mirror of
https://github.com/XTLS/REALITY.git
synced 2025-08-22 22:48:36 +00:00
5938152cb0
If a ClientHello only supports TLS 1.3, or if a CertificateRequest is sent after selecting TLS 1.3, we should not advertise TLS 1.2-only signature_algorithms like PKCS#1 v1.5 or SHA-1. However, since crypto/x509 still supports PKCS#1 v1.5, and a direct CertPool match might not care about the signature in the certificate at all, start sending a separate signature_algorithms_cert extension to indicate support for PKCS#1 v1.5 and SHA-1 in certificates. We were already correctly rejecting these algorithms if the peer selected them in a TLS 1.3 connection. Updates #72883 Change-Id: I6a6a4656ab60e1b7fb20fdedc32604dc156953ae Reviewed-on: https://go-review.googlesource.com/c/go/+/658215 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
127 lines
3.9 KiB
Go
127 lines
3.9 KiB
Go
// Copyright 2024 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package reality
|
|
|
|
import (
|
|
"slices"
|
|
_ "unsafe" // for linkname
|
|
)
|
|
|
|
// Defaults are collected in this file to allow distributions to more easily patch
|
|
// them to apply local policies.
|
|
|
|
//var tlsmlkem = godebug.New("tlsmlkem")
|
|
|
|
// defaultCurvePreferences is the default set of supported key exchanges, as
|
|
// well as the preference order.
|
|
func defaultCurvePreferences() []CurveID {
|
|
if false {
|
|
return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
|
|
}
|
|
return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
|
|
}
|
|
|
|
// defaultSupportedSignatureAlgorithms returns the signature and hash algorithms that
|
|
// the code advertises and supports in a TLS 1.2+ ClientHello and in a TLS 1.2+
|
|
// CertificateRequest. The two fields are merged to match with TLS 1.3.
|
|
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
|
|
func defaultSupportedSignatureAlgorithms() []SignatureScheme {
|
|
return []SignatureScheme{
|
|
PSSWithSHA256,
|
|
ECDSAWithP256AndSHA256,
|
|
Ed25519,
|
|
PSSWithSHA384,
|
|
PSSWithSHA512,
|
|
PKCS1WithSHA256,
|
|
PKCS1WithSHA384,
|
|
PKCS1WithSHA512,
|
|
ECDSAWithP384AndSHA384,
|
|
ECDSAWithP521AndSHA512,
|
|
PKCS1WithSHA1,
|
|
ECDSAWithSHA1,
|
|
}
|
|
}
|
|
|
|
// defaultSupportedSignatureAlgorithmsCert returns the signature algorithms that
|
|
// the code advertises as supported for signatures in certificates.
|
|
//
|
|
// We include all algorithms, including SHA-1 and PKCS#1 v1.5, because it's more
|
|
// likely that something on our side will be willing to accept a *-with-SHA1
|
|
// certificate (e.g. with a custom VerifyConnection or by a direct match with
|
|
// the CertPool), than that the peer would have a better certificate but is just
|
|
// choosing not to send it. crypto/x509 will refuse to verify important SHA-1
|
|
// signatures anyway.
|
|
func defaultSupportedSignatureAlgorithmsCert() []SignatureScheme {
|
|
return []SignatureScheme{
|
|
PSSWithSHA256,
|
|
ECDSAWithP256AndSHA256,
|
|
Ed25519,
|
|
PSSWithSHA384,
|
|
PSSWithSHA512,
|
|
PKCS1WithSHA256,
|
|
PKCS1WithSHA384,
|
|
PKCS1WithSHA512,
|
|
ECDSAWithP384AndSHA384,
|
|
ECDSAWithP521AndSHA512,
|
|
PKCS1WithSHA1,
|
|
ECDSAWithSHA1,
|
|
}
|
|
}
|
|
|
|
//var tlsrsakex = godebug.New("tlsrsakex")
|
|
//var tls3des = godebug.New("tls3des")
|
|
|
|
func supportedCipherSuites(aesGCMPreferred bool) []uint16 {
|
|
if aesGCMPreferred {
|
|
return slices.Clone(cipherSuitesPreferenceOrder)
|
|
} else {
|
|
return slices.Clone(cipherSuitesPreferenceOrderNoAES)
|
|
}
|
|
}
|
|
|
|
func defaultCipherSuites(aesGCMPreferred bool) []uint16 {
|
|
cipherSuites := supportedCipherSuites(aesGCMPreferred)
|
|
return slices.DeleteFunc(cipherSuites, func(c uint16) bool {
|
|
return disabledCipherSuites[c] ||
|
|
rsaKexCiphers[c] ||
|
|
tdesCiphers[c]
|
|
})
|
|
}
|
|
|
|
// defaultCipherSuitesTLS13 is also the preference order, since there are no
|
|
// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
|
|
// cipherSuitesPreferenceOrder applies.
|
|
//
|
|
// defaultCipherSuitesTLS13 should be an internal detail,
|
|
// but widely used packages access it using linkname.
|
|
// Notable members of the hall of shame include:
|
|
// - github.com/quic-go/quic-go
|
|
// - github.com/sagernet/quic-go
|
|
//
|
|
// Do not remove or change the type signature.
|
|
// See go.dev/issue/67401.
|
|
//
|
|
//go:linkname defaultCipherSuitesTLS13
|
|
var defaultCipherSuitesTLS13 = []uint16{
|
|
TLS_AES_128_GCM_SHA256,
|
|
TLS_AES_256_GCM_SHA384,
|
|
TLS_CHACHA20_POLY1305_SHA256,
|
|
}
|
|
|
|
// defaultCipherSuitesTLS13NoAES should be an internal detail,
|
|
// but widely used packages access it using linkname.
|
|
// Notable members of the hall of shame include:
|
|
// - github.com/quic-go/quic-go
|
|
// - github.com/sagernet/quic-go
|
|
//
|
|
// Do not remove or change the type signature.
|
|
// See go.dev/issue/67401.
|
|
//
|
|
//go:linkname defaultCipherSuitesTLS13NoAES
|
|
var defaultCipherSuitesTLS13NoAES = []uint16{
|
|
TLS_CHACHA20_POLY1305_SHA256,
|
|
TLS_AES_128_GCM_SHA256,
|
|
TLS_AES_256_GCM_SHA384,
|
|
} |