base repository: zmap/zcrypto
base: master
head repository: COMSYS/zcrypto
compare: master
  • 1 commit
  • 12 files changed
  • 1 contributor

Commits on Nov 18, 2021

    5d519a3 View commit details
Showing with 484 additions and 136 deletions.
  1. +27 −27 tls/alert.go
  2. +129 −6 tls/cipher_suites.go
  3. +49 −40 tls/common.go
  4. +9 −9 tls/conn.go
  5. +7 −5 tls/handshake_client.go
  6. +64 −0 tls/handshake_offline.go
  7. +7 −7 tls/handshake_server.go
  8. +13 −13 tls/key_agreement.go
  9. +8 −8 tls/prf.go
  10. +116 −9 tls/tls_handshake.go
  11. +3 −3 tls/tls_ka.go
  12. +52 −9 tls/tls_names.go
54 changes: 27 additions & 27 deletions tls/alert.go
@@ -6,40 +6,40 @@ package tls

import "strconv"

type alert uint8
type Alert uint8

const (
// alert level
// Alert level
alertLevelWarning = 1
alertLevelError = 2
)

const (
alertCloseNotify alert = 0
alertUnexpectedMessage alert = 10
alertBadRecordMAC alert = 20
alertDecryptionFailed alert = 21
alertRecordOverflow alert = 22
alertDecompressionFailure alert = 30
alertHandshakeFailure alert = 40
alertBadCertificate alert = 42
alertUnsupportedCertificate alert = 43
alertCertificateRevoked alert = 44
alertCertificateExpired alert = 45
alertCertificateUnknown alert = 46
alertIllegalParameter alert = 47
alertUnknownCA alert = 48
alertAccessDenied alert = 49
alertDecodeError alert = 50
alertDecryptError alert = 51
alertProtocolVersion alert = 70
alertInsufficientSecurity alert = 71
alertInternalError alert = 80
alertUserCanceled alert = 90
alertNoRenegotiation alert = 100
alertCloseNotify Alert = 0
alertUnexpectedMessage Alert = 10
alertBadRecordMAC Alert = 20
alertDecryptionFailed Alert = 21
alertRecordOverflow Alert = 22
alertDecompressionFailure Alert = 30
alertHandshakeFailure Alert = 40
alertBadCertificate Alert = 42
alertUnsupportedCertificate Alert = 43
alertCertificateRevoked Alert = 44
alertCertificateExpired Alert = 45
alertCertificateUnknown Alert = 46
alertIllegalParameter Alert = 47
alertUnknownCA Alert = 48
alertAccessDenied Alert = 49
alertDecodeError Alert = 50
alertDecryptError Alert = 51
alertProtocolVersion Alert = 70
alertInsufficientSecurity Alert = 71
alertInternalError Alert = 80
alertUserCanceled Alert = 90
alertNoRenegotiation Alert = 100
)

var alertText = map[alert]string{
var alertText = map[Alert]string{
alertCloseNotify: "close notify",
alertUnexpectedMessage: "unexpected message",
alertBadRecordMAC: "bad record MAC",
@@ -64,14 +64,14 @@ var alertText = map[alert]string{
alertNoRenegotiation: "no renegotiation",
}

func (e alert) String() string {
func (e Alert) String() string {
s, ok := alertText[e]
if ok {
return s
}
return "alert(" + strconv.Itoa(int(e)) + ")"
}

func (e alert) Error() string {
func (e Alert) Error() string {
return e.String()
}
135 changes: 129 additions & 6 deletions tls/cipher_suites.go
@@ -428,7 +428,7 @@ func rsaKA(version uint16) keyAgreement {
return &rsaKeyAgreement{
version: version,
auth: &signedKeyAgreement{
sigType: signatureRSA,
sigType: SignatureRSA,
version: version,
},
}
@@ -439,7 +439,7 @@ func rsaEphemeralKA(version uint16) keyAgreement {
version: version,
ephemeral: true,
auth: &signedKeyAgreement{
sigType: signatureRSA,
sigType: SignatureRSA,
version: version,
},
}
@@ -448,7 +448,7 @@ func rsaEphemeralKA(version uint16) keyAgreement {
func ecdheECDSAKA(version uint16) keyAgreement {
return &ecdheKeyAgreement{
auth: &signedKeyAgreement{
sigType: signatureECDSA,
sigType: SignatureECDSA,
version: version,
},
}
@@ -457,7 +457,7 @@ func ecdheECDSAKA(version uint16) keyAgreement {
func ecdheRSAKA(version uint16) keyAgreement {
return &ecdheKeyAgreement{
auth: &signedKeyAgreement{
sigType: signatureRSA,
sigType: SignatureRSA,
version: version,
},
}
@@ -466,7 +466,7 @@ func ecdheRSAKA(version uint16) keyAgreement {
func dheRSAKA(version uint16) keyAgreement {
return &dheKeyAgreement{
auth: &signedKeyAgreement{
sigType: signatureRSA,
sigType: SignatureRSA,
version: version,
},
}
@@ -475,7 +475,7 @@ func dheRSAKA(version uint16) keyAgreement {
func dheDSSKA(version uint16) keyAgreement {
return &dheKeyAgreement{
auth: &signedKeyAgreement{
sigType: signatureDSA,
sigType: SignatureDSA,
version: version,
},
}
@@ -1101,6 +1101,129 @@ var SafariNoDHECiphers []uint16 = []uint16{
TLS_RSA_WITH_RC4_128_MD5,
}

var ThesisRecommended []uint16 = []uint16{
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS_DHE_RSA_WITH_AES_256_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS_DHE_RSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
// not explicitly recommended by BSI, but by NIST
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS_DHE_RSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_DHE_RSA_WITH_AES_128_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
}

var ThesisNoPFS []uint16 = []uint16{
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DH_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DH_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
TLS_DH_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DH_DSS_WITH_AES_128_CBC_SHA256,
}

var ThesisInsecure []uint16 = []uint16{
TLS_NULL_WITH_NULL_NULL,
TLS_RSA_WITH_NULL_MD5,
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDH_RSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_ECDH_ANON_WITH_NULL_SHA,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
TLS_RSA_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_WITH_RC4_128_MD5,
TLS_RSA_WITH_RC4_128_SHA,
TLS_DH_ANON_WITH_RC4_128_MD5,
TLS_DHE_DSS_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ANON_WITH_RC4_128_SHA,
TLS_RSA_WITH_DES_CBC_SHA,
TLS_DH_DSS_WITH_DES_CBC_SHA,
TLS_DH_RSA_WITH_DES_CBC_SHA,
TLS_DHE_DSS_WITH_DES_CBC_SHA,
TLS_DHE_RSA_WITH_DES_CBC_SHA,
TLS_DH_ANON_WITH_DES_CBC_SHA,
TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
// 3DES might still be considered weakly secure?
//TLS_RSA_WITH_3DES_EDE_CBC_SHA,
//TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
//TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
//TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
//TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
//TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
//TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
//TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
//TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,

//?
//TLS_RSA_WITH_AES_128_CBC_SHA,
//TLS_RSA_WITH_AES_128_CBC_SHA256,
//TLS_RSA_WITH_AES_256_CBC_SHA256,
//TLS_RSA_WITH_AES_128_CCM,
//TLS_RSA_WITH_AES_256_CCM,
//TLS_RSA_WITH_AES_128_CCM_8,
//TLS_RSA_WITH_AES_256_CCM_8,
SSL_RSA_WITH_RC2_CBC_MD5,
SSL_RSA_WITH_IDEA_CBC_MD5,
SSL_RSA_WITH_DES_CBC_MD5,
SSL_RSA_WITH_3DES_EDE_CBC_MD5,
SSL_EN_RC2_128_CBC_WITH_MD5,
}

func cipherIDInCipherIDList(cipher uint16, cipherIDList []uint16) bool {
for _, val := range cipherIDList {
if cipher == val {
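Review bot: The three Thesis* lists added in the last hunk do not partition the cipher-suite space, so a caller that treats "not in ThesisInsecure" as acceptable will silently pass suites this commit never classified: the static-RSA key-exchange suites left under `//?`, the 3DES suites commented out at the top of ThesisInsecure, and suites such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_128_GCM_SHA256 that appear in none of the lists. The undecided entries should be resolved rather than left as comments — static-RSA suites have no forward secrecy and so belong at least in ThesisNoPFS, and 3DES with its 64-bit block is deprecated by the BSI and NIST guidance the list cites — or the gap should be stated on the exported vars, which currently carry no doc comment at all, e.g. `// ThesisRecommended lists the cipher suites accepted by the thesis policy (BSI/NIST recommendations); the Thesis* lists are not exhaustive.` As a point of style, `var ThesisRecommended []uint16 = []uint16{` can drop the redundant type and read `var ThesisRecommended = []uint16{` (same for ThesisNoPFS and ThesisInsecure). cipherIDInCipherIDList's body continues outside the hunk.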
89 changes: 49 additions & 40 deletions tls/common.go
@@ -189,34 +189,39 @@ const (

// Certificate types (for certificateRequestMsg)
const (
certTypeRSASign = 1 // A certificate containing an RSA key
certTypeDSSSign = 2 // A certificate containing a DSA key
certTypeRSAFixedDH = 3 // A certificate containing a static DH key
certTypeDSSFixedDH = 4 // A certificate containing a static DH key
CertTypeRSASign = 1 // A certificate containing an RSA key
CertTypeDSSSign = 2 // A certificate containing a DSA key
CertTypeRSAFixedDH = 3 // A certificate containing a static DH key
CertTypeDSSFixedDH = 4 // A certificate containing a static DH key

// See RFC4492 sections 3 and 5.5.
certTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
certTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
CertTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
CertTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
CertTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.

// Rest of these are reserved by the TLS spec
)

// Hash functions for TLS 1.2 (See RFC 5246, section A.4.1)
const (
hashMD5 uint8 = 1
hashSHA1 uint8 = 2
hashSHA224 uint8 = 3
hashSHA256 uint8 = 4
hashSHA384 uint8 = 5
hashSHA512 uint8 = 6
HashNone uint8 = 0
HashMD5 uint8 = 1
HashSHA1 uint8 = 2
HashSHA224 uint8 = 3
HashSHA256 uint8 = 4
HashSHA384 uint8 = 5
HashSHA512 uint8 = 6
HashIntrinsic uint8 = 8
)

// Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)
const (
signatureRSA uint8 = 1
signatureDSA uint8 = 2
signatureECDSA uint8 = 3
SignatureAnonymous uint8 = 0
SignatureRSA uint8 = 1
SignatureDSA uint8 = 2
SignatureECDSA uint8 = 3
SignatureED25519 uint8 = 7
SignatureED448 uint8 = 8
)

// SigAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See
@@ -228,39 +233,39 @@ type SigAndHash struct {
// supportedSKXSignatureAlgorithms contains the signature and hash algorithms
// that the code advertises as supported in a TLS 1.2 ClientHello.
var supportedSKXSignatureAlgorithms = []SigAndHash{
{signatureRSA, hashSHA512},
{signatureECDSA, hashSHA512},
{signatureDSA, hashSHA512},
{signatureRSA, hashSHA384},
{signatureECDSA, hashSHA384},
{signatureDSA, hashSHA384},
{signatureRSA, hashSHA256},
{signatureECDSA, hashSHA256},
{signatureDSA, hashSHA256},
{signatureRSA, hashSHA224},
{signatureECDSA, hashSHA224},
{signatureDSA, hashSHA224},
{signatureRSA, hashSHA1},
{signatureECDSA, hashSHA1},
{signatureDSA, hashSHA1},
{signatureRSA, hashMD5},
{signatureECDSA, hashMD5},
{signatureDSA, hashMD5},
{SignatureRSA, HashSHA512},
{SignatureECDSA, HashSHA512},
{SignatureDSA, HashSHA512},
{SignatureRSA, HashSHA384},
{SignatureECDSA, HashSHA384},
{SignatureDSA, HashSHA384},
{SignatureRSA, HashSHA256},
{SignatureECDSA, HashSHA256},
{SignatureDSA, HashSHA256},
{SignatureRSA, HashSHA224},
{SignatureECDSA, HashSHA224},
{SignatureDSA, HashSHA224},
{SignatureRSA, HashSHA1},
{SignatureECDSA, HashSHA1},
{SignatureDSA, HashSHA1},
{SignatureRSA, HashMD5},
{SignatureECDSA, HashMD5},
{SignatureDSA, HashMD5},
}

var defaultSKXSignatureAlgorithms = []SigAndHash{
{signatureRSA, hashSHA256},
{signatureECDSA, hashSHA256},
{signatureRSA, hashSHA1},
{signatureECDSA, hashSHA1},
{SignatureRSA, HashSHA256},
{SignatureECDSA, HashSHA256},
{SignatureRSA, HashSHA1},
{SignatureECDSA, HashSHA1},
}

// supportedClientCertSignatureAlgorithms contains the signature and hash
// algorithms that the code advertises as supported in a TLS 1.2
// CertificateRequest.
var supportedClientCertSignatureAlgorithms = []SigAndHash{
{signatureRSA, hashSHA256},
{signatureECDSA, hashSHA256},
{SignatureRSA, HashSHA256},
{SignatureECDSA, HashSHA256},
}

// ConnectionState records basic TLS details about the connection.
@@ -514,6 +519,10 @@ type Config struct {
// this Config is returned by a GetConfigForClient callback. It's used
// by serverInit in order to copy session ticket keys if needed.
originalConfig *Config

// Use the first client certificate, even if it does not match the
// requested DN given by the server
IgnoreClientCaName bool
}

// ticketKeyNameLen is the number of bytes of identifier that is prepended to
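Review bot: The new Config field IgnoreClientCaName in the last hunk lacks a doc comment that names the field and states the consequence of enabling it: if handshake_client.go uses it as the comment suggests, the client offers its first certificate (and thereby its subject) to any server that sends a CertificateRequest, regardless of which CAs that request names, so the option trades the DN filter for a disclosure of the client identity to servers that did not ask for it. Suggested comment: `// IgnoreClientCaName makes the client offer its first certificate even when no CA named in the server's CertificateRequest matches it; the certificate is then presented to any server that requests client authentication.` Go initialism style would spell the field IgnoreClientCAName, but since it is exported that is a naming choice to settle before the API is published rather than a later rename. The use site is outside this section, so the exact behaviour should be confirmed against handshake_client.go.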