diff --git a/Dockerfile b/Dockerfile
index 47c4e3a160..a320fd72a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -76,7 +76,7 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
 if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
- CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+ CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
 go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
diff --git a/go.mod b/go.mod
index dbccb29a52..624b1f7248 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module goauthentik.io
-go 1.23.0
-
-toolchain go1.24.0
+go 1.24.0
 require (
 beryju.io/ldap v0.1.0
diff --git a/internal/crypto/backend/fips_disabled.go b/internal/crypto/backend/fips_disabled.go
deleted file mode 100644
index 418cd1a144..0000000000
--- a/internal/crypto/backend/fips_disabled.go
+++ /dev/null
@@ -1,5 +0,0 @@
-//go:build requirefips
-
-package backend
-
-var FipsEnabled = true
diff --git a/internal/crypto/backend/fips_enabled.go b/internal/crypto/backend/fips_enabled.go
deleted file mode 100644
index 49a0c95bb4..0000000000
--- a/internal/crypto/backend/fips_enabled.go
+++ /dev/null
@@ -1,5 +0,0 @@
-//go:build !requirefips
-
-package backend
-
-var FipsEnabled = false
diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index fd8050042a..11a69fba30 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
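Review bot: The new builder base on the Stage 3 `FROM` line of Dockerfile, `docker.io/library/golang:1.24-bookworm`, is a mutable tag, so the toolchain that compiles the server (and, with `GOFIPS140=latest`, the crypto module source that ships with it) can change between builds without any change in this repository. Pinning by digest keeps the build reproducible and auditable: `FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm@sha256:<digest-placeholder> AS go-builder`. The same applies to the `FROM` lines changed in ldap.Dockerfile, proxy.Dockerfile, rac.Dockerfile and radius.Dockerfile.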
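Review bot: On the `go build` line of the second Dockerfile hunk, `GOFIPS140=latest` replaces `-tags=requirefips`, and the two do not appear to give the same guarantee. As far as I know, `GOFIPS140` only sets the build-time default of the `fips140` GODEBUG to on, which a `GODEBUG=fips140=off` in the container environment can still override, and `latest` follows the module source shipped with the toolchain rather than a frozen, validated version. If these images are meant to enforce FIPS mode, consider a pinned module version plus a start-up check such as `if !fips140.Enabled() { log.Fatal("FIPS 140 mode is required") }` in each `cmd/*` entry point. `CGO_ENABLED=1` and the arm64 `CC` exports look left over from the systemcrypto build and may be droppable if nothing else needs cgo. The same line is changed in ldap.Dockerfile, proxy.Dockerfile, rac.Dockerfile and radius.Dockerfile.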
@@ -2,6 +2,7 @@ package ak
 import (
 "context"
+ "crypto/fips140"
 "fmt"
 "math/rand"
 "net/http"
@@ -203,7 +204,7 @@ func (a *APIController) getWebsocketPingArgs() map[string]interface{} {
 "golangVersion": runtime.Version(),
 "opensslEnabled": cryptobackend.OpensslEnabled,
 "opensslVersion": cryptobackend.OpensslVersion(),
- "fipsEnabled": cryptobackend.FipsEnabled,
+ "fipsEnabled": fips140.Enabled(),
 }
 hostname, err := os.Hostname()
 if err == nil {
diff --git a/ldap.Dockerfile b/ldap.Dockerfile
index 0882043827..53df209cce 100644
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
 if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
- CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+ CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
 go build -o /go/ldap ./cmd/ldap
 # Stage 2: Run
diff --git a/proxy.Dockerfile b/proxy.Dockerfile
index 363d0729e8..95000c86b5 100644
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -17,7 +17,7 @@ COPY web .
 RUN npm run build-proxy
 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 ARG TARGETOS
 ARG TARGETARCH
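Review bot: In the ping-args map of internal/outpost/ak/api.go, `"fipsEnabled": fips140.Enabled()` now reports the process's runtime FIPS mode, whereas the old `cryptobackend.FipsEnabled` was a build-tag constant. A short comment would make that distinction visible to whoever consumes the field, e.g. `// fipsEnabled reflects the runtime FIPS 140-3 mode (GOFIPS140 build default / GODEBUG fips140), not a build tag.` The neighbouring `opensslEnabled` and `opensslVersion` entries still come from `cryptobackend`; with the builds moved off the systemcrypto toolchain they presumably no longer describe the crypto actually in use, so it is worth confirming they are still meaningful or dropping them. The body of `getWebsocketPingArgs` starts and ends outside this hunk.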
@@ -43,7 +43,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
 if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
- CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+ CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
 go build -o /go/proxy ./cmd/proxy
 # Stage 3: Run
diff --git a/rac.Dockerfile b/rac.Dockerfile
index 892d0a407d..cede3972d0 100644
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
 if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
- CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+ CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
 go build -o /go/rac ./cmd/rac
 # Stage 2: Run
diff --git a/radius.Dockerfile b/radius.Dockerfile
index b488b3b6b3..af7d246d8c 100644
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
 if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
- CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+ CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
 go build -o /go/radius ./cmd/radius
 # Stage 2: Run