gitee.com/lh-her-team/common@v1.5.1/crypto/tls/key_schedule.go (about)

     1  // Copyright 2018 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto/elliptic"
     9  	"crypto/hmac"
    10  	"errors"
    11  	"hash"
    12  	"io"
    13  	"math/big"
    14  
    15  	"github.com/tjfoc/gmsm/sm2"
    16  
    17  	"golang.org/x/crypto/cryptobyte"
    18  	"golang.org/x/crypto/curve25519"
    19  	"golang.org/x/crypto/hkdf"
    20  )
    21  
    22  // This file contains the functions necessary to compute the TLS 1.3 key
    23  // schedule. See RFC 8446, Section 7.
    24  
    25  const (
    26  	resumptionBinderLabel         = "res binder"
    27  	clientHandshakeTrafficLabel   = "c hs traffic"
    28  	serverHandshakeTrafficLabel   = "s hs traffic"
    29  	clientApplicationTrafficLabel = "c ap traffic"
    30  	serverApplicationTrafficLabel = "s ap traffic"
    31  	exporterLabel                 = "exp master"
    32  	resumptionLabel               = "res master"
    33  	trafficUpdateLabel            = "traffic upd"
    34  )
    35  
    36  // expandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
    37  func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []byte, length int) []byte {
    38  	var hkdfLabel cryptobyte.Builder
    39  	hkdfLabel.AddUint16(uint16(length))
    40  	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
    41  		b.AddBytes([]byte("tls13 "))
    42  		b.AddBytes([]byte(label))
    43  	})
    44  	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
    45  		b.AddBytes(context)
    46  	})
    47  	out := make([]byte, length)
    48  	n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
    49  	if err != nil || n != length {
    50  		panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
    51  	}
    52  	return out
    53  }
    54  
    55  // deriveSecret implements Derive-Secret from RFC 8446, Section 7.1.
    56  func (c *cipherSuiteTLS13) deriveSecret(secret []byte, label string, transcript hash.Hash) []byte {
    57  	if transcript == nil {
    58  		transcript = c.hash.New()
    59  	}
    60  	return c.expandLabel(secret, label, transcript.Sum(nil), c.hash.Size())
    61  }
    62  
    63  // extract implements HKDF-Extract with the cipher suite hash.
    64  func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
    65  	if newSecret == nil {
    66  		newSecret = make([]byte, c.hash.Size())
    67  	}
    68  	return hkdf.Extract(c.hash.New, newSecret, currentSecret)
    69  }
    70  
    71  // nextTrafficSecret generates the next traffic secret, given the current one,
    72  // according to RFC 8446, Section 7.2.
    73  func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte {
    74  	return c.expandLabel(trafficSecret, trafficUpdateLabel, nil, c.hash.Size())
    75  }
    76  
    77  // trafficKey generates traffic keys according to RFC 8446, Section 7.3.
    78  func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key, iv []byte) {
    79  	key = c.expandLabel(trafficSecret, "key", nil, c.keyLen)
    80  	iv = c.expandLabel(trafficSecret, "iv", nil, aeadNonceLength)
    81  	return
    82  }
    83  
    84  // finishedHash generates the Finished verify_data or PskBinderEntry according
    85  // to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey
    86  // selection.
    87  func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte {
    88  	finishedKey := c.expandLabel(baseKey, "finished", nil, c.hash.Size())
    89  	verifyData := hmac.New(c.hash.New, finishedKey)
    90  	verifyData.Write(transcript.Sum(nil))
    91  	return verifyData.Sum(nil)
    92  }
    93  
    94  // exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to
    95  // RFC 8446, Section 7.5.
    96  func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript hash.Hash) func(string, []byte, int) ([]byte, error) {
    97  	expMasterSecret := c.deriveSecret(masterSecret, exporterLabel, transcript)
    98  	return func(label string, context []byte, length int) ([]byte, error) {
    99  		secret := c.deriveSecret(expMasterSecret, label, nil)
   100  		h := c.hash.New()
   101  		h.Write(context)
   102  		return c.expandLabel(secret, "exporter", h.Sum(nil), length), nil
   103  	}
   104  }
   105  
   106  // ecdheParameters implements Diffie-Hellman with either NIST curves or X25519,
   107  // according to RFC 8446, Section 4.2.8.2.
   108  type ecdheParameters interface {
   109  	CurveID() CurveID
   110  	PublicKey() []byte
   111  	SharedKey(peerPublicKey []byte) []byte
   112  }
   113  
   114  func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) {
   115  	if curveID == X25519 {
   116  		privateKey := make([]byte, curve25519.ScalarSize)
   117  		if _, err := io.ReadFull(rand, privateKey); err != nil {
   118  			return nil, err
   119  		}
   120  		publicKey, err := curve25519.X25519(privateKey, curve25519.Basepoint)
   121  		if err != nil {
   122  			return nil, err
   123  		}
   124  		return &x25519Parameters{privateKey: privateKey, publicKey: publicKey}, nil
   125  	}
   126  	curve, ok := curveForCurveID(curveID)
   127  	if !ok {
   128  		return nil, errors.New("tls: internal error: unsupported curve")
   129  	}
   130  	p := &nistParameters{curveID: curveID}
   131  	var err error
   132  	p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
   133  	if err != nil {
   134  		return nil, err
   135  	}
   136  	return p, nil
   137  }
   138  
   139  func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
   140  	switch id {
   141  	case CurveP256:
   142  		return elliptic.P256(), true
   143  	case CurveP384:
   144  		return elliptic.P384(), true
   145  	case CurveP521:
   146  		return elliptic.P521(), true
   147  	case SM2P256V1:
   148  		return sm2.P256Sm2(), true
   149  	default:
   150  		return nil, false
   151  	}
   152  }
   153  
   154  type nistParameters struct {
   155  	privateKey []byte
   156  	x, y       *big.Int // public key
   157  	curveID    CurveID
   158  }
   159  
   160  func (p *nistParameters) CurveID() CurveID {
   161  	return p.curveID
   162  }
   163  
   164  func (p *nistParameters) PublicKey() []byte {
   165  	curve, _ := curveForCurveID(p.curveID)
   166  	return elliptic.Marshal(curve, p.x, p.y)
   167  }
   168  
   169  func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
   170  	curve, _ := curveForCurveID(p.curveID)
   171  	// Unmarshal also checks whether the given point is on the curve.
   172  	x, y := elliptic.Unmarshal(curve, peerPublicKey)
   173  	if x == nil {
   174  		return nil
   175  	}
   176  	xShared, _ := curve.ScalarMult(x, y, p.privateKey)
   177  	sharedKey := make([]byte, (curve.Params().BitSize+7)>>3)
   178  	xBytes := xShared.Bytes()
   179  	copy(sharedKey[len(sharedKey)-len(xBytes):], xBytes)
   180  	return sharedKey
   181  }
   182  
   183  type x25519Parameters struct {
   184  	privateKey []byte
   185  	publicKey  []byte
   186  }
   187  
   188  func (p *x25519Parameters) CurveID() CurveID {
   189  	return X25519
   190  }
   191  
   192  func (p *x25519Parameters) PublicKey() []byte {
   193  	return p.publicKey[:]
   194  }
   195  
   196  func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte {
   197  	sharedKey, err := curve25519.X25519(p.privateKey, peerPublicKey)
   198  	if err != nil {
   199  		return nil
   200  	}
   201  	return sharedKey
   202  }