update CheckVersion to return exists=false for non-OpenSSL libraries

golang-fips · Sep 24, 2024 · 39277d8 · 39277d8
1 parent 1839dfa
commit 39277d8
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/goopenssl.c b/goopenssl.c
@@ -36,6 +36,7 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #undef DEFINEFUNC_RENAMED_3_0
 
 // go_openssl_fips_enabled returns 1 if FIPS mode is enabled, 0 otherwise.
+// As a special case, it returns -1 if it cannot determine if FIPS mode is enabled.
 // See openssl.FIPS for details about its implementation.
 //
 // This function is reimplemented here because openssl.FIPS assumes that
@@ -63,7 +64,7 @@ go_openssl_fips_enabled(void* handle)
 
     if (EVP_default_properties_is_fips_enabled == NULL || EVP_MD_fetch == NULL || EVP_MD_free == NULL) {
         // Shouldn't happen, but if it does, we can't determine if FIPS mode is enabled.
-        return 0;
+        return -1;
     }
 
     if (EVP_default_properties_is_fips_enabled(NULL) != 1)

diff --git a/openssl.go b/openssl.go
@@ -38,8 +38,14 @@ func CheckVersion(version string) (exists, fips bool) {
 		return false, false
 	}
 	defer dlclose(handle)
-	fips = C.go_openssl_fips_enabled(handle) == 1
-	return true, fips
+	enabled := C.go_openssl_fips_enabled(handle)
+	fips = enabled == 1
+	// If go_openssl_fips_enabled returns -1, it means that all or some of the necessary
+	// functions are not available. This can be due to the version of OpenSSL being too old,
+	// too incompatible, or the shared library not being an OpenSSL library. In any case,
+	// we shouldn't consider this library to be valid for our purposes.
+	exists = enabled != -1
+	return
 }
 
 // Init loads and initializes OpenSSL from the shared library at path.