Commit Graph

334 Commits

Author SHA1 Message Date
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
2680804ebc crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.

Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.

Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.

A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.

Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes #7342.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/67010043
2014-02-21 15:56:41 -05:00
Adam Langley
dbe3452407 crypto/x509: add example of using a custom root list.
Fixes #6267.

LGTM=r, josharian
R=golang-codereviews, josharian, r
CC=golang-codereviews
https://golang.org/cl/61020043
2014-02-19 11:18:35 -05:00
Adam Langley
ae10e2fdd9 crypto/tls: improve documentation for ServerName.
Users of the low-level, Client function are frequenctly missing the
fact that, unless they pass a ServerName to the TLS connection then it
cannot verify the certificates against any name.

This change makes it clear that at least one of InsecureSkipVerify and
ServerName should always be set.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/65440043
2014-02-19 11:17:09 -05:00
Adam Langley
5a2aacff2f crypto/tls: better error messages.
LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/60580046
2014-02-12 11:20:01 -05:00
Anthony Martin
8cf5d703de crypto/tls: do not send the current time in hello messages
This reduces the ability to fingerprint TLS connections.

The impeteus for this change was a recent change to OpenSSL
by Nick Mathewson:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2016265dfb

LGTM=agl
R=agl
CC=golang-codereviews
https://golang.org/cl/57230043
2014-02-04 10:51:37 -05:00
Gautham Thambidorai
9323f900fd crypto/tls: Client side support for TLS session resumption.
Adam (agl@) had already done an initial review of this CL in a branch.

Added ClientSessionState to Config which now allows clients to keep state
required to resume a TLS session with a server. A client handshake will try
and use the SessionTicket/MasterSecret in this cached state if the server
acknowledged resumption.

We also added support to cache ClientSessionState object in Config that will
be looked up by server remote address during the handshake.

R=golang-codereviews, agl, rsc, agl, agl, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/15680043
2014-01-22 18:24:03 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
98968dca72 crypto/tls: rework reference tests.
The practice of storing reference connections for testing has worked
reasonably well, but the large blocks of literal data in the .go files
is ugly and updating the tests is a real problem because their number
has grown.

This CL changes the way that reference tests work. It's now possible to
automatically update the tests and the test data is now stored in
testdata/. This should make it easier to implement changes that affect
all connections, like implementing the renegotiation extension.

R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/42060044
2013-12-20 11:37:05 -05:00
Adam Langley
75982d4f0c crypto/tls: generate random serial numbers.
NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
2013-12-15 12:57:57 -05:00
Adam Langley
1a11255b00 crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake.
Despite SHA256 support being required for TLS 1.2 handshakes, some
servers are aborting handshakes that don't offer SHA1 support.

This change adds support for signing TLS 1.2 ServerKeyExchange messages
with SHA1. It does not add support for signing TLS 1.2 client
certificates with SHA1 as that would require the handshake to be
buffered.

Fixes #6618.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/15650043
2013-10-21 16:35:09 -04:00
Russ Cox
a13de249ee crypto/tls: document ConnectionState fields
Fixes #6456.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/14289043
2013-10-02 21:40:01 -04:00
Frithjof Schulze
3ee1782da4 crypto/tls: Update reference to the TLS 1.2 RFC.
Ticket 13740047 updated the documented TLS version to 1.2.
This also updates the RFC refered to.

R=golang-dev
CC=golang-dev, rsc
https://golang.org/cl/14029043
2013-10-02 12:09:13 -04:00
Adam Langley
493b985991 crypto/tls: don't select TLS 1.2 cipher suites in prior versions.
AES-GCM cipher suites are only defined for TLS 1.2, although there's
nothing really version specific about them. However, development
versions of NSS (meaning Firefox and Chrome) have an issue where
they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello
but then balk when the server selects one.

This change causes Go clients not to advertise TLS 1.2 cipher suites
unless TLS 1.2 is being used, and prevents servers from selecting them
unless TLS 1.2 has been negotiated.

https://code.google.com/p/chromium/issues/detail?id=297151
https://bugzilla.mozilla.org/show_bug.cgi?id=919677

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13573047
2013-09-26 17:09:56 -04:00
Russ Cox
a40b48d4e0 crypto/tls: document that the package supports TLS 1.2
Fixes #6456.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13740047
2013-09-23 16:05:23 -04:00
Adam Langley
679f6ca983 crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate.
47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the
cipher suite selection to take that into account. Thus Go servers could
try and select an ECDSA cipher suite while only having an RSA
certificate, leading to connection failures.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13239053
2013-09-17 13:30:36 -04:00
Adam Langley
8eaa99cd77 crypto/tls: fix TLS 1.2 client certificates.
With TLS 1.2, when sending client certificates the code was omitting
the new (in TLS 1.2) signature and hash fields.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13413050
2013-09-16 16:39:42 -04:00
Adam Langley
5774c69eb7 crypto/tls: support AES-GCM.
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
2013-08-29 17:18:59 -04:00
Joel Sing
749a12a83a crypto/tls: Add support for ECDHE-ECDSA
Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server
key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA,
ECDHE-ECDSA also provides PFS.

R=agl
CC=golang-dev
https://golang.org/cl/7006047
2013-07-17 12:33:16 -04:00
Adam Langley
3a888fc059 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Frithjof Schulze
0084d30351 crypto/tls: Change TLS version to 1.1 in the package comment.
Also use 2048-bit RSA keys as default in generate_cert.go,
as recommended by the NIST.

R=golang-dev, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/10676043
2013-06-27 11:23:55 -07:00
Adam Langley
320cfd8f47 crypto/tls: change advertised ciphersuite order.
TLS clients send ciphersuites in preference order (most prefereable
first). This change alters the order so that ECDHE comes before plain
RSA, and RC4 comes before AES (because of the Lucky13 attack).

This is unlikely to have much effect: as a server, the code uses the
client's ciphersuite order by default and, as a client, the non-Go
server probably imposes its order.

R=golang-dev, r, raggi, jsing
CC=golang-dev
https://golang.org/cl/10372045
2013-06-19 16:46:53 -04:00
Adam Langley
79e7f7decf crypto/tls: support TLS 1.1.
The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/7880043
2013-06-04 20:02:22 -04:00
John Shahid
2946f7013d crypto/tls: Check all certificates in the path.
Currently we only check the leaf node's issuer against the list of
distinguished names in the server's CertificateRequest message. This
will fail if the client certiciate has more than one certificate in
the path and the leaf node issuer isn't in the list of distinguished
names, but the issuer's issuer was in the distinguished names.

R=agl, agl
CC=gobot, golang-dev
https://golang.org/cl/9795043
2013-05-29 11:21:32 -04:00
Adam Langley
f41a7e7ee6 crypto/tls: don't send NPN extension if NextProtos is not set.
This isn't clearly a bug on Go's part, but it triggers a bug in Firefox
which means that crypto/tls and net/http cannot be wired up together
unless NextProtos includes "http/1.1". When net/http sets up the
tls.Config, it does this and so works fine. But anyone setting up the
tls.Config themselves will hit the Firefox bug.

Fixes #5445.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/9539045
2013-05-21 10:47:31 -04:00
Adam Langley
44490a3db4 crypto/tls: fix flakey test.
A test added in b37d2fdcc4d9 didn't work with some values of GOMAXPROCS
because the defer statements were in the wrong order: the Pipe could be
closed before the TLS Client was.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/9187047
2013-05-16 12:29:23 -04:00
Adam Langley
7b0cd8f727 crypto/tls: ignore empty TLS records.
OpenSSL can be configured to send empty records in order to randomise
the CBC IV. This is an early version of 1/n-1 record splitting (that Go
does) and is quite reasonable, but it results in tls.Conn.Read
returning (0, nil).

This change ignores up to 100 consecutive, empty records to avoid
returning (0, nil) to callers.

Fixes 5309.

R=golang-dev, r, minux.ma
CC=golang-dev
https://golang.org/cl/8852044
2013-05-15 10:25:54 -04:00
Brad Fitzpatrick
4b14a48417 crypto/tls: use method values
Currently fails with a compiler error, though.

R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/7933043
2013-03-20 23:53:38 -04:00
Adam Langley
b9ddc2767a crypto/x509: support IP SANs.
Subject Alternative Names in X.509 certificates may include IP
addresses. This change adds support for marshaling, unmarshaling and
verifying this form of SAN.

It also causes IP addresses to only be checked against IP SANs,
rather than against hostnames as was previously the case. This
reflects RFC 6125.

Fixes #4658.

R=golang-dev, mikioh.mikioh, bradfitz
CC=golang-dev
https://golang.org/cl/7336046
2013-02-15 10:40:17 -05:00
Adam Langley
9d5e7dd72f crypto/tls: allow the server to enforce its ciphersuite preferences.
Previously, Go TLS servers always took the client's preferences into
account when selecting a ciphersuite. This change adds the option of
using the server's preferences, which can be expressed by setting
tls.Config.CipherSuites.

This mirrors Apache's SSLHonorCipherOrder directive.

R=golang-dev, nightlyone, bradfitz, ality
CC=golang-dev
https://golang.org/cl/7163043
2013-01-22 10:10:38 -05:00
Brad Fitzpatrick
ada990689f crypto/tls: fix loading keys labeled just "PRIVATE KEY"
Worked in Go 1, broken in f440e65f93fe.

Fixes #4477

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6865043
2012-12-01 11:02:08 -08:00
Anthony Martin
a954c40163 crypto/tls: use 1/n-1 record splitting to protect against BEAST
This requires rebasing the block-mode test scripts.
I used GnuTLS version 3.1.4.

R=agl
CC=golang-dev
https://golang.org/cl/6844073
2012-11-26 10:56:39 -08:00
Robin Eklind
3f2e394f59 archive/zip, crypto/tls, net/http: Fix print format errors.
All of the errors were located using "go vet ./..." in "src/pkg".

R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/6856056
2012-11-16 17:24:43 -08:00
Joel Sing
d7e46146f4 crypto/tls: add support for loading EC X.509 key pairs
Add support for loading X.509 key pairs that consist of a certificate
with an EC public key and its corresponding EC private key.

R=agl
CC=golang-dev
https://golang.org/cl/6776043
2012-11-16 19:33:59 +11:00
Robert Griesemer
ff9c946903 gofmt: apply gofmt -w src misc
Remove trailing whitespace in comments.
No other changes.

R=r
CC=golang-dev
https://golang.org/cl/6815053
2012-10-30 13:38:01 -07:00
Adam Langley
489bd5ddd5 crypto/tls: make closeNotify a warning alert.
The RFC doesn't actually have an opinion on whether this is a fatal or
warning level alert, but common practice suggests that it should be a
warning.

This involves rebasing most of the tests.

Fixes #3413.

R=golang-dev, shanemhansen, rsc
CC=golang-dev
https://golang.org/cl/6654050
2012-10-16 15:40:37 -04:00
Adam Langley
cf463f462c crypto/tls: fix NPN extension parsing.
I typoed the code and tried to parse all the way to the end of the
message. Therefore it fails when NPN is not the last extension in the
ServerHello.

Fixes #4088.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6637052
2012-10-09 13:25:47 -04:00
Adam Langley
13d26a420a crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Adam Langley
d263b7d38c crypto/tls: allow certificates and key to be in either order.
X509KeyPair wasn't really supposed to allow the certificate and
key to be in the same file, but it did work if you put the key
first. Since some HTTPS servers support loading keys and certs
like this, this change makes it work in either order.

Fixes #3986.

R=golang-dev, dave, rsc
CC=golang-dev
https://golang.org/cl/6499103
2012-09-13 11:00:16 -04:00
Dave Cheney
a0608ba23c crypto/tls: fix data race on conn.err
Fixes #3862.

There were many areas where conn.err was being accessed
outside the mutex. This proposal moves the err value to
an embedded struct to make it more obvious when the error
value is being accessed.

As there are no Benchmark tests in this package I cannot
feel confident of the impact of this additional locking,
although most will be uncontended.

R=dvyukov, agl
CC=golang-dev
https://golang.org/cl/6497070
2012-09-06 17:50:26 +10:00
Adam Langley
22777bcc54 crypto/tls: return better error message in the case of an SSLv2 handshake.
Update #3930
Return a better error message in this situation.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6474055
2012-08-23 16:44:44 -04:00
Mikkel Krautz
0c7b858b3e crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier
will treat the certificate as a server certificate and require
it to have a ExtKeyUsageServerAuth key usage.

R=golang-dev
CC=golang-dev
https://golang.org/cl/6453148
2012-08-18 15:50:33 -07:00
Adam Langley
d32fa8a79a crypto/tls: remove flakey tests
This removes some (non-short only) tests that involved connections to
the outside world and thus were flakey. This does remove some test
coverage of the root fetchers on non-Windows platforms, but the right
place for that is crypto/x509.

R=golang-dev, krautz, rsc
CC=golang-dev
https://golang.org/cl/6455085
2012-08-03 13:28:05 -04:00
Benjamin Black
8c517a7cdf tls: add AES256 ciphers
R=golang-dev, rsc, agl
CC=golang-dev
https://golang.org/cl/6188061
2012-05-18 11:06:58 -04:00
Michael Gehring
615733d170 crypto/tls: fix decoding of certLen in certificateMsg.unmarshal
certLen was decoded incorrectly if length > 2^16-1.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6197077
2012-05-14 12:26:29 -04:00
Adam Langley
30b2db1e5f crypto/tls: don't always use the default private key.
When SNI based certificate selection is enabled, we previously used
the default private key even if we selected a non-default certificate.

Fixes #3367.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5987058
2012-04-12 12:35:21 -04:00
Adam Langley
ca7f685323 crypto/tls: update how we create testing scripts.
crypto/tls is tested, in part, by replaying recorded TLS connections
and checking that the bytes sent by the Go code haven't changed.

Previously we used GnuTLS's debug output and extracted the bytes of
the TLS connection using a Python script. That wasn't great, and I
think GnuTLS removed that level of debugging in a more current
release.

This change records the connection with Go code and adds a test for
ECDHE-AES clients generating using this method.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5988048
2012-04-11 12:55:57 -04:00
Adam Langley
5c7df56059 crypto/tls: don't select ECC ciphersuites with no mutual curve.
The existing code that tried to prevent ECC ciphersuites from being
selected when there were no mutual curves still left |suite| set.
This lead to a panic on a nil pointer when there were no acceptable
ciphersuites at all.

Thanks to George Kadianakis for pointing it out.

R=golang-dev, r, bradfitz
CC=golang-dev
https://golang.org/cl/5857043
2012-03-23 10:48:51 -04:00
Adam Langley
43927bb46c crypto/tls: always send a Certificate message if one was requested.
If a CertificateRequest is received we have to reply with a
Certificate message, even if we don't have a certificate to offer.

Fixes #3339.

R=golang-dev, r, ality
CC=golang-dev
https://golang.org/cl/5845067
2012-03-19 12:34:35 -04:00
Robert Hencke
46f6bfea8f crypto/tls, fmt: print fixes
R=golang-dev, bradfitz, minux.ma, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/5787069
2012-03-12 12:04:45 +09:00