kris
/
boringssl
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
1387 Коміти
12 Гілки
38 MiB
 
 
 
 
 
 
Дерево: cff0b90cbb
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з 'cff0b90cbb'
${ noResults }
boringssl/ssl/test/runner/key_agreement.go

843 рядки
28 KiB
Неформатований Звинувачення Історія 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package main

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/elliptic"

  11. 	"crypto/md5"

  12. 	"crypto/rand"

  13. 	"crypto/rsa"

  14. 	"crypto/sha1"

  15. 	"crypto/x509"

  16. 	"encoding/asn1"

  17. 	"errors"

  18. 	"io"

  19. 	"math/big"

  20. )

  21. 

  22. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  23. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  24. 

  25. // rsaKeyAgreement implements the standard TLS key agreement where the client

  26. // encrypts the pre-master secret to the server's public key.

  27. type rsaKeyAgreement struct {

  28. 	version       uint16

  29. 	clientVersion uint16

  30. 	exportKey     *rsa.PrivateKey

  31. }

  32. 

  33. func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  34. 	// Save the client version for comparison later.

  35. 	ka.clientVersion = versionToWire(clientHello.vers, clientHello.isDTLS)

  36. 

  37. 	if !config.Bugs.RSAEphemeralKey {

  38. 		return nil, nil

  39. 	}

  40. 

  41. 	// Generate an ephemeral RSA key to use instead of the real

  42. 	// one, as in RSA_EXPORT.

  43. 	key, err := rsa.GenerateKey(config.rand(), 512)

  44. 	if err != nil {

  45. 		return nil, err

  46. 	}

  47. 	ka.exportKey = key

  48. 

  49. 	modulus := key.N.Bytes()

  50. 	exponent := big.NewInt(int64(key.E)).Bytes()

  51. 	serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent))

  52. 	serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus)))

  53. 	serverRSAParams = append(serverRSAParams, modulus...)

  54. 	serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent)))

  55. 	serverRSAParams = append(serverRSAParams, exponent...)

  56. 

  57. 	var tls12HashId uint8

  58. 	if ka.version >= VersionTLS12 {

  59. 		if tls12HashId, err = pickTLS12HashForSignature(signatureRSA, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {

  60. 			return nil, err

  61. 		}

  62. 	}

  63. 

  64. 	digest, hashFunc, err := hashForServerKeyExchange(signatureRSA, tls12HashId, ka.version, clientHello.random, hello.random, serverRSAParams)

  65. 	if err != nil {

  66. 		return nil, err

  67. 	}

  68. 	privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)

  69. 	if !ok {

  70. 		return nil, errors.New("RSA ephemeral key requires an RSA server private key")

  71. 	}

  72. 	sig, err := rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)

  73. 	if err != nil {

  74. 		return nil, errors.New("failed to sign RSA parameters: " + err.Error())

  75. 	}

  76. 

  77. 	skx := new(serverKeyExchangeMsg)

  78. 	sigAndHashLen := 0

  79. 	if ka.version >= VersionTLS12 {

  80. 		sigAndHashLen = 2

  81. 	}

  82. 	skx.key = make([]byte, len(serverRSAParams)+sigAndHashLen+2+len(sig))

  83. 	copy(skx.key, serverRSAParams)

  84. 	k := skx.key[len(serverRSAParams):]

  85. 	if ka.version >= VersionTLS12 {

  86. 		k[0] = tls12HashId

  87. 		k[1] = signatureRSA

  88. 		k = k[2:]

  89. 	}

  90. 	k[0] = byte(len(sig) >> 8)

  91. 	k[1] = byte(len(sig))

  92. 	copy(k[2:], sig)

  93. 

  94. 	return skx, nil

  95. }

  96. 

  97. func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  98. 	preMasterSecret := make([]byte, 48)

  99. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  100. 	if err != nil {

  101. 		return nil, err

  102. 	}

  103. 

  104. 	if len(ckx.ciphertext) < 2 {

  105. 		return nil, errClientKeyExchange

  106. 	}

  107. 

  108. 	ciphertext := ckx.ciphertext

  109. 	if version != VersionSSL30 {

  110. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  111. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  112. 			return nil, errClientKeyExchange

  113. 		}

  114. 		ciphertext = ckx.ciphertext[2:]

  115. 	}

  116. 

  117. 	key := cert.PrivateKey.(*rsa.PrivateKey)

  118. 	if ka.exportKey != nil {

  119. 		key = ka.exportKey

  120. 	}

  121. 	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), key, ciphertext, preMasterSecret)

  122. 	if err != nil {

  123. 		return nil, err

  124. 	}

  125. 	// This check should be done in constant-time, but this is a testing

  126. 	// implementation. See the discussion at the end of section 7.4.7.1 of

  127. 	// RFC 4346.

  128. 	vers := uint16(preMasterSecret[0])<<8 | uint16(preMasterSecret[1])

  129. 	if ka.clientVersion != vers {

  130. 		return nil, errors.New("tls: invalid version in RSA premaster")

  131. 	}

  132. 	return preMasterSecret, nil

  133. }

  134. 

  135. func (ka *rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  136. 	return errors.New("tls: unexpected ServerKeyExchange")

  137. }

  138. 

  139. func (ka *rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  140. 	preMasterSecret := make([]byte, 48)

  141. 	vers := clientHello.vers

  142. 	if config.Bugs.RsaClientKeyExchangeVersion != 0 {

  143. 		vers = config.Bugs.RsaClientKeyExchangeVersion

  144. 	}

  145. 	vers = versionToWire(vers, clientHello.isDTLS)

  146. 	preMasterSecret[0] = byte(vers >> 8)

  147. 	preMasterSecret[1] = byte(vers)

  148. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  149. 	if err != nil {

  150. 		return nil, nil, err

  151. 	}

  152. 

  153. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)

  154. 	if err != nil {

  155. 		return nil, nil, err

  156. 	}

  157. 	ckx := new(clientKeyExchangeMsg)

  158. 	if clientHello.vers != VersionSSL30 && !config.Bugs.SSL3RSAKeyExchange {

  159. 		ckx.ciphertext = make([]byte, len(encrypted)+2)

  160. 		ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  161. 		ckx.ciphertext[1] = byte(len(encrypted))

  162. 		copy(ckx.ciphertext[2:], encrypted)

  163. 	} else {

  164. 		ckx.ciphertext = encrypted

  165. 	}

  166. 	return preMasterSecret, ckx, nil

  167. }

  168. 

  169. // sha1Hash calculates a SHA1 hash over the given byte slices.

  170. func sha1Hash(slices [][]byte) []byte {

  171. 	hsha1 := sha1.New()

  172. 	for _, slice := range slices {

  173. 		hsha1.Write(slice)

  174. 	}

  175. 	return hsha1.Sum(nil)

  176. }

  177. 

  178. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  179. // concatenation of an MD5 and SHA1 hash.

  180. func md5SHA1Hash(slices [][]byte) []byte {

  181. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  182. 	hmd5 := md5.New()

  183. 	for _, slice := range slices {

  184. 		hmd5.Write(slice)

  185. 	}

  186. 	copy(md5sha1, hmd5.Sum(nil))

  187. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  188. 	return md5sha1

  189. }

  190. 

  191. // hashForServerKeyExchange hashes the given slices and returns their digest

  192. // and the identifier of the hash function used. The hashFunc argument is only

  193. // used for >= TLS 1.2 and precisely identifies the hash function to use.

  194. func hashForServerKeyExchange(sigType, hashFunc uint8, version uint16, slices ...[]byte) ([]byte, crypto.Hash, error) {

  195. 	if version >= VersionTLS12 {

  196. 		hash, err := lookupTLSHash(hashFunc)

  197. 		if err != nil {

  198. 			return nil, 0, err

  199. 		}

  200. 		h := hash.New()

  201. 		for _, slice := range slices {

  202. 			h.Write(slice)

  203. 		}

  204. 		return h.Sum(nil), hash, nil

  205. 	}

  206. 	if sigType == signatureECDSA {

  207. 		return sha1Hash(slices), crypto.SHA1, nil

  208. 	}

  209. 	return md5SHA1Hash(slices), crypto.MD5SHA1, nil

  210. }

  211. 

  212. // pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a

  213. // ServerKeyExchange given the signature type being used and the client's

  214. // advertized list of supported signature and hash combinations.

  215. func pickTLS12HashForSignature(sigType uint8, clientList, serverList []signatureAndHash) (uint8, error) {

  216. 	if len(clientList) == 0 {

  217. 		// If the client didn't specify any signature_algorithms

  218. 		// extension then we can assume that it supports SHA1. See

  219. 		// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1

  220. 		return hashSHA1, nil

  221. 	}

  222. 

  223. 	for _, sigAndHash := range clientList {

  224. 		if sigAndHash.signature != sigType {

  225. 			continue

  226. 		}

  227. 		if isSupportedSignatureAndHash(sigAndHash, serverList) {

  228. 			return sigAndHash.hash, nil

  229. 		}

  230. 	}

  231. 

  232. 	return 0, errors.New("tls: client doesn't support any common hash functions")

  233. }

  234. 

  235. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  236. 	switch id {

  237. 	case CurveP224:

  238. 		return elliptic.P224(), true

  239. 	case CurveP256:

  240. 		return elliptic.P256(), true

  241. 	case CurveP384:

  242. 		return elliptic.P384(), true

  243. 	case CurveP521:

  244. 		return elliptic.P521(), true

  245. 	default:

  246. 		return nil, false

  247. 	}

  248. 

  249. }

  250. 

  251. // keyAgreementAuthentication is a helper interface that specifies how

  252. // to authenticate the ServerKeyExchange parameters.

  253. type keyAgreementAuthentication interface {

  254. 	signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error)

  255. 	verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error

  256. }

  257. 

  258. // nilKeyAgreementAuthentication does not authenticate the key

  259. // agreement parameters.

  260. type nilKeyAgreementAuthentication struct{}

  261. 

  262. func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {

  263. 	skx := new(serverKeyExchangeMsg)

  264. 	skx.key = params

  265. 	return skx, nil

  266. }

  267. 

  268. func (ka *nilKeyAgreementAuthentication) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error {

  269. 	return nil

  270. }

  271. 

  272. // signedKeyAgreement signs the ServerKeyExchange parameters with the

  273. // server's private key.

  274. type signedKeyAgreement struct {

  275. 	version uint16

  276. 	sigType uint8

  277. }

  278. 

  279. func (ka *signedKeyAgreement) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {

  280. 	var tls12HashId uint8

  281. 	var err error

  282. 	if ka.version >= VersionTLS12 {

  283. 		if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {

  284. 			return nil, err

  285. 		}

  286. 	}

  287. 

  288. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, hello.random, params)

  289. 	if err != nil {

  290. 		return nil, err

  291. 	}

  292. 

  293. 	if config.Bugs.InvalidSKXSignature {

  294. 		digest[0] ^= 0x80

  295. 	}

  296. 

  297. 	var sig []byte

  298. 	switch ka.sigType {

  299. 	case signatureECDSA:

  300. 		privKey, ok := cert.PrivateKey.(*ecdsa.PrivateKey)

  301. 		if !ok {

  302. 			return nil, errors.New("ECDHE ECDSA requires an ECDSA server private key")

  303. 		}

  304. 		r, s, err := ecdsa.Sign(config.rand(), privKey, digest)

  305. 		if err != nil {

  306. 			return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())

  307. 		}

  308. 		order := privKey.Curve.Params().N

  309. 		r = maybeCorruptECDSAValue(r, config.Bugs.BadECDSAR, order)

  310. 		s = maybeCorruptECDSAValue(s, config.Bugs.BadECDSAS, order)

  311. 		sig, err = asn1.Marshal(ecdsaSignature{r, s})

  312. 	case signatureRSA:

  313. 		privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)

  314. 		if !ok {

  315. 			return nil, errors.New("ECDHE RSA requires a RSA server private key")

  316. 		}

  317. 		sig, err = rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)

  318. 		if err != nil {

  319. 			return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())

  320. 		}

  321. 	default:

  322. 		return nil, errors.New("unknown ECDHE signature algorithm")

  323. 	}

  324. 

  325. 	skx := new(serverKeyExchangeMsg)

  326. 	if config.Bugs.UnauthenticatedECDH {

  327. 		skx.key = params

  328. 	} else {

  329. 		sigAndHashLen := 0

  330. 		if ka.version >= VersionTLS12 {

  331. 			sigAndHashLen = 2

  332. 		}

  333. 		skx.key = make([]byte, len(params)+sigAndHashLen+2+len(sig))

  334. 		copy(skx.key, params)

  335. 		k := skx.key[len(params):]

  336. 		if ka.version >= VersionTLS12 {

  337. 			k[0] = tls12HashId

  338. 			k[1] = ka.sigType

  339. 			k = k[2:]

  340. 		}

  341. 		k[0] = byte(len(sig) >> 8)

  342. 		k[1] = byte(len(sig))

  343. 		copy(k[2:], sig)

  344. 	}

  345. 

  346. 	return skx, nil

  347. }

  348. 

  349. func (ka *signedKeyAgreement) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error {

  350. 	if len(sig) < 2 {

  351. 		return errServerKeyExchange

  352. 	}

  353. 

  354. 	var tls12HashId uint8

  355. 	if ka.version >= VersionTLS12 {

  356. 		// handle SignatureAndHashAlgorithm

  357. 		var sigAndHash []uint8

  358. 		sigAndHash, sig = sig[:2], sig[2:]

  359. 		if sigAndHash[1] != ka.sigType {

  360. 			return errServerKeyExchange

  361. 		}

  362. 		tls12HashId = sigAndHash[0]

  363. 		if len(sig) < 2 {

  364. 			return errServerKeyExchange

  365. 		}

  366. 

  367. 		if !isSupportedSignatureAndHash(signatureAndHash{ka.sigType, tls12HashId}, config.signatureAndHashesForClient()) {

  368. 			return errors.New("tls: unsupported hash function for ServerKeyExchange")

  369. 		}

  370. 	}

  371. 	sigLen := int(sig[0])<<8 | int(sig[1])

  372. 	if sigLen+2 != len(sig) {

  373. 		return errServerKeyExchange

  374. 	}

  375. 	sig = sig[2:]

  376. 

  377. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, serverHello.random, params)

  378. 	if err != nil {

  379. 		return err

  380. 	}

  381. 	switch ka.sigType {

  382. 	case signatureECDSA:

  383. 		pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)

  384. 		if !ok {

  385. 			return errors.New("ECDHE ECDSA requires a ECDSA server public key")

  386. 		}

  387. 		ecdsaSig := new(ecdsaSignature)

  388. 		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {

  389. 			return err

  390. 		}

  391. 		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

  392. 			return errors.New("ECDSA signature contained zero or negative values")

  393. 		}

  394. 		if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {

  395. 			return errors.New("ECDSA verification failure")

  396. 		}

  397. 	case signatureRSA:

  398. 		pubKey, ok := cert.PublicKey.(*rsa.PublicKey)

  399. 		if !ok {

  400. 			return errors.New("ECDHE RSA requires a RSA server public key")

  401. 		}

  402. 		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {

  403. 			return err

  404. 		}

  405. 	default:

  406. 		return errors.New("unknown ECDHE signature algorithm")

  407. 	}

  408. 

  409. 	return nil

  410. }

  411. 

  412. // ecdheRSAKeyAgreement implements a TLS key agreement where the server

  413. // generates a ephemeral EC public/private key pair and signs it. The

  414. // pre-master secret is then calculated using ECDH. The signature may

  415. // either be ECDSA or RSA.

  416. type ecdheKeyAgreement struct {

  417. 	auth       keyAgreementAuthentication

  418. 	privateKey []byte

  419. 	curve      elliptic.Curve

  420. 	x, y       *big.Int

  421. }

  422. 

  423. func maybeCorruptECDSAValue(n *big.Int, typeOfCorruption BadValue, limit *big.Int) *big.Int {

  424. 	switch typeOfCorruption {

  425. 	case BadValueNone:

  426. 		return n

  427. 	case BadValueNegative:

  428. 		return new(big.Int).Neg(n)

  429. 	case BadValueZero:

  430. 		return big.NewInt(0)

  431. 	case BadValueLimit:

  432. 		return limit

  433. 	case BadValueLarge:

  434. 		bad := new(big.Int).Set(limit)

  435. 		return bad.Lsh(bad, 20)

  436. 	default:

  437. 		panic("unknown BadValue type")

  438. 	}

  439. }

  440. 

  441. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  442. 	var curveid CurveID

  443. 	preferredCurves := config.curvePreferences()

  444. 

  445. NextCandidate:

  446. 	for _, candidate := range preferredCurves {

  447. 		for _, c := range clientHello.supportedCurves {

  448. 			if candidate == c {

  449. 				curveid = c

  450. 				break NextCandidate

  451. 			}

  452. 		}

  453. 	}

  454. 

  455. 	if curveid == 0 {

  456. 		return nil, errors.New("tls: no supported elliptic curves offered")

  457. 	}

  458. 

  459. 	var ok bool

  460. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  461. 		return nil, errors.New("tls: preferredCurves includes unsupported curve")

  462. 	}

  463. 

  464. 	var x, y *big.Int

  465. 	var err error

  466. 	ka.privateKey, x, y, err = elliptic.GenerateKey(ka.curve, config.rand())

  467. 	if err != nil {

  468. 		return nil, err

  469. 	}

  470. 	ecdhePublic := elliptic.Marshal(ka.curve, x, y)

  471. 

  472. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  473. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  474. 	serverECDHParams[0] = 3 // named curve

  475. 	serverECDHParams[1] = byte(curveid >> 8)

  476. 	serverECDHParams[2] = byte(curveid)

  477. 	if config.Bugs.InvalidSKXCurve {

  478. 		serverECDHParams[2] ^= 0xff

  479. 	}

  480. 	serverECDHParams[3] = byte(len(ecdhePublic))

  481. 	copy(serverECDHParams[4:], ecdhePublic)

  482. 

  483. 	return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams)

  484. }

  485. 

  486. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  487. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  488. 		return nil, errClientKeyExchange

  489. 	}

  490. 	x, y := elliptic.Unmarshal(ka.curve, ckx.ciphertext[1:])

  491. 	if x == nil {

  492. 		return nil, errClientKeyExchange

  493. 	}

  494. 	x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)

  495. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  496. 	xBytes := x.Bytes()

  497. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  498. 

  499. 	return preMasterSecret, nil

  500. }

  501. 

  502. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  503. 	if len(skx.key) < 4 {

  504. 		return errServerKeyExchange

  505. 	}

  506. 	if skx.key[0] != 3 { // named curve

  507. 		return errors.New("tls: server selected unsupported curve")

  508. 	}

  509. 	curveid := CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  510. 

  511. 	var ok bool

  512. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  513. 		return errors.New("tls: server selected unsupported curve")

  514. 	}

  515. 

  516. 	publicLen := int(skx.key[3])

  517. 	if publicLen+4 > len(skx.key) {

  518. 		return errServerKeyExchange

  519. 	}

  520. 	ka.x, ka.y = elliptic.Unmarshal(ka.curve, skx.key[4:4+publicLen])

  521. 	if ka.x == nil {

  522. 		return errServerKeyExchange

  523. 	}

  524. 	serverECDHParams := skx.key[:4+publicLen]

  525. 	sig := skx.key[4+publicLen:]

  526. 

  527. 	return ka.auth.verifyParameters(config, clientHello, serverHello, cert, serverECDHParams, sig)

  528. }

  529. 

  530. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  531. 	if ka.curve == nil {

  532. 		return nil, nil, errors.New("missing ServerKeyExchange message")

  533. 	}

  534. 	priv, mx, my, err := elliptic.GenerateKey(ka.curve, config.rand())

  535. 	if err != nil {

  536. 		return nil, nil, err

  537. 	}

  538. 	x, _ := ka.curve.ScalarMult(ka.x, ka.y, priv)

  539. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  540. 	xBytes := x.Bytes()

  541. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  542. 

  543. 	serialized := elliptic.Marshal(ka.curve, mx, my)

  544. 

  545. 	ckx := new(clientKeyExchangeMsg)

  546. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  547. 	ckx.ciphertext[0] = byte(len(serialized))

  548. 	copy(ckx.ciphertext[1:], serialized)

  549. 

  550. 	return preMasterSecret, ckx, nil

  551. }

  552. 

  553. // dheRSAKeyAgreement implements a TLS key agreement where the server generates

  554. // an ephemeral Diffie-Hellman public/private key pair and signs it. The

  555. // pre-master secret is then calculated using Diffie-Hellman.

  556. type dheKeyAgreement struct {

  557. 	auth    keyAgreementAuthentication

  558. 	p, g    *big.Int

  559. 	yTheirs *big.Int

  560. 	xOurs   *big.Int

  561. }

  562. 

  563. func (ka *dheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  564. 	var q *big.Int

  565. 	if p := config.Bugs.DHGroupPrime; p != nil {

  566. 		ka.p = p

  567. 		ka.g = big.NewInt(2)

  568. 		q = p

  569. 	} else {

  570. 		// 2048-bit MODP Group with 256-bit Prime Order Subgroup (RFC

  571. 		// 5114, Section 2.3)

  572. 		ka.p, _ = new(big.Int).SetString("87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597", 16)

  573. 		ka.g, _ = new(big.Int).SetString("3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659", 16)

  574. 		q, _ = new(big.Int).SetString("8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3", 16)

  575. 	}

  576. 

  577. 	var err error

  578. 	ka.xOurs, err = rand.Int(config.rand(), q)

  579. 	if err != nil {

  580. 		return nil, err

  581. 	}

  582. 	yOurs := new(big.Int).Exp(ka.g, ka.xOurs, ka.p)

  583. 

  584. 	// http://tools.ietf.org/html/rfc5246#section-7.4.3

  585. 	pBytes := ka.p.Bytes()

  586. 	gBytes := ka.g.Bytes()

  587. 	yBytes := yOurs.Bytes()

  588. 	serverDHParams := make([]byte, 0, 2+len(pBytes)+2+len(gBytes)+2+len(yBytes))

  589. 	serverDHParams = append(serverDHParams, byte(len(pBytes)>>8), byte(len(pBytes)))

  590. 	serverDHParams = append(serverDHParams, pBytes...)

  591. 	serverDHParams = append(serverDHParams, byte(len(gBytes)>>8), byte(len(gBytes)))

  592. 	serverDHParams = append(serverDHParams, gBytes...)

  593. 	serverDHParams = append(serverDHParams, byte(len(yBytes)>>8), byte(len(yBytes)))

  594. 	serverDHParams = append(serverDHParams, yBytes...)

  595. 

  596. 	return ka.auth.signParameters(config, cert, clientHello, hello, serverDHParams)

  597. }

  598. 

  599. func (ka *dheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  600. 	if len(ckx.ciphertext) < 2 {

  601. 		return nil, errClientKeyExchange

  602. 	}

  603. 	yLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1])

  604. 	if yLen != len(ckx.ciphertext)-2 {

  605. 		return nil, errClientKeyExchange

  606. 	}

  607. 	yTheirs := new(big.Int).SetBytes(ckx.ciphertext[2:])

  608. 	if yTheirs.Sign() <= 0 || yTheirs.Cmp(ka.p) >= 0 {

  609. 		return nil, errClientKeyExchange

  610. 	}

  611. 	return new(big.Int).Exp(yTheirs, ka.xOurs, ka.p).Bytes(), nil

  612. }

  613. 

  614. func (ka *dheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  615. 	// Read dh_p

  616. 	k := skx.key

  617. 	if len(k) < 2 {

  618. 		return errServerKeyExchange

  619. 	}

  620. 	pLen := (int(k[0]) << 8) | int(k[1])

  621. 	k = k[2:]

  622. 	if len(k) < pLen {

  623. 		return errServerKeyExchange

  624. 	}

  625. 	ka.p = new(big.Int).SetBytes(k[:pLen])

  626. 	k = k[pLen:]

  627. 

  628. 	// Read dh_g

  629. 	if len(k) < 2 {

  630. 		return errServerKeyExchange

  631. 	}

  632. 	gLen := (int(k[0]) << 8) | int(k[1])

  633. 	k = k[2:]

  634. 	if len(k) < gLen {

  635. 		return errServerKeyExchange

  636. 	}

  637. 	ka.g = new(big.Int).SetBytes(k[:gLen])

  638. 	k = k[gLen:]

  639. 

  640. 	// Read dh_Ys

  641. 	if len(k) < 2 {

  642. 		return errServerKeyExchange

  643. 	}

  644. 	yLen := (int(k[0]) << 8) | int(k[1])

  645. 	k = k[2:]

  646. 	if len(k) < yLen {

  647. 		return errServerKeyExchange

  648. 	}

  649. 	ka.yTheirs = new(big.Int).SetBytes(k[:yLen])

  650. 	k = k[yLen:]

  651. 	if ka.yTheirs.Sign() <= 0 || ka.yTheirs.Cmp(ka.p) >= 0 {

  652. 		return errServerKeyExchange

  653. 	}

  654. 

  655. 	sig := k

  656. 	serverDHParams := skx.key[:len(skx.key)-len(sig)]

  657. 

  658. 	return ka.auth.verifyParameters(config, clientHello, serverHello, cert, serverDHParams, sig)

  659. }

  660. 

  661. func (ka *dheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  662. 	if ka.p == nil || ka.g == nil || ka.yTheirs == nil {

  663. 		return nil, nil, errors.New("missing ServerKeyExchange message")

  664. 	}

  665. 

  666. 	xOurs, err := rand.Int(config.rand(), ka.p)

  667. 	if err != nil {

  668. 		return nil, nil, err

  669. 	}

  670. 	preMasterSecret := new(big.Int).Exp(ka.yTheirs, xOurs, ka.p).Bytes()

  671. 

  672. 	yOurs := new(big.Int).Exp(ka.g, xOurs, ka.p)

  673. 	yBytes := yOurs.Bytes()

  674. 	ckx := new(clientKeyExchangeMsg)

  675. 	ckx.ciphertext = make([]byte, 2+len(yBytes))

  676. 	ckx.ciphertext[0] = byte(len(yBytes) >> 8)

  677. 	ckx.ciphertext[1] = byte(len(yBytes))

  678. 	copy(ckx.ciphertext[2:], yBytes)

  679. 

  680. 	return preMasterSecret, ckx, nil

  681. }

  682. 

  683. // nilKeyAgreement is a fake key agreement used to implement the plain PSK key

  684. // exchange.

  685. type nilKeyAgreement struct{}

  686. 

  687. func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  688. 	return nil, nil

  689. }

  690. 

  691. func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  692. 	if len(ckx.ciphertext) != 0 {

  693. 		return nil, errClientKeyExchange

  694. 	}

  695. 

  696. 	// Although in plain PSK, otherSecret is all zeros, the base key

  697. 	// agreement does not access to the length of the pre-shared

  698. 	// key. pskKeyAgreement instead interprets nil to mean to use all zeros

  699. 	// of the appropriate length.

  700. 	return nil, nil

  701. }

  702. 

  703. func (ka *nilKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  704. 	if len(skx.key) != 0 {

  705. 		return errServerKeyExchange

  706. 	}

  707. 	return nil

  708. }

  709. 

  710. func (ka *nilKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  711. 	// Although in plain PSK, otherSecret is all zeros, the base key

  712. 	// agreement does not access to the length of the pre-shared

  713. 	// key. pskKeyAgreement instead interprets nil to mean to use all zeros

  714. 	// of the appropriate length.

  715. 	return nil, &clientKeyExchangeMsg{}, nil

  716. }

  717. 

  718. // makePSKPremaster formats a PSK pre-master secret based on otherSecret from

  719. // the base key exchange and psk.

  720. func makePSKPremaster(otherSecret, psk []byte) []byte {

  721. 	out := make([]byte, 0, 2+len(otherSecret)+2+len(psk))

  722. 	out = append(out, byte(len(otherSecret)>>8), byte(len(otherSecret)))

  723. 	out = append(out, otherSecret...)

  724. 	out = append(out, byte(len(psk)>>8), byte(len(psk)))

  725. 	out = append(out, psk...)

  726. 	return out

  727. }

  728. 

  729. // pskKeyAgreement implements the PSK key agreement.

  730. type pskKeyAgreement struct {

  731. 	base         keyAgreement

  732. 	identityHint string

  733. }

  734. 

  735. func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  736. 	// Assemble the identity hint.

  737. 	bytes := make([]byte, 2+len(config.PreSharedKeyIdentity))

  738. 	bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8)

  739. 	bytes[1] = byte(len(config.PreSharedKeyIdentity))

  740. 	copy(bytes[2:], []byte(config.PreSharedKeyIdentity))

  741. 

  742. 	// If there is one, append the base key agreement's

  743. 	// ServerKeyExchange.

  744. 	baseSkx, err := ka.base.generateServerKeyExchange(config, cert, clientHello, hello)

  745. 	if err != nil {

  746. 		return nil, err

  747. 	}

  748. 

  749. 	if baseSkx != nil {

  750. 		bytes = append(bytes, baseSkx.key...)

  751. 	} else if config.PreSharedKeyIdentity == "" {

  752. 		// ServerKeyExchange is optional if the identity hint is empty

  753. 		// and there would otherwise be no ServerKeyExchange.

  754. 		return nil, nil

  755. 	}

  756. 

  757. 	skx := new(serverKeyExchangeMsg)

  758. 	skx.key = bytes

  759. 	return skx, nil

  760. }

  761. 

  762. func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  763. 	// First, process the PSK identity.

  764. 	if len(ckx.ciphertext) < 2 {

  765. 		return nil, errClientKeyExchange

  766. 	}

  767. 	identityLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1])

  768. 	if 2+identityLen > len(ckx.ciphertext) {

  769. 		return nil, errClientKeyExchange

  770. 	}

  771. 	identity := string(ckx.ciphertext[2 : 2+identityLen])

  772. 

  773. 	if identity != config.PreSharedKeyIdentity {

  774. 		return nil, errors.New("tls: unexpected identity")

  775. 	}

  776. 

  777. 	if config.PreSharedKey == nil {

  778. 		return nil, errors.New("tls: pre-shared key not configured")

  779. 	}

  780. 

  781. 	// Process the remainder of the ClientKeyExchange to compute the base

  782. 	// pre-master secret.

  783. 	newCkx := new(clientKeyExchangeMsg)

  784. 	newCkx.ciphertext = ckx.ciphertext[2+identityLen:]

  785. 	otherSecret, err := ka.base.processClientKeyExchange(config, cert, newCkx, version)

  786. 	if err != nil {

  787. 		return nil, err

  788. 	}

  789. 

  790. 	if otherSecret == nil {

  791. 		// Special-case for the plain PSK key exchanges.

  792. 		otherSecret = make([]byte, len(config.PreSharedKey))

  793. 	}

  794. 	return makePSKPremaster(otherSecret, config.PreSharedKey), nil

  795. }

  796. 

  797. func (ka *pskKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  798. 	if len(skx.key) < 2 {

  799. 		return errServerKeyExchange

  800. 	}

  801. 	identityLen := (int(skx.key[0]) << 8) | int(skx.key[1])

  802. 	if 2+identityLen > len(skx.key) {

  803. 		return errServerKeyExchange

  804. 	}

  805. 	ka.identityHint = string(skx.key[2 : 2+identityLen])

  806. 

  807. 	// Process the remainder of the ServerKeyExchange.

  808. 	newSkx := new(serverKeyExchangeMsg)

  809. 	newSkx.key = skx.key[2+identityLen:]

  810. 	return ka.base.processServerKeyExchange(config, clientHello, serverHello, cert, newSkx)

  811. }

  812. 

  813. func (ka *pskKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  814. 	// The server only sends an identity hint but, for purposes of

  815. 	// test code, the server always sends the hint and it is

  816. 	// required to match.

  817. 	if ka.identityHint != config.PreSharedKeyIdentity {

  818. 		return nil, nil, errors.New("tls: unexpected identity")

  819. 	}

  820. 

  821. 	// Serialize the identity.

  822. 	bytes := make([]byte, 2+len(config.PreSharedKeyIdentity))

  823. 	bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8)

  824. 	bytes[1] = byte(len(config.PreSharedKeyIdentity))

  825. 	copy(bytes[2:], []byte(config.PreSharedKeyIdentity))

  826. 

  827. 	// Append the base key exchange's ClientKeyExchange.

  828. 	otherSecret, baseCkx, err := ka.base.generateClientKeyExchange(config, clientHello, cert)

  829. 	if err != nil {

  830. 		return nil, nil, err

  831. 	}

  832. 	ckx := new(clientKeyExchangeMsg)

  833. 	ckx.ciphertext = append(bytes, baseCkx.ciphertext...)

  834. 

  835. 	if config.PreSharedKey == nil {

  836. 		return nil, nil, errors.New("tls: pre-shared key not configured")

  837. 	}

  838. 	if otherSecret == nil {

  839. 		otherSecret = make([]byte, len(config.PreSharedKey))

  840. 	}

  841. 	return makePSKPremaster(otherSecret, config.PreSharedKey), ckx, nil

  842. }