diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 555fcaef..6d4afbc3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -58,9 +58,9 @@ jobs: e2e-cmd: make e2evv - name: linux-boringcrypto os: ubuntu-latest - build-cmd: make bin-boringcrypto - test-cmd: make test-boringcrypto - e2e-cmd: make e2e GOEXPERIMENT=boringcrypto CGO_ENABLED=1 TEST_ENV="TEST_LOGS=1" TEST_FLAGS="-v -ldflags -checklinkname=0" + build-cmd: make boringcrypto + test-cmd: make boringcrypto test + e2e-cmd: make boringcrypto e2evv - name: linux-fips140 os: ubuntu-latest build-cmd: make fips140 diff --git a/Makefile b/Makefile index 2d544719..e69c2f4f 100644 --- a/Makefile +++ b/Makefile @@ -287,6 +287,20 @@ ifeq ($(words $(MAKECMDGOALS)),1) @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory endif +# Useful to chain together, like: +# - make boringcrypto e2evv +# - make boringcrypto smoke-docker +# Use `release-boringcrypto` or `bin-boringcrypto` to build release binaries +boringcrypto: + @echo > $(NULL_FILE) + $(eval GOENV += GOEXPERIMENT=boringcrypto CGO_ENABLED=1) + $(eval LDFLAGS += -checklinkname=0) + $(eval TEST_FLAGS += -ldflags -checklinkname=0) + $(eval TEST_ENV += $(GOENV)) +ifeq ($(words $(MAKECMDGOALS)),1) + @$(MAKE) boringcrypto ${.DEFAULT_GOAL} --no-print-directory +endif + bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert smoke-docker: bin-docker diff --git a/noiseutil/cipher_state.go b/noiseutil/cipher_state.go index bb316385..3aef2cff 100644 --- a/noiseutil/cipher_state.go +++ b/noiseutil/cipher_state.go @@ -29,6 +29,9 @@ type CipherState interface { // NewCipherState wraps the post-handshake noise.CipherState in the per-cipher type that matches cipherFunc. // cipherFunc must be the same cipher used to build the noise CipherSuite that produced s. func NewCipherState(s *noise.CipherState, cipherFunc noise.CipherFunc) CipherState { + if cs, ok := s.Cipher().(CipherState); ok { + return cs + } switch cipherFunc.CipherName() { case CipherAESGCM.CipherName(): return NewCipherStateAESGCM(s) diff --git a/noiseutil/fips140.go b/noiseutil/fips140.go index c0824ae3..14ea03ce 100644 --- a/noiseutil/fips140.go +++ b/noiseutil/fips140.go @@ -34,12 +34,12 @@ func (c cipherFn) Cipher(k [32]byte) noise.Cipher { return c.fn(k) } func (c cipherFn) CipherName() string { return c.name } // CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled) -var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCM, "AESGCM"} +var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCMFIPS140, "AESGCM"} // tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce var emptyPrefix = []byte{0, 0, 0, 0} -func cipherAESGCM(k [32]byte) noise.Cipher { +func cipherAESGCMFIPS140(k [32]byte) noise.Cipher { gcm := aeadAESGCM(k[:], emptyPrefix) return aeadCipher{ gcm,