AudriusButkevicius · March 6, 2016 21:19
diff --git a/tls-patch.diff b/tls-patch.diff
 diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
 index 224ed1b..badf640 100644
 --- a/src/crypto/tls/cipher_suites.go
 +++ b/src/crypto/tls/cipher_suites.go
 @@ -9,6 +9,7 @@ import (
        "crypto/cipher"
        "crypto/des"
        "crypto/hmac"
 +       "crypto/md5"
        "crypto/rc4"
        "crypto/sha1"
        "crypto/x509"
 @@ -92,6 +93,8 @@ var cipherSuites = []*cipherSuite{
        {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
        {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
        {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
 +       {TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteDefaultOff, cipherNULL, macSHA1, nil},
 +       {TLS_RSA_WITH_NULL_MD5, 0, 16, 0, rsaKA, suiteDefaultOff, cipherNULL, macMD5, nil},
 }

 func cipherRC4(key, iv []byte, isRead bool) interface{} {
 @@ -115,6 +118,19 @@ func cipherAES(key, iv []byte, isRead bool) interface{} {
        return cipher.NewCBCEncrypter(block, iv)
 }

 +type nullCipher struct{}
 +
 +func (nullCipher) XORKeyStream(_, _ []byte) {}
 +
 +func cipherNULL(key, iv []byte, isRead bool) interface{} {
 +       return nullCipher{}
 +}
 +
 +// macMD5 returns a macFunction for the given protocol version.
 +func macMD5(version uint16, key []byte) macFunction {
 +       return tls10MAC{hmac.New(md5.New, key)}
 +}
 +
 // macSHA1 returns a macFunction for the given protocol version.
 func macSHA1(version uint16, key []byte) macFunction {
        if version == VersionSSL30 {
 @@ -281,6 +297,8 @@ const (
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
 +       TLS_RSA_WITH_NULL_SHA                   uint16 = 0x0002
 +       TLS_RSA_WITH_NULL_MD5                   uint16 = 0x0001

        // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
        // that the client is doing version fallback. See
	diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
	index 224ed1b..badf640 100644
	--- a/src/crypto/tls/cipher_suites.go
	+++ b/src/crypto/tls/cipher_suites.go
	@@ -9,6 +9,7 @@ import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	+ "crypto/md5"
	"crypto/rc4"
	"crypto/sha1"
	"crypto/x509"
	@@ -92,6 +93,8 @@ var cipherSuites = []*cipherSuite{
	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
	+ {TLS_RSA_WITH_NULL_SHA, 0, 20, 0, rsaKA, suiteDefaultOff, cipherNULL, macSHA1, nil},
	+ {TLS_RSA_WITH_NULL_MD5, 0, 16, 0, rsaKA, suiteDefaultOff, cipherNULL, macMD5, nil},
	}

	func cipherRC4(key, iv []byte, isRead bool) interface{} {
	@@ -115,6 +118,19 @@ func cipherAES(key, iv []byte, isRead bool) interface{} {
	return cipher.NewCBCEncrypter(block, iv)
	}

	+type nullCipher struct{}
	+
	+func (nullCipher) XORKeyStream(_, _ []byte) {}
	+
	+func cipherNULL(key, iv []byte, isRead bool) interface{} {
	+ return nullCipher{}
	+}
	+
	+// macMD5 returns a macFunction for the given protocol version.
	+func macMD5(version uint16, key []byte) macFunction {
	+ return tls10MAC{hmac.New(md5.New, key)}
	+}
	+
	// macSHA1 returns a macFunction for the given protocol version.
	func macSHA1(version uint16, key []byte) macFunction {
	if version == VersionSSL30 {
	@@ -281,6 +297,8 @@ const (
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
	+ TLS_RSA_WITH_NULL_SHA uint16 = 0x0002
	+ TLS_RSA_WITH_NULL_MD5 uint16 = 0x0001

	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
	// that the client is doing version fallback. See