Source file src/crypto/tls/defaults.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"internal/godebug"
     9  	"slices"
    10  	_ "unsafe" // for linkname
    11  )
    12  
    13  // Defaults are collected in this file to allow distributions to more easily patch
    14  // them to apply local policies.
    15  
// GODEBUG settings consulted by defaultCurveEnabled for the ML-KEM based key
// exchanges. Setting either one to "0" takes key exchanges out of the default
// set; no other value is tested for in this file.
var (
	// tlsmlkem=0 restores the pre-Go 1.24 default key exchanges. With it set,
	// defaultCurveEnabled reports X25519MLKEM768, SecP256r1MLKEM768 and
	// SecP384r1MLKEM1024 as not enabled by default.
	tlsmlkem = godebug.New("tlsmlkem")

	// tlssecpmlkem=0 restores the pre-Go 1.26 default key exchanges. With it
	// set, defaultCurveEnabled reports SecP256r1MLKEM768 and
	// SecP384r1MLKEM1024 as not enabled by default.
	tlssecpmlkem = godebug.New("tlssecpmlkem")
)
    21  
// defaultCurveEnabled reports whether the key exchange c is part of the
// default set.
//
// The classical exchanges (X25519, P-256, P-384, P-521) are always enabled.
// X25519MLKEM768 is enabled unless tlsmlkem=0. The two SecP*MLKEM exchanges
// need both tlsmlkem and tlssecpmlkem to be something other than "0". Any
// other CurveID is reported as not enabled.
//
// NOTE(review): MLKEM1024 is listed in curvePreferenceOrder but has no case
// here, so it is never enabled by default — confirm that is intended.
func defaultCurveEnabled(c CurveID) bool {
	if c == X25519 || c == CurveP256 || c == CurveP384 || c == CurveP521 {
		return true
	}
	if c == X25519MLKEM768 {
		return tlsmlkem.Value() != "0"
	}
	if c == SecP256r1MLKEM768 || c == SecP384r1MLKEM1024 {
		// tlsmlkem is the broader switch and is checked first; tlssecpmlkem
		// is only consulted when tlsmlkem has not disabled ML-KEM.
		if tlsmlkem.Value() == "0" {
			return false
		}
		return tlssecpmlkem.Value() != "0"
	}
	return false
}
    35  
// curvePreferenceOrder returns the fixed preference order of key exchanges
// (presumably most preferred first — confirm against the callers). Every
// supported key exchange must appear in the list.
//
// Being listed here does not make a key exchange enabled by default; that is
// decided separately by defaultCurveEnabled.
func curvePreferenceOrder() []CurveID {
	order := []CurveID{
		// ML-KEM based key exchanges.
		X25519MLKEM768,
		SecP256r1MLKEM768,
		SecP384r1MLKEM1024,
		MLKEM1024,
		// Classical elliptic-curve key exchanges.
		X25519,
		CurveP256,
		CurveP384,
		CurveP521,
	}
	return order
}
    44  
// defaultSupportedSignatureAlgorithms returns the signature and hash
// algorithms that the code advertises and supports in a TLS 1.2+ ClientHello
// and in a TLS 1.2+ CertificateRequest. The two fields are merged to match
// TLS 1.3. Note that in TLS 1.2 the ECDSA algorithms are not constrained to
// P-256, etc.
//
// NOTE(review): the SHA-1 based schemes (PKCS1WithSHA1, ECDSAWithSHA1) are
// still part of this list, in the last two positions. Whether they are
// filtered out before use is decided outside this function — confirm against
// the callers before relying on this list as policy.
func defaultSupportedSignatureAlgorithms() []SignatureScheme {
	schemes := []SignatureScheme{
		// ML-DSA.
		MLDSA44,
		MLDSA65,
		MLDSA87,

		PSSWithSHA256,
		ECDSAWithP256AndSHA256,
		Ed25519,
		PSSWithSHA384,
		PSSWithSHA512,
		PKCS1WithSHA256,
		PKCS1WithSHA384,
		PKCS1WithSHA512,
		ECDSAWithP384AndSHA384,
		ECDSAWithP521AndSHA512,

		// SHA-1 based schemes.
		PKCS1WithSHA1,
		ECDSAWithSHA1,
	}
	return schemes
}
    68  
// supportedCipherSuites returns a copy of the cipher suite preference list:
// cipherSuitesPreferenceOrder when aesGCMPreferred is true, otherwise
// cipherSuitesPreferenceOrderNoAES.
//
// The result is always a clone, so callers may modify it without touching the
// package-level lists.
func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
	if !aesGCMPreferred {
		return slices.Clone(cipherSuitesPreferenceOrderNoAES)
	}
	return slices.Clone(cipherSuitesPreferenceOrder)
}
    76  
// defaultCipherSuites returns the supported cipher suites, in the order given
// by supportedCipherSuites(aesGCMPreferred), with every suite marked in
// disabledCipherSuites removed.
func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
	isDisabled := func(id uint16) bool {
		return disabledCipherSuites[id]
	}
	// slices.DeleteFunc edits its argument in place; that is safe here because
	// supportedCipherSuites hands back a clone of the package-level list.
	return slices.DeleteFunc(supportedCipherSuites(aesGCMPreferred), isDisabled)
}
    83  
    84  // defaultCipherSuitesTLS13 holds the default TLS 1.3 cipher suites and doubles as
    85  // the preference order, since no TLS 1.3 cipher suite is disabled by default. The
    86  // same AES vs ChaCha20 logic as cipherSuitesPreferenceOrder applies; AES-GCM is first here.
    87  //
    88  // defaultCipherSuitesTLS13 should be an internal detail,
    89  // but widely used packages access it using linkname.
    90  // Notable members of the hall of shame include:
    91  //   - github.com/quic-go/quic-go
    92  //   - github.com/sagernet/quic-go
    93  //
    94  // Do not remove or change the type signature.
    95  // See go.dev/issue/67401. NOTE(review): linkname users get the slice itself, not a copy — presumably read-only; confirm.
    96  //
    97  //go:linkname defaultCipherSuitesTLS13
    98  var defaultCipherSuitesTLS13 = []uint16{
    99  	TLS_AES_128_GCM_SHA256,
   100  	TLS_AES_256_GCM_SHA384,
   101  	TLS_CHACHA20_POLY1305_SHA256,
   102  }
   103  
   104  // defaultCipherSuitesTLS13NoAES holds the same three TLS 1.3 suites with ChaCha20-Poly1305
   105  // first. It should be an internal detail, but widely used packages access it using linkname.
   106  // Notable members of the hall of shame include:
   107  //   - github.com/quic-go/quic-go
   108  //   - github.com/sagernet/quic-go
   109  //
   110  // Do not remove or change the type signature.
   111  // See go.dev/issue/67401. NOTE(review): linkname users get the slice itself, not a copy — presumably read-only; confirm.
   112  //
   113  //go:linkname defaultCipherSuitesTLS13NoAES
   114  var defaultCipherSuitesTLS13NoAES = []uint16{
   115  	TLS_CHACHA20_POLY1305_SHA256,
   116  	TLS_AES_128_GCM_SHA256,
   117  	TLS_AES_256_GCM_SHA384,
   118  }
   119  
