Commit 6e8184d8 authored by Adam Langley's avatar Adam Langley

crypto/tls (part 1)

Rather than drop everything into a single, huge review, I've included
some simple bits of code here.

R=rsc
CC=go-dev
http://go/go-review/1016029
parent ba1424ba
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
type alertLevel int
type alertType int
const (
alertLevelWarning alertLevel = 1;
alertLevelError alertLevel = 2;
)
const (
alertCloseNotify alertType = 0;
alertUnexpectedMessage alertType = 10;
alertBadRecordMAC alertType = 20;
alertDecryptionFailed alertType = 21;
alertRecordOverflow alertType = 22;
alertDecompressionFailure alertType = 30;
alertHandshakeFailure alertType = 40;
alertBadCertificate alertType = 42;
alertUnsupportedCertificate alertType = 43;
alertCertificateRevoked alertType = 44;
alertCertificateExpired alertType = 45;
alertCertificateUnknown alertType = 46;
alertIllegalParameter alertType = 47;
alertUnknownCA alertType = 48;
alertAccessDenied alertType = 49;
alertDecodeError alertType = 50;
alertDecryptError alertType = 51;
alertProtocolVersion alertType = 70;
alertInsufficientSecurity alertType = 71;
alertInternalError alertType = 80;
alertUserCanceled alertType = 90;
alertNoRenegotiation alertType = 100;
)
type alert struct {
level alertLevel;
error alertType;
}
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
import (
"crypto/rsa";
"io";
"os";
)
const (
// maxTLSCiphertext is the maximum length of a plaintext payload.
maxTLSPlaintext = 16384;
// maxTLSCiphertext is the maximum length payload after compression and encryption.
maxTLSCiphertext = 16384+2048;
// maxHandshakeMsg is the largest single handshake message that we'll buffer.
maxHandshakeMsg = 65536;
)
// TLS record types.
type recordType uint8
const (
recordTypeChangeCipherSpec recordType = 20;
recordTypeAlert recordType = 21;
recordTypeHandshake recordType = 22;
recordTypeApplicationData recordType = 23;
)
// TLS handshake message types.
const (
typeClientHello uint8 = 1;
typeServerHello uint8 = 2;
typeCertificate uint8 = 11;
typeServerHelloDone uint8 = 14;
typeClientKeyExchange uint8 = 16;
typeFinished uint8 = 20;
)
// TLS cipher suites.
var (
TLS_RSA_WITH_RC4_128_SHA uint16 = 5;
)
// TLS compression types.
var (
compressionNone uint8 = 0;
)
type ConnectionState struct {
HandshakeComplete bool;
CipherSuite string;
Error alertType;
}
// A Config structure is used to configure a TLS client or server. After one
// has been passed to a TLS function it must not be modified.
type Config struct {
// Rand provides the source of entropy for nonces and RSA blinding.
Rand io.Reader;
// Time returns the current time as the number of seconds since the epoch.
Time func() int64;
Certificates []Certificate;
}
type Certificate struct {
Certificate [][]byte;
PrivateKey *rsa.PrivateKey;
}
// A TLS record.
type record struct {
contentType recordType;
major, minor uint8;
payload []byte;
}
type handshakeMessage interface {
marshal() []byte;
}
type encryptor interface {
// XORKeyStream xors the contents of the slice with bytes from the key stream.
XORKeyStream(buf []byte);
}
// mutualVersion returns the protocol version to use given the advertised
// version of the peer.
func mutualVersion(theirMajor, theirMinor uint8) (major, minor uint8, ok bool) {
// We don't deal with peers < TLS 1.0 (aka version 3.1).
if theirMajor < 3 || theirMajor == 3 && theirMinor < 1 {
return 0, 0, false;
}
major = 3;
minor = 2;
if theirMinor < minor {
minor = theirMinor;
}
ok = true;
return;
}
// A nop implements the NULL encryption and MAC algorithms.
type nop struct{}
func (nop) XORKeyStream(buf []byte) {}
func (nop) Write(buf []byte) (int, os.Error) {
return len(buf), nil;
}
func (nop) Sum() []byte {
return nil;
}
func (nop) Reset() {}
func (nop) Size() int {
return 0;
}
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
import (
"bytes";
"crypto/hmac";
"crypto/md5";
"crypto/sha1";
"hash";
"os";
"strings";
)
// Split a premaster secret in two as specified in RFC 4346, section 5.
func splitPreMasterSecret(secret []byte) (s1, s2 []byte) {
s1 = secret[0 : (len(secret)+1)/2];
s2 = secret[len(secret)/2 : len(secret)];
return;
}
// pHash implements the P_hash function, as defined in RFC 4346, section 5.
func pHash(result, secret, seed []byte, hash hash.Hash) {
h := hmac.New(hash, secret);
h.Write(seed);
a := h.Sum();
j := 0;
for j < len(result) {
h.Reset();
h.Write(a);
h.Write(seed);
b := h.Sum();
todo := len(b);
if j+todo > len(result) {
todo = len(result)-j;
}
bytes.Copy(result[j : j+todo], b);
j += todo;
h.Reset();
h.Write(a);
a = h.Sum();
}
}
// pRF11 implements the TLS 1.1 pseudo-random function, as defined in RFC 4346, section 5.
func pRF11(result, secret, label, seed []byte) {
hashSHA1 := sha1.New();
hashMD5 := md5.New();
labelAndSeed := make([]byte, len(label)+len(seed));
bytes.Copy(labelAndSeed, label);
bytes.Copy(labelAndSeed[len(label):len(labelAndSeed)], seed);
s1, s2 := splitPreMasterSecret(secret);
pHash(result, s1, labelAndSeed, hashMD5);
result2 := make([]byte, len(result));
pHash(result2, s2, labelAndSeed, hashSHA1);
for i, b := range result2 {
result[i] ^= b;
}
}
const (
tlsRandomLength = 32; // Length of a random nonce in TLS 1.1.
masterSecretLength = 48; // Length of a master secret in TLS 1.1.
finishedVerifyLength = 12; // Length of verify_data in a Finished message.
)
var masterSecretLabel = strings.Bytes("master secret")
var keyExpansionLabel = strings.Bytes("key expansion")
var clientFinishedLabel = strings.Bytes("client finished")
var serverFinishedLabel = strings.Bytes("server finished")
// keysFromPreMasterSecret generates the connection keys from the pre master
// secret, given the lengths of the MAC and cipher keys, as defined in RFC
// 4346, section 6.3.
func keysFromPreMasterSecret11(preMasterSecret, clientRandom, serverRandom []byte, macLen, keyLen int) (masterSecret, clientMAC, serverMAC, clientKey, serverKey []byte) {
var seed [tlsRandomLength * 2]byte;
bytes.Copy(seed[0:len(clientRandom)], clientRandom);
bytes.Copy(seed[len(clientRandom):len(seed)], serverRandom);
masterSecret = make([]byte, masterSecretLength);
pRF11(masterSecret, preMasterSecret, masterSecretLabel, seed[0:len(seed)]);
bytes.Copy(seed[0:len(clientRandom)], serverRandom);
bytes.Copy(seed[len(serverRandom):len(seed)], clientRandom);
n := 2*macLen + 2*keyLen;
keyMaterial := make([]byte, n);
pRF11(keyMaterial, masterSecret, keyExpansionLabel, seed[0:len(seed)]);
clientMAC = keyMaterial[0:macLen];
serverMAC = keyMaterial[macLen : macLen*2];
clientKey = keyMaterial[macLen*2 : macLen*2 + keyLen];
serverKey = keyMaterial[macLen*2 + keyLen : len(keyMaterial)];
return;
}
// A finishedHash calculates the hash of a set of handshake messages suitable
// for including in a Finished message.
type finishedHash struct {
clientMD5 hash.Hash;
clientSHA1 hash.Hash;
serverMD5 hash.Hash;
serverSHA1 hash.Hash;
}
func newFinishedHash() finishedHash {
return finishedHash{md5.New(), sha1.New(), md5.New(), sha1.New()};
}
func (h finishedHash) Write(msg []byte) (n int, err os.Error) {
h.clientMD5.Write(msg);
h.clientSHA1.Write(msg);
h.serverMD5.Write(msg);
h.serverSHA1.Write(msg);
return len(msg), nil;
}
// finishedSum calculates the contents of the verify_data member of a Finished
// message given the MD5 and SHA1 hashes of a set of handshake messages.
func finishedSum(md5, sha1, label, masterSecret []byte) []byte {
seed := make([]byte, len(md5)+len(sha1));
bytes.Copy(seed, md5);
bytes.Copy(seed[len(md5):len(seed)], sha1);
out := make([]byte, finishedVerifyLength);
pRF11(out, masterSecret, label, seed);
return out;
}
// clientSum returns the contents of the verify_data member of a client's
// Finished message.
func (h finishedHash) clientSum(masterSecret []byte) []byte {
md5 := h.clientMD5.Sum();
sha1 := h.clientSHA1.Sum();
return finishedSum(md5, sha1, clientFinishedLabel, masterSecret);
}
// serverSum returns the contents of the verify_data member of a server's
// Finished message.
func (h finishedHash) serverSum(masterSecret []byte) []byte {
md5 := h.serverMD5.Sum();
sha1 := h.serverSHA1.Sum();
return finishedSum(md5, sha1, serverFinishedLabel, masterSecret);
}
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
import (
"encoding/hex";
"testing";
)
type testSplitPreMasterSecretTest struct {
in, out1, out2 string;
}
var testSplitPreMasterSecretTests = []testSplitPreMasterSecretTest{
testSplitPreMasterSecretTest{"", "", ""},
testSplitPreMasterSecretTest{"00", "00", "00"},
testSplitPreMasterSecretTest{"0011", "00", "11"},
testSplitPreMasterSecretTest{"001122", "0011", "1122"},
testSplitPreMasterSecretTest{"00112233", "0011", "2233"},
}
func TestSplitPreMasterSecret(t *testing.T) {
for i, test := range testSplitPreMasterSecretTests {
in, _ := hex.DecodeString(test.in);
out1, out2 := splitPreMasterSecret(in);
s1 := hex.EncodeToString(out1);
s2 := hex.EncodeToString(out2);
if s1 != test.out1 || s2 != test.out2 {
t.Errorf("#%d: got: (%s, %s) want: (%s, %s)", i, s1, s2, test.out1, test.out2);
}
}
}
type testKeysFromTest struct {
preMasterSecret string;
clientRandom, serverRandom string;
masterSecret string;
clientMAC, serverMAC string;
clientKey, serverKey string;
macLen, keyLen int;
}
func TestKeysFromPreMasterSecret(t *testing.T) {
for i, test := range testKeysFromTests {
in, _ := hex.DecodeString(test.preMasterSecret);
clientRandom, _ := hex.DecodeString(test.clientRandom);
serverRandom, _ := hex.DecodeString(test.serverRandom);
master, clientMAC, serverMAC, clientKey, serverKey := keysFromPreMasterSecret11(in, clientRandom, serverRandom, test.macLen, test.keyLen);
masterString := hex.EncodeToString(master);
clientMACString := hex.EncodeToString(clientMAC);
serverMACString := hex.EncodeToString(serverMAC);
clientKeyString := hex.EncodeToString(clientKey);
serverKeyString := hex.EncodeToString(serverKey);
if masterString != test.masterSecret ||
clientMACString != test.clientMAC ||
serverMACString != test.serverMAC ||
clientKeyString != test.clientKey ||
serverKeyString != test.serverKey {
t.Errorf("#%d: got: (%s, %s, %s, %s, %s) want: (%s, %s, %s, %s %s)", i, masterString, clientMACString, serverMACString, clientKeyString, serverMACString, test.masterSecret, test.clientMAC, test.serverMAC, test.clientKey, test.serverKey);
}
}
}
// These test vectors were generated from GnuTLS using `gnutls-cli --insecure -d 9 `
var testKeysFromTests = []testKeysFromTest{
testKeysFromTest{
"0302cac83ad4b1db3b9ab49ad05957de2a504a634a386fc600889321e1a971f57479466830ac3e6f468e87f5385fa0c5",
"4ae66303755184a3917fcb44880605fcc53baa01912b22ed94473fc69cebd558",
"4ae663020ec16e6bb5130be918cfcafd4d765979a3136a5d50c593446e4e44db",
"3d851bab6e5556e959a16bc36d66cfae32f672bfa9ecdef6096cbb1b23472df1da63dbbd9827606413221d149ed08ceb",
"805aaa19b3d2c0a0759a4b6c9959890e08480119",
"2d22f9fe519c075c16448305ceee209fc24ad109",
"d50b5771244f850cd8117a9ccafe2cf1",
"e076e33206b30507a85c32855acd0919",
20,
16,
},
testKeysFromTest{
"03023f7527316bc12cbcd69e4b9e8275d62c028f27e65c745cfcddc7ce01bd3570a111378b63848127f1c36e5f9e4890",
"4ae66364b5ea56b20ce4e25555aed2d7e67f42788dd03f3fee4adae0459ab106",
"4ae66363ab815cbf6a248b87d6b556184e945e9b97fbdf247858b0bdafacfa1c",
"7d64be7c80c59b740200b4b9c26d0baaa1c5ae56705acbcf2307fe62beb4728c19392c83f20483801cce022c77645460",
"97742ed60a0554ca13f04f97ee193177b971e3b0",
"37068751700400e03a8477a5c7eec0813ab9e0dc",
"207cddbc600d2a200abac6502053ee5c",
"df3f94f6e1eacc753b815fe16055cd43",
20,
16,
},
testKeysFromTest{
"832d515f1d61eebb2be56ba0ef79879efb9b527504abb386fb4310ed5d0e3b1f220d3bb6b455033a2773e6d8bdf951d278a187482b400d45deb88a5d5a6bb7d6a7a1decc04eb9ef0642876cd4a82d374d3b6ff35f0351dc5d411104de431375355addc39bfb1f6329fb163b0bc298d658338930d07d313cd980a7e3d9196cac1",
"4ae663b2ee389c0de147c509d8f18f5052afc4aaf9699efe8cb05ece883d3a5e",
"4ae664d503fd4cff50cfc1fb8fc606580f87b0fcdac9554ba0e01d785bdf278e",
"1aff2e7a2c4279d0126f57a65a77a8d9d0087cf2733366699bec27eb53d5740705a8574bb1acc2abbe90e44f0dd28d6c",
"3c7647c93c1379a31a609542aa44e7f117a70085",
"0d73102994be74a575a3ead8532590ca32a526d4",
"ac7581b0b6c10d85bbd905ffbf36c65e",
"ff07edde49682b45466bd2e39464b306",
20,
16,
},
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment