Use labkit for FIPS check

Igor Drozdov requested to merge id-fips-labkit into main

The new version of LabKit provides FIPS checks that we can use instead of the custom code.

Build:

```
docker run -it -v $(pwd):/build registry.gitlab.com/gitlab-org/gitlab-omnibus-builder/staging/ubuntu_20.04_fips:sh-ubuntu-20-04-golang-fips
root@ba922d5d434e:/# FIPS_MODE=1 make -C /build
make: Entering directory '/build'
GOBIN="/build/bin" go install -ldflags "-X main.Version=v13.25.2-11-gf1d7689 -X main.BuildTime=20220427.090346" -tags "tracer_static tracer_static_jaeger continuous_profiler_stackdriver fips" -mod=mod ./cmd/...
```

Verify:

```
root@ba922d5d434e:/# go tool nm build/bin/gitlab-shell | grep _Cfunc__goboringcrypto_
  402120 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
  4021a0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bn2bin
  402210 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
  402520 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_new
  402250 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_num_bytes
  4022c0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_DLOPEN_OPENSSL
```
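
As an added example (not part of this merge request or of the gitlab-shell code base), the manual verification above can be turned into a pass/fail gate for build pipelines. The functions `count_boring_symbols` and `check_fips_build` are hypothetical names, the sample symbol tables are constructed, and treating a non-FIPS build as one with zero goboringcrypto symbols is an assumption.

```shell
#!/bin/sh
# Added example, not gitlab-shell code. Function names are hypothetical.
# Real use: go tool nm build/bin/gitlab-shell | check_fips_build "$FIPS_MODE"

# Print the number of distinct goboringcrypto wrappers that are *defined* in
# the text section. Undefined references (type U, no address) are skipped.
count_boring_symbols() {
    awk '
        # A defined symbol line is: <address> <type> <name>
        NF == 3 && ($2 == "T" || $2 == "t") && $3 ~ /_Cfunc__goboringcrypto_/ {
            name = $3
            sub(/^.*_Cfunc__goboringcrypto_/, "", name)
            seen[name] = 1
        }
        END { n = 0; for (k in seen) n++; print n }
    '
}

# $1 is the expected mode ("1" = FIPS build); nm output is read from stdin.
# Assumption: a non-FIPS build carries no goboringcrypto symbols at all.
check_fips_build() {
    count=$(count_boring_symbols)
    if [ "$1" = "1" ]; then
        [ "$count" -gt 0 ]
    else
        [ "$count" -eq 0 ]
    fi
}

# Constructed sample symbol tables (names follow the output shown above).
SAMPLE_FIPS='  402120 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
  402210 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
  4022c0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_DLOPEN_OPENSSL
         U _Cfunc__goboringcrypto_BN_new
  4a1000 T main.main'
SAMPLE_PLAIN='  4a1000 T main.main
  4b2000 T crypto/sha256.Sum256'

if printf '%s\n' "$SAMPLE_FIPS" | check_fips_build 1; then
    echo "FIPS sample: goboringcrypto wrappers present"
fi
if ! printf '%s\n' "$SAMPLE_PLAIN" | check_fips_build 1; then
    echo "plain sample: rejected as a FIPS build"
fi
```

Checking the symbol type keeps an undefined reference from passing as evidence that the wrappers were actually linked in.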