mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 04:27:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls: move defaults into defaults.go

Browse source 
Fixes #65265
Updates #60790

Change-Id: Iaa5f475d614d3ed87f091c93a3f888b7eb3433f2
Reviewed-on: https://go-review.googlesource.com/c/go/+/587296
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Derek Parker <parkerderek86@gmail.com>
This commit is contained in:
Filippo Valsorda 2024-05-22 12:51:03 +02:00 committed by Gopher Robot
parent 470b5f1f9d
commit 72f81ff7ec
7 changed files with 152 additions and 170 deletions
Download patch file Download diff file Expand all files Collapse all files

30
cipher_suites.go
View file

@ -17,9 +17,7 @@ import (
"fmt"
"hash"
"internal/cpu"
"internal/godebug"
"runtime"
"slices"
"golang.org/x/crypto/chacha20poly1305"
)
@ -336,8 +334,6 @@ var disabledCipherSuites = map[uint16]bool{
TLS_RSA_WITH_RC4_128_SHA: true,
}
var tlsrsakex = godebug.New("tlsrsakex")
// rsaKexCiphers contains the ciphers which use RSA based key exchange,
// which we also disable by default unless a GODEBUG is set.
var rsaKexCiphers = map[uint16]bool{
@ -350,8 +346,6 @@ var rsaKexCiphers = map[uint16]bool{
TLS_RSA_WITH_AES_256_GCM_SHA384: true,
}
var tls3des = godebug.New("tls3des")
// tdesCiphers contains 3DES ciphers,
// which we also disable by default unless a GODEBUG is set.
var tdesCiphers = map[uint16]bool{
@ -359,30 +353,6 @@ var tdesCiphers = map[uint16]bool{
TLS_RSA_WITH_3DES_EDE_CBC_SHA: true,
}
func defaultCipherSuites() []uint16 {
suites := slices.Clone(cipherSuitesPreferenceOrder)
return slices.DeleteFunc(suites, func(c uint16) bool {
return disabledCipherSuites[c] ||
tlsrsakex.Value() != "1" && rsaKexCiphers[c] ||
tls3des.Value() != "1" && tdesCiphers[c]
})
}
// defaultCipherSuitesTLS13 is also the preference order, since there are no
// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
// cipherSuitesPreferenceOrder applies.
var defaultCipherSuitesTLS13 = []uint16{
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256,
}
var defaultCipherSuitesTLS13NoAES = []uint16{
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
}
var (
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL