This fixes the following vulnerability scenario:
* Victim logs into SAFE-HOST on SAFE-IP-ADDRESS regularly.
* Victim is cajoled into connecting to attacker controlled
ATTACK-HOST, on ATTACK-IP-ADDRESS. ATTACK-HOST uses a different host
key type (e.g. Ed25519 vs RSA). The new key is added at the end of
known_hosts.
* Attacker makes DNS system return ATTACK-IP-ADDRESS for SAFE-HOST.
* Victim logs into SAFE-HOST, but is not warned because the host key
matches ATTACK-IP-ADDRESS.
For this attack to work, the key type has to be different, because
knownhosts gives precedence to the first key found for each type. Add
a test that asserts this behavior.
The new semantics simplify the code, but callers that modify
.ssh/known_host interactively must now take an extra step to remain
OpenSSH compatible: on successful login, the IP address must be
checked without hostname, and if it is not known, added separately to
the known_hosts file, so future logins that use an IP address only
will be protected too.
Thanks to Daniel Parks <security@demonhorse.net> for finding this
vulnerability.
Change-Id: I62b1b60ceb02e2f583a4657213feac1a8885dd42
Reviewed-on: https://go-review.googlesource.com/104939
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
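A constructed Go model of the rule described above (not the knownhosts package's own code): `lookup` gives precedence to the first entry of each key type, `check` consults only the hostname when one is given, and `afterLogin` is the separate IP-only step callers now take after a successful login. The entries, key strings and addresses are made up for the example.

```go
package main

import "fmt"

type entry struct {
	hosts   []string // hostnames and/or IPs, comma-separated in the file (constructed type)
	keyType string
	key     string
}

// lookup checks one address: first entry per key type wins; "ok", "mismatch" or "unknown".
func lookup(db []entry, addr, keyType, key string) string {
	seen, known := map[string]bool{}, false
	for _, e := range db {
		for _, h := range e.hosts {
			if h != addr || seen[e.keyType] {
				continue
			}
			known, seen[e.keyType] = true, true
			if e.keyType == keyType && e.key == key {
				return "ok"
			}
		}
	}
	if !known {
		return "unknown"
	}
	return "mismatch"
}

// check is the fixed rule: only the hostname is consulted when one is given,
// so a key recorded for the resolved IP can no longer vouch for the hostname.
func check(db []entry, host, ip, keyType, key string) string {
	if host == "" {
		host = ip
	}
	return lookup(db, host, keyType, key)
}

// afterLogin is the caller's extra step: check the IP alone and record it
// separately when unknown, so later IP-only logins stay protected too.
func afterLogin(db []entry, ip, keyType, key string) []entry {
	if lookup(db, ip, keyType, key) == "unknown" {
		db = append(db, entry{[]string{ip}, keyType, key})
	}
	return db
}

func main() {
	db := []entry{{[]string{"safe-host", "192.0.2.10"}, "ssh-rsa", "K_SAFE"}, {[]string{"203.0.113.5"}, "ssh-ed25519", "K_ATTACK"}}
	fmt.Println(check(db, "safe-host", "203.0.113.5", "ssh-ed25519", "K_ATTACK")) // mismatch
}
```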
The extra Close call runs in a separate goroutine, and races with the
deferred Close call, leading to test flakes if the extra call fails
Change-Id: Ia1a2fb3932906da7cd0a8854b55f82785bb33716
Reviewed-on: https://go-review.googlesource.com/104335
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
The marshal method allows the hash's internal state to be serialized and
unmarshaled at a later time, without having to re-write the entire stream
of data that was already written to the hash.
Fixes golang/go#24548
Change-Id: I82358c34181fc815f85d5d1509fb2fe0e62e40bd
Reviewed-on: https://go-review.googlesource.com/103241
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
This change adds the equivalents of crypto_sign, crypto_sign_open and
crypto_sign_keypair in TweetNaCl and libsodium using the Ed25519 system.
The original NaCl codebase does not contain functions with identical
semantics but its documentation stated the intent of using Ed25519 in
future releases.
Fixes golang/go#24350
Change-Id: I4c3c86b4875f2f718ad9299c2274b4ad9e11fbeb
Reviewed-on: https://go-review.googlesource.com/100578
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Currently, the renewal flow will check the cache before renewing to make
sure it is actually necessary. This change modifies this flow to update
the local state so the cached cert is actually used by the manager.
Fixes golang/go#22960
Change-Id: I16668e8098616190938ee52858294b59bc1a5160
Reviewed-on: https://go-review.googlesource.com/89995
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
MPIs are (supposed to be) stripped of leading zeroes. Avoid passing
such short values into crypto/rsa, even if it currently happens to work.
Change-Id: I5a5f4813b8358e83fcc2deeda1272d2733814542
Reviewed-on: https://go-review.googlesource.com/100844
Reviewed-by: Adam Langley <agl@golang.org>
Rather than rounding the `type || X || Y` byte sequence to the next
8-bit boundary, packet.NewECDSAPublicKey() now rounds the X and Y
coordinates individually, then adds the bitlength 3 of type 4
(compressed). For NIST P-256, this leads to a bit length of 515,
rather than 520. GnuPG calculates 515 as well, and
https://tools.ietf.org/html/rfc6637#section-6 explicitly states that
"the exact size of the MPI payload is 515 bits for 'Curve P-256,'"
so the new formula is consistent.
Fixes golang/go#23460
Change-Id: I64b340d1c761bfd795a1a64dc2f7a831c8b2ff32
Reviewed-on: https://go-review.googlesource.com/87995
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in
the range [0, order) in order to prevent signature malleability. This is
a new requirement in the RFC so the ed25519 package predates it. This
change aligns the code with the RFC.
The linked bug says that libsodium is also enforcing this check by
default.
See golang/go#24350
Change-Id: Ib69ce7c9e5a58971cbe225318d9fd87660bd5e4b
Reviewed-on: https://go-review.googlesource.com/100436
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
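An added Go example (not the ed25519 package's own code) of the RFC 8032 section 5.1.7 range check: `canonicalS` rejects any S at or above the group order l, and `withSPlusOrder` builds the malleated test vector that only this check distinguishes from a valid signature. The key and message are constructed; Go's standard crypto/ed25519 already enforces the check, which the example confirms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/big"
)

// order is the Ed25519 group order l = 2^252 + 27742317777372353535851937790883648493.
var order, _ = new(big.Int).SetString(
	"7237005577332262213973186563042994240857116359379907606001950938285454250989", 10)

// sToInt reads the little-endian S half (bytes 32..63) of a signature.
func sToInt(sig []byte) *big.Int {
	be := make([]byte, 32)
	for i := range be {
		be[i] = sig[63-i] // big.Int wants big-endian
	}
	return new(big.Int).SetBytes(be)
}

// canonicalS reports whether S lies in [0, l), the RFC 8032 section 5.1.7
// requirement that rules out signature malleability.
func canonicalS(sig []byte) bool {
	return len(sig) == ed25519.SignatureSize && sToInt(sig).Cmp(order) < 0
}

// withSPlusOrder builds the malleated test vector: S + l satisfies the same
// verification equation mod l, so only the range check tells it apart.
func withSPlusOrder(sig []byte) []byte {
	out := append([]byte(nil), sig...)
	be := new(big.Int).Add(sToInt(sig), order).FillBytes(make([]byte, 32))
	for i := range be {
		out[63-i] = be[i] // back to little-endian
	}
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed message")
	sig := ed25519.Sign(priv, msg)
	bad := withSPlusOrder(sig)
	fmt.Println(canonicalS(sig), ed25519.Verify(pub, msg, sig)) // true true
	fmt.Println(canonicalS(bad), ed25519.Verify(pub, msg, bad)) // false false
}
```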
TestMakeRawState currently fails on Solaris:
--- FAIL: TestMakeRawState (0.00s)
terminal_test.go:334: states do not match; was &{0xc420015dd0}, expected &{0xc420015da0}
Change terminal.State to include a copy of the unix.Termios (like the
implementation for Linux and the BSDs) which also makes terminal.MakeRaw behave
as expected and lets TestMakeRawState pass.
Change-Id: I29382f83b84ff301991e1db170f32f41e144aec8
Reviewed-on: https://go-review.googlesource.com/99456
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Directly use unix.IoctlSetTermios and windows.SetConsoleMode instead of
wrapping them with a closure.
Change-Id: I6309253fbb6e59e029424273b48aaa608873ea17
Reviewed-on: https://go-review.googlesource.com/99455
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
"At Let's Encrypt, we are seeing clients in the wild that continue
polling their challenges long after those challenges have expired and
started serving 404."
The 4xx response code errors are client errors and should not be
retried.
Fixes golang/go#24145
Change-Id: I012c584fc4defd3a0d64a653860c35705c5c6653
Reviewed-on: https://go-review.googlesource.com/97695
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
yet.
Since ServerAuthError returns all errors collected during the
userAuthLoop, it will always include the generic error "no auth passed
yet" (assuming the connection fails).
Change-Id: I5f6c67f3f0762b023618178d4028600d2b6c9253
Reviewed-on: https://go-review.googlesource.com/92737
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The openpgp package promotes bad defaults by not setting the
preferred cipher and hash of new entities created by
`openpgp.NewEntity`.
The preferred hash can be set by passing a `packet.Config`
with a `DefaultHash` set, but the same cannot be done for
the preferred cipher.
This change copies the DefaultCipher into the self-signature, similar to
DefaultHash.
Change-Id: I80e1289d67b7cd4079be8c1d5ba603a555dbe5c1
Reviewed-on: https://go-review.googlesource.com/66430
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Confusingly, `Identity.Name` should actually refer to `uid.Id` and not
`uid.Name`. This fixes the code in NewEntity, and creates a test case to
verify.
Change-Id: Id46de876fc7b0359faecfeb9b09a8e454710d485
Reviewed-on: https://go-review.googlesource.com/92595
Reviewed-by: Adam Langley <agl@golang.org>
The existing client side authentication does not handle correctly
the partial success flag in SSH_MSG_USERAUTH_FAILURE authentication
responses.
This commit fixes two problems in the ssh library:
1) RetryableAuthMethod() now breaks out from the retry loop and
returns when underlying auth method fails with partial success
set to true.
2) Bookkeeping of tried (and failed) auth methods in
clientAuthenticate() does not mark an auth method failed if it
fails with partial success set to true.
Fixes golang/go#23461
Change-Id: Ib2e1a1d54bfe2549496199bb2f66ebbce58d130d
Reviewed-on: https://go-review.googlesource.com/88035
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
This change exports the Argon2 variant Argon2id and improves documentation.
The following parameter recommendations are added:
- Argon2i:
time=3 and max. memory for non-interactive scenarios as recommended by the
RFC draft https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-9.3
- Argon2id:
time=2 and memory=64MB for interactive scenarios as used by libsodium >= 1.0.9
https://download.libsodium.org/doc/password_hashing/the_argon2i_function.html
time=1 and max. memory for non-interactive scenarios as recommended by the
RFC draft linked above.
Fixes golang/go#23602
Change-Id: Ia4d537e6126e5aff1243f2b5579df6bc8edb851a
Reviewed-on: https://go-review.googlesource.com/91935
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
os.NewFile assigns a finalizer to close the file handle
passed into ReadPassword, but that is not expected.
Make a duplicate of the original file handle, and pass
the copy into ReadPassword instead.
Fixes golang/go#23525
Change-Id: I4d6725e9a1cc20defd1b58afc383e35a7f9ee4e9
Reviewed-on: https://go-review.googlesource.com/89395
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
Run-TryBot: Alex Brainman <alex.brainman@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Incomplete reads leave (part of) the verification tag zeroed, leading
to a failing MAC, and this is more likely to happen with larger
packets. The test added in the previous commit should stop this from
regressing.
Reinstate chacha20-poly1305 as a default cipher and prefer it over AES
CTR flavors.
Fixes golang/go#23510
Change-Id: I7599897e59448edb7b814eebcc8226ea15b365d6
Reviewed-on: https://go-review.googlesource.com/89075
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This effectively disables the cipher.
Add a test against OpenSSH which sends larger packets through the
tested ciphers. This reproduces the problem reported in golang/go#23510
Change-Id: I4b124c690c409c6a0af2621e58a964ff55815f57
Reviewed-on: https://go-review.googlesource.com/88995
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
The change fixes argon2_test build failure which currently
reads as follows when built with gccgo:
./argon2/blamka_ref.go:9:1: error: redefinition of 'processBlock'
func processBlock(out, in1, in2 *block) {
^
./argon2/blamka_amd64.go:53:1: note: previous definition of 'processBlock' was here
func processBlock(out, in1, in2 *block) {
^
./argon2/blamka_ref.go:13:1: error: redefinition of 'processBlockXOR'
func processBlockXOR(out, in1, in2 *block) {
^
./argon2/blamka_amd64.go:57:1: note: previous definition of 'processBlockXOR' was here
func processBlockXOR(out, in1, in2 *block) {
^
Change-Id: I5c1d7360a2a91a2ac27273a5c1da2a139b1537a7
Reviewed-on: https://go-review.googlesource.com/88455
Run-TryBot: Alex Vaghin <ddos@google.com>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
chacha20-poly1305 is an AEAD which performs well without hardware
support. It is recommended as a replacement for the aging arcfour128
and arcfour256 ciphers.
Fixes golang/go#9489
Change-Id: I5d5a4620a435e65997f0ba7e683a34c29d9a396b
Reviewed-on: https://go-review.googlesource.com/87077
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
The Manager now loops through known challenge types,
trying to fulfill one at a time until it succeeds or runs out
of supported challenges.
The provisioning of "http-01" challenges can be done
using the new Manager.HTTPHandler method.
It requires listening on unencrypted port 80.
Fixes golang/go#21890
Change-Id: I55de9501f0069a9f460fedd8b5b0a09b94f9ef05
Reviewed-on: https://go-review.googlesource.com/87201
Run-TryBot: Alex Vaghin <ddos@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes golang/go#23194
During SSH Protocol Version Exchange, a client may send metadata lines
prior to sending the SSH version string. To conform to the RFC, all SSH
implementations must support this (minimally, clients can ignore the
metadata lines).
For example, this is valid:
some-metadata
SSH-2.0-OpenSSH
The current Go implementation takes the first line it sees as
the version string (in this case, some-metadata). Then, it uses
the next line (SSH-2.0-OpenSSH) as part of key exchange, which
is guaranteed to fail.
Unfortunately, this SSH feature is used by some vendors and is part
of the official RFC: https://tools.ietf.org/html/rfc4253#section-4.2
Change-Id: I7be61700a07756353875bf43aad09a580ba533ff
Reviewed-on: https://go-review.googlesource.com/86675
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
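An added Go reader for the identification exchange (not the ssh package's own code) that skips lines sent before the version string, as RFC 4253 section 4.2 allows, instead of taking the first line as the version. The caps on line length and on the number of ignored lines are constructed bounds so a peer cannot make the reader consume input indefinitely.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

const (
	maxLine  = 255 // RFC 4253 section 4.2: identification string at most 255 chars including CR LF
	maxLines = 100 // constructed cap on pre-version lines that will be ignored
)

// readVersion returns the peer's identification string without its line
// terminator, ignoring any metadata lines that precede it.
func readVersion(r io.Reader) (string, error) {
	br := bufio.NewReader(r)
	for n := 0; n < maxLines; n++ {
		line, err := br.ReadString('\n')
		if err != nil && line == "" {
			return "", err // stream ended before any "SSH-" line
		}
		if len(line) > maxLine {
			return "", errors.New("identification line too long")
		}
		line = strings.TrimRight(line, "\r\n")
		if strings.HasPrefix(line, "SSH-") {
			return line, nil
		}
		// Anything else is pre-version metadata and is skipped.
	}
	return "", errors.New("no SSH version string within line budget")
}

func main() {
	v, err := readVersion(strings.NewReader("some-metadata\r\nSSH-2.0-OpenSSH\r\n"))
	fmt.Println(v, err) // SSH-2.0-OpenSSH <nil>
}
```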
This exposes the chacha20 stream cipher to the entire x/crypto
package, and in particular to the SSH package, which uses separate,
unauthenticated chacha20 encryption for packet lengths.
Change-Id: I0b705482128f0657c09292370f03d08b588f7fec
Reviewed-on: https://go-review.googlesource.com/87075
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This change fixes an incorrect key derivation if the
degree of parallelism is greater than 1.
This change adds additional test vectors generated by the
https://github.com/P-H-C/phc-winner-argon2 CLI.
Fixes golang/go#23200
Change-Id: I8add8382b9e9ebbf9a70493050867c9af4ed6aa7
Reviewed-on: https://go-review.googlesource.com/85055
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Add benchmarks for PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256.
This is to help measure the crypto/hmac changes in CL 27458.
Change-Id: I17ef12f3a4641ba44f7bb917a9d87a3ed7c97c67
Reviewed-on: https://go-review.googlesource.com/84380
Reviewed-by: Filippo Valsorda <hi@filippo.io>
This CL adds the package argon2. The argon2 package implements
the Argon2 PBKDF family (Argon2i, Argon2d, Argon2id).
Argon2 is a memory-hard key derivation function and is specified
at https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
It can be used to derive cryptographic keys with high entropy from low
entropy passwords.
Fixes golang/go#19896
Change-Id: I5b099682a8e3d7569ad18400cebddefc99a7e22f
Reviewed-on: https://go-review.googlesource.com/82575
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>