Side by Side Diff: src/pkg/crypto/tls/common.go

Issue 5262041: code review 5262041: crypto/tls: fetch root certificates using Mac OS API (Closed)
Patch Set: diff -r 988a7f023895 https://go.googlecode.com/hg/ Created 12 years, 5 months ago
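--- a/src/pkg/crypto/tls/common.go
+++ b/src/pkg/crypto/tls/common.go
@@ -1,22 +1,21 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 package tls
 
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"io"
-	"io/ioutil"
 	"strings"
 	"sync"
 	"time"
 )
 
 const (
 	maxPlaintext = 16384 // maximum plaintext payload length
 	maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
 	recordHeaderLen = 5 // record header length
 	maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
@@ -148,20 +147,28 @@
 	// ServerName is included in the client's handshake to support virtual
 	// hosting.
 	ServerName string
 
 	// AuthenticateClient controls whether a server will request a certificate
 	// from the client. It does not require that the client send a
 	// certificate nor does it require that the certificate sent be
 	// anything more than self-signed.
 	AuthenticateClient bool
 
+	// InsecureSkipVerify controls whether a client verifies the
+	// server's certificate chain and host name.
+	// If InsecureSkipVerify is true, TLS accepts any certificate
+	// presented by the server and any host name in that certificate.
+	// In this mode, TLS is susceptible to man-in-the-middle attacks.
+	// This should be used only for testing.
+	InsecureSkipVerify bool
+
 	// CipherSuites is a list of supported cipher suites. If CipherSuites
 	// is nil, TLS uses a list of suites supported by the implementation.
 	CipherSuites []uint16
 }
 
 func (c *Config) rand() io.Reader {
 	r := c.Rand
 	if r == nil {
 		return rand.Reader
 	}
@@ -277,60 +284,40 @@
 	}
 	return vers, true
 }
 
 var emptyConfig Config
 
 func defaultConfig() *Config {
 	return &emptyConfig
 }
 
-// Possible certificate files; stop after finding one.
-// On OS X we should really be using the Directory Services keychain
-// but that requires a lot of Mach goo to get at. Instead we use
-// the same root set that curl uses.
-var certFiles = []string{
-	"/etc/ssl/certs/ca-certificates.crt", // Linux etc
-	"/usr/share/curl/curl-ca-bundle.crt", // OS X
-}
-
 var once sync.Once
 
 func defaultRoots() *x509.CertPool {
 	once.Do(initDefaults)
 	return varDefaultRoots
 }
 
 func defaultCipherSuites() []uint16 {
 	once.Do(initDefaults)
 	return varDefaultCipherSuites
 }
 
 func initDefaults() {
 	initDefaultRoots()
 	initDefaultCipherSuites()
 }
 
-var varDefaultRoots *x509.CertPool
-
-func initDefaultRoots() {
-	roots := x509.NewCertPool()
-	for _, file := range certFiles {
-		data, err := ioutil.ReadFile(file)
-		if err == nil {
-			roots.AppendCertsFromPEM(data)
-			break
-		}
-	}
-	varDefaultRoots = roots
-}
-
-var varDefaultCipherSuites []uint16
+var (
+	varDefaultRoots *x509.CertPool
+	varDefaultCipherSuites []uint16
+)
 
 func initDefaultCipherSuites() {
 	varDefaultCipherSuites = make([]uint16, len(cipherSuites))
 	i := 0
 	for id := range cipherSuites {
 		varDefaultCipherSuites[i] = id
 		i++
 	}
 }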
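Review bot: With initDefaultRoots removed from this file, the requirement that it assign a non-nil *x509.CertPool to varDefaultRoots is now implicit, while defaultRoots() still hands that variable straight to callers that will verify server chains against it. The new var block is the natural place to state the cross-file contract, e.g. `// varDefaultRoots is populated by initDefaultRoots, which is defined per platform in another file; defaultRoots returns it directly, so it must be set to a (possibly empty) pool before once.Do completes.` Presumably the platform-specific files in this change provide initDefaultRoots; since a nil pool versus an empty pool behaves differently at verification time, that presumption is worth recording where the variable is declared. The same note would cover initDefaults, which calls initDefaultRoots without any documented expectation of what it leaves behind.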