel ID. |
| 441 | ChannelID *ecdsa.PrivateKey |
| 442 | |
| 443 | // RequestChannelID controls whether the server requests a TLS |
| 444 | // Channel ID. If negotiated, the client's public key is |
| 445 | // returned in the ConnectionState. |
| 446 | RequestChannelID bool |
| 447 | |
David Benjamin | 48cae08 | 2014-10-27 01:06:24 -0400 | [diff] [blame] | 448 | // PreSharedKey, if not nil, is the pre-shared key to use with |
| 449 | // the PSK cipher suites. |
| 450 | PreSharedKey []byte |
| 451 | |
| 452 | // PreSharedKeyIdentity, if not empty, is the identity to use |
| 453 | // with the PSK cipher suites. |
| 454 | PreSharedKeyIdentity string |
| 455 | |
Nick Harper | ab20cec | 2016-12-19 17:38:41 -0800 | [diff] [blame] | 456 | // MaxEarlyDataSize controls the maximum number of bytes that the |
| 457 | // server will accept in early data and advertise in a |
| 458 | // NewSessionTicketMsg. If 0, no early data will be accepted and |
| 459 | // the TicketEarlyDataInfo extension in the NewSessionTicketMsg |
| 460 | // will be omitted. |
| 461 | MaxEarlyDataSize uint32 |
| 462 | |
David Benjamin | ca6c826 | 2014-11-15 19:06:08 -0500 | [diff] [blame] | 463 | // SRTPProtectionProfiles, if not nil, is the list of SRTP |
| 464 | // protection profiles to offer in DTLS-SRTP. |
| 465 | SRTPProtectionProfiles []uint16 |
| 466 | |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 467 | // SignSignatureAlgorithms, if not nil, overrides the default set of |
| 468 | // supported signature algorithms to sign with. |
| 469 | SignSignatureAlgorithms []signatureAlgorithm |
| 470 | |
| 471 | // VerifySignatureAlgorithms, if not nil, overrides the default set of |
| 472 | // supported signature algorithms that are accepted. |
| 473 | VerifySignatureAlgorithms []signatureAlgorithm |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 474 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 475 | // Bugs specifies optional misbehaviour to be used for testing other |
| 476 | // implementations. |
| 477 | Bugs ProtocolBugs |
| 478 | |
| 479 | serverInitOnce sync.Once // guards calling (*Config).serverInit |
| 480 | } |
| 481 | |
| 482 | type BadValue int |
| 483 | |
| 484 | const ( |
| 485 | BadValueNone BadValue = iota |
| 486 | BadValueNegative |
| 487 | BadValueZero |
| 488 | BadValueLimit |
| 489 | BadValueLarge |
| 490 | NumBadValues |
| 491 | ) |
| 492 | |
David Benjamin | b36a395 | 2015-12-01 18:53:13 -0500 | [diff] [blame] | 493 | type RSABadValue int |
| 494 | |
| 495 | const ( |
| 496 | RSABadValueNone RSABadValue = iota |
| 497 | RSABadValueCorrupt |
| 498 | RSABadValueTooLong |
| 499 | RSABadValueTooShort |
| 500 | RSABadValueWrongVersion |
| 501 | NumRSABadValues |
| 502 | ) |
| 503 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 504 | type ProtocolBugs struct { |
David Benjamin | 5208fd4 | 2016-07-13 21:43:25 -0400 | [diff] [blame] | 505 | // InvalidSignature specifies that the signature in a ServerKeyExchange |
| 506 | // or CertificateVerify message should be invalid. |
| 507 | InvalidSignature bool |
David Benjamin | 6de0e53 | 2015-07-28 22:43:19 -0400 | [diff] [blame] | 508 | |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 509 | // SendCurve, if non-zero, causes the server to send the specified curve |
| 510 | // ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather |
| 511 | // than the negotiated one. |
David Benjamin | 4c3ddf7 | 2016-06-29 18:13:53 -0400 | [diff] [blame] | 512 | SendCurve CurveID |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 513 | |
David Benjamin | 2b07fa4 | 2016-03-02 00:23:57 -0500 | [diff] [blame] | 514 | // InvalidECDHPoint, if true, causes the ECC points in |
| 515 | // ServerKeyExchange or ClientKeyExchange messages to be invalid. |
| 516 | InvalidECDHPoint bool |
| 517 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 518 | // BadECDSAR controls ways in which the 'r' value of an ECDSA signature |
| 519 | // can be invalid. |
| 520 | BadECDSAR BadValue |
| 521 | BadECDSAS BadValue |
Adam Langley | 80842bd | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 522 | |
| 523 | // MaxPadding causes CBC records to have the maximum possible padding. |
| 524 | MaxPadding bool |
| 525 | // PaddingFirstByteBad causes the first byte of the padding to be |
| 526 | // incorrect. |
| 527 | PaddingFirstByteBad bool |
| 528 | // PaddingFirstByteBadIf255 causes the first byte of padding to be |
| 529 | // incorrect if there's a maximum amount of padding (i.e. 255 bytes). |
| 530 | PaddingFirstByteBadIf255 bool |
Adam Langley | ac61fa3 | 2014-06-23 12:03:11 -0700 | [diff] [blame] | 531 | |
| 532 | // FailIfNotFallbackSCSV causes a server handshake to fail if the |
| 533 | // client doesn't send the fallback SCSV value. |
| 534 | FailIfNotFallbackSCSV bool |
David Benjamin | 35a7a44 | 2014-07-05 00:23:20 -0400 | [diff] [blame] | 535 | |
| 536 | // DuplicateExtension causes an extra empty extension of bogus type to |
| 537 | // be emitted in either the ClientHello or the ServerHello. |
| 538 | DuplicateExtension bool |
David Benjamin | 1c375dd | 2014-07-12 00:48:23 -0400 | [diff] [blame] | 539 | |
| 540 | // UnauthenticatedECDH causes the server to pretend ECDHE_RSA |
| 541 | // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No |
| 542 | // Certificate message is sent and no signature is added to |
| 543 | // ServerKeyExchange. |
| 544 | UnauthenticatedECDH bool |
David Benjamin | 9c651c9 | 2014-07-12 13:27:45 -0400 | [diff] [blame] | 545 | |
David Benjamin | b80168e | 2015-02-08 18:30:14 -0500 | [diff] [blame] | 546 | // SkipHelloVerifyRequest causes a DTLS server to skip the |
| 547 | // HelloVerifyRequest message. |
| 548 | SkipHelloVerifyRequest bool |
| 549 | |
David Benjamin | dcd979f | 2015-04-20 18:26:52 -0400 | [diff] [blame] | 550 | // SkipCertificateStatus, if true, causes the server to skip the |
| 551 | // CertificateStatus message. This is legal because CertificateStatus is |
| 552 | // optional, even with a status_request in ServerHello. |
| 553 | SkipCertificateStatus bool |
| 554 | |
David Benjamin | 9c651c9 | 2014-07-12 13:27:45 -0400 | [diff] [blame] | 555 | // SkipServerKeyExchange causes the server to skip sending |
| 556 | // ServerKeyExchange messages. |
| 557 | SkipServerKeyExchange bool |
David Benjamin | a0e5223 | 2014-07-19 17:39:58 -0400 | [diff] [blame] | 558 | |
David Benjamin | b80168e | 2015-02-08 18:30:14 -0500 | [diff] [blame] | 559 | // SkipNewSessionTicket causes the server to skip sending the |
| 560 | // NewSessionTicket message despite promising to in ServerHello. |
| 561 | SkipNewSessionTicket bool |
| 562 | |
David Benjamin | 0b7ca7d | 2016-03-10 15:44:22 -0500 | [diff] [blame] | 563 | // SkipClientCertificate causes the client to skip the Certificate |
| 564 | // message. |
| 565 | SkipClientCertificate bool |
| 566 | |
David Benjamin | a0e5223 | 2014-07-19 17:39:58 -0400 | [diff] [blame] | 567 | // SkipChangeCipherSpec causes the implementation to skip |
| 568 | // sending the ChangeCipherSpec message (and adjusting cipher |
| 569 | // state accordingly for the Finished message). |
| 570 | SkipChangeCipherSpec bool |
David Benjamin | f3ec83d | 2014-07-21 22:42:34 -0400 | [diff] [blame] | 571 | |
David Benjamin | b80168e | 2015-02-08 18:30:14 -0500 | [diff] [blame] | 572 | // SkipFinished causes the implementation to skip sending the Finished |
| 573 | // message. |
| 574 | SkipFinished bool |
| 575 | |
David Benjamin | 32c8927 | 2017-03-26 13:54:21 -0500 | [diff] [blame] | 576 | // SkipEndOfEarlyData causes the implementation to skip the |
| 577 | // end_of_early_data alert. |
| 578 | SkipEndOfEarlyData bool |
| 579 | |
Dimitar Vlahovski | bd70845 | 2017-08-10 18:01:06 +0200 | [diff] [blame] | 580 | // SkipCertificateVerify, if true causes peer to skip sending a |
| 581 | // CertificateVerify message after the Certificate message. |
| 582 | SkipCertificateVerify bool |
| 583 | |
David Benjamin | f3ec83d | 2014-07-21 22:42:34 -0400 | [diff] [blame] | 584 | // EarlyChangeCipherSpec causes the client to send an early |
| 585 | // ChangeCipherSpec message before the ClientKeyExchange. A value of |
| 586 | // zero disables this behavior. One and two configure variants for 0.9.8 |
| 587 | // and 1.0.1 modes, respectively. |
| 588 | EarlyChangeCipherSpec int |
David Benjamin | d23f412 | 2014-07-23 15:09:48 -0400 | [diff] [blame] | 589 | |
David Benjamin | 8144f99 | 2016-06-22 17:05:13 -0400 | [diff] [blame] | 590 | // StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake |
| 591 | // message in DTLS to be prefaced by stray ChangeCipherSpec record. This |
| 592 | // may be used to test DTLS's handling of reordered ChangeCipherSpec. |
| 593 | StrayChangeCipherSpec bool |
| 594 | |
David Benjamin | b0c761e | 2017-06-25 22:42:55 -0400 | [diff] [blame] | 595 | // ReorderChangeCipherSpec causes the ChangeCipherSpec message to be |
| 596 | // sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec, |
| 597 | // the cipher change happens at the usual time. |
| 598 | ReorderChangeCipherSpec bool |
| 599 | |
David Benjamin | 86271ee | 2014-07-21 16:14:03 -0400 | [diff] [blame] | 600 | // FragmentAcrossChangeCipherSpec causes the implementation to fragment |
| 601 | // the Finished (or NextProto) message around the ChangeCipherSpec |
| 602 | // messages. |
| 603 | FragmentAcrossChangeCipherSpec bool |
| 604 | |
David Benjamin | 6167281 | 2016-07-14 23:10:43 -0400 | [diff] [blame] | 605 | // SendUnencryptedFinished, if true, causes the Finished message to be |
| 606 | // send unencrypted before ChangeCipherSpec rather than after it. |
| 607 | SendUnencryptedFinished bool |
| 608 | |
David Benjamin | 7964b18 | 2016-07-14 23:36:30 -0400 | [diff] [blame] | 609 | // PartialEncryptedExtensionsWithServerHello, if true, causes the TLS |
| 610 | // 1.3 server to send part of EncryptedExtensions unencrypted |
| 611 | // in the same record as ServerHello. |
| 612 | PartialEncryptedExtensionsWithServerHello bool |
| 613 | |
| 614 | // PartialClientFinishedWithClientHello, if true, causes the TLS 1.3 |
| 615 | // client to send part of Finished unencrypted in the same record as |
| 616 | // ClientHello. |
| 617 | PartialClientFinishedWithClientHello bool |
| 618 | |
David Benjamin | d86c767 | 2014-08-02 04:07:12 -0400 | [diff] [blame] | 619 | // SendV2ClientHello causes the client to send a V2ClientHello |
| 620 | // instead of a normal ClientHello. |
| 621 | SendV2ClientHello bool |
David Benjamin | bef270a | 2014-08-02 04:22:02 -0400 | [diff] [blame] | 622 | |
| 623 | // SendFallbackSCSV causes the client to include |
| 624 | // TLS_FALLBACK_SCSV in the ClientHello. |
| 625 | SendFallbackSCSV bool |
David Benjamin | 43ec06f | 2014-08-05 02:28:57 -0400 | [diff] [blame] | 626 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 627 | // SendRenegotiationSCSV causes the client to include the renegotiation |
| 628 | // SCSV in the ClientHello. |
| 629 | SendRenegotiationSCSV bool |
| 630 | |
David Benjamin | 43ec06f | 2014-08-05 02:28:57 -0400 | [diff] [blame] | 631 | // MaxHandshakeRecordLength, if non-zero, is the maximum size of a |
David Benjamin | 9821454 | 2014-08-07 18:02:39 -0400 | [diff] [blame] | 632 | // handshake record. Handshake messages will be split into multiple |
| 633 | // records at the specified size, except that the client_version will |
David Benjamin | bd15a8e | 2015-05-29 18:48:16 -0400 | [diff] [blame] | 634 | // never be fragmented. For DTLS, it is the maximum handshake fragment |
| 635 | // size, not record size; DTLS allows multiple handshake fragments in a |
| 636 | // single handshake record. See |PackHandshakeFragments|. |
David Benjamin | 43ec06f | 2014-08-05 02:28:57 -0400 | [diff] [blame] | 637 | MaxHandshakeRecordLength int |
David Benjamin | a8e3e0e | 2014-08-06 22:11:10 -0400 | [diff] [blame] | 638 | |
David Benjamin | 9821454 | 2014-08-07 18:02:39 -0400 | [diff] [blame] | 639 | // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to |
| 640 | // the first 6 bytes of the ClientHello. |
| 641 | FragmentClientVersion bool |
| 642 | |
Alex Chernyakhovsky | 4cd8c43 | 2014-11-01 19:39:08 -0400 | [diff] [blame] | 643 | // FragmentAlert will cause all alerts to be fragmented across |
| 644 | // two records. |
| 645 | FragmentAlert bool |
| 646 | |
David Benjamin | 0d3a8c6 | 2016-03-11 22:25:18 -0500 | [diff] [blame] | 647 | // DoubleAlert will cause all alerts to be sent as two copies packed |
| 648 | // within one record. |
| 649 | DoubleAlert bool |
| 650 | |
David Benjamin | 3fd1fbd | 2015-02-03 16:07:32 -0500 | [diff] [blame] | 651 | // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted |
| 652 | // alert to be sent. |
| 653 | SendSpuriousAlert alert |
Alex Chernyakhovsky | 4cd8c43 | 2014-11-01 19:39:08 -0400 | [diff] [blame] | 654 | |
David Benjamin | b36a395 | 2015-12-01 18:53:13 -0500 | [diff] [blame] | 655 | // BadRSAClientKeyExchange causes the client to send a corrupted RSA |
| 656 | // ClientKeyExchange which would not pass padding checks. |
| 657 | BadRSAClientKeyExchange RSABadValue |
David Benjamin | bed9aae | 2014-08-07 19:13:38 -0400 | [diff] [blame] | 658 | |
| 659 | // RenewTicketOnResume causes the server to renew the session ticket and |
| 660 | // send a NewSessionTicket message during an abbreviated handshake. |
| 661 | RenewTicketOnResume bool |
David Benjamin | 98e882e | 2014-08-08 13:24:34 -0400 | [diff] [blame] | 662 | |
David Benjamin | 3c6a1ea | 2016-09-26 18:30:05 -0400 | [diff] [blame] | 663 | // SendClientVersion, if non-zero, causes the client to send the |
| 664 | // specified value in the ClientHello version field. |
David Benjamin | 98e882e | 2014-08-08 13:24:34 -0400 | [diff] [blame] | 665 | SendClientVersion uint16 |
David Benjamin | 83c0bc9 | 2014-08-04 01:23:53 -0400 | [diff] [blame] | 666 | |
Steven Valdez | fdd1099 | 2016-09-15 16:27:05 -0400 | [diff] [blame] | 667 | // OmitSupportedVersions, if true, causes the client to omit the |
| 668 | // supported versions extension. |
| 669 | OmitSupportedVersions bool |
| 670 | |
| 671 | // SendSupportedVersions, if non-empty, causes the client to send a |
| 672 | // supported versions extension with the values from array. |
| 673 | SendSupportedVersions []uint16 |
| 674 | |
David Benjamin | 1f61f0d | 2016-07-10 12:20:35 -0400 | [diff] [blame] | 675 | // NegotiateVersion, if non-zero, causes the server to negotiate the |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 676 | // specifed wire version rather than the version supported by either |
David Benjamin | 1f61f0d | 2016-07-10 12:20:35 -0400 | [diff] [blame] | 677 | // peer. |
| 678 | NegotiateVersion uint16 |
| 679 | |
David Benjamin | e7e36aa | 2016-08-08 12:39:41 -0400 | [diff] [blame] | 680 | // NegotiateVersionOnRenego, if non-zero, causes the server to negotiate |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 681 | // the specified wire version on renegotiation rather than retaining it. |
David Benjamin | e7e36aa | 2016-08-08 12:39:41 -0400 | [diff] [blame] | 682 | NegotiateVersionOnRenego uint16 |
| 683 | |
David Benjamin | e58c4f5 | 2014-08-24 03:47:07 -0400 | [diff] [blame] | 684 | // ExpectFalseStart causes the server to, on full handshakes, |
| 685 | // expect the peer to False Start; the server Finished message |
| 686 | // isn't sent until we receive an application data record |
| 687 | // from the peer. |
| 688 | ExpectFalseStart bool |
David Benjamin | 5c24a1d | 2014-08-31 00:59:27 -0400 | [diff] [blame] | 689 | |
David Benjamin | 1c63315 | 2015-04-02 20:19:11 -0400 | [diff] [blame] | 690 | // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full |
| 691 | // handshakes, send an alert just before reading the application data |
| 692 | // record to test False Start. This can be used in a negative False |
| 693 | // Start test to determine whether the peer processed the alert (and |
| 694 | // closed the connection) before or after sending app data. |
| 695 | AlertBeforeFalseStartTest alert |
| 696 | |
David Benjamin | e78bfde | 2014-09-06 12:45:15 -0400 | [diff] [blame] | 697 | // ExpectServerName, if not empty, is the hostname the client |
| 698 | // must specify in the server_name extension. |
| 699 | ExpectServerName string |
David Benjamin | fc7b086 | 2014-09-06 13:21:53 -0400 | [diff] [blame] | 700 | |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 701 | // SwapNPNAndALPN switches the relative order between NPN and ALPN in |
| 702 | // both ClientHello and ServerHello. |
David Benjamin | fc7b086 | 2014-09-06 13:21:53 -0400 | [diff] [blame] | 703 | SwapNPNAndALPN bool |
David Benjamin | 01fe820 | 2014-09-24 15:21:44 -0400 | [diff] [blame] | 704 | |
Adam Langley | efb0e16 | 2015-07-09 11:35:04 -0700 | [diff] [blame] | 705 | // ALPNProtocol, if not nil, sets the ALPN protocol that a server will |
| 706 | // return. |
| 707 | ALPNProtocol *string |
| 708 | |
David Benjamin | 405da48 | 2016-08-08 17:25:07 -0400 | [diff] [blame] | 709 | // AcceptAnySession causes the server to resume sessions regardless of |
| 710 | // the version associated with the session or cipher suite. It also |
| 711 | // causes the server to look in both TLS 1.2 and 1.3 extensions to |
| 712 | // process a ticket. |
| 713 | AcceptAnySession bool |
| 714 | |
| 715 | // SendBothTickets, if true, causes the client to send tickets in both |
| 716 | // TLS 1.2 and 1.3 extensions. |
| 717 | SendBothTickets bool |
Adam Langley | 3831173 | 2014-10-16 19:04:35 -0700 | [diff] [blame] | 718 | |
David Benjamin | 4199b0d | 2016-11-01 13:58:25 -0400 | [diff] [blame] | 719 | // FilterTicket, if not nil, causes the client to modify a session |
| 720 | // ticket before sending it in a resume handshake. |
| 721 | FilterTicket func([]byte) ([]byte, error) |
Adam Langley | 3831173 | 2014-10-16 19:04:35 -0700 | [diff] [blame] | 722 | |
David Benjamin | d4c349b | 2017-02-09 14:07:17 -0500 | [diff] [blame] | 723 | // TicketSessionIDLength, if non-zero, is the length of the session ID |
| 724 | // to send with a ticket resumption offer. |
| 725 | TicketSessionIDLength int |
| 726 | |
| 727 | // EmptyTicketSessionID, if true, causes the client to send an empty |
| 728 | // session ID with a ticket resumption offer. For simplicity, this will |
| 729 | // also cause the client to interpret a ServerHello with empty session |
| 730 | // ID as a resumption. (A client which sends empty session ID is |
| 731 | // normally expected to look ahead for ChangeCipherSpec.) |
| 732 | EmptyTicketSessionID bool |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 733 | |
Steven Valdez | 0e4a448 | 2017-07-17 11:12:34 -0400 | [diff] [blame] | 734 | // SendClientHelloSessionID, if not nil, is the session ID sent in the |
| 735 | // ClientHello. |
| 736 | SendClientHelloSessionID []byte |
| 737 | |
| 738 | // ExpectClientHelloSessionID, if true, causes the server to fail the |
| 739 | // connection if there is not a SessionID in the ClientHello. |
| 740 | ExpectClientHelloSessionID bool |
| 741 | |
David Benjamin | 405da48 | 2016-08-08 17:25:07 -0400 | [diff] [blame] | 742 | // ExpectNoTLS12Session, if true, causes the server to fail the |
| 743 | // connection if either a session ID or TLS 1.2 ticket is offered. |
| 744 | ExpectNoTLS12Session bool |
| 745 | |
| 746 | // ExpectNoTLS13PSK, if true, causes the server to fail the connection |
| 747 | // if a TLS 1.3 PSK is offered. |
| 748 | ExpectNoTLS13PSK bool |
| 749 | |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 750 | // RequireExtendedMasterSecret, if true, requires that the peer support |
| 751 | // the extended master secret option. |
| 752 | RequireExtendedMasterSecret bool |
| 753 | |
David Benjamin | ca6554b | 2014-11-08 12:31:52 -0500 | [diff] [blame] | 754 | // NoExtendedMasterSecret causes the client and server to behave as if |
David Benjamin | 163c956 | 2016-08-29 23:14:17 -0400 | [diff] [blame] | 755 | // they didn't support an extended master secret in the initial |
| 756 | // handshake. |
Adam Langley | 7571292 | 2014-10-10 16:23:43 -0700 | [diff] [blame] | 757 | NoExtendedMasterSecret bool |
Adam Langley | 2ae77d2 | 2014-10-28 17:29:33 -0700 | [diff] [blame] | 758 | |
David Benjamin | 163c956 | 2016-08-29 23:14:17 -0400 | [diff] [blame] | 759 | // NoExtendedMasterSecretOnRenegotiation causes the client and server to |
| 760 | // behave as if they didn't support an extended master secret in |
| 761 | // renegotiation handshakes. |
| 762 | NoExtendedMasterSecretOnRenegotiation bool |
| 763 | |
Adam Langley | 2ae77d2 | 2014-10-28 17:29:33 -0700 | [diff] [blame] | 764 | // EmptyRenegotiationInfo causes the renegotiation extension to be |
| 765 | // empty in a renegotiation handshake. |
| 766 | EmptyRenegotiationInfo bool |
| 767 | |
| 768 | // BadRenegotiationInfo causes the renegotiation extension value in a |
David Benjamin | 9343b0b | 2017-07-01 00:31:27 -0400 | [diff] [blame] | 769 | // renegotiation handshake to be incorrect at the start. |
Adam Langley | 2ae77d2 | 2014-10-28 17:29:33 -0700 | [diff] [blame] | 770 | BadRenegotiationInfo bool |
David Benjamin | 5e961c1 | 2014-11-07 01:48:35 -0500 | [diff] [blame] | 771 | |
David Benjamin | 9343b0b | 2017-07-01 00:31:27 -0400 | [diff] [blame] | 772 | // BadRenegotiationInfoEnd causes the renegotiation extension value in |
| 773 | // a renegotiation handshake to be incorrect at the end. |
| 774 | BadRenegotiationInfoEnd bool |
| 775 | |
David Benjamin | 3e052de | 2015-11-25 20:10:31 -0500 | [diff] [blame] | 776 | // NoRenegotiationInfo disables renegotiation info support in all |
| 777 | // handshakes. |
David Benjamin | ca6554b | 2014-11-08 12:31:52 -0500 | [diff] [blame] | 778 | NoRenegotiationInfo bool |
| 779 | |
David Benjamin | 3e052de | 2015-11-25 20:10:31 -0500 | [diff] [blame] | 780 | // NoRenegotiationInfoInInitial disables renegotiation info support in |
| 781 | // the initial handshake. |
| 782 | NoRenegotiationInfoInInitial bool |
| 783 | |
| 784 | // NoRenegotiationInfoAfterInitial disables renegotiation info support |
| 785 | // in renegotiation handshakes. |
| 786 | NoRenegotiationInfoAfterInitial bool |
| 787 | |
Adam Langley | 5021b22 | 2015-06-12 18:27:58 -0700 | [diff] [blame] | 788 | // RequireRenegotiationInfo, if true, causes the client to return an |
| 789 | // error if the server doesn't reply with the renegotiation extension. |
| 790 | RequireRenegotiationInfo bool |
| 791 | |
David Benjamin | 8e6db49 | 2015-07-25 18:29:23 -0400 | [diff] [blame] | 792 | // SequenceNumberMapping, if non-nil, is the mapping function to apply |
| 793 | // to the sequence number of outgoing packets. For both TLS and DTLS, |
| 794 | // the two most-significant bytes in the resulting sequence number are |
| 795 | // ignored so that the DTLS epoch cannot be changed. |
| 796 | SequenceNumberMapping func(uint64) uint64 |
David Benjamin | 9114fae | 2014-11-08 11:41:14 -0500 | [diff] [blame] | 797 | |
David Benjamin | a3e8949 | 2015-02-26 15:16:22 -0500 | [diff] [blame] | 798 | // RSAEphemeralKey, if true, causes the server to send a |
| 799 | // ServerKeyExchange message containing an ephemeral key (as in |
| 800 | // RSA_EXPORT) in the plain RSA key exchange. |
| 801 | RSAEphemeralKey bool |
David Benjamin | ca6c826 | 2014-11-15 19:06:08 -0500 | [diff] [blame] | 802 | |
| 803 | // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the |
| 804 | // client offers when negotiating SRTP. MKI support is still missing so |
| 805 | // the peer must still send none. |
| 806 | SRTPMasterKeyIdentifer string |
| 807 | |
| 808 | // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the |
| 809 | // server sends in the ServerHello instead of the negotiated one. |
| 810 | SendSRTPProtectionProfile uint16 |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 811 | |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 812 | // NoSignatureAlgorithms, if true, causes the client to omit the |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 813 | // signature and hashes extension. |
| 814 | // |
| 815 | // For a server, it will cause an empty list to be sent in the |
| 816 | // CertificateRequest message. None the less, the configured set will |
| 817 | // still be enforced. |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 818 | NoSignatureAlgorithms bool |
David Benjamin | c44b1df | 2014-11-23 12:11:01 -0500 | [diff] [blame] | 819 | |
David Benjamin | 55a4364 | 2015-04-20 14:45:55 -0400 | [diff] [blame] | 820 | // NoSupportedCurves, if true, causes the client to omit the |
| 821 | // supported_curves extension. |
| 822 | NoSupportedCurves bool |
| 823 | |
David Benjamin | c44b1df | 2014-11-23 12:11:01 -0500 | [diff] [blame] | 824 | // RequireSameRenegoClientVersion, if true, causes the server |
| 825 | // to require that all ClientHellos match in offered version |
| 826 | // across a renego. |
| 827 | RequireSameRenegoClientVersion bool |
Feng Lu | 41aa325 | 2014-11-21 22:47:56 -0800 | [diff] [blame] | 828 | |
David Benjamin | b1dd8cd | 2016-09-26 19:20:48 -0400 | [diff] [blame] | 829 | // ExpectInitialRecordVersion, if non-zero, is the expected value of |
David Benjamin | e6f2221 | 2016-11-08 14:28:24 -0500 | [diff] [blame] | 830 | // record-layer version field before the protocol version is determined. |
David Benjamin | 1e29a6b | 2014-12-10 02:27:24 -0500 | [diff] [blame] | 831 | ExpectInitialRecordVersion uint16 |
David Benjamin | 13be1de | 2015-01-11 16:29:36 -0500 | [diff] [blame] | 832 | |
David Benjamin | e6f2221 | 2016-11-08 14:28:24 -0500 | [diff] [blame] | 833 | // SendRecordVersion, if non-zero, is the value to send as the |
| 834 | // record-layer version. |
| 835 | SendRecordVersion uint16 |
| 836 | |
| 837 | // SendInitialRecordVersion, if non-zero, is the value to send as the |
| 838 | // record-layer version before the protocol version is determined. |
| 839 | SendInitialRecordVersion uint16 |
| 840 | |
David Benjamin | 13be1de | 2015-01-11 16:29:36 -0500 | [diff] [blame] | 841 | // MaxPacketLength, if non-zero, is the maximum acceptable size for a |
| 842 | // packet. |
| 843 | MaxPacketLength int |
David Benjamin | 6095de8 | 2014-12-27 01:50:38 -0500 | [diff] [blame] | 844 | |
| 845 | // SendCipherSuite, if non-zero, is the cipher suite value that the |
| 846 | // server will send in the ServerHello. This does not affect the cipher |
| 847 | // the server believes it has actually negotiated. |
| 848 | SendCipherSuite uint16 |
David Benjamin | 4189bd9 | 2015-01-25 23:52:39 -0500 | [diff] [blame] | 849 | |
David Benjamin | 75f9914 | 2016-11-12 12:36:06 +0900 | [diff] [blame] | 850 | // SendCipherSuites, if not nil, is the cipher suite list that the |
| 851 | // client will send in the ClientHello. This does not affect the cipher |
| 852 | // the client believes it has actually offered. |
| 853 | SendCipherSuites []uint16 |
| 854 | |
David Benjamin | 4cf369b | 2015-08-22 01:35:43 -0400 | [diff] [blame] | 855 | // AppDataBeforeHandshake, if not nil, causes application data to be |
| 856 | // sent immediately before the first handshake message. |
| 857 | AppDataBeforeHandshake []byte |
| 858 | |
| 859 | // AppDataAfterChangeCipherSpec, if not nil, causes application data to |
David Benjamin | 4189bd9 | 2015-01-25 23:52:39 -0500 | [diff] [blame] | 860 | // be sent immediately after ChangeCipherSpec. |
| 861 | AppDataAfterChangeCipherSpec []byte |
David Benjamin | 83f9040 | 2015-01-27 01:09:43 -0500 | [diff] [blame] | 862 | |
David Benjamin | dc3da93 | 2015-03-12 15:09:02 -0400 | [diff] [blame] | 863 | // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent |
| 864 | // immediately after ChangeCipherSpec. |
| 865 | AlertAfterChangeCipherSpec alert |
| 866 | |
David Benjamin | 83f9040 | 2015-01-27 01:09:43 -0500 | [diff] [blame] | 867 | // TimeoutSchedule is the schedule of packet drops and simulated |
| 868 | // timeouts for before each handshake leg from the peer. |
| 869 | TimeoutSchedule []time.Duration |
| 870 | |
| 871 | // PacketAdaptor is the packetAdaptor to use to simulate timeouts. |
| 872 | PacketAdaptor *packetAdaptor |
David Benjamin | b3774b9 | 2015-01-31 17:16:01 -0500 | [diff] [blame] | 873 | |
| 874 | // ReorderHandshakeFragments, if true, causes handshake fragments in |
| 875 | // DTLS to overlap and be sent in the wrong order. It also causes |
| 876 | // pre-CCS flights to be sent twice. (Post-CCS flights consist of |
| 877 | // Finished and will trigger a spurious retransmit.) |
| 878 | ReorderHandshakeFragments bool |
David Benjamin | ddb9f15 | 2015-02-03 15:44:39 -0500 | [diff] [blame] | 879 | |
David Benjamin | 6167281 | 2016-07-14 23:10:43 -0400 | [diff] [blame] | 880 | // ReverseHandshakeFragments, if true, causes handshake fragments in |
| 881 | // DTLS to be reversed within a flight. |
| 882 | ReverseHandshakeFragments bool |
| 883 | |
David Benjamin | 7538122 | 2015-03-02 19:30:30 -0500 | [diff] [blame] | 884 | // MixCompleteMessageWithFragments, if true, causes handshake |
| 885 | // messages in DTLS to redundantly both fragment the message |
| 886 | // and include a copy of the full one. |
| 887 | MixCompleteMessageWithFragments bool |
| 888 | |
David Benjamin | 302b818 | 2017-08-22 14:47:22 -0700 | [diff] [blame] | 889 | // RetransmitFinished, if true, causes the DTLS Finished message to be |
| 890 | // sent twice. |
| 891 | RetransmitFinished bool |
| 892 | |
David Benjamin | ddb9f15 | 2015-02-03 15:44:39 -0500 | [diff] [blame] | 893 | // SendInvalidRecordType, if true, causes a record with an invalid |
| 894 | // content type to be sent immediately following the handshake. |
| 895 | SendInvalidRecordType bool |
David Benjamin | bcb2d91 | 2015-02-24 23:45:43 -0500 | [diff] [blame] | 896 | |
David Benjamin | 0b8d5da | 2016-07-15 00:39:56 -0400 | [diff] [blame] | 897 | // SendWrongMessageType, if non-zero, causes messages of the specified |
| 898 | // type to be sent with the wrong value. |
| 899 | SendWrongMessageType byte |
David Benjamin | 7538122 | 2015-03-02 19:30:30 -0500 | [diff] [blame] | 900 | |
David Benjamin | 639846e | 2016-09-09 11:41:18 -0400 | [diff] [blame] | 901 | // SendTrailingMessageData, if non-zero, causes messages of the |
| 902 | // specified type to be sent with trailing data. |
| 903 | SendTrailingMessageData byte |
| 904 | |
David Benjamin | 7538122 | 2015-03-02 19:30:30 -0500 | [diff] [blame] | 905 | // FragmentMessageTypeMismatch, if true, causes all non-initial |
| 906 | // handshake fragments in DTLS to have the wrong message type. |
| 907 | FragmentMessageTypeMismatch bool |
| 908 | |
| 909 | // FragmentMessageLengthMismatch, if true, causes all non-initial |
| 910 | // handshake fragments in DTLS to have the wrong message length. |
| 911 | FragmentMessageLengthMismatch bool |
| 912 | |
David Benjamin | 11fc66a | 2015-06-16 11:40:24 -0400 | [diff] [blame] | 913 | // SplitFragments, if non-zero, causes the handshake fragments in DTLS |
| 914 | // to be split across two records. The value of |SplitFragments| is the |
| 915 | // number of bytes in the first fragment. |
| 916 | SplitFragments int |
David Benjamin | 7538122 | 2015-03-02 19:30:30 -0500 | [diff] [blame] | 917 | |
| 918 | // SendEmptyFragments, if true, causes handshakes to include empty |
| 919 | // fragments in DTLS. |
| 920 | SendEmptyFragments bool |
David Benjamin | cdea40c | 2015-03-19 14:09:43 -0400 | [diff] [blame] | 921 | |
David Benjamin | 9a41d1b | 2015-05-16 01:30:09 -0400 | [diff] [blame] | 922 | // SendSplitAlert, if true, causes an alert to be sent with the header |
| 923 | // and record body split across multiple packets. The peer should |
| 924 | // discard these packets rather than process it. |
| 925 | SendSplitAlert bool |
| 926 | |
David Benjamin | 4b27d9f | 2015-05-12 22:42:52 -0400 | [diff] [blame] | 927 | // FailIfResumeOnRenego, if true, causes renegotiations to fail if the |
| 928 | // client offers a resumption or the server accepts one. |
| 929 | FailIfResumeOnRenego bool |
David Benjamin | 3c9746a | 2015-03-19 15:00:10 -0400 | [diff] [blame] | 930 | |
David Benjamin | 67d1fb5 | 2015-03-16 15:16:23 -0400 | [diff] [blame] | 931 | // IgnorePeerCipherPreferences, if true, causes the peer's cipher |
| 932 | // preferences to be ignored. |
| 933 | IgnorePeerCipherPreferences bool |
David Benjamin | 72dc783 | 2015-03-16 17:49:43 -0400 | [diff] [blame] | 934 | |
| 935 | // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's |
| 936 | // signature algorithm preferences to be ignored. |
| 937 | IgnorePeerSignatureAlgorithmPreferences bool |
David Benjamin | 340d5ed | 2015-03-21 02:21:37 -0400 | [diff] [blame] | 938 | |
David Benjamin | c574f41 | 2015-04-20 11:13:01 -0400 | [diff] [blame] | 939 | // IgnorePeerCurvePreferences, if true, causes the peer's curve |
| 940 | // preferences to be ignored. |
| 941 | IgnorePeerCurvePreferences bool |
| 942 | |
David Benjamin | 513f0ea | 2015-04-02 19:33:31 -0400 | [diff] [blame] | 943 | // BadFinished, if true, causes the Finished hash to be broken. |
| 944 | BadFinished bool |
Adam Langley | a7997f1 | 2015-05-14 17:38:50 -0700 | [diff] [blame] | 945 | |
David Benjamin | 582ba04 | 2016-07-07 12:33:25 -0700 | [diff] [blame] | 946 | // PackHandshakeFragments, if true, causes handshake fragments in DTLS |
| 947 | // to be packed into individual handshake records, up to the specified |
| 948 | // record size. |
David Benjamin | bd15a8e | 2015-05-29 18:48:16 -0400 | [diff] [blame] | 949 | PackHandshakeFragments int |
| 950 | |
David Benjamin | 582ba04 | 2016-07-07 12:33:25 -0700 | [diff] [blame] | 951 | // PackHandshakeRecords, if true, causes handshake records in DTLS to be |
| 952 | // packed into individual packets, up to the specified packet size. |
David Benjamin | bd15a8e | 2015-05-29 18:48:16 -0400 | [diff] [blame] | 953 | PackHandshakeRecords int |
David Benjamin | 0fa4012 | 2015-05-30 17:13:12 -0400 | [diff] [blame] | 954 | |
David Benjamin | 582ba04 | 2016-07-07 12:33:25 -0700 | [diff] [blame] | 955 | // PackHandshakeFlight, if true, causes each handshake flight in TLS to |
| 956 | // be packed into records, up to the largest size record available. |
| 957 | PackHandshakeFlight bool |
| 958 | |
David Benjamin | 5ecb88b | 2016-10-04 17:51:35 -0400 | [diff] [blame] | 959 | // AdvertiseAllConfiguredCiphers, if true, causes the client to |
| 960 | // advertise all configured cipher suite values. |
| 961 | AdvertiseAllConfiguredCiphers bool |
David Benjamin | 8923c0b | 2015-06-07 11:42:34 -0400 | [diff] [blame] | 962 | |
| 963 | // EmptyCertificateList, if true, causes the server to send an empty |
| 964 | // certificate list in the Certificate message. |
| 965 | EmptyCertificateList bool |
David Benjamin | d98452d | 2015-06-16 14:16:23 -0400 | [diff] [blame] | 966 | |
| 967 | // ExpectNewTicket, if true, causes the client to abort if it does not |
| 968 | // receive a new ticket. |
| 969 | ExpectNewTicket bool |
Adam Langley | 33ad2b5 | 2015-07-20 17:43:53 -0700 | [diff] [blame] | 970 | |
| 971 | // RequireClientHelloSize, if not zero, is the required length in bytes |
| 972 | // of the ClientHello /record/. This is checked by the server. |
| 973 | RequireClientHelloSize int |
Adam Langley | 0950563 | 2015-07-30 18:10:13 -0700 | [diff] [blame] | 974 | |
| 975 | // CustomExtension, if not empty, contains the contents of an extension |
| 976 | // that will be added to client/server hellos. |
| 977 | CustomExtension string |
| 978 | |
David Benjamin | 490469f | 2016-10-05 22:44:38 -0400 | [diff] [blame] | 979 | // CustomUnencryptedExtension, if not empty, contains the contents of |
| 980 | // an extension that will be added to ServerHello in TLS 1.3. |
| 981 | CustomUnencryptedExtension string |
| 982 | |
Adam Langley | 0950563 | 2015-07-30 18:10:13 -0700 | [diff] [blame] | 983 | // ExpectedCustomExtension, if not nil, contains the expected contents |
| 984 | // of a custom extension. |
| 985 | ExpectedCustomExtension *string |
David Benjamin | 30789da | 2015-08-29 22:56:45 -0400 | [diff] [blame] | 986 | |
David Benjamin | 1286bee | 2016-10-07 15:25:06 -0400 | [diff] [blame] | 987 | // CustomTicketExtension, if not empty, contains the contents of an |
| 988 | // extension what will be added to NewSessionTicket in TLS 1.3. |
| 989 | CustomTicketExtension string |
| 990 | |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 991 | // CustomTicketExtension, if not empty, contains the contents of an |
| 992 | // extension what will be added to HelloRetryRequest in TLS 1.3. |
| 993 | CustomHelloRetryRequestExtension string |
| 994 | |
David Benjamin | 30789da | 2015-08-29 22:56:45 -0400 | [diff] [blame] | 995 | // NoCloseNotify, if true, causes the close_notify alert to be skipped |
| 996 | // on connection shutdown. |
| 997 | NoCloseNotify bool |
| 998 | |
David Benjamin | fa214e4 | 2016-05-10 17:03:10 -0400 | [diff] [blame] | 999 | // SendAlertOnShutdown, if non-zero, is the alert to send instead of |
| 1000 | // close_notify on shutdown. |
| 1001 | SendAlertOnShutdown alert |
| 1002 | |
David Benjamin | 30789da | 2015-08-29 22:56:45 -0400 | [diff] [blame] | 1003 | // ExpectCloseNotify, if true, requires a close_notify from the peer on |
| 1004 | // shutdown. Records from the peer received after close_notify is sent |
| 1005 | // are not discard. |
| 1006 | ExpectCloseNotify bool |
David Benjamin | 2c99d28 | 2015-09-01 10:23:00 -0400 | [diff] [blame] | 1007 | |
| 1008 | // SendLargeRecords, if true, allows outgoing records to be sent |
| 1009 | // arbitrarily large. |
| 1010 | SendLargeRecords bool |
David Benjamin | 76c2efc | 2015-08-31 14:24:29 -0400 | [diff] [blame] | 1011 | |
| 1012 | // NegotiateALPNAndNPN, if true, causes the server to negotiate both |
| 1013 | // ALPN and NPN in the same connetion. |
| 1014 | NegotiateALPNAndNPN bool |
David Benjamin | dd6fed9 | 2015-10-23 17:41:12 -0400 | [diff] [blame] | 1015 | |
David Benjamin | 0c40a96 | 2016-08-01 12:05:50 -0400 | [diff] [blame] | 1016 | // SendALPN, if non-empty, causes the server to send the specified |
David Benjamin | 3e51757 | 2016-08-11 11:52:23 -0400 | [diff] [blame] | 1017 | // string in the ALPN extension regardless of the content or presence of |
| 1018 | // the client offer. |
David Benjamin | 0c40a96 | 2016-08-01 12:05:50 -0400 | [diff] [blame] | 1019 | SendALPN string |
| 1020 | |
David Benjamin | 490469f | 2016-10-05 22:44:38 -0400 | [diff] [blame] | 1021 | // SendUnencryptedALPN, if non-empty, causes the server to send the |
| 1022 | // specified string in a ServerHello ALPN extension in TLS 1.3. |
| 1023 | SendUnencryptedALPN string |
| 1024 | |
David Benjamin | dd6fed9 | 2015-10-23 17:41:12 -0400 | [diff] [blame] | 1025 | // SendEmptySessionTicket, if true, causes the server to send an empty |
| 1026 | // session ticket. |
| 1027 | SendEmptySessionTicket bool |
| 1028 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1029 | // SendPSKKeyExchangeModes, if present, determines the PSK key exchange modes |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 1030 | // to send. |
| 1031 | SendPSKKeyExchangeModes []byte |
| 1032 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1033 | // ExpectNoNewSessionTicket, if present, means that the client will fail upon |
| 1034 | // receipt of a NewSessionTicket message. |
| 1035 | ExpectNoNewSessionTicket bool |
| 1036 | |
David Benjamin | 9c33ae8 | 2017-01-08 06:04:43 -0500 | [diff] [blame] | 1037 | // DuplicateTicketEarlyDataInfo causes an extra empty extension of |
| 1038 | // ticket_early_data_info to be sent in NewSessionTicket. |
| 1039 | DuplicateTicketEarlyDataInfo bool |
| 1040 | |
Steven Valdez | 08b65f4 | 2016-12-07 15:29:45 -0500 | [diff] [blame] | 1041 | // ExpectTicketEarlyDataInfo, if true, means that the client will fail upon |
| 1042 | // absence of the ticket_early_data_info extension. |
| 1043 | ExpectTicketEarlyDataInfo bool |
| 1044 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1045 | // ExpectTicketAge, if non-zero, is the expected age of the ticket that the |
| 1046 | // server receives from the client. |
| 1047 | ExpectTicketAge time.Duration |
Steven Valdez | 5b98608 | 2016-09-01 12:29:49 -0400 | [diff] [blame] | 1048 | |
David Benjamin | 35ac5b7 | 2017-03-03 15:05:56 -0500 | [diff] [blame] | 1049 | // SendTicketAge, if non-zero, is the ticket age to be sent by the |
| 1050 | // client. |
| 1051 | SendTicketAge time.Duration |
| 1052 | |
David Benjamin | dd6fed9 | 2015-10-23 17:41:12 -0400 | [diff] [blame] | 1053 | // FailIfSessionOffered, if true, causes the server to fail any |
| 1054 | // connections where the client offers a non-empty session ID or session |
| 1055 | // ticket. |
| 1056 | FailIfSessionOffered bool |
Adam Langley | 27a0d08 | 2015-11-03 13:34:10 -0800 | [diff] [blame] | 1057 | |
| 1058 | // SendHelloRequestBeforeEveryAppDataRecord, if true, causes a |
| 1059 | // HelloRequest handshake message to be sent before each application |
| 1060 | // data record. This only makes sense for a server. |
| 1061 | SendHelloRequestBeforeEveryAppDataRecord bool |
Adam Langley | c4f25ce | 2015-11-26 16:39:08 -0800 | [diff] [blame] | 1062 | |
David Benjamin | 71dd666 | 2016-07-08 14:10:48 -0700 | [diff] [blame] | 1063 | // SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a |
| 1064 | // HelloRequest handshake message to be sent before each handshake |
| 1065 | // message. This only makes sense for a server. |
| 1066 | SendHelloRequestBeforeEveryHandshakeMessage bool |
| 1067 | |
David Benjamin | 8411b24 | 2015-11-26 12:07:28 -0500 | [diff] [blame] | 1068 | // BadChangeCipherSpec, if not nil, is the body to be sent in |
| 1069 | // ChangeCipherSpec records instead of {1}. |
| 1070 | BadChangeCipherSpec []byte |
David Benjamin | ef5dfd2 | 2015-12-06 13:17:07 -0500 | [diff] [blame] | 1071 | |
| 1072 | // BadHelloRequest, if not nil, is what to send instead of a |
| 1073 | // HelloRequest. |
| 1074 | BadHelloRequest []byte |
David Benjamin | ef1b009 | 2015-11-21 14:05:44 -0500 | [diff] [blame] | 1075 | |
| 1076 | // RequireSessionTickets, if true, causes the client to require new |
| 1077 | // sessions use session tickets instead of session IDs. |
| 1078 | RequireSessionTickets bool |
David Benjamin | f2b8363 | 2016-03-01 22:57:46 -0500 | [diff] [blame] | 1079 | |
| 1080 | // NullAllCiphers, if true, causes every cipher to behave like the null |
| 1081 | // cipher. |
| 1082 | NullAllCiphers bool |
David Benjamin | 80d1b35 | 2016-05-04 19:19:06 -0400 | [diff] [blame] | 1083 | |
| 1084 | // SendSCTListOnResume, if not nil, causes the server to send the |
| 1085 | // supplied SCT list in resumption handshakes. |
| 1086 | SendSCTListOnResume []byte |
Matt Braithwaite | 54217e4 | 2016-06-13 13:03:47 -0700 | [diff] [blame] | 1087 | |
David Benjamin | 5c4271f | 2017-08-23 22:09:41 -0700 | [diff] [blame] | 1088 | // SendSCTListOnRenegotiation, if not nil, causes the server to send the |
| 1089 | // supplied SCT list on renegotiation. |
| 1090 | SendSCTListOnRenegotiation []byte |
| 1091 | |
David Benjamin | daa8850 | 2016-10-04 16:32:16 -0400 | [diff] [blame] | 1092 | // SendOCSPResponseOnResume, if not nil, causes the server to advertise |
| 1093 | // OCSP stapling in resumption handshakes and, if applicable, send the |
| 1094 | // supplied stapled response. |
| 1095 | SendOCSPResponseOnResume []byte |
| 1096 | |
David Benjamin | 5c4271f | 2017-08-23 22:09:41 -0700 | [diff] [blame] | 1097 | // SendOCSPResponseOnResume, if not nil, causes the server to send the |
| 1098 | // supplied OCSP response on renegotiation. |
| 1099 | SendOCSPResponseOnRenegotiation []byte |
| 1100 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1101 | // SendExtensionOnCertificate, if not nil, causes the runner to send the |
| 1102 | // supplied bytes in the extensions on the Certificate message. |
| 1103 | SendExtensionOnCertificate []byte |
| 1104 | |
| 1105 | // SendOCSPOnIntermediates, if not nil, causes the server to send the |
| 1106 | // supplied OCSP on intermediate certificates in the Certificate message. |
| 1107 | SendOCSPOnIntermediates []byte |
| 1108 | |
| 1109 | // SendSCTOnIntermediates, if not nil, causes the server to send the |
| 1110 | // supplied SCT on intermediate certificates in the Certificate message. |
| 1111 | SendSCTOnIntermediates []byte |
| 1112 | |
| 1113 | // SendDuplicateCertExtensions, if true, causes the server to send an extra |
| 1114 | // copy of the OCSP/SCT extensions in the Certificate message. |
| 1115 | SendDuplicateCertExtensions bool |
| 1116 | |
| 1117 | // ExpectNoExtensionsOnIntermediate, if true, causes the client to |
| 1118 | // reject extensions on intermediate certificates. |
| 1119 | ExpectNoExtensionsOnIntermediate bool |
| 1120 | |
David Benjamin | c9ae27c | 2016-06-24 22:56:37 -0400 | [diff] [blame] | 1121 | // RecordPadding is the number of bytes of padding to add to each |
| 1122 | // encrypted record in TLS 1.3. |
| 1123 | RecordPadding int |
| 1124 | |
| 1125 | // OmitRecordContents, if true, causes encrypted records in TLS 1.3 to |
| 1126 | // be missing their body and content type. Padding, if configured, is |
| 1127 | // still added. |
| 1128 | OmitRecordContents bool |
| 1129 | |
| 1130 | // OuterRecordType, if non-zero, is the outer record type to use instead |
| 1131 | // of application data. |
| 1132 | OuterRecordType recordType |
David Benjamin | a95e9f3 | 2016-07-08 16:28:04 -0700 | [diff] [blame] | 1133 | |
| 1134 | // SendSignatureAlgorithm, if non-zero, causes all signatures to be sent |
| 1135 | // with the given signature algorithm rather than the one negotiated. |
| 1136 | SendSignatureAlgorithm signatureAlgorithm |
David Benjamin | 1fb125c | 2016-07-08 18:52:12 -0700 | [diff] [blame] | 1137 | |
| 1138 | // SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be |
| 1139 | // skipped. |
| 1140 | SkipECDSACurveCheck bool |
David Benjamin | fd5c45f | 2016-06-30 18:30:40 -0400 | [diff] [blame] | 1141 | |
| 1142 | // IgnoreSignatureVersionChecks, if true, causes all signature |
| 1143 | // algorithms to be enabled at all TLS versions. |
| 1144 | IgnoreSignatureVersionChecks bool |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1145 | |
| 1146 | // NegotiateRenegotiationInfoAtAllVersions, if true, causes |
| 1147 | // Renegotiation Info to be negotiated at all versions. |
| 1148 | NegotiateRenegotiationInfoAtAllVersions bool |
| 1149 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1150 | // NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at |
| 1151 | // all versions. |
| 1152 | NegotiateNPNAtAllVersions bool |
| 1153 | |
| 1154 | // NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at |
| 1155 | // all versions. |
| 1156 | NegotiateEMSAtAllVersions bool |
| 1157 | |
| 1158 | // AdvertiseTicketExtension, if true, causes the ticket extension to be |
| 1159 | // advertised in server extensions |
| 1160 | AdvertiseTicketExtension bool |
| 1161 | |
Steven Valdez | 803c77a | 2016-09-06 14:13:43 -0400 | [diff] [blame] | 1162 | // NegotiatePSKResumption, if true, causes the server to attempt pure PSK |
| 1163 | // resumption. |
| 1164 | NegotiatePSKResumption bool |
| 1165 | |
David Benjamin | 7f78df4 | 2016-10-05 22:33:19 -0400 | [diff] [blame] | 1166 | // AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to |
| 1167 | // always acknowledge a session, regardless of one was offered. |
| 1168 | AlwaysSelectPSKIdentity bool |
| 1169 | |
| 1170 | // SelectPSKIdentityOnResume, if non-zero, causes the server to select |
| 1171 | // the specified PSK identity index rather than the actual value. |
| 1172 | SelectPSKIdentityOnResume uint16 |
| 1173 | |
Steven Valdez | af3b8a9 | 2016-11-01 12:49:22 -0400 | [diff] [blame] | 1174 | // ExtraPSKIdentity, if true, causes the client to send an extra PSK |
| 1175 | // identity. |
| 1176 | ExtraPSKIdentity bool |
| 1177 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1178 | // MissingKeyShare, if true, causes the TLS 1.3 implementation to skip |
| 1179 | // sending a key_share extension and use the zero ECDHE secret |
| 1180 | // instead. |
| 1181 | MissingKeyShare bool |
| 1182 | |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1183 | // SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3 |
| 1184 | // ClientHello to skip sending a key_share extension and use the zero |
| 1185 | // ECDHE secret instead. |
| 1186 | SecondClientHelloMissingKeyShare bool |
| 1187 | |
| 1188 | // MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3 |
| 1189 | // client to pretend the server requested a HelloRetryRequest with the |
| 1190 | // given curve rather than the actual one. |
| 1191 | MisinterpretHelloRetryRequestCurve CurveID |
| 1192 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1193 | // DuplicateKeyShares, if true, causes the TLS 1.3 client to send two |
| 1194 | // copies of each KeyShareEntry. |
| 1195 | DuplicateKeyShares bool |
| 1196 | |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 1197 | // SendEarlyAlert, if true, sends a fatal alert after the ClientHello. |
| 1198 | SendEarlyAlert bool |
| 1199 | |
Nick Harper | f2511f1 | 2016-12-06 16:02:31 -0800 | [diff] [blame] | 1200 | // SendFakeEarlyDataLength, if non-zero, is the amount of early data to |
| 1201 | // send after the ClientHello. |
| 1202 | SendFakeEarlyDataLength int |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 1203 | |
Steven Valdez | 681eb6a | 2016-12-19 13:19:29 -0500 | [diff] [blame] | 1204 | // SendStrayEarlyHandshake, if non-zero, causes the client to send a stray |
| 1205 | // handshake record before sending end of early data. |
| 1206 | SendStrayEarlyHandshake bool |
| 1207 | |
Steven Valdez | a4ee74d | 2016-11-29 13:36:45 -0500 | [diff] [blame] | 1208 | // OmitEarlyDataExtension, if true, causes the early data extension to |
| 1209 | // be omitted in the ClientHello. |
| 1210 | OmitEarlyDataExtension bool |
| 1211 | |
| 1212 | // SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to |
| 1213 | // send early data after the second ClientHello. |
| 1214 | SendEarlyDataOnSecondClientHello bool |
| 1215 | |
| 1216 | // InterleaveEarlyData, if true, causes the TLS 1.3 client to send early |
| 1217 | // data interleaved with the second ClientHello and the client Finished. |
| 1218 | InterleaveEarlyData bool |
| 1219 | |
Nick Harper | f2511f1 | 2016-12-06 16:02:31 -0800 | [diff] [blame] | 1220 | // SendEarlyData causes a TLS 1.3 client to send the provided data |
| 1221 | // in application data records immediately after the ClientHello, |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 1222 | // provided that the client offers a TLS 1.3 session. It will do this |
| 1223 | // whether or not the server advertised early data for the ticket. |
Nick Harper | f2511f1 | 2016-12-06 16:02:31 -0800 | [diff] [blame] | 1224 | SendEarlyData [][]byte |
| 1225 | |
Steven Valdez | 2d85062 | 2017-01-11 11:34:52 -0500 | [diff] [blame] | 1226 | // ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data |
| 1227 | // was accepted by the server. |
| 1228 | ExpectEarlyDataAccepted bool |
| 1229 | |
| 1230 | // AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data |
| 1231 | // regardless of ALPN mismatch. |
| 1232 | AlwaysAcceptEarlyData bool |
| 1233 | |
| 1234 | // AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data. |
| 1235 | AlwaysRejectEarlyData bool |
| 1236 | |
| 1237 | // SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the |
| 1238 | // early_data extension in EncryptedExtensions, independent of whether |
| 1239 | // it was accepted. |
| 1240 | SendEarlyDataExtension bool |
| 1241 | |
Nick Harper | ab20cec | 2016-12-19 17:38:41 -0800 | [diff] [blame] | 1242 | // ExpectEarlyData causes a TLS 1.3 server to read application |
| 1243 | // data after the ClientHello (assuming the server is able to |
| 1244 | // derive the key under which the data is encrypted) before it |
| 1245 | // sends a ServerHello. It checks that the application data it |
| 1246 | // reads matches what is provided in ExpectEarlyData and errors if |
| 1247 | // the number of records or their content do not match. |
| 1248 | ExpectEarlyData [][]byte |
| 1249 | |
Steven Valdez | e831a81 | 2017-03-09 14:56:07 -0500 | [diff] [blame] | 1250 | // ExpectLateEarlyData causes a TLS 1.3 server to read application |
| 1251 | // data after the ServerFinished (assuming the server is able to |
| 1252 | // derive the key under which the data is encrypted) before it |
| 1253 | // sends the ClientFinished. It checks that the application data it |
| 1254 | // reads matches what is provided in ExpectLateEarlyData and errors if |
| 1255 | // the number of records or their content do not match. |
| 1256 | ExpectLateEarlyData [][]byte |
| 1257 | |
Nick Harper | 7cd0a97 | 2016-12-02 11:08:40 -0800 | [diff] [blame] | 1258 | // SendHalfRTTData causes a TLS 1.3 server to send the provided |
| 1259 | // data in application data records before reading the client's |
| 1260 | // Finished message. |
| 1261 | SendHalfRTTData [][]byte |
| 1262 | |
David Benjamin | 794cc59 | 2017-03-25 22:24:23 -0500 | [diff] [blame] | 1263 | // ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to |
| 1264 | // read application data after reading the server's Finished message and |
| 1265 | // before sending any subsequent handshake messages. It checks that the |
Nick Harper | 7cd0a97 | 2016-12-02 11:08:40 -0800 | [diff] [blame] | 1266 | // application data it reads matches what is provided in |
| 1267 | // ExpectHalfRTTData and errors if the number of records or their |
| 1268 | // content do not match. |
| 1269 | ExpectHalfRTTData [][]byte |
| 1270 | |
Steven Valdez | 143e8b3 | 2016-07-11 13:19:03 -0400 | [diff] [blame] | 1271 | // EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to |
| 1272 | // emit an empty EncryptedExtensions block. |
| 1273 | EmptyEncryptedExtensions bool |
| 1274 | |
| 1275 | // EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to |
| 1276 | // include the KeyShare extension in the EncryptedExtensions block. |
| 1277 | EncryptedExtensionsWithKeyShare bool |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1278 | |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 1279 | // AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to |
| 1280 | // be sent by the server, even if empty. |
| 1281 | AlwaysSendHelloRetryRequest bool |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1282 | |
| 1283 | // SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send |
| 1284 | // two HelloRetryRequests instead of one. |
| 1285 | SecondHelloRetryRequest bool |
| 1286 | |
David Benjamin | 3baa6e1 | 2016-10-07 21:10:38 -0400 | [diff] [blame] | 1287 | // SendHelloRetryRequestCurve, if non-zero, causes the server to send |
| 1288 | // the specified curve in a HelloRetryRequest. |
| 1289 | SendHelloRetryRequestCurve CurveID |
| 1290 | |
| 1291 | // SendHelloRetryRequestCookie, if not nil, contains a cookie to be |
| 1292 | // sent by the server in HelloRetryRequest. |
| 1293 | SendHelloRetryRequestCookie []byte |
| 1294 | |
| 1295 | // DuplicateHelloRetryRequestExtensions, if true, causes all |
| 1296 | // HelloRetryRequest extensions to be sent twice. |
| 1297 | DuplicateHelloRetryRequestExtensions bool |
| 1298 | |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1299 | // SendServerHelloVersion, if non-zero, causes the server to send the |
David Benjamin | 3c6a1ea | 2016-09-26 18:30:05 -0400 | [diff] [blame] | 1300 | // specified value in ServerHello version field. |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1301 | SendServerHelloVersion uint16 |
| 1302 | |
Steven Valdez | 038da9b | 2017-07-10 12:57:25 -0400 | [diff] [blame] | 1303 | // SendServerSupportedExtensionVersion, if non-zero, causes the server to send |
| 1304 | // the specified value in supported_versions extension in the ServerHello. |
| 1305 | SendServerSupportedExtensionVersion uint16 |
| 1306 | |
Steven Valdez | 5440fe0 | 2016-07-18 12:40:30 -0400 | [diff] [blame] | 1307 | // SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send |
| 1308 | // HelloRetryRequest. |
| 1309 | SkipHelloRetryRequest bool |
David Benjamin | 12d2c48 | 2016-07-24 10:56:51 -0400 | [diff] [blame] | 1310 | |
| 1311 | // PackHelloRequestWithFinished, if true, causes the TLS server to send |
| 1312 | // HelloRequest in the same record as Finished. |
| 1313 | PackHelloRequestWithFinished bool |
David Benjamin | 02edcd0 | 2016-07-27 17:40:37 -0400 | [diff] [blame] | 1314 | |
David Benjamin | e73c7f4 | 2016-08-17 00:29:33 -0400 | [diff] [blame] | 1315 | // ExpectMissingKeyShare, if true, causes the TLS server to fail the |
| 1316 | // connection if the selected curve appears in the client's initial |
| 1317 | // ClientHello. That is, it requires that a HelloRetryRequest be sent. |
| 1318 | ExpectMissingKeyShare bool |
| 1319 | |
David Benjamin | 02edcd0 | 2016-07-27 17:40:37 -0400 | [diff] [blame] | 1320 | // SendExtraFinished, if true, causes an extra Finished message to be |
| 1321 | // sent. |
| 1322 | SendExtraFinished bool |
David Benjamin | 8a8349b | 2016-08-18 02:32:23 -0400 | [diff] [blame] | 1323 | |
| 1324 | // SendRequestContext, if not empty, is the request context to send in |
| 1325 | // a TLS 1.3 CertificateRequest. |
| 1326 | SendRequestContext []byte |
David Benjamin | abe94e3 | 2016-09-04 14:18:58 -0400 | [diff] [blame] | 1327 | |
| 1328 | // SendSNIWarningAlert, if true, causes the server to send an |
| 1329 | // unrecognized_name alert before the ServerHello. |
| 1330 | SendSNIWarningAlert bool |
David Benjamin | c241d79 | 2016-09-09 10:34:20 -0400 | [diff] [blame] | 1331 | |
| 1332 | // SendCompressionMethods, if not nil, is the compression method list to |
| 1333 | // send in the ClientHello. |
| 1334 | SendCompressionMethods []byte |
David Benjamin | 7867934 | 2016-09-16 19:42:05 -0400 | [diff] [blame] | 1335 | |
David Benjamin | 413e79e | 2017-07-01 10:11:53 -0400 | [diff] [blame] | 1336 | // SendCompressionMethod is the compression method to send in the |
| 1337 | // ServerHello. |
| 1338 | SendCompressionMethod byte |
| 1339 | |
David Benjamin | 7867934 | 2016-09-16 19:42:05 -0400 | [diff] [blame] | 1340 | // AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to |
| 1341 | // always send a ServerKeyExchange for PSK ciphers, even if the identity |
| 1342 | // hint is empty. |
| 1343 | AlwaysSendPreSharedKeyIdentityHint bool |
David Benjamin | 7e1f984 | 2016-09-20 19:24:40 -0400 | [diff] [blame] | 1344 | |
| 1345 | // TrailingKeyShareData, if true, causes the client key share list to |
| 1346 | // include a trailing byte. |
| 1347 | TrailingKeyShareData bool |
David Benjamin | 196df5b | 2016-09-21 16:23:27 -0400 | [diff] [blame] | 1348 | |
| 1349 | // InvalidChannelIDSignature, if true, causes the client to generate an |
| 1350 | // invalid Channel ID signature. |
| 1351 | InvalidChannelIDSignature bool |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 1352 | |
David Benjamin | 1a5e8ec | 2016-10-07 15:19:18 -0400 | [diff] [blame] | 1353 | // ExpectGREASE, if true, causes messages without GREASE values to be |
| 1354 | // rejected. See draft-davidben-tls-grease-01. |
David Benjamin | 65ac997 | 2016-09-02 21:35:25 -0400 | [diff] [blame] | 1355 | ExpectGREASE bool |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1356 | |
| 1357 | // SendShortPSKBinder, if true, causes the client to send a PSK binder |
| 1358 | // that is one byte shorter than it should be. |
| 1359 | SendShortPSKBinder bool |
| 1360 | |
| 1361 | // SendInvalidPSKBinder, if true, causes the client to send an invalid |
| 1362 | // PSK binder. |
| 1363 | SendInvalidPSKBinder bool |
| 1364 | |
| 1365 | // SendNoPSKBinder, if true, causes the client to send no PSK binders. |
| 1366 | SendNoPSKBinder bool |
| 1367 | |
David Benjamin | aedf303 | 2016-12-01 16:47:56 -0500 | [diff] [blame] | 1368 | // SendExtraPSKBinder, if true, causes the client to send an extra PSK |
| 1369 | // binder. |
| 1370 | SendExtraPSKBinder bool |
| 1371 | |
Steven Valdez | a833c35 | 2016-11-01 13:39:36 -0400 | [diff] [blame] | 1372 | // PSKBinderFirst, if true, causes the client to send the PSK Binder |
| 1373 | // extension as the first extension instead of the last extension. |
| 1374 | PSKBinderFirst bool |
David Benjamin | 53210cb | 2016-11-16 09:01:48 +0900 | [diff] [blame] | 1375 | |
| 1376 | // NoOCSPStapling, if true, causes the client to not request OCSP |
| 1377 | // stapling. |
| 1378 | NoOCSPStapling bool |
| 1379 | |
| 1380 | // NoSignedCertificateTimestamps, if true, causes the client to not |
| 1381 | // request signed certificate timestamps. |
| 1382 | NoSignedCertificateTimestamps bool |
David Benjamin | 6f600d6 | 2016-12-21 16:06:54 -0500 | [diff] [blame] | 1383 | |
David Benjamin | a81967b | 2016-12-22 09:16:57 -0500 | [diff] [blame] | 1384 | // SendSupportedPointFormats, if not nil, is the list of supported point |
| 1385 | // formats to send in ClientHello or ServerHello. If set to a non-nil |
| 1386 | // empty slice, no extension will be sent. |
| 1387 | SendSupportedPointFormats []byte |
David Benjamin | e3fbb36 | 2017-01-06 16:19:28 -0500 | [diff] [blame] | 1388 | |
David Benjamin | 6c1f2b7 | 2017-10-04 17:01:22 -0400 | [diff] [blame] | 1389 | // SendServerSupportedCurves, if true, causes the server to send its |
| 1390 | // supported curves list in the ServerHello (TLS 1.2) or |
| 1391 | // EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and |
| 1392 | // valid in TLS 1.3. |
| 1393 | SendServerSupportedCurves bool |
| 1394 | |
David Benjamin | e3fbb36 | 2017-01-06 16:19:28 -0500 | [diff] [blame] | 1395 | // MaxReceivePlaintext, if non-zero, is the maximum plaintext record |
| 1396 | // length accepted from the peer. |
| 1397 | MaxReceivePlaintext int |
David Benjamin | 17b3083 | 2017-01-28 14:00:32 -0500 | [diff] [blame] | 1398 | |
| 1399 | // SendTicketLifetime, if non-zero, is the ticket lifetime to send in |
| 1400 | // NewSessionTicket messages. |
| 1401 | SendTicketLifetime time.Duration |
David Benjamin | 023d419 | 2017-02-06 13:49:07 -0500 | [diff] [blame] | 1402 | |
| 1403 | // SendServerNameAck, if true, causes the server to acknowledge the SNI |
| 1404 | // extension. |
| 1405 | SendServerNameAck bool |
Adam Langley | 2ff7933 | 2017-02-28 13:45:39 -0800 | [diff] [blame] | 1406 | |
| 1407 | // ExpectCertificateReqNames, if not nil, contains the list of X.509 |
| 1408 | // names that must be sent in a CertificateRequest from the server. |
| 1409 | ExpectCertificateReqNames [][]byte |
David Benjamin | a58baaf | 2017-02-28 20:54:28 -0500 | [diff] [blame] | 1410 | |
| 1411 | // RenegotiationCertificate, if not nil, is the certificate to use on |
| 1412 | // renegotiation handshakes. |
| 1413 | RenegotiationCertificate *Certificate |
David Benjamin | 6952211 | 2017-03-28 15:38:29 -0500 | [diff] [blame] | 1414 | |
| 1415 | // UseLegacySigningAlgorithm, if non-zero, is the signature algorithm |
| 1416 | // to use when signing in TLS 1.1 and earlier where algorithms are not |
| 1417 | // negotiated. |
| 1418 | UseLegacySigningAlgorithm signatureAlgorithm |
David Benjamin | ebacdee | 2017-04-08 11:00:45 -0400 | [diff] [blame] | 1419 | |
| 1420 | // SendServerHelloAsHelloRetryRequest, if true, causes the server to |
| 1421 | // send ServerHello messages with a HelloRetryRequest type field. |
| 1422 | SendServerHelloAsHelloRetryRequest bool |
David Benjamin | bbba939 | 2017-04-06 12:54:12 -0400 | [diff] [blame] | 1423 | |
| 1424 | // RejectUnsolicitedKeyUpdate, if true, causes all unsolicited |
| 1425 | // KeyUpdates from the peer to be rejected. |
| 1426 | RejectUnsolicitedKeyUpdate bool |
David Benjamin | b853f31 | 2017-07-14 18:40:34 -0400 | [diff] [blame] | 1427 | |
| 1428 | // OmitExtensions, if true, causes the extensions field in ClientHello |
| 1429 | // and ServerHello messages to be omitted. |
| 1430 | OmitExtensions bool |
| 1431 | |
David Benjamin | 09ed119 | 2017-07-14 20:11:07 -0400 | [diff] [blame] | 1432 | // EmptyExtensions, if true, causes the extensions field in ClientHello |
David Benjamin | b853f31 | 2017-07-14 18:40:34 -0400 | [diff] [blame] | 1433 | // and ServerHello messages to be present, but empty. |
| 1434 | EmptyExtensions bool |
David Benjamin | 09ed119 | 2017-07-14 20:11:07 -0400 | [diff] [blame] | 1435 | |
David Benjamin | 0a47191 | 2017-08-31 00:19:57 -0400 | [diff] [blame] | 1436 | // ExpectOmitExtensions, if true, causes the client to reject |
| 1437 | // ServerHello messages that do not omit extensions. |
| 1438 | ExpectOmitExtensions bool |
| 1439 | |
David Benjamin | 09ed119 | 2017-07-14 20:11:07 -0400 | [diff] [blame] | 1440 | // ExpectRecordSplitting, if true, causes application records to only be |
| 1441 | // accepted if they follow a 1/n-1 record split. |
| 1442 | ExpectRecordSplitting bool |
David Benjamin | e51fb0f | 2017-09-07 11:51:46 -0400 | [diff] [blame] | 1443 | |
| 1444 | // PadClientHello, if non-zero, pads the ClientHello to a multiple of |
| 1445 | // that many bytes. |
| 1446 | PadClientHello int |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1447 | } |
| 1448 | |
| 1449 | func (c *Config) serverInit() { |
| 1450 | if c.SessionTicketsDisabled { |
| 1451 | return |
| 1452 | } |
| 1453 | |
| 1454 | // If the key has already been set then we have nothing to do. |
| 1455 | for _, b := range c.SessionTicketKey { |
| 1456 | if b != 0 { |
| 1457 | return |
| 1458 | } |
| 1459 | } |
| 1460 | |
| 1461 | if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { |
| 1462 | c.SessionTicketsDisabled = true |
| 1463 | } |
| 1464 | } |
| 1465 | |
| 1466 | func (c *Config) rand() io.Reader { |
| 1467 | r := c.Rand |
| 1468 | if r == nil { |
| 1469 | return rand.Reader |
| 1470 | } |
| 1471 | return r |
| 1472 | } |
| 1473 | |
| 1474 | func (c *Config) time() time.Time { |
| 1475 | t := c.Time |
| 1476 | if t == nil { |
| 1477 | t = time.Now |
| 1478 | } |
| 1479 | return t() |
| 1480 | } |
| 1481 | |
| 1482 | func (c *Config) cipherSuites() []uint16 { |
| 1483 | s := c.CipherSuites |
| 1484 | if s == nil { |
| 1485 | s = defaultCipherSuites() |
| 1486 | } |
| 1487 | return s |
| 1488 | } |
| 1489 | |
David Benjamin | cecee27 | 2016-06-30 13:33:47 -0400 | [diff] [blame] | 1490 | func (c *Config) minVersion(isDTLS bool) uint16 { |
| 1491 | ret := uint16(minVersion) |
| 1492 | if c != nil && c.MinVersion != 0 { |
| 1493 | ret = c.MinVersion |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1494 | } |
David Benjamin | cecee27 | 2016-06-30 13:33:47 -0400 | [diff] [blame] | 1495 | if isDTLS { |
| 1496 | // The lowest version of DTLS is 1.0. There is no DSSL 3.0. |
| 1497 | if ret < VersionTLS10 { |
| 1498 | return VersionTLS10 |
| 1499 | } |
| 1500 | // There is no such thing as DTLS 1.1. |
| 1501 | if ret == VersionTLS11 { |
| 1502 | return VersionTLS12 |
| 1503 | } |
| 1504 | } |
| 1505 | return ret |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1506 | } |
| 1507 | |
David Benjamin | cecee27 | 2016-06-30 13:33:47 -0400 | [diff] [blame] | 1508 | func (c *Config) maxVersion(isDTLS bool) uint16 { |
| 1509 | ret := uint16(maxVersion) |
| 1510 | if c != nil && c.MaxVersion != 0 { |
| 1511 | ret = c.MaxVersion |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1512 | } |
David Benjamin | cecee27 | 2016-06-30 13:33:47 -0400 | [diff] [blame] | 1513 | if isDTLS { |
| 1514 | // We only implement up to DTLS 1.2. |
| 1515 | if ret > VersionTLS12 { |
| 1516 | return VersionTLS12 |
| 1517 | } |
| 1518 | // There is no such thing as DTLS 1.1. |
| 1519 | if ret == VersionTLS11 { |
| 1520 | return VersionTLS10 |
| 1521 | } |
| 1522 | } |
| 1523 | return ret |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1524 | } |
| 1525 | |
David Benjamin | cba2b62 | 2015-12-18 22:13:41 -0500 | [diff] [blame] | 1526 | var defaultCurvePreferences = []CurveID{CurveX25519, CurveP256, CurveP384, CurveP521} |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1527 | |
| 1528 | func (c *Config) curvePreferences() []CurveID { |
| 1529 | if c == nil || len(c.CurvePreferences) == 0 { |
| 1530 | return defaultCurvePreferences |
| 1531 | } |
| 1532 | return c.CurvePreferences |
| 1533 | } |
| 1534 | |
Nick Harper | dcfbc67 | 2016-07-16 17:47:31 +0200 | [diff] [blame] | 1535 | func (c *Config) defaultCurves() map[CurveID]bool { |
| 1536 | defaultCurves := make(map[CurveID]bool) |
| 1537 | curves := c.DefaultCurves |
| 1538 | if c == nil || c.DefaultCurves == nil { |
| 1539 | curves = c.curvePreferences() |
| 1540 | } |
| 1541 | for _, curveID := range curves { |
| 1542 | defaultCurves[curveID] = true |
| 1543 | } |
| 1544 | return defaultCurves |
| 1545 | } |
| 1546 | |
Steven Valdez | 1682126 | 2017-09-08 17:03:42 -0400 | [diff] [blame] | 1547 | func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) { |
| 1548 | if isDTLS { |
| 1549 | switch vers { |
| 1550 | case VersionDTLS12: |
| 1551 | return VersionTLS12, true |
| 1552 | case VersionDTLS10: |
| 1553 | return VersionTLS10, true |
| 1554 | } |
| 1555 | } else { |
| 1556 | switch vers { |
| 1557 | case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12: |
| 1558 | return vers, true |
Steven Valdez | 4c7f5fa | 2017-10-02 15:53:57 -0400 | [diff] [blame] | 1559 | case tls13DraftVersion, tls13ExperimentVersion, tls13Experiment2Version, tls13Experiment3Version: |
Steven Valdez | 1682126 | 2017-09-08 17:03:42 -0400 | [diff] [blame] | 1560 | return VersionTLS13, true |
| 1561 | } |
| 1562 | } |
| 1563 | |
| 1564 | return 0, false |
| 1565 | } |
| 1566 | |
| 1567 | func isResumptionExperiment(vers uint16) bool { |
Steven Valdez | c7d4d21 | 2017-09-11 13:53:08 -0400 | [diff] [blame] | 1568 | return vers == tls13ExperimentVersion || vers == tls13Experiment2Version || vers == tls13Experiment3Version |
| 1569 | } |
| 1570 | |
| 1571 | func isResumptionClientCCSExperiment(vers uint16) bool { |
Steven Valdez | 1682126 | 2017-09-08 17:03:42 -0400 | [diff] [blame] | 1572 | return vers == tls13ExperimentVersion || vers == tls13Experiment2Version |
| 1573 | } |
| 1574 | |
Steven Valdez | c7d4d21 | 2017-09-11 13:53:08 -0400 | [diff] [blame] | 1575 | func isResumptionRecordVersionExperiment(vers uint16) bool { |
| 1576 | return vers == tls13Experiment2Version || vers == tls13Experiment3Version |
| 1577 | } |
| 1578 | |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 1579 | // isSupportedVersion checks if the specified wire version is acceptable. If so, |
| 1580 | // it returns true and the corresponding protocol version. Otherwise, it returns |
| 1581 | // false. |
| 1582 | func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { |
Steven Valdez | 4c7f5fa | 2017-10-02 15:53:57 -0400 | [diff] [blame] | 1583 | if (c.TLS13Variant != TLS13Experiment && wireVers == tls13ExperimentVersion) || |
Steven Valdez | 1682126 | 2017-09-08 17:03:42 -0400 | [diff] [blame] | 1584 | (c.TLS13Variant != TLS13Experiment2 && wireVers == tls13Experiment2Version) || |
Steven Valdez | c7d4d21 | 2017-09-11 13:53:08 -0400 | [diff] [blame] | 1585 | (c.TLS13Variant != TLS13Experiment3 && wireVers == tls13Experiment3Version) || |
Steven Valdez | 520e122 | 2017-06-13 12:45:25 -0400 | [diff] [blame] | 1586 | (c.TLS13Variant != TLS13Default && wireVers == tls13DraftVersion) { |
| 1587 | return 0, false |
| 1588 | } |
| 1589 | |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 1590 | vers, ok := wireToVersion(wireVers, isDTLS) |
| 1591 | if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { |
| 1592 | return 0, false |
| 1593 | } |
| 1594 | return vers, true |
| 1595 | } |
| 1596 | |
| 1597 | func (c *Config) supportedVersions(isDTLS bool) []uint16 { |
| 1598 | versions := allTLSWireVersions |
| 1599 | if isDTLS { |
| 1600 | versions = allDTLSWireVersions |
| 1601 | } |
| 1602 | var ret []uint16 |
| 1603 | for _, vers := range versions { |
| 1604 | if _, ok := c.isSupportedVersion(vers, isDTLS); ok { |
| 1605 | ret = append(ret, vers) |
| 1606 | } |
| 1607 | } |
| 1608 | return ret |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1609 | } |
| 1610 | |
| 1611 | // getCertificateForName returns the best certificate for the given name, |
| 1612 | // defaulting to the first element of c.Certificates if there are no good |
| 1613 | // options. |
| 1614 | func (c *Config) getCertificateForName(name string) *Certificate { |
| 1615 | if len(c.Certificates) == 1 || c.NameToCertificate == nil { |
| 1616 | // There's only one choice, so no point doing any work. |
| 1617 | return &c.Certificates[0] |
| 1618 | } |
| 1619 | |
| 1620 | name = strings.ToLower(name) |
| 1621 | for len(name) > 0 && name[len(name)-1] == '.' { |
| 1622 | name = name[:len(name)-1] |
| 1623 | } |
| 1624 | |
| 1625 | if cert, ok := c.NameToCertificate[name]; ok { |
| 1626 | return cert |
| 1627 | } |
| 1628 | |
| 1629 | // try replacing labels in the name with wildcards until we get a |
| 1630 | // match. |
| 1631 | labels := strings.Split(name, ".") |
| 1632 | for i := range labels { |
| 1633 | labels[i] = "*" |
| 1634 | candidate := strings.Join(labels, ".") |
| 1635 | if cert, ok := c.NameToCertificate[candidate]; ok { |
| 1636 | return cert |
| 1637 | } |
| 1638 | } |
| 1639 | |
| 1640 | // If nothing matches, return the first certificate. |
| 1641 | return &c.Certificates[0] |
| 1642 | } |
| 1643 | |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 1644 | func (c *Config) signSignatureAlgorithms() []signatureAlgorithm { |
| 1645 | if c != nil && c.SignSignatureAlgorithms != nil { |
| 1646 | return c.SignSignatureAlgorithms |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1647 | } |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 1648 | return supportedSignatureAlgorithms |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1649 | } |
| 1650 | |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 1651 | func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm { |
| 1652 | if c != nil && c.VerifySignatureAlgorithms != nil { |
| 1653 | return c.VerifySignatureAlgorithms |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1654 | } |
David Benjamin | 7a41d37 | 2016-07-09 11:21:54 -0700 | [diff] [blame] | 1655 | return supportedSignatureAlgorithms |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1656 | } |
| 1657 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1658 | // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate |
| 1659 | // from the CommonName and SubjectAlternateName fields of each of the leaf |
| 1660 | // certificates. |
| 1661 | func (c *Config) BuildNameToCertificate() { |
| 1662 | c.NameToCertificate = make(map[string]*Certificate) |
| 1663 | for i := range c.Certificates { |
| 1664 | cert := &c.Certificates[i] |
| 1665 | x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) |
| 1666 | if err != nil { |
| 1667 | continue |
| 1668 | } |
| 1669 | if len(x509Cert.Subject.CommonName) > 0 { |
| 1670 | c.NameToCertificate[x509Cert.Subject.CommonName] = cert |
| 1671 | } |
| 1672 | for _, san := range x509Cert.DNSNames { |
| 1673 | c.NameToCertificate[san] = cert |
| 1674 | } |
| 1675 | } |
| 1676 | } |
| 1677 | |
| 1678 | // A Certificate is a chain of one or more certificates, leaf first. |
| 1679 | type Certificate struct { |
| 1680 | Certificate [][]byte |
| 1681 | PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey |
| 1682 | // OCSPStaple contains an optional OCSP response which will be served |
| 1683 | // to clients that request it. |
| 1684 | OCSPStaple []byte |
David Benjamin | 61f9527 | 2014-11-25 01:55:35 -0500 | [diff] [blame] | 1685 | // SignedCertificateTimestampList contains an optional encoded |
| 1686 | // SignedCertificateTimestampList structure which will be |
| 1687 | // served to clients that request it. |
| 1688 | SignedCertificateTimestampList []byte |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1689 | // Leaf is the parsed form of the leaf certificate, which may be |
| 1690 | // initialized using x509.ParseCertificate to reduce per-handshake |
| 1691 | // processing for TLS clients doing client authentication. If nil, the |
| 1692 | // leaf certificate will be parsed as needed. |
| 1693 | Leaf *x509.Certificate |
| 1694 | } |
| 1695 | |
| 1696 | // A TLS record. |
| 1697 | type record struct { |
| 1698 | contentType recordType |
| 1699 | major, minor uint8 |
| 1700 | payload []byte |
| 1701 | } |
| 1702 | |
| 1703 | type handshakeMessage interface { |
| 1704 | marshal() []byte |
| 1705 | unmarshal([]byte) bool |
| 1706 | } |
| 1707 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 1708 | // lruSessionCache is a client or server session cache implementation |
| 1709 | // that uses an LRU caching strategy. |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1710 | type lruSessionCache struct { |
| 1711 | sync.Mutex |
| 1712 | |
| 1713 | m map[string]*list.Element |
| 1714 | q *list.List |
| 1715 | capacity int |
| 1716 | } |
| 1717 | |
| 1718 | type lruSessionCacheEntry struct { |
| 1719 | sessionKey string |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 1720 | state interface{} |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1721 | } |
| 1722 | |
| 1723 | // Put adds the provided (sessionKey, cs) pair to the cache. |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 1724 | func (c *lruSessionCache) Put(sessionKey string, cs interface{}) { |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1725 | c.Lock() |
| 1726 | defer c.Unlock() |
| 1727 | |
| 1728 | if elem, ok := c.m[sessionKey]; ok { |
| 1729 | entry := elem.Value.(*lruSessionCacheEntry) |
| 1730 | entry.state = cs |
| 1731 | c.q.MoveToFront(elem) |
| 1732 | return |
| 1733 | } |
| 1734 | |
| 1735 | if c.q.Len() < c.capacity { |
| 1736 | entry := &lruSessionCacheEntry{sessionKey, cs} |
| 1737 | c.m[sessionKey] = c.q.PushFront(entry) |
| 1738 | return |
| 1739 | } |
| 1740 | |
| 1741 | elem := c.q.Back() |
| 1742 | entry := elem.Value.(*lruSessionCacheEntry) |
| 1743 | delete(c.m, entry.sessionKey) |
| 1744 | entry.sessionKey = sessionKey |
| 1745 | entry.state = cs |
| 1746 | c.q.MoveToFront(elem) |
| 1747 | c.m[sessionKey] = elem |
| 1748 | } |
| 1749 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 1750 | // Get returns the value associated with a given key. It returns (nil, |
| 1751 | // false) if no value is found. |
| 1752 | func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) { |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1753 | c.Lock() |
| 1754 | defer c.Unlock() |
| 1755 | |
| 1756 | if elem, ok := c.m[sessionKey]; ok { |
| 1757 | c.q.MoveToFront(elem) |
| 1758 | return elem.Value.(*lruSessionCacheEntry).state, true |
| 1759 | } |
| 1760 | return nil, false |
| 1761 | } |
| 1762 | |
David Benjamin | fe8eb9a | 2014-11-17 03:19:02 -0500 | [diff] [blame] | 1763 | // lruClientSessionCache is a ClientSessionCache implementation that |
| 1764 | // uses an LRU caching strategy. |
| 1765 | type lruClientSessionCache struct { |
| 1766 | lruSessionCache |
| 1767 | } |
| 1768 | |
| 1769 | func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { |
| 1770 | c.lruSessionCache.Put(sessionKey, cs) |
| 1771 | } |
| 1772 | |
| 1773 | func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { |
| 1774 | cs, ok := c.lruSessionCache.Get(sessionKey) |
| 1775 | if !ok { |
| 1776 | return nil, false |
| 1777 | } |
| 1778 | return cs.(*ClientSessionState), true |
| 1779 | } |
| 1780 | |
| 1781 | // lruServerSessionCache is a ServerSessionCache implementation that |
| 1782 | // uses an LRU caching strategy. |
| 1783 | type lruServerSessionCache struct { |
| 1784 | lruSessionCache |
| 1785 | } |
| 1786 | |
| 1787 | func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) { |
| 1788 | c.lruSessionCache.Put(sessionId, session) |
| 1789 | } |
| 1790 | |
| 1791 | func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) { |
| 1792 | cs, ok := c.lruSessionCache.Get(sessionId) |
| 1793 | if !ok { |
| 1794 | return nil, false |
| 1795 | } |
| 1796 | return cs.(*sessionState), true |
| 1797 | } |
| 1798 | |
| 1799 | // NewLRUClientSessionCache returns a ClientSessionCache with the given |
| 1800 | // capacity that uses an LRU strategy. If capacity is < 1, a default capacity |
| 1801 | // is used instead. |
| 1802 | func NewLRUClientSessionCache(capacity int) ClientSessionCache { |
| 1803 | const defaultSessionCacheCapacity = 64 |
| 1804 | |
| 1805 | if capacity < 1 { |
| 1806 | capacity = defaultSessionCacheCapacity |
| 1807 | } |
| 1808 | return &lruClientSessionCache{ |
| 1809 | lruSessionCache{ |
| 1810 | m: make(map[string]*list.Element), |
| 1811 | q: list.New(), |
| 1812 | capacity: capacity, |
| 1813 | }, |
| 1814 | } |
| 1815 | } |
| 1816 | |
| 1817 | // NewLRUServerSessionCache returns a ServerSessionCache with the given |
| 1818 | // capacity that uses an LRU strategy. If capacity is < 1, a default capacity |
| 1819 | // is used instead. |
| 1820 | func NewLRUServerSessionCache(capacity int) ServerSessionCache { |
| 1821 | const defaultSessionCacheCapacity = 64 |
| 1822 | |
| 1823 | if capacity < 1 { |
| 1824 | capacity = defaultSessionCacheCapacity |
| 1825 | } |
| 1826 | return &lruServerSessionCache{ |
| 1827 | lruSessionCache{ |
| 1828 | m: make(map[string]*list.Element), |
| 1829 | q: list.New(), |
| 1830 | capacity: capacity, |
| 1831 | }, |
| 1832 | } |
| 1833 | } |
| 1834 | |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1835 | // TODO(jsing): Make these available to both crypto/x509 and crypto/tls. |
| 1836 | type dsaSignature struct { |
| 1837 | R, S *big.Int |
| 1838 | } |
| 1839 | |
| 1840 | type ecdsaSignature dsaSignature |
| 1841 | |
| 1842 | var emptyConfig Config |
| 1843 | |
| 1844 | func defaultConfig() *Config { |
| 1845 | return &emptyConfig |
| 1846 | } |
| 1847 | |
| 1848 | var ( |
| 1849 | once sync.Once |
| 1850 | varDefaultCipherSuites []uint16 |
| 1851 | ) |
| 1852 | |
| 1853 | func defaultCipherSuites() []uint16 { |
| 1854 | once.Do(initDefaultCipherSuites) |
| 1855 | return varDefaultCipherSuites |
| 1856 | } |
| 1857 | |
| 1858 | func initDefaultCipherSuites() { |
David Benjamin | 48cae08 | 2014-10-27 01:06:24 -0400 | [diff] [blame] | 1859 | for _, suite := range cipherSuites { |
| 1860 | if suite.flags&suitePSK == 0 { |
| 1861 | varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) |
| 1862 | } |
Adam Langley | 95c29f3 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1863 | } |
| 1864 | } |
| 1865 | |
| 1866 | func unexpectedMessageError(wanted, got interface{}) error { |
| 1867 | return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) |
| 1868 | } |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1869 | |
Nick Harper | 60edffd | 2016-06-21 15:19:24 -0700 | [diff] [blame] | 1870 | func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool { |
| 1871 | for _, s := range sigAlgs { |
| 1872 | if s == sigAlg { |
David Benjamin | 000800a | 2014-11-14 01:43:59 -0500 | [diff] [blame] | 1873 | return true |
| 1874 | } |
| 1875 | } |
| 1876 | return false |
| 1877 | } |
Nick Harper | 85f20c2 | 2016-07-04 10:11:59 -0700 | [diff] [blame] | 1878 | |
| 1879 | var ( |
David Benjamin | a128a55 | 2016-10-13 14:26:33 -0400 | [diff] [blame] | 1880 | // See draft-ietf-tls-tls13-16, section 6.3.1.2. |
Nick Harper | 85f20c2 | 2016-07-04 10:11:59 -0700 | [diff] [blame] | 1881 | downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} |
| 1882 | downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} |
| 1883 | ) |
Steven Valdez | c94998a | 2017-06-20 10:55:02 -0400 | [diff] [blame] | 1884 | |
| 1885 | func containsGREASE(values []uint16) bool { |
| 1886 | for _, v := range values { |
| 1887 | if isGREASEValue(v) { |
| 1888 | return true |
| 1889 | } |
| 1890 | } |
| 1891 | return false |
| 1892 | } |