// Copyright Istio Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
common_features "istio.io/istio/pkg/features"
"istio.io/istio/pkg/log"
// fipsCiphers holds the Envoy (OpenSSL-style) names of the cipher suites that
// remain permitted when the FIPS 140-2 compliance policy is enforced. It is the
// string counterpart of fipsGoCiphers: both lists name the same four
// ECDHE + AES-GCM suites, so the two enforcement paths agree.
var fipsCiphers = []string{
	// AES-128-GCM
	"ECDHE-ECDSA-AES128-GCM-SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256",
	// AES-256-GCM
	"ECDHE-ECDSA-AES256-GCM-SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384",
}
// fipsGoCiphers is the crypto/tls cipher-suite ID list applied to Go TLS
// configs under the FIPS 140-2 compliance policy. The order and membership
// mirror fipsCiphers (the Envoy string names), so Go-side and Envoy-side
// enforcement permit the same suites.
var fipsGoCiphers = []uint16{
	// AES-128-GCM
	gotls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	gotls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	// AES-256-GCM
	gotls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	gotls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}
// index builds a set from the given cipher-suite names so that membership can
// be checked with a single map lookup. Names are matched exactly (the lookup is
// case-sensitive); duplicates collapse to one entry and a nil or empty input
// yields an empty, non-nil set.
func index(ciphers []string) map[string]struct{} {
	set := make(map[string]struct{}, len(ciphers))
	for _, name := range ciphers {
		set[name] = struct{}{}
	}
	return set
}
// fipsCipherIndex is the set form of fipsCiphers, used for exact-name
// membership checks when a configured Envoy cipher-suite list is filtered
// down to the FIPS-permitted suites.
var fipsCipherIndex = index(fipsCiphers)
// EnforceGoCompliance limits the TLS settings to the compliant values.
// This should be applied after all other TLS policies, so that its restrictions are not overridden.
func EnforceGoCompliance(ctx *gotls.Config) {
switch common_features.CompliancePolicy {
case common_features.FIPS_140_2:
ctx.MinVersion = gotls.VersionTLS12
ctx.MaxVersion = gotls.VersionTLS12
ctx.CipherSuites = fipsGoCiphers
ctx.CurvePreferences = []gotls.CurveID{gotls.CurveP256}
log.Warnf("unknown compliance policy: %q", common_features.CompliancePolicy)
// EnforceCompliance limits the TLS settings to the compliant values.
// This should be applied after all other TLS policies, so that its restrictions are not overridden.
func EnforceCompliance(ctx *tls.CommonTlsContext) {
switch common_features.CompliancePolicy {
case common_features.FIPS_140_2:
if ctx.TlsParams == nil {
ctx.TlsParams = &tls.TlsParameters{}
ctx.TlsParams.TlsMinimumProtocolVersion = tls.TlsParameters_TLSv1_2
ctx.TlsParams.TlsMaximumProtocolVersion = tls.TlsParameters_TLSv1_2
// Default (unset) cipher suites field in the FIPS build of Envoy uses only the FIPS ciphers.
// Therefore, we only filter this field when it is set.
if len(ctx.TlsParams.CipherSuites) > 0 {
for _, cipher := range ctx.TlsParams.CipherSuites {
if _, ok := fipsCipherIndex[cipher]; ok {
ciphers = append(ciphers, cipher)
ctx.TlsParams.CipherSuites = ciphers
// Default (unset) is P-256
ctx.TlsParams.EcdhCurves = nil
log.Warnf("unknown compliance policy: %q", common_features.CompliancePolicy)