Browse Source

tls: don't set the deprecated tls.Config.PreferServerCipherSuites field (#1845)

The field has been deprecated since Go 1.17.
pull/1853/head
Marten Seemann 2 years ago
committed by GitHub
parent
commit
277b96e421
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 33
      p2p/security/tls/crypto.go

33
p2p/security/tls/crypto.go

@ -16,8 +16,6 @@ import (
"runtime/debug"
"time"
"golang.org/x/sys/cpu"
ic "github.com/libp2p/go-libp2p/core/crypto"
"github.com/libp2p/go-libp2p/core/peer"
)
@ -75,11 +73,10 @@ func NewIdentity(privKey ic.PrivKey, opts ...IdentityOption) (*Identity, error)
}
return &Identity{
config: tls.Config{
MinVersion: tls.VersionTLS13,
PreferServerCipherSuites: preferServerCipherSuites(),
InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
ClientAuth: tls.RequireAnyClientCert,
Certificates: []tls.Certificate{*cert},
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: true, // This is not insecure here. We will verify the cert chain ourselves.
ClientAuth: tls.RequireAnyClientCert,
Certificates: []tls.Certificate{*cert},
VerifyPeerCertificate: func(_ [][]byte, _ [][]*x509.Certificate) error {
panic("tls config not specialized for peer")
},
@ -271,25 +268,3 @@ func certTemplate() (*x509.Certificate, error) {
Subject: pkix.Name{SerialNumber: subjectSN.String()},
}, nil
}
// We want nodes without AES hardware (e.g. ARM) support to always use ChaCha.
// Only if both nodes have AES hardware support (e.g. x86), AES should be used.
// x86->x86: AES, ARM->x86: ChaCha, x86->ARM: ChaCha and ARM->ARM: Chacha
// This function returns true if we don't have AES hardware support, and false otherwise.
// Thus, ARM servers will always use their own cipher suite preferences (ChaCha first),
// and x86 servers will always use the client's cipher suite preferences.
func preferServerCipherSuites() bool {
// Copied from the Go TLS implementation.
// Check the cpu flags for each platform that has optimized GCM implementations.
// Worst case, these variables will just all be false.
var (
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
// Keep in sync with crypto/aes/cipher_s390x.go.
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
)
return !hasGCMAsm
}

Loading…
Cancel
Save