mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-04-27 08:46:35 +00:00
70e675f42c
This is a cherry-pick of 157f5d1412
followed by build/CI changes so that amd64/linux FIPS compliance is
provided by new/separate binaries/artifacts/packages.
The reasoning being that FIPS compliance places excessive requirements
in the encryption algorithms used for regular users that do not care
about that. This can cause cloudflared to reject HTTPS origins that
would otherwise be accepted without FIPS checks.
This way, by having separate binaries, existing ones remain as they
were, and only FIPS-needy users will opt-in to the new FIPS binaries.
16 lines
524 B
Bash
Executable File
16 lines
524 B
Bash
Executable File
# Pass the path to the executable to check for FIPS compliance
|
|
exe=$1
|
|
|
|
if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
|
|
# Asserts that executable is using FIPS-compliant boringcrypto
|
|
echo "${exe}: missing goboring symbols" >&2
|
|
exit 1
|
|
fi
|
|
if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
|
|
# Asserts that executable is using FIPS-only schemes
|
|
echo "${exe}: missing fipsonly symbols" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "${exe} is FIPS-compliant"
|