kris
/
tls-tris
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
231 Commity
4 Gałęzie
2.5 MiB
Drzewo: c757de320b
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'c757de320b'
${ noResults }
tls-tris/cipher_suites.go

cipher_suites.go 9.9 KiB
Czysty Zwykły widok Historia

crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
crypto/tls: don't always use the default private key. When SNI based certificate selection is enabled, we previously used the default private key even if we selected a non-default certificate. Fixes #3367. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/5987058
12 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
src/pkg/[a-m]*: gofix -r error -force=error R=golang-dev, iant CC=golang-dev https://golang.org/cl/5322051
13 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 lat temu
crypto/tls: don't select TLS 1.2 cipher suites in prior versions. AES-GCM cipher suites are only defined for TLS 1.2, although there's nothing really version specific about them. However, development versions of NSS (meaning Firefox and Chrome) have an issue where they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello but then balk when the server selects one. This change causes Go clients not to advertise TLS 1.2 cipher suites unless TLS 1.2 is being used, and prevents servers from selecting them unless TLS 1.2 has been negotiated. https://code.google.com/p/chromium/issues/detail?id=297151 https://bugzilla.mozilla.org/show_bug.cgi?id=919677 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13573047
11 lat temu
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 lat temu
crypto/tls: disable RC4 by default. RC4 is frowned upon[1] at this point and major providers are disabling it by default[2]. Those who still need RC4 support in crypto/tls can enable it by specifying the CipherSuites slice in crypto/tls.Config explicitly. Fixes #10094. [1] https://tools.ietf.org/html/rfc7465 [2] https://blog.cloudflare.com/killing-rc4-the-long-goodbye/ Change-Id: Ia03a456f7e7a4362b706392b0e3c4cc93ce06f9f Reviewed-on: https://go-review.googlesource.com/7647 Reviewed-by: Andrew Gerrand <adg@golang.org>
9 lat temu
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
14 lat temu
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 lat temu
crypto/tls: don't select ECDSA ciphersuites with only an RSA certificate. 47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the cipher suite selection to take that into account. Thus Go servers could try and select an ECDSA cipher suite while only having an RSA certificate, leading to connection failures. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/13239053
11 lat temu
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: change advertised ciphersuite order. TLS clients send ciphersuites in preference order (most prefereable first). This change alters the order so that ECDHE comes before plain RSA, and RC4 comes before AES (because of the Lucky13 attack). This is unlikely to have much effect: as a server, the code uses the client's ciphersuite order by default and, as a client, the non-Go server probably imposes its order. R=golang-dev, r, raggi, jsing CC=golang-dev https://golang.org/cl/10372045
11 lat temu
crypto/tls: decouple handshake signatures from the handshake hash. Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
9 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: add 3DES ciphersuites The following ciphersuites are added: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA This change helps conform to the TLS1.1 standard because the first ciphersuite is "mandatory" in RFC4346 R=golang-dev, agl, rsc CC=golang-dev https://golang.org/cl/5164042
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/hmac: Deprecate hmac.NewMD5, hmac.NewSHA1 and hmac.NewSHA256 Remove NewMD5, NewSHA1 and NewSHA256 in favor of using New and explicitly importing the used hash-function. This way when using, for example, HMAC with RIPEMD there's no md5, sha1 and sha256 linked in through the hmac package. A gofix rule is included, and applied to the standard library (3 files altered). This change is the result of a discussion at https://golang.org/cl/5550043/ to pull the discussion about deprecating these functions out of that issue. R=golang-dev, agl CC=golang-dev, r, rsc https://golang.org/cl/5556058
12 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
13 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
13 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto/tls: support SSLv3 It would be nice not to have to support this since all the clients that we care about support TLSv1 by now. However, due to buggy implementations of SSLv3 on the Internet which can't do version negotiation correctly, browsers will sometimes switch to SSLv3. Since there's no good way for a browser tell a network problem from a buggy server, this downgrade can occur even if the server in question is actually working correctly. So we need to support SSLv3 for robustness :( Fixes #1703. R=bradfitz CC=golang-dev https://golang.org/cl/5018045
13 lat temu
crypto/tls: support TLS 1.1. The significant change between TLS 1.0 and 1.1 is the addition of an explicit IV in the case of CBC encrypted records. Support for TLS 1.1 is needed in order to support TLS 1.2. R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/7880043
11 lat temu
crypto: allocate less. The code in hash functions themselves could write directly into the output buffer for a savings of about 50ns. But it's a little ugly so I wasted a copy. R=bradfitz CC=golang-dev https://golang.org/cl/5440111
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 lat temu
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 lat temu
crypto/tls: Add support for ECDHE-ECDSA Add support for ECDHE-ECDSA (RFC4492), which uses an ephemeral server key pair to perform ECDH with ECDSA signatures. Like ECDHE-RSA, ECDHE-ECDSA also provides PFS. R=agl CC=golang-dev https://golang.org/cl/7006047
11 lat temu
crypto/tls: implement TLS 1.2. This does not include AES-GCM yet. Also, it assumes that the handshake and certificate signature hash are always SHA-256, which is true of the ciphersuites that we currently support. R=golang-dev, rsc CC=golang-dev https://golang.org/cl/10762044
11 lat temu
crypto/tls: add ECDHE support (ECDHE is "Elliptic Curve Diffie Hellman Ephemeral") R=rsc CC=golang-dev https://golang.org/cl/3668042
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: commit fixes which I hadn't saved. R=rsc CC=golang-dev https://golang.org/cl/3685041
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: don't rely on map iteration order. Previously we were using the map iteration order to set the order of the cipher suites in the ClientHello. R=bradfitz CC=golang-dev https://golang.org/cl/5440048
13 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
crypto/tls: support AES-GCM. AES-GCM is the only current TLS ciphersuite that doesn't have cryptographic weaknesses (RC4), nor major construction issues (CBC mode ciphers) and has some deployment (i.e. not-CCM). R=golang-dev, bradfitz CC=golang-dev https://golang.org/cl/13249044
11 lat temu
crypto/tls: add support for AES_256_GCM_SHA384 cipher suites specified in RFC5289 Generalizes PRF calculation for TLS 1.2 to support arbitrary hashes (SHA-384 instead of SHA-256). Testdata were all updated to correspond with the new cipher suites in the handshake. Change-Id: I3d9fc48c19d1043899e38255a53c80dc952ee08f Reviewed-on: https://go-review.googlesource.com/3265 Reviewed-by: Adam Langley <agl@golang.org>
9 lat temu
crypto/tls: support TLS_FALLBACK_SCSV as a server. A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only supports SSLv3 as a server, not as a client. An easy fix is to change the default minimum version to TLS 1.0 but that seems a little much this late in the 1.4 process as it may break some things. Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a mechanism for solving the fallback problem overall. Chrome has implemented this since February and Google has urged others to do so in light of yesterday's news. With this change, clients can indicate that they are doing a fallback connection and Go servers will be able to correctly reject them. [1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html [2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 LGTM=rsc R=rsc CC=golang-codereviews https://golang.org/cl/157090043
10 lat temu
crypto/tls: support CBC ciphers This is largely based on ality's CL 2747042. crypto/rc4: API break in order to conform to crypto/cipher's Stream interface cipher/cipher: promote to the default build Since CBC differs between TLS 1.0 and 1.1, we downgrade and support only 1.0 at the current time. 1.0 is what most of the world uses. Given this CL, it would be trival to add support for AES 256, SHA 256 etc, but I haven't in order to keep the change smaller. R=rsc CC=ality, golang-dev https://golang.org/cl/3659041
14 lat temu
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285 
  1. // Copyright 2010 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto/aes"

  9. 	"crypto/cipher"

  10. 	"crypto/des"

  11. 	"crypto/hmac"

  12. 	"crypto/rc4"

  13. 	"crypto/sha1"

  14. 	"crypto/x509"

  15. 	"hash"

  16. )

  17. 

  18. // a keyAgreement implements the client and server side of a TLS key agreement

  19. // protocol by generating and processing key exchange messages.

  20. type keyAgreement interface {

  21. 	// On the server side, the first two methods are called in order.

  22. 

  23. 	// In the case that the key agreement protocol doesn't use a

  24. 	// ServerKeyExchange message, generateServerKeyExchange can return nil,

  25. 	// nil.

  26. 	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)

  27. 	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)

  28. 

  29. 	// On the client side, the next two methods are called in order.

  30. 

  31. 	// This method may not be called if the server doesn't send a

  32. 	// ServerKeyExchange message.

  33. 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error

  34. 	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)

  35. }

  36. 

  37. const (

  38. 	// suiteECDH indicates that the cipher suite involves elliptic curve

  39. 	// Diffie-Hellman. This means that it should only be selected when the

  40. 	// client indicates that it supports ECC with a curve and point format

  41. 	// that we're happy with.

  42. 	suiteECDHE = 1 << iota

  43. 	// suiteECDSA indicates that the cipher suite involves an ECDSA

  44. 	// signature and therefore may only be selected when the server's

  45. 	// certificate is ECDSA. If this is not set then the cipher suite is

  46. 	// RSA based.

  47. 	suiteECDSA

  48. 	// suiteTLS12 indicates that the cipher suite should only be advertised

  49. 	// and accepted when using TLS 1.2.

  50. 	suiteTLS12

  51. 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the

  52. 	// handshake hash.

  53. 	suiteSHA384

  54. 	// suiteDefaultOff indicates that this cipher suite is not included by

  55. 	// default.

  56. 	suiteDefaultOff

  57. )

  58. 

  59. // A cipherSuite is a specific combination of key agreement, cipher and MAC

  60. // function. All cipher suites currently assume RSA key agreement.

  61. type cipherSuite struct {

  62. 	id uint16

  63. 	// the lengths, in bytes, of the key material needed for each component.

  64. 	keyLen int

  65. 	macLen int

  66. 	ivLen  int

  67. 	ka     func(version uint16) keyAgreement

  68. 	// flags is a bitmask of the suite* values, above.

  69. 	flags  int

  70. 	cipher func(key, iv []byte, isRead bool) interface{}

  71. 	mac    func(version uint16, macKey []byte) macFunction

  72. 	aead   func(key, fixedNonce []byte) cipher.AEAD

  73. }

  74. 

  75. var cipherSuites = []*cipherSuite{

  76. 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA

  77. 	// and RC4 comes before AES (because of the Lucky13 attack).

  78. 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},

  79. 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},

  80. 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

  81. 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},

  82. 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},

  83. 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},

  84. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  85. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  86. 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},

  87. 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},

  88. 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},

  89. 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  90. 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},

  91. 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},

  92. 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},

  93. }

  94. 

  95. func cipherRC4(key, iv []byte, isRead bool) interface{} {

  96. 	cipher, _ := rc4.NewCipher(key)

  97. 	return cipher

  98. }

  99. 

  100. func cipher3DES(key, iv []byte, isRead bool) interface{} {

  101. 	block, _ := des.NewTripleDESCipher(key)

  102. 	if isRead {

  103. 		return cipher.NewCBCDecrypter(block, iv)

  104. 	}

  105. 	return cipher.NewCBCEncrypter(block, iv)

  106. }

  107. 

  108. func cipherAES(key, iv []byte, isRead bool) interface{} {

  109. 	block, _ := aes.NewCipher(key)

  110. 	if isRead {

  111. 		return cipher.NewCBCDecrypter(block, iv)

  112. 	}

  113. 	return cipher.NewCBCEncrypter(block, iv)

  114. }

  115. 

  116. // macSHA1 returns a macFunction for the given protocol version.

  117. func macSHA1(version uint16, key []byte) macFunction {

  118. 	if version == VersionSSL30 {

  119. 		mac := ssl30MAC{

  120. 			h:   sha1.New(),

  121. 			key: make([]byte, len(key)),

  122. 		}

  123. 		copy(mac.key, key)

  124. 		return mac

  125. 	}

  126. 	return tls10MAC{hmac.New(sha1.New, key)}

  127. }

  128. 

  129. type macFunction interface {

  130. 	Size() int

  131. 	MAC(digestBuf, seq, header, data []byte) []byte

  132. }

  133. 

  134. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to

  135. // each call.

  136. type fixedNonceAEAD struct {

  137. 	// sealNonce and openNonce are buffers where the larger nonce will be

  138. 	// constructed. Since a seal and open operation may be running

  139. 	// concurrently, there is a separate buffer for each.

  140. 	sealNonce, openNonce []byte

  141. 	aead                 cipher.AEAD

  142. }

  143. 

  144. func (f *fixedNonceAEAD) NonceSize() int { return 8 }

  145. func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }

  146. 

  147. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {

  148. 	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)

  149. 	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)

  150. }

  151. 

  152. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {

  153. 	copy(f.openNonce[len(f.openNonce)-8:], nonce)

  154. 	return f.aead.Open(out, f.openNonce, plaintext, additionalData)

  155. }

  156. 

  157. func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {

  158. 	aes, err := aes.NewCipher(key)

  159. 	if err != nil {

  160. 		panic(err)

  161. 	}

  162. 	aead, err := cipher.NewGCM(aes)

  163. 	if err != nil {

  164. 		panic(err)

  165. 	}

  166. 

  167. 	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)

  168. 	copy(nonce1, fixedNonce)

  169. 	copy(nonce2, fixedNonce)

  170. 

  171. 	return &fixedNonceAEAD{nonce1, nonce2, aead}

  172. }

  173. 

  174. // ssl30MAC implements the SSLv3 MAC function, as defined in

  175. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1

  176. type ssl30MAC struct {

  177. 	h   hash.Hash

  178. 	key []byte

  179. }

  180. 

  181. func (s ssl30MAC) Size() int {

  182. 	return s.h.Size()

  183. }

  184. 

  185. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}

  186. 

  187. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}

  188. 

  189. func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {

  190. 	padLength := 48

  191. 	if s.h.Size() == 20 {

  192. 		padLength = 40

  193. 	}

  194. 

  195. 	s.h.Reset()

  196. 	s.h.Write(s.key)

  197. 	s.h.Write(ssl30Pad1[:padLength])

  198. 	s.h.Write(seq)

  199. 	s.h.Write(header[:1])

  200. 	s.h.Write(header[3:5])

  201. 	s.h.Write(data)

  202. 	digestBuf = s.h.Sum(digestBuf[:0])

  203. 

  204. 	s.h.Reset()

  205. 	s.h.Write(s.key)

  206. 	s.h.Write(ssl30Pad2[:padLength])

  207. 	s.h.Write(digestBuf)

  208. 	return s.h.Sum(digestBuf[:0])

  209. }

  210. 

  211. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.

  212. type tls10MAC struct {

  213. 	h hash.Hash

  214. }

  215. 

  216. func (s tls10MAC) Size() int {

  217. 	return s.h.Size()

  218. }

  219. 

  220. func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {

  221. 	s.h.Reset()

  222. 	s.h.Write(seq)

  223. 	s.h.Write(header)

  224. 	s.h.Write(data)

  225. 	return s.h.Sum(digestBuf[:0])

  226. }

  227. 

  228. func rsaKA(version uint16) keyAgreement {

  229. 	return rsaKeyAgreement{}

  230. }

  231. 

  232. func ecdheECDSAKA(version uint16) keyAgreement {

  233. 	return &ecdheKeyAgreement{

  234. 		sigType: signatureECDSA,

  235. 		version: version,

  236. 	}

  237. }

  238. 

  239. func ecdheRSAKA(version uint16) keyAgreement {

  240. 	return &ecdheKeyAgreement{

  241. 		sigType: signatureRSA,

  242. 		version: version,

  243. 	}

  244. }

  245. 

  246. // mutualCipherSuite returns a cipherSuite given a list of supported

  247. // ciphersuites and the id requested by the peer.

  248. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {

  249. 	for _, id := range have {

  250. 		if id == want {

  251. 			for _, suite := range cipherSuites {

  252. 				if suite.id == want {

  253. 					return suite

  254. 				}

  255. 			}

  256. 			return nil

  257. 		}

  258. 	}

  259. 	return nil

  260. }

  261. 

  262. // A list of the possible cipher suite ids. Taken from

  263. // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

  264. const (

  265. 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005

  266. 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a

  267. 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f

  268. 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035

  269. 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007

  270. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009

  271. 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a

  272. 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011

  273. 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012

  274. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013

  275. 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014

  276. 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f

  277. 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b

  278. 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030

  279. 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c

  280. 

  281. 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator

  282. 	// that the client is doing version fallback. See

  283. 	// https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00.

  284. 	TLS_FALLBACK_SCSV uint16 = 0x5600

  285. )