// Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package main import ( "container/list" "crypto" "crypto/ecdsa" "crypto/rand" "crypto/x509" "fmt" "io" "math/big" "strings" "sync" "time" ) const ( VersionSSL30 = 0x0300 VersionTLS10 = 0x0301 VersionTLS11 = 0x0302 VersionTLS12 = 0x0303 ) const ( maxPlaintext = 16384 // maximum plaintext payload length maxCiphertext = 16384 + 2048 // maximum ciphertext payload length tlsRecordHeaderLen = 5 // record header length dtlsRecordHeaderLen = 13 maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) minVersion = VersionSSL30 maxVersion = VersionTLS12 ) // TLS record types. type recordType uint8 const ( recordTypeChangeCipherSpec recordType = 20 recordTypeAlert recordType = 21 recordTypeHandshake recordType = 22 recordTypeApplicationData recordType = 23 ) // TLS handshake message types. const ( typeHelloRequest uint8 = 0 typeClientHello uint8 = 1 typeServerHello uint8 = 2 typeHelloVerifyRequest uint8 = 3 typeNewSessionTicket uint8 = 4 typeCertificate uint8 = 11 typeServerKeyExchange uint8 = 12 typeCertificateRequest uint8 = 13 typeServerHelloDone uint8 = 14 typeCertificateVerify uint8 = 15 typeClientKeyExchange uint8 = 16 typeFinished uint8 = 20 typeCertificateStatus uint8 = 22 typeNextProtocol uint8 = 67 // Not IANA assigned typeEncryptedExtensions uint8 = 203 // Not IANA assigned ) // TLS compression types. const ( compressionNone uint8 = 0 ) // TLS extension numbers const ( extensionServerName uint16 = 0 extensionStatusRequest uint16 = 5 extensionSupportedCurves uint16 = 10 extensionSupportedPoints uint16 = 11 extensionSignatureAlgorithms uint16 = 13 extensionUseSRTP uint16 = 14 extensionALPN uint16 = 16 extensionSignedCertificateTimestamp uint16 = 18 extensionExtendedMasterSecret uint16 = 23 extensionSessionTicket uint16 = 35 extensionNextProtoNeg uint16 = 13172 // not IANA assigned extensionRenegotiationInfo uint16 = 0xff01 extensionChannelID uint16 = 30032 // not IANA assigned ) // TLS signaling cipher suite values const ( scsvRenegotiation uint16 = 0x00ff ) // CurveID is the type of a TLS identifier for an elliptic curve. See // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8 type CurveID uint16 const ( CurveP224 CurveID = 21 CurveP256 CurveID = 23 CurveP384 CurveID = 24 CurveP521 CurveID = 25 ) // TLS Elliptic Curve Point Formats // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 const ( pointFormatUncompressed uint8 = 0 ) // TLS CertificateStatusType (RFC 3546) const ( statusTypeOCSP uint8 = 1 ) // Certificate types (for certificateRequestMsg) const ( CertTypeRSASign = 1 // A certificate containing an RSA key CertTypeDSSSign = 2 // A certificate containing a DSA key CertTypeRSAFixedDH = 3 // A certificate containing a static DH key CertTypeDSSFixedDH = 4 // A certificate containing a static DH key // See RFC4492 sections 3 and 5.5. CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA. CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA. CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA. // Rest of these are reserved by the TLS spec ) // Hash functions for TLS 1.2 (See RFC 5246, section A.4.1) const ( hashMD5 uint8 = 1 hashSHA1 uint8 = 2 hashSHA224 uint8 = 3 hashSHA256 uint8 = 4 hashSHA384 uint8 = 5 hashSHA512 uint8 = 6 ) // Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1) const ( signatureRSA uint8 = 1 signatureECDSA uint8 = 3 ) // signatureAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See // RFC 5246, section A.4.1. type signatureAndHash struct { signature, hash uint8 } // supportedSKXSignatureAlgorithms contains the signature and hash algorithms // that the code advertises as supported in a TLS 1.2 ClientHello. var supportedSKXSignatureAlgorithms = []signatureAndHash{ {signatureRSA, hashSHA256}, {signatureECDSA, hashSHA256}, {signatureRSA, hashSHA1}, {signatureECDSA, hashSHA1}, } // supportedClientCertSignatureAlgorithms contains the signature and hash // algorithms that the code advertises as supported in a TLS 1.2 // CertificateRequest. var supportedClientCertSignatureAlgorithms = []signatureAndHash{ {signatureRSA, hashSHA256}, {signatureECDSA, hashSHA256}, } // SRTP protection profiles (See RFC 5764, section 4.1.2) const ( SRTP_AES128_CM_HMAC_SHA1_80 uint16 = 0x0001 SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002 ) // ConnectionState records basic TLS details about the connection. type ConnectionState struct { Version uint16 // TLS version used by the connection (e.g. VersionTLS12) HandshakeComplete bool // TLS handshake is complete DidResume bool // connection resumes a previous TLS connection CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server NegotiatedProtocolFromALPN bool // protocol negotiated with ALPN ServerName string // server name requested by client, if any (server side only) PeerCertificates []*x509.Certificate // certificate chain presented by remote peer VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates ChannelID *ecdsa.PublicKey // the channel ID for this connection SRTPProtectionProfile uint16 // the negotiated DTLS-SRTP protection profile TLSUnique []byte } // ClientAuthType declares the policy the server will follow for // TLS Client Authentication. type ClientAuthType int const ( NoClientCert ClientAuthType = iota RequestClientCert RequireAnyClientCert VerifyClientCertIfGiven RequireAndVerifyClientCert ) // ClientSessionState contains the state needed by clients to resume TLS // sessions. type ClientSessionState struct { sessionId []uint8 // Session ID supplied by the server. nil if the session has a ticket. sessionTicket []uint8 // Encrypted ticket used for session resumption with server vers uint16 // SSL/TLS version negotiated for the session cipherSuite uint16 // Ciphersuite negotiated for the session masterSecret []byte // MasterSecret generated by client on a full handshake handshakeHash []byte // Handshake hash for Channel ID purposes. serverCertificates []*x509.Certificate // Certificate chain presented by the server extendedMasterSecret bool // Whether an extended master secret was used to generate the session } // ClientSessionCache is a cache of ClientSessionState objects that can be used // by a client to resume a TLS session with a given server. ClientSessionCache // implementations should expect to be called concurrently from different // goroutines. type ClientSessionCache interface { // Get searches for a ClientSessionState associated with the given key. // On return, ok is true if one was found. Get(sessionKey string) (session *ClientSessionState, ok bool) // Put adds the ClientSessionState to the cache with the given key. Put(sessionKey string, cs *ClientSessionState) } // ServerSessionCache is a cache of sessionState objects that can be used by a // client to resume a TLS session with a given server. ServerSessionCache // implementations should expect to be called concurrently from different // goroutines. type ServerSessionCache interface { // Get searches for a sessionState associated with the given session // ID. On return, ok is true if one was found. Get(sessionId string) (session *sessionState, ok bool) // Put adds the sessionState to the cache with the given session ID. Put(sessionId string, session *sessionState) } // A Config structure is used to configure a TLS client or server. // After one has been passed to a TLS function it must not be // modified. A Config may be reused; the tls package will also not // modify it. type Config struct { // Rand provides the source of entropy for nonces and RSA blinding. // If Rand is nil, TLS uses the cryptographic random reader in package // crypto/rand. // The Reader must be safe for use by multiple goroutines. Rand io.Reader // Time returns the current time as the number of seconds since the epoch. // If Time is nil, TLS uses time.Now. Time func() time.Time // Certificates contains one or more certificate chains // to present to the other side of the connection. // Server configurations must include at least one certificate. Certificates []Certificate // NameToCertificate maps from a certificate name to an element of // Certificates. Note that a certificate name can be of the form // '*.example.com' and so doesn't have to be a domain name as such. // See Config.BuildNameToCertificate // The nil value causes the first element of Certificates to be used // for all connections. NameToCertificate map[string]*Certificate // RootCAs defines the set of root certificate authorities // that clients use when verifying server certificates. // If RootCAs is nil, TLS uses the host's root CA set. RootCAs *x509.CertPool // NextProtos is a list of supported, application level protocols. NextProtos []string // ServerName is used to verify the hostname on the returned // certificates unless InsecureSkipVerify is given. It is also included // in the client's handshake to support virtual hosting. ServerName string // ClientAuth determines the server's policy for // TLS Client Authentication. The default is NoClientCert. ClientAuth ClientAuthType // ClientCAs defines the set of root certificate authorities // that servers use if required to verify a client certificate // by the policy in ClientAuth. ClientCAs *x509.CertPool // ClientCertificateTypes defines the set of allowed client certificate // types. The default is CertTypeRSASign and CertTypeECDSASign. ClientCertificateTypes []byte // InsecureSkipVerify controls whether a client verifies the // server's certificate chain and host name. // If InsecureSkipVerify is true, TLS accepts any certificate // presented by the server and any host name in that certificate. // In this mode, TLS is susceptible to man-in-the-middle attacks. // This should be used only for testing. InsecureSkipVerify bool // CipherSuites is a list of supported cipher suites. If CipherSuites // is nil, TLS uses a list of suites supported by the implementation. CipherSuites []uint16 // PreferServerCipherSuites controls whether the server selects the // client's most preferred ciphersuite, or the server's most preferred // ciphersuite. If true then the server's preference, as expressed in // the order of elements in CipherSuites, is used. PreferServerCipherSuites bool // SessionTicketsDisabled may be set to true to disable session ticket // (resumption) support. SessionTicketsDisabled bool // SessionTicketKey is used by TLS servers to provide session // resumption. See RFC 5077. If zero, it will be filled with // random data before the first server handshake. // // If multiple servers are terminating connections for the same host // they should all have the same SessionTicketKey. If the // SessionTicketKey leaks, previously recorded and future TLS // connections using that key are compromised. SessionTicketKey [32]byte // ClientSessionCache is a cache of ClientSessionState entries // for TLS session resumption. ClientSessionCache ClientSessionCache // ServerSessionCache is a cache of sessionState entries for TLS session // resumption. ServerSessionCache ServerSessionCache // MinVersion contains the minimum SSL/TLS version that is acceptable. // If zero, then SSLv3 is taken as the minimum. MinVersion uint16 // MaxVersion contains the maximum SSL/TLS version that is acceptable. // If zero, then the maximum version supported by this package is used, // which is currently TLS 1.2. MaxVersion uint16 // CurvePreferences contains the elliptic curves that will be used in // an ECDHE handshake, in preference order. If empty, the default will // be used. CurvePreferences []CurveID // ChannelID contains the ECDSA key for the client to use as // its TLS Channel ID. ChannelID *ecdsa.PrivateKey // RequestChannelID controls whether the server requests a TLS // Channel ID. If negotiated, the client's public key is // returned in the ConnectionState. RequestChannelID bool // PreSharedKey, if not nil, is the pre-shared key to use with // the PSK cipher suites. PreSharedKey []byte // PreSharedKeyIdentity, if not empty, is the identity to use // with the PSK cipher suites. PreSharedKeyIdentity string // SRTPProtectionProfiles, if not nil, is the list of SRTP // protection profiles to offer in DTLS-SRTP. SRTPProtectionProfiles []uint16 // SignatureAndHashes, if not nil, overrides the default set of // supported signature and hash algorithms to advertise in // CertificateRequest. SignatureAndHashes []signatureAndHash // Bugs specifies optional misbehaviour to be used for testing other // implementations. Bugs ProtocolBugs serverInitOnce sync.Once // guards calling (*Config).serverInit } type BadValue int const ( BadValueNone BadValue = iota BadValueNegative BadValueZero BadValueLimit BadValueLarge NumBadValues ) type ProtocolBugs struct { // InvalidSKXSignature specifies that the signature in a // ServerKeyExchange message should be invalid. InvalidSKXSignature bool // InvalidSKXCurve causes the curve ID in the ServerKeyExchange message // to be wrong. InvalidSKXCurve bool // BadECDSAR controls ways in which the 'r' value of an ECDSA signature // can be invalid. BadECDSAR BadValue BadECDSAS BadValue // MaxPadding causes CBC records to have the maximum possible padding. MaxPadding bool // PaddingFirstByteBad causes the first byte of the padding to be // incorrect. PaddingFirstByteBad bool // PaddingFirstByteBadIf255 causes the first byte of padding to be // incorrect if there's a maximum amount of padding (i.e. 255 bytes). PaddingFirstByteBadIf255 bool // FailIfNotFallbackSCSV causes a server handshake to fail if the // client doesn't send the fallback SCSV value. FailIfNotFallbackSCSV bool // DuplicateExtension causes an extra empty extension of bogus type to // be emitted in either the ClientHello or the ServerHello. DuplicateExtension bool // UnauthenticatedECDH causes the server to pretend ECDHE_RSA // and ECDHE_ECDSA cipher suites are actually ECDH_anon. No // Certificate message is sent and no signature is added to // ServerKeyExchange. UnauthenticatedECDH bool // SkipHelloVerifyRequest causes a DTLS server to skip the // HelloVerifyRequest message. SkipHelloVerifyRequest bool // SkipCertificateStatus, if true, causes the server to skip the // CertificateStatus message. This is legal because CertificateStatus is // optional, even with a status_request in ServerHello. SkipCertificateStatus bool // SkipServerKeyExchange causes the server to skip sending // ServerKeyExchange messages. SkipServerKeyExchange bool // SkipNewSessionTicket causes the server to skip sending the // NewSessionTicket message despite promising to in ServerHello. SkipNewSessionTicket bool // SkipChangeCipherSpec causes the implementation to skip // sending the ChangeCipherSpec message (and adjusting cipher // state accordingly for the Finished message). SkipChangeCipherSpec bool // SkipFinished causes the implementation to skip sending the Finished // message. SkipFinished bool // EarlyChangeCipherSpec causes the client to send an early // ChangeCipherSpec message before the ClientKeyExchange. A value of // zero disables this behavior. One and two configure variants for 0.9.8 // and 1.0.1 modes, respectively. EarlyChangeCipherSpec int // FragmentAcrossChangeCipherSpec causes the implementation to fragment // the Finished (or NextProto) message around the ChangeCipherSpec // messages. FragmentAcrossChangeCipherSpec bool // SendV2ClientHello causes the client to send a V2ClientHello // instead of a normal ClientHello. SendV2ClientHello bool // SendFallbackSCSV causes the client to include // TLS_FALLBACK_SCSV in the ClientHello. SendFallbackSCSV bool // MaxHandshakeRecordLength, if non-zero, is the maximum size of a // handshake record. Handshake messages will be split into multiple // records at the specified size, except that the client_version will // never be fragmented. For DTLS, it is the maximum handshake fragment // size, not record size; DTLS allows multiple handshake fragments in a // single handshake record. See |PackHandshakeFragments|. MaxHandshakeRecordLength int // FragmentClientVersion will allow MaxHandshakeRecordLength to apply to // the first 6 bytes of the ClientHello. FragmentClientVersion bool // FragmentAlert will cause all alerts to be fragmented across // two records. FragmentAlert bool // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted // alert to be sent. SendSpuriousAlert alert // RsaClientKeyExchangeVersion, if non-zero, causes the client to send a // ClientKeyExchange with the specified version rather than the // client_version when performing the RSA key exchange. RsaClientKeyExchangeVersion uint16 // RenewTicketOnResume causes the server to renew the session ticket and // send a NewSessionTicket message during an abbreviated handshake. RenewTicketOnResume bool // SendClientVersion, if non-zero, causes the client to send a different // TLS version in the ClientHello than the maximum supported version. SendClientVersion uint16 // ExpectFalseStart causes the server to, on full handshakes, // expect the peer to False Start; the server Finished message // isn't sent until we receive an application data record // from the peer. ExpectFalseStart bool // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full // handshakes, send an alert just before reading the application data // record to test False Start. This can be used in a negative False // Start test to determine whether the peer processed the alert (and // closed the connection) before or after sending app data. AlertBeforeFalseStartTest alert // SSL3RSAKeyExchange causes the client to always send an RSA // ClientKeyExchange message without the two-byte length // prefix, as if it were SSL3. SSL3RSAKeyExchange bool // SkipCipherVersionCheck causes the server to negotiate // TLS 1.2 ciphers in earlier versions of TLS. SkipCipherVersionCheck bool // ExpectServerName, if not empty, is the hostname the client // must specify in the server_name extension. ExpectServerName string // SwapNPNAndALPN switches the relative order between NPN and // ALPN on the server. This is to test that server preference // of ALPN works regardless of their relative order. SwapNPNAndALPN bool // AllowSessionVersionMismatch causes the server to resume sessions // regardless of the version associated with the session. AllowSessionVersionMismatch bool // CorruptTicket causes a client to corrupt a session ticket before // sending it in a resume handshake. CorruptTicket bool // OversizedSessionId causes the session id that is sent with a ticket // resumption attempt to be too large (33 bytes). OversizedSessionId bool // RequireExtendedMasterSecret, if true, requires that the peer support // the extended master secret option. RequireExtendedMasterSecret bool // NoExtendedMasterSecret causes the client and server to behave as if // they didn't support an extended master secret. NoExtendedMasterSecret bool // EmptyRenegotiationInfo causes the renegotiation extension to be // empty in a renegotiation handshake. EmptyRenegotiationInfo bool // BadRenegotiationInfo causes the renegotiation extension value in a // renegotiation handshake to be incorrect. BadRenegotiationInfo bool // NoRenegotiationInfo causes the client to behave as if it // didn't support the renegotiation info extension. NoRenegotiationInfo bool // SequenceNumberIncrement, if non-zero, causes outgoing sequence // numbers in DTLS to increment by that value rather by 1. This is to // stress the replay bitmap window by simulating extreme packet loss and // retransmit at the record layer. SequenceNumberIncrement uint64 // RSAEphemeralKey, if true, causes the server to send a // ServerKeyExchange message containing an ephemeral key (as in // RSA_EXPORT) in the plain RSA key exchange. RSAEphemeralKey bool // SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the // client offers when negotiating SRTP. MKI support is still missing so // the peer must still send none. SRTPMasterKeyIdentifer string // SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the // server sends in the ServerHello instead of the negotiated one. SendSRTPProtectionProfile uint16 // NoSignatureAndHashes, if true, causes the client to omit the // signature and hashes extension. // // For a server, it will cause an empty list to be sent in the // CertificateRequest message. None the less, the configured set will // still be enforced. NoSignatureAndHashes bool // NoSupportedCurves, if true, causes the client to omit the // supported_curves extension. NoSupportedCurves bool // RequireSameRenegoClientVersion, if true, causes the server // to require that all ClientHellos match in offered version // across a renego. RequireSameRenegoClientVersion bool // RequireFastradioPadding, if true, requires that ClientHello messages // be at least 1000 bytes long. RequireFastradioPadding bool // ExpectInitialRecordVersion, if non-zero, is the expected // version of the records before the version is determined. ExpectInitialRecordVersion uint16 // MaxPacketLength, if non-zero, is the maximum acceptable size for a // packet. MaxPacketLength int // SendCipherSuite, if non-zero, is the cipher suite value that the // server will send in the ServerHello. This does not affect the cipher // the server believes it has actually negotiated. SendCipherSuite uint16 // AppDataAfterChangeCipherSpec, if not null, causes application data to // be sent immediately after ChangeCipherSpec. AppDataAfterChangeCipherSpec []byte // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent // immediately after ChangeCipherSpec. AlertAfterChangeCipherSpec alert // TimeoutSchedule is the schedule of packet drops and simulated // timeouts for before each handshake leg from the peer. TimeoutSchedule []time.Duration // PacketAdaptor is the packetAdaptor to use to simulate timeouts. PacketAdaptor *packetAdaptor // ReorderHandshakeFragments, if true, causes handshake fragments in // DTLS to overlap and be sent in the wrong order. It also causes // pre-CCS flights to be sent twice. (Post-CCS flights consist of // Finished and will trigger a spurious retransmit.) ReorderHandshakeFragments bool // MixCompleteMessageWithFragments, if true, causes handshake // messages in DTLS to redundantly both fragment the message // and include a copy of the full one. MixCompleteMessageWithFragments bool // SendInvalidRecordType, if true, causes a record with an invalid // content type to be sent immediately following the handshake. SendInvalidRecordType bool // WrongCertificateMessageType, if true, causes Certificate message to // be sent with the wrong message type. WrongCertificateMessageType bool // FragmentMessageTypeMismatch, if true, causes all non-initial // handshake fragments in DTLS to have the wrong message type. FragmentMessageTypeMismatch bool // FragmentMessageLengthMismatch, if true, causes all non-initial // handshake fragments in DTLS to have the wrong message length. FragmentMessageLengthMismatch bool // SplitFragmentHeader, if true, causes the handshake fragments in DTLS // to be split across two records. SplitFragmentHeader bool // SplitFragmentBody, if true, causes the handshake bodies in DTLS to be // split across two records. // // TODO(davidben): There's one final split to test: when the header and // body are split across two records. But those are (incorrectly) // accepted right now. SplitFragmentBody bool // SendEmptyFragments, if true, causes handshakes to include empty // fragments in DTLS. SendEmptyFragments bool // SendSplitAlert, if true, causes an alert to be sent with the header // and record body split across multiple packets. The peer should // discard these packets rather than process it. SendSplitAlert bool // FailIfResumeOnRenego, if true, causes renegotiations to fail if the // client offers a resumption or the server accepts one. FailIfResumeOnRenego bool // IgnorePeerCipherPreferences, if true, causes the peer's cipher // preferences to be ignored. IgnorePeerCipherPreferences bool // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's // signature algorithm preferences to be ignored. IgnorePeerSignatureAlgorithmPreferences bool // IgnorePeerCurvePreferences, if true, causes the peer's curve // preferences to be ignored. IgnorePeerCurvePreferences bool // SendWarningAlerts, if non-zero, causes every record to be prefaced by // a warning alert. SendWarningAlerts alert // BadFinished, if true, causes the Finished hash to be broken. BadFinished bool // DHGroupPrime, if not nil, is used to define the (finite field) // Diffie-Hellman group. The generator used is always two. DHGroupPrime *big.Int // PackHandshakeFragments, if true, causes handshake fragments to be // packed into individual handshake records, up to the specified record // size. PackHandshakeFragments int // PackHandshakeRecords, if true, causes handshake records to be packed // into individual packets, up to the specified packet size. PackHandshakeRecords int // EnableAllCiphersInDTLS, if true, causes RC4 to be enabled in DTLS. EnableAllCiphersInDTLS bool } func (c *Config) serverInit() { if c.SessionTicketsDisabled { return } // If the key has already been set then we have nothing to do. for _, b := range c.SessionTicketKey { if b != 0 { return } } if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { c.SessionTicketsDisabled = true } } func (c *Config) rand() io.Reader { r := c.Rand if r == nil { return rand.Reader } return r } func (c *Config) time() time.Time { t := c.Time if t == nil { t = time.Now } return t() } func (c *Config) cipherSuites() []uint16 { s := c.CipherSuites if s == nil { s = defaultCipherSuites() } return s } func (c *Config) minVersion() uint16 { if c == nil || c.MinVersion == 0 { return minVersion } return c.MinVersion } func (c *Config) maxVersion() uint16 { if c == nil || c.MaxVersion == 0 { return maxVersion } return c.MaxVersion } var defaultCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521} func (c *Config) curvePreferences() []CurveID { if c == nil || len(c.CurvePreferences) == 0 { return defaultCurvePreferences } return c.CurvePreferences } // mutualVersion returns the protocol version to use given the advertised // version of the peer. func (c *Config) mutualVersion(vers uint16) (uint16, bool) { minVersion := c.minVersion() maxVersion := c.maxVersion() if vers < minVersion { return 0, false } if vers > maxVersion { vers = maxVersion } return vers, true } // getCertificateForName returns the best certificate for the given name, // defaulting to the first element of c.Certificates if there are no good // options. func (c *Config) getCertificateForName(name string) *Certificate { if len(c.Certificates) == 1 || c.NameToCertificate == nil { // There's only one choice, so no point doing any work. return &c.Certificates[0] } name = strings.ToLower(name) for len(name) > 0 && name[len(name)-1] == '.' { name = name[:len(name)-1] } if cert, ok := c.NameToCertificate[name]; ok { return cert } // try replacing labels in the name with wildcards until we get a // match. labels := strings.Split(name, ".") for i := range labels { labels[i] = "*" candidate := strings.Join(labels, ".") if cert, ok := c.NameToCertificate[candidate]; ok { return cert } } // If nothing matches, return the first certificate. return &c.Certificates[0] } func (c *Config) signatureAndHashesForServer() []signatureAndHash { if c != nil && c.SignatureAndHashes != nil { return c.SignatureAndHashes } return supportedClientCertSignatureAlgorithms } func (c *Config) signatureAndHashesForClient() []signatureAndHash { if c != nil && c.SignatureAndHashes != nil { return c.SignatureAndHashes } return supportedSKXSignatureAlgorithms } // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate // from the CommonName and SubjectAlternateName fields of each of the leaf // certificates. func (c *Config) BuildNameToCertificate() { c.NameToCertificate = make(map[string]*Certificate) for i := range c.Certificates { cert := &c.Certificates[i] x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) if err != nil { continue } if len(x509Cert.Subject.CommonName) > 0 { c.NameToCertificate[x509Cert.Subject.CommonName] = cert } for _, san := range x509Cert.DNSNames { c.NameToCertificate[san] = cert } } } // A Certificate is a chain of one or more certificates, leaf first. type Certificate struct { Certificate [][]byte PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey // OCSPStaple contains an optional OCSP response which will be served // to clients that request it. OCSPStaple []byte // SignedCertificateTimestampList contains an optional encoded // SignedCertificateTimestampList structure which will be // served to clients that request it. SignedCertificateTimestampList []byte // Leaf is the parsed form of the leaf certificate, which may be // initialized using x509.ParseCertificate to reduce per-handshake // processing for TLS clients doing client authentication. If nil, the // leaf certificate will be parsed as needed. Leaf *x509.Certificate } // A TLS record. type record struct { contentType recordType major, minor uint8 payload []byte } type handshakeMessage interface { marshal() []byte unmarshal([]byte) bool } // lruSessionCache is a client or server session cache implementation // that uses an LRU caching strategy. type lruSessionCache struct { sync.Mutex m map[string]*list.Element q *list.List capacity int } type lruSessionCacheEntry struct { sessionKey string state interface{} } // Put adds the provided (sessionKey, cs) pair to the cache. func (c *lruSessionCache) Put(sessionKey string, cs interface{}) { c.Lock() defer c.Unlock() if elem, ok := c.m[sessionKey]; ok { entry := elem.Value.(*lruSessionCacheEntry) entry.state = cs c.q.MoveToFront(elem) return } if c.q.Len() < c.capacity { entry := &lruSessionCacheEntry{sessionKey, cs} c.m[sessionKey] = c.q.PushFront(entry) return } elem := c.q.Back() entry := elem.Value.(*lruSessionCacheEntry) delete(c.m, entry.sessionKey) entry.sessionKey = sessionKey entry.state = cs c.q.MoveToFront(elem) c.m[sessionKey] = elem } // Get returns the value associated with a given key. It returns (nil, // false) if no value is found. func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) { c.Lock() defer c.Unlock() if elem, ok := c.m[sessionKey]; ok { c.q.MoveToFront(elem) return elem.Value.(*lruSessionCacheEntry).state, true } return nil, false } // lruClientSessionCache is a ClientSessionCache implementation that // uses an LRU caching strategy. type lruClientSessionCache struct { lruSessionCache } func (c *lruClientSessionCache) Put(sessionKey string, cs *ClientSessionState) { c.lruSessionCache.Put(sessionKey, cs) } func (c *lruClientSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { cs, ok := c.lruSessionCache.Get(sessionKey) if !ok { return nil, false } return cs.(*ClientSessionState), true } // lruServerSessionCache is a ServerSessionCache implementation that // uses an LRU caching strategy. type lruServerSessionCache struct { lruSessionCache } func (c *lruServerSessionCache) Put(sessionId string, session *sessionState) { c.lruSessionCache.Put(sessionId, session) } func (c *lruServerSessionCache) Get(sessionId string) (*sessionState, bool) { cs, ok := c.lruSessionCache.Get(sessionId) if !ok { return nil, false } return cs.(*sessionState), true } // NewLRUClientSessionCache returns a ClientSessionCache with the given // capacity that uses an LRU strategy. If capacity is < 1, a default capacity // is used instead. func NewLRUClientSessionCache(capacity int) ClientSessionCache { const defaultSessionCacheCapacity = 64 if capacity < 1 { capacity = defaultSessionCacheCapacity } return &lruClientSessionCache{ lruSessionCache{ m: make(map[string]*list.Element), q: list.New(), capacity: capacity, }, } } // NewLRUServerSessionCache returns a ServerSessionCache with the given // capacity that uses an LRU strategy. If capacity is < 1, a default capacity // is used instead. func NewLRUServerSessionCache(capacity int) ServerSessionCache { const defaultSessionCacheCapacity = 64 if capacity < 1 { capacity = defaultSessionCacheCapacity } return &lruServerSessionCache{ lruSessionCache{ m: make(map[string]*list.Element), q: list.New(), capacity: capacity, }, } } // TODO(jsing): Make these available to both crypto/x509 and crypto/tls. type dsaSignature struct { R, S *big.Int } type ecdsaSignature dsaSignature var emptyConfig Config func defaultConfig() *Config { return &emptyConfig } var ( once sync.Once varDefaultCipherSuites []uint16 ) func defaultCipherSuites() []uint16 { once.Do(initDefaultCipherSuites) return varDefaultCipherSuites } func initDefaultCipherSuites() { for _, suite := range cipherSuites { if suite.flags&suitePSK == 0 { varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id) } } } func unexpectedMessageError(wanted, got interface{}) error { return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) } func isSupportedSignatureAndHash(sigHash signatureAndHash, sigHashes []signatureAndHash) bool { for _, s := range sigHashes { if s == sigHash { return true } } return false }