From e769c803656dc0199f579af1abd716d0a75ddbef Mon Sep 17 00:00:00 2001
From: Nate Sales
Date: Fri, 20 Oct 2023 04:30:12 -0400
Subject: [PATCH] feat: add tls-curve-preferences

---
 README.md | 19 +++++++------------
 cli/flags.go | 1 +
 main.go | 1 +
 util/tls/tls.go | 20 ++++++++++++++++++++
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index c95b388..62a388a 100644
--- a/README.md
+++ b/README.md
@@ -52,10 +52,8 @@ Application Options:
 --txtconcat Concatenate TXT responses
 --qid= Set query ID (-1 for random) (default: -1)
 --recaxfr Perform recursive AXFR
- -f, --format= Output format (pretty, json, yaml, raw)
- (default: pretty)
- --pretty-ttls Format TTLs in human readable format (default:
- true)
+ -f, --format= Output format (pretty, json, yaml, raw) (default: pretty)
+ --pretty-ttls Format TTLs in human readable format (default: true)
 --color Enable color output
 --question Show question section
 --answer Show answer section (default: true)
@@ -65,13 +63,11 @@ Application Options:
 --all Show all sections and statistics
 -w Resolve ASN/ASName for A and AAAA records
 -r, --short Show record values only
- -R, --resolve-ips Resolve PTR records for IP addresses in A and
- AAAA records
+ -R, --resolve-ips Resolve PTR records for IP addresses in A and AAAA records
 --aa Set AA (Authoritative Answer) flag in query
 --ad Set AD (Authentic Data) flag in query
 --cd Set CD (Checking Disabled) flag in query
- --rd Set RD (Recursion Desired) flag in query
- (default: true)
+ --rd Set RD (Recursion Desired) flag in query (default: true)
 --ra Set RA (Recursion Available) flag in query
 --z Set Z (Zero) flag in query
 --t Set TC (Truncated) flag in query
@@ -81,6 +77,7 @@ Application Options:
 --tls-max-version= Maximum TLS version to use (default: 1.3)
 --tls-next-protos= TLS next protocols for ALPN
 --tls-cipher-suites= TLS cipher suites
+ --tls-curve-preferences= TLS curve preferences
 --tls-client-cert= TLS client certificate file
 --tls-client-key= TLS client key file
 --tls-key-log-file= TLS key log file [$SSLKEYLOGFILE]
@@ -90,12 +87,10 @@ Application Options:
 --quic-no-pmtud Disable QUIC PMTU discovery
 --quic-no-length-prefix Don't add RFC 9250 compliant length prefix
 --dnscrypt-tcp Use TCP for DNSCrypt (default UDP)
- --dnscrypt-udp-size= Maximum size of a DNS response this client can
- sent or receive (default: 0)
+ --dnscrypt-udp-size= Maximum size of a DNS response this client can sent or receive (default: 0)
 --dnscrypt-key= DNSCrypt public key
 --dnscrypt-provider= DNSCrypt provider name
- --default-rr-types= Default record types (default: A, AAAA, NS, MX,
- TXT, CNAME)
+ --default-rr-types= Default record types (default: A, AAAA, NS, MX, TXT, CNAME)
 --udp-buffer= Set EDNS0 UDP size in query (default: 1232)
 -v, --verbose Show verbose log messages
 --trace Show trace log messages
diff --git a/cli/flags.go b/cli/flags.go
index 8107a5f..539ba60 100644
--- a/cli/flags.go
+++ b/cli/flags.go
@@ -53,6 +53,7 @@ type Flags struct {
 TLSMaxVersion string `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
 TLSNextProtos []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
 TLSCipherSuites []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+ TLSCurvePreferences []string `long:"tls-curve-preferences" description:"TLS curve preferences"`
 TLSClientCertificate string `long:"tls-client-cert" description:"TLS client certificate file"`
 TLSClientKey string `long:"tls-client-key" description:"TLS client key file"`
 TLSKeyLogFile string `long:"tls-key-log-file" env:"SSLKEYLOGFILE" description:"TLS key log file"`
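Review bot: The description on the added `TLSCurvePreferences` field does not tell the user which curve names are accepted, and in this same patch an unrecognised name is fatal in `ParseCurves` (util/tls/tls.go), so a typo is only discovered when the process exits at run time. The accepted set is the `curveToInt` map in that file, and listing it here keeps `--help` and the README in step: `description:"TLS curve preferences (P256, P384, P521, X25519)"`. The `Flags` struct starts and ends outside this hunk.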
diff --git a/main.go b/main.go
index 5a250d8..ed6c0cd 100644
--- a/main.go
+++ b/main.go
@@ -400,6 +400,7 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 MaxVersion: tlsutil.Version(opts.TLSMaxVersion, tls.VersionTLS13),
 NextProtos: opts.TLSNextProtos,
 CipherSuites: tlsutil.ParseCipherSuites(opts.TLSCipherSuites),
+ CurvePreferences: tlsutil.ParseCurves(opts.TLSCurvePreferences),
 }
 
 // TLS client certificate authentication
diff --git a/util/tls/tls.go b/util/tls/tls.go
index 54ef6e5..2b81bad 100644
--- a/util/tls/tls.go
+++ b/util/tls/tls.go
@@ -38,6 +38,13 @@ var cipherSuiteToInt = map[string]uint16{
 "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
+var curveToInt = map[string]tls.CurveID{
+ "P256": tls.CurveP256,
+ "P384": tls.CurveP384,
+ "P521": tls.CurveP521,
+ "X25519": tls.X25519,
+}
+
 // ParseCipherSuites converts a slice of cipher suite names to a slice of cipher suite ints
 func ParseCipherSuites(cipherSuites []string) []uint16 {
 var cipherSuiteInts []uint16
@@ -51,6 +58,19 @@ func ParseCipherSuites(cipherSuites []string) []uint16 {
 return cipherSuiteInts
 }
 
+// ParseCurves parses a slice of curves into their IDs
+func ParseCurves(curves []string) []tls.CurveID {
+ var curveIDs []tls.CurveID
+ for _, curve := range curves {
+ if curveID, ok := curveToInt[curve]; ok {
+ curveIDs = append(curveIDs, curveID)
+ } else {
+ log.Fatalf("Unknown TLS curve: %s", curve)
+ }
+ }
+ return curveIDs
+}
+
 // Version returns a TLS version number by given protocol string with a fallback
 func Version(version string, fallback uint16) uint16 {
 switch version {
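Review bot: `ParseCurves` terminates the process with `log.Fatalf` on an unrecognised name instead of reporting the failure to its caller, so a util package decides exit behaviour and the error path cannot be unit-tested. Returning `([]tls.CurveID, error)` and letting main.go decide how to fail keeps that policy in one place; the only call site in this patch is the added `CurvePreferences:` line in main.go, which would need to move out of the struct literal to check the error (and `fmt` would need to be imported in tls.go if it is not already). `ParseCipherSuites`, whose body lies partly outside this hunk, appears to follow the same fatal pattern and would get the same treatment for consistency. The doc comment should also name the accepted values, which are otherwise only discoverable from the `curveToInt` map, and a nil result for empty input is worth stating since it is what leaves crypto/tls on its defaults.
```go
// ParseCurves maps curve names (P256, P384, P521, X25519) to their tls.CurveID
// values, preserving order. An empty input yields a nil slice, which leaves
// crypto/tls on its default preferences. The first unrecognised name is
// returned as an error.
func ParseCurves(curves []string) ([]tls.CurveID, error) {
	var curveIDs []tls.CurveID
	for _, curve := range curves {
		curveID, ok := curveToInt[curve]
		if !ok {
			return nil, fmt.Errorf("unknown TLS curve %q", curve)
		}
		curveIDs = append(curveIDs, curveID)
	}
	return curveIDs, nil
}
```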