plugin/tls/tls.go

package tls

import (
	ctls "crypto/tls"

	"github.com/coredns/coredns/core/dnsserver"
	"github.com/coredns/coredns/plugin"
	"github.com/coredns/coredns/plugin/pkg/tls"

	"github.com/caddyserver/caddy"
)

func init() { plugin.Register("tls", setup) }

func setup(c *caddy.Controller) error {
	err := parseTLS(c)
	if err != nil {
		return plugin.Error("tls", err)
	}
	return nil
}

func setTLSDefaults(tls *ctls.Config) {
	tls.MinVersion = ctls.VersionTLS12
	tls.MaxVersion = ctls.VersionTLS13
	tls.CipherSuites = []uint16{
		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}
	tls.PreferServerCipherSuites = true
}

func parseTLS(c *caddy.Controller) error {
	config := dnsserver.GetConfig(c)

	if config.TLSConfig != nil {
		return plugin.Error("tls", c.Errf("TLS already configured for this server instance"))
	}

	for c.Next() {
		args := c.RemainingArgs()
		if len(args) < 2 || len(args) > 3 {
			return plugin.Error("tls", c.ArgErr())
		}
		clientAuth := ctls.NoClientCert
		for c.NextBlock() {
			switch c.Val() {
			case "client_auth":
				authTypeArgs := c.RemainingArgs()
				if len(authTypeArgs) != 1 {
					return c.ArgErr()
				}
				switch authTypeArgs[0] {
				case "nocert":
					clientAuth = ctls.NoClientCert
				case "request":
					clientAuth = ctls.RequestClientCert
				case "require":
					clientAuth = ctls.RequireAnyClientCert
				case "verify_if_given":
					clientAuth = ctls.VerifyClientCertIfGiven
				case "require_and_verify":
					clientAuth = ctls.RequireAndVerifyClientCert
				default:
					return c.Errf("unknown authentication type '%s'", authTypeArgs[0])
				}
			default:
				return c.Errf("unknown option '%s'", c.Val())
			}
		}
		tls, err := tls.NewTLSConfigFromArgs(args...)
		if err != nil {
			return err
		}
		tls.ClientAuth = clientAuth
		// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
		tls.ClientCAs = tls.RootCAs

		setTLSDefaults(tls)

		config.TLSConfig = tls
	}
	return nil
}
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`package tls`

			`import (`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`ctls "crypto/tls"`

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`"github.com/coredns/coredns/core/dnsserver"`
Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`"github.com/coredns/coredns/plugin"`
			`"github.com/coredns/coredns/plugin/pkg/tls"`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00
Update Caddy to 1.0.1, and update import path (#2961) * Update Caddy to 1.0.1, and update import path This fix updates caddy to 1.0.1 and also updates the import path to github.com/caddyserver/caddy This fix fixes 2959 Signed-off-by: Yong Tang <yong.tang.github@outlook.com> * Also update plugin.cfg Signed-off-by: Yong Tang <yong.tang.github@outlook.com> * Update and bump zplugin.go Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2019-07-03 09:04:47 +08:00			`"github.com/caddyserver/caddy"`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`)`

plugin register (#3321) These plugins where missed in #3287 because their setup is done in a file other than setup.go Signed-off-by: Miek Gieben <miek@miek.nl> 2019-09-28 10:40:43 +01:00			`func init() { plugin.Register("tls", setup) }`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00
			`func setup(c *caddy.Controller) error {`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`err := parseTLS(c)`
			`if err != nil {`
			`return plugin.Error("tls", err)`
			`}`
			`return nil`
			`}`

TLS hardening (#2938) Automatically submitted. 2019-06-28 14:03:34 +03:00			`func setTLSDefaults(tls *ctls.Config) {`
			`tls.MinVersion = ctls.VersionTLS12`
			`tls.MaxVersion = ctls.VersionTLS13`
			`tls.CipherSuites = []uint16{`
			`ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`ctls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,`
			`ctls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,`
			`ctls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
			`ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`ctls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
			`ctls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
			`ctls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`}`
			`tls.PreferServerCipherSuites = true`
			`}`

make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`func parseTLS(c *caddy.Controller) error {`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`config := dnsserver.GetConfig(c)`

			`if config.TLSConfig != nil {`
Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`return plugin.Error("tls", c.Errf("TLS already configured for this server instance"))`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`}`

			`for c.Next() {`
			`args := c.RemainingArgs()`
plugin/tls: make CA parameter optional (#1800) 2018-05-15 19:53:46 +03:00			`if len(args) < 2 \|\| len(args) > 3 {`
Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`return plugin.Error("tls", c.ArgErr())`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`}`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`clientAuth := ctls.NoClientCert`
			`for c.NextBlock() {`
			`switch c.Val() {`
			`case "client_auth":`
			`authTypeArgs := c.RemainingArgs()`
			`if len(authTypeArgs) != 1 {`
			`return c.ArgErr()`
			`}`
			`switch authTypeArgs[0] {`
			`case "nocert":`
			`clientAuth = ctls.NoClientCert`
			`case "request":`
			`clientAuth = ctls.RequestClientCert`
			`case "require":`
			`clientAuth = ctls.RequireAnyClientCert`
			`case "verify_if_given":`
			`clientAuth = ctls.VerifyClientCertIfGiven`
			`case "require_and_verify":`
			`clientAuth = ctls.RequireAndVerifyClientCert`
			`default:`
			`return c.Errf("unknown authentication type '%s'", authTypeArgs[0])`
			`}`
			`default:`
			`return c.Errf("unknown option '%s'", c.Val())`
			`}`
			`}`
plugin/tls: make CA parameter optional (#1800) 2018-05-15 19:53:46 +03:00			`tls, err := tls.NewTLSConfigFromArgs(args...)`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`if err != nil {`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`return err`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`}`
make sure client CA and auth type are set if CA is explicitly specified. (#2825) * make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README 2019-05-31 09:30:15 -07:00			`tls.ClientAuth = clientAuth`
			`// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.`
			`tls.ClientCAs = tls.RootCAs`
TLS hardening (#2938) Automatically submitted. 2019-06-28 14:03:34 +03:00
			`setTLSDefaults(tls)`

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`config.TLSConfig = tls`
			`}`
			`return nil`
			`}`