Implement draft-ietf-tls-chacha20-poly1305-04 in Go.
This will be used to test the C implementation against. Change-Id: I2d396d27630937ea610144e381518eae76f78dab Reviewed-on: https://boringssl-review.googlesource.com/6685 Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
parent
2089fdd10e
commit
37489902ba
@ -86,6 +86,8 @@ type cipherSuite struct {
|
|||||||
var cipherSuites = []*cipherSuite{
|
var cipherSuites = []*cipherSuite{
|
||||||
// Ciphersuite order is chosen so that ECDHE comes before plain RSA
|
// Ciphersuite order is chosen so that ECDHE comes before plain RSA
|
||||||
// and RC4 comes before AES (because of the Lucky13 attack).
|
// and RC4 comes before AES (because of the Lucky13 attack).
|
||||||
|
{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
|
||||||
|
{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
|
||||||
{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old},
|
{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old},
|
||||||
{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old},
|
{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old},
|
||||||
{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
|
{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
|
||||||
@ -119,11 +121,12 @@ var cipherSuites = []*cipherSuite{
|
|||||||
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
|
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
|
||||||
{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, dheRSAKA, 0, cipher3DES, macSHA1, nil},
|
{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, dheRSAKA, 0, cipher3DES, macSHA1, nil},
|
||||||
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
|
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
|
||||||
|
{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
|
||||||
|
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
|
||||||
|
{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
|
||||||
{TLS_PSK_WITH_RC4_128_SHA, 16, 20, 0, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
|
{TLS_PSK_WITH_RC4_128_SHA, 16, 20, 0, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
|
||||||
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil},
|
{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil},
|
||||||
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil},
|
{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil},
|
||||||
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
|
|
||||||
{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
|
|
||||||
{TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
|
{TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -256,6 +259,52 @@ func aeadCHACHA20POLY1305Old(key, fixedNonce []byte) *tlsAead {
|
|||||||
return &tlsAead{aead, false}
|
return &tlsAead{aead, false}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func xorSlice(out, in []byte) {
|
||||||
|
for i := range out {
|
||||||
|
out[i] ^= in[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded
|
||||||
|
// if necessary, each call.
|
||||||
|
type xorNonceAEAD struct {
|
||||||
|
// sealNonce and openNonce are buffers where the larger nonce will be
|
||||||
|
// constructed. Since a seal and open operation may be running
|
||||||
|
// concurrently, there is a separate buffer for each.
|
||||||
|
sealNonce, openNonce []byte
|
||||||
|
aead cipher.AEAD
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *xorNonceAEAD) NonceSize() int { return 8 }
|
||||||
|
func (x *xorNonceAEAD) Overhead() int { return x.aead.Overhead() }
|
||||||
|
|
||||||
|
func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
|
||||||
|
xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
|
||||||
|
ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData)
|
||||||
|
xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
|
||||||
|
xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
|
||||||
|
ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData)
|
||||||
|
xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
|
||||||
|
return ret, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func aeadCHACHA20POLY1305(key, fixedNonce []byte) *tlsAead {
|
||||||
|
aead, err := newChaCha20Poly1305(key)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce))
|
||||||
|
copy(nonce1, fixedNonce)
|
||||||
|
copy(nonce2, fixedNonce)
|
||||||
|
|
||||||
|
return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false}
|
||||||
|
}
|
||||||
|
|
||||||
// ssl30MAC implements the SSLv3 MAC function, as defined in
|
// ssl30MAC implements the SSLv3 MAC function, as defined in
|
||||||
// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
|
// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
|
||||||
type ssl30MAC struct {
|
type ssl30MAC struct {
|
||||||
@ -375,45 +424,48 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
|
|||||||
// A list of the possible cipher suite ids. Taken from
|
// A list of the possible cipher suite ids. Taken from
|
||||||
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
|
||||||
const (
|
const (
|
||||||
TLS_RSA_WITH_NULL_SHA uint16 = 0x0002
|
TLS_RSA_WITH_NULL_SHA uint16 = 0x0002
|
||||||
TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004
|
TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004
|
||||||
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
|
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
|
||||||
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
|
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
|
||||||
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016
|
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016
|
||||||
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
|
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
|
||||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033
|
||||||
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
|
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
|
||||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039
|
||||||
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
|
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
|
||||||
TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d
|
TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d
|
||||||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067
|
||||||
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b
|
||||||
TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a
|
TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a
|
||||||
TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c
|
TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c
|
||||||
TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d
|
TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d
|
||||||
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
|
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
|
||||||
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
|
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
|
||||||
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e
|
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e
|
||||||
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f
|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f
|
||||||
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
|
||||||
TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
|
||||||
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
|
||||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
|
||||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024
|
||||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
|
||||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
|
||||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
|
||||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
|
||||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
|
||||||
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035
|
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035
|
||||||
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036
|
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036
|
||||||
renegotiationSCSV uint16 = 0x00ff
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8
|
||||||
fallbackSCSV uint16 = 0x5600
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
|
||||||
|
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xccac
|
||||||
|
renegotiationSCSV uint16 = 0x00ff
|
||||||
|
fallbackSCSV uint16 = 0x5600
|
||||||
)
|
)
|
||||||
|
|
||||||
// Additional cipher suite IDs, not IANA-assigned.
|
// Additional cipher suite IDs, not IANA-assigned.
|
||||||
|
Loading…
Reference in New Issue
Block a user