2018-01-03 19:19:49 +00:00
|
|
|
package mint
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto"
|
|
|
|
"crypto/x509"
|
|
|
|
"encoding/binary"
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/bifurcation/mint/syntax"
|
|
|
|
)
|
|
|
|
|
|
|
|
type HandshakeMessageBody interface {
|
|
|
|
Type() HandshakeType
|
|
|
|
Marshal() ([]byte, error)
|
|
|
|
Unmarshal(data []byte) (int, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
|
|
|
|
// Random random;
|
|
|
|
// opaque legacy_session_id<0..32>;
|
|
|
|
// CipherSuite cipher_suites<2..2^16-2>;
|
|
|
|
// opaque legacy_compression_methods<1..2^8-1>;
|
|
|
|
// Extension extensions<0..2^16-1>;
|
|
|
|
// } ClientHello;
|
|
|
|
type ClientHelloBody struct {
|
2018-01-17 04:32:31 +00:00
|
|
|
LegacyVersion uint16
|
2018-01-03 19:19:49 +00:00
|
|
|
Random [32]byte
|
|
|
|
LegacySessionID []byte
|
|
|
|
CipherSuites []CipherSuite
|
|
|
|
Extensions ExtensionList
|
|
|
|
}
|
|
|
|
|
2018-01-17 04:32:31 +00:00
|
|
|
type clientHelloBodyInnerTLS struct {
|
2018-01-03 19:19:49 +00:00
|
|
|
LegacyVersion uint16
|
|
|
|
Random [32]byte
|
|
|
|
LegacySessionID []byte `tls:"head=1,max=32"`
|
|
|
|
CipherSuites []CipherSuite `tls:"head=2,min=2"`
|
|
|
|
LegacyCompressionMethods []byte `tls:"head=1,min=1"`
|
|
|
|
Extensions []Extension `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
2018-01-17 04:32:31 +00:00
|
|
|
type clientHelloBodyInnerDTLS struct {
|
|
|
|
LegacyVersion uint16
|
|
|
|
Random [32]byte
|
|
|
|
LegacySessionID []byte `tls:"head=1,max=32"`
|
|
|
|
EmptyCookie uint8
|
|
|
|
CipherSuites []CipherSuite `tls:"head=2,min=2"`
|
|
|
|
LegacyCompressionMethods []byte `tls:"head=1,min=1"`
|
|
|
|
Extensions []Extension `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
2018-01-03 19:19:49 +00:00
|
|
|
func (ch ClientHelloBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeClientHello
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ch ClientHelloBody) Marshal() ([]byte, error) {
|
2018-01-17 04:32:31 +00:00
|
|
|
if ch.LegacyVersion == tls12Version {
|
|
|
|
return syntax.Marshal(clientHelloBodyInnerTLS{
|
|
|
|
LegacyVersion: ch.LegacyVersion,
|
|
|
|
Random: ch.Random,
|
|
|
|
LegacySessionID: []byte{},
|
|
|
|
CipherSuites: ch.CipherSuites,
|
|
|
|
LegacyCompressionMethods: []byte{0},
|
|
|
|
Extensions: ch.Extensions,
|
|
|
|
})
|
|
|
|
} else {
|
|
|
|
return syntax.Marshal(clientHelloBodyInnerDTLS{
|
|
|
|
LegacyVersion: ch.LegacyVersion,
|
|
|
|
Random: ch.Random,
|
|
|
|
LegacySessionID: []byte{},
|
|
|
|
CipherSuites: ch.CipherSuites,
|
|
|
|
LegacyCompressionMethods: []byte{0},
|
|
|
|
Extensions: ch.Extensions,
|
|
|
|
})
|
2018-01-03 19:19:49 +00:00
|
|
|
}
|
|
|
|
|
2018-01-17 04:32:31 +00:00
|
|
|
}
|
2018-01-03 19:19:49 +00:00
|
|
|
|
2018-01-17 04:32:31 +00:00
|
|
|
func (ch *ClientHelloBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
var read int
|
|
|
|
var err error
|
|
|
|
|
|
|
|
// Note that this might be 0, in which case we do TLS. That
|
|
|
|
// makes the tests easier.
|
|
|
|
if ch.LegacyVersion != dtls12WireVersion {
|
|
|
|
var inner clientHelloBodyInnerTLS
|
|
|
|
read, err = syntax.Unmarshal(data, &inner)
|
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(inner.LegacyCompressionMethods) != 1 || inner.LegacyCompressionMethods[0] != 0 {
|
|
|
|
return 0, fmt.Errorf("tls.clienthello: Invalid compression method")
|
|
|
|
}
|
|
|
|
|
|
|
|
ch.LegacyVersion = inner.LegacyVersion
|
|
|
|
ch.Random = inner.Random
|
|
|
|
ch.LegacySessionID = inner.LegacySessionID
|
|
|
|
ch.CipherSuites = inner.CipherSuites
|
|
|
|
ch.Extensions = inner.Extensions
|
|
|
|
} else {
|
|
|
|
var inner clientHelloBodyInnerDTLS
|
|
|
|
read, err = syntax.Unmarshal(data, &inner)
|
|
|
|
if err != nil {
|
|
|
|
return 0, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if inner.EmptyCookie != 0 {
|
|
|
|
return 0, fmt.Errorf("tls.clienthello: Invalid cookie")
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(inner.LegacyCompressionMethods) != 1 || inner.LegacyCompressionMethods[0] != 0 {
|
|
|
|
return 0, fmt.Errorf("tls.clienthello: Invalid compression method")
|
|
|
|
}
|
|
|
|
|
|
|
|
ch.LegacyVersion = inner.LegacyVersion
|
|
|
|
ch.Random = inner.Random
|
|
|
|
ch.LegacySessionID = inner.LegacySessionID
|
|
|
|
ch.CipherSuites = inner.CipherSuites
|
|
|
|
ch.Extensions = inner.Extensions
|
2018-01-03 19:19:49 +00:00
|
|
|
}
|
|
|
|
return read, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: File a spec bug to clarify this
|
|
|
|
func (ch ClientHelloBody) Truncated() ([]byte, error) {
|
|
|
|
if len(ch.Extensions) == 0 {
|
|
|
|
return nil, fmt.Errorf("tls.clienthello.truncate: No extensions")
|
|
|
|
}
|
|
|
|
|
|
|
|
pskExt := ch.Extensions[len(ch.Extensions)-1]
|
|
|
|
if pskExt.ExtensionType != ExtensionTypePreSharedKey {
|
|
|
|
return nil, fmt.Errorf("tls.clienthello.truncate: Last extension is not PSK")
|
|
|
|
}
|
|
|
|
|
|
|
|
body, err := ch.Marshal()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
chm := &HandshakeMessage{
|
|
|
|
msgType: ch.Type(),
|
|
|
|
body: body,
|
|
|
|
length: uint32(len(body)),
|
|
|
|
}
|
|
|
|
chData := chm.Marshal()
|
|
|
|
|
|
|
|
psk := PreSharedKeyExtension{
|
|
|
|
HandshakeType: HandshakeTypeClientHello,
|
|
|
|
}
|
|
|
|
_, err = psk.Unmarshal(pskExt.ExtensionData)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Marshal just the binders so that we know how much to truncate
|
|
|
|
binders := struct {
|
|
|
|
Binders []PSKBinderEntry `tls:"head=2,min=33"`
|
|
|
|
}{Binders: psk.Binders}
|
|
|
|
binderData, _ := syntax.Marshal(binders)
|
|
|
|
binderLen := len(binderData)
|
|
|
|
|
|
|
|
chLen := len(chData)
|
|
|
|
return chData[:chLen-binderLen], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
|
|
|
|
// Random random;
|
|
|
|
// opaque legacy_session_id_echo<0..32>;
|
|
|
|
// CipherSuite cipher_suite;
|
|
|
|
// uint8 legacy_compression_method = 0;
|
|
|
|
// Extension extensions<6..2^16-1>;
|
|
|
|
// } ServerHello;
|
|
|
|
type ServerHelloBody struct {
|
|
|
|
Version uint16
|
|
|
|
Random [32]byte
|
|
|
|
LegacySessionID []byte `tls:"head=1,max=32"`
|
|
|
|
CipherSuite CipherSuite
|
|
|
|
LegacyCompressionMethod uint8
|
|
|
|
Extensions ExtensionList `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sh ServerHelloBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeServerHello
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sh ServerHelloBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(sh)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sh *ServerHelloBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, sh)
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// opaque verify_data[verify_data_length];
|
|
|
|
// } Finished;
|
|
|
|
//
|
|
|
|
// verifyDataLen is not a field in the TLS struct, but we add it here so
|
|
|
|
// that calling code can tell us how much data to expect when we marshal /
|
|
|
|
// unmarshal. (We could add this to the marshal/unmarshal methods, but let's
|
|
|
|
// try to keep the signature consistent for now.)
|
|
|
|
//
|
|
|
|
// For similar reasons, we don't use the `syntax` module here, because this
|
|
|
|
// struct doesn't map well to standard TLS presentation language concepts.
|
|
|
|
//
|
|
|
|
// TODO: File a spec bug
|
|
|
|
type FinishedBody struct {
|
|
|
|
VerifyDataLen int
|
|
|
|
VerifyData []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
func (fin FinishedBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeFinished
|
|
|
|
}
|
|
|
|
|
|
|
|
func (fin FinishedBody) Marshal() ([]byte, error) {
|
|
|
|
if len(fin.VerifyData) != fin.VerifyDataLen {
|
|
|
|
return nil, fmt.Errorf("tls.finished: data length mismatch")
|
|
|
|
}
|
|
|
|
|
|
|
|
body := make([]byte, len(fin.VerifyData))
|
|
|
|
copy(body, fin.VerifyData)
|
|
|
|
return body, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (fin *FinishedBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
if len(data) < fin.VerifyDataLen {
|
|
|
|
return 0, fmt.Errorf("tls.finished: Malformed finished; too short")
|
|
|
|
}
|
|
|
|
|
|
|
|
fin.VerifyData = make([]byte, fin.VerifyDataLen)
|
|
|
|
copy(fin.VerifyData, data[:fin.VerifyDataLen])
|
|
|
|
return fin.VerifyDataLen, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// Extension extensions<0..2^16-1>;
|
|
|
|
// } EncryptedExtensions;
|
|
|
|
//
|
|
|
|
// Marshal() and Unmarshal() are handled by ExtensionList
|
|
|
|
type EncryptedExtensionsBody struct {
|
|
|
|
Extensions ExtensionList `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ee EncryptedExtensionsBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeEncryptedExtensions
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ee EncryptedExtensionsBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(ee)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ee *EncryptedExtensionsBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, ee)
|
|
|
|
}
|
|
|
|
|
|
|
|
// opaque ASN1Cert<1..2^24-1>;
|
|
|
|
//
|
|
|
|
// struct {
|
|
|
|
// ASN1Cert cert_data;
|
|
|
|
// Extension extensions<0..2^16-1>
|
|
|
|
// } CertificateEntry;
|
|
|
|
//
|
|
|
|
// struct {
|
|
|
|
// opaque certificate_request_context<0..2^8-1>;
|
|
|
|
// CertificateEntry certificate_list<0..2^24-1>;
|
|
|
|
// } Certificate;
|
|
|
|
type CertificateEntry struct {
|
|
|
|
CertData *x509.Certificate
|
|
|
|
Extensions ExtensionList
|
|
|
|
}
|
|
|
|
|
|
|
|
type CertificateBody struct {
|
|
|
|
CertificateRequestContext []byte
|
|
|
|
CertificateList []CertificateEntry
|
|
|
|
}
|
|
|
|
|
|
|
|
type certificateEntryInner struct {
|
|
|
|
CertData []byte `tls:"head=3,min=1"`
|
|
|
|
Extensions ExtensionList `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type certificateBodyInner struct {
|
|
|
|
CertificateRequestContext []byte `tls:"head=1"`
|
|
|
|
CertificateList []certificateEntryInner `tls:"head=3"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c CertificateBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeCertificate
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c CertificateBody) Marshal() ([]byte, error) {
|
|
|
|
inner := certificateBodyInner{
|
|
|
|
CertificateRequestContext: c.CertificateRequestContext,
|
|
|
|
CertificateList: make([]certificateEntryInner, len(c.CertificateList)),
|
|
|
|
}
|
|
|
|
|
|
|
|
for i, entry := range c.CertificateList {
|
|
|
|
inner.CertificateList[i] = certificateEntryInner{
|
|
|
|
CertData: entry.CertData.Raw,
|
|
|
|
Extensions: entry.Extensions,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return syntax.Marshal(inner)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *CertificateBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
inner := certificateBodyInner{}
|
|
|
|
read, err := syntax.Unmarshal(data, &inner)
|
|
|
|
if err != nil {
|
|
|
|
return read, err
|
|
|
|
}
|
|
|
|
|
|
|
|
c.CertificateRequestContext = inner.CertificateRequestContext
|
|
|
|
c.CertificateList = make([]CertificateEntry, len(inner.CertificateList))
|
|
|
|
|
|
|
|
for i, entry := range inner.CertificateList {
|
|
|
|
c.CertificateList[i].CertData, err = x509.ParseCertificate(entry.CertData)
|
|
|
|
if err != nil {
|
|
|
|
return 0, fmt.Errorf("tls:certificate: Certificate failed to parse: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.CertificateList[i].Extensions = entry.Extensions
|
|
|
|
}
|
|
|
|
|
|
|
|
return read, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// SignatureScheme algorithm;
|
|
|
|
// opaque signature<0..2^16-1>;
|
|
|
|
// } CertificateVerify;
|
|
|
|
type CertificateVerifyBody struct {
|
|
|
|
Algorithm SignatureScheme
|
|
|
|
Signature []byte `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv CertificateVerifyBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeCertificateVerify
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv CertificateVerifyBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(cv)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv *CertificateVerifyBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, cv)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv *CertificateVerifyBody) EncodeSignatureInput(data []byte) []byte {
|
|
|
|
// TODO: Change context for client auth
|
|
|
|
// TODO: Put this in a const
|
|
|
|
const context = "TLS 1.3, server CertificateVerify"
|
|
|
|
sigInput := bytes.Repeat([]byte{0x20}, 64)
|
|
|
|
sigInput = append(sigInput, []byte(context)...)
|
|
|
|
sigInput = append(sigInput, []byte{0}...)
|
|
|
|
sigInput = append(sigInput, data...)
|
|
|
|
return sigInput
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv *CertificateVerifyBody) Sign(privateKey crypto.Signer, handshakeHash []byte) (err error) {
|
|
|
|
sigInput := cv.EncodeSignatureInput(handshakeHash)
|
|
|
|
cv.Signature, err = sign(cv.Algorithm, privateKey, sigInput)
|
|
|
|
logf(logTypeHandshake, "Signed: alg=[%04x] sigInput=[%x], sig=[%x]", cv.Algorithm, sigInput, cv.Signature)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cv *CertificateVerifyBody) Verify(publicKey crypto.PublicKey, handshakeHash []byte) error {
|
|
|
|
sigInput := cv.EncodeSignatureInput(handshakeHash)
|
|
|
|
logf(logTypeHandshake, "About to verify: alg=[%04x] sigInput=[%x], sig=[%x]", cv.Algorithm, sigInput, cv.Signature)
|
|
|
|
return verify(cv.Algorithm, publicKey, sigInput, cv.Signature)
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// opaque certificate_request_context<0..2^8-1>;
|
|
|
|
// Extension extensions<2..2^16-1>;
|
|
|
|
// } CertificateRequest;
|
|
|
|
type CertificateRequestBody struct {
|
|
|
|
CertificateRequestContext []byte `tls:"head=1"`
|
|
|
|
Extensions ExtensionList `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cr CertificateRequestBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeCertificateRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cr CertificateRequestBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(cr)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (cr *CertificateRequestBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, cr)
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {
|
|
|
|
// uint32 ticket_lifetime;
|
|
|
|
// uint32 ticket_age_add;
|
|
|
|
// opaque ticket_nonce<1..255>;
|
|
|
|
// opaque ticket<1..2^16-1>;
|
|
|
|
// Extension extensions<0..2^16-2>;
|
|
|
|
// } NewSessionTicket;
|
|
|
|
type NewSessionTicketBody struct {
|
|
|
|
TicketLifetime uint32
|
|
|
|
TicketAgeAdd uint32
|
|
|
|
TicketNonce []byte `tls:"head=1,min=1"`
|
|
|
|
Ticket []byte `tls:"head=2,min=1"`
|
|
|
|
Extensions ExtensionList `tls:"head=2"`
|
|
|
|
}
|
|
|
|
|
|
|
|
const ticketNonceLen = 16
|
|
|
|
|
|
|
|
func NewSessionTicket(ticketLen int, ticketLifetime uint32) (*NewSessionTicketBody, error) {
|
|
|
|
buf := make([]byte, 4+ticketNonceLen+ticketLen)
|
|
|
|
_, err := prng.Read(buf)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
tkt := &NewSessionTicketBody{
|
|
|
|
TicketLifetime: ticketLifetime,
|
|
|
|
TicketAgeAdd: binary.BigEndian.Uint32(buf[:4]),
|
|
|
|
TicketNonce: buf[4 : 4+ticketNonceLen],
|
|
|
|
Ticket: buf[4+ticketNonceLen:],
|
|
|
|
}
|
|
|
|
|
|
|
|
return tkt, err
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tkt NewSessionTicketBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeNewSessionTicket
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tkt NewSessionTicketBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(tkt)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tkt *NewSessionTicketBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, tkt)
|
|
|
|
}
|
|
|
|
|
|
|
|
// enum {
|
|
|
|
// update_not_requested(0), update_requested(1), (255)
|
|
|
|
// } KeyUpdateRequest;
|
|
|
|
//
|
|
|
|
// struct {
|
|
|
|
// KeyUpdateRequest request_update;
|
|
|
|
// } KeyUpdate;
|
|
|
|
type KeyUpdateBody struct {
|
|
|
|
KeyUpdateRequest KeyUpdateRequest
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ku KeyUpdateBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeKeyUpdate
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ku KeyUpdateBody) Marshal() ([]byte, error) {
|
|
|
|
return syntax.Marshal(ku)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ku *KeyUpdateBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return syntax.Unmarshal(data, ku)
|
|
|
|
}
|
|
|
|
|
|
|
|
// struct {} EndOfEarlyData;
|
|
|
|
type EndOfEarlyDataBody struct{}
|
|
|
|
|
|
|
|
func (eoed EndOfEarlyDataBody) Type() HandshakeType {
|
|
|
|
return HandshakeTypeEndOfEarlyData
|
|
|
|
}
|
|
|
|
|
|
|
|
func (eoed EndOfEarlyDataBody) Marshal() ([]byte, error) {
|
|
|
|
return []byte{}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (eoed *EndOfEarlyDataBody) Unmarshal(data []byte) (int, error) {
|
|
|
|
return 0, nil
|
|
|
|
}
|