1// Copyright 2024 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package tls
6
7import (
8	"internal/godebug"
9	"slices"
10	_ "unsafe" // for linkname
11)
12
13// Defaults are collected in this file to allow distributions to more easily patch
14// them to apply local policies.
15
// tlskyber is the GODEBUG setting consulted by defaultCurvePreferences:
// when its value is "0" the x25519Kyber768Draft00 hybrid key exchange is
// left out of the default curve list.
var tlskyber = godebug.New("tlskyber")
17
// defaultCurvePreferences returns the key exchange groups offered by default,
// most preferred first. The x25519Kyber768Draft00 hybrid is placed in front of
// X25519 unless GODEBUG tlskyber=0 is set. A fresh slice is returned on every
// call, so callers may modify it.
func defaultCurvePreferences() []CurveID {
	classical := []CurveID{X25519, CurveP256, CurveP384, CurveP521}
	if tlskyber.Value() == "0" {
		return classical
	}
	// For now, x25519Kyber768Draft00 must always be followed by X25519.
	return slices.Insert(classical, 0, x25519Kyber768Draft00)
}
25
// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
// the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
// CertificateRequest. The two fields are merged to match with TLS 1.3.
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
//
// The list is in preference order. The two SHA-1 schemes are listed last, and
// are omitted from defaultSupportedSignatureAlgorithmsFIPS.
var defaultSupportedSignatureAlgorithms = []SignatureScheme{
	PSSWithSHA256,
	ECDSAWithP256AndSHA256,
	Ed25519,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	PKCS1WithSHA384,
	PKCS1WithSHA512,
	ECDSAWithP384AndSHA384,
	ECDSAWithP521AndSHA512,
	PKCS1WithSHA1, // SHA-1: kept for TLS 1.2 compatibility, lowest preference
	ECDSAWithSHA1,
}
44
// tlsrsakex and tls3des are the GODEBUG settings consulted by
// defaultCipherSuites: unless set to "1", the RSA key exchange suites
// (rsaKexCiphers) and the 3DES suites (tdesCiphers) respectively are
// removed from the default cipher suite list.
var tlsrsakex = godebug.New("tlsrsakex")
var tls3des = godebug.New("tls3des")
47
// defaultCipherSuites returns the TLS 1.0–1.2 cipher suites enabled by
// default, in the order of cipherSuitesPreferenceOrder. Suites listed in
// disabledCipherSuites are always dropped; RSA key exchange suites
// (rsaKexCiphers) and 3DES suites (tdesCiphers) are dropped unless
// re-enabled with GODEBUG tlsrsakex=1 or tls3des=1 respectively.
// A new slice is allocated on each call.
func defaultCipherSuites() []uint16 {
	kept := make([]uint16, 0, len(cipherSuitesPreferenceOrder))
	for _, id := range cipherSuitesPreferenceOrder {
		// The GODEBUG values are read per suite, preserving the
		// short-circuit order: disabled, then RSA kex, then 3DES.
		switch {
		case disabledCipherSuites[id]:
			continue
		case tlsrsakex.Value() != "1" && rsaKexCiphers[id]:
			continue
		case tls3des.Value() != "1" && tdesCiphers[id]:
			continue
		}
		kept = append(kept, id)
	}
	return kept
}
56
// defaultCipherSuitesTLS13 is also the preference order, since there are no
// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
// cipherSuitesPreferenceOrder applies.
//
// defaultCipherSuitesTLS13NoAES holds the same three suites with
// TLS_CHACHA20_POLY1305_SHA256 moved to the front.
//
// defaultCipherSuitesTLS13 should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
//go:linkname defaultCipherSuitesTLS13
var defaultCipherSuitesTLS13 = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
	TLS_CHACHA20_POLY1305_SHA256,
}
76
// defaultCipherSuitesTLS13NoAES contains the same suites as
// defaultCipherSuitesTLS13, but with TLS_CHACHA20_POLY1305_SHA256 first.
//
// defaultCipherSuitesTLS13NoAES should be an internal detail,
// but widely used packages access it using linkname.
// Notable members of the hall of shame include:
//   - github.com/quic-go/quic-go
//   - github.com/sagernet/quic-go
//
// Do not remove or change the type signature.
// See go.dev/issue/67401.
//
//go:linkname defaultCipherSuitesTLS13NoAES
var defaultCipherSuitesTLS13NoAES = []uint16{
	TLS_CHACHA20_POLY1305_SHA256,
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
92
// defaultSupportedVersionsFIPS are the FIPS-allowed protocol versions;
// only TLS 1.2 is listed.
var defaultSupportedVersionsFIPS = []uint16{
	VersionTLS12,
}
96
// defaultCurvePreferencesFIPS are the FIPS-allowed curves,
// in preference order (most preferable first).
// Neither X25519 nor the x25519Kyber768Draft00 hybrid offered by
// defaultCurvePreferences appears here.
var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}
100
// defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
// The ordering differs from defaultSupportedSignatureAlgorithms: the PSS
// schemes come first, then each hash size's PKCS1 and ECDSA schemes together.
var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
	PSSWithSHA256,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	ECDSAWithP256AndSHA256,
	PKCS1WithSHA384,
	ECDSAWithP384AndSHA384,
	PKCS1WithSHA512,
	ECDSAWithP521AndSHA512,
}
114
// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
// The ECDHE suites come first. The two TLS_RSA_* suites at the end use static
// RSA key exchange and therefore provide no forward secrecy; note that this
// list is declared independently of the tlsrsakex GODEBUG filter applied in
// defaultCipherSuites.
var defaultCipherSuitesFIPS = []uint16{
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	TLS_RSA_WITH_AES_128_GCM_SHA256, // RSA key exchange: no forward secrecy
	TLS_RSA_WITH_AES_256_GCM_SHA384,
}
124
// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
// TLS_CHACHA20_POLY1305_SHA256, present in defaultCipherSuitesTLS13, is not
// included.
var defaultCipherSuitesTLS13FIPS = []uint16{
	TLS_AES_128_GCM_SHA256,
	TLS_AES_256_GCM_SHA384,
}
130