Source file src/crypto/internal/fips140/fips140.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package fips140
     6  
     7  import (
     8  	"crypto/internal/fips140deps/godebug"
     9  	"errors"
    10  	"runtime"
    11  )
    12  
var (
	// Enabled records whether FIPS 140-3 mode was requested through the
	// fips140 GODEBUG setting. The init function in this file sets it to
	// true for the values "on", "only" and "debug"; for "off" or an unset
	// value it keeps its zero value, false.
	//
	// NOTE(review): this is an exported, mutable package variable and
	// nothing in this file guards it against later writes. Confirm that
	// importers treat it as read-only after initialization.
	Enabled bool

	// debug is set to true only for fips140=debug. Nothing in this file
	// reads it; its consumers are elsewhere in the package.
	debug bool
)
    16  
// init reads the fips140 GODEBUG setting and records the requested mode
// in Enabled and debug.
//
// Accepted values are "on", "only", "debug", "off" and the empty string
// (unset). Any other value panics instead of falling back to a default,
// so a misspelled setting cannot silently leave the program running
// with FIPS 140-3 mode off.
//
// NOTE(review): "on" and "only" are handled identically here. Whatever
// extra restriction "only" implies must be enforced outside this file.
func init() {
	switch setting := godebug.Value("#fips140"); setting {
	case "", "off":
		// Not requested: Enabled and debug keep their zero values.
	case "debug":
		debug = true
		Enabled = true
	case "on", "only":
		Enabled = true
	default:
		// Fail closed on anything unrecognized.
		panic("fips140: unknown GODEBUG setting fips140=" + setting)
	}
}
    30  
// Supported reports whether FIPS 140-3 mode can be enabled in this
// build. It returns nil when it can, and otherwise an error naming the
// first blocking condition found. The checks run in this order: ASAN,
// then the platform exclusion list, then GOEXPERIMENT=boringcrypto.
//
// Supported does not consult Enabled. It only answers whether the mode
// could be turned on, not whether it has been.
func Supported() error {
	// Keep this in sync with fipsSupported in cmd/dist/test.go.

	// ASAN disapproves of reading swaths of global memory in fips140/check.
	// One option would be to expose runtime.asanunpoison through
	// crypto/internal/fips140deps and then call it to unpoison the range
	// before reading it, but it is unclear whether that would then cause
	// false negatives. For now, FIPS+ASAN doesn't need to work.
	if asanEnabled {
		return errors.New("FIPS 140-3 mode is incompatible with ASAN")
	}

	// See EnableFIPS in cmd/internal/obj/fips.go for commentary.
	goos, goarch := runtime.GOOS, runtime.GOARCH
	excluded := goarch == "wasm" ||
		(goos == "windows" && (goarch == "386" || goarch == "arm")) ||
		goos == "openbsd" || // due to -fexecute-only, see #70880
		goos == "aix"
	if excluded {
		return errors.New("FIPS 140-3 mode is not supported on " + goos + "-" + goarch)
	}

	if boringEnabled {
		return errors.New("FIPS 140-3 mode is incompatible with GOEXPERIMENT=boringcrypto")
	}

	return nil
}
    60  
// Name returns the fixed name under which this module identifies
// itself. The value is a string literal and does not depend on any
// build or runtime state.
func Name() string {
	const moduleName = "Go Cryptographic Module"
	return moduleName
}
    64  
// Version returns the module version string.
//
// The value is hard-coded in this file, not derived from build
// information, so it changes only when this source is edited.
// NOTE(review): callers that report this value for compliance should
// confirm it matches the module version they intend to claim.
func Version() string {
	const moduleVersion = "v1.0"
	return moduleVersion
}
    68  
