
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVishal Tak <vtak@gitlab.com>2022-04-18 11:13:14 +0300
committerVishal Tak <vtak@gitlab.com>2022-04-18 11:48:43 +0300
commit08833c9b52f33920d6ec584235ecc5d54066e477 (patch)
tree6c4c8823512c14f92f9d87095702db813c7ce5c9 /internal
parent6ab51ec245e2dbec83b828bf685397fe1adc2e41 (diff)
Add compile time flag for building in FIPS
Diffstat (limited to 'internal')
-rw-r--r--internal/boring/boring.go9
-rw-r--r--internal/boring/notboring.go2
2 files changed, 9 insertions, 2 deletions
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
index 0a59ec4a..e6d19aeb 100644
--- a/internal/boring/boring.go
+++ b/internal/boring/boring.go
@@ -9,10 +9,15 @@ import (
"gitlab.com/gitlab-org/labkit/log"
)
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
func CheckBoring() {
if boring.Enabled() {
- log.Info("FIPS mode is enabled. Using BoringSSL.")
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
return
}
- log.Info("GitLab Pages was compiled with FIPS mode but BoringSSL is not enabled.")
+ log.Info("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.")
}
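Review bot: The fallback branch of CheckBoring (the second `log.Info` call) reports a FIPS build running without its external crypto library at Info level and then returns normally. A binary built for FIPS can therefore start serving, presumably on non-validated crypto, with only an informational log line as evidence. That condition deserves at least a warning-level entry. Because CheckBoring returns nothing, the caller cannot refuse to start; returning the result of `boring.Enabled()` would let startup code fail closed, though whether Pages should exit here is a deployment policy decision the hunk does not show. Separately, the new doc comment names `ldopen()`, but the dynamic loader call is `dlopen()`, so that line should read `// 2. A system OpenSSL can be dynamically loaded via dlopen().`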
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
index 6dbf3c39..1a7eb52f 100644
--- a/internal/boring/notboring.go
+++ b/internal/boring/notboring.go
@@ -3,5 +3,7 @@
package boring
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
func CheckBoring() {
}