1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "crypto" 9 "crypto/ecdsa" 10 "crypto/ed25519" 11 "crypto/elliptic" 12 "crypto/rsa" 13 "crypto/subtle" 14 "crypto/x509" 15 "errors" 16 "fmt" 17 "io" 18 "math/big" 19 20 "boringssl.googlesource.com/boringssl/ssl/test/runner/hrss" 21 "golang.org/x/crypto/curve25519" 22) 23 24type keyType int 25 26const ( 27 keyTypeRSA keyType = iota + 1 28 keyTypeECDSA 29) 30 31var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message") 32var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message") 33 34// rsaKeyAgreement implements the standard TLS key agreement where the client 35// encrypts the pre-master secret to the server's public key. 36type rsaKeyAgreement struct { 37 version uint16 38 clientVersion uint16 39 exportKey *rsa.PrivateKey 40} 41 42func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { 43 // Save the client version for comparison later. 44 ka.clientVersion = clientHello.vers 45 46 if !config.Bugs.RSAEphemeralKey { 47 return nil, nil 48 } 49 50 // Generate an ephemeral RSA key to use instead of the real 51 // one, as in RSA_EXPORT. 52 key, err := rsa.GenerateKey(config.rand(), 512) 53 if err != nil { 54 return nil, err 55 } 56 ka.exportKey = key 57 58 modulus := key.N.Bytes() 59 exponent := big.NewInt(int64(key.E)).Bytes() 60 serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent)) 61 serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus))) 62 serverRSAParams = append(serverRSAParams, modulus...) 63 serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent))) 64 serverRSAParams = append(serverRSAParams, exponent...) 65 66 var sigAlg signatureAlgorithm 67 if ka.version >= VersionTLS12 { 68 sigAlg, err = selectSignatureAlgorithm(ka.version, cert.PrivateKey, config, clientHello.signatureAlgorithms) 69 if err != nil { 70 return nil, err 71 } 72 } 73 74 sig, err := signMessage(ka.version, cert.PrivateKey, config, sigAlg, serverRSAParams) 75 if err != nil { 76 return nil, errors.New("failed to sign RSA parameters: " + err.Error()) 77 } 78 79 skx := new(serverKeyExchangeMsg) 80 sigAlgsLen := 0 81 if ka.version >= VersionTLS12 { 82 sigAlgsLen = 2 83 } 84 skx.key = make([]byte, len(serverRSAParams)+sigAlgsLen+2+len(sig)) 85 copy(skx.key, serverRSAParams) 86 k := skx.key[len(serverRSAParams):] 87 if ka.version >= VersionTLS12 { 88 k[0] = byte(sigAlg >> 8) 89 k[1] = byte(sigAlg) 90 k = k[2:] 91 } 92 k[0] = byte(len(sig) >> 8) 93 k[1] = byte(len(sig)) 94 copy(k[2:], sig) 95 96 return skx, nil 97} 98 99func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { 100 preMasterSecret := make([]byte, 48) 101 _, err := io.ReadFull(config.rand(), preMasterSecret[2:]) 102 if err != nil { 103 return nil, err 104 } 105 106 if len(ckx.ciphertext) < 2 { 107 return nil, errClientKeyExchange 108 } 109 110 ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1]) 111 if ciphertextLen != len(ckx.ciphertext)-2 { 112 return nil, errClientKeyExchange 113 } 114 ciphertext := ckx.ciphertext[2:] 115 116 key := cert.PrivateKey.(*rsa.PrivateKey) 117 if ka.exportKey != nil { 118 key = ka.exportKey 119 } 120 err = rsa.DecryptPKCS1v15SessionKey(config.rand(), key, ciphertext, preMasterSecret) 121 if err != nil { 122 return nil, err 123 } 124 // This check should be done in constant-time, but this is a testing 125 // implementation. See the discussion at the end of section 7.4.7.1 of 126 // RFC 4346. 127 vers := uint16(preMasterSecret[0])<<8 | uint16(preMasterSecret[1]) 128 if ka.clientVersion != vers { 129 return nil, fmt.Errorf("tls: invalid version in RSA premaster (got %04x, wanted %04x)", vers, ka.clientVersion) 130 } 131 return preMasterSecret, nil 132} 133 134func (ka *rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, skx *serverKeyExchangeMsg) error { 135 return errors.New("tls: unexpected ServerKeyExchange") 136} 137 138func rsaSize(pub *rsa.PublicKey) int { 139 return (pub.N.BitLen() + 7) / 8 140} 141 142func rsaRawEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) { 143 k := rsaSize(pub) 144 if len(msg) != k { 145 return nil, errors.New("tls: bad padded RSA input") 146 } 147 m := new(big.Int).SetBytes(msg) 148 e := big.NewInt(int64(pub.E)) 149 m.Exp(m, e, pub.N) 150 unpadded := m.Bytes() 151 ret := make([]byte, k) 152 copy(ret[len(ret)-len(unpadded):], unpadded) 153 return ret, nil 154} 155 156// nonZeroRandomBytes fills the given slice with non-zero random octets. 157func nonZeroRandomBytes(s []byte, rand io.Reader) { 158 if _, err := io.ReadFull(rand, s); err != nil { 159 panic(err) 160 } 161 162 for i := range s { 163 for s[i] == 0 { 164 if _, err := io.ReadFull(rand, s[i:i+1]); err != nil { 165 panic(err) 166 } 167 } 168 } 169} 170 171func (ka *rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { 172 bad := config.Bugs.BadRSAClientKeyExchange 173 preMasterSecret := make([]byte, 48) 174 vers := clientHello.vers 175 if bad == RSABadValueWrongVersion1 { 176 vers ^= 1 177 } else if bad == RSABadValueWrongVersion2 { 178 vers ^= 0x100 179 } 180 preMasterSecret[0] = byte(vers >> 8) 181 preMasterSecret[1] = byte(vers) 182 _, err := io.ReadFull(config.rand(), preMasterSecret[2:]) 183 if err != nil { 184 return nil, nil, err 185 } 186 187 sentPreMasterSecret := preMasterSecret 188 if bad == RSABadValueTooLong { 189 sentPreMasterSecret = make([]byte, 1, len(sentPreMasterSecret)+1) 190 sentPreMasterSecret = append(sentPreMasterSecret, preMasterSecret...) 191 } else if bad == RSABadValueTooShort { 192 sentPreMasterSecret = sentPreMasterSecret[:len(sentPreMasterSecret)-1] 193 } 194 195 // Pad for PKCS#1 v1.5. 196 padded := make([]byte, rsaSize(cert.PublicKey.(*rsa.PublicKey))) 197 padded[1] = 2 198 nonZeroRandomBytes(padded[2:len(padded)-len(sentPreMasterSecret)-1], config.rand()) 199 copy(padded[len(padded)-len(sentPreMasterSecret):], sentPreMasterSecret) 200 201 if bad == RSABadValueWrongBlockType { 202 padded[1] = 3 203 } else if bad == RSABadValueWrongLeadingByte { 204 padded[0] = 1 205 } else if bad == RSABadValueNoZero { 206 for i := 2; i < len(padded); i++ { 207 if padded[i] == 0 { 208 padded[i]++ 209 } 210 } 211 } 212 213 encrypted, err := rsaRawEncrypt(cert.PublicKey.(*rsa.PublicKey), padded) 214 if err != nil { 215 return nil, nil, err 216 } 217 if bad == RSABadValueCorrupt { 218 encrypted[len(encrypted)-1] ^= 1 219 // Clear the high byte to ensure |encrypted| is still below the RSA modulus. 220 encrypted[0] = 0 221 } 222 ckx := new(clientKeyExchangeMsg) 223 ckx.ciphertext = make([]byte, len(encrypted)+2) 224 ckx.ciphertext[0] = byte(len(encrypted) >> 8) 225 ckx.ciphertext[1] = byte(len(encrypted)) 226 copy(ckx.ciphertext[2:], encrypted) 227 return preMasterSecret, ckx, nil 228} 229 230func (ka *rsaKeyAgreement) peerSignatureAlgorithm() signatureAlgorithm { 231 return 0 232} 233 234// A ecdhCurve is an instance of ECDH-style key agreement for TLS. 235type ecdhCurve interface { 236 // offer generates a keypair using rand. It returns the encoded |publicKey|. 237 offer(rand io.Reader) (publicKey []byte, err error) 238 239 // accept responds to the |peerKey| generated by |offer| with the acceptor's 240 // |publicKey|, and returns agreed-upon |preMasterSecret| to the acceptor. 241 accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) 242 243 // finish returns the computed |preMasterSecret|, given the |peerKey| 244 // generated by |accept|. 245 finish(peerKey []byte) (preMasterSecret []byte, err error) 246} 247 248// ellipticECDHCurve implements ecdhCurve with an elliptic.Curve. 249type ellipticECDHCurve struct { 250 curve elliptic.Curve 251 privateKey []byte 252 sendCompressed bool 253} 254 255func (e *ellipticECDHCurve) offer(rand io.Reader) (publicKey []byte, err error) { 256 var x, y *big.Int 257 e.privateKey, x, y, err = elliptic.GenerateKey(e.curve, rand) 258 if err != nil { 259 return nil, err 260 } 261 ret := elliptic.Marshal(e.curve, x, y) 262 if e.sendCompressed { 263 l := (len(ret) - 1) / 2 264 tmp := make([]byte, 1+l) 265 tmp[0] = byte(2 | y.Bit(0)) 266 copy(tmp[1:], ret[1:1+l]) 267 ret = tmp 268 } 269 return ret, nil 270} 271 272func (e *ellipticECDHCurve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) { 273 publicKey, err = e.offer(rand) 274 if err != nil { 275 return nil, nil, err 276 } 277 preMasterSecret, err = e.finish(peerKey) 278 if err != nil { 279 return nil, nil, err 280 } 281 return 282} 283 284func (e *ellipticECDHCurve) finish(peerKey []byte) (preMasterSecret []byte, err error) { 285 x, y := elliptic.Unmarshal(e.curve, peerKey) 286 if x == nil { 287 return nil, errors.New("tls: invalid peer key") 288 } 289 x, _ = e.curve.ScalarMult(x, y, e.privateKey) 290 preMasterSecret = make([]byte, (e.curve.Params().BitSize+7)>>3) 291 xBytes := x.Bytes() 292 copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes) 293 294 return preMasterSecret, nil 295} 296 297// x25519ECDHCurve implements ecdhCurve with X25519. 298type x25519ECDHCurve struct { 299 privateKey [32]byte 300 setHighBit bool 301} 302 303func (e *x25519ECDHCurve) offer(rand io.Reader) (publicKey []byte, err error) { 304 _, err = io.ReadFull(rand, e.privateKey[:]) 305 if err != nil { 306 return 307 } 308 var out [32]byte 309 curve25519.ScalarBaseMult(&out, &e.privateKey) 310 if e.setHighBit { 311 out[31] |= 0x80 312 } 313 return out[:], nil 314} 315 316func (e *x25519ECDHCurve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) { 317 publicKey, err = e.offer(rand) 318 if err != nil { 319 return nil, nil, err 320 } 321 preMasterSecret, err = e.finish(peerKey) 322 if err != nil { 323 return nil, nil, err 324 } 325 return 326} 327 328func (e *x25519ECDHCurve) finish(peerKey []byte) (preMasterSecret []byte, err error) { 329 if len(peerKey) != 32 { 330 return nil, errors.New("tls: invalid peer key") 331 } 332 var out, peerKeyCopy [32]byte 333 copy(peerKeyCopy[:], peerKey) 334 curve25519.ScalarMult(&out, &e.privateKey, &peerKeyCopy) 335 336 // Per RFC 7748, reject the all-zero value in constant time. 337 var zeros [32]byte 338 if subtle.ConstantTimeCompare(zeros[:], out[:]) == 1 { 339 return nil, errors.New("tls: X25519 value with wrong order") 340 } 341 342 return out[:], nil 343} 344 345// cecpq2Curve implements CECPQ2, which is HRSS+SXY combined with X25519. 346type cecpq2Curve struct { 347 x25519PrivateKey [32]byte 348 hrssPrivateKey hrss.PrivateKey 349} 350 351func (e *cecpq2Curve) offer(rand io.Reader) (publicKey []byte, err error) { 352 if _, err := io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil { 353 return nil, err 354 } 355 356 var x25519Public [32]byte 357 curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey) 358 359 e.hrssPrivateKey = hrss.GenerateKey(rand) 360 hrssPublic := e.hrssPrivateKey.PublicKey.Marshal() 361 362 var ret []byte 363 ret = append(ret, x25519Public[:]...) 364 ret = append(ret, hrssPublic...) 365 return ret, nil 366} 367 368func (e *cecpq2Curve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) { 369 if len(peerKey) != 32+hrss.PublicKeySize { 370 return nil, nil, errors.New("tls: bad length CECPQ2 offer") 371 } 372 373 if _, err := io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil { 374 return nil, nil, err 375 } 376 377 var x25519Shared, x25519PeerKey, x25519Public [32]byte 378 copy(x25519PeerKey[:], peerKey) 379 curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey) 380 curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey) 381 382 // Per RFC 7748, reject the all-zero value in constant time. 383 var zeros [32]byte 384 if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 { 385 return nil, nil, errors.New("tls: X25519 value with wrong order") 386 } 387 388 hrssPublicKey, ok := hrss.ParsePublicKey(peerKey[32:]) 389 if !ok { 390 return nil, nil, errors.New("tls: bad CECPQ2 offer") 391 } 392 393 hrssCiphertext, hrssShared := hrssPublicKey.Encap(rand) 394 395 publicKey = append(publicKey, x25519Public[:]...) 396 publicKey = append(publicKey, hrssCiphertext...) 397 preMasterSecret = append(preMasterSecret, x25519Shared[:]...) 398 preMasterSecret = append(preMasterSecret, hrssShared...) 399 400 return publicKey, preMasterSecret, nil 401} 402 403func (e *cecpq2Curve) finish(peerKey []byte) (preMasterSecret []byte, err error) { 404 if len(peerKey) != 32+hrss.CiphertextSize { 405 return nil, errors.New("tls: bad length CECPQ2 reply") 406 } 407 408 var x25519Shared, x25519PeerKey [32]byte 409 copy(x25519PeerKey[:], peerKey) 410 curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey) 411 412 // Per RFC 7748, reject the all-zero value in constant time. 413 var zeros [32]byte 414 if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 { 415 return nil, errors.New("tls: X25519 value with wrong order") 416 } 417 418 hrssShared, ok := e.hrssPrivateKey.Decap(peerKey[32:]) 419 if !ok { 420 return nil, errors.New("tls: invalid HRSS ciphertext") 421 } 422 423 preMasterSecret = append(preMasterSecret, x25519Shared[:]...) 424 preMasterSecret = append(preMasterSecret, hrssShared...) 425 426 return preMasterSecret, nil 427} 428 429func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) { 430 switch id { 431 case CurveP224: 432 return &ellipticECDHCurve{curve: elliptic.P224(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true 433 case CurveP256: 434 return &ellipticECDHCurve{curve: elliptic.P256(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true 435 case CurveP384: 436 return &ellipticECDHCurve{curve: elliptic.P384(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true 437 case CurveP521: 438 return &ellipticECDHCurve{curve: elliptic.P521(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true 439 case CurveX25519: 440 return &x25519ECDHCurve{setHighBit: config.Bugs.SetX25519HighBit}, true 441 case CurveCECPQ2: 442 return &cecpq2Curve{}, true 443 default: 444 return nil, false 445 } 446 447} 448 449// keyAgreementAuthentication is a helper interface that specifies how 450// to authenticate the ServerKeyExchange parameters. 451type keyAgreementAuthentication interface { 452 signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) 453 verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, params []byte, sig []byte) error 454} 455 456// nilKeyAgreementAuthentication does not authenticate the key 457// agreement parameters. 458type nilKeyAgreementAuthentication struct{} 459 460func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { 461 skx := new(serverKeyExchangeMsg) 462 skx.key = params 463 return skx, nil 464} 465 466func (ka *nilKeyAgreementAuthentication) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, params []byte, sig []byte) error { 467 return nil 468} 469 470// signedKeyAgreement signs the ServerKeyExchange parameters with the 471// server's private key. 472type signedKeyAgreement struct { 473 keyType keyType 474 version uint16 475 peerSignatureAlgorithm signatureAlgorithm 476} 477 478func (ka *signedKeyAgreement) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { 479 // The message to be signed is prepended by the randoms. 480 var msg []byte 481 msg = append(msg, clientHello.random...) 482 msg = append(msg, hello.random...) 483 msg = append(msg, params...) 484 485 var sigAlg signatureAlgorithm 486 var err error 487 if ka.version >= VersionTLS12 { 488 sigAlg, err = selectSignatureAlgorithm(ka.version, cert.PrivateKey, config, clientHello.signatureAlgorithms) 489 if err != nil { 490 return nil, err 491 } 492 } 493 494 sig, err := signMessage(ka.version, cert.PrivateKey, config, sigAlg, msg) 495 if err != nil { 496 return nil, err 497 } 498 if config.Bugs.SendSignatureAlgorithm != 0 { 499 sigAlg = config.Bugs.SendSignatureAlgorithm 500 } 501 502 skx := new(serverKeyExchangeMsg) 503 if config.Bugs.UnauthenticatedECDH { 504 skx.key = params 505 } else { 506 sigAlgsLen := 0 507 if ka.version >= VersionTLS12 { 508 sigAlgsLen = 2 509 } 510 skx.key = make([]byte, len(params)+sigAlgsLen+2+len(sig)) 511 copy(skx.key, params) 512 k := skx.key[len(params):] 513 if ka.version >= VersionTLS12 { 514 k[0] = byte(sigAlg >> 8) 515 k[1] = byte(sigAlg) 516 k = k[2:] 517 } 518 k[0] = byte(len(sig) >> 8) 519 k[1] = byte(len(sig)) 520 copy(k[2:], sig) 521 } 522 523 return skx, nil 524} 525 526func (ka *signedKeyAgreement) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, publicKey crypto.PublicKey, params []byte, sig []byte) error { 527 // The peer's key must match the cipher type. 528 switch ka.keyType { 529 case keyTypeECDSA: 530 _, edsaOk := publicKey.(*ecdsa.PublicKey) 531 _, ed25519Ok := publicKey.(ed25519.PublicKey) 532 if !edsaOk && !ed25519Ok { 533 return errors.New("tls: ECDHE ECDSA requires a ECDSA or Ed25519 server public key") 534 } 535 case keyTypeRSA: 536 _, ok := publicKey.(*rsa.PublicKey) 537 if !ok { 538 return errors.New("tls: ECDHE RSA requires a RSA server public key") 539 } 540 default: 541 return errors.New("tls: unknown key type") 542 } 543 544 // The message to be signed is prepended by the randoms. 545 var msg []byte 546 msg = append(msg, clientHello.random...) 547 msg = append(msg, serverHello.random...) 548 msg = append(msg, params...) 549 550 var sigAlg signatureAlgorithm 551 if ka.version >= VersionTLS12 { 552 if len(sig) < 2 { 553 return errServerKeyExchange 554 } 555 sigAlg = signatureAlgorithm(sig[0])<<8 | signatureAlgorithm(sig[1]) 556 sig = sig[2:] 557 // Stash the signature algorithm to be extracted by the handshake. 558 ka.peerSignatureAlgorithm = sigAlg 559 } 560 561 if len(sig) < 2 { 562 return errServerKeyExchange 563 } 564 sigLen := int(sig[0])<<8 | int(sig[1]) 565 if sigLen+2 != len(sig) { 566 return errServerKeyExchange 567 } 568 sig = sig[2:] 569 570 return verifyMessage(ka.version, publicKey, config, sigAlg, msg, sig) 571} 572 573// ecdheKeyAgreement implements a TLS key agreement where the server 574// generates a ephemeral EC public/private key pair and signs it. The 575// pre-master secret is then calculated using ECDH. The signature may 576// either be ECDSA or RSA. 577type ecdheKeyAgreement struct { 578 auth keyAgreementAuthentication 579 curve ecdhCurve 580 curveID CurveID 581 peerKey []byte 582} 583 584func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { 585 var curveid CurveID 586 preferredCurves := config.curvePreferences() 587 588NextCandidate: 589 for _, candidate := range preferredCurves { 590 if isPqGroup(candidate) && version < VersionTLS13 { 591 // CECPQ2 is TLS 1.3-only. 592 continue 593 } 594 595 for _, c := range clientHello.supportedCurves { 596 if candidate == c { 597 curveid = c 598 break NextCandidate 599 } 600 } 601 } 602 603 if curveid == 0 { 604 return nil, errors.New("tls: no supported elliptic curves offered") 605 } 606 607 var ok bool 608 if ka.curve, ok = curveForCurveID(curveid, config); !ok { 609 return nil, errors.New("tls: preferredCurves includes unsupported curve") 610 } 611 ka.curveID = curveid 612 613 publicKey, err := ka.curve.offer(config.rand()) 614 if err != nil { 615 return nil, err 616 } 617 618 // http://tools.ietf.org/html/rfc4492#section-5.4 619 serverECDHParams := make([]byte, 1+2+1+len(publicKey)) 620 serverECDHParams[0] = 3 // named curve 621 if config.Bugs.SendCurve != 0 { 622 curveid = config.Bugs.SendCurve 623 } 624 serverECDHParams[1] = byte(curveid >> 8) 625 serverECDHParams[2] = byte(curveid) 626 serverECDHParams[3] = byte(len(publicKey)) 627 copy(serverECDHParams[4:], publicKey) 628 if config.Bugs.InvalidECDHPoint { 629 serverECDHParams[4] ^= 0xff 630 } 631 632 return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams) 633} 634 635func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { 636 if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 { 637 return nil, errClientKeyExchange 638 } 639 return ka.curve.finish(ckx.ciphertext[1:]) 640} 641 642func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, skx *serverKeyExchangeMsg) error { 643 if len(skx.key) < 4 { 644 return errServerKeyExchange 645 } 646 if skx.key[0] != 3 { // named curve 647 return errors.New("tls: server selected unsupported curve") 648 } 649 curveid := CurveID(skx.key[1])<<8 | CurveID(skx.key[2]) 650 ka.curveID = curveid 651 652 var ok bool 653 if ka.curve, ok = curveForCurveID(curveid, config); !ok { 654 return errors.New("tls: server selected unsupported curve") 655 } 656 657 publicLen := int(skx.key[3]) 658 if publicLen+4 > len(skx.key) { 659 return errServerKeyExchange 660 } 661 // Save the peer key for later. 662 ka.peerKey = skx.key[4 : 4+publicLen] 663 664 // Check the signature. 665 serverECDHParams := skx.key[:4+publicLen] 666 sig := skx.key[4+publicLen:] 667 return ka.auth.verifyParameters(config, clientHello, serverHello, key, serverECDHParams, sig) 668} 669 670func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { 671 if ka.curve == nil { 672 return nil, nil, errors.New("missing ServerKeyExchange message") 673 } 674 675 publicKey, preMasterSecret, err := ka.curve.accept(config.rand(), ka.peerKey) 676 if err != nil { 677 return nil, nil, err 678 } 679 680 ckx := new(clientKeyExchangeMsg) 681 ckx.ciphertext = make([]byte, 1+len(publicKey)) 682 ckx.ciphertext[0] = byte(len(publicKey)) 683 copy(ckx.ciphertext[1:], publicKey) 684 if config.Bugs.InvalidECDHPoint { 685 ckx.ciphertext[1] ^= 0xff 686 } 687 688 return preMasterSecret, ckx, nil 689} 690 691func (ka *ecdheKeyAgreement) peerSignatureAlgorithm() signatureAlgorithm { 692 if auth, ok := ka.auth.(*signedKeyAgreement); ok { 693 return auth.peerSignatureAlgorithm 694 } 695 return 0 696} 697 698// nilKeyAgreement is a fake key agreement used to implement the plain PSK key 699// exchange. 700type nilKeyAgreement struct{} 701 702func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { 703 return nil, nil 704} 705 706func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { 707 if len(ckx.ciphertext) != 0 { 708 return nil, errClientKeyExchange 709 } 710 711 // Although in plain PSK, otherSecret is all zeros, the base key 712 // agreement does not access to the length of the pre-shared 713 // key. pskKeyAgreement instead interprets nil to mean to use all zeros 714 // of the appropriate length. 715 return nil, nil 716} 717 718func (ka *nilKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, skx *serverKeyExchangeMsg) error { 719 if len(skx.key) != 0 { 720 return errServerKeyExchange 721 } 722 return nil 723} 724 725func (ka *nilKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { 726 // Although in plain PSK, otherSecret is all zeros, the base key 727 // agreement does not access to the length of the pre-shared 728 // key. pskKeyAgreement instead interprets nil to mean to use all zeros 729 // of the appropriate length. 730 return nil, &clientKeyExchangeMsg{}, nil 731} 732 733func (ka *nilKeyAgreement) peerSignatureAlgorithm() signatureAlgorithm { 734 return 0 735} 736 737// makePSKPremaster formats a PSK pre-master secret based on otherSecret from 738// the base key exchange and psk. 739func makePSKPremaster(otherSecret, psk []byte) []byte { 740 out := make([]byte, 0, 2+len(otherSecret)+2+len(psk)) 741 out = append(out, byte(len(otherSecret)>>8), byte(len(otherSecret))) 742 out = append(out, otherSecret...) 743 out = append(out, byte(len(psk)>>8), byte(len(psk))) 744 out = append(out, psk...) 745 return out 746} 747 748// pskKeyAgreement implements the PSK key agreement. 749type pskKeyAgreement struct { 750 base keyAgreement 751 identityHint string 752} 753 754func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { 755 // Assemble the identity hint. 756 bytes := make([]byte, 2+len(config.PreSharedKeyIdentity)) 757 bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8) 758 bytes[1] = byte(len(config.PreSharedKeyIdentity)) 759 copy(bytes[2:], []byte(config.PreSharedKeyIdentity)) 760 761 // If there is one, append the base key agreement's 762 // ServerKeyExchange. 763 baseSkx, err := ka.base.generateServerKeyExchange(config, cert, clientHello, hello, version) 764 if err != nil { 765 return nil, err 766 } 767 768 if baseSkx != nil { 769 bytes = append(bytes, baseSkx.key...) 770 } else if config.PreSharedKeyIdentity == "" && !config.Bugs.AlwaysSendPreSharedKeyIdentityHint { 771 // ServerKeyExchange is optional if the identity hint is empty 772 // and there would otherwise be no ServerKeyExchange. 773 return nil, nil 774 } 775 776 skx := new(serverKeyExchangeMsg) 777 skx.key = bytes 778 return skx, nil 779} 780 781func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { 782 // First, process the PSK identity. 783 if len(ckx.ciphertext) < 2 { 784 return nil, errClientKeyExchange 785 } 786 identityLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1]) 787 if 2+identityLen > len(ckx.ciphertext) { 788 return nil, errClientKeyExchange 789 } 790 identity := string(ckx.ciphertext[2 : 2+identityLen]) 791 792 if identity != config.PreSharedKeyIdentity { 793 return nil, errors.New("tls: unexpected identity") 794 } 795 796 if config.PreSharedKey == nil { 797 return nil, errors.New("tls: pre-shared key not configured") 798 } 799 800 // Process the remainder of the ClientKeyExchange to compute the base 801 // pre-master secret. 802 newCkx := new(clientKeyExchangeMsg) 803 newCkx.ciphertext = ckx.ciphertext[2+identityLen:] 804 otherSecret, err := ka.base.processClientKeyExchange(config, cert, newCkx, version) 805 if err != nil { 806 return nil, err 807 } 808 809 if otherSecret == nil { 810 // Special-case for the plain PSK key exchanges. 811 otherSecret = make([]byte, len(config.PreSharedKey)) 812 } 813 return makePSKPremaster(otherSecret, config.PreSharedKey), nil 814} 815 816func (ka *pskKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, skx *serverKeyExchangeMsg) error { 817 if len(skx.key) < 2 { 818 return errServerKeyExchange 819 } 820 identityLen := (int(skx.key[0]) << 8) | int(skx.key[1]) 821 if 2+identityLen > len(skx.key) { 822 return errServerKeyExchange 823 } 824 ka.identityHint = string(skx.key[2 : 2+identityLen]) 825 826 // Process the remainder of the ServerKeyExchange. 827 newSkx := new(serverKeyExchangeMsg) 828 newSkx.key = skx.key[2+identityLen:] 829 return ka.base.processServerKeyExchange(config, clientHello, serverHello, key, newSkx) 830} 831 832func (ka *pskKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { 833 // The server only sends an identity hint but, for purposes of 834 // test code, the server always sends the hint and it is 835 // required to match. 836 if ka.identityHint != config.PreSharedKeyIdentity { 837 return nil, nil, errors.New("tls: unexpected identity") 838 } 839 840 // Serialize the identity. 841 bytes := make([]byte, 2+len(config.PreSharedKeyIdentity)) 842 bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8) 843 bytes[1] = byte(len(config.PreSharedKeyIdentity)) 844 copy(bytes[2:], []byte(config.PreSharedKeyIdentity)) 845 846 // Append the base key exchange's ClientKeyExchange. 847 otherSecret, baseCkx, err := ka.base.generateClientKeyExchange(config, clientHello, cert) 848 if err != nil { 849 return nil, nil, err 850 } 851 ckx := new(clientKeyExchangeMsg) 852 ckx.ciphertext = append(bytes, baseCkx.ciphertext...) 853 854 if config.PreSharedKey == nil { 855 return nil, nil, errors.New("tls: pre-shared key not configured") 856 } 857 if otherSecret == nil { 858 otherSecret = make([]byte, len(config.PreSharedKey)) 859 } 860 return makePSKPremaster(otherSecret, config.PreSharedKey), ckx, nil 861} 862 863func (ka *pskKeyAgreement) peerSignatureAlgorithm() signatureAlgorithm { 864 return 0 865} 866