Skip to content

Commit

Permalink
Restrict cipher suites for Desktop Access in FIPS mode (#42277)
Browse files Browse the repository at this point in the history
* Updates to the new boring fork's hash with FIPS enforcement.

This hash is on a branch and should be changed once that branch is merged.

It includes the `set_fips_compliance_policy` function which is used to
enforce FIPS-valid ciphers in the connection.

This commit also updates `Cargo.lock` generally by having called
`cargo update` before committing the changes.

* reverts previous changes such that we are again using clang 12.0.0 rather than 14.0.6

* Updates to latest boring hash

* removes rdp client for fips builds on arm64

* updates e to isaiah/enforce-fips head

* Updates boring ref

* Updates boring ref

* Update Makefile

Co-authored-by: Zac Bergquist <[email protected]>

* Adds note about desktop access fips to fedramp docs

* Updates boring hash to now-merged HEAD of the `teleport` branch

* update e to latest head

* try adding --nocheck to see if that fixes arm64 builds

* udates to latest HEAD

* latest e

* Update docs/pages/access-controls/compliance-frameworks/fedramp.mdx

Co-authored-by: Zac Bergquist <[email protected]>

* Update docs/pages/access-controls/compliance-frameworks/fedramp.mdx

Co-authored-by: Zac Bergquist <[email protected]>

* Update docs/pages/access-controls/compliance-frameworks/fedramp.mdx

Co-authored-by: Zac Bergquist <[email protected]>

* noteable --> notable

---------

Co-authored-by: Zac Bergquist <[email protected]>
  • Loading branch information
Isaiah Becker-Mayer and zmb3 authored Jun 18, 2024
1 parent 8410d1e commit d6fe42b
Show file tree
Hide file tree
Showing 8 changed files with 366 additions and 324 deletions.
584 changes: 306 additions & 278 deletions Cargo.lock

Large diffs are not rendered by default.

11 changes: 10 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -115,14 +115,23 @@ ifeq ($(RDPCLIENT_SKIP_BUILD),0)
ifneq ($(CHECK_RUST),)
ifneq ($(CHECK_CARGO),)

# Do not build RDP client on ARM or 386.
is_fips_on_arm64 := no
ifneq ("$(FIPS)","")
ifeq ("$(ARCH)","arm64")
is_fips_on_arm64 := yes
endif
endif

# Do not build RDP client on 32-bit ARM or 386, or for FIPS builds on arm64.
ifneq ("$(ARCH)","arm")
ifneq ("$(ARCH)","386")
ifneq ("$(is_fips_on_arm64)","yes")
with_rdpclient := yes
RDPCLIENT_MESSAGE := with-Windows-RDP-client
RDPCLIENT_TAG := desktop_access_rdp
endif
endif
endif

endif
endif
Expand Down
58 changes: 27 additions & 31 deletions build.assets/Dockerfile-centos7-assets
Original file line number Diff line number Diff line change
Expand Up @@ -22,17 +22,17 @@ RUN yum groupinstall -y 'Development Tools' && \
yum update -y && \
yum install -y centos-release-scl-rh && \
yum install -y \
centos-release-scl \
cmake3 \
git \
scl-utils && \
centos-release-scl \
cmake3 \
git \
scl-utils && \
yum clean all

# As mentioned above, these packages are unsigned.
RUN yum install --nogpgcheck -y \
${DEVTOOLSET}-gcc \
${DEVTOOLSET}-gcc-c++ \
${DEVTOOLSET}-make && \
${DEVTOOLSET}-gcc \
${DEVTOOLSET}-gcc-c++ \
${DEVTOOLSET}-make && \
yum clean all

## NINJA-BUILD ###################################################################
Expand All @@ -43,13 +43,13 @@ FROM --platform=$BUILDPLATFORM centos-devtoolset AS ninja-build

# Install additional required dependencies.
RUN yum install -y expat-devel \
gettext \
libcurl-devel \
openssl-devel \
pcre-devel \
xmlto \
zlib-devel \
&& yum clean all
gettext \
libcurl-devel \
openssl-devel \
pcre-devel \
xmlto \
zlib-devel \
&& yum clean all

# mno-outline-atomics flag is needed to make the build works on ARM64 docker.
RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
Expand All @@ -60,21 +60,18 @@ RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
ENV PATH="/opt/cmake/bin:$PATH"

RUN git clone --depth=1 https://github.com/ninja-build/ninja.git -b v1.11.1 && \
cd ninja && \
[ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
cd ninja && \
[ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
cmake --build build-cmake -j"$(nproc)" && \
cmake --build build-cmake --target install"

# Use just created devtool image with newer GCC and Cmake
FROM --platform=$BUILDPLATFORM centos-devtoolset as clang14
FROM --platform=$BUILDPLATFORM centos-devtoolset as clang12

ARG DEVTOOLSET

# Bring in our custom ninja build, needed for building clang.
COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja

# Compile Clang 14.0.6 from source. It is needed to create BoringSSL and BPF files.
# Compile Clang 12.0.0 from source. It is needed to create BoringSSL and BPF files.
# CentOS 7 doesn't provide it as a package unfortunately.
# This version of Clang is explicitly required for FIPS compliance when building BoringSSL.
# For more information please refer to the section 12. Guidance and Secure Operation of:
Expand All @@ -83,18 +80,17 @@ COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
# CLANG_BUILD_TOOLS must be on, it builds clang binary,
# LLVM_BUILD_TOOLS must be on, it builds llvm-strip binary.
# the rest is disabled to speedup the compilation.
RUN git clone --branch llvmorg-14.0.6 --depth=1 https://github.com/llvm/llvm-project.git && \
RUN git clone --branch llvmorg-12.0.0 --depth=1 https://github.com/llvm/llvm-project.git && \
cd llvm-project/ && \
[ "$(git rev-parse HEAD)" = 'f28c006a5895fc0e329fe15fead81e37457cb1d1' ] && \
[ "$(git rev-parse HEAD)" = 'd28af7c654d8db0b68c175db5ce212d74fb5e9bc' ] && \
mkdir build && cd build/ && \
scl enable ${DEVTOOLSET} 'bash -c "cmake3 \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=/opt/llvm \
-DLLVM_ENABLE_PROJECTS=\"clang;libcxx;libcxxabi\" \
-DLLVM_ENABLE_LIBCXX=ON \
-G \"Ninja\" ../llvm && \
cmake3 --build . && \
cmake3 -DCMAKE_INSTALL_PREFIX=/opt/llvm -P cmake_install.cmake"' && \
-DLLVM_ENABLE_PROJECTS=clang \
-DLLVM_BUILD_TOOLS=ON \
-G \"Unix Makefiles\" ../llvm && \
make -j$(grep -c processor /proc/cpuinfo) install-llvm-strip install-clang-format install-clang install-clang-resource-headers install-libclang"' && \
cd ../.. && \
rm -rf llvm-project

Expand All @@ -109,7 +105,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
yumdownloader --source elfutils-libelf-devel-static && \
yum-builddep -y elfutils-libelf-devel-static && \
export DIST=$(rpm -qp --queryformat '%{RELEASE}' elfutils-*.src.rpm | cut -d '.' -f 2) && \
rpmbuild --nocheck --rebuild --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
rpmbuild --rebuild --nocheck --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
if [ "${BUILDARCH}" = "arm64" ]; then export BUILDARCH="aarch64"; fi && \
cp /root/rpmbuild/RPMS/${BUILDARCH}/elfutils-libelf-devel-static-*${DIST}.${BUILDARCH}.rpm /opt/custom-packages/

Expand All @@ -127,7 +123,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
FROM scratch AS buildbox-centos7-assets

# Copy Clang into the final image.
COPY --from=clang14 /opt/llvm /opt/llvm/
COPY --from=clang12 /opt/llvm /opt/llvm/

# Copy ninja into the final image.
COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
Expand Down
4 changes: 2 additions & 2 deletions common.mk
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,8 @@ ifneq ("$(wildcard /usr/libbpf-${LIBBPF_VER}/include/bpf/bpf.h)","")
with_bpf := yes
BPF_TAG := bpf
BPF_MESSAGE := with-BPF-support
CLANG ?= $(shell which clang || which clang-14)
LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-14)
CLANG ?= $(shell which clang || which clang-12)
LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-12)
KERNEL_ARCH := $(shell uname -m | sed 's/x86_64/x86/g; s/aarch64/arm64/g')
INCLUDES :=
ER_BPF_BUILDDIR := lib/bpf/bytecode
Expand Down
26 changes: 17 additions & 9 deletions docs/pages/access-controls/compliance-frameworks/fedramp.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ title: FedRAMP Compliance for Infrastructure Access
description: How to configure SSH, Kubernetes, database, and web app access to be FedRAMP compliant, including support for FIPS 140-2.
---

Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure.
Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure.
This includes support for the Federal Information Processing Standard [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS\_140-2).
This standard is the US government approved standard for cryptographic modules. This document explains how
This standard is the US government approved standard for cryptographic modules. This document explains how
Teleport FIPS mode works and how it can help your company to become FedRAMP authorized.

## Obtain FedRAMP authorization with Teleport
Expand All @@ -14,7 +14,7 @@ Teleport includes FedRAMP and FIPS 140-2 features to support companies that sell
government agencies.

### Access controls

| Control | Teleport Features |
| - | - |
| [AC-02 Account Management]((=fedramp.control_url=)AC-02) | Audit events are emitted in the Auth Service when a user is created, updated, deleted, locked, or unlocked. |
Expand Down Expand Up @@ -62,7 +62,7 @@ government agencies.

Teleport implements mTLS for all communications between user clients and Teleport servers with several exceptions listed below.

Following successful authentication to SSO Identity Provider, Teleport issues the authenticated user x.509 client certificates signed by its own internal x.509 CA. Target Teleport services and clients require valid x.509 certificates and mTLS for all target SSH, K8s, database, and web application connections.
Following successful authentication to SSO Identity Provider, Teleport issues the authenticated user x.509 client certificates signed by its own internal x.509 CA. Target Teleport services and clients require valid x.509 certificates and mTLS for all target SSH, K8s, database, and web application connections.

Inside the ATO boundary, mTLS is used for communication between the Teleport proxy and internal hosts running all protocols.

Expand All @@ -79,8 +79,8 @@ In FIPS builds, Teleport uses Go’s BoringCrypto-based networking stack for all

For a detailed list of cryptographic algorithms used in FIPS mode please consult [Teleport FIPS documentation](#default-cryptographic-algorithms).

You also can follow the [Installation instructions](../../installation.mdx#linux) for
Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for
You also can follow the [Installation instructions](../../installation.mdx#linux) for
Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for
your operating environment and package manager or from compressed archive (tarball).

For example, you can download and install from the compressed archive by running the following commands:
Expand All @@ -102,9 +102,9 @@ $ cd teleport-ent
$ sudo ./install
```

After you download and install, all of the Teleport Enterprise binaries are
After you download and install, all of the Teleport Enterprise binaries are
installed in the `/usr/local/bin` directory. You can verify you have FIPS-compliant
binaries installed by running the `teleport version` command and verifying that
binaries installed by running the `teleport version` command and verifying that
the `X:boringcrypto` library is listed. For example:

```code
Expand All @@ -113,7 +113,7 @@ Teleport Enterprise (= teleport.version =) (= teleport.git =) (= teleport.golang
```

If your Teleport cluster runs on AWS, the cluster can run in US-East or US-West regions for services
with low or moderate impact levels. For services with a high impact level, the cluster must run
with low or moderate impact levels. For services with a high impact level, the cluster must run
in a GovCloud region to support FIPS.

## Configure the Teleport Auth Service
Expand Down Expand Up @@ -282,3 +282,11 @@ is emitted to the Audit Log.
- All uses of non-compliant algorithms such as NaCl are removed and replaced with compliant algorithms such as AES-GCM.
- Teleport is compiled with [BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
- User, host, and CA certificates (and host keys for recording proxy mode) only use 2048-bit RSA private keys.

## Remote desktop access

Teleport uses Rust for RDP connections, and thus uses a fork of Cloudflare's [`boring`](https://github.com/gravitational/boring)
library under the hood for FIPS-compliant TLS cryptography. The primary notable difference to the specifications listed above is that
TLS is restricted to TLS 1.2 only (1.3 is not supported).

Note that `arm64` FIPS builds do not support access to Windows desktops.
4 changes: 2 additions & 2 deletions lib/srv/desktop/rdp/rdpclient/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ crate-type = ["staticlib"]

[dependencies]
bitflags = "2.5.0"
boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
byteorder = "1.5.0"
bytes = "1.6.0"
env_logger = "0.11.3"
Expand All @@ -35,7 +35,7 @@ rsa = "0.9.6"
sspi = { git = "https://github.com/Devolutions/sspi-rs", rev="d54bdfcafa0e10d9d78224ebacc4f2a0992a6b79", features = ["network_client"] }
static_init = "1.0.3"
tokio = { version = "1.38", features = ["full"] }
tokio-boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
tokio-boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
utf16string = "0.2.0"
uuid = { version = "1.8.0", features = ["v4"] }

Expand Down
2 changes: 1 addition & 1 deletion lib/srv/desktop/rdp/rdpclient/src/client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ use crate::rdpdr::scard::SCARD_DEVICE_ID;
use crate::rdpdr::TeleportRdpdrBackend;
use crate::ssl::TlsStream;
#[cfg(feature = "fips")]
use tokio_boring::{HandshakeError, SslStream};
use tokio_boring::HandshakeError;

const RDP_CONNECT_TIMEOUT: Duration = Duration::from_secs(5);

Expand Down
1 change: 1 addition & 0 deletions lib/srv/desktop/rdp/rdpclient/src/ssl.rs
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ pub(crate) async fn upgrade(
use tokio::io::AsyncWriteExt;
let mut builder = SslConnector::builder(SslMethod::tls_client())?;
builder.set_verify(SslVerifyMode::NONE);
builder.set_fips_compliance_policy()?;
let configuration = builder.build().configure()?;
let mut tls_stream =
tokio_boring::connect(configuration, server_name, initial_stream).await?;
Expand Down

0 comments on commit d6fe42b

Please sign in to comment.