.: adding kernel fips mode

and general clean up, so this could actually be useful for something

errors.go

@@ -0,0 +1,12 @@
+package fips
+
+import "errors"
+
+var (
+	// ErrFipsDisabled is returned when this package is built without fips build
+	// tag
+	ErrFipsDisabled = errors.New("not built with fips tags")
+
+	// ErrKernelNotSupported is whether the kernel can be checked for fips mode
+	ErrKernelNotSupported = errors.New("No FIPS check for this kernel")
+)

fips.go

@@ -3,11 +3,6 @@
 
 package fips
 
-import "errors"
-
-// ErrFipsDisabled is returned when this package is built without fips build tag
-var ErrFipsDisabled = errors.New("not built with fips tags")
-
 // ONOFF is either on or off
 type ONOFF int
 
@@ -25,3 +20,20 @@ func (oo ONOFF) String() string {
 	}
 	return "OFF"
 }
+
+// Mode checks whether is FIPS mode is on
+func Mode() (ONOFF, error) {
+	return mode()
+}
+
+// ModeSet attempts to turn on FIPS for the context of this executable
+func ModeSet(mode ONOFF) (ONOFF, error) {
+	return modeSet(mode)
+}
+
+// LastError is empty when fips is not built, or
+//  error:[error code]:[library name]:[function name]:[reason string]
+// This error code can also be read with `openssl errstr <error code>`
+func LastError() string {
+	return lastError()
+}

fips_off.go

@@ -2,17 +2,14 @@
 
 package fips
 
-// Mode checks whether is FIPS mode is on
-func Mode() (ONOFF, error) {
+func mode() (ONOFF, error) {
 	return OFF, ErrFipsDisabled
 }
 
-// ModeSet attempts to turn on FIPS for the context of this executable
-func ModeSet(mode ONOFF) (ONOFF, error) {
+func modeSet(mode ONOFF) (ONOFF, error) {
 	return OFF, ErrFipsDisabled
 }
 
-// LastError is empty when fips is not built
-func LastError() string {
+func lastError() string {
 	return ""
 }

fips_on.go

@@ -11,23 +11,19 @@ package fips
 import "C"
 import "errors"
 
-// Mode checks whether is FIPS mode is on
-func Mode() (ONOFF, error) {
+func mode() (ONOFF, error) {
 	return ONOFF(C.FIPS_mode()), nil
 }
 
-// Attempt to turn on FIPS for the context of this executable
-func ModeSet(mode ONOFF) (ONOFF, error) {
+func modeSet(mode ONOFF) (ONOFF, error) {
 	o := ONOFF(C.FIPS_mode_set(C.int(mode)))
 	if o != mode {
-		return o, errors.New(LastError())
+		return o, errors.New(lastError())
 	}
 	return o, nil
 }
 
-// returns error:[error code]:[library name]:[function name]:[reason string]
-// this error code can also be read with `openssl errstr <error code>`
-func LastError() string {
+func lastError() string {
 	buf := C.malloc(1024)
 	e := C.ERR_get_error() // a C.ulong
 	C.ERR_load_crypto_strings()

kernel.go

@@ -0,0 +1,8 @@
+package fips
+
+// KernelMode checks whether fips flags are present for the running kernel
+//
+// This is presently only for Linux kernels
+func KernelMode() (ONOFF, error) {
+	return kernelMode()
+}

kernel_linux.go

@@ -0,0 +1,44 @@
+// +build linux
+
+package fips
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+)
+
+var (
+	kernelCommandLine   = "/proc/cmdline"
+	kernelFipsParameter = []byte("fips=")
+)
+
+func kernelMode() (ONOFF, error) {
+	if _, err := os.Stat(kernelCommandLine); os.IsNotExist(err) {
+		return OFF, ErrKernelNotSupported
+	}
+	fh, err := os.Open(kernelCommandLine)
+	if err != nil {
+		return OFF, err
+	}
+	defer fh.Close()
+
+	buf, err := ioutil.ReadAll(fh)
+	if err != nil {
+		return OFF, err
+	}
+
+	enabled := OFF
+	for _, chunk := range bytes.Split(buf, []byte(" ")) {
+		if bytes.HasPrefix(chunk, kernelFipsParameter) {
+			val := bytes.TrimPrefix(chunk, kernelFipsParameter)
+			if string(val) == "1" {
+				enabled = ON
+			} else if string(val) == "0" {
+				enabled = OFF
+			}
+		}
+	}
+
+	return enabled, nil
+}

kernel_notsupported.go

@@ -0,0 +1,7 @@
+// +build !linux
+
+package fips
+
+func kernelMode() (ONOFF, error) {
+	return OFF, ErrKernelNotSupported
+}