cleanup, no GODEBUG needed

.github/workflows/smoke.yml

@@ -54,10 +54,10 @@ jobs:
 
     - name: setup docker image for fips140
       working-directory: ./.github/workflows/smoke
-      run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 GODEBUG=fips140=only LDFLAGS=-checklinkname=0 ./build.sh
+      run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 LDFLAGS=-checklinkname=0 ./build.sh
 
     - name: run smoke-fips140
       working-directory: ./.github/workflows/smoke
-      run: NAME="smoke-fips140" GODEBUG=fips140=only ./smoke.sh
+      run: NAME="smoke-fips140" ./smoke.sh
 
     timeout-minutes: 10

.github/workflows/smoke/smoke.sh

@@ -56,23 +56,18 @@ done
 
 CONTAINER="nebula:${NAME:-smoke}"
 
-docker_run() {
-    # Pass along GODEBUG so we can test GODEBUG=fips140=...
-    docker run -e GODEBUG="$(go env GODEBUG)" "$@"
-}
+docker run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
+docker run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
+docker run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
+docker run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
 
-docker_run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
-docker_run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
-docker_run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
-docker_run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
-
-docker_run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/  [lighthouse1]  /' &
+docker run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/  [lighthouse1]  /' &
 sleep 1
-docker_run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/  [host2]  /' &
+docker run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/  [host2]  /' &
 sleep 1
-docker_run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/  [host3]  /' &
+docker run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/  [host3]  /' &
 sleep 1
-docker_run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/  [host4]  /' &
+docker run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/  [host4]  /' &
 sleep 1
 
 # grab tcpdump pcaps for debugging

Makefile

@@ -169,7 +169,7 @@ vet:
 	go vet $(VET_FLAGS) -v ./...
 
 test:
-	go test -v ./...
+	$(TEST_ENV) go test $(TEST_FLAGS) -v ./...
 
 test-boringcrypto:
 	GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go test -ldflags "-checklinkname=0" -v ./...
@@ -218,7 +218,6 @@ endif
 fips140:
 	@echo > $(NULL_FILE)
 	$(eval GOENV += GOFIPS140=v1.0.0)
-	$(eval GOENV += GODEBUG=fips140=on)
 	$(eval LDFLAGS += -checklinkname=0)
 	$(eval TEST_FLAGS += -ldflags -checklinkname=0)
 	$(eval TEST_ENV += $(GOENV))
@@ -226,17 +225,6 @@ ifeq ($(words $(MAKECMDGOALS)),1)
 	@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
 endif
 
-fips140only:
-	@echo > $(NULL_FILE)
-	$(eval GOENV += GOFIPS140=v1.0.0)
-	$(eval GOENV += GODEBUG=fips140=only)
-	$(eval LDFLAGS += -checklinkname=0)
-	$(eval TEST_FLAGS += -ldflags -checklinkname=0)
-	$(eval TEST_ENV += $(GOENV))
-ifeq ($(words $(MAKECMDGOALS)),1)
-	@$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
-endif
-
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 
 smoke-docker: bin-docker

README.md

@@ -156,15 +156,14 @@ make bin-boringcrypto
 make release-boringcrypto
 ```
 
-Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (this must be set at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
+Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (This sets GOFIPS140=v1.0.0,
+which must be done at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
 
 ```sh
 make fips140
 make fips140 release
 ```
 
-You will then also need to run nebula with `GODEBUG=fips140=only` to enable usage at runtime.
-
 This is not the recommended default deployment, but may be useful based on your compliance requirements.
 
 ## Credits

boring.go

@@ -4,4 +4,9 @@ package nebula
 
 import "crypto/boring"
 
-var boringEnabled = boring.Enabled
+func getFIPS140() string {
+	if boring.Enabled() {
+		return "boringcrypto"
+	}
+	return "off"
+}

fips140.go

@@ -1,31 +0,0 @@
-package nebula
-
-import (
-	"crypto/fips140"
-	"runtime/debug"
-)
-
-func getFIPS140() string {
-	switch {
-	case fips140.Enforced():
-		return "only"
-	case fips140.Enabled():
-		return "on"
-	default:
-		return "off"
-	}
-}
-
-func getFIPS140Version() string {
-	// The docs for fips140.Version mention this is more accurate to
-	// get the exact version
-	info, ok := debug.ReadBuildInfo()
-	if ok {
-		for _, s := range info.Settings {
-			if s.Key == "GOFIPS140" {
-				return s.Value
-			}
-		}
-	}
-	return fips140.Version()
-}

interface.go

@@ -232,9 +232,7 @@ func (f *Interface) activate() error {
 		"networks", f.myVpnNetworks,
 		"build", f.version,
 		"udpAddr", addr,
-		"boringcrypto", boringEnabled(),
 		"fips140", getFIPS140(),
-		"fips140version", getFIPS140Version(),
 	)
 
 	if f.routines > 1 {

notboring.go

@@ -2,4 +2,31 @@
 
 package nebula
 
-var boringEnabled = func() bool { return false }
+import (
+	"crypto/fips140"
+	"runtime/debug"
+)
+
+func getFIPS140() string {
+	switch {
+	case fips140.Enabled():
+		return getFIPS140Version()
+	default:
+		return "off"
+	}
+}
+
+func getFIPS140Version() string {
+	// The docs for fips140.Version mention this is more accurate to
+	// get the exact version
+	// - https://pkg.go.dev/crypto/fips140#Version
+	info, ok := debug.ReadBuildInfo()
+	if ok {
+		for _, s := range info.Settings {
+			if s.Key == "GOFIPS140" {
+				return s.Value
+			}
+		}
+	}
+	return fips140.Version()
+}

stats.go

@@ -8,7 +8,6 @@ import (
 	"net"
 	"net/http"
 	"runtime"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -288,9 +287,9 @@ func (s *statsServer) buildRuntime(cfg statsConfig) ([]func(), *http.Server) {
 			Name:      "info",
 			Help:      "Version information for the Nebula binary",
 			ConstLabels: prometheus.Labels{
-				"version":      s.buildVersion,
-				"goversion":    runtime.Version(),
-				"boringcrypto": strconv.FormatBool(boringEnabled()),
+				"version":   s.buildVersion,
+				"goversion": runtime.Version(),
+				"fips140":   getFIPS140(),
 			},
 		})
 		pr.MustRegister(g)