kris
/
th5
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Alternative TLS implementation in Go
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
561 Révisions
3 Branches
2.6 MiB
 
 
Aborescence: 12f7b294ba
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '12f7b294ba'
${ noResults }
th5/key_agreement.go

403 lignes
12 KiB
Brut Annotations Historique 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/elliptic"

  10. 	"crypto/md5"

  11. 	"crypto/rsa"

  12. 	"crypto/sha1"

  13. 	"errors"

  14. 	"io"

  15. 	"math/big"

  16. 

  17. 	"golang.org/x/crypto/curve25519"

  18. )

  19. 

  20. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  21. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  22. 

  23. // rsaKeyAgreement implements the standard TLS key agreement where the client

  24. // encrypts the pre-master secret to the server's public key.

  25. type rsaKeyAgreement struct{}

  26. 

  27. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  28. 	return nil, nil

  29. }

  30. 

  31. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  32. 	if len(ckx.ciphertext) < 2 {

  33. 		return nil, errClientKeyExchange

  34. 	}

  35. 

  36. 	ciphertext := ckx.ciphertext

  37. 	if version != VersionSSL30 {

  38. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  39. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  40. 			return nil, errClientKeyExchange

  41. 		}

  42. 		ciphertext = ckx.ciphertext[2:]

  43. 	}

  44. 	priv, ok := sk.(crypto.Decrypter)

  45. 	if !ok {

  46. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  47. 	}

  48. 	// Perform constant time RSA PKCS#1 v1.5 decryption

  49. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  50. 	if err != nil {

  51. 		return nil, err

  52. 	}

  53. 	// We don't check the version number in the premaster secret. For one,

  54. 	// by checking it, we would leak information about the validity of the

  55. 	// encrypted pre-master secret. Secondly, it provides only a small

  56. 	// benefit against a downgrade attack and some implementations send the

  57. 	// wrong version anyway. See the discussion at the end of section

  58. 	// 7.4.7.1 of RFC 4346.

  59. 	return preMasterSecret, nil

  60. }

  61. 

  62. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  63. 	return errors.New("tls: unexpected ServerKeyExchange")

  64. }

  65. 

  66. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  67. 	preMasterSecret := make([]byte, 48)

  68. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  69. 	preMasterSecret[1] = byte(clientHello.vers)

  70. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  71. 	if err != nil {

  72. 		return nil, nil, err

  73. 	}

  74. 

  75. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), pk.(*rsa.PublicKey), preMasterSecret)

  76. 	if err != nil {

  77. 		return nil, nil, err

  78. 	}

  79. 	ckx := new(clientKeyExchangeMsg)

  80. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  81. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  82. 	ckx.ciphertext[1] = byte(len(encrypted))

  83. 	copy(ckx.ciphertext[2:], encrypted)

  84. 	return preMasterSecret, ckx, nil

  85. }

  86. 

  87. // sha1Hash calculates a SHA1 hash over the given byte slices.

  88. func sha1Hash(slices [][]byte) []byte {

  89. 	hsha1 := sha1.New()

  90. 	for _, slice := range slices {

  91. 		hsha1.Write(slice)

  92. 	}

  93. 	return hsha1.Sum(nil)

  94. }

  95. 

  96. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  97. // concatenation of an MD5 and SHA1 hash.

  98. func md5SHA1Hash(slices [][]byte) []byte {

  99. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  100. 	hmd5 := md5.New()

  101. 	for _, slice := range slices {

  102. 		hmd5.Write(slice)

  103. 	}

  104. 	copy(md5sha1, hmd5.Sum(nil))

  105. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  106. 	return md5sha1

  107. }

  108. 

  109. // hashForServerKeyExchange hashes the given slices and returns their digest

  110. // using the given hash function.

  111. func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) ([]byte, error) {

  112. 	if version >= VersionTLS12 {

  113. 		h := hashFunc.New()

  114. 		for _, slice := range slices {

  115. 			h.Write(slice)

  116. 		}

  117. 		digest := h.Sum(nil)

  118. 		return digest, nil

  119. 	}

  120. 	if sigType == signatureECDSA {

  121. 		return sha1Hash(slices), nil

  122. 	}

  123. 	return md5SHA1Hash(slices), nil

  124. }

  125. 

  126. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  127. 	switch id {

  128. 	case CurveP256:

  129. 		return elliptic.P256(), true

  130. 	case CurveP384:

  131. 		return elliptic.P384(), true

  132. 	case CurveP521:

  133. 		return elliptic.P521(), true

  134. 	default:

  135. 		return nil, false

  136. 	}

  137. 

  138. }

  139. 

  140. // ecdheKeyAgreement implements a TLS key agreement where the server

  141. // generates an ephemeral EC public/private key pair and signs it. The

  142. // pre-master secret is then calculated using ECDH. The signature may

  143. // either be ECDSA or RSA.

  144. type ecdheKeyAgreement struct {

  145. 	version    uint16

  146. 	isRSA      bool

  147. 	privateKey []byte

  148. 	curveid    CurveID

  149. 

  150. 	// publicKey is used to store the peer's public value when X25519 is

  151. 	// being used.

  152. 	publicKey []byte

  153. 	// x and y are used to store the peer's public value when one of the

  154. 	// NIST curves is being used.

  155. 	x, y *big.Int

  156. }

  157. 

  158. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  159. 	preferredCurves := config.curvePreferences()

  160. 

  161. NextCandidate:

  162. 	for _, candidate := range preferredCurves {

  163. 		for _, c := range clientHello.supportedCurves {

  164. 			if candidate == c {

  165. 				ka.curveid = c

  166. 				break NextCandidate

  167. 			}

  168. 		}

  169. 	}

  170. 

  171. 	if ka.curveid == 0 {

  172. 		return nil, errors.New("tls: no supported elliptic curves offered")

  173. 	}

  174. 

  175. 	var ecdhePublic []byte

  176. 

  177. 	if ka.curveid == X25519 {

  178. 		var scalar, public [32]byte

  179. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  180. 			return nil, err

  181. 		}

  182. 

  183. 		curve25519.ScalarBaseMult(&public, &scalar)

  184. 		ka.privateKey = scalar[:]

  185. 		ecdhePublic = public[:]

  186. 	} else {

  187. 		curve, ok := curveForCurveID(ka.curveid)

  188. 		if !ok {

  189. 			return nil, errors.New("tls: preferredCurves includes unsupported curve")

  190. 		}

  191. 

  192. 		var x, y *big.Int

  193. 		var err error

  194. 		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())

  195. 		if err != nil {

  196. 			return nil, err

  197. 		}

  198. 		ecdhePublic = elliptic.Marshal(curve, x, y)

  199. 	}

  200. 

  201. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  202. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  203. 	serverECDHParams[0] = 3 // named curve

  204. 	serverECDHParams[1] = byte(ka.curveid >> 8)

  205. 	serverECDHParams[2] = byte(ka.curveid)

  206. 	serverECDHParams[3] = byte(len(ecdhePublic))

  207. 	copy(serverECDHParams[4:], ecdhePublic)

  208. 

  209. 	priv, ok := sk.(crypto.Signer)

  210. 	if !ok {

  211. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  212. 	}

  213. 

  214. 	signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version)

  215. 	if err != nil {

  216. 		return nil, err

  217. 	}

  218. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  219. 		return nil, errors.New("tls: certificate cannot be used with the selected cipher suite")

  220. 	}

  221. 

  222. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, hello.random, serverECDHParams)

  223. 	if err != nil {

  224. 		return nil, err

  225. 	}

  226. 

  227. 	var sig []byte

  228. 	signOpts := crypto.SignerOpts(hashFunc)

  229. 	if sigType == signatureRSAPSS {

  230. 		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc}

  231. 	}

  232. 	sig, err = priv.Sign(config.rand(), digest, signOpts)

  233. 	if err != nil {

  234. 		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())

  235. 	}

  236. 

  237. 	skx := new(serverKeyExchangeMsg)

  238. 	sigAndHashLen := 0

  239. 	if ka.version >= VersionTLS12 {

  240. 		sigAndHashLen = 2

  241. 	}

  242. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  243. 	copy(skx.key, serverECDHParams)

  244. 	k := skx.key[len(serverECDHParams):]

  245. 	if ka.version >= VersionTLS12 {

  246. 		k[0] = byte(signatureAlgorithm >> 8)

  247. 		k[1] = byte(signatureAlgorithm)

  248. 		k = k[2:]

  249. 	}

  250. 	k[0] = byte(len(sig) >> 8)

  251. 	k[1] = byte(len(sig))

  252. 	copy(k[2:], sig)

  253. 

  254. 	return skx, nil

  255. }

  256. 

  257. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  258. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  259. 		return nil, errClientKeyExchange

  260. 	}

  261. 

  262. 	if ka.curveid == X25519 {

  263. 		if len(ckx.ciphertext) != 1+32 {

  264. 			return nil, errClientKeyExchange

  265. 		}

  266. 

  267. 		var theirPublic, sharedKey, scalar [32]byte

  268. 		copy(theirPublic[:], ckx.ciphertext[1:])

  269. 		copy(scalar[:], ka.privateKey)

  270. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  271. 		return sharedKey[:], nil

  272. 	}

  273. 

  274. 	curve, ok := curveForCurveID(ka.curveid)

  275. 	if !ok {

  276. 		panic("internal error")

  277. 	}

  278. 	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve

  279. 	if x == nil {

  280. 		return nil, errClientKeyExchange

  281. 	}

  282. 	x, _ = curve.ScalarMult(x, y, ka.privateKey)

  283. 	curveSize := (curve.Params().BitSize + 7) >> 3

  284. 	xBytes := x.Bytes()

  285. 	if len(xBytes) == curveSize {

  286. 		return xBytes, nil

  287. 	}

  288. 	preMasterSecret := make([]byte, curveSize)

  289. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  290. 	return preMasterSecret, nil

  291. }

  292. 

  293. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  294. 	if len(skx.key) < 4 {

  295. 		return errServerKeyExchange

  296. 	}

  297. 	if skx.key[0] != 3 { // named curve

  298. 		return errors.New("tls: server selected unsupported curve")

  299. 	}

  300. 	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  301. 

  302. 	publicLen := int(skx.key[3])

  303. 	if publicLen+4 > len(skx.key) {

  304. 		return errServerKeyExchange

  305. 	}

  306. 	serverECDHParams := skx.key[:4+publicLen]

  307. 	publicKey := serverECDHParams[4:]

  308. 

  309. 	sig := skx.key[4+publicLen:]

  310. 	if len(sig) < 2 {

  311. 		return errServerKeyExchange

  312. 	}

  313. 

  314. 	if ka.curveid == X25519 {

  315. 		if len(publicKey) != 32 {

  316. 			return errors.New("tls: bad X25519 public value")

  317. 		}

  318. 		ka.publicKey = publicKey

  319. 	} else {

  320. 		curve, ok := curveForCurveID(ka.curveid)

  321. 		if !ok {

  322. 			return errors.New("tls: server selected unsupported curve")

  323. 		}

  324. 		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve

  325. 		if ka.x == nil {

  326. 			return errServerKeyExchange

  327. 		}

  328. 	}

  329. 

  330. 	var signatureAlgorithm SignatureScheme

  331. 	if ka.version >= VersionTLS12 {

  332. 		// handle SignatureAndHashAlgorithm

  333. 		signatureAlgorithm = SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1])

  334. 		sig = sig[2:]

  335. 		if len(sig) < 2 {

  336. 			return errServerKeyExchange

  337. 		}

  338. 	}

  339. 	_, sigType, hashFunc, err := pickSignatureAlgorithm(pk, []SignatureScheme{signatureAlgorithm}, clientHello.supportedSignatureAlgorithms, ka.version)

  340. 	if err != nil {

  341. 		return err

  342. 	}

  343. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  344. 		return errServerKeyExchange

  345. 	}

  346. 

  347. 	sigLen := int(sig[0])<<8 | int(sig[1])

  348. 	if sigLen+2 != len(sig) {

  349. 		return errServerKeyExchange

  350. 	}

  351. 	sig = sig[2:]

  352. 

  353. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  354. 	if err != nil {

  355. 		return err

  356. 	}

  357. 	return verifyHandshakeSignature(sigType, pk, hashFunc, digest, sig)

  358. }

  359. 

  360. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  361. 	if ka.curveid == 0 {

  362. 		return nil, nil, errors.New("tls: missing ServerKeyExchange message")

  363. 	}

  364. 

  365. 	var serialized, preMasterSecret []byte

  366. 

  367. 	if ka.curveid == X25519 {

  368. 		var ourPublic, theirPublic, sharedKey, scalar [32]byte

  369. 

  370. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  371. 			return nil, nil, err

  372. 		}

  373. 

  374. 		copy(theirPublic[:], ka.publicKey)

  375. 		curve25519.ScalarBaseMult(&ourPublic, &scalar)

  376. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  377. 		serialized = ourPublic[:]

  378. 		preMasterSecret = sharedKey[:]

  379. 	} else {

  380. 		curve, ok := curveForCurveID(ka.curveid)

  381. 		if !ok {

  382. 			panic("internal error")

  383. 		}

  384. 		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())

  385. 		if err != nil {

  386. 			return nil, nil, err

  387. 		}

  388. 		x, _ := curve.ScalarMult(ka.x, ka.y, priv)

  389. 		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)

  390. 		xBytes := x.Bytes()

  391. 		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  392. 

  393. 		serialized = elliptic.Marshal(curve, mx, my)

  394. 	}

  395. 

  396. 	ckx := new(clientKeyExchangeMsg)

  397. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  398. 	ckx.ciphertext[0] = byte(len(serialized))

  399. 	copy(ckx.ciphertext[1:], serialized)

  400. 

  401. 	return preMasterSecret, ckx, nil

  402. }