crypto/tls: expose extensions presented by client to GetCertificate

This enables JA3 and JA4 TLS fingerprinting to be implemented from the GetCertificate callback, similar to what BoringSSL provides with its SSL_CTX_set_dos_protection_cb hook. fixes #32936 Change-Id: Idb54ebcb43075582fcef0ac6438727f494543424 Reviewed-on: https://go-review.googlesource.com/c/go/+/471396 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2025-04-03 20:17:36 +03:00 · 2023-02-25 16:24:54 -08:00 · 2023-02-25 16:24:54 -08:00 · 0d9e15f699
commit 0d9e15f699
parent 681bfddd9d
5 changed files with 80 additions and 0 deletions
--- a/handshake_messages.go
+++ b/handshake_messages.go
@ -97,6 +97,8 @@ type clientHelloMsg struct {
 	pskBinders                       [][]byte
 	quicTransportParameters          []byte
 	encryptedClientHello             []byte
+	// extensions are only populated on the server-side of a handshake
+	extensions []uint16
 }

 func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
@ -467,6 +469,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 			return false
 		}
 		seenExts[extension] = true
+		m.extensions = append(m.extensions, extension)

 		switch extension {
 		case extensionServerName: