kris
/
th5
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
569 Commits
3 Branches
2.6 MiB
 
 
Tree: f6a12b1c9f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f6a12b1c9f'
${ noResults }
th5/key_agreement.go

411 lines
12 KiB
Raw Blame History 

  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package trs

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/elliptic"

  10. 	"crypto/md5"

  11. 	"crypto/rsa"

  12. 	"crypto/sha1"

  13. 	"errors"

  14. 	"io"

  15. 	"math/big"

  16. 

  17. 	"golang.org/x/crypto/curve25519"

  18. )

  19. 

  20. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  21. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  22. 

  23. // rsaKeyAgreement implements the standard TLS key agreement where the client

  24. // encrypts the pre-master secret to the server's public key.

  25. type rsaKeyAgreement struct{}

  26. 

  27. func (ka rsaKeyAgreement) NegotiatedGroup() CurveID {

  28. 	return CurveID(0)

  29. }

  30. 

  31. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  32. 	return nil, nil

  33. }

  34. 

  35. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  36. 	if len(ckx.ciphertext) < 2 {

  37. 		return nil, errClientKeyExchange

  38. 	}

  39. 

  40. 	ciphertext := ckx.ciphertext

  41. 	if version != VersionSSL30 {

  42. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  43. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  44. 			return nil, errClientKeyExchange

  45. 		}

  46. 		ciphertext = ckx.ciphertext[2:]

  47. 	}

  48. 	priv, ok := sk.(crypto.Decrypter)

  49. 	if !ok {

  50. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  51. 	}

  52. 	// Perform constant time RSA PKCS#1 v1.5 decryption

  53. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  54. 	if err != nil {

  55. 		return nil, err

  56. 	}

  57. 	// We don't check the version number in the premaster secret. For one,

  58. 	// by checking it, we would leak information about the validity of the

  59. 	// encrypted pre-master secret. Secondly, it provides only a small

  60. 	// benefit against a downgrade attack and some implementations send the

  61. 	// wrong version anyway. See the discussion at the end of section

  62. 	// 7.4.7.1 of RFC 4346.

  63. 	return preMasterSecret, nil

  64. }

  65. 

  66. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  67. 	return errors.New("tls: unexpected ServerKeyExchange")

  68. }

  69. 

  70. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  71. 	preMasterSecret := make([]byte, 48)

  72. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  73. 	preMasterSecret[1] = byte(clientHello.vers)

  74. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  75. 	if err != nil {

  76. 		return nil, nil, err

  77. 	}

  78. 

  79. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), pk.(*rsa.PublicKey), preMasterSecret)

  80. 	if err != nil {

  81. 		return nil, nil, err

  82. 	}

  83. 	ckx := new(clientKeyExchangeMsg)

  84. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  85. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  86. 	ckx.ciphertext[1] = byte(len(encrypted))

  87. 	copy(ckx.ciphertext[2:], encrypted)

  88. 	return preMasterSecret, ckx, nil

  89. }

  90. 

  91. // sha1Hash calculates a SHA1 hash over the given byte slices.

  92. func sha1Hash(slices [][]byte) []byte {

  93. 	hsha1 := sha1.New()

  94. 	for _, slice := range slices {

  95. 		hsha1.Write(slice)

  96. 	}

  97. 	return hsha1.Sum(nil)

  98. }

  99. 

  100. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  101. // concatenation of an MD5 and SHA1 hash.

  102. func md5SHA1Hash(slices [][]byte) []byte {

  103. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  104. 	hmd5 := md5.New()

  105. 	for _, slice := range slices {

  106. 		hmd5.Write(slice)

  107. 	}

  108. 	copy(md5sha1, hmd5.Sum(nil))

  109. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  110. 	return md5sha1

  111. }

  112. 

  113. // hashForServerKeyExchange hashes the given slices and returns their digest

  114. // using the given hash function.

  115. func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) ([]byte, error) {

  116. 	if version >= VersionTLS12 {

  117. 		h := hashFunc.New()

  118. 		for _, slice := range slices {

  119. 			h.Write(slice)

  120. 		}

  121. 		digest := h.Sum(nil)

  122. 		return digest, nil

  123. 	}

  124. 	if sigType == signatureECDSA {

  125. 		return sha1Hash(slices), nil

  126. 	}

  127. 	return md5SHA1Hash(slices), nil

  128. }

  129. 

  130. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  131. 	switch id {

  132. 	case CurveP256:

  133. 		return elliptic.P256(), true

  134. 	case CurveP384:

  135. 		return elliptic.P384(), true

  136. 	case CurveP521:

  137. 		return elliptic.P521(), true

  138. 	default:

  139. 		return nil, false

  140. 	}

  141. 

  142. }

  143. 

  144. // ecdheKeyAgreement implements a TLS key agreement where the server

  145. // generates an ephemeral EC public/private key pair and signs it. The

  146. // pre-master secret is then calculated using ECDH. The signature may

  147. // either be ECDSA or RSA.

  148. type ecdheKeyAgreement struct {

  149. 	version    uint16

  150. 	isRSA      bool

  151. 	privateKey []byte

  152. 	curveid    CurveID

  153. 

  154. 	// publicKey is used to store the peer's public value when X25519 is

  155. 	// being used.

  156. 	publicKey []byte

  157. 	// x and y are used to store the peer's public value when one of the

  158. 	// NIST curves is being used.

  159. 	x, y *big.Int

  160. }

  161. 

  162. func (ka *ecdheKeyAgreement) NegotiatedGroup() CurveID {

  163. 	return ka.curveid

  164. }

  165. 

  166. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  167. 	preferredCurves := config.curvePreferences()

  168. 

  169. NextCandidate:

  170. 	for _, candidate := range preferredCurves {

  171. 		for _, c := range clientHello.supportedCurves {

  172. 			if candidate == c {

  173. 				ka.curveid = c

  174. 				break NextCandidate

  175. 			}

  176. 		}

  177. 	}

  178. 

  179. 	if ka.curveid == 0 {

  180. 		return nil, errors.New("tls: no supported elliptic curves offered")

  181. 	}

  182. 

  183. 	var ecdhePublic []byte

  184. 

  185. 	if ka.curveid == X25519 {

  186. 		var scalar, public [32]byte

  187. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  188. 			return nil, err

  189. 		}

  190. 

  191. 		curve25519.ScalarBaseMult(&public, &scalar)

  192. 		ka.privateKey = scalar[:]

  193. 		ecdhePublic = public[:]

  194. 	} else {

  195. 		curve, ok := curveForCurveID(ka.curveid)

  196. 		if !ok {

  197. 			return nil, errors.New("tls: preferredCurves includes unsupported curve")

  198. 		}

  199. 

  200. 		var x, y *big.Int

  201. 		var err error

  202. 		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())

  203. 		if err != nil {

  204. 			return nil, err

  205. 		}

  206. 		ecdhePublic = elliptic.Marshal(curve, x, y)

  207. 	}

  208. 

  209. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  210. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  211. 	serverECDHParams[0] = 3 // named curve

  212. 	serverECDHParams[1] = byte(ka.curveid >> 8)

  213. 	serverECDHParams[2] = byte(ka.curveid)

  214. 	serverECDHParams[3] = byte(len(ecdhePublic))

  215. 	copy(serverECDHParams[4:], ecdhePublic)

  216. 

  217. 	priv, ok := sk.(crypto.Signer)

  218. 	if !ok {

  219. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  220. 	}

  221. 

  222. 	signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version)

  223. 	if err != nil {

  224. 		return nil, err

  225. 	}

  226. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  227. 		return nil, errors.New("tls: certificate cannot be used with the selected cipher suite")

  228. 	}

  229. 

  230. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, hello.random, serverECDHParams)

  231. 	if err != nil {

  232. 		return nil, err

  233. 	}

  234. 

  235. 	var sig []byte

  236. 	signOpts := crypto.SignerOpts(hashFunc)

  237. 	if sigType == signatureRSAPSS {

  238. 		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc}

  239. 	}

  240. 	sig, err = priv.Sign(config.rand(), digest, signOpts)

  241. 	if err != nil {

  242. 		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())

  243. 	}

  244. 

  245. 	skx := new(serverKeyExchangeMsg)

  246. 	sigAndHashLen := 0

  247. 	if ka.version >= VersionTLS12 {

  248. 		sigAndHashLen = 2

  249. 	}

  250. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  251. 	copy(skx.key, serverECDHParams)

  252. 	k := skx.key[len(serverECDHParams):]

  253. 	if ka.version >= VersionTLS12 {

  254. 		k[0] = byte(signatureAlgorithm >> 8)

  255. 		k[1] = byte(signatureAlgorithm)

  256. 		k = k[2:]

  257. 	}

  258. 	k[0] = byte(len(sig) >> 8)

  259. 	k[1] = byte(len(sig))

  260. 	copy(k[2:], sig)

  261. 

  262. 	return skx, nil

  263. }

  264. 

  265. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  266. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  267. 		return nil, errClientKeyExchange

  268. 	}

  269. 

  270. 	if ka.curveid == X25519 {

  271. 		if len(ckx.ciphertext) != 1+32 {

  272. 			return nil, errClientKeyExchange

  273. 		}

  274. 

  275. 		var theirPublic, sharedKey, scalar [32]byte

  276. 		copy(theirPublic[:], ckx.ciphertext[1:])

  277. 		copy(scalar[:], ka.privateKey)

  278. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  279. 		return sharedKey[:], nil

  280. 	}

  281. 

  282. 	curve, ok := curveForCurveID(ka.curveid)

  283. 	if !ok {

  284. 		panic("internal error")

  285. 	}

  286. 	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve

  287. 	if x == nil {

  288. 		return nil, errClientKeyExchange

  289. 	}

  290. 	x, _ = curve.ScalarMult(x, y, ka.privateKey)

  291. 	curveSize := (curve.Params().BitSize + 7) >> 3

  292. 	xBytes := x.Bytes()

  293. 	if len(xBytes) == curveSize {

  294. 		return xBytes, nil

  295. 	}

  296. 	preMasterSecret := make([]byte, curveSize)

  297. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  298. 	return preMasterSecret, nil

  299. }

  300. 

  301. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  302. 	if len(skx.key) < 4 {

  303. 		return errServerKeyExchange

  304. 	}

  305. 	if skx.key[0] != 3 { // named curve

  306. 		return errors.New("tls: server selected unsupported curve")

  307. 	}

  308. 	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  309. 

  310. 	publicLen := int(skx.key[3])

  311. 	if publicLen+4 > len(skx.key) {

  312. 		return errServerKeyExchange

  313. 	}

  314. 	serverECDHParams := skx.key[:4+publicLen]

  315. 	publicKey := serverECDHParams[4:]

  316. 

  317. 	sig := skx.key[4+publicLen:]

  318. 	if len(sig) < 2 {

  319. 		return errServerKeyExchange

  320. 	}

  321. 

  322. 	if ka.curveid == X25519 {

  323. 		if len(publicKey) != 32 {

  324. 			return errors.New("tls: bad X25519 public value")

  325. 		}

  326. 		ka.publicKey = publicKey

  327. 	} else {

  328. 		curve, ok := curveForCurveID(ka.curveid)

  329. 		if !ok {

  330. 			return errors.New("tls: server selected unsupported curve")

  331. 		}

  332. 		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve

  333. 		if ka.x == nil {

  334. 			return errServerKeyExchange

  335. 		}

  336. 	}

  337. 

  338. 	var signatureAlgorithm SignatureScheme

  339. 	if ka.version >= VersionTLS12 {

  340. 		// handle SignatureAndHashAlgorithm

  341. 		signatureAlgorithm = SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1])

  342. 		sig = sig[2:]

  343. 		if len(sig) < 2 {

  344. 			return errServerKeyExchange

  345. 		}

  346. 	}

  347. 	_, sigType, hashFunc, err := pickSignatureAlgorithm(pk, []SignatureScheme{signatureAlgorithm}, clientHello.supportedSignatureAlgorithms, ka.version)

  348. 	if err != nil {

  349. 		return err

  350. 	}

  351. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  352. 		return errServerKeyExchange

  353. 	}

  354. 

  355. 	sigLen := int(sig[0])<<8 | int(sig[1])

  356. 	if sigLen+2 != len(sig) {

  357. 		return errServerKeyExchange

  358. 	}

  359. 	sig = sig[2:]

  360. 

  361. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  362. 	if err != nil {

  363. 		return err

  364. 	}

  365. 	return verifyHandshakeSignature(sigType, pk, hashFunc, digest, sig)

  366. }

  367. 

  368. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  369. 	if ka.curveid == 0 {

  370. 		return nil, nil, errors.New("tls: missing ServerKeyExchange message")

  371. 	}

  372. 

  373. 	var serialized, preMasterSecret []byte

  374. 

  375. 	if ka.curveid == X25519 {

  376. 		var ourPublic, theirPublic, sharedKey, scalar [32]byte

  377. 

  378. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  379. 			return nil, nil, err

  380. 		}

  381. 

  382. 		copy(theirPublic[:], ka.publicKey)

  383. 		curve25519.ScalarBaseMult(&ourPublic, &scalar)

  384. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  385. 		serialized = ourPublic[:]

  386. 		preMasterSecret = sharedKey[:]

  387. 	} else {

  388. 		curve, ok := curveForCurveID(ka.curveid)

  389. 		if !ok {

  390. 			panic("internal error")

  391. 		}

  392. 		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())

  393. 		if err != nil {

  394. 			return nil, nil, err

  395. 		}

  396. 		x, _ := curve.ScalarMult(ka.x, ka.y, priv)

  397. 		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)

  398. 		xBytes := x.Bytes()

  399. 		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  400. 

  401. 		serialized = elliptic.Marshal(curve, mx, my)

  402. 	}

  403. 

  404. 	ckx := new(clientKeyExchangeMsg)

  405. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  406. 	ckx.ciphertext[0] = byte(len(serialized))

  407. 	copy(ckx.ciphertext[1:], serialized)

  408. 

  409. 	return preMasterSecret, ckx, nil

  410. }