VictoriaMetrics/lib/netutil/tls.go

package netutil

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
	"sync"

	"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"
)

// GetServerTLSConfig returns TLS config for the server.
func GetServerTLSConfig(tlsCertFile, tlsKeyFile, tlsMinVersion string, tlsCipherSuites []string) (*tls.Config, error) {
	_, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
	if err != nil {
		return nil, fmt.Errorf("cannot load TLS certificate and key files: %w", err)
	}

	minVersion, err := ParseTLSVersion(tlsMinVersion)
	if err != nil {
		return nil, fmt.Errorf("cannnot use TLS min version from tlsMinVersion=%q. Supported TLS versions (TLS10, TLS11, TLS12, TLS13): %w", tlsMinVersion, err)
	}
	cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)
	if err != nil {
		return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)
	}
	cfg := &tls.Config{
		MinVersion: minVersion,

		// Do not set MaxVersion, since this has no sense from security PoV.
		// This can only result in lower security level if improperly set.

		CipherSuites: cipherSuites,
	}

	cfg.GetCertificate = newGetCertificateFunc(tlsCertFile, tlsKeyFile)
	return cfg, nil
}

func newGetCertificateFunc(tlsCertFile, tlsKeyFile string) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	var certLock sync.Mutex
	var certDeadline uint64
	var cert *tls.Certificate
	return func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
		certLock.Lock()
		defer certLock.Unlock()
		if fasttime.UnixTimestamp() > certDeadline {
			c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
			if err != nil {
				return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
			}
			certDeadline = fasttime.UnixTimestamp() + 1
			cert = &c
		}
		return cert, nil
	}
}

func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
	if len(cipherSuiteNames) == 0 {
		return nil, nil
	}

	css := tls.CipherSuites()

	cssByName := make(map[string]uint16, len(css))
	for _, cs := range css {
		cssByName[strings.ToLower(cs.Name)] = cs.ID
	}

	cssByID := make(map[uint16]bool, len(css))
	for _, cs := range css {
		cssByID[cs.ID] = true
	}

	cipherSuites := make([]uint16, 0, len(cipherSuiteNames))
	for _, name := range cipherSuiteNames {
		id, ok := cssByName[strings.ToLower(name)]
		if !ok {
			// Try searching by ID
			idKey, err := strconv.ParseUint(name, 0, 16)
			if err != nil || !cssByID[uint16(idKey)] {
				return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)
			}
			id = uint16(idKey)
		}
		cipherSuites = append(cipherSuites, id)
	}
	return cipherSuites, nil
}

// ParseTLSVersion returns tls version from the given string s.
func ParseTLSVersion(s string) (uint16, error) {
	switch strings.ToUpper(s) {
	case "":
		// Special case - use default TLS version provided by tls package.
		return 0, nil
	case "TLS13":
		return tls.VersionTLS13, nil
	case "TLS12":
		return tls.VersionTLS12, nil
	case "TLS11":
		return tls.VersionTLS11, nil
	case "TLS10":
		return tls.VersionTLS10, nil
	default:
		return 0, fmt.Errorf("unsupported TLS version %q", s)
	}
}
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`package netutil`

			`import (`
			`"crypto/tls"`
			`"fmt"`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00			`"strconv"`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`"strings"`
			`"sync"`

			`"github.com/VictoriaMetrics/VictoriaMetrics/lib/fasttime"`
			`)`

app/vmstorage: add support for mTLS cipher suites via `-cluster.tlsCipherSuites` command-line flag Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/2404 2022-04-16 13:32:17 +00:00			`// GetServerTLSConfig returns TLS config for the server.`
lib/netutil/tls.go: consistently use tlsMinVersion name across source code This should simplify further code maintenance and refactoring This is a follow-up after 6ab1cede62f15a529c49eed1378cf37b6036f616 2022-09-26 14:57:59 +00:00			`func GetServerTLSConfig(tlsCertFile, tlsKeyFile, tlsMinVersion string, tlsCipherSuites []string) (*tls.Config, error) {`
lib/netutil: validate TLS cert and key files immediately (#6621) Validate files specified via `-tlsKeyFile` and `-tlsCertFile` cmd-line flags on the process start-up. Previously, validation happened on the first connection accepted by HTTP server. https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6608 --------- Co-authored-by: hagen1778 <roman@victoriametrics.com> 2024-07-29 11:58:53 +00:00			`_, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot load TLS certificate and key files: %w", err)`
			`}`

lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00			`minVersion, err := ParseTLSVersion(tlsMinVersion)`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`if err != nil {`
lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00			`return nil, fmt.Errorf("cannnot use TLS min version from tlsMinVersion=%q. Supported TLS versions (TLS10, TLS11, TLS12, TLS13): %w", tlsMinVersion, err)`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`}`
			`cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)`
			`}`
			`cfg := &tls.Config{`
lib/{httpserver,netutil}: allow to define min and max TLS version of the http server (#3109) * lib/{httpserver,netutil}: allow to define min and max TLS version of the http server * lib/httpserver: added descriptions about tls supported versions * lib/netutil: check minimal tls version, added supported tls versions to error * wip Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-09-26 14:35:45 +00:00			`MinVersion: minVersion,`
lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00
lib/{httpserver,netutil}: allow to define min and max TLS version of the http server (#3109) * lib/{httpserver,netutil}: allow to define min and max TLS version of the http server * lib/httpserver: added descriptions about tls supported versions * lib/netutil: check minimal tls version, added supported tls versions to error * wip Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-09-26 14:35:45 +00:00			`// Do not set MaxVersion, since this has no sense from security PoV.`
			`// This can only result in lower security level if improperly set.`
lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`CipherSuites: cipherSuites,`
			`}`
lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00
			`cfg.GetCertificate = newGetCertificateFunc(tlsCertFile, tlsKeyFile)`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`return cfg, nil`
			`}`

lib/netutil: move creation of GetCertificate callback into a separate function This improves code readability a bit 2024-04-17 20:10:40 +00:00			`func newGetCertificateFunc(tlsCertFile, tlsKeyFile string) func(hello tls.ClientHelloInfo) (tls.Certificate, error) {`
			`var certLock sync.Mutex`
			`var certDeadline uint64`
			`var cert *tls.Certificate`
			`return func(_ tls.ClientHelloInfo) (tls.Certificate, error) {`
			`certLock.Lock()`
			`defer certLock.Unlock()`
			`if fasttime.UnixTimestamp() > certDeadline {`
			`c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)`
			`if err != nil {`
			`return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)`
			`}`
			`certDeadline = fasttime.UnixTimestamp() + 1`
			`cert = &c`
			`}`
			`return cert, nil`
			`}`
			`}`

lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {`
			`if len(cipherSuiteNames) == 0 {`
			`return nil, nil`
			`}`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`css := tls.CipherSuites()`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00
			`cssByName := make(map[string]uint16, len(css))`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`for _, cs := range css {`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00			`cssByName[strings.ToLower(cs.Name)] = cs.ID`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`}`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00
			`cssByID := make(map[uint16]bool, len(css))`
			`for _, cs := range css {`
			`cssByID[cs.ID] = true`
			`}`

lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`cipherSuites := make([]uint16, 0, len(cipherSuiteNames))`
			`for _, name := range cipherSuiteNames {`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00			`id, ok := cssByName[strings.ToLower(name)]`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`if !ok {`
all: upgrade Go builder from Go1.21.7 to Go1.22.0 See https://go.dev/doc/go1.22 2024-02-12 19:59:41 +00:00			`// Try searching by ID`
			`idKey, err := strconv.ParseUint(name, 0, 16)`
			`if err != nil \|\| !cssByID[uint16(idKey)] {`
			`return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)`
			`}`
			`id = uint16(idKey)`
lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go This syncs the corresponding code with cluster branch 2022-04-16 12:51:34 +00:00			`}`
			`cipherSuites = append(cipherSuites, id)`
			`}`
			`return cipherSuites, nil`
			`}`
lib/{httpserver,netutil}: allow to define min and max TLS version of the http server (#3109) * lib/{httpserver,netutil}: allow to define min and max TLS version of the http server * lib/httpserver: added descriptions about tls supported versions * lib/netutil: check minimal tls version, added supported tls versions to error * wip Co-authored-by: Aliaksandr Valialkin <valyala@victoriametrics.com> 2022-09-26 14:35:45 +00:00
			`// ParseTLSVersion returns tls version from the given string s.`
			`func ParseTLSVersion(s string) (uint16, error) {`
			`switch strings.ToUpper(s) {`
			`case "":`
			`// Special case - use default TLS version provided by tls package.`
			`return 0, nil`
			`case "TLS13":`
			`return tls.VersionTLS13, nil`
			`case "TLS12":`
			`return tls.VersionTLS12, nil`
			`case "TLS11":`
			`return tls.VersionTLS11, nil`
			`case "TLS10":`
			`return tls.VersionTLS10, nil`
			`default:`
			`return 0, fmt.Errorf("unsupported TLS version %q", s)`
			`}`
			`}`