1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package qtls
6
7import (
8	"crypto"
9	"crypto/aes"
10	"crypto/cipher"
11	"crypto/des"
12	"crypto/hmac"
13	"crypto/rc4"
14	"crypto/sha1"
15	"crypto/sha256"
16	"crypto/x509"
17	"fmt"
18	"hash"
19
20	"golang.org/x/crypto/chacha20poly1305"
21)
22
23// CipherSuite is a TLS cipher suite. Note that most functions in this package
24// accept and expose cipher suite IDs instead of this type.
25type CipherSuite struct {
26	ID   uint16
27	Name string
28
29	// Supported versions is the list of TLS protocol versions that can
30	// negotiate this cipher suite.
31	SupportedVersions []uint16
32
33	// Insecure is true if the cipher suite has known security issues
34	// due to its primitives, design, or implementation.
35	Insecure bool
36}
37
38var (
39	supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12}
40	supportedOnlyTLS12 = []uint16{VersionTLS12}
41	supportedOnlyTLS13 = []uint16{VersionTLS13}
42)
43
44// CipherSuites returns a list of cipher suites currently implemented by this
45// package, excluding those with security issues, which are returned by
46// InsecureCipherSuites.
47//
48// The list is sorted by ID. Note that the default cipher suites selected by
49// this package might depend on logic that can't be captured by a static list.
50func CipherSuites() []*CipherSuite {
51	return []*CipherSuite{
52		{TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false},
53		{TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
54		{TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
55		{TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
56		{TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
57
58		{TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false},
59		{TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false},
60		{TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false},
61
62		{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
63		{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
64		{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, false},
65		{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false},
66		{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false},
67		{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
68		{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
69		{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false},
70		{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false},
71		{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
72		{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false},
73	}
74}
75
76// InsecureCipherSuites returns a list of cipher suites currently implemented by
77// this package and which have security issues.
78//
79// Most applications should not use the cipher suites in this list, and should
80// only use those returned by CipherSuites.
81func InsecureCipherSuites() []*CipherSuite {
82	// RC4 suites are broken because RC4 is.
83	// CBC-SHA256 suites have no Lucky13 countermeasures.
84	return []*CipherSuite{
85		{TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
86		{TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
87		{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
88		{TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true},
89		{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
90		{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true},
91	}
92}
93
94// CipherSuiteName returns the standard name for the passed cipher suite ID
95// (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation
96// of the ID value if the cipher suite is not implemented by this package.
97func CipherSuiteName(id uint16) string {
98	for _, c := range CipherSuites() {
99		if c.ID == id {
100			return c.Name
101		}
102	}
103	for _, c := range InsecureCipherSuites() {
104		if c.ID == id {
105			return c.Name
106		}
107	}
108	return fmt.Sprintf("0x%04X", id)
109}
110
111// a keyAgreement implements the client and server side of a TLS key agreement
112// protocol by generating and processing key exchange messages.
113type keyAgreement interface {
114	// On the server side, the first two methods are called in order.
115
116	// In the case that the key agreement protocol doesn't use a
117	// ServerKeyExchange message, generateServerKeyExchange can return nil,
118	// nil.
119	generateServerKeyExchange(*config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
120	processClientKeyExchange(*config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
121
122	// On the client side, the next two methods are called in order.
123
124	// This method may not be called if the server doesn't send a
125	// ServerKeyExchange message.
126	processServerKeyExchange(*config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
127	generateClientKeyExchange(*config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
128}
129
130const (
131	// suiteECDHE indicates that the cipher suite involves elliptic curve
132	// Diffie-Hellman. This means that it should only be selected when the
133	// client indicates that it supports ECC with a curve and point format
134	// that we're happy with.
135	suiteECDHE = 1 << iota
136	// suiteECSign indicates that the cipher suite involves an ECDSA or
137	// EdDSA signature and therefore may only be selected when the server's
138	// certificate is ECDSA or EdDSA. If this is not set then the cipher suite
139	// is RSA based.
140	suiteECSign
141	// suiteTLS12 indicates that the cipher suite should only be advertised
142	// and accepted when using TLS 1.2.
143	suiteTLS12
144	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
145	// handshake hash.
146	suiteSHA384
147	// suiteDefaultOff indicates that this cipher suite is not included by
148	// default.
149	suiteDefaultOff
150)
151
152// A cipherSuite is a specific combination of key agreement, cipher and MAC function.
153type cipherSuite struct {
154	id uint16
155	// the lengths, in bytes, of the key material needed for each component.
156	keyLen int
157	macLen int
158	ivLen  int
159	ka     func(version uint16) keyAgreement
160	// flags is a bitmask of the suite* values, above.
161	flags  int
162	cipher func(key, iv []byte, isRead bool) interface{}
163	mac    func(key []byte) hash.Hash
164	aead   func(key, fixedNonce []byte) aead
165}
166
167var cipherSuites = []*cipherSuite{
168	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and
169	// AEADs are the top preference.
170	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
171	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
172	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
173	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM},
174	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
175	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
176	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
177	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
178	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
179	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
180	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
181	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil},
182	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
183	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
184	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
185	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
186	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
187	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
188	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
189
190	// RC4-based cipher suites are disabled by default.
191	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
192	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
193	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteDefaultOff, cipherRC4, macSHA1, nil},
194}
195
196// selectCipherSuite returns the first cipher suite from ids which is also in
197// supportedIDs and passes the ok filter.
198func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
199	for _, id := range ids {
200		candidate := cipherSuiteByID(id)
201		if candidate == nil || !ok(candidate) {
202			continue
203		}
204
205		for _, suppID := range supportedIDs {
206			if id == suppID {
207				return candidate
208			}
209		}
210	}
211	return nil
212}
213
214// A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash
215// algorithm to be used with HKDF. See RFC 8446, Appendix B.4.
216type cipherSuiteTLS13 struct {
217	id     uint16
218	keyLen int
219	aead   func(key, fixedNonce []byte) aead
220	hash   crypto.Hash
221}
222
223type CipherSuiteTLS13 struct {
224	ID     uint16
225	KeyLen int
226	Hash   crypto.Hash
227	AEAD   func(key, fixedNonce []byte) cipher.AEAD
228}
229
230func (c *CipherSuiteTLS13) IVLen() int {
231	return aeadNonceLength
232}
233
234var cipherSuitesTLS13 = []*cipherSuiteTLS13{
235	{TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
236	{TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
237	{TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
238}
239
240func cipherRC4(key, iv []byte, isRead bool) interface{} {
241	cipher, _ := rc4.NewCipher(key)
242	return cipher
243}
244
245func cipher3DES(key, iv []byte, isRead bool) interface{} {
246	block, _ := des.NewTripleDESCipher(key)
247	if isRead {
248		return cipher.NewCBCDecrypter(block, iv)
249	}
250	return cipher.NewCBCEncrypter(block, iv)
251}
252
253func cipherAES(key, iv []byte, isRead bool) interface{} {
254	block, _ := aes.NewCipher(key)
255	if isRead {
256		return cipher.NewCBCDecrypter(block, iv)
257	}
258	return cipher.NewCBCEncrypter(block, iv)
259}
260
261// macSHA1 returns a SHA-1 based constant time MAC.
262func macSHA1(key []byte) hash.Hash {
263	return hmac.New(newConstantTimeHash(sha1.New), key)
264}
265
266// macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and
267// is currently only used in disabled-by-default cipher suites.
268func macSHA256(key []byte) hash.Hash {
269	return hmac.New(sha256.New, key)
270}
271
272type aead interface {
273	cipher.AEAD
274
275	// explicitNonceLen returns the number of bytes of explicit nonce
276	// included in each record. This is eight for older AEADs and
277	// zero for modern ones.
278	explicitNonceLen() int
279}
280
281const (
282	aeadNonceLength   = 12
283	noncePrefixLength = 4
284)
285
286// prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
287// each call.
288type prefixNonceAEAD struct {
289	// nonce contains the fixed part of the nonce in the first four bytes.
290	nonce [aeadNonceLength]byte
291	aead  cipher.AEAD
292}
293
294func (f *prefixNonceAEAD) NonceSize() int        { return aeadNonceLength - noncePrefixLength }
295func (f *prefixNonceAEAD) Overhead() int         { return f.aead.Overhead() }
296func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }
297
298func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
299	copy(f.nonce[4:], nonce)
300	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
301}
302
303func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
304	copy(f.nonce[4:], nonce)
305	return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
306}
307
308// xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
309// before each call.
310type xorNonceAEAD struct {
311	nonceMask [aeadNonceLength]byte
312	aead      cipher.AEAD
313}
314
315func (f *xorNonceAEAD) NonceSize() int        { return 8 } // 64-bit sequence number
316func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
317func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
318
319func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
320	for i, b := range nonce {
321		f.nonceMask[4+i] ^= b
322	}
323	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
324	for i, b := range nonce {
325		f.nonceMask[4+i] ^= b
326	}
327
328	return result
329}
330
331func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
332	for i, b := range nonce {
333		f.nonceMask[4+i] ^= b
334	}
335	result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
336	for i, b := range nonce {
337		f.nonceMask[4+i] ^= b
338	}
339
340	return result, err
341}
342
343func aeadAESGCM(key, noncePrefix []byte) aead {
344	if len(noncePrefix) != noncePrefixLength {
345		panic("tls: internal error: wrong nonce length")
346	}
347	aes, err := aes.NewCipher(key)
348	if err != nil {
349		panic(err)
350	}
351	aead, err := cipher.NewGCM(aes)
352	if err != nil {
353		panic(err)
354	}
355
356	ret := &prefixNonceAEAD{aead: aead}
357	copy(ret.nonce[:], noncePrefix)
358	return ret
359}
360
361// AEADAESGCMTLS13 creates a new AES-GCM AEAD for TLS 1.3
362func AEADAESGCMTLS13(key, fixedNonce []byte) cipher.AEAD {
363	return aeadAESGCMTLS13(key, fixedNonce)
364}
365
366func aeadAESGCMTLS13(key, nonceMask []byte) aead {
367	if len(nonceMask) != aeadNonceLength {
368		panic("tls: internal error: wrong nonce length")
369	}
370	aes, err := aes.NewCipher(key)
371	if err != nil {
372		panic(err)
373	}
374	aead, err := cipher.NewGCM(aes)
375	if err != nil {
376		panic(err)
377	}
378
379	ret := &xorNonceAEAD{aead: aead}
380	copy(ret.nonceMask[:], nonceMask)
381	return ret
382}
383
384func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
385	if len(nonceMask) != aeadNonceLength {
386		panic("tls: internal error: wrong nonce length")
387	}
388	aead, err := chacha20poly1305.New(key)
389	if err != nil {
390		panic(err)
391	}
392
393	ret := &xorNonceAEAD{aead: aead}
394	copy(ret.nonceMask[:], nonceMask)
395	return ret
396}
397
398type constantTimeHash interface {
399	hash.Hash
400	ConstantTimeSum(b []byte) []byte
401}
402
403// cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
404// with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
405type cthWrapper struct {
406	h constantTimeHash
407}
408
409func (c *cthWrapper) Size() int                   { return c.h.Size() }
410func (c *cthWrapper) BlockSize() int              { return c.h.BlockSize() }
411func (c *cthWrapper) Reset()                      { c.h.Reset() }
412func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
413func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }
414
415func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
416	return func() hash.Hash {
417		return &cthWrapper{h().(constantTimeHash)}
418	}
419}
420
421// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3.
422func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
423	h.Reset()
424	h.Write(seq)
425	h.Write(header)
426	h.Write(data)
427	res := h.Sum(out)
428	if extra != nil {
429		h.Write(extra)
430	}
431	return res
432}
433
434func rsaKA(version uint16) keyAgreement {
435	return rsaKeyAgreement{}
436}
437
438func ecdheECDSAKA(version uint16) keyAgreement {
439	return &ecdheKeyAgreement{
440		isRSA:   false,
441		version: version,
442	}
443}
444
445func ecdheRSAKA(version uint16) keyAgreement {
446	return &ecdheKeyAgreement{
447		isRSA:   true,
448		version: version,
449	}
450}
451
452// mutualCipherSuite returns a cipherSuite given a list of supported
453// ciphersuites and the id requested by the peer.
454func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
455	for _, id := range have {
456		if id == want {
457			return cipherSuiteByID(id)
458		}
459	}
460	return nil
461}
462
463func cipherSuiteByID(id uint16) *cipherSuite {
464	for _, cipherSuite := range cipherSuites {
465		if cipherSuite.id == id {
466			return cipherSuite
467		}
468	}
469	return nil
470}
471
472func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
473	for _, id := range have {
474		if id == want {
475			return cipherSuiteTLS13ByID(id)
476		}
477	}
478	return nil
479}
480
481func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 {
482	for _, cipherSuite := range cipherSuitesTLS13 {
483		if cipherSuite.id == id {
484			return cipherSuite
485		}
486	}
487	return nil
488}
489
490// A list of cipher suite IDs that are, or have been, implemented by this
491// package.
492//
493// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
494const (
495	// TLS 1.0 - 1.2 cipher suites.
496	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
497	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
498	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
499	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
500	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
501	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
502	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
503	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
504	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
505	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
506	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
507	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
508	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
509	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
510	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
511	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
512	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
513	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
514	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
515	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
516	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
517	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9
518
519	// TLS 1.3 cipher suites.
520	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
521	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
522	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
523
524	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
525	// that the client is doing version fallback. See RFC 7507.
526	TLS_FALLBACK_SCSV uint16 = 0x5600
527
528	// Legacy names for the corresponding cipher suites with the correct _SHA256
529	// suffix, retained for backward compatibility.
530	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
531	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
532)
533