2014-06-20 20:00:00 +01:00
|
|
|
// Copyright 2009 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
2015-09-29 23:21:04 +01:00
|
|
|
package runner
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
import (
|
|
|
|
"container/list"
|
|
|
|
"crypto"
|
2014-08-24 06:44:23 +01:00
|
|
|
"crypto/ecdsa"
|
2014-06-20 20:00:00 +01:00
|
|
|
"crypto/rand"
|
|
|
|
"crypto/x509"
|
2018-04-08 18:59:25 +01:00
|
|
|
"errors"
|
2014-06-20 20:00:00 +01:00
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"math/big"
|
|
|
|
"strings"
|
|
|
|
"sync"
|
|
|
|
"time"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
VersionSSL30 = 0x0300
|
|
|
|
VersionTLS10 = 0x0301
|
|
|
|
VersionTLS11 = 0x0302
|
|
|
|
VersionTLS12 = 0x0303
|
2016-06-15 02:14:35 +01:00
|
|
|
VersionTLS13 = 0x0304
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
2017-06-29 20:54:58 +01:00
|
|
|
const (
|
|
|
|
VersionDTLS10 = 0xfeff
|
|
|
|
VersionDTLS12 = 0xfefd
|
|
|
|
)
|
|
|
|
|
2016-09-15 21:27:05 +01:00
|
|
|
// A draft version of TLS 1.3 that is sent over the wire for the current draft.
|
2017-06-13 17:45:25 +01:00
|
|
|
const (
|
2018-01-22 20:20:31 +00:00
|
|
|
tls13Draft23Version = 0x7f17
|
2018-03-27 18:15:26 +01:00
|
|
|
tls13Draft28Version = 0x7f1c
|
2017-06-13 17:45:25 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2018-08-27 22:45:49 +01:00
|
|
|
TLS13RFC = 0
|
2018-05-10 16:04:53 +01:00
|
|
|
TLS13Draft23 = 1
|
|
|
|
TLS13Draft28 = 2
|
2018-08-27 22:45:49 +01:00
|
|
|
TLS13All = 3
|
2017-06-13 17:45:25 +01:00
|
|
|
)
|
2016-07-17 09:53:26 +01:00
|
|
|
|
2017-06-20 15:55:02 +01:00
|
|
|
var allTLSWireVersions = []uint16{
|
2018-08-13 15:07:45 +01:00
|
|
|
VersionTLS13,
|
2018-03-27 18:15:26 +01:00
|
|
|
tls13Draft28Version,
|
2018-01-09 11:18:36 +00:00
|
|
|
tls13Draft23Version,
|
2017-06-20 15:55:02 +01:00
|
|
|
VersionTLS12,
|
|
|
|
VersionTLS11,
|
|
|
|
VersionTLS10,
|
|
|
|
VersionSSL30,
|
|
|
|
}
|
|
|
|
|
|
|
|
var allDTLSWireVersions = []uint16{
|
|
|
|
VersionDTLS12,
|
|
|
|
VersionDTLS10,
|
|
|
|
}
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
const (
|
2014-08-04 06:23:53 +01:00
|
|
|
maxPlaintext = 16384 // maximum plaintext payload length
|
|
|
|
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
|
|
|
|
tlsRecordHeaderLen = 5 // record header length
|
|
|
|
dtlsRecordHeaderLen = 13
|
|
|
|
maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
minVersion = VersionSSL30
|
2016-06-15 02:14:35 +01:00
|
|
|
maxVersion = VersionTLS13
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS record types.
|
|
|
|
type recordType uint8
|
|
|
|
|
|
|
|
const (
|
2017-07-14 15:39:28 +01:00
|
|
|
recordTypeChangeCipherSpec recordType = 20
|
|
|
|
recordTypeAlert recordType = 21
|
|
|
|
recordTypeHandshake recordType = 22
|
|
|
|
recordTypeApplicationData recordType = 23
|
|
|
|
recordTypePlaintextHandshake recordType = 24
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS handshake message types.
|
|
|
|
const (
|
2018-05-02 17:06:48 +01:00
|
|
|
typeHelloRequest uint8 = 0
|
|
|
|
typeClientHello uint8 = 1
|
|
|
|
typeServerHello uint8 = 2
|
|
|
|
typeHelloVerifyRequest uint8 = 3
|
|
|
|
typeNewSessionTicket uint8 = 4
|
2018-08-15 04:26:39 +01:00
|
|
|
typeEndOfEarlyData uint8 = 5
|
|
|
|
typeHelloRetryRequest uint8 = 6
|
|
|
|
typeEncryptedExtensions uint8 = 8
|
2018-05-02 17:06:48 +01:00
|
|
|
typeCertificate uint8 = 11
|
|
|
|
typeServerKeyExchange uint8 = 12
|
|
|
|
typeCertificateRequest uint8 = 13
|
|
|
|
typeServerHelloDone uint8 = 14
|
|
|
|
typeCertificateVerify uint8 = 15
|
|
|
|
typeClientKeyExchange uint8 = 16
|
|
|
|
typeFinished uint8 = 20
|
|
|
|
typeCertificateStatus uint8 = 22
|
2018-08-15 04:26:39 +01:00
|
|
|
typeKeyUpdate uint8 = 24
|
2018-05-02 17:06:48 +01:00
|
|
|
typeCompressedCertificate uint8 = 25 // Not IANA assigned
|
|
|
|
typeNextProtocol uint8 = 67 // Not IANA assigned
|
|
|
|
typeChannelID uint8 = 203 // Not IANA assigned
|
2018-08-15 04:26:39 +01:00
|
|
|
typeMessageHash uint8 = 254
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS compression types.
|
|
|
|
const (
|
|
|
|
compressionNone uint8 = 0
|
|
|
|
)
|
|
|
|
|
|
|
|
// TLS extension numbers
|
|
|
|
const (
|
2014-11-25 06:55:35 +00:00
|
|
|
extensionServerName uint16 = 0
|
|
|
|
extensionStatusRequest uint16 = 5
|
|
|
|
extensionSupportedCurves uint16 = 10
|
|
|
|
extensionSupportedPoints uint16 = 11
|
|
|
|
extensionSignatureAlgorithms uint16 = 13
|
|
|
|
extensionUseSRTP uint16 = 14
|
|
|
|
extensionALPN uint16 = 16
|
|
|
|
extensionSignedCertificateTimestamp uint16 = 18
|
2017-09-07 16:51:46 +01:00
|
|
|
extensionPadding uint16 = 21
|
2014-11-25 06:55:35 +00:00
|
|
|
extensionExtendedMasterSecret uint16 = 23
|
2017-09-21 23:02:22 +01:00
|
|
|
extensionTokenBinding uint16 = 24
|
2018-05-02 17:06:48 +01:00
|
|
|
extensionCompressedCertAlgs uint16 = 27
|
2014-11-25 06:55:35 +00:00
|
|
|
extensionSessionTicket uint16 = 35
|
2018-08-15 04:26:39 +01:00
|
|
|
extensionPreSharedKey uint16 = 41
|
|
|
|
extensionEarlyData uint16 = 42
|
|
|
|
extensionSupportedVersions uint16 = 43
|
|
|
|
extensionCookie uint16 = 44
|
|
|
|
extensionPSKKeyExchangeModes uint16 = 45
|
|
|
|
extensionCertificateAuthorities uint16 = 47
|
|
|
|
extensionSignatureAlgorithmsCert uint16 = 50
|
|
|
|
extensionKeyShare uint16 = 51
|
2015-07-31 04:01:27 +01:00
|
|
|
extensionCustom uint16 = 1234 // not IANA assigned
|
2014-11-25 06:55:35 +00:00
|
|
|
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
|
|
|
|
extensionRenegotiationInfo uint16 = 0xff01
|
2018-06-28 10:04:23 +01:00
|
|
|
extensionQUICTransportParams uint16 = 0xffa5 // draft-ietf-quic-tls-13
|
2018-07-18 02:26:05 +01:00
|
|
|
extensionChannelID uint16 = 30032 // not IANA assigned
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS signaling cipher suite values
|
|
|
|
const (
|
|
|
|
scsvRenegotiation uint16 = 0x00ff
|
|
|
|
)
|
|
|
|
|
2017-11-07 22:09:52 +00:00
|
|
|
var tls13HelloRetryRequest = []uint8{
|
|
|
|
0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c,
|
|
|
|
0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb,
|
|
|
|
0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
|
|
|
|
}
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// CurveID is the type of a TLS identifier for an elliptic curve. See
|
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
|
|
|
|
type CurveID uint16
|
|
|
|
|
|
|
|
const (
|
2015-12-19 03:13:41 +00:00
|
|
|
CurveP224 CurveID = 21
|
|
|
|
CurveP256 CurveID = 23
|
|
|
|
CurveP384 CurveID = 24
|
|
|
|
CurveP521 CurveID = 25
|
|
|
|
CurveX25519 CurveID = 29
|
2018-11-12 21:53:42 +00:00
|
|
|
CurveCECPQ2 CurveID = 16696
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS Elliptic Curve Point Formats
|
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
|
|
|
|
const (
|
2016-12-22 14:16:57 +00:00
|
|
|
pointFormatUncompressed uint8 = 0
|
|
|
|
pointFormatCompressedPrime uint8 = 1
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS CertificateStatusType (RFC 3546)
|
|
|
|
const (
|
|
|
|
statusTypeOCSP uint8 = 1
|
|
|
|
)
|
|
|
|
|
|
|
|
// Certificate types (for certificateRequestMsg)
|
|
|
|
const (
|
2014-07-08 22:30:11 +01:00
|
|
|
CertTypeRSASign = 1 // A certificate containing an RSA key
|
|
|
|
CertTypeDSSSign = 2 // A certificate containing a DSA key
|
|
|
|
CertTypeRSAFixedDH = 3 // A certificate containing a static DH key
|
|
|
|
CertTypeDSSFixedDH = 4 // A certificate containing a static DH key
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
// See RFC4492 sections 3 and 5.5.
|
2014-07-08 22:30:11 +01:00
|
|
|
CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
|
|
|
|
CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
|
|
|
|
CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
// Rest of these are reserved by the TLS spec
|
|
|
|
)
|
|
|
|
|
2016-06-21 23:19:24 +01:00
|
|
|
// signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note
|
|
|
|
// that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with
|
|
|
|
// TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature
|
|
|
|
// algorithms' throughout. We match the latter.
|
|
|
|
type signatureAlgorithm uint16
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
const (
|
2016-06-21 23:19:24 +01:00
|
|
|
// RSASSA-PKCS1-v1_5 algorithms
|
|
|
|
signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101
|
|
|
|
signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201
|
|
|
|
signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401
|
|
|
|
signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501
|
|
|
|
signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601
|
|
|
|
|
|
|
|
// ECDSA algorithms
|
|
|
|
signatureECDSAWithSHA1 signatureAlgorithm = 0x0203
|
|
|
|
signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403
|
|
|
|
signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503
|
|
|
|
signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603
|
|
|
|
|
|
|
|
// RSASSA-PSS algorithms
|
2016-09-21 19:38:06 +01:00
|
|
|
signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804
|
|
|
|
signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805
|
|
|
|
signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806
|
2016-06-21 23:19:24 +01:00
|
|
|
|
|
|
|
// EdDSA algorithms
|
2016-09-21 19:38:06 +01:00
|
|
|
signatureEd25519 signatureAlgorithm = 0x0807
|
|
|
|
signatureEd448 signatureAlgorithm = 0x0808
|
2014-06-20 20:00:00 +01:00
|
|
|
)
|
|
|
|
|
2016-07-09 19:21:54 +01:00
|
|
|
// supportedSignatureAlgorithms contains the default supported signature
|
|
|
|
// algorithms.
|
|
|
|
var supportedSignatureAlgorithms = []signatureAlgorithm{
|
|
|
|
signatureRSAPSSWithSHA256,
|
2016-06-21 23:19:24 +01:00
|
|
|
signatureRSAPKCS1WithSHA256,
|
|
|
|
signatureECDSAWithP256AndSHA256,
|
|
|
|
signatureRSAPKCS1WithSHA1,
|
|
|
|
signatureECDSAWithSHA1,
|
2017-03-29 00:28:44 +01:00
|
|
|
signatureEd25519,
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
2014-11-16 00:06:08 +00:00
|
|
|
// SRTP protection profiles (See RFC 5764, section 4.1.2)
|
|
|
|
const (
|
|
|
|
SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001
|
|
|
|
SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002
|
|
|
|
)
|
|
|
|
|
2018-08-15 04:26:39 +01:00
|
|
|
// PskKeyExchangeMode values (see RFC 8446, section 4.2.9)
|
2016-07-18 00:25:41 +01:00
|
|
|
const (
|
2016-09-01 17:29:49 +01:00
|
|
|
pskKEMode = 0
|
|
|
|
pskDHEKEMode = 1
|
|
|
|
)
|
|
|
|
|
2018-08-15 04:26:39 +01:00
|
|
|
// KeyUpdateRequest values (see RFC 8446, section 4.6.3)
|
2016-10-03 17:25:56 +01:00
|
|
|
const (
|
|
|
|
keyUpdateNotRequested = 0
|
|
|
|
keyUpdateRequested = 1
|
|
|
|
)
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// ConnectionState records basic TLS details about the connection.
|
|
|
|
type ConnectionState struct {
|
|
|
|
Version uint16 // TLS version used by the connection (e.g. VersionTLS12)
|
|
|
|
HandshakeComplete bool // TLS handshake is complete
|
|
|
|
DidResume bool // connection resumes a previous TLS connection
|
|
|
|
CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
|
|
|
|
NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos)
|
|
|
|
NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server
|
2014-09-06 18:21:53 +01:00
|
|
|
NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN
|
2014-06-20 20:00:00 +01:00
|
|
|
ServerName string // server name requested by client, if any (server side only)
|
|
|
|
PeerCertificates []*x509.Certificate // certificate chain presented by remote peer
|
|
|
|
VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates
|
2014-08-24 06:44:23 +01:00
|
|
|
ChannelID *ecdsa.PublicKey // the channel ID for this connection
|
2017-09-21 23:02:22 +01:00
|
|
|
TokenBindingNegotiated bool // whether Token Binding was negotiated
|
|
|
|
TokenBindingParam uint8 // the negotiated Token Binding key parameter
|
2014-11-16 00:06:08 +00:00
|
|
|
SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile
|
2015-09-12 23:28:38 +01:00
|
|
|
TLSUnique []byte // the tls-unique channel binding
|
2015-09-09 13:44:55 +01:00
|
|
|
SCTList []byte // signed certificate timestamp list
|
2016-06-21 23:19:24 +01:00
|
|
|
PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake
|
2016-07-18 17:40:30 +01:00
|
|
|
CurveID CurveID // the curve used in ECDHE
|
2017-12-22 23:50:43 +00:00
|
|
|
QUICTransportParams []byte // the QUIC transport params received from the peer
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// ClientAuthType declares the policy the server will follow for
|
|
|
|
// TLS Client Authentication.
|
|
|
|
type ClientAuthType int
|
|
|
|
|
|
|
|
const (
|
|
|
|
NoClientCert ClientAuthType = iota
|
|
|
|
RequestClientCert
|
|
|
|
RequireAnyClientCert
|
|
|
|
VerifyClientCertIfGiven
|
|
|
|
RequireAndVerifyClientCert
|
|
|
|
)
|
|
|
|
|
|
|
|
// ClientSessionState contains the state needed by clients to resume TLS
|
|
|
|
// sessions.
|
|
|
|
type ClientSessionState struct {
|
2014-11-17 08:19:02 +00:00
|
|
|
sessionId []uint8 // Session ID supplied by the server. nil if the session has a ticket.
|
2014-10-11 00:23:43 +01:00
|
|
|
sessionTicket []uint8 // Encrypted ticket used for session resumption with server
|
|
|
|
vers uint16 // SSL/TLS version negotiated for the session
|
2017-09-11 18:53:08 +01:00
|
|
|
wireVersion uint16 // Wire SSL/TLS version negotiated for the session
|
2014-10-11 00:23:43 +01:00
|
|
|
cipherSuite uint16 // Ciphersuite negotiated for the session
|
|
|
|
masterSecret []byte // MasterSecret generated by client on a full handshake
|
|
|
|
handshakeHash []byte // Handshake hash for Channel ID purposes.
|
|
|
|
serverCertificates []*x509.Certificate // Certificate chain presented by the server
|
|
|
|
extendedMasterSecret bool // Whether an extended master secret was used to generate the session
|
2015-09-16 10:03:30 +01:00
|
|
|
sctList []byte
|
|
|
|
ocspResponse []byte
|
2017-01-11 16:34:52 +00:00
|
|
|
earlyALPN string
|
2016-07-26 00:16:28 +01:00
|
|
|
ticketCreationTime time.Time
|
|
|
|
ticketExpiration time.Time
|
2016-11-01 17:39:36 +00:00
|
|
|
ticketAgeAdd uint32
|
2016-12-07 00:02:31 +00:00
|
|
|
maxEarlyDataSize uint32
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// ClientSessionCache is a cache of ClientSessionState objects that can be used
|
|
|
|
// by a client to resume a TLS session with a given server. ClientSessionCache
|
|
|
|
// implementations should expect to be called concurrently from different
|
|
|
|
// goroutines.
|
|
|
|
type ClientSessionCache interface {
|
|
|
|
// Get searches for a ClientSessionState associated with the given key.
|
|
|
|
// On return, ok is true if one was found.
|
|
|
|
Get(sessionKey string) (session *ClientSessionState, ok bool)
|
|
|
|
|
|
|
|
// Put adds the ClientSessionState to the cache with the given key.
|
|
|
|
Put(sessionKey string, cs *ClientSessionState)
|
|
|
|
}
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// ServerSessionCache is a cache of sessionState objects that can be used by a
|
|
|
|
// client to resume a TLS session with a given server. ServerSessionCache
|
|
|
|
// implementations should expect to be called concurrently from different
|
|
|
|
// goroutines.
|
|
|
|
type ServerSessionCache interface {
|
|
|
|
// Get searches for a sessionState associated with the given session
|
|
|
|
// ID. On return, ok is true if one was found.
|
|
|
|
Get(sessionId string) (session *sessionState, ok bool)
|
|
|
|
|
|
|
|
// Put adds the sessionState to the cache with the given session ID.
|
|
|
|
Put(sessionId string, session *sessionState)
|
|
|
|
}
|
|
|
|
|
2018-05-02 17:06:48 +01:00
|
|
|
// CertCompressionAlg is a certificate compression algorithm, specified as a
|
|
|
|
// pair of functions for compressing and decompressing certificates.
|
|
|
|
type CertCompressionAlg struct {
|
|
|
|
// Compress returns a compressed representation of the input.
|
|
|
|
Compress func([]byte) []byte
|
|
|
|
// Decompress depresses the contents of in and writes the result to out, which
|
|
|
|
// will be the correct size. It returns true on success and false otherwise.
|
|
|
|
Decompress func(out, in []byte) bool
|
|
|
|
}
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// A Config structure is used to configure a TLS client or server.
|
|
|
|
// After one has been passed to a TLS function it must not be
|
|
|
|
// modified. A Config may be reused; the tls package will also not
|
|
|
|
// modify it.
|
|
|
|
type Config struct {
|
|
|
|
// Rand provides the source of entropy for nonces and RSA blinding.
|
|
|
|
// If Rand is nil, TLS uses the cryptographic random reader in package
|
|
|
|
// crypto/rand.
|
|
|
|
// The Reader must be safe for use by multiple goroutines.
|
|
|
|
Rand io.Reader
|
|
|
|
|
|
|
|
// Time returns the current time as the number of seconds since the epoch.
|
|
|
|
// If Time is nil, TLS uses time.Now.
|
|
|
|
Time func() time.Time
|
|
|
|
|
|
|
|
// Certificates contains one or more certificate chains
|
|
|
|
// to present to the other side of the connection.
|
|
|
|
// Server configurations must include at least one certificate.
|
|
|
|
Certificates []Certificate
|
|
|
|
|
|
|
|
// NameToCertificate maps from a certificate name to an element of
|
|
|
|
// Certificates. Note that a certificate name can be of the form
|
|
|
|
// '*.example.com' and so doesn't have to be a domain name as such.
|
|
|
|
// See Config.BuildNameToCertificate
|
|
|
|
// The nil value causes the first element of Certificates to be used
|
|
|
|
// for all connections.
|
|
|
|
NameToCertificate map[string]*Certificate
|
|
|
|
|
|
|
|
// RootCAs defines the set of root certificate authorities
|
|
|
|
// that clients use when verifying server certificates.
|
|
|
|
// If RootCAs is nil, TLS uses the host's root CA set.
|
|
|
|
RootCAs *x509.CertPool
|
|
|
|
|
|
|
|
// NextProtos is a list of supported, application level protocols.
|
|
|
|
NextProtos []string
|
|
|
|
|
|
|
|
// ServerName is used to verify the hostname on the returned
|
|
|
|
// certificates unless InsecureSkipVerify is given. It is also included
|
|
|
|
// in the client's handshake to support virtual hosting.
|
|
|
|
ServerName string
|
|
|
|
|
|
|
|
// ClientAuth determines the server's policy for
|
|
|
|
// TLS Client Authentication. The default is NoClientCert.
|
|
|
|
ClientAuth ClientAuthType
|
|
|
|
|
|
|
|
// ClientCAs defines the set of root certificate authorities
|
|
|
|
// that servers use if required to verify a client certificate
|
|
|
|
// by the policy in ClientAuth.
|
|
|
|
ClientCAs *x509.CertPool
|
|
|
|
|
2014-07-08 22:30:11 +01:00
|
|
|
// ClientCertificateTypes defines the set of allowed client certificate
|
|
|
|
// types. The default is CertTypeRSASign and CertTypeECDSASign.
|
|
|
|
ClientCertificateTypes []byte
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// InsecureSkipVerify controls whether a client verifies the
|
|
|
|
// server's certificate chain and host name.
|
|
|
|
// If InsecureSkipVerify is true, TLS accepts any certificate
|
|
|
|
// presented by the server and any host name in that certificate.
|
|
|
|
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
|
|
|
// This should be used only for testing.
|
|
|
|
InsecureSkipVerify bool
|
|
|
|
|
|
|
|
// CipherSuites is a list of supported cipher suites. If CipherSuites
|
|
|
|
// is nil, TLS uses a list of suites supported by the implementation.
|
|
|
|
CipherSuites []uint16
|
|
|
|
|
|
|
|
// PreferServerCipherSuites controls whether the server selects the
|
|
|
|
// client's most preferred ciphersuite, or the server's most preferred
|
|
|
|
// ciphersuite. If true then the server's preference, as expressed in
|
|
|
|
// the order of elements in CipherSuites, is used.
|
|
|
|
PreferServerCipherSuites bool
|
|
|
|
|
|
|
|
// SessionTicketsDisabled may be set to true to disable session ticket
|
|
|
|
// (resumption) support.
|
|
|
|
SessionTicketsDisabled bool
|
|
|
|
|
|
|
|
// SessionTicketKey is used by TLS servers to provide session
|
|
|
|
// resumption. See RFC 5077. If zero, it will be filled with
|
|
|
|
// random data before the first server handshake.
|
|
|
|
//
|
|
|
|
// If multiple servers are terminating connections for the same host
|
|
|
|
// they should all have the same SessionTicketKey. If the
|
|
|
|
// SessionTicketKey leaks, previously recorded and future TLS
|
|
|
|
// connections using that key are compromised.
|
|
|
|
SessionTicketKey [32]byte
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// ClientSessionCache is a cache of ClientSessionState entries
|
|
|
|
// for TLS session resumption.
|
2014-06-20 20:00:00 +01:00
|
|
|
ClientSessionCache ClientSessionCache
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// ServerSessionCache is a cache of sessionState entries for TLS session
|
|
|
|
// resumption.
|
|
|
|
ServerSessionCache ServerSessionCache
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// MinVersion contains the minimum SSL/TLS version that is acceptable.
|
|
|
|
// If zero, then SSLv3 is taken as the minimum.
|
|
|
|
MinVersion uint16
|
|
|
|
|
|
|
|
// MaxVersion contains the maximum SSL/TLS version that is acceptable.
|
|
|
|
// If zero, then the maximum version supported by this package is used,
|
|
|
|
// which is currently TLS 1.2.
|
|
|
|
MaxVersion uint16
|
|
|
|
|
2017-06-13 17:45:25 +01:00
|
|
|
// TLS13Variant is the variant of TLS 1.3 to use.
|
|
|
|
TLS13Variant int
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// CurvePreferences contains the elliptic curves that will be used in
|
|
|
|
// an ECDHE handshake, in preference order. If empty, the default will
|
|
|
|
// be used.
|
|
|
|
CurvePreferences []CurveID
|
|
|
|
|
2016-07-16 16:47:31 +01:00
|
|
|
// DefaultCurves contains the elliptic curves for which public values will
|
|
|
|
// be sent in the ClientHello's KeyShare extension. If this value is nil,
|
|
|
|
// all supported curves will have public values sent. This field is ignored
|
|
|
|
// on servers.
|
|
|
|
DefaultCurves []CurveID
|
|
|
|
|
2014-08-24 06:44:23 +01:00
|
|
|
// ChannelID contains the ECDSA key for the client to use as
|
|
|
|
// its TLS Channel ID.
|
|
|
|
ChannelID *ecdsa.PrivateKey
|
|
|
|
|
|
|
|
// RequestChannelID controls whether the server requests a TLS
|
|
|
|
// Channel ID. If negotiated, the client's public key is
|
|
|
|
// returned in the ConnectionState.
|
|
|
|
RequestChannelID bool
|
|
|
|
|
2017-09-21 23:02:22 +01:00
|
|
|
// TokenBindingParams contains a list of TokenBindingKeyParameters
|
|
|
|
// (draft-ietf-tokbind-protocol-16) to attempt to negotiate. If
|
|
|
|
// nil, Token Binding will not be negotiated.
|
|
|
|
TokenBindingParams []byte
|
|
|
|
|
|
|
|
// TokenBindingVersion contains the serialized ProtocolVersion to
|
|
|
|
// use when negotiating Token Binding.
|
|
|
|
TokenBindingVersion uint16
|
|
|
|
|
|
|
|
// ExpectTokenBindingParams is checked by a server that the client
|
|
|
|
// sent ExpectTokenBindingParams as its list of Token Binding
|
|
|
|
// paramters.
|
|
|
|
ExpectTokenBindingParams []byte
|
|
|
|
|
2014-10-27 05:06:24 +00:00
|
|
|
// PreSharedKey, if not nil, is the pre-shared key to use with
|
|
|
|
// the PSK cipher suites.
|
|
|
|
PreSharedKey []byte
|
|
|
|
|
|
|
|
// PreSharedKeyIdentity, if not empty, is the identity to use
|
|
|
|
// with the PSK cipher suites.
|
|
|
|
PreSharedKeyIdentity string
|
|
|
|
|
2016-12-20 01:38:41 +00:00
|
|
|
// MaxEarlyDataSize controls the maximum number of bytes that the
|
|
|
|
// server will accept in early data and advertise in a
|
|
|
|
// NewSessionTicketMsg. If 0, no early data will be accepted and
|
2017-10-11 17:29:36 +01:00
|
|
|
// the early_data extension in the NewSessionTicketMsg will be omitted.
|
2016-12-20 01:38:41 +00:00
|
|
|
MaxEarlyDataSize uint32
|
|
|
|
|
2014-11-16 00:06:08 +00:00
|
|
|
// SRTPProtectionProfiles, if not nil, is the list of SRTP
|
|
|
|
// protection profiles to offer in DTLS-SRTP.
|
|
|
|
SRTPProtectionProfiles []uint16
|
|
|
|
|
2016-07-09 19:21:54 +01:00
|
|
|
// SignSignatureAlgorithms, if not nil, overrides the default set of
|
|
|
|
// supported signature algorithms to sign with.
|
|
|
|
SignSignatureAlgorithms []signatureAlgorithm
|
|
|
|
|
|
|
|
// VerifySignatureAlgorithms, if not nil, overrides the default set of
|
|
|
|
// supported signature algorithms that are accepted.
|
|
|
|
VerifySignatureAlgorithms []signatureAlgorithm
|
2014-11-14 06:43:59 +00:00
|
|
|
|
2017-12-22 23:50:43 +00:00
|
|
|
// QUICTransportParams, if not empty, will be sent in the QUIC
|
|
|
|
// transport parameters extension.
|
|
|
|
QUICTransportParams []byte
|
|
|
|
|
2018-05-02 17:06:48 +01:00
|
|
|
CertCompressionAlgs map[uint16]CertCompressionAlg
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// Bugs specifies optional misbehaviour to be used for testing other
|
|
|
|
// implementations.
|
|
|
|
Bugs ProtocolBugs
|
|
|
|
|
|
|
|
serverInitOnce sync.Once // guards calling (*Config).serverInit
|
|
|
|
}
|
|
|
|
|
|
|
|
type BadValue int
|
|
|
|
|
|
|
|
const (
|
|
|
|
BadValueNone BadValue = iota
|
|
|
|
BadValueNegative
|
|
|
|
BadValueZero
|
|
|
|
BadValueLimit
|
|
|
|
BadValueLarge
|
|
|
|
NumBadValues
|
|
|
|
)
|
|
|
|
|
2015-12-01 23:53:13 +00:00
|
|
|
type RSABadValue int
|
|
|
|
|
|
|
|
const (
|
|
|
|
RSABadValueNone RSABadValue = iota
|
|
|
|
RSABadValueCorrupt
|
|
|
|
RSABadValueTooLong
|
|
|
|
RSABadValueTooShort
|
2017-10-13 04:07:45 +01:00
|
|
|
RSABadValueWrongVersion1
|
|
|
|
RSABadValueWrongVersion2
|
|
|
|
RSABadValueWrongBlockType
|
|
|
|
RSABadValueWrongLeadingByte
|
|
|
|
RSABadValueNoZero
|
2015-12-01 23:53:13 +00:00
|
|
|
NumRSABadValues
|
|
|
|
)
|
|
|
|
|
2018-04-08 18:59:25 +01:00
|
|
|
type RSAPSSSupport int
|
|
|
|
|
|
|
|
const (
|
|
|
|
RSAPSSSupportAny RSAPSSSupport = iota
|
|
|
|
RSAPSSSupportNone
|
|
|
|
RSAPSSSupportOnlineSignatureOnly
|
|
|
|
RSAPSSSupportBoth
|
|
|
|
)
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
type ProtocolBugs struct {
|
2016-07-14 02:43:25 +01:00
|
|
|
// InvalidSignature specifies that the signature in a ServerKeyExchange
|
|
|
|
// or CertificateVerify message should be invalid.
|
|
|
|
InvalidSignature bool
|
2015-07-29 03:43:19 +01:00
|
|
|
|
2016-07-18 17:40:30 +01:00
|
|
|
// SendCurve, if non-zero, causes the server to send the specified curve
|
|
|
|
// ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather
|
|
|
|
// than the negotiated one.
|
2016-06-29 23:13:53 +01:00
|
|
|
SendCurve CurveID
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2016-03-02 05:23:57 +00:00
|
|
|
// InvalidECDHPoint, if true, causes the ECC points in
|
|
|
|
// ServerKeyExchange or ClientKeyExchange messages to be invalid.
|
|
|
|
InvalidECDHPoint bool
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// BadECDSAR controls ways in which the 'r' value of an ECDSA signature
|
|
|
|
// can be invalid.
|
|
|
|
BadECDSAR BadValue
|
|
|
|
BadECDSAS BadValue
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
// MaxPadding causes CBC records to have the maximum possible padding.
|
|
|
|
MaxPadding bool
|
|
|
|
// PaddingFirstByteBad causes the first byte of the padding to be
|
|
|
|
// incorrect.
|
|
|
|
PaddingFirstByteBad bool
|
|
|
|
// PaddingFirstByteBadIf255 causes the first byte of padding to be
|
|
|
|
// incorrect if there's a maximum amount of padding (i.e. 255 bytes).
|
|
|
|
PaddingFirstByteBadIf255 bool
|
2014-06-23 20:03:11 +01:00
|
|
|
|
|
|
|
// FailIfNotFallbackSCSV causes a server handshake to fail if the
|
|
|
|
// client doesn't send the fallback SCSV value.
|
|
|
|
FailIfNotFallbackSCSV bool
|
2014-07-05 05:23:20 +01:00
|
|
|
|
|
|
|
// DuplicateExtension causes an extra empty extension of bogus type to
|
|
|
|
// be emitted in either the ClientHello or the ServerHello.
|
|
|
|
DuplicateExtension bool
|
2014-07-12 05:48:23 +01:00
|
|
|
|
|
|
|
// UnauthenticatedECDH causes the server to pretend ECDHE_RSA
|
|
|
|
// and ECDHE_ECDSA cipher suites are actually ECDH_anon. No
|
|
|
|
// Certificate message is sent and no signature is added to
|
|
|
|
// ServerKeyExchange.
|
|
|
|
UnauthenticatedECDH bool
|
2014-07-12 18:27:45 +01:00
|
|
|
|
2015-02-08 23:30:14 +00:00
|
|
|
// SkipHelloVerifyRequest causes a DTLS server to skip the
|
|
|
|
// HelloVerifyRequest message.
|
|
|
|
SkipHelloVerifyRequest bool
|
|
|
|
|
2015-04-20 23:26:52 +01:00
|
|
|
// SkipCertificateStatus, if true, causes the server to skip the
|
|
|
|
// CertificateStatus message. This is legal because CertificateStatus is
|
|
|
|
// optional, even with a status_request in ServerHello.
|
|
|
|
SkipCertificateStatus bool
|
|
|
|
|
2014-07-12 18:27:45 +01:00
|
|
|
// SkipServerKeyExchange causes the server to skip sending
|
|
|
|
// ServerKeyExchange messages.
|
|
|
|
SkipServerKeyExchange bool
|
2014-07-19 22:39:58 +01:00
|
|
|
|
2015-02-08 23:30:14 +00:00
|
|
|
// SkipNewSessionTicket causes the server to skip sending the
|
|
|
|
// NewSessionTicket message despite promising to in ServerHello.
|
|
|
|
SkipNewSessionTicket bool
|
|
|
|
|
2017-10-10 16:45:01 +01:00
|
|
|
// UseFirstSessionTicket causes the client to cache only the first session
|
|
|
|
// ticket received.
|
|
|
|
UseFirstSessionTicket bool
|
|
|
|
|
2016-03-10 20:44:22 +00:00
|
|
|
// SkipClientCertificate causes the client to skip the Certificate
|
|
|
|
// message.
|
|
|
|
SkipClientCertificate bool
|
|
|
|
|
2014-07-19 22:39:58 +01:00
|
|
|
// SkipChangeCipherSpec causes the implementation to skip
|
|
|
|
// sending the ChangeCipherSpec message (and adjusting cipher
|
|
|
|
// state accordingly for the Finished message).
|
|
|
|
SkipChangeCipherSpec bool
|
2014-07-22 03:42:34 +01:00
|
|
|
|
2015-02-08 23:30:14 +00:00
|
|
|
// SkipFinished causes the implementation to skip sending the Finished
|
|
|
|
// message.
|
|
|
|
SkipFinished bool
|
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// SkipEndOfEarlyData causes the implementation to skip
|
|
|
|
// end_of_early_data.
|
2017-03-26 19:54:21 +01:00
|
|
|
SkipEndOfEarlyData bool
|
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the
|
|
|
|
// EndOfEarlyData.
|
|
|
|
NonEmptyEndOfEarlyData bool
|
|
|
|
|
2017-08-10 17:01:06 +01:00
|
|
|
// SkipCertificateVerify, if true causes peer to skip sending a
|
|
|
|
// CertificateVerify message after the Certificate message.
|
|
|
|
SkipCertificateVerify bool
|
|
|
|
|
2014-07-22 03:42:34 +01:00
|
|
|
// EarlyChangeCipherSpec causes the client to send an early
|
|
|
|
// ChangeCipherSpec message before the ClientKeyExchange. A value of
|
2017-10-06 23:33:23 +01:00
|
|
|
// zero disables this behavior. One and two configure variants for
|
|
|
|
// 1.0.1 and 0.9.8 modes, respectively.
|
2014-07-22 03:42:34 +01:00
|
|
|
EarlyChangeCipherSpec int
|
2014-07-23 20:09:48 +01:00
|
|
|
|
2016-06-22 22:05:13 +01:00
|
|
|
// StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake
|
|
|
|
// message in DTLS to be prefaced by stray ChangeCipherSpec record. This
|
|
|
|
// may be used to test DTLS's handling of reordered ChangeCipherSpec.
|
|
|
|
StrayChangeCipherSpec bool
|
|
|
|
|
2017-06-26 03:42:55 +01:00
|
|
|
// ReorderChangeCipherSpec causes the ChangeCipherSpec message to be
|
|
|
|
// sent at start of each flight in DTLS. Unlike EarlyChangeCipherSpec,
|
|
|
|
// the cipher change happens at the usual time.
|
|
|
|
ReorderChangeCipherSpec bool
|
|
|
|
|
2014-07-21 21:14:03 +01:00
|
|
|
// FragmentAcrossChangeCipherSpec causes the implementation to fragment
|
|
|
|
// the Finished (or NextProto) message around the ChangeCipherSpec
|
|
|
|
// messages.
|
|
|
|
FragmentAcrossChangeCipherSpec bool
|
|
|
|
|
2017-11-07 22:09:52 +00:00
|
|
|
// SendExtraChangeCipherSpec causes the implementation to send extra
|
|
|
|
// ChangeCipherSpec messages.
|
|
|
|
SendExtraChangeCipherSpec int
|
|
|
|
|
2017-11-14 03:10:49 +00:00
|
|
|
// SendPostHandshakeChangeCipherSpec causes the implementation to send
|
|
|
|
// a ChangeCipherSpec record before every application data record.
|
|
|
|
SendPostHandshakeChangeCipherSpec bool
|
|
|
|
|
2016-07-15 04:10:43 +01:00
|
|
|
// SendUnencryptedFinished, if true, causes the Finished message to be
|
|
|
|
// send unencrypted before ChangeCipherSpec rather than after it.
|
|
|
|
SendUnencryptedFinished bool
|
|
|
|
|
2016-07-15 04:36:30 +01:00
|
|
|
// PartialEncryptedExtensionsWithServerHello, if true, causes the TLS
|
|
|
|
// 1.3 server to send part of EncryptedExtensions unencrypted
|
|
|
|
// in the same record as ServerHello.
|
|
|
|
PartialEncryptedExtensionsWithServerHello bool
|
|
|
|
|
|
|
|
// PartialClientFinishedWithClientHello, if true, causes the TLS 1.3
|
|
|
|
// client to send part of Finished unencrypted in the same record as
|
|
|
|
// ClientHello.
|
|
|
|
PartialClientFinishedWithClientHello bool
|
|
|
|
|
2014-08-02 09:07:12 +01:00
|
|
|
// SendV2ClientHello causes the client to send a V2ClientHello
|
|
|
|
// instead of a normal ClientHello.
|
|
|
|
SendV2ClientHello bool
|
2014-08-02 09:22:02 +01:00
|
|
|
|
|
|
|
// SendFallbackSCSV causes the client to include
|
|
|
|
// TLS_FALLBACK_SCSV in the ClientHello.
|
|
|
|
SendFallbackSCSV bool
|
2014-08-05 07:28:57 +01:00
|
|
|
|
2015-06-13 02:27:58 +01:00
|
|
|
// SendRenegotiationSCSV causes the client to include the renegotiation
|
|
|
|
// SCSV in the ClientHello.
|
|
|
|
SendRenegotiationSCSV bool
|
|
|
|
|
2014-08-05 07:28:57 +01:00
|
|
|
// MaxHandshakeRecordLength, if non-zero, is the maximum size of a
|
2014-08-07 23:02:39 +01:00
|
|
|
// handshake record. Handshake messages will be split into multiple
|
|
|
|
// records at the specified size, except that the client_version will
|
2015-05-29 23:48:16 +01:00
|
|
|
// never be fragmented. For DTLS, it is the maximum handshake fragment
|
|
|
|
// size, not record size; DTLS allows multiple handshake fragments in a
|
|
|
|
// single handshake record. See |PackHandshakeFragments|.
|
2014-08-05 07:28:57 +01:00
|
|
|
MaxHandshakeRecordLength int
|
2014-08-07 03:11:10 +01:00
|
|
|
|
2014-08-07 23:02:39 +01:00
|
|
|
// FragmentClientVersion will allow MaxHandshakeRecordLength to apply to
|
|
|
|
// the first 6 bytes of the ClientHello.
|
|
|
|
FragmentClientVersion bool
|
|
|
|
|
2014-11-01 23:39:08 +00:00
|
|
|
// FragmentAlert will cause all alerts to be fragmented across
|
|
|
|
// two records.
|
|
|
|
FragmentAlert bool
|
|
|
|
|
2016-03-12 03:25:18 +00:00
|
|
|
// DoubleAlert will cause all alerts to be sent as two copies packed
|
|
|
|
// within one record.
|
|
|
|
DoubleAlert bool
|
|
|
|
|
2015-02-03 21:07:32 +00:00
|
|
|
// SendSpuriousAlert, if non-zero, will cause an spurious, unwanted
|
|
|
|
// alert to be sent.
|
|
|
|
SendSpuriousAlert alert
|
2014-11-01 23:39:08 +00:00
|
|
|
|
2015-12-01 23:53:13 +00:00
|
|
|
// BadRSAClientKeyExchange causes the client to send a corrupted RSA
|
|
|
|
// ClientKeyExchange which would not pass padding checks.
|
|
|
|
BadRSAClientKeyExchange RSABadValue
|
2014-08-08 00:13:38 +01:00
|
|
|
|
|
|
|
// RenewTicketOnResume causes the server to renew the session ticket and
|
|
|
|
// send a NewSessionTicket message during an abbreviated handshake.
|
|
|
|
RenewTicketOnResume bool
|
2014-08-08 18:24:34 +01:00
|
|
|
|
2016-09-26 23:30:05 +01:00
|
|
|
// SendClientVersion, if non-zero, causes the client to send the
|
|
|
|
// specified value in the ClientHello version field.
|
2014-08-08 18:24:34 +01:00
|
|
|
SendClientVersion uint16
|
2014-08-04 06:23:53 +01:00
|
|
|
|
2016-09-15 21:27:05 +01:00
|
|
|
// OmitSupportedVersions, if true, causes the client to omit the
|
|
|
|
// supported versions extension.
|
|
|
|
OmitSupportedVersions bool
|
|
|
|
|
|
|
|
// SendSupportedVersions, if non-empty, causes the client to send a
|
|
|
|
// supported versions extension with the values from array.
|
|
|
|
SendSupportedVersions []uint16
|
|
|
|
|
2016-07-10 17:20:35 +01:00
|
|
|
// NegotiateVersion, if non-zero, causes the server to negotiate the
|
2017-06-20 15:55:02 +01:00
|
|
|
// specifed wire version rather than the version supported by either
|
2016-07-10 17:20:35 +01:00
|
|
|
// peer.
|
|
|
|
NegotiateVersion uint16
|
|
|
|
|
2016-08-08 17:39:41 +01:00
|
|
|
// NegotiateVersionOnRenego, if non-zero, causes the server to negotiate
|
2017-06-20 15:55:02 +01:00
|
|
|
// the specified wire version on renegotiation rather than retaining it.
|
2016-08-08 17:39:41 +01:00
|
|
|
NegotiateVersionOnRenego uint16
|
|
|
|
|
2014-08-24 08:47:07 +01:00
|
|
|
// ExpectFalseStart causes the server to, on full handshakes,
|
|
|
|
// expect the peer to False Start; the server Finished message
|
|
|
|
// isn't sent until we receive an application data record
|
|
|
|
// from the peer.
|
|
|
|
ExpectFalseStart bool
|
2014-08-31 05:59:27 +01:00
|
|
|
|
2015-04-03 01:19:11 +01:00
|
|
|
// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
|
|
|
|
// handshakes, send an alert just before reading the application data
|
|
|
|
// record to test False Start. This can be used in a negative False
|
|
|
|
// Start test to determine whether the peer processed the alert (and
|
|
|
|
// closed the connection) before or after sending app data.
|
|
|
|
AlertBeforeFalseStartTest alert
|
|
|
|
|
2014-09-06 17:45:15 +01:00
|
|
|
// ExpectServerName, if not empty, is the hostname the client
|
|
|
|
// must specify in the server_name extension.
|
|
|
|
ExpectServerName string
|
2014-09-06 18:21:53 +01:00
|
|
|
|
2015-08-31 19:24:29 +01:00
|
|
|
// SwapNPNAndALPN switches the relative order between NPN and ALPN in
|
|
|
|
// both ClientHello and ServerHello.
|
2014-09-06 18:21:53 +01:00
|
|
|
SwapNPNAndALPN bool
|
2014-09-24 20:21:44 +01:00
|
|
|
|
2015-07-09 19:35:04 +01:00
|
|
|
// ALPNProtocol, if not nil, sets the ALPN protocol that a server will
|
|
|
|
// return.
|
|
|
|
ALPNProtocol *string
|
|
|
|
|
2016-08-08 22:25:07 +01:00
|
|
|
// AcceptAnySession causes the server to resume sessions regardless of
|
|
|
|
// the version associated with the session or cipher suite. It also
|
|
|
|
// causes the server to look in both TLS 1.2 and 1.3 extensions to
|
|
|
|
// process a ticket.
|
|
|
|
AcceptAnySession bool
|
|
|
|
|
|
|
|
// SendBothTickets, if true, causes the client to send tickets in both
|
|
|
|
// TLS 1.2 and 1.3 extensions.
|
|
|
|
SendBothTickets bool
|
2014-10-17 03:04:35 +01:00
|
|
|
|
2016-11-01 17:58:25 +00:00
|
|
|
// FilterTicket, if not nil, causes the client to modify a session
|
|
|
|
// ticket before sending it in a resume handshake.
|
|
|
|
FilterTicket func([]byte) ([]byte, error)
|
2014-10-17 03:04:35 +01:00
|
|
|
|
2017-02-09 19:07:17 +00:00
|
|
|
// TicketSessionIDLength, if non-zero, is the length of the session ID
|
|
|
|
// to send with a ticket resumption offer.
|
|
|
|
TicketSessionIDLength int
|
|
|
|
|
|
|
|
// EmptyTicketSessionID, if true, causes the client to send an empty
|
|
|
|
// session ID with a ticket resumption offer. For simplicity, this will
|
|
|
|
// also cause the client to interpret a ServerHello with empty session
|
|
|
|
// ID as a resumption. (A client which sends empty session ID is
|
|
|
|
// normally expected to look ahead for ChangeCipherSpec.)
|
|
|
|
EmptyTicketSessionID bool
|
2014-10-11 00:23:43 +01:00
|
|
|
|
2017-07-17 16:12:34 +01:00
|
|
|
// SendClientHelloSessionID, if not nil, is the session ID sent in the
|
|
|
|
// ClientHello.
|
|
|
|
SendClientHelloSessionID []byte
|
|
|
|
|
|
|
|
// ExpectClientHelloSessionID, if true, causes the server to fail the
|
2018-01-26 21:33:12 +00:00
|
|
|
// connection if there is not a session ID in the ClientHello.
|
2017-07-17 16:12:34 +01:00
|
|
|
ExpectClientHelloSessionID bool
|
|
|
|
|
2018-01-26 21:33:12 +00:00
|
|
|
// EchoSessionIDInFullHandshake, if true, causes the server to echo the
|
|
|
|
// ClientHello session ID, even in TLS 1.2 full handshakes.
|
|
|
|
EchoSessionIDInFullHandshake bool
|
|
|
|
|
2016-08-08 22:25:07 +01:00
|
|
|
// ExpectNoTLS12Session, if true, causes the server to fail the
|
|
|
|
// connection if either a session ID or TLS 1.2 ticket is offered.
|
|
|
|
ExpectNoTLS12Session bool
|
|
|
|
|
|
|
|
// ExpectNoTLS13PSK, if true, causes the server to fail the connection
|
|
|
|
// if a TLS 1.3 PSK is offered.
|
|
|
|
ExpectNoTLS13PSK bool
|
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection
|
|
|
|
// if a TLS 1.3 PSK is offered after HRR.
|
|
|
|
ExpectNoTLS13PSKAfterHRR bool
|
|
|
|
|
2014-10-11 00:23:43 +01:00
|
|
|
// RequireExtendedMasterSecret, if true, requires that the peer support
|
|
|
|
// the extended master secret option.
|
|
|
|
RequireExtendedMasterSecret bool
|
|
|
|
|
2014-11-08 17:31:52 +00:00
|
|
|
// NoExtendedMasterSecret causes the client and server to behave as if
|
2016-08-30 04:14:17 +01:00
|
|
|
// they didn't support an extended master secret in the initial
|
|
|
|
// handshake.
|
2014-10-11 00:23:43 +01:00
|
|
|
NoExtendedMasterSecret bool
|
2014-10-29 00:29:33 +00:00
|
|
|
|
2016-08-30 04:14:17 +01:00
|
|
|
// NoExtendedMasterSecretOnRenegotiation causes the client and server to
|
|
|
|
// behave as if they didn't support an extended master secret in
|
|
|
|
// renegotiation handshakes.
|
|
|
|
NoExtendedMasterSecretOnRenegotiation bool
|
|
|
|
|
2014-10-29 00:29:33 +00:00
|
|
|
// EmptyRenegotiationInfo causes the renegotiation extension to be
|
|
|
|
// empty in a renegotiation handshake.
|
|
|
|
EmptyRenegotiationInfo bool
|
|
|
|
|
|
|
|
// BadRenegotiationInfo causes the renegotiation extension value in a
|
2017-07-01 05:31:27 +01:00
|
|
|
// renegotiation handshake to be incorrect at the start.
|
2014-10-29 00:29:33 +00:00
|
|
|
BadRenegotiationInfo bool
|
2014-11-07 06:48:35 +00:00
|
|
|
|
2017-07-01 05:31:27 +01:00
|
|
|
// BadRenegotiationInfoEnd causes the renegotiation extension value in
|
|
|
|
// a renegotiation handshake to be incorrect at the end.
|
|
|
|
BadRenegotiationInfoEnd bool
|
|
|
|
|
2015-11-26 01:10:31 +00:00
|
|
|
// NoRenegotiationInfo disables renegotiation info support in all
|
|
|
|
// handshakes.
|
2014-11-08 17:31:52 +00:00
|
|
|
NoRenegotiationInfo bool
|
|
|
|
|
2015-11-26 01:10:31 +00:00
|
|
|
// NoRenegotiationInfoInInitial disables renegotiation info support in
|
|
|
|
// the initial handshake.
|
|
|
|
NoRenegotiationInfoInInitial bool
|
|
|
|
|
|
|
|
// NoRenegotiationInfoAfterInitial disables renegotiation info support
|
|
|
|
// in renegotiation handshakes.
|
|
|
|
NoRenegotiationInfoAfterInitial bool
|
|
|
|
|
2015-06-13 02:27:58 +01:00
|
|
|
// RequireRenegotiationInfo, if true, causes the client to return an
|
|
|
|
// error if the server doesn't reply with the renegotiation extension.
|
|
|
|
RequireRenegotiationInfo bool
|
|
|
|
|
2015-07-25 23:29:23 +01:00
|
|
|
// SequenceNumberMapping, if non-nil, is the mapping function to apply
|
|
|
|
// to the sequence number of outgoing packets. For both TLS and DTLS,
|
|
|
|
// the two most-significant bytes in the resulting sequence number are
|
|
|
|
// ignored so that the DTLS epoch cannot be changed.
|
|
|
|
SequenceNumberMapping func(uint64) uint64
|
2014-11-08 16:41:14 +00:00
|
|
|
|
2015-02-26 20:16:22 +00:00
|
|
|
// RSAEphemeralKey, if true, causes the server to send a
|
|
|
|
// ServerKeyExchange message containing an ephemeral key (as in
|
|
|
|
// RSA_EXPORT) in the plain RSA key exchange.
|
|
|
|
RSAEphemeralKey bool
|
2014-11-16 00:06:08 +00:00
|
|
|
|
|
|
|
// SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the
|
|
|
|
// client offers when negotiating SRTP. MKI support is still missing so
|
|
|
|
// the peer must still send none.
|
|
|
|
SRTPMasterKeyIdentifer string
|
|
|
|
|
|
|
|
// SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the
|
|
|
|
// server sends in the ServerHello instead of the negotiated one.
|
|
|
|
SendSRTPProtectionProfile uint16
|
2014-11-14 06:43:59 +00:00
|
|
|
|
2016-06-21 23:19:24 +01:00
|
|
|
// NoSignatureAlgorithms, if true, causes the client to omit the
|
2014-11-14 06:43:59 +00:00
|
|
|
// signature and hashes extension.
|
|
|
|
//
|
|
|
|
// For a server, it will cause an empty list to be sent in the
|
|
|
|
// CertificateRequest message. None the less, the configured set will
|
|
|
|
// still be enforced.
|
2016-06-21 23:19:24 +01:00
|
|
|
NoSignatureAlgorithms bool
|
2014-11-23 17:11:01 +00:00
|
|
|
|
2015-04-20 19:45:55 +01:00
|
|
|
// NoSupportedCurves, if true, causes the client to omit the
|
|
|
|
// supported_curves extension.
|
|
|
|
NoSupportedCurves bool
|
|
|
|
|
2014-11-23 17:11:01 +00:00
|
|
|
// RequireSameRenegoClientVersion, if true, causes the server
|
|
|
|
// to require that all ClientHellos match in offered version
|
|
|
|
// across a renego.
|
|
|
|
RequireSameRenegoClientVersion bool
|
2014-11-22 06:47:56 +00:00
|
|
|
|
2016-09-27 00:20:48 +01:00
|
|
|
// ExpectInitialRecordVersion, if non-zero, is the expected value of
|
2016-11-08 19:28:24 +00:00
|
|
|
// record-layer version field before the protocol version is determined.
|
2014-12-10 07:27:24 +00:00
|
|
|
ExpectInitialRecordVersion uint16
|
2016-11-08 19:28:24 +00:00
|
|
|
|
|
|
|
// SendRecordVersion, if non-zero, is the value to send as the
|
|
|
|
// record-layer version.
|
|
|
|
SendRecordVersion uint16
|
|
|
|
|
|
|
|
// SendInitialRecordVersion, if non-zero, is the value to send as the
|
|
|
|
// record-layer version before the protocol version is determined.
|
|
|
|
SendInitialRecordVersion uint16
|
2015-01-11 21:29:36 +00:00
|
|
|
|
|
|
|
// MaxPacketLength, if non-zero, is the maximum acceptable size for a
|
|
|
|
// packet.
|
|
|
|
MaxPacketLength int
|
2014-12-27 06:50:38 +00:00
|
|
|
|
|
|
|
// SendCipherSuite, if non-zero, is the cipher suite value that the
|
|
|
|
// server will send in the ServerHello. This does not affect the cipher
|
|
|
|
// the server believes it has actually negotiated.
|
|
|
|
SendCipherSuite uint16
|
2015-01-26 04:52:39 +00:00
|
|
|
|
2016-11-12 03:36:06 +00:00
|
|
|
// SendCipherSuites, if not nil, is the cipher suite list that the
|
|
|
|
// client will send in the ClientHello. This does not affect the cipher
|
|
|
|
// the client believes it has actually offered.
|
|
|
|
SendCipherSuites []uint16
|
|
|
|
|
2015-08-22 06:35:43 +01:00
|
|
|
// AppDataBeforeHandshake, if not nil, causes application data to be
|
|
|
|
// sent immediately before the first handshake message.
|
|
|
|
AppDataBeforeHandshake []byte
|
|
|
|
|
|
|
|
// AppDataAfterChangeCipherSpec, if not nil, causes application data to
|
2015-01-26 04:52:39 +00:00
|
|
|
// be sent immediately after ChangeCipherSpec.
|
|
|
|
AppDataAfterChangeCipherSpec []byte
|
Add DTLS timeout and retransmit tests.
This extends the packet adaptor protocol to send three commands:
type command =
| Packet of []byte
| Timeout of time.Duration
| TimeoutAck
When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the
BIO_read, returns out of the SSL stack, advances the clock, calls
DTLSv1_handle_timeout, and continues.
If the Go side sends Timeout right between sending handshake flight N and
reading flight N+1, the shim won't read the Timeout until it has sent flight
N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes
after N+1. Go then drops all packets before the TimeoutAck, thus dropping one
transmit of flight N+1 without having to actually process the packets to
determine the end of the flight. The shim then sees the updated clock, calls
DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real.
When dropping packets, Go checks the epoch and increments sequence numbers so
that we can continue to be strict here. This requires tracking the initial
sequence number of the next epoch.
The final Finished message takes an additional special-case to test. DTLS
triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only
implements the former which should be sufficient (and is necessary) EXCEPT for
the final Finished message. If the peer's final Finished message is lost, it
won't be waiting for a message from us, so it won't time out anything. That
retransmit must be triggered on stale message, so we retransmit the Finished
message in Go.
Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c
Reviewed-on: https://boringssl-review.googlesource.com/3212
Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
|
|
|
|
2015-03-12 19:09:02 +00:00
|
|
|
// AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent
|
|
|
|
// immediately after ChangeCipherSpec.
|
|
|
|
AlertAfterChangeCipherSpec alert
|
|
|
|
|
Add DTLS timeout and retransmit tests.
This extends the packet adaptor protocol to send three commands:
type command =
| Packet of []byte
| Timeout of time.Duration
| TimeoutAck
When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the
BIO_read, returns out of the SSL stack, advances the clock, calls
DTLSv1_handle_timeout, and continues.
If the Go side sends Timeout right between sending handshake flight N and
reading flight N+1, the shim won't read the Timeout until it has sent flight
N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes
after N+1. Go then drops all packets before the TimeoutAck, thus dropping one
transmit of flight N+1 without having to actually process the packets to
determine the end of the flight. The shim then sees the updated clock, calls
DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real.
When dropping packets, Go checks the epoch and increments sequence numbers so
that we can continue to be strict here. This requires tracking the initial
sequence number of the next epoch.
The final Finished message takes an additional special-case to test. DTLS
triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only
implements the former which should be sufficient (and is necessary) EXCEPT for
the final Finished message. If the peer's final Finished message is lost, it
won't be waiting for a message from us, so it won't time out anything. That
retransmit must be triggered on stale message, so we retransmit the Finished
message in Go.
Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c
Reviewed-on: https://boringssl-review.googlesource.com/3212
Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 06:09:43 +00:00
|
|
|
// TimeoutSchedule is the schedule of packet drops and simulated
|
|
|
|
// timeouts for before each handshake leg from the peer.
|
|
|
|
TimeoutSchedule []time.Duration
|
|
|
|
|
|
|
|
// PacketAdaptor is the packetAdaptor to use to simulate timeouts.
|
|
|
|
PacketAdaptor *packetAdaptor
|
2015-01-31 22:16:01 +00:00
|
|
|
|
|
|
|
// ReorderHandshakeFragments, if true, causes handshake fragments in
|
|
|
|
// DTLS to overlap and be sent in the wrong order. It also causes
|
|
|
|
// pre-CCS flights to be sent twice. (Post-CCS flights consist of
|
|
|
|
// Finished and will trigger a spurious retransmit.)
|
|
|
|
ReorderHandshakeFragments bool
|
2015-02-03 20:44:39 +00:00
|
|
|
|
2016-07-15 04:10:43 +01:00
|
|
|
// ReverseHandshakeFragments, if true, causes handshake fragments in
|
|
|
|
// DTLS to be reversed within a flight.
|
|
|
|
ReverseHandshakeFragments bool
|
|
|
|
|
2015-03-03 00:30:30 +00:00
|
|
|
// MixCompleteMessageWithFragments, if true, causes handshake
|
|
|
|
// messages in DTLS to redundantly both fragment the message
|
|
|
|
// and include a copy of the full one.
|
|
|
|
MixCompleteMessageWithFragments bool
|
|
|
|
|
2017-08-22 22:47:22 +01:00
|
|
|
// RetransmitFinished, if true, causes the DTLS Finished message to be
|
|
|
|
// sent twice.
|
|
|
|
RetransmitFinished bool
|
|
|
|
|
2015-02-03 20:44:39 +00:00
|
|
|
// SendInvalidRecordType, if true, causes a record with an invalid
|
|
|
|
// content type to be sent immediately following the handshake.
|
|
|
|
SendInvalidRecordType bool
|
2015-02-25 04:45:43 +00:00
|
|
|
|
2016-07-15 05:39:56 +01:00
|
|
|
// SendWrongMessageType, if non-zero, causes messages of the specified
|
|
|
|
// type to be sent with the wrong value.
|
|
|
|
SendWrongMessageType byte
|
2015-03-03 00:30:30 +00:00
|
|
|
|
2016-09-09 16:41:18 +01:00
|
|
|
// SendTrailingMessageData, if non-zero, causes messages of the
|
|
|
|
// specified type to be sent with trailing data.
|
|
|
|
SendTrailingMessageData byte
|
|
|
|
|
2015-03-03 00:30:30 +00:00
|
|
|
// FragmentMessageTypeMismatch, if true, causes all non-initial
|
|
|
|
// handshake fragments in DTLS to have the wrong message type.
|
|
|
|
FragmentMessageTypeMismatch bool
|
|
|
|
|
|
|
|
// FragmentMessageLengthMismatch, if true, causes all non-initial
|
|
|
|
// handshake fragments in DTLS to have the wrong message length.
|
|
|
|
FragmentMessageLengthMismatch bool
|
|
|
|
|
2015-06-16 16:40:24 +01:00
|
|
|
// SplitFragments, if non-zero, causes the handshake fragments in DTLS
|
|
|
|
// to be split across two records. The value of |SplitFragments| is the
|
|
|
|
// number of bytes in the first fragment.
|
|
|
|
SplitFragments int
|
2015-03-03 00:30:30 +00:00
|
|
|
|
|
|
|
// SendEmptyFragments, if true, causes handshakes to include empty
|
|
|
|
// fragments in DTLS.
|
|
|
|
SendEmptyFragments bool
|
2015-03-19 18:09:43 +00:00
|
|
|
|
2015-05-16 06:30:09 +01:00
|
|
|
// SendSplitAlert, if true, causes an alert to be sent with the header
|
|
|
|
// and record body split across multiple packets. The peer should
|
|
|
|
// discard these packets rather than process it.
|
|
|
|
SendSplitAlert bool
|
|
|
|
|
2015-05-13 03:42:52 +01:00
|
|
|
// FailIfResumeOnRenego, if true, causes renegotiations to fail if the
|
|
|
|
// client offers a resumption or the server accepts one.
|
|
|
|
FailIfResumeOnRenego bool
|
2015-03-19 19:00:10 +00:00
|
|
|
|
2015-03-16 19:16:23 +00:00
|
|
|
// IgnorePeerCipherPreferences, if true, causes the peer's cipher
|
|
|
|
// preferences to be ignored.
|
|
|
|
IgnorePeerCipherPreferences bool
|
2015-03-16 21:49:43 +00:00
|
|
|
|
|
|
|
// IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's
|
|
|
|
// signature algorithm preferences to be ignored.
|
|
|
|
IgnorePeerSignatureAlgorithmPreferences bool
|
2015-03-21 06:21:37 +00:00
|
|
|
|
2015-04-20 16:13:01 +01:00
|
|
|
// IgnorePeerCurvePreferences, if true, causes the peer's curve
|
|
|
|
// preferences to be ignored.
|
|
|
|
IgnorePeerCurvePreferences bool
|
|
|
|
|
2015-04-03 00:33:31 +01:00
|
|
|
// BadFinished, if true, causes the Finished hash to be broken.
|
|
|
|
BadFinished bool
|
2015-05-15 01:38:50 +01:00
|
|
|
|
2016-07-07 20:33:25 +01:00
|
|
|
// PackHandshakeFragments, if true, causes handshake fragments in DTLS
|
|
|
|
// to be packed into individual handshake records, up to the specified
|
|
|
|
// record size.
|
2015-05-29 23:48:16 +01:00
|
|
|
PackHandshakeFragments int
|
|
|
|
|
2017-10-12 22:14:45 +01:00
|
|
|
// PackHandshakeRecords, if non-zero, causes handshake and
|
|
|
|
// ChangeCipherSpec records in DTLS to be packed into individual
|
|
|
|
// packets, up to the specified packet size.
|
2015-05-29 23:48:16 +01:00
|
|
|
PackHandshakeRecords int
|
2015-05-30 22:13:12 +01:00
|
|
|
|
2017-10-12 22:14:45 +01:00
|
|
|
// PackAppDataWithHandshake, if true, extends PackHandshakeRecords to
|
|
|
|
// additionally include the first application data record sent after the
|
|
|
|
// final Finished message in a handshake. (If the final Finished message
|
|
|
|
// is sent by the peer, this option has no effect.) This requires that
|
|
|
|
// the runner rather than shim speak first in a given test.
|
|
|
|
PackAppDataWithHandshake bool
|
|
|
|
|
|
|
|
// SplitAndPackAppData, if true, causes application data in DTLS to be
|
|
|
|
// split into two records each and packed into one packet.
|
|
|
|
SplitAndPackAppData bool
|
|
|
|
|
2016-07-07 20:33:25 +01:00
|
|
|
// PackHandshakeFlight, if true, causes each handshake flight in TLS to
|
|
|
|
// be packed into records, up to the largest size record available.
|
|
|
|
PackHandshakeFlight bool
|
|
|
|
|
2016-10-04 22:51:35 +01:00
|
|
|
// AdvertiseAllConfiguredCiphers, if true, causes the client to
|
|
|
|
// advertise all configured cipher suite values.
|
|
|
|
AdvertiseAllConfiguredCiphers bool
|
2015-06-07 16:42:34 +01:00
|
|
|
|
|
|
|
// EmptyCertificateList, if true, causes the server to send an empty
|
|
|
|
// certificate list in the Certificate message.
|
|
|
|
EmptyCertificateList bool
|
2015-06-16 19:16:23 +01:00
|
|
|
|
|
|
|
// ExpectNewTicket, if true, causes the client to abort if it does not
|
|
|
|
// receive a new ticket.
|
|
|
|
ExpectNewTicket bool
|
2015-07-21 01:43:53 +01:00
|
|
|
|
|
|
|
// RequireClientHelloSize, if not zero, is the required length in bytes
|
|
|
|
// of the ClientHello /record/. This is checked by the server.
|
|
|
|
RequireClientHelloSize int
|
2015-07-31 02:10:13 +01:00
|
|
|
|
|
|
|
// CustomExtension, if not empty, contains the contents of an extension
|
|
|
|
// that will be added to client/server hellos.
|
|
|
|
CustomExtension string
|
|
|
|
|
2016-10-06 03:44:38 +01:00
|
|
|
// CustomUnencryptedExtension, if not empty, contains the contents of
|
|
|
|
// an extension that will be added to ServerHello in TLS 1.3.
|
|
|
|
CustomUnencryptedExtension string
|
|
|
|
|
2015-07-31 02:10:13 +01:00
|
|
|
// ExpectedCustomExtension, if not nil, contains the expected contents
|
|
|
|
// of a custom extension.
|
|
|
|
ExpectedCustomExtension *string
|
2015-08-30 03:56:45 +01:00
|
|
|
|
2016-10-07 20:25:06 +01:00
|
|
|
// CustomTicketExtension, if not empty, contains the contents of an
|
|
|
|
// extension what will be added to NewSessionTicket in TLS 1.3.
|
|
|
|
CustomTicketExtension string
|
|
|
|
|
2016-10-08 02:10:38 +01:00
|
|
|
// CustomTicketExtension, if not empty, contains the contents of an
|
|
|
|
// extension what will be added to HelloRetryRequest in TLS 1.3.
|
|
|
|
CustomHelloRetryRequestExtension string
|
|
|
|
|
2015-08-30 03:56:45 +01:00
|
|
|
// NoCloseNotify, if true, causes the close_notify alert to be skipped
|
|
|
|
// on connection shutdown.
|
|
|
|
NoCloseNotify bool
|
|
|
|
|
2016-05-10 22:03:10 +01:00
|
|
|
// SendAlertOnShutdown, if non-zero, is the alert to send instead of
|
|
|
|
// close_notify on shutdown.
|
|
|
|
SendAlertOnShutdown alert
|
|
|
|
|
2015-08-30 03:56:45 +01:00
|
|
|
// ExpectCloseNotify, if true, requires a close_notify from the peer on
|
|
|
|
// shutdown. Records from the peer received after close_notify is sent
|
|
|
|
// are not discard.
|
|
|
|
ExpectCloseNotify bool
|
2015-09-01 15:23:00 +01:00
|
|
|
|
|
|
|
// SendLargeRecords, if true, allows outgoing records to be sent
|
|
|
|
// arbitrarily large.
|
|
|
|
SendLargeRecords bool
|
2015-08-31 19:24:29 +01:00
|
|
|
|
|
|
|
// NegotiateALPNAndNPN, if true, causes the server to negotiate both
|
|
|
|
// ALPN and NPN in the same connetion.
|
|
|
|
NegotiateALPNAndNPN bool
|
2015-10-23 22:41:12 +01:00
|
|
|
|
2016-08-01 17:05:50 +01:00
|
|
|
// SendALPN, if non-empty, causes the server to send the specified
|
2016-08-11 16:52:23 +01:00
|
|
|
// string in the ALPN extension regardless of the content or presence of
|
|
|
|
// the client offer.
|
2016-08-01 17:05:50 +01:00
|
|
|
SendALPN string
|
|
|
|
|
2016-10-06 03:44:38 +01:00
|
|
|
// SendUnencryptedALPN, if non-empty, causes the server to send the
|
|
|
|
// specified string in a ServerHello ALPN extension in TLS 1.3.
|
|
|
|
SendUnencryptedALPN string
|
|
|
|
|
2015-10-23 22:41:12 +01:00
|
|
|
// SendEmptySessionTicket, if true, causes the server to send an empty
|
|
|
|
// session ticket.
|
|
|
|
SendEmptySessionTicket bool
|
|
|
|
|
2016-11-01 17:39:36 +00:00
|
|
|
// SendPSKKeyExchangeModes, if present, determines the PSK key exchange modes
|
2016-09-01 17:29:49 +01:00
|
|
|
// to send.
|
|
|
|
SendPSKKeyExchangeModes []byte
|
|
|
|
|
2016-11-01 17:39:36 +00:00
|
|
|
// ExpectNoNewSessionTicket, if present, means that the client will fail upon
|
|
|
|
// receipt of a NewSessionTicket message.
|
|
|
|
ExpectNoNewSessionTicket bool
|
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// DuplicateTicketEarlyData causes an extra empty extension of early_data to
|
|
|
|
// be sent in NewSessionTicket.
|
|
|
|
DuplicateTicketEarlyData bool
|
2017-01-08 11:04:43 +00:00
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// ExpectTicketEarlyData, if true, means that the client will fail upon
|
|
|
|
// absence of the early_data extension.
|
|
|
|
ExpectTicketEarlyData bool
|
2016-12-07 20:29:45 +00:00
|
|
|
|
2016-11-01 17:39:36 +00:00
|
|
|
// ExpectTicketAge, if non-zero, is the expected age of the ticket that the
|
|
|
|
// server receives from the client.
|
|
|
|
ExpectTicketAge time.Duration
|
2016-09-01 17:29:49 +01:00
|
|
|
|
2017-03-03 20:05:56 +00:00
|
|
|
// SendTicketAge, if non-zero, is the ticket age to be sent by the
|
|
|
|
// client.
|
|
|
|
SendTicketAge time.Duration
|
|
|
|
|
2015-10-23 22:41:12 +01:00
|
|
|
// FailIfSessionOffered, if true, causes the server to fail any
|
|
|
|
// connections where the client offers a non-empty session ID or session
|
|
|
|
// ticket.
|
|
|
|
FailIfSessionOffered bool
|
2015-11-03 21:34:10 +00:00
|
|
|
|
|
|
|
// SendHelloRequestBeforeEveryAppDataRecord, if true, causes a
|
|
|
|
// HelloRequest handshake message to be sent before each application
|
|
|
|
// data record. This only makes sense for a server.
|
|
|
|
SendHelloRequestBeforeEveryAppDataRecord bool
|
2015-11-27 00:39:08 +00:00
|
|
|
|
2016-07-08 22:10:48 +01:00
|
|
|
// SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a
|
|
|
|
// HelloRequest handshake message to be sent before each handshake
|
|
|
|
// message. This only makes sense for a server.
|
|
|
|
SendHelloRequestBeforeEveryHandshakeMessage bool
|
|
|
|
|
2015-11-26 17:07:28 +00:00
|
|
|
// BadChangeCipherSpec, if not nil, is the body to be sent in
|
|
|
|
// ChangeCipherSpec records instead of {1}.
|
|
|
|
BadChangeCipherSpec []byte
|
2015-12-06 18:17:07 +00:00
|
|
|
|
|
|
|
// BadHelloRequest, if not nil, is what to send instead of a
|
|
|
|
// HelloRequest.
|
|
|
|
BadHelloRequest []byte
|
2015-11-21 19:05:44 +00:00
|
|
|
|
|
|
|
// RequireSessionTickets, if true, causes the client to require new
|
|
|
|
// sessions use session tickets instead of session IDs.
|
|
|
|
RequireSessionTickets bool
|
2016-03-02 03:57:46 +00:00
|
|
|
|
2018-07-18 02:26:05 +01:00
|
|
|
// RequireSessionIDs, if true, causes the client to require new sessions use
|
|
|
|
// session IDs instead of session tickets.
|
|
|
|
RequireSessionIDs bool
|
|
|
|
|
2016-03-02 03:57:46 +00:00
|
|
|
// NullAllCiphers, if true, causes every cipher to behave like the null
|
|
|
|
// cipher.
|
|
|
|
NullAllCiphers bool
|
2016-05-05 00:19:06 +01:00
|
|
|
|
|
|
|
// SendSCTListOnResume, if not nil, causes the server to send the
|
|
|
|
// supplied SCT list in resumption handshakes.
|
|
|
|
SendSCTListOnResume []byte
|
2016-06-13 21:03:47 +01:00
|
|
|
|
2017-08-24 06:09:41 +01:00
|
|
|
// SendSCTListOnRenegotiation, if not nil, causes the server to send the
|
|
|
|
// supplied SCT list on renegotiation.
|
|
|
|
SendSCTListOnRenegotiation []byte
|
|
|
|
|
2016-10-04 21:32:16 +01:00
|
|
|
// SendOCSPResponseOnResume, if not nil, causes the server to advertise
|
|
|
|
// OCSP stapling in resumption handshakes and, if applicable, send the
|
|
|
|
// supplied stapled response.
|
|
|
|
SendOCSPResponseOnResume []byte
|
|
|
|
|
2017-08-24 06:09:41 +01:00
|
|
|
// SendOCSPResponseOnResume, if not nil, causes the server to send the
|
|
|
|
// supplied OCSP response on renegotiation.
|
|
|
|
SendOCSPResponseOnRenegotiation []byte
|
|
|
|
|
2016-11-01 17:39:36 +00:00
|
|
|
// SendExtensionOnCertificate, if not nil, causes the runner to send the
|
|
|
|
// supplied bytes in the extensions on the Certificate message.
|
|
|
|
SendExtensionOnCertificate []byte
|
|
|
|
|
|
|
|
// SendOCSPOnIntermediates, if not nil, causes the server to send the
|
|
|
|
// supplied OCSP on intermediate certificates in the Certificate message.
|
|
|
|
SendOCSPOnIntermediates []byte
|
|
|
|
|
|
|
|
// SendSCTOnIntermediates, if not nil, causes the server to send the
|
|
|
|
// supplied SCT on intermediate certificates in the Certificate message.
|
|
|
|
SendSCTOnIntermediates []byte
|
|
|
|
|
|
|
|
// SendDuplicateCertExtensions, if true, causes the server to send an extra
|
|
|
|
// copy of the OCSP/SCT extensions in the Certificate message.
|
|
|
|
SendDuplicateCertExtensions bool
|
|
|
|
|
|
|
|
// ExpectNoExtensionsOnIntermediate, if true, causes the client to
|
|
|
|
// reject extensions on intermediate certificates.
|
|
|
|
ExpectNoExtensionsOnIntermediate bool
|
|
|
|
|
2016-06-25 03:56:37 +01:00
|
|
|
// RecordPadding is the number of bytes of padding to add to each
|
|
|
|
// encrypted record in TLS 1.3.
|
|
|
|
RecordPadding int
|
|
|
|
|
|
|
|
// OmitRecordContents, if true, causes encrypted records in TLS 1.3 to
|
|
|
|
// be missing their body and content type. Padding, if configured, is
|
|
|
|
// still added.
|
|
|
|
OmitRecordContents bool
|
|
|
|
|
|
|
|
// OuterRecordType, if non-zero, is the outer record type to use instead
|
|
|
|
// of application data.
|
|
|
|
OuterRecordType recordType
|
2016-07-09 00:28:04 +01:00
|
|
|
|
|
|
|
// SendSignatureAlgorithm, if non-zero, causes all signatures to be sent
|
|
|
|
// with the given signature algorithm rather than the one negotiated.
|
|
|
|
SendSignatureAlgorithm signatureAlgorithm
|
2016-07-09 02:52:12 +01:00
|
|
|
|
|
|
|
// SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be
|
|
|
|
// skipped.
|
|
|
|
SkipECDSACurveCheck bool
|
2016-06-30 23:30:40 +01:00
|
|
|
|
|
|
|
// IgnoreSignatureVersionChecks, if true, causes all signature
|
|
|
|
// algorithms to be enabled at all TLS versions.
|
|
|
|
IgnoreSignatureVersionChecks bool
|
2016-07-11 18:19:03 +01:00
|
|
|
|
|
|
|
// NegotiateRenegotiationInfoAtAllVersions, if true, causes
|
|
|
|
// Renegotiation Info to be negotiated at all versions.
|
|
|
|
NegotiateRenegotiationInfoAtAllVersions bool
|
|
|
|
|
|
|
|
// NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at
|
|
|
|
// all versions.
|
|
|
|
NegotiateNPNAtAllVersions bool
|
|
|
|
|
|
|
|
// NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at
|
|
|
|
// all versions.
|
|
|
|
NegotiateEMSAtAllVersions bool
|
|
|
|
|
|
|
|
// AdvertiseTicketExtension, if true, causes the ticket extension to be
|
|
|
|
// advertised in server extensions
|
|
|
|
AdvertiseTicketExtension bool
|
|
|
|
|
2016-09-06 19:13:43 +01:00
|
|
|
// NegotiatePSKResumption, if true, causes the server to attempt pure PSK
|
|
|
|
// resumption.
|
|
|
|
NegotiatePSKResumption bool
|
|
|
|
|
2016-10-06 03:33:19 +01:00
|
|
|
// AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to
|
|
|
|
// always acknowledge a session, regardless of one was offered.
|
|
|
|
AlwaysSelectPSKIdentity bool
|
|
|
|
|
|
|
|
// SelectPSKIdentityOnResume, if non-zero, causes the server to select
|
|
|
|
// the specified PSK identity index rather than the actual value.
|
|
|
|
SelectPSKIdentityOnResume uint16
|
|
|
|
|
2016-11-01 16:49:22 +00:00
|
|
|
// ExtraPSKIdentity, if true, causes the client to send an extra PSK
|
|
|
|
// identity.
|
|
|
|
ExtraPSKIdentity bool
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
// MissingKeyShare, if true, causes the TLS 1.3 implementation to skip
|
|
|
|
// sending a key_share extension and use the zero ECDHE secret
|
|
|
|
// instead.
|
|
|
|
MissingKeyShare bool
|
|
|
|
|
2016-07-18 17:40:30 +01:00
|
|
|
// SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3
|
|
|
|
// ClientHello to skip sending a key_share extension and use the zero
|
|
|
|
// ECDHE secret instead.
|
|
|
|
SecondClientHelloMissingKeyShare bool
|
|
|
|
|
|
|
|
// MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3
|
|
|
|
// client to pretend the server requested a HelloRetryRequest with the
|
|
|
|
// given curve rather than the actual one.
|
|
|
|
MisinterpretHelloRetryRequestCurve CurveID
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
// DuplicateKeyShares, if true, causes the TLS 1.3 client to send two
|
|
|
|
// copies of each KeyShareEntry.
|
|
|
|
DuplicateKeyShares bool
|
|
|
|
|
2016-11-29 18:36:45 +00:00
|
|
|
// SendEarlyAlert, if true, sends a fatal alert after the ClientHello.
|
|
|
|
SendEarlyAlert bool
|
|
|
|
|
2016-12-07 00:02:31 +00:00
|
|
|
// SendFakeEarlyDataLength, if non-zero, is the amount of early data to
|
|
|
|
// send after the ClientHello.
|
|
|
|
SendFakeEarlyDataLength int
|
2016-11-29 18:36:45 +00:00
|
|
|
|
2016-12-19 18:19:29 +00:00
|
|
|
// SendStrayEarlyHandshake, if non-zero, causes the client to send a stray
|
|
|
|
// handshake record before sending end of early data.
|
|
|
|
SendStrayEarlyHandshake bool
|
|
|
|
|
2016-11-29 18:36:45 +00:00
|
|
|
// OmitEarlyDataExtension, if true, causes the early data extension to
|
|
|
|
// be omitted in the ClientHello.
|
|
|
|
OmitEarlyDataExtension bool
|
|
|
|
|
|
|
|
// SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to
|
|
|
|
// send early data after the second ClientHello.
|
|
|
|
SendEarlyDataOnSecondClientHello bool
|
|
|
|
|
|
|
|
// InterleaveEarlyData, if true, causes the TLS 1.3 client to send early
|
|
|
|
// data interleaved with the second ClientHello and the client Finished.
|
|
|
|
InterleaveEarlyData bool
|
|
|
|
|
2016-12-07 00:02:31 +00:00
|
|
|
// SendEarlyData causes a TLS 1.3 client to send the provided data
|
|
|
|
// in application data records immediately after the ClientHello,
|
2017-01-11 16:34:52 +00:00
|
|
|
// provided that the client offers a TLS 1.3 session. It will do this
|
|
|
|
// whether or not the server advertised early data for the ticket.
|
2016-12-07 00:02:31 +00:00
|
|
|
SendEarlyData [][]byte
|
|
|
|
|
2017-01-11 16:34:52 +00:00
|
|
|
// ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data
|
|
|
|
// was accepted by the server.
|
|
|
|
ExpectEarlyDataAccepted bool
|
|
|
|
|
|
|
|
// AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data
|
|
|
|
// regardless of ALPN mismatch.
|
|
|
|
AlwaysAcceptEarlyData bool
|
|
|
|
|
|
|
|
// AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data.
|
|
|
|
AlwaysRejectEarlyData bool
|
|
|
|
|
|
|
|
// SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the
|
|
|
|
// early_data extension in EncryptedExtensions, independent of whether
|
|
|
|
// it was accepted.
|
|
|
|
SendEarlyDataExtension bool
|
|
|
|
|
2017-12-08 22:05:06 +00:00
|
|
|
// ExpectEarlyKeyingMaterial, if non-zero, causes a TLS 1.3 server to
|
|
|
|
// read an application data record after the ClientHello before it sends
|
|
|
|
// a ServerHello. The record's contents have the specified length and
|
|
|
|
// match the corresponding early exporter value. This is used to test
|
|
|
|
// the client using the early exporter in the 0-RTT state.
|
|
|
|
ExpectEarlyKeyingMaterial int
|
|
|
|
|
|
|
|
// ExpectEarlyKeyingLabel is the label to use with
|
|
|
|
// ExpectEarlyKeyingMaterial.
|
|
|
|
ExpectEarlyKeyingLabel string
|
|
|
|
|
|
|
|
// ExpectEarlyKeyingContext is the context string to use with
|
|
|
|
// ExpectEarlyKeyingMaterial
|
|
|
|
ExpectEarlyKeyingContext string
|
|
|
|
|
2016-12-20 01:38:41 +00:00
|
|
|
// ExpectEarlyData causes a TLS 1.3 server to read application
|
|
|
|
// data after the ClientHello (assuming the server is able to
|
|
|
|
// derive the key under which the data is encrypted) before it
|
|
|
|
// sends a ServerHello. It checks that the application data it
|
|
|
|
// reads matches what is provided in ExpectEarlyData and errors if
|
|
|
|
// the number of records or their content do not match.
|
|
|
|
ExpectEarlyData [][]byte
|
|
|
|
|
2017-03-09 19:56:07 +00:00
|
|
|
// ExpectLateEarlyData causes a TLS 1.3 server to read application
|
|
|
|
// data after the ServerFinished (assuming the server is able to
|
|
|
|
// derive the key under which the data is encrypted) before it
|
|
|
|
// sends the ClientFinished. It checks that the application data it
|
|
|
|
// reads matches what is provided in ExpectLateEarlyData and errors if
|
|
|
|
// the number of records or their content do not match.
|
|
|
|
ExpectLateEarlyData [][]byte
|
|
|
|
|
2016-12-02 19:08:40 +00:00
|
|
|
// SendHalfRTTData causes a TLS 1.3 server to send the provided
|
|
|
|
// data in application data records before reading the client's
|
|
|
|
// Finished message.
|
|
|
|
SendHalfRTTData [][]byte
|
|
|
|
|
2017-03-26 04:24:23 +01:00
|
|
|
// ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to
|
|
|
|
// read application data after reading the server's Finished message and
|
|
|
|
// before sending any subsequent handshake messages. It checks that the
|
2016-12-02 19:08:40 +00:00
|
|
|
// application data it reads matches what is provided in
|
|
|
|
// ExpectHalfRTTData and errors if the number of records or their
|
|
|
|
// content do not match.
|
|
|
|
ExpectHalfRTTData [][]byte
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
// EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to
|
|
|
|
// emit an empty EncryptedExtensions block.
|
|
|
|
EmptyEncryptedExtensions bool
|
|
|
|
|
|
|
|
// EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to
|
|
|
|
// include the KeyShare extension in the EncryptedExtensions block.
|
|
|
|
EncryptedExtensionsWithKeyShare bool
|
2016-07-18 17:40:30 +01:00
|
|
|
|
2016-10-08 02:10:38 +01:00
|
|
|
// AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to
|
|
|
|
// be sent by the server, even if empty.
|
|
|
|
AlwaysSendHelloRetryRequest bool
|
2016-07-18 17:40:30 +01:00
|
|
|
|
|
|
|
// SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send
|
|
|
|
// two HelloRetryRequests instead of one.
|
|
|
|
SecondHelloRetryRequest bool
|
2016-10-08 02:10:38 +01:00
|
|
|
|
|
|
|
// SendHelloRetryRequestCurve, if non-zero, causes the server to send
|
|
|
|
// the specified curve in a HelloRetryRequest.
|
|
|
|
SendHelloRetryRequestCurve CurveID
|
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send
|
|
|
|
// the specified cipher suite in a HelloRetryRequest.
|
|
|
|
SendHelloRetryRequestCipherSuite uint16
|
|
|
|
|
2016-10-08 02:10:38 +01:00
|
|
|
// SendHelloRetryRequestCookie, if not nil, contains a cookie to be
|
|
|
|
// sent by the server in HelloRetryRequest.
|
|
|
|
SendHelloRetryRequestCookie []byte
|
|
|
|
|
|
|
|
// DuplicateHelloRetryRequestExtensions, if true, causes all
|
|
|
|
// HelloRetryRequest extensions to be sent twice.
|
|
|
|
DuplicateHelloRetryRequestExtensions bool
|
2016-07-18 17:40:30 +01:00
|
|
|
|
|
|
|
// SendServerHelloVersion, if non-zero, causes the server to send the
|
2016-09-26 23:30:05 +01:00
|
|
|
// specified value in ServerHello version field.
|
2016-07-18 17:40:30 +01:00
|
|
|
SendServerHelloVersion uint16
|
|
|
|
|
2018-05-05 03:00:33 +01:00
|
|
|
// SendServerSupportedVersionExtension, if non-zero, causes the server to send
|
|
|
|
// the specified value in supported_versions extension in the ServerHello (but
|
|
|
|
// not the HelloRetryRequest).
|
|
|
|
SendServerSupportedVersionExtension uint16
|
|
|
|
|
|
|
|
// OmitServerSupportedVersionExtension, if true, causes the server to
|
|
|
|
// omit the supported_versions extension in the ServerHello (but not the
|
|
|
|
// HelloRetryRequest)
|
|
|
|
OmitServerSupportedVersionExtension bool
|
2017-07-10 17:57:25 +01:00
|
|
|
|
2016-07-18 17:40:30 +01:00
|
|
|
// SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send
|
|
|
|
// HelloRetryRequest.
|
|
|
|
SkipHelloRetryRequest bool
|
2016-07-24 15:56:51 +01:00
|
|
|
|
|
|
|
// PackHelloRequestWithFinished, if true, causes the TLS server to send
|
|
|
|
// HelloRequest in the same record as Finished.
|
|
|
|
PackHelloRequestWithFinished bool
|
2016-07-27 22:40:37 +01:00
|
|
|
|
2016-08-17 05:29:33 +01:00
|
|
|
// ExpectMissingKeyShare, if true, causes the TLS server to fail the
|
|
|
|
// connection if the selected curve appears in the client's initial
|
|
|
|
// ClientHello. That is, it requires that a HelloRetryRequest be sent.
|
|
|
|
ExpectMissingKeyShare bool
|
|
|
|
|
2016-07-27 22:40:37 +01:00
|
|
|
// SendExtraFinished, if true, causes an extra Finished message to be
|
|
|
|
// sent.
|
|
|
|
SendExtraFinished bool
|
2016-08-18 07:32:23 +01:00
|
|
|
|
|
|
|
// SendRequestContext, if not empty, is the request context to send in
|
|
|
|
// a TLS 1.3 CertificateRequest.
|
|
|
|
SendRequestContext []byte
|
2016-09-04 19:18:58 +01:00
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm
|
|
|
|
// extension in a TLS 1.3 CertificateRequest.
|
|
|
|
OmitCertificateRequestAlgorithms bool
|
|
|
|
|
|
|
|
// SendCustomCertificateRequest, if non-zero, send an additional custom
|
|
|
|
// extension in a TLS 1.3 CertificateRequest.
|
|
|
|
SendCustomCertificateRequest uint16
|
|
|
|
|
2016-09-04 19:18:58 +01:00
|
|
|
// SendSNIWarningAlert, if true, causes the server to send an
|
|
|
|
// unrecognized_name alert before the ServerHello.
|
|
|
|
SendSNIWarningAlert bool
|
2016-09-09 15:34:20 +01:00
|
|
|
|
|
|
|
// SendCompressionMethods, if not nil, is the compression method list to
|
|
|
|
// send in the ClientHello.
|
|
|
|
SendCompressionMethods []byte
|
2016-09-17 00:42:05 +01:00
|
|
|
|
2017-07-01 15:11:53 +01:00
|
|
|
// SendCompressionMethod is the compression method to send in the
|
|
|
|
// ServerHello.
|
|
|
|
SendCompressionMethod byte
|
|
|
|
|
2016-09-17 00:42:05 +01:00
|
|
|
// AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to
|
|
|
|
// always send a ServerKeyExchange for PSK ciphers, even if the identity
|
|
|
|
// hint is empty.
|
|
|
|
AlwaysSendPreSharedKeyIdentityHint bool
|
2016-09-21 00:24:40 +01:00
|
|
|
|
|
|
|
// TrailingKeyShareData, if true, causes the client key share list to
|
|
|
|
// include a trailing byte.
|
|
|
|
TrailingKeyShareData bool
|
2016-09-21 21:23:27 +01:00
|
|
|
|
|
|
|
// InvalidChannelIDSignature, if true, causes the client to generate an
|
|
|
|
// invalid Channel ID signature.
|
|
|
|
InvalidChannelIDSignature bool
|
2016-09-03 02:35:25 +01:00
|
|
|
|
2016-10-07 20:19:18 +01:00
|
|
|
// ExpectGREASE, if true, causes messages without GREASE values to be
|
|
|
|
// rejected. See draft-davidben-tls-grease-01.
|
2016-09-03 02:35:25 +01:00
|
|
|
ExpectGREASE bool
|
2016-11-01 17:39:36 +00:00
|
|
|
|
|
|
|
// SendShortPSKBinder, if true, causes the client to send a PSK binder
|
|
|
|
// that is one byte shorter than it should be.
|
|
|
|
SendShortPSKBinder bool
|
|
|
|
|
|
|
|
// SendInvalidPSKBinder, if true, causes the client to send an invalid
|
|
|
|
// PSK binder.
|
|
|
|
SendInvalidPSKBinder bool
|
|
|
|
|
|
|
|
// SendNoPSKBinder, if true, causes the client to send no PSK binders.
|
|
|
|
SendNoPSKBinder bool
|
|
|
|
|
2016-12-01 21:47:56 +00:00
|
|
|
// SendExtraPSKBinder, if true, causes the client to send an extra PSK
|
|
|
|
// binder.
|
|
|
|
SendExtraPSKBinder bool
|
|
|
|
|
2016-11-01 17:39:36 +00:00
|
|
|
// PSKBinderFirst, if true, causes the client to send the PSK Binder
|
|
|
|
// extension as the first extension instead of the last extension.
|
|
|
|
PSKBinderFirst bool
|
2016-11-16 00:01:48 +00:00
|
|
|
|
|
|
|
// NoOCSPStapling, if true, causes the client to not request OCSP
|
|
|
|
// stapling.
|
|
|
|
NoOCSPStapling bool
|
|
|
|
|
|
|
|
// NoSignedCertificateTimestamps, if true, causes the client to not
|
|
|
|
// request signed certificate timestamps.
|
|
|
|
NoSignedCertificateTimestamps bool
|
2016-12-21 21:06:54 +00:00
|
|
|
|
2016-12-22 14:16:57 +00:00
|
|
|
// SendSupportedPointFormats, if not nil, is the list of supported point
|
|
|
|
// formats to send in ClientHello or ServerHello. If set to a non-nil
|
|
|
|
// empty slice, no extension will be sent.
|
|
|
|
SendSupportedPointFormats []byte
|
2017-01-06 21:19:28 +00:00
|
|
|
|
2017-10-04 22:01:22 +01:00
|
|
|
// SendServerSupportedCurves, if true, causes the server to send its
|
|
|
|
// supported curves list in the ServerHello (TLS 1.2) or
|
|
|
|
// EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and
|
|
|
|
// valid in TLS 1.3.
|
|
|
|
SendServerSupportedCurves bool
|
|
|
|
|
2017-01-06 21:19:28 +00:00
|
|
|
// MaxReceivePlaintext, if non-zero, is the maximum plaintext record
|
|
|
|
// length accepted from the peer.
|
|
|
|
MaxReceivePlaintext int
|
2017-01-28 19:00:32 +00:00
|
|
|
|
2018-05-24 22:17:34 +01:00
|
|
|
// ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally
|
|
|
|
// pack their encrypted handshake messages, fitting at most the
|
|
|
|
// specified number of plaintext bytes per record.
|
|
|
|
ExpectPackedEncryptedHandshake int
|
|
|
|
|
|
|
|
// ForbidHandshakePacking, if true, requires the peer place a record
|
|
|
|
// boundary after every handshake message.
|
|
|
|
ForbidHandshakePacking bool
|
|
|
|
|
2017-01-28 19:00:32 +00:00
|
|
|
// SendTicketLifetime, if non-zero, is the ticket lifetime to send in
|
|
|
|
// NewSessionTicket messages.
|
|
|
|
SendTicketLifetime time.Duration
|
2017-02-06 18:49:07 +00:00
|
|
|
|
|
|
|
// SendServerNameAck, if true, causes the server to acknowledge the SNI
|
|
|
|
// extension.
|
|
|
|
SendServerNameAck bool
|
2017-02-28 21:45:39 +00:00
|
|
|
|
|
|
|
// ExpectCertificateReqNames, if not nil, contains the list of X.509
|
|
|
|
// names that must be sent in a CertificateRequest from the server.
|
|
|
|
ExpectCertificateReqNames [][]byte
|
2017-03-01 01:54:28 +00:00
|
|
|
|
|
|
|
// RenegotiationCertificate, if not nil, is the certificate to use on
|
|
|
|
// renegotiation handshakes.
|
|
|
|
RenegotiationCertificate *Certificate
|
2017-03-28 21:38:29 +01:00
|
|
|
|
2017-10-11 17:29:36 +01:00
|
|
|
// ExpectNoCertificateAuthoritiesExtension, if true, causes the client to
|
|
|
|
// reject CertificateRequest with the CertificateAuthorities extension.
|
|
|
|
ExpectNoCertificateAuthoritiesExtension bool
|
|
|
|
|
2017-03-28 21:38:29 +01:00
|
|
|
// UseLegacySigningAlgorithm, if non-zero, is the signature algorithm
|
|
|
|
// to use when signing in TLS 1.1 and earlier where algorithms are not
|
|
|
|
// negotiated.
|
|
|
|
UseLegacySigningAlgorithm signatureAlgorithm
|
2017-04-08 16:00:45 +01:00
|
|
|
|
|
|
|
// SendServerHelloAsHelloRetryRequest, if true, causes the server to
|
|
|
|
// send ServerHello messages with a HelloRetryRequest type field.
|
|
|
|
SendServerHelloAsHelloRetryRequest bool
|
2017-04-06 17:54:12 +01:00
|
|
|
|
|
|
|
// RejectUnsolicitedKeyUpdate, if true, causes all unsolicited
|
|
|
|
// KeyUpdates from the peer to be rejected.
|
|
|
|
RejectUnsolicitedKeyUpdate bool
|
2017-07-14 23:40:34 +01:00
|
|
|
|
|
|
|
// OmitExtensions, if true, causes the extensions field in ClientHello
|
|
|
|
// and ServerHello messages to be omitted.
|
|
|
|
OmitExtensions bool
|
|
|
|
|
2017-07-15 01:11:07 +01:00
|
|
|
// EmptyExtensions, if true, causes the extensions field in ClientHello
|
2017-07-14 23:40:34 +01:00
|
|
|
// and ServerHello messages to be present, but empty.
|
|
|
|
EmptyExtensions bool
|
2017-07-15 01:11:07 +01:00
|
|
|
|
2017-08-31 05:19:57 +01:00
|
|
|
// ExpectOmitExtensions, if true, causes the client to reject
|
|
|
|
// ServerHello messages that do not omit extensions.
|
|
|
|
ExpectOmitExtensions bool
|
|
|
|
|
2017-07-15 01:11:07 +01:00
|
|
|
// ExpectRecordSplitting, if true, causes application records to only be
|
|
|
|
// accepted if they follow a 1/n-1 record split.
|
|
|
|
ExpectRecordSplitting bool
|
2017-09-07 16:51:46 +01:00
|
|
|
|
|
|
|
// PadClientHello, if non-zero, pads the ClientHello to a multiple of
|
|
|
|
// that many bytes.
|
|
|
|
PadClientHello int
|
2017-12-18 23:00:23 +00:00
|
|
|
|
2018-08-13 15:54:48 +01:00
|
|
|
// SendTLS13DowngradeRandom, if true, causes the server to send the
|
|
|
|
// TLS 1.3 anti-downgrade signal.
|
|
|
|
SendTLS13DowngradeRandom bool
|
2017-12-18 23:00:23 +00:00
|
|
|
|
2018-08-13 15:54:48 +01:00
|
|
|
// CheckTLS13DowngradeRandom, if true, causes the client to check the
|
|
|
|
// TLS 1.3 anti-downgrade signal regardless of its variant.
|
|
|
|
CheckTLS13DowngradeRandom bool
|
|
|
|
|
|
|
|
// IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the
|
|
|
|
// TLS 1.3 anti-downgrade signal.
|
|
|
|
IgnoreTLS13DowngradeRandom bool
|
2017-12-30 16:04:39 +00:00
|
|
|
|
2018-02-15 00:50:38 +00:00
|
|
|
// SendCompressedCoordinates, if true, causes ECDH key shares over NIST
|
|
|
|
// curves to use compressed coordinates.
|
|
|
|
SendCompressedCoordinates bool
|
2018-04-08 18:59:25 +01:00
|
|
|
|
|
|
|
// ExpectRSAPSSSupport specifies the level of RSA-PSS support expected
|
|
|
|
// from the peer.
|
|
|
|
ExpectRSAPSSSupport RSAPSSSupport
|
2018-04-07 00:17:20 +01:00
|
|
|
|
|
|
|
// SetX25519HighBit, if true, causes X25519 key shares to set their
|
|
|
|
// high-order bit.
|
|
|
|
SetX25519HighBit bool
|
2018-05-02 17:06:48 +01:00
|
|
|
|
|
|
|
// DuplicateCompressedCertAlgs, if true, causes two, equal, certificate
|
|
|
|
// compression algorithm IDs to be sent.
|
|
|
|
DuplicateCompressedCertAlgs bool
|
|
|
|
|
|
|
|
// ExpectedCompressedCert specifies the compression algorithm ID that must be
|
|
|
|
// used on this connection, or zero if there are no special requirements.
|
|
|
|
ExpectedCompressedCert uint16
|
2018-06-08 00:39:49 +01:00
|
|
|
|
|
|
|
// SendCertCompressionAlgId, if not zero, sets the algorithm ID that will be
|
|
|
|
// sent in the compressed certificate message.
|
|
|
|
SendCertCompressionAlgId uint16
|
|
|
|
|
|
|
|
// SendCertUncompressedLength, if not zero, sets the uncompressed length that
|
|
|
|
// will be sent in the compressed certificate message.
|
|
|
|
SendCertUncompressedLength uint32
|
2018-11-19 21:49:56 +00:00
|
|
|
|
|
|
|
// SendClientHelloWithFixes, if not nil, sends the specified byte string
|
|
|
|
// instead of the ClientHello. This string is incorporated into the
|
|
|
|
// transcript as if it were the real ClientHello, but the handshake will
|
|
|
|
// otherwise behave as if this was not sent in terms of what ciphers it
|
|
|
|
// will accept, etc.
|
|
|
|
//
|
|
|
|
// The input is modified to match key share entries. DefaultCurves must
|
|
|
|
// be configured to match. The random and session ID fields are
|
|
|
|
// extracted from the ClientHello.
|
|
|
|
SendClientHelloWithFixes []byte
|
|
|
|
|
|
|
|
// SendJDK11DowngradeRandom, if true, causes the server to send the JDK
|
|
|
|
// 11 downgrade signal.
|
|
|
|
SendJDK11DowngradeRandom bool
|
|
|
|
|
|
|
|
// ExpectJDK11DowngradeRandom is whether the client should expect the
|
|
|
|
// server to send the JDK 11 downgrade signal.
|
|
|
|
ExpectJDK11DowngradeRandom bool
|
2018-11-12 21:53:42 +00:00
|
|
|
|
|
|
|
// FailIfHelloRetryRequested causes a handshake failure if a server requests a
|
|
|
|
// hello retry.
|
|
|
|
FailIfHelloRetryRequested bool
|
|
|
|
|
|
|
|
// FailedIfCECPQ2Offered will cause a server to reject a ClientHello if CECPQ2
|
|
|
|
// is supported.
|
|
|
|
FailIfCECPQ2Offered bool
|
|
|
|
|
|
|
|
// ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello
|
|
|
|
// should have key shares for.
|
|
|
|
ExpectedKeyShares []CurveID
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) serverInit() {
|
|
|
|
if c.SessionTicketsDisabled {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the key has already been set then we have nothing to do.
|
|
|
|
for _, b := range c.SessionTicketKey {
|
|
|
|
if b != 0 {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
|
|
|
|
c.SessionTicketsDisabled = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) rand() io.Reader {
|
|
|
|
r := c.Rand
|
|
|
|
if r == nil {
|
|
|
|
return rand.Reader
|
|
|
|
}
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) time() time.Time {
|
|
|
|
t := c.Time
|
|
|
|
if t == nil {
|
|
|
|
t = time.Now
|
|
|
|
}
|
|
|
|
return t()
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) cipherSuites() []uint16 {
|
|
|
|
s := c.CipherSuites
|
|
|
|
if s == nil {
|
|
|
|
s = defaultCipherSuites()
|
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2016-06-30 18:33:47 +01:00
|
|
|
func (c *Config) minVersion(isDTLS bool) uint16 {
|
|
|
|
ret := uint16(minVersion)
|
|
|
|
if c != nil && c.MinVersion != 0 {
|
|
|
|
ret = c.MinVersion
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
2016-06-30 18:33:47 +01:00
|
|
|
if isDTLS {
|
|
|
|
// The lowest version of DTLS is 1.0. There is no DSSL 3.0.
|
|
|
|
if ret < VersionTLS10 {
|
|
|
|
return VersionTLS10
|
|
|
|
}
|
|
|
|
// There is no such thing as DTLS 1.1.
|
|
|
|
if ret == VersionTLS11 {
|
|
|
|
return VersionTLS12
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ret
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
2016-06-30 18:33:47 +01:00
|
|
|
func (c *Config) maxVersion(isDTLS bool) uint16 {
|
|
|
|
ret := uint16(maxVersion)
|
|
|
|
if c != nil && c.MaxVersion != 0 {
|
|
|
|
ret = c.MaxVersion
|
|
|
|
}
|
|
|
|
if isDTLS {
|
|
|
|
// We only implement up to DTLS 1.2.
|
|
|
|
if ret > VersionTLS12 {
|
|
|
|
return VersionTLS12
|
|
|
|
}
|
|
|
|
// There is no such thing as DTLS 1.1.
|
|
|
|
if ret == VersionTLS11 {
|
|
|
|
return VersionTLS10
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
2016-06-30 18:33:47 +01:00
|
|
|
return ret
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
2018-11-12 21:53:42 +00:00
|
|
|
var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
func (c *Config) curvePreferences() []CurveID {
|
|
|
|
if c == nil || len(c.CurvePreferences) == 0 {
|
|
|
|
return defaultCurvePreferences
|
|
|
|
}
|
|
|
|
return c.CurvePreferences
|
|
|
|
}
|
|
|
|
|
2016-07-16 16:47:31 +01:00
|
|
|
func (c *Config) defaultCurves() map[CurveID]bool {
|
|
|
|
defaultCurves := make(map[CurveID]bool)
|
|
|
|
curves := c.DefaultCurves
|
|
|
|
if c == nil || c.DefaultCurves == nil {
|
|
|
|
curves = c.curvePreferences()
|
|
|
|
}
|
|
|
|
for _, curveID := range curves {
|
|
|
|
defaultCurves[curveID] = true
|
|
|
|
}
|
|
|
|
return defaultCurves
|
|
|
|
}
|
|
|
|
|
2017-09-08 22:03:42 +01:00
|
|
|
func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
|
|
|
|
if isDTLS {
|
|
|
|
switch vers {
|
|
|
|
case VersionDTLS12:
|
|
|
|
return VersionTLS12, true
|
|
|
|
case VersionDTLS10:
|
|
|
|
return VersionTLS10, true
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
switch vers {
|
2018-08-13 15:07:45 +01:00
|
|
|
case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13:
|
2017-09-08 22:03:42 +01:00
|
|
|
return vers, true
|
2018-03-27 18:15:26 +01:00
|
|
|
case tls13Draft23Version, tls13Draft28Version:
|
2017-09-08 22:03:42 +01:00
|
|
|
return VersionTLS13, true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
|
2018-03-27 18:15:26 +01:00
|
|
|
func isDraft28(vers uint16) bool {
|
2018-08-13 15:07:45 +01:00
|
|
|
return vers == tls13Draft28Version || vers == VersionTLS13
|
2018-03-27 18:15:26 +01:00
|
|
|
}
|
|
|
|
|
2017-06-20 15:55:02 +01:00
|
|
|
// isSupportedVersion checks if the specified wire version is acceptable. If so,
|
|
|
|
// it returns true and the corresponding protocol version. Otherwise, it returns
|
|
|
|
// false.
|
|
|
|
func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
|
|
|
|
vers, ok := wireToVersion(wireVers, isDTLS)
|
|
|
|
if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) {
|
|
|
|
return 0, false
|
|
|
|
}
|
2018-08-13 15:07:45 +01:00
|
|
|
if vers == VersionTLS13 {
|
|
|
|
switch c.TLS13Variant {
|
|
|
|
case TLS13Draft23:
|
|
|
|
if wireVers != tls13Draft23Version {
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
case TLS13Draft28:
|
|
|
|
if wireVers != tls13Draft28Version {
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
case TLS13RFC:
|
|
|
|
if wireVers != VersionTLS13 {
|
|
|
|
return 0, false
|
|
|
|
}
|
2018-08-27 22:45:49 +01:00
|
|
|
case TLS13All:
|
2018-08-13 15:07:45 +01:00
|
|
|
// Allow all of them.
|
|
|
|
default:
|
|
|
|
panic(c.TLS13Variant)
|
|
|
|
}
|
|
|
|
}
|
2017-06-20 15:55:02 +01:00
|
|
|
return vers, true
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) supportedVersions(isDTLS bool) []uint16 {
|
|
|
|
versions := allTLSWireVersions
|
|
|
|
if isDTLS {
|
|
|
|
versions = allDTLSWireVersions
|
|
|
|
}
|
|
|
|
var ret []uint16
|
|
|
|
for _, vers := range versions {
|
|
|
|
if _, ok := c.isSupportedVersion(vers, isDTLS); ok {
|
|
|
|
ret = append(ret, vers)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ret
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// getCertificateForName returns the best certificate for the given name,
|
|
|
|
// defaulting to the first element of c.Certificates if there are no good
|
|
|
|
// options.
|
|
|
|
func (c *Config) getCertificateForName(name string) *Certificate {
|
|
|
|
if len(c.Certificates) == 1 || c.NameToCertificate == nil {
|
|
|
|
// There's only one choice, so no point doing any work.
|
|
|
|
return &c.Certificates[0]
|
|
|
|
}
|
|
|
|
|
|
|
|
name = strings.ToLower(name)
|
|
|
|
for len(name) > 0 && name[len(name)-1] == '.' {
|
|
|
|
name = name[:len(name)-1]
|
|
|
|
}
|
|
|
|
|
|
|
|
if cert, ok := c.NameToCertificate[name]; ok {
|
|
|
|
return cert
|
|
|
|
}
|
|
|
|
|
|
|
|
// try replacing labels in the name with wildcards until we get a
|
|
|
|
// match.
|
|
|
|
labels := strings.Split(name, ".")
|
|
|
|
for i := range labels {
|
|
|
|
labels[i] = "*"
|
|
|
|
candidate := strings.Join(labels, ".")
|
|
|
|
if cert, ok := c.NameToCertificate[candidate]; ok {
|
|
|
|
return cert
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// If nothing matches, return the first certificate.
|
|
|
|
return &c.Certificates[0]
|
|
|
|
}
|
|
|
|
|
2016-07-09 19:21:54 +01:00
|
|
|
func (c *Config) signSignatureAlgorithms() []signatureAlgorithm {
|
|
|
|
if c != nil && c.SignSignatureAlgorithms != nil {
|
|
|
|
return c.SignSignatureAlgorithms
|
2014-11-14 06:43:59 +00:00
|
|
|
}
|
2016-07-09 19:21:54 +01:00
|
|
|
return supportedSignatureAlgorithms
|
2014-11-14 06:43:59 +00:00
|
|
|
}
|
|
|
|
|
2016-07-09 19:21:54 +01:00
|
|
|
func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm {
|
|
|
|
if c != nil && c.VerifySignatureAlgorithms != nil {
|
|
|
|
return c.VerifySignatureAlgorithms
|
2014-11-14 06:43:59 +00:00
|
|
|
}
|
2016-07-09 19:21:54 +01:00
|
|
|
return supportedSignatureAlgorithms
|
2014-11-14 06:43:59 +00:00
|
|
|
}
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
|
|
|
|
// from the CommonName and SubjectAlternateName fields of each of the leaf
|
|
|
|
// certificates.
|
|
|
|
func (c *Config) BuildNameToCertificate() {
|
|
|
|
c.NameToCertificate = make(map[string]*Certificate)
|
|
|
|
for i := range c.Certificates {
|
|
|
|
cert := &c.Certificates[i]
|
|
|
|
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if len(x509Cert.Subject.CommonName) > 0 {
|
|
|
|
c.NameToCertificate[x509Cert.Subject.CommonName] = cert
|
|
|
|
}
|
|
|
|
for _, san := range x509Cert.DNSNames {
|
|
|
|
c.NameToCertificate[san] = cert
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// A Certificate is a chain of one or more certificates, leaf first.
|
|
|
|
type Certificate struct {
|
|
|
|
Certificate [][]byte
|
|
|
|
PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey
|
|
|
|
// OCSPStaple contains an optional OCSP response which will be served
|
|
|
|
// to clients that request it.
|
|
|
|
OCSPStaple []byte
|
2014-11-25 06:55:35 +00:00
|
|
|
// SignedCertificateTimestampList contains an optional encoded
|
|
|
|
// SignedCertificateTimestampList structure which will be
|
|
|
|
// served to clients that request it.
|
|
|
|
SignedCertificateTimestampList []byte
|
2014-06-20 20:00:00 +01:00
|
|
|
// Leaf is the parsed form of the leaf certificate, which may be
|
|
|
|
// initialized using x509.ParseCertificate to reduce per-handshake
|
|
|
|
// processing for TLS clients doing client authentication. If nil, the
|
|
|
|
// leaf certificate will be parsed as needed.
|
|
|
|
Leaf *x509.Certificate
|
|
|
|
}
|
|
|
|
|
|
|
|
// A TLS record.
|
|
|
|
type record struct {
|
|
|
|
contentType recordType
|
|
|
|
major, minor uint8
|
|
|
|
payload []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
type handshakeMessage interface {
|
|
|
|
marshal() []byte
|
|
|
|
unmarshal([]byte) bool
|
|
|
|
}
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// lruSessionCache is a client or server session cache implementation
|
|
|
|
// that uses an LRU caching strategy.
|
2014-06-20 20:00:00 +01:00
|
|
|
type lruSessionCache struct {
|
|
|
|
sync.Mutex
|
|
|
|
|
|
|
|
m map[string]*list.Element
|
|
|
|
q *list.List
|
|
|
|
capacity int
|
|
|
|
}
|
|
|
|
|
|
|
|
type lruSessionCacheEntry struct {
|
|
|
|
sessionKey string
|
2014-11-17 08:19:02 +00:00
|
|
|
state interface{}
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Put adds the provided (sessionKey, cs) pair to the cache.
|
2014-11-17 08:19:02 +00:00
|
|
|
func (c *lruSessionCache) Put(sessionKey string, cs interface{}) {
|
2014-06-20 20:00:00 +01:00
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if c.q.Len() < c.capacity {
|
|
|
|
entry := &lruSessionCacheEntry{sessionKey, cs}
|
|
|
|
c.m[sessionKey] = c.q.PushFront(entry)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
elem := c.q.Back()
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
delete(c.m, entry.sessionKey)
|
|
|
|
entry.sessionKey = sessionKey
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
c.m[sessionKey] = elem
|
|
|
|
}
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// Get returns the value associated with a given key. It returns (nil,
|
|
|
|
// false) if no value is found.
|
|
|
|
func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) {
|
2014-06-20 20:00:00 +01:00
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return elem.Value.(*lruSessionCacheEntry).state, true
|
|
|
|
}
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
2014-11-17 08:19:02 +00:00
|
|
|
// lruClientSessionCache is a ClientSessionCache implementation that
|
|
|
|
// uses an LRU caching strategy.
|
|
|
|
type lruClientSessionCache struct {
|
|
|
|
lruSessionCache
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) {
|
|
|
|
c.lruSessionCache.Put(sessionKey, cs)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
|
|
|
|
cs, ok := c.lruSessionCache.Get(sessionKey)
|
|
|
|
if !ok {
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
return cs.(*ClientSessionState), true
|
|
|
|
}
|
|
|
|
|
|
|
|
// lruServerSessionCache is a ServerSessionCache implementation that
|
|
|
|
// uses an LRU caching strategy.
|
|
|
|
type lruServerSessionCache struct {
|
|
|
|
lruSessionCache
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) {
|
|
|
|
c.lruSessionCache.Put(sessionId, session)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) {
|
|
|
|
cs, ok := c.lruSessionCache.Get(sessionId)
|
|
|
|
if !ok {
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
return cs.(*sessionState), true
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLRUClientSessionCache returns a ClientSessionCache with the given
|
|
|
|
// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
|
|
|
|
// is used instead.
|
|
|
|
func NewLRUClientSessionCache(capacity int) ClientSessionCache {
|
|
|
|
const defaultSessionCacheCapacity = 64
|
|
|
|
|
|
|
|
if capacity < 1 {
|
|
|
|
capacity = defaultSessionCacheCapacity
|
|
|
|
}
|
|
|
|
return &lruClientSessionCache{
|
|
|
|
lruSessionCache{
|
|
|
|
m: make(map[string]*list.Element),
|
|
|
|
q: list.New(),
|
|
|
|
capacity: capacity,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLRUServerSessionCache returns a ServerSessionCache with the given
|
|
|
|
// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
|
|
|
|
// is used instead.
|
|
|
|
func NewLRUServerSessionCache(capacity int) ServerSessionCache {
|
|
|
|
const defaultSessionCacheCapacity = 64
|
|
|
|
|
|
|
|
if capacity < 1 {
|
|
|
|
capacity = defaultSessionCacheCapacity
|
|
|
|
}
|
|
|
|
return &lruServerSessionCache{
|
|
|
|
lruSessionCache{
|
|
|
|
m: make(map[string]*list.Element),
|
|
|
|
q: list.New(),
|
|
|
|
capacity: capacity,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
|
|
|
|
type dsaSignature struct {
|
|
|
|
R, S *big.Int
|
|
|
|
}
|
|
|
|
|
|
|
|
type ecdsaSignature dsaSignature
|
|
|
|
|
|
|
|
var emptyConfig Config
|
|
|
|
|
|
|
|
func defaultConfig() *Config {
|
|
|
|
return &emptyConfig
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
once sync.Once
|
|
|
|
varDefaultCipherSuites []uint16
|
|
|
|
)
|
|
|
|
|
|
|
|
func defaultCipherSuites() []uint16 {
|
|
|
|
once.Do(initDefaultCipherSuites)
|
|
|
|
return varDefaultCipherSuites
|
|
|
|
}
|
|
|
|
|
|
|
|
func initDefaultCipherSuites() {
|
2014-10-27 05:06:24 +00:00
|
|
|
for _, suite := range cipherSuites {
|
|
|
|
if suite.flags&suitePSK == 0 {
|
|
|
|
varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func unexpectedMessageError(wanted, got interface{}) error {
|
|
|
|
return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
|
|
|
|
}
|
2014-11-14 06:43:59 +00:00
|
|
|
|
2016-06-21 23:19:24 +01:00
|
|
|
func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool {
|
|
|
|
for _, s := range sigAlgs {
|
|
|
|
if s == sigAlg {
|
2014-11-14 06:43:59 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2016-07-04 18:11:59 +01:00
|
|
|
|
|
|
|
var (
|
2018-08-15 04:26:39 +01:00
|
|
|
// See RFC 8446, section 4.1.3.
|
2016-07-04 18:11:59 +01:00
|
|
|
downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}
|
|
|
|
downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}
|
2018-11-19 21:49:56 +00:00
|
|
|
|
|
|
|
// This is a non-standard randomly-generated value.
|
|
|
|
downgradeJDK11 = []byte{0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff}
|
2016-07-04 18:11:59 +01:00
|
|
|
)
|
2017-06-20 15:55:02 +01:00
|
|
|
|
|
|
|
func containsGREASE(values []uint16) bool {
|
|
|
|
for _, v := range values {
|
|
|
|
if isGREASEValue(v) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2018-04-08 18:59:25 +01:00
|
|
|
|
|
|
|
func checkRSAPSSSupport(support RSAPSSSupport, sigAlgs, sigAlgsCert []signatureAlgorithm) error {
|
|
|
|
if sigAlgsCert == nil {
|
|
|
|
sigAlgsCert = sigAlgs
|
|
|
|
} else if eqSignatureAlgorithms(sigAlgs, sigAlgsCert) {
|
|
|
|
// The peer should have only sent the list once.
|
|
|
|
return errors.New("tls: signature_algorithms and signature_algorithms_cert extensions were identical")
|
|
|
|
}
|
|
|
|
|
|
|
|
if support == RSAPSSSupportAny {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var foundPSS, foundPSSCert bool
|
|
|
|
for _, sigAlg := range sigAlgs {
|
|
|
|
if sigAlg == signatureRSAPSSWithSHA256 || sigAlg == signatureRSAPSSWithSHA384 || sigAlg == signatureRSAPSSWithSHA512 {
|
|
|
|
foundPSS = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, sigAlg := range sigAlgsCert {
|
|
|
|
if sigAlg == signatureRSAPSSWithSHA256 || sigAlg == signatureRSAPSSWithSHA384 || sigAlg == signatureRSAPSSWithSHA512 {
|
|
|
|
foundPSSCert = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
expectPSS := support != RSAPSSSupportNone
|
|
|
|
if foundPSS != expectPSS {
|
|
|
|
if expectPSS {
|
|
|
|
return errors.New("tls: peer did not support PSS")
|
|
|
|
} else {
|
|
|
|
return errors.New("tls: peer unexpectedly supported PSS")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
expectPSSCert := support == RSAPSSSupportBoth
|
|
|
|
if foundPSSCert != expectPSSCert {
|
|
|
|
if expectPSSCert {
|
|
|
|
return errors.New("tls: peer did not support PSS in certificates")
|
|
|
|
} else {
|
|
|
|
return errors.New("tls: peer unexpectedly supported PSS in certificates")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|