requires go1.26

.github/workflows/test.yml

@@ -72,6 +72,27 @@ jobs:
     - name: End 2 end
       run: make e2e GOEXPERIMENT=boringcrypto CGO_ENABLED=1 TEST_ENV="TEST_LOGS=1" TEST_FLAGS="-v -ldflags -checklinkname=0"
 
+  test-linux-fips140:
+    name: Build and test on linux with fips140=on
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: actions/checkout@v6
+
+    - uses: actions/setup-go@v6
+      with:
+        go-version: '1.25'
+        check-latest: true
+
+    - name: Build
+      run: make fips140
+
+    - name: Test
+      run: make fips140 test
+
+    - name: End 2 end
+      run: make fips140 e2evv
+
   test-linux-pkcs11:
     name: Build and test on linux with pkcs11
     runs-on: ubuntu-latest

Makefile

@@ -220,6 +220,8 @@ fips140:
 	$(eval GOENV += GOFIPS140=v1.0.0)
 	$(eval GOENV += GODEBUG=fips140=on)
 	$(eval LDFLAGS += -checklinkname=0)
+	$(eval TEST_FLAGS += -ldflags -checklinkname=0)
+	$(eval TEST_ENV += $(GOENV))
 ifeq ($(words $(MAKECMDGOALS)),1)
 	@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
 endif
@@ -229,6 +231,8 @@ fips140only:
 	$(eval GOENV += GOFIPS140=v1.0.0)
 	$(eval GOENV += GODEBUG=fips140=only)
 	$(eval LDFLAGS += -checklinkname=0)
+	$(eval TEST_FLAGS += -ldflags -checklinkname=0)
+	$(eval TEST_ENV += $(GOENV))
 ifeq ($(words $(MAKECMDGOALS)),1)
 	@$(MAKE) fips140only ${.DEFAULT_GOAL} --no-print-directory
 endif
@@ -236,14 +240,14 @@ endif
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 
 smoke-docker: bin-docker
-	cd .github/workflows/smoke/ && ./build.sh
-	cd .github/workflows/smoke/ && ./smoke.sh
-	cd .github/workflows/smoke/ && NAME="smoke-p256" CURVE="P256" ./build.sh
-	cd .github/workflows/smoke/ && NAME="smoke-p256" ./smoke.sh
+	cd .github/workflows/smoke/ && $(GOENV) ./build.sh
+	cd .github/workflows/smoke/ && $(GOENV)./smoke.sh
+	cd .github/workflows/smoke/ && $(GOENV) NAME="smoke-p256" CURVE="P256" ./build.sh
+	cd .github/workflows/smoke/ && $(GOENV) NAME="smoke-p256" ./smoke.sh
 
 smoke-relay-docker: bin-docker
-	cd .github/workflows/smoke/ && ./build-relay.sh
-	cd .github/workflows/smoke/ && ./smoke-relay.sh
+	cd .github/workflows/smoke/ && $(GOENV) ./build-relay.sh
+	cd .github/workflows/smoke/ && $(GOENV) ./smoke-relay.sh
 
 smoke-docker-race: BUILD_ARGS = -race
 smoke-docker-race: CGO_ENABLED = 1

fips140.go

@@ -2,16 +2,30 @@ package nebula
 
 import (
 	"crypto/fips140"
-	"fmt"
+	"runtime/debug"
 )
 
-func fips140version() string {
+func getFIPS140() string {
 	switch {
 	case fips140.Enforced():
-		return fmt.Sprintf("only,version=%s", fips140.Version())
+		return "only"
 	case fips140.Enabled():
-		return fmt.Sprintf("on,version=%s", fips140.Version())
+		return "on"
 	default:
 		return "off"
 	}
 }
+
+func getFIPS140Version() string {
+	// The docs for fips140.Version mention this is more accurate to
+	// get the exact version
+	info, ok := debug.ReadBuildInfo()
+	if ok {
+		for _, s := range info.Settings {
+			if s.Key == "GOFIPS140" {
+				return s.Value
+			}
+		}
+	}
+	return fips140.Version()
+}

interface.go

@@ -233,7 +233,8 @@ func (f *Interface) activate() error {
 		"build", f.version,
 		"udpAddr", addr,
 		"boringcrypto", boringEnabled(),
-		"fips140", fips140version(),
+		"fips140", getFIPS140(),
+		"fips140version", getFIPS140Version(),
 	)
 
 	if f.routines > 1 {