Pages fails to build on FIPS due to incorrect check
Summary
GitLab Pages fails to build with go-fips 1.22.4 due to a check in the Makefile for boringcrypto. This check only works on go-fips versions prior to 1.22. In that version, the openssl-fips module that go-fips depends on was replaced with a new one that no longer presents a boringcrypto interface. In addition, the check was only a proxy for a FIPS build because Go wasn't actually using BoringSSL anyway. The Scooby Gang has unmasked BoringSSL in openssl-fips to reveal that all crypto calls were actually getting passed through to the system OpenSSL via a dlopen()ed shared object.
If checking for FIPS is desired, the correct check is to simply look for symbols containing FIPS. These symbols only occur in binaries built by go-fips and do not occur in non-FIPS builds.
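One way to implement the symbol check described above, as an added example that is not part of this issue or of the gitlab-pages Makefile. It replaces the `grep boringcrypto` test with a search for symbol names containing `FIPS` in `go tool nm` output; the function names are mine, and the two symbol listings are constructed stand-ins, not real output from the pipeline.

```shell
#!/bin/sh
# Added example: verify a Go binary was produced by go-fips by inspecting its
# symbol table for names containing "FIPS", rather than for "boringcrypto"
# (which go-fips >= 1.22 no longer exposes).

# fips_check_symbols reads a `go tool nm` style listing on stdin.
# Returns 0 when at least one symbol name contains "FIPS", 1 otherwise.
# Only the symbol-name column (3rd field onwards) is inspected, so an
# address or type letter can never produce a false match.
fips_check_symbols() {
    awk '
        { for (i = 3; i <= NF; i++) if ($i ~ /FIPS/) { found = 1; exit } }
        END { if (found) exit 0; else exit 1 }
    '
}

# fips_check_binary runs the real check against a built binary.
# Assumes the Go toolchain is on PATH (hypothetical wrapper, not project code).
fips_check_binary() {
    go tool nm "$1" | fips_check_symbols
}

# fips_report prints the same messages the Makefile uses and returns the
# check's status, so it can be dropped into a make recipe as-is.
fips_report() {
    if fips_check_symbols; then
        echo "binary is correctly built in FIPS mode"
        return 0
    fi
    echo "binary is not correctly built in FIPS mode"
    return 1
}

# Constructed sample listings (placeholder symbol names, not captured nm output).
FIPS_LISTING='  4a0f20 T crypto/internal/backend.init
  4a1000 T crypto/internal/backend.IsFIPSEnabled
  4a1100 T vendor/example.com/openssl.FIPSMode'
PLAIN_LISTING='  4a0f20 T crypto/sha256.New
  4a1000 T main.main'

# Stand-alone demonstration: expect "correctly" for the first listing and
# "not correctly" for the second.
printf '%s\n' "$FIPS_LISTING" | fips_report
printf '%s\n' "$PLAIN_LISTING" | fips_report
```

In a Makefile recipe the pipeline would become `go tool nm $(BIN) | fips_report || exit 1`, which keeps the existing pass/fail messages while dropping the dependency on the boringcrypto symbol prefix.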
Relevant logs and/or screenshots
See this CNG pipeline failure (the same happens for omnibus-gitlab as well):
#8 35.93 go tool nm /tmp/build/gitlab-pages-master/bin/gitlab-pages | grep boringcrypto >/dev/null && echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
#8 36.00 binary is not correctly built in FIPS mode
#8 36.00 make: *** [Makefile.build.mk:33: build] Error 1
#8 ERROR: process "/bin/sh -c ldconfig && mkdir /assets && ln -sf /usr/local/go/bin/* /usr/local/bin && /gitlab-fetch \"${API_URL}\" \"${NAMESPACE}\" \"${PROJECT}\" \"${VERSION}\" && cd ${PROJECT}-${VERSION} && FIPS_MODE=${FIPS_MODE} GOEXPERIMENT=${EXTRA_EXPERIMENT_FLAGS} make 'gitlab-pages' \"LAST_TAG=v${VERSION}\" \"VERSION=${VERSION}\" && install -D -m +x ./gitlab-pages /assets/usr/local/bin/gitlab-pages && mkdir /assets/licenses && cp LICENSE /assets/licenses/GitLab.txt" did not complete successfully: exit code: 2
------
> [3/3] RUN ldconfig && mkdir /assets && ln -sf /usr/local/go/bin/* /usr/local/bin && /gitlab-fetch "https://gitlab.com/api/v4" "gitlab-org" "gitlab-pages" "master" && cd gitlab-pages-master && FIPS_MODE=1 GOEXPERIMENT=boringcrypto make 'gitlab-pages' "LAST_TAG=vmaster" "VERSION=master" && install -D -m +x ./gitlab-pages /assets/usr/local/bin/gitlab-pages && mkdir /assets/licenses && cp LICENSE /assets/licenses/GitLab.txt:
30.96 cloud.google.com/go/profiler
31.05 gitlab.com/gitlab-org/labkit/monitoring
31.13 gitlab.com/gitlab-org/gitlab-pages
33.51 GO_BUILD_ID=$( go tool buildid /tmp/build/gitlab-pages-master/bin/gitlab-pages ) && \
33.51 GNU_BUILD_ID=$( echo $GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
33.51 GOBIN=/tmp/build/gitlab-pages-master/bin GOEXPERIMENT=boringcrypto go install -v -ldflags="-X "main.VERSION=master" -X "main.REVISION=unknown" -B 0x$GNU_BUILD_ID" -tags "continuous_profiler_stackdriver,fips" -buildmode exe gitlab.com/gitlab-org/gitlab-pages
33.71 gitlab.com/gitlab-org/gitlab-pages
35.93 go tool nm /tmp/build/gitlab-pages-master/bin/gitlab-pages | grep boringcrypto >/dev/null && echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
36.00 binary is not correctly built in FIPS mode
36.00 make: *** [Makefile.build.mk:33: build] Error 1