crypto/tls: good defaults

R=agl1
CC=golang-dev
https://golang.org/cl/851041

diff --git a/src/pkg/crypto/tls/common.go b/src/pkg/crypto/tls/common.go
index 8ef8b09d8b5640ae7bd823aa0a12c21c2844b7d3..ef54a1db76363e29f07761915c20086dc417e068 100644 (file)
--- a/src/pkg/crypto/tls/common.go
+++ b/src/pkg/crypto/tls/common.go
@@ -5,9 +5,13 @@
 package tls
 
 import (
+       "crypto/rand"
        "crypto/rsa"
        "io"
+       "io/ioutil"
+       "once"
        "os"
+       "time"
 )
 
 const (
@@ -130,3 +134,38 @@ func (nop) Sum() []byte { return nil }
 func (nop) Reset() {}
 
 func (nop) Size() int { return 0 }
+
+
+// The defaultConfig is used in place of a nil *Config in the TLS server and client.
+var varDefaultConfig *Config
+
+func defaultConfig() *Config {
+       once.Do(initDefaultConfig)
+       return varDefaultConfig
+}
+
+// Possible certificate files; stop after finding one.
+// On OS X we should really be using the Directory Services keychain
+// but that requires a lot of Mach goo to get at.  Instead we use
+// the same root set that curl uses.
+var certFiles = []string{
+       "/etc/ssl/certs/ca-certificates.crt", // Linux etc
+       "/usr/share/curl/curl-ca-bundle.crt", // OS X
+}
+
+func initDefaultConfig() {
+       roots := NewCASet()
+       for _, file := range certFiles {
+               data, err := ioutil.ReadFile(file)
+               if err == nil {
+                       roots.SetFromPEM(data)
+                       break
+               }
+       }
+
+       varDefaultConfig = &Config{
+               Rand:    rand.Reader,
+               Time:    time.Seconds,
+               RootCAs: roots,
+       }
+}

diff --git a/src/pkg/crypto/tls/tls.go b/src/pkg/crypto/tls/tls.go
index 7c76ddeb9b7487324820afa87ca4c3377b94a477..5fbf850daa0dda523da693501ee9f9f88057ef3b 100644 (file)
--- a/src/pkg/crypto/tls/tls.go
+++ b/src/pkg/crypto/tls/tls.go
@@ -125,6 +125,9 @@ type handshaker interface {
 // Server establishes a secure connection over the given connection and acts
 // as a TLS server.
 func startTLSGoroutines(conn net.Conn, h handshaker, config *Config) *Conn {
+       if config == nil {
+               config = defaultConfig()
+       }
        tls := new(Conn)
        tls.Conn = conn
 
@@ -167,7 +170,6 @@ func (l *Listener) Accept() (c net.Conn, err os.Error) {
        if err != nil {
                return
        }
-
        c = Server(c, l.config)
        return
 }
@@ -179,8 +181,27 @@ func (l *Listener) Addr() net.Addr { return l.listener.Addr() }
 // NewListener creates a Listener which accepts connections from an inner
 // Listener and wraps each connection with Server.
 func NewListener(listener net.Listener, config *Config) (l *Listener) {
+       if config == nil {
+               config = defaultConfig()
+       }
        l = new(Listener)
        l.listener = listener
        l.config = config
        return
 }
+
+func Listen(network, laddr string) (net.Listener, os.Error) {
+       l, err := net.Listen(network, laddr)
+       if err != nil {
+               return nil, err
+       }
+       return NewListener(l, nil), nil
+}
+
+func Dial(network, laddr, raddr string) (net.Conn, os.Error) {
+       c, err := net.Dial(network, laddr, raddr)
+       if err != nil {
+               return nil, err
+       }
+       return Client(c, nil), nil
+}