Inicio Explorar Ayuda
Iniciar sesión
cloudflare
/
cfssl
espejo de https://github.com/cloudflare/cfssl
Seguir 1
Destacar 0
Fork 0
Archivos Incidencias
Rama: master
Ramas Etiquetas
cfssl
/
scan
/
crypto
/
tls
/
cipher_suites.go

cipher_suites.go 10 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290 
  1. // Copyright 2010 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. package tls
    6. 

  6. 

  7. import (
    8. 

  8. 	"crypto/aes"
    9. 

  9. 	"crypto/cipher"
    10. 

  10. 	"crypto/des"
    11. 

  11. 	"crypto/hmac"
    12. 

  12. 	"crypto/rc4"
    13. 

  13. 	"crypto/sha1"
    14. 

  14. 	"crypto/x509"
    15. 

  15. 	"hash"
    16. 

  16. )
    17. 

  17. 

  18. // a keyAgreement implements the client and server side of a TLS key agreement
    19. 

  19. // protocol by generating and processing key exchange messages.
    20. 

  20. type keyAgreement interface {
    21. 

  21. 	// On the server side, the first two methods are called in order.
    22. 

  22. 

  23. 	// In the case that the key agreement protocol doesn't use a
    24. 

  24. 	// ServerKeyExchange message, generateServerKeyExchange can return nil,
    25. 

  25. 	// nil.
    26. 

  26. 	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
    27. 

  27. 	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
    28. 

  28. 

  29. 	// On the client side, the next two methods are called in order.
    30. 

  30. 

  31. 	// This method may not be called if the server doesn't send a
    32. 

  32. 	// ServerKeyExchange message.
    33. 

  33. 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
    34. 

  34. 	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
    35. 

  35. }
    36. 

  36. 

  37. const (
    38. 

  38. 	// suiteECDH indicates that the cipher suite involves elliptic curve
    39. 

  39. 	// Diffie-Hellman. This means that it should only be selected when the
    40. 

  40. 	// client indicates that it supports ECC with a curve and point format
    41. 

  41. 	// that we're happy with.
    42. 

  42. 	suiteECDHE = 1 << iota
    43. 

  43. 	// suiteECDSA indicates that the cipher suite involves an ECDSA
    44. 

  44. 	// signature and therefore may only be selected when the server's
    45. 

  45. 	// certificate is ECDSA. If this is not set then the cipher suite is
    46. 

  46. 	// RSA based.
    47. 

  47. 	suiteECDSA
    48. 

  48. 	// suiteTLS12 indicates that the cipher suite should only be advertised
    49. 

  49. 	// and accepted when using TLS 1.2.
    50. 

  50. 	suiteTLS12
    51. 

  51. 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
    52. 

  52. 	// handshake hash.
    53. 

  53. 	suiteSHA384
    54. 

  54. 	// suiteDefaultOff indicates that this cipher suite is not included by
    55. 

  55. 	// default.
    56. 

  56. 	suiteDefaultOff
    57. 

  57. )
    58. 

  58. 

  59. // A cipherSuite is a specific combination of key agreement, cipher and MAC
    60. 

  60. // function. All cipher suites currently assume RSA key agreement.
    61. 

  61. type cipherSuite struct {
    62. 

  62. 	id uint16
    63. 

  63. 	// the lengths, in bytes, of the key material needed for each component.
    64. 

  64. 	keyLen int
    65. 

  65. 	macLen int
    66. 

  66. 	ivLen  int
    67. 

  67. 	ka     func(version uint16) keyAgreement
    68. 

  68. 	// flags is a bitmask of the suite* values, above.
    69. 

  69. 	flags  int
    70. 

  70. 	cipher func(key, iv []byte, isRead bool) interface{}
    71. 

  71. 	mac    func(version uint16, macKey []byte) macFunction
    72. 

  72. 	aead   func(key, fixedNonce []byte) cipher.AEAD
    73. 

  73. }
    74. 

  74. 

  75. var cipherSuites = []*cipherSuite{
    76. 

  76. 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA
    77. 

  77. 	// and RC4 comes before AES (because of the Lucky13 attack).
    78. 

  78. 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
    79. 

  79. 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
    80. 

  80. 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    81. 

  81. 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    82. 

  82. 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
    83. 

  83. 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
    84. 

  84. 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    85. 

  85. 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    86. 

  86. 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
    87. 

  87. 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
    88. 

  88. 	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
    89. 

  89. 	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    90. 

  90. 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
    91. 

  91. 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    92. 

  92. 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    93. 

  93. 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
    94. 

  94. 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
    95. 

  95. }
    96. 

  96. 

  97. func cipherRC4(key, iv []byte, isRead bool) interface{} {
    98. 

  98. 	cipher, _ := rc4.NewCipher(key)
    99. 

  99. 	return cipher
    100. 

  100. }
    101. 

  101. 

  102. func cipher3DES(key, iv []byte, isRead bool) interface{} {
    103. 

  103. 	block, _ := des.NewTripleDESCipher(key)
    104. 

  104. 	if isRead {
    105. 

  105. 		return cipher.NewCBCDecrypter(block, iv)
    106. 

  106. 	}
    107. 

  107. 	return cipher.NewCBCEncrypter(block, iv)
    108. 

  108. }
    109. 

  109. 

  110. func cipherAES(key, iv []byte, isRead bool) interface{} {
    111. 

  111. 	block, _ := aes.NewCipher(key)
    112. 

  112. 	if isRead {
    113. 

  113. 		return cipher.NewCBCDecrypter(block, iv)
    114. 

  114. 	}
    115. 

  115. 	return cipher.NewCBCEncrypter(block, iv)
    116. 

  116. }
    117. 

  117. 

  118. // macSHA1 returns a macFunction for the given protocol version.
    119. 

  119. func macSHA1(version uint16, key []byte) macFunction {
    120. 

  120. 	if version == VersionSSL30 {
    121. 

  121. 		mac := ssl30MAC{
    122. 

  122. 			h:   sha1.New(),
    123. 

  123. 			key: make([]byte, len(key)),
    124. 

  124. 		}
    125. 

  125. 		copy(mac.key, key)
    126. 

  126. 		return mac
    127. 

  127. 	}
    128. 

  128. 	return tls10MAC{hmac.New(sha1.New, key)}
    129. 

  129. }
    130. 

  130. 

  131. type macFunction interface {
    132. 

  132. 	Size() int
    133. 

  133. 	MAC(digestBuf, seq, header, data []byte) []byte
    134. 

  134. }
    135. 

  135. 

  136. // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
    137. 

  137. // each call.
    138. 

  138. type fixedNonceAEAD struct {
    139. 

  139. 	// sealNonce and openNonce are buffers where the larger nonce will be
    140. 

  140. 	// constructed. Since a seal and open operation may be running
    141. 

  141. 	// concurrently, there is a separate buffer for each.
    142. 

  142. 	sealNonce, openNonce []byte
    143. 

  143. 	aead                 cipher.AEAD
    144. 

  144. }
    145. 

  145. 

  146. func (f *fixedNonceAEAD) NonceSize() int { return 8 }
    147. 

  147. func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
    148. 

  148. 

  149. func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
    150. 

  150. 	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
    151. 

  151. 	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
    152. 

  152. }
    153. 

  153. 

  154. func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
    155. 

  155. 	copy(f.openNonce[len(f.openNonce)-8:], nonce)
    156. 

  156. 	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
    157. 

  157. }
    158. 

  158. 

  159. func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
    160. 

  160. 	aes, err := aes.NewCipher(key)
    161. 

  161. 	if err != nil {
    162. 

  162. 		panic(err)
    163. 

  163. 	}
    164. 

  164. 	aead, err := cipher.NewGCM(aes)
    165. 

  165. 	if err != nil {
    166. 

  166. 		panic(err)
    167. 

  167. 	}
    168. 

  168. 

  169. 	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
    170. 

  170. 	copy(nonce1, fixedNonce)
    171. 

  171. 	copy(nonce2, fixedNonce)
    172. 

  172. 

  173. 	return &fixedNonceAEAD{nonce1, nonce2, aead}
    174. 

  174. }
    175. 

  175. 

  176. // ssl30MAC implements the SSLv3 MAC function, as defined in
    177. 

  177. // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
    178. 

  178. type ssl30MAC struct {
    179. 

  179. 	h   hash.Hash
    180. 

  180. 	key []byte
    181. 

  181. }
    182. 

  182. 

  183. func (s ssl30MAC) Size() int {
    184. 

  184. 	return s.h.Size()
    185. 

  185. }
    186. 

  186. 

  187. var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
    188. 

  188. 

  189. var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
    190. 

  190. 

  191. func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
    192. 

  192. 	padLength := 48
    193. 

  193. 	if s.h.Size() == 20 {
    194. 

  194. 		padLength = 40
    195. 

  195. 	}
    196. 

  196. 

  197. 	s.h.Reset()
    198. 

  198. 	s.h.Write(s.key)
    199. 

  199. 	s.h.Write(ssl30Pad1[:padLength])
    200. 

  200. 	s.h.Write(seq)
    201. 

  201. 	s.h.Write(header[:1])
    202. 

  202. 	s.h.Write(header[3:5])
    203. 

  203. 	s.h.Write(data)
    204. 

  204. 	digestBuf = s.h.Sum(digestBuf[:0])
    205. 

  205. 

  206. 	s.h.Reset()
    207. 

  207. 	s.h.Write(s.key)
    208. 

  208. 	s.h.Write(ssl30Pad2[:padLength])
    209. 

  209. 	s.h.Write(digestBuf)
    210. 

  210. 	return s.h.Sum(digestBuf[:0])
    211. 

  211. }
    212. 

  212. 

  213. // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
    214. 

  214. type tls10MAC struct {
    215. 

  215. 	h hash.Hash
    216. 

  216. }
    217. 

  217. 

  218. func (s tls10MAC) Size() int {
    219. 

  219. 	return s.h.Size()
    220. 

  220. }
    221. 

  221. 

  222. func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
    223. 

  223. 	s.h.Reset()
    224. 

  224. 	s.h.Write(seq)
    225. 

  225. 	s.h.Write(header)
    226. 

  226. 	s.h.Write(data)
    227. 

  227. 	return s.h.Sum(digestBuf[:0])
    228. 

  228. }
    229. 

  229. 

  230. func rsaKA(version uint16) keyAgreement {
    231. 

  231. 	return rsaKeyAgreement{}
    232. 

  232. }
    233. 

  233. 

  234. func ecdheECDSAKA(version uint16) keyAgreement {
    235. 

  235. 	return &ecdheKeyAgreement{
    236. 

  236. 		sigType: signatureECDSA,
    237. 

  237. 		version: version,
    238. 

  238. 	}
    239. 

  239. }
    240. 

  240. 

  241. func ecdheRSAKA(version uint16) keyAgreement {
    242. 

  242. 	return &ecdheKeyAgreement{
    243. 

  243. 		sigType: signatureRSA,
    244. 

  244. 		version: version,
    245. 

  245. 	}
    246. 

  246. }
    247. 

  247. 

  248. // mutualCipherSuite returns a cipherSuite given a list of supported
    249. 

  249. // ciphersuites and the id requested by the peer.
    250. 

  250. func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
    251. 

  251. 	for _, id := range have {
    252. 

  252. 		if id == want {
    253. 

  253. 			for _, suite := range cipherSuites {
    254. 

  254. 				if suite.id == want {
    255. 

  255. 					return suite
    256. 

  256. 				}
    257. 

  257. 			}
    258. 

  258. 			return nil
    259. 

  259. 		}
    260. 

  260. 	}
    261. 

  261. 	return nil
    262. 

  262. }
    263. 

  263. 

  264. // A list of the possible cipher suite ids. Taken from
    265. 

  265. // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
    266. 

  266. const (
    267. 

  267. 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
    268. 

  268. 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
    269. 

  269. 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
    270. 

  270. 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
    271. 

  271. 	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
    272. 

  272. 	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
    273. 

  273. 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
    274. 

  274. 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
    275. 

  275. 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
    276. 

  276. 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
    277. 

  277. 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
    278. 

  278. 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
    279. 

  279. 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
    280. 

  280. 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
    281. 

  281. 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
    282. 

  282. 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
    283. 

  283. 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
    284. 

  284. 

  285. 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
    286. 

  286. 	// that the client is doing version fallback. See
    287. 

  287. 	// https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00.
    288. 

  288. 	TLS_FALLBACK_SCSV uint16 = 0x5600
    289. 

  289. )
    290. 

  290.