From e6eeb3709b3b19bcb75650845d2726bb3fcb150f Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Mon, 27 Apr 2026 16:27:58 -0400
Subject: [PATCH] fix smoke tests
---
 .github/workflows/smoke.yml | 4 ++--
 .github/workflows/smoke/smoke.sh | 21 +++++++++++++--------
 Makefile | 10 ++++++++++
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
index 88b802c1..9eb37e9b 100644
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -54,10 +54,10 @@ jobs:
 - name: setup docker image for fips140
 working-directory: ./.github/workflows/smoke
- run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 LDFLAGS=-checklinkname=0 ./build.sh
+ run: NAME="smoke-fips140" CURVE=P256 GOFIPS140=v1.0.0 GODEBUG=fips140=only LDFLAGS=-checklinkname=0 ./build.sh
 - name: run smoke-fips140
 working-directory: ./.github/workflows/smoke
- run: NAME="smoke-fips140" ./smoke.sh
+ run: NAME="smoke-fips140" GODEBUG=fips140=only ./smoke.sh
 timeout-minutes: 10
diff --git a/.github/workflows/smoke/smoke.sh b/.github/workflows/smoke/smoke.sh
index cad9dde7..f8a11128 100755
--- a/.github/workflows/smoke/smoke.sh
+++ b/.github/workflows/smoke/smoke.sh
@@ -56,18 +56,23 @@ done
 CONTAINER="nebula:${NAME:-smoke}"
-docker run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
-docker run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
-docker run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
-docker run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
+docker_run() {
+ # Pass along GODEBUG so we can test GODEBUG=fips140=...
+ docker run -e GODEBUG="$(go env GODEBUG)" "$@"
+}
-docker run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
+docker_run --name lighthouse1 --rm "$CONTAINER" -config lighthouse1.yml -test
+docker_run --name host2 --rm -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" "$CONTAINER" -config host2.yml -test
+docker_run --name host3 --rm -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" "$CONTAINER" -config host3.yml -test
+docker_run --name host4 --rm -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" "$CONTAINER" -config host4.yml -test
+
+docker_run --name lighthouse1 --network "$NETWORK" --ip "$LIGHTHOUSE_IP" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config lighthouse1.yml 2>&1 | tee logs/lighthouse1 | sed -u 's/^/ [lighthouse1] /' &
 sleep 1
-docker run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' &
+docker_run --name host2 --network "$NETWORK" --ip "$HOST2_IP" -v "$PWD/build/host2.yml:/nebula/host2.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host2.yml 2>&1 | tee logs/host2 | sed -u 's/^/ [host2] /' &
 sleep 1
-docker run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' &
+docker_run --name host3 --network "$NETWORK" --ip "$HOST3_IP" -v "$PWD/build/host3.yml:/nebula/host3.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host3.yml 2>&1 | tee logs/host3 | sed -u 's/^/ [host3] /' &
 sleep 1
-docker run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' &
+docker_run --name host4 --network "$NETWORK" --ip "$HOST4_IP" -v "$PWD/build/host4.yml:/nebula/host4.yml:ro" --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm "$CONTAINER" -config host4.yml 2>&1 | tee logs/host4 | sed -u 's/^/ [host4] /' &
 sleep 1
 # grab tcpdump pcaps for debugging
diff --git a/Makefile b/Makefile
index 9dffa0e3..482acfe2 100644
--- a/Makefile
+++ b/Makefile
@@ -218,11 +218,21 @@ endif
 fips140:
 @echo > $(NULL_FILE)
 $(eval GOENV += GOFIPS140=v1.0.0)
+ $(eval GOENV += GODEBUG=fips140=on)
 $(eval LDFLAGS += -checklinkname=0)
 ifeq ($(words $(MAKECMDGOALS)),1)
 @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
 endif
+fips140only:
+ @echo > $(NULL_FILE)
+ $(eval GOENV += GOFIPS140=v1.0.0)
+ $(eval GOENV += GODEBUG=fips140=only)
+ $(eval LDFLAGS += -checklinkname=0)
+ifeq ($(words $(MAKECMDGOALS)),1)
+ @$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
+endif
+
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 smoke-docker: bin-docker
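Review bot: `docker_run` in smoke.sh takes its value from `go env GODEBUG`, so if `go` is missing on the host or that call fails, the substitution is empty and every container starts with `GODEBUG=`; the smoke-fips140 job would then pass without any container being in `fips140=only` mode. Reading the variable the workflow already exports removes the toolchain dependency: `docker run -e GODEBUG="${GODEBUG:-}" "$@"` (keep `go env` only if a value set through `go env -w` is meant to be honoured). For the FIPS run the script should also refuse an empty value, e.g. `[ "${NAME:-}" != smoke-fips140 ] || [ -n "${GODEBUG:-}" ] || { echo "GODEBUG not set" >&2; exit 1; }`. The rest of the script is outside the hunk, so whether a later step would catch a non-FIPS run is not visible here.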
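Review bot: The new `fips140only` target needs a comment stating what `GODEBUG=fips140=only` in `GOENV` covers. As far as I know, GODEBUG is read by a Go program when it runs and an environment value present during `go build` is not recorded in the binary, so this setting would reach the go tool and what it runs (tests, for instance) but not a shipped `nebula` binary, which is presumably why smoke.sh passes it with `-e`. A line such as `# fips140only: run the go toolchain and tests with GODEBUG=fips140=only; built binaries still need GODEBUG set in their runtime environment` above the target would keep anyone from treating its output as enforcing only-mode by itself. How `GOENV` is consumed lies outside the hunk, so confirm this against the build rules. The recipe is also a copy of `fips140` that differs in one value, and neither name is visibly declared in `.PHONY`.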