mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 08:12:43 -04:00 
			
		
		
		
	
		
			Some checks failed
		
		
	
	Tests / test (./cmd/caddy/caddy, ~1.23.6, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m37s
				
			Tests / test (./cmd/caddy/caddy, ~1.24.0, ubuntu-latest, 0, 1.24, linux) (push) Failing after 1m12s
				
			Tests / test (s390x on IBM Z) (push) Has been skipped
				
			Tests / goreleaser-check (push) Has been skipped
				
			Cross-Build / build (~1.23.6, 1.23, aix) (push) Successful in 1m25s
				
			Cross-Build / build (~1.23.6, 1.23, darwin) (push) Successful in 1m22s
				
			Cross-Build / build (~1.23.6, 1.23, dragonfly) (push) Successful in 1m24s
				
			Cross-Build / build (~1.23.6, 1.23, freebsd) (push) Successful in 1m29s
				
			Cross-Build / build (~1.23.6, 1.23, illumos) (push) Successful in 1m26s
				
			Cross-Build / build (~1.23.6, 1.23, linux) (push) Successful in 1m24s
				
			Cross-Build / build (~1.23.6, 1.23, netbsd) (push) Successful in 1m22s
				
			Cross-Build / build (~1.23.6, 1.23, openbsd) (push) Successful in 1m20s
				
			Cross-Build / build (~1.23.6, 1.23, solaris) (push) Successful in 1m21s
				
			Cross-Build / build (~1.23.6, 1.23, windows) (push) Successful in 1m36s
				
			Cross-Build / build (~1.24.0, 1.24, aix) (push) Successful in 1m13s
				
			Cross-Build / build (~1.24.0, 1.24, darwin) (push) Successful in 1m17s
				
			Cross-Build / build (~1.24.0, 1.24, dragonfly) (push) Successful in 1m14s
				
			Cross-Build / build (~1.24.0, 1.24, freebsd) (push) Successful in 1m13s
				
			Cross-Build / build (~1.24.0, 1.24, illumos) (push) Successful in 1m13s
				
			Cross-Build / build (~1.24.0, 1.24, linux) (push) Successful in 1m14s
				
			Cross-Build / build (~1.24.0, 1.24, netbsd) (push) Successful in 1m13s
				
			Cross-Build / build (~1.24.0, 1.24, openbsd) (push) Successful in 1m23s
				
			Cross-Build / build (~1.24.0, 1.24, solaris) (push) Successful in 1m13s
				
			Cross-Build / build (~1.24.0, 1.24, windows) (push) Successful in 1m16s
				
			Lint / lint (ubuntu-latest, linux) (push) Successful in 2m6s
				
			Lint / govulncheck (push) Failing after 1m24s
				
			Tests / test (./cmd/caddy/caddy, ~1.23.6, macos-14, 0, 1.23, mac) (push) Has been cancelled
				
			Tests / test (./cmd/caddy/caddy, ~1.24.0, macos-14, 0, 1.24, mac) (push) Has been cancelled
				
			Tests / test (./cmd/caddy/caddy.exe, ~1.23.6, windows-latest, True, 1.23, windows) (push) Has been cancelled
				
			Tests / test (./cmd/caddy/caddy.exe, ~1.24.0, windows-latest, True, 1.24, windows) (push) Has been cancelled
				
			Lint / lint (macos-14, mac) (push) Has been cancelled
				
			Lint / lint (windows-latest, windows) (push) Has been cancelled
				
			
		
			
				
	
	
		
			159 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			159 lines
		
	
	
		
			4.8 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2015 Matthew Holt and The Caddy Authors
 | |
| //
 | |
| // Licensed under the Apache License, Version 2.0 (the "License");
 | |
| // you may not use this file except in compliance with the License.
 | |
| // You may obtain a copy of the License at
 | |
| //
 | |
| //     http://www.apache.org/licenses/LICENSE-2.0
 | |
| //
 | |
| // Unless required by applicable law or agreed to in writing, software
 | |
| // distributed under the License is distributed on an "AS IS" BASIS,
 | |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| // See the License for the specific language governing permissions and
 | |
| // limitations under the License.
 | |
| 
 | |
| package caddytls
 | |
| 
 | |
| import (
 | |
| 	"crypto/tls"
 | |
| 	"crypto/x509"
 | |
| 	"fmt"
 | |
| 
 | |
| 	"github.com/caddyserver/certmagic"
 | |
| 	"github.com/klauspost/cpuid/v2"
 | |
| )
 | |
| 
 | |
| // CipherSuiteNameSupported returns true if name is
 | |
| // a supported cipher suite.
 | |
| func CipherSuiteNameSupported(name string) bool {
 | |
| 	return CipherSuiteID(name) != 0
 | |
| }
 | |
| 
 | |
| // CipherSuiteID returns the ID of the cipher suite associated with
 | |
| // the given name, or 0 if the name is not recognized/supported.
 | |
| func CipherSuiteID(name string) uint16 {
 | |
| 	for _, cs := range SupportedCipherSuites() {
 | |
| 		if cs.Name == name {
 | |
| 			return cs.ID
 | |
| 		}
 | |
| 	}
 | |
| 	return 0
 | |
| }
 | |
| 
 | |
| // SupportedCipherSuites returns a list of all the cipher suites
 | |
| // Caddy supports. The list is NOT ordered by security preference.
 | |
| func SupportedCipherSuites() []*tls.CipherSuite {
 | |
| 	return tls.CipherSuites()
 | |
| }
 | |
| 
 | |
| // defaultCipherSuites is the ordered list of all the cipher
 | |
| // suites we want to support by default, assuming AES-NI
 | |
| // (hardware acceleration for AES).
 | |
| var defaultCipherSuitesWithAESNI = []uint16{
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 | |
| }
 | |
| 
 | |
| // defaultCipherSuites is the ordered list of all the cipher
 | |
| // suites we want to support by default, assuming lack of
 | |
| // AES-NI (NO hardware acceleration for AES).
 | |
| var defaultCipherSuitesWithoutAESNI = []uint16{
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 | |
| 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 | |
| 	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 | |
| }
 | |
| 
 | |
| // getOptimalDefaultCipherSuites returns an appropriate cipher
 | |
| // suite to use depending on the hardware support for AES.
 | |
| //
 | |
| // See https://github.com/caddyserver/caddy/issues/1674
 | |
| func getOptimalDefaultCipherSuites() []uint16 {
 | |
| 	if cpuid.CPU.Supports(cpuid.AESNI) {
 | |
| 		return defaultCipherSuitesWithAESNI
 | |
| 	}
 | |
| 	return defaultCipherSuitesWithoutAESNI
 | |
| }
 | |
| 
 | |
| // SupportedCurves is the unordered map of supported curves
 | |
| // or key exchange mechanisms ("curves" traditionally).
 | |
| // https://golang.org/pkg/crypto/tls/#CurveID
 | |
| var SupportedCurves = map[string]tls.CurveID{
 | |
| 	"x25519mlkem768": tls.X25519MLKEM768,
 | |
| 	"x25519":         tls.X25519,
 | |
| 	"secp256r1":      tls.CurveP256,
 | |
| 	"secp384r1":      tls.CurveP384,
 | |
| 	"secp521r1":      tls.CurveP521,
 | |
| }
 | |
| 
 | |
| // supportedCertKeyTypes is all the key types that are supported
 | |
| // for certificates that are obtained through ACME.
 | |
| var supportedCertKeyTypes = map[string]certmagic.KeyType{
 | |
| 	"rsa2048": certmagic.RSA2048,
 | |
| 	"rsa4096": certmagic.RSA4096,
 | |
| 	"p256":    certmagic.P256,
 | |
| 	"p384":    certmagic.P384,
 | |
| 	"ed25519": certmagic.ED25519,
 | |
| }
 | |
| 
 | |
| // defaultCurves is the list of only the curves or key exchange
 | |
| // mechanisms we want to use by default. The order is irrelevant.
 | |
| //
 | |
| // This list should only include mechanisms which are fast by
 | |
| // design (e.g. X25519) and those for which an optimized assembly
 | |
| // implementation exists (e.g. P256). The latter ones can be
 | |
| // found here:
 | |
| // https://github.com/golang/go/tree/master/src/crypto/elliptic
 | |
| var defaultCurves = []tls.CurveID{
 | |
| 	tls.X25519MLKEM768,
 | |
| 	tls.X25519,
 | |
| 	tls.CurveP256,
 | |
| }
 | |
| 
 | |
| // SupportedProtocols is a map of supported protocols.
 | |
| var SupportedProtocols = map[string]uint16{
 | |
| 	"tls1.2": tls.VersionTLS12,
 | |
| 	"tls1.3": tls.VersionTLS13,
 | |
| }
 | |
| 
 | |
| // unsupportedProtocols is a map of unsupported protocols.
 | |
| // Used for logging only, not enforcement.
 | |
| var unsupportedProtocols = map[string]uint16{
 | |
| 	//nolint:staticcheck
 | |
| 	"ssl3.0": tls.VersionSSL30,
 | |
| 	"tls1.0": tls.VersionTLS10,
 | |
| 	"tls1.1": tls.VersionTLS11,
 | |
| }
 | |
| 
 | |
| // publicKeyAlgorithms is the map of supported public key algorithms.
 | |
| var publicKeyAlgorithms = map[string]x509.PublicKeyAlgorithm{
 | |
| 	"rsa":   x509.RSA,
 | |
| 	"dsa":   x509.DSA,
 | |
| 	"ecdsa": x509.ECDSA,
 | |
| }
 | |
| 
 | |
| // ProtocolName returns the standard name for the passed protocol version ID
 | |
| // (e.g.  "TLS1.3") or a fallback representation of the ID value if the version
 | |
| // is not supported.
 | |
| func ProtocolName(id uint16) string {
 | |
| 	for k, v := range SupportedProtocols {
 | |
| 		if v == id {
 | |
| 			return k
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	for k, v := range unsupportedProtocols {
 | |
| 		if v == id {
 | |
| 			return k
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return fmt.Sprintf("0x%04x", id)
 | |
| }
 |