1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/md5" 14 "crypto/rc4" 15 "crypto/sha1" 16 "crypto/sha256" 17 "crypto/sha512" 18 "crypto/x509" 19 "hash" 20) 21 22// a keyAgreement implements the client and server side of a TLS key agreement 23// protocol by generating and processing key exchange messages. 24type keyAgreement interface { 25 // On the server side, the first two methods are called in order. 26 27 // In the case that the key agreement protocol doesn't use a 28 // ServerKeyExchange message, generateServerKeyExchange can return nil, 29 // nil. 30 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 31 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 32 33 // On the client side, the next two methods are called in order. 34 35 // This method may not be called if the server doesn't send a 36 // ServerKeyExchange message. 37 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 38 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 39 40 // peerSignatureAlgorithm returns the signature algorithm used by the 41 // peer, or zero if not applicable. 42 peerSignatureAlgorithm() signatureAlgorithm 43} 44 45const ( 46 // suiteECDH indicates that the cipher suite involves elliptic curve 47 // Diffie-Hellman. This means that it should only be selected when the 48 // client indicates that it supports ECC with a curve and point format 49 // that we're happy with. 50 suiteECDHE = 1 << iota 51 // suiteDHE indicates that the cipher suite involves Diffie-Hellman. 52 suiteDHE 53 // suiteECDSA indicates that the cipher suite involves an ECDSA 54 // signature and therefore may only be selected when the server's 55 // certificate is ECDSA. If this is not set then the cipher suite is 56 // RSA based. 57 suiteECDSA 58 // suiteTLS12 indicates that the cipher suite should only be advertised 59 // and accepted when using TLS 1.2 or greater. 60 suiteTLS12 61 // suiteTLS13 indicates that the cipher suite can be used with TLS 1.3. 62 // Cipher suites lacking this flag may not be used with TLS 1.3. 63 suiteTLS13 64 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 65 // handshake hash. 66 suiteSHA384 67 // suiteNoDTLS indicates that the cipher suite cannot be used 68 // in DTLS. 69 suiteNoDTLS 70 // suitePSK indicates that the cipher suite authenticates with 71 // a pre-shared key rather than a server private key. 72 suitePSK 73) 74 75type tlsAead struct { 76 cipher.AEAD 77 explicitNonce bool 78} 79 80// A cipherSuite is a specific combination of key agreement, cipher and MAC 81// function. All cipher suites currently assume RSA key agreement. 82type cipherSuite struct { 83 id uint16 84 // the lengths, in bytes, of the key material needed for each component. 85 keyLen int 86 macLen int 87 ivLen func(version uint16) int 88 ka func(version uint16) keyAgreement 89 // flags is a bitmask of the suite* values, above. 90 flags int 91 cipher func(key, iv []byte, isRead bool) interface{} 92 mac func(version uint16, macKey []byte) macFunction 93 aead func(version uint16, key, fixedNonce []byte) *tlsAead 94} 95 96func (cs cipherSuite) hash() crypto.Hash { 97 if cs.flags&suiteSHA384 != 0 { 98 return crypto.SHA384 99 } 100 return crypto.SHA256 101} 102 103var cipherSuites = []*cipherSuite{ 104 // Ciphersuite order is chosen so that ECDHE comes before plain RSA 105 // and RC4 comes before AES (because of the Lucky13 attack). 106 {TLS_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, nil, suiteTLS13, nil, nil, aeadCHACHA20POLY1305}, 107 {TLS_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, nil, suiteTLS13, nil, nil, aeadAESGCM}, 108 {TLS_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, nil, suiteTLS13 | suiteSHA384, nil, nil, aeadAESGCM}, 109 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 110 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 111 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 112 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM}, 113 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 114 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 115 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, noIV, ecdheRSAKA, suiteECDHE | suiteNoDTLS, cipherRC4, macSHA1, nil}, 116 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, noIV, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteNoDTLS, cipherRC4, macSHA1, nil}, 117 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, 118 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, cipherAES, macSHA256, nil}, 119 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 120 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 121 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 122 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, 123 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 124 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, 125 {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteDHE, nil, nil, aeadAESGCM}, 126 {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384 | suiteDHE, nil, nil, aeadAESGCM}, 127 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil}, 128 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil}, 129 {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil}, 130 {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil}, 131 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 132 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 133 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, noIV, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil}, 134 {TLS_RSA_WITH_RC4_128_MD5, 16, 16, noIV, rsaKA, suiteNoDTLS, cipherRC4, macMD5, nil}, 135 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 136 {TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, 137 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, 138 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, 139 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 140 {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, dheRSAKA, suiteDHE, cipher3DES, macSHA1, nil}, 141 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil}, 142 {TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, 143 {TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 144 {TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, 145 {TLS_PSK_WITH_RC4_128_SHA, 16, 20, noIV, pskKA, suiteNoDTLS | suitePSK, cipherRC4, macSHA1, nil}, 146 {TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, 147 {TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, 148 {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, suiteNoDTLS, cipherNull, macSHA1, nil}, 149} 150 151func noIV(vers uint16) int { 152 return 0 153} 154 155func ivLenChaCha20Poly1305(vers uint16) int { 156 return 12 157} 158 159func ivLenAESGCM(vers uint16) int { 160 if vers >= VersionTLS13 { 161 return 12 162 } 163 return 4 164} 165 166func ivLenAES(vers uint16) int { 167 return 16 168} 169 170func ivLen3DES(vers uint16) int { 171 return 8 172} 173 174type nullCipher struct{} 175 176func cipherNull(key, iv []byte, isRead bool) interface{} { 177 return nullCipher{} 178} 179 180func cipherRC4(key, iv []byte, isRead bool) interface{} { 181 cipher, _ := rc4.NewCipher(key) 182 return cipher 183} 184 185func cipher3DES(key, iv []byte, isRead bool) interface{} { 186 block, _ := des.NewTripleDESCipher(key) 187 if isRead { 188 return cipher.NewCBCDecrypter(block, iv) 189 } 190 return cipher.NewCBCEncrypter(block, iv) 191} 192 193func cipherAES(key, iv []byte, isRead bool) interface{} { 194 block, _ := aes.NewCipher(key) 195 if isRead { 196 return cipher.NewCBCDecrypter(block, iv) 197 } 198 return cipher.NewCBCEncrypter(block, iv) 199} 200 201// macSHA1 returns a macFunction for the given protocol version. 202func macSHA1(version uint16, key []byte) macFunction { 203 if version == VersionSSL30 { 204 mac := ssl30MAC{ 205 h: sha1.New(), 206 key: make([]byte, len(key)), 207 } 208 copy(mac.key, key) 209 return mac 210 } 211 return tls10MAC{hmac.New(sha1.New, key)} 212} 213 214func macMD5(version uint16, key []byte) macFunction { 215 if version == VersionSSL30 { 216 mac := ssl30MAC{ 217 h: md5.New(), 218 key: make([]byte, len(key)), 219 } 220 copy(mac.key, key) 221 return mac 222 } 223 return tls10MAC{hmac.New(md5.New, key)} 224} 225 226func macSHA256(version uint16, key []byte) macFunction { 227 if version == VersionSSL30 { 228 mac := ssl30MAC{ 229 h: sha256.New(), 230 key: make([]byte, len(key)), 231 } 232 copy(mac.key, key) 233 return mac 234 } 235 return tls10MAC{hmac.New(sha256.New, key)} 236} 237 238func macSHA384(version uint16, key []byte) macFunction { 239 if version == VersionSSL30 { 240 mac := ssl30MAC{ 241 h: sha512.New384(), 242 key: make([]byte, len(key)), 243 } 244 copy(mac.key, key) 245 return mac 246 } 247 return tls10MAC{hmac.New(sha512.New384, key)} 248} 249 250type macFunction interface { 251 Size() int 252 MAC(digestBuf, seq, header, length, data []byte) []byte 253} 254 255// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 256// each call. 257type fixedNonceAEAD struct { 258 // sealNonce and openNonce are buffers where the larger nonce will be 259 // constructed. Since a seal and open operation may be running 260 // concurrently, there is a separate buffer for each. 261 sealNonce, openNonce []byte 262 aead cipher.AEAD 263} 264 265func (f *fixedNonceAEAD) NonceSize() int { return 8 } 266func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } 267 268func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 269 copy(f.sealNonce[len(f.sealNonce)-8:], nonce) 270 return f.aead.Seal(out, f.sealNonce, plaintext, additionalData) 271} 272 273func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 274 copy(f.openNonce[len(f.openNonce)-8:], nonce) 275 return f.aead.Open(out, f.openNonce, plaintext, additionalData) 276} 277 278func aeadAESGCM(version uint16, key, fixedNonce []byte) *tlsAead { 279 aes, err := aes.NewCipher(key) 280 if err != nil { 281 panic(err) 282 } 283 aead, err := cipher.NewGCM(aes) 284 if err != nil { 285 panic(err) 286 } 287 288 nonce1, nonce2 := make([]byte, 12), make([]byte, 12) 289 copy(nonce1, fixedNonce) 290 copy(nonce2, fixedNonce) 291 292 if version >= VersionTLS13 { 293 return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} 294 } 295 296 return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true} 297} 298 299func xorSlice(out, in []byte) { 300 for i := range out { 301 out[i] ^= in[i] 302 } 303} 304 305// xorNonceAEAD wraps an AEAD and XORs a fixed portion of the nonce, left-padded 306// if necessary, each call. 307type xorNonceAEAD struct { 308 // sealNonce and openNonce are buffers where the larger nonce will be 309 // constructed. Since a seal and open operation may be running 310 // concurrently, there is a separate buffer for each. 311 sealNonce, openNonce []byte 312 aead cipher.AEAD 313} 314 315func (x *xorNonceAEAD) NonceSize() int { return 8 } 316func (x *xorNonceAEAD) Overhead() int { return x.aead.Overhead() } 317 318func (x *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 319 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 320 ret := x.aead.Seal(out, x.sealNonce, plaintext, additionalData) 321 xorSlice(x.sealNonce[len(x.sealNonce)-len(nonce):], nonce) 322 return ret 323} 324 325func (x *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { 326 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 327 ret, err := x.aead.Open(out, x.openNonce, plaintext, additionalData) 328 xorSlice(x.openNonce[len(x.openNonce)-len(nonce):], nonce) 329 return ret, err 330} 331 332func aeadCHACHA20POLY1305(version uint16, key, fixedNonce []byte) *tlsAead { 333 aead, err := newChaCha20Poly1305(key) 334 if err != nil { 335 panic(err) 336 } 337 338 nonce1, nonce2 := make([]byte, len(fixedNonce)), make([]byte, len(fixedNonce)) 339 copy(nonce1, fixedNonce) 340 copy(nonce2, fixedNonce) 341 342 return &tlsAead{&xorNonceAEAD{nonce1, nonce2, aead}, false} 343} 344 345// ssl30MAC implements the SSLv3 MAC function, as defined in 346// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1 347type ssl30MAC struct { 348 h hash.Hash 349 key []byte 350} 351 352func (s ssl30MAC) Size() int { 353 return s.h.Size() 354} 355 356var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36} 357 358var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c} 359 360func (s ssl30MAC) MAC(digestBuf, seq, header, length, data []byte) []byte { 361 padLength := 48 362 if s.h.Size() == 20 { 363 padLength = 40 364 } 365 366 s.h.Reset() 367 s.h.Write(s.key) 368 s.h.Write(ssl30Pad1[:padLength]) 369 s.h.Write(seq) 370 s.h.Write(header[:1]) 371 s.h.Write(length) 372 s.h.Write(data) 373 digestBuf = s.h.Sum(digestBuf[:0]) 374 375 s.h.Reset() 376 s.h.Write(s.key) 377 s.h.Write(ssl30Pad2[:padLength]) 378 s.h.Write(digestBuf) 379 return s.h.Sum(digestBuf[:0]) 380} 381 382// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3. 383type tls10MAC struct { 384 h hash.Hash 385} 386 387func (s tls10MAC) Size() int { 388 return s.h.Size() 389} 390 391func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte { 392 s.h.Reset() 393 s.h.Write(seq) 394 s.h.Write(header) 395 s.h.Write(length) 396 s.h.Write(data) 397 return s.h.Sum(digestBuf[:0]) 398} 399 400func rsaKA(version uint16) keyAgreement { 401 return &rsaKeyAgreement{version: version} 402} 403 404func ecdheECDSAKA(version uint16) keyAgreement { 405 return &ecdheKeyAgreement{ 406 auth: &signedKeyAgreement{ 407 keyType: keyTypeECDSA, 408 version: version, 409 }, 410 } 411} 412 413func ecdheRSAKA(version uint16) keyAgreement { 414 return &ecdheKeyAgreement{ 415 auth: &signedKeyAgreement{ 416 keyType: keyTypeRSA, 417 version: version, 418 }, 419 } 420} 421 422func dheRSAKA(version uint16) keyAgreement { 423 return &dheKeyAgreement{ 424 auth: &signedKeyAgreement{ 425 keyType: keyTypeRSA, 426 version: version, 427 }, 428 } 429} 430 431func pskKA(version uint16) keyAgreement { 432 return &pskKeyAgreement{ 433 base: &nilKeyAgreement{}, 434 } 435} 436 437func ecdhePSKKA(version uint16) keyAgreement { 438 return &pskKeyAgreement{ 439 base: &ecdheKeyAgreement{ 440 auth: &nilKeyAgreementAuthentication{}, 441 }, 442 } 443} 444 445// mutualCipherSuite returns a cipherSuite given a list of supported 446// ciphersuites and the id requested by the peer. 447func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 448 for _, id := range have { 449 if id == want { 450 return cipherSuiteFromID(id) 451 } 452 } 453 return nil 454} 455 456func cipherSuiteFromID(id uint16) *cipherSuite { 457 for _, suite := range cipherSuites { 458 if suite.id == id { 459 return suite 460 } 461 } 462 return nil 463} 464 465// A list of the possible cipher suite ids. Taken from 466// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml 467const ( 468 TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 469 TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004 470 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 471 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 472 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016 473 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 474 TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033 475 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 476 TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039 477 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 478 TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d 479 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067 480 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b 481 TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a 482 TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c 483 TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d 484 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 485 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 486 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e 487 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f 488 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 489 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 490 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 491 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 492 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 493 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 494 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 495 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 496 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc024 497 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 498 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 uint16 = 0xc028 499 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 500 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 501 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 502 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 503 TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA uint16 = 0xc035 504 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA uint16 = 0xc036 505 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 506 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 507 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xccac 508 renegotiationSCSV uint16 = 0x00ff 509 fallbackSCSV uint16 = 0x5600 510) 511 512// Additional cipher suite IDs, not IANA-assigned. 513const ( 514 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 515 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 516 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 517) 518