Add a check whether boringssl is being used by using the Enabled method
What does this MR do?
Actually checks the boring
package and whether it can be compiled and if it's actually enabled.
If there's a misconfiguration it will fail during compile time as it won't find the package, if it does get compiled it will do a series of checks and determine whether it can run in FIPS mode:
From the fips compiler: https://pagure.io/go/blob/go1.17-openssl-fips/f/src/crypto/internal/boring/boring.go#_41
func init() {
runtime.LockOSThread()
defer runtime.UnlockOSThread()
// Check if we can `dlopen` OpenSSL
if C._goboringcrypto_DLOPEN_OPENSSL() == C.NULL {
return
}
// Initialize the OpenSSL library.
C._goboringcrypto_OPENSSL_setup()
// Check to see if the system is running in FIPS mode, if so
// enable "boring" mode to call into OpenSSL for FIPS compliance.
if fipsModeEnabled() {
enableBoringFIPSMode()
}
sig.BoringCrypto()
}
func enableBoringFIPSMode() {
enabled = true
if C._goboringcrypto_OPENSSL_thread_setup() != 1 {
panic("boringcrypto: OpenSSL thread setup failed")
}
fipstls.Force()
}
Why was this MR needed?
It's better to incldue these checks rather than just rely on our own flag as there might be issues on the system preventing GitLab Runner from Running in FIPS mode properly.
What's the best way to test this MR?
The fips binary should print GitLab Runner was compiled with FIPS mode but BoringSSL is not enabled.
on any Linux VM. We offload the FIPS checking to the boring library, so we don't need to check for that.