author | Vishal Tak <vtak@gitlab.com> | 2022-03-28 09:22:05 +0300 |
---|---|---|
committer | Vishal Tak <vtak@gitlab.com> | 2022-03-28 09:22:05 +0300 |
commit | 2e4b84b6ac95087b96e346916b3ced662269b15d (patch) | |
tree | 5edbc6a6c7d540fce04b226b1d537474fe1a03e4 | |
parent | 65bf4a6024e01fae8b4c88d6e577e3ad145d87d7 (diff) |
Add FIPS support
Changelog: added
-rw-r--r-- | Makefile.build.mk | 15 | ||||
-rw-r--r-- | internal/boring/boring.go | 10 | ||||
-rw-r--r-- | internal/boring/notboring.go | 7 | ||||
-rw-r--r-- | main.go | 2 |
4 files changed, 34 insertions, 0 deletions
diff --git a/Makefile.build.mk b/Makefile.build.mk
index 88d74dbf..806d21db 100644
--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -1,5 +1,9 @@
 BINDIR := $(CURDIR)/bin
 GO_BUILD_TAGS := continuous_profiler_stackdriver
+GO_BUILD_TAGS_FIPS := boringcrypto
+ifneq ($(GO_BUILD_TAGS),)
+ GO_BUILD_TAGS_FIPS := $(GO_BUILD_TAGS),$(GO_BUILD_TAGS_FIPS)
+endif
 # To compute a unique and deterministic value for GNU build-id, we build the Go binary a second time.
 # From the first build, we extract its unique and deterministic Go build-id, and use that to derive
@@ -40,3 +44,14 @@ clean:
 gitlab-pages: build
 $Q cp -f $(BINDIR)/gitlab-pages .
+
+build-fips: .GOPATH/.ok
+ $Q GOBIN=$(BINDIR) CGO_ENABLED=1 go install $(if $V,-v) -ldflags="$(VERSION_FLAGS)" -tags "${GO_BUILD_TAGS_FIPS}" -buildmode exe $(IMPORT_PATH)
+ifndef WITHOUT_BUILD_ID
+ GO_BUILD_ID=$$( go tool buildid $(BINDIR)/gitlab-pages ) && \
+ GNU_BUILD_ID=$$( echo $$GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
+ $Q GOBIN=$(BINDIR) CGO_ENABLED=1 go install $(if $V,-v) -ldflags="$(VERSION_FLAGS) -B 0x$$GNU_BUILD_ID" -tags "${GO_BUILD_TAGS_FIPS}" -buildmode exe $(IMPORT_PATH)
+endif
+
+gitlab-pages-fips: build-fips
+ $Q cp -f $(BINDIR)/gitlab-pages .
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 00000000..6e125210
--- /dev/null
+++ b/internal/boring/boring.go
@@ -0,0 +1,10 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import "gitlab.com/gitlab-org/labkit/log"
+
+func CheckBoring() {
+ log.Info("FIPS mode is enabled. Using BoringSSL.")
+}
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 00000000..6dbf3c39
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,7 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+func CheckBoring() {
+}
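Review bot: Nothing in the `build-fips` recipe verifies that the `go` on PATH is a BoringCrypto-capable toolchain, so with a stock toolchain `-tags boringcrypto` presumably still builds and yields an ordinary binary that is treated as the FIPS one. A post-build assertion would make the target fail closed, for example `go tool nm $(BINDIR)/gitlab-pages | grep -q _Cfunc__goboringcrypto_` as the last recipe line (the symbol name depends on the toolchain fork, so confirm it against the one used for release builds). The output path also appears to be the same `$(BINDIR)/gitlab-pages` as the regular build, which is an inference because the `build` target lies outside the hunk, so a FIPS and a non-FIPS artefact cannot be told apart by name.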
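Review bot: `CheckBoring` in boring.go logs "FIPS mode is enabled. Using BoringSSL." on the strength of the build tag alone; it checks nothing at run time, so the line states a compliance fact the code has not established (a manually passed `-tags boringcrypto` is enough to produce it). Either word it as what is known, `log.Info("Built with the boringcrypto build tag.")`, or have it query the crypto module where the toolchain exposes that (newer Go toolchains ship `crypto/boring` with `Enabled()`) and return an error so that the call added in main.go's `appMain` can `fatal` instead of starting. Both exported functions also lack doc comments; `// CheckBoring logs whether this binary was built with the boringcrypto tag.` on boring.go and `// CheckBoring is a no-op in builds without the boringcrypto tag.` on notboring.go would do.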
@@ -10,6 +10,7 @@ import (
 "gitlab.com/gitlab-org/labkit/errortracking"
 "gitlab.com/gitlab-org/labkit/log"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/boring"
 cfg "gitlab.com/gitlab-org/gitlab-pages/internal/config"
 "gitlab.com/gitlab-org/gitlab-pages/internal/logging"
 "gitlab.com/gitlab-org/gitlab-pages/internal/validateargs"
@@ -73,6 +74,7 @@ func appMain() {
 if err := os.Chdir(config.General.RootDir); err != nil {
 fatal(err, "could not change directory into pagesRoot")
 }
+ boring.CheckBoring()
 runApp(config)
 } |