Bring back FIPSCapable #10
Pull request overview
This PR reintroduces a distinct FIPSCapable check in osslsetup, separating “FIPS mode is enabled” from “the default provider is FIPS-capable”, and updates tests/output to reflect both signals (aligning with how the Go toolchain uses these concepts).
Changes:
- Refines `FIPS()` semantics for OpenSSL 3+/4 to require both “FIPS enabled in default properties” and proof that a FIPS-matching provider can supply SHA-256.
- Adds `FIPSCapable()` to detect whether the default provider effectively satisfies a FIPS property query even when FIPS mode isn’t explicitly enabled.
- Updates `openssl_test.go` to print both values and adds a new `TestFIPSCapable`.
Show a summary per file
| File | Description |
|---|---|
| osslsetup/fips.go | Reworks FIPS detection and adds FIPSCapable heuristics for OpenSSL 3+/4. |
| openssl/openssl_test.go | Updates test output and adds coverage for FIPSCapable. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 5
Benchmark Results: ✅ No significant regressions detected ✅
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…rypto-openssl into dev/qmuntal/fipsc
`FIPS` and `FIPSCapable` are both used in the Go toolchain for good reasons. I recently consolidated them, and that was a mistake.