From 4815b155775af2f93c1efa36f65a242efb065376 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 06:45:48 -0700 Subject: [PATCH 1/3] Bump Go version to 1.25.1 (#5562) * Bump Go version to 1.25.1 * Update CHANGELOG entry * Bump the version of golangci-lint * Remove references to the ms_tls13kdf build tag * Download go module dependencies before GODEBUG=fips140=only is set * Exclude X25519 curve types when testing in FIPS-140 mode * Stricter check * Add missing license header * Exclude X25519 curve types when testing in FIPS-140-only mode * Use stricter check * Update NOTICE files * Remove IsFIPS140Only helper function * Set GODEBUG=tlsmlkem=0 for FIPS140-only unit tests * Remove replace directive from go.mod * Try not pre-downloading dependencies (cherry picked from commit 15b8c8ac65955c68ba66e2cdd49a9c264a375d9e) --- .go-version | 2 +- .golangci.yml | 2 +- .../1758819869-bump-golang-1.25.1.yaml | 32 ++++ dev-tools/go.mod | 2 +- docs/fips.md | 97 ++++++++++++ go.mod | 2 +- magefile.go | 141 ++++++++++++++++++ testing/go.mod | 2 +- 8 files changed, 275 insertions(+), 5 deletions(-) create mode 100644 changelog/fragments/1758819869-bump-golang-1.25.1.yaml create mode 100644 docs/fips.md diff --git a/.go-version b/.go-version index 8407e26008..d905a6d1d6 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.7 +1.25.1 diff --git a/.golangci.yml b/.golangci.yml index 24663cbf0e..de51457140 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,7 +4,7 @@ run: timeout: 1m build-tags: - integration - go: "1.24.7" + go: "1.25.1" issues: # Maximum count of issues with the same text. diff --git a/changelog/fragments/1758819869-bump-golang-1.25.1.yaml b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml new file mode 100644 index 0000000000..9d7955c853 --- /dev/null +++ b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml 
@@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# Change summary; a 80ish characters long description of the change. +summary: Update Go to v1.25.1 + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: fleet-server + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +pr: https://github.com/elastic/fleet-server/pull/5562 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/dev-tools/go.mod b/dev-tools/go.mod index 31d66003bc..1a81c1e55e 100644 --- a/dev-tools/go.mod +++ b/dev-tools/go.mod 
@@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/dev-tools -go 1.24.7 +go 1.25.1 tool ( github.com/elastic/go-json-schema-generate/cmd/schema-generate diff --git a/docs/fips.md b/docs/fips.md new file mode 100644 index 0000000000..c0680f035e --- /dev/null +++ b/docs/fips.md 
@@ -0,0 +1,97 @@ +# FIPS support + +**NOTE: FIPS Support is in-progress** + +The fleet-server can be built in a FIPS capable mode. +This forces the use of a FIPS provider to handle any cryptographic calls. + +Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution. +This toolchain must be present for local compilation. + +## Build changes + +As we are using micrsoft/go as a base we follow their conventions. + +Our FIPS changes require the `requirefips` build tag. +When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set. +Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go). + +The `FIPS=true` env var is used by our magefile as the FIPS toggle. +This env var applies to all targets, at a minimum the `requirefips` tag will be set. +For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set. + +For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain. +See [Multipass VM Usage](#multipass-vm-usage) for additional details. + +### Multipass VM Usage + +A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them. +When you try to run one the following error occurs: +``` +GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml +panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider + +goroutine 1 [running]: +crypto/internal/backend.init.1() + /usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210 +``` + +In order to be able to run a FIPS enabled binary, openssl must have a fips provider. +Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md). + +A TLDR for our multipass container is: + +1. 
Download and compile the FIPS provider for openssl in the VM by running: +``` +wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz +tar -xzf openssl-3.0.13.tar.gz +cd openssl-3.0.13 +./Configure enable-fips +make test +sudo make install_fips +sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so +``` + +2. Copy the `fips.so` module to the system library, in order to find the location run: +``` +openssl version -m +``` + +On my VM I would copy the `fips.so` module with: +``` +sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so +``` + +3. Create an openssl.cnf for the program to use with the contents: +``` +config_diagnostics = 1 +openssl_conf = openssl_init + +.include /usr/local/ssl/fipsmodule.cnf + +[openssl_init] +providers = provider_sect +alg_section = algorithm_sect + +[provider_sect] +fips = fips_sect +base = base_sect + +[base_sect] +activate = 1 + +[algorithm_sect] +default_properties = fips=yes +``` + +4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e., +``` +OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml +23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0 +i... +``` + +## Usage + +Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider. +The system/image is required to have a FIPS provider available. diff --git a/go.mod b/go.mod index 6da12c1ee3..f8d25a2a5e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/v7 -go 1.24.7 +go 1.25.1 require ( github.com/Pallinder/go-randomdata v1.2.0 diff --git a/magefile.go b/magefile.go index 0cdbe4d101..2d2584940c 100644 --- a/magefile.go +++ b/magefile.go 
@@ -309,6 +309,12 @@ var ( if isSnapshot() { tags = append(tags, "snapshot") } +<<<<<<< HEAD +======= + if isFIPS() { + tags = append(tags, "requirefips") + } +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) return strings.Join(tags, ",") }) @@ -453,11 +459,50 @@ func (Check) Notice() { mg.SerialDeps(mg.F(genNotice)) } +<<<<<<< HEAD // genNotice generates the NOTICE.txt func genNotice() error { tags := []string{} outFile := "NOTICE.txt" log.Println("Generating NOTICE.txt.") +======= +// DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries. +// Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2" +func (Check) DetectFIPSCryptoImports() error { + tags := []string{"requirefips"} + mods, err := getModules(tags...) + if err != nil { + return err + } + + args := append([]string{"list", "-m"}, mods...) + output, err := sh.Output("go", args...) + if err != nil { + return err + } + for _, line := range strings.Split(output, "\n") { + // keywords are crypto for x/crypto imports, gokrb5 for kerberos, and pbkdf2 for pbkdf2 generation + for _, keyword := range []string{"crypto", "gokrb5", "pbkdf2"} { + if strings.Contains(line, keyword) { + err = errors.Join(err, fmt.Errorf("Detected import %s may implement crypto functionality", line)) + } + } + } + return err +} + +// genNotice generates the NOTICE.txt or the NOTICE-fips.txt file. +func genNotice(fips bool) error { + tags := []string{} + outFile := "NOTICE.txt" + if fips { + log.Println("Generating NOTICE-fips.txt.") + tags = append(tags, "requirefips") + outFile = "NOTICE-fips.txt" + } else { + log.Println("Generating NOTICE.txt.") + } +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // Clean up modfile and download all needed files before building NOTICE err := sh.Run("go", "mod", "tidy") 
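Review bot: The lines this hunk adds are unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 15b8c8a (...)`) wrapped around the incoming `if isFIPS() { ... }` block rather than resolved code, so magefile.go does not compile after this patch; the hunks at `@@ -453,11 +459,50 @@`, `@@ -1072,6 +1117,10 @@`, `@@ -1079,8 +1128,35 @@`, `@@ -1094,6 +1170,10 @@`, `@@ -1419,6 +1499,59 @@`, `@@ -1455,6 +1588,10 @@` and `@@ -1462,6 +1599,10 @@` carry the same markers. The third patch in this series removes them by deleting the incoming side as well, so none of the FIPS additions the subject and body describe (the `requirefips` tag in the tags closure, `Check.DetectFIPSCryptoImports`, the `genNotice(fips bool)` variant, `Test.UnitFIPSOnly`, `checkFIPSBinary`) survive the backport while the commit message still advertises them. Resolve the cherry-pick before committing, and either keep the incoming side or trim the message to what actually lands (the `.go-version`, `.golangci.yml` and `go` directive bumps). The enclosing `var (` block begins before this hunk.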
@@ -1072,6 +1117,10 @@ func (Docker) CustomAgentImage() error { // Unit runs unit tests. // Produces a unit test output file, and test coverage file in the build directory. // SNAPSHOT adds the snapshot build tag. +<<<<<<< HEAD +======= +// FIPS adds the requirefips build tag. +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) Unit() error { mg.Deps(mg.F(mkDir, "build")) output, err := teeCommand(environMap(), "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...") 
@@ -1079,8 +1128,35 @@ func (Test) Unit() error { return err } +<<<<<<< HEAD // Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment. // SNAPSHOT runs integration tests with the snapshot build tag. +======= +// UnitFIPSOnly runs unit tests and injects GODEBUG=fips140=only into the environment. +// This is done because mage may have issues when running with fips140=only set. +// Produces a unit test output file, and test coverage file in the build directory. +// SNAPSHOT adds the snapshot build tag. +// FIPS adds the requirefips build tag. +func (Test) UnitFIPSOnly() error { + mg.Deps(mg.F(mkDir, "build")) + + // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key + // exchange mechanism; without this setting and with the GODEBUG=fips140=only + // setting, we get errors in tests like so: + // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode + // Note that we are only disabling this TLS key exchange mechanism in tests! + env := environMap() + env["GODEBUG"] = "fips140=only,tlsmlkem=0" + + output, err := teeCommand(env, "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...") + err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-fipsonly-"+runtime.GOOS+".out"), output, 0o644)) + return err +} + +// Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment. +// SNAPSHOT runs integration tests with the snapshot build tag. +// FIPS runs the integration tests the requirefips build tag. +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) Integration() { mg.SerialDeps(mg.F(mkDir, "build"), Test.IntegrationUp, Test.IntegrationRun, Test.IntegrationDown) } 
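Review bot: `env["GODEBUG"] = "fips140=only,tlsmlkem=0"` in `UnitFIPSOnly` overwrites whatever GODEBUG the caller already had in the map returned by `environMap()`, so any settings a developer or CI job exported for the run are silently dropped by this target alone; merging instead, e.g. `env["GODEBUG"] = strings.TrimSuffix("fips140=only,tlsmlkem=0,"+env["GODEBUG"], ",")`, keeps them visible while still applying the FIPS-only settings, and the existing comment could state that the two values are meant to take precedence. The comment block correctly stresses that `tlsmlkem=0` is a test-only relaxation; it would be worth one more sentence saying that shipped binaries must not inherit it, since the same `teeCommand` pattern is used by the other test targets. The whole function body sits inside this hunk, but the hunk is itself bracketed by unresolved conflict markers.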
@@ -1094,6 +1170,10 @@ func (Test) IntegrationUp() error { // Assumes that the integration test environment is up. // Produces an integration test output file in the build directory. // SNAPSHOT runs integration tests with the snapshot build tag. +<<<<<<< HEAD +======= +// FIPS runs the integration tests the requirefips build tag. +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) IntegrationRun(ctx context.Context) error { env, err := readEnvFile(filepath.Join("dev-tools", "integration", ".env")) if err != nil { 
@@ -1419,6 +1499,59 @@ func unzip(sourceFile, destinationDir string) error { return nil } +<<<<<<< HEAD +======= +// checkFIPSBinary ensures the binary located at path has fips capable markers set. +func checkFIPSBinary(path string) error { + log.Printf("Verifiying binary in %q for FIPS capable markers.", path) + info, err := buildinfo.ReadFile(path) + if err != nil { + return fmt.Errorf("unable to read buildinfo: %w", err) + } + var checkLinks, foundTags, foundExperiment bool + + for _, setting := range info.Settings { + switch setting.Key { + case "-tags": + foundTags = true + if !strings.Contains(setting.Value, "requirefips") { + return fmt.Errorf("requirefips tag not found in %s", setting.Value) + } + continue + case "GOEXPERIMENT": + foundExperiment = true + if !strings.Contains(setting.Value, "systemcrypto") { + return fmt.Errorf("did not find GOEXPIRIMENT=systemcrypto") + } + continue + case "-ldflags": + if !strings.Contains(setting.Value, "-s") { + checkLinks = true + continue + } + } + } + + if !foundTags { + return fmt.Errorf("did not find build tags") + } + if !foundExperiment { + return fmt.Errorf("did not find GOEXPERIMENT") + } + if checkLinks { + log.Println("Binary is not stripped, checking symbols table.") + output, err := sh.Output("go", "tool", "nm", path) + if err != nil { + return fmt.Errorf("go tool nm failed: %w", err) + } + if runtime.GOOS == "linux" && !strings.Contains(output, "OpenSSL_version") { // TODO may need different check for windows/darwin + return fmt.Errorf("failed to find OpenSSL symbol links within binary") + } + } + return nil +} + +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // JunitReport produces junit report files from test-output files in the build dir. func (Test) JunitReport() error { return filepath.WalkDir("build", func(name string, d fs.DirEntry, err error) error { 
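Review bot: In `checkFIPSBinary` the stripped-binary test `strings.Contains(setting.Value, "-s")` on the `-ldflags` setting also matches substrings such as `-extldflags=-static` or any `-X` value containing `-s`, so an unstripped binary built with such flags skips the `go tool nm` pass and is reported FIPS-capable without the OpenSSL symbol linkage ever being confirmed; compare whole tokens instead, `if !slices.Contains(strings.Fields(setting.Value), "-s") {` (adding the `slices` import if the file lacks it). Two user-facing strings carry typos that will surface in logs and error output: `"Verifiying binary in %q ..."` and `"did not find GOEXPIRIMENT=systemcrypto"`, which should read `Verifying` and `GOEXPERIMENT`. The `runtime.GOOS == "linux"` guard means the symbol check is a no-op on other platforms, as the inline TODO already notes, so the doc comment should say the marker check is only conclusive on Linux. The function is entirely within this hunk, inside the unresolved conflict block.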
@@ -1455,6 +1588,10 @@ func (Test) JunitReport() error { // All runs unit and integration tests and produces junit reports for all the tests. // SNAPSHOT adds the snapshot build tag. +<<<<<<< HEAD +======= +// FIPS adds the requirefips build tag. +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) All() { mg.SerialDeps(mg.F(mkDir, "build"), Test.Unit, Test.Integration, Test.JunitReport) } @@ -1462,6 +1599,10 @@ func (Test) All() { // Benchmark runs the included benchmarks // Produces a benchmark file in the build directory. // SNAPSHOT adds the snapshot build tag. +<<<<<<< HEAD +======= +// FIPS adds the requirefips build tag. +>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // BENCHMARK_FILTER can be used to filter what benchmarks run. // BENCHMARK_ARGS can be used to change what is being benchmarked. Default: -count=10 -benchtime=3s -benchmem. // BENCH_BASE can be used to change the output file name. diff --git a/testing/go.mod b/testing/go.mod index f754deb8b2..9f26796160 100644 --- a/testing/go.mod +++ b/testing/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/testing -go 1.24.7 +go 1.25.1 replace ( github.com/elastic/fleet-server/pkg/api => ../pkg/api From 86359cefedd71134e2ae53ab7f504e70b36bb926 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 12:10:19 -0700 Subject: [PATCH 2/3] Remove FIPS doc --- docs/fips.md | 97 ---------------------------------------------------- 1 file changed, 97 deletions(-) delete mode 100644 docs/fips.md diff --git a/docs/fips.md b/docs/fips.md deleted file mode 100644 index c0680f035e..0000000000 --- a/docs/fips.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# FIPS support - -**NOTE: FIPS Support is in-progress** - -The fleet-server can be built in a FIPS capable mode. -This forces the use of a FIPS provider to handle any cryptographic calls. - -Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution. -This toolchain must be present for local compilation. - -## Build changes - -As we are using micrsoft/go as a base we follow their conventions. - -Our FIPS changes require the `requirefips` build tag. -When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set. -Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go). - -The `FIPS=true` env var is used by our magefile as the FIPS toggle. -This env var applies to all targets, at a minimum the `requirefips` tag will be set. -For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set. - -For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain. -See [Multipass VM Usage](#multipass-vm-usage) for additional details. - -### Multipass VM Usage - -A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them. -When you try to run one the following error occurs: -``` -GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml -panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider - -goroutine 1 [running]: -crypto/internal/backend.init.1() - /usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210 -``` - -In order to be able to run a FIPS enabled binary, openssl must have a fips provider. -Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md). - -A TLDR for our multipass container is: - -1. 
Download and compile the FIPS provider for openssl in the VM by running: -``` -wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz -tar -xzf openssl-3.0.13.tar.gz -cd openssl-3.0.13 -./Configure enable-fips -make test -sudo make install_fips -sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so -``` - -2. Copy the `fips.so` module to the system library, in order to find the location run: -``` -openssl version -m -``` - -On my VM I would copy the `fips.so` module with: -``` -sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so -``` - -3. Create an openssl.cnf for the program to use with the contents: -``` -config_diagnostics = 1 -openssl_conf = openssl_init - -.include /usr/local/ssl/fipsmodule.cnf - -[openssl_init] -providers = provider_sect -alg_section = algorithm_sect - -[provider_sect] -fips = fips_sect -base = base_sect - -[base_sect] -activate = 1 - -[algorithm_sect] -default_properties = fips=yes -``` - -4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e., -``` -OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml -23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0 -i... -``` - -## Usage - -Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider. -The system/image is required to have a FIPS provider available. From 9e5433719db233ff8e677c6c7e4c56793d6aceef Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 12:19:59 -0700 Subject: [PATCH 3/3] Fixing conflicts --- magefile.go | 141 ---------------------------------------------------- 1 file changed, 141 deletions(-) 
diff --git a/magefile.go b/magefile.go index 2d2584940c..0cdbe4d101 100644 --- a/magefile.go +++ b/magefile.go @@ -309,12 +309,6 @@ var ( if isSnapshot() { tags = append(tags, "snapshot") } -<<<<<<< HEAD -======= - if isFIPS() { - tags = append(tags, "requirefips") - } ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) return strings.Join(tags, ",") }) 
@@ -459,50 +453,11 @@ func (Check) Notice() { mg.SerialDeps(mg.F(genNotice)) } -<<<<<<< HEAD // genNotice generates the NOTICE.txt func genNotice() error { tags := []string{} outFile := "NOTICE.txt" log.Println("Generating NOTICE.txt.") -======= -// DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries. -// Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2" -func (Check) DetectFIPSCryptoImports() error { - tags := []string{"requirefips"} - mods, err := getModules(tags...) - if err != nil { - return err - } - - args := append([]string{"list", "-m"}, mods...) - output, err := sh.Output("go", args...) - if err != nil { - return err - } - for _, line := range strings.Split(output, "\n") { - // keywords are crypto for x/crypto imports, gokrb5 for kerberos, and pbkdf2 for pbkdf2 generation - for _, keyword := range []string{"crypto", "gokrb5", "pbkdf2"} { - if strings.Contains(line, keyword) { - err = errors.Join(err, fmt.Errorf("Detected import %s may implement crypto functionality", line)) - } - } - } - return err -} - -// genNotice generates the NOTICE.txt or the NOTICE-fips.txt file. -func genNotice(fips bool) error { - tags := []string{} - outFile := "NOTICE.txt" - if fips { - log.Println("Generating NOTICE-fips.txt.") - tags = append(tags, "requirefips") - outFile = "NOTICE-fips.txt" - } else { - log.Println("Generating NOTICE.txt.") - } ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // Clean up modfile and download all needed files before building NOTICE err := sh.Run("go", "mod", "tidy") 
@@ -1117,10 +1072,6 @@ func (Docker) CustomAgentImage() error { // Unit runs unit tests. // Produces a unit test output file, and test coverage file in the build directory. // SNAPSHOT adds the snapshot build tag. -<<<<<<< HEAD -======= -// FIPS adds the requirefips build tag. ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) Unit() error { mg.Deps(mg.F(mkDir, "build")) output, err := teeCommand(environMap(), "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...") 
@@ -1128,35 +1079,8 @@ func (Test) Unit() error { return err } -<<<<<<< HEAD // Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment. // SNAPSHOT runs integration tests with the snapshot build tag. -======= -// UnitFIPSOnly runs unit tests and injects GODEBUG=fips140=only into the environment. -// This is done because mage may have issues when running with fips140=only set. -// Produces a unit test output file, and test coverage file in the build directory. -// SNAPSHOT adds the snapshot build tag. -// FIPS adds the requirefips build tag. -func (Test) UnitFIPSOnly() error { - mg.Deps(mg.F(mkDir, "build")) - - // We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key - // exchange mechanism; without this setting and with the GODEBUG=fips140=only - // setting, we get errors in tests like so: - // Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode - // Note that we are only disabling this TLS key exchange mechanism in tests! - env := environMap() - env["GODEBUG"] = "fips140=only,tlsmlkem=0" - - output, err := teeCommand(env, "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...") - err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-fipsonly-"+runtime.GOOS+".out"), output, 0o644)) - return err -} - -// Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment. -// SNAPSHOT runs integration tests with the snapshot build tag. -// FIPS runs the integration tests the requirefips build tag. ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) Integration() { mg.SerialDeps(mg.F(mkDir, "build"), Test.IntegrationUp, Test.IntegrationRun, Test.IntegrationDown) } 
@@ -1170,10 +1094,6 @@ func (Test) IntegrationUp() error { // Assumes that the integration test environment is up. // Produces an integration test output file in the build directory. // SNAPSHOT runs integration tests with the snapshot build tag. -<<<<<<< HEAD -======= -// FIPS runs the integration tests the requirefips build tag. ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) IntegrationRun(ctx context.Context) error { env, err := readEnvFile(filepath.Join("dev-tools", "integration", ".env")) if err != nil { 
@@ -1499,59 +1419,6 @@ func unzip(sourceFile, destinationDir string) error { return nil } -<<<<<<< HEAD -======= -// checkFIPSBinary ensures the binary located at path has fips capable markers set. -func checkFIPSBinary(path string) error { - log.Printf("Verifiying binary in %q for FIPS capable markers.", path) - info, err := buildinfo.ReadFile(path) - if err != nil { - return fmt.Errorf("unable to read buildinfo: %w", err) - } - var checkLinks, foundTags, foundExperiment bool - - for _, setting := range info.Settings { - switch setting.Key { - case "-tags": - foundTags = true - if !strings.Contains(setting.Value, "requirefips") { - return fmt.Errorf("requirefips tag not found in %s", setting.Value) - } - continue - case "GOEXPERIMENT": - foundExperiment = true - if !strings.Contains(setting.Value, "systemcrypto") { - return fmt.Errorf("did not find GOEXPIRIMENT=systemcrypto") - } - continue - case "-ldflags": - if !strings.Contains(setting.Value, "-s") { - checkLinks = true - continue - } - } - } - - if !foundTags { - return fmt.Errorf("did not find build tags") - } - if !foundExperiment { - return fmt.Errorf("did not find GOEXPERIMENT") - } - if checkLinks { - log.Println("Binary is not stripped, checking symbols table.") - output, err := sh.Output("go", "tool", "nm", path) - if err != nil { - return fmt.Errorf("go tool nm failed: %w", err) - } - if runtime.GOOS == "linux" && !strings.Contains(output, "OpenSSL_version") { // TODO may need different check for windows/darwin - return fmt.Errorf("failed to find OpenSSL symbol links within binary") - } - } - return nil -} - ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // JunitReport produces junit report files from test-output files in the build dir. func (Test) JunitReport() error { return filepath.WalkDir("build", func(name string, d fs.DirEntry, err error) error { 
@@ -1588,10 +1455,6 @@ func (Test) JunitReport() error { // All runs unit and integration tests and produces junit reports for all the tests. // SNAPSHOT adds the snapshot build tag. -<<<<<<< HEAD -======= -// FIPS adds the requirefips build tag. ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) func (Test) All() { mg.SerialDeps(mg.F(mkDir, "build"), Test.Unit, Test.Integration, Test.JunitReport) } @@ -1599,10 +1462,6 @@ func (Test) All() { // Benchmark runs the included benchmarks // Produces a benchmark file in the build directory. // SNAPSHOT adds the snapshot build tag. -<<<<<<< HEAD -======= -// FIPS adds the requirefips build tag. ->>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562)) // BENCHMARK_FILTER can be used to filter what benchmarks run. // BENCHMARK_ARGS can be used to change what is being benchmarked. Default: -count=10 -benchtime=3s -benchmem. // BENCH_BASE can be used to change the output file name.