defaults.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"internal/godebug"
     9  	"slices"
    10  	_ "unsafe" // for linkname
    11  )
    12  
    13  // Defaults are collected in this file to allow distributions to more easily patch
    14  // them to apply local policies.
    15  
    16  var tlsmlkem = godebug.New("tlsmlkem")
    17  var tlssecpmlkem = godebug.New("tlssecpmlkem")
    18  
    19  // defaultCurvePreferences is the default set of supported key exchanges, as
    20  // well as the preference order.
    21  func defaultCurvePreferences() []CurveID {
    22  	switch {
    23  	// tlsmlkem=0 restores the pre-Go 1.24 default.
    24  	case tlsmlkem.Value() == "0":
    25  		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
    26  	// tlssecpmlkem=0 restores the pre-Go 1.26 default.
    27  	case tlssecpmlkem.Value() == "0":
    28  		return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
    29  	default:
    30  		return []CurveID{
    31  			X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024,
    32  			X25519, CurveP256, CurveP384, CurveP521,
    33  		}
    34  	}
    35  }
    36  
    37  // defaultSupportedSignatureAlgorithms returns the signature and hash algorithms that
    38  // the code advertises and supports in a TLS 1.2+ ClientHello and in a TLS 1.2+
    39  // CertificateRequest. The two fields are merged to match with TLS 1.3.
    40  // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
    41  func defaultSupportedSignatureAlgorithms() []SignatureScheme {
    42  	return []SignatureScheme{
    43  		PSSWithSHA256,
    44  		ECDSAWithP256AndSHA256,
    45  		Ed25519,
    46  		PSSWithSHA384,
    47  		PSSWithSHA512,
    48  		PKCS1WithSHA256,
    49  		PKCS1WithSHA384,
    50  		PKCS1WithSHA512,
    51  		ECDSAWithP384AndSHA384,
    52  		ECDSAWithP521AndSHA512,
    53  		PKCS1WithSHA1,
    54  		ECDSAWithSHA1,
    55  	}
    56  }
    57  
    58  var tlsrsakex = godebug.New("tlsrsakex")
    59  var tls3des = godebug.New("tls3des")
    60  
    61  func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
    62  	if aesGCMPreferred {
    63  		return slices.Clone(cipherSuitesPreferenceOrder)
    64  	} else {
    65  		return slices.Clone(cipherSuitesPreferenceOrderNoAES)
    66  	}
    67  }
    68  
    69  func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
    70  	cipherSuites := supportedCipherSuites(aesGCMPreferred)
    71  	return slices.DeleteFunc(cipherSuites, func(c uint16) bool {
    72  		return disabledCipherSuites[c] ||
    73  			tlsrsakex.Value() != "1" && rsaKexCiphers[c] ||
    74  			tls3des.Value() != "1" && tdesCiphers[c]
    75  	})
    76  }
    77  
    78  // defaultCipherSuitesTLS13 is also the preference order, since there are no
    79  // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
    80  // cipherSuitesPreferenceOrder applies.
    81  //
    82  // defaultCipherSuitesTLS13 should be an internal detail,
    83  // but widely used packages access it using linkname.
    84  // Notable members of the hall of shame include:
    85  //   - github.com/quic-go/quic-go
    86  //   - github.com/sagernet/quic-go
    87  //
    88  // Do not remove or change the type signature.
    89  // See go.dev/issue/67401.
    90  //
    91  //go:linkname defaultCipherSuitesTLS13
    92  var defaultCipherSuitesTLS13 = []uint16{
    93  	TLS_AES_128_GCM_SHA256,
    94  	TLS_AES_256_GCM_SHA384,
    95  	TLS_CHACHA20_POLY1305_SHA256,
    96  }
    97  
    98  // defaultCipherSuitesTLS13NoAES should be an internal detail,
    99  // but widely used packages access it using linkname.
   100  // Notable members of the hall of shame include:
   101  //   - github.com/quic-go/quic-go
   102  //   - github.com/sagernet/quic-go
   103  //
   104  // Do not remove or change the type signature.
   105  // See go.dev/issue/67401.
   106  //
   107  //go:linkname defaultCipherSuitesTLS13NoAES
   108  var defaultCipherSuitesTLS13NoAES = []uint16{
   109  	TLS_CHACHA20_POLY1305_SHA256,
   110  	TLS_AES_128_GCM_SHA256,
   111  	TLS_AES_256_GCM_SHA384,
   112  }
   113
View as plain text