github.com/ooni/psiphon/tunnel-core@v0.0.0-20230105123940-fe12a24c96ee/oovendor/qtls-go1-15/cipher_suites.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package qtls 6 7 import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/rc4" 14 "crypto/sha1" 15 "crypto/sha256" 16 "crypto/x509" 17 "fmt" 18 "hash" 19 20 "golang.org/x/crypto/chacha20poly1305" 21 ) 22 23 // CipherSuite is a TLS cipher suite. Note that most functions in this package 24 // accept and expose cipher suite IDs instead of this type. 25 type CipherSuite struct { 26 ID uint16 27 Name string 28 29 // Supported versions is the list of TLS protocol versions that can 30 // negotiate this cipher suite. 31 SupportedVersions []uint16 32 33 // Insecure is true if the cipher suite has known security issues 34 // due to its primitives, design, or implementation. 35 Insecure bool 36 } 37 38 var ( 39 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} 40 supportedOnlyTLS12 = []uint16{VersionTLS12} 41 supportedOnlyTLS13 = []uint16{VersionTLS13} 42 ) 43 44 // CipherSuites returns a list of cipher suites currently implemented by this 45 // package, excluding those with security issues, which are returned by 46 // InsecureCipherSuites. 47 // 48 // The list is sorted by ID. Note that the default cipher suites selected by 49 // this package might depend on logic that can't be captured by a static list. 50 func CipherSuites() []*CipherSuite { 51 return []*CipherSuite{ 52 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 53 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 54 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 55 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 56 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 57 58 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, 59 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, 60 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, 61 62 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 63 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 64 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 73 } 74 } 75 76 // InsecureCipherSuites returns a list of cipher suites currently implemented by 77 // this package and which have security issues. 78 // 79 // Most applications should not use the cipher suites in this list, and should 80 // only use those returned by CipherSuites. 81 func InsecureCipherSuites() []*CipherSuite { 82 // RC4 suites are broken because RC4 is. 83 // CBC-SHA256 suites have no Lucky13 countermeasures. 84 return []*CipherSuite{ 85 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 86 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 87 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 88 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 89 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 90 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 91 } 92 } 93 94 // CipherSuiteName returns the standard name for the passed cipher suite ID 95 // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation 96 // of the ID value if the cipher suite is not implemented by this package. 97 func CipherSuiteName(id uint16) string { 98 for _, c := range CipherSuites() { 99 if c.ID == id { 100 return c.Name 101 } 102 } 103 for _, c := range InsecureCipherSuites() { 104 if c.ID == id { 105 return c.Name 106 } 107 } 108 return fmt.Sprintf("0x%04X", id) 109 } 110 111 // a keyAgreement implements the client and server side of a TLS key agreement 112 // protocol by generating and processing key exchange messages. 113 type keyAgreement interface { 114 // On the server side, the first two methods are called in order. 115 116 // In the case that the key agreement protocol doesn't use a 117 // ServerKeyExchange message, generateServerKeyExchange can return nil, 118 // nil. 119 generateServerKeyExchange(*config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 120 processClientKeyExchange(*config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 121 122 // On the client side, the next two methods are called in order. 123 124 // This method may not be called if the server doesn't send a 125 // ServerKeyExchange message. 126 processServerKeyExchange(*config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 127 generateClientKeyExchange(*config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 128 } 129 130 const ( 131 // suiteECDHE indicates that the cipher suite involves elliptic curve 132 // Diffie-Hellman. This means that it should only be selected when the 133 // client indicates that it supports ECC with a curve and point format 134 // that we're happy with. 135 suiteECDHE = 1 << iota 136 // suiteECSign indicates that the cipher suite involves an ECDSA or 137 // EdDSA signature and therefore may only be selected when the server's 138 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite 139 // is RSA based. 140 suiteECSign 141 // suiteTLS12 indicates that the cipher suite should only be advertised 142 // and accepted when using TLS 1.2. 143 suiteTLS12 144 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 145 // handshake hash. 146 suiteSHA384 147 // suiteDefaultOff indicates that this cipher suite is not included by 148 // default. 149 suiteDefaultOff 150 ) 151 152 // A cipherSuite is a specific combination of key agreement, cipher and MAC function. 153 type cipherSuite struct { 154 id uint16 155 // the lengths, in bytes, of the key material needed for each component. 156 keyLen int 157 macLen int 158 ivLen int 159 ka func(version uint16) keyAgreement 160 // flags is a bitmask of the suite* values, above. 161 flags int 162 cipher func(key, iv []byte, isRead bool) interface{} 163 mac func(version uint16, macKey []byte) macFunction 164 aead func(key, fixedNonce []byte) aead 165 } 166 167 var cipherSuites = []*cipherSuite{ 168 // Ciphersuite order is chosen so that ECDHE comes before plain RSA and 169 // AEADs are the top preference. 170 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 171 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 172 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 173 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, 174 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 175 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 176 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 177 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 178 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 179 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 180 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 181 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 182 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 183 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 184 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 185 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 186 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 187 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 188 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 189 190 // RC4-based cipher suites are disabled by default. 191 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil}, 192 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil}, 193 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteDefaultOff, cipherRC4, macSHA1, nil}, 194 } 195 196 // selectCipherSuite returns the first cipher suite from ids which is also in 197 // supportedIDs and passes the ok filter. 198 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { 199 for _, id := range ids { 200 candidate := cipherSuiteByID(id) 201 if candidate == nil || !ok(candidate) { 202 continue 203 } 204 205 for _, suppID := range supportedIDs { 206 if id == suppID { 207 return candidate 208 } 209 } 210 } 211 return nil 212 } 213 214 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 215 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 216 type cipherSuiteTLS13 struct { 217 id uint16 218 keyLen int 219 aead func(key, fixedNonce []byte) aead 220 hash crypto.Hash 221 } 222 223 type CipherSuiteTLS13 struct { 224 ID uint16 225 KeyLen int 226 Hash crypto.Hash 227 AEAD func(key, fixedNonce []byte) cipher.AEAD 228 } 229 230 func (c *CipherSuiteTLS13) IVLen() int { 231 return aeadNonceLength 232 } 233 234 var cipherSuitesTLS13 = []*cipherSuiteTLS13{ 235 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 236 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 237 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 238 } 239 240 func cipherRC4(key, iv []byte, isRead bool) interface{} { 241 cipher, _ := rc4.NewCipher(key) 242 return cipher 243 } 244 245 func cipher3DES(key, iv []byte, isRead bool) interface{} { 246 block, _ := des.NewTripleDESCipher(key) 247 if isRead { 248 return cipher.NewCBCDecrypter(block, iv) 249 } 250 return cipher.NewCBCEncrypter(block, iv) 251 } 252 253 func cipherAES(key, iv []byte, isRead bool) interface{} { 254 block, _ := aes.NewCipher(key) 255 if isRead { 256 return cipher.NewCBCDecrypter(block, iv) 257 } 258 return cipher.NewCBCEncrypter(block, iv) 259 } 260 261 // macSHA1 returns a macFunction for the given protocol version. 262 func macSHA1(version uint16, key []byte) macFunction { 263 return tls10MAC{h: hmac.New(newConstantTimeHash(sha1.New), key)} 264 } 265 266 // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2 267 // so the given version is ignored. 268 func macSHA256(version uint16, key []byte) macFunction { 269 return tls10MAC{h: hmac.New(sha256.New, key)} 270 } 271 272 type macFunction interface { 273 // Size returns the length of the MAC. 274 Size() int 275 // MAC appends the MAC of (seq, header, data) to out. The extra data is fed 276 // into the MAC after obtaining the result to normalize timing. The result 277 // is only valid until the next invocation of MAC as the buffer is reused. 278 MAC(seq, header, data, extra []byte) []byte 279 } 280 281 type aead interface { 282 cipher.AEAD 283 284 // explicitNonceLen returns the number of bytes of explicit nonce 285 // included in each record. This is eight for older AEADs and 286 // zero for modern ones. 287 explicitNonceLen() int 288 } 289 290 const ( 291 aeadNonceLength = 12 292 noncePrefixLength = 4 293 ) 294 295 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 296 // each call. 297 type prefixNonceAEAD struct { 298 // nonce contains the fixed part of the nonce in the first four bytes. 299 nonce [aeadNonceLength]byte 300 aead cipher.AEAD 301 } 302 303 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 304 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 305 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 306 307 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 308 copy(f.nonce[4:], nonce) 309 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 310 } 311 312 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 313 copy(f.nonce[4:], nonce) 314 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 315 } 316 317 // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 318 // before each call. 319 type xorNonceAEAD struct { 320 nonceMask [aeadNonceLength]byte 321 aead cipher.AEAD 322 } 323 324 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 325 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 326 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 327 328 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 329 for i, b := range nonce { 330 f.nonceMask[4+i] ^= b 331 } 332 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 333 for i, b := range nonce { 334 f.nonceMask[4+i] ^= b 335 } 336 337 return result 338 } 339 340 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 341 for i, b := range nonce { 342 f.nonceMask[4+i] ^= b 343 } 344 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 345 for i, b := range nonce { 346 f.nonceMask[4+i] ^= b 347 } 348 349 return result, err 350 } 351 352 func aeadAESGCM(key, noncePrefix []byte) aead { 353 if len(noncePrefix) != noncePrefixLength { 354 panic("tls: internal error: wrong nonce length") 355 } 356 aes, err := aes.NewCipher(key) 357 if err != nil { 358 panic(err) 359 } 360 aead, err := cipher.NewGCM(aes) 361 if err != nil { 362 panic(err) 363 } 364 365 ret := &prefixNonceAEAD{aead: aead} 366 copy(ret.nonce[:], noncePrefix) 367 return ret 368 } 369 370 // AEADAESGCMTLS13 creates a new AES-GCM AEAD for TLS 1.3 371 func AEADAESGCMTLS13(key, fixedNonce []byte) cipher.AEAD { 372 return aeadAESGCMTLS13(key, fixedNonce) 373 } 374 375 func aeadAESGCMTLS13(key, nonceMask []byte) aead { 376 if len(nonceMask) != aeadNonceLength { 377 panic("tls: internal error: wrong nonce length") 378 } 379 aes, err := aes.NewCipher(key) 380 if err != nil { 381 panic(err) 382 } 383 aead, err := cipher.NewGCM(aes) 384 if err != nil { 385 panic(err) 386 } 387 388 ret := &xorNonceAEAD{aead: aead} 389 copy(ret.nonceMask[:], nonceMask) 390 return ret 391 } 392 393 func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 394 if len(nonceMask) != aeadNonceLength { 395 panic("tls: internal error: wrong nonce length") 396 } 397 aead, err := chacha20poly1305.New(key) 398 if err != nil { 399 panic(err) 400 } 401 402 ret := &xorNonceAEAD{aead: aead} 403 copy(ret.nonceMask[:], nonceMask) 404 return ret 405 } 406 407 type constantTimeHash interface { 408 hash.Hash 409 ConstantTimeSum(b []byte) []byte 410 } 411 412 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 413 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 414 type cthWrapper struct { 415 h constantTimeHash 416 } 417 418 func (c *cthWrapper) Size() int { return c.h.Size() } 419 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 420 func (c *cthWrapper) Reset() { c.h.Reset() } 421 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 422 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 423 424 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 425 return func() hash.Hash { 426 return &cthWrapper{h().(constantTimeHash)} 427 } 428 } 429 430 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 431 type tls10MAC struct { 432 h hash.Hash 433 buf []byte 434 } 435 436 func (s tls10MAC) Size() int { 437 return s.h.Size() 438 } 439 440 // MAC is guaranteed to take constant time, as long as 441 // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into 442 // the MAC, but is only provided to make the timing profile constant. 443 func (s tls10MAC) MAC(seq, header, data, extra []byte) []byte { 444 s.h.Reset() 445 s.h.Write(seq) 446 s.h.Write(header) 447 s.h.Write(data) 448 res := s.h.Sum(s.buf[:0]) 449 if extra != nil { 450 s.h.Write(extra) 451 } 452 return res 453 } 454 455 func rsaKA(version uint16) keyAgreement { 456 return rsaKeyAgreement{} 457 } 458 459 func ecdheECDSAKA(version uint16) keyAgreement { 460 return &ecdheKeyAgreement{ 461 isRSA: false, 462 version: version, 463 } 464 } 465 466 func ecdheRSAKA(version uint16) keyAgreement { 467 return &ecdheKeyAgreement{ 468 isRSA: true, 469 version: version, 470 } 471 } 472 473 // mutualCipherSuite returns a cipherSuite given a list of supported 474 // ciphersuites and the id requested by the peer. 475 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 476 for _, id := range have { 477 if id == want { 478 return cipherSuiteByID(id) 479 } 480 } 481 return nil 482 } 483 484 func cipherSuiteByID(id uint16) *cipherSuite { 485 for _, cipherSuite := range cipherSuites { 486 if cipherSuite.id == id { 487 return cipherSuite 488 } 489 } 490 return nil 491 } 492 493 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 494 for _, id := range have { 495 if id == want { 496 return cipherSuiteTLS13ByID(id) 497 } 498 } 499 return nil 500 } 501 502 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 503 for _, cipherSuite := range cipherSuitesTLS13 { 504 if cipherSuite.id == id { 505 return cipherSuite 506 } 507 } 508 return nil 509 } 510 511 // A list of cipher suite IDs that are, or have been, implemented by this 512 // package. 513 // 514 // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 515 const ( 516 // TLS 1.0 - 1.2 cipher suites. 517 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 518 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 519 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 520 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 521 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 522 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 523 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 524 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 525 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 526 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 527 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 528 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 529 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 530 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 531 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 532 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 533 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 534 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 535 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 536 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 537 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 538 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 539 540 // TLS 1.3 cipher suites. 541 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 542 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 543 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 544 545 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 546 // that the client is doing version fallback. See RFC 7507. 547 TLS_FALLBACK_SCSV uint16 = 0x5600 548 549 // Legacy names for the corresponding cipher suites with the correct _SHA256 550 // suffix, retained for backward compatibility. 551 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 552 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 553 )