crypto/tls: Support TLS 1.3 and Ed25519 signature algorithm in FIPS-mode

reedloden · reedloden · commit db85a0eca426 · 2023-08-30T02:58:14.000-07:00
TLS 1.3 is permitted by NIST SP 800-52 Rev. 2 and will be required starting January 1, 2024. Ed25519 as a signature algorithm is permitted by FIPS 186-5. Fixes #62372.
diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
@@ -17,18 +17,19 @@ func needFIPS() bool {
 
 // fipsMinVersion replaces c.minVersion in FIPS-only mode.
 func fipsMinVersion(c *Config) uint16 {
-	// FIPS requires TLS 1.2.
+	// FIPS required minimum of TLS 1.2 (see NIST SP 800-52).
 	return VersionTLS12
 }
 
 // fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
 func fipsMaxVersion(c *Config) uint16 {
-	// FIPS requires TLS 1.2.
-	return VersionTLS12
+	// FIPS required maximum of TLS 1.3 (see NIST SP 800-52).
+	return VersionTLS13
 }
 
 // default defaultFIPSCurvePreferences is the FIPS-allowed curves,
 // in preference order (most preferable first).
+// See NIST SP 800-186.
 var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}
 
 // fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode.
@@ -49,7 +50,10 @@ func fipsCurvePreferences(c *Config) []CurveID {
 }
 
 // defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.
+// See NIST SP 800-52.
 var defaultCipherSuitesFIPS = []uint16{
+	TLS_AES_128_GCM_SHA256,
+	TLS_AES_256_GCM_SHA384,
 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -76,8 +80,10 @@ func fipsCipherSuites(c *Config) []uint16 {
 }
 
 // fipsSupportedSignatureAlgorithms currently are a subset of
-// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
+// defaultSupportedSignatureAlgorithms without SHA-1.
+// See FIPS 186-5.
 var fipsSupportedSignatureAlgorithms = []SignatureScheme{
+	Ed25519,
 	PSSWithSHA256,
 	PSSWithSHA384,
 	PSSWithSHA512,
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
@@ -52,16 +52,22 @@ func TestBoringServerProtocolVersion(t *testing.T) {
 	test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
 	test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
 	test("VersionTLS12", VersionTLS12, "")
-	test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
+	test("VersionTLS13", VersionTLS13, "")
 }
 
 func isBoringVersion(v uint16) bool {
-	return v == VersionTLS12
+	switch v {
+	case VersionTLS12, VersionTLS13:
+		return true
+	}
+	return false
 }
 
 func isBoringCipherSuite(id uint16) bool {
 	switch id {
-	case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	case TLS_AES_128_GCM_SHA256,
+		TLS_AES_256_GCM_SHA384,
+		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -93,7 +99,8 @@ func isBoringSignatureScheme(alg SignatureScheme) bool {
 	switch alg {
 	default:
 		return false
-	case PKCS1WithSHA256,
+	case Ed25519,
+		PKCS1WithSHA256,
 		ECDSAWithP256AndSHA256,
 		PKCS1WithSHA384,
 		ECDSAWithP384AndSHA384,
