src/pkg/crypto/tls/conn.go - The Go Programming Language

Golang

Source file src/pkg/crypto/tls/conn.go

     1	// Copyright 2010 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	// TLS low level connection and record layer
     6	
     7	package tls
     8	
     9	import (
    10		"bytes"
    11		"crypto/cipher"
    12		"crypto/subtle"
    13		"crypto/x509"
    14		"errors"
    15		"io"
    16		"net"
    17		"sync"
    18		"time"
    19	)
    20	
    21	// A Conn represents a secured connection.
    22	// It implements the net.Conn interface.
    23	type Conn struct {
    24		// constant
    25		conn     net.Conn
    26		isClient bool
    27	
    28		// constant after handshake; protected by handshakeMutex
    29		handshakeMutex    sync.Mutex // handshakeMutex < in.Mutex, out.Mutex, errMutex
    30		vers              uint16     // TLS version
    31		haveVers          bool       // version has been negotiated
    32		config            *Config    // configuration passed to constructor
    33		handshakeComplete bool
    34		cipherSuite       uint16
    35		ocspResponse      []byte // stapled OCSP response
    36		peerCertificates  []*x509.Certificate
    37		// verifiedChains contains the certificate chains that we built, as
    38		// opposed to the ones presented by the server.
    39		verifiedChains [][]*x509.Certificate
    40		// serverName contains the server name indicated by the client, if any.
    41		serverName string
    42	
    43		clientProtocol         string
    44		clientProtocolFallback bool
    45	
    46		// first permanent error
    47		errMutex sync.Mutex
    48		err      error
    49	
    50		// input/output
    51		in, out  halfConn     // in.Mutex < out.Mutex
    52		rawInput *block       // raw input, right off the wire
    53		input    *block       // application data waiting to be read
    54		hand     bytes.Buffer // handshake data waiting to be read
    55	
    56		tmp [16]byte
    57	}
    58	
    59	func (c *Conn) setError(err error) error {
    60		c.errMutex.Lock()
    61		defer c.errMutex.Unlock()
    62	
    63		if c.err == nil {
    64			c.err = err
    65		}
    66		return err
    67	}
    68	
    69	func (c *Conn) error() error {
    70		c.errMutex.Lock()
    71		defer c.errMutex.Unlock()
    72	
    73		return c.err
    74	}
    75	
    76	// Access to net.Conn methods.
    77	// Cannot just embed net.Conn because that would
    78	// export the struct field too.
    79	
    80	// LocalAddr returns the local network address.
    81	func (c *Conn) LocalAddr() net.Addr {
    82		return c.conn.LocalAddr()
    83	}
    84	
    85	// RemoteAddr returns the remote network address.
    86	func (c *Conn) RemoteAddr() net.Addr {
    87		return c.conn.RemoteAddr()
    88	}
    89	
    90	// SetDeadline sets the read and write deadlines associated with the connection.
    91	// A zero value for t means Read and Write will not time out.
    92	// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
    93	func (c *Conn) SetDeadline(t time.Time) error {
    94		return c.conn.SetDeadline(t)
    95	}
    96	
    97	// SetReadDeadline sets the read deadline on the underlying connection.
    98	// A zero value for t means Read will not time out.
    99	func (c *Conn) SetReadDeadline(t time.Time) error {
   100		return c.conn.SetReadDeadline(t)
   101	}
   102	
   103	// SetWriteDeadline sets the write deadline on the underlying conneciton.
   104	// A zero value for t means Write will not time out.
   105	// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
   106	func (c *Conn) SetWriteDeadline(t time.Time) error {
   107		return c.conn.SetWriteDeadline(t)
   108	}
   109	
   110	// A halfConn represents one direction of the record layer
   111	// connection, either sending or receiving.
   112	type halfConn struct {
   113		sync.Mutex
   114		version uint16      // protocol version
   115		cipher  interface{} // cipher algorithm
   116		mac     macFunction
   117		seq     [8]byte // 64-bit sequence number
   118		bfree   *block  // list of free blocks
   119	
   120		nextCipher interface{} // next encryption state
   121		nextMac    macFunction // next MAC algorithm
   122	
   123		// used to save allocating a new buffer for each MAC.
   124		inDigestBuf, outDigestBuf []byte
   125	}
   126	
   127	// prepareCipherSpec sets the encryption and MAC states
   128	// that a subsequent changeCipherSpec will use.
   129	func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) {
   130		hc.version = version
   131		hc.nextCipher = cipher
   132		hc.nextMac = mac
   133	}
   134	
   135	// changeCipherSpec changes the encryption and MAC states
   136	// to the ones previously passed to prepareCipherSpec.
   137	func (hc *halfConn) changeCipherSpec() error {
   138		if hc.nextCipher == nil {
   139			return alertInternalError
   140		}
   141		hc.cipher = hc.nextCipher
   142		hc.mac = hc.nextMac
   143		hc.nextCipher = nil
   144		hc.nextMac = nil
   145		return nil
   146	}
   147	
   148	// incSeq increments the sequence number.
   149	func (hc *halfConn) incSeq() {
   150		for i := 7; i >= 0; i-- {
   151			hc.seq[i]++
   152			if hc.seq[i] != 0 {
   153				return
   154			}
   155		}
   156	
   157		// Not allowed to let sequence number wrap.
   158		// Instead, must renegotiate before it does.
   159		// Not likely enough to bother.
   160		panic("TLS: sequence number wraparound")
   161	}
   162	
   163	// resetSeq resets the sequence number to zero.
   164	func (hc *halfConn) resetSeq() {
   165		for i := range hc.seq {
   166			hc.seq[i] = 0
   167		}
   168	}
   169	
   170	// removePadding returns an unpadded slice, in constant time, which is a prefix
   171	// of the input. It also returns a byte which is equal to 255 if the padding
   172	// was valid and 0 otherwise. See RFC 2246, section 6.2.3.2
   173	func removePadding(payload []byte) ([]byte, byte) {
   174		if len(payload) < 1 {
   175			return payload, 0
   176		}
   177	
   178		paddingLen := payload[len(payload)-1]
   179		t := uint(len(payload)-1) - uint(paddingLen)
   180		// if len(payload) >= (paddingLen - 1) then the MSB of t is zero
   181		good := byte(int32(^t) >> 31)
   182	
   183		toCheck := 255 // the maximum possible padding length
   184		// The length of the padded data is public, so we can use an if here
   185		if toCheck+1 > len(payload) {
   186			toCheck = len(payload) - 1
   187		}
   188	
   189		for i := 0; i < toCheck; i++ {
   190			t := uint(paddingLen) - uint(i)
   191			// if i <= paddingLen then the MSB of t is zero
   192			mask := byte(int32(^t) >> 31)
   193			b := payload[len(payload)-1-i]
   194			good &^= mask&paddingLen ^ mask&b
   195		}
   196	
   197		// We AND together the bits of good and replicate the result across
   198		// all the bits.
   199		good &= good << 4
   200		good &= good << 2
   201		good &= good << 1
   202		good = uint8(int8(good) >> 7)
   203	
   204		toRemove := good&paddingLen + 1
   205		return payload[:len(payload)-int(toRemove)], good
   206	}
   207	
   208	// removePaddingSSL30 is a replacement for removePadding in the case that the
   209	// protocol version is SSLv3. In this version, the contents of the padding
   210	// are random and cannot be checked.
   211	func removePaddingSSL30(payload []byte) ([]byte, byte) {
   212		if len(payload) < 1 {
   213			return payload, 0
   214		}
   215	
   216		paddingLen := int(payload[len(payload)-1]) + 1
   217		if paddingLen > len(payload) {
   218			return payload, 0
   219		}
   220	
   221		return payload[:len(payload)-paddingLen], 255
   222	}
   223	
   224	func roundUp(a, b int) int {
   225		return a + (b-a%b)%b
   226	}
   227	
   228	// decrypt checks and strips the mac and decrypts the data in b.
   229	func (hc *halfConn) decrypt(b *block) (bool, alert) {
   230		// pull out payload
   231		payload := b.data[recordHeaderLen:]
   232	
   233		macSize := 0
   234		if hc.mac != nil {
   235			macSize = hc.mac.Size()
   236		}
   237	
   238		paddingGood := byte(255)
   239	
   240		// decrypt
   241		if hc.cipher != nil {
   242			switch c := hc.cipher.(type) {
   243			case cipher.Stream:
   244				c.XORKeyStream(payload, payload)
   245			case cipher.BlockMode:
   246				blockSize := c.BlockSize()
   247	
   248				if len(payload)%blockSize != 0 || len(payload) < roundUp(macSize+1, blockSize) {
   249					return false, alertBadRecordMAC
   250				}
   251	
   252				c.CryptBlocks(payload, payload)
   253				if hc.version == versionSSL30 {
   254					payload, paddingGood = removePaddingSSL30(payload)
   255				} else {
   256					payload, paddingGood = removePadding(payload)
   257				}
   258				b.resize(recordHeaderLen + len(payload))
   259	
   260				// note that we still have a timing side-channel in the
   261				// MAC check, below. An attacker can align the record
   262				// so that a correct padding will cause one less hash
   263				// block to be calculated. Then they can iteratively
   264				// decrypt a record by breaking each byte. See
   265				// "Password Interception in a SSL/TLS Channel", Brice
   266				// Canvel et al.
   267				//
   268				// However, our behavior matches OpenSSL, so we leak
   269				// only as much as they do.
   270			default:
   271				panic("unknown cipher type")
   272			}
   273		}
   274	
   275		// check, strip mac
   276		if hc.mac != nil {
   277			if len(payload) < macSize {
   278				return false, alertBadRecordMAC
   279			}
   280	
   281			// strip mac off payload, b.data
   282			n := len(payload) - macSize
   283			b.data[3] = byte(n >> 8)
   284			b.data[4] = byte(n)
   285			b.resize(recordHeaderLen + n)
   286			remoteMAC := payload[n:]
   287			localMAC := hc.mac.MAC(hc.inDigestBuf, hc.seq[0:], b.data)
   288			hc.incSeq()
   289	
   290			if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 {
   291				return false, alertBadRecordMAC
   292			}
   293			hc.inDigestBuf = localMAC
   294		}
   295	
   296		return true, 0
   297	}
   298	
   299	// padToBlockSize calculates the needed padding block, if any, for a payload.
   300	// On exit, prefix aliases payload and extends to the end of the last full
   301	// block of payload. finalBlock is a fresh slice which contains the contents of
   302	// any suffix of payload as well as the needed padding to make finalBlock a
   303	// full block.
   304	func padToBlockSize(payload []byte, blockSize int) (prefix, finalBlock []byte) {
   305		overrun := len(payload) % blockSize
   306		paddingLen := blockSize - overrun
   307		prefix = payload[:len(payload)-overrun]
   308		finalBlock = make([]byte, blockSize)
   309		copy(finalBlock, payload[len(payload)-overrun:])
   310		for i := overrun; i < blockSize; i++ {
   311			finalBlock[i] = byte(paddingLen - 1)
   312		}
   313		return
   314	}
   315	
   316	// encrypt encrypts and macs the data in b.
   317	func (hc *halfConn) encrypt(b *block) (bool, alert) {
   318		// mac
   319		if hc.mac != nil {
   320			mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data)
   321			hc.incSeq()
   322	
   323			n := len(b.data)
   324			b.resize(n + len(mac))
   325			copy(b.data[n:], mac)
   326			hc.outDigestBuf = mac
   327		}
   328	
   329		payload := b.data[recordHeaderLen:]
   330	
   331		// encrypt
   332		if hc.cipher != nil {
   333			switch c := hc.cipher.(type) {
   334			case cipher.Stream:
   335				c.XORKeyStream(payload, payload)
   336			case cipher.BlockMode:
   337				prefix, finalBlock := padToBlockSize(payload, c.BlockSize())
   338				b.resize(recordHeaderLen + len(prefix) + len(finalBlock))
   339				c.CryptBlocks(b.data[recordHeaderLen:], prefix)
   340				c.CryptBlocks(b.data[recordHeaderLen+len(prefix):], finalBlock)
   341			default:
   342				panic("unknown cipher type")
   343			}
   344		}
   345	
   346		// update length to include MAC and any block padding needed.
   347		n := len(b.data) - recordHeaderLen
   348		b.data[3] = byte(n >> 8)
   349		b.data[4] = byte(n)
   350	
   351		return true, 0
   352	}
   353	
   354	// A block is a simple data buffer.
   355	type block struct {
   356		data []byte
   357		off  int // index for Read
   358		link *block
   359	}
   360	
   361	// resize resizes block to be n bytes, growing if necessary.
   362	func (b *block) resize(n int) {
   363		if n > cap(b.data) {
   364			b.reserve(n)
   365		}
   366		b.data = b.data[0:n]
   367	}
   368	
   369	// reserve makes sure that block contains a capacity of at least n bytes.
   370	func (b *block) reserve(n int) {
   371		if cap(b.data) >= n {
   372			return
   373		}
   374		m := cap(b.data)
   375		if m == 0 {
   376			m = 1024
   377		}
   378		for m < n {
   379			m *= 2
   380		}
   381		data := make([]byte, len(b.data), m)
   382		copy(data, b.data)
   383		b.data = data
   384	}
   385	
   386	// readFromUntil reads from r into b until b contains at least n bytes
   387	// or else returns an error.
   388	func (b *block) readFromUntil(r io.Reader, n int) error {
   389		// quick case
   390		if len(b.data) >= n {
   391			return nil
   392		}
   393	
   394		// read until have enough.
   395		b.reserve(n)
   396		for {
   397			m, err := r.Read(b.data[len(b.data):cap(b.data)])
   398			b.data = b.data[0 : len(b.data)+m]
   399			if len(b.data) >= n {
   400				break
   401			}
   402			if err != nil {
   403				return err
   404			}
   405		}
   406		return nil
   407	}
   408	
   409	func (b *block) Read(p []byte) (n int, err error) {
   410		n = copy(p, b.data[b.off:])
   411		b.off += n
   412		return
   413	}
   414	
   415	// newBlock allocates a new block, from hc's free list if possible.
   416	func (hc *halfConn) newBlock() *block {
   417		b := hc.bfree
   418		if b == nil {
   419			return new(block)
   420		}
   421		hc.bfree = b.link
   422		b.link = nil
   423		b.resize(0)
   424		return b
   425	}
   426	
   427	// freeBlock returns a block to hc's free list.
   428	// The protocol is such that each side only has a block or two on
   429	// its free list at a time, so there's no need to worry about
   430	// trimming the list, etc.
   431	func (hc *halfConn) freeBlock(b *block) {
   432		b.link = hc.bfree
   433		hc.bfree = b
   434	}
   435	
   436	// splitBlock splits a block after the first n bytes,
   437	// returning a block with those n bytes and a
   438	// block with the remainder.  the latter may be nil.
   439	func (hc *halfConn) splitBlock(b *block, n int) (*block, *block) {
   440		if len(b.data) <= n {
   441			return b, nil
   442		}
   443		bb := hc.newBlock()
   444		bb.resize(len(b.data) - n)
   445		copy(bb.data, b.data[n:])
   446		b.data = b.data[0:n]
   447		return b, bb
   448	}
   449	
   450	// readRecord reads the next TLS record from the connection
   451	// and updates the record layer state.
   452	// c.in.Mutex <= L; c.input == nil.
   453	func (c *Conn) readRecord(want recordType) error {
   454		// Caller must be in sync with connection:
   455		// handshake data if handshake not yet completed,
   456		// else application data.  (We don't support renegotiation.)
   457		switch want {
   458		default:
   459			return c.sendAlert(alertInternalError)
   460		case recordTypeHandshake, recordTypeChangeCipherSpec:
   461			if c.handshakeComplete {
   462				return c.sendAlert(alertInternalError)
   463			}
   464		case recordTypeApplicationData:
   465			if !c.handshakeComplete {
   466				return c.sendAlert(alertInternalError)
   467			}
   468		}
   469	
   470	Again:
   471		if c.rawInput == nil {
   472			c.rawInput = c.in.newBlock()
   473		}
   474		b := c.rawInput
   475	
   476		// Read header, payload.
   477		if err := b.readFromUntil(c.conn, recordHeaderLen); err != nil {
   478			// RFC suggests that EOF without an alertCloseNotify is
   479			// an error, but popular web sites seem to do this,
   480			// so we can't make it an error.
   481			// if err == io.EOF {
   482			// 	err = io.ErrUnexpectedEOF
   483			// }
   484			if e, ok := err.(net.Error); !ok || !e.Temporary() {
   485				c.setError(err)
   486			}
   487			return err
   488		}
   489		typ := recordType(b.data[0])
   490		vers := uint16(b.data[1])<<8 | uint16(b.data[2])
   491		n := int(b.data[3])<<8 | int(b.data[4])
   492		if c.haveVers && vers != c.vers {
   493			return c.sendAlert(alertProtocolVersion)
   494		}
   495		if n > maxCiphertext {
   496			return c.sendAlert(alertRecordOverflow)
   497		}
   498		if !c.haveVers {
   499			// First message, be extra suspicious:
   500			// this might not be a TLS client.
   501			// Bail out before reading a full 'body', if possible.
   502			// The current max version is 3.1. 
   503			// If the version is >= 16.0, it's probably not real.
   504			// Similarly, a clientHello message encodes in
   505			// well under a kilobyte.  If the length is >= 12 kB,
   506			// it's probably not real.
   507			if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 || n >= 0x3000 {
   508				return c.sendAlert(alertUnexpectedMessage)
   509			}
   510		}
   511		if err := b.readFromUntil(c.conn, recordHeaderLen+n); err != nil {
   512			if err == io.EOF {
   513				err = io.ErrUnexpectedEOF
   514			}
   515			if e, ok := err.(net.Error); !ok || !e.Temporary() {
   516				c.setError(err)
   517			}
   518			return err
   519		}
   520	
   521		// Process message.
   522		b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n)
   523		b.off = recordHeaderLen
   524		if ok, err := c.in.decrypt(b); !ok {
   525			return c.sendAlert(err)
   526		}
   527		data := b.data[b.off:]
   528		if len(data) > maxPlaintext {
   529			c.sendAlert(alertRecordOverflow)
   530			c.in.freeBlock(b)
   531			return c.error()
   532		}
   533	
   534		switch typ {
   535		default:
   536			c.sendAlert(alertUnexpectedMessage)
   537	
   538		case recordTypeAlert:
   539			if len(data) != 2 {
   540				c.sendAlert(alertUnexpectedMessage)
   541				break
   542			}
   543			if alert(data[1]) == alertCloseNotify {
   544				c.setError(io.EOF)
   545				break
   546			}
   547			switch data[0] {
   548			case alertLevelWarning:
   549				// drop on the floor
   550				c.in.freeBlock(b)
   551				goto Again
   552			case alertLevelError:
   553				c.setError(&net.OpError{Op: "remote error", Err: alert(data[1])})
   554			default:
   555				c.sendAlert(alertUnexpectedMessage)
   556			}
   557	
   558		case recordTypeChangeCipherSpec:
   559			if typ != want || len(data) != 1 || data[0] != 1 {
   560				c.sendAlert(alertUnexpectedMessage)
   561				break
   562			}
   563			err := c.in.changeCipherSpec()
   564			if err != nil {
   565				c.sendAlert(err.(alert))
   566			}
   567	
   568		case recordTypeApplicationData:
   569			if typ != want {
   570				c.sendAlert(alertUnexpectedMessage)
   571				break
   572			}
   573			c.input = b
   574			b = nil
   575	
   576		case recordTypeHandshake:
   577			// TODO(rsc): Should at least pick off connection close.
   578			if typ != want {
   579				return c.sendAlert(alertNoRenegotiation)
   580			}
   581			c.hand.Write(data)
   582		}
   583	
   584		if b != nil {
   585			c.in.freeBlock(b)
   586		}
   587		return c.error()
   588	}
   589	
   590	// sendAlert sends a TLS alert message.
   591	// c.out.Mutex <= L.
   592	func (c *Conn) sendAlertLocked(err alert) error {
   593		c.tmp[0] = alertLevelError
   594		if err == alertNoRenegotiation {
   595			c.tmp[0] = alertLevelWarning
   596		}
   597		c.tmp[1] = byte(err)
   598		c.writeRecord(recordTypeAlert, c.tmp[0:2])
   599		// closeNotify is a special case in that it isn't an error:
   600		if err != alertCloseNotify {
   601			return c.setError(&net.OpError{Op: "local error", Err: err})
   602		}
   603		return nil
   604	}
   605	
   606	// sendAlert sends a TLS alert message.
   607	// L < c.out.Mutex.
   608	func (c *Conn) sendAlert(err alert) error {
   609		c.out.Lock()
   610		defer c.out.Unlock()
   611		return c.sendAlertLocked(err)
   612	}
   613	
   614	// writeRecord writes a TLS record with the given type and payload
   615	// to the connection and updates the record layer state.
   616	// c.out.Mutex <= L.
   617	func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
   618		b := c.out.newBlock()
   619		for len(data) > 0 {
   620			m := len(data)
   621			if m > maxPlaintext {
   622				m = maxPlaintext
   623			}
   624			b.resize(recordHeaderLen + m)
   625			b.data[0] = byte(typ)
   626			vers := c.vers
   627			if vers == 0 {
   628				vers = maxVersion
   629			}
   630			b.data[1] = byte(vers >> 8)
   631			b.data[2] = byte(vers)
   632			b.data[3] = byte(m >> 8)
   633			b.data[4] = byte(m)
   634			copy(b.data[recordHeaderLen:], data)
   635			c.out.encrypt(b)
   636			_, err = c.conn.Write(b.data)
   637			if err != nil {
   638				break
   639			}
   640			n += m
   641			data = data[m:]
   642		}
   643		c.out.freeBlock(b)
   644	
   645		if typ == recordTypeChangeCipherSpec {
   646			err = c.out.changeCipherSpec()
   647			if err != nil {
   648				// Cannot call sendAlert directly,
   649				// because we already hold c.out.Mutex.
   650				c.tmp[0] = alertLevelError
   651				c.tmp[1] = byte(err.(alert))
   652				c.writeRecord(recordTypeAlert, c.tmp[0:2])
   653				c.err = &net.OpError{Op: "local error", Err: err}
   654				return n, c.err
   655			}
   656		}
   657		return
   658	}
   659	
   660	// readHandshake reads the next handshake message from
   661	// the record layer.
   662	// c.in.Mutex < L; c.out.Mutex < L.
   663	func (c *Conn) readHandshake() (interface{}, error) {
   664		for c.hand.Len() < 4 {
   665			if c.err != nil {
   666				return nil, c.err
   667			}
   668			if err := c.readRecord(recordTypeHandshake); err != nil {
   669				return nil, err
   670			}
   671		}
   672	
   673		data := c.hand.Bytes()
   674		n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
   675		if n > maxHandshake {
   676			c.sendAlert(alertInternalError)
   677			return nil, c.err
   678		}
   679		for c.hand.Len() < 4+n {
   680			if c.err != nil {
   681				return nil, c.err
   682			}
   683			if err := c.readRecord(recordTypeHandshake); err != nil {
   684				return nil, err
   685			}
   686		}
   687		data = c.hand.Next(4 + n)
   688		var m handshakeMessage
   689		switch data[0] {
   690		case typeClientHello:
   691			m = new(clientHelloMsg)
   692		case typeServerHello:
   693			m = new(serverHelloMsg)
   694		case typeCertificate:
   695			m = new(certificateMsg)
   696		case typeCertificateRequest:
   697			m = new(certificateRequestMsg)
   698		case typeCertificateStatus:
   699			m = new(certificateStatusMsg)
   700		case typeServerKeyExchange:
   701			m = new(serverKeyExchangeMsg)
   702		case typeServerHelloDone:
   703			m = new(serverHelloDoneMsg)
   704		case typeClientKeyExchange:
   705			m = new(clientKeyExchangeMsg)
   706		case typeCertificateVerify:
   707			m = new(certificateVerifyMsg)
   708		case typeNextProtocol:
   709			m = new(nextProtoMsg)
   710		case typeFinished:
   711			m = new(finishedMsg)
   712		default:
   713			c.sendAlert(alertUnexpectedMessage)
   714			return nil, alertUnexpectedMessage
   715		}
   716	
   717		// The handshake message unmarshallers
   718		// expect to be able to keep references to data,
   719		// so pass in a fresh copy that won't be overwritten.
   720		data = append([]byte(nil), data...)
   721	
   722		if !m.unmarshal(data) {
   723			c.sendAlert(alertUnexpectedMessage)
   724			return nil, alertUnexpectedMessage
   725		}
   726		return m, nil
   727	}
   728	
   729	// Write writes data to the connection.
   730	func (c *Conn) Write(b []byte) (int, error) {
   731		if c.err != nil {
   732			return 0, c.err
   733		}
   734	
   735		if c.err = c.Handshake(); c.err != nil {
   736			return 0, c.err
   737		}
   738	
   739		c.out.Lock()
   740		defer c.out.Unlock()
   741	
   742		if !c.handshakeComplete {
   743			return 0, alertInternalError
   744		}
   745	
   746		var n int
   747		n, c.err = c.writeRecord(recordTypeApplicationData, b)
   748		return n, c.err
   749	}
   750	
   751	// Read can be made to time out and return a net.Error with Timeout() == true
   752	// after a fixed time limit; see SetDeadline and SetReadDeadline.
   753	func (c *Conn) Read(b []byte) (n int, err error) {
   754		if err = c.Handshake(); err != nil {
   755			return
   756		}
   757	
   758		c.in.Lock()
   759		defer c.in.Unlock()
   760	
   761		for c.input == nil && c.err == nil {
   762			if err := c.readRecord(recordTypeApplicationData); err != nil {
   763				// Soft error, like EAGAIN
   764				return 0, err
   765			}
   766		}
   767		if c.err != nil {
   768			return 0, c.err
   769		}
   770		n, err = c.input.Read(b)
   771		if c.input.off >= len(c.input.data) {
   772			c.in.freeBlock(c.input)
   773			c.input = nil
   774		}
   775		return n, nil
   776	}
   777	
   778	// Close closes the connection.
   779	func (c *Conn) Close() error {
   780		var alertErr error
   781	
   782		c.handshakeMutex.Lock()
   783		defer c.handshakeMutex.Unlock()
   784		if c.handshakeComplete {
   785			alertErr = c.sendAlert(alertCloseNotify)
   786		}
   787	
   788		if err := c.conn.Close(); err != nil {
   789			return err
   790		}
   791		return alertErr
   792	}
   793	
   794	// Handshake runs the client or server handshake
   795	// protocol if it has not yet been run.
   796	// Most uses of this package need not call Handshake
   797	// explicitly: the first Read or Write will call it automatically.
   798	func (c *Conn) Handshake() error {
   799		c.handshakeMutex.Lock()
   800		defer c.handshakeMutex.Unlock()
   801		if err := c.error(); err != nil {
   802			return err
   803		}
   804		if c.handshakeComplete {
   805			return nil
   806		}
   807		if c.isClient {
   808			return c.clientHandshake()
   809		}
   810		return c.serverHandshake()
   811	}
   812	
   813	// ConnectionState returns basic TLS details about the connection.
   814	func (c *Conn) ConnectionState() ConnectionState {
   815		c.handshakeMutex.Lock()
   816		defer c.handshakeMutex.Unlock()
   817	
   818		var state ConnectionState
   819		state.HandshakeComplete = c.handshakeComplete
   820		if c.handshakeComplete {
   821			state.NegotiatedProtocol = c.clientProtocol
   822			state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback
   823			state.CipherSuite = c.cipherSuite
   824			state.PeerCertificates = c.peerCertificates
   825			state.VerifiedChains = c.verifiedChains
   826			state.ServerName = c.serverName
   827		}
   828	
   829		return state
   830	}
   831	
   832	// OCSPResponse returns the stapled OCSP response from the TLS server, if
   833	// any. (Only valid for client connections.)
   834	func (c *Conn) OCSPResponse() []byte {
   835		c.handshakeMutex.Lock()
   836		defer c.handshakeMutex.Unlock()
   837	
   838		return c.ocspResponse
   839	}
   840	
   841	// VerifyHostname checks that the peer certificate chain is valid for
   842	// connecting to host.  If so, it returns nil; if not, it returns an error
   843	// describing the problem.
   844	func (c *Conn) VerifyHostname(host string) error {
   845		c.handshakeMutex.Lock()
   846		defer c.handshakeMutex.Unlock()
   847		if !c.isClient {
   848			return errors.New("VerifyHostname called on TLS server connection")
   849		}
   850		if !c.handshakeComplete {
   851			return errors.New("TLS handshake has not yet been performed")
   852		}
   853		return c.peerCertificates[0].VerifyHostname(host)
   854	}