OLD | NEW |
1 // Copyright 2009 The Go Authors. All rights reserved. | 1 // Copyright 2009 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 package tls | 5 package tls |
6 | 6 |
7 import ( | 7 import ( |
8 "crypto" | 8 "crypto" |
9 "crypto/rand" | 9 "crypto/rand" |
10 "crypto/x509" | 10 "crypto/x509" |
(...skipping 93 matching lines...)
104 // ServerName contains the server name indicated by the client, if any. | 104 // ServerName contains the server name indicated by the client, if any. |
105 // (Only valid for server connections.) | 105 // (Only valid for server connections.) |
106 ServerName string | 106 ServerName string |
107 | 107 |
108 // the certificate chain that was presented by the other side | 108 // the certificate chain that was presented by the other side |
109 PeerCertificates []*x509.Certificate | 109 PeerCertificates []*x509.Certificate |
110 // the verified certificate chains built from PeerCertificates. | 110 // the verified certificate chains built from PeerCertificates. |
111 VerifiedChains [][]*x509.Certificate | 111 VerifiedChains [][]*x509.Certificate |
112 } | 112 } |
113 | 113 |
| 114 // ClientAuthType declares the policy the server will follow for |
| 115 // TLS Client Authentication. |
| 116 type ClientAuthType int |
| 117 |
| 118 const ( |
| 119 NoClientCert ClientAuthType = iota |
| 120 RequestClientCert |
| 121 RequireAnyClientCert |
| 122 VerifyClientCertIfGiven |
| 123 RequireAndVerifyClientCert |
| 124 ) |
| 125 |
114 // A Config structure is used to configure a TLS client or server. After one | 126 // A Config structure is used to configure a TLS client or server. After one |
115 // has been passed to a TLS function it must not be modified. | 127 // has been passed to a TLS function it must not be modified. |
116 type Config struct { | 128 type Config struct { |
117 // Rand provides the source of entropy for nonces and RSA blinding. | 129 // Rand provides the source of entropy for nonces and RSA blinding. |
118 // If Rand is nil, TLS uses the cryptographic random reader in package | 130 // If Rand is nil, TLS uses the cryptographic random reader in package |
119 // crypto/rand. | 131 // crypto/rand. |
120 Rand io.Reader | 132 Rand io.Reader |
121 | 133 |
122 // Time returns the current time as the number of seconds since the epoc
h. | 134 // Time returns the current time as the number of seconds since the epoc
h. |
123 » // If Time is nil, TLS uses the system time.Seconds. | 135 » // If Time is nil, TLS uses time.Now. |
124 Time func() time.Time | 136 Time func() time.Time |
125 | 137 |
126 // Certificates contains one or more certificate chains | 138 // Certificates contains one or more certificate chains |
127 // to present to the other side of the connection. | 139 // to present to the other side of the connection. |
128 // Server configurations must include at least one certificate. | 140 // Server configurations must include at least one certificate. |
129 Certificates []Certificate | 141 Certificates []Certificate |
130 | 142 |
131 // NameToCertificate maps from a certificate name to an element of | 143 // NameToCertificate maps from a certificate name to an element of |
132 // Certificates. Note that a certificate name can be of the form | 144 // Certificates. Note that a certificate name can be of the form |
133 // '*.example.com' and so doesn't have to be a domain name as such. | 145 // '*.example.com' and so doesn't have to be a domain name as such. |
134 // See Config.BuildNameToCertificate | 146 // See Config.BuildNameToCertificate |
135 // The nil value causes the first element of Certificates to be used | 147 // The nil value causes the first element of Certificates to be used |
136 // for all connections. | 148 // for all connections. |
137 NameToCertificate map[string]*Certificate | 149 NameToCertificate map[string]*Certificate |
138 | 150 |
139 // RootCAs defines the set of root certificate authorities | 151 // RootCAs defines the set of root certificate authorities |
140 // that clients use when verifying server certificates. | 152 // that clients use when verifying server certificates. |
141 // If RootCAs is nil, TLS uses the host's root CA set. | 153 // If RootCAs is nil, TLS uses the host's root CA set. |
142 RootCAs *x509.CertPool | 154 RootCAs *x509.CertPool |
143 | 155 |
144 // NextProtos is a list of supported, application level protocols. | 156 // NextProtos is a list of supported, application level protocols. |
145 NextProtos []string | 157 NextProtos []string |
146 | 158 |
147 // ServerName is included in the client's handshake to support virtual | 159 // ServerName is included in the client's handshake to support virtual |
148 // hosting. | 160 // hosting. |
149 ServerName string | 161 ServerName string |
150 | 162 |
151 » // AuthenticateClient controls whether a server will request a certifica
te | 163 » // ClientAuth determines the server's policy for |
152 » // from the client. It does not require that the client send a | 164 » // TLS Client Authentication. The default is NoClientCert. |
153 » // certificate nor does it require that the certificate sent be | 165 » ClientAuth ClientAuthType |
154 » // anything more than self-signed. | 166 |
155 » AuthenticateClient bool | 167 » // ClientCAs defines the set of root certificate authorities |
| 168 » // that servers use if required to verify a client certificate |
| 169 » // by the policy in ClientAuth. |
| 170 » ClientCAs *x509.CertPool |
156 | 171 |
157 // InsecureSkipVerify controls whether a client verifies the | 172 // InsecureSkipVerify controls whether a client verifies the |
158 // server's certificate chain and host name. | 173 // server's certificate chain and host name. |
159 // If InsecureSkipVerify is true, TLS accepts any certificate | 174 // If InsecureSkipVerify is true, TLS accepts any certificate |
160 // presented by the server and any host name in that certificate. | 175 // presented by the server and any host name in that certificate. |
161 // In this mode, TLS is susceptible to man-in-the-middle attacks. | 176 // In this mode, TLS is susceptible to man-in-the-middle attacks. |
162 // This should be used only for testing. | 177 // This should be used only for testing. |
163 InsecureSkipVerify bool | 178 InsecureSkipVerify bool |
164 | 179 |
165 // CipherSuites is a list of supported cipher suites. If CipherSuites | 180 // CipherSuites is a list of supported cipher suites. If CipherSuites |
(...skipping 86 matching lines...)
252 } | 267 } |
253 } | 268 } |
254 | 269 |
255 // A Certificate is a chain of one or more certificates, leaf first. | 270 // A Certificate is a chain of one or more certificates, leaf first. |
256 type Certificate struct { | 271 type Certificate struct { |
257 Certificate [][]byte | 272 Certificate [][]byte |
258 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey | 273 PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey |
259 // OCSPStaple contains an optional OCSP response which will be served | 274 // OCSPStaple contains an optional OCSP response which will be served |
260 // to clients that request it. | 275 // to clients that request it. |
261 OCSPStaple []byte | 276 OCSPStaple []byte |
| 277 // ParsedLeaf is the parsed form of the leaf certificate, which may be |
| 278 // initialized by callers using x509.ParseCertificate to reduce |
| 279 // per-handshake processing. If nil, the leaf certificate will |
| 280 // be parsed during each SSL handshake. |
| 281 ParsedLeaf *x509.Certificate |
262 } | 282 } |
263 | 283 |
264 // A TLS record. | 284 // A TLS record. |
265 type record struct { | 285 type record struct { |
266 contentType recordType | 286 contentType recordType |
267 major, minor uint8 | 287 major, minor uint8 |
268 payload []byte | 288 payload []byte |
269 } | 289 } |
270 | 290 |
271 type handshakeMessage interface { | 291 type handshakeMessage interface { |
(...skipping 40 matching lines...)
312 varDefaultRoots *x509.CertPool | 332 varDefaultRoots *x509.CertPool |
313 varDefaultCipherSuites []uint16 | 333 varDefaultCipherSuites []uint16 |
314 ) | 334 ) |
315 | 335 |
316 func initDefaultCipherSuites() { | 336 func initDefaultCipherSuites() { |
317 varDefaultCipherSuites = make([]uint16, len(cipherSuites)) | 337 varDefaultCipherSuites = make([]uint16, len(cipherSuites)) |
318 for i, suite := range cipherSuites { | 338 for i, suite := range cipherSuites { |
319 varDefaultCipherSuites[i] = suite.id | 339 varDefaultCipherSuites[i] = suite.id |
320 } | 340 } |
321 } | 341 } |
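Review bot: The five ClientAuthType constants at new lines 119-123 have no per-value comments, and the caveat in the removed AuthenticateClient comment (a client need not send a certificate, and one that is sent need not be more than self-signed) is no longer stated anywhere. Going by the names alone, RequestClientCert and RequireAnyClientCert do not appear to verify the chain, so a server that reads PeerCertificates rather than VerifiedChains under those policies would be treating an unverified certificate as an identity. The handshake code is outside this view, so that behaviour should be confirmed and then written on each constant, for example `// RequireAnyClientCert requires a certificate but does not verify it against ClientCAs.` The ClientCAs comment at new lines 167-169 should also say what a nil pool means under the two verifying policies, as the RootCAs comment does for its nil case.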