...
Run Format

Source file src/pkg/crypto/tls/cipher_suites.go

     1	// Copyright 2010 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package tls
     6	
     7	import (
     8		"crypto/aes"
     9		"crypto/cipher"
    10		"crypto/des"
    11		"crypto/hmac"
    12		"crypto/rc4"
    13		"crypto/sha1"
    14		"crypto/x509"
    15		"hash"
    16	)
    17	
    18	// a keyAgreement implements the client and server side of a TLS key agreement
    19	// protocol by generating and processing key exchange messages.
    20	type keyAgreement interface {
    21		// On the server side, the first two methods are called in order.
    22	
    23		// In the case that the key agreement protocol doesn't use a
    24		// ServerKeyExchange message, generateServerKeyExchange can return nil,
    25		// nil.
    26		generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
    27		processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
    28	
    29		// On the client side, the next two methods are called in order.
    30	
    31		// This method may not be called if the server doesn't send a
    32		// ServerKeyExchange message.
    33		processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
    34		generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
    35	}
    36	
    37	const (
    38		// suiteECDH indicates that the cipher suite involves elliptic curve
    39		// Diffie-Hellman. This means that it should only be selected when the
    40		// client indicates that it supports ECC with a curve and point format
    41		// that we're happy with.
    42		suiteECDHE = 1 << iota
    43		// suiteECDSA indicates that the cipher suite involves an ECDSA
    44		// signature and therefore may only be selected when the server's
    45		// certificate is ECDSA. If this is not set then the cipher suite is
    46		// RSA based.
    47		suiteECDSA
    48		// suiteTLS12 indicates that the cipher suite should only be advertised
    49		// and accepted when using TLS 1.2.
    50		suiteTLS12
    51	)
    52	
    53	// A cipherSuite is a specific combination of key agreement, cipher and MAC
    54	// function. All cipher suites currently assume RSA key agreement.
    55	type cipherSuite struct {
    56		id uint16
    57		// the lengths, in bytes, of the key material needed for each component.
    58		keyLen int
    59		macLen int
    60		ivLen  int
    61		ka     func(version uint16) keyAgreement
    62		// flags is a bitmask of the suite* values, above.
    63		flags  int
    64		cipher func(key, iv []byte, isRead bool) interface{}
    65		mac    func(version uint16, macKey []byte) macFunction
    66		aead   func(key, fixedNonce []byte) cipher.AEAD
    67	}
    68	
    69	var cipherSuites = []*cipherSuite{
    70		// Ciphersuite order is chosen so that ECDHE comes before plain RSA
    71		// and RC4 comes before AES (because of the Lucky13 attack).
    72		{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
    73		{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
    74		{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil},
    75		{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherRC4, macSHA1, nil},
    76		{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    77		{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    78		{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    79		{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    80		{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil},
    81		{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    82		{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    83		{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
    84		{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
    85	}
    86	
    87	func cipherRC4(key, iv []byte, isRead bool) interface{} {
    88		cipher, _ := rc4.NewCipher(key)
    89		return cipher
    90	}
    91	
    92	func cipher3DES(key, iv []byte, isRead bool) interface{} {
    93		block, _ := des.NewTripleDESCipher(key)
    94		if isRead {
    95			return cipher.NewCBCDecrypter(block, iv)
    96		}
    97		return cipher.NewCBCEncrypter(block, iv)
    98	}
    99	
   100	func cipherAES(key, iv []byte, isRead bool) interface{} {
   101		block, _ := aes.NewCipher(key)
   102		if isRead {
   103			return cipher.NewCBCDecrypter(block, iv)
   104		}
   105		return cipher.NewCBCEncrypter(block, iv)
   106	}
   107	
   108	// macSHA1 returns a macFunction for the given protocol version.
   109	func macSHA1(version uint16, key []byte) macFunction {
   110		if version == VersionSSL30 {
   111			mac := ssl30MAC{
   112				h:   sha1.New(),
   113				key: make([]byte, len(key)),
   114			}
   115			copy(mac.key, key)
   116			return mac
   117		}
   118		return tls10MAC{hmac.New(sha1.New, key)}
   119	}
   120	
   121	type macFunction interface {
   122		Size() int
   123		MAC(digestBuf, seq, header, data []byte) []byte
   124	}
   125	
   126	// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
   127	// each call.
   128	type fixedNonceAEAD struct {
   129		// sealNonce and openNonce are buffers where the larger nonce will be
   130		// constructed. Since a seal and open operation may be running
   131		// concurrently, there is a separate buffer for each.
   132		sealNonce, openNonce []byte
   133		aead                 cipher.AEAD
   134	}
   135	
   136	func (f *fixedNonceAEAD) NonceSize() int { return 8 }
   137	func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
   138	
   139	func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
   140		copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
   141		return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
   142	}
   143	
   144	func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
   145		copy(f.openNonce[len(f.openNonce)-8:], nonce)
   146		return f.aead.Open(out, f.openNonce, plaintext, additionalData)
   147	}
   148	
   149	func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
   150		aes, err := aes.NewCipher(key)
   151		if err != nil {
   152			panic(err)
   153		}
   154		aead, err := cipher.NewGCM(aes)
   155		if err != nil {
   156			panic(err)
   157		}
   158	
   159		nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
   160		copy(nonce1, fixedNonce)
   161		copy(nonce2, fixedNonce)
   162	
   163		return &fixedNonceAEAD{nonce1, nonce2, aead}
   164	}
   165	
   166	// ssl30MAC implements the SSLv3 MAC function, as defined in
   167	// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
   168	type ssl30MAC struct {
   169		h   hash.Hash
   170		key []byte
   171	}
   172	
   173	func (s ssl30MAC) Size() int {
   174		return s.h.Size()
   175	}
   176	
   177	var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
   178	
   179	var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
   180	
   181	func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   182		padLength := 48
   183		if s.h.Size() == 20 {
   184			padLength = 40
   185		}
   186	
   187		s.h.Reset()
   188		s.h.Write(s.key)
   189		s.h.Write(ssl30Pad1[:padLength])
   190		s.h.Write(seq)
   191		s.h.Write(header[:1])
   192		s.h.Write(header[3:5])
   193		s.h.Write(data)
   194		digestBuf = s.h.Sum(digestBuf[:0])
   195	
   196		s.h.Reset()
   197		s.h.Write(s.key)
   198		s.h.Write(ssl30Pad2[:padLength])
   199		s.h.Write(digestBuf)
   200		return s.h.Sum(digestBuf[:0])
   201	}
   202	
   203	// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
   204	type tls10MAC struct {
   205		h hash.Hash
   206	}
   207	
   208	func (s tls10MAC) Size() int {
   209		return s.h.Size()
   210	}
   211	
   212	func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   213		s.h.Reset()
   214		s.h.Write(seq)
   215		s.h.Write(header)
   216		s.h.Write(data)
   217		return s.h.Sum(digestBuf[:0])
   218	}
   219	
   220	func rsaKA(version uint16) keyAgreement {
   221		return rsaKeyAgreement{}
   222	}
   223	
   224	func ecdheECDSAKA(version uint16) keyAgreement {
   225		return &ecdheKeyAgreement{
   226			sigType: signatureECDSA,
   227			version: version,
   228		}
   229	}
   230	
   231	func ecdheRSAKA(version uint16) keyAgreement {
   232		return &ecdheKeyAgreement{
   233			sigType: signatureRSA,
   234			version: version,
   235		}
   236	}
   237	
   238	// mutualCipherSuite returns a cipherSuite given a list of supported
   239	// ciphersuites and the id requested by the peer.
   240	func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
   241		for _, id := range have {
   242			if id == want {
   243				for _, suite := range cipherSuites {
   244					if suite.id == want {
   245						return suite
   246					}
   247				}
   248				return nil
   249			}
   250		}
   251		return nil
   252	}
   253	
   254	// A list of the possible cipher suite ids. Taken from
   255	// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
   256	const (
   257		TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
   258		TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
   259		TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
   260		TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
   261		TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
   262		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
   263		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
   264		TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
   265		TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
   266		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
   267		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
   268		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
   269		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
   270	)
   271	

View as plain text