tls

Accept method #

Accept waits for and returns the next incoming TLS connection. The returned connection is of type *Conn.

func (l *listener) Accept() (net.Conn, error)

BlockSize method #

func (c *cthWrapper) BlockSize() int

BuildNameToCertificate method #

BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate from the CommonName and SubjectAlternateName fields of each of the leaf certificates. Deprecated: NameToCertificate only allows associating a single certificate with a given name. Leave that field nil to let the library select the first compatible chain from Certificates.

func (c *Config) BuildNameToCertificate()

Bytes method #

Bytes encodes the session, including any private fields, so that it can be parsed by [ParseSessionState]. The encoding contains secret values critical to the security of future and possibly past sessions. The specific encoding should be considered opaque and may change incompatibly between Go versions.

func (s *SessionState) Bytes() ([]byte, error)

CipherSuiteName function #

CipherSuiteName returns the standard name for the passed cipher suite ID (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation of the ID value if the cipher suite is not implemented by this package.

func CipherSuiteName(id uint16) string

CipherSuites function #

CipherSuites returns a list of cipher suites currently implemented by this package, excluding those with security issues, which are returned by [InsecureCipherSuites]. The list is sorted by ID. Note that the default cipher suites selected by this package might depend on logic that can't be captured by a static list, and might not match those returned by this function.

func CipherSuites() []*CipherSuite

Client function #

Client returns a new TLS client side connection using conn as the underlying transport. The config cannot be nil: users must set either ServerName or InsecureSkipVerify in the config.

func Client(conn net.Conn, config *Config) *Conn

Clone method #

Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a [Config] that is being used concurrently by a TLS client or server.

func (c *Config) Clone() *Config

Close method #

Close closes the connection and stops any in-progress handshake.

func (q *QUICConn) Close() error

Close method #

Close closes the connection.

func (c *Conn) Close() error

CloseWrite method #

CloseWrite shuts down the writing side of the connection. It should only be called once the handshake has completed and does not call CloseWrite on the underlying connection. Most callers should just use [Conn.Close].

func (c *Conn) CloseWrite() error

ConnectionState method #

ConnectionState returns basic TLS details about the connection.

func (c *Conn) ConnectionState() ConnectionState

ConnectionState method #

ConnectionState returns basic TLS details about the connection.

func (q *QUICConn) ConnectionState() ConnectionState

Context method #

Context returns the context of the handshake that is in progress. This context is a child of the context passed to HandshakeContext, if any, and is canceled when the handshake concludes.

func (c *ClientHelloInfo) Context() context.Context

Context method #

Context returns the context of the handshake that is in progress. This context is a child of the context passed to HandshakeContext, if any, and is canceled when the handshake concludes.

func (c *CertificateRequestInfo) Context() context.Context

DecryptTicket method #

DecryptTicket decrypts a ticket encrypted by [Config.EncryptTicket]. It can be used as a [Config.UnwrapSession] implementation. If the ticket can't be decrypted or parsed, DecryptTicket returns (nil, nil).

func (c *Config) DecryptTicket(identity []byte, cs ConnectionState) (*SessionState, error)

Dial function #

Dial connects to the given network address using net.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Dial interprets a nil configuration as equivalent to the zero configuration; see the documentation of Config for the defaults.

func Dial(network string, addr string, config *Config) (*Conn, error)

Dial method #

Dial connects to the given network address and initiates a TLS handshake, returning the resulting TLS connection. The returned [Conn], if any, will always be of type *[Conn]. Dial uses context.Background internally; to specify the context, use [Dialer.DialContext].

func (d *Dialer) Dial(network string, addr string) (net.Conn, error)

DialContext method #

DialContext connects to the given network address and initiates a TLS handshake, returning the resulting TLS connection. The provided Context must be non-nil. If the context expires before the connection is complete, an error is returned. Once successfully connected, any expiration of the context will not affect the connection. The returned [Conn], if any, will always be of type *[Conn].

func (d *Dialer) DialContext(ctx context.Context, network string, addr string) (net.Conn, error)

DialWithDialer function #

DialWithDialer connects to the given network address using dialer.Dial and then initiates a TLS handshake, returning the resulting TLS connection. Any timeout or deadline given in the dialer apply to connection and TLS handshake as a whole. DialWithDialer interprets a nil configuration as equivalent to the zero configuration; see the documentation of [Config] for the defaults. DialWithDialer uses context.Background internally; to specify the context, use [Dialer.DialContext] with NetDialer set to the desired dialer.

func DialWithDialer(dialer *net.Dialer, network string, addr string, config *Config) (*Conn, error)

EncryptTicket method #

EncryptTicket encrypts a ticket with the [Config]'s configured (or default) session ticket keys. It can be used as a [Config.WrapSession] implementation.

func (c *Config) EncryptTicket(cs ConnectionState, ss *SessionState) ([]byte, error)

Error method #

func (e *CertificateVerificationError) Error() string

Error method #

func (e AlertError) Error() string

Error method #

func (timeoutError) Error() string

Error method #

func (e *permanentError) Error() string

Error method #

func (e RecordHeaderError) Error() string

Error method #

func (e *ECHRejectionError) Error() string

Error method #

func (e alert) Error() string

ExportKeyingMaterial method #

ExportKeyingMaterial returns length bytes of exported key material in a new slice as defined in RFC 5705. If context is nil, it is not used as part of the seed. If the connection was set to allow renegotiation via Config.Renegotiation, or if the connections supports neither TLS 1.3 nor Extended Master Secret, this function will return an error. Exporting key material without Extended Master Secret or TLS 1.3 was disabled in Go 1.22 due to security issues (see the Security Considerations sections of RFC 5705 and RFC 7627), but can be re-enabled with the GODEBUG setting tlsunsafeekm=1.

func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error)

Get method #

Get returns the [ClientSessionState] value associated with a given key. It returns (nil, false) if no value is found.

func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool)

HandleData method #

HandleData handles handshake bytes received from the peer. It may produce connection events, which may be read with [QUICConn.NextEvent].

func (q *QUICConn) HandleData(level QUICEncryptionLevel, data []byte) error

Handshake method #

Handshake runs the client or server handshake protocol if it has not yet been run. Most uses of this package need not call Handshake explicitly: the first [Conn.Read] or [Conn.Write] will call it automatically. For control over canceling or setting a timeout on a handshake, use [Conn.HandshakeContext] or the [Dialer]'s DialContext method instead. In order to avoid denial of service attacks, the maximum RSA key size allowed in certificates sent by either the TLS server or client is limited to 8192 bits. This limit can be overridden by setting tlsmaxrsasize in the GODEBUG environment variable (e.g. GODEBUG=tlsmaxrsasize=4096).

func (c *Conn) Handshake() error

HandshakeContext method #

HandshakeContext runs the client or server handshake protocol if it has not yet been run. The provided Context must be non-nil. If the context is canceled before the handshake is complete, the handshake is interrupted and an error is returned. Once the handshake has completed, cancellation of the context will not affect the connection. Most uses of this package need not call HandshakeContext explicitly: the first [Conn.Read] or [Conn.Write] will call it automatically.

func (c *Conn) HandshakeContext(ctx context.Context) error

InsecureCipherSuites function #

InsecureCipherSuites returns a list of cipher suites currently implemented by this package and which have security issues. Most applications should not use the cipher suites in this list, and should only use those returned by [CipherSuites].

func InsecureCipherSuites() []*CipherSuite

Listen function #

Listen creates a TLS listener accepting connections on the given network address using net.Listen. The configuration config must be non-nil and must include at least one certificate or else set GetCertificate.

func Listen(network string, laddr string, config *Config) (net.Listener, error)

LoadX509KeyPair function #

LoadX509KeyPair reads and parses a public/private key pair from a pair of files. The files must contain PEM encoded data. The certificate file may contain intermediate certificates following the leaf certificate to form a certificate chain. On successful return, Certificate.Leaf will be populated. Before Go 1.23 Certificate.Leaf was left nil, and the parsed certificate was discarded. This behavior can be re-enabled by setting "x509keypairleaf=0" in the GODEBUG environment variable.

func LoadX509KeyPair(certFile string, keyFile string) (Certificate, error)

LocalAddr method #

LocalAddr returns the local network address.

func (c *Conn) LocalAddr() net.Addr

Marshal method #

func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error

NetConn method #

NetConn returns the underlying connection that is wrapped by c. Note that writing to or reading from this connection directly will corrupt the TLS session.

func (c *Conn) NetConn() net.Conn

NewLRUClientSessionCache function #

NewLRUClientSessionCache returns a [ClientSessionCache] with the given capacity that uses an LRU strategy. If capacity is < 1, a default capacity is used instead.

func NewLRUClientSessionCache(capacity int) ClientSessionCache

NewListener function #

NewListener creates a Listener which accepts connections from an inner Listener and wraps each connection with [Server]. The configuration config must be non-nil and must include at least one certificate or else set GetCertificate.

func NewListener(inner net.Listener, config *Config) net.Listener

NewResumptionState function #

NewResumptionState returns a state value that can be returned by [ClientSessionCache.Get] to resume a previous session. state needs to be returned by [ParseSessionState], and the ticket and session state must have been returned by [ClientSessionState.ResumptionState].

func NewResumptionState(ticket []byte, state *SessionState) (*ClientSessionState, error)

NextEvent method #

NextEvent returns the next event occurring on the connection. It returns an event with a Kind of [QUICNoEvent] when no events are available.

func (q *QUICConn) NextEvent() QUICEvent

NonceSize method #

func (f *prefixNonceAEAD) NonceSize() int

NonceSize method #

func (f *xorNonceAEAD) NonceSize() int

OCSPResponse method #

OCSPResponse returns the stapled OCSP response from the TLS server, if any. (Only valid for client connections.)

func (c *Conn) OCSPResponse() []byte

Open method #

func (f *prefixNonceAEAD) Open(out []byte, nonce []byte, ciphertext []byte, additionalData []byte) ([]byte, error)

Open method #

func (f *xorNonceAEAD) Open(out []byte, nonce []byte, ciphertext []byte, additionalData []byte) ([]byte, error)

Overhead method #

func (f *xorNonceAEAD) Overhead() int

Overhead method #

func (f *prefixNonceAEAD) Overhead() int

ParseSessionState function #

ParseSessionState parses a [SessionState] encoded by [SessionState.Bytes].

func ParseSessionState(data []byte) (*SessionState, error)

Put method #

Put adds the provided (sessionKey, cs) pair to the cache. If cs is nil, the entry corresponding to sessionKey is removed from the cache instead.

func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState)

QUICClient function #

QUICClient returns a new TLS client side connection using QUICTransport as the underlying transport. The config cannot be nil. The config's MinVersion must be at least TLS 1.3.

func QUICClient(config *QUICConfig) *QUICConn

QUICServer function #

QUICServer returns a new TLS server side connection using QUICTransport as the underlying transport. The config cannot be nil. The config's MinVersion must be at least TLS 1.3.

func QUICServer(config *QUICConfig) *QUICConn

Read method #

func (r *atLeastReader) Read(p []byte) (int, error)

Read method #

Read reads data from the connection. As Read calls [Conn.Handshake], in order to prevent indefinite blocking a deadline must be set for both Read and [Conn.Write] before Read is called when the handshake has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and [Conn.SetWriteDeadline].

func (c *Conn) Read(b []byte) (int, error)

RemoteAddr method #

RemoteAddr returns the remote network address.

func (c *Conn) RemoteAddr() net.Addr

Reset method #

func (c *cthWrapper) Reset()

ResumptionState method #

ResumptionState returns the session ticket sent by the server (also known as the session's identity) and the state necessary to resume this session. It can be called by [ClientSessionCache.Put] to serialize (with [SessionState.Bytes]) and store the session.

func (cs *ClientSessionState) ResumptionState() (ticket []byte, state *SessionState, err error)

Seal method #

func (f *prefixNonceAEAD) Seal(out []byte, nonce []byte, plaintext []byte, additionalData []byte) []byte

Seal method #

func (f *xorNonceAEAD) Seal(out []byte, nonce []byte, plaintext []byte, additionalData []byte) []byte

SendSessionTicket method #

SendSessionTicket sends a session ticket to the client. It produces connection events, which may be read with [QUICConn.NextEvent]. Currently, it can only be called once.

func (q *QUICConn) SendSessionTicket(opts QUICSessionTicketOptions) error

Server function #

Server returns a new TLS server side connection using conn as the underlying transport. The configuration config must be non-nil and must include at least one certificate or else set GetCertificate.

func Server(conn net.Conn, config *Config) *Conn

SetDeadline method #

SetDeadline sets the read and write deadlines associated with the connection. A zero value for t means [Conn.Read] and [Conn.Write] will not time out. After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.

func (c *Conn) SetDeadline(t time.Time) error

SetReadDeadline method #

SetReadDeadline sets the read deadline on the underlying connection. A zero value for t means [Conn.Read] will not time out.

func (c *Conn) SetReadDeadline(t time.Time) error

SetSessionTicketKeys method #

SetSessionTicketKeys updates the session ticket keys for a server. The first key will be used when creating new tickets, while all keys can be used for decrypting tickets. It is safe to call this function while the server is running in order to rotate the session ticket keys. The function will panic if keys is empty. Calling this function will turn off automatic session ticket key rotation. If multiple servers are terminating connections for the same host they should all have the same session ticket keys. If the session ticket keys leaks, previously recorded and future TLS connections using those keys might be compromised.

func (c *Config) SetSessionTicketKeys(keys [][32]byte)

SetTransportParameters method #

SetTransportParameters sets the transport parameters to send to the peer. Server connections may delay setting the transport parameters until after receiving the client's transport parameters. See [QUICTransportParametersRequired].

func (q *QUICConn) SetTransportParameters(params []byte)

SetWriteDeadline method #

SetWriteDeadline sets the write deadline on the underlying connection. A zero value for t means [Conn.Write] will not time out. After a [Conn.Write] has timed out, the TLS state is corrupt and all future writes will return the same error.

func (c *Conn) SetWriteDeadline(t time.Time) error

Size method #

func (c *cthWrapper) Size() int

Start method #

Start starts the client or server handshake protocol. It may produce connection events, which may be read with [QUICConn.NextEvent]. Start must be called at most once.

func (q *QUICConn) Start(ctx context.Context) error

StoreSession method #

StoreSession stores a session previously received in a QUICStoreSession event in the ClientSessionCache. The application may process additional events or modify the SessionState before storing the session.

func (q *QUICConn) StoreSession(session *SessionState) error

String method #

func (e alert) String() string

String method #

func (i SignatureScheme) String() string

String method #

func (i ClientAuthType) String() string

String method #

func (i CurveID) String() string

String method #

func (l QUICEncryptionLevel) String() string

Sum method #

func (h finishedHash) Sum() []byte

Sum method #

func (c *cthWrapper) Sum(b []byte) []byte

SupportsCertificate method #

SupportsCertificate returns nil if the provided certificate is supported by the client that sent the ClientHello. Otherwise, it returns an error describing the reason for the incompatibility. If this [ClientHelloInfo] was passed to a GetConfigForClient or GetCertificate callback, this method will take into account the associated [Config]. Note that if GetConfigForClient returns a different [Config], the change can't be accounted for by this method. This function will call x509.ParseCertificate unless c.Leaf is set, which can incur a significant performance cost.

func (chi *ClientHelloInfo) SupportsCertificate(c *Certificate) error

SupportsCertificate method #

SupportsCertificate returns nil if the provided certificate is supported by the server that sent the CertificateRequest. Otherwise, it returns an error describing the reason for the incompatibility.

func (cri *CertificateRequestInfo) SupportsCertificate(c *Certificate) error

Temporary method #

func (e *permanentError) Temporary() bool

Temporary method #

func (timeoutError) Temporary() bool

Timeout method #

func (e *permanentError) Timeout() bool

Timeout method #

func (timeoutError) Timeout() bool

Unwrap method #

func (e *CertificateVerificationError) Unwrap() error

Unwrap method #

func (e *permanentError) Unwrap() error

VerifyHostname method #

VerifyHostname checks that the peer certificate chain is valid for connecting to host. If so, it returns nil; if not, it returns an error describing the problem.

func (c *Conn) VerifyHostname(host string) error

VersionName function #

VersionName returns the name for the provided TLS version number (e.g. "TLS 1.3"), or a fallback representation of the value if the version is not implemented by this package.

func VersionName(version uint16) string

Write method #

func (h *finishedHash) Write(msg []byte) (n int, err error)

Write method #

func (c *cthWrapper) Write(p []byte) (int, error)

Write method #

Write writes data to the connection. As Write calls [Conn.Handshake], in order to prevent indefinite blocking a deadline must be set for both [Conn.Read] and Write before Write is called when the handshake has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and [Conn.SetWriteDeadline].

func (c *Conn) Write(b []byte) (int, error)

X509KeyPair function #

X509KeyPair parses a public/private key pair from a pair of PEM encoded data. On successful return, Certificate.Leaf will be populated. Before Go 1.23 Certificate.Leaf was left nil, and the parsed certificate was discarded. This behavior can be re-enabled by setting "x509keypairleaf=0" in the GODEBUG environment variable.

func X509KeyPair(certPEMBlock []byte, keyPEMBlock []byte) (Certificate, error)

_ function #

func _()

_ function #

func _()

_ function #

func _()

active method #

active increments the number of references to the entry, wraps the certificate in the entry in an activeCert, and sets the finalizer. Note that there is a race between active and the finalizer set on the returned activeCert, triggered if active is called after the ref count is decremented such that refs may be > 0 when evict is called. We consider this safe, since the caller holding an activeCert for an entry that is no longer in the cache is fine, with the only side effect being the memory overhead of there being more than one distinct reference to a certificate alive at once.

func (cc *certCache) active(e *cacheEntry) *activeCert

addBytesWithLength function #

addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If the length of the sequence is not the value specified, it produces an error.

func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int)

addUint64 function #

addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.

func addUint64(b *cryptobyte.Builder, v uint64)

aeadAESGCM function #

func aeadAESGCM(key []byte, noncePrefix []byte) aead

aeadAESGCMTLS13 function #

aeadAESGCMTLS13 should be an internal detail, but widely used packages access it using linkname. Notable members of the hall of shame include: - github.com/xtls/xray-core - github.com/v2fly/v2ray-core Do not remove or change the type signature. See go.dev/issue/67401. go:linkname aeadAESGCMTLS13

func aeadAESGCMTLS13(key []byte, nonceMask []byte) aead

aeadChaCha20Poly1305 function #

func aeadChaCha20Poly1305(key []byte, nonceMask []byte) aead

aesgcmPreferred function #

aesgcmPreferred returns whether the first known cipher in the preference list is an AES-GCM cipher, implying the peer has hardware support for it.

func aesgcmPreferred(ciphers []uint16) bool

buildRetryConfigList function #

func buildRetryConfigList(keys []EncryptedClientHelloKey) ([]byte, error)

certificateRequestInfoFromMsg function #

certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS <= 1.2 CertificateRequest, making an effort to fill in missing information.

func certificateRequestInfoFromMsg(ctx context.Context, vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo

certificatesToBytesSlice function #

func certificatesToBytesSlice(certs []*x509.Certificate) [][]byte

changeCipherSpec method #

changeCipherSpec changes the encryption and MAC states to the ones previously passed to prepareCipherSpec.

func (hc *halfConn) changeCipherSpec() error

checkALPN function #

checkALPN ensure that the server's choice of ALPN protocol is compatible with the protocols that we advertised in the ClientHello.

func checkALPN(clientProtos []string, serverProto string, quic bool) error

checkForResumption method #

checkForResumption reports whether we should perform resumption on this connection.

func (hs *serverHandshakeState) checkForResumption() error

checkForResumption method #

func (hs *serverHandshakeStateTLS13) checkForResumption() error

checkKeySize function #

func checkKeySize(n int) (max int, ok bool)

checkServerHelloOrHRR method #

checkServerHelloOrHRR does validity checks that apply to both ServerHello and HelloRetryRequest messages. It sets hs.suite.

func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error

cipher3DES function #

func cipher3DES(key []byte, iv []byte, isRead bool) any

cipherAES function #

func cipherAES(key []byte, iv []byte, isRead bool) any

cipherRC4 function #

func cipherRC4(key []byte, iv []byte, isRead bool) any

cipherSuiteByID function #

func cipherSuiteByID(id uint16) *cipherSuite

cipherSuiteOk method #

func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool

cipherSuiteTLS13ByID function #

func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13

cipherSuites method #

func (c *Config) cipherSuites() []uint16

clientHandshake method #

func (c *Conn) clientHandshake(ctx context.Context) (err error)

clientHelloInfo function #

func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo

clientSessionCacheKey method #

clientSessionCacheKey returns a key used to cache sessionTickets that could be used to resume previously negotiated TLS sessions with a server.

func (c *Conn) clientSessionCacheKey() string

clientSum method #

clientSum returns the contents of the verify_data member of a client's Finished message.

func (h finishedHash) clientSum(masterSecret []byte) []byte

clone method #

func (m *clientHelloMsg) clone() *clientHelloMsg

cloneHash function #

cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces implemented by standard library hashes to clone the state of in to a new instance of h. It returns nil if the operation fails.

func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash

closeNotify method #

func (c *Conn) closeNotify() error

computeAndUpdateOuterECHExtension function #

func computeAndUpdateOuterECHExtension(outer *clientHelloMsg, inner *clientHelloMsg, ech *echClientContext, useKey bool) error

computeAndUpdatePSK function #

func computeAndUpdatePSK(m *clientHelloMsg, binderKey []byte, transcript hash.Hash, finishedHash func([]byte, hash.Hash) []byte) error

connectionStateLocked method #

func (c *Conn) connectionStateLocked() ConnectionState

curveForCurveID function #

func curveForCurveID(id CurveID) (ecdh.Curve, bool)

curveIDForCurve function #

func curveIDForCurve(curve ecdh.Curve) (CurveID, bool)

curvePreferences method #

func (c *Config) curvePreferences(version uint16) []CurveID

decodeInnerClientHello function #

func decodeInnerClientHello(outer *clientHelloMsg, encoded []byte) (*clientHelloMsg, error)

decrypt method #

decrypt authenticates and decrypts the record if protection is active at this stage. The returned plaintext might overlap with the input.

func (hc *halfConn) decrypt(record []byte) ([]byte, recordType, error)

decryptECHPayload function #

func decryptECHPayload(context *hpke.Receipient, hello []byte, payload []byte) ([]byte, error)

decryptTicket method #

func (c *Config) decryptTicket(encrypted []byte, ticketKeys []ticketKey) []byte

defaultCipherSuites function #

func defaultCipherSuites() []uint16

defaultConfig function #

func defaultConfig() *Config

defaultCurvePreferences function #

defaultCurvePreferences is the default set of supported key exchanges, as well as the preference order.

func defaultCurvePreferences() []CurveID

dial function #

func dial(ctx context.Context, netDialer *net.Dialer, network string, addr string, config *Config) (*Conn, error)

discardHandshakeBuffer method #

discardHandshakeBuffer is called when there is no more need to buffer the entirety of the handshake messages.

func (h *finishedHash) discardHandshakeBuffer()

doFullHandshake method #

func (hs *serverHandshakeState) doFullHandshake() error

doFullHandshake method #

func (hs *clientHandshakeState) doFullHandshake() error

doHelloRetryRequest method #

func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) (*keyShare, error)

doResumeHandshake method #

func (hs *serverHandshakeState) doResumeHandshake() error

ecdheECDSAKA function #

func ecdheECDSAKA(version uint16) keyAgreement

ecdheRSAKA function #

func ecdheRSAKA(version uint16) keyAgreement

ekmFromMasterSecret function #

ekmFromMasterSecret generates exported keying material as defined in RFC 5705.

func ekmFromMasterSecret(version uint16, suite *cipherSuite, masterSecret []byte, clientRandom []byte, serverRandom []byte) (func(string, []byte, int) ([]byte, error))

encodeInnerClientHello function #

func encodeInnerClientHello(inner *clientHelloMsg, maxNameLength int) ([]byte, error)

encrypt method #

encrypt encrypts payload, adding the appropriate nonce and/or MAC, and appends it to record, which must already contain the record header.

func (hc *halfConn) encrypt(record []byte, payload []byte, rand io.Reader) ([]byte, error)

encryptTicket method #

func (c *Config) encryptTicket(state []byte, ticketKeys []ticketKey) ([]byte, error)

establishHandshakeKeys method #

func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error

establishKeys method #

func (hs *serverHandshakeState) establishKeys() error

establishKeys method #

func (hs *clientHandshakeState) establishKeys() error

evict method #

evict removes a cacheEntry from the cache.

func (cc *certCache) evict(e *cacheEntry)

explicitNonceLen method #

func (f *prefixNonceAEAD) explicitNonceLen() int

explicitNonceLen method #

explicitNonceLen returns the number of bytes of explicit nonce or IV included in each record. Explicit nonces are present only in CBC modes after TLS 1.0 and in certain AEAD modes in TLS 1.2.

func (hc *halfConn) explicitNonceLen() int

explicitNonceLen method #

func (f *xorNonceAEAD) explicitNonceLen() int

exportKeyingMaterial method #

exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to RFC 8446, Section 7.5.

func (c *cipherSuiteTLS13) exportKeyingMaterial(s *tls13.MasterSecret, transcript hash.Hash) (func(string, []byte, int) ([]byte, error))

extMasterFromPreMasterSecret function #

extMasterFromPreMasterSecret generates the extended master secret from the pre-master secret. See RFC 7627.

func extMasterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret []byte, transcript []byte) []byte

extractPadding function #

extractPadding returns, in constant time, the length of the padding to remove from the end of payload. It also returns a byte which is equal to 255 if the padding was valid and 0 otherwise. See RFC 2246, Section 6.2.3.2.

func extractPadding(payload []byte) (toRemove int, good byte)

extractRawExtensions function #

func extractRawExtensions(hello *clientHelloMsg) ([]rawExtension, error)

finishedHash method #

finishedHash generates the Finished verify_data or PskBinderEntry according to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey selection.

func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte

fipsAllowCert function #

func fipsAllowCert(c *x509.Certificate) bool

fipsAllowChain function #

func fipsAllowChain(chain []*x509.Certificate) bool

fipsAllowedChains function #

fipsAllowedChains returns chains that are allowed to be used in a TLS connection based on the current fips140tls enforcement setting. If fips140tls is not required, the chains are returned as-is with no processing. Otherwise, the returned chains are filtered to only those allowed by FIPS 140-3. If this results in no chains it returns an error.

func fipsAllowedChains(chains [][]*x509.Certificate) ([][]*x509.Certificate, error)

flush method #

func (c *Conn) flush() (int, error)

generateClientKeyExchange method #

func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)

generateClientKeyExchange method #

func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)

generateECDHEKey function #

generateECDHEKey returns a PrivateKey that implements Diffie-Hellman according to RFC 8446, Section 4.2.8.2.

func generateECDHEKey(rand io.Reader, curveID CurveID) (*ecdh.PrivateKey, error)

generateOuterECHExt function #

func generateOuterECHExt(id uint8, kdfID uint16, aeadID uint16, encodedKey []byte, payload []byte) ([]byte, error)

generateServerKeyExchange method #

func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error)

generateServerKeyExchange method #

func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error)

getCertificate method #

getCertificate returns the best certificate for the given ClientHelloInfo, defaulting to the first element of c.Certificates.

func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error)

getClientCertificate method #

func (c *Conn) getClientCertificate(cri *CertificateRequestInfo) (*Certificate, error)

handleKeyUpdate method #

func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error

handleNewSessionTicket method #

func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error

handlePostHandshakeMessage method #

handlePostHandshakeMessage processes a handshake message arrived after the handshake is complete. Up to TLS 1.2, it indicates the start of a renegotiation.

func (c *Conn) handlePostHandshakeMessage() error

handleRenegotiation method #

handleRenegotiation processes a HelloRequest handshake message.

func (c *Conn) handleRenegotiation() error

handshake method #

func (hs *serverHandshakeStateTLS13) handshake() error

handshake method #

handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and, optionally, hs.session, hs.earlySecret and hs.binderKey to be set.

func (hs *clientHandshakeStateTLS13) handshake() error

handshake method #

func (hs *serverHandshakeState) handshake() error

handshake method #

Does the handshake, either a full one or resumes old session. Requires hs.c, hs.hello, hs.serverHello, and, optionally, hs.session to be set.

func (hs *clientHandshakeState) handshake() error

handshakeContext method #

func (c *Conn) handshakeContext(ctx context.Context) (ret error)

hashForClientCertificate method #

hashForClientCertificate returns the handshake messages so far, pre-hashed if necessary, suitable for signing by a TLS client certificate.

func (h finishedHash) hashForClientCertificate(sigType uint8, hashAlg crypto.Hash) []byte

hashForServerKeyExchange function #

hashForServerKeyExchange hashes the given slices and returns their digest using the given hash function (for TLS 1.2) or using a default based on the sigType (for earlier TLS versions). For Ed25519 signatures, which don't do pre-hashing, it returns the concatenation of the slices.

func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) []byte

hostnameInSNI function #

hostnameInSNI converts name into an appropriate hostname for SNI. Literal IP addresses and absolute FQDNs are not permitted as SNI values. See RFC 6066, Section 3.

func hostnameInSNI(name string) string

illegalClientHelloChange function #

illegalClientHelloChange reports whether the two ClientHello messages are different, with the exception of the changes allowed before and after a HelloRetryRequest. See RFC 8446, Section 4.1.2.

func illegalClientHelloChange(ch *clientHelloMsg, ch1 *clientHelloMsg) bool

incSeq method #

incSeq increments the sequence number.

func (hc *halfConn) incSeq()

init function #

func init()

initLegacySessionTicketKeyRLocked method #

initLegacySessionTicketKeyRLocked ensures the legacy SessionTicketKey field is randomized if empty, and that sessionTicketKeys is populated from it otherwise.

func (c *Config) initLegacySessionTicketKeyRLocked()

isPQKeyExchange function #

func isPQKeyExchange(curve CurveID) bool

isSupportedSignatureAlgorithm function #

func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool

isTLS13OnlyKeyExchange function #

func isTLS13OnlyKeyExchange(curve CurveID) bool

keysFromMasterSecret function #

keysFromMasterSecret generates the connection keys from the master secret, given the lengths of the MAC key, cipher key and IV, as defined in RFC 2246, Section 6.3.

func keysFromMasterSecret(version uint16, suite *cipherSuite, masterSecret []byte, clientRandom []byte, serverRandom []byte, macLen int, keyLen int, ivLen int) (clientMAC []byte, serverMAC []byte, clientKey []byte, serverKey []byte, clientIV []byte, serverIV []byte)

leaf method #

leaf returns the parsed leaf certificate, either from c.Leaf or by parsing the corresponding c.Certificate[0].

func (c *Certificate) leaf() (*x509.Certificate, error)

legacyTypeAndHashFromPublicKey function #

legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for a given public key used with TLS 1.0 and 1.1, before the introduction of signature algorithm negotiation.

func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error)

loadSession method #

func (c *Conn) loadSession(hello *clientHelloMsg) (session *SessionState, earlySecret *tls13.EarlySecret, binderKey []byte, err error)

macSHA1 function #

macSHA1 returns a SHA-1 based constant time MAC.

func macSHA1(key []byte) hash.Hash

macSHA256 function #

macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and is currently only used in disabled-by-default cipher suites.

func macSHA256(key []byte) hash.Hash

makeClientHello method #

func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echClientContext, error)

marshal method #

func (m *certificateVerifyMsg) marshal() ([]byte, error)

marshal method #

func (m *keyUpdateMsg) marshal() ([]byte, error)

marshal method #

func (m *clientHelloMsg) marshal() ([]byte, error)

marshal method #

func (m *serverHelloMsg) marshal() ([]byte, error)

marshal method #

func (m *endOfEarlyDataMsg) marshal() ([]byte, error)

marshal method #

func (m *certificateMsg) marshal() ([]byte, error)

marshal method #

func (m *encryptedExtensionsMsg) marshal() ([]byte, error)

marshal method #

func (m *certificateRequestMsg) marshal() ([]byte, error)

marshal method #

func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error)

marshal method #

func (m *certificateMsgTLS13) marshal() ([]byte, error)

marshal method #

func (m *certificateRequestMsgTLS13) marshal() ([]byte, error)

marshal method #

func (m *clientKeyExchangeMsg) marshal() ([]byte, error)

marshal method #

func (m *serverHelloDoneMsg) marshal() ([]byte, error)

marshal method #

func (m *serverKeyExchangeMsg) marshal() ([]byte, error)

marshal method #

func (*helloRequestMsg) marshal() ([]byte, error)

marshal method #

func (m *newSessionTicketMsg) marshal() ([]byte, error)

marshal method #

func (m *finishedMsg) marshal() ([]byte, error)

marshal method #

func (m *certificateStatusMsg) marshal() ([]byte, error)

marshalCertificate function #

func marshalCertificate(b *cryptobyte.Builder, certificate Certificate)

marshalEncryptedClientHelloConfigList function #

func marshalEncryptedClientHelloConfigList(configs []EncryptedClientHelloKey) ([]byte, error)

marshalMsg method #

func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error)

marshalWithoutBinders method #

marshalWithoutBinders returns the ClientHello through the PreSharedKeyExtension.identities field, according to RFC 8446, Section 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.

func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error)

masterFromPreMasterSecret function #

masterFromPreMasterSecret generates the master secret from the pre-master secret. See RFC 5246, Section 8.1.

func masterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret []byte, clientRandom []byte, serverRandom []byte) []byte

maxPayloadSizeForWrite method #

maxPayloadSizeForWrite returns the maximum TLS payload size to use for the next application data record. There is the following trade-off: - For latency-sensitive applications, such as web browsing, each TLS record should fit in one TCP segment. - For throughput-sensitive applications, such as large file transfers, larger TLS records better amortize framing and encryption overheads. A simple heuristic that works well in practice is to use small records for the first 1MB of data, then use larger records for subsequent data, and reset back to smaller records after the connection becomes idle. See "High Performance Web Networking", Chapter 4, or: https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/ In the interests of simplicity and determinism, this code does not attempt to reset the record size once the connection is idle, however.

func (c *Conn) maxPayloadSizeForWrite(typ recordType) int

maxSupportedVersion method #

func (c *Config) maxSupportedVersion(isClient bool) uint16

md5SHA1Hash function #

md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the concatenation of an MD5 and SHA1 hash.

func md5SHA1Hash(slices [][]byte) []byte

mutualCipherSuite function #

mutualCipherSuite returns a cipherSuite given a list of supported ciphersuites and the id requested by the peer.

func mutualCipherSuite(have []uint16, want uint16) *cipherSuite

mutualCipherSuiteTLS13 function #

func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13

mutualVersion method #

mutualVersion returns the protocol version to use given the advertised versions of the peer. Priority is given to the peer preference order.

func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool)

negotiateALPN function #

negotiateALPN picks a shared ALPN protocol that both sides support in server preference order. If ALPN is not configured or the peer doesn't support it, it returns "" and no error.

func negotiateALPN(serverProtos []string, clientProtos []string, quic bool) (string, error)

netDialer method #

func (d *Dialer) netDialer() *net.Dialer

newCert method #

newCert returns a x509.Certificate parsed from der. If there is already a copy of the certificate in the cache, a reference to the existing certificate will be returned. Otherwise, a fresh certificate will be added to the cache, and the reference returned. The returned reference should not be mutated.

func (cc *certCache) newCert(der []byte) (*activeCert, error)

newConstantTimeHash function #

func newConstantTimeHash(h func() hash.Hash) (func() hash.Hash)

newFinishedHash function #

func newFinishedHash(version uint16, cipherSuite *cipherSuite) finishedHash

newQUICConn function #

func newQUICConn(conn *Conn, config *QUICConfig) *QUICConn

newRecordHeaderError method #

func (c *Conn) newRecordHeaderError(conn net.Conn, msg string) (err RecordHeaderError)

nextTrafficSecret method #

nextTrafficSecret generates the next traffic secret, given the current one, according to RFC 8446, Section 7.2.

func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte

noEKMBecauseNoEMS function #

noEKMBecauseNoEMS is used as a value of ConnectionState.ekm when Extended Master Secret is not negotiated and thus we wish to fail all key-material export requests.

func noEKMBecauseNoEMS(label string, context []byte, length int) ([]byte, error)

noEKMBecauseRenegotiation function #

noEKMBecauseRenegotiation is used as a value of ConnectionState.ekm when renegotiation is enabled and thus we wish to fail all key-material export requests.

func noEKMBecauseRenegotiation(label string, context []byte, length int) ([]byte, error)

originalBytes method #

func (m *clientHelloMsg) originalBytes() []byte

originalBytes method #

func (m *serverHelloMsg) originalBytes() []byte

pHash function #

pHash implements the P_hash function, as defined in RFC 4346, Section 5.

func pHash(result []byte, secret []byte, seed []byte, hash func() hash.Hash)

parseECHConfig function #

func parseECHConfig(enc []byte) (skip bool, ec echConfig, err error)

parseECHConfigList function #

parseECHConfigList parses a draft-ietf-tls-esni-18 ECHConfigList, returning a slice of parsed ECHConfigs, in the same order they were parsed, or an error if the list is malformed.

func parseECHConfigList(data []byte) ([]echConfig, error)

parseECHExt function #

func parseECHExt(ext []byte) (echType echExtType, cs echCipher, configID uint8, encap []byte, payload []byte, err error)

parsePrivateKey function #

Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates PKCS #1 private keys by default, while OpenSSL 1.0.0 generates PKCS #8 keys. OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.

func parsePrivateKey(der []byte) (crypto.PrivateKey, error)

pickCertificate method #

func (hs *serverHandshakeStateTLS13) pickCertificate() error

pickCipherSuite method #

func (hs *clientHandshakeState) pickCipherSuite() error

pickCipherSuite method #

func (hs *serverHandshakeState) pickCipherSuite() error

pickECHCipherSuite function #

func pickECHCipherSuite(suites []echCipher) (echCipher, error)

pickECHConfig function #

func pickECHConfig(list []echConfig) *echConfig

pickTLSVersion method #

func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error

prepareCipherSpec method #

prepareCipherSpec sets the encryption and MAC states that a subsequent changeCipherSpec will use.

func (hc *halfConn) prepareCipherSpec(version uint16, cipher any, mac hash.Hash)

prf10 function #

prf10 implements the TLS 1.0 pseudo-random function, as defined in RFC 2246, Section 5.

func prf10(secret []byte, label string, seed []byte, keyLen int) []byte

prf12 function #

prf12 implements the TLS 1.2 pseudo-random function, as defined in RFC 5246, Section 5.

func prf12(hashFunc func() hash.Hash) prfFunc

prfAndHashForVersion function #

func prfAndHashForVersion(version uint16, suite *cipherSuite) (prfFunc, crypto.Hash)

prfForVersion function #

func prfForVersion(version uint16, suite *cipherSuite) prfFunc

processCertsFromClient method #

processCertsFromClient takes a chain of client certificates either from a Certificates message and verifies them.

func (c *Conn) processCertsFromClient(certificate Certificate) error

processClientHello method #

func (hs *serverHandshakeState) processClientHello() error

processClientHello method #

func (hs *serverHandshakeStateTLS13) processClientHello() error

processClientKeyExchange method #

func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error)

processClientKeyExchange method #

func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error)

processECHClientHello method #

func (c *Conn) processECHClientHello(outer *clientHelloMsg) (*clientHelloMsg, *echServerContext, error)

processHelloRetryRequest method #

processHelloRetryRequest handles the HRR in hs.serverHello, modifies and resends hs.hello, and reads the new ServerHello into hs.serverHello.

func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error

processServerHello method #

func (hs *clientHandshakeState) processServerHello() (bool, error)

processServerHello method #

func (hs *clientHandshakeStateTLS13) processServerHello() error

processServerKeyExchange method #

func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error

processServerKeyExchange method #

func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error

quicError function #

quicError ensures err is an AlertError. If err is not already, quicError wraps it with alertInternalError.

func quicError(err error) error

quicGetTransportParameters method #

func (c *Conn) quicGetTransportParameters() ([]byte, error)

quicHandshakeComplete method #

func (c *Conn) quicHandshakeComplete()

quicReadHandshakeBytes method #

func (c *Conn) quicReadHandshakeBytes(n int) error

quicRejectedEarlyData method #

func (c *Conn) quicRejectedEarlyData()

quicResumeSession method #

func (c *Conn) quicResumeSession(session *SessionState) error

quicSetReadSecret method #

func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte)

quicSetTransportParameters method #

func (c *Conn) quicSetTransportParameters(params []byte)

quicSetWriteSecret method #

func (c *Conn) quicSetWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte)

quicStoreSession method #

func (c *Conn) quicStoreSession(session *SessionState)

quicWaitForSignal method #

quicWaitForSignal notifies the QUICConn that handshake progress is blocked, and waits for a signal that the handshake should proceed. The handshake may become blocked waiting for handshake bytes or for the user to provide transport parameters.

func (c *Conn) quicWaitForSignal() error

quicWriteCryptoData method #

func (c *Conn) quicWriteCryptoData(level QUICEncryptionLevel, data []byte)

rand method #

func (c *Config) rand() io.Reader

readChangeCipherSpec method #

func (c *Conn) readChangeCipherSpec() error

readClientCertificate method #

func (hs *serverHandshakeStateTLS13) readClientCertificate() error

readClientFinished method #

func (hs *serverHandshakeStateTLS13) readClientFinished() error

readClientHello method #

readClientHello reads a ClientHello message and selects the protocol version.

func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServerContext, error)

readFinished method #

func (hs *serverHandshakeState) readFinished(out []byte) error

readFinished method #

func (hs *clientHandshakeState) readFinished(out []byte) error

readFromUntil method #

readFromUntil reads from r into c.rawInput until c.rawInput contains at least n bytes or else returns an error.

func (c *Conn) readFromUntil(r io.Reader, n int) error

readHandshake method #

readHandshake reads the next handshake message from the record layer. If transcript is non-nil, the message is written to the passed transcriptHash.

func (c *Conn) readHandshake(transcript transcriptHash) (any, error)

readHandshakeBytes method #

readHandshakeBytes reads handshake data until c.hand contains at least n bytes.

func (c *Conn) readHandshakeBytes(n int) error

readRecord method #

func (c *Conn) readRecord() error

readRecordOrCCS method #

readRecordOrCCS reads one or more TLS records from the connection and updates the record layer state. Some invariants: - c.in must be locked - c.input must be empty During the handshake one and only one of the following will happen: - c.hand grows - c.in.changeCipherSpec is called - an error is returned After the handshake one and only one of the following will happen: - c.hand grows - c.input is set - an error is returned

func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error

readServerCertificate method #

func (hs *clientHandshakeStateTLS13) readServerCertificate() error

readServerFinished method #

func (hs *clientHandshakeStateTLS13) readServerFinished() error

readServerParameters method #

func (hs *clientHandshakeStateTLS13) readServerParameters() error

readSessionTicket method #

func (hs *clientHandshakeState) readSessionTicket() error

readUint16LengthPrefixed function #

readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a []byte instead of a cryptobyte.String.

func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool

readUint24LengthPrefixed function #

readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a []byte instead of a cryptobyte.String.

func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool

readUint64 function #

readUint64 decodes a big-endian, 64-bit value into out and advances over it. It reports whether the read was successful.

func readUint64(s *cryptobyte.String, out *uint64) bool

readUint8LengthPrefixed function #

readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a []byte instead of a cryptobyte.String.

func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool

requestClientCert method #

func (hs *serverHandshakeStateTLS13) requestClientCert() bool

requiresClientCert function #

requiresClientCert reports whether the ClientAuthType requires a client certificate to be provided.

func requiresClientCert(c ClientAuthType) bool

retryReadRecord method #

retryReadRecord recurs into readRecordOrCCS to drop a non-advancing record, like a warning alert, empty application_data, or a change_cipher_spec in TLS 1.3.

func (c *Conn) retryReadRecord(expectChangeCipherSpec bool) error

roundUp function #

func roundUp(a int, b int) int

rsaKA function #

func rsaKA(version uint16) keyAgreement

saveSessionTicket method #

func (hs *clientHandshakeState) saveSessionTicket() error

selectCipherSuite function #

selectCipherSuite returns the first TLS 1.0–1.2 cipher suite from ids which is also in supportedIDs and passes the ok filter.

func selectCipherSuite(ids []uint16, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite

selectSignatureScheme function #

selectSignatureScheme picks a SignatureScheme from the peer's preference list that works with the selected certificate. It's only called for protocol versions that support signature algorithms, so TLS 1.2 and 1.3.

func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error)

sendAlert method #

sendAlert sends a TLS alert message.

func (c *Conn) sendAlert(err alert) error

sendAlertLocked method #

sendAlertLocked sends a TLS alert message.

func (c *Conn) sendAlertLocked(err alert) error

sendClientCertificate method #

func (hs *clientHandshakeStateTLS13) sendClientCertificate() error

sendClientFinished method #

func (hs *clientHandshakeStateTLS13) sendClientFinished() error

sendDummyChangeCipherSpec method #

sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.

func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error

sendDummyChangeCipherSpec method #

sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.

func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error

sendFinished method #

func (hs *clientHandshakeState) sendFinished(out []byte) error

sendFinished method #

func (hs *serverHandshakeState) sendFinished(out []byte) error

sendServerCertificate method #

func (hs *serverHandshakeStateTLS13) sendServerCertificate() error

sendServerFinished method #

func (hs *serverHandshakeStateTLS13) sendServerFinished() error

sendServerParameters method #

func (hs *serverHandshakeStateTLS13) sendServerParameters() error

sendSessionTicket method #

func (hs *serverHandshakeState) sendSessionTicket() error

sendSessionTicket method #

func (c *Conn) sendSessionTicket(earlyData bool, extra [][]byte) error

sendSessionTickets method #

func (hs *serverHandshakeStateTLS13) sendSessionTickets() error

serverHandshake method #

serverHandshake performs a TLS handshake as a server.

func (c *Conn) serverHandshake(ctx context.Context) error

serverResumedSession method #

func (hs *clientHandshakeState) serverResumedSession() bool

serverSum method #

serverSum returns the contents of the verify_data member of a server's Finished message.

func (h finishedHash) serverSum(masterSecret []byte) []byte

sessionState method #

sessionState returns a partially filled-out [SessionState] with information from the current connection.

func (c *Conn) sessionState() *SessionState

setErrorLocked method #

func (hc *halfConn) setErrorLocked(err error) error

setTrafficSecret method #

func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte)

sha1Hash function #

sha1Hash calculates a SHA1 hash over the given byte slices.

func sha1Hash(slices [][]byte) []byte

shouldSendSessionTickets method #

func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool

signatureSchemesForCertificate function #

signatureSchemesForCertificate returns the list of supported SignatureSchemes for a given certificate, based on the public key and the protocol version, and optionally filtered by its explicit SupportedSignatureAlgorithms. This function must be kept in sync with supportedSignatureAlgorithms. FIPS filtering is applied in the caller, selectSignatureScheme.

func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme

signedMessage function #

signedMessage returns the pre-hashed (if necessary) message to be signed by certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3.

func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte

skipUint16LengthPrefixed function #

func skipUint16LengthPrefixed(s *cryptobyte.String) bool

skipUint8LengthPrefixed function #

func skipUint8LengthPrefixed(s *cryptobyte.String) bool

sliceForAppend function #

sliceForAppend extends the input slice by n bytes. head is the full extended slice, while tail is the appended part. If the original slice has sufficient capacity no allocation is performed.

func sliceForAppend(in []byte, n int) (head []byte, tail []byte)

splitPreMasterSecret function #

Split a premaster secret in two as specified in RFC 4346, Section 5.

func splitPreMasterSecret(secret []byte) (s1 []byte, s2 []byte)

supportedSignatureAlgorithms function #

supportedSignatureAlgorithms returns the supported signature algorithms.

func supportedSignatureAlgorithms() []SignatureScheme

supportedVersions method #

func (c *Config) supportedVersions(isClient bool) []uint16

supportedVersionsFromMax function #

supportedVersionsFromMax returns a list of supported versions derived from a legacy maximum version value. Note that only versions supported by this library are returned. Any newer peer will use supportedVersions anyway.

func supportedVersionsFromMax(maxVersion uint16) []uint16

supportsCurve method #

func (c *Config) supportsCurve(version uint16, curve CurveID) bool

supportsECDHE function #

supportsECDHE returns whether ECDHE key exchanges can be used with this pre-TLS 1.3 client.

func supportsECDHE(c *Config, version uint16, supportedCurves []CurveID, supportedPoints []uint8) bool

ticketKeyFromBytes method #

ticketKeyFromBytes converts from the external representation of a session ticket key to a ticketKey. Externally, session ticket keys are 32 random bytes and this function expands that into sufficient name and key material.

func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey)

ticketKeys method #

ticketKeys returns the ticketKeys for this connection. If configForClient has explicitly set keys, those will be returned. Otherwise, the keys on c will be used and may be rotated if auto-managed. During rotation, any expired session ticket keys are deleted from c.sessionTicketKeys. If the session ticket key that is currently encrypting tickets (ie. the first ticketKey in c.sessionTicketKeys) is not fresh, then a new session ticket key will be created and prepended to c.sessionTicketKeys.

func (c *Config) ticketKeys(configForClient *Config) []ticketKey

time method #

func (c *Config) time() time.Time

tls10MAC function #

tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3.

func tls10MAC(h hash.Hash, out []byte, seq []byte, header []byte, data []byte, extra []byte) []byte

trafficKey method #

trafficKey generates traffic keys according to RFC 8446, Section 7.3.

func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key []byte, iv []byte)

transcriptMsg function #

transcriptMsg is a helper used to hash messages which are not hashed when they are read from, or written to, the wire. This is typically the case for messages which are either not sent, or need to be hashed out of order from when they are read/written. For most messages, the message is marshalled using their marshal method, since their wire representation is idempotent. For clientHelloMsg and serverHelloMsg, we store the original wire representation of the message and use that for hashing, since unmarshal/marshal are not idempotent due to extension ordering and other malleable fields, which may cause differences between what was received and what we marshal.

func transcriptMsg(msg handshakeMessage, h transcriptHash) error

typeAndHashFromSignatureScheme function #

typeAndHashFromSignatureScheme returns the corresponding signature type and crypto.Hash for a given TLS SignatureScheme.

func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error)

unexpectedMessageError function #

func unexpectedMessageError(wanted any, got any) error

unmarshal method #

func (m *certificateMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *clientHelloMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool

unmarshal method #

func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *keyUpdateMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *certificateStatusMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *finishedMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *certificateMsgTLS13) unmarshal(data []byte) bool

unmarshal method #

func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *certificateRequestMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *serverHelloMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool

unmarshal method #

func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *newSessionTicketMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *serverHelloDoneMsg) unmarshal(data []byte) bool

unmarshal method #

func (*helloRequestMsg) unmarshal(data []byte) bool

unmarshal method #

func (m *certificateVerifyMsg) unmarshal(data []byte) bool

unmarshalCertificate function #

func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool

unmarshalHandshakeMessage method #

func (c *Conn) unmarshalHandshakeMessage(data []byte, transcript transcriptHash) (handshakeMessage, error)

unsupportedCertificateError function #

unsupportedCertificateError returns a helpful error for certificates with an unsupported private key.

func unsupportedCertificateError(cert *Certificate) error

updateBinders method #

updateBinders updates the m.pskBinders field. The supplied binders must have the same length as the current m.pskBinders.

func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error

validDNSName function #

validDNSName is a rather rudimentary check for the validity of a DNS name. This is used to check if the public_name in a ECHConfig is valid when we are picking a config. This can be somewhat lax because even if we pick a valid-looking name, the DNS layer will later reject it anyway.

func validDNSName(name string) bool

verifyHandshakeSignature function #

verifyHandshakeSignature verifies a signature against pre-hashed (if required) handshake contents.

func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed []byte, sig []byte) error

verifyServerCertificate method #

verifyServerCertificate parses and verifies the provided chain, setting c.verifiedChains and c.peerCertificates or sending the appropriate alert.

func (c *Conn) verifyServerCertificate(certificates [][]byte) error

write method #

func (c *Conn) write(data []byte) (int, error)

writeChangeCipherRecord method #

writeChangeCipherRecord writes a ChangeCipherSpec message to the connection and updates the record layer state.

func (c *Conn) writeChangeCipherRecord() error

writeHandshakeRecord method #

writeHandshakeRecord writes a handshake message to the connection and updates the record layer state. If transcript is non-nil the marshaled message is written to it.

func (c *Conn) writeHandshakeRecord(msg handshakeMessage, transcript transcriptHash) (int, error)

writeKeyLog method #

func (c *Config) writeKeyLog(label string, clientRandom []byte, secret []byte) error

writeRecordLocked method #

writeRecordLocked writes a TLS record with the given type and payload to the connection and updates the record layer state.

func (c *Conn) writeRecordLocked(typ recordType, data []byte) (int, error)