...
Run Format

Source file src/crypto/tls/cipher_suites.go

     1	// Copyright 2010 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package tls
     6	
     7	import (
     8		"crypto/aes"
     9		"crypto/cipher"
    10		"crypto/des"
    11		"crypto/hmac"
    12		"crypto/rc4"
    13		"crypto/sha1"
    14		"crypto/x509"
    15		"hash"
    16	)
    17	
    18	// a keyAgreement implements the client and server side of a TLS key agreement
    19	// protocol by generating and processing key exchange messages.
    20	type keyAgreement interface {
    21		// On the server side, the first two methods are called in order.
    22	
    23		// In the case that the key agreement protocol doesn't use a
    24		// ServerKeyExchange message, generateServerKeyExchange can return nil,
    25		// nil.
    26		generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
    27		processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
    28	
    29		// On the client side, the next two methods are called in order.
    30	
    31		// This method may not be called if the server doesn't send a
    32		// ServerKeyExchange message.
    33		processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
    34		generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
    35	}
    36	
    37	const (
    38		// suiteECDH indicates that the cipher suite involves elliptic curve
    39		// Diffie-Hellman. This means that it should only be selected when the
    40		// client indicates that it supports ECC with a curve and point format
    41		// that we're happy with.
    42		suiteECDHE = 1 << iota
    43		// suiteECDSA indicates that the cipher suite involves an ECDSA
    44		// signature and therefore may only be selected when the server's
    45		// certificate is ECDSA. If this is not set then the cipher suite is
    46		// RSA based.
    47		suiteECDSA
    48		// suiteTLS12 indicates that the cipher suite should only be advertised
    49		// and accepted when using TLS 1.2.
    50		suiteTLS12
    51		// suiteSHA384 indicates that the cipher suite uses SHA384 as the
    52		// handshake hash.
    53		suiteSHA384
    54		// suiteDefaultOff indicates that this cipher suite is not included by
    55		// default.
    56		suiteDefaultOff
    57	)
    58	
    59	// A cipherSuite is a specific combination of key agreement, cipher and MAC
    60	// function. All cipher suites currently assume RSA key agreement.
    61	type cipherSuite struct {
    62		id uint16
    63		// the lengths, in bytes, of the key material needed for each component.
    64		keyLen int
    65		macLen int
    66		ivLen  int
    67		ka     func(version uint16) keyAgreement
    68		// flags is a bitmask of the suite* values, above.
    69		flags  int
    70		cipher func(key, iv []byte, isRead bool) interface{}
    71		mac    func(version uint16, macKey []byte) macFunction
    72		aead   func(key, fixedNonce []byte) cipher.AEAD
    73	}
    74	
    75	var cipherSuites = []*cipherSuite{
    76		// Ciphersuite order is chosen so that ECDHE comes before plain RSA
    77		// and RC4 comes before AES (because of the Lucky13 attack).
    78		{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
    79		{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
    80		{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    81		{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    82		{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
    83		{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
    84		{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    85		{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    86		{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    87		{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    88		{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
    89		{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    90		{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    91		{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
    92		{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
    93	}
    94	
    95	func cipherRC4(key, iv []byte, isRead bool) interface{} {
    96		cipher, _ := rc4.NewCipher(key)
    97		return cipher
    98	}
    99	
   100	func cipher3DES(key, iv []byte, isRead bool) interface{} {
   101		block, _ := des.NewTripleDESCipher(key)
   102		if isRead {
   103			return cipher.NewCBCDecrypter(block, iv)
   104		}
   105		return cipher.NewCBCEncrypter(block, iv)
   106	}
   107	
   108	func cipherAES(key, iv []byte, isRead bool) interface{} {
   109		block, _ := aes.NewCipher(key)
   110		if isRead {
   111			return cipher.NewCBCDecrypter(block, iv)
   112		}
   113		return cipher.NewCBCEncrypter(block, iv)
   114	}
   115	
   116	// macSHA1 returns a macFunction for the given protocol version.
   117	func macSHA1(version uint16, key []byte) macFunction {
   118		if version == VersionSSL30 {
   119			mac := ssl30MAC{
   120				h:   sha1.New(),
   121				key: make([]byte, len(key)),
   122			}
   123			copy(mac.key, key)
   124			return mac
   125		}
   126		return tls10MAC{hmac.New(sha1.New, key)}
   127	}
   128	
   129	type macFunction interface {
   130		Size() int
   131		MAC(digestBuf, seq, header, data []byte) []byte
   132	}
   133	
   134	// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
   135	// each call.
   136	type fixedNonceAEAD struct {
   137		// sealNonce and openNonce are buffers where the larger nonce will be
   138		// constructed. Since a seal and open operation may be running
   139		// concurrently, there is a separate buffer for each.
   140		sealNonce, openNonce []byte
   141		aead                 cipher.AEAD
   142	}
   143	
   144	func (f *fixedNonceAEAD) NonceSize() int { return 8 }
   145	func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
   146	
   147	func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
   148		copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
   149		return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
   150	}
   151	
   152	func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
   153		copy(f.openNonce[len(f.openNonce)-8:], nonce)
   154		return f.aead.Open(out, f.openNonce, plaintext, additionalData)
   155	}
   156	
   157	func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
   158		aes, err := aes.NewCipher(key)
   159		if err != nil {
   160			panic(err)
   161		}
   162		aead, err := cipher.NewGCM(aes)
   163		if err != nil {
   164			panic(err)
   165		}
   166	
   167		nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
   168		copy(nonce1, fixedNonce)
   169		copy(nonce2, fixedNonce)
   170	
   171		return &fixedNonceAEAD{nonce1, nonce2, aead}
   172	}
   173	
   174	// ssl30MAC implements the SSLv3 MAC function, as defined in
   175	// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
   176	type ssl30MAC struct {
   177		h   hash.Hash
   178		key []byte
   179	}
   180	
   181	func (s ssl30MAC) Size() int {
   182		return s.h.Size()
   183	}
   184	
   185	var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
   186	
   187	var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
   188	
   189	func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   190		padLength := 48
   191		if s.h.Size() == 20 {
   192			padLength = 40
   193		}
   194	
   195		s.h.Reset()
   196		s.h.Write(s.key)
   197		s.h.Write(ssl30Pad1[:padLength])
   198		s.h.Write(seq)
   199		s.h.Write(header[:1])
   200		s.h.Write(header[3:5])
   201		s.h.Write(data)
   202		digestBuf = s.h.Sum(digestBuf[:0])
   203	
   204		s.h.Reset()
   205		s.h.Write(s.key)
   206		s.h.Write(ssl30Pad2[:padLength])
   207		s.h.Write(digestBuf)
   208		return s.h.Sum(digestBuf[:0])
   209	}
   210	
   211	// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
   212	type tls10MAC struct {
   213		h hash.Hash
   214	}
   215	
   216	func (s tls10MAC) Size() int {
   217		return s.h.Size()
   218	}
   219	
   220	func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   221		s.h.Reset()
   222		s.h.Write(seq)
   223		s.h.Write(header)
   224		s.h.Write(data)
   225		return s.h.Sum(digestBuf[:0])
   226	}
   227	
   228	func rsaKA(version uint16) keyAgreement {
   229		return rsaKeyAgreement{}
   230	}
   231	
   232	func ecdheECDSAKA(version uint16) keyAgreement {
   233		return &ecdheKeyAgreement{
   234			sigType: signatureECDSA,
   235			version: version,
   236		}
   237	}
   238	
   239	func ecdheRSAKA(version uint16) keyAgreement {
   240		return &ecdheKeyAgreement{
   241			sigType: signatureRSA,
   242			version: version,
   243		}
   244	}
   245	
   246	// mutualCipherSuite returns a cipherSuite given a list of supported
   247	// ciphersuites and the id requested by the peer.
   248	func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
   249		for _, id := range have {
   250			if id == want {
   251				for _, suite := range cipherSuites {
   252					if suite.id == want {
   253						return suite
   254					}
   255				}
   256				return nil
   257			}
   258		}
   259		return nil
   260	}
   261	
   262	// A list of the possible cipher suite ids. Taken from
   263	// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
   264	const (
   265		TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
   266		TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
   267		TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
   268		TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
   269		TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
   270		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
   271		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
   272		TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
   273		TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
   274		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
   275		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
   276		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
   277		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
   278		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
   279		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
   280	
   281		// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
   282		// that the client is doing version fallback. See
   283		// https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00.
   284		TLS_FALLBACK_SCSV uint16 = 0x5600
   285	)
   286	

View as plain text