
Use Labkit for FIPS check

Stan Hu requested to merge sh-use-labkit-fips-check into main

We can reduce code duplication used for the FIPS check by using LabKit's implementation.

LabKit uses the fips tag instead of the boringcrypto tag, which is deprecated in any case and replaced with GOEXPERIMENT=boringcrypto due to https://github.com/golang/go/issues/51940.

This commit changes the message on a FIPS system from:

FIPS mode enabled. Using BoringSSL.

to:

FIPS mode is enabled. Using an external SSL library.

On a non-FIPS system, this commit changes the message from:

GitLab Runner was compiled with FIPS mode but BoringSSL is not enabled.

to:

Binary was compiled with FIPS mode, but an external SSL library was not enabled.

The test in https://gitlab.com/gitlab-org/ci-cd/tests/runner-incept/-/blob/21f4635639574814ddd4e553e3f56a9155e0c027/spec/before_main_after_spec.rb#L9 needs to be adjusted to account for this.

Edited by Stan Hu
