| 48 | } |
| 49 | |
// processClientKeyExchange recovers the premaster secret from an RSA
// ClientKeyExchange message.
//
// The message body is a two-byte big-endian length followed by the RSA
// ciphertext; the length must cover exactly the remaining bytes, otherwise
// errClientKeyExchange is returned. Decryption goes through crypto.Decrypter
// with rsa.PKCS1v15DecryptOptions and SessionKeyLen set to 48, so that a
// PKCS #1 v1.5 padding failure yields a random 48-byte secret rather than an
// observable error (the handshake then fails later in a way the peer cannot
// distinguish from a wrong guess). The version parameter is accepted for
// interface symmetry and is not consulted here.
//
// Returns the (possibly randomised) premaster secret, or an error if the
// message is malformed, the private key cannot decrypt, or Decrypt itself
// fails.
func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
	body := ckx.ciphertext
	if len(body) < 2 {
		return nil, errClientKeyExchange
	}
	// Two-byte big-endian length prefix; it must account for every
	// remaining byte of the message, no more and no less.
	want := int(body[0])<<8 | int(body[1])
	body = body[2:]
	if want != len(body) {
		return nil, errClientKeyExchange
	}

	decrypter, canDecrypt := cert.PrivateKey.(crypto.Decrypter)
	if !canDecrypt {
		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")
	}
	// Constant-time RSA PKCS #1 v1.5 decryption. SessionKeyLen tells the
	// decrypter to substitute a random 48-byte secret when the padding check
	// fails, so success and failure take the same code path from here on.
	opts := &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48}
	preMasterSecret, err := decrypter.Decrypt(config.rand(), body, opts)
	if err != nil {
		return nil, err
	}
	// The version number embedded in the premaster secret is deliberately
	// left unchecked: rejecting on it would leak whether the decryption
	// produced valid padding, it offers little protection against a
	// downgrade, and some implementations send the wrong version anyway.
	// See the discussion at the end of section 7.4.7.1 of RFC 4346.
	return preMasterSecret, nil
}
| 77 | |
| 78 | func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error { |
| 79 | return errors.New("tls: unexpected ServerKeyExchange") |