crypto/tls: expand the ConnectionState docs

Fixes #37572

Change-Id: I493392f535a979ee16609861041da2ecfe21cf77
Reviewed-on: https://go-review.googlesource.com/c/go/+/239744
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 3a5ca226133c493121e5a1be001caeac1dedbb8c..eb002ada2f5ea79f16d98c5e1b09a5beec6c90c1 100644 (file)
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -213,28 +213,72 @@ var testingOnlyForceDowngradeCanary bool
 
 // ConnectionState records basic TLS details about the connection.
 type ConnectionState struct {
-       Version                     uint16                // TLS version used by the connection (e.g. VersionTLS12)
-       HandshakeComplete           bool                  // TLS handshake is complete
-       DidResume                   bool                  // connection resumes a previous TLS connection
-       CipherSuite                 uint16                // cipher suite in use (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ...)
-       NegotiatedProtocol          string                // negotiated next protocol (not guaranteed to be from Config.NextProtos)
-       NegotiatedProtocolIsMutual  bool                  // negotiated protocol was advertised by server (client side only)
-       ServerName                  string                // server name requested by client, if any
-       PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
-       VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates
-       SignedCertificateTimestamps [][]byte              // SCTs from the peer, if any
-       OCSPResponse                []byte                // stapled OCSP response from peer, if any
+       // Version is the TLS version used by the connection (e.g. VersionTLS12).
+       Version uint16
 
-       // ekm is a closure exposed via ExportKeyingMaterial.
-       ekm func(label string, context []byte, length int) ([]byte, error)
+       // HandshakeComplete is true if the handshake has concluded.
+       HandshakeComplete bool
+
+       // DidResume is true if this connection was successfully resumed from a
+       // previous session with a session ticket or similar mechanism.
+       DidResume bool
+
+       // CipherSuite is the cipher suite negotiated for the connection (e.g.
+       // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256).
+       CipherSuite uint16
+
+       // NegotiatedProtocol is the application protocol negotiated with ALPN.
+       //
+       // Note that on the client side, this is currently not guaranteed to be from
+       // Config.NextProtos.
+       NegotiatedProtocol string
+
+       // NegotiatedProtocolIsMutual used to indicate a mutual NPN negotiation.
+       //
+       // Deprecated: this value is always true.
+       NegotiatedProtocolIsMutual bool
+
+       // ServerName is the value of the Server Name Indication extension sent by
+       // the client. It's available both on the server and on the client side.
+       ServerName string
 
-       // TLSUnique contains the "tls-unique" channel binding value (see RFC
-       // 5929, section 3). For resumed sessions this value will be nil
-       // because resumption does not include enough context (see
-       // https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will
-       // change in future versions of Go once the TLS master-secret fix has
-       // been standardized and implemented. It is not defined in TLS 1.3.
+       // PeerCertificates are the parsed certificates sent by the peer, in the
+       // order in which they were sent. The first element is the leaf certificate
+       // that the connection is verified against.
+       //
+       // On the client side, it can't be empty. On the server side, it can be
+       // empty if Config.ClientAuth is not RequireAnyClientCert or
+       // RequireAndVerifyClientCert.
+       PeerCertificates []*x509.Certificate
+
+       // VerifiedChains is a list of one or more chains where the first element is
+       // PeerCertificates[0] and the last element is from Config.RootCAs (on the
+       // client side) or Config.ClientCAs (on the server side).
+       //
+       // On the client side, it's set if Config.InsecureSkipVerify is false. On
+       // the server side, it's set if Config.ClientAuth is VerifyClientCertIfGiven
+       // (and the peer provided a certificate) or RequireAndVerifyClientCert.
+       VerifiedChains [][]*x509.Certificate
+
+       // SignedCertificateTimestamps is a list of SCTs provided by the peer
+       // through the TLS handshake for the leaf certificate, if any.
+       SignedCertificateTimestamps [][]byte
+
+       // OCSPResponse is a stapled Online Certificate Status Protocol (OCSP)
+       // response provided by the peer for the leaf certificate, if any.
+       OCSPResponse []byte
+
+       // TLSUnique contains the "tls-unique" channel binding value (see RFC 5929,
+       // Section 3). This value will be nil for TLS 1.3 connections and for all
+       // resumed connections.
+       //
+       // Deprecated: there are conditions in which this value might not be unique
+       // to a connection. See the Security Considerations sections of RFC 5705 and
+       // RFC 7627, and https://mitls.org/pages/attacks/3SHAKE#channelbindings.
        TLSUnique []byte
+
+       // ekm is a closure exposed via ExportKeyingMaterial.
+       ekm func(label string, context []byte, length int) ([]byte, error)
 }
 
 // ExportKeyingMaterial returns length bytes of exported key material in a new