| // Copyright 2012 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package runner |
| |
| import ( |
| "crypto/aes" |
| "crypto/cipher" |
| "crypto/hmac" |
| "crypto/sha256" |
| "crypto/subtle" |
| "encoding/binary" |
| "errors" |
| "io" |
| "time" |
| ) |
| |
| // sessionState contains the information that is serialized into a session |
| // ticket in order to later resume a connection. |
| type sessionState struct { |
| vers uint16 |
| cipherSuite uint16 |
| masterSecret []byte |
| handshakeHash []byte |
| certificates [][]byte |
| extendedMasterSecret bool |
| ticketCreationTime time.Time |
| ticketExpiration time.Time |
| ticketFlags uint32 |
| ticketAgeAdd uint32 |
| } |
| |
| func (s *sessionState) marshal() []byte { |
| msg := newByteBuilder() |
| msg.addU16(s.vers) |
| msg.addU16(s.cipherSuite) |
| masterSecret := msg.addU16LengthPrefixed() |
| masterSecret.addBytes(s.masterSecret) |
| handshakeHash := msg.addU16LengthPrefixed() |
| handshakeHash.addBytes(s.handshakeHash) |
| msg.addU16(uint16(len(s.certificates))) |
| for _, cert := range s.certificates { |
| certMsg := msg.addU32LengthPrefixed() |
| certMsg.addBytes(cert) |
| } |
| |
| if s.extendedMasterSecret { |
| msg.addU8(1) |
| } else { |
| msg.addU8(0) |
| } |
| |
| if s.vers >= VersionTLS13 { |
| msg.addU64(uint64(s.ticketCreationTime.UnixNano())) |
| msg.addU64(uint64(s.ticketExpiration.UnixNano())) |
| msg.addU32(s.ticketFlags) |
| msg.addU32(s.ticketAgeAdd) |
| } |
| |
| return msg.finish() |
| } |
| |
| func (s *sessionState) unmarshal(data []byte) bool { |
| if len(data) < 8 { |
| return false |
| } |
| |
| s.vers = uint16(data[0])<<8 | uint16(data[1]) |
| s.cipherSuite = uint16(data[2])<<8 | uint16(data[3]) |
| masterSecretLen := int(data[4])<<8 | int(data[5]) |
| data = data[6:] |
| if len(data) < masterSecretLen { |
| return false |
| } |
| |
| s.masterSecret = data[:masterSecretLen] |
| data = data[masterSecretLen:] |
| |
| if len(data) < 2 { |
| return false |
| } |
| |
| handshakeHashLen := int(data[0])<<8 | int(data[1]) |
| data = data[2:] |
| if len(data) < handshakeHashLen { |
| return false |
| } |
| |
| s.handshakeHash = data[:handshakeHashLen] |
| data = data[handshakeHashLen:] |
| |
| if len(data) < 2 { |
| return false |
| } |
| |
| numCerts := int(data[0])<<8 | int(data[1]) |
| data = data[2:] |
| |
| s.certificates = make([][]byte, numCerts) |
| for i := range s.certificates { |
| if len(data) < 4 { |
| return false |
| } |
| certLen := int(data[0])<<24 | int(data[1])<<16 | int(data[2])<<8 | int(data[3]) |
| data = data[4:] |
| if certLen < 0 { |
| return false |
| } |
| if len(data) < certLen { |
| return false |
| } |
| s.certificates[i] = data[:certLen] |
| data = data[certLen:] |
| } |
| |
| if len(data) < 1 { |
| return false |
| } |
| |
| s.extendedMasterSecret = false |
| if data[0] == 1 { |
| s.extendedMasterSecret = true |
| } |
| data = data[1:] |
| |
| if s.vers >= VersionTLS13 { |
| if len(data) < 24 { |
| return false |
| } |
| s.ticketCreationTime = time.Unix(0, int64(binary.BigEndian.Uint64(data))) |
| data = data[8:] |
| s.ticketExpiration = time.Unix(0, int64(binary.BigEndian.Uint64(data))) |
| data = data[8:] |
| s.ticketFlags = binary.BigEndian.Uint32(data) |
| data = data[4:] |
| s.ticketAgeAdd = binary.BigEndian.Uint32(data) |
| data = data[4:] |
| } |
| |
| if len(data) > 0 { |
| return false |
| } |
| |
| return true |
| } |
| |
| func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) { |
| serialized := state.marshal() |
| encrypted := make([]byte, aes.BlockSize+len(serialized)+sha256.Size) |
| iv := encrypted[:aes.BlockSize] |
| macBytes := encrypted[len(encrypted)-sha256.Size:] |
| |
| if _, err := io.ReadFull(c.config.rand(), iv); err != nil { |
| return nil, err |
| } |
| block, err := aes.NewCipher(c.config.SessionTicketKey[:16]) |
| if err != nil { |
| return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error()) |
| } |
| cipher.NewCTR(block, iv).XORKeyStream(encrypted[aes.BlockSize:], serialized) |
| |
| mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32]) |
| mac.Write(encrypted[:len(encrypted)-sha256.Size]) |
| mac.Sum(macBytes[:0]) |
| |
| return encrypted, nil |
| } |
| |
| func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) { |
| if len(encrypted) < aes.BlockSize+sha256.Size { |
| return nil, false |
| } |
| |
| iv := encrypted[:aes.BlockSize] |
| macBytes := encrypted[len(encrypted)-sha256.Size:] |
| |
| mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32]) |
| mac.Write(encrypted[:len(encrypted)-sha256.Size]) |
| expected := mac.Sum(nil) |
| |
| if subtle.ConstantTimeCompare(macBytes, expected) != 1 { |
| return nil, false |
| } |
| |
| block, err := aes.NewCipher(c.config.SessionTicketKey[:16]) |
| if err != nil { |
| return nil, false |
| } |
| ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size] |
| plaintext := make([]byte, len(ciphertext)) |
| cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext) |
| |
| state := new(sessionState) |
| ok := state.unmarshal(plaintext) |
| return state, ok |
| } |