be more strict about reporting fips mode

qrkourier · qrkourier · commit c41bd3e38f3c · 2025-06-18T15:08:40.000-04:00
diff --git a/tlz/fips.go b/tlz/fips.go
@@ -1,10 +1,13 @@
-//go:build goexperiment.opensslcrypto
+//go:build goexperiment.opensslcrypto && requirefips
 
 package tlz
 
-import "crypto/boring"
+import (
+    "crypto/boring"
+    _ "crypto/tls/fipsonly"
+)
 
-// returns true if the binary was built with FIPS mode enabled
+// returns true if the OpenSSL FIPS provider is active at runtime
 func FipsEnabled() bool {
     return boring.Enabled()
 }
diff --git a/tlz/nofips.go b/tlz/nofips.go
@@ -1,4 +1,4 @@
-//go:build !goexperiment.opensslcrypto
+//go:build !goexperiment.opensslcrypto && !requirefips
 
 package tlz
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-//go:build !goexperiment.opensslcrypto`
	`1`	`+//go:build !goexperiment.opensslcrypto && !requirefips`
`2`	`2`
`3`	`3`	`package tlz`
`4`	`4`