Commit Graph

103 Commits

Author SHA1 Message Date
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
2680804ebc crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.

Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.

Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.

A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.

Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes #7342.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/67010043
2014-02-21 15:56:41 -05:00
Adam Langley
5a2aacff2f crypto/tls: better error messages.
LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/60580046
2014-02-12 11:20:01 -05:00
Anthony Martin
8cf5d703de crypto/tls: do not send the current time in hello messages
This reduces the ability to fingerprint TLS connections.

The impeteus for this change was a recent change to OpenSSL
by Nick Mathewson:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2016265dfb

LGTM=agl
R=agl
CC=golang-codereviews
https://golang.org/cl/57230043
2014-02-04 10:51:37 -05:00
Gautham Thambidorai
9323f900fd crypto/tls: Client side support for TLS session resumption.
Adam (agl@) had already done an initial review of this CL in a branch.

Added ClientSessionState to Config which now allows clients to keep state
required to resume a TLS session with a server. A client handshake will try
and use the SessionTicket/MasterSecret in this cached state if the server
acknowledged resumption.

We also added support to cache ClientSessionState object in Config that will
be looked up by server remote address during the handshake.

R=golang-codereviews, agl, rsc, agl, agl, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/15680043
2014-01-22 18:24:03 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
1a11255b00 crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake.
Despite SHA256 support being required for TLS 1.2 handshakes, some
servers are aborting handshakes that don't offer SHA1 support.

This change adds support for signing TLS 1.2 ServerKeyExchange messages
with SHA1. It does not add support for signing TLS 1.2 client
certificates with SHA1 as that would require the handshake to be
buffered.

Fixes #6618.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/15650043
2013-10-21 16:35:09 -04:00
Adam Langley
493b985991 crypto/tls: don't select TLS 1.2 cipher suites in prior versions.
AES-GCM cipher suites are only defined for TLS 1.2, although there's
nothing really version specific about them. However, development
versions of NSS (meaning Firefox and Chrome) have an issue where
they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello
but then balk when the server selects one.

This change causes Go clients not to advertise TLS 1.2 cipher suites
unless TLS 1.2 is being used, and prevents servers from selecting them
unless TLS 1.2 has been negotiated.

https://code.google.com/p/chromium/issues/detail?id=297151
https://bugzilla.mozilla.org/show_bug.cgi?id=919677

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13573047
2013-09-26 17:09:56 -04:00
Adam Langley
8eaa99cd77 crypto/tls: fix TLS 1.2 client certificates.
With TLS 1.2, when sending client certificates the code was omitting
the new (in TLS 1.2) signature and hash fields.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13413050
2013-09-16 16:39:42 -04:00
Adam Langley
5774c69eb7 crypto/tls: support AES-GCM.
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
2013-08-29 17:18:59 -04:00
Joel Sing
749a12a83a crypto/tls: Add support for ECDHE-ECDSA
Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server
key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA,
ECDHE-ECDSA also provides PFS.

R=agl
CC=golang-dev
https://golang.org/cl/7006047
2013-07-17 12:33:16 -04:00
Adam Langley
3a888fc059 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Adam Langley
79e7f7decf crypto/tls: support TLS 1.1.
The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/7880043
2013-06-04 20:02:22 -04:00
John Shahid
2946f7013d crypto/tls: Check all certificates in the path.
Currently we only check the leaf node's issuer against the list of
distinguished names in the server's CertificateRequest message. This
will fail if the client certiciate has more than one certificate in
the path and the leaf node issuer isn't in the list of distinguished
names, but the issuer's issuer was in the distinguished names.

R=agl, agl
CC=gobot, golang-dev
https://golang.org/cl/9795043
2013-05-29 11:21:32 -04:00
Adam Langley
13d26a420a crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Dave Cheney
a0608ba23c crypto/tls: fix data race on conn.err
Fixes #3862.

There were many areas where conn.err was being accessed
outside the mutex. This proposal moves the err value to
an embedded struct to make it more obvious when the error
value is being accessed.

As there are no Benchmark tests in this package I cannot
feel confident of the impact of this additional locking,
although most will be uncontended.

R=dvyukov, agl
CC=golang-dev
https://golang.org/cl/6497070
2012-09-06 17:50:26 +10:00
Adam Langley
43927bb46c crypto/tls: always send a Certificate message if one was requested.
If a CertificateRequest is received we have to reply with a
Certificate message, even if we don't have a certificate to offer.

Fixes #3339.

R=golang-dev, r, ality
CC=golang-dev
https://golang.org/cl/5845067
2012-03-19 12:34:35 -04:00
Mikkel Krautz
c8b807a37a crypto/x509: new home for root fetchers; build chains using Windows API
This moves the various CA root fetchers from crypto/tls into crypto/x509.

The move was brought about by issue 2997. Windows doesn't ship with all
its root certificates, but will instead download them as-needed when using
CryptoAPI for certificate verification.

This CL changes crypto/x509 to verify a certificate using the system root
CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is
now implemented using Windows's CryptoAPI. All other root fetchers are
unchanged, and still use Go's own verification code.

The CL also fixes the hostname matching logic in crypto/tls/tls.go, in
order to be able to test whether hostname mismatches are honored by the
Windows verification code.

The move to crypto/x509 also allows other packages to use the OS-provided
root certificates, instead of hiding them inside the crypto/tls package.

Fixes #2997.

R=agl, golang-dev, alex.brainman, rsc, mikkel
CC=golang-dev
https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
Robert Griesemer
788245c9f6 go/printer, gofmt: improved comma placement
Not a Go 1 issue, but appeared to be fairly easy to fix.

- Note that a few existing test cases look slightly worse but
  those cases were not representative for real code. All real
  code looks better now.

- Manual move of the comment in go/scanner/example_test.go
  before applying gofmt.

- gofmt -w $GOROOT/src $GOROOT/misc

Fixes #3062.

R=rsc
CC=golang-dev
https://golang.org/cl/5674093
2012-02-22 11:27:45 -08:00
Adam Langley
8ee5e4091a crypto/tls: better error message when connecting to SSLv3 servers.
We support SSLv3 as a server but not as a client (and we don't want to
support it as a client). This change fixes the error message when
connecting to an SSLv3 server since SSLv3 support on the server side
made mutualVersion accept SSLv3.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5545073
2012-01-31 11:22:47 -05:00
Jeff R. Allen
5fa105421a crypto/tls: Improve TLS Client Authentication
Fix incorrect marshal/unmarshal of certificateRequest.
Add support for configuring client-auth on the server side.
Fix the certificate selection in the client side.
Update generate_cert.go to new time package

Fixes #2521.

R=krautz, agl, bradfitz
CC=golang-dev, mikkel
https://golang.org/cl/5448093
2012-01-05 12:05:38 -05:00
Adam Langley
b5b0822258 crypto/tls: don't assume an RSA private key in the API.
We still very much assume it in the code, but with this change in
place we can implement other things later without changing and users
of the package.

Fixes #2319.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/5489073
2011-12-19 10:39:30 -05:00
Adam Langley
ba3c11f6db crypto: allocate less.
The code in hash functions themselves could write directly into the
output buffer for a savings of about 50ns. But it's a little ugly so I
wasted a copy.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5440111
2011-12-06 18:25:14 -05:00
Adam Langley
c08ab14bad Add a []byte argument to hash.Hash to allow an allocation to be saved.
This is the result of running `gofix -r hashsum` over the tree, changing
the hash function implementations by hand and then fixing a couple of
instances where gofix didn't catch something.

The changed implementations are as simple as possible while still
working: I'm not trying to optimise in this CL.

R=rsc, cw, rogpeppe
CC=golang-dev
https://golang.org/cl/5448065
2011-12-01 12:35:37 -05:00
Russ Cox
37bb6649e2 use new time API
R=bradfitz, gri, r, dsymonds
CC=golang-dev
https://golang.org/cl/5390042
2011-11-30 12:01:46 -05:00
Adam Langley
c9662b8656 crypto/tls: don't rely on map iteration order.
Previously we were using the map iteration order to set the order of
the cipher suites in the ClientHello.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5440048
2011-11-28 15:34:16 -05:00
Russ Cox
107fb7400c src/pkg/[a-m]*: gofix -r error -force=error
R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/5322051
2011-11-01 22:04:37 -04:00
Mikkel Krautz
7697013b51 crypto/tls: fetch root certificates using Mac OS API
Fixes #1009.

R=adg, rsc
CC=golang-dev
https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
Adam Langley
76c2ff557a crypto/tls: support SSLv3
It would be nice not to have to support this since all the clients
that we care about support TLSv1 by now. However, due to buggy
implementations of SSLv3 on the Internet which can't do version
negotiation correctly, browsers will sometimes switch to SSLv3. Since
there's no good way for a browser tell a network problem from a buggy
server, this downgrade can occur even if the server in question is
actually working correctly.

So we need to support SSLv3 for robustness :(

Fixes #1703.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5018045
2011-09-14 15:32:19 -04:00
Robert Griesemer
a5b2e93aa2 os.Error API: don't export os.ErrorString, use os.NewError consistently
This is a core API change.

1) gofix misc src
2) Manual adjustments to the following files under src/pkg:
   gob/decode.go
   rpc/client.go
   os/error.go
   io/io.go
   bufio/bufio.go
   http/request.go
   websocket/client.go
as well as:
   src/cmd/gofix/testdata/*.go.in (reverted)
   test/fixedbugs/bug243.go
3) Implemented gofix patch (oserrorstring.go) and test case (oserrorstring_test.go)

Compiles and runs all tests.

R=r, rsc, gri
CC=golang-dev
https://golang.org/cl/4607052
2011-06-22 10:52:47 -07:00
Adam Langley
c282fa0f0b crypto/tls: use time(), not Time().
The unexported version returns a sensible default when the user hasn't
set a value. The exported version crashes in that case.

R=bradfitzgo, rsc1
CC=golang-dev
https://golang.org/cl/4435070
2011-04-25 10:27:36 -04:00
Adam Langley
24df228d7a crypto: move certificate verification into x509.
People have a need to verify certificates in situations other than TLS
client handshaking. Thus this CL moves certificate verification into
x509 and expands its abilities.

R=bradfitzgo
CC=golang-dev
https://golang.org/cl/4407046
2011-04-19 09:57:58 -04:00
Adam Langley
4f813669cb crypto/tls: add server-side OCSP stapling support.
We already had support on the client side. I also changed the name of
the flag in the ServerHello structure to match the name of the same
flag in the ClientHello (ocspStapling).

R=bradfitzgo
CC=golang-dev
https://golang.org/cl/4408044
2011-04-14 14:47:28 -04:00
Adam Langley
78f486a80c crypto/tls: extend NPN support to the client.
R=bradfitzgo, rsc1, bradfitzwork
CC=golang-dev
https://golang.org/cl/4277085
2011-03-29 17:53:09 -04:00
Adam Langley
09d14e14a9 crypto/tls: make protocol negotiation failure fatal
R=r, r2
CC=golang-dev
https://golang.org/cl/4178054
2011-02-15 16:38:45 -05:00
Adam Langley
b8e817cbf8 crypto: add package.
The crypto package is added as a common place to store identifiers for
hash functions. At the moment, the rsa package has an enumeration of
hash functions and knowledge of their digest lengths. This is an
unfortunate coupling and other high level crypto packages tend to need
to duplicate this enumeration and knowledge (i.e. openpgp).

crypto pulls this code out into a common location.

It would also make sense to add similar support for ciphers to crypto,
but the problem there isn't as acute that isn't done in this change.

R=bradfitzgo, r, rsc
CC=golang-dev
https://golang.org/cl/4080046
2011-02-01 11:02:48 -05:00
Adam Langley
954c3ec034 crypto/tls: add ECDHE support
(ECDHE is "Elliptic Curve Diffie Hellman Ephemeral")

R=rsc
CC=golang-dev
https://golang.org/cl/3668042
2010-12-16 17:10:50 -05:00
Adam Langley
50ac183397 crypto/tls: support CBC ciphers
This is largely based on ality's CL 2747042.

crypto/rc4: API break in order to conform to crypto/cipher's
Stream interface

cipher/cipher: promote to the default build

Since CBC differs between TLS 1.0 and 1.1, we downgrade and
support only 1.0 at the current time. 1.0 is what most of the
world uses.

Given this CL, it would be trival to add support for AES 256,
SHA 256 etc, but I haven't in order to keep the change smaller.

R=rsc
CC=ality, golang-dev
https://golang.org/cl/3659041
2010-12-15 11:49:55 -05:00
Russ Cox
f98d01fb7e crypto/tls: add *Config argument to Dial
Document undocumented exported names.
Allow nil Rand, Time, RootCAs in Config.

Fixes #1248.

R=agl1
CC=golang-dev
https://golang.org/cl/3481042
2010-12-07 16:15:15 -05:00
Adam Langley
93eb884c98 crypto/tls: use pool building for certificate checking
Previously we checked the certificate chain from the leaf
upwards and expected to jump from the last cert in the chain to
a root certificate.

Although technically correct, there are a number of sites with
problems including out-of-order certs, superfluous certs and
missing certs.

The last of these requires AIA chasing, which is a lot of
complexity. However, we can address the more common cases by
using a pool building algorithm, as browsers do.

We build a pool of root certificates and a pool from the
server's chain. We then try to build a path to a root
certificate, using either of these pools.

This differs from the behaviour of, say, Firefox in that Firefox
will accumulate intermedite certificate in a persistent pool in
the hope that it can use them to fill in gaps in future chains.

We don't do that because it leads to confusing errors which only
occur based on the order to sites visited.

This change also enabled SNI for tls.Dial so that sites will return
the correct certificate chain.

R=rsc
CC=golang-dev
https://golang.org/cl/2916041
2010-11-05 09:54:56 -04:00
Adam Langley
dd9f217e6a crypto/tls: better error messages for certificate issues.
Fixes #1146.

R=rsc, agl1
CC=golang-dev
https://golang.org/cl/2380042
2010-10-11 10:39:56 -04:00
Adam Langley
f4b6e2236c crypto/x509, crypto/tls: improve root matching and observe CA flag.
The key/value format of X.500 names means that it's possible to encode
a name with multiple values for, say, organisation. RFC5280
doesn't seem to consider this, but there are Verisign root
certificates which do this and, in order to find the correct
root certificate in some cases, we need to handle it.

Also, CA certificates should set the CA flag and we now check
this. After looking at the other X.509 extensions it appears
that they are universally ignored/bit rotted away so we ignore
them.

R=rsc
CC=golang-dev
https://golang.org/cl/2249042
2010-09-20 12:17:31 -04:00
Jukka-Pekka Kekkonen
f610c8e06b crypto/hmac: make Sum idempotent
Fixes #978.

R=rsc
CC=golang-dev
https://golang.org/cl/1967045
2010-08-26 13:32:29 -04:00
Mikkel Krautz
e85c1c3393 crypto/tls: client certificate support.
This changeset implements client certificate support in crypto/tls
for both handshake_server.go and handshake_client.go

The updated server implementation sends an empty CertificateAuthorities
field in the CertificateRequest, thus allowing clients to send any
certificates they wish. Likewise, the client code will only respond
with its certificate when the server requests a certificate with this
field empty.

R=agl, rsc, agl1
CC=golang-dev
https://golang.org/cl/1975042
2010-08-16 11:22:22 -04:00
Fazlul Shahriar
5f134f7d77 http: add https client support
Fixes #851.

R=rsc
CC=golang-dev
https://golang.org/cl/1729052
2010-07-28 18:13:56 -07:00
Adam Langley
cbf5c897cb crypto/tls: add client-side SNI support and PeerCertificates.
SNI (Server Name Indication) is a way for a TLS client to
indicate to the server which name it knows the server by. This
allows the server to have several names and return the correct
certificate for each (virtual hosting).

PeerCertificates returns the list of certificates presented by
server.

R=r
CC=golang-dev
https://golang.org/cl/1741053
2010-07-21 11:36:01 -04:00
Adam Langley
a54a4371e7 crypto/tls: add client OCSP stapling support.
R=r, rsc
CC=golang-dev
https://golang.org/cl/1750042
2010-07-14 10:40:15 -04:00
Russ Cox
751062bb0e crypto/tls: simpler implementation of record layer
Depends on CL 957045, 980043, 1004043.
Fixes #715.

R=agl1, agl
CC=golang-dev
https://golang.org/cl/943043
2010-04-26 22:19:04 -07:00
Robert Griesemer
c2e73307b5 gofmt: experiment: align values in map composites where possible
- gofmt -w src misc
- looking for feedback

R=rsc, r
CC=golang-dev
https://golang.org/cl/223076
2010-03-02 13:46:51 -08:00
Adam Langley
581072a866 crypto/tls: extensions and Next Protocol Negotiation
Add support for TLS extensions in general and Next Protocol
Negotiation in particular.

R=rsc
CC=golang-dev
https://golang.org/cl/181045
2009-12-23 11:13:09 -08:00
Robert Griesemer
536df07f72 1) Change default gofmt default settings for
parsing and printing to new syntax.

                  Use -oldparser to parse the old syntax,
                  use -oldprinter to print the old syntax.

               2) Change default gofmt formatting settings
                  to use tabs for indentation only and to use
                  spaces for alignment. This will make the code
                  alignment insensitive to an editor's tabwidth.

                  Use -spaces=false to use tabs for alignment.

               3) Manually changed src/exp/parser/parser_test.go
                  so that it doesn't try to parse the parser's
                  source files using the old syntax (they have
                  new syntax now).

               4) gofmt -w src misc test/bench

	       1st set of files.

R=rsc
CC=agl, golang-dev, iant, ken2, r
https://golang.org/cl/180047
2009-12-15 15:33:31 -08:00
Christopher Wedgwood
b80146a4c9 a[b:len(a)] -> a[b:]
R=r, rsc
CC=agl1
https://golang.org/cl/161070
2009-11-30 12:03:43 -08:00
Adam Langley
79f2a55aea crypto/tls: add initial client implementation.
R=rsc, agl
CC=golang-dev
https://golang.org/cl/157076
2009-11-21 15:53:03 -08:00