From 3ada6af0ded04dceee47a4983ac460222c98b796 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Tue, 1 Mar 2022 20:57:56 +0000
Subject: [PATCH] tls: set min version to 1.2 and restrict cipher suites
Signed-off-by: Ramkumar Chinchani
---
.github/workflows/tls.yaml | 47 ++++++++++++++++++++++++++++++++++++++
examples/config-tls.json | 18 +++++++++++++++
go.mod | 4 ++--
go.sum | 4 ++++
pkg/api/controller.go | 26 +++++++++++++++------
5 files changed, 90 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/tls.yaml
create mode 100644 examples/config-tls.json
diff --git a/.github/workflows/tls.yaml b/.github/workflows/tls.yaml
new file mode 100644
index 00000000..13c60f5e
--- /dev/null
+++ b/.github/workflows/tls.yaml
@@ -0,0 +1,47 @@
+name: "TLS protocol scan"
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [main]
+
+jobs:
+ tls-check:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ os: [linux]
+ arch: [amd64]
+ name: TLS check
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-go@v2
+ with:
+ go-version: 1.17.x
+ - name: Install dependencies
+ run: |
+ cd $GITHUB_WORKSPACE
+ sudo apt-get update
+ sudo apt-get install -y apache2-utils openssl
+ mkdir -p test/data
+ cd test/data
+ ../scripts/gen_certs.sh
+ htpasswd -bBn test test123 > htpasswd
+ - name: Check for TLS settings
+ continue-on-error: true
+ run: |
+ cd $GITHUB_WORKSPACE
+ make OS=$OS ARCH=$ARCH binary
+ bin/zot-$OS-$ARCH serve examples/config-tls.json &
+ sleep 5
+ curl -kv --tls-max 1.0 -0 https://localhost:8080/v2/
+ if [[ "$?" -eq 0 ]]; then echo "TLSv1.0 detected"; exit 1; fi
+ curl -kv --tls-max 1.1 -0 https://localhost:8080/v2/
+ if [[ "$?" -eq 0 ]]; then echo "TLSv1.1 detected"; exit 1; fi
+ curl -kv --tls-max 1.2 -0 https://localhost:8080/v2/
+ if [[ "$?" -ne 0 ]]; then echo "TLSv1.2 missing"; exit 1; fi
+ env:
+ OS: ${{ matrix.os }}
+ ARCH: ${{ matrix.arch }}
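Review bot: `continue-on-error: true` on the "Check for TLS settings" step means its `exit 1` never fails the job, so the gate this workflow exists for cannot block a TLS regression; that line should go. The step also appears to run under the runner's default `bash -e` shell, in which case the first `curl --tls-max 1.0` (which is supposed to fail) aborts the script before `if [[ "$?" -eq 0 ]]` is evaluated and the TLSv1.2 check is never reached — testing the command directly avoids both issues: `if curl -kv --tls-max 1.0 -0 https://localhost:8080/v2/; then echo "TLSv1.0 detected"; exit 1; fi` (likewise for 1.1) and `if ! curl -kv --tls-max 1.2 -0 https://localhost:8080/v2/; then echo "TLSv1.2 missing"; exit 1; fi`. Separately, curl on recent Ubuntu images may refuse TLS 1.0/1.1 on the client side (OpenSSL's `MinProtocol`), which would make the downgrade checks pass vacuously, so it is worth confirming the failure is the server's rejection, e.g. with `openssl s_client -tls1_1`. The commit title also restricts cipher suites, but nothing here probes a suite outside the new list; an `openssl s_client -tls1_2 -cipher AES128-SHA` connection that is expected to fail would cover that.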
diff --git a/examples/config-tls.json b/examples/config-tls.json
new file mode 100644
index 00000000..9e4a1b9b
--- /dev/null
+++ b/examples/config-tls.json
@@ -0,0 +1,18 @@
+{
+ "version":"0.1.0-dev",
+ "storage":{
+ "rootDirectory":"/tmp/zot"
+ },
+ "http": {
+ "address":"127.0.0.1",
+ "port":"8080",
+ "realm":"zot",
+ "tls": {
+ "cert":"test/data/server.cert",
+ "key":"test/data/server.key"
+ }
+ },
+ "log":{
+ "level":"debug"
+ }
+}
diff --git a/go.mod b/go.mod
index fcebcbd5..ea31481d 100644
--- a/go.mod
+++ b/go.mod
@@ -55,7 +55,7 @@ require (
 github.com/urfave/cli/v2 v2.3.0
 github.com/vektah/gqlparser/v2 v2.2.0
 go.etcd.io/bbolt v1.3.6
- golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
+ golang.org/x/crypto v0.0.0-20220214200702-86341886e292
 gopkg.in/resty.v1 v1.12.0
 gopkg.in/yaml.v2 v2.4.0
 )
@@ -354,7 +354,7 @@ require (
 go.uber.org/multierr v1.7.0 // indirect
 go.uber.org/zap v1.19.1 // indirect
 golang.org/x/mod v0.5.1 // indirect
- golang.org/x/net v0.0.0-20211111160137-58aab5ef257a // indirect
+ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
diff --git a/go.sum b/go.sum
index fe103787..87d13d75 100644
--- a/go.sum
+++ b/go.sum
@@ -2580,6 +2580,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa h1:idItI2DDfCokpg0N51B2VtiLdJ4vAuXC9fnCb2gACo4=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -2717,6 +2719,8 @@ golang.org/x/net v0.0.0-20211005001312-d4b1ae081e3b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211111160137-58aab5ef257a h1:c83jeVQW0KGKNaKBRfelNYNHaev+qawl9yaA825s8XE=
 golang.org/x/net v0.0.0-20211111160137-58aab5ef257a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
index f51621d8..ad76e031 100644
--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -164,6 +164,23 @@ func (c *Controller) Run() error {
 }
 if c.Config.HTTP.TLS != nil && c.Config.HTTP.TLS.Key != "" && c.Config.HTTP.TLS.Cert != "" {
+ server.TLSConfig = &tls.Config{
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []tls.CurveID{
+ tls.CurveP256,
+ tls.X25519,
+ },
+ PreferServerCipherSuites: true,
+ MinVersion: tls.VersionTLS12,
+ }
+
 if c.Config.HTTP.TLS.CACert != "" {
 clientAuth := tls.VerifyClientCertIfGiven
 if (c.Config.HTTP.Auth == nil || c.Config.HTTP.Auth.HTPasswd.Path == "") && !c.Config.HTTP.AllowReadAccess {
@@ -181,13 +198,8 @@ func (c *Controller) Run() error {
 panic(errors.ErrBadCACert)
 }
- server.TLSConfig = &tls.Config{
- ClientAuth: clientAuth,
- ClientCAs: caCertPool,
- PreferServerCipherSuites: true,
- MinVersion: tls.VersionTLS12,
- }
- server.TLSConfig.BuildNameToCertificate()
+ server.TLSConfig.ClientAuth = clientAuth
+ server.TLSConfig.ClientCAs = caCertPool
 }
 return server.ServeTLS(listener, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)
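Review bot: The new `tls.Config` in the first hunk carries no comment on what the suite list does and does not control: `CipherSuites` only governs TLS 1.2 handshakes (the TLS 1.3 suites are fixed by crypto/tls and cannot be restricted here), and `PreferServerCipherSuites` is, as far as I recall, ignored and marked deprecated from Go 1.17 — the toolchain the new workflow pins — so staticcheck will likely flag it. Suggest `// TLS 1.2: ECDHE + AEAD suites only (no RSA key exchange, CBC or 3DES); TLS 1.3 suites are always enabled and not configurable here.` above `CipherSuites`, and `// No-op on Go >= 1.17 (server preference order is always used); kept for older toolchains.` on `PreferServerCipherSuites`. Note that the hardened config now also applies when `CACert` is empty, a path that previously ran on crypto/tls defaults because `server.TLSConfig` was only set inside the `CACert != ""` branch; that is the intended tightening but deserves a line in the commit message. `Run` starts before the first hunk and presumably continues past the `ServeTLS` return, so its surrounding context is outside this view.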