Commit Graph

84 Commits

Author SHA1 Message Date
Adam Langley
76c2ff557a crypto/tls: support SSLv3
It would be nice not to have to support this since all the clients
that we care about support TLSv1 by now. However, due to buggy
implementations of SSLv3 on the Internet which can't do version
negotiation correctly, browsers will sometimes switch to SSLv3. Since
there's no good way for a browser tell a network problem from a buggy
server, this downgrade can occur even if the server in question is
actually working correctly.

So we need to support SSLv3 for robustness :(

Fixes #1703.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5018045
2011-09-14 15:32:19 -04:00
Russ Cox
39082848cf crypto/tls: handle non-TLS more robustly
Fixes #2253.

R=agl
CC=golang-dev
https://golang.org/cl/4960066
2011-09-12 16:52:49 -04:00
Robert Griesemer
5085d142c2 go/printer: changed max. number of newlines from 3 to 2
manual changes in src/pkg/go/printer, src/cmd/gofix/signal_test.go
(cd src/cmd/gofix/testdata; gofmt -w *.in *.out)
(cd src/pkg/go/printer; gotest -update)
gofmt -w misc src

runs all tests

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/4715041
2011-07-14 14:39:40 -07:00
Adam Langley
9c8b32c2d6 crypto/tls: fix generate_cert.go
Fixes #2030.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/4635092
2011-07-06 16:22:21 -04:00
Robert Griesemer
a5b2e93aa2 os.Error API: don't export os.ErrorString, use os.NewError consistently
This is a core API change.

1) gofix misc src
2) Manual adjustments to the following files under src/pkg:
   gob/decode.go
   rpc/client.go
   os/error.go
   io/io.go
   bufio/bufio.go
   http/request.go
   websocket/client.go
as well as:
   src/cmd/gofix/testdata/*.go.in (reverted)
   test/fixedbugs/bug243.go
3) Implemented gofix patch (oserrorstring.go) and test case (oserrorstring_test.go)

Compiles and runs all tests.

R=r, rsc, gri
CC=golang-dev
https://golang.org/cl/4607052
2011-06-22 10:52:47 -07:00
Russ Cox
35e8279c86 respect goto restrictions
R=gri
CC=golang-dev
https://golang.org/cl/4625044
2011-06-17 06:07:13 -04:00
Adam Langley
5a4918e635 crypto: reorg, cleanup and add function for generating CRLs.
This change moves a number of common PKIX structures into
crypto/x509/pkix, from where x509, and ocsp can reference
them, saving duplication. It also removes x509/crl and merges it into
x509 and x509/pkix.

x509 is changed to take advantage of the big.Int support that now
exists in asn1. Because of this, the public/private key pair in
http/httptest/server.go had to be updated because it was serialised
with an old version of the code that didn't zero pad ASN.1 INTEGERs.

R=bradfitz, rsc
CC=golang-dev
https://golang.org/cl/4532115
2011-06-06 10:35:46 -04:00
Rob Pike
1b7f4ea6c3 crypto/tls/generate_cert.go: fix misspelling of O_CREATE.
Fixes #1888.

R=ken
CC=golang-dev
https://golang.org/cl/4515148
2011-05-27 21:06:50 +10:00
Robert Hencke
3bdd4f3140 pkg: spelling tweaks, A-H
R=ality, bradfitz, rsc, dsymonds, adg, qyzhai, dchest
CC=golang-dev
https://golang.org/cl/4536063
2011-05-18 13:14:56 -04:00
Adam Langley
cf7be9b458 crypto/tls: export the verified chains.
The verified chains are the chains that were actually verified.

R=bradfitz
CC=golang-dev
https://golang.org/cl/4462046
2011-05-05 13:44:36 -04:00
Russ Cox
f23d109356 fix tree for reflect rename
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/4435067
2011-04-25 13:39:36 -04:00
Adam Langley
c282fa0f0b crypto/tls: use time(), not Time().
The unexported version returns a sensible default when the user hasn't
set a value. The exported version crashes in that case.

R=bradfitzgo, rsc1
CC=golang-dev
https://golang.org/cl/4435070
2011-04-25 10:27:36 -04:00
Adam Langley
de4a706aa9 crypto/rsa: support > 3 primes.
With full multi-prime support we can support version 1 PKCS#1 private
keys. This means exporting all the members of rsa.PrivateKey, thus
making the API a little messy. However there has already been another
request to export this so it seems to be something that's needed.

Over time, rsa.GenerateMultiPrimeKey will replace rsa.GenerateKey, but
I need to work on the prime balance first because we're no longer
generating primes which are a multiples of 8 bits.

Fixes #987.

R=rsc
CC=golang-dev
https://golang.org/cl/4378046
2011-04-22 15:33:41 -04:00
Nigel Tao
5a11e9ba00 src/pkg: make package doc comments consistently start with "Package foo".
R=rsc
CC=golang-dev
https://golang.org/cl/4442064
2011-04-20 09:57:05 +10:00
Adam Langley
24df228d7a crypto: move certificate verification into x509.
People have a need to verify certificates in situations other than TLS
client handshaking. Thus this CL moves certificate verification into
x509 and expands its abilities.

R=bradfitzgo
CC=golang-dev
https://golang.org/cl/4407046
2011-04-19 09:57:58 -04:00
Adam Langley
4f813669cb crypto/tls: add server-side OCSP stapling support.
We already had support on the client side. I also changed the name of
the flag in the ServerHello structure to match the name of the same
flag in the ClientHello (ocspStapling).

R=bradfitzgo
CC=golang-dev
https://golang.org/cl/4408044
2011-04-14 14:47:28 -04:00
Robert Griesemer
8cf428d710 gofmt: gofmt -s -w src misc
R=r, bradfitzwork
CC=golang-dev
https://golang.org/cl/4406044
2011-04-13 15:13:59 -07:00
Russ Cox
32d22d1fb1 gofix: don't rewrite O_APPEND opens
R=r, rog
CC=golang-dev
https://golang.org/cl/4364041
2011-04-05 11:12:02 -04:00
Rob Pike
abbbdb168d os: New Open API.
We replace the current Open with:
OpenFile(name, flag, perm) // same as old Open
Open(name) // same as old Open(name, O_RDONLY, 0)
Create(name) // same as old Open(name, O_RDWR|O_TRUNC|O_CREAT, 0666)

This CL includes a gofix module and full code updates: all.bash passes.
(There may be a few comments I missed.)

The interesting packages are:
        gofix
        os
Everything else is automatically generated except for hand tweaks to:
        src/pkg/io/ioutil/ioutil.go
        src/pkg/io/ioutil/tempfile.go
        src/pkg/crypto/tls/generate_cert.go
        src/cmd/goyacc/goyacc.go
        src/cmd/goyacc/units.y

R=golang-dev, bradfitzwork, rsc, r2
CC=golang-dev
https://golang.org/cl/4357052
2011-04-04 23:42:14 -07:00
Brad Fitzpatrick
1721e53cdf httptest: add NewTLSServer
Enables the use of https servers in tests.

R=agl, rsc, agl1
CC=golang-dev
https://golang.org/cl/4284063
2011-04-04 08:32:59 -07:00
Adam Langley
78f486a80c crypto/tls: extend NPN support to the client.
R=bradfitzgo, rsc1, bradfitzwork
CC=golang-dev
https://golang.org/cl/4277085
2011-03-29 17:53:09 -04:00
Russ Cox
9fe949aa97 net: drop laddr from Dial, cname from LookupHost; new functions
Drop laddr argument from Dial.

Drop cname return from LookupHost.

Add LookupIP, LookupCNAME, ParseCIDR, IP.Equal.
Export SplitHostPort, JoinHostPort.
Add AAAA (IPv6) support to host lookups.

Preparations for implementing some of the
lookups using cgo.

ParseCIDR and IP.Equal are logically new in this CL
but accidentally snuck into an earlier CL about unused
labels that was in the same client.

In crypto/tls, drop laddr from Dial to match net.

R=golang-dev, dsymonds, adg, rh
CC=golang-dev
https://golang.org/cl/4244055
2011-03-28 23:28:42 -04:00
Rob Pike
dc6468fcf1 testing: shorten some more tests
R=rsc
CC=golang-dev
https://golang.org/cl/4314044
2011-03-26 11:25:22 -07:00
Dave Cheney
a39229ebc1 crypto/tls: fix compile error
Fixes #1555.

R=rsc, bradfitzgo
CC=golang-dev
https://golang.org/cl/4284047
2011-03-12 19:35:41 -08:00
Brad Fitzpatrick
36cddf2fc1 tls: move PeerCertificates to ConnectionState
R=agl, agl1
CC=golang-dev, rsc
https://golang.org/cl/4248078
2011-03-10 07:22:53 -08:00
Kyle Consalus
6e38ce296e Make.pkg, doc: Replace references to "-benchmarks" and "-match" with "-test.bench" and "-test.run".
R=r
CC=golang-dev
https://golang.org/cl/4197041
2011-02-22 20:23:21 -08:00
Adam Langley
09d14e14a9 crypto/tls: make protocol negotiation failure fatal
R=r, r2
CC=golang-dev
https://golang.org/cl/4178054
2011-02-15 16:38:45 -05:00
Adam Langley
01806ad10b crypto/tls: select best ciphersuite, not worst.
Previously, the outer loop would continue until we selected the
client's least preferable ciphersuite.

R=golang-dev, r2
CC=golang-dev
https://golang.org/cl/4029056
2011-02-05 13:56:36 -05:00
Adam Langley
1abb987e07 crypto/tls: load a chain of certificates from a file.
Many recently issued certificates are chained: there's one or more
intermediate certificates between the host certificate and the root CA
certificate. This change causes the code to load any number of
certificates from the certificate file. This matches the behaviour of
common webservers, and the output of OpenSSL's command line tools.

R=golang-dev, r2
CC=golang-dev
https://golang.org/cl/4119057
2011-02-05 13:54:25 -05:00
Adam Langley
b8e817cbf8 crypto: add package.
The crypto package is added as a common place to store identifiers for
hash functions. At the moment, the rsa package has an enumeration of
hash functions and knowledge of their digest lengths. This is an
unfortunate coupling and other high level crypto packages tend to need
to duplicate this enumeration and knowledge (i.e. openpgp).

crypto pulls this code out into a common location.

It would also make sense to add similar support for ciphers to crypto,
but the problem there isn't as acute that isn't done in this change.

R=bradfitzgo, r, rsc
CC=golang-dev
https://golang.org/cl/4080046
2011-02-01 11:02:48 -05:00
Rob Pike
45b573322e tls: fix argument mistake in Error call.
R=agl, agl1, rsc
CC=golang-dev
https://golang.org/cl/3753041
2010-12-17 13:47:52 -08:00
Adam Langley
9d188d7c03 crypto/tls: missed a file
R=rsc
CC=golang-dev
https://golang.org/cl/3674043
2010-12-16 17:14:02 -05:00
Adam Langley
954c3ec034 crypto/tls: add ECDHE support
(ECDHE is "Elliptic Curve Diffie Hellman Ephemeral")

R=rsc
CC=golang-dev
https://golang.org/cl/3668042
2010-12-16 17:10:50 -05:00
Adam Langley
4dcd8890aa crypto/tls: check in support code.
This support code helps in generating the handshake scripts
which are used for testing.

R=rsc, ality
CC=golang-dev
https://golang.org/cl/3680041
2010-12-16 10:39:53 -05:00
Adam Langley
effe736267 crypto/tls: commit fixes which I hadn't saved.
R=rsc
CC=golang-dev
https://golang.org/cl/3685041
2010-12-15 13:58:57 -05:00
Adam Langley
50ac183397 crypto/tls: support CBC ciphers
This is largely based on ality's CL 2747042.

crypto/rc4: API break in order to conform to crypto/cipher's
Stream interface

cipher/cipher: promote to the default build

Since CBC differs between TLS 1.0 and 1.1, we downgrade and
support only 1.0 at the current time. 1.0 is what most of the
world uses.

Given this CL, it would be trival to add support for AES 256,
SHA 256 etc, but I haven't in order to keep the change smaller.

R=rsc
CC=ality, golang-dev
https://golang.org/cl/3659041
2010-12-15 11:49:55 -05:00
Anthony Martin
368c7fa03e crypto/tls: use rand.Reader in cert generation example
R=rsc, agl1
CC=golang-dev
https://golang.org/cl/3536043
2010-12-14 12:22:28 -05:00
Russ Cox
f98d01fb7e crypto/tls: add *Config argument to Dial
Document undocumented exported names.
Allow nil Rand, Time, RootCAs in Config.

Fixes #1248.

R=agl1
CC=golang-dev
https://golang.org/cl/3481042
2010-12-07 16:15:15 -05:00
Christian Himpel
24b6f5d63e crypto/tls: fix build of certificate generation example
R=agl1, rsc
CC=golang-dev
https://golang.org/cl/3366041
2010-12-07 16:14:55 -05:00
Kyle Consalus
67c5445327 Removed bytes.Add and bytes.AddByte; we now have 'append'.
Changed all uses of bytes.Add (aside from those testing bytes.Add) to append(a, b...).
Also ran "gofmt -s" and made use of copy([]byte, string) in the fasta benchmark.

R=golang-dev, r, r2
CC=golang-dev
https://golang.org/cl/3302042
2010-12-01 11:59:13 -08:00
Adam Langley
93eb884c98 crypto/tls: use pool building for certificate checking
Previously we checked the certificate chain from the leaf
upwards and expected to jump from the last cert in the chain to
a root certificate.

Although technically correct, there are a number of sites with
problems including out-of-order certs, superfluous certs and
missing certs.

The last of these requires AIA chasing, which is a lot of
complexity. However, we can address the more common cases by
using a pool building algorithm, as browsers do.

We build a pool of root certificates and a pool from the
server's chain. We then try to build a path to a root
certificate, using either of these pools.

This differs from the behaviour of, say, Firefox in that Firefox
will accumulate intermedite certificate in a persistent pool in
the hope that it can use them to fill in gaps in future chains.

We don't do that because it leads to confusing errors which only
occur based on the order to sites visited.

This change also enabled SNI for tls.Dial so that sites will return
the correct certificate chain.

R=rsc
CC=golang-dev
https://golang.org/cl/2916041
2010-11-05 09:54:56 -04:00
Russ Cox
8fe46b4768 use append
R=gri, r, r2
CC=golang-dev
https://golang.org/cl/2743042
2010-10-27 19:47:23 -07:00
Robert Griesemer
b1f31f442e gofmt -s -w src misc
R=r, rsc
CC=golang-dev
https://golang.org/cl/2662041
2010-10-22 10:06:33 -07:00
Rob Pike
feb7be32ae log: new interface
New logging interface simplifies and generalizes.

1) Loggers now have only one output.
2) log.Stdout, Stderr, Crash and friends are gone.
	Logging is now always to standard error by default.
3) log.Panic* replaces log.Crash*.
4) Exiting and panicking are not part of the logger's state; instead
	the functions Exit* and Panic* simply call Exit or panic after
	printing.
5) There is now one 'standard logger'.  Instead of calling Stderr,
	use Print etc.  There are now triples, by analogy with fmt:
		Print, Println, Printf
	What was log.Stderr is now best represented by log.Println,
	since there are now separate Print and Println functions
	(and methods).
6) New functions SetOutput, SetFlags, and SetPrefix allow global
	editing of the standard logger's properties.   This is new
	functionality. For instance, one can call
		log.SetFlags(log.Lshortfile|log.Ltime|log.Lmicroseconds)
	to get all logging output to show file name, line number, and
	time stamp.

In short, for most purposes
	log.Stderr -> log.Println or log.Print
	log.Stderrf -> log.Printf
	log.Crash -> log.Panicln or log.Panic
	log.Crashf -> log.Panicf
	log.Exit -> log.Exitln or log.Exit
	log.Exitf -> log.Exitf (no change)

This has a slight breakage: since loggers now write only to one
output, existing calls to log.New() need to delete the second argument.
Also, custom loggers with exit or panic properties will need to be
reworked.

All package code updated to new interface.

The test has been reworked somewhat.

The old interface will be removed after the new release.
For now, its elements are marked 'deprecated' in their comments.

Fixes #1184.

R=rsc
CC=golang-dev
https://golang.org/cl/2419042
2010-10-12 12:59:18 -07:00
Adam Langley
597324882f crypto/tls: make SetReadTimeout work.
Fixes #1181.

R=rsc, agl1, cw, r2
CC=golang-dev
https://golang.org/cl/2414041
2010-10-11 10:41:01 -04:00
Adam Langley
dd9f217e6a crypto/tls: better error messages for certificate issues.
Fixes #1146.

R=rsc, agl1
CC=golang-dev
https://golang.org/cl/2380042
2010-10-11 10:39:56 -04:00
Adam Langley
f4b6e2236c crypto/x509, crypto/tls: improve root matching and observe CA flag.
The key/value format of X.500 names means that it's possible to encode
a name with multiple values for, say, organisation. RFC5280
doesn't seem to consider this, but there are Verisign root
certificates which do this and, in order to find the correct
root certificate in some cases, we need to handle it.

Also, CA certificates should set the CA flag and we now check
this. After looking at the other X.509 extensions it appears
that they are universally ignored/bit rotted away so we ignore
them.

R=rsc
CC=golang-dev
https://golang.org/cl/2249042
2010-09-20 12:17:31 -04:00
Adam Langley
ed8da7bff6 Fix certificate validation.
asn1: add support for T61String because this is the string type which
    several www.google.com certificates are now using for fields like
    CommonName
tls: force a handshake in Dial so that certificates are ready
    afterwards.

Fixes #1114.

R=rsc
CC=golang-dev
https://golang.org/cl/2216043
2010-09-20 10:32:08 -04:00
Russ Cox
657e8dab30 http: check https certificate against host name
Fixes #1093.

R=agl, agl1
CC=golang-dev
https://golang.org/cl/2115045
2010-09-11 23:41:12 -04:00
Adam Langley
4c5892dcab crypto/tls: don't return an error from Close()
Fixes #1037.

R=adg, rsc1
CC=golang-dev
https://golang.org/cl/2107048
2010-09-10 15:55:35 -04:00