Merge pull request #1841 from vmware-tanzu/new_fips_compiler

Support new golang fips compiler

Dockerfile

@@ -3,7 +3,7 @@
 # Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-ARG BUILD_IMAGE=golang:1.21.5@sha256:672a2286da3ee7a854c3e0a56e0838918d0dbb1c18652992930293312de898a6
+ARG BUILD_IMAGE=golang:1.21.6@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e80504e0a9615f2
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:112a87f19e83c83711cc81ce8ed0b4d79acd65789682a6a272df57c4a0858534
 
 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform.

go.mod

@@ -53,7 +53,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
-	github.com/tdewolff/minify/v2 v2.20.12
+	github.com/tdewolff/minify/v2 v2.20.14
 	go.uber.org/zap v1.26.0
 	golang.org/x/crypto v0.18.0
 	golang.org/x/net v0.20.0
@@ -67,8 +67,8 @@ require (
 	k8s.io/apiserver v0.29.0
 	k8s.io/client-go v0.29.0
 	k8s.io/component-base v0.29.0
-	k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01
-	k8s.io/klog/v2 v2.110.1
+	k8s.io/gengo v0.0.0-20240110203215-22eea95d1e7a
+	k8s.io/klog/v2 v2.120.0
 	k8s.io/kube-aggregator v0.29.0
 	k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
@@ -151,7 +151,7 @@ require (
 	github.com/spf13/viper v1.16.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
-	github.com/tdewolff/parse/v2 v2.7.7 // indirect
+	github.com/tdewolff/parse/v2 v2.7.8 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.10 // indirect

go.sum

@@ -157,7 +157,6 @@ github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8V
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -553,10 +552,10 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdewolff/minify/v2 v2.20.12 h1:ie5+91QGUUeEDbLkexhx2tlI9BQgwwnfY+/Qdj4BlQ4=
-github.com/tdewolff/minify/v2 v2.20.12/go.mod h1:8ktdncc9Rh41MkTX2KYaicHT9+VnpvIDjCyIVsr/nN8=
-github.com/tdewolff/parse/v2 v2.7.7 h1:V+50eFDH7Piw4IBwH8D8FtYeYbZp3T4SCtIvmBSIMyc=
-github.com/tdewolff/parse/v2 v2.7.7/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
+github.com/tdewolff/minify/v2 v2.20.14 h1:sktSuVixRwk0ryQjqvKBu/uYS+MWmkwEFMEWtFZ+TdE=
+github.com/tdewolff/minify/v2 v2.20.14/go.mod h1:qnIJbnG2dSzk7LIa/UUwgN2OjS8ir6RRlqc0T/1q2xY=
+github.com/tdewolff/parse/v2 v2.7.8 h1:1cnVqa8L63xFkc2vfRsZTM6Qy35nJpTvQ2Uvdv3vbvs=
+github.com/tdewolff/parse/v2 v2.7.8/go.mod h1:3FbJWZp3XT9OWVN3Hmfp0p/a08v4h8J9W1aghka0soA=
 github.com/tdewolff/test v1.0.11-0.20231101010635-f1265d231d52/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE=
 github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739 h1:IkjBCtQOOjIn03u/dMQK9g+Iw9ewps4mCl1nB8Sscbo=
 github.com/tdewolff/test v1.0.11-0.20240106005702-7de5f7df4739/go.mod h1:XPuWBzvdUzhCuxWO1ojpXsyzsA5bFoS3tO/Q3kFuTG8=
@@ -1078,11 +1077,11 @@ k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
 k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
 k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
 k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
-k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks=
-k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/gengo v0.0.0-20240110203215-22eea95d1e7a h1:zCwpCC6Ghs+RstFfEJZ3arc7dLZ9z0tlmLHDXGCkINY=
+k8s.io/gengo v0.0.0-20240110203215-22eea95d1e7a/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8=
+k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.29.0 h1:KJ1zaZt74CgvgV3NR7tnURJ/mJOKC5X3nwon/WdwgxI=
 k8s.io/kms v0.29.0/go.mod h1:mB0f9HLxRXeXUfHfn1A7rpwOlzXI1gIWu86z6buNoYA=
 k8s.io/kube-aggregator v0.29.0 h1:N4fmtePxOZ+bwiK1RhVEztOU+gkoVkvterHgpwAuiTw=

hack/Dockerfile_fips

@@ -16,7 +16,7 @@
 # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
 # and https://kupczynski.info/posts/fips-golang/ for details.
 
-ARG BUILD_IMAGE=golang:1.21.5@sha256:672a2286da3ee7a854c3e0a56e0838918d0dbb1c18652992930293312de898a6
+ARG BUILD_IMAGE=golang:1.21.6@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e80504e0a9615f2
 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:112a87f19e83c83711cc81ce8ed0b4d79acd65789682a6a272df57c4a0858534
 
 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build

internal/crypto/ptls/fips_strict.go

@@ -1,9 +1,8 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
+// The configurations here override the usual ptls.Default and ptls.DefaultLDAP
 // configs when Pinniped is built in fips-only mode.
-// All of these are the same because FIPs is already so limited.
 //go:build fips_strict
 
 package ptls
@@ -15,16 +14,16 @@ import (
 	"path/filepath"
 	"runtime"
 
-	"k8s.io/apiserver/pkg/server/options"
-
 	// Cause fipsonly tls mode with this side effect import.
 	_ "go.pinniped.dev/internal/crypto/fips"
 	"go.pinniped.dev/internal/plog"
 )
 
-// Always use TLS 1.2 for FIPs
-const secureServingOptionsMinTLSVersion = "VersionTLS12"
-const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
+// goboring now also supports TLS 1.3 starting in Golang 1.21.6
+// (see https://github.com/golang/go/issues/64717),
+// so we can use TLS 1.3 as the minimum TLS version for our "secure" configuration
+// profile in both FIPS and non-FIPS compiled binaries.
+// Hence, we no longer redefine the Secure() function in this file.
 
 func init() {
 	switch filepath.Base(os.Args[0]) {
@@ -40,40 +39,32 @@ func init() {
 
 func Default(rootCAs *x509.CertPool) *tls.Config {
 	return &tls.Config{
-		// goboring requires TLS 1.2 and only TLS 1.2
-		MinVersion: SecureTLSConfigMinTLSVersion,
+		MinVersion: tls.VersionTLS12,
+		// goboring now also supports TLS 1.3 (see https://github.com/golang/go/issues/64717)
+		// so this default configuration can allow either 1.2 or 1.3
 		MaxVersion: SecureTLSConfigMinTLSVersion,
 
-		// enable HTTP2 for go's 1.7 HTTP Server
-		// setting this explicitly is only required in very specific circumstances
-		// it is simpler to just set it here than to try and determine if we need to
-		NextProtos: []string{"h2", "http/1.1"},
-
-		// optional root CAs, nil means use the host's root CA set
-		RootCAs: rootCAs,
-
-		// This is all of the fips-approved ciphers.
+		// This is all the fips-approved TLS 1.2 ciphers.
 		// The list is hard-coded for convenience of testing.
-		// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
+		// If this list does not match the boring crypto compiler's list then the TestFIPSCipherSuites integration
+		// test should fail, which indicates that this list needs to be updated.
 		CipherSuites: []uint16{
 			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 		},
-	}
-}
 
-func Secure(rootCAs *x509.CertPool) *tls.Config {
-	return Default(rootCAs)
+		// enable HTTP2 for go's 1.7 HTTP Server
+		// setting this explicitly is only required in very specific circumstances
+		// it is simpler to just set it here than to try and determine if we need to
+		NextProtos: []string{"h2", "http/1.1"},
+
+		// optional root CAs, nil means use the host's root CA set
+		RootCAs: rootCAs,
+	}
 }
 
 func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 	return Default(rootCAs)
 }
-
-func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	defaultServing(opts)
-}

internal/crypto/ptls/ptls_test.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package ptls
@@ -53,7 +53,7 @@ func TestMerge(t *testing.T) {
 		want          *tls.Config
 	}{
 		{
-			name:          "default no protos",
+			name:          "default without NextProtos",
 			tlsConfigFunc: Default,
 			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
 				ServerName: "something-to-check-passthrough",
@@ -73,7 +73,7 @@ func TestMerge(t *testing.T) {
 			},
 		},
 		{
-			name:          "default with protos",
+			name:          "default with NextProtos",
 			tlsConfigFunc: Default,
 			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
 				ServerName: "a different thing for passthrough",
@@ -94,42 +94,34 @@ func TestMerge(t *testing.T) {
 			},
 		},
 		{
-			name:          "secure no protos",
+			name:          "secure without NextProtos",
 			tlsConfigFunc: Secure,
 			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
 				ServerName: "something-to-check-passthrough",
 			},
 			want: &tls.Config{
-				ServerName: "something-to-check-passthrough",
-				MinVersion: tls.VersionTLS13,
-				CipherSuites: []uint16{
-					tls.TLS_AES_128_GCM_SHA256,
-					tls.TLS_AES_256_GCM_SHA384,
-					tls.TLS_CHACHA20_POLY1305_SHA256,
-				},
-				NextProtos: []string{"h2", "http/1.1"},
+				ServerName:   "something-to-check-passthrough",
+				MinVersion:   tls.VersionTLS13,
+				CipherSuites: nil,
+				NextProtos:   []string{"h2", "http/1.1"},
 			},
 		},
 		{
-			name:          "secure with protos",
+			name:          "secure with NextProtos",
 			tlsConfigFunc: Secure,
 			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
 				ServerName: "a different thing for passthrough",
 				NextProtos: []string{"panda"},
 			},
 			want: &tls.Config{
-				ServerName: "a different thing for passthrough",
-				MinVersion: tls.VersionTLS13,
-				CipherSuites: []uint16{
-					tls.TLS_AES_128_GCM_SHA256,
-					tls.TLS_AES_256_GCM_SHA384,
-					tls.TLS_CHACHA20_POLY1305_SHA256,
-				},
-				NextProtos: []string{"panda"},
+				ServerName:   "a different thing for passthrough",
+				MinVersion:   tls.VersionTLS13,
+				CipherSuites: nil,
+				NextProtos:   []string{"panda"},
 			},
 		},
 		{
-			name:          "default ldap no protos",
+			name:          "default ldap without NextProtos",
 			tlsConfigFunc: DefaultLDAP,
 			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
 				ServerName: "something-to-check-passthrough",
@@ -153,7 +145,7 @@ func TestMerge(t *testing.T) {
 			},
 		},
 		{
-			name:          "default ldap with protos",
+			name:          "default ldap with NextProtos",
 			tlsConfigFunc: DefaultLDAP,
 			tlsConfig: &tls.Config{
 				ServerName: "a different thing for passthrough",
@@ -178,7 +170,7 @@ func TestMerge(t *testing.T) {
 			},
 		},
 		{
-			name:          "legacy no protos",
+			name:          "legacy without NextProtos",
 			tlsConfigFunc: Legacy,
 			tlsConfig: &tls.Config{
 				ServerName: "something-to-check-passthrough",
@@ -209,7 +201,7 @@ func TestMerge(t *testing.T) {
 			},
 		},
 		{
-			name:          "legacy with protos",
+			name:          "legacy with NextProtos",
 			tlsConfigFunc: Legacy,
 			tlsConfig: &tls.Config{
 				ServerName: "a different thing for passthrough",

internal/crypto/ptls/secure.go

@@ -1,8 +1,6 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build !fips_strict
-
 package ptls
 
 import (
@@ -34,13 +32,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=modern&guideline=5.6
 	c := Default(rootCAs)
 	c.MinVersion = SecureTLSConfigMinTLSVersion // max out the security
-	c.CipherSuites = []uint16{
-		// TLS 1.3 ciphers are not configurable, but we need to explicitly set them here to make our client hello behave correctly
-		// See https://github.com/golang/go/pull/49293
-		tls.TLS_AES_128_GCM_SHA256,
-		tls.TLS_AES_256_GCM_SHA384,
-		tls.TLS_CHACHA20_POLY1305_SHA256,
-	}
+	c.CipherSuites = nil                        // TLS 1.3 ciphers are not configurable
 	return c
 }
 

internal/testutil/tlsserver/tls13_ciphers.go

@@ -0,0 +1,31 @@
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !fips_strict
+
+package tlsserver
+
+import "crypto/tls"
+
+// GetExpectedTLS13Ciphers returns the expected TLS 1.3 cipher for a non-FIPS build.
+func GetExpectedTLS13Ciphers() []uint16 {
+	// TLS 1.3 ciphers are not configurable, so we can hard-code them here.
+	return []uint16{
+		tls.TLS_AES_128_GCM_SHA256,
+		tls.TLS_AES_256_GCM_SHA384,
+		tls.TLS_CHACHA20_POLY1305_SHA256,
+	}
+}
+
+// GetExpectedTLS13CipherNMapKeyExchangeInfoValue returns the expected key exchange info value
+// which is shown by nmap in parenthesis next to the cipher name for a non-FIPS build.
+func GetExpectedTLS13CipherNMapKeyExchangeInfoValue(cipher uint16) string {
+	switch cipher {
+	case tls.TLS_AES_128_GCM_SHA256,
+		tls.TLS_AES_256_GCM_SHA384,
+		tls.TLS_CHACHA20_POLY1305_SHA256:
+		return "ecdh_x25519"
+	default:
+		return "unknown key exchange value"
+	}
+}

internal/testutil/tlsserver/tls13_ciphers_fips.go

@@ -0,0 +1,30 @@
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips_strict
+
+package tlsserver
+
+import "crypto/tls"
+
+// GetExpectedTLS13Ciphers returns the expected TLS 1.3 cipher for a FIPS build.
+func GetExpectedTLS13Ciphers() []uint16 {
+	// TLS 1.3 ciphers are not configurable, so we can hard-code them here.
+	return []uint16{
+		tls.TLS_AES_128_GCM_SHA256,
+		tls.TLS_AES_256_GCM_SHA384,
+		// tls.TLS_CHACHA20_POLY1305_SHA256 is not supported by boring crypto
+	}
+}
+
+// GetExpectedTLS13CipherNMapKeyExchangeInfoValue returns the expected key exchange info value
+// which is shown by nmap in parenthesis next to the cipher name for a FIPS build.
+func GetExpectedTLS13CipherNMapKeyExchangeInfoValue(cipher uint16) string {
+	switch cipher {
+	case tls.TLS_AES_128_GCM_SHA256,
+		tls.TLS_AES_256_GCM_SHA384:
+		return "secp256r1"
+	default:
+		return "unknown key exchange value"
+	}
+}