crypto/tls: disable SHA-1 signature algorithms in TLS 1.2

This implements RFC 9155 by removing support for SHA-1 algorithms: - we don't advertise them in ClientHello and CertificateRequest (where supportedSignatureAlgorithms is used directly) - we don't select them in our ServerKeyExchange and CertificateVerify (where supportedSignatureAlgorithms filters signatureSchemesForCertificate) - we reject them in the peer's ServerKeyExchange and CertificateVerify (where we check against the algorithms we advertised in ClientHello and CertificateRequest) Fixes #72883 Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818 Reviewed-on: https://go-review.googlesource.com/c/go/+/658216 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
author: Filippo Valsorda <filippo@golang.org> 2025-03-15 15:12:39 +0100
committer: Gopher Robot <gobot@golang.org> 2025-05-21 15:09:29 -0700
commit: 59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree: db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv10-RSA-RC4
parent: 4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download: go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz
1 files changed, 24 insertions, 25 deletions
diff --git a/src/crypto/tls/testdata/Client-TLSv10-RSA-RC4 b/src/crypto/tls/testdata/Client-TLSv10-RSA-RC4
index cf9ec918eb..c217b1112a 100644
--- a/src/crypto/tls/testdata/Client-TLSv10-RSA-RC4
+++ b/src/crypto/tls/testdata/Client-TLSv10-RSA-RC4
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 1c 01 00 01  18 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 18 01 00 01  14 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,23 +7,22 @@
 00000050  cc a8 c0 2b c0 2f c0 2c  c0 30 c0 09 c0 13 c0 0a  |...+./.,.0......|
 00000060  c0 14 00 9c 00 9d 00 2f  00 35 c0 12 00 0a c0 23  |......./.5.....#|
 00000070  c0 27 00 3c c0 07 c0 11  00 05 13 03 13 01 13 02  |.'.<............|
-00000080  01 00 00 9d 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
+00000080  01 00 00 99 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
 00000090  17 00 00 00 12 00 00 00  05 00 05 01 00 00 00 00  |................|
 000000a0  00 0a 00 0a 00 08 00 1d  00 17 00 18 00 19 00 0d  |................|
-000000b0  00 1a 00 18 08 04 04 03  08 07 08 05 08 06 04 01  |................|
-000000c0  05 01 06 01 05 03 06 03  02 01 02 03 00 32 00 1a  |.............2..|
-000000d0  00 18 08 04 04 03 08 07  08 05 08 06 04 01 05 01  |................|
-000000e0  06 01 05 03 06 03 02 01  02 03 00 2b 00 09 08 03  |...........+....|
-000000f0  04 03 03 03 02 03 01 00  33 00 26 00 24 00 1d 00  |........3.&.$...|
-00000100  20 2f e5 7d a3 47 cd 62  43 15 28 da ac 5f bb 29  | /.}.G.bC.(.._.)|
-00000110  07 30 ff f6 84 af c4 cf  c2 ed 90 99 5f 58 cb 3b  |.0.........._X.;|
-00000120  74                                                |t|
+000000b0  00 16 00 14 08 04 04 03  08 07 08 05 08 06 04 01  |................|
+000000c0  05 01 06 01 05 03 06 03  00 32 00 1a 00 18 08 04  |.........2......|
+000000d0  04 03 08 07 08 05 08 06  04 01 05 01 06 01 05 03  |................|
+000000e0  06 03 02 01 02 03 00 2b  00 09 08 03 04 03 03 03  |.......+........|
+000000f0  02 03 01 00 33 00 26 00  24 00 1d 00 20 2f e5 7d  |....3.&.$... /.}|
+00000100  a3 47 cd 62 43 15 28 da  ac 5f bb 29 07 30 ff f6  |.G.bC.(.._.).0..|
+00000110  84 af c4 cf c2 ed 90 99  5f 58 cb 3b 74           |........_X.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 01 00 55 02 00 00  51 03 01 2a bd da 4f 4d  |....U...Q..*..OM|
-00000010  29 da 36 8a ab 13 02 82  da 2e 53 56 77 18 69 8a  |).6.......SVw.i.|
-00000020  52 ab b2 36 83 38 80 ca  5b 10 38 20 66 2c a6 cf  |R..6.8..[.8 f,..|
-00000030  90 d0 b5 23 0a 4f ac d8  04 09 b3 3a 87 56 f5 8e  |...#.O.....:.V..|
-00000040  68 11 9c 41 2c 3e 14 ea  b8 ad e3 c4 00 05 00 00  |h..A,>..........|
+00000000  16 03 01 00 55 02 00 00  51 03 01 6a dd d7 0d bb  |....U...Q..j....|
+00000010  bd b4 9c de 87 94 32 27  fa 4b 66 e0 8b 95 f2 11  |......2'.Kf.....|
+00000020  a0 a5 30 15 34 6f 76 6b  f7 23 ec 20 ef 7d 52 7d  |..0.4ovk.#. .}R}|
+00000030  2c 3b 30 1b f2 16 e7 8f  b6 62 64 79 51 5b 31 36  |,;0......bdyQ[16|
+00000040  b7 59 b1 f9 d5 26 d6 21  94 ff 7f bd 00 05 00 00  |.Y...&.!........|
 00000050  09 ff 01 00 01 00 00 17  00 00 16 03 01 02 59 0b  |..............Y.|
 00000060  00 02 55 00 02 52 00 02  4f 30 82 02 4b 30 82 01  |..U..R..O0..K0..|
 00000070  b4 a0 03 02 01 02 02 09  00 e8 f0 9d 3f e2 5b ea  |............?.[.|
@@ -74,15 +73,15 @@
 00000060  c5 70 0f 08 83 48 e9 48  ef 6e 50 8b 05 7e e5 84  |.p...H.H.nP..~..|
 00000070  25 fa 55 c7 ae 31 02 27  00 ef 3f 98 86 20 12 89  |%.U..1.'..?.. ..|
 00000080  91 59 28 b4 f7 d7 af d2  69 61 35 14 03 01 00 01  |.Y(.....ia5.....|
-00000090  01 16 03 01 00 24 e7 0e  d1 a9 78 47 47 d3 9e c7  |.....$....xGG...|
-000000a0  76 6d f7 e7 5e b6 df ff  e0 e8 2f a6 9d b4 70 eb  |vm..^...../...p.|
-000000b0  06 00 c9 0e 42 f6 3f 2f  23 83                    |....B.?/#.|
+00000090  01 16 03 01 00 24 0e 49  42 d7 a8 ca 08 09 a6 63  |.....$.IB......c|
+000000a0  0f b1 4b 06 30 37 5e cb  3a c8 d6 ce f9 9c bf 2f  |..K.07^.:....../|
+000000b0  4a c1 c7 fb 2e 02 a6 b0  de ed                    |J.........|
 >>> Flow 4 (server to client)
-00000000  14 03 01 00 01 01 16 03  01 00 24 3f 6d ab 1f 62  |..........$?m..b|
-00000010  0c 70 c8 df ea 23 f2 36  cf a3 01 89 f2 c4 d6 56  |.p...#.6.......V|
-00000020  59 ac 59 13 24 40 31 19  2b 66 ad d3 5d b7 a4     |Y.Y.$@1.+f..]..|
+00000000  14 03 01 00 01 01 16 03  01 00 24 ea 96 7b ce ae  |..........$..{..|
+00000010  69 a8 0d 6d 0c af a7 4f  5f 27 8d 2a 99 38 18 5a  |i..m...O_'.*.8.Z|
+00000020  f4 4f 67 56 0a 6a f5 fc  f5 ee a0 44 01 b0 d0     |.OgV.j.....D...|
 >>> Flow 5 (client to server)
-00000000  17 03 01 00 1a a0 8c 45  7f 0d 75 48 6f 15 7b af  |.......E..uHo.{.|
-00000010  6c e5 d2 10 c6 f2 ba 1e  09 50 83 40 f2 96 7c 15  |l........P.@..|.|
-00000020  03 01 00 16 53 b3 bd 98  38 ed 20 35 0a 5a 03 f3  |....S...8. 5.Z..|
-00000030  49 5c 69 85 4d ae 7e f9  fc 9d                    |I\i.M.~...|
+00000000  17 03 01 00 1a d3 71 0b  8e 0d d4 e0 06 04 e2 30  |......q........0|
+00000010  59 2c fe 84 81 45 1c e4  59 90 b1 b1 11 85 cb 15  |Y,...E..Y.......|
+00000020  03 01 00 16 ad 5d 98 96  4e 9d 83 af b0 50 64 77  |.....]..N....Pdw|
+00000030  62 a1 2b 1a 63 59 16 9e  60 da                    |b.+.cY..`.|
author	Filippo Valsorda <filippo@golang.org>	2025-03-15 15:12:39 +0100
committer	Gopher Robot <gobot@golang.org>	2025-05-21 15:09:29 -0700
commit	59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree	db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv10-RSA-RC4
parent	4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download	go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz