feat: allow P-521 curve in fips mode (#318)

kruskall · web-flow · commit de30be3d8700 · 2025-05-07T16:03:09.000+02:00
diff --git a/transport/tlscommon/types_fips.go b/transport/tlscommon/types_fips.go
@@ -37,10 +37,13 @@ func init() {
 			supportedCipherSuites[i] = cipherName
 		}
 	}
-	// only allow P256, P384.
+	// Elliptic curves approved for use in ECDSA are specified in SP 800-186,
+	// as implemented in FIPS 186-5.
+	// Based on NIST SP 800-186 section 3 and SP 800-56A Rev.3
+	// only allows P-256, P-384, P-521
 	for name, curveType := range tlsCurveTypes {
 		switch tls.CurveID(curveType) {
-		case tls.CurveP256, tls.CurveP384:
+		case tls.CurveP256, tls.CurveP384, tls.CurveP521:
 			supportedCurveTypes[curveType] = name
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -37,10 +37,13 @@ func init() {`
`37`	`37`	`supportedCipherSuites[i] = cipherName`
`38`	`38`	`}`
`39`	`39`	`}`
`40`		`- // only allow P256, P384.`
	`40`	`+ // Elliptic curves approved for use in ECDSA are specified in SP 800-186,`
	`41`	`+ // as implemented in FIPS 186-5.`
	`42`	`+ // Based on NIST SP 800-186 section 3 and SP 800-56A Rev.3`
	`43`	`+ // only allows P-256, P-384, P-521`
`41`	`44`	`for name, curveType := range tlsCurveTypes {`
`42`	`45`	`switch tls.CurveID(curveType) {`
`43`		`- case tls.CurveP256, tls.CurveP384:`
	`46`	`+ case tls.CurveP256, tls.CurveP384, tls.CurveP521:`
`44`	`47`	`supportedCurveTypes[curveType] = name`
`45`	`48`	`}`
`46`	`49`	`}`