Verify FIPS mode in golang boringssl

Question

how to verify if fips mode is enabled for binary in golang dev boring crypto branch ? I dont see an easy way apart from internal golang tests

Answer 1

From this file:

https://go.googlesource.com/go/+/dev.boringcrypto/src/crypto/tls/fipsonly/fipsonly.go

// Package fipsonly restricts all TLS configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//  import _ "crypto/tls/fipsonly"
//
// This package only exists in the dev.boringcrypto branch of Go.

By including that import statement in your program, it will only compile if you're using the dev.boringcrypto branch.

Here's a test main.go:

package main

import (
    "fmt"
    _ "crypto/tls/fipsonly"
)

func main() {
    fmt.Println("Hello FIPS")
}

Using the dev.boringcrypto branch of Go:

$ go version
go version go1.12.9b4 linux/amd64
$ go run main.go
Hello FIPS

Using the normal release of Go:

$ go version
go version go1.12.9 darwin/amd64
$ go run main.go
main.go:4:2: cannot find package "crypto/tls/fipsonly" in any of:
    /Users/ray/.gimme/versions/go1.12.9.darwin.amd64/src/crypto/tls/fipsonly (from $GOROOT)
    /Users/ray/go/src/crypto/tls/fipsonly (from $GOPATH)