caddytls: Update cipher suite names and curve names

Now using IANA-compliant names and Go 1.14's CipherSuites() function so we don't have to maintain our own mapping of currently-secure cipher suites.
2024-12-16 21:56:40 -05:00 · 2020-04-01 14:09:29 -06:00 · 2020-04-01 14:09:29 -06:00 · ce3ca541d8
commit ce3ca541d8
parent 581f1defcb
4 changed files with 33 additions and 40 deletions
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@ -166,7 +166,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {

 			case "ciphers":
 				for h.NextArg() {
-					if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok {
+					if !caddytls.CipherSuiteNameSupported(h.Val()) {
 						return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
 					}
 					cp.CipherSuites = append(cp.CipherSuites, h.Val())
--- a/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
+++ b/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
@ -274,9 +274,9 @@ func (t Transport) buildEnv(r *http.Request) (map[string]string, error) {
 			env["SSL_PROTOCOL"] = v
 		}
 		// and pass the cipher suite in a manner compatible with apache's mod_ssl
-		for k, v := range caddytls.SupportedCipherSuites {
-			if v == r.TLS.CipherSuite {
-				env["SSL_CIPHER"] = k
+		for _, cs := range caddytls.SupportedCipherSuites() {
+			if cs.ID == r.TLS.CipherSuite {
+				env["SSL_CIPHER"] = cs.Name
 				break
 			}
 		}
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@ -214,7 +214,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 	// add all the cipher suites in order, without duplicates
 	cipherSuitesAdded := make(map[uint16]struct{})
 	for _, csName := range p.CipherSuites {
-		csID := SupportedCipherSuites[csName]
+		csID := CipherSuiteID(csName)
+		if csID == 0 {
+			return fmt.Errorf("unsupported cipher suite: %s", csName)
+		}
 		if _, ok := cipherSuitesAdded[csID]; !ok {
 			cipherSuitesAdded[csID] = struct{}{}
 			cfg.CipherSuites = append(cfg.CipherSuites, csID)
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@ -23,35 +23,27 @@ import (
 	"github.com/klauspost/cpuid"
 )

-// SupportedCipherSuites is the unordered map of cipher suite
-// string names to their definition in crypto/tls. All values
-// should be IANA-reserved names. See
-// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
-// Two of the cipher suite constants in the standard lib do not use the
-// full IANA name, but we do; see:
-// https://github.com/golang/go/issues/32061 and
-// https://github.com/golang/go/issues/30325#issuecomment-512862374.
-// TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
-var SupportedCipherSuites = map[string]uint16{
-	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_GCM_SHA256":               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-	"TLS_RSA_WITH_AES_256_GCM_SHA384":               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-	"TLS_RSA_WITH_AES_256_CBC_SHA":                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-	"TLS_RSA_WITH_AES_128_CBC_SHA256":               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-	"TLS_RSA_WITH_AES_128_CBC_SHA":                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+// CipherSuiteNameSupported returns true if name is
+// a supported cipher suite.
+func CipherSuiteNameSupported(name string) bool {
+	return CipherSuiteID(name) != 0
+}
+
+// CipherSuiteID returns the ID of the cipher suite associated with
+// the given name, or 0 if the name is not recognized/supported.
+func CipherSuiteID(name string) uint16 {
+	for _, cs := range SupportedCipherSuites() {
+		if cs.Name == name {
+			return cs.ID
+		}
+	}
+	return 0
+}
+
+// SupportedCipherSuites returns a list of all the cipher suites
+// Caddy supports. The list is NOT ordered by security preference.
+func SupportedCipherSuites() []*tls.CipherSuite {
+	return tls.CipherSuites()
 }

 // defaultCipherSuites is the ordered list of all the cipher
@ -92,12 +84,10 @@ func getOptimalDefaultCipherSuites() []uint16 {
 // SupportedCurves is the unordered map of supported curves.
 // https://golang.org/pkg/crypto/tls/#CurveID
 var SupportedCurves = map[string]tls.CurveID{
-	// TODO: Use IANA names, probably? see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
-	// All named crypto/elliptic curves have secpXXXr1 IANA names.
-	"x25519": tls.X25519,    // x25519, 29
-	"p256":   tls.CurveP256, // secp256r1, 23
-	"p384":   tls.CurveP384, // secp384r1, 24
-	"p521":   tls.CurveP521, // secp521r1, 25
+	"x25519":    tls.X25519,
+	"secp256r1": tls.CurveP256,
+	"secp384r1": tls.CurveP384,
+	"secp521r1": tls.CurveP521,
 }

 // supportedCertKeyTypes is all the key types that are supported