crypto/tls: add CFControl parameter to Config

Add CFControl parameter to Config. This value will be used to propagate
Cloudflare-internal logic from the TLS configuration to HTTP requests.

Author: cjpatton

src/crypto/tls/common.go

@@ -279,6 +279,13 @@ type ConnectionState struct {
 	// RFC 7627, and https://mitls.org/pages/attacks/3SHAKE#channelbindings.
 	TLSUnique []byte
 
+	// CFControl is used to pass additional TLS configuration information to
+	// HTTP requests.
+	//
+	// NOTE: This feature is used to implement Cloudflare-internal features.
+	// This feature is unstable and applications MUST NOT depend on it.
+	CFControl interface{}
+
 	// ekm is a closure exposed via ExportKeyingMaterial.
 	ekm func(label string, context []byte, length int) ([]byte, error)
 }
@@ -739,6 +746,13 @@ type Config struct {
 	// used for debugging.
 	KeyLogWriter io.Writer
 
+	// CFControl is used to pass additional TLS configuration information to
+	// HTTP requests via ConnectionState.
+	//
+	// NOTE: This feature is used to implement Cloudflare-internal features.
+	// This feature is unstable and applications MUST NOT depend on it.
+	CFControl interface{}
+
 	// mutex protects sessionTicketKeys and autoSessionTicketKeys.
 	mutex sync.RWMutex
 	// sessionTicketKeys contains zero or more ticket keys. If set, it means
@@ -829,6 +843,7 @@ func (c *Config) Clone() *Config {
 		DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
 		Renegotiation:               c.Renegotiation,
 		KeyLogWriter:                c.KeyLogWriter,
+		CFControl:                   c.CFControl,
 		sessionTicketKeys:           c.sessionTicketKeys,
 		autoSessionTicketKeys:       c.autoSessionTicketKeys,
 	}

src/crypto/tls/conn.go

@@ -1527,6 +1527,7 @@ func (c *Conn) connectionStateLocked() ConnectionState {
 	state.VerifiedChains = c.verifiedChains
 	state.SignedCertificateTimestamps = c.scts
 	state.OCSPResponse = c.ocspResponse
+	state.CFControl = c.config.CFControl
 	if !c.didResume && c.vers != VersionTLS13 {
 		if c.clientFinishedIsFirst {
 			state.TLSUnique = c.clientFinished[:]

src/crypto/tls/tls_cf_test.go

@@ -0,0 +1,19 @@
+package tls
+
+import (
+	"testing"
+)
+
+type testCFControl struct {
+	flags uint64
+}
+
+// Check that CFControl is correctly propagated from Config to ConnectionState.
+func TestPropagateCFControl(t *testing.T) {
+	want := uint64(23)
+	s := Server(nil, &Config{CFControl: &testCFControl{want}})
+	got := s.ConnectionState().CFControl.(*testCFControl).flags
+	if got != want {
+		t.Errorf("failed to propagate CFControl: got %v; want %v", got, want)
+	}
+}

src/crypto/tls/tls_test.go

@@ -829,6 +829,8 @@ func TestCloneNonFuncFields(t *testing.T) {
 			f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
 		case "mutex", "autoSessionTicketKeys", "sessionTicketKeys":
 			continue // these are unexported fields that are handled separately
+		case "CFControl":
+			f.Set(reflect.ValueOf(&testCFControl{23}))
 		default:
 			t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
 		}