authorVladimir Shushlin <vshushlin@gitlab.com>2022-04-19 15:25:27 +0300
committerVladimir Shushlin <vshushlin@gitlab.com>2022-04-19 15:25:27 +0300
commitdabfd71101d4598f31ab474f6a7bfc75bfa0a045 (patch)
tree6c4c8823512c14f92f9d87095702db813c7ce5c9
parent6ab51ec245e2dbec83b828bf685397fe1adc2e41 (diff)
parent08833c9b52f33920d6ec584235ecc5d54066e477 (diff)
Merge branch 'fips-cleanup' into 'master'
Simplify building in FIPS mode. See merge request gitlab-org/gitlab-pages!734
-rw-r--r--Makefile.build.mk15
-rw-r--r--doc/development.md5
-rw-r--r--internal/boring/boring.go9
-rw-r--r--internal/boring/notboring.go2
4 files changed, 22 insertions, 9 deletions
diff --git a/Makefile.build.mk b/Makefile.build.mk
index 9e681d8e..915b1d02 100644
--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -1,5 +1,10 @@
BINDIR := $(CURDIR)/bin
GO_BUILD_TAGS := continuous_profiler_stackdriver
+FIPS_MODE ?= 0
+ifeq ($(FIPS_MODE), 1)
+ GO_BUILD_TAGS := $(GO_BUILD_TAGS),boringcrypto
+ CGO_ENABLED := 1
+endif
# To compute a unique and deterministic value for GNU build-id, we build the Go binary a second time.
# From the first build, we extract its unique and deterministic Go build-id, and use that to derive
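Review bot: `CGO_ENABLED := 1` inside the new `ifeq ($(FIPS_MODE), 1)` block is a plain make variable; unless the Makefile exports it somewhere not visible in this hunk, it never reaches the `go install` subprocess, so a FIPS build could silently produce a binary without cgo and only the post-build symbol check further down would catch it. Prefer `export CGO_ENABLED := 1` so the environment the Go toolchain reads is set explicitly rather than relying on a later check to fail closed. The `FIPS_MODE ?= 0` line also deserves a one-line comment for the next maintainer, e.g. `# FIPS_MODE=1 adds the boringcrypto build tag and enables cgo; the build fails if the resulting binary has no boringcrypto symbols.`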
@@ -34,16 +39,12 @@ ifndef WITHOUT_BUILD_ID
GNU_BUILD_ID=$$( echo $$GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
$Q GOBIN=$(BINDIR) go install $(if $V,-v) -ldflags="$(VERSION_FLAGS) -B 0x$$GNU_BUILD_ID" -tags "${GO_BUILD_TAGS}" -buildmode exe $(IMPORT_PATH)
endif
+ifeq ($(FIPS_MODE), 1)
+ go tool nm $(BINDIR)/gitlab-pages | grep boringcrypto >/dev/null && echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
+endif
clean:
$Q GOBIN=$(BINDIR) go clean -i -modcache -x
gitlab-pages: build
$Q cp -f $(BINDIR)/gitlab-pages .
-
-validate-fips-build:
- go tool nm ./gitlab-pages | grep boringcrypto >/dev/null && echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
-
-gitlab-pages-fips: GO_BUILD_TAGS := $(GO_BUILD_TAGS),boringcrypto
-gitlab-pages-fips: CGO_ENABLED := 1
-gitlab-pages-fips: gitlab-pages validate-fips-build
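Review bot: The `go tool nm $(BINDIR)/gitlab-pages | grep boringcrypto` check only proves the binary was compiled with the boringcrypto tag; it says nothing about whether FIPS-validated crypto is actually in use at runtime, which per `internal/boring/boring.go` in this same commit depends on the host kernel and the system OpenSSL, so the echoed `binary is correctly built in FIPS mode` should not be read as a FIPS-mode guarantee. A comment above the `ifeq` saying so would prevent that misreading, e.g. `# Build-time sanity check only: runtime FIPS enforcement is reported by CheckBoring at startup.` Minor style: `grep boringcrypto >/dev/null` reads more clearly as `grep -q boringcrypto`, and the failure message should go to stderr (`echo "..." >&2`) so it is not lost in piped build logs. The recipe these lines belong to starts above the hunk, so which target runs the check is not visible here.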
diff --git a/doc/development.md b/doc/development.md
index 2b8001a4..77603683 100644
--- a/doc/development.md
+++ b/doc/development.md
@@ -21,6 +21,11 @@ Build and start the app. For any changes, you must run `make` to build the app,
make && ./gitlab-pages -config=gitlab-pages.conf
```
+To build in FIPS mode
+```
+$ FIPS_MODE=1 make && ./gitlab-pages -config=gitlab-pages.conf
+```
+
Visit http://group.192.168.1.135.nip.io:8090/project/index.html (replace `192.168.1.135` with your IP) and you should see a
`project-subdir` response
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
index 0a59ec4a..e6d19aeb 100644
--- a/internal/boring/boring.go
+++ b/internal/boring/boring.go
@@ -9,10 +9,15 @@ import (
"gitlab.com/gitlab-org/labkit/log"
)
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
func CheckBoring() {
if boring.Enabled() {
- log.Info("FIPS mode is enabled. Using BoringSSL.")
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
return
}
- log.Info("GitLab Pages was compiled with FIPS mode but BoringSSL is not enabled.")
+ log.Info("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.")
}
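Review bot: When the binary was built for FIPS but `boring.Enabled()` returns false, the second `log.Info` call is the only signal that the process is running with non-FIPS crypto; an operator deploying for compliance can easily miss an Info-level line, so this branch should log at least at warning level, and a hard startup failure behind a config flag would be the safer default for FIPS deployments. Suggested replacement for the final log line: `log.Warn("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled; cryptography in this process is NOT FIPS-validated.")`. The new doc comment also says `ldopen()`; the libc call is `dlopen()`, and it would help to state that `boring.Enabled()` is the only runtime check performed here, with the kernel flag and OpenSSL loading being the toolchain's concern rather than something this function verifies itself.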
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
index 6dbf3c39..1a7eb52f 100644
--- a/internal/boring/notboring.go
+++ b/internal/boring/notboring.go
@@ -3,5 +3,7 @@
package boring
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
func CheckBoring() {
}