Commit 6b96eb7

committed
Use Labkit for FIPS check
We can reduce code duplication used for the FIPS check by using LabKit's implementation. LabKit uses the `fips` tag instead of the `boringcrypto` tag, which is deprecated in any case and replaced with `GOEXPERIMENT=boringcrypto` due to golang/go#51940. This commit changes the message on a FIPS system from: ``` FIPS mode enabled. Using BoringSSL. ``` to: ``` FIPS mode is enabled. Using an external SSL library. ``` On a non-FIPS system, this commit changes the message from: ``` GitLab Runner was compiled with FIPS mode but BoringSSL is not enabled. ``` to: ``` Binary was compiled with FIPS mode, but an external SSL library was not enabled. ```
1 parent 194c194 commit 6b96eb7

7 files changed

+23
-105
lines changed

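--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -10,7 +10,7 @@ runner-bin-fips: export GOARCH ?= amd64
 runner-bin-fips:
 # Building $(NAME) in version $(VERSION) for FIPS $(GOOS) $(GOARCH)
 GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
--tags boringcrypto \
+-tags fips \
 -ldflags "$(GO_LDFLAGS)" \
 -o="out/binaries/$(NAME)-$(GOOS)-$(GOARCH)-fips" \
 $(PKG)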
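Review bot: The `runner-bin-fips` recipe now passes only `-tags fips`, and nothing in the visible lines selects the crypto backend itself, so whether the binary really links a validated module appears to depend on the toolchain and environment the build runs in. Per the commit description the tag enables LabKit's check, which on a mismatch reports `Binary was compiled with FIPS mode, but an external SSL library was not enabled.`; whether that only logs at startup or stops the process is not visible here, and it is worth confirming so a mis-built `-fips` artifact cannot ship unnoticed. I would document the requirement above the rule, outside the recipe so it is not passed to the shell, e.g. `# Requires a FIPS-capable Go toolchain (or GOEXPERIMENT=boringcrypto); -tags fips only enables the runtime check.` The same applies to the `${BASE_BINARY_PATH}-fips` rule in Makefile.runner_helper.mk; the target-specific variable lines for both rules sit above their hunks.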

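--- a/Makefile.runner_helper.mk
+++ b/Makefile.runner_helper.mk
@@ -105,7 +105,7 @@ ${BASE_BINARY_PATH}-fips: export GOARCH ?= amd64
 ${BASE_BINARY_PATH}-fips: APP_NAME := "gitlab-runner-helper"
 ${BASE_BINARY_PATH}-fips: $(HELPER_GO_FILES)
 GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
--tags boringcrypto \
+-tags fips \
 -ldflags "$(GO_LDFLAGS)" \
 -o="${BASE_BINARY_PATH}.$(GO_ARCH_NAME_$(GOARCH))-fips" \
 $(PKG)/apps/gitlab-runner-helper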

boring/boring.go

-17
This file was deleted.

boring/notboring.go

-6
This file was deleted.

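--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/docker/go-units v0.5.0
 github.com/docker/machine v0.7.1-0.20170120224952-7b7a141da844
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
-github.com/getsentry/sentry-go v0.11.0
+github.com/getsentry/sentry-go v0.13.0
 github.com/golang/mock v1.6.0
 github.com/googleapis/gax-go/v2 v2.7.0
 github.com/gorhill/cronexpr v0.0.0-20160318121724-f0984319b442
@@ -48,6 +48,7 @@ require (
 gitlab.com/gitlab-org/fleeting/taskscaler/metrics/prometheus v0.0.0-20221107182235-c41f6499e083
 gitlab.com/gitlab-org/gitlab-terminal v0.0.0-20210104151801-2a71b03b4462
 gitlab.com/gitlab-org/golang-cli-helpers v0.0.0-20210929155855-70bef318ae0a
+gitlab.com/gitlab-org/labkit v1.17.0
 gocloud.dev v0.27.0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
 golang.org/x/net v0.5.0
@@ -76,6 +77,7 @@ require (
 github.com/Microsoft/go-winio v0.5.2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.1.2 // indirect
+github.com/client9/reopen v1.0.0 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/docker/docker-credential-helpers v0.6.3 // indirect
@@ -89,7 +91,7 @@ require (
 github.com/go-openapi/swag v0.21.1 // indirect
 github.com/gofrs/uuid v4.2.0+incompatible // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
-github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
+github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/golang/snappy v0.0.4 // indirect
@@ -141,6 +143,7 @@ require (
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/oklog/run v1.1.0 // indirect
+github.com/oklog/ulid/v2 v2.0.2 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.0.2 // indirect
 github.com/pierrec/lz4 v2.0.5+incompatible // indirect
@@ -151,6 +154,7 @@ require (
 github.com/russross/blackfriday/v2 v2.0.1 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
 github.com/saracen/zipextra v0.0.0-20220303013732-0187cb0159ea // indirect
+github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a // indirect
 github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/stretchr/objx v0.5.0 // indirect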
