kris
/
boringssl
1
0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
887 коммитов
12 Ветки
38 MiB
 
 
 
 
 
 
Дерево: d660b57208
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'd660b57208'
${ noResults }
boringssl/ssl/test/runner/key_agreement.go

777 строки
26 KiB
Исходник Вина История 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package main

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/elliptic"

  11. 	"crypto/md5"

  12. 	"crypto/rand"

  13. 	"crypto/rsa"

  14. 	"crypto/sha1"

  15. 	"crypto/x509"

  16. 	"encoding/asn1"

  17. 	"errors"

  18. 	"io"

  19. 	"math/big"

  20. )

  21. 

  22. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  23. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  24. 

  25. // rsaKeyAgreement implements the standard TLS key agreement where the client

  26. // encrypts the pre-master secret to the server's public key.

  27. type rsaKeyAgreement struct {

  28. 	clientVersion uint16

  29. }

  30. 

  31. func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  32. 	// Save the client version for comparison later.

  33. 	ka.clientVersion = versionToWire(clientHello.vers, clientHello.isDTLS)

  34. 

  35. 	if config.Bugs.RSAServerKeyExchange {

  36. 		// Send an empty ServerKeyExchange message.

  37. 		return &serverKeyExchangeMsg{}, nil

  38. 	}

  39. 

  40. 	return nil, nil

  41. }

  42. 

  43. func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  44. 	preMasterSecret := make([]byte, 48)

  45. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  46. 	if err != nil {

  47. 		return nil, err

  48. 	}

  49. 

  50. 	if len(ckx.ciphertext) < 2 {

  51. 		return nil, errClientKeyExchange

  52. 	}

  53. 

  54. 	ciphertext := ckx.ciphertext

  55. 	if version != VersionSSL30 {

  56. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  57. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  58. 			return nil, errClientKeyExchange

  59. 		}

  60. 		ciphertext = ckx.ciphertext[2:]

  61. 	}

  62. 

  63. 	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)

  64. 	if err != nil {

  65. 		return nil, err

  66. 	}

  67. 	// This check should be done in constant-time, but this is a testing

  68. 	// implementation. See the discussion at the end of section 7.4.7.1 of

  69. 	// RFC 4346.

  70. 	vers := uint16(preMasterSecret[0])<<8 | uint16(preMasterSecret[1])

  71. 	if ka.clientVersion != vers {

  72. 		return nil, errors.New("tls: invalid version in RSA premaster")

  73. 	}

  74. 	return preMasterSecret, nil

  75. }

  76. 

  77. func (ka *rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  78. 	return errors.New("tls: unexpected ServerKeyExchange")

  79. }

  80. 

  81. func (ka *rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  82. 	preMasterSecret := make([]byte, 48)

  83. 	vers := clientHello.vers

  84. 	if config.Bugs.RsaClientKeyExchangeVersion != 0 {

  85. 		vers = config.Bugs.RsaClientKeyExchangeVersion

  86. 	}

  87. 	vers = versionToWire(vers, clientHello.isDTLS)

  88. 	preMasterSecret[0] = byte(vers >> 8)

  89. 	preMasterSecret[1] = byte(vers)

  90. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  91. 	if err != nil {

  92. 		return nil, nil, err

  93. 	}

  94. 

  95. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)

  96. 	if err != nil {

  97. 		return nil, nil, err

  98. 	}

  99. 	ckx := new(clientKeyExchangeMsg)

  100. 	if clientHello.vers != VersionSSL30 && !config.Bugs.SSL3RSAKeyExchange {

  101. 		ckx.ciphertext = make([]byte, len(encrypted)+2)

  102. 		ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  103. 		ckx.ciphertext[1] = byte(len(encrypted))

  104. 		copy(ckx.ciphertext[2:], encrypted)

  105. 	} else {

  106. 		ckx.ciphertext = encrypted

  107. 	}

  108. 	return preMasterSecret, ckx, nil

  109. }

  110. 

  111. // sha1Hash calculates a SHA1 hash over the given byte slices.

  112. func sha1Hash(slices [][]byte) []byte {

  113. 	hsha1 := sha1.New()

  114. 	for _, slice := range slices {

  115. 		hsha1.Write(slice)

  116. 	}

  117. 	return hsha1.Sum(nil)

  118. }

  119. 

  120. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  121. // concatenation of an MD5 and SHA1 hash.

  122. func md5SHA1Hash(slices [][]byte) []byte {

  123. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  124. 	hmd5 := md5.New()

  125. 	for _, slice := range slices {

  126. 		hmd5.Write(slice)

  127. 	}

  128. 	copy(md5sha1, hmd5.Sum(nil))

  129. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  130. 	return md5sha1

  131. }

  132. 

  133. // hashForServerKeyExchange hashes the given slices and returns their digest

  134. // and the identifier of the hash function used. The hashFunc argument is only

  135. // used for >= TLS 1.2 and precisely identifies the hash function to use.

  136. func hashForServerKeyExchange(sigType, hashFunc uint8, version uint16, slices ...[]byte) ([]byte, crypto.Hash, error) {

  137. 	if version >= VersionTLS12 {

  138. 		hash, err := lookupTLSHash(hashFunc)

  139. 		if err != nil {

  140. 			return nil, 0, err

  141. 		}

  142. 		h := hash.New()

  143. 		for _, slice := range slices {

  144. 			h.Write(slice)

  145. 		}

  146. 		return h.Sum(nil), hash, nil

  147. 	}

  148. 	if sigType == signatureECDSA {

  149. 		return sha1Hash(slices), crypto.SHA1, nil

  150. 	}

  151. 	return md5SHA1Hash(slices), crypto.MD5SHA1, nil

  152. }

  153. 

  154. // pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a

  155. // ServerKeyExchange given the signature type being used and the client's

  156. // advertized list of supported signature and hash combinations.

  157. func pickTLS12HashForSignature(sigType uint8, clientSignatureAndHashes []signatureAndHash) (uint8, error) {

  158. 	if len(clientSignatureAndHashes) == 0 {

  159. 		// If the client didn't specify any signature_algorithms

  160. 		// extension then we can assume that it supports SHA1. See

  161. 		// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1

  162. 		return hashSHA1, nil

  163. 	}

  164. 

  165. 	for _, sigAndHash := range clientSignatureAndHashes {

  166. 		if sigAndHash.signature != sigType {

  167. 			continue

  168. 		}

  169. 		switch sigAndHash.hash {

  170. 		case hashSHA1, hashSHA256:

  171. 			return sigAndHash.hash, nil

  172. 		}

  173. 	}

  174. 

  175. 	return 0, errors.New("tls: client doesn't support any common hash functions")

  176. }

  177. 

  178. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  179. 	switch id {

  180. 	case CurveP256:

  181. 		return elliptic.P256(), true

  182. 	case CurveP384:

  183. 		return elliptic.P384(), true

  184. 	case CurveP521:

  185. 		return elliptic.P521(), true

  186. 	default:

  187. 		return nil, false

  188. 	}

  189. 

  190. }

  191. 

  192. // keyAgreementAuthentication is a helper interface that specifies how

  193. // to authenticate the ServerKeyExchange parameters.

  194. type keyAgreementAuthentication interface {

  195. 	signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error)

  196. 	verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error

  197. }

  198. 

  199. // nilKeyAgreementAuthentication does not authenticate the key

  200. // agreement parameters.

  201. type nilKeyAgreementAuthentication struct{}

  202. 

  203. func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {

  204. 	skx := new(serverKeyExchangeMsg)

  205. 	skx.key = params

  206. 	return skx, nil

  207. }

  208. 

  209. func (ka *nilKeyAgreementAuthentication) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error {

  210. 	return nil

  211. }

  212. 

  213. // signedKeyAgreement signs the ServerKeyExchange parameters with the

  214. // server's private key.

  215. type signedKeyAgreement struct {

  216. 	version uint16

  217. 	sigType uint8

  218. }

  219. 

  220. func (ka *signedKeyAgreement) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {

  221. 	var tls12HashId uint8

  222. 	var err error

  223. 	if ka.version >= VersionTLS12 {

  224. 		if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes); err != nil {

  225. 			return nil, err

  226. 		}

  227. 	}

  228. 

  229. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, hello.random, params)

  230. 	if err != nil {

  231. 		return nil, err

  232. 	}

  233. 

  234. 	if config.Bugs.InvalidSKXSignature {

  235. 		digest[0] ^= 0x80

  236. 	}

  237. 

  238. 	var sig []byte

  239. 	switch ka.sigType {

  240. 	case signatureECDSA:

  241. 		privKey, ok := cert.PrivateKey.(*ecdsa.PrivateKey)

  242. 		if !ok {

  243. 			return nil, errors.New("ECDHE ECDSA requires an ECDSA server private key")

  244. 		}

  245. 		r, s, err := ecdsa.Sign(config.rand(), privKey, digest)

  246. 		if err != nil {

  247. 			return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())

  248. 		}

  249. 		order := privKey.Curve.Params().N

  250. 		r = maybeCorruptECDSAValue(r, config.Bugs.BadECDSAR, order)

  251. 		s = maybeCorruptECDSAValue(s, config.Bugs.BadECDSAS, order)

  252. 		sig, err = asn1.Marshal(ecdsaSignature{r, s})

  253. 	case signatureRSA:

  254. 		privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)

  255. 		if !ok {

  256. 			return nil, errors.New("ECDHE RSA requires a RSA server private key")

  257. 		}

  258. 		sig, err = rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)

  259. 		if err != nil {

  260. 			return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())

  261. 		}

  262. 	default:

  263. 		return nil, errors.New("unknown ECDHE signature algorithm")

  264. 	}

  265. 

  266. 	skx := new(serverKeyExchangeMsg)

  267. 	if config.Bugs.UnauthenticatedECDH {

  268. 		skx.key = params

  269. 	} else {

  270. 		sigAndHashLen := 0

  271. 		if ka.version >= VersionTLS12 {

  272. 			sigAndHashLen = 2

  273. 		}

  274. 		skx.key = make([]byte, len(params)+sigAndHashLen+2+len(sig))

  275. 		copy(skx.key, params)

  276. 		k := skx.key[len(params):]

  277. 		if ka.version >= VersionTLS12 {

  278. 			k[0] = tls12HashId

  279. 			k[1] = ka.sigType

  280. 			k = k[2:]

  281. 		}

  282. 		k[0] = byte(len(sig) >> 8)

  283. 		k[1] = byte(len(sig))

  284. 		copy(k[2:], sig)

  285. 	}

  286. 

  287. 	return skx, nil

  288. }

  289. 

  290. func (ka *signedKeyAgreement) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) error {

  291. 	if len(sig) < 2 {

  292. 		return errServerKeyExchange

  293. 	}

  294. 

  295. 	var tls12HashId uint8

  296. 	if ka.version >= VersionTLS12 {

  297. 		// handle SignatureAndHashAlgorithm

  298. 		var sigAndHash []uint8

  299. 		sigAndHash, sig = sig[:2], sig[2:]

  300. 		if sigAndHash[1] != ka.sigType {

  301. 			return errServerKeyExchange

  302. 		}

  303. 		tls12HashId = sigAndHash[0]

  304. 		if len(sig) < 2 {

  305. 			return errServerKeyExchange

  306. 		}

  307. 

  308. 		if !isSupportedSignatureAndHash(signatureAndHash{ka.sigType, tls12HashId}, config.signatureAndHashesForClient()) {

  309. 			return errors.New("tls: unsupported hash function for ServerKeyExchange")

  310. 		}

  311. 	}

  312. 	sigLen := int(sig[0])<<8 | int(sig[1])

  313. 	if sigLen+2 != len(sig) {

  314. 		return errServerKeyExchange

  315. 	}

  316. 	sig = sig[2:]

  317. 

  318. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, serverHello.random, params)

  319. 	if err != nil {

  320. 		return err

  321. 	}

  322. 	switch ka.sigType {

  323. 	case signatureECDSA:

  324. 		pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)

  325. 		if !ok {

  326. 			return errors.New("ECDHE ECDSA requires a ECDSA server public key")

  327. 		}

  328. 		ecdsaSig := new(ecdsaSignature)

  329. 		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {

  330. 			return err

  331. 		}

  332. 		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

  333. 			return errors.New("ECDSA signature contained zero or negative values")

  334. 		}

  335. 		if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {

  336. 			return errors.New("ECDSA verification failure")

  337. 		}

  338. 	case signatureRSA:

  339. 		pubKey, ok := cert.PublicKey.(*rsa.PublicKey)

  340. 		if !ok {

  341. 			return errors.New("ECDHE RSA requires a RSA server public key")

  342. 		}

  343. 		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {

  344. 			return err

  345. 		}

  346. 	default:

  347. 		return errors.New("unknown ECDHE signature algorithm")

  348. 	}

  349. 

  350. 	return nil

  351. }

  352. 

  353. // ecdheRSAKeyAgreement implements a TLS key agreement where the server

  354. // generates a ephemeral EC public/private key pair and signs it. The

  355. // pre-master secret is then calculated using ECDH. The signature may

  356. // either be ECDSA or RSA.

  357. type ecdheKeyAgreement struct {

  358. 	auth       keyAgreementAuthentication

  359. 	privateKey []byte

  360. 	curve      elliptic.Curve

  361. 	x, y       *big.Int

  362. }

  363. 

  364. func maybeCorruptECDSAValue(n *big.Int, typeOfCorruption BadValue, limit *big.Int) *big.Int {

  365. 	switch typeOfCorruption {

  366. 	case BadValueNone:

  367. 		return n

  368. 	case BadValueNegative:

  369. 		return new(big.Int).Neg(n)

  370. 	case BadValueZero:

  371. 		return big.NewInt(0)

  372. 	case BadValueLimit:

  373. 		return limit

  374. 	case BadValueLarge:

  375. 		bad := new(big.Int).Set(limit)

  376. 		return bad.Lsh(bad, 20)

  377. 	default:

  378. 		panic("unknown BadValue type")

  379. 	}

  380. }

  381. 

  382. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  383. 	var curveid CurveID

  384. 	preferredCurves := config.curvePreferences()

  385. 

  386. NextCandidate:

  387. 	for _, candidate := range preferredCurves {

  388. 		for _, c := range clientHello.supportedCurves {

  389. 			if candidate == c {

  390. 				curveid = c

  391. 				break NextCandidate

  392. 			}

  393. 		}

  394. 	}

  395. 

  396. 	if curveid == 0 {

  397. 		return nil, errors.New("tls: no supported elliptic curves offered")

  398. 	}

  399. 

  400. 	var ok bool

  401. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  402. 		return nil, errors.New("tls: preferredCurves includes unsupported curve")

  403. 	}

  404. 

  405. 	var x, y *big.Int

  406. 	var err error

  407. 	ka.privateKey, x, y, err = elliptic.GenerateKey(ka.curve, config.rand())

  408. 	if err != nil {

  409. 		return nil, err

  410. 	}

  411. 	ecdhePublic := elliptic.Marshal(ka.curve, x, y)

  412. 

  413. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  414. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  415. 	serverECDHParams[0] = 3 // named curve

  416. 	serverECDHParams[1] = byte(curveid >> 8)

  417. 	serverECDHParams[2] = byte(curveid)

  418. 	if config.Bugs.InvalidSKXCurve {

  419. 		serverECDHParams[2] ^= 0xff

  420. 	}

  421. 	serverECDHParams[3] = byte(len(ecdhePublic))

  422. 	copy(serverECDHParams[4:], ecdhePublic)

  423. 

  424. 	return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams)

  425. }

  426. 

  427. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  428. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  429. 		return nil, errClientKeyExchange

  430. 	}

  431. 	x, y := elliptic.Unmarshal(ka.curve, ckx.ciphertext[1:])

  432. 	if x == nil {

  433. 		return nil, errClientKeyExchange

  434. 	}

  435. 	x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)

  436. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  437. 	xBytes := x.Bytes()

  438. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  439. 

  440. 	return preMasterSecret, nil

  441. }

  442. 

  443. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  444. 	if len(skx.key) < 4 {

  445. 		return errServerKeyExchange

  446. 	}

  447. 	if skx.key[0] != 3 { // named curve

  448. 		return errors.New("tls: server selected unsupported curve")

  449. 	}

  450. 	curveid := CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  451. 

  452. 	var ok bool

  453. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  454. 		return errors.New("tls: server selected unsupported curve")

  455. 	}

  456. 

  457. 	publicLen := int(skx.key[3])

  458. 	if publicLen+4 > len(skx.key) {

  459. 		return errServerKeyExchange

  460. 	}

  461. 	ka.x, ka.y = elliptic.Unmarshal(ka.curve, skx.key[4:4+publicLen])

  462. 	if ka.x == nil {

  463. 		return errServerKeyExchange

  464. 	}

  465. 	serverECDHParams := skx.key[:4+publicLen]

  466. 	sig := skx.key[4+publicLen:]

  467. 

  468. 	return ka.auth.verifyParameters(config, clientHello, serverHello, cert, serverECDHParams, sig)

  469. }

  470. 

  471. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  472. 	if ka.curve == nil {

  473. 		return nil, nil, errors.New("missing ServerKeyExchange message")

  474. 	}

  475. 	priv, mx, my, err := elliptic.GenerateKey(ka.curve, config.rand())

  476. 	if err != nil {

  477. 		return nil, nil, err

  478. 	}

  479. 	x, _ := ka.curve.ScalarMult(ka.x, ka.y, priv)

  480. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  481. 	xBytes := x.Bytes()

  482. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  483. 

  484. 	serialized := elliptic.Marshal(ka.curve, mx, my)

  485. 

  486. 	ckx := new(clientKeyExchangeMsg)

  487. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  488. 	ckx.ciphertext[0] = byte(len(serialized))

  489. 	copy(ckx.ciphertext[1:], serialized)

  490. 

  491. 	return preMasterSecret, ckx, nil

  492. }

  493. 

  494. // dheRSAKeyAgreement implements a TLS key agreement where the server generates

  495. // an ephemeral Diffie-Hellman public/private key pair and signs it. The

  496. // pre-master secret is then calculated using Diffie-Hellman.

  497. type dheKeyAgreement struct {

  498. 	auth    keyAgreementAuthentication

  499. 	p, g    *big.Int

  500. 	yTheirs *big.Int

  501. 	xOurs   *big.Int

  502. }

  503. 

  504. func (ka *dheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  505. 	// 2048-bit MODP Group with 256-bit Prime Order Subgroup (RFC

  506. 	// 5114, Section 2.3)

  507. 	ka.p, _ = new(big.Int).SetString("87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597", 16)

  508. 	ka.g, _ = new(big.Int).SetString("3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659", 16)

  509. 	q, _ := new(big.Int).SetString("8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3", 16)

  510. 

  511. 	var err error

  512. 	ka.xOurs, err = rand.Int(config.rand(), q)

  513. 	if err != nil {

  514. 		return nil, err

  515. 	}

  516. 	yOurs := new(big.Int).Exp(ka.g, ka.xOurs, ka.p)

  517. 

  518. 	// http://tools.ietf.org/html/rfc5246#section-7.4.3

  519. 	pBytes := ka.p.Bytes()

  520. 	gBytes := ka.g.Bytes()

  521. 	yBytes := yOurs.Bytes()

  522. 	serverDHParams := make([]byte, 0, 2+len(pBytes)+2+len(gBytes)+2+len(yBytes))

  523. 	serverDHParams = append(serverDHParams, byte(len(pBytes)>>8), byte(len(pBytes)))

  524. 	serverDHParams = append(serverDHParams, pBytes...)

  525. 	serverDHParams = append(serverDHParams, byte(len(gBytes)>>8), byte(len(gBytes)))

  526. 	serverDHParams = append(serverDHParams, gBytes...)

  527. 	serverDHParams = append(serverDHParams, byte(len(yBytes)>>8), byte(len(yBytes)))

  528. 	serverDHParams = append(serverDHParams, yBytes...)

  529. 

  530. 	return ka.auth.signParameters(config, cert, clientHello, hello, serverDHParams)

  531. }

  532. 

  533. func (ka *dheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  534. 	if len(ckx.ciphertext) < 2 {

  535. 		return nil, errClientKeyExchange

  536. 	}

  537. 	yLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1])

  538. 	if yLen != len(ckx.ciphertext)-2 {

  539. 		return nil, errClientKeyExchange

  540. 	}

  541. 	yTheirs := new(big.Int).SetBytes(ckx.ciphertext[2:])

  542. 	if yTheirs.Sign() <= 0 || yTheirs.Cmp(ka.p) >= 0 {

  543. 		return nil, errClientKeyExchange

  544. 	}

  545. 	return new(big.Int).Exp(yTheirs, ka.xOurs, ka.p).Bytes(), nil

  546. }

  547. 

  548. func (ka *dheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  549. 	// Read dh_p

  550. 	k := skx.key

  551. 	if len(k) < 2 {

  552. 		return errServerKeyExchange

  553. 	}

  554. 	pLen := (int(k[0]) << 8) | int(k[1])

  555. 	k = k[2:]

  556. 	if len(k) < pLen {

  557. 		return errServerKeyExchange

  558. 	}

  559. 	ka.p = new(big.Int).SetBytes(k[:pLen])

  560. 	k = k[pLen:]

  561. 

  562. 	// Read dh_g

  563. 	if len(k) < 2 {

  564. 		return errServerKeyExchange

  565. 	}

  566. 	gLen := (int(k[0]) << 8) | int(k[1])

  567. 	k = k[2:]

  568. 	if len(k) < gLen {

  569. 		return errServerKeyExchange

  570. 	}

  571. 	ka.g = new(big.Int).SetBytes(k[:gLen])

  572. 	k = k[gLen:]

  573. 

  574. 	// Read dh_Ys

  575. 	if len(k) < 2 {

  576. 		return errServerKeyExchange

  577. 	}

  578. 	yLen := (int(k[0]) << 8) | int(k[1])

  579. 	k = k[2:]

  580. 	if len(k) < yLen {

  581. 		return errServerKeyExchange

  582. 	}

  583. 	ka.yTheirs = new(big.Int).SetBytes(k[:yLen])

  584. 	k = k[yLen:]

  585. 	if ka.yTheirs.Sign() <= 0 || ka.yTheirs.Cmp(ka.p) >= 0 {

  586. 		return errServerKeyExchange

  587. 	}

  588. 

  589. 	sig := k

  590. 	serverDHParams := skx.key[:len(skx.key)-len(sig)]

  591. 

  592. 	return ka.auth.verifyParameters(config, clientHello, serverHello, cert, serverDHParams, sig)

  593. }

  594. 

  595. func (ka *dheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  596. 	if ka.p == nil || ka.g == nil || ka.yTheirs == nil {

  597. 		return nil, nil, errors.New("missing ServerKeyExchange message")

  598. 	}

  599. 

  600. 	xOurs, err := rand.Int(config.rand(), ka.p)

  601. 	if err != nil {

  602. 		return nil, nil, err

  603. 	}

  604. 	preMasterSecret := new(big.Int).Exp(ka.yTheirs, xOurs, ka.p).Bytes()

  605. 

  606. 	yOurs := new(big.Int).Exp(ka.g, xOurs, ka.p)

  607. 	yBytes := yOurs.Bytes()

  608. 	ckx := new(clientKeyExchangeMsg)

  609. 	ckx.ciphertext = make([]byte, 2+len(yBytes))

  610. 	ckx.ciphertext[0] = byte(len(yBytes) >> 8)

  611. 	ckx.ciphertext[1] = byte(len(yBytes))

  612. 	copy(ckx.ciphertext[2:], yBytes)

  613. 

  614. 	return preMasterSecret, ckx, nil

  615. }

  616. 

  617. // nilKeyAgreement is a fake key agreement used to implement the plain PSK key

  618. // exchange.

  619. type nilKeyAgreement struct{}

  620. 

  621. func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  622. 	return nil, nil

  623. }

  624. 

  625. func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  626. 	if len(ckx.ciphertext) != 0 {

  627. 		return nil, errClientKeyExchange

  628. 	}

  629. 

  630. 	// Although in plain PSK, otherSecret is all zeros, the base key

  631. 	// agreement does not access to the length of the pre-shared

  632. 	// key. pskKeyAgreement instead interprets nil to mean to use all zeros

  633. 	// of the appropriate length.

  634. 	return nil, nil

  635. }

  636. 

  637. func (ka *nilKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  638. 	if len(skx.key) != 0 {

  639. 		return errServerKeyExchange

  640. 	}

  641. 	return nil

  642. }

  643. 

  644. func (ka *nilKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  645. 	// Although in plain PSK, otherSecret is all zeros, the base key

  646. 	// agreement does not access to the length of the pre-shared

  647. 	// key. pskKeyAgreement instead interprets nil to mean to use all zeros

  648. 	// of the appropriate length.

  649. 	return nil, &clientKeyExchangeMsg{}, nil

  650. }

  651. 

  652. // makePSKPremaster formats a PSK pre-master secret based on otherSecret from

  653. // the base key exchange and psk.

  654. func makePSKPremaster(otherSecret, psk []byte) []byte {

  655. 	out := make([]byte, 0, 2+len(otherSecret)+2+len(psk))

  656. 	out = append(out, byte(len(otherSecret)>>8), byte(len(otherSecret)))

  657. 	out = append(out, otherSecret...)

  658. 	out = append(out, byte(len(psk)>>8), byte(len(psk)))

  659. 	out = append(out, psk...)

  660. 	return out

  661. }

  662. 

  663. // pskKeyAgreement implements the PSK key agreement.

  664. type pskKeyAgreement struct {

  665. 	base         keyAgreement

  666. 	identityHint string

  667. }

  668. 

  669. func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  670. 	// Assemble the identity hint.

  671. 	bytes := make([]byte, 2+len(config.PreSharedKeyIdentity))

  672. 	bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8)

  673. 	bytes[1] = byte(len(config.PreSharedKeyIdentity))

  674. 	copy(bytes[2:], []byte(config.PreSharedKeyIdentity))

  675. 

  676. 	// If there is one, append the base key agreement's

  677. 	// ServerKeyExchange.

  678. 	baseSkx, err := ka.base.generateServerKeyExchange(config, cert, clientHello, hello)

  679. 	if err != nil {

  680. 		return nil, err

  681. 	}

  682. 

  683. 	if baseSkx != nil {

  684. 		bytes = append(bytes, baseSkx.key...)

  685. 	} else if config.PreSharedKeyIdentity == "" {

  686. 		// ServerKeyExchange is optional if the identity hint is empty

  687. 		// and there would otherwise be no ServerKeyExchange.

  688. 		return nil, nil

  689. 	}

  690. 

  691. 	skx := new(serverKeyExchangeMsg)

  692. 	skx.key = bytes

  693. 	return skx, nil

  694. }

  695. 

  696. func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  697. 	// First, process the PSK identity.

  698. 	if len(ckx.ciphertext) < 2 {

  699. 		return nil, errClientKeyExchange

  700. 	}

  701. 	identityLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1])

  702. 	if 2+identityLen > len(ckx.ciphertext) {

  703. 		return nil, errClientKeyExchange

  704. 	}

  705. 	identity := string(ckx.ciphertext[2 : 2+identityLen])

  706. 

  707. 	if identity != config.PreSharedKeyIdentity {

  708. 		return nil, errors.New("tls: unexpected identity")

  709. 	}

  710. 

  711. 	if config.PreSharedKey == nil {

  712. 		return nil, errors.New("tls: pre-shared key not configured")

  713. 	}

  714. 

  715. 	// Process the remainder of the ClientKeyExchange to compute the base

  716. 	// pre-master secret.

  717. 	newCkx := new(clientKeyExchangeMsg)

  718. 	newCkx.ciphertext = ckx.ciphertext[2+identityLen:]

  719. 	otherSecret, err := ka.base.processClientKeyExchange(config, cert, newCkx, version)

  720. 	if err != nil {

  721. 		return nil, err

  722. 	}

  723. 

  724. 	if otherSecret == nil {

  725. 		// Special-case for the plain PSK key exchanges.

  726. 		otherSecret = make([]byte, len(config.PreSharedKey))

  727. 	}

  728. 	return makePSKPremaster(otherSecret, config.PreSharedKey), nil

  729. }

  730. 

  731. func (ka *pskKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  732. 	if len(skx.key) < 2 {

  733. 		return errServerKeyExchange

  734. 	}

  735. 	identityLen := (int(skx.key[0]) << 8) | int(skx.key[1])

  736. 	if 2+identityLen > len(skx.key) {

  737. 		return errServerKeyExchange

  738. 	}

  739. 	ka.identityHint = string(skx.key[2 : 2+identityLen])

  740. 

  741. 	// Process the remainder of the ServerKeyExchange.

  742. 	newSkx := new(serverKeyExchangeMsg)

  743. 	newSkx.key = skx.key[2+identityLen:]

  744. 	return ka.base.processServerKeyExchange(config, clientHello, serverHello, cert, newSkx)

  745. }

  746. 

  747. func (ka *pskKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  748. 	// The server only sends an identity hint but, for purposes of

  749. 	// test code, the server always sends the hint and it is

  750. 	// required to match.

  751. 	if ka.identityHint != config.PreSharedKeyIdentity {

  752. 		return nil, nil, errors.New("tls: unexpected identity")

  753. 	}

  754. 

  755. 	// Serialize the identity.

  756. 	bytes := make([]byte, 2+len(config.PreSharedKeyIdentity))

  757. 	bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8)

  758. 	bytes[1] = byte(len(config.PreSharedKeyIdentity))

  759. 	copy(bytes[2:], []byte(config.PreSharedKeyIdentity))

  760. 

  761. 	// Append the base key exchange's ClientKeyExchange.

  762. 	otherSecret, baseCkx, err := ka.base.generateClientKeyExchange(config, clientHello, cert)

  763. 	if err != nil {

  764. 		return nil, nil, err

  765. 	}

  766. 	ckx := new(clientKeyExchangeMsg)

  767. 	ckx.ciphertext = append(bytes, baseCkx.ciphertext...)

  768. 

  769. 	if config.PreSharedKey == nil {

  770. 		return nil, nil, errors.New("tls: pre-shared key not configured")

  771. 	}

  772. 	if otherSecret == nil {

  773. 		otherSecret = make([]byte, len(config.PreSharedKey))

  774. 	}

  775. 	return makePSKPremaster(otherSecret, config.PreSharedKey), ckx, nil

  776. }