1 // Copyright 2024 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4 5 package tls
6 7 import (
8 "internal/godebug"
9 "slices"
10 _ "unsafe" // for linkname
11 )
12 13 // Defaults are collected in this file to allow distributions to more easily patch
14 // them to apply local policies.
var (
	// tlsmlkem is the GODEBUG setting read by defaultCurvePreferences:
	// tlsmlkem=0 selects the pre-Go 1.24 key exchange list, which contains
	// no ML-KEM entries.
	tlsmlkem = godebug.New("tlsmlkem")

	// tlssecpmlkem is the GODEBUG setting read by defaultCurvePreferences:
	// tlssecpmlkem=0 selects the pre-Go 1.26 list, which keeps
	// X25519MLKEM768 but omits the SecP*MLKEM* entries.
	tlssecpmlkem = godebug.New("tlssecpmlkem")
)
// defaultCurvePreferences returns the key exchanges supported by default, in
// preference order. Every call builds a new slice.
//
// The tlsmlkem setting is checked before tlssecpmlkem, so tlsmlkem=0 wins when
// both are set to "0". With tlsmlkem=0 the returned list has no ML-KEM entry
// at all, so an operator who sets it gives up the ML-KEM key exchanges
// entirely rather than just lowering their priority.
func defaultCurvePreferences() []CurveID {
	// tlsmlkem=0 restores the pre-Go 1.24 default.
	if tlsmlkem.Value() == "0" {
		return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
	}

	// tlssecpmlkem=0 restores the pre-Go 1.26 default.
	if tlssecpmlkem.Value() == "0" {
		return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
	}

	// Current default: the ML-KEM key exchanges first, then the
	// classical curves.
	return []CurveID{
		X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024,
		X25519, CurveP256, CurveP384, CurveP521,
	}
}
// defaultSupportedSignatureAlgorithms returns the signature and hash
// algorithms that this package advertises and supports in a TLS 1.2+
// ClientHello and in a TLS 1.2+ CertificateRequest. One list serves both
// fields, matching TLS 1.3.
//
// Note that in TLS 1.2 the ECDSA algorithms are not constrained to P-256, etc.
//
// The slice order is the order in which the schemes are listed; the two
// SHA-1 based schemes come last.
// NOTE(review): whether the SHA-1 schemes are filtered out elsewhere before a
// handshake uses this list is not visible in this file - confirm at the
// call sites before relying on them being offered or rejected.
func defaultSupportedSignatureAlgorithms() []SignatureScheme {
	schemes := []SignatureScheme{
		PSSWithSHA256,
		ECDSAWithP256AndSHA256,
		Ed25519,
		PSSWithSHA384,
		PSSWithSHA512,
		PKCS1WithSHA256,
		PKCS1WithSHA384,
		PKCS1WithSHA512,
		ECDSAWithP384AndSHA384,
		ECDSAWithP521AndSHA512,
		// SHA-1 based schemes, kept at the end of the list.
		PKCS1WithSHA1,
		ECDSAWithSHA1,
	}
	return schemes
}
var (
	// tlsrsakex is the GODEBUG setting read by defaultCipherSuites: suites
	// listed in rsaKexCiphers stay in the default set only when
	// tlsrsakex=1. By its name that table holds the RSA key exchange
	// suites, which provide no forward secrecy.
	tlsrsakex = godebug.New("tlsrsakex")

	// tls3des is the GODEBUG setting read by defaultCipherSuites: suites
	// listed in tdesCiphers stay in the default set only when tls3des=1.
	tls3des = godebug.New("tls3des")
)
// supportedCipherSuites returns a copy of the package's cipher suite
// preference list: cipherSuitesPreferenceOrder when aesGCMPreferred is true,
// cipherSuitesPreferenceOrderNoAES otherwise.
func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
	order := cipherSuitesPreferenceOrderNoAES
	if aesGCMPreferred {
		order = cipherSuitesPreferenceOrder
	}
	// Hand out a clone so that callers which edit the result in place (as
	// defaultCipherSuites does) never touch the package-level list.
	return slices.Clone(order)
}
// defaultCipherSuites returns the cipher suites enabled by default, in
// preference order. It starts from supportedCipherSuites(aesGCMPreferred) and
// removes every suite that is
//   - listed in disabledCipherSuites,
//   - listed in rsaKexCiphers, unless GODEBUG tlsrsakex=1, or
//   - listed in tdesCiphers, unless GODEBUG tls3des=1.
//
// Only the exact value "1" re-enables a group; an unset setting or any other
// value leaves it out of the defaults.
func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
	// dropped reports whether suite id must be removed from the defaults.
	dropped := func(id uint16) bool {
		switch {
		case disabledCipherSuites[id]:
			return true
		case tlsrsakex.Value() != "1" && rsaKexCiphers[id]:
			return true
		case tls3des.Value() != "1" && tdesCiphers[id]:
			return true
		}
		return false
	}

	// supportedCipherSuites returns a clone, so the in-place DeleteFunc
	// below does not modify the shared preference list.
	suites := supportedCipherSuites(aesGCMPreferred)
	return slices.DeleteFunc(suites, dropped)
}
// defaultCipherSuitesTLS13 holds the TLS 1.3 cipher suites enabled by default.
// No TLS 1.3 cipher suite is disabled by default, so this slice is also the
// preference order. The same AES vs ChaCha20 logic as
// cipherSuitesPreferenceOrder applies.
//
// defaultCipherSuitesTLS13 should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
// NOTE(review): this is a package-level slice that the linkname exposes to
// other packages, so an in-place write from one of them would presumably
// change the defaults for every user in the process - confirm that readers
// copy it before editing.
//
//go:linkname defaultCipherSuitesTLS13
var defaultCipherSuitesTLS13 = []uint16{
	// AES-GCM suites first.
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	// ChaCha20-Poly1305 last.
	TLS_CHACHA20_POLY1305_SHA256,
}
// defaultCipherSuitesTLS13NoAES holds the same three TLS 1.3 cipher suites as
// defaultCipherSuitesTLS13, with ChaCha20-Poly1305 placed ahead of the
// AES-GCM suites.
//
// defaultCipherSuitesTLS13NoAES should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
// NOTE(review): this is a package-level slice that the linkname exposes to
// other packages, so an in-place write from one of them would presumably
// change the defaults for every user in the process - confirm that readers
// copy it before editing.
//
//go:linkname defaultCipherSuitesTLS13NoAES
var defaultCipherSuitesTLS13NoAES = []uint16{
	// ChaCha20-Poly1305 first.
	TLS_CHACHA20_POLY1305_SHA256,
	// AES-GCM suites after it.
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}