From ec9ddbec5f8676370fa3eac174c061646dfb9e63 Mon Sep 17 00:00:00 2001
From: Ti Chi Robot
Date: Mon, 11 Dec 2023 18:49:47 +0800
Subject: [PATCH] Makefile(ticdc): support build cdc in fips mode (#9961) (#10131)

close pingcap/tiflow#9962
---
 Makefile | 13 +++++++++++--
 cmd/cdc/fips.go | 27 +++++++++++++++++++++++++++
 pkg/version/check.go | 1 +
 pkg/version/check_test.go | 4 ++++
 4 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 cmd/cdc/fips.go

diff --git a/Makefile b/Makefile
index c23df7e6100..768e78d4ae7 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,16 @@ ifeq (${CDC_ENABLE_VENDOR}, 1)
 GOVENDORFLAG := -mod=vendor
 endif

-GOBUILD := CGO_ENABLED=0 $(GO) build $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
+BUILD_FLAG =
+GOEXPERIMENT=
+ifeq ("${ENABLE_FIPS}", "1")
+ BUILD_FLAG = -tags boringcrypto
+ GOEXPERIMENT = GOEXPERIMENT=boringcrypto
+ CGO := 1
+else
+ CGO := 0
+endif
+GOBUILD := $(GOEXPERIMENT) CGO_ENABLED=$(CGO) $(GO) build $(BUILD_FLAG) -trimpath $(GOVENDORFLAG)
 GOBUILDNOVENDOR := CGO_ENABLED=0 $(GO) build $(BUILD_FLAG) -trimpath
 GOTEST := CGO_ENABLED=1 $(GO) test -p $(P) --race
 GOTESTNORACE := CGO_ENABLED=1 $(GO) test -p $(P)
@@ -136,7 +145,7 @@ build-failpoint: check_failpoint_ctl
 $(FAILPOINT_DISABLE)

 cdc:
- $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc/main.go
+ $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc ./cmd/cdc

 kafka_consumer:
 $(GOBUILD) -ldflags '$(LDFLAGS)' -o bin/cdc_kafka_consumer ./cmd/kafka-consumer/main.go
diff --git a/cmd/cdc/fips.go b/cmd/cdc/fips.go
new file mode 100644
index 00000000000..36d0db733e6
--- /dev/null
+++ b/cmd/cdc/fips.go
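Review bot: `GOBUILDNOVENDOR` still hard-codes `CGO_ENABLED=0` and has no `$(GOEXPERIMENT)` prefix, yet it expands `$(BUILD_FLAG)`, so with `ENABLE_FIPS=1` it passes `-tags boringcrypto` to a build that has cgo and the BoringCrypto experiment switched off. Anything built through it would then either fail to compile or carry the FIPS-tagged files without the validated module behind them (which of the two depends on the packages built, not visible here). Deriving it the same way as `GOBUILD` keeps the two consistent: `GOBUILDNOVENDOR := $(GOEXPERIMENT) CGO_ENABLED=$(CGO) $(GO) build $(BUILD_FLAG) -trimpath`. Separately, the unconditional `BUILD_FLAG =` discards a `BUILD_FLAG` supplied through the environment; `BUILD_FLAG ?=` with `BUILD_FLAG += -tags boringcrypto` in the FIPS branch would preserve it, assuming nothing earlier in the Makefile relies on the reset.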
@@ -0,0 +1,27 @@
+// Copyright 2020 PingCAP, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import (
+ _ "crypto/tls/fipsonly"
+ //
+ "github.com/pingcap/tiflow/pkg/version"
+)
+
+func init() {
+ version.ReleaseVersion += "-fips"
+}
diff --git a/pkg/version/check.go b/pkg/version/check.go
index 2be6566f2a3..fbd9a63bf86 100644
--- a/pkg/version/check.go
+++ b/pkg/version/check.go
@@ -67,6 +67,7 @@ func SanitizeVersion(v string) string {
 return v
 }
 v = versionHash.ReplaceAllLiteralString(v, "")
+ v = strings.TrimSuffix(v, "-fips")
 v = strings.TrimSuffix(v, "-dirty")
 return strings.TrimPrefix(v, "v")
 }
diff --git a/pkg/version/check_test.go b/pkg/version/check_test.go
index fb13b356bf8..4f5a53c0ac6 100644
--- a/pkg/version/check_test.go
+++ b/pkg/version/check_test.go
@@ -266,6 +266,10 @@ func TestCompareVersion(t *testing.T) {
 dirtyVersion := semver.New(SanitizeVersion("v6.3.0-dirty"))
 require.Equal(t, 1, dirtyVersion.Compare(*MinTiCDCVersion))
 require.Equal(t, 0, dirtyVersion.Compare(*semver.New("6.3.0")))
+
+ dirtyVersionWithFIPS := semver.New(SanitizeVersion("v6.3.0-dirty-fips"))
+ require.Equal(t, 1, dirtyVersionWithFIPS.Compare(*MinTiCDCVersion))
+ require.Equal(t, 0, dirtyVersionWithFIPS.Compare(*semver.New("6.3.0")))
 }

 func TestReleaseSemver(t *testing.T) {
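Review bot: The `-fips` suffix in `init` is appended whenever the `boringcrypto` tag is set, not when BoringCrypto is actually in use, so a build on a platform or with settings where the toolchain falls back to its native crypto would still advertise itself as FIPS. Because this file is already gated on the tag, it can import `crypto/boring` and refuse to start otherwise: `if !boring.Enabled() { panic("built with boringcrypto tag but BoringCrypto is not enabled") }`. For release verification it is also worth checking the artifact with `go version bin/cdc`, which should report an `X:boringcrypto` suffix on the toolchain version. The bare `//` line between the two imports looks like a leftover; a comment such as `// Restrict crypto/tls to FIPS-approved settings.` above the blank import would say why it is there.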
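Review bot: The new `strings.TrimSuffix(v, "-fips")` only works because it runs before the `-dirty` trim, and nothing in SanitizeVersion says why that order matters. A comment such as `// cmd/cdc/fips.go appends "-fips" last, so strip it before "-dirty".` would keep a later reordering from silently breaking version comparison for FIPS builds. After this change a FIPS and a non-FIPS build sanitize to the same version, so any compatibility check that relies on this function cannot tell them apart; if mixed deployments matter for compliance, that needs its own check. SanitizeVersion starts above the hunk, so the condition guarding the early `return v` is not visible here.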
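Review bot: Only the `v6.3.0-dirty-fips` form is exercised; a clean release build would carry `-fips` without `-dirty`, and that path has no assertion. Adding `require.Equal(t, "6.3.0", SanitizeVersion("v6.3.0-fips"))` next to the new lines covers it. A case with the suffixes in the other order (for example `v6.3.0-fips-dirty`) would also pin down what SanitizeVersion is expected to return when the order assumption does not hold. TestCompareVersion begins outside the hunk.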