From a5d622179e1182f1743d5bb9030f55def1067713 Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Thu, 2 Feb 2023 19:32:21 -0600 Subject: [PATCH] Use tag boringcrypto instead of fips_strict --- cmd/pinniped-concierge-kube-cert-agent/main.go | 6 +++--- cmd/pinniped-server/main.go | 2 +- cmd/pinniped/main.go | 4 ++-- hack/Dockerfile_fips | 4 ++-- internal/crypto/fips/doc.go | 4 ++-- internal/crypto/fips/fips_strict.go | 4 ++-- internal/crypto/ptls/default.go | 6 +++--- internal/crypto/ptls/fips_strict.go | 4 ++-- internal/crypto/ptls/secure.go | 6 +++--- site/content/docs/reference/fips.md | 2 +- test/integration/securetls_fips_test.go | 6 +++--- test/testlib/securetls_preference_fips.go | 6 +++--- test/testlib/securetls_preference_nonfips.go | 6 +++--- 13 files changed, 30 insertions(+), 30 deletions(-) diff --git a/cmd/pinniped-concierge-kube-cert-agent/main.go b/cmd/pinniped-concierge-kube-cert-agent/main.go index af96c5f8..8213e6bf 100644 --- a/cmd/pinniped-concierge-kube-cert-agent/main.go +++ b/cmd/pinniped-concierge-kube-cert-agent/main.go @@ -13,7 +13,7 @@ import ( "os" "time" - // This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode. + // This side effect import ensures that we use fipsonly crypto during TLS in boringcrypto mode. // // Commenting this out because it causes the runtime memory consumption of this binary to increase // from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS, @@ -25,8 +25,8 @@ import ( //nolint:godot // This is not sentence, it is a commented out line of import code. // _ "go.pinniped.dev/internal/crypto/ptls" - // This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode. - // Without this line, the binary will exit 133 upon startup in fips_strict mode. + // This side effect imports cgo so that runtime/cgo gets linked, when in boringcrypto mode. + // Without this line, the binary will exit 133 upon startup in boringcrypto mode. // It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled, // even though it shouldn't be used currently by this binary. _ "go.pinniped.dev/internal/crypto/fips" diff --git a/cmd/pinniped-server/main.go b/cmd/pinniped-server/main.go index df2917fb..2cb3e30a 100644 --- a/cmd/pinniped-server/main.go +++ b/cmd/pinniped-server/main.go @@ -15,7 +15,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" concierge "go.pinniped.dev/internal/concierge/server" - // this side effect import ensures that we use fipsonly crypto in fips_strict mode. + // this side effect import ensures that we use fipsonly crypto in boringcrypto mode. _ "go.pinniped.dev/internal/crypto/ptls" lua "go.pinniped.dev/internal/localuserauthenticator" "go.pinniped.dev/internal/plog" diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go index b4825b1e..dd57d7ea 100644 --- a/cmd/pinniped/main.go +++ b/cmd/pinniped/main.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package main @@ -9,7 +9,7 @@ import ( "github.com/pkg/browser" "go.pinniped.dev/cmd/pinniped/cmd" - // this side effect import ensures that we use fipsonly crypto in fips_strict mode. + // this side effect import ensures that we use fipsonly crypto in boringcrypto mode. _ "go.pinniped.dev/internal/crypto/ptls" ) diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index 7425ddf9..0155950c 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -34,8 +34,8 @@ RUN \ export GOOS=linux && \ export GOARCH=amd64 && \ export GOEXPERIMENT=boringcrypto && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator diff --git a/internal/crypto/fips/doc.go b/internal/crypto/fips/doc.go index e265bb85..82c32865 100644 --- a/internal/crypto/fips/doc.go +++ b/internal/crypto/fips/doc.go @@ -1,6 +1,6 @@ // Copyright 2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict. -// It will also cause cgo to be explicitly imported when compiling with fips_strict. +// Package fips can be imported to enable fipsonly tls mode when compiling with boringcrypto. +// It will also cause cgo to be explicitly imported when compiling with boringcrypto. package fips diff --git a/internal/crypto/fips/fips_strict.go b/internal/crypto/fips/fips_strict.go index b0679c30..c0aa95b8 100644 --- a/internal/crypto/fips/fips_strict.go +++ b/internal/crypto/fips/fips_strict.go @@ -1,8 +1,8 @@ // Copyright 2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package fips diff --git a/internal/crypto/ptls/default.go b/internal/crypto/ptls/default.go index d929a4eb..99fecfde 100644 --- a/internal/crypto/ptls/default.go +++ b/internal/crypto/ptls/default.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package ptls diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go index 2db12fcf..2b2ba2d5 100644 --- a/internal/crypto/ptls/fips_strict.go +++ b/internal/crypto/ptls/fips_strict.go @@ -4,8 +4,8 @@ // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP // configs when Pinniped is built in fips-only mode. // All of these are the same because FIPs is already so limited. -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package ptls diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go index ddea0816..4dbe4eeb 100644 --- a/internal/crypto/ptls/secure.go +++ b/internal/crypto/ptls/secure.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package ptls diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md index b9eab7e8..3621e354 100644 --- a/site/content/docs/reference/fips.md +++ b/site/content/docs/reference/fips.md @@ -11,7 +11,7 @@ menu: --- By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2. If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build -the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork. +the binaries yourself using `GOEXPERIMENT=boringcrypto`. The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips) demonstrating how you can build Pinniped images in a FIPS compatible way. diff --git a/test/integration/securetls_fips_test.go b/test/integration/securetls_fips_test.go index 19cfea78..3b0b4162 100644 --- a/test/integration/securetls_fips_test.go +++ b/test/integration/securetls_fips_test.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package integration diff --git a/test/testlib/securetls_preference_fips.go b/test/testlib/securetls_preference_fips.go index e61fc205..2920ec4c 100644 --- a/test/testlib/securetls_preference_fips.go +++ b/test/testlib/securetls_preference_fips.go @@ -1,8 +1,8 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package testlib diff --git a/test/testlib/securetls_preference_nonfips.go b/test/testlib/securetls_preference_nonfips.go index 002d329d..beb5659c 100644 --- a/test/testlib/securetls_preference_nonfips.go +++ b/test/testlib/securetls_preference_nonfips.go @@ -1,8 +1,8 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package testlib