.: adding kernel fips mode
and general clean up, so this could actually be useful for something
This commit is contained in:
parent
8fae0bf8e0
commit
c6b4ecc9c1
7 changed files with 95 additions and 19 deletions
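--- /dev/null
+++ b/errors.go
@@ -0,0 +1,12 @@
+package fips
+
+import "errors"
+
+var (
+	// ErrFipsDisabled is returned when this package is built without fips build
+	// tag
+	ErrFipsDisabled = errors.New("not built with fips tags")
+
+	// ErrKernelNotSupported is whether the kernel can be checked for fips mode
+	ErrKernelNotSupported = errors.New("No FIPS check for this kernel")
+)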
22
fips.go
22
fips.go
|
@ -3,11 +3,6 @@
|
||||||
|
|
||||||
package fips
|
package fips
|
||||||
|
|
||||||
import "errors"
|
|
||||||
|
|
||||||
// ErrFipsDisabled is returned when this package is built without fips build tag
|
|
||||||
var ErrFipsDisabled = errors.New("not built with fips tags")
|
|
||||||
|
|
||||||
// ONOFF is either on or off
|
// ONOFF is either on or off
|
||||||
type ONOFF int
|
type ONOFF int
|
||||||
|
|
||||||
|
@ -25,3 +20,20 @@ func (oo ONOFF) String() string {
|
||||||
}
|
}
|
||||||
return "OFF"
|
return "OFF"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Mode checks whether is FIPS mode is on
|
||||||
|
func Mode() (ONOFF, error) {
|
||||||
|
return mode()
|
||||||
|
}
|
||||||
|
|
||||||
|
// ModeSet attempts to turn on FIPS for the context of this executable
|
||||||
|
func ModeSet(mode ONOFF) (ONOFF, error) {
|
||||||
|
return modeSet(mode)
|
||||||
|
}
|
||||||
|
|
||||||
|
// LastError is empty when fips is not built, or
|
||||||
|
// error:[error code]:[library name]:[function name]:[reason string]
|
||||||
|
// This error code can also be read with `openssl errstr <error code>`
|
||||||
|
func LastError() string {
|
||||||
|
return lastError()
|
||||||
|
}
|
||||||
|
|
|
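Review bot: In the second hunk, `func ModeSet(mode ONOFF)` names its parameter `mode`, which shadows the package-level `mode()` function introduced three lines earlier in the same hunk; it compiles today, but any later edit inside ModeSet that wants to consult the current state would silently get the parameter instead. Renaming it, e.g. `func ModeSet(want ONOFF) (ONOFF, error) { return modeSet(want) }`, avoids that. The doc comments also need attention: `// Mode checks whether is FIPS mode is on` should read `// Mode reports whether the OpenSSL library's FIPS mode is on`, which additionally makes clear that it is independent of the KernelMode check this commit adds, and ModeSet's comment says it "attempts to turn on FIPS" although the parameter accepts OFF as well, so `// ModeSet attempts to set FIPS mode for this executable to the given value` is more accurate.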
@ -2,17 +2,14 @@
|
||||||
|
|
||||||
package fips
|
package fips
|
||||||
|
|
||||||
// Mode checks whether is FIPS mode is on
|
func mode() (ONOFF, error) {
|
||||||
func Mode() (ONOFF, error) {
|
|
||||||
return OFF, ErrFipsDisabled
|
return OFF, ErrFipsDisabled
|
||||||
}
|
}
|
||||||
|
|
||||||
// ModeSet attempts to turn on FIPS for the context of this executable
|
func modeSet(mode ONOFF) (ONOFF, error) {
|
||||||
func ModeSet(mode ONOFF) (ONOFF, error) {
|
|
||||||
return OFF, ErrFipsDisabled
|
return OFF, ErrFipsDisabled
|
||||||
}
|
}
|
||||||
|
|
||||||
// LastError is empty when fips is not built
|
func lastError() string {
|
||||||
func LastError() string {
|
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
12
fips_on.go
12
fips_on.go
|
@ -11,23 +11,19 @@ package fips
|
||||||
import "C"
|
import "C"
|
||||||
import "errors"
|
import "errors"
|
||||||
|
|
||||||
// Mode checks whether is FIPS mode is on
|
func mode() (ONOFF, error) {
|
||||||
func Mode() (ONOFF, error) {
|
|
||||||
return ONOFF(C.FIPS_mode()), nil
|
return ONOFF(C.FIPS_mode()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Attempt to turn on FIPS for the context of this executable
|
func modeSet(mode ONOFF) (ONOFF, error) {
|
||||||
func ModeSet(mode ONOFF) (ONOFF, error) {
|
|
||||||
o := ONOFF(C.FIPS_mode_set(C.int(mode)))
|
o := ONOFF(C.FIPS_mode_set(C.int(mode)))
|
||||||
if o != mode {
|
if o != mode {
|
||||||
return o, errors.New(LastError())
|
return o, errors.New(lastError())
|
||||||
}
|
}
|
||||||
return o, nil
|
return o, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// returns error:[error code]:[library name]:[function name]:[reason string]
|
func lastError() string {
|
||||||
// this error code can also be read with `openssl errstr <error code>`
|
|
||||||
func LastError() string {
|
|
||||||
buf := C.malloc(1024)
|
buf := C.malloc(1024)
|
||||||
e := C.ERR_get_error() // a C.ulong
|
e := C.ERR_get_error() // a C.ulong
|
||||||
C.ERR_load_crypto_strings()
|
C.ERR_load_crypto_strings()
|
||||||
|
|
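--- /dev/null
+++ b/kernel.go
@@ -0,0 +1,8 @@
+package fips
+
+// KernelMode checks whether fips flags are present for the running kernel
+//
+// This is presently only for Linux kernels
+func KernelMode() (ONOFF, error) {
+	return kernelMode()
+}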
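--- /dev/null
+++ b/kernel_linux.go
@@ -0,0 +1,44 @@
+// +build linux
+
+package fips
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+)
+
+var (
+	kernelCommandLine = "/proc/cmdline"
+	kernelFipsParameter = []byte("fips=")
+)
+
+func kernelMode() (ONOFF, error) {
+	if _, err := os.Stat(kernelCommandLine); os.IsNotExist(err) {
+		return OFF, ErrKernelNotSupported
+	}
+	fh, err := os.Open(kernelCommandLine)
+	if err != nil {
+		return OFF, err
+	}
+	defer fh.Close()
+
+	buf, err := ioutil.ReadAll(fh)
+	if err != nil {
+		return OFF, err
+	}
+
+	enabled := OFF
+	for _, chunk := range bytes.Split(buf, []byte(" ")) {
+		if bytes.HasPrefix(chunk, kernelFipsParameter) {
+			val := bytes.TrimPrefix(chunk, kernelFipsParameter)
+			if string(val) == "1" {
+				enabled = ON
+			} else if string(val) == "0" {
+				enabled = OFF
+			}
+		}
+	}
+
+	return enabled, nil
+}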
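--- /dev/null
+++ b/kernel_notsupported.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package fips
+
+func kernelMode() (ONOFF, error) {
+	return OFF, ErrKernelNotSupported
+}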