Commit Graph

58 Commits

Author SHA1 Message Date
Rob Pike
5bf12753e9 all: fix some vet-caught formatting errors, mostly but not only in tests
Could go in 1.5, although not critical.
See also #12107

Change-Id: I7f1608b58581d21df4db58f0db654fef79e33a90
Reviewed-on: https://go-review.googlesource.com/13481
Reviewed-by: Dave Cheney <dave@cheney.net>
2015-08-21 05:37:36 +00:00
Adam Langley
bd4954ddeb crypto/tls: update testing certificates.
This change alters the certificate used in many tests so that it's no
longer self-signed. This allows some tests to exercise the standard
certificate verification paths in the future.

Change-Id: I9c3fcd6847eed8269ff3b86d9b6966406bf0642d
Reviewed-on: https://go-review.googlesource.com/13244
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-05 19:06:51 +00:00
Adam Langley
0269b0170f crypto/tls: call GetCertificate if Certificates is empty.
This change causes the GetCertificate callback to be called if
Certificates is empty. Previously this configuration would result in an
error.

This allows people to have servers that depend entirely on dynamic
certificate selection, even when the client doesn't send SNI.

Fixes #9208.

Change-Id: I2f5a5551215958b88b154c64a114590300dfc461
Reviewed-on: https://go-review.googlesource.com/8792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-26 22:00:35 +00:00
Jonathan Rudenberg
8ea126be4d crypto/tls: add support for Certificate Transparency
This change adds support for serving and receiving Signed Certificate
Timestamps as described in RFC 6962.

The server is now capable of serving SCTs listed in the Certificate
structure. The client now asks for SCTs and, if any are received,
they are exposed in the ConnectionState structure.

Fixes #10201

Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb
Reviewed-on: https://go-review.googlesource.com/8988
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2015-04-26 16:53:11 +00:00
Jonathan Rudenberg
65d33c3580 crypto/tls: fix test data generation
- Multiple GetCertificate tests shared the same name and were
  overwriting each other, each test now has a unique name.
- expectAlert was not implemented in the data updater, the single
  test that used it has been replaced with a ClientHello failure
  test.

Fixes #10470

Change-Id: I500738f6302ffa863d7ee45d85fa8773155e0614
Reviewed-on: https://go-review.googlesource.com/8959
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-16 18:16:37 +00:00
Adam Langley
0c7dc105c1 crypto/tls: tidy up a little and add test.
This is a follow on to 28f33b4a which removes one of the boolean flags
and adds a test for the key-driven cipher selection.

Change-Id: If2a400de807eb19110352912a9f467491cc8986c
Reviewed-on: https://go-review.googlesource.com/8428
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Jacob Haven <jacob@cloudflare.com>
2015-04-04 00:06:21 +00:00
Adam Langley
c1da171db7 crypto/tls: disable RC4 by default.
RC4 is frowned upon[1] at this point and major providers are disabling it
by default[2].

Those who still need RC4 support in crypto/tls can enable it by
specifying the CipherSuites slice in crypto/tls.Config explicitly.

Fixes #10094.

[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-18 00:38:14 +00:00
Joël Stemmer
921f871f9e crypto/tls: fix typo in tls handshake error
Change-Id: Ia9f39250619ea6e94157efceddfb2e02d35f3ae2
Reviewed-on: https://go-review.googlesource.com/7041
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-06 18:18:40 +00:00
Jacob H. Haven
e8ae7b54bb crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289
Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256).
Testdata were all updated to correspond with the new cipher suites in the handshake.

Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f
Reviewed-on: https://go-review.googlesource.com/3265
Reviewed-by: Adam Langley <agl@golang.org>
2015-02-04 00:18:14 +00:00
Adam Langley
0581a2f81d crypto/tls: fix renegotiation extension.
There are two methods by which TLS clients signal the renegotiation
extension: either a special cipher suite value or a TLS extension.

It appears that I left debugging code in when I landed support for the
extension because there's a "+ 1" in the switch statement that shouldn't
be there.

The effect of this is very small, but it will break Firefox if
security.ssl.require_safe_negotiation is enabled in about:config.
(Although almost nobody does this.)

This change fixes the original bug and adds a test. Sadly the test is a
little complex because there's no OpenSSL s_client option that mirrors
that behaviour of require_safe_negotiation.

Change-Id: Ia6925c7d9bbc0713e7104228a57d2d61d537c07a
Reviewed-on: https://go-review.googlesource.com/1900
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-01-06 19:50:07 +00:00
Ben Burkert
18902d24a3 crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version
Fix TLS_FALLBACK_SCSV check when comparing the client version to the
default max version. This enables the TLS_FALLBACK_SCSV check by default
in servers that do not explicitly set a max version in the tls config.

Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e
Reviewed-on: https://go-review.googlesource.com/1776
Reviewed-by: Adam Langley <agl@golang.org>
2014-12-18 19:36:01 +00:00
Adam Langley
4e47a4aef7 crypto/tls: support TLS_FALLBACK_SCSV as a server.
A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only
supports SSLv3 as a server, not as a client. An easy fix is to change
the default minimum version to TLS 1.0 but that seems a little much
this late in the 1.4 process as it may break some things.

Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a
mechanism for solving the fallback problem overall. Chrome has
implemented this since February and Google has urged others to do so in
light of yesterday's news.

With this change, clients can indicate that they are doing a fallback
connection and Go servers will be able to correctly reject them.

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/157090043
2014-10-15 17:54:04 -07:00
Adam Langley
d279bab6f5 crypto/tls: ensure that we don't resume when tickets are disabled.
LGTM=r
R=r, adg, rsc
https://golang.org/cl/148080043
2014-09-26 11:02:09 +10:00
Percy Wegmann
9e441ebf1d crypto/tls: Added dynamic alternative to NameToCertificate map for SNI
Revised version of https://golang.org/cl/81260045/

LGTM=agl
R=golang-codereviews, gobot, agl, ox
CC=golang-codereviews
https://golang.org/cl/107400043
2014-08-06 11:22:00 -07:00
Adam Langley
5e8d397065 crypto/tls: add ALPN support.
Fixes #6736.

LGTM=mikioh.mikioh
R=bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/108710046
2014-08-05 11:36:20 -07:00
Robert Griesemer
601d9250e6 src, misc: applied gofmt -w -s
TBR=rsc
R=golang-codereviews
CC=golang-codereviews
https://golang.org/cl/111770043
2014-07-01 10:28:10 -07:00
Adam Langley
24720a0864 crypto/tls: report TLS version in ConnectionState.
Fixes #7231.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/68250043
2014-02-24 18:01:28 -05:00
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
5a2aacff2f crypto/tls: better error messages.
LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/60580046
2014-02-12 11:20:01 -05:00
Gautham Thambidorai
9323f900fd crypto/tls: Client side support for TLS session resumption.
Adam (agl@) had already done an initial review of this CL in a branch.

Added ClientSessionState to Config which now allows clients to keep state
required to resume a TLS session with a server. A client handshake will try
and use the SessionTicket/MasterSecret in this cached state if the server
acknowledged resumption.

We also added support to cache ClientSessionState object in Config that will
be looked up by server remote address during the handshake.

R=golang-codereviews, agl, rsc, agl, agl, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/15680043
2014-01-22 18:24:03 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
98968dca72 crypto/tls: rework reference tests.
The practice of storing reference connections for testing has worked
reasonably well, but the large blocks of literal data in the .go files
is ugly and updating the tests is a real problem because their number
has grown.

This CL changes the way that reference tests work. It's now possible to
automatically update the tests and the test data is now stored in
testdata/. This should make it easier to implement changes that affect
all connections, like implementing the renegotiation extension.

R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/42060044
2013-12-20 11:37:05 -05:00
Adam Langley
493b985991 crypto/tls: don't select TLS 1.2 cipher suites in prior versions.
AES-GCM cipher suites are only defined for TLS 1.2, although there's
nothing really version specific about them. However, development
versions of NSS (meaning Firefox and Chrome) have an issue where
they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello
but then balk when the server selects one.

This change causes Go clients not to advertise TLS 1.2 cipher suites
unless TLS 1.2 is being used, and prevents servers from selecting them
unless TLS 1.2 has been negotiated.

https://code.google.com/p/chromium/issues/detail?id=297151
https://bugzilla.mozilla.org/show_bug.cgi?id=919677

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13573047
2013-09-26 17:09:56 -04:00
Adam Langley
679f6ca983 crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate.
47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the
cipher suite selection to take that into account. Thus Go servers could
try and select an ECDSA cipher suite while only having an RSA
certificate, leading to connection failures.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13239053
2013-09-17 13:30:36 -04:00
Adam Langley
5774c69eb7 crypto/tls: support AES-GCM.
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
2013-08-29 17:18:59 -04:00
Joel Sing
749a12a83a crypto/tls: Add support for ECDHE-ECDSA
Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server
key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA,
ECDHE-ECDSA also provides PFS.

R=agl
CC=golang-dev
https://golang.org/cl/7006047
2013-07-17 12:33:16 -04:00
Adam Langley
3a888fc059 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Adam Langley
79e7f7decf crypto/tls: support TLS 1.1.
The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/7880043
2013-06-04 20:02:22 -04:00
Adam Langley
9d5e7dd72f crypto/tls: allow the server to enforce its ciphersuite preferences.
Previously, Go TLS servers always took the client's preferences into
account when selecting a ciphersuite. This change adds the option of
using the server's preferences, which can be expressed by setting
tls.Config.CipherSuites.

This mirrors Apache's SSLHonorCipherOrder directive.

R=golang-dev, nightlyone, bradfitz, ality
CC=golang-dev
https://golang.org/cl/7163043
2013-01-22 10:10:38 -05:00
Anthony Martin
a954c40163 crypto/tls: use 1/n-1 record splitting to protect against BEAST
This requires rebasing the block-mode test scripts.
I used GnuTLS version 3.1.4.

R=agl
CC=golang-dev
https://golang.org/cl/6844073
2012-11-26 10:56:39 -08:00
Adam Langley
489bd5ddd5 crypto/tls: make closeNotify a warning alert.
The RFC doesn't actually have an opinion on whether this is a fatal or
warning level alert, but common practice suggests that it should be a
warning.

This involves rebasing most of the tests.

Fixes #3413.

R=golang-dev, shanemhansen, rsc
CC=golang-dev
https://golang.org/cl/6654050
2012-10-16 15:40:37 -04:00
Adam Langley
13d26a420a crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Adam Langley
30b2db1e5f crypto/tls: don't always use the default private key.
When SNI based certificate selection is enabled, we previously used
the default private key even if we selected a non-default certificate.

Fixes #3367.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5987058
2012-04-12 12:35:21 -04:00
Adam Langley
ca7f685323 crypto/tls: update how we create testing scripts.
crypto/tls is tested, in part, by replaying recorded TLS connections
and checking that the bytes sent by the Go code haven't changed.

Previously we used GnuTLS's debug output and extracted the bytes of
the TLS connection using a Python script. That wasn't great, and I
think GnuTLS removed that level of debugging in a more current
release.

This change records the connection with Go code and adds a test for
ECDHE-AES clients generating using this method.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5988048
2012-04-11 12:55:57 -04:00
Robert Griesemer
000149abb2 all: gofmt -w -s src misc
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5781058
2012-03-08 10:48:51 -08:00
Shenghou Ma
136907f44f all: update 'gotest' to 'go test'
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5645099
2012-02-13 13:58:17 -05:00
Jeff R. Allen
5fa105421a crypto/tls: Improve TLS Client Authentication
Fix incorrect marshal/unmarshal of certificateRequest.
Add support for configuring client-auth on the server side.
Fix the certificate selection in the client side.
Update generate_cert.go to new time package

Fixes #2521.

R=krautz, agl, bradfitz
CC=golang-dev, mikkel
https://golang.org/cl/5448093
2012-01-05 12:05:38 -05:00
Russ Cox
119592d80f use new strconv API
All but 3 cases (in gcimporter.go and hixie.go)
are automatic conversions using gofix.

No attempt is made to use the new Append functions
even though there are definitely opportunities.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/5447069
2011-12-05 15:48:46 -05:00
Russ Cox
37bb6649e2 use new time API
R=bradfitz, gri, r, dsymonds
CC=golang-dev
https://golang.org/cl/5390042
2011-11-30 12:01:46 -05:00
Rob Pike
1530d25d4f renaming_2: gofix -r go1pkgrename src/pkg/[a-l]*
R=rsc
CC=golang-dev
https://golang.org/cl/5358041
2011-11-08 15:40:58 -08:00
Russ Cox
107fb7400c src/pkg/[a-m]*: gofix -r error -force=error
R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/5322051
2011-11-01 22:04:37 -04:00
Mikkel Krautz
7697013b51 crypto/tls: fetch root certificates using Mac OS API
Fixes #1009.

R=adg, rsc
CC=golang-dev
https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
Louis Kruger
0d32935135 crypto/tls: add 3DES ciphersuites
The following ciphersuites are added:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
This change helps conform to the TLS1.1 standard because
the first ciphersuite is "mandatory" in RFC4346

R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/5164042
2011-10-11 13:07:32 -04:00
Adam Langley
76c2ff557a crypto/tls: support SSLv3
It would be nice not to have to support this since all the clients
that we care about support TLSv1 by now. However, due to buggy
implementations of SSLv3 on the Internet which can't do version
negotiation correctly, browsers will sometimes switch to SSLv3. Since
there's no good way for a browser tell a network problem from a buggy
server, this downgrade can occur even if the server in question is
actually working correctly.

So we need to support SSLv3 for robustness :(

Fixes #1703.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5018045
2011-09-14 15:32:19 -04:00
Russ Cox
39082848cf crypto/tls: handle non-TLS more robustly
Fixes #2253.

R=agl
CC=golang-dev
https://golang.org/cl/4960066
2011-09-12 16:52:49 -04:00
Robert Griesemer
5085d142c2 go/printer: changed max. number of newlines from 3 to 2
manual changes in src/pkg/go/printer, src/cmd/gofix/signal_test.go
(cd src/cmd/gofix/testdata; gofmt -w *.in *.out)
(cd src/pkg/go/printer; gotest -update)
gofmt -w misc src

runs all tests

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/4715041
2011-07-14 14:39:40 -07:00
Adam Langley
de4a706aa9 crypto/rsa: support > 3 primes.
With full multi-prime support we can support version 1 PKCS#1 private
keys. This means exporting all the members of rsa.PrivateKey, thus
making the API a little messy. However there has already been another
request to export this so it seems to be something that's needed.

Over time, rsa.GenerateMultiPrimeKey will replace rsa.GenerateKey, but
I need to work on the prime balance first because we're no longer
generating primes which are a multiples of 8 bits.

Fixes #987.

R=rsc
CC=golang-dev
https://golang.org/cl/4378046
2011-04-22 15:33:41 -04:00
Kyle Consalus
6e38ce296e Make.pkg, doc: Replace references to "-benchmarks" and "-match" with "-test.bench" and "-test.run".
R=r
CC=golang-dev
https://golang.org/cl/4197041
2011-02-22 20:23:21 -08:00
Adam Langley
9d188d7c03 crypto/tls: missed a file
R=rsc
CC=golang-dev
https://golang.org/cl/3674043
2010-12-16 17:14:02 -05:00
Adam Langley
4dcd8890aa crypto/tls: check in support code.
This support code helps in generating the handshake scripts
which are used for testing.

R=rsc, ality
CC=golang-dev
https://golang.org/cl/3680041
2010-12-16 10:39:53 -05:00