@FiloSottile
Last active July 10, 2017 19:56
@@ -8,6 +8,7 @@
CONSTANTS
const (
+ // TLS 1.0 - 1.2 cipher suites.
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
@@ -31,6 +32,11 @@
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca8
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca9
+ // TLS 1.3+ cipher suites.
+ TLS_AES_128_GCM_SHA256 uint16 = 0x1301
+ TLS_AES_256_GCM_SHA384 uint16 = 0x1302
+ TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
+
// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
// that the client is doing version fallback. See
// https://tools.ietf.org/html/rfc7507.
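Review bot: the new `// TLS 1.3+ cipher suites.` comment should say how these three constants relate to the TLS 1.0 - 1.2 list above them: TLS 1.3 suites only name an AEAD and a hash, carry no key-exchange or signature algorithm, and cannot be negotiated by a TLS 1.2 connection, while the `TLS_RSA_*` / `TLS_ECDHE_*` suites cannot be negotiated by a TLS 1.3 connection. Without that sentence a reader who passes only the `TLS_AES_*` values (or only the old ones) into `Config.CipherSuites` will not know that one of the two protocol versions has just been made unusable.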
@@ -43,10 +49,12 @@
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
const (
VersionSSL30 = 0x0300
VersionTLS10 = 0x0301
VersionTLS11 = 0x0302
VersionTLS12 = 0x0303
+ VersionTLS13 = 0x0304
)
FUNCTIONS
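Review bot: `VersionTLS13 = 0x0304` lands with no doc comment, yet the `Config` fields further down cite `draft-ietf-tls-tls13-18`, so this is draft support rather than a final standard. Add a comment stating the draft status and which draft is implemented, so a caller setting `MinVersion` or `MaxVersion` to this constant knows what wire behaviour to expect, and state explicitly whether the default `MaxVersion` now moves from `VersionTLS12` to `VersionTLS13`.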
@@ -173,6 +181,18 @@ type ClientHelloInfo struct
// from, or write to, this connection; that will cause the TLS
// connection to fail.
Conn net.Conn
+
+ // Offered0RTTData is true if the client announced that it will send
+ // 0-RTT data. If the server Config.Accept0RTTData is true, and the
+ // client offered a session ticket valid for that purpose, it will
+ // be notified that the 0-RTT data is accepted and it will be made
+ // immediately available for Read.
+ Offered0RTTData bool
+
+ // The Fingerprint is an sequence of bytes unique to this Client Hello.
+ // It can be used to prevent or mitigate 0-RTT data replays as it's
+ // guaranteed that a replayed connection will have the same Fingerprint.
+ Fingerprint []byte
}
ClientHelloInfo contains information from a ClientHello message in order
to guide certificate selection in the GetCertificate callback.
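Review bot: the `Fingerprint` comment promises bytes "unique to this Client Hello", but the only property it can actually guarantee is the one in the next sentence, that a replayed ClientHello yields the same value; two distinct clients sending byte-identical ClientHellos (same ticket, same random) would also collide, so "unique" overstates it. Say what the bytes are derived from and their fixed length so a server can size a replay-detection cache, and note that the value is only useful for dedup when `Offered0RTTData` is true. Also "an sequence" should read "a sequence", and "it will be notified" in the `Offered0RTTData` comment is ambiguous: the subject should be the client, not the server.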
@@ -314,10 +338,15 @@ type Config struct
// This should be used only for testing.
InsecureSkipVerify bool
// CipherSuites is a list of supported cipher suites. If CipherSuites
// is nil, TLS uses a list of suites supported by the implementation.
+ // TLS 1.3 uses a default set of secure cipher suites.
CipherSuites []uint16
// PreferServerCipherSuites controls whether the server selects the
// client's most preferred ciphersuite, or the server's most preferred
// ciphersuite. If true then the server's preference, as expressed in
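Review bot: "TLS 1.3 uses a default set of secure cipher suites." does not answer the question a caller of `CipherSuites` has, namely whether the `TLS_AES_128_GCM_SHA256` / `TLS_AES_256_GCM_SHA384` / `TLS_CHACHA20_POLY1305_SHA256` constants are honoured when listed here or whether TLS 1.3 always ignores this field. State one or the other, and say what happens when the list contains none of the TLS 1.3 suites (does TLS 1.3 still get negotiated with the defaults, or is it disabled?). The `PreferServerCipherSuites` comment that follows should likewise say whether it applies to the TLS 1.3 selection.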
@@ -373,6 +402,31 @@ type Config struct
// Use of KeyLogWriter compromises security and should only be
// used for debugging.
KeyLogWriter io.Writer
+
+ // If Max0RTTDataSize is not zero, the client will be allowed to use
+ // session tickets to send at most this number of bytes of 0-RTT data.
+ // 0-RTT data is subject to replay and has memory DoS implications.
+ // The server will later be able to refuse the 0-RTT data with
+ // Accept0RTTData, or wait for the client to prove that it's not
+ // replayed with Conn.ConfirmHandshake.
+ //
+ // It has no meaning on the client.
+ //
+ // See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2.3.
+ Max0RTTDataSize uint32
+
+ // Accept0RTTData makes the 0-RTT data received from the client
+ // immediately available to Read. 0-RTT data is subject to replay.
+ // Use Conn.ConfirmHandshake to wait until the data is known not
+ // to be replayed after reading it.
+ //
+ // It has no meaning on the client.
+ //
+ // See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2.3.
+ Accept0RTTData bool
// contains filtered or unexported fields
}
A Config structure is used to configure a TLS client or server. After
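Review bot: "The server will later be able to refuse the 0-RTT data with Accept0RTTData" is misleading, because `Accept0RTTData` is a static `bool` on the `Config`, not a per-connection decision made after seeing the ClientHello; either reword it to "a server that leaves Accept0RTTData false never exposes the 0-RTT data" or point to the hook (if any) where a per-connection refusal happens. The comment should also state what happens to early data when `Accept0RTTData` is false (discarded, or buffered until `Conn.ConfirmHandshake`), since the memory-DoS claim only holds if `Max0RTTDataSize` bounds that buffer. Finally, the replay warning deserves one more sentence: a server that sets `Accept0RTTData` must only act on 0-RTT data that is idempotent, or must dedupe it using the `Fingerprint`, because everything returned by `Read` before `ConfirmHandshake` returns may be a replay.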
@@ -434,6 +488,18 @@
be called once the handshake has completed and does not call CloseWrite
on the underlying connection. Most callers should just use Close.
+func (c *Conn) ConfirmHandshake() error
+ ConfirmHandshake waits for the handshake to reach a point at which the
+ connection is certainly not replayed. That is, after receiving the
+ Client Finished.
+
+ If ConfirmHandshake returns an error and until ConfirmHandshake returns,
+ the 0-RTT data should not be trusted not to be replayed.
+
+ This is only meaningful in TLS 1.3 when Accept0RTTData is true and the
+ client sent valid 0-RTT data. In any other case it's equivalent to
+ calling Hendshake.
+
func (c *Conn) ConnectionState() ConnectionState
ConnectionState returns basic TLS details about the connection.
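Review bot: "calling Hendshake" is a typo for "calling Handshake", and the sentence "If ConfirmHandshake returns an error and until ConfirmHandshake returns, the 0-RTT data should not be trusted not to be replayed." needs rewriting; suggested: "Until ConfirmHandshake returns nil, any data already returned by Read may be a replay." The doc should also say whether a concurrent `Read` or `Write` is blocked while `ConfirmHandshake` waits for the Client Finished, and whether `ConfirmHandshake` returns an error (rather than nil) when the client turns out not to have sent valid 0-RTT data, since a caller uses the return value to decide whether to act on the bytes it already read.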
@@ -442,6 +508,9 @@ func (*Conn).Handshake
been run. Most uses of this package need not call Handshake explicitly:
the first Read or Write will call it automatically.
+ In TLS 1.3 Handshake returns after the client and server first flights,
+ without waiting for the Client Finished.
+
func (c *Conn) LocalAddr() net.Addr
LocalAddr returns the local network address.
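Review bot: returning from `Handshake` before the Client Finished has a consequence the comment should spell out: in TLS 1.3 the client's certificate and CertificateVerify travel in the same flight as the Client Finished, so on a server that requests client authentication, `ConnectionState()` called right after `Handshake` returns will not yet carry the peer's certificate. Say that callers who need the client certificate must use `ConfirmHandshake` (or a `Read`) before inspecting the connection state, and that a handshake error caused by a bad client certificate will surface from those calls rather than from `Handshake`.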
@@ -500,6 +570,17 @@ type ConnectionState struct
// future versions of Go once the TLS master-secret fix has been
// standardized and implemented.
TLSUnique []byte
+
+ // HandshakeConfirmed is true once all data returned by Read
+ // (past and future) is guaranteed not to be replayed.
+ HandshakeConfirmed bool
+
+ // The Fingerprint is an sequence of bytes unique to this connection.
+ // It can be used to prevent or mitigate 0-RTT data replays as it's
+ // guaranteed that a replayed connection will have the same Fingerprint.
+ Fingerprint []byte
}
ConnectionState records basic TLS details about the connection.
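Review bot: `HandshakeConfirmed` is a snapshot taken when `ConnectionState()` is called, not a value that flips later inside the returned struct; rewrite "is true once all data returned by Read (past and future) is guaranteed not to be replayed" as "is true if, at the time ConnectionState was called, the Client Finished had been received, so that all data returned by Read cannot have been replayed". The `Fingerprint` comment here says "unique to this connection" while the copy in `ClientHelloInfo` says "unique to this Client Hello"; state that both fields hold the same value (if they do) and keep one wording, and fix "an sequence" to "a sequence" in this copy as well.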