Alternative TLS implementation in Go
07b6287f24
This change adds Config.Renegotiation which controls whether a TLS client will accept renegotiation requests from a server. This is used, for example, by some web servers that wish to “add” a client certificate to an HTTPS connection. This is disabled by default because it significantly complicates the state machine. Originally, handshakeMutex was taken before locking either Conn.in or Conn.out. However, if renegotiation is permitted then a handshake may be triggered during a Read() call. If Conn.in were unlocked before taking handshakeMutex then a concurrent Read() call could see an intermediate state and trigger an error. Thus handshakeMutex is now locked after Conn.in and the handshake functions assume that Conn.in is locked for the duration of the handshake. Additionally, handshakeMutex used to protect Conn.out also. With the possibility of renegotiation that's no longer viable and so writeRecordLocked has been split off. Fixes #5742. Change-Id: I935914db1f185d507ff39bba8274c148d756a1c8 Reviewed-on: https://go-review.googlesource.com/22475 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org> |
||
---|---|---|
testdata | ||
alert.go | ||
cipher_suites.go | ||
common.go | ||
conn_test.go | ||
conn.go | ||
example_test.go | ||
generate_cert.go | ||
handshake_client_test.go | ||
handshake_client.go | ||
handshake_messages_test.go | ||
handshake_messages.go | ||
handshake_server_test.go | ||
handshake_server.go | ||
handshake_test.go | ||
key_agreement.go | ||
prf_test.go | ||
prf.go | ||
ticket.go | ||
tls_test.go | ||
tls.go |