1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/md5" 14 "crypto/sha1" 15 "crypto/sha256" 16 "crypto/sha512" 17 "crypto/x509" 18 "hash" 19 20 "golang.org/x/crypto/chacha20poly1305" 21) 22 23// a keyAgreement implements the client and server side of a TLS key agreement 24// protocol by generating and processing key exchange messages. 25type keyAgreement interface { 26 // On the server side, the first two methods are called in order. 27 28 // In the case that the key agreement protocol doesn't use a 29 // ServerKeyExchange message, generateServerKeyExchange can return nil, 30 // nil. 31 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error) 32 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 33 34 // On the client side, the next two methods are called in order. 35 36 // This method may not be called if the server doesn't send a 37 // ServerKeyExchange message. 38 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, crypto.PublicKey, *serverKeyExchangeMsg) error 39 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 40 41 // peerSignatureAlgorithm returns the signature algorithm used by the 42 // peer, or zero if not applicable. 43 peerSignatureAlgorithm() signatureAlgorithm 44} 45 46const ( 47 // suiteECDH indicates that the cipher suite involves elliptic curve 48 // Diffie-Hellman. This means that it should only be selected when the 49 // client indicates that it supports ECC with a curve and point format 50 // that we're happy with. 51 suiteECDHE = 1 << iota 52 // suiteECDSA indicates that the cipher suite involves an ECDSA 53 // signature and therefore may only be selected when the server's 54 // certificate is ECDSA. If this is not set then the cipher suite is 55 // RSA based. 56 suiteECDSA 57 // suiteTLS12 indicates that the cipher suite should only be advertised 58 // and accepted when using TLS 1.2 or greater. 59 suiteTLS12 60 // suiteTLS13 indicates that the cipher suite can be used with TLS 1.3. 61 // Cipher suites lacking this flag may not be used with TLS 1.3. 62 suiteTLS13 63 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 64 // handshake hash. 65 suiteSHA384 66 // suitePSK indicates that the cipher suite authenticates with 67 // a pre-shared key rather than a server private key. 68 suitePSK 69) 70 71type tlsAead struct { 72 cipher.AEAD 73 explicitNonce bool 74} 75 76// A cipherSuite is a specific combination of key agreement, cipher and MAC 77// function. All cipher suites currently assume RSA key agreement. 78type cipherSuite struct { 79 id uint16 80 // the lengths, in bytes, of the key material needed for each component. 81 keyLen int 82 macLen int 83 ivLen func(version uint16) int 84 ka func(version uint16) keyAgreement 85 // flags is a bitmask of the suite* values, above. 86 flags int 87 cipher func(key, iv []byte, isRead bool) interface{} 88 mac func(version uint16, macKey []byte) macFunction 89 aead func(version uint16, key, fixedNonce []byte) *tlsAead 90} 91 92func (cs cipherSuite) hash() crypto.Hash { 93 if cs.flags&suiteSHA384 != 0 { 94 return crypto.SHA384 95 } 96 return crypto.SHA256 97} 98 99var cipherSuites = []*cipherSuite{ 100 {TLS_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, nil, suiteTLS13, nil, nil, aeadCHACHA20POLY1305}, 101 {TLS_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, nil, suiteTLS13, nil, nil, aeadAESGCM}, 102 {TLS_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM}, 103 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 104 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 105 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 106 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM}, 107 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 108 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 109 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, 110 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil}, 111 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 112 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 113 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 114 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 115 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 116 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 117 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 118 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 119 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 120 {TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 121 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, 122 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, 123 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 124 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil}, 125 {TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 126 {TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 127 {TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 128 {TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, 129 {TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, 130 {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil}, 131} 132 133func noIV(vers uint16) int { 134 return 0 135} 136 137func ivLenChaCha20Poly1305(vers uint16) int { 138 return 12 139} 140 141func ivLenAESGCM(vers uint16) int { 142 if vers >= VersionTLS13 { 143 return 12 144 } 145 return 4 146} 147 148func ivLenAES(vers uint16) int { 149 return 16 150} 151 152func ivLen3DES(vers uint16) int { 153 return 8 154} 155 156type nullCipher struct{} 157 158func cipherNull(key, iv []byte, isRead bool) interface{} { 159 return nullCipher{} 160} 161 162func cipher3DES(key, iv []byte, isRead bool) interface{} { 163 block, _ := des.NewTripleDESCipher(key) 164 if isRead { 165 return cipher.NewCBCDecrypter(block, iv) 166 } 167 return cipher.NewCBCEncrypter(block, iv) 168} 169 170func cipherAES(key, iv []byte, isRead bool) interface{} { 171 block, _ := aes.NewCipher(key) 172 if isRead { 173 return cipher.NewCBCDecrypter(block, iv) 174 } 175 return cipher.NewCBCEncrypter(block, iv) 176} 177 178// macSHA1 returns a macFunction for the given protocol version. 179func macSHA1(version uint16, key []byte) macFunction { 180 return tls10MAC{hmac.New(sha1.New, key)} 181} 182 183func macMD5(version uint16, key []byte) macFunction { 184 return tls10MAC{hmac.New(md5.New, key)} 185} 186 187func macSHA256(version uint16, key []byte) macFunction { 188 return tls10MAC{hmac.New(sha256.New, key)} 189} 190 191func macSHA384(version uint16, key []byte) macFunction { 192 return tls10MAC{hmac.New(sha512.New384, key)} 193} 194 195type macFunction interface { 196 Size() int 197 MAC(digestBuf, seq, header, length, data []byte) []byte 198} 199 200// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 201// each call. 202type fixedNonceAEAD struct { 203 // sealNonce and openNonce are buffers where the larger nonce will be 204 // constructed. Since a seal and open operation may be running 205 // concurrently, there is a separate buffer for each. 206 sealNonce, openNonce []byte 207 aead cipher.AEAD 208} 209 210func (f *fixedNonceAEAD) NonceSize() int { return 8 } 211func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } 212 213func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 214 copy(f.sealNonce[len(f.sealNonce)-8:], nonce) 215 return f.aead.Seal(out, f.sealNonce, plaintext, additionalData) 216} 217 218func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 219 copy(f.openNonce[len(f.openNonce)-8:], nonce) 220 return f.aead.Open(out, f.openNonce, plaintext, additionalData) 221} 222 223func aeadAESGCM(version uint16, key, fixedNonce []byte) *tlsAead { 224 aes, err := aes.NewCipher(key) 225 if err != nil { 226 panic(err) 227 } 228 aead, err := cipher.NewGCM(aes) 229 if err != nil { 230 panic(err) 231 } 232 233 nonce1, nonce2 := make([]byte, 12), make([]byte, 12) 234 copy(nonce1, fixedNonce) 235 copy(nonce2, fixedNonce) 236 237 if version >= VersionTLS13 { 238 return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} 239 } 240 241 return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true} 242} 243 244func xorSlice(out, in []byte) { 245 for i := range out { 246 out[i] ^= in[i] 247 } 248} 249 250// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded 251// if necessary, each call. 252type xorNonceAEAD struct { 253 // sealNonce and openNonce are buffers where the larger nonce will be 254 // constructed. Since a seal and open operation may be running 255 // concurrently, there is a separate buffer for each. 256 sealNonce, openNonce []byte 257 aead cipher.AEAD 258} 259 260func (x *xorNonceAEAD) NonceSize() int { return 8 } 261func (x *xorNonceAEAD) Overhead() int { return x.aead.Overhead() } 262 263func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 264 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 265 ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData) 266 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 267 return ret 268} 269 270func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 271 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 272 ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData) 273 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 274 return ret, err 275} 276 277func aeadCHACHA20POLY1305(version uint16, key, fixedNonce []byte) *tlsAead { 278 aead, err := chacha20poly1305.New(key) 279 if err != nil { 280 panic(err) 281 } 282 283 nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce)) 284 copy(nonce1, fixedNonce) 285 copy(nonce2, fixedNonce) 286 287 return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} 288} 289 290// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3. 291type tls10MAC struct { 292 h hash.Hash 293} 294 295func (s tls10MAC) Size() int { 296 return s.h.Size() 297} 298 299func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte { 300 s.h.Reset() 301 s.h.Write(seq) 302 s.h.Write(header) 303 s.h.Write(length) 304 s.h.Write(data) 305 return s.h.Sum(digestBuf[:0]) 306} 307 308func rsaKA(version uint16) keyAgreement { 309 return &rsaKeyAgreement{version: version} 310} 311 312func ecdheECDSAKA(version uint16) keyAgreement { 313 return &ecdheKeyAgreement{ 314 auth: &signedKeyAgreement{ 315 keyType: keyTypeECDSA, 316 version: version, 317 }, 318 } 319} 320 321func ecdheRSAKA(version uint16) keyAgreement { 322 return &ecdheKeyAgreement{ 323 auth: &signedKeyAgreement{ 324 keyType: keyTypeRSA, 325 version: version, 326 }, 327 } 328} 329 330func pskKA(version uint16) keyAgreement { 331 return &pskKeyAgreement{ 332 base: &nilKeyAgreement{}, 333 } 334} 335 336func ecdhePSKKA(version uint16) keyAgreement { 337 return &pskKeyAgreement{ 338 base: &ecdheKeyAgreement{ 339 auth: &nilKeyAgreementAuthentication{}, 340 }, 341 } 342} 343 344// mutualCipherSuite returns a cipherSuite given a list of supported 345// ciphersuites and the id requested by the peer. 346func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 347 for _, id := range have { 348 if id == want { 349 return cipherSuiteFromID(id) 350 } 351 } 352 return nil 353} 354 355func cipherSuiteFromID(id uint16) *cipherSuite { 356 for _, suite := range cipherSuites { 357 if suite.id == id { 358 return suite 359 } 360 } 361 return nil 362} 363 364// A list of the possible cipher suite ids. Taken from 365// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml 366const ( 367 TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 368 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 369 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 370 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 371 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 372 TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d 373 TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c 374 TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d 375 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 376 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 377 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 378 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 379 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 380 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 381 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 382 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 383 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 385 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028 386 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 387 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 388 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 389 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 390 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035 391 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036 392 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 393 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 394 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xccac 395 renegotiationSCSV uint16 = 0x00ff 396 fallbackSCSV uint16 = 0x5600 397) 398 399// Additional cipher suite IDs, not IANA-assigned. 400const ( 401 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 402 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 403 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 404) 405