From 2dc5f6ec8c22857f21d58a231beeabe2e2c3e09e Mon Sep 17 00:00:00 2001
From: Nuno Diegues
Date: Thu, 16 Dec 2021 00:26:05 +0000
Subject: [PATCH] TUN-5549: Revert "TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64"

This reverts commit 157f5d141215ec8a77a06a93ee2f9f1376b31811.

FIPS compliant binaries (for linux/amd64) are causing HTTPS origins to not be reachable by cloudflared in certain cases (e.g. with Let's Encrypt certificates). Origins that are not HTTPS for cloudflared are not affected.
---
 CHANGES.md | 4 ++++
 Makefile | 46 ++++++++++++++++++++++------------------------
 build-packages.sh | 19 ++++++-------------
 cfsetup.yaml | 3 ++-
 check-fips.sh | 15 ---------------
 5 files changed, 34 insertions(+), 53 deletions(-)
 delete mode 100755 check-fips.sh

diff --git a/CHANGES.md b/CHANGES.md
index 3efd8e2e..61c120a8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,9 @@
 **Experimental**: This is a new format for release notes. The format and availability is subject to change.
 
+## 2021.12.1
+### Bug Fixe
+ - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
+
 ## 2021.12.0
 ### New Features
  - Cloudflared binary released for amd64 linux is now FIPS compliant.
diff --git a/Makefile b/Makefile
index c1b0e29b..9bce8cbc 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,14 @@ MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 
+ifeq ($(FIPS), true)
+ GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
+endif
+
+ifneq ($(GO_BUILD_TAGS),)
+ GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
+endif
+
 ifeq ($(NIGHTLY), true)
 DEB_PACKAGE_NAME := cloudflared-nightly
 NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
@@ -11,19 +19,7 @@ else
 endif
 
 DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
-
-LINK_FLAGS :=
-ifeq ($(FIPS), true)
- LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
- # Prevent linking with libc regardless of CGO enabled or not.
- GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
-endif
-
-LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
-ifneq ($(GO_BUILD_TAGS),)
- GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
-endif
+VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
 
 IMPORT_PATH := github.com/cloudflare/cloudflared
 PACKAGE_DIR := $(CURDIR)/packaging
@@ -84,15 +80,17 @@ clean:
 go clean
 
 .PHONY: cloudflared
-cloudflared:
+cloudflared: 
 ifeq ($(FIPS), true)
 $(info Building cloudflared with go-fips)
- cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
+ -test -f fips/fips.go && mv fips/fips.go fips/fips.go.linux-amd64
+ mv fips/fips.go.linux-amd64 fips/fips.go
 endif
- GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+
+ GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
+
 ifeq ($(FIPS), true)
- rm -f cmd/cloudflared/fips.go
- ./check-fips.sh cloudflared
+ mv fips/fips.go fips/fips.go.linux-amd64
 endif
 
 .PHONY: container
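Review bot: `GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)` in the first hunk hands the tag list to `go build` unquoted, so as soon as GO_BUILD_TAGS holds more than one space-separated tag (it is visibly built up with `$(GO_BUILD_TAGS) fips`, i.e. meant to be extended) `go build` would see `-tags <first>` plus stray package arguments. The line this commit removes in the second hunk quoted it as `-tags "$(GO_BUILD_TAGS)"`, which is what keeps a multi-tag value intact; with only `fips` appended today the new form happens to work. Suggest `GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"`, or a comma-joined list since Go 1.13+ documents `-tags` as comma-separated and the space-separated form is deprecated.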
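Review bot: With `./check-fips.sh cloudflared` gone from the `cloudflared` recipe (third hunk), nothing verifies that a FIPS=true build actually linked BoringCrypto, yet the recipe still prints `Building cloudflared with go-fips` and swaps fips/fips.go in, and build-packages.sh on the new side still exports FIPS=true with CGO_ENABLED=0; that is the "never working before" state this commit's own changelog entry describes, now with the detector deleted. If FIPS is being withdrawn the recipe should stop claiming it (drop the FIPS branches or the callers' FIPS=true); if a best-effort FIPS build is kept, keep a one-line check in the trailing `ifeq` block such as `go tool nm cloudflared | grep -q '_Cfunc__goboringcrypto_' || { echo 'cloudflared: BoringCrypto not linked' >&2; exit 1; }`. Separately, each recipe line runs in its own shell and a failing `go build` aborts the recipe, so the final `mv fips/fips.go fips/fips.go.linux-amd64` is skipped on failure and fips/fips.go is left in the tree; the `-test -f fips/fips.go && mv …` line repairs that only on the next FIPS build, not on a following non-FIPS one. Whether a stray fips/fips.go alters a non-FIPS build depends on its build constraints, which are not visible here.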
@@ -102,10 +100,10 @@ container:
 .PHONY: test
 test: vet
 ifndef CI
- go test -v -mod=vendor -race $(LDFLAGS) ./...
+ go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
 else
 @mkdir -p .cover
- go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
+ go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
 go tool cover -html ".cover/c.out" -o .cover/all.html
 endif
 
@@ -249,8 +247,8 @@ tunnelrpc-deps:
 capnp compile -ogo tunnelrpc/tunnelrpc.capnp
 
 .PHONY: quic-deps
-quic-deps:
- which capnp
+quic-deps: which capnp
 which capnpc-go
 capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
 
@@ -260,9 +258,9 @@ vet:
 # go get github.com/sudarshan-reddy/go-sumtype (don't do this in build directory or this will cause vendor issues)
 # Note: If you have github.com/BurntSushi/go-sumtype then you might have to use the repo above instead
 # for now because it uses an older version of golang.org/x/tools.
- which go-sumtype
 go-sumtype $$(go list -mod=vendor ./...)
 
 .PHONY: goimports
 goimports:
- for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
\ No newline at end of file
+ for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
diff --git a/build-packages.sh b/build-packages.sh
index 88b2866a..7b4ece82 100755
--- a/build-packages.sh
+++ b/build-packages.sh
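Review bot: The `quic-deps:` / `which capnp` lines in the second hunk and the `which go-sumtype` line in the third are re-added differing from the removed lines only by trailing whitespace, as far as this rendering shows (the hunk counts say one added line for each removed one), which looks like an artifact of the mechanical revert rather than intent. Trailing whitespace on a rule header and on recipe lines is harmless to make, but it re-dirties lines that TUN-5277 had cleaned and will churn again on the next whitespace cleanup; keep the clean forms `quic-deps:`, `which capnp`, `which go-sumtype`. The newline-at-EOF fix on the `goimports` recipe is fine as is.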
@@ -1,15 +1,12 @@
 VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
-
-# Avoid depending on C code since we don't need it.
 export CGO_ENABLED=0
-
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=built_artifacts/
 mkdir -p $ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 export TARGET_OS=windows
-for arch in ${windowsArchs[@]}; do
+for arch in ${windowsArchs[@]}; do 
 export TARGET_ARCH=$arch
 make cloudflared-msi
 mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
@@ -17,20 +14,15 @@ for arch in ${windowsArchs[@]}; do
 done
-# amd64 is last because we override settings for it
-linuxArchs=("386" "arm" "arm64" "amd64")
+export FIPS=true
+linuxArchs=("amd64" "386" "arm" "arm64")
 export TARGET_OS=linux
-for arch in ${linuxArchs[@]}; do
- if [ "${arch}" = "amd64" ]; then
- export FIPS=true
- # For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
- export CGO_ENABLED=1
- fi
+for arch in ${linuxArchs[@]}; do 
 export TARGET_ARCH=$arch
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
- # rpm packages invert the - and _ and use x86_64 instead of amd64.
+ # rpm packages invert the - and _ and use x86_64 instead of amd64. 
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
@@ -45,3 +37,4 @@ for arch in ${linuxArchs[@]}; do
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
+
diff --git a/cfsetup.yaml b/cfsetup.yaml
index fb7314b2..383fab86 100644
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@@ -1,5 +1,5 @@
 pinned_go: &pinned_go go=1.17-1
-pinned_go_fips: &pinned_go_fips go-boring=1.16.6-7
+pinned_go_fips: &pinned_go_fips go-boring=1.16.6-6
 build_dir: &build_dir /cfsetup_build
 default-flavor: buster
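Review bot: `export FIPS=true` in the second hunk now applies to every linux arch while `export CGO_ENABLED=0` from the first hunk still governs the whole script, and the comment this commit removes states that BoringCrypto only links with cgo enabled; on the new side, then, every linux build (including arm/arm64, for which the Makefile only ever had a fips.go.linux-amd64 source) takes the Makefile's FIPS path and announces a go-fips build it cannot back, and the symbol check that would expose that is deleted in this same commit. Since the commit message says FIPS is being withdrawn, the consistent change is to drop `export FIPS=true` here entirely, which also stops the Makefile swapping fips/fips.go into the tree for non-amd64 targets; if a best-effort FIPS amd64 build is wanted instead, keep `export CGO_ENABLED=1` for amd64 only and a post-build verification. I can't see fips/fips.go.linux-amd64 or the go-boring toolchain, so the claim that the `fips` tag is inert with cgo off rests on the removed comment. Minor: `for arch in … ; do ` and the `# rpm packages …` line are re-added with trailing whitespace only, which is pure churn.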
@@ -41,6 +41,7 @@ stretch: &stretch
 - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
 - chmod a+x /usr/local/bin/wixl
 post-cache:
+ - export FIPS=true
 - ./build-packages.sh
 github-release-pkgs:
 build_dir: *build_dir
diff --git a/check-fips.sh b/check-fips.sh
deleted file mode 100755
index 98c05af1..00000000
--- a/check-fips.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-# Pass the path to the executable to check for FIPS compliance
-exe=$1
-
-if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
- # Asserts that executable is using FIPS-compliant boringcrypto
- echo "${exe}: missing goboring symbols" >&2
- exit 1
-fi
-if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
- # Asserts that executable is using FIPS-only schemes
- echo "${exe}: missing fipsonly symbols" >&2
- exit 1
-fi
-
-echo "${exe} is FIPS-compliant"
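Review bot: The added `- export FIPS=true` under `post-cache:` is redundant with build-packages.sh, which on the new side of this same commit exports FIPS=true itself for the linux loop, and it only reaches the script at all if cfsetup runs these list items in one shell, which I can't confirm from here. It also reads as the place where FIPS is switched on, which contradicts the commit message's statement that FIPS is being withdrawn; suggest dropping the line, or, if the intent is to keep the switch here rather than in the script, removing it from build-packages.sh so there is a single source of truth. If it stays, a comment such as `# FIPS is currently a no-op: see TUN-5549` would stop the next reader from assuming the release binaries are FIPS builds.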