Commit e1ea58b7 authored by elcore's avatar elcore Committed by Matt Holt

Customize curve preferences, closes #1117 (#1159)

* Feature Request: #1117

* The order of the curves matter
parent e9ce45ce
...@@ -35,6 +35,9 @@ type Config struct { ...@@ -35,6 +35,9 @@ type Config struct {
// Whether to prefer server cipher suites // Whether to prefer server cipher suites
PreferServerCipherSuites bool PreferServerCipherSuites bool
// The list of preferred curves
CurvePreferences []tls.CurveID
// Client authentication policy // Client authentication policy
ClientAuth tls.ClientAuthType ClientAuth tls.ClientAuthType
...@@ -220,6 +223,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) { ...@@ -220,6 +223,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
config := new(tls.Config) config := new(tls.Config)
ciphersAdded := make(map[uint16]struct{}) ciphersAdded := make(map[uint16]struct{})
curvesAdded := make(map[tls.CurveID]struct{})
configMap := make(configGroup) configMap := make(configGroup)
for i, cfg := range configs { for i, cfg := range configs {
...@@ -264,6 +268,14 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) { ...@@ -264,6 +268,14 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
} }
config.PreferServerCipherSuites = cfg.PreferServerCipherSuites config.PreferServerCipherSuites = cfg.PreferServerCipherSuites
// Union curves
for _, curv := range cfg.CurvePreferences {
if _, ok := curvesAdded[curv]; !ok {
curvesAdded[curv] = struct{}{}
config.CurvePreferences = append(config.CurvePreferences, curv)
}
}
// Go with the widest range of protocol versions // Go with the widest range of protocol versions
if config.MinVersion == 0 || cfg.ProtocolMinVersion < config.MinVersion { if config.MinVersion == 0 || cfg.ProtocolMinVersion < config.MinVersion {
config.MinVersion = cfg.ProtocolMinVersion config.MinVersion = cfg.ProtocolMinVersion
...@@ -441,6 +453,14 @@ var defaultCiphers = []uint16{ ...@@ -441,6 +453,14 @@ var defaultCiphers = []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA,
} }
// Map of supported curves
// https://golang.org/pkg/crypto/tls/#CurveID
var supportedCurvesMap = map[string]tls.CurveID{
"P256": tls.CurveP256,
"P384": tls.CurveP384,
"P521": tls.CurveP521,
}
const ( const (
// HTTPChallengePort is the officially designated port for // HTTPChallengePort is the officially designated port for
// the HTTP challenge. // the HTTP challenge.
......
...@@ -105,6 +105,14 @@ func setupTLS(c *caddy.Controller) error { ...@@ -105,6 +105,14 @@ func setupTLS(c *caddy.Controller) error {
} }
config.Ciphers = append(config.Ciphers, value) config.Ciphers = append(config.Ciphers, value)
} }
case "curves":
for c.NextArg() {
value, ok := supportedCurvesMap[strings.ToUpper(c.Val())]
if !ok {
return c.Errf("Wrong curve name or curve not supported: '%s'", c.Val())
}
config.CurvePreferences = append(config.CurvePreferences, value)
}
case "clients": case "clients":
clientCertList := c.RemainingArgs() clientCertList := c.RemainingArgs()
if len(clientCertList) == 0 { if len(clientCertList) == 0 {
......
...@@ -179,6 +179,18 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) { ...@@ -179,6 +179,18 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) {
if err == nil { if err == nil {
t.Errorf("Expected errors, but no error returned") t.Errorf("Expected errors, but no error returned")
} }
// Test curves wrong params
params = `tls {
curves ab123, cd456, ef789
}`
cfg = new(Config)
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
c = caddy.NewTestController("", params)
err = setupTLS(c)
if err == nil {
t.Errorf("Expected errors, but no error returned")
}
} }
func TestSetupParseWithClientAuth(t *testing.T) { func TestSetupParseWithClientAuth(t *testing.T) {
...@@ -269,6 +281,31 @@ func TestSetupParseWithKeyType(t *testing.T) { ...@@ -269,6 +281,31 @@ func TestSetupParseWithKeyType(t *testing.T) {
} }
} }
func TestSetupParseWithCurves(t *testing.T) {
params := `tls {
curves p256 p384 p521
}`
cfg := new(Config)
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
c := caddy.NewTestController("", params)
err := setupTLS(c)
if err != nil {
t.Errorf("Expected no errors, got: %v", err)
}
if len(cfg.CurvePreferences) != 3 {
t.Errorf("Expected 3 curves, got %v", len(cfg.CurvePreferences))
}
expectedCurveOrder := []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}
for i := range cfg.CurvePreferences {
if cfg.CurvePreferences[i] != expectedCurveOrder[i] {
t.Errorf("Expected %v as curve, got %v", expectedCurveOrder[i], cfg.CurvePreferences[i])
}
}
}
func TestSetupParseWithOneTLSProtocol(t *testing.T) { func TestSetupParseWithOneTLSProtocol(t *testing.T) {
params := `tls { params := `tls {
protocols tls1.2 protocols tls1.2
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment