
Commit 79db5e2

committed
Take into account the OpenSSL FIPS mode when setting GODEBUG=fips140 (#1519)
* check OpenSSL config * add tests * simplify deps * fix bootstrap * fix compilation * review suggestions
1 parent 12dd5c7 commit 79db5e2

3 files changed

+343
-105
lines changed

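--- a/patches/0002-Vendor-crypto-backends.patch
+++ b/patches/0002-Vendor-crypto-backends.patch
@@ -9,7 +9,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
 src/crypto/internal/backend/deps_ignore.go | 22 +
 src/go.mod | 6 +
 src/go.sum | 6 +
-src/go/build/deps_test.go | 17 +-
+src/go/build/deps_test.go | 35 +-
 src/go/build/vendor_test.go | 3 +
 .../golang-fips/openssl/v2/.gitignore | 1 +
 .../golang-fips/openssl/v2/.gitleaks.toml | 9 +
@@ -101,7 +101,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
 .../internal/subtle/aliasing.go | 32 +
 .../internal/sysdll/sys_windows.go | 55 ++
 src/vendor/modules.txt | 16 +
-95 files changed, 13799 insertions(+), 3 deletions(-)
+95 files changed, 13813 insertions(+), 7 deletions(-)
 create mode 100644 src/crypto/internal/backend/deps_ignore.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
@@ -250,44 +250,64 @@ index 4d6a33e34a4e63..6a09a77031befa 100644
 golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.32.1-0.20250121202134-9a960c88dd98 h1:36bTiCRO7f/J3t+LumnLTJDXqxsp1x6Q7754SsRD9u4=
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index e3e01077c18b17..e017efb1562379 100644
+index e3e01077c18b17..72e56b5da8e582 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
-@@ -503,7 +503,7 @@ var depsRules = `
-NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
-sync/atomic < crypto/internal/boring/bcache;
+@@ -493,6 +493,24 @@ var depsRules = `
+< crypto/internal/fips140/rsa
+< FIPS;
 
-- FIPS, internal/godebug, hash, embed,
-+ FIPS, internal/godebug, hash, embed, encoding/binary,
-crypto/internal/boring/sig,
-crypto/internal/boring/syso,
-crypto/internal/boring/bcache
-@@ -513,6 +513,14 @@ var depsRules = `
-< crypto/sha3
-< crypto/internal/fips140hash
-< crypto/cipher
-+ < github.com/golang-fips/openssl/v2/internal/subtle
++ FIPS, hash < crypto/internal/fips140only;
++ crypto/internal/fips140/subtle, hash < crypto;
++ crypto/internal/fips140/subtle < crypto/subtle;
++ crypto/subtle, crypto/internal/fips140only < crypto/cipher;
++
++ crypto,
++ crypto/subtle,
++ encoding/binary,
++ hash,
++ crypto/cipher
 + < github.com/golang-fips/openssl/v2
 + < github.com/microsoft/go-crypto-darwin/internal/cryptokit
 + < github.com/microsoft/go-crypto-darwin/xcrypto
 + < github.com/microsoft/go-crypto-winnative/internal/subtle
 + < github.com/microsoft/go-crypto-winnative/internal/sysdll
 + < github.com/microsoft/go-crypto-winnative/internal/bcrypt
-+ < github.com/microsoft/go-crypto-winnative/cng
++ < github.com/microsoft/go-crypto-winnative/cng;
++
+FIPS, internal/godebug < crypto/fips140;
+
+crypto, hash !< FIPS;
+@@ -506,13 +524,12 @@ var depsRules = `
+FIPS, internal/godebug, hash, embed,
+crypto/internal/boring/sig,
+crypto/internal/boring/syso,
+- crypto/internal/boring/bcache
+- < crypto/internal/fips140only
+- < crypto
+- < crypto/subtle
++ crypto/internal/boring/bcache,
++ crypto/internal/fips140only,
++ crypto,
++ crypto/cipher
+< crypto/sha3
+< crypto/internal/fips140hash
+- < crypto/cipher
 < crypto/internal/boring
 < crypto/boring
 < crypto/aes,
-@@ -534,6 +542,9 @@ var depsRules = `
+@@ -533,6 +550,10 @@ var depsRules = `
+
 # CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok.
 
++ math/big, github.com/golang-fips/openssl/v2 < github.com/golang-fips/openssl/v2/bbig;
++ math/big, github.com/microsoft/go-crypto-darwin/xcrypto < github.com/microsoft/go-crypto-darwin/bbig;
++ math/big, github.com/microsoft/go-crypto-winnative/cng < github.com/microsoft/go-crypto-winnative/cng/bbig;
++
 CRYPTO, FMT, math/big
-+ < github.com/golang-fips/openssl/v2/bbig
-+ < github.com/microsoft/go-crypto-darwin/bbig
-+ < github.com/microsoft/go-crypto-winnative/cng/bbig
 < crypto/internal/boring/bbig
 < crypto/rand
-< crypto/ed25519 # depends on crypto/rand.Reader
-@@ -837,7 +848,7 @@ var buildIgnore = []byte("\n//go:build ignore")
+@@ -837,7 +858,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 
 func findImports(pkg string) ([]string, error) {
 vpkg := pkg
@@ -296,7 +316,7 @@ index e3e01077c18b17..e017efb1562379 100644
 vpkg = "vendor/" + pkg
 }
 dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -847,7 +858,7 @@ func findImports(pkg string) ([]string, error) {
+@@ -847,7 +868,7 @@ func findImports(pkg string) ([]string, error) {
 }
 var imports []string
 var haveImport = map[string]bool{}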
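Review bot: None of the rule groups added to `depsRules` in the inner hunks (`@@ -493,6 +493,24 @@` and `@@ -533,6 +550,10 @@`) carry a `#` comment, while the surrounding upstream groups do (`# CRYPTO-MATH …` is visible in the same hunk); since this string is the import policy that deps_test.go enforces, the allowlist `crypto, crypto/subtle, encoding/binary, hash, crypto/cipher < github.com/golang-fips/openssl/v2 < … < github.com/microsoft/go-crypto-winnative/cng;` is the line a future maintainer is most likely to widen without noticing what it guards. I would add above `crypto,` a comment such as `# Vendored crypto backends (OpenSSL, CryptoKit, CNG). Only the std crypto packages listed on the left of this rule may be imported by them; extend the list deliberately.` The rationale that this list is the boundary between the backends and the Go-native algorithm packages is what I infer from the rule's position, so confirm it against the fork's policy before wording it as fact. If this `.patch` is regenerated from a branch, as the updated `index` line suggests, the comment belongs in deps_test.go on that branch rather than in the patch text. The `depsRules` string literal starts and ends outside the hunk.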
