ContainerImage.Pinniped/internal/crypto/ptls/secure.go

// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

//go:build !fips_strict
// +build !fips_strict

package ptls

import (
	"crypto/tls"
	"crypto/x509"

	"k8s.io/apiserver/pkg/server/options"
)

// secureServingOptionsMinTLSVersion is the minimum tls version in the format
// expected by SecureServingOptions.MinTLSVersion from
// k8s.io/apiserver/pkg/server/options.
const secureServingOptionsMinTLSVersion = "VersionTLS13"

// SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected
// by tls.Config.
const SecureTLSConfigMinTLSVersion = tls.VersionTLS13

func Secure(rootCAs *x509.CertPool) *tls.Config {
	// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports:
	// - Firefox 63
	// - Android 10.0
	// - Chrome 70
	// - Edge 75
	// - Java 11
	// - OpenSSL 1.1.1
	// - Opera 57
	// - Safari 12.1
	// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=modern&guideline=5.6
	c := Default(rootCAs)
	c.MinVersion = SecureTLSConfigMinTLSVersion // max out the security
	c.CipherSuites = []uint16{
		// TLS 1.3 ciphers are not configurable, but we need to explicitly set them here to make our client hello behave correctly
		// See https://github.com/golang/go/pull/49293
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
	}
	return c
}

func secureServing(opts *options.SecureServingOptionsWithLoopback) {
	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
	opts.CipherSuites = nil
}
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`//go:build !fips_strict`
			`// +build !fips_strict`

			`package ptls`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
Explicitly set defaultServing ciphers in FIPS mode This is a no-op today, but could change in the future when we add support for FIPS in non-strict mode. Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 21:07:47 +00:00
			`"k8s.io/apiserver/pkg/server/options"`
Introduce FIPS compatibility Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-03-29 23:58:41 +00:00			`)`

			`// secureServingOptionsMinTLSVersion is the minimum tls version in the format`
			`// expected by SecureServingOptions.MinTLSVersion from`
			`// k8s.io/apiserver/pkg/server/options.`
			`const secureServingOptionsMinTLSVersion = "VersionTLS13"`

			`// SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected`
			`// by tls.Config.`
			`const SecureTLSConfigMinTLSVersion = tls.VersionTLS13`

			`func Secure(rootCAs x509.CertPool) tls.Config {`
			`// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports:`
			`// - Firefox 63`
			`// - Android 10.0`
			`// - Chrome 70`
			`// - Edge 75`
			`// - Java 11`
			`// - OpenSSL 1.1.1`
			`// - Opera 57`
			`// - Safari 12.1`
			`// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=modern&guideline=5.6`
			`c := Default(rootCAs)`
			`c.MinVersion = SecureTLSConfigMinTLSVersion // max out the security`
			`c.CipherSuites = []uint16{`
			`// TLS 1.3 ciphers are not configurable, but we need to explicitly set them here to make our client hello behave correctly`
			`// See https://github.com/golang/go/pull/49293`
			`tls.TLS_AES_128_GCM_SHA256,`
			`tls.TLS_AES_256_GCM_SHA384,`
			`tls.TLS_CHACHA20_POLY1305_SHA256,`
			`}`
			`return c`
			`}`
Explicitly set defaultServing ciphers in FIPS mode This is a no-op today, but could change in the future when we add support for FIPS in non-strict mode. Signed-off-by: Monis Khan <mok@vmware.com> 2022-03-31 21:07:47 +00:00
			`func secureServing(opts *options.SecureServingOptionsWithLoopback) {`
			`opts.MinTLSVersion = secureServingOptionsMinTLSVersion`
			`opts.CipherSuites = nil`
			`}`