author | Vishal Tak <vtak@gitlab.com> | 2022-04-27 07:45:22 +0300 |
---|---|---|
committer | Vishal Tak <vtak@gitlab.com> | 2022-04-27 09:14:52 +0300 |
commit | 21cfe26446f7862e2a65c9129ef573a1881f296d (patch) | |
tree | 172ae1116e1e076c133dc433b73b35bcc8f3e997 | |
parent | f114a581206c07813031f20ca4dc47a9d8a2e045 (diff) |
Use labkit for fips check
Changelog: changed
-rw-r--r-- | Makefile.build.mk | 2 | ||||
-rw-r--r-- | go.mod | 3 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | internal/boring/boring.go | 23 | ||||
-rw-r--r-- | internal/boring/notboring.go | 9 | ||||
-rw-r--r-- | main.go | 4 |
6 files changed, 7 insertions, 38 deletions
diff --git a/Makefile.build.mk b/Makefile.build.mk index 915b1d02..ba672739 100644 --- a/Makefile.build.mk +++ b/Makefile.build.mk @@ -2,7 +2,7 @@ BINDIR := $(CURDIR)/bin GO_BUILD_TAGS := continuous_profiler_stackdriver FIPS_MODE ?= 0 ifeq ($(FIPS_MODE), 1) - GO_BUILD_TAGS := $(GO_BUILD_TAGS),boringcrypto + GO_BUILD_TAGS := $(GO_BUILD_TAGS),fips CGO_ENABLED := 1 endif @@ -26,7 +26,7 @@ require ( gitlab.com/feistel/go-contentencoding v1.0.0 gitlab.com/gitlab-org/go-mimedb v1.45.0 gitlab.com/gitlab-org/golang-archive-zip v0.1.1 - gitlab.com/gitlab-org/labkit v1.13.0 + gitlab.com/gitlab-org/labkit v1.14.0 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 golang.org/x/net v0.0.0-20211008194852-3b03d305991f golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 @@ -47,6 +47,7 @@ require ( github.com/google/pprof v0.0.0-20210804190019-f964ff605595 // indirect github.com/googleapis/gax-go/v2 v2.0.5 // indirect github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/kr/text v0.2.0 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect github.com/oklog/ulid/v2 v2.0.2 // indirect github.com/pkg/errors v0.9.1 // indirect 
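Review bot: In Makefile.build.mk, the `ifeq ($(FIPS_MODE), 1)` block now sets a tag (`fips`) that no file in this tree reads, and the runtime prerequisites for a FIPS build are, as far as this diff shows, no longer written down in the repository. The doc comment deleted with internal/boring/boring.go listed them: a FIPS-enabled kernel and a dynamically loadable system OpenSSL. I would add a comment above `FIPS_MODE ?= 0`, for example `# FIPS_MODE=1 builds with the "fips" tag consumed by labkit/fips; at runtime it needs a FIPS-enabled kernel and a loadable system OpenSSL.` Any CI job or packaging script that still passes `boringcrypto` explicitly would now build without the check; that cannot be verified from this hunk.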
@@ -460,8 +460,8 @@ gitlab.com/gitlab-org/go-mimedb v1.45.0 h1:PO8dx6HEWzPYU6MQTYnCbpQEJzhJLW/Bh43+2 gitlab.com/gitlab-org/go-mimedb v1.45.0/go.mod h1:wa9y/zOSFKmTXLyBs4clz2FNVhZQmmEQM9TxslPAjZ0= gitlab.com/gitlab-org/golang-archive-zip v0.1.1 h1:35k9giivbxwF03+8A05Cm8YoxoakU8FBCj5gysjCTCE= gitlab.com/gitlab-org/golang-archive-zip v0.1.1/go.mod h1:ZDtqpWPGPB9qBuZnZDrKQjIdJtkN7ZAoVwhT6H2o2kE= -gitlab.com/gitlab-org/labkit v1.13.0 h1:db+7T3LPTPkN7i+ngcMSvJnto5BW3FwiTbv9WqgVVk4= -gitlab.com/gitlab-org/labkit v1.13.0/go.mod h1:uS4O6ORqN47VuEN8P9Dx0PSFc/gsr6fMpe4zJa1+g2Q= +gitlab.com/gitlab-org/labkit v1.14.0 h1:LSrvHgybidPyH8fHnsy1GBghrLR4kFObFrtZwUfCgAI= +gitlab.com/gitlab-org/labkit v1.14.0/go.mod h1:bcxc4ZpAC+WyACgyKl7FcvT2XXAbl8CrzN6UY+w8cMc= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= diff --git a/internal/boring/boring.go b/internal/boring/boring.go deleted file mode 100644 index e6d19aeb..00000000 --- a/internal/boring/boring.go +++ /dev/null @@ -1,23 +0,0 @@ -//go:build boringcrypto -// +build boringcrypto - -package boring - -import ( - "crypto/boring" - - "gitlab.com/gitlab-org/labkit/log" -) - -// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go -// compiler in https://github.com/golang-fips/go, this requires that: -// -// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1). -// 2. A system OpenSSL can be dynamically loaded via ldopen(). -func CheckBoring() { - if boring.Enabled() { - log.Info("FIPS mode is enabled. Using an external SSL library.") - return - } - log.Info("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.") -} diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go deleted file mode 100644 index 1a7eb52f..00000000 
--- a/internal/boring/notboring.go +++ /dev/null @@ -1,9 +0,0 @@ -//go:build !boringcrypto -// +build !boringcrypto - -package boring - -// CheckBoring does nothing when the boringcrypto tag is not in the -// build. -func CheckBoring() { -} @@ -8,9 +8,9 @@ import ( "github.com/sirupsen/logrus" "gitlab.com/gitlab-org/labkit/errortracking" + "gitlab.com/gitlab-org/labkit/fips" "gitlab.com/gitlab-org/labkit/log" - "gitlab.com/gitlab-org/gitlab-pages/internal/boring" cfg "gitlab.com/gitlab-org/gitlab-pages/internal/config" "gitlab.com/gitlab-org/gitlab-pages/internal/logging" "gitlab.com/gitlab-org/gitlab-pages/internal/validateargs" @@ -74,7 +74,7 @@ func appMain() { if err := os.Chdir(config.General.RootDir); err != nil { fatal(err, "could not change directory into pagesRoot") } - boring.CheckBoring() + fips.Check() runApp(config) } |
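Review bot: The FIPS check in main.go's appMain is advisory only: `fips.Check()` is called as a bare statement right before `runApp(config)` and nothing acts on its outcome. The removed `CheckBoring` it replaces only logged at Info level when the binary was compiled for FIPS but the external SSL library was not enabled. If labkit's check behaves the same way (its body is not shown on this page), a FIPS-tagged binary keeps serving with non-validated crypto and the only signal is one Info line in the log. Either fail startup in that case, or at least record the intent at the call site, e.g. `// fips.Check only reports the FIPS state in the log; startup continues either way.`, so operators know to alert on that message. The start of appMain lies outside the hunk.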