author | James Fargher <proglottis@gmail.com> | 2022-04-20 00:42:29 +0300 |
---|---|---|
committer | James Fargher <proglottis@gmail.com> | 2022-04-20 00:42:29 +0300 |
commit | 5591e2b54cff1fbfa38d19a3747c18fb847f9b4a (patch) | |
tree | dcd717176fb5e98d2d8f78b181fea639f536b2b5 | |
parent | d0809beb86fb02142c6f0d689929c08fd005b3fd (diff) | |
parent | fdcb9f0499c8fe2468cbce02b2aa5180dddf3168 (diff) |
Merge branch 'sh-fips-mode' into 'master'
Add support for FIPS encryption
See merge request gitlab-org/gitaly!4482
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | cmd/gitaly/main.go | 3 | ||||
-rw-r--r-- | internal/boring/boring.go | 23 | ||||
-rw-r--r-- | internal/boring/notboring.go | 9 |
4 files changed, 41 insertions, 0 deletions
@@ -42,6 +42,7 @@ bindir ?= ${exec_prefix}/bin
 INSTALL_DEST_DIR := ${DESTDIR}${bindir}
 ## The prefix where Git will be installed to.
 GIT_PREFIX ?= ${GIT_DEFAULT_PREFIX}
+FIPS_MODE ?= 0
 # Tools
 GIT := $(shell command -v git)
@@ -68,6 +69,11 @@ GO_LDFLAGS := -X ${GITALY_PACKAGE}/internal/version.version=${GITALY_VERS
 SERVER_BUILD_TAGS := tracer_static,tracer_static_jaeger,tracer_static_stackdriver,continuous_profiler_stackdriver
 GIT2GO_BUILD_TAGS := static,system_libgit2
+ifeq (${FIPS_MODE}, 1)
+ SERVER_BUILD_TAGS := ${SERVER_BUILD_TAGS},boringcrypto
+ GIT2GO_BUILD_TAGS := ${GIT2GO_BUILD_TAGS},boringcrypto
+endif
+
 # Dependency versions
 GOLANGCI_LINT_VERSION ?= 1.44.2
 GOCOVER_COBERTURA_VERSION ?= aaee18c8195c3f2d90e5ef80ca918d265463842a
diff --git a/cmd/gitaly/main.go b/cmd/gitaly/main.go
index c7386180d..b0c124038 100644
--- a/cmd/gitaly/main.go
+++ b/cmd/gitaly/main.go
@@ -15,6 +15,7 @@ import (
  "gitlab.com/gitlab-org/gitaly/v14/internal/backchannel"
  "gitlab.com/gitlab-org/gitaly/v14/internal/bootstrap"
  "gitlab.com/gitlab-org/gitaly/v14/internal/bootstrap/starter"
+ "gitlab.com/gitlab-org/gitaly/v14/internal/boring"
  "gitlab.com/gitlab-org/gitaly/v14/internal/cache"
  "gitlab.com/gitlab-org/gitaly/v14/internal/cgroups"
  "gitlab.com/gitlab-org/gitaly/v14/internal/git"
@@ -91,6 +92,8 @@ func main() {
  }
  log.Info("Starting Gitaly", "version", version.GetVersionString())
+ boring.CheckBoring()
+
  cfg, err := configure(flag.Arg(0))
  if err != nil {
  log.Fatal(err)
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 000000000..cc09fab9d
--- /dev/null
+++ b/internal/boring/boring.go
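Review bot: `FIPS_MODE ?= 0` is added without the `## ` description comment that the neighbouring variables carry (see `## The prefix where Git will be installed to.` just above it), so an operator reading the Makefile gets no hint of what the flag requires. I would put `## Set to 1 to build with the boringcrypto tag; requires a FIPS-capable Go toolchain (e.g. golang-fips/go).` above the assignment. Nothing in this hunk or the tag hunk below checks the toolchain: on a toolchain without FIPS support the build presumably either fails on the `crypto/boring` import or compiles and only logs at runtime that FIPS is not enabled, so the comment is the one place the prerequisite is stated.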
@@ -0,0 +1,23 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import (
+ "crypto/boring"
+
+ "gitlab.com/gitlab-org/labkit/log"
+)
+
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+ // 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+ // 2. A system OpenSSL can be dynamically loaded via ldopen().
+func CheckBoring() {
+ if boring.Enabled() {
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
+ return
+ }
+ log.Info("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")
+}
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 000000000..1a7eb52f7
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,9 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
+func CheckBoring() {
+}
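Review bot: The fall-through branch of CheckBoring logs at Info when the binary was built with the boringcrypto tag but `boring.Enabled()` returns false, so a deployment that must run FIPS crypto and is silently running without it looks exactly like a healthy start in the logs; that line should at least be `log.Warn("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")` (labkit's log package exposes Warn alongside Info, as far as I recall), and ideally the function would return the bool so main can fail closed when an operator requires FIPS rather than merely prefers it. The doc comment also names the wrong loader call: `ldopen()` should read `dlopen()`. Since `Enabled()` is the only signal consulted, it would help to say in the comment that a true result reflects the golang-fips toolchain's own check (kernel flag plus loadable OpenSSL) and is not by itself evidence that the loaded OpenSSL is a FIPS 140-validated module.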