Source file src/crypto/tls/defaults.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"internal/godebug"
     9  	"slices"
    10  	_ "unsafe" // for linkname
    11  )
    12  
    13  // Defaults are collected in this file to allow distributions to more easily patch
    14  // them to apply local policies.
    15  
// tlskyber is the GODEBUG setting read by defaultCurvePreferences. Only the
// exact value "0" removes x25519Kyber768Draft00 from the default curve list;
// any other value, including unset, keeps it.
var tlskyber = godebug.New("tlskyber")
    17  
// defaultCurvePreferences returns the default CurveID list, built fresh on
// every call. With GODEBUG tlskyber=0 the list holds only X25519 and the three
// NIST curves; otherwise x25519Kyber768Draft00 is placed at the front.
func defaultCurvePreferences() []CurveID {
	switch tlskyber.Value() {
	case "0":
		// Kyber hybrid explicitly switched off by the operator.
		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
	default:
		// For now, x25519Kyber768Draft00 must always be followed by X25519.
		return []CurveID{x25519Kyber768Draft00, X25519, CurveP256, CurveP384, CurveP521}
	}
}
    25  
// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
// the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
// CertificateRequest. The two fields are merged to match with TLS 1.3.
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
//
// The two SHA-1 schemes are still part of this list and sit at its very end;
// defaultSupportedSignatureAlgorithmsFIPS leaves them out.
var defaultSupportedSignatureAlgorithms = []SignatureScheme{
	PSSWithSHA256,
	ECDSAWithP256AndSHA256,
	Ed25519,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	PKCS1WithSHA384,
	PKCS1WithSHA512,
	ECDSAWithP384AndSHA384,
	ECDSAWithP521AndSHA512,
	// SHA-1 based schemes, kept as the last two entries.
	// NOTE(review): presumably retained for legacy peers; confirm before relying on them.
	PKCS1WithSHA1,
	ECDSAWithSHA1,
}
    44  
// tlsrsakex and tls3des are GODEBUG settings read by defaultCipherSuites.
// Unless a setting is exactly "1", the suites flagged in rsaKexCiphers (for
// tlsrsakex) or tdesCiphers (for tls3des) are filtered out of the default
// list. Both maps are defined outside this file.
// NOTE(review): setting either one to "1" opts back in to suites that are
// otherwise off by default; treat it as a recorded policy exception.
var tlsrsakex = godebug.New("tlsrsakex")
var tls3des = godebug.New("tls3des")
    47  
// defaultCipherSuites returns a copy of cipherSuitesPreferenceOrder with the
// suites that are off by default removed. A suite is dropped when it is in
// disabledCipherSuites, when it is in rsaKexCiphers and GODEBUG tlsrsakex is
// not "1", or when it is in tdesCiphers and GODEBUG tls3des is not "1".
func defaultCipherSuites() []uint16 {
	// Filter a clone so the shared preference-order slice is never modified.
	candidates := slices.Clone(cipherSuitesPreferenceOrder)

	// offByDefault reports whether the suite must be left out of the defaults.
	offByDefault := func(id uint16) bool {
		switch {
		case disabledCipherSuites[id]:
			return true
		case tlsrsakex.Value() != "1" && rsaKexCiphers[id]:
			return true
		case tls3des.Value() != "1" && tdesCiphers[id]:
			return true
		}
		return false
	}
	return slices.DeleteFunc(candidates, offByDefault)
}
    56  
// defaultCipherSuitesTLS13 is also the preference order, since there are no
// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
// cipherSuitesPreferenceOrder applies.
//
// In this variant both AES-GCM suites are listed ahead of ChaCha20-Poly1305;
// defaultCipherSuitesTLS13NoAES holds the same suites with ChaCha20 first.
//
// defaultCipherSuitesTLS13 should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
//go:linkname defaultCipherSuitesTLS13
var defaultCipherSuitesTLS13 = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	TLS_CHACHA20_POLY1305_SHA256,
}
    76  
// defaultCipherSuitesTLS13NoAES lists the same three suites as
// defaultCipherSuitesTLS13 with TLS_CHACHA20_POLY1305_SHA256 moved to the
// front. No suite is removed; only the order changes.
// NOTE(review): presumably chosen when AES hardware support is missing; the
// selection logic is not in this file, so confirm against the caller.
//
// defaultCipherSuitesTLS13NoAES should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
//go:linkname defaultCipherSuitesTLS13NoAES
var defaultCipherSuitesTLS13NoAES = []uint16{
	TLS_CHACHA20_POLY1305_SHA256,
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
    92  
// defaultSupportedVersionsFIPS lists the protocol versions of the FIPS
// defaults. VersionTLS12 is the only entry.
// NOTE(review): TLS 1.3 is absent here even though this file also defines
// defaultCipherSuitesTLS13FIPS; check the consumers of both lists to see
// which one governs before assuming TLS 1.3 is negotiable in FIPS mode.
var defaultSupportedVersionsFIPS = []uint16{
	VersionTLS12,
}
    96  
// defaultCurvePreferencesFIPS are the FIPS-allowed curves,
// in preference order (most preferable first).
// Unlike the list built by defaultCurvePreferences, it contains neither
// X25519 nor x25519Kyber768Draft00, and it does not depend on GODEBUG.
var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}
   100  
// defaultSupportedSignatureAlgorithmsFIPS is currently a subset of
// defaultSupportedSignatureAlgorithms without Ed25519 and the SHA-1 schemes.
// The relative order of the remaining entries is not the same as in
// defaultSupportedSignatureAlgorithms: the three PSS schemes come first here.
var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
	PSSWithSHA256,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	ECDSAWithP256AndSHA256,
	PKCS1WithSHA384,
	ECDSAWithP384AndSHA384,
	PKCS1WithSHA512,
	ECDSAWithP521AndSHA512,
}
   114  
// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
// The list is a fixed literal: it is not derived from
// cipherSuitesPreferenceOrder and is not filtered by the tlsrsakex or tls3des
// GODEBUG settings that defaultCipherSuites applies.
var defaultCipherSuitesFIPS = []uint16{
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	// NOTE(review): the two TLS_RSA_* entries carry no ECDHE in their names.
	// If they are members of rsaKexCiphers (defined elsewhere), this list
	// offers suites that the non-FIPS defaults drop unless tlsrsakex=1; confirm.
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
}
   124  
// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
// Compared with defaultCipherSuitesTLS13, TLS_CHACHA20_POLY1305_SHA256 is
// left out and the two AES-GCM suites keep their order.
var defaultCipherSuitesTLS13FIPS = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
   130  
