2021-06-25 12:39:45 +02:00
|
|
|
package netxlite
|
2021-02-02 12:05:47 +01:00
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
2021-06-08 15:39:25 +02:00
|
|
|
"crypto/x509"
|
|
|
|
"errors"
|
2021-02-02 12:05:47 +01:00
|
|
|
"fmt"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
tlsVersionString = map[uint16]string{
|
|
|
|
tls.VersionTLS10: "TLSv1",
|
|
|
|
tls.VersionTLS11: "TLSv1.1",
|
|
|
|
tls.VersionTLS12: "TLSv1.2",
|
|
|
|
tls.VersionTLS13: "TLSv1.3",
|
|
|
|
0: "", // guarantee correct behaviour
|
|
|
|
}
|
|
|
|
|
|
|
|
tlsCipherSuiteString = map[uint16]string{
|
|
|
|
tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256: "TLS_RSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256: "TLS_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384: "TLS_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
|
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
|
|
|
tls.TLS_AES_128_GCM_SHA256: "TLS_AES_128_GCM_SHA256",
|
|
|
|
tls.TLS_AES_256_GCM_SHA384: "TLS_AES_256_GCM_SHA384",
|
|
|
|
tls.TLS_CHACHA20_POLY1305_SHA256: "TLS_CHACHA20_POLY1305_SHA256",
|
|
|
|
0: "", // guarantee correct behaviour
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2021-06-25 12:39:45 +02:00
|
|
|
// TLSVersionString returns a TLS version string.
|
|
|
|
func TLSVersionString(value uint16) string {
|
2021-02-02 12:05:47 +01:00
|
|
|
if str, found := tlsVersionString[value]; found {
|
|
|
|
return str
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("TLS_VERSION_UNKNOWN_%d", value)
|
|
|
|
}
|
|
|
|
|
2021-06-25 12:39:45 +02:00
|
|
|
// TLSCipherSuiteString returns the TLS cipher suite as a string.
|
|
|
|
func TLSCipherSuiteString(value uint16) string {
|
2021-02-02 12:05:47 +01:00
|
|
|
if str, found := tlsCipherSuiteString[value]; found {
|
|
|
|
return str
|
|
|
|
}
|
|
|
|
return fmt.Sprintf("TLS_CIPHER_SUITE_UNKNOWN_%d", value)
|
|
|
|
}
|
2021-06-08 15:39:25 +02:00
|
|
|
|
|
|
|
// NewDefaultCertPool returns a copy of the default x509
|
|
|
|
// certificate pool that we bundle from Mozilla.
|
|
|
|
func NewDefaultCertPool() *x509.CertPool {
|
|
|
|
pool := x509.NewCertPool()
|
|
|
|
// Assumption: AppendCertsFromPEM cannot fail because we
|
|
|
|
// run this function already in the generate.go file
|
|
|
|
pool.AppendCertsFromPEM([]byte(pemcerts))
|
|
|
|
return pool
|
|
|
|
}
|
|
|
|
|
|
|
|
// ErrInvalidTLSVersion indicates that you passed us a string
|
|
|
|
// that does not represent a valid TLS version.
|
|
|
|
var ErrInvalidTLSVersion = errors.New("invalid TLS version")
|
|
|
|
|
|
|
|
// ConfigureTLSVersion configures the correct TLS version into
|
|
|
|
// the specified *tls.Config or returns an error.
|
|
|
|
func ConfigureTLSVersion(config *tls.Config, version string) error {
|
|
|
|
switch version {
|
|
|
|
case "TLSv1.3":
|
|
|
|
config.MinVersion = tls.VersionTLS13
|
|
|
|
config.MaxVersion = tls.VersionTLS13
|
|
|
|
case "TLSv1.2":
|
|
|
|
config.MinVersion = tls.VersionTLS12
|
|
|
|
config.MaxVersion = tls.VersionTLS12
|
|
|
|
case "TLSv1.1":
|
|
|
|
config.MinVersion = tls.VersionTLS11
|
|
|
|
config.MaxVersion = tls.VersionTLS11
|
|
|
|
case "TLSv1.0", "TLSv1":
|
|
|
|
config.MinVersion = tls.VersionTLS10
|
|
|
|
config.MaxVersion = tls.VersionTLS10
|
|
|
|
case "":
|
|
|
|
// nothing
|
|
|
|
default:
|
|
|
|
return ErrInvalidTLSVersion
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|