src/crypto/tls/defaults.go - go - Git at Google

 // Copyright 2024 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package tls

 import (
 	"internal/godebug"
 	"slices"
 	_ "unsafe" // for linkname
 )

 // Defaults are collected in this file to allow distributions to more easily patch
 // them to apply local policies.

 var tlskyber = godebug.New("tlskyber")

 func defaultCurvePreferences() []CurveID {
 	if tlskyber.Value() == "0" {
 		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
 	}
 	// For now, x25519Kyber768Draft00 must always be followed by X25519.
 	return []CurveID{x25519Kyber768Draft00, X25519, CurveP256, CurveP384, CurveP521}
 }

 // defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
 // the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
 // CertificateRequest. The two fields are merged to match with TLS 1.3.
 // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
 var defaultSupportedSignatureAlgorithms = []SignatureScheme{
 	PSSWithSHA256,
 	ECDSAWithP256AndSHA256,
 	Ed25519,
 	PSSWithSHA384,
 	PSSWithSHA512,
 	PKCS1WithSHA256,
 	PKCS1WithSHA384,
 	PKCS1WithSHA512,
 	ECDSAWithP384AndSHA384,
 	ECDSAWithP521AndSHA512,
 	PKCS1WithSHA1,
 	ECDSAWithSHA1,
 }

 var tlsrsakex = godebug.New("tlsrsakex")
 var tls3des = godebug.New("tls3des")

 func defaultCipherSuites() []uint16 {
 	suites := slices.Clone(cipherSuitesPreferenceOrder)
 	return slices.DeleteFunc(suites, func(c uint16) bool {
 		return disabledCipherSuites[c] ||
 			tlsrsakex.Value() != "1" && rsaKexCiphers[c] ||
 			tls3des.Value() != "1" && tdesCiphers[c]
 	})
 }

 // defaultCipherSuitesTLS13 is also the preference order, since there are no
 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
 // cipherSuitesPreferenceOrder applies.
 //
 // defaultCipherSuitesTLS13 should be an internal detail,
 // but widely used packages access it using linkname.
 // Notable members of the hall of shame include:
 //   - github.com/quic-go/quic-go
 //   - github.com/sagernet/quic-go
 //
 // Do not remove or change the type signature.
 // See go.dev/issue/67401.
 //
 //go:linkname defaultCipherSuitesTLS13
 var defaultCipherSuitesTLS13 = []uint16{
 	TLS_AES_128_GCM_SHA256,
 	TLS_AES_256_GCM_SHA384,
 	TLS_CHACHA20_POLY1305_SHA256,
 }

 // defaultCipherSuitesTLS13NoAES should be an internal detail,
 // but widely used packages access it using linkname.
 // Notable members of the hall of shame include:
 //   - github.com/quic-go/quic-go
 //   - github.com/sagernet/quic-go
 //
 // Do not remove or change the type signature.
 // See go.dev/issue/67401.
 //
 //go:linkname defaultCipherSuitesTLS13NoAES
 var defaultCipherSuitesTLS13NoAES = []uint16{
 	TLS_CHACHA20_POLY1305_SHA256,
 	TLS_AES_128_GCM_SHA256,
 	TLS_AES_256_GCM_SHA384,
 }

 var defaultSupportedVersionsFIPS = []uint16{
 	VersionTLS12,
 }

 // defaultCurvePreferencesFIPS are the FIPS-allowed curves,
 // in preference order (most preferable first).
 var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}

 // defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
 // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
 var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
 	PSSWithSHA256,
 	PSSWithSHA384,
 	PSSWithSHA512,
 	PKCS1WithSHA256,
 	ECDSAWithP256AndSHA256,
 	PKCS1WithSHA384,
 	ECDSAWithP384AndSHA384,
 	PKCS1WithSHA512,
 	ECDSAWithP521AndSHA512,
 }

 // defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
 var defaultCipherSuitesFIPS = []uint16{
 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	TLS_RSA_WITH_AES_128_GCM_SHA256,
 	TLS_RSA_WITH_AES_256_GCM_SHA384,
 }

 // defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
 var defaultCipherSuitesTLS13FIPS = []uint16{
 	TLS_AES_128_GCM_SHA256,
 	TLS_AES_256_GCM_SHA384,
 }
	// Copyright 2024 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package tls

	import (
	"internal/godebug"
	"slices"
	_ "unsafe" // for linkname
	)

	// Defaults are collected in this file to allow distributions to more easily patch
	// them to apply local policies.

	var tlskyber = godebug.New("tlskyber")

	func defaultCurvePreferences() []CurveID {
	if tlskyber.Value() == "0" {
	return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
	}
	// For now, x25519Kyber768Draft00 must always be followed by X25519.
	return []CurveID{x25519Kyber768Draft00, X25519, CurveP256, CurveP384, CurveP521}
	}

	// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
	// the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
	// CertificateRequest. The two fields are merged to match with TLS 1.3.
	// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
	var defaultSupportedSignatureAlgorithms = []SignatureScheme{
	PSSWithSHA256,
	ECDSAWithP256AndSHA256,
	Ed25519,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	PKCS1WithSHA384,
	PKCS1WithSHA512,
	ECDSAWithP384AndSHA384,
	ECDSAWithP521AndSHA512,
	PKCS1WithSHA1,
	ECDSAWithSHA1,
	}

	var tlsrsakex = godebug.New("tlsrsakex")
	var tls3des = godebug.New("tls3des")

	func defaultCipherSuites() []uint16 {
	suites := slices.Clone(cipherSuitesPreferenceOrder)
	return slices.DeleteFunc(suites, func(c uint16) bool {
	return disabledCipherSuites[c] \|\|
	tlsrsakex.Value() != "1" && rsaKexCiphers[c] \|\|
	tls3des.Value() != "1" && tdesCiphers[c]
	})
	}

	// defaultCipherSuitesTLS13 is also the preference order, since there are no
	// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
	// cipherSuitesPreferenceOrder applies.
	//
	// defaultCipherSuitesTLS13 should be an internal detail,
	// but widely used packages access it using linkname.
	// Notable members of the hall of shame include:
	// - github.com/quic-go/quic-go
	// - github.com/sagernet/quic-go
	//
	// Do not remove or change the type signature.
	// See go.dev/issue/67401.
	//
	//go:linkname defaultCipherSuitesTLS13
	var defaultCipherSuitesTLS13 = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	TLS_CHACHA20_POLY1305_SHA256,
	}

	// defaultCipherSuitesTLS13NoAES should be an internal detail,
	// but widely used packages access it using linkname.
	// Notable members of the hall of shame include:
	// - github.com/quic-go/quic-go
	// - github.com/sagernet/quic-go
	//
	// Do not remove or change the type signature.
	// See go.dev/issue/67401.
	//
	//go:linkname defaultCipherSuitesTLS13NoAES
	var defaultCipherSuitesTLS13NoAES = []uint16{
	TLS_CHACHA20_POLY1305_SHA256,
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	}

	var defaultSupportedVersionsFIPS = []uint16{
	VersionTLS12,
	}

	// defaultCurvePreferencesFIPS are the FIPS-allowed curves,
	// in preference order (most preferable first).
	var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}

	// defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
	// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
	var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
	PSSWithSHA256,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	ECDSAWithP256AndSHA256,
	PKCS1WithSHA384,
	ECDSAWithP384AndSHA384,
	PKCS1WithSHA512,
	ECDSAWithP521AndSHA512,
	}

	// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
	var defaultCipherSuitesFIPS = []uint16{
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_GCM_SHA256,
	TLS_RSA_WITH_AES_256_GCM_SHA384,
	}

	// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
	var defaultCipherSuitesTLS13FIPS = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	}