// Copyright 2025 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package fips140

import (
	"internal/godebug"
	_ "unsafe" // for linkname
)

// WithoutEnforcement disables strict FIPS 140-3 enforcement while executing f.
// Calling WithoutEnforcement without strict enforcement enabled
// (GODEBUG=fips140=only is not set or already inside of a call to
// WithoutEnforcement) is a no-op.
//
// WithoutEnforcement is inherited by any goroutines spawned while executing f.
//
// As this disables enforcement, it should be applied carefully to tightly
// scoped functions.
func WithoutEnforcement(f func()) {
	if !Enabled() || !Enforced() {
		f()
		return
	}
	setBypass()
	defer unsetBypass()
	f()
}

var enabled = godebug.New("fips140").Value() == "only"

// Enforced indicates if strict FIPS 140-3 enforcement is enabled. Strict
// enforcement is enabled when a program is run with GODEBUG=fips140=only and
// enforcement has not been disabled by a call to [WithoutEnforcement].
func Enforced() bool {
	return enabled && !isBypassed()
}

//go:linkname setBypass
func setBypass()

//go:linkname isBypassed
func isBypassed() bool

//go:linkname unsetBypass
func unsetBypass()