kris
/
th5
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Alternative TLS implementation in Go
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
570 Коміти
3 Гілки
2.6 MiB
Гілка: master
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з 'master'
${ noResults }
th5/key_agreement.go

key_agreement.go 12 KiB
Неформатований Постійне посилання Звичайний вигляд Історія

crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Change package trs to th5
5 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto: add package. The crypto package is added as a common place to store identifiers for hash functions. At the moment, the rsa package has an enumeration of hash functions and knowledge of their digest lengths. This is an unfortunate coupling and other high level crypto packages tend to need to duplicate this enumeration and knowledge (i.e. openpgp). crypto pulls this code out into a common location. It would also make sense to add similar support for ciphers to crypto, but the problem there isn't as acute that isn't done in this change. R=bradfitzgo, r, rsc CC=golang-dev https://golang.org/cl/4080046
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
src/pkg/[a-m]*: gofix -r error -force=error R=golang-dev, iant CC=golang-dev https://golang.org/cl/5322051
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
renaming_2: gofix -r go1pkgrename src/pkg/[a-l]* R=rsc CC=golang-dev https://golang.org/cl/5358041
13 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
Changes needed to make tris a separated lib
5 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Add negotiated group to ConnectionState
5 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 роки тому
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 роки тому
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
all: fix misprints in comments These were found by grepping the comments from the go code and feeding the output to aspell. Change-Id: Id734d6c8d1938ec3c36bd94a4dbbad577e3ad395 Reviewed-on: https://go-review.googlesource.com/10941 Reviewed-by: Aamir Khan <syst3m.w0rm@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
9 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
all: single space after period. The tree's pretty inconsistent about single space vs double space after a period in documentation. Make it consistently a single space, per earlier decisions. This means contributors won't be confused by misleading precedence. This CL doesn't use go/doc to parse. It only addresses // comments. It was generated with: $ perl -i -npe 's,^(\s*// .+[a-z]\.) +([A-Z]),$1 $2,' $(git grep -l -E '^\s*//(.+\.) +([A-Z])') $ go test go/doc -update Change-Id: Iccdb99c37c797ef1f804a94b22ba5ee4b500c4f7 Reviewed-on: https://go-review.googlesource.com/20022 Reviewed-by: Rob Pike <r@golang.org> Reviewed-by: Dave Day <djd@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Add a []byte argument to hash.Hash to allow an allocation to be saved. This is the result of running `gofix -r hashsum` over the tree, changing the hash function implementations by hand and then fixing a couple of instances where gofix didn't catch something. The changed implementations are as simple as possible while still working: I'm not trying to optimise in this CL. R=rsc, cw, rogpeppe CC=golang-dev https://golang.org/cl/5448065
13 роки тому
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10 роки тому
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 роки тому
all: fix article typos a -> an Change-Id: I7362bdc199e83073a712be657f5d9ba16df3077e Reviewed-on: https://go-review.googlesource.com/63850 Reviewed-by: Rob Pike <r@golang.org>
7 роки тому
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Add negotiated group to ConnectionState
5 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: don't select ECC ciphersuites with no mutual curve. The existing code that tried to prevent ECC ciphersuites from being selected when there were no mutual curves still left |suite| set. This lead to a panic on a nil pointer when there were no acceptable ciphersuites at all. Thanks to George Kadianakis for pointing it out. R=golang-dev, r, bradfitz CC=golang-dev https://golang.org/cl/5857043
12 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 роки тому
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: make error prefix uniform. Error strings in this package were all over the place: some were prefixed with “tls:”, some with “crypto/tls:” and some didn't have a prefix. This change makes everything use the prefix “tls:”. Change-Id: Ie8b073c897764b691140412ecd6613da8c4e33a2 Reviewed-on: https://go-review.googlesource.com/21893 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: don't check whether an ec point is on a curve twice The processClientKeyExchange and processServerKeyExchange functions unmarshal an encoded EC point and explicitly check whether the point is on the curve. The explicit check can be omitted because elliptic.Unmarshal fails if the point is not on the curve and the returned error would always be the same. Fixes #20496 Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb Reviewed-on: https://go-review.googlesource.com/44311 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Avelino <t@avelino.xxx> Run-TryBot: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: implement TLS 1.3 minimal server
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: implement TLS 1.3 minimal server
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: don't check whether an ec point is on a curve twice The processClientKeyExchange and processServerKeyExchange functions unmarshal an encoded EC point and explicitly check whether the point is on the curve. The explicit check can be omitted because elliptic.Unmarshal fails if the point is not on the curve and the returned error would always be the same. Fixes #20496 Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb Reviewed-on: https://go-review.googlesource.com/44311 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Avelino <t@avelino.xxx> Run-TryBot: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7 роки тому
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 роки тому
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7 роки тому
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: make error prefix uniform. Error strings in this package were all over the place: some were prefixed with “tls:”, some with “crypto/tls:” and some didn't have a prefix. This change makes everything use the prefix “tls:”. Change-Id: Ie8b073c897764b691140412ecd6613da8c4e33a2 Reviewed-on: https://go-review.googlesource.com/21893 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
pkg: spelling tweaks, A-H R=ality, bradfitz, rsc, dsymonds, adg, qyzhai, dchest CC=golang-dev https://golang.org/cl/4536063
13 роки тому
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 роки тому
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package th5

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/elliptic"

  10. 	"crypto/md5"

  11. 	"crypto/rsa"

  12. 	"crypto/sha1"

  13. 	"errors"

  14. 	"io"

  15. 	"math/big"

  16. 

  17. 	"golang.org/x/crypto/curve25519"

  18. )

  19. 

  20. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  21. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  22. 

  23. // rsaKeyAgreement implements the standard TLS key agreement where the client

  24. // encrypts the pre-master secret to the server's public key.

  25. type rsaKeyAgreement struct{}

  26. 

  27. func (ka rsaKeyAgreement) NegotiatedGroup() CurveID {

  28. 	return CurveID(0)

  29. }

  30. 

  31. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  32. 	return nil, nil

  33. }

  34. 

  35. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  36. 	if len(ckx.ciphertext) < 2 {

  37. 		return nil, errClientKeyExchange

  38. 	}

  39. 

  40. 	ciphertext := ckx.ciphertext

  41. 	if version != VersionSSL30 {

  42. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  43. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  44. 			return nil, errClientKeyExchange

  45. 		}

  46. 		ciphertext = ckx.ciphertext[2:]

  47. 	}

  48. 	priv, ok := sk.(crypto.Decrypter)

  49. 	if !ok {

  50. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  51. 	}

  52. 	// Perform constant time RSA PKCS#1 v1.5 decryption

  53. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  54. 	if err != nil {

  55. 		return nil, err

  56. 	}

  57. 	// We don't check the version number in the premaster secret. For one,

  58. 	// by checking it, we would leak information about the validity of the

  59. 	// encrypted pre-master secret. Secondly, it provides only a small

  60. 	// benefit against a downgrade attack and some implementations send the

  61. 	// wrong version anyway. See the discussion at the end of section

  62. 	// 7.4.7.1 of RFC 4346.

  63. 	return preMasterSecret, nil

  64. }

  65. 

  66. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  67. 	return errors.New("tls: unexpected ServerKeyExchange")

  68. }

  69. 

  70. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  71. 	preMasterSecret := make([]byte, 48)

  72. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  73. 	preMasterSecret[1] = byte(clientHello.vers)

  74. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  75. 	if err != nil {

  76. 		return nil, nil, err

  77. 	}

  78. 

  79. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), pk.(*rsa.PublicKey), preMasterSecret)

  80. 	if err != nil {

  81. 		return nil, nil, err

  82. 	}

  83. 	ckx := new(clientKeyExchangeMsg)

  84. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  85. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  86. 	ckx.ciphertext[1] = byte(len(encrypted))

  87. 	copy(ckx.ciphertext[2:], encrypted)

  88. 	return preMasterSecret, ckx, nil

  89. }

  90. 

  91. // sha1Hash calculates a SHA1 hash over the given byte slices.

  92. func sha1Hash(slices [][]byte) []byte {

  93. 	hsha1 := sha1.New()

  94. 	for _, slice := range slices {

  95. 		hsha1.Write(slice)

  96. 	}

  97. 	return hsha1.Sum(nil)

  98. }

  99. 

  100. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  101. // concatenation of an MD5 and SHA1 hash.

  102. func md5SHA1Hash(slices [][]byte) []byte {

  103. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  104. 	hmd5 := md5.New()

  105. 	for _, slice := range slices {

  106. 		hmd5.Write(slice)

  107. 	}

  108. 	copy(md5sha1, hmd5.Sum(nil))

  109. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  110. 	return md5sha1

  111. }

  112. 

  113. // hashForServerKeyExchange hashes the given slices and returns their digest

  114. // using the given hash function.

  115. func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) ([]byte, error) {

  116. 	if version >= VersionTLS12 {

  117. 		h := hashFunc.New()

  118. 		for _, slice := range slices {

  119. 			h.Write(slice)

  120. 		}

  121. 		digest := h.Sum(nil)

  122. 		return digest, nil

  123. 	}

  124. 	if sigType == signatureECDSA {

  125. 		return sha1Hash(slices), nil

  126. 	}

  127. 	return md5SHA1Hash(slices), nil

  128. }

  129. 

  130. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  131. 	switch id {

  132. 	case CurveP256:

  133. 		return elliptic.P256(), true

  134. 	case CurveP384:

  135. 		return elliptic.P384(), true

  136. 	case CurveP521:

  137. 		return elliptic.P521(), true

  138. 	default:

  139. 		return nil, false

  140. 	}

  141. 

  142. }

  143. 

  144. // ecdheKeyAgreement implements a TLS key agreement where the server

  145. // generates an ephemeral EC public/private key pair and signs it. The

  146. // pre-master secret is then calculated using ECDH. The signature may

  147. // either be ECDSA or RSA.

  148. type ecdheKeyAgreement struct {

  149. 	version    uint16

  150. 	isRSA      bool

  151. 	privateKey []byte

  152. 	curveid    CurveID

  153. 

  154. 	// publicKey is used to store the peer's public value when X25519 is

  155. 	// being used.

  156. 	publicKey []byte

  157. 	// x and y are used to store the peer's public value when one of the

  158. 	// NIST curves is being used.

  159. 	x, y *big.Int

  160. }

  161. 

  162. func (ka *ecdheKeyAgreement) NegotiatedGroup() CurveID {

  163. 	return ka.curveid

  164. }

  165. 

  166. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  167. 	preferredCurves := config.curvePreferences()

  168. 

  169. NextCandidate:

  170. 	for _, candidate := range preferredCurves {

  171. 		for _, c := range clientHello.supportedCurves {

  172. 			if candidate == c {

  173. 				ka.curveid = c

  174. 				break NextCandidate

  175. 			}

  176. 		}

  177. 	}

  178. 

  179. 	if ka.curveid == 0 {

  180. 		return nil, errors.New("tls: no supported elliptic curves offered")

  181. 	}

  182. 

  183. 	var ecdhePublic []byte

  184. 

  185. 	if ka.curveid == X25519 {

  186. 		var scalar, public [32]byte

  187. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  188. 			return nil, err

  189. 		}

  190. 

  191. 		curve25519.ScalarBaseMult(&public, &scalar)

  192. 		ka.privateKey = scalar[:]

  193. 		ecdhePublic = public[:]

  194. 	} else {

  195. 		curve, ok := curveForCurveID(ka.curveid)

  196. 		if !ok {

  197. 			return nil, errors.New("tls: preferredCurves includes unsupported curve")

  198. 		}

  199. 

  200. 		var x, y *big.Int

  201. 		var err error

  202. 		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())

  203. 		if err != nil {

  204. 			return nil, err

  205. 		}

  206. 		ecdhePublic = elliptic.Marshal(curve, x, y)

  207. 	}

  208. 

  209. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  210. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  211. 	serverECDHParams[0] = 3 // named curve

  212. 	serverECDHParams[1] = byte(ka.curveid >> 8)

  213. 	serverECDHParams[2] = byte(ka.curveid)

  214. 	serverECDHParams[3] = byte(len(ecdhePublic))

  215. 	copy(serverECDHParams[4:], ecdhePublic)

  216. 

  217. 	priv, ok := sk.(crypto.Signer)

  218. 	if !ok {

  219. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  220. 	}

  221. 

  222. 	signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version)

  223. 	if err != nil {

  224. 		return nil, err

  225. 	}

  226. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  227. 		return nil, errors.New("tls: certificate cannot be used with the selected cipher suite")

  228. 	}

  229. 

  230. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, hello.random, serverECDHParams)

  231. 	if err != nil {

  232. 		return nil, err

  233. 	}

  234. 

  235. 	var sig []byte

  236. 	signOpts := crypto.SignerOpts(hashFunc)

  237. 	if sigType == signatureRSAPSS {

  238. 		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc}

  239. 	}

  240. 	sig, err = priv.Sign(config.rand(), digest, signOpts)

  241. 	if err != nil {

  242. 		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())

  243. 	}

  244. 

  245. 	skx := new(serverKeyExchangeMsg)

  246. 	sigAndHashLen := 0

  247. 	if ka.version >= VersionTLS12 {

  248. 		sigAndHashLen = 2

  249. 	}

  250. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  251. 	copy(skx.key, serverECDHParams)

  252. 	k := skx.key[len(serverECDHParams):]

  253. 	if ka.version >= VersionTLS12 {

  254. 		k[0] = byte(signatureAlgorithm >> 8)

  255. 		k[1] = byte(signatureAlgorithm)

  256. 		k = k[2:]

  257. 	}

  258. 	k[0] = byte(len(sig) >> 8)

  259. 	k[1] = byte(len(sig))

  260. 	copy(k[2:], sig)

  261. 

  262. 	return skx, nil

  263. }

  264. 

  265. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  266. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  267. 		return nil, errClientKeyExchange

  268. 	}

  269. 

  270. 	if ka.curveid == X25519 {

  271. 		if len(ckx.ciphertext) != 1+32 {

  272. 			return nil, errClientKeyExchange

  273. 		}

  274. 

  275. 		var theirPublic, sharedKey, scalar [32]byte

  276. 		copy(theirPublic[:], ckx.ciphertext[1:])

  277. 		copy(scalar[:], ka.privateKey)

  278. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  279. 		return sharedKey[:], nil

  280. 	}

  281. 

  282. 	curve, ok := curveForCurveID(ka.curveid)

  283. 	if !ok {

  284. 		panic("internal error")

  285. 	}

  286. 	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve

  287. 	if x == nil {

  288. 		return nil, errClientKeyExchange

  289. 	}

  290. 	x, _ = curve.ScalarMult(x, y, ka.privateKey)

  291. 	curveSize := (curve.Params().BitSize + 7) >> 3

  292. 	xBytes := x.Bytes()

  293. 	if len(xBytes) == curveSize {

  294. 		return xBytes, nil

  295. 	}

  296. 	preMasterSecret := make([]byte, curveSize)

  297. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  298. 	return preMasterSecret, nil

  299. }

  300. 

  301. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  302. 	if len(skx.key) < 4 {

  303. 		return errServerKeyExchange

  304. 	}

  305. 	if skx.key[0] != 3 { // named curve

  306. 		return errors.New("tls: server selected unsupported curve")

  307. 	}

  308. 	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  309. 

  310. 	publicLen := int(skx.key[3])

  311. 	if publicLen+4 > len(skx.key) {

  312. 		return errServerKeyExchange

  313. 	}

  314. 	serverECDHParams := skx.key[:4+publicLen]

  315. 	publicKey := serverECDHParams[4:]

  316. 

  317. 	sig := skx.key[4+publicLen:]

  318. 	if len(sig) < 2 {

  319. 		return errServerKeyExchange

  320. 	}

  321. 

  322. 	if ka.curveid == X25519 {

  323. 		if len(publicKey) != 32 {

  324. 			return errors.New("tls: bad X25519 public value")

  325. 		}

  326. 		ka.publicKey = publicKey

  327. 	} else {

  328. 		curve, ok := curveForCurveID(ka.curveid)

  329. 		if !ok {

  330. 			return errors.New("tls: server selected unsupported curve")

  331. 		}

  332. 		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve

  333. 		if ka.x == nil {

  334. 			return errServerKeyExchange

  335. 		}

  336. 	}

  337. 

  338. 	var signatureAlgorithm SignatureScheme

  339. 	if ka.version >= VersionTLS12 {

  340. 		// handle SignatureAndHashAlgorithm

  341. 		signatureAlgorithm = SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1])

  342. 		sig = sig[2:]

  343. 		if len(sig) < 2 {

  344. 			return errServerKeyExchange

  345. 		}

  346. 	}

  347. 	_, sigType, hashFunc, err := pickSignatureAlgorithm(pk, []SignatureScheme{signatureAlgorithm}, clientHello.supportedSignatureAlgorithms, ka.version)

  348. 	if err != nil {

  349. 		return err

  350. 	}

  351. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  352. 		return errServerKeyExchange

  353. 	}

  354. 

  355. 	sigLen := int(sig[0])<<8 | int(sig[1])

  356. 	if sigLen+2 != len(sig) {

  357. 		return errServerKeyExchange

  358. 	}

  359. 	sig = sig[2:]

  360. 

  361. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  362. 	if err != nil {

  363. 		return err

  364. 	}

  365. 	return verifyHandshakeSignature(sigType, pk, hashFunc, digest, sig)

  366. }

  367. 

  368. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  369. 	if ka.curveid == 0 {

  370. 		return nil, nil, errors.New("tls: missing ServerKeyExchange message")

  371. 	}

  372. 

  373. 	var serialized, preMasterSecret []byte

  374. 

  375. 	if ka.curveid == X25519 {

  376. 		var ourPublic, theirPublic, sharedKey, scalar [32]byte

  377. 

  378. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  379. 			return nil, nil, err

  380. 		}

  381. 

  382. 		copy(theirPublic[:], ka.publicKey)

  383. 		curve25519.ScalarBaseMult(&ourPublic, &scalar)

  384. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  385. 		serialized = ourPublic[:]

  386. 		preMasterSecret = sharedKey[:]

  387. 	} else {

  388. 		curve, ok := curveForCurveID(ka.curveid)

  389. 		if !ok {

  390. 			panic("internal error")

  391. 		}

  392. 		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())

  393. 		if err != nil {

  394. 			return nil, nil, err

  395. 		}

  396. 		x, _ := curve.ScalarMult(ka.x, ka.y, priv)

  397. 		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)

  398. 		xBytes := x.Bytes()

  399. 		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  400. 

  401. 		serialized = elliptic.Marshal(curve, mx, my)

  402. 	}

  403. 

  404. 	ckx := new(clientKeyExchangeMsg)

  405. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  406. 	ckx.ciphertext[0] = byte(len(serialized))

  407. 	copy(ckx.ciphertext[1:], serialized)

  408. 

  409. 	return preMasterSecret, ckx, nil

  410. }