Commit Graph

542 Commits

Author SHA1 Message Date
Brad Fitzpatrick
89d6b4b257 crypto/tls: don't block on Read of zero bytes
Fixes #7775

LGTM=rsc
R=agl, rsc
CC=golang-codereviews
https://golang.org/cl/88340043
2014-04-15 19:40:00 -07:00
Brad Fitzpatrick
53431b940d crypto/tls: deflake TestConnReadNonzeroAndEOF
Fixes #7683

LGTM=rsc
R=rsc
CC=golang-codereviews
https://golang.org/cl/83080048
2014-04-02 14:31:57 -07:00
Brad Fitzpatrick
a56b0bf7e2 crypto/tls: make Conn.Read return (n, io.EOF) when EOF is next in buffer
Update #3514

An io.Reader is permitted to return either (n, nil)
or (n, io.EOF) on EOF or other error.

The tls package previously always returned (n, nil) for a read
of size n if n bytes were available, not surfacing errors at
the same time.

Amazon's HTTPS frontends like to hang up on clients without
sending the appropriate HTTP headers. (In their defense,
they're allowed to hang up any time, but generally a server
hangs up after a bit of inactivity, not immediately.) In any
case, the Go HTTP client tries to re-use connections by
looking at whether the response headers say to keep the
connection open, and because the connection looks okay, under
heavy load it's possible we'll reuse it immediately, writing
the next request, just as the Transport's always-reading
goroutine returns from tls.Conn.Read and sees (0, io.EOF).

But because Amazon does send an AlertCloseNotify record before
it hangs up on us, and the tls package does its own internal
buffering (up to 1024 bytes) of pending data, we have the
AlertCloseNotify in an unread buffer when our Conn.Read (to
the HTTP Transport code) reads its final bit of data in the
HTTP response body.

This change makes that final Read return (n, io.EOF) when
an AlertCloseNotify record is buffered right after, if we'd
otherwise return (n, nil).

A dependent change in the HTTP code then notes whether a
client connection has seen an io.EOF and uses that as an
additional signal to not reuse a HTTPS connection. With both
changes, the majority of Amazon request failures go
away. Without either one, 10-20 goroutines hitting the S3 API
leads to such an error rate that empirically up to 5 retries
are needed to complete an API call.

LGTM=agl, rsc
R=agl, rsc
CC=golang-codereviews
https://golang.org/cl/76400046
2014-03-25 10:58:35 -07:00
Adam Langley
cb66b63918 encoding/asn1: use GeneralizedTime for times outside the range of UTCTime.
Fixes issue #6976.

LGTM=r
R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/72080044
2014-03-21 11:14:38 -04:00
Brad Fitzpatrick
ab3538d779 crypto/tls: clarify concurrent use of Config
LGTM=r, agl
R=agl, r
CC=golang-codereviews
https://golang.org/cl/77530044
2014-03-20 08:32:06 -07:00
Adam Langley
ef4934a9ed crypto/tls: split connErr to avoid read/write races.
Currently a write error will cause future reads to return that same error.
However, there may have been extra information from a peer pending on
the read direction that is now unavailable.

This change splits the single connErr into errors for the read, write and
handshake. (Splitting off the handshake error is needed because both read
and write paths check the handshake error.)

Fixes #7414.

LGTM=bradfitz, r
R=golang-codereviews, r, bradfitz
CC=golang-codereviews
https://golang.org/cl/69090044
2014-03-03 09:01:44 -05:00
Adam Langley
8d65af24c4 crypto/tls: add DialWithDialer.
While reviewing uses of the lower-level Client API in code, I found
that in many cases, code was using Client only because it needed a
timeout on the connection. DialWithDialer allows a timeout (and
 other values) to be specified without resorting to the low-level API.

LGTM=r
R=golang-codereviews, r, bradfitz
CC=golang-codereviews
https://golang.org/cl/68920045
2014-02-28 09:40:12 -05:00
Adam Langley
24720a0864 crypto/tls: report TLS version in ConnectionState.
Fixes #7231.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/68250043
2014-02-24 18:01:28 -05:00
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
2680804ebc crypto/tls: enforce that either ServerName or InsecureSkipVerify be given.
crypto/tls has two functions for creating a client connection: Dial,
which most users are expected to use, and Client, which is the
lower-level API.

Dial does what you expect: it gives you a secure connection to the host
that you specify and the majority of users of crypto/tls appear to work
fine with it.

Client gives more control but needs more care. Specifically, if it
wasn't given a server name in the tls.Config then it didn't check that
the server's certificates match any hostname - because it doesn't have
one to check against. It was assumed that users of the low-level API
call VerifyHostname on the certificate themselves if they didn't supply
a hostname.

A review of the uses of Client both within Google and in a couple of
external libraries has shown that nearly all of them got this wrong.

Thus, this change enforces that either a ServerName or
InsecureSkipVerify is given. This does not affect tls.Dial.

See discussion at https://groups.google.com/d/msg/golang-nuts/4vnt7NdLvVU/b1SJ4u0ikb0J.

Fixes #7342.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/67010043
2014-02-21 15:56:41 -05:00
Adam Langley
dbe3452407 crypto/x509: add example of using a custom root list.
Fixes #6267.

LGTM=r, josharian
R=golang-codereviews, josharian, r
CC=golang-codereviews
https://golang.org/cl/61020043
2014-02-19 11:18:35 -05:00
Adam Langley
ae10e2fdd9 crypto/tls: improve documentation for ServerName.
Users of the low-level, Client function are frequenctly missing the
fact that, unless they pass a ServerName to the TLS connection then it
cannot verify the certificates against any name.

This change makes it clear that at least one of InsecureSkipVerify and
ServerName should always be set.

LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/65440043
2014-02-19 11:17:09 -05:00
Adam Langley
5a2aacff2f crypto/tls: better error messages.
LGTM=bradfitz
R=golang-codereviews, bradfitz
CC=golang-codereviews
https://golang.org/cl/60580046
2014-02-12 11:20:01 -05:00
Anthony Martin
8cf5d703de crypto/tls: do not send the current time in hello messages
This reduces the ability to fingerprint TLS connections.

The impeteus for this change was a recent change to OpenSSL
by Nick Mathewson:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2016265dfb

LGTM=agl
R=agl
CC=golang-codereviews
https://golang.org/cl/57230043
2014-02-04 10:51:37 -05:00
Gautham Thambidorai
9323f900fd crypto/tls: Client side support for TLS session resumption.
Adam (agl@) had already done an initial review of this CL in a branch.

Added ClientSessionState to Config which now allows clients to keep state
required to resume a TLS session with a server. A client handshake will try
and use the SessionTicket/MasterSecret in this cached state if the server
acknowledged resumption.

We also added support to cache ClientSessionState object in Config that will
be looked up by server remote address during the handshake.

R=golang-codereviews, agl, rsc, agl, agl, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/15680043
2014-01-22 18:24:03 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
98968dca72 crypto/tls: rework reference tests.
The practice of storing reference connections for testing has worked
reasonably well, but the large blocks of literal data in the .go files
is ugly and updating the tests is a real problem because their number
has grown.

This CL changes the way that reference tests work. It's now possible to
automatically update the tests and the test data is now stored in
testdata/. This should make it easier to implement changes that affect
all connections, like implementing the renegotiation extension.

R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/42060044
2013-12-20 11:37:05 -05:00
Adam Langley
75982d4f0c crypto/tls: generate random serial numbers.
NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
2013-12-15 12:57:57 -05:00
Adam Langley
1a11255b00 crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake.
Despite SHA256 support being required for TLS 1.2 handshakes, some
servers are aborting handshakes that don't offer SHA1 support.

This change adds support for signing TLS 1.2 ServerKeyExchange messages
with SHA1. It does not add support for signing TLS 1.2 client
certificates with SHA1 as that would require the handshake to be
buffered.

Fixes #6618.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/15650043
2013-10-21 16:35:09 -04:00
Russ Cox
a13de249ee crypto/tls: document ConnectionState fields
Fixes #6456.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/14289043
2013-10-02 21:40:01 -04:00
Frithjof Schulze
3ee1782da4 crypto/tls: Update reference to the TLS 1.2 RFC.
Ticket 13740047 updated the documented TLS version to 1.2.
This also updates the RFC refered to.

R=golang-dev
CC=golang-dev, rsc
https://golang.org/cl/14029043
2013-10-02 12:09:13 -04:00
Adam Langley
493b985991 crypto/tls: don't select TLS 1.2 cipher suites in prior versions.
AES-GCM cipher suites are only defined for TLS 1.2, although there's
nothing really version specific about them. However, development
versions of NSS (meaning Firefox and Chrome) have an issue where
they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello
but then balk when the server selects one.

This change causes Go clients not to advertise TLS 1.2 cipher suites
unless TLS 1.2 is being used, and prevents servers from selecting them
unless TLS 1.2 has been negotiated.

https://code.google.com/p/chromium/issues/detail?id=297151
https://bugzilla.mozilla.org/show_bug.cgi?id=919677

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13573047
2013-09-26 17:09:56 -04:00
Russ Cox
a40b48d4e0 crypto/tls: document that the package supports TLS 1.2
Fixes #6456.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13740047
2013-09-23 16:05:23 -04:00
Adam Langley
679f6ca983 crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate.
47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the
cipher suite selection to take that into account. Thus Go servers could
try and select an ECDSA cipher suite while only having an RSA
certificate, leading to connection failures.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13239053
2013-09-17 13:30:36 -04:00
Adam Langley
8eaa99cd77 crypto/tls: fix TLS 1.2 client certificates.
With TLS 1.2, when sending client certificates the code was omitting
the new (in TLS 1.2) signature and hash fields.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13413050
2013-09-16 16:39:42 -04:00
Adam Langley
5774c69eb7 crypto/tls: support AES-GCM.
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
2013-08-29 17:18:59 -04:00
Joel Sing
749a12a83a crypto/tls: Add support for ECDHE-ECDSA
Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server
key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA,
ECDHE-ECDSA also provides PFS.

R=agl
CC=golang-dev
https://golang.org/cl/7006047
2013-07-17 12:33:16 -04:00
Adam Langley
3a888fc059 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Frithjof Schulze
0084d30351 crypto/tls: Change TLS version to 1.1 in the package comment.
Also use 2048-bit RSA keys as default in generate_cert.go,
as recommended by the NIST.

R=golang-dev, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/10676043
2013-06-27 11:23:55 -07:00
Adam Langley
320cfd8f47 crypto/tls: change advertised ciphersuite order.
TLS clients send ciphersuites in preference order (most prefereable
first). This change alters the order so that ECDHE comes before plain
RSA, and RC4 comes before AES (because of the Lucky13 attack).

This is unlikely to have much effect: as a server, the code uses the
client's ciphersuite order by default and, as a client, the non-Go
server probably imposes its order.

R=golang-dev, r, raggi, jsing
CC=golang-dev
https://golang.org/cl/10372045
2013-06-19 16:46:53 -04:00
Adam Langley
79e7f7decf crypto/tls: support TLS 1.1.
The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/7880043
2013-06-04 20:02:22 -04:00
John Shahid
2946f7013d crypto/tls: Check all certificates in the path.
Currently we only check the leaf node's issuer against the list of
distinguished names in the server's CertificateRequest message. This
will fail if the client certiciate has more than one certificate in
the path and the leaf node issuer isn't in the list of distinguished
names, but the issuer's issuer was in the distinguished names.

R=agl, agl
CC=gobot, golang-dev
https://golang.org/cl/9795043
2013-05-29 11:21:32 -04:00
Adam Langley
f41a7e7ee6 crypto/tls: don't send NPN extension if NextProtos is not set.
This isn't clearly a bug on Go's part, but it triggers a bug in Firefox
which means that crypto/tls and net/http cannot be wired up together
unless NextProtos includes "http/1.1". When net/http sets up the
tls.Config, it does this and so works fine. But anyone setting up the
tls.Config themselves will hit the Firefox bug.

Fixes #5445.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/9539045
2013-05-21 10:47:31 -04:00
Adam Langley
44490a3db4 crypto/tls: fix flakey test.
A test added in b37d2fdcc4d9 didn't work with some values of GOMAXPROCS
because the defer statements were in the wrong order: the Pipe could be
closed before the TLS Client was.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/9187047
2013-05-16 12:29:23 -04:00
Adam Langley
7b0cd8f727 crypto/tls: ignore empty TLS records.
OpenSSL can be configured to send empty records in order to randomise
the CBC IV. This is an early version of 1/n-1 record splitting (that Go
does) and is quite reasonable, but it results in tls.Conn.Read
returning (0, nil).

This change ignores up to 100 consecutive, empty records to avoid
returning (0, nil) to callers.

Fixes 5309.

R=golang-dev, r, minux.ma
CC=golang-dev
https://golang.org/cl/8852044
2013-05-15 10:25:54 -04:00
Brad Fitzpatrick
4b14a48417 crypto/tls: use method values
Currently fails with a compiler error, though.

R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/7933043
2013-03-20 23:53:38 -04:00
Adam Langley
b9ddc2767a crypto/x509: support IP SANs.
Subject Alternative Names in X.509 certificates may include IP
addresses. This change adds support for marshaling, unmarshaling and
verifying this form of SAN.

It also causes IP addresses to only be checked against IP SANs,
rather than against hostnames as was previously the case. This
reflects RFC 6125.

Fixes #4658.

R=golang-dev, mikioh.mikioh, bradfitz
CC=golang-dev
https://golang.org/cl/7336046
2013-02-15 10:40:17 -05:00
Adam Langley
9d5e7dd72f crypto/tls: allow the server to enforce its ciphersuite preferences.
Previously, Go TLS servers always took the client's preferences into
account when selecting a ciphersuite. This change adds the option of
using the server's preferences, which can be expressed by setting
tls.Config.CipherSuites.

This mirrors Apache's SSLHonorCipherOrder directive.

R=golang-dev, nightlyone, bradfitz, ality
CC=golang-dev
https://golang.org/cl/7163043
2013-01-22 10:10:38 -05:00
Brad Fitzpatrick
ada990689f crypto/tls: fix loading keys labeled just "PRIVATE KEY"
Worked in Go 1, broken in f440e65f93fe.

Fixes #4477

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6865043
2012-12-01 11:02:08 -08:00
Anthony Martin
a954c40163 crypto/tls: use 1/n-1 record splitting to protect against BEAST
This requires rebasing the block-mode test scripts.
I used GnuTLS version 3.1.4.

R=agl
CC=golang-dev
https://golang.org/cl/6844073
2012-11-26 10:56:39 -08:00
Robin Eklind
3f2e394f59 archive/zip, crypto/tls, net/http: Fix print format errors.
All of the errors were located using "go vet ./..." in "src/pkg".

R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/6856056
2012-11-16 17:24:43 -08:00
Joel Sing
d7e46146f4 crypto/tls: add support for loading EC X.509 key pairs
Add support for loading X.509 key pairs that consist of a certificate
with an EC public key and its corresponding EC private key.

R=agl
CC=golang-dev
https://golang.org/cl/6776043
2012-11-16 19:33:59 +11:00
Robert Griesemer
ff9c946903 gofmt: apply gofmt -w src misc
Remove trailing whitespace in comments.
No other changes.

R=r
CC=golang-dev
https://golang.org/cl/6815053
2012-10-30 13:38:01 -07:00
Adam Langley
489bd5ddd5 crypto/tls: make closeNotify a warning alert.
The RFC doesn't actually have an opinion on whether this is a fatal or
warning level alert, but common practice suggests that it should be a
warning.

This involves rebasing most of the tests.

Fixes #3413.

R=golang-dev, shanemhansen, rsc
CC=golang-dev
https://golang.org/cl/6654050
2012-10-16 15:40:37 -04:00
Adam Langley
cf463f462c crypto/tls: fix NPN extension parsing.
I typoed the code and tried to parse all the way to the end of the
message. Therefore it fails when NPN is not the last extension in the
ServerHello.

Fixes #4088.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6637052
2012-10-09 13:25:47 -04:00
Adam Langley
13d26a420a crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Adam Langley
d263b7d38c crypto/tls: allow certificates and key to be in either order.
X509KeyPair wasn't really supposed to allow the certificate and
key to be in the same file, but it did work if you put the key
first. Since some HTTPS servers support loading keys and certs
like this, this change makes it work in either order.

Fixes #3986.

R=golang-dev, dave, rsc
CC=golang-dev
https://golang.org/cl/6499103
2012-09-13 11:00:16 -04:00
Dave Cheney
a0608ba23c crypto/tls: fix data race on conn.err
Fixes #3862.

There were many areas where conn.err was being accessed
outside the mutex. This proposal moves the err value to
an embedded struct to make it more obvious when the error
value is being accessed.

As there are no Benchmark tests in this package I cannot
feel confident of the impact of this additional locking,
although most will be uncontended.

R=dvyukov, agl
CC=golang-dev
https://golang.org/cl/6497070
2012-09-06 17:50:26 +10:00
Adam Langley
22777bcc54 crypto/tls: return better error message in the case of an SSLv2 handshake.
Update #3930
Return a better error message in this situation.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6474055
2012-08-23 16:44:44 -04:00
Mikkel Krautz
0c7b858b3e crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier
will treat the certificate as a server certificate and require
it to have a ExtKeyUsageServerAuth key usage.

R=golang-dev
CC=golang-dev
https://golang.org/cl/6453148
2012-08-18 15:50:33 -07:00