[dev.boringcrypto] all: merge commit 9d0819b27c (CL 314609) into dev.boringcrypto

There used to be two BoringCrypto-specific behaviors related to cipher
suites in crypto/tls:

1. in FIPS-only mode, only a restricted set of AES ciphers is allowed

2. NOT in FIPS-only mode, AES would be prioritized over ChaCha20 even if
   AES hardware was not available

The motivation of (2) is unclear, and BoringSSL doesn't have equivalent
logic. This merge drops (2), and keeps (1). Note that the list of
FIPS-only ciphers no longer carries priority semantics; the default
cipher suite ordering logic still orders them the same way as before.

Change-Id: I50544011085cfa2b087f323aebf5338c0bd2dd33
Filippo Valsorda 2021-05-12 19:23:21 +02:00
commit 91c310694c
80 changed files with 4335 additions and 4101 deletions


@ -6,15 +6,11 @@ package tls
import (
"crypto/ecdsa"
"crypto/internal/boring"
"crypto/internal/boring/fipstls"
"crypto/rsa"
"crypto/x509"
)
// boringEnabled is an alias of boring.Enabled to avoid a new import in common.go.
const boringEnabled = boring.Enabled
// needFIPS returns fipstls.Required(); it avoids a new import in common.go.
func needFIPS() bool {
return fipstls.Required()
@ -53,9 +49,8 @@ func fipsCurvePreferences(c *Config) []CurveID {
return list
}
// default FIPSCipherSuites is the FIPS-allowed cipher suites,
// in preference order (most preferable first).
var defaultFIPSCipherSuites = []uint16{
// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
var defaultCipherSuitesFIPS = []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@ -67,11 +62,11 @@ var defaultFIPSCipherSuites = []uint16{
// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode.
func fipsCipherSuites(c *Config) []uint16 {
if c == nil || c.CipherSuites == nil {
return defaultFIPSCipherSuites
return defaultCipherSuitesFIPS
}
var list []uint16
list := make([]uint16, 0, len(defaultCipherSuitesFIPS))
for _, id := range c.CipherSuites {
for _, allowed := range defaultFIPSCipherSuites {
for _, allowed := range defaultCipherSuitesFIPS {
if id == allowed {
list = append(list, id)
break