cleanup, no GODEBUG needed

This commit is contained in:
Wade Simmons
2026-04-28 11:58:43 -04:00
parent 65450f9d21
commit ae58085032
9 changed files with 50 additions and 70 deletions


@@ -54,10 +54,10 @@ jobs:
- name: setup docker image for fips140 - name: setup docker image for fips140
working-directory: ./.github/workflows/smoke working-directory: ./.github/workflows/smoke
run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 GODEBUG=fips140=only LDFLAGS=-checklinkname=0 ./build.sh run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 LDFLAGS=-checklinkname=0 ./build.sh
- name: run smoke-fips140 - name: run smoke-fips140
working-directory: ./.github/workflows/smoke working-directory: ./.github/workflows/smoke
run: NAME="smoke-fips140" GODEBUG=fips140=only ./smoke.sh run: NAME="smoke-fips140" ./smoke.sh
timeout-minutes: 10 timeout-minutes: 10
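Review bot: Removing `GODEBUG=fips140=only` from both `run:` lines of the fips140 smoke job (and the `docker_run` wrapper that forwarded it in smoke.sh) changes what the job proves: as I read the Go docs, `fips140=only` makes non-approved algorithms error or panic, whereas `GOFIPS140=v1.0.0` alone leaves the module in its default enabled mode, so a code path that quietly falls back to a non-approved primitive would no longer fail this job. If dropping enforcement coverage is intentional, which the commit title suggests, a one-line comment on the step would stop the next reader from re-adding the knob, e.g. `# GOFIPS140 at build time is sufficient here; fips140=only enforcement is deliberately not exercised`. Otherwise the `CURVE=P256` build step is the natural place to keep the enforcement run.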


@@ -56,23 +56,18 @@ done
CONTAINER="nebula:${NAME:-smoke}" CONTAINER="nebula:${NAME:-smoke}"
docker_run() { docker run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
# Pass along GODEBUG so we can test GODEBUG=fips140=... docker run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
docker run -e GODEBUG="$(go env GODEBUG)" "$@" docker run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
} docker run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
docker_run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test docker run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
docker_run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
docker_run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
docker_run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
docker_run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
sleep 1 sleep 1
docker_run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' & docker run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' &
sleep 1 sleep 1
docker_run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' & docker run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' &
sleep 1 sleep 1
docker_run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' & docker run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' &
sleep 1 sleep 1
# grab tcpdump pcaps for debugging # grab tcpdump pcaps for debugging


@@ -169,7 +169,7 @@ vet:
go vet $(VET_FLAGS) -v ./... go vet $(VET_FLAGS) -v ./...
test: test:
go test -v ./... $(TEST_ENV) go test $(TEST_FLAGS) -v ./...
test-boringcrypto: test-boringcrypto:
GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go test -ldflags "-checklinkname=0" -v ./... GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go test -ldflags "-checklinkname=0" -v ./...
@@ -218,7 +218,6 @@ endif
fips140: fips140:
@echo > $(NULL_FILE) @echo > $(NULL_FILE)
$(eval GOENV += GOFIPS140=v1.0.0) $(eval GOENV += GOFIPS140=v1.0.0)
$(eval GOENV += GODEBUG=fips140=on)
$(eval LDFLAGS += -checklinkname=0) $(eval LDFLAGS += -checklinkname=0)
$(eval TEST_FLAGS += -ldflags -checklinkname=0) $(eval TEST_FLAGS += -ldflags -checklinkname=0)
$(eval TEST_ENV += $(GOENV)) $(eval TEST_ENV += $(GOENV))
@@ -226,17 +225,6 @@ ifeq ($(words $(MAKECMDGOALS)),1)
@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
endif endif
fips140only:
@echo > $(NULL_FILE)
$(eval GOENV += GOFIPS140=v1.0.0)
$(eval GOENV += GODEBUG=fips140=only)
$(eval LDFLAGS += -checklinkname=0)
$(eval TEST_FLAGS += -ldflags -checklinkname=0)
$(eval TEST_ENV += $(GOENV))
ifeq ($(words $(MAKECMDGOALS)),1)
@$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
endif
bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
smoke-docker: bin-docker smoke-docker: bin-docker
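Review bot: The `fips140` target still appends `$(GOENV)` to `TEST_ENV`, but the rewritten `test` recipe now reads only `$(TEST_FLAGS)`, so unless `TEST_ENV` is consumed elsewhere in the Makefile (not visible in this hunk) `make fips140 test` runs `go test` without `GOFIPS140=v1.0.0` in its environment and tests the non-FIPS build. The old form `go test -v ./... $(TEST_ENV)` would have passed the variables as arguments rather than environment, so this may have been latent already; the shell prefix form fixes it either way: `$(TEST_ENV) go test $(TEST_FLAGS) -v ./...`. If `TEST_ENV` really is unused after this change, the `$(eval TEST_ENV += $(GOENV))` line in `fips140` should go too.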


@@ -156,15 +156,14 @@ make bin-boringcrypto
make release-boringcrypto make release-boringcrypto
``` ```
Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (this must be set at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode). Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (This sets GOFIPS140=v1.0.0,
which must be done at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
```sh ```sh
make fips140 make fips140
make fips140 release make fips140 release
``` ```
You will then also need to run nebula with `GODEBUG=fips140=only` to enable usage at runtime.
This is not the recommended default deployment, but may be useful based on your compliance requirements. This is not the recommended default deployment, but may be useful based on your compliance requirements.
## Credits ## Credits


@@ -4,4 +4,9 @@ package nebula
import "crypto/boring" import "crypto/boring"
var boringEnabled = boring.Enabled func getFIPS140() string {
if boring.Enabled() {
return "boringcrypto"
}
return "off"
}
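Review bot: The new `getFIPS140` has no doc comment, and since this build-tagged variant returns `"boringcrypto"` while the other returns a `GOFIPS140` version string, the value of the `fips140` log field and metric label is no longer self-explanatory. A comment shared by both variants would pin the contract, e.g. `// getFIPS140 reports the FIPS 140 mode this binary was built with: the GOFIPS140 module version when the Go FIPS module is enabled, "boringcrypto" under GOEXPERIMENT=boringcrypto, or "off".` Note that this variant reports no module version at all, which is fine if that is the intended contract but worth stating in the same comment.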


@@ -1,31 +0,0 @@
package nebula
import (
"crypto/fips140"
"runtime/debug"
)
func getFIPS140() string {
switch {
case fips140.Enforced():
return "only"
case fips140.Enabled():
return "on"
default:
return "off"
}
}
func getFIPS140Version() string {
// The docs for fips140.Version mention this is more accurate to
// get the exact version
info, ok := debug.ReadBuildInfo()
if ok {
for _, s := range info.Settings {
if s.Key == "GOFIPS140" {
return s.Value
}
}
}
return fips140.Version()
}


@@ -232,9 +232,7 @@ func (f *Interface) activate() error {
"networks", f.myVpnNetworks, "networks", f.myVpnNetworks,
"build", f.version, "build", f.version,
"udpAddr", addr, "udpAddr", addr,
"boringcrypto", boringEnabled(),
"fips140", getFIPS140(), "fips140", getFIPS140(),
"fips140version", getFIPS140Version(),
) )
if f.routines > 1 { if f.routines > 1 {


@@ -2,4 +2,31 @@
package nebula package nebula
var boringEnabled = func() bool { return false } import (
"crypto/fips140"
"runtime/debug"
)
func getFIPS140() string {
switch {
case fips140.Enabled():
return getFIPS140Version()
default:
return "off"
}
}
func getFIPS140Version() string {
// The docs for fips140.Version mention this is more accurate to
// get the exact version
// - https://pkg.go.dev/crypto/fips140#Version
info, ok := debug.ReadBuildInfo()
if ok {
for _, s := range info.Settings {
if s.Key == "GOFIPS140" {
return s.Value
}
}
}
return fips140.Version()
}
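Review bot: The new `getFIPS140` folds the previous `"on"`/`"only"` distinction into a single version string, so a binary running under `GODEBUG=fips140=only` now logs and exports exactly the same `fips140` value as one running with the module merely enabled; operators who use that field to verify enforcement at runtime lose the signal. If that is acceptable given the commit's intent, it should at least be visible in the doc comment; if not, `fips140.Enforced()` (still available) can be surfaced with a suffix such as `if fips140.Enforced() { return getFIPS140Version() + "-only" }` before the plain return. Separately, a `switch` with one `case` and a `default` is just an `if`: `if fips140.Enabled() { return getFIPS140Version() }` followed by `return "off"`.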


@@ -8,7 +8,6 @@ import (
"net" "net"
"net/http" "net/http"
"runtime" "runtime"
"strconv"
"sync" "sync"
"sync/atomic" "sync/atomic"
"time" "time"
@@ -290,7 +289,7 @@ func (s *statsServer) buildRuntime(cfg statsConfig) ([]func(), *http.Server) {
ConstLabels: prometheus.Labels{ ConstLabels: prometheus.Labels{
"version": s.buildVersion, "version": s.buildVersion,
"goversion": runtime.Version(), "goversion": runtime.Version(),
"boringcrypto": strconv.FormatBool(boringEnabled()), "fips140": getFIPS140(),
}, },
}) })
pr.MustRegister(g) pr.MustRegister(g)
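Review bot: Replacing the `boringcrypto` const label with `fips140` on this gauge changes the metric's label set, so any existing dashboard or alert that selects on `boringcrypto="true"` will silently match nothing after upgrade. That is presumably intentional, but it deserves a line in the release notes, and the label's possible values (`"off"`, `"boringcrypto"`, or a GOFIPS140 version) should be documented near the gauge, e.g. `// fips140 carries the build's FIPS mode as reported by getFIPS140; replaces the former boringcrypto label.` The enclosing `buildRuntime` starts and ends outside this hunk.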