crypto/internal/hpke: separate KEM and PublicKey/PrivateKey interfaces

Updates #75300

Change-Id: I87ed26e8f57180d741408bdbda1696d46a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/719560
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Filippo Valsorda 2025-11-11 13:10:17 +01:00 committed by Gopher Robot
parent e15800c0ec
commit 7db2f0bb9a
6 changed files with 1743 additions and 792 deletions


@ -149,7 +149,7 @@ func parseECHConfigList(data []byte) ([]echConfig, error) {
return configs, nil
}
func pickECHConfig(list []echConfig) (*echConfig, hpke.KEMSender, hpke.KDF, hpke.AEAD) {
func pickECHConfig(list []echConfig) (*echConfig, hpke.PublicKey, hpke.KDF, hpke.AEAD) {
for _, ec := range list {
if !validDNSName(string(ec.PublicName)) {
continue
@ -166,10 +166,16 @@ func pickECHConfig(list []echConfig) (*echConfig, hpke.KEMSender, hpke.KDF, hpke
if unsupportedExt {
continue
}
s, err := hpke.NewKEMSender(ec.KemID, ec.PublicKey)
kem, err := hpke.NewKEM(ec.KemID)
if err != nil {
continue
}
pub, err := kem.NewPublicKey(ec.PublicKey)
if err != nil {
// This is an error in the config, but killing the connection feels
// excessive.
continue
}
for _, cs := range ec.SymmetricCipherSuite {
// All of the supported AEADs and KDFs are fine, rather than
// imposing some sort of preference here, we just pick the first
@ -182,7 +188,7 @@ func pickECHConfig(list []echConfig) (*echConfig, hpke.KEMSender, hpke.KDF, hpke
if err != nil {
continue
}
return &ec, s, kdf, aead
return &ec, pub, kdf, aead
}
}
return nil, nil, nil, nil
@ -568,7 +574,12 @@ func (c *Conn) processECHClientHello(outer *clientHelloMsg, echKeys []EncryptedC
if skip {
continue
}
echPriv, err := hpke.NewKEMRecipient(config.KemID, echKey.PrivateKey)
kem, err := hpke.NewKEM(config.KemID)
if err != nil {
c.sendAlert(alertInternalError)
return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKey Config KEM: %s", err)
}
echPriv, err := kem.NewPrivateKey(echKey.PrivateKey)
if err != nil {
c.sendAlert(alertInternalError)
return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKey PrivateKey: %s", err)
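Review bot: The two new `hpke.NewKEM` error branches handle the same failure in opposite ways and neither says why: in pickECHConfig it is skipped with a bare `continue`, while in processECHClientHello it sends `alertInternalError` and ends the handshake. In pickECHConfig the KEM ID comes from the parsed ECHConfigList, so an unknown ID is an expected case rather than a malformed config, and the branch deserves its own comment, for example `// Unsupported KEM ID: not an error, try the next config.`, to set it apart from the `NewPublicKey` branch below it. In processECHClientHello the value appears to come from the server's own configured key (inferred from `echKeys` and `config`; the derivation is outside the hunk), so I would add `// The KEM ID comes from our own configured key, so this is a local misconfiguration, not peer input.` above the `c.sendAlert` call. It is also worth confirming that returning here, rather than continuing to the remaining `echKeys`, is intended, since one unsupported entry then fails every ECH handshake that reaches it. Both function bodies extend beyond the visible hunks.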