4 files changed, 34 insertions, 0 deletions

diff --git a/Makefile.build.mk b/Makefile.build.mk
index 88d74dbf..9e681d8e 100644
--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -40,3 +40,10 @@ clean:
 
 gitlab-pages: build
 	$Q cp -f $(BINDIR)/gitlab-pages .
+
+validate-fips-build:
+	go tool nm ./gitlab-pages | grep boringcrypto >/dev/null &&  echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
+
+gitlab-pages-fips: GO_BUILD_TAGS := $(GO_BUILD_TAGS),boringcrypto
+gitlab-pages-fips: CGO_ENABLED := 1
+gitlab-pages-fips: gitlab-pages validate-fips-build
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 00000000..0a59ec4a
--- /dev/null
+++ b/internal/boring/boring.go
@@ -0,0 +1,18 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import (
+	"crypto/boring"
+
+	"gitlab.com/gitlab-org/labkit/log"
+)
+
+func CheckBoring() {
+	if boring.Enabled() {
+		log.Info("FIPS mode is enabled. Using BoringSSL.")
+		return
+	}
+	log.Info("GitLab Pages was compiled with FIPS mode but BoringSSL is not enabled.")
+}
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 00000000..6dbf3c39
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,7 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+func CheckBoring() {
+}
diff --git a/main.go b/main.go
index 79f4a1da..b7bfde17 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 	"gitlab.com/gitlab-org/labkit/errortracking"
 	"gitlab.com/gitlab-org/labkit/log"
 
+	"gitlab.com/gitlab-org/gitlab-pages/internal/boring"
 	cfg "gitlab.com/gitlab-org/gitlab-pages/internal/config"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/logging"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/validateargs"
@@ -73,6 +74,7 @@ func appMain() {
 	if err := os.Chdir(config.General.RootDir); err != nil {
 		fatal(err, "could not change directory into pagesRoot")
 	}
+	boring.CheckBoring()
 
 	runApp(config)
 }