ContainerImage.Pinniped/internal/crypto/ptls/fips_strict.go

// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
// configs when Pinniped is built in fips-only mode.
// All of these are the same because FIPs is already so limited.
//go:build fips_strict
// +build fips_strict

package ptls

import (
	"crypto/tls"
	"crypto/x509"
	"runtime"

	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.

	"go.pinniped.dev/internal/plog"
)

// Always use TLS 1.2 for FIPs
const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12

func init() {
	plog.Debug("using boring crypto in fips only mode", "go version", runtime.Version())
}

func Default(rootCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		// goboring requires TLS 1.2 and only TLS 1.2
		MinVersion: SecureTLSConfigMinTLSVersion,
		MaxVersion: SecureTLSConfigMinTLSVersion,

		// enable HTTP2 for go's 1.7 HTTP Server
		// setting this explicitly is only required in very specific circumstances
		// it is simpler to just set it here than to try and determine if we need to
		NextProtos: []string{"h2", "http/1.1"},

		// optional root CAs, nil means use the host's root CA set
		RootCAs: rootCAs,

		// This is all of the fips-approved ciphers.
		// The list is hard-coded for convenience of testing.
		// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func Secure(rootCAs *x509.CertPool) *tls.Config {
	return Default(rootCAs)
}

func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
	return Default(rootCAs)
}
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`// Copyright 2022 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP`
			`// configs when Pinniped is built in fips-only mode.`
			`// All of these are the same because FIPs is already so limited.`
			`//go:build fips_strict`
			`// +build fips_strict`

			`package ptls`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"runtime"`

Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00			`"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent`
			`_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.`

Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`"go.pinniped.dev/internal/plog"`
			`)`

			`// Always use TLS 1.2 for FIPs`
			`const secureServingOptionsMinTLSVersion = "VersionTLS12"`
			`const SecureTLSConfigMinTLSVersion = tls.VersionTLS12`

			`func init() {`
Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00			`plog.Debug("using boring crypto in fips only mode", "go version", runtime.Version())`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`}`

			`func Default(rootCAs x509.CertPool) tls.Config {`
			`return &tls.Config{`
			`// goboring requires TLS 1.2 and only TLS 1.2`
			`MinVersion: SecureTLSConfigMinTLSVersion,`
			`MaxVersion: SecureTLSConfigMinTLSVersion,`

			`// enable HTTP2 for go's 1.7 HTTP Server`
			`// setting this explicitly is only required in very specific circumstances`
			`// it is simpler to just set it here than to try and determine if we need to`
			`NextProtos: []string{"h2", "http/1.1"},`

			`// optional root CAs, nil means use the host's root CA set`
			`RootCAs: rootCAs,`

			`// This is all of the fips-approved ciphers.`
			`// The list is hard-coded for convenience of testing.`
Add more details to FIPS comments Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 18:48:52 +00:00			`// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`CipherSuites: []uint16{`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`tls.TLS_RSA_WITH_AES_128_GCM_SHA256,`
			`tls.TLS_RSA_WITH_AES_256_GCM_SHA384,`
			`},`
			`}`
			`}`

			`func Secure(rootCAs x509.CertPool) tls.Config {`
			`return Default(rootCAs)`
			`}`

			`func DefaultLDAP(rootCAs x509.CertPool) tls.Config {`
			`return Default(rootCAs)`
			`}`