author | Vishal Tak <vtak@gitlab.com> | 2022-04-18 11:13:14 +0300 |
---|---|---|
committer | Vishal Tak <vtak@gitlab.com> | 2022-04-18 11:48:43 +0300 |
commit | 08833c9b52f33920d6ec584235ecc5d54066e477 (patch) | |
tree | 6c4c8823512c14f92f9d87095702db813c7ce5c9 /internal | |
parent | 6ab51ec245e2dbec83b828bf685397fe1adc2e41 (diff) |
Add compile time flag for building in FIPS
Diffstat (limited to 'internal')
-rw-r--r-- | internal/boring/boring.go | 9 | ||||
-rw-r--r-- | internal/boring/notboring.go | 2 |
2 files changed, 9 insertions, 2 deletions
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
index 0a59ec4a..e6d19aeb 100644
--- a/internal/boring/boring.go
+++ b/internal/boring/boring.go
@@ -9,10 +9,15 @@ import (
 "gitlab.com/gitlab-org/labkit/log"
 )
 
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
 func CheckBoring() {
 if boring.Enabled() {
- log.Info("FIPS mode is enabled. Using BoringSSL.")
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
 return
 }
- log.Info("GitLab Pages was compiled with FIPS mode but BoringSSL is not enabled.")
+ log.Info("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.")
 }
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
index 6dbf3c39..1a7eb52f 100644
--- a/internal/boring/notboring.go
+++ b/internal/boring/notboring.go
@@ -3,5 +3,7 @@
 
 package boring
 
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
 func CheckBoring() {
 }
|
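Review bot: In internal/boring/boring.go, the fallback branch of CheckBoring reports a FIPS-compiled binary whose FIPS crypto is not active with `log.Info` and then returns nothing, so the caller cannot react and the only trace is an informational line that is easy to miss in a deployment that requires FIPS. I would raise that message above info severity (or return a bool/error so startup can refuse to continue) and make it actionable, for example `"GitLab Pages was compiled with FIPS mode but FIPS crypto is not active: check /proc/sys/crypto/fips_enabled and that the system OpenSSL can be loaded."`. The new wording "an external SSL library was not enabled" does not tell an operator which of the two preconditions listed in the doc comment failed. The doc comment also says `ldopen()`; the dynamic loader call is `dlopen()`.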