elastic · ycombinator · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
@@ -32,7 +32,7 @@ type Config struct {
 	CipherSuites         []CipherSuite           `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
 	CAs                  []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
 	Certificate          CertificateConfig       `config:",inline" yaml:",inline"`
-	CurveTypes           []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
+	CurveTypes           []TLSCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
 	Renegotiation        TLSRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
 	CASha256             []string                `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 	CATrustedFingerprint string                  `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`

@@ -34,7 +34,7 @@ type ServerConfig struct {
 	CipherSuites     []CipherSuite       `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
 	CAs              []string            `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
 	Certificate      CertificateConfig   `config:",inline" yaml:",inline"`
-	CurveTypes       []tlsCurveType      `config:"curve_types" yaml:"curve_types,omitempty"`
+	CurveTypes       []TLSCurveType      `config:"curve_types" yaml:"curve_types,omitempty"`
 	ClientAuth       *TLSClientAuth      `config:"client_authentication" yaml:"client_authentication,omitempty"` //`none`, `optional` or `required`
 	CASha256         []string            `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 }

@@ -96,12 +96,13 @@ func init() {
 	}
 }
 
-var supportedCurveTypes = make(map[tlsCurveType]string, len(tlsCurveTypes))
-var tlsCurveTypes = map[string]tlsCurveType{
-	"P-256":  tlsCurveType(tls.CurveP256),
-	"P-384":  tlsCurveType(tls.CurveP384),
-	"P-521":  tlsCurveType(tls.CurveP521),
-	"X25519": tlsCurveType(tls.X25519),
+var supportedCurveTypes = make(map[TLSCurveType]string, len(tlsCurveTypes))
+var tlsCurveTypes = map[string]TLSCurveType{
+	"P-256":          TLSCurveType(tls.CurveP256),
+	"P-384":          TLSCurveType(tls.CurveP384),
+	"P-521":          TLSCurveType(tls.CurveP521),
+	"X25519":         TLSCurveType(tls.X25519),
+	"X25519MLKEM768": TLSCurveType(tls.X25519MLKEM768),
 }
 
 var tlsRenegotiationSupportTypes = map[string]TLSRenegotiationSupport{
@@ -180,9 +181,9 @@ func (m *TLSVerificationMode) Unpack(in interface{}) error {
 		}
 		*m = mode
 	case int64:
-		*m = TLSVerificationMode(o)
+		*m = TLSVerificationMode(o) //nolint:gosec // o is much smaller than max uint8
 	case uint64:
-		*m = TLSVerificationMode(o)
+		*m = TLSVerificationMode(o) //nolint:gosec // o is much smaller than max uint8
 	default:
 		return fmt.Errorf("verification mode is an unknown type: %T", o)
 	}
@@ -228,7 +229,7 @@ func (m *TLSClientAuth) Unpack(in interface{}) error {
 
 		*m = mode
 	case uint64:
-		*m = TLSClientAuth(o)
+		*m = TLSClientAuth(o) //nolint:gosec // o is much smaller than max int
 	case int64: // underlying type is int so we need both uint64 and int64 as options for TLSClientAuth
 		*m = TLSClientAuth(o)
 	default:
@@ -249,9 +250,9 @@ func (cs *CipherSuite) Unpack(i interface{}) error {
 
 		*cs = suite
 	case int64:
-		*cs = CipherSuite(o)
+		*cs = CipherSuite(o) //nolint:gosec // o is much smaller than max uint16
 	case uint64:
-		*cs = CipherSuite(o)
+		*cs = CipherSuite(o) //nolint:gosec // o is much smaller than max uint16
 	default:
 		return fmt.Errorf("cipher suite is an unknown type: %T", o)
 	}
@@ -272,9 +273,9 @@ func (cs CipherSuite) String() string {
 	return unknownType
 }
 
-type tlsCurveType tls.CurveID
+type TLSCurveType tls.CurveID
 
-func (ct *tlsCurveType) Unpack(i interface{}) error {
+func (ct *TLSCurveType) Unpack(i interface{}) error {
 	switch o := i.(type) {
 	case string:
 		t, found := tlsCurveTypes[o]
@@ -284,16 +285,16 @@ func (ct *tlsCurveType) Unpack(i interface{}) error {
 
 		*ct = t
 	case int64:
-		*ct = tlsCurveType(o)
+		*ct = TLSCurveType(o) //nolint:gosec // o is much smaller than max uint16
 	case uint64:
-		*ct = tlsCurveType(o)
+		*ct = TLSCurveType(o) //nolint:gosec // o is much smaller than max uint16
 	default:
 		return fmt.Errorf("tls curve type is an unsupported input type: %T", o)
 	}
 	return nil
 }
 
-func (ct *tlsCurveType) Validate() error {
+func (ct *TLSCurveType) Validate() error {
 	if _, ok := supportedCurveTypes[*ct]; !ok {
 		return fmt.Errorf("unsupported curve type: %s", tls.CurveID(*ct).String())
 	}
@@ -321,7 +322,7 @@ func (r *TLSRenegotiationSupport) Unpack(i interface{}) error {
 	case int64:
 		*r = TLSRenegotiationSupport(o)
 	case uint64:
-		*r = TLSRenegotiationSupport(o)
+		*r = TLSRenegotiationSupport(o) //nolint:gosec // o is much smaller than max int
 	default:
 		return fmt.Errorf("tls renegotation support is an unknown type: %T", o)
 	}

@@ -462,7 +462,7 @@ func Test_tlsCurveType_Unpack(t *testing.T) {
 		name   string
 		hasErr bool
 		in     interface{}
-		exp    tlsCurveType
+		exp    TLSCurveType
 	}{{
 		name:   "unknown string",
 		hasErr: true,
@@ -471,25 +471,25 @@ func Test_tlsCurveType_Unpack(t *testing.T) {
 		name:   "string",
 		hasErr: false,
 		in:     "P-256",
-		exp:    tlsCurveType(tls.CurveP256),
+		exp:    TLSCurveType(tls.CurveP256),
 	}, {
 		name:   "int64",
 		hasErr: false,
 		in:     int64(23),
-		exp:    tlsCurveType(tls.CurveP256),
+		exp:    TLSCurveType(tls.CurveP256),
 	}, {
 		name:   "uint64",
 		hasErr: false,
 		in:     uint64(23),
-		exp:    tlsCurveType(tls.CurveP256),
+		exp:    TLSCurveType(tls.CurveP256),
 	}, {
 		name:   "unknown type",
 		hasErr: true,
 		in:     uint8(1),
 	}}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			v := new(tlsCurveType)
+			v := new(TLSCurveType)
 			err := v.Unpack(tc.in)
 			if tc.hasErr {
 				assert.Error(t, err)