1 // Copyright 2010 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package runner 6 7 import ( 8 "crypto/aes" 9 "crypto/cipher" 10 "crypto/des" 11 "crypto/hmac" 12 "crypto/md5" 13 "crypto/rc4" 14 "crypto/sha1" 15 "crypto/sha256" 16 "crypto/sha512" 17 "crypto/x509" 18 "hash" 19 ) 20 21 // a keyAgreement implements the client and server side of a TLS key agreement 22 // protocol by generating and processing key exchange messages. 23 type keyAgreement interface { 24 // On the server side, the first two methods are called in order. 25 26 // In the case that the key agreement protocol doesn't use a 27 // ServerKeyExchange message, generateServerKeyExchange can return nil, 28 // nil. 29 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 30 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 31 32 // On the client side, the next two methods are called in order. 33 34 // This method may not be called if the server doesn't send a 35 // ServerKeyExchange message. 36 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 37 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 38 } 39 40 const ( 41 // suiteECDH indicates that the cipher suite involves elliptic curve 42 // Diffie-Hellman. This means that it should only be selected when the 43 // client indicates that it supports ECC with a curve and point format 44 // that we're happy with. 45 suiteECDHE = 1 << iota 46 // suiteECDSA indicates that the cipher suite involves an ECDSA 47 // signature and therefore may only be selected when the server's 48 // certificate is ECDSA. If this is not set then the cipher suite is 49 // RSA based. 50 suiteECDSA 51 // suiteTLS12 indicates that the cipher suite should only be advertised 52 // and accepted when using TLS 1.2. 53 suiteTLS12 54 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 55 // handshake hash. 56 suiteSHA384 57 // suiteNoDTLS indicates that the cipher suite cannot be used 58 // in DTLS. 59 suiteNoDTLS 60 // suitePSK indicates that the cipher suite authenticates with 61 // a pre-shared key rather than a server private key. 62 suitePSK 63 ) 64 65 type tlsAead struct { 66 cipher.AEAD 67 explicitNonce bool 68 } 69 70 // A cipherSuite is a specific combination of key agreement, cipher and MAC 71 // function. All cipher suites currently assume RSA key agreement. 72 type cipherSuite struct { 73 id uint16 74 // the lengths, in bytes, of the key material needed for each component. 75 keyLen int 76 macLen int 77 ivLen int 78 ka func(version uint16) keyAgreement 79 // flags is a bitmask of the suite* values, above. 80 flags int 81 cipher func(key, iv []byte, isRead bool) interface{} 82 mac func(version uint16, macKey []byte) macFunction 83 aead func(key, fixedNonce []byte) *tlsAead 84 } 85 86 var cipherSuites = []*cipherSuite{ 87 // Ciphersuite order is chosen so that ECDHE comes before plain RSA 88 // and RC4 comes before AES (because of the Lucky13 attack). 89 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 90 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 91 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old}, 92 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305Old}, 93 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 94 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM}, 95 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 96 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 97 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteNoDTLS, cipherRC4, macSHA1, nil}, 98 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteNoDTLS, cipherRC4, macSHA1, nil}, 99 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, 100 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil}, 101 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 102 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 103 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 104 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 105 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 106 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 107 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM}, 108 {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 109 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil}, 110 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil}, 111 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, dheRSAKA, 0, cipherAES, macSHA1, nil}, 112 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, dheRSAKA, 0, cipherAES, macSHA1, nil}, 113 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 114 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 115 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil}, 116 {TLS_RSA_WITH_RC4_128_MD5, 16, 16, 0, rsaKA, suiteNoDTLS, cipherRC4, macMD5, nil}, 117 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 118 {TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 119 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 120 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 121 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 122 {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, dheRSAKA, 0, cipher3DES, macSHA1, nil}, 123 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 124 {TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 125 {TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 126 {TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 127 {TLS_PSK_WITH_RC4_128_SHA, 16, 20, 0, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil}, 128 {TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil}, 129 {TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, 16, pskKA, suitePSK, cipherAES, macSHA1, nil}, 130 {TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil}, 131 } 132 133 type nullCipher struct{} 134 135 func cipherNull(key, iv []byte, isRead bool) interface{} { 136 return nullCipher{} 137 } 138 139 func cipherRC4(key, iv []byte, isRead bool) interface{} { 140 cipher, _ := rc4.NewCipher(key) 141 return cipher 142 } 143 144 func cipher3DES(key, iv []byte, isRead bool) interface{} { 145 block, _ := des.NewTripleDESCipher(key) 146 if isRead { 147 return cipher.NewCBCDecrypter(block, iv) 148 } 149 return cipher.NewCBCEncrypter(block, iv) 150 } 151 152 func cipherAES(key, iv []byte, isRead bool) interface{} { 153 block, _ := aes.NewCipher(key) 154 if isRead { 155 return cipher.NewCBCDecrypter(block, iv) 156 } 157 return cipher.NewCBCEncrypter(block, iv) 158 } 159 160 // macSHA1 returns a macFunction for the given protocol version. 161 func macSHA1(version uint16, key []byte) macFunction { 162 if version == VersionSSL30 { 163 mac := ssl30MAC{ 164 h: sha1.New(), 165 key: make([]byte, len(key)), 166 } 167 copy(mac.key, key) 168 return mac 169 } 170 return tls10MAC{hmac.New(sha1.New, key)} 171 } 172 173 func macMD5(version uint16, key []byte) macFunction { 174 if version == VersionSSL30 { 175 mac := ssl30MAC{ 176 h: md5.New(), 177 key: make([]byte, len(key)), 178 } 179 copy(mac.key, key) 180 return mac 181 } 182 return tls10MAC{hmac.New(md5.New, key)} 183 } 184 185 func macSHA256(version uint16, key []byte) macFunction { 186 if version == VersionSSL30 { 187 mac := ssl30MAC{ 188 h: sha256.New(), 189 key: make([]byte, len(key)), 190 } 191 copy(mac.key, key) 192 return mac 193 } 194 return tls10MAC{hmac.New(sha256.New, key)} 195 } 196 197 func macSHA384(version uint16, key []byte) macFunction { 198 if version == VersionSSL30 { 199 mac := ssl30MAC{ 200 h: sha512.New384(), 201 key: make([]byte, len(key)), 202 } 203 copy(mac.key, key) 204 return mac 205 } 206 return tls10MAC{hmac.New(sha512.New384, key)} 207 } 208 209 type macFunction interface { 210 Size() int 211 MAC(digestBuf, seq, header, length, data []byte) []byte 212 } 213 214 // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 215 // each call. 216 type fixedNonceAEAD struct { 217 // sealNonce and openNonce are buffers where the larger nonce will be 218 // constructed. Since a seal and open operation may be running 219 // concurrently, there is a separate buffer for each. 220 sealNonce, openNonce []byte 221 aead cipher.AEAD 222 } 223 224 func (f *fixedNonceAEAD) NonceSize() int { return 8 } 225 func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } 226 227 func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 228 copy(f.sealNonce[len(f.sealNonce)-8:], nonce) 229 return f.aead.Seal(out, f.sealNonce, plaintext, additionalData) 230 } 231 232 func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 233 copy(f.openNonce[len(f.openNonce)-8:], nonce) 234 return f.aead.Open(out, f.openNonce, plaintext, additionalData) 235 } 236 237 func aeadAESGCM(key, fixedNonce []byte) *tlsAead { 238 aes, err := aes.NewCipher(key) 239 if err != nil { 240 panic(err) 241 } 242 aead, err := cipher.NewGCM(aes) 243 if err != nil { 244 panic(err) 245 } 246 247 nonce1, nonce2 := make([]byte, 12), make([]byte, 12) 248 copy(nonce1, fixedNonce) 249 copy(nonce2, fixedNonce) 250 251 return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true} 252 } 253 254 func aeadCHACHA20POLY1305Old(key, fixedNonce []byte) *tlsAead { 255 aead, err := newChaCha20Poly1305Old(key) 256 if err != nil { 257 panic(err) 258 } 259 return &tlsAead{aead, false} 260 } 261 262 func xorSlice(out, in []byte) { 263 for i := range out { 264 out[i] ^= in[i] 265 } 266 } 267 268 // xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded 269 // if necessary, each call. 270 type xorNonceAEAD struct { 271 // sealNonce and openNonce are buffers where the larger nonce will be 272 // constructed. Since a seal and open operation may be running 273 // concurrently, there is a separate buffer for each. 274 sealNonce, openNonce []byte 275 aead cipher.AEAD 276 } 277 278 func (x *xorNonceAEAD) NonceSize() int { return 8 } 279 func (x *xorNonceAEAD) Overhead() int { return x.aead.Overhead() } 280 281 func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 282 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 283 ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData) 284 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 285 return ret 286 } 287 288 func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 289 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 290 ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData) 291 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 292 return ret, err 293 } 294 295 func aeadCHACHA20POLY1305(key, fixedNonce []byte) *tlsAead { 296 aead, err := newChaCha20Poly1305(key) 297 if err != nil { 298 panic(err) 299 } 300 301 nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce)) 302 copy(nonce1, fixedNonce) 303 copy(nonce2, fixedNonce) 304 305 return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} 306 } 307 308 // ssl30MAC implements the SSLv3 MAC function, as defined in 309 // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1 310 type ssl30MAC struct { 311 h hash.Hash 312 key []byte 313 } 314 315 func (s ssl30MAC) Size() int { 316 return s.h.Size() 317 } 318 319 var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36} 320 321 var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c} 322 323 func (s ssl30MAC) MAC(digestBuf, seq, header, length, data []byte) []byte { 324 padLength := 48 325 if s.h.Size() == 20 { 326 padLength = 40 327 } 328 329 s.h.Reset() 330 s.h.Write(s.key) 331 s.h.Write(ssl30Pad1[:padLength]) 332 s.h.Write(seq) 333 s.h.Write(header[:1]) 334 s.h.Write(length) 335 s.h.Write(data) 336 digestBuf = s.h.Sum(digestBuf[:0]) 337 338 s.h.Reset() 339 s.h.Write(s.key) 340 s.h.Write(ssl30Pad2[:padLength]) 341 s.h.Write(digestBuf) 342 return s.h.Sum(digestBuf[:0]) 343 } 344 345 // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3. 346 type tls10MAC struct { 347 h hash.Hash 348 } 349 350 func (s tls10MAC) Size() int { 351 return s.h.Size() 352 } 353 354 func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte { 355 s.h.Reset() 356 s.h.Write(seq) 357 s.h.Write(header) 358 s.h.Write(length) 359 s.h.Write(data) 360 return s.h.Sum(digestBuf[:0]) 361 } 362 363 func rsaKA(version uint16) keyAgreement { 364 return &rsaKeyAgreement{version: version} 365 } 366 367 func ecdheECDSAKA(version uint16) keyAgreement { 368 return &ecdheKeyAgreement{ 369 auth: &signedKeyAgreement{ 370 sigType: signatureECDSA, 371 version: version, 372 }, 373 } 374 } 375 376 func ecdheRSAKA(version uint16) keyAgreement { 377 return &ecdheKeyAgreement{ 378 auth: &signedKeyAgreement{ 379 sigType: signatureRSA, 380 version: version, 381 }, 382 } 383 } 384 385 func dheRSAKA(version uint16) keyAgreement { 386 return &dheKeyAgreement{ 387 auth: &signedKeyAgreement{ 388 sigType: signatureRSA, 389 version: version, 390 }, 391 } 392 } 393 394 func pskKA(version uint16) keyAgreement { 395 return &pskKeyAgreement{ 396 base: &nilKeyAgreement{}, 397 } 398 } 399 400 func ecdhePSKKA(version uint16) keyAgreement { 401 return &pskKeyAgreement{ 402 base: &ecdheKeyAgreement{ 403 auth: &nilKeyAgreementAuthentication{}, 404 }, 405 } 406 } 407 408 // mutualCipherSuite returns a cipherSuite given a list of supported 409 // ciphersuites and the id requested by the peer. 410 func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 411 for _, id := range have { 412 if id == want { 413 for _, suite := range cipherSuites { 414 if suite.id == want { 415 return suite 416 } 417 } 418 return nil 419 } 420 } 421 return nil 422 } 423 424 // A list of the possible cipher suite ids. Taken from 425 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml 426 const ( 427 TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 428 TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004 429 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 430 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 431 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016 432 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 433 TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033 434 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 435 TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039 436 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 437 TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d 438 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067 439 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b 440 TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a 441 TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c 442 TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d 443 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 444 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 445 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e 446 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f 447 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 448 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 449 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 450 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 451 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 452 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 453 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 454 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 455 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 456 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 457 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028 458 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 459 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 460 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 461 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 462 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035 463 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036 464 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 465 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 466 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xccac 467 renegotiationSCSV uint16 = 0x00ff 468 fallbackSCSV uint16 = 0x5600 469 ) 470 471 // Additional cipher suite IDs, not IANA-assigned. 472 const ( 473 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD uint16 = 0xcc13 474 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD uint16 = 0xcc14 475 ) 476
