diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
index 3d3a9a36ee..8dc2d46b52 100644
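--- a/src/crypto/internal/backend/openssl.go
+++ b/src/crypto/internal/backend/openssl.go
@@ -25,6 +25,22 @@ var enabled bool
 var knownVersions = [...]string{"3", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
 
 func init() {
+ // 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
+ // 1: FIPS required: abort the process if it is not enabled and can't be enabled.
+ // other values: do not override OpenSSL configured FIPS mode.
+ var fips string
+ if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
+ fips = v
+ } else if hostFIPSModeEnabled() {
+ // System configuration can only force FIPS mode.
+ fips = "1"
+ }
+
+ // Use Go standard crypto, do not load openssl
+ if (fips != "1") {
+ return
+ }
+
 version, _ := syscall.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
 if version == "" {
 var fallbackVersion string
@@ -49,16 +65,6 @@ func init() {
 if err := openssl.Init(version); err != nil {
 panic("opensslcrypto: can't initialize OpenSSL " + version + ": " + err.Error())
 }
- // 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
- // 1: FIPS required: abort the process if it is not enabled and can't be enabled.
- // other values: do not override OpenSSL configured FIPS mode.
- var fips string
- if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
- fips = v
- } else if hostFIPSModeEnabled() {
- // System configuration can only force FIPS mode.
- fips = "1"
- }
 switch fips {
 case "0":
 if openssl.FIPS() {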
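Review bot: The early return on `fips != "1"` in the first hunk makes the three-line comment moved above it stale and appears to leave the `case "0":` branch at the end of the second hunk unreachable, since only "1" gets past the return. For compliance the bigger concern is that any GOLANG_FIPS value other than "1" (an empty string, or a typo such as "true") now skips OpenSSL entirely even on a host where hostFIPSModeEnabled() would report true, because the host check runs only when the variable is unset; per the removed comment, such values previously left OpenSSL's configured FIPS mode in place. I would reword the comment to `// 1: FIPS required, OpenSSL is loaded; any other value (or unset on a non-FIPS host): Go standard crypto, OpenSSL is not loaded`, and consider aborting when the host is in FIPS mode but the variable holds something other than "1", so the downgrade is never silent. `if (fips != "1") {` should also drop the parentheses to stay gofmt-clean. init's body continues past the end of the hunk, so the rest of the switch is not visible here.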