.: adding kernel fips mode
and general clean up, so this could actually be useful for something
parent
8fae0bf8e0
commit
c6b4ecc9c1
7 changed files with 95 additions and 19 deletions
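--- /dev/null
+++ b/errors.go
@@ -0,0 +1,12 @@
+package fips
+
+import "errors"
+
+var (
+	// ErrFipsDisabled is returned when this package is built without fips build
+	// tag
+	ErrFipsDisabled = errors.New("not built with fips tags")
+
+	// ErrKernelNotSupported is whether the kernel can be checked for fips mode
+	ErrKernelNotSupported = errors.New("No FIPS check for this kernel")
+)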
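Review bot: The message in `ErrKernelNotSupported = errors.New("No FIPS check for this kernel")` starts with a capital letter, unlike `ErrFipsDisabled` in the same block; Go error strings are conventionally lowercase so they read naturally when wrapped, `ErrKernelNotSupported = errors.New("no FIPS check for this kernel")`. The doc comment `// ErrKernelNotSupported is whether the kernel can be checked for fips mode` describes a boolean rather than an error value; `// ErrKernelNotSupported is returned when FIPS mode cannot be checked for the running kernel.` states when callers will see it. Since both sentinels are compared by callers, a short note that they are meant for errors.Is-style comparison would also help.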
22
fips.go
22
fips.go
|
@ -3,11 +3,6 @@
|
|||
|
||||
package fips
|
||||
|
||||
import "errors"
|
||||
|
||||
// ErrFipsDisabled is returned when this package is built without fips build tag
|
||||
var ErrFipsDisabled = errors.New("not built with fips tags")
|
||||
|
||||
// ONOFF is either on or off
|
||||
type ONOFF int
|
||||
|
||||
|
@ -25,3 +20,20 @@ func (oo ONOFF) String() string {
|
|||
}
|
||||
return "OFF"
|
||||
}
|
||||
|
||||
// Mode checks whether is FIPS mode is on
|
||||
func Mode() (ONOFF, error) {
|
||||
return mode()
|
||||
}
|
||||
|
||||
// ModeSet attempts to turn on FIPS for the context of this executable
|
||||
func ModeSet(mode ONOFF) (ONOFF, error) {
|
||||
return modeSet(mode)
|
||||
}
|
||||
|
||||
// LastError is empty when fips is not built, or
|
||||
// error:[error code]:[library name]:[function name]:[reason string]
|
||||
// This error code can also be read with `openssl errstr <error code>`
|
||||
func LastError() string {
|
||||
return lastError()
|
||||
}
|
||||
|
|
|
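Review bot: In `func ModeSet(mode ONOFF) (ONOFF, error)` the parameter `mode` shadows the unexported package-level `mode()` that this commit introduces in fips_on.go and the non-fips build; it compiles because the body calls `modeSet`, but it reads as if the function were being passed around, and the same shadowing recurs in `func modeSet(mode ONOFF)` in both implementations. Renaming the parameter, e.g. `func ModeSet(want ONOFF) (ONOFF, error) {` with `return modeSet(want)`, removes the ambiguity. The doc comment `// Mode checks whether is FIPS mode is on` has a stray "is"; `// Mode reports whether FIPS mode is on.` follows the Go doc-comment form. The first three lines of the hunk close the String method, whose body starts outside the hunk.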
@ -2,17 +2,14 @@
|
|||
|
||||
package fips
|
||||
|
||||
// Mode checks whether is FIPS mode is on
|
||||
func Mode() (ONOFF, error) {
|
||||
func mode() (ONOFF, error) {
|
||||
return OFF, ErrFipsDisabled
|
||||
}
|
||||
|
||||
// ModeSet attempts to turn on FIPS for the context of this executable
|
||||
func ModeSet(mode ONOFF) (ONOFF, error) {
|
||||
func modeSet(mode ONOFF) (ONOFF, error) {
|
||||
return OFF, ErrFipsDisabled
|
||||
}
|
||||
|
||||
// LastError is empty when fips is not built
|
||||
func LastError() string {
|
||||
func lastError() string {
|
||||
return ""
|
||||
}
|
||||
|
|
12
fips_on.go
12
fips_on.go
|
@ -11,23 +11,19 @@ package fips
|
|||
import "C"
|
||||
import "errors"
|
||||
|
||||
// Mode checks whether is FIPS mode is on
|
||||
func Mode() (ONOFF, error) {
|
||||
func mode() (ONOFF, error) {
|
||||
return ONOFF(C.FIPS_mode()), nil
|
||||
}
|
||||
|
||||
// Attempt to turn on FIPS for the context of this executable
|
||||
func ModeSet(mode ONOFF) (ONOFF, error) {
|
||||
func modeSet(mode ONOFF) (ONOFF, error) {
|
||||
o := ONOFF(C.FIPS_mode_set(C.int(mode)))
|
||||
if o != mode {
|
||||
return o, errors.New(LastError())
|
||||
return o, errors.New(lastError())
|
||||
}
|
||||
return o, nil
|
||||
}
|
||||
|
||||
// returns error:[error code]:[library name]:[function name]:[reason string]
|
||||
// this error code can also be read with `openssl errstr <error code>`
|
||||
func LastError() string {
|
||||
func lastError() string {
|
||||
buf := C.malloc(1024)
|
||||
e := C.ERR_get_error() // a C.ulong
|
||||
C.ERR_load_crypto_strings()
|
||||
|
|
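--- /dev/null
+++ b/kernel.go
@@ -0,0 +1,8 @@
+package fips
+
+// KernelMode checks whether fips flags are present for the running kernel
+//
+// This is presently only for Linux kernels
+func KernelMode() (ONOFF, error) {
+	return kernelMode()
+}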
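--- /dev/null
+++ b/kernel_linux.go
@@ -0,0 +1,44 @@
+// +build linux
+
+package fips
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+)
+
+var (
+	kernelCommandLine = "/proc/cmdline"
+	kernelFipsParameter = []byte("fips=")
+)
+
+func kernelMode() (ONOFF, error) {
+	if _, err := os.Stat(kernelCommandLine); os.IsNotExist(err) {
+		return OFF, ErrKernelNotSupported
+	}
+	fh, err := os.Open(kernelCommandLine)
+	if err != nil {
+		return OFF, err
+	}
+	defer fh.Close()
+
+	buf, err := ioutil.ReadAll(fh)
+	if err != nil {
+		return OFF, err
+	}
+
+	enabled := OFF
+	for _, chunk := range bytes.Split(buf, []byte(" ")) {
+		if bytes.HasPrefix(chunk, kernelFipsParameter) {
+			val := bytes.TrimPrefix(chunk, kernelFipsParameter)
+			if string(val) == "1" {
+				enabled = ON
+			} else if string(val) == "0" {
+				enabled = OFF
+			}
+		}
+	}
+
+	return enabled, nil
+}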
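Review bot: The newline that terminates /proc/cmdline is never stripped before the split at `bytes.Split(buf, []byte(" "))`, so when `fips=1` is the last boot parameter the token becomes `1\n`, matches neither branch, and KernelMode reports OFF on a kernel that was booted with FIPS requested; `for _, chunk := range bytes.Fields(buf) {` splits on all whitespace and also tolerates runs of spaces between parameters. The os.Stat before os.Open checks the same path twice; opening directly and mapping `os.IsNotExist(err)` on the Open error to ErrKernelNotSupported is equivalent and shorter. kernelMode also deserves a doc comment saying that the boot parameter only records what was requested on the command line, the kernel's effective state is exposed separately under /proc/sys/crypto/fips_enabled, and so callers must not treat an ON result as proof that kernel FIPS mode is active.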
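--- /dev/null
+++ b/kernel_notsupported.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package fips
+
+func kernelMode() (ONOFF, error) {
+	return OFF, ErrKernelNotSupported
+}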