Commit Graph

104 Commits

Author SHA1 Message Date
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
Brad Burch
0957fdb171 crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing "status_request" extension.

fixes #8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
2018-03-13 08:38:50 +00:00
Peter Wu
824987c5ad tris: implement draft-22 middlebox compatibility mode
Send/Skip CCS, set legacy record version to 3,3 and echo session ID.
CCS must be ignored while the handshake is running, but not thereafter:
https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5

Unconditionally send CCS as server because bogo requires it, even if no
session ID is included in the Client Hello. TLS 1.3 clients MUST ignore
it anyway, so it should not hurt.

Fixes interop with boringssl and openssl and passes bogo.
2017-12-13 20:16:48 +00:00
Peter Wu
92d04f3ebd tris: advertise PSS in Client Hello for TLS 1.3
Until PSS support is finalized for TLS 1.2, let's not advertise support
for that. Since TLS 1.3 however mandates PSS, we have no other option
than advertising this even if we have not added complete support.

Another reason why I apply it to just TLS 1.3 and not 1.2 is because the
latter would require updating the testdata.
2017-12-13 17:39:53 +00:00
Peter Wu
928e35b73a crypto/tls: extract certificate validation for the client
Moved some code and added a comment in preparation for extending the TLS
1.3 client with certificate validation. No functional change.
2017-12-13 17:39:53 +00:00
Peter Wu
9e25a0a25d crypto/tls: initial TLS 1.3 client support
Advertise TLS 1.3 in supported_versions and send a key share for the
first preferred curve. Missing are HRR, certificate validation and
Encrypted Extensions processing (see TODO notes).

For simplicity only a single key share is remembered. This key share
should be updated with a HRR (when implemented).
2017-12-13 17:39:53 +00:00
Peter Wu
634f9a5858 crypto/tls: prepare for TLS 1.3 client handshake.
This change splits handshake processing for TLS 1.3, reindenting the TLS
1.2 code path and splitting initializationg of the handshake hash. No
equivalent is added for processServerHello because session resumption is
not supported yet.
2017-12-13 17:39:53 +00:00
Peter Wu
9eb1d7faf7 crypto/tls: skip session cache for TLS 1.3
Skip reading the session cache if TLS 1.3 is in use (the cache has no
use), skip storing a session if TLS 1.3 is in use (sessionCache can
still be set when TLS 1.2 is allowed).
2017-12-13 17:39:53 +00:00
Peter Wu
9f46cf9e2d crypto/tls: add RSASSA-PSS support for handshake messages
This adds support for RSASSA-PSS signatures in handshake messages as
required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS
when advertised in the Client Hello (this will be done later as the
testdata will change).

Updates #9671

Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
2017-12-13 17:34:03 +00:00
Peter Wu
1850fd015e crypto/tls: consolidate signatures handling in SKE and CV
ServerKeyExchange and CertificateVerify can share the same logic for
picking a signature algorithm (based on the certificate public key and
advertised algorithms), selecting a hash algorithm (depending on TLS
version) and signature verification.

Refactor the code to achieve code reuse, have common error checking
(especially for intersecting supported signature algorithms) and to
prepare for addition of new signature algorithms. Code should be easier
to read since version-dependent logic is concentrated at one place.

Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
2017-12-13 17:34:03 +00:00
Peter Wu
fa9ccdc8b0 Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream
Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts
96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2
f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
54d04c2fcb crypto/tls: remove bookkeeping code from pHash function
d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme.
cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes
d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
5e42658fc0 all: prefer bytes.IndexByte over bytes.Index
d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex
5a986eca86 all: fix article typos
0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache
4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS
b3465646ff crypto/tls: add BenchmarkHandshakeServer
d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice
e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:
 * handshake_client.go: conflict between our ("crypto/tls: allow client to
   pick TLS 1.3, do not enable it by default.") and upstream
   ("crypto/tls: split clientHandshake into multiple methods"), resolve
   by applying the mutualVersion->pickVersion change in pickTLSVersion.
 * handshake_server.go: trivial conflict due to upstreamed patch
   ("crypto/tls: replace signatureAndHash by SignatureScheme.") and
   ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:
 * tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS
   1.3 minimal server") was renamed as required by ("crypto/tls: replace
   signatureAndHash by SignatureScheme.").
 * handshake_client.go: moved check from ("crypto/tls: check that client
   cipher suite matches version") to pickCipherSuite as required by
   ("crypto/tls: split clientHandshake into multiple methods").
2017-11-14 14:26:20 +00:00
Peter Wu
6c380f3bb6 crypto/tls: replace signatureAndHash by SignatureScheme.
Consolidate the signature and hash fields (SignatureAndHashAlgorithm in
TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21).
This makes it easier to add RSASSA-PSS for TLS 1.2 in the future.

Fields were named like "signatureAlgorithm" rather than
"signatureScheme" since that name is also used throughout the 1.3 draft.

The only new public symbol is ECDSAWithSHA1, other than that this is an
internal change with no new functionality.

Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0
Reviewed-on: https://go-review.googlesource.com/62210
Reviewed-by: Adam Langley <agl@golang.org>
2017-10-13 23:25:03 +00:00
Marvin Stenger
8251c0f791 all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
This reverts https://golang.org/cl/66372.

Updates #22148

Change-Id: I3e94af3dfc11a2883bf28e1d5e1f32f98760b3ee
Reviewed-on: https://go-review.googlesource.com/68431
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-10-05 23:19:42 +00:00
Peter Wu
aab74cb372 crypto/tls: allow client to pick TLS 1.3, do not enable it by default.
mutualVersion takes a maximum version, but skips TLS 1.3 because this
version is not negotiated via ClientHello.legacy_version. The server
however still uses its ServerHello.version field to select a version
from the supported_versions extension and the client must do the same.

A new getSupportedVersions method is introduced to have a single place
to handle the mapping of VersionTLS13 to the draft values.

Remove the MaxVersion override to TLS 1.3, users must set MaxVersion if
they intent to use the experimental TLS 1.3 functionality.

Fixes: ("crypto/tls: make 1.3 version negotiation more robust")
2017-09-29 12:47:55 +01:00
Peter Wu
857c7243c9 crypto/tls: check that client cipher suite matches version 2017-09-29 12:47:14 +01:00
Peter Wu
998f77009e crypto/tls: remove TLS13CipherSuites.
To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites,
remove the distinction between both suites. TLS 1.3 suites are now
always included in the default cipher list (and the client will send it
if MaxVersion allows for it).

Since TLS 1.3 is expected to become the default MaxVersion and
applications might have set only TLS 1.2 cipher suites in their
configuration, TLS 1.3 cipher suites are added when none are present.

Alternatively, I considered disallowing overriding the TLS 1.3 suites,
but that requires more complexity and has not much benefits. Provide a
mechanism and do not dictate policy, application developers might want
to fix a cipher suite for testing other implementations for example.

Fixes https://github.com/cloudflare/tls-tris/pull/22
2017-09-29 12:47:14 +01:00
Tom Thorogood
599c1f949b crypto/tls: Don't advertise TLS 1.3-only cipher unless attempting TLS 1.3 2017-09-29 12:47:14 +01:00
Marvin Stenger
d547ccf7ac all: prefer strings.LastIndexByte over strings.LastIndex
strings.LastIndexByte was introduced in go1.5 and it can be used
effectively wherever the second argument to strings.LastIndex is
exactly one byte long.

This avoids generating unnecessary string symbols and saves
a few calls to strings.LastIndex.

Change-Id: I7b5679d616197b055cffe6882a8675d24a98b574
Reviewed-on: https://go-review.googlesource.com/66372
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 00:54:24 +00:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Tomas Susanka
4b944d1428 tris: typos 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4191962f25 crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
341de96a61 crypto/tls: fix Conn.phase data races
Phase should only be accessed under in.Mutex. Handshake and all Read
operations obtain that lock. However, many functions checking for
handshakeRunning only obtain handshakeMutex: reintroduce
handshakeCompleted for them. ConnectionState and Close check for
handshakeConfirmed, introduce an atomic flag for them.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
f8c15889af crypto/tls: implement TLS 1.3 server 0-RTT 2017-09-05 21:06:34 +01:00
Filippo Valsorda
1117f76fcc crypto/tls: return from Handshake before the Client Finished in 1.3 2017-09-05 21:06:34 +01:00
Filippo Valsorda
26a95ba46a [dev.tls] crypto/tls: implement TLS 1.3 cipher suites
I opted for adding a separate TLS13CipherSuites field to the Config
because library users that did not set Config.MaxVersion are
supposed to get TLS 1.3 support automatically, like it has been for
HTTP/2, but having set CipherSuites would effectively disable it.

Updates #9671

Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
2017-09-05 20:29:39 +01:00
Sergey Frolov
95bebf2e8e crypto/tls: split clientHandshake into multiple methods
Change-Id: I23bfaa7e03a21aad4e85baa3bf52bb00c09b75d0
Reviewed-on: https://go-review.googlesource.com/44354
Reviewed-by: Adam Langley <agl@golang.org>
2017-08-09 22:24:19 +00:00
Adam Langley
59e91483bd crypto/tls: reject SNI values with a trailing dot.
SNI values may not include a trailing dot according to
https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls
handled this correctly as a client, it didn't reject this as a server.

This change makes sending an SNI value with a trailing dot a fatal
error.

Updates #18114.

Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631
Reviewed-on: https://go-review.googlesource.com/33904
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-02-01 21:59:57 +00:00
Kevin Burke
72ea563e1e cmd/gofmt, crypto/tls: fix typos
Fix spelling of "original" and "occurred" in new gofmt docs. The same
misspelling of "occurred" was also present in crypto/tls, I fixed it there as
well.

Change-Id: I67b4f1c09bd1a2eb1844207d5514f08a9f525ff9
Reviewed-on: https://go-review.googlesource.com/33138
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-11-11 16:42:40 +00:00
Adam Langley
a1b5b4eab5 crypto/tls: add GetClientCertificate callback
Currently, the selection of a client certificate done internally based
on the limitations given by the server's request and the certifcates in
the Config. This means that it's not possible for an application to
control that selection based on details of the request.

This change adds a callback, GetClientCertificate, that is called by a
Client during the handshake and which allows applications to select the
best certificate at that time.

(Based on https://golang.org/cl/25570/ by Bernd Fix.)

Fixes #16626.

Change-Id: Ia4cea03235d2aa3c9fd49c99c227593c8e86ddd9
Reviewed-on: https://go-review.googlesource.com/32115
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-27 17:20:07 +00:00
Joshua Boelter
a660d3e993 crypto/tls: add VerifyPeerCertificate to tls.Config
VerifyPeerCertificate returns an error if the peer should not be
trusted. It will be called after the initial handshake and before
any other verification checks on the cert or chain are performed.
This provides the callee an opportunity to augment the certificate
verification.

If VerifyPeerCertificate is not nil and returns an error,
then the handshake will fail.

Fixes #16363

Change-Id: I6a22f199f0e81b6f5d5f37c54d85ab878216bb22
Reviewed-on: https://go-review.googlesource.com/26654
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-24 23:24:11 +00:00
Adam Langley
5b97009ebb crypto/tls: simplify keylog tests.
Since there's no aspect of key logging that OpenSSL can check for us,
the tests for it might as well just connect to another goroutine as this
is lower-maintainance.

Change-Id: I746d1dbad1b4bbfc8ef6ccf136ee4824dbda021e
Reviewed-on: https://go-review.googlesource.com/30089
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Joonas Kuorilehto <joneskoo@derbian.fi>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-01 15:50:11 +00:00
Joonas Kuorilehto
f513433c3e crypto/tls: add KeyLogWriter for debugging
Add support for writing TLS client random and master secret
in NSS key log format.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format

Normally this is enabled by a developer debugging TLS based
applications, especially HTTP/2, by setting the KeyLogWriter
to an open file. The keys negotiated in handshake are then
logged and can be used to decrypt TLS sessions e.g. in Wireshark.

Applications may choose to add support similar to NSS where this
is enabled by environment variable, but no such mechanism is
built in to Go. Instead each application must explicitly enable.

Fixes #13057.

Change-Id: If6edd2d58999903e8390b1674ba4257ecc747ae1
Reviewed-on: https://go-review.googlesource.com/27434
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-27 17:20:55 +00:00
Adam Langley
0d94116736 crypto/tls: buffer handshake messages.
This change causes TLS handshake messages to be buffered and written in
a single Write to the underlying net.Conn.

There are two reasons to want to do this:

Firstly, it's slightly preferable to do this in order to save sending
several, small packets over the network where a single one will do.

Secondly, since 37c28759ca46cf381a466e32168a793165d9c9e9 errors from
Write have been returned from a handshake. This means that, if a peer
closes the connection during a handshake, a “broken pipe” error may
result from tls.Conn.Handshake(). This can mask any, more detailed,
fatal alerts that the peer may have sent because a read will never
happen.

Buffering handshake messages means that the peer will not receive, and
possibly reject, any of a flow while it's still being written.

Fixes #15709

Change-Id: I38dcff1abecc06e52b2de647ea98713ce0fb9a21
Reviewed-on: https://go-review.googlesource.com/23609
Reviewed-by: Andrew Gerrand <adg@golang.org>
Run-TryBot: Andrew Gerrand <adg@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-06-01 23:26:04 +00:00
Adam Langley
07b6287f24 crypto/tls: allow renegotiation to be handled by a client.
This change adds Config.Renegotiation which controls whether a TLS
client will accept renegotiation requests from a server. This is used,
for example, by some web servers that wish to “add” a client certificate
to an HTTPS connection.

This is disabled by default because it significantly complicates the
state machine.

Originally, handshakeMutex was taken before locking either Conn.in or
Conn.out. However, if renegotiation is permitted then a handshake may
be triggered during a Read() call. If Conn.in were unlocked before
taking handshakeMutex then a concurrent Read() call could see an
intermediate state and trigger an error. Thus handshakeMutex is now
locked after Conn.in and the handshake functions assume that Conn.in is
locked for the duration of the handshake.

Additionally, handshakeMutex used to protect Conn.out also. With the
possibility of renegotiation that's no longer viable and so
writeRecordLocked has been split off.

Fixes #5742.

Change-Id: I935914db1f185d507ff39bba8274c148d756a1c8
Reviewed-on: https://go-review.googlesource.com/22475
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-04-28 17:56:28 +00:00
Adam Langley
df48510552 crypto/tls: make error prefix uniform.
Error strings in this package were all over the place: some were
prefixed with “tls:”, some with “crypto/tls:” and some didn't have a
prefix.

This change makes everything use the prefix “tls:”.

Change-Id: Ie8b073c897764b691140412ecd6613da8c4e33a2
Reviewed-on: https://go-review.googlesource.com/21893
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2016-04-14 16:28:53 +00:00
David Benjamin
ca4a3279f9 crypto/tls: Enforce that version and cipher match on resume.
Per RFC 5246, 7.4.1.3:

   cipher_suite
      The single cipher suite selected by the server from the list in
      ClientHello.cipher_suites.  For resumed sessions, this field is
      the value from the state of the session being resumed.

The specifications are not very clearly written about resuming sessions
at the wrong version (i.e. is the TLS 1.0 notion of "session" the same
type as the TLS 1.1 notion of "session"?). But every other
implementation enforces this check and not doing so has some odd
semantics.

Change-Id: I6234708bd02b636c25139d83b0d35381167e5cad
Reviewed-on: https://go-review.googlesource.com/21153
Reviewed-by: Adam Langley <agl@golang.org>
2016-04-12 01:07:46 +00:00
Emmanuel Odeke
e15014c62b crypto/tls: minor refactors for readability
Change-Id: I93e73f16474b4b31f7097af2f9479822dfc34c5c
Reviewed-on: https://go-review.googlesource.com/20678
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-14 21:17:37 +00:00
Tamir Duberstein
326f5bb02b crypto/tls: check errors from (*Conn).writeRecord
This promotes a connection hang during TLS handshake to a proper error.
This doesn't fully address #14539 because the error reported in that
case is a write-on-socket-not-connected error, which implies that an
earlier error during connection setup is not being checked, but it is
an improvement over the current behaviour.

Updates #14539.

Change-Id: I0571a752d32d5303db48149ab448226868b19495
Reviewed-on: https://go-review.googlesource.com/19990
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-02 18:20:46 +00:00
Mikio Hara
75d204850c crypto/tls: don't send IPv6 literals and absolute FQDNs as SNI values
This is a followup change to #13111 for filtering out IPv6 literals and
absolute FQDNs from being as the SNI values.

Updates #13111.
Fixes #14404.

Change-Id: I09ab8d2a9153d9a92147e57ca141f2e97ddcef6e
Reviewed-on: https://go-review.googlesource.com/19704
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-02-27 10:05:53 +00:00
Ralph Corderoy
96e5bf3ce5 crypto/tls: Server can specify an unadvertised cipher suite
During the TLS handshake, check the cipher suite the server selects is
one of those offered in the ClientHello.  The code was checking it was
in the larger list that was sometimes whittled down for the ClientHello.

Fixes #13174

Change-Id: Iad8eebbcfa5027f30403b9700c43cfa949e135bb
Reviewed-on: https://go-review.googlesource.com/16698
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-11-26 17:22:57 +00:00
Adam Langley
f75fa96c2c crypto/tls: don't send IP literals as SNI values.
(This relands commit a4dcc692011bf1ceca9b1a363fd83f3e59e399ee.)

https://tools.ietf.org/html/rfc6066#section-3 states:

  “Literal IPv4 and IPv6 addresses are not permitted in "HostName".”

However, if an IP literal was set as Config.ServerName (which could
happen as easily as calling Dial with an IP address) then the code would
send the IP literal as the SNI value.

This change filters out IP literals, as recognised by net.ParseIP, from
being sent as the SNI value.

Fixes #13111.

Change-Id: I6e544a78a01388f8fe98150589d073b917087f75
Reviewed-on: https://go-review.googlesource.com/16776
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-10 22:17:16 +00:00
Adam Langley
367577a70f Revert "crypto/tls: don't send IP literals as SNI values."
This reverts commit a4dcc692011bf1ceca9b1a363fd83f3e59e399ee.

Change-Id: Ib55fd349a604d6b5220dac20327501e1ce46b962
Reviewed-on: https://go-review.googlesource.com/16770
Reviewed-by: Adam Langley <agl@golang.org>
2015-11-09 23:16:51 +00:00
Adam Langley
25dd71bbe6 crypto/tls: don't send IP literals as SNI values.
https://tools.ietf.org/html/rfc6066#section-3 states:

  “Literal IPv4 and IPv6 addresses are not permitted in "HostName".”

However, if an IP literal was set as Config.ServerName (which could
happen as easily as calling Dial with an IP address) then the code would
send the IP literal as the SNI value.

This change filters out IP literals, as recognised by net.ParseIP, from
being sent as the SNI value.

Fixes #13111.

Change-Id: Ie9ec7acc767ae172b48c9c6dd8d84fa27b1cf0de
Reviewed-on: https://go-review.googlesource.com/16742
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-11-09 23:09:48 +00:00
Russ Cox
9c9b97f554 crypto/tls: fix ConnectionState().VerifiedChains for resumed connection
Strengthening VerifyHostname exposed the fact that for resumed
connections, ConnectionState().VerifiedChains was not being saved
and restored during the ClientSessionCache operations.
Do that.

This change just saves the verified chains in the client's session
cache. It does not re-verify the certificates when resuming a
connection.

There are arguments both ways about this: we want fast, light-weight
resumption connections (thus suggesting that we shouldn't verify) but
it could also be a little surprising that, if the verification config
is changed, that would be ignored if the same session cache is used.

On the server side we do re-verify client-auth certificates, but the
situation is a little different there. The client session cache is an
object in memory that's reset each time the process restarts. But the
server's session cache is a conceptual object, held by the clients, so
can persist across server restarts. Thus the chance of a change in
verification config being surprisingly ignored is much higher in the
server case.

Fixes #12024.

Change-Id: I3081029623322ce3d9f4f3819659fdd9a381db16
Reviewed-on: https://go-review.googlesource.com/13164
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-05 19:59:28 +00:00
Adam Langley
728bcd44b6 crypto/tls: decouple handshake signatures from the handshake hash.
Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.

TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.

Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.

However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.

Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.

This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.

This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.

It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.

Much of this code was written by davidben@ for the purposes of testing
BoringSSL.

Partly addresses #9757

Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-30 03:47:02 +00:00
Jonathan Rudenberg
8ea126be4d crypto/tls: add support for Certificate Transparency
This change adds support for serving and receiving Signed Certificate
Timestamps as described in RFC 6962.

The server is now capable of serving SCTs listed in the Certificate
structure. The client now asks for SCTs and, if any are received,
they are exposed in the ConnectionState structure.

Fixes #10201

Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb
Reviewed-on: https://go-review.googlesource.com/8988
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2015-04-26 16:53:11 +00:00
Jacob H. Haven
e8ae7b54bb crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289
Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256).
Testdata were all updated to correspond with the new cipher suites in the handshake.

Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f
Reviewed-on: https://go-review.googlesource.com/3265
Reviewed-by: Adam Langley <agl@golang.org>
2015-02-04 00:18:14 +00:00
Adam Langley
b88cd69926 crypto: add Signer
Signer is an interface to support opaque private keys.
These keys typically result from being kept in special hardware
(i.e. a TPM) although sometimes operating systems provide a
similar interface using process isolation for security rather
than hardware boundaries.

This changes provides interfaces for representing them and
alters crypto/tls so that client certificates can use
opaque keys.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews, jdeprez
https://golang.org/cl/114680043
2014-08-29 12:36:30 -07:00
Andres Erbsen
16b2f42015 crypto/tls: implement tls-unique channel binding (RFC 5929 section 3).
Tested against GnuTLS and Python.

LGTM=agl
R=golang-codereviews, agl, ashankar
CC=agl, golang-codereviews
https://golang.org/cl/117100043
2014-08-11 16:40:42 -07:00
Adam Langley
5e8d397065 crypto/tls: add ALPN support.
Fixes #6736.

LGTM=mikioh.mikioh
R=bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/108710046
2014-08-05 11:36:20 -07:00