fix(tls): TLS12 ecdh params

Author: developStorm

tls/key_agreement.go

@@ -8,6 +8,7 @@ import (
 	"crypto"
 	"crypto/dsa"
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/md5"
 	"crypto/rand"
 	"crypto/rsa"
@@ -33,20 +34,6 @@ type keyAgreementAuthentication interface {
 	verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) ([]byte, error)
 }
 
-// nilKeyAgreementAuthentication does not authenticate the key
-// agreement parameters.
-type nilKeyAgreementAuthentication struct{}
-
-func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {
-	skx := new(serverKeyExchangeMsg)
-	skx.key = params
-	return skx, nil
-}
-
-func (ka *nilKeyAgreementAuthentication) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, params []byte, sig []byte) ([]byte, error) {
-	return nil, nil
-}
-
 // signedKeyAgreement signs the ServerKeyExchange parameters with the
 // server's private key.
 type signedKeyAgreement struct {
@@ -382,7 +369,8 @@ func pickTLS12HashForSignature(sigType uint8, clientList, serverList []SigAndHas
 // pre-master secret is then calculated using ECDH. The signature may
 // be ECDSA, Ed25519 or RSA.
 type ecdheKeyAgreement struct {
-	auth keyAgreementAuthentication
+	auth         keyAgreementAuthentication
+	serverParams ecdheParameters
 
 	version uint16
 	isRSA   bool
@@ -417,6 +405,7 @@ func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Cer
 		return nil, err
 	}
 	ka.params = params
+	ka.serverParams.Clone()
 
 	// See RFC 4492, Section 5.4.
 	ecdhePublic := params.PublicKey()
@@ -495,6 +484,20 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
 		return nil, errClientKeyExchange
 	}
 
+	// This part is solely for logging purposes. Later in MakeLog(), we only have access to ka.params
+	// for the client key exchange parameters. We need to store the client's public key here
+	// to make the log later. The Go TLS library doesn't store the parsed client public key anywhere.
+	ka.params = nil
+	if ka.serverParams.CurveID() == X25519 {
+		ka.params = &x25519Parameters{publicKey: ckx.ciphertext[1:]}
+	} else {
+		curve, ok := curveForCurveID(ka.serverParams.CurveID())
+		if ok {
+			x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:])
+			ka.params = &nistParameters{x: x, y: y, curveID: ka.serverParams.CurveID()}
+		}
+	}
+
 	return preMasterSecret, nil
 }
 
@@ -519,8 +522,15 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
 		return errServerKeyExchange
 	}
 
-	if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
+	if curve, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
 		return errors.New("tls: server selected unsupported curve")
+	} else {
+		if curveID == X25519 {
+			ka.serverParams = &x25519Parameters{publicKey: publicKey}
+		} else {
+			x, y := elliptic.Unmarshal(curve, publicKey)
+			ka.serverParams = &nistParameters{x: x, y: y, curveID: curveID}
+		}
 	}
 
 	params, err := generateECDHEParameters(config.rand(), curveID)

tls/key_schedule.go

@@ -12,6 +12,7 @@ import (
 	"io"
 	"math/big"
 
+	jsonKeys "github.com/zmap/zcrypto/json"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/hkdf"
@@ -107,6 +108,9 @@ type ecdheParameters interface {
 	CurveID() CurveID
 	PublicKey() []byte
 	SharedKey(peerPublicKey []byte) []byte
+
+	Clone() ecdheParameters
+	MakeLog() (*jsonKeys.ECPoint, *jsonKeys.ECDHPrivateParams)
 }
 
 func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) {
@@ -177,6 +181,49 @@ func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
 	return xShared.FillBytes(sharedKey)
 }
 
+func (p *nistParameters) Clone() ecdheParameters {
+	clone := *p
+
+	if p.privateKey != nil {
+		clone.privateKey = make([]byte, len(p.privateKey))
+		copy(clone.privateKey, p.privateKey)
+	}
+
+	if p.x != nil {
+		clone.x = new(big.Int).Set(p.x)
+	}
+
+	if p.y != nil {
+		clone.y = new(big.Int).Set(p.y)
+	}
+
+	return &clone
+}
+
+func (p *nistParameters) MakeLog() (*jsonKeys.ECPoint, *jsonKeys.ECDHPrivateParams) {
+	public := new(jsonKeys.ECPoint)
+
+	if p.x != nil {
+		public.X = new(big.Int)
+		public.X.Set(p.x)
+	}
+
+	if p.y != nil {
+		public.Y = new(big.Int)
+		public.Y.Set(p.y)
+	}
+
+	var private *jsonKeys.ECDHPrivateParams
+	if len(p.privateKey) > 0 {
+		private = new(jsonKeys.ECDHPrivateParams)
+		private.Length = len(p.privateKey)
+		private.Value = make([]byte, len(p.privateKey))
+		copy(private.Value, p.privateKey)
+	}
+
+	return public, private
+}
+
 type x25519Parameters struct {
 	privateKey []byte
 	publicKey  []byte
@@ -197,3 +244,38 @@ func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte {
 	}
 	return sharedKey
 }
+
+func (p *x25519Parameters) Clone() ecdheParameters {
+	clone := *p
+
+	if p.privateKey != nil {
+		clone.privateKey = make([]byte, len(p.privateKey))
+		copy(clone.privateKey, p.privateKey)
+	}
+
+	if p.publicKey != nil {
+		clone.publicKey = make([]byte, len(p.publicKey))
+		copy(clone.publicKey, p.publicKey)
+	}
+
+	return &clone
+}
+
+func (p *x25519Parameters) MakeLog() (*jsonKeys.ECPoint, *jsonKeys.ECDHPrivateParams) {
+	public := new(jsonKeys.ECPoint)
+
+	if p.publicKey != nil {
+		public.X = new(big.Int)
+		public.X.SetBytes(p.publicKey)
+	}
+
+	var private *jsonKeys.ECDHPrivateParams
+	if len(p.privateKey) > 0 {
+		private = new(jsonKeys.ECDHPrivateParams)
+		private.Length = len(p.privateKey)
+		private.Value = make([]byte, len(p.privateKey))
+		copy(private.Value, p.privateKey)
+	}
+
+	return public, private
+}

tls/tls_ka.go

@@ -90,54 +90,24 @@ func (ka *signedKeyAgreement) Signature() *DigitalSignature {
 
 func (ka *rsaKeyAgreement) RSAParams() *jsonKeys.RSAPublicKey {
 	out := new(jsonKeys.RSAPublicKey)
-	//out.PublicKey = ka.publicKey
 	return out
 }
 
 func (ka *ecdheKeyAgreement) ECDHParams() *jsonKeys.ECDHParams {
 	out := new(jsonKeys.ECDHParams)
-	out.TLSCurveID = jsonKeys.TLSCurveID(ka.params.CurveID())
-	out.ServerPublic = &jsonKeys.ECPoint{}
-	/*
-		if ka.x != nil {
-			out.ServerPublic.X = new(big.Int)
-			out.ServerPublic.X.Set(ka.x)
-		}
-		if ka.y != nil {
-			out.ServerPublic.Y = new(big.Int)
-			out.ServerPublic.Y.Set(ka.y)
-		}
-		if len(ka.serverPrivKey) > 0 {
-			out.ServerPrivate = new(jsonKeys.ECDHPrivateParams)
-			out.ServerPrivate.Length = len(ka.serverPrivKey)
-			out.ServerPrivate.Value = make([]byte, len(ka.serverPrivKey))
-			copy(out.ServerPrivate.Value, ka.serverPrivKey)
-		}
-	*/
+	out.TLSCurveID = jsonKeys.TLSCurveID(ka.serverParams.CurveID())
+
+	out.ServerPublic, out.ServerPrivate = ka.serverParams.MakeLog()
+
 	return out
 }
 
 func (ka *ecdheKeyAgreement) ClientECDHParams() *jsonKeys.ECDHParams {
 	out := new(jsonKeys.ECDHParams)
 	out.TLSCurveID = jsonKeys.TLSCurveID(ka.params.CurveID())
-	out.ClientPublic = &jsonKeys.ECPoint{}
-	/*
-		if ka.clientX != nil {
-			out.ClientPublic.X = new(big.Int)
-			out.ClientPublic.X.Set(ka.clientX)
-		}
-		if ka.clientY != nil {
-			out.ClientPublic.Y = new(big.Int)
-			out.ClientPublic.Y.Set(ka.clientY)
-		}
 
-		if len(ka.clientPrivKey) > 0 {
-			out.ClientPrivate = new(jsonKeys.ECDHPrivateParams)
-			out.ClientPrivate.Length = len(ka.clientPrivKey)
-			out.ClientPrivate.Value = make([]byte, len(ka.clientPrivKey))
-			copy(out.ClientPrivate.Value, ka.clientPrivKey)
-		}
-	*/
+	out.ClientPublic, out.ClientPrivate = ka.params.MakeLog()
+
 	return out
 }