1
0
mirror of https://github.com/golang/go synced 2024-11-13 20:20:30 -07:00
Commit Graph

272 Commits

Author SHA1 Message Date
David Benjamin
b88147c303 crypto/tls: Update references to draft-ietf-tls-downgrade-scsv-00.
It's RFC 7507 now.

Change-Id: Iccd6c65f9d4b1f4d17ee068dee4576a512ba8405
Reviewed-on: https://go-review.googlesource.com/21154
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-03-25 22:10:37 +00:00
Dominik Honnef
fdba5a7544 all: delete dead non-test code
This change removes a lot of dead code. Some of the code has never been
used, not even when it was first commited. The rest shouldn't have
survived refactors.

This change doesn't remove unused routines helpful for debugging, nor
does it remove code that's used in commented out blocks of code that are
only unused temporarily. Furthermore, unused constants weren't removed
when they were part of a set of constants from specifications.

One noteworthy omission from this CL are about 1000 lines of unused code
in cmd/fix, 700 lines of which are the typechecker, which hasn't been
used ever since the pre-Go 1 fixes have been removed. I wasn't sure if
this code should stick around for future uses of cmd/fix or be culled as
well.

Change-Id: Ib714bc7e487edc11ad23ba1c3222d1fd02e4a549
Reviewed-on: https://go-review.googlesource.com/20926
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-25 06:28:13 +00:00
Dmitry Chestnykh
6a6a073416 crypto/hmac: simplify implementation
Store already padded keys instead of storing key and padding it during
Reset and Sum. This simplifies code and makes Reset-Write-Sum sequences
faster, which helps /x/crypto/pbkdf2.

HMAC benchmark:

benchmark                    old ns/op     new ns/op     delta
BenchmarkHMACSHA256_1K-4     7669          7613          -0.73%
BenchmarkHMACSHA256_32-4     1880          1737          -7.61%

benchmark                    old MB/s     new MB/s     speedup
BenchmarkHMACSHA256_1K-4     133.52       134.50       1.01x
BenchmarkHMACSHA256_32-4     17.02        18.41        1.08x

PBKDF2 benchmark:

benchmark                       old ns/op     new ns/op     delta
BenchmarkPBKDF2HMACSHA256-4     1943196       1807699       -6.97%

Change-Id: I6697028370c226715ab477b0844951a83eb3488c
Reviewed-on: https://go-review.googlesource.com/21024
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-25 06:24:00 +00:00
Dominik Honnef
b2cf571040 all: delete dead test code
This deletes unused code and helpers from tests.

Change-Id: Ie31d46115f558ceb8da6efbf90c3c204e03b0d7e
Reviewed-on: https://go-review.googlesource.com/20927
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-21 07:10:08 +00:00
Emmanuel Odeke
f0711b9192 crypto/tls: minor refactors for readability
Change-Id: I93e73f16474b4b31f7097af2f9479822dfc34c5c
Reviewed-on: https://go-review.googlesource.com/20678
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-14 21:17:37 +00:00
Tom Bergan
ae00df128d crypto/tls: implement dynamic record sizing
Currently, if a client of crypto/tls (e.g., net/http, http2) calls
tls.Conn.Write with a 33KB buffer, that ends up writing three TLS
records: 16KB, 16KB, and 1KB. Slow clients (such as 2G phones) must
download the first 16KB record before they can decrypt the first byte.
To improve latency, it's better to send smaller TLS records. However,
sending smaller records adds overhead (more overhead bytes and more
crypto calls), which slightly hurts throughput.

A simple heuristic, implemented in this change, is to send small
records for new connections, then boost to large records after the
first 1MB has been written on the connection.

Fixes #14376

Change-Id: Ice0f6279325be6775aa55351809f88e07dd700cd
Reviewed-on: https://go-review.googlesource.com/19591
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Tom Bergan <tombergan@google.com>
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-12 00:47:13 +00:00
Adam Langley
055dcb7566 crypto/tls: document that the cipher suite list is non-exhaustive.
Fixes #14370.

Change-Id: Ieb95ee3494f592fb5fc74aa4b803479671816927
Reviewed-on: https://go-review.googlesource.com/20551
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-03-12 00:20:51 +00:00
Adam Langley
ec158cebd9 crypto/x509: correct OID for DSA-with-SHA-256.
I copied this down incorrectly. See
https://tools.ietf.org/html/rfc5758#section-3.1.

Thankfully it's incredibly obscure.

Fixes #14663.

Change-Id: I4792ee979916cc15aa2e300c8bc989bc4f9c63ac
Reviewed-on: https://go-review.googlesource.com/20549
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2016-03-12 00:13:26 +00:00
Adam Langley
88849736b2 crypto/tls: better error for oversized handshake messages.
This change improves the error message when encountering a TLS handshake
message that is larger than our limit (64KB). Previously the error was
just “local error: internal error”.

Updates #13401.

Change-Id: I86127112045ae33e51079e3bc047dd7386ddc71a
Reviewed-on: https://go-review.googlesource.com/20547
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-12 00:13:02 +00:00
Adam Langley
09d40378b9 crypto/x509/pkix: make 'v1' the default CRL version.
PKIX versions are off-by-one, so v1 is actually a zero on the wire, v2
is a one, and so on.

The RFC says that the version in a CRL is optional, but doesn't say what
the default is. Since v2 is the only accepted version, I had made the
default v2. However, OpenSSL considers the default to be v1. Also, if
the default is v2 and the element is optional then we'll never actually
write v2 on the wire. That's contrary to the RFC which clearly assumes
that v2 will be expressed on the wire in some cases.

Therefore, this change aligns with OpenSSL and assumes that v1 is the
default CRL version.

Fixes #13931

[1] https://tools.ietf.org/html/rfc5280#section-5.1

Change-Id: Ic0f638ebdd21981d92a99a882affebf3a77ab71a
Reviewed-on: https://go-review.googlesource.com/20544
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-03-10 23:48:16 +00:00
Adam Langley
1b8d4caddb crypto/x509: correct default X.509 version.
The default version of an X.509 certificate is v1, which is encoded on
the wire as a zero.

Fixes #13382.

Change-Id: I5fd725c3fc8b08fd978ab694a3e2d6d2a495918b
Reviewed-on: https://go-review.googlesource.com/20548
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-03-10 23:42:23 +00:00
Brad Fitzpatrick
bf44c4c889 crypto/tls: test for timeout error using the net.Error interface
Don't do a substring search to test for a timeout error.

Fixes #14722 (maybe)

Change-Id: I4e18c749d6fd92c084a1b0b83a805119e1ae5ff2
Reviewed-on: https://go-review.googlesource.com/20403
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-08 22:40:49 +00:00
Lynn Boger
8b51ee8315 crypto/cipher: xorBytes performance ppc64le/ppc64
Update supportsUnaligned in xor.go to be true for
GOARCH values ppc64le and ppc64.  This allows the
xor of long buffers to be done on double words
(8 bytes) instead of a single byte at a time, which
significantly improves performance.

Fixes #14350

Change-Id: Iccc6b9d3df2e604a55f4c1e4890bdd3bb0d77ab0
Reviewed-on: https://go-review.googlesource.com/19519
Reviewed-by: Minux Ma <minux@golang.org>
2016-03-05 01:51:33 +00:00
Tamir Duberstein
37c28759ca crypto/tls: check errors from (*Conn).writeRecord
This promotes a connection hang during TLS handshake to a proper error.
This doesn't fully address #14539 because the error reported in that
case is a write-on-socket-not-connected error, which implies that an
earlier error during connection setup is not being checked, but it is
an improvement over the current behaviour.

Updates #14539.

Change-Id: I0571a752d32d5303db48149ab448226868b19495
Reviewed-on: https://go-review.googlesource.com/19990
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-02 18:20:46 +00:00
Brad Fitzpatrick
5fea2ccc77 all: single space after period.
The tree's pretty inconsistent about single space vs double space
after a period in documentation. Make it consistently a single space,
per earlier decisions. This means contributors won't be confused by
misleading precedence.

This CL doesn't use go/doc to parse. It only addresses // comments.
It was generated with:

$ perl -i -npe 's,^(\s*// .+[a-z]\.)  +([A-Z]),$1 $2,' $(git grep -l -E '^\s*//(.+\.)  +([A-Z])')
$ go test go/doc -update

Change-Id: Iccdb99c37c797ef1f804a94b22ba5ee4b500c4f7
Reviewed-on: https://go-review.googlesource.com/20022
Reviewed-by: Rob Pike <r@golang.org>
Reviewed-by: Dave Day <djd@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-02 00:13:47 +00:00
Brad Fitzpatrick
519474451a all: make copyright headers consistent with one space after period
This is a subset of https://golang.org/cl/20022 with only the copyright
header lines, so the next CL will be smaller and more reviewable.

Go policy has been single space after periods in comments for some time.

The copyright header template at:

    https://golang.org/doc/contribute.html#copyright

also uses a single space.

Make them all consistent.

Change-Id: Icc26c6b8495c3820da6b171ca96a74701b4a01b0
Reviewed-on: https://go-review.googlesource.com/20111
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-03-01 23:34:33 +00:00
Keith Randall
9d854fd44a Merge branch 'dev.ssa' into mergebranch
Merge dev.ssa branch back into master.

Change-Id: Ie6fac3f8d355ab164f934415fe4fc7fcb8c3db16
2016-03-01 12:50:17 -08:00
Keith Randall
4fffd4569d [dev.ssa] Merge remote-tracking branch 'origin/master' into ssamerge
(Last?) Semi-regular merge from tip to dev.ssa.

Conflicts:
	src/cmd/compile/internal/gc/closure.go
	src/cmd/compile/internal/gc/gsubr.go
	src/cmd/compile/internal/gc/lex.go
	src/cmd/compile/internal/gc/pgen.go
	src/cmd/compile/internal/gc/syntax.go
	src/cmd/compile/internal/gc/walk.go
	src/cmd/internal/obj/pass.go

Change-Id: Ib5ea8bf74d420f4902a9c6208761be9f22371ae7
2016-02-29 13:32:20 -08:00
Brad Fitzpatrick
351c15f1ce all: remove public named return values when useless
Named returned values should only be used on public funcs and methods
when it contributes to the documentation.

Named return values should not be used if they're only saving the
programmer a few lines of code inside the body of the function,
especially if that means there's stutter in the documentation or it
was only there so the programmer could use a naked return
statement. (Naked returns should not be used except in very small
functions)

This change is a manual audit & cleanup of public func signatures.

Signatures were not changed if:

* the func was private (wouldn't be in public godoc)
* the documentation referenced it
* the named return value was an interesting name. (i.e. it wasn't
  simply stutter, repeating the name of the type)

There should be no changes in behavior. (At least: none intended)

Change-Id: I3472ef49619678fe786e5e0994bdf2d9de76d109
Reviewed-on: https://go-review.googlesource.com/20024
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-02-29 03:31:19 +00:00
Tamir Duberstein
622780b1c1 crypto/tls: don't log expected errors in test
This is minor cleanup that reduces test output noise.

Change-Id: Ib6db4daf8cb67b7784b2d5b222fa37c7f78a6a04
Reviewed-on: https://go-review.googlesource.com/19997
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-02-28 20:36:38 +00:00
Tamir Duberstein
186d3e30be crypto/tls: tests prefer constants to opaque literals
This is minor cleanup that makes the tests more readable.

Change-Id: I9f1f98f0f035096c284bdf3501e7520517a3e4d9
Reviewed-on: https://go-review.googlesource.com/19993
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-02-28 19:31:48 +00:00
Mikio Hara
f3f920ff8d crypto/tls: don't send IPv6 literals and absolute FQDNs as SNI values
This is a followup change to #13111 for filtering out IPv6 literals and
absolute FQDNs from being as the SNI values.

Updates #13111.
Fixes #14404.

Change-Id: I09ab8d2a9153d9a92147e57ca141f2e97ddcef6e
Reviewed-on: https://go-review.googlesource.com/19704
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-02-27 10:05:53 +00:00
Michael McConville
ddfe7b3dc0 crypto/rand: use the getentropy syscall on OpenBSD
Go already supports Linux's getrandom, which is a slightly modified
version of getentropy.

getentropy was added in OpenBSD 5.6. All supported versions of OpenBSD
include it so, unlike with Linux and getrandom, we don't need to test
for its presence.

Fixes #13785.

Change-Id: Ib536b96675f257cd8c5de1e3a36165e15c9abac9
Reviewed-on: https://go-review.googlesource.com/18219
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-02-26 19:58:09 +00:00
Datong Sun
c8ae2e82c7 crypto/x509: better documentation for ParsePKIXPublicKey
The existing documentation for ParsePKIXPublicKey is difficult to understand
and the return type of the parsed public key are not mentioned explicitly.

Descriptions about types of public key supported, as well as an example on
how to use type assertions to determine return type of a parsed public key
has been added.

Fixes #14355

Change-Id: Ib9561efb34255292735742c0b3e835c4b97ac589
Reviewed-on: https://go-review.googlesource.com/19757
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-02-26 06:36:10 +00:00
Martin Möhrmann
fdd0179bb1 all: fix typos and spelling
Change-Id: Icd06d99c42b8299fd931c7da821e1f418684d913
Reviewed-on: https://go-review.googlesource.com/19829
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-02-24 18:42:29 +00:00
Keith Randall
80bc512449 [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
Semi-regular merge from tip to dev.ssa.

Change-Id: If7d2269f267bcbc0ecd3a483d349951044470e3f
2016-02-23 14:42:20 -08:00
Shawn Smith
58ec5839cd all: fix typos
Change-Id: I6035941df8b0de6aeaf6c05df7257bcf6e9191fe
Reviewed-on: https://go-review.googlesource.com/19320
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-02-23 13:58:47 +00:00
Brady Sullivan
1e00cc1647 crypto/tls: Improve ambiguous comment in cipher_suites.go
A comment existed referencing RC4 coming before AES because of it's
vulnerability to the Lucky 13 attack. This clarifies that the Lucky 13 attack
only effects AES-CBC, and not AES-GCM.

Fixes #14474

Change-Id: Idcb07b5e0cdb0f9257cf75abea60129ba495b5f5
Reviewed-on: https://go-review.googlesource.com/19845
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-02-22 23:56:37 +00:00
Keith Randall
eb0cff9a76 [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
Semi-regular merge from tip to dev.ssa.

Two fixes:
1) Mark selectgo as not returning.  This caused problems
   because there are no VARKILL ops on the selectgo path,
   causing things to be marked live that shouldn't be.
2) Tell the amd64 assembler that addressing modes like
   name(SP)(AX*4) are ok.

Change-Id: I9ca81c76391b1a65cc47edc8610c70ff1a621913
2016-02-10 09:31:41 -08:00
Adam Langley
8437452404 crypto/rsa: expand on documentation and add some examples.
In some cases the documentation for functions in this package was
lacking from the beginning and, in order cases, the documentation didn't
keep pace as the package grew.

This change somewhat addresses that.

Updates #13711.

Change-Id: I25b2bb1fcd4658c5417671e23cf8e644d08cb9ab
Reviewed-on: https://go-review.googlesource.com/18486
Reviewed-by: Rob Pike <r@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2016-01-27 00:11:22 +00:00
Russ Cox
b4c9d01d81 crypto: document that Signer.Sign does not hash
Fixes #13938.

Change-Id: I0b4842b8bc22dc79323d6894c123cde638f52d3f
Reviewed-on: https://go-review.googlesource.com/18856
Reviewed-by: Adam Langley <agl@golang.org>
2016-01-26 16:27:16 +00:00
Kevin Kirsche
980364b7a2 crypto/cipher: Add AES-GCM encryption and decryption example
Add example of how to use the aes package to
implement AES encryption and decryption
within an application.

Per feedback, use more secure AES-GCM implementation as an
example in crypto/cipher instead of AES directly.

Change-Id: I84453ebb18e0bc79344a24171a031ec0d7ccec2e
Reviewed-on: https://go-review.googlesource.com/18803
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2016-01-26 15:58:42 +00:00
Adam Langley
b203f88c7f crypto/tls: note in comment that Certificate.Leaf is nil after parsing.
LoadX509KeyPair and X509KeyPair don't retain the parsed form of
certificates in their return value because it's generally not needed.
This change makes that clear in the comment.

See https://groups.google.com/d/msg/golang-dev/VResvFj2vF8/Wt6WkVT2AwAJ

Change-Id: Ibb759cd6e84c00f4450a012992088422c0546638
Reviewed-on: https://go-review.googlesource.com/18734
Reviewed-by: Russ Cox <rsc@golang.org>
2016-01-21 18:50:24 +00:00
Keith Randall
23d5810c8f [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
Semi-regular merge from tip to dev.ssa.

Conflicts:
	src/runtime/sys_windows_amd64.s

Change-Id: I5f733130049c810e6ceacd46dad85faebca52b29
2016-01-19 14:13:16 -08:00
Ilya Tocar
1d1f2fb4c6 cmd/internal/obj/x86: add new instructions, cleanup.
Add several instructions that were used via BYTE and use them.
Instructions added: PEXTRB, PEXTRD, PEXTRQ, PINSRB, XGETBV, POPCNT.

Change-Id: I5a80cd390dc01f3555dbbe856a475f74b5e6df65
Reviewed-on: https://go-review.googlesource.com/18593
Run-TryBot: Ilya Tocar <ilya.tocar@intel.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-01-13 14:04:44 +00:00
Brad Fitzpatrick
4ffba76855 crypto/tls: don't block in Conn.Close if Writes are in-flight
Conn.Close sends an encrypted "close notify" to signal secure EOF.
But writing that involves acquiring mutexes (handshake mutex + the
c.out mutex) and writing to the network. But if the reason we're
calling Conn.Close is because the network is already being
problematic, then Close might block, waiting for one of those mutexes.

Instead of blocking, and instead of introducing new API (at least for
now), distinguish between a normal Close (one that sends a secure EOF)
and a resource-releasing destructor-style Close based on whether there
are existing Write calls in-flight.

Because io.Writer and io.Closer aren't defined with respect to
concurrent usage, a Close with active Writes is already undefined, and
should only be used during teardown after failures (e.g. deadlines or
cancelations by HTTP users). A normal user will do a Write then
serially do a Close, and things are unchanged for that case.

This should fix the leaked goroutines and hung net/http.Transport
requests when there are network errors while making TLS requests.

Change-Id: If3f8c69d6fdcebf8c70227f41ad042ccc3f20ac9
Reviewed-on: https://go-review.googlesource.com/18572
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-01-13 04:49:19 +00:00
Adam Langley
13eabea0f7 crypto/cipher: always zero dst buffer on GCM authentication failure.
The AESNI GCM code decrypts and authenticates concurrently and so
overwrites the destination buffer even in the case of an authentication
failure.

This change updates the documentation to make that clear and also
mimics that behaviour in the generic code so that different platforms
act identically.

Fixes #13886

Change-Id: Idc54e51f01e27b0fc60c1745d50bb4c099d37e94
Reviewed-on: https://go-review.googlesource.com/18480
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-01-10 19:03:42 +00:00
Keith Randall
b386c34ef9 [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
Semi-regular merge from tip into dev.ssa.

Change-Id: I1627d7c7e6892cd4f1f5da5f3e07389ff1d677ce
2016-01-07 10:01:08 -08:00
Russ Cox
7f0b4a879b crypto/dsa: adjust GenerateParameters comment
Fixes #13725.

Change-Id: I5fe46851b238fc9ab301da8f8fc37bd1b7871748
Reviewed-on: https://go-review.googlesource.com/18316
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-01-06 16:58:21 +00:00
Brad Fitzpatrick
17ce03725c crypto/hmac: update link to FIPS HMAC spec
Thanks to Kevin Kirsche (github kkirsche).

Change-Id: Ia0017371f56065a5e88d1ebb800a6489136ee9b1
Reviewed-on: https://go-review.googlesource.com/18280
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-01-06 02:17:06 +00:00
Adam Langley
9338f39459 crypto/x509: handle ECC private keys with the wrong length.
SEC-1 says: “The component privateKey is the private key defined to be
the octet string of length ⌊log₂(n)/8⌋ (where n is the order of the
curve)”.

Previously the code for parsing ECC private keys would panic (on
non-amd64) when the private was too long. It would also pass a too-short
private key to crypto/elliptic, possibly resulting in undesirable
behaviour.

This change makes the parsing function handle both too much and too
little padding because GnuTLS does the former and OpenSSL did the latter
until 30cd4ff294252c4b6a4b69cbef6a5b4117705d22. It also causes
serialisation to pad private keys correctly.

Fixes #13699

Change-Id: If9c2faeaeb45af8a4d7770d784f3d2633e7f8290
Reviewed-on: https://go-review.googlesource.com/18094
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-01-06 02:16:54 +00:00
Rob Pike
54641818c9 crypto/cipher: fix typo from last change
s/encrypt/decrypt/

The text is unsafe to cut and paste...

Change-Id: Iab19ddf8182d087e9a4b4d34a9eeabd1d2aa02d6
Reviewed-on: https://go-review.googlesource.com/18104
Reviewed-by: Rob Pike <r@golang.org>
2015-12-22 23:26:12 +00:00
Rob Pike
4e6750af81 crypto/cipher: improve documentation for AEAD
Give a link to the wikipedia page describing the mechanism and
explain better how to use the same buffer for input and output.

Change-Id: If6dfd6cf9c6dff0517cb715f60a11349dbdd91e0
Reviewed-on: https://go-review.googlesource.com/18103
Reviewed-by: Russ Cox <rsc@golang.org>
2015-12-22 21:45:53 +00:00
Russ Cox
be7544be23 crypto/x509: handle CRLDistributionPoints without FullNames
Fixes #12910.

Change-Id: If446e5dce236483bbb898cc5959baf8371f05142
Reviewed-on: https://go-review.googlesource.com/17550
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-12-17 07:17:28 +00:00
Adam Langley
40ac3690ef crypto/rsa: check CRT result.
This change adds a check after computing an RSA signature that the
signature is correct. This prevents an error in the CRT computation from
leaking the private key. See references in the linked bug.

benchmark                  old ns/op     new ns/op     delta
BenchmarkRSA2048Sign-3     5713305       6225215       +8.96%

Fixes #12453

Change-Id: I1f24e0b542f7c9a3f7e7ad4e971db3dc440ed3c1
Reviewed-on: https://go-review.googlesource.com/17862
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-12-17 00:00:33 +00:00
Brad Fitzpatrick
91abab0429 crypto/tls: document lack of Lucky13 hardening
Updates #13385

Change-Id: I9c2edf8c02adc388c48760b29e63dfa2966262d6
Reviewed-on: https://go-review.googlesource.com/17532
Reviewed-by: Tim Cooijmans <timcooijmans@gmail.com>
Reviewed-by: Adam Langley <agl@golang.org>
2015-12-14 18:51:31 +00:00
Adam Langley
f740d717bd crypto/elliptic: resample private keys if out of range.
The orders of the curves in crypto/elliptic are all very close to a
power of two. None the less, there is a tiny bias in the private key
selection.

This change makes the distribution uniform by resampling in the case
that a private key is >= to the order of the curve. (It also switches
from using BitSize to Params().N.BitLen() because, although they're the
same value here, the latter is technically the correct thing to do.)

The private key sampling and nonce sampling in crypto/ecdsa don't have
this issue.

Fixes #11082.

Change-Id: Ie2aad563209a529fa1cab522abaf5fd505c7269a
Reviewed-on: https://go-review.googlesource.com/17460
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-12-08 17:39:09 +00:00
Brad Fitzpatrick
c34bc90ffc crypto/x509: convert ErrInsecureAlgorithm into a type
Change-Id: I411aeaf0cf75eb8b1c9005b622f664e9f25e4a68
Reviewed-on: https://go-review.googlesource.com/17400
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-12-07 14:24:49 +00:00
Russ Cox
606d9a7e18 crypto/x509: introduce ErrInsecureAlgorithm for insecure algorithms
Until now we've used ErrUnknownAlgorithm but that's a bit confusing
when it is returned for obviously-known things like MD5.

Fixes #10431.

Change-Id: Ief8a8ef46e5b99bd4fd18e1acd7ae398a484bac3
Reviewed-on: https://go-review.googlesource.com/17380
Reviewed-by: Adam Langley <agl@golang.org>
2015-12-03 20:02:09 +00:00
Adam Langley
a0ea93dea5 crypto/x509: permit serial numbers to be negative.
Some software that produces certificates doesn't encode integers
correctly and, about half the time, ends up producing certificates with
serial numbers that are actually negative.

This buggy software, sadly, appears to be common enough that we should
let these errors pass. This change allows a Certificate.SerialNumber to
be negative.

Fixes #8265.

Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4
Reviewed-on: https://go-review.googlesource.com/17247
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-11-28 00:07:16 +00:00
Ralph Corderoy
db4ef216cc crypto/tls: Server can specify an unadvertised cipher suite
During the TLS handshake, check the cipher suite the server selects is
one of those offered in the ClientHello.  The code was checking it was
in the larger list that was sometimes whittled down for the ClientHello.

Fixes #13174

Change-Id: Iad8eebbcfa5027f30403b9700c43cfa949e135bb
Reviewed-on: https://go-review.googlesource.com/16698
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-11-26 17:22:57 +00:00
Keith Randall
4304fbc4d0 [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
Conflicts:
	src/cmd/compile/internal/gc/racewalk.go
	src/cmd/internal/obj/stack.go
	src/cmd/internal/obj/x86/obj6.go
	src/runtime/stack.go
	test/nilptr3.go
	test/nosplit.go

Change-Id: Ie6053eb1577fd73e8243651f25c0f1fc765ae660
2015-11-16 17:19:42 -08:00
Caleb Spare
45d1c8ab59 crypto/tls: return a typed error on invalid record headers
The user can inspect the record data to detect that the other side is
not using the TLS protocol.

This will be used by the net/http client (in a follow-on CL) to detect
when an HTTPS client is speaking to an HTTP server.

Updates #11111.

Change-Id: I872f78717aa8e8e98cebd8075436209a52039a73
Reviewed-on: https://go-review.googlesource.com/16078
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-16 21:54:44 +00:00
Shenghou Ma
deb096122a crypto/tls: add TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites
Fixes #9894.

Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993
Reviewed-on: https://go-review.googlesource.com/16924
Run-TryBot: Minux Ma <minux@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-11-15 20:59:11 +00:00
Brad Fitzpatrick
5a0d9ef873 crypto/tls, crypto/aes: remove allocations when Writing & Reading
benchmark          old ns/op     new ns/op     delta
BenchmarkTLS-4     8571          7938          -7.39%

benchmark          old MB/s     new MB/s     speedup
BenchmarkTLS-4     119.46       128.98       1.08x

benchmark          old allocs     new allocs     delta
BenchmarkTLS-4     8              0              -100.00%

benchmark          old bytes     new bytes     delta
BenchmarkTLS-4     128           0             -100.00%

On:

func BenchmarkTLS(b *testing.B) {
        b.ReportAllocs()
        b.SetBytes(1024)
        ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
                io.Copy(ioutil.Discard, r.Body)
        }))
        defer ts.Close()
        buf := make([]byte, 1024)
        for i := range buf {
                buf[i] = byte(i)
        }
        c, err := tls.Dial("tcp", ts.Listener.Addr().String(), &tls.Config{
                InsecureSkipVerify: true,
        })
        if err != nil {
                b.Fatal(err)
        }
        defer c.Close()
        clen := int64(b.N) * 1024
        if _, err := c.Write([]byte(
            "POST / HTTP/1.1\r\nHost: foo\r\nContent-Length: " +
            fmt.Sprint(clen) + "\r\n\r\n")); err != nil {
                b.Fatal(err)
        }
        b.ResetTimer()
        for i := 0; i < b.N; i++ {
                if _, err := c.Write(buf); err != nil {
                        b.Fatal(err)
                }
        }
}

Change-Id: I206e7e2118b97148f9751b740d8470895634d3f5
Reviewed-on: https://go-review.googlesource.com/16828
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-14 13:12:47 +00:00
Ralph Corderoy
9c8cd83753 crypto/tls: len(clientRandom) used for serverRandom source
In keysFromMasterSecret(), don't copy from serverRandom into
seed[:len(clientRandom)].  Actually, switch from an array to a slice in
keysFromMasterSecret() and masterFromPreMasterSecret() so the length
need not be given;  that's how it's done elsewhere in the file.

Fixes #13181

Change-Id: I92abaa892d1bba80c2d4f12776341cda7d538837
Reviewed-on: https://go-review.googlesource.com/16697
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-11-10 22:17:54 +00:00
Adam Langley
9f08b6c494 crypto/tls: don't send IP literals as SNI values.
(This relands commit a4dcc692011bf1ceca9b1a363fd83f3e59e399ee.)

https://tools.ietf.org/html/rfc6066#section-3 states:

  “Literal IPv4 and IPv6 addresses are not permitted in "HostName".”

However, if an IP literal was set as Config.ServerName (which could
happen as easily as calling Dial with an IP address) then the code would
send the IP literal as the SNI value.

This change filters out IP literals, as recognised by net.ParseIP, from
being sent as the SNI value.

Fixes #13111.

Change-Id: I6e544a78a01388f8fe98150589d073b917087f75
Reviewed-on: https://go-review.googlesource.com/16776
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-10 22:17:16 +00:00
Vlad Krasnov
7bacfc640f crypto/elliptic,crypto/ecdsa: P256 amd64 assembly
This is based on the implementation used in OpenSSL, from a
submission by Shay Gueron and myself. Besides using assembly,
this implementation employs several optimizations described in:

    S.Gueron and V.Krasnov, "Fast prime field elliptic-curve
                             cryptography with 256-bit primes"

In addition a new and improved modular inverse modulo N is
implemented here.

The performance measured on a Haswell based Macbook Pro shows 21X
speedup for the sign and 9X for the verify operations.
The operation BaseMult is 30X faster (and the Diffie-Hellman/ECDSA
key generation that use it are sped up as well).

The adaptation to Go with the help of Filippo Valsorda

Updated the submission for faster verify/ecdh, fixed some asm syntax
and API problems and added benchmarks.

Change-Id: I86a33636747d5c92f15e0c8344caa2e7e07e0028
Reviewed-on: https://go-review.googlesource.com/8968
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-11-10 22:16:56 +00:00
Adam Langley
b46df69541 Revert "crypto/tls: don't send IP literals as SNI values."
This reverts commit a4dcc69201.

Change-Id: Ib55fd349a604d6b5220dac20327501e1ce46b962
Reviewed-on: https://go-review.googlesource.com/16770
Reviewed-by: Adam Langley <agl@golang.org>
2015-11-09 23:16:51 +00:00
Adam Langley
a4dcc69201 crypto/tls: don't send IP literals as SNI values.
https://tools.ietf.org/html/rfc6066#section-3 states:

  “Literal IPv4 and IPv6 addresses are not permitted in "HostName".”

However, if an IP literal was set as Config.ServerName (which could
happen as easily as calling Dial with an IP address) then the code would
send the IP literal as the SNI value.

This change filters out IP literals, as recognised by net.ParseIP, from
being sent as the SNI value.

Fixes #13111.

Change-Id: Ie9ec7acc767ae172b48c9c6dd8d84fa27b1cf0de
Reviewed-on: https://go-review.googlesource.com/16742
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-11-09 23:09:48 +00:00
Shenghou Ma
61ca7e5ccf crypto/x509: add /etc/ssl/certs to certificate directories
Fixes #12139.

Change-Id: Ied760ac37e2fc21ef951ae872136dc3bfd49bf9f
Reviewed-on: https://go-review.googlesource.com/16671
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-11-05 02:26:08 +00:00
unknown
8c827c045a crypto/md5: uniform Write func
Unification of implementation of existing md5.Write function
with other implementations (sha1, sha256, sha512).

Change-Id: I58ae02d165b17fc221953a5b4b986048b46c0508
Reviewed-on: https://go-review.googlesource.com/16621
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-11-04 15:41:25 +00:00
Caleb Spare
2bf91afd2b crypto/cipher: fix CTR infinite loop with large block sizes
Additionally, add a test for CTR mode to cover a range of block sizes.

Fixes #12975

Change-Id: I458aac1616228747e62f92f823768d55e874877a
Reviewed-on: https://go-review.googlesource.com/16050
Reviewed-by: Adam Langley <agl@golang.org>
2015-10-20 21:38:36 +00:00
Keith Randall
7c4fbb650c [dev.ssa] Merge remote-tracking branch 'origin/master' into mergebranch
The only major fixup is that duffzero changed from
8-byte writes to 16-byte writes.

Change-Id: I1762b74ce67a8e4b81c11568027cdb3572f7f87c
2015-10-19 14:00:03 -07:00
Adam Langley
e78e654c1d crypto/x509: parse CSRs with a critical flag in the requested extensions.
The format for a CSR is horribly underspecified and we had a mistake.
The code was parsing the attributes from the CSR as a
pkix.AttributeTypeAndValueSET, which is only almost correct: it works so
long as the requested extensions don't contain the optional “critical”
flag.

Unfortunately this mistake is exported somewhat in the API and the
Attributes field of a CSR actually has the wrong type. I've moved this
field to the bottom of the structure and updated the comment to reflect
this.

The Extensions and other fields of the CSR structure can be saved
however and this change does that.

Fixes #11897.

Change-Id: If8e2f5c21934800b72b041e38691efc3e897ecf1
Reviewed-on: https://go-review.googlesource.com/12717
Reviewed-by: Rob Pike <r@golang.org>
2015-09-30 00:59:15 +00:00
Adam Langley
8ee0261865 crypto/x509: make verification of an empty certificate consistent across platforms.
Platform-specific verification needs the ASN.1 contents of a certificate
but that might not be provided if the Certificate was not created by
ParseCertificate. In order to avoid a panic on Windows, and to make
behaviour consistent across platforms, this change causes verification
to fail when the ASN.1 contents of a certificate are not available.

Fixes #12184

Change-Id: I4395d74934e675c179eaf4cded1094a756e478bb
Reviewed-on: https://go-review.googlesource.com/14053
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-09-30 00:51:51 +00:00
Adam Langley
be16001187 crypto/tls: better error messages when PEM inputs are switched.
This change causes the types of skipped PEM blocks to be recorded when
no certificate or private-key data is found in a PEM input. This allows
for better error messages to be return in the case of common errors like
switching the certifiate and key inputs to X509KeyPair.

Fixes #11092

Change-Id: Ifc155a811cdcddd93b5787fe16a84c972011f2f7
Reviewed-on: https://go-review.googlesource.com/14054
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-09-30 00:27:46 +00:00
Tarmigan Casebolt
7360638da0 crypto/x509: return err if marshalPublicKey fails to marshal an rsa public key
Change-Id: I9bd5c1b66fd90f0b54bd1a8f3e57b6830d2b7733
Reviewed-on: https://go-review.googlesource.com/13846
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-09-18 21:48:10 +00:00
Didier Spezia
400bb82678 crypto/x509: map/slice literals janitoring
Simplify slice/map literal expression.
Caught with gofmt -d -s, fixed with gofmt -w -s

Change-Id: I4472c6003cf66e65f6e69050872ff95c96f01253
Reviewed-on: https://go-review.googlesource.com/13836
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-09-11 14:04:11 +00:00
Adam Langley
0cced63cc0 crypto/x509: emit PKIX names in a more standard order.
(See referenced bug for details.)

Fixes #11966.

Change-Id: I91f9c95594cf4fd6d25d9a81f155a643c7a1f8e0
Reviewed-on: https://go-review.googlesource.com/13038
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-08-30 15:34:48 +00:00
Adam Langley
cb5bca8e8a crypto/tls: reject ServerHellos with empty ALPN protocols.
https://tools.ietf.org/html/rfc7301#section-3.1 specifies that a
ProtocolName may not be empty. This change enforces this for ServerHello
messages—it's already enforced for ClientHello messages.

Change-Id: Ic5a5be6bebf07fba90a3cabd10b07ab7b4337f53
Reviewed-on: https://go-review.googlesource.com/12003
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-08-30 15:33:36 +00:00
aubble
34695c4742 crypto/tls: note in comments that setting GetCertificate is now sufficient.
In Go 1.5, Config.Certificates is no longer required if
Config.GetCertificate has been set. This change updated four comments to
reflect that.

Change-Id: Id72cc22fc79e931b2d645a7c3960c3241042762c
Reviewed-on: https://go-review.googlesource.com/13800
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-29 22:23:04 +00:00
Vlad Krasnov
efeeee38c9 crypto/aes: dedicated asm version of AES-GCM
The existing implementation didn't use the CLMUL instructions for fast
and constant time binary-field multiplication. With this change, amd64
CPUs that support both AES and CLMUL instructions will use an optimised
asm implementation.

benchmark                 old ns/op     new ns/op     delta
BenchmarkAESGCMSeal8K     91723         3200          -96.51%
BenchmarkAESGCMOpen8K     91487         3324          -96.37%
BenchmarkAESGCMSeal1K     11873         546           -95.40%
BenchmarkAESGCMOpen1K     11833         594           -94.98%

benchmark                 old MB/s     new MB/s     speedup
BenchmarkAESGCMSeal8K     89.31        2559.62      28.66x
BenchmarkAESGCMOpen8K     89.54        2463.78      27.52x
BenchmarkAESGCMSeal1K     86.24        1872.49      21.71x
BenchmarkAESGCMOpen1K     86.53        1721.78      19.90x

Change-Id: Idd63233098356d8b353d16624747b74d0c3f193e
Reviewed-on: https://go-review.googlesource.com/10484
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-29 21:02:38 +00:00
aubble
bfa016150b crypto/tls: allow tls.Listen when only GetCertificate is provided.
Go 1.5 allowed TLS connections where Config.Certificates was nil as long
as the GetCertificate callback was given. However, tls.Listen wasn't
updated accordingly until this change.

Change-Id: I5f67f323f63c988ff79642f3daf8a6b2a153e6b2
Reviewed-on: https://go-review.googlesource.com/13801
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-29 19:28:03 +00:00
Rob Pike
f62b749ae2 all: fix some vet-caught formatting errors, mostly but not only in tests
Could go in 1.5, although not critical.
See also #12107

Change-Id: I7f1608b58581d21df4db58f0db654fef79e33a90
Reviewed-on: https://go-review.googlesource.com/13481
Reviewed-by: Dave Cheney <dave@cheney.net>
2015-08-21 05:37:36 +00:00
Russ Cox
46a2913882 crypto/tls: fix ConnectionState().VerifiedChains for resumed connection
Strengthening VerifyHostname exposed the fact that for resumed
connections, ConnectionState().VerifiedChains was not being saved
and restored during the ClientSessionCache operations.
Do that.

This change just saves the verified chains in the client's session
cache. It does not re-verify the certificates when resuming a
connection.

There are arguments both ways about this: we want fast, light-weight
resumption connections (thus suggesting that we shouldn't verify) but
it could also be a little surprising that, if the verification config
is changed, that would be ignored if the same session cache is used.

On the server side we do re-verify client-auth certificates, but the
situation is a little different there. The client session cache is an
object in memory that's reset each time the process restarts. But the
server's session cache is a conceptual object, held by the clients, so
can persist across server restarts. Thus the chance of a change in
verification config being surprisingly ignored is much higher in the
server case.

Fixes #12024.

Change-Id: I3081029623322ce3d9f4f3819659fdd9a381db16
Reviewed-on: https://go-review.googlesource.com/13164
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-05 19:59:28 +00:00
Adam Langley
f51b7fbdc4 crypto/tls: update testing certificates.
This change alters the certificate used in many tests so that it's no
longer self-signed. This allows some tests to exercise the standard
certificate verification paths in the future.

Change-Id: I9c3fcd6847eed8269ff3b86d9b6966406bf0642d
Reviewed-on: https://go-review.googlesource.com/13244
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-08-05 19:06:51 +00:00
Russ Cox
ab714a70dc crypto/x509: mark root_darwin_armx.go as cgo-only
This allows running a cross-compile like
	GOOS=darwin GOARCH=arm go build std
to check that everything builds.

Otherwise there is a redefinition error because both
root_nocgo_darwin.go and root_darwin_armx.go
supply initSystemRoots.

Change-Id: Ic95976b2b698d28c629bfc93d8dac0048b023578
Reviewed-on: https://go-review.googlesource.com/12897
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-07-30 15:47:16 +00:00
Jeff R. Allen
9b7e728ee8 crypt/rand: update docs for Linux
Update the docs to explain the code added in
commit 67e1d400.

Fixes #11831.

Change-Id: I8fe72e449507847c4bd9d77de40947ded7f2ff9d
Reviewed-on: https://go-review.googlesource.com/12515
Reviewed-by: Dave Cheney <dave@cheney.net>
2015-07-26 02:57:16 +00:00
Adam Langley
bad52b352a crypto/elliptic: call IsOnCurve via the interface.
https://go-review.googlesource.com/#/c/2421/ contains an unfortunate
slip where IsOnCurve is called on the CurveParams rather than the curve.
This doesn't really matter, but it's a pain for people doing tricks with
crypto/elliptic and means that 1.5 would be a regression for them
without this change.

See https://groups.google.com/forum/#!topic/golang-dev/i8OPUTYctOk

Change-Id: Ifa5f25f9a95d7484cb53d4883cfd78dc58a0f9a7
Reviewed-on: https://go-review.googlesource.com/12506
Reviewed-by: Russ Cox <rsc@golang.org>
2015-07-22 17:37:36 +00:00
Russ Cox
a502fb2182 crypto/x509: disable sha2 test with system APIs
Fixes #11730.

Change-Id: I5bc60779a87dc07899dd70659a830996bf7812ca
Reviewed-on: https://go-review.googlesource.com/12527
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-07-22 17:33:27 +00:00
Russ Cox
3cf15b57f7 crypto/tls: check cert chain during VerifyHostname
Fixes #9063.

Change-Id: I536ef1f0b30c94c1ebf7922d84cb2f701b7d8a1a
Reviewed-on: https://go-review.googlesource.com/12526
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2015-07-22 17:32:00 +00:00
David Crawshaw
29eb7d18ed crypto/x509: iOS build tag
The iOS simulator compiles with GOOS=darwin GOARCH=386, and x509
sets the inappropriate flag -mmacosx-version-min=10.6. Condition
its compilation on the absence of an "ios" build tag.

Fixes #11736.

Change-Id: I4aa230643347320c3cb9d03b972734b2e0db930e
Reviewed-on: https://go-review.googlesource.com/12301
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-07-16 19:10:11 +00:00
Russ Cox
f8c97abf54 crypto/x509: add /etc/ssl/cacert.pem to OmniOS cert search list
Fixes #9146.

Change-Id: If5cb5ae92a201825b9ff32b3d0edfa032b9a0965
Reviewed-on: https://go-review.googlesource.com/12203
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-07-15 04:31:06 +00:00
Nevins Bartolomeo
1fff4bb156 crypto: add SHA-512/224 and SHA-512/256 as described in FIPS 180-4
Change-Id: Ifbab8203dea1eb0df4c834df22e12cb7c37c14fd
Reviewed-on: https://go-review.googlesource.com/10683
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
2015-07-14 19:45:21 +00:00
Brad Fitzpatrick
2ae77376f7 all: link to https instead of http
The one in misc/makerelease/makerelease.go is particularly bad and
probably warrants rotating our keys.

I didn't update old weekly notes, and reverted some changes involving
test code for now, since we're late in the Go 1.5 freeze. Otherwise,
the rest are all auto-generated changes, and all manually reviewed.

Change-Id: Ia2753576ab5d64826a167d259f48a2f50508792d
Reviewed-on: https://go-review.googlesource.com/12048
Reviewed-by: Rob Pike <r@golang.org>
2015-07-11 14:36:33 +00:00
Rob Pike
d16c7f8004 crypto: fix non-sentence in documentation for Decrypter
Comment change only.

Change-Id: I2e32c2b34d5a5659ead6d6082b06e1b039bf1147
Reviewed-on: https://go-review.googlesource.com/11852
Reviewed-by: Russ Cox <rsc@golang.org>
2015-07-02 03:43:34 +00:00
Adam Langley
2814906df0 crypto/rsa: check for primes ≤ 1 in Validate
Change 7c7126cfeb removed the primality
checking in Validate to save CPU time. That check happened to be
filtering out private keys with primes that were zero or one. Without
that filtering, such primes cause a panic when trying to use such a
private key.

This change specifically checks for and rejects primes ≤ 1 in Validate.

Fixes #11233.

Change-Id: Ie6537edb8250c07a45aaf50dab43227002ee7386
Reviewed-on: https://go-review.googlesource.com/11611
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-06-29 19:32:48 +00:00
Adam Langley
4ec946ce95 crypto/x509: don't panic when decrypting invalid PEM data.
If an encrypted PEM block contained ciphertext that was not a multiple
of the block size then the code would panic. This change tests for that
case and returns an error.

Fixes #11215.

Change-Id: I7b700f99e20810c4f545519b1e9d766b4640e8a7
Reviewed-on: https://go-review.googlesource.com/11097
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2015-06-26 16:16:51 +00:00
Dmitry Savintsev
c248aaef70 crypto/ecdsa, crypto/x509: update SEC1 ECC link in comments
Updated the document URL in comments to avoid dead link
Old: http://www.secg.org/download/aid-780/sec1-v2.pdf
New: http://www.secg.org/sec1-v2.pdf

Change-Id: If13d0da4c0e7831b2bd92c45116c2412a2a965f5
Reviewed-on: https://go-review.googlesource.com/11550
Reviewed-by: Russ Cox <rsc@golang.org>
2015-06-26 16:08:22 +00:00
Russ Cox
7bc3e58806 all: extract "can I exec?" check from tests into internal/testenv
Change-Id: I7b54be9d8b50b39e01c6be21f310ae9a10404e9d
Reviewed-on: https://go-review.googlesource.com/10753
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: David Crawshaw <crawshaw@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-06-16 18:07:36 +00:00
Adam Langley
6a34206ca9 crypto/tls: fix parsing of SNI extension.
The previous code had a brain fart: it took one of the length prefixes
as an element count, not a length. This didn't actually affect anything
because the loop stops as soon as it finds a hostname element, and the
hostname element is always the first and only element. (No other element
types have ever been defined.)

This change fixes the parsing in case SNI is ever changed in the future.

Fixes #10793.

Change-Id: Iafdf3381942bc22b1f33595315c53dc6cc2e9f0f
Reviewed-on: https://go-review.googlesource.com/11059
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-06-14 17:55:53 +00:00
Ainar Garipov
7f9f70e5b6 all: fix misprints in comments
These were found by grepping the comments from the go code and feeding
the output to aspell.

Change-Id: Id734d6c8d1938ec3c36bd94a4dbbad577e3ad395
Reviewed-on: https://go-review.googlesource.com/10941
Reviewed-by: Aamir Khan <syst3m.w0rm@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-06-11 14:18:57 +00:00
Carl Jackson
50e657fbfa crypto/cipher: Support unusual GCM nonce lengths
GCM is traditionally used with a 96-bit nonce, but the standard allows
for nonces of any size. Non-standard nonce sizes are required in some
protocols, so add support for them in crypto/cipher's GCM
implementation.

Change-Id: I7feca7e903eeba557dcce370412b6ffabf1207ab
Reviewed-on: https://go-review.googlesource.com/8946
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-06-09 18:46:13 +00:00
Adam Langley
c72b8aa3b3 crypto/tls: don't require an explicit client-auth EKU.
Previously we enforced both that the extended key usages of a client
certificate chain allowed for client authentication, and that the
client-auth EKU was in the leaf certificate.

This change removes the latter requirement. It's still the case that the
chain must be compatible with the client-auth EKU (i.e. that a parent
certificate isn't limited to another usage, like S/MIME), but we'll now
accept a leaf certificate with no EKUs for client-auth.

While it would be nice if all client certificates were explicit in their
intended purpose, I no longer feel that this battle is worthwhile.

Fixes #11087.

Change-Id: I777e695101cbeba069b730163533e2977f4dc1fc
Reviewed-on: https://go-review.googlesource.com/10806
Reviewed-by: Andrew Gerrand <adg@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-06-09 15:48:24 +00:00
Adam Langley
1ddb8c20c6 crypto/x509: be strict about trailing data.
The X.509 parser was allowing trailing data after a number of structures
in certificates and public keys. There's no obvious security issue here,
esp in certificates which are signed anyway, but this change makes
trailing data an error just in case.

Fixes #10583

Change-Id: Idc289914899600697fc6d30482227ff4bf479241
Reviewed-on: https://go-review.googlesource.com/9473
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-30 03:49:36 +00:00
Adam Langley
1c10598064 crypto/tls: update the supported signature algorithms.
This is the second in a two-part change. See https://golang.org/cl/9415
for details of the overall change.

This change updates the supported signature algorithms to include
SHA-384 and updates all the testdata/ files accordingly. Even some of
the testdata/ files named “TLS1.0” and “TLS1.1” have been updated
because they have TLS 1.2 ClientHello's even though the server picks a
lower version.

Fixes #9757.

Change-Id: Ia76de2b548d3b39cd4aa3f71132b0da7c917debd
Reviewed-on: https://go-review.googlesource.com/9472
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-30 03:47:51 +00:00
Adam Langley
09b238f155 crypto/tls: decouple handshake signatures from the handshake hash.
Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.

TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.

Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.

However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.

Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.

This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.

This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.

It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.

Much of this code was written by davidben@ for the purposes of testing
BoringSSL.

Partly addresses #9757

Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-30 03:47:02 +00:00
Adam Langley
d942737f8a crypto/x509: allow parsing of certificates with unknown critical extensions.
Previously, unknown critical extensions were a parse error. However, for
some cases one wishes to parse and use a certificate that may contain
these extensions. For example, when using a certificate in a TLS server:
it's the client's concern whether it understands the critical extensions
but the server still wishes to parse SNI values out of the certificate
etc.

This change moves the rejection of unknown critical extensions from
ParseCertificate to Certificate.Verify. The former will now record the
OIDs of unknown critical extensions in the Certificate and the latter
will fail to verify certificates with them. If a user of this package
wishes to handle any unknown critical extensions themselves, they can
extract the extensions from Certificate.Extensions, process them and
remove known OIDs from Certificate.UnknownCriticalExtensions.

See discussion at
https://groups.google.com/forum/#!msg/golang-nuts/IrzoZlwalTQ/qdK1k-ogeHIJ
and in the linked bug.

Fixes #10459

Change-Id: I762521a44c01160fa0901f990ba2f5d4977d7977
Reviewed-on: https://go-review.googlesource.com/9390
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-28 16:32:09 +00:00
Adam Langley
cba882ea9b crypto/tls: call GetCertificate if Certificates is empty.
This change causes the GetCertificate callback to be called if
Certificates is empty. Previously this configuration would result in an
error.

This allows people to have servers that depend entirely on dynamic
certificate selection, even when the client doesn't send SNI.

Fixes #9208.

Change-Id: I2f5a5551215958b88b154c64a114590300dfc461
Reviewed-on: https://go-review.googlesource.com/8792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-26 22:00:35 +00:00
Jonathan Rudenberg
ac2bf8ad06 crypto/tls: add OCSP response to ConnectionState
The OCSP response is currently only exposed via a method on Conn,
which makes it inaccessible when using wrappers like net/http. The
ConnectionState structure is typically available even when using
wrappers and contains many of the other handshake details, so this
change exposes the stapled OCSP response in that structure.

Change-Id: If8dab49292566912c615d816321b4353e711f71f
Reviewed-on: https://go-review.googlesource.com/9361
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-26 22:00:13 +00:00
David Leon Gil
d86b8d34d0 crypto/elliptic: don't unmarshal points that are off the curve
At present, Unmarshal does not check that the point it unmarshals
is actually *on* the curve. (It may be on the curve's twist.)

This can, as Daniel Bernstein has pointed out at great length,
lead to quite devastating attacks. And 3 out of the 4 curves
supported by crypto/elliptic have twists with cofactor != 1;
P-224, in particular, has a sufficiently large cofactor that it
is likely that conventional dlog attacks might be useful.

This closes #2445, filed by Watson Ladd.

To explain why this was (partially) rejected before being accepted:

In the general case, for curves with cofactor != 1, verifying subgroup
membership is required. (This is expensive and hard-to-implement.)
But, as recent discussion during the CFRG standardization process
has brought out, small-subgroup attacks are much less damaging than
a twist attack.

Change-Id: I284042eb9954ff9b7cde80b8b693b1d468c7e1e8
Reviewed-on: https://go-review.googlesource.com/2421
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-26 21:11:50 +00:00
Paul van Brouwershaven
54bb4b9fd7 crypto/x509: CertificateRequest signature verification
This implements a method for x509.CertificateRequest to prevent
certain attacks and to allow a CA/RA to properly check the validity
of the binding between an end entity and a key pair, to prove that
it has possession of (i.e., is able to use) the private key
corresponding to the public key for which a certificate is requested.

RFC 2986 section 3 states:

"A certification authority fulfills the request by authenticating the
requesting entity and verifying the entity's signature, and, if the
request is valid, constructing an X.509 certificate from the
distinguished name and public key, the issuer name, and the
certification authority's choice of serial number, validity period,
and signature algorithm."

Change-Id: I37795c3b1dfdfdd455d870e499b63885eb9bda4f
Reviewed-on: https://go-review.googlesource.com/7371
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-26 21:07:10 +00:00
Jonathan Rudenberg
bff1417543 crypto/tls: add support for session ticket key rotation
This change adds a new method to tls.Config, SetSessionTicketKeys, that
changes the key used to encrypt session tickets while the server is
running. Additional keys may be provided that will be used to maintain
continuity while rotating keys. If a ticket encrypted with an old key is
provided by the client, the server will resume the session and provide
the client with a ticket encrypted using the new key.

Fixes #9994

Change-Id: Idbc16b10ff39616109a51ed39a6fa208faad5b4e
Reviewed-on: https://go-review.googlesource.com/9072
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-26 20:57:28 +00:00
Jonathan Rudenberg
02e69c4b53 crypto/tls: add support for Certificate Transparency
This change adds support for serving and receiving Signed Certificate
Timestamps as described in RFC 6962.

The server is now capable of serving SCTs listed in the Certificate
structure. The client now asks for SCTs and, if any are received,
they are exposed in the ConnectionState structure.

Fixes #10201

Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb
Reviewed-on: https://go-review.googlesource.com/8988
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2015-04-26 16:53:11 +00:00
Jonathan Rudenberg
c1e73dd286 crypto/tls: fix test data generation
- Multiple GetCertificate tests shared the same name and were
  overwriting each other, each test now has a unique name.
- expectAlert was not implemented in the data updater, the single
  test that used it has been replaced with a ClientHello failure
  test.

Fixes #10470

Change-Id: I500738f6302ffa863d7ee45d85fa8773155e0614
Reviewed-on: https://go-review.googlesource.com/8959
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-04-16 18:16:37 +00:00
Shenghou Ma
f633e445c7 crypto/x509: build the builtin root certs also for darwin/arm64
Change-Id: I3b3f80791a1db4c2b7318f81a115972cd2237f06
Signed-off-by: Shenghou Ma <minux@golang.org>
Reviewed-on: https://go-review.googlesource.com/8785
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-04-16 16:50:30 +00:00
Ian Lance Taylor
6e83ef6d21 internal/syscall: move to unix subdirectory
Move the single file from internal/syscall to internal/syscall/unix,
to match the golang.org/x/sys layout.

Change-Id: I2fb2832b4cb22efc7666bd276f5401ac3e73dc40
Reviewed-on: https://go-review.googlesource.com/8972
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
2015-04-15 23:51:36 +00:00
David Crawshaw
439318dd50 crypto/x509: skip arm64 tests limited by iOS
Just like darwin/arm.

Change-Id: Ib0438021bfe9eb105222b93e5bb375c282cc7b8c
Reviewed-on: https://go-review.googlesource.com/8822
Reviewed-by: Minux Ma <minux@golang.org>
2015-04-13 11:55:32 +00:00
Adam Langley
7b850ec691 crypto/tls: tidy up a little and add test.
This is a follow on to 28f33b4a which removes one of the boolean flags
and adds a test for the key-driven cipher selection.

Change-Id: If2a400de807eb19110352912a9f467491cc8986c
Reviewed-on: https://go-review.googlesource.com/8428
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Jacob Haven <jacob@cloudflare.com>
2015-04-04 00:06:21 +00:00
Jacob H. Haven
88399b2e46 crypto/x509: Fix parsing bug in uncommon CSR Attributes.
A CSR containing challengePassword or unstructuredName Attributes
(included in default OpenSSL prompts) would break ASN.1 parsing.
This updates the parsing structures to allow but then ignore these
fields.

See this CFSSL issue: https://github.com/cloudflare/cfssl/issues/115

Change-Id: I26a3bf1794589d27e6e763da88ae32276f0170c7
Reviewed-on: https://go-review.googlesource.com/8160
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-03 00:28:30 +00:00
Jacob H. Haven
28f33b4a70 crypto/tls: make use of crypto.Signer and crypto.Decrypter
This change replaces all direct ECDSA/RSA sign and decrypt operations
with calls through the crypto.Signer and crypto.Decrypter interfaces.

This is a follow-up to https://go-review.googlesource.com/#/c/3900/
which added crypto.Decrypter and implemented it for RSA.

Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d
Reviewed-on: https://go-review.googlesource.com/7804
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-02 23:19:57 +00:00
Alex Brainman
34ee744d00 crypto/x509: use syscall.GetVersion instead of internal/syscall/windows.GetVersion
cl8167 introduced internal/syscall/windows.GetVersion, but we already
have that function in syscall.GetVersion. Use that instead.
Also revert all internal/syscall/windows cl8167 changes.

Change-Id: I512a5bf4b3b696e93aaf69e9e8b7df7022670ec0
Reviewed-on: https://go-review.googlesource.com/8302
Reviewed-by: Daniel Theophanes <kardianos@gmail.com>
Reviewed-by: Minux Ma <minux@golang.org>
2015-03-31 08:11:24 +00:00
Daniel Theophanes
cf7461caed crypto/x509: skip SHA2 system verify test if not supported.
Windows XP SP2 and Windows 2003 do not support SHA2.

Change-Id: Ica5faed040e9ced8b79fe78d512586e0e8788b3f
Reviewed-on: https://go-review.googlesource.com/8167
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-30 15:58:08 +00:00
Matt Bostock
f279cadfa4 crypto/tls: Correct minimum version in comment
Commit 604fa4d5 made TLS 1.0 the default minimum version. This commit
amends a comment to reflect that.

This is where the default is used in the absence of an explicit version
being set:
edadffa2f3/src/crypto/tls/common.go (L391-L393)

Change-Id: I8f1117ecdddc85bb1cc76a6834026505a380b793
Reviewed-on: https://go-review.googlesource.com/5525
Reviewed-by: Mikio Hara <mikioh.mikioh@gmail.com>
Reviewed-by: Minux Ma <minux@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-03-25 12:53:36 +00:00
Shenghou Ma
20b3a9b6ed crypto/x509: document that DecryptPEMBlock cannot detect all cases of incorrect password
Fixes #10171.

Change-Id: I1b2e30ebbb2b9d66680008674baa96e550efe1f2
Reviewed-on: https://go-review.googlesource.com/7603
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-03-20 04:39:50 +00:00
Josh Bleecher Snyder
2adc4e8927 all: use "reports whether" in place of "returns true if(f)"
Comment changes only.

Change-Id: I56848814564c4aa0988b451df18bebdfc88d6d94
Reviewed-on: https://go-review.googlesource.com/7721
Reviewed-by: Rob Pike <r@golang.org>
2015-03-18 15:14:06 +00:00
Adam Langley
d26fdf295e crypto/tls: disable RC4 by default.
RC4 is frowned upon[1] at this point and major providers are disabling it
by default[2].

Those who still need RC4 support in crypto/tls can enable it by
specifying the CipherSuites slice in crypto/tls.Config explicitly.

Fixes #10094.

[1] https://tools.ietf.org/html/rfc7465
[2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/

Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f
Reviewed-on: https://go-review.googlesource.com/7647
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-18 00:38:14 +00:00
Adam Langley
a432568300 crypto/tls: panic with unknown hash functions.
Just so that we notice in the future if another hash function is added
without updating this utility function, make it panic when passed an
unknown handshake hash function. (Which should never happen.)

Change-Id: I60a6fc01669441523d8c44e8fbe7ed435e7f04c8
Reviewed-on: https://go-review.googlesource.com/7646
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Joël Stemmer <stemmertech@gmail.com>
2015-03-18 00:37:56 +00:00
Adam Langley
123b38e105 crypto/{ecdsa,rsa}: always use io.ReadFull with crypto/rand.Reader.
crypto/rand.Reader doesn't ensure that short reads don't happen. This
change contains a couple of fixups where io.ReadFull wasn't being used
with it.

Change-Id: I3855b81f5890f2e703112eeea804aeba07b6a6b8
Reviewed-on: https://go-review.googlesource.com/7645
Reviewed-by: Minux Ma <minux@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-03-18 00:37:48 +00:00
Joël Stemmer
ebe3d693d4 crypto/tls: return correct hash function when using client certificates in handshake
Commit f1d669aee9 added support for
AES_256_GCM_SHA384 cipher suites as specified in RFC5289. However, it
did not take the arbitrary hash function into account in the TLS client
handshake when using client certificates.

The hashForClientCertificate method always returned SHA256 as its
hashing function, even if it actually used a different one to calculate
its digest. Setting up the connection would eventually fail with the
error "tls: failed to sign handshake with client certificate:
crypto/rsa: input must be hashed message".

Included is an additional test for this specific situation that uses the
SHA384 hash.

Fixes #9808

Change-Id: Iccbf4ab225633471ef897907c208ad31f92855a3
Reviewed-on: https://go-review.googlesource.com/7040
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-03-16 23:38:51 +00:00
Nick Sullivan
0a048ce5e9 crypto/rsa: implement crypto.Decrypter
Decrypter is an interface to support opaque private keys that perform
decryption operations. This interface is analogous to the crypto.Signer
interface.

This change introduces the crypto.Decrypter interface and implements
the crypto.Decrypter interface for rsa.PrivateKey with both OAEP and
PKCS#1 v1.5 padding modes.

Change-Id: I433f649f84ed3c2148337d735cafd75f1d94a904
Reviewed-on: https://go-review.googlesource.com/3900
Reviewed-by: Adam Langley <agl@golang.org>
2015-03-16 23:15:08 +00:00
Joël Stemmer
1d0a9eb8ab crypto/tls: fix typo in tls handshake error
Change-Id: Ia9f39250619ea6e94157efceddfb2e02d35f3ae2
Reviewed-on: https://go-review.googlesource.com/7041
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
2015-03-06 18:18:40 +00:00
David Crawshaw
b1517c39fb crypto/x509: skip tests not made for darwin/arm
Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d
Reviewed-on: https://go-review.googlesource.com/6252
Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
2015-02-27 19:38:33 +00:00
Adam Langley
abf8bbb709 crypto/x509: make behaviour of absolute DNS names match Chromium.
Previously, we didn't handle absolute DNS names in certificates the same
way as Chromium, and we probably shouldn't diverge from major browsers.

Change-Id: I56a3962ad1002f68b5dbd65ae90991b82c2f5629
Reviewed-on: https://go-review.googlesource.com/5692
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-24 19:45:52 +00:00
Adam Langley
e7fae68540 crypto/x509: allow wildcards only as the first label.
RFC 6125 now specifies that wildcards are only allowed for the leftmost
label in a pattern: https://tools.ietf.org/html/rfc6125#section-6.4.3.

This change updates Go to match the behaviour of major browsers in this
respect.

Fixes #9834.

Change-Id: I37c10a35177133624568f2e0cf2767533926b04a
Reviewed-on: https://go-review.googlesource.com/5691
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-24 19:45:34 +00:00
Adam Langley
8f8d066bfd crypto/tls: allow larger initial records.
Some servers which misunderstood the point of the CertificateRequest
message send huge reply records. These records are large enough that
they were considered “insane” by the TLS code and rejected.

This change removes the sanity test for record lengths. Although the
maxCiphertext test still remains, just above, which (roughly) enforces
the 16KB protocol limit on record sizes:
https://tools.ietf.org/html/rfc5246#section-6.2.1

Fixes #8928.

Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-02-24 19:39:36 +00:00
Adam Langley
c2317db2f9 crypto/x509: don't reject certs with critical policy extensions.
There was a missing continue that caused certificates with critical
certificate-policy extensions to be rejected. Additionally, that code
structure in general was prone to exactly that bug so I changed it
around to hopefully be more robust in the future.

Fixes #9964.

Change-Id: I58fc6ef3a84c1bd292a35b8b700f44ef312ec1c1
Reviewed-on: https://go-review.googlesource.com/5670
Reviewed-by: Andrew Gerrand <adg@golang.org>
2015-02-24 19:36:52 +00:00
Adam Langley
7c7126cfeb crypto/rsa: drop the primality check in crypto/rsa.Validate.
This check is expensive and adversely impacts startup times for some
servers with several, large RSA keys.

It was nice to have, but it's not really going to stop a targetted
attack and was never designed to – hopefully people's private keys
aren't attacker controlled!

Overall I think the feeling is that people would rather have the CPU
time back.

Fixes #6626.

Change-Id: I0143a58c9f22381116d4ca2a3bbba0d28575f3e5
Reviewed-on: https://go-review.googlesource.com/5641
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
2015-02-24 00:46:19 +00:00
Russ Cox
c11dadc503 [dev.cc] crypto/md5, crypto/sha1: restore a few SP references
Applying my post-submit comments from CL 5120.
The rewrite there changed the code from writing to the stack
frame to writing below the stack frame.

Change-Id: Ie7e0563c0c1731fede2bcefeaf3c9d88a0cf4063
Reviewed-on: https://go-review.googlesource.com/5470
Reviewed-by: David Crawshaw <crawshaw@golang.org>
2015-02-20 18:54:29 +00:00
Russ Cox
b4a7806724 [dev.cc] all: merge master (5868ce3) into dev.cc
This time for sure!

Change-Id: I7e7ea24edb7c2f711489e162fb97237a87533089
2015-02-20 10:28:36 -05:00
David Crawshaw
b2c2bc4856 crypto/x509: embed certificates on darwin/arm
Change-Id: Ia6b06f19e5ac424f01a1b90b78b507363b0c4577
Reviewed-on: https://go-review.googlesource.com/5061
Reviewed-by: Josh Bleecher Snyder <josharian@gmail.com>
2015-02-18 14:19:17 +00:00
Rob Pike
345350bf07 [dev.cc] cmd/asm: make 4(SP) illegal except on 386
Require a name to be specified when referencing the pseudo-stack.
If you want a real stack offset, use the hardware stack pointer (e.g.,
R13 on arm), not SP.

Fix affected assembly files.

Change-Id: If3545f187a43cdda4acc892000038ec25901132a
Reviewed-on: https://go-review.googlesource.com/5120
Run-TryBot: Rob Pike <r@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Dave Cheney <dave@cheney.net>
2015-02-18 03:41:29 +00:00
Rob Pike
7fbfbca2c4 [dev.cc] crypto/md5: fix arm assembler in md5block_arm.s
The mechanical edit in the last round managed to miss ROUND1, among
other indgnities.

Change-Id: Ie3e19d00435a9e701b9872167e4bc7756a9fb5a5
Reviewed-on: https://go-review.googlesource.com/4870
Reviewed-by: Minux Ma <minux@golang.org>
2015-02-14 00:14:27 +00:00
Rob Pike
69ddb7a408 [dev.cc] all: edit assembly source for ARM to be more regular
Several .s files for ARM had several properties the new assembler will not support.
These include:

- mentioning SP or PC as a hardware register
	These are always pseudo-registers except that in some contexts
	they're not, and it's confusing because the context should not affect
	which register you mean. Change the references to the hardware
	registers to be explicit: R13 for SP, R15 for PC.
- constant creation using assignment
	The files say a=b when they could instead say #define a b.
	There is no reason to have both mechanisms.
- R(0) to refer to R0.
	Some macros use this to a great extent. Again, it's easy just to
	use a #define to rename a register.

Change-Id: I002335ace8e876c5b63c71c2560533eb835346d2
Reviewed-on: https://go-review.googlesource.com/4822
Reviewed-by: Dave Cheney <dave@cheney.net>
2015-02-13 23:08:51 +00:00
rubyist
32304fc970 crypto/x509: allow matchHostnames to work with absolute domain names
If an absolute domain name (i.e. ends in a '.' like "example.com.") is used
with ssl/tls, the certificate will be reported as invalid. In matchHostnames,
the host and patterns are split on '.' and if the lengths of the resulting
slices do not match, the function returns false. When splitting an absolute
domain name on '.', the slice will have an extra empty string at the end. This
empty string should be discarded before comparison, if present.

Fixes #9828

Change-Id: I0e39674b44a6f93b5024497e76cf1b550832a61d
Reviewed-on: https://go-review.googlesource.com/4380
Reviewed-by: Adam Langley <agl@golang.org>
TryBot: Adam Langley <agl@golang.org>
2015-02-11 01:20:35 +00:00
Péter Surányi
9b6ccb1323 all: don't refer to code.google.com/p/go{,-wiki}/
Only documentation / comment changes. Update references to
point to golang.org permalinks or go.googlesource.com/go.
References in historical release notes under doc are left as is.

Change-Id: Icfc14e4998723e2c2d48f9877a91c5abef6794ea
Reviewed-on: https://go-review.googlesource.com/4060
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-02-06 14:41:47 +00:00
Jacob H. Haven
f1d669aee9 crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289
Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256).
Testdata were all updated to correspond with the new cipher suites in the handshake.

Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f
Reviewed-on: https://go-review.googlesource.com/3265
Reviewed-by: Adam Langley <agl@golang.org>
2015-02-04 00:18:14 +00:00
Paul van Brouwershaven
f7e78aa586 crypto/x509/pkix: Parse and add additional elements in a DN
Additional elements in a DN can be added in via ExtraNames. This
option can also be used for sorting DN elements in a custom order.

Change-Id: Ie408d332de913dc2a33bdd86433be38abb7b55be
Reviewed-on: https://go-review.googlesource.com/2257
Reviewed-by: Adam Langley <agl@golang.org>
2015-02-03 21:56:08 +00:00
David Leon Gil
a8049f58f9 crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.

Fixes #9452

--

This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:

   - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
   - reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"

[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"

[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"

[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"

[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"

New tests:

  TestNonceSafety: Check that signatures are safe even with a
    broken entropy source.

  TestINDCCA: Check that signatures remain non-deterministic
    with a functional entropy source.

Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.

Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-28 01:39:51 +00:00
Adam Langley
35b8e511c2 Revert "crypto/ecdsa: make Sign safe with broken entropy sources"
This reverts commit 8d7bf2291b.

Change-Id: Iad2c74a504d64bcf7ca707b00bda29bc796a2ae9
Reviewed-on: https://go-review.googlesource.com/3320
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 22:31:32 +00:00
David Leon Gil
8d7bf2291b crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.

--

This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:

   - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
   - reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"

[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"

[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"

[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"

[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"

Fixes #9452

Tests:

  TestNonceSafety: Check that signatures are safe even with a
    broken entropy source.

  TestINDCCA: Check that signatures remain non-deterministic
    with a functional entropy source.

Change-Id: Ie7e04057a3a26e6becb80e845ecb5004bb482745
Reviewed-on: https://go-review.googlesource.com/2422
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 22:02:17 +00:00
Paul van Brouwershaven
fe40cdd756 crypto/x509: implement crypto.Signer
Signer is an interface to support opaque private keys.
These keys typically result from being kept in special hardware
(i.e. a TPM) although sometimes operating systems provide a
similar interface using process isolation for security rather
than hardware boundaries.

This changes provides updates implements crypto.Signer in
CreateCRL and CreateCertificate so that they can be used with
opaque keys.

This CL has been discussed at: http://golang.org/cl/145910043

Change-Id: Id7857fb9a3b4c957c7050b519552ef1c8e55461e
Reviewed-on: https://go-review.googlesource.com/3126
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-21 20:13:48 +00:00
Adam Langley
8bf6e09f4c Revert "crypto/x509: implement crypto.Signer"
This reverts commit cef15faafe.

Change-Id: I6df3e9ea48cd58893892587dd5cd28c1eb759c48
Reviewed-on: https://go-review.googlesource.com/3090
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-21 00:40:03 +00:00
Paul van Brouwershaven
4e7f06511a crypto/x509: Authority Key Identifier must be included in all CRLs issued
According to RFC5280 the authority key identifier extension MUST included in all
CRLs issued. This patch includes the authority key identifier extension when the
Subject Key Identifier is present in the signing certificate.

RFC5280 states:

"The authority key identifier extension provides a means of identifying the
public key corresponding to the private key used to sign a CRL.  The
identification can be based on either the key identifier (the subject key
identifier in the CRL signer's certificate) or the issuer name and serial
number.  This extension is especially useful where an issuer has more than one
signing key, either due to multiple concurrent key pairs or due to changeover."

Conforming CRL issuers MUST use the key identifier method, and MUST include this
extension in all CRLs issued."

This CL has been discussed at: http://golang.org/cl/177760043

Change-Id: I9bf50521908bfe777ea2398f154c13e8c90d14ad
Reviewed-on: https://go-review.googlesource.com/2258
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-20 23:46:40 +00:00
Paul van Brouwershaven
cef15faafe crypto/x509: implement crypto.Signer
Signer is an interface to support opaque private keys.
These keys typically result from being kept in special hardware
(i.e. a TPM) although sometimes operating systems provide a
similar interface using process isolation for security rather
than hardware boundaries.

This changes provides updates implements crypto.Signer in
CreateCRL and CreateCertificate so that they can be used with
opaque keys.

This CL has been discussed at: http://golang.org/cl/145910043

Change-Id: Ie4a4a583fb120ff484a5ccf267ecd2a9c5a3902b
Reviewed-on: https://go-review.googlesource.com/2254
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-20 23:45:06 +00:00
Adam Langley
2fe8eadc9a crypto/x509: write exact BitLength in ASN.1 encoding for certificate KeyUsage
The encoded value of the certificate KeyUsage did contain additonal padding
that was not present with other certificate generators. According to ITU-T
X.690 the BitLength value should have no padding in a DER encoding.

See discussion:
https://groups.google.com/forum/#!topic/golang-nuts/dzaJ3hMpDcs

This CL has been discussed at: http://golang.org/cl/168990043

Change-Id: I1eff3f441b0566966a2d279631901ad9287c917d
Reviewed-on: https://go-review.googlesource.com/2255
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-15 01:58:54 +00:00
Dave Cheney
3c7bdd4d76 crypto/x509: add cert SmartOS cert path
Fix SmartOS build that was broken in 682922908f.

SmartOS pretends to be Ubuntu/Debian with respect to its SSL
certificate location.

Change-Id: I5405c6472c8a1e812e472e7301bf6084c17549d6
Reviewed-on: https://go-review.googlesource.com/2704
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-01-14 05:07:37 +00:00
Brad Fitzpatrick
552080c72a crypto/tls: remove return parameter stutter
Per https://golang.org/s/style#named-result-parameters

Change-Id: If69d3e6d3dbef385a0f41e743fa49c25475ca40c
Reviewed-on: https://go-review.googlesource.com/2761
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-13 21:35:11 +00:00
Paul van Brouwershaven
083e04c3d9 crypto/x509: Correction of incrorrect default version number in TBSCertificateList and Certificate.CreateCRL
RFC5280 states:

"This optional field describes the version of the encoded CRL.  When
 extensions are used, as required by this profile, this field MUST be
 present and MUST specify version 2 (the integer value is 1)."

This CL has been discussed at: http://golang.org/cl/172560043

Change-Id: I8a72d7593d5ca6714abe9abd6a37437c3b69ab0f
Reviewed-on: https://go-review.googlesource.com/2259
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-12 22:09:50 +00:00