From 08833c9b52f33920d6ec584235ecc5d54066e477 Mon Sep 17 00:00:00 2001
From: Vishal Tak
Date: Mon, 18 Apr 2022 13:43:14 +0530
Subject: Add compile time flag for building in FIPS
---
 internal/boring/boring.go | 9 +++++++--
 internal/boring/notboring.go | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'internal')
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
index 0a59ec4a..e6d19aeb 100644
--- a/internal/boring/boring.go
+++ b/internal/boring/boring.go
@@ -9,10 +9,15 @@ import (
 "gitlab.com/gitlab-org/labkit/log"
 )
+// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go
+// compiler in https://github.com/golang-fips/go, this requires that:
+//
+// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1).
+// 2. A system OpenSSL can be dynamically loaded via ldopen().
 func CheckBoring() {
 if boring.Enabled() {
- log.Info("FIPS mode is enabled. Using BoringSSL.")
+ log.Info("FIPS mode is enabled. Using an external SSL library.")
 return
 }
- log.Info("GitLab Pages was compiled with FIPS mode but BoringSSL is not enabled.")
+ log.Info("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.")
 }
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
index 6dbf3c39..1a7eb52f 100644
--- a/internal/boring/notboring.go
+++ b/internal/boring/notboring.go
@@ -3,5 +3,7 @@
 package boring
+// CheckBoring does nothing when the boringcrypto tag is not in the
+// build.
 func CheckBoring() {
 }
-- 
cgit v1.2.3
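Review bot: The fallthrough message on the last `+` line of the boring.go hunk is logged at Info level although it reports that a FIPS-compiled binary is running without the FIPS crypto backend, which is exactly the degraded state an operator needs to notice; a warning level would keep it visible under normal log filtering, e.g. `log.Warn("GitLab Pages was compiled with FIPS mode but an external SSL library was not enabled.")` if labkit's log package exposes one. The added doc comment also spells the loader call as `ldopen()`; the libc function is `dlopen()`, so `// 2. A system OpenSSL can be dynamically loaded via dlopen().` is presumably intended. The two listed requirements describe the golang-fips toolchain rather than anything this function verifies, so the comment could add that `boring.Enabled()` is the only check performed here. The whole of CheckBoring is inside the hunk.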