runner

type ACKFlightFunc = func(c *DTLSController, prev, received []DTLSMessage, records []DTLSRecordNumberInfo)

type ALPSUseCodepoint int

type BadValue int

type CertCompressionAlg struct {
	// Compress returns a compressed representation of the input.
	Compress func([]byte) []byte
	// Decompress depresses the contents of in and writes the result to out, which
	// will be the correct size. It returns true on success and false otherwise.
	Decompress func(out, in []byte) bool
}

type ClientAuthType int

type ClientSessionCache interface {
	// Get searches for a ClientSessionState associated with the given key.
	// On return, ok is true if one was found.
	Get(sessionKey string) (session *ClientSessionState, ok bool)

	// Put adds the ClientSessionState to the cache with the given key.
	Put(sessionKey string, cs *ClientSessionState)
}

type ClientSessionState struct {
	// contains filtered or unexported fields
}

type Config struct {
	// Rand provides the source of entropy for nonces and RSA blinding.
	// If Rand is nil, TLS uses the cryptographic random reader in package
	// crypto/rand.
	// The Reader must be safe for use by multiple goroutines.
	Rand io.Reader

	// Time returns the current time as the number of seconds since the epoch.
	// If Time is nil, TLS uses time.Now.
	Time func() time.Time

	// Credential contains the credential to present to the other side of
	// the connection. Server configurations must include this field.
	Credential *Credential

	// RootCAs defines the set of root certificate authorities
	// that clients use when verifying server certificates.
	// If RootCAs is nil, TLS uses the host's root CA set.
	RootCAs *x509.CertPool

	// SendRootCAs, if true, causes the client to send the list of
	// supported root CAs in the certificate_authorities extension.
	SendRootCAs bool

	// NextProtos is a list of supported, application level protocols.
	NextProtos []string

	// NoFallbackNextProto, if true, causes the client to decline to pick an NPN
	// protocol, instead of picking an opportunistic, fallback protocol.
	NoFallbackNextProto bool

	// NegotiateNPNWithNoProtos, if true, causes the server to negotiate NPN
	// despite having no protocols configured.
	NegotiateNPNWithNoProtos bool

	// ApplicationSettings is a set of application settings to use which each
	// application protocol.
	ApplicationSettings map[string][]byte

	// ALPSUseNewCodepoint controls which TLS extension codepoint is used to
	// convey the ApplicationSettings.
	ALPSUseNewCodepoint ALPSUseCodepoint

	// ServerName is used to verify the hostname on the returned
	// certificates unless InsecureSkipVerify is given. It is also included
	// in the client's handshake to support virtual hosting.
	ServerName string

	// ClientECHConfig, when non-nil, is the ECHConfig the client will use to
	// attempt ECH.
	ClientECHConfig *ECHConfig

	// ECHCipherSuites, for the client, is the list of HPKE cipher suites in
	// decreasing order of preference. If empty, the default will be used.
	ECHCipherSuites []HPKECipherSuite

	// ServerECHConfigs is the server's list of ECHConfig values with
	// corresponding secret keys.
	ServerECHConfigs []ServerECHConfig

	// ECHOuterExtensions is the list of extensions that the client will
	// compress with the ech_outer_extensions extension. If empty, no extensions
	// will be compressed.
	ECHOuterExtensions []uint16

	// ClientAuth determines the server's policy for
	// TLS Client Authentication. The default is NoClientCert.
	ClientAuth ClientAuthType

	// ClientCAs defines the set of root certificate authorities
	// that servers use if required to verify a client certificate
	// by the policy in ClientAuth.
	ClientCAs *x509.CertPool

	// ClientCertificateTypes defines the set of allowed client certificate
	// types. The default is CertTypeRSASign and CertTypeECDSASign.
	ClientCertificateTypes []byte

	// InsecureSkipVerify controls whether a client verifies the
	// server's certificate chain and host name.
	// If InsecureSkipVerify is true, TLS accepts any certificate
	// presented by the server and any host name in that certificate.
	// In this mode, TLS is susceptible to man-in-the-middle attacks.
	// This should be used only for testing.
	InsecureSkipVerify bool

	// CipherSuites is a list of supported cipher suites. If CipherSuites
	// is nil, TLS uses a list of suites supported by the implementation.
	CipherSuites []uint16

	// PreferServerCipherSuites controls whether the server selects the
	// client's most preferred ciphersuite, or the server's most preferred
	// ciphersuite. If true then the server's preference, as expressed in
	// the order of elements in CipherSuites, is used.
	PreferServerCipherSuites bool

	// SessionTicketsDisabled may be set to true to disable session ticket
	// (resumption) support.
	SessionTicketsDisabled bool

	// SessionTicketKey is used by TLS servers to provide session
	// resumption. See RFC 5077. If zero, it will be filled with
	// random data before the first server handshake.
	//
	// If multiple servers are terminating connections for the same host
	// they should all have the same SessionTicketKey. If the
	// SessionTicketKey leaks, previously recorded and future TLS
	// connections using that key are compromised.
	SessionTicketKey [32]byte

	// ClientSessionCache is a cache of ClientSessionState entries
	// for TLS session resumption.
	ClientSessionCache ClientSessionCache

	// ServerSessionCache is a cache of sessionState entries for TLS session
	// resumption.
	ServerSessionCache ServerSessionCache

	// MinVersion contains the minimum SSL/TLS version that is acceptable.
	// If zero, then SSLv3 is taken as the minimum.
	MinVersion uint16

	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
	// If zero, then the maximum version supported by this package is used,
	// which is currently TLS 1.2.
	MaxVersion uint16

	// CurvePreferences contains the elliptic curves that will be used in
	// an ECDHE handshake, in preference order. If empty, the default will
	// be used.
	CurvePreferences []CurveID

	// DefaultCurves contains the elliptic curves for which public values will
	// be sent in the ClientHello's KeyShare extension. If this value is nil,
	// all supported curves will have public values sent. This field is ignored
	// on servers.
	DefaultCurves []CurveID

	// ChannelID contains the ECDSA key for the client to use as
	// its TLS Channel ID.
	ChannelID *ecdsa.PrivateKey

	// RequestChannelID controls whether the server requests a TLS
	// Channel ID. If negotiated, the client's public key is
	// returned in the ConnectionState.
	RequestChannelID bool

	// PreSharedKey, if not nil, is the pre-shared key to use with
	// the PSK cipher suites.
	PreSharedKey []byte

	// PreSharedKeyIdentity, if not empty, is the identity to use
	// with the PSK cipher suites.
	PreSharedKeyIdentity string

	// MaxEarlyDataSize controls the maximum number of bytes that the
	// server will accept in early data and advertise in a
	// NewSessionTicketMsg. If 0, no early data will be accepted and
	// the early_data extension in the NewSessionTicketMsg will be omitted.
	MaxEarlyDataSize uint32

	// SRTPProtectionProfiles, if not nil, is the list of SRTP
	// protection profiles to offer in DTLS-SRTP.
	SRTPProtectionProfiles []uint16

	// VerifySignatureAlgorithms, if not nil, overrides the default set of
	// supported signature algorithms that are accepted.
	VerifySignatureAlgorithms []signatureAlgorithm

	// DelegatedCredentialAlgorithms, if not empty, is the set of signature
	// algorithms allowed for the delegated credential key. If empty, delegated
	// credentials are disabled.
	DelegatedCredentialAlgorithms []signatureAlgorithm

	// QUICTransportParams, if not empty, will be sent in the QUIC
	// transport parameters extension.
	QUICTransportParams []byte

	// QUICTransportParamsUseLegacyCodepoint controls which TLS extension
	// codepoint is used to convey the QUIC transport parameters.
	QUICTransportParamsUseLegacyCodepoint QUICUseCodepoint

	CertCompressionAlgs map[uint16]CertCompressionAlg

	// DTLSUseShortSeqNums specifies whether the DTLS 1.3 record header
	// should use short (8-bit) or long (16-bit) sequence numbers. The
	// default is to use long sequence numbers.
	DTLSUseShortSeqNums bool

	// DTLSRecordHeaderOmitLength specified whether the DTLS 1.3 record
	// header includes a length field. The default is to include the length
	// field.
	DTLSRecordHeaderOmitLength bool

	// RequestTrustAnchors, if not nil, is the list of trust anchor IDs to
	// request in ClientHello.
	RequestTrustAnchors [][]byte

	// AvailableTrustAnchors, if not empty, is the list of trust anchor IDs
	// to report as available in EncryptedExtensions.
	AvailableTrustAnchors [][]byte

	// ResumptionAcrossNames specifies whether session tickets issued by the TLS
	// server should be marked as compatible with cross-name resumption.
	ResumptionAcrossNames bool

	// Bugs specifies optional misbehaviour to be used for testing other
	// implementations.
	Bugs ProtocolBugs
	// contains filtered or unexported fields
}

type Conn struct {
	// contains filtered or unexported fields
}

type ConnectionState struct {
	Version                    uint16                // TLS version used by the connection (e.g. VersionTLS12)
	HandshakeComplete          bool                  // TLS handshake is complete
	DidResume                  bool                  // connection resumes a previous TLS connection
	CipherSuite                uint16                // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
	NegotiatedProtocol         string                // negotiated next protocol (from Config.NextProtos)
	NegotiatedProtocolIsMutual bool                  // negotiated protocol was advertised by server
	NegotiatedProtocolFromALPN bool                  // protocol negotiated with ALPN
	ServerName                 string                // server name requested by client, if any (server side only)
	ServerNameAck              bool                  // whether the server acknowledged the server name (client side only)
	PeerCertificates           []*x509.Certificate   // certificate chain presented by remote peer
	PeerDelegatedCredential    []byte                // delegated credential presented by remote peer
	VerifiedChains             [][]*x509.Certificate // verified chains built from PeerCertificates
	OCSPResponse               []byte                // stapled OCSP response from the peer, if any
	ChannelID                  *ecdsa.PublicKey      // the channel ID for this connection
	SRTPProtectionProfile      uint16                // the negotiated DTLS-SRTP protection profile
	TLSUnique                  []byte                // the tls-unique channel binding
	SCTList                    []byte                // signed certificate timestamp list
	PeerSignatureAlgorithm     signatureAlgorithm    // algorithm used by the peer in the handshake
	CurveID                    CurveID               // the curve used in ECDHE
	QUICTransportParams        []byte                // the QUIC transport params received from the peer
	QUICTransportParamsLegacy  []byte                // the legacy QUIC transport params received from the peer
	HasApplicationSettings     bool                  // whether ALPS was negotiated
	PeerApplicationSettings    []byte                // application settings received from the peer
	HasApplicationSettingsOld  bool                  // whether ALPS old codepoint was negotiated
	PeerApplicationSettingsOld []byte                // the old application settings received from the peer
	ECHAccepted                bool                  // whether ECH was accepted on this connection
}

type Credential struct {
	Type CredentialType
	// Certificate is a chain of one or more certificates, leaf first.
	Certificate [][]byte
	// RootCertificate is the certificate that issued this chain.
	RootCertificate []byte
	PrivateKey      crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey
	// OCSPStaple contains an optional OCSP response which will be served
	// to clients that request it.
	OCSPStaple []byte
	// SignedCertificateTimestampList contains an optional encoded
	// SignedCertificateTimestampList structure which will be
	// served to clients that request it.
	SignedCertificateTimestampList []byte
	// SignatureAlgorithms, if not nil, overrides the default set of
	// supported signature algorithms to sign with.
	SignatureAlgorithms []signatureAlgorithm
	// DelegatedCredential is the delegated credential to use
	// with the certificate.
	DelegatedCredential []byte
	// ChainPath is the path to the temporary on disk copy of the certificate
	// chain.
	ChainPath string
	// KeyPath is the path to the temporary on disk copy of the key.
	KeyPath string
	// RootPath is the path to the temporary on disk copy of the root of the
	// certificate chain. If the chain only contains one certificate ChainPath
	// and RootPath will be the same.
	RootPath string
	// SignSignatureAlgorithms, if not nil, overrides the default set of
	// supported signature algorithms to sign with.
	SignSignatureAlgorithms []signatureAlgorithm
	// MustMatchIssuer, if set, causes the shim to only consider this
	// credential when the issuer matches a peer-requested CA.
	MustMatchIssuer bool
	// The following fields are used for PAKE credentials. For simplicity,
	// we specify the password directly and expect the shim and runner to
	// compute the client- and server-specific halves as needed.
	PAKEContext  []byte
	PAKEClientID []byte
	PAKEServerID []byte
	PAKEPassword []byte
	// WrongPAKERole, if set, causes the shim to be configured with a
	// credential of the wrong role.
	WrongPAKERole bool
	// OverridePAKECodepoint, if non-zero, causes the runner to send the
	// specified value instead of the actual PAKE codepoint.
	OverridePAKECodepoint uint16
	// TrustAnchorID, if not empty, is the trust anchor ID for the issuer
	// of the certificate chain.
	TrustAnchorID []byte
}

type CredentialType int

type CurveID uint16

type DTLSController struct {
	// contains filtered or unexported fields
}

type DTLSFragment struct {
	Epoch              uint16
	IsChangeCipherSpec bool
	// The following fields are only used if IsChangeCipherSpec is false.
	Type        uint8
	TotalLength int
	Sequence    uint16
	Offset      int
	Data        []byte
	// ShouldDiscard, if true, indicates the shim is expected to discard this
	// fragment. A record with such a fragment must not be ACKed by the shim.
	ShouldDiscard bool
}

type DTLSMessage struct {
	Epoch              uint16
	IsChangeCipherSpec bool
	// The following fields are only used if IsChangeCipherSpec is false.
	Type     uint8
	Sequence uint16
	Data     []byte
}

type DTLSRecordNumber struct {
	// Store the Epoch as a uint64, so that tests can send ACKs for epochs that
	// the shim would never use.
	Epoch    uint64
	Sequence uint64
}

type DTLSRecordNumberInfo struct {
	DTLSRecordNumber
	// The first byte covered by this record, inclusive. We only need to store
	// one range because we require that the shim arrange fragments in order.
	// Any gaps will have been previously-ACKed data, so there is no harm in
	// double-ACKing.
	MessageStartSequence uint16
	MessageStartOffset   int
	// The last byte covered by this record, exclusive.
	MessageEndSequence uint16
	MessageEndOffset   int
}

type ECHConfig struct {
	Raw          []byte
	ConfigID     uint8
	KEM          uint16
	PublicKey    []byte
	MaxNameLen   uint8
	PublicName   string
	CipherSuites []HPKECipherSuite
	// The following fields are only used by CreateECHConfig().
	UnsupportedExtension          bool
	UnsupportedMandatoryExtension bool
}

type HPKECipherSuite struct {
	KDF  uint16
	AEAD uint16
}

type ProtocolBugs struct {
	// InvalidSignature specifies that the signature in a ServerKeyExchange
	// or CertificateVerify message should be invalid.
	InvalidSignature bool

	// SendCurve, if non-zero, causes the server to send the specified curve
	// ID in ServerKeyExchange (TLS 1.2) or ServerHello (TLS 1.3) rather
	// than the negotiated one.
	SendCurve CurveID

	// ECDHPointNotOnCurve, if true, causes the ECDH points to not be on the
	// curve.
	ECDHPointNotOnCurve bool

	// TruncateKeyShare, if true, causes key shares to be truncated by one byte.
	TruncateKeyShare bool

	// PadKeyShare, if true, causes key shares to be truncated to one byte.
	PadKeyShare bool

	// BadECDSAR controls ways in which the 'r' value of an ECDSA signature
	// can be invalid.
	BadECDSAR BadValue
	BadECDSAS BadValue

	// MaxPadding causes CBC records to have the maximum possible padding.
	MaxPadding bool
	// PaddingFirstByteBad causes the first byte of the padding to be
	// incorrect.
	PaddingFirstByteBad bool
	// PaddingFirstByteBadIf255 causes the first byte of padding to be
	// incorrect if there's a maximum amount of padding (i.e. 255 bytes).
	PaddingFirstByteBadIf255 bool

	// FailIfNotFallbackSCSV causes a server handshake to fail if the
	// client doesn't send the fallback SCSV value.
	FailIfNotFallbackSCSV bool

	// DuplicateExtension causes an extra empty extension of bogus type to
	// be emitted in either the ClientHello or the ServerHello.
	DuplicateExtension bool

	// UnauthenticatedECDH causes the server to pretend ECDHE_RSA
	// and ECDHE_ECDSA cipher suites are actually ECDH_anon. No
	// Certificate message is sent and no signature is added to
	// ServerKeyExchange.
	UnauthenticatedECDH bool

	// SkipHelloVerifyRequest causes a DTLS server to skip the
	// HelloVerifyRequest message.
	SkipHelloVerifyRequest bool

	// ForceHelloVerifyRequest causes a DTLS server to send a
	// HelloVerifyRequest message in DTLS 1.3 or other cases where it
	// otherwise wouldn't.
	ForceHelloVerifyRequest bool

	// HelloVerifyRequestCookieLength, if non-zero, is the length of the cookie
	// to request in HelloVerifyRequest.
	HelloVerifyRequestCookieLength int

	// EmptyHelloVerifyRequestCookie, if true, causes a DTLS server to request
	// an empty cookie in HelloVerifyRequest.
	EmptyHelloVerifyRequestCookie bool

	// SkipCertificateStatus, if true, causes the server to skip the
	// CertificateStatus message. This is legal because CertificateStatus is
	// optional, even with a status_request in ServerHello.
	SkipCertificateStatus bool

	// SkipServerKeyExchange causes the server to skip sending
	// ServerKeyExchange messages.
	SkipServerKeyExchange bool

	// SkipNewSessionTicket causes the server to skip sending the
	// NewSessionTicket message despite promising to in ServerHello.
	SkipNewSessionTicket bool

	// UseFirstSessionTicket causes the client to cache only the first session
	// ticket received.
	UseFirstSessionTicket bool

	// SkipClientCertificate causes the client to skip the Certificate
	// message.
	SkipClientCertificate bool

	// SkipChangeCipherSpec causes the implementation to skip
	// sending the ChangeCipherSpec message (and adjusting cipher
	// state accordingly for the Finished message).
	SkipChangeCipherSpec bool

	// SkipFinished causes the implementation to skip sending the Finished
	// message.
	SkipFinished bool

	// SkipEndOfEarlyData causes the implementation to skip
	// end_of_early_data.
	SkipEndOfEarlyData bool

	// NonEmptyEndOfEarlyData causes the implementation to end an extra byte in the
	// EndOfEarlyData.
	NonEmptyEndOfEarlyData bool

	// SendEndOfEarlyDataInQUICAndDTLS causes the implementation to send
	// EndOfEarlyData even in QUIC and DTLS, which do not use the message.
	SendEndOfEarlyDataInQUICAndDTLS bool

	// SkipCertificateVerify, if true causes peer to skip sending a
	// CertificateVerify message after the Certificate message.
	SkipCertificateVerify bool

	// EarlyChangeCipherSpec causes the client to send an early
	// ChangeCipherSpec message before the ClientKeyExchange. A value of
	// zero disables this behavior. One and two configure variants for
	// 1.0.1 and 0.9.8 modes, respectively.
	EarlyChangeCipherSpec int

	// FragmentAcrossChangeCipherSpec causes the implementation to fragment
	// the Finished (or NextProto) message around the ChangeCipherSpec
	// messages.
	FragmentAcrossChangeCipherSpec bool

	// SendExtraChangeCipherSpec causes the implementation to send extra
	// ChangeCipherSpec messages.
	SendExtraChangeCipherSpec int

	// SendPostHandshakeChangeCipherSpec causes the implementation to send
	// a ChangeCipherSpec record before every application data record.
	SendPostHandshakeChangeCipherSpec bool

	// PartialEncryptedExtensionsWithServerHello, if true, causes the TLS
	// 1.3 server to send part of EncryptedExtensions unencrypted
	// in the same record as ServerHello.
	PartialEncryptedExtensionsWithServerHello bool

	// PartialClientFinishedWithClientHello, if true, causes the TLS 1.2
	// or TLS 1.3 client to send part of Finished unencrypted in the same
	// record as ClientHello.
	PartialClientFinishedWithClientHello bool

	// PartialClientFinishedWithSecondClientHello, if true, causes the
	// TLS 1.3 client to send part of Finished unencrypted in the same
	// record as the second ClientHello.
	PartialClientFinishedWithSecondClientHello bool

	// PartialEndOfEarlyDataWithClientHello, if true, causes the TLS 1.3
	// client to send part of EndOfEarlyData unencrypted in the same record
	// as ClientHello.
	PartialEndOfEarlyDataWithClientHello bool

	// PartialSecondClientHelloAfterFirst, if true, causes the TLS 1.3 client
	// to send part of the second ClientHello in the same record as the first
	// one.
	PartialSecondClientHelloAfterFirst bool

	// PartialClientKeyExchangeWithClientHello, if true, causes the TLS 1.2
	// client to send part of the ClientKeyExchange in the same record as
	// the ClientHello.
	PartialClientKeyExchangeWithClientHello bool

	// PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2
	// server to send part of the NewSessionTicket in the same record as
	// ServerHelloDone.
	PartialNewSessionTicketWithServerHelloDone bool

	// PartialNewSessionTicketWithServerHelloDone, if true, causes the TLS 1.2
	// server to send part of the Finished in the same record as ServerHelloDone.
	PartialFinishedWithServerHelloDone bool

	// PartialServerHelloWithHelloRetryRequest, if true, causes the TLS 1.3
	// server to send part of the ServerHello in the same record as
	// HelloRetryRequest.
	PartialServerHelloWithHelloRetryRequest bool

	// TrailingDataWithFinished, if true, causes the record containing the
	// Finished message to include an extra byte of data at the end.
	TrailingDataWithFinished bool

	// SendV2ClientHello causes the client to send a V2ClientHello
	// instead of a normal ClientHello.
	SendV2ClientHello bool

	// V2ClientHelloChallengeLength is the length of the challenge field to send
	// in V2ClientHello.
	V2ClientHelloChallengeLength int

	// SendFallbackSCSV causes the client to include
	// TLS_FALLBACK_SCSV in the ClientHello.
	SendFallbackSCSV bool

	// SendRenegotiationSCSV causes the client to include the renegotiation
	// SCSV in the ClientHello.
	SendRenegotiationSCSV bool

	// MaxHandshakeRecordLength, if non-zero, is the maximum size of a
	// handshake record. Handshake messages will be split into multiple
	// records at the specified size. For DTLS, it is the maximum handshake
	// fragment size, not record size; DTLS allows multiple handshake fragments
	// in a single handshake record. See |PackHandshakeFragments|.
	MaxHandshakeRecordLength int

	// FragmentAlert will cause all alerts to be fragmented across
	// two records.
	FragmentAlert bool

	// DoubleAlert will cause all alerts to be sent as two copies packed
	// within one record.
	DoubleAlert bool

	// SendSpuriousAlert, if non-zero, will cause an spurious, unwanted
	// alert to be sent.
	SendSpuriousAlert alert

	// BadRSAClientKeyExchange causes the client to send a corrupted RSA
	// ClientKeyExchange which would not pass padding checks.
	BadRSAClientKeyExchange RSABadValue

	// RenewTicketOnResume causes the server to renew the session ticket and
	// send a NewSessionTicket message during an abbreviated handshake.
	RenewTicketOnResume bool

	// SendClientVersion, if non-zero, causes the client to send the
	// specified value in the ClientHello version field.
	SendClientVersion uint16

	// OmitSupportedVersions, if true, causes the client to omit the
	// supported versions extension.
	OmitSupportedVersions bool

	// SendSupportedVersions, if non-empty, causes the client to send a
	// supported versions extension with the values from array.
	SendSupportedVersions []uint16

	// NegotiateVersion, if non-zero, causes the server to negotiate the
	// specified wire version rather than the version supported by either
	// peer.
	NegotiateVersion uint16

	// NegotiateVersionOnRenego, if non-zero, causes the server to negotiate
	// the specified wire version on renegotiation rather than retaining it.
	NegotiateVersionOnRenego uint16

	// ExpectFalseStart causes the server to, on full handshakes,
	// expect the peer to False Start; the server Finished message
	// isn't sent until we receive an application data record
	// from the peer.
	ExpectFalseStart bool

	// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
	// handshakes, send an alert just before reading the application data
	// record to test False Start. This can be used in a negative False
	// Start test to determine whether the peer processed the alert (and
	// closed the connection) before or after sending app data.
	AlertBeforeFalseStartTest alert

	// ExpectServerName, if not empty, is the hostname the client
	// must specify in the selected ClientHello's server_name extension.
	ExpectServerName string

	// ExpectServerName, if not empty, is the hostname the client
	// must specify in the ClientHelloOuter's server_name extension.
	ExpectOuterServerName string

	// ExpectClientECH causes the server to require that the client offer ECH.
	ExpectClientECH bool

	// ExpectNoClientECH causes the server to require that the client not offer ECH.
	ExpectNoClientECH bool

	// IgnoreECHConfigCipherPreferences, when true, causes the client to ignore
	// the cipher preferences in the ECHConfig and select the most preferred ECH
	// cipher suite unconditionally.
	IgnoreECHConfigCipherPreferences bool

	// ExpectECHRetryConfigs, when non-nil, contains the expected bytes of the
	// server's retry configs.
	ExpectECHRetryConfigs []byte

	// SendECHRetryConfigs, if not empty, contains the ECH server's serialized
	// retry configs.
	SendECHRetryConfigs []byte

	// AlwaysSendECHRetryConfigs, if true, causes the ECH server to send retry
	// configs unconditionally, including in the TLS 1.2 ServerHello.
	AlwaysSendECHRetryConfigs bool

	// AlwaysSendECHHelloRetryRequest, if true, causes the ECH server to send
	// the ECH HelloRetryRequest extension unconditionally.
	AlwaysSendECHHelloRetryRequest bool

	// SendInvalidECHInner, if not empty, causes the client to send the
	// specified byte string after the type field in ClientHelloInner
	// encrypted_client_hello extension.
	SendInvalidECHInner []byte

	// OmitECHInner, if true, causes the client to omit the encrypted_client_hello
	// extension on the ClientHelloInner message.
	OmitECHInner bool

	// OmitSecondECHInner, if true, causes the client to omit the
	// encrypted_client_hello extension on the second ClientHelloInner message.
	OmitSecondECHInner bool

	// OmitServerHelloECHConfirmation, if true, causes the server to omit the
	// ECH confirmation in the ServerHello.
	OmitServerHelloECHConfirmation bool

	// AlwaysSendECHInner, if true, causes the client to send an inner
	// encrypted_client_hello extension on all ClientHello messages. The server
	// is then expected to unconditionally confirm the extension when
	// negotiating TLS 1.3 or later.
	AlwaysSendECHInner bool

	// TruncateClientECHEnc, if true, causes the client to send a shortened
	// ClientECH.enc value in its encrypted_client_hello extension.
	TruncateClientECHEnc bool

	// ClientECHPadding is the number of bytes of padding to add to the client
	// ECH payload.
	ClientECHPadding int

	// BadClientECHPadding, if true, causes the client ECH padding to contain a
	// non-zero byte.
	BadClientECHPadding bool

	// OfferSessionInClientHelloOuter, if true, causes the client to offer
	// sessions in ClientHelloOuter.
	OfferSessionInClientHelloOuter bool

	// OnlyCompressSecondClientHelloInner, if true, causes the client to
	// only apply outer_extensions to the second ClientHello.
	OnlyCompressSecondClientHelloInner bool

	// OmitSecondEncryptedClientHello, if true, causes the client to omit the
	// second encrypted_client_hello extension.
	OmitSecondEncryptedClientHello bool

	// CorruptEncryptedClientHello, if true, causes the client to incorrectly
	// encrypt the encrypted_client_hello extension.
	CorruptEncryptedClientHello bool

	// CorruptSecondEncryptedClientHello, if true, causes the client to
	// incorrectly encrypt the second encrypted_client_hello extension.
	CorruptSecondEncryptedClientHello bool

	// CorruptSecondEncryptedClientHelloConfigID, if true, causes the client to
	// incorrectly set the second ClientHello's ECH config ID.
	CorruptSecondEncryptedClientHelloConfigID bool

	// AllowTLS12InClientHelloInner, if true, causes the client to include
	// TLS 1.2 and earlier in ClientHelloInner.
	AllowTLS12InClientHelloInner bool

	// MinimalClientHelloOuter, if true, causes the client to omit most fields
	// in ClientHelloOuter. Note this will make handshake attempts with the
	// ClientHelloOuter fail and should only be used in tests that expect
	// success.
	MinimalClientHelloOuter bool

	// ExpectECHOuterExtensions is a list of extension IDs which the server
	// will require to be present in ech_outer_extensions.
	ExpectECHOuterExtensions []uint16

	// ExpectECHOuterExtensions is a list of extension IDs which the server
	// will require to be omitted in ech_outer_extensions.
	ExpectECHUncompressedExtensions []uint16

	// ECHOuterExtensionOrder, if not nil, is an extension order to apply to
	// ClientHelloOuter, instead of ordering the |ECHOuterExtensions| to match
	// in both ClientHellos.
	ECHOuterExtensionOrder []uint16

	// UseInnerSessionWithClientHelloOuter, if true, causes the server to
	// handshake with ClientHelloOuter, but resume the session from
	// ClientHelloInner.
	UseInnerSessionWithClientHelloOuter bool

	// RecordClientHelloInner, when non-nil, is called whenever the client
	// generates an encrypted ClientHello. The byte strings do not include the
	// ClientHello header.
	RecordClientHelloInner func(encodedInner, outer []byte) error

	// SwapNPNAndALPN switches the relative order between NPN and ALPN in
	// both ClientHello and ServerHello.
	SwapNPNAndALPN bool

	// ALPNProtocol, if not nil, sets the ALPN protocol that a server will
	// return.
	ALPNProtocol *string

	// AlwaysNegotiateApplicationSettingsBoth, if true, causes the server to
	// negotiate ALPS using both codepoint for a protocol even if the client did
	// not support it or the version is wrong.
	AlwaysNegotiateApplicationSettingsBoth bool

	// AlwaysNegotiateApplicationSettingsNew, if true, causes the server to
	// negotiate ALPS using new codepoint for a protocol even if the client did
	// not support it or the version is wrong.
	AlwaysNegotiateApplicationSettingsNew bool

	// AlwaysNegotiateApplicationSettingsOld, if true, causes the server to
	// negotiate ALPS using old codepoint for a protocol even if the client did
	// not support it or the version is wrong.
	AlwaysNegotiateApplicationSettingsOld bool

	// SendApplicationSettingsWithEarlyData, if true, causes the client and
	// server to send the application_settings extension with early data,
	// rather than letting them implicitly carry over.
	SendApplicationSettingsWithEarlyData bool

	// AlwaysSendClientEncryptedExtension, if true, causes the client to always
	// send a, possibly empty, client EncryptedExtensions message.
	AlwaysSendClientEncryptedExtensions bool

	// OmitClientEncryptedExtensions, if true, causes the client to omit the
	// client EncryptedExtensions message.
	OmitClientEncryptedExtensions bool

	// OmitClientApplicationSettings, if true, causes the client to omit the
	// application_settings extension but still send EncryptedExtensions.
	OmitClientApplicationSettings bool

	// SendExtraClientEncryptedExtension, if true, causes the client to
	// include an unsolicited extension in the client EncryptedExtensions
	// message.
	SendExtraClientEncryptedExtension bool

	// AcceptAnySession causes the server to resume sessions regardless of
	// the version associated with the session or cipher suite. It also
	// causes the server to look in both TLS 1.2 and 1.3 extensions to
	// process a ticket.
	AcceptAnySession bool

	// SendBothTickets, if true, causes the client to send tickets in both
	// TLS 1.2 and 1.3 extensions.
	SendBothTickets bool

	// FilterTicket, if not nil, causes the client to modify a session
	// ticket before sending it in a resume handshake.
	FilterTicket func([]byte) ([]byte, error)

	// TicketSessionIDLength, if non-zero, is the length of the session ID
	// to send with a ticket resumption offer.
	TicketSessionIDLength int

	// EmptyTicketSessionID, if true, causes the client to send an empty
	// session ID with a ticket resumption offer. For simplicity, this will
	// also cause the client to interpret a ServerHello with empty session
	// ID as a resumption. (A client which sends empty session ID is
	// normally expected to look ahead for ChangeCipherSpec.)
	EmptyTicketSessionID bool

	// NewSessionIDLength, if non-zero is the length of the session ID to use
	// when issung new sessions.
	NewSessionIDLength int

	// SendClientHelloSessionID, if not nil, is the session ID sent in the
	// ClientHello.
	SendClientHelloSessionID []byte

	// ExpectClientHelloSessionID, if true, causes the server to fail the
	// connection if there is not a session ID in the ClientHello.
	ExpectClientHelloSessionID bool

	// EchoSessionIDInFullHandshake, if true, causes the server to echo the
	// ClientHello session ID, even in TLS 1.2 full handshakes.
	EchoSessionIDInFullHandshake bool

	// ExpectNoSessionID, if true, causes the server to fail the connection if
	// the session ID field is present.
	ExpectNoSessionID bool

	// ExpectNoTLS12Session, if true, causes the server to fail the
	// connection if the client offered a TLS 1.2 session. TLS 1.3 clients
	// always offer session IDs for compatibility, so the session ID check
	// checks for sessions the server issued.
	ExpectNoTLS12Session bool

	// ExpectNoTLS12TicketSupport, if true, causes the server to fail the
	// connection if the client signaled TLS 1.2 session ticket support.
	// (This implicitly enforces that the client does not send a ticket.)
	ExpectNoTLS12TicketSupport bool

	// ExpectNoTLS13PSK, if true, causes the server to fail the connection
	// if a TLS 1.3 PSK is offered.
	ExpectNoTLS13PSK bool

	// ExpectNoTLS13PSKAfterHRR, if true, causes the server to fail the connection
	// if a TLS 1.3 PSK is offered after HRR.
	ExpectNoTLS13PSKAfterHRR bool

	// RequireExtendedMasterSecret, if true, requires that the peer support
	// the extended master secret option.
	RequireExtendedMasterSecret bool

	// NoExtendedMasterSecret causes the client and server to behave as if
	// they didn't support an extended master secret in the initial
	// handshake.
	NoExtendedMasterSecret bool

	// NoExtendedMasterSecretOnRenegotiation causes the client and server to
	// behave as if they didn't support an extended master secret in
	// renegotiation handshakes.
	NoExtendedMasterSecretOnRenegotiation bool

	// EmptyRenegotiationInfo causes the renegotiation extension to be
	// empty in a renegotiation handshake.
	EmptyRenegotiationInfo bool

	// BadRenegotiationInfo causes the renegotiation extension value in a
	// renegotiation handshake to be incorrect at the start.
	BadRenegotiationInfo bool

	// BadRenegotiationInfoEnd causes the renegotiation extension value in
	// a renegotiation handshake to be incorrect at the end.
	BadRenegotiationInfoEnd bool

	// NoRenegotiationInfo disables renegotiation info support in all
	// handshakes.
	NoRenegotiationInfo bool

	// NoRenegotiationInfoInInitial disables renegotiation info support in
	// the initial handshake.
	NoRenegotiationInfoInInitial bool

	// NoRenegotiationInfoAfterInitial disables renegotiation info support
	// in renegotiation handshakes.
	NoRenegotiationInfoAfterInitial bool

	// RequireRenegotiationInfo, if true, causes the client to return an
	// error if the server doesn't reply with the renegotiation extension.
	RequireRenegotiationInfo bool

	// SequenceNumberMapping, if non-nil, is the mapping function to apply
	// to the sequence number of outgoing packets. For both TLS and DTLS,
	// the two most-significant bytes in the resulting sequence number are
	// ignored so that the DTLS epoch cannot be changed.
	SequenceNumberMapping func(uint64) uint64

	// RSAEphemeralKey, if true, causes the server to send a
	// ServerKeyExchange message containing an ephemeral key (as in
	// RSA_EXPORT) in the plain RSA key exchange.
	RSAEphemeralKey bool

	// SRTPMasterKeyIdentifier, if not empty, is the SRTP MKI value that the
	// client offers when negotiating SRTP. MKI support is still missing so
	// the peer must still send none.
	SRTPMasterKeyIdentifier string

	// SendSRTPProtectionProfile, if non-zero, is the SRTP profile that the
	// server sends in the ServerHello instead of the negotiated one.
	SendSRTPProtectionProfile uint16

	// NoSignatureAlgorithms, if true, causes the client to omit the
	// signature and hashes extension.
	//
	// For a server, it will cause an empty list to be sent in the
	// CertificateRequest message. None the less, the configured set will
	// still be enforced.
	NoSignatureAlgorithms bool

	// NoSupportedCurves, if true, causes the client to omit the
	// supported_curves extension.
	NoSupportedCurves bool

	// RequireSameRenegoClientVersion, if true, causes the server
	// to require that all ClientHellos match in offered version
	// across a renego.
	RequireSameRenegoClientVersion bool

	// ExpectInitialRecordVersion, if non-zero, is the expected value of
	// record-layer version field before the protocol version is determined.
	ExpectInitialRecordVersion uint16

	// SendRecordVersion, if non-zero, is the value to send as the
	// record-layer version.
	SendRecordVersion uint16

	// SendInitialRecordVersion, if non-zero, is the value to send as the
	// record-layer version before the protocol version is determined.
	SendInitialRecordVersion uint16

	// MaxPacketLength, if non-zero, is the maximum acceptable size for a
	// packet. The shim will also be expected to maximally fill packets in the
	// handshake up to this limit.
	MaxPacketLength int

	// SendCipherSuite, if non-zero, is the cipher suite value that the
	// server will send in the ServerHello. This does not affect the cipher
	// the server believes it has actually negotiated.
	SendCipherSuite uint16

	// SendCipherSuites, if not nil, is the cipher suite list that the
	// client will send in the ClientHello. This does not affect the cipher
	// the client believes it has actually offered.
	SendCipherSuites []uint16

	// AppDataBeforeHandshake, if not nil, causes application data to be
	// sent immediately before the first handshake message.
	AppDataBeforeHandshake []byte

	// AppDataAfterChangeCipherSpec, if not nil, causes application data to
	// be sent immediately after ChangeCipherSpec.
	AppDataAfterChangeCipherSpec []byte

	// AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent
	// immediately after ChangeCipherSpec.
	AlertAfterChangeCipherSpec alert

	// AppDataBeforeTLS13KeyChange, if not nil, causes application data to
	// be sent immediately before the final key change in (D)TLS 1.3.
	AppDataBeforeTLS13KeyChange []byte

	// UnencryptedEncryptedExtensions, if true, causes the server to send
	// EncryptedExtensions unencrypted, delaying the first key change.
	UnencryptedEncryptedExtensions bool

	// PacketAdaptor is the packetAdaptor to use to simulate timeouts.
	PacketAdaptor *packetAdaptor

	// WriteFlightDTLS, if not nil, overrides the default behavior for writing
	// the flight in DTLS. See DTLSController for details.
	WriteFlightDTLS WriteFlightFunc

	// ACKFlightDTLS, if not nil, overrides the default behavior for
	// acknowledging the final flight (of either the handshake or a
	// post-handshake transaction) in DTLS. See DTLSController for details.
	ACKFlightDTLS ACKFlightFunc

	// SkipImplicitACKRead, if true, causes the DTLS 1.3 client to skip
	// implicitly reading the ACK at the end of the handshake. This may be used
	// when WriteFlightDTLS consumes the ACK itself.
	SkipImplicitACKRead bool

	// MockQUICTransport is the mockQUICTransport used when testing
	// QUIC interfaces.
	MockQUICTransport *mockQUICTransport

	// ReorderHandshakeFragments, if true, causes handshake fragments in
	// DTLS to overlap and be sent in the wrong order. It also causes
	// pre-CCS flights to be sent twice. (Post-CCS flights consist of
	// Finished and will trigger a spurious retransmit.)
	ReorderHandshakeFragments bool

	// MixCompleteMessageWithFragments, if true, causes handshake
	// messages in DTLS to redundantly both fragment the message
	// and include a copy of the full one.
	MixCompleteMessageWithFragments bool

	// SendInvalidRecordType, if true, causes a record with an invalid
	// content type to be sent immediately following the handshake.
	SendInvalidRecordType bool

	// SendWrongMessageType, if non-zero, causes messages of the specified
	// type to be sent with the wrong value.
	SendWrongMessageType byte

	// SendTrailingMessageData, if non-zero, causes messages of the
	// specified type to be sent with trailing data.
	SendTrailingMessageData byte

	// SplitFragments, if non-zero, causes the handshake fragments in DTLS
	// to be split across two records. The value of |SplitFragments| is the
	// number of bytes in the first fragment.
	SplitFragments int

	// SendEmptyFragments, if true, causes handshakes to include empty
	// fragments in DTLS.
	SendEmptyFragments bool

	// SendSplitAlert, if true, causes an alert to be sent with the header
	// and record body split across multiple packets. The peer should
	// discard these packets rather than process it.
	SendSplitAlert bool

	// FailIfResumeOnRenego, if true, causes renegotiations to fail if the
	// client offers a resumption or the server accepts one.
	FailIfResumeOnRenego bool

	// IgnorePeerCipherPreferences, if true, causes the peer's cipher
	// preferences to be ignored.
	IgnorePeerCipherPreferences bool

	// IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's
	// signature algorithm preferences to be ignored.
	IgnorePeerSignatureAlgorithmPreferences bool

	// IgnorePeerCurvePreferences, if true, causes the peer's curve
	// preferences to be ignored.
	IgnorePeerCurvePreferences bool

	// BadFinished, if true, causes the Finished hash to be broken.
	BadFinished bool

	// PackHandshakeFragments, if true, causes handshake fragments in DTLS
	// to be packed into individual handshake records, up to the specified
	// record size.
	PackHandshakeFragments int

	// PackHandshakeRecords, if non-zero, causes handshake and
	// ChangeCipherSpec records in DTLS to be packed into individual
	// packets, up to the specified packet size.
	PackHandshakeRecords int

	// PackAppDataWithHandshake, if true, extends PackHandshakeRecords to
	// additionally include the first application data record sent after the
	// final Finished message in a handshake. (If the final Finished message
	// is sent by the peer, this option has no effect.) This requires that
	// the runner rather than shim speak first in a given test.
	PackAppDataWithHandshake bool

	// SplitAndPackAppData, if true, causes application data in DTLS to be
	// split into two records each and packed into one packet.
	SplitAndPackAppData bool

	// PackHandshakeFlight, if true, causes each handshake flight in TLS to
	// be packed into records, up to the largest size record available.
	PackHandshakeFlight bool

	// AdvertiseAllConfiguredCiphers, if true, causes the client to
	// advertise all configured cipher suite values.
	AdvertiseAllConfiguredCiphers bool

	// EmptyCertificateList, if true, causes the server to send an empty
	// certificate list in the Certificate message.
	EmptyCertificateList bool

	// ExpectNewTicket, if true, causes the client to abort if it does not
	// receive a new ticket.
	ExpectNewTicket bool

	// RequireClientHelloSize, if not zero, is the required length in bytes
	// of the ClientHello /record/. This is checked by the server.
	RequireClientHelloSize int

	// CustomExtension, if not empty, contains the contents of an extension
	// that will be added to client/server hellos.
	CustomExtension string

	// CustomUnencryptedExtension, if not empty, contains the contents of
	// an extension that will be added to ServerHello in TLS 1.3.
	CustomUnencryptedExtension string

	// ExpectedCustomExtension, if not nil, contains the expected contents
	// of a custom extension.
	ExpectedCustomExtension *string

	// CustomTicketExtension, if not empty, contains the contents of an
	// extension what will be added to NewSessionTicket in TLS 1.3.
	CustomTicketExtension string

	// CustomTicketExtension, if not empty, contains the contents of an
	// extension what will be added to HelloRetryRequest in TLS 1.3.
	CustomHelloRetryRequestExtension string

	// NoCloseNotify, if true, causes the close_notify alert to be skipped
	// on connection shutdown.
	NoCloseNotify bool

	// SendAlertOnShutdown, if non-zero, is the alert to send instead of
	// close_notify on shutdown.
	SendAlertOnShutdown alert

	// ExpectCloseNotify, if true, requires a close_notify from the peer on
	// shutdown. Records from the peer received after close_notify is sent
	// are not discard.
	ExpectCloseNotify bool

	// SendLargeRecords, if true, allows outgoing records to be sent
	// arbitrarily large.
	SendLargeRecords bool

	// NegotiateALPNAndNPN, if true, causes the server to negotiate both
	// ALPN and NPN in the same connection.
	NegotiateALPNAndNPN bool

	// SendALPN, if non-empty, causes the server to send the specified
	// string in the ALPN extension regardless of the content or presence of
	// the client offer.
	SendALPN string

	// SendUnencryptedALPN, if non-empty, causes the server to send the
	// specified string in a ServerHello ALPN extension in TLS 1.3.
	SendUnencryptedALPN string

	// SendEmptySessionTicket, if true, causes the server to send an empty
	// session ticket.
	SendEmptySessionTicket bool

	// SendPSKKeyExchangeModes, if not nil, determines the PSK key exchange
	// modes to send. If a non-nil empty slice, no extension will be sent.
	SendPSKKeyExchangeModes []byte

	// ExpectNoNewSessionTicket, if true, means that the client will fail upon
	// receipt of a NewSessionTicket message.
	ExpectNoNewSessionTicket bool

	// ExpectNoNonEmptyNewSessionTicket, if true, means that the client will
	// fail upon receipt of a NewSessionTicket message that was non-empty. In
	// TLS 1.3, this is the same as ExpectNoNewSessionTicket. In TLS 1.2, this
	// allows the server to commit to sending NewSessionTicket, but then decline
	// to send one.
	ExpectNoNonEmptyNewSessionTicket bool

	// DuplicateTicketEarlyData causes an extra empty extension of early_data to
	// be sent in NewSessionTicket.
	DuplicateTicketEarlyData bool

	// ExpectTicketEarlyData, if true, means that the client will fail upon
	// absence of the early_data extension.
	ExpectTicketEarlyData bool

	// ExpectTicketAge, if non-zero, is the expected age of the ticket that the
	// server receives from the client.
	ExpectTicketAge time.Duration

	// SendTicketAge, if non-zero, is the ticket age to be sent by the
	// client.
	SendTicketAge time.Duration

	// SendHelloRequestBeforeEveryAppDataRecord, if true, causes a
	// HelloRequest handshake message to be sent before each application
	// data record. This only makes sense for a server.
	SendHelloRequestBeforeEveryAppDataRecord bool

	// SendHelloRequestBeforeEveryHandshakeMessage, if true, causes a
	// HelloRequest handshake message to be sent before each handshake
	// message. This only makes sense for a server.
	SendHelloRequestBeforeEveryHandshakeMessage bool

	// BadChangeCipherSpec, if not nil, is the body to be sent in
	// ChangeCipherSpec records instead of {1}.
	BadChangeCipherSpec []byte

	// BadHelloRequest, if not nil, is what to send instead of a
	// HelloRequest.
	BadHelloRequest []byte

	// RequireSessionTickets, if true, causes the client to require new
	// sessions use session tickets instead of session IDs.
	RequireSessionTickets bool

	// RequireSessionIDs, if true, causes the client to require new sessions use
	// session IDs instead of session tickets.
	RequireSessionIDs bool

	// NullAllCiphers, if true, causes every cipher to behave like the null
	// cipher.
	NullAllCiphers bool

	// SendSCTListOnResume, if not nil, causes the server to send the
	// supplied SCT list in resumption handshakes.
	SendSCTListOnResume []byte

	// SendSCTListOnRenegotiation, if not nil, causes the server to send the
	// supplied SCT list on renegotiation.
	SendSCTListOnRenegotiation []byte

	// SendOCSPResponseOnResume, if not nil, causes the server to advertise
	// OCSP stapling in resumption handshakes and, if applicable, send the
	// supplied stapled response.
	SendOCSPResponseOnResume []byte

	// SendOCSPResponseOnResume, if not nil, causes the server to send the
	// supplied OCSP response on renegotiation.
	SendOCSPResponseOnRenegotiation []byte

	// SendExtensionOnCertificate, if not nil, causes the runner to send the
	// supplied bytes in the extensions on the Certificate message.
	SendExtensionOnCertificate []byte

	// SendOCSPOnIntermediates, if not nil, causes the server to send the
	// supplied OCSP on intermediate certificates in the Certificate message.
	SendOCSPOnIntermediates []byte

	// SendSCTOnIntermediates, if not nil, causes the server to send the
	// supplied SCT on intermediate certificates in the Certificate message.
	SendSCTOnIntermediates []byte

	// SendDuplicateCertExtensions, if true, causes the server to send an extra
	// copy of the OCSP/SCT extensions in the Certificate message.
	SendDuplicateCertExtensions bool

	// ExpectNoExtensionsOnIntermediate, if true, causes the client to
	// reject extensions on intermediate certificates.
	ExpectNoExtensionsOnIntermediate bool

	// RecordPadding is the number of bytes of padding to add to each
	// encrypted record in TLS 1.3.
	RecordPadding int

	// OmitRecordContents, if true, causes encrypted records in TLS 1.3 to
	// be missing their body and content type. Padding, if configured, is
	// still added.
	OmitRecordContents bool

	// OuterRecordType, if non-zero, is the outer record type to use instead
	// of application data.
	OuterRecordType recordType

	// SendSignatureAlgorithm, if non-zero, causes all signatures to be sent
	// with the given signature algorithm rather than the one negotiated.
	SendSignatureAlgorithm signatureAlgorithm

	// SkipECDSACurveCheck, if true, causes all ECDSA curve checks to be
	// skipped.
	SkipECDSACurveCheck bool

	// IgnoreSignatureVersionChecks, if true, causes all signature
	// algorithms to be enabled at all TLS versions.
	IgnoreSignatureVersionChecks bool

	// NegotiateRenegotiationInfoAtAllVersions, if true, causes
	// Renegotiation Info to be negotiated at all versions.
	NegotiateRenegotiationInfoAtAllVersions bool

	// NegotiateNPNAtAllVersions, if true, causes NPN to be negotiated at
	// all versions.
	NegotiateNPNAtAllVersions bool

	// NegotiateEMSAtAllVersions, if true, causes EMS to be negotiated at
	// all versions.
	NegotiateEMSAtAllVersions bool

	// AdvertiseTicketExtension, if true, causes the ticket extension to be
	// advertised in server extensions
	AdvertiseTicketExtension bool

	// NegotiatePSKResumption, if true, causes the server to attempt pure PSK
	// resumption.
	NegotiatePSKResumption bool

	// AlwaysSelectPSKIdentity, if true, causes the server in TLS 1.3 to
	// always acknowledge a session, regardless of one was offered.
	AlwaysSelectPSKIdentity bool

	// SelectPSKIdentityOnResume, if non-zero, causes the server to select
	// the specified PSK identity index rather than the actual value.
	SelectPSKIdentityOnResume uint16

	// ExtraPSKIdentity, if true, causes the client to send an extra PSK
	// identity.
	ExtraPSKIdentity bool

	// MissingKeyShare, if true, causes the TLS 1.3 implementation to skip
	// sending a key_share extension and use the zero ECDHE secret
	// instead.
	MissingKeyShare bool

	// SecondClientHelloMissingKeyShare, if true, causes the second TLS 1.3
	// ClientHello to skip sending a key_share extension and use the zero
	// ECDHE secret instead.
	SecondClientHelloMissingKeyShare bool

	// MisinterpretHelloRetryRequestCurve, if non-zero, causes the TLS 1.3
	// client to pretend the server requested a HelloRetryRequest with the
	// given curve rather than the actual one.
	MisinterpretHelloRetryRequestCurve CurveID

	// DuplicateKeyShares, if true, causes the TLS 1.3 client to send two
	// copies of each KeyShareEntry.
	DuplicateKeyShares bool

	// SendEarlyAlert, if true, sends a fatal alert after the ClientHello.
	SendEarlyAlert bool

	// SendFakeEarlyDataLength, if non-zero, is the amount of early data to
	// send after the ClientHello.
	SendFakeEarlyDataLength int

	// SendStrayEarlyHandshake, if non-zero, causes the client to send a stray
	// handshake record before sending end of early data.
	SendStrayEarlyHandshake bool

	// OmitEarlyDataExtension, if true, causes the early data extension to
	// be omitted in the ClientHello.
	OmitEarlyDataExtension bool

	// SendEarlyDataOnSecondClientHello, if true, causes the TLS 1.3 client to
	// send early data after the second ClientHello.
	SendEarlyDataOnSecondClientHello bool

	// InterleaveEarlyData, if true, causes the TLS 1.3 client to send early
	// data interleaved with the second ClientHello and the client Finished.
	InterleaveEarlyData bool

	// SendEarlyData causes a TLS 1.3 client to send the provided data
	// in application data records immediately after the ClientHello,
	// provided that the client offers a TLS 1.3 session. It will do this
	// whether or not the server advertised early data for the ticket.
	SendEarlyData [][]byte

	// ExpectEarlyDataAccepted causes a TLS 1.3 client to check that early data
	// was accepted by the server.
	ExpectEarlyDataAccepted bool

	// AlwaysAcceptEarlyData causes a TLS 1.3 server to always accept early data
	// regardless of ALPN mismatch.
	AlwaysAcceptEarlyData bool

	// AlwaysRejectEarlyData causes a TLS 1.3 server to always reject early data.
	AlwaysRejectEarlyData bool

	// SendEarlyDataExtension, if true, causes a TLS 1.3 server to send the
	// early_data extension in EncryptedExtensions, independent of whether
	// it was accepted.
	SendEarlyDataExtension bool

	// ExpectEarlyData causes a TLS 1.3 server to read application
	// data after the ClientHello (assuming the server is able to
	// derive the key under which the data is encrypted) before it
	// sends a ServerHello. It checks that the application data it
	// reads matches what is provided in ExpectEarlyData and errors if
	// the number of records or their content do not match.
	ExpectEarlyData [][]byte

	// ExpectLateEarlyData causes a TLS 1.3 server to read application
	// data after the ServerFinished (assuming the server is able to
	// derive the key under which the data is encrypted) before it
	// sends the ClientFinished. It checks that the application data it
	// reads matches what is provided in ExpectLateEarlyData and errors if
	// the number of records or their content do not match.
	ExpectLateEarlyData [][]byte

	// ExpectHalfRTTData causes a TLS 1.3 client, if 0-RTT was accepted, to
	// read application data after reading the server's Finished message and
	// before sending any subsequent handshake messages. It checks that the
	// application data it reads matches what is provided in
	// ExpectHalfRTTData and errors if the number of records or their
	// content do not match.
	ExpectHalfRTTData [][]byte

	// EmptyEncryptedExtensions, if true, causes the TLS 1.3 server to
	// emit an empty EncryptedExtensions block.
	EmptyEncryptedExtensions bool

	// EncryptedExtensionsWithKeyShare, if true, causes the TLS 1.3 server to
	// include the KeyShare extension in the EncryptedExtensions block.
	EncryptedExtensionsWithKeyShare bool

	// AlwaysSendHelloRetryRequest, if true, causes a HelloRetryRequest to
	// be sent by the server, even if empty.
	AlwaysSendHelloRetryRequest bool

	// SecondHelloRetryRequest, if true, causes the TLS 1.3 server to send
	// two HelloRetryRequests instead of one.
	SecondHelloRetryRequest bool

	// SendHelloRetryRequestCurve, if non-zero, causes the server to send
	// the specified curve in a HelloRetryRequest, even if the client did
	// not offer key shares at all.
	SendHelloRetryRequestCurve CurveID

	// SendHelloRetryRequestCipherSuite, if non-zero, causes the server to send
	// the specified cipher suite in a HelloRetryRequest.
	SendHelloRetryRequestCipherSuite uint16

	// SendHelloRetryRequestCookie, if not nil, contains a cookie to be
	// sent by the server in HelloRetryRequest.
	SendHelloRetryRequestCookie []byte

	// DuplicateHelloRetryRequestExtensions, if true, causes all
	// HelloRetryRequest extensions to be sent twice.
	DuplicateHelloRetryRequestExtensions bool

	// SendServerHelloVersion, if non-zero, causes the server to send the
	// specified value in ServerHello version field.
	SendServerHelloVersion uint16

	// SendServerSupportedVersionExtension, if non-zero, causes the server to send
	// the specified value in supported_versions extension in the ServerHello (but
	// not the HelloRetryRequest).
	SendServerSupportedVersionExtension uint16

	// OmitServerSupportedVersionExtension, if true, causes the server to
	// omit the supported_versions extension in the ServerHello (but not the
	// HelloRetryRequest)
	OmitServerSupportedVersionExtension bool

	// SkipHelloRetryRequest, if true, causes the TLS 1.3 server to not send
	// HelloRetryRequest.
	SkipHelloRetryRequest bool

	// PackHelloRequestWithFinished, if true, causes the TLS server to send
	// HelloRequest in the same record as Finished.
	PackHelloRequestWithFinished bool

	// ExpectMissingKeyShare, if true, causes the TLS server to fail the
	// connection if the selected curve appears in the client's initial
	// ClientHello. That is, it requires that a HelloRetryRequest be sent.
	ExpectMissingKeyShare bool

	// SendExtraFinished, if true, causes an extra Finished message to be
	// sent.
	SendExtraFinished bool

	// SendRequestContext, if not empty, is the request context to send in
	// a TLS 1.3 CertificateRequest.
	SendRequestContext []byte

	// OmitCertificateRequestAlgorithms, if true, omits the signature_algorithm
	// extension in a TLS 1.3 CertificateRequest.
	OmitCertificateRequestAlgorithms bool

	// SendCustomCertificateRequest, if non-zero, send an additional custom
	// extension in a TLS 1.3 CertificateRequest.
	SendCustomCertificateRequest uint16

	// AlwaysSendCertificateRequest, if true, causes the server to send
	// CertificateRequest in TLS 1.3, even in handshakes where it is not
	// allowed, such as resumption.
	AlwaysSendCertificateRequest bool

	// AlwaysSendCertificate, if true, causes the server to send Certificate in
	// TLS 1.3, even in handshakes where it is not allowed, such as resumption.
	AlwaysSendCertificate bool

	// UseCertificateCredential, if not nil, is the credential to use as a
	// server for TLS 1.3 Certificate and CertificateVerify messages. This may
	// be used with AlwaysSendCertificate to authenticate with a certificate
	// alongside some non-certificate credential.
	UseCertificateCredential *Credential

	// SendSNIWarningAlert, if true, causes the server to send an
	// unrecognized_name alert before the ServerHello.
	SendSNIWarningAlert bool

	// SendCompressionMethods, if not nil, is the compression method list to
	// send in the ClientHello.
	SendCompressionMethods []byte

	// SendCompressionMethod is the compression method to send in the
	// ServerHello.
	SendCompressionMethod byte

	// AlwaysSendPreSharedKeyIdentityHint, if true, causes the server to
	// always send a ServerKeyExchange for PSK ciphers, even if the identity
	// hint is empty.
	AlwaysSendPreSharedKeyIdentityHint bool

	// TrailingKeyShareData, if true, causes the client key share list to
	// include a trailing byte.
	TrailingKeyShareData bool

	// InvalidChannelIDSignature, if true, causes the client to generate an
	// invalid Channel ID signature.
	InvalidChannelIDSignature bool

	// AlwaysNegotiateChannelID, if true, causes the server to negotiate Channel
	// ID, even when the client does not offer it.
	AlwaysNegotiateChannelID bool

	// ExpectGREASE, if true, causes messages without GREASE values to be
	// rejected. See RFC 8701.
	ExpectGREASE bool

	// OmitPSKsOnSecondClientHello, if true, causes the client to omit the
	// PSK extension on the second ClientHello.
	OmitPSKsOnSecondClientHello bool

	// OnlyCorruptSecondPSKBinder, if true, causes the options below to
	// only apply to the second PSK binder.
	OnlyCorruptSecondPSKBinder bool

	// SendShortPSKBinder, if true, causes the client to send a PSK binder
	// that is one byte shorter than it should be.
	SendShortPSKBinder bool

	// SendInvalidPSKBinder, if true, causes the client to send an invalid
	// PSK binder.
	SendInvalidPSKBinder bool

	// SendNoPSKBinder, if true, causes the client to send no PSK binders.
	SendNoPSKBinder bool

	// SendExtraPSKBinder, if true, causes the client to send an extra PSK
	// binder.
	SendExtraPSKBinder bool

	// PSKBinderFirst, if true, causes the client to send the PSK Binder
	// extension as the first extension instead of the last extension.
	PSKBinderFirst bool

	// NoOCSPStapling, if true, causes the client to not request OCSP
	// stapling.
	NoOCSPStapling bool

	// NoSignedCertificateTimestamps, if true, causes the client to not
	// request signed certificate timestamps.
	NoSignedCertificateTimestamps bool

	// ExpectPeerRequestedTrustAnchors, if not nil, causes the server to
	// require the client to request the specified trust anchors in the
	// ClientHello.
	ExpectPeerRequestedTrustAnchors [][]byte

	// ExpectPeerAvailableTrustAnchors, if not nil, causes the client to
	// require the server to list the specified trust anchors as available
	// in EncryptedExtensions.
	ExpectPeerAvailableTrustAnchors [][]byte

	// ExpectPeerMatchTrustAnchor, if not nil, causes the client to require the
	// server to acknowledge, or not acknowledge the trust_anchors extension in
	// Certificate.
	ExpectPeerMatchTrustAnchor *bool

	// AlwaysMatchTrustAnchorID, if true, causes the server to always indicate
	// a trust anchor ID match in the Certificate message.
	AlwaysMatchTrustAnchorID bool

	// SendTrustAnchorWrongCertificate sends a trust anchor ID extension
	// on the second certificate in the Certificate message.
	SendTrustAnchorWrongCertificate bool

	// SendNonEmptyTrustAnchorMatch sends a non-empty trust anchor ID
	// extension to indicate a match.
	SendNonEmptyTrustAnchorMatch bool

	// AlwaysSendAvailableTrustAnchors, if true, causese the server to always
	// send available trust anchors in EncryptedExtensions, even if unsolicited.
	AlwaysSendAvailableTrustAnchors bool

	// SendSupportedPointFormats, if not nil, is the list of supported point
	// formats to send in ClientHello or ServerHello. If set to a non-nil
	// empty slice, no extension will be sent.
	SendSupportedPointFormats []byte

	// SendServerSupportedCurves, if true, causes the server to send its
	// supported curves list in the ServerHello (TLS 1.2) or
	// EncryptedExtensions (TLS 1.3) message. This is invalid in TLS 1.2 and
	// valid in TLS 1.3.
	SendServerSupportedCurves bool

	// MaxReceivePlaintext, if non-zero, is the maximum plaintext record
	// length accepted from the peer.
	MaxReceivePlaintext int

	// ExpectPackedEncryptedHandshake, if non-zero, requires that the peer maximally
	// pack their encrypted handshake messages, fitting at most the specified number
	// of bytes per record. In TLS, the limit counts plaintext bytes. In DTLS, it
	// counts packet size and checks both that fragments are packed into records and
	// records are packed into packets.
	ExpectPackedEncryptedHandshake int

	// SendTicketLifetime, if non-zero, is the ticket lifetime to send in
	// NewSessionTicket messages.
	SendTicketLifetime time.Duration

	// SendServerNameAck, if true, causes the server to acknowledge the SNI
	// extension.
	SendServerNameAck bool

	// ExpectCertificateReqNames, if not nil, contains the list of X.509
	// names that must be sent in a CertificateRequest from the server.
	ExpectCertificateReqNames [][]byte

	// RenegotiationCertificate, if not nil, is the certificate to use on
	// renegotiation handshakes.
	RenegotiationCertificate *Credential

	// SigningAlgorithmForLegacyVersions, if non-zero, is the signature algorithm
	// to use when signing in TLS 1.1 and earlier where algorithms are not
	// negotiated.
	SigningAlgorithmForLegacyVersions signatureAlgorithm

	// AlwaysSignAsLegacyVersion, if true, causes all TLS versions to sign as if
	// they were TLS 1.1 and earlier. This can be paired with
	// SendSignatureAlgorithm to send a given signature algorithm enum.
	AlwaysSignAsLegacyVersion bool

	// RejectUnsolicitedKeyUpdate, if true, causes all unsolicited
	// KeyUpdates from the peer to be rejected.
	RejectUnsolicitedKeyUpdate bool

	// OmitExtensions, if true, causes the extensions field in ClientHello
	// and ServerHello messages to be omitted.
	OmitExtensions bool

	// EmptyExtensions, if true, causes the extensions field in ClientHello
	// and ServerHello messages to be present, but empty.
	EmptyExtensions bool

	// ExpectOmitExtensions, if true, causes the client to reject
	// ServerHello messages that do not omit extensions.
	ExpectOmitExtensions bool

	// ExpectRecordSplitting, if true, causes application records to only be
	// accepted if they follow a 1/n-1 record split.
	ExpectRecordSplitting bool

	// PadClientHello, if non-zero, pads the ClientHello to a multiple of
	// that many bytes.
	PadClientHello int

	// SendTLS13DowngradeRandom, if true, causes the server to send the
	// TLS 1.3 anti-downgrade signal.
	SendTLS13DowngradeRandom bool

	// IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the
	// TLS 1.3 anti-downgrade signal.
	IgnoreTLS13DowngradeRandom bool

	// SendCompressedCoordinates, if true, causes ECDH key shares over NIST
	// curves to use compressed coordinates.
	SendCompressedCoordinates bool

	// SetX25519HighBit, if true, causes X25519 key shares to set their
	// high-order bit.
	SetX25519HighBit bool

	// LowOrderX25519Point, if true, causes X25519 key shares to be a low
	// order point.
	LowOrderX25519Point bool

	// MLKEMEncapKeyNotReduced, if true, causes the ML-KEM encapsulation key
	// to not be fully reduced.
	MLKEMEncapKeyNotReduced bool

	// DuplicateCompressedCertAlgs, if true, causes two, equal, certificate
	// compression algorithm IDs to be sent.
	DuplicateCompressedCertAlgs bool

	// ExpectedCompressedCert specifies the compression algorithm ID that must be
	// used on this connection, or zero if there are no special requirements.
	ExpectedCompressedCert uint16

	// ExpectUncompressedCert, if true, specifies that certificate compression
	// should not be used on this connection.
	ExpectUncompressedCert bool

	// SendCertCompressionAlgID, if not zero, sets the algorithm ID that will be
	// sent in the compressed certificate message.
	SendCertCompressionAlgID uint16

	// SendCertUncompressedLength, if not zero, sets the uncompressed length that
	// will be sent in the compressed certificate message.
	SendCertUncompressedLength uint32

	// SendClientHelloWithFixes, if not nil, sends the specified byte string
	// instead of the ClientHello. This string is incorporated into the
	// transcript as if it were the real ClientHello, but the handshake will
	// otherwise behave as if this was not sent in terms of what ciphers it
	// will accept, etc.
	//
	// The input is modified to match key share entries. DefaultCurves must
	// be configured to match. The random and session ID fields are
	// extracted from the ClientHello.
	SendClientHelloWithFixes []byte

	// SendJDK11DowngradeRandom, if true, causes the server to send the JDK
	// 11 downgrade signal.
	SendJDK11DowngradeRandom bool

	// ExpectJDK11DowngradeRandom is whether the client should expect the
	// server to send the JDK 11 downgrade signal.
	ExpectJDK11DowngradeRandom bool

	// FailIfHelloRetryRequested causes a handshake failure if a server requests a
	// hello retry.
	FailIfHelloRetryRequested bool

	// FailIfPostQuantumOffered will cause a server to reject a ClientHello if
	// post-quantum curves are supported.
	FailIfPostQuantumOffered bool

	// ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello
	// should have key shares for.
	ExpectedKeyShares []CurveID

	// CompatModeWithQUIC, if true, enables TLS 1.3 compatibility mode
	// when running over QUIC.
	CompatModeWithQUIC bool

	// DTLS13EchoSessionID, if true, has DTLS 1.3 servers echo the client's
	// session ID in the ServerHello.
	DTLS13EchoSessionID bool

	// DTLSUsePlaintextRecord header, if true, has DTLS 1.3 connections to use
	// the DTLS 1.2 record header once the handshake completes. The bug is not
	// activated during the handshake so that the handshake can complete first.
	DTLSUsePlaintextRecordHeader bool

	// DTLS13RecordHeaderSetCIDBit, if true, sets the Connection ID bit in
	// the DTLS 1.3 record header.
	DTLS13RecordHeaderSetCIDBit bool

	// EncryptSessionTicketKey, if non-nil, is the ticket key to use when
	// encrypting tickets.
	EncryptSessionTicketKey *[32]byte

	// OmitPublicName omits the server name extension from ClientHelloOuter.
	OmitPublicName bool

	// AllowEpochOverflow allows DTLS epoch numbers to wrap around.
	AllowEpochOverflow bool

	// SendPAKEInHelloRetryRequest causes the server to send a HelloRetryRequest
	// message containing a PAKE extension.
	SendPAKEInHelloRetryRequest bool

	// UnsolicitedPAKE, if non-zero, causes a ServerHello to contain a PAKE
	// response of the specified algorithm, even if the client didn't request it.
	UnsolicitedPAKE uint16

	// OfferExtraPAKEs, if not empty, is a list of additional PAKE algorithms to
	// offer as a client. They cannot be negotiated and should be used in tests
	// where the server is expected to ignore them.
	OfferExtraPAKEs []uint16

	// OfferExtraPAKEClientID and OfferExtraPAKEServerID are the PAKE client and
	// server IDs to send with OfferExtraPAKEs. These may be left unset if
	// configured with a real PAKE credential.
	OfferExtraPAKEClientID []byte
	OfferExtraPAKEServerID []byte

	// TruncatePAKEMessage, if true, causes PAKE messages to be truncated.
	TruncatePAKEMessage bool

	// CheckClientHello is called on the initial ClientHello received from the
	// peer, to implement extra checks.
	CheckClientHello func(*clientHelloMsg) error

	// SendTicketFlags contains a list of flags, represented by bit index, that
	// the server will send in TLS 1.3 NewSessionTicket.
	SendTicketFlags []uint

	// AlwaysSendTicketFlags causes the server to send the flags extension in
	// TLS 1.3 NewSessionTicket even if empty.
	AlwaysSendTicketFlags bool

	// TicketFlagPadding is the number of extra bytes of padding (giving a
	// non-minimal encoding) to include in the flags extension in TLS 1.3
	// NewSessionTicket.
	TicketFlagPadding int

	// ExpectResumptionAcrossNames, if not nil, causes the client to require all
	// NewSessionTicket messages to have or not have the resumption_across_names
	// flag set.
	ExpectResumptionAcrossNames *bool
}

type QUICUseCodepoint int

type RSABadValue int

type ServerECHConfig struct {
	ECHConfig *ECHConfig
	Key       []byte
}

type ServerSessionCache interface {
	// Get searches for a sessionState associated with the given session
	// ID. On return, ok is true if one was found.
	Get(sessionID string) (session *sessionState, ok bool)

	// Put adds the sessionState to the cache with the given session ID.
	Put(sessionID string, session *sessionState)
}

type ShimConfiguration struct {
	// DisabledTests maps from a glob-based pattern to a freeform string.
	// The glob pattern is used to exclude tests from being run and the
	// freeform string is unparsed but expected to explain why the test is
	// disabled.
	DisabledTests map[string]string

	// ErrorMap maps from expected error strings to the correct error
	// string for the shim in question. For example, it might map
	// “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
	// like “SSL_ERROR_NO_CYPHER_OVERLAP”.
	ErrorMap map[string][]string

	// HalfRTTTickets is the number of half-RTT tickets the client should
	// expect before half-RTT data when testing 0-RTT.
	HalfRTTTickets int

	// MaxACKBuffer is the maximum number of received records the shim is
	// expected to retain when ACKing.
	MaxACKBuffer int
}

type WriteFlightFunc = func(c *DTLSController, prev, received, next []DTLSMessage, records []DTLSRecordNumberInfo)

type X509ChainBuilder struct {
	// contains filtered or unexported fields
}

type X509Info struct {
	PrivateKey         crypto.Signer
	Name               pkix.Name
	DNSNames           []string
	IsCA               bool
	SubjectKeyID       []byte
	KeyUsage           x509.KeyUsage
	SignatureAlgorithm X509SignatureAlgorithm
	// EncodeSPKIAsRSAPSS, if true, causes the subjectPublicKeyInfo field to be
	// encoded as id-RSASSA-PSS with SHA-256 parameters, instead of
	// id-rsaEncryption. This is sufficient for our purposes because we do not
	// need real id-RSASSA-PSS support in the test runner. If we ever to, we
	// can replace this with a real PSSPrivateKey type.
	EncodeSPKIAsRSAPSS bool
}

type X509SignatureAlgorithm int