forked from Trisia/gotlcp
/
cipher_suites.go
291 lines (255 loc) · 8.52 KB
/
cipher_suites.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
// Copyright (c) 2022 QuanGuanyu
// gotlcp is licensed under Mulan PSL v2.
// You can use this software according to the terms and conditions of the Mulan PSL v2.
// You may obtain a copy of Mulan PSL v2 at:
// http://license.coscl.org.cn/MulanPSL2
// THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
// EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
// MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
// See the Mulan PSL v2 for more details.
package tlcp
import (
"crypto/cipher"
"crypto/hmac"
"fmt"
"hash"
"github.com/emmansun/gmsm/sm3"
"github.com/emmansun/gmsm/sm4"
)
// CipherSuite 密码套件
//
// 在该程序库中大部分方法都只接受密码套件的ID而不是该对象
type CipherSuite struct {
ID uint16
Name string
// 该套件支持的TLCP协议版本
SupportedVersions []uint16
// Insecure 为true表示该套件是已经具有安全问题的密码套件
Insecure bool
}
var (
supportedOnlyTLCP = []uint16{VersionTLCP}
)
// CipherSuites 返回支持的密码算法套件列表
func CipherSuites() []*CipherSuite {
return []*CipherSuite{
{ECDHE_SM4_CBC_SM3, "ECDHE_SM4_CBC_SM3", supportedOnlyTLCP, false},
{ECDHE_SM4_GCM_SM3, "ECDHE_SM4_GCM_SM3", supportedOnlyTLCP, false},
{ECC_SM4_CBC_SM3, "ECC_SM4_CBC_SM3", supportedOnlyTLCP, false},
{ECC_SM4_GCM_SM3, "ECC_SM4_GCM_SM3", supportedOnlyTLCP, false},
}
}
// InsecureCipherSuites 已知的不安全的密码套件列表
func InsecureCipherSuites() []*CipherSuite {
return []*CipherSuite{}
}
// CipherSuiteName 通过密码套件ID返还密码套件的标准名称。
// (如: "ECC_SM4_CBC_SM3")
func CipherSuiteName(id uint16) string {
for _, c := range CipherSuites() {
if c.ID == id {
return c.Name
}
}
for _, c := range InsecureCipherSuites() {
if c.ID == id {
return c.Name
}
}
return fmt.Sprintf("0x%04X", id)
}
const (
// suiteECDHE indicates that the cipher suite involves elliptic curve
// Diffie-Hellman. This means that it should only be selected when the
// client indicates that it supports ECC with a curve and point format
// that we're happy with.
suiteECDHE = 1 << iota
// suiteECSign indicates that the cipher suite involves an ECDSA or
// EdDSA signature and therefore may only be selected when the server's
// certificate is ECDSA or EdDSA. If this is not set then the cipher suite
// is RSA based.
suiteECSign
)
// A cipherSuite is a TLS 1.0–1.2 cipher suite, and defines the key exchange
// mechanism, as well as the cipher+MAC pair or the AEAD.
type cipherSuite struct {
id uint16
// the lengths, in bytes, of the key material needed for each component.
keyLen int
macLen int
ivLen int
ka func(version uint16) keyAgreementProtocol
// flags is a bitmask of the suite* values, above.
flags int
cipher func(key, iv []byte, isRead bool) interface{}
mac func(key []byte) hash.Hash
aead func(key, fixedNonce []byte) aead
}
var cipherSuites = map[uint16]*cipherSuite{
ECC_SM4_GCM_SM3: {ECC_SM4_GCM_SM3, 16, 0, 4, eccKA, suiteECSign, nil, nil, aeadSM4GCM},
ECC_SM4_CBC_SM3: {ECC_SM4_CBC_SM3, 16, 32, 16, eccKA, suiteECSign, cipherSM4, macSM3, nil},
ECDHE_SM4_GCM_SM3: {ECDHE_SM4_GCM_SM3, 16, 0, 4, ecdheKA, suiteECSign | suiteECDHE, nil, nil, aeadSM4GCM},
ECDHE_SM4_CBC_SM3: {ECDHE_SM4_CBC_SM3, 16, 32, 16, ecdheKA, suiteECSign | suiteECDHE, cipherSM4, macSM3, nil},
}
// selectCipherSuite 从推荐ID和候选ID中选择出符合条件的密钥套件
func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite {
for _, id := range ids {
candidate := cipherSuites[id]
if candidate == nil || !ok(candidate) {
continue
}
for _, suppID := range supportedIDs {
if id == suppID {
return candidate
}
}
}
return nil
}
// 推荐的密码套件列表(顺序表示优先级)
var cipherSuitesPreferenceOrder = []uint16{
ECC_SM4_GCM_SM3,
ECC_SM4_CBC_SM3,
// 根据 GM/T 38636-2016 6.4.5.8 要求:使用ECDHE算法时,要求客户端发送证书。
ECDHE_SM4_GCM_SM3,
ECDHE_SM4_CBC_SM3,
}
// disabledCipherSuites 禁用的密码套件
var disabledCipherSuites = []uint16{}
var (
defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
defaultCipherSuites = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
)
// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3.
func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte {
h.Reset()
h.Write(seq)
h.Write(header)
h.Write(data)
res := h.Sum(out)
if extra != nil {
h.Write(extra)
}
return res
}
// mutualCipherSuite 通过密码套件ID,从所有的 密码套件ID列表中,
// 返回期待的密码套件对象。
func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
for _, id := range have {
if id == want {
return cipherSuites[id]
}
}
return nil
}
// 密码套件ID,见 GB/T 38636-2016 6.4.5.2.1 表 2 密码套件列表
const (
TLCP_ECDHE_SM4_CBC_SM3 uint16 = 0xe011
TLCP_ECDHE_SM4_GCM_SM3 uint16 = 0xe051
TLCP_ECC_SM4_CBC_SM3 uint16 = 0xe013
TLCP_ECC_SM4_GCM_SM3 uint16 = 0xe053
TLCP_IBSDH_SM4_CBC_SM3 uint16 = 0xe015
TLCP_IBSDH_SM4_GCM_SM3 uint16 = 0xe055
TLCP_IBC_SM4_CBC_SM3 uint16 = 0xe017
TLCP_IBC_SM4_GCM_SM3 uint16 = 0xe057
TLCP_RSA_SM4_CBC_SM3 uint16 = 0xe019
TLCP_RSA_SM4_GCM_SM3 uint16 = 0xe059
TLCP_RSA_SM4_CBC_SHA256 uint16 = 0xe01e
TLCP_RSA_SM4_GCM_SHA256 uint16 = 0xe05a
//
// 常量命名与 GBT 38636-2020 6.4.5.2.1 保持一致
//
ECDHE_SM4_CBC_SM3 uint16 = 0xe011
ECDHE_SM4_GCM_SM3 uint16 = 0xe051
ECC_SM4_CBC_SM3 uint16 = 0xe013
ECC_SM4_GCM_SM3 uint16 = 0xe053
IBSDH_SM4_CBC_SM3 uint16 = 0xe015
IBSDH_SM4_GCM_SM3 uint16 = 0xe055
IBC_SM4_CBC_SM3 uint16 = 0xe017
IBC_SM4_GCM_SM3 uint16 = 0xe057
RSA_SM4_CBC_SM3 uint16 = 0xe019
RSA_SM4_GCM_SM3 uint16 = 0xe059
RSA_SM4_CBC_SHA256 uint16 = 0xe01e
RSA_SM4_GCM_SHA256 uint16 = 0xe05a
)
// SignatureAlgorithm 签名算法 见 GB/T 38636-2016 6.4.5.9 Certificate Verify 消息
type SignatureAlgorithm uint16
const (
NONE SignatureAlgorithm = 0
RSA_SHA256 SignatureAlgorithm = 1
RSA_SM3 SignatureAlgorithm = 2
ECC_SM3 SignatureAlgorithm = 3
IBS_SM3 SignatureAlgorithm = 4
)
const (
aeadNonceLength = 12
noncePrefixLength = 4
)
type aead interface {
cipher.AEAD
// explicitNonceLen returns the number of bytes of explicit nonce
// included in each record. This is eight for older AEADs and
// zero for modern ones.
explicitNonceLen() int
}
// prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
// each call.
type prefixNonceAEAD struct {
// nonce contains the fixed part of the nonce in the first four bytes.
nonce [aeadNonceLength]byte
aead cipher.AEAD
}
func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength }
func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() }
func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }
func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
copy(f.nonce[4:], nonce)
return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
}
func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
copy(f.nonce[4:], nonce)
return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
}
// SM2 加密证书密钥交换
func eccKA(version uint16) keyAgreementProtocol {
return &eccKeyAgreement{
version: version,
}
}
// SM2 ECDHE 密钥协商协议
func ecdheKA(version uint16) keyAgreementProtocol {
return &sm2ECDHEKeyAgreement{}
}
func cipherSM4(key, iv []byte, isRead bool) interface{} {
block, _ := sm4.NewCipher(key)
if isRead {
return cipher.NewCBCDecrypter(block, iv)
}
return cipher.NewCBCEncrypter(block, iv)
}
func macSM3(key []byte) hash.Hash {
return hmac.New(sm3.New, key)
}
// aeadSM4GCM SM4 GCM向前加解密函数
// key: 对称密钥
// nonce: 隐式随机数 (implicit nonce 4 Byte)
func aeadSM4GCM(key []byte, nonce []byte) aead {
if len(nonce) != noncePrefixLength {
panic("tls: internal error: wrong implicit nonce length")
}
block, err := sm4.NewCipher(key)
if err != nil {
panic(err)
}
aead, err := cipher.NewGCMWithNonceSize(block, 12)
if err != nil {
panic(err)
}
// AEAD 使用的随机数应由显式和隐式两部分构成,
// 显式部分即 nonce explicit,客户端和服务端使用隐式部分
// 分别来自 client_write_iv 和 server_write_iv。
// AEAD使用的随机数和计数器的构造参见 RFC 5116
ret := &prefixNonceAEAD{aead: aead}
copy(ret.nonce[:], nonce)
return ret
}