...
Run Format

Source file src/crypto/tls/cipher_suites.go

     1	// Copyright 2010 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package tls
     6	
     7	import (
     8		"crypto/aes"
     9		"crypto/cipher"
    10		"crypto/des"
    11		"crypto/hmac"
    12		"crypto/rc4"
    13		"crypto/sha1"
    14		"crypto/x509"
    15		"hash"
    16	)
    17	
    18	// a keyAgreement implements the client and server side of a TLS key agreement
    19	// protocol by generating and processing key exchange messages.
    20	type keyAgreement interface {
    21		// On the server side, the first two methods are called in order.
    22	
    23		// In the case that the key agreement protocol doesn't use a
    24		// ServerKeyExchange message, generateServerKeyExchange can return nil,
    25		// nil.
    26		generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
    27		processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
    28	
    29		// On the client side, the next two methods are called in order.
    30	
    31		// This method may not be called if the server doesn't send a
    32		// ServerKeyExchange message.
    33		processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
    34		generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
    35	}
    36	
    37	const (
    38		// suiteECDH indicates that the cipher suite involves elliptic curve
    39		// Diffie-Hellman. This means that it should only be selected when the
    40		// client indicates that it supports ECC with a curve and point format
    41		// that we're happy with.
    42		suiteECDHE = 1 << iota
    43		// suiteECDSA indicates that the cipher suite involves an ECDSA
    44		// signature and therefore may only be selected when the server's
    45		// certificate is ECDSA. If this is not set then the cipher suite is
    46		// RSA based.
    47		suiteECDSA
    48		// suiteTLS12 indicates that the cipher suite should only be advertised
    49		// and accepted when using TLS 1.2.
    50		suiteTLS12
    51		// suiteSHA384 indicates that the cipher suite uses SHA384 as the
    52		// handshake hash.
    53		suiteSHA384
    54		// suiteDefaultOff indicates that this cipher suite is not included by
    55		// default.
    56		suiteDefaultOff
    57	)
    58	
    59	// A cipherSuite is a specific combination of key agreement, cipher and MAC
    60	// function. All cipher suites currently assume RSA key agreement.
    61	type cipherSuite struct {
    62		id uint16
    63		// the lengths, in bytes, of the key material needed for each component.
    64		keyLen int
    65		macLen int
    66		ivLen  int
    67		ka     func(version uint16) keyAgreement
    68		// flags is a bitmask of the suite* values, above.
    69		flags  int
    70		cipher func(key, iv []byte, isRead bool) interface{}
    71		mac    func(version uint16, macKey []byte) macFunction
    72		aead   func(key, fixedNonce []byte) cipher.AEAD
    73	}
    74	
    75	var cipherSuites = []*cipherSuite{
    76		// Ciphersuite order is chosen so that ECDHE comes before plain RSA
    77		// and RC4 comes before AES-CBC (because of the Lucky13 attack).
    78		{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
    79		{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
    80		{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    81		{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    82		{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
    83		{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
    84		{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    85		{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    86		{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    87		{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    88		{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
    89		{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    90		{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
    91		{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    92		{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    93		{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
    94		{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
    95	}
    96	
    97	func cipherRC4(key, iv []byte, isRead bool) interface{} {
    98		cipher, _ := rc4.NewCipher(key)
    99		return cipher
   100	}
   101	
   102	func cipher3DES(key, iv []byte, isRead bool) interface{} {
   103		block, _ := des.NewTripleDESCipher(key)
   104		if isRead {
   105			return cipher.NewCBCDecrypter(block, iv)
   106		}
   107		return cipher.NewCBCEncrypter(block, iv)
   108	}
   109	
   110	func cipherAES(key, iv []byte, isRead bool) interface{} {
   111		block, _ := aes.NewCipher(key)
   112		if isRead {
   113			return cipher.NewCBCDecrypter(block, iv)
   114		}
   115		return cipher.NewCBCEncrypter(block, iv)
   116	}
   117	
   118	// macSHA1 returns a macFunction for the given protocol version.
   119	func macSHA1(version uint16, key []byte) macFunction {
   120		if version == VersionSSL30 {
   121			mac := ssl30MAC{
   122				h:   sha1.New(),
   123				key: make([]byte, len(key)),
   124			}
   125			copy(mac.key, key)
   126			return mac
   127		}
   128		return tls10MAC{hmac.New(sha1.New, key)}
   129	}
   130	
   131	type macFunction interface {
   132		Size() int
   133		MAC(digestBuf, seq, header, data []byte) []byte
   134	}
   135	
   136	// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
   137	// each call.
   138	type fixedNonceAEAD struct {
   139		// sealNonce and openNonce are buffers where the larger nonce will be
   140		// constructed. Since a seal and open operation may be running
   141		// concurrently, there is a separate buffer for each.
   142		sealNonce, openNonce []byte
   143		aead                 cipher.AEAD
   144	}
   145	
   146	func (f *fixedNonceAEAD) NonceSize() int { return 8 }
   147	func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
   148	
   149	func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
   150		copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
   151		return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
   152	}
   153	
   154	func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
   155		copy(f.openNonce[len(f.openNonce)-8:], nonce)
   156		return f.aead.Open(out, f.openNonce, plaintext, additionalData)
   157	}
   158	
   159	func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
   160		aes, err := aes.NewCipher(key)
   161		if err != nil {
   162			panic(err)
   163		}
   164		aead, err := cipher.NewGCM(aes)
   165		if err != nil {
   166			panic(err)
   167		}
   168	
   169		nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
   170		copy(nonce1, fixedNonce)
   171		copy(nonce2, fixedNonce)
   172	
   173		return &fixedNonceAEAD{nonce1, nonce2, aead}
   174	}
   175	
   176	// ssl30MAC implements the SSLv3 MAC function, as defined in
   177	// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
   178	type ssl30MAC struct {
   179		h   hash.Hash
   180		key []byte
   181	}
   182	
   183	func (s ssl30MAC) Size() int {
   184		return s.h.Size()
   185	}
   186	
   187	var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
   188	
   189	var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
   190	
   191	func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   192		padLength := 48
   193		if s.h.Size() == 20 {
   194			padLength = 40
   195		}
   196	
   197		s.h.Reset()
   198		s.h.Write(s.key)
   199		s.h.Write(ssl30Pad1[:padLength])
   200		s.h.Write(seq)
   201		s.h.Write(header[:1])
   202		s.h.Write(header[3:5])
   203		s.h.Write(data)
   204		digestBuf = s.h.Sum(digestBuf[:0])
   205	
   206		s.h.Reset()
   207		s.h.Write(s.key)
   208		s.h.Write(ssl30Pad2[:padLength])
   209		s.h.Write(digestBuf)
   210		return s.h.Sum(digestBuf[:0])
   211	}
   212	
   213	// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
   214	type tls10MAC struct {
   215		h hash.Hash
   216	}
   217	
   218	func (s tls10MAC) Size() int {
   219		return s.h.Size()
   220	}
   221	
   222	func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
   223		s.h.Reset()
   224		s.h.Write(seq)
   225		s.h.Write(header)
   226		s.h.Write(data)
   227		return s.h.Sum(digestBuf[:0])
   228	}
   229	
   230	func rsaKA(version uint16) keyAgreement {
   231		return rsaKeyAgreement{}
   232	}
   233	
   234	func ecdheECDSAKA(version uint16) keyAgreement {
   235		return &ecdheKeyAgreement{
   236			sigType: signatureECDSA,
   237			version: version,
   238		}
   239	}
   240	
   241	func ecdheRSAKA(version uint16) keyAgreement {
   242		return &ecdheKeyAgreement{
   243			sigType: signatureRSA,
   244			version: version,
   245		}
   246	}
   247	
   248	// mutualCipherSuite returns a cipherSuite given a list of supported
   249	// ciphersuites and the id requested by the peer.
   250	func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
   251		for _, id := range have {
   252			if id == want {
   253				for _, suite := range cipherSuites {
   254					if suite.id == want {
   255						return suite
   256					}
   257				}
   258				return nil
   259			}
   260		}
   261		return nil
   262	}
   263	
   264	// A list of cipher suite IDs that are, or have been, implemented by this
   265	// package.
   266	//
   267	// Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
   268	const (
   269		TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
   270		TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
   271		TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
   272		TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
   273		TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
   274		TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
   275		TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
   276		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
   277		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
   278		TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
   279		TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
   280		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
   281		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
   282		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
   283		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
   284		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
   285		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
   286	
   287		// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
   288		// that the client is doing version fallback. See
   289		// https://tools.ietf.org/html/rfc7507.
   290		TLS_FALLBACK_SCSV uint16 = 0x5600
   291	)
   292	

View as plain text