Skip to content

Commit

Permalink
TLS: Add CurvePreferences (to enable kyber768) (#3991)
Browse files Browse the repository at this point in the history 
Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
  • Loading branch information
@Fangliding @RPRX
Fangliding and RPRX authored Nov 11, 2024
1 parent 1ffb8a9 commit 5717774
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 10 deletions.
4 changes: 4 additions & 0 deletions infra/conf/transport_internet.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -456,6 +456,7 @@ type TLSConfig struct {
RejectUnknownSNI bool `json:"rejectUnknownSni"`
PinnedPeerCertificateChainSha256 *[]string `json:"pinnedPeerCertificateChainSha256"`
PinnedPeerCertificatePublicKeySha256 *[]string `json:"pinnedPeerCertificatePublicKeySha256"`
CurvePreferences *StringList `json:"curvePreferences"`
MasterKeyLog string `json:"masterKeyLog"`
}

Expand All @@ -478,6 +479,9 @@ func (c *TLSConfig) Build() (proto.Message, error) {
if c.ALPN != nil && len(*c.ALPN) > 0 {
config.NextProtocol = []string(*c.ALPN)
}
if c.CurvePreferences != nil && len(*c.CurvePreferences) > 0 {
config.CurvePreferences = []string(*c.CurvePreferences)
}
config.EnableSessionResumption = c.EnableSessionResumption
config.DisableSystemRoot = c.DisableSystemRoot
config.MinVersion = c.MinVersion
Expand Down
24 changes: 24 additions & 0 deletions transport/internet/tls/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,10 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
config.ServerName = sn
}

if len(c.CurvePreferences) > 0 {
config.CurvePreferences = ParseCurveName(c.CurvePreferences)
}

if len(config.NextProtos) == 0 {
config.NextProtos = []string{"h2", "http/1.1"}
}
Expand Down Expand Up @@ -429,3 +433,23 @@ func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config {
}
return config
}

func ParseCurveName(curveNames []string) []tls.CurveID {
curveMap := map[string]tls.CurveID{
"curvep256": tls.CurveP256,
"curvep384": tls.CurveP384,
"curvep521": tls.CurveP521,
"x25519": tls.X25519,
"x25519kyber768draft00": 0x6399,
}

var curveIDs []tls.CurveID
for _, name := range curveNames {
if curveID, ok := curveMap[strings.ToLower(name)]; ok {
curveIDs = append(curveIDs, curveID)
} else {
errors.LogWarning(context.Background(), "unsupported curve name: "+name)
}
}
return curveIDs
}
32 changes: 22 additions & 10 deletions transport/internet/tls/config.pb.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions transport/internet/tls/config.proto
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,4 +84,7 @@ message Config {
repeated bytes pinned_peer_certificate_public_key_sha256 = 14;

string master_key_log = 15;

// Lists of string as CurvePreferences values.
repeated string curve_preferences = 16;
}

0 comments on commit 5717774

Please sign in to comment.