Source file
src/crypto/tls/cipher_suites.go
1
2
3
4
5 package tls
6
7 import (
8 "crypto"
9 "crypto/aes"
10 "crypto/cipher"
11 "crypto/des"
12 "crypto/hmac"
13 "crypto/rc4"
14 "crypto/sha1"
15 "crypto/sha256"
16 "fmt"
17 "hash"
18 "internal/cpu"
19 "runtime"
20
21 "golang.org/x/crypto/chacha20poly1305"
22 )
23
24
25
26 type CipherSuite struct {
27 ID uint16
28 Name string
29
30
31
32 SupportedVersions []uint16
33
34
35
36 Insecure bool
37 }
38
39 var (
40 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12}
41 supportedOnlyTLS12 = []uint16{VersionTLS12}
42 supportedOnlyTLS13 = []uint16{VersionTLS13}
43 )
44
45
46
47
48
49
50
51
52 func CipherSuites() []*CipherSuite {
53 return []*CipherSuite{
54 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
55 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
56 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
57 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
58
59 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false},
60 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false},
61 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false},
62
63 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
64 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
73 }
74 }
75
76
77
78
79
80
81 func InsecureCipherSuites() []*CipherSuite {
82
83
84 return []*CipherSuite{
85 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
86 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true},
87 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
88 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
89 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
90 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true},
91 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
92 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
93 }
94 }
95
96
97
98
99 func CipherSuiteName(id uint16) string {
100 for _, c := range CipherSuites() {
101 if c.ID == id {
102 return c.Name
103 }
104 }
105 for _, c := range InsecureCipherSuites() {
106 if c.ID == id {
107 return c.Name
108 }
109 }
110 return fmt.Sprintf("0x%04X", id)
111 }
112
113 const (
114
115
116
117
118 suiteECDHE = 1 << iota
119
120
121
122
123 suiteECSign
124
125
126 suiteTLS12
127
128
129 suiteSHA384
130 )
131
132
133
134 type cipherSuite struct {
135 id uint16
136
137 keyLen int
138 macLen int
139 ivLen int
140 ka func(version uint16) keyAgreement
141
142 flags int
143 cipher func(key, iv []byte, isRead bool) interface{}
144 mac func(key []byte) hash.Hash
145 aead func(key, fixedNonce []byte) aead
146 }
147
148 var cipherSuites = []*cipherSuite{
149 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
150 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
151 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
152 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
153 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
154 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
155 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
156 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
157 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil},
158 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
159 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
160 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
161 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
162 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
163 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
164 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
165 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
166 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
167 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
168 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil},
169 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil},
170 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil},
171 }
172
173
174
175 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
176 for _, id := range ids {
177 candidate := cipherSuiteByID(id)
178 if candidate == nil || !ok(candidate) {
179 continue
180 }
181
182 for _, suppID := range supportedIDs {
183 if id == suppID {
184 return candidate
185 }
186 }
187 }
188 return nil
189 }
190
191
192
193 type cipherSuiteTLS13 struct {
194 id uint16
195 keyLen int
196 aead func(key, fixedNonce []byte) aead
197 hash crypto.Hash
198 }
199
200 var cipherSuitesTLS13 = []*cipherSuiteTLS13{
201 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
202 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
203 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
204 }
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271 var cipherSuitesPreferenceOrder = []uint16{
272
273 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
274 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
275 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
276
277
278 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
279 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
280
281
282 TLS_RSA_WITH_AES_128_GCM_SHA256,
283 TLS_RSA_WITH_AES_256_GCM_SHA384,
284
285
286 TLS_RSA_WITH_AES_128_CBC_SHA,
287 TLS_RSA_WITH_AES_256_CBC_SHA,
288
289
290 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
291 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
292
293
294 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
295 TLS_RSA_WITH_AES_128_CBC_SHA256,
296
297
298 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
299 TLS_RSA_WITH_RC4_128_SHA,
300 }
301
302 var cipherSuitesPreferenceOrderNoAES = []uint16{
303
304 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
305
306
307 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
308 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
309
310
311 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
312 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
313 TLS_RSA_WITH_AES_128_GCM_SHA256,
314 TLS_RSA_WITH_AES_256_GCM_SHA384,
315 TLS_RSA_WITH_AES_128_CBC_SHA,
316 TLS_RSA_WITH_AES_256_CBC_SHA,
317 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
318 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
319 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
320 TLS_RSA_WITH_AES_128_CBC_SHA256,
321 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
322 TLS_RSA_WITH_RC4_128_SHA,
323 }
324
325
326
327 var disabledCipherSuites = []uint16{
328
329 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
330 TLS_RSA_WITH_AES_128_CBC_SHA256,
331
332
333 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
334 TLS_RSA_WITH_RC4_128_SHA,
335 }
336
337 var (
338 defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
339 defaultCipherSuites = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
340 )
341
342
343
344
345 var defaultCipherSuitesTLS13 = []uint16{
346 TLS_AES_128_GCM_SHA256,
347 TLS_AES_256_GCM_SHA384,
348 TLS_CHACHA20_POLY1305_SHA256,
349 }
350
351 var defaultCipherSuitesTLS13NoAES = []uint16{
352 TLS_CHACHA20_POLY1305_SHA256,
353 TLS_AES_128_GCM_SHA256,
354 TLS_AES_256_GCM_SHA384,
355 }
356
357 var (
358 hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
359 hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
360
361 hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
362 (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
363
364 hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
365 runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
366 runtime.GOARCH == "s390x" && hasGCMAsmS390X
367 )
368
369 var aesgcmCiphers = map[uint16]bool{
370
371 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true,
372 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: true,
373 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
374 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
375
376 TLS_AES_128_GCM_SHA256: true,
377 TLS_AES_256_GCM_SHA384: true,
378 }
379
380 var nonAESGCMAEADCiphers = map[uint16]bool{
381
382 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: true,
383 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: true,
384
385 TLS_CHACHA20_POLY1305_SHA256: true,
386 }
387
388
389
390 func aesgcmPreferred(ciphers []uint16) bool {
391 for _, cID := range ciphers {
392 if c := cipherSuiteByID(cID); c != nil {
393 return aesgcmCiphers[cID]
394 }
395 if c := cipherSuiteTLS13ByID(cID); c != nil {
396 return aesgcmCiphers[cID]
397 }
398 }
399 return false
400 }
401
402 func cipherRC4(key, iv []byte, isRead bool) interface{} {
403 cipher, _ := rc4.NewCipher(key)
404 return cipher
405 }
406
407 func cipher3DES(key, iv []byte, isRead bool) interface{} {
408 block, _ := des.NewTripleDESCipher(key)
409 if isRead {
410 return cipher.NewCBCDecrypter(block, iv)
411 }
412 return cipher.NewCBCEncrypter(block, iv)
413 }
414
415 func cipherAES(key, iv []byte, isRead bool) interface{} {
416 block, _ := aes.NewCipher(key)
417 if isRead {
418 return cipher.NewCBCDecrypter(block, iv)
419 }
420 return cipher.NewCBCEncrypter(block, iv)
421 }
422
423
424 func macSHA1(key []byte) hash.Hash {
425 return hmac.New(newConstantTimeHash(sha1.New), key)
426 }
427
428
429
430 func macSHA256(key []byte) hash.Hash {
431 return hmac.New(sha256.New, key)
432 }
433
434 type aead interface {
435 cipher.AEAD
436
437
438
439
440 explicitNonceLen() int
441 }
442
443 const (
444 aeadNonceLength = 12
445 noncePrefixLength = 4
446 )
447
448
449
450 type prefixNonceAEAD struct {
451
452 nonce [aeadNonceLength]byte
453 aead cipher.AEAD
454 }
455
456 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength }
457 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() }
458 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }
459
460 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
461 copy(f.nonce[4:], nonce)
462 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
463 }
464
465 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
466 copy(f.nonce[4:], nonce)
467 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
468 }
469
470
471
472 type xorNonceAEAD struct {
473 nonceMask [aeadNonceLength]byte
474 aead cipher.AEAD
475 }
476
477 func (f *xorNonceAEAD) NonceSize() int { return 8 }
478 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() }
479 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
480
481 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
482 for i, b := range nonce {
483 f.nonceMask[4+i] ^= b
484 }
485 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
486 for i, b := range nonce {
487 f.nonceMask[4+i] ^= b
488 }
489
490 return result
491 }
492
493 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
494 for i, b := range nonce {
495 f.nonceMask[4+i] ^= b
496 }
497 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
498 for i, b := range nonce {
499 f.nonceMask[4+i] ^= b
500 }
501
502 return result, err
503 }
504
505 func aeadAESGCM(key, noncePrefix []byte) aead {
506 if len(noncePrefix) != noncePrefixLength {
507 panic("tls: internal error: wrong nonce length")
508 }
509 aes, err := aes.NewCipher(key)
510 if err != nil {
511 panic(err)
512 }
513 aead, err := cipher.NewGCM(aes)
514 if err != nil {
515 panic(err)
516 }
517
518 ret := &prefixNonceAEAD{aead: aead}
519 copy(ret.nonce[:], noncePrefix)
520 return ret
521 }
522
523 func aeadAESGCMTLS13(key, nonceMask []byte) aead {
524 if len(nonceMask) != aeadNonceLength {
525 panic("tls: internal error: wrong nonce length")
526 }
527 aes, err := aes.NewCipher(key)
528 if err != nil {
529 panic(err)
530 }
531 aead, err := cipher.NewGCM(aes)
532 if err != nil {
533 panic(err)
534 }
535
536 ret := &xorNonceAEAD{aead: aead}
537 copy(ret.nonceMask[:], nonceMask)
538 return ret
539 }
540
541 func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
542 if len(nonceMask) != aeadNonceLength {
543 panic("tls: internal error: wrong nonce length")
544 }
545 aead, err := chacha20poly1305.New(key)
546 if err != nil {
547 panic(err)
548 }
549
550 ret := &xorNonceAEAD{aead: aead}
551 copy(ret.nonceMask[:], nonceMask)
552 return ret
553 }
554
555 type constantTimeHash interface {
556 hash.Hash
557 ConstantTimeSum(b []byte) []byte
558 }
559
560
561
562 type cthWrapper struct {
563 h constantTimeHash
564 }
565
566 func (c *cthWrapper) Size() int { return c.h.Size() }
567 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() }
568 func (c *cthWrapper) Reset() { c.h.Reset() }
569 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
570 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
571
572 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
573 return func() hash.Hash {
574 return &cthWrapper{h().(constantTimeHash)}
575 }
576 }
577
578
579 func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
580 h.Reset()
581 h.Write(seq)
582 h.Write(header)
583 h.Write(data)
584 res := h.Sum(out)
585 if extra != nil {
586 h.Write(extra)
587 }
588 return res
589 }
590
591 func rsaKA(version uint16) keyAgreement {
592 return rsaKeyAgreement{}
593 }
594
595 func ecdheECDSAKA(version uint16) keyAgreement {
596 return &ecdheKeyAgreement{
597 isRSA: false,
598 version: version,
599 }
600 }
601
602 func ecdheRSAKA(version uint16) keyAgreement {
603 return &ecdheKeyAgreement{
604 isRSA: true,
605 version: version,
606 }
607 }
608
609
610
611 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
612 for _, id := range have {
613 if id == want {
614 return cipherSuiteByID(id)
615 }
616 }
617 return nil
618 }
619
620 func cipherSuiteByID(id uint16) *cipherSuite {
621 for _, cipherSuite := range cipherSuites {
622 if cipherSuite.id == id {
623 return cipherSuite
624 }
625 }
626 return nil
627 }
628
629 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
630 for _, id := range have {
631 if id == want {
632 return cipherSuiteTLS13ByID(id)
633 }
634 }
635 return nil
636 }
637
638 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 {
639 for _, cipherSuite := range cipherSuitesTLS13 {
640 if cipherSuite.id == id {
641 return cipherSuite
642 }
643 }
644 return nil
645 }
646
647
648
649
650
651 const (
652
653 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
654 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
655 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
656 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
657 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
658 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
659 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
660 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
661 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
662 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
663 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
664 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
665 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
666 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
667 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
668 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
669 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
670 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
671 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
672 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
673 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8
674 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
675
676
677 TLS_AES_128_GCM_SHA256 uint16 = 0x1301
678 TLS_AES_256_GCM_SHA384 uint16 = 0x1302
679 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
680
681
682
683 TLS_FALLBACK_SCSV uint16 = 0x5600
684
685
686
687 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
688 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
689 )
690
View as plain text