authorStan Hu <stanhu@gmail.com>2022-04-18 12:11:31 -0700
committerStan Hu <stanhu@gmail.com>2022-04-18 12:16:22 -0700
commit3a17a8de7656d18b9f110f7657b6b86bc4dcafe6 (patch)
treec3129dcd540f78b2685b851f4b0114c4fdec4dbc
parent5fe0d17f11eb122d45bad9126c7c0646e196b1c5 (diff)
downloadgitlab-shell-3a17a8de7656d18b9f110f7657b6b86bc4dcafe6.tar.gz
Add support for FIPS encryption
This commit adds support for using a FIPS-validated SSL library with compiled Go executables when `FIPS_MODE=1 make` is run. A Go compiler that supports BoringSSL either directly (e.g. the `dev.boringcrypto` branch) or with a dynamically linked OpenSSL (e.g. https://github.com/golang-fips/go) is required. This is similar to the changes to support FIPS in GitLab Runner and in GitLab Pages: https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/716 Changelog: added
-rw-r--r--Makefile6
-rw-r--r--cmd/gitlab-shell/main.go2
-rw-r--r--internal/boring/boring.go23
-rw-r--r--internal/boring/notboring.go9
4 files changed, 40 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 5518171..338b631 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,15 @@
.PHONY: validate verify verify_ruby verify_golang test test_ruby test_golang coverage coverage_golang setup _script_install build compile check clean install
+FIPS_MODE ?= 0
GO_SOURCES := $(shell find . -name '*.go')
VERSION_STRING := $(shell git describe --match v* 2>/dev/null || awk '$$0="v"$$0' VERSION 2>/dev/null || echo unknown)
BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
+
+ifeq (${FIPS_MODE}, 1)
+ BUILD_TAGS += boringcrypto
+endif
+
GOBUILD_FLAGS := -ldflags "-X main.Version=$(VERSION_STRING) -X main.BuildTime=$(BUILD_TIME)" -tags "$(BUILD_TAGS)" -mod=mod
PREFIX ?= /usr/local
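Review bot: The new `ifeq (${FIPS_MODE}, 1)` uses the `${...}` variable form while every other reference in this Makefile uses `$(...)`; for consistency write `ifeq ($(FIPS_MODE), 1)`. The conditional also deserves a comment, because the tag on its own does not make the build FIPS-compliant — per the commit message it only selects the boringcrypto build of internal/boring and relies on a BoringCrypto-capable or golang-fips toolchain being used, e.g. `# FIPS_MODE=1 adds the boringcrypto tag; a BoringCrypto/golang-fips Go toolchain is still required (see internal/boring).` Without that note an operator may read `FIPS_MODE=1` as sufficient on a stock Go toolchain.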
diff --git a/cmd/gitlab-shell/main.go b/cmd/gitlab-shell/main.go
index 370dc2d..61d2e1c 100644
--- a/cmd/gitlab-shell/main.go
+++ b/cmd/gitlab-shell/main.go
@@ -11,6 +11,7 @@ import (
"gitlab.com/gitlab-org/labkit/log"
shellCmd "gitlab.com/gitlab-org/gitlab-shell/cmd/gitlab-shell/command"
+ "gitlab.com/gitlab-org/gitlab-shell/internal/boring"
"gitlab.com/gitlab-org/gitlab-shell/internal/command"
"gitlab.com/gitlab-org/gitlab-shell/internal/command/readwriter"
"gitlab.com/gitlab-org/gitlab-shell/internal/config"
@@ -73,6 +74,7 @@ func main() {
cmdName := reflect.TypeOf(cmd).String()
ctxlog := log.ContextLogger(ctx)
ctxlog.WithFields(log.Fields{"env": env, "command": cmdName}).Info("gitlab-shell: main: executing command")
+ boring.CheckBoring()
if err := cmd.Execute(ctx); err != nil {
ctxlog.WithError(err).Warn("gitlab-shell: main: command execution failed")
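Review bot: The added `boring.CheckBoring()` call is informational only; its result is never checked, so a binary built with FIPS_MODE=1 that finds the external SSL library disabled at runtime still proceeds to `cmd.Execute(ctx)` with the fallback crypto, and the only signal is a log line. That may be the intended fail-open behaviour, but it should be stated at the call site, e.g. `// Log (not enforce) whether FIPS crypto is active; see internal/boring.`, so a later reader does not assume this gates execution. Note also that it runs on every gitlab-shell invocation, i.e. once per SSH connection, so the log volume is worth keeping in mind when choosing the level. The body of main continues outside this hunk.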
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 0000000..cc09fab
--- /dev/null
+++ b/internal/boring/boring.go
@@ -0,0 +1,23 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import (
+ "crypto/boring"
+
+ "gitlab.com/gitlab-org/labkit/log"
+)
+
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
+func CheckBoring() {
+ if boring.Enabled() {
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
+ return
+ }
+ log.Info("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.")
+}
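Review bot: The fallback message on the last `log.Info` names the wrong program — this is gitlab-shell, not Gitaly — so the string looks copy-pasted and would mislead anyone grepping logs across services. It also reports a FIPS-intended build running without FIPS crypto at Info level, which is a misconfiguration an operator should notice; if labkit's package-level `Warn` is available (main.go already uses `.Warn` on a logger entry), prefer `log.Warn("gitlab-shell was compiled with FIPS mode, but an external SSL library was not enabled.")`. In the doc comment, item 2 should read `dlopen()` rather than `ldopen()`.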
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 0000000..1a7eb52
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,9 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
+func CheckBoring() {
+}