fips140.go

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package fips140
     6  
     7  import (
     8  	"crypto/internal/fips140deps/godebug"
     9  	"errors"
    10  	"runtime"
    11  )
    12  
    13  var Enabled bool
    14  
    15  var debug bool
    16  
    17  func init() {
    18  	v := godebug.Value("#fips140")
    19  	switch v {
    20  	case "on", "only":
    21  		Enabled = true
    22  	case "debug":
    23  		Enabled = true
    24  		debug = true
    25  	case "off", "":
    26  	default:
    27  		panic("fips140: unknown GODEBUG setting fips140=" + v)
    28  	}
    29  }
    30  
    31  // Supported returns an error if FIPS 140-3 mode can't be enabled.
    32  func Supported() error {
    33  	// Keep this in sync with fipsSupported in cmd/dist/test.go.
    34  
    35  	// The purego tag changes too much of the implementation to claim the
    36  	// validation still applies.
    37  	if puregoEnabled {
    38  		return errors.New("FIPS 140-3 mode is incompatible with the purego build tag")
    39  	}
    40  
    41  	// ASAN disapproves of reading swaths of global memory in fips140/check.
    42  	// One option would be to expose runtime.asanunpoison through
    43  	// crypto/internal/fips140deps and then call it to unpoison the range
    44  	// before reading it, but it is unclear whether that would then cause
    45  	// false negatives. For now, FIPS+ASAN doesn't need to work.
    46  	if asanEnabled {
    47  		return errors.New("FIPS 140-3 mode is incompatible with ASAN")
    48  	}
    49  
    50  	// See EnableFIPS in cmd/internal/obj/fips.go for commentary.
    51  	// Also, js/wasm and windows/386 don't have good enough timers
    52  	// for the CPU jitter entropy source.
    53  	switch {
    54  	case runtime.GOARCH == "wasm",
    55  		runtime.GOOS == "windows" && runtime.GOARCH == "386",
    56  		runtime.GOOS == "openbsd", // due to -fexecute-only, see #70880
    57  		runtime.GOOS == "aix":
    58  		return errors.New("FIPS 140-3 mode is not supported on " + runtime.GOOS + "-" + runtime.GOARCH)
    59  	}
    60  
    61  	if boringEnabled {
    62  		return errors.New("FIPS 140-3 mode is incompatible with GOEXPERIMENT=boringcrypto")
    63  	}
    64  
    65  	return nil
    66  }
    67  
    68  func Name() string {
    69  	return "Go Cryptographic Module"
    70  }
    71  
    72  // Version returns the formal version (such as "v1.0.0") if building against a
    73  // frozen module with GOFIPS140. Otherwise, it returns "latest".
    74  func Version() string {
    75  	// This return value is replaced by mkzip.go, it must not be changed or
    76  	// moved to a different file.
    77  	return "latest" //mkzip:version
    78  }
    79
View as plain text