Source file src/pkg/crypto/tls/tls.go

     1	// Copyright 2009 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	// Package tls partially implements TLS 1.2, as specified in RFC 5246,
     6	// and TLS 1.3, as specified in RFC 8446.
     7	//
     8	// TLS 1.3 is available on an opt-out basis in Go 1.13. To disable
     9	// it, set the GODEBUG environment variable (comma-separated key=value
    10	// options) such that it includes "tls13=0".
    11	package tls
    12	
    13	// BUG(agl): The crypto/tls package only implements some countermeasures
    14	// against Lucky13 attacks on CBC-mode encryption, and only on SHA1
    15	// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
    16	// https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
    17	
    18	import (
    19		"bytes"
    20		"crypto"
    21		"crypto/ecdsa"
    22		"crypto/ed25519"
    23		"crypto/rsa"
    24		"crypto/x509"
    25		"encoding/pem"
    26		"errors"
    27		"fmt"
    28		"io/ioutil"
    29		"net"
    30		"strings"
    31		"time"
    32	)
    33	
    34	// Server returns a new TLS server side connection
    35	// using conn as the underlying transport.
    36	// The configuration config must be non-nil and must include
    37	// at least one certificate or else set GetCertificate.
    38	func Server(conn net.Conn, config *Config) *Conn {
    39		return &Conn{conn: conn, config: config}
    40	}
    41	
    42	// Client returns a new TLS client side connection
    43	// using conn as the underlying transport.
    44	// The config cannot be nil: users must set either ServerName or
    45	// InsecureSkipVerify in the config.
    46	func Client(conn net.Conn, config *Config) *Conn {
    47		return &Conn{conn: conn, config: config, isClient: true}
    48	}
    49	
    50	// A listener implements a network listener (net.Listener) for TLS connections.
    51	type listener struct {
    52		net.Listener
    53		config *Config
    54	}
    55	
    56	// Accept waits for and returns the next incoming TLS connection.
    57	// The returned connection is of type *Conn.
    58	func (l *listener) Accept() (net.Conn, error) {
    59		c, err := l.Listener.Accept()
    60		if err != nil {
    61			return nil, err
    62		}
    63		return Server(c, l.config), nil
    64	}
    65	
    66	// NewListener creates a Listener which accepts connections from an inner
    67	// Listener and wraps each connection with Server.
    68	// The configuration config must be non-nil and must include
    69	// at least one certificate or else set GetCertificate.
    70	func NewListener(inner net.Listener, config *Config) net.Listener {
    71		l := new(listener)
    72		l.Listener = inner
    73		l.config = config
    74		return l
    75	}
    76	
    77	// Listen creates a TLS listener accepting connections on the
    78	// given network address using net.Listen.
    79	// The configuration config must be non-nil and must include
    80	// at least one certificate or else set GetCertificate.
    81	func Listen(network, laddr string, config *Config) (net.Listener, error) {
    82		if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
    83			return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
    84		}
    85		l, err := net.Listen(network, laddr)
    86		if err != nil {
    87			return nil, err
    88		}
    89		return NewListener(l, config), nil
    90	}
    91	
    92	type timeoutError struct{}
    93	
    94	func (timeoutError) Error() string   { return "tls: DialWithDialer timed out" }
    95	func (timeoutError) Timeout() bool   { return true }
    96	func (timeoutError) Temporary() bool { return true }
    97	
    98	// DialWithDialer connects to the given network address using dialer.Dial and
    99	// then initiates a TLS handshake, returning the resulting TLS connection. Any
   100	// timeout or deadline given in the dialer apply to connection and TLS
   101	// handshake as a whole.
   102	//
   103	// DialWithDialer interprets a nil configuration as equivalent to the zero
   104	// configuration; see the documentation of Config for the defaults.
   105	func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*Conn, error) {
   106		// We want the Timeout and Deadline values from dialer to cover the
   107		// whole process: TCP connection and TLS handshake. This means that we
   108		// also need to start our own timers now.
   109		timeout := dialer.Timeout
   110	
   111		if !dialer.Deadline.IsZero() {
   112			deadlineTimeout := time.Until(dialer.Deadline)
   113			if timeout == 0 || deadlineTimeout < timeout {
   114				timeout = deadlineTimeout
   115			}
   116		}
   117	
   118		var errChannel chan error
   119	
   120		if timeout != 0 {
   121			errChannel = make(chan error, 2)
   122			time.AfterFunc(timeout, func() {
   123				errChannel <- timeoutError{}
   124			})
   125		}
   126	
   127		rawConn, err := dialer.Dial(network, addr)
   128		if err != nil {
   129			return nil, err
   130		}
   131	
   132		colonPos := strings.LastIndex(addr, ":")
   133		if colonPos == -1 {
   134			colonPos = len(addr)
   135		}
   136		hostname := addr[:colonPos]
   137	
   138		if config == nil {
   139			config = defaultConfig()
   140		}
   141		// If no ServerName is set, infer the ServerName
   142		// from the hostname we're connecting to.
   143		if config.ServerName == "" {
   144			// Make a copy to avoid polluting argument or default.
   145			c := config.Clone()
   146			c.ServerName = hostname
   147			config = c
   148		}
   149	
   150		conn := Client(rawConn, config)
   151	
   152		if timeout == 0 {
   153			err = conn.Handshake()
   154		} else {
   155			go func() {
   156				errChannel <- conn.Handshake()
   157			}()
   158	
   159			err = <-errChannel
   160		}
   161	
   162		if err != nil {
   163			rawConn.Close()
   164			return nil, err
   165		}
   166	
   167		return conn, nil
   168	}
   169	
   170	// Dial connects to the given network address using net.Dial
   171	// and then initiates a TLS handshake, returning the resulting
   172	// TLS connection.
   173	// Dial interprets a nil configuration as equivalent to
   174	// the zero configuration; see the documentation of Config
   175	// for the defaults.
   176	func Dial(network, addr string, config *Config) (*Conn, error) {
   177		return DialWithDialer(new(net.Dialer), network, addr, config)
   178	}
   179	
   180	// LoadX509KeyPair reads and parses a public/private key pair from a pair
   181	// of files. The files must contain PEM encoded data. The certificate file
   182	// may contain intermediate certificates following the leaf certificate to
   183	// form a certificate chain. On successful return, Certificate.Leaf will
   184	// be nil because the parsed form of the certificate is not retained.
   185	func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
   186		certPEMBlock, err := ioutil.ReadFile(certFile)
   187		if err != nil {
   188			return Certificate{}, err
   189		}
   190		keyPEMBlock, err := ioutil.ReadFile(keyFile)
   191		if err != nil {
   192			return Certificate{}, err
   193		}
   194		return X509KeyPair(certPEMBlock, keyPEMBlock)
   195	}
   196	
   197	// X509KeyPair parses a public/private key pair from a pair of
   198	// PEM encoded data. On successful return, Certificate.Leaf will be nil because
   199	// the parsed form of the certificate is not retained.
   200	func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
   201		fail := func(err error) (Certificate, error) { return Certificate{}, err }
   202	
   203		var cert Certificate
   204		var skippedBlockTypes []string
   205		for {
   206			var certDERBlock *pem.Block
   207			certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
   208			if certDERBlock == nil {
   209				break
   210			}
   211			if certDERBlock.Type == "CERTIFICATE" {
   212				cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
   213			} else {
   214				skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type)
   215			}
   216		}
   217	
   218		if len(cert.Certificate) == 0 {
   219			if len(skippedBlockTypes) == 0 {
   220				return fail(errors.New("tls: failed to find any PEM data in certificate input"))
   221			}
   222			if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
   223				return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
   224			}
   225			return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
   226		}
   227	
   228		skippedBlockTypes = skippedBlockTypes[:0]
   229		var keyDERBlock *pem.Block
   230		for {
   231			keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
   232			if keyDERBlock == nil {
   233				if len(skippedBlockTypes) == 0 {
   234					return fail(errors.New("tls: failed to find any PEM data in key input"))
   235				}
   236				if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
   237					return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key"))
   238				}
   239				return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
   240			}
   241			if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
   242				break
   243			}
   244			skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
   245		}
   246	
   247		// We don't need to parse the public key for TLS, but we so do anyway
   248		// to check that it looks sane and matches the private key.
   249		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
   250		if err != nil {
   251			return fail(err)
   252		}
   253	
   254		cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
   255		if err != nil {
   256			return fail(err)
   257		}
   258	
   259		switch pub := x509Cert.PublicKey.(type) {
   260		case *rsa.PublicKey:
   261			priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
   262			if !ok {
   263				return fail(errors.New("tls: private key type does not match public key type"))
   264			}
   265			if pub.N.Cmp(priv.N) != 0 {
   266				return fail(errors.New("tls: private key does not match public key"))
   267			}
   268		case *ecdsa.PublicKey:
   269			priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
   270			if !ok {
   271				return fail(errors.New("tls: private key type does not match public key type"))
   272			}
   273			if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
   274				return fail(errors.New("tls: private key does not match public key"))
   275			}
   276		case ed25519.PublicKey:
   277			priv, ok := cert.PrivateKey.(ed25519.PrivateKey)
   278			if !ok {
   279				return fail(errors.New("tls: private key type does not match public key type"))
   280			}
   281			if !bytes.Equal(priv.Public().(ed25519.PublicKey), pub) {
   282				return fail(errors.New("tls: private key does not match public key"))
   283			}
   284		default:
   285			return fail(errors.New("tls: unknown public key algorithm"))
   286		}
   287	
   288		return cert, nil
   289	}
   290	
   291	// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
   292	// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
   293	// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
   294	func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
   295		if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
   296			return key, nil
   297		}
   298		if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
   299			switch key := key.(type) {
   300			case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
   301				return key, nil
   302			default:
   303				return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
   304			}
   305		}
   306		if key, err := x509.ParseECPrivateKey(der); err == nil {
   307			return key, nil
   308		}
   309	
   310		return nil, errors.New("tls: failed to parse private key")
   311	}
   312	

View as plain text