Google Git
Sign in
go / go / eedf5c452974fc518bd6ec385730b61f016ddadf / . / src / pkg / crypto / tls / prf.go
blob: 478cf65f91c41f4795ae6f88febe89b7079d8cf8 [file] [log] [blame]
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package tls
6
7import (
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]8 "crypto/hmac"
9 "crypto/md5"
10 "crypto/sha1"
11 "hash"
12 "os"
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]13)
14
15// Split a premaster secret in two as specified in RFC 4346, section 5.
16func splitPreMasterSecret(secret []byte) (s1, s2 []byte) {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]17 s1 = secret[0 : (len(secret)+1)/2]
18 s2 = secret[len(secret)/2:]
19 return
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]20}
21
22// pHash implements the P_hash function, as defined in RFC 4346, section 5.
Jukka-Pekka Kekkonenba5b09f2010-08-26 13:32:29 -0400[diff] [blame]23func pHash(result, secret, seed []byte, hash func() hash.Hash) {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]24 h := hmac.New(hash, secret)
25 h.Write(seed)
26 a := h.Sum()
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]27
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]28 j := 0
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]29 for j < len(result) {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]30 h.Reset()
31 h.Write(a)
32 h.Write(seed)
33 b := h.Sum()
34 todo := len(b)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]35 if j+todo > len(result) {
Robert Griesemerbaba2922009-11-09 21:13:17 -0800[diff] [blame]36 todo = len(result) - j
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]37 }
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]38 copy(result[j:j+todo], b)
39 j += todo
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]40
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]41 h.Reset()
42 h.Write(a)
43 a = h.Sum()
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]44 }
45}
46
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]47// pRF10 implements the TLS 1.0 pseudo-random function, as defined in RFC 2246, section 5.
48func pRF10(result, secret, label, seed []byte) {
Jukka-Pekka Kekkonenba5b09f2010-08-26 13:32:29 -0400[diff] [blame]49 hashSHA1 := sha1.New
50 hashMD5 := md5.New
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]51
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]52 labelAndSeed := make([]byte, len(label)+len(seed))
53 copy(labelAndSeed, label)
54 copy(labelAndSeed[len(label):], seed)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]55
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]56 s1, s2 := splitPreMasterSecret(secret)
57 pHash(result, s1, labelAndSeed, hashMD5)
58 result2 := make([]byte, len(result))
59 pHash(result2, s2, labelAndSeed, hashSHA1)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]60
61 for i, b := range result2 {
Robert Griesemer40621d52009-11-09 12:07:39 -0800[diff] [blame]62 result[i] ^= b
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]63 }
64}
65
66const (
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]67 tlsRandomLength = 32 // Length of a random nonce in TLS 1.1.
68 masterSecretLength = 48 // Length of a master secret in TLS 1.1.
69 finishedVerifyLength = 12 // Length of verify_data in a Finished message.
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]70)
71
Russ Cox9750adb2010-02-25 16:01:29 -0800[diff] [blame]72var masterSecretLabel = []byte("master secret")
73var keyExpansionLabel = []byte("key expansion")
74var clientFinishedLabel = []byte("client finished")
75var serverFinishedLabel = []byte("server finished")
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]76
77// keysFromPreMasterSecret generates the connection keys from the pre master
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]78// secret, given the lengths of the MAC key, cipher key and IV, as defined in
79// RFC 2246, section 6.3.
80func keysFromPreMasterSecret10(preMasterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (masterSecret, clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte) {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]81 var seed [tlsRandomLength * 2]byte
82 copy(seed[0:len(clientRandom)], clientRandom)
83 copy(seed[len(clientRandom):], serverRandom)
84 masterSecret = make([]byte, masterSecretLength)
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]85 pRF10(masterSecret, preMasterSecret, masterSecretLabel, seed[0:])
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]86
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]87 copy(seed[0:len(clientRandom)], serverRandom)
88 copy(seed[len(serverRandom):], clientRandom)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]89
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]90 n := 2*macLen + 2*keyLen + 2*ivLen
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]91 keyMaterial := make([]byte, n)
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]92 pRF10(keyMaterial, masterSecret, keyExpansionLabel, seed[0:])
93 clientMAC = keyMaterial[:macLen]
94 keyMaterial = keyMaterial[macLen:]
95 serverMAC = keyMaterial[:macLen]
96 keyMaterial = keyMaterial[macLen:]
97 clientKey = keyMaterial[:keyLen]
98 keyMaterial = keyMaterial[keyLen:]
99 serverKey = keyMaterial[:keyLen]
100 keyMaterial = keyMaterial[keyLen:]
101 clientIV = keyMaterial[:ivLen]
102 keyMaterial = keyMaterial[ivLen:]
103 serverIV = keyMaterial[:ivLen]
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]104 return
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]105}
106
107// A finishedHash calculates the hash of a set of handshake messages suitable
108// for including in a Finished message.
109type finishedHash struct {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]110 clientMD5 hash.Hash
111 clientSHA1 hash.Hash
112 serverMD5 hash.Hash
113 serverSHA1 hash.Hash
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]114}
115
116func newFinishedHash() finishedHash {
Robert Griesemer40621d52009-11-09 12:07:39 -0800[diff] [blame]117 return finishedHash{md5.New(), sha1.New(), md5.New(), sha1.New()}
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]118}
119
120func (h finishedHash) Write(msg []byte) (n int, err os.Error) {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]121 h.clientMD5.Write(msg)
122 h.clientSHA1.Write(msg)
123 h.serverMD5.Write(msg)
124 h.serverSHA1.Write(msg)
125 return len(msg), nil
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]126}
127
128// finishedSum calculates the contents of the verify_data member of a Finished
129// message given the MD5 and SHA1 hashes of a set of handshake messages.
130func finishedSum(md5, sha1, label, masterSecret []byte) []byte {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]131 seed := make([]byte, len(md5)+len(sha1))
132 copy(seed, md5)
133 copy(seed[len(md5):], sha1)
134 out := make([]byte, finishedVerifyLength)
Adam Langleyeedf5c42010-12-15 11:49:55 -0500[diff] [blame^]135 pRF10(out, masterSecret, label, seed)
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]136 return out
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]137}
138
139// clientSum returns the contents of the verify_data member of a client's
140// Finished message.
141func (h finishedHash) clientSum(masterSecret []byte) []byte {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]142 md5 := h.clientMD5.Sum()
143 sha1 := h.clientSHA1.Sum()
144 return finishedSum(md5, sha1, clientFinishedLabel, masterSecret)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]145}
146
147// serverSum returns the contents of the verify_data member of a server's
148// Finished message.
149func (h finishedHash) serverSum(masterSecret []byte) []byte {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]150 md5 := h.serverMD5.Sum()
151 sha1 := h.serverSHA1.Sum()
152 return finishedSum(md5, sha1, serverFinishedLabel, masterSecret)
Adam Langley6e8184d2009-11-02 18:25:20 -0800[diff] [blame]153}