cloudflared-mirror/check-fips.sh

# Pass the path to the executable to check for FIPS compliance
exe=$1

if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
    # Asserts that executable is using FIPS-compliant boringcrypto
    echo "${exe}: missing goboring symbols" >&2
    exit 1
fi
if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
    # Asserts that executable is using FIPS-only schemes
    echo "${exe}: missing fipsonly symbols" >&2
    exit 1
fi

echo "${exe} is FIPS-compliant"
TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries This is a cherry-pick of 157f5d141215ec8a77a06a93ee2f9f1376b31811 followed by build/CI changes so that amd64/linux FIPS compliance is provided by new/separate binaries/artifacts/packages. The reasoning being that FIPS compliance places excessive requirements in the encryption algorithms used for regular users that do not care about that. This can cause cloudflared to reject HTTPS origins that would otherwise be accepted without FIPS checks. This way, by having separate binaries, existing ones remain as they were, and only FIPS-needy users will opt-in to the new FIPS binaries. 2021-11-09 11:37:51 +00:00			`# Pass the path to the executable to check for FIPS compliance`
			`exe=$1`

			`if [ "$(go tool nm "${exe}" \| grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then`
			`# Asserts that executable is using FIPS-compliant boringcrypto`
			`echo "${exe}: missing goboring symbols" >&2`
			`exit 1`
			`fi`
			`if [ "$(go tool nm "${exe}" \| grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then`
			`# Asserts that executable is using FIPS-only schemes`
			`echo "${exe}: missing fipsonly symbols" >&2`
			`exit 1`
			`fi`

			`echo "${exe} is FIPS-compliant"`