libgo/go/crypto/tls/cipher_suites.go

   1 // Copyright 2010 The Go Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style
   3 // license that can be found in the LICENSE file.
   4
   5 package tls
   6
   7 import (
   8         "crypto/aes"
   9         "crypto/cipher"
  10         "crypto/des"
  11         "crypto/hmac"
  12         "crypto/rc4"
  13         "crypto/sha1"
  14         "crypto/x509"
  15         "hash"
  16 )
  17
  18 // a keyAgreement implements the client and server side of a TLS key agreement
  19 // protocol by generating and processing key exchange messages.
  20 type keyAgreement interface {
  21         // On the server side, the first two methods are called in order.
  22
  23         // In the case that the key agreement protocol doesn't use a
  24         // ServerKeyExchange message, generateServerKeyExchange can return nil,
  25         // nil.
  26         generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
  27         processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
  28
  29         // On the client side, the next two methods are called in order.
  30
  31         // This method may not be called if the server doesn't send a
  32         // ServerKeyExchange message.
  33         processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
  34         generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
  35 }
  36
  37 const (
  38         // suiteECDH indicates that the cipher suite involves elliptic curve
  39         // Diffie-Hellman. This means that it should only be selected when the
  40         // client indicates that it supports ECC with a curve and point format
  41         // that we're happy with.
  42         suiteECDHE = 1 << iota
  43         // suiteECDSA indicates that the cipher suite involves an ECDSA
  44         // signature and therefore may only be selected when the server's
  45         // certificate is ECDSA. If this is not set then the cipher suite is
  46         // RSA based.
  47         suiteECDSA
  48         // suiteTLS12 indicates that the cipher suite should only be advertised
  49         // and accepted when using TLS 1.2.
  50         suiteTLS12
  51 )
  52
  53 // A cipherSuite is a specific combination of key agreement, cipher and MAC
  54 // function. All cipher suites currently assume RSA key agreement.
  55 type cipherSuite struct {
  56         id uint16
  57         // the lengths, in bytes, of the key material needed for each component.
  58         keyLen int
  59         macLen int
  60         ivLen  int
  61         ka     func(version uint16) keyAgreement
  62         // flags is a bitmask of the suite* values, above.
  63         flags  int
  64         cipher func(key, iv []byte, isRead bool) interface{}
  65         mac    func(version uint16, macKey []byte) macFunction
  66         aead   func(key, fixedNonce []byte) cipher.AEAD
  67 }
  68
  69 var cipherSuites = []*cipherSuite{
  70         // Ciphersuite order is chosen so that ECDHE comes before plain RSA
  71         // and RC4 comes before AES (because of the Lucky13 attack).
  72         {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
  73         {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
  74         {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil},
  75         {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherRC4, macSHA1, nil},
  76         {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  77         {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  78         {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
  79         {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
  80         {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil},
  81         {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  82         {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
  83         {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
  84         {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
  85 }
  86
  87 func cipherRC4(key, iv []byte, isRead bool) interface{} {
  88         cipher, _ := rc4.NewCipher(key)
  89         return cipher
  90 }
  91
  92 func cipher3DES(key, iv []byte, isRead bool) interface{} {
  93         block, _ := des.NewTripleDESCipher(key)
  94         if isRead {
  95                 return cipher.NewCBCDecrypter(block, iv)
  96         }
  97         return cipher.NewCBCEncrypter(block, iv)
  98 }
  99
 100 func cipherAES(key, iv []byte, isRead bool) interface{} {
 101         block, _ := aes.NewCipher(key)
 102         if isRead {
 103                 return cipher.NewCBCDecrypter(block, iv)
 104         }
 105         return cipher.NewCBCEncrypter(block, iv)
 106 }
 107
 108 // macSHA1 returns a macFunction for the given protocol version.
 109 func macSHA1(version uint16, key []byte) macFunction {
 110         if version == VersionSSL30 {
 111                 mac := ssl30MAC{
 112                         h:   sha1.New(),
 113                         key: make([]byte, len(key)),
 114                 }
 115                 copy(mac.key, key)
 116                 return mac
 117         }
 118         return tls10MAC{hmac.New(sha1.New, key)}
 119 }
 120
 121 type macFunction interface {
 122         Size() int
 123         MAC(digestBuf, seq, header, data []byte) []byte
 124 }
 125
 126 // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
 127 // each call.
 128 type fixedNonceAEAD struct {
 129         // sealNonce and openNonce are buffers where the larger nonce will be
 130         // constructed. Since a seal and open operation may be running
 131         // concurrently, there is a separate buffer for each.
 132         sealNonce, openNonce []byte
 133         aead                 cipher.AEAD
 134 }
 135
 136 func (f *fixedNonceAEAD) NonceSize() int { return 8 }
 137 func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
 138
 139 func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
 140         copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
 141         return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
 142 }
 143
 144 func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
 145         copy(f.openNonce[len(f.openNonce)-8:], nonce)
 146         return f.aead.Open(out, f.openNonce, plaintext, additionalData)
 147 }
 148
 149 func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
 150         aes, err := aes.NewCipher(key)
 151         if err != nil {
 152                 panic(err)
 153         }
 154         aead, err := cipher.NewGCM(aes)
 155         if err != nil {
 156                 panic(err)
 157         }
 158
 159         nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
 160         copy(nonce1, fixedNonce)
 161         copy(nonce2, fixedNonce)
 162
 163         return &fixedNonceAEAD{nonce1, nonce2, aead}
 164 }
 165
 166 // ssl30MAC implements the SSLv3 MAC function, as defined in
 167 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
 168 type ssl30MAC struct {
 169         h   hash.Hash
 170         key []byte
 171 }
 172
 173 func (s ssl30MAC) Size() int {
 174         return s.h.Size()
 175 }
 176
 177 var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
 178
 179 var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
 180
 181 func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
 182         padLength := 48
 183         if s.h.Size() == 20 {
 184                 padLength = 40
 185         }
 186
 187         s.h.Reset()
 188         s.h.Write(s.key)
 189         s.h.Write(ssl30Pad1[:padLength])
 190         s.h.Write(seq)
 191         s.h.Write(header[:1])
 192         s.h.Write(header[3:5])
 193         s.h.Write(data)
 194         digestBuf = s.h.Sum(digestBuf[:0])
 195
 196         s.h.Reset()
 197         s.h.Write(s.key)
 198         s.h.Write(ssl30Pad2[:padLength])
 199         s.h.Write(digestBuf)
 200         return s.h.Sum(digestBuf[:0])
 201 }
 202
 203 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
 204 type tls10MAC struct {
 205         h hash.Hash
 206 }
 207
 208 func (s tls10MAC) Size() int {
 209         return s.h.Size()
 210 }
 211
 212 func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
 213         s.h.Reset()
 214         s.h.Write(seq)
 215         s.h.Write(header)
 216         s.h.Write(data)
 217         return s.h.Sum(digestBuf[:0])
 218 }
 219
 220 func rsaKA(version uint16) keyAgreement {
 221         return rsaKeyAgreement{}
 222 }
 223
 224 func ecdheECDSAKA(version uint16) keyAgreement {
 225         return &ecdheKeyAgreement{
 226                 sigType: signatureECDSA,
 227                 version: version,
 228         }
 229 }
 230
 231 func ecdheRSAKA(version uint16) keyAgreement {
 232         return &ecdheKeyAgreement{
 233                 sigType: signatureRSA,
 234                 version: version,
 235         }
 236 }
 237
 238 // mutualCipherSuite returns a cipherSuite given a list of supported
 239 // ciphersuites and the id requested by the peer.
 240 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
 241         for _, id := range have {
 242                 if id == want {
 243                         for _, suite := range cipherSuites {
 244                                 if suite.id == want {
 245                                         return suite
 246                                 }
 247                         }
 248                         return nil
 249                 }
 250         }
 251         return nil
 252 }
 253
 254 // A list of the possible cipher suite ids. Taken from
 255 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
 256 const (
 257         TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
 258         TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
 259         TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
 260         TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
 261         TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
 262         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
 263         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
 264         TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
 265         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
 266         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
 267         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
 268         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
 269         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
 270 )