diff options
Diffstat (limited to 'libgo/go/crypto/tls/common.go')
-rw-r--r-- | libgo/go/crypto/tls/common.go | 36 |
1 files changed, 14 insertions, 22 deletions
diff --git a/libgo/go/crypto/tls/common.go b/libgo/go/crypto/tls/common.go index de833a90563..5860838dd25 100644 --- a/libgo/go/crypto/tls/common.go +++ b/libgo/go/crypto/tls/common.go @@ -163,8 +163,8 @@ type ConnectionState struct { HandshakeComplete bool // TLS handshake is complete DidResume bool // connection resumes a previous TLS connection CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...) - NegotiatedProtocol string // negotiated next protocol (from Config.NextProtos) - NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server + NegotiatedProtocol string // negotiated next protocol (not guaranteed to be from Config.NextProtos) + NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server (client side only) ServerName string // server name requested by client, if any (server side only) PeerCertificates []*x509.Certificate // certificate chain presented by remote peer VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates @@ -174,9 +174,9 @@ type ConnectionState struct { // TLSUnique contains the "tls-unique" channel binding value (see RFC // 5929, section 3). For resumed sessions this value will be nil // because resumption does not include enough context (see - // https://secure-resumption.com/#channelbindings). This will change in - // future versions of Go once the TLS master-secret fix has been - // standardized and implemented. + // https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will + // change in future versions of Go once the TLS master-secret fix has + // been standardized and implemented. TLSUnique []byte } @@ -206,7 +206,8 @@ type ClientSessionState struct { // ClientSessionCache is a cache of ClientSessionState objects that can be used // by a client to resume a TLS session with a given server. ClientSessionCache // implementations should expect to be called concurrently from different -// goroutines. +// goroutines. Only ticket-based resumption is supported, not SessionID-based +// resumption. type ClientSessionCache interface { // Get searches for a ClientSessionState associated with the given key. // On return, ok is true if one was found. @@ -508,17 +509,13 @@ type Config struct { serverInitOnce sync.Once // guards calling (*Config).serverInit - // mutex protects sessionTicketKeys and originalConfig. + // mutex protects sessionTicketKeys. mutex sync.RWMutex // sessionTicketKeys contains zero or more ticket keys. If the length // is zero, SessionTicketsDisabled must be true. The first key is used // for new tickets and any subsequent keys can be used to decrypt old // tickets. sessionTicketKeys []ticketKey - // originalConfig is set to the Config that was passed to Server if - // this Config is returned by a GetConfigForClient callback. It's used - // by serverInit in order to copy session ticket keys if needed. - originalConfig *Config } // ticketKeyNameLen is the number of bytes of identifier that is prepended to @@ -550,7 +547,7 @@ func ticketKeyFromBytes(b [32]byte) (key ticketKey) { func (c *Config) Clone() *Config { // Running serverInit ensures that it's safe to read // SessionTicketsDisabled. - c.serverInitOnce.Do(c.serverInit) + c.serverInitOnce.Do(func() { c.serverInit(nil) }) var sessionTicketKeys []ticketKey c.mutex.RLock() @@ -584,20 +581,17 @@ func (c *Config) Clone() *Config { Renegotiation: c.Renegotiation, KeyLogWriter: c.KeyLogWriter, sessionTicketKeys: sessionTicketKeys, - // originalConfig is deliberately not duplicated. } } -func (c *Config) serverInit() { +// serverInit is run under c.serverInitOnce to do initialization of c. If c was +// returned by a GetConfigForClient callback then the argument should be the +// Config that was passed to Server, otherwise it should be nil. +func (c *Config) serverInit(originalConfig *Config) { if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 { return } - var originalConfig *Config - c.mutex.Lock() - originalConfig, c.originalConfig = c.originalConfig, nil - c.mutex.Unlock() - alreadySet := false for _, b := range c.SessionTicketKey { if b != 0 { @@ -947,9 +941,7 @@ func initDefaultCipherSuites() { } varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites)) - for _, topCipher := range topCipherSuites { - varDefaultCipherSuites = append(varDefaultCipherSuites, topCipher) - } + varDefaultCipherSuites = append(varDefaultCipherSuites, topCipherSuites...) NextCipherSuite: for _, suite := range cipherSuites { |