Restrict cipher suites for Desktop Access in FIPS mode #42277

Merged
merged 23 commits into from
Jun 18, 2024
Merged
584 changes: 306 additions & 278 deletions Cargo.lock


11 changes: 10 additions & 1 deletion Makefile
Expand Up @@ -115,14 +115,23 @@ ifeq ($(RDPCLIENT_SKIP_BUILD),0)
ifneq ($(CHECK_RUST),)
ifneq ($(CHECK_CARGO),)

# Do not build RDP client on ARM or 386.
is_fips_on_arm64 := no
ifneq ("$(FIPS)","")
ifeq ("$(ARCH)","arm64")
is_fips_on_arm64 := yes
endif
endif

# Do not build RDP client on 32-bit ARM or 386, or for FIPS builds on arm64.
ifneq ("$(ARCH)","arm")
ifneq ("$(ARCH)","386")
ifneq ("$(is_fips_on_arm64)","yes")
with_rdpclient := yes
RDPCLIENT_MESSAGE := with-Windows-RDP-client
RDPCLIENT_TAG := desktop_access_rdp
endif
endif
endif

endif
endif
58 changes: 27 additions & 31 deletions build.assets/Dockerfile-centos7-assets
Expand Up @@ -22,17 +22,17 @@ RUN yum groupinstall -y 'Development Tools' && \
yum update -y && \
yum install -y centos-release-scl-rh && \
yum install -y \
centos-release-scl \
cmake3 \
git \
scl-utils && \
centos-release-scl \
cmake3 \
git \
scl-utils && \
yum clean all

# As mentioned above, these packages are unsigned.
RUN yum install --nogpgcheck -y \
${DEVTOOLSET}-gcc \
${DEVTOOLSET}-gcc-c++ \
${DEVTOOLSET}-make && \
${DEVTOOLSET}-gcc \
${DEVTOOLSET}-gcc-c++ \
${DEVTOOLSET}-make && \
yum clean all

## NINJA-BUILD ###################################################################
Expand All @@ -43,13 +43,13 @@ FROM --platform=$BUILDPLATFORM centos-devtoolset AS ninja-build

# Install additional required dependencies.
RUN yum install -y expat-devel \
gettext \
libcurl-devel \
openssl-devel \
pcre-devel \
xmlto \
zlib-devel \
&& yum clean all
gettext \
libcurl-devel \
openssl-devel \
pcre-devel \
xmlto \
zlib-devel \
&& yum clean all

# mno-outline-atomics flag is needed to make the build works on ARM64 docker.
RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
Expand All @@ -60,21 +60,18 @@ RUN git clone --depth=1 https://github.com/Kitware/CMake.git -b v3.28.1 && \
ENV PATH="/opt/cmake/bin:$PATH"

RUN git clone --depth=1 https://github.com/ninja-build/ninja.git -b v1.11.1 && \
cd ninja && \
[ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
cd ninja && \
[ "$(git rev-parse HEAD)" = 'a524bf3f6bacd1b4ad85d719eed2737d8562f27a' ] && \
scl enable ${DEVTOOLSET} "cmake -Bbuild-cmake && \
cmake --build build-cmake -j"$(nproc)" && \
cmake --build build-cmake --target install"

# Use just created devtool image with newer GCC and Cmake
FROM --platform=$BUILDPLATFORM centos-devtoolset as clang14
FROM --platform=$BUILDPLATFORM centos-devtoolset as clang12

ARG DEVTOOLSET

# Bring in our custom ninja build, needed for building clang.
COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja

# Compile Clang 14.0.6 from source. It is needed to create BoringSSL and BPF files.
# Compile Clang 12.0.0 from source. It is needed to create BoringSSL and BPF files.
# CentOS 7 doesn't provide it as a package unfortunately.
# This version of Clang is explicitly required for FIPS compliance when building BoringSSL.
# For more information please refer to the section 12. Guidance and Secure Operation of:
Expand All @@ -83,18 +80,17 @@ COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
# CLANG_BUILD_TOOLS must be on, it builds clang binary,
# LLVM_BUILD_TOOLS must be on, it builds llvm-strip binary.
# the rest is disabled to speedup the compilation.
RUN git clone --branch llvmorg-14.0.6 --depth=1 https://github.com/llvm/llvm-project.git && \
RUN git clone --branch llvmorg-12.0.0 --depth=1 https://github.com/llvm/llvm-project.git && \
cd llvm-project/ && \
[ "$(git rev-parse HEAD)" = 'f28c006a5895fc0e329fe15fead81e37457cb1d1' ] && \
[ "$(git rev-parse HEAD)" = 'd28af7c654d8db0b68c175db5ce212d74fb5e9bc' ] && \
mkdir build && cd build/ && \
scl enable ${DEVTOOLSET} 'bash -c "cmake3 \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=/opt/llvm \
-DLLVM_ENABLE_PROJECTS=\"clang;libcxx;libcxxabi\" \
-DLLVM_ENABLE_LIBCXX=ON \
-G \"Ninja\" ../llvm && \
cmake3 --build . && \
cmake3 -DCMAKE_INSTALL_PREFIX=/opt/llvm -P cmake_install.cmake"' && \
-DLLVM_ENABLE_PROJECTS=clang \
-DLLVM_BUILD_TOOLS=ON \
-G \"Unix Makefiles\" ../llvm && \
make -j$(grep -c processor /proc/cpuinfo) install-llvm-strip install-clang-format install-clang install-clang-resource-headers install-libclang"' && \
cd ../.. && \
rm -rf llvm-project

Expand All @@ -109,7 +105,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
yumdownloader --source elfutils-libelf-devel-static && \
yum-builddep -y elfutils-libelf-devel-static && \
export DIST=$(rpm -qp --queryformat '%{RELEASE}' elfutils-*.src.rpm | cut -d '.' -f 2) && \
rpmbuild --rebuild --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
rpmbuild --rebuild --nocheck --define "optflags `rpm -E %{optflags}` -fPIC" --define "dist .${DIST}" elfutils-*.src.rpm && \
if [ "${BUILDARCH}" = "arm64" ]; then export BUILDARCH="aarch64"; fi && \
cp /root/rpmbuild/RPMS/${BUILDARCH}/elfutils-libelf-devel-static-*${DIST}.${BUILDARCH}.rpm /opt/custom-packages/

Expand All @@ -127,7 +123,7 @@ RUN mkdir -p /opt/custom-packages && cd /opt && \
FROM scratch AS buildbox-centos7-assets

# Copy Clang into the final image.
COPY --from=clang14 /opt/llvm /opt/llvm/
COPY --from=clang12 /opt/llvm /opt/llvm/

# Copy ninja into the final image.
COPY --from=ninja-build /usr/local/bin/ninja /usr/local/bin/ninja
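Review bot: The `--nocheck` flag added to `rpmbuild --rebuild` in the elfutils hunk (the step that begins with `yumdownloader --source elfutils-libelf-devel-static`) disables the package's `%check` test stage with no comment saying why, so a later maintainer cannot tell whether the tests fail in this build environment or were skipped purely to save time. Suggest recording the reason above the `RUN`, e.g. `# --nocheck: skip the elfutils %check stage (<reason here>)`, with the real reason filled in. The clang hunk is in good shape on the supply-chain side: the `llvmorg-12.0.0` clone is verified with a `git rev-parse HEAD` equality check against a pinned commit, and the comment ties the exact Clang version to the BoringSSL FIPS guidance, which is what keeps this toolchain reproducible. The `RUN` command that receives `--nocheck` starts before the hunk, at `RUN mkdir -p /opt/custom-packages`.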
4 changes: 2 additions & 2 deletions common.mk
Expand Up @@ -23,8 +23,8 @@ ifneq ("$(wildcard /usr/libbpf-${LIBBPF_VER}/include/bpf/bpf.h)","")
with_bpf := yes
BPF_TAG := bpf
BPF_MESSAGE := with-BPF-support
CLANG ?= $(shell which clang || which clang-14)
LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-14)
CLANG ?= $(shell which clang || which clang-12)
LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-12)
KERNEL_ARCH := $(shell uname -m | sed 's/x86_64/x86/g; s/aarch64/arm64/g')
INCLUDES :=
ER_BPF_BUILDDIR := lib/bpf/bytecode
8 changes: 8 additions & 0 deletions docs/pages/access-controls/compliance-frameworks/fedramp.mdx
Expand Up @@ -282,3 +282,11 @@
- All uses of non-compliant algorithms such as NaCl are removed and replaced with compliant algorithms such as AES-GCM.
- Teleport is compiled with [BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407).
- User, host, and CA certificates (and host keys for recording proxy mode) only use 2048-bit RSA private keys.

## Desktop Access


Teleport's Desktop Access feature uses Rust for RDP connections, and thus uses a fork of Cloudflare's [`boring`](https://github.com/gravitational/boring)

library under the hood for FIPS-compliant TLS cryptography. The primary noteable difference to the specifications listed above is that
TLS is restricted to TLS 1.2 only (1.3 is not supported).

Note that Teleport's Desktop Access feature is not available in FIPS mode on `arm64`.

2 changes: 1 addition & 1 deletion e
Submodule e updated from 88e18a to fb3ea3
4 changes: 2 additions & 2 deletions lib/srv/desktop/rdp/rdpclient/Cargo.toml
Expand Up @@ -10,7 +10,7 @@ crate-type = ["staticlib"]

[dependencies]
bitflags = "2.5.0"
boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
byteorder = "1.5.0"
bytes = "1.6.0"
env_logger = "0.11.3"
Expand All @@ -35,7 +35,7 @@ rsa = "0.9.6"
sspi = { git = "https://github.com/Devolutions/sspi-rs", rev="d54bdfcafa0e10d9d78224ebacc4f2a0992a6b79", features = ["network_client"] }
static_init = "1.0.3"
tokio = { version = "1.38", features = ["full"] }
tokio-boring = { git = "https://github.com/gravitational/boring", rev="605253d99d5e363e178bcf97e1d4622e33844cd5", optional = true }
tokio-boring = { git = "https://github.com/gravitational/boring", rev="99897308abb5976ea05625b8314c24b16eebb01b", optional = true }
utf16string = "0.2.0"
uuid = { version = "1.8.0", features = ["v4"] }

2 changes: 1 addition & 1 deletion lib/srv/desktop/rdp/rdpclient/src/client.rs
Expand Up @@ -70,7 +70,7 @@ use crate::rdpdr::scard::SCARD_DEVICE_ID;
use crate::rdpdr::TeleportRdpdrBackend;
use crate::ssl::TlsStream;
#[cfg(feature = "fips")]
use tokio_boring::{HandshakeError, SslStream};
use tokio_boring::HandshakeError;

const RDP_CONNECT_TIMEOUT: Duration = Duration::from_secs(5);

1 change: 1 addition & 0 deletions lib/srv/desktop/rdp/rdpclient/src/ssl.rs
Expand Up @@ -48,6 +48,7 @@ pub(crate) async fn upgrade(
use tokio::io::AsyncWriteExt;
let mut builder = SslConnector::builder(SslMethod::tls_client())?;
builder.set_verify(SslVerifyMode::NONE);
builder.set_fips_compliance_policy()?;
let configuration = builder.build().configure()?;
let mut tls_stream =
tokio_boring::connect(configuration, server_name, initial_stream).await?;
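Review bot: The new `builder.set_fips_compliance_policy()?;` line carries no comment, and it sits directly after `builder.set_verify(SslVerifyMode::NONE);`, so a reader may take the FIPS policy to also govern peer authentication. Going by the fedramp.mdx change in this PR, the policy restricts the handshake itself (TLS 1.2 only, FIPS-approved cipher suites); it presumably leaves the verify mode untouched, so certificate verification remains disabled in this path and that should be stated where the two calls meet. Suggest `// Restrict TLS version and cipher suites to the FIPS policy; this does not change the verify mode set above.` above the new call. The body of `upgrade` begins before this hunk (only its signature appears in the hunk header).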