From 7221d7e69e10a49960be686ec4594b3642183f77 Mon Sep 17 00:00:00 2001 From: Areg Harutyunyan Date: Thu, 28 Jan 2021 16:10:19 +0000 Subject: [PATCH] TUN-3826: Use go-fips when building cloudflared for linux/amd64 --- Makefile | 13 ++++++++++--- cfsetup.yaml | 20 ++++++++++++++------ cmd/cloudflared/fips.go | 5 +++++ 3 files changed, 29 insertions(+), 9 deletions(-) create mode 100644 cmd/cloudflared/fips.go diff --git a/Makefile b/Makefile index 2d545cde..1f264f50 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,17 @@ VERSION := $(shell git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*") -DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC') -VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"' MSI_VERSION := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-) #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup. #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI. +ifeq ($(FIPS), true) + GO_BUILD_TAGS := "$(GO_BUILD_TAGS) fips" + VERSION := $(VERSION)-fips + MSI_VERSION := $(MSI_VERSION)-fips +endif + +DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC') +VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"' + IMPORT_PATH := github.com/cloudflare/cloudflared PACKAGE_DIR := $(CURDIR)/packaging INSTALL_BINDIR := /usr/bin/ @@ -71,7 +78,7 @@ clean: .PHONY: cloudflared cloudflared: tunnel-deps - GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared + GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor -tags $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared .PHONY: container container: diff --git a/cfsetup.yaml b/cfsetup.yaml index 14a5546e..9bd8c760 100644 --- a/cfsetup.yaml +++ b/cfsetup.yaml 
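Review bot: The `-fips` suffix in the new `ifeq ($(FIPS), true)` block is keyed on `FIPS`, but the cfsetup.yaml part of this patch turns the build tag on by exporting `GO_BUILD_TAGS=fips` and never sets `FIPS`. If that export is the only switch CI uses, the linux/amd64 binaries would link the FIPS-only TLS package while `main.Version` and `MSI_VERSION` stay unsuffixed, so the version string could not tell you which crypto build is deployed. Consider keying the block on the tag itself, e.g. `ifneq ($(filter fips,$(GO_BUILD_TAGS)),)`, or exporting `FIPS=true` from cfsetup.yaml instead of the raw tag.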
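Review bot: `-tags $(GO_BUILD_TAGS)` in the `cloudflared` recipe expands to a bare `-tags` whenever `GO_BUILD_TAGS` is unset, which as far as this patch shows is every job that does not export it. `go build` would then most likely take the following `-ldflags=...` argument as the tag list, so the version stamping is lost or the build fails. Quoting at the use site only works if the literal quotes are dropped from the assignment in the first hunk, so both lines change together: `GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips` and `go build -v -mod=vendor -tags "$(GO_BUILD_TAGS)" $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared`.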
@@ -1,26 +1,30 @@ pinned_go: &pinned_go go=1.15.7-1 +pinned_go_fips: &pinned_go_fips go-fips=1.15.5-3 + build_dir: &build_dir /cfsetup_build default-flavor: buster stretch: &stretch build: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips - make cloudflared build-deb: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential - fakeroot - rubygem-fpm post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips - make cloudflared-deb build-deb-arm64: build_dir: *build_dir @@ -36,7 +40,7 @@ stretch: &stretch publish-deb: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential - fakeroot - rubygem-fpm @@ -44,20 +48,22 @@ stretch: &stretch post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips - make publish-deb release-linux-amd64: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips - make release github-release-linux-amd64: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential - python3-setuptools - python3-pip @@ -66,6 +72,7 @@ stretch: &stretch post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips - make github-release release-linux-armv6: build_dir: *build_dir @@ -185,11 +192,12 @@ stretch: &stretch test: build_dir: *build_dir builddeps: - - *pinned_go + - *pinned_go_fips - build-essential post-cache: - export GOOS=linux - export GOARCH=amd64 + - export GO_BUILD_TAGS=fips # cd to a non-module directory: https://github.com/golang/go/issues/24250 - (cd / && go get github.com/BurntSushi/go-sumtype) - export PATH="$HOME/go/bin:$PATH" diff --git a/cmd/cloudflared/fips.go b/cmd/cloudflared/fips.go new file mode 100644 index 00000000..e6b3585b --- /dev/null 
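Review bot: `pinned_go_fips` pins `go-fips=1.15.5-3` while `pinned_go` stays at `go=1.15.7-1`, so every linux/amd64 job switched in these hunks (build, build-deb, publish-deb, release-linux-amd64, github-release-linux-amd64, test) moves to an older Go patch level than the other release targets. Go patch releases usually carry security fixes, so it is worth confirming that the go-fips package has the 1.15.6 and 1.15.7 changes backported. A comment next to the anchor would record the intent, e.g. `# go-fips lags upstream go; bump together with pinned_go`. The jobs that keep `*pinned_go` do not export `GO_BUILD_TAGS`, which is where the empty `-tags` in the Makefile recipe would show up.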
+++ b/cmd/cloudflared/fips.go
@@ -0,0 +1,5 @@
+// +build fips
+
+package main
+
+import _ "crypto/tls/fipsonly"
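Review bot: The new file has no comment saying why the blank import is there, and the side effect is the whole point of the file. I would add, above the import, `// Importing crypto/tls/fipsonly restricts all crypto/tls configuration in this binary to FIPS-approved settings.` and `// The package exists only in the BoringCrypto (go-fips) toolchain, so a fips-tagged build with stock Go fails to compile.` That also makes it clear to anyone changing the build that the tag and the toolchain pin in cfsetup.yaml have to move together.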