defaults.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"internal/godebug"
     9  	"slices"
    10  	_ "unsafe" // for linkname
    11  )
    12  
    13  // Defaults are collected in this file to allow distributions to more easily patch
    14  // them to apply local policies.
    15  
    16  var tlsmlkem = godebug.New("tlsmlkem")
    17  
    18  // defaultCurvePreferences is the default set of supported key exchanges, as
    19  // well as the preference order.
    20  func defaultCurvePreferences() []CurveID {
    21  	if tlsmlkem.Value() == "0" {
    22  		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
    23  	}
    24  	return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
    25  }
    26  
    27  // defaultSupportedSignatureAlgorithms returns the signature and hash algorithms that
    28  // the code advertises and supports in a TLS 1.2+ ClientHello and in a TLS 1.2+
    29  // CertificateRequest. The two fields are merged to match with TLS 1.3.
    30  // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
    31  func defaultSupportedSignatureAlgorithms() []SignatureScheme {
    32  	return []SignatureScheme{
    33  		PSSWithSHA256,
    34  		ECDSAWithP256AndSHA256,
    35  		Ed25519,
    36  		PSSWithSHA384,
    37  		PSSWithSHA512,
    38  		PKCS1WithSHA256,
    39  		PKCS1WithSHA384,
    40  		PKCS1WithSHA512,
    41  		ECDSAWithP384AndSHA384,
    42  		ECDSAWithP521AndSHA512,
    43  		PKCS1WithSHA1,
    44  		ECDSAWithSHA1,
    45  	}
    46  }
    47  
    48  var tlsrsakex = godebug.New("tlsrsakex")
    49  var tls3des = godebug.New("tls3des")
    50  
    51  func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
    52  	if aesGCMPreferred {
    53  		return slices.Clone(cipherSuitesPreferenceOrder)
    54  	} else {
    55  		return slices.Clone(cipherSuitesPreferenceOrderNoAES)
    56  	}
    57  }
    58  
    59  func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
    60  	cipherSuites := supportedCipherSuites(aesGCMPreferred)
    61  	return slices.DeleteFunc(cipherSuites, func(c uint16) bool {
    62  		return disabledCipherSuites[c] ||
    63  			tlsrsakex.Value() != "1" && rsaKexCiphers[c] ||
    64  			tls3des.Value() != "1" && tdesCiphers[c]
    65  	})
    66  }
    67  
    68  // defaultCipherSuitesTLS13 is also the preference order, since there are no
    69  // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
    70  // cipherSuitesPreferenceOrder applies.
    71  //
    72  // defaultCipherSuitesTLS13 should be an internal detail,
    73  // but widely used packages access it using linkname.
    74  // Notable members of the hall of shame include:
    75  //   - github.com/quic-go/quic-go
    76  //   - github.com/sagernet/quic-go
    77  //
    78  // Do not remove or change the type signature.
    79  // See go.dev/issue/67401.
    80  //
    81  //go:linkname defaultCipherSuitesTLS13
    82  var defaultCipherSuitesTLS13 = []uint16{
    83  	TLS_AES_128_GCM_SHA256,
    84  	TLS_AES_256_GCM_SHA384,
    85  	TLS_CHACHA20_POLY1305_SHA256,
    86  }
    87  
    88  // defaultCipherSuitesTLS13NoAES should be an internal detail,
    89  // but widely used packages access it using linkname.
    90  // Notable members of the hall of shame include:
    91  //   - github.com/quic-go/quic-go
    92  //   - github.com/sagernet/quic-go
    93  //
    94  // Do not remove or change the type signature.
    95  // See go.dev/issue/67401.
    96  //
    97  //go:linkname defaultCipherSuitesTLS13NoAES
    98  var defaultCipherSuitesTLS13NoAES = []uint16{
    99  	TLS_CHACHA20_POLY1305_SHA256,
   100  	TLS_AES_128_GCM_SHA256,
   101  	TLS_AES_256_GCM_SHA384,
   102  }
   103
View as plain text