kris
/
tls-tris
1
0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
502 コミット
4 ブランチ
2.5 MiB
ツリー: 963d5877be
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'963d5877be' から
${ noResults }
tls-tris/key_agreement.go

key_agreement.go 12 KiB
Raw 通常表示 履歴

crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto: add package. The crypto package is added as a common place to store identifiers for hash functions. At the moment, the rsa package has an enumeration of hash functions and knowledge of their digest lengths. This is an unfortunate coupling and other high level crypto packages tend to need to duplicate this enumeration and knowledge (i.e. openpgp). crypto pulls this code out into a common location. It would also make sense to add similar support for ciphers to crypto, but the problem there isn't as acute that isn't done in this change. R=bradfitzgo, r, rsc CC=golang-dev https://golang.org/cl/4080046
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
src/pkg/[a-m]*: gofix -r error -force=error R=golang-dev, iant CC=golang-dev https://golang.org/cl/5322051
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
renaming_2: gofix -r go1pkgrename src/pkg/[a-l]* R=rsc CC=golang-dev https://golang.org/cl/5358041
13年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13年前
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11年前
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
all: fix misprints in comments These were found by grepping the comments from the go code and feeding the output to aspell. Change-Id: Id734d6c8d1938ec3c36bd94a4dbbad577e3ad395 Reviewed-on: https://go-review.googlesource.com/10941 Reviewed-by: Aamir Khan <syst3m.w0rm@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
9年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
all: single space after period. The tree's pretty inconsistent about single space vs double space after a period in documentation. Make it consistently a single space, per earlier decisions. This means contributors won't be confused by misleading precedence. This CL doesn't use go/doc to parse. It only addresses // comments. It was generated with: $ perl -i -npe 's,^(\s*// .+[a-z]\.) +([A-Z]),$1 $2,' $(git grep -l -E '^\s*//(.+\.) +([A-Z])') $ go test go/doc -update Change-Id: Iccdb99c37c797ef1f804a94b22ba5ee4b500c4f7 Reviewed-on: https://go-review.googlesource.com/20022 Reviewed-by: Rob Pike <r@golang.org> Reviewed-by: Dave Day <djd@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Add a []byte argument to hash.Hash to allow an allocation to be saved. This is the result of running `gofix -r hashsum` over the tree, changing the hash function implementations by hand and then fixing a couple of instances where gofix didn't catch something. The changed implementations are as simple as possible while still working: I'm not trying to optimise in this CL. R=rsc, cw, rogpeppe CC=golang-dev https://golang.org/cl/5448065
13年前
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10年前
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7年前
all: fix article typos a -> an Change-Id: I7362bdc199e83073a712be657f5d9ba16df3077e Reviewed-on: https://go-review.googlesource.com/63850 Reviewed-by: Rob Pike <r@golang.org>
7年前
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: don't select ECC ciphersuites with no mutual curve. The existing code that tried to prevent ECC ciphersuites from being selected when there were no mutual curves still left |suite| set. This lead to a panic on a nil pointer when there were no acceptable ciphersuites at all. Thanks to George Kadianakis for pointing it out. R=golang-dev, r, bradfitz CC=golang-dev https://golang.org/cl/5857043
12年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11年前
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: make error prefix uniform. Error strings in this package were all over the place: some were prefixed with “tls:”, some with “crypto/tls:” and some didn't have a prefix. This change makes everything use the prefix “tls:”. Change-Id: Ie8b073c897764b691140412ecd6613da8c4e33a2 Reviewed-on: https://go-review.googlesource.com/21893 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: make use of crypto.Signer and crypto.Decrypter This change replaces all direct ECDSA/RSA sign and decrypt operations with calls through the crypto.Signer and crypto.Decrypter interfaces. This is a follow-up to https://go-review.googlesource.com/#/c/3900/ which added crypto.Decrypter and implemented it for RSA. Change-Id: Ie0f3928448b285f329efcd3a93ca3fd5e3b3e42d Reviewed-on: https://go-review.googlesource.com/7804 Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: don't check whether an ec point is on a curve twice The processClientKeyExchange and processServerKeyExchange functions unmarshal an encoded EC point and explicitly check whether the point is on the curve. The explicit check can be omitted because elliptic.Unmarshal fails if the point is not on the curve and the returned error would always be the same. Fixes #20496 Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb Reviewed-on: https://go-review.googlesource.com/44311 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Avelino <t@avelino.xxx> Run-TryBot: Adam Langley <agl@golang.org>
7年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: better error messages. LGTM=bradfitz R=golang-codereviews, bradfitz CC=golang-codereviews https://golang.org/cl/60580046
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: implement TLS 1.3 minimal server
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: implement TLS 1.3 minimal server
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: pick ECDHE curves based on server preference. Currently an ECDHE handshake uses the client's curve preference. This generally means that we use P-521. However, P-521's strength is mismatched with the rest of the cipher suite in most cases and we have a fast, constant-time implementation of P-256. With this change, Go servers will use P-256 where the client supports it although that can be overridden in the Config. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/66060043
10年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: don't check whether an ec point is on a curve twice The processClientKeyExchange and processServerKeyExchange functions unmarshal an encoded EC point and explicitly check whether the point is on the curve. The explicit check can be omitted because elliptic.Unmarshal fails if the point is not on the curve and the returned error would always be the same. Fixes #20496 Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb Reviewed-on: https://go-review.googlesource.com/44311 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Avelino <t@avelino.xxx> Run-TryBot: Adam Langley <agl@golang.org>
7年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
crypto/tls: replace signatureAndHash by SignatureScheme. Consolidate the signature and hash fields (SignatureAndHashAlgorithm in TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21). This makes it easier to add RSASSA-PSS for TLS 1.2 in the future. Fields were named like "signatureAlgorithm" rather than "signatureScheme" since that name is also used throughout the 1.3 draft. The only new public symbol is ECDSAWithSHA1, other than that this is an internal change with no new functionality. Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0 Reviewed-on: https://go-review.googlesource.com/62210 Reviewed-by: Adam Langley <agl@golang.org>
7年前
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9年前
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
respect goto restrictions R=gri CC=golang-dev https://golang.org/cl/4625044
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: consolidate signatures handling in SKE and CV ServerKeyExchange and CertificateVerify can share the same logic for picking a signature algorithm (based on the certificate public key and advertised algorithms), selecting a hash algorithm (depending on TLS version) and signature verification. Refactor the code to achieve code reuse, have common error checking (especially for intersecting supported signature algorithms) and to prepare for addition of new signature algorithms. Code should be easier to read since version-dependent logic is concentrated at one place. Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
7年前
crypto/tls: advertise support for RSA+SHA1 in TLS 1.2 handshake. Despite SHA256 support being required for TLS 1.2 handshakes, some servers are aborting handshakes that don't offer SHA1 support. This change adds support for signing TLS 1.2 ServerKeyExchange messages with SHA1. It does not add support for signing TLS 1.2 client certificates with SHA1 as that would require the handshake to be buffered. Fixes #6618. R=golang-dev, r CC=golang-dev https://golang.org/cl/15650043
11年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: make error prefix uniform. Error strings in this package were all over the place: some were prefixed with “tls:”, some with “crypto/tls:” and some didn't have a prefix. This change makes everything use the prefix “tls:”. Change-Id: Ie8b073c897764b691140412ecd6613da8c4e33a2 Reviewed-on: https://go-review.googlesource.com/21893 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
crypto/tls: support X25519. X25519 (RFC 7748) is now commonly used for key agreement in TLS connections, as specified in https://tools.ietf.org/html/draft-ietf-tls-curve25519-01. This change adds support for that in crypto/tls, but does not enabled it by default so that there's less test noise. A future change will enable it by default and will update all the test data at the same time. Change-Id: I91802ecd776d73aae5c65bcb653d12e23c413ed4 Reviewed-on: https://go-review.googlesource.com/30824 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
pkg: spelling tweaks, A-H R=ality, bradfitz, rsc, dsymonds, adg, qyzhai, dchest CC=golang-dev https://golang.org/cl/4536063
13年前
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14年前
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/elliptic"

  10. 	"crypto/md5"

  11. 	"crypto/rsa"

  12. 	"crypto/sha1"

  13. 	"errors"

  14. 	"io"

  15. 	"math/big"

  16. 

  17. 	"golang_org/x/crypto/curve25519"

  18. )

  19. 

  20. var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")

  21. var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")

  22. 

  23. // rsaKeyAgreement implements the standard TLS key agreement where the client

  24. // encrypts the pre-master secret to the server's public key.

  25. type rsaKeyAgreement struct{}

  26. 

  27. func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  28. 	return nil, nil

  29. }

  30. 

  31. func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  32. 	if len(ckx.ciphertext) < 2 {

  33. 		return nil, errClientKeyExchange

  34. 	}

  35. 

  36. 	ciphertext := ckx.ciphertext

  37. 	if version != VersionSSL30 {

  38. 		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])

  39. 		if ciphertextLen != len(ckx.ciphertext)-2 {

  40. 			return nil, errClientKeyExchange

  41. 		}

  42. 		ciphertext = ckx.ciphertext[2:]

  43. 	}

  44. 	priv, ok := sk.(crypto.Decrypter)

  45. 	if !ok {

  46. 		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")

  47. 	}

  48. 	// Perform constant time RSA PKCS#1 v1.5 decryption

  49. 	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})

  50. 	if err != nil {

  51. 		return nil, err

  52. 	}

  53. 	// We don't check the version number in the premaster secret. For one,

  54. 	// by checking it, we would leak information about the validity of the

  55. 	// encrypted pre-master secret. Secondly, it provides only a small

  56. 	// benefit against a downgrade attack and some implementations send the

  57. 	// wrong version anyway. See the discussion at the end of section

  58. 	// 7.4.7.1 of RFC 4346.

  59. 	return preMasterSecret, nil

  60. }

  61. 

  62. func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  63. 	return errors.New("tls: unexpected ServerKeyExchange")

  64. }

  65. 

  66. func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  67. 	preMasterSecret := make([]byte, 48)

  68. 	preMasterSecret[0] = byte(clientHello.vers >> 8)

  69. 	preMasterSecret[1] = byte(clientHello.vers)

  70. 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])

  71. 	if err != nil {

  72. 		return nil, nil, err

  73. 	}

  74. 

  75. 	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), pk.(*rsa.PublicKey), preMasterSecret)

  76. 	if err != nil {

  77. 		return nil, nil, err

  78. 	}

  79. 	ckx := new(clientKeyExchangeMsg)

  80. 	ckx.ciphertext = make([]byte, len(encrypted)+2)

  81. 	ckx.ciphertext[0] = byte(len(encrypted) >> 8)

  82. 	ckx.ciphertext[1] = byte(len(encrypted))

  83. 	copy(ckx.ciphertext[2:], encrypted)

  84. 	return preMasterSecret, ckx, nil

  85. }

  86. 

  87. // sha1Hash calculates a SHA1 hash over the given byte slices.

  88. func sha1Hash(slices [][]byte) []byte {

  89. 	hsha1 := sha1.New()

  90. 	for _, slice := range slices {

  91. 		hsha1.Write(slice)

  92. 	}

  93. 	return hsha1.Sum(nil)

  94. }

  95. 

  96. // md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the

  97. // concatenation of an MD5 and SHA1 hash.

  98. func md5SHA1Hash(slices [][]byte) []byte {

  99. 	md5sha1 := make([]byte, md5.Size+sha1.Size)

  100. 	hmd5 := md5.New()

  101. 	for _, slice := range slices {

  102. 		hmd5.Write(slice)

  103. 	}

  104. 	copy(md5sha1, hmd5.Sum(nil))

  105. 	copy(md5sha1[md5.Size:], sha1Hash(slices))

  106. 	return md5sha1

  107. }

  108. 

  109. // hashForServerKeyExchange hashes the given slices and returns their digest

  110. // using the given hash function.

  111. func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) ([]byte, error) {

  112. 	if version >= VersionTLS12 {

  113. 		h := hashFunc.New()

  114. 		for _, slice := range slices {

  115. 			h.Write(slice)

  116. 		}

  117. 		digest := h.Sum(nil)

  118. 		return digest, nil

  119. 	}

  120. 	if sigType == signatureECDSA {

  121. 		return sha1Hash(slices), nil

  122. 	}

  123. 	return md5SHA1Hash(slices), nil

  124. }

  125. 

  126. func curveForCurveID(id CurveID) (elliptic.Curve, bool) {

  127. 	switch id {

  128. 	case CurveP256:

  129. 		return elliptic.P256(), true

  130. 	case CurveP384:

  131. 		return elliptic.P384(), true

  132. 	case CurveP521:

  133. 		return elliptic.P521(), true

  134. 	default:

  135. 		return nil, false

  136. 	}

  137. 

  138. }

  139. 

  140. // ecdheKeyAgreement implements a TLS key agreement where the server

  141. // generates an ephemeral EC public/private key pair and signs it. The

  142. // pre-master secret is then calculated using ECDH. The signature may

  143. // either be ECDSA or RSA.

  144. type ecdheKeyAgreement struct {

  145. 	version    uint16

  146. 	isRSA      bool

  147. 	privateKey []byte

  148. 	curveid    CurveID

  149. 

  150. 	// publicKey is used to store the peer's public value when X25519 is

  151. 	// being used.

  152. 	publicKey []byte

  153. 	// x and y are used to store the peer's public value when one of the

  154. 	// NIST curves is being used.

  155. 	x, y *big.Int

  156. }

  157. 

  158. func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, sk crypto.PrivateKey, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {

  159. 	preferredCurves := config.curvePreferences()

  160. 

  161. NextCandidate:

  162. 	for _, candidate := range preferredCurves {

  163. 		for _, c := range clientHello.supportedCurves {

  164. 			if candidate == c {

  165. 				ka.curveid = c

  166. 				break NextCandidate

  167. 			}

  168. 		}

  169. 	}

  170. 

  171. 	if ka.curveid == 0 {

  172. 		return nil, errors.New("tls: no supported elliptic curves offered")

  173. 	}

  174. 

  175. 	var ecdhePublic []byte

  176. 

  177. 	if ka.curveid == X25519 {

  178. 		var scalar, public [32]byte

  179. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  180. 			return nil, err

  181. 		}

  182. 

  183. 		curve25519.ScalarBaseMult(&public, &scalar)

  184. 		ka.privateKey = scalar[:]

  185. 		ecdhePublic = public[:]

  186. 	} else {

  187. 		curve, ok := curveForCurveID(ka.curveid)

  188. 		if !ok {

  189. 			return nil, errors.New("tls: preferredCurves includes unsupported curve")

  190. 		}

  191. 

  192. 		var x, y *big.Int

  193. 		var err error

  194. 		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())

  195. 		if err != nil {

  196. 			return nil, err

  197. 		}

  198. 		ecdhePublic = elliptic.Marshal(curve, x, y)

  199. 	}

  200. 

  201. 	// http://tools.ietf.org/html/rfc4492#section-5.4

  202. 	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))

  203. 	serverECDHParams[0] = 3 // named curve

  204. 	serverECDHParams[1] = byte(ka.curveid >> 8)

  205. 	serverECDHParams[2] = byte(ka.curveid)

  206. 	serverECDHParams[3] = byte(len(ecdhePublic))

  207. 	copy(serverECDHParams[4:], ecdhePublic)

  208. 

  209. 	priv, ok := sk.(crypto.Signer)

  210. 	if !ok {

  211. 		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")

  212. 	}

  213. 

  214. 	signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version)

  215. 	if err != nil {

  216. 		return nil, err

  217. 	}

  218. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  219. 		return nil, errors.New("tls: certificate cannot be used with the selected cipher suite")

  220. 	}

  221. 

  222. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, hello.random, serverECDHParams)

  223. 	if err != nil {

  224. 		return nil, err

  225. 	}

  226. 

  227. 	var sig []byte

  228. 	signOpts := crypto.SignerOpts(hashFunc)

  229. 	if sigType == signatureRSAPSS {

  230. 		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc}

  231. 	}

  232. 	sig, err = priv.Sign(config.rand(), digest, signOpts)

  233. 	if err != nil {

  234. 		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())

  235. 	}

  236. 

  237. 	skx := new(serverKeyExchangeMsg)

  238. 	sigAndHashLen := 0

  239. 	if ka.version >= VersionTLS12 {

  240. 		sigAndHashLen = 2

  241. 	}

  242. 	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))

  243. 	copy(skx.key, serverECDHParams)

  244. 	k := skx.key[len(serverECDHParams):]

  245. 	if ka.version >= VersionTLS12 {

  246. 		k[0] = byte(signatureAlgorithm >> 8)

  247. 		k[1] = byte(signatureAlgorithm)

  248. 		k = k[2:]

  249. 	}

  250. 	k[0] = byte(len(sig) >> 8)

  251. 	k[1] = byte(len(sig))

  252. 	copy(k[2:], sig)

  253. 

  254. 	return skx, nil

  255. }

  256. 

  257. func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, sk crypto.PrivateKey, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {

  258. 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {

  259. 		return nil, errClientKeyExchange

  260. 	}

  261. 

  262. 	if ka.curveid == X25519 {

  263. 		if len(ckx.ciphertext) != 1+32 {

  264. 			return nil, errClientKeyExchange

  265. 		}

  266. 

  267. 		var theirPublic, sharedKey, scalar [32]byte

  268. 		copy(theirPublic[:], ckx.ciphertext[1:])

  269. 		copy(scalar[:], ka.privateKey)

  270. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  271. 		return sharedKey[:], nil

  272. 	}

  273. 

  274. 	curve, ok := curveForCurveID(ka.curveid)

  275. 	if !ok {

  276. 		panic("internal error")

  277. 	}

  278. 	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve

  279. 	if x == nil {

  280. 		return nil, errClientKeyExchange

  281. 	}

  282. 	x, _ = curve.ScalarMult(x, y, ka.privateKey)

  283. 	curveSize := (curve.Params().BitSize + 7) >> 3

  284. 	xBytes := x.Bytes()

  285. 	if len(xBytes) == curveSize {

  286. 		return xBytes, nil

  287. 	}

  288. 	preMasterSecret := make([]byte, curveSize)

  289. 	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  290. 	return preMasterSecret, nil

  291. }

  292. 

  293. func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, pk crypto.PublicKey, skx *serverKeyExchangeMsg) error {

  294. 	if len(skx.key) < 4 {

  295. 		return errServerKeyExchange

  296. 	}

  297. 	if skx.key[0] != 3 { // named curve

  298. 		return errors.New("tls: server selected unsupported curve")

  299. 	}

  300. 	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])

  301. 

  302. 	publicLen := int(skx.key[3])

  303. 	if publicLen+4 > len(skx.key) {

  304. 		return errServerKeyExchange

  305. 	}

  306. 	serverECDHParams := skx.key[:4+publicLen]

  307. 	publicKey := serverECDHParams[4:]

  308. 

  309. 	sig := skx.key[4+publicLen:]

  310. 	if len(sig) < 2 {

  311. 		return errServerKeyExchange

  312. 	}

  313. 

  314. 	if ka.curveid == X25519 {

  315. 		if len(publicKey) != 32 {

  316. 			return errors.New("tls: bad X25519 public value")

  317. 		}

  318. 		ka.publicKey = publicKey

  319. 	} else {

  320. 		curve, ok := curveForCurveID(ka.curveid)

  321. 		if !ok {

  322. 			return errors.New("tls: server selected unsupported curve")

  323. 		}

  324. 		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve

  325. 		if ka.x == nil {

  326. 			return errServerKeyExchange

  327. 		}

  328. 	}

  329. 

  330. 	var signatureAlgorithm SignatureScheme

  331. 	if ka.version >= VersionTLS12 {

  332. 		// handle SignatureAndHashAlgorithm

  333. 		signatureAlgorithm = SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1])

  334. 		sig = sig[2:]

  335. 		if len(sig) < 2 {

  336. 			return errServerKeyExchange

  337. 		}

  338. 	}

  339. 	_, sigType, hashFunc, err := pickSignatureAlgorithm(pk, []SignatureScheme{signatureAlgorithm}, clientHello.supportedSignatureAlgorithms, ka.version)

  340. 	if err != nil {

  341. 		return err

  342. 	}

  343. 	if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA {

  344. 		return errServerKeyExchange

  345. 	}

  346. 

  347. 	sigLen := int(sig[0])<<8 | int(sig[1])

  348. 	if sigLen+2 != len(sig) {

  349. 		return errServerKeyExchange

  350. 	}

  351. 	sig = sig[2:]

  352. 

  353. 	digest, err := hashForServerKeyExchange(sigType, hashFunc, ka.version, clientHello.random, serverHello.random, serverECDHParams)

  354. 	if err != nil {

  355. 		return err

  356. 	}

  357. 	return verifyHandshakeSignature(sigType, pk, hashFunc, digest, sig)

  358. }

  359. 

  360. func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, pk crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error) {

  361. 	if ka.curveid == 0 {

  362. 		return nil, nil, errors.New("tls: missing ServerKeyExchange message")

  363. 	}

  364. 

  365. 	var serialized, preMasterSecret []byte

  366. 

  367. 	if ka.curveid == X25519 {

  368. 		var ourPublic, theirPublic, sharedKey, scalar [32]byte

  369. 

  370. 		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {

  371. 			return nil, nil, err

  372. 		}

  373. 

  374. 		copy(theirPublic[:], ka.publicKey)

  375. 		curve25519.ScalarBaseMult(&ourPublic, &scalar)

  376. 		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)

  377. 		serialized = ourPublic[:]

  378. 		preMasterSecret = sharedKey[:]

  379. 	} else {

  380. 		curve, ok := curveForCurveID(ka.curveid)

  381. 		if !ok {

  382. 			panic("internal error")

  383. 		}

  384. 		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())

  385. 		if err != nil {

  386. 			return nil, nil, err

  387. 		}

  388. 		x, _ := curve.ScalarMult(ka.x, ka.y, priv)

  389. 		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)

  390. 		xBytes := x.Bytes()

  391. 		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)

  392. 

  393. 		serialized = elliptic.Marshal(curve, mx, my)

  394. 	}

  395. 

  396. 	ckx := new(clientKeyExchangeMsg)

  397. 	ckx.ciphertext = make([]byte, 1+len(serialized))

  398. 	ckx.ciphertext[0] = byte(len(serialized))

  399. 	copy(ckx.ciphertext[1:], serialized)

  400. 

  401. 	return preMasterSecret, ckx, nil

  402. }