diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
index ac2e66ef..0f5926d3 100644
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -54,10 +54,10 @@ jobs:
 - name: setup docker image for fips140
 working-directory: ./.github/workflows/smoke
- run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 GODEBUG=fips140=only LDFLAGS=-checklinkname=0 ./build.sh
+ run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 LDFLAGS=-checklinkname=0 ./build.sh
 - name: run smoke-fips140
 working-directory: ./.github/workflows/smoke
- run: NAME="smoke-fips140" GODEBUG=fips140=only ./smoke.sh
+ run: NAME="smoke-fips140" ./smoke.sh
 timeout-minutes: 10
diff --git a/.github/workflows/smoke/smoke.sh b/.github/workflows/smoke/smoke.sh
index f8a11128..cad9dde7 100755
--- a/.github/workflows/smoke/smoke.sh
+++ b/.github/workflows/smoke/smoke.sh
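Review bot: With `GODEBUG=fips140=only` dropped from both `run:` lines, the smoke-fips140 job now only proves that a `GOFIPS140=v1.0.0` build starts and connects; because GOFIPS140 makes `fips140=on` the runtime default, the enforcement path (`only`, where non-approved algorithms are rejected) is no longer exercised anywhere in CI. The smoke.sh hunk removes the `docker_run` wrapper that forwarded GODEBUG into the containers, so enforcement cannot be re-enabled from the job's environment either. If dropping enforcement coverage is intentional, a comment on the step would save the next reader a search: `# GOFIPS140 selects the FIPS module (fips140=on at runtime); strict fips140=only is not exercised here`.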
@@ -56,23 +56,18 @@ done
 CONTAINER="nebula:${NAME:-smoke}"
-docker_run() {
- # Pass along GODEBUG so we can test GODEBUG=fips140=...
- docker run -e GODEBUG="$(go env GODEBUG)" "$@"
-}
+docker run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
+docker run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
+docker run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
+docker run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
-docker_run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
-docker_run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
-docker_run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
-docker_run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
-
-docker_run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
+docker run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
 sleep 1
-docker_run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' &
+docker run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' &
 sleep 1
-docker_run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' &
+docker run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' &
 sleep 1
-docker_run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' &
+docker run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' &
 sleep 1
 # grab tcpdump pcaps for debugging
diff --git a/Makefile b/Makefile
index eb605a22..ff6347d4 100644
--- a/Makefile
+++ b/Makefile
@@ -169,7 +169,7 @@ vet:
 go vet $(VET_FLAGS) -v ./...
 test:
- go test -v ./...
+ $(TEST_ENV) go test $(TEST_FLAGS) -v ./...
 test-boringcrypto:
 GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go test -ldflags "-checklinkname=0" -v ./...
@@ -218,7 +218,6 @@ endif
 fips140:
 @echo > $(NULL_FILE)
 $(eval GOENV += GOFIPS140=v1.0.0)
- $(eval GOENV += GODEBUG=fips140=on)
 $(eval LDFLAGS += -checklinkname=0)
 $(eval TEST_FLAGS += -ldflags -checklinkname=0)
 $(eval TEST_ENV += $(GOENV))
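Review bot: The `fips140` target now sets only `GOFIPS140=v1.0.0`, and nothing in the Makefile records why `GODEBUG=fips140=on` could be dropped; a reader comparing it with the `fips140only` target removed in the following hunk will wonder whether the runtime mode is still being selected at all. A GOFIPS140 build defaults to `fips140=on` at runtime, so the removed line was redundant, but that reasoning belongs next to the target: `# GOFIPS140 selects the FIPS 140-3 module at build time; the runtime default is then fips140=on, so no GODEBUG is needed here. Enforcement (fips140=only) is an operator runtime choice, not a build flag.` In the first hunk the `test` target now honours TEST_ENV/TEST_FLAGS while `test-boringcrypto` on the following context line still hard-codes its environment and flags; either align it or note that it is deliberately separate.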
@@ -226,17 +225,6 @@ ifeq ($(words $(MAKECMDGOALS)),1)
 @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
 endif
-fips140only:
- @echo > $(NULL_FILE)
- $(eval GOENV += GOFIPS140=v1.0.0)
- $(eval GOENV += GODEBUG=fips140=only)
- $(eval LDFLAGS += -checklinkname=0)
- $(eval TEST_FLAGS += -ldflags -checklinkname=0)
- $(eval TEST_ENV += $(GOENV))
-ifeq ($(words $(MAKECMDGOALS)),1)
- @$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
-endif
-
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 smoke-docker: bin-docker
diff --git a/README.md b/README.md
index 98476a29..1ba0dac1 100644
--- a/README.md
+++ b/README.md
@@ -156,15 +156,14 @@ make bin-boringcrypto
 make release-boringcrypto
 ```
-Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (this must be set at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
+Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (This sets GOFIPS140=v1.0.0,
+which must be done at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
 ```sh
 make fips140
 make fips140 release
 ```
-You will then also need to run nebula with `GODEBUG=fips140=only` to enable usage at runtime.
-
 This is not the recommended default deployment, but may be useful based on your compliance requirements.
 ## Credits
diff --git a/boring.go b/boring.go
index abe403fc..1969bfc7 100644
--- a/boring.go
+++ b/boring.go
@@ -4,4 +4,9 @@ package nebula
 import "crypto/boring"
-var boringEnabled = boring.Enabled
+func getFIPS140() string {
+ if boring.Enabled() {
+ return "boringcrypto"
+ }
+ return "off"
+}
diff --git a/fips140.go b/fips140.go
deleted file mode 100644
index 4307dbda..00000000
--- a/fips140.go
+++ /dev/null
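Review bot: `getFIPS140` in boring.go has no doc comment, and its return vocabulary (`"boringcrypto"` / `"off"`) differs from the build-tagged sibling in notboring.go, which returns a module version string such as `v1.0.0` or `"off"`; since the value ends up as a field on the activate log line and as the `fips140` constant label on the `info` metric, the contract should be stated in one place. Suggested doc comment: `// getFIPS140 reports the crypto mode for the info log line and the "fips140" metric label. In a GOEXPERIMENT=boringcrypto build this is "boringcrypto" when crypto/boring is active, else "off"; the non-boring build reports the GOFIPS140 module version instead.` The build constraint that selects this file is presumably above the hunk and is not visible here.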
@@ -1,31 +0,0 @@
-package nebula
-
-import (
- "crypto/fips140"
- "runtime/debug"
-)
-
-func getFIPS140() string {
- switch {
- case fips140.Enforced():
- return "only"
- case fips140.Enabled():
- return "on"
- default:
- return "off"
- }
-}
-
-func getFIPS140Version() string {
- // The docs for fips140.Version mention this is more accurate to
- // get the exact version
- info, ok := debug.ReadBuildInfo()
- if ok {
- for _, s := range info.Settings {
- if s.Key == "GOFIPS140" {
- return s.Value
- }
- }
- }
- return fips140.Version()
-}
diff --git a/interface.go b/interface.go
index 0017fe01..38168baf 100644
--- a/interface.go
+++ b/interface.go
@@ -232,9 +232,7 @@ func (f *Interface) activate() error {
 "networks", f.myVpnNetworks,
 "build", f.version,
 "udpAddr", addr,
- "boringcrypto", boringEnabled(),
 "fips140", getFIPS140(),
- "fips140version", getFIPS140Version(),
 )
 if f.routines > 1 {
diff --git a/notboring.go b/notboring.go
index f138a0a6..3de08656 100644
--- a/notboring.go
+++ b/notboring.go
@@ -2,4 +2,31 @@
 package nebula
-var boringEnabled = func() bool { return false }
+import (
+ "crypto/fips140"
+ "runtime/debug"
+)
+
+func getFIPS140() string {
+ switch {
+ case fips140.Enabled():
+ return getFIPS140Version()
+ default:
+ return "off"
+ }
+}
+
+func getFIPS140Version() string {
+ // The docs for fips140.Version mention this is more accurate to
+ // get the exact version
+ // - https://pkg.go.dev/crypto/fips140#Version
+ info, ok := debug.ReadBuildInfo()
+ if ok {
+ for _, s := range info.Settings {
+ if s.Key == "GOFIPS140" {
+ return s.Value
+ }
+ }
+ }
+ return fips140.Version()
+}
diff --git a/stats.go b/stats.go
index 97ce7cf5..19d1a0a1 100644
--- a/stats.go
+++ b/stats.go
@@ -8,7 +8,6 @@ import (
 "net"
 "net/http"
 "runtime"
- "strconv"
 "sync"
 "sync/atomic"
 "time"
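Review bot: The new `getFIPS140` in notboring.go no longer distinguishes `fips140.Enforced()` from `fips140.Enabled()`, which the deleted fips140.go did (`"only"` vs `"on"`); an operator reading the activate log line or the `fips140` metric label now sees the same version string whether or not `GODEBUG=fips140=only` is actually enforcing, and that is precisely the fact a compliance check wants to see. Keeping the version while still marking enforcement costs two lines ahead of the existing `Enabled()` case: `case fips140.Enforced(): return getFIPS140Version() + "-only"`. As a matter of style, a `switch` with one `case` plus `default` reads more naturally as `if fips140.Enabled() { return getFIPS140Version() }` followed by `return "off"`. `getFIPS140Version` also deserves a doc comment stating that it prefers the `GOFIPS140` setting recorded by `debug.ReadBuildInfo` and falls back to `fips140.Version()` when build info is unavailable or lacks that key.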
@@ -288,9 +287,9 @@ func (s *statsServer) buildRuntime(cfg statsConfig) ([]func(), *http.Server) {
 Name: "info",
 Help: "Version information for the Nebula binary",
 ConstLabels: prometheus.Labels{
- "version": s.buildVersion,
- "goversion": runtime.Version(),
- "boringcrypto": strconv.FormatBool(boringEnabled()),
+ "version": s.buildVersion,
+ "goversion": runtime.Version(),
+ "fips140": getFIPS140(),
 },
 })
 pr.MustRegister(g)
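Review bot: The constant label set on the `info` gauge changes from `boringcrypto` to `fips140`, which silently breaks any dashboard or alert that selects on `boringcrypto="true"`, and the new label's values are not uniform across builds (`"off"`, a module version string such as `v1.0.0`, or `"boringcrypto"` depending on build tags); neither point is mentioned anywhere in the diff. This deserves a changelog line and a comment on the label: `// "fips140" is build-dependent: "off", the GOFIPS140 module version, or "boringcrypto" (see boring.go / notboring.go)`. The enclosing `buildRuntime` method starts before and ends after this hunk.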