diff --git a/patches/0001-Vendor-external-dependencies.patch b/patches/0001-Vendor-external-dependencies.patch index 2b4156f9af..a965136ec8 100644 --- a/patches/0001-Vendor-external-dependencies.patch +++ b/patches/0001-Vendor-external-dependencies.patch @@ -41,7 +41,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../golang-fips/openssl/v2/.gitleaks.toml | 9 + .../github.com/golang-fips/openssl/v2/LICENSE | 20 + .../golang-fips/openssl/v2/README.md | 66 + - .../github.com/golang-fips/openssl/v2/aes.go | 145 + + .../github.com/golang-fips/openssl/v2/aes.go | 157 ++ .../golang-fips/openssl/v2/bbig/big.go | 37 + .../github.com/golang-fips/openssl/v2/big.go | 11 + .../openssl/v2/chacha20poly1305.go | 149 + @@ -55,7 +55,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../golang-fips/openssl/v2/ecdsa.go | 222 ++ .../golang-fips/openssl/v2/ed25519.go | 210 ++ .../github.com/golang-fips/openssl/v2/evp.go | 620 +++++ - .../github.com/golang-fips/openssl/v2/hash.go | 502 ++++ + .../github.com/golang-fips/openssl/v2/hash.go | 514 ++++ .../golang-fips/openssl/v2/hashclone.go | 14 + .../golang-fips/openssl/v2/hashclone_go125.go | 9 + .../github.com/golang-fips/openssl/v2/hkdf.go | 455 ++++ @@ -161,11 +161,11 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../microsoft/go-crypto-darwin/LICENSE | 21 + .../microsoft/go-crypto-darwin/bbig/big.go | 31 + .../internal/commoncrypto/commoncrypto.go | 9 + - .../internal/commoncrypto/shims.h | 72 + + .../internal/commoncrypto/shims.h | 77 + .../internal/commoncrypto/syscall_nocgo.go | 15 + .../internal/commoncrypto/zcommoncrypto.c | 47 + - .../internal/commoncrypto/zcommoncrypto.go | 50 + - .../internal/commoncrypto/zcommoncrypto.h | 69 + + .../internal/commoncrypto/zcommoncrypto.go | 55 + + .../internal/commoncrypto/zcommoncrypto.h | 74 + .../internal/commoncrypto/zcommoncrypto.s | 74 + .../commoncrypto/zcommoncrypto_cgo.go | 60 + .../commoncrypto/zcommoncrypto_go124.go | 11 + @@ -226,10 +226,10 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../internal/xsyscall/xsyscall.go | 6 + .../go-crypto-darwin/internal/xsyscall/zdl.s | 56 + .../internal/xsyscall/zdl_nocgo.go | 48 + - .../microsoft/go-crypto-darwin/xcrypto/aes.go | 144 + + .../microsoft/go-crypto-darwin/xcrypto/aes.go | 160 ++ .../microsoft/go-crypto-darwin/xcrypto/big.go | 16 + .../xcrypto/chacha20poly1305.go | 88 + - .../go-crypto-darwin/xcrypto/cipher.go | 114 + + .../go-crypto-darwin/xcrypto/cipher.go | 172 ++ .../microsoft/go-crypto-darwin/xcrypto/des.go | 111 + .../microsoft/go-crypto-darwin/xcrypto/ec.go | 39 + .../go-crypto-darwin/xcrypto/ecdh.go | 146 + @@ -237,7 +237,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../go-crypto-darwin/xcrypto/ed25519.go | 124 + .../microsoft/go-crypto-darwin/xcrypto/evp.go | 339 +++ .../microsoft/go-crypto-darwin/xcrypto/gcm.go | 218 ++ - .../go-crypto-darwin/xcrypto/hash.go | 320 +++ + .../go-crypto-darwin/xcrypto/hash.go | 331 +++ .../go-crypto-darwin/xcrypto/hashclone.go | 17 + .../xcrypto/hashclone_go125.go | 12 + .../go-crypto-darwin/xcrypto/hkdf.go | 103 + @@ -248,7 +248,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../microsoft/go-crypto-darwin/xcrypto/rc4.go | 81 + .../microsoft/go-crypto-darwin/xcrypto/rsa.go | 208 ++ .../microsoft/go-crypto-winnative/LICENSE | 21 + - .../microsoft/go-crypto-winnative/cng/aes.go | 427 +++ + .../microsoft/go-crypto-winnative/cng/aes.go | 435 +++ .../go-crypto-winnative/cng/bbig/big.go | 31 + .../microsoft/go-crypto-winnative/cng/big.go | 30 + .../cng/chacha20poly1305.go | 119 + @@ -258,7 +258,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../microsoft/go-crypto-winnative/cng/dsa.go | 465 ++++ .../microsoft/go-crypto-winnative/cng/ecdh.go | 255 ++ .../go-crypto-winnative/cng/ecdsa.go | 169 ++ - .../microsoft/go-crypto-winnative/cng/hash.go | 327 +++ + .../microsoft/go-crypto-winnative/cng/hash.go | 338 +++ .../go-crypto-winnative/cng/hashclone.go | 18 + .../cng/hashclone_go125.go | 13 + .../microsoft/go-crypto-winnative/cng/hkdf.go | 133 + @@ -277,7 +277,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 + src/vendor/modules.txt | 23 + - 269 files changed, 34097 insertions(+), 7 deletions(-) + 269 files changed, 34240 insertions(+), 7 deletions(-) create mode 100644 src/cmd/internal/telemetry/counter/deps_ignore.go create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/LICENSE create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/README.md @@ -2213,7 +2213,7 @@ index 00000000000000..ae4055d2d71303 +// that are used by the backend package. This allows to track +// their versions in a single patch file. diff --git a/src/go.mod b/src/go.mod -index d6c515017a7009..15ab996b3e47e5 100644 +index d6c515017a7009..d6a3706d423d5d 100644 --- a/src/go.mod +++ b/src/go.mod @@ -11,3 +11,9 @@ require ( @@ -2222,21 +2222,21 @@ index d6c515017a7009..15ab996b3e47e5 100644 ) + +require ( -+ github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4 -+ github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357 -+ github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9 ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20260218141142-bc5414004e2c ++ github.com/microsoft/go-crypto-darwin v0.0.3-0.20260218125244-fad94c75cb26 ++ github.com/microsoft/go-crypto-winnative v0.0.0-20260218135539-0dea5b47f571 +) diff --git a/src/go.sum b/src/go.sum -index 2223d2a7c231c1..11a1b9af830278 100644 +index 2223d2a7c231c1..653e027f5ce2d3 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,9 @@ -+github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4 h1:2kbDvyeg2zT1dsjfp6I445SCP4ryK88vnIODU+x0W3o= -+github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw= -+github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357 h1:ILqgGD8SGjjtSweSBanrXyX8Aco33yFSJEqsnJgmXHU= -+github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357/go.mod h1:MTii5PQwRlfUjYpGoF8CPLGwXSHTbLHGRN9FVNML5N0= -+github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9 h1:joliMChkkfHV3vAPKzu9kefdw0K+d89A8r9gTm3MFS4= -+github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9/go.mod h1:gD686525Li/blRSYwSzFJ6/LJQVFJp7Y0MKp+dmqFbc= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20260218141142-bc5414004e2c h1:E5YJQAqiQiW0Ab5Kx+PT1rJqmp5IRgdGh2qFCKTc9yA= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20260218141142-bc5414004e2c/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw= ++github.com/microsoft/go-crypto-darwin v0.0.3-0.20260218125244-fad94c75cb26 h1:jFpFYSWR97Eb5jSRVePiYzowTx2kKXWbSHE5SaK5vWQ= ++github.com/microsoft/go-crypto-darwin v0.0.3-0.20260218125244-fad94c75cb26/go.mod h1:MTii5PQwRlfUjYpGoF8CPLGwXSHTbLHGRN9FVNML5N0= ++github.com/microsoft/go-crypto-winnative v0.0.0-20260218135539-0dea5b47f571 h1:OPx6ADUNbW8X6KRZjafdJPsMY7EoffIrMTwJ1pDrMcE= ++github.com/microsoft/go-crypto-winnative v0.0.0-20260218135539-0dea5b47f571/go.mod h1:gD686525Li/blRSYwSzFJ6/LJQVFJp7Y0MKp+dmqFbc= golang.org/x/crypto v0.47.1-0.20260113154411-7d0074ccc6f1 h1:peTBrYsTa5Rr+jB2pbgd7X08cFAun6ME4So3jfEkYL4= golang.org/x/crypto v0.47.1-0.20260113154411-7d0074ccc6f1/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/net v0.49.1-0.20260122225915-f2078620ee33 h1:pNHjOZ0w6qb8R9EDmEsBXmV4o2YKLvtRiEk4q5gN5Hg= @@ -2478,10 +2478,10 @@ index 00000000000000..0a6d0d0ef2c0c6 +This project adopts the Go code of conduct: https://go.dev/conduct. diff --git a/src/vendor/github.com/golang-fips/openssl/v2/aes.go b/src/vendor/github.com/golang-fips/openssl/v2/aes.go new file mode 100644 -index 00000000000000..654566d2bff4e0 +index 00000000000000..8d5d44db2ba360 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/aes.go -@@ -0,0 +1,145 @@ +@@ -0,0 +1,157 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -2574,14 +2574,26 @@ index 00000000000000..654566d2bff4e0 + return c.cipher.newCBC(iv, cipherOpEncrypt) +} + ++func (c cipherWithCBC) NewFIPSCBCEncrypter(iv []byte) cipher.BlockMode { ++ return c.cipher.newCBC(iv, cipherOpEncrypt) ++} ++ +func (c cipherWithCBC) NewCBCDecrypter(iv []byte) cipher.BlockMode { + return c.cipher.newCBC(iv, cipherOpDecrypt) +} + ++func (c cipherWithCBC) NewFIPSCBCDecrypter(iv []byte) cipher.BlockMode { ++ return c.cipher.newCBC(iv, cipherOpDecrypt) ++} ++ +func (c cipherWithCTR) NewCTR(iv []byte) cipher.Stream { + return c.cipher.newCTR(iv) +} + ++func (c cipherWithCTR) NewFIPSCTR(iv []byte) cipher.Stream { ++ return c.cipher.newCTR(iv) ++} ++ +func (c cipherWithGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { + return c.cipher.newGCMChecked(nonceSize, tagSize) +} @@ -5858,10 +5870,10 @@ index 00000000000000..4c70cd75a1a553 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hash.go b/src/vendor/github.com/golang-fips/openssl/v2/hash.go new file mode 100644 -index 00000000000000..eb0a84acf2232f +index 00000000000000..d9195a1ddfa0a5 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/hash.go -@@ -0,0 +1,502 @@ +@@ -0,0 +1,514 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -6089,6 +6101,18 @@ index 00000000000000..eb0a84acf2232f +var _ hash.Hash = (*Hash)(nil) +var _ HashCloner = (*Hash)(nil) + ++// FIPSApproved reports whether this hash algorithm is FIPS 140-3 approved. ++func (h *Hash) FIPSApproved() bool { ++ switch h.alg.ch { ++ case crypto.SHA224, crypto.SHA256, crypto.SHA384, crypto.SHA512, ++ crypto.SHA512_224, crypto.SHA512_256, ++ crypto.SHA3_224, crypto.SHA3_256, crypto.SHA3_384, crypto.SHA3_512: ++ return true ++ default: ++ return false ++ } ++} ++ +// hashBufSize is the size of the buffer used for hashing. +// 256 bytes is a reasonable compromise for general purpose use, +// and the resulting evpHash size is still similar to the @@ -22572,10 +22596,10 @@ index 00000000000000..e1b9ee1d005406 +//go:generate go run ../../cmd/mkcgo -out zcommoncrypto.go -nocgo -package commoncrypto --noerrors shims.h diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/shims.h b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/shims.h new file mode 100644 -index 00000000000000..b186cf8723ed20 +index 00000000000000..9b49fe87e9e421 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/shims.h -@@ -0,0 +1,72 @@ +@@ -0,0 +1,77 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -22602,8 +22626,13 @@ index 00000000000000..b186cf8723ed20 + +typedef enum { + kCCModeCBC = 2, ++ kCCModeCTR = 4, +} CCMode; + ++enum { ++ kCCModeOptionCTR_BE = 2, ++}; ++ +typedef enum { + KCCOptionECBMode = 2, +} CCOptions; @@ -22724,10 +22753,10 @@ index 00000000000000..24f6e3d3f50dc1 + diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.go new file mode 100644 -index 00000000000000..0a25e0621df627 +index 00000000000000..27e33d384aae54 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.go -@@ -0,0 +1,50 @@ +@@ -0,0 +1,55 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -22742,6 +22771,11 @@ index 00000000000000..0a25e0621df627 + +const ( + KCCModeCBC CCMode = 2 ++ KCCModeCTR CCMode = 4 ++) ++ ++const ( ++ KCCModeOptionCTR_BE = 2 +) + +const ( @@ -22780,10 +22814,10 @@ index 00000000000000..0a25e0621df627 +) diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.h b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.h new file mode 100644 -index 00000000000000..016e73758ac4e0 +index 00000000000000..ec30bd526df986 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/commoncrypto/zcommoncrypto.h -@@ -0,0 +1,69 @@ +@@ -0,0 +1,74 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -22805,8 +22839,13 @@ index 00000000000000..016e73758ac4e0 + +typedef enum { + kCCModeCBC = 2, ++ kCCModeCTR = 4, +} CCMode; + ++enum { ++ kCCModeOptionCTR_BE = 2, ++}; ++ +typedef enum { + KCCOptionECBMode = 2, +} CCOptions; @@ -30464,10 +30503,10 @@ index 00000000000000..a30d07b27ed848 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go new file mode 100644 -index 00000000000000..cc4bc4f25fefa4 +index 00000000000000..eeb6ece5766a2e --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go -@@ -0,0 +1,144 @@ +@@ -0,0 +1,160 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -30591,10 +30630,26 @@ index 00000000000000..cc4bc4f25fefa4 + return newCBC(commoncrypto.KCCEncrypt, c.kind, c.key, iv) +} + ++func (c *aesCipher) NewFIPSCBCEncrypter(iv []byte) cipher.BlockMode { ++ return newCBC(commoncrypto.KCCEncrypt, c.kind, c.key, iv) ++} ++ +func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode { + return newCBC(commoncrypto.KCCDecrypt, c.kind, c.key, iv) +} + ++func (c *aesCipher) NewFIPSCBCDecrypter(iv []byte) cipher.BlockMode { ++ return newCBC(commoncrypto.KCCDecrypt, c.kind, c.key, iv) ++} ++ ++func (c *aesCipher) NewCTR(iv []byte) cipher.Stream { ++ return newCTR(c.kind, c.key, iv) ++} ++ ++func (c *aesCipher) NewFIPSCTR(iv []byte) cipher.Stream { ++ return newCTR(c.kind, c.key, iv) ++} ++ +// sliceForAppend is a mirror of crypto/cipher.sliceForAppend. +func sliceForAppend(in []byte, n int) (head, tail []byte) { + if total := len(in) + n; cap(in) >= total { @@ -30730,10 +30785,10 @@ index 00000000000000..b0ad6c0aeaff09 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go new file mode 100644 -index 00000000000000..d4c550b90fafae +index 00000000000000..1c68abc9f84325 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go -@@ -0,0 +1,114 @@ +@@ -0,0 +1,172 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -30834,6 +30889,64 @@ index 00000000000000..d4c550b90fafae + runtime.KeepAlive(x) +} + ++// ctrStream implements cipher.Stream using CommonCrypto's CTR mode. ++type ctrStream struct { ++ cryptor commoncrypto.CCCryptorRef ++} ++ ++func newCTR(kind commoncrypto.CCAlgorithm, key, iv []byte) *ctrStream { ++ x := &ctrStream{} ++ // CTR mode: encryption and decryption are the same operation (XOR with keystream), ++ // so we always use KCCEncrypt. ++ status := commoncrypto.CCCryptorCreateWithMode( ++ commoncrypto.KCCEncrypt, ++ commoncrypto.KCCModeCTR, ++ commoncrypto.CCAlgorithm(kind), ++ commoncrypto.CcNoPadding, ++ iv, ++ key, ++ nil, ++ 0, ++ commoncrypto.KCCModeOptionCTR_BE, ++ &x.cryptor, ++ ) ++ if status != commoncrypto.KCCSuccess { ++ panic("crypto/cipher: CCCryptorCreateWithMode CTR failed") ++ } ++ runtime.SetFinalizer(x, (*ctrStream).finalize) ++ return x ++} ++ ++func (x *ctrStream) finalize() { ++ if x.cryptor != nil { ++ commoncrypto.CCCryptorRelease(x.cryptor) ++ x.cryptor = nil ++ } ++} ++ ++func (x *ctrStream) XORKeyStream(dst, src []byte) { ++ if len(dst) < len(src) { ++ panic("crypto/cipher: output smaller than input") ++ } ++ if inexactOverlap(dst[:len(src)], src) { ++ panic("crypto/cipher: invalid buffer overlap") ++ } ++ if len(src) == 0 { ++ return ++ } ++ var outLength int ++ status := commoncrypto.CCCryptorUpdate( ++ x.cryptor, ++ src, ++ dst, ++ &outLength, ++ ) ++ if status != commoncrypto.KCCSuccess { ++ panic("crypto/cipher: CCCryptorUpdate CTR failed") ++ } ++ runtime.KeepAlive(x) ++} ++ +// The following two functions are a mirror of golang.org/x/crypto/internal/subtle. + +func anyOverlap(x, y []byte) bool { @@ -32023,10 +32136,10 @@ index 00000000000000..82a961d974f129 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go new file mode 100644 -index 00000000000000..e03ae435ac563f +index 00000000000000..a9726c4f8c7590 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go -@@ -0,0 +1,320 @@ +@@ -0,0 +1,331 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -32264,6 +32377,17 @@ index 00000000000000..e03ae435ac563f + return h.alg.size +} + ++// FIPSApproved reports whether this hash algorithm is FIPS 140-3 approved. ++func (h *Hash) FIPSApproved() bool { ++ switch h.alg.ch { ++ case crypto.SHA256, crypto.SHA384, crypto.SHA512, ++ crypto.SHA3_256, crypto.SHA3_384, crypto.SHA3_512: ++ return true ++ default: ++ return false ++ } ++} ++ +var _ hash.Hash = (*Hash)(nil) +var _ HashCloner = (*Hash)(nil) + @@ -33327,10 +33451,10 @@ index 00000000000000..9e841e7a26e4eb + SOFTWARE diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go new file mode 100644 -index 00000000000000..99fe3c7189d9d2 +index 00000000000000..3c235d27562871 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go -@@ -0,0 +1,427 @@ +@@ -0,0 +1,435 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -33424,10 +33548,18 @@ index 00000000000000..99fe3c7189d9d2 + return newCBC(true, bcrypt.AES_ALGORITHM, c.key, iv) +} + ++func (c *aesCipher) NewFIPSCBCEncrypter(iv []byte) cipher.BlockMode { ++ return newCBC(true, bcrypt.AES_ALGORITHM, c.key, iv) ++} ++ +func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode { + return newCBC(false, bcrypt.AES_ALGORITHM, c.key, iv) +} + ++func (c *aesCipher) NewFIPSCBCDecrypter(iv []byte) cipher.BlockMode { ++ return newCBC(false, bcrypt.AES_ALGORITHM, c.key, iv) ++} ++ +type noGCM struct { + cipher.Block +} @@ -35181,10 +35313,10 @@ index 00000000000000..586e9ae2ebb0c9 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go new file mode 100644 -index 00000000000000..124f7418740ef4 +index 00000000000000..94572966b49ebf --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go -@@ -0,0 +1,327 @@ +@@ -0,0 +1,338 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -35347,6 +35479,17 @@ index 00000000000000..124f7418740ef4 +var _ hash.Hash = (*Hash)(nil) +var _ HashCloner = (*Hash)(nil) + ++// FIPSApproved reports whether this hash algorithm is FIPS 140-3 approved. ++func (h *Hash) FIPSApproved() bool { ++ switch h.alg.id { ++ case bcrypt.SHA256_ALGORITHM, bcrypt.SHA384_ALGORITHM, bcrypt.SHA512_ALGORITHM, ++ bcrypt.SHA3_256_ALGORITHM, bcrypt.SHA3_384_ALGORITHM, bcrypt.SHA3_512_ALGORITHM: ++ return true ++ default: ++ return false ++ } ++} ++ +// Hash implements [hash.Hash]. +type Hash struct { + alg *hashAlgorithm @@ -38317,18 +38460,18 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 48967bc9ee3bd2..1f87e000dbdbc9 100644 +index 48967bc9ee3bd2..7645df4c015069 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,26 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4 ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20260218141142-bc5414004e2c +## explicit; go 1.24 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig +github.com/golang-fips/openssl/v2/internal/fakecgo +github.com/golang-fips/openssl/v2/internal/ossl +github.com/golang-fips/openssl/v2/osslsetup -+# github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357 ++# github.com/microsoft/go-crypto-darwin v0.0.3-0.20260218125244-fad94c75cb26 +## explicit; go 1.24 +github.com/microsoft/go-crypto-darwin/bbig +github.com/microsoft/go-crypto-darwin/internal/commoncrypto @@ -38337,7 +38480,7 @@ index 48967bc9ee3bd2..1f87e000dbdbc9 100644 +github.com/microsoft/go-crypto-darwin/internal/security +github.com/microsoft/go-crypto-darwin/internal/xsyscall +github.com/microsoft/go-crypto-darwin/xcrypto -+# github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9 ++# github.com/microsoft/go-crypto-winnative v0.0.0-20260218135539-0dea5b47f571 +## explicit; go 1.24 +github.com/microsoft/go-crypto-winnative/cng +github.com/microsoft/go-crypto-winnative/cng/bbig diff --git a/patches/0004-Use-crypto-backends.patch b/patches/0004-Use-crypto-backends.patch index 2ad2192675..4bcb8cef86 100644 --- a/patches/0004-Use-crypto-backends.patch +++ b/patches/0004-Use-crypto-backends.patch @@ -15,6 +15,8 @@ Subject: [PATCH] Use crypto backends src/crypto/aes/aes.go | 2 +- src/crypto/aes/aes_test.go | 2 +- src/crypto/boring/boring.go | 4 +- + src/crypto/cipher/cbc.go | 14 ++ + src/crypto/cipher/ctr.go | 7 + src/crypto/cipher/ctr_aes_test.go | 2 +- src/crypto/cipher/gcm.go | 59 +++++- src/crypto/cipher/gcm_test.go | 9 +- @@ -29,7 +31,7 @@ Subject: [PATCH] Use crypto backends src/crypto/ecdh/x25519.go | 49 +++++ src/crypto/ecdsa/badlinkname.go | 19 ++ src/crypto/ecdsa/boring.go | 6 +- - src/crypto/ecdsa/ecdsa.go | 10 +- + src/crypto/ecdsa/ecdsa.go | 16 +- src/crypto/ecdsa/notboring.go | 4 +- src/crypto/ed25519/boring.go | 71 +++++++ src/crypto/ed25519/ed25519.go | 70 +++++++ @@ -39,14 +41,16 @@ Subject: [PATCH] Use crypto backends src/crypto/fips140/fips140.go | 3 +- src/crypto/hkdf/hkdf.go | 14 ++ src/crypto/hkdf/hkdf_test.go | 2 +- - src/crypto/hmac/hmac.go | 2 +- + src/crypto/hmac/hmac.go | 22 +- src/crypto/hmac/hmac_test.go | 2 +- src/crypto/hpke/aead.go | 14 +- src/crypto/internal/cryptotest/allocations.go | 6 - src/crypto/internal/cryptotest/fips140.go | 8 + src/crypto/internal/cryptotest/hash.go | 3 +- .../internal/cryptotest/implementations.go | 2 +- - .../internal/fips140only/fips140only_test.go | 6 + + src/crypto/internal/fips140hash/hash.go | 3 +- + .../internal/fips140only/fips140only.go | 6 +- + .../internal/fips140only/fips140only_test.go | 44 ++-- src/crypto/internal/fips140test/acvp_test.go | 6 + src/crypto/internal/fips140test/cast_test.go | 2 + src/crypto/internal/fips140test/fips_test.go | 2 +- @@ -63,19 +67,19 @@ Subject: [PATCH] Use crypto backends src/crypto/rc4/rc4.go | 18 ++ src/crypto/rsa/boring.go | 13 +- src/crypto/rsa/boring_test.go | 2 +- - src/crypto/rsa/darwin.go | 71 +++ - src/crypto/rsa/fips.go | 22 +- + src/crypto/rsa/darwin.go | 71 +++++++ + src/crypto/rsa/fips.go | 84 ++++---- src/crypto/rsa/notboring.go | 4 +- src/crypto/rsa/pkcs1v15.go | 10 +- src/crypto/rsa/pkcs1v15_test.go | 5 + src/crypto/rsa/pss_test.go | 14 +- - src/crypto/rsa/rsa.go | 16 +- + src/crypto/rsa/rsa.go | 29 +-- src/crypto/rsa/rsa_test.go | 7 +- - src/crypto/sha1/sha1.go | 8 +- + src/crypto/sha1/sha1.go | 11 +- src/crypto/sha1/sha1_test.go | 11 +- src/crypto/sha256/sha256.go | 6 +- src/crypto/sha256/sha256_test.go | 44 ++-- - src/crypto/sha3/sha3.go | 124 +++++++++-- + src/crypto/sha3/sha3.go | 133 ++++++++++-- src/crypto/sha3/sha3_test.go | 18 +- src/crypto/sha512/sha512.go | 2 +- src/crypto/sha512/sha512_test.go | 32 ++- @@ -100,7 +104,7 @@ Subject: [PATCH] Use crypto backends src/hash/notboring_test.go | 9 + src/net/lookup_test.go | 3 + src/os/exec/exec_test.go | 9 + - 96 files changed, 1505 insertions(+), 179 deletions(-) + 100 files changed, 1614 insertions(+), 253 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ecdsa/badlinkname.go @@ -126,7 +130,7 @@ index f0e3575637c62a..9eab3b4e66e60b 100644 package main diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go -index b651104235adcc..a54fc6124b1e0e 100644 +index 91502c9a23f724..41cde9ef2206af 100644 --- a/src/cmd/dist/test.go +++ b/src/cmd/dist/test.go @@ -720,7 +720,7 @@ func (t *tester) registerTests() { @@ -138,7 +142,7 @@ index b651104235adcc..a54fc6124b1e0e 100644 // Test standard crypto packages with fips140=on. t.registerTest("GOFIPS140=latest go test crypto/...", &goTest{ variant: "gofips140", -@@ -1388,12 +1388,11 @@ func (t *tester) registerCgoTests(heading string) { +@@ -1383,12 +1383,11 @@ func (t *tester) registerCgoTests(heading string) { // a C linker warning on Linux. // in function `bio_ip_and_port_to_socket_and_addr': // warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking @@ -307,6 +311,76 @@ index 097c37e343fdb8..a5d603896d3890 100644 // Enabled reports whether BoringCrypto handles supported crypto operations. func Enabled() bool { +diff --git a/src/crypto/cipher/cbc.go b/src/crypto/cipher/cbc.go +index 87bafee08ade4f..d724c21e76f7f1 100644 +--- a/src/crypto/cipher/cbc.go ++++ b/src/crypto/cipher/cbc.go +@@ -44,6 +44,10 @@ type cbcEncAble interface { + NewCBCEncrypter(iv []byte) BlockMode + } + ++type fipsCBCEncAble interface { ++ NewFIPSCBCEncrypter(iv []byte) BlockMode ++} ++ + // NewCBCEncrypter returns a BlockMode which encrypts in cipher block chaining + // mode, using the given Block. The length of iv must be the same as the + // Block's block size. +@@ -54,6 +58,9 @@ func NewCBCEncrypter(b Block, iv []byte) BlockMode { + if b, ok := b.(*aes.Block); ok { + return aes.NewCBCEncrypter(b, [16]byte(iv)) + } ++ if cbc, ok := b.(fipsCBCEncAble); ok { ++ return cbc.NewFIPSCBCEncrypter(iv) ++ } + if fips140only.Enforced() { + panic("crypto/cipher: use of CBC with non-AES ciphers is not allowed in FIPS 140-only mode") + } +@@ -123,6 +130,10 @@ type cbcDecAble interface { + NewCBCDecrypter(iv []byte) BlockMode + } + ++type fipsCBCDecAble interface { ++ NewFIPSCBCDecrypter(iv []byte) BlockMode ++} ++ + // NewCBCDecrypter returns a BlockMode which decrypts in cipher block chaining + // mode, using the given Block. The length of iv must be the same as the + // Block's block size and must match the iv used to encrypt the data. +@@ -133,6 +144,9 @@ func NewCBCDecrypter(b Block, iv []byte) BlockMode { + if b, ok := b.(*aes.Block); ok { + return aes.NewCBCDecrypter(b, [16]byte(iv)) + } ++ if cbc, ok := b.(fipsCBCDecAble); ok { ++ return cbc.NewFIPSCBCDecrypter(iv) ++ } + if fips140only.Enforced() { + panic("crypto/cipher: use of CBC with non-AES ciphers is not allowed in FIPS 140-only mode") + } +diff --git a/src/crypto/cipher/ctr.go b/src/crypto/cipher/ctr.go +index 8e63ed7e668a4c..10ed72d2540b6e 100644 +--- a/src/crypto/cipher/ctr.go ++++ b/src/crypto/cipher/ctr.go +@@ -36,12 +36,19 @@ type ctrAble interface { + NewCTR(iv []byte) Stream + } + ++type fipsCTRAble interface { ++ NewFIPSCTR(iv []byte) Stream ++} ++ + // NewCTR returns a [Stream] which encrypts/decrypts using the given [Block] in + // counter mode. The length of iv must be the same as the [Block]'s block size. + func NewCTR(block Block, iv []byte) Stream { + if block, ok := block.(*aes.Block); ok { + return aesCtrWrapper{aes.NewCTR(block, iv)} + } ++ if ctr, ok := block.(fipsCTRAble); ok { ++ return ctr.NewFIPSCTR(iv) ++ } + if fips140only.Enforced() { + panic("crypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only mode") + } diff --git a/src/crypto/cipher/ctr_aes_test.go b/src/crypto/cipher/ctr_aes_test.go index 1d8ae78674ebe2..1ce8f093834d55 100644 --- a/src/crypto/cipher/ctr_aes_test.go @@ -1058,10 +1132,10 @@ index 275c60b4de49eb..ff8bddf28c4545 100644 "math/big" ) diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go -index b336f32eb69ef5..1eb2604505e229 100644 +index b336f32eb69ef5..8a204e3a40e7d2 100644 --- a/src/crypto/ecdsa/ecdsa.go +++ b/src/crypto/ecdsa/ecdsa.go -@@ -20,8 +20,8 @@ import ( +@@ -20,15 +20,15 @@ import ( "crypto" "crypto/ecdh" "crypto/elliptic" @@ -1071,7 +1145,15 @@ index b336f32eb69ef5..1eb2604505e229 100644 + "crypto/internal/backend/bbig" "crypto/internal/fips140/ecdsa" "crypto/internal/fips140/nistec" ++ fipsSha512 "crypto/internal/fips140/sha512" "crypto/internal/fips140cache" + "crypto/internal/fips140hash" + "crypto/internal/fips140only" + "crypto/internal/rand" +- "crypto/sha512" + "crypto/subtle" + "errors" + "io" @@ -334,7 +334,7 @@ func (priv *PrivateKey) Sign(random io.Reader, digest []byte, opts crypto.Signer // ignored unless GODEBUG=cryptocustomrand=1 is set. This setting will be removed // in a future Go release. Instead, use [testing/cryptotest.SetGlobalRandom]. @@ -1090,7 +1172,18 @@ index b336f32eb69ef5..1eb2604505e229 100644 b, err := boringPrivateKey(priv) if err != nil { return nil, err -@@ -494,7 +494,7 @@ func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { +@@ -416,7 +416,9 @@ func signFIPS[P ecdsa.Point[P]](c *ecdsa.Curve[P], priv *PrivateKey, rand io.Rea + // Always using SHA-512 instead of the hash that computed hash is + // technically a violation of draft-irtf-cfrg-det-sigs-with-noise-04 but in + // our API we don't get to know what it was, and this has no security impact. +- sig, err := ecdsa.Sign(c, sha512.New, k, rand, hash) ++ // Use the FIPS module's SHA-512 directly to ensure the service indicator ++ // recognizes the hash type when the backend doesn't handle ECDSA. ++ sig, err := ecdsa.Sign(c, fipsSha512.New, k, rand, hash) + if err != nil { + return nil, err + } +@@ -494,7 +496,7 @@ func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { // The inputs are not considered confidential, and may leak through timing side // channels, or if an attacker has control of part of the inputs. func VerifyASN1(pub *PublicKey, hash, sig []byte) bool { @@ -1346,7 +1439,7 @@ index c8a23e3246a949..02dc683fa1a1b4 100644 t.Errorf("different signature result on line %d: %x vs %x", lineNo, sig, sig2) } -@@ -373,6 +376,11 @@ func TestAllocations(t *testing.T) { +@@ -371,6 +374,11 @@ func TestAllocations(t *testing.T) { cryptotest.SkipTestAllocations(t) seed := make([]byte, SeedSize) priv := NewKeyFromSeed(seed) @@ -1358,7 +1451,7 @@ index c8a23e3246a949..02dc683fa1a1b4 100644 if allocs := testing.AllocsPerRun(100, func() { message := []byte("Hello, world!") pub := priv.Public().(PublicKey) -@@ -380,8 +386,8 @@ func TestAllocations(t *testing.T) { +@@ -378,8 +386,8 @@ func TestAllocations(t *testing.T) { if !Verify(pub, message, signature) { t.Fatal("signature didn't verify") } @@ -1494,7 +1587,7 @@ index 57d90f88e93e75..4069ab057a2525 100644 "crypto/md5" "crypto/sha1" diff --git a/src/crypto/hmac/hmac.go b/src/crypto/hmac/hmac.go -index e7976e25193dfe..9578e1e985c02d 100644 +index e7976e25193dfe..5dd85b693c4083 100644 --- a/src/crypto/hmac/hmac.go +++ b/src/crypto/hmac/hmac.go @@ -22,7 +22,7 @@ timing side-channels: @@ -1506,6 +1599,40 @@ index e7976e25193dfe..9578e1e985c02d 100644 "crypto/internal/fips140/hmac" "crypto/internal/fips140hash" "crypto/internal/fips140only" +@@ -37,23 +37,23 @@ import ( + // the returned Hash does not implement [encoding.BinaryMarshaler] + // or [encoding.BinaryUnmarshaler]. + func New(h func() hash.Hash, key []byte) hash.Hash { +- if boring.Enabled { +- hm := boring.NewHMAC(h, key) +- if hm != nil { +- return hm +- } +- // BoringCrypto did not recognize h, so fall through to standard Go code. +- } +- h = fips140hash.UnwrapNew(h) ++ fh := fips140hash.UnwrapNew(h) + if fips140only.Enforced() { + if len(key) < 112/8 { + panic("crypto/hmac: use of keys shorter than 112 bits is not allowed in FIPS 140-only mode") + } +- if !fips140only.ApprovedHash(h()) { ++ if !fips140only.ApprovedHash(fh()) { + panic("crypto/hmac: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") + } + } +- return hmac.New(h, key) ++ if boring.Enabled { ++ hm := boring.NewHMAC(h, key) ++ if hm != nil { ++ return hm ++ } ++ // BoringCrypto did not recognize h, so fall through to standard Go code. ++ } ++ return hmac.New(fh, key) + } + + // Equal compares two MACs for equality without leaking timing information. diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go index 4046a9555a8e35..4721a2a7ac04f7 100644 --- a/src/crypto/hmac/hmac_test.go @@ -1635,8 +1762,46 @@ index 2b6cf4b75fc6b7..3a1b9e5cc67ecc 100644 "crypto/internal/impl" "internal/goarch" "internal/goos" +diff --git a/src/crypto/internal/fips140hash/hash.go b/src/crypto/internal/fips140hash/hash.go +index 6d67ee8b3429a1..8f8d5937ea913c 100644 +--- a/src/crypto/internal/fips140hash/hash.go ++++ b/src/crypto/internal/fips140hash/hash.go +@@ -5,14 +5,13 @@ + package fips140hash + + import ( +- fsha3 "crypto/internal/fips140/sha3" + "crypto/sha3" + "hash" + _ "unsafe" + ) + + //go:linkname sha3Unwrap +-func sha3Unwrap(*sha3.SHA3) *fsha3.Digest ++func sha3Unwrap(*sha3.SHA3) hash.Hash + + // Unwrap returns h, or a crypto/internal/fips140 inner implementation of h. + // +diff --git a/src/crypto/internal/fips140only/fips140only.go b/src/crypto/internal/fips140only/fips140only.go +index 1b0a4be6ba5897..3225763ebb1da8 100644 +--- a/src/crypto/internal/fips140only/fips140only.go ++++ b/src/crypto/internal/fips140only/fips140only.go +@@ -24,9 +24,11 @@ func ApprovedHash(h hash.Hash) bool { + switch h.(type) { + case *sha256.Digest, *sha512.Digest, *sha3.Digest: + return true +- default: +- return false + } ++ if fa, ok := h.(interface{ FIPSApproved() bool }); ok { ++ return fa.FIPSApproved() ++ } ++ return false + } + + func ApprovedRandomReader(r io.Reader) bool { diff --git a/src/crypto/internal/fips140only/fips140only_test.go b/src/crypto/internal/fips140only/fips140only_test.go -index 96df536d56f345..5ed6026962a17c 100644 +index 96df536d56f345..31d07e73f201bc 100644 --- a/src/crypto/internal/fips140only/fips140only_test.go +++ b/src/crypto/internal/fips140only/fips140only_test.go @@ -17,6 +17,7 @@ import ( @@ -1647,18 +1812,63 @@ index 96df536d56f345..5ed6026962a17c 100644 "crypto/internal/cryptotest" "crypto/internal/fips140" "crypto/internal/fips140only" -@@ -47,6 +48,11 @@ import ( +@@ -310,13 +311,16 @@ bXVL8iKLrG91IYQByUHZIn3WVAd2bfi4MfKagRt0ggd4 + expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPublicKey(make([]byte, 32)))) + hpkeK, err := hpke.MLKEM768().GenerateKey() + expectNoErr(t, err) +- expectErr(t, errRet2(hpke.Seal(hpkeK.PublicKey(), hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, nil))) +- expectErr(t, errRet2(hpke.Open(hpkeK, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, make([]byte, 2000)))) +- +- // fips140=only mode should prevent any operation that would make the FIPS +- // 140-3 module set its service indicator to false. +- if !fips140.ServiceIndicator() { +- t.Errorf("service indicator not set") ++ if !boring.Enabled { ++ // TODO implement error handling in backends that check for fips140only.Enforced(). ++ expectErr(t, errRet2(hpke.Seal(hpkeK.PublicKey(), hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, nil))) ++ expectErr(t, errRet2(hpke.Open(hpkeK, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, make([]byte, 2000)))) ++ ++ // fips140=only mode should prevent any operation that would make the FIPS ++ // 140-3 module set its service indicator to false. ++ if !fips140.ServiceIndicator() { ++ t.Errorf("service indicator not set") ++ } + } + } - func TestFIPS140Only(t *testing.T) { - cryptotest.MustSupportFIPS140(t) -+ // TODO: Remove this skip when SystemCrypto supports fips140=only mode. -+ // https://github.com/microsoft/go/issues/1656 -+ if boring.Enabled { -+ t.Skip("SystemCrypto does not support fips140=only mode") +@@ -329,16 +333,22 @@ type readerWrap struct { + } + + func withApprovedHash(f func(crypto.Hash)) { +- f(crypto.SHA224) +- f(crypto.SHA256) +- f(crypto.SHA384) +- f(crypto.SHA512) +- f(crypto.SHA3_224) +- f(crypto.SHA3_256) +- f(crypto.SHA3_384) +- f(crypto.SHA3_512) +- f(crypto.SHA512_224) +- f(crypto.SHA512_256) ++ for _, h := range []crypto.Hash{ ++ crypto.SHA224, crypto.SHA256, crypto.SHA384, crypto.SHA512, ++ crypto.SHA512_224, crypto.SHA512_256, ++ } { ++ if boring.Enabled && !boring.SupportsHash(h) { ++ continue ++ } ++ f(h) ++ } ++ for _, h := range []crypto.Hash{crypto.SHA3_224, crypto.SHA3_256, crypto.SHA3_384, crypto.SHA3_512} { ++ if boring.Enabled { ++ // TODO implement fallbacks that checks hash.Hash ++ continue ++ } ++ f(h) + } - if !fips140only.Enforced() { - cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestFIPS140Only$", "-test.v") - cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only") + } + + func withNonApprovedHash(f func(crypto.Hash)) { diff --git a/src/crypto/internal/fips140test/acvp_test.go b/src/crypto/internal/fips140test/acvp_test.go index 6a0b46af2bbe40..fbe7ba6992d0ce 100644 --- a/src/crypto/internal/fips140test/acvp_test.go @@ -1730,7 +1940,7 @@ index 29648b9f386ed7..b3113a3ee2e1fa 100644 "crypto/internal/randutil" "internal/godebug" diff --git a/src/crypto/md5/md5.go b/src/crypto/md5/md5.go -index f1287887ff5e25..b2e26308349566 100644 +index f1287887ff5e25..61e9cc23e5667f 100644 --- a/src/crypto/md5/md5.go +++ b/src/crypto/md5/md5.go @@ -12,6 +12,7 @@ package md5 @@ -1745,7 +1955,7 @@ index f1287887ff5e25..b2e26308349566 100644 // [encoding.BinaryUnmarshaler] to marshal and unmarshal the internal // state of the hash. func New() hash.Hash { -+ if boring.Enabled && boring.SupportsHash(crypto.MD5) { ++ if boring.Enabled && boring.SupportsHash(crypto.MD5) && !fips140only.Enforced() { + return boring.NewMD5() + } d := new(digest) @@ -2425,7 +2635,7 @@ index 00000000000000..bff8ac449c9a3b + return builder.Bytes() +} diff --git a/src/crypto/rsa/fips.go b/src/crypto/rsa/fips.go -index fb2395886b053b..ac0ad4f9490a8b 100644 +index fb2395886b053b..18334e731f9349 100644 --- a/src/crypto/rsa/fips.go +++ b/src/crypto/rsa/fips.go @@ -6,7 +6,7 @@ package rsa @@ -2437,24 +2647,72 @@ index fb2395886b053b..ac0ad4f9490a8b 100644 "crypto/internal/fips140/rsa" "crypto/internal/fips140hash" "crypto/internal/fips140only" -@@ -71,7 +71,7 @@ func SignPSS(random io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte +@@ -71,7 +71,17 @@ func SignPSS(random io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte hash = opts.Hash } - if boring.Enabled && rand.IsDefaultReader(random) { ++ if err := checkFIPS140OnlyPrivateKey(priv); err != nil { ++ return nil, err ++ } ++ if fips140only.Enforced() && !fips140only.ApprovedHash(hash.New()) { ++ return nil, errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") ++ } ++ if fips140only.Enforced() && !fips140only.ApprovedRandomReader(random) { ++ return nil, errors.New("crypto/rsa: only crypto/rand.Reader is allowed in FIPS 140-only mode") ++ } ++ + if boring.Enabled && rand.IsDefaultReader(random) && boring.SupportsRSASaltLength(true, opts.saltLength()) && boring.SupportsRSAPrivateKey(priv.N.BitLen(), len(priv.Primes)) && boring.SupportsHash(hash) { bkey, err := boringPrivateKey(priv) if err != nil { return nil, err -@@ -134,7 +134,7 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts +@@ -82,16 +92,6 @@ func SignPSS(random io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte + + h := fips140hash.Unwrap(hash.New()) + +- if err := checkFIPS140OnlyPrivateKey(priv); err != nil { +- return nil, err +- } +- if fips140only.Enforced() && !fips140only.ApprovedHash(h) { +- return nil, errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") +- } +- if fips140only.Enforced() && !fips140only.ApprovedRandomReader(random) { +- return nil, errors.New("crypto/rsa: only crypto/rand.Reader is allowed in FIPS 140-only mode") +- } +- + k, err := fipsPrivateKey(priv) + if err != nil { + return nil, err +@@ -134,7 +134,14 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts return err } - if boring.Enabled { ++ if err := checkFIPS140OnlyPublicKey(pub); err != nil { ++ return err ++ } ++ if fips140only.Enforced() && !fips140only.ApprovedHash(hash.New()) { ++ return errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") ++ } ++ + if boring.Enabled && boring.SupportsRSASaltLength(false, opts.saltLength()) && boring.SupportsRSAPublicKey(pub.N.BitLen()) && boring.SupportsHash(hash) { bkey, err := boringPublicKey(pub) if err != nil { return err +@@ -147,13 +154,6 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts + + h := fips140hash.Unwrap(hash.New()) + +- if err := checkFIPS140OnlyPublicKey(pub); err != nil { +- return err +- } +- if fips140only.Enforced() && !fips140only.ApprovedHash(h) { +- return errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") +- } +- + k, err := fipsPublicKey(pub) + if err != nil { + return err @@ -203,10 +203,12 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l // // See [EncryptOAEP] for additional details. @@ -2489,24 +2747,66 @@ index fb2395886b053b..ac0ad4f9490a8b 100644 k := priv.Size() if len(ciphertext) > k || k < hash.Size()*2+2 { -@@ -331,7 +333,7 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [ +@@ -331,7 +333,14 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [ return nil, err } - if boring.Enabled { ++ if err := checkFIPS140OnlyPrivateKey(priv); err != nil { ++ return nil, err ++ } ++ if fips140only.Enforced() && hash != crypto.Hash(0) && !fips140only.ApprovedHash(hash.New()) { ++ return nil, errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") ++ } ++ + if boring.Enabled && boring.SupportsRSAPrivateKey(priv.N.BitLen(), len(priv.Primes)) && boring.SupportsRSAPKCS1v15Signature(hash) { bkey, err := boringPrivateKey(priv) if err != nil { return nil, err -@@ -374,7 +376,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) +@@ -339,13 +348,6 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [ + return boring.SignRSAPKCS1v15(bkey, hash, hashed) + } + +- if err := checkFIPS140OnlyPrivateKey(priv); err != nil { +- return nil, err +- } +- if fips140only.Enforced() && !fips140only.ApprovedHash(fips140hash.Unwrap(hash.New())) { +- return nil, errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") +- } +- + k, err := fipsPrivateKey(priv) + if err != nil { + return nil, err +@@ -374,7 +376,14 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) return err } - if boring.Enabled { ++ if err := checkFIPS140OnlyPublicKey(pub); err != nil { ++ return err ++ } ++ if fips140only.Enforced() && hash != crypto.Hash(0) && !fips140only.ApprovedHash(hash.New()) { ++ return errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") ++ } ++ + if boring.Enabled && boring.SupportsRSAPublicKey(pub.N.BitLen()) && boring.SupportsRSAPKCS1v15Signature(hash) { bkey, err := boringPublicKey(pub) if err != nil { return err +@@ -385,13 +394,6 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) + return nil + } + +- if err := checkFIPS140OnlyPublicKey(pub); err != nil { +- return err +- } +- if fips140only.Enforced() && !fips140only.ApprovedHash(fips140hash.Unwrap(hash.New())) { +- return errors.New("crypto/rsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") +- } +- + k, err := fipsPublicKey(pub) + if err != nil { + return err diff --git a/src/crypto/rsa/notboring.go b/src/crypto/rsa/notboring.go index 2abc0436405f8a..3e4d6f3eef61e6 100644 --- a/src/crypto/rsa/notboring.go @@ -2601,7 +2901,7 @@ diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go index e03f4ab06603c6..a9d9daba2fd6ce 100644 --- a/src/crypto/rsa/pss_test.go +++ b/src/crypto/rsa/pss_test.go -@@ -8,6 +8,7 @@ import ( +@@ -8,14 +8,17 @@ import ( "bufio" "compress/bzip2" "crypto" @@ -2609,7 +2909,6 @@ index e03f4ab06603c6..a9d9daba2fd6ce 100644 "crypto/internal/fips140" "crypto/rand" . "crypto/rsa" -@@ -14,8 +15,10 @@ import ( "crypto/sha256" "crypto/sha512" "encoding/hex" @@ -2630,7 +2929,7 @@ index e03f4ab06603c6..a9d9daba2fd6ce 100644 t.Error(err) } default: -@@ -185,6 +191,10 @@ func TestPSSSigning(t *testing.T) { +@@ -180,6 +186,10 @@ func TestPSSSigning(t *testing.T) { continue } @@ -2641,7 +2940,7 @@ index e03f4ab06603c6..a9d9daba2fd6ce 100644 opts.SaltLength = test.verifySaltLength err = VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, &opts) good := test.good -@@ -246,7 +256,9 @@ func fromHex(hexStr string) []byte { +@@ -241,7 +251,9 @@ func fromHex(hexStr string) []byte { func TestInvalidPSSSaltLength(t *testing.T) { t.Setenv("GODEBUG", "rsa1024min=0") @@ -2653,7 +2952,7 @@ index e03f4ab06603c6..a9d9daba2fd6ce 100644 t.Fatal(err) } diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go -index b94b129867727b..9482325d58fe06 100644 +index b94b129867727b..149dd4321f8d72 100644 --- a/src/crypto/rsa/rsa.go +++ b/src/crypto/rsa/rsa.go @@ -43,8 +43,8 @@ package rsa @@ -2684,16 +2983,36 @@ index b94b129867727b..9482325d58fe06 100644 case *PKCS1v15DecryptOptions: if l := opts.SessionKeyLen; l > 0 { -@@ -314,8 +315,7 @@ func GenerateKey(random io.Reader, bits int) (*PrivateKey, error) { +@@ -314,8 +315,14 @@ func GenerateKey(random io.Reader, bits int) (*PrivateKey, error) { return nil, err } - if boring.Enabled && rand.IsDefaultReader(random) && - (bits == 2048 || bits == 3072 || bits == 4096) { ++ if fips140only.Enforced() && bits < 2048 { ++ return nil, errors.New("crypto/rsa: use of keys smaller than 2048 bits is not allowed in FIPS 140-only mode") ++ } ++ if fips140only.Enforced() && bits%2 == 1 { ++ return nil, errors.New("crypto/rsa: use of keys with odd size is not allowed in FIPS 140-only mode") ++ } ++ + if boring.Enabled && rand.IsDefaultReader(random) && boring.SupportsRSAPublicKey(bits) { bN, bE, bD, bP, bQ, bDp, bDq, bQinv, err := boring.GenerateKeyRSA(bits) if err != nil { return nil, err +@@ -352,12 +359,6 @@ func GenerateKey(random io.Reader, bits int) (*PrivateKey, error) { + + random = rand.CustomReader(random) + +- if fips140only.Enforced() && bits < 2048 { +- return nil, errors.New("crypto/rsa: use of keys smaller than 2048 bits is not allowed in FIPS 140-only mode") +- } +- if fips140only.Enforced() && bits%2 == 1 { +- return nil, errors.New("crypto/rsa: use of keys with odd size is not allowed in FIPS 140-only mode") +- } + if fips140only.Enforced() && !fips140only.ApprovedRandomReader(random) { + return nil, errors.New("crypto/rsa: only crypto/rand.Reader is allowed in FIPS 140-only mode") + } diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go index 124fba1e8a4faa..af6d8e9291af62 100644 --- a/src/crypto/rsa/rsa_test.go @@ -2720,7 +3039,7 @@ index 124fba1e8a4faa..af6d8e9291af62 100644 msg := []byte("hi!") enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) diff --git a/src/crypto/sha1/sha1.go b/src/crypto/sha1/sha1.go -index 46e47df1d32cf2..0fb56a3831c8a2 100644 +index 46e47df1d32cf2..05a1368f9833e5 100644 --- a/src/crypto/sha1/sha1.go +++ b/src/crypto/sha1/sha1.go @@ -10,7 +10,7 @@ package sha1 @@ -2732,7 +3051,24 @@ index 46e47df1d32cf2..0fb56a3831c8a2 100644 "crypto/internal/fips140only" "errors" "hash" -@@ -271,12 +271,12 @@ func (d *digest) constSum() [Size]byte { +@@ -113,7 +113,7 @@ func (d *digest) Reset() { + // [encoding.BinaryUnmarshaler] to marshal and unmarshal the internal + // state of the hash. + func New() hash.Hash { +- if boring.Enabled { ++ if boring.Enabled && !fips140only.Enforced() { + return boring.NewSHA1() + } + d := new(digest) +@@ -153,7 +153,6 @@ func (d *digest) Write(p []byte) (nn int, err error) { + } + + func (d *digest) Sum(in []byte) []byte { +- boring.Unreachable() + // Make a copy of d so that caller can keep writing and summing. + d0 := *d + hash := d0.checkSum() +@@ -271,12 +270,12 @@ func (d *digest) constSum() [Size]byte { // Sum returns the SHA-1 checksum of the data. func Sum(data []byte) [Size]byte { @@ -2943,7 +3279,7 @@ index a18a536ba2896f..7b3b37c3b0c10d 100644 } } diff --git a/src/crypto/sha3/sha3.go b/src/crypto/sha3/sha3.go -index 48c67e9fe11005..3fe46309e0fda8 100644 +index 48c67e9fe11005..57c1126b53d804 100644 --- a/src/crypto/sha3/sha3.go +++ b/src/crypto/sha3/sha3.go @@ -8,6 +8,7 @@ package sha3 @@ -3014,7 +3350,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 // Outline the allocation for up to 512 bits of output to the caller's stack. out := make([]byte, 64) return sumSHAKE256(out, data, length) -@@ -99,7 +118,9 @@ func sumSHAKE256(out, data []byte, length int) []byte { +@@ -99,36 +118,57 @@ func sumSHAKE256(out, data []byte, length int) []byte { // SHA3 is an instance of a SHA-3 hash. It implements [hash.Hash]. // The zero value is a usable SHA3-256 hash. type SHA3 struct { @@ -3025,8 +3361,18 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 } //go:linkname fips140hash_sha3Unwrap crypto/internal/fips140hash.sha3Unwrap -@@ -109,26 +130,38 @@ func fips140hash_sha3Unwrap(sha3 *SHA3) *sha3.Digest { +-func fips140hash_sha3Unwrap(sha3 *SHA3) *sha3.Digest { ++func fips140hash_sha3Unwrap(sha3 *SHA3) hash.Hash { ++ if sha3.boringS != nil { ++ return sha3.boringS ++ } + return &sha3.s + } ++// FIPSApproved reports whether this hash algorithm is FIPS 140-3 approved. ++// All SHA-3 hash variants (224, 256, 384, 512) are approved. ++func (s *SHA3) FIPSApproved() bool { return true } ++ // New224 creates a new SHA3-224 hash. func New224() *SHA3 { - return &SHA3{*sha3.New224()} @@ -3069,7 +3415,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 *s = *New256() } } -@@ -136,53 +169,81 @@ func (s *SHA3) init() { +@@ -136,53 +176,81 @@ func (s *SHA3) init() { // Write absorbs more data into the hash's state. func (s *SHA3) Write(p []byte) (n int, err error) { s.init() @@ -3152,7 +3498,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 r := *d return &r, nil } -@@ -190,23 +251,30 @@ func (d *SHA3) Clone() (hash.Cloner, error) { +@@ -190,23 +258,30 @@ func (d *SHA3) Clone() (hash.Cloner, error) { // SHAKE is an instance of a SHAKE extendable output function. // The zero value is a usable SHAKE256 hash. type SHAKE struct { @@ -3187,7 +3533,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 } // NewCSHAKE128 creates a new cSHAKE128 XOF. -@@ -215,7 +283,10 @@ func NewSHAKE256() *SHAKE { +@@ -215,7 +290,10 @@ func NewSHAKE256() *SHAKE { // cSHAKE is desired. S is a customization byte string used for domain // separation. When N and S are both empty, this is equivalent to NewSHAKE128. func NewCSHAKE128(N, S []byte) *SHAKE { @@ -3199,7 +3545,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 } // NewCSHAKE256 creates a new cSHAKE256 XOF. -@@ -224,7 +295,10 @@ func NewCSHAKE128(N, S []byte) *SHAKE { +@@ -224,7 +302,10 @@ func NewCSHAKE128(N, S []byte) *SHAKE { // cSHAKE is desired. S is a customization byte string used for domain // separation. When N and S are both empty, this is equivalent to NewSHAKE256. func NewCSHAKE256(N, S []byte) *SHAKE { @@ -3211,7 +3557,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 } // Write absorbs more data into the XOF's state. -@@ -232,6 +306,9 @@ func NewCSHAKE256(N, S []byte) *SHAKE { +@@ -232,6 +313,9 @@ func NewCSHAKE256(N, S []byte) *SHAKE { // It panics if any output has already been read. func (s *SHAKE) Write(p []byte) (n int, err error) { s.init() @@ -3221,7 +3567,7 @@ index 48c67e9fe11005..3fe46309e0fda8 100644 return s.s.Write(p) } -@@ -240,35 +317,54 @@ func (s *SHAKE) Write(p []byte) (n int, err error) { +@@ -240,35 +324,54 @@ func (s *SHAKE) Write(p []byte) (n int, err error) { // Any call to Write after a call to Read will panic. func (s *SHAKE) Read(p []byte) (n int, err error) { s.init() @@ -4124,5 +4470,3 @@ index 2746ad8783ab22..c39f32c8fba6fc 100644 // Force network usage, to verify the epoll (or whatever) fd // doesn't leak to the child, ln, err := net.Listen("tcp", "127.0.0.1:0") - if err != nil { - t.Fatal(err)