libgo/go/crypto/tls/tls.go

   1 // Copyright 2009 The Go Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 // Package tls partially implements TLS 1.2, as specified in RFC 5246,
   6 // and TLS 1.3, as specified in RFC 8446.
   7 package tls
   8
   9 // BUG(agl): The crypto/tls package only implements some countermeasures
  10 // against Lucky13 attacks on CBC-mode encryption, and only on SHA1
  11 // variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
  12 // https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
  13
  14 import (
  15         "bytes"
  16         "context"
  17         "crypto"
  18         "crypto/ecdsa"
  19         "crypto/ed25519"
  20         "crypto/rsa"
  21         "crypto/x509"
  22         "encoding/pem"
  23         "errors"
  24         "fmt"
  25         "net"
  26         "os"
  27         "strings"
  28 )
  29
  30 // Server returns a new TLS server side connection
  31 // using conn as the underlying transport.
  32 // The configuration config must be non-nil and must include
  33 // at least one certificate or else set GetCertificate.
  34 func Server(conn net.Conn, config *Config) *Conn {
  35         c := &Conn{
  36                 conn:   conn,
  37                 config: config,
  38         }
  39         c.handshakeFn = c.serverHandshake
  40         return c
  41 }
  42
  43 // Client returns a new TLS client side connection
  44 // using conn as the underlying transport.
  45 // The config cannot be nil: users must set either ServerName or
  46 // InsecureSkipVerify in the config.
  47 func Client(conn net.Conn, config *Config) *Conn {
  48         c := &Conn{
  49                 conn:     conn,
  50                 config:   config,
  51                 isClient: true,
  52         }
  53         c.handshakeFn = c.clientHandshake
  54         return c
  55 }
  56
  57 // A listener implements a network listener (net.Listener) for TLS connections.
  58 type listener struct {
  59         net.Listener
  60         config *Config
  61 }
  62
  63 // Accept waits for and returns the next incoming TLS connection.
  64 // The returned connection is of type *Conn.
  65 func (l *listener) Accept() (net.Conn, error) {
  66         c, err := l.Listener.Accept()
  67         if err != nil {
  68                 return nil, err
  69         }
  70         return Server(c, l.config), nil
  71 }
  72
  73 // NewListener creates a Listener which accepts connections from an inner
  74 // Listener and wraps each connection with Server.
  75 // The configuration config must be non-nil and must include
  76 // at least one certificate or else set GetCertificate.
  77 func NewListener(inner net.Listener, config *Config) net.Listener {
  78         l := new(listener)
  79         l.Listener = inner
  80         l.config = config
  81         return l
  82 }
  83
  84 // Listen creates a TLS listener accepting connections on the
  85 // given network address using net.Listen.
  86 // The configuration config must be non-nil and must include
  87 // at least one certificate or else set GetCertificate.
  88 func Listen(network, laddr string, config *Config) (net.Listener, error) {
  89         if config == nil || len(config.Certificates) == 0 &&
  90                 config.GetCertificate == nil && config.GetConfigForClient == nil {
  91                 return nil, errors.New("tls: neither Certificates, GetCertificate, nor GetConfigForClient set in Config")
  92         }
  93         l, err := net.Listen(network, laddr)
  94         if err != nil {
  95                 return nil, err
  96         }
  97         return NewListener(l, config), nil
  98 }
  99
 100 type timeoutError struct{}
 101
 102 func (timeoutError) Error() string   { return "tls: DialWithDialer timed out" }
 103 func (timeoutError) Timeout() bool   { return true }
 104 func (timeoutError) Temporary() bool { return true }
 105
 106 // DialWithDialer connects to the given network address using dialer.Dial and
 107 // then initiates a TLS handshake, returning the resulting TLS connection. Any
 108 // timeout or deadline given in the dialer apply to connection and TLS
 109 // handshake as a whole.
 110 //
 111 // DialWithDialer interprets a nil configuration as equivalent to the zero
 112 // configuration; see the documentation of Config for the defaults.
 113 //
 114 // DialWithDialer uses context.Background internally; to specify the context,
 115 // use Dialer.DialContext with NetDialer set to the desired dialer.
 116 func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*Conn, error) {
 117         return dial(context.Background(), dialer, network, addr, config)
 118 }
 119
 120 func dial(ctx context.Context, netDialer *net.Dialer, network, addr string, config *Config) (*Conn, error) {
 121         if netDialer.Timeout != 0 {
 122                 var cancel context.CancelFunc
 123                 ctx, cancel = context.WithTimeout(ctx, netDialer.Timeout)
 124                 defer cancel()
 125         }
 126
 127         if !netDialer.Deadline.IsZero() {
 128                 var cancel context.CancelFunc
 129                 ctx, cancel = context.WithDeadline(ctx, netDialer.Deadline)
 130                 defer cancel()
 131         }
 132
 133         rawConn, err := netDialer.DialContext(ctx, network, addr)
 134         if err != nil {
 135                 return nil, err
 136         }
 137
 138         colonPos := strings.LastIndex(addr, ":")
 139         if colonPos == -1 {
 140                 colonPos = len(addr)
 141         }
 142         hostname := addr[:colonPos]
 143
 144         if config == nil {
 145                 config = defaultConfig()
 146         }
 147         // If no ServerName is set, infer the ServerName
 148         // from the hostname we're connecting to.
 149         if config.ServerName == "" {
 150                 // Make a copy to avoid polluting argument or default.
 151                 c := config.Clone()
 152                 c.ServerName = hostname
 153                 config = c
 154         }
 155
 156         conn := Client(rawConn, config)
 157         if err := conn.HandshakeContext(ctx); err != nil {
 158                 rawConn.Close()
 159                 return nil, err
 160         }
 161         return conn, nil
 162 }
 163
 164 // Dial connects to the given network address using net.Dial
 165 // and then initiates a TLS handshake, returning the resulting
 166 // TLS connection.
 167 // Dial interprets a nil configuration as equivalent to
 168 // the zero configuration; see the documentation of Config
 169 // for the defaults.
 170 func Dial(network, addr string, config *Config) (*Conn, error) {
 171         return DialWithDialer(new(net.Dialer), network, addr, config)
 172 }
 173
 174 // Dialer dials TLS connections given a configuration and a Dialer for the
 175 // underlying connection.
 176 type Dialer struct {
 177         // NetDialer is the optional dialer to use for the TLS connections'
 178         // underlying TCP connections.
 179         // A nil NetDialer is equivalent to the net.Dialer zero value.
 180         NetDialer *net.Dialer
 181
 182         // Config is the TLS configuration to use for new connections.
 183         // A nil configuration is equivalent to the zero
 184         // configuration; see the documentation of Config for the
 185         // defaults.
 186         Config *Config
 187 }
 188
 189 // Dial connects to the given network address and initiates a TLS
 190 // handshake, returning the resulting TLS connection.
 191 //
 192 // The returned Conn, if any, will always be of type *Conn.
 193 //
 194 // Dial uses context.Background internally; to specify the context,
 195 // use DialContext.
 196 func (d *Dialer) Dial(network, addr string) (net.Conn, error) {
 197         return d.DialContext(context.Background(), network, addr)
 198 }
 199
 200 func (d *Dialer) netDialer() *net.Dialer {
 201         if d.NetDialer != nil {
 202                 return d.NetDialer
 203         }
 204         return new(net.Dialer)
 205 }
 206
 207 // DialContext connects to the given network address and initiates a TLS
 208 // handshake, returning the resulting TLS connection.
 209 //
 210 // The provided Context must be non-nil. If the context expires before
 211 // the connection is complete, an error is returned. Once successfully
 212 // connected, any expiration of the context will not affect the
 213 // connection.
 214 //
 215 // The returned Conn, if any, will always be of type *Conn.
 216 func (d *Dialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
 217         c, err := dial(ctx, d.netDialer(), network, addr, d.Config)
 218         if err != nil {
 219                 // Don't return c (a typed nil) in an interface.
 220                 return nil, err
 221         }
 222         return c, nil
 223 }
 224
 225 // LoadX509KeyPair reads and parses a public/private key pair from a pair
 226 // of files. The files must contain PEM encoded data. The certificate file
 227 // may contain intermediate certificates following the leaf certificate to
 228 // form a certificate chain. On successful return, Certificate.Leaf will
 229 // be nil because the parsed form of the certificate is not retained.
 230 func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
 231         certPEMBlock, err := os.ReadFile(certFile)
 232         if err != nil {
 233                 return Certificate{}, err
 234         }
 235         keyPEMBlock, err := os.ReadFile(keyFile)
 236         if err != nil {
 237                 return Certificate{}, err
 238         }
 239         return X509KeyPair(certPEMBlock, keyPEMBlock)
 240 }
 241
 242 // X509KeyPair parses a public/private key pair from a pair of
 243 // PEM encoded data. On successful return, Certificate.Leaf will be nil because
 244 // the parsed form of the certificate is not retained.
 245 func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 246         fail := func(err error) (Certificate, error) { return Certificate{}, err }
 247
 248         var cert Certificate
 249         var skippedBlockTypes []string
 250         for {
 251                 var certDERBlock *pem.Block
 252                 certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
 253                 if certDERBlock == nil {
 254                         break
 255                 }
 256                 if certDERBlock.Type == "CERTIFICATE" {
 257                         cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
 258                 } else {
 259                         skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type)
 260                 }
 261         }
 262
 263         if len(cert.Certificate) == 0 {
 264                 if len(skippedBlockTypes) == 0 {
 265                         return fail(errors.New("tls: failed to find any PEM data in certificate input"))
 266                 }
 267                 if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
 268                         return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
 269                 }
 270                 return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
 271         }
 272
 273         skippedBlockTypes = skippedBlockTypes[:0]
 274         var keyDERBlock *pem.Block
 275         for {
 276                 keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
 277                 if keyDERBlock == nil {
 278                         if len(skippedBlockTypes) == 0 {
 279                                 return fail(errors.New("tls: failed to find any PEM data in key input"))
 280                         }
 281                         if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
 282                                 return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key"))
 283                         }
 284                         return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
 285                 }
 286                 if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
 287                         break
 288                 }
 289                 skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
 290         }
 291
 292         // We don't need to parse the public key for TLS, but we so do anyway
 293         // to check that it looks sane and matches the private key.
 294         x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
 295         if err != nil {
 296                 return fail(err)
 297         }
 298
 299         cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
 300         if err != nil {
 301                 return fail(err)
 302         }
 303
 304         switch pub := x509Cert.PublicKey.(type) {
 305         case *rsa.PublicKey:
 306                 priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
 307                 if !ok {
 308                         return fail(errors.New("tls: private key type does not match public key type"))
 309                 }
 310                 if pub.N.Cmp(priv.N) != 0 {
 311                         return fail(errors.New("tls: private key does not match public key"))
 312                 }
 313         case *ecdsa.PublicKey:
 314                 priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
 315                 if !ok {
 316                         return fail(errors.New("tls: private key type does not match public key type"))
 317                 }
 318                 if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
 319                         return fail(errors.New("tls: private key does not match public key"))
 320                 }
 321         case ed25519.PublicKey:
 322                 priv, ok := cert.PrivateKey.(ed25519.PrivateKey)
 323                 if !ok {
 324                         return fail(errors.New("tls: private key type does not match public key type"))
 325                 }
 326                 if !bytes.Equal(priv.Public().(ed25519.PublicKey), pub) {
 327                         return fail(errors.New("tls: private key does not match public key"))
 328                 }
 329         default:
 330                 return fail(errors.New("tls: unknown public key algorithm"))
 331         }
 332
 333         return cert, nil
 334 }
 335
 336 // Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
 337 // PKCS #1 private keys by default, while OpenSSL 1.0.0 generates PKCS #8 keys.
 338 // OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
 339 func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
 340         if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
 341                 return key, nil
 342         }
 343         if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
 344                 switch key := key.(type) {
 345                 case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
 346                         return key, nil
 347                 default:
 348                         return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
 349                 }
 350         }
 351         if key, err := x509.ParseECPrivateKey(der); err == nil {
 352                 return key, nil
 353         }
 354
 355         return nil, errors.New("tls: failed to parse private key")
 356 }