src/crypto/tls/cipher_suites.go
5 package tls
6
7 import (
8 "crypto"
9 "crypto/aes"
10 "crypto/cipher"
11 "crypto/des"
12 "crypto/hmac"
13 "crypto/internal/boring"
14 "crypto/rc4"
15 "crypto/sha1"
16 "crypto/sha256"
17 "fmt"
18 "hash"
19 "internal/cpu"
20 "runtime"
21
22 "golang.org/x/crypto/chacha20poly1305"
23 )
24
25
26
// CipherSuite is the public description of a TLS cipher suite as returned by
// CipherSuites and InsecureCipherSuites. Most other APIs in this file
// identify a suite by its uint16 ID rather than by this type.
type CipherSuite struct {
	ID   uint16
	Name string

	// SupportedVersions lists the protocol versions the suite may be
	// negotiated with; the entries below always use one of the
	// supportedUpToTLS12 / supportedOnlyTLS12 / supportedOnlyTLS13 sets.
	SupportedVersions []uint16

	// Insecure is false for every suite returned by CipherSuites and true
	// for every suite returned by InsecureCipherSuites (RC4, 3DES and the
	// CBC-mode *_SHA256 suites).
	Insecure bool
}
39
// Version sets shared by the CipherSuite entries below, so that every suite
// with the same version policy points at the same slice.
var (
	supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12}
	supportedOnlyTLS12 = []uint16{VersionTLS12}
	supportedOnlyTLS13 = []uint16{VersionTLS13}
)
45
46
47
48
49
50
51
52
// CipherSuites returns a fresh list of the cipher suites this package
// implements that are not marked Insecure: the TLS 1.0–1.2 RSA and ECDHE
// suites (AES-CBC-SHA, AES-GCM, ChaCha20-Poly1305) and the three TLS 1.3
// suites. The list is built on every call, so callers may modify it freely.
// The order here is a listing order, not the negotiation preference (see
// cipherSuitesPreferenceOrder).
func CipherSuites() []*CipherSuite {
	// secure builds one entry; everything in this list has Insecure == false.
	secure := func(id uint16, name string, versions []uint16) *CipherSuite {
		return &CipherSuite{ID: id, Name: name, SupportedVersions: versions, Insecure: false}
	}
	return []*CipherSuite{
		secure(TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		secure(TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		secure(TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		secure(TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),

		secure(TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13),
		secure(TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13),
		secure(TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13),

		secure(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		secure(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		secure(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		secure(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		secure(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		secure(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),
		secure(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		secure(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),
		secure(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12),
		secure(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12),
	}
}
76
77
78
79
80
81
// InsecureCipherSuites returns a fresh list of the suites this package
// implements but marks Insecure: the RC4 and 3DES suites and the CBC-mode
// *_SHA256 suites. Every entry has Insecure == true. The RC4 and CBC_SHA256
// entries are also listed in disabledCipherSuites and therefore excluded
// from defaultCipherSuites; the two 3DES entries stay at the bottom of
// cipherSuitesPreferenceOrder. Applications should prefer CipherSuites.
func InsecureCipherSuites() []*CipherSuite {
	// insecure builds one entry with Insecure set.
	insecure := func(id uint16, name string, versions []uint16) *CipherSuite {
		return &CipherSuite{ID: id, Name: name, SupportedVersions: versions, Insecure: true}
	}
	return []*CipherSuite{
		insecure(TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		insecure(TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12),
		insecure(TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
		insecure(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		insecure(TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		insecure(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12),
		insecure(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
		insecure(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
	}
}
96
97
98
99
// CipherSuiteName returns the standard name of the suite with the given ID,
// searching CipherSuites first and then InsecureCipherSuites. An ID found in
// neither list is rendered as its hexadecimal value, e.g. "0x1301" style
// "0x%04X", so the result is always printable for logging.
func CipherSuiteName(id uint16) string {
	lists := [][]*CipherSuite{CipherSuites(), InsecureCipherSuites()}
	for _, list := range lists {
		for _, suite := range list {
			if suite.ID == id {
				return suite.Name
			}
		}
	}
	return fmt.Sprintf("0x%04X", id)
}
113
// Flags OR-ed together in cipherSuite.flags. Which entries carry which flag
// is visible in the cipherSuites table; how the handshake acts on them is
// outside this file.
const (
	// suiteECDHE marks every ECDHE_* entry (ka is ecdheRSAKA or
	// ecdheECDSAKA).
	suiteECDHE = 1 << iota
	// suiteECSign marks the ECDHE_ECDSA_* entries, whose server signature
	// is ECDSA rather than RSA. In the table it is always set together with
	// suiteECDHE.
	suiteECSign
	// suiteTLS12 marks the entries the table pairs only with TLS 1.2: all
	// AEAD suites and the CBC *_SHA256 suites.
	suiteTLS12
	// suiteSHA384 marks the *_SHA384 entries; presumably it selects a
	// SHA-384 based PRF/hash in the handshake — confirm in the PRF code.
	suiteSHA384
)
132
133
134
// cipherSuite is the internal description of a TLS 1.0–1.2 suite. Exactly
// one of (cipher, mac) or aead is populated for each entry of the
// cipherSuites table: CBC and RC4 suites set cipher and mac with aead nil,
// AEAD suites set aead with cipher and mac nil.
type cipherSuite struct {
	id uint16
	// keyLen, macLen and ivLen are lengths in bytes. In the table macLen is
	// 20 for SHA-1 and 32 for SHA-256 MACs and 0 for AEADs; ivLen is the CBC
	// block size for block ciphers, 0 for RC4, and for AEADs the length of
	// the fixed nonce material handed to aead (4 for the GCM prefix, 12 for
	// the ChaCha20-Poly1305 mask).
	keyLen int
	macLen int
	ivLen  int
	// ka returns the key agreement implementation for the negotiated
	// protocol version.
	ka func(version uint16) keyAgreement
	// flags is an OR of the suite* constants above.
	flags int
	// cipher returns a CBC BlockMode or an RC4 stream cipher (as any),
	// for the read or write direction.
	cipher func(key, iv []byte, isRead bool) any
	mac    func(key []byte) hash.Hash
	aead   func(key, fixedNonce []byte) aead
}
148
// cipherSuites is the table of TLS 1.0–1.2 suites this package implements,
// looked up by cipherSuiteByID. The order of this table is NOT the
// negotiation preference — that is cipherSuitesPreferenceOrder. Fields are
// positional: id, keyLen, macLen, ivLen, ka, flags, cipher, mac, aead. The
// key/IV lengths here are what make the unchecked-error cipher constructors
// below safe, so a new row must match what its cipher/aead constructor
// accepts.
var cipherSuites = []*cipherSuite{
	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
	// Legacy suites: 3DES (24-byte key, 8-byte block) and RC4 (no IV).
	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil},
	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil},
}
173
174
175
// selectCipherSuite returns the first ID in ids (so ids, not supportedIDs,
// determines precedence) that is a known TLS 1.0–1.2 suite, satisfies the
// ok predicate, and is also present in supportedIDs. It returns nil when no
// ID qualifies. ok is only invoked for IDs that exist in cipherSuites.
func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
	supported := func(id uint16) bool {
		for _, s := range supportedIDs {
			if s == id {
				return true
			}
		}
		return false
	}
	for _, id := range ids {
		suite := cipherSuiteByID(id)
		if suite == nil || !ok(suite) {
			continue
		}
		if supported(id) {
			return suite
		}
	}
	return nil
}
191
192
193
// cipherSuiteTLS13 is the internal description of a TLS 1.3 suite. All TLS
// 1.3 suites are AEAD-only, so there are no cipher/mac fields; the nonce is
// always the 12-byte XOR mask (see aeadAESGCMTLS13 / aeadChaCha20Poly1305).
type cipherSuiteTLS13 struct {
	id     uint16
	keyLen int // key length in bytes (16 or 32 in the table below)
	aead   func(key, fixedNonce []byte) aead
	// hash is the suite's hash (SHA-256 or SHA-384); presumably used for the
	// key schedule/transcript, which is not visible in this file.
	hash crypto.Hash
}
200
// cipherSuitesTLS13 is the lookup table used by cipherSuiteTLS13ByID. It is
// not the preference order; see defaultCipherSuitesTLS13 and
// defaultCipherSuitesTLS13NoAES for that.
var cipherSuitesTLS13 = []*cipherSuiteTLS13{
	{TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
	{TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
	{TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
}
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
// cipherSuitesPreferenceOrder is the TLS 1.0–1.2 negotiation preference,
// strongest first. Groups, top to bottom: ECDHE AEADs, ECDHE CBC-SHA,
// RSA-key-exchange AEADs, RSA CBC-SHA, 3DES, then the CBC-SHA256 and RC4
// suites. The tail of this list must stay identical to
// disabledCipherSuites, because defaultCipherSuites is computed by slicing
// that many entries off the end.
var cipherSuitesPreferenceOrder = []uint16{
	// AEADs with forward secrecy (ECDHE).
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

	// CBC-SHA with ECDHE.
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

	// AEADs without forward secrecy (RSA key exchange).
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,

	// CBC-SHA without forward secrecy.
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,

	// 3DES (listed by InsecureCipherSuites but still in the default set).
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,

	// From here down: disabled by default (see disabledCipherSuites).
	// CBC-SHA256.
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,

	// RC4.
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
301
// cipherSuitesPreferenceOrderNoAES is cipherSuitesPreferenceOrder with the
// ECDHE ChaCha20-Poly1305 suites moved ahead of the AES-GCM ones; everything
// else is in the same relative order. Presumably chosen when AES-GCM
// hardware support is absent (hasAESGCMHardwareSupport) — the selection
// logic is not in this file.
var cipherSuitesPreferenceOrderNoAES = []uint16{
	// ChaCha20-Poly1305 first.
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

	// Then AES-GCM with ECDHE.
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

	// Remainder identical to cipherSuitesPreferenceOrder.
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
324
325
326
// disabledCipherSuites are the suites excluded from defaultCipherSuites.
// They must be exactly the last len(disabledCipherSuites) entries of
// cipherSuitesPreferenceOrder, in the same order — defaultCipherSuites is
// derived by slicing, not by filtering. Note that the 3DES suites are
// deliberately not here.
var disabledCipherSuites = []uint16{
	// CBC-SHA256.
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,

	// RC4.
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
336
var (
	// defaultCipherSuites is the prefix of cipherSuitesPreferenceOrder that
	// remains after dropping the disabled tail. This only works because
	// disabledCipherSuites is exactly the last six entries of
	// cipherSuitesPreferenceOrder; a disabled suite added elsewhere would
	// silently disable the wrong one and keep the intended one enabled.
	defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
	defaultCipherSuites    = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
)
341
342
343
344
// defaultCipherSuitesTLS13 is the TLS 1.3 preference order: AES-GCM first,
// ChaCha20-Poly1305 last.
var defaultCipherSuitesTLS13 = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	TLS_CHACHA20_POLY1305_SHA256,
}
350
// defaultCipherSuitesTLS13NoAES is the TLS 1.3 preference order with
// ChaCha20-Poly1305 promoted ahead of AES-GCM; presumably used when
// hasAESGCMHardwareSupport is false.
var defaultCipherSuitesTLS13NoAES = []uint16{
	TLS_CHACHA20_POLY1305_SHA256,
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
356
// CPU feature detection for accelerated AES-GCM. hasAESGCMHardwareSupport is
// true only on amd64, arm64 or s390x when the corresponding instruction set
// extensions are present; it is evaluated once at package init.
var (
	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
	// s390x needs the AES CBC/CTR facilities plus either GHASH or the
	// dedicated AES-GCM instruction.
	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
		(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)

	hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
		runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
		runtime.GOARCH == "s390x" && hasGCMAsmS390X
)
368
// aesgcmCiphers is the set of AES-GCM suites (TLS 1.2 ECDHE and TLS 1.3),
// consulted by aesgcmPreferred. Absent keys read as false, so the RSA-key-
// exchange GCM suites are intentionally not counted here.
var aesgcmCiphers = map[uint16]bool{
	// TLS 1.2
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	// TLS 1.3
	TLS_AES_128_GCM_SHA256: true,
	TLS_AES_256_GCM_SHA384: true,
}
379
380
381
// aesgcmPreferred reports whether the first ID in ciphers that this package
// implements (TLS 1.2 or TLS 1.3) is an AES-GCM suite according to
// aesgcmCiphers. Unknown IDs at the front of the list are skipped; a list
// with no known suite yields false.
func aesgcmPreferred(ciphers []uint16) bool {
	for _, id := range ciphers {
		known := cipherSuiteByID(id) != nil || cipherSuiteTLS13ByID(id) != nil
		if known {
			return aesgcmCiphers[id]
		}
	}
	return false
}
393
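// cipherRC4 returns an RC4 stream cipher keyed with key, as any. iv and
// isRead are accepted for signature compatibility with the other cipher
// constructors in the cipherSuites table and are unused (RC4 has no IV and
// is direction-independent). The table passes a 16-byte key, so a key
// rc4.NewCipher rejects is an internal error and panics, matching the
// aead* constructors below, instead of returning a typed-nil *rc4.Cipher
// inside a non-nil interface.
func cipherRC4(key, iv []byte, isRead bool) any {
	stream, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return stream
}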
398
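// cipher3DES returns a CBC-mode 3DES cipher.BlockMode (as any): a decrypter
// when isRead is true, an encrypter otherwise. The cipherSuites table
// supplies a 24-byte key and an 8-byte IV for the 3DES suites; a key that
// des.NewTripleDESCipher rejects is an internal error and panics here with
// the library's error, rather than letting NewCBCEncrypter/Decrypter
// dereference a nil block.
func cipher3DES(key, iv []byte, isRead bool) any {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	if isRead {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}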
406
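// cipherAES returns a CBC-mode AES cipher.BlockMode (as any): a decrypter
// when isRead is true, an encrypter otherwise. The cipherSuites table
// supplies a 16- or 32-byte key and a 16-byte IV; a key that aes.NewCipher
// rejects is an internal error and panics here with the library's error,
// consistent with aeadAESGCM, rather than letting NewCBCEncrypter/Decrypter
// dereference a nil block.
func cipherAES(key, iv []byte, isRead bool) any {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if isRead {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}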
414
415
// macSHA1 returns an HMAC-SHA1 for the CBC/RC4 *_SHA suites. Outside
// BoringCrypto the SHA-1 constructor is wrapped by newConstantTimeHash so
// that Sum runs in constant time with respect to the data length, which
// keeps CBC MAC verification timing from depending on padding length
// (a Lucky Thirteen style side channel). Under BoringCrypto the plain
// sha1.New is used.
func macSHA1(key []byte) hash.Hash {
	if boring.Enabled {
		return hmac.New(sha1.New, key)
	}
	return hmac.New(newConstantTimeHash(sha1.New), key)
}
425
426
427
// macSHA256 returns an HMAC-SHA256 for the CBC *_SHA256 suites. Unlike
// macSHA1 it is not wrapped in the constant-time Sum adapter.
func macSHA256(key []byte) hash.Hash {
	newHash := sha256.New
	return hmac.New(newHash, key)
}
431
// aead is a cipher.AEAD extended with the TLS-specific notion of how many
// nonce bytes travel on the wire with each record.
type aead interface {
	cipher.AEAD

	// explicitNonceLen returns the number of nonce bytes carried explicitly
	// in each record: 8 for the TLS 1.2 prefix scheme (prefixNonceAEAD) and
	// 0 for the XOR-mask scheme (xorNonceAEAD). Presumably consumed by the
	// record layer, which is not in this file.
	explicitNonceLen() int
}
440
441 const (
442 aeadNonceLength = 12
443 noncePrefixLength = 4
444 )
445
446
447
448 type prefixNonceAEAD struct {
449
450 nonce [aeadNonceLength]byte
451 aead cipher.AEAD
452 }
453
454 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength }
455 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() }
456 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }
457
458 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
459 copy(f.nonce[4:], nonce)
460 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
461 }
462
463 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
464 copy(f.nonce[4:], nonce)
465 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
466 }
467
468
469
// xorNonceAEAD adapts a 12-byte-nonce AEAD to the XOR nonce scheme used by
// the TLS 1.3 suites and the TLS 1.2 ChaCha20-Poly1305 suites: the 8-byte
// per-record nonce passed to Seal/Open is XORed into the last 8 bytes of a
// fixed 12-byte mask. Nothing is sent explicitly, so explicitNonceLen is 0.
// The mask is modified in place and restored after each call; a value is
// therefore not safe for concurrent Seal/Open use.
type xorNonceAEAD struct {
	nonceMask [aeadNonceLength]byte
	aead      cipher.AEAD
}

func (f *xorNonceAEAD) NonceSize() int        { return 8 }
func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }

// xorNonce XORs nonce into the tail of f.nonceMask. Applying it twice with
// the same nonce restores the mask. A nonce longer than 8 bytes indexes past
// the array and panics.
func (f *xorNonceAEAD) xorNonce(nonce []byte) {
	for i := range nonce {
		f.nonceMask[4+i] ^= nonce[i]
	}
}

// Seal encrypts plaintext under mask XOR nonce and appends the result to out.
func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
	f.xorNonce(nonce)
	sealed := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
	f.xorNonce(nonce) // restore the mask for the next record
	return sealed
}

// Open decrypts ciphertext under mask XOR nonce and appends the result to out.
func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	f.xorNonce(nonce)
	opened, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
	f.xorNonce(nonce) // restore the mask even when Open failed
	return opened, err
}
502
// aeadAESGCM builds the TLS 1.2 AES-GCM record AEAD. noncePrefix is the
// 4-byte implicit nonce part and must be exactly noncePrefixLength bytes
// (the cipherSuites table passes ivLen == 4 for these suites). Under
// BoringCrypto the TLS-specific GCM constructor is used; otherwise
// crypto/cipher.NewGCM. A wrong nonce length, an unsupported key length or
// a failed GCM construction is an internal error and panics.
func aeadAESGCM(key, noncePrefix []byte) aead {
	if len(noncePrefix) != noncePrefixLength {
		panic("tls: internal error: wrong nonce length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var gcm cipher.AEAD
	switch {
	case boring.Enabled:
		gcm, err = boring.NewGCMTLS(block)
	default:
		boring.Unreachable()
		gcm, err = cipher.NewGCM(block)
	}
	if err != nil {
		panic(err)
	}
	wrapped := &prefixNonceAEAD{aead: gcm}
	copy(wrapped.nonce[:], noncePrefix)
	return wrapped
}
526
// aeadAESGCMTLS13 builds the TLS 1.3 AES-GCM record AEAD. nonceMask must be
// the full 12-byte (aeadNonceLength) mask; per-record nonces are XORed into
// it by xorNonceAEAD. Unlike aeadAESGCM this always uses crypto/cipher.NewGCM,
// with no BoringCrypto branch. Bad lengths or construction failures are
// internal errors and panic.
func aeadAESGCMTLS13(key, nonceMask []byte) aead {
	if len(nonceMask) != aeadNonceLength {
		panic("tls: internal error: wrong nonce length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	wrapped := &xorNonceAEAD{aead: gcm}
	copy(wrapped.nonceMask[:], nonceMask)
	return wrapped
}
544
// aeadChaCha20Poly1305 builds the ChaCha20-Poly1305 record AEAD used by both
// the TLS 1.2 ECDHE_*_CHACHA20_POLY1305 suites and TLS 1.3. nonceMask must be
// the full 12-byte (aeadNonceLength) mask used by xorNonceAEAD. A bad mask
// length or a key chacha20poly1305.New rejects is an internal error and
// panics.
func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
	if len(nonceMask) != aeadNonceLength {
		panic("tls: internal error: wrong nonce length")
	}
	inner, err := chacha20poly1305.New(key)
	if err != nil {
		panic(err)
	}
	wrapped := &xorNonceAEAD{aead: inner}
	copy(wrapped.nonceMask[:], nonceMask)
	return wrapped
}
558
559 type constantTimeHash interface {
560 hash.Hash
561 ConstantTimeSum(b []byte) []byte
562 }
563
564
565
566 type cthWrapper struct {
567 h constantTimeHash
568 }
569
570 func (c *cthWrapper) Size() int { return c.h.Size() }
571 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() }
572 func (c *cthWrapper) Reset() { c.h.Reset() }
573 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
574 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
575
// newConstantTimeHash wraps a hash constructor so each hash it produces has
// its Sum replaced by ConstantTimeSum (via cthWrapper). The hashes h returns
// must implement constantTimeHash; the type assertion panics otherwise.
// Not used under BoringCrypto (see macSHA1), hence boring.Unreachable.
func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
	boring.Unreachable()
	wrap := func() hash.Hash {
		inner := h().(constantTimeHash)
		return &cthWrapper{h: inner}
	}
	return wrap
}
582
583
584 func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
585 h.Reset()
586 h.Write(seq)
587 h.Write(header)
588 h.Write(data)
589 res := h.Sum(out)
590 if extra != nil {
591 h.Write(extra)
592 }
593 return res
594 }
595
// rsaKA returns the RSA key-exchange implementation for the
// TLS_RSA_* suites. The protocol version is irrelevant to it and ignored.
func rsaKA(version uint16) keyAgreement {
	var ka rsaKeyAgreement
	return ka
}
599
// ecdheECDSAKA returns the ECDHE key agreement for the ECDHE_ECDSA_* suites:
// isRSA is false (ECDSA server signature) and the negotiated version is
// recorded for the agreement to use.
func ecdheECDSAKA(version uint16) keyAgreement {
	ka := &ecdheKeyAgreement{version: version}
	ka.isRSA = false
	return ka
}
606
// ecdheRSAKA returns the ECDHE key agreement for the ECDHE_RSA_* suites:
// isRSA is true (RSA server signature) and the negotiated version is
// recorded for the agreement to use.
func ecdheRSAKA(version uint16) keyAgreement {
	ka := &ecdheKeyAgreement{version: version}
	ka.isRSA = true
	return ka
}
613
614
615
// mutualCipherSuite returns the TLS 1.0–1.2 suite with ID want if want
// appears in have, or nil otherwise. The result is also nil when want is in
// have but not implemented by this package (cipherSuiteByID returns nil), so
// callers must check for nil rather than assume membership implies support.
func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
	for i := range have {
		if have[i] != want {
			continue
		}
		return cipherSuiteByID(want)
	}
	return nil
}
624
// cipherSuiteByID returns the cipherSuites entry with the given ID, or nil
// if this package does not implement it. Linear scan over a ~20-entry table.
func cipherSuiteByID(id uint16) *cipherSuite {
	for i := range cipherSuites {
		if suite := cipherSuites[i]; suite.id == id {
			return suite
		}
	}
	return nil
}
633
// mutualCipherSuiteTLS13 returns the TLS 1.3 suite with ID want if want
// appears in have, or nil otherwise — including when want is present but
// not one of the three implemented TLS 1.3 suites.
func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
	for i := range have {
		if have[i] != want {
			continue
		}
		return cipherSuiteTLS13ByID(want)
	}
	return nil
}
642
// cipherSuiteTLS13ByID returns the cipherSuitesTLS13 entry with the given
// ID, or nil if this package does not implement it.
func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 {
	for i := range cipherSuitesTLS13 {
		if suite := cipherSuitesTLS13[i]; suite.id == id {
			return suite
		}
	}
	return nil
}
651
652
653
654
655
// IANA-registered cipher suite identifiers that this package implements or
// has implemented. The names follow the IANA TLS parameters registry so that
// CipherSuiteName output matches other tooling.
const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	// TLS_FALLBACK_SCSV is not a real cipher suite but a signalling value
	// (RFC 7507) a client sends to indicate a downgraded retry; it appears
	// in none of the suite tables above.
	TLS_FALLBACK_SCSV uint16 = 0x5600

	// Legacy names for the corresponding cipher suites with the correct
	// _SHA256 suffix, kept for backward compatibility. They are the names
	// used in the internal cipherSuites and preference tables.
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
)
695