github.com/Carcraftz/utls@v0.0.0-20220413235215-6b7c52fd78b6/cipher_suites.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/cipher" 10 "crypto/des" 11 "crypto/hmac" 12 "crypto/rc4" 13 "crypto/sha1" 14 "crypto/sha256" 15 "crypto/x509" 16 "golang.org/x/crypto/chacha20poly1305" 17 "hash" 18 ) 19 20 // a keyAgreement implements the client and server side of a TLS key agreement 21 // protocol by generating and processing key exchange messages. 22 type keyAgreement interface { 23 // On the server side, the first two methods are called in order. 24 25 // In the case that the key agreement protocol doesn't use a 26 // ServerKeyExchange message, generateServerKeyExchange can return nil, 27 // nil. 28 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 29 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 30 31 // On the client side, the next two methods are called in order. 32 33 // This method may not be called if the server doesn't send a 34 // ServerKeyExchange message. 35 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 36 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 37 } 38 39 const ( 40 // suiteECDH indicates that the cipher suite involves elliptic curve 41 // Diffie-Hellman. This means that it should only be selected when the 42 // client indicates that it supports ECC with a curve and point format 43 // that we're happy with. 44 suiteECDHE = 1 << iota 45 // suiteECDSA indicates that the cipher suite involves an ECDSA 46 // signature and therefore may only be selected when the server's 47 // certificate is ECDSA. If this is not set then the cipher suite is 48 // RSA based. 49 suiteECDSA 50 // suiteTLS12 indicates that the cipher suite should only be advertised 51 // and accepted when using TLS 1.2. 52 suiteTLS12 53 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 54 // handshake hash. 55 suiteSHA384 56 // suiteDefaultOff indicates that this cipher suite is not included by 57 // default. 58 suiteDefaultOff 59 ) 60 61 // A cipherSuite is a specific combination of key agreement, cipher and MAC function. 62 type cipherSuite struct { 63 id uint16 64 // the lengths, in bytes, of the key material needed for each component. 65 keyLen int 66 macLen int 67 ivLen int 68 ka func(version uint16) keyAgreement 69 // flags is a bitmask of the suite* values, above. 70 flags int 71 cipher func(key, iv []byte, isRead bool) interface{} 72 mac func(version uint16, macKey []byte) macFunction 73 aead func(key, fixedNonce []byte) aead 74 } 75 76 var cipherSuites = []*cipherSuite{ 77 // Ciphersuite order is chosen so that ECDHE comes before plain RSA and 78 // AEADs are the top preference. 79 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 80 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 81 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 82 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM}, 83 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 84 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 85 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 86 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 87 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 88 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 89 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 90 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 91 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 92 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 93 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 94 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 95 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 96 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 97 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 98 99 // RC4-based cipher suites are disabled by default. 100 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil}, 101 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil}, 102 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil}, 103 } 104 105 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 106 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 107 type cipherSuiteTLS13 struct { 108 id uint16 109 keyLen int 110 aead func(key, fixedNonce []byte) aead 111 hash crypto.Hash 112 } 113 114 var cipherSuitesTLS13 = []*cipherSuiteTLS13{ 115 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 116 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 117 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 118 } 119 120 func cipherRC4(key, iv []byte, isRead bool) interface{} { 121 cipher, _ := rc4.NewCipher(key) 122 return cipher 123 } 124 125 func cipher3DES(key, iv []byte, isRead bool) interface{} { 126 block, _ := des.NewTripleDESCipher(key) 127 if isRead { 128 return cipher.NewCBCDecrypter(block, iv) 129 } 130 return cipher.NewCBCEncrypter(block, iv) 131 } 132 133 func cipherAES(key, iv []byte, isRead bool) interface{} { 134 block, _ := aesNewCipher(key) 135 if isRead { 136 return cipher.NewCBCDecrypter(block, iv) 137 } 138 return cipher.NewCBCEncrypter(block, iv) 139 } 140 141 // macSHA1 returns a macFunction for the given protocol version. 142 func macSHA1(version uint16, key []byte) macFunction { 143 if version == VersionSSL30 { 144 mac := ssl30MAC{ 145 h: sha1.New(), 146 key: make([]byte, len(key)), 147 } 148 copy(mac.key, key) 149 return mac 150 } 151 return tls10MAC{h: hmac.New(newConstantTimeHash(sha1.New), key)} 152 } 153 154 // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2 155 // so the given version is ignored. 156 func macSHA256(version uint16, key []byte) macFunction { 157 return tls10MAC{h: hmac.New(sha256.New, key)} 158 } 159 160 type macFunction interface { 161 // Size returns the length of the MAC. 162 Size() int 163 // MAC appends the MAC of (seq, header, data) to out. The extra data is fed 164 // into the MAC after obtaining the result to normalize timing. The result 165 // is only valid until the next invocation of MAC as the buffer is reused. 166 MAC(seq, header, data, extra []byte) []byte 167 } 168 169 type aead interface { 170 cipher.AEAD 171 172 // explicitNonceLen returns the number of bytes of explicit nonce 173 // included in each record. This is eight for older AEADs and 174 // zero for modern ones. 175 explicitNonceLen() int 176 } 177 178 const ( 179 aeadNonceLength = 12 180 noncePrefixLength = 4 181 ) 182 183 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 184 // each call. 185 type prefixNonceAEAD struct { 186 // nonce contains the fixed part of the nonce in the first four bytes. 187 nonce [aeadNonceLength]byte 188 aead cipher.AEAD 189 } 190 191 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 192 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 193 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 194 195 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 196 copy(f.nonce[4:], nonce) 197 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 198 } 199 200 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 201 copy(f.nonce[4:], nonce) 202 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 203 } 204 205 // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 206 // before each call. 207 type xorNonceAEAD struct { 208 nonceMask [aeadNonceLength]byte 209 aead cipher.AEAD 210 } 211 212 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 213 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 214 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 215 216 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 217 for i, b := range nonce { 218 f.nonceMask[4+i] ^= b 219 } 220 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 221 for i, b := range nonce { 222 f.nonceMask[4+i] ^= b 223 } 224 225 return result 226 } 227 228 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 229 for i, b := range nonce { 230 f.nonceMask[4+i] ^= b 231 } 232 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 233 for i, b := range nonce { 234 f.nonceMask[4+i] ^= b 235 } 236 237 return result, err 238 } 239 240 func aeadAESGCM(key, noncePrefix []byte) aead { 241 if len(noncePrefix) != noncePrefixLength { 242 panic("tls: internal error: wrong nonce length") 243 } 244 aes, err := aesNewCipher(key) 245 if err != nil { 246 panic(err) 247 } 248 aead, err := cipher.NewGCM(aes) 249 if err != nil { 250 panic(err) 251 } 252 253 ret := &prefixNonceAEAD{aead: aead} 254 copy(ret.nonce[:], noncePrefix) 255 return ret 256 } 257 258 func aeadAESGCMTLS13(key, nonceMask []byte) aead { 259 if len(nonceMask) != aeadNonceLength { 260 panic("tls: internal error: wrong nonce length") 261 } 262 aes, err := aesNewCipher(key) 263 if err != nil { 264 panic(err) 265 } 266 aead, err := cipher.NewGCM(aes) 267 if err != nil { 268 panic(err) 269 } 270 271 ret := &xorNonceAEAD{aead: aead} 272 copy(ret.nonceMask[:], nonceMask) 273 return ret 274 } 275 276 func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 277 if len(nonceMask) != aeadNonceLength { 278 panic("tls: internal error: wrong nonce length") 279 } 280 aead, err := chacha20poly1305.New(key) 281 if err != nil { 282 panic(err) 283 } 284 285 ret := &xorNonceAEAD{aead: aead} 286 copy(ret.nonceMask[:], nonceMask) 287 return ret 288 } 289 290 // ssl30MAC implements the SSLv3 MAC function, as defined in 291 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1 292 type ssl30MAC struct { 293 h hash.Hash 294 key []byte 295 buf []byte 296 } 297 298 func (s ssl30MAC) Size() int { 299 return s.h.Size() 300 } 301 302 var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36} 303 304 var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c} 305 306 // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed 307 // useless considering the similar, protocol-level POODLE vulnerability. 308 func (s ssl30MAC) MAC(seq, header, data, extra []byte) []byte { 309 padLength := 48 310 if s.h.Size() == 20 { 311 padLength = 40 312 } 313 314 s.h.Reset() 315 s.h.Write(s.key) 316 s.h.Write(ssl30Pad1[:padLength]) 317 s.h.Write(seq) 318 s.h.Write(header[:1]) 319 s.h.Write(header[3:5]) 320 s.h.Write(data) 321 s.buf = s.h.Sum(s.buf[:0]) 322 323 s.h.Reset() 324 s.h.Write(s.key) 325 s.h.Write(ssl30Pad2[:padLength]) 326 s.h.Write(s.buf) 327 return s.h.Sum(s.buf[:0]) 328 } 329 330 type constantTimeHash interface { 331 hash.Hash 332 ConstantTimeSum(b []byte) []byte 333 } 334 335 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 336 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 337 type cthWrapper struct { 338 h constantTimeHash 339 } 340 341 func (c *cthWrapper) Size() int { return c.h.Size() } 342 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 343 func (c *cthWrapper) Reset() { c.h.Reset() } 344 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 345 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 346 347 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 348 return func() hash.Hash { 349 return &cthWrapper{h().(constantTimeHash)} 350 } 351 } 352 353 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 354 type tls10MAC struct { 355 h hash.Hash 356 buf []byte 357 } 358 359 func (s tls10MAC) Size() int { 360 return s.h.Size() 361 } 362 363 // MAC is guaranteed to take constant time, as long as 364 // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into 365 // the MAC, but is only provided to make the timing profile constant. 366 func (s tls10MAC) MAC(seq, header, data, extra []byte) []byte { 367 s.h.Reset() 368 s.h.Write(seq) 369 s.h.Write(header) 370 s.h.Write(data) 371 res := s.h.Sum(s.buf[:0]) 372 if extra != nil { 373 s.h.Write(extra) 374 } 375 return res 376 } 377 378 func rsaKA(version uint16) keyAgreement { 379 return rsaKeyAgreement{} 380 } 381 382 func ecdheECDSAKA(version uint16) keyAgreement { 383 return &ecdheKeyAgreement{ 384 isRSA: false, 385 version: version, 386 } 387 } 388 389 func ecdheRSAKA(version uint16) keyAgreement { 390 return &ecdheKeyAgreement{ 391 isRSA: true, 392 version: version, 393 } 394 } 395 396 // mutualCipherSuite returns a cipherSuite given a list of supported 397 // ciphersuites and the id requested by the peer. 398 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 399 for _, id := range have { 400 if id == want { 401 return cipherSuiteByID(id) 402 } 403 } 404 return nil 405 } 406 407 func cipherSuiteByID(id uint16) *cipherSuite { 408 for _, cipherSuite := range utlsSupportedCipherSuites { 409 if cipherSuite.id == id { 410 return cipherSuite 411 } 412 } 413 return nil 414 } 415 416 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 417 for _, id := range have { 418 if id == want { 419 return cipherSuiteTLS13ByID(id) 420 } 421 } 422 return nil 423 } 424 425 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 426 for _, cipherSuite := range cipherSuitesTLS13 { 427 if cipherSuite.id == id { 428 return cipherSuite 429 } 430 } 431 return nil 432 } 433 434 // A list of cipher suite IDs that are, or have been, implemented by this 435 // package. 436 // 437 // Taken from https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 438 const ( 439 // TLS 1.0 - 1.2 cipher suites. 440 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 441 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 442 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 443 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 444 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 445 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 446 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 447 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 448 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 449 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 450 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 451 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 452 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 453 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 454 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 455 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 456 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 457 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 458 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 459 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 460 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca8 461 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca9 462 463 // TLS 1.3 cipher suites. 464 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 465 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 466 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 467 468 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 469 // that the client is doing version fallback. See RFC 7507. 470 TLS_FALLBACK_SCSV uint16 = 0x5600 471 )