github.com/ice-blockchain/go/src@v0.0.0-20240403114104-1564d284e521/crypto/tls/cipher_suites.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/internal/boring" 14 "crypto/rc4" 15 "crypto/sha1" 16 "crypto/sha256" 17 "fmt" 18 "hash" 19 "internal/cpu" 20 "runtime" 21 22 "golang.org/x/crypto/chacha20poly1305" 23 ) 24 25 // CipherSuite is a TLS cipher suite. Note that most functions in this package 26 // accept and expose cipher suite IDs instead of this type. 27 type CipherSuite struct { 28 ID uint16 29 Name string 30 31 // Supported versions is the list of TLS protocol versions that can 32 // negotiate this cipher suite. 33 SupportedVersions []uint16 34 35 // Insecure is true if the cipher suite has known security issues 36 // due to its primitives, design, or implementation. 37 Insecure bool 38 } 39 40 var ( 41 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} 42 supportedOnlyTLS12 = []uint16{VersionTLS12} 43 supportedOnlyTLS13 = []uint16{VersionTLS13} 44 ) 45 46 // CipherSuites returns a list of cipher suites currently implemented by this 47 // package, excluding those with security issues, which are returned by 48 // [InsecureCipherSuites]. 49 // 50 // The list is sorted by ID. Note that the default cipher suites selected by 51 // this package might depend on logic that can't be captured by a static list, 52 // and might not match those returned by this function. 53 func CipherSuites() []*CipherSuite { 54 return []*CipherSuite{ 55 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, 56 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, 57 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, 58 59 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 60 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 61 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 62 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 63 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 64 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 65 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 66 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 67 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 68 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 69 } 70 } 71 72 // InsecureCipherSuites returns a list of cipher suites currently implemented by 73 // this package and which have security issues. 74 // 75 // Most applications should not use the cipher suites in this list, and should 76 // only use those returned by [CipherSuites]. 77 func InsecureCipherSuites() []*CipherSuite { 78 // This list includes RC4, CBC_SHA256, and 3DES cipher suites. See 79 // cipherSuitesPreferenceOrder for details. 80 return []*CipherSuite{ 81 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 82 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, 83 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, true}, 84 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, true}, 85 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 86 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, true}, 87 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, true}, 88 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 89 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 90 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, 91 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 92 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 93 } 94 } 95 96 // CipherSuiteName returns the standard name for the passed cipher suite ID 97 // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation 98 // of the ID value if the cipher suite is not implemented by this package. 99 func CipherSuiteName(id uint16) string { 100 for _, c := range CipherSuites() { 101 if c.ID == id { 102 return c.Name 103 } 104 } 105 for _, c := range InsecureCipherSuites() { 106 if c.ID == id { 107 return c.Name 108 } 109 } 110 return fmt.Sprintf("0x%04X", id) 111 } 112 113 const ( 114 // suiteECDHE indicates that the cipher suite involves elliptic curve 115 // Diffie-Hellman. This means that it should only be selected when the 116 // client indicates that it supports ECC with a curve and point format 117 // that we're happy with. 118 suiteECDHE = 1 << iota 119 // suiteECSign indicates that the cipher suite involves an ECDSA or 120 // EdDSA signature and therefore may only be selected when the server's 121 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite 122 // is RSA based. 123 suiteECSign 124 // suiteTLS12 indicates that the cipher suite should only be advertised 125 // and accepted when using TLS 1.2. 126 suiteTLS12 127 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 128 // handshake hash. 129 suiteSHA384 130 ) 131 132 // A cipherSuite is a TLS 1.0–1.2 cipher suite, and defines the key exchange 133 // mechanism, as well as the cipher+MAC pair or the AEAD. 134 type cipherSuite struct { 135 id uint16 136 // the lengths, in bytes, of the key material needed for each component. 137 keyLen int 138 macLen int 139 ivLen int 140 ka func(version uint16) keyAgreement 141 // flags is a bitmask of the suite* values, above. 142 flags int 143 cipher func(key, iv []byte, isRead bool) any 144 mac func(key []byte) hash.Hash 145 aead func(key, fixedNonce []byte) aead 146 } 147 148 var cipherSuites = []*cipherSuite{ // TODO: replace with a map, since the order doesn't matter. 149 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 150 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 151 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 152 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, 153 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 154 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 155 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, 156 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 157 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil}, 158 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 159 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 160 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 161 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 162 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 163 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 164 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 165 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 166 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 167 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 168 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil}, 169 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil}, 170 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil}, 171 } 172 173 // selectCipherSuite returns the first TLS 1.0–1.2 cipher suite from ids which 174 // is also in supportedIDs and passes the ok filter. 175 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { 176 for _, id := range ids { 177 candidate := cipherSuiteByID(id) 178 if candidate == nil || !ok(candidate) { 179 continue 180 } 181 182 for _, suppID := range supportedIDs { 183 if id == suppID { 184 return candidate 185 } 186 } 187 } 188 return nil 189 } 190 191 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 192 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 193 type cipherSuiteTLS13 struct { 194 id uint16 195 keyLen int 196 aead func(key, fixedNonce []byte) aead 197 hash crypto.Hash 198 } 199 200 var cipherSuitesTLS13 = []*cipherSuiteTLS13{ // TODO: replace with a map. 201 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 202 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 203 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 204 } 205 206 // cipherSuitesPreferenceOrder is the order in which we'll select (on the 207 // server) or advertise (on the client) TLS 1.0–1.2 cipher suites. 208 // 209 // Cipher suites are filtered but not reordered based on the application and 210 // peer's preferences, meaning we'll never select a suite lower in this list if 211 // any higher one is available. This makes it more defensible to keep weaker 212 // cipher suites enabled, especially on the server side where we get the last 213 // word, since there are no known downgrade attacks on cipher suites selection. 214 // 215 // The list is sorted by applying the following priority rules, stopping at the 216 // first (most important) applicable one: 217 // 218 // - Anything else comes before RC4 219 // 220 // RC4 has practically exploitable biases. See https://www.rc4nomore.com. 221 // 222 // - Anything else comes before CBC_SHA256 223 // 224 // SHA-256 variants of the CBC ciphersuites don't implement any Lucky13 225 // countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and 226 // https://www.imperialviolet.org/2013/02/04/luckythirteen.html. 227 // 228 // - Anything else comes before 3DES 229 // 230 // 3DES has 64-bit blocks, which makes it fundamentally susceptible to 231 // birthday attacks. See https://sweet32.info. 232 // 233 // - ECDHE comes before anything else 234 // 235 // Once we got the broken stuff out of the way, the most important 236 // property a cipher suite can have is forward secrecy. We don't 237 // implement FFDHE, so that means ECDHE. 238 // 239 // - AEADs come before CBC ciphers 240 // 241 // Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites 242 // are fundamentally fragile, and suffered from an endless sequence of 243 // padding oracle attacks. See https://eprint.iacr.org/2015/1129, 244 // https://www.imperialviolet.org/2014/12/08/poodleagain.html, and 245 // https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/. 246 // 247 // - AES comes before ChaCha20 248 // 249 // When AES hardware is available, AES-128-GCM and AES-256-GCM are faster 250 // than ChaCha20Poly1305. 251 // 252 // When AES hardware is not available, AES-128-GCM is one or more of: much 253 // slower, way more complex, and less safe (because not constant time) 254 // than ChaCha20Poly1305. 255 // 256 // We use this list if we think both peers have AES hardware, and 257 // cipherSuitesPreferenceOrderNoAES otherwise. 258 // 259 // - AES-128 comes before AES-256 260 // 261 // The only potential advantages of AES-256 are better multi-target 262 // margins, and hypothetical post-quantum properties. Neither apply to 263 // TLS, and AES-256 is slower due to its four extra rounds (which don't 264 // contribute to the advantages above). 265 // 266 // - ECDSA comes before RSA 267 // 268 // The relative order of ECDSA and RSA cipher suites doesn't matter, 269 // as they depend on the certificate. Pick one to get a stable order. 270 var cipherSuitesPreferenceOrder = []uint16{ 271 // AEADs w/ ECDHE 272 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 273 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 274 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 275 276 // CBC w/ ECDHE 277 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 278 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 279 280 // AEADs w/o ECDHE 281 TLS_RSA_WITH_AES_128_GCM_SHA256, 282 TLS_RSA_WITH_AES_256_GCM_SHA384, 283 284 // CBC w/o ECDHE 285 TLS_RSA_WITH_AES_128_CBC_SHA, 286 TLS_RSA_WITH_AES_256_CBC_SHA, 287 288 // 3DES 289 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 290 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 291 292 // CBC_SHA256 293 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 294 TLS_RSA_WITH_AES_128_CBC_SHA256, 295 296 // RC4 297 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, 298 TLS_RSA_WITH_RC4_128_SHA, 299 } 300 301 var cipherSuitesPreferenceOrderNoAES = []uint16{ 302 // ChaCha20Poly1305 303 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 304 305 // AES-GCM w/ ECDHE 306 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 307 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 308 309 // The rest of cipherSuitesPreferenceOrder. 310 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 311 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 312 TLS_RSA_WITH_AES_128_GCM_SHA256, 313 TLS_RSA_WITH_AES_256_GCM_SHA384, 314 TLS_RSA_WITH_AES_128_CBC_SHA, 315 TLS_RSA_WITH_AES_256_CBC_SHA, 316 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 317 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 318 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 319 TLS_RSA_WITH_AES_128_CBC_SHA256, 320 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, 321 TLS_RSA_WITH_RC4_128_SHA, 322 } 323 324 // disabledCipherSuites are not used unless explicitly listed in Config.CipherSuites. 325 var disabledCipherSuites = map[uint16]bool{ 326 // CBC_SHA256 327 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: true, 328 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: true, 329 TLS_RSA_WITH_AES_128_CBC_SHA256: true, 330 331 // RC4 332 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: true, 333 TLS_ECDHE_RSA_WITH_RC4_128_SHA: true, 334 TLS_RSA_WITH_RC4_128_SHA: true, 335 } 336 337 // rsaKexCiphers contains the ciphers which use RSA based key exchange, 338 // which we also disable by default unless a GODEBUG is set. 339 var rsaKexCiphers = map[uint16]bool{ 340 TLS_RSA_WITH_RC4_128_SHA: true, 341 TLS_RSA_WITH_3DES_EDE_CBC_SHA: true, 342 TLS_RSA_WITH_AES_128_CBC_SHA: true, 343 TLS_RSA_WITH_AES_256_CBC_SHA: true, 344 TLS_RSA_WITH_AES_128_CBC_SHA256: true, 345 TLS_RSA_WITH_AES_128_GCM_SHA256: true, 346 TLS_RSA_WITH_AES_256_GCM_SHA384: true, 347 } 348 349 var defaultCipherSuites []uint16 350 var defaultCipherSuitesWithRSAKex []uint16 351 352 func init() { 353 defaultCipherSuites = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) 354 defaultCipherSuitesWithRSAKex = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) 355 for _, c := range cipherSuitesPreferenceOrder { 356 if disabledCipherSuites[c] { 357 continue 358 } 359 if !rsaKexCiphers[c] { 360 defaultCipherSuites = append(defaultCipherSuites, c) 361 } 362 defaultCipherSuitesWithRSAKex = append(defaultCipherSuitesWithRSAKex, c) 363 } 364 } 365 366 // defaultCipherSuitesTLS13 is also the preference order, since there are no 367 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as 368 // cipherSuitesPreferenceOrder applies. 369 var defaultCipherSuitesTLS13 = []uint16{ 370 TLS_AES_128_GCM_SHA256, 371 TLS_AES_256_GCM_SHA384, 372 TLS_CHACHA20_POLY1305_SHA256, 373 } 374 375 var defaultCipherSuitesTLS13NoAES = []uint16{ 376 TLS_CHACHA20_POLY1305_SHA256, 377 TLS_AES_128_GCM_SHA256, 378 TLS_AES_256_GCM_SHA384, 379 } 380 381 var ( 382 hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ 383 hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL 384 // Keep in sync with crypto/aes/cipher_s390x.go. 385 hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && 386 (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM) 387 388 hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 || 389 runtime.GOARCH == "arm64" && hasGCMAsmARM64 || 390 runtime.GOARCH == "s390x" && hasGCMAsmS390X 391 ) 392 393 var aesgcmCiphers = map[uint16]bool{ 394 // TLS 1.2 395 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true, 396 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: true, 397 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true, 398 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true, 399 // TLS 1.3 400 TLS_AES_128_GCM_SHA256: true, 401 TLS_AES_256_GCM_SHA384: true, 402 } 403 404 // aesgcmPreferred returns whether the first known cipher in the preference list 405 // is an AES-GCM cipher, implying the peer has hardware support for it. 406 func aesgcmPreferred(ciphers []uint16) bool { 407 for _, cID := range ciphers { 408 if c := cipherSuiteByID(cID); c != nil { 409 return aesgcmCiphers[cID] 410 } 411 if c := cipherSuiteTLS13ByID(cID); c != nil { 412 return aesgcmCiphers[cID] 413 } 414 } 415 return false 416 } 417 418 func cipherRC4(key, iv []byte, isRead bool) any { 419 cipher, _ := rc4.NewCipher(key) 420 return cipher 421 } 422 423 func cipher3DES(key, iv []byte, isRead bool) any { 424 block, _ := des.NewTripleDESCipher(key) 425 if isRead { 426 return cipher.NewCBCDecrypter(block, iv) 427 } 428 return cipher.NewCBCEncrypter(block, iv) 429 } 430 431 func cipherAES(key, iv []byte, isRead bool) any { 432 block, _ := aes.NewCipher(key) 433 if isRead { 434 return cipher.NewCBCDecrypter(block, iv) 435 } 436 return cipher.NewCBCEncrypter(block, iv) 437 } 438 439 // macSHA1 returns a SHA-1 based constant time MAC. 440 func macSHA1(key []byte) hash.Hash { 441 h := sha1.New 442 // The BoringCrypto SHA1 does not have a constant-time 443 // checksum function, so don't try to use it. 444 if !boring.Enabled { 445 h = newConstantTimeHash(h) 446 } 447 return hmac.New(h, key) 448 } 449 450 // macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and 451 // is currently only used in disabled-by-default cipher suites. 452 func macSHA256(key []byte) hash.Hash { 453 return hmac.New(sha256.New, key) 454 } 455 456 type aead interface { 457 cipher.AEAD 458 459 // explicitNonceLen returns the number of bytes of explicit nonce 460 // included in each record. This is eight for older AEADs and 461 // zero for modern ones. 462 explicitNonceLen() int 463 } 464 465 const ( 466 aeadNonceLength = 12 467 noncePrefixLength = 4 468 ) 469 470 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 471 // each call. 472 type prefixNonceAEAD struct { 473 // nonce contains the fixed part of the nonce in the first four bytes. 474 nonce [aeadNonceLength]byte 475 aead cipher.AEAD 476 } 477 478 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 479 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 480 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 481 482 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 483 copy(f.nonce[4:], nonce) 484 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 485 } 486 487 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 488 copy(f.nonce[4:], nonce) 489 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 490 } 491 492 // xorNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 493 // before each call. 494 type xorNonceAEAD struct { 495 nonceMask [aeadNonceLength]byte 496 aead cipher.AEAD 497 } 498 499 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 500 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 501 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 502 503 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 504 for i, b := range nonce { 505 f.nonceMask[4+i] ^= b 506 } 507 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 508 for i, b := range nonce { 509 f.nonceMask[4+i] ^= b 510 } 511 512 return result 513 } 514 515 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 516 for i, b := range nonce { 517 f.nonceMask[4+i] ^= b 518 } 519 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 520 for i, b := range nonce { 521 f.nonceMask[4+i] ^= b 522 } 523 524 return result, err 525 } 526 527 func aeadAESGCM(key, noncePrefix []byte) aead { 528 if len(noncePrefix) != noncePrefixLength { 529 panic("tls: internal error: wrong nonce length") 530 } 531 aes, err := aes.NewCipher(key) 532 if err != nil { 533 panic(err) 534 } 535 var aead cipher.AEAD 536 if boring.Enabled { 537 aead, err = boring.NewGCMTLS(aes) 538 } else { 539 boring.Unreachable() 540 aead, err = cipher.NewGCM(aes) 541 } 542 if err != nil { 543 panic(err) 544 } 545 546 ret := &prefixNonceAEAD{aead: aead} 547 copy(ret.nonce[:], noncePrefix) 548 return ret 549 } 550 551 func aeadAESGCMTLS13(key, nonceMask []byte) aead { 552 if len(nonceMask) != aeadNonceLength { 553 panic("tls: internal error: wrong nonce length") 554 } 555 aes, err := aes.NewCipher(key) 556 if err != nil { 557 panic(err) 558 } 559 aead, err := cipher.NewGCM(aes) 560 if err != nil { 561 panic(err) 562 } 563 564 ret := &xorNonceAEAD{aead: aead} 565 copy(ret.nonceMask[:], nonceMask) 566 return ret 567 } 568 569 func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 570 if len(nonceMask) != aeadNonceLength { 571 panic("tls: internal error: wrong nonce length") 572 } 573 aead, err := chacha20poly1305.New(key) 574 if err != nil { 575 panic(err) 576 } 577 578 ret := &xorNonceAEAD{aead: aead} 579 copy(ret.nonceMask[:], nonceMask) 580 return ret 581 } 582 583 type constantTimeHash interface { 584 hash.Hash 585 ConstantTimeSum(b []byte) []byte 586 } 587 588 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 589 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 590 type cthWrapper struct { 591 h constantTimeHash 592 } 593 594 func (c *cthWrapper) Size() int { return c.h.Size() } 595 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 596 func (c *cthWrapper) Reset() { c.h.Reset() } 597 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 598 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 599 600 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 601 boring.Unreachable() 602 return func() hash.Hash { 603 return &cthWrapper{h().(constantTimeHash)} 604 } 605 } 606 607 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 608 func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte { 609 h.Reset() 610 h.Write(seq) 611 h.Write(header) 612 h.Write(data) 613 res := h.Sum(out) 614 if extra != nil { 615 h.Write(extra) 616 } 617 return res 618 } 619 620 func rsaKA(version uint16) keyAgreement { 621 return rsaKeyAgreement{} 622 } 623 624 func ecdheECDSAKA(version uint16) keyAgreement { 625 return &ecdheKeyAgreement{ 626 isRSA: false, 627 version: version, 628 } 629 } 630 631 func ecdheRSAKA(version uint16) keyAgreement { 632 return &ecdheKeyAgreement{ 633 isRSA: true, 634 version: version, 635 } 636 } 637 638 // mutualCipherSuite returns a cipherSuite given a list of supported 639 // ciphersuites and the id requested by the peer. 640 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 641 for _, id := range have { 642 if id == want { 643 return cipherSuiteByID(id) 644 } 645 } 646 return nil 647 } 648 649 func cipherSuiteByID(id uint16) *cipherSuite { 650 for _, cipherSuite := range cipherSuites { 651 if cipherSuite.id == id { 652 return cipherSuite 653 } 654 } 655 return nil 656 } 657 658 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 659 for _, id := range have { 660 if id == want { 661 return cipherSuiteTLS13ByID(id) 662 } 663 } 664 return nil 665 } 666 667 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 668 for _, cipherSuite := range cipherSuitesTLS13 { 669 if cipherSuite.id == id { 670 return cipherSuite 671 } 672 } 673 return nil 674 } 675 676 // A list of cipher suite IDs that are, or have been, implemented by this 677 // package. 678 // 679 // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 680 const ( 681 // TLS 1.0 - 1.2 cipher suites. 682 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 683 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 684 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 685 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 686 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 687 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 688 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 689 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 690 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 691 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 692 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 693 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 694 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 695 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 696 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 697 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 698 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 699 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 700 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 701 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 702 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 703 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 704 705 // TLS 1.3 cipher suites. 706 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 707 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 708 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 709 710 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 711 // that the client is doing version fallback. See RFC 7507. 712 TLS_FALLBACK_SCSV uint16 = 0x5600 713 714 // Legacy names for the corresponding cipher suites with the correct _SHA256 715 // suffix, retained for backward compatibility. 716 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 717 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 718 )