crypto/tls: add CloseWrite method to Conn

The CloseWrite method sends a close_notify alert record to the other
side of the connection. This record indicates that the sender has
finished sending on the connection. Unlike the Close method, the sender
may still read from the connection until it recieves a close_notify
record (or the underlying connection is closed). This is analogous to a
TCP half-close.

Updates #8579

Change-Id: I9c6bc193efcb25cc187f7735ee07170afa7fdde3
Reviewed-on: https://go-review.googlesource.com/25159
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This commit is contained in:
Ben Burkert 2016-07-24 15:13:56 -07:00 committed by Brad Fitzpatrick
parent 98052045d9
commit 152328ca0e
2 changed files with 128 additions and 2 deletions

44
conn.go
View File

@ -64,6 +64,13 @@ type Conn struct {
// the first transmitted Finished message is the tls-unique // the first transmitted Finished message is the tls-unique
// channel-binding value. // channel-binding value.
clientFinishedIsFirst bool clientFinishedIsFirst bool
// closeNotifyErr is any error from sending the alertCloseNotify record.
closeNotifyErr error
// closeNotifySent is true if the Conn attempted to send an
// alertCloseNotify record.
closeNotifySent bool
// clientFinished and serverFinished contain the Finished message sent // clientFinished and serverFinished contain the Finished message sent
// by the client or server in the most recent handshake. This is // by the client or server in the most recent handshake. This is
// retained to support the renegotiation extension and tls-unique // retained to support the renegotiation extension and tls-unique
@ -992,7 +999,10 @@ func (c *Conn) readHandshake() (interface{}, error) {
return m, nil return m, nil
} }
var errClosed = errors.New("tls: use of closed connection") var (
errClosed = errors.New("tls: use of closed connection")
errShutdown = errors.New("tls: protocol is shutdown")
)
// Write writes data to the connection. // Write writes data to the connection.
func (c *Conn) Write(b []byte) (int, error) { func (c *Conn) Write(b []byte) (int, error) {
@ -1023,6 +1033,10 @@ func (c *Conn) Write(b []byte) (int, error) {
return 0, alertInternalError return 0, alertInternalError
} }
if c.closeNotifySent {
return 0, errShutdown
}
// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext // SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
// attack when using block mode ciphers due to predictable IVs. // attack when using block mode ciphers due to predictable IVs.
// This can be prevented by splitting each Application Data // This can be prevented by splitting each Application Data
@ -1186,7 +1200,7 @@ func (c *Conn) Close() error {
c.handshakeMutex.Lock() c.handshakeMutex.Lock()
defer c.handshakeMutex.Unlock() defer c.handshakeMutex.Unlock()
if c.handshakeComplete { if c.handshakeComplete {
alertErr = c.sendAlert(alertCloseNotify) alertErr = c.closeNotify()
} }
if err := c.conn.Close(); err != nil { if err := c.conn.Close(); err != nil {
@ -1195,6 +1209,32 @@ func (c *Conn) Close() error {
return alertErr return alertErr
} }
var errEarlyCloseWrite = errors.New("tls: CloseWrite called before handshake complete")
// CloseWrite shuts down the writing side of the connection. It should only be
// called once the handshake has completed and does not call CloseWrite on the
// underlying connection. Most callers should just use Close.
func (c *Conn) CloseWrite() error {
c.handshakeMutex.Lock()
defer c.handshakeMutex.Unlock()
if !c.handshakeComplete {
return errEarlyCloseWrite
}
return c.closeNotify()
}
func (c *Conn) closeNotify() error {
c.out.Lock()
defer c.out.Unlock()
if !c.closeNotifySent {
c.closeNotifyErr = c.sendAlertLocked(alertCloseNotify)
c.closeNotifySent = true
}
return c.closeNotifyErr
}
// Handshake runs the client or server handshake // Handshake runs the client or server handshake
// protocol if it has not yet been run. // protocol if it has not yet been run.
// Most uses of this package need not call Handshake // Most uses of this package need not call Handshake

View File

@ -11,6 +11,7 @@ import (
"fmt" "fmt"
"internal/testenv" "internal/testenv"
"io" "io"
"io/ioutil"
"math" "math"
"math/rand" "math/rand"
"net" "net"
@ -458,6 +459,91 @@ func TestConnCloseBreakingWrite(t *testing.T) {
} }
} }
func TestConnCloseWrite(t *testing.T) {
ln := newLocalListener(t)
defer ln.Close()
go func() {
sconn, err := ln.Accept()
if err != nil {
t.Fatal(err)
}
serverConfig := testConfig.Clone()
srv := Server(sconn, serverConfig)
if err := srv.Handshake(); err != nil {
t.Fatalf("handshake: %v", err)
}
defer srv.Close()
data, err := ioutil.ReadAll(srv)
if err != nil {
t.Fatal(err)
}
if len(data) > 0 {
t.Errorf("Read data = %q; want nothing", data)
}
if err = srv.CloseWrite(); err != nil {
t.Errorf("server CloseWrite: %v", err)
}
}()
clientConfig := testConfig.Clone()
conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
if err != nil {
t.Fatal(err)
}
if err = conn.Handshake(); err != nil {
t.Fatal(err)
}
defer conn.Close()
if err = conn.CloseWrite(); err != nil {
t.Errorf("client CloseWrite: %v", err)
}
if _, err := conn.Write([]byte{0}); err != errShutdown {
t.Errorf("CloseWrite error = %v; want errShutdown", err)
}
data, err := ioutil.ReadAll(conn)
if err != nil {
t.Fatal(err)
}
if len(data) > 0 {
t.Errorf("Read data = %q; want nothing", data)
}
// test CloseWrite called before handshake finished
ln2 := newLocalListener(t)
defer ln2.Close()
go func() {
sconn, err := ln2.Accept()
if err != nil {
t.Fatal(err)
}
serverConfig := testConfig.Clone()
srv := Server(sconn, serverConfig)
srv.Handshake()
srv.Close()
}()
netConn, err := net.Dial("tcp", ln2.Addr().String())
if err != nil {
t.Fatal(err)
}
conn = Client(netConn, clientConfig)
if err = conn.CloseWrite(); err != errEarlyCloseWrite {
t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err)
}
}
func TestClone(t *testing.T) { func TestClone(t *testing.T) {
var c1 Config var c1 Config
v := reflect.ValueOf(&c1).Elem() v := reflect.ValueOf(&c1).Elem()