mirror of
https://github.com/WiiLink24/wfc-server.git
synced 2026-03-21 17:44:58 -05:00
706 lines
19 KiB
Go
706 lines
19 KiB
Go
package nas
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"crypto/hmac"
|
|
"crypto/md5"
|
|
"crypto/rand"
|
|
"crypto/rc4"
|
|
"crypto/rsa"
|
|
"crypto/sha1"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/binary"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"hash"
|
|
"io"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
"wwfc/common"
|
|
"wwfc/logging"
|
|
|
|
"github.com/logrusorgru/aurora/v3"
|
|
)
|
|
|
|
// Buffered conn for passing to regular TLS after peeking the client hello
|
|
type bufferedConn struct {
|
|
r *bufio.Reader
|
|
net.Conn
|
|
}
|
|
|
|
func newBufferedConn(c net.Conn) bufferedConn {
|
|
return bufferedConn{bufio.NewReader(c), c}
|
|
}
|
|
|
|
func (b bufferedConn) Peek(n int) ([]byte, error) {
|
|
return b.r.Peek(n)
|
|
}
|
|
|
|
func (b bufferedConn) Read(p []byte) (int, error) {
|
|
return b.r.Read(p)
|
|
}
|
|
|
|
// Bare minimum TLS 1.0 server implementation for the Wii's /dev/net/ssl client
|
|
// Use this with a certificate that exploits the Wii's SSL certificate bug to impersonate naswii.nintendowifi.net
|
|
// See here: https://github.com/shutterbug2000/wii-ssl-bug
|
|
|
|
// Don't use this for anything else, it's not secure
|
|
|
|
func startHTTPSProxy(config common.Config) {
|
|
address := *config.NASAddressHTTPS + ":" + config.NASPortHTTPS
|
|
nasAddr := *config.NASAddress + ":" + config.NASPort
|
|
privKeyPath := config.KeyPath
|
|
certsPath := config.CertPath
|
|
|
|
logging.Notice("NAS-TLS", "Starting HTTPS server on", address)
|
|
l, err := net.Listen("tcp", address)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
if !*config.EnableHTTPSExploit {
|
|
// Only handle real TLS requests
|
|
for {
|
|
conn, err := l.Accept()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
moduleName := "NAS-TLS:" + conn.RemoteAddr().String()
|
|
|
|
go func() {
|
|
handleRealTLS(moduleName, conn, nasAddr, privKeyPath, certsPath)
|
|
}()
|
|
}
|
|
}
|
|
|
|
// Handle requests from Wii and regular TLS
|
|
cert, err := os.ReadFile(config.CertPathWii)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
rsaData, err := os.ReadFile(config.KeyPathWii)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
rsaBlock, _ := pem.Decode(rsaData)
|
|
parsedKey, err := x509.ParsePKCS8PrivateKey(rsaBlock.Bytes)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
rsaKey, ok := parsedKey.(*rsa.PrivateKey)
|
|
if !ok {
|
|
panic("unexpected key type")
|
|
}
|
|
|
|
serverCertsRecord := []byte{0x16, 0x03, 0x01}
|
|
|
|
// Length of the record
|
|
certLen := uint32(len(cert))
|
|
serverCertsRecord = append(serverCertsRecord, []byte{
|
|
byte((certLen + 10) >> 8),
|
|
byte(certLen + 10),
|
|
}...)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, 0xB)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, []byte{
|
|
byte((certLen + 6) >> 16),
|
|
byte((certLen + 6) >> 8),
|
|
byte(certLen + 6),
|
|
}...)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, []byte{
|
|
byte((certLen + 3) >> 16),
|
|
byte((certLen + 3) >> 8),
|
|
byte(certLen + 3),
|
|
}...)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, []byte{
|
|
byte(certLen >> 16),
|
|
byte(certLen >> 8),
|
|
byte(certLen),
|
|
}...)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, cert...)
|
|
|
|
serverCertsRecord = append(serverCertsRecord, []byte{
|
|
0x16, 0x03, 0x01, 0x00, 0x04, 0x0E, 0x00, 0x00, 0x00,
|
|
}...)
|
|
|
|
for {
|
|
conn, err := l.Accept()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
logging.Info("NAS-TLS", "Receiving HTTPS request from", aurora.BrightCyan(conn.RemoteAddr()))
|
|
moduleName := "NAS-TLS:" + conn.RemoteAddr().String()
|
|
|
|
go handleWiiTLS(moduleName, conn, nasAddr, privKeyPath, certsPath, serverCertsRecord, certLen, rsaKey)
|
|
}
|
|
}
|
|
|
|
// handleWiiTLS handles the TLS request from the Wii. It may call handleRealTLS if the request is from a modern web browser.
|
|
func handleWiiTLS(moduleName string, rawConn net.Conn, nasAddr string, privKeyPath string, certsPath string, serverCertsRecord []byte, certLen uint32, rsaKey *rsa.PrivateKey) {
|
|
conn := newBufferedConn(rawConn)
|
|
|
|
defer conn.Close()
|
|
|
|
// Read client hello
|
|
// fmt.Printf("Client Hello:\n")
|
|
for index := 0; index < 0x1D; index++ {
|
|
helloBytes, err := conn.Peek(index + 1)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to peek from client:", err)
|
|
return
|
|
}
|
|
|
|
if helloBytes[index] != []byte{
|
|
0x80, 0x2B, 0x01, 0x03, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x10, 0x00,
|
|
0x00, 0x35, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x09, 0x00,
|
|
0x00, 0x05, 0x00, 0x00, 0x04,
|
|
}[index] {
|
|
logging.Info(moduleName, "Forwarding client hello:", aurora.Cyan(fmt.Sprintf("% X ", helloBytes)))
|
|
handleRealTLS(moduleName, conn, nasAddr, privKeyPath, certsPath)
|
|
return
|
|
}
|
|
}
|
|
// fmt.Printf("\n")
|
|
|
|
clientHello := make([]byte, 0x2D)
|
|
_, err := io.ReadFull(conn.r, clientHello)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to read from client:", err)
|
|
return
|
|
}
|
|
|
|
finishHash := newFinishedHash()
|
|
finishHash.Write(clientHello[0x2:0x2D])
|
|
|
|
// The random bytes are padded to 32 bytes with 0x00 (data is right justified)
|
|
clientRandom := append(make([]byte, 16), clientHello[0x1D:0x1D+0x10]...)
|
|
|
|
serverHello := []byte{0x16, 0x03, 0x01, 0x00, 0x2A, 0x02, 0x00, 0x00, 0x26, 0x03, 0x01}
|
|
|
|
serverRandom := make([]byte, 0x20)
|
|
_, err = rand.Read(serverRandom)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to generate random bytes:", err)
|
|
return
|
|
}
|
|
|
|
serverHello = append(serverHello, serverRandom...)
|
|
|
|
// Send an empty session ID
|
|
serverHello = append(serverHello, 0x00)
|
|
|
|
// Select cipher suite TLS_RSA_WITH_RC4_128_MD5 (0x0004)
|
|
serverHello = append(serverHello, []byte{
|
|
0x00, 0x04, 0x00,
|
|
}...)
|
|
|
|
// Append the certs record to the server hello buffer
|
|
serverHello = append(serverHello, serverCertsRecord...)
|
|
|
|
// fmt.Printf("Server Hello:\n% X\n", serverHello)
|
|
|
|
finishHash.Write(serverHello[0x5:0x2F])
|
|
finishHash.Write(serverHello[0x34 : 0x34+(certLen+10)])
|
|
finishHash.Write(serverHello[0x34+(certLen+10)+5 : 0x34+(certLen+10)+5+4])
|
|
|
|
_, err = conn.Write(serverHello)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to write to client:", err)
|
|
return
|
|
}
|
|
|
|
// fmt.Printf("Client key exchange:\n")
|
|
buf := make([]byte, 0x1000)
|
|
index := 0
|
|
// Read client key exchange (+ change cipher spec + finished)
|
|
for {
|
|
n, err := conn.Read(buf[index:])
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to read from client:", err)
|
|
return
|
|
}
|
|
|
|
// fmt.Printf("% X ", buf[index:index+n])
|
|
index += n
|
|
|
|
// Check client key exchange header
|
|
if !bytes.HasPrefix([]byte{
|
|
0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00, 0x82, 0x00, 0x80,
|
|
}, buf[:min(index, 0x0B)]) {
|
|
logging.Error(moduleName, "Invalid client key exchange header:", aurora.Cyan(fmt.Sprintf("% X ", buf[:min(index, 0x0B)])))
|
|
return
|
|
}
|
|
|
|
if index > 0x8B {
|
|
// Check change cipher spec + finished header
|
|
if !bytes.HasPrefix(buf[0x8B:min(index, 0x8B+0x0B)], []byte{
|
|
0x14, 0x03, 0x01, 0x00, 0x01, 0x01, 0x16, 0x03, 0x01, 0x00, 0x20,
|
|
}) {
|
|
logging.Error(moduleName, "Invalid client change cipher spec + finished header:", aurora.Cyan(fmt.Sprintf("%X ", buf[0x8B:min(index, 0x8B+0x0B)])))
|
|
return
|
|
}
|
|
}
|
|
|
|
if index == 0xB6 {
|
|
buf = buf[:index]
|
|
break
|
|
}
|
|
|
|
if index > 0xB6 {
|
|
logging.Error(moduleName, "Invalid client key exchange length:", aurora.BrightCyan(index))
|
|
return
|
|
}
|
|
}
|
|
// fmt.Printf("\n")
|
|
|
|
encryptedPreMasterSecret := buf[0x0B : 0x0B+0x80]
|
|
clientFinish := buf[0x96 : 0x96+0x20]
|
|
|
|
finishHash.Write(buf[0x5 : 0x5+0x86])
|
|
|
|
// Decrypt the pre master secret using our RSA key
|
|
preMasterSecret, err := rsa.DecryptPKCS1v15(rand.Reader, rsaKey, encryptedPreMasterSecret)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to decrypt pre master secret:", err)
|
|
return
|
|
}
|
|
|
|
// fmt.Printf("Pre master secret:\n% X\n", preMasterSecret)
|
|
|
|
if len(preMasterSecret) != 48 {
|
|
logging.Error(moduleName, "Invalid pre master secret length:", aurora.BrightCyan(len(preMasterSecret)))
|
|
return
|
|
}
|
|
|
|
if !bytes.Equal(preMasterSecret[:2], []byte{0x03, 0x01}) {
|
|
logging.Error(moduleName, "Invalid TLS version in pre master secret:", aurora.BrightCyan(preMasterSecret[:2]))
|
|
return
|
|
}
|
|
|
|
clientServerRandom := append(bytes.Clone(clientRandom), serverRandom[:0x20]...)
|
|
|
|
masterSecret := make([]byte, 48)
|
|
prf10(masterSecret, preMasterSecret, []byte("master secret"), clientServerRandom)
|
|
|
|
// fmt.Printf("Master secret:\n% X\n", masterSecret)
|
|
|
|
_, serverMAC, clientKey, serverKey, _, _ := keysFromMasterSecret(masterSecret, clientRandom, serverRandom, 16, 16, 16)
|
|
|
|
// fmt.Printf("Client MAC:\n% X\n", clientMAC)
|
|
// fmt.Printf("Server MAC:\n% X\n", serverMAC)
|
|
// fmt.Printf("Client key:\n% X\n", clientKey)
|
|
// fmt.Printf("Server key:\n% X\n", serverKey)
|
|
// fmt.Printf("Client IV:\n% X\n", clientIV)
|
|
// fmt.Printf("Server IV:\n% X\n", serverIV)
|
|
|
|
// Create the server RC4 cipher
|
|
cipher, err := rc4.NewCipher(serverKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
// Create the client RC4 cipher
|
|
clientCipher, err := rc4.NewCipher(clientKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
// Create the hmac cipher
|
|
macFn := hmac.New(md5.New, serverMAC)
|
|
|
|
// Create the hmac cipher
|
|
// clientMacFn := hmac.New(md5.New, clientMAC)
|
|
|
|
// Decrypt client finish
|
|
clientCipher.XORKeyStream(clientFinish, clientFinish)
|
|
finishHash.Write(clientFinish[:0x10])
|
|
|
|
// fmt.Printf("Client Finish:\n% X\n", clientFinish)
|
|
|
|
// Send ChangeCipherSpec
|
|
_, err = conn.Write([]byte{0x14, 0x03, 0x01, 0x00, 0x01, 0x01})
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
finishedRecord := []byte{0x16, 0x03, 0x01, 0x00, 0x10}
|
|
|
|
out := finishHash.serverSum(masterSecret)
|
|
|
|
// Encrypt the finished record
|
|
finishedRecord, _ = encryptTLS(macFn, cipher, append([]byte{0x14, 0x00, 0x00, 0x0C}, out[:12]...), 0, finishedRecord)
|
|
|
|
_, err = conn.Write(finishedRecord)
|
|
|
|
// Open a connection to NAS
|
|
newConn, err := net.Dial("tcp", nasAddr)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
defer newConn.Close()
|
|
|
|
// Read bytes from the HTTP server and forward them through the TLS connection
|
|
go func() {
|
|
recvBuf := make([]byte, 0x100)
|
|
|
|
seq := uint64(1)
|
|
for {
|
|
n, err := newConn.Read(recvBuf)
|
|
if err != nil {
|
|
if errors.Is(err, io.EOF) || strings.Contains(err.Error(), "use of closed network connection") {
|
|
return
|
|
}
|
|
|
|
logging.Error(moduleName, "Failed to read from HTTP server:", err)
|
|
return
|
|
}
|
|
|
|
// fmt.Printf("Sent:\n% X ", recvBuf[:n])
|
|
var record []byte
|
|
record, seq = encryptTLS(macFn, cipher, recvBuf[:n], seq, []byte{0x17, 0x03, 0x01, byte(n >> 8), byte(n)})
|
|
|
|
_, err = conn.Write(record)
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to write to client:", err)
|
|
return
|
|
}
|
|
}
|
|
}()
|
|
|
|
// Read encrypted content from the client and forward it to the HTTP server
|
|
index = 0
|
|
total := 0
|
|
buf = make([]byte, 0x1000)
|
|
for {
|
|
n, err := conn.Read(buf[index:])
|
|
if err != nil {
|
|
if errors.Is(err, io.EOF) || strings.Contains(err.Error(), "use of closed network connection") {
|
|
logging.Info(moduleName, "Connection closed by client after", aurora.BrightCyan(total), "bytes")
|
|
return
|
|
}
|
|
|
|
logging.Error(moduleName, "Failed to read from client:", err)
|
|
return
|
|
}
|
|
|
|
// fmt.Printf("Received:\n% X ", buf[index:index+n])
|
|
index += n
|
|
total += n
|
|
|
|
for {
|
|
if index < 5 {
|
|
break
|
|
}
|
|
|
|
if buf[0] < 0x15 || buf[0] > 0x17 {
|
|
logging.Error(moduleName, "Invalid record type")
|
|
return
|
|
}
|
|
|
|
if buf[1] != 0x03 || buf[2] != 0x01 {
|
|
logging.Error(moduleName, "Invalid TLS version")
|
|
return
|
|
}
|
|
|
|
recordLength := binary.BigEndian.Uint16(buf[3:5])
|
|
if recordLength < 17 || (recordLength+5) > 0x1000 {
|
|
logging.Error(moduleName, "Invalid record length")
|
|
return
|
|
}
|
|
|
|
if index < int(recordLength)+5 {
|
|
break
|
|
}
|
|
|
|
// Decrypt content
|
|
clientCipher.XORKeyStream(buf[5:5+recordLength], buf[5:5+recordLength])
|
|
// fmt.Printf("\nDecrypted content:\n% X \n", buf[5:5+recordLength])
|
|
|
|
if buf[0] != 0x17 {
|
|
if buf[0] == 0x15 || buf[5] == 0x01 || buf[6] == 0x00 {
|
|
logging.Info(moduleName, "Alert connection close by client after", aurora.BrightCyan(total), "bytes")
|
|
return
|
|
}
|
|
|
|
logging.Error(moduleName, "Non-application data received:", aurora.Cyan(fmt.Sprintf("% X ", buf[:5+recordLength])))
|
|
return
|
|
} else {
|
|
// Send the decrypted content to the HTTP server
|
|
_, err = newConn.Write(buf[5 : 5+recordLength-16])
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to write to HTTP server:", err)
|
|
return
|
|
}
|
|
}
|
|
|
|
buf = buf[5+recordLength:]
|
|
buf = append(buf, make([]byte, 0x1000-len(buf))...)
|
|
index -= 5 + int(recordLength)
|
|
}
|
|
}
|
|
}
|
|
|
|
// handleRealTLS handles the TLS request legitimately using crypto/tls
|
|
func handleRealTLS(moduleName string, conn net.Conn, nasAddr string, privKeyPath string, certsPath string) {
|
|
// Read server key and certs
|
|
// TODO: Cache this
|
|
serverKey, err := os.ReadFile(privKeyPath)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
serverCerts, err := os.ReadFile(certsPath)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
cert, err := tls.X509KeyPair(serverCerts, serverKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
config := tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
}
|
|
|
|
tlsConn := tls.Server(conn, &config)
|
|
|
|
err = tlsConn.Handshake()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
newConn, err := net.Dial("tcp", nasAddr)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
defer newConn.Close()
|
|
|
|
// Read bytes from the HTTP server and forward them through the TLS connection
|
|
go func() {
|
|
recvBuf := make([]byte, 0x100)
|
|
|
|
for {
|
|
n, err := newConn.Read(recvBuf)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
_, err = tlsConn.Write(recvBuf[:n])
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to write to client:", err)
|
|
return
|
|
}
|
|
}
|
|
}()
|
|
|
|
// Read encrypted content from the client and forward it to the HTTP server
|
|
buf := make([]byte, 0x1000)
|
|
for {
|
|
n, err := tlsConn.Read(buf)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
_, err = newConn.Write(buf[:n])
|
|
if err != nil {
|
|
logging.Error(moduleName, "Failed to write to HTTP server:", err)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// The following functions are modified from the crypto standard library
|
|
//
|
|
// Copyright (c) 2009 The Go Authors. All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are
|
|
// met:
|
|
//
|
|
// * Redistributions of source code must retain the above copyright
|
|
// notice, this list of conditions and the following disclaimer.
|
|
// * Redistributions in binary form must reproduce the above
|
|
// copyright notice, this list of conditions and the following disclaimer
|
|
// in the documentation and/or other materials provided with the
|
|
// distribution.
|
|
// * Neither the name of Google Inc. nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
// Split a premaster secret in two as specified in RFC 4346, Section 5.
|
|
func splitPreMasterSecret(secret []byte) (s1, s2 []byte) {
|
|
s1 = secret[0 : (len(secret)+1)/2]
|
|
s2 = secret[len(secret)/2:]
|
|
return
|
|
}
|
|
|
|
// pHash implements the P_hash function, as defined in RFC 4346, Section 5.
|
|
func pHash(result, secret, seed []byte, hash func() hash.Hash) {
|
|
h := hmac.New(hash, secret)
|
|
h.Write(seed)
|
|
a := h.Sum(nil)
|
|
|
|
j := 0
|
|
for j < len(result) {
|
|
h.Reset()
|
|
h.Write(a)
|
|
h.Write(seed)
|
|
b := h.Sum(nil)
|
|
copy(result[j:], b)
|
|
j += len(b)
|
|
|
|
h.Reset()
|
|
h.Write(a)
|
|
a = h.Sum(nil)
|
|
}
|
|
}
|
|
|
|
// prf10 implements the TLS 1.0 pseudo-random function, as defined in RFC 2246, Section 5.
|
|
func prf10(result, secret, label, seed []byte) {
|
|
hashSHA1 := sha1.New
|
|
hashMD5 := md5.New
|
|
labelAndSeed := make([]byte, len(label)+len(seed))
|
|
|
|
copy(labelAndSeed, label)
|
|
copy(labelAndSeed[len(label):], seed)
|
|
s1, s2 := splitPreMasterSecret(secret)
|
|
|
|
pHash(result, s1, labelAndSeed, hashMD5)
|
|
result2 := make([]byte, len(result))
|
|
pHash(result2, s2, labelAndSeed, hashSHA1)
|
|
|
|
for i, b := range result2 {
|
|
result[i] ^= b
|
|
}
|
|
}
|
|
|
|
// keysFromMasterSecret generates the connection keys from the master
|
|
// secret, given the lengths of the MAC key, cipher key and IV, as defined in
|
|
// RFC 2246, Section 6.3.
|
|
func keysFromMasterSecret(masterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte) {
|
|
seed := make([]byte, 0, len(serverRandom)+len(clientRandom))
|
|
seed = append(seed, serverRandom...)
|
|
seed = append(seed, clientRandom...)
|
|
|
|
n := 2*macLen + 2*keyLen + 2*ivLen
|
|
keyMaterial := make([]byte, n)
|
|
prf10(keyMaterial, masterSecret, []byte("key expansion"), seed)
|
|
clientMAC = keyMaterial[:macLen]
|
|
keyMaterial = keyMaterial[macLen:]
|
|
serverMAC = keyMaterial[:macLen]
|
|
keyMaterial = keyMaterial[macLen:]
|
|
clientKey = keyMaterial[:keyLen]
|
|
keyMaterial = keyMaterial[keyLen:]
|
|
serverKey = keyMaterial[:keyLen]
|
|
keyMaterial = keyMaterial[keyLen:]
|
|
clientIV = keyMaterial[:ivLen]
|
|
keyMaterial = keyMaterial[ivLen:]
|
|
serverIV = keyMaterial[:ivLen]
|
|
return
|
|
}
|
|
|
|
func newFinishedHash() finishedHash {
|
|
return finishedHash{sha1.New(), sha1.New(), md5.New(), md5.New(), prf10}
|
|
}
|
|
|
|
// A finishedHash calculates the hash of a set of handshake messages suitable
|
|
// for including in a Finished message.
|
|
type finishedHash struct {
|
|
client hash.Hash
|
|
server hash.Hash
|
|
|
|
// Prior to TLS 1.2, an additional MD5 hash is required.
|
|
clientMD5 hash.Hash
|
|
serverMD5 hash.Hash
|
|
|
|
prf func(result, secret, label, seed []byte)
|
|
}
|
|
|
|
func (h *finishedHash) Write(msg []byte) int {
|
|
// fmt.Printf("Write finished hash: % X\n", msg)
|
|
|
|
h.client.Write(msg)
|
|
h.server.Write(msg)
|
|
|
|
h.clientMD5.Write(msg)
|
|
h.serverMD5.Write(msg)
|
|
|
|
return len(msg)
|
|
}
|
|
|
|
func (h finishedHash) Sum() []byte {
|
|
out := make([]byte, 0, md5.Size+sha1.Size)
|
|
out = h.clientMD5.Sum(out)
|
|
return h.client.Sum(out)
|
|
}
|
|
|
|
// clientSum returns the contents of the verify_data member of a client's
|
|
// Finished message.
|
|
func (h finishedHash) clientSum(masterSecret []byte) []byte {
|
|
out := make([]byte, 12)
|
|
h.prf(out, masterSecret, []byte("client finished"), h.Sum())
|
|
return out
|
|
}
|
|
|
|
// serverSum returns the contents of the verify_data member of a server's
|
|
// Finished message.
|
|
func (h finishedHash) serverSum(masterSecret []byte) []byte {
|
|
out := make([]byte, 12)
|
|
h.prf(out, masterSecret, []byte("server finished"), h.Sum())
|
|
return out
|
|
}
|
|
|
|
func encryptTLS(macFn hash.Hash, cipher *rc4.Cipher, payload []byte, seq uint64, record []byte) ([]byte, uint64) {
|
|
mac := tls10MAC(macFn, []byte{}, binary.BigEndian.AppendUint64([]byte{}, seq), record[:5], payload, nil)
|
|
record = append(append(bytes.Clone(record[:5]), payload...), mac...)
|
|
cipher.XORKeyStream(record[5:], record[5:])
|
|
|
|
// Update length to include nonce, MAC and any block padding needed.
|
|
n := len(record) - 5
|
|
record[3] = byte(n >> 8)
|
|
record[4] = byte(n)
|
|
|
|
return record, seq + 1
|
|
}
|
|
|
|
// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3.
|
|
func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
|
|
h.Reset()
|
|
h.Write(seq)
|
|
h.Write(header)
|
|
h.Write(data)
|
|
res := h.Sum(out)
|
|
if extra != nil {
|
|
h.Write(extra)
|
|
}
|
|
return res
|
|
}
|