diff options
Diffstat (limited to 'internal/boring/boring.go')
| -rw-r--r-- | internal/boring/boring.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/internal/boring/boring.go b/internal/boring/boring.go new file mode 100644 index 0000000..cc09fab --- /dev/null +++ b/internal/boring/boring.go @@ -0,0 +1,23 @@ +//go:build boringcrypto +// +build boringcrypto + +package boring + +import ( + "crypto/boring" + + "gitlab.com/gitlab-org/labkit/log" +) + +// CheckBoring checks whether FIPS crypto has been enabled. For the FIPS Go +// compiler in https://github.com/golang-fips/go, this requires that: +// +// 1. The kernel has FIPS enabled (e.g. `/proc/sys/crypto/fips_enabled` is 1). +// 2. A system OpenSSL can be dynamically loaded via ldopen(). +func CheckBoring() { + if boring.Enabled() { + log.Info("FIPS mode is enabled. Using an external SSL library.") + return + } + log.Info("Gitaly was compiled with FIPS mode, but an external SSL library was not enabled.") +} |