crypto/tls: support AES-GCM.

AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
author: Adam Langley <agl@golang.org> 2013-08-29 17:18:59 -0400
committer: Adam Langley <agl@golang.org> 2013-08-29 17:18:59 -0400
commit: 2fe9a5a3e826d8b2dc45652e1b5d1c23eeeb428b (patch)
tree: bcf30de95ec461ce3e6d275858a4e83dfcc99232 /src/pkg/crypto
parent: c4aa9c5c4ef32cdc65d29ac7e7cfa96fdbf7d394 (diff)
download: go-2fe9a5a3e826d8b2dc45652e1b5d1c23eeeb428b.tar.xz
5 files changed, 396 insertions, 35 deletions
diff --git a/src/pkg/crypto/tls/cipher_suites.go b/src/pkg/crypto/tls/cipher_suites.go
index 8404974f28..1dbda04a1d 100644
--- a/src/pkg/crypto/tls/cipher_suites.go
+++ b/src/pkg/crypto/tls/cipher_suites.go
@@ -49,22 +49,25 @@ type cipherSuite struct {
 	elliptic bool
 	cipher   func(key, iv []byte, isRead bool) interface{}
 	mac      func(version uint16, macKey []byte) macFunction
+	aead     func(key, fixedNonce []byte) cipher.AEAD
 }
 
 var cipherSuites = []*cipherSuite{
 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA
 	// and RC4 comes before AES (because of the Lucky13 attack).
-	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, true, cipherRC4, macSHA1},
-	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, true, cipherRC4, macSHA1},
-	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1},
-	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1},
-	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1},
-	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1},
-	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, false, cipherRC4, macSHA1},
-	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, false, cipherAES, macSHA1},
-	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, false, cipherAES, macSHA1},
-	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, true, cipher3DES, macSHA1},
-	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, false, cipher3DES, macSHA1},
+	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, true, nil, nil, aeadAESGCM},
+	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, true, nil, nil, aeadAESGCM},
+	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, true, cipherRC4, macSHA1, nil},
+	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, true, cipherRC4, macSHA1, nil},
+	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1, nil},
+	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1, nil},
+	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, true, cipherAES, macSHA1, nil},
+	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, true, cipherAES, macSHA1, nil},
+	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, false, cipherRC4, macSHA1, nil},
+	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, false, cipherAES, macSHA1, nil},
+	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, false, cipherAES, macSHA1, nil},
+	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, true, cipher3DES, macSHA1, nil},
+	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, false, cipher3DES, macSHA1, nil},
 }
 
 func cipherRC4(key, iv []byte, isRead bool) interface{} {
@@ -106,6 +109,46 @@ type macFunction interface {
 	MAC(digestBuf, seq, header, data []byte) []byte
 }
 
+// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
+// each call.
+type fixedNonceAEAD struct {
+	// sealNonce and openNonce are buffers where the larger nonce will be
+	// constructed. Since a seal and open operation may be running
+	// concurrently, there is a separate buffer for each.
+	sealNonce, openNonce []byte
+	aead                 cipher.AEAD
+}
+
+func (f *fixedNonceAEAD) NonceSize() int { return 8 }
+func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
+
+func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
+	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
+	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
+}
+
+func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
+	copy(f.openNonce[len(f.openNonce)-8:], nonce)
+	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
+}
+
+func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
+	aes, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+	aead, err := cipher.NewGCM(aes)
+	if err != nil {
+		panic(err)
+	}
+
+	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
+	copy(nonce1, fixedNonce)
+	copy(nonce2, fixedNonce)
+
+	return &fixedNonceAEAD{nonce1, nonce2, aead}
+}
+
 // ssl30MAC implements the SSLv3 MAC function, as defined in
 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
 type ssl30MAC struct {
@@ -197,15 +240,17 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
 // A list of the possible cipher suite ids. Taken from
 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
 const (
-	TLS_RSA_WITH_RC4_128_SHA             uint16 = 0x0005
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA        uint16 = 0x000a
-	TLS_RSA_WITH_AES_128_CBC_SHA         uint16 = 0x002f
-	TLS_RSA_WITH_AES_256_CBC_SHA         uint16 = 0x0035
-	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA     uint16 = 0xc007
-	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
-	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
-	TLS_ECDHE_RSA_WITH_RC4_128_SHA       uint16 = 0xc011
-	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  uint16 = 0xc012
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   uint16 = 0xc013
-	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   uint16 = 0xc014
+	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
+	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
+	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
 )
diff --git a/src/pkg/crypto/tls/conn.go b/src/pkg/crypto/tls/conn.go
index 287f81c1d5..2e64b88a68 100644
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -146,6 +146,9 @@ func (hc *halfConn) changeCipherSpec() error {
 	hc.mac = hc.nextMac
 	hc.nextCipher = nil
 	hc.nextMac = nil
+	for i := range hc.seq {
+		hc.seq[i] = 0
+	}
 	return nil
 }
 
@@ -255,6 +258,26 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
 		switch c := hc.cipher.(type) {
 		case cipher.Stream:
 			c.XORKeyStream(payload, payload)
+		case cipher.AEAD:
+			explicitIVLen = 8
+			if len(payload) < explicitIVLen {
+				return false, 0, alertBadRecordMAC
+			}
+			nonce := payload[:8]
+			payload = payload[8:]
+
+			var additionalData [13]byte
+			copy(additionalData[:], hc.seq[:])
+			copy(additionalData[8:], b.data[:3])
+			n := len(payload) - c.Overhead()
+			additionalData[11] = byte(n >> 8)
+			additionalData[12] = byte(n)
+			var err error
+			payload, err = c.Open(payload[:0], nonce, payload, additionalData[:])
+			if err != nil {
+				return false, 0, alertBadRecordMAC
+			}
+			b.resize(recordHeaderLen + explicitIVLen + len(payload))
 		case cbcMode:
 			blockSize := c.BlockSize()
 			if hc.version >= VersionTLS11 {
@@ -305,13 +328,13 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
 		b.resize(recordHeaderLen + explicitIVLen + n)
 		remoteMAC := payload[n:]
 		localMAC := hc.mac.MAC(hc.inDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], payload[:n])
-		hc.incSeq()
 
 		if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 {
 			return false, 0, alertBadRecordMAC
 		}
 		hc.inDigestBuf = localMAC
 	}
+	hc.incSeq()
 
 	return true, recordHeaderLen + explicitIVLen, 0
 }
@@ -338,7 +361,6 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 	// mac
 	if hc.mac != nil {
 		mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], b.data[recordHeaderLen+explicitIVLen:])
-		hc.incSeq()
 
 		n := len(b.data)
 		b.resize(n + len(mac))
@@ -353,6 +375,20 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 		switch c := hc.cipher.(type) {
 		case cipher.Stream:
 			c.XORKeyStream(payload, payload)
+		case cipher.AEAD:
+			payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
+			b.resize(len(b.data) + c.Overhead())
+			nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+			payload := b.data[recordHeaderLen+explicitIVLen:]
+			payload = payload[:payloadLen]
+
+			var additionalData [13]byte
+			copy(additionalData[:], hc.seq[:])
+			copy(additionalData[8:], b.data[:3])
+			additionalData[11] = byte(payloadLen >> 8)
+			additionalData[12] = byte(payloadLen)
+
+			c.Seal(payload[:0], nonce, payload, additionalData[:])
 		case cbcMode:
 			blockSize := c.BlockSize()
 			if explicitIVLen > 0 {
@@ -372,6 +408,7 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 	n := len(b.data) - recordHeaderLen
 	b.data[3] = byte(n >> 8)
 	b.data[4] = byte(n)
+	hc.incSeq()
 
 	return true, 0
 }
@@ -660,6 +697,7 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
 			m = maxPlaintext
 		}
 		explicitIVLen := 0
+		explicitIVIsSeq := false
 
 		var cbc cbcMode
 		if c.out.version >= VersionTLS11 {
@@ -668,6 +706,18 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
 				explicitIVLen = cbc.BlockSize()
 			}
 		}
+		if explicitIVLen == 0 {
+			if _, ok := c.out.cipher.(cipher.AEAD); ok {
+				explicitIVLen = 8
+				// The AES-GCM construction in TLS has an
+				// explicit nonce so that the nonce can be
+				// random. However, the nonce is only 8 bytes
+				// which is too small for a secure, random
+				// nonce. Therefore we use the sequence number
+				// as the nonce.
+				explicitIVIsSeq = true
+			}
+		}
 		b.resize(recordHeaderLen + explicitIVLen + m)
 		b.data[0] = byte(typ)
 		vers := c.vers
@@ -682,8 +732,12 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
 		b.data[4] = byte(m)
 		if explicitIVLen > 0 {
 			explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
-			if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
-				break
+			if explicitIVIsSeq {
+				copy(explicitIV, c.out.seq[:])
+			} else {
+				if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
+					break
+				}
 			}
 		}
 		copy(b.data[recordHeaderLen+explicitIVLen:], data)
diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go
index 01b244be1d..851df865ca 100644
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -308,8 +308,14 @@ func (c *Conn) clientHandshake() error {
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
 		keysFromMasterSecret(c.vers, masterSecret, hello.random, serverHello.random, suite.macLen, suite.keyLen, suite.ivLen)
 
-	clientCipher := suite.cipher(clientKey, clientIV, false /* not for reading */)
-	clientHash := suite.mac(c.vers, clientMAC)
+	var clientCipher interface{}
+	var clientHash macFunction
+	if suite.cipher != nil {
+		clientCipher = suite.cipher(clientKey, clientIV, false /* not for reading */)
+		clientHash = suite.mac(c.vers, clientMAC)
+	} else {
+		clientCipher = suite.aead(clientKey, clientIV)
+	}
 	c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
 	c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
 
@@ -329,8 +335,14 @@ func (c *Conn) clientHandshake() error {
 	finishedHash.Write(finished.marshal())
 	c.writeRecord(recordTypeHandshake, finished.marshal())
 
-	serverCipher := suite.cipher(serverKey, serverIV, true /* for reading */)
-	serverHash := suite.mac(c.vers, serverMAC)
+	var serverCipher interface{}
+	var serverHash macFunction
+	if suite.cipher != nil {
+		serverCipher = suite.cipher(serverKey, serverIV, true /* for reading */)
+		serverHash = suite.mac(c.vers, serverMAC)
+	} else {
+		serverCipher = suite.aead(serverKey, serverIV)
+	}
 	c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
 	c.readRecord(recordTypeChangeCipherSpec)
 	if err := c.error(); err != nil {
diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index 6c5e96c42e..9aedd79d14 100644
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -435,12 +435,20 @@ func (hs *serverHandshakeState) establishKeys() error {
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
 		keysFromMasterSecret(c.vers, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
 
-	clientCipher := hs.suite.cipher(clientKey, clientIV, true /* for reading */)
-	clientHash := hs.suite.mac(c.vers, clientMAC)
-	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
+	var clientCipher, serverCipher interface{}
+	var clientHash, serverHash macFunction
 
-	serverCipher := hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
-	serverHash := hs.suite.mac(c.vers, serverMAC)
+	if hs.suite.aead == nil {
+		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
+		clientHash = hs.suite.mac(c.vers, clientMAC)
+		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
+		serverHash = hs.suite.mac(c.vers, serverMAC)
+	} else {
+		clientCipher = hs.suite.aead(clientKey, clientIV)
+		serverCipher = hs.suite.aead(serverKey, serverIV)
+	}
+
+	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
 	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
 
 	return nil
diff --git a/src/pkg/crypto/tls/handshake_server_test.go b/src/pkg/crypto/tls/handshake_server_test.go
index 4f57e506dd..27504ae74d 100644
--- a/src/pkg/crypto/tls/handshake_server_test.go
+++ b/src/pkg/crypto/tls/handshake_server_test.go
@@ -309,6 +309,13 @@ func TestTLS11Server(t *testing.T) {
 	testServerScript(t, "TLS11", tls11ECDHEAESServerScript, &config, nil)
 }
 
+func TestAESGCM(t *testing.T) {
+	var config = *testConfig
+	config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
+	config.MaxVersion = VersionTLS12
+	testServerScript(t, "AES-GCM", aesGCMServerScript, &config, nil)
+}
+
 // recordingConn is a net.Conn that records the traffic that passes through it.
 // WriteTo can be used to produce Go code that contains the recorded traffic.
 type recordingConn struct {
@@ -3483,3 +3490,238 @@ var clientauthECDSATests = []clientauthTest{
 		},
 	}},
 }
+
+var aesGCMServerScript = [][]byte{
+	{
+		0x16, 0x03, 0x01, 0x01, 0x1c, 0x01, 0x00, 0x01,
+		0x18, 0x03, 0x03, 0x52, 0x1e, 0x74, 0xf0, 0xb0,
+		0xc1, 0x8b, 0x16, 0xf9, 0x74, 0xfc, 0x16, 0xc4,
+		0x11, 0x18, 0x96, 0x08, 0x25, 0x38, 0x4f, 0x98,
+		0x98, 0xbe, 0xb5, 0x61, 0xdf, 0x94, 0x15, 0xcc,
+		0x9b, 0x61, 0xef, 0x00, 0x00, 0x80, 0xc0, 0x30,
+		0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
+		0xc0, 0x0a, 0x00, 0xa3, 0x00, 0x9f, 0x00, 0x6b,
+		0x00, 0x6a, 0x00, 0x39, 0x00, 0x38, 0xc0, 0x32,
+		0xc0, 0x2e, 0xc0, 0x2a, 0xc0, 0x26, 0xc0, 0x0f,
+		0xc0, 0x05, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
+		0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x13,
+		0xc0, 0x0d, 0xc0, 0x03, 0x00, 0x0a, 0xc0, 0x2f,
+		0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
+		0xc0, 0x09, 0x00, 0xa2, 0x00, 0x9e, 0x00, 0x67,
+		0x00, 0x40, 0x00, 0x33, 0x00, 0x32, 0xc0, 0x31,
+		0xc0, 0x2d, 0xc0, 0x29, 0xc0, 0x25, 0xc0, 0x0e,
+		0xc0, 0x04, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
+		0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c, 0xc0, 0x02,
+		0x00, 0x05, 0x00, 0x04, 0x00, 0x15, 0x00, 0x12,
+		0x00, 0x09, 0x00, 0x14, 0x00, 0x11, 0x00, 0x08,
+		0x00, 0x06, 0x00, 0x03, 0x00, 0xff, 0x01, 0x00,
+		0x00, 0x6f, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00,
+		0x01, 0x02, 0x00, 0x0a, 0x00, 0x34, 0x00, 0x32,
+		0x00, 0x0e, 0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b,
+		0x00, 0x0c, 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a,
+		0x00, 0x16, 0x00, 0x17, 0x00, 0x08, 0x00, 0x06,
+		0x00, 0x07, 0x00, 0x14, 0x00, 0x15, 0x00, 0x04,
+		0x00, 0x05, 0x00, 0x12, 0x00, 0x13, 0x00, 0x01,
+		0x00, 0x02, 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10,
+		0x00, 0x11, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d,
+		0x00, 0x22, 0x00, 0x20, 0x06, 0x01, 0x06, 0x02,
+		0x06, 0x03, 0x05, 0x01, 0x05, 0x02, 0x05, 0x03,
+		0x04, 0x01, 0x04, 0x02, 0x04, 0x03, 0x03, 0x01,
+		0x03, 0x02, 0x03, 0x03, 0x02, 0x01, 0x02, 0x02,
+		0x02, 0x03, 0x01, 0x01, 0x00, 0x0f, 0x00, 0x01,
+		0x01,
+	},
+	{
+		0x16, 0x03, 0x03, 0x00, 0x30, 0x02, 0x00, 0x00,
+		0x2c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0xc0, 0x2f, 0x00, 0x00,
+		0x04, 0x00, 0x23, 0x00, 0x00, 0x16, 0x03, 0x03,
+		0x02, 0xbe, 0x0b, 0x00, 0x02, 0xba, 0x00, 0x02,
+		0xb7, 0x00, 0x02, 0xb4, 0x30, 0x82, 0x02, 0xb0,
+		0x30, 0x82, 0x02, 0x19, 0xa0, 0x03, 0x02, 0x01,
+		0x02, 0x02, 0x09, 0x00, 0x85, 0xb0, 0xbb, 0xa4,
+		0x8a, 0x7f, 0xb8, 0xca, 0x30, 0x0d, 0x06, 0x09,
+		0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+		0x05, 0x05, 0x00, 0x30, 0x45, 0x31, 0x0b, 0x30,
+		0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+		0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+		0x55, 0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d,
+		0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31,
+		0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a,
+		0x13, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+		0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69,
+		0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c,
+		0x74, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30,
+		0x30, 0x34, 0x32, 0x34, 0x30, 0x39, 0x30, 0x39,
+		0x33, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30,
+		0x34, 0x32, 0x34, 0x30, 0x39, 0x30, 0x39, 0x33,
+		0x38, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09,
+		0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41,
+		0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
+		0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d, 0x65,
+		0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21,
+		0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+		0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+		0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74,
+		0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74,
+		0x64, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09,
+		0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+		0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
+		0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xbb, 0x79,
+		0xd6, 0xf5, 0x17, 0xb5, 0xe5, 0xbf, 0x46, 0x10,
+		0xd0, 0xdc, 0x69, 0xbe, 0xe6, 0x2b, 0x07, 0x43,
+		0x5a, 0xd0, 0x03, 0x2d, 0x8a, 0x7a, 0x43, 0x85,
+		0xb7, 0x14, 0x52, 0xe7, 0xa5, 0x65, 0x4c, 0x2c,
+		0x78, 0xb8, 0x23, 0x8c, 0xb5, 0xb4, 0x82, 0xe5,
+		0xde, 0x1f, 0x95, 0x3b, 0x7e, 0x62, 0xa5, 0x2c,
+		0xa5, 0x33, 0xd6, 0xfe, 0x12, 0x5c, 0x7a, 0x56,
+		0xfc, 0xf5, 0x06, 0xbf, 0xfa, 0x58, 0x7b, 0x26,
+		0x3f, 0xb5, 0xcd, 0x04, 0xd3, 0xd0, 0xc9, 0x21,
+		0x96, 0x4a, 0xc7, 0xf4, 0x54, 0x9f, 0x5a, 0xbf,
+		0xef, 0x42, 0x71, 0x00, 0xfe, 0x18, 0x99, 0x07,
+		0x7f, 0x7e, 0x88, 0x7d, 0x7d, 0xf1, 0x04, 0x39,
+		0xc4, 0xa2, 0x2e, 0xdb, 0x51, 0xc9, 0x7c, 0xe3,
+		0xc0, 0x4c, 0x3b, 0x32, 0x66, 0x01, 0xcf, 0xaf,
+		0xb1, 0x1d, 0xb8, 0x71, 0x9a, 0x1d, 0xdb, 0xdb,
+		0x89, 0x6b, 0xae, 0xda, 0x2d, 0x79, 0x02, 0x03,
+		0x01, 0x00, 0x01, 0xa3, 0x81, 0xa7, 0x30, 0x81,
+		0xa4, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+		0x04, 0x16, 0x04, 0x14, 0xb1, 0xad, 0xe2, 0x85,
+		0x5a, 0xcf, 0xcb, 0x28, 0xdb, 0x69, 0xce, 0x23,
+		0x69, 0xde, 0xd3, 0x26, 0x8e, 0x18, 0x88, 0x39,
+		0x30, 0x75, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
+		0x6e, 0x30, 0x6c, 0x80, 0x14, 0xb1, 0xad, 0xe2,
+		0x85, 0x5a, 0xcf, 0xcb, 0x28, 0xdb, 0x69, 0xce,
+		0x23, 0x69, 0xde, 0xd3, 0x26, 0x8e, 0x18, 0x88,
+		0x39, 0xa1, 0x49, 0xa4, 0x47, 0x30, 0x45, 0x31,
+		0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+		0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11,
+		0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x53,
+		0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74,
+		0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,
+		0x04, 0x0a, 0x13, 0x18, 0x49, 0x6e, 0x74, 0x65,
+		0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64,
+		0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79,
+		0x20, 0x4c, 0x74, 0x64, 0x82, 0x09, 0x00, 0x85,
+		0xb0, 0xbb, 0xa4, 0x8a, 0x7f, 0xb8, 0xca, 0x30,
+		0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,
+		0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06,
+		0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+		0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00,
+		0x08, 0x6c, 0x45, 0x24, 0xc7, 0x6b, 0xb1, 0x59,
+		0xab, 0x0c, 0x52, 0xcc, 0xf2, 0xb0, 0x14, 0xd7,
+		0x87, 0x9d, 0x7a, 0x64, 0x75, 0xb5, 0x5a, 0x95,
+		0x66, 0xe4, 0xc5, 0x2b, 0x8e, 0xae, 0x12, 0x66,
+		0x1f, 0xeb, 0x4f, 0x38, 0xb3, 0x6e, 0x60, 0xd3,
+		0x92, 0xfd, 0xf7, 0x41, 0x08, 0xb5, 0x25, 0x13,
+		0xb1, 0x18, 0x7a, 0x24, 0xfb, 0x30, 0x1d, 0xba,
+		0xed, 0x98, 0xb9, 0x17, 0xec, 0xe7, 0xd7, 0x31,
+		0x59, 0xdb, 0x95, 0xd3, 0x1d, 0x78, 0xea, 0x50,
+		0x56, 0x5c, 0xd5, 0x82, 0x5a, 0x2d, 0x5a, 0x5f,
+		0x33, 0xc4, 0xb6, 0xd8, 0xc9, 0x75, 0x90, 0x96,
+		0x8c, 0x0f, 0x52, 0x98, 0xb5, 0xcd, 0x98, 0x1f,
+		0x89, 0x20, 0x5f, 0xf2, 0xa0, 0x1c, 0xa3, 0x1b,
+		0x96, 0x94, 0xdd, 0xa9, 0xfd, 0x57, 0xe9, 0x70,
+		0xe8, 0x26, 0x6d, 0x71, 0x99, 0x9b, 0x26, 0x6e,
+		0x38, 0x50, 0x29, 0x6c, 0x90, 0xa7, 0xbd, 0xd9,
+		0x16, 0x03, 0x03, 0x01, 0x11, 0x0c, 0x00, 0x01,
+		0x0d, 0x03, 0x00, 0x19, 0x85, 0x04, 0x01, 0x39,
+		0xdc, 0xee, 0x44, 0x17, 0x5e, 0xdb, 0xd7, 0x27,
+		0xaf, 0xb6, 0x56, 0xd9, 0xb4, 0x43, 0x5a, 0x99,
+		0xcf, 0xaa, 0x31, 0x37, 0x0c, 0x6f, 0x3a, 0xa0,
+		0xf8, 0x53, 0xc4, 0x74, 0xd1, 0x91, 0x0a, 0x46,
+		0xf5, 0x38, 0x3b, 0x5c, 0x09, 0xd8, 0x97, 0xdc,
+		0x4b, 0xaa, 0x70, 0x26, 0x48, 0xf2, 0xd6, 0x0b,
+		0x31, 0xc9, 0xf8, 0xd4, 0x98, 0x43, 0xe1, 0x6c,
+		0xd5, 0xc7, 0xb2, 0x8e, 0x0b, 0x01, 0xe6, 0xb6,
+		0x00, 0x28, 0x80, 0x7b, 0xfc, 0x96, 0x8f, 0x0d,
+		0xa2, 0x4f, 0xb0, 0x79, 0xaf, 0xdc, 0x61, 0x28,
+		0x63, 0x33, 0x78, 0xf6, 0x31, 0x39, 0xfd, 0x8a,
+		0xf4, 0x15, 0x18, 0x11, 0xfe, 0xdb, 0xd5, 0x07,
+		0xda, 0x2c, 0xed, 0x49, 0xa0, 0x23, 0xbf, 0xd0,
+		0x3a, 0x38, 0x1d, 0x54, 0xae, 0x1c, 0x7b, 0xea,
+		0x29, 0xee, 0xd0, 0x38, 0xc1, 0x76, 0xa7, 0x7f,
+		0x2a, 0xf4, 0xce, 0x1e, 0xac, 0xcc, 0x94, 0x79,
+		0x90, 0x33, 0x04, 0x01, 0x00, 0x80, 0x0d, 0x8e,
+		0x79, 0xe6, 0x86, 0xf6, 0xb6, 0xfb, 0x6b, 0x6a,
+		0xcc, 0x55, 0xe4, 0x80, 0x4d, 0xc5, 0x0c, 0xc6,
+		0xa3, 0x9f, 0x1d, 0x39, 0xd2, 0x98, 0x57, 0x31,
+		0xa2, 0x90, 0x73, 0xe8, 0xd2, 0xcd, 0xb0, 0x93,
+		0x1a, 0x60, 0x0f, 0x38, 0x02, 0x3b, 0x1b, 0x25,
+		0x56, 0xec, 0x44, 0xab, 0xbe, 0x2e, 0x0c, 0xc0,
+		0x6e, 0x54, 0x91, 0x50, 0xd6, 0xb1, 0xa2, 0x98,
+		0x14, 0xa8, 0x35, 0x62, 0x9d, 0xca, 0xfb, 0x0f,
+		0x64, 0x2b, 0x05, 0xa0, 0xa0, 0x57, 0xef, 0xcd,
+		0x95, 0x45, 0x13, 0x5a, 0x9b, 0x3d, 0xdb, 0x42,
+		0x54, 0x7f, 0xb9, 0x17, 0x08, 0x7f, 0xb2, 0xf0,
+		0xb1, 0xc3, 0xdf, 0x67, 0x95, 0xe2, 0x73, 0xf2,
+		0x76, 0xa3, 0x97, 0xfd, 0x9c, 0x92, 0x4a, 0xdb,
+		0x95, 0x1e, 0x91, 0x95, 0xae, 0x3d, 0xae, 0x58,
+		0xb5, 0x03, 0x6f, 0x5c, 0x3a, 0x19, 0xab, 0x92,
+		0xa5, 0x09, 0x6b, 0x40, 0x61, 0xb0, 0x16, 0x03,
+		0x03, 0x00, 0x04, 0x0e, 0x00, 0x00, 0x00,
+	},
+	{
+		0x16, 0x03, 0x03, 0x00, 0x8a, 0x10, 0x00, 0x00,
+		0x86, 0x85, 0x04, 0x01, 0xba, 0xb8, 0xad, 0x69,
+		0x20, 0x5e, 0xc1, 0x61, 0xc3, 0x0f, 0xb4, 0x30,
+		0x64, 0x66, 0x70, 0x96, 0x33, 0x3c, 0x8e, 0x12,
+		0x56, 0xbf, 0x6d, 0xb8, 0x6d, 0xc6, 0xba, 0xea,
+		0xfc, 0x38, 0xc0, 0x8b, 0x87, 0xa8, 0xf3, 0x87,
+		0xa1, 0xd5, 0xb6, 0xb0, 0x72, 0xc7, 0xd4, 0x19,
+		0x56, 0xa0, 0x91, 0xe1, 0x45, 0xc7, 0xf1, 0x7d,
+		0xb0, 0x1d, 0x78, 0x18, 0xf6, 0x3d, 0xbf, 0x1a,
+		0x23, 0x93, 0x0b, 0x19, 0xb1, 0x00, 0x56, 0xc9,
+		0x5e, 0x89, 0xd4, 0x9d, 0xd9, 0x5b, 0xe0, 0xb8,
+		0xff, 0x2f, 0x7d, 0x93, 0xae, 0x5b, 0xa5, 0x1f,
+		0x1f, 0x2b, 0x09, 0xe5, 0xf6, 0x07, 0x26, 0xa3,
+		0xed, 0xcb, 0x6a, 0x1a, 0xd6, 0x14, 0x83, 0x9b,
+		0xd3, 0x9d, 0x47, 0x1b, 0xf3, 0x72, 0x5f, 0x69,
+		0x21, 0x8f, 0xfa, 0x09, 0x38, 0x1a, 0x6b, 0x91,
+		0xcf, 0x19, 0x32, 0x54, 0x58, 0x8e, 0xee, 0xaf,
+		0xeb, 0x06, 0x9b, 0x3a, 0x34, 0x16, 0x66, 0x14,
+		0x03, 0x03, 0x00, 0x01, 0x01, 0x16, 0x03, 0x03,
+		0x00, 0x28, 0xc6, 0x96, 0x67, 0x62, 0xcc, 0x47,
+		0x01, 0xb5, 0xbd, 0xb7, 0x24, 0xd3, 0xb6, 0xfd,
+		0xb8, 0x46, 0xce, 0x82, 0x6d, 0x31, 0x1f, 0x15,
+		0x11, 0x8f, 0xed, 0x62, 0x71, 0x5f, 0xae, 0xb6,
+		0xa9, 0x0c, 0x24, 0x1d, 0xe8, 0x26, 0x51, 0xca,
+		0x7c, 0x42,
+	},
+	{
+		0x16, 0x03, 0x03, 0x00, 0x72, 0x04, 0x00, 0x00,
+		0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65,
+		0xea, 0x8b, 0xfb, 0xef, 0xba, 0xc8, 0x88, 0x94,
+		0x44, 0x99, 0x5f, 0x02, 0x68, 0x3a, 0x12, 0x67,
+		0x7f, 0xb9, 0x39, 0x71, 0x84, 0xe0, 0x30, 0xe6,
+		0x90, 0x6c, 0xcf, 0x32, 0x29, 0x29, 0x5c, 0x5a,
+		0x8b, 0x7d, 0xaa, 0x11, 0x28, 0x26, 0xb5, 0xce,
+		0xd2, 0x88, 0xd5, 0xb0, 0x5f, 0x94, 0x37, 0xa2,
+		0x48, 0xd9, 0x53, 0xb2, 0xab, 0x59, 0x23, 0x3d,
+		0x81, 0x6e, 0x64, 0x89, 0xca, 0x1a, 0x84, 0x16,
+		0xdf, 0x31, 0x10, 0xde, 0x52, 0x7f, 0x50, 0xf3,
+		0xd9, 0x27, 0xa0, 0xe8, 0x34, 0x15, 0x9e, 0x11,
+		0xdd, 0xba, 0xce, 0x40, 0x17, 0xf3, 0x67, 0x14,
+		0x03, 0x03, 0x00, 0x01, 0x01, 0x16, 0x03, 0x03,
+		0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x35, 0xcb, 0x17, 0x66, 0xee, 0xfd,
+		0x27, 0xdb, 0xb8, 0xa8, 0x8a, 0xf1, 0x56, 0x67,
+		0x89, 0x0d, 0x13, 0xac, 0xe2, 0x31, 0xb9, 0xa2,
+		0x26, 0xbb, 0x1c, 0xcf, 0xd1, 0xb2, 0x48, 0x1d,
+		0x0d, 0xb1, 0x17, 0x03, 0x03, 0x00, 0x25, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc0,
+		0x89, 0x7c, 0x58, 0x6a, 0x9b, 0x00, 0x05, 0x8c,
+		0x7f, 0x28, 0x54, 0x61, 0x44, 0x10, 0xee, 0x85,
+		0x26, 0xa8, 0x04, 0xcd, 0xca, 0x85, 0x60, 0xf2,
+		0xeb, 0x22, 0xbd, 0x9e, 0x15, 0x03, 0x03, 0x00,
+		0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x02, 0x10, 0xe4, 0xe5, 0xf9, 0x85, 0xe3, 0xb0,
+		0xec, 0x84, 0x29, 0x91, 0x05, 0x7d, 0x86, 0xe3,
+		0x97, 0xeb, 0xb2,
+	},
+}
author	Adam Langley <agl@golang.org>	2013-08-29 17:18:59 -0400
committer	Adam Langley <agl@golang.org>	2013-08-29 17:18:59 -0400
commit	2fe9a5a3e826d8b2dc45652e1b5d1c23eeeb428b (patch)
tree	bcf30de95ec461ce3e6d275858a4e83dfcc99232 /src/pkg/crypto
parent	c4aa9c5c4ef32cdc65d29ac7e7cfa96fdbf7d394 (diff)
download	go-2fe9a5a3e826d8b2dc45652e1b5d1c23eeeb428b.tar.xz