|
|
@@ -86,6 +86,8 @@ type cipherSuite struct { |
|
|
|
var cipherSuites = []*cipherSuite{ |
|
|
|
// Ciphersuite order is chosen so that ECDHE comes before plain RSA |
|
|
|
// and RC4 comes before AES (because of the Lucky13 attack). |
|
|
|
{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, |
|
|
|
{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, |
|
|
|
{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old}, |
|
|
|
{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old}, |
|
|
|
{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, |
|
|
@@ -119,11 +121,12 @@ var cipherSuites = []*cipherSuite{ |
|
|
|
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, |
|
|
|
{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, dheRSAKA, 0, cipher3DES, macSHA1, nil}, |
|
|
|
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, |
|
|
|
{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, |
|
|
|
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_PSK_WITH_RC4_128_SHA, 16, 20, 0, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil}, |
|
|
|
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, |
|
|
|
{TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil}, |
|
|
|
} |
|
|
|
|
|
|
@@ -256,6 +259,52 @@ func aeadCHACHA20POLY1305Old(key, fixedNonce []byte) *tlsAead { |
|
|
|
return &tlsAead{aead, false} |
|
|
|
} |
|
|
|
|
|
|
|
func xorSlice(out, in []byte) { |
|
|
|
for i := range out { |
|
|
|
out[i] ^= in[i] |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded |
|
|
|
// if necessary, each call. |
|
|
|
type xorNonceAEAD struct { |
|
|
|
// sealNonce and openNonce are buffers where the larger nonce will be |
|
|
|
// constructed. Since a seal and open operation may be running |
|
|
|
// concurrently, there is a separate buffer for each. |
|
|
|
sealNonce, openNonce []byte |
|
|
|
aead cipher.AEAD |
|
|
|
} |
|
|
|
|
|
|
|
func (x *xorNonceAEAD) NonceSize() int { return 8 } |
|
|
|
func (x *xorNonceAEAD) Overhead() int { return x.aead.Overhead() } |
|
|
|
|
|
|
|
func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { |
|
|
|
xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) |
|
|
|
ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData) |
|
|
|
xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) |
|
|
|
return ret |
|
|
|
} |
|
|
|
|
|
|
|
func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { |
|
|
|
xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) |
|
|
|
ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData) |
|
|
|
xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) |
|
|
|
return ret, err |
|
|
|
} |
|
|
|
|
|
|
|
func aeadCHACHA20POLY1305(key, fixedNonce []byte) *tlsAead { |
|
|
|
aead, err := newChaCha20Poly1305(key) |
|
|
|
if err != nil { |
|
|
|
panic(err) |
|
|
|
} |
|
|
|
|
|
|
|
nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce)) |
|
|
|
copy(nonce1, fixedNonce) |
|
|
|
copy(nonce2, fixedNonce) |
|
|
|
|
|
|
|
return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} |
|
|
|
} |
|
|
|
|
|
|
|
// ssl30MAC implements the SSLv3 MAC function, as defined in |
|
|
|
// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1 |
|
|
|
type ssl30MAC struct { |
|
|
@@ -375,45 +424,48 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { |
|
|
|
// A list of the possible cipher suite ids. Taken from |
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml |
|
|
|
const ( |
|
|
|
TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 |
|
|
|
TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004 |
|
|
|
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 |
|
|
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a |
|
|
|
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016 |
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f |
|
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033 |
|
|
|
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 |
|
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039 |
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c |
|
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d |
|
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067 |
|
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b |
|
|
|
TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a |
|
|
|
TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c |
|
|
|
TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d |
|
|
|
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c |
|
|
|
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d |
|
|
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e |
|
|
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f |
|
|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a |
|
|
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 |
|
|
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 |
|
|
|
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035 |
|
|
|
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036 |
|
|
|
renegotiationSCSV uint16 = 0x00ff |
|
|
|
fallbackSCSV uint16 = 0x5600 |
|
|
|
TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 |
|
|
|
TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004 |
|
|
|
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 |
|
|
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a |
|
|
|
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016 |
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f |
|
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033 |
|
|
|
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 |
|
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039 |
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c |
|
|
|
TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d |
|
|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067 |
|
|
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b |
|
|
|
TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a |
|
|
|
TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c |
|
|
|
TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d |
|
|
|
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c |
|
|
|
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d |
|
|
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e |
|
|
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f |
|
|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a |
|
|
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 |
|
|
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028 |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b |
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c |
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f |
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 |
|
|
|
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035 |
|
|
|
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036 |
|
|
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 |
|
|
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 |
|
|
|
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xccac |
|
|
|
renegotiationSCSV uint16 = 0x00ff |
|
|
|
fallbackSCSV uint16 = 0x5600 |
|
|
|
) |
|
|
|
|
|
|
|
// Additional cipher suite IDs, not IANA-assigned. |
|
|
|