bc7ffd37a6
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
81 lines
2.5 KiB
Go
81 lines
2.5 KiB
Go
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
|
|
// configs when Pinniped is built in fips-only mode.
|
|
// All of these are the same because FIPs is already so limited.
|
|
//go:build fips_strict
|
|
// +build fips_strict
|
|
|
|
package ptls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
|
|
"k8s.io/apiserver/pkg/server/options"
|
|
|
|
// Cause fipsonly tls mode with this side effect import.
|
|
_ "go.pinniped.dev/internal/crypto/fips"
|
|
"go.pinniped.dev/internal/plog"
|
|
)
|
|
|
|
// Always use TLS 1.2 for FIPs
|
|
const secureServingOptionsMinTLSVersion = "VersionTLS12"
|
|
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
|
|
|
|
func init() {
|
|
switch filepath.Base(os.Args[0]) {
|
|
case "pinniped-server", "pinniped-supervisor", "pinniped-concierge", "pinniped-concierge-kube-cert-agent":
|
|
default:
|
|
return // do not print FIPS logs if we cannot confirm that we are running a server binary
|
|
}
|
|
|
|
// this init runs before we have parsed our config to determine our log level
|
|
// thus we must use a log statement that will always print instead of conditionally print
|
|
plog.Always("using boring crypto in fips only mode", "go version", runtime.Version())
|
|
}
|
|
|
|
func Default(rootCAs *x509.CertPool) *tls.Config {
|
|
return &tls.Config{
|
|
// goboring requires TLS 1.2 and only TLS 1.2
|
|
MinVersion: SecureTLSConfigMinTLSVersion,
|
|
MaxVersion: SecureTLSConfigMinTLSVersion,
|
|
|
|
// enable HTTP2 for go's 1.7 HTTP Server
|
|
// setting this explicitly is only required in very specific circumstances
|
|
// it is simpler to just set it here than to try and determine if we need to
|
|
NextProtos: []string{"h2", "http/1.1"},
|
|
|
|
// optional root CAs, nil means use the host's root CA set
|
|
RootCAs: rootCAs,
|
|
|
|
// This is all of the fips-approved ciphers.
|
|
// The list is hard-coded for convenience of testing.
|
|
// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
},
|
|
}
|
|
}
|
|
|
|
func Secure(rootCAs *x509.CertPool) *tls.Config {
|
|
return Default(rootCAs)
|
|
}
|
|
|
|
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
|
|
return Default(rootCAs)
|
|
}
|
|
|
|
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
|
|
defaultServing(opts)
|
|
}
|