mirror of
https://github.com/minio/minio.git
synced 2024-12-25 06:35:56 -05:00
fips: fix order of elliptic curves (#15141)
This commit fixes the order of elliptic curves. As documented by https://pkg.go.dev/crypto/tls#Config ``` // CurvePreferences contains the elliptic curves that will be used in // an ECDHE handshake, in preference order. If empty, the default will // be used. The client will use the first preference as the type for // its key share in TLS 1.3. This may change in the future. ``` In general, we should prefer `X25519` over the NIST curves. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
cb097e6b0a
commit
825634d24e
@ -134,14 +134,14 @@ func TLSCiphersBackwardCompatible() []uint16 {
|
|||||||
// TLSCurveIDs returns a list of supported elliptic curve IDs
|
// TLSCurveIDs returns a list of supported elliptic curve IDs
|
||||||
// in preference order.
|
// in preference order.
|
||||||
func TLSCurveIDs() []tls.CurveID {
|
func TLSCurveIDs() []tls.CurveID {
|
||||||
curves := []tls.CurveID{tls.CurveP256}
|
var curves []tls.CurveID
|
||||||
|
if !Enabled {
|
||||||
|
curves = append(curves, tls.X25519) // Only enable X25519 in non-FIPS mode
|
||||||
|
}
|
||||||
|
curves = append(curves, tls.CurveP256)
|
||||||
if go18 {
|
if go18 {
|
||||||
// With go1.18 enable P384, P521 newer constant time implementations.
|
// With go1.18 enable P384, P521 newer constant time implementations.
|
||||||
curves = append(curves, []tls.CurveID{tls.CurveP384, tls.CurveP521}...)
|
curves = append(curves, tls.CurveP384, tls.CurveP521)
|
||||||
}
|
|
||||||
if !Enabled {
|
|
||||||
// No-FIPS we enable x25519 as well.
|
|
||||||
curves = append(curves, tls.X25519)
|
|
||||||
}
|
}
|
||||||
return curves
|
return curves
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user