crypto/tls: disable SHA-1 signature algorithms in TLS 1.2

This implements RFC 9155 by removing support for SHA-1 algorithms: - we don't advertise them in ClientHello and CertificateRequest (where supportedSignatureAlgorithms is used directly) - we don't select them in our ServerKeyExchange and CertificateVerify (where supportedSignatureAlgorithms filters signatureSchemesForCertificate) - we reject them in the peer's ServerKeyExchange and CertificateVerify (where we check against the algorithms we advertised in ClientHello and CertificateRequest) Fixes #72883 Change-Id: I6a6a4656e2aafd2c38cdd32090d3d8a9a8047818 Reviewed-on: https://go-review.googlesource.com/c/go/+/658216 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
author: Filippo Valsorda <filippo@golang.org> 2025-03-15 15:12:39 +0100
committer: Gopher Robot <gobot@golang.org> 2025-05-21 15:09:29 -0700
commit: 59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree: db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv12-RSA-RC4
parent: 4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download: go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz
1 files changed, 24 insertions, 25 deletions
diff --git a/src/crypto/tls/testdata/Client-TLSv12-RSA-RC4 b/src/crypto/tls/testdata/Client-TLSv12-RSA-RC4
index 1bc33d7451..faa48c7843 100644
--- a/src/crypto/tls/testdata/Client-TLSv12-RSA-RC4
+++ b/src/crypto/tls/testdata/Client-TLSv12-RSA-RC4
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 1c 01 00 01  18 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 18 01 00 01  14 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,23 +7,22 @@
 00000050  cc a8 c0 2b c0 2f c0 2c  c0 30 c0 09 c0 13 c0 0a  |...+./.,.0......|
 00000060  c0 14 00 9c 00 9d 00 2f  00 35 c0 12 00 0a c0 23  |......./.5.....#|
 00000070  c0 27 00 3c c0 07 c0 11  00 05 13 03 13 01 13 02  |.'.<............|
-00000080  01 00 00 9d 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
+00000080  01 00 00 99 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
 00000090  17 00 00 00 12 00 00 00  05 00 05 01 00 00 00 00  |................|
 000000a0  00 0a 00 0a 00 08 00 1d  00 17 00 18 00 19 00 0d  |................|
-000000b0  00 1a 00 18 08 04 04 03  08 07 08 05 08 06 04 01  |................|
-000000c0  05 01 06 01 05 03 06 03  02 01 02 03 00 32 00 1a  |.............2..|
-000000d0  00 18 08 04 04 03 08 07  08 05 08 06 04 01 05 01  |................|
-000000e0  06 01 05 03 06 03 02 01  02 03 00 2b 00 09 08 03  |...........+....|
-000000f0  04 03 03 03 02 03 01 00  33 00 26 00 24 00 1d 00  |........3.&.$...|
-00000100  20 2f e5 7d a3 47 cd 62  43 15 28 da ac 5f bb 29  | /.}.G.bC.(.._.)|
-00000110  07 30 ff f6 84 af c4 cf  c2 ed 90 99 5f 58 cb 3b  |.0.........._X.;|
-00000120  74                                                |t|
+000000b0  00 16 00 14 08 04 04 03  08 07 08 05 08 06 04 01  |................|
+000000c0  05 01 06 01 05 03 06 03  00 32 00 1a 00 18 08 04  |.........2......|
+000000d0  04 03 08 07 08 05 08 06  04 01 05 01 06 01 05 03  |................|
+000000e0  06 03 02 01 02 03 00 2b  00 09 08 03 04 03 03 03  |.......+........|
+000000f0  02 03 01 00 33 00 26 00  24 00 1d 00 20 2f e5 7d  |....3.&.$... /.}|
+00000100  a3 47 cd 62 43 15 28 da  ac 5f bb 29 07 30 ff f6  |.G.bC.(.._.).0..|
+00000110  84 af c4 cf c2 ed 90 99  5f 58 cb 3b 74           |........_X.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 55 02 00 00  51 03 03 e6 2c 7a 70 96  |....U...Q...,zp.|
-00000010  c0 bf e7 e6 2e 51 35 c7  3e 0a 4c 1e 2a 0b 54 08  |.....Q5.>.L.*.T.|
-00000020  57 e1 66 22 94 26 fe df  ce 7e bf 20 26 07 f0 81  |W.f".&...~. &...|
-00000030  7d 73 2c 70 6f d1 1b 85  f5 af 97 7e 5b 3f 5e a0  |}s,po......~[?^.|
-00000040  fc 9b 7d 5a c3 e2 05 30  b5 f5 47 05 00 05 00 00  |..}Z...0..G.....|
+00000000  16 03 03 00 55 02 00 00  51 03 03 c4 5b d6 0f d4  |....U...Q...[...|
+00000010  64 3a 37 34 a3 84 9d 3d  1b 33 c3 d4 4f 42 f7 3a  |d:74...=.3..OB.:|
+00000020  e8 da 8c 8b 97 1a e5 f4  56 a4 bd 20 03 30 25 fd  |........V.. .0%.|
+00000030  d9 01 7a 7c b8 9d 63 f0  a3 7a 1c 00 6b 75 16 d8  |..z|..c..z..ku..|
+00000040  68 5c 7a 8d 4a ae ed 52  fc 92 e5 03 00 05 00 00  |h\z.J..R........|
 00000050  09 ff 01 00 01 00 00 17  00 00 16 03 03 02 59 0b  |..............Y.|
 00000060  00 02 55 00 02 52 00 02  4f 30 82 02 4b 30 82 01  |..U..R..O0..K0..|
 00000070  b4 a0 03 02 01 02 02 09  00 e8 f0 9d 3f e2 5b ea  |............?.[.|
@@ -74,15 +73,15 @@
 00000060  c5 70 0f 08 83 48 e9 48  ef 6e 50 8b 05 7e e5 84  |.p...H.H.nP..~..|
 00000070  25 fa 55 c7 ae 31 02 27  00 ef 3f 98 86 20 12 89  |%.U..1.'..?.. ..|
 00000080  91 59 28 b4 f7 d7 af d2  69 61 35 14 03 03 00 01  |.Y(.....ia5.....|
-00000090  01 16 03 03 00 24 ad c5  35 7b 7c 74 c7 24 58 ef  |.....$..5{|t.$X.|
-000000a0  55 3f 8d c1 52 97 f8 91  93 46 02 ff cf 06 00 ba  |U?..R....F......|
-000000b0  26 91 ec c4 91 23 60 b2  c8 77                    |&....#`..w|
+00000090  01 16 03 03 00 24 83 66  73 cf 08 6f c7 29 1b ea  |.....$.fs..o.)..|
+000000a0  86 aa 02 66 2d d9 d4 7b  19 0d cc e5 9e dc e9 20  |...f-..{....... |
+000000b0  d9 62 82 59 bd e9 91 6b  90 62                    |.b.Y...k.b|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 24 e6 06 60 54 3e  |..........$..`T>|
-00000010  39 d8 22 df 83 a7 7a 4d  b4 63 03 77 3d 5d e8 06  |9."...zM.c.w=]..|
-00000020  6f fe 0a 70 4b b3 82 cc  a8 aa 48 2e f2 72 7b     |o..pK.....H..r{|
+00000000  14 03 03 00 01 01 16 03  03 00 24 ef bb 0c 3b fb  |..........$...;.|
+00000010  4e 36 53 b9 fa d4 c3 d0  37 5e 2b 22 a2 12 b6 9e  |N6S.....7^+"....|
+00000020  1c a3 f7 93 74 60 38 18  f1 cc 72 e4 ba 1a 3d     |....t`8...r...=|
 >>> Flow 5 (client to server)
-00000000  17 03 03 00 1a e5 e3 38  a3 34 e4 02 f1 c4 96 14  |.......8.4......|
-00000010  13 fb 50 7d 6a 26 cf 49  f8 d6 e5 f0 d8 7c b5 15  |..P}j&.I.....|..|
-00000020  03 03 00 16 a4 cd 6c b6  b2 45 d7 35 df 56 ba ae  |......l..E.5.V..|
-00000030  a9 41 09 85 67 bb 16 c0  3e d0                    |.A..g...>.|
+00000000  17 03 03 00 1a 62 a3 b3  3a 89 25 05 89 bc 5a 21  |.....b..:.%...Z!|
+00000010  30 61 84 b0 97 52 26 a2  18 87 25 43 17 1a 52 15  |0a...R&...%C..R.|
+00000020  03 03 00 16 97 d6 18 0c  30 b3 9b 8f 2b f1 f9 3f  |........0...+..?|
+00000030  c7 8d a2 e1 ff 36 0c d6  c2 f1                    |.....6....|
author	Filippo Valsorda <filippo@golang.org>	2025-03-15 15:12:39 +0100
committer	Gopher Robot <gobot@golang.org>	2025-05-21 15:09:29 -0700
commit	59211acb5dbde14647e025eb7379675debcf3930 (patch)
tree	db98ad31b32d59f381e701cadda32590233d096c /src/crypto/tls/testdata/Client-TLSv12-RSA-RC4
parent	4158ca8d7c521aee5cc48f285f559e74845e973c (diff)
download	go-59211acb5dbde14647e025eb7379675debcf3930.tar.xz