kris
/
tls-tris
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
290 Révisions
4 Branches
2.5 MiB
Aborescence: 0d6f47c2a7
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '0d6f47c2a7'
${ noResults }
tls-tris/cipher_suites.go

cipher_suites.go 11 KiB
Brut Vue normale Historique

crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
crypto/tls: don't always use the default private key. When SNI based certificate selection is enabled, we previously used the default private key even if we selected a non-default certificate. Fixes #3367. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/5987058
il y a 12 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
src/pkg/[a-m]*: gofix -r error -force=error R=golang-dev, iant CC=golang-dev https://golang.org/cl/5322051
il y a 13 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
il y a 11 ans
crypto/tls: don't select TLS 1.2 cipher suites in prior versions. AES-GCM cipher suites are only defined for TLS 1.2, although there's nothing really version specific about them. However, development versions of NSS (meaning Firefox and Chrome) have an issue where they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello but then balk when the server selects one. This change causes Go clients not to advertise TLS 1.2 cipher suites unless TLS 1.2 is being used, and prevents servers from selecting them unless TLS 1.2 has been negotiated. https://code.google.com/p/chromium/issues/detail?id=297151 https://bugzilla.mozilla.org/show_bug.cgi?id=919677 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13573047
il y a 11 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: disable RC4 by default. RC4 is frowned upon[1] at this point and major providers are disabling it by default[2]. Those who still need RC4 support in crypto/tls can enable it by specifying the CipherSuites slice in crypto/tls.Config explicitly. Fixes #10094. [1] https://tools.ietf.org/html/rfc7465 [2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/ Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f Reviewed-on: https://go-review.googlesource.com/7647 Reviewed-by: Andrew Gerrand <adg@golang.org>
il y a 9 ans
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
il y a 11 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
il y a 14 ans
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
il y a 11 ans
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
il y a 11 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: add TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites Fixes #9894. Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993 Reviewed-on: https://go-review.googlesource.com/16924 Run-TryBot: Minux Ma <minux@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/hmac: Deprecate hmac.NewMD5, hmac.NewSHA1 and hmac.NewSHA256 Remove NewMD5, NewSHA1 and NewSHA256 in favor of using New and explicitly importing the used hash-function. This way when using, for example, HMAC with RIPEMD there's no md5, sha1 and sha256 linked in through the hmac package. A gofix rule is included, and applied to the standard library (3 files altered). This change is the result of a discussion at https://golang.org/cl/5550043/ to pull the discussion about deprecating these functions out of that issue. R=golang-dev, agl CC=golang-dev, r, rsc https://golang.org/cl/5556058
il y a 12 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: fix comment typo. This was pointed out in https://go-review.googlesource.com/#/c/27315/1 but I changed and uploaded the wrong branch. This actually makes the fix. Change-Id: Ib615b06c9141b914648b6abbeeb688c5ffa0d2e3 Reviewed-on: https://go-review.googlesource.com/27360 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
il y a 8 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
il y a 11 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
il y a 13 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
il y a 13 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
il y a 13 ans
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
il y a 11 ans
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
il y a 11 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
il y a 11 ans
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
il y a 11 ans
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
il y a 11 ans
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
il y a 11 ans
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
il y a 13 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: document that the cipher suite list is non-exhaustive. Fixes #14370. Change-Id: Ieb95ee3494f592fb5fc74aa4b803479671816927 Reviewed-on: https://go-review.googlesource.com/20551 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
il y a 8 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
il y a 11 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: add TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites Fixes #9894. Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993 Reviewed-on: https://go-review.googlesource.com/16924 Run-TryBot: Minux Ma <minux@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
il y a 11 ans
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
il y a 8 ans
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
il y a 11 ans
crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289 Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256). Testdata were all updated to correspond with the new cipher suites in the handshake. Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f Reviewed-on: https://go-review.googlesource.com/3265 Reviewed-by: Adam Langley <agl@golang.org>
il y a 9 ans
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
il y a 10 ans
crypto/tls: Update references to draft-ietf-tls-downgrade-scsv-00. It's RFC 7507 now. Change-Id: Iccd6c65f9d4b1f4d17ee068dee4576a512ba8405 Reviewed-on: https://go-review.googlesource.com/21154 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
il y a 8 ans
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
il y a 10 ans
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
il y a 14 ans
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto/aes"

  9. 	"crypto/cipher"

  10. 	"crypto/des"

  11. 	"crypto/hmac"

  12. 	"crypto/rc4"

  13. 	"crypto/sha1"

  14. 	"crypto/sha256"

  15. 	"crypto/x509"

  16. 	"hash"

  17. )

  18. 

  19. // a keyAgreement implements the client and server side of a TLS key agreement

  20. // protocol by generating and processing key exchange messages.

  21. type keyAgreement interface {

  22. 	// On the server side, the first two methods are called in order.

  23. 

  24. 	// In the case that the key agreement protocol doesn't use a

  25. 	// ServerKeyExchange message, generateServerKeyExchange can return nil,

  26. 	// nil.

  27. 	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)

  28. 	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)

  29. 

  30. 	// On the client side, the next two methods are called in order.

  31. 

  32. 	// This method may not be called if the server doesn't send a

  33. 	// ServerKeyExchange message.

  34. 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error

  35. 	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)

  36. }

  37. 

  38. const (

  39. 	// suiteECDH indicates that the cipher suite involves elliptic curve

  40. 	// Diffie-Hellman. This means that it should only be selected when the

  41. 	// client indicates that it supports ECC with a curve and point format

  42. 	// that we're happy with.

  43. 	suiteECDHE = 1 << iota

  44. 	// suiteECDSA indicates that the cipher suite involves an ECDSA

  45. 	// signature and therefore may only be selected when the server's

  46. 	// certificate is ECDSA. If this is not set then the cipher suite is

  47. 	// RSA based.

  48. 	suiteECDSA

  49. 	// suiteTLS12 indicates that the cipher suite should only be advertised

  50. 	// and accepted when using TLS 1.2.

  51. 	suiteTLS12

  52. 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the

  53. 	// handshake hash.

  54. 	suiteSHA384

  55. 	// suiteDefaultOff indicates that this cipher suite is not included by

  56. 	// default.

  57. 	suiteDefaultOff

  58. )

  59. 

  60. // A cipherSuite is a specific combination of key agreement, cipher and MAC

  61. // function. All cipher suites currently assume RSA key agreement.

  62. type cipherSuite struct {

  63. 	id uint16

  64. 	// the lengths, in bytes, of the key material needed for each component.

  65. 	keyLen int

  66. 	macLen int

  67. 	ivLen  int

  68. 	ka     func(version uint16) keyAgreement

  69. 	// flags is a bitmask of the suite* values, above.

  70. 	flags  int

  71. 	cipher func(key, iv []byte, isRead bool) interface{}

  72. 	mac    func(version uint16, macKey []byte) macFunction

  73. 	aead   func(key, fixedNonce []byte) cipher.AEAD

  74. }

  75. 

  76. var cipherSuites = []*cipherSuite{

  77. 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and

  78. 	// GCM is top preference.

  79. 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},

  80. 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},

  81. 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

  82. 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

  83. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},

  84. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  85. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil},

  86. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  87. 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  88. 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  89. 	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},

  90. 	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

  91. 	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},

  92. 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  93. 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  94. 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},

  95. 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},

  96. 

  97. 	// RC4-based cipher suites are disabled by default.

  98. 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},

  99. 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},

  100. 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},

  101. }

  102. 

  103. func cipherRC4(key, iv []byte, isRead bool) interface{} {

  104. 	cipher, _ := rc4.NewCipher(key)

  105. 	return cipher

  106. }

  107. 

  108. func cipher3DES(key, iv []byte, isRead bool) interface{} {

  109. 	block, _ := des.NewTripleDESCipher(key)

  110. 	if isRead {

  111. 		return cipher.NewCBCDecrypter(block, iv)

  112. 	}

  113. 	return cipher.NewCBCEncrypter(block, iv)

  114. }

  115. 

  116. func cipherAES(key, iv []byte, isRead bool) interface{} {

  117. 	block, _ := aes.NewCipher(key)

  118. 	if isRead {

  119. 		return cipher.NewCBCDecrypter(block, iv)

  120. 	}

  121. 	return cipher.NewCBCEncrypter(block, iv)

  122. }

  123. 

  124. // macSHA1 returns a macFunction for the given protocol version.

  125. func macSHA1(version uint16, key []byte) macFunction {

  126. 	if version == VersionSSL30 {

  127. 		mac := ssl30MAC{

  128. 			h:   sha1.New(),

  129. 			key: make([]byte, len(key)),

  130. 		}

  131. 		copy(mac.key, key)

  132. 		return mac

  133. 	}

  134. 	return tls10MAC{hmac.New(sha1.New, key)}

  135. }

  136. 

  137. // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2

  138. // so the given version is ignored.

  139. func macSHA256(version uint16, key []byte) macFunction {

  140. 	return tls10MAC{hmac.New(sha256.New, key)}

  141. }

  142. 

  143. type macFunction interface {

  144. 	Size() int

  145. 	MAC(digestBuf, seq, header, data []byte) []byte

  146. }

  147. 

  148. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to

  149. // each call.

  150. type fixedNonceAEAD struct {

  151. 	// sealNonce and openNonce are buffers where the larger nonce will be

  152. 	// constructed. Since a seal and open operation may be running

  153. 	// concurrently, there is a separate buffer for each.

  154. 	sealNonce, openNonce []byte

  155. 	aead                 cipher.AEAD

  156. }

  157. 

  158. func (f *fixedNonceAEAD) NonceSize() int { return 8 }

  159. func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }

  160. 

  161. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  162. 	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)

  163. 	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)

  164. }

  165. 

  166. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  167. 	copy(f.openNonce[len(f.openNonce)-8:], nonce)

  168. 	return f.aead.Open(out, f.openNonce, plaintext, additionalData)

  169. }

  170. 

  171. func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {

  172. 	aes, err := aes.NewCipher(key)

  173. 	if err != nil {

  174. 		panic(err)

  175. 	}

  176. 	aead, err := cipher.NewGCM(aes)

  177. 	if err != nil {

  178. 		panic(err)

  179. 	}

  180. 

  181. 	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)

  182. 	copy(nonce1, fixedNonce)

  183. 	copy(nonce2, fixedNonce)

  184. 

  185. 	return &fixedNonceAEAD{nonce1, nonce2, aead}

  186. }

  187. 

  188. // ssl30MAC implements the SSLv3 MAC function, as defined in

  189. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1

  190. type ssl30MAC struct {

  191. 	h   hash.Hash

  192. 	key []byte

  193. }

  194. 

  195. func (s ssl30MAC) Size() int {

  196. 	return s.h.Size()

  197. }

  198. 

  199. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}

  200. 

  201. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}

  202. 

  203. func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {

  204. 	padLength := 48

  205. 	if s.h.Size() == 20 {

  206. 		padLength = 40

  207. 	}

  208. 

  209. 	s.h.Reset()

  210. 	s.h.Write(s.key)

  211. 	s.h.Write(ssl30Pad1[:padLength])

  212. 	s.h.Write(seq)

  213. 	s.h.Write(header[:1])

  214. 	s.h.Write(header[3:5])

  215. 	s.h.Write(data)

  216. 	digestBuf = s.h.Sum(digestBuf[:0])

  217. 

  218. 	s.h.Reset()

  219. 	s.h.Write(s.key)

  220. 	s.h.Write(ssl30Pad2[:padLength])

  221. 	s.h.Write(digestBuf)

  222. 	return s.h.Sum(digestBuf[:0])

  223. }

  224. 

  225. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.

  226. type tls10MAC struct {

  227. 	h hash.Hash

  228. }

  229. 

  230. func (s tls10MAC) Size() int {

  231. 	return s.h.Size()

  232. }

  233. 

  234. func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {

  235. 	s.h.Reset()

  236. 	s.h.Write(seq)

  237. 	s.h.Write(header)

  238. 	s.h.Write(data)

  239. 	return s.h.Sum(digestBuf[:0])

  240. }

  241. 

  242. func rsaKA(version uint16) keyAgreement {

  243. 	return rsaKeyAgreement{}

  244. }

  245. 

  246. func ecdheECDSAKA(version uint16) keyAgreement {

  247. 	return &ecdheKeyAgreement{

  248. 		sigType: signatureECDSA,

  249. 		version: version,

  250. 	}

  251. }

  252. 

  253. func ecdheRSAKA(version uint16) keyAgreement {

  254. 	return &ecdheKeyAgreement{

  255. 		sigType: signatureRSA,

  256. 		version: version,

  257. 	}

  258. }

  259. 

  260. // mutualCipherSuite returns a cipherSuite given a list of supported

  261. // ciphersuites and the id requested by the peer.

  262. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {

  263. 	for _, id := range have {

  264. 		if id == want {

  265. 			for _, suite := range cipherSuites {

  266. 				if suite.id == want {

  267. 					return suite

  268. 				}

  269. 			}

  270. 			return nil

  271. 		}

  272. 	}

  273. 	return nil

  274. }

  275. 

  276. // A list of cipher suite IDs that are, or have been, implemented by this

  277. // package.

  278. //

  279. // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

  280. const (

  281. 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005

  282. 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a

  283. 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f

  284. 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035

  285. 	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c

  286. 	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c

  287. 	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d

  288. 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007

  289. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009

  290. 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a

  291. 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011

  292. 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012

  293. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013

  294. 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014

  295. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023

  296. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027

  297. 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f

  298. 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b

  299. 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030

  300. 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c

  301. 

  302. 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator

  303. 	// that the client is doing version fallback. See

  304. 	// https://tools.ietf.org/html/rfc7507.

  305. 	TLS_FALLBACK_SCSV uint16 = 0x5600

  306. )