summaryrefslogtreecommitdiff
path: root/src/pkg/crypto/tls
diff options
context:
space:
mode:
Diffstat (limited to 'src/pkg/crypto/tls')
-rw-r--r--src/pkg/crypto/tls/conn.go4
-rw-r--r--src/pkg/crypto/tls/generate_cert.go8
-rw-r--r--src/pkg/crypto/tls/handshake_client.go6
-rw-r--r--src/pkg/crypto/tls/handshake_server.go6
-rw-r--r--src/pkg/crypto/tls/key_agreement.go33
-rw-r--r--src/pkg/crypto/tls/tls.go8
6 files changed, 33 insertions, 32 deletions
diff --git a/src/pkg/crypto/tls/conn.go b/src/pkg/crypto/tls/conn.go
index 097e182bd..fac65afd9 100644
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -790,10 +790,10 @@ func (c *Conn) VerifyHostname(host string) os.Error {
c.handshakeMutex.Lock()
defer c.handshakeMutex.Unlock()
if !c.isClient {
- return os.ErrorString("VerifyHostname called on TLS server connection")
+ return os.NewError("VerifyHostname called on TLS server connection")
}
if !c.handshakeComplete {
- return os.ErrorString("TLS handshake has not yet been performed")
+ return os.NewError("TLS handshake has not yet been performed")
}
return c.peerCertificates[0].VerifyHostname(host)
}
diff --git a/src/pkg/crypto/tls/generate_cert.go b/src/pkg/crypto/tls/generate_cert.go
index f46188879..41206e276 100644
--- a/src/pkg/crypto/tls/generate_cert.go
+++ b/src/pkg/crypto/tls/generate_cert.go
@@ -8,8 +8,10 @@
package main
import (
- "crypto/rsa"
+ "big"
+ "crypto/x509/pkix"
"crypto/rand"
+ "crypto/rsa"
"crypto/x509"
"encoding/pem"
"flag"
@@ -32,8 +34,8 @@ func main() {
now := time.Seconds()
template := x509.Certificate{
- SerialNumber: []byte{0},
- Subject: x509.Name{
+ SerialNumber: new(big.Int).SetInt64(0),
+ Subject: pkix.Name{
CommonName: *hostName,
Organization: []string{"Acme Co"},
},
diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go
index c758c96d4..15604cea7 100644
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -40,7 +40,7 @@ func (c *Conn) clientHandshake() os.Error {
_, err := io.ReadFull(c.config.rand(), hello.random[4:])
if err != nil {
c.sendAlert(alertInternalError)
- return os.ErrorString("short read from Rand")
+ return os.NewError("short read from Rand")
}
finishedHash.Write(hello.marshal())
@@ -69,7 +69,7 @@ func (c *Conn) clientHandshake() os.Error {
if !hello.nextProtoNeg && serverHello.nextProtoNeg {
c.sendAlert(alertHandshakeFailure)
- return os.ErrorString("server advertised unrequested NPN")
+ return os.NewError("server advertised unrequested NPN")
}
suite, suiteId := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
@@ -92,7 +92,7 @@ func (c *Conn) clientHandshake() os.Error {
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
c.sendAlert(alertBadCertificate)
- return os.ErrorString("failed to parse certificate from server: " + err.String())
+ return os.NewError("failed to parse certificate from server: " + err.String())
}
certs[i] = cert
}
diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index e9431c6fa..44a324041 100644
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -173,7 +173,7 @@ FindCipherSuite:
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
c.sendAlert(alertBadCertificate)
- return os.ErrorString("could not parse client's certificate: " + err.String())
+ return os.NewError("could not parse client's certificate: " + err.String())
}
certs[i] = cert
}
@@ -182,7 +182,7 @@ FindCipherSuite:
for i := 1; i < len(certs); i++ {
if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
c.sendAlert(alertBadCertificate)
- return os.ErrorString("could not validate certificate signature: " + err.String())
+ return os.NewError("could not validate certificate signature: " + err.String())
}
}
@@ -229,7 +229,7 @@ FindCipherSuite:
err = rsa.VerifyPKCS1v15(pub, crypto.MD5SHA1, digest, certVerify.signature)
if err != nil {
c.sendAlert(alertBadCertificate)
- return os.ErrorString("could not validate signature of connection nonces: " + err.String())
+ return os.NewError("could not validate signature of connection nonces: " + err.String())
}
finishedHash.Write(certVerify.marshal())
diff --git a/src/pkg/crypto/tls/key_agreement.go b/src/pkg/crypto/tls/key_agreement.go
index 84f90c45a..48472fb6a 100644
--- a/src/pkg/crypto/tls/key_agreement.go
+++ b/src/pkg/crypto/tls/key_agreement.go
@@ -32,11 +32,11 @@ func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKe
}
if len(ckx.ciphertext) < 2 {
- return nil, os.ErrorString("bad ClientKeyExchange")
+ return nil, os.NewError("bad ClientKeyExchange")
}
ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])
if ciphertextLen != len(ckx.ciphertext)-2 {
- return nil, os.ErrorString("bad ClientKeyExchange")
+ return nil, os.NewError("bad ClientKeyExchange")
}
ciphertext := ckx.ciphertext[2:]
@@ -54,7 +54,7 @@ func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKe
}
func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) os.Error {
- return os.ErrorString("unexpected ServerKeyExchange")
+ return os.NewError("unexpected ServerKeyExchange")
}
func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, os.Error) {
@@ -146,7 +146,7 @@ Curve:
md5sha1 := md5SHA1Hash(clientHello.random, hello.random, serverECDHParams)
sig, err := rsa.SignPKCS1v15(config.rand(), config.Certificates[0].PrivateKey, crypto.MD5SHA1, md5sha1)
if err != nil {
- return nil, os.ErrorString("failed to sign ECDHE parameters: " + err.String())
+ return nil, os.NewError("failed to sign ECDHE parameters: " + err.String())
}
skx := new(serverKeyExchangeMsg)
@@ -162,11 +162,11 @@ Curve:
func (ka *ecdheRSAKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKeyExchangeMsg) ([]byte, os.Error) {
if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {
- return nil, os.ErrorString("bad ClientKeyExchange")
+ return nil, os.NewError("bad ClientKeyExchange")
}
x, y := ka.curve.Unmarshal(ckx.ciphertext[1:])
if x == nil {
- return nil, os.ErrorString("bad ClientKeyExchange")
+ return nil, os.NewError("bad ClientKeyExchange")
}
x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)
preMasterSecret := make([]byte, (ka.curve.BitSize+7)>>3)
@@ -176,12 +176,14 @@ func (ka *ecdheRSAKeyAgreement) processClientKeyExchange(config *Config, ckx *cl
return preMasterSecret, nil
}
+var errServerKeyExchange = os.NewError("invalid ServerKeyExchange")
+
func (ka *ecdheRSAKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) os.Error {
if len(skx.key) < 4 {
- goto Error
+ return errServerKeyExchange
}
if skx.key[0] != 3 { // named curve
- return os.ErrorString("server selected unsupported curve")
+ return os.NewError("server selected unsupported curve")
}
curveid := uint16(skx.key[1])<<8 | uint16(skx.key[2])
@@ -193,39 +195,36 @@ func (ka *ecdheRSAKeyAgreement) processServerKeyExchange(config *Config, clientH
case curveP521:
ka.curve = elliptic.P521()
default:
- return os.ErrorString("server selected unsupported curve")
+ return os.NewError("server selected unsupported curve")
}
publicLen := int(skx.key[3])
if publicLen+4 > len(skx.key) {
- goto Error
+ return errServerKeyExchange
}
ka.x, ka.y = ka.curve.Unmarshal(skx.key[4 : 4+publicLen])
if ka.x == nil {
- goto Error
+ return errServerKeyExchange
}
serverECDHParams := skx.key[:4+publicLen]
sig := skx.key[4+publicLen:]
if len(sig) < 2 {
- goto Error
+ return errServerKeyExchange
}
sigLen := int(sig[0])<<8 | int(sig[1])
if sigLen+2 != len(sig) {
- goto Error
+ return errServerKeyExchange
}
sig = sig[2:]
md5sha1 := md5SHA1Hash(clientHello.random, serverHello.random, serverECDHParams)
return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.MD5SHA1, md5sha1, sig)
-
-Error:
- return os.ErrorString("invalid ServerKeyExchange")
}
func (ka *ecdheRSAKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, os.Error) {
if ka.curve == nil {
- return nil, nil, os.ErrorString("missing ServerKeyExchange message")
+ return nil, nil, os.NewError("missing ServerKeyExchange message")
}
priv, mx, my, err := ka.curve.GenerateKey(config.rand())
if err != nil {
diff --git a/src/pkg/crypto/tls/tls.go b/src/pkg/crypto/tls/tls.go
index 9e5c9270a..4f0859fee 100644
--- a/src/pkg/crypto/tls/tls.go
+++ b/src/pkg/crypto/tls/tls.go
@@ -147,19 +147,19 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err os.Err
}
if len(cert.Certificate) == 0 {
- err = os.ErrorString("crypto/tls: failed to parse certificate PEM data")
+ err = os.NewError("crypto/tls: failed to parse certificate PEM data")
return
}
keyDERBlock, _ := pem.Decode(keyPEMBlock)
if keyDERBlock == nil {
- err = os.ErrorString("crypto/tls: failed to parse key PEM data")
+ err = os.NewError("crypto/tls: failed to parse key PEM data")
return
}
key, err := x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)
if err != nil {
- err = os.ErrorString("crypto/tls: failed to parse key: " + err.String())
+ err = os.NewError("crypto/tls: failed to parse key: " + err.String())
return
}
@@ -173,7 +173,7 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err os.Err
}
if x509Cert.PublicKeyAlgorithm != x509.RSA || x509Cert.PublicKey.(*rsa.PublicKey).N.Cmp(key.PublicKey.N) != 0 {
- err = os.ErrorString("crypto/tls: private key does not match public key")
+ err = os.NewError("crypto/tls: private key does not match public key")
return
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-28 04:50:40 +0000