| /* |
| Copyright 2017 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package flag |
| |
| import ( |
| "crypto/tls" |
| "fmt" |
| |
| "k8s.io/apimachinery/pkg/util/sets" |
| ) |
| |
// ciphers maps the cipher suite names accepted on the command line to the
// cipher suite constants exported by crypto/tls
// (https://golang.org/pkg/crypto/tls/#pkg-constants).
//
// The table includes RC4, 3DES and CBC-mode suites that are widely regarded
// as weak; nothing in this file rejects them, so the choice of which entries
// to expose to operators rests with the callers of TLSCipherSuites.
var ciphers = map[string]uint16{
	// RSA key exchange (no forward secrecy).
	"TLS_RSA_WITH_RC4_128_SHA":        tls.TLS_RSA_WITH_RC4_128_SHA,
	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":   tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	"TLS_RSA_WITH_AES_128_CBC_SHA":    tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	"TLS_RSA_WITH_AES_256_CBC_SHA":    tls.TLS_RSA_WITH_AES_256_CBC_SHA,
	"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,

	// ECDHE key exchange, ECDSA authentication.
	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,

	// ECDHE key exchange, RSA authentication.
	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":   tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}
| |
// TLSCipherPossibleValues returns every cipher suite name that
// TLSCipherSuites accepts, as a sorted string slice suitable for help text.
func TLSCipherPossibleValues() []string {
	names := make([]string, 0, len(ciphers))
	for name := range ciphers {
		names = append(names, name)
	}
	// sets.String.List sorts, giving a stable order regardless of map iteration.
	return sets.NewString(names...).List()
}
| |
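// TLSCipherSuites translates cipher suite names (see TLSCipherPossibleValues)
// into the crypto/tls constants a tls.Config expects, in the order given.
//
// An empty or nil cipherNames yields (nil, nil). NOTE(review): what nil means
// is decided by the caller; presumably tls.Config.CipherSuites is left unset
// so the tls package applies its own defaults — confirm at the call site.
//
// Names are matched exactly (case-sensitive) and duplicates are passed
// through unchanged. The first name missing from the ciphers table aborts
// the whole translation with a non-nil error and a nil slice.
func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
	if len(cipherNames) == 0 {
		return nil, nil
	}
	// Exactly one output entry per input name, so size the slice up front.
	suites := make([]uint16, 0, len(cipherNames))
	for _, name := range cipherNames {
		id, ok := ciphers[name]
		if !ok {
			// TODO(review): message starts with a capital letter, against Go
			// error-string convention; kept verbatim in case callers match it.
			return nil, fmt.Errorf("Cipher suite %s not supported or doesn't exist", name)
		}
		suites = append(suites, id)
	}
	return suites, nil
}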
| |
// versions maps the protocol version names accepted on the command line to
// the version constants exported by crypto/tls.
// NOTE(review): TLS 1.3 (tls.VersionTLS13, Go 1.12+) is not listed, so it
// cannot be selected by name through TLSVersion.
var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, // selectable, though DefaultTLSVersion explains why it is not the default
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
}
| |
// TLSPossibleVersions returns every protocol version name that TLSVersion
// accepts, as a sorted string slice suitable for help text.
func TLSPossibleVersions() []string {
	names := make([]string, 0, len(versions))
	for name := range versions {
		names = append(names, name)
	}
	// sets.String.List sorts, giving a stable order regardless of map iteration.
	return sets.NewString(names...).List()
}
| |
// TLSVersion resolves a protocol version name (see TLSPossibleVersions) to
// the corresponding crypto/tls constant.
//
// An empty versionName is not an error: it resolves to DefaultTLSVersion().
// Any other name that is not in the versions table returns 0 and an error
// quoting the offending name.
func TLSVersion(versionName string) (uint16, error) {
	if versionName == "" {
		return DefaultTLSVersion(), nil
	}
	version, ok := versions[versionName]
	if !ok {
		return 0, fmt.Errorf("unknown tls version %q", versionName)
	}
	return version, nil
}
| |
// DefaultTLSVersion is the protocol version TLSVersion falls back to when no
// version name is supplied. TLS 1.2 is the floor because, as the original
// comments note, SSLv3 and TLS 1.0 are exposed to POODLE and BEAST (the
// latter via CBC cipher suites) and TLS 1.1 still depends on RC4.
func DefaultTLSVersion() uint16 {
	const floor uint16 = tls.VersionTLS12
	return floor
}