mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-01 19:17:36 +03:00
9abc9d7132
Consolidates handling of FIPS 140-3 considerations for the tls package. Considerations specific to certificates are now handled in tls instead of x509 to limit the area-of-effect of FIPS as much as possible. Boringcrypto specific prefixes are renamed as appropriate. For #69536 Co-authored-by: Filippo Valsorda <filippo@golang.org> Change-Id: I1b1fef83c3599e4c9b98ad81db582ac93253030b Reviewed-on: https://go-review.googlesource.com/c/go/+/629675 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Russ Cox <rsc@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
37 lines
912 B
Go
37 lines
912 B
Go
// Copyright 2024 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package fips140tls controls whether crypto/tls requires FIPS-approved settings.
|
|
package fips140tls
|
|
|
|
import (
|
|
"crypto/internal/fips140"
|
|
"sync/atomic"
|
|
)
|
|
|
|
var required atomic.Bool
|
|
|
|
func init() {
|
|
if fips140.Enabled {
|
|
Force()
|
|
}
|
|
}
|
|
|
|
// Force forces crypto/tls to restrict TLS configurations to FIPS-approved settings.
|
|
// By design, this call is impossible to undo (except in tests).
|
|
func Force() {
|
|
required.Store(true)
|
|
}
|
|
|
|
// Required reports whether FIPS-approved settings are required.
|
|
//
|
|
// Required is true if FIPS 140-3 mode is enabled with GODEBUG=fips140=on, or if
|
|
// the crypto/tls/fipsonly package is imported by a Go+BoringCrypto build.
|
|
func Required() bool {
|
|
return required.Load()
|
|
}
|
|
|
|
func TestingOnlyAbandon() {
|
|
required.Store(false)
|
|
}
|