The release of Go 1.21.6 includes the new BoringCrypto module when compiling with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 and https://github.com/golang/go/issues/64717. This new version of BoringCrypto allows the use of TLS v1.3 for the first time, so we changed the Pinniped code to use TLS v1.3 where appropriate when compiled with the FIPS compiler. It also changed the allowed TLS v1.2 ciphers, so we updated those as well. After this commit, the project must be compiled with at least Go 1.21.6 when building in FIPS mode. The hack/Dockerfile_fips was already updated to use that version of Go in a previous commit. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
package tlsserver
import "crypto/tls"
// GetExpectedTLS13Ciphers returns the TLS 1.3 cipher suites that a non-FIPS build
// (build tag !fips_strict) of Pinniped is expected to offer.
//
// Callers use this to assert on the suites observed by an external scanner. The
// returned slice is freshly allocated on every call, so callers may modify it.
func GetExpectedTLS13Ciphers() []uint16 {
	// crypto/tls does not let callers configure the TLS 1.3 suite list, so the
	// expectation is the fixed set of three suites listed below.
	expected := make([]uint16, 0, 3)
	expected = append(expected,
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
	)
	return expected
}
// GetExpectedTLS13CipherNMapKeyExchangeInfoValue returns the key exchange info that nmap
// prints in parentheses next to the given TLS 1.3 cipher suite name, for a non-FIPS build
// (build tag !fips_strict).
//
// For any cipher that is not one of the three TLS 1.3 suites, the placeholder
// "unknown key exchange value" is returned so that a comparison against real nmap
// output fails loudly instead of matching by accident.
func GetExpectedTLS13CipherNMapKeyExchangeInfoValue(cipher uint16) string {
	const (
		x25519Exchange = "ecdh_x25519"
		unknown        = "unknown key exchange value"
	)
	isTLS13Suite := cipher == tls.TLS_AES_128_GCM_SHA256 ||
		cipher == tls.TLS_AES_256_GCM_SHA384 ||
		cipher == tls.TLS_CHACHA20_POLY1305_SHA256
	if !isTLS13Suite {
		return unknown
	}
	// In TLS 1.3 the key exchange group is negotiated independently of the cipher
	// suite, which is why every suite maps to the same value here.
	// NOTE(review): this assumes the server's preferred group is X25519. If the
	// server's CurvePreferences (or Go's defaults, e.g. a hybrid post-quantum group)
	// change, nmap will report a different value and this constant must be updated.
	return x25519Exchange
}