[18.03] FIPS #2625

Merged
merged 15 commits into from
May 11, 2018
Commits on May 7, 2018

  1. Vendor in fernet-go to provide AES-128-CBC

    Signed-off-by: cyli <cyli@twistedmatrix.com>
    (cherry picked from commit 0f21845)
    cyli committed May 7, 2018
    6306b4c
  2. Add fernet encryption mechanism for raft WAL and snapshots.

    Signed-off-by: cyli <cyli@twistedmatrix.com>
    (cherry picked from commit 25c6575)
    cyli committed May 7, 2018
    80c7df1
  3. Move MultiDecrypter to encryption package and provide some niceties around

    constructing one.  Also make it a map instead of a list so that as
    available algorithms increase not every single algorithm needs to be tried
    to decrypt.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 34ac12e)
    cyli committed May 7, 2018
    96129bd
  4. Move fips environment variable check to its own package, so we can check it

    from the encryption package to determine the encryption defaults.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 899202e)
    cyli committed May 7, 2018
    9bcceab
  5. Stop encrypting the raft root CA key entirely based on env vars, since

    that feature was deprecated almost a year ago.  Rely on MTLS for
    encryption in transit and raft log encryption for encryption at rest.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 9369c1e)
    cyli committed May 7, 2018
    3aebbb2
  6. Rather than use an environment variable to determine whether something requires FIPS:

    (1) require that users of the keyutil package instead use a key formatter object,
        which could either be the default non-FIPS utility or the FIPS utility.
    (2) require that users that request encryption defaults specify whether FIPS compliance
        is needed
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 2a31867)
    cyli committed May 7, 2018
    110e8db
  7. Use the default keyutil formatter for tests, and remove fips checks for the root CA

    because we no longer support encrypting the root CA key, and PKCS8 vs PKCS1 only
    matters for fips if we encrypt.  We want to keep the root key PKCS1 so that mixed
    version clusters will continue to work.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 971930e)
    cyli committed May 7, 2018
    48128f5
  8. Add a key formatter parameter to the NewKeyReadWriter, and use that to encrypt and

    decrypt keys. It can be set using a setter function.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 4ffb0ec)
    cyli committed May 7, 2018
    790696f
  9. Add a FIPS bool to the node object, and propagate that boolean to the

    KeyReadWriter used in the node object.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 43f607a)
    cyli committed May 7, 2018
    45e5892
  10. Add a fips boolean to the node config.

    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 6847b6c)
    cyli committed May 7, 2018
    Configuration menu
    Copy the full SHA
    02ae7c1 View commit details
    Browse the repository at this point in the history
  11. The agent now reports its FIPS status as part of the node description.

    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 7c61add)
    cyli committed May 7, 2018
    c142f4f
  12. Add a FIPS boolean to the cluster object and the node description. When a

    cluster is first created, the FIPS value should be set and it should not
    be changed through the lifetime of the cluster, because converting from
    non-FIPS to FIPS should not be possible (to avoid compliance issues, even
    if there were a migration process, we'd have to provide a validation tool
    to ensure that the migration was complete across the cluster).
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 6197cc5)
    cyli committed May 7, 2018
    0e8fc3a
  13. If the cluster requires FIPS, the cluster ID and join token will also reflect

    this property. So all TLS certs will have the cluster ID, which says whether
    the cluster is FIPS, in the Org field.
    
    If a node loads up its TLS cert, sees that the cluster requires FIPS,
    and FIPS mode is not enabled on that node, the node will shut down.  If a
    non-FIPS node gets a join token that indicates that the cluster mandates
    FIPS, it will refuse to join.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 9943770)
    cyli committed May 7, 2018
    3688812
  14. Propagate the FIPS bool to the raft DEK manager so that the DEK is encrypted

    using fernet.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit 905d35b)
    cyli committed May 7, 2018
    1a9dd8e
  15. Propagate the FIPS boolean from node.go to the manager and hence to the raft

    storage layer.  Also propagate it to the RaftDEKData objects in node.go
    and to the RaftDEKManager in the manager.
    
    Signed-off-by: Ying Li <ying.li@docker.com>
    (cherry picked from commit ba11e51)
    cyli committed May 7, 2018
    1194ebd
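
The certificate half of the fail-closed check described in commit 13, sketched as an added example; it is not code from this pull request or from the project. The `FIPS.` cluster-ID prefix, the function names, and the self-signed sample certificate are assumptions made for illustration, since the page does not show how the cluster ID encodes the FIPS property.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumption (hypothetical, not from the page): this cluster-ID prefix marks a FIPS-only cluster.
const fipsMarker = "FIPS."

var ErrFIPSRequired = errors.New("cluster mandates FIPS, node is not in FIPS mode")

// CheckNodeCert reads the cluster ID from the cert's Org field and fails closed on a mismatch.
func CheckNodeCert(der []byte, nodeFIPS bool) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse node cert: %w", err)
	}
	for _, org := range cert.Subject.Organization {
		if strings.HasPrefix(org, fipsMarker) && !nodeFIPS {
			return ErrFIPSRequired // caller should shut the node down
		}
	}
	return nil
}

// IssueSampleCert returns a constructed self-signed cert with clusterID in the Org field.
func IssueSampleCert(clusterID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Organization: []string{clusterID}, CommonName: "node-1"}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := IssueSampleCert(fipsMarker + "samplecluster")
	fmt.Println(CheckNodeCert(der, false), CheckNodeCert(der, true))
}
```

Because the property is read from a field the cluster CA signs, a node cannot opt out by changing local configuration; the same comparison would apply to the join token before any certificate is requested.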