
Parse equal-preference cipher groups #6461

Merged
merged 1 commit into from
May 24, 2024

Conversation

tsaarni

@tsaarni tsaarni commented May 23, 2024

This change corrects the parsing of cipher configuration by adding support for equal-preference cipher groups [cipher1|cipher2|...]:

  • The ValidTLSCiphers list now contains only individual cipher names, not groups.
  • When configuring a group, the group is split into individual ciphers before comparing against cipher names in valid TLS cipher list.
  • User is now able to configure ciphers ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 individually, whereas previously they were only accepted as part of the hardcoded groups.
  • User can now define their own equal-preference ciphers groups.

Fixes #6380

Background:

Prior to this change, the list of valid TLS ciphers had hardcoded ciphers in bracketed format:

"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]": {},
"[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]": {},

This is simply a copy from Envoy documentation (link) but on further inspection Boringssl doc (link) says:

An equal-preference is specified with square brackets, combining multiple selectors separated by |. For example:
[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]

We should not use the hardcoded groups when validating the user's cipher configuration; instead, we should parse the groups into individual cipher names and validate them.
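As an added example (not the PR's own code), the parsing rule described above written out as a small validator: each spec is expanded into individual cipher names before the allowlist check, and malformed groups (unterminated, nested, or with an empty member) are rejected instead of being passed through. The allowlist and function names are hypothetical stand-ins for Contour's ValidTLSCiphers.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed allowlist standing in for Contour's ValidTLSCiphers (individual names only).
var validCiphers = map[string]struct{}{
	"ECDHE-ECDSA-AES128-GCM-SHA256": {}, "ECDHE-ECDSA-CHACHA20-POLY1305": {},
	"ECDHE-RSA-AES128-GCM-SHA256": {}, "ECDHE-RSA-CHACHA20-POLY1305": {},
}

// ExpandCipherSpec returns the individual cipher names in one spec: a bare name
// yields itself, an equal-preference group "[a|b|c]" yields a, b and c.
func ExpandCipherSpec(spec string) ([]string, error) {
	if !strings.HasPrefix(spec, "[") {
		if strings.ContainsAny(spec, "[]|") {
			return nil, fmt.Errorf("malformed cipher spec %q", spec)
		}
		return []string{spec}, nil
	}
	if !strings.HasSuffix(spec, "]") {
		return nil, fmt.Errorf("unterminated equal-preference group %q", spec)
	}
	names := strings.Split(spec[1:len(spec)-1], "|")
	for _, c := range names {
		if c == "" || strings.ContainsAny(c, "[]") {
			return nil, fmt.Errorf("bad cipher name %q in group %q", c, spec)
		}
	}
	return names, nil
}

// ValidateCipherList checks each spec, group members included, against the allowlist.
func ValidateCipherList(specs []string) error {
	for _, spec := range specs {
		names, err := ExpandCipherSpec(spec)
		if err != nil {
			return err
		}
		for _, n := range names {
			if _, ok := validCiphers[n]; !ok {
				return fmt.Errorf("invalid cipher %q in %q", n, spec)
			}
		}
	}
	return nil
}
func main() {
	fmt.Println(ValidateCipherList([]string{"[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"}))
}
```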

@tsaarni tsaarni requested a review from a team as a code owner May 23, 2024 10:18
@tsaarni tsaarni requested review from skriss and sunjayBhatia and removed request for a team May 23, 2024 10:18
@sunjayBhatia sunjayBhatia requested review from a team, davinci26 and clayton-gonsalves and removed request for a team May 23, 2024 10:19
@tsaarni tsaarni added the release-note/small A small change that needs one line of explanation in the release notes. label May 23, 2024
codecov bot commented May 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.63%. Comparing base (0796cd9) to head (8cf36b2).

@@           Coverage Diff           @@
##             main    #6461   +/-   ##
=======================================
  Coverage   81.63%   81.63%           
=======================================
  Files         133      133           
  Lines       15869    15869           
=======================================
  Hits        12955    12955           
  Misses       2620     2620           
  Partials      294      294           

@skriss skriss left a comment

LGTM, thanks @tsaarni

func isValidTLSCipher(cipherSpec string) bool {
	// Equal-preference group: [cipher1|cipher2|...]
	if strings.HasPrefix(cipherSpec, "[") && strings.HasSuffix(cipherSpec, "]") {
		for _, cipher := range strings.Split(cipherSpec[1:len(cipherSpec)-1], "|") {
nit: could use strings.Trim instead of the slice indexing here just to be safe: https://pkg.go.dev/strings#Trim

@sunjayBhatia sunjayBhatia left a comment

could add a couple negative tests for the new parsing logic otherwise just one nit and lgtm, nice fix!


tsaarni commented May 24, 2024

could add a couple negative tests for the new parsing logic otherwise just one nit and lgtm, nice fix!

Fixed!

Suddenly codespell started to complain about unchanged files, although I thought the codespell version in actions was fixed 😲 Anyway, I fixed the complaints.

@sunjayBhatia sunjayBhatia merged commit bfffa94 into projectcontour:main May 24, 2024
26 checks passed
SamMHD pushed a commit to SamMHD/contour that referenced this pull request Sep 8, 2024
Signed-off-by: Tero Saarni <[email protected]>
Signed-off-by: Saman Mahdanian <[email protected]>
Successfully merging this pull request may close these issues.

Cipher configuration issue