Add support for FIPS encryption
The native Go crypto is not FIPS-compliant, nor are there plans to make it compliant. See https://kupczynski.info/posts/fips-golang/ for full details.
This commit adds support for using a FIPS-validated SSL library with compiled Go executables when FIPS_MODE=1 make is run. A Go compiler that supports BoringSSL either directly (e.g. the dev.boringcrypto branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required.
This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: gitlab-pages!716 (merged)
To test:
docker run -it -v $(pwd):/build registry.gitlab.com/gitlab-org/gitlab-omnibus-builder/staging/ubuntu_20.04_fips:sh-ubuntu-20-04-golang-fips
FIPS_MODE=1 V=1 make -C /build
On a FIPS-enabled system:
ubuntu@fips-test-gitaly-1:~$ cat /proc/sys/crypto/fips_enabled
1
ubuntu@fips-test-gitaly-1:~$ ./gitaly /var/opt/gitlab/gitaly/config.toml
INFO[0000] Starting GitalyversionGitaly, version 14.10.0-rc1-40-g5c3dc864a
INFO[0000] FIPS mode is enabled. Using an external SSL library.
Edited by Stan Hu