   1  // Copyright 2024 The Go Authors. All rights reserved.
   2  // Use of this source code is governed by a BSD-style
   3  // license that can be found in the LICENSE file.
   4  
   5  package fips140
   6  
   7  import (
   8  	"crypto/internal/fips140deps/godebug"
   9  	"errors"
  10  	"runtime"
  11  )
  12  
var (
	// Enabled reports whether FIPS 140-3 mode was requested through the
	// GODEBUG fips140 setting ("on", "only" or "debug"). It is assigned
	// once, in this package's init, and is false otherwise.
	Enabled bool

	// debug is set alongside Enabled when the GODEBUG fips140 setting is
	// "debug".
	debug bool
)
  16  
// init reads the GODEBUG fips140 setting once and records it in the
// package-level Enabled and debug flags. "on" and "only" enable FIPS mode,
// "debug" enables it and additionally sets debug, "off" and the empty
// string leave it disabled, and anything else is a fatal misconfiguration.
func init() {
	setting := godebug.Value("#fips140")
	switch setting {
	case "", "off":
		// FIPS mode stays disabled.
		return
	case "debug":
		debug = true
	case "on", "only":
	default:
		// An unrecognized value must not be silently ignored: the caller
		// asked for a specific FIPS behavior and would otherwise run without it.
		panic("fips140: unknown GODEBUG setting fips140=" + setting)
	}
	Enabled = true
}
  30  
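// Supported returns an error if FIPS 140-3 mode can't be enabled.
//
// The checks are, in order: the address sanitizer, a fixed set of
// GOOS/GOARCH combinations the module does not support, and the
// BoringCrypto experiment. A nil return means the current build can run
// in FIPS 140-3 mode.
func Supported() error {
	// Keep this in sync with fipsSupported in cmd/dist/test.go.

	// ASAN disapproves of reading swaths of global memory in fips140/check.
	// One option would be to expose runtime.asanunpoison through
	// crypto/internal/fips140deps and then call it to unpoison the range
	// before reading it, but it is unclear whether that would then cause
	// false negatives. For now, FIPS+ASAN doesn't need to work.
	if asanEnabled {
		return errors.New("FIPS 140-3 mode is incompatible with ASAN")
	}

	// See EnableFIPS in cmd/internal/obj/fips.go for commentary.
	// runtime.GOOS and runtime.GOARCH are string constants; compare them
	// directly rather than through []byte conversions, which Go cannot
	// compare with == and which errors.New does not accept.
	switch {
	case runtime.GOARCH == "wasm",
		runtime.GOOS == "windows" && runtime.GOARCH == "386",
		runtime.GOOS == "windows" && runtime.GOARCH == "arm",
		runtime.GOOS == "openbsd", // due to -fexecute-only, see #70880
		runtime.GOOS == "aix":
		return errors.New("FIPS 140-3 mode is not supported on " + runtime.GOOS + "-" + runtime.GOARCH)
	}

	if boringEnabled {
		return errors.New("FIPS 140-3 mode is incompatible with GOEXPERIMENT=boringcrypto")
	}

	return nil
}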
  65  
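// Name returns the name of the cryptographic module as a byte slice.
// The declared result type is []byte, so the literal must be converted;
// returning an untyped string constant directly does not compile.
func Name() []byte {
	return []byte("Go Cryptographic Module")
}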
  69  
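// Version returns the formal version (such as "v1.0.0") if building against a
// frozen module with GOFIPS140. Otherwise, it returns "latest".
//
// The result is returned as a []byte to match the declared signature; the
// version literal itself stays on the line tagged //mkzip:version.
func Version() []byte {
	// This return value is replaced by mkzip.go, it must not be changed or
	// moved to a different file.
	return []byte("latest") //mkzip:version
}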