...

Source file src/k8s.io/component-base/cli/flag/ciphersuites_flag.go

Documentation: k8s.io/component-base/cli/flag 

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package flag
    18  
    19  import (
    20  	"crypto/tls"
    21  	"fmt"
    22  
    23  	"k8s.io/apimachinery/pkg/util/sets"
    24  )
    25  
    26  var (
    27  	// ciphers maps strings into tls package cipher constants in
    28  	// https://golang.org/pkg/crypto/tls/#pkg-constants
    29  	ciphers         = map[string]uint16{}
    30  	insecureCiphers = map[string]uint16{}
    31  )
    32  
    33  func init() {
    34  	for _, suite := range tls.CipherSuites() {
    35  		ciphers[suite.Name] = suite.ID
    36  	}
    37  	// keep legacy names for backward compatibility
    38  	ciphers["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"] = tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    39  	ciphers["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"] = tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    40  
    41  	for _, suite := range tls.InsecureCipherSuites() {
    42  		insecureCiphers[suite.Name] = suite.ID
    43  	}
    44  }
    45  
    46  // InsecureTLSCiphers returns the cipher suites implemented by crypto/tls which have
    47  // security issues.
    48  func InsecureTLSCiphers() map[string]uint16 {
    49  	cipherKeys := make(map[string]uint16, len(insecureCiphers))
    50  	for k, v := range insecureCiphers {
    51  		cipherKeys[k] = v
    52  	}
    53  	return cipherKeys
    54  }
    55  
    56  // InsecureTLSCipherNames returns a list of cipher suite names implemented by crypto/tls
    57  // which have security issues.
    58  func InsecureTLSCipherNames() []string {
    59  	cipherKeys := sets.NewString()
    60  	for key := range insecureCiphers {
    61  		cipherKeys.Insert(key)
    62  	}
    63  	return cipherKeys.List()
    64  }
    65  
    66  // PreferredTLSCipherNames returns a list of cipher suite names implemented by crypto/tls.
    67  func PreferredTLSCipherNames() []string {
    68  	cipherKeys := sets.NewString()
    69  	for key := range ciphers {
    70  		cipherKeys.Insert(key)
    71  	}
    72  	return cipherKeys.List()
    73  }
    74  
    75  func allCiphers() map[string]uint16 {
    76  	acceptedCiphers := make(map[string]uint16, len(ciphers)+len(insecureCiphers))
    77  	for k, v := range ciphers {
    78  		acceptedCiphers[k] = v
    79  	}
    80  	for k, v := range insecureCiphers {
    81  		acceptedCiphers[k] = v
    82  	}
    83  	return acceptedCiphers
    84  }
    85  
    86  // TLSCipherPossibleValues returns all acceptable cipher suite names.
    87  // This is a combination of both InsecureTLSCipherNames() and PreferredTLSCipherNames().
    88  func TLSCipherPossibleValues() []string {
    89  	cipherKeys := sets.NewString()
    90  	acceptedCiphers := allCiphers()
    91  	for key := range acceptedCiphers {
    92  		cipherKeys.Insert(key)
    93  	}
    94  	return cipherKeys.List()
    95  }
    96  
    97  // TLSCipherSuites returns a list of cipher suite IDs from the cipher suite names passed.
    98  func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
    99  	if len(cipherNames) == 0 {
   100  		return nil, nil
   101  	}
   102  	ciphersIntSlice := make([]uint16, 0)
   103  	possibleCiphers := allCiphers()
   104  	for _, cipher := range cipherNames {
   105  		intValue, ok := possibleCiphers[cipher]
   106  		if !ok {
   107  			return nil, fmt.Errorf("Cipher suite %s not supported or doesn't exist", cipher)
   108  		}
   109  		ciphersIntSlice = append(ciphersIntSlice, intValue)
   110  	}
   111  	return ciphersIntSlice, nil
   112  }
   113  
   114  var versions = map[string]uint16{
   115  	"VersionTLS10": tls.VersionTLS10,
   116  	"VersionTLS11": tls.VersionTLS11,
   117  	"VersionTLS12": tls.VersionTLS12,
   118  	"VersionTLS13": tls.VersionTLS13,
   119  }
   120  
   121  // TLSPossibleVersions returns all acceptable values for TLS Version.
   122  func TLSPossibleVersions() []string {
   123  	versionsKeys := sets.NewString()
   124  	for key := range versions {
   125  		versionsKeys.Insert(key)
   126  	}
   127  	return versionsKeys.List()
   128  }
   129  
   130  // TLSVersion returns the TLS Version ID for the version name passed.
   131  func TLSVersion(versionName string) (uint16, error) {
   132  	if len(versionName) == 0 {
   133  		return DefaultTLSVersion(), nil
   134  	}
   135  	if version, ok := versions[versionName]; ok {
   136  		return version, nil
   137  	}
   138  	return 0, fmt.Errorf("unknown tls version %q", versionName)
   139  }
   140  
   141  // DefaultTLSVersion defines the default TLS Version.
   142  func DefaultTLSVersion() uint16 {
   143  	// Can't use SSLv3 because of POODLE and BEAST
   144  	// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
   145  	// Can't use TLSv1.1 because of RC4 cipher usage
   146  	return tls.VersionTLS12
   147  }
   148  

View as plain text