xref: /aosp_15_r20/external/boringssl/src/ssl/test/runner/cipher_suites.go (revision 8fb009dc861624b67b6cdb62ea21f0f22d0c584b) 
1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"crypto"
9	"crypto/aes"
10	"crypto/cipher"
11	"crypto/des"
12	"crypto/hmac"
13	"crypto/md5"
14	"crypto/sha1"
15	"crypto/sha256"
16	"crypto/sha512"
17	"crypto/x509"
18	"hash"
19
20	"golang.org/x/crypto/chacha20poly1305"
21)
22
23// a keyAgreement implements the client and server side of a TLS key agreement
24// protocol by generating and processing key exchange messages.
25type keyAgreement interface {
26	// On the server side, the first two methods are called in order.
27
28	// In the case that the key agreement protocol doesn't use a
29	// ServerKeyExchange message, generateServerKeyExchange can return nil,
30	// nil.
31	generateServerKeyExchange(*Config, *Credential, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error)
32	processClientKeyExchange(*Config, *Credential, *clientKeyExchangeMsg, uint16) ([]byte, error)
33
34	// On the client side, the next two methods are called in order.
35
36	// This method may not be called if the server doesn't send a
37	// ServerKeyExchange message.
38	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, crypto.PublicKey, *serverKeyExchangeMsg) error
39	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
40
41	// peerSignatureAlgorithm returns the signature algorithm used by the
42	// peer, or zero if not applicable.
43	peerSignatureAlgorithm() signatureAlgorithm
44}
45
46const (
47	// suiteECDH indicates that the cipher suite involves elliptic curve
48	// Diffie-Hellman. This means that it should only be selected when the
49	// client indicates that it supports ECC with a curve and point format
50	// that we're happy with.
51	suiteECDHE = 1 << iota
52	// suiteECDSA indicates that the cipher suite involves an ECDSA
53	// signature and therefore may only be selected when the server's
54	// certificate is ECDSA. If this is not set then the cipher suite is
55	// RSA based.
56	suiteECDSA
57	// suiteTLS12 indicates that the cipher suite should only be advertised
58	// and accepted when using TLS 1.2 or greater.
59	suiteTLS12
60	// suiteTLS13 indicates that the cipher suite can be used with TLS 1.3.
61	// Cipher suites lacking this flag may not be used with TLS 1.3.
62	suiteTLS13
63	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
64	// handshake hash.
65	suiteSHA384
66	// suitePSK indicates that the cipher suite authenticates with
67	// a pre-shared key rather than a server private key.
68	suitePSK
69)
70
71type tlsAead struct {
72	cipher.AEAD
73	explicitNonce bool
74}
75
76// A cipherSuite is a specific combination of key agreement, cipher and MAC
77// function. All cipher suites currently assume RSA key agreement.
78type cipherSuite struct {
79	id uint16
80	// the lengths, in bytes, of the key material needed for each component.
81	keyLen int
82	macLen int
83	ivLen  func(version uint16) int
84	ka     func(version uint16) keyAgreement
85	// flags is a bitmask of the suite* values, above.
86	flags  int
87	cipher func(key, iv []byte, isRead bool) any
88	mac    func(version uint16, macKey []byte) macFunction
89	aead   func(version uint16, key, fixedNonce []byte) *tlsAead
90}
91
92func (cs cipherSuite) hash() crypto.Hash {
93	if cs.flags&suiteSHA384 != 0 {
94		return crypto.SHA384
95	}
96	return crypto.SHA256
97}
98
99var cipherSuites = []*cipherSuite{
100	{TLS_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, nil, suiteTLS13, nil, nil, aeadCHACHA20POLY1305},
101	{TLS_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, nil, suiteTLS13, nil, nil, aeadAESGCM},
102	{TLS_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM},
103	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
104	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
105	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
106	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
107	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
108	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
109	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil},
110	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil},
111	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
112	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
113	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
114	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
115	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
116	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
117	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
118	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
119	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
120	{TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil},
121	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
122	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
123	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
124	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil},
125	{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
126	{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
127	{TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
128	{TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
129	{TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil},
130}
131
132func ivLenChaCha20Poly1305(vers uint16) int {
133	return 12
134}
135
136func ivLenAESGCM(vers uint16) int {
137	if vers >= VersionTLS13 {
138		return 12
139	}
140	return 4
141}
142
143func ivLenAES(vers uint16) int {
144	return 16
145}
146
147func ivLen3DES(vers uint16) int {
148	return 8
149}
150
151type nullCipher struct{}
152
153func cipherNull(key, iv []byte, isRead bool) any {
154	return nullCipher{}
155}
156
157func cipher3DES(key, iv []byte, isRead bool) any {
158	block, _ := des.NewTripleDESCipher(key)
159	if isRead {
160		return cipher.NewCBCDecrypter(block, iv)
161	}
162	return cipher.NewCBCEncrypter(block, iv)
163}
164
165func cipherAES(key, iv []byte, isRead bool) any {
166	block, _ := aes.NewCipher(key)
167	if isRead {
168		return cipher.NewCBCDecrypter(block, iv)
169	}
170	return cipher.NewCBCEncrypter(block, iv)
171}
172
173// macSHA1 returns a macFunction for the given protocol version.
174func macSHA1(version uint16, key []byte) macFunction {
175	return tls10MAC{hmac.New(sha1.New, key)}
176}
177
178func macMD5(version uint16, key []byte) macFunction {
179	return tls10MAC{hmac.New(md5.New, key)}
180}
181
182func macSHA256(version uint16, key []byte) macFunction {
183	return tls10MAC{hmac.New(sha256.New, key)}
184}
185
186func macSHA384(version uint16, key []byte) macFunction {
187	return tls10MAC{hmac.New(sha512.New384, key)}
188}
189
190type macFunction interface {
191	Size() int
192	MAC(digestBuf, seq, header, length, data []byte) []byte
193}
194
195// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
196// each call.
197type fixedNonceAEAD struct {
198	// sealNonce and openNonce are buffers where the larger nonce will be
199	// constructed. Since a seal and open operation may be running
200	// concurrently, there is a separate buffer for each.
201	sealNonce, openNonce []byte
202	aead                 cipher.AEAD
203}
204
205func (f *fixedNonceAEAD) NonceSize() int { return 8 }
206func (f *fixedNonceAEAD) Overhead() int  { return f.aead.Overhead() }
207
208func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
209	copy(f.sealNonce[len(f.sealNonce)-8:], nonce)
210	return f.aead.Seal(out, f.sealNonce, plaintext, additionalData)
211}
212
213func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
214	copy(f.openNonce[len(f.openNonce)-8:], nonce)
215	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
216}
217
218func aeadAESGCM(version uint16, key, fixedNonce []byte) *tlsAead {
219	aes, err := aes.NewCipher(key)
220	if err != nil {
221		panic(err)
222	}
223	aead, err := cipher.NewGCM(aes)
224	if err != nil {
225		panic(err)
226	}
227
228	nonce1, nonce2 := make([]byte, 12), make([]byte, 12)
229	copy(nonce1, fixedNonce)
230	copy(nonce2, fixedNonce)
231
232	if version >= VersionTLS13 {
233		return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false}
234	}
235
236	return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true}
237}
238
239func xorSlice(out, in []byte) {
240	for i := range out {
241		out[i] ^= in[i]
242	}
243}
244
245// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded
246// if necessary, each call.
247type xorNonceAEAD struct {
248	// sealNonce and openNonce are buffers where the larger nonce will be
249	// constructed. Since a seal and open operation may be running
250	// concurrently, there is a separate buffer for each.
251	sealNonce, openNonce []byte
252	aead                 cipher.AEAD
253}
254
255func (x *xorNonceAEAD) NonceSize() int { return 8 }
256func (x *xorNonceAEAD) Overhead() int  { return x.aead.Overhead() }
257
258func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
259	xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
260	ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData)
261	xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce)
262	return ret
263}
264
265func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
266	xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
267	ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData)
268	xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce)
269	return ret, err
270}
271
272func aeadCHACHA20POLY1305(version uint16, key, fixedNonce []byte) *tlsAead {
273	aead, err := chacha20poly1305.New(key)
274	if err != nil {
275		panic(err)
276	}
277
278	nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce))
279	copy(nonce1, fixedNonce)
280	copy(nonce2, fixedNonce)
281
282	return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false}
283}
284
285// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
286type tls10MAC struct {
287	h hash.Hash
288}
289
290func (s tls10MAC) Size() int {
291	return s.h.Size()
292}
293
294func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
295	s.h.Reset()
296	s.h.Write(seq)
297	s.h.Write(header)
298	s.h.Write(length)
299	s.h.Write(data)
300	return s.h.Sum(digestBuf[:0])
301}
302
303func rsaKA(version uint16) keyAgreement {
304	return &rsaKeyAgreement{version: version}
305}
306
307func ecdheECDSAKA(version uint16) keyAgreement {
308	return &ecdheKeyAgreement{
309		auth: &signedKeyAgreement{
310			keyType: keyTypeECDSA,
311			version: version,
312		},
313	}
314}
315
316func ecdheRSAKA(version uint16) keyAgreement {
317	return &ecdheKeyAgreement{
318		auth: &signedKeyAgreement{
319			keyType: keyTypeRSA,
320			version: version,
321		},
322	}
323}
324
325func pskKA(version uint16) keyAgreement {
326	return &pskKeyAgreement{
327		base: &nilKeyAgreement{},
328	}
329}
330
331func ecdhePSKKA(version uint16) keyAgreement {
332	return &pskKeyAgreement{
333		base: &ecdheKeyAgreement{
334			auth: &nilKeyAgreementAuthentication{},
335		},
336	}
337}
338
339// mutualCipherSuite returns a cipherSuite given a list of supported
340// ciphersuites and the id requested by the peer.
341func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
342	for _, id := range have {
343		if id == want {
344			return cipherSuiteFromID(id)
345		}
346	}
347	return nil
348}
349
350func cipherSuiteFromID(id uint16) *cipherSuite {
351	for _, suite := range cipherSuites {
352		if suite.id == id {
353			return suite
354		}
355	}
356	return nil
357}
358
359// A list of the possible cipher suite ids. Taken from
360// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
361const (
362	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
363	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
364	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
365	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
366	TLS_RSA_WITH_AES_256_CBC_SHA256               uint16 = 0x003d
367	TLS_PSK_WITH_AES_128_CBC_SHA                  uint16 = 0x008c
368	TLS_PSK_WITH_AES_256_CBC_SHA                  uint16 = 0x008d
369	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
370	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
371	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
372	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
373	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
374	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
375	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
376	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
377	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384       uint16 = 0xc024
378	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
379	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384         uint16 = 0xc028
380	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
381	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
382	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
383	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
384	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA            uint16 = 0xc035
385	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA            uint16 = 0xc036
386	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
387	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
388	TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xccac
389	renegotiationSCSV                             uint16 = 0x00ff
390	fallbackSCSV                                  uint16 = 0x5600
391)
392
393// Additional cipher suite IDs, not IANA-assigned.
394const (
395	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
396	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
397	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
398)
399