1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// TLS low level connection and record layer 6 7package main 8 9import ( 10 "bytes" 11 "crypto/cipher" 12 "crypto/ecdsa" 13 "crypto/subtle" 14 "crypto/x509" 15 "errors" 16 "fmt" 17 "io" 18 "net" 19 "sync" 20 "time" 21) 22 23// A Conn represents a secured connection. 24// It implements the net.Conn interface. 25type Conn struct { 26 // constant 27 conn net.Conn 28 isDTLS bool 29 isClient bool 30 31 // constant after handshake; protected by handshakeMutex 32 handshakeMutex sync.Mutex // handshakeMutex < in.Mutex, out.Mutex, errMutex 33 handshakeErr error // error resulting from handshake 34 vers uint16 // TLS version 35 haveVers bool // version has been negotiated 36 config *Config // configuration passed to constructor 37 handshakeComplete bool 38 didResume bool // whether this connection was a session resumption 39 cipherSuite uint16 40 ocspResponse []byte // stapled OCSP response 41 peerCertificates []*x509.Certificate 42 // verifiedChains contains the certificate chains that we built, as 43 // opposed to the ones presented by the server. 44 verifiedChains [][]*x509.Certificate 45 // serverName contains the server name indicated by the client, if any. 46 serverName string 47 48 clientProtocol string 49 clientProtocolFallback bool 50 usedALPN bool 51 52 channelID *ecdsa.PublicKey 53 54 // input/output 55 in, out halfConn // in.Mutex < out.Mutex 56 rawInput *block // raw input, right off the wire 57 input *block // application record waiting to be read 58 hand bytes.Buffer // handshake record waiting to be read 59 60 // DTLS state 61 sendHandshakeSeq uint16 62 recvHandshakeSeq uint16 63 handMsg []byte // pending assembled handshake message 64 handMsgLen int // handshake message length, not including the header 65 66 tmp [16]byte 67} 68 69// Access to net.Conn methods. 70// Cannot just embed net.Conn because that would 71// export the struct field too. 72 73// LocalAddr returns the local network address. 74func (c *Conn) LocalAddr() net.Addr { 75 return c.conn.LocalAddr() 76} 77 78// RemoteAddr returns the remote network address. 79func (c *Conn) RemoteAddr() net.Addr { 80 return c.conn.RemoteAddr() 81} 82 83// SetDeadline sets the read and write deadlines associated with the connection. 84// A zero value for t means Read and Write will not time out. 85// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error. 86func (c *Conn) SetDeadline(t time.Time) error { 87 return c.conn.SetDeadline(t) 88} 89 90// SetReadDeadline sets the read deadline on the underlying connection. 91// A zero value for t means Read will not time out. 92func (c *Conn) SetReadDeadline(t time.Time) error { 93 return c.conn.SetReadDeadline(t) 94} 95 96// SetWriteDeadline sets the write deadline on the underlying conneciton. 97// A zero value for t means Write will not time out. 98// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error. 99func (c *Conn) SetWriteDeadline(t time.Time) error { 100 return c.conn.SetWriteDeadline(t) 101} 102 103// A halfConn represents one direction of the record layer 104// connection, either sending or receiving. 105type halfConn struct { 106 sync.Mutex 107 108 err error // first permanent error 109 version uint16 // protocol version 110 isDTLS bool 111 cipher interface{} // cipher algorithm 112 mac macFunction 113 seq [8]byte // 64-bit sequence number 114 bfree *block // list of free blocks 115 116 nextCipher interface{} // next encryption state 117 nextMac macFunction // next MAC algorithm 118 119 // used to save allocating a new buffer for each MAC. 120 inDigestBuf, outDigestBuf []byte 121 122 config *Config 123} 124 125func (hc *halfConn) setErrorLocked(err error) error { 126 hc.err = err 127 return err 128} 129 130func (hc *halfConn) error() error { 131 hc.Lock() 132 err := hc.err 133 hc.Unlock() 134 return err 135} 136 137// prepareCipherSpec sets the encryption and MAC states 138// that a subsequent changeCipherSpec will use. 139func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) { 140 hc.version = version 141 hc.nextCipher = cipher 142 hc.nextMac = mac 143} 144 145// changeCipherSpec changes the encryption and MAC states 146// to the ones previously passed to prepareCipherSpec. 147func (hc *halfConn) changeCipherSpec(config *Config) error { 148 if hc.nextCipher == nil { 149 return alertInternalError 150 } 151 hc.cipher = hc.nextCipher 152 hc.mac = hc.nextMac 153 hc.nextCipher = nil 154 hc.nextMac = nil 155 hc.config = config 156 hc.incEpoch() 157 return nil 158} 159 160// incSeq increments the sequence number. 161func (hc *halfConn) incSeq() { 162 limit := 0 163 if hc.isDTLS { 164 // Increment up to the epoch in DTLS. 165 limit = 2 166 } 167 for i := 7; i >= limit; i-- { 168 hc.seq[i]++ 169 if hc.seq[i] != 0 { 170 return 171 } 172 } 173 174 // Not allowed to let sequence number wrap. 175 // Instead, must renegotiate before it does. 176 // Not likely enough to bother. 177 panic("TLS: sequence number wraparound") 178} 179 180// incEpoch resets the sequence number. In DTLS, it increments the 181// epoch half of the sequence number. 182func (hc *halfConn) incEpoch() { 183 limit := 0 184 if hc.isDTLS { 185 for i := 1; i >= 0; i-- { 186 hc.seq[i]++ 187 if hc.seq[i] != 0 { 188 break 189 } 190 if i == 0 { 191 panic("TLS: epoch number wraparound") 192 } 193 } 194 limit = 2 195 } 196 seq := hc.seq[limit:] 197 for i := range seq { 198 seq[i] = 0 199 } 200} 201 202func (hc *halfConn) recordHeaderLen() int { 203 if hc.isDTLS { 204 return dtlsRecordHeaderLen 205 } 206 return tlsRecordHeaderLen 207} 208 209// removePadding returns an unpadded slice, in constant time, which is a prefix 210// of the input. It also returns a byte which is equal to 255 if the padding 211// was valid and 0 otherwise. See RFC 2246, section 6.2.3.2 212func removePadding(payload []byte) ([]byte, byte) { 213 if len(payload) < 1 { 214 return payload, 0 215 } 216 217 paddingLen := payload[len(payload)-1] 218 t := uint(len(payload)-1) - uint(paddingLen) 219 // if len(payload) >= (paddingLen - 1) then the MSB of t is zero 220 good := byte(int32(^t) >> 31) 221 222 toCheck := 255 // the maximum possible padding length 223 // The length of the padded data is public, so we can use an if here 224 if toCheck+1 > len(payload) { 225 toCheck = len(payload) - 1 226 } 227 228 for i := 0; i < toCheck; i++ { 229 t := uint(paddingLen) - uint(i) 230 // if i <= paddingLen then the MSB of t is zero 231 mask := byte(int32(^t) >> 31) 232 b := payload[len(payload)-1-i] 233 good &^= mask&paddingLen ^ mask&b 234 } 235 236 // We AND together the bits of good and replicate the result across 237 // all the bits. 238 good &= good << 4 239 good &= good << 2 240 good &= good << 1 241 good = uint8(int8(good) >> 7) 242 243 toRemove := good&paddingLen + 1 244 return payload[:len(payload)-int(toRemove)], good 245} 246 247// removePaddingSSL30 is a replacement for removePadding in the case that the 248// protocol version is SSLv3. In this version, the contents of the padding 249// are random and cannot be checked. 250func removePaddingSSL30(payload []byte) ([]byte, byte) { 251 if len(payload) < 1 { 252 return payload, 0 253 } 254 255 paddingLen := int(payload[len(payload)-1]) + 1 256 if paddingLen > len(payload) { 257 return payload, 0 258 } 259 260 return payload[:len(payload)-paddingLen], 255 261} 262 263func roundUp(a, b int) int { 264 return a + (b-a%b)%b 265} 266 267// cbcMode is an interface for block ciphers using cipher block chaining. 268type cbcMode interface { 269 cipher.BlockMode 270 SetIV([]byte) 271} 272 273// decrypt checks and strips the mac and decrypts the data in b. Returns a 274// success boolean, the number of bytes to skip from the start of the record in 275// order to get the application payload, and an optional alert value. 276func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert) { 277 recordHeaderLen := hc.recordHeaderLen() 278 279 // pull out payload 280 payload := b.data[recordHeaderLen:] 281 282 macSize := 0 283 if hc.mac != nil { 284 macSize = hc.mac.Size() 285 } 286 287 paddingGood := byte(255) 288 explicitIVLen := 0 289 290 seq := hc.seq[:] 291 if hc.isDTLS { 292 // DTLS sequence numbers are explicit. 293 seq = b.data[3:11] 294 } 295 296 // decrypt 297 if hc.cipher != nil { 298 switch c := hc.cipher.(type) { 299 case cipher.Stream: 300 c.XORKeyStream(payload, payload) 301 case cipher.AEAD: 302 explicitIVLen = 8 303 if len(payload) < explicitIVLen { 304 return false, 0, alertBadRecordMAC 305 } 306 nonce := payload[:8] 307 payload = payload[8:] 308 309 var additionalData [13]byte 310 copy(additionalData[:], seq) 311 copy(additionalData[8:], b.data[:3]) 312 n := len(payload) - c.Overhead() 313 additionalData[11] = byte(n >> 8) 314 additionalData[12] = byte(n) 315 var err error 316 payload, err = c.Open(payload[:0], nonce, payload, additionalData[:]) 317 if err != nil { 318 return false, 0, alertBadRecordMAC 319 } 320 b.resize(recordHeaderLen + explicitIVLen + len(payload)) 321 case cbcMode: 322 blockSize := c.BlockSize() 323 if hc.version >= VersionTLS11 || hc.isDTLS { 324 explicitIVLen = blockSize 325 } 326 327 if len(payload)%blockSize != 0 || len(payload) < roundUp(explicitIVLen+macSize+1, blockSize) { 328 return false, 0, alertBadRecordMAC 329 } 330 331 if explicitIVLen > 0 { 332 c.SetIV(payload[:explicitIVLen]) 333 payload = payload[explicitIVLen:] 334 } 335 c.CryptBlocks(payload, payload) 336 if hc.version == VersionSSL30 { 337 payload, paddingGood = removePaddingSSL30(payload) 338 } else { 339 payload, paddingGood = removePadding(payload) 340 } 341 b.resize(recordHeaderLen + explicitIVLen + len(payload)) 342 343 // note that we still have a timing side-channel in the 344 // MAC check, below. An attacker can align the record 345 // so that a correct padding will cause one less hash 346 // block to be calculated. Then they can iteratively 347 // decrypt a record by breaking each byte. See 348 // "Password Interception in a SSL/TLS Channel", Brice 349 // Canvel et al. 350 // 351 // However, our behavior matches OpenSSL, so we leak 352 // only as much as they do. 353 default: 354 panic("unknown cipher type") 355 } 356 } 357 358 // check, strip mac 359 if hc.mac != nil { 360 if len(payload) < macSize { 361 return false, 0, alertBadRecordMAC 362 } 363 364 // strip mac off payload, b.data 365 n := len(payload) - macSize 366 b.data[recordHeaderLen-2] = byte(n >> 8) 367 b.data[recordHeaderLen-1] = byte(n) 368 b.resize(recordHeaderLen + explicitIVLen + n) 369 remoteMAC := payload[n:] 370 localMAC := hc.mac.MAC(hc.inDigestBuf, seq, b.data[:3], b.data[recordHeaderLen-2:recordHeaderLen], payload[:n]) 371 372 if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 { 373 return false, 0, alertBadRecordMAC 374 } 375 hc.inDigestBuf = localMAC 376 } 377 hc.incSeq() 378 379 return true, recordHeaderLen + explicitIVLen, 0 380} 381 382// padToBlockSize calculates the needed padding block, if any, for a payload. 383// On exit, prefix aliases payload and extends to the end of the last full 384// block of payload. finalBlock is a fresh slice which contains the contents of 385// any suffix of payload as well as the needed padding to make finalBlock a 386// full block. 387func padToBlockSize(payload []byte, blockSize int, config *Config) (prefix, finalBlock []byte) { 388 overrun := len(payload) % blockSize 389 prefix = payload[:len(payload)-overrun] 390 391 paddingLen := blockSize - overrun 392 finalSize := blockSize 393 if config.Bugs.MaxPadding { 394 for paddingLen+blockSize <= 256 { 395 paddingLen += blockSize 396 } 397 finalSize = 256 398 } 399 finalBlock = make([]byte, finalSize) 400 for i := range finalBlock { 401 finalBlock[i] = byte(paddingLen - 1) 402 } 403 if config.Bugs.PaddingFirstByteBad || config.Bugs.PaddingFirstByteBadIf255 && paddingLen == 256 { 404 finalBlock[overrun] ^= 0xff 405 } 406 copy(finalBlock, payload[len(payload)-overrun:]) 407 return 408} 409 410// encrypt encrypts and macs the data in b. 411func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) { 412 recordHeaderLen := hc.recordHeaderLen() 413 414 // mac 415 if hc.mac != nil { 416 mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data[:3], b.data[recordHeaderLen-2:recordHeaderLen], b.data[recordHeaderLen+explicitIVLen:]) 417 418 n := len(b.data) 419 b.resize(n + len(mac)) 420 copy(b.data[n:], mac) 421 hc.outDigestBuf = mac 422 } 423 424 payload := b.data[recordHeaderLen:] 425 426 // encrypt 427 if hc.cipher != nil { 428 switch c := hc.cipher.(type) { 429 case cipher.Stream: 430 c.XORKeyStream(payload, payload) 431 case cipher.AEAD: 432 payloadLen := len(b.data) - recordHeaderLen - explicitIVLen 433 b.resize(len(b.data) + c.Overhead()) 434 nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen] 435 payload := b.data[recordHeaderLen+explicitIVLen:] 436 payload = payload[:payloadLen] 437 438 var additionalData [13]byte 439 copy(additionalData[:], hc.seq[:]) 440 copy(additionalData[8:], b.data[:3]) 441 additionalData[11] = byte(payloadLen >> 8) 442 additionalData[12] = byte(payloadLen) 443 444 c.Seal(payload[:0], nonce, payload, additionalData[:]) 445 case cbcMode: 446 blockSize := c.BlockSize() 447 if explicitIVLen > 0 { 448 c.SetIV(payload[:explicitIVLen]) 449 payload = payload[explicitIVLen:] 450 } 451 prefix, finalBlock := padToBlockSize(payload, blockSize, hc.config) 452 b.resize(recordHeaderLen + explicitIVLen + len(prefix) + len(finalBlock)) 453 c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen:], prefix) 454 c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen+len(prefix):], finalBlock) 455 default: 456 panic("unknown cipher type") 457 } 458 } 459 460 // update length to include MAC and any block padding needed. 461 n := len(b.data) - recordHeaderLen 462 b.data[recordHeaderLen-2] = byte(n >> 8) 463 b.data[recordHeaderLen-1] = byte(n) 464 hc.incSeq() 465 466 return true, 0 467} 468 469// A block is a simple data buffer. 470type block struct { 471 data []byte 472 off int // index for Read 473 link *block 474} 475 476// resize resizes block to be n bytes, growing if necessary. 477func (b *block) resize(n int) { 478 if n > cap(b.data) { 479 b.reserve(n) 480 } 481 b.data = b.data[0:n] 482} 483 484// reserve makes sure that block contains a capacity of at least n bytes. 485func (b *block) reserve(n int) { 486 if cap(b.data) >= n { 487 return 488 } 489 m := cap(b.data) 490 if m == 0 { 491 m = 1024 492 } 493 for m < n { 494 m *= 2 495 } 496 data := make([]byte, len(b.data), m) 497 copy(data, b.data) 498 b.data = data 499} 500 501// readFromUntil reads from r into b until b contains at least n bytes 502// or else returns an error. 503func (b *block) readFromUntil(r io.Reader, n int) error { 504 // quick case 505 if len(b.data) >= n { 506 return nil 507 } 508 509 // read until have enough. 510 b.reserve(n) 511 for { 512 m, err := r.Read(b.data[len(b.data):cap(b.data)]) 513 b.data = b.data[0 : len(b.data)+m] 514 if len(b.data) >= n { 515 // TODO(bradfitz,agl): slightly suspicious 516 // that we're throwing away r.Read's err here. 517 break 518 } 519 if err != nil { 520 return err 521 } 522 } 523 return nil 524} 525 526func (b *block) Read(p []byte) (n int, err error) { 527 n = copy(p, b.data[b.off:]) 528 b.off += n 529 return 530} 531 532// newBlock allocates a new block, from hc's free list if possible. 533func (hc *halfConn) newBlock() *block { 534 b := hc.bfree 535 if b == nil { 536 return new(block) 537 } 538 hc.bfree = b.link 539 b.link = nil 540 b.resize(0) 541 return b 542} 543 544// freeBlock returns a block to hc's free list. 545// The protocol is such that each side only has a block or two on 546// its free list at a time, so there's no need to worry about 547// trimming the list, etc. 548func (hc *halfConn) freeBlock(b *block) { 549 b.link = hc.bfree 550 hc.bfree = b 551} 552 553// splitBlock splits a block after the first n bytes, 554// returning a block with those n bytes and a 555// block with the remainder. the latter may be nil. 556func (hc *halfConn) splitBlock(b *block, n int) (*block, *block) { 557 if len(b.data) <= n { 558 return b, nil 559 } 560 bb := hc.newBlock() 561 bb.resize(len(b.data) - n) 562 copy(bb.data, b.data[n:]) 563 b.data = b.data[0:n] 564 return b, bb 565} 566 567func (c *Conn) doReadRecord(want recordType) (recordType, *block, error) { 568 if c.isDTLS { 569 return c.dtlsDoReadRecord(want) 570 } 571 572 recordHeaderLen := tlsRecordHeaderLen 573 574 if c.rawInput == nil { 575 c.rawInput = c.in.newBlock() 576 } 577 b := c.rawInput 578 579 // Read header, payload. 580 if err := b.readFromUntil(c.conn, recordHeaderLen); err != nil { 581 // RFC suggests that EOF without an alertCloseNotify is 582 // an error, but popular web sites seem to do this, 583 // so we can't make it an error. 584 // if err == io.EOF { 585 // err = io.ErrUnexpectedEOF 586 // } 587 if e, ok := err.(net.Error); !ok || !e.Temporary() { 588 c.in.setErrorLocked(err) 589 } 590 return 0, nil, err 591 } 592 typ := recordType(b.data[0]) 593 594 // No valid TLS record has a type of 0x80, however SSLv2 handshakes 595 // start with a uint16 length where the MSB is set and the first record 596 // is always < 256 bytes long. Therefore typ == 0x80 strongly suggests 597 // an SSLv2 client. 598 if want == recordTypeHandshake && typ == 0x80 { 599 c.sendAlert(alertProtocolVersion) 600 return 0, nil, c.in.setErrorLocked(errors.New("tls: unsupported SSLv2 handshake received")) 601 } 602 603 vers := uint16(b.data[1])<<8 | uint16(b.data[2]) 604 n := int(b.data[3])<<8 | int(b.data[4]) 605 if c.haveVers && vers != c.vers { 606 c.sendAlert(alertProtocolVersion) 607 return 0, nil, c.in.setErrorLocked(fmt.Errorf("tls: received record with version %x when expecting version %x", vers, c.vers)) 608 } 609 if n > maxCiphertext { 610 c.sendAlert(alertRecordOverflow) 611 return 0, nil, c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d", n)) 612 } 613 if !c.haveVers { 614 // First message, be extra suspicious: 615 // this might not be a TLS client. 616 // Bail out before reading a full 'body', if possible. 617 // The current max version is 3.1. 618 // If the version is >= 16.0, it's probably not real. 619 // Similarly, a clientHello message encodes in 620 // well under a kilobyte. If the length is >= 12 kB, 621 // it's probably not real. 622 if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 || n >= 0x3000 { 623 c.sendAlert(alertUnexpectedMessage) 624 return 0, nil, c.in.setErrorLocked(fmt.Errorf("tls: first record does not look like a TLS handshake")) 625 } 626 } 627 if err := b.readFromUntil(c.conn, recordHeaderLen+n); err != nil { 628 if err == io.EOF { 629 err = io.ErrUnexpectedEOF 630 } 631 if e, ok := err.(net.Error); !ok || !e.Temporary() { 632 c.in.setErrorLocked(err) 633 } 634 return 0, nil, err 635 } 636 637 // Process message. 638 b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n) 639 ok, off, err := c.in.decrypt(b) 640 if !ok { 641 c.in.setErrorLocked(c.sendAlert(err)) 642 } 643 b.off = off 644 return typ, b, nil 645} 646 647// readRecord reads the next TLS record from the connection 648// and updates the record layer state. 649// c.in.Mutex <= L; c.input == nil. 650func (c *Conn) readRecord(want recordType) error { 651 // Caller must be in sync with connection: 652 // handshake data if handshake not yet completed, 653 // else application data. (We don't support renegotiation.) 654 switch want { 655 default: 656 c.sendAlert(alertInternalError) 657 return c.in.setErrorLocked(errors.New("tls: unknown record type requested")) 658 case recordTypeHandshake, recordTypeChangeCipherSpec: 659 if c.handshakeComplete { 660 c.sendAlert(alertInternalError) 661 return c.in.setErrorLocked(errors.New("tls: handshake or ChangeCipherSpec requested after handshake complete")) 662 } 663 case recordTypeApplicationData: 664 if !c.handshakeComplete && !c.config.Bugs.ExpectFalseStart { 665 c.sendAlert(alertInternalError) 666 return c.in.setErrorLocked(errors.New("tls: application data record requested before handshake complete")) 667 } 668 } 669 670Again: 671 typ, b, err := c.doReadRecord(want) 672 if err != nil { 673 return err 674 } 675 data := b.data[b.off:] 676 if len(data) > maxPlaintext { 677 err := c.sendAlert(alertRecordOverflow) 678 c.in.freeBlock(b) 679 return c.in.setErrorLocked(err) 680 } 681 682 switch typ { 683 default: 684 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 685 686 case recordTypeAlert: 687 if len(data) != 2 { 688 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 689 break 690 } 691 if alert(data[1]) == alertCloseNotify { 692 c.in.setErrorLocked(io.EOF) 693 break 694 } 695 switch data[0] { 696 case alertLevelWarning: 697 // drop on the floor 698 c.in.freeBlock(b) 699 goto Again 700 case alertLevelError: 701 c.in.setErrorLocked(&net.OpError{Op: "remote error", Err: alert(data[1])}) 702 default: 703 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 704 } 705 706 case recordTypeChangeCipherSpec: 707 if typ != want || len(data) != 1 || data[0] != 1 { 708 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 709 break 710 } 711 err := c.in.changeCipherSpec(c.config) 712 if err != nil { 713 c.in.setErrorLocked(c.sendAlert(err.(alert))) 714 } 715 716 case recordTypeApplicationData: 717 if typ != want { 718 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 719 break 720 } 721 c.input = b 722 b = nil 723 724 case recordTypeHandshake: 725 // TODO(rsc): Should at least pick off connection close. 726 if typ != want { 727 return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation)) 728 } 729 c.hand.Write(data) 730 } 731 732 if b != nil { 733 c.in.freeBlock(b) 734 } 735 return c.in.err 736} 737 738// sendAlert sends a TLS alert message. 739// c.out.Mutex <= L. 740func (c *Conn) sendAlertLocked(err alert) error { 741 switch err { 742 case alertNoRenegotiation, alertCloseNotify: 743 c.tmp[0] = alertLevelWarning 744 default: 745 c.tmp[0] = alertLevelError 746 } 747 c.tmp[1] = byte(err) 748 c.writeRecord(recordTypeAlert, c.tmp[0:2]) 749 // closeNotify is a special case in that it isn't an error: 750 if err != alertCloseNotify { 751 return c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err}) 752 } 753 return nil 754} 755 756// sendAlert sends a TLS alert message. 757// L < c.out.Mutex. 758func (c *Conn) sendAlert(err alert) error { 759 c.out.Lock() 760 defer c.out.Unlock() 761 return c.sendAlertLocked(err) 762} 763 764// writeV2Record writes a record for a V2ClientHello. 765func (c *Conn) writeV2Record(data []byte) (n int, err error) { 766 record := make([]byte, 2+len(data)) 767 record[0] = uint8(len(data)>>8) | 0x80 768 record[1] = uint8(len(data)) 769 copy(record[2:], data) 770 return c.conn.Write(record) 771} 772 773// writeRecord writes a TLS record with the given type and payload 774// to the connection and updates the record layer state. 775// c.out.Mutex <= L. 776func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) { 777 if c.isDTLS { 778 return c.dtlsWriteRecord(typ, data) 779 } 780 781 recordHeaderLen := tlsRecordHeaderLen 782 b := c.out.newBlock() 783 first := true 784 isClientHello := typ == recordTypeHandshake && len(data) > 0 && data[0] == typeClientHello 785 for len(data) > 0 { 786 m := len(data) 787 if m > maxPlaintext { 788 m = maxPlaintext 789 } 790 if typ == recordTypeHandshake && c.config.Bugs.MaxHandshakeRecordLength > 0 && m > c.config.Bugs.MaxHandshakeRecordLength { 791 m = c.config.Bugs.MaxHandshakeRecordLength 792 // By default, do not fragment the client_version or 793 // server_version, which are located in the first 6 794 // bytes. 795 if first && isClientHello && !c.config.Bugs.FragmentClientVersion && m < 6 { 796 m = 6 797 } 798 } 799 explicitIVLen := 0 800 explicitIVIsSeq := false 801 first = false 802 803 var cbc cbcMode 804 if c.out.version >= VersionTLS11 { 805 var ok bool 806 if cbc, ok = c.out.cipher.(cbcMode); ok { 807 explicitIVLen = cbc.BlockSize() 808 } 809 } 810 if explicitIVLen == 0 { 811 if _, ok := c.out.cipher.(cipher.AEAD); ok { 812 explicitIVLen = 8 813 // The AES-GCM construction in TLS has an 814 // explicit nonce so that the nonce can be 815 // random. However, the nonce is only 8 bytes 816 // which is too small for a secure, random 817 // nonce. Therefore we use the sequence number 818 // as the nonce. 819 explicitIVIsSeq = true 820 } 821 } 822 b.resize(recordHeaderLen + explicitIVLen + m) 823 b.data[0] = byte(typ) 824 vers := c.vers 825 if vers == 0 { 826 // Some TLS servers fail if the record version is 827 // greater than TLS 1.0 for the initial ClientHello. 828 vers = VersionTLS10 829 } 830 b.data[1] = byte(vers >> 8) 831 b.data[2] = byte(vers) 832 b.data[3] = byte(m >> 8) 833 b.data[4] = byte(m) 834 if explicitIVLen > 0 { 835 explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen] 836 if explicitIVIsSeq { 837 copy(explicitIV, c.out.seq[:]) 838 } else { 839 if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil { 840 break 841 } 842 } 843 } 844 copy(b.data[recordHeaderLen+explicitIVLen:], data) 845 c.out.encrypt(b, explicitIVLen) 846 _, err = c.conn.Write(b.data) 847 if err != nil { 848 break 849 } 850 n += m 851 data = data[m:] 852 } 853 c.out.freeBlock(b) 854 855 if typ == recordTypeChangeCipherSpec { 856 err = c.out.changeCipherSpec(c.config) 857 if err != nil { 858 // Cannot call sendAlert directly, 859 // because we already hold c.out.Mutex. 860 c.tmp[0] = alertLevelError 861 c.tmp[1] = byte(err.(alert)) 862 c.writeRecord(recordTypeAlert, c.tmp[0:2]) 863 return n, c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err}) 864 } 865 } 866 return 867} 868 869func (c *Conn) doReadHandshake() ([]byte, error) { 870 if c.isDTLS { 871 return c.dtlsDoReadHandshake() 872 } 873 874 for c.hand.Len() < 4 { 875 if err := c.in.err; err != nil { 876 return nil, err 877 } 878 if err := c.readRecord(recordTypeHandshake); err != nil { 879 return nil, err 880 } 881 } 882 883 data := c.hand.Bytes() 884 n := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 885 if n > maxHandshake { 886 return nil, c.in.setErrorLocked(c.sendAlert(alertInternalError)) 887 } 888 for c.hand.Len() < 4+n { 889 if err := c.in.err; err != nil { 890 return nil, err 891 } 892 if err := c.readRecord(recordTypeHandshake); err != nil { 893 return nil, err 894 } 895 } 896 return c.hand.Next(4 + n), nil 897} 898 899// readHandshake reads the next handshake message from 900// the record layer. 901// c.in.Mutex < L; c.out.Mutex < L. 902func (c *Conn) readHandshake() (interface{}, error) { 903 data, err := c.doReadHandshake() 904 if err != nil { 905 return nil, err 906 } 907 908 var m handshakeMessage 909 switch data[0] { 910 case typeClientHello: 911 m = &clientHelloMsg{ 912 isDTLS: c.isDTLS, 913 } 914 case typeServerHello: 915 m = &serverHelloMsg{ 916 isDTLS: c.isDTLS, 917 } 918 case typeNewSessionTicket: 919 m = new(newSessionTicketMsg) 920 case typeCertificate: 921 m = new(certificateMsg) 922 case typeCertificateRequest: 923 m = &certificateRequestMsg{ 924 hasSignatureAndHash: c.vers >= VersionTLS12, 925 } 926 case typeCertificateStatus: 927 m = new(certificateStatusMsg) 928 case typeServerKeyExchange: 929 m = new(serverKeyExchangeMsg) 930 case typeServerHelloDone: 931 m = new(serverHelloDoneMsg) 932 case typeClientKeyExchange: 933 m = new(clientKeyExchangeMsg) 934 case typeCertificateVerify: 935 m = &certificateVerifyMsg{ 936 hasSignatureAndHash: c.vers >= VersionTLS12, 937 } 938 case typeNextProtocol: 939 m = new(nextProtoMsg) 940 case typeFinished: 941 m = new(finishedMsg) 942 case typeHelloVerifyRequest: 943 m = new(helloVerifyRequestMsg) 944 case typeEncryptedExtensions: 945 m = new(encryptedExtensionsMsg) 946 default: 947 return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 948 } 949 950 // The handshake message unmarshallers 951 // expect to be able to keep references to data, 952 // so pass in a fresh copy that won't be overwritten. 953 data = append([]byte(nil), data...) 954 955 if !m.unmarshal(data) { 956 return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) 957 } 958 return m, nil 959} 960 961// Write writes data to the connection. 962func (c *Conn) Write(b []byte) (int, error) { 963 if err := c.Handshake(); err != nil { 964 return 0, err 965 } 966 967 c.out.Lock() 968 defer c.out.Unlock() 969 970 if err := c.out.err; err != nil { 971 return 0, err 972 } 973 974 if !c.handshakeComplete { 975 return 0, alertInternalError 976 } 977 978 // SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext 979 // attack when using block mode ciphers due to predictable IVs. 980 // This can be prevented by splitting each Application Data 981 // record into two records, effectively randomizing the IV. 982 // 983 // http://www.openssl.org/~bodo/tls-cbc.txt 984 // https://bugzilla.mozilla.org/show_bug.cgi?id=665814 985 // http://www.imperialviolet.org/2012/01/15/beastfollowup.html 986 987 var m int 988 if len(b) > 1 && c.vers <= VersionTLS10 && !c.isDTLS { 989 if _, ok := c.out.cipher.(cipher.BlockMode); ok { 990 n, err := c.writeRecord(recordTypeApplicationData, b[:1]) 991 if err != nil { 992 return n, c.out.setErrorLocked(err) 993 } 994 m, b = 1, b[1:] 995 } 996 } 997 998 n, err := c.writeRecord(recordTypeApplicationData, b) 999 return n + m, c.out.setErrorLocked(err) 1000} 1001 1002// Read can be made to time out and return a net.Error with Timeout() == true 1003// after a fixed time limit; see SetDeadline and SetReadDeadline. 1004func (c *Conn) Read(b []byte) (n int, err error) { 1005 if err = c.Handshake(); err != nil { 1006 return 1007 } 1008 1009 c.in.Lock() 1010 defer c.in.Unlock() 1011 1012 // Some OpenSSL servers send empty records in order to randomize the 1013 // CBC IV. So this loop ignores a limited number of empty records. 1014 const maxConsecutiveEmptyRecords = 100 1015 for emptyRecordCount := 0; emptyRecordCount <= maxConsecutiveEmptyRecords; emptyRecordCount++ { 1016 for c.input == nil && c.in.err == nil { 1017 if err := c.readRecord(recordTypeApplicationData); err != nil { 1018 // Soft error, like EAGAIN 1019 return 0, err 1020 } 1021 } 1022 if err := c.in.err; err != nil { 1023 return 0, err 1024 } 1025 1026 n, err = c.input.Read(b) 1027 if c.input.off >= len(c.input.data) || c.isDTLS { 1028 c.in.freeBlock(c.input) 1029 c.input = nil 1030 } 1031 1032 // If a close-notify alert is waiting, read it so that 1033 // we can return (n, EOF) instead of (n, nil), to signal 1034 // to the HTTP response reading goroutine that the 1035 // connection is now closed. This eliminates a race 1036 // where the HTTP response reading goroutine would 1037 // otherwise not observe the EOF until its next read, 1038 // by which time a client goroutine might have already 1039 // tried to reuse the HTTP connection for a new 1040 // request. 1041 // See https://codereview.appspot.com/76400046 1042 // and http://golang.org/issue/3514 1043 if ri := c.rawInput; ri != nil && 1044 n != 0 && err == nil && 1045 c.input == nil && len(ri.data) > 0 && recordType(ri.data[0]) == recordTypeAlert { 1046 if recErr := c.readRecord(recordTypeApplicationData); recErr != nil { 1047 err = recErr // will be io.EOF on closeNotify 1048 } 1049 } 1050 1051 if n != 0 || err != nil { 1052 return n, err 1053 } 1054 } 1055 1056 return 0, io.ErrNoProgress 1057} 1058 1059// Close closes the connection. 1060func (c *Conn) Close() error { 1061 var alertErr error 1062 1063 c.handshakeMutex.Lock() 1064 defer c.handshakeMutex.Unlock() 1065 if c.handshakeComplete { 1066 alertErr = c.sendAlert(alertCloseNotify) 1067 } 1068 1069 if err := c.conn.Close(); err != nil { 1070 return err 1071 } 1072 return alertErr 1073} 1074 1075// Handshake runs the client or server handshake 1076// protocol if it has not yet been run. 1077// Most uses of this package need not call Handshake 1078// explicitly: the first Read or Write will call it automatically. 1079func (c *Conn) Handshake() error { 1080 c.handshakeMutex.Lock() 1081 defer c.handshakeMutex.Unlock() 1082 if err := c.handshakeErr; err != nil { 1083 return err 1084 } 1085 if c.handshakeComplete { 1086 return nil 1087 } 1088 1089 if c.isClient { 1090 c.handshakeErr = c.clientHandshake() 1091 } else { 1092 c.handshakeErr = c.serverHandshake() 1093 } 1094 return c.handshakeErr 1095} 1096 1097// ConnectionState returns basic TLS details about the connection. 1098func (c *Conn) ConnectionState() ConnectionState { 1099 c.handshakeMutex.Lock() 1100 defer c.handshakeMutex.Unlock() 1101 1102 var state ConnectionState 1103 state.HandshakeComplete = c.handshakeComplete 1104 if c.handshakeComplete { 1105 state.Version = c.vers 1106 state.NegotiatedProtocol = c.clientProtocol 1107 state.DidResume = c.didResume 1108 state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback 1109 state.NegotiatedProtocolFromALPN = c.usedALPN 1110 state.CipherSuite = c.cipherSuite 1111 state.PeerCertificates = c.peerCertificates 1112 state.VerifiedChains = c.verifiedChains 1113 state.ServerName = c.serverName 1114 state.ChannelID = c.channelID 1115 } 1116 1117 return state 1118} 1119 1120// OCSPResponse returns the stapled OCSP response from the TLS server, if 1121// any. (Only valid for client connections.) 1122func (c *Conn) OCSPResponse() []byte { 1123 c.handshakeMutex.Lock() 1124 defer c.handshakeMutex.Unlock() 1125 1126 return c.ocspResponse 1127} 1128 1129// VerifyHostname checks that the peer certificate chain is valid for 1130// connecting to host. If so, it returns nil; if not, it returns an error 1131// describing the problem. 1132func (c *Conn) VerifyHostname(host string) error { 1133 c.handshakeMutex.Lock() 1134 defer c.handshakeMutex.Unlock() 1135 if !c.isClient { 1136 return errors.New("tls: VerifyHostname called on TLS server connection") 1137 } 1138 if !c.handshakeComplete { 1139 return errors.New("tls: handshake has not yet been performed") 1140 } 1141 return c.peerCertificates[0].VerifyHostname(host) 1142} 1143