1// Copyright 2010 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "crypto" 9 "crypto/aes" 10 "crypto/cipher" 11 "crypto/des" 12 "crypto/hmac" 13 "crypto/rc4" 14 "crypto/sha1" 15 "crypto/sha256" 16 "crypto/x509" 17 "fmt" 18 "hash" 19 20 "golang.org/x/crypto/chacha20poly1305" 21) 22 23// CipherSuite is a TLS cipher suite. Note that most functions in this package 24// accept and expose cipher suite IDs instead of this type. 25type CipherSuite struct { 26 ID uint16 27 Name string 28 29 // Supported versions is the list of TLS protocol versions that can 30 // negotiate this cipher suite. 31 SupportedVersions []uint16 32 33 // Insecure is true if the cipher suite has known security issues 34 // due to its primitives, design, or implementation. 35 Insecure bool 36} 37 38var ( 39 supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} 40 supportedOnlyTLS12 = []uint16{VersionTLS12} 41 supportedOnlyTLS13 = []uint16{VersionTLS13} 42) 43 44// CipherSuites returns a list of cipher suites currently implemented by this 45// package, excluding those with security issues, which are returned by 46// InsecureCipherSuites. 47// 48// The list is sorted by ID. Note that the default cipher suites selected by 49// this package might depend on logic that can't be captured by a static list. 50func CipherSuites() []*CipherSuite { 51 return []*CipherSuite{ 52 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 53 {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 54 {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 55 {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 56 {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 57 58 {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, 59 {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, 60 {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, 61 62 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 63 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 64 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false}, 65 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, 66 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, 67 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 68 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 69 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, 70 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, 71 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 72 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, 73 } 74} 75 76// InsecureCipherSuites returns a list of cipher suites currently implemented by 77// this package and which have security issues. 78// 79// Most applications should not use the cipher suites in this list, and should 80// only use those returned by CipherSuites. 81func InsecureCipherSuites() []*CipherSuite { 82 // RC4 suites are broken because RC4 is. 83 // CBC-SHA256 suites have no Lucky13 countermeasures. 84 return []*CipherSuite{ 85 {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 86 {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 87 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 88 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, 89 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 90 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, 91 } 92} 93 94// CipherSuiteName returns the standard name for the passed cipher suite ID 95// (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation 96// of the ID value if the cipher suite is not implemented by this package. 97func CipherSuiteName(id uint16) string { 98 for _, c := range CipherSuites() { 99 if c.ID == id { 100 return c.Name 101 } 102 } 103 for _, c := range InsecureCipherSuites() { 104 if c.ID == id { 105 return c.Name 106 } 107 } 108 return fmt.Sprintf("0x%04X", id) 109} 110 111// a keyAgreement implements the client and server side of a TLS key agreement 112// protocol by generating and processing key exchange messages. 113type keyAgreement interface { 114 // On the server side, the first two methods are called in order. 115 116 // In the case that the key agreement protocol doesn't use a 117 // ServerKeyExchange message, generateServerKeyExchange can return nil, 118 // nil. 119 generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) 120 processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) 121 122 // On the client side, the next two methods are called in order. 123 124 // This method may not be called if the server doesn't send a 125 // ServerKeyExchange message. 126 processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error 127 generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) 128} 129 130const ( 131 // suiteECDHE indicates that the cipher suite involves elliptic curve 132 // Diffie-Hellman. This means that it should only be selected when the 133 // client indicates that it supports ECC with a curve and point format 134 // that we're happy with. 135 suiteECDHE = 1 << iota 136 // suiteECSign indicates that the cipher suite involves an ECDSA or 137 // EdDSA signature and therefore may only be selected when the server's 138 // certificate is ECDSA or EdDSA. If this is not set then the cipher suite 139 // is RSA based. 140 suiteECSign 141 // suiteTLS12 indicates that the cipher suite should only be advertised 142 // and accepted when using TLS 1.2. 143 suiteTLS12 144 // suiteSHA384 indicates that the cipher suite uses SHA384 as the 145 // handshake hash. 146 suiteSHA384 147 // suiteDefaultOff indicates that this cipher suite is not included by 148 // default. 149 suiteDefaultOff 150) 151 152// A cipherSuite is a specific combination of key agreement, cipher and MAC function. 153type cipherSuite struct { 154 id uint16 155 // the lengths, in bytes, of the key material needed for each component. 156 keyLen int 157 macLen int 158 ivLen int 159 ka func(version uint16) keyAgreement 160 // flags is a bitmask of the suite* values, above. 161 flags int 162 cipher func(key, iv []byte, isRead bool) interface{} 163 mac func(key []byte) hash.Hash 164 aead func(key, fixedNonce []byte) aead 165} 166 167var cipherSuites = []*cipherSuite{ 168 // Ciphersuite order is chosen so that ECDHE comes before plain RSA and 169 // AEADs are the top preference. 170 {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 171 {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, 172 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, 173 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, 174 {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 175 {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 176 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 177 {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 178 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 179 {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 180 {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, 181 {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, 182 {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, 183 {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, 184 {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil}, 185 {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 186 {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, 187 {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, 188 {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, 189 190 // RC4-based cipher suites are disabled by default. 191 {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil}, 192 {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil}, 193 {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteDefaultOff, cipherRC4, macSHA1, nil}, 194} 195 196// selectCipherSuite returns the first cipher suite from ids which is also in 197// supportedIDs and passes the ok filter. 198func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { 199 for _, id := range ids { 200 candidate := cipherSuiteByID(id) 201 if candidate == nil || !ok(candidate) { 202 continue 203 } 204 205 for _, suppID := range supportedIDs { 206 if id == suppID { 207 return candidate 208 } 209 } 210 } 211 return nil 212} 213 214// A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash 215// algorithm to be used with HKDF. See RFC 8446, Appendix B.4. 216type cipherSuiteTLS13 struct { 217 id uint16 218 keyLen int 219 aead func(key, fixedNonce []byte) aead 220 hash crypto.Hash 221} 222 223var cipherSuitesTLS13 = []*cipherSuiteTLS13{ 224 {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, 225 {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, 226 {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, 227} 228 229func cipherRC4(key, iv []byte, isRead bool) interface{} { 230 cipher, _ := rc4.NewCipher(key) 231 return cipher 232} 233 234func cipher3DES(key, iv []byte, isRead bool) interface{} { 235 block, _ := des.NewTripleDESCipher(key) 236 if isRead { 237 return cipher.NewCBCDecrypter(block, iv) 238 } 239 return cipher.NewCBCEncrypter(block, iv) 240} 241 242func cipherAES(key, iv []byte, isRead bool) interface{} { 243 block, _ := aes.NewCipher(key) 244 if isRead { 245 return cipher.NewCBCDecrypter(block, iv) 246 } 247 return cipher.NewCBCEncrypter(block, iv) 248} 249 250// macSHA1 returns a SHA-1 based constant time MAC. 251func macSHA1(key []byte) hash.Hash { 252 return hmac.New(newConstantTimeHash(sha1.New), key) 253} 254 255// macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and 256// is currently only used in disabled-by-default cipher suites. 257func macSHA256(key []byte) hash.Hash { 258 return hmac.New(sha256.New, key) 259} 260 261type aead interface { 262 cipher.AEAD 263 264 // explicitNonceLen returns the number of bytes of explicit nonce 265 // included in each record. This is eight for older AEADs and 266 // zero for modern ones. 267 explicitNonceLen() int 268} 269 270const ( 271 aeadNonceLength = 12 272 noncePrefixLength = 4 273) 274 275// prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to 276// each call. 277type prefixNonceAEAD struct { 278 // nonce contains the fixed part of the nonce in the first four bytes. 279 nonce [aeadNonceLength]byte 280 aead cipher.AEAD 281} 282 283func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } 284func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } 285func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } 286 287func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 288 copy(f.nonce[4:], nonce) 289 return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) 290} 291 292func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 293 copy(f.nonce[4:], nonce) 294 return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) 295} 296 297// xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce 298// before each call. 299type xorNonceAEAD struct { 300 nonceMask [aeadNonceLength]byte 301 aead cipher.AEAD 302} 303 304func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number 305func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } 306func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } 307 308func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { 309 for i, b := range nonce { 310 f.nonceMask[4+i] ^= b 311 } 312 result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) 313 for i, b := range nonce { 314 f.nonceMask[4+i] ^= b 315 } 316 317 return result 318} 319 320func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { 321 for i, b := range nonce { 322 f.nonceMask[4+i] ^= b 323 } 324 result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) 325 for i, b := range nonce { 326 f.nonceMask[4+i] ^= b 327 } 328 329 return result, err 330} 331 332func aeadAESGCM(key, noncePrefix []byte) aead { 333 if len(noncePrefix) != noncePrefixLength { 334 panic("tls: internal error: wrong nonce length") 335 } 336 aes, err := aes.NewCipher(key) 337 if err != nil { 338 panic(err) 339 } 340 aead, err := cipher.NewGCM(aes) 341 if err != nil { 342 panic(err) 343 } 344 345 ret := &prefixNonceAEAD{aead: aead} 346 copy(ret.nonce[:], noncePrefix) 347 return ret 348} 349 350func aeadAESGCMTLS13(key, nonceMask []byte) aead { 351 if len(nonceMask) != aeadNonceLength { 352 panic("tls: internal error: wrong nonce length") 353 } 354 aes, err := aes.NewCipher(key) 355 if err != nil { 356 panic(err) 357 } 358 aead, err := cipher.NewGCM(aes) 359 if err != nil { 360 panic(err) 361 } 362 363 ret := &xorNonceAEAD{aead: aead} 364 copy(ret.nonceMask[:], nonceMask) 365 return ret 366} 367 368func aeadChaCha20Poly1305(key, nonceMask []byte) aead { 369 if len(nonceMask) != aeadNonceLength { 370 panic("tls: internal error: wrong nonce length") 371 } 372 aead, err := chacha20poly1305.New(key) 373 if err != nil { 374 panic(err) 375 } 376 377 ret := &xorNonceAEAD{aead: aead} 378 copy(ret.nonceMask[:], nonceMask) 379 return ret 380} 381 382type constantTimeHash interface { 383 hash.Hash 384 ConstantTimeSum(b []byte) []byte 385} 386 387// cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces 388// with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. 389type cthWrapper struct { 390 h constantTimeHash 391} 392 393func (c *cthWrapper) Size() int { return c.h.Size() } 394func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } 395func (c *cthWrapper) Reset() { c.h.Reset() } 396func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } 397func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } 398 399func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { 400 return func() hash.Hash { 401 return &cthWrapper{h().(constantTimeHash)} 402 } 403} 404 405// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. 406func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte { 407 h.Reset() 408 h.Write(seq) 409 h.Write(header) 410 h.Write(data) 411 res := h.Sum(out) 412 if extra != nil { 413 h.Write(extra) 414 } 415 return res 416} 417 418func rsaKA(version uint16) keyAgreement { 419 return rsaKeyAgreement{} 420} 421 422func ecdheECDSAKA(version uint16) keyAgreement { 423 return &ecdheKeyAgreement{ 424 isRSA: false, 425 version: version, 426 } 427} 428 429func ecdheRSAKA(version uint16) keyAgreement { 430 return &ecdheKeyAgreement{ 431 isRSA: true, 432 version: version, 433 } 434} 435 436// mutualCipherSuite returns a cipherSuite given a list of supported 437// ciphersuites and the id requested by the peer. 438func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { 439 for _, id := range have { 440 if id == want { 441 return cipherSuiteByID(id) 442 } 443 } 444 return nil 445} 446 447func cipherSuiteByID(id uint16) *cipherSuite { 448 for _, cipherSuite := range cipherSuites { 449 if cipherSuite.id == id { 450 return cipherSuite 451 } 452 } 453 return nil 454} 455 456func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { 457 for _, id := range have { 458 if id == want { 459 return cipherSuiteTLS13ByID(id) 460 } 461 } 462 return nil 463} 464 465func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { 466 for _, cipherSuite := range cipherSuitesTLS13 { 467 if cipherSuite.id == id { 468 return cipherSuite 469 } 470 } 471 return nil 472} 473 474// A list of cipher suite IDs that are, or have been, implemented by this 475// package. 476// 477// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml 478const ( 479 // TLS 1.0 - 1.2 cipher suites. 480 TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 481 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a 482 TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f 483 TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 484 TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c 485 TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c 486 TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d 487 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 488 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 489 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a 490 TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 491 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 492 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 493 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 494 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 495 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 496 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f 497 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b 498 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 499 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c 500 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 501 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 502 503 // TLS 1.3 cipher suites. 504 TLS_AES_128_GCM_SHA256 uint16 = 0x1301 505 TLS_AES_256_GCM_SHA384 uint16 = 0x1302 506 TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 507 508 // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator 509 // that the client is doing version fallback. See RFC 7507. 510 TLS_FALLBACK_SCSV uint16 = 0x5600 511 512 // Legacy names for the corresponding cipher suites with the correct _SHA256 513 // suffix, retained for backward compatibility. 514 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 515 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 516) 517