mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-03 20:17:36 +03:00
sync: merge changes from go 1.24.0
commit
a99feacec2
50 changed files with 2505 additions and 2734 deletions
19
defaults.go
19
defaults.go
|
@ -12,17 +12,18 @@ import (
|
|||
// Defaults are collected in this file to allow distributions to more easily patch
|
||||
// them to apply local policies.
|
||||
|
||||
// var tlskyber = godebug.New("tlskyber") [uTLS]
|
||||
// var tlsmlkem = godebug.New("tlsmlkem") [uTLS]
|
||||
|
||||
// defaultCurvePreferences is the default set of supported key exchanges, as
|
||||
// well as the preference order.
|
||||
func defaultCurvePreferences() []CurveID {
|
||||
// [uTLS section begins]
|
||||
// if tlskyber.Value() == "0" {
|
||||
// if tlsmlkem.Value() == "0" {
|
||||
// return []CurveID{X25519, CurveP256, CurveP384, CurveP521}
|
||||
// }
|
||||
// [uTLS section ends]
|
||||
|
||||
// For now, x25519Kyber768Draft00 must always be followed by X25519.
|
||||
return []CurveID{x25519Kyber768Draft00, X25519, CurveP256, CurveP384, CurveP521}
|
||||
return []CurveID{X25519MLKEM768, X25519, CurveP256, CurveP384, CurveP521}
|
||||
}
|
||||
|
||||
// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that
|
||||
|
@ -98,13 +99,18 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
|
|||
TLS_AES_256_GCM_SHA384,
|
||||
}
|
||||
|
||||
// The FIPS-only policies below match BoringSSL's
|
||||
// ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2.
|
||||
// https://cs.opensource.google/boringssl/boringssl/+/master:ssl/ssl_lib.cc;l=3289;drc=ea7a88fa
|
||||
|
||||
var defaultSupportedVersionsFIPS = []uint16{
|
||||
VersionTLS12,
|
||||
VersionTLS13,
|
||||
}
|
||||
|
||||
// defaultCurvePreferencesFIPS are the FIPS-allowed curves,
|
||||
// in preference order (most preferable first).
|
||||
var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}
|
||||
var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384}
|
||||
|
||||
// defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
|
||||
// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
|
||||
|
@ -117,7 +123,6 @@ var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
|
|||
PKCS1WithSHA384,
|
||||
ECDSAWithP384AndSHA384,
|
||||
PKCS1WithSHA512,
|
||||
ECDSAWithP521AndSHA512,
|
||||
}
|
||||
|
||||
// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
|
||||
|
@ -126,8 +131,6 @@ var defaultCipherSuitesFIPS = []uint16{
|
|||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
}
|
||||
|
||||
// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
|
||||
|
|
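Review bot: In `defaultCurvePreferences` the `tlsmlkem` check is kept only as a comment inside the `[uTLS section]`, so the function appears to return `X25519MLKEM768` first unconditionally, and the doc comment does not say so. A caller who follows upstream Go's guidance and sets `GODEBUG=tlsmlkem=0` would still get the hybrid group offered by default. I would add to the doc comment `// uTLS: the tlsmlkem GODEBUG setting is not consulted; set Config.CurvePreferences explicitly to exclude X25519MLKEM768.` The later FIPS hunks appear to drop `CurveP521`, `ECDSAWithP521AndSHA512` and the `TLS_RSA_WITH_AES_*_GCM` suites. That reading is inferred from print order and hunk counts, because the page has lost its +/- markers, so it is worth confirming against the raw diff before relying on the narrowed FIPS defaults.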