const VersionTLS10 … const VersionTLS11 … const VersionTLS12 … const VersionTLS13 … const VersionSSL30 … // VersionName returns the name for the provided TLS version number // (e.g. "TLS 1.3"), or a fallback representation of the value if the // version is not implemented by this package. func VersionName(version uint16) string { … } const maxPlaintext … const maxCiphertext … const maxCiphertextTLS13 … const recordHeaderLen … const maxHandshake … const maxHandshakeCertificateMsg … const maxUselessRecords … type recordType … const recordTypeChangeCipherSpec … const recordTypeAlert … const recordTypeHandshake … const recordTypeApplicationData … const typeHelloRequest … const typeClientHello … const typeServerHello … const typeNewSessionTicket … const typeEndOfEarlyData … const typeEncryptedExtensions … const typeCertificate … const typeServerKeyExchange … const typeCertificateRequest … const typeServerHelloDone … const typeCertificateVerify … const typeClientKeyExchange … const typeFinished … const typeCertificateStatus … const typeKeyUpdate … const typeMessageHash … const compressionNone … const extensionServerName … const extensionStatusRequest … const extensionSupportedCurves … const extensionSupportedPoints … const extensionSignatureAlgorithms … const extensionALPN … const extensionSCT … const extensionExtendedMasterSecret … const extensionSessionTicket … const extensionPreSharedKey … const extensionEarlyData … const extensionSupportedVersions … const extensionCookie … const extensionPSKModes … const extensionCertificateAuthorities … const extensionSignatureAlgorithmsCert … const extensionKeyShare … const extensionQUICTransportParameters … const extensionRenegotiationInfo … const extensionECHOuterExtensions … const extensionEncryptedClientHello … const scsvRenegotiation … type CurveID … const CurveP256 … const CurveP384 … const CurveP521 … const X25519 … const x25519Kyber768Draft00 … type keyShare … const pskModePlain … const pskModeDHE … type pskIdentity … const pointFormatUncompressed … const statusTypeOCSP … const certTypeRSASign … const certTypeECDSASign … const signaturePKCS1v15 … const signatureRSAPSS … const signatureECDSA … const signatureEd25519 … var directSigning … var helloRetryRequestRandom … const downgradeCanaryTLS12 … const downgradeCanaryTLS11 … var testingOnlyForceDowngradeCanary … type ConnectionState … // ExportKeyingMaterial returns length bytes of exported key material in a new // slice as defined in RFC 5705. If context is nil, it is not used as part of // the seed. If the connection was set to allow renegotiation via // Config.Renegotiation, or if the connections supports neither TLS 1.3 nor // Extended Master Secret, this function will return an error. // // Exporting key material without Extended Master Secret or TLS 1.3 was disabled // in Go 1.22 due to security issues (see the Security Considerations sections // of RFC 5705 and RFC 7627), but can be re-enabled with the GODEBUG setting // tlsunsafeekm=1. func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) { … } type ClientAuthType … const NoClientCert … const RequestClientCert … const RequireAnyClientCert … const VerifyClientCertIfGiven … const RequireAndVerifyClientCert … // requiresClientCert reports whether the ClientAuthType requires a client // certificate to be provided. func requiresClientCert(c ClientAuthType) bool { … } type ClientSessionCache … type SignatureScheme … const PKCS1WithSHA256 … const PKCS1WithSHA384 … const PKCS1WithSHA512 … const PSSWithSHA256 … const PSSWithSHA384 … const PSSWithSHA512 … const ECDSAWithP256AndSHA256 … const ECDSAWithP384AndSHA384 … const ECDSAWithP521AndSHA512 … const Ed25519 … const PKCS1WithSHA1 … const ECDSAWithSHA1 … type ClientHelloInfo … // Context returns the context of the handshake that is in progress. // This context is a child of the context passed to HandshakeContext, // if any, and is canceled when the handshake concludes. func (c *ClientHelloInfo) Context() context.Context { … } type CertificateRequestInfo … // Context returns the context of the handshake that is in progress. // This context is a child of the context passed to HandshakeContext, // if any, and is canceled when the handshake concludes. func (c *CertificateRequestInfo) Context() context.Context { … } type RenegotiationSupport … const RenegotiateNever … const RenegotiateOnceAsClient … const RenegotiateFreelyAsClient … type Config … const ticketKeyLifetime … const ticketKeyRotation … type ticketKey … // ticketKeyFromBytes converts from the external representation of a session // ticket key to a ticketKey. Externally, session ticket keys are 32 random // bytes and this function expands that into sufficient name and key material. func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey) { … } const maxSessionTicketLifetime … // Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a [Config] that is // being used concurrently by a TLS client or server. func (c *Config) Clone() *Config { … } var deprecatedSessionTicketKey … // initLegacySessionTicketKeyRLocked ensures the legacy SessionTicketKey field is // randomized if empty, and that sessionTicketKeys is populated from it otherwise. func (c *Config) initLegacySessionTicketKeyRLocked() { … } // ticketKeys returns the ticketKeys for this connection. // If configForClient has explicitly set keys, those will // be returned. Otherwise, the keys on c will be used and // may be rotated if auto-managed. // During rotation, any expired session ticket keys are deleted from // c.sessionTicketKeys. If the session ticket key that is currently // encrypting tickets (ie. the first ticketKey in c.sessionTicketKeys) // is not fresh, then a new session ticket key will be // created and prepended to c.sessionTicketKeys. func (c *Config) ticketKeys(configForClient *Config) []ticketKey { … } // SetSessionTicketKeys updates the session ticket keys for a server. // // The first key will be used when creating new tickets, while all keys can be // used for decrypting tickets. It is safe to call this function while the // server is running in order to rotate the session ticket keys. The function // will panic if keys is empty. // // Calling this function will turn off automatic session ticket key rotation. // // If multiple servers are terminating connections for the same host they should // all have the same session ticket keys. If the session ticket keys leaks, // previously recorded and future TLS connections using those keys might be // compromised. func (c *Config) SetSessionTicketKeys(keys [][32]byte) { … } func (c *Config) rand() io.Reader { … } func (c *Config) time() time.Time { … } func (c *Config) cipherSuites() []uint16 { … } var supportedVersions … const roleClient … const roleServer … var tls10server … func (c *Config) supportedVersions(isClient bool) []uint16 { … } func (c *Config) maxSupportedVersion(isClient bool) uint16 { … } // supportedVersionsFromMax returns a list of supported versions derived from a // legacy maximum version value. Note that only versions supported by this // library are returned. Any newer peer will use supportedVersions anyway. func supportedVersionsFromMax(maxVersion uint16) []uint16 { … } func (c *Config) curvePreferences(version uint16) []CurveID { … } func (c *Config) supportsCurve(version uint16, curve CurveID) bool { … } // mutualVersion returns the protocol version to use given the advertised // versions of the peer. Priority is given to the peer preference order. func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool) { … } var errNoCertificates … // getCertificate returns the best certificate for the given ClientHelloInfo, // defaulting to the first element of c.Certificates. func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) { … } // SupportsCertificate returns nil if the provided certificate is supported by // the client that sent the ClientHello. Otherwise, it returns an error // describing the reason for the incompatibility. // // If this [ClientHelloInfo] was passed to a GetConfigForClient or GetCertificate // callback, this method will take into account the associated [Config]. Note that // if GetConfigForClient returns a different [Config], the change can't be // accounted for by this method. // // This function will call x509.ParseCertificate unless c.Leaf is set, which can // incur a significant performance cost. func (chi *ClientHelloInfo) SupportsCertificate(c *Certificate) error { … } // SupportsCertificate returns nil if the provided certificate is supported by // the server that sent the CertificateRequest. Otherwise, it returns an error // describing the reason for the incompatibility. func (cri *CertificateRequestInfo) SupportsCertificate(c *Certificate) error { … } // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate // from the CommonName and SubjectAlternateName fields of each of the leaf // certificates. // // Deprecated: NameToCertificate only allows associating a single certificate // with a given name. Leave that field nil to let the library select the first // compatible chain from Certificates. func (c *Config) BuildNameToCertificate() { … } const keyLogLabelTLS12 … const keyLogLabelClientHandshake … const keyLogLabelServerHandshake … const keyLogLabelClientTraffic … const keyLogLabelServerTraffic … func (c *Config) writeKeyLog(label string, clientRandom, secret []byte) error { … } var writerMutex … type Certificate … // leaf returns the parsed leaf certificate, either from c.Leaf or by parsing // the corresponding c.Certificate[0]. func (c *Certificate) leaf() (*x509.Certificate, error) { … } type handshakeMessage … type handshakeMessageWithOriginalBytes … type lruSessionCache … type lruSessionCacheEntry … // NewLRUClientSessionCache returns a [ClientSessionCache] with the given // capacity that uses an LRU strategy. If capacity is < 1, a default capacity // is used instead. func NewLRUClientSessionCache(capacity int) ClientSessionCache { … } // Put adds the provided (sessionKey, cs) pair to the cache. If cs is nil, the entry // corresponding to sessionKey is removed from the cache instead. func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) { … } // Get returns the [ClientSessionState] value associated with a given key. It // returns (nil, false) if no value is found. func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { … } var emptyConfig … func defaultConfig() *Config { … } func unexpectedMessageError(wanted, got any) error { … } // supportedSignatureAlgorithms returns the supported signature algorithms. func supportedSignatureAlgorithms() []SignatureScheme { … } func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool { … } type CertificateVerificationError … func (e *CertificateVerificationError) Error() string { … } func (e *CertificateVerificationError) Unwrap() error { … }
Codebase Browser
go