A tiny sample application to run go-openssl-shim across multiple distros.

It can be either run with a docker container or directly from an debian based distribution. It supports following docker containers:

• alpine
• jessie
• stretch
• trusty
• xenial

    # build docker image of particular distro
    $ make build DISTRO=jessie # it could be anything
    # run the hello world
    $ make run DISTRO=jessie

To run it without docker, you must have a working golang compiler installed with all its environment variable setup.

    # clone this repository in your $GOPATH
    # setup your system
    $ sudo ./scripts/setup.sh
    # export required environment variables
    $ source srcipts/env.sh
    # run the hello world program
    $ go run main.go

OpenSSL has a method called FIPS_mode_set() that we invoke before execution to enter FIPS mode of operation, if the FIPS Object Module successfully enters FIPS mode, the function will return that non-zero value and a power-up self-test is performed automatically with its call. These self-tests can also be optionally invoked at any time by the FIPS_selftest() call in C code.

Its being done in openssl package as follows:

package openssl

// #cgo pkg-config: openssl
// #cgo LDFLAGS: -lcrypto -ldl
// #cgo CFLAGS: -std=c99
// #include <openssl/err.h>
// #include <openssl/crypto.h>
// #include <stdlib.h>
// extern int FIPS_init(void);
// extern void schedule_thread_cleanup(void);
import "C"
import (
	"log"
	"runtime"
	"strings"
)

func init() {
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	if C.FIPS_init() != 1 {
		log.Fatal(GetError())
	}
}

Here C.FIPS_init() is a function that wraps over OpenSSL's FIPS_mode_set() which is being called in init function, so whenever openssl package is included anywhere, it automatically initiates the FIPS mode thus resulting in running all the self-tests.