mirror of
https://github.com/minio/minio.git
synced 2025-01-11 23:13:23 -05:00
fips: fix order of elliptic curves (#15141)
This commit fixes the order of elliptic curves. As documented by https://pkg.go.dev/crypto/tls#Config ``` // CurvePreferences contains the elliptic curves that will be used in // an ECDHE handshake, in preference order. If empty, the default will // be used. The client will use the first preference as the type for // its key share in TLS 1.3. This may change in the future. ``` In general, we should prefer `X25519` over the NIST curves. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
cb097e6b0a
commit
825634d24e
@ -134,14 +134,14 @@ func TLSCiphersBackwardCompatible() []uint16 {
|
||||
// TLSCurveIDs returns a list of supported elliptic curve IDs
|
||||
// in preference order.
|
||||
func TLSCurveIDs() []tls.CurveID {
|
||||
curves := []tls.CurveID{tls.CurveP256}
|
||||
var curves []tls.CurveID
|
||||
if !Enabled {
|
||||
curves = append(curves, tls.X25519) // Only enable X25519 in non-FIPS mode
|
||||
}
|
||||
curves = append(curves, tls.CurveP256)
|
||||
if go18 {
|
||||
// With go1.18 enable P384, P521 newer constant time implementations.
|
||||
curves = append(curves, []tls.CurveID{tls.CurveP384, tls.CurveP521}...)
|
||||
}
|
||||
if !Enabled {
|
||||
// No-FIPS we enable x25519 as well.
|
||||
curves = append(curves, tls.X25519)
|
||||
curves = append(curves, tls.CurveP384, tls.CurveP521)
|
||||
}
|
||||
return curves
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user