
Commit cf487941 authored by Igor Drozdov's avatar Igor Drozdov

Merge branch 'sh-fips-mode' into 'main'

Add support for FIPS encryption

See merge request gitlab-org/gitlab-shell!597
parents 5fe0d17f 3a17a8de
.PHONY: validate verify verify_ruby verify_golang test test_ruby test_golang coverage coverage_golang setup _script_install build compile check clean install
FIPS_MODE ?= 0
GO_SOURCES := $(shell find . -name '*.go')
VERSION_STRING := $(shell git describe --match v* 2>/dev/null || awk '$$0="v"$$0' VERSION 2>/dev/null || echo unknown)
BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
ifeq (${FIPS_MODE}, 1)
BUILD_TAGS += boringcrypto
endif
GOBUILD_FLAGS := -ldflags "-X main.Version=$(VERSION_STRING) -X main.BuildTime=$(BUILD_TIME)" -tags "$(BUILD_TAGS)" -mod=mod
PREFIX ?= /usr/local
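Review bot: `FIPS_MODE=1` only appends the `boringcrypto` build tag; nothing in the Makefile checks that the toolchain doing the build is actually a FIPS-capable Go, so a build with a standard toolchain will presumably succeed and silently produce a non-FIPS binary. At minimum the variable deserves a comment stating the prerequisite, e.g. `# FIPS_MODE=1 adds the boringcrypto build tag; the build must use a FIPS-capable Go toolchain for this to take effect`. Whether a hard check (failing the build when the tag is requested but the toolchain lacks BoringCrypto) is feasible depends on the toolchains the project supports, which the hunk does not show.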
@@ -11,6 +11,7 @@ import (
"gitlab.com/gitlab-org/labkit/log"
shellCmd "gitlab.com/gitlab-org/gitlab-shell/cmd/gitlab-shell/command"
"gitlab.com/gitlab-org/gitlab-shell/internal/boring"
"gitlab.com/gitlab-org/gitlab-shell/internal/command"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/readwriter"
"gitlab.com/gitlab-org/gitlab-shell/internal/config"
@@ -73,6 +74,7 @@ func main() {
cmdName := reflect.TypeOf(cmd).String()
ctxlog := log.ContextLogger(ctx)
ctxlog.WithFields(log.Fields{"env": env, "command": cmdName}).Info("gitlab-shell: main: executing command")
boring.CheckBoring()
if err := cmd.Execute(ctx); err != nil {
ctxlog.WithError(err).Warn("gitlab-shell: main: command execution failed")
//go:build boringcrypto
// +build boringcrypto
package boring
import (
"crypto/boring"
"gitlab.com/gitlab-org/labkit/log"
)
// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
// compiler in https://github.com/golang-fips/go, this requires that:
//
// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
// 2. A system OpenSSL can be dynamically loaded via ldopen().
func CheckBoring() {
if boring.Enabled() {
log.Info("FIPS mode is enabled. Using an external SSL library.")
return
}
log.Info("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")
}
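Review bot: The fallback message in CheckBoring names the wrong project — this is gitlab-shell, not Gitaly — so the line should read `log.Info("gitlab-shell was compiled with FIPS mode, but an external SSL library was not enabled.")`. That branch is also the one an operator most needs to notice: the binary was built with the boringcrypto tag yet `boring.Enabled()` is false, meaning the process is running without the FIPS crypto it was meant to use, so logging it at Info alongside the routine startup lines makes the misconfiguration easy to miss; consider `log.Warn` for that case and keeping Info for the enabled case. It would also help to extend the doc comment so it says what the function does when the check fails, e.g. "Only logs the result; it does not abort, so callers must not treat a return as proof that FIPS crypto is active."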
//go:build !boringcrypto
// +build !boringcrypto
package boring
// CheckBoring does nothing when the boringcrypto tag is not in the
// build.
func CheckBoring() {
}