update mint, and adapt to the new use of the extension handler

2018-02-01 10:57:02 +08:00
parent 65eaf8131d
commit 1cc209e4fb
17 changed files with 362 additions and 340 deletions
--- a/vendor/github.com/bifurcation/mint/conn.go
+++ b/vendor/github.com/bifurcation/mint/conn.go
@@ -88,12 +88,40 @@ type Config struct {
 	// It should make sure that the Cookie cannot be read and tampered with by the client.
 	// If non-blocking mode is used, and cookies are required, this field has to be set.
 	// In blocking mode, a default cookie protector is used, if this is unused.
-	CookieProtector   CookieProtector
+	CookieProtector CookieProtector
+	// The ExtensionHandler is used to add custom extensions.
+	ExtensionHandler  AppExtensionHandler
 	RequireClientAuth bool

+	// Time returns the current time as the number of seconds since the epoch.
+	// If Time is nil, TLS uses time.Now.
+	Time func() time.Time
+	// RootCAs defines the set of root certificate authorities
+	// that clients use when verifying server certificates.
+	// If RootCAs is nil, TLS uses the host's root CA set.
+	RootCAs *x509.CertPool
+	// InsecureSkipVerify controls whether a client verifies the
+	// server's certificate chain and host name.
+	// If InsecureSkipVerify is true, TLS accepts any certificate
+	// presented by the server and any host name in that certificate.
+	// In this mode, TLS is susceptible to man-in-the-middle attacks.
+	// This should be used only for testing.
+	InsecureSkipVerify bool
+
 	// Shared fields
-	Certificates     []*Certificate
-	AuthCertificate  func(chain []CertificateEntry) error
+	Certificates []*Certificate
+	// VerifyPeerCertificate, if not nil, is called after normal
+	// certificate verification by either a TLS client or server. It
+	// receives the raw ASN.1 certificates provided by the peer and also
+	// any verified chains that normal processing found. If it returns a
+	// non-nil error, the handshake is aborted and that error results.
+	//
+	// If normal verification fails then the handshake will abort before
+	// considering this callback. If normal verification is disabled by
+	// setting InsecureSkipVerify then this callback will be considered but
+	// the verifiedChains argument will always be nil.
+	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
+
 	CipherSuites     []CipherSuite
 	Groups           []NamedGroup
 	SignatureSchemes []SignatureScheme
@@ -125,18 +153,22 @@ func (c *Config) Clone() *Config {
 		RequireCookie:      c.RequireCookie,
 		CookieHandler:      c.CookieHandler,
 		CookieProtector:    c.CookieProtector,
+		ExtensionHandler:   c.ExtensionHandler,
 		RequireClientAuth:  c.RequireClientAuth,
+		Time:               c.Time,
+		RootCAs:            c.RootCAs,
+		InsecureSkipVerify: c.InsecureSkipVerify,

-		Certificates:     c.Certificates,
-		AuthCertificate:  c.AuthCertificate,
-		CipherSuites:     c.CipherSuites,
-		Groups:           c.Groups,
-		SignatureSchemes: c.SignatureSchemes,
-		NextProtos:       c.NextProtos,
-		PSKs:             c.PSKs,
-		PSKModes:         c.PSKModes,
-		NonBlocking:      c.NonBlocking,
-		UseDTLS:          c.UseDTLS,
+		Certificates:          c.Certificates,
+		VerifyPeerCertificate: c.VerifyPeerCertificate,
+		CipherSuites:          c.CipherSuites,
+		Groups:                c.Groups,
+		SignatureSchemes:      c.SignatureSchemes,
+		NextProtos:            c.NextProtos,
+		PSKs:                  c.PSKs,
+		PSKModes:              c.PSKModes,
+		NonBlocking:           c.NonBlocking,
+		UseDTLS:               c.UseDTLS,
 	}
 }

@@ -163,28 +195,6 @@ func (c *Config) Init(isClient bool) error {
 	if len(c.PSKModes) == 0 {
 		c.PSKModes = defaultPSKModes
 	}
-
-	// If there is no certificate, generate one
-	if !isClient && len(c.Certificates) == 0 {
-		logf(logTypeHandshake, "Generating key name=%v", c.ServerName)
-		priv, err := newSigningKey(RSA_PSS_SHA256)
-		if err != nil {
-			return err
-		}
-
-		cert, err := newSelfSigned(c.ServerName, RSA_PKCS1_SHA256, priv)
-		if err != nil {
-			return err
-		}
-
-		c.Certificates = []*Certificate{
-			{
-				Chain:      []*x509.Certificate{cert},
-				PrivateKey: priv,
-			},
-		}
-	}
-
 	return nil
 }

@@ -199,6 +209,14 @@ func (c *Config) ValidForClient() bool {
 	return len(c.ServerName) > 0
 }

+func (c *Config) time() time.Time {
+	t := c.Time
+	if t == nil {
+		t = time.Now
+	}
+	return t()
+}
+
 var (
 	defaultSupportedCipherSuites = []CipherSuite{
 		TLS_AES_128_GCM_SHA256,
@@ -231,9 +249,10 @@ var (

 type ConnectionState struct {
 	HandshakeState   State
-	CipherSuite      CipherSuiteParams   // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
-	PeerCertificates []*x509.Certificate // certificate chain presented by remote peer TODO(ekr@rtfm.com): implement
-	NextProto        string              // Selected ALPN proto
+	CipherSuite      CipherSuiteParams     // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
+	PeerCertificates []*x509.Certificate   // certificate chain presented by remote peer
+	VerifiedChains   [][]*x509.Certificate // verified chains built from PeerCertificates
+	NextProto        string                // Selected ALPN proto
 }

 // Conn implements the net.Conn interface, as with "crypto/tls"
@@ -255,8 +274,6 @@ type Conn struct {
 	readBuffer []byte
 	in, out    *RecordLayer
 	hsCtx      HandshakeContext
-
-	extHandler AppExtensionHandler
 }

 func NewConn(conn net.Conn, config *Config, isClient bool) *Conn {
@@ -637,22 +654,6 @@ func (c *Conn) HandshakeSetup() Alert {
 		return AlertInternalError
 	}

-	// Set things up
-	caps := Capabilities{
-		CipherSuites:      c.config.CipherSuites,
-		Groups:            c.config.Groups,
-		SignatureSchemes:  c.config.SignatureSchemes,
-		PSKs:              c.config.PSKs,
-		PSKModes:          c.config.PSKModes,
-		AllowEarlyData:    c.config.AllowEarlyData,
-		RequireCookie:     c.config.RequireCookie,
-		CookieProtector:   c.config.CookieProtector,
-		CookieHandler:     c.config.CookieHandler,
-		RequireClientAuth: c.config.RequireClientAuth,
-		NextProtos:        c.config.NextProtos,
-		Certificates:      c.config.Certificates,
-		ExtensionHandler:  c.extHandler,
-	}
 	opts := ConnectionOptions{
 		ServerName: c.config.ServerName,
 		NextProtos: c.config.NextProtos,
@@ -660,7 +661,7 @@ func (c *Conn) HandshakeSetup() Alert {
 	}

 	if c.isClient {
-		state, actions, alert = ClientStateStart{Caps: caps, Opts: opts, hsCtx: c.hsCtx}.Next(nil)
+		state, actions, alert = ClientStateStart{Config: c.config, Opts: opts, hsCtx: c.hsCtx}.Next(nil)
 		if alert != AlertNoAlert {
 			logf(logTypeHandshake, "Error initializing client state: %v", alert)
 			return alert
@@ -681,13 +682,13 @@ func (c *Conn) HandshakeSetup() Alert {
 				return AlertInternalError
 			}
 			var err error
-			caps.CookieProtector, err = NewDefaultCookieProtector()
+			c.config.CookieProtector, err = NewDefaultCookieProtector()
 			if err != nil {
 				logf(logTypeHandshake, "Error initializing cookie source: %v", alert)
 				return AlertInternalError
 			}
 		}
-		state = ServerStateStart{Caps: caps, conn: c, hsCtx: c.hsCtx}
+		state = ServerStateStart{Config: c.config, conn: c, hsCtx: c.hsCtx}
 	}

 	c.hState = state
@@ -867,7 +868,7 @@ func (c *Conn) ComputeExporter(label string, context []byte, keyLength int) ([]b
 	return HkdfExpandLabel(c.state.cryptoParams.Hash, tmpSecret, "exporter", hc, keyLength), nil
 }

-func (c *Conn) State() ConnectionState {
+func (c *Conn) ConnectionState() ConnectionState {
 	state := ConnectionState{
 		HandshakeState: c.GetHsState(),
 	}
@@ -875,16 +876,9 @@ func (c *Conn) State() ConnectionState {
 	if c.handshakeComplete {
 		state.CipherSuite = cipherSuiteMap[c.state.Params.CipherSuite]
 		state.NextProto = c.state.Params.NextProto
+		state.VerifiedChains = c.state.verifiedChains
+		state.PeerCertificates = c.state.peerCertificates
 	}

 	return state
 }
-
-func (c *Conn) SetExtensionHandler(h AppExtensionHandler) error {
-	if c.hState != nil {
-		return fmt.Errorf("Can't set extension handler after setup")
-	}
-
-	c.extHandler = h
-	return nil
-}