Restrict cipher suites for Desktop Access in FIPS mode

Makefile

@@ -115,14 +115,23 @@ ifeq ($(RDPCLIENT_SKIP_BUILD),0)
 ifneq ($(CHECK_RUST),)
 ifneq ($(CHECK_CARGO),)
 
-# Do not build RDP client on ARM or 386.
+is_fips_on_arm64 := no
+ifneq ("$(FIPS)","")
+ifeq ("$(ARCH)","arm64")
+is_fips_on_arm64 := yes
+endif
+endif
+
+# Do not build RDP client on 32-bit ARM or 386, or for FIPS builds on arm64.
 ifneq ("$(ARCH)","arm")
 ifneq ("$(ARCH)","386")
+ifneq ("$(is_fips_on_arm64)","yes")
 with_rdpclient := yes
 RDPCLIENT_MESSAGE := with-Windows-RDP-client
 RDPCLIENT_TAG := desktop_access_rdp
 endif
 endif
+endif
 
 endif
 endif

build.assets/Dockerfile-centos7-assets

@@ -22,17 +22,17 @@ RUN yum groupinstall -y 'Development Tools' && \
     yum update -y && \
     yum install -y centos-release-scl-rh && \
     yum install -y \
-        centos-release-scl \
-        cmake3 \
-        git \
-        scl-utils && \
+    centos-release-scl \
+    cmake3 \
+    git \
+    scl-utils && \
     yum clean all
 
 # As mentioned above, these packages are unsigned.
 RUN yum install --nogpgcheck -y \
-        ${DEVTOOLSET}-gcc \
-        ${DEVTOOLSET}-gcc-c++ \
-        ${DEVTOOLSET}-make && \
+    ${DEVTOOLSET}-gcc \
+    ${DEVTOOLSET}-gcc-c++ \
+    ${DEVTOOLSET}-make && \
     yum clean all
 
 ## NINJA-BUILD ###################################################################
@@ -43,13 +43,13 @@ FROM --platform=$BUILDPLATFORM centos-devtoolset AS ninja-build
 
 # Install additional required dependencies.
 RUN  yum install -y expat-devel \
-     gettext \
-     libcurl-devel \
-     openssl-devel \
-     pcre-devel \
-     xmlto \
-     zlib-devel \
-     && yum clean all
+    gettext \
+    libcurl-devel \
+    openssl-devel \
+    pcre-devel \
+    xmlto \
+    zlib-devel \
+    && yum clean all
 
 # mno-outline-atomics flag is needed to make the build works on ARM64 docker.
 RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
@@ -60,21 +60,18 @@ RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
 ENV PATH="/opt/cmake/bin:$PATH"
 
 RUN git clone --depth=1 https://github.com/ninja-build/ninja.git -b v1.11.1 && \
-        cd ninja && \
-        [ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
-        scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
+    cd ninja && \
+    [ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
+    scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
     cmake --build build-cmake -j"$(nproc)" && \
     cmake --build build-cmake --target  install"
 
 # Use just created devtool image with newer GCC and Cmake
-FROM --platform=$BUILDPLATFORM centos-devtoolset as clang14
+FROM --platform=$BUILDPLATFORM centos-devtoolset as clang12
 
 ARG DEVTOOLSET
 
-# Bring in our custom ninja build, needed for building clang.
-COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
-
-# Compile Clang 14.0.6 from source. It is needed to create BoringSSL and BPF files.
+# Compile Clang 12.0.0 from source. It is needed to create BoringSSL and BPF files.
 # CentOS 7 doesn't provide it as a package unfortunately.
 # This version of Clang is explicitly required for FIPS compliance when building BoringSSL.
 # For more information please refer to the section 12. Guidance and Secure Operation of:
@@ -83,18 +80,17 @@ COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
 # CLANG_BUILD_TOOLS must be on, it builds clang binary,
 # LLVM_BUILD_TOOLS must be on, it builds llvm-strip binary.
 # the rest is disabled to speedup the compilation.
-RUN git clone --branch llvmorg-14.0.6 --depth=1 https://github.com/llvm/llvm-project.git && \
+RUN git clone --branch llvmorg-12.0.0 --depth=1 https://github.com/llvm/llvm-project.git && \
     cd llvm-project/ && \
-    [ "$(git rev-parse HEAD)" = 'f28c006a5895fc0e329fe15fead81e37457cb1d1' ] && \
+    [ "$(git rev-parse HEAD)" = 'd28af7c654d8db0b68c175db5ce212d74fb5e9bc' ] && \
     mkdir build && cd build/ && \
     scl enable ${DEVTOOLSET} 'bash -c "cmake3 \
     -DCMAKE_BUILD_TYPE=Release \
     -DCMAKE_INSTALL_PREFIX=/opt/llvm \
-    -DLLVM_ENABLE_PROJECTS=\"clang;libcxx;libcxxabi\" \
-    -DLLVM_ENABLE_LIBCXX=ON \
-    -G \"Ninja\" ../llvm && \
-    cmake3 --build . && \
-    cmake3 -DCMAKE_INSTALL_PREFIX=/opt/llvm -P cmake_install.cmake"' && \
+    -DLLVM_ENABLE_PROJECTS=clang \
+    -DLLVM_BUILD_TOOLS=ON \
+    -G \"Unix Makefiles\" ../llvm && \
+    make -j$(grep -c processor /proc/cpuinfo) install-llvm-strip install-clang-format install-clang install-clang-resource-headers install-libclang"' && \
     cd ../.. && \
     rm -rf llvm-project
 
@@ -109,7 +105,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
     yumdownloader --source elfutils-libelf-devel-static && \
     yum-builddep -y elfutils-libelf-devel-static && \
     export DIST=$(rpm -qp --queryformat '%{RELEASE}' elfutils-*.src.rpm | cut -d '.' -f 2) && \
-    rpmbuild --nocheck --rebuild --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
+    rpmbuild --rebuild --nocheck --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
     if [ "${BUILDARCH}" = "arm64" ]; then export BUILDARCH="aarch64"; fi && \
     cp /root/rpmbuild/RPMS/${BUILDARCH}/elfutils-libelf-devel-static-*${DIST}.${BUILDARCH}.rpm /opt/custom-packages/
 
@@ -127,7 +123,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
 FROM scratch AS buildbox-centos7-assets
 
 # Copy Clang into the final image.
-COPY --from=clang14 /opt/llvm /opt/llvm/
+COPY --from=clang12 /opt/llvm /opt/llvm/
 
 # Copy ninja into the final image.
 COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja

common.mk

@@ -23,8 +23,8 @@ ifneq ("$(wildcard /usr/libbpf-${LIBBPF_VER}/include/bpf/bpf.h)","")
 with_bpf := yes
 BPF_TAG := bpf
 BPF_MESSAGE := with-BPF-support
-CLANG ?= $(shell which clang || which clang-14)
-LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-14)
+CLANG ?= $(shell which clang || which clang-12)
+LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-12)
 KERNEL_ARCH := $(shell uname -m | sed 's/x86_64/x86/g; s/aarch64/arm64/g')
 INCLUDES :=
 ER_BPF_BUILDDIR := lib/bpf/bytecode

docs/pages/access-controls/compliance-frameworks/fedramp.mdx

@@ -3,9 +3,9 @@ title: FedRAMP Compliance for Infrastructure Access
 description: How to configure SSH, Kubernetes, database, and web app access to be FedRAMP compliant, including support for FIPS 140-2.
 ---
 
-Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure. 
+Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure.
 This includes support for the Federal Information Processing Standard [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS\_140-2).
-This standard is the US government approved standard for cryptographic modules. This document explains how  
+This standard is the US government approved standard for cryptographic modules. This document explains how
 Teleport FIPS mode works and how it can help your company to become FedRAMP authorized.
 
 ## Obtain FedRAMP authorization with Teleport
@@ -14,7 +14,7 @@ Teleport includes FedRAMP and FIPS 140-2 features to support companies that sell
 government agencies.
 
 ### Access controls
-											
+
 |  Control | Teleport Features |
 | - | - |
 | [AC-02 Account Management]((=fedramp.control_url=)AC-02) | Audit events are emitted in the Auth Service when a user is created, updated, deleted, locked, or unlocked. |
@@ -62,7 +62,7 @@ government agencies.
 
 Teleport implements mTLS for all communications between user clients and Teleport servers with several exceptions listed below.
 
-Following successful authentication to SSO Identity Provider, Teleport issues the authenticated user x.509 client certificates signed by its own internal x.509 CA. Target Teleport services and clients require valid x.509 certificates and mTLS for all target SSH, K8s, database, and web application connections. 
+Following successful authentication to SSO Identity Provider, Teleport issues the authenticated user x.509 client certificates signed by its own internal x.509 CA. Target Teleport services and clients require valid x.509 certificates and mTLS for all target SSH, K8s, database, and web application connections.
 
 Inside the ATO boundary, mTLS is used for communication between the Teleport proxy and internal hosts running all protocols.
 
@@ -79,8 +79,8 @@ In FIPS builds, Teleport uses Go’s BoringCrypto-based networking stack for all
 
 For a detailed list of cryptographic algorithms used in FIPS mode please consult [Teleport FIPS documentation](#default-cryptographic-algorithms).
 
-You also can follow the [Installation instructions](../../installation.mdx#linux) for 
-Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for 
+You also can follow the [Installation instructions](../../installation.mdx#linux) for
+Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for
 your operating environment and package manager or from compressed archive (tarball).
 
 For example, you can download and install from the compressed archive by running the following commands:
@@ -102,9 +102,9 @@ $ cd teleport-ent
 $ sudo ./install
 ```
 
-After you download and install, all of the Teleport Enterprise binaries are 
+After you download and install, all of the Teleport Enterprise binaries are
 installed in the `/usr/local/bin` directory. You can verify you have FIPS-compliant
-binaries installed by running the `teleport version` command and verifying that 
+binaries installed by running the `teleport version` command and verifying that
 the `X:boringcrypto` library is listed. For example:
 
 ```code
@@ -113,7 +113,7 @@ Teleport Enterprise (= teleport.version =) (= teleport.git =) (= teleport.golang
 ```
 
 If your Teleport cluster runs on AWS, the cluster can run in US-East or US-West regions for services
-with low or moderate impact levels. For services with a high impact level, the cluster must run 
+with low or moderate impact levels. For services with a high impact level, the cluster must run
 in a GovCloud region to support FIPS.
 
 ## Configure the Teleport Auth Service
@@ -282,3 +282,11 @@ is emitted to the Audit Log.
 - All uses of non-compliant algorithms such as NaCl are removed and replaced with compliant algorithms such as AES-GCM.
 - Teleport is compiled with [BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
 - User, host, and CA certificates (and host keys for recording proxy mode) only use 2048-bit RSA private keys.
+
+## Remote desktop access
+
+Teleport uses Rust for RDP connections, and thus uses a fork of Cloudflare's [`boring`](https://github.com/gravitational/boring)
+library under the hood for FIPS-compliant TLS cryptography. The primary notable difference to the specifications listed above is that
+TLS is restricted to TLS 1.2 only (1.3 is not supported).
+
+Note that `arm64` FIPS builds do not support access to Windows desktops.

lib/srv/desktop/rdp/rdpclient/Cargo.toml

@@ -10,7 +10,7 @@ crate-type = ["staticlib"]
 
 [dependencies]
 bitflags = "2.5.0"
-boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
+boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
 byteorder = "1.5.0"
 bytes = "1.6.0"
 env_logger = "0.11.3"
@@ -35,7 +35,7 @@ rsa = "0.9.6"
 sspi = { git = "https://github.com/Devolutions/sspi-rs", rev="d54bdfcafa0e10d9d78224ebacc4f2a0992a6b79", features = ["network_client"] }
 static_init = "1.0.3"
 tokio = { version = "1.38", features = ["full"] }
-tokio-boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
+tokio-boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
 utf16string = "0.2.0"
 uuid = { version = "1.8.0", features = ["v4"] }
 

lib/srv/desktop/rdp/rdpclient/src/client.rs

@@ -70,7 +70,7 @@ use crate::rdpdr::scard::SCARD_DEVICE_ID;
 use crate::rdpdr::TeleportRdpdrBackend;
 use crate::ssl::TlsStream;
 #[cfg(feature = "fips")]
-use tokio_boring::{HandshakeError, SslStream};
+use tokio_boring::HandshakeError;
 
 const RDP_CONNECT_TIMEOUT: Duration = Duration::from_secs(5);
 

lib/srv/desktop/rdp/rdpclient/src/ssl.rs

@@ -48,6 +48,7 @@ pub(crate) async fn upgrade(
         use tokio::io::AsyncWriteExt;
         let mut builder = SslConnector::builder(SslMethod::tls_client())?;
         builder.set_verify(SslVerifyMode::NONE);
+        builder.set_fips_compliance_policy()?;
         let configuration = builder.build().configure()?;
         let mut tls_stream =
             tokio_boring::connect(configuration, server_name, initial_stream).await?;