Source file src/crypto/tls/common.go

Documentation: crypto/tls

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"container/list"
     9  	"crypto"
    10  	"crypto/rand"
    11  	"crypto/sha512"
    12  	"crypto/x509"
    13  	"errors"
    14  	"fmt"
    15  	"internal/cpu"
    16  	"io"
    17  	"math/big"
    18  	"net"
    19  	"os"
    20  	"strings"
    21  	"sync"
    22  	"time"
    23  )
    24  
    25  const (
    26  	VersionTLS10 = 0x0301
    27  	VersionTLS11 = 0x0302
    28  	VersionTLS12 = 0x0303
    29  	VersionTLS13 = 0x0304
    30  
    31  	// Deprecated: SSLv3 is cryptographically broken, and will be
    32  	// removed in Go 1.14. See golang.org/issue/32716.
    33  	VersionSSL30 = 0x0300
    34  )
    35  
    36  const (
    37  	maxPlaintext       = 16384        // maximum plaintext payload length
    38  	maxCiphertext      = 16384 + 2048 // maximum ciphertext payload length
    39  	maxCiphertextTLS13 = 16384 + 256  // maximum ciphertext length in TLS 1.3
    40  	recordHeaderLen    = 5            // record header length
    41  	maxHandshake       = 65536        // maximum handshake we support (protocol max is 16 MB)
    42  	maxUselessRecords  = 16           // maximum number of consecutive non-advancing records
    43  )
    44  
    45  // TLS record types.
    46  type recordType uint8
    47  
    48  const (
    49  	recordTypeChangeCipherSpec recordType = 20
    50  	recordTypeAlert            recordType = 21
    51  	recordTypeHandshake        recordType = 22
    52  	recordTypeApplicationData  recordType = 23
    53  )
    54  
    55  // TLS handshake message types.
    56  const (
    57  	typeHelloRequest        uint8 = 0
    58  	typeClientHello         uint8 = 1
    59  	typeServerHello         uint8 = 2
    60  	typeNewSessionTicket    uint8 = 4
    61  	typeEndOfEarlyData      uint8 = 5
    62  	typeEncryptedExtensions uint8 = 8
    63  	typeCertificate         uint8 = 11
    64  	typeServerKeyExchange   uint8 = 12
    65  	typeCertificateRequest  uint8 = 13
    66  	typeServerHelloDone     uint8 = 14
    67  	typeCertificateVerify   uint8 = 15
    68  	typeClientKeyExchange   uint8 = 16
    69  	typeFinished            uint8 = 20
    70  	typeCertificateStatus   uint8 = 22
    71  	typeKeyUpdate           uint8 = 24
    72  	typeNextProtocol        uint8 = 67  // Not IANA assigned
    73  	typeMessageHash         uint8 = 254 // synthetic message
    74  )
    75  
    76  // TLS compression types.
    77  const (
    78  	compressionNone uint8 = 0
    79  )
    80  
    81  // TLS extension numbers
    82  const (
    83  	extensionServerName              uint16 = 0
    84  	extensionStatusRequest           uint16 = 5
    85  	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
    86  	extensionSupportedPoints         uint16 = 11
    87  	extensionSignatureAlgorithms     uint16 = 13
    88  	extensionALPN                    uint16 = 16
    89  	extensionSCT                     uint16 = 18
    90  	extensionSessionTicket           uint16 = 35
    91  	extensionPreSharedKey            uint16 = 41
    92  	extensionEarlyData               uint16 = 42
    93  	extensionSupportedVersions       uint16 = 43
    94  	extensionCookie                  uint16 = 44
    95  	extensionPSKModes                uint16 = 45
    96  	extensionCertificateAuthorities  uint16 = 47
    97  	extensionSignatureAlgorithmsCert uint16 = 50
    98  	extensionKeyShare                uint16 = 51
    99  	extensionNextProtoNeg            uint16 = 13172 // not IANA assigned
   100  	extensionRenegotiationInfo       uint16 = 0xff01
   101  )
   102  
   103  // TLS signaling cipher suite values
   104  const (
   105  	scsvRenegotiation uint16 = 0x00ff
   106  )
   107  
   108  // CurveID is the type of a TLS identifier for an elliptic curve. See
   109  // https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
   110  //
   111  // In TLS 1.3, this type is called NamedGroup, but at this time this library
   112  // only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.
   113  type CurveID uint16
   114  
   115  const (
   116  	CurveP256 CurveID = 23
   117  	CurveP384 CurveID = 24
   118  	CurveP521 CurveID = 25
   119  	X25519    CurveID = 29
   120  )
   121  
   122  // TLS 1.3 Key Share. See RFC 8446, Section 4.2.8.
   123  type keyShare struct {
   124  	group CurveID
   125  	data  []byte
   126  }
   127  
   128  // TLS 1.3 PSK Key Exchange Modes. See RFC 8446, Section 4.2.9.
   129  const (
   130  	pskModePlain uint8 = 0
   131  	pskModeDHE   uint8 = 1
   132  )
   133  
   134  // TLS 1.3 PSK Identity. Can be a Session Ticket, or a reference to a saved
   135  // session. See RFC 8446, Section 4.2.11.
   136  type pskIdentity struct {
   137  	label               []byte
   138  	obfuscatedTicketAge uint32
   139  }
   140  
   141  // TLS Elliptic Curve Point Formats
   142  // https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
   143  const (
   144  	pointFormatUncompressed uint8 = 0
   145  )
   146  
   147  // TLS CertificateStatusType (RFC 3546)
   148  const (
   149  	statusTypeOCSP uint8 = 1
   150  )
   151  
   152  // Certificate types (for certificateRequestMsg)
   153  const (
   154  	certTypeRSASign   = 1
   155  	certTypeECDSASign = 64 // ECDSA or EdDSA keys, see RFC 8422, Section 3.
   156  )
   157  
   158  // Signature algorithms (for internal signaling use). Starting at 225 to avoid overlap with
   159  // TLS 1.2 codepoints (RFC 5246, Appendix A.4.1), with which these have nothing to do.
   160  const (
   161  	signaturePKCS1v15 uint8 = iota + 225
   162  	signatureRSAPSS
   163  	signatureECDSA
   164  	signatureEd25519
   165  )
   166  
   167  // directSigning is a standard Hash value that signals that no pre-hashing
   168  // should be performed, and that the input should be signed directly. It is the
   169  // hash function associated with the Ed25519 signature scheme.
   170  var directSigning crypto.Hash = 0
   171  
   172  // supportedSignatureAlgorithms contains the signature and hash algorithms that
   173  // the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
   174  // CertificateRequest. The two fields are merged to match with TLS 1.3.
   175  // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
   176  var supportedSignatureAlgorithms = []SignatureScheme{
   177  	PSSWithSHA256,
   178  	ECDSAWithP256AndSHA256,
   179  	Ed25519,
   180  	PSSWithSHA384,
   181  	PSSWithSHA512,
   182  	PKCS1WithSHA256,
   183  	PKCS1WithSHA384,
   184  	PKCS1WithSHA512,
   185  	ECDSAWithP384AndSHA384,
   186  	ECDSAWithP521AndSHA512,
   187  	PKCS1WithSHA1,
   188  	ECDSAWithSHA1,
   189  }
   190  
   191  // supportedSignatureAlgorithmsTLS12 contains the signature and hash algorithms
   192  // that are supported in TLS 1.2, where it is possible to distinguish the
   193  // protocol version. This is temporary, see Issue 32425.
   194  var supportedSignatureAlgorithmsTLS12 = []SignatureScheme{
   195  	PKCS1WithSHA256,
   196  	ECDSAWithP256AndSHA256,
   197  	Ed25519,
   198  	PKCS1WithSHA384,
   199  	PKCS1WithSHA512,
   200  	ECDSAWithP384AndSHA384,
   201  	ECDSAWithP521AndSHA512,
   202  	PKCS1WithSHA1,
   203  	ECDSAWithSHA1,
   204  }
   205  
   206  // helloRetryRequestRandom is set as the Random value of a ServerHello
   207  // to signal that the message is actually a HelloRetryRequest.
   208  var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3.
   209  	0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
   210  	0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
   211  	0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
   212  	0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C,
   213  }
   214  
   215  const (
   216  	// downgradeCanaryTLS12 or downgradeCanaryTLS11 is embedded in the server
   217  	// random as a downgrade protection if the server would be capable of
   218  	// negotiating a higher version. See RFC 8446, Section 4.1.3.
   219  	downgradeCanaryTLS12 = "DOWNGRD\x01"
   220  	downgradeCanaryTLS11 = "DOWNGRD\x00"
   221  )
   222  
   223  // ConnectionState records basic TLS details about the connection.
   224  type ConnectionState struct {
   225  	Version                     uint16                // TLS version used by the connection (e.g. VersionTLS12)
   226  	HandshakeComplete           bool                  // TLS handshake is complete
   227  	DidResume                   bool                  // connection resumes a previous TLS connection
   228  	CipherSuite                 uint16                // cipher suite in use (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ...)
   229  	NegotiatedProtocol          string                // negotiated next protocol (not guaranteed to be from Config.NextProtos)
   230  	NegotiatedProtocolIsMutual  bool                  // negotiated protocol was advertised by server (client side only)
   231  	ServerName                  string                // server name requested by client, if any (server side only)
   232  	PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
   233  	VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates
   234  	SignedCertificateTimestamps [][]byte              // SCTs from the peer, if any
   235  	OCSPResponse                []byte                // stapled OCSP response from peer, if any
   236  
   237  	// ekm is a closure exposed via ExportKeyingMaterial.
   238  	ekm func(label string, context []byte, length int) ([]byte, error)
   239  
   240  	// TLSUnique contains the "tls-unique" channel binding value (see RFC
   241  	// 5929, section 3). For resumed sessions this value will be nil
   242  	// because resumption does not include enough context (see
   243  	// https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will
   244  	// change in future versions of Go once the TLS master-secret fix has
   245  	// been standardized and implemented. It is not defined in TLS 1.3.
   246  	TLSUnique []byte
   247  }
   248  
   249  // ExportKeyingMaterial returns length bytes of exported key material in a new
   250  // slice as defined in RFC 5705. If context is nil, it is not used as part of
   251  // the seed. If the connection was set to allow renegotiation via
   252  // Config.Renegotiation, this function will return an error.
   253  func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) {
   254  	return cs.ekm(label, context, length)
   255  }
   256  
   257  // ClientAuthType declares the policy the server will follow for
   258  // TLS Client Authentication.
   259  type ClientAuthType int
   260  
   261  const (
   262  	NoClientCert ClientAuthType = iota
   263  	RequestClientCert
   264  	RequireAnyClientCert
   265  	VerifyClientCertIfGiven
   266  	RequireAndVerifyClientCert
   267  )
   268  
   269  // requiresClientCert reports whether the ClientAuthType requires a client
   270  // certificate to be provided.
   271  func requiresClientCert(c ClientAuthType) bool {
   272  	switch c {
   273  	case RequireAnyClientCert, RequireAndVerifyClientCert:
   274  		return true
   275  	default:
   276  		return false
   277  	}
   278  }
   279  
   280  // ClientSessionState contains the state needed by clients to resume TLS
   281  // sessions.
   282  type ClientSessionState struct {
   283  	sessionTicket      []uint8               // Encrypted ticket used for session resumption with server
   284  	vers               uint16                // SSL/TLS version negotiated for the session
   285  	cipherSuite        uint16                // Ciphersuite negotiated for the session
   286  	masterSecret       []byte                // Full handshake MasterSecret, or TLS 1.3 resumption_master_secret
   287  	serverCertificates []*x509.Certificate   // Certificate chain presented by the server
   288  	verifiedChains     [][]*x509.Certificate // Certificate chains we built for verification
   289  	receivedAt         time.Time             // When the session ticket was received from the server
   290  
   291  	// TLS 1.3 fields.
   292  	nonce  []byte    // Ticket nonce sent by the server, to derive PSK
   293  	useBy  time.Time // Expiration of the ticket lifetime as set by the server
   294  	ageAdd uint32    // Random obfuscation factor for sending the ticket age
   295  }
   296  
   297  // ClientSessionCache is a cache of ClientSessionState objects that can be used
   298  // by a client to resume a TLS session with a given server. ClientSessionCache
   299  // implementations should expect to be called concurrently from different
   300  // goroutines. Up to TLS 1.2, only ticket-based resumption is supported, not
   301  // SessionID-based resumption. In TLS 1.3 they were merged into PSK modes, which
   302  // are supported via this interface.
   303  type ClientSessionCache interface {
   304  	// Get searches for a ClientSessionState associated with the given key.
   305  	// On return, ok is true if one was found.
   306  	Get(sessionKey string) (session *ClientSessionState, ok bool)
   307  
   308  	// Put adds the ClientSessionState to the cache with the given key. It might
   309  	// get called multiple times in a connection if a TLS 1.3 server provides
   310  	// more than one session ticket. If called with a nil *ClientSessionState,
   311  	// it should remove the cache entry.
   312  	Put(sessionKey string, cs *ClientSessionState)
   313  }
   314  
   315  // SignatureScheme identifies a signature algorithm supported by TLS. See
   316  // RFC 8446, Section 4.2.3.
   317  type SignatureScheme uint16
   318  
   319  const (
   320  	// RSASSA-PKCS1-v1_5 algorithms.
   321  	PKCS1WithSHA256 SignatureScheme = 0x0401
   322  	PKCS1WithSHA384 SignatureScheme = 0x0501
   323  	PKCS1WithSHA512 SignatureScheme = 0x0601
   324  
   325  	// RSASSA-PSS algorithms with public key OID rsaEncryption.
   326  	PSSWithSHA256 SignatureScheme = 0x0804
   327  	PSSWithSHA384 SignatureScheme = 0x0805
   328  	PSSWithSHA512 SignatureScheme = 0x0806
   329  
   330  	// ECDSA algorithms. Only constrained to a specific curve in TLS 1.3.
   331  	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
   332  	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
   333  	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603
   334  
   335  	// EdDSA algorithms.
   336  	Ed25519 SignatureScheme = 0x0807
   337  
   338  	// Legacy signature and hash algorithms for TLS 1.2.
   339  	PKCS1WithSHA1 SignatureScheme = 0x0201
   340  	ECDSAWithSHA1 SignatureScheme = 0x0203
   341  )
   342  
   343  // ClientHelloInfo contains information from a ClientHello message in order to
   344  // guide certificate selection in the GetCertificate callback.
   345  type ClientHelloInfo struct {
   346  	// CipherSuites lists the CipherSuites supported by the client (e.g.
   347  	// TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).
   348  	CipherSuites []uint16
   349  
   350  	// ServerName indicates the name of the server requested by the client
   351  	// in order to support virtual hosting. ServerName is only set if the
   352  	// client is using SNI (see RFC 4366, Section 3.1).
   353  	ServerName string
   354  
   355  	// SupportedCurves lists the elliptic curves supported by the client.
   356  	// SupportedCurves is set only if the Supported Elliptic Curves
   357  	// Extension is being used (see RFC 4492, Section 5.1.1).
   358  	SupportedCurves []CurveID
   359  
   360  	// SupportedPoints lists the point formats supported by the client.
   361  	// SupportedPoints is set only if the Supported Point Formats Extension
   362  	// is being used (see RFC 4492, Section 5.1.2).
   363  	SupportedPoints []uint8
   364  
   365  	// SignatureSchemes lists the signature and hash schemes that the client
   366  	// is willing to verify. SignatureSchemes is set only if the Signature
   367  	// Algorithms Extension is being used (see RFC 5246, Section 7.4.1.4.1).
   368  	SignatureSchemes []SignatureScheme
   369  
   370  	// SupportedProtos lists the application protocols supported by the client.
   371  	// SupportedProtos is set only if the Application-Layer Protocol
   372  	// Negotiation Extension is being used (see RFC 7301, Section 3.1).
   373  	//
   374  	// Servers can select a protocol by setting Config.NextProtos in a
   375  	// GetConfigForClient return value.
   376  	SupportedProtos []string
   377  
   378  	// SupportedVersions lists the TLS versions supported by the client.
   379  	// For TLS versions less than 1.3, this is extrapolated from the max
   380  	// version advertised by the client, so values other than the greatest
   381  	// might be rejected if used.
   382  	SupportedVersions []uint16
   383  
   384  	// Conn is the underlying net.Conn for the connection. Do not read
   385  	// from, or write to, this connection; that will cause the TLS
   386  	// connection to fail.
   387  	Conn net.Conn
   388  }
   389  
   390  // CertificateRequestInfo contains information from a server's
   391  // CertificateRequest message, which is used to demand a certificate and proof
   392  // of control from a client.
   393  type CertificateRequestInfo struct {
   394  	// AcceptableCAs contains zero or more, DER-encoded, X.501
   395  	// Distinguished Names. These are the names of root or intermediate CAs
   396  	// that the server wishes the returned certificate to be signed by. An
   397  	// empty slice indicates that the server has no preference.
   398  	AcceptableCAs [][]byte
   399  
   400  	// SignatureSchemes lists the signature schemes that the server is
   401  	// willing to verify.
   402  	SignatureSchemes []SignatureScheme
   403  }
   404  
   405  // RenegotiationSupport enumerates the different levels of support for TLS
   406  // renegotiation. TLS renegotiation is the act of performing subsequent
   407  // handshakes on a connection after the first. This significantly complicates
   408  // the state machine and has been the source of numerous, subtle security
   409  // issues. Initiating a renegotiation is not supported, but support for
   410  // accepting renegotiation requests may be enabled.
   411  //
   412  // Even when enabled, the server may not change its identity between handshakes
   413  // (i.e. the leaf certificate must be the same). Additionally, concurrent
   414  // handshake and application data flow is not permitted so renegotiation can
   415  // only be used with protocols that synchronise with the renegotiation, such as
   416  // HTTPS.
   417  //
   418  // Renegotiation is not defined in TLS 1.3.
   419  type RenegotiationSupport int
   420  
   421  const (
   422  	// RenegotiateNever disables renegotiation.
   423  	RenegotiateNever RenegotiationSupport = iota
   424  
   425  	// RenegotiateOnceAsClient allows a remote server to request
   426  	// renegotiation once per connection.
   427  	RenegotiateOnceAsClient
   428  
   429  	// RenegotiateFreelyAsClient allows a remote server to repeatedly
   430  	// request renegotiation.
   431  	RenegotiateFreelyAsClient
   432  )
   433  
   434  // A Config structure is used to configure a TLS client or server.
   435  // After one has been passed to a TLS function it must not be
   436  // modified. A Config may be reused; the tls package will also not
   437  // modify it.
   438  type Config struct {
   439  	// Rand provides the source of entropy for nonces and RSA blinding.
   440  	// If Rand is nil, TLS uses the cryptographic random reader in package
   441  	// crypto/rand.
   442  	// The Reader must be safe for use by multiple goroutines.
   443  	Rand io.Reader
   444  
   445  	// Time returns the current time as the number of seconds since the epoch.
   446  	// If Time is nil, TLS uses time.Now.
   447  	Time func() time.Time
   448  
   449  	// Certificates contains one or more certificate chains to present to
   450  	// the other side of the connection. Server configurations must include
   451  	// at least one certificate or else set GetCertificate. Clients doing
   452  	// client-authentication may set either Certificates or
   453  	// GetClientCertificate.
   454  	Certificates []Certificate
   455  
   456  	// NameToCertificate maps from a certificate name to an element of
   457  	// Certificates. Note that a certificate name can be of the form
   458  	// '*.example.com' and so doesn't have to be a domain name as such.
   459  	// See Config.BuildNameToCertificate
   460  	// The nil value causes the first element of Certificates to be used
   461  	// for all connections.
   462  	NameToCertificate map[string]*Certificate
   463  
   464  	// GetCertificate returns a Certificate based on the given
   465  	// ClientHelloInfo. It will only be called if the client supplies SNI
   466  	// information or if Certificates is empty.
   467  	//
   468  	// If GetCertificate is nil or returns nil, then the certificate is
   469  	// retrieved from NameToCertificate. If NameToCertificate is nil, the
   470  	// first element of Certificates will be used.
   471  	GetCertificate func(*ClientHelloInfo) (*Certificate, error)
   472  
   473  	// GetClientCertificate, if not nil, is called when a server requests a
   474  	// certificate from a client. If set, the contents of Certificates will
   475  	// be ignored.
   476  	//
   477  	// If GetClientCertificate returns an error, the handshake will be
   478  	// aborted and that error will be returned. Otherwise
   479  	// GetClientCertificate must return a non-nil Certificate. If
   480  	// Certificate.Certificate is empty then no certificate will be sent to
   481  	// the server. If this is unacceptable to the server then it may abort
   482  	// the handshake.
   483  	//
   484  	// GetClientCertificate may be called multiple times for the same
   485  	// connection if renegotiation occurs or if TLS 1.3 is in use.
   486  	GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
   487  
   488  	// GetConfigForClient, if not nil, is called after a ClientHello is
   489  	// received from a client. It may return a non-nil Config in order to
   490  	// change the Config that will be used to handle this connection. If
   491  	// the returned Config is nil, the original Config will be used. The
   492  	// Config returned by this callback may not be subsequently modified.
   493  	//
   494  	// If GetConfigForClient is nil, the Config passed to Server() will be
   495  	// used for all connections.
   496  	//
   497  	// Uniquely for the fields in the returned Config, session ticket keys
   498  	// will be duplicated from the original Config if not set.
   499  	// Specifically, if SetSessionTicketKeys was called on the original
   500  	// config but not on the returned config then the ticket keys from the
   501  	// original config will be copied into the new config before use.
   502  	// Otherwise, if SessionTicketKey was set in the original config but
   503  	// not in the returned config then it will be copied into the returned
   504  	// config before use. If neither of those cases applies then the key
   505  	// material from the returned config will be used for session tickets.
   506  	GetConfigForClient func(*ClientHelloInfo) (*Config, error)
   507  
   508  	// VerifyPeerCertificate, if not nil, is called after normal
   509  	// certificate verification by either a TLS client or server. It
   510  	// receives the raw ASN.1 certificates provided by the peer and also
   511  	// any verified chains that normal processing found. If it returns a
   512  	// non-nil error, the handshake is aborted and that error results.
   513  	//
   514  	// If normal verification fails then the handshake will abort before
   515  	// considering this callback. If normal verification is disabled by
   516  	// setting InsecureSkipVerify, or (for a server) when ClientAuth is
   517  	// RequestClientCert or RequireAnyClientCert, then this callback will
   518  	// be considered but the verifiedChains argument will always be nil.
   519  	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
   520  
   521  	// RootCAs defines the set of root certificate authorities
   522  	// that clients use when verifying server certificates.
   523  	// If RootCAs is nil, TLS uses the host's root CA set.
   524  	RootCAs *x509.CertPool
   525  
   526  	// NextProtos is a list of supported application level protocols, in
   527  	// order of preference.
   528  	NextProtos []string
   529  
   530  	// ServerName is used to verify the hostname on the returned
   531  	// certificates unless InsecureSkipVerify is given. It is also included
   532  	// in the client's handshake to support virtual hosting unless it is
   533  	// an IP address.
   534  	ServerName string
   535  
   536  	// ClientAuth determines the server's policy for
   537  	// TLS Client Authentication. The default is NoClientCert.
   538  	ClientAuth ClientAuthType
   539  
   540  	// ClientCAs defines the set of root certificate authorities
   541  	// that servers use if required to verify a client certificate
   542  	// by the policy in ClientAuth.
   543  	ClientCAs *x509.CertPool
   544  
   545  	// InsecureSkipVerify controls whether a client verifies the
   546  	// server's certificate chain and host name.
   547  	// If InsecureSkipVerify is true, TLS accepts any certificate
   548  	// presented by the server and any host name in that certificate.
   549  	// In this mode, TLS is susceptible to man-in-the-middle attacks.
   550  	// This should be used only for testing.
   551  	InsecureSkipVerify bool
   552  
   553  	// CipherSuites is a list of supported cipher suites for TLS versions up to
   554  	// TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites
   555  	// is used, with a preference order based on hardware performance. The
   556  	// default cipher suites might change over Go versions. Note that TLS 1.3
   557  	// ciphersuites are not configurable.
   558  	CipherSuites []uint16
   559  
   560  	// PreferServerCipherSuites controls whether the server selects the
   561  	// client's most preferred ciphersuite, or the server's most preferred
   562  	// ciphersuite. If true then the server's preference, as expressed in
   563  	// the order of elements in CipherSuites, is used.
   564  	PreferServerCipherSuites bool
   565  
   566  	// SessionTicketsDisabled may be set to true to disable session ticket and
   567  	// PSK (resumption) support. Note that on clients, session ticket support is
   568  	// also disabled if ClientSessionCache is nil.
   569  	SessionTicketsDisabled bool
   570  
   571  	// SessionTicketKey is used by TLS servers to provide session resumption.
   572  	// See RFC 5077 and the PSK mode of RFC 8446. If zero, it will be filled
   573  	// with random data before the first server handshake.
   574  	//
   575  	// If multiple servers are terminating connections for the same host
   576  	// they should all have the same SessionTicketKey. If the
   577  	// SessionTicketKey leaks, previously recorded and future TLS
   578  	// connections using that key might be compromised.
   579  	SessionTicketKey [32]byte
   580  
   581  	// ClientSessionCache is a cache of ClientSessionState entries for TLS
   582  	// session resumption. It is only used by clients.
   583  	ClientSessionCache ClientSessionCache
   584  
   585  	// MinVersion contains the minimum SSL/TLS version that is acceptable.
   586  	// If zero, then TLS 1.0 is taken as the minimum.
   587  	MinVersion uint16
   588  
   589  	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
   590  	// If zero, then the maximum version supported by this package is used,
   591  	// which is currently TLS 1.3.
   592  	MaxVersion uint16
   593  
   594  	// CurvePreferences contains the elliptic curves that will be used in
   595  	// an ECDHE handshake, in preference order. If empty, the default will
   596  	// be used. The client will use the first preference as the type for
   597  	// its key share in TLS 1.3. This may change in the future.
   598  	CurvePreferences []CurveID
   599  
   600  	// DynamicRecordSizingDisabled disables adaptive sizing of TLS records.
   601  	// When true, the largest possible TLS record size is always used. When
   602  	// false, the size of TLS records may be adjusted in an attempt to
   603  	// improve latency.
   604  	DynamicRecordSizingDisabled bool
   605  
   606  	// Renegotiation controls what types of renegotiation are supported.
   607  	// The default, none, is correct for the vast majority of applications.
   608  	Renegotiation RenegotiationSupport
   609  
   610  	// KeyLogWriter optionally specifies a destination for TLS master secrets
   611  	// in NSS key log format that can be used to allow external programs
   612  	// such as Wireshark to decrypt TLS connections.
   613  	// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
   614  	// Use of KeyLogWriter compromises security and should only be
   615  	// used for debugging.
   616  	KeyLogWriter io.Writer
   617  
   618  	serverInitOnce sync.Once // guards calling (*Config).serverInit
   619  
   620  	// mutex protects sessionTicketKeys.
   621  	mutex sync.RWMutex
   622  	// sessionTicketKeys contains zero or more ticket keys. If the length
   623  	// is zero, SessionTicketsDisabled must be true. The first key is used
   624  	// for new tickets and any subsequent keys can be used to decrypt old
   625  	// tickets.
   626  	sessionTicketKeys []ticketKey
   627  }
   628  
   629  // ticketKeyNameLen is the number of bytes of identifier that is prepended to
   630  // an encrypted session ticket in order to identify the key used to encrypt it.
   631  const ticketKeyNameLen = 16
   632  
   633  // ticketKey is the internal representation of a session ticket key.
   634  type ticketKey struct {
   635  	// keyName is an opaque byte string that serves to identify the session
   636  	// ticket key. It's exposed as plaintext in every session ticket.
   637  	keyName [ticketKeyNameLen]byte
   638  	aesKey  [16]byte
   639  	hmacKey [16]byte
   640  }
   641  
   642  // ticketKeyFromBytes converts from the external representation of a session
   643  // ticket key to a ticketKey. Externally, session ticket keys are 32 random
   644  // bytes and this function expands that into sufficient name and key material.
   645  func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
   646  	hashed := sha512.Sum512(b[:])
   647  	copy(key.keyName[:], hashed[:ticketKeyNameLen])
   648  	copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
   649  	copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
   650  	return key
   651  }
   652  
   653  // maxSessionTicketLifetime is the maximum allowed lifetime of a TLS 1.3 session
   654  // ticket, and the lifetime we set for tickets we send.
   655  const maxSessionTicketLifetime = 7 * 24 * time.Hour
   656  
   657  // Clone returns a shallow clone of c. It is safe to clone a Config that is
   658  // being used concurrently by a TLS client or server.
   659  func (c *Config) Clone() *Config {
   660  	// Running serverInit ensures that it's safe to read
   661  	// SessionTicketsDisabled.
   662  	c.serverInitOnce.Do(func() { c.serverInit(nil) })
   663  
   664  	var sessionTicketKeys []ticketKey
   665  	c.mutex.RLock()
   666  	sessionTicketKeys = c.sessionTicketKeys
   667  	c.mutex.RUnlock()
   668  
   669  	return &Config{
   670  		Rand:                        c.Rand,
   671  		Time:                        c.Time,
   672  		Certificates:                c.Certificates,
   673  		NameToCertificate:           c.NameToCertificate,
   674  		GetCertificate:              c.GetCertificate,
   675  		GetClientCertificate:        c.GetClientCertificate,
   676  		GetConfigForClient:          c.GetConfigForClient,
   677  		VerifyPeerCertificate:       c.VerifyPeerCertificate,
   678  		RootCAs:                     c.RootCAs,
   679  		NextProtos:                  c.NextProtos,
   680  		ServerName:                  c.ServerName,
   681  		ClientAuth:                  c.ClientAuth,
   682  		ClientCAs:                   c.ClientCAs,
   683  		InsecureSkipVerify:          c.InsecureSkipVerify,
   684  		CipherSuites:                c.CipherSuites,
   685  		PreferServerCipherSuites:    c.PreferServerCipherSuites,
   686  		SessionTicketsDisabled:      c.SessionTicketsDisabled,
   687  		SessionTicketKey:            c.SessionTicketKey,
   688  		ClientSessionCache:          c.ClientSessionCache,
   689  		MinVersion:                  c.MinVersion,
   690  		MaxVersion:                  c.MaxVersion,
   691  		CurvePreferences:            c.CurvePreferences,
   692  		DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
   693  		Renegotiation:               c.Renegotiation,
   694  		KeyLogWriter:                c.KeyLogWriter,
   695  		sessionTicketKeys:           sessionTicketKeys,
   696  	}
   697  }
   698  
   699  // serverInit is run under c.serverInitOnce to do initialization of c. If c was
   700  // returned by a GetConfigForClient callback then the argument should be the
   701  // Config that was passed to Server, otherwise it should be nil.
   702  func (c *Config) serverInit(originalConfig *Config) {
   703  	if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 {
   704  		return
   705  	}
   706  
   707  	alreadySet := false
   708  	for _, b := range c.SessionTicketKey {
   709  		if b != 0 {
   710  			alreadySet = true
   711  			break
   712  		}
   713  	}
   714  
   715  	if !alreadySet {
   716  		if originalConfig != nil {
   717  			copy(c.SessionTicketKey[:], originalConfig.SessionTicketKey[:])
   718  		} else if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
   719  			c.SessionTicketsDisabled = true
   720  			return
   721  		}
   722  	}
   723  
   724  	if originalConfig != nil {
   725  		originalConfig.mutex.RLock()
   726  		c.sessionTicketKeys = originalConfig.sessionTicketKeys
   727  		originalConfig.mutex.RUnlock()
   728  	} else {
   729  		c.sessionTicketKeys = []ticketKey{ticketKeyFromBytes(c.SessionTicketKey)}
   730  	}
   731  }
   732  
   733  func (c *Config) ticketKeys() []ticketKey {
   734  	c.mutex.RLock()
   735  	// c.sessionTicketKeys is constant once created. SetSessionTicketKeys
   736  	// will only update it by replacing it with a new value.
   737  	ret := c.sessionTicketKeys
   738  	c.mutex.RUnlock()
   739  	return ret
   740  }
   741  
   742  // SetSessionTicketKeys updates the session ticket keys for a server. The first
   743  // key will be used when creating new tickets, while all keys can be used for
   744  // decrypting tickets. It is safe to call this function while the server is
   745  // running in order to rotate the session ticket keys. The function will panic
   746  // if keys is empty.
   747  func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
   748  	if len(keys) == 0 {
   749  		panic("tls: keys must have at least one key")
   750  	}
   751  
   752  	newKeys := make([]ticketKey, len(keys))
   753  	for i, bytes := range keys {
   754  		newKeys[i] = ticketKeyFromBytes(bytes)
   755  	}
   756  
   757  	c.mutex.Lock()
   758  	c.sessionTicketKeys = newKeys
   759  	c.mutex.Unlock()
   760  }
   761  
   762  func (c *Config) rand() io.Reader {
   763  	r := c.Rand
   764  	if r == nil {
   765  		return rand.Reader
   766  	}
   767  	return r
   768  }
   769  
   770  func (c *Config) time() time.Time {
   771  	t := c.Time
   772  	if t == nil {
   773  		t = time.Now
   774  	}
   775  	return t()
   776  }
   777  
   778  func (c *Config) cipherSuites() []uint16 {
   779  	s := c.CipherSuites
   780  	if s == nil {
   781  		s = defaultCipherSuites()
   782  	}
   783  	return s
   784  }
   785  
   786  var supportedVersions = []uint16{
   787  	VersionTLS13,
   788  	VersionTLS12,
   789  	VersionTLS11,
   790  	VersionTLS10,
   791  	VersionSSL30,
   792  }
   793  
   794  func (c *Config) supportedVersions(isClient bool) []uint16 {
   795  	versions := make([]uint16, 0, len(supportedVersions))
   796  	for _, v := range supportedVersions {
   797  		// TLS 1.0 is the default minimum version.
   798  		if (c == nil || c.MinVersion == 0) && v < VersionTLS10 {
   799  			continue
   800  		}
   801  		if c != nil && c.MinVersion != 0 && v < c.MinVersion {
   802  			continue
   803  		}
   804  		if c != nil && c.MaxVersion != 0 && v > c.MaxVersion {
   805  			continue
   806  		}
   807  		// TLS 1.0 is the minimum version supported as a client.
   808  		if isClient && v < VersionTLS10 {
   809  			continue
   810  		}
   811  		// TLS 1.3 is opt-out in Go 1.13.
   812  		if v == VersionTLS13 && !isTLS13Supported() {
   813  			continue
   814  		}
   815  		versions = append(versions, v)
   816  	}
   817  	return versions
   818  }
   819  
   820  // tls13Support caches the result for isTLS13Supported.
   821  var tls13Support struct {
   822  	sync.Once
   823  	cached bool
   824  }
   825  
   826  // isTLS13Supported returns whether the program enabled TLS 1.3 by not opting
   827  // out with GODEBUG=tls13=0. It's cached after the first execution.
   828  func isTLS13Supported() bool {
   829  	tls13Support.Do(func() {
   830  		tls13Support.cached = goDebugString("tls13") != "0"
   831  	})
   832  	return tls13Support.cached
   833  }
   834  
   835  // goDebugString returns the value of the named GODEBUG key.
   836  // GODEBUG is of the form "key=val,key2=val2".
   837  func goDebugString(key string) string {
   838  	s := os.Getenv("GODEBUG")
   839  	for i := 0; i < len(s)-len(key)-1; i++ {
   840  		if i > 0 && s[i-1] != ',' {
   841  			continue
   842  		}
   843  		afterKey := s[i+len(key):]
   844  		if afterKey[0] != '=' || s[i:i+len(key)] != key {
   845  			continue
   846  		}
   847  		val := afterKey[1:]
   848  		for i, b := range val {
   849  			if b == ',' {
   850  				return val[:i]
   851  			}
   852  		}
   853  		return val
   854  	}
   855  	return ""
   856  }
   857  
   858  func (c *Config) maxSupportedVersion(isClient bool) uint16 {
   859  	supportedVersions := c.supportedVersions(isClient)
   860  	if len(supportedVersions) == 0 {
   861  		return 0
   862  	}
   863  	return supportedVersions[0]
   864  }
   865  
   866  // supportedVersionsFromMax returns a list of supported versions derived from a
   867  // legacy maximum version value. Note that only versions supported by this
   868  // library are returned. Any newer peer will use supportedVersions anyway.
   869  func supportedVersionsFromMax(maxVersion uint16) []uint16 {
   870  	versions := make([]uint16, 0, len(supportedVersions))
   871  	for _, v := range supportedVersions {
   872  		if v > maxVersion {
   873  			continue
   874  		}
   875  		versions = append(versions, v)
   876  	}
   877  	return versions
   878  }
   879  
   880  var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521}
   881  
   882  func (c *Config) curvePreferences() []CurveID {
   883  	if c == nil || len(c.CurvePreferences) == 0 {
   884  		return defaultCurvePreferences
   885  	}
   886  	return c.CurvePreferences
   887  }
   888  
   889  // mutualVersion returns the protocol version to use given the advertised
   890  // versions of the peer. Priority is given to the peer preference order.
   891  func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool) {
   892  	supportedVersions := c.supportedVersions(isClient)
   893  	for _, peerVersion := range peerVersions {
   894  		for _, v := range supportedVersions {
   895  			if v == peerVersion {
   896  				return v, true
   897  			}
   898  		}
   899  	}
   900  	return 0, false
   901  }
   902  
   903  // getCertificate returns the best certificate for the given ClientHelloInfo,
   904  // defaulting to the first element of c.Certificates.
   905  func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) {
   906  	if c.GetCertificate != nil &&
   907  		(len(c.Certificates) == 0 || len(clientHello.ServerName) > 0) {
   908  		cert, err := c.GetCertificate(clientHello)
   909  		if cert != nil || err != nil {
   910  			return cert, err
   911  		}
   912  	}
   913  
   914  	if len(c.Certificates) == 0 {
   915  		return nil, errors.New("tls: no certificates configured")
   916  	}
   917  
   918  	if len(c.Certificates) == 1 || c.NameToCertificate == nil {
   919  		// There's only one choice, so no point doing any work.
   920  		return &c.Certificates[0], nil
   921  	}
   922  
   923  	name := strings.ToLower(clientHello.ServerName)
   924  	for len(name) > 0 && name[len(name)-1] == '.' {
   925  		name = name[:len(name)-1]
   926  	}
   927  
   928  	if cert, ok := c.NameToCertificate[name]; ok {
   929  		return cert, nil
   930  	}
   931  
   932  	// try replacing labels in the name with wildcards until we get a
   933  	// match.
   934  	labels := strings.Split(name, ".")
   935  	for i := range labels {
   936  		labels[i] = "*"
   937  		candidate := strings.Join(labels, ".")
   938  		if cert, ok := c.NameToCertificate[candidate]; ok {
   939  			return cert, nil
   940  		}
   941  	}
   942  
   943  	// If nothing matches, return the first certificate.
   944  	return &c.Certificates[0], nil
   945  }
   946  
   947  // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
   948  // from the CommonName and SubjectAlternateName fields of each of the leaf
   949  // certificates.
   950  func (c *Config) BuildNameToCertificate() {
   951  	c.NameToCertificate = make(map[string]*Certificate)
   952  	for i := range c.Certificates {
   953  		cert := &c.Certificates[i]
   954  		x509Cert := cert.Leaf
   955  		if x509Cert == nil {
   956  			var err error
   957  			x509Cert, err = x509.ParseCertificate(cert.Certificate[0])
   958  			if err != nil {
   959  				continue
   960  			}
   961  		}
   962  		if len(x509Cert.Subject.CommonName) > 0 {
   963  			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
   964  		}
   965  		for _, san := range x509Cert.DNSNames {
   966  			c.NameToCertificate[san] = cert
   967  		}
   968  	}
   969  }
   970  
   971  const (
   972  	keyLogLabelTLS12           = "CLIENT_RANDOM"
   973  	keyLogLabelClientHandshake = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
   974  	keyLogLabelServerHandshake = "SERVER_HANDSHAKE_TRAFFIC_SECRET"
   975  	keyLogLabelClientTraffic   = "CLIENT_TRAFFIC_SECRET_0"
   976  	keyLogLabelServerTraffic   = "SERVER_TRAFFIC_SECRET_0"
   977  )
   978  
   979  func (c *Config) writeKeyLog(label string, clientRandom, secret []byte) error {
   980  	if c.KeyLogWriter == nil {
   981  		return nil
   982  	}
   983  
   984  	logLine := []byte(fmt.Sprintf("%s %x %x\n", label, clientRandom, secret))
   985  
   986  	writerMutex.Lock()
   987  	_, err := c.KeyLogWriter.Write(logLine)
   988  	writerMutex.Unlock()
   989  
   990  	return err
   991  }
   992  
   993  // writerMutex protects all KeyLogWriters globally. It is rarely enabled,
   994  // and is only for debugging, so a global mutex saves space.
   995  var writerMutex sync.Mutex
   996  
   997  // A Certificate is a chain of one or more certificates, leaf first.
   998  type Certificate struct {
   999  	Certificate [][]byte
  1000  	// PrivateKey contains the private key corresponding to the public key in
  1001  	// Leaf. This must implement crypto.Signer with an RSA, ECDSA or Ed25519 PublicKey.
  1002  	// For a server up to TLS 1.2, it can also implement crypto.Decrypter with
  1003  	// an RSA PublicKey.
  1004  	PrivateKey crypto.PrivateKey
  1005  	// OCSPStaple contains an optional OCSP response which will be served
  1006  	// to clients that request it.
  1007  	OCSPStaple []byte
  1008  	// SignedCertificateTimestamps contains an optional list of Signed
  1009  	// Certificate Timestamps which will be served to clients that request it.
  1010  	SignedCertificateTimestamps [][]byte
  1011  	// Leaf is the parsed form of the leaf certificate, which may be
  1012  	// initialized using x509.ParseCertificate to reduce per-handshake
  1013  	// processing for TLS clients doing client authentication. If nil, the
  1014  	// leaf certificate will be parsed as needed.
  1015  	Leaf *x509.Certificate
  1016  }
  1017  
  1018  type handshakeMessage interface {
  1019  	marshal() []byte
  1020  	unmarshal([]byte) bool
  1021  }
  1022  
  1023  // lruSessionCache is a ClientSessionCache implementation that uses an LRU
  1024  // caching strategy.
  1025  type lruSessionCache struct {
  1026  	sync.Mutex
  1027  
  1028  	m        map[string]*list.Element
  1029  	q        *list.List
  1030  	capacity int
  1031  }
  1032  
  1033  type lruSessionCacheEntry struct {
  1034  	sessionKey string
  1035  	state      *ClientSessionState
  1036  }
  1037  
  1038  // NewLRUClientSessionCache returns a ClientSessionCache with the given
  1039  // capacity that uses an LRU strategy. If capacity is < 1, a default capacity
  1040  // is used instead.
  1041  func NewLRUClientSessionCache(capacity int) ClientSessionCache {
  1042  	const defaultSessionCacheCapacity = 64
  1043  
  1044  	if capacity < 1 {
  1045  		capacity = defaultSessionCacheCapacity
  1046  	}
  1047  	return &lruSessionCache{
  1048  		m:        make(map[string]*list.Element),
  1049  		q:        list.New(),
  1050  		capacity: capacity,
  1051  	}
  1052  }
  1053  
  1054  // Put adds the provided (sessionKey, cs) pair to the cache. If cs is nil, the entry
  1055  // corresponding to sessionKey is removed from the cache instead.
  1056  func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) {
  1057  	c.Lock()
  1058  	defer c.Unlock()
  1059  
  1060  	if elem, ok := c.m[sessionKey]; ok {
  1061  		if cs == nil {
  1062  			c.q.Remove(elem)
  1063  			delete(c.m, sessionKey)
  1064  		} else {
  1065  			entry := elem.Value.(*lruSessionCacheEntry)
  1066  			entry.state = cs
  1067  			c.q.MoveToFront(elem)
  1068  		}
  1069  		return
  1070  	}
  1071  
  1072  	if c.q.Len() < c.capacity {
  1073  		entry := &lruSessionCacheEntry{sessionKey, cs}
  1074  		c.m[sessionKey] = c.q.PushFront(entry)
  1075  		return
  1076  	}
  1077  
  1078  	elem := c.q.Back()
  1079  	entry := elem.Value.(*lruSessionCacheEntry)
  1080  	delete(c.m, entry.sessionKey)
  1081  	entry.sessionKey = sessionKey
  1082  	entry.state = cs
  1083  	c.q.MoveToFront(elem)
  1084  	c.m[sessionKey] = elem
  1085  }
  1086  
  1087  // Get returns the ClientSessionState value associated with a given key. It
  1088  // returns (nil, false) if no value is found.
  1089  func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
  1090  	c.Lock()
  1091  	defer c.Unlock()
  1092  
  1093  	if elem, ok := c.m[sessionKey]; ok {
  1094  		c.q.MoveToFront(elem)
  1095  		return elem.Value.(*lruSessionCacheEntry).state, true
  1096  	}
  1097  	return nil, false
  1098  }
  1099  
  1100  // TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
  1101  type dsaSignature struct {
  1102  	R, S *big.Int
  1103  }
  1104  
  1105  type ecdsaSignature dsaSignature
  1106  
  1107  var emptyConfig Config
  1108  
  1109  func defaultConfig() *Config {
  1110  	return &emptyConfig
  1111  }
  1112  
  1113  var (
  1114  	once                        sync.Once
  1115  	varDefaultCipherSuites      []uint16
  1116  	varDefaultCipherSuitesTLS13 []uint16
  1117  )
  1118  
  1119  func defaultCipherSuites() []uint16 {
  1120  	once.Do(initDefaultCipherSuites)
  1121  	return varDefaultCipherSuites
  1122  }
  1123  
  1124  func defaultCipherSuitesTLS13() []uint16 {
  1125  	once.Do(initDefaultCipherSuites)
  1126  	return varDefaultCipherSuitesTLS13
  1127  }
  1128  
  1129  func initDefaultCipherSuites() {
  1130  	var topCipherSuites []uint16
  1131  
  1132  	// Check the cpu flags for each platform that has optimized GCM implementations.
  1133  	// Worst case, these variables will just all be false.
  1134  	var (
  1135  		hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
  1136  		hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
  1137  		// Keep in sync with crypto/aes/cipher_s390x.go.
  1138  		hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
  1139  
  1140  		hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
  1141  	)
  1142  
  1143  	if hasGCMAsm {
  1144  		// If AES-GCM hardware is provided then prioritise AES-GCM
  1145  		// cipher suites.
  1146  		topCipherSuites = []uint16{
  1147  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1148  			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1149  			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1150  			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  1151  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1152  			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1153  		}
  1154  		varDefaultCipherSuitesTLS13 = []uint16{
  1155  			TLS_AES_128_GCM_SHA256,
  1156  			TLS_CHACHA20_POLY1305_SHA256,
  1157  			TLS_AES_256_GCM_SHA384,
  1158  		}
  1159  	} else {
  1160  		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
  1161  		// cipher suites first.
  1162  		topCipherSuites = []uint16{
  1163  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1164  			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1165  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1166  			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1167  			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1168  			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  1169  		}
  1170  		varDefaultCipherSuitesTLS13 = []uint16{
  1171  			TLS_CHACHA20_POLY1305_SHA256,
  1172  			TLS_AES_128_GCM_SHA256,
  1173  			TLS_AES_256_GCM_SHA384,
  1174  		}
  1175  	}
  1176  
  1177  	varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))
  1178  	varDefaultCipherSuites = append(varDefaultCipherSuites, topCipherSuites...)
  1179  
  1180  NextCipherSuite:
  1181  	for _, suite := range cipherSuites {
  1182  		if suite.flags&suiteDefaultOff != 0 {
  1183  			continue
  1184  		}
  1185  		for _, existing := range varDefaultCipherSuites {
  1186  			if existing == suite.id {
  1187  				continue NextCipherSuite
  1188  			}
  1189  		}
  1190  		varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
  1191  	}
  1192  }
  1193  
  1194  func unexpectedMessageError(wanted, got interface{}) error {
  1195  	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
  1196  }
  1197  
  1198  func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool {
  1199  	for _, s := range supportedSignatureAlgorithms {
  1200  		if s == sigAlg {
  1201  			return true
  1202  		}
  1203  	}
  1204  	return false
  1205  }
  1206  
  1207  // signatureFromSignatureScheme maps a signature algorithm to the underlying
  1208  // signature method (without hash function).
  1209  func signatureFromSignatureScheme(signatureAlgorithm SignatureScheme) uint8 {
  1210  	switch signatureAlgorithm {
  1211  	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
  1212  		return signaturePKCS1v15
  1213  	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
  1214  		return signatureRSAPSS
  1215  	case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
  1216  		return signatureECDSA
  1217  	case Ed25519:
  1218  		return signatureEd25519
  1219  	default:
  1220  		return 0
  1221  	}
  1222  }
  1223  

View as plain text