| blob | d164991eec94c1c05f53d837e2bdadcded4c0717 |
1 // Copyright 2010 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 package tls
8 "crypto"
9 "crypto/aes"
10 "crypto/cipher"
11 "crypto/des"
12 "crypto/hmac"
13 "crypto/rc4"
14 "crypto/sha1"
15 "crypto/sha256"
16 "fmt"
17 "hash"
18 "internal/cpu"
19 "runtime"
21 "golang.org/x/crypto/chacha20poly1305"
22 )
24 // CipherSuite is a TLS cipher suite. Note that most functions in this package
25 // accept and expose cipher suite IDs instead of this type.
27 ID uint16
28 Name string
30 // Supported versions is the list of TLS protocol versions that can
31 // negotiate this cipher suite.
34 // Insecure is true if the cipher suite has known security issues
35 // due to its primitives, design, or implementation.
36 Insecure bool
37 }
43 )
45 // CipherSuites returns a list of cipher suites currently implemented by this
46 // package, excluding those with security issues, which are returned by
47 // InsecureCipherSuites.
48 //
49 // The list is sorted by ID. Note that the default cipher suites selected by
50 // this package might depend on logic that can't be captured by a static list,
51 // and might not match those returned by this function.
63 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
64 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
73 }
74 }
76 // InsecureCipherSuites returns a list of cipher suites currently implemented by
77 // this package and which have security issues.
78 //
79 // Most applications should not use the cipher suites in this list, and should
80 // only use those returned by CipherSuites.
82 // This list includes RC4, CBC_SHA256, and 3DES cipher suites. See
83 // cipherSuitesPreferenceOrder for details.
88 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
90 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true},
91 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
92 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
93 }
94 }
96 // CipherSuiteName returns the standard name for the passed cipher suite ID
97 // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation
98 // of the ID value if the cipher suite is not implemented by this package.
103 }
104 }
108 }
109 }
111 }
114 // suiteECDHE indicates that the cipher suite involves elliptic curve
115 // Diffie-Hellman. This means that it should only be selected when the
116 // client indicates that it supports ECC with a curve and point format
117 // that we're happy with.
119 // suiteECSign indicates that the cipher suite involves an ECDSA or
120 // EdDSA signature and therefore may only be selected when the server's
121 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite
122 // is RSA based.
123 suiteECSign
124 // suiteTLS12 indicates that the cipher suite should only be advertised
125 // and accepted when using TLS 1.2.
126 suiteTLS12
127 // suiteSHA384 indicates that the cipher suite uses SHA384 as the
128 // handshake hash.
129 suiteSHA384
130 )
132 // A cipherSuite is a TLS 1.0–1.2 cipher suite, and defines the key exchange
133 // mechanism, as well as the cipher+MAC pair or the AEAD.
135 id uint16
136 // the lengths, in bytes, of the key material needed for each component.
137 keyLen int
138 macLen int
139 ivLen int
141 // flags is a bitmask of the suite* values, above.
142 flags int
146 }
149 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
150 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
151 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
152 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
153 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
154 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
155 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
156 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
157 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil},
158 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
159 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
160 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
162 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
166 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
170 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil},
171 }
173 // selectCipherSuite returns the first TLS 1.0–1.2 cipher suite from ids which
174 // is also in supportedIDs and passes the ok filter.
179 continue
180 }
184 return candidate
185 }
186 }
187 }
189 }
191 // A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash
192 // algorithm to be used with HKDF. See RFC 8446, Appendix B.4.
194 id uint16
195 keyLen int
197 hash crypto.Hash
198 }
204 }
206 // cipherSuitesPreferenceOrder is the order in which we'll select (on the
207 // server) or advertise (on the client) TLS 1.0–1.2 cipher suites.
208 //
209 // Cipher suites are filtered but not reordered based on the application and
210 // peer's preferences, meaning we'll never select a suite lower in this list if
211 // any higher one is available. This makes it more defensible to keep weaker
212 // cipher suites enabled, especially on the server side where we get the last
213 // word, since there are no known downgrade attacks on cipher suites selection.
214 //
215 // The list is sorted by applying the following priority rules, stopping at the
216 // first (most important) applicable one:
217 //
218 // - Anything else comes before RC4
219 //
220 // RC4 has practically exploitable biases. See https://www.rc4nomore.com.
221 //
222 // - Anything else comes before CBC_SHA256
223 //
224 // SHA-256 variants of the CBC ciphersuites don't implement any Lucky13
225 // countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and
226 // https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
227 //
228 // - Anything else comes before 3DES
229 //
230 // 3DES has 64-bit blocks, which makes it fundamentally susceptible to
231 // birthday attacks. See https://sweet32.info.
232 //
233 // - ECDHE comes before anything else
234 //
235 // Once we got the broken stuff out of the way, the most important
236 // property a cipher suite can have is forward secrecy. We don't
237 // implement FFDHE, so that means ECDHE.
238 //
239 // - AEADs come before CBC ciphers
240 //
241 // Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites
242 // are fundamentally fragile, and suffered from an endless sequence of
243 // padding oracle attacks. See https://eprint.iacr.org/2015/1129,
244 // https://www.imperialviolet.org/2014/12/08/poodleagain.html, and
245 // https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/.
246 //
247 // - AES comes before ChaCha20
248 //
249 // When AES hardware is available, AES-128-GCM and AES-256-GCM are faster
250 // than ChaCha20Poly1305.
251 //
252 // When AES hardware is not available, AES-128-GCM is one or more of: much
253 // slower, way more complex, and less safe (because not constant time)
254 // than ChaCha20Poly1305.
255 //
256 // We use this list if we think both peers have AES hardware, and
257 // cipherSuitesPreferenceOrderNoAES otherwise.
258 //
259 // - AES-128 comes before AES-256
260 //
261 // The only potential advantages of AES-256 are better multi-target
262 // margins, and hypothetical post-quantum properties. Neither apply to
263 // TLS, and AES-256 is slower due to its four extra rounds (which don't
264 // contribute to the advantages above).
265 //
266 // - ECDSA comes before RSA
267 //
268 // The relative order of ECDSA and RSA cipher suites doesn't matter,
269 // as they depend on the certificate. Pick one to get a stable order.
270 //
272 // AEADs w/ ECDHE
277 // CBC w/ ECDHE
281 // AEADs w/o ECDHE
282 TLS_RSA_WITH_AES_128_GCM_SHA256,
283 TLS_RSA_WITH_AES_256_GCM_SHA384,
285 // CBC w/o ECDHE
286 TLS_RSA_WITH_AES_128_CBC_SHA,
287 TLS_RSA_WITH_AES_256_CBC_SHA,
289 // 3DES
290 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
291 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
293 // CBC_SHA256
295 TLS_RSA_WITH_AES_128_CBC_SHA256,
297 // RC4
299 TLS_RSA_WITH_RC4_128_SHA,
300 }
303 // ChaCha20Poly1305
306 // AES-GCM w/ ECDHE
310 // The rest of cipherSuitesPreferenceOrder.
313 TLS_RSA_WITH_AES_128_GCM_SHA256,
314 TLS_RSA_WITH_AES_256_GCM_SHA384,
315 TLS_RSA_WITH_AES_128_CBC_SHA,
316 TLS_RSA_WITH_AES_256_CBC_SHA,
317 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
318 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
320 TLS_RSA_WITH_AES_128_CBC_SHA256,
322 TLS_RSA_WITH_RC4_128_SHA,
323 }
325 // disabledCipherSuites are not used unless explicitly listed in
326 // Config.CipherSuites. They MUST be at the end of cipherSuitesPreferenceOrder.
328 // CBC_SHA256
330 TLS_RSA_WITH_AES_128_CBC_SHA256,
332 // RC4
334 TLS_RSA_WITH_RC4_128_SHA,
335 }
340 )
342 // defaultCipherSuitesTLS13 is also the preference order, since there are no
343 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
344 // cipherSuitesPreferenceOrder applies.
346 TLS_AES_128_GCM_SHA256,
347 TLS_AES_256_GCM_SHA384,
348 TLS_CHACHA20_POLY1305_SHA256,
349 }
352 TLS_CHACHA20_POLY1305_SHA256,
353 TLS_AES_128_GCM_SHA256,
354 TLS_AES_256_GCM_SHA384,
355 }
360 // Keep in sync with crypto/aes/cipher_s390x.go.
367 )
370 // TLS 1.2
375 // TLS 1.3
378 }
381 // TLS 1.2
384 // TLS 1.3
386 }
388 // aesgcmPreferred returns whether the first known cipher in the preference list
389 // is an AES-GCM cipher, implying the peer has hardware support for it.
394 }
397 }
398 }
400 }
404 return cipher
405 }
411 }
413 }
419 }
421 }
423 // macSHA1 returns a SHA-1 based constant time MAC.
426 }
428 // macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and
429 // is currently only used in disabled-by-default cipher suites.
432 }
435 cipher.AEAD
437 // explicitNonceLen returns the number of bytes of explicit nonce
438 // included in each record. This is eight for older AEADs and
439 // zero for modern ones.
441 }
446 )
448 // prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
449 // each call.
451 // nonce contains the fixed part of the nonce in the first four bytes.
453 aead cipher.AEAD
454 }
463 }
468 }
470 // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
471 // before each call.
474 aead cipher.AEAD
475 }
484 }
488 }
490 return result
491 }
496 }
500 }
503 }
508 }
512 }
516 }
520 return ret
521 }
526 }
530 }
534 }
538 return ret
539 }
544 }
548 }
552 return ret
553 }
556 hash.Hash
558 }
560 // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
561 // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
563 h constantTimeHash
564 }
575 }
576 }
578 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3.
587 }
588 return res
589 }
593 }
599 }
600 }
606 }
607 }
609 // mutualCipherSuite returns a cipherSuite given a list of supported
610 // ciphersuites and the id requested by the peer.
615 }
616 }
618 }
623 return cipherSuite
624 }
625 }
627 }
633 }
634 }
636 }
641 return cipherSuite
642 }
643 }
645 }
647 // A list of cipher suite IDs that are, or have been, implemented by this
648 // package.
649 //
650 // See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
652 // TLS 1.0 - 1.2 cipher suites.
676 // TLS 1.3 cipher suites.
681 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
682 // that the client is doing version fallback. See RFC 7507.
685 // Legacy names for the corresponding cipher suites with the correct _SHA256
686 // suffix, retained for backward compatibility.
687 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
688 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
689 )