search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libgo: update to go1.9
[official-gcc.git] / libgo / go / crypto / tls / conn.go
blobe6d85aa26391fa0aada9c676cbabc642f6a93a95
1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 // TLS low level connection and record layer
6
7 package tls
8
9 import (
10 "bytes"
11 "crypto/cipher"
12 "crypto/subtle"
13 "crypto/x509"
14 "errors"
15 "fmt"
16 "io"
17 "net"
18 "sync"
19 "sync/atomic"
20 "time"
21 )
22
23 // A Conn represents a secured connection.
24 // It implements the net.Conn interface.
25 type Conn struct {
26 // constant
27 conn net.Conn
28 isClient bool
29
30 // constant after handshake; protected by handshakeMutex
31 handshakeMutex sync.Mutex // handshakeMutex < in.Mutex, out.Mutex, errMutex
32 // handshakeCond, if not nil, indicates that a goroutine is committed
33 // to running the handshake for this Conn. Other goroutines that need
34 // to wait for the handshake can wait on this, under handshakeMutex.
35 handshakeCond *sync.Cond
36 handshakeErr error // error resulting from handshake
37 vers uint16 // TLS version
38 haveVers bool // version has been negotiated
39 config *Config // configuration passed to constructor
40 // handshakeComplete is true if the connection is currently transferring
41 // application data (i.e. is not currently processing a handshake).
42 handshakeComplete bool
43 // handshakes counts the number of handshakes performed on the
44 // connection so far. If renegotiation is disabled then this is either
45 // zero or one.
46 handshakes int
47 didResume bool // whether this connection was a session resumption
48 cipherSuite uint16
49 ocspResponse []byte // stapled OCSP response
50 scts [][]byte // signed certificate timestamps from server
51 peerCertificates []*x509.Certificate
52 // verifiedChains contains the certificate chains that we built, as
53 // opposed to the ones presented by the server.
54 verifiedChains [][]*x509.Certificate
55 // serverName contains the server name indicated by the client, if any.
56 serverName string
57 // secureRenegotiation is true if the server echoed the secure
58 // renegotiation extension. (This is meaningless as a server because
59 // renegotiation is not supported in that case.)
60 secureRenegotiation bool
61
62 // clientFinishedIsFirst is true if the client sent the first Finished
63 // message during the most recent handshake. This is recorded because
64 // the first transmitted Finished message is the tls-unique
65 // channel-binding value.
66 clientFinishedIsFirst bool
67
68 // closeNotifyErr is any error from sending the alertCloseNotify record.
69 closeNotifyErr error
70 // closeNotifySent is true if the Conn attempted to send an
71 // alertCloseNotify record.
72 closeNotifySent bool
73
74 // clientFinished and serverFinished contain the Finished message sent
75 // by the client or server in the most recent handshake. This is
76 // retained to support the renegotiation extension and tls-unique
77 // channel-binding.
78 clientFinished [12]byte
79 serverFinished [12]byte
80
81 clientProtocol string
82 clientProtocolFallback bool
83
84 // input/output
85 in, out halfConn // in.Mutex < out.Mutex
86 rawInput *block // raw input, right off the wire
87 input *block // application data waiting to be read
88 hand bytes.Buffer // handshake data waiting to be read
89 buffering bool // whether records are buffered in sendBuf
90 sendBuf []byte // a buffer of records waiting to be sent
91
92 // bytesSent counts the bytes of application data sent.
93 // packetsSent counts packets.
94 bytesSent int64
95 packetsSent int64
96
97 // activeCall is an atomic int32; the low bit is whether Close has
98 // been called. the rest of the bits are the number of goroutines
99 // in Conn.Write.
100 activeCall int32
101
102 tmp [16]byte
103 }
104
105 // Access to net.Conn methods.
106 // Cannot just embed net.Conn because that would
107 // export the struct field too.
108
109 // LocalAddr returns the local network address.
110 func (c *Conn) LocalAddr() net.Addr {
111 return c.conn.LocalAddr()
112 }
113
114 // RemoteAddr returns the remote network address.
115 func (c *Conn) RemoteAddr() net.Addr {
116 return c.conn.RemoteAddr()
117 }
118
119 // SetDeadline sets the read and write deadlines associated with the connection.
120 // A zero value for t means Read and Write will not time out.
121 // After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
122 func (c *Conn) SetDeadline(t time.Time) error {
123 return c.conn.SetDeadline(t)
124 }
125
126 // SetReadDeadline sets the read deadline on the underlying connection.
127 // A zero value for t means Read will not time out.
128 func (c *Conn) SetReadDeadline(t time.Time) error {
129 return c.conn.SetReadDeadline(t)
130 }
131
132 // SetWriteDeadline sets the write deadline on the underlying connection.
133 // A zero value for t means Write will not time out.
134 // After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
135 func (c *Conn) SetWriteDeadline(t time.Time) error {
136 return c.conn.SetWriteDeadline(t)
137 }
138
139 // A halfConn represents one direction of the record layer
140 // connection, either sending or receiving.
141 type halfConn struct {
142 sync.Mutex
143
144 err error // first permanent error
145 version uint16 // protocol version
146 cipher interface{} // cipher algorithm
147 mac macFunction
148 seq [8]byte // 64-bit sequence number
149 bfree *block // list of free blocks
150 additionalData [13]byte // to avoid allocs; interface method args escape
151
152 nextCipher interface{} // next encryption state
153 nextMac macFunction // next MAC algorithm
154
155 // used to save allocating a new buffer for each MAC.
156 inDigestBuf, outDigestBuf []byte
157 }
158
159 func (hc *halfConn) setErrorLocked(err error) error {
160 hc.err = err
161 return err
162 }
163
164 // prepareCipherSpec sets the encryption and MAC states
165 // that a subsequent changeCipherSpec will use.
166 func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) {
167 hc.version = version
168 hc.nextCipher = cipher
169 hc.nextMac = mac
170 }
171
172 // changeCipherSpec changes the encryption and MAC states
173 // to the ones previously passed to prepareCipherSpec.
174 func (hc *halfConn) changeCipherSpec() error {
175 if hc.nextCipher == nil {
176 return alertInternalError
177 }
178 hc.cipher = hc.nextCipher
179 hc.mac = hc.nextMac
180 hc.nextCipher = nil
181 hc.nextMac = nil
182 for i := range hc.seq {
183 hc.seq[i] = 0
184 }
185 return nil
186 }
187
188 // incSeq increments the sequence number.
189 func (hc *halfConn) incSeq() {
190 for i := 7; i >= 0; i-- {
191 hc.seq[i]++
192 if hc.seq[i] != 0 {
193 return
194 }
195 }
196
197 // Not allowed to let sequence number wrap.
198 // Instead, must renegotiate before it does.
199 // Not likely enough to bother.
200 panic("TLS: sequence number wraparound")
201 }
202
203 // extractPadding returns, in constant time, the length of the padding to remove
204 // from the end of payload. It also returns a byte which is equal to 255 if the
205 // padding was valid and 0 otherwise. See RFC 2246, section 6.2.3.2
206 func extractPadding(payload []byte) (toRemove int, good byte) {
207 if len(payload) < 1 {
208 return 0, 0
209 }
210
211 paddingLen := payload[len(payload)-1]
212 t := uint(len(payload)-1) - uint(paddingLen)
213 // if len(payload) >= (paddingLen - 1) then the MSB of t is zero
214 good = byte(int32(^t) >> 31)
215
216 toCheck := 255 // the maximum possible padding length
217 // The length of the padded data is public, so we can use an if here
218 if toCheck+1 > len(payload) {
219 toCheck = len(payload) - 1
220 }
221
222 for i := 0; i < toCheck; i++ {
223 t := uint(paddingLen) - uint(i)
224 // if i <= paddingLen then the MSB of t is zero
225 mask := byte(int32(^t) >> 31)
226 b := payload[len(payload)-1-i]
227 good &^= mask&paddingLen ^ mask&b
228 }
229
230 // We AND together the bits of good and replicate the result across
231 // all the bits.
232 good &= good << 4
233 good &= good << 2
234 good &= good << 1
235 good = uint8(int8(good) >> 7)
236
237 toRemove = int(paddingLen) + 1
238 return
239 }
240
241 // extractPaddingSSL30 is a replacement for extractPadding in the case that the
242 // protocol version is SSLv3. In this version, the contents of the padding
243 // are random and cannot be checked.
244 func extractPaddingSSL30(payload []byte) (toRemove int, good byte) {
245 if len(payload) < 1 {
246 return 0, 0
247 }
248
249 paddingLen := int(payload[len(payload)-1]) + 1
250 if paddingLen > len(payload) {
251 return 0, 0
252 }
253
254 return paddingLen, 255
255 }
256
257 func roundUp(a, b int) int {
258 return a + (b-a%b)%b
259 }
260
261 // cbcMode is an interface for block ciphers using cipher block chaining.
262 type cbcMode interface {
263 cipher.BlockMode
264 SetIV([]byte)
265 }
266
267 // decrypt checks and strips the mac and decrypts the data in b. Returns a
268 // success boolean, the number of bytes to skip from the start of the record in
269 // order to get the application payload, and an optional alert value.
270 func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert) {
271 // pull out payload
272 payload := b.data[recordHeaderLen:]
273
274 macSize := 0
275 if hc.mac != nil {
276 macSize = hc.mac.Size()
277 }
278
279 paddingGood := byte(255)
280 paddingLen := 0
281 explicitIVLen := 0
282
283 // decrypt
284 if hc.cipher != nil {
285 switch c := hc.cipher.(type) {
286 case cipher.Stream:
287 c.XORKeyStream(payload, payload)
288 case aead:
289 explicitIVLen = c.explicitNonceLen()
290 if len(payload) < explicitIVLen {
291 return false, 0, alertBadRecordMAC
292 }
293 nonce := payload[:explicitIVLen]
294 payload = payload[explicitIVLen:]
295
296 if len(nonce) == 0 {
297 nonce = hc.seq[:]
298 }
299
300 copy(hc.additionalData[:], hc.seq[:])
301 copy(hc.additionalData[8:], b.data[:3])
302 n := len(payload) - c.Overhead()
303 hc.additionalData[11] = byte(n >> 8)
304 hc.additionalData[12] = byte(n)
305 var err error
306 payload, err = c.Open(payload[:0], nonce, payload, hc.additionalData[:])
307 if err != nil {
308 return false, 0, alertBadRecordMAC
309 }
310 b.resize(recordHeaderLen + explicitIVLen + len(payload))
311 case cbcMode:
312 blockSize := c.BlockSize()
313 if hc.version >= VersionTLS11 {
314 explicitIVLen = blockSize
315 }
316
317 if len(payload)%blockSize != 0 || len(payload) < roundUp(explicitIVLen+macSize+1, blockSize) {
318 return false, 0, alertBadRecordMAC
319 }
320
321 if explicitIVLen > 0 {
322 c.SetIV(payload[:explicitIVLen])
323 payload = payload[explicitIVLen:]
324 }
325 c.CryptBlocks(payload, payload)
326 if hc.version == VersionSSL30 {
327 paddingLen, paddingGood = extractPaddingSSL30(payload)
328 } else {
329 paddingLen, paddingGood = extractPadding(payload)
330
331 // To protect against CBC padding oracles like Lucky13, the data
332 // past paddingLen (which is secret) is passed to the MAC
333 // function as extra data, to be fed into the HMAC after
334 // computing the digest. This makes the MAC constant time as
335 // long as the digest computation is constant time and does not
336 // affect the subsequent write.
337 }
338 default:
339 panic("unknown cipher type")
340 }
341 }
342
343 // check, strip mac
344 if hc.mac != nil {
345 if len(payload) < macSize {
346 return false, 0, alertBadRecordMAC
347 }
348
349 // strip mac off payload, b.data
350 n := len(payload) - macSize - paddingLen
351 n = subtle.ConstantTimeSelect(int(uint32(n)>>31), 0, n) // if n < 0 { n = 0 }
352 b.data[3] = byte(n >> 8)
353 b.data[4] = byte(n)
354 remoteMAC := payload[n : n+macSize]
355 localMAC := hc.mac.MAC(hc.inDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], payload[:n], payload[n+macSize:])
356
357 if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 {
358 return false, 0, alertBadRecordMAC
359 }
360 hc.inDigestBuf = localMAC
361
362 b.resize(recordHeaderLen + explicitIVLen + n)
363 }
364 hc.incSeq()
365
366 return true, recordHeaderLen + explicitIVLen, 0
367 }
368
369 // padToBlockSize calculates the needed padding block, if any, for a payload.
370 // On exit, prefix aliases payload and extends to the end of the last full
371 // block of payload. finalBlock is a fresh slice which contains the contents of
372 // any suffix of payload as well as the needed padding to make finalBlock a
373 // full block.
374 func padToBlockSize(payload []byte, blockSize int) (prefix, finalBlock []byte) {
375 overrun := len(payload) % blockSize
376 paddingLen := blockSize - overrun
377 prefix = payload[:len(payload)-overrun]
378 finalBlock = make([]byte, blockSize)
379 copy(finalBlock, payload[len(payload)-overrun:])
380 for i := overrun; i < blockSize; i++ {
381 finalBlock[i] = byte(paddingLen - 1)
382 }
383 return
384 }
385
386 // encrypt encrypts and macs the data in b.
387 func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
388 // mac
389 if hc.mac != nil {
390 mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], b.data[recordHeaderLen+explicitIVLen:], nil)
391
392 n := len(b.data)
393 b.resize(n + len(mac))
394 copy(b.data[n:], mac)
395 hc.outDigestBuf = mac
396 }
397
398 payload := b.data[recordHeaderLen:]
399
400 // encrypt
401 if hc.cipher != nil {
402 switch c := hc.cipher.(type) {
403 case cipher.Stream:
404 c.XORKeyStream(payload, payload)
405 case aead:
406 payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
407 b.resize(len(b.data) + c.Overhead())
408 nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
409 if len(nonce) == 0 {
410 nonce = hc.seq[:]
411 }
412 payload := b.data[recordHeaderLen+explicitIVLen:]
413 payload = payload[:payloadLen]
414
415 copy(hc.additionalData[:], hc.seq[:])
416 copy(hc.additionalData[8:], b.data[:3])
417 hc.additionalData[11] = byte(payloadLen >> 8)
418 hc.additionalData[12] = byte(payloadLen)
419
420 c.Seal(payload[:0], nonce, payload, hc.additionalData[:])
421 case cbcMode:
422 blockSize := c.BlockSize()
423 if explicitIVLen > 0 {
424 c.SetIV(payload[:explicitIVLen])
425 payload = payload[explicitIVLen:]
426 }
427 prefix, finalBlock := padToBlockSize(payload, blockSize)
428 b.resize(recordHeaderLen + explicitIVLen + len(prefix) + len(finalBlock))
429 c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen:], prefix)
430 c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen+len(prefix):], finalBlock)
431 default:
432 panic("unknown cipher type")
433 }
434 }
435
436 // update length to include MAC and any block padding needed.
437 n := len(b.data) - recordHeaderLen
438 b.data[3] = byte(n >> 8)
439 b.data[4] = byte(n)
440 hc.incSeq()
441
442 return true, 0
443 }
444
445 // A block is a simple data buffer.
446 type block struct {
447 data []byte
448 off int // index for Read
449 link *block
450 }
451
452 // resize resizes block to be n bytes, growing if necessary.
453 func (b *block) resize(n int) {
454 if n > cap(b.data) {
455 b.reserve(n)
456 }
457 b.data = b.data[0:n]
458 }
459
460 // reserve makes sure that block contains a capacity of at least n bytes.
461 func (b *block) reserve(n int) {
462 if cap(b.data) >= n {
463 return
464 }
465 m := cap(b.data)
466 if m == 0 {
467 m = 1024
468 }
469 for m < n {
470 m *= 2
471 }
472 data := make([]byte, len(b.data), m)
473 copy(data, b.data)
474 b.data = data
475 }
476
477 // readFromUntil reads from r into b until b contains at least n bytes
478 // or else returns an error.
479 func (b *block) readFromUntil(r io.Reader, n int) error {
480 // quick case
481 if len(b.data) >= n {
482 return nil
483 }
484
485 // read until have enough.
486 b.reserve(n)
487 for {
488 m, err := r.Read(b.data[len(b.data):cap(b.data)])
489 b.data = b.data[0 : len(b.data)+m]
490 if len(b.data) >= n {
491 // TODO(bradfitz,agl): slightly suspicious
492 // that we're throwing away r.Read's err here.
493 break
494 }
495 if err != nil {
496 return err
497 }
498 }
499 return nil
500 }
501
502 func (b *block) Read(p []byte) (n int, err error) {
503 n = copy(p, b.data[b.off:])
504 b.off += n
505 return
506 }
507
508 // newBlock allocates a new block, from hc's free list if possible.
509 func (hc *halfConn) newBlock() *block {
510 b := hc.bfree
511 if b == nil {
512 return new(block)
513 }
514 hc.bfree = b.link
515 b.link = nil
516 b.resize(0)
517 return b
518 }
519
520 // freeBlock returns a block to hc's free list.
521 // The protocol is such that each side only has a block or two on
522 // its free list at a time, so there's no need to worry about
523 // trimming the list, etc.
524 func (hc *halfConn) freeBlock(b *block) {
525 b.link = hc.bfree
526 hc.bfree = b
527 }
528
529 // splitBlock splits a block after the first n bytes,
530 // returning a block with those n bytes and a
531 // block with the remainder. the latter may be nil.
532 func (hc *halfConn) splitBlock(b *block, n int) (*block, *block) {
533 if len(b.data) <= n {
534 return b, nil
535 }
536 bb := hc.newBlock()
537 bb.resize(len(b.data) - n)
538 copy(bb.data, b.data[n:])
539 b.data = b.data[0:n]
540 return b, bb
541 }
542
543 // RecordHeaderError results when a TLS record header is invalid.
544 type RecordHeaderError struct {
545 // Msg contains a human readable string that describes the error.
546 Msg string
547 // RecordHeader contains the five bytes of TLS record header that
548 // triggered the error.
549 RecordHeader [5]byte
550 }
551
552 func (e RecordHeaderError) Error() string { return "tls: " + e.Msg }
553
554 func (c *Conn) newRecordHeaderError(msg string) (err RecordHeaderError) {
555 err.Msg = msg
556 copy(err.RecordHeader[:], c.rawInput.data)
557 return err
558 }
559
560 // readRecord reads the next TLS record from the connection
561 // and updates the record layer state.
562 // c.in.Mutex <= L; c.input == nil.
563 func (c *Conn) readRecord(want recordType) error {
564 // Caller must be in sync with connection:
565 // handshake data if handshake not yet completed,
566 // else application data.
567 switch want {
568 default:
569 c.sendAlert(alertInternalError)
570 return c.in.setErrorLocked(errors.New("tls: unknown record type requested"))
571 case recordTypeHandshake, recordTypeChangeCipherSpec:
572 if c.handshakeComplete {
573 c.sendAlert(alertInternalError)
574 return c.in.setErrorLocked(errors.New("tls: handshake or ChangeCipherSpec requested while not in handshake"))
575 }
576 case recordTypeApplicationData:
577 if !c.handshakeComplete {
578 c.sendAlert(alertInternalError)
579 return c.in.setErrorLocked(errors.New("tls: application data record requested while in handshake"))
580 }
581 }
582
583 Again:
584 if c.rawInput == nil {
585 c.rawInput = c.in.newBlock()
586 }
587 b := c.rawInput
588
589 // Read header, payload.
590 if err := b.readFromUntil(c.conn, recordHeaderLen); err != nil {
591 // RFC suggests that EOF without an alertCloseNotify is
592 // an error, but popular web sites seem to do this,
593 // so we can't make it an error.
594 // if err == io.EOF {
595 // err = io.ErrUnexpectedEOF
596 // }
597 if e, ok := err.(net.Error); !ok || !e.Temporary() {
598 c.in.setErrorLocked(err)
599 }
600 return err
601 }
602 typ := recordType(b.data[0])
603
604 // No valid TLS record has a type of 0x80, however SSLv2 handshakes
605 // start with a uint16 length where the MSB is set and the first record
606 // is always < 256 bytes long. Therefore typ == 0x80 strongly suggests
607 // an SSLv2 client.
608 if want == recordTypeHandshake && typ == 0x80 {
609 c.sendAlert(alertProtocolVersion)
610 return c.in.setErrorLocked(c.newRecordHeaderError("unsupported SSLv2 handshake received"))
611 }
612
613 vers := uint16(b.data[1])<<8 | uint16(b.data[2])
614 n := int(b.data[3])<<8 | int(b.data[4])
615 if c.haveVers && vers != c.vers {
616 c.sendAlert(alertProtocolVersion)
617 msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, c.vers)
618 return c.in.setErrorLocked(c.newRecordHeaderError(msg))
619 }
620 if n > maxCiphertext {
621 c.sendAlert(alertRecordOverflow)
622 msg := fmt.Sprintf("oversized record received with length %d", n)
623 return c.in.setErrorLocked(c.newRecordHeaderError(msg))
624 }
625 if !c.haveVers {
626 // First message, be extra suspicious: this might not be a TLS
627 // client. Bail out before reading a full 'body', if possible.
628 // The current max version is 3.3 so if the version is >= 16.0,
629 // it's probably not real.
630 if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 {
631 c.sendAlert(alertUnexpectedMessage)
632 return c.in.setErrorLocked(c.newRecordHeaderError("first record does not look like a TLS handshake"))
633 }
634 }
635 if err := b.readFromUntil(c.conn, recordHeaderLen+n); err != nil {
636 if err == io.EOF {
637 err = io.ErrUnexpectedEOF
638 }
639 if e, ok := err.(net.Error); !ok || !e.Temporary() {
640 c.in.setErrorLocked(err)
641 }
642 return err
643 }
644
645 // Process message.
646 b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n)
647 ok, off, alertValue := c.in.decrypt(b)
648 if !ok {
649 c.in.freeBlock(b)
650 return c.in.setErrorLocked(c.sendAlert(alertValue))
651 }
652 b.off = off
653 data := b.data[b.off:]
654 if len(data) > maxPlaintext {
655 err := c.sendAlert(alertRecordOverflow)
656 c.in.freeBlock(b)
657 return c.in.setErrorLocked(err)
658 }
659
660 switch typ {
661 default:
662 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
663
664 case recordTypeAlert:
665 if len(data) != 2 {
666 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
667 break
668 }
669 if alert(data[1]) == alertCloseNotify {
670 c.in.setErrorLocked(io.EOF)
671 break
672 }
673 switch data[0] {
674 case alertLevelWarning:
675 // drop on the floor
676 c.in.freeBlock(b)
677 goto Again
678 case alertLevelError:
679 c.in.setErrorLocked(&net.OpError{Op: "remote error", Err: alert(data[1])})
680 default:
681 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
682 }
683
684 case recordTypeChangeCipherSpec:
685 if typ != want || len(data) != 1 || data[0] != 1 {
686 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
687 break
688 }
689 err := c.in.changeCipherSpec()
690 if err != nil {
691 c.in.setErrorLocked(c.sendAlert(err.(alert)))
692 }
693
694 case recordTypeApplicationData:
695 if typ != want {
696 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
697 break
698 }
699 c.input = b
700 b = nil
701
702 case recordTypeHandshake:
703 // TODO(rsc): Should at least pick off connection close.
704 if typ != want && !(c.isClient && c.config.Renegotiation != RenegotiateNever) {
705 return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation))
706 }
707 c.hand.Write(data)
708 }
709
710 if b != nil {
711 c.in.freeBlock(b)
712 }
713 return c.in.err
714 }
715
716 // sendAlert sends a TLS alert message.
717 // c.out.Mutex <= L.
718 func (c *Conn) sendAlertLocked(err alert) error {
719 switch err {
720 case alertNoRenegotiation, alertCloseNotify:
721 c.tmp[0] = alertLevelWarning
722 default:
723 c.tmp[0] = alertLevelError
724 }
725 c.tmp[1] = byte(err)
726
727 _, writeErr := c.writeRecordLocked(recordTypeAlert, c.tmp[0:2])
728 if err == alertCloseNotify {
729 // closeNotify is a special case in that it isn't an error.
730 return writeErr
731 }
732
733 return c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err})
734 }
735
736 // sendAlert sends a TLS alert message.
737 // L < c.out.Mutex.
738 func (c *Conn) sendAlert(err alert) error {
739 c.out.Lock()
740 defer c.out.Unlock()
741 return c.sendAlertLocked(err)
742 }
743
744 const (
745 // tcpMSSEstimate is a conservative estimate of the TCP maximum segment
746 // size (MSS). A constant is used, rather than querying the kernel for
747 // the actual MSS, to avoid complexity. The value here is the IPv6
748 // minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
749 // bytes) and a TCP header with timestamps (32 bytes).
750 tcpMSSEstimate = 1208
751
752 // recordSizeBoostThreshold is the number of bytes of application data
753 // sent after which the TLS record size will be increased to the
754 // maximum.
755 recordSizeBoostThreshold = 128 * 1024
756 )
757
758 // maxPayloadSizeForWrite returns the maximum TLS payload size to use for the
759 // next application data record. There is the following trade-off:
760 //
761 // - For latency-sensitive applications, such as web browsing, each TLS
762 // record should fit in one TCP segment.
763 // - For throughput-sensitive applications, such as large file transfers,
764 // larger TLS records better amortize framing and encryption overheads.
765 //
766 // A simple heuristic that works well in practice is to use small records for
767 // the first 1MB of data, then use larger records for subsequent data, and
768 // reset back to smaller records after the connection becomes idle. See "High
769 // Performance Web Networking", Chapter 4, or:
770 // https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
771 //
772 // In the interests of simplicity and determinism, this code does not attempt
773 // to reset the record size once the connection is idle, however.
774 //
775 // c.out.Mutex <= L.
776 func (c *Conn) maxPayloadSizeForWrite(typ recordType, explicitIVLen int) int {
777 if c.config.DynamicRecordSizingDisabled || typ != recordTypeApplicationData {
778 return maxPlaintext
779 }
780
781 if c.bytesSent >= recordSizeBoostThreshold {
782 return maxPlaintext
783 }
784
785 // Subtract TLS overheads to get the maximum payload size.
786 macSize := 0
787 if c.out.mac != nil {
788 macSize = c.out.mac.Size()
789 }
790
791 payloadBytes := tcpMSSEstimate - recordHeaderLen - explicitIVLen
792 if c.out.cipher != nil {
793 switch ciph := c.out.cipher.(type) {
794 case cipher.Stream:
795 payloadBytes -= macSize
796 case cipher.AEAD:
797 payloadBytes -= ciph.Overhead()
798 case cbcMode:
799 blockSize := ciph.BlockSize()
800 // The payload must fit in a multiple of blockSize, with
801 // room for at least one padding byte.
802 payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
803 // The MAC is appended before padding so affects the
804 // payload size directly.
805 payloadBytes -= macSize
806 default:
807 panic("unknown cipher type")
808 }
809 }
810
811 // Allow packet growth in arithmetic progression up to max.
812 pkt := c.packetsSent
813 c.packetsSent++
814 if pkt > 1000 {
815 return maxPlaintext // avoid overflow in multiply below
816 }
817
818 n := payloadBytes * int(pkt+1)
819 if n > maxPlaintext {
820 n = maxPlaintext
821 }
822 return n
823 }
824
825 // c.out.Mutex <= L.
826 func (c *Conn) write(data []byte) (int, error) {
827 if c.buffering {
828 c.sendBuf = append(c.sendBuf, data...)
829 return len(data), nil
830 }
831
832 n, err := c.conn.Write(data)
833 c.bytesSent += int64(n)
834 return n, err
835 }
836
837 func (c *Conn) flush() (int, error) {
838 if len(c.sendBuf) == 0 {
839 return 0, nil
840 }
841
842 n, err := c.conn.Write(c.sendBuf)
843 c.bytesSent += int64(n)
844 c.sendBuf = nil
845 c.buffering = false
846 return n, err
847 }
848
849 // writeRecordLocked writes a TLS record with the given type and payload to the
850 // connection and updates the record layer state.
851 // c.out.Mutex <= L.
852 func (c *Conn) writeRecordLocked(typ recordType, data []byte) (int, error) {
853 b := c.out.newBlock()
854 defer c.out.freeBlock(b)
855
856 var n int
857 for len(data) > 0 {
858 explicitIVLen := 0
859 explicitIVIsSeq := false
860
861 var cbc cbcMode
862 if c.out.version >= VersionTLS11 {
863 var ok bool
864 if cbc, ok = c.out.cipher.(cbcMode); ok {
865 explicitIVLen = cbc.BlockSize()
866 }
867 }
868 if explicitIVLen == 0 {
869 if c, ok := c.out.cipher.(aead); ok {
870 explicitIVLen = c.explicitNonceLen()
871
872 // The AES-GCM construction in TLS has an
873 // explicit nonce so that the nonce can be
874 // random. However, the nonce is only 8 bytes
875 // which is too small for a secure, random
876 // nonce. Therefore we use the sequence number
877 // as the nonce.
878 explicitIVIsSeq = explicitIVLen > 0
879 }
880 }
881 m := len(data)
882 if maxPayload := c.maxPayloadSizeForWrite(typ, explicitIVLen); m > maxPayload {
883 m = maxPayload
884 }
885 b.resize(recordHeaderLen + explicitIVLen + m)
886 b.data[0] = byte(typ)
887 vers := c.vers
888 if vers == 0 {
889 // Some TLS servers fail if the record version is
890 // greater than TLS 1.0 for the initial ClientHello.
891 vers = VersionTLS10
892 }
893 b.data[1] = byte(vers >> 8)
894 b.data[2] = byte(vers)
895 b.data[3] = byte(m >> 8)
896 b.data[4] = byte(m)
897 if explicitIVLen > 0 {
898 explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
899 if explicitIVIsSeq {
900 copy(explicitIV, c.out.seq[:])
901 } else {
902 if _, err := io.ReadFull(c.config.rand(), explicitIV); err != nil {
903 return n, err
904 }
905 }
906 }
907 copy(b.data[recordHeaderLen+explicitIVLen:], data)
908 c.out.encrypt(b, explicitIVLen)
909 if _, err := c.write(b.data); err != nil {
910 return n, err
911 }
912 n += m
913 data = data[m:]
914 }
915
916 if typ == recordTypeChangeCipherSpec {
917 if err := c.out.changeCipherSpec(); err != nil {
918 return n, c.sendAlertLocked(err.(alert))
919 }
920 }
921
922 return n, nil
923 }
924
925 // writeRecord writes a TLS record with the given type and payload to the
926 // connection and updates the record layer state.
927 // L < c.out.Mutex.
928 func (c *Conn) writeRecord(typ recordType, data []byte) (int, error) {
929 c.out.Lock()
930 defer c.out.Unlock()
931
932 return c.writeRecordLocked(typ, data)
933 }
934
935 // readHandshake reads the next handshake message from
936 // the record layer.
937 // c.in.Mutex < L; c.out.Mutex < L.
938 func (c *Conn) readHandshake() (interface{}, error) {
939 for c.hand.Len() < 4 {
940 if err := c.in.err; err != nil {
941 return nil, err
942 }
943 if err := c.readRecord(recordTypeHandshake); err != nil {
944 return nil, err
945 }
946 }
947
948 data := c.hand.Bytes()
949 n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
950 if n > maxHandshake {
951 c.sendAlertLocked(alertInternalError)
952 return nil, c.in.setErrorLocked(fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshake))
953 }
954 for c.hand.Len() < 4+n {
955 if err := c.in.err; err != nil {
956 return nil, err
957 }
958 if err := c.readRecord(recordTypeHandshake); err != nil {
959 return nil, err
960 }
961 }
962 data = c.hand.Next(4 + n)
963 var m handshakeMessage
964 switch data[0] {
965 case typeHelloRequest:
966 m = new(helloRequestMsg)
967 case typeClientHello:
968 m = new(clientHelloMsg)
969 case typeServerHello:
970 m = new(serverHelloMsg)
971 case typeNewSessionTicket:
972 m = new(newSessionTicketMsg)
973 case typeCertificate:
974 m = new(certificateMsg)
975 case typeCertificateRequest:
976 m = &certificateRequestMsg{
977 hasSignatureAndHash: c.vers >= VersionTLS12,
978 }
979 case typeCertificateStatus:
980 m = new(certificateStatusMsg)
981 case typeServerKeyExchange:
982 m = new(serverKeyExchangeMsg)
983 case typeServerHelloDone:
984 m = new(serverHelloDoneMsg)
985 case typeClientKeyExchange:
986 m = new(clientKeyExchangeMsg)
987 case typeCertificateVerify:
988 m = &certificateVerifyMsg{
989 hasSignatureAndHash: c.vers >= VersionTLS12,
990 }
991 case typeNextProtocol:
992 m = new(nextProtoMsg)
993 case typeFinished:
994 m = new(finishedMsg)
995 default:
996 return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
997 }
998
999 // The handshake message unmarshalers
1000 // expect to be able to keep references to data,
1001 // so pass in a fresh copy that won't be overwritten.
1002 data = append([]byte(nil), data...)
1003
1004 if !m.unmarshal(data) {
1005 return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
1006 }
1007 return m, nil
1008 }
1009
1010 var (
1011 errClosed = errors.New("tls: use of closed connection")
1012 errShutdown = errors.New("tls: protocol is shutdown")
1013 )
1014
1015 // Write writes data to the connection.
1016 func (c *Conn) Write(b []byte) (int, error) {
1017 // interlock with Close below
1018 for {
1019 x := atomic.LoadInt32(&c.activeCall)
1020 if x&1 != 0 {
1021 return 0, errClosed
1022 }
1023 if atomic.CompareAndSwapInt32(&c.activeCall, x, x+2) {
1024 defer atomic.AddInt32(&c.activeCall, -2)
1025 break
1026 }
1027 }
1028
1029 if err := c.Handshake(); err != nil {
1030 return 0, err
1031 }
1032
1033 c.out.Lock()
1034 defer c.out.Unlock()
1035
1036 if err := c.out.err; err != nil {
1037 return 0, err
1038 }
1039
1040 if !c.handshakeComplete {
1041 return 0, alertInternalError
1042 }
1043
1044 if c.closeNotifySent {
1045 return 0, errShutdown
1046 }
1047
1048 // SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
1049 // attack when using block mode ciphers due to predictable IVs.
1050 // This can be prevented by splitting each Application Data
1051 // record into two records, effectively randomizing the IV.
1052 //
1053 // http://www.openssl.org/~bodo/tls-cbc.txt
1054 // https://bugzilla.mozilla.org/show_bug.cgi?id=665814
1055 // http://www.imperialviolet.org/2012/01/15/beastfollowup.html
1056
1057 var m int
1058 if len(b) > 1 && c.vers <= VersionTLS10 {
1059 if _, ok := c.out.cipher.(cipher.BlockMode); ok {
1060 n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1])
1061 if err != nil {
1062 return n, c.out.setErrorLocked(err)
1063 }
1064 m, b = 1, b[1:]
1065 }
1066 }
1067
1068 n, err := c.writeRecordLocked(recordTypeApplicationData, b)
1069 return n + m, c.out.setErrorLocked(err)
1070 }
1071
1072 // handleRenegotiation processes a HelloRequest handshake message.
1073 // c.in.Mutex <= L
1074 func (c *Conn) handleRenegotiation() error {
1075 msg, err := c.readHandshake()
1076 if err != nil {
1077 return err
1078 }
1079
1080 _, ok := msg.(*helloRequestMsg)
1081 if !ok {
1082 c.sendAlert(alertUnexpectedMessage)
1083 return alertUnexpectedMessage
1084 }
1085
1086 if !c.isClient {
1087 return c.sendAlert(alertNoRenegotiation)
1088 }
1089
1090 switch c.config.Renegotiation {
1091 case RenegotiateNever:
1092 return c.sendAlert(alertNoRenegotiation)
1093 case RenegotiateOnceAsClient:
1094 if c.handshakes > 1 {
1095 return c.sendAlert(alertNoRenegotiation)
1096 }
1097 case RenegotiateFreelyAsClient:
1098 // Ok.
1099 default:
1100 c.sendAlert(alertInternalError)
1101 return errors.New("tls: unknown Renegotiation value")
1102 }
1103
1104 c.handshakeMutex.Lock()
1105 defer c.handshakeMutex.Unlock()
1106
1107 c.handshakeComplete = false
1108 if c.handshakeErr = c.clientHandshake(); c.handshakeErr == nil {
1109 c.handshakes++
1110 }
1111 return c.handshakeErr
1112 }
1113
1114 // Read can be made to time out and return a net.Error with Timeout() == true
1115 // after a fixed time limit; see SetDeadline and SetReadDeadline.
1116 func (c *Conn) Read(b []byte) (n int, err error) {
1117 if err = c.Handshake(); err != nil {
1118 return
1119 }
1120 if len(b) == 0 {
1121 // Put this after Handshake, in case people were calling
1122 // Read(nil) for the side effect of the Handshake.
1123 return
1124 }
1125
1126 c.in.Lock()
1127 defer c.in.Unlock()
1128
1129 // Some OpenSSL servers send empty records in order to randomize the
1130 // CBC IV. So this loop ignores a limited number of empty records.
1131 const maxConsecutiveEmptyRecords = 100
1132 for emptyRecordCount := 0; emptyRecordCount <= maxConsecutiveEmptyRecords; emptyRecordCount++ {
1133 for c.input == nil && c.in.err == nil {
1134 if err := c.readRecord(recordTypeApplicationData); err != nil {
1135 // Soft error, like EAGAIN
1136 return 0, err
1137 }
1138 if c.hand.Len() > 0 {
1139 // We received handshake bytes, indicating the
1140 // start of a renegotiation.
1141 if err := c.handleRenegotiation(); err != nil {
1142 return 0, err
1143 }
1144 }
1145 }
1146 if err := c.in.err; err != nil {
1147 return 0, err
1148 }
1149
1150 n, err = c.input.Read(b)
1151 if c.input.off >= len(c.input.data) {
1152 c.in.freeBlock(c.input)
1153 c.input = nil
1154 }
1155
1156 // If a close-notify alert is waiting, read it so that
1157 // we can return (n, EOF) instead of (n, nil), to signal
1158 // to the HTTP response reading goroutine that the
1159 // connection is now closed. This eliminates a race
1160 // where the HTTP response reading goroutine would
1161 // otherwise not observe the EOF until its next read,
1162 // by which time a client goroutine might have already
1163 // tried to reuse the HTTP connection for a new
1164 // request.
1165 // See https://codereview.appspot.com/76400046
1166 // and https://golang.org/issue/3514
1167 if ri := c.rawInput; ri != nil &&
1168 n != 0 && err == nil &&
1169 c.input == nil && len(ri.data) > 0 && recordType(ri.data[0]) == recordTypeAlert {
1170 if recErr := c.readRecord(recordTypeApplicationData); recErr != nil {
1171 err = recErr // will be io.EOF on closeNotify
1172 }
1173 }
1174
1175 if n != 0 || err != nil {
1176 return n, err
1177 }
1178 }
1179
1180 return 0, io.ErrNoProgress
1181 }
1182
1183 // Close closes the connection.
1184 func (c *Conn) Close() error {
1185 // Interlock with Conn.Write above.
1186 var x int32
1187 for {
1188 x = atomic.LoadInt32(&c.activeCall)
1189 if x&1 != 0 {
1190 return errClosed
1191 }
1192 if atomic.CompareAndSwapInt32(&c.activeCall, x, x|1) {
1193 break
1194 }
1195 }
1196 if x != 0 {
1197 // io.Writer and io.Closer should not be used concurrently.
1198 // If Close is called while a Write is currently in-flight,
1199 // interpret that as a sign that this Close is really just
1200 // being used to break the Write and/or clean up resources and
1201 // avoid sending the alertCloseNotify, which may block
1202 // waiting on handshakeMutex or the c.out mutex.
1203 return c.conn.Close()
1204 }
1205
1206 var alertErr error
1207
1208 c.handshakeMutex.Lock()
1209 if c.handshakeComplete {
1210 alertErr = c.closeNotify()
1211 }
1212 c.handshakeMutex.Unlock()
1213
1214 if err := c.conn.Close(); err != nil {
1215 return err
1216 }
1217 return alertErr
1218 }
1219
1220 var errEarlyCloseWrite = errors.New("tls: CloseWrite called before handshake complete")
1221
1222 // CloseWrite shuts down the writing side of the connection. It should only be
1223 // called once the handshake has completed and does not call CloseWrite on the
1224 // underlying connection. Most callers should just use Close.
1225 func (c *Conn) CloseWrite() error {
1226 c.handshakeMutex.Lock()
1227 defer c.handshakeMutex.Unlock()
1228 if !c.handshakeComplete {
1229 return errEarlyCloseWrite
1230 }
1231
1232 return c.closeNotify()
1233 }
1234
1235 func (c *Conn) closeNotify() error {
1236 c.out.Lock()
1237 defer c.out.Unlock()
1238
1239 if !c.closeNotifySent {
1240 c.closeNotifyErr = c.sendAlertLocked(alertCloseNotify)
1241 c.closeNotifySent = true
1242 }
1243 return c.closeNotifyErr
1244 }
1245
1246 // Handshake runs the client or server handshake
1247 // protocol if it has not yet been run.
1248 // Most uses of this package need not call Handshake
1249 // explicitly: the first Read or Write will call it automatically.
1250 func (c *Conn) Handshake() error {
1251 // c.handshakeErr and c.handshakeComplete are protected by
1252 // c.handshakeMutex. In order to perform a handshake, we need to lock
1253 // c.in also and c.handshakeMutex must be locked after c.in.
1254 //
1255 // However, if a Read() operation is hanging then it'll be holding the
1256 // lock on c.in and so taking it here would cause all operations that
1257 // need to check whether a handshake is pending (such as Write) to
1258 // block.
1259 //
1260 // Thus we first take c.handshakeMutex to check whether a handshake is
1261 // needed.
1262 //
1263 // If so then, previously, this code would unlock handshakeMutex and
1264 // then lock c.in and handshakeMutex in the correct order to run the
1265 // handshake. The problem was that it was possible for a Read to
1266 // complete the handshake once handshakeMutex was unlocked and then
1267 // keep c.in while waiting for network data. Thus a concurrent
1268 // operation could be blocked on c.in.
1269 //
1270 // Thus handshakeCond is used to signal that a goroutine is committed
1271 // to running the handshake and other goroutines can wait on it if they
1272 // need. handshakeCond is protected by handshakeMutex.
1273 c.handshakeMutex.Lock()
1274 defer c.handshakeMutex.Unlock()
1275
1276 for {
1277 if err := c.handshakeErr; err != nil {
1278 return err
1279 }
1280 if c.handshakeComplete {
1281 return nil
1282 }
1283 if c.handshakeCond == nil {
1284 break
1285 }
1286
1287 c.handshakeCond.Wait()
1288 }
1289
1290 // Set handshakeCond to indicate that this goroutine is committing to
1291 // running the handshake.
1292 c.handshakeCond = sync.NewCond(&c.handshakeMutex)
1293 c.handshakeMutex.Unlock()
1294
1295 c.in.Lock()
1296 defer c.in.Unlock()
1297
1298 c.handshakeMutex.Lock()
1299
1300 // The handshake cannot have completed when handshakeMutex was unlocked
1301 // because this goroutine set handshakeCond.
1302 if c.handshakeErr != nil || c.handshakeComplete {
1303 panic("handshake should not have been able to complete after handshakeCond was set")
1304 }
1305
1306 if c.isClient {
1307 c.handshakeErr = c.clientHandshake()
1308 } else {
1309 c.handshakeErr = c.serverHandshake()
1310 }
1311 if c.handshakeErr == nil {
1312 c.handshakes++
1313 } else {
1314 // If an error occurred during the hadshake try to flush the
1315 // alert that might be left in the buffer.
1316 c.flush()
1317 }
1318
1319 if c.handshakeErr == nil && !c.handshakeComplete {
1320 panic("handshake should have had a result.")
1321 }
1322
1323 // Wake any other goroutines that are waiting for this handshake to
1324 // complete.
1325 c.handshakeCond.Broadcast()
1326 c.handshakeCond = nil
1327
1328 return c.handshakeErr
1329 }
1330
1331 // ConnectionState returns basic TLS details about the connection.
1332 func (c *Conn) ConnectionState() ConnectionState {
1333 c.handshakeMutex.Lock()
1334 defer c.handshakeMutex.Unlock()
1335
1336 var state ConnectionState
1337 state.HandshakeComplete = c.handshakeComplete
1338 state.ServerName = c.serverName
1339
1340 if c.handshakeComplete {
1341 state.Version = c.vers
1342 state.NegotiatedProtocol = c.clientProtocol
1343 state.DidResume = c.didResume
1344 state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback
1345 state.CipherSuite = c.cipherSuite
1346 state.PeerCertificates = c.peerCertificates
1347 state.VerifiedChains = c.verifiedChains
1348 state.SignedCertificateTimestamps = c.scts
1349 state.OCSPResponse = c.ocspResponse
1350 if !c.didResume {
1351 if c.clientFinishedIsFirst {
1352 state.TLSUnique = c.clientFinished[:]
1353 } else {
1354 state.TLSUnique = c.serverFinished[:]
1355 }
1356 }
1357 }
1358
1359 return state
1360 }
1361
1362 // OCSPResponse returns the stapled OCSP response from the TLS server, if
1363 // any. (Only valid for client connections.)
1364 func (c *Conn) OCSPResponse() []byte {
1365 c.handshakeMutex.Lock()
1366 defer c.handshakeMutex.Unlock()
1367
1368 return c.ocspResponse
1369 }
1370
1371 // VerifyHostname checks that the peer certificate chain is valid for
1372 // connecting to host. If so, it returns nil; if not, it returns an error
1373 // describing the problem.
1374 func (c *Conn) VerifyHostname(host string) error {
1375 c.handshakeMutex.Lock()
1376 defer c.handshakeMutex.Unlock()
1377 if !c.isClient {
1378 return errors.New("tls: VerifyHostname called on TLS server connection")
1379 }
1380 if !c.handshakeComplete {
1381 return errors.New("tls: handshake has not yet been performed")
1382 }
1383 if len(c.verifiedChains) == 0 {
1384 return errors.New("tls: handshake did not verify certificate chain")
1385 }
1386 return c.peerCertificates[0].VerifyHostname(host)
1387 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org