Alternative TLS implementation in Go
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.

432 lignes
15 KiB

  1. // Copyright 2010 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package trs
  5. import (
  6. "crypto"
  7. "crypto/aes"
  8. "crypto/cipher"
  9. "crypto/des"
  10. "crypto/hmac"
  11. "crypto/rc4"
  12. "crypto/sha1"
  13. "crypto/sha256"
  14. "hash"
  15. "golang.org/x/crypto/chacha20poly1305"
  16. )
  17. // a keyAgreement implements the client and server side of a TLS key agreement
  18. // protocol by generating and processing key exchange messages.
  19. type keyAgreement interface {
  20. // On the server side, the first two methods are called in order.
  21. // In the case that the key agreement protocol doesn't use a
  22. // ServerKeyExchange message, generateServerKeyExchange can return nil,
  23. // nil.
  24. generateServerKeyExchange(*Config, crypto.PrivateKey, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
  25. processClientKeyExchange(*Config, crypto.PrivateKey, *clientKeyExchangeMsg, uint16) ([]byte, error)
  26. // On the client side, the next two methods are called in order.
  27. // This method may not be called if the server doesn't send a
  28. // ServerKeyExchange message.
  29. processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, crypto.PublicKey, *serverKeyExchangeMsg) error
  30. generateClientKeyExchange(*Config, *clientHelloMsg, crypto.PublicKey) ([]byte, *clientKeyExchangeMsg, error)
  31. // Returns ID of negotiated group
  32. NegotiatedGroup() CurveID
  33. }
  34. const (
  35. // suiteECDH indicates that the cipher suite involves elliptic curve
  36. // Diffie-Hellman. This means that it should only be selected when the
  37. // client indicates that it supports ECC with a curve and point format
  38. // that we're happy with.
  39. suiteECDHE = 1 << iota
  40. // suiteECDSA indicates that the cipher suite involves an ECDSA
  41. // signature and therefore may only be selected when the server's
  42. // certificate is ECDSA. If this is not set then the cipher suite is
  43. // RSA based.
  44. suiteECDSA
  45. // suiteTLS12 indicates that the cipher suite should only be advertised
  46. // and accepted when using TLS 1.2.
  47. suiteTLS12
  48. // suiteTLS13 indicates that the ones and only cipher suites to be
  49. // advertised and accepted when using TLS 1.3.
  50. suiteTLS13
  51. // suiteSHA384 indicates that the cipher suite uses SHA384 as the
  52. // handshake hash.
  53. suiteSHA384
  54. // suiteDefaultOff indicates that this cipher suite is not included by
  55. // default.
  56. suiteDefaultOff
  57. )
  58. // A cipherSuite is a specific combination of key agreement, cipher and MAC
  59. // function.
  60. type cipherSuite struct {
  61. id uint16
  62. // the lengths, in bytes, of the key material needed for each component.
  63. keyLen int
  64. macLen int
  65. ivLen int
  66. ka func(version uint16) keyAgreement
  67. // flags is a bitmask of the suite* values, above.
  68. flags int
  69. cipher func(key, iv []byte, isRead bool) interface{}
  70. mac func(version uint16, macKey []byte) macFunction
  71. aead func(key, fixedNonce []byte) cipher.AEAD
  72. }
  73. var cipherSuites = []*cipherSuite{
  74. // TLS 1.3 ciphersuites specify only the AEAD and the HKDF hash.
  75. {TLS_CHACHA20_POLY1305_SHA256, 32, 0, 12, nil, suiteTLS13, nil, nil, aeadChaCha20Poly1305},
  76. {TLS_AES_128_GCM_SHA256, 16, 0, 12, nil, suiteTLS13, nil, nil, aeadAESGCM13},
  77. {TLS_AES_256_GCM_SHA384, 32, 0, 12, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},
  78. // Ciphersuite order is chosen so that ECDHE comes before plain RSA and
  79. // AEADs are the top preference.
  80. {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
  81. {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
  82. {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM12},
  83. {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM12},
  84. {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  85. {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  86. {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  87. {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  88. {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  89. {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  90. {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  91. {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  92. {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM12},
  93. {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},
  94. {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
  95. {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  96. {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  97. {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
  98. {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
  99. // RC4-based cipher suites are disabled by default.
  100. {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
  101. {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
  102. {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
  103. }
  104. func cipherRC4(key, iv []byte, isRead bool) interface{} {
  105. cipher, _ := rc4.NewCipher(key)
  106. return cipher
  107. }
  108. func cipher3DES(key, iv []byte, isRead bool) interface{} {
  109. block, _ := des.NewTripleDESCipher(key)
  110. if isRead {
  111. return cipher.NewCBCDecrypter(block, iv)
  112. }
  113. return cipher.NewCBCEncrypter(block, iv)
  114. }
  115. func cipherAES(key, iv []byte, isRead bool) interface{} {
  116. block, _ := aes.NewCipher(key)
  117. if isRead {
  118. return cipher.NewCBCDecrypter(block, iv)
  119. }
  120. return cipher.NewCBCEncrypter(block, iv)
  121. }
  122. // macSHA1 returns a macFunction for the given protocol version.
  123. func macSHA1(version uint16, key []byte) macFunction {
  124. if version == VersionSSL30 {
  125. mac := ssl30MAC{
  126. h: sha1.New(),
  127. key: make([]byte, len(key)),
  128. }
  129. copy(mac.key, key)
  130. return mac
  131. }
  132. return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}
  133. }
  134. // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2
  135. // so the given version is ignored.
  136. func macSHA256(version uint16, key []byte) macFunction {
  137. return tls10MAC{hmac.New(sha256.New, key)}
  138. }
  139. type macFunction interface {
  140. Size() int
  141. MAC(digestBuf, seq, header, data, extra []byte) []byte
  142. }
  143. type aead interface {
  144. cipher.AEAD
  145. // explicitIVLen returns the number of bytes used by the explicit nonce
  146. // that is included in the record. This is eight for older AEADs and
  147. // zero for modern ones.
  148. explicitNonceLen() int
  149. }
  150. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
  151. // each call.
  152. type fixedNonceAEAD struct {
  153. // nonce contains the fixed part of the nonce in the first four bytes.
  154. nonce [12]byte
  155. aead cipher.AEAD
  156. }
  157. func (f *fixedNonceAEAD) NonceSize() int { return 8 }
  158. // Overhead returns the maximum difference between the lengths of a
  159. // plaintext and its ciphertext.
  160. func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
  161. func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
  162. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
  163. copy(f.nonce[4:], nonce)
  164. return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
  165. }
  166. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
  167. copy(f.nonce[4:], nonce)
  168. return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
  169. }
  170. // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
  171. // before each call.
  172. type xorNonceAEAD struct {
  173. nonceMask [12]byte
  174. aead cipher.AEAD
  175. }
  176. func (f *xorNonceAEAD) NonceSize() int { return 8 }
  177. func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() }
  178. func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
  179. func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
  180. for i, b := range nonce {
  181. f.nonceMask[4+i] ^= b
  182. }
  183. result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
  184. for i, b := range nonce {
  185. f.nonceMask[4+i] ^= b
  186. }
  187. return result
  188. }
  189. func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
  190. for i, b := range nonce {
  191. f.nonceMask[4+i] ^= b
  192. }
  193. result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)
  194. for i, b := range nonce {
  195. f.nonceMask[4+i] ^= b
  196. }
  197. return result, err
  198. }
  199. func aeadAESGCM12(key, fixedNonce []byte) cipher.AEAD {
  200. aes, err := aes.NewCipher(key)
  201. if err != nil {
  202. panic(err)
  203. }
  204. aead, err := cipher.NewGCM(aes)
  205. if err != nil {
  206. panic(err)
  207. }
  208. ret := &fixedNonceAEAD{aead: aead}
  209. copy(ret.nonce[:], fixedNonce)
  210. return ret
  211. }
  212. func aeadAESGCM13(key, fixedNonce []byte) cipher.AEAD {
  213. aes, err := aes.NewCipher(key)
  214. if err != nil {
  215. panic(err)
  216. }
  217. aead, err := cipher.NewGCM(aes)
  218. if err != nil {
  219. panic(err)
  220. }
  221. ret := &xorNonceAEAD{aead: aead}
  222. copy(ret.nonceMask[:], fixedNonce)
  223. return ret
  224. }
  225. func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
  226. aead, err := chacha20poly1305.New(key)
  227. if err != nil {
  228. panic(err)
  229. }
  230. ret := &xorNonceAEAD{aead: aead}
  231. copy(ret.nonceMask[:], fixedNonce)
  232. return ret
  233. }
  234. // ssl30MAC implements the SSLv3 MAC function, as defined in
  235. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
  236. type ssl30MAC struct {
  237. h hash.Hash
  238. key []byte
  239. }
  240. func (s ssl30MAC) Size() int {
  241. return s.h.Size()
  242. }
  243. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
  244. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
  245. // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed
  246. // useless considering the similar, protocol-level POODLE vulnerability.
  247. func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
  248. padLength := 48
  249. if s.h.Size() == 20 {
  250. padLength = 40
  251. }
  252. s.h.Reset()
  253. s.h.Write(s.key)
  254. s.h.Write(ssl30Pad1[:padLength])
  255. s.h.Write(seq)
  256. s.h.Write(header[:1])
  257. s.h.Write(header[3:5])
  258. s.h.Write(data)
  259. digestBuf = s.h.Sum(digestBuf[:0])
  260. s.h.Reset()
  261. s.h.Write(s.key)
  262. s.h.Write(ssl30Pad2[:padLength])
  263. s.h.Write(digestBuf)
  264. return s.h.Sum(digestBuf[:0])
  265. }
  266. type constantTimeHash interface {
  267. hash.Hash
  268. ConstantTimeSum(b []byte) []byte
  269. }
  270. // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
  271. // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
  272. type cthWrapper struct {
  273. h constantTimeHash
  274. }
  275. func (c *cthWrapper) Size() int { return c.h.Size() }
  276. func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() }
  277. func (c *cthWrapper) Reset() { c.h.Reset() }
  278. func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
  279. func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
  280. func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
  281. return func() hash.Hash {
  282. return &cthWrapper{h().(constantTimeHash)}
  283. }
  284. }
  285. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
  286. type tls10MAC struct {
  287. h hash.Hash
  288. }
  289. func (s tls10MAC) Size() int {
  290. return s.h.Size()
  291. }
  292. // MAC is guaranteed to take constant time, as long as
  293. // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into
  294. // the MAC, but is only provided to make the timing profile constant.
  295. func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
  296. s.h.Reset()
  297. s.h.Write(seq)
  298. s.h.Write(header)
  299. s.h.Write(data)
  300. res := s.h.Sum(digestBuf[:0])
  301. if extra != nil {
  302. s.h.Write(extra)
  303. }
  304. return res
  305. }
  306. func rsaKA(version uint16) keyAgreement {
  307. return rsaKeyAgreement{}
  308. }
  309. func ecdheECDSAKA(version uint16) keyAgreement {
  310. return &ecdheKeyAgreement{
  311. isRSA: false,
  312. version: version,
  313. }
  314. }
  315. func ecdheRSAKA(version uint16) keyAgreement {
  316. return &ecdheKeyAgreement{
  317. isRSA: true,
  318. version: version,
  319. }
  320. }
  321. // mutualCipherSuite returns a cipherSuite given a list of supported
  322. // ciphersuites and the id requested by the peer.
  323. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
  324. for _, id := range have {
  325. if id == want {
  326. for _, suite := range cipherSuites {
  327. if suite.id == want {
  328. return suite
  329. }
  330. }
  331. return nil
  332. }
  333. }
  334. return nil
  335. }
  336. // A list of cipher suite IDs that are, or have been, implemented by this
  337. // package.
  338. //
  339. // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
  340. const (
  341. // TLS 1.0 - 1.2 cipher suites.
  342. TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
  343. TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
  344. TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
  345. TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
  346. TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
  347. TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
  348. TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
  349. TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
  350. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
  351. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
  352. TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
  353. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
  354. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
  355. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
  356. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
  357. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
  358. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
  359. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
  360. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
  361. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
  362. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca8
  363. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca9
  364. // TLS 1.3+ cipher suites.
  365. TLS_AES_128_GCM_SHA256 uint16 = 0x1301
  366. TLS_AES_256_GCM_SHA384 uint16 = 0x1302
  367. TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
  368. // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
  369. // that the client is doing version fallback. See
  370. // https://tools.ietf.org/html/rfc7507.
  371. TLS_FALLBACK_SCSV uint16 = 0x5600
  372. )