mirror of https://github.com/k3s-io/k3s
106 lines
3.9 KiB
Go
106 lines
3.9 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package flag
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
)
|
|
|
|
// ciphers maps strings into tls package cipher constants in
|
|
// https://golang.org/pkg/crypto/tls/#pkg-constants
|
|
var ciphers = map[string]uint16{
|
|
"TLS_RSA_WITH_RC4_128_SHA": tls.TLS_RSA_WITH_RC4_128_SHA,
|
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
"TLS_RSA_WITH_AES_128_CBC_SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
|
"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
"TLS_ECDHE_RSA_WITH_RC4_128_SHA": tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
|
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
}
|
|
|
|
func TLSCipherPossibleValues() []string {
|
|
cipherKeys := sets.NewString()
|
|
for key := range ciphers {
|
|
cipherKeys.Insert(key)
|
|
}
|
|
return cipherKeys.List()
|
|
}
|
|
|
|
func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
|
|
if len(cipherNames) == 0 {
|
|
return nil, nil
|
|
}
|
|
ciphersIntSlice := make([]uint16, 0)
|
|
for _, cipher := range cipherNames {
|
|
intValue, ok := ciphers[cipher]
|
|
if !ok {
|
|
return nil, fmt.Errorf("Cipher suite %s not supported or doesn't exist", cipher)
|
|
}
|
|
ciphersIntSlice = append(ciphersIntSlice, intValue)
|
|
}
|
|
return ciphersIntSlice, nil
|
|
}
|
|
|
|
var versions = map[string]uint16{
|
|
"VersionTLS10": tls.VersionTLS10,
|
|
"VersionTLS11": tls.VersionTLS11,
|
|
"VersionTLS12": tls.VersionTLS12,
|
|
}
|
|
|
|
func TLSPossibleVersions() []string {
|
|
versionsKeys := sets.NewString()
|
|
for key := range versions {
|
|
versionsKeys.Insert(key)
|
|
}
|
|
return versionsKeys.List()
|
|
}
|
|
|
|
func TLSVersion(versionName string) (uint16, error) {
|
|
if len(versionName) == 0 {
|
|
return DefaultTLSVersion(), nil
|
|
}
|
|
if version, ok := versions[versionName]; ok {
|
|
return version, nil
|
|
}
|
|
return 0, fmt.Errorf("unknown tls version %q", versionName)
|
|
}
|
|
|
|
func DefaultTLSVersion() uint16 {
|
|
// Can't use SSLv3 because of POODLE and BEAST
|
|
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
|
|
// Can't use TLSv1.1 because of RC4 cipher usage
|
|
return tls.VersionTLS12
|
|
}
|