src/crypto/tls/cipher_suites.go
5 package tls
6
7 import (
8 "crypto"
9 "crypto/aes"
10 "crypto/cipher"
11 "crypto/des"
12 "crypto/hmac"
13 "crypto/internal/boring"
14 "crypto/rc4"
15 "crypto/sha1"
16 "crypto/sha256"
17 "fmt"
18 "hash"
19 "internal/cpu"
20 "runtime"
21
22 "golang.org/x/crypto/chacha20poly1305"
23 )
24
25
26
// CipherSuite is a TLS cipher suite as exposed by the public API of this
// package (see CipherSuites and InsecureCipherSuites). Most other APIs in
// this package identify suites by their uint16 ID alone; the IDs are the
// constants at the end of this file.
type CipherSuite struct {
	ID   uint16 // the 16-bit cipher suite identifier sent on the wire
	Name string // the standard name of the suite, e.g. "TLS_AES_128_GCM_SHA256"

	// SupportedVersions lists the protocol versions that can negotiate this
	// suite. It is one of supportedUpToTLS12, supportedOnlyTLS12 or
	// supportedOnlyTLS13 below.
	SupportedVersions []uint16

	// Insecure is true for suites with known security issues; those suites
	// are returned by InsecureCipherSuites rather than CipherSuites.
	Insecure bool
}
39
// Version sets shared by the CipherSuite values built in CipherSuites and
// InsecureCipherSuites. Suites carrying no suiteTLS12 flag in the cipherSuites
// table are usable from TLS 1.0; the AEAD and CBC-SHA256 suites need TLS 1.2;
// the three TLS 1.3 suites are usable only with TLS 1.3.
var (
	supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12}
	supportedOnlyTLS12 = []uint16{VersionTLS12}
	supportedOnlyTLS13 = []uint16{VersionTLS13}
)
45
46
47
48
49
50
51
52
// CipherSuites returns the cipher suites implemented by this package that are
// not known to have security issues. Suites with known issues are returned
// by InsecureCipherSuites instead.
//
// The list is in ascending ID order. It is a static description of what is
// implemented; which suites are actually enabled or preferred by default is
// decided elsewhere (see cipherSuitesPreferenceOrder and disabledCipherSuites)
// and may depend on the platform.
func CipherSuites() []*CipherSuite {
	// Every suite in this list is secure, so the constructor fixes Insecure
	// to false and only the ID, name and version set vary per entry.
	suite := func(id uint16, name string, versions []uint16) *CipherSuite {
		return &CipherSuite{
			ID:                id,
			Name:              name,
			SupportedVersions: versions,
			Insecure:          false,
		}
	}

	return []*CipherSuite{
		// Static RSA key exchange (no forward secrecy).
		suite(TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		suite(TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		suite(TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		suite(TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),

		// TLS 1.3 suites (all AEAD, key exchange is not part of the suite).
		suite(TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13),
		suite(TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13),
		suite(TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13),

		// ECDHE key exchange with ECDSA or RSA authentication.
		suite(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),
		suite(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12),
		suite(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12),
		suite(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12),
	}
}
76
77
78
79
80
81
// InsecureCipherSuites returns the cipher suites implemented by this package
// that have known security issues: the RC4 suites, the 3DES suites and the
// CBC-mode SHA-256 suites. Most applications should not use any of them and
// should rely on CipherSuites instead.
//
// The RC4 and CBC-SHA256 suites are also listed in disabledCipherSuites and
// so are not enabled by default; the 3DES suites remain at the very end of the
// default preference order. The list is in ascending ID order.
func InsecureCipherSuites() []*CipherSuite {
	// Every entry here is insecure by definition, so the constructor fixes
	// Insecure to true.
	suite := func(id uint16, name string, versions []uint16) *CipherSuite {
		return &CipherSuite{
			ID:                id,
			Name:              name,
			SupportedVersions: versions,
			Insecure:          true,
		}
	}

	return []*CipherSuite{
		suite(TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		suite(TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12),
		suite(TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12),
		suite(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
		suite(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12),
	}
}
96
97
98
99
// CipherSuiteName returns the standard name for the passed cipher suite ID
// (e.g. "TLS_RSA_WITH_RC4_128_SHA"), searching the secure list first and the
// insecure list second. An ID this package does not implement is rendered as
// its hexadecimal value, e.g. "0x1234", so the function is always safe to use
// for logging a peer-supplied value.
func CipherSuiteName(id uint16) string {
	lookup := func(list []*CipherSuite) (string, bool) {
		for _, cs := range list {
			if cs.ID == id {
				return cs.Name, true
			}
		}
		return "", false
	}

	if name, found := lookup(CipherSuites()); found {
		return name
	}
	if name, found := lookup(InsecureCipherSuites()); found {
		return name
	}
	return fmt.Sprintf("0x%04X", id)
}
113
// Flags stored in cipherSuite.flags. They describe properties of a TLS
// 1.0–1.2 suite that the handshake needs in order to decide whether the
// suite can be negotiated.
const (
	// suiteECDHE marks suites whose key agreement is ephemeral ECDH
	// (ecdheRSAKA or ecdheECDSAKA in the cipherSuites table) rather than
	// static RSA key exchange. Only these suites provide forward secrecy.
	suiteECDHE = 1 << iota

	// suiteECSign marks suites authenticated with an ECDSA certificate. In
	// the cipherSuites table it only ever appears together with suiteECDHE.
	suiteECSign

	// suiteTLS12 marks suites that require TLS 1.2: every AEAD suite and the
	// CBC-SHA256 suites. Suites without it are usable from TLS 1.0 onwards
	// (compare supportedUpToTLS12 in CipherSuites).
	suiteTLS12

	// suiteSHA384 marks the *_SHA384 suites; presumably it selects SHA-384
	// instead of SHA-256 as the handshake/PRF hash — confirm where the flag
	// is consumed, as that is outside this file.
	suiteSHA384
)
132
133
134
// cipherSuite describes a TLS 1.0–1.2 cipher suite as implemented by this
// package. Exactly one of the two constructor pairs is populated in the
// cipherSuites table: cipher+mac for the CBC and RC4 suites, or aead for the
// AEAD suites (the other fields are nil).
type cipherSuite struct {
	id uint16

	// keyLen is the symmetric key size in bytes. macLen is the MAC key size:
	// 0 for AEAD suites, 20 for HMAC-SHA1, 32 for HMAC-SHA256. ivLen is the
	// amount of IV/nonce material derived per suite: 16 for AES-CBC, 8 for
	// 3DES-CBC, 0 for RC4, 4 for the AES-GCM nonce prefix (noncePrefixLength)
	// and 12 for the ChaCha20-Poly1305 nonce mask (aeadNonceLength).
	keyLen int
	macLen int
	ivLen  int
	// ka constructs the key agreement used for the negotiated version.
	ka func(version uint16) keyAgreement

	// flags is a combination of the suite* bits declared above.
	flags int
	// cipher returns a stream cipher or CBC block mode (typed as any) for a
	// read or write direction; mac returns the keyed HMAC for that direction.
	cipher func(key, iv []byte, isRead bool) any
	mac    func(key []byte) hash.Hash
	// aead returns the AEAD for the suite, given the key and the implicit
	// nonce material (prefix or mask, see the aead* constructors below).
	aead func(key, fixedNonce []byte) aead
}
148
// cipherSuites is the table of TLS 1.0–1.2 cipher suites this package
// implements, keyed by cipherSuiteByID. The order of entries here does not
// express preference: selection iterates the caller's ID list (see
// selectCipherSuite) and cipherSuitesPreferenceOrder defines our own ordering.
//
// Field order: id, keyLen, macLen, ivLen, ka, flags, cipher, mac, aead.
var cipherSuites = []*cipherSuite{
	// ECDHE AEAD suites (forward secrecy).
	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	// ECDHE CBC suites; the SHA256 variants are in disabledCipherSuites.
	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
	// Static RSA key exchange (no forward secrecy).
	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
	// Legacy 3DES and RC4 suites (see InsecureCipherSuites); RC4 is a stream
	// cipher and takes no IV, hence ivLen 0.
	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil},
	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil},
	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil},
}
173
174
175
// selectCipherSuite returns the first suite in ids that this package
// implements, that ok accepts, and whose ID also appears in supportedIDs; it
// returns nil when there is none. The order of ids therefore expresses
// preference while supportedIDs is only a filter. IDs unknown to this package
// are skipped before ok is consulted, so ok never sees an unrecognised value.
func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
	isSupported := func(id uint16) bool {
		for _, supported := range supportedIDs {
			if supported == id {
				return true
			}
		}
		return false
	}

	for _, id := range ids {
		suite := cipherSuiteByID(id)
		if suite == nil {
			continue
		}
		if !ok(suite) {
			continue
		}
		if isSupported(id) {
			return suite
		}
	}
	return nil
}
191
192
193
// cipherSuiteTLS13 describes a TLS 1.3 cipher suite. TLS 1.3 suites only
// name an AEAD and a hash; key exchange and authentication are negotiated
// separately, so there is no key agreement or flags field here.
type cipherSuiteTLS13 struct {
	id     uint16
	keyLen int                                // AEAD key size in bytes
	aead   func(key, fixedNonce []byte) aead // fixedNonce is the 12-byte nonce mask (xorNonceAEAD)
	hash   crypto.Hash                        // hash used with this suite (SHA-256 or SHA-384)
}
200
// cipherSuitesTLS13 is the table of TLS 1.3 suites this package implements,
// keyed by cipherSuiteTLS13ByID. Preference is expressed separately by
// defaultCipherSuitesTLS13 and defaultCipherSuitesTLS13NoAES, not by this
// order. Field order: id, keyLen, aead, hash.
var cipherSuitesTLS13 = []*cipherSuiteTLS13{
	{TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
	{TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
	{TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
}
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
// cipherSuitesPreferenceOrder is this package's own preference order for the
// TLS 1.0–1.2 suites, most preferred first. The grouping is: forward-secret
// AEADs, then forward-secret CBC, then non-forward-secret AEADs and CBC, then
// the legacy 3DES, CBC-SHA256 and RC4 suites. The trailing entries starting
// at the CBC-SHA256 group are exactly disabledCipherSuites, which is what
// lets defaultCipherSuites be a prefix slice of this list — keep the two in
// sync when editing either.
var cipherSuitesPreferenceOrder = []uint16{
	// AEADs with ECDHE (forward secrecy), AES-GCM before ChaCha20-Poly1305.
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

	// CBC with ECDHE (forward secrecy, but CBC-with-MAC construction).
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

	// AEADs without ECDHE (no forward secrecy).
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,

	// CBC without ECDHE.
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,

	// 3DES: still enabled by default, but last among the enabled suites.
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,

	// CBC-SHA256: disabled by default (see disabledCipherSuites).
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,

	// RC4: disabled by default (see disabledCipherSuites).
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
301
// cipherSuitesPreferenceOrderNoAES is cipherSuitesPreferenceOrder with the
// ECDHE ChaCha20-Poly1305 suites moved to the front; everything else keeps
// its relative order. It is presumably chosen when hasAESGCMHardwareSupport
// is false, where software AES-GCM is slower (and harder to keep
// constant-time) than ChaCha20-Poly1305 — the selection itself is outside
// this file.
var cipherSuitesPreferenceOrderNoAES = []uint16{
	// ChaCha20-Poly1305 first.
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

	// AES-GCM with ECDHE.
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

	// The rest is identical to cipherSuitesPreferenceOrder.
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_CBC_SHA,
	TLS_RSA_WITH_AES_256_CBC_SHA,
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
324
325
326
// disabledCipherSuites lists the TLS 1.0–1.2 suites that are implemented but
// not enabled by default. They must be exactly the trailing entries of
// cipherSuitesPreferenceOrder, in the same order, because defaultCipherSuites
// is computed by slicing that list. Note that the 3DES suites are not here:
// they stay enabled, at lowest preference.
var disabledCipherSuites = []uint16{
	// CBC-SHA256 suites. Unlike the SHA-1 suites these use macSHA256, which
	// does not go through the constant-time hash wrapper (see macSHA1).
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	TLS_RSA_WITH_AES_128_CBC_SHA256,

	// RC4 suites.
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	TLS_RSA_WITH_RC4_128_SHA,
}
336
// defaultCipherSuites is the enabled-by-default TLS 1.0–1.2 preference list:
// cipherSuitesPreferenceOrder with the disabledCipherSuites tail cut off.
// This only works because disabledCipherSuites is precisely that tail; it
// aliases the backing array of cipherSuitesPreferenceOrder and must not be
// appended to.
var (
	defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
	defaultCipherSuites    = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
)
341
342
343
344
// defaultCipherSuitesTLS13 is the TLS 1.3 preference order, most preferred
// first, used when AES-GCM is hardware accelerated. All three TLS 1.3 suites
// are enabled; unlike TLS 1.2 there is no disabled set.
var defaultCipherSuitesTLS13 = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	TLS_CHACHA20_POLY1305_SHA256,
}
350
// defaultCipherSuitesTLS13NoAES is defaultCipherSuitesTLS13 with
// ChaCha20-Poly1305 moved first, for platforms without AES-GCM hardware
// support (see hasAESGCMHardwareSupport; the choice between the two lists is
// made outside this file).
var defaultCipherSuitesTLS13NoAES = []uint16{
	TLS_CHACHA20_POLY1305_SHA256,
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
356
// CPU feature detection for AES-GCM. hasAESGCMHardwareSupport is true only
// when the running architecture has both an AES instruction set and a
// carry-less multiply / GHASH instruction, i.e. when both halves of AES-GCM
// can run in assembly. Each hasGCMAsm* variable is evaluated on every
// platform but only consulted for its own GOARCH.
var (
	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
	// s390x additionally needs the CBC and CTR facilities and either a GHASH
	// or a native AES-GCM facility.
	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
		(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)

	hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
		runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
		runtime.GOARCH == "s390x" && hasGCMAsmS390X
)
368
// aesgcmCiphers is the set of AES-GCM suites across TLS 1.2 and TLS 1.3, used
// by aesgcmPreferred to tell whether a peer's top choice is AES-GCM. Lookups
// of IDs not in the map yield false.
var aesgcmCiphers = map[uint16]bool{
	// TLS 1.2
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	// TLS 1.3
	TLS_AES_128_GCM_SHA256: true,
	TLS_AES_256_GCM_SHA384: true,
}
379
// nonAESGCMAEADCiphers is the set of AEAD suites that are not AES-GCM, i.e.
// the ChaCha20-Poly1305 suites of TLS 1.2 and TLS 1.3. It is not referenced
// anywhere in this file; presumably it is consumed elsewhere in the package
// (confirm before removing).
var nonAESGCMAEADCiphers = map[uint16]bool{
	// TLS 1.2
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:   true,
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: true,
	// TLS 1.3
	TLS_CHACHA20_POLY1305_SHA256: true,
}
387
388
389
// aesgcmPreferred reports whether the first suite in ciphers that this
// package implements — in either the TLS 1.0–1.2 or the TLS 1.3 table — is an
// AES-GCM suite. IDs unknown to this package are skipped, so a peer list
// padded with unrecognised or GREASE-style values does not change the answer.
// An empty or entirely unknown list yields false.
func aesgcmPreferred(ciphers []uint16) bool {
	for _, id := range ciphers {
		// Check the TLS 1.2 table first, then the TLS 1.3 table; the answer
		// for a known ID is the same either way.
		known := cipherSuiteByID(id) != nil || cipherSuiteTLS13ByID(id) != nil
		if known {
			return aesgcmCiphers[id]
		}
	}
	return false
}
401
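// cipherRC4 returns an RC4 stream cipher keyed with key. iv and isRead are
// ignored: RC4 takes no IV (the cipherSuites table gives it ivLen 0) and its
// keystream is the same in both directions. The result is returned as any to
// fit the cipherSuite.cipher signature.
//
// The key length is fixed by the cipherSuites table (16 bytes), so a key
// rc4.NewCipher rejects is an internal error. Previously the error was
// discarded, which returned a typed nil *rc4.Cipher boxed in a non-nil any
// and only failed later with a nil dereference far from the cause; panicking
// here matches the aead* constructors in this file.
func cipherRC4(key, iv []byte, isRead bool) any {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}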
406
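// cipher3DES returns a 3DES-CBC block mode keyed with key and started at iv:
// a decrypter when isRead is true, an encrypter otherwise. The result is
// returned as any to fit the cipherSuite.cipher signature.
//
// key must be 24 bytes and iv 8 bytes, as fixed by the cipherSuites table;
// a rejected key is an internal error and panics (previously the error was
// discarded and the nil block crashed inside cipher.NewCBC*, hiding the
// cause), matching the aead* constructors. cipher.NewCBC* itself panics on a
// wrong IV length.
func cipher3DES(key, iv []byte, isRead bool) any {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	if isRead {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}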
414
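// cipherAES returns an AES-CBC block mode keyed with key and started at iv:
// a decrypter when isRead is true, an encrypter otherwise. The result is
// returned as any to fit the cipherSuite.cipher signature.
//
// key is 16 or 32 bytes and iv 16 bytes, as fixed by the cipherSuites table;
// a rejected key is an internal error and panics (previously the error was
// discarded and the nil block crashed inside cipher.NewCBC*, hiding the
// cause), matching the aead* constructors. cipher.NewCBC* itself panics on a
// wrong IV length.
func cipherAES(key, iv []byte, isRead bool) any {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if isRead {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}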
422
423
// macSHA1 returns an HMAC-SHA1 keyed with key, used by every *_SHA suite in
// the cipherSuites table. Outside BoringCrypto the underlying SHA-1 is
// wrapped by newConstantTimeHash so that Sum uses ConstantTimeSum —
// presumably to keep CBC record MAC verification timing independent of the
// padding length (confirm against the record layer, which is outside this
// file). Under BoringCrypto the plain sha1.New is used.
func macSHA1(key []byte) hash.Hash {
	if boring.Enabled {
		return hmac.New(sha1.New, key)
	}
	return hmac.New(newConstantTimeHash(sha1.New), key)
}
433
434
435
// macSHA256 returns an HMAC-SHA256 keyed with key, used by the *_CBC_SHA256
// suites. Unlike macSHA1 it applies no constant-time hash wrapper; the suites
// that use it are all in disabledCipherSuites and are off by default.
func macSHA256(key []byte) hash.Hash {
	newHash := sha256.New
	return hmac.New(newHash, key)
}
439
// aead is the interface for AEAD ciphers as used by this package. Beyond
// cipher.AEAD it reports how many bytes of explicit nonce travel in each
// record: 8 for the TLS 1.2 AES-GCM prefix construction (prefixNonceAEAD),
// 0 for the XOR-mask construction used by TLS 1.3 and by ChaCha20-Poly1305
// (xorNonceAEAD).
type aead interface {
	cipher.AEAD

	// explicitNonceLen returns the number of bytes of explicit nonce
	// included in each record, as opposed to derived from the fixed
	// per-connection nonce material.
	explicitNonceLen() int
}
448
const (
	// aeadNonceLength is the 96-bit nonce size of the AEADs used here.
	aeadNonceLength = 12
	// noncePrefixLength is the length of the fixed, key-derived nonce prefix
	// used by prefixNonceAEAD; the remaining 8 bytes are explicit per record.
	noncePrefixLength = 4
)

// prefixNonceAEAD wraps an AEAD so that each call's 8-byte explicit nonce is
// appended to a fixed 4-byte prefix to form the full 12-byte nonce. This is
// the TLS 1.2 AES-GCM construction, built by aeadAESGCM.
//
// Seal and Open write the explicit nonce into the embedded buffer, so a
// value must not be used concurrently.
type prefixNonceAEAD struct {
	// nonce[:noncePrefixLength] holds the fixed prefix; the rest is
	// overwritten with the explicit nonce on every call.
	nonce [aeadNonceLength]byte
	aead  cipher.AEAD
}

func (f *prefixNonceAEAD) NonceSize() int {
	return aeadNonceLength - noncePrefixLength
}

func (f *prefixNonceAEAD) Overhead() int {
	return f.aead.Overhead()
}

func (f *prefixNonceAEAD) explicitNonceLen() int {
	return f.NonceSize()
}

// fullNonce places the explicit nonce after the fixed prefix and returns
// the complete 12-byte nonce to hand to the wrapped AEAD.
func (f *prefixNonceAEAD) fullNonce(explicit []byte) []byte {
	copy(f.nonce[noncePrefixLength:], explicit)
	return f.nonce[:]
}

func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
	full := f.fullNonce(nonce)
	return f.aead.Seal(out, full, plaintext, additionalData)
}

func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	full := f.fullNonce(nonce)
	return f.aead.Open(out, full, ciphertext, additionalData)
}

// xorNonceAEAD wraps an AEAD so that each call's 8-byte nonce (presumably
// the record sequence number — confirm against the record layer) is XORed
// into the low 8 bytes of a fixed 12-byte mask to form the full nonce; no
// explicit nonce is carried in the record. This is the TLS 1.3 construction
// (aeadAESGCMTLS13) and is also used by the TLS 1.2 ChaCha20-Poly1305 suites
// (aeadChaCha20Poly1305).
//
// The mask is restored after each call by XORing the nonce in again, so
// Seal and Open mutate shared state and are not safe for concurrent use. A
// panic inside the wrapped AEAD leaves the mask modified.
type xorNonceAEAD struct {
	nonceMask [aeadNonceLength]byte
	aead      cipher.AEAD
}

func (f *xorNonceAEAD) NonceSize() int {
	return 8
}

func (f *xorNonceAEAD) Overhead() int {
	return f.aead.Overhead()
}

func (f *xorNonceAEAD) explicitNonceLen() int {
	return 0
}

// toggleNonce XORs nonce into the trailing bytes of the mask. Applying it a
// second time with the same nonce restores the mask.
func (f *xorNonceAEAD) toggleNonce(nonce []byte) {
	for i := range nonce {
		f.nonceMask[4+i] ^= nonce[i]
	}
}

func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
	f.toggleNonce(nonce)
	sealed := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
	f.toggleNonce(nonce)
	return sealed
}

func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	f.toggleNonce(nonce)
	opened, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
	f.toggleNonce(nonce)
	return opened, err
}
510
// aeadAESGCM builds the TLS 1.2 AES-GCM AEAD: AES keyed with key, wrapped in
// a prefixNonceAEAD whose fixed 4-byte prefix is noncePrefix. A noncePrefix
// of the wrong length or a key AES rejects is an internal error (the lengths
// come from the cipherSuites table) and panics.
//
// Under BoringCrypto the GCM comes from boring.NewGCMTLS; otherwise the
// standard cipher.NewGCM is used and boring.Unreachable marks the path as
// never taken in a BoringCrypto build.
func aeadAESGCM(key, noncePrefix []byte) aead {
	if len(noncePrefix) != noncePrefixLength {
		panic("tls: internal error: wrong nonce length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}

	var gcm cipher.AEAD
	switch {
	case boring.Enabled:
		gcm, err = boring.NewGCMTLS(block)
	default:
		boring.Unreachable()
		gcm, err = cipher.NewGCM(block)
	}
	if err != nil {
		panic(err)
	}

	wrapped := &prefixNonceAEAD{aead: gcm}
	copy(wrapped.nonce[:], noncePrefix)
	return wrapped
}
534
// aeadAESGCMTLS13 builds the TLS 1.3 AES-GCM AEAD: AES keyed with key,
// wrapped in an xorNonceAEAD whose 12-byte mask is nonceMask. A nonceMask of
// the wrong length or a key AES rejects is an internal error and panics.
// Unlike aeadAESGCM there is no BoringCrypto branch here.
func aeadAESGCMTLS13(key, nonceMask []byte) aead {
	if len(nonceMask) != aeadNonceLength {
		panic("tls: internal error: wrong nonce length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}

	wrapped := &xorNonceAEAD{aead: gcm}
	copy(wrapped.nonceMask[:], nonceMask)
	return wrapped
}
552
// aeadChaCha20Poly1305 builds the ChaCha20-Poly1305 AEAD used by both the
// TLS 1.2 and TLS 1.3 ChaCha suites, wrapped in an xorNonceAEAD whose
// 12-byte mask is nonceMask. A nonceMask of the wrong length or a key the
// AEAD rejects is an internal error and panics.
func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
	if len(nonceMask) != aeadNonceLength {
		panic("tls: internal error: wrong nonce length")
	}
	inner, err := chacha20poly1305.New(key)
	if err != nil {
		panic(err)
	}

	wrapped := &xorNonceAEAD{aead: inner}
	copy(wrapped.nonceMask[:], nonceMask)
	return wrapped
}
566
// constantTimeHash is a hash.Hash that can also produce its digest in
// constant time, independent of how much data has been written. In this file
// only sha1.New is used through this interface (see macSHA1).
type constantTimeHash interface {
	hash.Hash
	ConstantTimeSum(b []byte) []byte
}

// cthWrapper adapts a constantTimeHash to hash.Hash so that the ordinary
// Sum method used by hmac runs the constant-time ConstantTimeSum instead of
// the hash's own Sum. Every other method delegates unchanged.
type cthWrapper struct {
	h constantTimeHash
}

func (w *cthWrapper) Size() int {
	return w.h.Size()
}

func (w *cthWrapper) BlockSize() int {
	return w.h.BlockSize()
}

func (w *cthWrapper) Reset() {
	w.h.Reset()
}

func (w *cthWrapper) Write(p []byte) (int, error) {
	return w.h.Write(p)
}

// Sum is the point of the wrapper: it routes to ConstantTimeSum.
func (w *cthWrapper) Sum(b []byte) []byte {
	return w.h.ConstantTimeSum(b)
}
583
// newConstantTimeHash turns a hash constructor into one whose hashes compute
// Sum in constant time via cthWrapper. The constructor h must return a
// constantTimeHash; the type assertion is unchecked and panics otherwise,
// which is fine for the single caller (macSHA1 with sha1.New). The
// boring.Unreachable call documents that macSHA1 never takes this path in a
// BoringCrypto build.
func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
	boring.Unreachable()
	wrap := func() hash.Hash {
		inner := h().(constantTimeHash)
		return &cthWrapper{h: inner}
	}
	return wrap
}
590
591
// tls10MAC computes the TLS 1.0–1.2 record MAC: h is reset, fed the
// sequence number, record header and payload in that order, and its digest
// is appended to out and returned.
//
// When extra is non-nil it is written to h after the digest is taken. The
// result does not depend on it; presumably this keeps the amount of data
// hashed independent of the record's padding length, complementing the
// constant-time Sum in macSHA1 (confirm against the record layer, which is
// outside this file).
func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
	h.Reset()
	for _, part := range [][]byte{seq, header, data} {
		h.Write(part)
	}
	mac := h.Sum(out)
	if extra != nil {
		h.Write(extra)
	}
	return mac
}
603
// rsaKA returns the key agreement for the TLS_RSA_* suites, which use static
// RSA key exchange and therefore offer no forward secrecy. version is ignored
// because the exchange is the same in every supported version.
func rsaKA(version uint16) keyAgreement {
	var ka rsaKeyAgreement
	return ka
}
607
// ecdheECDSAKA returns the ECDHE key agreement for suites authenticated with
// an ECDSA certificate (the suiteECDHE|suiteECSign entries of cipherSuites),
// bound to the negotiated protocol version.
func ecdheECDSAKA(version uint16) keyAgreement {
	ka := &ecdheKeyAgreement{version: version}
	ka.isRSA = false
	return ka
}
614
// ecdheRSAKA returns the ECDHE key agreement for suites authenticated with an
// RSA certificate (the suiteECDHE entries of cipherSuites without
// suiteECSign), bound to the negotiated protocol version.
func ecdheRSAKA(version uint16) keyAgreement {
	ka := &ecdheKeyAgreement{version: version}
	ka.isRSA = true
	return ka
}
621
622
623
// mutualCipherSuite returns the TLS 1.0–1.2 cipher suite want if it appears
// in have, and nil otherwise. It also returns nil when want is in have but is
// not implemented by this package, so a nil result does not distinguish the
// two cases.
func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
	for _, id := range have {
		if id != want {
			continue
		}
		return cipherSuiteByID(id)
	}
	return nil
}
632
// cipherSuiteByID looks id up in the cipherSuites table, returning nil for
// IDs this package does not implement (including the TLS 1.3 suites, which
// live in cipherSuitesTLS13). The scan is linear over a short fixed table.
func cipherSuiteByID(id uint16) *cipherSuite {
	for i := range cipherSuites {
		if cs := cipherSuites[i]; cs.id == id {
			return cs
		}
	}
	return nil
}
641
// mutualCipherSuiteTLS13 returns the TLS 1.3 cipher suite want if it appears
// in have, and nil otherwise. As with mutualCipherSuite, nil is also returned
// when want is present but not implemented by this package.
func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
	for _, id := range have {
		if id != want {
			continue
		}
		return cipherSuiteTLS13ByID(id)
	}
	return nil
}
650
// cipherSuiteTLS13ByID looks id up in the cipherSuitesTLS13 table, returning
// nil for IDs this package does not implement as TLS 1.3 suites.
func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 {
	for i := range cipherSuitesTLS13 {
		if cs := cipherSuitesTLS13[i]; cs.id == id {
			return cs
		}
	}
	return nil
}
659
660
661
662
663
// Cipher suite IDs implemented by this package, as registered in the IANA
// TLS Cipher Suite registry. Note the ECDHE ChaCha20-Poly1305 constants
// carry the registered _SHA256 suffix; the two suffix-less names at the end
// are aliases kept for compatibility with earlier versions of this package.
const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	// TLS_FALLBACK_SCSV is not a real cipher suite but a signaling value
	// (RFC 7507) a client includes when it is retrying with a lower protocol
	// version; it appears in none of the tables in this file.
	TLS_FALLBACK_SCSV uint16 = 0x5600

	// Legacy names for the corresponding cipher suites with the correct
	// _SHA256 suffix, retained for import compatibility.
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
)
703