crypto/tls: remove RSA KEX ciphers from the default list

[gostls13.git] / src / crypto / tls / cipher_suites.go

diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
index 9a1fa3104b7acc512e9f8df86a2fa2adbb414dc5..eaeb7e04e6ccfdd118823151c375c9a50d00dd44 100644 (file)
--- a/src/crypto/tls/cipher_suites.go
+++ b/src/crypto/tls/cipher_suites.go
@@ -17,6 +17,7 @@ import (
        "fmt"
        "hash"
        "internal/cpu"
+       "internal/godebug"
        "runtime"
 
        "golang.org/x/crypto/chacha20poly1305"
@@ -45,7 +46,7 @@ var (
 
 // CipherSuites returns a list of cipher suites currently implemented by this
 // package, excluding those with security issues, which are returned by
-// InsecureCipherSuites.
+// [InsecureCipherSuites].
 //
 // The list is sorted by ID. Note that the default cipher suites selected by
 // this package might depend on logic that can't be captured by a static list,
@@ -78,7 +79,7 @@ func CipherSuites() []*CipherSuite {
 // this package and which have security issues.
 //
 // Most applications should not use the cipher suites in this list, and should
-// only use those returned by CipherSuites.
+// only use those returned by [CipherSuites].
 func InsecureCipherSuites() []*CipherSuite {
        // This list includes RC4, CBC_SHA256, and 3DES cipher suites. See
        // cipherSuitesPreferenceOrder for details.
@@ -335,10 +336,35 @@ var disabledCipherSuites = []uint16{
 }
 
 var (
-       defaultCipherSuitesLen = len(cipherSuitesPreferenceOrder) - len(disabledCipherSuites)
-       defaultCipherSuites    = cipherSuitesPreferenceOrder[:defaultCipherSuitesLen]
+       defaultCipherSuitesLen int
+       defaultCipherSuites    []uint16
 )
 
+// rsaKexCiphers contains the ciphers which use RSA based key exchange,
+// which we disable by default.
+var rsaKexCiphers = map[uint16]bool{
+       TLS_RSA_WITH_RC4_128_SHA:        true,
+       TLS_RSA_WITH_3DES_EDE_CBC_SHA:   true,
+       TLS_RSA_WITH_AES_128_CBC_SHA:    true,
+       TLS_RSA_WITH_AES_256_CBC_SHA:    true,
+       TLS_RSA_WITH_AES_128_CBC_SHA256: true,
+       TLS_RSA_WITH_AES_128_GCM_SHA256: true,
+       TLS_RSA_WITH_AES_256_GCM_SHA384: true,
+}
+
+var rsaKEXgodebug = godebug.New("tlsrsakex")
+
+func init() {
+       rsaKexEnabled := rsaKEXgodebug.Value() == "1"
+       for _, c := range cipherSuitesPreferenceOrder[:len(cipherSuitesPreferenceOrder)-len(disabledCipherSuites)] {
+               if !rsaKexEnabled && rsaKexCiphers[c] {
+                       continue
+               }
+               defaultCipherSuites = append(defaultCipherSuites, c)
+       }
+       defaultCipherSuitesLen = len(defaultCipherSuites)
+}
+
 // defaultCipherSuitesTLS13 is also the preference order, since there are no
 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
 // cipherSuitesPreferenceOrder applies.
@@ -377,14 +403,6 @@ var aesgcmCiphers = map[uint16]bool{
        TLS_AES_256_GCM_SHA384: true,
 }
 
-var nonAESGCMAEADCiphers = map[uint16]bool{
-       // TLS 1.2
-       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:   true,
-       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: true,
-       // TLS 1.3
-       TLS_CHACHA20_POLY1305_SHA256: true,
-}
-
 // aesgcmPreferred returns whether the first known cipher in the preference list
 // is an AES-GCM cipher, implying the peer has hardware support for it.
 func aesgcmPreferred(ciphers []uint16) bool {
@@ -473,7 +491,7 @@ func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([
        return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
 }
 
-// xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
+// xorNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
 // before each call.
 type xorNonceAEAD struct {
        nonceMask [aeadNonceLength]byte