From c7e035479c52395f3fc34fde63f8949bf0b3b2fe Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Tue, 2 Jun 2026 16:36:58 -0400
Subject: [PATCH] enforce GODEBUG=fips140=only

This makes it much nicer to prove we are using the fips140 module for all crypto.
---
cmd/nebula-cert/fips140.go | 13 +++++++++++++
cmd/nebula-service/fips140.go | 13 +++++++++++++
cmd/nebula/fips140.go | 13 +++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 cmd/nebula-cert/fips140.go
create mode 100644 cmd/nebula-service/fips140.go
create mode 100644 cmd/nebula/fips140.go

diff --git a/cmd/nebula-cert/fips140.go b/cmd/nebula-cert/fips140.go
new file mode 100644
index 00000000..80f33773
--- /dev/null
+++ b/cmd/nebula-cert/fips140.go
@@ -0,0 +1,13 @@
+//go:build fips140v1.0 || fips140v1.26
+
+package main
+
+import (
+ "crypto/fips140"
+)
+
+func init() {
+ if !fips140.Enforced() {
+ panic("Nebula compiled with fips140 expects FIPS140 to be enforced. Do not set GODEBUG=fips140, or if you do it must be set as GODEBUG=fips140=only")
+ }
+}
diff --git a/cmd/nebula-service/fips140.go b/cmd/nebula-service/fips140.go
new file mode 100644
index 00000000..80f33773
--- /dev/null
+++ b/cmd/nebula-service/fips140.go
@@ -0,0 +1,13 @@
+//go:build fips140v1.0 || fips140v1.26
+
+package main
+
+import (
+ "crypto/fips140"
+)
+
+func init() {
+ if !fips140.Enforced() {
+ panic("Nebula compiled with fips140 expects FIPS140 to be enforced. Do not set GODEBUG=fips140, or if you do it must be set as GODEBUG=fips140=only")
+ }
+}
diff --git a/cmd/nebula/fips140.go b/cmd/nebula/fips140.go
new file mode 100644
index 00000000..80f33773
--- /dev/null
+++ b/cmd/nebula/fips140.go
@@ -0,0 +1,13 @@
+//go:build fips140v1.0 || fips140v1.26
+
+package main
+
+import (
+ "crypto/fips140"
+)
+
+func init() {
+ if !fips140.Enforced() {
+ panic("Nebula compiled with fips140 expects FIPS140 to be enforced. Do not set GODEBUG=fips140, or if you do it must be set as GODEBUG=fips140=only")
+ }
+}
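Review bot: The `//go:build fips140v1.0 || fips140v1.26` constraint at the top of cmd/nebula-cert/fips140.go (and the identical copies in cmd/nebula-service/fips140.go and cmd/nebula/fips140.go) makes the enforcement check fail open: a binary built under any tag set that matches neither name, for example a later frozen module version, compiles none of these files and starts with no check at all. Since the commit's stated goal is to prove the fips140 module is used for all crypto, I would say so on the constraint, e.g. `// Keep this tag list in sync with every GOFIPS140 version we build with; a build matching neither tag silently skips the check.`, and back it with a release-time test that starts each built binary with `GODEBUG=fips140=on` and expects a non-zero exit. `fips140.Enforced()` is also sampled only once in `init`, and as I understand the package, enforcement can later be lifted for a scope through `fips140.WithoutEnforcement`, so the guard shows that the process started in `only` mode rather than that every later call ran under it; a one-line comment on `init` stating that limit would keep the guarantee from being over-read. With three byte-identical files the tag list and message can drift apart, so the same comment should name the sibling copies.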