From 825634d24e6256de5abb8cfee6e8c56af6e11384 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Wed, 22 Jun 2022 17:09:28 +0200
Subject: [PATCH] fips: fix order of elliptic curves (#15141)

This commit fixes the order of elliptic curves. As documented by https://pkg.go.dev/crypto/tls#Config
```
// CurvePreferences contains the elliptic curves that will be used in
// an ECDHE handshake, in preference order. If empty, the default will
// be used. The client will use the first preference as the type for
// its key share in TLS 1.3. This may change in the future.
```
In general, we should prefer `X25519` over the NIST curves.

Signed-off-by: Andreas Auernhammer
---
 internal/fips/api.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/internal/fips/api.go b/internal/fips/api.go
index cbb64fef3..388d98c14 100644
--- a/internal/fips/api.go
+++ b/internal/fips/api.go
@@ -134,14 +134,14 @@ func TLSCiphersBackwardCompatible() []uint16 {
 // TLSCurveIDs returns a list of supported elliptic curve IDs
 // in preference order.
 func TLSCurveIDs() []tls.CurveID {
- curves := []tls.CurveID{tls.CurveP256}
+ var curves []tls.CurveID
+ if !Enabled {
+ curves = append(curves, tls.X25519) // Only enable X25519 in non-FIPS mode
+ }
+ curves = append(curves, tls.CurveP256)
 if go18 {
 // With go1.18 enable P384, P521 newer constant time implementations.
- curves = append(curves, []tls.CurveID{tls.CurveP384, tls.CurveP521}...)
- }
- if !Enabled {
- // No-FIPS we enable x25519 as well.
- curves = append(curves, tls.X25519)
+ curves = append(curves, tls.CurveP384, tls.CurveP521)
 }
 return curves
 }
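Review bot: The X25519-first ordering that this commit exists to establish is not pinned by a test — the diffstat shows only internal/fips/api.go changed — so a later edit to TLSCurveIDs could quietly put a NIST curve back in front, which matters because the first entry is what the client sends as its TLS 1.3 key share. A small table test over the Enabled/go18 combinations asserting that `TLSCurveIDs()[0] == tls.X25519` when FIPS is off, that X25519 is absent when FIPS is on, and that P256 always precedes P384/P521 would close that gap. The doc comment above the function still only says "in preference order"; since the mode now changes the set and not just the order, I would extend it to `// TLSCurveIDs returns the supported elliptic curve IDs in preference order.` followed by `// X25519 is listed first when FIPS mode is disabled; in FIPS mode only the NIST curves are returned.` As a minor style point, `curves := make([]tls.CurveID, 0, 4)` instead of `var curves []tls.CurveID` avoids the growth copies in the appends, though the function is not on a hot path.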