type Conn … // LocalAddr returns the local network address. func (c *Conn) LocalAddr() net.Addr { … } // RemoteAddr returns the remote network address. func (c *Conn) RemoteAddr() net.Addr { … } // SetDeadline sets the read and write deadlines associated with the connection. // A zero value for t means [Conn.Read] and [Conn.Write] will not time out. // After a Write has timed out, the TLS state is corrupt and all future writes will return the same error. func (c *Conn) SetDeadline(t time.Time) error { … } // SetReadDeadline sets the read deadline on the underlying connection. // A zero value for t means [Conn.Read] will not time out. func (c *Conn) SetReadDeadline(t time.Time) error { … } // SetWriteDeadline sets the write deadline on the underlying connection. // A zero value for t means [Conn.Write] will not time out. // After a [Conn.Write] has timed out, the TLS state is corrupt and all future writes will return the same error. func (c *Conn) SetWriteDeadline(t time.Time) error { … } // NetConn returns the underlying connection that is wrapped by c. // Note that writing to or reading from this connection directly will corrupt the // TLS session. func (c *Conn) NetConn() net.Conn { … } type halfConn … type permanentError … func (e *permanentError) Error() string { … } func (e *permanentError) Unwrap() error { … } func (e *permanentError) Timeout() bool { … } func (e *permanentError) Temporary() bool { … } func (hc *halfConn) setErrorLocked(err error) error { … } // prepareCipherSpec sets the encryption and MAC states // that a subsequent changeCipherSpec will use. func (hc *halfConn) prepareCipherSpec(version uint16, cipher any, mac hash.Hash) { … } // changeCipherSpec changes the encryption and MAC states // to the ones previously passed to prepareCipherSpec. func (hc *halfConn) changeCipherSpec() error { … } func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) { … } // incSeq increments the sequence number. func (hc *halfConn) incSeq() { … } // explicitNonceLen returns the number of bytes of explicit nonce or IV included // in each record. Explicit nonces are present only in CBC modes after TLS 1.0 // and in certain AEAD modes in TLS 1.2. func (hc *halfConn) explicitNonceLen() int { … } // extractPadding returns, in constant time, the length of the padding to remove // from the end of payload. It also returns a byte which is equal to 255 if the // padding was valid and 0 otherwise. See RFC 2246, Section 6.2.3.2. func extractPadding(payload []byte) (toRemove int, good byte) { … } func roundUp(a, b int) int { … } type cbcMode … // decrypt authenticates and decrypts the record if protection is active at // this stage. The returned plaintext might overlap with the input. func (hc *halfConn) decrypt(record []byte) ([]byte, recordType, error) { … } // sliceForAppend extends the input slice by n bytes. head is the full extended // slice, while tail is the appended part. If the original slice has sufficient // capacity no allocation is performed. func sliceForAppend(in []byte, n int) (head, tail []byte) { … } // encrypt encrypts payload, adding the appropriate nonce and/or MAC, and // appends it to record, which must already contain the record header. func (hc *halfConn) encrypt(record, payload []byte, rand io.Reader) ([]byte, error) { … } type RecordHeaderError … func (e RecordHeaderError) Error() string { … } func (c *Conn) newRecordHeaderError(conn net.Conn, msg string) (err RecordHeaderError) { … } func (c *Conn) readRecord() error { … } func (c *Conn) readChangeCipherSpec() error { … } // readRecordOrCCS reads one or more TLS records from the connection and // updates the record layer state. Some invariants: // - c.in must be locked // - c.input must be empty // // During the handshake one and only one of the following will happen: // - c.hand grows // - c.in.changeCipherSpec is called // - an error is returned // // After the handshake one and only one of the following will happen: // - c.hand grows // - c.input is set // - an error is returned func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error { … } // retryReadRecord recurs into readRecordOrCCS to drop a non-advancing record, like // a warning alert, empty application_data, or a change_cipher_spec in TLS 1.3. func (c *Conn) retryReadRecord(expectChangeCipherSpec bool) error { … } type atLeastReader … func (r *atLeastReader) Read(p []byte) (int, error) { … } // readFromUntil reads from r into c.rawInput until c.rawInput contains // at least n bytes or else returns an error. func (c *Conn) readFromUntil(r io.Reader, n int) error { … } // sendAlertLocked sends a TLS alert message. func (c *Conn) sendAlertLocked(err alert) error { … } // sendAlert sends a TLS alert message. func (c *Conn) sendAlert(err alert) error { … } const tcpMSSEstimate … const recordSizeBoostThreshold … // maxPayloadSizeForWrite returns the maximum TLS payload size to use for the // next application data record. There is the following trade-off: // // - For latency-sensitive applications, such as web browsing, each TLS // record should fit in one TCP segment. // - For throughput-sensitive applications, such as large file transfers, // larger TLS records better amortize framing and encryption overheads. // // A simple heuristic that works well in practice is to use small records for // the first 1MB of data, then use larger records for subsequent data, and // reset back to smaller records after the connection becomes idle. See "High // Performance Web Networking", Chapter 4, or: // https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/ // // In the interests of simplicity and determinism, this code does not attempt // to reset the record size once the connection is idle, however. func (c *Conn) maxPayloadSizeForWrite(typ recordType) int { … } func (c *Conn) write(data []byte) (int, error) { … } func (c *Conn) flush() (int, error) { … } var outBufPool … // writeRecordLocked writes a TLS record with the given type and payload to the // connection and updates the record layer state. func (c *Conn) writeRecordLocked(typ recordType, data []byte) (int, error) { … } // writeHandshakeRecord writes a handshake message to the connection and updates // the record layer state. If transcript is non-nil the marshaled message is // written to it. func (c *Conn) writeHandshakeRecord(msg handshakeMessage, transcript transcriptHash) (int, error) { … } // writeChangeCipherRecord writes a ChangeCipherSpec message to the connection and // updates the record layer state. func (c *Conn) writeChangeCipherRecord() error { … } // readHandshakeBytes reads handshake data until c.hand contains at least n bytes. func (c *Conn) readHandshakeBytes(n int) error { … } // readHandshake reads the next handshake message from // the record layer. If transcript is non-nil, the message // is written to the passed transcriptHash. func (c *Conn) readHandshake(transcript transcriptHash) (any, error) { … } func (c *Conn) unmarshalHandshakeMessage(data []byte, transcript transcriptHash) (handshakeMessage, error) { … } var errShutdown … // Write writes data to the connection. // // As Write calls [Conn.Handshake], in order to prevent indefinite blocking a deadline // must be set for both [Conn.Read] and Write before Write is called when the handshake // has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and // [Conn.SetWriteDeadline]. func (c *Conn) Write(b []byte) (int, error) { … } // handleRenegotiation processes a HelloRequest handshake message. func (c *Conn) handleRenegotiation() error { … } // handlePostHandshakeMessage processes a handshake message arrived after the // handshake is complete. Up to TLS 1.2, it indicates the start of a renegotiation. func (c *Conn) handlePostHandshakeMessage() error { … } func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error { … } // Read reads data from the connection. // // As Read calls [Conn.Handshake], in order to prevent indefinite blocking a deadline // must be set for both Read and [Conn.Write] before Read is called when the handshake // has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and // [Conn.SetWriteDeadline]. func (c *Conn) Read(b []byte) (int, error) { … } // Close closes the connection. func (c *Conn) Close() error { … } var errEarlyCloseWrite … // CloseWrite shuts down the writing side of the connection. It should only be // called once the handshake has completed and does not call CloseWrite on the // underlying connection. Most callers should just use [Conn.Close]. func (c *Conn) CloseWrite() error { … } func (c *Conn) closeNotify() error { … } // Handshake runs the client or server handshake // protocol if it has not yet been run. // // Most uses of this package need not call Handshake explicitly: the // first [Conn.Read] or [Conn.Write] will call it automatically. // // For control over canceling or setting a timeout on a handshake, use // [Conn.HandshakeContext] or the [Dialer]'s DialContext method instead. // // In order to avoid denial of service attacks, the maximum RSA key size allowed // in certificates sent by either the TLS server or client is limited to 8192 // bits. This limit can be overridden by setting tlsmaxrsasize in the GODEBUG // environment variable (e.g. GODEBUG=tlsmaxrsasize=4096). func (c *Conn) Handshake() error { … } // HandshakeContext runs the client or server handshake // protocol if it has not yet been run. // // The provided Context must be non-nil. If the context is canceled before // the handshake is complete, the handshake is interrupted and an error is returned. // Once the handshake has completed, cancellation of the context will not affect the // connection. // // Most uses of this package need not call HandshakeContext explicitly: the // first [Conn.Read] or [Conn.Write] will call it automatically. func (c *Conn) HandshakeContext(ctx context.Context) error { … } func (c *Conn) handshakeContext(ctx context.Context) (ret error) { … } // ConnectionState returns basic TLS details about the connection. func (c *Conn) ConnectionState() ConnectionState { … } var tlsunsafeekm … func (c *Conn) connectionStateLocked() ConnectionState { … } // OCSPResponse returns the stapled OCSP response from the TLS server, if // any. (Only valid for client connections.) func (c *Conn) OCSPResponse() []byte { … } // VerifyHostname checks that the peer certificate chain is valid for // connecting to host. If so, it returns nil; if not, it returns an error // describing the problem. func (c *Conn) VerifyHostname(host string) error { … }
Codebase Browser
go