TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64

2025-07-27 15:49:58 +00:00 · 2021-11-09 11:37:51 +00:00
parent 7024d193c9
commit 157f5d1412
4 changed files with 53 additions and 30 deletions
--- a/check-fips.sh
+++ b/check-fips.sh
@@ -0,0 +1,15 @@
+# Pass the path to the executable to check for FIPS compliance
+exe=$1
+
+if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
+    # Asserts that executable is using FIPS-compliant boringcrypto
+    echo "${exe}: missing goboring symbols" >&2
+    exit 1
+fi
+if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
+    # Asserts that executable is using FIPS-only schemes
+    echo "${exe}: missing fipsonly symbols" >&2
+    exit 1
+fi
+
+echo "${exe} is FIPS-compliant"