From f9532f42447fd3f04c4e26fd98b985a4f736f0f1 Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Mon, 27 Apr 2026 17:16:28 -0400
Subject: [PATCH] requires go1.26

---
 .github/workflows/test.yml | 21 +++++++++++++++++++++
 Makefile | 16 ++++++++++------
 fips140.go | 22 ++++++++++++++++++----
 interface.go | 3 ++-
 4 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index aeaea294..80f3e633 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -72,6 +72,27 @@ jobs:
 - name: End 2 end run: make e2e GOEXPERIMENT=boringcrypto CGO_ENABLED=1 TEST_ENV="TEST_LOGS=1" TEST_FLAGS="-v -ldflags -checklinkname=0"
+ test-linux-fips140: name: Build and test on linux with fips140=on runs-on: ubuntu-latest steps:
+ - uses: actions/checkout@v6
+ - uses: actions/setup-go@v6 with: go-version: '1.25' check-latest: true
+ - name: Build run: make fips140
+ - name: Test run: make fips140 test
+ - name: End 2 end run: make fips140 e2evv
+ test-linux-pkcs11: name: Build and test on linux with pkcs11 runs-on: ubuntu-latest
diff --git a/Makefile b/Makefile
index 482acfe2..eb605a22 100644
--- a/Makefile
+++ b/Makefile
@@ -220,6 +220,8 @@ fips140:
 $(eval GOENV += GOFIPS140=v1.0.0)
 $(eval GOENV += GODEBUG=fips140=on)
 $(eval LDFLAGS += -checklinkname=0)
+ $(eval TEST_FLAGS += -ldflags -checklinkname=0)
+ $(eval TEST_ENV += $(GOENV))
 ifeq ($(words $(MAKECMDGOALS)),1)
 @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
 endif
@@ -229,6 +231,8 @@ fips140only:
 $(eval GOENV += GOFIPS140=v1.0.0)
 $(eval GOENV += GODEBUG=fips140=only)
 $(eval LDFLAGS += -checklinkname=0)
+ $(eval TEST_FLAGS += -ldflags -checklinkname=0)
+ $(eval TEST_ENV += $(GOENV))
 ifeq ($(words $(MAKECMDGOALS)),1)
 @$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
 endif
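Review bot: The new `test-linux-fips140` job pins `go-version: '1.25'` while the commit subject says the change requires go1.26, and the diffstat lists no go.mod change; with `check-latest: true` setup-go resolves that to the newest 1.25.x, so this job only ends up on 1.26 if go.mod's `go` directive already triggers a GOTOOLCHAIN download, which nothing in this diff shows. Pin what the code needs, `go-version: '1.26'`, so that a toolchain lacking the APIs the subject refers to (presumably the `crypto/fips140` calls in fips140.go) fails visibly in this job rather than being papered over by toolchain auto-switching. Unlike the boringcrypto steps just above, the fips140 `Test` and `End 2 end` steps pass no `TEST_ENV="TEST_LOGS=1"` or `-v`, which will make the first FIPS-only failure harder to diagnose from CI output alone.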
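Review bot: `$(eval TEST_FLAGS += -ldflags -checklinkname=0)` introduces a second `-ldflags` into the test command; if the test recipe (outside this hunk) already passes `-ldflags "$(LDFLAGS)"` — and `LDFLAGS` is given `-checklinkname=0` on the line above — `go test` keeps only the last `-ldflags` it sees, so any other linker flags in `LDFLAGS` would be silently dropped for tests; in that case pass the whole `$(LDFLAGS)` once rather than a second `-ldflags`. Because `-checklinkname=0` disables the linker's guard against `//go:linkname` references into unexported runtime symbols, a comment recording which dependency forces it under GOFIPS140 would let a future maintainer remove it safely, e.g. `# -checklinkname=0: <dep> linknames runtime internals under GOFIPS140; revisit on Go/dep upgrades`. The identical pair of lines is repeated in the `fips140only` hunk below; factoring them into one shared variable keeps the two modes from drifting.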
@@ -236,14 +240,14 @@ endif
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert

 smoke-docker: bin-docker
- cd .github/workflows/smoke/ && ./build.sh
- cd .github/workflows/smoke/ && ./smoke.sh
- cd .github/workflows/smoke/ && NAME="smoke-p256" CURVE="P256" ./build.sh
- cd .github/workflows/smoke/ && NAME="smoke-p256" ./smoke.sh
+ cd .github/workflows/smoke/ && $(GOENV) ./build.sh
+ cd .github/workflows/smoke/ && $(GOENV)./smoke.sh
+ cd .github/workflows/smoke/ && $(GOENV) NAME="smoke-p256" CURVE="P256" ./build.sh
+ cd .github/workflows/smoke/ && $(GOENV) NAME="smoke-p256" ./smoke.sh

 smoke-relay-docker: bin-docker
- cd .github/workflows/smoke/ && ./build-relay.sh
- cd .github/workflows/smoke/ && ./smoke-relay.sh
+ cd .github/workflows/smoke/ && $(GOENV) ./build-relay.sh
+ cd .github/workflows/smoke/ && $(GOENV) ./smoke-relay.sh

 smoke-docker-race: BUILD_ARGS = -race
 smoke-docker-race: CGO_ENABLED = 1
diff --git a/fips140.go b/fips140.go
index 1ed824c6..4307dbda 100644
--- a/fips140.go
+++ b/fips140.go
@@ -2,16 +2,30 @@ package nebula

 import (
 "crypto/fips140"
- "fmt"
+ "runtime/debug"
 )

-func fips140version() string {
+func getFIPS140() string {
 switch {
 case fips140.Enforced():
- return fmt.Sprintf("only,version=%s", fips140.Version())
+ return "only"
 case fips140.Enabled():
- return fmt.Sprintf("on,version=%s", fips140.Version())
+ return "on"
 default:
 return "off"
 }
 }
+
+func getFIPS140Version() string {
+ // The docs for fips140.Version mention this is more accurate to
+ // get the exact version
+ info, ok := debug.ReadBuildInfo()
+ if ok {
+ for _, s := range info.Settings {
+ if s.Key == "GOFIPS140" {
+ return s.Value
+ }
+ }
+ }
+ return fips140.Version()
+}
diff --git a/interface.go b/interface.go
index 7d6f90a7..0017fe01 100644
--- a/interface.go
+++ b/interface.go
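Review bot: `$(GOENV)./smoke.sh` on the second rewritten `smoke-docker` line is missing the space before `./smoke.sh`; whenever `GOENV` is non-empty (the `fips140` and `fips140only` targets set it) the shell reads its last word as an assignment such as `GODEBUG=fips140=on./smoke.sh` with no command word, so the smoke test is skipped and the recipe still exits 0 — the FIPS smoke coverage this commit is wiring up would pass vacuously. The fix is `cd .github/workflows/smoke/ && $(GOENV) ./smoke.sh`, matching the other three lines. Note also that these variables only reach the host-side commands; whether `GOFIPS140`/`GODEBUG` propagate into the images and containers that build.sh and smoke.sh create is decided by those scripts, which are outside this diff.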
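Review bot: `getFIPS140` and `getFIPS140Version` have no doc comments and use a `get` prefix that Go style avoids; since their return values go straight into the startup log, state the contract: `// fips140Mode reports the runtime FIPS 140 mode: "only" when enforced, "on" when enabled, otherwise "off".` and `// fips140Version returns the GOFIPS140 version recorded in the build info, falling back to fips140.Version() when it is absent.` (the rename would also touch the call site in interface.go). The comment `// The docs for fips140.Version mention this is more accurate to get the exact version` reads awkwardly; `// Prefer the GOFIPS140 build setting, which per the fips140.Version docs identifies the exact module version.` says the same thing more directly. Whether `debug.ReadBuildInfo` records `GOFIPS140` for a binary built without it set, and what `fips140.Version()` returns in that case, I cannot confirm from here; worth a quick check that the common non-FIPS build does not log an empty `fips140version`.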
@@ -233,7 +233,8 @@ func (f *Interface) activate() error {
 "build", f.version,
 "udpAddr", addr,
 "boringcrypto", boringEnabled(),
- "fips140", fips140version(),
+ "fips140", getFIPS140(),
+ "fips140version", getFIPS140Version(),
 )

 if f.routines > 1 {