github.com/x04/go/src@v0.0.0-20200202162449-3d481ceb3525/crypto/tls/cipher_suites.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "github.com/x04/go/src/crypto" 9 "github.com/x04/go/src/crypto/aes" 10 "github.com/x04/go/src/crypto/cipher" 11 "github.com/x04/go/src/crypto/des" 12 "github.com/x04/go/src/crypto/hmac" 13 "github.com/x04/go/src/crypto/rc4" 14 "github.com/x04/go/src/crypto/sha1" 15 "github.com/x04/go/src/crypto/sha256" 16 "github.com/x04/go/src/crypto/x509" 17 "github.com/x04/go/src/fmt" 18 "github.com/x04/go/src/hash" 19 20 "github.com/x04/go/src/golang.org/x/crypto/chacha20poly1305" 21 ) 22 23 // CipherSuite is a TLS cipher suite. Note that most functions in this package 24 // accept and expose cipher suite IDs instead of this type. 25 type CipherSuite struct { 26 ID uint16 27 Name string 28 29 // Supported versions is the list of TLS protocol versions that can 30 // negotiate this cipher suite. 31 SupportedVersions []uint16 32 33 // Insecure is true if the cipher suite has known security issues 34 // due to its primitives, design, or implementation. 35 Insecure bool 36 } 37 38 var ( 39 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} 40 supportedOnlyTLS12 = []uint16{VersionTLS12} 41 supportedOnlyTLS13 = []uint16{VersionTLS13} 42 ) 43 44 // CipherSuites returns a list of cipher suites currently implemented by this 45 // package, excluding those with security issues, which are returned by 46 // InsecureCipherSuites. 47 // 48 // The list is sorted by ID. Note that the default cipher suites selected by 49 // this package might depend on logic that can't be captured by a static list. 50 func CipherSuites() []*CipherSuite { 51 return []*CipherSuite{ 52 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 53 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 54 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 55 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 56 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 57 58 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, 59 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, 60 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, 61 62 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 63 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 64 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 73 } 74 } 75 76 // InsecureCipherSuites returns a list of cipher suites currently implemented by 77 // this package and which have security issues. 78 // 79 // Most applications should not use the cipher suites in this list, and should 80 // only use those returned by CipherSuites. 81 func InsecureCipherSuites() []*CipherSuite { 82 // RC4 suites are broken because RC4 is. 83 // CBC-SHA256 suites have no Lucky13 countermeasures. 84 return []*CipherSuite{ 85 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 86 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 87 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 88 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 89 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 90 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 91 } 92 } 93 94 // CipherSuiteName returns the standard name for the passed cipher suite ID 95 // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation 96 // of the ID value if the cipher suite is not implemented by this package. 97 func CipherSuiteName(id uint16) string { 98 for _, c := range CipherSuites() { 99 if c.ID == id { 100 return c.Name 101 } 102 } 103 for _, c := range InsecureCipherSuites() { 104 if c.ID == id { 105 return c.Name 106 } 107 } 108 return fmt.Sprintf("0x%04X", id) 109 } 110 111 // a keyAgreement implements the client and server side of a TLS key agreement 112 // protocol by generating and processing key exchange messages. 113 type keyAgreement interface { 114 // On the server side, the first two methods are called in order. 115 116 // In the case that the key agreement protocol doesn't use a 117 // ServerKeyExchange message, generateServerKeyExchange can return nil, 118 // nil. 119 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 120 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 121 122 // On the client side, the next two methods are called in order. 123 124 // This method may not be called if the server doesn't send a 125 // ServerKeyExchange message. 126 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 127 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 128 } 129 130 const ( 131 // suiteECDHE indicates that the cipher suite involves elliptic curve 132 // Diffie-Hellman. This means that it should only be selected when the 133 // client indicates that it supports ECC with a curve and point format 134 // that we're happy with. 135 suiteECDHE = 1 << iota 136 // suiteECSign indicates that the cipher suite involves an ECDSA or 137 // EdDSA signature and therefore may only be selected when the server's 138 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite 139 // is RSA based. 140 suiteECSign 141 // suiteTLS12 indicates that the cipher suite should only be advertised 142 // and accepted when using TLS 1.2. 143 suiteTLS12 144 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 145 // handshake hash. 146 suiteSHA384 147 // suiteDefaultOff indicates that this cipher suite is not included by 148 // default. 149 suiteDefaultOff 150 ) 151 152 // A cipherSuite is a specific combination of key agreement, cipher and MAC function. 153 type cipherSuite struct { 154 id uint16 155 // the lengths, in bytes, of the key material needed for each component. 156 keyLen int 157 macLen int 158 ivLen int 159 ka func(version uint16) keyAgreement 160 // flags is a bitmask of the suite* values, above. 161 flags int 162 cipher func(key, iv []byte, isRead bool) interface{} 163 mac func(version uint16, macKey []byte) macFunction 164 aead func(key, fixedNonce []byte) aead 165 } 166 167 var cipherSuites = []*cipherSuite{ 168 // Ciphersuite order is chosen so that ECDHE comes before plain RSA and 169 // AEADs are the top preference. 170 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 171 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 172 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 173 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, 174 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 175 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 176 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 177 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 178 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 179 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 180 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 181 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 182 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 183 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 184 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 185 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 186 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 187 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 188 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 189 190 // RC4-based cipher suites are disabled by default. 191 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil}, 192 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil}, 193 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteDefaultOff, cipherRC4, macSHA1, nil}, 194 } 195 196 // selectCipherSuite returns the first cipher suite from ids which is also in 197 // supportedIDs and passes the ok filter. 198 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { 199 for _, id := range ids { 200 candidate := cipherSuiteByID(id) 201 if candidate == nil || !ok(candidate) { 202 continue 203 } 204 205 for _, suppID := range supportedIDs { 206 if id == suppID { 207 return candidate 208 } 209 } 210 } 211 return nil 212 } 213 214 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 215 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 216 type cipherSuiteTLS13 struct { 217 id uint16 218 keyLen int 219 aead func(key, fixedNonce []byte) aead 220 hash crypto.Hash 221 } 222 223 var cipherSuitesTLS13 = []*cipherSuiteTLS13{ 224 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 225 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 226 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 227 } 228 229 func cipherRC4(key, iv []byte, isRead bool) interface{} { 230 cipher, _ := rc4.NewCipher(key) 231 return cipher 232 } 233 234 func cipher3DES(key, iv []byte, isRead bool) interface{} { 235 block, _ := des.NewTripleDESCipher(key) 236 if isRead { 237 return cipher.NewCBCDecrypter(block, iv) 238 } 239 return cipher.NewCBCEncrypter(block, iv) 240 } 241 242 func cipherAES(key, iv []byte, isRead bool) interface{} { 243 block, _ := aes.NewCipher(key) 244 if isRead { 245 return cipher.NewCBCDecrypter(block, iv) 246 } 247 return cipher.NewCBCEncrypter(block, iv) 248 } 249 250 // macSHA1 returns a macFunction for the given protocol version. 251 func macSHA1(version uint16, key []byte) macFunction { 252 return tls10MAC{h: hmac.New(newConstantTimeHash(sha1.New), key)} 253 } 254 255 // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2 256 // so the given version is ignored. 257 func macSHA256(version uint16, key []byte) macFunction { 258 return tls10MAC{h: hmac.New(sha256.New, key)} 259 } 260 261 type macFunction interface { 262 // Size returns the length of the MAC. 263 Size() int 264 // MAC appends the MAC of (seq, header, data) to out. The extra data is fed 265 // into the MAC after obtaining the result to normalize timing. The result 266 // is only valid until the next invocation of MAC as the buffer is reused. 267 MAC(seq, header, data, extra []byte) []byte 268 } 269 270 type aead interface { 271 cipher.AEAD 272 273 // explicitNonceLen returns the number of bytes of explicit nonce 274 // included in each record. This is eight for older AEADs and 275 // zero for modern ones. 276 explicitNonceLen() int 277 } 278 279 const ( 280 aeadNonceLength = 12 281 noncePrefixLength = 4 282 ) 283 284 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 285 // each call. 286 type prefixNonceAEAD struct { 287 // nonce contains the fixed part of the nonce in the first four bytes. 288 nonce [aeadNonceLength]byte 289 aead cipher.AEAD 290 } 291 292 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 293 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 294 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 295 296 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 297 copy(f.nonce[4:], nonce) 298 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 299 } 300 301 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 302 copy(f.nonce[4:], nonce) 303 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 304 } 305 306 // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 307 // before each call. 308 type xorNonceAEAD struct { 309 nonceMask [aeadNonceLength]byte 310 aead cipher.AEAD 311 } 312 313 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 314 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 315 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 316 317 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 318 for i, b := range nonce { 319 f.nonceMask[4+i] ^= b 320 } 321 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 322 for i, b := range nonce { 323 f.nonceMask[4+i] ^= b 324 } 325 326 return result 327 } 328 329 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 330 for i, b := range nonce { 331 f.nonceMask[4+i] ^= b 332 } 333 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 334 for i, b := range nonce { 335 f.nonceMask[4+i] ^= b 336 } 337 338 return result, err 339 } 340 341 func aeadAESGCM(key, noncePrefix []byte) aead { 342 if len(noncePrefix) != noncePrefixLength { 343 panic("tls: internal error: wrong nonce length") 344 } 345 aes, err := aes.NewCipher(key) 346 if err != nil { 347 panic(err) 348 } 349 aead, err := cipher.NewGCM(aes) 350 if err != nil { 351 panic(err) 352 } 353 354 ret := &prefixNonceAEAD{aead: aead} 355 copy(ret.nonce[:], noncePrefix) 356 return ret 357 } 358 359 func aeadAESGCMTLS13(key, nonceMask []byte) aead { 360 if len(nonceMask) != aeadNonceLength { 361 panic("tls: internal error: wrong nonce length") 362 } 363 aes, err := aes.NewCipher(key) 364 if err != nil { 365 panic(err) 366 } 367 aead, err := cipher.NewGCM(aes) 368 if err != nil { 369 panic(err) 370 } 371 372 ret := &xorNonceAEAD{aead: aead} 373 copy(ret.nonceMask[:], nonceMask) 374 return ret 375 } 376 377 func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 378 if len(nonceMask) != aeadNonceLength { 379 panic("tls: internal error: wrong nonce length") 380 } 381 aead, err := chacha20poly1305.New(key) 382 if err != nil { 383 panic(err) 384 } 385 386 ret := &xorNonceAEAD{aead: aead} 387 copy(ret.nonceMask[:], nonceMask) 388 return ret 389 } 390 391 type constantTimeHash interface { 392 hash.Hash 393 ConstantTimeSum(b []byte) []byte 394 } 395 396 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 397 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 398 type cthWrapper struct { 399 h constantTimeHash 400 } 401 402 func (c *cthWrapper) Size() int { return c.h.Size() } 403 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 404 func (c *cthWrapper) Reset() { c.h.Reset() } 405 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 406 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 407 408 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 409 return func() hash.Hash { 410 return &cthWrapper{h().(constantTimeHash)} 411 } 412 } 413 414 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 415 type tls10MAC struct { 416 h hash.Hash 417 buf []byte 418 } 419 420 func (s tls10MAC) Size() int { 421 return s.h.Size() 422 } 423 424 // MAC is guaranteed to take constant time, as long as 425 // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into 426 // the MAC, but is only provided to make the timing profile constant. 427 func (s tls10MAC) MAC(seq, header, data, extra []byte) []byte { 428 s.h.Reset() 429 s.h.Write(seq) 430 s.h.Write(header) 431 s.h.Write(data) 432 res := s.h.Sum(s.buf[:0]) 433 if extra != nil { 434 s.h.Write(extra) 435 } 436 return res 437 } 438 439 func rsaKA(version uint16) keyAgreement { 440 return rsaKeyAgreement{} 441 } 442 443 func ecdheECDSAKA(version uint16) keyAgreement { 444 return &ecdheKeyAgreement{ 445 isRSA: false, 446 version: version, 447 } 448 } 449 450 func ecdheRSAKA(version uint16) keyAgreement { 451 return &ecdheKeyAgreement{ 452 isRSA: true, 453 version: version, 454 } 455 } 456 457 // mutualCipherSuite returns a cipherSuite given a list of supported 458 // ciphersuites and the id requested by the peer. 459 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 460 for _, id := range have { 461 if id == want { 462 return cipherSuiteByID(id) 463 } 464 } 465 return nil 466 } 467 468 func cipherSuiteByID(id uint16) *cipherSuite { 469 for _, cipherSuite := range cipherSuites { 470 if cipherSuite.id == id { 471 return cipherSuite 472 } 473 } 474 return nil 475 } 476 477 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 478 for _, id := range have { 479 if id == want { 480 return cipherSuiteTLS13ByID(id) 481 } 482 } 483 return nil 484 } 485 486 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 487 for _, cipherSuite := range cipherSuitesTLS13 { 488 if cipherSuite.id == id { 489 return cipherSuite 490 } 491 } 492 return nil 493 } 494 495 // A list of cipher suite IDs that are, or have been, implemented by this 496 // package. 497 // 498 // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 499 const ( 500 // TLS 1.0 - 1.2 cipher suites. 501 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 502 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 503 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 504 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 505 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 506 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 507 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 508 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 509 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 510 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 511 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 512 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 513 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 514 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 515 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 516 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 517 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 518 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 519 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 520 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 521 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 522 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 523 524 // TLS 1.3 cipher suites. 525 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 526 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 527 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 528 529 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 530 // that the client is doing version fallback. See RFC 7507. 531 TLS_FALLBACK_SCSV uint16 = 0x5600 532 533 // Legacy names for the corresponding cipher suites with the correct _SHA256 534 // suffix, retained for backward compatibility. 535 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 536 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 537 )