Home | History | Annotate | Download | only in runner 
      1 // Copyright 2010 The Go Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style
      3 // license that can be found in the LICENSE file.
      4 
      5 package main
      6 
      7 import (
      8 	"crypto/aes"
      9 	"crypto/cipher"
     10 	"crypto/des"
     11 	"crypto/hmac"
     12 	"crypto/md5"
     13 	"crypto/rc4"
     14 	"crypto/sha1"
     15 	"crypto/sha256"
     16 	"crypto/sha512"
     17 	"crypto/x509"
     18 	"hash"
     19 )
     20 
     21 // a keyAgreement implements the client and server side of a TLS key agreement
     22 // protocol by generating and processing key exchange messages.
     23 type keyAgreement interface {
     24 	// On the server side, the first two methods are called in order.
     25 
     26 	// In the case that the key agreement protocol doesn't use a
     27 	// ServerKeyExchange message, generateServerKeyExchange can return nil,
     28 	// nil.
     29 	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
     30 	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
     31 
     32 	// On the client side, the next two methods are called in order.
     33 
     34 	// This method may not be called if the server doesn't send a
     35 	// ServerKeyExchange message.
     36 	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
     37 	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
     38 }
     39 
     40 const (
     41 	// suiteECDH indicates that the cipher suite involves elliptic curve
     42 	// Diffie-Hellman. This means that it should only be selected when the
     43 	// client indicates that it supports ECC with a curve and point format
     44 	// that we're happy with.
     45 	suiteECDHE = 1 << iota
     46 	// suiteECDSA indicates that the cipher suite involves an ECDSA
     47 	// signature and therefore may only be selected when the server's
     48 	// certificate is ECDSA. If this is not set then the cipher suite is
     49 	// RSA based.
     50 	suiteECDSA
     51 	// suiteTLS12 indicates that the cipher suite should only be advertised
     52 	// and accepted when using TLS 1.2.
     53 	suiteTLS12
     54 	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
     55 	// handshake hash.
     56 	suiteSHA384
     57 	// suiteNoDTLS indicates that the cipher suite cannot be used
     58 	// in DTLS.
     59 	suiteNoDTLS
     60 )
     61 
     62 // A cipherSuite is a specific combination of key agreement, cipher and MAC
     63 // function. All cipher suites currently assume RSA key agreement.
     64 type cipherSuite struct {
     65 	id uint16
     66 	// the lengths, in bytes, of the key material needed for each component.
     67 	keyLen int
     68 	macLen int
     69 	ivLen  int
     70 	ka     func(version uint16) keyAgreement
     71 	// flags is a bitmask of the suite* values, above.
     72 	flags  int
     73 	cipher func(key, iv []byte, isRead bool) interface{}
     74 	mac    func(version uint16, macKey []byte) macFunction
     75 	aead   func(key, fixedNonce []byte) cipher.AEAD
     76 }
     77 
     78 var cipherSuites = []*cipherSuite{
     79 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA
     80 	// and RC4 comes before AES (because of the Lucky13 attack).
     81 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
     82 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
     83 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
     84 	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
     85 	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteNoDTLS, cipherRC4, macSHA1, nil},
     86 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteNoDTLS, cipherRC4, macSHA1, nil},
     87 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
     88 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil},
     89 	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
     90 	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
     91 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
     92 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
     93 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
     94 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
     95 	{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM},
     96 	{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
     97 	{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil},
     98 	{TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil},
     99 	{TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, dheRSAKA, 0, cipherAES, macSHA1, nil},
    100 	{TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, dheRSAKA, 0, cipherAES, macSHA1, nil},
    101 	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
    102 	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
    103 	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil},
    104 	{TLS_RSA_WITH_RC4_128_MD5, 16, 16, 0, rsaKA, suiteNoDTLS, cipherRC4, macMD5, nil},
    105 	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
    106 	{TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
    107 	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    108 	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
    109 	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
    110 	{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, dheRSAKA, 0, cipher3DES, macSHA1, nil},
    111 	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
    112 }
    113 
    114 func cipherRC4(key, iv []byte, isRead bool) interface{} {
    115 	cipher, _ := rc4.NewCipher(key)
    116 	return cipher
    117 }
    118 
    119 func cipher3DES(key, iv []byte, isRead bool) interface{} {
    120 	block, _ := des.NewTripleDESCipher(key)
    121 	if isRead {
    122 		return cipher.NewCBCDecrypter(block, iv)
    123 	}
    124 	return cipher.NewCBCEncrypter(block, iv)
    125 }
    126 
    127 func cipherAES(key, iv []byte, isRead bool) interface{} {
    128 	block, _ := aes.NewCipher(key)
    129 	if isRead {
    130 		return cipher.NewCBCDecrypter(block, iv)
    131 	}
    132 	return cipher.NewCBCEncrypter(block, iv)
    133 }
    134 
    135 // macSHA1 returns a macFunction for the given protocol version.
    136 func macSHA1(version uint16, key []byte) macFunction {
    137 	if version == VersionSSL30 {
    138 		mac := ssl30MAC{
    139 			h:   sha1.New(),
    140 			key: make([]byte, len(key)),
    141 		}
    142 		copy(mac.key, key)
    143 		return mac
    144 	}
    145 	return tls10MAC{hmac.New(sha1.New, key)}
    146 }
    147 
    148 func macMD5(version uint16, key []byte) macFunction {
    149 	if version == VersionSSL30 {
    150 		mac := ssl30MAC{
    151 			h:   md5.New(),
    152 			key: make([]byte, len(key)),
    153 		}
    154 		copy(mac.key, key)
    155 		return mac
    156 	}
    157 	return tls10MAC{hmac.New(md5.New, key)}
    158 }
    159 
    160 func macSHA256(version uint16, key []byte) macFunction {
    161 	if version == VersionSSL30 {
    162 		mac := ssl30MAC{
    163 			h:   sha256.New(),
    164 			key: make([]byte, len(key)),
    165 		}
    166 		copy(mac.key, key)
    167 		return mac
    168 	}
    169 	return tls10MAC{hmac.New(sha256.New, key)}
    170 }
    171 
    172 func macSHA384(version uint16, key []byte) macFunction {
    173 	if version == VersionSSL30 {
    174 		mac := ssl30MAC{
    175 			h:   sha512.New384(),
    176 			key: make([]byte, len(key)),
    177 		}
    178 		copy(mac.key, key)
    179 		return mac
    180 	}
    181 	return tls10MAC{hmac.New(sha512.New384, key)}
    182 }
    183 
    184 type macFunction interface {
    185 	Size() int
    186 	MAC(digestBuf, seq, header, length, data []byte) []byte
    187 }
    188 
    189 // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
    190 // each call.
    191 type fixedNonceAEAD struct {
    192 	// sealNonce and openNonce are buffers where the larger nonce will be
    193 	// constructed. Since a seal and open operation may be running
    194 	// concurrently, there is a separate buffer for each.
    195 	sealNonce, openNonce []byte
    196 	aead                 cipher.AEAD
    197 }
    198 
    199 func (f *fixedNonceAEAD) NonceSize() int { return 8 }
    200 func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
    201 
    202 func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
    203 	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
    204 	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
    205 }
    206 
    207 func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
    208 	copy(f.openNonce[len(f.openNonce)-8:], nonce)
    209 	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
    210 }
    211 
    212 func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
    213 	aes, err := aes.NewCipher(key)
    214 	if err != nil {
    215 		panic(err)
    216 	}
    217 	aead, err := cipher.NewGCM(aes)
    218 	if err != nil {
    219 		panic(err)
    220 	}
    221 
    222 	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
    223 	copy(nonce1, fixedNonce)
    224 	copy(nonce2, fixedNonce)
    225 
    226 	return &fixedNonceAEAD{nonce1, nonce2, aead}
    227 }
    228 
    229 // ssl30MAC implements the SSLv3 MAC function, as defined in
    230 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
    231 type ssl30MAC struct {
    232 	h   hash.Hash
    233 	key []byte
    234 }
    235 
    236 func (s ssl30MAC) Size() int {
    237 	return s.h.Size()
    238 }
    239 
    240 var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
    241 
    242 var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
    243 
    244 func (s ssl30MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
    245 	padLength := 48
    246 	if s.h.Size() == 20 {
    247 		padLength = 40
    248 	}
    249 
    250 	s.h.Reset()
    251 	s.h.Write(s.key)
    252 	s.h.Write(ssl30Pad1[:padLength])
    253 	s.h.Write(seq)
    254 	s.h.Write(header[:1])
    255 	s.h.Write(length)
    256 	s.h.Write(data)
    257 	digestBuf = s.h.Sum(digestBuf[:0])
    258 
    259 	s.h.Reset()
    260 	s.h.Write(s.key)
    261 	s.h.Write(ssl30Pad2[:padLength])
    262 	s.h.Write(digestBuf)
    263 	return s.h.Sum(digestBuf[:0])
    264 }
    265 
    266 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
    267 type tls10MAC struct {
    268 	h hash.Hash
    269 }
    270 
    271 func (s tls10MAC) Size() int {
    272 	return s.h.Size()
    273 }
    274 
    275 func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
    276 	s.h.Reset()
    277 	s.h.Write(seq)
    278 	s.h.Write(header)
    279 	s.h.Write(length)
    280 	s.h.Write(data)
    281 	return s.h.Sum(digestBuf[:0])
    282 }
    283 
    284 func rsaKA(version uint16) keyAgreement {
    285 	return rsaKeyAgreement{}
    286 }
    287 
    288 func ecdheECDSAKA(version uint16) keyAgreement {
    289 	return &ecdheKeyAgreement{
    290 		signedKeyAgreement: signedKeyAgreement{
    291 			sigType: signatureECDSA,
    292 			version: version,
    293 		},
    294 	}
    295 }
    296 
    297 func ecdheRSAKA(version uint16) keyAgreement {
    298 	return &ecdheKeyAgreement{
    299 		signedKeyAgreement: signedKeyAgreement{
    300 			sigType: signatureRSA,
    301 			version: version,
    302 		},
    303 	}
    304 }
    305 
    306 func dheRSAKA(version uint16) keyAgreement {
    307 	return &dheKeyAgreement{
    308 		signedKeyAgreement: signedKeyAgreement{
    309 			sigType: signatureRSA,
    310 			version: version,
    311 		},
    312 	}
    313 }
    314 
    315 // mutualCipherSuite returns a cipherSuite given a list of supported
    316 // ciphersuites and the id requested by the peer.
    317 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
    318 	for _, id := range have {
    319 		if id == want {
    320 			for _, suite := range cipherSuites {
    321 				if suite.id == want {
    322 					return suite
    323 				}
    324 			}
    325 			return nil
    326 		}
    327 	}
    328 	return nil
    329 }
    330 
    331 // A list of the possible cipher suite ids. Taken from
    332 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
    333 const (
    334 	TLS_RSA_WITH_RC4_128_MD5                uint16 = 0x0004
    335 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
    336 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
    337 	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       uint16 = 0x0016
    338 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
    339 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA        uint16 = 0x0033
    340 	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
    341 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA        uint16 = 0x0039
    342 	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c
    343 	TLS_RSA_WITH_AES_256_CBC_SHA256         uint16 = 0x003d
    344 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     uint16 = 0x0067
    345 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     uint16 = 0x006b
    346 	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
    347 	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
    348 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     uint16 = 0x009e
    349 	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     uint16 = 0x009f
    350 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
    351 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
    352 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
    353 	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
    354 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
    355 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
    356 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
    357 	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
    358 	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024
    359 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027
    360 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   uint16 = 0xc028
    361 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
    362 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
    363 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
    364 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
    365 	fallbackSCSV                            uint16 = 0x5600
    366 )
    367