kris
/
tls-tris
1
0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Версии 0 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
446 Ревизии
4 Клонове
2.5 MiB
ИН на ревизия: 69dddf0612
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от '69dddf0612'
${ noResults }
tls-tris/cipher_suites.go

cipher_suites.go 15 KiB
Директен файл Normal View История

crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
crypto/tls: don't always use the default private key. When SNI based certificate selection is enabled, we previously used the default private key even if we selected a non-default certificate. Fixes #3367. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/5987058
преди 12 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
src/pkg/[a-m]*: gofix -r error -force=error R=golang-dev, iant CC=golang-dev https://golang.org/cl/5322051
преди 13 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
преди 11 години
crypto/tls: don't select TLS 1.2 cipher suites in prior versions. AES-GCM cipher suites are only defined for TLS 1.2, although there's nothing really version specific about them. However, development versions of NSS (meaning Firefox and Chrome) have an issue where they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello but then balk when the server selects one. This change causes Go clients not to advertise TLS 1.2 cipher suites unless TLS 1.2 is being used, and prevents servers from selecting them unless TLS 1.2 has been negotiated. https://code.google.com/p/chromium/issues/detail?id=297151 https://bugzilla.mozilla.org/show_bug.cgi?id=919677 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13573047
преди 11 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: disable RC4 by default. RC4 is frowned upon[1] at this point and major providers are disabling it by default[2]. Those who still need RC4 support in crypto/tls can enable it by specifying the CipherSuites slice in crypto/tls.Config explicitly. Fixes #10094. [1] https://tools.ietf.org/html/rfc7465 [2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/ Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f Reviewed-on: https://go-review.googlesource.com/7647 Reviewed-by: Andrew Gerrand <adg@golang.org>
преди 9 години
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
преди 11 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
tris: typos
преди 7 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
преди 14 години
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
преди 11 години
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
преди 11 години
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
tris: fix nonce length definition and actually use it All TLS 1.3 cipher suites so far use a nonce length of 12, but that does not have to be the case. Correct the cipher suite definition and use it. Spec: https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5.3 Note: there is no functional change, the values were previously unused. Fixes: ("[dev.tls] crypto/tls: implement TLS 1.3 cipher suites")
преди 6 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: enable ChaCha20-Poly1305 cipher suites by default. This change enables the ChaCha20-Poly1305 cipher suites by default. This changes the default ClientHello and thus requires updating all the tests. Change-Id: I6683a2647caaff4a11f9e932babb6f07912cad94 Reviewed-on: https://go-review.googlesource.com/30958 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 7 години
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 7 години
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: disable CBC cipher suites with SHA-256 by default As is, they were fully vulnerable to the Lucky13 attack. The SHA1 variants implement limited countermeasures (see f28cf8346c4) but the SHA256 ones are apparently used rarely enough (see 8741504888b) that it's not worth the extra code. Instead, disable them by default and update the warning. Updates #13385 Updates #15487 Change-Id: I45b8b716001e2fa0811b17e25be76e2512e5abb2 Reviewed-on: https://go-review.googlesource.com/35290 Reviewed-by: Adam Langley <alangley@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Matt Layher <mdlayher@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 7 години
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
преди 11 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: fix comment typo. This was pointed out in https://go-review.googlesource.com/#/c/27315/1 but I changed and uploaded the wrong branch. This actually makes the fix. Change-Id: Ib615b06c9141b914648b6abbeeb688c5ffa0d2e3 Reviewed-on: https://go-review.googlesource.com/27360 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: only store a single nonce for AES-GCM. Although an AEAD, in general, can be used concurrently in both the seal and open directions, TLS is easier. Since the transport keys are different for different directions in TLS, an AEAD will only ever be used in one direction. Thus we don't need separate buffers for seal and open because they can never happen concurrently. Also, fix the nonce size to twelve bytes since the fixed-prefix construction for AEADs is superseded and will never be used for anything else now. Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46 Reviewed-on: https://go-review.googlesource.com/30959 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
преди 11 години
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
преди 13 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
преди 13 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
преди 13 години
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
преди 11 години
crypto/tls: implement countermeasures against CBC padding oracles The aim is to make the decrypt() timing profile constant, irrespective of the CBC padding length or correctness. The old algorithm, on valid padding, would only MAC bytes up to the padding length threshold, making CBC ciphersuites vulnerable to plaintext recovery attacks as presented in the "Lucky Thirteen" paper. The new algorithm Write()s to the MAC all supposed payload, performs a constant time Sum()---which required implementing a constant time Sum() in crypto/sha1, see the "Lucky Microseconds" paper---and then Write()s the rest of the data. This is performed whether the padding is good or not. This should have no explicit secret-dependent timings, but it does NOT attempt to normalize memory accesses to prevent cache timing leaks. Updates #13385 Change-Id: I15d91dc3cc6eefc1d44f317f72ff8feb0a9888f7 Reviewed-on: https://go-review.googlesource.com/18130 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
преди 8 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
преди 11 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
преди 11 години
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
преди 7 години
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
преди 11 години
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
преди 11 години
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
преди 11 години
crypto/tls: add RSASSA-PSS support for handshake messages This adds support for RSASSA-PSS signatures in handshake messages as required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS when advertised in the Client Hello (this will be done later as the testdata will change). Updates #9671 Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
преди 7 години
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
преди 11 години
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
преди 13 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: document that the cipher suite list is non-exhaustive. Fixes #14370. Change-Id: Ieb95ee3494f592fb5fc74aa4b803479671816927 Reviewed-on: https://go-review.googlesource.com/20551 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
crypto/tls: remove TLS13CipherSuites. To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites, remove the distinction between both suites. TLS 1.3 suites are now always included in the default cipher list (and the client will send it if MaxVersion allows for it). Since TLS 1.3 is expected to become the default MaxVersion and applications might have set only TLS 1.2 cipher suites in their configuration, TLS 1.3 cipher suites are added when none are present. Alternatively, I considered disallowing overriding the TLS 1.3 suites, but that requires more complexity and has not much benefits. Provide a mechanism and do not dictate policy, application developers might want to fix a cipher suite for testing other implementations for example. Fixes https://github.com/cloudflare/tls-tris/pull/22
преди 7 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: add TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites Fixes #9894. Change-Id: I9c7ce771df2e2d1c99a06f800dce63c4e1875993 Reviewed-on: https://go-review.googlesource.com/16924 Run-TryBot: Minux Ma <minux@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: support AES-128-CBC cipher suites with SHA-256. These were new with TLS 1.2 and, reportedly, some servers require it. Since it's easy, this change adds suport for three flavours of AES-128-CBC with SHA-256 MACs. Other testdata/ files have to be updated because this changes the list of cipher suites offered by default by the client. Fixes #15487. Change-Id: I1b14330c31eeda20185409a37072343552c3464f Reviewed-on: https://go-review.googlesource.com/27315 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
преди 8 години
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
преди 11 години
crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289 Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256). Testdata were all updated to correspond with the new cipher suites in the handshake. Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f Reviewed-on: https://go-review.googlesource.com/3265 Reviewed-by: Adam Langley <agl@golang.org>
преди 9 години
crypto/tls: support ChaCha20-Poly1305. This change adds support for the ChaCha20-Poly1305 AEAD to crypto/tls, as specified in https://tools.ietf.org/html/rfc7905. Fixes #15499. Change-Id: Iaa689be90e03f208c40b574eca399e56f3c7ecf1 Reviewed-on: https://go-review.googlesource.com/30957 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
преди 10 години
crypto/tls: remove TLS13CipherSuites. To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites, remove the distinction between both suites. TLS 1.3 suites are now always included in the default cipher list (and the client will send it if MaxVersion allows for it). Since TLS 1.3 is expected to become the default MaxVersion and applications might have set only TLS 1.2 cipher suites in their configuration, TLS 1.3 cipher suites are added when none are present. Alternatively, I considered disallowing overriding the TLS 1.3 suites, but that requires more complexity and has not much benefits. Provide a mechanism and do not dictate policy, application developers might want to fix a cipher suite for testing other implementations for example. Fixes https://github.com/cloudflare/tls-tris/pull/22
преди 7 години
[dev.tls] crypto/tls: implement TLS 1.3 cipher suites I opted for adding a separate TLS13CipherSuites field to the Config because library users that did not set Config.MaxVersion are supposed to get TLS 1.3 support automatically, like it has been for HTTP/2, but having set CipherSuites would effectively disable it. Updates #9671 Change-Id: I26a2776b68374d6f5ee45629da09f9494fe723ad
преди 8 години
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
преди 10 години
crypto/tls: Update references to draft-ietf-tls-downgrade-scsv-00. It's RFC 7507 now. Change-Id: Iccd6c65f9d4b1f4d17ee068dee4576a512ba8405 Reviewed-on: https://go-review.googlesource.com/21154 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
преди 8 години
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
преди 10 години
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
преди 14 години
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto/aes"

  9. 	"crypto/cipher"

  10. 	"crypto/des"

  11. 	"crypto/hmac"

  12. 	"crypto/rc4"

  13. 	"crypto/sha1"

  14. 	"crypto/sha256"

  15. 	"crypto/x509"

  16. 	"hash"

  17. 

  18. 	"golang_org/x/crypto/chacha20poly1305"

  19. )

  20. 

  21. // a keyAgreement implements the client and server side of a TLS key agreement

  22. // protocol by generating and processing key exchange messages.

  23. type keyAgreement interface {

  24. 	// On the server side, the first two methods are called in order.

  25. 

  26. 	// In the case that the key agreement protocol doesn't use a

  27. 	// ServerKeyExchange message, generateServerKeyExchange can return nil,

  28. 	// nil.

  29. 	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)

  30. 	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)

  31. 

  32. 	// On the client side, the next two methods are called in order.

  33. 

  34. 	// This method may not be called if the server doesn't send a

  35. 	// ServerKeyExchange message.

  36. 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error

  37. 	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)

  38. }

  39. 

  40. const (

  41. 	// suiteECDH indicates that the cipher suite involves elliptic curve

  42. 	// Diffie-Hellman. This means that it should only be selected when the

  43. 	// client indicates that it supports ECC with a curve and point format

  44. 	// that we're happy with.

  45. 	suiteECDHE = 1 << iota

  46. 	// suiteECDSA indicates that the cipher suite involves an ECDSA

  47. 	// signature and therefore may only be selected when the server's

  48. 	// certificate is ECDSA. If this is not set then the cipher suite is

  49. 	// RSA based.

  50. 	suiteECDSA

  51. 	// suiteTLS12 indicates that the cipher suite should only be advertised

  52. 	// and accepted when using TLS 1.2.

  53. 	suiteTLS12

  54. 	// suiteTLS13 indicates that the ones and only cipher suites to be

  55. 	// advertised and accepted when using TLS 1.3.

  56. 	suiteTLS13

  57. 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the

  58. 	// handshake hash.

  59. 	suiteSHA384

  60. 	// suiteDefaultOff indicates that this cipher suite is not included by

  61. 	// default.

  62. 	suiteDefaultOff

  63. )

  64. 

  65. // A cipherSuite is a specific combination of key agreement, cipher and MAC

  66. // function.

  67. type cipherSuite struct {

  68. 	id uint16

  69. 	// the lengths, in bytes, of the key material needed for each component.

  70. 	keyLen int

  71. 	macLen int

  72. 	ivLen  int

  73. 	ka     func(version uint16) keyAgreement

  74. 	// flags is a bitmask of the suite* values, above.

  75. 	flags  int

  76. 	cipher func(key, iv []byte, isRead bool) interface{}

  77. 	mac    func(version uint16, macKey []byte) macFunction

  78. 	aead   func(key, fixedNonce []byte) cipher.AEAD

  79. }

  80. 

  81. var cipherSuites = []*cipherSuite{

  82. 	// TLS 1.3 ciphersuites specify only the AEAD and the HKDF hash.

  83. 	{TLS_CHACHA20_POLY1305_SHA256, 32, 0, 12, nil, suiteTLS13, nil, nil, aeadChaCha20Poly1305},

  84. 	{TLS_AES_128_GCM_SHA256, 16, 0, 12, nil, suiteTLS13, nil, nil, aeadAESGCM13},

  85. 	{TLS_AES_256_GCM_SHA384, 32, 0, 12, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM13},

  86. 

  87. 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and

  88. 	// AEADs are the top preference.

  89. 	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},

  90. 	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},

  91. 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM12},

  92. 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM12},

  93. 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  94. 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  95. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  96. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  97. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  98. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  99. 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  100. 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  101. 	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM12},

  102. 	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM12},

  103. 	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},

  104. 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  105. 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  106. 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},

  107. 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},

  108. 

  109. 	// RC4-based cipher suites are disabled by default.

  110. 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},

  111. 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},

  112. 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},

  113. }

  114. 

  115. func cipherRC4(key, iv []byte, isRead bool) interface{} {

  116. 	cipher, _ := rc4.NewCipher(key)

  117. 	return cipher

  118. }

  119. 

  120. func cipher3DES(key, iv []byte, isRead bool) interface{} {

  121. 	block, _ := des.NewTripleDESCipher(key)

  122. 	if isRead {

  123. 		return cipher.NewCBCDecrypter(block, iv)

  124. 	}

  125. 	return cipher.NewCBCEncrypter(block, iv)

  126. }

  127. 

  128. func cipherAES(key, iv []byte, isRead bool) interface{} {

  129. 	block, _ := aes.NewCipher(key)

  130. 	if isRead {

  131. 		return cipher.NewCBCDecrypter(block, iv)

  132. 	}

  133. 	return cipher.NewCBCEncrypter(block, iv)

  134. }

  135. 

  136. // macSHA1 returns a macFunction for the given protocol version.

  137. func macSHA1(version uint16, key []byte) macFunction {

  138. 	if version == VersionSSL30 {

  139. 		mac := ssl30MAC{

  140. 			h:   sha1.New(),

  141. 			key: make([]byte, len(key)),

  142. 		}

  143. 		copy(mac.key, key)

  144. 		return mac

  145. 	}

  146. 	return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}

  147. }

  148. 

  149. // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2

  150. // so the given version is ignored.

  151. func macSHA256(version uint16, key []byte) macFunction {

  152. 	return tls10MAC{hmac.New(sha256.New, key)}

  153. }

  154. 

  155. type macFunction interface {

  156. 	Size() int

  157. 	MAC(digestBuf, seq, header, data, extra []byte) []byte

  158. }

  159. 

  160. type aead interface {

  161. 	cipher.AEAD

  162. 

  163. 	// explicitIVLen returns the number of bytes used by the explicit nonce

  164. 	// that is included in the record. This is eight for older AEADs and

  165. 	// zero for modern ones.

  166. 	explicitNonceLen() int

  167. }

  168. 

  169. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to

  170. // each call.

  171. type fixedNonceAEAD struct {

  172. 	// nonce contains the fixed part of the nonce in the first four bytes.

  173. 	nonce [12]byte

  174. 	aead  cipher.AEAD

  175. }

  176. 

  177. func (f *fixedNonceAEAD) NonceSize() int        { return 8 }

  178. func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }

  179. func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }

  180. 

  181. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  182. 	copy(f.nonce[4:], nonce)

  183. 	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)

  184. }

  185. 

  186. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  187. 	copy(f.nonce[4:], nonce)

  188. 	return f.aead.Open(out, f.nonce[:], plaintext, additionalData)

  189. }

  190. 

  191. // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce

  192. // before each call.

  193. type xorNonceAEAD struct {

  194. 	nonceMask [12]byte

  195. 	aead      cipher.AEAD

  196. }

  197. 

  198. func (f *xorNonceAEAD) NonceSize() int        { return 8 }

  199. func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }

  200. func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }

  201. 

  202. func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  203. 	for i, b := range nonce {

  204. 		f.nonceMask[4+i] ^= b

  205. 	}

  206. 	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)

  207. 	for i, b := range nonce {

  208. 		f.nonceMask[4+i] ^= b

  209. 	}

  210. 

  211. 	return result

  212. }

  213. 

  214. func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  215. 	for i, b := range nonce {

  216. 		f.nonceMask[4+i] ^= b

  217. 	}

  218. 	result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)

  219. 	for i, b := range nonce {

  220. 		f.nonceMask[4+i] ^= b

  221. 	}

  222. 

  223. 	return result, err

  224. }

  225. 

  226. func aeadAESGCM12(key, fixedNonce []byte) cipher.AEAD {

  227. 	aes, err := aes.NewCipher(key)

  228. 	if err != nil {

  229. 		panic(err)

  230. 	}

  231. 	aead, err := cipher.NewGCM(aes)

  232. 	if err != nil {

  233. 		panic(err)

  234. 	}

  235. 

  236. 	ret := &fixedNonceAEAD{aead: aead}

  237. 	copy(ret.nonce[:], fixedNonce)

  238. 	return ret

  239. }

  240. 

  241. func aeadAESGCM13(key, fixedNonce []byte) cipher.AEAD {

  242. 	aes, err := aes.NewCipher(key)

  243. 	if err != nil {

  244. 		panic(err)

  245. 	}

  246. 	aead, err := cipher.NewGCM(aes)

  247. 	if err != nil {

  248. 		panic(err)

  249. 	}

  250. 

  251. 	ret := &xorNonceAEAD{aead: aead}

  252. 	copy(ret.nonceMask[:], fixedNonce)

  253. 	return ret

  254. }

  255. 

  256. func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {

  257. 	aead, err := chacha20poly1305.New(key)

  258. 	if err != nil {

  259. 		panic(err)

  260. 	}

  261. 

  262. 	ret := &xorNonceAEAD{aead: aead}

  263. 	copy(ret.nonceMask[:], fixedNonce)

  264. 	return ret

  265. }

  266. 

  267. // ssl30MAC implements the SSLv3 MAC function, as defined in

  268. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1

  269. type ssl30MAC struct {

  270. 	h   hash.Hash

  271. 	key []byte

  272. }

  273. 

  274. func (s ssl30MAC) Size() int {

  275. 	return s.h.Size()

  276. }

  277. 

  278. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}

  279. 

  280. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}

  281. 

  282. // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed

  283. // useless considering the similar, protocol-level POODLE vulnerability.

  284. func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {

  285. 	padLength := 48

  286. 	if s.h.Size() == 20 {

  287. 		padLength = 40

  288. 	}

  289. 

  290. 	s.h.Reset()

  291. 	s.h.Write(s.key)

  292. 	s.h.Write(ssl30Pad1[:padLength])

  293. 	s.h.Write(seq)

  294. 	s.h.Write(header[:1])

  295. 	s.h.Write(header[3:5])

  296. 	s.h.Write(data)

  297. 	digestBuf = s.h.Sum(digestBuf[:0])

  298. 

  299. 	s.h.Reset()

  300. 	s.h.Write(s.key)

  301. 	s.h.Write(ssl30Pad2[:padLength])

  302. 	s.h.Write(digestBuf)

  303. 	return s.h.Sum(digestBuf[:0])

  304. }

  305. 

  306. type constantTimeHash interface {

  307. 	hash.Hash

  308. 	ConstantTimeSum(b []byte) []byte

  309. }

  310. 

  311. // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces

  312. // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.

  313. type cthWrapper struct {

  314. 	h constantTimeHash

  315. }

  316. 

  317. func (c *cthWrapper) Size() int                   { return c.h.Size() }

  318. func (c *cthWrapper) BlockSize() int              { return c.h.BlockSize() }

  319. func (c *cthWrapper) Reset()                      { c.h.Reset() }

  320. func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }

  321. func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }

  322. 

  323. func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {

  324. 	return func() hash.Hash {

  325. 		return &cthWrapper{h().(constantTimeHash)}

  326. 	}

  327. }

  328. 

  329. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.

  330. type tls10MAC struct {

  331. 	h hash.Hash

  332. }

  333. 

  334. func (s tls10MAC) Size() int {

  335. 	return s.h.Size()

  336. }

  337. 

  338. // MAC is guaranteed to take constant time, as long as

  339. // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into

  340. // the MAC, but is only provided to make the timing profile constant.

  341. func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {

  342. 	s.h.Reset()

  343. 	s.h.Write(seq)

  344. 	s.h.Write(header)

  345. 	s.h.Write(data)

  346. 	res := s.h.Sum(digestBuf[:0])

  347. 	if extra != nil {

  348. 		s.h.Write(extra)

  349. 	}

  350. 	return res

  351. }

  352. 

  353. func rsaKA(version uint16) keyAgreement {

  354. 	return rsaKeyAgreement{}

  355. }

  356. 

  357. func ecdheECDSAKA(version uint16) keyAgreement {

  358. 	return &ecdheKeyAgreement{

  359. 		isRSA:   false,

  360. 		version: version,

  361. 	}

  362. }

  363. 

  364. func ecdheRSAKA(version uint16) keyAgreement {

  365. 	return &ecdheKeyAgreement{

  366. 		isRSA:   true,

  367. 		version: version,

  368. 	}

  369. }

  370. 

  371. // mutualCipherSuite returns a cipherSuite given a list of supported

  372. // ciphersuites and the id requested by the peer.

  373. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {

  374. 	for _, id := range have {

  375. 		if id == want {

  376. 			for _, suite := range cipherSuites {

  377. 				if suite.id == want {

  378. 					return suite

  379. 				}

  380. 			}

  381. 			return nil

  382. 		}

  383. 	}

  384. 	return nil

  385. }

  386. 

  387. // A list of cipher suite IDs that are, or have been, implemented by this

  388. // package.

  389. //

  390. // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

  391. const (

  392. 	// TLS 1.0 - 1.2 cipher suites.

  393. 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005

  394. 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a

  395. 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f

  396. 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035

  397. 	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c

  398. 	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c

  399. 	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d

  400. 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007

  401. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009

  402. 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a

  403. 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011

  404. 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012

  405. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013

  406. 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014

  407. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023

  408. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027

  409. 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f

  410. 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b

  411. 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030

  412. 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c

  413. 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    uint16 = 0xcca8

  414. 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  uint16 = 0xcca9

  415. 

  416. 	// TLS 1.3+ cipher suites.

  417. 	TLS_AES_128_GCM_SHA256       uint16 = 0x1301

  418. 	TLS_AES_256_GCM_SHA384       uint16 = 0x1302

  419. 	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

  420. 

  421. 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator

  422. 	// that the client is doing version fallback. See

  423. 	// https://tools.ietf.org/html/rfc7507.

  424. 	TLS_FALLBACK_SCSV uint16 = 0x5600

  425. )