kris
/
boringssl
1
0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Версии 0 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1673 Ревизии
12 Клонове
38 MiB
ИН на ревизия: b2d987b47c
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от 'b2d987b47c'
${ noResults }
boringssl/ssl/test/runner/common.go

common.go 36 KiB
Директен файл Normal View История

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Implement TLS Channel ID in runner.go Change-Id: Ia349c7a7cdcfd49965cd0c4d6cf81a76fbffb696 Reviewed-on: https://boringssl-review.googlesource.com/1604 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test-only DTLS implementation in runner.go. Run against openssl s_client and openssl s_server. This seems to work for a start, although it may need to become cleverer to stress more of BoringSSL's implementation for test purposes. In particular, it assumes a reliable, in-order channel. And it requires that the peer send handshake fragments in order. Retransmit and whatnot are not implemented. The peer under test will be expected to handle a lossy channel, but all loss in the channel will be controlled. MAC errors, etc., are fatal. Change-Id: I329233cfb0994938fd012667ddf7c6a791ac7164 Reviewed-on: https://boringssl-review.googlesource.com/1390 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Implement TLS Channel ID in runner.go Change-Id: Ia349c7a7cdcfd49965cd0c4d6cf81a76fbffb696 Reviewed-on: https://boringssl-review.googlesource.com/1604 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Run go fmt on runner. That got out of sync at some point. Change-Id: I5a45f50f330ceb65053181afc916053a80aa2c5d Reviewed-on: https://boringssl-review.googlesource.com/5541 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test that client curve preferences are enforced. Change-Id: Idc8ac43bd59607641ac2ad0b7179b2f942c0b0ce Reviewed-on: https://boringssl-review.googlesource.com/4403 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add a test for certificate types parsing. Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a Reviewed-on: https://boringssl-review.googlesource.com/1111 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add a test for certificate types parsing. Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a Reviewed-on: https://boringssl-review.googlesource.com/1111 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test client auth under TLS 1.2 hash mismatch and SSL 3. Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also use it for SSL 3. This isn't strictly necessary as we know the hash functions, but Go's hash.Hash interface lacks a Copy method. Also fix the server-side tests which failed to test every TLS version. Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600 Reviewed-on: https://boringssl-review.googlesource.com/1664 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Implement TLS Channel ID in runner.go Change-Id: Ia349c7a7cdcfd49965cd0c4d6cf81a76fbffb696 Reviewed-on: https://boringssl-review.googlesource.com/1604 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add SSL_get_tls_unique. SSL_get_tls_unique returns the tls-unique channel-binding value as defined in https://tools.ietf.org/html/rfc5929#section-3.1. Change-Id: Id9644328a7db8a91cf3ff0deee9dd6ce0d3e00ba Reviewed-on: https://boringssl-review.googlesource.com/4984 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add a test for certificate types parsing. Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a Reviewed-on: https://boringssl-review.googlesource.com/1111 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Implement TLS Channel ID in runner.go Change-Id: Ia349c7a7cdcfd49965cd0c4d6cf81a76fbffb696 Reviewed-on: https://boringssl-review.googlesource.com/1604 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for bad CertificateVerify signatures. I don't think we had coverage for this check. Change-Id: I5e454e69c1ee9f1b9760d2ef1431170d76f78d63 Reviewed-on: https://boringssl-review.googlesource.com/5544 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Fix test of first of 255 CBC padding bytes. Thanks to Peter Gijsels for pointing out that if a CBC record has 255 bytes of padding, the first was not being checked.
преди 10 години
Implement TLS_FALLBACK_SCSV support for the client. With this change, calling SSL_enable_fallback_scsv on a client SSL* will cause the fallback SCSV to be sent. This is intended to be set when the client is performing TLS fallback after a failed connection. (This only happens if the application itself implements this behaviour: OpenSSL does not do fallback automatically.) The fallback SCSV indicates to the server that it should reject the connection if the version indicated by the client is less than the version supported by the server. See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02. Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
преди 10 години
Check duplicate extensions before processing. ClientHello and ServerHello are not allowed to include duplicate extensions. Add a new helper function to check this and call as appropriate. Remove ad-hoc per-extension duplicate checks which are no unnecessary. Add runner.go tests to verify such message correctly rejected. Change-Id: I7babd5b642dfec941459512869e2dd6de26a831c Reviewed-on: https://boringssl-review.googlesource.com/1100 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add UnauthenticatedECDH bug test. This works, but there's enough shared codepaths that it's worth a test to ensure it stays that way. Change-Id: I5d5a729811e35832170322957258304213204e3b Reviewed-on: https://boringssl-review.googlesource.com/1155 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Be strict about requiring ServerKeyExchange. Missing ServerKeyExchange is handled, but only because it hits an ERR_R_INTERNAL_ERROR in ssl3_send_client_key_exchange in trying to find the server ECDH parameters. Be strict about requiring it for ECDHE. Change-Id: Ifce5b73c8bd14746b8a2185f479d550e9e3f84df Reviewed-on: https://boringssl-review.googlesource.com/1157 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test that False Start fails if the server second leg is omitted. This works fine, but I believe NSS had a bug here a couple years ago. Also move all the Skip* bug options next to each other in order. Change-Id: I72dcb3babeee7ba73b3d7dc5ebef2e2298e37438 Reviewed-on: https://boringssl-review.googlesource.com/3333 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
CertificateStatus is optional. Because RFC 6066 is obnoxious like that and IIS servers actually do this when OCSP-stapling is configured, but the OCSP server cannot be reached. BUG=478947 Change-Id: I3d34c1497e0b6b02d706278dcea5ceb684ff60ae Reviewed-on: https://boringssl-review.googlesource.com/4461 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Be strict about requiring ServerKeyExchange. Missing ServerKeyExchange is handled, but only because it hits an ERR_R_INTERNAL_ERROR in ssl3_send_client_key_exchange in trying to find the server ECDH parameters. Be strict about requiring it for ECDHE. Change-Id: Ifce5b73c8bd14746b8a2185f479d550e9e3f84df Reviewed-on: https://boringssl-review.googlesource.com/1157 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add SkipChangeCipherSpec tests. They pass, but this is an error case that is probably worth a test. Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed Reviewed-on: https://boringssl-review.googlesource.com/1257 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test that False Start fails if the server second leg is omitted. This works fine, but I believe NSS had a bug here a couple years ago. Also move all the Skip* bug options next to each other in order. Change-Id: I72dcb3babeee7ba73b3d7dc5ebef2e2298e37438 Reviewed-on: https://boringssl-review.googlesource.com/3333 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add SkipChangeCipherSpec tests. They pass, but this is an error case that is probably worth a test. Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed Reviewed-on: https://boringssl-review.googlesource.com/1257 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add EarlyChangeCipherSpec tests. Adapted from patch in https://www.imperialviolet.org/2014/06/05/earlyccs.html. Change-Id: I14bf314d105780e23e6bd09217870deff5744979 Reviewed-on: https://boringssl-review.googlesource.com/1292 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test that False Start fails if the server second leg is omitted. This works fine, but I believe NSS had a bug here a couple years ago. Also move all the Skip* bug options next to each other in order. Change-Id: I72dcb3babeee7ba73b3d7dc5ebef2e2298e37438 Reviewed-on: https://boringssl-review.googlesource.com/3333 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add EarlyChangeCipherSpec tests. Adapted from patch in https://www.imperialviolet.org/2014/06/05/earlyccs.html. Change-Id: I14bf314d105780e23e6bd09217870deff5744979 Reviewed-on: https://boringssl-review.googlesource.com/1292 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Improve test coverage around NewSessionTicket message. Test both when the peer doesn't support session tickets and when the server promises a NewSessionTicket message but doesn't deliver. Change-Id: I48f338094002beac2e6b80e41851c72822b3b9d5 Reviewed-on: https://boringssl-review.googlesource.com/1300 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Change CCS_OK to EXPECT_CCS. Now that the flag is set accurately, use it to enforce that the handshake and CCS synchronization. If EXPECT_CCS is set, enforce that: (a) No handshake records may be received before ChangeCipherSpec. (b) There is no pending handshake data at the point EXPECT_CCS is set. Change-Id: I04b228fe6a7a771cf6600b7d38aa762b2d553f08 Reviewed-on: https://boringssl-review.googlesource.com/1299 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add a test to assert parsing V2ClientHellos works. Should have test coverage there as long as we care about supporting it. Change-Id: Ic67539228b550f2ebd0b543d5a58640913b0474b Reviewed-on: https://boringssl-review.googlesource.com/1371 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add server-side FallbackSCSV tests. Assert that inappropriate fallbacks are detected, but if the client_version matches the server's highest version, do not abort the handshake. Change-Id: I9d72570bce45e1eb23fc2b74a3c5fca10562e573 Reviewed-on: https://boringssl-review.googlesource.com/1373 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Convert the renegotiation extension to the new system. This change also switches the behaviour of the client. Previously the client would send the SCSV rather than the extension, but now it'll only do that for SSLv3 connections. Change-Id: I67a04b8abbef2234747c0dac450458deb6b0cd0a Reviewed-on: https://boringssl-review.googlesource.com/5143 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for CVE-2014-3511. Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to better stress the state machine. Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd Reviewed-on: https://boringssl-review.googlesource.com/1452 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Fix DTLS handling of multiple records in a packet. 9a41d1b946c17f353c1f7f1d35713b5623dc399e broke handling of multiple records in a single packet. If |extend| is true, not all of the previous packet should be consumed, only up to the record length. Add a test which stresses the DTLS stack's handling of multiple handshake fragments in a handshake record and multiple handshake records in a packet. Change-Id: I96571098ad9001e96440501c4730325227b155b8 Reviewed-on: https://boringssl-review.googlesource.com/4950 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test state machine asynchronous behavior. Add a framework for testing the asynchronous codepath. Move some handshake state machine coverage tests to cover a range of record-layer and handshake-layer asynchronicity. This adds tests for the previous two async bugs fixed. Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e Reviewed-on: https://boringssl-review.googlesource.com/1410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Remove SSL_OP_TLS_ROLLBACK_BUG. It's not part of SSL_OP_ALL and is unused, so remove it. Add a test that asserts the version check works. Change-Id: I917516594ec5a4998a8316782f035697c33d99b0 Reviewed-on: https://boringssl-review.googlesource.com/1418 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for CVE-2014-3511. Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to better stress the state machine. Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd Reviewed-on: https://boringssl-review.googlesource.com/1452 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Remove support for processing fragmented alerts Prior to this change, BoringSSL maintained a 2-byte buffer for alerts, and would support reassembly of fragmented alerts. NSS does not support fragmented alerts, nor would any reasonable implementation produce them. Remove fragmented alert handling and produce an error if a fragmented alert has ever been encountered. Change-Id: I31530ac372e8a90b47cf89404630c1c207cfb048 Reviewed-on: https://boringssl-review.googlesource.com/2125 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add test coverage for normal alert parsing. We have test coverage for invalid alerts, but not for normal ones on the DTLS side. Change-Id: I359dce8d4dc80dfa99b5d8bacd73f48a8e4ac310 Reviewed-on: https://boringssl-review.googlesource.com/3291 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Remove support for processing fragmented alerts Prior to this change, BoringSSL maintained a 2-byte buffer for alerts, and would support reassembly of fragmented alerts. NSS does not support fragmented alerts, nor would any reasonable implementation produce them. Remove fragmented alert handling and produce an error if a fragmented alert has ever been encountered. Change-Id: I31530ac372e8a90b47cf89404630c1c207cfb048 Reviewed-on: https://boringssl-review.googlesource.com/2125 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Remove SSL_OP_TLS_ROLLBACK_BUG. It's not part of SSL_OP_ALL and is unused, so remove it. Add a test that asserts the version check works. Change-Id: I917516594ec5a4998a8316782f035697c33d99b0 Reviewed-on: https://boringssl-review.googlesource.com/1418 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add RenewTicketOnResume tests. Didn't have coverage for abbreviated handshakes with NewSessionTicket. Also add some missing resumeSession flags so the tests match the comments. Change-Id: Ie4d76e8764561f3f1f31e1aa9595324affce0db8 Reviewed-on: https://boringssl-review.googlesource.com/1453 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Clean up s23_srvr.c. ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an even older SSL_OP_NON_EXPORT_FIRST option (see upstream's d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic. Split it into three states and move V2ClientHello parsing into its own function. Port it to CBS and CBB to give bounds checks on the V2ClientHello parse. This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an extra time. It also unbreaks the invariant between s->packet, s->packet_length, s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this was of no consequence because the first ssl3_read_n call passes extend = 0 which resets s->packet and s->packet_length. It also makes us tolerant to major version bumps in the ClientHello. Add tests for TLS tolerance of both minor and major version bumps as well as the HTTP request error codes. Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257 Reviewed-on: https://boringssl-review.googlesource.com/1455 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test-only DTLS implementation in runner.go. Run against openssl s_client and openssl s_server. This seems to work for a start, although it may need to become cleverer to stress more of BoringSSL's implementation for test purposes. In particular, it assumes a reliable, in-order channel. And it requires that the peer send handshake fragments in order. Retransmit and whatnot are not implemented. The peer under test will be expected to handle a lossy channel, but all loss in the channel will be controlled. MAC errors, etc., are fatal. Change-Id: I329233cfb0994938fd012667ddf7c6a791ac7164 Reviewed-on: https://boringssl-review.googlesource.com/1390 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add a test to ensure False Start occurs. This adds the missing test coverage for 7e3305eebd7fb06d57e7f25b3bbf9c10d526f7d5. Change-Id: I8c9f1dc998afa9bb1f6fb2a7872a651037bb4844 Reviewed-on: https://boringssl-review.googlesource.com/1610 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add a test for SSL_OP_TLS_D5_BUG. If this is part of SSL_OP_ALL, we should have a test for it. Change-Id: Ia72422beb2da6434726e78e174f3416f90f7c897 Reviewed-on: https://boringssl-review.googlesource.com/1695 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add negative False Start tests. Extend the False Start tests to optionally send an alert (thus avoiding deadlock) before waiting for the out-of-order app data. Based on whether the peer shuts off the connection before or after sending app data, we can determine whether the peer False Started by observing purely external effects. Change-Id: I8b9fecc29668e0b0c34b5fd19d0f239545011bae Reviewed-on: https://boringssl-review.googlesource.com/4213 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add a test for SSL_OP_TLS_D5_BUG. If this is part of SSL_OP_ALL, we should have a test for it. Change-Id: Ia72422beb2da6434726e78e174f3416f90f7c897 Reviewed-on: https://boringssl-review.googlesource.com/1695 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Check the server did not use a TLS 1.2 cipher suite pre-TLS 1.2. This check got refactored in OpenSSL 1.0.2 and broke in the process. Fix this and add a test. Otherwise things like client auth can get slightly confused; it will try to sign the MD5/SHA-1 hash, but the TLS 1.2 cipher suite may not use SSL_HANDSHAKE_MAC_DEFAULT, so those digests won't be available. Based on upstream's 226751ae4a1f3e00021c43399d7bb51a99c22c17. Change-Id: I5b864d3a696f3187b849c53b872c24fb7df27924 Reviewed-on: https://boringssl-review.googlesource.com/1696 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Improve test coverage for server_name extension. Notably, this would have caught ed8270a55c3845abbc85dfeed358597fef059ea9 (although, apart from staring at code coverage, knowing to set resumeSession on the server test isn't exactly obvious). Perhaps we should systematically set it on all extension server tests; ClientHello extension parsing happens after resumption has been determined and is often sensitive to it. Change-Id: Ie83f294a26881a6a41969e9dbd102d0a93cb68b5 Reviewed-on: https://boringssl-review.googlesource.com/1750 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test that ALPN is preferred over NPN. Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda Reviewed-on: https://boringssl-review.googlesource.com/1755 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Reject empty ALPN protocols. https://tools.ietf.org/html/rfc7301#section-3.1 specifies that a ProtocolName may not be empty. This change enforces this in ClientHello and ServerHello messages. Thanks to Doug Hogan for reporting this. Change-Id: Iab879c83145007799b94d2725201ede1a39e4596 Reviewed-on: https://boringssl-review.googlesource.com/5390 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add tests for client version negotiation and session resumption. BUG=chromium:417134 Change-Id: If5914be98026d899000fde267b2d329861ca3136 Reviewed-on: https://boringssl-review.googlesource.com/1822 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Fix memory leak when decoding corrupt tickets. This is CVE-2014-3567 from upstream. See https://www.openssl.org/news/secadv_20141015.txt Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815 Reviewed-on: https://boringssl-review.googlesource.com/1970 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for client-initiated renegotiation. These'll get removed once most of renego support is gone, but this is to prove removing the warning alert from the previous commit still prevents legacy renegotiations. Change-Id: I7d9d95e1d4c5d23d3b6d170938a5499a65f2d5ea Reviewed-on: https://boringssl-review.googlesource.com/2236 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Extended master secret support. This change implements support for the extended master secret. See https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 https://secure-resumption.com/ Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93 Reviewed-on: https://boringssl-review.googlesource.com/1930 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test server-side renegotiation. This change adds support to the Go code for renegotiation as a client, meaning that we can test BoringSSL's renegotiation as a server. Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b Reviewed-on: https://boringssl-review.googlesource.com/2082 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add DTLS replay tests. At the record layer, DTLS maintains a window of seen sequence numbers to detect replays. Add tests to cover that case. Test both repeated sequence numbers within the window and sequence numbers past the window's left edge. Also test receiving sequence numbers far past the window's right edge. Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86 Reviewed-on: https://boringssl-review.googlesource.com/2221 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for client-initiated renegotiation. These'll get removed once most of renego support is gone, but this is to prove removing the warning alert from the previous commit still prevents legacy renegotiations. Change-Id: I7d9d95e1d4c5d23d3b6d170938a5499a65f2d5ea Reviewed-on: https://boringssl-review.googlesource.com/2236 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Convert the renegotiation extension to the new system. This change also switches the behaviour of the client. Previously the client would send the SCSV rather than the extension, but now it'll only do that for SSLv3 connections. Change-Id: I67a04b8abbef2234747c0dac450458deb6b0cd0a Reviewed-on: https://boringssl-review.googlesource.com/5143 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add more aggressive DTLS replay tests. The existing tests only went monotonic. Allow an arbitrary mapping function. Also test by sending more app data. The handshake is fairly resilient to replayed packets, whereas our test code intentionally isn't. Change-Id: I0fb74bbacc260c65ec5f6a1ca8f3cb23b4192855 Reviewed-on: https://boringssl-review.googlesource.com/5556 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add a test for RSA ServerKeyExchange. Ensure that the client rejects it with UNEXPECTED_MESSAGE, not by attempting to decode it. Change-Id: Ifc5613cf1152e0f7dcbee73e05df1ef367dfbfd5 Reviewed-on: https://boringssl-review.googlesource.com/2232 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Test that we reject RSA ServerKeyExchange more thoroughly. The old test just sent an empty ServerKeyExchange which is sufficient as we reject the message early. But be more thorough and implement the actual ephemeral key logic in the test server. Change-Id: I016658762e4502c928c051e14d69eea67b5a495f Reviewed-on: https://boringssl-review.googlesource.com/3650 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add DTLS-SRTP tests. Just the negotiation portion as everything else is external. This feature is used in WebRTC. Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116 Reviewed-on: https://boringssl-review.googlesource.com/2310 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add test for renego client_version quirk. In upstream's f4e1169341ad1217e670387db5b0c12d680f95f4, the client_version was made constant across renegotiations, even if the server negotiated a lower version. NSS has the same quirk, reportedly for SChannel: https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/ssl3con.c&sq=package:chromium&l=5103 Add a test to ensure we do not regress this. Change-Id: I214e062463c203b86a9bab00f8503442e1bf74fe Reviewed-on: https://boringssl-review.googlesource.com/2405 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Handle empty curve preferences from the client. See upstream's bd891f098bdfcaa285c073ce556d0f5e27ec3a10. It honestly seems kinda dumb for a client to do this, but apparently the spec allows this. Judging by code inspection, OpenSSL 1.0.1 also allowed this, so this avoids a behavior change when switching from 1.0.1 to BoringSSL. Add a test for this, which revealed that, unlike upstream's version, this actually works with ecdh_auto since tls1_get_shared_curve also needs updating. (To be mentioned in newsletter.) Change-Id: Ie622700f17835965457034393b90f346740cfca8 Reviewed-on: https://boringssl-review.googlesource.com/4464 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add test for renego client_version quirk. In upstream's f4e1169341ad1217e670387db5b0c12d680f95f4, the client_version was made constant across renegotiations, even if the server negotiated a lower version. NSS has the same quirk, reportedly for SChannel: https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/ssl3con.c&sq=package:chromium&l=5103 Add a test to ensure we do not regress this. Change-Id: I214e062463c203b86a9bab00f8503442e1bf74fe Reviewed-on: https://boringssl-review.googlesource.com/2405 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
ClientHello Padding for Fast Radio Opening in 3G. The ClientHello record is padded to 1024 bytes when fastradio_padding is enabled. As a result, the 3G cellular radio is fast forwarded to DCH (high data rate) state. This mechanism leads to a substantial redunction in terms of TLS handshake latency, and benefits mobile apps that are running on top of TLS. Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
преди 10 години
Add assertions on the initial record version number. The record-layer version of the ServerHello should match the final version. The record-layer version of the ClientHello should be the advertised version, but clamped at TLS 1.0. This is to ensure future rewrites do not regress this. Change-Id: I96f1f0674944997ff38b562453a322ce61652635 Reviewed-on: https://boringssl-review.googlesource.com/2540 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Add a basic MTU test. The minimum MTU (not consistently enforced) is just under 256, so it's difficult to test everything, but this is a basic test. (E.g., without renego, the only handshake message with encryption is Finished which fits in the MTU.) It tests the server side because the Certificate message is large enough to require fragmentation. Change-Id: Ida11f1057cebae2b800ad13696f98bb3a7fbbc5e Reviewed-on: https://boringssl-review.googlesource.com/2824 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add tests for certificate mismatch. Cover another mildly interesting error case. Change-Id: Ice773af79f5e03f39f0cd2a9e158bae03e065392 Reviewed-on: https://boringssl-review.googlesource.com/2841 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test application data and Finished reordering. This is fatal for TLS but buffered in DTLS. The buffering isn't strictly necessary (it would be just as valid to drop the record on the floor), but so long as we want this behavior it should have a test. Change-Id: I5846bb2fe80d78e25b6dfad51bcfcff2dc427c3f Reviewed-on: https://boringssl-review.googlesource.com/3029 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Process alerts between ChangeCipherSpec and Finished. This mostly[*] doesn't matter for TLS since the message would have been rejected anyway, but, in DTLS, if the peer rejects our Finished, it will send an encrypted alert. This will then cause it to hang, which isn't very helpful. I've made the change on both TLS and DTLS so the two protocols don't diverge on this point. It is true that we're accepting nominally encrypted and authenticated alerts before Finished, but, prior to ChangeCipherSpec, the alerts are sent in the clear anyway so an attacker could already inject alerts. A consumer could only be sensitive to it being post-CCS if it was watching msg_callback. The only non-debug consumer of msg_callback I've found anywhere is some hostapd code to detect Heartbeat. See https://code.google.com/p/webrtc/issues/detail?id=4403 for an instance where the equivalent behavior in OpenSSL masks an alert. [*] This does change behavior slightly if the peer sends a warning alert between CCS and Finished. I believe this is benign as warning alerts are usually ignored apart from info_callback and msg_callback. The one exception is a close_notify which is a slightly new state (accepting close_notify during a handshake seems questionable...), but they're processed pre-CCS too. Change-Id: Idd0d49b9f9aa9d35374a9f5e2f815cdb931f5254 Reviewed-on: https://boringssl-review.googlesource.com/3883 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add DTLS timeout and retransmit tests. This extends the packet adaptor protocol to send three commands: type command = | Packet of []byte | Timeout of time.Duration | TimeoutAck When the shim processes a Timeout in BIO_read, it sends TimeoutAck, fails the BIO_read, returns out of the SSL stack, advances the clock, calls DTLSv1_handle_timeout, and continues. If the Go side sends Timeout right between sending handshake flight N and reading flight N+1, the shim won't read the Timeout until it has sent flight N+1 (it only processes packet commands in BIO_read), so the TimeoutAck comes after N+1. Go then drops all packets before the TimeoutAck, thus dropping one transmit of flight N+1 without having to actually process the packets to determine the end of the flight. The shim then sees the updated clock, calls DTLSv1_handle_timeout, and re-sends flight N+1 for Go to process for real. When dropping packets, Go checks the epoch and increments sequence numbers so that we can continue to be strict here. This requires tracking the initial sequence number of the next epoch. The final Finished message takes an additional special-case to test. DTLS triggers retransmits on either a timeout or seeing a stale flight. OpenSSL only implements the former which should be sufficient (and is necessary) EXCEPT for the final Finished message. If the peer's final Finished message is lost, it won't be waiting for a message from us, so it won't time out anything. That retransmit must be triggered on stale message, so we retransmit the Finished message in Go. Change-Id: I3ffbdb1de525beb2ee831b304670a3387877634c Reviewed-on: https://boringssl-review.googlesource.com/3212 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add initial handshake reassembly tests. For now, only test reorderings when we always or never fragment messages. There's a third untested case: when full messages and fragments are mixed. That will be tested later after making it actually work. Change-Id: Ic4efb3f5e87b1319baf2d4af31eafa40f6a50fa6 Reviewed-on: https://boringssl-review.googlesource.com/3216 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Reject all invalid records. The check on the DTLS side was broken anyway. On the TLS side, the spec does say to ignore them, but there should be no need for this in future-proofing and NSS doesn't appear to be lenient here. See also https://boringssl-review.googlesource.com/#/c/3233/ Change-Id: I0846222936c5e08acdcfd9d6f854a99df767e468 Reviewed-on: https://boringssl-review.googlesource.com/3290 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Rework DTLS handshake message reassembly logic. Notably, drop all special cases around receiving a message in order and receiving a full message. It makes things more complicated and was the source of bugs (the MixCompleteMessageWithFragments tests added in this CL did not pass before). Instead, every message goes through an hm_fragment, and dtls1_get_message always checks buffered_messages to see if the next is complete. The downside is that we pay one more copy of the message data in the common case. This is only during connection setup, so I think it's worth the simplicity. (If we want to optimize later, we could either tighten ssl3_get_message's interface to allow the handshake data being in the hm_fragment's backing store rather than s->init_buf or swap out s->init_buf with the hm_fragment's backing store when a mesasge completes. This CL does not address ssl_read_bytes being an inappropriate API for DTLS. Future work will revise the handshake/transport boundary to align better with DTLS's needs. Also other problems that I've left as TODOs. Change-Id: Ib4570d45634b5181ecf192894d735e8699b1c86b Reviewed-on: https://boringssl-review.googlesource.com/3764 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Reject all invalid records. The check on the DTLS side was broken anyway. On the TLS side, the spec does say to ignore them, but there should be no need for this in future-proofing and NSS doesn't appear to be lenient here. See also https://boringssl-review.googlesource.com/#/c/3233/ Change-Id: I0846222936c5e08acdcfd9d6f854a99df767e468 Reviewed-on: https://boringssl-review.googlesource.com/3290 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Actually check that the message has the expected type in DTLS. That might be a reasonable check to make, maybe. DTLS handshake message reading has a ton of other bugs and needs a complete rewrite. But let's fix this and get a test in now. Change-Id: I4981fc302feb9125908bb6161ed1a18288c39e2b Reviewed-on: https://boringssl-review.googlesource.com/3600 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Rework DTLS handshake message reassembly logic. Notably, drop all special cases around receiving a message in order and receiving a full message. It makes things more complicated and was the source of bugs (the MixCompleteMessageWithFragments tests added in this CL did not pass before). Instead, every message goes through an hm_fragment, and dtls1_get_message always checks buffered_messages to see if the next is complete. The downside is that we pay one more copy of the message data in the common case. This is only during connection setup, so I think it's worth the simplicity. (If we want to optimize later, we could either tighten ssl3_get_message's interface to allow the handshake data being in the hm_fragment's backing store rather than s->init_buf or swap out s->init_buf with the hm_fragment's backing store when a mesasge completes. This CL does not address ssl_read_bytes being an inappropriate API for DTLS. Future work will revise the handshake/transport boundary to align better with DTLS's needs. Also other problems that I've left as TODOs. Change-Id: Ib4570d45634b5181ecf192894d735e8699b1c86b Reviewed-on: https://boringssl-review.googlesource.com/3764 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
DTLS fragments may not be split across two records. See also upstream's 9dcab127e14467733523ff7626da8906e67eedd6. The root problem is dtls1_read_bytes is wrong, but we can get the right behavior now and add a regression test for it before cleaning it up. Change-Id: I4e5c39ab254a872d9f64242c9b77b020bdded6e6 Reviewed-on: https://boringssl-review.googlesource.com/5123 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Rework DTLS handshake message reassembly logic. Notably, drop all special cases around receiving a message in order and receiving a full message. It makes things more complicated and was the source of bugs (the MixCompleteMessageWithFragments tests added in this CL did not pass before). Instead, every message goes through an hm_fragment, and dtls1_get_message always checks buffered_messages to see if the next is complete. The downside is that we pay one more copy of the message data in the common case. This is only during connection setup, so I think it's worth the simplicity. (If we want to optimize later, we could either tighten ssl3_get_message's interface to allow the handshake data being in the hm_fragment's backing store rather than s->init_buf or swap out s->init_buf with the hm_fragment's backing store when a mesasge completes. This CL does not address ssl_read_bytes being an inappropriate API for DTLS. Future work will revise the handshake/transport boundary to align better with DTLS's needs. Also other problems that I've left as TODOs. Change-Id: Ib4570d45634b5181ecf192894d735e8699b1c86b Reviewed-on: https://boringssl-review.googlesource.com/3764 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add tests for full handshakes under renegotiation. In verifying the fix for CVE-2015-0291, I noticed we don't actually have any test coverage for full handshakes on renegotiation. All our tests always do resumptions. Change-Id: Ia9b701e8a50ba9353fefb8cc4fb86e78065d0b40 Reviewed-on: https://boringssl-review.googlesource.com/4050 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Deprecate SSL_*_read_ahead and enforce DTLS packet boundaries. Now that WebRTC honors packet boundaries (https://crbug.com/447431), we can start enforcing them correctly. Configuring read-ahead now does nothing. Instead DTLS will always set "read-ahead" and also correctly enforce packet boundaries when reading records. Add tests to ensure that badly fragmented packets are ignored. Because such packets don't fail the handshake, the tests work by injecting an alert in the front of the handshake stream and ensuring the DTLS implementation ignores them. ssl3_read_n can be be considerably unraveled now, but leave that for future cleanup. For now, make it correct. BUG=468889 Change-Id: I800cfabe06615af31c2ccece436ca52aed9fe899 Reviewed-on: https://boringssl-review.googlesource.com/4820 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Never resume sessions on renegotiations. This cuts down on one config knob as well as one case in the renego combinatorial explosion. Since the only case we care about with renego is the client auth hack, there's no reason to ever do resumption. Especially since, no matter what's in the session cache: - OpenSSL will only ever offer the session it just established, whether or not a newer one with client auth was since established. - Chrome will never cache sessions created on a renegotiation, so such a session would never make it to the session cache. - The new_session + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION logic had a bug where it would unconditionally never offer tickets (but would advertise support) on renego, so any server doing renego resumption against an OpenSSL-derived client must not support session tickets. This also gets rid of s->new_session which is now pointless. BUG=429450 Change-Id: I884bdcdc80bff45935b2c429b4bbc9c16b2288f8 Reviewed-on: https://boringssl-review.googlesource.com/4732 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Regression test for CVE-2015-0291. This is really just scar tissue with https://crbug.com/468889 being the real underlying problem. But the test is pretty easy. Change-Id: I5eca18fdcbde8665c0e6c3ac419a28152647d66f Reviewed-on: https://boringssl-review.googlesource.com/4052 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test that client cipher preferences are enforced. Change-Id: I6e760cfd785c0c5688da6f7d3d3092a8add40409 Reviewed-on: https://boringssl-review.googlesource.com/4070 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test that signature_algorithm preferences are enforced. Both on the client and the server. Change-Id: I9892c6dbbb29938154aba4f53b10e8b5231f9c47 Reviewed-on: https://boringssl-review.googlesource.com/4071 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test that warning alerts are ignored. Partly inspired by the new state exposed in dc3da938992d209a3b36acbd9695cfcab1fdf041, stress this codepath by spamming our poor shim with warning alerts. Change-Id: I876c6e52911b6eb57493cf3e1782b37ea96d01f8 Reviewed-on: https://boringssl-review.googlesource.com/4112 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test that client curve preferences are enforced. Change-Id: Idc8ac43bd59607641ac2ad0b7179b2f942c0b0ce Reviewed-on: https://boringssl-review.googlesource.com/4403 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Test that bad Finished messages are rejected. That's a pretty obvious thing to test. I'm not sure how we forgot that one. Change-Id: I7e1a7df6c6abbdd587e0f7723117f50d09faa5c4 Reviewed-on: https://boringssl-review.googlesource.com/4211 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Set minimum DH group size to 1024 bits. DH groups less than 1024 bits are clearly not very safe. Ideally servers would switch to ECDHE because 1024 isn't great either, but this will serve for the short term. BUG=490240 Change-Id: Ic9aac714cdcdcbfae319b5eb1410675d3b903a69 Reviewed-on: https://boringssl-review.googlesource.com/4813 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Fix DTLS handling of multiple records in a packet. 9a41d1b946c17f353c1f7f1d35713b5623dc399e broke handling of multiple records in a single packet. If |extend| is true, not all of the previous packet should be consumed, only up to the record length. Add a test which stresses the DTLS stack's handling of multiple handshake fragments in a handshake record and multiple handshake records in a packet. Change-Id: I96571098ad9001e96440501c4730325227b155b8 Reviewed-on: https://boringssl-review.googlesource.com/4950 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add a test that DTLS does not support RC4. Make sure we don't break that on accident. Change-Id: I22d58d35170d43375622fe61e4a588d1d626a054 Reviewed-on: https://boringssl-review.googlesource.com/4960 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Explicitly check for empty certificate list. The NULL checks later on notice, but failing with SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS on accident is confusing. Require that the message be non-empty. Change-Id: Iddfac6a3ae6e6dc66c3de41d3bb26e133c0c6e1d Reviewed-on: https://boringssl-review.googlesource.com/5046 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Add a test for the ticket callback. Change-Id: I7b2a4f617bd8d49c86fdaaf45bf67e0170bbd44f Reviewed-on: https://boringssl-review.googlesource.com/5230 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Tidy up extensions stuff and drop fastradio support. Fastradio was a trick where the ClientHello was padding to at least 1024 bytes in order to trick some mobile radios into entering high-power mode immediately. After experimentation, the feature is being dropped. This change also tidies up a bit of the extensions code now that everything is using the new system. Change-Id: Icf7892e0ac1fbe5d66a5d7b405ec455c6850a41c Reviewed-on: https://boringssl-review.googlesource.com/5466 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Implement custom extensions. This change mirrors upstream's custom extension API because we have some internal users that depend on it. Change-Id: I408e442de0a55df7b05c872c953ff048cd406513 Reviewed-on: https://boringssl-review.googlesource.com/5471 Reviewed-by: Adam Langley <agl@google.com>
преди 9 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for OCSP stapling and SCT lists. We forgot to add those when we implemented the features. (Also relevant because they will provide test coverage later for configuring features when using the generic method tables rather than *_client_method.) Change-Id: Ie08b27de893095e01a05a7084775676616459807 Reviewed-on: https://boringssl-review.googlesource.com/2410 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for session-ID-based resumption. This implements session IDs in client and server in runner.go. Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503 Reviewed-on: https://boringssl-review.googlesource.com/2350 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for PSK cipher suites. Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will be in a follow-up. Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3 Reviewed-on: https://boringssl-review.googlesource.com/2051 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
преди 10 години
Add tests for signature algorithm negotiation. Change-Id: I5a263734560997b774014b5742877aa4b2940664 Reviewed-on: https://boringssl-review.googlesource.com/2289 Reviewed-by: Adam Langley <agl@google.com>
преди 10 години
 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099 
  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package main

  6. 

  7. import (

  8. 	"container/list"

  9. 	"crypto"

  10. 	"crypto/ecdsa"

  11. 	"crypto/rand"

  12. 	"crypto/x509"

  13. 	"fmt"

  14. 	"io"

  15. 	"math/big"

  16. 	"strings"

  17. 	"sync"

  18. 	"time"

  19. )

  20. 

  21. const (

  22. 	VersionSSL30 = 0x0300

  23. 	VersionTLS10 = 0x0301

  24. 	VersionTLS11 = 0x0302

  25. 	VersionTLS12 = 0x0303

  26. )

  27. 

  28. const (

  29. 	maxPlaintext        = 16384        // maximum plaintext payload length

  30. 	maxCiphertext       = 16384 + 2048 // maximum ciphertext payload length

  31. 	tlsRecordHeaderLen  = 5            // record header length

  32. 	dtlsRecordHeaderLen = 13

  33. 	maxHandshake        = 65536 // maximum handshake we support (protocol max is 16 MB)

  34. 

  35. 	minVersion = VersionSSL30

  36. 	maxVersion = VersionTLS12

  37. )

  38. 

  39. // TLS record types.

  40. type recordType uint8

  41. 

  42. const (

  43. 	recordTypeChangeCipherSpec recordType = 20

  44. 	recordTypeAlert            recordType = 21

  45. 	recordTypeHandshake        recordType = 22

  46. 	recordTypeApplicationData  recordType = 23

  47. )

  48. 

  49. // TLS handshake message types.

  50. const (

  51. 	typeHelloRequest        uint8 = 0

  52. 	typeClientHello         uint8 = 1

  53. 	typeServerHello         uint8 = 2

  54. 	typeHelloVerifyRequest  uint8 = 3

  55. 	typeNewSessionTicket    uint8 = 4

  56. 	typeCertificate         uint8 = 11

  57. 	typeServerKeyExchange   uint8 = 12

  58. 	typeCertificateRequest  uint8 = 13

  59. 	typeServerHelloDone     uint8 = 14

  60. 	typeCertificateVerify   uint8 = 15

  61. 	typeClientKeyExchange   uint8 = 16

  62. 	typeFinished            uint8 = 20

  63. 	typeCertificateStatus   uint8 = 22

  64. 	typeNextProtocol        uint8 = 67  // Not IANA assigned

  65. 	typeEncryptedExtensions uint8 = 203 // Not IANA assigned

  66. )

  67. 

  68. // TLS compression types.

  69. const (

  70. 	compressionNone uint8 = 0

  71. )

  72. 

  73. // TLS extension numbers

  74. const (

  75. 	extensionServerName                 uint16 = 0

  76. 	extensionStatusRequest              uint16 = 5

  77. 	extensionSupportedCurves            uint16 = 10

  78. 	extensionSupportedPoints            uint16 = 11

  79. 	extensionSignatureAlgorithms        uint16 = 13

  80. 	extensionUseSRTP                    uint16 = 14

  81. 	extensionALPN                       uint16 = 16

  82. 	extensionSignedCertificateTimestamp uint16 = 18

  83. 	extensionExtendedMasterSecret       uint16 = 23

  84. 	extensionSessionTicket              uint16 = 35

  85. 	extensionCustom                     uint16 = 1234  // not IANA assigned

  86. 	extensionNextProtoNeg               uint16 = 13172 // not IANA assigned

  87. 	extensionRenegotiationInfo          uint16 = 0xff01

  88. 	extensionChannelID                  uint16 = 30032 // not IANA assigned

  89. )

  90. 

  91. // TLS signaling cipher suite values

  92. const (

  93. 	scsvRenegotiation uint16 = 0x00ff

  94. )

  95. 

  96. // CurveID is the type of a TLS identifier for an elliptic curve. See

  97. // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8

  98. type CurveID uint16

  99. 

  100. const (

  101. 	CurveP224 CurveID = 21

  102. 	CurveP256 CurveID = 23

  103. 	CurveP384 CurveID = 24

  104. 	CurveP521 CurveID = 25

  105. )

  106. 

  107. // TLS Elliptic Curve Point Formats

  108. // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9

  109. const (

  110. 	pointFormatUncompressed uint8 = 0

  111. )

  112. 

  113. // TLS CertificateStatusType (RFC 3546)

  114. const (

  115. 	statusTypeOCSP uint8 = 1

  116. )

  117. 

  118. // Certificate types (for certificateRequestMsg)

  119. const (

  120. 	CertTypeRSASign    = 1 // A certificate containing an RSA key

  121. 	CertTypeDSSSign    = 2 // A certificate containing a DSA key

  122. 	CertTypeRSAFixedDH = 3 // A certificate containing a static DH key

  123. 	CertTypeDSSFixedDH = 4 // A certificate containing a static DH key

  124. 

  125. 	// See RFC4492 sections 3 and 5.5.

  126. 	CertTypeECDSASign      = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.

  127. 	CertTypeRSAFixedECDH   = 65 // A certificate containing an ECDH-capable public key, signed with RSA.

  128. 	CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.

  129. 

  130. 	// Rest of these are reserved by the TLS spec

  131. )

  132. 

  133. // Hash functions for TLS 1.2 (See RFC 5246, section A.4.1)

  134. const (

  135. 	hashMD5    uint8 = 1

  136. 	hashSHA1   uint8 = 2

  137. 	hashSHA224 uint8 = 3

  138. 	hashSHA256 uint8 = 4

  139. 	hashSHA384 uint8 = 5

  140. 	hashSHA512 uint8 = 6

  141. )

  142. 

  143. // Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)

  144. const (

  145. 	signatureRSA   uint8 = 1

  146. 	signatureECDSA uint8 = 3

  147. )

  148. 

  149. // signatureAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See

  150. // RFC 5246, section A.4.1.

  151. type signatureAndHash struct {

  152. 	signature, hash uint8

  153. }

  154. 

  155. // supportedSKXSignatureAlgorithms contains the signature and hash algorithms

  156. // that the code advertises as supported in a TLS 1.2 ClientHello.

  157. var supportedSKXSignatureAlgorithms = []signatureAndHash{

  158. 	{signatureRSA, hashSHA256},

  159. 	{signatureECDSA, hashSHA256},

  160. 	{signatureRSA, hashSHA1},

  161. 	{signatureECDSA, hashSHA1},

  162. }

  163. 

  164. // supportedClientCertSignatureAlgorithms contains the signature and hash

  165. // algorithms that the code advertises as supported in a TLS 1.2

  166. // CertificateRequest.

  167. var supportedClientCertSignatureAlgorithms = []signatureAndHash{

  168. 	{signatureRSA, hashSHA256},

  169. 	{signatureECDSA, hashSHA256},

  170. }

  171. 

  172. // SRTP protection profiles (See RFC 5764, section 4.1.2)

  173. const (

  174. 	SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001

  175. 	SRTP_AES128_CM_HMAC_SHA1_32        = 0x0002

  176. )

  177. 

  178. // ConnectionState records basic TLS details about the connection.

  179. type ConnectionState struct {

  180. 	Version                    uint16                // TLS version used by the connection (e.g. VersionTLS12)

  181. 	HandshakeComplete          bool                  // TLS handshake is complete

  182. 	DidResume                  bool                  // connection resumes a previous TLS connection

  183. 	CipherSuite                uint16                // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)

  184. 	NegotiatedProtocol         string                // negotiated next protocol (from Config.NextProtos)

  185. 	NegotiatedProtocolIsMutual bool                  // negotiated protocol was advertised by server

  186. 	NegotiatedProtocolFromALPN bool                  // protocol negotiated with ALPN

  187. 	ServerName                 string                // server name requested by client, if any (server side only)

  188. 	PeerCertificates           []*x509.Certificate   // certificate chain presented by remote peer

  189. 	VerifiedChains             [][]*x509.Certificate // verified chains built from PeerCertificates

  190. 	ChannelID                  *ecdsa.PublicKey      // the channel ID for this connection

  191. 	SRTPProtectionProfile      uint16                // the negotiated DTLS-SRTP protection profile

  192. 	TLSUnique                  []byte

  193. }

  194. 

  195. // ClientAuthType declares the policy the server will follow for

  196. // TLS Client Authentication.

  197. type ClientAuthType int

  198. 

  199. const (

  200. 	NoClientCert ClientAuthType = iota

  201. 	RequestClientCert

  202. 	RequireAnyClientCert

  203. 	VerifyClientCertIfGiven

  204. 	RequireAndVerifyClientCert

  205. )

  206. 

  207. // ClientSessionState contains the state needed by clients to resume TLS

  208. // sessions.

  209. type ClientSessionState struct {

  210. 	sessionId            []uint8             // Session ID supplied by the server. nil if the session has a ticket.

  211. 	sessionTicket        []uint8             // Encrypted ticket used for session resumption with server

  212. 	vers                 uint16              // SSL/TLS version negotiated for the session

  213. 	cipherSuite          uint16              // Ciphersuite negotiated for the session

  214. 	masterSecret         []byte              // MasterSecret generated by client on a full handshake

  215. 	handshakeHash        []byte              // Handshake hash for Channel ID purposes.

  216. 	serverCertificates   []*x509.Certificate // Certificate chain presented by the server

  217. 	extendedMasterSecret bool                // Whether an extended master secret was used to generate the session

  218. }

  219. 

  220. // ClientSessionCache is a cache of ClientSessionState objects that can be used

  221. // by a client to resume a TLS session with a given server. ClientSessionCache

  222. // implementations should expect to be called concurrently from different

  223. // goroutines.

  224. type ClientSessionCache interface {

  225. 	// Get searches for a ClientSessionState associated with the given key.

  226. 	// On return, ok is true if one was found.

  227. 	Get(sessionKey string) (session *ClientSessionState, ok bool)

  228. 

  229. 	// Put adds the ClientSessionState to the cache with the given key.

  230. 	Put(sessionKey string, cs *ClientSessionState)

  231. }

  232. 

  233. // ServerSessionCache is a cache of sessionState objects that can be used by a

  234. // client to resume a TLS session with a given server. ServerSessionCache

  235. // implementations should expect to be called concurrently from different

  236. // goroutines.

  237. type ServerSessionCache interface {

  238. 	// Get searches for a sessionState associated with the given session

  239. 	// ID. On return, ok is true if one was found.

  240. 	Get(sessionId string) (session *sessionState, ok bool)

  241. 

  242. 	// Put adds the sessionState to the cache with the given session ID.

  243. 	Put(sessionId string, session *sessionState)

  244. }

  245. 

  246. // A Config structure is used to configure a TLS client or server.

  247. // After one has been passed to a TLS function it must not be

  248. // modified. A Config may be reused; the tls package will also not

  249. // modify it.

  250. type Config struct {

  251. 	// Rand provides the source of entropy for nonces and RSA blinding.

  252. 	// If Rand is nil, TLS uses the cryptographic random reader in package

  253. 	// crypto/rand.

  254. 	// The Reader must be safe for use by multiple goroutines.

  255. 	Rand io.Reader

  256. 

  257. 	// Time returns the current time as the number of seconds since the epoch.

  258. 	// If Time is nil, TLS uses time.Now.

  259. 	Time func() time.Time

  260. 

  261. 	// Certificates contains one or more certificate chains

  262. 	// to present to the other side of the connection.

  263. 	// Server configurations must include at least one certificate.

  264. 	Certificates []Certificate

  265. 

  266. 	// NameToCertificate maps from a certificate name to an element of

  267. 	// Certificates. Note that a certificate name can be of the form

  268. 	// '*.example.com' and so doesn't have to be a domain name as such.

  269. 	// See Config.BuildNameToCertificate

  270. 	// The nil value causes the first element of Certificates to be used

  271. 	// for all connections.

  272. 	NameToCertificate map[string]*Certificate

  273. 

  274. 	// RootCAs defines the set of root certificate authorities

  275. 	// that clients use when verifying server certificates.

  276. 	// If RootCAs is nil, TLS uses the host's root CA set.

  277. 	RootCAs *x509.CertPool

  278. 

  279. 	// NextProtos is a list of supported, application level protocols.

  280. 	NextProtos []string

  281. 

  282. 	// ServerName is used to verify the hostname on the returned

  283. 	// certificates unless InsecureSkipVerify is given. It is also included

  284. 	// in the client's handshake to support virtual hosting.

  285. 	ServerName string

  286. 

  287. 	// ClientAuth determines the server's policy for

  288. 	// TLS Client Authentication. The default is NoClientCert.

  289. 	ClientAuth ClientAuthType

  290. 

  291. 	// ClientCAs defines the set of root certificate authorities

  292. 	// that servers use if required to verify a client certificate

  293. 	// by the policy in ClientAuth.

  294. 	ClientCAs *x509.CertPool

  295. 

  296. 	// ClientCertificateTypes defines the set of allowed client certificate

  297. 	// types. The default is CertTypeRSASign and CertTypeECDSASign.

  298. 	ClientCertificateTypes []byte

  299. 

  300. 	// InsecureSkipVerify controls whether a client verifies the

  301. 	// server's certificate chain and host name.

  302. 	// If InsecureSkipVerify is true, TLS accepts any certificate

  303. 	// presented by the server and any host name in that certificate.

  304. 	// In this mode, TLS is susceptible to man-in-the-middle attacks.

  305. 	// This should be used only for testing.

  306. 	InsecureSkipVerify bool

  307. 

  308. 	// CipherSuites is a list of supported cipher suites. If CipherSuites

  309. 	// is nil, TLS uses a list of suites supported by the implementation.

  310. 	CipherSuites []uint16

  311. 

  312. 	// PreferServerCipherSuites controls whether the server selects the

  313. 	// client's most preferred ciphersuite, or the server's most preferred

  314. 	// ciphersuite. If true then the server's preference, as expressed in

  315. 	// the order of elements in CipherSuites, is used.

  316. 	PreferServerCipherSuites bool

  317. 

  318. 	// SessionTicketsDisabled may be set to true to disable session ticket

  319. 	// (resumption) support.

  320. 	SessionTicketsDisabled bool

  321. 

  322. 	// SessionTicketKey is used by TLS servers to provide session

  323. 	// resumption. See RFC 5077. If zero, it will be filled with

  324. 	// random data before the first server handshake.

  325. 	//

  326. 	// If multiple servers are terminating connections for the same host

  327. 	// they should all have the same SessionTicketKey. If the

  328. 	// SessionTicketKey leaks, previously recorded and future TLS

  329. 	// connections using that key are compromised.

  330. 	SessionTicketKey [32]byte

  331. 

  332. 	// ClientSessionCache is a cache of ClientSessionState entries

  333. 	// for TLS session resumption.

  334. 	ClientSessionCache ClientSessionCache

  335. 

  336. 	// ServerSessionCache is a cache of sessionState entries for TLS session

  337. 	// resumption.

  338. 	ServerSessionCache ServerSessionCache

  339. 

  340. 	// MinVersion contains the minimum SSL/TLS version that is acceptable.

  341. 	// If zero, then SSLv3 is taken as the minimum.

  342. 	MinVersion uint16

  343. 

  344. 	// MaxVersion contains the maximum SSL/TLS version that is acceptable.

  345. 	// If zero, then the maximum version supported by this package is used,

  346. 	// which is currently TLS 1.2.

  347. 	MaxVersion uint16

  348. 

  349. 	// CurvePreferences contains the elliptic curves that will be used in

  350. 	// an ECDHE handshake, in preference order. If empty, the default will

  351. 	// be used.

  352. 	CurvePreferences []CurveID

  353. 

  354. 	// ChannelID contains the ECDSA key for the client to use as

  355. 	// its TLS Channel ID.

  356. 	ChannelID *ecdsa.PrivateKey

  357. 

  358. 	// RequestChannelID controls whether the server requests a TLS

  359. 	// Channel ID. If negotiated, the client's public key is

  360. 	// returned in the ConnectionState.

  361. 	RequestChannelID bool

  362. 

  363. 	// PreSharedKey, if not nil, is the pre-shared key to use with

  364. 	// the PSK cipher suites.

  365. 	PreSharedKey []byte

  366. 

  367. 	// PreSharedKeyIdentity, if not empty, is the identity to use

  368. 	// with the PSK cipher suites.

  369. 	PreSharedKeyIdentity string

  370. 

  371. 	// SRTPProtectionProfiles, if not nil, is the list of SRTP

  372. 	// protection profiles to offer in DTLS-SRTP.

  373. 	SRTPProtectionProfiles []uint16

  374. 

  375. 	// SignatureAndHashes, if not nil, overrides the default set of

  376. 	// supported signature and hash algorithms to advertise in

  377. 	// CertificateRequest.

  378. 	SignatureAndHashes []signatureAndHash

  379. 

  380. 	// Bugs specifies optional misbehaviour to be used for testing other

  381. 	// implementations.

  382. 	Bugs ProtocolBugs

  383. 

  384. 	serverInitOnce sync.Once // guards calling (*Config).serverInit

  385. }

  386. 

  387. type BadValue int

  388. 

  389. const (

  390. 	BadValueNone BadValue = iota

  391. 	BadValueNegative

  392. 	BadValueZero

  393. 	BadValueLimit

  394. 	BadValueLarge

  395. 	NumBadValues

  396. )

  397. 

  398. type ProtocolBugs struct {

  399. 	// InvalidSKXSignature specifies that the signature in a

  400. 	// ServerKeyExchange message should be invalid.

  401. 	InvalidSKXSignature bool

  402. 

  403. 	// InvalidCertVerifySignature specifies that the signature in a

  404. 	// CertificateVerify message should be invalid.

  405. 	InvalidCertVerifySignature bool

  406. 

  407. 	// InvalidSKXCurve causes the curve ID in the ServerKeyExchange message

  408. 	// to be wrong.

  409. 	InvalidSKXCurve bool

  410. 

  411. 	// BadECDSAR controls ways in which the 'r' value of an ECDSA signature

  412. 	// can be invalid.

  413. 	BadECDSAR BadValue

  414. 	BadECDSAS BadValue

  415. 

  416. 	// MaxPadding causes CBC records to have the maximum possible padding.

  417. 	MaxPadding bool

  418. 	// PaddingFirstByteBad causes the first byte of the padding to be

  419. 	// incorrect.

  420. 	PaddingFirstByteBad bool

  421. 	// PaddingFirstByteBadIf255 causes the first byte of padding to be

  422. 	// incorrect if there's a maximum amount of padding (i.e. 255 bytes).

  423. 	PaddingFirstByteBadIf255 bool

  424. 

  425. 	// FailIfNotFallbackSCSV causes a server handshake to fail if the

  426. 	// client doesn't send the fallback SCSV value.

  427. 	FailIfNotFallbackSCSV bool

  428. 

  429. 	// DuplicateExtension causes an extra empty extension of bogus type to

  430. 	// be emitted in either the ClientHello or the ServerHello.

  431. 	DuplicateExtension bool

  432. 

  433. 	// UnauthenticatedECDH causes the server to pretend ECDHE_RSA

  434. 	// and ECDHE_ECDSA cipher suites are actually ECDH_anon. No

  435. 	// Certificate message is sent and no signature is added to

  436. 	// ServerKeyExchange.

  437. 	UnauthenticatedECDH bool

  438. 

  439. 	// SkipHelloVerifyRequest causes a DTLS server to skip the

  440. 	// HelloVerifyRequest message.

  441. 	SkipHelloVerifyRequest bool

  442. 

  443. 	// SkipCertificateStatus, if true, causes the server to skip the

  444. 	// CertificateStatus message. This is legal because CertificateStatus is

  445. 	// optional, even with a status_request in ServerHello.

  446. 	SkipCertificateStatus bool

  447. 

  448. 	// SkipServerKeyExchange causes the server to skip sending

  449. 	// ServerKeyExchange messages.

  450. 	SkipServerKeyExchange bool

  451. 

  452. 	// SkipNewSessionTicket causes the server to skip sending the

  453. 	// NewSessionTicket message despite promising to in ServerHello.

  454. 	SkipNewSessionTicket bool

  455. 

  456. 	// SkipChangeCipherSpec causes the implementation to skip

  457. 	// sending the ChangeCipherSpec message (and adjusting cipher

  458. 	// state accordingly for the Finished message).

  459. 	SkipChangeCipherSpec bool

  460. 

  461. 	// SkipFinished causes the implementation to skip sending the Finished

  462. 	// message.

  463. 	SkipFinished bool

  464. 

  465. 	// EarlyChangeCipherSpec causes the client to send an early

  466. 	// ChangeCipherSpec message before the ClientKeyExchange. A value of

  467. 	// zero disables this behavior. One and two configure variants for 0.9.8

  468. 	// and 1.0.1 modes, respectively.

  469. 	EarlyChangeCipherSpec int

  470. 

  471. 	// FragmentAcrossChangeCipherSpec causes the implementation to fragment

  472. 	// the Finished (or NextProto) message around the ChangeCipherSpec

  473. 	// messages.

  474. 	FragmentAcrossChangeCipherSpec bool

  475. 

  476. 	// SendV2ClientHello causes the client to send a V2ClientHello

  477. 	// instead of a normal ClientHello.

  478. 	SendV2ClientHello bool

  479. 

  480. 	// SendFallbackSCSV causes the client to include

  481. 	// TLS_FALLBACK_SCSV in the ClientHello.

  482. 	SendFallbackSCSV bool

  483. 

  484. 	// SendRenegotiationSCSV causes the client to include the renegotiation

  485. 	// SCSV in the ClientHello.

  486. 	SendRenegotiationSCSV bool

  487. 

  488. 	// MaxHandshakeRecordLength, if non-zero, is the maximum size of a

  489. 	// handshake record. Handshake messages will be split into multiple

  490. 	// records at the specified size, except that the client_version will

  491. 	// never be fragmented. For DTLS, it is the maximum handshake fragment

  492. 	// size, not record size; DTLS allows multiple handshake fragments in a

  493. 	// single handshake record. See |PackHandshakeFragments|.

  494. 	MaxHandshakeRecordLength int

  495. 

  496. 	// FragmentClientVersion will allow MaxHandshakeRecordLength to apply to

  497. 	// the first 6 bytes of the ClientHello.

  498. 	FragmentClientVersion bool

  499. 

  500. 	// FragmentAlert will cause all alerts to be fragmented across

  501. 	// two records.

  502. 	FragmentAlert bool

  503. 

  504. 	// SendSpuriousAlert, if non-zero, will cause an spurious, unwanted

  505. 	// alert to be sent.

  506. 	SendSpuriousAlert alert

  507. 

  508. 	// RsaClientKeyExchangeVersion, if non-zero, causes the client to send a

  509. 	// ClientKeyExchange with the specified version rather than the

  510. 	// client_version when performing the RSA key exchange.

  511. 	RsaClientKeyExchangeVersion uint16

  512. 

  513. 	// RenewTicketOnResume causes the server to renew the session ticket and

  514. 	// send a NewSessionTicket message during an abbreviated handshake.

  515. 	RenewTicketOnResume bool

  516. 

  517. 	// SendClientVersion, if non-zero, causes the client to send a different

  518. 	// TLS version in the ClientHello than the maximum supported version.

  519. 	SendClientVersion uint16

  520. 

  521. 	// ExpectFalseStart causes the server to, on full handshakes,

  522. 	// expect the peer to False Start; the server Finished message

  523. 	// isn't sent until we receive an application data record

  524. 	// from the peer.

  525. 	ExpectFalseStart bool

  526. 

  527. 	// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full

  528. 	// handshakes, send an alert just before reading the application data

  529. 	// record to test False Start. This can be used in a negative False

  530. 	// Start test to determine whether the peer processed the alert (and

  531. 	// closed the connection) before or after sending app data.

  532. 	AlertBeforeFalseStartTest alert

  533. 

  534. 	// SSL3RSAKeyExchange causes the client to always send an RSA

  535. 	// ClientKeyExchange message without the two-byte length

  536. 	// prefix, as if it were SSL3.

  537. 	SSL3RSAKeyExchange bool

  538. 

  539. 	// SkipCipherVersionCheck causes the server to negotiate

  540. 	// TLS 1.2 ciphers in earlier versions of TLS.

  541. 	SkipCipherVersionCheck bool

  542. 

  543. 	// ExpectServerName, if not empty, is the hostname the client

  544. 	// must specify in the server_name extension.

  545. 	ExpectServerName string

  546. 

  547. 	// SwapNPNAndALPN switches the relative order between NPN and

  548. 	// ALPN on the server. This is to test that server preference

  549. 	// of ALPN works regardless of their relative order.

  550. 	SwapNPNAndALPN bool

  551. 

  552. 	// ALPNProtocol, if not nil, sets the ALPN protocol that a server will

  553. 	// return.

  554. 	ALPNProtocol *string

  555. 

  556. 	// AllowSessionVersionMismatch causes the server to resume sessions

  557. 	// regardless of the version associated with the session.

  558. 	AllowSessionVersionMismatch bool

  559. 

  560. 	// CorruptTicket causes a client to corrupt a session ticket before

  561. 	// sending it in a resume handshake.

  562. 	CorruptTicket bool

  563. 

  564. 	// OversizedSessionId causes the session id that is sent with a ticket

  565. 	// resumption attempt to be too large (33 bytes).

  566. 	OversizedSessionId bool

  567. 

  568. 	// RequireExtendedMasterSecret, if true, requires that the peer support

  569. 	// the extended master secret option.

  570. 	RequireExtendedMasterSecret bool

  571. 

  572. 	// NoExtendedMasterSecret causes the client and server to behave as if

  573. 	// they didn't support an extended master secret.

  574. 	NoExtendedMasterSecret bool

  575. 

  576. 	// EmptyRenegotiationInfo causes the renegotiation extension to be

  577. 	// empty in a renegotiation handshake.

  578. 	EmptyRenegotiationInfo bool

  579. 

  580. 	// BadRenegotiationInfo causes the renegotiation extension value in a

  581. 	// renegotiation handshake to be incorrect.

  582. 	BadRenegotiationInfo bool

  583. 

  584. 	// NoRenegotiationInfo causes the client to behave as if it

  585. 	// didn't support the renegotiation info extension.

  586. 	NoRenegotiationInfo bool

  587. 

  588. 	// RequireRenegotiationInfo, if true, causes the client to return an

  589. 	// error if the server doesn't reply with the renegotiation extension.

  590. 	RequireRenegotiationInfo bool

  591. 

  592. 	// SequenceNumberMapping, if non-nil, is the mapping function to apply

  593. 	// to the sequence number of outgoing packets. For both TLS and DTLS,

  594. 	// the two most-significant bytes in the resulting sequence number are

  595. 	// ignored so that the DTLS epoch cannot be changed.

  596. 	SequenceNumberMapping func(uint64) uint64

  597. 

  598. 	// RSAEphemeralKey, if true, causes the server to send a

  599. 	// ServerKeyExchange message containing an ephemeral key (as in

  600. 	// RSA_EXPORT) in the plain RSA key exchange.

  601. 	RSAEphemeralKey bool

  602. 

  603. 	// SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the

  604. 	// client offers when negotiating SRTP. MKI support is still missing so

  605. 	// the peer must still send none.

  606. 	SRTPMasterKeyIdentifer string

  607. 

  608. 	// SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the

  609. 	// server sends in the ServerHello instead of the negotiated one.

  610. 	SendSRTPProtectionProfile uint16

  611. 

  612. 	// NoSignatureAndHashes, if true, causes the client to omit the

  613. 	// signature and hashes extension.

  614. 	//

  615. 	// For a server, it will cause an empty list to be sent in the

  616. 	// CertificateRequest message. None the less, the configured set will

  617. 	// still be enforced.

  618. 	NoSignatureAndHashes bool

  619. 

  620. 	// NoSupportedCurves, if true, causes the client to omit the

  621. 	// supported_curves extension.

  622. 	NoSupportedCurves bool

  623. 

  624. 	// RequireSameRenegoClientVersion, if true, causes the server

  625. 	// to require that all ClientHellos match in offered version

  626. 	// across a renego.

  627. 	RequireSameRenegoClientVersion bool

  628. 

  629. 	// ExpectInitialRecordVersion, if non-zero, is the expected

  630. 	// version of the records before the version is determined.

  631. 	ExpectInitialRecordVersion uint16

  632. 

  633. 	// MaxPacketLength, if non-zero, is the maximum acceptable size for a

  634. 	// packet.

  635. 	MaxPacketLength int

  636. 

  637. 	// SendCipherSuite, if non-zero, is the cipher suite value that the

  638. 	// server will send in the ServerHello. This does not affect the cipher

  639. 	// the server believes it has actually negotiated.

  640. 	SendCipherSuite uint16

  641. 

  642. 	// AppDataAfterChangeCipherSpec, if not null, causes application data to

  643. 	// be sent immediately after ChangeCipherSpec.

  644. 	AppDataAfterChangeCipherSpec []byte

  645. 

  646. 	// AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent

  647. 	// immediately after ChangeCipherSpec.

  648. 	AlertAfterChangeCipherSpec alert

  649. 

  650. 	// TimeoutSchedule is the schedule of packet drops and simulated

  651. 	// timeouts for before each handshake leg from the peer.

  652. 	TimeoutSchedule []time.Duration

  653. 

  654. 	// PacketAdaptor is the packetAdaptor to use to simulate timeouts.

  655. 	PacketAdaptor *packetAdaptor

  656. 

  657. 	// ReorderHandshakeFragments, if true, causes handshake fragments in

  658. 	// DTLS to overlap and be sent in the wrong order. It also causes

  659. 	// pre-CCS flights to be sent twice. (Post-CCS flights consist of

  660. 	// Finished and will trigger a spurious retransmit.)

  661. 	ReorderHandshakeFragments bool

  662. 

  663. 	// MixCompleteMessageWithFragments, if true, causes handshake

  664. 	// messages in DTLS to redundantly both fragment the message

  665. 	// and include a copy of the full one.

  666. 	MixCompleteMessageWithFragments bool

  667. 

  668. 	// SendInvalidRecordType, if true, causes a record with an invalid

  669. 	// content type to be sent immediately following the handshake.

  670. 	SendInvalidRecordType bool

  671. 

  672. 	// WrongCertificateMessageType, if true, causes Certificate message to

  673. 	// be sent with the wrong message type.

  674. 	WrongCertificateMessageType bool

  675. 

  676. 	// FragmentMessageTypeMismatch, if true, causes all non-initial

  677. 	// handshake fragments in DTLS to have the wrong message type.

  678. 	FragmentMessageTypeMismatch bool

  679. 

  680. 	// FragmentMessageLengthMismatch, if true, causes all non-initial

  681. 	// handshake fragments in DTLS to have the wrong message length.

  682. 	FragmentMessageLengthMismatch bool

  683. 

  684. 	// SplitFragments, if non-zero, causes the handshake fragments in DTLS

  685. 	// to be split across two records. The value of |SplitFragments| is the

  686. 	// number of bytes in the first fragment.

  687. 	SplitFragments int

  688. 

  689. 	// SendEmptyFragments, if true, causes handshakes to include empty

  690. 	// fragments in DTLS.

  691. 	SendEmptyFragments bool

  692. 

  693. 	// SendSplitAlert, if true, causes an alert to be sent with the header

  694. 	// and record body split across multiple packets. The peer should

  695. 	// discard these packets rather than process it.

  696. 	SendSplitAlert bool

  697. 

  698. 	// FailIfResumeOnRenego, if true, causes renegotiations to fail if the

  699. 	// client offers a resumption or the server accepts one.

  700. 	FailIfResumeOnRenego bool

  701. 

  702. 	// IgnorePeerCipherPreferences, if true, causes the peer's cipher

  703. 	// preferences to be ignored.

  704. 	IgnorePeerCipherPreferences bool

  705. 

  706. 	// IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's

  707. 	// signature algorithm preferences to be ignored.

  708. 	IgnorePeerSignatureAlgorithmPreferences bool

  709. 

  710. 	// IgnorePeerCurvePreferences, if true, causes the peer's curve

  711. 	// preferences to be ignored.

  712. 	IgnorePeerCurvePreferences bool

  713. 

  714. 	// BadFinished, if true, causes the Finished hash to be broken.

  715. 	BadFinished bool

  716. 

  717. 	// DHGroupPrime, if not nil, is used to define the (finite field)

  718. 	// Diffie-Hellman group. The generator used is always two.

  719. 	DHGroupPrime *big.Int

  720. 

  721. 	// PackHandshakeFragments, if true, causes handshake fragments to be

  722. 	// packed into individual handshake records, up to the specified record

  723. 	// size.

  724. 	PackHandshakeFragments int

  725. 

  726. 	// PackHandshakeRecords, if true, causes handshake records to be packed

  727. 	// into individual packets, up to the specified packet size.

  728. 	PackHandshakeRecords int

  729. 

  730. 	// EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS.

  731. 	EnableAllCiphersInDTLS bool

  732. 

  733. 	// EmptyCertificateList, if true, causes the server to send an empty

  734. 	// certificate list in the Certificate message.

  735. 	EmptyCertificateList bool

  736. 

  737. 	// ExpectNewTicket, if true, causes the client to abort if it does not

  738. 	// receive a new ticket.

  739. 	ExpectNewTicket bool

  740. 

  741. 	// RequireClientHelloSize, if not zero, is the required length in bytes

  742. 	// of the ClientHello /record/. This is checked by the server.

  743. 	RequireClientHelloSize int

  744. 

  745. 	// CustomExtension, if not empty, contains the contents of an extension

  746. 	// that will be added to client/server hellos.

  747. 	CustomExtension string

  748. 

  749. 	// ExpectedCustomExtension, if not nil, contains the expected contents

  750. 	// of a custom extension.

  751. 	ExpectedCustomExtension *string

  752. }

  753. 

  754. func (c *Config) serverInit() {

  755. 	if c.SessionTicketsDisabled {

  756. 		return

  757. 	}

  758. 

  759. 	// If the key has already been set then we have nothing to do.

  760. 	for _, b := range c.SessionTicketKey {

  761. 		if b != 0 {

  762. 			return

  763. 		}

  764. 	}

  765. 

  766. 	if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {

  767. 		c.SessionTicketsDisabled = true

  768. 	}

  769. }

  770. 

  771. func (c *Config) rand() io.Reader {

  772. 	r := c.Rand

  773. 	if r == nil {

  774. 		return rand.Reader

  775. 	}

  776. 	return r

  777. }

  778. 

  779. func (c *Config) time() time.Time {

  780. 	t := c.Time

  781. 	if t == nil {

  782. 		t = time.Now

  783. 	}

  784. 	return t()

  785. }

  786. 

  787. func (c *Config) cipherSuites() []uint16 {

  788. 	s := c.CipherSuites

  789. 	if s == nil {

  790. 		s = defaultCipherSuites()

  791. 	}

  792. 	return s

  793. }

  794. 

  795. func (c *Config) minVersion() uint16 {

  796. 	if c == nil || c.MinVersion == 0 {

  797. 		return minVersion

  798. 	}

  799. 	return c.MinVersion

  800. }

  801. 

  802. func (c *Config) maxVersion() uint16 {

  803. 	if c == nil || c.MaxVersion == 0 {

  804. 		return maxVersion

  805. 	}

  806. 	return c.MaxVersion

  807. }

  808. 

  809. var defaultCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}

  810. 

  811. func (c *Config) curvePreferences() []CurveID {

  812. 	if c == nil || len(c.CurvePreferences) == 0 {

  813. 		return defaultCurvePreferences

  814. 	}

  815. 	return c.CurvePreferences

  816. }

  817. 

  818. // mutualVersion returns the protocol version to use given the advertised

  819. // version of the peer.

  820. func (c *Config) mutualVersion(vers uint16) (uint16, bool) {

  821. 	minVersion := c.minVersion()

  822. 	maxVersion := c.maxVersion()

  823. 

  824. 	if vers < minVersion {

  825. 		return 0, false

  826. 	}

  827. 	if vers > maxVersion {

  828. 		vers = maxVersion

  829. 	}

  830. 	return vers, true

  831. }

  832. 

  833. // getCertificateForName returns the best certificate for the given name,

  834. // defaulting to the first element of c.Certificates if there are no good

  835. // options.

  836. func (c *Config) getCertificateForName(name string) *Certificate {

  837. 	if len(c.Certificates) == 1 || c.NameToCertificate == nil {

  838. 		// There's only one choice, so no point doing any work.

  839. 		return &c.Certificates[0]

  840. 	}

  841. 

  842. 	name = strings.ToLower(name)

  843. 	for len(name) > 0 && name[len(name)-1] == '.' {

  844. 		name = name[:len(name)-1]

  845. 	}

  846. 

  847. 	if cert, ok := c.NameToCertificate[name]; ok {

  848. 		return cert

  849. 	}

  850. 

  851. 	// try replacing labels in the name with wildcards until we get a

  852. 	// match.

  853. 	labels := strings.Split(name, ".")

  854. 	for i := range labels {

  855. 		labels[i] = "*"

  856. 		candidate := strings.Join(labels, ".")

  857. 		if cert, ok := c.NameToCertificate[candidate]; ok {

  858. 			return cert

  859. 		}

  860. 	}

  861. 

  862. 	// If nothing matches, return the first certificate.

  863. 	return &c.Certificates[0]

  864. }

  865. 

  866. func (c *Config) signatureAndHashesForServer() []signatureAndHash {

  867. 	if c != nil && c.SignatureAndHashes != nil {

  868. 		return c.SignatureAndHashes

  869. 	}

  870. 	return supportedClientCertSignatureAlgorithms

  871. }

  872. 

  873. func (c *Config) signatureAndHashesForClient() []signatureAndHash {

  874. 	if c != nil && c.SignatureAndHashes != nil {

  875. 		return c.SignatureAndHashes

  876. 	}

  877. 	return supportedSKXSignatureAlgorithms

  878. }

  879. 

  880. // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate

  881. // from the CommonName and SubjectAlternateName fields of each of the leaf

  882. // certificates.

  883. func (c *Config) BuildNameToCertificate() {

  884. 	c.NameToCertificate = make(map[string]*Certificate)

  885. 	for i := range c.Certificates {

  886. 		cert := &c.Certificates[i]

  887. 		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])

  888. 		if err != nil {

  889. 			continue

  890. 		}

  891. 		if len(x509Cert.Subject.CommonName) > 0 {

  892. 			c.NameToCertificate[x509Cert.Subject.CommonName] = cert

  893. 		}

  894. 		for _, san := range x509Cert.DNSNames {

  895. 			c.NameToCertificate[san] = cert

  896. 		}

  897. 	}

  898. }

  899. 

  900. // A Certificate is a chain of one or more certificates, leaf first.

  901. type Certificate struct {

  902. 	Certificate [][]byte

  903. 	PrivateKey  crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey

  904. 	// OCSPStaple contains an optional OCSP response which will be served

  905. 	// to clients that request it.

  906. 	OCSPStaple []byte

  907. 	// SignedCertificateTimestampList contains an optional encoded

  908. 	// SignedCertificateTimestampList structure which will be

  909. 	// served to clients that request it.

  910. 	SignedCertificateTimestampList []byte

  911. 	// Leaf is the parsed form of the leaf certificate, which may be

  912. 	// initialized using x509.ParseCertificate to reduce per-handshake

  913. 	// processing for TLS clients doing client authentication. If nil, the

  914. 	// leaf certificate will be parsed as needed.

  915. 	Leaf *x509.Certificate

  916. }

  917. 

  918. // A TLS record.

  919. type record struct {

  920. 	contentType  recordType

  921. 	major, minor uint8

  922. 	payload      []byte

  923. }

  924. 

  925. type handshakeMessage interface {

  926. 	marshal() []byte

  927. 	unmarshal([]byte) bool

  928. }

  929. 

  930. // lruSessionCache is a client or server session cache implementation

  931. // that uses an LRU caching strategy.

  932. type lruSessionCache struct {

  933. 	sync.Mutex

  934. 

  935. 	m        map[string]*list.Element

  936. 	q        *list.List

  937. 	capacity int

  938. }

  939. 

  940. type lruSessionCacheEntry struct {

  941. 	sessionKey string

  942. 	state      interface{}

  943. }

  944. 

  945. // Put adds the provided (sessionKey, cs) pair to the cache.

  946. func (c *lruSessionCache) Put(sessionKey string, cs interface{}) {

  947. 	c.Lock()

  948. 	defer c.Unlock()

  949. 

  950. 	if elem, ok := c.m[sessionKey]; ok {

  951. 		entry := elem.Value.(*lruSessionCacheEntry)

  952. 		entry.state = cs

  953. 		c.q.MoveToFront(elem)

  954. 		return

  955. 	}

  956. 

  957. 	if c.q.Len() < c.capacity {

  958. 		entry := &lruSessionCacheEntry{sessionKey, cs}

  959. 		c.m[sessionKey] = c.q.PushFront(entry)

  960. 		return

  961. 	}

  962. 

  963. 	elem := c.q.Back()

  964. 	entry := elem.Value.(*lruSessionCacheEntry)

  965. 	delete(c.m, entry.sessionKey)

  966. 	entry.sessionKey = sessionKey

  967. 	entry.state = cs

  968. 	c.q.MoveToFront(elem)

  969. 	c.m[sessionKey] = elem

  970. }

  971. 

  972. // Get returns the value associated with a given key. It returns (nil,

  973. // false) if no value is found.

  974. func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) {

  975. 	c.Lock()

  976. 	defer c.Unlock()

  977. 

  978. 	if elem, ok := c.m[sessionKey]; ok {

  979. 		c.q.MoveToFront(elem)

  980. 		return elem.Value.(*lruSessionCacheEntry).state, true

  981. 	}

  982. 	return nil, false

  983. }

  984. 

  985. // lruClientSessionCache is a ClientSessionCache implementation that

  986. // uses an LRU caching strategy.

  987. type lruClientSessionCache struct {

  988. 	lruSessionCache

  989. }

  990. 

  991. func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) {

  992. 	c.lruSessionCache.Put(sessionKey, cs)

  993. }

  994. 

  995. func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {

  996. 	cs, ok := c.lruSessionCache.Get(sessionKey)

  997. 	if !ok {

  998. 		return nil, false

  999. 	}

  1000. 	return cs.(*ClientSessionState), true

  1001. }

  1002. 

  1003. // lruServerSessionCache is a ServerSessionCache implementation that

  1004. // uses an LRU caching strategy.

  1005. type lruServerSessionCache struct {

  1006. 	lruSessionCache

  1007. }

  1008. 

  1009. func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) {

  1010. 	c.lruSessionCache.Put(sessionId, session)

  1011. }

  1012. 

  1013. func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) {

  1014. 	cs, ok := c.lruSessionCache.Get(sessionId)

  1015. 	if !ok {

  1016. 		return nil, false

  1017. 	}

  1018. 	return cs.(*sessionState), true

  1019. }

  1020. 

  1021. // NewLRUClientSessionCache returns a ClientSessionCache with the given

  1022. // capacity that uses an LRU strategy. If capacity is < 1, a default capacity

  1023. // is used instead.

  1024. func NewLRUClientSessionCache(capacity int) ClientSessionCache {

  1025. 	const defaultSessionCacheCapacity = 64

  1026. 

  1027. 	if capacity < 1 {

  1028. 		capacity = defaultSessionCacheCapacity

  1029. 	}

  1030. 	return &lruClientSessionCache{

  1031. 		lruSessionCache{

  1032. 			m:        make(map[string]*list.Element),

  1033. 			q:        list.New(),

  1034. 			capacity: capacity,

  1035. 		},

  1036. 	}

  1037. }

  1038. 

  1039. // NewLRUServerSessionCache returns a ServerSessionCache with the given

  1040. // capacity that uses an LRU strategy. If capacity is < 1, a default capacity

  1041. // is used instead.

  1042. func NewLRUServerSessionCache(capacity int) ServerSessionCache {

  1043. 	const defaultSessionCacheCapacity = 64

  1044. 

  1045. 	if capacity < 1 {

  1046. 		capacity = defaultSessionCacheCapacity

  1047. 	}

  1048. 	return &lruServerSessionCache{

  1049. 		lruSessionCache{

  1050. 			m:        make(map[string]*list.Element),

  1051. 			q:        list.New(),

  1052. 			capacity: capacity,

  1053. 		},

  1054. 	}

  1055. }

  1056. 

  1057. // TODO(jsing): Make these available to both crypto/x509 and crypto/tls.

  1058. type dsaSignature struct {

  1059. 	R, S *big.Int

  1060. }

  1061. 

  1062. type ecdsaSignature dsaSignature

  1063. 

  1064. var emptyConfig Config

  1065. 

  1066. func defaultConfig() *Config {

  1067. 	return &emptyConfig

  1068. }

  1069. 

  1070. var (

  1071. 	once                   sync.Once

  1072. 	varDefaultCipherSuites []uint16

  1073. )

  1074. 

  1075. func defaultCipherSuites() []uint16 {

  1076. 	once.Do(initDefaultCipherSuites)

  1077. 	return varDefaultCipherSuites

  1078. }

  1079. 

  1080. func initDefaultCipherSuites() {

  1081. 	for _, suite := range cipherSuites {

  1082. 		if suite.flags&suitePSK == 0 {

  1083. 			varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)

  1084. 		}

  1085. 	}

  1086. }

  1087. 

  1088. func unexpectedMessageError(wanted, got interface{}) error {

  1089. 	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)

  1090. }

  1091. 

  1092. func isSupportedSignatureAndHash(sigHash signatureAndHash, sigHashes []signatureAndHash) bool {

  1093. 	for _, s := range sigHashes {

  1094. 		if s == sigHash {

  1095. 			return true

  1096. 		}

  1097. 	}

  1098. 	return false

  1099. }