...

Source file src/crypto/internal/boring/fipstls/tls.go

Documentation: crypto/internal/boring/fipstls

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build boringcrypto
     6  
     7  // Package fipstls allows control over whether crypto/tls requires FIPS-approved settings.
     8  // This package only exists with GOEXPERIMENT=boringcrypto, but the effects are independent
     9  // of the use of BoringCrypto.
    10  package fipstls
    11  
    12  import "sync/atomic"
    13  
    14  var required atomic.Bool
    15  
    16  // Force forces crypto/tls to restrict TLS configurations to FIPS-approved settings.
    17  // By design, this call is impossible to undo (except in tests).
    18  //
    19  // Note that this call has an effect even in programs using
    20  // standard crypto (that is, even when Enabled = false).
    21  func Force() {
    22  	required.Store(true)
    23  }
    24  
    25  // Abandon allows non-FIPS-approved settings.
    26  // If called from a non-test binary, it panics.
    27  func Abandon() {
    28  	// Note: Not using boring.UnreachableExceptTests because we want
    29  	// this test to happen even when boring.Enabled = false.
    30  	name := runtime_arg0()
    31  	// Allow _test for Go command, .test for Bazel,
    32  	// NaClMain for NaCl (where all binaries run as NaClMain),
    33  	// and empty string for Windows (where runtime_arg0 can't easily find the name).
    34  	// Since this is an internal package, testing that this isn't used on the
    35  	// other operating systems should suffice to catch any mistakes.
    36  	if !hasSuffix(name, "_test") && !hasSuffix(name, ".test") && name != "NaClMain" && name != "" {
    37  		panic("fipstls: invalid use of Abandon in " + name)
    38  	}
    39  	required.Store(false)
    40  }
    41  
    42  // provided by runtime
    43  func runtime_arg0() string
    44  
    45  func hasSuffix(s, t string) bool {
    46  	return len(s) > len(t) && s[len(s)-len(t):] == t
    47  }
    48  
    49  // Required reports whether FIPS-approved settings are required.
    50  func Required() bool {
    51  	return required.Load()
    52  }
    53  

View as plain text