kris
/
th5
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49 Commits
3 Branches
2.6 MiB
 
 
Tree: 50ac183397
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '50ac183397'
${ noResults }
th5/tls.go

168 lines
4.6 KiB
Raw Blame History 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // This package partially implements the TLS 1.1 protocol, as specified in RFC 4346.

  6. package tls

  7. 

  8. import (

  9. 	"crypto/rsa"

  10. 	"crypto/x509"

  11. 	"encoding/pem"

  12. 	"io/ioutil"

  13. 	"net"

  14. 	"os"

  15. 	"strings"

  16. )

  17. 

  18. // Server returns a new TLS server side connection

  19. // using conn as the underlying transport.

  20. // The configuration config must be non-nil and must have

  21. // at least one certificate.

  22. func Server(conn net.Conn, config *Config) *Conn {

  23. 	return &Conn{conn: conn, config: config}

  24. }

  25. 

  26. // Client returns a new TLS client side connection

  27. // using conn as the underlying transport.

  28. // Client interprets a nil configuration as equivalent to

  29. // the zero configuration; see the documentation of Config

  30. // for the defaults.

  31. func Client(conn net.Conn, config *Config) *Conn {

  32. 	return &Conn{conn: conn, config: config, isClient: true}

  33. }

  34. 

  35. // A Listener implements a network listener (net.Listener) for TLS connections.

  36. type Listener struct {

  37. 	listener net.Listener

  38. 	config   *Config

  39. }

  40. 

  41. // Accept waits for and returns the next incoming TLS connection.

  42. // The returned connection c is a *tls.Conn.

  43. func (l *Listener) Accept() (c net.Conn, err os.Error) {

  44. 	c, err = l.listener.Accept()

  45. 	if err != nil {

  46. 		return

  47. 	}

  48. 	c = Server(c, l.config)

  49. 	return

  50. }

  51. 

  52. // Close closes the listener.

  53. func (l *Listener) Close() os.Error { return l.listener.Close() }

  54. 

  55. // Addr returns the listener's network address.

  56. func (l *Listener) Addr() net.Addr { return l.listener.Addr() }

  57. 

  58. // NewListener creates a Listener which accepts connections from an inner

  59. // Listener and wraps each connection with Server.

  60. // The configuration config must be non-nil and must have

  61. // at least one certificate.

  62. func NewListener(listener net.Listener, config *Config) (l *Listener) {

  63. 	l = new(Listener)

  64. 	l.listener = listener

  65. 	l.config = config

  66. 	return

  67. }

  68. 

  69. // Listen creates a TLS listener accepting connections on the

  70. // given network address using net.Listen.

  71. // The configuration config must be non-nil and must have

  72. // at least one certificate.

  73. func Listen(network, laddr string, config *Config) (*Listener, os.Error) {

  74. 	if config == nil || len(config.Certificates) == 0 {

  75. 		return nil, os.NewError("tls.Listen: no certificates in configuration")

  76. 	}

  77. 	l, err := net.Listen(network, laddr)

  78. 	if err != nil {

  79. 		return nil, err

  80. 	}

  81. 	return NewListener(l, config), nil

  82. }

  83. 

  84. // Dial connects to the given network address using net.Dial

  85. // and then initiates a TLS handshake, returning the resulting

  86. // TLS connection.

  87. // Dial interprets a nil configuration as equivalent to

  88. // the zero configuration; see the documentation of Config

  89. // for the defaults.

  90. func Dial(network, laddr, raddr string, config *Config) (*Conn, os.Error) {

  91. 	c, err := net.Dial(network, laddr, raddr)

  92. 	if err != nil {

  93. 		return nil, err

  94. 	}

  95. 

  96. 	colonPos := strings.LastIndex(raddr, ":")

  97. 	if colonPos == -1 {

  98. 		colonPos = len(raddr)

  99. 	}

  100. 	hostname := raddr[:colonPos]

  101. 

  102. 	if config == nil {

  103. 		config = defaultConfig()

  104. 	}

  105. 	if config.ServerName != "" {

  106. 		// Make a copy to avoid polluting argument or default.

  107. 		c := *config

  108. 		c.ServerName = hostname

  109. 		config = &c

  110. 	}

  111. 	conn := Client(c, config)

  112. 	if err = conn.Handshake(); err != nil {

  113. 		c.Close()

  114. 		return nil, err

  115. 	}

  116. 	return conn, nil

  117. }

  118. 

  119. // LoadX509KeyPair reads and parses a public/private key pair from a pair of

  120. // files. The files must contain PEM encoded data.

  121. func LoadX509KeyPair(certFile string, keyFile string) (cert Certificate, err os.Error) {

  122. 	certPEMBlock, err := ioutil.ReadFile(certFile)

  123. 	if err != nil {

  124. 		return

  125. 	}

  126. 

  127. 	certDERBlock, _ := pem.Decode(certPEMBlock)

  128. 	if certDERBlock == nil {

  129. 		err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")

  130. 		return

  131. 	}

  132. 

  133. 	cert.Certificate = [][]byte{certDERBlock.Bytes}

  134. 

  135. 	keyPEMBlock, err := ioutil.ReadFile(keyFile)

  136. 	if err != nil {

  137. 		return

  138. 	}

  139. 

  140. 	keyDERBlock, _ := pem.Decode(keyPEMBlock)

  141. 	if keyDERBlock == nil {

  142. 		err = os.ErrorString("crypto/tls: failed to parse key PEM data")

  143. 		return

  144. 	}

  145. 

  146. 	key, err := x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)

  147. 	if err != nil {

  148. 		err = os.ErrorString("crypto/tls: failed to parse key")

  149. 		return

  150. 	}

  151. 

  152. 	cert.PrivateKey = key

  153. 

  154. 	// We don't need to parse the public key for TLS, but we so do anyway

  155. 	// to check that it looks sane and matches the private key.

  156. 	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)

  157. 	if err != nil {

  158. 		return

  159. 	}

  160. 

  161. 	if x509Cert.PublicKeyAlgorithm != x509.RSA || x509Cert.PublicKey.(*rsa.PublicKey).N.Cmp(key.PublicKey.N) != 0 {

  162. 		err = os.ErrorString("crypto/tls: private key does not match public key")

  163. 		return

  164. 	}

  165. 

  166. 	return

  167. }