-
Notifications
You must be signed in to change notification settings - Fork 7
/
ech_config.go
165 lines (149 loc) · 4.27 KB
/
ech_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
// Copyright 2020 Cloudflare, Inc. All rights reserved. Use of this source code
// is governed by a BSD-style license that can be found in the LICENSE file.
package tls
import (
"errors"
"fmt"
"io"
"github.com/cloudflare/circl/hpke"
"github.com/cloudflare/circl/kem"
"golang.org/x/crypto/cryptobyte"
)
// ECHConfig represents an ECH configuration.
type ECHConfig struct {
pk kem.PublicKey
raw []byte
// Parsed from raw
version uint16
configId uint8
rawPublicName []byte
rawPublicKey []byte
kemId uint16
suites []hpkeSymmetricCipherSuite
maxNameLen uint8
ignoredExtensions []byte
}
// UnmarshalECHConfigs parses a sequence of ECH configurations.
func UnmarshalECHConfigs(raw []byte) ([]ECHConfig, error) {
var (
err error
config ECHConfig
t, contents cryptobyte.String
)
configs := make([]ECHConfig, 0)
s := cryptobyte.String(raw)
if !s.ReadUint16LengthPrefixed(&t) || !s.Empty() {
return configs, errors.New("error parsing configs")
}
raw = raw[2:]
ConfigsLoop:
for !t.Empty() {
l := len(t)
if !t.ReadUint16(&config.version) ||
!t.ReadUint16LengthPrefixed(&contents) {
return nil, errors.New("error parsing config")
}
n := l - len(t)
config.raw = raw[:n]
raw = raw[n:]
if config.version != extensionECH {
continue ConfigsLoop
}
if !readConfigContents(&contents, &config) {
return nil, errors.New("error parsing config contents")
}
kem := hpke.KEM(config.kemId)
if !kem.IsValid() {
continue ConfigsLoop
}
config.pk, err = kem.Scheme().UnmarshalBinaryPublicKey(config.rawPublicKey)
if err != nil {
return nil, fmt.Errorf("error parsing public key: %s", err)
}
configs = append(configs, config)
}
return configs, nil
}
func echMarshalConfigs(configs []ECHConfig) ([]byte, error) {
var b cryptobyte.Builder
b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
for _, config := range configs {
if config.raw == nil {
panic("config.raw not set")
}
b.AddBytes(config.raw)
}
})
return b.Bytes()
}
func readConfigContents(contents *cryptobyte.String, config *ECHConfig) bool {
var t cryptobyte.String
if !contents.ReadUint8(&config.configId) ||
!contents.ReadUint16(&config.kemId) ||
!contents.ReadUint16LengthPrefixed(&t) ||
!t.ReadBytes(&config.rawPublicKey, len(t)) ||
!contents.ReadUint16LengthPrefixed(&t) ||
len(t)%4 != 0 {
return false
}
config.suites = nil
for !t.Empty() {
var kdfId, aeadId uint16
if !t.ReadUint16(&kdfId) || !t.ReadUint16(&aeadId) {
// This indicates an internal bug.
panic("internal error while parsing contents.cipher_suites")
}
config.suites = append(config.suites, hpkeSymmetricCipherSuite{kdfId, aeadId})
}
if !contents.ReadUint8(&config.maxNameLen) ||
!contents.ReadUint8LengthPrefixed(&t) ||
!t.ReadBytes(&config.rawPublicName, len(t)) ||
!contents.ReadUint16LengthPrefixed(&t) ||
!t.ReadBytes(&config.ignoredExtensions, len(t)) ||
!contents.Empty() {
return false
}
return true
}
// setupSealer generates the client's HPKE context for use with the ECH
// extension. It returns the context and corresponding encapsulated key.
func (config *ECHConfig) setupSealer(rand io.Reader) (enc []byte, sealer hpke.Sealer, err error) {
if config.raw == nil {
panic("config.raw not set")
}
hpkeSuite, err := config.selectSuite()
if err != nil {
return nil, nil, err
}
info := append(append([]byte(echHpkeInfoSetup), 0), config.raw...)
sender, err := hpkeSuite.NewSender(config.pk, info)
if err != nil {
return nil, nil, err
}
return sender.Setup(rand)
}
// isPeerCipherSuiteSupported returns true if this configuration indicates
// support for the given ciphersuite.
func (config *ECHConfig) isPeerCipherSuiteSupported(suite hpkeSymmetricCipherSuite) bool {
for _, configSuite := range config.suites {
if suite == configSuite {
return true
}
}
return false
}
// selectSuite returns the first ciphersuite indicated by this
// configuration that is supported by the caller.
func (config *ECHConfig) selectSuite() (hpke.Suite, error) {
for _, suite := range config.suites {
hpkeSuite, err := hpkeAssembleSuite(
config.kemId,
suite.kdfId,
suite.aeadId,
)
if err == nil {
return hpkeSuite, nil
}
}
return hpke.Suite{}, errors.New("could not negotiate a ciphersuite")
}