 

Verify FIPS mode in golang boringssl

Tags: go, boringssl, fips

How to verify if FIPS mode is enabled for a binary in the golang dev boring crypto branch? I don't see an easy way apart from internal golang tests.

Akshay Khurd asked Oct 24 '25 10:10


1 Answer

From this file:

https://go.googlesource.com/go/+/dev.boringcrypto/src/crypto/tls/fipsonly/fipsonly.go

// Package fipsonly restricts all TLS configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//  import _ "crypto/tls/fipsonly"
//
// This package only exists in the dev.boringcrypto branch of Go.

By including that import statement in your program, it will only compile if you're using the dev.boringcrypto branch.

Here's a test main.go:

package main

import (
    "fmt"
    _ "crypto/tls/fipsonly"
)

func main() {
    fmt.Println("Hello FIPS")
}

Using the dev.boringcrypto branch of Go:

$ go version
go version go1.12.9b4 linux/amd64
$ go run main.go
Hello FIPS

Using the normal release of Go:

$ go version
go version go1.12.9 darwin/amd64
$ go run main.go
main.go:4:2: cannot find package "crypto/tls/fipsonly" in any of:
    /Users/ray/.gimme/versions/go1.12.9.darwin.amd64/src/crypto/tls/fipsonly (from $GOROOT)
    /Users/ray/go/src/crypto/tls/fipsonly (from $GOPATH)

rharris answered Oct 26 '25 01:10
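
To check an already built artifact rather than the toolchain, the following added example (not part of the answer above and not code from the Go project) scans a Linux ELF binary's symbol table for the BoringCrypto cgo bindings. The `_goboringcrypto_` symbol fragment and the `boringcheck` tool name are assumptions of this example.

```go
package main

import (
	"debug/elf"
	"fmt"
	"log"
	"os"
	"strings"
)

// boringMarker: name fragment of the cgo bindings in crypto/internal/boring (assumed).
const boringMarker = "_goboringcrypto_"

// isBoring reports whether a symbol name belongs to the BoringCrypto bindings.
func isBoring(name string) bool { return strings.Contains(name, boringMarker) }

// BoringSymbols lists the BoringCrypto symbols in the ELF binary at path.
// A stripped binary has no symbol table and yields an error, never an empty list.
func BoringSymbols(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	defer f.Close()
	syms, err := f.Symbols() // elf.ErrNoSymbols when stripped
	if err != nil {
		return nil, fmt.Errorf("symbols of %s: %w", path, err)
	}
	var hits []string
	for _, s := range syms {
		if isBoring(s.Name) {
			hits = append(hits, s.Name)
		}
	}
	return hits, nil
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: boringcheck <elf-binary>")
	}
	hits, err := BoringSymbols(os.Args[1])
	if err != nil {
		log.Fatal("cannot decide: ", err)
	}
	fmt.Printf("%d BoringCrypto symbols in %s\n", len(hits), os.Args[1])
	if len(hits) == 0 {
		os.Exit(1) // linked without BoringCrypto
	}
}
```

A non-zero count shows that BoringCrypto is linked into the binary; it does not show that `crypto/tls/fipsonly` was imported, so the TLS restriction still has to be confirmed from the source or a build that fails without it.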