mirror of https://github.com/golang/go synced 2024-11-06 19:46:20 -07:00
Commit Graph

594 Commits

Author SHA1 Message Date
Brad Fitzpatrick
c327e82ddb crypto/rand: make Read use io.ReadFull
Fixes #6084

R=golang-dev, rsc, dave
CC=golang-dev
https://golang.org/cl/13523044
2013-09-06 12:00:27 -07:00
Adam Langley
87404c9887 crypto/x509: expose arbitrary X.509 extensions.
This change allows people who want to parse or set odd X.509 extensions
to do so without having to add support for them all to the package.

I tried to make it so that only a single member: Extensions would be
needed. However, that would mean detecting when the caller had altered
the contents of it so that parsing and marshaling a certificate
wouldn't ignore all changes to the other members. This ended up being
messy, thus the current design where there are two members: one for
reading and another for writing.

As crypto/x509 adds support for more extensions in the future, the raw
extensions will still be in Extensions for older code that expects it
there. Also, future extensions will be overridden by any raw extensions
added to ExtraExtensions by code that was written before support was
added.

R=golang-dev, r
CC=golang-dev, jpsugar
https://golang.org/cl/12056043
2013-08-30 10:14:45 -04:00
Adam Langley
2fe9a5a3e8 crypto/tls: support AES-GCM.
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
2013-08-29 17:18:59 -04:00
Joel Sing
4186e9d313 all: dragonfly support
Enable remaining packages (crypto, mime, path, time) to build on dragonfly.

R=bradfitz
CC=golang-dev
https://golang.org/cl/13190043
2013-08-24 02:22:52 +10:00
Keith Randall
8b789e1738 all: change textflags from numbers to symbols.
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/12774043
2013-08-12 10:25:36 -07:00
Rob Pike
ce00562607 crypto/rand: simplify example to exploit properties of ReadFull
No need for the complex condition.
Fixes #6089

R=golang-dev, mischief, adg
CC=golang-dev
https://golang.org/cl/12731043
2013-08-12 12:52:23 +10:00
Brad Fitzpatrick
d8e27db395 undo CL 12486043 / ab644299d124
Uglier.

««« original CL description
all: use strings.IndexByte instead of Index where possible

R=golang-dev, khr
CC=golang-dev
https://golang.org/cl/12486043
»»»

R=golang-dev
CC=golang-dev
https://golang.org/cl/12485044
2013-08-05 16:27:24 -07:00
Brad Fitzpatrick
4c772cda54 all: use strings.IndexByte instead of Index where possible
R=golang-dev, khr
CC=golang-dev
https://golang.org/cl/12486043
2013-08-05 15:46:06 -07:00
Adam Langley
20a2b96089 crypto/cipher: add GCM mode.
GCM is Galois Counter Mode, an authenticated encryption mode that is,
nearly always, used with AES.

R=rsc
CC=golang-dev
https://golang.org/cl/12375043
2013-08-05 14:31:58 -04:00
Adam Langley
5e36877d2a crypto: include hash number in panic message.
In the event that code tries to use a hash function that isn't compiled
in and panics, give the developer a fighting chance of figuring out
which hash function it needed.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/12420045
2013-08-05 14:23:32 -04:00
Rémy Oudompheng
441ef7978d crypto/des: faster permutation.
This patch introduces specialized functions for initial
and final permutations, and precomputes the output of the
third permutation on the S-box elements.

benchmark           old ns/op    new ns/op    delta
BenchmarkEncrypt         3581         1226  -65.76%
BenchmarkDecrypt         3590         1224  -65.91%

benchmark            old MB/s     new MB/s  speedup
BenchmarkEncrypt         2.23         6.52    2.92x
BenchmarkDecrypt         2.23         6.53    2.93x

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/12072045
2013-07-31 22:06:48 +02:00
Rémy Oudompheng
b7c3d06a1f all: move examples into package *_test.
Fixes #5677.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/11992043
2013-07-29 01:25:51 +02:00
Rémy Oudompheng
a0f74093b2 crypto/des: faster block expansion.
On amd64:

benchmark           old ns/op    new ns/op    delta
BenchmarkEncrypt         6170         3593  -41.77%
BenchmarkDecrypt         6209         3564  -42.60%

benchmark            old MB/s     new MB/s  speedup
BenchmarkEncrypt         1.30         2.23    1.72x
BenchmarkDecrypt         1.29         2.24    1.74x

Update #4299.

R=golang-dev, agl, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/11874043
2013-07-26 09:10:29 +02:00
Nick Craig-Wood
085159da26 crypto/md5: native arm assembler version
An ARM version of md5block.go with a big improvement in
throughput (up to 2.5x) and a reduction in object size (21%).

Code size

  Before 3100 bytes
  After 2424 bytes
  21% smaller

Benchmarks on Raspberry Pi

benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                 11703         6636  -43.30%
BenchmarkHash1K                     38057        21881  -42.50%
BenchmarkHash8K                    208131       142735  -31.42%
BenchmarkHash8BytesUnaligned        11457         6570  -42.66%
BenchmarkHash1KUnaligned            69334        26841  -61.29%
BenchmarkHash8KUnaligned           455120       182223  -59.96%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                  0.68         1.21    1.78x
BenchmarkHash1K                     26.91        46.80    1.74x
BenchmarkHash8K                     39.36        57.39    1.46x
BenchmarkHash8BytesUnaligned         0.70         1.22    1.74x
BenchmarkHash1KUnaligned            14.77        38.15    2.58x
BenchmarkHash8KUnaligned            18.00        44.96    2.50x

benchmark                      old allocs   new allocs    delta
BenchmarkHash8Bytes                     1            0  -100.00%
BenchmarkHash1K                         2            0  -100.00%
BenchmarkHash8K                         2            0  -100.00%
BenchmarkHash8BytesUnaligned            1            0  -100.00%
BenchmarkHash1KUnaligned                2            0  -100.00%
BenchmarkHash8KUnaligned                2            0  -100.00%

benchmark                       old bytes    new bytes    delta
BenchmarkHash8Bytes                    64            0  -100.00%
BenchmarkHash1K                       128            0  -100.00%
BenchmarkHash8K                       128            0  -100.00%
BenchmarkHash8BytesUnaligned           64            0  -100.00%
BenchmarkHash1KUnaligned              128            0  -100.00%
BenchmarkHash8KUnaligned              128            0  -100.00%

This also adds another test which makes sure that the sums
over larger blocks work properly. I wrote this test when I was
worried about memory corruption.

R=golang-dev, dave, bradfitz, rsc, ajstarks
CC=golang-dev, minux.ma, remyoudompheng
https://golang.org/cl/11648043
2013-07-25 13:28:27 +10:00
Rob Pike
abe384f68a all: be more idiomatic when documenting boolean return values.
Phrases like "returns whether or not the image is opaque" could be
describing what the function does (it always returns, regardless of
the opacity) or what it returns (a boolean indicating the opacity).
Even when the "or not" is missing, the phrasing is bizarre.

Go with "reports whether", which is still clunky but at least makes
it clear we're talking about the return value.

These were edited by hand. A few were cleaned up in other ways.

R=golang-dev, dsymonds
CC=golang-dev
https://golang.org/cl/11699043
2013-07-23 11:59:49 +10:00
Brad Fitzpatrick
48b9be2b19 all: change "true iff" to "whether" in public docs
For consistency with Go documentation style.

R=golang-dev, khr
CC=golang-dev
https://golang.org/cl/11697043
2013-07-22 16:20:30 -07:00
Joel Sing
7b7dac5e23 crypto/tls: Add support for ECDHE-ECDSA
Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server
key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA,
ECDHE-ECDSA also provides PFS.

R=agl
CC=golang-dev
https://golang.org/cl/7006047
2013-07-17 12:33:16 -04:00
Adam Langley
ad477e4e20 crypto/rsa: remove obsolete TODO.
(PSS support is complete.)

Thanks to Frithjof Schulze for noting this.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/10871046
2013-07-16 19:34:21 -04:00
Adam Langley
7e767791b9 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Paul van Brouwershaven
f99158c8ad crypto/x509: Added RFC 5280, section 4.2.2.1 Authority Information Access
R=agl, agl
CC=gobot, golang-dev
https://golang.org/cl/10245048
2013-06-27 17:16:25 -04:00
Frithjof Schulze
b92b09300a crypto/tls: Change TLS version to 1.1 in the package comment.
Also use 2048-bit RSA keys as default in generate_cert.go,
as recommended by the NIST.

R=golang-dev, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/10676043
2013-06-27 11:23:55 -07:00
Adam Langley
d2a19e9fd1 crypto/elliptic: add constant-time, P-256 implementation.
On my 64-bit machine, despite being 32-bit code, fixed-base
multiplications are 7.1x faster and arbitrary multiplications are 2.6x
faster.

It is difficult to review this change. However, the code is essentially
the same as code that has been open-sourced in Chromium. There it has
been successfully performing P-256 operations for several months on
many machines so the arithmetic of the code should be sound.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10551044
2013-06-27 13:31:05 -04:00
Robin Eklind
2546a54148 crypto/sha512: update comment for the Sum512 function.
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/10660043
2013-06-27 20:51:46 +10:00
Rob Pike
fa7e46c884 crypto/sha512: provide top-level Sum512 and Sum384 functions
Makes it easy to ask the simple question, what is the hash of this data?
Also fix the commentary and prints in Sum256.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10630043
2013-06-26 13:14:11 -07:00
Rob Pike
5cd5d88954 crypto/sha256: provide top-level Sum and Sum224 functions
Makes it easy to ask the simple question, what is the hash of this data?

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10629043
2013-06-26 11:36:18 -07:00
Rob Pike
4850f5d5ea crypto/md5: provide a top-level Sum function
Makes it easy to ask the simple question, what is the hash of this data?
Also mark block as non-escaping.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/10624044
2013-06-26 11:29:30 -07:00
Rob Pike
4cf73890a2 crypto/sha1: provide a top-level Sum function
Makes it easy to ask the simple question, what is the hash of this data?

R=golang-dev, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/10571043
2013-06-25 17:04:18 -07:00
Rob Pike
793bb6cce7 crypto/sha1: mark block as non-escaping
The compiler still gets the escape analysis wrong, but the annotation here is correct.

R=golang-dev, dave, bradfitz
CC=golang-dev
https://golang.org/cl/10514046
2013-06-24 17:48:31 -07:00
Adam Langley
9035297266 crypto/x509: add function to marshal EC private keys.
This complements the parsing function that we already have.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/10426043
2013-06-20 12:14:16 -04:00
Adam Langley
966e889687 crypto/tls: change advertised ciphersuite order.
TLS clients send ciphersuites in preference order (most preferable
first). This change alters the order so that ECDHE comes before plain
RSA, and RC4 comes before AES (because of the Lucky13 attack).

This is unlikely to have much effect: as a server, the code uses the
client's ciphersuite order by default and, as a client, the non-Go
server probably imposes its order.

R=golang-dev, r, raggi, jsing
CC=golang-dev
https://golang.org/cl/10372045
2013-06-19 16:46:53 -04:00
Paul van Brouwershaven
4bd79e742a crypto/x509: Added RFC 5280, section 4.2.1.14 to parseCertificate and buildExtensions
Support for CRL Distribution Points

R=golang-dev, agl, bradfitz
CC=golang-dev
https://golang.org/cl/10258043
2013-06-17 14:56:45 -07:00
Brad Fitzpatrick
14e52c74bc crypto/cipher: StreamWriter.Closer docs + behavior change
Don't panic when the underlying Writer isn't a Closer. And
document what Close does and clarify that it's not a Flush.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/10310043
2013-06-17 07:30:04 -07:00
Gerasimos Dimitriadis
02a891b30b asn1: Improved encoding/decoding for OID types
The first identifier in an Object Identifier must be between 0 and 2
inclusive. The range of values that the second one can take depends
on the value of the first one.
The two first identifiers are not necessarily encoded in a single octet,
but in a varint.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/10140046
2013-06-10 18:14:47 -04:00
Adam Langley
2112fed743 crypto/tls: support TLS 1.1.
The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/7880043
2013-06-04 20:02:22 -04:00
John Shahid
ca986a2c81 crypto/tls: Check all certificates in the path.
Currently we only check the leaf node's issuer against the list of
distinguished names in the server's CertificateRequest message. This
will fail if the client certificate has more than one certificate in
the path and the leaf node issuer isn't in the list of distinguished
names, but the issuer's issuer was in the distinguished names.

R=agl, agl
CC=gobot, golang-dev
https://golang.org/cl/9795043
2013-05-29 11:21:32 -04:00
Adam Langley
ddc8679128 crypto/x509: harmonise error prefixes.
crypto/x509 has ended up with a variety of error formats. This change makes them all start with "x509: ".

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/9736043
2013-05-24 16:23:13 -04:00
Nan Deng
876455f3ba crypto/rsa: implement PSS signatures.
This change contains an implementation of the RSASSA-PSS signature
algorithm described in RFC 3447.

R=agl, agl
CC=gobot, golang-dev, r
https://golang.org/cl/9438043
2013-05-23 11:10:41 -04:00
Adam Langley
8590e1bd3c crypto/tls: don't send NPN extension if NextProtos is not set.
This isn't clearly a bug on Go's part, but it triggers a bug in Firefox
which means that crypto/tls and net/http cannot be wired up together
unless NextProtos includes "http/1.1". When net/http sets up the
tls.Config, it does this and so works fine. But anyone setting up the
tls.Config themselves will hit the Firefox bug.

Fixes #5445.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/9539045
2013-05-21 10:47:31 -04:00
Adam Langley
b419e2b57c crypto/x509: provide better error messages for X.509 verify failures.
Failures caused by errors like invalid signatures or missing hash
functions cause rather generic, unhelpful error messages because no
trust chain can be constructed: "x509: certificate signed by unknown
authority."

With this change, authority errors may contain the reason why an
arbitrary candidate step in the chain was rejected. For example, in the
event of a missing hash function the error looks like:

x509: certificate signed by unknown authority (possibly because of
"crypto/x509: cannot verify signature: algorithm unimplemented" while
trying to verify candidate authority certificate 'Thawte SGC CA')

Fixes 5058.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/9104051
2013-05-20 14:20:26 -04:00
Adam Langley
21cf646bfc crypto/tls: fix flakey test.
A test added in b37d2fdcc4d9 didn't work with some values of GOMAXPROCS
because the defer statements were in the wrong order: the Pipe could be
closed before the TLS Client was.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/9187047
2013-05-16 12:29:23 -04:00
Adam Langley
e85e678899 crypto/rsa: check for minimal PKCS#1 v1.5 padding.
The PKCS#1 spec requires that the PS padding in an RSA message be at
least 8 bytes long. We were not previously checking this. This isn't
important in the most common situation (session key encryption), but
the impact is unclear in other cases.

This change enforces the specified minimum size.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/9222045
2013-05-15 10:27:34 -04:00
Adam Langley
a1dbfee15b crypto/tls: ignore empty TLS records.
OpenSSL can be configured to send empty records in order to randomise
the CBC IV. This is an early version of 1/n-1 record splitting (that Go
does) and is quite reasonable, but it results in tls.Conn.Read
returning (0, nil).

This change ignores up to 100 consecutive, empty records to avoid
returning (0, nil) to callers.

Fixes 5309.

R=golang-dev, r, minux.ma
CC=golang-dev
https://golang.org/cl/8852044
2013-05-15 10:25:54 -04:00
Rémy Oudompheng
b08a3164c0 crypto/rand: better panic message for invalid Int argument.
Also document the panic to be consistent with math/rand.

Fixes #5187.

R=golang-dev, dave, bradfitz, r
CC=golang-dev
https://golang.org/cl/8303043
2013-04-17 23:21:15 -07:00
Brad Fitzpatrick
03640c58e3 crypto/ecdsa: doc cleanup
R=golang-dev, dsymonds, r
CC=golang-dev
https://golang.org/cl/8592044
2013-04-13 23:09:08 -07:00
Adam Langley
f20f8b8b0a crypto/rsa: don't correct private exponent unless needed.
At some point in the past, I believe the GCD algorithm was setting d to
be negative. The RSA code has been correcting that ever since but, now,
it appears to have changed and the correction isn't needed.

Having d be too large is harmless, it's just a little odd and I
happened to notice.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/7948044
2013-03-25 19:08:29 -04:00
Russ Cox
f6d0adedb6 build: remove dead code
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/7877045
2013-03-22 17:28:22 -04:00
Russ Cox
07720b67b3 build: update assembly variable names for vet
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/7834046
2013-03-22 12:57:55 -04:00
Russ Cox
dabe51065c crypto/cipher: fix vet warning
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/7973043
2013-03-22 12:57:34 -04:00
Russ Cox
b505ff6279 crypto/rc4: faster amd64 implementation
XOR key into data 128 bits at a time instead of 64 bits
and pipeline half of state loads. Rotate loop to allow
single-register indexing for state[i].

On a MacBookPro10,2 (Core i5):

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128          412          224  -45.63%
BenchmarkRC4_1K          3179         1613  -49.26%
BenchmarkRC4_8K         25223        12545  -50.26%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128       310.51       570.42    1.84x
BenchmarkRC4_1K        322.09       634.48    1.97x
BenchmarkRC4_8K        320.97       645.32    2.01x

For comparison, on the same machine, openssl 0.9.8r reports
its rc4 speed as somewhat under 350 MB/s for both 1K and 8K
(it is operating 64 bits at a time).

On an Intel Xeon E5520:

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128          418          259  -38.04%
BenchmarkRC4_1K          3200         1884  -41.12%
BenchmarkRC4_8K         25173        14529  -42.28%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128       306.04       492.48    1.61x
BenchmarkRC4_1K        319.93       543.26    1.70x
BenchmarkRC4_8K        321.61       557.20    1.73x

For comparison, on the same machine, openssl 1.0.1
reports its rc4 speed as 587 MB/s for 1K and 601 MB/s for 8K.

R=agl
CC=golang-dev
https://golang.org/cl/7865046
2013-03-21 16:38:57 -04:00
Russ Cox
2f32138aba crypto/sha1: faster amd64, 386 implementations
-- amd64 --

On a MacBookPro10,2 (Core i5):

benchmark              old ns/op    new ns/op    delta
BenchmarkHash8Bytes          785          592  -24.59%
BenchmarkHash1K             8727         3014  -65.46%
BenchmarkHash8K            64926        20723  -68.08%

benchmark               old MB/s     new MB/s  speedup
BenchmarkHash8Bytes        10.19        13.50    1.32x
BenchmarkHash1K           117.34       339.71    2.90x
BenchmarkHash8K           126.17       395.31    3.13x

For comparison, on the same machine, openssl 0.9.8r reports
its sha1 speed as 341 MB/s for 1K and 404 MB/s for 8K.

On an Intel Xeon E5520:

benchmark              old ns/op    new ns/op    delta
BenchmarkHash8Bytes          984          707  -28.15%
BenchmarkHash1K            11141         3466  -68.89%
BenchmarkHash8K            82435        23411  -71.60%

benchmark               old MB/s     new MB/s  speedup
BenchmarkHash8Bytes         8.13        11.31    1.39x
BenchmarkHash1K            91.91       295.36    3.21x
BenchmarkHash8K            99.37       349.91    3.52x

For comparison, on the same machine, openssl 1.0.1 reports
its sha1 speed as 286 MB/s for 1K and 394 MB/s for 8K.

-- 386 --

On a MacBookPro10,2 (Core i5):

benchmark              old ns/op    new ns/op    delta
BenchmarkHash8Bytes         1041          713  -31.51%
BenchmarkHash1K            15612         3382  -78.34%
BenchmarkHash8K           110152        22733  -79.36%

benchmark               old MB/s     new MB/s  speedup
BenchmarkHash8Bytes         7.68        11.21    1.46x
BenchmarkHash1K            65.59       302.76    4.62x
BenchmarkHash8K            74.37       360.36    4.85x

On an Intel Xeon E5520:

benchmark              old ns/op    new ns/op    delta
BenchmarkHash8Bytes         1221          842  -31.04%
BenchmarkHash1K            14643         4137  -71.75%
BenchmarkHash8K           108722        27394  -74.80%

benchmark               old MB/s     new MB/s  speedup
BenchmarkHash8Bytes         6.55         9.49    1.45x
BenchmarkHash1K            69.93       247.51    3.54x
BenchmarkHash8K            75.35       299.04    3.97x

R=agl, dave
CC=golang-dev
https://golang.org/cl/7763049
2013-03-21 11:32:02 -04:00
Russ Cox
25cbd534df crypto/md5: faster amd64, 386 implementations
-- amd64 --

On a MacBookPro10,2 (Core i5):

benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                   471          524  +11.25%
BenchmarkHash1K                      3018         2220  -26.44%
BenchmarkHash8K                     20634        14604  -29.22%
BenchmarkHash8BytesUnaligned          468          523  +11.75%
BenchmarkHash1KUnaligned             3006         2212  -26.41%
BenchmarkHash8KUnaligned            20820        14652  -29.63%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                 16.98        15.26    0.90x
BenchmarkHash1K                    339.26       461.19    1.36x
BenchmarkHash8K                    397.00       560.92    1.41x
BenchmarkHash8BytesUnaligned        17.08        15.27    0.89x
BenchmarkHash1KUnaligned           340.65       462.75    1.36x
BenchmarkHash8KUnaligned           393.45       559.08    1.42x

For comparison, on the same machine, openssl 0.9.8r reports
its md5 speed as 350 MB/s for 1K and 410 MB/s for 8K.

On an Intel Xeon E5520:

benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                   565          607   +7.43%
BenchmarkHash1K                      3753         2475  -34.05%
BenchmarkHash8K                     25945        16250  -37.37%
BenchmarkHash8BytesUnaligned          559          594   +6.26%
BenchmarkHash1KUnaligned             3754         2474  -34.10%
BenchmarkHash8KUnaligned            26011        16359  -37.11%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                 14.15        13.17    0.93x
BenchmarkHash1K                    272.83       413.58    1.52x
BenchmarkHash8K                    315.74       504.11    1.60x
BenchmarkHash8BytesUnaligned        14.31        13.46    0.94x
BenchmarkHash1KUnaligned           272.73       413.78    1.52x
BenchmarkHash8KUnaligned           314.93       500.73    1.59x

For comparison, on the same machine, openssl 1.0.1 reports
its md5 speed as 443 MB/s for 1K and 513 MB/s for 8K.

-- 386 --

On a MacBookPro10,2 (Core i5):

benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                   602          670  +11.30%
BenchmarkHash1K                      4038         2549  -36.87%
BenchmarkHash8K                     27879        16690  -40.13%
BenchmarkHash8BytesUnaligned          602          670  +11.30%
BenchmarkHash1KUnaligned             4025         2546  -36.75%
BenchmarkHash8KUnaligned            27844        16692  -40.05%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                 13.28        11.93    0.90x
BenchmarkHash1K                    253.58       401.69    1.58x
BenchmarkHash8K                    293.83       490.81    1.67x
BenchmarkHash8BytesUnaligned        13.27        11.94    0.90x
BenchmarkHash1KUnaligned           254.40       402.05    1.58x
BenchmarkHash8KUnaligned           294.21       490.77    1.67x

On an Intel Xeon E5520:

benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                   752          716   -4.79%
BenchmarkHash1K                      5307         2799  -47.26%
BenchmarkHash8K                     36993        18042  -51.23%
BenchmarkHash8BytesUnaligned          748          730   -2.41%
BenchmarkHash1KUnaligned             5301         2795  -47.27%
BenchmarkHash8KUnaligned            36983        18085  -51.10%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                 10.64        11.16    1.05x
BenchmarkHash1K                    192.93       365.80    1.90x
BenchmarkHash8K                    221.44       454.03    2.05x
BenchmarkHash8BytesUnaligned        10.69        10.95    1.02x
BenchmarkHash1KUnaligned           193.15       366.36    1.90x
BenchmarkHash8KUnaligned           221.51       452.96    2.04x

R=agl
CC=golang-dev
https://golang.org/cl/7621049
2013-03-21 11:26:00 -04:00
Russ Cox
1af960802a crypto/rc4: faster amd64, 386 implementations
-- amd64 --

On a MacBookPro10,2 (Core i5):

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128          470          421  -10.43%
BenchmarkRC4_1K          3123         3275   +4.87%
BenchmarkRC4_8K         26351        25866   -1.84%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128       272.22       303.40    1.11x
BenchmarkRC4_1K        327.80       312.58    0.95x
BenchmarkRC4_8K        307.24       313.00    1.02x

For comparison, on the same machine, openssl 0.9.8r reports
its rc4 speed as somewhat under 350 MB/s for both 1K and 8K.
The Core i5 performance can be boosted another 20%, but only
by making the Xeon performance significantly slower.

On an Intel Xeon E5520:

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128          774          417  -46.12%
BenchmarkRC4_1K          6121         3200  -47.72%
BenchmarkRC4_8K         48394        25151  -48.03%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128       165.18       306.84    1.86x
BenchmarkRC4_1K        167.28       319.92    1.91x
BenchmarkRC4_8K        167.29       321.89    1.92x

For comparison, on the same machine, openssl 1.0.1
(which uses a different implementation than 0.9.8r)
reports its rc4 speed as 587 MB/s for 1K and 601 MB/s for 8K.
It is using SIMD instructions to do more in parallel.

So there's still some improvement to be had, but even so,
this is almost 2x faster than what it replaced.

-- 386 --

On a MacBookPro10,2 (Core i5):

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128         3491          421  -87.94%
BenchmarkRC4_1K         28063         3205  -88.58%
BenchmarkRC4_8K        220392        25228  -88.55%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128        36.66       303.81    8.29x
BenchmarkRC4_1K         36.49       319.42    8.75x
BenchmarkRC4_8K         36.73       320.90    8.74x

On an Intel Xeon E5520:

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128         2268          524  -76.90%
BenchmarkRC4_1K         18161         4137  -77.22%
BenchmarkRC4_8K        142396        32350  -77.28%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128        56.42       244.13    4.33x
BenchmarkRC4_1K         56.38       247.46    4.39x
BenchmarkRC4_8K         56.86       250.26    4.40x

R=agl
CC=golang-dev
https://golang.org/cl/7547050
2013-03-21 11:25:09 -04:00
Brad Fitzpatrick
76d5e2ce7d crypto/tls: use method values
Currently fails with a compiler error, though.

R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/7933043
2013-03-20 23:53:38 -04:00
Brad Fitzpatrick
e15c0ac693 all: remove now-unnecessary unreachable panics
Take advantage of the new terminating statement rule.

R=golang-dev, r, gri
CC=golang-dev
https://golang.org/cl/7712044
2013-03-11 14:16:55 -07:00
Rémy Oudompheng
b582ef3855 crypto/rsa: fix infinite loop in GenerateMultiPrimeKey for large nprimes
The heuristics for BitLen of a product of randomly generated primes
are wrong, and the generated candidates never match the required
size for nprimes > 10. This corner case is not expected to be used in
practice.

R=agl
CC=golang-dev
https://golang.org/cl/7397052
2013-02-24 17:19:09 +01:00
Robin Eklind
d137a2cb56 src: use internal tests if possible
If a test can be placed in the same package ("internal"), it is placed
there. This facilitates testing of package-private details. Because of
dependency cycles some packages cannot be tested by internal tests.

R=golang-dev, rsc, mikioh.mikioh
CC=golang-dev, r
https://golang.org/cl/7323044
2013-02-19 10:02:01 -05:00
Adam Langley
5b20a18f3b crypto/x509: support IP SANs.
Subject Alternative Names in X.509 certificates may include IP
addresses. This change adds support for marshaling, unmarshaling and
verifying this form of SAN.

It also causes IP addresses to only be checked against IP SANs,
rather than against hostnames as was previously the case. This
reflects RFC 6125.

Fixes #4658.

R=golang-dev, mikioh.mikioh, bradfitz
CC=golang-dev
https://golang.org/cl/7336046
2013-02-15 10:40:17 -05:00
Adam Langley
e0791a3adf crypto/x509: disable SGC test with system validation.
On Windows, CryptoAPI is finding an alternative validation path. Since
this is a little non-deterministic, this change disables that test
when using system validation.

R=golang-dev
CC=golang-dev
https://golang.org/cl/7313068
2013-02-09 13:51:39 -05:00
Adam Langley
e1c309e792 crypto/x509: allow MS/NS SGC key usage as ServerAuth.
By default, crypto/x509 assumes that users wish to validate
certificates for ServerAuth. However, due to historical reasons,
COMODO's intermediates don't specify ServerAuth as an allowed key
usage.

Rather NSS and CryptoAPI both allow these SGC OIDs to be equivalent to
ServerAuth.

R=rsc
CC=golang-dev
https://golang.org/cl/7312070
2013-02-09 13:20:25 -05:00
Ian Lance Taylor
2b44c33b4a crypto/md5: fix for big-endian processors
R=golang-dev, minux.ma, agl
CC=golang-dev
https://golang.org/cl/7305059
2013-02-07 13:31:53 -08:00
Shenghou Ma
80e1cf73eb crypto/rc4: naïve ARM assembly implementation
On 800MHz Cortex-A8:
benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128         9395         2838  -69.79%
BenchmarkRC4_1K         74497        22120  -70.31%
BenchmarkRC4_8K        587243       171435  -70.81%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128        13.62        45.09    3.31x
BenchmarkRC4_1K         13.75        46.29    3.37x
BenchmarkRC4_8K         13.79        47.22    3.42x

Result for "OpenSSL 1.0.1c 10 May 2012" from Debian/armhf sid:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
rc4              39553.81k    46522.39k    49336.11k    50085.63k    50258.06k

R=golang-dev, agl, dave
CC=golang-dev
https://golang.org/cl/7310051
2013-02-07 18:54:21 +08:00
Adam Langley
5c659d7362 crypto/x509: test for negative RSA parameters.
Someone found software that generates negative numbers for the RSA
modulus in an X.509 certificate. Our error messages were very poor in
this case so this change improves that.

Update #4728
Return more helpful errors when RSA parameters are negative or zero.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/7228072
2013-01-31 12:54:37 -05:00
Russ Cox
fa2acad603 crypto/cipher: avoid out of bounds error in CryptBlocks
Fixes #4699.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/7231065
2013-01-30 12:45:13 -08:00
Adam Langley
475d86b6d9 crypto/rc4: add simple amd64 asm implementation.
(Although it's still half the speed of OpenSSL.)

benchmark           old ns/op    new ns/op    delta
BenchmarkRC4_128         1409          398  -71.75%
BenchmarkRC4_1K         10920         2898  -73.46%
BenchmarkRC4_8K        131323        23083  -82.42%

benchmark            old MB/s     new MB/s  speedup
BenchmarkRC4_128        90.83       321.43    3.54x
BenchmarkRC4_1K         93.77       353.28    3.77x
BenchmarkRC4_8K         61.65       350.73    5.69x

R=rsc, remyoudompheng
CC=golang-dev, jgrahamc
https://golang.org/cl/7234055
2013-01-30 11:01:19 -05:00
Dave Cheney
6a9e956f19 all: use t.Skip{,f}
Replace various t.Log{,f} ; return checks with t.Skip{,f}.

R=golang-dev, n13m3y3r, bradfitz, adg, mikioh.mikioh
CC=golang-dev
https://golang.org/cl/7193044
2013-01-24 17:32:10 +11:00
Mikkel Krautz
249af5c85e crypto/x509: skip SystemRootsError test on Windows
On Windows, crypto/x509 passes through to Windows's CryptoAPI
to verify certificate chains. This method can't produce a
SystemRootsError, so make sure we always skip the test on
Windows.

This is needed because testVerify is called in both
TestGoVerify and TestSystemVerify on Windows - one is for
testing the Go verifier, the other one is for testing the
CryptoAPI verifier. The original CL tried to sidestep
this issue by setting systemSkip to true, but that only
affected TestSystemVerify.

R=golang-dev, agl, snaury, minux.ma
CC=golang-dev
https://golang.org/cl/7185043
2013-01-24 01:20:17 +08:00
Adam Langley
793cbd5b81 crypto/tls: allow the server to enforce its ciphersuite preferences.
Previously, Go TLS servers always took the client's preferences into
account when selecting a ciphersuite. This change adds the option of
using the server's preferences, which can be expressed by setting
tls.Config.CipherSuites.

This mirrors Apache's SSLHonorCipherOrder directive.

R=golang-dev, nightlyone, bradfitz, ality
CC=golang-dev
https://golang.org/cl/7163043
2013-01-22 10:10:38 -05:00
Adam Langley
5b5d3efcf3 crypto/x509: return a better error when we fail to load system roots.
R=golang-dev, krautz, rsc
CC=golang-dev
https://golang.org/cl/7157044
2013-01-21 11:25:28 -05:00
Adam Langley
0fb6f5f21b crypto/cipher: don't persist errors in StreamWriter.
I messed this up from the beginning. The receiver isn't a pointer so
setting Err is useless. In order to maintain the API, just remove the
superfluous code.

Fixes #4657.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/7161043
2013-01-21 11:22:08 -05:00
Matthew Dempsky
46811d27ce src: Use bytes.Equal instead of bytes.Compare where possible.
bytes.Equal is simpler to read and should also be faster because
of short-circuiting and assembly implementations.

Change generated automatically using:
  gofmt -r 'bytes.Compare(a, b) == 0 -> bytes.Equal(a, b)'
  gofmt -r 'bytes.Compare(a, b) != 0 -> !bytes.Equal(a, b)'

R=golang-dev, dave, adg, rsc
CC=golang-dev
https://golang.org/cl/7038051
2013-01-07 10:03:49 +11:00
Adam Langley
975bf6d323 crypto/rsa: ensure that RSA keys use the full number of bits.
While half of all numbers don't have their most-significant bit set,
this is becoming increasingly impermissible for RSA moduli. In an
attempt to exclude weak keys, several bits of software either do, or
will, enforce that RSA moduli are >= 1024-bits.

However, Go often generates 1023-bit RSA moduli which this software
would then reject.

This change causes crypto/rsa to regenerate the primes in the event
that the result is shorter than requested.

It also alters crypto/rand in order to remove the performance impact
of this:

The most important change to crypto/rand is that it will now set the
top two bits in a generated prime (OpenSSL does the same thing).
Multiplying two n/2 bit numbers, where each have the top two bits set,
will always result in an n-bit product. (This effectively makes the
crypto/rsa change moot, but that seems too fragile to depend on.)

Also this change adds code to crypto/rand to rapidly eliminate some
obviously composite numbers and reduce the number of Miller-Rabin
tests needed to generate a prime.

R=rsc, minux.ma
CC=golang-dev
https://golang.org/cl/7002050
2012-12-28 19:11:37 -05:00
Adam Langley
8f1d170fc6 crypto/des: add an example to demonstrate EDE2 operation.
EDE2 is a rare DES mode that can be implemented with crypto/des, but
it's somewhat non-obvious so this CL adds an example of doing so.

Fixes #3537.

R=golang-dev, adg
CC=golang-dev
https://golang.org/cl/6721056
2012-12-22 10:50:11 -05:00
Shenghou Ma
d1ef9b56fb all: fix typos
caught by https://github.com/lyda/misspell-check.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/6949072
2012-12-19 03:04:09 +08:00
Brad Fitzpatrick
444b7b53e0 crypto/tls: fix loading keys labeled just "PRIVATE KEY"
Worked in Go 1, broken in f440e65f93fe.

Fixes #4477

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6865043
2012-12-01 11:02:08 -08:00
Anthony Martin
1de4d313dd crypto/tls: use 1/n-1 record splitting to protect against BEAST
This requires rebasing the block-mode test scripts.
I used GnuTLS version 3.1.4.

R=agl
CC=golang-dev
https://golang.org/cl/6844073
2012-11-26 10:56:39 -08:00
Shenghou Ma
38458ce3fe crypto/md5: speed up aligned writes and test/bench unaligned writes
Write() can safely use uint32 loads when input is aligned.
Also add test and benchmarks for unaligned writes.

Benchmark result obtained by Dave Cheney on ARMv5TE @ 1.2GHz:
benchmark                       old ns/op    new ns/op    delta
BenchmarkHash8Bytes                  4104         3417  -16.74%
BenchmarkHash1K                     22061        11208  -49.20%
BenchmarkHash8K                    146630        65148  -55.57%
BenchmarkHash8BytesUnaligned         4128         3436  -16.76%
BenchmarkHash1KUnaligned            22054        21473   -2.63%
BenchmarkHash8KUnaligned           146658       146909   +0.17%

benchmark                        old MB/s     new MB/s  speedup
BenchmarkHash8Bytes                  1.95         2.34    1.20x
BenchmarkHash1K                     46.42        91.36    1.97x
BenchmarkHash8K                     55.87       125.74    2.25x
BenchmarkHash8BytesUnaligned         1.94         2.33    1.20x
BenchmarkHash1KUnaligned            46.43        47.69    1.03x
BenchmarkHash8KUnaligned            55.86        55.76    1.00x

R=golang-dev, dave, bradfitz
CC=golang-dev
https://golang.org/cl/6782072
2012-11-18 02:23:34 +08:00
Robin Eklind
4f250132f7 archive/zip, crypto/tls, net/http: Fix print format errors.
All of the errors were located using "go vet ./..." in "src/pkg".

R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/6856056
2012-11-16 17:24:43 -08:00
Joel Sing
aaf3b71288 crypto/tls: add support for loading EC X.509 key pairs
Add support for loading X.509 key pairs that consist of a certificate
with an EC public key and its corresponding EC private key.

R=agl
CC=golang-dev
https://golang.org/cl/6776043
2012-11-16 19:33:59 +11:00
Joel Sing
63315c0af1 crypto/x509: add support for SEC1/EC private keys.
Add support for parsing SEC1 EC private keys and PKCS8 encapsulated
EC private key structures.

R=agl
CC=golang-dev
https://golang.org/cl/6767045
2012-11-15 03:39:00 +11:00
Roger Peppe
791fb978dd crypto/x509: implement EncryptPEMBlock
Arbitrary decisions: order of the arguments and the
fact it takes a block-type argument (rather than
leaving to user to fill it in later); I'm happy whatever
colour we want to paint it.

We also change DecryptPEMBlock so that it won't
panic when the IV has the wrong size.

R=agl, agl
CC=golang-dev
https://golang.org/cl/6820114
2012-11-12 15:31:23 +00:00
Roger Peppe
768ba46cc1 crypto/x509: fix DecryptPEMBlock
The current implementation can fail when the
block size is not a multiple of 8 bytes.
This CL makes it work, and also checks that the
data is in fact a multiple of the block size.

R=agl, agl
CC=golang-dev
https://golang.org/cl/6827058
2012-11-07 15:16:34 +00:00
Carl Mastrangelo
f8892fb395 crypto/sha1: Make sha-1 do block mixup in place
Benchmarks:

benchmark              old ns/op    new ns/op    delta
BenchmarkHash8Bytes          762          674  -11.55%
BenchmarkHash1K             8791         7375  -16.11%
BenchmarkHash8K            65094        54881  -15.69%

benchmark               old MB/s     new MB/s  speedup
BenchmarkHash8Bytes        10.50        11.86    1.13x
BenchmarkHash1K           116.48       138.84    1.19x
BenchmarkHash8K           125.85       149.27    1.19x

R=dave, rsc, iant
CC=golang-dev
https://golang.org/cl/6820096
2012-11-07 13:41:02 +11:00
Eric Roshan-Eisner
03c52a5d65 crypto: use better hash benchmarks
Labels the existing benchmark as stream, and add benchmarks that
compute the checksum.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6814060
2012-11-01 16:21:18 -04:00
Adam Langley
5176481f16 crypto/cipher: add examples
Fixes #1390.

R=golang-dev, minux.ma, adg, agl
CC=golang-dev
https://golang.org/cl/6631044
2012-10-31 16:37:26 -04:00
Robert Griesemer
465b9c35e5 gofmt: apply gofmt -w src misc
Remove trailing whitespace in comments.
No other changes.

R=r
CC=golang-dev
https://golang.org/cl/6815053
2012-10-30 13:38:01 -07:00
Adam Langley
184e7a2bf2 crypto/x509: always write validity times in UTC.
RFC 5280 section 4.1.2.5.1 says so.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/6775068
2012-10-29 11:16:58 -04:00
Shane Hansen
fcd5fd2ad4 crypto/cipher: panic on invalid IV length
Give better user feedback when invalid IV is used
to construct a cipher.

Fixes #3411

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6652053
2012-10-17 14:29:00 -04:00
Adam Langley
cfa1ba34cc crypto/tls: make closeNotify a warning alert.
The RFC doesn't actually have an opinion on whether this is a fatal or
warning level alert, but common practice suggests that it should be a
warning.

This involves rebasing most of the tests.

Fixes #3413.

R=golang-dev, shanemhansen, rsc
CC=golang-dev
https://golang.org/cl/6654050
2012-10-16 15:40:37 -04:00
Adam Langley
3acce59b93 crypto/rsa: fix decryption benchmark.
I was an idiot and was thinking that a small base didn't matter
because the exponentiation would quickly make the number the same size
as the modulus. But, of course, the small base continues to make
multiplications unrealistically cheap throughout the computation.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6649048
2012-10-11 18:25:23 -04:00
Adam Langley
6720997f9e crypto/hmac: add Equal function.
It was suggested that it's too easy to use crypto/hmac insecurely and
I think that has some merit. This change adds a Equal function to
make it obvious that MAC values should be compared in constant time.

R=rsc, max
CC=golang-dev
https://golang.org/cl/6632044
2012-10-11 15:28:02 -04:00
Robert Griesemer
af79568fde gofmt: apply gofmt -w -s src misc
Preparation for forthcoming CL 6624051: Will make it
easier to see if/what changes are incurred by it.

The alignment changes in this CL are due to CL 6610051
(fix to alignment heuristic) where it appears that an
old version of gofmt was run (and thus the correct
alignment updates were not done).

R=r
CC=golang-dev
https://golang.org/cl/6639044
2012-10-09 17:01:28 -07:00
Adam Langley
7e90f7b4ab crypto/tls: fix NPN extension parsing.
I typoed the code and tried to parse all the way to the end of the
message. Therefore it fails when NPN is not the last extension in the
ServerHello.

Fixes #4088.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6637052
2012-10-09 13:25:47 -04:00
Dmitry Chestnykh
b459afe843 crypto/sha256, crypto/sha512: 1.3x speedup
SHA-256:

benchmark          old ns/op    new ns/op    delta
BenchmarkHash1K        21686        16912  -22.01%
BenchmarkHash8K       173216       135020  -22.05%

benchmark           old MB/s     new MB/s  speedup
BenchmarkHash1K        47.22        60.55    1.28x
BenchmarkHash8K        47.29        60.67    1.28x

SHA-512:

benchmark          old ns/op    new ns/op    delta
BenchmarkHash1K        14323        11163  -22.06%
BenchmarkHash8K       114120        88693  -22.28%

benchmark           old MB/s     new MB/s  speedup
BenchmarkHash1K        71.49        91.73    1.28x
BenchmarkHash8K        71.78        92.36    1.29x

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6584071
2012-10-05 17:04:48 -04:00
Jeff Wendling
70ab57ea2d crypto/x509: add DecryptBlock function for loading password protected keys
Adds a DecryptBlock function which takes a password and a *pem.Block and
returns the decrypted DER bytes suitable for passing into other crypto/x509
functions.

R=golang-dev, agl, leterip
CC=golang-dev
https://golang.org/cl/6555052
2012-10-04 15:42:57 -04:00
David du Colombier
cca48f1a57 crypto/x509: add Plan 9 root certificate location
R=golang-dev
CC=golang-dev, rsc
https://golang.org/cl/6571056
2012-09-26 14:47:47 -04:00
Shenghou Ma
948db4e091 crypto/aes: speed up using AES-NI on amd64
This CL requires CL 5970055.

benchmark           old ns/op    new ns/op    delta
BenchmarkEncrypt          161           23  -85.71%
BenchmarkDecrypt          158           24  -84.24%
BenchmarkExpand           526           62  -88.21%

benchmark            old MB/s     new MB/s  speedup
BenchmarkEncrypt        99.32       696.19    7.01x
BenchmarkDecrypt       100.93       641.56    6.36x

R=golang-dev, bradfitz, dave, rsc
CC=golang-dev
https://golang.org/cl/6549055
2012-09-27 01:54:10 +08:00
Adam Langley
65c7dc4ace crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Andrew Harding
c993ac11bc crypto/x509: Use ExtKeyUsage and UnknownExtKeyUsage fields from template in CreateCertificate
R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6535057
2012-09-20 12:36:37 -04:00
Adam Langley
be11889ab1 crypto/x509: ignore non-critical email constraints
Previously we tried to parse email constraints as the maximum base
distance (which is unused and must be omitted according to RFC 5280)
because they share the same tag number. Rather than complicate the
code further, this CL just ignores the unused values.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/6552044
2012-09-20 12:30:56 -04:00
Adam Langley
ecc04b8927 crypto/tls: allow certificates and key to be in either order.
X509KeyPair wasn't really supposed to allow the certificate and
key to be in the same file, but it did work if you put the key
first. Since some HTTPS servers support loading keys and certs
like this, this change makes it work in either order.

Fixes #3986.

R=golang-dev, dave, rsc
CC=golang-dev
https://golang.org/cl/6499103
2012-09-13 11:00:16 -04:00
Russ Cox
ef87c0edae crypto/rsa: reject PublicKey.E if it won't fit in a 32-bit int
Right now we only have 32-bit ints so that's a no-op.
Took the opportunity to check for some other invalid values too.
Suggestions for additions or modifications welcome.

R=agl
CC=golang-dev
https://golang.org/cl/6493112
2012-09-13 10:47:01 -04:00
Adam Langley
122d2873a8 crypto/rand: typo fix from a69e30463bf4
R=golang-dev
CC=golang-dev
https://golang.org/cl/6497106
2012-09-09 20:11:58 -04:00
Adam Langley
b752ab2e90 crypto/rand: zero length reads shouldn't crash on Windows.
R=golang-dev, dave
CC=golang-dev
https://golang.org/cl/6496099
2012-09-09 20:07:09 -04:00
Dave Cheney
67ee9a7db1 crypto/tls: fix data race on conn.err
Fixes #3862.

There were many areas where conn.err was being accessed
outside the mutex. This proposal moves the err value to
an embedded struct to make it more obvious when the error
value is being accessed.

As there are no Benchmark tests in this package I cannot
feel confident of the impact of this additional locking,
although most will be uncontended.

R=dvyukov, agl
CC=golang-dev
https://golang.org/cl/6497070
2012-09-06 17:50:26 +10:00
Adam Langley
0a115d72c1 crypto/tls: return better error message in the case of an SSLv2 handshake.
Update #3930
Return a better error message in this situation.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6474055
2012-08-23 16:44:44 -04:00
Mikkel Krautz
67924c1b60 crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier
will treat the certificate as a server certificate and require
it to have a ExtKeyUsageServerAuth key usage.

R=golang-dev
CC=golang-dev
https://golang.org/cl/6453148
2012-08-18 15:50:33 -07:00
Yves Junqueira
4230dd4c6c crypto/rand: Example for Read.
R=adg, remyoudompheng, rsc, r
CC=golang-dev
https://golang.org/cl/6457085
2012-08-08 12:04:54 +10:00
Alexey Borzenkov
a108369c83 syscall: return EINVAL when string arguments have NUL characters
Since NUL usually terminates strings in underlying syscalls, allowing
it when converting string arguments is a security risk, especially
when dealing with filenames. For example, a program might reason that
filename like "/root/..\x00/" is a subdirectory of "/root/" and allow
access to it, while underlying syscall will treat "\x00" as an end of
that string and the actual filename will be "/root/..", which might
be unexpected. Returning EINVAL when string arguments have NUL in
them makes sure this attack vector is unusable.

R=golang-dev, r, bradfitz, fullung, rsc, minux.ma
CC=golang-dev
https://golang.org/cl/6458050
2012-08-05 17:24:32 -04:00
Adam Langley
728f191319 crypto/elliptic: explicitly handle P+P, ∞+P and P+∞
These aren't needed for scalar multiplication, but since we export a
generic Add function we should handle it.

This change also corrects two bugs in p224Contract that it turned up.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6458076
2012-08-03 15:42:14 -04:00
Adam Langley
e107742080 crypto/tls: remove flakey tests
This removes some (non-short only) tests that involved connections to
the outside world and thus were flakey. This does remove some test
coverage of the root fetchers on non-Windows platforms, but the right
place for that is crypto/x509.

R=golang-dev, krautz, rsc
CC=golang-dev
https://golang.org/cl/6455085
2012-08-03 13:28:05 -04:00
Adam Langley
bbb5f1bffb crypto/x509: support ECDSA keys when generating certificates.
We already support reading ECDSA certificates and this change adds
write support.

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6422046
2012-08-03 10:37:30 -04:00
Adam Langley
93ea79ee7e crypto/rsa: left-pad PKCS#1 v1.5 outputs.
OpenSSL requires that RSA signatures be exactly the same byte-length
as the modulus. Currently it'll reject ~1/256 of our signatures: those
that end up a byte shorter.

Fixes #3796.

R=golang-dev, edsrzf, r
CC=golang-dev
https://golang.org/cl/6352093
2012-07-11 12:47:12 -04:00
Adam Langley
eeffa738a9 encoding/asn1: promote untyped strings to UTF8 as needed.
Previously, strings that didn't have an explicit ASN.1 string type
were taken to be ASN.1 PrintableStrings. This resulted in an error if
an unrepresentable character was included.

For compatibility reasons, I'm too afraid to switch the default string
type to UTF8String, but this patch causes untyped strings to become
UTF8Strings if they contain a character that's not valid in a
PrintableString.

Fixes #3791.

R=golang-dev, bradfitz, r, r
CC=golang-dev
https://golang.org/cl/6348074
2012-07-10 18:23:30 -04:00
Adam Langley
685a61df7e crypto/x509: exempt broken Entrust certificate from checks.
Entrust have issued a root certificate that's not marked as valid for
signing certificates.

This results in Go programs failing to validate certificates that
chain up to this root (i.e. gateway.push.apple.com:2195).

Although this is clearly a mistake on Entrust's part, it seems that we
will have to bodge around it.

R=golang-dev, dave, r
CC=golang-dev
https://golang.org/cl/6346064
2012-07-10 15:57:51 -04:00
David G. Andersen
e66d29cdcf pkg: Removing duplicated words ("of of", etc.), mostly from comments.
Ran 'double.pl' on the pkg tree to identify doubled words.
One change to an error string return in x509; the rest are in comments.
Thanks to Matt Jibson for the idea.

R=golang-dev, bsiegert
CC=golang-dev
https://golang.org/cl/6344089
2012-07-09 09:16:10 +10:00
Adam Langley
7f689864d8 crypto/x509: add extended key usage support.
Flame motivated me to get around to adding extended key usage support
so that code signing certificates can't be used for TLS server
authentication and vice versa.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6304065
2012-06-20 16:18:56 -04:00
Shenghou Ma
a11e74daf7 crypto/elliptic: fix doc typo
Fixes #3735.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6301083
2012-06-14 22:43:15 +08:00
Markus Sonderegger
3476c23124 crypto/rand: enable rand.Reader on plan9
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6297044
2012-06-06 16:05:47 -04:00
Russ Cox
992a11b88b crypto: housekeeping
Rename _Block to block, don't bother making it compute count.
Add benchmarks.

R=agl, agl
CC=golang-dev
https://golang.org/cl/6243053
2012-05-29 12:45:40 -04:00
Russ Cox
15436da232 crypto/md5: faster inner loop, 3x faster overall
The speedup is a combination of unrolling/specializing
the actual code and also making the compiler generate better code.

Go 1.0.1 (size: 1239 code + 320 data = 1559 total)
md5.BenchmarkHash1K   1000000	   7178 ns/op	 142.64 MB/s
md5.BenchmarkHash8K    200000	  56834 ns/op	 144.14 MB/s

Partial unroll  (size: 1115 code + 256 data = 1371 total)
md5.BenchmarkHash1K   5000000	   2513 ns/op	 407.37 MB/s
md5.BenchmarkHash8K    500000	  19406 ns/op	 422.13 MB/s

Complete unroll  (size: 1900 code + 0 data = 1900 code)
md5.BenchmarkHash1K   5000000	   2442 ns/op	 419.18 MB/s
md5.BenchmarkHash8K    500000	  18957 ns/op	 432.13 MB/s

Comparing Go 1.0.1 and the complete unroll (this CL):

benchmark               old MB/s     new MB/s  speedup
md5.BenchmarkHash1K       142.64       419.18    2.94x
md5.BenchmarkHash8K       144.14       432.13    3.00x

On the same machine, 'openssl speed md5' reports 441 MB/s
and 531 MB/s for our two cases, so this CL is at 90% and 80% of
those speeds, which is at least in the right ballpark.
OpenSSL is using carefully engineered assembly, so we are
unlikely to catch up completely.

Measurements on a Mid-2010 MacPro5,1.

R=golang-dev, bradfitz, agl
CC=golang-dev
https://golang.org/cl/6220046
2012-05-22 13:53:27 -04:00
Benjamin Black
5c6162cdd1 crypto/x509: Add ECDSA support
R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/6208087
2012-05-22 11:03:59 -04:00
Adam Langley
5759c6022c crypto/ecdsa: add full set of NIST test vectors.
This includes the NIST test suite for ECDSA and alters the test to
parse and evaluate it.

R=golang-dev, bradfitz, rsc, b
CC=golang-dev
https://golang.org/cl/6219058
2012-05-22 10:33:14 -04:00
Adam Langley
477d7b1663 crypto/ecdsa: fix case where p != 0 mod 8 and the hash length < p.
I made a typo which breaks P-521.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6219057
2012-05-22 10:17:39 -04:00
Russ Cox
053e4edd80 crypto/rsa: add SHA-224 hash prefix
http://www.rsa.com/rsalabs/node.asp?id=2125:

NOTE: A new OID has been defined for the combination
of the v1.5 signature scheme and the SHA-224 hash function:
        sha224WithRSAEncryption OBJECT IDENTIFIER ::=
Like the other sha*WithRSAEncryption OIDs in PKCS #1 v2.1,
this OID has NULL parameters.
The DigestInfo encoding for SHA-224 (see Section 9.2, Note 1) is:
        (0x)30 2d 30 0d 06 09 60 86 48 01 65 03 04 02 04 05 00 04 1c || H

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6208076
2012-05-21 14:10:16 -04:00
Benjamin Black
57557c0d49 tls: add AES256 ciphers
R=golang-dev, rsc, agl
CC=golang-dev
https://golang.org/cl/6188061
2012-05-18 11:06:58 -04:00
Michael Gehring
99142f5537 crypto/tls: fix decoding of certLen in certificateMsg.unmarshal
certLen was decoded incorrectly if length > 2^16-1.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6197077
2012-05-14 12:26:29 -04:00
Russ Cox
36675daa0f crypto/aes: fix comment
Fixes #3589.

R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/6190044
2012-05-07 16:45:34 -04:00
Adam Langley
c8e1946f33 crypto/x509: fix panic when using unavailable hash function.
crypto.Hash.New() changed to panicking when the hash function isn't
linked in, but crypto/x509 still expects it to return nil.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6175047
2012-05-03 16:39:57 -04:00
Ian Lance Taylor
990f3af72b crypto/rand: use io.ReadFull in test
On Solaris versions before Solaris 11, the kernel will not
return more than 1040 on a single read from /dev/urandom.

R=golang-dev, agl, bradfitz, rsc, iant, dchest
CC=golang-dev
https://golang.org/cl/6113046
2012-04-24 21:36:42 -07:00
Adam Langley
e6e8b72377 crypto/tls: don't always use the default private key.
When SNI based certificate selection is enabled, we previously used
the default private key even if we selected a non-default certificate.

Fixes #3367.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5987058
2012-04-12 12:35:21 -04:00
Adam Langley
772e8ff458 crypto/rsa: fix Verify for multi-prime keys.
The least common multiple is not totient/gcd.

R=remyoudompheng
CC=golang-dev
https://golang.org/cl/5990045
2012-04-11 12:57:38 -04:00
Adam Langley
7247dcab92 crypto/tls: update how we create testing scripts.
crypto/tls is tested, in part, by replaying recorded TLS connections
and checking that the bytes sent by the Go code haven't changed.

Previously we used GnuTLS's debug output and extracted the bytes of
the TLS connection using a Python script. That wasn't great, and I
think GnuTLS removed that level of debugging in a more current
release.

This change records the connection with Go code and adds a test for
ECDHE-AES clients generated using this method.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5988048
2012-04-11 12:55:57 -04:00
Shenghou Ma
cf1f044251 crypto/aes: add benchmarks for decryption and key expansion
R=agl, rsc, fullung
CC=golang-dev
https://golang.org/cl/5972056
2012-04-06 04:19:35 +08:00
Adam Langley
22690e6621 crypto/rsa: only enforce that de ≡ 1 mod |(ℤ/nℤ)*| in order to load private keys generated by GnuTLS.
Previously we checked that de ≡ 1 mod φ(n). Since φ(n) is a multiple
of |(ℤ/nℤ)*|, this encompassed the new check, but it was too strict as
keys generated by GnuTLS would be rejected when gcd(p-1,q-1)≠1.

(Also updated the error strings in crypto/rsa to contain the package name, which some were missing.)

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/5867043
2012-04-04 12:53:59 -04:00
Adam Langley
1d8ec87135 crypto/tls: don't select ECC ciphersuites with no mutual curve.
The existing code that tried to prevent ECC ciphersuites from being
selected when there were no mutual curves still left |suite| set.
This lead to a panic on a nil pointer when there were no acceptable
ciphersuites at all.

Thanks to George Kadianakis for pointing it out.

R=golang-dev, r, bradfitz
CC=golang-dev
https://golang.org/cl/5857043
2012-03-23 10:48:51 -04:00
Adam Langley
aa1d4170a4 crypto/tls: always send a Certificate message if one was requested.
If a CertificateRequest is received we have to reply with a
Certificate message, even if we don't have a certificate to offer.

Fixes #3339.

R=golang-dev, r, ality
CC=golang-dev
https://golang.org/cl/5845067
2012-03-19 12:34:35 -04:00
Robert Hencke
663a7716a1 crypto/tls, fmt: print fixes
R=golang-dev, bradfitz, minux.ma, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/5787069
2012-03-12 12:04:45 +09:00
Alex Brainman
9fffe45c65 crypto/x509: do not forget to free cert context
R=golang-dev, krautz, rsc
CC=golang-dev
https://golang.org/cl/5783059
2012-03-10 09:35:56 +11:00
Robert Griesemer
56cae1c230 all: gofmt -w -s src misc
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5781058
2012-03-08 10:48:51 -08:00
Mikkel Krautz
3133b14b30 crypto/x509: allow server gated crypto in windows systemVerify
Also factors out some code into functions to make
systemVerify easier to read.

R=rsc, agl
CC=golang-dev
https://golang.org/cl/5781054
2012-03-08 11:28:04 -05:00
Mikkel Krautz
a324a5ac20 crypto/x509: new home for root fetchers; build chains using Windows API
This moves the various CA root fetchers from crypto/tls into crypto/x509.

The move was brought about by issue 2997. Windows doesn't ship with all
its root certificates, but will instead download them as-needed when using
CryptoAPI for certificate verification.

This CL changes crypto/x509 to verify a certificate using the system root
CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is
now implemented using Windows's CryptoAPI. All other root fetchers are
unchanged, and still use Go's own verification code.

The CL also fixes the hostname matching logic in crypto/tls/tls.go, in
order to be able to test whether hostname mismatches are honored by the
Windows verification code.

The move to crypto/x509 also allows other packages to use the OS-provided
root certificates, instead of hiding them inside the crypto/tls package.

Fixes #2997.

R=agl, golang-dev, alex.brainman, rsc, mikkel
CC=golang-dev
https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
Adam Langley
4f25e4be02 crypto/tls: make the package description more accurate and less aspirational.
Fixes #3216.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5755056
2012-03-06 12:49:29 -05:00
Adam Langley
ed35d5e0fb crypto/x509: enforce path length constraint.
An X.509 path length constrains the number of certificates that may
follow in the chain. This is a little simplistic for a first pass as it
doesn't check self-signed certificates (which don't count towards the
length), but it's conservatively simplistic.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/5727057
2012-03-05 12:08:42 -05:00
Adam Langley
52d6ca2f86 crypto/x509: don't include empty additional primes in PKCS#1 private key.
asn1 didn't have an omitempty tag, so the list of additional primes in
an RSA private key was serialised as an empty SEQUENCE, even for
version 1 structures. This tripped up external code that didn't handle
v2.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/5729062
2012-03-05 12:04:18 -05:00
Robert Griesemer
de7361bf98 all: more typos
R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/5720044
2012-03-02 11:15:45 -08:00
Robert Griesemer
7c6654aa70 all: fixed various typos
(Semi-automatically detected.)

R=golang-dev, remyoudompheng, r
CC=golang-dev
https://golang.org/cl/5715052
2012-03-01 14:56:05 -08:00
Mikkel Krautz
fb1a5fcacf crypto/tls: force OS X target version to 10.6 for API compatibility
This is a band-aid until we can use weak imports with cgo.

Fixes #3131.

R=minux.ma, rsc
CC=golang-dev
https://golang.org/cl/5700083
2012-02-28 11:34:48 -05:00
Mikkel Krautz
e4db4e9b58 crypto/x509: fix typo in Verify documentation
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5695070
2012-02-27 11:49:06 +11:00
Robert Griesemer
8b7cdb7f25 go/printer, gofmt: improved comma placement
Not a Go 1 issue, but appeared to be fairly easy to fix.

- Note that a few existing test cases look slightly worse but
  those cases were not representative for real code. All real
  code looks better now.

- Manual move of the comment in go/scanner/example_test.go
  before applying gofmt.

- gofmt -w $GOROOT/src $GOROOT/misc

Fixes #3062.

R=rsc
CC=golang-dev
https://golang.org/cl/5674093
2012-02-22 11:27:45 -08:00
Andrew Gerrand
3e804f98d7 pkg: a slew of examples
R=golang-dev, gri, r
CC=golang-dev
https://golang.org/cl/5676071
2012-02-18 11:48:33 +11:00