mirror of
https://github.com/XTLS/REALITY.git
synced 2025-08-22 06:28:35 +00:00
5938152cb0
If a ClientHello only supports TLS 1.3, or if a CertificateRequest is sent after selecting TLS 1.3, we should not advertise TLS 1.2-only signature_algorithms like PKCS#1 v1.5 or SHA-1. However, since crypto/x509 still supports PKCS#1 v1.5, and a direct CertPool match might not care about the signature in the certificate at all, start sending a separate signature_algorithms_cert extension to indicate support for PKCS#1 v1.5 and SHA-1 in certificates. We were already correctly rejecting these algorithms if the peer selected them in a TLS 1.3 connection. Updates #72883 Change-Id: I6a6a4656ab60e1b7fb20fdedc32604dc156953ae Reviewed-on: https://go-review.googlesource.com/c/go/+/658215 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
69 lines
1.7 KiB
Go
69 lines
1.7 KiB
Go
// Copyright 2025 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
//go:build boringcrypto
|
|
|
|
package reality
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
)
|
|
|
|
// These Go+BoringCrypto policies mostly match BoringSSL's
|
|
// ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2.
|
|
// https://cs.opensource.google/boringssl/boringssl/+/master:ssl/ssl_lib.cc;l=3289;drc=ea7a88fa
|
|
//
|
|
// P-521 is allowed per https://go.dev/issue/71757.
|
|
//
|
|
// They are applied when crypto/tls/fipsonly is imported with GOEXPERIMENT=boringcrypto.
|
|
|
|
var (
|
|
allowedSupportedVersionsFIPS = []uint16{
|
|
VersionTLS12,
|
|
VersionTLS13,
|
|
}
|
|
allowedCurvePreferencesFIPS = []CurveID{
|
|
CurveP256,
|
|
CurveP384,
|
|
CurveP521,
|
|
}
|
|
allowedSignatureAlgorithmsFIPS = []SignatureScheme{
|
|
PSSWithSHA256,
|
|
PSSWithSHA384,
|
|
PSSWithSHA512,
|
|
PKCS1WithSHA256,
|
|
ECDSAWithP256AndSHA256,
|
|
PKCS1WithSHA384,
|
|
ECDSAWithP384AndSHA384,
|
|
PKCS1WithSHA512,
|
|
ECDSAWithP521AndSHA512,
|
|
}
|
|
allowedCipherSuitesFIPS = []uint16{
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
}
|
|
allowedCipherSuitesTLS13FIPS = []uint16{
|
|
TLS_AES_128_GCM_SHA256,
|
|
TLS_AES_256_GCM_SHA384,
|
|
}
|
|
)
|
|
|
|
func isCertificateAllowedFIPS(c *x509.Certificate) bool {
|
|
// The key must be RSA 2048, RSA 3072, RSA 4096,
|
|
// or ECDSA P-256, P-384, P-521.
|
|
switch k := c.PublicKey.(type) {
|
|
case *rsa.PublicKey:
|
|
size := k.N.BitLen()
|
|
return size == 2048 || size == 3072 || size == 4096
|
|
case *ecdsa.PublicKey:
|
|
return k.Curve == elliptic.P256() || k.Curve == elliptic.P384() || k.Curve == elliptic.P521()
|
|
}
|
|
|
|
return false
|
|
} |