This commit is contained in:
Wade Simmons
2026-06-01 10:21:34 -04:00
parent b5ad62aea1
commit 8671a4ebbd
4 changed files with 22 additions and 5 deletions
+3 -3
View File
@@ -58,9 +58,9 @@ jobs:
e2e-cmd: make e2evv e2e-cmd: make e2evv
- name: linux-boringcrypto - name: linux-boringcrypto
os: ubuntu-latest os: ubuntu-latest
build-cmd: make bin-boringcrypto build-cmd: make boringcrypto
test-cmd: make test-boringcrypto test-cmd: make boringcrypto test
e2e-cmd: make e2e GOEXPERIMENT=boringcrypto CGO_ENABLED=1 TEST_ENV="TEST_LOGS=1" TEST_FLAGS="-v -ldflags -checklinkname=0" e2e-cmd: make boringcrypto e2evv
- name: linux-fips140 - name: linux-fips140
os: ubuntu-latest os: ubuntu-latest
build-cmd: make fips140 build-cmd: make fips140
+14
View File
@@ -287,6 +287,20 @@ ifeq ($(words $(MAKECMDGOALS)),1)
@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
endif endif
# Useful to chain together, like:
# - make boringcrypto e2evv
# - make boringcrypto smoke-docker
# Use `release-boringcrypto` or `bin-boringcrypto` to build release binaries
boringcrypto:
@echo > $(NULL_FILE)
$(eval GOENV += GOEXPERIMENT=boringcrypto CGO_ENABLED=1)
$(eval LDFLAGS += -checklinkname=0)
$(eval TEST_FLAGS += -ldflags -checklinkname=0)
$(eval TEST_ENV += $(GOENV))
ifeq ($(words $(MAKECMDGOALS)),1)
@$(MAKE) boringcrypto ${.DEFAULT_GOAL} --no-print-directory
endif
bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
smoke-docker: bin-docker smoke-docker: bin-docker
+3
View File
@@ -29,6 +29,9 @@ type CipherState interface {
// NewCipherState wraps the post-handshake noise.CipherState in the per-cipher type that matches cipherFunc. // NewCipherState wraps the post-handshake noise.CipherState in the per-cipher type that matches cipherFunc.
// cipherFunc must be the same cipher used to build the noise CipherSuite that produced s. // cipherFunc must be the same cipher used to build the noise CipherSuite that produced s.
func NewCipherState(s *noise.CipherState, cipherFunc noise.CipherFunc) CipherState { func NewCipherState(s *noise.CipherState, cipherFunc noise.CipherFunc) CipherState {
if cs, ok := s.Cipher().(CipherState); ok {
return cs
}
switch cipherFunc.CipherName() { switch cipherFunc.CipherName() {
case CipherAESGCM.CipherName(): case CipherAESGCM.CipherName():
return NewCipherStateAESGCM(s) return NewCipherStateAESGCM(s)
+2 -2
View File
@@ -34,12 +34,12 @@ func (c cipherFn) Cipher(k [32]byte) noise.Cipher { return c.fn(k) }
func (c cipherFn) CipherName() string { return c.name } func (c cipherFn) CipherName() string { return c.name }
// CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled) // CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled)
var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCM, "AESGCM"} var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCMFIPS140, "AESGCM"}
// tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce // tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce
var emptyPrefix = []byte{0, 0, 0, 0} var emptyPrefix = []byte{0, 0, 0, 0}
func cipherAESGCM(k [32]byte) noise.Cipher { func cipherAESGCMFIPS140(k [32]byte) noise.Cipher {
gcm := aeadAESGCM(k[:], emptyPrefix) gcm := aeadAESGCM(k[:], emptyPrefix)
return aeadCipher{ return aeadCipher{
gcm, gcm,