TUN-5549: Revert "TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64"

This reverts commit 157f5d1412.

FIPS compliant binaries (for linux/amd64) are causing HTTPS origins to not
be reachable by cloudflared in certain cases (e.g. with Let's Encrypt certificates).

Origins that cloudflared does not reach over HTTPS are not affected.
Nuno Diegues 2021-12-16 00:26:05 +00:00
parent 8d41f99f2f
commit 2dc5f6ec8c
5 changed files with 34 additions and 53 deletions


@ -1,5 +1,9 @@
**Experimental**: This is a new format for release notes. The format and availability is subject to change. **Experimental**: This is a new format for release notes. The format and availability is subject to change.
## 2021.12.1
### Bug Fixe
- Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
## 2021.12.0 ## 2021.12.0
### New Features ### New Features
- Cloudflared binary released for amd64 linux is now FIPS compliant. - Cloudflared binary released for amd64 linux is now FIPS compliant.


@ -3,6 +3,14 @@ MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut
#MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup. #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
#e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI. #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
ifeq ($(FIPS), true)
GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
endif
ifneq ($(GO_BUILD_TAGS),)
GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
endif
ifeq ($(NIGHTLY), true) ifeq ($(NIGHTLY), true)
DEB_PACKAGE_NAME := cloudflared-nightly DEB_PACKAGE_NAME := cloudflared-nightly
NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
@ -11,19 +19,7 @@ else
endif endif
DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC') DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)" VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
LINK_FLAGS :=
ifeq ($(FIPS), true)
LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
# Prevent linking with libc regardless of CGO enabled or not.
GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
endif
LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
ifneq ($(GO_BUILD_TAGS),)
GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
endif
IMPORT_PATH := github.com/cloudflare/cloudflared IMPORT_PATH := github.com/cloudflare/cloudflared
PACKAGE_DIR := $(CURDIR)/packaging PACKAGE_DIR := $(CURDIR)/packaging
@ -84,15 +80,17 @@ clean:
go clean go clean
.PHONY: cloudflared .PHONY: cloudflared
cloudflared: cloudflared:
ifeq ($(FIPS), true) ifeq ($(FIPS), true)
$(info Building cloudflared with go-fips) $(info Building cloudflared with go-fips)
cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go -test -f fips/fips.go && mv fips/fips.go fips/fips.go.linux-amd64
mv fips/fips.go.linux-amd64 fips/fips.go
endif endif
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
ifeq ($(FIPS), true) ifeq ($(FIPS), true)
rm -f cmd/cloudflared/fips.go mv fips/fips.go fips/fips.go.linux-amd64
./check-fips.sh cloudflared
endif endif
.PHONY: container .PHONY: container
@ -102,10 +100,10 @@ container:
.PHONY: test .PHONY: test
test: vet test: vet
ifndef CI ifndef CI
go test -v -mod=vendor -race $(LDFLAGS) ./... go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
else else
@mkdir -p .cover @mkdir -p .cover
go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./... go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
go tool cover -html ".cover/c.out" -o .cover/all.html go tool cover -html ".cover/c.out" -o .cover/all.html
endif endif
@ -249,8 +247,8 @@ tunnelrpc-deps:
capnp compile -ogo tunnelrpc/tunnelrpc.capnp capnp compile -ogo tunnelrpc/tunnelrpc.capnp
.PHONY: quic-deps .PHONY: quic-deps
quic-deps: quic-deps:
which capnp which capnp
which capnpc-go which capnpc-go
capnp compile -ogo quic/schema/quic_metadata_protocol.capnp capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
@ -260,9 +258,9 @@ vet:
# go get github.com/sudarshan-reddy/go-sumtype (don't do this in build directory or this will cause vendor issues) # go get github.com/sudarshan-reddy/go-sumtype (don't do this in build directory or this will cause vendor issues)
# Note: If you have github.com/BurntSushi/go-sumtype then you might have to use the repo above instead # Note: If you have github.com/BurntSushi/go-sumtype then you might have to use the repo above instead
# for now because it uses an older version of golang.org/x/tools. # for now because it uses an older version of golang.org/x/tools.
which go-sumtype which go-sumtype
go-sumtype $$(go list -mod=vendor ./...) go-sumtype $$(go list -mod=vendor ./...)
.PHONY: goimports .PHONY: goimports
goimports: goimports:
for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done for d in $$(go list -mod=readonly -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc) ; do goimports -format-only -local github.com/cloudflare/cloudflared -w $$d ; done
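Review bot: With `./check-fips.sh cloudflared` dropped from the second `ifeq ($(FIPS), true)` block of the `cloudflared` target, a `FIPS=true` build is no longer checked for BoringCrypto symbols, so a binary that silently fell back to standard crypto would ship unnoticed while the packaging scripts in this commit still export `FIPS=true`. A comment on the target should make that explicit, e.g. `# FIPS=true only adds the fips build tag and swaps fips/fips.go in; the output is not verified to link BoringCrypto (TUN-5549)`. The restored recipe also edits the source tree with plain `mv` lines rather than producing only `$@`, so a failing `go build` leaves `fips/fips.go` in place for whatever the next build does with it, and the leading `-` on the `test -f` line hides any error in that state. The `cloudflared` target lies entirely within the hunk.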


@ -1,15 +1,12 @@
VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*") VERSION=$(git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION echo $VERSION
# Avoid depending on C code since we don't need it.
export CGO_ENABLED=0 export CGO_ENABLED=0
# This controls the directory the built artifacts go into # This controls the directory the built artifacts go into
export ARTIFACT_DIR=built_artifacts/ export ARTIFACT_DIR=built_artifacts/
mkdir -p $ARTIFACT_DIR mkdir -p $ARTIFACT_DIR
windowsArchs=("amd64" "386") windowsArchs=("amd64" "386")
export TARGET_OS=windows export TARGET_OS=windows
for arch in ${windowsArchs[@]}; do for arch in ${windowsArchs[@]}; do
export TARGET_ARCH=$arch export TARGET_ARCH=$arch
make cloudflared-msi make cloudflared-msi
mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe mv ./cloudflared.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
@ -17,20 +14,15 @@ for arch in ${windowsArchs[@]}; do
done done
# amd64 is last because we override settings for it export FIPS=true
linuxArchs=("386" "arm" "arm64" "amd64") linuxArchs=("amd64" "386" "arm" "arm64")
export TARGET_OS=linux export TARGET_OS=linux
for arch in ${linuxArchs[@]}; do for arch in ${linuxArchs[@]}; do
if [ "${arch}" = "amd64" ]; then
export FIPS=true
# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
export CGO_ENABLED=1
fi
export TARGET_ARCH=$arch export TARGET_ARCH=$arch
make cloudflared-deb make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64. # rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g') RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch RPMARCH=$arch
if [ $arch == "amd64" ];then if [ $arch == "amd64" ];then
@ -45,3 +37,4 @@ for arch in ${linuxArchs[@]}; do
# finally move the linux binary as well. # finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
done done
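Review bot: The side that drops the five-line amd64 block (which appears to be the new side) sets `export FIPS=true` once before the linux loop, so the FIPS build is now requested for 386, arm and arm64 as well as amd64, while the release note in this commit describes the FIPS change as amd64-only. If every linux arch is meant to get it, a comment above the export should say so, e.g. `# FIPS=true applies to every linux arch; as far as the Makefile shows it only selects the fips build tag here since CGO_ENABLED=0`; otherwise move the export inside the loop under an `amd64` check as before. The loop body continues into the next hunk.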


@ -1,5 +1,5 @@
pinned_go: &pinned_go go=1.17-1 pinned_go: &pinned_go go=1.17-1
pinned_go_fips: &pinned_go_fips go-boring=1.16.6-7 pinned_go_fips: &pinned_go_fips go-boring=1.16.6-6
build_dir: &build_dir /cfsetup_build build_dir: &build_dir /cfsetup_build
default-flavor: buster default-flavor: buster
@ -41,6 +41,7 @@ stretch: &stretch
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
- chmod a+x /usr/local/bin/wixl - chmod a+x /usr/local/bin/wixl
post-cache: post-cache:
- export FIPS=true
- ./build-packages.sh - ./build-packages.sh
github-release-pkgs: github-release-pkgs:
build_dir: *build_dir build_dir: *build_dir


@ -1,15 +0,0 @@
# Pass the path to the executable to check for FIPS compliance
exe=$1
if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
# Asserts that executable is using FIPS-compliant boringcrypto
echo "${exe}: missing goboring symbols" >&2
exit 1
fi
if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
# Asserts that executable is using FIPS-only schemes
echo "${exe}: missing fipsonly symbols" >&2
exit 1
fi
echo "${exe} is FIPS-compliant"