7697013b51
Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
324 lines
8.4 KiB
Go
324 lines
8.4 KiB
Go
// Copyright 2009 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package tls
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"io"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
maxPlaintext = 16384 // maximum plaintext payload length
|
|
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
|
|
recordHeaderLen = 5 // record header length
|
|
maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
|
|
|
|
versionSSL30 = 0x0300
|
|
versionTLS10 = 0x0301
|
|
|
|
minVersion = versionSSL30
|
|
maxVersion = versionTLS10
|
|
)
|
|
|
|
// TLS record types.
|
|
type recordType uint8
|
|
|
|
const (
|
|
recordTypeChangeCipherSpec recordType = 20
|
|
recordTypeAlert recordType = 21
|
|
recordTypeHandshake recordType = 22
|
|
recordTypeApplicationData recordType = 23
|
|
)
|
|
|
|
// TLS handshake message types.
|
|
const (
|
|
typeClientHello uint8 = 1
|
|
typeServerHello uint8 = 2
|
|
typeCertificate uint8 = 11
|
|
typeServerKeyExchange uint8 = 12
|
|
typeCertificateRequest uint8 = 13
|
|
typeServerHelloDone uint8 = 14
|
|
typeCertificateVerify uint8 = 15
|
|
typeClientKeyExchange uint8 = 16
|
|
typeFinished uint8 = 20
|
|
typeCertificateStatus uint8 = 22
|
|
typeNextProtocol uint8 = 67 // Not IANA assigned
|
|
)
|
|
|
|
// TLS compression types.
|
|
const (
|
|
compressionNone uint8 = 0
|
|
)
|
|
|
|
// TLS extension numbers
|
|
var (
|
|
extensionServerName uint16 = 0
|
|
extensionStatusRequest uint16 = 5
|
|
extensionSupportedCurves uint16 = 10
|
|
extensionSupportedPoints uint16 = 11
|
|
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
|
|
)
|
|
|
|
// TLS Elliptic Curves
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
|
|
var (
|
|
curveP256 uint16 = 23
|
|
curveP384 uint16 = 24
|
|
curveP521 uint16 = 25
|
|
)
|
|
|
|
// TLS Elliptic Curve Point Formats
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
|
|
var (
|
|
pointFormatUncompressed uint8 = 0
|
|
)
|
|
|
|
// TLS CertificateStatusType (RFC 3546)
|
|
const (
|
|
statusTypeOCSP uint8 = 1
|
|
)
|
|
|
|
// Certificate types (for certificateRequestMsg)
|
|
const (
|
|
certTypeRSASign = 1 // A certificate containing an RSA key
|
|
certTypeDSSSign = 2 // A certificate containing a DSA key
|
|
certTypeRSAFixedDH = 3 // A certificate containing a static DH key
|
|
certTypeDSSFixedDH = 4 // A certificate containing a static DH key
|
|
// Rest of these are reserved by the TLS spec
|
|
)
|
|
|
|
// ConnectionState records basic TLS details about the connection.
|
|
type ConnectionState struct {
|
|
HandshakeComplete bool
|
|
CipherSuite uint16
|
|
NegotiatedProtocol string
|
|
NegotiatedProtocolIsMutual bool
|
|
|
|
// ServerName contains the server name indicated by the client, if any.
|
|
// (Only valid for server connections.)
|
|
ServerName string
|
|
|
|
// the certificate chain that was presented by the other side
|
|
PeerCertificates []*x509.Certificate
|
|
// the verified certificate chains built from PeerCertificates.
|
|
VerifiedChains [][]*x509.Certificate
|
|
}
|
|
|
|
// A Config structure is used to configure a TLS client or server. After one
|
|
// has been passed to a TLS function it must not be modified.
|
|
type Config struct {
|
|
// Rand provides the source of entropy for nonces and RSA blinding.
|
|
// If Rand is nil, TLS uses the cryptographic random reader in package
|
|
// crypto/rand.
|
|
Rand io.Reader
|
|
|
|
// Time returns the current time as the number of seconds since the epoch.
|
|
// If Time is nil, TLS uses the system time.Seconds.
|
|
Time func() int64
|
|
|
|
// Certificates contains one or more certificate chains
|
|
// to present to the other side of the connection.
|
|
// Server configurations must include at least one certificate.
|
|
Certificates []Certificate
|
|
|
|
// NameToCertificate maps from a certificate name to an element of
|
|
// Certificates. Note that a certificate name can be of the form
|
|
// '*.example.com' and so doesn't have to be a domain name as such.
|
|
// See Config.BuildNameToCertificate
|
|
// The nil value causes the first element of Certificates to be used
|
|
// for all connections.
|
|
NameToCertificate map[string]*Certificate
|
|
|
|
// RootCAs defines the set of root certificate authorities
|
|
// that clients use when verifying server certificates.
|
|
// If RootCAs is nil, TLS uses the host's root CA set.
|
|
RootCAs *x509.CertPool
|
|
|
|
// NextProtos is a list of supported, application level protocols.
|
|
NextProtos []string
|
|
|
|
// ServerName is included in the client's handshake to support virtual
|
|
// hosting.
|
|
ServerName string
|
|
|
|
// AuthenticateClient controls whether a server will request a certificate
|
|
// from the client. It does not require that the client send a
|
|
// certificate nor does it require that the certificate sent be
|
|
// anything more than self-signed.
|
|
AuthenticateClient bool
|
|
|
|
// InsecureSkipVerify controls whether a client verifies the
|
|
// server's certificate chain and host name.
|
|
// If InsecureSkipVerify is true, TLS accepts any certificate
|
|
// presented by the server and any host name in that certificate.
|
|
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
|
// This should be used only for testing.
|
|
InsecureSkipVerify bool
|
|
|
|
// CipherSuites is a list of supported cipher suites. If CipherSuites
|
|
// is nil, TLS uses a list of suites supported by the implementation.
|
|
CipherSuites []uint16
|
|
}
|
|
|
|
func (c *Config) rand() io.Reader {
|
|
r := c.Rand
|
|
if r == nil {
|
|
return rand.Reader
|
|
}
|
|
return r
|
|
}
|
|
|
|
func (c *Config) time() int64 {
|
|
t := c.Time
|
|
if t == nil {
|
|
t = time.Seconds
|
|
}
|
|
return t()
|
|
}
|
|
|
|
func (c *Config) rootCAs() *x509.CertPool {
|
|
s := c.RootCAs
|
|
if s == nil {
|
|
s = defaultRoots()
|
|
}
|
|
return s
|
|
}
|
|
|
|
func (c *Config) cipherSuites() []uint16 {
|
|
s := c.CipherSuites
|
|
if s == nil {
|
|
s = defaultCipherSuites()
|
|
}
|
|
return s
|
|
}
|
|
|
|
// getCertificateForName returns the best certificate for the given name,
|
|
// defaulting to the first element of c.Certificates if there are no good
|
|
// options.
|
|
func (c *Config) getCertificateForName(name string) *Certificate {
|
|
if len(c.Certificates) == 1 || c.NameToCertificate == nil {
|
|
// There's only one choice, so no point doing any work.
|
|
return &c.Certificates[0]
|
|
}
|
|
|
|
name = strings.ToLower(name)
|
|
for len(name) > 0 && name[len(name)-1] == '.' {
|
|
name = name[:len(name)-1]
|
|
}
|
|
|
|
if cert, ok := c.NameToCertificate[name]; ok {
|
|
return cert
|
|
}
|
|
|
|
// try replacing labels in the name with wildcards until we get a
|
|
// match.
|
|
labels := strings.Split(name, ".")
|
|
for i := range labels {
|
|
labels[i] = "*"
|
|
candidate := strings.Join(labels, ".")
|
|
if cert, ok := c.NameToCertificate[candidate]; ok {
|
|
return cert
|
|
}
|
|
}
|
|
|
|
// If nothing matches, return the first certificate.
|
|
return &c.Certificates[0]
|
|
}
|
|
|
|
// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
|
|
// from the CommonName and SubjectAlternateName fields of each of the leaf
|
|
// certificates.
|
|
func (c *Config) BuildNameToCertificate() {
|
|
c.NameToCertificate = make(map[string]*Certificate)
|
|
for i := range c.Certificates {
|
|
cert := &c.Certificates[i]
|
|
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
|
|
if err != nil {
|
|
continue
|
|
}
|
|
if len(x509Cert.Subject.CommonName) > 0 {
|
|
c.NameToCertificate[x509Cert.Subject.CommonName] = cert
|
|
}
|
|
for _, san := range x509Cert.DNSNames {
|
|
c.NameToCertificate[san] = cert
|
|
}
|
|
}
|
|
}
|
|
|
|
// A Certificate is a chain of one or more certificates, leaf first.
|
|
type Certificate struct {
|
|
Certificate [][]byte
|
|
PrivateKey *rsa.PrivateKey
|
|
// OCSPStaple contains an optional OCSP response which will be served
|
|
// to clients that request it.
|
|
OCSPStaple []byte
|
|
}
|
|
|
|
// A TLS record.
|
|
type record struct {
|
|
contentType recordType
|
|
major, minor uint8
|
|
payload []byte
|
|
}
|
|
|
|
type handshakeMessage interface {
|
|
marshal() []byte
|
|
unmarshal([]byte) bool
|
|
}
|
|
|
|
// mutualVersion returns the protocol version to use given the advertised
|
|
// version of the peer.
|
|
func mutualVersion(vers uint16) (uint16, bool) {
|
|
if vers < minVersion {
|
|
return 0, false
|
|
}
|
|
if vers > maxVersion {
|
|
vers = maxVersion
|
|
}
|
|
return vers, true
|
|
}
|
|
|
|
var emptyConfig Config
|
|
|
|
func defaultConfig() *Config {
|
|
return &emptyConfig
|
|
}
|
|
|
|
var once sync.Once
|
|
|
|
func defaultRoots() *x509.CertPool {
|
|
once.Do(initDefaults)
|
|
return varDefaultRoots
|
|
}
|
|
|
|
func defaultCipherSuites() []uint16 {
|
|
once.Do(initDefaults)
|
|
return varDefaultCipherSuites
|
|
}
|
|
|
|
func initDefaults() {
|
|
initDefaultRoots()
|
|
initDefaultCipherSuites()
|
|
}
|
|
|
|
var (
|
|
varDefaultRoots *x509.CertPool
|
|
varDefaultCipherSuites []uint16
|
|
)
|
|
|
|
func initDefaultCipherSuites() {
|
|
varDefaultCipherSuites = make([]uint16, len(cipherSuites))
|
|
i := 0
|
|
for id := range cipherSuites {
|
|
varDefaultCipherSuites[i] = id
|
|
i++
|
|
}
|
|
}
|