Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

cmd/go,crypto/internal/fips140: prevent using FIPS 140-3 mode with purego tag

Browse source 
Change-Id: I6a6a696414f8d5d9dc77c65b0ac9edfc982c2798
Reviewed-on: https://go-review.googlesource.com/c/go/+/703095
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
This commit is contained in:
Filippo Valsorda 2025-09-12 00:19:55 +02:00 committed by Gopher Robot
parent 7f70ca8726
commit 8105d0ccc2
5 changed files with 30 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/cmd/dist/test.go vendored
View file

@ -1823,6 +1823,8 @@ func isEnvSet(evar string) bool {
func (t *tester) fipsSupported() bool { func (t *tester) fipsSupported() bool {
// Keep this in sync with [crypto/internal/fips140.Supported]. // Keep this in sync with [crypto/internal/fips140.Supported].
// We don't test with the purego tag, so no need to check it.
// Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both. // Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both.
if strings.Contains(goexperiment, "boringcrypto") { if strings.Contains(goexperiment, "boringcrypto") {
return false return false

4
src/cmd/go/internal/fips140/fips140.go
View file

@ -94,6 +94,7 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"slices"
"strings" "strings"
"golang.org/x/mod/module" "golang.org/x/mod/module"
@ -121,6 +122,9 @@ func Init() {
if cfg.ExperimentErr == nil && cfg.Experiment.BoringCrypto && Enabled() { if cfg.ExperimentErr == nil && cfg.Experiment.BoringCrypto && Enabled() {
base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto") base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto")
} }
if slices.Contains(cfg.BuildContext.BuildTags, "purego") && Enabled() {
base.Fatalf("go: cannot use GOFIPS140 with the purego build tag")
}
} }
var initDone bool var initDone bool

6
src/crypto/internal/fips140/fips140.go
View file

@ -33,6 +33,12 @@ func init() {
func Supported() error { func Supported() error {
// Keep this in sync with fipsSupported in cmd/dist/test.go. // Keep this in sync with fipsSupported in cmd/dist/test.go.
// The purego tag changes too much of the implementation to claim the
// validation still applies.
if puregoEnabled {
return errors.New("FIPS 140-3 mode is incompatible with the purego build tag")
}
// ASAN disapproves of reading swaths of global memory in fips140/check. // ASAN disapproves of reading swaths of global memory in fips140/check.
// One option would be to expose runtime.asanunpoison through // One option would be to expose runtime.asanunpoison through
// crypto/internal/fips140deps and then call it to unpoison the range // crypto/internal/fips140deps and then call it to unpoison the range

9
src/crypto/internal/fips140/notpurego.go Normal file
View file

@ -0,0 +1,9 @@
// Copyright 2025 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build !purego
package fips140
const puregoEnabled = false

9
src/crypto/internal/fips140/purego.go Normal file
View file

@ -0,0 +1,9 @@
// Copyright 2025 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build purego
package fips140
const puregoEnabled = true