From 345a0542c79e70cb4a76be76ee9968c7a882972d Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Fri, 26 Sep 2025 05:21:09 -0700
Subject: [PATCH 1/4] Export tlscommon.TLSCurveType

---
 transport/tlscommon/config.go | 2 +-
 transport/tlscommon/server_config.go | 2 +-
 transport/tlscommon/types.go | 22 +++++++++++-----------
 transport/tlscommon/types_test.go | 10 +++++-----
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/transport/tlscommon/config.go b/transport/tlscommon/config.go
index ad0f8db..de1c06d 100644
--- a/transport/tlscommon/config.go
+++ b/transport/tlscommon/config.go
@@ -32,7 +32,7 @@ type Config struct {
 CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
 CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
 Certificate CertificateConfig `config:",inline" yaml:",inline"`
- CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
+ CurveTypes []TLSCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
 Renegotiation TLSRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
 CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
diff --git a/transport/tlscommon/server_config.go b/transport/tlscommon/server_config.go
index 65bd08f..66d03ba 100644
--- a/transport/tlscommon/server_config.go
+++ b/transport/tlscommon/server_config.go
@@ -34,7 +34,7 @@ type ServerConfig struct {
 CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
 CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
 Certificate CertificateConfig `config:",inline" yaml:",inline"`
- CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
+ CurveTypes []TLSCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
 ClientAuth *TLSClientAuth `config:"client_authentication" yaml:"client_authentication,omitempty"` //`none`, `optional` or `required`
 CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 }
diff --git a/transport/tlscommon/types.go b/transport/tlscommon/types.go
index 02c4bc8..a4c338c 100644
--- a/transport/tlscommon/types.go
+++ b/transport/tlscommon/types.go
@@ -96,12 +96,12 @@ func init() {
 }
 }
-var supportedCurveTypes = make(map[tlsCurveType]string, len(tlsCurveTypes))
-var tlsCurveTypes = map[string]tlsCurveType{
- "P-256": tlsCurveType(tls.CurveP256),
- "P-384": tlsCurveType(tls.CurveP384),
- "P-521": tlsCurveType(tls.CurveP521),
- "X25519": tlsCurveType(tls.X25519),
+var supportedCurveTypes = make(map[TLSCurveType]string, len(tlsCurveTypes))
+var tlsCurveTypes = map[string]TLSCurveType{
+ "P-256": TLSCurveType(tls.CurveP256),
+ "P-384": TLSCurveType(tls.CurveP384),
+ "P-521": TLSCurveType(tls.CurveP521),
+ "X25519": TLSCurveType(tls.X25519),
 }
 var tlsRenegotiationSupportTypes = map[string]TLSRenegotiationSupport{
@@ -272,9 +272,9 @@ func (cs CipherSuite) String() string {
 return unknownType
 }
-type tlsCurveType tls.CurveID
+type TLSCurveType tls.CurveID
-func (ct *tlsCurveType) Unpack(i interface{}) error {
+func (ct *TLSCurveType) Unpack(i interface{}) error {
 switch o := i.(type) {
 case string:
 t, found := tlsCurveTypes[o]
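Review bot: `TLSCurveType` becomes part of the package's public API in the `@@ -272` hunk but the new `type TLSCurveType tls.CurveID` line carries no doc comment, which exported-name linters will flag and which leaves callers without a statement of what the values mean. A one-liner such as `// TLSCurveType is a TLS key-exchange curve (a tls.CurveID) selected through the curve_types setting; only the names in tlsCurveTypes unpack from a string.` would cover it; the `config:"curve_types"` tag in config.go is what ties the name to the setting. The test function `Test_tlsCurveType_Unpack` in types_test.go keeps the old lowercase name after the rename and could be updated in the same commit. The `Unpack` method whose signature is renamed here continues past the end of this hunk.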
@@ -284,16 +284,16 @@ func (ct *tlsCurveType) Unpack(i interface{}) error {
 *ct = t
 case int64:
- *ct = tlsCurveType(o)
+ *ct = TLSCurveType(o)
 case uint64:
- *ct = tlsCurveType(o)
+ *ct = TLSCurveType(o)
 default:
 return fmt.Errorf("tls curve type is an unsupported input type: %T", o)
 }
 return nil
 }
-func (ct *tlsCurveType) Validate() error {
+func (ct *TLSCurveType) Validate() error {
 if _, ok := supportedCurveTypes[*ct]; !ok {
 return fmt.Errorf("unsupported curve type: %s", tls.CurveID(*ct).String())
 }
diff --git a/transport/tlscommon/types_test.go b/transport/tlscommon/types_test.go
index 451e362..79ef05a 100644
--- a/transport/tlscommon/types_test.go
+++ b/transport/tlscommon/types_test.go
@@ -462,7 +462,7 @@ func Test_tlsCurveType_Unpack(t *testing.T) {
 name string
 hasErr bool
 in interface{}
- exp tlsCurveType
+ exp TLSCurveType
 }{{
 name: "unknown string",
 hasErr: true,
@@ -471,17 +471,17 @@ func Test_tlsCurveType_Unpack(t *testing.T) {
 name: "string",
 hasErr: false,
 in: "P-256",
- exp: tlsCurveType(tls.CurveP256),
+ exp: TLSCurveType(tls.CurveP256),
 }, {
 name: "int64",
 hasErr: false,
 in: int64(23),
- exp: tlsCurveType(tls.CurveP256),
+ exp: TLSCurveType(tls.CurveP256),
 }, {
 name: "uint64",
 hasErr: false,
 in: uint64(23),
- exp: tlsCurveType(tls.CurveP256),
+ exp: TLSCurveType(tls.CurveP256),
 }, {
 name: "unknown type",
 hasErr: true,
@@ -489,7 +489,7 @@ func Test_tlsCurveType_Unpack(t *testing.T) {
 }}
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
- v := new(tlsCurveType)
+ v := new(TLSCurveType)
 err := v.Unpack(tc.in)
 if tc.hasErr {
 assert.Error(t, err)

From f66603ce88c2019b4ff5d5ad1521223494f2400f Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Fri, 26 Sep 2025 13:58:39 -0700
Subject: [PATCH 2/4] Add X25519MLKEM768 to list of curve types

---
 transport/tlscommon/types.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/transport/tlscommon/types.go b/transport/tlscommon/types.go
index a4c338c..00186c8 100644
--- a/transport/tlscommon/types.go
+++ b/transport/tlscommon/types.go
@@ -98,10 +98,11 @@ func init() {
 var supportedCurveTypes = make(map[TLSCurveType]string, len(tlsCurveTypes))
 var tlsCurveTypes = map[string]TLSCurveType{
- "P-256": TLSCurveType(tls.CurveP256),
- "P-384": TLSCurveType(tls.CurveP384),
- "P-521": TLSCurveType(tls.CurveP521),
- "X25519": TLSCurveType(tls.X25519),
+ "P-256": TLSCurveType(tls.CurveP256),
+ "P-384": TLSCurveType(tls.CurveP384),
+ "P-521": TLSCurveType(tls.CurveP521),
+ "X25519": TLSCurveType(tls.X25519),
+ "X25519MLKEM768": TLSCurveType(tls.X25519MLKEM768),
 }
 var tlsRenegotiationSupportTypes = map[string]TLSRenegotiationSupport{

From d23f187f949df7eb3a22ebbfe7e4cdf82a400dec Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Fri, 26 Sep 2025 13:58:56 -0700
Subject: [PATCH 3/4] Add linter exceptions

---
 transport/tlscommon/types.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/transport/tlscommon/types.go b/transport/tlscommon/types.go
index 00186c8..cea3132 100644
--- a/transport/tlscommon/types.go
+++ b/transport/tlscommon/types.go
@@ -181,9 +181,9 @@ func (m *TLSVerificationMode) Unpack(in interface{}) error {
 }
 *m = mode
 case int64:
- *m = TLSVerificationMode(o)
+ *m = TLSVerificationMode(o) //nolint:gosec // o is much smaller than max uint8
 case uint64:
- *m = TLSVerificationMode(o)
+ *m = TLSVerificationMode(o) //nolint:gosec // o is much smaller than max uint8
 default:
 return fmt.Errorf("verification mode is an unknown type: %T", o)
 }
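Review bot: `tls.X25519MLKEM768` only exists in crypto/tls from Go 1.24 onward, so the new `"X25519MLKEM768"` entry raises the module's minimum Go version; go.mod is not part of this series, so confirm it declares `go 1.24` or later before merging. The commit also adds no `"X25519MLKEM768"` string case to `Test_tlsCurveType_Unpack` next to the existing `"P-256"` cases in types_test.go, which is the cheapest way to pin that the name resolves. Because `supportedCurveTypes` is sized from this map and appears to be filled from it in `init()` (inferred from the hunk context, not visible here), `Validate` will accept the new value once added. A short comment on the entry would help readers who do not recognise the name: `// X25519MLKEM768 is the hybrid X25519 + ML-KEM-768 post-quantum key exchange (Go 1.24+)`.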
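Review bot: The new `//nolint:gosec // o is much smaller than max uint8` justification on both converted lines is not something the code enforces: `o` is whatever the config decoder hands to `Unpack` as `int64` or `uint64`, and an out-of-range value is silently truncated by the conversion rather than rejected, so for a uint8-backed type a value such as 256 would wrap to mode 0 (the underlying type is inferred from the comment's own bound). A bounds check before the conversion removes the need for the suppression and turns a mis-typed setting into an error instead of a different mode; the same applies to the `@@ -250`, `@@ -285` and `@@ -320` hunks (uint16 and int targets) and to the `uint64` suppressions that patch 4/4 leaves in place. `math` would need to be imported if it is not already. The function's opening and the `string` case lie above this hunk.
```go
	case int64:
		if o < 0 || o > math.MaxUint8 {
			return fmt.Errorf("verification mode %d is out of range", o)
		}
		*m = TLSVerificationMode(o)
	case uint64:
		if o > math.MaxUint8 {
			return fmt.Errorf("verification mode %d is out of range", o)
		}
		*m = TLSVerificationMode(o)
	// … unchanged: default case …
```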
@@ -229,9 +229,9 @@ func (m *TLSClientAuth) Unpack(in interface{}) error {
 *m = mode
 case uint64:
- *m = TLSClientAuth(o)
+ *m = TLSClientAuth(o) //nolint:gosec // o is much smaller than max int
 case int64: // underlying type is int so we need both uint64 and int64 as options for TLSClientAuth
- *m = TLSClientAuth(o)
+ *m = TLSClientAuth(o) //nolint:gosec // o is much smaller than max int
 default:
 return fmt.Errorf("client auth mode is an unknown type: %T", o)
 }
@@ -250,9 +250,9 @@ func (cs *CipherSuite) Unpack(i interface{}) error {
 *cs = suite
 case int64:
- *cs = CipherSuite(o)
+ *cs = CipherSuite(o) //nolint:gosec // o is much smaller than max uint16
 case uint64:
- *cs = CipherSuite(o)
+ *cs = CipherSuite(o) //nolint:gosec // o is much smaller than max uint16
 default:
 return fmt.Errorf("cipher suite is an unknown type: %T", o)
 }
@@ -285,9 +285,9 @@ func (ct *TLSCurveType) Unpack(i interface{}) error {
 *ct = t
 case int64:
- *ct = TLSCurveType(o)
+ *ct = TLSCurveType(o) //nolint:gosec // o is much smaller than max uint16
 case uint64:
- *ct = TLSCurveType(o)
+ *ct = TLSCurveType(o) //nolint:gosec // o is much smaller than max uint16
 default:
 return fmt.Errorf("tls curve type is an unsupported input type: %T", o)
 }
@@ -320,9 +320,9 @@ func (r *TLSRenegotiationSupport) Unpack(i interface{}) error {
 *r = t
 case int64:
- *r = TLSRenegotiationSupport(o)
+ *r = TLSRenegotiationSupport(o) //nolint:gosec // o is much smaller than max int
 case uint64:
- *r = TLSRenegotiationSupport(o)
+ *r = TLSRenegotiationSupport(o) //nolint:gosec // o is much smaller than max int
 default:
 return fmt.Errorf("tls renegotation support is an unknown type: %T", o)
 }

From 6cf55506e25b308cd085b0ba6974e8759bdaaa74 Mon Sep 17 00:00:00 2001
From: Shaunak Kashyap
Date: Fri, 26 Sep 2025 14:01:32 -0700
Subject: [PATCH 4/4] Remove unnecessary linter exceptions

---
 transport/tlscommon/types.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/transport/tlscommon/types.go b/transport/tlscommon/types.go
index cea3132..5d4530e 100644
--- a/transport/tlscommon/types.go
+++ b/transport/tlscommon/types.go
@@ -231,7 +231,7 @@ func (m *TLSClientAuth) Unpack(in interface{}) error {
 case uint64:
 *m = TLSClientAuth(o) //nolint:gosec // o is much smaller than max int
 case int64: // underlying type is int so we need both uint64 and int64 as options for TLSClientAuth
- *m = TLSClientAuth(o) //nolint:gosec // o is much smaller than max int
+ *m = TLSClientAuth(o)
 default:
 return fmt.Errorf("client auth mode is an unknown type: %T", o)
 }
@@ -320,7 +320,7 @@ func (r *TLSRenegotiationSupport) Unpack(i interface{}) error {
 *r = t
 case int64:
- *r = TLSRenegotiationSupport(o) //nolint:gosec // o is much smaller than max int
+ *r = TLSRenegotiationSupport(o)
 case uint64:
 *r = TLSRenegotiationSupport(o) //nolint:gosec // o is much smaller than max int
 default: