Merge branch 'refraction-networking:master' into master

alert.go

@@ -58,6 +58,7 @@ const (
 	alertUnknownPSKIdentity           alert = 115
 	alertCertificateRequired          alert = 116
 	alertNoApplicationProtocol        alert = 120
+	alertECHRequired                  alert = 121
 )
 
 var alertText = map[alert]string{
@@ -94,6 +95,7 @@ var alertText = map[alert]string{
 	alertUnknownPSKIdentity:           "unknown PSK identity",
 	alertCertificateRequired:          "certificate required",
 	alertNoApplicationProtocol:        "no application protocol",
+	alertECHRequired:                  "ECH required",
 }
 
 func (e alert) String() string {

common.go

@@ -306,6 +306,11 @@ type ConnectionState struct {
 
 	// ekm is a closure exposed via ExportKeyingMaterial.
 	ekm func(label string, context []byte, length int) ([]byte, error)
+
+	// ECHRetryConfigs contains the ECH retry configurations sent by the server in
+	// EncryptedExtensions message. It is only populated if the server sent the
+	// ech extension in EncryptedExtensions message.
+	ECHRetryConfigs []ECHConfig // [uTLS]
 }
 
 // ExportKeyingMaterial returns length bytes of exported key material in a new
@@ -836,6 +841,17 @@ type Config struct {
 	// autoSessionTicketKeys is like sessionTicketKeys but is owned by the
 	// auto-rotation logic. See Config.ticketKeys.
 	autoSessionTicketKeys []ticketKey
+
+	// ECHConfigs contains the ECH configurations to be used by the ECH
+	// extension if any.
+	// It could either be distributed by the server in EncryptedExtensions
+	// message or out-of-band.
+	//
+	// If ECHConfigs is nil and an ECH extension is present, GREASEd ECH
+	// extension will be sent.
+	//
+	// If GREASE ECH extension is present, this field will be ignored.
+	ECHConfigs []ECHConfig // [uTLS]
 }
 
 const (
@@ -921,6 +937,7 @@ func (c *Config) Clone() *Config {
 		autoSessionTicketKeys:       c.autoSessionTicketKeys,
 
 		PreferSkipResumptionOnNilExtension: c.PreferSkipResumptionOnNilExtension, // [UTLS]
+		ECHConfigs:                         c.ECHConfigs,                         // [uTLS]
 	}
 }
 

dicttls/LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2023, Gaukas Wang
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

dicttls/README.md

@@ -0,0 +1,12 @@
+# Dict TLS
+
+This is a vendored version of [godicttls](https://github.com/gaukas/godicttls)
+
+Below is a copy of the original README.md
+
+# godicttls
+Dictionary for TLS written in Go providing bidirectional mapping values to their names, plus enum convenience for values.
+
+Last Update with data fetched from [IANA](www.iana.org) in March 2023: 
+- Transport Layer Security (TLS) Parameters [link](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml)
+- Transport Layer Security (TLS) Extensions [link](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml)

dicttls/alerts.go

@@ -0,0 +1,118 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6
+// last updated: March 2023
+
+const (
+	Alert_close_notify                    uint8 = 0
+	Alert_unexpected_message              uint8 = 10
+	Alert_bad_record_mac                  uint8 = 20
+	Alert_decryption_failed               uint8 = 21
+	Alert_record_overflow                 uint8 = 22
+	Alert_decompression_failure           uint8 = 30
+	Alert_handshake_failure               uint8 = 40
+	Alert_no_certificate                  uint8 = 41
+	Alert_bad_certificate                 uint8 = 42
+	Alert_unsupported_certificate         uint8 = 43
+	Alert_certificate_revoked             uint8 = 44
+	Alert_certificate_expired             uint8 = 45
+	Alert_certificate_unknown             uint8 = 46
+	Alert_illegal_parameter               uint8 = 47
+	Alert_unknown_ca                      uint8 = 48
+	Alert_access_denied                   uint8 = 49
+	Alert_decode_error                    uint8 = 50
+	Alert_decrypt_error                   uint8 = 51
+	Alert_too_many_cids_requested         uint8 = 52
+	Alert_export_restriction              uint8 = 60
+	Alert_protocol_version                uint8 = 70
+	Alert_insufficient_security           uint8 = 71
+	Alert_internal_error                  uint8 = 80
+	Alert_inappropriate_fallback          uint8 = 86
+	Alert_user_canceled                   uint8 = 90
+	Alert_no_renegotiation                uint8 = 100
+	Alert_missing_extension               uint8 = 109
+	Alert_unsupported_extension           uint8 = 110
+	Alert_certificate_unobtainable        uint8 = 111
+	Alert_unrecognized_name               uint8 = 112
+	Alert_bad_certificate_status_response uint8 = 113
+	Alert_bad_certificate_hash_value      uint8 = 114
+	Alert_unknown_psk_identity            uint8 = 115
+	Alert_certificate_required            uint8 = 116
+	Alert_no_application_protocol         uint8 = 120
+)
+
+var DictAlertValueIndexed = map[uint8]string{
+	0:   "close_notify",
+	10:  "unexpected_message",
+	20:  "bad_record_mac",
+	21:  "decryption_failed",
+	22:  "record_overflow",
+	30:  "decompression_failure",
+	40:  "handshake_failure",
+	41:  "no_certificate",
+	42:  "bad_certificate",
+	43:  "unsupported_certificate",
+	44:  "certificate_revoked",
+	45:  "certificate_expired",
+	46:  "certificate_unknown",
+	47:  "illegal_parameter",
+	48:  "unknown_ca",
+	49:  "access_denied",
+	50:  "decode_error",
+	51:  "decrypt_error",
+	52:  "too_many_cids_requested",
+	60:  "export_restriction",
+	70:  "protocol_version",
+	71:  "insufficient_security",
+	80:  "internal_error",
+	86:  "inappropriate_fallback",
+	90:  "user_canceled",
+	100: "no_renegotiation",
+	109: "missing_extension",
+	110: "unsupported_extension",
+	111: "certificate_unobtainable",
+	112: "unrecognized_name",
+	113: "bad_certificate_status_response",
+	114: "bad_certificate_hash_value",
+	115: "unknown_psk_identity",
+	116: "certificate_required",
+	120: "no_application_protocol",
+}
+
+var DictAlertNameIndexed = map[string]uint8{
+	"close_notify":                    0,
+	"unexpected_message":              10,
+	"bad_record_mac":                  20,
+	"decryption_failed":               21,
+	"record_overflow":                 22,
+	"decompression_failure":           30,
+	"handshake_failure":               40,
+	"no_certificate":                  41,
+	"bad_certificate":                 42,
+	"unsupported_certificate":         43,
+	"certificate_revoked":             44,
+	"certificate_expired":             45,
+	"certificate_unknown":             46,
+	"illegal_parameter":               47,
+	"unknown_ca":                      48,
+	"access_denied":                   49,
+	"decode_error":                    50,
+	"decrypt_error":                   51,
+	"too_many_cids_requested":         52,
+	"export_restriction":              60,
+	"protocol_version":                70,
+	"insufficient_security":           71,
+	"internal_error":                  80,
+	"inappropriate_fallback":          86,
+	"user_canceled":                   90,
+	"no_renegotiation":                100,
+	"missing_extension":               109,
+	"unsupported_extension":           110,
+	"certificate_unobtainable":        111,
+	"unrecognized_name":               112,
+	"bad_certificate_status_response": 113,
+	"bad_certificate_hash_value":      114,
+	"unknown_psk_identity":            115,
+	"certificate_required":            116,
+	"no_application_protocol":         120,
+}

dicttls/authorization_data_formats.go

@@ -0,0 +1,35 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#authorization-data
+// last updated: March 2023
+
+const (
+	AuthData_x509_attr_cert             uint16 = 0
+	AuthData_saml_assertion             uint16 = 1
+	AuthData_x509_attr_cert_url         uint16 = 2
+	AuthData_saml_assertion_url         uint16 = 3
+	AuthData_keynote_assertion_list     uint16 = 64
+	AuthData_keynote_assertion_list_url uint16 = 65
+	AuthData_dtcp_authorization         uint16 = 66
+)
+
+var DictAuthorizationDataFormatValueIndexed = map[uint16]string{
+	0:  "x509_attr_cert",
+	1:  "saml_assertion",
+	2:  "x509_attr_cert_url",
+	3:  "saml_assertion_url",
+	64: "keynote_assertion_list",
+	65: "keynote_assertion_list_url",
+	66: "dtcp_authorization",
+}
+
+var DictAuthorizationDataFormatNameIndexed = map[string]uint16{
+	"x509_attr_cert":             0,
+	"saml_assertion":             1,
+	"x509_attr_cert_url":         2,
+	"saml_assertion_url":         3,
+	"Unassigned":                 0,
+	"keynote_assertion_list":     64,
+	"keynote_assertion_list_url": 65,
+	"dtcp_authorization":         66,
+}

dicttls/cachedinformationtype_values.go

@@ -0,0 +1,19 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#cachedinformationtype
+// last updated: March 2023
+
+const (
+	CachedInformationType_cert     uint8 = 1
+	CachedInformationType_cert_req uint8 = 2
+)
+
+var DictCachedInformationTypeValueIndexed = map[uint8]string{
+	1: "cert",
+	2: "cert_req",
+}
+
+var DictCachedInformationTypeNameIndexed = map[string]uint8{
+	"cert":     1,
+	"cert_req": 2,
+}

dicttls/certificate_compression_algorithm_ids.go

@@ -0,0 +1,22 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-certificate-compression-algorithm-ids
+// last updated: March 2023
+
+const (
+	CertCompAlg_zlib   uint16 = 1
+	CertCompAlg_brotli uint16 = 2
+	CertCompAlg_zstd   uint16 = 3
+)
+
+var DictCertificateCompressionAlgorithmValueIndexed = map[uint16]string{
+	1: "zlib",
+	2: "brotli",
+	3: "zstd",
+}
+
+var DictCertificateCompressionAlgorithmNameIndexed = map[string]uint16{
+	"zlib":   1,
+	"brotli": 2,
+	"zstd":   3,
+}

dicttls/certificate_status_types.go

@@ -0,0 +1,19 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#certificate-status
+// last updated: March 2023
+
+const (
+	CertStatusType_ocsp       uint8 = 1
+	CertStatusType_ocsp_multi uint8 = 2
+)
+
+var DictCertificateStatusTypeValueIndexed = map[uint8]string{
+	1: "ocsp",
+	2: "ocsp_multi",
+}
+
+var DictCertificateStatusTypeNameIndexed = map[string]uint8{
+	"ocsp":       1,
+	"ocsp_multi": 2,
+}

dicttls/certificte_types.go

@@ -0,0 +1,25 @@
+package dicttls
+
+// source: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3
+// last updated: March 2023
+
+const (
+	CertType_X509           uint8 = 0
+	CertType_OpenPGP        uint8 = 1
+	CertType_Raw_Public_Key uint8 = 2
+	CertType_1609Dot2       uint8 = 3
+)
+
+var DictCertificateTypeValueIndexed = map[uint8]string{
+	0: "X509",
+	1: "OpenPGP",
+	2: "Raw Public Key",
+	3: "1609Dot2",
+}
+
+var DictCertificateTypeNameIndexed = map[string]uint8{
+	"X509":           0,
+	"OpenPGP":        1,
+	"Raw Public Key": 2,
+	"1609Dot2":       3,
+}