1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package runner 6 7 import ( 8 "container/list" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/rand" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "math/big" 16 "strings" 17 "sync" 18 "time" 19 ) 20 21 const ( 22 VersionSSL30 = 0x0300 23 VersionTLS10 = 0x0301 24 VersionTLS11 = 0x0302 25 VersionTLS12 = 0x0303 26 VersionTLS13 = 0x0304 27 ) 28 29 const ( 30 VersionDTLS10 = 0xfeff 31 VersionDTLS12 = 0xfefd 32 ) 33 34 // A draft version of TLS 1.3 that is sent over the wire for the current draft. 35 const ( 36 tls13DraftVersion = 0x7f12 37 tls13ExperimentVersion = 0x7e01 38 tls13RecordTypeExperimentVersion = 0x7a12 39 ) 40 41 const ( 42 TLS13Default = 0 43 TLS13Experiment = 1 44 TLS13RecordTypeExperiment = 2 45 ) 46 47 var allTLSWireVersions = []uint16{ 48 tls13DraftVersion, 49 tls13ExperimentVersion, 50 tls13RecordTypeExperimentVersion, 51 VersionTLS12, 52 VersionTLS11, 53 VersionTLS10, 54 VersionSSL30, 55 } 56 57 var allDTLSWireVersions = []uint16{ 58 VersionDTLS12, 59 VersionDTLS10, 60 } 61 62 const ( 63 maxPlaintext = 16384 // maximum plaintext payload length 64 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length 65 tlsRecordHeaderLen = 5 // record header length 66 dtlsRecordHeaderLen = 13 67 maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) 68 69 minVersion = VersionSSL30 70 maxVersion = VersionTLS13 71 ) 72 73 // TLS record types. 74 type recordType uint8 75 76 const ( 77 recordTypeChangeCipherSpec recordType = 20 78 recordTypeAlert recordType = 21 79 recordTypeHandshake recordType = 22 80 recordTypeApplicationData recordType = 23 81 recordTypePlaintextHandshake recordType = 24 82 ) 83 84 // TLS handshake message types. 85 const ( 86 typeHelloRequest uint8 = 0 87 typeClientHello uint8 = 1 88 typeServerHello uint8 = 2 89 typeHelloVerifyRequest uint8 = 3 90 typeNewSessionTicket uint8 = 4 91 typeHelloRetryRequest uint8 = 6 // draft-ietf-tls-tls13-16 92 typeEncryptedExtensions uint8 = 8 // draft-ietf-tls-tls13-16 93 typeCertificate uint8 = 11 94 typeServerKeyExchange uint8 = 12 95 typeCertificateRequest uint8 = 13 96 typeServerHelloDone uint8 = 14 97 typeCertificateVerify uint8 = 15 98 typeClientKeyExchange uint8 = 16 99 typeFinished uint8 = 20 100 typeCertificateStatus uint8 = 22 101 typeKeyUpdate uint8 = 24 // draft-ietf-tls-tls13-16 102 typeNextProtocol uint8 = 67 // Not IANA assigned 103 typeChannelID uint8 = 203 // Not IANA assigned 104 ) 105 106 // TLS compression types. 107 const ( 108 compressionNone uint8 = 0 109 ) 110 111 // TLS extension numbers 112 const ( 113 extensionServerName uint16 = 0 114 extensionStatusRequest uint16 = 5 115 extensionSupportedCurves uint16 = 10 116 extensionSupportedPoints uint16 = 11 117 extensionSignatureAlgorithms uint16 = 13 118 extensionUseSRTP uint16 = 14 119 extensionALPN uint16 = 16 120 extensionSignedCertificateTimestamp uint16 = 18 121 extensionExtendedMasterSecret uint16 = 23 122 extensionSessionTicket uint16 = 35 123 extensionKeyShare uint16 = 40 // draft-ietf-tls-tls13-16 124 extensionPreSharedKey uint16 = 41 // draft-ietf-tls-tls13-16 125 extensionEarlyData uint16 = 42 // draft-ietf-tls-tls13-16 126 extensionSupportedVersions uint16 = 43 // draft-ietf-tls-tls13-16 127 extensionCookie uint16 = 44 // draft-ietf-tls-tls13-16 128 extensionPSKKeyExchangeModes uint16 = 45 // draft-ietf-tls-tls13-18 129 extensionTicketEarlyDataInfo uint16 = 46 // draft-ietf-tls-tls13-18 130 extensionCustom uint16 = 1234 // not IANA assigned 131 extensionNextProtoNeg uint16 = 13172 // not IANA assigned 132 extensionRenegotiationInfo uint16 = 0xff01 133 extensionChannelID uint16 = 30032 // not IANA assigned 134 ) 135 136 // TLS signaling cipher suite values 137 const ( 138 scsvRenegotiation uint16 = 0x00ff 139 ) 140 141 // CurveID is the type of a TLS identifier for an elliptic curve. See 142 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 143 type CurveID uint16 144 145 const ( 146 CurveP224 CurveID = 21 147 CurveP256 CurveID = 23 148 CurveP384 CurveID = 24 149 CurveP521 CurveID = 25 150 CurveX25519 CurveID = 29 151 ) 152 153 // TLS Elliptic Curve Point Formats 154 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 155 const ( 156 pointFormatUncompressed uint8 = 0 157 pointFormatCompressedPrime uint8 = 1 158 ) 159 160 // TLS CertificateStatusType (RFC 3546) 161 const ( 162 statusTypeOCSP uint8 = 1 163 ) 164 165 // Certificate types (for certificateRequestMsg) 166 const ( 167 CertTypeRSASign = 1 // A certificate containing an RSA key 168 CertTypeDSSSign = 2 // A certificate containing a DSA key 169 CertTypeRSAFixedDH = 3 // A certificate containing a static DH key 170 CertTypeDSSFixedDH = 4 // A certificate containing a static DH key 171 172 // See RFC4492 sections 3 and 5.5. 173 CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. 174 CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. 175 CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. 176 177 // Rest of these are reserved by the TLS spec 178 ) 179 180 // signatureAlgorithm corresponds to a SignatureScheme value from TLS 1.3. Note 181 // that TLS 1.3 names the production 'SignatureScheme' to avoid colliding with 182 // TLS 1.2's SignatureAlgorithm but otherwise refers to them as 'signature 183 // algorithms' throughout. We match the latter. 184 type signatureAlgorithm uint16 185 186 const ( 187 // RSASSA-PKCS1-v1_5 algorithms 188 signatureRSAPKCS1WithMD5 signatureAlgorithm = 0x0101 189 signatureRSAPKCS1WithSHA1 signatureAlgorithm = 0x0201 190 signatureRSAPKCS1WithSHA256 signatureAlgorithm = 0x0401 191 signatureRSAPKCS1WithSHA384 signatureAlgorithm = 0x0501 192 signatureRSAPKCS1WithSHA512 signatureAlgorithm = 0x0601 193 194 // ECDSA algorithms 195 signatureECDSAWithSHA1 signatureAlgorithm = 0x0203 196 signatureECDSAWithP256AndSHA256 signatureAlgorithm = 0x0403 197 signatureECDSAWithP384AndSHA384 signatureAlgorithm = 0x0503 198 signatureECDSAWithP521AndSHA512 signatureAlgorithm = 0x0603 199 200 // RSASSA-PSS algorithms 201 signatureRSAPSSWithSHA256 signatureAlgorithm = 0x0804 202 signatureRSAPSSWithSHA384 signatureAlgorithm = 0x0805 203 signatureRSAPSSWithSHA512 signatureAlgorithm = 0x0806 204 205 // EdDSA algorithms 206 signatureEd25519 signatureAlgorithm = 0x0807 207 signatureEd448 signatureAlgorithm = 0x0808 208 ) 209 210 // supportedSignatureAlgorithms contains the default supported signature 211 // algorithms. 212 var supportedSignatureAlgorithms = []signatureAlgorithm{ 213 signatureRSAPSSWithSHA256, 214 signatureRSAPKCS1WithSHA256, 215 signatureECDSAWithP256AndSHA256, 216 signatureRSAPKCS1WithSHA1, 217 signatureECDSAWithSHA1, 218 signatureEd25519, 219 } 220 221 // SRTP protection profiles (See RFC 5764, section 4.1.2) 222 const ( 223 SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 224 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 225 ) 226 227 // PskKeyExchangeMode values (see draft-ietf-tls-tls13-16) 228 const ( 229 pskKEMode = 0 230 pskDHEKEMode = 1 231 ) 232 233 // KeyUpdateRequest values (see draft-ietf-tls-tls13-16, section 4.5.3) 234 const ( 235 keyUpdateNotRequested = 0 236 keyUpdateRequested = 1 237 ) 238 239 // ConnectionState records basic TLS details about the connection. 240 type ConnectionState struct { 241 Version uint16 // TLS version used by the connection (e.g. VersionTLS12) 242 HandshakeComplete bool // TLS handshake is complete 243 DidResume bool // connection resumes a previous TLS connection 244 CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) 245 NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) 246 NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server 247 NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN 248 ServerName string // server name requested by client, if any (server side only) 249 PeerCertificates []*x509.Certificate // certificate chain presented by remote peer 250 VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates 251 ChannelID *ecdsa.PublicKey // the channel ID for this connection 252 SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile 253 TLSUnique []byte // the tls-unique channel binding 254 SCTList []byte // signed certificate timestamp list 255 PeerSignatureAlgorithm signatureAlgorithm // algorithm used by the peer in the handshake 256 CurveID CurveID // the curve used in ECDHE 257 } 258 259 // ClientAuthType declares the policy the server will follow for 260 // TLS Client Authentication. 261 type ClientAuthType int 262 263 const ( 264 NoClientCert ClientAuthType = iota 265 RequestClientCert 266 RequireAnyClientCert 267 VerifyClientCertIfGiven 268 RequireAndVerifyClientCert 269 ) 270 271 // ClientSessionState contains the state needed by clients to resume TLS 272 // sessions. 273 type ClientSessionState struct { 274 sessionId []uint8 // Session ID supplied by the server. nil if the session has a ticket. 275 sessionTicket []uint8 // Encrypted ticket used for session resumption with server 276 vers uint16 // SSL/TLS version negotiated for the session 277 cipherSuite uint16 // Ciphersuite negotiated for the session 278 masterSecret []byte // MasterSecret generated by client on a full handshake 279 handshakeHash []byte // Handshake hash for Channel ID purposes. 280 serverCertificates []*x509.Certificate // Certificate chain presented by the server 281 extendedMasterSecret bool // Whether an extended master secret was used to generate the session 282 sctList []byte 283 ocspResponse []byte 284 earlyALPN string 285 ticketCreationTime time.Time 286 ticketExpiration time.Time 287 ticketAgeAdd uint32 288 maxEarlyDataSize uint32 289 } 290 291 // ClientSessionCache is a cache of ClientSessionState objects that can be used 292 // by a client to resume a TLS session with a given server. ClientSessionCache 293 // implementations should expect to be called concurrently from different 294 // goroutines. 295 type ClientSessionCache interface { 296 // Get searches for a ClientSessionState associated with the given key. 297 // On return, ok is true if one was found. 298 Get(sessionKey string) (session *ClientSessionState, ok bool) 299 300 // Put adds the ClientSessionState to the cache with the given key. 301 Put(sessionKey string, cs *ClientSessionState) 302 } 303 304 // ServerSessionCache is a cache of sessionState objects that can be used by a 305 // client to resume a TLS session with a given server. ServerSessionCache 306 // implementations should expect to be called concurrently from different 307 // goroutines. 308 type ServerSessionCache interface { 309 // Get searches for a sessionState associated with the given session 310 // ID. On return, ok is true if one was found. 311 Get(sessionId string) (session *sessionState, ok bool) 312 313 // Put adds the sessionState to the cache with the given session ID. 314 Put(sessionId string, session *sessionState) 315 } 316 317 // A Config structure is used to configure a TLS client or server. 318 // After one has been passed to a TLS function it must not be 319 // modified. A Config may be reused; the tls package will also not 320 // modify it. 321 type Config struct { 322 // Rand provides the source of entropy for nonces and RSA blinding. 323 // If Rand is nil, TLS uses the cryptographic random reader in package 324 // crypto/rand. 325 // The Reader must be safe for use by multiple goroutines. 326 Rand io.Reader 327 328 // Time returns the current time as the number of seconds since the epoch. 329 // If Time is nil, TLS uses time.Now. 330 Time func() time.Time 331 332 // Certificates contains one or more certificate chains 333 // to present to the other side of the connection. 334 // Server configurations must include at least one certificate. 335 Certificates []Certificate 336 337 // NameToCertificate maps from a certificate name to an element of 338 // Certificates. Note that a certificate name can be of the form 339 // '*.example.com' and so doesn't have to be a domain name as such. 340 // See Config.BuildNameToCertificate 341 // The nil value causes the first element of Certificates to be used 342 // for all connections. 343 NameToCertificate map[string]*Certificate 344 345 // RootCAs defines the set of root certificate authorities 346 // that clients use when verifying server certificates. 347 // If RootCAs is nil, TLS uses the host's root CA set. 348 RootCAs *x509.CertPool 349 350 // NextProtos is a list of supported, application level protocols. 351 NextProtos []string 352 353 // ServerName is used to verify the hostname on the returned 354 // certificates unless InsecureSkipVerify is given. It is also included 355 // in the client's handshake to support virtual hosting. 356 ServerName string 357 358 // ClientAuth determines the server's policy for 359 // TLS Client Authentication. The default is NoClientCert. 360 ClientAuth ClientAuthType 361 362 // ClientCAs defines the set of root certificate authorities 363 // that servers use if required to verify a client certificate 364 // by the policy in ClientAuth. 365 ClientCAs *x509.CertPool 366 367 // ClientCertificateTypes defines the set of allowed client certificate 368 // types. The default is CertTypeRSASign and CertTypeECDSASign. 369 ClientCertificateTypes []byte 370 371 // InsecureSkipVerify controls whether a client verifies the 372 // server's certificate chain and host name. 373 // If InsecureSkipVerify is true, TLS accepts any certificate 374 // presented by the server and any host name in that certificate. 375 // In this mode, TLS is susceptible to man-in-the-middle attacks. 376 // This should be used only for testing. 377 InsecureSkipVerify bool 378 379 // CipherSuites is a list of supported cipher suites. If CipherSuites 380 // is nil, TLS uses a list of suites supported by the implementation. 381 CipherSuites []uint16 382 383 // PreferServerCipherSuites controls whether the server selects the 384 // client's most preferred ciphersuite, or the server's most preferred 385 // ciphersuite. If true then the server's preference, as expressed in 386 // the order of elements in CipherSuites, is used. 387 PreferServerCipherSuites bool 388 389 // SessionTicketsDisabled may be set to true to disable session ticket 390 // (resumption) support. 391 SessionTicketsDisabled bool 392 393 // SessionTicketKey is used by TLS servers to provide session 394 // resumption. See RFC 5077. If zero, it will be filled with 395 // random data before the first server handshake. 396 // 397 // If multiple servers are terminating connections for the same host 398 // they should all have the same SessionTicketKey. If the 399 // SessionTicketKey leaks, previously recorded and future TLS 400 // connections using that key are compromised. 401 SessionTicketKey [32]byte 402 403 // ClientSessionCache is a cache of ClientSessionState entries 404 // for TLS session resumption. 405 ClientSessionCache ClientSessionCache 406 407 // ServerSessionCache is a cache of sessionState entries for TLS session 408 // resumption. 409 ServerSessionCache ServerSessionCache 410 411 // MinVersion contains the minimum SSL/TLS version that is acceptable. 412 // If zero, then SSLv3 is taken as the minimum. 413 MinVersion uint16 414 415 // MaxVersion contains the maximum SSL/TLS version that is acceptable. 416 // If zero, then the maximum version supported by this package is used, 417 // which is currently TLS 1.2. 418 MaxVersion uint16 419 420 // TLS13Variant is the variant of TLS 1.3 to use. 421 TLS13Variant int 422 423 // CurvePreferences contains the elliptic curves that will be used in 424 // an ECDHE handshake, in preference order. If empty, the default will 425 // be used. 426 CurvePreferences []CurveID 427 428 // DefaultCurves contains the elliptic curves for which public values will 429 // be sent in the ClientHello's KeyShare extension. If this value is nil, 430 // all supported curves will have public values sent. This field is ignored 431 // on servers. 432 DefaultCurves []CurveID 433 434 // ChannelID contains the ECDSA key for the client to use as 435 // its TLS Channel ID. 436 ChannelID *ecdsa.PrivateKey 437 438 // RequestChannelID controls whether the server requests a TLS 439 // Channel ID. If negotiated, the client's public key is 440 // returned in the ConnectionState. 441 RequestChannelID bool 442 443 // PreSharedKey, if not nil, is the pre-shared key to use with 444 // the PSK cipher suites. 445 PreSharedKey []byte 446 447 // PreSharedKeyIdentity, if not empty, is the identity to use 448 // with the PSK cipher suites. 449 PreSharedKeyIdentity string 450 451 // MaxEarlyDataSize controls the maximum number of bytes that the 452 // server will accept in early data and advertise in a 453 // NewSessionTicketMsg. If 0, no early data will be accepted and 454 // the TicketEarlyDataInfo extension in the NewSessionTicketMsg 455 // will be omitted. 456 MaxEarlyDataSize uint32 457 458 // SRTPProtectionProfiles, if not nil, is the list of SRTP 459 // protection profiles to offer in DTLS-SRTP. 460 SRTPProtectionProfiles []uint16 461 462 // SignSignatureAlgorithms, if not nil, overrides the default set of 463 // supported signature algorithms to sign with. 464 SignSignatureAlgorithms []signatureAlgorithm 465 466 // VerifySignatureAlgorithms, if not nil, overrides the default set of 467 // supported signature algorithms that are accepted. 468 VerifySignatureAlgorithms []signatureAlgorithm 469 470 // Bugs specifies optional misbehaviour to be used for testing other 471 // implementations. 472 Bugs ProtocolBugs 473 474 serverInitOnce sync.Once // guards calling (*Config).serverInit 475 } 476 477 type BadValue int 478 479 const ( 480 BadValueNone BadValue = iota 481 BadValueNegative 482 BadValueZero 483 BadValueLimit 484 BadValueLarge 485 NumBadValues 486 ) 487 488 type RSABadValue int 489 490 const ( 491 RSABadValueNone RSABadValue = iota 492 RSABadValueCorrupt 493 RSABadValueTooLong 494 RSABadValueTooShort 495 RSABadValueWrongVersion 496 NumRSABadValues 497 ) 498 499 type ProtocolBugs struct { 500 // InvalidSignature specifies that the signature in a ServerKeyExchange 501 // or CertificateVerify message should be invalid. 502 InvalidSignature bool 503 504 // SendCurve, if non-zero, causes the server to send the specified curve 505 // ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather 506 // than the negotiated one. 507 SendCurve CurveID 508 509 // InvalidECDHPoint, if true, causes the ECC points in 510 // ServerKeyExchange or ClientKeyExchange messages to be invalid. 511 InvalidECDHPoint bool 512 513 // BadECDSAR controls ways in which the 'r' value of an ECDSA signature 514 // can be invalid. 515 BadECDSAR BadValue 516 BadECDSAS BadValue 517 518 // MaxPadding causes CBC records to have the maximum possible padding. 519 MaxPadding bool 520 // PaddingFirstByteBad causes the first byte of the padding to be 521 // incorrect. 522 PaddingFirstByteBad bool 523 // PaddingFirstByteBadIf255 causes the first byte of padding to be 524 // incorrect if there's a maximum amount of padding (i.e. 255 bytes). 525 PaddingFirstByteBadIf255 bool 526 527 // FailIfNotFallbackSCSV causes a server handshake to fail if the 528 // client doesn't send the fallback SCSV value. 529 FailIfNotFallbackSCSV bool 530 531 // DuplicateExtension causes an extra empty extension of bogus type to 532 // be emitted in either the ClientHello or the ServerHello. 533 DuplicateExtension bool 534 535 // UnauthenticatedECDH causes the server to pretend ECDHE_RSA 536 // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No 537 // Certificate message is sent and no signature is added to 538 // ServerKeyExchange. 539 UnauthenticatedECDH bool 540 541 // SkipHelloVerifyRequest causes a DTLS server to skip the 542 // HelloVerifyRequest message. 543 SkipHelloVerifyRequest bool 544 545 // SkipCertificateStatus, if true, causes the server to skip the 546 // CertificateStatus message. This is legal because CertificateStatus is 547 // optional, even with a status_request in ServerHello. 548 SkipCertificateStatus bool 549 550 // SkipServerKeyExchange causes the server to skip sending 551 // ServerKeyExchange messages. 552 SkipServerKeyExchange bool 553 554 // SkipNewSessionTicket causes the server to skip sending the 555 // NewSessionTicket message despite promising to in ServerHello. 556 SkipNewSessionTicket bool 557 558 // SkipClientCertificate causes the client to skip the Certificate 559 // message. 560 SkipClientCertificate bool 561 562 // SkipChangeCipherSpec causes the implementation to skip 563 // sending the ChangeCipherSpec message (and adjusting cipher 564 // state accordingly for the Finished message). 565 SkipChangeCipherSpec bool 566 567 // SkipFinished causes the implementation to skip sending the Finished 568 // message. 569 SkipFinished bool 570 571 // SkipEndOfEarlyData causes the implementation to skip the 572 // end_of_early_data alert. 573 SkipEndOfEarlyData bool 574 575 // EarlyChangeCipherSpec causes the client to send an early 576 // ChangeCipherSpec message before the ClientKeyExchange. A value of 577 // zero disables this behavior. One and two configure variants for 0.9.8 578 // and 1.0.1 modes, respectively. 579 EarlyChangeCipherSpec int 580 581 // StrayChangeCipherSpec causes every pre-ChangeCipherSpec handshake 582 // message in DTLS to be prefaced by stray ChangeCipherSpec record. This 583 // may be used to test DTLS's handling of reordered ChangeCipherSpec. 584 StrayChangeCipherSpec bool 585 586 // FragmentAcrossChangeCipherSpec causes the implementation to fragment 587 // the Finished (or NextProto) message around the ChangeCipherSpec 588 // messages. 589 FragmentAcrossChangeCipherSpec bool 590 591 // SendUnencryptedFinished, if true, causes the Finished message to be 592 // send unencrypted before ChangeCipherSpec rather than after it. 593 SendUnencryptedFinished bool 594 595 // PartialEncryptedExtensionsWithServerHello, if true, causes the TLS 596 // 1.3 server to send part of EncryptedExtensions unencrypted 597 // in the same record as ServerHello. 598 PartialEncryptedExtensionsWithServerHello bool 599 600 // PartialClientFinishedWithClientHello, if true, causes the TLS 1.3 601 // client to send part of Finished unencrypted in the same record as 602 // ClientHello. 603 PartialClientFinishedWithClientHello bool 604 605 // SendV2ClientHello causes the client to send a V2ClientHello 606 // instead of a normal ClientHello. 607 SendV2ClientHello bool 608 609 // SendFallbackSCSV causes the client to include 610 // TLS_FALLBACK_SCSV in the ClientHello. 611 SendFallbackSCSV bool 612 613 // SendRenegotiationSCSV causes the client to include the renegotiation 614 // SCSV in the ClientHello. 615 SendRenegotiationSCSV bool 616 617 // MaxHandshakeRecordLength, if non-zero, is the maximum size of a 618 // handshake record. Handshake messages will be split into multiple 619 // records at the specified size, except that the client_version will 620 // never be fragmented. For DTLS, it is the maximum handshake fragment 621 // size, not record size; DTLS allows multiple handshake fragments in a 622 // single handshake record. See |PackHandshakeFragments|. 623 MaxHandshakeRecordLength int 624 625 // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to 626 // the first 6 bytes of the ClientHello. 627 FragmentClientVersion bool 628 629 // FragmentAlert will cause all alerts to be fragmented across 630 // two records. 631 FragmentAlert bool 632 633 // DoubleAlert will cause all alerts to be sent as two copies packed 634 // within one record. 635 DoubleAlert bool 636 637 // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted 638 // alert to be sent. 639 SendSpuriousAlert alert 640 641 // BadRSAClientKeyExchange causes the client to send a corrupted RSA 642 // ClientKeyExchange which would not pass padding checks. 643 BadRSAClientKeyExchange RSABadValue 644 645 // RenewTicketOnResume causes the server to renew the session ticket and 646 // send a NewSessionTicket message during an abbreviated handshake. 647 RenewTicketOnResume bool 648 649 // SendClientVersion, if non-zero, causes the client to send the 650 // specified value in the ClientHello version field. 651 SendClientVersion uint16 652 653 // OmitSupportedVersions, if true, causes the client to omit the 654 // supported versions extension. 655 OmitSupportedVersions bool 656 657 // SendSupportedVersions, if non-empty, causes the client to send a 658 // supported versions extension with the values from array. 659 SendSupportedVersions []uint16 660 661 // NegotiateVersion, if non-zero, causes the server to negotiate the 662 // specifed wire version rather than the version supported by either 663 // peer. 664 NegotiateVersion uint16 665 666 // NegotiateVersionOnRenego, if non-zero, causes the server to negotiate 667 // the specified wire version on renegotiation rather than retaining it. 668 NegotiateVersionOnRenego uint16 669 670 // ExpectFalseStart causes the server to, on full handshakes, 671 // expect the peer to False Start; the server Finished message 672 // isn't sent until we receive an application data record 673 // from the peer. 674 ExpectFalseStart bool 675 676 // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full 677 // handshakes, send an alert just before reading the application data 678 // record to test False Start. This can be used in a negative False 679 // Start test to determine whether the peer processed the alert (and 680 // closed the connection) before or after sending app data. 681 AlertBeforeFalseStartTest alert 682 683 // ExpectServerName, if not empty, is the hostname the client 684 // must specify in the server_name extension. 685 ExpectServerName string 686 687 // SwapNPNAndALPN switches the relative order between NPN and ALPN in 688 // both ClientHello and ServerHello. 689 SwapNPNAndALPN bool 690 691 // ALPNProtocol, if not nil, sets the ALPN protocol that a server will 692 // return. 693 ALPNProtocol *string 694 695 // AcceptAnySession causes the server to resume sessions regardless of 696 // the version associated with the session or cipher suite. It also 697 // causes the server to look in both TLS 1.2 and 1.3 extensions to 698 // process a ticket. 699 AcceptAnySession bool 700 701 // SendBothTickets, if true, causes the client to send tickets in both 702 // TLS 1.2 and 1.3 extensions. 703 SendBothTickets bool 704 705 // FilterTicket, if not nil, causes the client to modify a session 706 // ticket before sending it in a resume handshake. 707 FilterTicket func([]byte) ([]byte, error) 708 709 // TicketSessionIDLength, if non-zero, is the length of the session ID 710 // to send with a ticket resumption offer. 711 TicketSessionIDLength int 712 713 // EmptyTicketSessionID, if true, causes the client to send an empty 714 // session ID with a ticket resumption offer. For simplicity, this will 715 // also cause the client to interpret a ServerHello with empty session 716 // ID as a resumption. (A client which sends empty session ID is 717 // normally expected to look ahead for ChangeCipherSpec.) 718 EmptyTicketSessionID bool 719 720 // ExpectNoTLS12Session, if true, causes the server to fail the 721 // connection if either a session ID or TLS 1.2 ticket is offered. 722 ExpectNoTLS12Session bool 723 724 // ExpectNoTLS13PSK, if true, causes the server to fail the connection 725 // if a TLS 1.3 PSK is offered. 726 ExpectNoTLS13PSK bool 727 728 // RequireExtendedMasterSecret, if true, requires that the peer support 729 // the extended master secret option. 730 RequireExtendedMasterSecret bool 731 732 // NoExtendedMasterSecret causes the client and server to behave as if 733 // they didn't support an extended master secret in the initial 734 // handshake. 735 NoExtendedMasterSecret bool 736 737 // NoExtendedMasterSecretOnRenegotiation causes the client and server to 738 // behave as if they didn't support an extended master secret in 739 // renegotiation handshakes. 740 NoExtendedMasterSecretOnRenegotiation bool 741 742 // EmptyRenegotiationInfo causes the renegotiation extension to be 743 // empty in a renegotiation handshake. 744 EmptyRenegotiationInfo bool 745 746 // BadRenegotiationInfo causes the renegotiation extension value in a 747 // renegotiation handshake to be incorrect at the start. 748 BadRenegotiationInfo bool 749 750 // BadRenegotiationInfoEnd causes the renegotiation extension value in 751 // a renegotiation handshake to be incorrect at the end. 752 BadRenegotiationInfoEnd bool 753 754 // NoRenegotiationInfo disables renegotiation info support in all 755 // handshakes. 756 NoRenegotiationInfo bool 757 758 // NoRenegotiationInfoInInitial disables renegotiation info support in 759 // the initial handshake. 760 NoRenegotiationInfoInInitial bool 761 762 // NoRenegotiationInfoAfterInitial disables renegotiation info support 763 // in renegotiation handshakes. 764 NoRenegotiationInfoAfterInitial bool 765 766 // RequireRenegotiationInfo, if true, causes the client to return an 767 // error if the server doesn't reply with the renegotiation extension. 768 RequireRenegotiationInfo bool 769 770 // SequenceNumberMapping, if non-nil, is the mapping function to apply 771 // to the sequence number of outgoing packets. For both TLS and DTLS, 772 // the two most-significant bytes in the resulting sequence number are 773 // ignored so that the DTLS epoch cannot be changed. 774 SequenceNumberMapping func(uint64) uint64 775 776 // RSAEphemeralKey, if true, causes the server to send a 777 // ServerKeyExchange message containing an ephemeral key (as in 778 // RSA_EXPORT) in the plain RSA key exchange. 779 RSAEphemeralKey bool 780 781 // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the 782 // client offers when negotiating SRTP. MKI support is still missing so 783 // the peer must still send none. 784 SRTPMasterKeyIdentifer string 785 786 // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the 787 // server sends in the ServerHello instead of the negotiated one. 788 SendSRTPProtectionProfile uint16 789 790 // NoSignatureAlgorithms, if true, causes the client to omit the 791 // signature and hashes extension. 792 // 793 // For a server, it will cause an empty list to be sent in the 794 // CertificateRequest message. None the less, the configured set will 795 // still be enforced. 796 NoSignatureAlgorithms bool 797 798 // NoSupportedCurves, if true, causes the client to omit the 799 // supported_curves extension. 800 NoSupportedCurves bool 801 802 // RequireSameRenegoClientVersion, if true, causes the server 803 // to require that all ClientHellos match in offered version 804 // across a renego. 805 RequireSameRenegoClientVersion bool 806 807 // ExpectInitialRecordVersion, if non-zero, is the expected value of 808 // record-layer version field before the protocol version is determined. 809 ExpectInitialRecordVersion uint16 810 811 // SendRecordVersion, if non-zero, is the value to send as the 812 // record-layer version. 813 SendRecordVersion uint16 814 815 // SendInitialRecordVersion, if non-zero, is the value to send as the 816 // record-layer version before the protocol version is determined. 817 SendInitialRecordVersion uint16 818 819 // MaxPacketLength, if non-zero, is the maximum acceptable size for a 820 // packet. 821 MaxPacketLength int 822 823 // SendCipherSuite, if non-zero, is the cipher suite value that the 824 // server will send in the ServerHello. This does not affect the cipher 825 // the server believes it has actually negotiated. 826 SendCipherSuite uint16 827 828 // SendCipherSuites, if not nil, is the cipher suite list that the 829 // client will send in the ClientHello. This does not affect the cipher 830 // the client believes it has actually offered. 831 SendCipherSuites []uint16 832 833 // AppDataBeforeHandshake, if not nil, causes application data to be 834 // sent immediately before the first handshake message. 835 AppDataBeforeHandshake []byte 836 837 // AppDataAfterChangeCipherSpec, if not nil, causes application data to 838 // be sent immediately after ChangeCipherSpec. 839 AppDataAfterChangeCipherSpec []byte 840 841 // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent 842 // immediately after ChangeCipherSpec. 843 AlertAfterChangeCipherSpec alert 844 845 // TimeoutSchedule is the schedule of packet drops and simulated 846 // timeouts for before each handshake leg from the peer. 847 TimeoutSchedule []time.Duration 848 849 // PacketAdaptor is the packetAdaptor to use to simulate timeouts. 850 PacketAdaptor *packetAdaptor 851 852 // ReorderHandshakeFragments, if true, causes handshake fragments in 853 // DTLS to overlap and be sent in the wrong order. It also causes 854 // pre-CCS flights to be sent twice. (Post-CCS flights consist of 855 // Finished and will trigger a spurious retransmit.) 856 ReorderHandshakeFragments bool 857 858 // ReverseHandshakeFragments, if true, causes handshake fragments in 859 // DTLS to be reversed within a flight. 860 ReverseHandshakeFragments bool 861 862 // MixCompleteMessageWithFragments, if true, causes handshake 863 // messages in DTLS to redundantly both fragment the message 864 // and include a copy of the full one. 865 MixCompleteMessageWithFragments bool 866 867 // SendInvalidRecordType, if true, causes a record with an invalid 868 // content type to be sent immediately following the handshake. 869 SendInvalidRecordType bool 870 871 // SendWrongMessageType, if non-zero, causes messages of the specified 872 // type to be sent with the wrong value. 873 SendWrongMessageType byte 874 875 // SendTrailingMessageData, if non-zero, causes messages of the 876 // specified type to be sent with trailing data. 877 SendTrailingMessageData byte 878 879 // FragmentMessageTypeMismatch, if true, causes all non-initial 880 // handshake fragments in DTLS to have the wrong message type. 881 FragmentMessageTypeMismatch bool 882 883 // FragmentMessageLengthMismatch, if true, causes all non-initial 884 // handshake fragments in DTLS to have the wrong message length. 885 FragmentMessageLengthMismatch bool 886 887 // SplitFragments, if non-zero, causes the handshake fragments in DTLS 888 // to be split across two records. The value of |SplitFragments| is the 889 // number of bytes in the first fragment. 890 SplitFragments int 891 892 // SendEmptyFragments, if true, causes handshakes to include empty 893 // fragments in DTLS. 894 SendEmptyFragments bool 895 896 // SendSplitAlert, if true, causes an alert to be sent with the header 897 // and record body split across multiple packets. The peer should 898 // discard these packets rather than process it. 899 SendSplitAlert bool 900 901 // FailIfResumeOnRenego, if true, causes renegotiations to fail if the 902 // client offers a resumption or the server accepts one. 903 FailIfResumeOnRenego bool 904 905 // IgnorePeerCipherPreferences, if true, causes the peer's cipher 906 // preferences to be ignored. 907 IgnorePeerCipherPreferences bool 908 909 // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's 910 // signature algorithm preferences to be ignored. 911 IgnorePeerSignatureAlgorithmPreferences bool 912 913 // IgnorePeerCurvePreferences, if true, causes the peer's curve 914 // preferences to be ignored. 915 IgnorePeerCurvePreferences bool 916 917 // BadFinished, if true, causes the Finished hash to be broken. 918 BadFinished bool 919 920 // PackHandshakeFragments, if true, causes handshake fragments in DTLS 921 // to be packed into individual handshake records, up to the specified 922 // record size. 923 PackHandshakeFragments int 924 925 // PackHandshakeRecords, if true, causes handshake records in DTLS to be 926 // packed into individual packets, up to the specified packet size. 927 PackHandshakeRecords int 928 929 // PackHandshakeFlight, if true, causes each handshake flight in TLS to 930 // be packed into records, up to the largest size record available. 931 PackHandshakeFlight bool 932 933 // AdvertiseAllConfiguredCiphers, if true, causes the client to 934 // advertise all configured cipher suite values. 935 AdvertiseAllConfiguredCiphers bool 936 937 // EmptyCertificateList, if true, causes the server to send an empty 938 // certificate list in the Certificate message. 939 EmptyCertificateList bool 940 941 // ExpectNewTicket, if true, causes the client to abort if it does not 942 // receive a new ticket. 943 ExpectNewTicket bool 944 945 // RequireClientHelloSize, if not zero, is the required length in bytes 946 // of the ClientHello /record/. This is checked by the server. 947 RequireClientHelloSize int 948 949 // CustomExtension, if not empty, contains the contents of an extension 950 // that will be added to client/server hellos. 951 CustomExtension string 952 953 // CustomUnencryptedExtension, if not empty, contains the contents of 954 // an extension that will be added to ServerHello in TLS 1.3. 955 CustomUnencryptedExtension string 956 957 // ExpectedCustomExtension, if not nil, contains the expected contents 958 // of a custom extension. 959 ExpectedCustomExtension *string 960 961 // CustomTicketExtension, if not empty, contains the contents of an 962 // extension what will be added to NewSessionTicket in TLS 1.3. 963 CustomTicketExtension string 964 965 // CustomTicketExtension, if not empty, contains the contents of an 966 // extension what will be added to HelloRetryRequest in TLS 1.3. 967 CustomHelloRetryRequestExtension string 968 969 // NoCloseNotify, if true, causes the close_notify alert to be skipped 970 // on connection shutdown. 971 NoCloseNotify bool 972 973 // SendAlertOnShutdown, if non-zero, is the alert to send instead of 974 // close_notify on shutdown. 975 SendAlertOnShutdown alert 976 977 // ExpectCloseNotify, if true, requires a close_notify from the peer on 978 // shutdown. Records from the peer received after close_notify is sent 979 // are not discard. 980 ExpectCloseNotify bool 981 982 // SendLargeRecords, if true, allows outgoing records to be sent 983 // arbitrarily large. 984 SendLargeRecords bool 985 986 // NegotiateALPNAndNPN, if true, causes the server to negotiate both 987 // ALPN and NPN in the same connetion. 988 NegotiateALPNAndNPN bool 989 990 // SendALPN, if non-empty, causes the server to send the specified 991 // string in the ALPN extension regardless of the content or presence of 992 // the client offer. 993 SendALPN string 994 995 // SendUnencryptedALPN, if non-empty, causes the server to send the 996 // specified string in a ServerHello ALPN extension in TLS 1.3. 997 SendUnencryptedALPN string 998 999 // SendEmptySessionTicket, if true, causes the server to send an empty 1000 // session ticket. 1001 SendEmptySessionTicket bool 1002 1003 // SendPSKKeyExchangeModes, if present, determines the PSK key exchange modes 1004 // to send. 1005 SendPSKKeyExchangeModes []byte 1006 1007 // ExpectNoNewSessionTicket, if present, means that the client will fail upon 1008 // receipt of a NewSessionTicket message. 1009 ExpectNoNewSessionTicket bool 1010 1011 // DuplicateTicketEarlyDataInfo causes an extra empty extension of 1012 // ticket_early_data_info to be sent in NewSessionTicket. 1013 DuplicateTicketEarlyDataInfo bool 1014 1015 // ExpectTicketEarlyDataInfo, if true, means that the client will fail upon 1016 // absence of the ticket_early_data_info extension. 1017 ExpectTicketEarlyDataInfo bool 1018 1019 // ExpectTicketAge, if non-zero, is the expected age of the ticket that the 1020 // server receives from the client. 1021 ExpectTicketAge time.Duration 1022 1023 // SendTicketAge, if non-zero, is the ticket age to be sent by the 1024 // client. 1025 SendTicketAge time.Duration 1026 1027 // FailIfSessionOffered, if true, causes the server to fail any 1028 // connections where the client offers a non-empty session ID or session 1029 // ticket. 1030 FailIfSessionOffered bool 1031 1032 // SendHelloRequestBeforeEveryAppDataRecord, if true, causes a 1033 // HelloRequest handshake message to be sent before each application 1034 // data record. This only makes sense for a server. 1035 SendHelloRequestBeforeEveryAppDataRecord bool 1036 1037 // SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a 1038 // HelloRequest handshake message to be sent before each handshake 1039 // message. This only makes sense for a server. 1040 SendHelloRequestBeforeEveryHandshakeMessage bool 1041 1042 // BadChangeCipherSpec, if not nil, is the body to be sent in 1043 // ChangeCipherSpec records instead of {1}. 1044 BadChangeCipherSpec []byte 1045 1046 // BadHelloRequest, if not nil, is what to send instead of a 1047 // HelloRequest. 1048 BadHelloRequest []byte 1049 1050 // RequireSessionTickets, if true, causes the client to require new 1051 // sessions use session tickets instead of session IDs. 1052 RequireSessionTickets bool 1053 1054 // NullAllCiphers, if true, causes every cipher to behave like the null 1055 // cipher. 1056 NullAllCiphers bool 1057 1058 // SendSCTListOnResume, if not nil, causes the server to send the 1059 // supplied SCT list in resumption handshakes. 1060 SendSCTListOnResume []byte 1061 1062 // SendSCTListOnRenegotiation, if not nil, causes the server to send the 1063 // supplied SCT list on renegotiation. 1064 SendSCTListOnRenegotiation []byte 1065 1066 // SendOCSPResponseOnResume, if not nil, causes the server to advertise 1067 // OCSP stapling in resumption handshakes and, if applicable, send the 1068 // supplied stapled response. 1069 SendOCSPResponseOnResume []byte 1070 1071 // SendOCSPResponseOnResume, if not nil, causes the server to send the 1072 // supplied OCSP response on renegotiation. 1073 SendOCSPResponseOnRenegotiation []byte 1074 1075 // SendExtensionOnCertificate, if not nil, causes the runner to send the 1076 // supplied bytes in the extensions on the Certificate message. 1077 SendExtensionOnCertificate []byte 1078 1079 // SendOCSPOnIntermediates, if not nil, causes the server to send the 1080 // supplied OCSP on intermediate certificates in the Certificate message. 1081 SendOCSPOnIntermediates []byte 1082 1083 // SendSCTOnIntermediates, if not nil, causes the server to send the 1084 // supplied SCT on intermediate certificates in the Certificate message. 1085 SendSCTOnIntermediates []byte 1086 1087 // SendDuplicateCertExtensions, if true, causes the server to send an extra 1088 // copy of the OCSP/SCT extensions in the Certificate message. 1089 SendDuplicateCertExtensions bool 1090 1091 // ExpectNoExtensionsOnIntermediate, if true, causes the client to 1092 // reject extensions on intermediate certificates. 1093 ExpectNoExtensionsOnIntermediate bool 1094 1095 // RecordPadding is the number of bytes of padding to add to each 1096 // encrypted record in TLS 1.3. 1097 RecordPadding int 1098 1099 // OmitRecordContents, if true, causes encrypted records in TLS 1.3 to 1100 // be missing their body and content type. Padding, if configured, is 1101 // still added. 1102 OmitRecordContents bool 1103 1104 // OuterRecordType, if non-zero, is the outer record type to use instead 1105 // of application data. 1106 OuterRecordType recordType 1107 1108 // SendSignatureAlgorithm, if non-zero, causes all signatures to be sent 1109 // with the given signature algorithm rather than the one negotiated. 1110 SendSignatureAlgorithm signatureAlgorithm 1111 1112 // SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be 1113 // skipped. 1114 SkipECDSACurveCheck bool 1115 1116 // IgnoreSignatureVersionChecks, if true, causes all signature 1117 // algorithms to be enabled at all TLS versions. 1118 IgnoreSignatureVersionChecks bool 1119 1120 // NegotiateRenegotiationInfoAtAllVersions, if true, causes 1121 // Renegotiation Info to be negotiated at all versions. 1122 NegotiateRenegotiationInfoAtAllVersions bool 1123 1124 // NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at 1125 // all versions. 1126 NegotiateNPNAtAllVersions bool 1127 1128 // NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at 1129 // all versions. 1130 NegotiateEMSAtAllVersions bool 1131 1132 // AdvertiseTicketExtension, if true, causes the ticket extension to be 1133 // advertised in server extensions 1134 AdvertiseTicketExtension bool 1135 1136 // NegotiatePSKResumption, if true, causes the server to attempt pure PSK 1137 // resumption. 1138 NegotiatePSKResumption bool 1139 1140 // AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to 1141 // always acknowledge a session, regardless of one was offered. 1142 AlwaysSelectPSKIdentity bool 1143 1144 // SelectPSKIdentityOnResume, if non-zero, causes the server to select 1145 // the specified PSK identity index rather than the actual value. 1146 SelectPSKIdentityOnResume uint16 1147 1148 // ExtraPSKIdentity, if true, causes the client to send an extra PSK 1149 // identity. 1150 ExtraPSKIdentity bool 1151 1152 // MissingKeyShare, if true, causes the TLS 1.3 implementation to skip 1153 // sending a key_share extension and use the zero ECDHE secret 1154 // instead. 1155 MissingKeyShare bool 1156 1157 // SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3 1158 // ClientHello to skip sending a key_share extension and use the zero 1159 // ECDHE secret instead. 1160 SecondClientHelloMissingKeyShare bool 1161 1162 // MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3 1163 // client to pretend the server requested a HelloRetryRequest with the 1164 // given curve rather than the actual one. 1165 MisinterpretHelloRetryRequestCurve CurveID 1166 1167 // DuplicateKeyShares, if true, causes the TLS 1.3 client to send two 1168 // copies of each KeyShareEntry. 1169 DuplicateKeyShares bool 1170 1171 // SendEarlyAlert, if true, sends a fatal alert after the ClientHello. 1172 SendEarlyAlert bool 1173 1174 // SendFakeEarlyDataLength, if non-zero, is the amount of early data to 1175 // send after the ClientHello. 1176 SendFakeEarlyDataLength int 1177 1178 // SendStrayEarlyHandshake, if non-zero, causes the client to send a stray 1179 // handshake record before sending end of early data. 1180 SendStrayEarlyHandshake bool 1181 1182 // OmitEarlyDataExtension, if true, causes the early data extension to 1183 // be omitted in the ClientHello. 1184 OmitEarlyDataExtension bool 1185 1186 // SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to 1187 // send early data after the second ClientHello. 1188 SendEarlyDataOnSecondClientHello bool 1189 1190 // InterleaveEarlyData, if true, causes the TLS 1.3 client to send early 1191 // data interleaved with the second ClientHello and the client Finished. 1192 InterleaveEarlyData bool 1193 1194 // SendEarlyData causes a TLS 1.3 client to send the provided data 1195 // in application data records immediately after the ClientHello, 1196 // provided that the client offers a TLS 1.3 session. It will do this 1197 // whether or not the server advertised early data for the ticket. 1198 SendEarlyData [][]byte 1199 1200 // ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data 1201 // was accepted by the server. 1202 ExpectEarlyDataAccepted bool 1203 1204 // AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data 1205 // regardless of ALPN mismatch. 1206 AlwaysAcceptEarlyData bool 1207 1208 // AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data. 1209 AlwaysRejectEarlyData bool 1210 1211 // SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the 1212 // early_data extension in EncryptedExtensions, independent of whether 1213 // it was accepted. 1214 SendEarlyDataExtension bool 1215 1216 // ExpectEarlyData causes a TLS 1.3 server to read application 1217 // data after the ClientHello (assuming the server is able to 1218 // derive the key under which the data is encrypted) before it 1219 // sends a ServerHello. It checks that the application data it 1220 // reads matches what is provided in ExpectEarlyData and errors if 1221 // the number of records or their content do not match. 1222 ExpectEarlyData [][]byte 1223 1224 // ExpectLateEarlyData causes a TLS 1.3 server to read application 1225 // data after the ServerFinished (assuming the server is able to 1226 // derive the key under which the data is encrypted) before it 1227 // sends the ClientFinished. It checks that the application data it 1228 // reads matches what is provided in ExpectLateEarlyData and errors if 1229 // the number of records or their content do not match. 1230 ExpectLateEarlyData [][]byte 1231 1232 // SendHalfRTTData causes a TLS 1.3 server to send the provided 1233 // data in application data records before reading the client's 1234 // Finished message. 1235 SendHalfRTTData [][]byte 1236 1237 // ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to 1238 // read application data after reading the server's Finished message and 1239 // before sending any subsequent handshake messages. It checks that the 1240 // application data it reads matches what is provided in 1241 // ExpectHalfRTTData and errors if the number of records or their 1242 // content do not match. 1243 ExpectHalfRTTData [][]byte 1244 1245 // EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to 1246 // emit an empty EncryptedExtensions block. 1247 EmptyEncryptedExtensions bool 1248 1249 // EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to 1250 // include the KeyShare extension in the EncryptedExtensions block. 1251 EncryptedExtensionsWithKeyShare bool 1252 1253 // AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to 1254 // be sent by the server, even if empty. 1255 AlwaysSendHelloRetryRequest bool 1256 1257 // SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send 1258 // two HelloRetryRequests instead of one. 1259 SecondHelloRetryRequest bool 1260 1261 // SendHelloRetryRequestCurve, if non-zero, causes the server to send 1262 // the specified curve in a HelloRetryRequest. 1263 SendHelloRetryRequestCurve CurveID 1264 1265 // SendHelloRetryRequestCookie, if not nil, contains a cookie to be 1266 // sent by the server in HelloRetryRequest. 1267 SendHelloRetryRequestCookie []byte 1268 1269 // DuplicateHelloRetryRequestExtensions, if true, causes all 1270 // HelloRetryRequest extensions to be sent twice. 1271 DuplicateHelloRetryRequestExtensions bool 1272 1273 // SendServerHelloVersion, if non-zero, causes the server to send the 1274 // specified value in ServerHello version field. 1275 SendServerHelloVersion uint16 1276 1277 // SendServerSupportedExtensionVersion, if non-zero, causes the server to send 1278 // the specified value in supported_versions extension in the ServerHello. 1279 SendServerSupportedExtensionVersion uint16 1280 1281 // SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send 1282 // HelloRetryRequest. 1283 SkipHelloRetryRequest bool 1284 1285 // PackHelloRequestWithFinished, if true, causes the TLS server to send 1286 // HelloRequest in the same record as Finished. 1287 PackHelloRequestWithFinished bool 1288 1289 // ExpectMissingKeyShare, if true, causes the TLS server to fail the 1290 // connection if the selected curve appears in the client's initial 1291 // ClientHello. That is, it requires that a HelloRetryRequest be sent. 1292 ExpectMissingKeyShare bool 1293 1294 // SendExtraFinished, if true, causes an extra Finished message to be 1295 // sent. 1296 SendExtraFinished bool 1297 1298 // SendRequestContext, if not empty, is the request context to send in 1299 // a TLS 1.3 CertificateRequest. 1300 SendRequestContext []byte 1301 1302 // SendSNIWarningAlert, if true, causes the server to send an 1303 // unrecognized_name alert before the ServerHello. 1304 SendSNIWarningAlert bool 1305 1306 // SendCompressionMethods, if not nil, is the compression method list to 1307 // send in the ClientHello. 1308 SendCompressionMethods []byte 1309 1310 // SendCompressionMethod is the compression method to send in the 1311 // ServerHello. 1312 SendCompressionMethod byte 1313 1314 // AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to 1315 // always send a ServerKeyExchange for PSK ciphers, even if the identity 1316 // hint is empty. 1317 AlwaysSendPreSharedKeyIdentityHint bool 1318 1319 // TrailingKeyShareData, if true, causes the client key share list to 1320 // include a trailing byte. 1321 TrailingKeyShareData bool 1322 1323 // InvalidChannelIDSignature, if true, causes the client to generate an 1324 // invalid Channel ID signature. 1325 InvalidChannelIDSignature bool 1326 1327 // ExpectGREASE, if true, causes messages without GREASE values to be 1328 // rejected. See draft-davidben-tls-grease-01. 1329 ExpectGREASE bool 1330 1331 // SendShortPSKBinder, if true, causes the client to send a PSK binder 1332 // that is one byte shorter than it should be. 1333 SendShortPSKBinder bool 1334 1335 // SendInvalidPSKBinder, if true, causes the client to send an invalid 1336 // PSK binder. 1337 SendInvalidPSKBinder bool 1338 1339 // SendNoPSKBinder, if true, causes the client to send no PSK binders. 1340 SendNoPSKBinder bool 1341 1342 // SendExtraPSKBinder, if true, causes the client to send an extra PSK 1343 // binder. 1344 SendExtraPSKBinder bool 1345 1346 // PSKBinderFirst, if true, causes the client to send the PSK Binder 1347 // extension as the first extension instead of the last extension. 1348 PSKBinderFirst bool 1349 1350 // NoOCSPStapling, if true, causes the client to not request OCSP 1351 // stapling. 1352 NoOCSPStapling bool 1353 1354 // NoSignedCertificateTimestamps, if true, causes the client to not 1355 // request signed certificate timestamps. 1356 NoSignedCertificateTimestamps bool 1357 1358 // SendSupportedPointFormats, if not nil, is the list of supported point 1359 // formats to send in ClientHello or ServerHello. If set to a non-nil 1360 // empty slice, no extension will be sent. 1361 SendSupportedPointFormats []byte 1362 1363 // MaxReceivePlaintext, if non-zero, is the maximum plaintext record 1364 // length accepted from the peer. 1365 MaxReceivePlaintext int 1366 1367 // SendTicketLifetime, if non-zero, is the ticket lifetime to send in 1368 // NewSessionTicket messages. 1369 SendTicketLifetime time.Duration 1370 1371 // SendServerNameAck, if true, causes the server to acknowledge the SNI 1372 // extension. 1373 SendServerNameAck bool 1374 1375 // ExpectCertificateReqNames, if not nil, contains the list of X.509 1376 // names that must be sent in a CertificateRequest from the server. 1377 ExpectCertificateReqNames [][]byte 1378 1379 // RenegotiationCertificate, if not nil, is the certificate to use on 1380 // renegotiation handshakes. 1381 RenegotiationCertificate *Certificate 1382 1383 // UseLegacySigningAlgorithm, if non-zero, is the signature algorithm 1384 // to use when signing in TLS 1.1 and earlier where algorithms are not 1385 // negotiated. 1386 UseLegacySigningAlgorithm signatureAlgorithm 1387 1388 // SendServerHelloAsHelloRetryRequest, if true, causes the server to 1389 // send ServerHello messages with a HelloRetryRequest type field. 1390 SendServerHelloAsHelloRetryRequest bool 1391 1392 // RejectUnsolicitedKeyUpdate, if true, causes all unsolicited 1393 // KeyUpdates from the peer to be rejected. 1394 RejectUnsolicitedKeyUpdate bool 1395 1396 // OmitExtensions, if true, causes the extensions field in ClientHello 1397 // and ServerHello messages to be omitted. 1398 OmitExtensions bool 1399 1400 // EmptyExtensions, if true, causese the extensions field in ClientHello 1401 // and ServerHello messages to be present, but empty. 1402 EmptyExtensions bool 1403 } 1404 1405 func (c *Config) serverInit() { 1406 if c.SessionTicketsDisabled { 1407 return 1408 } 1409 1410 // If the key has already been set then we have nothing to do. 1411 for _, b := range c.SessionTicketKey { 1412 if b != 0 { 1413 return 1414 } 1415 } 1416 1417 if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { 1418 c.SessionTicketsDisabled = true 1419 } 1420 } 1421 1422 func (c *Config) rand() io.Reader { 1423 r := c.Rand 1424 if r == nil { 1425 return rand.Reader 1426 } 1427 return r 1428 } 1429 1430 func (c *Config) time() time.Time { 1431 t := c.Time 1432 if t == nil { 1433 t = time.Now 1434 } 1435 return t() 1436 } 1437 1438 func (c *Config) cipherSuites() []uint16 { 1439 s := c.CipherSuites 1440 if s == nil { 1441 s = defaultCipherSuites() 1442 } 1443 return s 1444 } 1445 1446 func (c *Config) minVersion(isDTLS bool) uint16 { 1447 ret := uint16(minVersion) 1448 if c != nil && c.MinVersion != 0 { 1449 ret = c.MinVersion 1450 } 1451 if isDTLS { 1452 // The lowest version of DTLS is 1.0. There is no DSSL 3.0. 1453 if ret < VersionTLS10 { 1454 return VersionTLS10 1455 } 1456 // There is no such thing as DTLS 1.1. 1457 if ret == VersionTLS11 { 1458 return VersionTLS12 1459 } 1460 } 1461 return ret 1462 } 1463 1464 func (c *Config) maxVersion(isDTLS bool) uint16 { 1465 ret := uint16(maxVersion) 1466 if c != nil && c.MaxVersion != 0 { 1467 ret = c.MaxVersion 1468 } 1469 if isDTLS { 1470 // We only implement up to DTLS 1.2. 1471 if ret > VersionTLS12 { 1472 return VersionTLS12 1473 } 1474 // There is no such thing as DTLS 1.1. 1475 if ret == VersionTLS11 { 1476 return VersionTLS10 1477 } 1478 } 1479 return ret 1480 } 1481 1482 var defaultCurvePreferences = []CurveID{CurveX25519, CurveP256, CurveP384, CurveP521} 1483 1484 func (c *Config) curvePreferences() []CurveID { 1485 if c == nil || len(c.CurvePreferences) == 0 { 1486 return defaultCurvePreferences 1487 } 1488 return c.CurvePreferences 1489 } 1490 1491 func (c *Config) defaultCurves() map[CurveID]bool { 1492 defaultCurves := make(map[CurveID]bool) 1493 curves := c.DefaultCurves 1494 if c == nil || c.DefaultCurves == nil { 1495 curves = c.curvePreferences() 1496 } 1497 for _, curveID := range curves { 1498 defaultCurves[curveID] = true 1499 } 1500 return defaultCurves 1501 } 1502 1503 // isSupportedVersion checks if the specified wire version is acceptable. If so, 1504 // it returns true and the corresponding protocol version. Otherwise, it returns 1505 // false. 1506 func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { 1507 if (c.TLS13Variant != TLS13Experiment && wireVers == tls13ExperimentVersion) || 1508 (c.TLS13Variant != TLS13RecordTypeExperiment && wireVers == tls13RecordTypeExperimentVersion) || 1509 (c.TLS13Variant != TLS13Default && wireVers == tls13DraftVersion) { 1510 return 0, false 1511 } 1512 1513 vers, ok := wireToVersion(wireVers, isDTLS) 1514 if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { 1515 return 0, false 1516 } 1517 return vers, true 1518 } 1519 1520 func (c *Config) supportedVersions(isDTLS bool) []uint16 { 1521 versions := allTLSWireVersions 1522 if isDTLS { 1523 versions = allDTLSWireVersions 1524 } 1525 var ret []uint16 1526 for _, vers := range versions { 1527 if _, ok := c.isSupportedVersion(vers, isDTLS); ok { 1528 ret = append(ret, vers) 1529 } 1530 } 1531 return ret 1532 } 1533 1534 // getCertificateForName returns the best certificate for the given name, 1535 // defaulting to the first element of c.Certificates if there are no good 1536 // options. 1537 func (c *Config) getCertificateForName(name string) *Certificate { 1538 if len(c.Certificates) == 1 || c.NameToCertificate == nil { 1539 // There's only one choice, so no point doing any work. 1540 return &c.Certificates[0] 1541 } 1542 1543 name = strings.ToLower(name) 1544 for len(name) > 0 && name[len(name)-1] == '.' { 1545 name = name[:len(name)-1] 1546 } 1547 1548 if cert, ok := c.NameToCertificate[name]; ok { 1549 return cert 1550 } 1551 1552 // try replacing labels in the name with wildcards until we get a 1553 // match. 1554 labels := strings.Split(name, ".") 1555 for i := range labels { 1556 labels[i] = "*" 1557 candidate := strings.Join(labels, ".") 1558 if cert, ok := c.NameToCertificate[candidate]; ok { 1559 return cert 1560 } 1561 } 1562 1563 // If nothing matches, return the first certificate. 1564 return &c.Certificates[0] 1565 } 1566 1567 func (c *Config) signSignatureAlgorithms() []signatureAlgorithm { 1568 if c != nil && c.SignSignatureAlgorithms != nil { 1569 return c.SignSignatureAlgorithms 1570 } 1571 return supportedSignatureAlgorithms 1572 } 1573 1574 func (c *Config) verifySignatureAlgorithms() []signatureAlgorithm { 1575 if c != nil && c.VerifySignatureAlgorithms != nil { 1576 return c.VerifySignatureAlgorithms 1577 } 1578 return supportedSignatureAlgorithms 1579 } 1580 1581 // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate 1582 // from the CommonName and SubjectAlternateName fields of each of the leaf 1583 // certificates. 1584 func (c *Config) BuildNameToCertificate() { 1585 c.NameToCertificate = make(map[string]*Certificate) 1586 for i := range c.Certificates { 1587 cert := &c.Certificates[i] 1588 x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) 1589 if err != nil { 1590 continue 1591 } 1592 if len(x509Cert.Subject.CommonName) > 0 { 1593 c.NameToCertificate[x509Cert.Subject.CommonName] = cert 1594 } 1595 for _, san := range x509Cert.DNSNames { 1596 c.NameToCertificate[san] = cert 1597 } 1598 } 1599 } 1600 1601 // A Certificate is a chain of one or more certificates, leaf first. 1602 type Certificate struct { 1603 Certificate [][]byte 1604 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey 1605 // OCSPStaple contains an optional OCSP response which will be served 1606 // to clients that request it. 1607 OCSPStaple []byte 1608 // SignedCertificateTimestampList contains an optional encoded 1609 // SignedCertificateTimestampList structure which will be 1610 // served to clients that request it. 1611 SignedCertificateTimestampList []byte 1612 // Leaf is the parsed form of the leaf certificate, which may be 1613 // initialized using x509.ParseCertificate to reduce per-handshake 1614 // processing for TLS clients doing client authentication. If nil, the 1615 // leaf certificate will be parsed as needed. 1616 Leaf *x509.Certificate 1617 } 1618 1619 // A TLS record. 1620 type record struct { 1621 contentType recordType 1622 major, minor uint8 1623 payload []byte 1624 } 1625 1626 type handshakeMessage interface { 1627 marshal() []byte 1628 unmarshal([]byte) bool 1629 } 1630 1631 // lruSessionCache is a client or server session cache implementation 1632 // that uses an LRU caching strategy. 1633 type lruSessionCache struct { 1634 sync.Mutex 1635 1636 m map[string]*list.Element 1637 q *list.List 1638 capacity int 1639 } 1640 1641 type lruSessionCacheEntry struct { 1642 sessionKey string 1643 state interface{} 1644 } 1645 1646 // Put adds the provided (sessionKey, cs) pair to the cache. 1647 func (c *lruSessionCache) Put(sessionKey string, cs interface{}) { 1648 c.Lock() 1649 defer c.Unlock() 1650 1651 if elem, ok := c.m[sessionKey]; ok { 1652 entry := elem.Value.(*lruSessionCacheEntry) 1653 entry.state = cs 1654 c.q.MoveToFront(elem) 1655 return 1656 } 1657 1658 if c.q.Len() < c.capacity { 1659 entry := &lruSessionCacheEntry{sessionKey, cs} 1660 c.m[sessionKey] = c.q.PushFront(entry) 1661 return 1662 } 1663 1664 elem := c.q.Back() 1665 entry := elem.Value.(*lruSessionCacheEntry) 1666 delete(c.m, entry.sessionKey) 1667 entry.sessionKey = sessionKey 1668 entry.state = cs 1669 c.q.MoveToFront(elem) 1670 c.m[sessionKey] = elem 1671 } 1672 1673 // Get returns the value associated with a given key. It returns (nil, 1674 // false) if no value is found. 1675 func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) { 1676 c.Lock() 1677 defer c.Unlock() 1678 1679 if elem, ok := c.m[sessionKey]; ok { 1680 c.q.MoveToFront(elem) 1681 return elem.Value.(*lruSessionCacheEntry).state, true 1682 } 1683 return nil, false 1684 } 1685 1686 // lruClientSessionCache is a ClientSessionCache implementation that 1687 // uses an LRU caching strategy. 1688 type lruClientSessionCache struct { 1689 lruSessionCache 1690 } 1691 1692 func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { 1693 c.lruSessionCache.Put(sessionKey, cs) 1694 } 1695 1696 func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { 1697 cs, ok := c.lruSessionCache.Get(sessionKey) 1698 if !ok { 1699 return nil, false 1700 } 1701 return cs.(*ClientSessionState), true 1702 } 1703 1704 // lruServerSessionCache is a ServerSessionCache implementation that 1705 // uses an LRU caching strategy. 1706 type lruServerSessionCache struct { 1707 lruSessionCache 1708 } 1709 1710 func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) { 1711 c.lruSessionCache.Put(sessionId, session) 1712 } 1713 1714 func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) { 1715 cs, ok := c.lruSessionCache.Get(sessionId) 1716 if !ok { 1717 return nil, false 1718 } 1719 return cs.(*sessionState), true 1720 } 1721 1722 // NewLRUClientSessionCache returns a ClientSessionCache with the given 1723 // capacity that uses an LRU strategy. If capacity is < 1, a default capacity 1724 // is used instead. 1725 func NewLRUClientSessionCache(capacity int) ClientSessionCache { 1726 const defaultSessionCacheCapacity = 64 1727 1728 if capacity < 1 { 1729 capacity = defaultSessionCacheCapacity 1730 } 1731 return &lruClientSessionCache{ 1732 lruSessionCache{ 1733 m: make(map[string]*list.Element), 1734 q: list.New(), 1735 capacity: capacity, 1736 }, 1737 } 1738 } 1739 1740 // NewLRUServerSessionCache returns a ServerSessionCache with the given 1741 // capacity that uses an LRU strategy. If capacity is < 1, a default capacity 1742 // is used instead. 1743 func NewLRUServerSessionCache(capacity int) ServerSessionCache { 1744 const defaultSessionCacheCapacity = 64 1745 1746 if capacity < 1 { 1747 capacity = defaultSessionCacheCapacity 1748 } 1749 return &lruServerSessionCache{ 1750 lruSessionCache{ 1751 m: make(map[string]*list.Element), 1752 q: list.New(), 1753 capacity: capacity, 1754 }, 1755 } 1756 } 1757 1758 // TODO(jsing): Make these available to both crypto/x509 and crypto/tls. 1759 type dsaSignature struct { 1760 R, S *big.Int 1761 } 1762 1763 type ecdsaSignature dsaSignature 1764 1765 var emptyConfig Config 1766 1767 func defaultConfig() *Config { 1768 return &emptyConfig 1769 } 1770 1771 var ( 1772 once sync.Once 1773 varDefaultCipherSuites []uint16 1774 ) 1775 1776 func defaultCipherSuites() []uint16 { 1777 once.Do(initDefaultCipherSuites) 1778 return varDefaultCipherSuites 1779 } 1780 1781 func initDefaultCipherSuites() { 1782 for _, suite := range cipherSuites { 1783 if suite.flags&suitePSK == 0 { 1784 varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) 1785 } 1786 } 1787 } 1788 1789 func unexpectedMessageError(wanted, got interface{}) error { 1790 return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) 1791 } 1792 1793 func isSupportedSignatureAlgorithm(sigAlg signatureAlgorithm, sigAlgs []signatureAlgorithm) bool { 1794 for _, s := range sigAlgs { 1795 if s == sigAlg { 1796 return true 1797 } 1798 } 1799 return false 1800 } 1801 1802 var ( 1803 // See draft-ietf-tls-tls13-16, section 6.3.1.2. 1804 downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} 1805 downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} 1806 ) 1807 1808 func containsGREASE(values []uint16) bool { 1809 for _, v := range values { 1810 if isGREASEValue(v) { 1811 return true 1812 } 1813 } 1814 return false 1815 } 1816
