• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"crypto"
9	"crypto/aes"
10	"crypto/cipher"
11	"crypto/des"
12	"crypto/hmac"
13	"crypto/md5"
14	"crypto/rc4"
15	"crypto/sha1"
16	"crypto/sha256"
17	"crypto/sha512"
18	"crypto/x509"
19	"hash"
20)
21
22// a keyAgreement implements the client and server side of a TLS key agreement
23// protocol by generating and processing key exchange messages.
24type keyAgreement interface {
25	// On the server side, the first two methods are called in order.
26
27	// In the case that the key agreement protocol doesn't use a
28	// ServerKeyExchange message, generateServerKeyExchange can return nil,
29	// nil.
30	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
31	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
32
33	// On the client side, the next two methods are called in order.
34
35	// This method may not be called if the server doesn't send a
36	// ServerKeyExchange message.
37	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
38	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
39
40	// peerSignatureAlgorithm returns the signature algorithm used by the
41	// peer, or zero if not applicable.
42	peerSignatureAlgorithm() signatureAlgorithm
43}
44
45const (
46	// suiteECDH indicates that the cipher suite involves elliptic curve
47	// Diffie-Hellman. This means that it should only be selected when the
48	// client indicates that it supports ECC with a curve and point format
49	// that we're happy with.
50	suiteECDHE = 1 << iota
51	// suiteDHE indicates that the cipher suite involves Diffie-Hellman.
52	suiteDHE
53	// suiteECDSA indicates that the cipher suite involves an ECDSA
54	// signature and therefore may only be selected when the server's
55	// certificate is ECDSA. If this is not set then the cipher suite is
56	// RSA based.
57	suiteECDSA
58	// suiteTLS12 indicates that the cipher suite should only be advertised
59	// and accepted when using TLS 1.2 or greater.
60	suiteTLS12
61	// suiteTLS13 indicates that the cipher suite can be used with TLS 1.3.
62	// Cipher suites lacking this flag may not be used with TLS 1.3.
63	suiteTLS13
64	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
65	// handshake hash.
66	suiteSHA384
67	// suiteNoDTLS indicates that the cipher suite cannot be used
68	// in DTLS.
69	suiteNoDTLS
70	// suitePSK indicates that the cipher suite authenticates with
71	// a pre-shared key rather than a server private key.
72	suitePSK
73)
74
75type tlsAead struct {
76	cipher.AEAD
77	explicitNonce bool
78}
79
80// A cipherSuite is a specific combination of key agreement, cipher and MAC
81// function. All cipher suites currently assume RSA key agreement.
82type cipherSuite struct {
83	id uint16
84	// the lengths, in bytes, of the key material needed for each component.
85	keyLen int
86	macLen int
87	ivLen  func(version uint16) int
88	ka     func(version uint16) keyAgreement
89	// flags is a bitmask of the suite* values, above.
90	flags  int
91	cipher func(key, iv []byte, isRead bool) interface{}
92	mac    func(version uint16, macKey []byte) macFunction
93	aead   func(version uint16, key, fixedNonce []byte) *tlsAead
94}
95
96func (cs cipherSuite) hash() crypto.Hash {
97	if cs.flags&suiteSHA384 != 0 {
98		return crypto.SHA384
99	}
100	return crypto.SHA256
101}
102
103var cipherSuites = []*cipherSuite{
104	// Ciphersuite order is chosen so that ECDHE comes before plain RSA
105	// and RC4 comes before AES (because of the Lucky13 attack).
106	{TLS_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, nil, suiteTLS13, nil, nil, aeadCHACHA20POLY1305},
107	{TLS_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, nil, suiteTLS13, nil, nil, aeadAESGCM},
108	{TLS_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM},
109	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
110	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
111	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
112	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
113	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
114	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
115	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, noIV, ecdheRSAKA, suiteECDHE | suiteNoDTLS, cipherRC4, macSHA1, nil},
116	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, noIV, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteNoDTLS, cipherRC4, macSHA1, nil},
117	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
118	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil},
119	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
120	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
121	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
122	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
123	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
124	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
125	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
126	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
127	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, noIV, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil},
128	{TLS_RSA_WITH_RC4_128_MD5, 16, 16, noIV, rsaKA, suiteNoDTLS, cipherRC4, macMD5, nil},
129	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
130	{TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
131	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
132	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
133	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
134	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil},
135	{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
136	{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
137	{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
138	{TLS_PSK_WITH_RC4_128_SHA, 16, 20, noIV, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil},
139	{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
140	{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
141	{TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil},
142}
143
144func noIV(vers uint16) int {
145	return 0
146}
147
148func ivLenChaCha20Poly1305(vers uint16) int {
149	return 12
150}
151
152func ivLenAESGCM(vers uint16) int {
153	if vers >= VersionTLS13 {
154		return 12
155	}
156	return 4
157}
158
159func ivLenAES(vers uint16) int {
160	return 16
161}
162
163func ivLen3DES(vers uint16) int {
164	return 8
165}
166
167type nullCipher struct{}
168
169func cipherNull(key, iv []byte, isRead bool) interface{} {
170	return nullCipher{}
171}
172
173func cipherRC4(key, iv []byte, isRead bool) interface{} {
174	cipher, _ := rc4.NewCipher(key)
175	return cipher
176}
177
178func cipher3DES(key, iv []byte, isRead bool) interface{} {
179	block, _ := des.NewTripleDESCipher(key)
180	if isRead {
181		return cipher.NewCBCDecrypter(block, iv)
182	}
183	return cipher.NewCBCEncrypter(block, iv)
184}
185
186func cipherAES(key, iv []byte, isRead bool) interface{} {
187	block, _ := aes.NewCipher(key)
188	if isRead {
189		return cipher.NewCBCDecrypter(block, iv)
190	}
191	return cipher.NewCBCEncrypter(block, iv)
192}
193
194// macSHA1 returns a macFunction for the given protocol version.
195func macSHA1(version uint16, key []byte) macFunction {
196	if version == VersionSSL30 {
197		mac := ssl30MAC{
198			h:   sha1.New(),
199			key: make([]byte, len(key)),
200		}
201		copy(mac.key, key)
202		return mac
203	}
204	return tls10MAC{hmac.New(sha1.New, key)}
205}
206
207func macMD5(version uint16, key []byte) macFunction {
208	if version == VersionSSL30 {
209		mac := ssl30MAC{
210			h:   md5.New(),
211			key: make([]byte, len(key)),
212		}
213		copy(mac.key, key)
214		return mac
215	}
216	return tls10MAC{hmac.New(md5.New, key)}
217}
218
219func macSHA256(version uint16, key []byte) macFunction {
220	if version == VersionSSL30 {
221		mac := ssl30MAC{
222			h:   sha256.New(),
223			key: make([]byte, len(key)),
224		}
225		copy(mac.key, key)
226		return mac
227	}
228	return tls10MAC{hmac.New(sha256.New, key)}
229}
230
231func macSHA384(version uint16, key []byte) macFunction {
232	if version == VersionSSL30 {
233		mac := ssl30MAC{
234			h:   sha512.New384(),
235			key: make([]byte, len(key)),
236		}
237		copy(mac.key, key)
238		return mac
239	}
240	return tls10MAC{hmac.New(sha512.New384, key)}
241}
242
243type macFunction interface {
244	Size() int
245	MAC(digestBuf, seq, header, length, data []byte) []byte
246}
247
248// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
249// each call.
250type fixedNonceAEAD struct {
251	// sealNonce and openNonce are buffers where the larger nonce will be
252	// constructed. Since a seal and open operation may be running
253	// concurrently, there is a separate buffer for each.
254	sealNonce, openNonce []byte
255	aead                 cipher.AEAD
256}
257
258func (f *fixedNonceAEAD) NonceSize() int { return 8 }
259func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
260
261func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
262	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
263	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
264}
265
266func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
267	copy(f.openNonce[len(f.openNonce)-8:], nonce)
268	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
269}
270
271func aeadAESGCM(version uint16, key, fixedNonce []byte) *tlsAead {
272	aes, err := aes.NewCipher(key)
273	if err != nil {
274		panic(err)
275	}
276	aead, err := cipher.NewGCM(aes)
277	if err != nil {
278		panic(err)
279	}
280
281	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
282	copy(nonce1, fixedNonce)
283	copy(nonce2, fixedNonce)
284
285	if version >= VersionTLS13 {
286		return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false}
287	}
288
289	return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true}
290}
291
292func xorSlice(out, in []byte) {
293	for i := range out {
294		out[i] ^= in[i]
295	}
296}
297
298// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded
299// if necessary, each call.
300type xorNonceAEAD struct {
301	// sealNonce and openNonce are buffers where the larger nonce will be
302	// constructed. Since a seal and open operation may be running
303	// concurrently, there is a separate buffer for each.
304	sealNonce, openNonce []byte
305	aead                 cipher.AEAD
306}
307
308func (x *xorNonceAEAD) NonceSize() int { return 8 }
309func (x *xorNonceAEAD) Overhead() int  { return x.aead.Overhead() }
310
311func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
312	xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
313	ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData)
314	xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
315	return ret
316}
317
318func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
319	xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
320	ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData)
321	xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
322	return ret, err
323}
324
325func aeadCHACHA20POLY1305(version uint16, key, fixedNonce []byte) *tlsAead {
326	aead, err := newChaCha20Poly1305(key)
327	if err != nil {
328		panic(err)
329	}
330
331	nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce))
332	copy(nonce1, fixedNonce)
333	copy(nonce2, fixedNonce)
334
335	return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false}
336}
337
338// ssl30MAC implements the SSLv3 MAC function, as defined in
339// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
340type ssl30MAC struct {
341	h   hash.Hash
342	key []byte
343}
344
345func (s ssl30MAC) Size() int {
346	return s.h.Size()
347}
348
349var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
350
351var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
352
353func (s ssl30MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
354	padLength := 48
355	if s.h.Size() == 20 {
356		padLength = 40
357	}
358
359	s.h.Reset()
360	s.h.Write(s.key)
361	s.h.Write(ssl30Pad1[:padLength])
362	s.h.Write(seq)
363	s.h.Write(header[:1])
364	s.h.Write(length)
365	s.h.Write(data)
366	digestBuf = s.h.Sum(digestBuf[:0])
367
368	s.h.Reset()
369	s.h.Write(s.key)
370	s.h.Write(ssl30Pad2[:padLength])
371	s.h.Write(digestBuf)
372	return s.h.Sum(digestBuf[:0])
373}
374
375// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
376type tls10MAC struct {
377	h hash.Hash
378}
379
380func (s tls10MAC) Size() int {
381	return s.h.Size()
382}
383
384func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
385	s.h.Reset()
386	s.h.Write(seq)
387	s.h.Write(header)
388	s.h.Write(length)
389	s.h.Write(data)
390	return s.h.Sum(digestBuf[:0])
391}
392
393func rsaKA(version uint16) keyAgreement {
394	return &rsaKeyAgreement{version: version}
395}
396
397func ecdheECDSAKA(version uint16) keyAgreement {
398	return &ecdheKeyAgreement{
399		auth: &signedKeyAgreement{
400			keyType: keyTypeECDSA,
401			version: version,
402		},
403	}
404}
405
406func ecdheRSAKA(version uint16) keyAgreement {
407	return &ecdheKeyAgreement{
408		auth: &signedKeyAgreement{
409			keyType: keyTypeRSA,
410			version: version,
411		},
412	}
413}
414
415func pskKA(version uint16) keyAgreement {
416	return &pskKeyAgreement{
417		base: &nilKeyAgreement{},
418	}
419}
420
421func ecdhePSKKA(version uint16) keyAgreement {
422	return &pskKeyAgreement{
423		base: &ecdheKeyAgreement{
424			auth: &nilKeyAgreementAuthentication{},
425		},
426	}
427}
428
429// mutualCipherSuite returns a cipherSuite given a list of supported
430// ciphersuites and the id requested by the peer.
431func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
432	for _, id := range have {
433		if id == want {
434			return cipherSuiteFromID(id)
435		}
436	}
437	return nil
438}
439
440func cipherSuiteFromID(id uint16) *cipherSuite {
441	for _, suite := range cipherSuites {
442		if suite.id == id {
443			return suite
444		}
445	}
446	return nil
447}
448
449// A list of the possible cipher suite ids. Taken from
450// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
451const (
452	TLS_RSA_WITH_NULL_SHA                         uint16 = 0x0002
453	TLS_RSA_WITH_RC4_128_MD5                      uint16 = 0x0004
454	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
455	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
456	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
457	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
458	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
459	TLS_RSA_WITH_AES_256_CBC_SHA256               uint16 = 0x003d
460	TLS_PSK_WITH_RC4_128_SHA                      uint16 = 0x008a
461	TLS_PSK_WITH_AES_128_CBC_SHA                  uint16 = 0x008c
462	TLS_PSK_WITH_AES_256_CBC_SHA                  uint16 = 0x008d
463	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
464	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
465	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
466	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
467	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
468	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
469	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
470	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
471	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
472	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
473	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384       uint16 = 0xc024
474	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
475	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384         uint16 = 0xc028
476	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
477	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
478	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
479	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
480	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA            uint16 = 0xc035
481	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA            uint16 = 0xc036
482	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
483	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
484	TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xccac
485	renegotiationSCSV                             uint16 = 0x00ff
486	fallbackSCSV                                  uint16 = 0x5600
487)
488
489// Additional cipher suite IDs, not IANA-assigned.
490const (
491	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
492	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
493	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
494)
495