Allow requiring use of a post-quantum-safe KEM (spiffe#5601)
* Allow configuration of mandatory PQ KEM: implementation * Allow configuration of mandatory PQ KEM: docs * Allow configuration of mandatory PQ KEM: tests --------- Signed-off-by: Hugo Landau <hl@messier42.com> Signed-off-by: Marcos Yacob <marcosyacob@gmail.com> Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>
Showing
28 changed files
with
267 additions
and
8 deletions.
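--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,49 @@
+// Package tlspolicy provides for configuration and enforcement of policies
+// relating to TLS.
+package tlspolicy
+
+import (
+"crypto/tls"
+
+"github.com/hashicorp/go-hclog"
+)
+
+// Policy describes policy options to be applied to a TLS configuration.
+//
+// A zero-initialised Policy provides reasonable defaults.
+type Policy struct {
+// RequirePQKEM determines if a post-quantum-safe KEM should be required for
+// TLS connections.
+RequirePQKEM bool
+}
+
+// Not exported by crypto/tls, so we define it here from the I-D.
+const x25519Kyber768Draft00 tls.CurveID = 0x6399
+
+// LogPolicy logs an informational message reporting the configured policy,
+// aiding administrators to determine what policy options have been
+// successfully enabled.
+func LogPolicy(policy Policy, logger hclog.Logger) {
+if policy.RequirePQKEM {
+logger.Debug("Experimental option 'require_pq_kem' is enabled; all TLS connections will require use of a post-quantum safe KEM")
+}
+}
+
+// ApplyPolicy applies the policy options in policy to a given tls.Config,
+// which is assumed to have already been obtained from the go-spiffe tlsconfig
+// package.
+func ApplyPolicy(config *tls.Config, policy Policy) error {
+if policy.RequirePQKEM {
+// List only known PQ-safe KEMs as valid curves.
+config.CurvePreferences = []tls.CurveID{
+x25519Kyber768Draft00,
+}
+
+// Require TLS 1.3, as all PQ-safe KEMs require it anyway.
+if config.MinVersion < tls.VersionTLS13 {
+config.MinVersion = tls.VersionTLS13
+}
+}
+
+return nil
+}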
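Review bot: The curve list in ApplyPolicy pins a single pre-standard codepoint, the locally defined `x25519Kyber768Draft00` (0x6399), so the "require PQ KEM" policy holds only while both the Go toolchain and every peer still implement that draft hybrid; Go 1.23 exports it as `tls.X25519Kyber768Draft00` and Go 1.24 replaced it with the standardized `tls.X25519MLKEM768` (0x11EC), after which a config built here names no group the library supports and handshakes fail rather than degrade. Consider taking the list from the crypto/tls exports (selected per Go version) with the standardized hybrid first, and replacing the "Not exported by crypto/tls" comment with one such as `// Order: standardized X25519MLKEM768 first; the draft codepoint is kept only for peers that have not migrated.`. Separately, LogPolicy's doc comment promises an "informational message" but the call is `logger.Debug(...)`, so at the default log level an administrator gets no sign that the experimental restriction is active; either switch to `logger.Info(...)` or correct the comment. ApplyPolicy also dereferences `config` with no nil check even though it has an error return it could use for that case.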