This commit is contained in:
Joshua Casey 2023-02-02 23:02:22 -06:00
parent 5dc454de3d
commit 976dd6c8e1
10 changed files with 179 additions and 111 deletions

View File

@ -21,6 +21,7 @@ RUN \
export CGO_ENABLED=0 && \ export CGO_ENABLED=0 && \
export GOOS=linux && \ export GOOS=linux && \
export GOARCH=amd64 && \ export GOARCH=amd64 && \
export GOEXPERIMENT=boringcrypto && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \

73
ciphers.txt Normal file
View File

@ -0,0 +1,73 @@
Obtaining cipher list from LibreSSL 3.3.6.
Testing AEAD-AES256-GCM-SHA384...YES
Testing AEAD-CHACHA20-POLY1305-SHA256...YES
Testing AEAD-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-SHA384...YES
Testing ECDHE-ECDSA-AES256-SHA384...YES
Testing ECDHE-RSA-AES256-SHA...YES
Testing ECDHE-ECDSA-AES256-SHA...YES
Testing DHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-SHA256...YES
Testing DHE-RSA-AES256-SHA...YES
Testing ECDHE-ECDSA-CHACHA20-POLY1305...YES
Testing ECDHE-RSA-CHACHA20-POLY1305...YES
Testing DHE-RSA-CHACHA20-POLY1305...YES
Testing GOST2012256-GOST89-GOST89...YES
Testing DHE-RSA-CAMELLIA256-SHA256...YES
Testing DHE-RSA-CAMELLIA256-SHA...YES
Testing GOST2001-GOST89-GOST89...YES
Testing AECDH-AES256-SHA...YES
Testing ADH-AES256-GCM-SHA384...YES
Testing ADH-AES256-SHA256...YES
Testing ADH-AES256-SHA...YES
Testing ADH-CAMELLIA256-SHA256...YES
Testing ADH-CAMELLIA256-SHA...YES
Testing AES256-GCM-SHA384...YES
Testing AES256-SHA256...YES
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA256...YES
Testing CAMELLIA256-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing ECDHE-ECDSA-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES128-SHA256...YES
Testing ECDHE-ECDSA-AES128-SHA256...YES
Testing ECDHE-RSA-AES128-SHA...YES
Testing ECDHE-ECDSA-AES128-SHA...YES
Testing DHE-RSA-AES128-GCM-SHA256...YES
Testing DHE-RSA-AES128-SHA256...YES
Testing DHE-RSA-AES128-SHA...YES
Testing DHE-RSA-CAMELLIA128-SHA256...YES
Testing DHE-RSA-CAMELLIA128-SHA...YES
Testing AECDH-AES128-SHA...YES
Testing ADH-AES128-GCM-SHA256...YES
Testing ADH-AES128-SHA256...YES
Testing ADH-AES128-SHA...YES
Testing ADH-CAMELLIA128-SHA256...YES
Testing ADH-CAMELLIA128-SHA...YES
Testing AES128-GCM-SHA256...YES
Testing AES128-SHA256...YES
Testing AES128-SHA...YES
Testing CAMELLIA128-SHA256...YES
Testing CAMELLIA128-SHA...YES
Testing ECDHE-RSA-RC4-SHA...YES
Testing ECDHE-ECDSA-RC4-SHA...YES
Testing AECDH-RC4-SHA...YES
Testing ADH-RC4-MD5...YES
Testing RC4-SHA...YES
Testing RC4-MD5...YES
Testing ECDHE-RSA-DES-CBC3-SHA...YES
Testing ECDHE-ECDSA-DES-CBC3-SHA...YES
Testing EDH-RSA-DES-CBC3-SHA...YES
Testing AECDH-DES-CBC3-SHA...YES
Testing ADH-DES-CBC3-SHA...YES
Testing DES-CBC3-SHA...YES
Testing ECDHE-RSA-NULL-SHA...YES
Testing ECDHE-ECDSA-NULL-SHA...YES
Testing GOST2012256-NULL-STREEBOG256...YES
Testing GOST2001-NULL-GOST94...YES
Testing AECDH-NULL-SHA...YES
Testing NULL-SHA256...YES
Testing NULL-SHA...YES
Testing NULL-MD5...YES

73
fips-ciphers.txt Normal file
View File

@ -0,0 +1,73 @@
Obtaining cipher list from LibreSSL 3.3.6.
Testing AEAD-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AEAD-CHACHA20-POLY1305-SHA256...NO (sslv3 alert handshake failure)
Testing AEAD-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing GOST2012256-GOST89-GOST89...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing GOST2001-GOST89-GOST89...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-SHA256...NO (sslv3 alert handshake failure)
Testing AES256-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-RC4-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-RC4-SHA...NO (sslv3 alert handshake failure)
Testing ADH-RC4-MD5...NO (sslv3 alert handshake failure)
Testing RC4-SHA...NO (sslv3 alert handshake failure)
Testing RC4-MD5...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing EDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing GOST2012256-NULL-STREEBOG256...NO (sslv3 alert handshake failure)
Testing GOST2001-NULL-GOST94...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)

View File

@ -1,12 +0,0 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build goexperiment.boringcrypto
// +build goexperiment.boringcrypto
package fips
import (
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
)

View File

@ -1,8 +1,8 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !boringcrypto //go:build !goexperiment.boringcrypto
// +build !boringcrypto // +build !goexperiment.boringcrypto
package ptls package ptls

View File

@ -1,80 +0,0 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
// configs when Pinniped is built in fips-only mode.
// All of these are the same because FIPs is already so limited.
//go:build goexperiment.boringcrypto
// +build goexperiment.boringcrypto
package ptls
import (
"crypto/tls"
"crypto/x509"
"os"
"path/filepath"
"runtime"
"k8s.io/apiserver/pkg/server/options"
// Cause fipsonly tls mode with this side effect import.
_ "go.pinniped.dev/internal/crypto/fips"
"go.pinniped.dev/internal/plog"
)
// Always use TLS 1.2 for FIPs
const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() {
switch filepath.Base(os.Args[0]) {
case "pinniped-server", "pinniped-supervisor", "pinniped-concierge", "pinniped-concierge-kube-cert-agent":
default:
return // do not print FIPS logs if we cannot confirm that we are running a server binary
}
// this init runs before we have parsed our config to determine our log level
// thus we must use a log statement that will always print instead of conditionally print
plog.Always("using boring crypto in fips only mode", "go version", runtime.Version())
}
func Default(rootCAs *x509.CertPool) *tls.Config {
return &tls.Config{
// goboring requires TLS 1.2 and only TLS 1.2
MinVersion: SecureTLSConfigMinTLSVersion,
MaxVersion: SecureTLSConfigMinTLSVersion,
// enable HTTP2 for go's 1.7 HTTP Server
// setting this explicitly is only required in very specific circumstances
// it is simpler to just set it here than to try and determine if we need to
NextProtos: []string{"h2", "http/1.1"},
// optional root CAs, nil means use the host's root CA set
RootCAs: rootCAs,
// This is all of the fips-approved ciphers.
// The list is hard-coded for convenience of testing.
// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}
}
func Secure(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
defaultServing(opts)
}

View File

@ -1,8 +1,8 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !boringcrypto //go:build !goexperiment.boringcrypto
// +build !boringcrypto // +build !goexperiment.boringcrypto
package ptls package ptls

View File

@ -1,13 +0,0 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build goexperiment.boringcrypto
// +build goexperiment.boringcrypto
package testlib
// Because of a bug in nmap, the cipher suite preference is
// incorrectly shown as 'client' in some cases.
// in fips-only mode, it correctly shows the cipher preference
// as 'server', while in non-fips mode it shows as 'client'.
const cipherSuitePreference = "server"

View File

@ -1,8 +1,8 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !boringcrypto //go:build !goexperiment.boringcrypto
// +build !boringcrypto // +build !goexperiment.boringcrypto
package testlib package testlib

26
test_ciphers.sh Executable file
View File

@ -0,0 +1,26 @@
#!/usr/bin/env bash
# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher :" ]] ; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done