Issue 48580043: code review 48580043: crypto/tls: support renegotiation extension.

Issue 48580043: code review 48580043: crypto/tls: support renegotiation extension. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
11 years, 5 months ago by agl1

Modified:
11 years, 5 months ago

Reviewers:
mikio

CC:
golang-codereviews, mikio

Visibility:
Public.

Description

crypto/tls: support renegotiation extension. The renegotiation extension was introduced[1] due to an attack by Ray in which a client's handshake was spliced into a connection that was renegotiating, thus giving an attacker the ability to inject an arbitary prefix into the connection. Go has never supported renegotiation as a server and so this attack doesn't apply. As a client, it's possible that at some point in the future the population of servers will be sufficiently updated that it'll be possible to reject connections where the server hasn't demonstrated that it has been updated to address this problem. We're not at that point yet, but it's good for Go servers to support the extension so that it might be possible to do in the future. [1] https://tools.ietf.org/search/rfc5746

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+2941 lines, -2885 lines)			Patch
M	src/pkg/crypto/tls/common.go	View	1	3 chunks	+9 lines, -3 lines	0 comments	Download
M	src/pkg/crypto/tls/handshake_client.go	View	1	1 chunk	+9 lines, -8 lines	0 comments	Download
M	src/pkg/crypto/tls/handshake_messages.go	View	1 2	13 chunks	+68 lines, -29 lines	0 comments	Download
M	src/pkg/crypto/tls/handshake_server.go	View	1	1 chunk	+1 line, -0 lines	0 comments	Download
M	src/pkg/crypto/tls/handshake_server_test.go	View	1	1 chunk	+2 lines, -2 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA	View	1	2 chunks	+74 lines, -74 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA	View	1	2 chunks	+66 lines, -66 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ClientCert-RSA-ECDSA	View	1	2 chunks	+81 lines, -81 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ClientCert-RSA-RSA	View	1	2 chunks	+73 lines, -73 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ECDHE-ECDSA-AES	View	1	1 chunk	+72 lines, -71 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-ECDHE-RSA-AES	View	1	1 chunk	+82 lines, -82 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv10-RSA-RC4	View	1	2 chunks	+64 lines, -63 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv11-ECDHE-ECDSA-AES	View	1	2 chunks	+72 lines, -71 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv11-ECDHE-RSA-AES	View	1	2 chunks	+82 lines, -82 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv11-RSA-RC4	View	1	2 chunks	+64 lines, -63 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA	View	1	2 chunks	+78 lines, -77 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA	View	1	2 chunks	+68 lines, -68 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-ECDSA	View	1	2 chunks	+84 lines, -83 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA	View	1	2 chunks	+75 lines, -75 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES	View	1	2 chunks	+72 lines, -72 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM	View	1	1 chunk	+69 lines, -69 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-ECDHE-RSA-AES	View	1	2 chunks	+82 lines, -82 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Client-TLSv12-RSA-RC4	View	1	2 chunks	+64 lines, -63 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-SSLv3-RSA-3DES	View	1	1 chunk	+78 lines, -77 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-SSLv3-RSA-AES	View	1	1 chunk	+79 lines, -78 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-SSLv3-RSA-RC4	View	1	1 chunk	+74 lines, -73 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES	View	1	1 chunk	+88 lines, -87 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv10-RSA-3DES	View	1	1 chunk	+74 lines, -73 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv10-RSA-AES	View	1	1 chunk	+77 lines, -76 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv10-RSA-RC4	View	1	1 chunk	+71 lines, -70 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv11-RSA-RC4	View	1	1 chunk	+71 lines, -70 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceECDSA	View	1	2 chunks	+37 lines, -44 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceRSA	View	1	2 chunks	+44 lines, -51 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven	View	1	2 chunks	+84 lines, -84 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven	View	1	2 chunks	+84 lines, -83 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedNotGiven	View	1	1 chunk	+75 lines, -74 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES	View	1	1 chunk	+90 lines, -89 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-IssueTicket	View	1	1 chunk	+79 lines, -79 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-RSA-3DES	View	1	1 chunk	+77 lines, -76 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-RSA-AES	View	1	1 chunk	+79 lines, -78 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-RSA-AES-GCM	View	1	1 chunk	+96 lines, -96 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-RSA-RC4	View	1	1 chunk	+74 lines, -73 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-Resume	View	1	1 chunk	+31 lines, -30 lines	0 comments	Download
M	src/pkg/crypto/tls/testdata/Server-TLSv12-SNI	View	1	1 chunk	+68 lines, -67 lines	0 comments	Download

Messages

Total messages: 5

Expand All Messages | Collapse All Messages

agl1

Hello golang-dev@googlegroups.com (cc: golang-codereviews@googlegroups.com), I'd like you to review this change to https://code.google.com/p/go/

11 years, 5 months ago (2014-01-07 23:13:25 UTC) #1

gobot

Replacing golang-dev with golang-codereviews. To the author of this CL: If you are using 'hg ...

11 years, 5 months ago (2014-01-07 23:16:48 UTC) #2

mikio

LGTM You can refer to RFC 5746 in the CL description but people who want ...

11 years, 5 months ago (2014-01-09 10:56:28 UTC) #3

agl1

11 years, 5 months ago (2014-01-09 18:38:19 UTC) #5

*** Submitted as https://code.google.com/p/go/source/detail?r=f1e918132139 ***

crypto/tls: support renegotiation extension.

The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://codereview.appspot.com/48580043

Expand All Messages | Collapse All Messages