// Copyright 2012 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package runner import ( "crypto/aes" "crypto/cipher" "crypto/hmac" "crypto/sha256" "crypto/subtle" "encoding/binary" "errors" "io" "time" ) // sessionState contains the information that is serialized into a session // ticket in order to later resume a connection. type sessionState struct { vers uint16 cipherSuite uint16 masterSecret []byte handshakeHash []byte certificates [][]byte extendedMasterSecret bool earlyALPN []byte ticketCreationTime time.Time ticketExpiration time.Time ticketFlags uint32 ticketAgeAdd uint32 } func (s *sessionState) marshal() []byte { msg := newByteBuilder() msg.addU16(s.vers) msg.addU16(s.cipherSuite) masterSecret := msg.addU16LengthPrefixed() masterSecret.addBytes(s.masterSecret) handshakeHash := msg.addU16LengthPrefixed() handshakeHash.addBytes(s.handshakeHash) msg.addU16(uint16(len(s.certificates))) for _, cert := range s.certificates { certMsg := msg.addU32LengthPrefixed() certMsg.addBytes(cert) } if s.extendedMasterSecret { msg.addU8(1) } else { msg.addU8(0) } if s.vers >= VersionTLS13 { msg.addU64(uint64(s.ticketCreationTime.UnixNano())) msg.addU64(uint64(s.ticketExpiration.UnixNano())) msg.addU32(s.ticketFlags) msg.addU32(s.ticketAgeAdd) } earlyALPN := msg.addU16LengthPrefixed() earlyALPN.addBytes(s.earlyALPN) return msg.finish() } func (s *sessionState) unmarshal(data []byte) bool { if len(data) < 8 { return false } s.vers = uint16(data[0])<<8 | uint16(data[1]) s.cipherSuite = uint16(data[2])<<8 | uint16(data[3]) masterSecretLen := int(data[4])<<8 | int(data[5]) data = data[6:] if len(data) < masterSecretLen { return false } s.masterSecret = data[:masterSecretLen] data = data[masterSecretLen:] if len(data) < 2 { return false } handshakeHashLen := int(data[0])<<8 | int(data[1]) data = data[2:] if len(data) < handshakeHashLen { return false } s.handshakeHash = data[:handshakeHashLen] data = data[handshakeHashLen:] if len(data) < 2 { return false } numCerts := int(data[0])<<8 | int(data[1]) data = data[2:] s.certificates = make([][]byte, numCerts) for i := range s.certificates { if len(data) < 4 { return false } certLen := int(data[0])<<24 | int(data[1])<<16 | int(data[2])<<8 | int(data[3]) data = data[4:] if certLen < 0 { return false } if len(data) < certLen { return false } s.certificates[i] = data[:certLen] data = data[certLen:] } if len(data) < 1 { return false } s.extendedMasterSecret = false if data[0] == 1 { s.extendedMasterSecret = true } data = data[1:] if s.vers >= VersionTLS13 { if len(data) < 24 { return false } s.ticketCreationTime = time.Unix(0, int64(binary.BigEndian.Uint64(data))) data = data[8:] s.ticketExpiration = time.Unix(0, int64(binary.BigEndian.Uint64(data))) data = data[8:] s.ticketFlags = binary.BigEndian.Uint32(data) data = data[4:] s.ticketAgeAdd = binary.BigEndian.Uint32(data) data = data[4:] } earlyALPNLen := int(data[0])<<8 | int(data[1]) data = data[2:] if len(data) < earlyALPNLen { return false } s.earlyALPN = data[:earlyALPNLen] data = data[earlyALPNLen:] if len(data) > 0 { return false } return true } func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) { serialized := state.marshal() encrypted := make([]byte, aes.BlockSize+len(serialized)+sha256.Size) iv := encrypted[:aes.BlockSize] macBytes := encrypted[len(encrypted)-sha256.Size:] if _, err := io.ReadFull(c.config.rand(), iv); err != nil { return nil, err } block, err := aes.NewCipher(c.config.SessionTicketKey[:16]) if err != nil { return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error()) } cipher.NewCTR(block, iv).XORKeyStream(encrypted[aes.BlockSize:], serialized) mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32]) mac.Write(encrypted[:len(encrypted)-sha256.Size]) mac.Sum(macBytes[:0]) return encrypted, nil } func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) { if len(encrypted) < aes.BlockSize+sha256.Size { return nil, false } iv := encrypted[:aes.BlockSize] macBytes := encrypted[len(encrypted)-sha256.Size:] mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32]) mac.Write(encrypted[:len(encrypted)-sha256.Size]) expected := mac.Sum(nil) if subtle.ConstantTimeCompare(macBytes, expected) != 1 { return nil, false } block, err := aes.NewCipher(c.config.SessionTicketKey[:16]) if err != nil { return nil, false } ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size] plaintext := make([]byte, len(ciphertext)) cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext) state := new(sessionState) ok := state.unmarshal(plaintext) return state, ok }