kris
/
th5
1
0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
Alternative TLS implementation in Go
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
570 коммитов
3 Ветки
2.6 MiB
ветка: master
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
th5/cipher_suites.go

cipher_suites.go 15 KiB
Исходник Постоянная ссылка Обычный вид История

crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
Change package trs to th5
5 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
Changes needed to make tris a separated lib
5 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 лет назад
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 лет назад
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 лет назад
Refactor the keyAgreement interface It's sufficient to pass in the *tls.Certificate (resp. *x509.Certificate) to the server functions (resp. client funcctions), but not necessary; the existing keyAgreement implementations only makes use of the private key (resp. public key). Moreover, this change is necessary for implementing the delegated credentials extension, which replaces the private key (resp. public key) used in the handshake.
6 лет назад
Add negotiated group to ConnectionState
5 лет назад
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 лет назад
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 лет назад
crypto/tls: don't select TLS 1.2 cipher suites in prior versions. AES-GCM cipher suites are only defined for TLS 1.2, although there's nothing really version specific about them. However, development versions of NSS (meaning Firefox and Chrome) have an issue where they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello but then balk when the server selects one. This change causes Go clients not to advertise TLS 1.2 cipher suites unless TLS 1.2 is being used, and prevents servers from selecting them unless TLS 1.2 has been negotiated. https://code.google.com/p/chromium/issues/detail?id=297151 https://bugzilla.mozilla.org/show_bug.cgi?id=919677 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13573047
11 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: disable RC4 by default. RC4 is frowned upon[1] at this point and major providers are disabling it by default[2]. Those who still need RC4 support in crypto/tls can enable it by specifying the CipherSuites slice in crypto/tls.Config explicitly. Fixes #10094. [1] https://tools.ietf.org/html/rfc7465 [2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/ Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f Reviewed-on: https://go-review.googlesource.com/7647 Reviewed-by: Andrew Gerrand <adg@golang.org>
9 лет назад
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
tris: typos
7 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
14 лет назад
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 лет назад
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 лет назад
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
tris: fix nonce length definition and actually use it All TLS 1.3 cipher suites so far use a nonce length of 12, but that does not have to be the case. Correct the cipher suite definition and use it. Spec: https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5.3 Note: there is no functional change, the values were previously unused. Fixes: ("[dev.tls] crypto/tls: implement TLS 1.3 cipher suites")
6 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: enable ChaCha20-Poly1305 cipher suites by default. This change enables the ChaCha20-Poly1305 cipher suites by default. This changes the default ClientHello and thus requires updating all the tests. Change-Id: I6683a2647caaff4a11f9e932babb6f07912cad94 Reviewed-on: https://go-review.googlesource.com/30958 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
7 лет назад
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
7 лет назад
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
7 лет назад
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: fix comment typo. This was pointed out in https://go-review.googlesource.com/#/c/27315/1 but I changed and uploaded the wrong branch. This actually makes the fix. Change-Id: Ib615b06c9141b914648b6abbeeb688c5ffa0d2e3 Reviewed-on: https://go-review.googlesource.com/27360 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
Minimal number of changes needed to udpate to draft-28 (#115) * includes AD in authentication check of TLS records As per 5.2 of TLS 1.3 draft-28, the additional data is record header. * tests: Update tests in order to support draft-28 * Interoperability: Updates NSS and BoringSSL versions to the one supporting draft-28 * Bogo: Updates revision number to use tests for draft-28 * FIX: makefile was using test-compat target instead of test-interop * DC test: constify * Use binary interface to encode in big-endian
6 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 лет назад
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
13 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
13 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 лет назад
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 лет назад
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
8 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 лет назад
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 лет назад
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 лет назад
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 лет назад
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 лет назад
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 лет назад
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 лет назад
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
7 лет назад
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 лет назад
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: document that the cipher suite list is non-exhaustive. Fixes #14370. Change-Id: Ieb95ee3494f592fb5fc74aa4b803479671816927 Reviewed-on: https://go-review.googlesource.com/20551 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77) Temporarily reverts update to go1.10
6 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
crypto/tls: remove TLS13CipherSuites. To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites, remove the distinction between both suites. TLS 1.3 suites are now always included in the default cipher list (and the client will send it if MaxVersion allows for it). Since TLS 1.3 is expected to become the default MaxVersion and applications might have set only TLS 1.2 cipher suites in their configuration, TLS 1.3 cipher suites are added when none are present. Alternatively, I considered disallowing overriding the TLS 1.3 suites, but that requires more complexity and has not much benefits. Provide a mechanism and do not dictate policy, application developers might want to fix a cipher suite for testing other implementations for example. Fixes https://github.com/cloudflare/tls-tris/pull/22
7 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: add TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites Fixes #9894. Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993 Reviewed-on: https://go-review.googlesource.com/16924 Run-TryBot: Minux Ma <minux@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
8 лет назад
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 лет назад
crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289 Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256). Testdata were all updated to correspond with the new cipher suites in the handshake. Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f Reviewed-on: https://go-review.googlesource.com/3265 Reviewed-by: Adam Langley <agl@golang.org>
9 лет назад
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
10 лет назад
crypto/tls: remove TLS13CipherSuites. To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites, remove the distinction between both suites. TLS 1.3 suites are now always included in the default cipher list (and the client will send it if MaxVersion allows for it). Since TLS 1.3 is expected to become the default MaxVersion and applications might have set only TLS 1.2 cipher suites in their configuration, TLS 1.3 cipher suites are added when none are present. Alternatively, I considered disallowing overriding the TLS 1.3 suites, but that requires more complexity and has not much benefits. Provide a mechanism and do not dictate policy, application developers might want to fix a cipher suite for testing other implementations for example. Fixes https://github.com/cloudflare/tls-tris/pull/22
7 лет назад
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
8 лет назад
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
10 лет назад
crypto/tls: Update references to draft-ietf-tls-downgrade-scsv-00. It's RFC 7507 now. Change-Id: Iccd6c65f9d4b1f4d17ee068dee4576a512ba8405 Reviewed-on: https://go-review.googlesource.com/21154 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
8 лет назад
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
10 лет назад
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 лет назад
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package th5

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/aes"

  10. 	"crypto/cipher"

  11. 	"crypto/des"

  12. 	"crypto/hmac"

  13. 	"crypto/rc4"

  14. 	"crypto/sha1"

  15. 	"crypto/sha256"

  16. 	"hash"

  17. 

  18. 	"golang.org/x/crypto/chacha20poly1305"

  19. )

  20. 

  21. // a keyAgreement implements the client and server side of a TLS key agreement

  22. // protocol by generating and processing key exchange messages.

  23. type keyAgreement interface {

  24. 	// On the server side, the first two methods are called in order.

  25. 

  26. 	// In the case that the key agreement protocol doesn't use a

  27. 	// ServerKeyExchange message, generateServerKeyExchange can return nil,

  28. 	// nil.

  29. 	generateServerKeyExchange(*Config, crypto.PrivateKey, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)

  30. 	processClientKeyExchange(*Config, crypto.PrivateKey, *clientKeyExchangeMsg, uint16) ([]byte, error)

  31. 

  32. 	// On the client side, the next two methods are called in order.

  33. 

  34. 	// This method may not be called if the server doesn't send a

  35. 	// ServerKeyExchange message.

  36. 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, crypto.PublicKey, *serverKeyExchangeMsg) error

  37. 	generateClientKeyExchange(*Config, *clientHelloMsg, crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error)

  38. 

  39. 	// Returns ID of negotiated group

  40. 	NegotiatedGroup() CurveID

  41. }

  42. 

  43. const (

  44. 	// suiteECDH indicates that the cipher suite involves elliptic curve

  45. 	// Diffie-Hellman. This means that it should only be selected when the

  46. 	// client indicates that it supports ECC with a curve and point format

  47. 	// that we're happy with.

  48. 	suiteECDHE = 1 << iota

  49. 	// suiteECDSA indicates that the cipher suite involves an ECDSA

  50. 	// signature and therefore may only be selected when the server's

  51. 	// certificate is ECDSA. If this is not set then the cipher suite is

  52. 	// RSA based.

  53. 	suiteECDSA

  54. 	// suiteTLS12 indicates that the cipher suite should only be advertised

  55. 	// and accepted when using TLS 1.2.

  56. 	suiteTLS12

  57. 	// suiteTLS13 indicates that the ones and only cipher suites to be

  58. 	// advertised and accepted when using TLS 1.3.

  59. 	suiteTLS13

  60. 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the

  61. 	// handshake hash.

  62. 	suiteSHA384

  63. 	// suiteDefaultOff indicates that this cipher suite is not included by

  64. 	// default.

  65. 	suiteDefaultOff

  66. )

  67. 

  68. // A cipherSuite is a specific combination of key agreement, cipher and MAC

  69. // function.

  70. type cipherSuite struct {

  71. 	id uint16

  72. 	// the lengths, in bytes, of the key material needed for each component.

  73. 	keyLen int

  74. 	macLen int

  75. 	ivLen  int

  76. 	ka     func(version uint16) keyAgreement

  77. 	// flags is a bitmask of the suite* values, above.

  78. 	flags  int

  79. 	cipher func(key, iv []byte, isRead bool) interface{}

  80. 	mac    func(version uint16, macKey []byte) macFunction

  81. 	aead   func(key, fixedNonce []byte) cipher.AEAD

  82. }

  83. 

  84. var cipherSuites = []*cipherSuite{

  85. 	// TLS 1.3 ciphersuites specify only the AEAD and the HKDF hash.

  86. 	{TLS_CHACHA20_POLY1305_SHA256, 32, 0, 12, nil, suiteTLS13, nil, nil, aeadChaCha20Poly1305},

  87. 	{TLS_AES_128_GCM_SHA256, 16, 0, 12, nil, suiteTLS13, nil, nil, aeadAESGCM13},

  88. 	{TLS_AES_256_GCM_SHA384, 32, 0, 12, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},

  89. 

  90. 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and

  91. 	// AEADs are the top preference.

  92. 	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},

  93. 	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},

  94. 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM12},

  95. 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM12},

  96. 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  97. 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  98. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  99. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  100. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  101. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  102. 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  103. 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  104. 	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM12},

  105. 	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  106. 	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  107. 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  108. 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  109. 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},

  110. 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},

  111. 

  112. 	// RC4-based cipher suites are disabled by default.

  113. 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},

  114. 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},

  115. 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},

  116. }

  117. 

  118. func cipherRC4(key, iv []byte, isRead bool) interface{} {

  119. 	cipher, _ := rc4.NewCipher(key)

  120. 	return cipher

  121. }

  122. 

  123. func cipher3DES(key, iv []byte, isRead bool) interface{} {

  124. 	block, _ := des.NewTripleDESCipher(key)

  125. 	if isRead {

  126. 		return cipher.NewCBCDecrypter(block, iv)

  127. 	}

  128. 	return cipher.NewCBCEncrypter(block, iv)

  129. }

  130. 

  131. func cipherAES(key, iv []byte, isRead bool) interface{} {

  132. 	block, _ := aes.NewCipher(key)

  133. 	if isRead {

  134. 		return cipher.NewCBCDecrypter(block, iv)

  135. 	}

  136. 	return cipher.NewCBCEncrypter(block, iv)

  137. }

  138. 

  139. // macSHA1 returns a macFunction for the given protocol version.

  140. func macSHA1(version uint16, key []byte) macFunction {

  141. 	if version == VersionSSL30 {

  142. 		mac := ssl30MAC{

  143. 			h:   sha1.New(),

  144. 			key: make([]byte, len(key)),

  145. 		}

  146. 		copy(mac.key, key)

  147. 		return mac

  148. 	}

  149. 	return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}

  150. }

  151. 

  152. // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2

  153. // so the given version is ignored.

  154. func macSHA256(version uint16, key []byte) macFunction {

  155. 	return tls10MAC{hmac.New(sha256.New, key)}

  156. }

  157. 

  158. type macFunction interface {

  159. 	Size() int

  160. 	MAC(digestBuf, seq, header, data, extra []byte) []byte

  161. }

  162. 

  163. type aead interface {

  164. 	cipher.AEAD

  165. 

  166. 	// explicitIVLen returns the number of bytes used by the explicit nonce

  167. 	// that is included in the record. This is eight for older AEADs and

  168. 	// zero for modern ones.

  169. 	explicitNonceLen() int

  170. }

  171. 

  172. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to

  173. // each call.

  174. type fixedNonceAEAD struct {

  175. 	// nonce contains the fixed part of the nonce in the first four bytes.

  176. 	nonce [12]byte

  177. 	aead  cipher.AEAD

  178. }

  179. 

  180. func (f *fixedNonceAEAD) NonceSize() int { return 8 }

  181. 

  182. // Overhead returns the maximum difference between the lengths of a

  183. // plaintext and its ciphertext.

  184. func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }

  185. func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }

  186. 

  187. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  188. 	copy(f.nonce[4:], nonce)

  189. 	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)

  190. }

  191. 

  192. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  193. 	copy(f.nonce[4:], nonce)

  194. 	return f.aead.Open(out, f.nonce[:], plaintext, additionalData)

  195. }

  196. 

  197. // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce

  198. // before each call.

  199. type xorNonceAEAD struct {

  200. 	nonceMask [12]byte

  201. 	aead      cipher.AEAD

  202. }

  203. 

  204. func (f *xorNonceAEAD) NonceSize() int        { return 8 }

  205. func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }

  206. func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }

  207. 

  208. func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  209. 	for i, b := range nonce {

  210. 		f.nonceMask[4+i] ^= b

  211. 	}

  212. 	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)

  213. 	for i, b := range nonce {

  214. 		f.nonceMask[4+i] ^= b

  215. 	}

  216. 

  217. 	return result

  218. }

  219. 

  220. func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  221. 	for i, b := range nonce {

  222. 		f.nonceMask[4+i] ^= b

  223. 	}

  224. 	result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)

  225. 	for i, b := range nonce {

  226. 		f.nonceMask[4+i] ^= b

  227. 	}

  228. 

  229. 	return result, err

  230. }

  231. 

  232. func aeadAESGCM12(key, fixedNonce []byte) cipher.AEAD {

  233. 	aes, err := aes.NewCipher(key)

  234. 	if err != nil {

  235. 		panic(err)

  236. 	}

  237. 	aead, err := cipher.NewGCM(aes)

  238. 	if err != nil {

  239. 		panic(err)

  240. 	}

  241. 

  242. 	ret := &fixedNonceAEAD{aead: aead}

  243. 	copy(ret.nonce[:], fixedNonce)

  244. 	return ret

  245. }

  246. 

  247. func aeadAESGCM13(key, fixedNonce []byte) cipher.AEAD {

  248. 	aes, err := aes.NewCipher(key)

  249. 	if err != nil {

  250. 		panic(err)

  251. 	}

  252. 	aead, err := cipher.NewGCM(aes)

  253. 	if err != nil {

  254. 		panic(err)

  255. 	}

  256. 

  257. 	ret := &xorNonceAEAD{aead: aead}

  258. 	copy(ret.nonceMask[:], fixedNonce)

  259. 	return ret

  260. }

  261. 

  262. func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {

  263. 	aead, err := chacha20poly1305.New(key)

  264. 	if err != nil {

  265. 		panic(err)

  266. 	}

  267. 

  268. 	ret := &xorNonceAEAD{aead: aead}

  269. 	copy(ret.nonceMask[:], fixedNonce)

  270. 	return ret

  271. }

  272. 

  273. // ssl30MAC implements the SSLv3 MAC function, as defined in

  274. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1

  275. type ssl30MAC struct {

  276. 	h   hash.Hash

  277. 	key []byte

  278. }

  279. 

  280. func (s ssl30MAC) Size() int {

  281. 	return s.h.Size()

  282. }

  283. 

  284. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}

  285. 

  286. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}

  287. 

  288. // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed

  289. // useless considering the similar, protocol-level POODLE vulnerability.

  290. func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {

  291. 	padLength := 48

  292. 	if s.h.Size() == 20 {

  293. 		padLength = 40

  294. 	}

  295. 

  296. 	s.h.Reset()

  297. 	s.h.Write(s.key)

  298. 	s.h.Write(ssl30Pad1[:padLength])

  299. 	s.h.Write(seq)

  300. 	s.h.Write(header[:1])

  301. 	s.h.Write(header[3:5])

  302. 	s.h.Write(data)

  303. 	digestBuf = s.h.Sum(digestBuf[:0])

  304. 

  305. 	s.h.Reset()

  306. 	s.h.Write(s.key)

  307. 	s.h.Write(ssl30Pad2[:padLength])

  308. 	s.h.Write(digestBuf)

  309. 	return s.h.Sum(digestBuf[:0])

  310. }

  311. 

  312. type constantTimeHash interface {

  313. 	hash.Hash

  314. 	ConstantTimeSum(b []byte) []byte

  315. }

  316. 

  317. // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces

  318. // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.

  319. type cthWrapper struct {

  320. 	h constantTimeHash

  321. }

  322. 

  323. func (c *cthWrapper) Size() int                   { return c.h.Size() }

  324. func (c *cthWrapper) BlockSize() int              { return c.h.BlockSize() }

  325. func (c *cthWrapper) Reset()                      { c.h.Reset() }

  326. func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }

  327. func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }

  328. 

  329. func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {

  330. 	return func() hash.Hash {

  331. 		return &cthWrapper{h().(constantTimeHash)}

  332. 	}

  333. }

  334. 

  335. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.

  336. type tls10MAC struct {

  337. 	h hash.Hash

  338. }

  339. 

  340. func (s tls10MAC) Size() int {

  341. 	return s.h.Size()

  342. }

  343. 

  344. // MAC is guaranteed to take constant time, as long as

  345. // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into

  346. // the MAC, but is only provided to make the timing profile constant.

  347. func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {

  348. 	s.h.Reset()

  349. 	s.h.Write(seq)

  350. 	s.h.Write(header)

  351. 	s.h.Write(data)

  352. 	res := s.h.Sum(digestBuf[:0])

  353. 	if extra != nil {

  354. 		s.h.Write(extra)

  355. 	}

  356. 	return res

  357. }

  358. 

  359. func rsaKA(version uint16) keyAgreement {

  360. 	return rsaKeyAgreement{}

  361. }

  362. 

  363. func ecdheECDSAKA(version uint16) keyAgreement {

  364. 	return &ecdheKeyAgreement{

  365. 		isRSA:   false,

  366. 		version: version,

  367. 	}

  368. }

  369. 

  370. func ecdheRSAKA(version uint16) keyAgreement {

  371. 	return &ecdheKeyAgreement{

  372. 		isRSA:   true,

  373. 		version: version,

  374. 	}

  375. }

  376. 

  377. // mutualCipherSuite returns a cipherSuite given a list of supported

  378. // ciphersuites and the id requested by the peer.

  379. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {

  380. 	for _, id := range have {

  381. 		if id == want {

  382. 			for _, suite := range cipherSuites {

  383. 				if suite.id == want {

  384. 					return suite

  385. 				}

  386. 			}

  387. 			return nil

  388. 		}

  389. 	}

  390. 	return nil

  391. }

  392. 

  393. // A list of cipher suite IDs that are, or have been, implemented by this

  394. // package.

  395. //

  396. // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

  397. const (

  398. 	// TLS 1.0 - 1.2 cipher suites.

  399. 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005

  400. 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a

  401. 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f

  402. 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035

  403. 	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c

  404. 	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c

  405. 	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d

  406. 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007

  407. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009

  408. 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a

  409. 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011

  410. 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012

  411. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013

  412. 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014

  413. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023

  414. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027

  415. 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f

  416. 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b

  417. 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030

  418. 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c

  419. 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    uint16 = 0xcca8

  420. 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  uint16 = 0xcca9

  421. 

  422. 	// TLS 1.3+ cipher suites.

  423. 	TLS_AES_128_GCM_SHA256       uint16 = 0x1301

  424. 	TLS_AES_256_GCM_SHA384       uint16 = 0x1302

  425. 	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

  426. 

  427. 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator

  428. 	// that the client is doing version fallback. See

  429. 	// https://tools.ietf.org/html/rfc7507.

  430. 	TLS_FALLBACK_SCSV uint16 = 0x5600

  431. )