kris
/
tls-tris
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
543 Cometimentos
4 Ramos
2.5 MiB
 
 
 
 
 
 
Árvore: 9fc345bd63
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de '9fc345bd63'
${ noResults }
tls-tris/ticket.go

327 linhas
8.4 KiB
Em bruto Responsabilidade Histórico 

  1. // Copyright 2012 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto/aes"

  10. 	"crypto/cipher"

  11. 	"crypto/hmac"

  12. 	"crypto/sha256"

  13. 	"crypto/subtle"

  14. 	"errors"

  15. 	"io"

  16. )

  17. 

  18. // A SessionTicketSealer provides a way to securely encapsulate

  19. // session state for storage on the client. All methods are safe for

  20. // concurrent use.

  21. type SessionTicketSealer interface {

  22. 	// Seal returns a session ticket value that can be later passed to Unseal

  23. 	// to recover the content, usually by encrypting it. The ticket will be sent

  24. 	// to the client to be stored, and will be sent back in plaintext, so it can

  25. 	// be read and modified by an attacker.

  26. 	Seal(cs *ConnectionState, content []byte) (ticket []byte, err error)

  27. 

  28. 	// Unseal returns a session ticket contents. The ticket can't be safely

  29. 	// assumed to have been generated by Seal.

  30. 	// If unable to unseal the ticket, the connection will proceed with a

  31. 	// complete handshake.

  32. 	Unseal(chi *ClientHelloInfo, ticket []byte) (content []byte, success bool)

  33. }

  34. 

  35. // sessionState contains the information that is serialized into a session

  36. // ticket in order to later resume a connection.

  37. type sessionState struct {

  38. 	vers         uint16

  39. 	cipherSuite  uint16

  40. 	usedEMS      bool

  41. 	masterSecret []byte

  42. 	certificates [][]byte

  43. 	// usedOldKey is true if the ticket from which this session came from

  44. 	// was encrypted with an older key and thus should be refreshed.

  45. 	usedOldKey bool

  46. }

  47. 

  48. func (s *sessionState) equal(i interface{}) bool {

  49. 	s1, ok := i.(*sessionState)

  50. 	if !ok {

  51. 		return false

  52. 	}

  53. 

  54. 	if s.vers != s1.vers ||

  55. 		s.usedEMS != s1.usedEMS ||

  56. 		s.cipherSuite != s1.cipherSuite ||

  57. 		!bytes.Equal(s.masterSecret, s1.masterSecret) {

  58. 		return false

  59. 	}

  60. 

  61. 	if len(s.certificates) != len(s1.certificates) {

  62. 		return false

  63. 	}

  64. 

  65. 	for i := range s.certificates {

  66. 		if !bytes.Equal(s.certificates[i], s1.certificates[i]) {

  67. 			return false

  68. 		}

  69. 	}

  70. 

  71. 	return true

  72. }

  73. 

  74. func (s *sessionState) marshal() []byte {

  75. 	length := 2 + 2 + 2 + len(s.masterSecret) + 2

  76. 	for _, cert := range s.certificates {

  77. 		length += 4 + len(cert)

  78. 	}

  79. 

  80. 	ret := make([]byte, length)

  81. 	x := ret

  82. 	was_used := byte(0)

  83. 	if s.usedEMS {

  84. 		was_used = byte(0x80)

  85. 	}

  86. 

  87. 	x[0] = byte(s.vers>>8) | byte(was_used)

  88. 	x[1] = byte(s.vers)

  89. 	x[2] = byte(s.cipherSuite >> 8)

  90. 	x[3] = byte(s.cipherSuite)

  91. 	x[4] = byte(len(s.masterSecret) >> 8)

  92. 	x[5] = byte(len(s.masterSecret))

  93. 	x = x[6:]

  94. 	copy(x, s.masterSecret)

  95. 	x = x[len(s.masterSecret):]

  96. 

  97. 	x[0] = byte(len(s.certificates) >> 8)

  98. 	x[1] = byte(len(s.certificates))

  99. 	x = x[2:]

  100. 

  101. 	for _, cert := range s.certificates {

  102. 		x[0] = byte(len(cert) >> 24)

  103. 		x[1] = byte(len(cert) >> 16)

  104. 		x[2] = byte(len(cert) >> 8)

  105. 		x[3] = byte(len(cert))

  106. 		copy(x[4:], cert)

  107. 		x = x[4+len(cert):]

  108. 	}

  109. 

  110. 	return ret

  111. }

  112. 

  113. func (s *sessionState) unmarshal(data []byte) alert {

  114. 	if len(data) < 8 {

  115. 		return alertDecodeError

  116. 	}

  117. 

  118. 	s.vers = (uint16(data[0])<<8 | uint16(data[1])) & 0x7fff

  119. 	s.cipherSuite = uint16(data[2])<<8 | uint16(data[3])

  120. 	s.usedEMS = (data[0] & 0x80) == 0x80

  121. 	masterSecretLen := int(data[4])<<8 | int(data[5])

  122. 	data = data[6:]

  123. 	if len(data) < masterSecretLen {

  124. 		return alertDecodeError

  125. 	}

  126. 

  127. 	s.masterSecret = data[:masterSecretLen]

  128. 	data = data[masterSecretLen:]

  129. 

  130. 	if len(data) < 2 {

  131. 		return alertDecodeError

  132. 	}

  133. 

  134. 	numCerts := int(data[0])<<8 | int(data[1])

  135. 	data = data[2:]

  136. 

  137. 	s.certificates = make([][]byte, numCerts)

  138. 	for i := range s.certificates {

  139. 		if len(data) < 4 {

  140. 			return alertDecodeError

  141. 		}

  142. 		certLen := int(data[0])<<24 | int(data[1])<<16 | int(data[2])<<8 | int(data[3])

  143. 		data = data[4:]

  144. 		if certLen < 0 {

  145. 			return alertDecodeError

  146. 		}

  147. 		if len(data) < certLen {

  148. 			return alertDecodeError

  149. 		}

  150. 		s.certificates[i] = data[:certLen]

  151. 		data = data[certLen:]

  152. 	}

  153. 

  154. 	if len(data) != 0 {

  155. 		return alertDecodeError

  156. 	}

  157. 	return alertSuccess

  158. }

  159. 

  160. type sessionState13 struct {

  161. 	vers            uint16

  162. 	suite           uint16

  163. 	ageAdd          uint32

  164. 	createdAt       uint64

  165. 	maxEarlyDataLen uint32

  166. 	pskSecret       []byte

  167. 	alpnProtocol    string

  168. 	SNI             string

  169. }

  170. 

  171. func (s *sessionState13) equal(i interface{}) bool {

  172. 	s1, ok := i.(*sessionState13)

  173. 	if !ok {

  174. 		return false

  175. 	}

  176. 

  177. 	return s.vers == s1.vers &&

  178. 		s.suite == s1.suite &&

  179. 		s.ageAdd == s1.ageAdd &&

  180. 		s.createdAt == s1.createdAt &&

  181. 		s.maxEarlyDataLen == s1.maxEarlyDataLen &&

  182. 		subtle.ConstantTimeCompare(s.pskSecret, s1.pskSecret) == 1 &&

  183. 		s.alpnProtocol == s1.alpnProtocol &&

  184. 		s.SNI == s1.SNI

  185. }

  186. 

  187. func (s *sessionState13) marshal() []byte {

  188. 	length := 2 + 2 + 4 + 8 + 4 + 2 + len(s.pskSecret) + 2 + len(s.alpnProtocol) + 2 + len(s.SNI)

  189. 

  190. 	x := make([]byte, length)

  191. 	x[0] = byte(s.vers >> 8)

  192. 	x[1] = byte(s.vers)

  193. 	x[2] = byte(s.suite >> 8)

  194. 	x[3] = byte(s.suite)

  195. 	x[4] = byte(s.ageAdd >> 24)

  196. 	x[5] = byte(s.ageAdd >> 16)

  197. 	x[6] = byte(s.ageAdd >> 8)

  198. 	x[7] = byte(s.ageAdd)

  199. 	x[8] = byte(s.createdAt >> 56)

  200. 	x[9] = byte(s.createdAt >> 48)

  201. 	x[10] = byte(s.createdAt >> 40)

  202. 	x[11] = byte(s.createdAt >> 32)

  203. 	x[12] = byte(s.createdAt >> 24)

  204. 	x[13] = byte(s.createdAt >> 16)

  205. 	x[14] = byte(s.createdAt >> 8)

  206. 	x[15] = byte(s.createdAt)

  207. 	x[16] = byte(s.maxEarlyDataLen >> 24)

  208. 	x[17] = byte(s.maxEarlyDataLen >> 16)

  209. 	x[18] = byte(s.maxEarlyDataLen >> 8)

  210. 	x[19] = byte(s.maxEarlyDataLen)

  211. 	x[20] = byte(len(s.pskSecret) >> 8)

  212. 	x[21] = byte(len(s.pskSecret))

  213. 	copy(x[22:], s.pskSecret)

  214. 	z := x[22+len(s.pskSecret):]

  215. 	z[0] = byte(len(s.alpnProtocol) >> 8)

  216. 	z[1] = byte(len(s.alpnProtocol))

  217. 	copy(z[2:], s.alpnProtocol)

  218. 	z = z[2+len(s.alpnProtocol):]

  219. 	z[0] = byte(len(s.SNI) >> 8)

  220. 	z[1] = byte(len(s.SNI))

  221. 	copy(z[2:], s.SNI)

  222. 

  223. 	return x

  224. }

  225. 

  226. func (s *sessionState13) unmarshal(data []byte) alert {

  227. 	if len(data) < 24 {

  228. 		return alertDecodeError

  229. 	}

  230. 

  231. 	s.vers = uint16(data[0])<<8 | uint16(data[1])

  232. 	s.suite = uint16(data[2])<<8 | uint16(data[3])

  233. 	s.ageAdd = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])

  234. 	s.createdAt = uint64(data[8])<<56 | uint64(data[9])<<48 | uint64(data[10])<<40 | uint64(data[11])<<32 |

  235. 		uint64(data[12])<<24 | uint64(data[13])<<16 | uint64(data[14])<<8 | uint64(data[15])

  236. 	s.maxEarlyDataLen = uint32(data[16])<<24 | uint32(data[17])<<16 | uint32(data[18])<<8 | uint32(data[19])

  237. 

  238. 	l := int(data[20])<<8 | int(data[21])

  239. 	if len(data) < 22+l+2 {

  240. 		return alertDecodeError

  241. 	}

  242. 	s.pskSecret = data[22 : 22+l]

  243. 	z := data[22+l:]

  244. 

  245. 	l = int(z[0])<<8 | int(z[1])

  246. 	if len(z) < 2+l+2 {

  247. 		return alertDecodeError

  248. 	}

  249. 	s.alpnProtocol = string(z[2 : 2+l])

  250. 	z = z[2+l:]

  251. 

  252. 	l = int(z[0])<<8 | int(z[1])

  253. 	if len(z) != 2+l {

  254. 		return alertDecodeError

  255. 	}

  256. 	s.SNI = string(z[2 : 2+l])

  257. 

  258. 	return alertSuccess

  259. }

  260. 

  261. func (c *Conn) encryptTicket(serialized []byte) ([]byte, error) {

  262. 	encrypted := make([]byte, ticketKeyNameLen+aes.BlockSize+len(serialized)+sha256.Size)

  263. 	keyName := encrypted[:ticketKeyNameLen]

  264. 	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]

  265. 	macBytes := encrypted[len(encrypted)-sha256.Size:]

  266. 

  267. 	if _, err := io.ReadFull(c.config.rand(), iv); err != nil {

  268. 		return nil, err

  269. 	}

  270. 	key := c.config.ticketKeys()[0]

  271. 	copy(keyName, key.keyName[:])

  272. 	block, err := aes.NewCipher(key.aesKey[:])

  273. 	if err != nil {

  274. 		return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error())

  275. 	}

  276. 	cipher.NewCTR(block, iv).XORKeyStream(encrypted[ticketKeyNameLen+aes.BlockSize:], serialized)

  277. 

  278. 	mac := hmac.New(sha256.New, key.hmacKey[:])

  279. 	mac.Write(encrypted[:len(encrypted)-sha256.Size])

  280. 	mac.Sum(macBytes[:0])

  281. 

  282. 	return encrypted, nil

  283. }

  284. 

  285. func (c *Conn) decryptTicket(encrypted []byte) (serialized []byte, usedOldKey bool) {

  286. 	if c.config.SessionTicketsDisabled ||

  287. 		len(encrypted) < ticketKeyNameLen+aes.BlockSize+sha256.Size {

  288. 		return nil, false

  289. 	}

  290. 

  291. 	keyName := encrypted[:ticketKeyNameLen]

  292. 	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]

  293. 	macBytes := encrypted[len(encrypted)-sha256.Size:]

  294. 

  295. 	keys := c.config.ticketKeys()

  296. 	keyIndex := -1

  297. 	for i, candidateKey := range keys {

  298. 		if bytes.Equal(keyName, candidateKey.keyName[:]) {

  299. 			keyIndex = i

  300. 			break

  301. 		}

  302. 	}

  303. 

  304. 	if keyIndex == -1 {

  305. 		return nil, false

  306. 	}

  307. 	key := &keys[keyIndex]

  308. 

  309. 	mac := hmac.New(sha256.New, key.hmacKey[:])

  310. 	mac.Write(encrypted[:len(encrypted)-sha256.Size])

  311. 	expected := mac.Sum(nil)

  312. 

  313. 	if subtle.ConstantTimeCompare(macBytes, expected) != 1 {

  314. 		return nil, false

  315. 	}

  316. 

  317. 	block, err := aes.NewCipher(key.aesKey[:])

  318. 	if err != nil {

  319. 		return nil, false

  320. 	}

  321. 	ciphertext := encrypted[ticketKeyNameLen+aes.BlockSize : len(encrypted)-sha256.Size]

  322. 	plaintext := ciphertext

  323. 	cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext)

  324. 

  325. 	return plaintext, keyIndex > 0

  326. }