// Copyright 2015 Light Code Labs, LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package httpserver import ( "bytes" "context" "crypto/tls" "io" "net" "net/http" "strconv" "strings" "sync" "github.com/mholt/caddy/caddytls" "github.com/mholt/caddy/telemetry" ) // tlsHandler is a http.Handler that will inject a value // into the request context indicating if the TLS // connection is likely being intercepted. type tlsHandler struct { next http.Handler listener *tlsHelloListener closeOnMITM bool // whether to close connection on MITM; TODO: expose through new directive } // ServeHTTP checks the User-Agent. For the four main browsers (Chrome, // Edge, Firefox, and Safari) indicated by the User-Agent, the properties // of the TLS Client Hello will be compared. The context value "mitm" will // be set to a value indicating if it is likely that the underlying TLS // connection is being intercepted. // // Note that due to Microsoft's decision to intentionally make IE/Edge // user agents obscure (and look like other browsers), this may offer // less accuracy for IE/Edge clients. // // This MITM detection capability is based on research done by Durumeric, // Halderman, et. al. in "The Security Impact of HTTPS Interception" (NDSS '17): // https://jhalderm.com/pub/papers/interception-ndss17.pdf func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // TODO: one request per connection, we should report UA in connection with // handshake (reported in caddytls package) and our MITM assessment if h.listener == nil { h.next.ServeHTTP(w, r) return } h.listener.helloInfosMu.RLock() info := h.listener.helloInfos[r.RemoteAddr] h.listener.helloInfosMu.RUnlock() ua := r.Header.Get("User-Agent") // report this request's UA in connection with this ClientHello go telemetry.AppendUnique("tls_client_hello_ua:"+caddytls.ClientHelloInfo(info).Key(), ua) var checked, mitm bool if r.Header.Get("X-BlueCoat-Via") != "" || // Blue Coat (masks User-Agent header to generic values) r.Header.Get("X-FCCKV2") != "" || // Fortinet info.advertisesHeartbeatSupport() { // no major browsers have ever implemented Heartbeat checked = true mitm = true } else if strings.Contains(ua, "Edge") || strings.Contains(ua, "MSIE") || strings.Contains(ua, "Trident") { checked = true mitm = !info.looksLikeEdge() } else if strings.Contains(ua, "Chrome") { checked = true mitm = !info.looksLikeChrome() } else if strings.Contains(ua, "CriOS") { // Chrome on iOS sometimes uses iOS-provided TLS stack (which looks exactly like Safari) // but for connections that don't render a web page (favicon, etc.) it uses its own... checked = true mitm = !info.looksLikeChrome() && !info.looksLikeSafari() } else if strings.Contains(ua, "Firefox") { checked = true if strings.Contains(ua, "Windows") { ver := getVersion(ua, "Firefox") if ver == 45.0 || ver == 52.0 { mitm = !info.looksLikeTor() } else { mitm = !info.looksLikeFirefox() } } else { mitm = !info.looksLikeFirefox() } } else if strings.Contains(ua, "Safari") { checked = true mitm = !info.looksLikeSafari() } if checked { r = r.WithContext(context.WithValue(r.Context(), MitmCtxKey, mitm)) if mitm { go telemetry.AppendUnique("http_mitm", "likely") } else { go telemetry.AppendUnique("http_mitm", "unlikely") } } else { go telemetry.AppendUnique("http_mitm", "unknown") } if mitm && h.closeOnMITM { // TODO: This termination might need to happen later in the middleware // chain in order to be picked up by the log directive, in case the site // owner still wants to log this event. It'll probably require a new // directive. If this feature is useful, we can finish implementing this. r.Close = true return } h.next.ServeHTTP(w, r) } // getVersion returns a (possibly simplified) representation of the version string // from a UserAgent string. It returns a float, so it can represent major and minor // versions; the rest of the version is just tacked on behind the decimal point. // The purpose of this is to stay simple while allowing for basic, fast comparisons. // If the version for softwareName is not found in ua, -1 is returned. func getVersion(ua, softwareName string) float64 { search := softwareName + "/" start := strings.Index(ua, search) if start < 0 { return -1 } start += len(search) end := strings.Index(ua[start:], " ") if end < 0 { end = len(ua) } else { end += start } strVer := strings.Replace(ua[start:end], "-", "", -1) firstDot := strings.Index(strVer, ".") if firstDot >= 0 { strVer = strVer[:firstDot+1] + strings.Replace(strVer[firstDot+1:], ".", "", -1) } ver, err := strconv.ParseFloat(strVer, 64) if err != nil { return -1 } return ver } // clientHelloConn reads the ClientHello // and stores it in the attached listener. type clientHelloConn struct { net.Conn listener *tlsHelloListener readHello bool // whether ClientHello has been read buf *bytes.Buffer } // Read reads from c.Conn (by letting the standard library // do the reading off the wire), with the exception of // getting a copy of the ClientHello so it can parse it. func (c *clientHelloConn) Read(b []byte) (n int, err error) { // if we've already read the ClientHello, pass thru if c.readHello { return c.Conn.Read(b) } // we let the standard lib read off the wire for us, and // tee that into our buffer so we can read the ClientHello tee := io.TeeReader(c.Conn, c.buf) n, err = tee.Read(b) if err != nil { return } if c.buf.Len() < 5 { return // need to read more bytes for header } // read the header bytes hdr := make([]byte, 5) _, err = io.ReadFull(c.buf, hdr) if err != nil { return // this would be highly unusual and sad } // get length of the ClientHello message and read it length := int(uint16(hdr[3])<<8 | uint16(hdr[4])) if c.buf.Len() < length { return // need to read more bytes } hello := make([]byte, length) _, err = io.ReadFull(c.buf, hello) if err != nil { return } bufpool.Put(c.buf) // buffer no longer needed // parse the ClientHello and store it in the map rawParsed := parseRawClientHello(hello) c.listener.helloInfosMu.Lock() c.listener.helloInfos[c.Conn.RemoteAddr().String()] = rawParsed c.listener.helloInfosMu.Unlock() // report this ClientHello to telemetry chKey := caddytls.ClientHelloInfo(rawParsed).Key() go telemetry.SetNested("tls_client_hello", chKey, rawParsed) go telemetry.AppendUnique("tls_client_hello_count", chKey) c.readHello = true return } // parseRawClientHello parses data which contains the raw // TLS Client Hello message. It extracts relevant information // into info. Any error reading the Client Hello (such as // insufficient length or invalid length values) results in // a silent error and an incomplete info struct, since there // is no good way to handle an error like this during Accept(). // The data is expected to contain the whole ClientHello and // ONLY the ClientHello. // // The majority of this code is borrowed from the Go standard // library, which is (c) The Go Authors. It has been modified // to fit this use case. func parseRawClientHello(data []byte) (info rawHelloInfo) { if len(data) < 42 { return } info.Version = uint16(data[4])<<8 | uint16(data[5]) sessionIDLen := int(data[38]) if sessionIDLen > 32 || len(data) < 39+sessionIDLen { return } data = data[39+sessionIDLen:] if len(data) < 2 { return } // cipherSuiteLen is the number of bytes of cipher suite numbers. Since // they are uint16s, the number must be even. cipherSuiteLen := int(data[0])<<8 | int(data[1]) if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen { return } numCipherSuites := cipherSuiteLen / 2 // read in the cipher suites info.CipherSuites = make([]uint16, numCipherSuites) for i := 0; i < numCipherSuites; i++ { info.CipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i]) } data = data[2+cipherSuiteLen:] if len(data) < 1 { return } // read in the compression methods compressionMethodsLen := int(data[0]) if len(data) < 1+compressionMethodsLen { return } info.CompressionMethods = data[1 : 1+compressionMethodsLen] data = data[1+compressionMethodsLen:] // ClientHello is optionally followed by extension data if len(data) < 2 { return } extensionsLength := int(data[0])<<8 | int(data[1]) data = data[2:] if extensionsLength != len(data) { return } // read in each extension, and extract any relevant information // from extensions we care about for len(data) != 0 { if len(data) < 4 { return } extension := uint16(data[0])<<8 | uint16(data[1]) length := int(data[2])<<8 | int(data[3]) data = data[4:] if len(data) < length { return } // record that the client advertised support for this extension info.Extensions = append(info.Extensions, extension) switch extension { case extensionSupportedCurves: // http://tools.ietf.org/html/rfc4492#section-5.5.1 if length < 2 { return } l := int(data[0])<<8 | int(data[1]) if l%2 == 1 || length != l+2 { return } numCurves := l / 2 info.Curves = make([]tls.CurveID, numCurves) d := data[2:] for i := 0; i < numCurves; i++ { info.Curves[i] = tls.CurveID(d[0])<<8 | tls.CurveID(d[1]) d = d[2:] } case extensionSupportedPoints: // http://tools.ietf.org/html/rfc4492#section-5.5.2 if length < 1 { return } l := int(data[0]) if length != l+1 { return } info.Points = make([]uint8, l) copy(info.Points, data[1:]) } data = data[length:] } return } // newTLSListener returns a new tlsHelloListener that wraps ln. func newTLSListener(ln net.Listener, config *tls.Config) *tlsHelloListener { return &tlsHelloListener{ Listener: ln, config: config, helloInfos: make(map[string]rawHelloInfo), } } // tlsHelloListener is a TLS listener that is specially designed // to read the ClientHello manually so we can extract necessary // information from it. Each ClientHello message is mapped by // the remote address of the client, which must be removed when // the connection is closed (use ConnState). type tlsHelloListener struct { net.Listener config *tls.Config helloInfos map[string]rawHelloInfo helloInfosMu sync.RWMutex } // Accept waits for and returns the next connection to the listener. // After it accepts the underlying connection, it reads the // ClientHello message and stores the parsed data into a map on l. func (l *tlsHelloListener) Accept() (net.Conn, error) { conn, err := l.Listener.Accept() if err != nil { return nil, err } buf := bufpool.Get().(*bytes.Buffer) buf.Reset() helloConn := &clientHelloConn{Conn: conn, listener: l, buf: buf} return tls.Server(helloConn, l.config), nil } // rawHelloInfo contains the "raw" data parsed from the TLS // Client Hello. No interpretation is done on the raw data. // // The methods on this type implement heuristics described // by Durumeric, Halderman, et. al. in // "The Security Impact of HTTPS Interception": // https://jhalderm.com/pub/papers/interception-ndss17.pdf type rawHelloInfo caddytls.ClientHelloInfo // advertisesHeartbeatSupport returns true if info indicates // that the client supports the Heartbeat extension. func (info rawHelloInfo) advertisesHeartbeatSupport() bool { for _, ext := range info.Extensions { if ext == extensionHeartbeat { return true } } return false } // looksLikeFirefox returns true if info looks like a handshake // from a modern version of Firefox. func (info rawHelloInfo) looksLikeFirefox() bool { // "To determine whether a Firefox session has been // intercepted, we check for the presence and order // of extensions, cipher suites, elliptic curves, // EC point formats, and handshake compression methods." (early 2016) // We check for the presence and order of the extensions. // Note: Sometimes 0x15 (21, padding) is present, sometimes not. // Note: Firefox 51+ does not advertise 0x3374 (13172, NPN). // Note: Firefox doesn't advertise 0x0 (0, SNI) when connecting to IP addresses. // Note: Firefox 55+ doesn't appear to advertise 0xFF03 (65283, short headers). It used to be between 5 and 13. // Note: Firefox on Fedora (or RedHat) doesn't include ECC suites because of patent liability. requiredExtensionsOrder := []uint16{23, 65281, 10, 11, 35, 16, 5, 13} if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) { return false } // We check for both presence of curves and their ordering. requiredCurves := []tls.CurveID{29, 23, 24, 25} if len(info.Curves) < len(requiredCurves) { return false } for i := range requiredCurves { if info.Curves[i] != requiredCurves[i] { return false } } if len(info.Curves) > len(requiredCurves) { // newer Firefox (55 Nightly?) may have additional curves at end of list allowedCurves := []tls.CurveID{256, 257} for i := range allowedCurves { if info.Curves[len(requiredCurves)+i] != allowedCurves[i] { return false } } } if hasGreaseCiphers(info.CipherSuites) { return false } // We check for order of cipher suites but not presence, since // according to the paper, cipher suites may be not be added // or reordered by the user, but they may be disabled. expectedCipherSuiteOrder := []uint16{ TLS_AES_128_GCM_SHA256, // 0x1301 TLS_CHACHA20_POLY1305_SHA256, // 0x1303 TLS_AES_256_GCM_SHA384, // 0x1302 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // 0xcca9 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // 0xcca8 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, // 0x33 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, // 0x39 tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // 0xa } return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false) } // looksLikeChrome returns true if info looks like a handshake // from a modern version of Chrome. func (info rawHelloInfo) looksLikeChrome() bool { // "We check for ciphers and extensions that Chrome is known // to not support, but do not check for the inclusion of // specific ciphers or extensions, nor do we validate their // order. When appropriate, we check the presence and order // of elliptic curves, compression methods, and EC point formats." (early 2016) // Not in Chrome 56, but present in Safari 10 (Feb. 2017): // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) // TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) // TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) // TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) // Not in Chrome 56, but present in Firefox 51 (Feb. 2017): // TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) // TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) // TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) // TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) // Selected ciphers present in Chrome mobile (Feb. 2017): // 0xc00a, 0xc014, 0xc009, 0x9c, 0x9d, 0x2f, 0x35, 0xa chromeCipherExclusions := map[uint16]struct{}{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: {}, // 0xc024 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: {}, // 0xc023 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: {}, // 0xc028 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: {}, // 0xc027 TLS_RSA_WITH_AES_256_CBC_SHA256: {}, // 0x3d tls.TLS_RSA_WITH_AES_128_CBC_SHA256: {}, // 0x3c TLS_DHE_RSA_WITH_AES_128_CBC_SHA: {}, // 0x33 TLS_DHE_RSA_WITH_AES_256_CBC_SHA: {}, // 0x39 } for _, ext := range info.CipherSuites { if _, ok := chromeCipherExclusions[ext]; ok { return false } } // Chrome does not include curve 25 (CurveP521) (as of Chrome 56, Feb. 2017). for _, curve := range info.Curves { if curve == 25 { return false } } if !hasGreaseCiphers(info.CipherSuites) { return false } return true } // looksLikeEdge returns true if info looks like a handshake // from a modern version of MS Edge. func (info rawHelloInfo) looksLikeEdge() bool { // "SChannel connections can by uniquely identified because SChannel // is the only TLS library we tested that includes the OCSP status // request extension before the supported groups and EC point formats // extensions." (early 2016) // // More specifically, the OCSP status request extension appears // *directly* before the other two extensions, which occur in that // order. (I contacted the authors for clarification and verified it.) for i, ext := range info.Extensions { if ext == extensionOCSPStatusRequest { if len(info.Extensions) <= i+2 { return false } if info.Extensions[i+1] != extensionSupportedCurves || info.Extensions[i+2] != extensionSupportedPoints { return false } } } for _, cs := range info.CipherSuites { // As of Feb. 2017, Edge does not have 0xff, but Avast adds it if cs == scsvRenegotiation { return false } // Edge and modern IE do not have 0x4 or 0x5, but Blue Coat does if cs == TLS_RSA_WITH_RC4_128_MD5 || cs == tls.TLS_RSA_WITH_RC4_128_SHA { return false } } if hasGreaseCiphers(info.CipherSuites) { return false } return true } // looksLikeSafari returns true if info looks like a handshake // from a modern version of MS Safari. func (info rawHelloInfo) looksLikeSafari() bool { // "One unique aspect of Secure Transport is that it includes // the TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) cipher first, // whereas the other libraries we investigated include the // cipher last. Similar to Microsoft, Apple has changed // TLS behavior in minor OS updates, which are not indicated // in the HTTP User-Agent header. We allow for any of the // updates when validating handshakes, and we check for the // presence and ordering of ciphers, extensions, elliptic // curves, and compression methods." (early 2016) // Note that any C lib (e.g. curl) compiled on macOS // will probably use Secure Transport which will also // share the TLS handshake characteristics of Safari. // We check for the presence and order of the extensions. requiredExtensionsOrder := []uint16{10, 11, 13, 13172, 16, 5, 18, 23} if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) { // Safari on iOS 11 (beta) uses different set/ordering of extensions requiredExtensionsOrderiOS11 := []uint16{65281, 0, 23, 13, 5, 13172, 18, 16, 11, 10} if !assertPresenceAndOrdering(requiredExtensionsOrderiOS11, info.Extensions, true) { return false } } else { // For these versions of Safari, expect TLS_EMPTY_RENEGOTIATION_INFO_SCSV first. if len(info.CipherSuites) < 1 { return false } if info.CipherSuites[0] != scsvRenegotiation { return false } } if hasGreaseCiphers(info.CipherSuites) { return false } // We check for order and presence of cipher suites expectedCipherSuiteOrder := []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, // 0xc024 tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // 0xc023 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, // 0xc028 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, // 0xc027 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013 tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // 0x9d tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // 0x9c TLS_RSA_WITH_AES_256_CBC_SHA256, // 0x3d tls.TLS_RSA_WITH_AES_128_CBC_SHA256, // 0x3c tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35 tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f } return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, true) } // looksLikeTor returns true if the info looks like a ClientHello from Tor browser // (based on Firefox). func (info rawHelloInfo) looksLikeTor() bool { requiredExtensionsOrder := []uint16{10, 11, 16, 5, 13} if !assertPresenceAndOrdering(requiredExtensionsOrder, info.Extensions, true) { return false } // check for session tickets support; Tor doesn't support them to prevent tracking for _, ext := range info.Extensions { if ext == 35 { return false } } // We check for both presence of curves and their ordering, including // an optional curve at the beginning (for Tor based on Firefox 52) infoCurves := info.Curves if len(info.Curves) == 4 { if info.Curves[0] != 29 { return false } infoCurves = info.Curves[1:] } requiredCurves := []tls.CurveID{23, 24, 25} if len(infoCurves) < len(requiredCurves) { return false } for i := range requiredCurves { if infoCurves[i] != requiredCurves[i] { return false } } if hasGreaseCiphers(info.CipherSuites) { return false } // We check for order of cipher suites but not presence, since // according to the paper, cipher suites may be not be added // or reordered by the user, but they may be disabled. expectedCipherSuiteOrder := []uint16{ TLS_AES_128_GCM_SHA256, // 0x1301 TLS_CHACHA20_POLY1305_SHA256, // 0x1303 TLS_AES_256_GCM_SHA384, // 0x1302 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, // 0xc02b tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // 0xc02f tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // 0xcca9 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // 0xcca8 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // 0xc02c tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // 0xc030 tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // 0xc00a tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // 0xc009 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // 0xc013 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // 0xc014 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, // 0x33 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, // 0x39 tls.TLS_RSA_WITH_AES_128_CBC_SHA, // 0x2f tls.TLS_RSA_WITH_AES_256_CBC_SHA, // 0x35 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // 0xa } return assertPresenceAndOrdering(expectedCipherSuiteOrder, info.CipherSuites, false) } // assertPresenceAndOrdering will return true if candidateList contains // the items in requiredItems in the same order as requiredItems. // // If requiredIsSubset is true, then all items in requiredItems must be // present in candidateList. If requiredIsSubset is false, then requiredItems // may contain items that are not in candidateList. // // In all cases, the order of requiredItems is enforced. func assertPresenceAndOrdering(requiredItems, candidateList []uint16, requiredIsSubset bool) bool { superset := requiredItems subset := candidateList if requiredIsSubset { superset = candidateList subset = requiredItems } var j int for _, item := range subset { var found bool for j < len(superset) { if superset[j] == item { found = true break } j++ } if j == len(superset) && !found { return false } } return true } func hasGreaseCiphers(cipherSuites []uint16) bool { for _, cipher := range cipherSuites { if _, ok := greaseCiphers[cipher]; ok { return true } } return false } // pool buffers so we can reuse allocations over time var bufpool = sync.Pool{ New: func() interface{} { return new(bytes.Buffer) }, } var greaseCiphers = map[uint16]struct{}{ 0x0A0A: {}, 0x1A1A: {}, 0x2A2A: {}, 0x3A3A: {}, 0x4A4A: {}, 0x5A5A: {}, 0x6A6A: {}, 0x7A7A: {}, 0x8A8A: {}, 0x9A9A: {}, 0xAAAA: {}, 0xBABA: {}, 0xCACA: {}, 0xDADA: {}, 0xEAEA: {}, 0xFAFA: {}, } // Define variables used for TLS communication const ( extensionOCSPStatusRequest = 5 extensionSupportedCurves = 10 // also called "SupportedGroups" extensionSupportedPoints = 11 extensionHeartbeat = 15 scsvRenegotiation = 0xff // cipher suites missing from the crypto/tls package, // in no particular order here TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xc024 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xc028 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x33 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x39 TLS_RSA_WITH_RC4_128_MD5 = 0x4 // new PSK ciphers introduced by TLS 1.3, not (yet) in crypto/tls // https://tlswg.github.io/tls13-spec/#rfc.appendix.A.4) TLS_AES_128_GCM_SHA256 = 0x1301 TLS_AES_256_GCM_SHA384 = 0x1302 TLS_CHACHA20_POLY1305_SHA256 = 0x1303 TLS_AES_128_CCM_SHA256 = 0x1304 TLS_AES_128_CCM_8_SHA256 = 0x1305 )