2009-11-03 02:25:20 +00:00
|
|
|
// Copyright 2009 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package tls
|
|
|
|
|
|
|
|
import (
|
2014-01-22 23:24:03 +00:00
|
|
|
"container/list"
|
2011-12-19 15:39:30 +00:00
|
|
|
"crypto"
|
2010-04-05 22:38:02 +01:00
|
|
|
"crypto/rand"
|
2011-03-10 15:22:53 +00:00
|
|
|
"crypto/x509"
|
2014-02-12 16:20:01 +00:00
|
|
|
"fmt"
|
2009-12-15 23:33:31 +00:00
|
|
|
"io"
|
2013-07-17 17:33:16 +01:00
|
|
|
"math/big"
|
2011-10-08 15:06:53 +01:00
|
|
|
"strings"
|
2010-08-05 21:14:41 +01:00
|
|
|
"sync"
|
2010-04-05 22:38:02 +01:00
|
|
|
"time"
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
const (
|
|
|
|
VersionSSL30 = 0x0300
|
|
|
|
VersionTLS10 = 0x0301
|
|
|
|
VersionTLS11 = 0x0302
|
2013-07-03 00:58:56 +01:00
|
|
|
VersionTLS12 = 0x0303
|
2013-06-05 01:02:22 +01:00
|
|
|
)
|
|
|
|
|
2009-11-03 02:25:20 +00:00
|
|
|
const (
|
2010-04-27 06:19:04 +01:00
|
|
|
maxPlaintext = 16384 // maximum plaintext payload length
|
|
|
|
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
|
|
|
|
recordHeaderLen = 5 // record header length
|
|
|
|
maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
|
2009-11-03 02:25:20 +00:00
|
|
|
|
2014-12-18 19:31:14 +00:00
|
|
|
minVersion = VersionTLS10
|
2013-07-03 00:58:56 +01:00
|
|
|
maxVersion = VersionTLS12
|
2010-04-27 06:19:04 +01:00
|
|
|
)
|
2009-11-03 02:25:20 +00:00
|
|
|
|
|
|
|
// TLS record types.
|
|
|
|
type recordType uint8
|
|
|
|
|
|
|
|
const (
|
2009-12-15 23:33:31 +00:00
|
|
|
recordTypeChangeCipherSpec recordType = 20
|
|
|
|
recordTypeAlert recordType = 21
|
|
|
|
recordTypeHandshake recordType = 22
|
|
|
|
recordTypeApplicationData recordType = 23
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS handshake message types.
|
|
|
|
const (
|
2010-08-16 16:22:22 +01:00
|
|
|
typeClientHello uint8 = 1
|
|
|
|
typeServerHello uint8 = 2
|
2012-09-24 21:52:43 +01:00
|
|
|
typeNewSessionTicket uint8 = 4
|
2010-08-16 16:22:22 +01:00
|
|
|
typeCertificate uint8 = 11
|
2010-12-16 22:10:50 +00:00
|
|
|
typeServerKeyExchange uint8 = 12
|
2010-08-16 16:22:22 +01:00
|
|
|
typeCertificateRequest uint8 = 13
|
|
|
|
typeServerHelloDone uint8 = 14
|
|
|
|
typeCertificateVerify uint8 = 15
|
|
|
|
typeClientKeyExchange uint8 = 16
|
|
|
|
typeFinished uint8 = 20
|
|
|
|
typeCertificateStatus uint8 = 22
|
|
|
|
typeNextProtocol uint8 = 67 // Not IANA assigned
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS compression types.
|
2010-07-14 15:40:15 +01:00
|
|
|
const (
|
2009-12-15 23:33:31 +00:00
|
|
|
compressionNone uint8 = 0
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
2009-12-23 19:13:09 +00:00
|
|
|
// TLS extension numbers
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionServerName uint16 = 0
|
|
|
|
extensionStatusRequest uint16 = 5
|
|
|
|
extensionSupportedCurves uint16 = 10
|
|
|
|
extensionSupportedPoints uint16 = 11
|
|
|
|
extensionSignatureAlgorithms uint16 = 13
|
2014-08-05 19:36:20 +01:00
|
|
|
extensionALPN uint16 = 16
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionSessionTicket uint16 = 35
|
|
|
|
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
|
2014-01-09 18:38:11 +00:00
|
|
|
extensionRenegotiationInfo uint16 = 0xff01
|
|
|
|
)
|
|
|
|
|
|
|
|
// TLS signaling cipher suite values
|
|
|
|
const (
|
|
|
|
scsvRenegotiation uint16 = 0x00ff
|
2010-12-16 22:10:50 +00:00
|
|
|
)
|
|
|
|
|
2014-02-24 22:57:51 +00:00
|
|
|
// CurveID is the type of a TLS identifier for an elliptic curve. See
|
2010-12-16 22:10:50 +00:00
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
|
2014-02-24 22:57:51 +00:00
|
|
|
type CurveID uint16
|
|
|
|
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2014-02-24 22:57:51 +00:00
|
|
|
CurveP256 CurveID = 23
|
|
|
|
CurveP384 CurveID = 24
|
|
|
|
CurveP521 CurveID = 25
|
2010-12-16 22:10:50 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS Elliptic Curve Point Formats
|
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2010-12-16 22:10:50 +00:00
|
|
|
pointFormatUncompressed uint8 = 0
|
2010-07-14 15:40:15 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS CertificateStatusType (RFC 3546)
|
|
|
|
const (
|
|
|
|
statusTypeOCSP uint8 = 1
|
2009-12-23 19:13:09 +00:00
|
|
|
)
|
|
|
|
|
2010-08-16 16:22:22 +01:00
|
|
|
// Certificate types (for certificateRequestMsg)
|
|
|
|
const (
|
|
|
|
certTypeRSASign = 1 // A certificate containing an RSA key
|
|
|
|
certTypeDSSSign = 2 // A certificate containing a DSA key
|
|
|
|
certTypeRSAFixedDH = 3 // A certificate containing a static DH key
|
2011-05-18 18:14:56 +01:00
|
|
|
certTypeDSSFixedDH = 4 // A certificate containing a static DH key
|
2013-07-17 17:33:16 +01:00
|
|
|
|
|
|
|
// See RFC4492 sections 3 and 5.5.
|
|
|
|
certTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
|
|
|
|
certTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
|
|
|
|
certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
|
|
|
|
|
2010-08-16 16:22:22 +01:00
|
|
|
// Rest of these are reserved by the TLS spec
|
|
|
|
)
|
|
|
|
|
2013-07-03 00:58:56 +01:00
|
|
|
// Hash functions for TLS 1.2 (See RFC 5246, section A.4.1)
|
|
|
|
const (
|
|
|
|
hashSHA1 uint8 = 2
|
|
|
|
hashSHA256 uint8 = 4
|
2015-03-06 13:08:55 +00:00
|
|
|
hashSHA384 uint8 = 5
|
2013-07-03 00:58:56 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)
|
|
|
|
const (
|
|
|
|
signatureRSA uint8 = 1
|
|
|
|
signatureECDSA uint8 = 3
|
|
|
|
)
|
|
|
|
|
|
|
|
// signatureAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See
|
|
|
|
// RFC 5246, section A.4.1.
|
|
|
|
type signatureAndHash struct {
|
|
|
|
hash, signature uint8
|
|
|
|
}
|
|
|
|
|
2013-10-21 21:35:09 +01:00
|
|
|
// supportedSKXSignatureAlgorithms contains the signature and hash algorithms
|
|
|
|
// that the code advertises as supported in a TLS 1.2 ClientHello.
|
|
|
|
var supportedSKXSignatureAlgorithms = []signatureAndHash{
|
|
|
|
{hashSHA256, signatureRSA},
|
|
|
|
{hashSHA256, signatureECDSA},
|
|
|
|
{hashSHA1, signatureRSA},
|
|
|
|
{hashSHA1, signatureECDSA},
|
|
|
|
}
|
|
|
|
|
|
|
|
// supportedClientCertSignatureAlgorithms contains the signature and hash
|
|
|
|
// algorithms that the code advertises as supported in a TLS 1.2
|
2013-07-03 00:58:56 +01:00
|
|
|
// CertificateRequest.
|
2013-10-21 21:35:09 +01:00
|
|
|
var supportedClientCertSignatureAlgorithms = []signatureAndHash{
|
2013-07-03 00:58:56 +01:00
|
|
|
{hashSHA256, signatureRSA},
|
2013-07-17 17:33:16 +01:00
|
|
|
{hashSHA256, signatureECDSA},
|
2013-07-03 00:58:56 +01:00
|
|
|
}
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// ConnectionState records basic TLS details about the connection.
|
2009-11-03 02:25:20 +00:00
|
|
|
type ConnectionState struct {
|
2014-02-24 23:01:28 +00:00
|
|
|
Version uint16 // TLS version used by the connection (e.g. VersionTLS12)
|
2013-10-03 02:40:01 +01:00
|
|
|
HandshakeComplete bool // TLS handshake is complete
|
|
|
|
DidResume bool // connection resumes a previous TLS connection
|
|
|
|
CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
|
|
|
|
NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos)
|
|
|
|
NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server
|
|
|
|
ServerName string // server name requested by client, if any (server side only)
|
|
|
|
PeerCertificates []*x509.Certificate // certificate chain presented by remote peer
|
|
|
|
VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates
|
2014-08-12 00:40:42 +01:00
|
|
|
|
|
|
|
// TLSUnique contains the "tls-unique" channel binding value (see RFC
|
|
|
|
// 5929, section 3). For resumed sessions this value will be nil
|
|
|
|
// because resumption does not include enough context (see
|
|
|
|
// https://secure-resumption.com/#channelbindings). This will change in
|
|
|
|
// future versions of Go once the TLS master-secret fix has been
|
|
|
|
// standardized and implemented.
|
|
|
|
TLSUnique []byte
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2012-01-05 17:05:38 +00:00
|
|
|
// ClientAuthType declares the policy the server will follow for
|
|
|
|
// TLS Client Authentication.
|
|
|
|
type ClientAuthType int
|
|
|
|
|
|
|
|
const (
|
|
|
|
NoClientCert ClientAuthType = iota
|
|
|
|
RequestClientCert
|
|
|
|
RequireAnyClientCert
|
|
|
|
VerifyClientCertIfGiven
|
|
|
|
RequireAndVerifyClientCert
|
|
|
|
)
|
|
|
|
|
2014-01-22 23:24:03 +00:00
|
|
|
// ClientSessionState contains the state needed by clients to resume TLS
|
|
|
|
// sessions.
|
|
|
|
type ClientSessionState struct {
|
|
|
|
sessionTicket []uint8 // Encrypted ticket used for session resumption with server
|
|
|
|
vers uint16 // SSL/TLS version negotiated for the session
|
|
|
|
cipherSuite uint16 // Ciphersuite negotiated for the session
|
|
|
|
masterSecret []byte // MasterSecret generated by client on a full handshake
|
|
|
|
serverCertificates []*x509.Certificate // Certificate chain presented by the server
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClientSessionCache is a cache of ClientSessionState objects that can be used
|
|
|
|
// by a client to resume a TLS session with a given server. ClientSessionCache
|
|
|
|
// implementations should expect to be called concurrently from different
|
|
|
|
// goroutines.
|
|
|
|
type ClientSessionCache interface {
|
|
|
|
// Get searches for a ClientSessionState associated with the given key.
|
|
|
|
// On return, ok is true if one was found.
|
|
|
|
Get(sessionKey string) (session *ClientSessionState, ok bool)
|
|
|
|
|
|
|
|
// Put adds the ClientSessionState to the cache with the given key.
|
|
|
|
Put(sessionKey string, cs *ClientSessionState)
|
|
|
|
}
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// ClientHelloInfo contains information from a ClientHello message in order to
|
|
|
|
// guide certificate selection in the GetCertificate callback.
|
|
|
|
type ClientHelloInfo struct {
|
|
|
|
// CipherSuites lists the CipherSuites supported by the client (e.g.
|
|
|
|
// TLS_RSA_WITH_RC4_128_SHA).
|
|
|
|
CipherSuites []uint16
|
|
|
|
|
|
|
|
// ServerName indicates the name of the server requested by the client
|
|
|
|
// in order to support virtual hosting. ServerName is only set if the
|
|
|
|
// client is using SNI (see
|
|
|
|
// http://tools.ietf.org/html/rfc4366#section-3.1).
|
|
|
|
ServerName string
|
|
|
|
|
|
|
|
// SupportedCurves lists the elliptic curves supported by the client.
|
|
|
|
// SupportedCurves is set only if the Supported Elliptic Curves
|
|
|
|
// Extension is being used (see
|
|
|
|
// http://tools.ietf.org/html/rfc4492#section-5.1.1).
|
|
|
|
SupportedCurves []CurveID
|
|
|
|
|
|
|
|
// SupportedPoints lists the point formats supported by the client.
|
|
|
|
// SupportedPoints is set only if the Supported Point Formats Extension
|
|
|
|
// is being used (see
|
|
|
|
// http://tools.ietf.org/html/rfc4492#section-5.1.2).
|
|
|
|
SupportedPoints []uint8
|
|
|
|
}
|
|
|
|
|
2014-03-20 15:32:06 +00:00
|
|
|
// A Config structure is used to configure a TLS client or server.
|
|
|
|
// After one has been passed to a TLS function it must not be
|
|
|
|
// modified. A Config may be reused; the tls package will also not
|
|
|
|
// modify it.
|
2009-11-03 02:25:20 +00:00
|
|
|
type Config struct {
|
|
|
|
// Rand provides the source of entropy for nonces and RSA blinding.
|
2010-12-07 21:15:15 +00:00
|
|
|
// If Rand is nil, TLS uses the cryptographic random reader in package
|
|
|
|
// crypto/rand.
|
2014-03-20 15:32:06 +00:00
|
|
|
// The Reader must be safe for use by multiple goroutines.
|
2009-12-15 23:33:31 +00:00
|
|
|
Rand io.Reader
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2009-11-03 02:25:20 +00:00
|
|
|
// Time returns the current time as the number of seconds since the epoch.
|
2012-01-05 17:05:38 +00:00
|
|
|
// If Time is nil, TLS uses time.Now.
|
2011-11-30 17:01:46 +00:00
|
|
|
Time func() time.Time
|
2010-12-07 21:15:15 +00:00
|
|
|
|
|
|
|
// Certificates contains one or more certificate chains
|
|
|
|
// to present to the other side of the connection.
|
|
|
|
// Server configurations must include at least one certificate.
|
2009-12-15 23:33:31 +00:00
|
|
|
Certificates []Certificate
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2011-10-08 15:06:53 +01:00
|
|
|
// NameToCertificate maps from a certificate name to an element of
|
|
|
|
// Certificates. Note that a certificate name can be of the form
|
|
|
|
// '*.example.com' and so doesn't have to be a domain name as such.
|
|
|
|
// See Config.BuildNameToCertificate
|
|
|
|
// The nil value causes the first element of Certificates to be used
|
|
|
|
// for all connections.
|
|
|
|
NameToCertificate map[string]*Certificate
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// GetCertificate returns a Certificate based on the given
|
|
|
|
// ClientHelloInfo. If GetCertificate is nil or returns nil, then the
|
|
|
|
// certificate is retrieved from NameToCertificate. If
|
|
|
|
// NameToCertificate is nil, the first element of Certificates will be
|
|
|
|
// used.
|
|
|
|
GetCertificate func(clientHello *ClientHelloInfo) (*Certificate, error)
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// RootCAs defines the set of root certificate authorities
|
|
|
|
// that clients use when verifying server certificates.
|
|
|
|
// If RootCAs is nil, TLS uses the host's root CA set.
|
2011-04-19 14:57:58 +01:00
|
|
|
RootCAs *x509.CertPool
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2009-12-23 19:13:09 +00:00
|
|
|
// NextProtos is a list of supported, application level protocols.
|
|
|
|
NextProtos []string
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2014-02-19 16:17:09 +00:00
|
|
|
// ServerName is used to verify the hostname on the returned
|
|
|
|
// certificates unless InsecureSkipVerify is given. It is also included
|
|
|
|
// in the client's handshake to support virtual hosting.
|
2010-07-21 16:36:01 +01:00
|
|
|
ServerName string
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2012-01-05 17:05:38 +00:00
|
|
|
// ClientAuth determines the server's policy for
|
|
|
|
// TLS Client Authentication. The default is NoClientCert.
|
|
|
|
ClientAuth ClientAuthType
|
|
|
|
|
|
|
|
// ClientCAs defines the set of root certificate authorities
|
|
|
|
// that servers use if required to verify a client certificate
|
|
|
|
// by the policy in ClientAuth.
|
|
|
|
ClientCAs *x509.CertPool
|
2010-12-15 16:49:55 +00:00
|
|
|
|
2011-10-13 18:59:13 +01:00
|
|
|
// InsecureSkipVerify controls whether a client verifies the
|
|
|
|
// server's certificate chain and host name.
|
|
|
|
// If InsecureSkipVerify is true, TLS accepts any certificate
|
|
|
|
// presented by the server and any host name in that certificate.
|
|
|
|
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
|
|
|
// This should be used only for testing.
|
|
|
|
InsecureSkipVerify bool
|
|
|
|
|
2010-12-15 16:49:55 +00:00
|
|
|
// CipherSuites is a list of supported cipher suites. If CipherSuites
|
|
|
|
// is nil, TLS uses a list of suites supported by the implementation.
|
|
|
|
CipherSuites []uint16
|
2012-09-24 21:52:43 +01:00
|
|
|
|
2013-01-22 15:10:38 +00:00
|
|
|
// PreferServerCipherSuites controls whether the server selects the
|
|
|
|
// client's most preferred ciphersuite, or the server's most preferred
|
|
|
|
// ciphersuite. If true then the server's preference, as expressed in
|
|
|
|
// the order of elements in CipherSuites, is used.
|
|
|
|
PreferServerCipherSuites bool
|
|
|
|
|
2012-09-24 21:52:43 +01:00
|
|
|
// SessionTicketsDisabled may be set to true to disable session ticket
|
|
|
|
// (resumption) support.
|
|
|
|
SessionTicketsDisabled bool
|
|
|
|
|
|
|
|
// SessionTicketKey is used by TLS servers to provide session
|
|
|
|
// resumption. See RFC 5077. If zero, it will be filled with
|
|
|
|
// random data before the first server handshake.
|
|
|
|
//
|
|
|
|
// If multiple servers are terminating connections for the same host
|
|
|
|
// they should all have the same SessionTicketKey. If the
|
|
|
|
// SessionTicketKey leaks, previously recorded and future TLS
|
|
|
|
// connections using that key are compromised.
|
|
|
|
SessionTicketKey [32]byte
|
|
|
|
|
2014-01-22 23:24:03 +00:00
|
|
|
// SessionCache is a cache of ClientSessionState entries for TLS session
|
|
|
|
// resumption.
|
|
|
|
ClientSessionCache ClientSessionCache
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
// MinVersion contains the minimum SSL/TLS version that is acceptable.
|
2015-02-22 01:14:36 +00:00
|
|
|
// If zero, then TLS 1.0 is taken as the minimum.
|
2013-06-05 01:02:22 +01:00
|
|
|
MinVersion uint16
|
|
|
|
|
|
|
|
// MaxVersion contains the maximum SSL/TLS version that is acceptable.
|
|
|
|
// If zero, then the maximum version supported by this package is used,
|
2013-09-23 21:05:23 +01:00
|
|
|
// which is currently TLS 1.2.
|
2013-06-05 01:02:22 +01:00
|
|
|
MaxVersion uint16
|
|
|
|
|
2014-02-24 22:57:51 +00:00
|
|
|
// CurvePreferences contains the elliptic curves that will be used in
|
|
|
|
// an ECDHE handshake, in preference order. If empty, the default will
|
|
|
|
// be used.
|
|
|
|
CurvePreferences []CurveID
|
|
|
|
|
2013-03-21 03:53:38 +00:00
|
|
|
serverInitOnce sync.Once // guards calling (*Config).serverInit
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) serverInit() {
|
|
|
|
if c.SessionTicketsDisabled {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the key has already been set then we have nothing to do.
|
|
|
|
for _, b := range c.SessionTicketKey {
|
|
|
|
if b != 0 {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
|
|
|
|
c.SessionTicketsDisabled = true
|
|
|
|
}
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
func (c *Config) rand() io.Reader {
|
|
|
|
r := c.Rand
|
|
|
|
if r == nil {
|
|
|
|
return rand.Reader
|
|
|
|
}
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
2011-11-30 17:01:46 +00:00
|
|
|
func (c *Config) time() time.Time {
|
2010-12-07 21:15:15 +00:00
|
|
|
t := c.Time
|
|
|
|
if t == nil {
|
2011-11-30 17:01:46 +00:00
|
|
|
t = time.Now
|
2010-12-07 21:15:15 +00:00
|
|
|
}
|
|
|
|
return t()
|
|
|
|
}
|
|
|
|
|
2010-12-15 16:49:55 +00:00
|
|
|
func (c *Config) cipherSuites() []uint16 {
|
|
|
|
s := c.CipherSuites
|
2010-12-15 18:58:57 +00:00
|
|
|
if s == nil {
|
2010-12-15 16:49:55 +00:00
|
|
|
s = defaultCipherSuites()
|
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
func (c *Config) minVersion() uint16 {
|
|
|
|
if c == nil || c.MinVersion == 0 {
|
|
|
|
return minVersion
|
|
|
|
}
|
|
|
|
return c.MinVersion
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) maxVersion() uint16 {
|
|
|
|
if c == nil || c.MaxVersion == 0 {
|
|
|
|
return maxVersion
|
|
|
|
}
|
|
|
|
return c.MaxVersion
|
|
|
|
}
|
|
|
|
|
2014-02-24 22:57:51 +00:00
|
|
|
var defaultCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}
|
|
|
|
|
|
|
|
func (c *Config) curvePreferences() []CurveID {
|
|
|
|
if c == nil || len(c.CurvePreferences) == 0 {
|
|
|
|
return defaultCurvePreferences
|
|
|
|
}
|
|
|
|
return c.CurvePreferences
|
|
|
|
}
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
// mutualVersion returns the protocol version to use given the advertised
|
|
|
|
// version of the peer.
|
|
|
|
func (c *Config) mutualVersion(vers uint16) (uint16, bool) {
|
|
|
|
minVersion := c.minVersion()
|
|
|
|
maxVersion := c.maxVersion()
|
|
|
|
|
|
|
|
if vers < minVersion {
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
if vers > maxVersion {
|
|
|
|
vers = maxVersion
|
|
|
|
}
|
|
|
|
return vers, true
|
|
|
|
}
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// getCertificate returns the best certificate for the given ClientHelloInfo,
|
|
|
|
// defaulting to the first element of c.Certificates.
|
|
|
|
func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) {
|
|
|
|
if c.GetCertificate != nil {
|
|
|
|
cert, err := c.GetCertificate(clientHello)
|
|
|
|
if cert != nil || err != nil {
|
|
|
|
return cert, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-10-08 15:06:53 +01:00
|
|
|
if len(c.Certificates) == 1 || c.NameToCertificate == nil {
|
|
|
|
// There's only one choice, so no point doing any work.
|
2014-08-06 19:22:00 +01:00
|
|
|
return &c.Certificates[0], nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
name := strings.ToLower(clientHello.ServerName)
|
2011-10-08 15:06:53 +01:00
|
|
|
for len(name) > 0 && name[len(name)-1] == '.' {
|
|
|
|
name = name[:len(name)-1]
|
|
|
|
}
|
|
|
|
|
|
|
|
if cert, ok := c.NameToCertificate[name]; ok {
|
2014-08-06 19:22:00 +01:00
|
|
|
return cert, nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// try replacing labels in the name with wildcards until we get a
|
|
|
|
// match.
|
|
|
|
labels := strings.Split(name, ".")
|
|
|
|
for i := range labels {
|
|
|
|
labels[i] = "*"
|
|
|
|
candidate := strings.Join(labels, ".")
|
|
|
|
if cert, ok := c.NameToCertificate[candidate]; ok {
|
2014-08-06 19:22:00 +01:00
|
|
|
return cert, nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// If nothing matches, return the first certificate.
|
2014-08-06 19:22:00 +01:00
|
|
|
return &c.Certificates[0], nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
|
|
|
|
// from the CommonName and SubjectAlternateName fields of each of the leaf
|
|
|
|
// certificates.
|
|
|
|
func (c *Config) BuildNameToCertificate() {
|
|
|
|
c.NameToCertificate = make(map[string]*Certificate)
|
|
|
|
for i := range c.Certificates {
|
|
|
|
cert := &c.Certificates[i]
|
|
|
|
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if len(x509Cert.Subject.CommonName) > 0 {
|
|
|
|
c.NameToCertificate[x509Cert.Subject.CommonName] = cert
|
|
|
|
}
|
|
|
|
for _, san := range x509Cert.DNSNames {
|
|
|
|
c.NameToCertificate[san] = cert
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// A Certificate is a chain of one or more certificates, leaf first.
|
2009-11-03 02:25:20 +00:00
|
|
|
type Certificate struct {
|
2009-12-15 23:33:31 +00:00
|
|
|
Certificate [][]byte
|
2014-08-29 20:36:30 +01:00
|
|
|
// PrivateKey contains the private key corresponding to the public key
|
2015-03-19 11:01:57 +00:00
|
|
|
// in Leaf. For a server, this must implement either crypto.Decrypter
|
|
|
|
// (implemented by RSA private keys) or crypto.Signer (which includes
|
|
|
|
// RSA and ECDSA private keys). For a client doing client authentication,
|
|
|
|
// this can be any type that implements crypto.Signer.
|
2014-08-29 20:36:30 +01:00
|
|
|
PrivateKey crypto.PrivateKey
|
2011-04-14 19:47:28 +01:00
|
|
|
// OCSPStaple contains an optional OCSP response which will be served
|
|
|
|
// to clients that request it.
|
|
|
|
OCSPStaple []byte
|
2012-01-05 17:05:38 +00:00
|
|
|
// Leaf is the parsed form of the leaf certificate, which may be
|
|
|
|
// initialized using x509.ParseCertificate to reduce per-handshake
|
|
|
|
// processing for TLS clients doing client authentication. If nil, the
|
|
|
|
// leaf certificate will be parsed as needed.
|
|
|
|
Leaf *x509.Certificate
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// A TLS record.
|
|
|
|
type record struct {
|
2009-12-15 23:33:31 +00:00
|
|
|
contentType recordType
|
|
|
|
major, minor uint8
|
|
|
|
payload []byte
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type handshakeMessage interface {
|
2009-12-15 23:33:31 +00:00
|
|
|
marshal() []byte
|
2010-04-27 06:19:04 +01:00
|
|
|
unmarshal([]byte) bool
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2014-01-22 23:24:03 +00:00
|
|
|
// lruSessionCache is a ClientSessionCache implementation that uses an LRU
|
|
|
|
// caching strategy.
|
|
|
|
type lruSessionCache struct {
|
|
|
|
sync.Mutex
|
|
|
|
|
|
|
|
m map[string]*list.Element
|
|
|
|
q *list.List
|
|
|
|
capacity int
|
|
|
|
}
|
|
|
|
|
|
|
|
type lruSessionCacheEntry struct {
|
|
|
|
sessionKey string
|
|
|
|
state *ClientSessionState
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLRUClientSessionCache returns a ClientSessionCache with the given
|
|
|
|
// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
|
|
|
|
// is used instead.
|
|
|
|
func NewLRUClientSessionCache(capacity int) ClientSessionCache {
|
|
|
|
const defaultSessionCacheCapacity = 64
|
|
|
|
|
|
|
|
if capacity < 1 {
|
|
|
|
capacity = defaultSessionCacheCapacity
|
|
|
|
}
|
|
|
|
return &lruSessionCache{
|
|
|
|
m: make(map[string]*list.Element),
|
|
|
|
q: list.New(),
|
|
|
|
capacity: capacity,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put adds the provided (sessionKey, cs) pair to the cache.
|
|
|
|
func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) {
|
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if c.q.Len() < c.capacity {
|
|
|
|
entry := &lruSessionCacheEntry{sessionKey, cs}
|
|
|
|
c.m[sessionKey] = c.q.PushFront(entry)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
elem := c.q.Back()
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
delete(c.m, entry.sessionKey)
|
|
|
|
entry.sessionKey = sessionKey
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
c.m[sessionKey] = elem
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get returns the ClientSessionState value associated with a given key. It
|
|
|
|
// returns (nil, false) if no value is found.
|
|
|
|
func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
|
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return elem.Value.(*lruSessionCacheEntry).state, true
|
|
|
|
}
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
2013-07-17 17:33:16 +01:00
|
|
|
// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
|
|
|
|
type dsaSignature struct {
|
|
|
|
R, S *big.Int
|
|
|
|
}
|
|
|
|
|
|
|
|
type ecdsaSignature dsaSignature
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
var emptyConfig Config
|
2010-08-05 21:14:41 +01:00
|
|
|
|
2010-04-05 22:38:02 +01:00
|
|
|
func defaultConfig() *Config {
|
2010-12-07 21:15:15 +00:00
|
|
|
return &emptyConfig
|
2010-04-05 22:38:02 +01:00
|
|
|
}
|
|
|
|
|
2012-03-07 18:12:35 +00:00
|
|
|
var (
|
|
|
|
once sync.Once
|
|
|
|
varDefaultCipherSuites []uint16
|
|
|
|
)
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2010-12-15 16:49:55 +00:00
|
|
|
func defaultCipherSuites() []uint16 {
|
2012-03-07 18:12:35 +00:00
|
|
|
once.Do(initDefaultCipherSuites)
|
2010-12-15 16:49:55 +00:00
|
|
|
return varDefaultCipherSuites
|
|
|
|
}
|
|
|
|
|
|
|
|
func initDefaultCipherSuites() {
|
2015-03-17 00:13:10 +00:00
|
|
|
varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))
|
|
|
|
for _, suite := range cipherSuites {
|
|
|
|
if suite.flags&suiteDefaultOff != 0 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
|
2010-12-15 16:49:55 +00:00
|
|
|
}
|
|
|
|
}
|
2014-02-12 16:20:01 +00:00
|
|
|
|
|
|
|
func unexpectedMessageError(wanted, got interface{}) error {
|
|
|
|
return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
|
|
|
|
}
|