go/src/crypto/tls/defaults_fips140.go

// Copyright 2025 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build !boringcrypto

package tls

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
)

// These FIPS 140-3 policies allow anything approved by SP 800-140C
// and SP 800-140D, and tested as part of the Go Cryptographic Module.
//
// Notably, not SHA-1, 3DES, RC4, ChaCha20Poly1305, RSA PKCS #1 v1.5 key
// transport, or TLS 1.0—1.1 (because we don't test its KDF).
//
// These are not default lists, but filters to apply to the default or
// configured lists. Missing items are treated as if they were not implemented.
//
// They are applied when the fips140 GODEBUG is "on" or "only".

var (
	allowedSupportedVersionsFIPS = []uint16{
		VersionTLS12,
		VersionTLS13,
	}
	allowedCurvePreferencesFIPS = []CurveID{
		X25519MLKEM768,
		SecP256r1MLKEM768,
		SecP384r1MLKEM1024,
		CurveP256,
		CurveP384,
		CurveP521,
	}
	allowedSignatureAlgorithmsFIPS = []SignatureScheme{
		PSSWithSHA256,
		ECDSAWithP256AndSHA256,
		Ed25519,
		PSSWithSHA384,
		PSSWithSHA512,
		PKCS1WithSHA256,
		PKCS1WithSHA384,
		PKCS1WithSHA512,
		ECDSAWithP384AndSHA384,
		ECDSAWithP521AndSHA512,
	}
	allowedCipherSuitesFIPS = []uint16{
		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	}
	allowedCipherSuitesTLS13FIPS = []uint16{
		TLS_AES_128_GCM_SHA256,
		TLS_AES_256_GCM_SHA384,
	}
)

func isCertificateAllowedFIPS(c *x509.Certificate) bool {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen() >= 2048
	case *ecdsa.PublicKey:
		return k.Curve == elliptic.P256() || k.Curve == elliptic.P384() || k.Curve == elliptic.P521()
	case ed25519.PublicKey:
		return true
	default:
		return false
	}
}
crypto/tls: relax native FIPS 140-3 mode We are going to stick to BoringSSL's policy for Go+BoringCrypto, but when using the native FIPS 140-3 module we can allow Ed25519, ML-KEM, and P-521. NIST SP 800-52r2 is stricter, but it only applies to some entities, so they can restrict the profile with Config. Fixes #71757 Change-Id: I6a6a4656eb02e56d079f0a22f98212275a40a679 Reviewed-on: https://go-review.googlesource.com/c/go/+/650576 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: David Chase <drchase@google.com> 2025-02-19 12:29:31 +01:00			`// Copyright 2025 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`//go:build !boringcrypto`

			`package tls`

			`import (`
			`"crypto/ecdsa"`
			`"crypto/ed25519"`
			`"crypto/elliptic"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`)`

			`// These FIPS 140-3 policies allow anything approved by SP 800-140C`
			`// and SP 800-140D, and tested as part of the Go Cryptographic Module.`
			`//`
			`// Notably, not SHA-1, 3DES, RC4, ChaCha20Poly1305, RSA PKCS #1 v1.5 key`
			`// transport, or TLS 1.0—1.1 (because we don't test its KDF).`
			`//`
			`// These are not default lists, but filters to apply to the default or`
			`// configured lists. Missing items are treated as if they were not implemented.`
			`//`
			`// They are applied when the fips140 GODEBUG is "on" or "only".`

			`var (`
			`allowedSupportedVersionsFIPS = []uint16{`
			`VersionTLS12,`
			`VersionTLS13,`
			`}`
			`allowedCurvePreferencesFIPS = []CurveID{`
			`X25519MLKEM768,`
crypto/tls: add SecP256r1/SecP384r1MLKEM1024 hybrid post-quantum key exchanges Fixes #71206 Change-Id: If3cf75261c56828b87ae6805bd2913f56a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/722140 Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2025-11-19 17:32:42 +01:00			`SecP256r1MLKEM768,`
			`SecP384r1MLKEM1024,`
crypto/tls: relax native FIPS 140-3 mode We are going to stick to BoringSSL's policy for Go+BoringCrypto, but when using the native FIPS 140-3 module we can allow Ed25519, ML-KEM, and P-521. NIST SP 800-52r2 is stricter, but it only applies to some entities, so they can restrict the profile with Config. Fixes #71757 Change-Id: I6a6a4656eb02e56d079f0a22f98212275a40a679 Reviewed-on: https://go-review.googlesource.com/c/go/+/650576 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: David Chase <drchase@google.com> 2025-02-19 12:29:31 +01:00			`CurveP256,`
			`CurveP384,`
			`CurveP521,`
			`}`
crypto/tls: don't advertise TLS 1.2-only sigAlgs in TLS 1.3 If a ClientHello only supports TLS 1.3, or if a CertificateRequest is sent after selecting TLS 1.3, we should not advertise TLS 1.2-only signature_algorithms like PKCS#1 v1.5 or SHA-1. However, since crypto/x509 still supports PKCS#1 v1.5, and a direct CertPool match might not care about the signature in the certificate at all, start sending a separate signature_algorithms_cert extension to indicate support for PKCS#1 v1.5 and SHA-1 in certificates. We were already correctly rejecting these algorithms if the peer selected them in a TLS 1.3 connection. Updates #72883 Change-Id: I6a6a4656ab60e1b7fb20fdedc32604dc156953ae Reviewed-on: https://go-review.googlesource.com/c/go/+/658215 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> 2025-03-15 12:12:22 +01:00			`allowedSignatureAlgorithmsFIPS = []SignatureScheme{`
crypto/tls: relax native FIPS 140-3 mode We are going to stick to BoringSSL's policy for Go+BoringCrypto, but when using the native FIPS 140-3 module we can allow Ed25519, ML-KEM, and P-521. NIST SP 800-52r2 is stricter, but it only applies to some entities, so they can restrict the profile with Config. Fixes #71757 Change-Id: I6a6a4656eb02e56d079f0a22f98212275a40a679 Reviewed-on: https://go-review.googlesource.com/c/go/+/650576 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: David Chase <drchase@google.com> 2025-02-19 12:29:31 +01:00			`PSSWithSHA256,`
			`ECDSAWithP256AndSHA256,`
			`Ed25519,`
			`PSSWithSHA384,`
			`PSSWithSHA512,`
			`PKCS1WithSHA256,`
			`PKCS1WithSHA384,`
			`PKCS1WithSHA512,`
			`ECDSAWithP384AndSHA384,`
			`ECDSAWithP521AndSHA512,`
			`}`
			`allowedCipherSuitesFIPS = []uint16{`
			`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,`
			`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,`
			`}`
			`allowedCipherSuitesTLS13FIPS = []uint16{`
			`TLS_AES_128_GCM_SHA256,`
			`TLS_AES_256_GCM_SHA384,`
			`}`
			`)`

			`func isCertificateAllowedFIPS(c *x509.Certificate) bool {`
			`switch k := c.PublicKey.(type) {`
			`case *rsa.PublicKey:`
			`return k.N.BitLen() >= 2048`
			`case *ecdsa.PublicKey:`
			`return k.Curve == elliptic.P256() \|\| k.Curve == elliptic.P384() \|\| k.Curve == elliptic.P521()`
			`case ed25519.PublicKey:`
			`return true`
			`default:`
			`return false`
			`}`
			`}`