Use goexperiment boringcrypto for golang 1.19 fips

- Only add boringcrypto where needed in omnibus

Use goexperiment boringcrypto for golang 1.19 fips
997ec16d · DJ Mountney · 00931854 · 997ec16d · 997ec16d · 997ec16d
Verified Commit 997ec16d authored 1 year ago by DJ Mountney
--- a/config/software/gitlab-pages.rb
+++ b/config/software/gitlab-pages.rb
@@ -35,7 +35,10 @@ build do
  
  # Pages compiles with CGO_ENABLED=0 by default, so we need to activate
  # FIPS mode explicitly.
-  env['FIPS_MODE'] = '1' if Build::Check.use_system_ssl?
+  if Build::Check.use_system_ssl?
+    env['FIPS_MODE'] = '1'
+    env['GOEXPERIMENT'] = 'boringcrypto' if Build::Check.boringcrypto_supported?
+  end
  
  make 'gitlab-pages', env: env
  

--- a/lib/gitlab/build/check.rb
+++ b/lib/gitlab/build/check.rb
@@ -21,6 +21,10 @@ module Build
        false
      end
  
+      def boringcrypto_supported?
+        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
+      end
+
      def use_system_ssl?
        # Once we implement the above TODO, we can get rid of this variable and
        # gate on `fips?` alone.

--- a/spec/lib/gitlab/build/check_spec.rb
+++ b/spec/lib/gitlab/build/check_spec.rb
@@ -322,4 +322,26 @@ RSpec.describe Build::Check do
      end
    end
  end
+
+  describe 'boringcrypto_supported?' do
+    context 'when using a golang with boringcrypto support' do
+      before do
+        allow(described_class).to receive(:system).with(hash_including('GOEXPERIMENT'), 'go', 'version').and_return(true)
+      end
+
+      it 'returns true' do
+        expect(described_class.boringcrypto_supported?).to be_truthy
+      end
+    end
+
+    context 'when using a golang withou boringcrypto support' do
+      before do
+        allow(described_class).to receive(:system).with(hash_including('GOEXPERIMENT'), 'go', 'version').and_return(false)
+      end
+
+      it 'returns true' do
+        expect(described_class.boringcrypto_supported?).to be_falsey
+      end
+    end
+  end
 end