// Copyright 2024 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package tls import ( "internal/godebug" "slices" _ "unsafe" // for linkname ) // Defaults are collected in this file to allow distributions to more easily patch // them to apply local policies. var tlsmlkem = godebug.New("tlsmlkem") // defaultCurvePreferences is the default set of supported key exchanges, as // well as the preference order. func defaultCurvePreferences() []CurveID { if tlsmlkem.Value() == "0" { return []CurveID{X25519, CurveP256, CurveP384, CurveP521} } return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521} } // defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that // the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+ // CertificateRequest. The two fields are merged to match with TLS 1.3. // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc. var defaultSupportedSignatureAlgorithms = []SignatureScheme{ PSSWithSHA256, ECDSAWithP256AndSHA256, Ed25519, PSSWithSHA384, PSSWithSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA1, ECDSAWithSHA1, } var tlsrsakex = godebug.New("tlsrsakex") var tls3des = godebug.New("tls3des") func defaultCipherSuites() []uint16 { suites := slices.Clone(cipherSuitesPreferenceOrder) return slices.DeleteFunc(suites, func(c uint16) bool { return disabledCipherSuites[c] || tlsrsakex.Value() != "1" && rsaKexCiphers[c] || tls3des.Value() != "1" && tdesCiphers[c] }) } // defaultCipherSuitesTLS13 is also the preference order, since there are no // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as // cipherSuitesPreferenceOrder applies. // // defaultCipherSuitesTLS13 should be an internal detail, // but widely used packages access it using linkname. // Notable members of the hall of shame include: // - github.com/quic-go/quic-go // - github.com/sagernet/quic-go // // Do not remove or change the type signature. // See go.dev/issue/67401. // //go:linkname defaultCipherSuitesTLS13 var defaultCipherSuitesTLS13 = []uint16{ TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, } // defaultCipherSuitesTLS13NoAES should be an internal detail, // but widely used packages access it using linkname. // Notable members of the hall of shame include: // - github.com/quic-go/quic-go // - github.com/sagernet/quic-go // // Do not remove or change the type signature. // See go.dev/issue/67401. // //go:linkname defaultCipherSuitesTLS13NoAES var defaultCipherSuitesTLS13NoAES = []uint16{ TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, } // The FIPS-only policies below match BoringSSL's // ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2. // https://cs.opensource.google/boringssl/boringssl/+/master:ssl/ssl_lib.cc;l=3289;drc=ea7a88fa var defaultSupportedVersionsFIPS = []uint16{ VersionTLS12, VersionTLS13, } // defaultCurvePreferencesFIPS are the FIPS-allowed curves, // in preference order (most preferable first). var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384} // defaultSupportedSignatureAlgorithmsFIPS currently are a subset of // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1. var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{ PSSWithSHA256, PSSWithSHA384, PSSWithSHA512, PKCS1WithSHA256, ECDSAWithP256AndSHA256, PKCS1WithSHA384, ECDSAWithP384AndSHA384, PKCS1WithSHA512, } // defaultCipherSuitesFIPS are the FIPS-allowed cipher suites. var defaultCipherSuitesFIPS = []uint16{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, } // defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3. var defaultCipherSuitesTLS13FIPS = []uint16{ TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, }