Take into account the OpenSSL FIPS mode when setting GODEBUG=fips140 #1519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Feb 4, 2025
68 changes: 44 additions & 24 deletions patches/0002-Vendor-crypto-backends.patch
Expand Up @@ -9,7 +9,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
src/crypto/internal/backend/deps_ignore.go | 22 +
src/go.mod | 6 +
src/go.sum | 6 +
src/go/build/deps_test.go | 17 +-
src/go/build/deps_test.go | 35 +-
src/go/build/vendor_test.go | 3 +
.../golang-fips/openssl/v2/.gitignore | 1 +
.../golang-fips/openssl/v2/.gitleaks.toml | 9 +
Expand Down Expand Up @@ -101,7 +101,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
.../internal/subtle/aliasing.go | 32 +
.../internal/sysdll/sys_windows.go | 55 ++
src/vendor/modules.txt | 16 +
95 files changed, 13799 insertions(+), 3 deletions(-)
95 files changed, 13813 insertions(+), 7 deletions(-)
create mode 100644 src/crypto/internal/backend/deps_ignore.go
create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore
create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
Expand Down Expand Up @@ -250,44 +250,64 @@ index 4d6a33e34a4e63..6a09a77031befa 100644
golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/net v0.32.1-0.20250121202134-9a960c88dd98 h1:36bTiCRO7f/J3t+LumnLTJDXqxsp1x6Q7754SsRD9u4=
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index e3e01077c18b17..e017efb1562379 100644
index e3e01077c18b17..72e56b5da8e582 100644
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -503,7 +503,7 @@ var depsRules = `
NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
sync/atomic < crypto/internal/boring/bcache;
@@ -493,6 +493,24 @@ var depsRules = `
< crypto/internal/fips140/rsa
< FIPS;

- FIPS, internal/godebug, hash, embed,
+ FIPS, internal/godebug, hash, embed, encoding/binary,
crypto/internal/boring/sig,
crypto/internal/boring/syso,
crypto/internal/boring/bcache
@@ -513,6 +513,14 @@ var depsRules = `
< crypto/sha3
< crypto/internal/fips140hash
< crypto/cipher
+ < github.com/golang-fips/openssl/v2/internal/subtle
+ FIPS, hash < crypto/internal/fips140only;
+ crypto/internal/fips140/subtle, hash < crypto;
+ crypto/internal/fips140/subtle < crypto/subtle;
+ crypto/subtle, crypto/internal/fips140only < crypto/cipher;
+
+ crypto,
+ crypto/subtle,
+ encoding/binary,
+ hash,
+ crypto/cipher
+ < github.com/golang-fips/openssl/v2
+ < github.com/microsoft/go-crypto-darwin/internal/cryptokit
+ < github.com/microsoft/go-crypto-darwin/xcrypto
+ < github.com/microsoft/go-crypto-winnative/internal/subtle
+ < github.com/microsoft/go-crypto-winnative/internal/sysdll
+ < github.com/microsoft/go-crypto-winnative/internal/bcrypt
+ < github.com/microsoft/go-crypto-winnative/cng
+ < github.com/microsoft/go-crypto-winnative/cng;
+
FIPS, internal/godebug < crypto/fips140;

crypto, hash !< FIPS;
@@ -506,13 +524,12 @@ var depsRules = `
FIPS, internal/godebug, hash, embed,
crypto/internal/boring/sig,
crypto/internal/boring/syso,
- crypto/internal/boring/bcache
- < crypto/internal/fips140only
- < crypto
- < crypto/subtle
+ crypto/internal/boring/bcache,
+ crypto/internal/fips140only,
+ crypto,
+ crypto/cipher
< crypto/sha3
< crypto/internal/fips140hash
- < crypto/cipher
< crypto/internal/boring
< crypto/boring
< crypto/aes,
@@ -534,6 +542,9 @@ var depsRules = `
@@ -533,6 +550,10 @@ var depsRules = `

# CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok.

+ math/big, github.com/golang-fips/openssl/v2 < github.com/golang-fips/openssl/v2/bbig;
+ math/big, github.com/microsoft/go-crypto-darwin/xcrypto < github.com/microsoft/go-crypto-darwin/bbig;
+ math/big, github.com/microsoft/go-crypto-winnative/cng < github.com/microsoft/go-crypto-winnative/cng/bbig;
+
CRYPTO, FMT, math/big
+ < github.com/golang-fips/openssl/v2/bbig
+ < github.com/microsoft/go-crypto-darwin/bbig
+ < github.com/microsoft/go-crypto-winnative/cng/bbig
< crypto/internal/boring/bbig
< crypto/rand
< crypto/ed25519 # depends on crypto/rand.Reader
@@ -837,7 +848,7 @@ var buildIgnore = []byte("\n//go:build ignore")
@@ -837,7 +858,7 @@ var buildIgnore = []byte("\n//go:build ignore")

func findImports(pkg string) ([]string, error) {
vpkg := pkg
Expand All @@ -296,7 +316,7 @@ index e3e01077c18b17..e017efb1562379 100644
vpkg = "vendor/" + pkg
}
dir := filepath.Join(Default.GOROOT, "src", vpkg)
@@ -847,7 +858,7 @@ func findImports(pkg string) ([]string, error) {
@@ -847,7 +868,7 @@ func findImports(pkg string) ([]string, error) {
}
var imports []string
var haveImport = map[string]bool{}
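Review bot: The backend rule added in the `@@ -493,6 +493,24 @@` hunk chains all three vendored backends in one `<` sequence (`< github.com/golang-fips/openssl/v2 < github.com/microsoft/go-crypto-darwin/internal/cryptokit < … < github.com/microsoft/go-crypto-winnative/cng;`), and in depsRules syntax a chain lets every later package import every earlier one, so deps_test would not flag the OpenSSL, Darwin and CNG backends importing each other. Because the three backends are platform-specific and independent, giving each its own rule with the same left-hand side keeps the dependency policy as strict as the rest of the file; the same looseness appears in the previous version of the patch, so this is a pre-existing choice rather than a regression introduced here. The `depsRules` raw string begins and ends outside this hunk, and since this is a patch-of-a-patch rendered with interleaved old and new lines, the exact new rule text is inferred from the `+` lines shown.

```go
	crypto, crypto/subtle, encoding/binary, hash, crypto/cipher
	< github.com/golang-fips/openssl/v2;

	crypto, crypto/subtle, encoding/binary, hash, crypto/cipher
	< github.com/microsoft/go-crypto-darwin/internal/cryptokit
	< github.com/microsoft/go-crypto-darwin/xcrypto;

	crypto, crypto/subtle, encoding/binary, hash, crypto/cipher
	< github.com/microsoft/go-crypto-winnative/internal/subtle
	< github.com/microsoft/go-crypto-winnative/internal/sysdll
	< github.com/microsoft/go-crypto-winnative/internal/bcrypt
	< github.com/microsoft/go-crypto-winnative/cng;

	# … unchanged: FIPS, internal/godebug < crypto/fips140; and the rules that follow …
```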