From c90637398dbddde1bbadcde6c4e99217bc43bde5 Mon Sep 17 00:00:00 2001
From: Pinny
Date: Tue, 18 Feb 2025 14:10:15 +0000
Subject: [PATCH 1/5] Bump dependencies
---
 Dockerfile | 2 +-
 generated/1.30/apis/go.mod | 2 +-
 generated/1.30/client/go.mod | 2 +-
 generated/1.31/apis/go.mod | 2 +-
 generated/1.31/client/go.mod | 2 +-
 go.mod | 6 +++---
 go.sum | 8 ++++----
 hack/Dockerfile_fips | 2 +-
 hack/update-go-mod/go.mod | 2 +-
 9 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 99cdfb19e..25d4ca71a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@
 # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959
+ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
diff --git a/generated/1.30/apis/go.mod b/generated/1.30/apis/go.mod
index 0a2d9c7f6..f3c2dacae 100644
--- a/generated/1.30/apis/go.mod
+++ b/generated/1.30/apis/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/apis
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require (
 k8s.io/api v0.30.9
diff --git a/generated/1.30/client/go.mod b/generated/1.30/client/go.mod
index ba4822b3d..b7ffe3d15 100644
--- a/generated/1.30/client/go.mod
+++ b/generated/1.30/client/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.30/client
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 replace go.pinniped.dev/generated/1.30/apis => ../apis
diff --git a/generated/1.31/apis/go.mod b/generated/1.31/apis/go.mod
index 29f5f1af4..0723d75b1 100644
--- a/generated/1.31/apis/go.mod
+++ b/generated/1.31/apis/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/apis
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require (
 k8s.io/api v0.31.5
diff --git a/generated/1.31/client/go.mod b/generated/1.31/client/go.mod
index a2ece04b5..ce5c1d3ff 100644
--- a/generated/1.31/client/go.mod
+++ b/generated/1.31/client/go.mod
@@ -3,7 +3,7 @@ module go.pinniped.dev/generated/1.31/client
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 replace go.pinniped.dev/generated/1.31/apis => ../apis
diff --git a/go.mod b/go.mod
index 1581fc855..2072281db 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module go.pinniped.dev
 go 1.23.0
-toolchain go1.23.6
+toolchain go1.24.0
 // When using v0.31.5, need to use this version of structured-merge-diff.
 // See https://github.com/kubernetes/apimachinery/blob/v0.31.5/go.mod#L30
@@ -39,7 +39,7 @@ require (
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 github.com/pkg/errors v0.9.1
 github.com/sclevine/spec v1.4.0
- github.com/spf13/cobra v1.8.1
+ github.com/spf13/cobra v1.9.1
 github.com/spf13/pflag v1.0.6
 github.com/stretchr/testify v1.10.0
 github.com/tdewolff/minify/v2 v2.21.3
@@ -78,7 +78,7 @@ require (
 github.com/chromedp/sysutil v1.1.0 // indirect
 github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 github.com/coreos/go-systemd/v22 v22.5.0 // indirect
- github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 github.com/cristalhq/jwt/v4 v4.0.2 // indirect
 github.com/dgraph-io/ristretto v1.0.0 // indirect
 github.com/dustin/go-humanize v1.0.1 // indirect
diff --git a/go.sum b/go.sum
index 2b49846d5..10338d607 100644
--- a/go.sum
+++ b/go.sum
@@ -90,8 +90,8 @@ github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
@@ -528,8 +528,8 @@ github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/
 github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
 github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips
index 3fbecdcac..81309df53 100644
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -16,7 +16,7 @@
 # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
 # and https://kupczynski.info/posts/fips-golang/ for details.
-ARG BUILD_IMAGE=golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959
+ARG BUILD_IMAGE=golang:1.24.0@sha256:2b1cbf278ce05a2a310a3d695ebb176420117a8cfcfcc4e5e68a1bef5f6354da
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:6ec5aa99dc335666e79dc64e4a6c8b89c33a543a1967f20d360922a80dd21f02
 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build
diff --git a/hack/update-go-mod/go.mod b/hack/update-go-mod/go.mod
index 091e79b72..18197c220 100644
--- a/hack/update-go-mod/go.mod
+++ b/hack/update-go-mod/go.mod
@@ -2,6 +2,6 @@ module go.pinniped.dev/update-go-mod
 go 1.22.0
-toolchain go1.23.6
+toolchain go1.24.0
 require golang.org/x/mod v0.22.0
From 8cfc1c08ec9bf9e01308345ebecb8090a451786c Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 18 Feb 2025 10:46:59 -0800
Subject: [PATCH 2/5] allow both TLS v1.2 and v1.3 in fips mode, supported starting in Go 1.24
---
 ...e_max_tls_version_for_fips_default_value.go | 4 ++--
 test/integration/limited_ciphers_fips_test.go | 8 ++++----
 test/integration/ptls_fips_test.go | 18 +++++++----------
 3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
index 0490ffa5a..8d721300a 100644
--- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
+++ b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build !fips_enable_tls13_max_for_default_profile
@@ -7,4 +7,4 @@ package ptls
 import "crypto/tls"
-const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS12
+const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 // Starting in Go 1.24, boringcrypto supports TLS 1.3 by default, so this build tag is no longer needed
diff --git a/test/integration/limited_ciphers_fips_test.go b/test/integration/limited_ciphers_fips_test.go
index 7eeb6993b..b25a67438 100644
--- a/test/integration/limited_ciphers_fips_test.go
+++ b/test/integration/limited_ciphers_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_strict
@@ -26,7 +26,7 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 // Expected server configuration for the Supervisor's OIDC endpoints.
 &tls.Config{
 MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect
- MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+ MaxVersion: tls.VersionTLS13,
 CipherSuites: []uint16{
 // Supervisor OIDC endpoints configured with EC certs use only EC ciphers.
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -35,8 +35,8 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 },
 // Expected server configuration for the Supervisor and Concierge aggregated API endpoints.
 &tls.Config{
- MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
- MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+ MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode
+ MaxVersion: tls.VersionTLS13,
 CipherSuites: []uint16{
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
diff --git a/test/integration/ptls_fips_test.go b/test/integration/ptls_fips_test.go
index fcea5fb6c..ae57c991b 100644
--- a/test/integration/ptls_fips_test.go
+++ b/test/integration/ptls_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 //go:build fips_strict
@@ -77,7 +77,7 @@ func TestDefault_Parallel(t *testing.T) {
 actual := ptls.Default(aCertPool)
 expected := &tls.Config{
 MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+ MaxVersion: tls.VersionTLS13,
 CipherSuites: expectedFIPSCipherSuites,
 NextProtos: []string{"h2", "http/1.1"},
 RootCAs: aCertPool,
@@ -94,7 +94,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) {
 actual := ptls.DefaultLDAP(aCertPool)
 expected := &tls.Config{
 MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+ MaxVersion: tls.VersionTLS13,
 CipherSuites: expectedFIPSCipherSuites,
 NextProtos: []string{"h2", "http/1.1"},
 RootCAs: aCertPool,
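Review bot: The new `MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode` in the aggregated-API expectation of the `@@ -35,8` hunk states the policy but drops the reason the removed lines carried, and the same happens in the TestSecure_Parallel and TestSecureServing_Parallel hunks that follow. Now that the commit's premise is that boringcrypto supports TLS 1.3, a reader will ask why the Secure profile and aggregated API serving in FIPS mode keep a 1.2 floor instead of requiring 1.3 as the removed comments say the non-FIPS build does; the test comment should carry that reason, e.g. `// FIPS mode keeps TLS 1.2 as the floor so that FIPS-built Kubernetes servers that cannot negotiate 1.3 can still connect`. That rationale is inferred from the later comment on Secure() in profiles_fips_strict.go in this series, so adjust it to whatever the actual constraint is. TestLimitedCiphersFIPS_Disruptive starts and ends outside the hunk.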
@@ -110,10 +110,8 @@ func TestSecure_Parallel(t *testing.T) {
 actual := ptls.Secure(aCertPool)
 expected := &tls.Config{
- // goboring does not currently support TLS 1.3, so where we would normally require it by making it the
- // min version for the secure profile, we cannot do that in FIPS mode
- MinVersion: tls.VersionTLS12,
- MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+ MinVersion: tls.VersionTLS12, // allow TLS 1.2 in FIPS mode
+ MaxVersion: tls.VersionTLS13,
 CipherSuites: expectedFIPSCipherSuites,
 NextProtos: []string{"h2", "http/1.1"},
 RootCAs: aCertPool,
@@ -135,10 +133,8 @@ func TestSecureServing_Parallel(t *testing.T) {
 require.Equal(t, options.SecureServingOptionsWithLoopback{
 SecureServingOptions: &options.SecureServingOptions{
- CipherSuites: expectedFIPSCipherSuiteNames,
- // goboring does not currently support TLS 1.3, so where we would normally require it by making it the
- // min version for secure serving for aggregated API servers, we cannot do that in FIPS mode
- MinTLSVersion: "VersionTLS12",
+ CipherSuites: expectedFIPSCipherSuiteNames,
+ MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode
 },
 }, *opts)
 }
From 39a86e7d5271919985bcb63879c949763158cdc0 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 18 Feb 2025 10:47:24 -0800
Subject: [PATCH 3/5] upgrade Go linter to current latest
---
 hack/lib/lint-version.txt | 2 +-
 internal/concierge/impersonator/impersonator.go | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/hack/lib/lint-version.txt b/hack/lib/lint-version.txt
index 1180c5942..65d11a24b 100644
--- a/hack/lib/lint-version.txt
+++ b/hack/lib/lint-version.txt
@@ -1 +1 @@
-1.63.4
+1.64.5
diff --git a/internal/concierge/impersonator/impersonator.go b/internal/concierge/impersonator/impersonator.go
index bdd37212d..29c0210bd 100644
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package impersonator
@@ -650,7 +650,6 @@ func getTransportForUser(ctx context.Context, userInfo user.Info, delegate, dele
 }
 func canImpersonateFully(userInfo user.Info) bool {
- //nolint:gosimple // this structure is on purpose because we plan to expand this function
 if len(userInfo.GetUID()) == 0 {
 return true
 }
From 4e04f5b606377248b82e8d21a6bd500f8bf5a676 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 18 Feb 2025 13:50:26 -0800
Subject: [PATCH 4/5] remove fips_strict insecure ciphers which do not seem to be in Go 1.24
---
 internal/crypto/ptls/profiles_fips_strict.go | 21 ++++++++++---------
 test/integration/limited_ciphers_fips_test.go | 2 --
 test/integration/ptls_fips_test.go | 2 --
 3 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/internal/crypto/ptls/profiles_fips_strict.go b/internal/crypto/ptls/profiles_fips_strict.go
index b26fbd273..13c5058b3 100644
--- a/internal/crypto/ptls/profiles_fips_strict.go
+++ b/internal/crypto/ptls/profiles_fips_strict.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // This file overrides profiles.go when Pinniped is built in FIPS-only mode.
@@ -37,11 +37,9 @@ var (
 // insecureCipherSuiteIDs is a list of additional ciphers that should be allowed for both clients
 // and servers when using TLS 1.2.
 //
- // FIPS allows the use of these specific ciphers that golang considers insecure.
- insecureCipherSuiteIDs = []uint16{
- tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
- }
+ // Previous versions of FIPS allowed the use of some specific ciphers that golang considers insecure.
+ // Go 1.24 does not anymore, so now this list is empty.
+ insecureCipherSuiteIDs []uint16
 // additionalSecureCipherSuiteIDsOnlyForLDAPClients are additional ciphers to use only for LDAP clients
 // when using TLS 1.2. These can be used when the Pinniped Supervisor is making calls to an LDAP server
@@ -72,7 +70,7 @@ func init() {
 // and insecureCipherSuiteIDs values defined above.
 func Default(rootCAs *x509.CertPool) *tls.Config {
 config := buildTLSConfig(rootCAs, allHardcodedAllowedCipherSuites(), getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo())
- // Until goboring supports TLS 1.3, make the max version 1.2 by default. Allow it to be overridden by a build tag.
+ // Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
 config.MaxVersion = DefaultProfileMaxTLSVersionForFIPS
 return config
 }
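Review bot: The new doc comment `// Go 1.24 does not anymore, so now this list is empty.` on insecureCipherSuiteIDs asserts as fact what the commit subject only says "does not seem to be" the case, and this comment is exactly where a future maintainer will look before re-adding an RSA key-exchange suite, so pin the claim to its source: `// Go 1.24's boringcrypto build no longer offers the TLS_RSA_* suites ([link to the Go issue or release note]), so this list is now empty.` If getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(), called from Default() in the second hunk, validates operator-supplied cipher names against lists that include insecureCipherSuiteIDs, an existing configuration naming TLS_RSA_WITH_AES_128_GCM_SHA256 or TLS_RSA_WITH_AES_256_GCM_SHA384 would now be rejected at startup; that is inferred rather than visible here, but if true it is a behavior change that the commit message and release notes should state. The `var (` block begins outside the first hunk.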
@@ -86,15 +84,18 @@ func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 // Secure: see comment in profiles.go.
 // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode.
-// Until goboring supports TLS 1.3, make the Secure profile the same as the Default profile in FIPS mode.
-// Until then, this is not any different from the Default profile in FIPS mode.
+// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
+// However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to
+// make the Secure profile the same as the Default profile in FIPS mode, to allow both TLS 1.2 and 1.3.
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 return Default(rootCAs)
 }
 // SecureServing: see comment in profiles.go.
 // This chooses different cipher suites and/or TLS versions compared to non-FIPS mode.
-// Until goboring supports TLS 1.3, make SecureServing use the same as the defaultServing profile in FIPS mode.
+// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
+// However, until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3, continue to
+// make SecureServing use the same as the defaultServing profile in FIPS mode, to allow both TLS 1.2 and 1.3.
 func SecureServing(opts *options.SecureServingOptionsWithLoopback) {
 defaultServing(opts)
 }
diff --git a/test/integration/limited_ciphers_fips_test.go b/test/integration/limited_ciphers_fips_test.go
index b25a67438..f8fd3c261 100644
--- a/test/integration/limited_ciphers_fips_test.go
+++ b/test/integration/limited_ciphers_fips_test.go
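Review bot: The new comment on Secure(), and its twin on SecureServing(), justifies keeping the FIPS Secure profile at the Default profile's floor with "until it is safe to assume that a FIPS-compiled k8s server supports TLS 1.3", but gives no handle for deciding when that day has come, so the weaker-than-non-FIPS floor has no visible expiry. A TODO naming the condition keeps it honest, e.g. `// TODO: once the oldest supported Kubernetes release is built with Go 1.24 or later, make Secure() require TLS 1.3 as profiles.go does.` Whether that is the right gating condition is inferred from the comment text; replace it with whatever actually gates the decision. The DefaultLDAP() named in the hunk header lies outside the hunk.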
@@ -21,7 +21,6 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_GCM_SHA384", // this is an insecure cipher but allowed for FIPS
 },
 // Expected server configuration for the Supervisor's OIDC endpoints.
 &tls.Config{
@@ -41,7 +40,6 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 },
 },
 )
diff --git a/test/integration/ptls_fips_test.go b/test/integration/ptls_fips_test.go
index ae57c991b..8609aa97d 100644
--- a/test/integration/ptls_fips_test.go
+++ b/test/integration/ptls_fips_test.go
@@ -65,8 +65,6 @@ var expectedFIPSCipherSuites = []uint16{
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 }
 func TestDefault_Parallel(t *testing.T) {
From 3a6573f89eca35dc92831743d7596dd2e99e35bb Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 19 Feb 2025 11:47:34 -0800
Subject: [PATCH 5/5] remove fips_enable_tls13_max_for_default_profile build tag
---
 .../default_profile_max_tls_version_for_fips_13.go | 10 ----------
 ...t_profile_max_tls_version_for_fips_default_value.go | 10 ----------
 internal/crypto/ptls/profiles_fips_strict.go | 5 ++---
 3 files changed, 2 insertions(+), 23 deletions(-)
 delete mode 100644 internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go
 delete mode 100644 internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go
deleted file mode 100644
index b1c5a4b7e..000000000
--- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build fips_enable_tls13_max_for_default_profile
-
-package ptls
-
-import "crypto/tls"
-
-const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13
diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
deleted file mode 100644
index 8d721300a..000000000
--- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build !fips_enable_tls13_max_for_default_profile
-
-package ptls
-
-import "crypto/tls"
-
-const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 // Starting in Go 1.24, boringcrypto supports TLS 1.3 by default, so this build tag is no longer needed
diff --git a/internal/crypto/ptls/profiles_fips_strict.go b/internal/crypto/ptls/profiles_fips_strict.go
index 13c5058b3..97fbc126d 100644
--- a/internal/crypto/ptls/profiles_fips_strict.go
+++ b/internal/crypto/ptls/profiles_fips_strict.go
@@ -60,8 +60,7 @@ func init() {
 // this init runs before we have parsed our config to determine our log level
 // thus we must use a log statement that will always print instead of conditionally print
 plog.Always("this server was compiled to use boring crypto in FIPS-only mode",
- "go version", runtime.Version(),
- "DefaultProfileMaxTLSVersionForFIPS", tls.VersionName(DefaultProfileMaxTLSVersionForFIPS))
+ "go version", runtime.Version())
 }
 // Default: see comment in profiles.go.
@@ -71,7 +70,7 @@ func init() {
 func Default(rootCAs *x509.CertPool) *tls.Config {
 config := buildTLSConfig(rootCAs, allHardcodedAllowedCipherSuites(), getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo())
 // Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
- config.MaxVersion = DefaultProfileMaxTLSVersionForFIPS
+ config.MaxVersion = tls.VersionTLS13
 return config
 }
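Review bot: `config.MaxVersion = tls.VersionTLS13` sets an explicit ceiling while the comment above it says the change "allows" TLS 1.3; in crypto/tls a zero MaxVersion already means the highest version the library supports, so the only effect of the assignment is to stop the FIPS profile from following a future Go default, and the comment should say so if that is the intent. Either drop the assignment together with the comment, or reword the comment to `// Pin the ceiling at TLS 1.3 (currently also crypto/tls's default max) so the FIPS profile does not silently adopt a newer version from a future Go release.` The init() named in the hunk header is not part of this hunk; Default() is shown in full.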