func (t *tester) fipsSupported() bool {
// Keep this in sync with [crypto/internal/fips140.Supported].
+ // We don't test with the purego tag, so no need to check it.
+
// Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both.
if strings.Contains(goexperiment, "boringcrypto") {
return false
"os"
"path"
"path/filepath"
+ "slices"
"strings"
"golang.org/x/mod/module"
if cfg.ExperimentErr == nil && cfg.Experiment.BoringCrypto && Enabled() {
base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto")
}
+ if slices.Contains(cfg.BuildContext.BuildTags, "purego") && Enabled() {
+ base.Fatalf("go: cannot use GOFIPS140 with the purego build tag")
+ }
}
var initDone bool
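Review bot: The new purego check reads `cfg.BuildContext.BuildTags`, so it only fires if `-tags` has already been parsed into the build context when the enclosing function runs. That function starts outside the hunk and its call sites are not visible, so the ordering is worth confirming. If an early call can happen before flag parsing, the build-time rejection is skipped and only the runtime check in `Supported` remains. A comment above the new `if` would record the assumption, for example `// BuildTags must be final here; Supported rejects purego again at run time.` None of the visible hunks adds a test that a build with GOFIPS140 and the purego tag is refused.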
func Supported() error {
// Keep this in sync with fipsSupported in cmd/dist/test.go.
+ // The purego tag changes too much of the implementation to claim the
+ // validation still applies.
+ if puregoEnabled {
+ return errors.New("FIPS 140-3 mode is incompatible with the purego build tag")
+ }
+
// ASAN disapproves of reading swaths of global memory in fips140/check.
// One option would be to expose runtime.asanunpoison through
// crypto/internal/fips140deps and then call it to unpoison the range
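Review bot: The context comment `// Keep this in sync with fipsSupported in cmd/dist/test.go.` now sits directly above a check that cmd/dist deliberately does not mirror, and only the cmd/dist side explains why. Repeating the reason here, e.g. `// cmd/dist omits this check because it never tests with the purego tag.`, would keep a later reader from "fixing" the mismatch in the wrong direction. Supported's body continues past the end of the hunk.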
--- /dev/null
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !purego
+
+package fips140
+
+const puregoEnabled = false
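Review bot: `puregoEnabled` is declared without a comment in both new files, this one under `//go:build !purego` and the next under `//go:build purego`, although it now decides whether FIPS 140-3 mode may be enabled. A short comment on each declaration, such as `// puregoEnabled reports whether the purego build tag is set; Supported refuses FIPS 140-3 mode when it is.`, would make the pairing explicit. It would also make it easier to keep the two constraint lines complementary.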
--- /dev/null
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build purego
+
+package fips140
+
+const puregoEnabled = true