crypto/tls: disable SHA-1 signature algorithms in TLS 1.2

This implements RFC 9155 by removing support for SHA-1 algorithms: - we don't advertise them in ClientHello and CertificateRequest (where supportedSignatureAlgorithms is used directly) - we don't select them in our ServerKeyExchange and CertificateVerify (where supportedSignatureAlgorithms filters signatureSchemesForCertificate) - we reject them in the peer's ServerKeyExchange and CertificateVerify (where we check against the algorithms we advertised in ClientHello and CertificateRequest) Fixes #72883 Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818 Reviewed-on: https://go-review.googlesource.com/c/go/+/658216 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
author: Filippo Valsorda <filippo@golang.org> 2025-03-15 15:12:39 +0100
committer: Gopher Robot <gobot@golang.org> 2025-05-21 15:09:29 -0700
commit: 59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree: db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv11-RSA-RC4
parent: 4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download: go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz
1 files changed, 24 insertions, 25 deletions
diff --git a/src/crypto/tls/testdata/Client-TLSv11-RSA-RC4 b/src/crypto/tls/testdata/Client-TLSv11-RSA-RC4
index bb770e61b1..64b06a8f17 100644
--- a/src/crypto/tls/testdata/Client-TLSv11-RSA-RC4
+++ b/src/crypto/tls/testdata/Client-TLSv11-RSA-RC4
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 1c 01 00 01  18 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 18 01 00 01  14 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,23 +7,22 @@
 00000050  cc a8 c0 2b c0 2f c0 2c  c0 30 c0 09 c0 13 c0 0a  |...+./.,.0......|
 00000060  c0 14 00 9c 00 9d 00 2f  00 35 c0 12 00 0a c0 23  |......./.5.....#|
 00000070  c0 27 00 3c c0 07 c0 11  00 05 13 03 13 01 13 02  |.'.<............|
-00000080  01 00 00 9d 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
+00000080  01 00 00 99 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
 00000090  17 00 00 00 12 00 00 00  05 00 05 01 00 00 00 00  |................|
 000000a0  00 0a 00 0a 00 08 00 1d  00 17 00 18 00 19 00 0d  |................|
-000000b0  00 1a 00 18 08 04 04 03  08 07 08 05 08 06 04 01  |................|
-000000c0  05 01 06 01 05 03 06 03  02 01 02 03 00 32 00 1a  |.............2..|
-000000d0  00 18 08 04 04 03 08 07  08 05 08 06 04 01 05 01  |................|
-000000e0  06 01 05 03 06 03 02 01  02 03 00 2b 00 09 08 03  |...........+....|
-000000f0  04 03 03 03 02 03 01 00  33 00 26 00 24 00 1d 00  |........3.&.$...|
-00000100  20 2f e5 7d a3 47 cd 62  43 15 28 da ac 5f bb 29  | /.}.G.bC.(.._.)|
-00000110  07 30 ff f6 84 af c4 cf  c2 ed 90 99 5f 58 cb 3b  |.0.........._X.;|
-00000120  74                                                |t|
+000000b0  00 16 00 14 08 04 04 03  08 07 08 05 08 06 04 01  |................|
+000000c0  05 01 06 01 05 03 06 03  00 32 00 1a 00 18 08 04  |.........2......|
+000000d0  04 03 08 07 08 05 08 06  04 01 05 01 06 01 05 03  |................|
+000000e0  06 03 02 01 02 03 00 2b  00 09 08 03 04 03 03 03  |.......+........|
+000000f0  02 03 01 00 33 00 26 00  24 00 1d 00 20 2f e5 7d  |....3.&.$... /.}|
+00000100  a3 47 cd 62 43 15 28 da  ac 5f bb 29 07 30 ff f6  |.G.bC.(.._.).0..|
+00000110  84 af c4 cf c2 ed 90 99  5f 58 cb 3b 74           |........_X.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 02 00 55 02 00 00  51 03 02 fa ec 74 4b af  |....U...Q....tK.|
-00000010  f7 bb 7c 03 0a 35 f9 91  1e 62 c8 d7 9d b0 cc 29  |..|..5...b.....)|
-00000020  0c 67 f1 a9 c6 be ff aa  ee 45 2c 20 7e 02 45 29  |.g.......E, ~.E)|
-00000030  e8 01 2c 76 c9 49 9c bf  ca b7 0c b0 86 69 2a d0  |..,v.I.......i*.|
-00000040  34 59 2c 16 b1 bd 67 1a  e8 f9 97 3d 00 05 00 00  |4Y,...g....=....|
+00000000  16 03 02 00 55 02 00 00  51 03 02 3d a4 ea 71 81  |....U...Q..=..q.|
+00000010  c9 47 24 2b 53 22 83 07  df 5a 9e 76 ef ca d8 1b  |.G$+S"...Z.v....|
+00000020  1f 16 15 cd 7e e4 62 93  1e 5d a7 20 9d ac ea 5a  |....~.b..]. ...Z|
+00000030  9e e3 7c 14 94 9d 1b 9e  2a 7b 2d 80 55 85 2f 9e  |..|.....*{-.U./.|
+00000040  ed 17 20 79 66 a2 6c 88  81 cb b0 79 00 05 00 00  |.. yf.l....y....|
 00000050  09 ff 01 00 01 00 00 17  00 00 16 03 02 02 59 0b  |..............Y.|
 00000060  00 02 55 00 02 52 00 02  4f 30 82 02 4b 30 82 01  |..U..R..O0..K0..|
 00000070  b4 a0 03 02 01 02 02 09  00 e8 f0 9d 3f e2 5b ea  |............?.[.|
@@ -74,15 +73,15 @@
 00000060  c5 70 0f 08 83 48 e9 48  ef 6e 50 8b 05 7e e5 84  |.p...H.H.nP..~..|
 00000070  25 fa 55 c7 ae 31 02 27  00 ef 3f 98 86 20 12 89  |%.U..1.'..?.. ..|
 00000080  91 59 28 b4 f7 d7 af d2  69 61 35 14 03 02 00 01  |.Y(.....ia5.....|
-00000090  01 16 03 02 00 24 8b f8  3f ae 9d 41 27 8e 52 ca  |.....$..?..A'.R.|
-000000a0  75 8c 1b 76 fa 20 4f 7f  97 62 ac a6 85 33 71 32  |u..v. O..b...3q2|
-000000b0  34 8d 4b e3 d4 a1 a0 bc  9c 29                    |4.K......)|
+00000090  01 16 03 02 00 24 30 52  7f 8a 5c 3a 31 65 87 8c  |.....$0R..\:1e..|
+000000a0  9e 31 8f b1 22 15 ed af  99 6c 19 47 46 fd e1 3b  |.1.."....l.GF..;|
+000000b0  b3 f4 3a 5b d8 e5 a6 1a  7c 5e                    |..:[....|^|
 >>> Flow 4 (server to client)
-00000000  14 03 02 00 01 01 16 03  02 00 24 1d d6 e8 70 53  |..........$...pS|
-00000010  f2 9e 4f ce 5f 35 4e 8d  41 1f 78 9a 72 79 2b cc  |..O._5N.A.x.ry+.|
-00000020  17 cd 48 16 b0 69 8b 41  b7 5a c6 df ec f6 5d     |..H..i.A.Z....]|
+00000000  14 03 02 00 01 01 16 03  02 00 24 c1 5d da 6d 6e  |..........$.].mn|
+00000010  55 3e 70 a4 52 15 d9 ba  88 a1 b7 f0 40 71 09 fa  |U>p.R.......@q..|
+00000020  3f 00 6f 39 72 88 89 a1  3d cf 7a 7a 97 15 b7     |?.o9r...=.zz...|
 >>> Flow 5 (client to server)
-00000000  17 03 02 00 1a 69 a6 2b  fe 20 e2 2e e6 b2 ed 03  |.....i.+. ......|
-00000010  92 ae e0 ff 84 56 12 f3  60 01 92 c0 f3 0e 8f 15  |.....V..`.......|
-00000020  03 02 00 16 d1 05 c5 6f  f3 3c 18 63 2b 9c 68 39  |.......o.<.c+.h9|
-00000030  c4 45 90 f1 ef 3f e1 00  2f 78                    |.E...?../x|
+00000000  17 03 02 00 1a 56 ea a4  ed 0f 9d 98 3b 48 bc 76  |.....V......;H.v|
+00000010  35 3f fb 78 92 d9 ce ef  53 b2 ef a6 13 9a 4c 15  |5?.x....S.....L.|
+00000020  03 02 00 16 b5 41 d0 98  50 73 73 90 c0 fe ec 11  |.....A..Pss.....|
+00000030  ec 98 d5 fb 02 c0 11 11  29 1c                    |........).|
author	Filippo Valsorda <filippo@golang.org>	2025-03-15 15:12:39 +0100
committer	Gopher Robot <gobot@golang.org>	2025-05-21 15:09:29 -0700
commit	59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree	db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv11-RSA-RC4
parent	4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download	go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz