Commit ae820c6a authored by Roland Shoemaker's avatar Roland Shoemaker
Browse files

crypto/tls: remove RSA KEX ciphers from the default list

Removes the RSA KEX based ciphers from the default list. This can be
reverted using the tlsrsakex GODEBUG.

Fixes #63413

Change-Id: Id221be3eb2f6c24b91039d380313f0c87d339f98
Reviewed-on: https://go-review.googlesource.com/c/go/+/541517


LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: default avatarDamien Neil <dneil@google.com>
parent 3dc24108
Loading
Loading
Loading
Loading
+28 −2
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ import (
	"fmt"
	"hash"
	"internal/cpu"
	"internal/godebug"
	"runtime"

	"golang.org/x/crypto/chacha20poly1305"
@@ -335,10 +336,35 @@ var disabledCipherSuites = []uint16{
}

var (
	defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
	defaultCipherSuites    = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
	defaultCipherSuitesLen int
	defaultCipherSuites    []uint16
)

// rsaKexCiphers contains the ciphers which use RSA based key exchange,
// which we disable by default.
var rsaKexCiphers = map[uint16]bool{
	TLS_RSA_WITH_RC4_128_SHA:        true,
	TLS_RSA_WITH_3DES_EDE_CBC_SHA:   true,
	TLS_RSA_WITH_AES_128_CBC_SHA:    true,
	TLS_RSA_WITH_AES_256_CBC_SHA:    true,
	TLS_RSA_WITH_AES_128_CBC_SHA256: true,
	TLS_RSA_WITH_AES_128_GCM_SHA256: true,
	TLS_RSA_WITH_AES_256_GCM_SHA384: true,
}

var rsaKEXgodebug = godebug.New("tlsrsakex")

func init() {
	rsaKexEnabled := rsaKEXgodebug.Value() == "1"
	for _, c := range cipherSuitesPreferenceOrder[:len(cipherSuitesPreferenceOrder)-len(disabledCipherSuites)] {
		if !rsaKexEnabled && rsaKexCiphers[c] {
			continue
		}
		defaultCipherSuites = append(defaultCipherSuites, c)
	}
	defaultCipherSuitesLen = len(defaultCipherSuites)
}

// defaultCipherSuitesTLS13 is also the preference order, since there are no
// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
// cipherSuitesPreferenceOrder applies.
+3 −1
Original line number Diff line number Diff line
@@ -670,7 +670,9 @@ type Config struct {
	// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
	//
	// If CipherSuites is nil, a safe default list is used. The default cipher
	// suites might change over time.
	// suites might change over time. In Go 1.22 RSA key exchange based cipher
	// suites were removed from the default list, but can be re-added with the
	// GODEBUG setting tlsrsakex=1.
	CipherSuites []uint16

	// PreferServerCipherSuites is a legacy field and has no effect.
+5 −1
Original line number Diff line number Diff line
@@ -1288,6 +1288,7 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
			SignatureSchemes:  []SignatureScheme{PKCS1WithSHA1},
			SupportedVersions: []uint16{VersionTLS13, VersionTLS12},
			config: &Config{
				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
				MaxVersion:   VersionTLS12,
			},
		}, ""}, // Check that mutual version selection works.
@@ -1385,6 +1386,9 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) {
		{rsaCert, &ClientHelloInfo{
			CipherSuites:      []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
			SupportedVersions: []uint16{VersionTLS12},
			config: &Config{
				CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
			},
		}, ""}, // static RSA fallback
	}
	for i, tt := range tests {