This change makes the Manager try creating a certificate
again, after a previously unsuccessful attempt.
The implementation is based on a timer, to prevent hitting
an ACME CA with too high QPS when under a heavy load.
The timer is hardcoded to 1 minute.
Fixes golang/go#17740.
Change-Id: I46a49201cf423be3360633a89209d7b2bccc1d76
Reviewed-on: https://go-review.googlesource.com/41694
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This is a breaking change.
This adds a new hostkey callback which takes the hostname field
restrictions into account when validating host certificates.
Prior to this, a known_hosts file with the following entry
    @cert-authority *.example.com ssh-rsa <example.com public key>
would, when passed to knownhosts.New() generate an ssh.HostKeyCallback
that would accept all host certificates signed by the example.com public
key, no matter what host the client was connecting to.
After this change, that known_hosts entry can only be used to validate
host certificates presented when connecting to hosts under *.example.com
This also renames IsAuthority to IsUserAuthority to make its intended
purpose more clear.
Change-Id: I7188a53fdd40a8c0bc21983105317b3498f567bb
Reviewed-on: https://go-review.googlesource.com/41751
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
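
The scoping rule described in the commit message above, as an added stdlib-only Go example (not the knownhosts package's code): a `@cert-authority` line's host patterns must match the dialed host before its CA key is trusted. `caEntry`, `parseCALine`, `wildcardMatch` and `trusts` are hypothetical names, and the CA key is a constructed placeholder string.

```go
package main

import "fmt"
import "strings"

// caEntry models one "@cert-authority <patterns> <keytype> <key>" line (hypothetical type).
type caEntry struct {
	patterns []string // host patterns the CA is allowed to vouch for
	caKey    string   // "<keytype> <key>", an opaque placeholder here
}

// parseCALine splits a @cert-authority line into its patterns and key text.
func parseCALine(line string) (caEntry, error) {
	f := strings.Fields(line)
	if len(f) < 4 || f[0] != "@cert-authority" {
		return caEntry{}, fmt.Errorf("not a cert-authority line: %q", line)
	}
	return caEntry{patterns: strings.Split(f[1], ","), caKey: f[2] + " " + f[3]}, nil
}

// wildcardMatch: '*' matches any run of characters, '?' exactly one.
func wildcardMatch(pat, s string) bool {
	if pat == "" {
		return s == ""
	}
	if pat[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if wildcardMatch(pat[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && (pat[0] == '?' || pat[0] == s[0]) && wildcardMatch(pat[1:], s[1:])
}

// trusts reports whether a host certificate signed by signer is acceptable for
// host. scoped=false is the old behaviour (CA key match only); scoped=true also
// requires host to match one of the entry's patterns.
func trusts(e caEntry, host, signer string, scoped bool) bool {
	if e.caKey != signer {
		return false
	}
	for _, p := range e.patterns {
		if !scoped || wildcardMatch(p, host) {
			return true
		}
	}
	return false
}

func main() {
	e, _ := parseCALine("@cert-authority *.example.com ssh-rsa CONSTRUCTED-CA-KEY")
	fmt.Println(trusts(e, "evil.test", e.caKey, false), trusts(e, "evil.test", e.caKey, true))
}
```
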
Spotted it thanks to a proposal in
https://github.com/golang/go/issues/19727.
Change-Id: I389a3fc0db3cf64fba41c3ecd70a236917ea8fa3
Reviewed-on: https://go-review.googlesource.com/41698
Run-TryBot: Sam Whited <sam@samwhited.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Sam Whited <sam@samwhited.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This change exposes a function to extract rate limit duration
from a client error using Retry-After response header.
Author: David Calavera <david.calavera@gmail.com>.
Fixes golang/go#19304.
Change-Id: Iec9cfab398b84c6f216b95d3265ffad1ce2f29a7
Reviewed-on: https://go-review.googlesource.com/37463
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
A cached cert data may be corrupted or simply contain an expired
certificate, which results in GetCertificate returning an error.
This change makes the Manager ignore those invalid and expired
cache entries, treating them as nonexistent.
Fixes golang/go#20035.
Change-Id: I5345291ecb1aab1cf19671cf0a383135c7102038
Reviewed-on: https://go-review.googlesource.com/41690
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
The correct curve name for ES512 signatures is P-521, not P-512.
Author: Matthew Endsley <mendsley@gmail.com>.
Fixes golang/go#18357.
Change-Id: I8d9ba046780921a9e1a5eaa947b9bcbd12e60e34
Reviewed-on: https://go-review.googlesource.com/34555
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Without this, autocert will panic with an unhelpful nil pointer inside
the acme client.
Reorganized the test suite's ACME server stub creation, as I needed to
be able to stand up a test where GetCertificate was expected to fail.
Change-Id: Ie5e19c6e7766b4578c9b3c16789d7b27bd3be163
Reviewed-on: https://go-review.googlesource.com/40951
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This change amends the default renewal to 30 days before cert expiration,
as recommended by various guides and the official LE documentation:
https://letsencrypt.readthedocs.io/en/latest/using.html#renewal
Fixes golang/go#19616.
Change-Id: I9cfadff936871794e2938304e9e5ab1b0e0353d6
Reviewed-on: https://go-review.googlesource.com/38358
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Ensures that it compiles and makes it more discoverable in godoc.
Change-Id: I50a3deb23110017d0eb16b1da0ac729a96ff2602
Reviewed-on: https://go-review.googlesource.com/40952
Run-TryBot: Alex Vaghin <ddos@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Consider the following code:
    var p *int
    a := []int{0, 1, 2, 3}
    for _, i := range a {
        if i == 1 {
            p = &i
        }
    }
    fmt.Println(*p) // Prints 3
This prints 3 because the variable i is the exact same variable across
all iterations of the loop. When the address is taken for some specific
iteration, the user's intent is to capture the value of i at that
given loop, but instead the value of i in the last loop is what remains.
A bug of this sort occurs in the check logic since the address of the
knownKey is taken, but is changed upon subsequent iterations of the
loop (which happens when there are multiple lines).
Change-Id: Ic626778cdcde3968dcff4fa5e7206274957dcb04
Reviewed-on: https://go-review.googlesource.com/40937
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
After receiving a badNonce error, the call can be safely retried. Nonce
errors can happen unexpectedly based on an unknown expiration date or
server-side changes. Rather than force the caller to handle these errors,
retryPostJWS will keep retrying until success or a different error.
According to the spec, the error returned should be
"urn:ietf:params:acme:error:badNonce", but the error that Let's Encrypt
returns is "urn:acme:error:badNonce" so we just check the suffix.
Fixes golang/go#19703
Change-Id: Id15012dff91e51d28ed8bc54f13a6212186cb7df
Reviewed-on: https://go-review.googlesource.com/40130
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
Fixes a nil pointer dereference that slipped through buildbots because
it was introduced by the last two commits.
Change-Id: Ib269e910956cd8b3b46e217b03fde1b61572260a
Reviewed-on: https://go-review.googlesource.com/40530
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The normal handshake kicks off with a waitSession(), which guarantees
that we never attempt to send data before the first kex is completed,
but ensuring readPacketsLeft > 0 and writePacketsLeft > 0 helps
understand that thresholds can never cause spurious rekeying at the
start of a connection.
Change-Id: If5bcafcda0c7d16fd21f22c664101ac5f5b487d7
Reviewed-on: https://go-review.googlesource.com/38696
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Simplify the constant swap function.
On amd64: Replace the CMOVQEQ scheme with SSE2 code similar to the non-amd64 code.
On non-amd64: Avoid unnecessary loop iterations.
The result is less and slightly faster code.
name              old time/op  new time/op  delta
ScalarBaseMult-4  653µs ± 0%   636µs ± 0%   ~        (p=0.100 n=3+3)
name              old time/op  new time/op  delta
ConstantSwap-4    10.4ns ± 1%  6.2ns ± 0%   -39.86%  (p=0.029 n=4+4)
On an i7-65000U
Change-Id: Ia5eea92e0b3eabb6c291d25229aa582b51278552
Reviewed-on: https://go-review.googlesource.com/39693
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This change breaks backwards compatibility.
MaxAuthTries specifies the maximum number of authentication attempts
permitted per connection. If set to a negative number, the server will
allow unlimited authentication attempts. MaxAuthTries defaults to 6 if
not specified, which is a backwards incompatible change. On exceeding
maximum authentication attempts, the server will send a disconnect
message to the client.
This configuration property mirrors a similar property in sshd_config
and prevents bad actors from continuously trying authentication.
Change-Id: Ic77d2c29ee2fd2ae5c764becf7df91d29d03131b
Reviewed-on: https://go-review.googlesource.com/35230
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The ctxhttp package used to be big and gross before net/http supported
contexts natively. Nowadays it barely does anything. Stop using it,
because it just pulls in the old context package anyway. (We can't
really clean up the ctxhttp package until Go 1.9)
Change-Id: I48b11f2f483783a32cbaa75e244301148a304c08
Reviewed-on: https://go-review.googlesource.com/40110
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
A certificate must have the Server Auth Extended Key Usage to be used
for TLS, and an ECDSA certificate must have the Digital Signature Key
Usage to be used at all (you can't encrypt to an ECDSA key).
crypto/tls ignores (E)KUs when serving certificates, and most browsers
do as well, so it works, but OpenSSL would refuse to serve these
certificates, and clients would be allowed to reject them.
Change-Id: I699e58e613f01077e6b67fdb9e789d46e1672112
Reviewed-on: https://go-review.googlesource.com/39913
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
This fixes weirdness when users use int64(-1) as sentinel value.
Also, really use cipher specific default thresholds. These were added
in a59c127441, but weren't taking
effect. Add a test.
Fixes golang/go#19639
Change-Id: Ie9518a0ff12fded2fca35465abb427d7a9f84340
Reviewed-on: https://go-review.googlesource.com/39431
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Previously, the public key authentication for clients would send an
enquiry to the remote for every key specified before attempting to
authenticate with the server.
Now, we immediately try to authenticate once a valid key is found.
This results in exchanging fewer packets if the valid key is near the
top of the list. If all keys fail, then the number of packets exchanged
by the client and server is unaffected.
For OpenSSH daemon, an enquiry into the validity of a key without
authentication is still recorded as an authentication attempt, so any
clients with more than MaxAuthTries public keys would not be able to
authenticate using the previous implementation. This change will allow
clients to succeed authentication if the successful key is at the start
of the list of keys.
Change-Id: I8ea42caf40c0864752218c3f6934e86b12f5b81a
Reviewed-on: https://go-review.googlesource.com/38890
Reviewed-by: Adam Langley <agl@golang.org>
The standard library context package has been available since Go 1.7,
and the Go build dashboard (build.golang.org) only tests master and
the past two releases.
Also, the acme package makes no backwards compatibility guarantees,
not that I expect this to influence many people.
Change-Id: Ia1a294212e1e531f28f53cd954d4743a64611cab
Reviewed-on: https://go-review.googlesource.com/39272
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This change breaks existing behavior.
Before, a missing ClientConfig.HostKeyCallback would cause host key
checking to be disabled. In this configuration, establishing a
connection to any host just works, so today, most SSH client code in
the wild does not perform any host key checks.
This makes it easy to perform a MITM attack:
* SSH installations that use keyboard-interactive or password
authentication can be attacked with MITM, thereby stealing
passwords.
* Clients that use public-key authentication with agent forwarding are
also vulnerable: the MITM server could allow the login to succeed, and
then immediately ask the agent to authenticate the login to the real
server.
* Clients that use public-key authentication without agent forwarding
are harder to attack unnoticedly: an attacker cannot authenticate the
login to the real server, so it cannot in general present a convincing
server to the victim.
Now, a missing HostKeyCallback will cause the handshake to fail. This
change also provides InsecureIgnoreHostKey() and FixedHostKey(key) as
ready made host checkers.
A simplistic parser for OpenSSH's known_hosts file is given as an
example. This change does not provide a full-fledged parser, as it
has complexity (wildcards, revocation, hashed addresses) that will
need further consideration.
When introduced, the host checking feature maintained backward
compatibility at the expense of security. We have decided this is not
the right tradeoff for the SSH library.
Fixes golang/go#19767
Change-Id: I45fc7ba9bd1ea29c31ec23f115cdbab99913e814
Reviewed-on: https://go-review.googlesource.com/38701
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
cryptobyte is a helper library for building and parsing byte strings,
specifically for TLS and ASN.1.
Change-Id: I046b94773f6781153784c79f3d81e6d464eaebe0
Reviewed-on: https://go-review.googlesource.com/36123
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Register BLAKE2s-256 if the package is imported.
Change-Id: Ib415ae641f21d863720bf9c089017ee97654a555
Reviewed-on: https://go-review.googlesource.com/36878
Reviewed-by: Matt Layher <mdlayher@gmail.com>
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Register BLAKE2b-256, BLAKE2b-384 and BLAKE2b-512 if the package is imported.
Change-Id: Iba425a62b42ed07219f7e56ff173ed5ae503704e
Reviewed-on: https://go-review.googlesource.com/36877
Reviewed-by: Matt Layher <mdlayher@gmail.com>
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Matt Layher <mdlayher@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This is the test that I use to sanity-check significant changes to the
package, thus it's probably worth checking it in. Since it's very slow,
it's disabled by default.
(Note that while it stands a good chance of catching errors in 32-bit
implementations, no amount of random testing is going to get useful
coverage for 64-bit implementations. Thus it really is just a sanity
check, despite the long run-time.)
Change-Id: I95b321eec6f3026dafbbc157a7ef35a27e88d247
Reviewed-on: https://go-review.googlesource.com/36566
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The test was assuming that the OCSP creation wouldn't cross a minute
boundary, which is flakey nonsense. Instead assert that the timestamp in
the OCSP response is within an hour of when we check it.
Change-Id: I3c822b738e9b04385319eb29a1cd275dc2ed112e
Reviewed-on: https://go-review.googlesource.com/36648
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Before this change, every JWS-signed request was preceded
by a HEAD request to fetch a fresh nonce.
The Client is now able to collect nonce values
from server responses and use them for future requests.
Additionally, this change also makes sure the client propagates
any error encountered during a fresh nonce fetch.
Fixes golang/go#18428.
Change-Id: I33d21b450351cf4d98e72ee6c8fa654e9554bf92
Reviewed-on: https://go-review.googlesource.com/36514
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
memCache used an unsynchronized map, which failed go test -race. Add a
mutex and constructor function to fix it.
Change-Id: Iddaa492ea1e3d7747965c6423368baa6556402ed
Reviewed-on: https://go-review.googlesource.com/36545
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The previous attempt would fail in the following scenario:
* select picks "first" kex from requestKex
* read loop receives a remote kex, posts on requestKex (which is now
empty) [*] for sending out a response, and sends pendingKex on startKex.
* select picks pendingKex from startKex, and proceeds to run the key
exchange.
* the posting on requestKex in [*] now triggers a second key exchange.
Fixes #18861.
Change-Id: I443e82f1d04c7f17d1485fdb87072b9feec26aa8
Reviewed-on: https://go-review.googlesource.com/36055
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
The ssh tests currently require 127.0.0.1 to work which isn't
necessarily available everywhere. To fix the source-address tests,
support comma-separated source-address values per the PROTOCOL.certkeys
file:
    Comma-separated list of source addresses
    from which this certificate is accepted
    for authentication. Addresses are
    specified in CIDR format (nn.nn.nn.nn/nn
    or hhhh::hhhh/nn).
    If this option is not present then
    certificates may be presented from any
    source address.
Change-Id: I87536ff81ffa005c073da103021ebc0dfb12b620
Reviewed-on: https://go-review.googlesource.com/36110
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
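
The source-address rule quoted from PROTOCOL.certkeys above, as an added stdlib-only Go example (not the x/crypto/ssh implementation). `sourceAddressAllowed` and its `present` flag are hypothetical, and the addresses in `main` are constructed samples; failing closed on a malformed entry is a choice made for this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// sourceAddressAllowed checks a client address against a certificate's
// "source-address" option: a comma-separated list of CIDR blocks.
// present=false models a certificate without the option, which may be
// presented from any source address.
func sourceAddressAllowed(option string, present bool, remote string) (bool, error) {
	if !present {
		return true, nil
	}
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return false, fmt.Errorf("bad remote address %q: %w", remote, err)
	}
	addr = addr.Unmap() // compare ::ffff:a.b.c.d as plain IPv4
	allowed := false
	for _, item := range strings.Split(option, ",") {
		prefix, err := netip.ParsePrefix(item)
		if err != nil {
			// Fail closed: one malformed entry rejects the whole option,
			// so a typo cannot silently widen or skip the restriction.
			return false, fmt.Errorf("bad source-address entry %q: %w", item, err)
		}
		if prefix.Contains(addr) {
			allowed = true
		}
	}
	return allowed, nil
}

func main() {
	// Constructed sample: loopback permitted over both IPv4 and IPv6.
	for _, remote := range []string{"127.0.0.1", "::1", "10.1.2.3"} {
		ok, err := sourceAddressAllowed("127.0.0.1/32,::1/128", true, remote)
		fmt.Println(remote, ok, err)
	}
}
```
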