1
0
mirror of https://github.com/golang/go synced 2024-11-14 09:10:27 -07:00
Commit Graph

272 Commits

Author SHA1 Message Date
Ben Burkert
c6185aa632 crypto/tls: add CloseWrite method to Conn
The CloseWrite method sends a close_notify alert record to the other
side of the connection. This record indicates that the sender has
finished sending on the connection. Unlike the Close method, the sender
may still read from the connection until it recieves a close_notify
record (or the underlying connection is closed). This is analogous to a
TCP half-close.

Updates #8579

Change-Id: I9c6bc193efcb25cc187f7735ee07170afa7fdde3
Reviewed-on: https://go-review.googlesource.com/25159
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-17 14:26:55 +00:00
Yasuhiro Matsumoto
05471e9ee6 crypto/x509: implement SystemCertPool on Windows
Fixes #16736

Change-Id: I335d201e3f6738d838de3881087cb640fc7670e8
Reviewed-on: https://go-review.googlesource.com/30578
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-17 08:29:16 +00:00
Michael Munday
61f1a38bcb crypto/{aes,cipher}: fix panic in CBC on s390x when src length is 0
Adds a test to check that block cipher modes accept a zero-length
input.

Fixes #17435.

Change-Id: Ie093c4cdff756b5c2dcb79342e167b3de5622389
Reviewed-on: https://go-review.googlesource.com/31070
Run-TryBot: Michael Munday <munday@ca.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-13 21:42:23 +00:00
Adam Langley
9e98e7e668 crypto/tls: enable X25519 by default.
Since this changes the offered curves in the ClientHello, all the test
data needs to be updated too.

Change-Id: I227934711104349c0f0eab11d854e5a2adcbc363
Reviewed-on: https://go-review.googlesource.com/30825
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:07:31 +00:00
Adam Langley
8a11cb318f crypto/tls: support X25519.
X25519 (RFC 7748) is now commonly used for key agreement in TLS
connections, as specified in
https://tools.ietf.org/html/draft-ietf-tls-curve25519-01.

This change adds support for that in crypto/tls, but does not enabled it
by default so that there's less test noise. A future change will enable
it by default and will update all the test data at the same time.

Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4
Reviewed-on: https://go-review.googlesource.com/30824
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:04:28 +00:00
Adam Langley
8c74139cad crypto/tls: fix printing of OpenSSL output when updating a test fails.
When updating the test data against OpenSSL, the handshake can fail and
the stdout/stderr output of OpenSSL is very useful in finding out why.

However, printing that output has been broken for some time because its
no longer sent to a byte.Buffer. This change fixes that.

Change-Id: I6f846c7dc80f1ccee9fa1be36f0b579b3754e05f
Reviewed-on: https://go-review.googlesource.com/30823
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:04:02 +00:00
Adam Langley
9d88292c83 crypto/tls: switch to OpenSSL 1.1.0 for test data.
We will need OpenSSL 1.1.0 in order to test some of the features
expected for Go 1.8. However, 1.1.0 also disables (by default) some
things that we still want to test, such as RC4, 3DES and SSLv3. Thus
developers wanting to update the crypto/tls test data will need to build
OpenSSL from source.

This change updates the test data with transcripts generated by 1.1.0
(in order to reduce future diffs) and also causes a banner to be printed
if 1.1.0 is not used when updating.

(The test for an ALPN mismatch is removed because OpenSSL now terminates
the connection with a fatal alert if no known ALPN protocols are
offered. There's no point testing against this because it's an OpenSSL
behaviour.)

Change-Id: I957516975e0b8c7def84184f65c81d0b68f1c551
Reviewed-on: https://go-review.googlesource.com/30821
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-12 17:03:46 +00:00
Adam Langley
809a1de1ac crypto/x509: parse all names in an RDN.
The Subject and Issuer names in a certificate look like they should be a
list of key-value pairs. However, they're actually a list of lists of
key-value pairs. Previously we only looked at the first element of each
sublist and the vast majority of certificates only have one element per
sublist.

However, it's possible to have multiple elements and some 360
certificates from the “Pilot” log are so constructed.

This change causes all elements of the sublists to be processed.

Fixes #16836.

Change-Id: Ie0a5159135b08226ec517fcf251aa17aada37857
Reviewed-on: https://go-review.googlesource.com/30810
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-11 17:35:55 +00:00
Emmanuel Odeke
0ff40a76ad crypto/x509: check that the issuer name matches the issuer's subject name.
Fixes #14955.

Change-Id: I157432584bb51088bec565f6bb9e64348345cff9
Reviewed-on: https://go-review.googlesource.com/23571
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2016-10-09 20:05:42 +00:00
Quentin Smith
ce645534e4 crypto/x509: support RHEL 7 cert bundle
RHEL 7 introduces a new tool, update-ca-trust(8), which places the
certificate bundle in a new location. Add this path to the list of
locations that are searched for the certificate bundle.

Fixes #15749

Change-Id: Idc97f885ee48ef085f1eb4dacbd1c2cf55f94ff5
Reviewed-on: https://go-review.googlesource.com/30375
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-05 22:12:09 +00:00
Michael Munday
fb4f4f4e96 crypto/{aes,cipher}: add optimized implementation of AES-GCM for s390x
Also adds two tests: one to exercise the counter incrementing code
and one which checks the output of the optimized implementation
against that of the generic implementation for large/unaligned data
sizes.

Uses the KIMD instruction for GHASH and the KMCTR instruction for AES
in counter mode.

AESGCMSeal1K  75.0MB/s ± 2%  1008.7MB/s ± 1%  +1245.71%  (p=0.000 n=10+10)
AESGCMOpen1K  75.3MB/s ± 1%  1006.0MB/s ± 1%  +1235.59%   (p=0.000 n=10+9)
AESGCMSeal8K  78.5MB/s ± 1%  1748.4MB/s ± 1%  +2127.34%   (p=0.000 n=9+10)
AESGCMOpen8K  78.5MB/s ± 0%  1752.7MB/s ± 0%  +2134.07%   (p=0.000 n=10+9)

Change-Id: I88dbcfcb5988104bfd290ae15a60a2721c1338be
Reviewed-on: https://go-review.googlesource.com/30361
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-05 15:37:53 +00:00
Filippo Valsorda
f28cf8346c crypto/tls: implement countermeasures against CBC padding oracles
The aim is to make the decrypt() timing profile constant, irrespective of
the CBC padding length or correctness.  The old algorithm, on valid padding,
would only MAC bytes up to the padding length threshold, making CBC
ciphersuites vulnerable to plaintext recovery attacks as presented in the
"Lucky Thirteen" paper.

The new algorithm Write()s to the MAC all supposed payload, performs a
constant time Sum()---which required implementing a constant time Sum() in
crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest
of the data. This is performed whether the padding is good or not.

This should have no explicit secret-dependent timings, but it does NOT
attempt to normalize memory accesses to prevent cache timing leaks.

Updates #13385

Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7
Reviewed-on: https://go-review.googlesource.com/18130
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-10-04 13:21:02 +00:00
Adam Langley
998419575f crypto/ecdsa: correct code comment.
The code comment mixed up max and min. In this case, min is correct
because this entropy is only used to make the signature scheme
probabilistic. (I.e. if it were fixed then the scheme would still be
secure except that key.Sign(foo) would always give the same result for a
fixed key and foo.)

For this purpose, 256-bits is plenty.

Fixes #16819.

Change-Id: I309bb312b775cf0c4b7463c980ba4b19ad412c36
Reviewed-on: https://go-review.googlesource.com/30153
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-02 19:38:37 +00:00
Adam Langley
49aa1d791b crypto/x509: return better error when a certificate contains no names.
Currently, if a certificate contains no names (that we parsed),
verification will return the confusing error:
    x509: certificate is valid for , not example.com.

This change improves the error for that situation.

Fixes #16834.

Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55
Reviewed-on: https://go-review.googlesource.com/30152
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-10-02 19:38:24 +00:00
Adam Langley
e4dafa3262 crypto/x509: fix name constraints handling.
This change brings the behaviour of X.509 name constraints into line
with NSS[1]. In this area, the behavior specified by the RFC and by NIST
differs and this code follows the NIST behaviour.

[1] https://github.com/servo/nss/blob/master/lib/certdb/genname.c

Fixes #16347, fixes #14833.

Change-Id: I5acd1970041291c2e3936f5b1fd36f2a0338e613
Reviewed-on: https://go-review.googlesource.com/30155
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-02 18:48:04 +00:00
Adam Langley
2878cf14f3 crypto/tls: simplify keylog tests.
Since there's no aspect of key logging that OpenSSL can check for us,
the tests for it might as well just connect to another goroutine as this
is lower-maintainance.

Change-Id: I746d1dbad1b4bbfc8ef6ccf136ee4824dbda021e
Reviewed-on: https://go-review.googlesource.com/30089
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Joonas Kuorilehto <joneskoo@derbian.fi>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-10-01 15:50:11 +00:00
David Benjamin
ab6ba99484 crypto/tls: Fix c.in.decrypt error handling.
readRecord was not returning early if c.in.decrypt failed and ran
through the rest of the function. It does set c.in.err, so the various
checks in the callers do ultimately notice before acting on the result,
but we should avoid running the rest of the function at all.

Also rename 'err' to 'alertValue' since it isn't actually an error.

Change-Id: I6660924716a85af704bd3fe81521b34766238695
Reviewed-on: https://go-review.googlesource.com/24709
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2016-09-30 18:44:37 +00:00
Adam Langley
254169d7bb crypto/tls: fix deadlock when racing to complete handshake.
After renegotiation support was added (af125a5193) it's possible for a
Write to block on a Read when racing to complete the handshake:
   1. The Write determines that a handshake is needed and tries to
      take the neccesary locks in the correct order.
   2. The Read also determines that a handshake is needed and wins
      the race to take the locks.
   3. The Read goroutine completes the handshake and wins a race
      to unlock and relock c.in, which it'll hold when waiting for
      more network data.

If the application-level protocol requires the Write to complete before
data can be read then the system as a whole will deadlock.

Unfortunately it doesn't appear possible to reverse the locking order of
c.in and handshakeMutex because we might read a renegotiation request at
any point and need to be able to do a handshake without unlocking.

So this change adds a sync.Cond that indicates that a goroutine has
committed to doing a handshake. Other interested goroutines can wait on
that Cond when needed.

The test for this isn't great. I was able to reproduce the deadlock with
it only when building with -race. (Because -race happened to alter the
timing just enough.)

Fixes #17101.

Change-Id: I4e8757f7b82a84e46c9963a977d089f0fb675495
Reviewed-on: https://go-review.googlesource.com/29164
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2016-09-22 18:36:58 +00:00
Nigel Tao
a7dc821d64 crypto/rsa: clarify comment on maximum message length.
See https://groups.google.com/d/topic/golang-nuts/stbum5gZbAc/discussion

Change-Id: I2e78e8d0dadd78c8b0389514cad3c45d061b663b
Reviewed-on: https://go-review.googlesource.com/29496
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-09-22 03:06:25 +00:00
Emmanuel Odeke
31ba855014 crypto/md5, crypto/sha1, crypto/sha256: add examples for checksumming a file
Updates #16360.

Change-Id: I75714d2b5f095fe39fd81edfa6dd9e44d7c44da1
Reviewed-on: https://go-review.googlesource.com/29375
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-09-19 17:29:19 +00:00
Adam Langley
ee3f3a6007 crypto/rsa: ensure that generating toy RSA keys doesn't loop.
If there are too few primes of the given length then it can be
impossible to generate an RSA key with n distinct primes.

This change approximates the expected number of candidate primes and
causes key generation to return an error if it's unlikely to succeed.

Fixes #16596.

Change-Id: I53b60d0cb90e2d0e6f0662befa64d13f24af51a7
Reviewed-on: https://go-review.googlesource.com/28969
Reviewed-by: Minux Ma <minux@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Minux Ma <minux@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-09-13 20:22:42 +00:00
Michal Bohuslávek
4ba2a4913c crypto/rsa: remove unused variable y
Change-Id: I70beb844cd6928dbfbfd8de365e0cb708e54f71e
Reviewed-on: https://go-review.googlesource.com/28496
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2016-09-11 23:38:44 +00:00
Filippo Valsorda
5a59b66f23 crypto/tls: flush the buffer on handshake errors
Since 2a8c81ff handshake messages are not written directly to wire but
buffered.  If an error happens at the wrong time the alert will be
written to the buffer but never flushed, causing an EOF on the client
instead of a more descriptive alert.

Thanks to Brendan McMillion for reporting this.

Fixes #17037

Change-Id: Ie093648aa3f754f4bc61c2e98c79962005dd6aa2
Reviewed-on: https://go-review.googlesource.com/28818
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-09-11 23:29:03 +00:00
Joonas Kuorilehto
f30598dd71 crypto/tls: Add mutex to protect KeyLogWriter
Concurrent use of tls.Config is allowed, and may lead to
KeyLogWriter being written to concurrently. Without a mutex
to protect it, corrupted output may occur. A mutex is added
for correctness.

The mutex is made global to save size of the config struct as
KeyLogWriter is rarely enabled.

Related to #13057.

Change-Id: I5ee55b6d8b43a191ec21f06e2aaae5002a71daef
Reviewed-on: https://go-review.googlesource.com/29016
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-09-10 21:31:48 +00:00
Adam Langley
210ac4d5e0 crypto/cipher: enforce message size limits for GCM.
The maximum input plaintext for GCM is 64GiB - 64. Since the GCM
interface is one-shot, it's very hard to hit this in Go (one would need
a 64GiB buffer in memory), but we should still enforce this limit.

Thanks to Quan Nguyen for pointing it out.

Change-Id: Icced47bf8d4d5dfbefa165cf13e893205c9577b8
Reviewed-on: https://go-review.googlesource.com/28410
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-09-02 16:23:15 +00:00
Brad Fitzpatrick
d24f446a90 crypto/tls: add Config.Clone
In Go 1.0, the Config struct consisted only of exported fields.

In Go 1.1, it started to grow private, uncopyable fields (sync.Once,
sync.Mutex, etc).

Ever since, people have been writing their own private Config.Clone
methods, or risking it and doing a language-level shallow copy and
copying the unexported sync variables.

Clean this up and export the Config.clone method as Config.Clone.
This matches the convention of Template.Clone from text/template and
html/template at least.

Fixes #15771
Updates #16228 (needs update in x/net/http2 before fixed)
Updates #16492 (not sure whether @agl wants to do more)

Change-Id: I48c2825d4fef55a75d2f99640a7079c56fce39ca
Reviewed-on: https://go-review.googlesource.com/28075
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-09-01 04:26:12 +00:00
Kevin Burke
448d3952af crypto/sha256: add examples for New, Sum256
The goal for these examples is to show how to mirror the
functionality of the sha256sum Unix utility, a common checksumming
tool, using the Go standard library.

Add a newline at the end of the input, so users will get the same
output if they type `echo 'hello world' | sha256sum`, since the
builtin shell echo appends a newline by default. Also use hex output
(instead of the shorter base64) since this is the default output
encoding for shasum/sha256sum.

Change-Id: I0036874b3cc5ba85432bfcb86f81b51c4e0238fd
Reviewed-on: https://go-review.googlesource.com/24868
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-31 05:13:48 +00:00
Bryan Alexander
8e6948fe88 crypto/x509: Fix bug in UnknownAuthorityError.Error
Fix bug in UnknownAuthorityError.Error that would never allow Org
Name to be inserted into error message if the Common Name was empty.
Create tests for all three paths in UnknownAuthorityError.Error

Change-Id: Id8afc444e897ef549df682d93a8563fd9de22a2b
Reviewed-on: https://go-review.googlesource.com/27992
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-31 00:09:58 +00:00
Keith Randall
842b05832f all: use testing.GoToolPath instead of "go"
This change makes sure that tests are run with the correct
version of the go tool.  The correct version is the one that
we invoked with "go test", not the one that is first in our path.

Fixes #16577

Change-Id: If22c8f8c3ec9e7c35d094362873819f2fbb8559b
Reviewed-on: https://go-review.googlesource.com/28089
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-30 22:49:11 +00:00
Brad Fitzpatrick
298791a94a all: use time.Until where applicable
Updates #14595

Change-Id: Idf60b3004c7a0ebb59dd48389ab62c854069e09f
Reviewed-on: https://go-review.googlesource.com/28073
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-30 01:23:46 +00:00
Ethan Miller
4955147291 math/big: add assembly implementation of arith for ppc64{le}
The existing implementation used a pure go implementation, leading to slow
cryptographic performance.

Implemented mulWW, subVV, mulAddVWW, addMulVVW, and bitLen for
ppc64{le}.
Implemented divWW for ppc64le only, as the DIVDEU instruction is only
available on Power8 or newer.

benchcmp output:

benchmark                         old ns/op     new ns/op     delta
BenchmarkSignP384                 28934360      10877330      -62.41%
BenchmarkRSA2048Decrypt           41261033      5139930       -87.54%
BenchmarkRSA2048Sign              45231300      7610985       -83.17%
Benchmark3PrimeRSA2048Decrypt     20487300      2481408       -87.89%

Fixes #16621

Change-Id: If8b68963bb49909bde832f2bda08a3791c4f5b7a
Reviewed-on: https://go-review.googlesource.com/26951
Run-TryBot: Michael Munday <munday@ca.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Michael Munday <munday@ca.ibm.com>
2016-08-29 21:03:21 +00:00
Joonas Kuorilehto
320bd562cb crypto/tls: add KeyLogWriter for debugging
Add support for writing TLS client random and master secret
in NSS key log format.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format

Normally this is enabled by a developer debugging TLS based
applications, especially HTTP/2, by setting the KeyLogWriter
to an open file. The keys negotiated in handshake are then
logged and can be used to decrypt TLS sessions e.g. in Wireshark.

Applications may choose to add support similar to NSS where this
is enabled by environment variable, but no such mechanism is
built in to Go. Instead each application must explicitly enable.

Fixes #13057.

Change-Id: If6edd2d58999903e8390b1674ba4257ecc747ae1
Reviewed-on: https://go-review.googlesource.com/27434
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-27 17:20:55 +00:00
Josh Bleecher Snyder
71ab9fa312 all: fix assembly vet issues
Add missing function prototypes.
Fix function prototypes.
Use FP references instead of SP references.
Fix variable names.
Update comments.
Clean up whitespace. (Not for vet.)

All fairly minor fixes to make vet happy.

Updates #11041

Change-Id: Ifab2cdf235ff61cdc226ab1d84b8467b5ac9446c
Reviewed-on: https://go-review.googlesource.com/27713
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-25 18:52:31 +00:00
Josh Bleecher Snyder
e2103adb6c crypto/*, runtime: nacl asm fixes
Found by vet.

Updates #11041

Change-Id: I5217b3e20c6af435d7500d6bb487b9895efe6605
Reviewed-on: https://go-review.googlesource.com/27493
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2016-08-22 19:50:41 +00:00
Adam Langley
8ad70a5493 crypto/x509: allow a leaf certificate to be specified directly as root.
In other systems, putting a leaf certificate in the root store works to
express that exactly that certificate is acceptable. This change makes
that work in Go too.

Fixes #16763.

Change-Id: I5c0a8dbc47aa631b23dd49061fb217ed8b0c719c
Reviewed-on: https://go-review.googlesource.com/27393
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-19 16:56:23 +00:00
Adam Langley
bcd54f6ca5 crypto/x509: recognise ISO OID for RSA+SHA1
For some reason, ISO decided to duplicate the OID for RSA+SHA1. Most
pertinantly, the makecert.exe utility on Windows is known to have used
this OID.

This change makes the ISO OID an alias for the normal one.

Change-Id: I60b76265bf1721282bdb0d5c99c98d227c18a878
Reviewed-on: https://go-review.googlesource.com/27394
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-19 16:29:58 +00:00
Adam Langley
4e79c152b1 crypto/tls: don't generate random ticket keys if already set.
If SetSessionTicketKeys was called on a fresh tls.Config, the configured
keys would be overridden with a random key by serverInit.

Fixes #15421.

Change-Id: I5d6cc81fc3e5de4dfa15eb614d102fb886150d1b
Reviewed-on: https://go-review.googlesource.com/27317
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-18 22:48:53 +00:00
Adam Langley
da2a938910 crypto/tls: fix comment typo.
This was pointed out in https://go-review.googlesource.com/#/c/27315/1
but I changed and uploaded the wrong branch. This actually makes the
fix.

Change-Id: Ib615b06c9141b914648b6abbeeb688c5ffa0d2e3
Reviewed-on: https://go-review.googlesource.com/27360
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-18 21:52:31 +00:00
Adam Langley
8741504888 crypto/tls: support AES-128-CBC cipher suites with SHA-256.
These were new with TLS 1.2 and, reportedly, some servers require it.
Since it's easy, this change adds suport for three flavours of
AES-128-CBC with SHA-256 MACs.

Other testdata/ files have to be updated because this changes the list
of cipher suites offered by default by the client.

Fixes #15487.

Change-Id: I1b14330c31eeda20185409a37072343552c3464f
Reviewed-on: https://go-review.googlesource.com/27315
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-18 21:46:46 +00:00
Adam Langley
e41b0e2bcb crypto/x509: support PSS signatures.
Although the term “RSA” is almost synonymous with PKCS#1 v1.5, that
standard is quite flawed, cryptographically speaking. Bellare and
Rogaway fixed PKCS#1 v1.5 with OAEP (for encryption) and PSS (for
signatures) but they only see a fraction of the use of v1.5.

This change adds support for creating and verifying X.509 certificates
that use PSS signatures. Sadly, every possible dimension of flexibility
seems to have been reflected in the integration of X.509 and PSS
resulting in a huge amount of excess complexity. This change only
supports one “sane” configuration for each of SHA-{256, 384, 512}.
Hopefully this is sufficient because it saves a lot of complexity in the
code.

Although X.509 certificates with PSS signatures are rare, I'm inclined
to look favourably on them because they are sufficiently superior.

Fixes #15958.

Change-Id: I7282e0b68ad0177209f8b2add473b94aa5224c07
Reviewed-on: https://go-review.googlesource.com/24743
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-18 00:40:17 +00:00
Adam Langley
59aeac20c0 crypto/x509: require a NULL parameters for RSA public keys.
The RFC is clear that the Parameters in an AlgorithmIdentifer for an RSA
public key must be NULL. BoringSSL enforces this so we have strong
evidence that this is a widely compatible change.

Embarrassingly enough, the major source of violations of this is us. Go
used to get this correct in only one of two places. This was only fixed
in 2013 (with 4874bc9b). That's why lots of test certificates are
updated in this change.

Fixes #16166.

Change-Id: Ib9a4551349354c66e730d44eb8cee4ec402ea8ab
Reviewed-on: https://go-review.googlesource.com/27312
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-17 23:47:18 +00:00
Adam Langley
69371671c7 crypto/hmac: don't test for length equality in Equal.
subtle.ConstantTimeCompare now tests the length of the inputs (although
it didn't when this code was written) so this test in crypto/hmac is now
superfluous.

Fixes #16336.

Change-Id: Ic02d8537e776fa1dd5694d3af07a28c4d840d14b
Reviewed-on: https://go-review.googlesource.com/27239
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-17 23:23:28 +00:00
Adam Langley
b23b9a762c crypto/x509: return error for missing SerialNumber.
If the SerialNumber is nil in the template then the resulting panic is
rather deep in encoding/asn1 and it's not obvious what went wrong.

This change tests and returns a more helpful error in this case.

Fixes #16603.

Change-Id: Ib30d652555191eb78f705dff8d909e4b5808f9ca
Reviewed-on: https://go-review.googlesource.com/27238
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-17 23:23:18 +00:00
Atin M
ebcd179793 crypto/tls: set Conn.ConnectionState.ServerName unconditionally
Moves the state.ServerName assignment to outside the if
statement that checks for handshakeComplete.

Fixes #15571

Change-Id: I6c4131ddb16389aed1c410a975f9aa3b52816965
Reviewed-on: https://go-review.googlesource.com/22862
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2016-08-17 20:21:08 +00:00
Josh Bleecher Snyder
302dd7b71e crypto/cipher, math/big: fix example names
Fixes (legit) vet warnings.
Fix some verb tenses while we're here.

Updates #11041

Change-Id: I27e995f55b38f4cf584e97a67b8545e8247e83d6
Reviewed-on: https://go-review.googlesource.com/27122
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
Reviewed-by: David Crawshaw <crawshaw@golang.org>
2016-08-16 14:36:32 +00:00
Josh Bleecher Snyder
6d2db0986f crypto/tls: fix WriteTo method signature
Give *recordingConn the correct WriteTo signature
to be an io.WriterTo. This makes vet happy.
It also means that it'll report errors,
which were previously being ignored.

Updates #11041

Change-Id: I13f171407d63f4b62427679bff362eb74faddca5
Reviewed-on: https://go-review.googlesource.com/27121
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-08-16 14:36:19 +00:00
Mikio Hara
2cb471e40d crypto/tls: gofmt -w -s
Change-Id: Iedf9000e3bb1fa73b4c3669eae846e85f1f5fdfe
Reviewed-on: https://go-review.googlesource.com/24489
Run-TryBot: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-16 02:30:53 +00:00
Ilya Tocar
4e24e1d999 cmd/internal/obj/x86: VPSHUFD takes an unsigned byte.
VPSHUFD should take an unsigned argument to be consistent with
PSHUFD. Also fix all usage.

Fixes #16499

Change-Id: Ie699c102afed0379445914a251710365b14d89b6
Reviewed-on: https://go-review.googlesource.com/25383
Run-TryBot: Ilya Tocar <ilya.tocar@intel.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-08-16 00:21:50 +00:00
Brad Fitzpatrick
4a15508c66 crypto/x509: detect OS X version for FetchPEMRoots at run time
https://golang.org/cl/25233 was detecting the OS X release at compile
time, not run time. Detect it at run time instead.

Fixes #16473 (again)

Change-Id: I6bec4996e57aa50c52599c165aa6f1fae7423fa7
Reviewed-on: https://go-review.googlesource.com/25281
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2016-07-26 23:16:15 +00:00
Brad Fitzpatrick
ff60da6962 crypto/x509: use Go 1.6 implementation for FetchPEMRoots for OS X 10.8
Conservative fix for the OS X 10.8 crash. We can unify them back together
during the Go 1.8 dev cycle.

Fixes #16473

Change-Id: If07228deb2be36093dd324b3b3bcb31c23a95035
Reviewed-on: https://go-review.googlesource.com/25233
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-07-26 21:18:26 +00:00