// Package entropy provides the passive entropy source for the FIPS 140-3
// module. It is only used in FIPS mode by [crypto/internal/fips140/drbg.Read]
-// from the FIPS 140-3 Go Cryptographic Module v1.0.0. Later versions of the
-// module have an internal CPU jitter-based entropy source.
+// from the FIPS 140-3 Go Cryptographic Module v1.0.0.
+//
+// Later versions of the module use the CPU jitter-based entropy source in the
+// crypto/internal/entropy/v1.0.0 sub-package.
//
// This complied with IG 9.3.A, Additional Comment 12, which until January 1,
// 2026 allows new modules to meet an [earlier version] of Resolution 2(b):
package drbg
import (
+ entropy "crypto/internal/entropy/v1.0.0"
"crypto/internal/fips140"
- "crypto/internal/fips140/entropy"
"crypto/internal/randutil"
"crypto/internal/sysrand"
"io"
//
// DO NOT add new packages here just to make the tests pass.
var AllowedInternalPackages = map[string]bool{
- // entropy.Depleted is the external passive entropy source, and sysrand.Read
+ // entropy.Depleted/Seed is the entropy source, and sysrand.Read
// is the actual (but uncredited!) random bytes source.
- "crypto/internal/entropy": true,
- "crypto/internal/sysrand": true,
+ "crypto/internal/entropy": true,
+ "crypto/internal/entropy/v1.0.0": true,
+ "crypto/internal/sysrand": true,
// impl.Register is how the packages expose their alternative
// implementations to tests outside the module.
}
}
- // Ensure that all packages except check, check's dependencies, and the
- // entropy source (which is used only from .../fips140/drbg) import check.
+ // Ensure that all packages except check and check's dependencies import check.
for pkg := range allPackages {
switch pkg {
case "crypto/internal/fips140/check":
case "crypto/internal/fips140/sha3":
case "crypto/internal/fips140/sha256":
case "crypto/internal/fips140/sha512":
- case "crypto/internal/fips140/entropy":
default:
if !importCheck[pkg] {
t.Errorf("package %s does not import crypto/internal/fips140/check", pkg)
import (
"bytes"
"crypto/internal/cryptotest"
+ entropy "crypto/internal/entropy/v1.0.0"
"crypto/internal/fips140/drbg"
- "crypto/internal/fips140/entropy"
"crypto/rand"
"crypto/sha256"
"crypto/sha512"
testenv.MustHaveSource(t)
h := sha256.New()
- root := os.DirFS("../fips140/entropy")
+ root := os.DirFS("../entropy/v1.0.0")
if err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error {
if err != nil {
return err
t.Fatalf("WalkDir: %v", err)
}
- // The crypto/internal/fips140/entropy package is certified as a FIPS 140-3
+ // The crypto/internal/entropy/v1.0.0 package is certified as a FIPS 140-3
// entropy source through the Entropy Source Validation program,
// independently of the FIPS 140-3 module. It must not change even across
// FIPS 140-3 module versions, in order to reuse the ESV certificate.
exp := "2541273241ae8aafe55026328354ed3799df1e2fb308b2097833203a42911b53"
if got := hex.EncodeToString(h.Sum(nil)); got != exp {
- t.Errorf("hash of crypto/internal/fips140/entropy = %s, want %s", got, exp)
+ t.Errorf("hash of crypto/internal/entropy/v1.0.0 = %s, want %s", got, exp)
}
}
time, internal/syscall/windows < crypto/internal/fips140deps/time;
crypto/internal/fips140deps/time, errors, math/bits, sync/atomic, unsafe
- < crypto/internal/fips140/entropy;
+ < crypto/internal/entropy/v1.0.0;
STR, hash,
crypto/internal/impl,
crypto/internal/entropy,
crypto/internal/randutil,
- crypto/internal/fips140/entropy,
+ crypto/internal/entropy/v1.0.0,
crypto/internal/fips140deps/byteorder,
crypto/internal/fips140deps/cpu,
crypto/internal/fips140deps/godebug