caddytls: Support post-quantum key exchange mechanism X25519MLKEM768

Also bump minimum Go version to 1.24.
2025-02-15 20:46:32 +01:00 · 2025-02-11 22:43:54 -07:00 · 2025-02-11 22:43:54 -07:00 · 172136a0a0
commit 172136a0a0
parent 22563a70eb
3 changed files with 21 additions and 27 deletions
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,6 @@
 module github.com/caddyserver/caddy/v2

-go 1.22.3
-
-toolchain go1.23.0
+go 1.24

 require (
 	github.com/BurntSushi/toml v1.4.0
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@ -884,19 +884,17 @@ func setDefaultTLSParams(cfg *tls.Config) {
 	cfg.CipherSuites = append([]uint16{tls.TLS_FALLBACK_SCSV}, cfg.CipherSuites...)

 	if len(cfg.CurvePreferences) == 0 {
-		// We would want to write
-		//
-		//	cfg.CurvePreferences = defaultCurves
-		//
-		// but that would disable the post-quantum key agreement X25519Kyber768
-		// supported in Go 1.23, for which the CurveID is not exported.
-		// Instead, we'll set CurvePreferences to nil, which will enable PQC.
-		// See https://github.com/caddyserver/caddy/issues/6540
-		cfg.CurvePreferences = nil
+		cfg.CurvePreferences = defaultCurves
 	}

 	if cfg.MinVersion == 0 {
+		// crypto/tls docs:
+		// "If EncryptedClientHelloKeys is set, MinVersion, if set, must be VersionTLS13."
+		if cfg.EncryptedClientHelloKeys == nil {
 			cfg.MinVersion = tls.VersionTLS12
+		} else {
+			cfg.MinVersion = tls.VersionTLS13
+		}
 	}
 	if cfg.MaxVersion == 0 {
 		cfg.MaxVersion = tls.VersionTLS13
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@ -81,9 +81,11 @@ func getOptimalDefaultCipherSuites() []uint16 {
 	return defaultCipherSuitesWithoutAESNI
 }

-// SupportedCurves is the unordered map of supported curves.
+// SupportedCurves is the unordered map of supported curves
+// or key exchange mechanisms ("curves" traditionally).
 // https://golang.org/pkg/crypto/tls/#CurveID
 var SupportedCurves = map[string]tls.CurveID{
+	"X25519mlkem768": tls.X25519MLKEM768,
 	"x25519":         tls.X25519,
 	"secp256r1":      tls.CurveP256,
 	"secp384r1":      tls.CurveP384,
@ -100,20 +102,16 @@ var supportedCertKeyTypes = map[string]certmagic.KeyType{
 	"ed25519": certmagic.ED25519,
 }

-// defaultCurves is the list of only the curves we want to use
-// by default, in descending order of preference.
+// defaultCurves is the list of only the curves or key exchange
+// mechanisms we want to use by default. The order is irrelevant.
 //
-// This list should only include curves which are fast by design
-// (e.g. X25519) and those for which an optimized assembly
+// This list should only include mechanisms which are fast by
+// design (e.g. X25519) and those for which an optimized assembly
 // implementation exists (e.g. P256). The latter ones can be
 // found here:
 // https://github.com/golang/go/tree/master/src/crypto/elliptic
-//
-// Temporily we ignore these default, to take advantage of X25519Kyber768
-// in Go's defaults (X25519Kyber768, X25519, P-256, P-384, P-521), which
-// isn't exported. See https://github.com/caddyserver/caddy/issues/6540
-// nolint:unused
 var defaultCurves = []tls.CurveID{
+	tls.X25519MLKEM768,
 	tls.X25519,
 	tls.CurveP256,
 }