
Add support for FIPS encryption

Stan Hu requested to merge sh-fips-mode into master

The native Go crypto is not FIPS-compliant, nor are there plans to make it compliant. See https://kupczynski.info/posts/fips-golang/ for full details.

This commit adds support for using a FIPS-validated SSL library with compiled Go executables when FIPS_MODE=1 make is run. A Go compiler that supports BoringSSL either directly (e.g. the dev.boringcrypto branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required.

This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: gitlab-pages!716 (merged)

To test:

docker run -it -v $(pwd):/build registry.gitlab.com/gitlab-org/gitlab-omnibus-builder/staging/ubuntu_20.04_fips:sh-ubuntu-20-04-golang-fips
FIPS_MODE=1 V=1 make -C /build

On a FIPS-enabled system:

ubuntu@fips-test-gitaly-1:~$ cat /proc/sys/crypto/fips_enabled
1
ubuntu@fips-test-gitaly-1:~$ ./gitaly /var/opt/gitlab/gitaly/config.toml
INFO[0000] Starting Gitaly  version=Gitaly, version 14.10.0-rc1-40-g5c3dc864a
INFO[0000] FIPS mode is enabled. Using an external SSL library.
Edited by Stan Hu
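The test transcript above shows the two inputs that matter at startup: whether the kernel is in FIPS mode (/proc/sys/crypto/fips_enabled) and whether the binary was built against a FIPS crypto module. The following is an added example, not code from this merge request or from Gitaly, showing how a Go service can combine those two inputs into a startup policy. The build-side flag is a linker variable (`fipsBuild`, set with `-ldflags "-X main.fipsBuild=1"`) standing in for whatever build-tagged file or flag a real project uses; the names `kernelFIPSEnabled`, `readKernelFIPS`, `fipsStartupMessage` and `ErrFIPSMismatch`, and the decision to refuse to start when the kernel demands FIPS but the binary cannot provide it, are this example's assumptions rather than anything the MR states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// fipsBuild records whether the binary was compiled against a FIPS-validated
// crypto module (BoringCrypto or a dynamically linked OpenSSL). It is a
// placeholder for the build-tagged file or flag a real project would use;
// set it at build time with:
//   go build -ldflags "-X main.fipsBuild=1"
var fipsBuild = "0"

// fipsSysctl is the Linux kernel's FIPS indicator, as read in the MR's test.
const fipsSysctl = "/proc/sys/crypto/fips_enabled"

// ErrFIPSMismatch is returned when the kernel is in FIPS mode but the binary
// was not built with a FIPS crypto module. Falling back silently to the
// native Go crypto in that state would defeat the point of FIPS mode, so the
// policy here (an assumption of this example) is to refuse to start.
var ErrFIPSMismatch = errors.New("kernel is in FIPS mode but this binary was not built with a FIPS crypto module")

// kernelFIPSEnabled parses the contents of /proc/sys/crypto/fips_enabled.
// The kernel writes "1\n" when FIPS mode is on and "0\n" otherwise; any other
// content is reported as an error instead of being treated as "off".
func kernelFIPSEnabled(contents string) (bool, error) {
	switch strings.TrimSpace(contents) {
	case "1":
		return true, nil
	case "0":
		return false, nil
	default:
		return false, fmt.Errorf("unexpected fips_enabled value %q", contents)
	}
}

// readKernelFIPS reads the sysctl. A missing file (non-Linux host, or a kernel
// built without the FIPS sysctl) counts as FIPS off; any other read error is
// surfaced to the caller.
func readKernelFIPS() (bool, error) {
	b, err := os.ReadFile(fipsSysctl)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return kernelFIPSEnabled(string(b))
}

// fipsStartupMessage applies the startup policy to the two inputs and returns
// the line to log, or ErrFIPSMismatch when the service must not start.
func fipsStartupMessage(kernelFIPS, builtFIPS bool) (string, error) {
	switch {
	case kernelFIPS && builtFIPS:
		return "FIPS mode is enabled. Using an external SSL library.", nil
	case kernelFIPS && !builtFIPS:
		return "", ErrFIPSMismatch
	case !kernelFIPS && builtFIPS:
		return "Binary was built with a FIPS crypto module but the kernel is not in FIPS mode.", nil
	default:
		return "FIPS mode is disabled. Using the native Go crypto.", nil
	}
}

func main() {
	kernelFIPS, err := readKernelFIPS()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot determine kernel FIPS state:", err)
		os.Exit(1)
	}
	msg, err := fipsStartupMessage(kernelFIPS, fipsBuild == "1")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println(msg)
}
```

On the FIPS-enabled host from the transcript (`fips_enabled` reads `1`), a binary built with `-X main.fipsBuild=1` logs the same "FIPS mode is enabled" line the MR shows, while a binary built without the flag exits with ErrFIPSMismatch instead of quietly running the non-compliant native crypto.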
