feat: add tls-curve-preferences

README.md

@@ -52,10 +52,8 @@ Application Options:
       --txtconcat              Concatenate TXT responses
       --qid=                   Set query ID (-1 for random) (default: -1)
       --recaxfr                Perform recursive AXFR
-  -f, --format=                Output format (pretty, json, yaml, raw)
-                               (default: pretty)
-      --pretty-ttls            Format TTLs in human readable format (default:
-                               true)
+  -f, --format=                Output format (pretty, json, yaml, raw) (default: pretty)
+      --pretty-ttls            Format TTLs in human readable format (default: true)
       --color                  Enable color output
       --question               Show question section
       --answer                 Show answer section (default: true)
@@ -65,13 +63,11 @@ Application Options:
       --all                    Show all sections and statistics
   -w                           Resolve ASN/ASName for A and AAAA records
   -r, --short                  Show record values only
-  -R, --resolve-ips            Resolve PTR records for IP addresses in A and
-                               AAAA records
+  -R, --resolve-ips            Resolve PTR records for IP addresses in A and AAAA records
       --aa                     Set AA (Authoritative Answer) flag in query
       --ad                     Set AD (Authentic Data) flag in query
       --cd                     Set CD (Checking Disabled) flag in query
-      --rd                     Set RD (Recursion Desired) flag in query
-                               (default: true)
+      --rd                     Set RD (Recursion Desired) flag in query (default: true)
       --ra                     Set RA (Recursion Available) flag in query
       --z                      Set Z (Zero) flag in query
       --t                      Set TC (Truncated) flag in query
@@ -81,6 +77,7 @@ Application Options:
       --tls-max-version=       Maximum TLS version to use (default: 1.3)
       --tls-next-protos=       TLS next protocols for ALPN
       --tls-cipher-suites=     TLS cipher suites
+      --tls-curve-preferences= TLS curve preferences
       --tls-client-cert=       TLS client certificate file
       --tls-client-key=        TLS client key file
       --tls-key-log-file=      TLS key log file [$SSLKEYLOGFILE]
@@ -90,12 +87,10 @@ Application Options:
       --quic-no-pmtud          Disable QUIC PMTU discovery
       --quic-no-length-prefix  Don't add RFC 9250 compliant length prefix
       --dnscrypt-tcp           Use TCP for DNSCrypt (default UDP)
-      --dnscrypt-udp-size=     Maximum size of a DNS response this client can
-                               sent or receive (default: 0)
+      --dnscrypt-udp-size=     Maximum size of a DNS response this client can sent or receive (default: 0)
       --dnscrypt-key=          DNSCrypt public key
       --dnscrypt-provider=     DNSCrypt provider name
-      --default-rr-types=      Default record types (default: A, AAAA, NS, MX,
-                               TXT, CNAME)
+      --default-rr-types=      Default record types (default: A, AAAA, NS, MX, TXT, CNAME)
       --udp-buffer=            Set EDNS0 UDP size in query (default: 1232)
   -v, --verbose                Show verbose log messages
       --trace                  Show trace log messages

cli/flags.go

@@ -53,6 +53,7 @@ type Flags struct {
 	TLSMaxVersion        string   `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
 	TLSNextProtos        []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
 	TLSCipherSuites      []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+	TLSCurvePreferences  []string `long:"tls-curve-preferences" description:"TLS curve preferences"`
 	TLSClientCertificate string   `long:"tls-client-cert" description:"TLS client certificate file"`
 	TLSClientKey         string   `long:"tls-client-key" description:"TLS client key file"`
 	TLSKeyLogFile        string   `long:"tls-key-log-file" env:"SSLKEYLOGFILE" description:"TLS key log file"`

main.go

@@ -400,6 +400,7 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 		MaxVersion:         tlsutil.Version(opts.TLSMaxVersion, tls.VersionTLS13),
 		NextProtos:         opts.TLSNextProtos,
 		CipherSuites:       tlsutil.ParseCipherSuites(opts.TLSCipherSuites),
+		CurvePreferences:   tlsutil.ParseCurves(opts.TLSCurvePreferences),
 	}
 
 	// TLS client certificate authentication

util/tls/tls.go

@@ -38,6 +38,13 @@ var cipherSuiteToInt = map[string]uint16{
 	"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
 }
 
+var curveToInt = map[string]tls.CurveID{
+	"P256":   tls.CurveP256,
+	"P384":   tls.CurveP384,
+	"P521":   tls.CurveP521,
+	"X25519": tls.X25519,
+}
+
 // ParseCipherSuites converts a slice of cipher suite names to a slice of cipher suite ints
 func ParseCipherSuites(cipherSuites []string) []uint16 {
 	var cipherSuiteInts []uint16
@@ -51,6 +58,19 @@ func ParseCipherSuites(cipherSuites []string) []uint16 {
 	return cipherSuiteInts
 }
 
+// ParseCurves parses a slice of curves into their IDs
+func ParseCurves(curves []string) []tls.CurveID {
+	var curveIDs []tls.CurveID
+	for _, curve := range curves {
+		if curveID, ok := curveToInt[curve]; ok {
+			curveIDs = append(curveIDs, curveID)
+		} else {
+			log.Fatalf("Unknown TLS curve: %s", curve)
+		}
+	}
+	return curveIDs
+}
+
 // Version returns a TLS version number by given protocol string with a fallback
 func Version(version string, fallback uint16) uint16 {
 	switch version {