diff --git a/errors.go b/errors.go
new file mode 100644
index 0000000..bd9decc
--- /dev/null
+++ b/errors.go
@@ -0,0 +1,12 @@
+package fips
+
+import "errors"
+
+var (
+ // ErrFipsDisabled is returned when this package is built without fips build
+ // tag
+ ErrFipsDisabled = errors.New("not built with fips tags")
+
+ // ErrKernelNotSupported is whether the kernel can be checked for fips mode
+ ErrKernelNotSupported = errors.New("No FIPS check for this kernel")
+)
diff --git a/fips.go b/fips.go
index 852d0c0..9c939f8 100644
--- a/fips.go
+++ b/fips.go
@@ -3,11 +3,6 @@ package fips
-import "errors"
-
-// ErrFipsDisabled is returned when this package is built without fips build tag
-var ErrFipsDisabled = errors.New("not built with fips tags")
-
// ONOFF is either on or off
type ONOFF int
@@ -25,3 +20,20 @@ func (oo ONOFF) String() string {
}
return "OFF"
}
+
+// Mode checks whether is FIPS mode is on
+func Mode() (ONOFF, error) {
+ return mode()
+}
+
+// ModeSet attempts to turn on FIPS for the context of this executable
+func ModeSet(mode ONOFF) (ONOFF, error) {
+ return modeSet(mode)
+}
+
+// LastError is empty when fips is not built, or
+// error:[error code]:[library name]:[function name]:[reason string]
+// This error code can also be read with `openssl errstr `
+func LastError() string {
+ return lastError()
+}
diff --git a/fips_off.go b/fips_off.go
index 01aa9e8..5512d8d 100644
--- a/fips_off.go
+++ b/fips_off.go
@@ -2,17 +2,14 @@ package fips
-// Mode checks whether is FIPS mode is on
-func Mode() (ONOFF, error) {
+func mode() (ONOFF, error) {
return OFF, ErrFipsDisabled
}
-// ModeSet attempts to turn on FIPS for the context of this executable
-func ModeSet(mode ONOFF) (ONOFF, error) {
+func modeSet(mode ONOFF) (ONOFF, error) {
return OFF, ErrFipsDisabled
}
-// LastError is empty when fips is not built
-func LastError() string {
+func lastError() string {
return ""
}
diff --git a/fips_on.go b/fips_on.go
index 3f7c1a1..0dc2840 100644
--- a/fips_on.go
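Review bot: The new sentinel's message `"No FIPS check for this kernel"` starts with a capital, against the Go convention that error strings are lowercase because callers embed them mid-sentence; `ErrKernelNotSupported = errors.New("no FIPS check for this kernel")` is safe to change since it is a sentinel compared by identity, not by text. Its doc comment `// ErrKernelNotSupported is whether the kernel can be checked for fips mode` reads as a predicate rather than describing when the value is returned; suggest `// ErrKernelNotSupported is returned when the running kernel cannot be checked for FIPS mode (non-Linux, or no kernel command line).`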
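Review bot: The doc comments on the three new exported wrappers (Mode, ModeSet, LastError) are now the package's whole API surface and leave out what a caller needs: `// Mode checks whether is FIPS mode is on` has a stray `is`, ModeSet's comment says only "turn on" although OFF can be passed as well, neither says that without the fips build tag they return OFF and ErrFipsDisabled (the fips_off.go stubs in this same commit), and LastError's example `openssl errstr ` is missing the code argument it should name. Suggested wording: `// Mode reports whether FIPS mode is on; without the fips build tag it returns OFF and ErrFipsDisabled.` and `// ModeSet requests FIPS mode on or off for this process and returns the mode reported back, or ErrFipsDisabled without the fips build tag.` The package-level doc for LastError should also say that the string is empty when no OpenSSL error is queued, since that is the case the non-fips stub returns and, as far as the visible code shows, the cgo path can return too.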
+++ b/fips_on.go
@@ -11,23 +11,19 @@ package fips
import "C"
import "errors"
-// Mode checks whether is FIPS mode is on
-func Mode() (ONOFF, error) {
+func mode() (ONOFF, error) {
return ONOFF(C.FIPS_mode()), nil
}
-// Attempt to turn on FIPS for the context of this executable
-func ModeSet(mode ONOFF) (ONOFF, error) {
+func modeSet(mode ONOFF) (ONOFF, error) {
o := ONOFF(C.FIPS_mode_set(C.int(mode)))
if o != mode {
- return o, errors.New(LastError())
+ return o, errors.New(lastError())
}
return o, nil
}
-// returns error:[error code]:[library name]:[function name]:[reason string]
-// this error code can also be read with `openssl errstr `
-func LastError() string {
+func lastError() string {
buf := C.malloc(1024)
e := C.ERR_get_error() // a C.ulong
C.ERR_load_crypto_strings()
diff --git a/kernel.go b/kernel.go
new file mode 100644
index 0000000..a4a5a85
--- /dev/null
+++ b/kernel.go
@@ -0,0 +1,8 @@
+package fips
+
+// KernelMode checks whether fips flags are present for the running kernel
+//
+// This is presently only for Linux kernels
+func KernelMode() (ONOFF, error) {
+ return kernelMode()
+}
diff --git a/kernel_linux.go b/kernel_linux.go
new file mode 100644
index 0000000..e8c8548
--- /dev/null
+++ b/kernel_linux.go
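Review bot: `o := ONOFF(C.FIPS_mode_set(C.int(mode)))` treats FIPS_mode_set's return value as the resulting mode, but OpenSSL documents it as a success flag (1 on success, 0 on failure), so a successful `modeSet(OFF)` yields o == ON != mode and reports an error built from a possibly empty error queue, while a failed `modeSet(ON)` returns the right state only because 0 happens to equal OFF. Check the flag and then read the actual state with C.FIPS_mode(), as below; `errors.New(lastError())` still produces an empty error when nothing is queued, so a fixed prefix naming the call makes the failure diagnosable. This is pre-existing behaviour that the rename keeps, and lastError's body continues past the end of the hunk (what happens to the `C.malloc(1024)` buffer is not visible here), so I have not reviewed it.

```go
func modeSet(mode ONOFF) (ONOFF, error) {
	// FIPS_mode_set returns 1 on success and 0 on failure; it does not report
	// the resulting mode, so query FIPS_mode() for the state handed back.
	if C.FIPS_mode_set(C.int(mode)) != 1 {
		return ONOFF(C.FIPS_mode()), errors.New("FIPS_mode_set: " + lastError())
	}
	return ONOFF(C.FIPS_mode()), nil
}
```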
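Review bot: KernelMode's doc comment does not tell a caller what the unsupported path looks like: on non-Linux builds it returns `OFF, ErrKernelNotSupported` (kernel_notsupported.go in this commit), and the Linux implementation returns the same pair when /proc/cmdline does not exist, while other read errors come back unchanged. Suggest `// KernelMode reports whether the running kernel was booted with fips=1 on its command line. It returns ErrKernelNotSupported on non-Linux systems and when the kernel command line is not available.` Saying "booted with fips=1" rather than "fips flags are present" also makes clear that this reflects the requested boot parameter, not a kernel-reported enforcement state.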
@@ -0,0 +1,44 @@
+// +build linux
+
+package fips
+
+import (
+ "bytes"
+ "io/ioutil"
+ "os"
+)
+
+var (
+ kernelCommandLine = "/proc/cmdline"
+ kernelFipsParameter = []byte("fips=")
+)
+
+func kernelMode() (ONOFF, error) {
+ if _, err := os.Stat(kernelCommandLine); os.IsNotExist(err) {
+ return OFF, ErrKernelNotSupported
+ }
+ fh, err := os.Open(kernelCommandLine)
+ if err != nil {
+ return OFF, err
+ }
+ defer fh.Close()
+
+ buf, err := ioutil.ReadAll(fh)
+ if err != nil {
+ return OFF, err
+ }
+
+ enabled := OFF
+ for _, chunk := range bytes.Split(buf, []byte(" ")) {
+ if bytes.HasPrefix(chunk, kernelFipsParameter) {
+ val := bytes.TrimPrefix(chunk, kernelFipsParameter)
+ if string(val) == "1" {
+ enabled = ON
+ } else if string(val) == "0" {
+ enabled = OFF
+ }
+ }
+ }
+
+ return enabled, nil
+}
diff --git a/kernel_notsupported.go b/kernel_notsupported.go
new file mode 100644
index 0000000..2fbdf8e
--- /dev/null
+++ b/kernel_notsupported.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package fips
+
+func kernelMode() (ONOFF, error) {
+ return OFF, ErrKernelNotSupported
+}
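Review bot: A `fips=1` that is the last parameter on the command line is never recognized, because /proc/cmdline is newline-terminated and `bytes.Split(buf, []byte(" "))` leaves the `\n` attached to the last chunk, so `string(val) == "1"` fails and OFF is reported; `for _, chunk := range bytes.Fields(buf) {` splits on any whitespace, drops the newline and also copes with runs of spaces. The parameter only records what was requested at boot: a kernel built without CONFIG_CRYPTO_FIPS ignores `fips=1`, so a caller treating ON as proof of an enforcing kernel would be misled, and the kernel's own verdict in /proc/sys/crypto/fips_enabled is the more reliable source to consult first, or at least to mention in KernelMode's doc. The os.Stat before os.Open is redundant and the two calls cannot be made atomic; `if os.IsNotExist(err) { return OFF, ErrKernelNotSupported }` on the os.Open error covers the same case with one syscall.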