open-consul/types/tls.go
Mike Morris 277c41d336
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576)
* xds: refactor ingress listener SDS configuration

* xds: update resolveListenerSDS call args in listeners_test

* ingress: add TLS min, max and cipher suites to GatewayTLSConfig

* xds: implement envoyTLSVersions and envoyTLSCipherSuites

* xds: merge TLS config

* xds: configure TLS parameters with ingress TLS context from leaf

* xds: nil check in resolveListenerTLSConfig validation

* xds: nil check in makeTLSParameters* functions

* changelog: add entry for TLS params on ingress config entries

* xds: remove indirection for TLS params in TLSConfig structs

* xds: return tlsContext, nil instead of ambiguous err

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* xds: switch zero checks to types.TLSVersionUnspecified

* ingress: add validation for ingress config entry TLS params

* ingress: validate listener TLS config

* xds: add basic ingress with TLS params tests

* xds: add ingress listeners mixed TLS min version defaults precedence test

* xds: add more explicit tests for ingress listeners inheriting gateway defaults

* xds: add test for single TLS listener on gateway without TLS defaults

* xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test

* types/tls: change TLSVersion to string

* types/tls: update TLSCipherSuite to string type

* types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private

* api: add TLS params to GatewayTLSConfig, add tests

* api: add TLSMinVersion to ingress gateway config entry test JSON

* xds: switch to Envoy TLS cipher suite encoding from types package

* xds: fixup validation for TLSv1_3 min version with cipher suites

* add some kitchen sink tests and add a missing struct tag

* xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites

* xds: update connectTLSEnabled comment

* xds: remove unsued resolveGatewayServiceTLSConfig function

 * xds: add makeCommonTLSContextFromLeafWithoutParams

* types/tls: add LessThan comparator function for concrete values

* types/tls: change tlsVersions validation map from string to TLSVersion keys

* types/tls: remove unused envoyTLSCipherSuites

* types/tls: enable chacha20 cipher suites for Consul agent

* types/tls: remove insecure cipher suites from allowed config

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source.

Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330

* types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private

* types/tls: return all unmatched cipher suites in validation errors

* xds: check that Envoy API value matching TLS version is found when building TlsParameters

* types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings

* types/tls: cast to string rather than fmt.Printf in TLSCihperSuite.String()

* xds: add TLSVersionUnspecified to list of configurable cipher suites

* structs: update note about config entry warning

* xds: remove TLS min version cipher suite unconfigurable test placeholder

* types/tls: update tests to remove assumption about private map values

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-01-11 11:46:42 -05:00

218 lines
7.6 KiB
Go

package types
import (
"fmt"
"strings"
)
// TLSVersion is a strongly-typed string for TLS versions
type TLSVersion string
const (
// Error value, excluded from lookup maps
TLSVersionInvalid TLSVersion = "TLS_INVALID"
// Explicit unspecified zero-value to avoid overwriting parent defaults
TLSVersionUnspecified TLSVersion = ""
// Explictly allow implementation to select TLS version
// May be useful to supercede defaults specified at a higher layer
TLSVersionAuto TLSVersion = "TLS_AUTO"
_ // Placeholder for SSLv3, hopefully we won't have to add this
// TLS versions
TLSv1_0 TLSVersion = "TLSv1_0"
TLSv1_1 TLSVersion = "TLSv1_1"
TLSv1_2 TLSVersion = "TLSv1_2"
TLSv1_3 TLSVersion = "TLSv1_3"
)
var (
tlsVersions = map[TLSVersion]struct{}{
TLSVersionAuto: {},
TLSv1_0: {},
TLSv1_1: {},
TLSv1_2: {},
TLSv1_3: {},
}
// NOTE: This interface is deprecated in favor of tlsVersions
// and should be eventually removed in a future release.
DeprecatedConsulAgentTLSVersions = map[string]TLSVersion{
"": TLSVersionAuto,
"tls10": TLSv1_0,
"tls11": TLSv1_1,
"tls12": TLSv1_2,
"tls13": TLSv1_3,
}
// NOTE: these currently map to the deprecated config strings to support the
// deployment pattern of upgrading servers first. This map should eventually
// be removed and any lookups updated to instead use the TLSVersion string
// values directly in a future release.
ConsulAutoConfigTLSVersionStrings = map[TLSVersion]string{
TLSVersionAuto: "",
TLSv1_0: "tls10",
TLSv1_1: "tls11",
TLSv1_2: "tls12",
TLSv1_3: "tls13",
}
TLSVersionsWithConfigurableCipherSuites = map[TLSVersion]struct{}{
// NOTE: these two are implementation-dependent, but it is not expected that
// either Go or Envoy would default to TLS 1.3 as a minimum version in the
// near future
TLSVersionUnspecified: {},
TLSVersionAuto: {},
TLSv1_0: {},
TLSv1_1: {},
TLSv1_2: {},
}
)
func (v *TLSVersion) String() string {
return string(*v)
}
var tlsVersionComparison = map[TLSVersion]uint{
TLSv1_0: 1,
TLSv1_1: 2,
TLSv1_2: 3,
TLSv1_3: 4,
}
// Will only return true for concrete versions and won't catch
// implementation-dependent conflicts with TLSVersionAuto or unspecified values
func (a TLSVersion) LessThan(b TLSVersion) (error, bool) {
for _, v := range []TLSVersion{a, b} {
if _, ok := tlsVersionComparison[v]; !ok {
return fmt.Errorf("can't compare implementation-dependent values"), false
}
}
return nil, tlsVersionComparison[a] < tlsVersionComparison[b]
}
func ValidateTLSVersion(v TLSVersion) error {
if _, ok := tlsVersions[v]; !ok {
return fmt.Errorf("no matching TLS version found for %s", v.String())
}
return nil
}
// IANA cipher suite string constants as defined at
// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
// This is the total list of TLS 1.2-style cipher suites
// which are currently supported by either Envoy 1.21 or the Consul agent
// via Go, and may change as some older suites are removed in future
// Envoy releases and Consul drops support for older Envoy versions,
// and as supported cipher suites in the Go runtime change.
//
// The naming convention for cipher suites changed in TLS 1.3
// but constant values should still be globally unqiue.
//
// Handling validation on distinct sets of TLS 1.3 and TLS 1.2 TLSCipherSuite
// constants would be a future exercise if cipher suites for TLS 1.3 ever
// become configurable in BoringSSL, Envoy, or other implementation.
type TLSCipherSuite string
const (
// Cipher suites used by both Envoy and Consul agent
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
// Older cipher suites not supported for Consul agent TLS,
// will eventually be removed from Envoy defaults
TLS_RSA_WITH_AES_128_GCM_SHA256 = "TLS_RSA_WITH_AES_128_GCM_SHA256"
TLS_RSA_WITH_AES_128_CBC_SHA = "TLS_RSA_WITH_AES_128_CBC_SHA"
TLS_RSA_WITH_AES_256_GCM_SHA384 = "TLS_RSA_WITH_AES_256_GCM_SHA384"
TLS_RSA_WITH_AES_256_CBC_SHA = "TLS_RSA_WITH_AES_256_CBC_SHA"
)
var (
consulAgentTLSCipherSuites = map[TLSCipherSuite]struct{}{
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: {},
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: {},
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: {},
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: {},
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: {},
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: {},
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: {},
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: {},
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: {},
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: {},
}
envoyTLSCipherSuiteStrings = map[TLSCipherSuite]string{
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "ECDHE-ECDSA-AES128-GCM-SHA256",
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: "ECDHE-ECDSA-CHACHA20-POLY1305",
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "ECDHE-RSA-AES128-GCM-SHA256",
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: "ECDHE-RSA-CHACHA20-POLY1305",
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "ECDHE-ECDSA-AES128-SHA",
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "ECDHE-RSA-AES128-SHA",
TLS_RSA_WITH_AES_128_GCM_SHA256: "AES128-GCM-SHA256",
TLS_RSA_WITH_AES_128_CBC_SHA: "AES128-SHA",
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "ECDHE-ECDSA-AES256-GCM-SHA384",
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "ECDHE-RSA-AES256-GCM-SHA384",
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "ECDHE-ECDSA-AES256-SHA",
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "ECDHE-RSA-AES256-SHA",
TLS_RSA_WITH_AES_256_GCM_SHA384: "AES256-GCM-SHA384",
TLS_RSA_WITH_AES_256_CBC_SHA: "AES256-SHA",
}
)
func (c *TLSCipherSuite) String() string {
return string(*c)
}
func ValidateConsulAgentCipherSuites(cipherSuites []TLSCipherSuite) error {
var unmatched []string
for _, c := range cipherSuites {
if _, ok := consulAgentTLSCipherSuites[c]; !ok {
unmatched = append(unmatched, c.String())
}
}
if len(unmatched) > 0 {
return fmt.Errorf("no matching Consul Agent TLS cipher suite found for %s", strings.Join(unmatched, ","))
}
return nil
}
func ValidateEnvoyCipherSuites(cipherSuites []TLSCipherSuite) error {
var unmatched []string
for _, c := range cipherSuites {
if _, ok := envoyTLSCipherSuiteStrings[c]; !ok {
unmatched = append(unmatched, c.String())
}
}
if len(unmatched) > 0 {
return fmt.Errorf("no matching Envoy TLS cipher suite found for %s", strings.Join(unmatched, ","))
}
return nil
}
func MarshalEnvoyTLSCipherSuiteStrings(cipherSuites []TLSCipherSuite) []string {
cipherSuiteStrings := []string{}
for _, c := range cipherSuites {
if s, ok := envoyTLSCipherSuiteStrings[c]; ok {
cipherSuiteStrings = append(cipherSuiteStrings, s)
}
}
return cipherSuiteStrings
}