diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py index e5b88af..6d78a20 100644 --- a/third_party/tlslite/tlslite/constants.py +++ b/third_party/tlslite/tlslite/constants.py @@ -76,6 +76,14 @@ class SignatureAlgorithm: class NameType: host_name = 0 +class ECCurveType: + explicit_prime = 1 + explicit_char2 = 2 + named_curve = 3 + +class NamedCurve: + secp256r1 = 23 + class AlertLevel: warning = 1 fatal = 2 @@ -178,11 +186,19 @@ class CipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E + TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011 + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f + tripleDESSuites = [] tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) + tripleDESSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) aes128Suites = [] aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) @@ -192,6 +208,8 @@ class CipherSuite: aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) + aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) aes256Suites = [] aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) @@ -201,14 +219,17 @@ class CipherSuite: aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) + aes256Suites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) aes128GcmSuites = [] aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) + aes128GcmSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) rc4Suites = [] rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) + rc4Suites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) shaSuites = [] shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) @@ -226,6 +247,10 @@ class CipherSuite: shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) + shaSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) + shaSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) sha256Suites = [] sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) @@ -234,6 +259,9 @@ class CipherSuite: sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) + sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) + sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) + aeadSuites = aes128GcmSuites @@ -275,6 +303,8 @@ class CipherSuite: keyExchangeSuites += CipherSuite.certSuites if "dhe_rsa" in keyExchangeNames: keyExchangeSuites += CipherSuite.dheCertSuites + if "ecdhe_rsa" in keyExchangeNames: + keyExchangeSuites += CipherSuite.ecdheCertSuites if "srp_sha" in keyExchangeNames: keyExchangeSuites += CipherSuite.srpSuites if "srp_sha_rsa" in keyExchangeNames: @@ -335,7 +365,19 @@ class CipherSuite: def getDheCertSuites(settings, version=None): return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, version) - certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites = [] + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) + + @staticmethod + def getEcdheCertSuites(settings, version=None): + return CipherSuite._filterSuites(CipherSuite.ecdheCertSuites, settings, version) + + certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites anonSuites = [] anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) @@ -346,6 +388,7 @@ class CipherSuite: return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, version) dhAllSuites = dheCertSuites + anonSuites + ecdhAllSuites = ecdheCertSuites @staticmethod def canonicalCipherName(ciphersuite): diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py index e752834..605ed42 100644 --- a/third_party/tlslite/tlslite/handshakesettings.py +++ b/third_party/tlslite/tlslite/handshakesettings.py @@ -14,7 +14,7 @@ from .utils import cipherfactory CIPHER_NAMES = ["aes128gcm", "rc4", "aes256", "aes128", "3des"] MAC_NAMES = ["sha", "sha256", "aead"] # Don't allow "md5" by default. ALL_MAC_NAMES = MAC_NAMES + ["md5"] -KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] +KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] CERTIFICATE_TYPES = ["x509"] TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py index f2e2cfc..9aeff6d 100644 --- a/third_party/tlslite/tlslite/messages.py +++ b/third_party/tlslite/tlslite/messages.py @@ -509,10 +509,13 @@ class ServerKeyExchange(HandshakeMsg): self.srp_g = 0 self.srp_s = bytearray(0) self.srp_B = 0 - # Anon DH params: + # DH params: self.dh_p = 0 self.dh_g = 0 self.dh_Ys = 0 + # ECDH params: + self.ecdhCurve = 0 + self.ecdhPublic = bytearray(0) self.signature = bytearray(0) def createSRP(self, srp_N, srp_g, srp_s, srp_B): @@ -528,6 +531,11 @@ class ServerKeyExchange(HandshakeMsg): self.dh_Ys = dh_Ys return self + def createECDH(self, ecdhCurve, ecdhPublic): + self.ecdhCurve = ecdhCurve + self.ecdhPublic = ecdhPublic + return self + def parse(self, p): p.startLengthCheck(3) if self.cipherSuite in CipherSuite.srpAllSuites: @@ -555,6 +563,10 @@ class ServerKeyExchange(HandshakeMsg): w.addVarSeq(numberToByteArray(self.dh_p), 1, 2) w.addVarSeq(numberToByteArray(self.dh_g), 1, 2) w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2) + elif self.cipherSuite in CipherSuite.ecdhAllSuites: + w.add(ECCurveType.named_curve, 1) + w.add(self.ecdhCurve, 2) + w.addVarSeq(self.ecdhPublic, 1, 1) else: assert(False) return w.bytes @@ -626,7 +638,9 @@ class ClientKeyExchange(HandshakeMsg): else: raise AssertionError() elif self.cipherSuite in CipherSuite.dhAllSuites: - self.dh_Yc = bytesToNumber(p.getVarBytes(2)) + self.dh_Yc = bytesToNumber(p.getVarBytes(2)) + elif self.cipherSuite in CipherSuite.ecdhAllSuites: + self.ecdh_Yc = p.getVarBytes(1) else: raise AssertionError() p.stopLengthCheck() diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py index 0a85d3c..dfac274 100644 --- a/third_party/tlslite/tlslite/tlsconnection.py +++ b/third_party/tlslite/tlslite/tlsconnection.py @@ -24,6 +24,7 @@ from .mathtls import * from .handshakesettings import HandshakeSettings from .utils.tackwrapper import * from .utils.rsakey import RSAKey +from .utils import p256 class KeyExchange(object): def __init__(self, cipherSuite, clientHello, serverHello, privateKey): @@ -127,6 +128,25 @@ DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 S = powMod(dh_Yc, self.dh_Xs, self.dh_p) return numberToByteArray(S) +class ECDHE_RSAKeyExchange(KeyExchange): + def makeServerKeyExchange(self): + public, self.private = p256.generatePublicPrivate() + + version = self.serverHello.server_version + serverKeyExchange = ServerKeyExchange(self.cipherSuite, version) + serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public)) + hashBytes = serverKeyExchange.hash(self.clientHello.random, + self.serverHello.random) + if version >= (3,3): + # TODO: Signature algorithm negotiation not supported. + hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes) + serverKeyExchange.signature = self.privateKey.sign(hashBytes) + return serverKeyExchange + + def processClientKeyExchange(self, clientKeyExchange): + ecdh_Yc = clientKeyExchange.ecdh_Yc + return bytearray(p256.generateSharedValue(bytes(ecdh_Yc), self.private)) + class TLSConnection(TLSRecordLayer): """ This class wraps a socket and provides TLS handshaking and data @@ -1321,9 +1341,8 @@ class TLSConnection(TLSRecordLayer): else: break premasterSecret = result - # Perform the RSA or DHE_RSA key exchange - elif (cipherSuite in CipherSuite.certSuites or - cipherSuite in CipherSuite.dheCertSuites): + # Perform a certificate-based key exchange + elif cipherSuite in CipherSuite.certAllSuites: if cipherSuite in CipherSuite.certSuites: keyExchange = RSAKeyExchange(cipherSuite, clientHello, @@ -1334,6 +1353,11 @@ class TLSConnection(TLSRecordLayer): clientHello, serverHello, privateKey) + elif cipherSuite in CipherSuite.ecdheCertSuites: + keyExchange = ECDHE_RSAKeyExchange(cipherSuite, + clientHello, + serverHello, + privateKey) else: assert(False) for result in self._serverCertKeyExchange(clientHello, serverHello, @@ -1450,6 +1474,7 @@ class TLSConnection(TLSRecordLayer): CipherSuite.getSrpCertSuites(settings, self.version) cipherSuites += CipherSuite.getSrpSuites(settings, self.version) elif certChain: + cipherSuites += CipherSuite.getEcdheCertSuites(settings, self.version) cipherSuites += CipherSuite.getDheCertSuites(settings, self.version) cipherSuites += CipherSuite.getCertSuites(settings, self.version) elif anon: diff --git a/third_party/tlslite/tlslite/utils/p256.py b/third_party/tlslite/tlslite/utils/p256.py index e69de29..6eb9a77 100644 --- a/third_party/tlslite/tlslite/utils/p256.py +++ b/third_party/tlslite/tlslite/utils/p256.py @@ -0,0 +1,162 @@ +# Author: Google +# See the LICENSE file for legal information regarding use of this file. + +import os + +p = ( + 115792089210356248762697446949407573530086143415290314195533631308867097853951) +order = ( + 115792089210356248762697446949407573529996955224135760342422259061068512044369) +p256B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b + +baseX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296 +baseY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5 +basePoint = (baseX, baseY) + + +def _pointAdd(a, b): + Z1Z1 = (a[2] * a[2]) % p + Z2Z2 = (b[2] * b[2]) % p + U1 = (a[0] * Z2Z2) % p + U2 = (b[0] * Z1Z1) % p + S1 = (a[1] * b[2] * Z2Z2) % p + S2 = (b[1] * a[2] * Z1Z1) % p + if U1 == U2 and S1 == S2: + return pointDouble(a) + H = (U2 - U1) % p + I = (4 * H * H) % p + J = (H * I) % p + r = (2 * (S2 - S1)) % p + V = (U1 * I) % p + X3 = (r * r - J - 2 * V) % p + Y3 = (r * (V - X3) - 2 * S1 * J) % p + Z3 = (((a[2] + b[2]) * (a[2] + b[2]) - Z1Z1 - Z2Z2) * H) % p + + return (X3, Y3, Z3) + + +def _pointDouble(a): + delta = (a[2] * a[2]) % p + gamma = (a[1] * a[1]) % p + beta = (a[0] * gamma) % p + alpha = (3 * (a[0] - delta) * (a[0] + delta)) % p + X3 = (alpha * alpha - 8 * beta) % p + Z3 = ((a[1] + a[2]) * (a[1] + a[2]) - gamma - delta) % p + Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % p + + return (X3, Y3, Z3) + + +def _square(n): + return (n * n) + + +def _modpow(a, n, p): + if n == 0: + return 1 + if n == 1: + return a + r = _square(_modpow(a, n >> 1, p)) % p + if n & 1 == 1: + r = (r * a) % p + return r + + +def _scalarMult(k, point): + accum = (0, 0, 0) + accumIsInfinity = True + jacobianPoint = (point[0], point[1], 1) + + for bit in range(255, -1, -1): + if not accumIsInfinity: + accum = _pointDouble(accum) + + if (k >> bit) & 1 == 1: + if accumIsInfinity: + accum = jacobianPoint + accumIsInfinity = False + else: + accum = _pointAdd(accum, jacobianPoint) + + if accumIsInfinity: + return (0, 0) + + zInv = _modpow(accum[2], p - 2, p) + return ((accum[0] * zInv * zInv) % p, (accum[1] * zInv * zInv * zInv) % p) + + +def _scalarBaseMult(k): + return _scalarMult(k, basePoint) + + +def _decodeBigEndian(b): + return sum([ord(b[len(b) - i - 1]) << 8 * i for i in range(len(b))]) + + +def _encodeBigEndian(n): + b = [] + while n != 0: + b.append(chr(n & 0xff)) + n >>= 8 + + if len(b) == 0: + b.append(0) + b.reverse() + + return "".join(b) + + +def _zeroPad(b, length): + if len(b) < length: + return ("\x00" * (length - len(b))) + b + return b + + +def _encodePoint(point): + x = point[0] + y = point[1] + if (y * y) % p != (x * x * x - 3 * x + p256B) % p: + raise "point not on curve" + return "\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad( + _encodeBigEndian(point[1]), 32) + + +def _decodePoint(b): + if len(b) != 1 + 32 + 32 or ord(b[0]) != 4: + raise "invalid encoded ec point" + x = _decodeBigEndian(b[1:33]) + y = _decodeBigEndian(b[33:65]) + if (y * y) % p != (x * x * x - 3 * x + p256B) % p: + raise "point not on curve" + return (x, y) + + +def generatePublicPrivate(): + """generatePublicPrivate returns a tuple of (X9.62 encoded public point, + private value), where the private value is generated from os.urandom.""" + private = _decodeBigEndian(os.urandom(40)) % order + return _encodePoint(_scalarBaseMult(private)), private + + +def generateSharedValue(theirPublic, private): + """generateSharedValue returns the encoded x-coordinate of the + multiplication of a peer's X9.62 encoded point and a private value.""" + return _zeroPad( + _encodeBigEndian(_scalarMult(private, _decodePoint(theirPublic))[0]), + 32) + +if __name__ == "__main__": + alice, alicePrivate = generatePublicPrivate() + bob, bobPrivate = generatePublicPrivate() + + if generateSharedValue(alice, bobPrivate) != generateSharedValue( + bob, alicePrivate): + raise "simple DH test failed" + + (x, _) = _scalarBaseMult(1) + + for i in range(1000): + (x, _) = _scalarBaseMult(x) + + if x != 2428281965257598569040586318034812501729437946720808289049534492833635302706: + raise "loop test failed"