build: 🔒Enable and enforce boringcrypto experiment (#2353)
zoido authored Jun 24, 2024
1 parent e5a20f3 commit bf87803
Showing 3 changed files with 17 additions and 3 deletions.
6 changes: 3 additions & 3 deletions Makefile
@@ -104,10 +104,10 @@ test-ui-watch: ## Run UI unit tests
cd ui && $(MAKE) test

build-server: ## Build server for current OS/Arch
go build $(LDFLAGS) -o waved cmd/wave/main.go
GOEXPERIMENT=boringcrypto go build $(LDFLAGS) -o waved cmd/wave/main.go

build-db: ## Build database server for current OS/Arch
go build $(LDFLAGS) -o wavedb cmd/wavedb/main.go
GOEXPERIMENT=boringcrypto go build $(LDFLAGS) -o wavedb cmd/wavedb/main.go

build-db-micro:
go build -ldflags '-s -w -X main.Version=$(VERSION) -X main.BuildDate=$(BUILD_DATE)' -o wavedb cmd/wavedb/main.go
@@ -201,7 +201,7 @@ release-os:
rm -rf test/cypress/screenshots/*.*
rm -rf test/cypress/videos/*.*
rsync --exclude node_modules -a test build/$(REL)/
GOOS=$(OS) GOARCH=$(ARCH) go build $(LDFLAGS) -o build/$(REL)/waved$(EXE_EXT) cmd/wave/main.go
GOOS=$(OS) GOARCH=$(ARCH) GOEXPERIMENT=boringcrypto go build $(LDFLAGS) -o build/$(REL)/waved$(EXE_EXT) cmd/wave/main.go
cd build && tar -czf $(REL).tar.gz --exclude='*.state' --exclude='__pycache__' $(REL)

.PHONY: website
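Review bot: `build-db-micro`, visible as unchanged context at the end of the first hunk, still runs a plain `go build ... -o wavedb cmd/wavedb/main.go`, while this commit makes cmd/wavedb/main.go import `crypto/tls/fipsonly` unconditionally; by the commit's own comment that package exists only under the experiment, so this target should now fail to compile. Give it the same prefix, `GOEXPERIMENT=boringcrypto go build -ldflags '...' -o wavedb cmd/wavedb/main.go`, or set the variable once for every recipe with `export GOEXPERIMENT := boringcrypto` so a future `go build` line cannot miss it. Any other Go invocation outside the visible hunks that compiles these two main packages would need the same treatment.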
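--- a/cmd/wave/main.go
+++ b/cmd/wave/main.go
@@ -29,6 +29,13 @@ import (
 "strings"
 "time"
 
+// Blank import of "crypto/tls/fipsonly" enforces that only FIPS-approved algorithms
+// are used for TLS.
+// Package is only available only when GOEXPERIMENT=boringcrypto is set.
+// We do not hide the import behind a build tag so that we enforce that the binary is built with
+// the boring crypto experiment enabled.
+_ "crypto/tls/fipsonly"
+
 "github.com/h2oai/goconfig"
 _ "github.com/h2oai/goconfig/env"
 "github.com/h2oai/wave"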
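Review bot: The blank import proves the `boringcrypto` build tag was set, but not that the BoringCrypto module is actually linked: as far as I know the toolchain only uses it on linux/amd64 and linux/arm64 with cgo enabled, and elsewhere the experiment quietly falls back to the standard Go implementations. The `release-os` recipe in the Makefile builds with `GOOS=$(OS) GOARCH=$(ARCH)`, so a non-Linux or cgo-less cross build would satisfy this import without being backed by the validated module. The comment should say what is and is not enforced, and where FIPS mode is a hard requirement a startup check such as `if !boring.Enabled() { panic("BoringCrypto is not active") }` from `crypto/boring` would catch it. The comment also repeats a word: `only available only` should read `only available`. All of this applies equally to the identical block in cmd/wavedb/main.go; the import block itself starts and ends outside the hunk.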
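--- a/cmd/wavedb/main.go
+++ b/cmd/wavedb/main.go
@@ -19,6 +19,13 @@ import (
 "fmt"
 "runtime"
 
+// Blank import of "crypto/tls/fipsonly" enforces that only FIPS-approved algorithms
+// are used for TLS.
+// Package is only available only when GOEXPERIMENT=boringcrypto is set.
+// We do not hide the import behind a build tag so that we enforce that the binary is built with
+// the boring crypto experiment enabled.
+_ "crypto/tls/fipsonly"
+
 "github.com/h2oai/wave/pkg/db"
 "github.com/h2oai/wave/pkg/keychain"
 )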
