github.com/icodeface/tls@v0.0.0-20230910023335-34df9250cd12/common.go (about)

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"container/list"
     9  	"crypto"
    10  	"crypto/rand"
    11  	"crypto/sha512"
    12  	"crypto/x509"
    13  	"errors"
    14  	"fmt"
    15  	"github.com/icodeface/tls/internal/cpu"
    16  	"io"
    17  	"math/big"
    18  	"net"
    19  	"os"
    20  	"strings"
    21  	"sync"
    22  	"time"
    23  )
    24  
    25  const (
    26  	VersionSSL30 = 0x0300
    27  	VersionTLS10 = 0x0301
    28  	VersionTLS11 = 0x0302
    29  	VersionTLS12 = 0x0303
    30  	VersionTLS13 = 0x0304
    31  )
    32  
    33  const (
    34  	maxPlaintext       = 16384        // maximum plaintext payload length
    35  	maxCiphertext      = 16384 + 2048 // maximum ciphertext payload length
    36  	maxCiphertextTLS13 = 16384 + 256  // maximum ciphertext length in TLS 1.3
    37  	recordHeaderLen    = 5            // record header length
    38  	maxHandshake       = 65536        // maximum handshake we support (protocol max is 16 MB)
    39  	maxUselessRecords  = 16           // maximum number of consecutive non-advancing records
    40  )
    41  
    42  // TLS record types.
    43  type recordType uint8
    44  
    45  const (
    46  	recordTypeChangeCipherSpec recordType = 20
    47  	recordTypeAlert            recordType = 21
    48  	recordTypeHandshake        recordType = 22
    49  	recordTypeApplicationData  recordType = 23
    50  )
    51  
    52  // TLS handshake message types.
    53  const (
    54  	typeHelloRequest        uint8 = 0
    55  	typeClientHello         uint8 = 1
    56  	typeServerHello         uint8 = 2
    57  	typeNewSessionTicket    uint8 = 4
    58  	typeEndOfEarlyData      uint8 = 5
    59  	typeEncryptedExtensions uint8 = 8
    60  	typeCertificate         uint8 = 11
    61  	typeServerKeyExchange   uint8 = 12
    62  	typeCertificateRequest  uint8 = 13
    63  	typeServerHelloDone     uint8 = 14
    64  	typeCertificateVerify   uint8 = 15
    65  	typeClientKeyExchange   uint8 = 16
    66  	typeFinished            uint8 = 20
    67  	typeCertificateStatus   uint8 = 22
    68  	typeKeyUpdate           uint8 = 24
    69  	typeNextProtocol        uint8 = 67  // Not IANA assigned
    70  	typeMessageHash         uint8 = 254 // synthetic message
    71  )
    72  
    73  // TLS compression types.
    74  const (
    75  	compressionNone uint8 = 0
    76  )
    77  
    78  // TLS extension numbers
    79  const (
    80  	extensionServerName              uint16 = 0
    81  	extensionStatusRequest           uint16 = 5
    82  	extensionSupportedCurves         uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7
    83  	extensionSupportedPoints         uint16 = 11
    84  	extensionSignatureAlgorithms     uint16 = 13
    85  	extensionALPN                    uint16 = 16
    86  	extensionSCT                     uint16 = 18
    87  	extensionSessionTicket           uint16 = 35
    88  	extensionPreSharedKey            uint16 = 41
    89  	extensionEarlyData               uint16 = 42
    90  	extensionSupportedVersions       uint16 = 43
    91  	extensionCookie                  uint16 = 44
    92  	extensionPSKModes                uint16 = 45
    93  	extensionCertificateAuthorities  uint16 = 47
    94  	extensionSignatureAlgorithmsCert uint16 = 50
    95  	extensionKeyShare                uint16 = 51
    96  	extensionNextProtoNeg            uint16 = 13172 // not IANA assigned
    97  	extensionRenegotiationInfo       uint16 = 0xff01
    98  )
    99  
   100  // TLS signaling cipher suite values
   101  const (
   102  	scsvRenegotiation uint16 = 0x00ff
   103  )
   104  
   105  // CurveID is the type of a TLS identifier for an elliptic curve. See
   106  // https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
   107  //
   108  // In TLS 1.3, this type is called NamedGroup, but at this time this library
   109  // only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.
   110  type CurveID uint16
   111  
   112  const (
   113  	CurveP256 CurveID = 23
   114  	CurveP384 CurveID = 24
   115  	CurveP521 CurveID = 25
   116  	X25519    CurveID = 29
   117  )
   118  
   119  // TLS 1.3 Key Share. See RFC 8446, Section 4.2.8.
   120  type keyShare struct {
   121  	group CurveID
   122  	data  []byte
   123  }
   124  
   125  // TLS 1.3 PSK Key Exchange Modes. See RFC 8446, Section 4.2.9.
   126  const (
   127  	pskModePlain uint8 = 0
   128  	pskModeDHE   uint8 = 1
   129  )
   130  
   131  // TLS 1.3 PSK Identity. Can be a Session Ticket, or a reference to a saved
   132  // session. See RFC 8446, Section 4.2.11.
   133  type pskIdentity struct {
   134  	label               []byte
   135  	obfuscatedTicketAge uint32
   136  }
   137  
   138  // TLS Elliptic Curve Point Formats
   139  // https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
   140  const (
   141  	pointFormatUncompressed uint8 = 0
   142  )
   143  
   144  // TLS CertificateStatusType (RFC 3546)
   145  const (
   146  	statusTypeOCSP uint8 = 1
   147  )
   148  
   149  // Certificate types (for certificateRequestMsg)
   150  const (
   151  	certTypeRSASign   = 1
   152  	certTypeECDSASign = 64 // RFC 4492, Section 5.5
   153  )
   154  
   155  // Signature algorithms (for internal signaling use). Starting at 16 to avoid overlap with
   156  // TLS 1.2 codepoints (RFC 5246, Appendix A.4.1), with which these have nothing to do.
   157  const (
   158  	signaturePKCS1v15 uint8 = iota + 16
   159  	signatureECDSA
   160  	signatureRSAPSS
   161  )
   162  
   163  // supportedSignatureAlgorithms contains the signature and hash algorithms that
   164  // the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
   165  // CertificateRequest. The two fields are merged to match with TLS 1.3.
   166  // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
   167  var supportedSignatureAlgorithms = []SignatureScheme{
   168  	PSSWithSHA256,
   169  	PSSWithSHA384,
   170  	PSSWithSHA512,
   171  	PKCS1WithSHA256,
   172  	ECDSAWithP256AndSHA256,
   173  	PKCS1WithSHA384,
   174  	ECDSAWithP384AndSHA384,
   175  	PKCS1WithSHA512,
   176  	ECDSAWithP521AndSHA512,
   177  	PKCS1WithSHA1,
   178  	ECDSAWithSHA1,
   179  }
   180  
   181  // RSA-PSS is disabled in TLS 1.2 for Go 1.12. See Issue 30055.
   182  var supportedSignatureAlgorithmsTLS12 = supportedSignatureAlgorithms[3:]
   183  
   184  // helloRetryRequestRandom is set as the Random value of a ServerHello
   185  // to signal that the message is actually a HelloRetryRequest.
   186  var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3.
   187  	0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
   188  	0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
   189  	0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
   190  	0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C,
   191  }
   192  
   193  const (
   194  	// downgradeCanaryTLS12 or downgradeCanaryTLS11 is embedded in the server
   195  	// random as a downgrade protection if the server would be capable of
   196  	// negotiating a higher version. See RFC 8446, Section 4.1.3.
   197  	downgradeCanaryTLS12 = "DOWNGRD\x01"
   198  	downgradeCanaryTLS11 = "DOWNGRD\x00"
   199  )
   200  
   201  // ConnectionState records basic TLS details about the connection.
   202  type ConnectionState struct {
   203  	Version                     uint16                // TLS version used by the connection (e.g. VersionTLS12)
   204  	HandshakeComplete           bool                  // TLS handshake is complete
   205  	DidResume                   bool                  // connection resumes a previous TLS connection
   206  	CipherSuite                 uint16                // cipher suite in use (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ...)
   207  	NegotiatedProtocol          string                // negotiated next protocol (not guaranteed to be from Config.NextProtos)
   208  	NegotiatedProtocolIsMutual  bool                  // negotiated protocol was advertised by server (client side only)
   209  	ServerName                  string                // server name requested by client, if any (server side only)
   210  	PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
   211  	VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates
   212  	SignedCertificateTimestamps [][]byte              // SCTs from the peer, if any
   213  	OCSPResponse                []byte                // stapled OCSP response from peer, if any
   214  
   215  	// ekm is a closure exposed via ExportKeyingMaterial.
   216  	ekm func(label string, context []byte, length int) ([]byte, error)
   217  
   218  	// TLSUnique contains the "tls-unique" channel binding value (see RFC
   219  	// 5929, section 3). For resumed sessions this value will be nil
   220  	// because resumption does not include enough context (see
   221  	// https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will
   222  	// change in future versions of Go once the TLS master-secret fix has
   223  	// been standardized and implemented. It is not defined in TLS 1.3.
   224  	TLSUnique []byte
   225  }
   226  
   227  // ExportKeyingMaterial returns length bytes of exported key material in a new
   228  // slice as defined in RFC 5705. If context is nil, it is not used as part of
   229  // the seed. If the connection was set to allow renegotiation via
   230  // Config.Renegotiation, this function will return an error.
   231  func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) {
   232  	return cs.ekm(label, context, length)
   233  }
   234  
   235  // ClientAuthType declares the policy the server will follow for
   236  // TLS Client Authentication.
   237  type ClientAuthType int
   238  
   239  const (
   240  	NoClientCert ClientAuthType = iota
   241  	RequestClientCert
   242  	RequireAnyClientCert
   243  	VerifyClientCertIfGiven
   244  	RequireAndVerifyClientCert
   245  )
   246  
   247  // requiresClientCert reports whether the ClientAuthType requires a client
   248  // certificate to be provided.
   249  func requiresClientCert(c ClientAuthType) bool {
   250  	switch c {
   251  	case RequireAnyClientCert, RequireAndVerifyClientCert:
   252  		return true
   253  	default:
   254  		return false
   255  	}
   256  }
   257  
   258  // ClientSessionState contains the state needed by clients to resume TLS
   259  // sessions.
   260  type ClientSessionState struct {
   261  	sessionTicket      []uint8               // Encrypted ticket used for session resumption with server
   262  	vers               uint16                // SSL/TLS version negotiated for the session
   263  	cipherSuite        uint16                // Ciphersuite negotiated for the session
   264  	masterSecret       []byte                // Full handshake MasterSecret, or TLS 1.3 resumption_master_secret
   265  	serverCertificates []*x509.Certificate   // Certificate chain presented by the server
   266  	verifiedChains     [][]*x509.Certificate // Certificate chains we built for verification
   267  	receivedAt         time.Time             // When the session ticket was received from the server
   268  
   269  	// TLS 1.3 fields.
   270  	nonce  []byte    // Ticket nonce sent by the server, to derive PSK
   271  	useBy  time.Time // Expiration of the ticket lifetime as set by the server
   272  	ageAdd uint32    // Random obfuscation factor for sending the ticket age
   273  }
   274  
   275  // ClientSessionCache is a cache of ClientSessionState objects that can be used
   276  // by a client to resume a TLS session with a given server. ClientSessionCache
   277  // implementations should expect to be called concurrently from different
   278  // goroutines. Up to TLS 1.2, only ticket-based resumption is supported, not
   279  // SessionID-based resumption. In TLS 1.3 they were merged into PSK modes, which
   280  // are supported via this interface.
   281  type ClientSessionCache interface {
   282  	// Get searches for a ClientSessionState associated with the given key.
   283  	// On return, ok is true if one was found.
   284  	Get(sessionKey string) (session *ClientSessionState, ok bool)
   285  
   286  	// Put adds the ClientSessionState to the cache with the given key. It might
   287  	// get called multiple times in a connection if a TLS 1.3 server provides
   288  	// more than one session ticket. If called with a nil *ClientSessionState,
   289  	// it should remove the cache entry.
   290  	Put(sessionKey string, cs *ClientSessionState)
   291  }
   292  
   293  // SignatureScheme identifies a signature algorithm supported by TLS. See
   294  // RFC 8446, Section 4.2.3.
   295  type SignatureScheme uint16
   296  
   297  const (
   298  	// RSASSA-PKCS1-v1_5 algorithms.
   299  	PKCS1WithSHA256 SignatureScheme = 0x0401
   300  	PKCS1WithSHA384 SignatureScheme = 0x0501
   301  	PKCS1WithSHA512 SignatureScheme = 0x0601
   302  
   303  	// RSASSA-PSS algorithms with public key OID rsaEncryption.
   304  	PSSWithSHA256 SignatureScheme = 0x0804
   305  	PSSWithSHA384 SignatureScheme = 0x0805
   306  	PSSWithSHA512 SignatureScheme = 0x0806
   307  
   308  	// ECDSA algorithms. Only constrained to a specific curve in TLS 1.3.
   309  	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
   310  	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
   311  	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603
   312  
   313  	// Legacy signature and hash algorithms for TLS 1.2.
   314  	PKCS1WithSHA1 SignatureScheme = 0x0201
   315  	ECDSAWithSHA1 SignatureScheme = 0x0203
   316  )
   317  
   318  // ClientHelloInfo contains information from a ClientHello message in order to
   319  // guide certificate selection in the GetCertificate callback.
   320  type ClientHelloInfo struct {
   321  	// CipherSuites lists the CipherSuites supported by the client (e.g.
   322  	// TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).
   323  	CipherSuites []uint16
   324  
   325  	// ServerName indicates the name of the server requested by the client
   326  	// in order to support virtual hosting. ServerName is only set if the
   327  	// client is using SNI (see RFC 4366, Section 3.1).
   328  	ServerName string
   329  
   330  	// SupportedCurves lists the elliptic curves supported by the client.
   331  	// SupportedCurves is set only if the Supported Elliptic Curves
   332  	// Extension is being used (see RFC 4492, Section 5.1.1).
   333  	SupportedCurves []CurveID
   334  
   335  	// SupportedPoints lists the point formats supported by the client.
   336  	// SupportedPoints is set only if the Supported Point Formats Extension
   337  	// is being used (see RFC 4492, Section 5.1.2).
   338  	SupportedPoints []uint8
   339  
   340  	// SignatureSchemes lists the signature and hash schemes that the client
   341  	// is willing to verify. SignatureSchemes is set only if the Signature
   342  	// Algorithms Extension is being used (see RFC 5246, Section 7.4.1.4.1).
   343  	SignatureSchemes []SignatureScheme
   344  
   345  	// SupportedProtos lists the application protocols supported by the client.
   346  	// SupportedProtos is set only if the Application-Layer Protocol
   347  	// Negotiation Extension is being used (see RFC 7301, Section 3.1).
   348  	//
   349  	// Servers can select a protocol by setting Config.NextProtos in a
   350  	// GetConfigForClient return value.
   351  	SupportedProtos []string
   352  
   353  	// SupportedVersions lists the TLS versions supported by the client.
   354  	// For TLS versions less than 1.3, this is extrapolated from the max
   355  	// version advertised by the client, so values other than the greatest
   356  	// might be rejected if used.
   357  	SupportedVersions []uint16
   358  
   359  	// Conn is the underlying net.Conn for the connection. Do not read
   360  	// from, or write to, this connection; that will cause the TLS
   361  	// connection to fail.
   362  	Conn net.Conn
   363  }
   364  
   365  // CertificateRequestInfo contains information from a server's
   366  // CertificateRequest message, which is used to demand a certificate and proof
   367  // of control from a client.
   368  type CertificateRequestInfo struct {
   369  	// AcceptableCAs contains zero or more, DER-encoded, X.501
   370  	// Distinguished Names. These are the names of root or intermediate CAs
   371  	// that the server wishes the returned certificate to be signed by. An
   372  	// empty slice indicates that the server has no preference.
   373  	AcceptableCAs [][]byte
   374  
   375  	// SignatureSchemes lists the signature schemes that the server is
   376  	// willing to verify.
   377  	SignatureSchemes []SignatureScheme
   378  }
   379  
   380  // RenegotiationSupport enumerates the different levels of support for TLS
   381  // renegotiation. TLS renegotiation is the act of performing subsequent
   382  // handshakes on a connection after the first. This significantly complicates
   383  // the state machine and has been the source of numerous, subtle security
   384  // issues. Initiating a renegotiation is not supported, but support for
   385  // accepting renegotiation requests may be enabled.
   386  //
   387  // Even when enabled, the server may not change its identity between handshakes
   388  // (i.e. the leaf certificate must be the same). Additionally, concurrent
   389  // handshake and application data flow is not permitted so renegotiation can
   390  // only be used with protocols that synchronise with the renegotiation, such as
   391  // HTTPS.
   392  //
   393  // Renegotiation is not defined in TLS 1.3.
   394  type RenegotiationSupport int
   395  
   396  const (
   397  	// RenegotiateNever disables renegotiation.
   398  	RenegotiateNever RenegotiationSupport = iota
   399  
   400  	// RenegotiateOnceAsClient allows a remote server to request
   401  	// renegotiation once per connection.
   402  	RenegotiateOnceAsClient
   403  
   404  	// RenegotiateFreelyAsClient allows a remote server to repeatedly
   405  	// request renegotiation.
   406  	RenegotiateFreelyAsClient
   407  )
   408  
   409  // A Config structure is used to configure a TLS client or server.
   410  // After one has been passed to a TLS function it must not be
   411  // modified. A Config may be reused; the tls package will also not
   412  // modify it.
   413  type Config struct {
   414  	// Rand provides the source of entropy for nonces and RSA blinding.
   415  	// If Rand is nil, TLS uses the cryptographic random reader in package
   416  	// crypto/rand.
   417  	// The Reader must be safe for use by multiple goroutines.
   418  	Rand io.Reader
   419  
   420  	// Time returns the current time as the number of seconds since the epoch.
   421  	// If Time is nil, TLS uses time.Now.
   422  	Time func() time.Time
   423  
   424  	// Certificates contains one or more certificate chains to present to
   425  	// the other side of the connection. Server configurations must include
   426  	// at least one certificate or else set GetCertificate. Clients doing
   427  	// client-authentication may set either Certificates or
   428  	// GetClientCertificate.
   429  	Certificates []Certificate
   430  
   431  	// NameToCertificate maps from a certificate name to an element of
   432  	// Certificates. Note that a certificate name can be of the form
   433  	// '*.example.com' and so doesn't have to be a domain name as such.
   434  	// See Config.BuildNameToCertificate
   435  	// The nil value causes the first element of Certificates to be used
   436  	// for all connections.
   437  	NameToCertificate map[string]*Certificate
   438  
   439  	// GetCertificate returns a Certificate based on the given
   440  	// ClientHelloInfo. It will only be called if the client supplies SNI
   441  	// information or if Certificates is empty.
   442  	//
   443  	// If GetCertificate is nil or returns nil, then the certificate is
   444  	// retrieved from NameToCertificate. If NameToCertificate is nil, the
   445  	// first element of Certificates will be used.
   446  	GetCertificate func(*ClientHelloInfo) (*Certificate, error)
   447  
   448  	// GetClientCertificate, if not nil, is called when a server requests a
   449  	// certificate from a client. If set, the contents of Certificates will
   450  	// be ignored.
   451  	//
   452  	// If GetClientCertificate returns an error, the handshake will be
   453  	// aborted and that error will be returned. Otherwise
   454  	// GetClientCertificate must return a non-nil Certificate. If
   455  	// Certificate.Certificate is empty then no certificate will be sent to
   456  	// the server. If this is unacceptable to the server then it may abort
   457  	// the handshake.
   458  	//
   459  	// GetClientCertificate may be called multiple times for the same
   460  	// connection if renegotiation occurs or if TLS 1.3 is in use.
   461  	GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
   462  
   463  	// GetConfigForClient, if not nil, is called after a ClientHello is
   464  	// received from a client. It may return a non-nil Config in order to
   465  	// change the Config that will be used to handle this connection. If
   466  	// the returned Config is nil, the original Config will be used. The
   467  	// Config returned by this callback may not be subsequently modified.
   468  	//
   469  	// If GetConfigForClient is nil, the Config passed to Server() will be
   470  	// used for all connections.
   471  	//
   472  	// Uniquely for the fields in the returned Config, session ticket keys
   473  	// will be duplicated from the original Config if not set.
   474  	// Specifically, if SetSessionTicketKeys was called on the original
   475  	// config but not on the returned config then the ticket keys from the
   476  	// original config will be copied into the new config before use.
   477  	// Otherwise, if SessionTicketKey was set in the original config but
   478  	// not in the returned config then it will be copied into the returned
   479  	// config before use. If neither of those cases applies then the key
   480  	// material from the returned config will be used for session tickets.
   481  	GetConfigForClient func(*ClientHelloInfo) (*Config, error)
   482  
   483  	// VerifyPeerCertificate, if not nil, is called after normal
   484  	// certificate verification by either a TLS client or server. It
   485  	// receives the raw ASN.1 certificates provided by the peer and also
   486  	// any verified chains that normal processing found. If it returns a
   487  	// non-nil error, the handshake is aborted and that error results.
   488  	//
   489  	// If normal verification fails then the handshake will abort before
   490  	// considering this callback. If normal verification is disabled by
   491  	// setting InsecureSkipVerify, or (for a server) when ClientAuth is
   492  	// RequestClientCert or RequireAnyClientCert, then this callback will
   493  	// be considered but the verifiedChains argument will always be nil.
   494  	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
   495  
   496  	// RootCAs defines the set of root certificate authorities
   497  	// that clients use when verifying server certificates.
   498  	// If RootCAs is nil, TLS uses the host's root CA set.
   499  	RootCAs *x509.CertPool
   500  
   501  	// NextProtos is a list of supported application level protocols, in
   502  	// order of preference.
   503  	NextProtos []string
   504  
   505  	// ServerName is used to verify the hostname on the returned
   506  	// certificates unless InsecureSkipVerify is given. It is also included
   507  	// in the client's handshake to support virtual hosting unless it is
   508  	// an IP address.
   509  	ServerName string
   510  
   511  	// ClientAuth determines the server's policy for
   512  	// TLS Client Authentication. The default is NoClientCert.
   513  	ClientAuth ClientAuthType
   514  
   515  	// ClientCAs defines the set of root certificate authorities
   516  	// that servers use if required to verify a client certificate
   517  	// by the policy in ClientAuth.
   518  	ClientCAs *x509.CertPool
   519  
   520  	// InsecureSkipVerify controls whether a client verifies the
   521  	// server's certificate chain and host name.
   522  	// If InsecureSkipVerify is true, TLS accepts any certificate
   523  	// presented by the server and any host name in that certificate.
   524  	// In this mode, TLS is susceptible to man-in-the-middle attacks.
   525  	// This should be used only for testing.
   526  	InsecureSkipVerify bool
   527  
   528  	// CipherSuites is a list of supported cipher suites for TLS versions up to
   529  	// TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites
   530  	// is used, with a preference order based on hardware performance. The
   531  	// default cipher suites might change over Go versions. Note that TLS 1.3
   532  	// ciphersuites are not configurable.
   533  	CipherSuites []uint16
   534  
   535  	// PreferServerCipherSuites controls whether the server selects the
   536  	// client's most preferred ciphersuite, or the server's most preferred
   537  	// ciphersuite. If true then the server's preference, as expressed in
   538  	// the order of elements in CipherSuites, is used.
   539  	PreferServerCipherSuites bool
   540  
   541  	// SessionTicketsDisabled may be set to true to disable session ticket and
   542  	// PSK (resumption) support. Note that on clients, session ticket support is
   543  	// also disabled if ClientSessionCache is nil.
   544  	SessionTicketsDisabled bool
   545  
   546  	// SessionTicketKey is used by TLS servers to provide session resumption.
   547  	// See RFC 5077 and the PSK mode of RFC 8446. If zero, it will be filled
   548  	// with random data before the first server handshake.
   549  	//
   550  	// If multiple servers are terminating connections for the same host
   551  	// they should all have the same SessionTicketKey. If the
   552  	// SessionTicketKey leaks, previously recorded and future TLS
   553  	// connections using that key might be compromised.
   554  	SessionTicketKey [32]byte
   555  
   556  	// ClientSessionCache is a cache of ClientSessionState entries for TLS
   557  	// session resumption. It is only used by clients.
   558  	ClientSessionCache ClientSessionCache
   559  
   560  	// MinVersion contains the minimum SSL/TLS version that is acceptable.
   561  	// If zero, then TLS 1.0 is taken as the minimum.
   562  	MinVersion uint16
   563  
   564  	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
   565  	// If zero, then the maximum version supported by this package is used,
   566  	// which is currently TLS 1.3.
   567  	MaxVersion uint16
   568  
   569  	// CurvePreferences contains the elliptic curves that will be used in
   570  	// an ECDHE handshake, in preference order. If empty, the default will
   571  	// be used. The client will use the first preference as the type for
   572  	// its key share in TLS 1.3. This may change in the future.
   573  	CurvePreferences []CurveID
   574  
   575  	// DynamicRecordSizingDisabled disables adaptive sizing of TLS records.
   576  	// When true, the largest possible TLS record size is always used. When
   577  	// false, the size of TLS records may be adjusted in an attempt to
   578  	// improve latency.
   579  	DynamicRecordSizingDisabled bool
   580  
   581  	// Renegotiation controls what types of renegotiation are supported.
   582  	// The default, none, is correct for the vast majority of applications.
   583  	Renegotiation RenegotiationSupport
   584  
   585  	// KeyLogWriter optionally specifies a destination for TLS master secrets
   586  	// in NSS key log format that can be used to allow external programs
   587  	// such as Wireshark to decrypt TLS connections.
   588  	// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
   589  	// Use of KeyLogWriter compromises security and should only be
   590  	// used for debugging.
   591  	KeyLogWriter io.Writer
   592  
   593  	serverInitOnce sync.Once // guards calling (*Config).serverInit
   594  
   595  	// mutex protects sessionTicketKeys.
   596  	mutex sync.RWMutex
   597  	// sessionTicketKeys contains zero or more ticket keys. If the length
   598  	// is zero, SessionTicketsDisabled must be true. The first key is used
   599  	// for new tickets and any subsequent keys can be used to decrypt old
   600  	// tickets.
   601  	sessionTicketKeys []ticketKey
   602  }
   603  
   604  // ticketKeyNameLen is the number of bytes of identifier that is prepended to
   605  // an encrypted session ticket in order to identify the key used to encrypt it.
   606  const ticketKeyNameLen = 16
   607  
   608  // ticketKey is the internal representation of a session ticket key.
   609  type ticketKey struct {
   610  	// keyName is an opaque byte string that serves to identify the session
   611  	// ticket key. It's exposed as plaintext in every session ticket.
   612  	keyName [ticketKeyNameLen]byte
   613  	aesKey  [16]byte
   614  	hmacKey [16]byte
   615  }
   616  
   617  // ticketKeyFromBytes converts from the external representation of a session
   618  // ticket key to a ticketKey. Externally, session ticket keys are 32 random
   619  // bytes and this function expands that into sufficient name and key material.
   620  func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
   621  	hashed := sha512.Sum512(b[:])
   622  	copy(key.keyName[:], hashed[:ticketKeyNameLen])
   623  	copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
   624  	copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
   625  	return key
   626  }
   627  
   628  // maxSessionTicketLifetime is the maximum allowed lifetime of a TLS 1.3 session
   629  // ticket, and the lifetime we set for tickets we send.
   630  const maxSessionTicketLifetime = 7 * 24 * time.Hour
   631  
   632  // Clone returns a shallow clone of c. It is safe to clone a Config that is
   633  // being used concurrently by a TLS client or server.
   634  func (c *Config) Clone() *Config {
   635  	// Running serverInit ensures that it's safe to read
   636  	// SessionTicketsDisabled.
   637  	c.serverInitOnce.Do(func() { c.serverInit(nil) })
   638  
   639  	var sessionTicketKeys []ticketKey
   640  	c.mutex.RLock()
   641  	sessionTicketKeys = c.sessionTicketKeys
   642  	c.mutex.RUnlock()
   643  
   644  	return &Config{
   645  		Rand:                        c.Rand,
   646  		Time:                        c.Time,
   647  		Certificates:                c.Certificates,
   648  		NameToCertificate:           c.NameToCertificate,
   649  		GetCertificate:              c.GetCertificate,
   650  		GetClientCertificate:        c.GetClientCertificate,
   651  		GetConfigForClient:          c.GetConfigForClient,
   652  		VerifyPeerCertificate:       c.VerifyPeerCertificate,
   653  		RootCAs:                     c.RootCAs,
   654  		NextProtos:                  c.NextProtos,
   655  		ServerName:                  c.ServerName,
   656  		ClientAuth:                  c.ClientAuth,
   657  		ClientCAs:                   c.ClientCAs,
   658  		InsecureSkipVerify:          c.InsecureSkipVerify,
   659  		CipherSuites:                c.CipherSuites,
   660  		PreferServerCipherSuites:    c.PreferServerCipherSuites,
   661  		SessionTicketsDisabled:      c.SessionTicketsDisabled,
   662  		SessionTicketKey:            c.SessionTicketKey,
   663  		ClientSessionCache:          c.ClientSessionCache,
   664  		MinVersion:                  c.MinVersion,
   665  		MaxVersion:                  c.MaxVersion,
   666  		CurvePreferences:            c.CurvePreferences,
   667  		DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
   668  		Renegotiation:               c.Renegotiation,
   669  		KeyLogWriter:                c.KeyLogWriter,
   670  		sessionTicketKeys:           sessionTicketKeys,
   671  	}
   672  }
   673  
   674  // serverInit is run under c.serverInitOnce to do initialization of c. If c was
   675  // returned by a GetConfigForClient callback then the argument should be the
   676  // Config that was passed to Server, otherwise it should be nil.
   677  func (c *Config) serverInit(originalConfig *Config) {
   678  	if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 {
   679  		return
   680  	}
   681  
   682  	alreadySet := false
   683  	for _, b := range c.SessionTicketKey {
   684  		if b != 0 {
   685  			alreadySet = true
   686  			break
   687  		}
   688  	}
   689  
   690  	if !alreadySet {
   691  		if originalConfig != nil {
   692  			copy(c.SessionTicketKey[:], originalConfig.SessionTicketKey[:])
   693  		} else if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
   694  			c.SessionTicketsDisabled = true
   695  			return
   696  		}
   697  	}
   698  
   699  	if originalConfig != nil {
   700  		originalConfig.mutex.RLock()
   701  		c.sessionTicketKeys = originalConfig.sessionTicketKeys
   702  		originalConfig.mutex.RUnlock()
   703  	} else {
   704  		c.sessionTicketKeys = []ticketKey{ticketKeyFromBytes(c.SessionTicketKey)}
   705  	}
   706  }
   707  
   708  func (c *Config) ticketKeys() []ticketKey {
   709  	c.mutex.RLock()
   710  	// c.sessionTicketKeys is constant once created. SetSessionTicketKeys
   711  	// will only update it by replacing it with a new value.
   712  	ret := c.sessionTicketKeys
   713  	c.mutex.RUnlock()
   714  	return ret
   715  }
   716  
   717  // SetSessionTicketKeys updates the session ticket keys for a server. The first
   718  // key will be used when creating new tickets, while all keys can be used for
   719  // decrypting tickets. It is safe to call this function while the server is
   720  // running in order to rotate the session ticket keys. The function will panic
   721  // if keys is empty.
   722  func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
   723  	if len(keys) == 0 {
   724  		panic("tls: keys must have at least one key")
   725  	}
   726  
   727  	newKeys := make([]ticketKey, len(keys))
   728  	for i, bytes := range keys {
   729  		newKeys[i] = ticketKeyFromBytes(bytes)
   730  	}
   731  
   732  	c.mutex.Lock()
   733  	c.sessionTicketKeys = newKeys
   734  	c.mutex.Unlock()
   735  }
   736  
   737  func (c *Config) rand() io.Reader {
   738  	r := c.Rand
   739  	if r == nil {
   740  		return rand.Reader
   741  	}
   742  	return r
   743  }
   744  
   745  func (c *Config) time() time.Time {
   746  	t := c.Time
   747  	if t == nil {
   748  		t = time.Now
   749  	}
   750  	return t()
   751  }
   752  
   753  func (c *Config) cipherSuites() []uint16 {
   754  	s := c.CipherSuites
   755  	if s == nil {
   756  		s = defaultCipherSuites()
   757  	}
   758  	return s
   759  }
   760  
   761  var supportedVersions = []uint16{
   762  	VersionTLS13,
   763  	VersionTLS12,
   764  	VersionTLS11,
   765  	VersionTLS10,
   766  	VersionSSL30,
   767  }
   768  
   769  func (c *Config) supportedVersions(isClient bool) []uint16 {
   770  	versions := make([]uint16, 0, len(supportedVersions))
   771  	for _, v := range supportedVersions {
   772  		if c != nil && c.MinVersion != 0 && v < c.MinVersion {
   773  			continue
   774  		}
   775  		if c != nil && c.MaxVersion != 0 && v > c.MaxVersion {
   776  			continue
   777  		}
   778  		// TLS 1.0 is the minimum version supported as a client.
   779  		if isClient && v < VersionTLS10 {
   780  			continue
   781  		}
   782  		// TLS 1.3 is opt-in in Go 1.12.
   783  		if v == VersionTLS13 && !isTLS13Supported() {
   784  			continue
   785  		}
   786  		versions = append(versions, v)
   787  	}
   788  	return versions
   789  }
   790  
   791  // tls13Support caches the result for isTLS13Supported.
   792  var tls13Support struct {
   793  	sync.Once
   794  	cached bool
   795  }
   796  
   797  // isTLS13Supported returns whether the program opted into TLS 1.3 via
   798  // GODEBUG=tls13=1. It's cached after the first execution.
   799  func isTLS13Supported() bool {
   800  	tls13Support.Do(func() {
   801  		tls13Support.cached = goDebugString("tls13") == "1"
   802  	})
   803  	return tls13Support.cached
   804  }
   805  
   806  // goDebugString returns the value of the named GODEBUG key.
   807  // GODEBUG is of the form "key=val,key2=val2".
   808  func goDebugString(key string) string {
   809  	s := os.Getenv("GODEBUG")
   810  	for i := 0; i < len(s)-len(key)-1; i++ {
   811  		if i > 0 && s[i-1] != ',' {
   812  			continue
   813  		}
   814  		afterKey := s[i+len(key):]
   815  		if afterKey[0] != '=' || s[i:i+len(key)] != key {
   816  			continue
   817  		}
   818  		val := afterKey[1:]
   819  		for i, b := range val {
   820  			if b == ',' {
   821  				return val[:i]
   822  			}
   823  		}
   824  		return val
   825  	}
   826  	return ""
   827  }
   828  
   829  func (c *Config) maxSupportedVersion(isClient bool) uint16 {
   830  	supportedVersions := c.supportedVersions(isClient)
   831  	if len(supportedVersions) == 0 {
   832  		return 0
   833  	}
   834  	return supportedVersions[0]
   835  }
   836  
   837  // supportedVersionsFromMax returns a list of supported versions derived from a
   838  // legacy maximum version value. Note that only versions supported by this
   839  // library are returned. Any newer peer will use supportedVersions anyway.
   840  func supportedVersionsFromMax(maxVersion uint16) []uint16 {
   841  	versions := make([]uint16, 0, len(supportedVersions))
   842  	for _, v := range supportedVersions {
   843  		if v > maxVersion {
   844  			continue
   845  		}
   846  		versions = append(versions, v)
   847  	}
   848  	return versions
   849  }
   850  
   851  var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521}
   852  
   853  func (c *Config) curvePreferences() []CurveID {
   854  	if c == nil || len(c.CurvePreferences) == 0 {
   855  		return defaultCurvePreferences
   856  	}
   857  	return c.CurvePreferences
   858  }
   859  
   860  // mutualVersion returns the protocol version to use given the advertised
   861  // versions of the peer. Priority is given to the peer preference order.
   862  func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool) {
   863  	supportedVersions := c.supportedVersions(isClient)
   864  	for _, peerVersion := range peerVersions {
   865  		for _, v := range supportedVersions {
   866  			if v == peerVersion {
   867  				return v, true
   868  			}
   869  		}
   870  	}
   871  	return 0, false
   872  }
   873  
   874  // getCertificate returns the best certificate for the given ClientHelloInfo,
   875  // defaulting to the first element of c.Certificates.
   876  func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) {
   877  	if c.GetCertificate != nil &&
   878  		(len(c.Certificates) == 0 || len(clientHello.ServerName) > 0) {
   879  		cert, err := c.GetCertificate(clientHello)
   880  		if cert != nil || err != nil {
   881  			return cert, err
   882  		}
   883  	}
   884  
   885  	if len(c.Certificates) == 0 {
   886  		return nil, errors.New("tls: no certificates configured")
   887  	}
   888  
   889  	if len(c.Certificates) == 1 || c.NameToCertificate == nil {
   890  		// There's only one choice, so no point doing any work.
   891  		return &c.Certificates[0], nil
   892  	}
   893  
   894  	name := strings.ToLower(clientHello.ServerName)
   895  	for len(name) > 0 && name[len(name)-1] == '.' {
   896  		name = name[:len(name)-1]
   897  	}
   898  
   899  	if cert, ok := c.NameToCertificate[name]; ok {
   900  		return cert, nil
   901  	}
   902  
   903  	// try replacing labels in the name with wildcards until we get a
   904  	// match.
   905  	labels := strings.Split(name, ".")
   906  	for i := range labels {
   907  		labels[i] = "*"
   908  		candidate := strings.Join(labels, ".")
   909  		if cert, ok := c.NameToCertificate[candidate]; ok {
   910  			return cert, nil
   911  		}
   912  	}
   913  
   914  	// If nothing matches, return the first certificate.
   915  	return &c.Certificates[0], nil
   916  }
   917  
   918  // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
   919  // from the CommonName and SubjectAlternateName fields of each of the leaf
   920  // certificates.
   921  func (c *Config) BuildNameToCertificate() {
   922  	c.NameToCertificate = make(map[string]*Certificate)
   923  	for i := range c.Certificates {
   924  		cert := &c.Certificates[i]
   925  		x509Cert := cert.Leaf
   926  		if x509Cert == nil {
   927  			var err error
   928  			x509Cert, err = x509.ParseCertificate(cert.Certificate[0])
   929  			if err != nil {
   930  				continue
   931  			}
   932  		}
   933  		if len(x509Cert.Subject.CommonName) > 0 {
   934  			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
   935  		}
   936  		for _, san := range x509Cert.DNSNames {
   937  			c.NameToCertificate[san] = cert
   938  		}
   939  	}
   940  }
   941  
   942  const (
   943  	keyLogLabelTLS12           = "CLIENT_RANDOM"
   944  	keyLogLabelClientHandshake = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
   945  	keyLogLabelServerHandshake = "SERVER_HANDSHAKE_TRAFFIC_SECRET"
   946  	keyLogLabelClientTraffic   = "CLIENT_TRAFFIC_SECRET_0"
   947  	keyLogLabelServerTraffic   = "SERVER_TRAFFIC_SECRET_0"
   948  )
   949  
   950  func (c *Config) writeKeyLog(label string, clientRandom, secret []byte) error {
   951  	if c.KeyLogWriter == nil {
   952  		return nil
   953  	}
   954  
   955  	logLine := []byte(fmt.Sprintf("%s %x %x\n", label, clientRandom, secret))
   956  
   957  	writerMutex.Lock()
   958  	_, err := c.KeyLogWriter.Write(logLine)
   959  	writerMutex.Unlock()
   960  
   961  	return err
   962  }
   963  
   964  // writerMutex protects all KeyLogWriters globally. It is rarely enabled,
   965  // and is only for debugging, so a global mutex saves space.
   966  var writerMutex sync.Mutex
   967  
   968  // A Certificate is a chain of one or more certificates, leaf first.
   969  type Certificate struct {
   970  	Certificate [][]byte
   971  	// PrivateKey contains the private key corresponding to the public key in
   972  	// Leaf. This must implement crypto.Signer with an RSA or ECDSA PublicKey.
   973  	// For a server up to TLS 1.2, it can also implement crypto.Decrypter with
   974  	// an RSA PublicKey.
   975  	PrivateKey crypto.PrivateKey
   976  	// OCSPStaple contains an optional OCSP response which will be served
   977  	// to clients that request it.
   978  	OCSPStaple []byte
   979  	// SignedCertificateTimestamps contains an optional list of Signed
   980  	// Certificate Timestamps which will be served to clients that request it.
   981  	SignedCertificateTimestamps [][]byte
   982  	// Leaf is the parsed form of the leaf certificate, which may be
   983  	// initialized using x509.ParseCertificate to reduce per-handshake
   984  	// processing for TLS clients doing client authentication. If nil, the
   985  	// leaf certificate will be parsed as needed.
   986  	Leaf *x509.Certificate
   987  }
   988  
   989  type handshakeMessage interface {
   990  	marshal() []byte
   991  	unmarshal([]byte) bool
   992  }
   993  
   994  // lruSessionCache is a ClientSessionCache implementation that uses an LRU
   995  // caching strategy.
   996  type lruSessionCache struct {
   997  	sync.Mutex
   998  
   999  	m        map[string]*list.Element
  1000  	q        *list.List
  1001  	capacity int
  1002  }
  1003  
  1004  type lruSessionCacheEntry struct {
  1005  	sessionKey string
  1006  	state      *ClientSessionState
  1007  }
  1008  
  1009  // NewLRUClientSessionCache returns a ClientSessionCache with the given
  1010  // capacity that uses an LRU strategy. If capacity is < 1, a default capacity
  1011  // is used instead.
  1012  func NewLRUClientSessionCache(capacity int) ClientSessionCache {
  1013  	const defaultSessionCacheCapacity = 64
  1014  
  1015  	if capacity < 1 {
  1016  		capacity = defaultSessionCacheCapacity
  1017  	}
  1018  	return &lruSessionCache{
  1019  		m:        make(map[string]*list.Element),
  1020  		q:        list.New(),
  1021  		capacity: capacity,
  1022  	}
  1023  }
  1024  
  1025  // Put adds the provided (sessionKey, cs) pair to the cache. If cs is nil, the entry
  1026  // corresponding to sessionKey is removed from the cache instead.
  1027  func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) {
  1028  	c.Lock()
  1029  	defer c.Unlock()
  1030  
  1031  	if elem, ok := c.m[sessionKey]; ok {
  1032  		if cs == nil {
  1033  			c.q.Remove(elem)
  1034  			delete(c.m, sessionKey)
  1035  		} else {
  1036  			entry := elem.Value.(*lruSessionCacheEntry)
  1037  			entry.state = cs
  1038  			c.q.MoveToFront(elem)
  1039  		}
  1040  		return
  1041  	}
  1042  
  1043  	if c.q.Len() < c.capacity {
  1044  		entry := &lruSessionCacheEntry{sessionKey, cs}
  1045  		c.m[sessionKey] = c.q.PushFront(entry)
  1046  		return
  1047  	}
  1048  
  1049  	elem := c.q.Back()
  1050  	entry := elem.Value.(*lruSessionCacheEntry)
  1051  	delete(c.m, entry.sessionKey)
  1052  	entry.sessionKey = sessionKey
  1053  	entry.state = cs
  1054  	c.q.MoveToFront(elem)
  1055  	c.m[sessionKey] = elem
  1056  }
  1057  
  1058  // Get returns the ClientSessionState value associated with a given key. It
  1059  // returns (nil, false) if no value is found.
  1060  func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
  1061  	c.Lock()
  1062  	defer c.Unlock()
  1063  
  1064  	if elem, ok := c.m[sessionKey]; ok {
  1065  		c.q.MoveToFront(elem)
  1066  		return elem.Value.(*lruSessionCacheEntry).state, true
  1067  	}
  1068  	return nil, false
  1069  }
  1070  
  1071  // TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
  1072  type dsaSignature struct {
  1073  	R, S *big.Int
  1074  }
  1075  
  1076  type ecdsaSignature dsaSignature
  1077  
  1078  var emptyConfig Config
  1079  
  1080  func defaultConfig() *Config {
  1081  	return &emptyConfig
  1082  }
  1083  
  1084  var (
  1085  	once                        sync.Once
  1086  	varDefaultCipherSuites      []uint16
  1087  	varDefaultCipherSuitesTLS13 []uint16
  1088  )
  1089  
  1090  func defaultCipherSuites() []uint16 {
  1091  	once.Do(initDefaultCipherSuites)
  1092  	return varDefaultCipherSuites
  1093  }
  1094  
  1095  func defaultCipherSuitesTLS13() []uint16 {
  1096  	once.Do(initDefaultCipherSuites)
  1097  	return varDefaultCipherSuitesTLS13
  1098  }
  1099  
  1100  func initDefaultCipherSuites() {
  1101  	var topCipherSuites []uint16
  1102  
  1103  	// Check the cpu flags for each platform that has optimized GCM implementations.
  1104  	// Worst case, these variables will just all be false.
  1105  	var (
  1106  		hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
  1107  		hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
  1108  		// Keep in sync with crypto/aes/cipher_s390x.go.
  1109  		hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
  1110  
  1111  		hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
  1112  	)
  1113  
  1114  	if hasGCMAsm {
  1115  		// If AES-GCM hardware is provided then prioritise AES-GCM
  1116  		// cipher suites.
  1117  		topCipherSuites = []uint16{
  1118  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1119  			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1120  			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1121  			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  1122  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1123  			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1124  		}
  1125  		varDefaultCipherSuitesTLS13 = []uint16{
  1126  			TLS_AES_128_GCM_SHA256,
  1127  			TLS_CHACHA20_POLY1305_SHA256,
  1128  			TLS_AES_256_GCM_SHA384,
  1129  		}
  1130  	} else {
  1131  		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
  1132  		// cipher suites first.
  1133  		topCipherSuites = []uint16{
  1134  			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
  1135  			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
  1136  			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  1137  			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  1138  			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  1139  			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  1140  		}
  1141  		varDefaultCipherSuitesTLS13 = []uint16{
  1142  			TLS_CHACHA20_POLY1305_SHA256,
  1143  			TLS_AES_128_GCM_SHA256,
  1144  			TLS_AES_256_GCM_SHA384,
  1145  		}
  1146  	}
  1147  
  1148  	varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))
  1149  	varDefaultCipherSuites = append(varDefaultCipherSuites, topCipherSuites...)
  1150  
  1151  NextCipherSuite:
  1152  	for _, suite := range cipherSuites {
  1153  		if suite.flags&suiteDefaultOff != 0 {
  1154  			continue
  1155  		}
  1156  		for _, existing := range varDefaultCipherSuites {
  1157  			if existing == suite.id {
  1158  				continue NextCipherSuite
  1159  			}
  1160  		}
  1161  		varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
  1162  	}
  1163  }
  1164  
  1165  func unexpectedMessageError(wanted, got interface{}) error {
  1166  	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
  1167  }
  1168  
  1169  func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool {
  1170  	for _, s := range supportedSignatureAlgorithms {
  1171  		if s == sigAlg {
  1172  			return true
  1173  		}
  1174  	}
  1175  	return false
  1176  }
  1177  
  1178  // signatureFromSignatureScheme maps a signature algorithm to the underlying
  1179  // signature method (without hash function).
  1180  func signatureFromSignatureScheme(signatureAlgorithm SignatureScheme) uint8 {
  1181  	switch signatureAlgorithm {
  1182  	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
  1183  		return signaturePKCS1v15
  1184  	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
  1185  		return signatureRSAPSS
  1186  	case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
  1187  		return signatureECDSA
  1188  	default:
  1189  		return 0
  1190  	}
  1191  }