Source file src/crypto/tls/defaults.go 

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"internal/godebug"
     9  	"slices"
    10  	_ "unsafe" // for linkname
    11  )
    12  
    13  // Defaults are collected in this file to allow distributions to more easily patch
    14  // them to apply local policies.
    15  
    16  var tlsmlkem = godebug.New("tlsmlkem")
    17  
    18  // defaultCurvePreferences is the default set of supported key exchanges, as
    19  // well as the preference order.
    20  func defaultCurvePreferences() []CurveID {
    21  	if tlsmlkem.Value() == "0" {
    22  		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
    23  	}
    24  	return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
    25  }
    26  
    27  // defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
    28  // the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
    29  // CertificateRequest. The two fields are merged to match with TLS 1.3.
    30  // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
    31  var defaultSupportedSignatureAlgorithms = []SignatureScheme{
    32  	PSSWithSHA256,
    33  	ECDSAWithP256AndSHA256,
    34  	Ed25519,
    35  	PSSWithSHA384,
    36  	PSSWithSHA512,
    37  	PKCS1WithSHA256,
    38  	PKCS1WithSHA384,
    39  	PKCS1WithSHA512,
    40  	ECDSAWithP384AndSHA384,
    41  	ECDSAWithP521AndSHA512,
    42  	PKCS1WithSHA1,
    43  	ECDSAWithSHA1,
    44  }
    45  
    46  var tlsrsakex = godebug.New("tlsrsakex")
    47  var tls3des = godebug.New("tls3des")
    48  
    49  func defaultCipherSuites() []uint16 {
    50  	suites := slices.Clone(cipherSuitesPreferenceOrder)
    51  	return slices.DeleteFunc(suites, func(c uint16) bool {
    52  		return disabledCipherSuites[c] ||
    53  			tlsrsakex.Value() != "1" && rsaKexCiphers[c] ||
    54  			tls3des.Value() != "1" && tdesCiphers[c]
    55  	})
    56  }
    57  
    58  // defaultCipherSuitesTLS13 is also the preference order, since there are no
    59  // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
    60  // cipherSuitesPreferenceOrder applies.
    61  //
    62  // defaultCipherSuitesTLS13 should be an internal detail,
    63  // but widely used packages access it using linkname.
    64  // Notable members of the hall of shame include:
    65  //   - github.com/quic-go/quic-go
    66  //   - github.com/sagernet/quic-go
    67  //
    68  // Do not remove or change the type signature.
    69  // See go.dev/issue/67401.
    70  //
    71  //go:linkname defaultCipherSuitesTLS13
    72  var defaultCipherSuitesTLS13 = []uint16{
    73  	TLS_AES_128_GCM_SHA256,
    74  	TLS_AES_256_GCM_SHA384,
    75  	TLS_CHACHA20_POLY1305_SHA256,
    76  }
    77  
    78  // defaultCipherSuitesTLS13NoAES should be an internal detail,
    79  // but widely used packages access it using linkname.
    80  // Notable members of the hall of shame include:
    81  //   - github.com/quic-go/quic-go
    82  //   - github.com/sagernet/quic-go
    83  //
    84  // Do not remove or change the type signature.
    85  // See go.dev/issue/67401.
    86  //
    87  //go:linkname defaultCipherSuitesTLS13NoAES
    88  var defaultCipherSuitesTLS13NoAES = []uint16{
    89  	TLS_CHACHA20_POLY1305_SHA256,
    90  	TLS_AES_128_GCM_SHA256,
    91  	TLS_AES_256_GCM_SHA384,
    92  }
    93  
    94  // The FIPS-only policies below match BoringSSL's
    95  // ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2.
    96  // https://cs.opensource.google/boringssl/boringssl/+/master:ssl/ssl_lib.cc;l=3289;drc=ea7a88fa
    97  
    98  var defaultSupportedVersionsFIPS = []uint16{
    99  	VersionTLS12,
   100  	VersionTLS13,
   101  }
   102  
   103  // defaultCurvePreferencesFIPS are the FIPS-allowed curves,
   104  // in preference order (most preferable first).
   105  var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384}
   106  
   107  // defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
   108  // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
   109  var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
   110  	PSSWithSHA256,
   111  	PSSWithSHA384,
   112  	PSSWithSHA512,
   113  	PKCS1WithSHA256,
   114  	ECDSAWithP256AndSHA256,
   115  	PKCS1WithSHA384,
   116  	ECDSAWithP384AndSHA384,
   117  	PKCS1WithSHA512,
   118  }
   119  
   120  // defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
   121  var defaultCipherSuitesFIPS = []uint16{
   122  	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   123  	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
   124  	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
   125  	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
   126  }
   127  
   128  // defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
   129  var defaultCipherSuitesTLS13FIPS = []uint16{
   130  	TLS_AES_128_GCM_SHA256,
   131  	TLS_AES_256_GCM_SHA384,
   132  }
   133  

View as plain text

go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.