kris
/
th5
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
505 Commits
3 Branches
2.6 MiB
 
 
Tree: 1ea9624098
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '1ea9624098'
${ noResults }
th5/key_agreement.go

403 regels
12 KiB
Ruw Blame Geschiedenis 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/elliptic"

  10. 	"crypto/md5"

  11. 	"crypto/rsa"

  12. 	"crypto/sha1"

  13. 	"errors"

  14. 	"io"

  15. 	"math/big"

  16. 

  17. 	"golang_org/x/crypto/curve25519"

  18. )

  19. 

  20. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  21. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  22. 

  23. // rsaKeyAgreement implements the standard TLS key agreement where the client

  24. // encrypts the pre-master secret to the server's public key.

  25. type rsaKeyAgreement struct{}

  26. 

  27. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  28. 	return nil, nil

  29. }

  30. 

  31. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  32. 	if len(ckx.ciphertext) < 2 {

  33. 		return nil, errClientKeyExchange

  34. 	}

  35. 

  36. 	ciphertext := ckx.ciphertext

  37. 	if version != VersionSSL30 {

  38. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  39. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  40. 			return nil, errClientKeyExchange

  41. 		}

  42. 		ciphertext = ckx.ciphertext[2:]

  43. 	}

  44. 	priv, ok := sk.(crypto.Decrypter)

  45. 	if !ok {

  46. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  47. 	}

  48. 	// Perform constant time RSA PKCS#1 v1.5 decryption

  49. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  50. 	if err != nil {

  51. 		return nil, err

  52. 	}

  53. 	// We don't check the version number in the premaster secret. For one,

  54. 	// by checking it, we would leak information about the validity of the

  55. 	// encrypted pre-master secret. Secondly, it provides only a small

  56. 	// benefit against a downgrade attack and some implementations send the

  57. 	// wrong version anyway. See the discussion at the end of section

  58. 	// 7.4.7.1 of RFC 4346.

  59. 	return preMasterSecret, nil

  60. }

  61. 

  62. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  63. 	return errors.New("tls: unexpected ServerKeyExchange")

  64. }

  65. 

  66. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  67. 	preMasterSecret := make([]byte, 48)

  68. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  69. 	preMasterSecret[1] = byte(clientHello.vers)

  70. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  71. 	if err != nil {

  72. 		return nil, nil, err

  73. 	}

  74. 

  75. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), pk.(*rsa.PublicKey), preMasterSecret)

  76. 	if err != nil {

  77. 		return nil, nil, err

  78. 	}

  79. 	ckx := new(clientKeyExchangeMsg)

  80. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  81. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  82. 	ckx.ciphertext[1] = byte(len(encrypted))

  83. 	copy(ckx.ciphertext[2:], encrypted)

  84. 	return preMasterSecret, ckx, nil

  85. }

  86. 

  87. // sha1Hash calculates a SHA1 hash over the given byte slices.

  88. func sha1Hash(slices [][]byte) []byte {

  89. 	hsha1 := sha1.New()

  90. 	for _, slice := range slices {

  91. 		hsha1.Write(slice)

  92. 	}

  93. 	return hsha1.Sum(nil)

  94. }

  95. 

  96. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  97. // concatenation of an MD5 and SHA1 hash.

  98. func md5SHA1Hash(slices [][]byte) []byte {

  99. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  100. 	hmd5 := md5.New()

  101. 	for _, slice := range slices {

  102. 		hmd5.Write(slice)

  103. 	}

  104. 	copy(md5sha1, hmd5.Sum(nil))

  105. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  106. 	return md5sha1

  107. }

  108. 

  109. // hashForServerKeyExchange hashes the given slices and returns their digest

  110. // using the given hash function.

  111. func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) ([]byte, error) {

  112. 	if version >= VersionTLS12 {

  113. 		h := hashFunc.New()

  114. 		for _, slice := range slices {

  115. 			h.Write(slice)

  116. 		}

  117. 		digest := h.Sum(nil)

  118. 		return digest, nil

  119. 	}

  120. 	if sigType == signatureECDSA {

  121. 		return sha1Hash(slices), nil

  122. 	}

  123. 	return md5SHA1Hash(slices), nil

  124. }

  125. 

  126. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  127. 	switch id {

  128. 	case CurveP256:

  129. 		return elliptic.P256(), true

  130. 	case CurveP384:

  131. 		return elliptic.P384(), true

  132. 	case CurveP521:

  133. 		return elliptic.P521(), true

  134. 	default:

  135. 		return nil, false

  136. 	}

  137. 

  138. }

  139. 

  140. // ecdheKeyAgreement implements a TLS key agreement where the server

  141. // generates an ephemeral EC public/private key pair and signs it. The

  142. // pre-master secret is then calculated using ECDH. The signature may

  143. // either be ECDSA or RSA.

  144. type ecdheKeyAgreement struct {

  145. 	version    uint16

  146. 	isRSA      bool

  147. 	privateKey []byte

  148. 	curveid    CurveID

  149. 

  150. 	// publicKey is used to store the peer's public value when X25519 is

  151. 	// being used.

  152. 	publicKey []byte

  153. 	// x and y are used to store the peer's public value when one of the

  154. 	// NIST curves is being used.

  155. 	x, y *big.Int

  156. }

  157. 

  158. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  159. 	preferredCurves := config.curvePreferences()

  160. 

  161. NextCandidate:

  162. 	for _, candidate := range preferredCurves {

  163. 		for _, c := range clientHello.supportedCurves {

  164. 			if candidate == c {

  165. 				ka.curveid = c

  166. 				break NextCandidate

  167. 			}

  168. 		}

  169. 	}

  170. 

  171. 	if ka.curveid == 0 {

  172. 		return nil, errors.New("tls: no supported elliptic curves offered")

  173. 	}

  174. 

  175. 	var ecdhePublic []byte

  176. 

  177. 	if ka.curveid == X25519 {

  178. 		var scalar, public [32]byte

  179. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  180. 			return nil, err

  181. 		}

  182. 

  183. 		curve25519.ScalarBaseMult(&public, &scalar)

  184. 		ka.privateKey = scalar[:]

  185. 		ecdhePublic = public[:]

  186. 	} else {

  187. 		curve, ok := curveForCurveID(ka.curveid)

  188. 		if !ok {

  189. 			return nil, errors.New("tls: preferredCurves includes unsupported curve")

  190. 		}

  191. 

  192. 		var x, y *big.Int

  193. 		var err error

  194. 		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())

  195. 		if err != nil {

  196. 			return nil, err

  197. 		}

  198. 		ecdhePublic = elliptic.Marshal(curve, x, y)

  199. 	}

  200. 

  201. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  202. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  203. 	serverECDHParams[0] = 3 // named curve

  204. 	serverECDHParams[1] = byte(ka.curveid >> 8)

  205. 	serverECDHParams[2] = byte(ka.curveid)

  206. 	serverECDHParams[3] = byte(len(ecdhePublic))

  207. 	copy(serverECDHParams[4:], ecdhePublic)

  208. 

  209. 	priv, ok := sk.(crypto.Signer)

  210. 	if !ok {

  211. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  212. 	}

  213. 

  214. 	signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version)

  215. 	if err != nil {

  216. 		return nil, err

  217. 	}

  218. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  219. 		return nil, errors.New("tls: certificate cannot be used with the selected cipher suite")

  220. 	}

  221. 

  222. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, hello.random, serverECDHParams)

  223. 	if err != nil {

  224. 		return nil, err

  225. 	}

  226. 

  227. 	var sig []byte

  228. 	signOpts := crypto.SignerOpts(hashFunc)

  229. 	if sigType == signatureRSAPSS {

  230. 		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc}

  231. 	}

  232. 	sig, err = priv.Sign(config.rand(), digest, signOpts)

  233. 	if err != nil {

  234. 		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())

  235. 	}

  236. 

  237. 	skx := new(serverKeyExchangeMsg)

  238. 	sigAndHashLen := 0

  239. 	if ka.version >= VersionTLS12 {

  240. 		sigAndHashLen = 2

  241. 	}

  242. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  243. 	copy(skx.key, serverECDHParams)

  244. 	k := skx.key[len(serverECDHParams):]

  245. 	if ka.version >= VersionTLS12 {

  246. 		k[0] = byte(signatureAlgorithm >> 8)

  247. 		k[1] = byte(signatureAlgorithm)

  248. 		k = k[2:]

  249. 	}

  250. 	k[0] = byte(len(sig) >> 8)

  251. 	k[1] = byte(len(sig))

  252. 	copy(k[2:], sig)

  253. 

  254. 	return skx, nil

  255. }

  256. 

  257. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  258. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  259. 		return nil, errClientKeyExchange

  260. 	}

  261. 

  262. 	if ka.curveid == X25519 {

  263. 		if len(ckx.ciphertext) != 1+32 {

  264. 			return nil, errClientKeyExchange

  265. 		}

  266. 

  267. 		var theirPublic, sharedKey, scalar [32]byte

  268. 		copy(theirPublic[:], ckx.ciphertext[1:])

  269. 		copy(scalar[:], ka.privateKey)

  270. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  271. 		return sharedKey[:], nil

  272. 	}

  273. 

  274. 	curve, ok := curveForCurveID(ka.curveid)

  275. 	if !ok {

  276. 		panic("internal error")

  277. 	}

  278. 	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve

  279. 	if x == nil {

  280. 		return nil, errClientKeyExchange

  281. 	}

  282. 	x, _ = curve.ScalarMult(x, y, ka.privateKey)

  283. 	curveSize := (curve.Params().BitSize + 7) >> 3

  284. 	xBytes := x.Bytes()

  285. 	if len(xBytes) == curveSize {

  286. 		return xBytes, nil

  287. 	}

  288. 	preMasterSecret := make([]byte, curveSize)

  289. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  290. 	return preMasterSecret, nil

  291. }

  292. 

  293. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  294. 	if len(skx.key) < 4 {

  295. 		return errServerKeyExchange

  296. 	}

  297. 	if skx.key[0] != 3 { // named curve

  298. 		return errors.New("tls: server selected unsupported curve")

  299. 	}

  300. 	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  301. 

  302. 	publicLen := int(skx.key[3])

  303. 	if publicLen+4 > len(skx.key) {

  304. 		return errServerKeyExchange

  305. 	}

  306. 	serverECDHParams := skx.key[:4+publicLen]

  307. 	publicKey := serverECDHParams[4:]

  308. 

  309. 	sig := skx.key[4+publicLen:]

  310. 	if len(sig) < 2 {

  311. 		return errServerKeyExchange

  312. 	}

  313. 

  314. 	if ka.curveid == X25519 {

  315. 		if len(publicKey) != 32 {

  316. 			return errors.New("tls: bad X25519 public value")

  317. 		}

  318. 		ka.publicKey = publicKey

  319. 	} else {

  320. 		curve, ok := curveForCurveID(ka.curveid)

  321. 		if !ok {

  322. 			return errors.New("tls: server selected unsupported curve")

  323. 		}

  324. 		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve

  325. 		if ka.x == nil {

  326. 			return errServerKeyExchange

  327. 		}

  328. 	}

  329. 

  330. 	var signatureAlgorithm SignatureScheme

  331. 	if ka.version >= VersionTLS12 {

  332. 		// handle SignatureAndHashAlgorithm

  333. 		signatureAlgorithm = SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1])

  334. 		sig = sig[2:]

  335. 		if len(sig) < 2 {

  336. 			return errServerKeyExchange

  337. 		}

  338. 	}

  339. 	_, sigType, hashFunc, err := pickSignatureAlgorithm(pk, []SignatureScheme{signatureAlgorithm}, clientHello.supportedSignatureAlgorithms, ka.version)

  340. 	if err != nil {

  341. 		return err

  342. 	}

  343. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  344. 		return errServerKeyExchange

  345. 	}

  346. 

  347. 	sigLen := int(sig[0])<<8 | int(sig[1])

  348. 	if sigLen+2 != len(sig) {

  349. 		return errServerKeyExchange

  350. 	}

  351. 	sig = sig[2:]

  352. 

  353. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  354. 	if err != nil {

  355. 		return err

  356. 	}

  357. 	return verifyHandshakeSignature(sigType, pk, hashFunc, digest, sig)

  358. }

  359. 

  360. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  361. 	if ka.curveid == 0 {

  362. 		return nil, nil, errors.New("tls: missing ServerKeyExchange message")

  363. 	}

  364. 

  365. 	var serialized, preMasterSecret []byte

  366. 

  367. 	if ka.curveid == X25519 {

  368. 		var ourPublic, theirPublic, sharedKey, scalar [32]byte

  369. 

  370. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  371. 			return nil, nil, err

  372. 		}

  373. 

  374. 		copy(theirPublic[:], ka.publicKey)

  375. 		curve25519.ScalarBaseMult(&ourPublic, &scalar)

  376. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  377. 		serialized = ourPublic[:]

  378. 		preMasterSecret = sharedKey[:]

  379. 	} else {

  380. 		curve, ok := curveForCurveID(ka.curveid)

  381. 		if !ok {

  382. 			panic("internal error")

  383. 		}

  384. 		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())

  385. 		if err != nil {

  386. 			return nil, nil, err

  387. 		}

  388. 		x, _ := curve.ScalarMult(ka.x, ka.y, priv)

  389. 		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)

  390. 		xBytes := x.Bytes()

  391. 		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  392. 

  393. 		serialized = elliptic.Marshal(curve, mx, my)

  394. 	}

  395. 

  396. 	ckx := new(clientKeyExchangeMsg)

  397. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  398. 	ckx.ciphertext[0] = byte(len(serialized))

  399. 	copy(ckx.ciphertext[1:], serialized)

  400. 

  401. 	return preMasterSecret, ckx, nil

  402. }