TUN-5549: Revert "TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64"

This reverts commit 157f5d1412.

FIPS compliant binaries (for linux/amd64) are causing HTTPS origins to not
be reachable by cloudflared in certain cases (e.g. with Let's Encrypt certificates).

Origins that are not HTTPS for cloudflared are not affected.

CHANGES.md

@@ -1,5 +1,9 @@
 **Experimental**: This is a new format for release notes. The format and availability is subject to change.
 
+## 2021.12.1
+### Bug Fixe
+ - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
+
 ## 2021.12.0
 ### New Features
 - Cloudflared binary released for amd64 linux is now FIPS compliant.

Makefile

@@ -3,6 +3,14 @@ MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 
+ifeq ($(FIPS), true)
+	GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
+endif
+
+ifneq ($(GO_BUILD_TAGS),)
+	GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
+endif
+
 ifeq ($(NIGHTLY), true)
 	DEB_PACKAGE_NAME := cloudflared-nightly
 	NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
@@ -11,19 +19,7 @@ else
 endif
 
 DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
-
-LINK_FLAGS :=
-ifeq ($(FIPS), true)
-	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
-	# Prevent linking with libc regardless of CGO enabled or not.
-	GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
-endif
-
-LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
-ifneq ($(GO_BUILD_TAGS),)
-	GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
-endif
+VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
 
 IMPORT_PATH   := github.com/cloudflare/cloudflared
 PACKAGE_DIR   := $(CURDIR)/packaging
@@ -84,15 +80,17 @@ clean:
 	go clean
 
 .PHONY: cloudflared
-cloudflared:
+cloudflared: 
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
-	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
+	-test -f fips/fips.go && mv fips/fips.go fips/fips.go.linux-amd64
+	mv fips/fips.go.linux-amd64 fips/fips.go
 endif
-	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+
+	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
+
 ifeq ($(FIPS), true)
-	rm -f cmd/cloudflared/fips.go
-	./check-fips.sh cloudflared
+	mv fips/fips.go fips/fips.go.linux-amd64
 endif
 
 .PHONY: container
@@ -102,10 +100,10 @@ container:
 .PHONY: test
 test: vet
 ifndef CI
-	go test -v -mod=vendor -race $(LDFLAGS) ./...
+	go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
 else
 	@mkdir -p .cover
-	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
+	go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
 	go tool cover -html ".cover/c.out" -o .cover/all.html
 endif
 
@@ -249,8 +247,8 @@ tunnelrpc-deps:
 	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
 
 .PHONY: quic-deps
-quic-deps:
-	which capnp
+quic-deps: 
+	which capnp 
 	which capnpc-go
 	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
 
@@ -260,9 +258,9 @@ vet:
 	# go get github.com/sudarshan-reddy/go-sumtype (don't do this in build directory or this will cause vendor issues)
 	# Note: If you have github.com/BurntSushi/go-sumtype then you might have to use the repo above instead
 	# for now because it uses an older version of golang.org/x/tools.
-	which go-sumtype
+	which go-sumtype  
 	go-sumtype $$(go list -mod=vendor ./...)
 
 .PHONY: goimports
 goimports:
-	for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
+	for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done

build-packages.sh

@@ -1,15 +1,12 @@
 VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
-
-# Avoid depending on C code since we don't need it.
 export CGO_ENABLED=0
-
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 export TARGET_OS=windows
-for arch in ${windowsArchs[@]}; do
+for arch in ${windowsArchs[@]}; do 
     export TARGET_ARCH=$arch
     make cloudflared-msi
     mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
@@ -17,20 +14,15 @@ for arch in ${windowsArchs[@]}; do
 done
 
 
-# amd64 is last because we override settings for it
-linuxArchs=("386" "arm" "arm64" "amd64")
+export FIPS=true
+linuxArchs=("amd64" "386" "arm" "arm64")
 export TARGET_OS=linux
-for arch in ${linuxArchs[@]}; do
-    if [ "${arch}" = "amd64" ]; then
-        export FIPS=true
-        # For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
-        export CGO_ENABLED=1
-    fi
+for arch in ${linuxArchs[@]}; do 
     export TARGET_ARCH=$arch
     make cloudflared-deb
     mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 
-    # rpm packages invert the - and _ and use x86_64 instead of amd64.
+    # rpm packages invert the - and _ and use x86_64 instead of amd64. 
     RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
     RPMARCH=$arch
     if [ $arch == "amd64" ];then
@@ -45,3 +37,4 @@ for arch in ${linuxArchs[@]}; do
     # finally move the linux binary as well.
     mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
+

cfsetup.yaml

@@ -1,5 +1,5 @@
 pinned_go: &pinned_go go=1.17-1
-pinned_go_fips: &pinned_go_fips go-boring=1.16.6-7
+pinned_go_fips: &pinned_go_fips go-boring=1.16.6-6
 
 build_dir: &build_dir /cfsetup_build
 default-flavor: buster
@@ -41,6 +41,7 @@ stretch: &stretch
       - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
       - chmod a+x /usr/local/bin/wixl
     post-cache:
+      - export FIPS=true
       - ./build-packages.sh
   github-release-pkgs:
     build_dir: *build_dir

check-fips.sh

@@ -1,15 +0,0 @@
-# Pass the path to the executable to check for FIPS compliance
-exe=$1
-
-if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
-    # Asserts that executable is using FIPS-compliant boringcrypto
-    echo "${exe}: missing goboring symbols" >&2
-    exit 1
-fi
-if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
-    # Asserts that executable is using FIPS-only schemes
-    echo "${exe}: missing fipsonly symbols" >&2
-    exit 1
-fi
-
-echo "${exe} is FIPS-compliant"