Forbids use of --insecure in FIPS mode (#6191)

Forbids the use of the `--insecure` mode when FIPS mode is enabled in teleport Disables the `--insecure` tsh command line option when built with FIPS support See-Also: #5073
2024-10-21 17:53:28 +00:00 · 2021-05-14 09:22:46 +10:00 · 2021-05-14 09:22:46 +10:00 · 4284fc3586
parent 84a7230e6e
commit 4284fc3586
3 changed files with 23 additions and 4 deletions
--- a/lib/modules/modules.go
+++ b/lib/modules/modules.go
@ -19,7 +19,9 @@ limitations under the License.
 package modules

 import (
+	"crypto/sha256"
 	"fmt"
+	"reflect"
 	"runtime"
 	"sync"

@ -116,9 +118,12 @@ func (p *defaultModules) Features() Features {
 	}
 }

-// IsBoringBinary checks if the binary was compiled with BoringCrypto.
 func (p *defaultModules) IsBoringBinary() bool {
-	return false
+	// Check the package name for one of the boring primitives, if the package
+	// path is from BoringCrypto, we know this binary was compiled against the
+	// dev.boringcrypto branch of Go.
+	hash := sha256.New()
+	return reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring"
 }

 var (
--- a/tool/teleport/common/teleport.go
+++ b/tool/teleport/common/teleport.go
@ -189,8 +189,12 @@ func Run(options Options) (executedCommand string, conf *service.Config) {
 	// Create default configuration.
 	conf = service.MakeDefaultConfig()

-	// If FIPS mode is specified update defaults to be FIPS appropriate.
+	// If FIPS mode is specified update defaults to be FIPS appropriate and
+	// cross-validate the current config.
 	if ccf.FIPS {
+		if ccf.InsecureMode {
+			utils.FatalError(trace.BadParameter("--insecure not allowed in FIPS mode"))
+		}
 		service.ApplyFIPSDefaults(conf)
 	}

--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
@ -49,6 +49,7 @@ import (
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/kube/kubeconfig"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/session"
 	"github.com/gravitational/teleport/lib/sshutils"
@ -284,6 +285,8 @@ func Run(args []string, opts ...cliOption) error {
 	var cf CLIConf
 	utils.InitLogger(utils.LoggingForCLI, logrus.WarnLevel)

+	moduleCfg := modules.GetModules()
+
 	// configure CLI argument parser:
 	app := utils.InitCLIParser("tsh", "TSH: Teleport Authentication Gateway Client").Interspersed(false)
 	app.Flag("login", "Remote host login").Short('l').Envar(loginEnvVar).StringVar(&cf.NodeLogin)
@ -299,7 +302,14 @@ func Run(args []string, opts ...cliOption) error {
 	app.Flag("identity", "Identity file").Short('i').StringVar(&cf.IdentityFileIn)
 	app.Flag("compat", "OpenSSH compatibility flag").Hidden().StringVar(&cf.Compatibility)
 	app.Flag("cert-format", "SSH certificate format").StringVar(&cf.CertificateFormat)
-	app.Flag("insecure", "Do not verify server's certificate and host name. Use only in test environments").Default("false").BoolVar(&cf.InsecureSkipVerify)
+
+	if !moduleCfg.IsBoringBinary() {
+		// The user is *never* allowed to do this in FIPS mode.
+		app.Flag("insecure", "Do not verify server's certificate and host name. Use only in test environments").
+			Default("false").
+			BoolVar(&cf.InsecureSkipVerify)
+	}
+
 	app.Flag("auth", "Specify the type of authentication connector to use.").Envar(authEnvVar).StringVar(&cf.AuthConnector)
 	app.Flag("namespace", "Namespace of the cluster").Default(defaults.Namespace).Hidden().StringVar(&cf.Namespace)
 	app.Flag("gops", "Start gops endpoint on a given address").Hidden().BoolVar(&cf.Gops)