Delta Between Two Patch Sets: src/pkg/net/http/transport.go

Issue 128930043: code review 128930043: net/http: optional TLSVerifyCallback func for Transport
Left Patch Set: diff -r 0449858880beeb4216dc94ac59892205473f6f78 https://code.google.com/p/go Created 9 years, 7 months ago
Right Patch Set: diff -r 7e5e03f8413588757bfd33f63a4ebb8d1d8f1753 https://code.google.com/p/go Created 9 years, 7 months ago
1 // Copyright 2011 The Go Authors. All rights reserved. 1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style 2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file. 3 // license that can be found in the LICENSE file.
4 4
5 // HTTP client implementation. See RFC 2616. 5 // HTTP client implementation. See RFC 2616.
6 // 6 //
7 // This is the low-level Transport implementation of RoundTripper. 7 // This is the low-level Transport implementation of RoundTripper.
8 // The high-level interface is in client.go. 8 // The high-level interface is in client.go.
9 9
10 package http 10 package http
67 Dial func(network, addr string) (net.Conn, error) 67 Dial func(network, addr string) (net.Conn, error)
68 68
69 // TLSClientConfig specifies the TLS configuration to use with 69 // TLSClientConfig specifies the TLS configuration to use with
70 // tls.Client. If nil, the default configuration is used. 70 // tls.Client. If nil, the default configuration is used.
71 TLSClientConfig *tls.Config 71 TLSClientConfig *tls.Config
72 72
73 // TLSHandshakeTimeout specifies the maximum amount of time waiting to 73 // TLSHandshakeTimeout specifies the maximum amount of time waiting to
74 // wait for a TLS handshake. Zero means no timeout. 74 // wait for a TLS handshake. Zero means no timeout.
75 TLSHandshakeTimeout time.Duration 75 TLSHandshakeTimeout time.Duration
76 76
77 » // TLSVerifyCallback, if non-nil, is invoked right before hostname 77 » // TLSVerify optionally specifies a validity check on new TLS client
bradfitz 2014/08/13 00:48:44 I think I'd drop the word "Callback". Dial and Pro
cee-dub 2014/08/13 07:19:57 Done.
78 » // verification, and offers an opportunity for callers to augment TLS 78 » // connections. The function must not mutate the Config or connection.
79 » // policy. The config is the actual built config as augmented with 79 » // If nil, only the hostname is checked. It is an error to set TLSVerify
80 » // hostnames, which can be used to change the hostname used for 80 » // when TLSClientConfig.InsecureSkipVerify is true.
81 » // verification. If an error is returned, the connection is aborted. 81 » TLSVerify func(*tls.Conn, *tls.Config) error
82 » TLSVerifyCallback func(*tls.Conn, *tls.Config) error
83 82
84 // DisableKeepAlives, if true, prevents re-use of TCP connections 83 // DisableKeepAlives, if true, prevents re-use of TCP connections
85 // between different HTTP requests. 84 // between different HTTP requests.
86 DisableKeepAlives bool 85 DisableKeepAlives bool
87 86
88 // DisableCompression, if true, prevents the Transport from 87 // DisableCompression, if true, prevents the Transport from
89 // requesting compression with an "Accept-Encoding: gzip" 88 // requesting compression with an "Accept-Encoding: gzip"
90 // request header when the Request contains no existing 89 // request header when the Request contains no existing
91 // Accept-Encoding value. If the Transport requests gzip on 90 // Accept-Encoding value. If the Transport requests gzip on
92 // its own and gets a gzipped response, it's transparently 91 // its own and gets a gzipped response, it's transparently
584 err := tlsConn.Handshake() 583 err := tlsConn.Handshake()
585 if timer != nil { 584 if timer != nil {
586 timer.Stop() 585 timer.Stop()
587 } 586 }
588 errc <- err 587 errc <- err
589 }() 588 }()
590 if err := <-errc; err != nil { 589 if err := <-errc; err != nil {
591 plainConn.Close() 590 plainConn.Close()
592 return nil, err 591 return nil, err
593 } 592 }
594 » » if t.TLSVerifyCallback != nil { 593 » » if err := t.tlsVerify(tlsConn, cfg); err != nil {
595 » » » if err := t.TLSVerifyCallback(tlsConn, cfg); err != nil { 594 » » » plainConn.Close()
596 » » » » return nil, err 595 » » » return nil, err
597 » » » }
598 » » }
599 » » if !cfg.InsecureSkipVerify {
600 » » » if err := tlsConn.VerifyHostname(cfg.ServerName); err != nil {
601 » » » » plainConn.Close()
602 » » » » return nil, err
603 » » » }
604 } 596 }
605 cs := tlsConn.ConnectionState() 597 cs := tlsConn.ConnectionState()
606 pconn.tlsState = &cs 598 pconn.tlsState = &cs
607 pconn.conn = tlsConn 599 pconn.conn = tlsConn
608 } 600 }
609 601
610 pconn.br = bufio.NewReader(noteEOFReader{pconn.conn, &pconn.sawEOF}) 602 pconn.br = bufio.NewReader(noteEOFReader{pconn.conn, &pconn.sawEOF})
611 pconn.bw = bufio.NewWriter(pconn.conn) 603 pconn.bw = bufio.NewWriter(pconn.conn)
612 go pconn.readLoop() 604 go pconn.readLoop()
613 go pconn.writeLoop() 605 go pconn.writeLoop()
614 return pconn, nil 606 return pconn, nil
607 }
608
609 // tlsVerify returns errors from a call to either of TLSVerify or VerifyHostname
610 // unless InsecureSkipVerify is set.
611 func (t *Transport) tlsVerify(conn *tls.Conn, cfg *tls.Config) error {
612 if cfg.InsecureSkipVerify {
613 if t.TLSVerify != nil {
614 return errors.New("http: may not set both TLSVerify in t he Transport and InsecureSkipVerify in the tls.Config")
615 }
616 return nil
617 }
618
619 if t.TLSVerify != nil {
620 return t.TLSVerify(conn, cfg)
621 }
622 return conn.VerifyHostname(cfg.ServerName)
615 } 623 }
616 624
617 // useProxy returns true if requests to addr should use a proxy, 625 // useProxy returns true if requests to addr should use a proxy,
618 // according to the NO_PROXY or no_proxy environment variable. 626 // according to the NO_PROXY or no_proxy environment variable.
619 // addr is always a canonicalAddr with a host and port. 627 // addr is always a canonicalAddr with a host and port.
620 func useProxy(addr string) bool { 628 func useProxy(addr string) bool {
621 if len(addr) == 0 { 629 if len(addr) == 0 {
622 return true 630 return true
623 } 631 }
624 host, _, err := net.SplitHostPort(addr) 632 host, _, err := net.SplitHostPort(addr)
1211 sawEOF *bool 1219 sawEOF *bool
1212 } 1220 }
1213 1221
1214 func (nr noteEOFReader) Read(p []byte) (n int, err error) { 1222 func (nr noteEOFReader) Read(p []byte) (n int, err error) {
1215 n, err = nr.r.Read(p) 1223 n, err = nr.r.Read(p)
1216 if err == io.EOF { 1224 if err == io.EOF {
1217 *nr.sawEOF = true 1225 *nr.sawEOF = true
1218 } 1226 }
1219 return 1227 return
1220 } 1228 }
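Review bot: The field comment on the right side of the TLSVerify hunk does not say that a non-nil TLSVerify replaces the hostname check rather than adding to it, which is what tlsVerify does: when t.TLSVerify is non-nil it returns the callback's result and never reaches conn.VerifyHostname(cfg.ServerName). A caller who installs a callback for extra policy (pinning, say) and forgets to check the hostname silently loses whatever that explicit check was providing on top of the handshake, so the contract belongs in the doc comment, something like `// If non-nil, TLSVerify is used instead of the hostname check; the function should call conn.VerifyHostname(cfg.ServerName) itself if that check is still wanted.` It is also worth noting in the same comment that the TLSVerify/InsecureSkipVerify conflict is only reported when a connection is dialed (after the handshake has completed), not when the Transport is configured, since that is where a misconfiguration will first surface. The dialConn body enclosing the first hunk starts outside the shown lines.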
