kris
/
th5
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
Alternative TLS implementation in Go
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
226 Commit
3 Rami (Branch)
2.6 MiB
 
 
Albero (Tree): 0269b0170f
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '0269b0170f'
${ noResults }
th5/key_agreement.go

412 righe
12 KiB
Originale Blame Cronologia 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/elliptic"

  11. 	"crypto/md5"

  12. 	"crypto/rsa"

  13. 	"crypto/sha1"

  14. 	"crypto/sha256"

  15. 	"crypto/x509"

  16. 	"encoding/asn1"

  17. 	"errors"

  18. 	"io"

  19. 	"math/big"

  20. )

  21. 

  22. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  23. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  24. 

  25. // rsaKeyAgreement implements the standard TLS key agreement where the client

  26. // encrypts the pre-master secret to the server's public key.

  27. type rsaKeyAgreement struct{}

  28. 

  29. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  30. 	return nil, nil

  31. }

  32. 

  33. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  34. 	if len(ckx.ciphertext) < 2 {

  35. 		return nil, errClientKeyExchange

  36. 	}

  37. 

  38. 	ciphertext := ckx.ciphertext

  39. 	if version != VersionSSL30 {

  40. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  41. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  42. 			return nil, errClientKeyExchange

  43. 		}

  44. 		ciphertext = ckx.ciphertext[2:]

  45. 	}

  46. 	priv, ok := cert.PrivateKey.(crypto.Decrypter)

  47. 	if !ok {

  48. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  49. 	}

  50. 	// Perform contant time RSA PKCS#1 v1.5 decryption

  51. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  52. 	if err != nil {

  53. 		return nil, err

  54. 	}

  55. 	// We don't check the version number in the premaster secret.  For one,

  56. 	// by checking it, we would leak information about the validity of the

  57. 	// encrypted pre-master secret. Secondly, it provides only a small

  58. 	// benefit against a downgrade attack and some implementations send the

  59. 	// wrong version anyway. See the discussion at the end of section

  60. 	// 7.4.7.1 of RFC 4346.

  61. 	return preMasterSecret, nil

  62. }

  63. 

  64. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  65. 	return errors.New("tls: unexpected ServerKeyExchange")

  66. }

  67. 

  68. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  69. 	preMasterSecret := make([]byte, 48)

  70. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  71. 	preMasterSecret[1] = byte(clientHello.vers)

  72. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  73. 	if err != nil {

  74. 		return nil, nil, err

  75. 	}

  76. 

  77. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)

  78. 	if err != nil {

  79. 		return nil, nil, err

  80. 	}

  81. 	ckx := new(clientKeyExchangeMsg)

  82. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  83. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  84. 	ckx.ciphertext[1] = byte(len(encrypted))

  85. 	copy(ckx.ciphertext[2:], encrypted)

  86. 	return preMasterSecret, ckx, nil

  87. }

  88. 

  89. // sha1Hash calculates a SHA1 hash over the given byte slices.

  90. func sha1Hash(slices [][]byte) []byte {

  91. 	hsha1 := sha1.New()

  92. 	for _, slice := range slices {

  93. 		hsha1.Write(slice)

  94. 	}

  95. 	return hsha1.Sum(nil)

  96. }

  97. 

  98. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  99. // concatenation of an MD5 and SHA1 hash.

  100. func md5SHA1Hash(slices [][]byte) []byte {

  101. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  102. 	hmd5 := md5.New()

  103. 	for _, slice := range slices {

  104. 		hmd5.Write(slice)

  105. 	}

  106. 	copy(md5sha1, hmd5.Sum(nil))

  107. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  108. 	return md5sha1

  109. }

  110. 

  111. // sha256Hash implements TLS 1.2's hash function.

  112. func sha256Hash(slices [][]byte) []byte {

  113. 	h := sha256.New()

  114. 	for _, slice := range slices {

  115. 		h.Write(slice)

  116. 	}

  117. 	return h.Sum(nil)

  118. }

  119. 

  120. // hashForServerKeyExchange hashes the given slices and returns their digest

  121. // and the identifier of the hash function used. The hashFunc argument is only

  122. // used for >= TLS 1.2 and precisely identifies the hash function to use.

  123. func hashForServerKeyExchange(sigType, hashFunc uint8, version uint16, slices ...[]byte) ([]byte, crypto.Hash, error) {

  124. 	if version >= VersionTLS12 {

  125. 		switch hashFunc {

  126. 		case hashSHA256:

  127. 			return sha256Hash(slices), crypto.SHA256, nil

  128. 		case hashSHA1:

  129. 			return sha1Hash(slices), crypto.SHA1, nil

  130. 		default:

  131. 			return nil, crypto.Hash(0), errors.New("tls: unknown hash function used by peer")

  132. 		}

  133. 	}

  134. 	if sigType == signatureECDSA {

  135. 		return sha1Hash(slices), crypto.SHA1, nil

  136. 	}

  137. 	return md5SHA1Hash(slices), crypto.MD5SHA1, nil

  138. }

  139. 

  140. // pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a

  141. // ServerKeyExchange given the signature type being used and the client's

  142. // advertised list of supported signature and hash combinations.

  143. func pickTLS12HashForSignature(sigType uint8, clientSignatureAndHashes []signatureAndHash) (uint8, error) {

  144. 	if len(clientSignatureAndHashes) == 0 {

  145. 		// If the client didn't specify any signature_algorithms

  146. 		// extension then we can assume that it supports SHA1. See

  147. 		// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1

  148. 		return hashSHA1, nil

  149. 	}

  150. 

  151. 	for _, sigAndHash := range clientSignatureAndHashes {

  152. 		if sigAndHash.signature != sigType {

  153. 			continue

  154. 		}

  155. 		switch sigAndHash.hash {

  156. 		case hashSHA1, hashSHA256:

  157. 			return sigAndHash.hash, nil

  158. 		}

  159. 	}

  160. 

  161. 	return 0, errors.New("tls: client doesn't support any common hash functions")

  162. }

  163. 

  164. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  165. 	switch id {

  166. 	case CurveP256:

  167. 		return elliptic.P256(), true

  168. 	case CurveP384:

  169. 		return elliptic.P384(), true

  170. 	case CurveP521:

  171. 		return elliptic.P521(), true

  172. 	default:

  173. 		return nil, false

  174. 	}

  175. 

  176. }

  177. 

  178. // ecdheRSAKeyAgreement implements a TLS key agreement where the server

  179. // generates a ephemeral EC public/private key pair and signs it. The

  180. // pre-master secret is then calculated using ECDH. The signature may

  181. // either be ECDSA or RSA.

  182. type ecdheKeyAgreement struct {

  183. 	version    uint16

  184. 	sigType    uint8

  185. 	privateKey []byte

  186. 	curve      elliptic.Curve

  187. 	x, y       *big.Int

  188. }

  189. 

  190. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  191. 	var curveid CurveID

  192. 	preferredCurves := config.curvePreferences()

  193. 

  194. NextCandidate:

  195. 	for _, candidate := range preferredCurves {

  196. 		for _, c := range clientHello.supportedCurves {

  197. 			if candidate == c {

  198. 				curveid = c

  199. 				break NextCandidate

  200. 			}

  201. 		}

  202. 	}

  203. 

  204. 	if curveid == 0 {

  205. 		return nil, errors.New("tls: no supported elliptic curves offered")

  206. 	}

  207. 

  208. 	var ok bool

  209. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  210. 		return nil, errors.New("tls: preferredCurves includes unsupported curve")

  211. 	}

  212. 

  213. 	var x, y *big.Int

  214. 	var err error

  215. 	ka.privateKey, x, y, err = elliptic.GenerateKey(ka.curve, config.rand())

  216. 	if err != nil {

  217. 		return nil, err

  218. 	}

  219. 	ecdhePublic := elliptic.Marshal(ka.curve, x, y)

  220. 

  221. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  222. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  223. 	serverECDHParams[0] = 3 // named curve

  224. 	serverECDHParams[1] = byte(curveid >> 8)

  225. 	serverECDHParams[2] = byte(curveid)

  226. 	serverECDHParams[3] = byte(len(ecdhePublic))

  227. 	copy(serverECDHParams[4:], ecdhePublic)

  228. 

  229. 	var tls12HashId uint8

  230. 	if ka.version >= VersionTLS12 {

  231. 		if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes); err != nil {

  232. 			return nil, err

  233. 		}

  234. 	}

  235. 

  236. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, hello.random, serverECDHParams)

  237. 	if err != nil {

  238. 		return nil, err

  239. 	}

  240. 

  241. 	priv, ok := cert.PrivateKey.(crypto.Signer)

  242. 	if !ok {

  243. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  244. 	}

  245. 	var sig []byte

  246. 	switch ka.sigType {

  247. 	case signatureECDSA:

  248. 		_, ok := priv.Public().(*ecdsa.PublicKey)

  249. 		if !ok {

  250. 			return nil, errors.New("ECDHE ECDSA requires an ECDSA server key")

  251. 		}

  252. 	case signatureRSA:

  253. 		_, ok := priv.Public().(*rsa.PublicKey)

  254. 		if !ok {

  255. 			return nil, errors.New("ECDHE RSA requires a RSA server key")

  256. 		}

  257. 	default:

  258. 		return nil, errors.New("unknown ECDHE signature algorithm")

  259. 	}

  260. 	sig, err = priv.Sign(config.rand(), digest, hashFunc)

  261. 	if err != nil {

  262. 		return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())

  263. 	}

  264. 

  265. 	skx := new(serverKeyExchangeMsg)

  266. 	sigAndHashLen := 0

  267. 	if ka.version >= VersionTLS12 {

  268. 		sigAndHashLen = 2

  269. 	}

  270. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  271. 	copy(skx.key, serverECDHParams)

  272. 	k := skx.key[len(serverECDHParams):]

  273. 	if ka.version >= VersionTLS12 {

  274. 		k[0] = tls12HashId

  275. 		k[1] = ka.sigType

  276. 		k = k[2:]

  277. 	}

  278. 	k[0] = byte(len(sig) >> 8)

  279. 	k[1] = byte(len(sig))

  280. 	copy(k[2:], sig)

  281. 

  282. 	return skx, nil

  283. }

  284. 

  285. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  286. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  287. 		return nil, errClientKeyExchange

  288. 	}

  289. 	x, y := elliptic.Unmarshal(ka.curve, ckx.ciphertext[1:])

  290. 	if x == nil {

  291. 		return nil, errClientKeyExchange

  292. 	}

  293. 	if !ka.curve.IsOnCurve(x, y) {

  294. 		return nil, errClientKeyExchange

  295. 	}

  296. 	x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)

  297. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  298. 	xBytes := x.Bytes()

  299. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  300. 

  301. 	return preMasterSecret, nil

  302. }

  303. 

  304. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {

  305. 	if len(skx.key) < 4 {

  306. 		return errServerKeyExchange

  307. 	}

  308. 	if skx.key[0] != 3 { // named curve

  309. 		return errors.New("tls: server selected unsupported curve")

  310. 	}

  311. 	curveid := CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  312. 

  313. 	var ok bool

  314. 	if ka.curve, ok = curveForCurveID(curveid); !ok {

  315. 		return errors.New("tls: server selected unsupported curve")

  316. 	}

  317. 

  318. 	publicLen := int(skx.key[3])

  319. 	if publicLen+4 > len(skx.key) {

  320. 		return errServerKeyExchange

  321. 	}

  322. 	ka.x, ka.y = elliptic.Unmarshal(ka.curve, skx.key[4:4+publicLen])

  323. 	if ka.x == nil {

  324. 		return errServerKeyExchange

  325. 	}

  326. 	if !ka.curve.IsOnCurve(ka.x, ka.y) {

  327. 		return errServerKeyExchange

  328. 	}

  329. 	serverECDHParams := skx.key[:4+publicLen]

  330. 

  331. 	sig := skx.key[4+publicLen:]

  332. 	if len(sig) < 2 {

  333. 		return errServerKeyExchange

  334. 	}

  335. 

  336. 	var tls12HashId uint8

  337. 	if ka.version >= VersionTLS12 {

  338. 		// handle SignatureAndHashAlgorithm

  339. 		var sigAndHash []uint8

  340. 		sigAndHash, sig = sig[:2], sig[2:]

  341. 		if sigAndHash[1] != ka.sigType {

  342. 			return errServerKeyExchange

  343. 		}

  344. 		tls12HashId = sigAndHash[0]

  345. 		if len(sig) < 2 {

  346. 			return errServerKeyExchange

  347. 		}

  348. 	}

  349. 	sigLen := int(sig[0])<<8 | int(sig[1])

  350. 	if sigLen+2 != len(sig) {

  351. 		return errServerKeyExchange

  352. 	}

  353. 	sig = sig[2:]

  354. 

  355. 	digest, hashFunc, err := hashForServerKeyExchange(ka.sigType, tls12HashId, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  356. 	if err != nil {

  357. 		return err

  358. 	}

  359. 	switch ka.sigType {

  360. 	case signatureECDSA:

  361. 		pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)

  362. 		if !ok {

  363. 			return errors.New("ECDHE ECDSA requires a ECDSA server public key")

  364. 		}

  365. 		ecdsaSig := new(ecdsaSignature)

  366. 		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {

  367. 			return err

  368. 		}

  369. 		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

  370. 			return errors.New("ECDSA signature contained zero or negative values")

  371. 		}

  372. 		if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {

  373. 			return errors.New("ECDSA verification failure")

  374. 		}

  375. 	case signatureRSA:

  376. 		pubKey, ok := cert.PublicKey.(*rsa.PublicKey)

  377. 		if !ok {

  378. 			return errors.New("ECDHE RSA requires a RSA server public key")

  379. 		}

  380. 		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {

  381. 			return err

  382. 		}

  383. 	default:

  384. 		return errors.New("unknown ECDHE signature algorithm")

  385. 	}

  386. 

  387. 	return nil

  388. }

  389. 

  390. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {

  391. 	if ka.curve == nil {

  392. 		return nil, nil, errors.New("missing ServerKeyExchange message")

  393. 	}

  394. 	priv, mx, my, err := elliptic.GenerateKey(ka.curve, config.rand())

  395. 	if err != nil {

  396. 		return nil, nil, err

  397. 	}

  398. 	x, _ := ka.curve.ScalarMult(ka.x, ka.y, priv)

  399. 	preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)

  400. 	xBytes := x.Bytes()

  401. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  402. 

  403. 	serialized := elliptic.Marshal(ka.curve, mx, my)

  404. 

  405. 	ckx := new(clientKeyExchangeMsg)

  406. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  407. 	ckx.ciphertext[0] = byte(len(serialized))

  408. 	copy(ckx.ciphertext[1:], serialized)

  409. 

  410. 	return preMasterSecret, ckx, nil

  411. }