mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 20:47:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Expose DecryptTicketWith function (#61)

Browse source 
Expose DecryptTicketWith function
This commit is contained in:
maxb 2020-11-12 11:38:19 -08:00 committed by GitHub
parent 33a29038e7
commit 5801f3fc5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 65 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

17
ticket.go
View file

@ -171,7 +171,20 @@ func (c *Conn) encryptTicket(state []byte) ([]byte, error) {
return encrypted, nil return encrypted, nil
} }
// [uTLS] changed to use exported DecryptTicketWith func below
func (c *Conn) decryptTicket(encrypted []byte) (plaintext []byte, usedOldKey bool) { func (c *Conn) decryptTicket(encrypted []byte) (plaintext []byte, usedOldKey bool) {
tks := ticketKeys(c.config.ticketKeys()).ToPublic()
return DecryptTicketWith(encrypted, tks)
}
// DecryptTicketWith decrypts an encrypted session ticket
// using a TicketKeys (ie []TicketKey) struct
//
// usedOldKey will be true if the key used for decryption is
// not the first in the []TicketKey slice
//
// [uTLS] changed to be made public and take a TicketKeys instead of use a Conn receiver
func DecryptTicketWith(encrypted []byte, tks TicketKeys) (plaintext []byte, usedOldKey bool) {
if len(encrypted) < ticketKeyNameLen+aes.BlockSize+sha256.Size { if len(encrypted) < ticketKeyNameLen+aes.BlockSize+sha256.Size {
return nil, false return nil, false
} }
@ -181,7 +194,9 @@ func (c *Conn) decryptTicket(encrypted []byte) (plaintext []byte, usedOldKey boo
macBytes := encrypted[len(encrypted)-sha256.Size:] macBytes := encrypted[len(encrypted)-sha256.Size:]
ciphertext := encrypted[ticketKeyNameLen+aes.BlockSize : len(encrypted)-sha256.Size] ciphertext := encrypted[ticketKeyNameLen+aes.BlockSize : len(encrypted)-sha256.Size]
keys := c.config.ticketKeys() // keys := c.config.ticketKeys() // [uTLS] keys are received as a function argument
keys := tks.ToPrivate()
keyIndex := -1 keyIndex := -1
for i, candidateKey := range keys { for i, candidateKey := range keys {
if bytes.Equal(keyName, candidateKey.keyName[:]) { if bytes.Equal(keyName, candidateKey.keyName[:]) {

49
u_public.go
View file

@ -622,3 +622,52 @@ func (css *ClientSessionState) SetServerCertificates(ServerCertificates []*x509.
func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) { func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) {
css.verifiedChains = VerifiedChains css.verifiedChains = VerifiedChains
} }
// TicketKey is the internal representation of a session ticket key.
type TicketKey struct {
// KeyName is an opaque byte string that serves to identify the session
// ticket key. It's exposed as plaintext in every session ticket.
KeyName [ticketKeyNameLen]byte
AesKey [16]byte
HmacKey [16]byte
}
type TicketKeys []TicketKey
type ticketKeys []ticketKey
func TicketKeyFromBytes(b [32]byte) TicketKey {
tk := ticketKeyFromBytes(b)
return tk.ToPublic()
}
func (tk ticketKey) ToPublic() TicketKey {
return TicketKey{
KeyName: tk.keyName,
AesKey: tk.aesKey,
HmacKey: tk.hmacKey,
}
}
func (TK TicketKey) ToPrivate() ticketKey {
return ticketKey{
keyName: TK.KeyName,
aesKey: TK.AesKey,
hmacKey: TK.HmacKey,
}
}
func (tks ticketKeys) ToPublic() []TicketKey {
var TKS []TicketKey
for _, ks := range tks {
TKS = append(TKS, ks.ToPublic())
}
return TKS
}
func (TKS TicketKeys) ToPrivate() []ticketKey {
var tks []ticketKey
for _, TK := range TKS {
tks = append(tks, TK.ToPrivate())
}
return tks
}