From d389535ea30b9b647adbdcb48581746e76c97f0b Mon Sep 17 00:00:00 2001 From: Joshua Casey Date: Thu, 2 Feb 2023 19:32:21 -0600 Subject: [PATCH] Use tag boringcrypto instead of fips_strict --- cmd/pinniped-concierge-kube-cert-agent/main.go | 6 +++--- cmd/pinniped-server/main.go | 2 +- cmd/pinniped/main.go | 4 ++-- hack/Dockerfile_fips | 4 ++-- internal/crypto/fips/doc.go | 4 ++-- internal/crypto/fips/fips_strict.go | 4 ++-- internal/crypto/ptls/default.go | 6 +++--- internal/crypto/ptls/fips_strict.go | 4 ++-- internal/crypto/ptls/secure.go | 6 +++--- site/content/docs/reference/fips.md | 2 +- test/integration/securetls_fips_test.go | 6 +++--- test/testlib/securetls_preference_fips.go | 6 +++--- test/testlib/securetls_preference_nonfips.go | 6 +++--- 13 files changed, 30 insertions(+), 30 deletions(-) diff --git a/cmd/pinniped-concierge-kube-cert-agent/main.go b/cmd/pinniped-concierge-kube-cert-agent/main.go index af96c5f828..8213e6bfba 100644 --- a/cmd/pinniped-concierge-kube-cert-agent/main.go +++ b/cmd/pinniped-concierge-kube-cert-agent/main.go @@ -13,7 +13,7 @@ import ( "os" "time" - // This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode. + // This side effect import ensures that we use fipsonly crypto during TLS in boringcrypto mode. // // Commenting this out because it causes the runtime memory consumption of this binary to increase // from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS, @@ -25,8 +25,8 @@ import ( //nolint:godot // This is not sentence, it is a commented out line of import code. // _ "go.pinniped.dev/internal/crypto/ptls" - // This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode. - // Without this line, the binary will exit 133 upon startup in fips_strict mode. + // This side effect imports cgo so that runtime/cgo gets linked, when in boringcrypto mode. + // Without this line, the binary will exit 133 upon startup in boringcrypto mode. // It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled, // even though it shouldn't be used currently by this binary. _ "go.pinniped.dev/internal/crypto/fips" diff --git a/cmd/pinniped-server/main.go b/cmd/pinniped-server/main.go index df2917fbce..2cb3e30aae 100644 --- a/cmd/pinniped-server/main.go +++ b/cmd/pinniped-server/main.go @@ -15,7 +15,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" concierge "go.pinniped.dev/internal/concierge/server" - // this side effect import ensures that we use fipsonly crypto in fips_strict mode. + // this side effect import ensures that we use fipsonly crypto in boringcrypto mode. _ "go.pinniped.dev/internal/crypto/ptls" lua "go.pinniped.dev/internal/localuserauthenticator" "go.pinniped.dev/internal/plog" diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go index b4825b1ea4..dd57d7eaf4 100644 --- a/cmd/pinniped/main.go +++ b/cmd/pinniped/main.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package main @@ -9,7 +9,7 @@ import ( "github.com/pkg/browser" "go.pinniped.dev/cmd/pinniped/cmd" - // this side effect import ensures that we use fipsonly crypto in fips_strict mode. + // this side effect import ensures that we use fipsonly crypto in boringcrypto mode. _ "go.pinniped.dev/internal/crypto/ptls" ) diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index 65dd85ea23..762b8995ea 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -32,8 +32,8 @@ RUN \ export GOOS=linux && \ export GOARCH=amd64 && \ export GOEXPERIMENT=boringcrypto && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator diff --git a/internal/crypto/fips/doc.go b/internal/crypto/fips/doc.go index e265bb8588..82c328656b 100644 --- a/internal/crypto/fips/doc.go +++ b/internal/crypto/fips/doc.go @@ -1,6 +1,6 @@ // Copyright 2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict. -// It will also cause cgo to be explicitly imported when compiling with fips_strict. +// Package fips can be imported to enable fipsonly tls mode when compiling with boringcrypto. +// It will also cause cgo to be explicitly imported when compiling with boringcrypto. package fips diff --git a/internal/crypto/fips/fips_strict.go b/internal/crypto/fips/fips_strict.go index b0679c3022..c0aa95b8b0 100644 --- a/internal/crypto/fips/fips_strict.go +++ b/internal/crypto/fips/fips_strict.go @@ -1,8 +1,8 @@ // Copyright 2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package fips diff --git a/internal/crypto/ptls/default.go b/internal/crypto/ptls/default.go index d929a4eba5..99fecfdec4 100644 --- a/internal/crypto/ptls/default.go +++ b/internal/crypto/ptls/default.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package ptls diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go index 2db12fcf85..2b2ba2d555 100644 --- a/internal/crypto/ptls/fips_strict.go +++ b/internal/crypto/ptls/fips_strict.go @@ -4,8 +4,8 @@ // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP // configs when Pinniped is built in fips-only mode. // All of these are the same because FIPs is already so limited. -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package ptls diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go index ddea081660..4dbe4eebc0 100644 --- a/internal/crypto/ptls/secure.go +++ b/internal/crypto/ptls/secure.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package ptls diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md index b9eab7e89d..3621e354e3 100644 --- a/site/content/docs/reference/fips.md +++ b/site/content/docs/reference/fips.md @@ -11,7 +11,7 @@ menu: --- By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2. If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build -the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork. +the binaries yourself using `GOEXPERIMENT=boringcrypto`. The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips) demonstrating how you can build Pinniped images in a FIPS compatible way. diff --git a/test/integration/securetls_fips_test.go b/test/integration/securetls_fips_test.go index 19cfea7894..3b0b41625a 100644 --- a/test/integration/securetls_fips_test.go +++ b/test/integration/securetls_fips_test.go @@ -1,8 +1,8 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package integration diff --git a/test/testlib/securetls_preference_fips.go b/test/testlib/securetls_preference_fips.go index e61fc2051d..2920ec4c79 100644 --- a/test/testlib/securetls_preference_fips.go +++ b/test/testlib/securetls_preference_fips.go @@ -1,8 +1,8 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto +// +build boringcrypto package testlib diff --git a/test/testlib/securetls_preference_nonfips.go b/test/testlib/securetls_preference_nonfips.go index 002d329d7d..beb5659c46 100644 --- a/test/testlib/securetls_preference_nonfips.go +++ b/test/testlib/securetls_preference_nonfips.go @@ -1,8 +1,8 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto +// +build !boringcrypto package testlib