author | Stan Hu <stanhu@gmail.com> | 2022-04-17 07:14:47 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2022-04-17 08:11:19 +0300 |
commit | fdcb9f0499c8fe2468cbce02b2aa5180dddf3168 (patch) | |
tree | e29ff746a6f1c0c5f92de29e8d9bce3e8d84ce05 | |
parent | fa2d37aadad24b730c4d85caf43465864b8e1a5d (diff) |
Add support for FIPS encryptionsh-fips-mode
This commit adds support for using a FIPS-validated SSL library with
compiled Go executables when `FIPS_MODE=1 make` is run. A Go compiler
that supports BoringSSL either directly (e.g. the `dev.boringcrypto`
branch) or with a dynamically linked OpenSSL
(e.g. https://github.com/golang-fips/go) is required.
This is similar to the changes to support FIPS in GitLab Runner and in
GitLab Pages:
https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716
Changelog: added
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | cmd/gitaly/main.go | 3 | ||||
-rw-r--r-- | internal/boring/boring.go | 23 | ||||
-rw-r--r-- | internal/boring/notboring.go | 9 |
4 files changed, 41 insertions, 0 deletions
@@ -42,6 +42,7 @@ bindir ?= ${exec_prefix}/bin
 INSTALL_DEST_DIR := ${DESTDIR}${bindir}
 ## The prefix where Git will be installed to.
 GIT_PREFIX ?= ${GIT_DEFAULT_PREFIX}
+FIPS_MODE ?= 0
 # Tools
 GIT := $(shell command -v git)
@@ -68,6 +69,11 @@ GO_LDFLAGS := -X ${GITALY_PACKAGE}/internal/version.version=${GITALY_VERS
 SERVER_BUILD_TAGS := tracer_static,tracer_static_jaeger,tracer_static_stackdriver,continuous_profiler_stackdriver
 GIT2GO_BUILD_TAGS := static,system_libgit2
+ifeq (${FIPS_MODE}, 1)
+    SERVER_BUILD_TAGS := ${SERVER_BUILD_TAGS},boringcrypto
+    GIT2GO_BUILD_TAGS := ${GIT2GO_BUILD_TAGS},boringcrypto
+endif
+
 # Dependency versions
 GOLANGCI_LINT_VERSION ?= 1.44.2
 GOCOVER_COBERTURA_VERSION ?= aaee18c8195c3f2d90e5ef80ca918d265463842a
diff --git a/cmd/gitaly/main.go b/cmd/gitaly/main.go
index c7386180d..b0c124038 100644
--- a/cmd/gitaly/main.go
+++ b/cmd/gitaly/main.go
@@ -15,6 +15,7 @@ import (
 	"gitlab.com/gitlab-org/gitaly/v14/internal/backchannel"
 	"gitlab.com/gitlab-org/gitaly/v14/internal/bootstrap"
 	"gitlab.com/gitlab-org/gitaly/v14/internal/bootstrap/starter"
+	"gitlab.com/gitlab-org/gitaly/v14/internal/boring"
 	"gitlab.com/gitlab-org/gitaly/v14/internal/cache"
 	"gitlab.com/gitlab-org/gitaly/v14/internal/cgroups"
 	"gitlab.com/gitlab-org/gitaly/v14/internal/git"
@@ -91,6 +92,8 @@ func main() {
 	}
 	log.Info("Starting Gitaly", "version", version.GetVersionString())
+	boring.CheckBoring()
+
 	cfg, err := configure(flag.Arg(0))
 	if err != nil {
 		log.Fatal(err)
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 000000000..cc09fab9d
--- /dev/null
+++ b/internal/boring/boring.go
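Review bot: The new `boring.CheckBoring()` call in `main` runs before `configure(flag.Arg(0))` and, per the new package, only logs, so a deployment that expects FIPS mode keeps serving on the default Go crypto with nothing but an Info line to show for it. If operators must be able to require FIPS, have the check return a bool (or error) and let `main` act on it once the config is loaded, e.g. fail startup when a (to-be-added, name TBD) "require FIPS" setting is on and the provider is not active. The Makefile hunk would also benefit from a one-line comment next to `FIPS_MODE ?= 0`, such as `# Set to 1 to build with the boringcrypto tag (needs a BoringSSL/OpenSSL-backed Go toolchain).`, since the variable is otherwise documented only in the commit message. The body of `main` continues outside the hunk.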
@@ -0,0 +1,23 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import (
+	"crypto/boring"
+
+	"gitlab.com/gitlab-org/labkit/log"
+)
+
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
+func CheckBoring() {
+	if boring.Enabled() {
+		log.Info("FIPS mode is enabled. Using an external SSL library.")
+		return
+	}
+	log.Info("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")
+}
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 000000000..1a7eb52f7
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,9 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
+func CheckBoring() {
+}
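Review bot: The fallback branch at the end of `CheckBoring` reports a FIPS-built binary running without its FIPS provider at the same Info severity as the success path, so the condition is easy to miss in logs and in alerting; use the warning-level helper of labkit's log package there, e.g. `log.Warn("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")`. The doc comment's `ldopen()` should read `dlopen()`. The success message "Using an external SSL library." presumably holds only for the golang-fips toolchain; on the `dev.boringcrypto` branch named in the commit description, BoringCrypto is linked statically and `boring.Enabled()` would likely report true with no external library involved, so a neutral wording such as `"FIPS mode is enabled: Go crypto is backed by a FIPS-validated module."` would stay accurate for both.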