VictoriaMetrics/lib/netutil/tls.go

package netutil

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
	"sync"

	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"
)

// GetServerTLSConfig returns TLS config for the server with possible client verification (mTLS) if tlsCAFile isn't empty.
func GetServerTLSConfig(tlsCAFile, tlsCertFile, tlsKeyFile string, tlsCipherSuites []string) (*tls.Config, error) {
	var certLock sync.Mutex
	var certDeadline uint64
	var cert *tls.Certificate
	c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
	if err != nil {
		return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
	}
	cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)
	if err != nil {
		return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)
	}
	cert = &c
	cfg := &tls.Config{
		MinVersion:               tls.VersionTLS12,
		PreferServerCipherSuites: true,
		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
			certLock.Lock()
			defer certLock.Unlock()
			if fasttime.UnixTimestamp() > certDeadline {
				c, err = tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
				if err != nil {
					return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
				}
				certDeadline = fasttime.UnixTimestamp() + 1
				cert = &c
			}
			return cert, nil
		},
		CipherSuites: cipherSuites,
	}
	if tlsCAFile != "" {
		// Enable mTLS ( https://en.wikipedia.org/wiki/Mutual_authentication#mTLS )
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cp := x509.NewCertPool()
		caPEM, err := fs.ReadFileOrHTTP(tlsCAFile)
		if err != nil {
			return nil, fmt.Errorf("cannot read tlsCAFile=%q: %w", tlsCAFile, err)
		}
		if !cp.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("cannot parse data for tlsCAFile=%q: %s", tlsCAFile, caPEM)
		}
		cfg.ClientCAs = cp
	}
	return cfg, nil
}

func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
	if len(cipherSuiteNames) == 0 {
		return nil, nil
	}
	css := tls.CipherSuites()
	cssMap := make(map[string]uint16, len(css))
	for _, cs := range css {
		cssMap[strings.ToLower(cs.Name)] = cs.ID
	}
	cipherSuites := make([]uint16, 0, len(cipherSuiteNames))
	for _, name := range cipherSuiteNames {
		id, ok := cssMap[strings.ToLower(name)]
		if !ok {
			return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)
		}
		cipherSuites = append(cipherSuites, id)
	}
	return cipherSuites, nil
}
lib/httpserver: extract the code responsible for initializing server-side TLS config into netutil.GetServerTLSConfig 2022-03-17 17:42:10 +00:00			`package netutil`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"fmt"`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`"strings"`
lib/httpserver: extract the code responsible for initializing server-side TLS config into netutil.GetServerTLSConfig 2022-03-17 17:42:10 +00:00			`"sync"`

			`"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"`
			`"github.com/VictoriaMetrics/VictoriaMetrics/lib/fs"`
			`)`

			`// GetServerTLSConfig returns TLS config for the server with possible client verification (mTLS) if tlsCAFile isn't empty.`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`func GetServerTLSConfig(tlsCAFile, tlsCertFile, tlsKeyFile string, tlsCipherSuites []string) (*tls.Config, error) {`
lib/httpserver: extract the code responsible for initializing server-side TLS config into netutil.GetServerTLSConfig 2022-03-17 17:42:10 +00:00			`var certLock sync.Mutex`
			`var certDeadline uint64`
			`var cert *tls.Certificate`
			`c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)`
			`}`
lib/httpserver: follow up after def0032c7d6b60da6b3a343d94fc977d4e095a68 2022-04-16 12:27:21 +00:00			`cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)`
			`}`
lib/httpserver: extract the code responsible for initializing server-side TLS config into netutil.GetServerTLSConfig 2022-03-17 17:42:10 +00:00			`cert = &c`
			`cfg := &tls.Config{`
			`MinVersion: tls.VersionTLS12,`
			`PreferServerCipherSuites: true,`
			`GetCertificate: func(info tls.ClientHelloInfo) (tls.Certificate, error) {`
			`certLock.Lock()`
			`defer certLock.Unlock()`
			`if fasttime.UnixTimestamp() > certDeadline {`
			`c, err = tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)`
			`}`
			`certDeadline = fasttime.UnixTimestamp() + 1`
			`cert = &c`
			`}`
			`return cert, nil`
			`},`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`CipherSuites: cipherSuites,`
lib/httpserver: extract the code responsible for initializing server-side TLS config into netutil.GetServerTLSConfig 2022-03-17 17:42:10 +00:00			`}`
			`if tlsCAFile != "" {`
			`// Enable mTLS ( https://en.wikipedia.org/wiki/Mutual_authentication#mTLS )`
			`cfg.ClientAuth = tls.RequireAndVerifyClientCert`
			`cp := x509.NewCertPool()`
			`caPEM, err := fs.ReadFileOrHTTP(tlsCAFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot read tlsCAFile=%q: %w", tlsCAFile, err)`
			`}`
			`if !cp.AppendCertsFromPEM(caPEM) {`
			`return nil, fmt.Errorf("cannot parse data for tlsCAFile=%q: %s", tlsCAFile, caPEM)`
			`}`
			`cfg.ClientCAs = cp`
			`}`
			`return cfg, nil`
			`}`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00
lib/httpserver: follow up after def0032c7d6b60da6b3a343d94fc977d4e095a68 2022-04-16 12:27:21 +00:00			`func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {`
			`if len(cipherSuiteNames) == 0 {`
			`return nil, nil`
			`}`
			`css := tls.CipherSuites()`
			`cssMap := make(map[string]uint16, len(css))`
			`for _, cs := range css {`
			`cssMap[strings.ToLower(cs.Name)] = cs.ID`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`}`
lib/httpserver: follow up after def0032c7d6b60da6b3a343d94fc977d4e095a68 2022-04-16 12:27:21 +00:00			`cipherSuites := make([]uint16, 0, len(cipherSuiteNames))`
			`for _, name := range cipherSuiteNames {`
			`id, ok := cssMap[strings.ToLower(name)]`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`if !ok {`
lib/httpserver: follow up after def0032c7d6b60da6b3a343d94fc977d4e095a68 2022-04-16 12:27:21 +00:00			`return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)`
lib/httpserver: added tlsCipherSuites flag (#2468) * lib/httpserver: added tlsCipherSuites flag * lib/httpserver: compare lower case strings * lib/httpserver: use EqualFold * lib/httpserver: used flagutil.NewArray, supported only strings cipher suites * lib/httpserver: updated flag description, added flag to documentation * Update lib/httpserver/httpserver.go Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-04-16 12:07:07 +00:00			`}`
			`cipherSuites = append(cipherSuites, id)`
			`}`
			`return cipherSuites, nil`
			`}`