Documentation
¶
Index ¶
Constants ¶
const BoringCryptoSymbolToken = "_Cfunc__goboringcrypto_"
boringCryptoSymbolToken matches the pattern BoringCrypto symbols should match as described in https://go.googlesource.com/go/+/refs/heads/dev.boringcrypto.go1.12/misc/boring/ and https://github.com/golang/go/blob/d003f0850a7d22a2047c1cd6830fca07944f18d1/src/crypto/internal/boring/goboringcrypto.h#L5-L9
Variables ¶
This section is empty.
Functions ¶
func CheckCompliance ¶
func CheckCompliance(path string, reader io.ReaderAt, write WriteFIPSMessage) error
CheckCompliance parses the ELF executable represented by reader and located at path -- which should be the source of the running executable image -- and performs the following checks:
1. The executable must be running on an acceptable architecture (that is, one we know has a FIPS compliant Go compiler);
2. It has more than 1 BoringCrypto symbol (see BoringCryptoSymbolToken).
On any failure, including the checks above, an informative error is returned. On success, the write function is called to emit a success message.
func Compliant ¶
func Compliant()
Compliant opens the current executable and then performs checks in CheckCompliance; any failure is logged to standard out with an "go_ensurefips: " prefix and then forces the process to exit with -1.
Use this in init() inside a main_linux.go to get easy FIPS compliance! If this fails, or you need more flexibility, use CheckCompliance, though note you will be responsible for documenting and presenting to auditors the format of your FIPS compliance attestation.
Types ¶
type WriteFIPSMessage ¶
type WriteFIPSMessage func(format string, v ...interface{})
WriteFIPSMessage describes a function that can be passed to CheckCompliance to output a FIPS success message
Source Files