gitlab.com/go-extension/tls@v0.0.0-20240304171319-e6745021905e/cipher_suites.go (about) 1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/rc4" 14 "crypto/sha1" 15 "crypto/sha256" 16 "crypto/sha512" 17 "fmt" 18 "hash" 19 "runtime" 20 21 "golang.org/x/sys/cpu" 22 23 "github.com/RyuaNerin/go-krypto/aria" 24 "github.com/pedroalbanese/camellia" 25 "gitlab.com/go-extension/aes-ccm" 26 "golang.org/x/crypto/chacha20poly1305" 27 ) 28 29 // CipherSuite is a TLS cipher suite. Note that most functions in this package 30 // accept and expose cipher suite IDs instead of this type. 31 type CipherSuite struct { 32 ID uint16 33 Name string 34 35 // Supported versions is the list of TLS protocol versions that can 36 // negotiate this cipher suite. 37 SupportedVersions []uint16 38 39 // Insecure is true if the cipher suite has known security issues 40 // due to its primitives, design, or implementation. 41 Insecure bool 42 } 43 44 var ( 45 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} 46 supportedOnlyTLS12 = []uint16{VersionTLS12} 47 supportedOnlyTLS13 = []uint16{VersionTLS13} 48 ) 49 50 // CipherSuites returns a list of cipher suites currently implemented by this 51 // package, excluding those with security issues, which are returned by 52 // [InsecureCipherSuites]. 53 // 54 // The list is sorted by ID. Note that the default cipher suites selected by 55 // this package might depend on logic that can't be captured by a static list, 56 // and might not match those returned by this function. 57 func CipherSuites() []*CipherSuite { 58 return []*CipherSuite{ 59 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, 60 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, 61 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, 62 {TLS_AES_128_CCM_SHA256, "TLS_AES_128_CCM_SHA256", supportedOnlyTLS13, false}, 63 {TLS_AES_128_CCM_8_SHA256, "TLS_AES_128_CCM_8_SHA256", supportedOnlyTLS13, false}, 64 65 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 66 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 67 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 68 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 69 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", supportedOnlyTLS12, false}, 70 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 71 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 72 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 73 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 74 75 {TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", supportedUpToTLS12, false}, 76 {TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", supportedUpToTLS12, false}, 77 {TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", supportedOnlyTLS12, false}, 78 {TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", supportedOnlyTLS12, false}, 79 {TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", supportedOnlyTLS12, false}, 80 {TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", supportedOnlyTLS12, false}, 81 82 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", supportedOnlyTLS12, false}, 83 {TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", supportedOnlyTLS12, false}, 84 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", supportedOnlyTLS12, false}, 85 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", supportedOnlyTLS12, false}, 86 {TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", supportedOnlyTLS12, false}, 87 {TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", supportedOnlyTLS12, false}, 88 89 {TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256", supportedOnlyTLS12, false}, 90 {TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256", supportedOnlyTLS12, false}, 91 {TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256", supportedOnlyTLS12, false}, 92 {TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256", supportedOnlyTLS12, false}, 93 94 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 95 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 96 } 97 } 98 99 // InsecureCipherSuites returns a list of cipher suites currently implemented by 100 // this package and which have security issues. 101 // 102 // Most applications should not use the cipher suites in this list, and should 103 // only use those returned by [CipherSuites]. 104 func InsecureCipherSuites() []*CipherSuite { 105 // This list includes RC4, CBC_SHA256, and 3DES cipher suites. See 106 // cipherSuitesPreferenceOrder for details. 107 return []*CipherSuite{ 108 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 109 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, 110 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, true}, 111 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, true}, 112 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 113 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, true}, 114 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, true}, 115 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 116 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, 117 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 118 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, 119 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 120 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 121 {TLS_RSA_WITH_ARIA_128_CBC_SHA256, "TLS_RSA_WITH_ARIA_128_CBC_SHA256", supportedUpToTLS12, true}, 122 {TLS_RSA_WITH_ARIA_256_CBC_SHA384, "TLS_RSA_WITH_ARIA_256_CBC_SHA384", supportedUpToTLS12, true}, 123 {TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", supportedUpToTLS12, true}, 124 {TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", supportedUpToTLS12, true}, 125 {TLS_RSA_WITH_ARIA_128_GCM_SHA256, "TLS_RSA_WITH_ARIA_128_GCM_SHA256", supportedOnlyTLS12, true}, 126 {TLS_RSA_WITH_ARIA_256_GCM_SHA384, "TLS_RSA_WITH_ARIA_256_GCM_SHA384", supportedOnlyTLS12, true}, 127 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", supportedOnlyTLS12, true}, 128 {TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", supportedOnlyTLS12, true}, 129 {TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", supportedOnlyTLS12, true}, 130 {TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", supportedOnlyTLS12, true}, 131 {TLS_RSA_WITH_AES_128_CCM_SHA256, "TLS_RSA_WITH_AES_128_CCM_SHA256", supportedOnlyTLS12, true}, 132 {TLS_RSA_WITH_AES_256_CCM_SHA256, "TLS_RSA_WITH_AES_256_CCM_SHA256", supportedOnlyTLS12, true}, 133 {TLS_RSA_WITH_AES_128_CCM_8_SHA256, "TLS_RSA_WITH_AES_128_CCM_8_SHA256", supportedOnlyTLS12, true}, 134 {TLS_RSA_WITH_AES_256_CCM_8_SHA256, "TLS_RSA_WITH_AES_256_CCM_8_SHA256", supportedOnlyTLS12, true}, 135 } 136 } 137 138 // CipherSuiteName returns the standard name for the passed cipher suite ID 139 // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation 140 // of the ID value if the cipher suite is not implemented by this package. 141 func CipherSuiteName(id uint16) string { 142 for _, c := range CipherSuites() { 143 if c.ID == id { 144 return c.Name 145 } 146 } 147 for _, c := range InsecureCipherSuites() { 148 if c.ID == id { 149 return c.Name 150 } 151 } 152 return fmt.Sprintf("0x%04X", id) 153 } 154 155 const ( 156 // suiteECDHE indicates that the cipher suite involves elliptic curve 157 // Diffie-Hellman. This means that it should only be selected when the 158 // client indicates that it supports ECC with a curve and point format 159 // that we're happy with. 160 suiteECDHE = 1 << iota 161 // suiteECSign indicates that the cipher suite involves an ECDSA or 162 // EdDSA signature and therefore may only be selected when the server's 163 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite 164 // is RSA based. 165 suiteECSign 166 // suiteTLS12 indicates that the cipher suite should only be advertised 167 // and accepted when using TLS 1.2. 168 suiteTLS12 169 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 170 // handshake hash. 171 suiteSHA384 172 ) 173 174 // A cipherSuite is a TLS 1.0–1.2 cipher suite, and defines the key exchange 175 // mechanism, as well as the cipher+MAC pair or the AEAD. 176 type cipherSuite struct { 177 id uint16 178 // the lengths, in bytes, of the key material needed for each component. 179 keyLen int 180 macLen int 181 ivLen int 182 ka func(version uint16) keyAgreement 183 // flags is a bitmask of the suite* values, above. 184 flags int 185 cipher func(key, iv []byte, isRead bool) any 186 mac func(key []byte) hash.Hash 187 aead func(key, fixedNonce []byte) aead 188 } 189 190 var cipherSuites = []*cipherSuite{ // TODO: replace with a map, since the order doesn't matter. 191 {TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESCCM8}, 192 {TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESCCM8}, 193 {TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESCCM}, 194 {TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESCCM}, 195 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 196 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 197 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 198 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, 199 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 200 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 201 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, 202 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 203 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil}, 204 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 205 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 206 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 207 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 208 {TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadARIAGCM}, 209 {TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadARIAGCM}, 210 {TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadARIAGCM}, 211 {TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadARIAGCM}, 212 {TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherARIA, macSHA256, nil}, 213 {TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteSHA384, cipherARIA, macSHA384, nil}, 214 {TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE, cipherARIA, macSHA256, nil}, 215 {TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA, suiteECDHE | suiteSHA384, cipherARIA, macSHA384, nil}, 216 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadCAMELLIAGCM}, 217 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadCAMELLIAGCM}, 218 {TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCAMELLIAGCM}, 219 {TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadCAMELLIAGCM}, 220 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherCAMELLIA, macSHA256, nil}, 221 {TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, cipherCAMELLIA, macSHA384, nil}, 222 {TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherCAMELLIA, macSHA256, nil}, 223 {TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherCAMELLIA, macSHA384, nil}, 224 {TLS_RSA_WITH_ARIA_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadARIAGCM}, 225 {TLS_RSA_WITH_ARIA_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadARIAGCM}, 226 {TLS_RSA_WITH_ARIA_128_CBC_SHA256, 16, 32, 16, rsaKA, 0, cipherARIA, macSHA256, nil}, 227 {TLS_RSA_WITH_ARIA_256_CBC_SHA384, 32, 48, 16, rsaKA, suiteSHA384, cipherARIA, macSHA384, nil}, 228 {TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadCAMELLIAGCM}, 229 {TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadCAMELLIAGCM}, 230 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 231 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 232 {TLS_RSA_WITH_AES_128_CCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESCCM}, 233 {TLS_RSA_WITH_AES_256_CCM_SHA256, 32, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESCCM}, 234 {TLS_RSA_WITH_AES_128_CCM_8_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESCCM8}, 235 {TLS_RSA_WITH_AES_256_CCM_8_SHA256, 32, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESCCM8}, 236 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 237 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 238 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 239 {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheECDSAKA, suiteECDHE | suiteECSign, cipher3DES, macSHA1, nil}, 240 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 241 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 242 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil}, 243 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil}, 244 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil}, 245 } 246 247 // selectCipherSuite returns the first TLS 1.0–1.2 cipher suite from ids which 248 // is also in supportedIDs and passes the ok filter. 249 func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { 250 for _, id := range ids { 251 candidate := cipherSuiteByID(id) 252 if candidate == nil || !ok(candidate) { 253 continue 254 } 255 256 for _, suppID := range supportedIDs { 257 if id == suppID { 258 return candidate 259 } 260 } 261 } 262 return nil 263 } 264 265 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 266 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 267 type cipherSuiteTLS13 struct { 268 id uint16 269 keyLen int 270 aead func(key, fixedNonce []byte) aead 271 hash crypto.Hash 272 } 273 274 var cipherSuitesTLS13 = []*cipherSuiteTLS13{ // TODO: replace with a map. 275 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 276 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 277 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 278 {TLS_AES_128_CCM_SHA256, 16, aeadAESCCMTLS13, crypto.SHA256}, 279 {TLS_AES_128_CCM_8_SHA256, 16, aeadAESCCM8TLS13, crypto.SHA256}, 280 } 281 282 // cipherSuitesPreferenceOrder is the order in which we'll select (on the 283 // server) or advertise (on the client) TLS 1.0–1.3 cipher suites. 284 // 285 // Cipher suites are filtered but not reordered based on the application and 286 // peer's preferences, meaning we'll never select a suite lower in this list if 287 // any higher one is available. This makes it more defensible to keep weaker 288 // cipher suites enabled, especially on the server side where we get the last 289 // word, since there are no known downgrade attacks on cipher suites selection. 290 // 291 // The list is sorted by applying the following priority rules, stopping at the 292 // first (most important) applicable one: 293 // 294 // - Anything else comes before RC4 295 // 296 // RC4 has practically exploitable biases. See https://www.rc4nomore.com. 297 // 298 // - Anything else comes before CBC_SHA256 299 // 300 // SHA-256 variants of the CBC ciphersuites don't implement any Lucky13 301 // countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and 302 // https://www.imperialviolet.org/2013/02/04/luckythirteen.html. 303 // 304 // - Anything else comes before 3DES 305 // 306 // 3DES has 64-bit blocks, which makes it fundamentally susceptible to 307 // birthday attacks. See https://sweet32.info. 308 // 309 // - ECDHE comes before anything else 310 // 311 // Once we got the broken stuff out of the way, the most important 312 // property a cipher suite can have is forward secrecy. We don't 313 // implement FFDHE, so that means ECDHE. 314 // 315 // - AEADs come before CBC ciphers 316 // 317 // Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites 318 // are fundamentally fragile, and suffered from an endless sequence of 319 // padding oracle attacks. See https://eprint.iacr.org/2015/1129, 320 // https://www.imperialviolet.org/2014/12/08/poodleagain.html, and 321 // https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/. 322 // 323 // - AES comes before ChaCha20 324 // 325 // When AES hardware is available, AES-128-GCM and AES-256-GCM are faster 326 // than ChaCha20Poly1305. 327 // 328 // When AES hardware is not available, AES-128-GCM is one or more of: much 329 // slower, way more complex, and less safe (because not constant time) 330 // than ChaCha20Poly1305. 331 // 332 // We use this list if we think both peers have AES hardware, and 333 // cipherSuitesPreferenceOrderNoAES otherwise. 334 // 335 // - AES-128 comes before AES-256 336 // 337 // The only potential advantages of AES-256 are better multi-target 338 // margins, and hypothetical post-quantum properties. Neither apply to 339 // TLS, and AES-256 is slower due to its four extra rounds (which don't 340 // contribute to the advantages above). 341 // 342 // - ECDSA comes before RSA 343 // 344 // The relative order of ECDSA and RSA cipher suites doesn't matter, 345 // as they depend on the certificate. Pick one to get a stable order. 346 var cipherSuitesPreferenceOrder = []uint16{ 347 // TLS 1.3 348 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, 349 TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, 350 TLS_CHACHA20_POLY1305_SHA256, 351 352 // AEADs w/ ECDHE 353 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 354 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 355 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256, 356 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256, 357 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, 358 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, 359 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, 360 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, 361 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 362 363 // CBC w/ ECDHE 364 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 365 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 366 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, 367 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, 368 369 // AEADs w/o ECDHE 370 TLS_RSA_WITH_AES_128_GCM_SHA256, 371 TLS_RSA_WITH_AES_256_GCM_SHA384, 372 TLS_RSA_WITH_AES_128_CCM_SHA256, 373 TLS_RSA_WITH_AES_128_CCM_8_SHA256, 374 TLS_RSA_WITH_AES_256_CCM_SHA256, 375 TLS_RSA_WITH_AES_256_CCM_8_SHA256, 376 TLS_RSA_WITH_ARIA_128_GCM_SHA256, 377 TLS_RSA_WITH_ARIA_256_GCM_SHA384, 378 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, 379 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, 380 381 // CBC w/o ECDHE 382 TLS_RSA_WITH_AES_128_CBC_SHA, 383 TLS_RSA_WITH_AES_256_CBC_SHA, 384 TLS_RSA_WITH_ARIA_256_CBC_SHA384, 385 386 // 3DES 387 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 388 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 389 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 390 391 // CBC_SHA256 392 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 393 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 394 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 395 TLS_RSA_WITH_AES_128_CBC_SHA256, 396 TLS_RSA_WITH_ARIA_128_CBC_SHA256, 397 398 // RC4 399 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, 400 TLS_RSA_WITH_RC4_128_SHA, 401 } 402 403 var cipherSuitesPreferenceOrderNoAES = []uint16{ 404 // TLS 1.3 405 TLS_CHACHA20_POLY1305_SHA256, 406 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, 407 TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, 408 409 // ChaCha20Poly1305 410 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 411 412 // AES-GCM w/ ECDHE 413 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 414 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 415 416 // AES-CCM w/ ECDHE 417 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256, 418 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256, 419 420 // ARIA-GCM w/ ECDHE 421 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, 422 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, 423 424 // CAMELLIA-GCM w/ ECDHE 425 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, 426 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, 427 428 // The rest of cipherSuitesPreferenceOrder. 429 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 430 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 431 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, 432 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, 433 TLS_RSA_WITH_AES_128_GCM_SHA256, 434 TLS_RSA_WITH_AES_256_GCM_SHA384, 435 TLS_RSA_WITH_AES_128_CCM_SHA256, 436 TLS_RSA_WITH_AES_128_CCM_8_SHA256, 437 TLS_RSA_WITH_AES_256_CCM_SHA256, 438 TLS_RSA_WITH_AES_256_CCM_8_SHA256, 439 TLS_RSA_WITH_ARIA_128_GCM_SHA256, 440 TLS_RSA_WITH_ARIA_256_GCM_SHA384, 441 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, 442 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, 443 TLS_RSA_WITH_AES_128_CBC_SHA, 444 TLS_RSA_WITH_AES_256_CBC_SHA, 445 TLS_RSA_WITH_ARIA_256_CBC_SHA384, 446 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 447 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 448 TLS_RSA_WITH_3DES_EDE_CBC_SHA, 449 450 // CBC_SHA256 451 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 452 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 453 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, 454 TLS_RSA_WITH_AES_128_CBC_SHA256, 455 TLS_RSA_WITH_ARIA_128_CBC_SHA256, 456 457 // RC4 458 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, 459 TLS_RSA_WITH_RC4_128_SHA, 460 } 461 462 // disabledCipherSuites are not used unless explicitly listed in Config.CipherSuites. 463 var disabledCipherSuites = map[uint16]bool{ 464 // CBC_SHA256 465 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: true, 466 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: true, 467 468 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: true, 469 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: true, 470 471 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: true, 472 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: true, 473 474 TLS_RSA_WITH_AES_128_CBC_SHA256: true, 475 TLS_RSA_WITH_ARIA_128_CBC_SHA256: true, 476 477 // RC4 478 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: true, 479 TLS_ECDHE_RSA_WITH_RC4_128_SHA: true, 480 TLS_RSA_WITH_RC4_128_SHA: true, 481 } 482 483 // rsaKexCiphers contains the ciphers which use RSA based key exchange, 484 // which we also disable by default unless a GODEBUG is set. 485 var rsaKexCiphers = map[uint16]bool{ 486 TLS_RSA_WITH_RC4_128_SHA: true, 487 TLS_RSA_WITH_3DES_EDE_CBC_SHA: true, 488 TLS_RSA_WITH_AES_128_CBC_SHA: true, 489 TLS_RSA_WITH_AES_256_CBC_SHA: true, 490 TLS_RSA_WITH_AES_128_CBC_SHA256: true, 491 TLS_RSA_WITH_ARIA_128_CBC_SHA256: true, 492 TLS_RSA_WITH_ARIA_256_CBC_SHA384: true, 493 TLS_RSA_WITH_AES_128_GCM_SHA256: true, 494 TLS_RSA_WITH_AES_256_GCM_SHA384: true, 495 TLS_RSA_WITH_AES_128_CCM_SHA256: true, 496 TLS_RSA_WITH_AES_256_CCM_SHA256: true, 497 TLS_RSA_WITH_AES_128_CCM_8_SHA256: true, 498 TLS_RSA_WITH_AES_256_CCM_8_SHA256: true, 499 TLS_RSA_WITH_ARIA_128_GCM_SHA256: true, 500 TLS_RSA_WITH_ARIA_256_GCM_SHA384: true, 501 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: true, 502 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: true, 503 } 504 505 var defaultCipherSuites []uint16 506 var defaultCipherSuitesWithRSAKex []uint16 507 508 func init() { 509 defaultCipherSuites = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) 510 defaultCipherSuitesWithRSAKex = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) 511 for _, c := range cipherSuitesPreferenceOrder { 512 if disabledCipherSuites[c] { 513 continue 514 } 515 if !rsaKexCiphers[c] { 516 defaultCipherSuites = append(defaultCipherSuites, c) 517 } 518 defaultCipherSuitesWithRSAKex = append(defaultCipherSuitesWithRSAKex, c) 519 } 520 } 521 522 // defaultCipherSuitesTLS13 is also the preference order, since there are no 523 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as 524 // cipherSuitesPreferenceOrder applies. 525 var defaultCipherSuitesTLS13 = []uint16{ 526 TLS_AES_128_GCM_SHA256, 527 TLS_AES_256_GCM_SHA384, 528 TLS_AES_128_CCM_SHA256, 529 TLS_AES_128_CCM_8_SHA256, 530 TLS_CHACHA20_POLY1305_SHA256, 531 } 532 533 var defaultCipherSuitesTLS13NoAES = []uint16{ 534 TLS_CHACHA20_POLY1305_SHA256, 535 TLS_AES_128_GCM_SHA256, 536 TLS_AES_256_GCM_SHA384, 537 TLS_AES_128_CCM_SHA256, 538 TLS_AES_128_CCM_8_SHA256, 539 } 540 541 var ( 542 hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ 543 hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL 544 // Keep in sync with crypto/aes/cipher_s390x.go. 545 hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && 546 (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM) 547 548 hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 || 549 runtime.GOARCH == "arm64" && hasGCMAsmARM64 || 550 runtime.GOARCH == "s390x" && hasGCMAsmS390X 551 ) 552 553 var aesCiphers = map[uint16]bool{ 554 // TLS 1.2 555 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true, 556 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: true, 557 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true, 558 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true, 559 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256: true, 560 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256: true, 561 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256: true, 562 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256: true, 563 // TLS 1.3 564 TLS_AES_128_GCM_SHA256: true, 565 TLS_AES_256_GCM_SHA384: true, 566 TLS_AES_128_CCM_SHA256: true, 567 TLS_AES_128_CCM_8_SHA256: true, 568 } 569 570 // aesgcmPreferred returns whether the first known cipher in the preference list 571 // is an AES-GCM cipher, implying the peer has hardware support for it. 572 func aesgcmPreferred(ciphers []uint16) bool { 573 for _, cID := range ciphers { 574 if c := cipherSuiteByID(cID); c != nil { 575 return aesCiphers[cID] 576 } 577 if c := cipherSuiteTLS13ByID(cID); c != nil { 578 return aesCiphers[cID] 579 } 580 } 581 return false 582 } 583 584 func cipherRC4(key, iv []byte, isRead bool) any { 585 cipher, _ := rc4.NewCipher(key) 586 return cipher 587 } 588 589 func cipher3DES(key, iv []byte, isRead bool) any { 590 block, _ := des.NewTripleDESCipher(key) 591 if isRead { 592 return cipher.NewCBCDecrypter(block, iv) 593 } 594 return cipher.NewCBCEncrypter(block, iv) 595 } 596 597 func cipherAES(key, iv []byte, isRead bool) any { 598 block, _ := aes.NewCipher(key) 599 if isRead { 600 return cipher.NewCBCDecrypter(block, iv) 601 } 602 return cipher.NewCBCEncrypter(block, iv) 603 } 604 605 func cipherARIA(key, iv []byte, isRead bool) any { 606 block, _ := aria.NewCipher(key) 607 if isRead { 608 return cipher.NewCBCDecrypter(block, iv) 609 } 610 return cipher.NewCBCEncrypter(block, iv) 611 } 612 613 func cipherCAMELLIA(key, iv []byte, isRead bool) any { 614 block, _ := camellia.NewCipher(key) 615 if isRead { 616 return cipher.NewCBCDecrypter(block, iv) 617 } 618 return cipher.NewCBCEncrypter(block, iv) 619 } 620 621 // macSHA1 returns a SHA-1 based constant time MAC. 622 func macSHA1(key []byte) hash.Hash { 623 return hmac.New(newConstantTimeHash(sha1.New), key) 624 } 625 626 // macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and 627 // is currently only used in disabled-by-default cipher suites. 628 func macSHA256(key []byte) hash.Hash { 629 return hmac.New(sha256.New, key) 630 } 631 632 // macSHA384 returns a SHA384 based MAC. This is only supported in TLS 1.2 and 633 // is currently only used in disabled-by-default cipher suites. 634 func macSHA384(key []byte) hash.Hash { 635 return hmac.New(sha512.New384, key) 636 } 637 638 type aead interface { 639 cipher.AEAD 640 641 // explicitNonceLen returns the number of bytes of explicit nonce 642 // included in each record. This is eight for older AEADs and 643 // zero for modern ones. 644 explicitNonceLen() int 645 } 646 647 const ( 648 aeadNonceLength = 12 649 noncePrefixLength = 4 650 ) 651 652 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 653 // each call. 654 type prefixNonceAEAD struct { 655 // nonce contains the fixed part of the nonce in the first four bytes. 656 nonce [aeadNonceLength]byte 657 aead cipher.AEAD 658 } 659 660 func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 661 func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 662 func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 663 664 func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 665 copy(f.nonce[4:], nonce) 666 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 667 } 668 669 func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 670 copy(f.nonce[4:], nonce) 671 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 672 } 673 674 // xorNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 675 // before each call. 676 type xorNonceAEAD struct { 677 nonceMask [aeadNonceLength]byte 678 aead cipher.AEAD 679 } 680 681 func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 682 func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 683 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 684 685 func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 686 for i, b := range nonce { 687 f.nonceMask[4+i] ^= b 688 } 689 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 690 for i, b := range nonce { 691 f.nonceMask[4+i] ^= b 692 } 693 694 return result 695 } 696 697 func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 698 for i, b := range nonce { 699 f.nonceMask[4+i] ^= b 700 } 701 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 702 for i, b := range nonce { 703 f.nonceMask[4+i] ^= b 704 } 705 706 return result, err 707 } 708 709 func aeadAESGCM(key, noncePrefix []byte) aead { 710 if len(noncePrefix) != noncePrefixLength { 711 panic("tls: internal error: wrong nonce length") 712 } 713 aes, err := aes.NewCipher(key) 714 if err != nil { 715 panic(err) 716 } 717 aead, err := cipher.NewGCM(aes) 718 if err != nil { 719 panic(err) 720 } 721 722 ret := &prefixNonceAEAD{aead: aead} 723 copy(ret.nonce[:], noncePrefix) 724 return ret 725 } 726 727 func aeadAESCCM(key, noncePrefix []byte) aead { 728 if len(noncePrefix) != noncePrefixLength { 729 panic("tls: internal error: wrong nonce length") 730 } 731 aes, err := aes.NewCipher(key) 732 if err != nil { 733 panic(err) 734 } 735 aead, err := ccm.NewCCM(aes) 736 if err != nil { 737 panic(err) 738 } 739 740 ret := &prefixNonceAEAD{aead: aead} 741 copy(ret.nonce[:], noncePrefix) 742 return ret 743 } 744 745 func aeadAESCCM8(key, noncePrefix []byte) aead { 746 if len(noncePrefix) != noncePrefixLength { 747 panic("tls: internal error: wrong nonce length") 748 } 749 aes, err := aes.NewCipher(key) 750 if err != nil { 751 panic(err) 752 } 753 aead, err := ccm.NewCCMWithTagSize(aes, 8) 754 if err != nil { 755 panic(err) 756 } 757 758 ret := &prefixNonceAEAD{aead: aead} 759 copy(ret.nonce[:], noncePrefix) 760 return ret 761 } 762 763 func aeadARIAGCM(key, noncePrefix []byte) aead { 764 if len(noncePrefix) != noncePrefixLength { 765 panic("tls: internal error: wrong nonce length") 766 } 767 aes, err := aria.NewCipher(key) 768 if err != nil { 769 panic(err) 770 } 771 aead, err := cipher.NewGCM(aes) 772 if err != nil { 773 panic(err) 774 } 775 776 ret := &prefixNonceAEAD{aead: aead} 777 copy(ret.nonce[:], noncePrefix) 778 return ret 779 } 780 781 func aeadCAMELLIAGCM(key, noncePrefix []byte) aead { 782 if len(noncePrefix) != noncePrefixLength { 783 panic("tls: internal error: wrong nonce length") 784 } 785 aes, err := camellia.NewCipher(key) 786 if err != nil { 787 panic(err) 788 } 789 aead, err := cipher.NewGCM(aes) 790 if err != nil { 791 panic(err) 792 } 793 794 ret := &prefixNonceAEAD{aead: aead} 795 copy(ret.nonce[:], noncePrefix) 796 return ret 797 } 798 799 func aeadAESGCMTLS13(key, nonceMask []byte) aead { 800 if len(nonceMask) != aeadNonceLength { 801 panic("tls: internal error: wrong nonce length") 802 } 803 aes, err := aes.NewCipher(key) 804 if err != nil { 805 panic(err) 806 } 807 aead, err := cipher.NewGCM(aes) 808 if err != nil { 809 panic(err) 810 } 811 812 ret := &xorNonceAEAD{aead: aead} 813 copy(ret.nonceMask[:], nonceMask) 814 return ret 815 } 816 817 func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 818 if len(nonceMask) != aeadNonceLength { 819 panic("tls: internal error: wrong nonce length") 820 } 821 aead, err := chacha20poly1305.New(key) 822 if err != nil { 823 panic(err) 824 } 825 826 ret := &xorNonceAEAD{aead: aead} 827 copy(ret.nonceMask[:], nonceMask) 828 return ret 829 } 830 831 func aeadAESCCMTLS13(key, nonceMask []byte) aead { 832 if len(nonceMask) != aeadNonceLength { 833 panic("tls: internal error: wrong nonce length") 834 } 835 aes, err := aes.NewCipher(key) 836 if err != nil { 837 panic(err) 838 } 839 aead, err := ccm.NewCCM(aes) 840 if err != nil { 841 panic(err) 842 } 843 844 ret := &xorNonceAEAD{aead: aead} 845 copy(ret.nonceMask[:], nonceMask) 846 return ret 847 } 848 849 func aeadAESCCM8TLS13(key, nonceMask []byte) aead { 850 if len(nonceMask) != aeadNonceLength { 851 panic("tls: internal error: wrong nonce length") 852 } 853 aes, err := aes.NewCipher(key) 854 if err != nil { 855 panic(err) 856 } 857 aead, err := ccm.NewCCMWithTagSize(aes, 8) 858 if err != nil { 859 panic(err) 860 } 861 862 ret := &xorNonceAEAD{aead: aead} 863 copy(ret.nonceMask[:], nonceMask) 864 return ret 865 } 866 867 type constantTimeHash interface { 868 hash.Hash 869 ConstantTimeSum(b []byte) []byte 870 } 871 872 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 873 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 874 type cthWrapper struct { 875 h constantTimeHash 876 } 877 878 func (c *cthWrapper) Size() int { return c.h.Size() } 879 func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 880 func (c *cthWrapper) Reset() { c.h.Reset() } 881 func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 882 func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 883 884 func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 885 return func() hash.Hash { 886 return &cthWrapper{h().(constantTimeHash)} 887 } 888 } 889 890 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 891 func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte { 892 h.Reset() 893 h.Write(seq) 894 h.Write(header) 895 h.Write(data) 896 res := h.Sum(out) 897 if extra != nil { 898 h.Write(extra) 899 } 900 return res 901 } 902 903 func rsaKA(version uint16) keyAgreement { 904 return rsaKeyAgreement{} 905 } 906 907 func ecdheECDSAKA(version uint16) keyAgreement { 908 return &ecdheKeyAgreement{ 909 isRSA: false, 910 version: version, 911 } 912 } 913 914 func ecdheRSAKA(version uint16) keyAgreement { 915 return &ecdheKeyAgreement{ 916 isRSA: true, 917 version: version, 918 } 919 } 920 921 // mutualCipherSuite returns a cipherSuite given a list of supported 922 // ciphersuites and the id requested by the peer. 923 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 924 for _, id := range have { 925 if id == want { 926 return cipherSuiteByID(id) 927 } 928 } 929 return nil 930 } 931 932 func cipherSuiteByID(id uint16) *cipherSuite { 933 for _, cipherSuite := range cipherSuites { 934 if cipherSuite.id == id { 935 return cipherSuite 936 } 937 } 938 return nil 939 } 940 941 func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 942 for _, id := range have { 943 if id == want { 944 return cipherSuiteTLS13ByID(id) 945 } 946 } 947 return nil 948 } 949 950 func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 951 for _, cipherSuite := range cipherSuitesTLS13 { 952 if cipherSuite.id == id { 953 return cipherSuite 954 } 955 } 956 return nil 957 } 958 959 // A list of cipher suite IDs that are, or have been, implemented by this 960 // package. 961 // 962 // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 963 const ( 964 // TLS 1.0 - 1.2 cipher suites. 965 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 966 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 967 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 968 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 969 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 970 TLS_RSA_WITH_ARIA_128_CBC_SHA256 uint16 = 0xc03c 971 TLS_RSA_WITH_ARIA_256_CBC_SHA384 uint16 = 0xc03d 972 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 973 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 974 TLS_RSA_WITH_AES_128_CCM_SHA256 uint16 = 0xc09c 975 TLS_RSA_WITH_AES_256_CCM_SHA256 uint16 = 0xc09d 976 TLS_RSA_WITH_AES_128_CCM_8_SHA256 uint16 = 0xc0a0 977 TLS_RSA_WITH_AES_256_CCM_8_SHA256 uint16 = 0xc0a1 978 TLS_RSA_WITH_ARIA_128_GCM_SHA256 uint16 = 0xc050 979 TLS_RSA_WITH_ARIA_256_GCM_SHA384 uint16 = 0xc051 980 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 uint16 = 0xc07a 981 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 uint16 = 0xc07b 982 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 983 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 984 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 985 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 986 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 987 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 988 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 989 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc008 990 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 991 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 992 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 993 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 uint16 = 0xc048 994 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 uint16 = 0xc04c 995 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 uint16 = 0xc049 996 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 uint16 = 0xc04d 997 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0xc072 998 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0xc076 999 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 uint16 = 0xc073 1000 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 uint16 = 0xc077 1001 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 1002 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 1003 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 1004 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 1005 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_SHA256 uint16 = 0xc0ac 1006 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_SHA256 uint16 = 0xc0ad 1007 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_SHA256 uint16 = 0xc0ae 1008 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8_SHA256 uint16 = 0xc0af 1009 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 1010 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 1011 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 uint16 = 0xc05c 1012 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 uint16 = 0xc060 1013 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 uint16 = 0xc05d 1014 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 uint16 = 0xc061 1015 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 uint16 = 0xc086 1016 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 uint16 = 0xc08a 1017 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 uint16 = 0xc08b 1018 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 uint16 = 0xc087 1019 1020 // TLS 1.3 cipher suites. 1021 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 1022 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 1023 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 1024 TLS_AES_128_CCM_SHA256 uint16 = 0x1304 1025 TLS_AES_128_CCM_8_SHA256 uint16 = 0x1305 1026 1027 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 1028 // that the client is doing version fallback. See RFC 7507. 1029 TLS_FALLBACK_SCSV uint16 = 0x5600 1030 1031 // Legacy names for the corresponding cipher suites with the correct _SHA256 1032 // suffix, retained for backward compatibility. 1033 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 1034 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 1035 )