TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64
This commit is contained in:
parent
7024d193c9
commit
157f5d1412
36
Makefile
36
Makefile
|
@ -3,14 +3,6 @@ MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut
|
||||||
#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
|
#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
|
||||||
#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
|
#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
|
||||||
|
|
||||||
ifeq ($(FIPS), true)
|
|
||||||
GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifneq ($(GO_BUILD_TAGS),)
|
|
||||||
GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(NIGHTLY), true)
|
ifeq ($(NIGHTLY), true)
|
||||||
DEB_PACKAGE_NAME := cloudflared-nightly
|
DEB_PACKAGE_NAME := cloudflared-nightly
|
||||||
NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
|
NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
|
||||||
|
@ -19,7 +11,19 @@ else
|
||||||
endif
|
endif
|
||||||
|
|
||||||
DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
|
DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
|
||||||
VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
|
VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
|
||||||
|
|
||||||
|
LINK_FLAGS :=
|
||||||
|
ifeq ($(FIPS), true)
|
||||||
|
LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
|
||||||
|
# Prevent linking with libc regardless of CGO enabled or not.
|
||||||
|
GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
|
||||||
|
endif
|
||||||
|
|
||||||
|
LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
|
||||||
|
ifneq ($(GO_BUILD_TAGS),)
|
||||||
|
GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
|
||||||
|
endif
|
||||||
|
|
||||||
IMPORT_PATH := github.com/cloudflare/cloudflared
|
IMPORT_PATH := github.com/cloudflare/cloudflared
|
||||||
PACKAGE_DIR := $(CURDIR)/packaging
|
PACKAGE_DIR := $(CURDIR)/packaging
|
||||||
|
@ -83,14 +87,12 @@ clean:
|
||||||
cloudflared:
|
cloudflared:
|
||||||
ifeq ($(FIPS), true)
|
ifeq ($(FIPS), true)
|
||||||
$(info Building cloudflared with go-fips)
|
$(info Building cloudflared with go-fips)
|
||||||
-test -f fips/fips.go && mv fips/fips.go fips/fips.go.linux-amd64
|
cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
|
||||||
mv fips/fips.go.linux-amd64 fips/fips.go
|
|
||||||
endif
|
endif
|
||||||
|
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
|
||||||
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
|
|
||||||
|
|
||||||
ifeq ($(FIPS), true)
|
ifeq ($(FIPS), true)
|
||||||
mv fips/fips.go fips/fips.go.linux-amd64
|
rm -f cmd/cloudflared/fips.go
|
||||||
|
./check-fips.sh cloudflared
|
||||||
endif
|
endif
|
||||||
|
|
||||||
.PHONY: container
|
.PHONY: container
|
||||||
|
@ -100,10 +102,10 @@ container:
|
||||||
.PHONY: test
|
.PHONY: test
|
||||||
test: vet
|
test: vet
|
||||||
ifndef CI
|
ifndef CI
|
||||||
go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
|
go test -v -mod=vendor -race $(LDFLAGS) ./...
|
||||||
else
|
else
|
||||||
@mkdir -p .cover
|
@mkdir -p .cover
|
||||||
go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
|
go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
|
||||||
go tool cover -html ".cover/c.out" -o .cover/all.html
|
go tool cover -html ".cover/c.out" -o .cover/all.html
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
|
|
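Review bot: In the FIPS branch of the `cloudflared` recipe, `cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go` runs before `go build`, but the matching `rm -f cmd/cloudflared/fips.go` only runs after the build succeeds; since make stops at the first failing recipe line, a failed FIPS build leaves the copied file in the source tree, and the non-FIPS 386/arm/arm64 builds that build-packages.sh runs from the same checkout would then compile it unless it carries a `fips` build constraint, which this page does not show. Make the cleanup idempotent at the start of the branch as well: add `rm -f cmd/cloudflared/fips.go` before the `cp -f`, and list the same path in `clean`. The branch is also keyed on `FIPS` alone even though the source it copies is `linux-amd64` specific, so `FIPS=true` with any other `TARGET_OS`/`TARGET_ARCH` silently builds with the wrong file; an `$(error FIPS builds are only supported on linux/amd64)` when `$(TARGET_OS)/$(TARGET_ARCH)` is not `linux/amd64` would fail closed. A short comment above the branch explaining why the file is copied in rather than kept under `cmd/cloudflared` permanently (apparently to keep it out of non-FIPS builds) would help the next maintainer.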
@ -1,6 +1,9 @@
|
||||||
VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
|
VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
|
||||||
echo $VERSION
|
echo $VERSION
|
||||||
|
|
||||||
|
# Avoid depending on C code since we don't need it.
|
||||||
export CGO_ENABLED=0
|
export CGO_ENABLED=0
|
||||||
|
|
||||||
# This controls the directory the built artifacts go into
|
# This controls the directory the built artifacts go into
|
||||||
export ARTIFACT_DIR=built_artifacts/
|
export ARTIFACT_DIR=built_artifacts/
|
||||||
mkdir -p $ARTIFACT_DIR
|
mkdir -p $ARTIFACT_DIR
|
||||||
|
@ -14,10 +17,15 @@ for arch in ${windowsArchs[@]}; do
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
export FIPS=true
|
# amd64 is last because we override settings for it
|
||||||
linuxArchs=("amd64" "386" "arm" "arm64")
|
linuxArchs=("386" "arm" "arm64" "amd64")
|
||||||
export TARGET_OS=linux
|
export TARGET_OS=linux
|
||||||
for arch in ${linuxArchs[@]}; do
|
for arch in ${linuxArchs[@]}; do
|
||||||
|
if [ "${arch}" = "amd64" ]; then
|
||||||
|
export FIPS=true
|
||||||
|
# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
|
||||||
|
export CGO_ENABLED=1
|
||||||
|
fi
|
||||||
export TARGET_ARCH=$arch
|
export TARGET_ARCH=$arch
|
||||||
make cloudflared-deb
|
make cloudflared-deb
|
||||||
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
|
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
|
||||||
|
@ -37,4 +45,3 @@ for arch in ${linuxArchs[@]}; do
|
||||||
# finally move the linux binary as well.
|
# finally move the linux binary as well.
|
||||||
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
|
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
|
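Review bot: The amd64 iteration exports `FIPS=true` and `CGO_ENABLED=1` but nothing resets them, so the non-FIPS 386/arm/arm64 builds are only correct because `amd64` is the last element of `linuxArchs` (the comment on the array admits this ordering dependency), and anything executed after the loop inherits a FIPS, cgo-enabled environment; the hunk ends at `done`, so I cannot see whether there is such a step. Setting both variables on every iteration removes the dependency on array order: extend the `if` with `else` / `export FIPS=false` / `export CGO_ENABLED=0`, which is safe because the Makefile tests `ifeq ($(FIPS), true)` rather than whether `FIPS` is set. With that in place the "amd64 is last" comment and the reordering of the array are no longer needed.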
@ -1,5 +1,5 @@
|
||||||
pinned_go: &pinned_go go=1.17-1
|
pinned_go: &pinned_go go=1.17-1
|
||||||
pinned_go_fips: &pinned_go_fips go-boring=1.16.6-6
|
pinned_go_fips: &pinned_go_fips go-boring=1.16.6-7
|
||||||
|
|
||||||
build_dir: &build_dir /cfsetup_build
|
build_dir: &build_dir /cfsetup_build
|
||||||
default-flavor: buster
|
default-flavor: buster
|
||||||
|
@ -41,7 +41,6 @@ stretch: &stretch
|
||||||
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
|
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
|
||||||
- chmod a+x /usr/local/bin/wixl
|
- chmod a+x /usr/local/bin/wixl
|
||||||
post-cache:
|
post-cache:
|
||||||
- export FIPS=true
|
|
||||||
- ./build-packages.sh
|
- ./build-packages.sh
|
||||||
github-release-pkgs:
|
github-release-pkgs:
|
||||||
build_dir: *build_dir
|
build_dir: *build_dir
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Pass the path to the executable to check for FIPS compliance
|
||||||
|
exe=$1
|
||||||
|
|
||||||
|
if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
|
||||||
|
# Asserts that executable is using FIPS-compliant boringcrypto
|
||||||
|
echo "${exe}: missing goboring symbols" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
|
||||||
|
# Asserts that executable is using FIPS-only schemes
|
||||||
|
echo "${exe}: missing fipsonly symbols" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "${exe} is FIPS-compliant"
|
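Review bot: The new script has no interpreter line and no strict-mode flags, so when the Makefile runs it as `./check-fips.sh` it depends on the calling shell's fallback for scripts without a shebang, and a missing or wrong `$1` is not distinguished from a real failure: `go tool nm` on a nonexistent path prints an error, `grep -c` reports 0, and the script reports "missing goboring symbols" for a binary it never inspected. Start it with `#!/bin/sh` and `set -eu`, and validate the argument before the symbol checks with `[ -f "${exe}" ] || { echo "usage: $0 <executable>" >&2; exit 2; }`. Consider also a header comment stating what the two checks establish and what they do not — the presence of `_Cfunc__goboringcrypto_` and `crypto/internal/boring/sig.FIPSOnly` symbols shows the binary was linked against BoringCrypto with FIPS-only mode compiled in, but it does not by itself prove that every code path uses those primitives.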