Source file
src/crypto/tls/cipher_suites.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto"
9 "crypto/aes"
10 "crypto/cipher"
11 "crypto/des"
12 "crypto/hmac"
13 "crypto/rc4"
14 "crypto/sha1"
15 "crypto/sha256"
16 "crypto/x509"
17 "fmt"
18 "hash"
19
20 "golang.org/x/crypto/chacha20poly1305"
21 )
22
23
24
25 type CipherSuite struct {
26 ID uint16
27 Name string
28
29
30
31 SupportedVersions []uint16
32
33
34
35 Insecure bool
36 }
37
38 var (
39 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12}
40 supportedOnlyTLS12 = []uint16{VersionTLS12}
41 supportedOnlyTLS13 = []uint16{VersionTLS13}
42 )
43
44
45
46
47
48
49
50 func CipherSuites() []*CipherSuite {
51 return []*CipherSuite{
52 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false},
53 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
54 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
55 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
56 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
57
58 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false},
59 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false},
60 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false},
61
62 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
63 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
64 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false},
65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
73 }
74 }
75
76
77
78
79
80
81 func InsecureCipherSuites() []*CipherSuite {
82
83
84 return []*CipherSuite{
85 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
86 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
87 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
88 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
89 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
90 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
91 }
92 }
93
94
95
96
97 func CipherSuiteName(id uint16) string {
98 for _, c := range CipherSuites() {
99 if c.ID == id {
100 return c.Name
101 }
102 }
103 for _, c := range InsecureCipherSuites() {
104 if c.ID == id {
105 return c.Name
106 }
107 }
108 return fmt.Sprintf("0x%04X", id)
109 }
110
111
112
113 type keyAgreement interface {
114
115
116
117
118
119 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
120 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
121
122
123
124
125
126 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
127 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
128 }
129
130 const (
131
132
133
134
135 suiteECDHE = 1 << iota
136
137
138
139
140 suiteECSign
141
142
143 suiteTLS12
144
145
146 suiteSHA384
147
148
149 suiteDefaultOff
150 )
151
152
153 type cipherSuite struct {
154 id uint16
155
156 keyLen int
157 macLen int
158 ivLen int
159 ka func(version uint16) keyAgreement
160
161 flags int
162 cipher func(key, iv []byte, isRead bool) interface{}
163 mac func(version uint16, macKey []byte) macFunction
164 aead func(key, fixedNonce []byte) aead
165 }
166
167 var cipherSuites = []*cipherSuite{
168
169
170 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
171 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
172 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
173 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
174 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
175 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
176 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
177 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
178 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
179 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
180 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
181 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
182 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
183 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
184 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
185 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
186 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
187 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
188 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
189
190
191 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
192 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
193 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteDefaultOff, cipherRC4, macSHA1, nil},
194 }
195
196
197
198 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
199 for _, id := range ids {
200 candidate := cipherSuiteByID(id)
201 if candidate == nil || !ok(candidate) {
202 continue
203 }
204
205 for _, suppID := range supportedIDs {
206 if id == suppID {
207 return candidate
208 }
209 }
210 }
211 return nil
212 }
213
214
215
216 type cipherSuiteTLS13 struct {
217 id uint16
218 keyLen int
219 aead func(key, fixedNonce []byte) aead
220 hash crypto.Hash
221 }
222
223 var cipherSuitesTLS13 = []*cipherSuiteTLS13{
224 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
225 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
226 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
227 }
228
229 func cipherRC4(key, iv []byte, isRead bool) interface{} {
230 cipher, _ := rc4.NewCipher(key)
231 return cipher
232 }
233
234 func cipher3DES(key, iv []byte, isRead bool) interface{} {
235 block, _ := des.NewTripleDESCipher(key)
236 if isRead {
237 return cipher.NewCBCDecrypter(block, iv)
238 }
239 return cipher.NewCBCEncrypter(block, iv)
240 }
241
242 func cipherAES(key, iv []byte, isRead bool) interface{} {
243 block, _ := aes.NewCipher(key)
244 if isRead {
245 return cipher.NewCBCDecrypter(block, iv)
246 }
247 return cipher.NewCBCEncrypter(block, iv)
248 }
249
250
251 func macSHA1(version uint16, key []byte) macFunction {
252 return tls10MAC{h: hmac.New(newConstantTimeHash(sha1.New), key)}
253 }
254
255
256
257 func macSHA256(version uint16, key []byte) macFunction {
258 return tls10MAC{h: hmac.New(sha256.New, key)}
259 }
260
261 type macFunction interface {
262
263 Size() int
264
265
266
267 MAC(seq, header, data, extra []byte) []byte
268 }
269
270 type aead interface {
271 cipher.AEAD
272
273
274
275
276 explicitNonceLen() int
277 }
278
279 const (
280 aeadNonceLength = 12
281 noncePrefixLength = 4
282 )
283
284
285
286 type prefixNonceAEAD struct {
287
288 nonce [aeadNonceLength]byte
289 aead cipher.AEAD
290 }
291
292 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength }
293 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() }
294 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }
295
296 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
297 copy(f.nonce[4:], nonce)
298 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
299 }
300
301 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
302 copy(f.nonce[4:], nonce)
303 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
304 }
305
306
307
308 type xorNonceAEAD struct {
309 nonceMask [aeadNonceLength]byte
310 aead cipher.AEAD
311 }
312
313 func (f *xorNonceAEAD) NonceSize() int { return 8 }
314 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() }
315 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
316
317 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
318 for i, b := range nonce {
319 f.nonceMask[4+i] ^= b
320 }
321 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
322 for i, b := range nonce {
323 f.nonceMask[4+i] ^= b
324 }
325
326 return result
327 }
328
329 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
330 for i, b := range nonce {
331 f.nonceMask[4+i] ^= b
332 }
333 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
334 for i, b := range nonce {
335 f.nonceMask[4+i] ^= b
336 }
337
338 return result, err
339 }
340
341 func aeadAESGCM(key, noncePrefix []byte) aead {
342 if len(noncePrefix) != noncePrefixLength {
343 panic("tls: internal error: wrong nonce length")
344 }
345 aes, err := aes.NewCipher(key)
346 if err != nil {
347 panic(err)
348 }
349 aead, err := cipher.NewGCM(aes)
350 if err != nil {
351 panic(err)
352 }
353
354 ret := &prefixNonceAEAD{aead: aead}
355 copy(ret.nonce[:], noncePrefix)
356 return ret
357 }
358
359 func aeadAESGCMTLS13(key, nonceMask []byte) aead {
360 if len(nonceMask) != aeadNonceLength {
361 panic("tls: internal error: wrong nonce length")
362 }
363 aes, err := aes.NewCipher(key)
364 if err != nil {
365 panic(err)
366 }
367 aead, err := cipher.NewGCM(aes)
368 if err != nil {
369 panic(err)
370 }
371
372 ret := &xorNonceAEAD{aead: aead}
373 copy(ret.nonceMask[:], nonceMask)
374 return ret
375 }
376
377 func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
378 if len(nonceMask) != aeadNonceLength {
379 panic("tls: internal error: wrong nonce length")
380 }
381 aead, err := chacha20poly1305.New(key)
382 if err != nil {
383 panic(err)
384 }
385
386 ret := &xorNonceAEAD{aead: aead}
387 copy(ret.nonceMask[:], nonceMask)
388 return ret
389 }
390
391 type constantTimeHash interface {
392 hash.Hash
393 ConstantTimeSum(b []byte) []byte
394 }
395
396
397
398 type cthWrapper struct {
399 h constantTimeHash
400 }
401
402 func (c *cthWrapper) Size() int { return c.h.Size() }
403 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() }
404 func (c *cthWrapper) Reset() { c.h.Reset() }
405 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
406 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
407
408 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
409 return func() hash.Hash {
410 return &cthWrapper{h().(constantTimeHash)}
411 }
412 }
413
414
415 type tls10MAC struct {
416 h hash.Hash
417 buf []byte
418 }
419
420 func (s tls10MAC) Size() int {
421 return s.h.Size()
422 }
423
424
425
426
427 func (s tls10MAC) MAC(seq, header, data, extra []byte) []byte {
428 s.h.Reset()
429 s.h.Write(seq)
430 s.h.Write(header)
431 s.h.Write(data)
432 res := s.h.Sum(s.buf[:0])
433 if extra != nil {
434 s.h.Write(extra)
435 }
436 return res
437 }
438
439 func rsaKA(version uint16) keyAgreement {
440 return rsaKeyAgreement{}
441 }
442
443 func ecdheECDSAKA(version uint16) keyAgreement {
444 return &ecdheKeyAgreement{
445 isRSA: false,
446 version: version,
447 }
448 }
449
450 func ecdheRSAKA(version uint16) keyAgreement {
451 return &ecdheKeyAgreement{
452 isRSA: true,
453 version: version,
454 }
455 }
456
457
458
459 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
460 for _, id := range have {
461 if id == want {
462 return cipherSuiteByID(id)
463 }
464 }
465 return nil
466 }
467
468 func cipherSuiteByID(id uint16) *cipherSuite {
469 for _, cipherSuite := range cipherSuites {
470 if cipherSuite.id == id {
471 return cipherSuite
472 }
473 }
474 return nil
475 }
476
477 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
478 for _, id := range have {
479 if id == want {
480 return cipherSuiteTLS13ByID(id)
481 }
482 }
483 return nil
484 }
485
486 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 {
487 for _, cipherSuite := range cipherSuitesTLS13 {
488 if cipherSuite.id == id {
489 return cipherSuite
490 }
491 }
492 return nil
493 }
494
495
496
497
498
499 const (
500
501 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
502 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
503 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
504 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
505 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
506 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
507 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
508 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
509 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
510 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
511 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
512 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
513 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
514 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
515 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
516 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
517 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
518 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
519 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
520 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
521 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8
522 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
523
524
525 TLS_AES_128_GCM_SHA256 uint16 = 0x1301
526 TLS_AES_256_GCM_SHA384 uint16 = 0x1302
527 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
528
529
530
531 TLS_FALLBACK_SCSV uint16 = 0x5600
532
533
534
535 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
536 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
537 )
538
View as plain text