aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorBas Westerbaan <[email protected]>2024-08-28 01:08:16 +0200
committerGitHub <[email protected]>2024-08-27 17:08:16 -0600
commitdcbf38d0b370cc0f412157b11961dd0b0e007251 (patch)
tree18c17028280788046a9fcc5b3550275c7574a0da
parent2028da4e74cd41f0f7f94222c6599da1a371d4b8 (diff)
downloadcaddy-dcbf38d0b370cc0f412157b11961dd0b0e007251.tar.gz
caddy-dcbf38d0b370cc0f412157b11961dd0b0e007251.zip
tls: use Go default kex for the moment that include PQC (#6542)
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement method that is enabled by default on Chrome. Go 1.23 does not expose the CurveID, so we cannot add it by specifying it in CurvePreferences. The reason is that X25519Kyber768 is a preliminary key agreement that will be supplanted by X25519MLKEM768. For the moment there is value in enabling it. A consequence of this is that by default Caddy will enable support for P-384 and P-521. This PR also removes the special code to add support for X25519Kyber768 via the Cloudflare Go branch. Cf #6540
-rw-r--r--cmd/caddy/main.go5
-rw-r--r--modules/caddytls/cf.go24
-rw-r--r--modules/caddytls/connpolicy.go10
-rw-r--r--modules/caddytls/values.go5
4 files changed, 19 insertions, 25 deletions
diff --git a/cmd/caddy/main.go b/cmd/caddy/main.go
index 48fa149aa..f1aeda0a4 100644
--- a/cmd/caddy/main.go
+++ b/cmd/caddy/main.go
@@ -1,3 +1,8 @@
+// The below line is required to enable post-quantum key agreement in Go 1.23
+// by default without insisting on setting a minimum version of 1.23 in go.mod.
+// See https://github.com/caddyserver/caddy/issues/6540#issuecomment-2313094905
+//go:debug tlskyber=1
+
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/modules/caddytls/cf.go b/modules/caddytls/cf.go
deleted file mode 100644
index e61a59c09..000000000
--- a/modules/caddytls/cf.go
+++ /dev/null
@@ -1,24 +0,0 @@
-//go:build cfgo
-
-package caddytls
-
-// This file adds support for X25519Kyber768Draft00, a post-quantum
-// key agreement that is currently being rolled out by Chrome [1]
-// and Cloudflare [2,3]. For more context, see the PR [4].
-//
-// [1] https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
-// [2] https://blog.cloudflare.com/post-quantum-for-all/
-// [3] https://blog.cloudflare.com/post-quantum-to-origins/
-// [4] https://github.com/caddyserver/caddy/pull/5852
-
-import (
- "crypto/tls"
-)
-
-func init() {
- SupportedCurves["X25519Kyber768Draft00"] = tls.X25519Kyber768Draft00
- defaultCurves = append(
- []tls.CurveID{tls.X25519Kyber768Draft00},
- defaultCurves...,
- )
-}
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 4ec0e673a..e2890c848 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -841,7 +841,15 @@ func setDefaultTLSParams(cfg *tls.Config) {
cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)
if len(cfg.CurvePreferences) == 0 {
- cfg.CurvePreferences = defaultCurves
+ // We would want to write
+ //
+ // cfg.CurvePreferences = defaultCurves
+ //
+ // but that would disable the post-quantum key agreement X25519Kyber768
+ // supported in Go 1.23, for which the CurveID is not exported.
+ // Instead, we'll set CurvePreferences to nil, which will enable PQC.
+ // See https://github.com/caddyserver/caddy/issues/6540
+ cfg.CurvePreferences = nil
}
if cfg.MinVersion == 0 {
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index 4e8c1adc2..20fe45ff8 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -108,6 +108,11 @@ var supportedCertKeyTypes = map[string]certmagic.KeyType{
// implementation exists (e.g. P256). The latter ones can be
// found here:
// https://github.com/golang/go/tree/master/src/crypto/elliptic
+//
+// Temporily we ignore these default, to take advantage of X25519Kyber768
+// in Go's defaults (X25519Kyber768, X25519, P-256, P-384, P-521), which
+// isn't exported. See https://github.com/caddyserver/caddy/issues/6540
+// nolint:unused
var defaultCurves = []tls.CurveID{
tls.X25519,
tls.CurveP256,