Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

429 lines
15 KiB

  1. // Copyright 2010 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package tls
  5. import (
  6. "crypto"
  7. "crypto/aes"
  8. "crypto/cipher"
  9. "crypto/des"
  10. "crypto/hmac"
  11. "crypto/rc4"
  12. "crypto/sha1"
  13. "crypto/sha256"
  14. "hash"
  15. "golang.org/x/crypto/chacha20poly1305"
  16. )
  17. // a keyAgreement implements the client and server side of a TLS key agreement
  18. // protocol by generating and processing key exchange messages.
  19. type keyAgreement interface {
  20. // On the server side, the first two methods are called in order.
  21. // In the case that the key agreement protocol doesn't use a
  22. // ServerKeyExchange message, generateServerKeyExchange can return nil,
  23. // nil.
  24. generateServerKeyExchange(*Config, crypto.PrivateKey, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
  25. processClientKeyExchange(*Config, crypto.PrivateKey, *clientKeyExchangeMsg, uint16) ([]byte, error)
  26. // On the client side, the next two methods are called in order.
  27. // This method may not be called if the server doesn't send a
  28. // ServerKeyExchange message.
  29. processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, crypto.PublicKey, *serverKeyExchangeMsg) error
  30. generateClientKeyExchange(*Config, *clientHelloMsg, crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error)
  31. }
  32. const (
  33. // suiteECDH indicates that the cipher suite involves elliptic curve
  34. // Diffie-Hellman. This means that it should only be selected when the
  35. // client indicates that it supports ECC with a curve and point format
  36. // that we're happy with.
  37. suiteECDHE = 1 << iota
  38. // suiteECDSA indicates that the cipher suite involves an ECDSA
  39. // signature and therefore may only be selected when the server's
  40. // certificate is ECDSA. If this is not set then the cipher suite is
  41. // RSA based.
  42. suiteECDSA
  43. // suiteTLS12 indicates that the cipher suite should only be advertised
  44. // and accepted when using TLS 1.2.
  45. suiteTLS12
  46. // suiteTLS13 indicates that the ones and only cipher suites to be
  47. // advertised and accepted when using TLS 1.3.
  48. suiteTLS13
  49. // suiteSHA384 indicates that the cipher suite uses SHA384 as the
  50. // handshake hash.
  51. suiteSHA384
  52. // suiteDefaultOff indicates that this cipher suite is not included by
  53. // default.
  54. suiteDefaultOff
  55. )
  56. // A cipherSuite is a specific combination of key agreement, cipher and MAC
  57. // function.
  58. type cipherSuite struct {
  59. id uint16
  60. // the lengths, in bytes, of the key material needed for each component.
  61. keyLen int
  62. macLen int
  63. ivLen int
  64. ka func(version uint16) keyAgreement
  65. // flags is a bitmask of the suite* values, above.
  66. flags int
  67. cipher func(key, iv []byte, isRead bool) interface{}
  68. mac func(version uint16, macKey []byte) macFunction
  69. aead func(key, fixedNonce []byte) cipher.AEAD
  70. }
  71. var cipherSuites = []*cipherSuite{
  72. // TLS 1.3 ciphersuites specify only the AEAD and the HKDF hash.
  73. {TLS_CHACHA20_POLY1305_SHA256, 32, 0, 12, nil, suiteTLS13, nil, nil, aeadChaCha20Poly1305},
  74. {TLS_AES_128_GCM_SHA256, 16, 0, 12, nil, suiteTLS13, nil, nil, aeadAESGCM13},
  75. {TLS_AES_256_GCM_SHA384, 32, 0, 12, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},
  76. // Ciphersuite order is chosen so that ECDHE comes before plain RSA and
  77. // AEADs are the top preference.
  78. {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
  79. {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
  80. {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM12},
  81. {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM12},
  82. {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  83. {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  84. {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  85. {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  86. {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  87. {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  88. {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  89. {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  90. {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM12},
  91. {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  92. {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  93. {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  94. {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  95. {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
  96. {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
  97. // RC4-based cipher suites are disabled by default.
  98. {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
  99. {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
  100. {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
  101. }
  102. func cipherRC4(key, iv []byte, isRead bool) interface{} {
  103. cipher, _ := rc4.NewCipher(key)
  104. return cipher
  105. }
  106. func cipher3DES(key, iv []byte, isRead bool) interface{} {
  107. block, _ := des.NewTripleDESCipher(key)
  108. if isRead {
  109. return cipher.NewCBCDecrypter(block, iv)
  110. }
  111. return cipher.NewCBCEncrypter(block, iv)
  112. }
  113. func cipherAES(key, iv []byte, isRead bool) interface{} {
  114. block, _ := aes.NewCipher(key)
  115. if isRead {
  116. return cipher.NewCBCDecrypter(block, iv)
  117. }
  118. return cipher.NewCBCEncrypter(block, iv)
  119. }
  120. // macSHA1 returns a macFunction for the given protocol version.
  121. func macSHA1(version uint16, key []byte) macFunction {
  122. if version == VersionSSL30 {
  123. mac := ssl30MAC{
  124. h: sha1.New(),
  125. key: make([]byte, len(key)),
  126. }
  127. copy(mac.key, key)
  128. return mac
  129. }
  130. return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}
  131. }
  132. // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2
  133. // so the given version is ignored.
  134. func macSHA256(version uint16, key []byte) macFunction {
  135. return tls10MAC{hmac.New(sha256.New, key)}
  136. }
  137. type macFunction interface {
  138. Size() int
  139. MAC(digestBuf, seq, header, data, extra []byte) []byte
  140. }
  141. type aead interface {
  142. cipher.AEAD
  143. // explicitIVLen returns the number of bytes used by the explicit nonce
  144. // that is included in the record. This is eight for older AEADs and
  145. // zero for modern ones.
  146. explicitNonceLen() int
  147. }
  148. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
  149. // each call.
  150. type fixedNonceAEAD struct {
  151. // nonce contains the fixed part of the nonce in the first four bytes.
  152. nonce [12]byte
  153. aead cipher.AEAD
  154. }
  155. func (f *fixedNonceAEAD) NonceSize() int { return 8 }
  156. // Overhead returns the maximum difference between the lengths of a
  157. // plaintext and its ciphertext.
  158. func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
  159. func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
  160. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
  161. copy(f.nonce[4:], nonce)
  162. return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
  163. }
  164. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
  165. copy(f.nonce[4:], nonce)
  166. return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
  167. }
  168. // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
  169. // before each call.
  170. type xorNonceAEAD struct {
  171. nonceMask [12]byte
  172. aead cipher.AEAD
  173. }
  174. func (f *xorNonceAEAD) NonceSize() int { return 8 }
  175. func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() }
  176. func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
  177. func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
  178. for i, b := range nonce {
  179. f.nonceMask[4+i] ^= b
  180. }
  181. result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
  182. for i, b := range nonce {
  183. f.nonceMask[4+i] ^= b
  184. }
  185. return result
  186. }
  187. func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
  188. for i, b := range nonce {
  189. f.nonceMask[4+i] ^= b
  190. }
  191. result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)
  192. for i, b := range nonce {
  193. f.nonceMask[4+i] ^= b
  194. }
  195. return result, err
  196. }
  197. func aeadAESGCM12(key, fixedNonce []byte) cipher.AEAD {
  198. aes, err := aes.NewCipher(key)
  199. if err != nil {
  200. panic(err)
  201. }
  202. aead, err := cipher.NewGCM(aes)
  203. if err != nil {
  204. panic(err)
  205. }
  206. ret := &fixedNonceAEAD{aead: aead}
  207. copy(ret.nonce[:], fixedNonce)
  208. return ret
  209. }
  210. func aeadAESGCM13(key, fixedNonce []byte) cipher.AEAD {
  211. aes, err := aes.NewCipher(key)
  212. if err != nil {
  213. panic(err)
  214. }
  215. aead, err := cipher.NewGCM(aes)
  216. if err != nil {
  217. panic(err)
  218. }
  219. ret := &xorNonceAEAD{aead: aead}
  220. copy(ret.nonceMask[:], fixedNonce)
  221. return ret
  222. }
  223. func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
  224. aead, err := chacha20poly1305.New(key)
  225. if err != nil {
  226. panic(err)
  227. }
  228. ret := &xorNonceAEAD{aead: aead}
  229. copy(ret.nonceMask[:], fixedNonce)
  230. return ret
  231. }
  232. // ssl30MAC implements the SSLv3 MAC function, as defined in
  233. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
  234. type ssl30MAC struct {
  235. h hash.Hash
  236. key []byte
  237. }
  238. func (s ssl30MAC) Size() int {
  239. return s.h.Size()
  240. }
  241. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
  242. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
  243. // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed
  244. // useless considering the similar, protocol-level POODLE vulnerability.
  245. func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
  246. padLength := 48
  247. if s.h.Size() == 20 {
  248. padLength = 40
  249. }
  250. s.h.Reset()
  251. s.h.Write(s.key)
  252. s.h.Write(ssl30Pad1[:padLength])
  253. s.h.Write(seq)
  254. s.h.Write(header[:1])
  255. s.h.Write(header[3:5])
  256. s.h.Write(data)
  257. digestBuf = s.h.Sum(digestBuf[:0])
  258. s.h.Reset()
  259. s.h.Write(s.key)
  260. s.h.Write(ssl30Pad2[:padLength])
  261. s.h.Write(digestBuf)
  262. return s.h.Sum(digestBuf[:0])
  263. }
  264. type constantTimeHash interface {
  265. hash.Hash
  266. ConstantTimeSum(b []byte) []byte
  267. }
  268. // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
  269. // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
  270. type cthWrapper struct {
  271. h constantTimeHash
  272. }
  273. func (c *cthWrapper) Size() int { return c.h.Size() }
  274. func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() }
  275. func (c *cthWrapper) Reset() { c.h.Reset() }
  276. func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
  277. func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
  278. func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
  279. return func() hash.Hash {
  280. return &cthWrapper{h().(constantTimeHash)}
  281. }
  282. }
  283. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
  284. type tls10MAC struct {
  285. h hash.Hash
  286. }
  287. func (s tls10MAC) Size() int {
  288. return s.h.Size()
  289. }
  290. // MAC is guaranteed to take constant time, as long as
  291. // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into
  292. // the MAC, but is only provided to make the timing profile constant.
  293. func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
  294. s.h.Reset()
  295. s.h.Write(seq)
  296. s.h.Write(header)
  297. s.h.Write(data)
  298. res := s.h.Sum(digestBuf[:0])
  299. if extra != nil {
  300. s.h.Write(extra)
  301. }
  302. return res
  303. }
  304. func rsaKA(version uint16) keyAgreement {
  305. return rsaKeyAgreement{}
  306. }
  307. func ecdheECDSAKA(version uint16) keyAgreement {
  308. return &ecdheKeyAgreement{
  309. isRSA: false,
  310. version: version,
  311. }
  312. }
  313. func ecdheRSAKA(version uint16) keyAgreement {
  314. return &ecdheKeyAgreement{
  315. isRSA: true,
  316. version: version,
  317. }
  318. }
  319. // mutualCipherSuite returns a cipherSuite given a list of supported
  320. // ciphersuites and the id requested by the peer.
  321. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
  322. for _, id := range have {
  323. if id == want {
  324. for _, suite := range cipherSuites {
  325. if suite.id == want {
  326. return suite
  327. }
  328. }
  329. return nil
  330. }
  331. }
  332. return nil
  333. }
  334. // A list of cipher suite IDs that are, or have been, implemented by this
  335. // package.
  336. //
  337. // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
  338. const (
  339. // TLS 1.0 - 1.2 cipher suites.
  340. TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
  341. TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
  342. TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
  343. TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
  344. TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
  345. TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
  346. TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
  347. TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
  348. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
  349. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
  350. TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
  351. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
  352. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
  353. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
  354. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
  355. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
  356. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
  357. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
  358. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
  359. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
  360. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca8
  361. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca9
  362. // TLS 1.3+ cipher suites.
  363. TLS_AES_128_GCM_SHA256 uint16 = 0x1301
  364. TLS_AES_256_GCM_SHA384 uint16 = 0x1302
  365. TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
  366. // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
  367. // that the client is doing version fallback. See
  368. // https://tools.ietf.org/html/rfc7507.
  369. TLS_FALLBACK_SCSV uint16 = 0x5600
  370. )