github.com/ccccaoqing/test@v0.0.0-20220510085219-3985d23445c0/src/crypto/tls/tls.go

github.com/ccccaoqing/test@v0.0.0-20220510085219-3985d23445c0/src/crypto/tls/tls.go (about)

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package tls partially implements TLS 1.2, as specified in RFC 5246.
     6  package tls
     7  
     8  import (
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/rsa"
    12  	"crypto/x509"
    13  	"encoding/pem"
    14  	"errors"
    15  	"io/ioutil"
    16  	"net"
    17  	"strings"
    18  	"time"
    19  )
    20  
    21  // Server returns a new TLS server side connection
    22  // using conn as the underlying transport.
    23  // The configuration config must be non-nil and must have
    24  // at least one certificate.
    25  func Server(conn net.Conn, config *Config) *Conn {
    26  	return &Conn{conn: conn, config: config}
    27  }
    28  
    29  // Client returns a new TLS client side connection
    30  // using conn as the underlying transport.
    31  // The config cannot be nil: users must set either ServerName or
    32  // InsecureSkipVerify in the config.
    33  func Client(conn net.Conn, config *Config) *Conn {
    34  	return &Conn{conn: conn, config: config, isClient: true}
    35  }
    36  
    37  // A listener implements a network listener (net.Listener) for TLS connections.
    38  type listener struct {
    39  	net.Listener
    40  	config *Config
    41  }
    42  
    43  // Accept waits for and returns the next incoming TLS connection.
    44  // The returned connection c is a *tls.Conn.
    45  func (l *listener) Accept() (c net.Conn, err error) {
    46  	c, err = l.Listener.Accept()
    47  	if err != nil {
    48  		return
    49  	}
    50  	c = Server(c, l.config)
    51  	return
    52  }
    53  
    54  // NewListener creates a Listener which accepts connections from an inner
    55  // Listener and wraps each connection with Server.
    56  // The configuration config must be non-nil and must have
    57  // at least one certificate.
    58  func NewListener(inner net.Listener, config *Config) net.Listener {
    59  	l := new(listener)
    60  	l.Listener = inner
    61  	l.config = config
    62  	return l
    63  }
    64  
    65  // Listen creates a TLS listener accepting connections on the
    66  // given network address using net.Listen.
    67  // The configuration config must be non-nil and must have
    68  // at least one certificate.
    69  func Listen(network, laddr string, config *Config) (net.Listener, error) {
    70  	if config == nil || len(config.Certificates) == 0 {
    71  		return nil, errors.New("tls.Listen: no certificates in configuration")
    72  	}
    73  	l, err := net.Listen(network, laddr)
    74  	if err != nil {
    75  		return nil, err
    76  	}
    77  	return NewListener(l, config), nil
    78  }
    79  
    80  type timeoutError struct{}
    81  
    82  func (timeoutError) Error() string   { return "tls: DialWithDialer timed out" }
    83  func (timeoutError) Timeout() bool   { return true }
    84  func (timeoutError) Temporary() bool { return true }
    85  
    86  // DialWithDialer connects to the given network address using dialer.Dial and
    87  // then initiates a TLS handshake, returning the resulting TLS connection. Any
    88  // timeout or deadline given in the dialer apply to connection and TLS
    89  // handshake as a whole.
    90  //
    91  // DialWithDialer interprets a nil configuration as equivalent to the zero
    92  // configuration; see the documentation of Config for the defaults.
    93  func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*Conn, error) {
    94  	// We want the Timeout and Deadline values from dialer to cover the
    95  	// whole process: TCP connection and TLS handshake. This means that we
    96  	// also need to start our own timers now.
    97  	timeout := dialer.Timeout
    98  
    99  	if !dialer.Deadline.IsZero() {
   100  		deadlineTimeout := dialer.Deadline.Sub(time.Now())
   101  		if timeout == 0 || deadlineTimeout < timeout {
   102  			timeout = deadlineTimeout
   103  		}
   104  	}
   105  
   106  	var errChannel chan error
   107  
   108  	if timeout != 0 {
   109  		errChannel = make(chan error, 2)
   110  		time.AfterFunc(timeout, func() {
   111  			errChannel <- timeoutError{}
   112  		})
   113  	}
   114  
   115  	rawConn, err := dialer.Dial(network, addr)
   116  	if err != nil {
   117  		return nil, err
   118  	}
   119  
   120  	colonPos := strings.LastIndex(addr, ":")
   121  	if colonPos == -1 {
   122  		colonPos = len(addr)
   123  	}
   124  	hostname := addr[:colonPos]
   125  
   126  	if config == nil {
   127  		config = defaultConfig()
   128  	}
   129  	// If no ServerName is set, infer the ServerName
   130  	// from the hostname we're connecting to.
   131  	if config.ServerName == "" {
   132  		// Make a copy to avoid polluting argument or default.
   133  		c := *config
   134  		c.ServerName = hostname
   135  		config = &c
   136  	}
   137  
   138  	conn := Client(rawConn, config)
   139  
   140  	if timeout == 0 {
   141  		err = conn.Handshake()
   142  	} else {
   143  		go func() {
   144  			errChannel <- conn.Handshake()
   145  		}()
   146  
   147  		err = <-errChannel
   148  	}
   149  
   150  	if err != nil {
   151  		rawConn.Close()
   152  		return nil, err
   153  	}
   154  
   155  	return conn, nil
   156  }
   157  
   158  // Dial connects to the given network address using net.Dial
   159  // and then initiates a TLS handshake, returning the resulting
   160  // TLS connection.
   161  // Dial interprets a nil configuration as equivalent to
   162  // the zero configuration; see the documentation of Config
   163  // for the defaults.
   164  func Dial(network, addr string, config *Config) (*Conn, error) {
   165  	return DialWithDialer(new(net.Dialer), network, addr, config)
   166  }
   167  
   168  // LoadX509KeyPair reads and parses a public/private key pair from a pair of
   169  // files. The files must contain PEM encoded data.
   170  func LoadX509KeyPair(certFile, keyFile string) (cert Certificate, err error) {
   171  	certPEMBlock, err := ioutil.ReadFile(certFile)
   172  	if err != nil {
   173  		return
   174  	}
   175  	keyPEMBlock, err := ioutil.ReadFile(keyFile)
   176  	if err != nil {
   177  		return
   178  	}
   179  	return X509KeyPair(certPEMBlock, keyPEMBlock)
   180  }
   181  
   182  // X509KeyPair parses a public/private key pair from a pair of
   183  // PEM encoded data.
   184  func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error) {
   185  	var certDERBlock *pem.Block
   186  	for {
   187  		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
   188  		if certDERBlock == nil {
   189  			break
   190  		}
   191  		if certDERBlock.Type == "CERTIFICATE" {
   192  			cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
   193  		}
   194  	}
   195  
   196  	if len(cert.Certificate) == 0 {
   197  		err = errors.New("crypto/tls: failed to parse certificate PEM data")
   198  		return
   199  	}
   200  
   201  	var keyDERBlock *pem.Block
   202  	for {
   203  		keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
   204  		if keyDERBlock == nil {
   205  			err = errors.New("crypto/tls: failed to parse key PEM data")
   206  			return
   207  		}
   208  		if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
   209  			break
   210  		}
   211  	}
   212  
   213  	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
   214  	if err != nil {
   215  		return
   216  	}
   217  
   218  	// We don't need to parse the public key for TLS, but we so do anyway
   219  	// to check that it looks sane and matches the private key.
   220  	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
   221  	if err != nil {
   222  		return
   223  	}
   224  
   225  	switch pub := x509Cert.PublicKey.(type) {
   226  	case *rsa.PublicKey:
   227  		priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
   228  		if !ok {
   229  			err = errors.New("crypto/tls: private key type does not match public key type")
   230  			return
   231  		}
   232  		if pub.N.Cmp(priv.N) != 0 {
   233  			err = errors.New("crypto/tls: private key does not match public key")
   234  			return
   235  		}
   236  	case *ecdsa.PublicKey:
   237  		priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
   238  		if !ok {
   239  			err = errors.New("crypto/tls: private key type does not match public key type")
   240  			return
   241  
   242  		}
   243  		if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
   244  			err = errors.New("crypto/tls: private key does not match public key")
   245  			return
   246  		}
   247  	default:
   248  		err = errors.New("crypto/tls: unknown public key algorithm")
   249  		return
   250  	}
   251  
   252  	return
   253  }
   254  
   255  // Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
   256  // PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
   257  // OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
   258  func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
   259  	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
   260  		return key, nil
   261  	}
   262  	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
   263  		switch key := key.(type) {
   264  		case *rsa.PrivateKey, *ecdsa.PrivateKey:
   265  			return key, nil
   266  		default:
   267  			return nil, errors.New("crypto/tls: found unknown private key type in PKCS#8 wrapping")
   268  		}
   269  	}
   270  	if key, err := x509.ParseECPrivateKey(der); err == nil {
   271  		return key, nil
   272  	}
   273  
   274  	return nil, errors.New("crypto/tls: failed to parse private key")
   275  }