// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package model

import (
	gotls "crypto/tls"

	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"

	common_features "istio.io/istio/pkg/features"
	"istio.io/istio/pkg/log"
)

// The FIPS 140-2 cipher suite allow list, written twice: once with the
// OpenSSL-style names that Envoy's TlsParameters.CipherSuites carry, and once
// as Go crypto/tls suite IDs for *tls.Config.CipherSuites. Both lists name the
// same four ECDHE AES-GCM suites and must be kept in sync.
var (
	fipsCiphers = []string{
		"ECDHE-ECDSA-AES128-GCM-SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384",
		"ECDHE-RSA-AES256-GCM-SHA384",
	}

	fipsGoCiphers = []uint16{
		gotls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		gotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		gotls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		gotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}
)

// index builds a set from the given cipher names so that membership can be
// checked with a single map lookup. Duplicates collapse; a nil or empty
// input yields an empty (non-nil) set.
func index(ciphers []string) map[string]struct{} {
	set := make(map[string]struct{}, len(ciphers))
	for i := range ciphers {
		set[ciphers[i]] = struct{}{}
	}
	return set
}

// fipsCipherIndex is the set form of fipsCiphers, used by EnforceCompliance
// to test whether an Envoy cipher suite name is on the FIPS allow list.
var (
	fipsCipherIndex = index(fipsCiphers)
)

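// EnforceGoCompliance limits the TLS settings to the compliant values.
// This should be called as the last policy.
//
// With an empty CompliancePolicy ctx is left untouched. Under FIPS_140_2 the
// config is pinned to TLS 1.2 on both ends, the cipher suites are replaced by
// the four FIPS suites and the curve preferences by P-256. Any other policy
// value is logged as unknown and ctx is left untouched.
func EnforceGoCompliance(ctx *gotls.Config) {
	switch common_features.CompliancePolicy {
	case "":
		return
	case common_features.FIPS_140_2:
		// Pinned to 1.2 on both ends. Note that Go's CipherSuites field does
		// not restrict TLS 1.3 suites, so raising MaxVersion here would let
		// a 1.3 handshake bypass the cipher allow list below.
		ctx.MinVersion = gotls.VersionTLS12
		ctx.MaxVersion = gotls.VersionTLS12
		// Hand out a copy rather than the package-level slice, so that a
		// caller mutating ctx.CipherSuites in place cannot alter the allow
		// list shared by every config passed through here.
		ctx.CipherSuites = append([]uint16(nil), fipsGoCiphers...)
		ctx.CurvePreferences = []gotls.CurveID{gotls.CurveP256}
		return
	default:
		log.Warnf("unknown compliance policy: %q", common_features.CompliancePolicy)
		return
	}
}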

// EnforceCompliance limits the TLS settings to the compliant values.
// This should be called as the last policy.
//
// Under FIPS_140_2 the Envoy TLS parameters are pinned to TLS 1.2, any
// explicitly configured cipher suites are reduced to the FIPS subset, and the
// ECDH curve list is cleared so Envoy's default applies. An empty policy is a
// no-op; an unknown policy is logged and leaves ctx untouched.
func EnforceCompliance(ctx *tls.CommonTlsContext) {
	policy := common_features.CompliancePolicy
	if policy == "" {
		return
	}
	if policy != common_features.FIPS_140_2 {
		log.Warnf("unknown compliance policy: %q", policy)
		return
	}

	params := ctx.TlsParams
	if params == nil {
		params = &tls.TlsParameters{}
		ctx.TlsParams = params
	}
	params.TlsMinimumProtocolVersion = tls.TlsParameters_TLSv1_2
	params.TlsMaximumProtocolVersion = tls.TlsParameters_TLSv1_2

	// Default (unset) cipher suites field in the FIPS build of Envoy uses only the FIPS ciphers.
	// Therefore, we only filter this field when it is set.
	if configured := params.CipherSuites; len(configured) > 0 {
		allowed := make([]string, 0, len(configured))
		for _, suite := range configured {
			if _, isFips := fipsCipherIndex[suite]; isFips {
				allowed = append(allowed, suite)
			}
		}
		// If nothing survives the filter the field is left empty, i.e. unset,
		// and the Envoy default described above applies.
		params.CipherSuites = allowed
	}

	// Default (unset) is P-256
	params.EcdhCurves = nil
}