Source file src/crypto/fips140/enforcement.go

     1  // Copyright 2025 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package fips140
     6  
     7  import (
     8  	"internal/godebug"
     9  	_ "unsafe" // for linkname
    10  )
    11  
// WithoutEnforcement runs f with strict FIPS 140-3 enforcement switched off.
// When strict enforcement is not currently active (GODEBUG=fips140=only is
// not set, or the caller is already inside a WithoutEnforcement call) it
// simply calls f and changes nothing.
//
// Goroutines spawned while f is executing inherit the disabled enforcement.
//
// Everything f does runs without enforcement, so keep f small and tightly
// scoped.
func WithoutEnforcement(f func()) {
	// Only the call that actually lifts enforcement schedules its removal.
	// A nested call is documented as a no-op: Enforced() is already false
	// there, so it skips this branch and cannot clear the bypass while the
	// outer call is still running.
	if Enabled() && Enforced() {
		setBypass()
		// Deferred so the bypass is cleared even if f panics.
		defer unsetBypass()
	}
	// NOTE(review): whether a goroutine started inside f keeps the bypass
	// after f has returned is decided by the linknamed implementation, which
	// is not visible in this file. Confirm before starting long-lived
	// goroutines from f.
	f()
}
    30  
// enabled is true when the fips140 GODEBUG setting has the value "only".
// The comparison is evaluated once, when this package-level variable is
// initialized; Enforced reads the stored bool afterwards.
var enabled = godebug.New("fips140").Value() == "only"
    32  
// Enforced reports whether strict FIPS 140-3 enforcement is currently active.
// It is active when the program runs with GODEBUG=fips140=only and
// enforcement has not been disabled by a call to [WithoutEnforcement].
func Enforced() bool {
	if !enabled {
		// Strict mode was not requested, so the bypass state is irrelevant.
		return false
	}
	return !isBypassed()
}
    39  
// setBypass is called by WithoutEnforcement before it runs f. It has no body
// in this file; the go:linkname directive binds it to an implementation
// provided elsewhere.
// NOTE(review): the bypass state is not visible here. Confirm its scope
// (which goroutines observe it) against the implementation.
//
//go:linkname setBypass
func setBypass()

// isBypassed is consulted by Enforced: when it returns true, Enforced
// returns false. Declared without a body and bound through go:linkname.
//
//go:linkname isBypassed
func isBypassed() bool

// unsetBypass is deferred by WithoutEnforcement right after setBypass, so it
// runs when that call returns. Declared without a body and bound through
// go:linkname.
//
//go:linkname unsetBypass
func unsetBypass()
    48  
