#
# Note that once published a snapshot zip file should never
# be modified. We record the sha256 hashes of the zip files
-# in fips140.sum, and the cmd/go/internal/fips test checks
+# in fips140.sum, and the cmd/go/internal/fips140 test checks
# that the zips match.
#
# When the zip file is finalized, run 'make updatesum' to update
# copy and edit the 'go run' command by hand to use a different branch.
v%.zip:
git fetch origin master
- go run ../../src/cmd/go/internal/fips/mkzip.go -b master v$*
+ go run ../../src/cmd/go/internal/fips140/mkzip.go -b master v$*
# normally mkzip refuses to overwrite an existing zip file.
# make v1.2.3.rm removes the zip file and and unpacked
# make updatesum updates the fips140.sum file.
updatesum:
- go test cmd/go/internal/fips -update
+ go test cmd/go/internal/fips140 -update
-This directory holds snapshots of the crypto/internal/fips tree
+This directory holds snapshots of the crypto/internal/fips140 tree
that are being validated and certified for FIPS-140 use.
The file x.txt (for example, inprocess.txt, certified.txt)
defines the meaning of the FIPS version alias x, listing
the exact version to use.
-The zip files are created by cmd/go/internal/fips/mkzip.go.
+The zip files are created by cmd/go/internal/fips140/mkzip.go.
The fips140.sum file lists checksums for the zip files.
See the Makefile for recipes.
# remove zip files from the list when they are removed from
# this directory. To update this file:
#
-# go test cmd/go/internal/fips -update
+# go test cmd/go/internal/fips140 -update
#
if pkgname == "runtime" {
continue
}
- if pkgname == "crypto/internal/fips/nistec/fiat" {
+ if pkgname == "crypto/internal/fips140/nistec/fiat" {
continue // golang.org/issue/49372
}
if e.Val(dwarf.AttrStmtList) == nil {
buildmode: "pie",
ldflags: "-linkmode=internal",
env: []string{"CGO_ENABLED=0"},
- pkg: "crypto/internal/fips/check",
+ pkg: "crypto/internal/fips140/check",
})
// Also test a cgo package.
if t.cgoEnabled && t.internalLink() && !disablePIE {
buildmode: "exe",
ldflags: "-linkmode=external",
env: []string{"CGO_ENABLED=1"},
- pkg: "crypto/internal/fips/check",
+ pkg: "crypto/internal/fips140/check",
})
if t.externalLinkPIE() && !disablePIE {
t.registerTest("external linking, -buildmode=pie",
buildmode: "pie",
ldflags: "-linkmode=external",
env: []string{"CGO_ENABLED=1"},
- pkg: "crypto/internal/fips/check",
+ pkg: "crypto/internal/fips140/check",
})
}
}
// - Whether binaries are built to default to running in FIPS-140 mode,
// meaning whether they default to GODEBUG=fips140=on or =off.
//
-// - Which copy of the crypto/internal/fips source code to use.
-// The default is obviously GOROOT/src/crypto/internal/fips,
+// - Which copy of the crypto/internal/fips140 source code to use.
+// The default is obviously GOROOT/src/crypto/internal/fips140,
// but earlier snapshots that have differing levels of external
// validation and certification are stored in GOROOT/lib/fips140
// and can be substituted into the build instead.
//
// When GOFIPS140 is set to something besides off and latest, [Snapshot]
// returns true, indicating that the build should replace the latest copy
-// of crypto/internal/fips with an earlier snapshot. The reason to do
+// of crypto/internal/fips140 with an earlier snapshot. The reason to do
// this is to use a copy that has been through additional lab validation
// (an "in-process" module) or NIST certification (a "certified" module).
// The snapshots are stored in GOROOT/lib/fips140 in module zip form.
//
// A FIPS snapshot like v1.2.3 is integrated into the build in two different ways.
//
-// First, the snapshot's fips140 directory replaces crypto/internal/fips
-// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips
+// First, the snapshot's fips140 directory replaces crypto/internal/fips140
+// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips140
// and everything below it, replacing it with the single subdirectory
-// crypto/internal/fips/v1.2.3, which now has the FIPS packages.
+// crypto/internal/fips140/v1.2.3, which now has the FIPS packages.
// This virtual file system replacement makes patterns like std and crypto...
// automatically see the snapshot packages instead of the original packages
-// as they walk GOROOT/src/crypto/internal/fips.
+// as they walk GOROOT/src/crypto/internal/fips140.
//
-// Second, ResolveImport is called to resolve an import like crypto/internal/fips/sha256.
+// Second, ResolveImport is called to resolve an import like crypto/internal/fips140/sha256.
// When snapshot v1.2.3 is being used, ResolveImport translates that path to
-// crypto/internal/fips/v1.2.3/sha256 and returns the actual source directory
+// crypto/internal/fips140/v1.2.3/sha256 and returns the actual source directory
// in the unpacked snapshot. Using the actual directory instead of the
-// virtual directory GOROOT/src/crypto/internal/fips/v1.2.3 makes sure
+// virtual directory GOROOT/src/crypto/internal/fips140/v1.2.3 makes sure
// that other tools using go list -json output can find the sources,
// as well as making sure builds have a real directory in which to run the
// assembler, compiler, and so on. The translation of the import path happens
// a snapshot - we could make things work without doing that - but including
// the v1.2.3 gives a different version of the code a different name, which is
// always a good general rule. In particular, it will mean that govulncheck need
-// not have any special cases for crypto/internal/fips at all. The reports simply
+// not have any special cases for crypto/internal/fips140 at all. The reports simply
// need to list the relevant symbols in a given Go version. (For example, if a bug
// is only in the in-tree copy but not the snapshots, it doesn't list the snapshot
// symbols; if it's in any snapshots, it has to list the specific snapshot symbols
// in addition to the “normal” symbol.)
-//
-// TODO: crypto/internal/fips is going to move to crypto/internal/fips140,
-// at which point all the crypto/internal/fips references need to be updated.
-package fips
+package fips140
import (
"cmd/go/internal/base"
initVersion()
initDir()
if Snapshot() {
- fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips"))
+ fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))
}
}
}
// Snapshot reports whether FIPS mode is using a source snapshot
-// rather than $GOROOT/src/crypto/internal/fips.
+// rather than $GOROOT/src/crypto/internal/fips140.
// That is, it reports whether GOFIPS140 is set to something besides "latest" or "off".
func Snapshot() bool {
checkInit()
base.Fatalf("go: unknown GOFIPS140 version %q", v)
}
-// Dir reports the directory containing the crypto/internal/fips source code.
-// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips.
+// Dir reports the directory containing the crypto/internal/fips140 source code.
+// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips140.
// Otherwise Dir ensures that the snapshot has been unpacked into the
// module cache and then returns the directory in the module cache
-// corresponding to the crypto/internal/fips directory.
+// corresponding to the crypto/internal/fips140 directory.
func Dir() string {
checkInit()
return dir
func initDir() {
v := version
if v == "latest" || v == "off" {
- dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips")
+ dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140")
return
}
}
// ResolveImport resolves the import path imp.
-// If it is of the form crypto/internal/fips/foo
-// (not crypto/internal/fips/v1.2.3/foo)
+// If it is of the form crypto/internal/fips140/foo
+// (not crypto/internal/fips140/v1.2.3/foo)
// and we are using a snapshot, then LookupImport
-// rewrites the path to crypto/internal/fips/v1.2.3/foo
+// rewrites the path to crypto/internal/fips140/v1.2.3/foo
// and returns that path and its location in the unpacked
// FIPS snapshot.
func ResolveImport(imp string) (newPath, dir string, ok bool) {
checkInit()
- const fips = "crypto/internal/fips"
+ const fips = "crypto/internal/fips140"
if !Snapshot() || !str.HasPathPrefix(imp, fips) {
return "", "", false
}
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package fips
+package fips140
import (
"crypto/sha256"
// Usage:
//
// cd GOROOT/lib/fips140
-// go run ../../src/cmd/go/internal/fips/mkzip.go [-b branch] v1.2.3
+// go run ../../src/cmd/go/internal/fips140/mkzip.go [-b branch] v1.2.3
//
// Mkzip creates a zip file named for the version on the command line
// using the sources in the named branch (default origin/master,
// and it is the path where the zip file will be unpacked in the module cache.
// The path must begin with a domain name to satisfy the module validation rules,
// but otherwise the path is not used. The cmd/go code using these zips
- // knows that the zip contains crypto/internal/fips.
+ // knows that the zip contains crypto/internal/fips140.
goroot := "../.."
var zbuf bytes.Buffer
err = modzip.CreateFromVCS(&zbuf,
module.Version{Path: "golang.org/fips140", Version: version},
- goroot, *flagBranch, "src/crypto/internal/fips")
+ goroot, *flagBranch, "src/crypto/internal/fips140")
if err != nil {
log.Fatal(err)
}
// Write new zip file with longer paths: fips140/v1.2.3/foo.go instead of foo.go.
// That way we can bind the fips140 directory onto the
- // GOROOT/src/crypto/internal/fips directory and get a
- // crypto/internal/fips/v1.2.3 with the snapshot code
- // and an otherwise empty crypto/internal/fips directory.
+ // GOROOT/src/crypto/internal/fips140 directory and get a
+ // crypto/internal/fips140/v1.2.3 with the snapshot code
+ // and an otherwise empty crypto/internal/fips140 directory.
zr, err := zip.NewReader(bytes.NewReader(zbuf.Bytes()), int64(zbuf.Len()))
if err != nil {
log.Fatal(err)
"strconv"
"strings"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/gover"
"cmd/go/internal/modload"
)
// If GOFIPS140 is set to anything but "off",
// default to GODEBUG=fips140=on.
- if fips.Enabled() {
+ if fips140.Enabled() {
if m == nil {
m = make(map[string]string)
}
"cmd/go/internal/base"
"cmd/go/internal/cfg"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/fsys"
"cmd/go/internal/gover"
"cmd/go/internal/imports"
p.BinaryOnly = pp.BinaryOnly
// TODO? Target
- p.Goroot = pp.Goroot || fips.Snapshot() && str.HasFilePathPrefix(p.Dir, fips.Dir())
+ p.Goroot = pp.Goroot || fips140.Snapshot() && str.HasFilePathPrefix(p.Dir, fips140.Dir())
p.Standard = p.Goroot && p.ImportPath != "" && search.IsStandardImportPath(p.ImportPath)
p.GoFiles = pp.GoFiles
p.CgoFiles = pp.CgoFiles
}
r := resolvedImportCache.Do(importKey, func() resolvedImport {
var r resolvedImport
- if newPath, dir, ok := fips.ResolveImport(path); ok {
+ if newPath, dir, ok := fips140.ResolveImport(path); ok {
r.path = newPath
r.dir = dir
} else if cfg.ModulesEnabled {
// directory, so the usual directory rules don't work apply, or rather they
// apply differently depending on whether we are using a snapshot or the
// in-tree copy of the code. We apply a consistent rule here:
- // crypto/internal/fips can only see crypto/internal, never top-of-tree internal.
- // Similarly, crypto/... can see crypto/internal/fips even though the usual rules
+ // crypto/internal/fips140 can only see crypto/internal, never top-of-tree internal.
+ // Similarly, crypto/... can see crypto/internal/fips140 even though the usual rules
// would not allow it in snapshot mode.
- if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips") {
- return nil // crypto can use crypto/internal/fips
+ if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips140") {
+ return nil // crypto can use crypto/internal/fips140
}
- if str.HasPathPrefix(importerPath, "crypto/internal/fips") {
+ if str.HasPathPrefix(importerPath, "crypto/internal/fips140") {
if str.HasPathPrefix(p.ImportPath, "crypto/internal") {
- return nil // crypto/internal/fips can use crypto/internal
+ return nil // crypto/internal/fips140 can use crypto/internal
}
// TODO: Delete this switch once the usages are removed.
switch p.ImportPath {
if cfg.RawGOEXPERIMENT != "" {
appendSetting("GOEXPERIMENT", cfg.RawGOEXPERIMENT)
}
- if fips.Enabled() {
- appendSetting("GOFIPS140", fips.Version())
+ if fips140.Enabled() {
+ appendSetting("GOFIPS140", fips140.Version())
}
appendSetting("GOOS", cfg.BuildContext.GOOS)
if key, val, _ := cfg.GetArchEnv(); key != "" && val != "" {
"cmd/go/internal/base"
"cmd/go/internal/cfg"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/fsys"
"cmd/go/internal/gover"
"cmd/go/internal/lockedfile"
// for example 'go mod tidy', that don't operate in workspace mode.
func InitWorkfile() {
// Initialize fsys early because we need overlay to read go.work file.
- fips.Init()
+ fips140.Init()
if err := fsys.Init(); err != nil {
base.Fatal(err)
}
}
initialized = true
- fips.Init()
+ fips140.Init()
// Keep in sync with WillBeEnabled. We perform extra validation here, and
// there are lots of diagnostics and side effects, so we can't use
"cmd/go/internal/base"
"cmd/go/internal/cfg"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/fsys"
"cmd/go/internal/gover"
"cmd/go/internal/imports"
// stdVendor returns the canonical import path for the package with the given
// path when imported from the standard-library package at parentPath.
func (ld *loader) stdVendor(parentPath, path string) string {
- if p, _, ok := fips.ResolveImport(path); ok {
+ if p, _, ok := fips140.ResolveImport(path); ok {
return p
}
if search.IsStandardImportPath(path) {
"cmd/go/internal/base"
"cmd/go/internal/cache"
"cmd/go/internal/cfg"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/fsys"
"cmd/go/internal/str"
"cmd/internal/buildid"
// to $WORK/b001 from the cache,
// but we went years without caching binaries anyway,
// so not caching them for FIPS will be fine, at least to start.
- if a.Mode == "link" && fips.Enabled() && a.Package != nil && !strings.HasSuffix(a.Package.ImportPath, ".test") {
+ if a.Mode == "link" && fips140.Enabled() && a.Package != nil && !strings.HasSuffix(a.Package.ImportPath, ".test") {
return false
}
oldBuildID := a.buildID
a.buildID = id[1] + buildIDSeparator + id[2]
linkID := buildid.HashToString(b.linkActionID(a.triggers[0]))
- if id[0] == linkID && !fips.Enabled() {
+ if id[0] == linkID && !fips140.Enabled() {
// Best effort attempt to display output from the compile and link steps.
// If it doesn't work, it doesn't work: reusing the cached binary is more
// important than reprinting diagnostic information.
"cmd/go/internal/base"
"cmd/go/internal/cfg"
- "cmd/go/internal/fips"
+ "cmd/go/internal/fips140"
"cmd/go/internal/fsys"
"cmd/go/internal/gover"
"cmd/go/internal/load"
if cfg.BuildBuildmode == "plugin" {
ldflags = append(ldflags, "-pluginpath", pluginPath(root))
}
- if fips.Enabled() {
+ if fips140.Enabled() {
ldflags = append(ldflags, "-fipso", filepath.Join(root.Objdir, "fips.o"))
}
# std lists fips snapshot and not regular fips
go list std
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
# build does not use regular fips
go list -json -test
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
# again with GOFIPS140=$alias
env GOFIPS140=$alias
# std lists fips snapshot and not regular fips
go list std
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
# build does not use regular fips
go list -json -test
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
[short] skip
Since we're not hashing the whole binary, we need to record the parts
of the binary that contain FIPS code, specifically the part of the
-binary corresponding to the crypto/internal/fips package subtree.
+binary corresponding to the crypto/internal/fips140 package subtree.
To do that, we create special symbol types STEXTFIPS, SRODATAFIPS,
SNOPTRDATAFIPS, and SDATAFIPS, which those packages use instead of
STEXT, SRODATA, SNOPTRDATA, and SDATA. The linker groups symbols by
their type, so that naturally makes the FIPS parts contiguous within a
given type. The linker then writes out in a special symbol the start
and end of each of these FIPS-specific sections, alongside the
-expected HMAC-SHA256 of them. At startup, the crypto/internal/fips/check
+expected HMAC-SHA256 of them. At startup, the crypto/internal/fips140/check
package has an init function that recomputes the hash and checks it
against the recorded expectation.
The compiler invents an anonymous array and then treats the code as in
the first example. In both cases, a load-time relocation applied
-before the crypto/internal/fips/check init function would invalidate
+before the crypto/internal/fips140/check init function would invalidate
the hash. Instead, we disable the “link time initialization” optimizations
in the compiler (package staticinit) for the fips packages.
That way, the slice initialization is deferred to its own init function.
-As long as the package in question imports crypto/internal/fips/check,
+As long as the package in question imports crypto/internal/fips140/check,
the hash check will happen before the package's own init function
runs, and so the hash check will see the slice header written by the
linker, with a slice base pointer predictably nil instead of the
The cryptographic code+data must be included in the hash-verified
data. In general we accomplish that by putting all symbols from
-crypto/internal/fips/... packages into the hash-verified data.
+crypto/internal/fips140/... packages into the hash-verified data.
But not all.
Note that wrapper code that layers a Go API atop the cryptographic
-core is unverified. For example, crypto/internal/fips/sha256 is part of
+core is unverified. For example, crypto/internal/fips140/sha256 is part of
the FIPS module and verified but the crypto/sha256 package that wraps
it is outside the module and unverified. Also, runtime support like
the implementation of malloc and garbage collection is outside the
const enableFIPS = true
-// IsFIPS reports whether we are compiling one of the crypto/internal/fips/... packages.
+// IsFIPS reports whether we are compiling one of the crypto/internal/fips140/... packages.
func (ctxt *Link) IsFIPS() bool {
if strings.HasSuffix(ctxt.Pkgpath, "_test") {
// External test packages are outside the FIPS hash scope.
// emit absolute relocations in the global data.
return false
}
- return ctxt.Pkgpath == "crypto/internal/fips" || strings.HasPrefix(ctxt.Pkgpath, "crypto/internal/fips/")
+ return ctxt.Pkgpath == "crypto/internal/fips140" || strings.HasPrefix(ctxt.Pkgpath, "crypto/internal/fips140/")
}
// bisectFIPS controls bisect-based debugging of FIPS symbol assignment.
// It should instead pass -shared to the compiler to get true
// position-independent code, at which point FIPS verification
// would work fine. FIPS verification does work fine on -buildmode=exe,
- // but -buildmode=pie is the default, so crypto/internal/fips/check
+ // but -buildmode=pie is the default, so crypto/internal/fips140/check
// would fail during all.bash if we enabled FIPS here.
// Perhaps the default should be changed back to -buildmode=exe,
// after which we could remove this case, but until then,
return
}
- // Name must begin with crypto/internal/fips, then dot or slash.
+ // Name must begin with crypto/internal/fips140, then dot or slash.
// The quick check for 'c' before the string compare is probably overkill,
// but this function is called a fair amount, and we don't want to
// slow down all the non-FIPS compilations.
- const prefix = "crypto/internal/fips"
+ const prefix = "crypto/internal/fips140"
name := s.Name
if len(name) <= len(prefix) || (name[len(prefix)] != '.' && name[len(prefix)] != '/') || name[0] != 'c' || name[:len(prefix)] != prefix {
return
// Now we're at least handling a FIPS symbol.
// It's okay to be slower now, since this code only runs when compiling a few packages.
- // Even in the crypto/internal/fips packages,
+ // Even in the crypto/internal/fips140 packages,
// we exclude various Go runtime metadata,
// so that it can be allowed to contain data relocations.
if strings.Contains(name, ".init") ||
// This symbol is linknamed to go:fipsinfo,
// so we shouldn't see it, but skip it just in case.
- if s.Name == "crypto/internal/fips/check.linkinfo" {
+ if s.Name == "crypto/internal/fips140/check.linkinfo" {
return
}
// checkFIPSReloc should be called for every relocation applied to s.
// It rejects absolute (non-PC-relative) address relocations when building
// with go build -buildmode=pie (which triggers the compiler's -shared flag),
-// because those relocations will be applied before crypto/internal/fips/check
+// because those relocations will be applied before crypto/internal/fips140/check
// can hash-verify the FIPS code+data, which will make the verification fail.
func (s *LSym) checkFIPSReloc(ctxt *Link, rel Reloc) {
if !ctxt.Flag_shared {
Having collated the FIPS symbols, we need to compute the hash
and then leave both the expected hash and the FIPS address ranges
-for the run-time check in crypto/internal/fips/check.
+for the run-time check in crypto/internal/fips140/check.
We do that by creating a special symbol named go:fipsinfo of the form
struct {
}
}
-The crypto/internal/fips/check uses linkname to access this symbol,
+The crypto/internal/fips140/check uses linkname to access this symbol,
which is of course not included in the hash.
# FIPS Info Calculation
-fipso can be set to the name of a file (such as /tmp/fips.o)
where the linker will write the “FIPS object” that is being hashed.
-There is also commented-out code in crypto/internal/fips/check that
+There is also commented-out code in crypto/internal/fips140/check that
will write /tmp/fipscheck.o during the run-time verification.
When the hashes differ, the first step is to uncomment the
if ctxt.BuildMode == BuildModePlugin { // not sure why this doesn't work
return
}
- // Write the fipsinfo symbol, which crypto/internal/fips/check uses.
+ // Write the fipsinfo symbol, which crypto/internal/fips140/check uses.
ldr := ctxt.loader
// TODO lock down linkname
info := ldr.CreateSymForUpdate("go:fipsinfo", 0)
"runtime.coroswitch": {"iter"},
"runtime.newcoro": {"iter"},
// fips info
- "go:fipsinfo": {"crypto/internal/fips/check"},
+ "go:fipsinfo": {"crypto/internal/fips140/check"},
}
// check if a linkname reference to symbol s from pkg is allowed
import (
"crypto/cipher"
"crypto/internal/boring"
- "crypto/internal/fips/aes"
+ "crypto/internal/fips140/aes"
"strconv"
)
import (
"bytes"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/alias"
"crypto/subtle"
)
package cipher
import (
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/alias"
"crypto/subtle"
)
import (
"bytes"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/alias"
"crypto/subtle"
)
"crypto/cipher"
"crypto/internal/boring"
"crypto/internal/cryptotest"
- fipsaes "crypto/internal/fips/aes"
+ fipsaes "crypto/internal/fips140/aes"
"encoding/hex"
"fmt"
"math/rand"
package cipher
import (
- "crypto/internal/fips/aes"
- "crypto/internal/fips/aes/gcm"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/aes/gcm"
+ "crypto/internal/fips140/alias"
"crypto/subtle"
"errors"
"internal/byteorder"
// In Seal, we could work through the input backwards or intentionally load
// ahead before writing.
//
- // However, the crypto/internal/fips/aes/gcm APIs also check for exact overlap,
+ // However, the crypto/internal/fips140/aes/gcm APIs also check for exact overlap,
// so for now we just do a memmove if we detect overlap.
//
// ┌───────────────────────────┬ ─ ─
// gcmFallback is only used for non-AES ciphers, which regrettably we
// theoretically support. It's a copy of the generic implementation from
-// crypto/internal/fips/aes/gcm/gcm_generic.go, refer to that file for more details.
+// crypto/internal/fips140/aes/gcm/gcm_generic.go, refer to that file for more details.
type gcmFallback struct {
cipher Block
nonceSize int
"crypto/cipher"
"crypto/internal/boring"
"crypto/internal/cryptotest"
- "crypto/internal/fips"
- fipsaes "crypto/internal/fips/aes"
- "crypto/internal/fips/aes/gcm"
+ "crypto/internal/fips140"
+ fipsaes "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/aes/gcm"
"crypto/rand"
"encoding/hex"
"errors"
return aead
}
tryNonce := func(aead cipher.AEAD, nonce []byte) bool {
- fips.ResetServiceIndicator()
+ fips140.ResetServiceIndicator()
aead.Seal(nil, nonce, []byte("x"), nil)
- return fips.ServiceIndicator()
+ return fips140.ServiceIndicator()
}
expectTrue := func(t *testing.T, aead cipher.AEAD, nonce []byte) {
t.Helper()
package cipher
import (
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/alias"
"crypto/subtle"
)
import (
"crypto/cipher"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/alias"
"internal/byteorder"
"strconv"
)
import (
"bytes"
"crypto/internal/boring"
- "crypto/internal/fips/ecdh"
+ "crypto/internal/fips140/ecdh"
"errors"
"io"
)
import (
"bytes"
- "crypto/internal/fips/edwards25519/field"
+ "crypto/internal/fips140/edwards25519/field"
"crypto/internal/randutil"
"errors"
"io"
"crypto/elliptic"
"crypto/internal/boring"
"crypto/internal/boring/bbig"
- "crypto/internal/fips/ecdsa"
+ "crypto/internal/fips140/ecdsa"
"crypto/internal/randutil"
"crypto/sha512"
"crypto/subtle"
import (
"crypto"
- "crypto/internal/fips/ed25519"
+ "crypto/internal/fips140/ed25519"
cryptorand "crypto/rand"
"crypto/subtle"
"errors"
package elliptic
import (
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140/nistec"
"errors"
"math/big"
)
package elliptic
import (
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140/nistec"
"math/big"
)
import (
"crypto/internal/boring"
- "crypto/internal/fips/hmac"
+ "crypto/internal/fips140/hmac"
"crypto/subtle"
"hash"
)
// license that can be found in the LICENSE file.
// Package entropy provides the passive entropy source for the FIPS 140-3
-// module. It is only used in FIPS mode by [crypto/internal/fips/drbg.Read].
+// module. It is only used in FIPS mode by [crypto/internal/fips140/drbg.Read].
//
// This complies with IG 9.3.A, Additional Comment 12, which until January 1,
// 2026 allows new modules to meet an [earlier version] of Resolution 2(b):
+++ /dev/null
-//go:build !purego && !wasm
-
-#include "textflag.h"
-
-DATA crypto∕internal∕fips∕check∕checktest·RODATA(SB)/4, $2
-GLOBL crypto∕internal∕fips∕check∕checktest·RODATA(SB), RODATA, $4
package aes
import (
- "crypto/internal/fips"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/alias"
"strconv"
)
if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
panic("crypto/aes: invalid buffer overlap")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
encryptBlock(c, dst, src)
}
if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
panic("crypto/aes: invalid buffer overlap")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
decryptBlock(c, dst, src)
}
package aes
import (
- "crypto/internal/fipsdeps/cpu"
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140deps/cpu"
+ "crypto/internal/fips140deps/godebug"
"crypto/internal/impl"
)
package aes
-import "crypto/internal/fipsdeps/byteorder"
+import "crypto/internal/fips140deps/byteorder"
// Encrypt one block from src into dst, using the expanded key xk.
func encryptBlockGeneric(c *blockExpanded, dst, src []byte) {
package aes
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
"errors"
)
func init() {
- fips.CAST("AES-CBC", func() error {
+ fips140.CAST("AES-CBC", func() error {
key := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package aes
import (
- "crypto/internal/fips/alias"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/alias"
+ "crypto/internal/fips140/subtle"
)
type CBCEncrypter struct {
package aes
import (
- "crypto/internal/fips/alias"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140/alias"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
"math/bits"
)
package aes
import (
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
)
func ctrBlocks1(b *Block, dst, src *[BlockSize]byte, ivlo, ivhi uint64) {
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
+ _ "crypto/internal/fips140/check"
"errors"
)
func init() {
// Counter KDF covers CMAC per IG 10.3.B, and CMAC covers GCM per IG 10.3.A
// Resolution 1.d(i). AES decryption is covered by the CBC CAST in package
- // crypto/internal/fips/aes.
- fips.CAST("CounterKDF", func() error {
+ // crypto/internal/fips140/aes.
+ fips140.CAST("CounterKDF", func() error {
key := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
)
// CMAC implements the CMAC mode from NIST SP 800-38B.
}
func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {
- fips.RecordApproved()
+ fips140.RecordApproved()
_ = c.b // Hoist the nil check out of the loop.
var x [aes.BlockSize]byte
if len(m) == 0 {
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
)
// CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES,
// DeriveKey derives a key from the given label and context.
func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte {
- fips.RecordApproved()
+ fips140.RecordApproved()
var output [32]byte
var input [aes.BlockSize]byte
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/alias"
"errors"
)
}
func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return g.sealAfterIndicator(dst, nonce, plaintext, data)
}
panic("crypto/cipher: invalid buffer overlap of output and additional data")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
if err := open(out, g, nonce, ciphertext, data); err != nil {
// We sometimes decrypt and authenticate concurrently, so we overwrite
// dst in the event of a tag mismatch. To be consistent across platforms
package gcm
import (
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package gcm
import (
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
)
func sealGeneric(out []byte, g *GCM, nonce, plaintext, additionalData []byte) {
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/alias"
- "crypto/internal/fips/drbg"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/alias"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140deps/byteorder"
"math"
)
if alias.AnyOverlap(out, additionalData) {
panic("crypto/cipher: invalid buffer overlap of output and additional data")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
drbg.Read(nonce)
seal(out, g, nonce, plaintext, additionalData)
}
}
g.next = counter + 1
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
}
func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.Open(dst, nonce, ciphertext, data)
}
}
g.next = counter + 1
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
}
func (g *GCMForTLS12) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.Open(dst, nonce, ciphertext, data)
}
}
g.next = counter + 1
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
}
func (g *GCMForTLS13) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.Open(dst, nonce, ciphertext, data)
}
}
g.next = counter + 1
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
}
func (g *GCMForSSH) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
return g.g.Open(dst, nonce, ciphertext, data)
}
package gcm
import (
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
+ "crypto/internal/fips140deps/godebug"
"crypto/internal/impl"
"runtime"
)
package gcm
import (
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package gcm
import (
- "crypto/internal/fips"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140deps/byteorder"
)
// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
// It is not allowed as a stand-alone operation in FIPS mode because it
// is not ACVP tested.
func GHASH(key *[16]byte, inputs ...[]byte) []byte {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
var out [gcmBlockSize]byte
ghash(&out, key, inputs...)
return out[:]
import (
"crypto/cipher"
- "crypto/internal/fips/aes/gcm"
+ "crypto/internal/fips140/aes/gcm"
)
var _ cipher.AEAD = (*gcm.GCM)(nil)
import (
"crypto/cipher"
- "crypto/internal/fips/aes"
+ "crypto/internal/fips140/aes"
)
var _ cipher.Block = (*aes.Block)(nil)
-module crypto/internal/fips/bigmod/_asm
+module crypto/internal/fips140/bigmod/_asm
go 1.19
//go:generate go run . -out ../nat_amd64.s -pkg bigmod
func main() {
- Package("crypto/internal/fips/bigmod")
+ Package("crypto/internal/fips140/bigmod")
ConstraintExpr("!purego")
addMulVVW(1024)
package bigmod
import (
- _ "crypto/internal/fips/check"
- "crypto/internal/fipsdeps/byteorder"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
)
package bigmod
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// derived from crypto/internal/fips/bigmod/nat_riscv64.s
+// derived from crypto/internal/fips140/bigmod/nat_riscv64.s
//go:build !purego
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package fips
+package fips140
import (
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140deps/godebug"
"errors"
"strings"
_ "unsafe" // for go:linkname
// fatal is [runtime.fatal], pushed via linkname.
//
-//go:linkname fatal crypto/internal/fips.fatal
+//go:linkname fatal crypto/internal/fips140.fatal
func fatal(string)
// failfipscast is a GODEBUG key allowing simulation of a CAST or PCT failure,
// The name must not contain commas, colons, hashes, or equal signs.
//
// If a package p calls CAST from its init function, an import of p should also
-// be added to crypto/internal/fipstest. If a package p calls CAST on the first
+// be added to crypto/internal/fips140test. If a package p calls CAST on the first
// use of the algorithm, an invocation of that algorithm should be added to
// fipstest.TestConditionals.
func CAST(name string, f func() error) {
// Package check implements the FIPS-140 load-time code+data verification.
// Every FIPS package providing cryptographic functionality except hmac and sha256
-// must import crypto/internal/fips/check, so that the verification happens
+// must import crypto/internal/fips140/check, so that the verification happens
// before initialization of package global variables.
// The hmac and sha256 packages are used by this package, so they cannot import it.
// Instead, those packages must be careful not to change global variables during init.
package check
import (
- "crypto/internal/fips/hmac"
- "crypto/internal/fips/sha256"
- "crypto/internal/fipsdeps/byteorder"
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140/hmac"
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140deps/byteorder"
+ "crypto/internal/fips140deps/godebug"
"io"
"runtime"
"unsafe"
if asanEnabled {
// ASAN disapproves of reading swaths of global memory below.
// One option would be to expose runtime.asanunpoison through
- // crypto/internal/fipsdeps and then call it to unpoison the range
+ // crypto/internal/fips140deps and then call it to unpoison the range
// before reading it, but it is unclear whether that would then cause
// false negatives. For now, FIPS+ASAN doesn't need to work.
// If this is made to work, also re-enable the test in check_test.go.
--- /dev/null
+//go:build !purego && !wasm
+
+#include "textflag.h"
+
+DATA crypto∕internal∕fips140∕check∕checktest·RODATA(SB)/4, $2
+GLOBL crypto∕internal∕fips140∕check∕checktest·RODATA(SB), RODATA, $4
// license that can be found in the LICENSE file.
// Package checktest defines some code and data for use in
-// the crypto/internal/fips/check test.
+// the crypto/internal/fips140/check test.
package checktest
import (
- _ "crypto/internal/fips/check"
+ _ "crypto/internal/fips140/check"
"runtime"
_ "unsafe" // go:linkname
)
// The linkname here disables asan registration of this global,
// because asan gets mad about rodata globals.
//
-//go:linkname RODATA crypto/internal/fips/check/checktest.RODATA
+//go:linkname RODATA crypto/internal/fips140/check/checktest.RODATA
var RODATA int32 // set to 2 in asm.s
// DATA needs to have both a pointer and an int so that _some_ of it gets
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
"errors"
)
// Per IG 10.3.A, Resolution 7: "A KAT of a DRBG may be performed by:
// Instantiate with known data, Reseed with other known data, Generate and
// then compare the result to a pre-computed value."
- fips.CAST("CTR_DRBG", func() error {
+ fips140.CAST("CTR_DRBG", func() error {
entropy := &[SeedSize]byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package drbg
import (
- "crypto/internal/fips"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
"math/bits"
)
func NewCounter(entropy *[SeedSize]byte) *Counter {
// CTR_DRBG_Instantiate_algorithm, per Section 10.2.1.3.1.
- fips.RecordApproved()
+ fips140.RecordApproved()
K := make([]byte, keySize)
V := make([]byte, aes.BlockSize)
func (c *Counter) Reseed(entropy, additionalInput *[SeedSize]byte) {
// CTR_DRBG_Reseed_algorithm, per Section 10.2.1.4.1.
- fips.RecordApproved()
+ fips140.RecordApproved()
var seed [SeedSize]byte
subtle.XORBytes(seed[:], entropy[:], additionalInput[:])
// Generate produces at most maxRequestSize bytes of random data in out.
func (c *Counter) Generate(out []byte, additionalInput *[SeedSize]byte) (reseedRequired bool) {
// CTR_DRBG_Generate_algorithm, per Section 10.2.1.5.1.
- fips.RecordApproved()
+ fips140.RecordApproved()
if len(out) > maxRequestSize {
panic("crypto/drbg: internal error: request size exceeds maximum")
import (
"crypto/internal/entropy"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"crypto/internal/sysrand"
"sync"
)
// uses an SP 800-90A Rev. 1 Deterministic Random Bit Generator (DRBG).
// Otherwise, it uses the operating system's random number generator.
func Read(b []byte) {
- if !fips.Enabled {
+ if !fips140.Enabled {
sysrand.Read(b)
return
}
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/nistec"
"errors"
"sync"
)
var fipsSelfTest = sync.OnceFunc(func() {
// Per IG D.F, Scenario 2, path (1).
- fips.CAST("KAS-ECC-SSC P-256", func() error {
+ fips140.CAST("KAS-ECC-SSC P-256", func() error {
privateKey := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/nistec"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/nistec"
+ "crypto/internal/fips140deps/byteorder"
"crypto/internal/randutil"
"errors"
"io"
// DRBG (and the function runs considerably slower).
func GenerateKeyP224(rand io.Reader) (privateKey, publicKey []byte, err error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return generateKey(rand, nistec.NewP224Point, p224Order)
}
// DRBG (and the function runs considerably slower).
func GenerateKeyP256(rand io.Reader) (privateKey, publicKey []byte, err error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return generateKey(rand, nistec.NewP256Point, p256Order)
}
// DRBG (and the function runs considerably slower).
func GenerateKeyP384(rand io.Reader) (privateKey, publicKey []byte, err error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return generateKey(rand, nistec.NewP384Point, p384Order)
}
// DRBG (and the function runs considerably slower).
func GenerateKeyP521(rand io.Reader) (privateKey, publicKey []byte, err error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return generateKey(rand, nistec.NewP521Point, p521Order)
}
for {
key := make([]byte, len(scalarOrder))
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(key)
} else {
randutil.MaybeReadByte(rand)
}
func ImportKeyP224(privateKey []byte) (publicKey []byte, err error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return checkKeyAndComputePublicKey(privateKey, nistec.NewP224Point, p224Order)
}
func ImportKeyP256(privateKey []byte) (publicKey []byte, err error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return checkKeyAndComputePublicKey(privateKey, nistec.NewP256Point, p256Order)
}
func ImportKeyP384(privateKey []byte) (publicKey []byte, err error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return checkKeyAndComputePublicKey(privateKey, nistec.NewP384Point, p384Order)
}
func ImportKeyP521(privateKey []byte) (publicKey []byte, err error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return checkKeyAndComputePublicKey(privateKey, nistec.NewP521Point, p521Order)
}
// Comment 1 goes out of its way to say that "the PCT shall be performed
// consistent [...], even if the underlying standard does not require a
// PCT". So we do it. And make ECDH nearly 50% slower (only) in FIPS mode.
- if err := fips.PCT("ECDH PCT", func() error {
+ if err := fips140.PCT("ECDH PCT", func() error {
p1, err := newPoint().ScalarBaseMult(key)
if err != nil {
return err
func CheckPublicKeyP224(publicKey []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return checkPublicKey(publicKey, nistec.NewP224Point)
}
func CheckPublicKeyP256(publicKey []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return checkPublicKey(publicKey, nistec.NewP256Point)
}
func CheckPublicKeyP384(publicKey []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return checkPublicKey(publicKey, nistec.NewP384Point)
}
func CheckPublicKeyP521(publicKey []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return checkPublicKey(publicKey, nistec.NewP521Point)
}
func ECDHP224(privateKey, publicKey []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return ecdh(privateKey, publicKey, nistec.NewP224Point)
}
func ECDHP256(privateKey, publicKey []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return ecdh(privateKey, publicKey, nistec.NewP256Point)
}
func ECDHP384(privateKey, publicKey []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return ecdh(privateKey, publicKey, nistec.NewP384Point)
}
func ECDHP521(privateKey, publicKey []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return ecdh(privateKey, publicKey, nistec.NewP521Point)
}
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/sha512"
"errors"
"sync"
)
}
func fipsPCT[P Point[P]](c *Curve[P], k *PrivateKey) error {
- return fips.PCT("ECDSA PCT", func() error {
+ return fips140.PCT("ECDSA PCT", func() error {
hash := testHash()
sig, err := Sign(c, sha512.New, k, nil, hash)
if err != nil {
}
var fipsSelfTest = sync.OnceFunc(func() {
- fips.CAST("ECDSA P-256 SHA2-512 sign and verify", func() error {
+ fips140.CAST("ECDSA P-256 SHA2-512 sign and verify", func() error {
k := testPrivateKey()
Z := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
})
var fipsSelfTestDeterministic = sync.OnceFunc(func() {
- fips.CAST("DetECDSA P-256 SHA2-512 sign", func() error {
+ fips140.CAST("DetECDSA P-256 SHA2-512 sign", func() error {
k := testPrivateKey()
hash := testHash()
want := &Signature{
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/bigmod"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/bigmod"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/nistec"
"crypto/internal/randutil"
"errors"
"io"
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09}
func NewPrivateKey[P Point[P]](c *Curve[P], D, Q []byte) (*PrivateKey, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
pub, err := NewPublicKey(c, Q)
if err != nil {
return nil, err
//
// In FIPS mode, rand is ignored.
func GenerateKey[P Point[P]](c *Curve[P], rand io.Reader) (*PrivateKey, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
k, Q, err := randomPoint(c, func(b []byte) error {
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(b)
return nil
} else {
// to that length.
//
// The signature is randomized. If FIPS mode is enabled, rand is ignored.
-func Sign[P Point[P], H fips.Hash](c *Curve[P], h func() H, priv *PrivateKey, rand io.Reader, hash []byte) (*Signature, error) {
+func Sign[P Point[P], H fips140.Hash](c *Curve[P], h func() H, priv *PrivateKey, rand io.Reader, hash []byte) (*Signature, error) {
if priv.pub.curve != c.curve {
return nil, errors.New("ecdsa: private key does not match curve")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
fipsSelfTest()
// Random ECDSA is dangerous, because a failure of the RNG would immediately
// advantage of closely resembling Deterministic ECDSA.
Z := make([]byte, len(priv.d))
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(Z)
} else {
randutil.MaybeReadByte(rand)
// hash is longer than the bit-length of the private key's curve order, the hash
// will be truncated to that length. This applies Deterministic ECDSA as
// specified in FIPS 186-5 and RFC 6979.
-func SignDeterministic[P Point[P], H fips.Hash](c *Curve[P], h func() H, priv *PrivateKey, hash []byte) (*Signature, error) {
+func SignDeterministic[P Point[P], H fips140.Hash](c *Curve[P], h func() H, priv *PrivateKey, hash []byte) (*Signature, error) {
if priv.pub.curve != c.curve {
return nil, errors.New("ecdsa: private key does not match curve")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
fipsSelfTestDeterministic()
drbg := newDRBG(h, priv.d, bits2octets(c, hash), nil) // RFC 6979, Section 3.3
return sign(c, priv, drbg, hash)
if pub.curve != c.curve {
return errors.New("ecdsa: public key does not match curve")
}
- fips.RecordApproved()
+ fips140.RecordApproved()
fipsSelfTest()
return verify(c, pub, hash, sig)
}
package ecdsa
import (
- "crypto/internal/fips/bigmod"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140/bigmod"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
"errors"
)
import (
"bytes"
- "crypto/internal/fips/bigmod"
+ "crypto/internal/fips140/bigmod"
"crypto/rand"
"io"
"testing"
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/hmac"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hmac"
)
// hmacDRBG is an SP 800-90A Rev. 1 HMAC_DRBG.
isPersonalizationString()
}
-func newDRBG[H fips.Hash](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG {
+func newDRBG[H fips140.Hash](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG {
// HMAC_DRBG_Instantiate_algorithm, per Section 10.1.2.3.
- fips.RecordApproved()
+ fips140.RecordApproved()
d := &hmacDRBG{
newHMAC: func(key []byte) *hmac.HMAC {
// Generate produces at most maxRequestSize bytes of random data in out.
func (d *hmacDRBG) Generate(out []byte) {
// HMAC_DRBG_Generate_algorithm, per Section 10.1.2.5.
- fips.RecordApproved()
+ fips140.RecordApproved()
if len(out) > maxRequestSize {
panic("ecdsa: internal error: request size exceeds maximum")
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
"errors"
"sync"
)
func fipsPCT(k *PrivateKey) error {
- return fips.PCT("Ed25519 sign and verify PCT", func() error {
+ return fips140.PCT("Ed25519 sign and verify PCT", func() error {
return pairwiseTest(k)
})
}
}
var fipsSelfTest = sync.OnceFunc(func() {
- fips.CAST("Ed25519 sign and verify", func() error {
+ fips140.CAST("Ed25519 sign and verify", func() error {
seed := [32]byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/edwards25519"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/edwards25519"
+ "crypto/internal/fips140/sha512"
"errors"
"io"
"strconv"
}
func generateKey(priv *PrivateKey, rand io.Reader) (*PrivateKey, error) {
- fips.RecordApproved()
- if fips.Enabled {
+ fips140.RecordApproved()
+ if fips140.Enabled {
drbg.Read(priv.seed[:])
} else {
if _, err := io.ReadFull(rand, priv.seed[:]); err != nil {
}
func newPrivateKeyFromSeed(priv *PrivateKey, seed []byte) (*PrivateKey, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
if l := len(seed); l != seedSize {
return nil, errors.New("ed25519: bad seed length: " + strconv.Itoa(l))
}
}
func newPrivateKey(priv *PrivateKey, privBytes []byte) (*PrivateKey, error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
if l := len(privBytes); l != privateKeySize {
return nil, errors.New("ed25519: bad private key length: " + strconv.Itoa(l))
}
func sign(signature []byte, priv *PrivateKey, message []byte) []byte {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return signWithDom(signature, priv, message, domPrefixPure, "")
}
func signPH(signature []byte, priv *PrivateKey, message []byte, context string) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
if l := len(message); l != sha512Size {
return nil, errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l))
}
func signCtx(signature []byte, priv *PrivateKey, message []byte, context string) ([]byte, error) {
fipsSelfTest()
// FIPS 186-5 specifies Ed25519 and Ed25519ph (with context), but not Ed25519ctx.
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
// Note that per RFC 8032, Section 5.1, the context SHOULD NOT be empty.
if l := len(context); l > 255 {
return nil, errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l))
func verify(pub *PublicKey, message, sig []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
return verifyWithDom(pub, message, sig, domPrefixPure, "")
}
func VerifyPH(pub *PublicKey, message []byte, sig []byte, context string) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
if l := len(message); l != sha512Size {
return errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l))
}
func VerifyCtx(pub *PublicKey, message []byte, sig []byte, context string) error {
fipsSelfTest()
// FIPS 186-5 specifies Ed25519 and Ed25519ph (with context), but not Ed25519ctx.
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
if l := len(context); l > 255 {
return errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l))
}
package edwards25519
import (
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/edwards25519/field"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/edwards25519/field"
"errors"
)
package edwards25519
import (
- "crypto/internal/fips/edwards25519/field"
+ "crypto/internal/fips140/edwards25519/field"
"encoding/hex"
"reflect"
"testing"
//go:generate go run . -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field
func main() {
- Package("crypto/internal/fips/edwards25519/field")
+ Package("crypto/internal/fips140/edwards25519/field")
ConstraintExpr("!purego")
feMul()
feSquare()
-module crypto/internal/fips/edwards25519/field/_asm
+module crypto/internal/fips140/edwards25519/field/_asm
go 1.19
package field
import (
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
)
package edwards25519
import (
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140deps/byteorder"
"errors"
)
package edwards25519
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
)
// A dynamic lookup table for variable-base, constant-time scalar muls.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package fips
+package fips140
-import "crypto/internal/fipsdeps/godebug"
+import "crypto/internal/fips140deps/godebug"
var Enabled bool
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package fips
+package fips140
import "io"
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/sha256"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/sha256"
"errors"
)
func init() {
- fips.CAST("HKDF-SHA2-256", func() error {
+ fips140.CAST("HKDF-SHA2-256", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package hkdf
import (
- "crypto/internal/fips"
- "crypto/internal/fips/hmac"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hmac"
)
-func Extract[H fips.Hash](h func() H, secret, salt []byte) []byte {
+func Extract[H fips140.Hash](h func() H, secret, salt []byte) []byte {
if len(secret) < 112/8 {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
if salt == nil {
salt = make([]byte, h().Size())
return extractor.Sum(nil)
}
-func Expand[H fips.Hash](h func() H, pseudorandomKey, info []byte, keyLen int) []byte {
+func Expand[H fips140.Hash](h func() H, pseudorandomKey, info []byte, keyLen int) []byte {
out := make([]byte, 0, keyLen)
expander := hmac.New(h, pseudorandomKey)
hmac.MarkAsUsedInHKDF(expander)
return out
}
-func Key[H fips.Hash](h func() H, secret, salt, info []byte, keyLen int) []byte {
+func Key[H fips140.Hash](h func() H, secret, salt, info []byte, keyLen int) []byte {
prk := Extract(h, secret, salt)
return Expand(h, prk, info, keyLen)
}
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/sha256"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/sha256"
"errors"
)
func init() {
- fips.CAST("HMAC-SHA2-256", func() error {
+ fips140.CAST("HMAC-SHA2-256", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package hmac
import (
- "crypto/internal/fips"
- "crypto/internal/fips/sha256"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/sha512"
)
// key is zero padded to the block size of the hash function
type HMAC struct {
opad, ipad []byte
- outer, inner fips.Hash
+ outer, inner fips140.Hash
// If marshaled is true, then opad and ipad do not contain a padded
// copy of the key, but rather the marshaled state of outer/inner after
// legacy use (i.e. verification only) and we don't support that. However,
// HKDF uses the HMAC key for the salt, which is allowed to be shorter.
if h.keyLen < 112/8 && !h.forHKDF {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
switch h.inner.(type) {
case *sha256.Digest, *sha512.Digest, *sha3.Digest:
default:
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
origLen := len(in)
h.marshaled = true
}
-// New returns a new HMAC hash using the given [fips.Hash] type and key.
-func New[H fips.Hash](h func() H, key []byte) *HMAC {
+// New returns a new HMAC hash using the given [fips140.Hash] type and key.
+func New[H fips140.Hash](h func() H, key []byte) *HMAC {
hm := &HMAC{keyLen: len(key)}
hm.outer = h()
hm.inner = h()
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-package fips
+package fips140
import _ "unsafe" // for go:linkname
// negative. Finally, we expose indicatorUnset as negative to the user, so that
// we don't need to explicitly annotate fully non-approved services.
-//go:linkname getIndicator crypto/internal/fips.getIndicator
+//go:linkname getIndicator crypto/internal/fips140.getIndicator
func getIndicator() uint8
-//go:linkname setIndicator crypto/internal/fips.setIndicator
+//go:linkname setIndicator crypto/internal/fips140.setIndicator
func setIndicator(uint8)
const (
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
"errors"
)
func init() {
- fips.CAST("ML-KEM-768", func() error {
+ fips140.CAST("ML-KEM-768", func() error {
var d = &[32]byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package mlkem
import (
- "crypto/internal/fips/sha3"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140deps/byteorder"
"errors"
)
package mlkem
import (
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/subtle"
"errors"
)
var z [32]byte
drbg.Read(z[:])
kemKeyGen1024(dk, &d, &z)
- if err := fips.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
+ if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
// This clearly can't happen, but FIPS 140-3 requires us to check.
panic(err)
}
- fips.RecordApproved()
+ fips140.RecordApproved()
return dk, nil
}
d := (*[32]byte)(seed[:32])
z := (*[32]byte)(seed[32:])
kemKeyGen1024(dk, d, z)
- if err := fips.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
+ if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
// This clearly can't happen, but FIPS 140-3 requires us to check.
panic(err)
}
- fips.RecordApproved()
+ fips140.RecordApproved()
return dk, nil
}
drbg.Read(m[:])
// Note that the modulus check (step 2 of the encapsulation key check from
// FIPS 203, Section 7.2) is performed by polyByteDecode in parseEK1024.
- fips.RecordApproved()
+ fips140.RecordApproved()
return kemEncaps1024(cc, ek, &m)
}
//
// It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18.
func kemDecaps1024(dk *DecapsulationKey1024, c *[CiphertextSize1024]byte) (K []byte) {
- fips.RecordApproved()
+ fips140.RecordApproved()
m := pkeDecrypt1024(&dk.decryptionKey1024, c)
g := sha3.New512()
g.Write(m[:])
//go:generate go run generate1024.go -input mlkem768.go -output mlkem1024.go
import (
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/subtle"
"errors"
)
var z [32]byte
drbg.Read(z[:])
kemKeyGen(dk, &d, &z)
- if err := fips.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
+ if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
// This clearly can't happen, but FIPS 140-3 requires us to check.
panic(err)
}
- fips.RecordApproved()
+ fips140.RecordApproved()
return dk, nil
}
d := (*[32]byte)(seed[:32])
z := (*[32]byte)(seed[32:])
kemKeyGen(dk, d, z)
- if err := fips.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
+ if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
// This clearly can't happen, but FIPS 140-3 requires us to check.
panic(err)
}
- fips.RecordApproved()
+ fips140.RecordApproved()
return dk, nil
}
drbg.Read(m[:])
// Note that the modulus check (step 2 of the encapsulation key check from
// FIPS 203, Section 7.2) is performed by polyByteDecode in parseEK.
- fips.RecordApproved()
+ fips140.RecordApproved()
return kemEncaps(cc, ek, &m)
}
//
// It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18.
func kemDecaps(dk *DecapsulationKey768, c *[CiphertextSize768]byte) (K []byte) {
- fips.RecordApproved()
+ fips140.RecordApproved()
m := pkeDecrypt(&dk.decryptionKey, c)
g := sha3.New512()
g.Write(m[:])
-module crypto/internal/fips/nistec/_asm
+module crypto/internal/fips140/nistec/_asm
go 1.24
)
func main() {
- Package("crypto/internal/fips/nistec")
+ Package("crypto/internal/fips140/nistec")
ConstraintExpr("!purego")
p256MovCond()
p256NegCond()
package nistec_test
import (
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140/nistec"
"crypto/rand"
"testing"
)
package fiat_test
import (
- "crypto/internal/fips/nistec/fiat"
+ "crypto/internal/fips140/nistec/fiat"
"testing"
)
package fiat
-import _ "crypto/internal/fips/check"
+import _ "crypto/internal/fips140/check"
package fiat
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
"errors"
)
package fiat
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
"errors"
)
package fiat
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
"errors"
)
package fiat
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
"errors"
)
package fiat
import (
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/subtle"
"errors"
)
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/nistec/fiat"
+ "crypto/internal/fips140/subtle"
"errors"
"sync"
)
// can't be represented.
package nistec
-import _ "crypto/internal/fips/check"
+import _ "crypto/internal/fips140/check"
//go:generate go run generate.go
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/nistec/fiat"
+ "crypto/internal/fips140/subtle"
"errors"
"sync"
)
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
+ "crypto/internal/fips140/nistec/fiat"
"sync"
)
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/byteorder"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140/nistec/fiat"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/byteorder"
+ "crypto/internal/fips140deps/cpu"
"errors"
"math/bits"
"sync"
package nistec
import (
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
"runtime"
import (
"bytes"
- "crypto/internal/fips/nistec/fiat"
+ "crypto/internal/fips140/nistec/fiat"
"fmt"
"testing"
)
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/nistec/fiat"
+ "crypto/internal/fips140/subtle"
"errors"
"sync"
)
package nistec
import (
- "crypto/internal/fips/nistec/fiat"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/nistec/fiat"
+ "crypto/internal/fips140/subtle"
"errors"
"sync"
)
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/bigmod"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/bigmod"
+ _ "crypto/internal/fips140/check"
"errors"
"sync"
)
}
var fipsSelfTest = sync.OnceFunc(func() {
- fips.CAST("RSASSA-PKCS-v1.5 2048-bit sign and verify", func() error {
+ fips140.CAST("RSASSA-PKCS-v1.5 2048-bit sign and verify", func() error {
k := testPrivateKey()
hash := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
import (
"bytes"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"errors"
)
// or the empty string to indicate that the message is signed directly.
func SignPKCS1v15(priv *PrivateKey, hash string, hashed []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHashName(hash)
return signPKCS1v15(priv, hash, hashed)
// or the empty string to indicate that the message is signed directly.
func VerifyPKCS1v15(pub *PublicKey, hash string, hashed []byte, sig []byte) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHashName(hash)
return verifyPKCS1v15(pub, hash, hashed, sig)
case "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256",
"SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512":
default:
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
}
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/sha256"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/sha512"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/sha512"
+ "crypto/internal/fips140/subtle"
"errors"
"io"
)
// mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
// specified in PKCS #1 v2.1.
-func mgf1XOR(out []byte, hash fips.Hash, seed []byte) {
+func mgf1XOR(out []byte, hash fips140.Hash, seed []byte) {
var counter [4]byte
var digest []byte
}
}
-func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash fips.Hash) ([]byte, error) {
+func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash fips140.Hash) ([]byte, error) {
// See RFC 8017, Section 9.1.1.
hLen := hash.Size()
const pssSaltLengthAutodetect = -1
-func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash fips.Hash) error {
+func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash fips140.Hash) error {
// See RFC 8017, Section 9.1.2.
hLen := hash.Size()
// FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen)
// shall satisfy 0 ≤ sLen ≤ hLen".
if sLen > hLen {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
// 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
// PSSMaxSaltLength returns the maximum salt length for a given public key and
// hash function.
-func PSSMaxSaltLength(pub *PublicKey, hash fips.Hash) (int, error) {
+func PSSMaxSaltLength(pub *PublicKey, hash fips140.Hash) (int, error) {
saltLength := (pub.N.BitLen()-1+7)/8 - 2 - hash.Size()
if saltLength < 0 {
return 0, ErrMessageTooLong
}
// FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen)
// shall satisfy 0 ≤ sLen ≤ hLen".
- if fips.Enabled && saltLength > hash.Size() {
+ if fips140.Enabled && saltLength > hash.Size() {
return hash.Size(), nil
}
return saltLength, nil
// SignPSS calculates the signature of hashed using RSASSA-PSS.
//
// In FIPS mode, rand is ignored and can be nil.
-func SignPSS(rand io.Reader, priv *PrivateKey, hash fips.Hash, hashed []byte, saltLength int) ([]byte, error) {
+func SignPSS(rand io.Reader, priv *PrivateKey, hash fips140.Hash, hashed []byte, saltLength int) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHash(hash)
// Note that while we don't commit to deterministic execution with respect
// FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen)
// shall satisfy 0 ≤ sLen ≤ hLen".
if saltLength > hash.Size() {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
salt := make([]byte, saltLength)
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(salt)
} else {
if _, err := io.ReadFull(rand, salt); err != nil {
}
// VerifyPSS verifies sig with RSASSA-PSS automatically detecting the salt length.
-func VerifyPSS(pub *PublicKey, hash fips.Hash, digest []byte, sig []byte) error {
+func VerifyPSS(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte) error {
return verifyPSS(pub, hash, digest, sig, pssSaltLengthAutodetect)
}
// VerifyPSS verifies sig with RSASSA-PSS and an expected salt length.
-func VerifyPSSWithSaltLength(pub *PublicKey, hash fips.Hash, digest []byte, sig []byte, saltLength int) error {
+func VerifyPSSWithSaltLength(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte, saltLength int) error {
if saltLength < 0 {
return errors.New("crypto/rsa: salt length cannot be negative")
}
return verifyPSS(pub, hash, digest, sig, saltLength)
}
-func verifyPSS(pub *PublicKey, hash fips.Hash, digest []byte, sig []byte, saltLength int) error {
+func verifyPSS(pub *PublicKey, hash fips140.Hash, digest []byte, sig []byte, saltLength int) error {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHash(hash)
if err := checkPublicKey(pub); err != nil {
return err
return emsaPSSVerify(digest, em, emBits, saltLength, hash)
}
-func checkApprovedHash(hash fips.Hash) {
+func checkApprovedHash(hash fips140.Hash) {
switch hash.(type) {
case *sha256.Digest, *sha512.Digest, *sha3.Digest:
default:
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
}
// EncryptOAEP encrypts the given message with RSAES-OAEP.
//
// In FIPS mode, random is ignored and can be nil.
-func EncryptOAEP(hash fips.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) {
+func EncryptOAEP(hash fips140.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) {
// Note that while we don't commit to deterministic execution with respect
// to the random stream, we also don't apply MaybeReadByte, so per Hyrum's
// Law it's probably relied upon by some. It's a tolerable promise because a
// well-specified way.
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHash(hash)
if err := checkPublicKey(pub); err != nil {
return nil, err
db[len(db)-len(msg)-1] = 1
copy(db[len(db)-len(msg):], msg)
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(seed)
} else {
_, err := io.ReadFull(random, seed)
}
// DecryptOAEP decrypts ciphertext using RSAES-OAEP.
-func DecryptOAEP(hash, mgfHash fips.Hash, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
+func DecryptOAEP(hash, mgfHash fips140.Hash, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) {
fipsSelfTest()
- fips.RecordApproved()
+ fips140.RecordApproved()
checkApprovedHash(hash)
k := priv.pub.Size()
package rsa
import (
- "crypto/internal/fips"
- "crypto/internal/fips/bigmod"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/bigmod"
"errors"
)
// TODO(filippo): implement CRT computation. For now, NewPrivateKey is
// always called with CRT values.
if dP == nil || dQ == nil || qInv == nil {
- panic("crypto/internal/fips/rsa: internal error: missing CRT parameters")
+ panic("crypto/internal/fips140/rsa: internal error: missing CRT parameters")
}
qInvN, err := bigmod.NewNat().SetBytes(qInv, p)
if err != nil {
return errors.New("crypto/rsa: missing public modulus")
}
if pub.N.BitLen() < 2048 || pub.N.BitLen() > 16384 {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
if pub.E < 2 {
return errors.New("crypto/rsa: public exponent too small or negative")
// FIPS 186-5, Section 5.5(e): "The exponent e shall be an odd, positive
// integer such that 2¹⁶ < e < 2²⁵⁶."
if pub.E <= 1<<16 || pub.E&1 == 0 {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
// We require pub.E to fit into a 32-bit integer so that we
// do not have different behavior depending on whether
// Encrypt performs the RSA public key operation.
func Encrypt(pub *PublicKey, plaintext []byte) ([]byte, error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
if err := checkPublicKey(pub); err != nil {
return nil, err
}
// DecryptWithoutCheck performs the RSA private key operation.
func DecryptWithoutCheck(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return decrypt(priv, ciphertext, noCheck)
}
// DecryptWithCheck performs the RSA private key operation and checks the
// result to defend against errors in the CRT computation.
func DecryptWithCheck(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
return decrypt(priv, ciphertext, withCheck)
}
if priv.dP == nil {
// Legacy codepath for deprecated multi-prime keys.
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
m = bigmod.NewNat().Exp(c, priv.d.Bytes(N), N)
} else {
os.Setenv("GOOS", "linux")
os.Setenv("GOARCH", "amd64")
- Package("crypto/internal/fips/sha256")
+ Package("crypto/internal/fips140/sha256")
ConstraintExpr("!purego")
blockAMD64()
blockAVX2()
import (
"bytes"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"errors"
)
func init() {
- fips.CAST("SHA2-256", func() error {
+ fips140.CAST("SHA2-256", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package sha256
import (
- "crypto/internal/fips"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140deps/byteorder"
"errors"
)
}
func (d *Digest) Sum(in []byte) []byte {
- fips.RecordApproved()
+ fips140.RecordApproved()
// Make a copy of d so that caller can keep writing and summing.
d0 := *d
hash := d0.checkSum()
package sha256
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package sha256
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package sha256
import (
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140deps/godebug"
"crypto/internal/impl"
)
package sha256
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
os.Setenv("GOOS", "linux")
os.Setenv("GOARCH", "amd64")
- Package("crypto/internal/fips/sha3")
+ Package("crypto/internal/fips140/sha3")
ConstraintExpr("!purego")
keccakF1600()
Generate()
import (
"bytes"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"errors"
)
func init() {
- fips.CAST("cSHAKE128", func() error {
+ fips140.CAST("cSHAKE128", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package sha3
import (
- "crypto/internal/fipsdeps/byteorder"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/byteorder"
+ "crypto/internal/fips140deps/cpu"
"math/bits"
"unsafe"
)
package sha3
import (
- "crypto/internal/fips"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/subtle"
"errors"
)
// Sum appends the current hash to b and returns the resulting slice.
// It does not change the underlying hash state.
func (d *Digest) Sum(b []byte) []byte {
- fips.RecordApproved()
+ fips140.RecordApproved()
return d.sum(b)
}
package sha3
import (
- "crypto/internal/fips/subtle"
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140/subtle"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
import (
"bytes"
- "crypto/internal/fips"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
)
func (s *SHAKE) Write(p []byte) (n int, err error) { return s.d.Write(p) }
func (s *SHAKE) Read(out []byte) (n int, err error) {
- fips.RecordApproved()
+ fips140.RecordApproved()
// Note that read is not exposed on Digest since SHA-3 does not offer
// variable output length. It is only used internally by Sum.
return s.d.read(out)
os.Setenv("GOOS", "linux")
os.Setenv("GOARCH", "amd64")
- Package("crypto/internal/fips/sha512")
+ Package("crypto/internal/fips140/sha512")
ConstraintExpr("!purego")
blockAMD64()
blockAVX2()
import (
"bytes"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"errors"
)
func init() {
- fips.CAST("SHA2-512", func() error {
+ fips140.CAST("SHA2-512", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package sha512
import (
- "crypto/internal/fips"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140deps/byteorder"
"errors"
)
}
func (d *Digest) Sum(in []byte) []byte {
- fips.RecordApproved()
+ fips140.RecordApproved()
// Make a copy of d so that caller can keep writing and summing.
d0 := new(Digest)
*d0 = *d
package sha512
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package sha512
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package sha512
import (
- "crypto/internal/fipsdeps/godebug"
+ "crypto/internal/fips140deps/godebug"
"crypto/internal/impl"
)
package sha512
import (
- "crypto/internal/fipsdeps/cpu"
+ "crypto/internal/fips140deps/cpu"
"crypto/internal/impl"
)
package ssh
import (
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
)
type Direction struct {
ClientKeys = Direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
}
-func Keys[Hash fips.Hash](hash func() Hash, d Direction,
+func Keys[Hash fips140.Hash](hash func() Hash, d Direction,
K, H, sessionID []byte,
ivKeyLen, keyLen, macKeyLen int,
) (ivKey, key, macKey []byte) {
package subtle
-import "crypto/internal/fips/alias"
+import "crypto/internal/fips140/alias"
// XORBytes sets dst[i] = x[i] ^ y[i] for all i < n = min(len(x), len(y)),
// returning n, the number of bytes written to dst.
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/sha256"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/sha256"
"errors"
)
func init() {
- fips.CAST("TLSv1.2-SHA2-256", func() error {
+ fips140.CAST("TLSv1.2-SHA2-256", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package tls12
import (
- "crypto/internal/fips"
- "crypto/internal/fips/hmac"
- "crypto/internal/fips/sha256"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hmac"
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140/sha512"
)
// PRF implements the TLS 1.2 pseudo-random function, as defined in RFC 5246,
// Section 5 and allowed by SP 800-135, Revision 1, Section 4.2.2.
-func PRF[H fips.Hash](hash func() H, secret []byte, label string, seed []byte, keyLen int) []byte {
+func PRF[H fips140.Hash](hash func() H, secret []byte, label string, seed []byte, keyLen int) []byte {
labelAndSeed := make([]byte, len(label)+len(seed))
copy(labelAndSeed, label)
copy(labelAndSeed[len(label):], seed)
}
// pHash implements the P_hash function, as defined in RFC 5246, Section 5.
-func pHash[H fips.Hash](hash func() H, result, secret, seed []byte) {
+func pHash[H fips140.Hash](hash func() H, result, secret, seed []byte) {
h := hmac.New(hash, secret)
h.Write(seed)
a := h.Sum(nil)
// MasterSecret implements the TLS 1.2 extended master secret derivation, as
// defined in RFC 7627 and allowed by SP 800-135, Revision 1, Section 4.2.2.
-func MasterSecret[H fips.Hash](hash func() H, preMasterSecret, transcript []byte) []byte {
+func MasterSecret[H fips140.Hash](hash func() H, preMasterSecret, transcript []byte) []byte {
// "The TLS 1.2 KDF is an approved KDF when the following conditions are
// satisfied: [...] (3) P_HASH uses either SHA-256, SHA-384 or SHA-512."
h := hash()
switch any(h).(type) {
case *sha256.Digest:
if h.Size() != 32 {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
case *sha512.Digest:
if h.Size() != 46 && h.Size() != 64 {
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
default:
- fips.RecordNonApproved()
+ fips140.RecordNonApproved()
}
return PRF(hash, preMasterSecret, extendedMasterSecretLabel, transcript, masterSecretLength)
import (
"bytes"
- "crypto/internal/fips"
- _ "crypto/internal/fips/check"
- "crypto/internal/fips/sha256"
+ "crypto/internal/fips140"
+ _ "crypto/internal/fips140/check"
+ "crypto/internal/fips140/sha256"
"errors"
)
func init() {
- fips.CAST("TLSv1.3-SHA2-256", func() error {
+ fips140.CAST("TLSv1.3-SHA2-256", func() error {
input := []byte{
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
package tls13
import (
- "crypto/internal/fips"
- "crypto/internal/fips/hkdf"
- "crypto/internal/fipsdeps/byteorder"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hkdf"
+ "crypto/internal/fips140deps/byteorder"
)
// We don't set the service indicator in this package but we delegate that to
// its own.
// ExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
-func ExpandLabel[H fips.Hash](hash func() H, secret []byte, label string, context []byte, length int) []byte {
+func ExpandLabel[H fips140.Hash](hash func() H, secret []byte, label string, context []byte, length int) []byte {
if len("tls13 ")+len(label) > 255 || len(context) > 255 {
// It should be impossible for this to panic: labels are fixed strings,
// and context is either a fixed-length computed hash, or parsed from a
return hkdf.Expand(hash, secret, hkdfLabel, length)
}
-func extract[H fips.Hash](hash func() H, newSecret, currentSecret []byte) []byte {
+func extract[H fips140.Hash](hash func() H, newSecret, currentSecret []byte) []byte {
if newSecret == nil {
newSecret = make([]byte, hash().Size())
}
return hkdf.Extract(hash, newSecret, currentSecret)
}
-func deriveSecret[H fips.Hash](hash func() H, secret []byte, label string, transcript fips.Hash) []byte {
+func deriveSecret[H fips140.Hash](hash func() H, secret []byte, label string, transcript fips140.Hash) []byte {
if transcript == nil {
transcript = hash()
}
type EarlySecret struct {
secret []byte
- hash func() fips.Hash
+ hash func() fips140.Hash
}
-func NewEarlySecret[H fips.Hash](hash func() H, psk []byte) *EarlySecret {
+func NewEarlySecret[H fips140.Hash](hash func() H, psk []byte) *EarlySecret {
return &EarlySecret{
secret: extract(hash, psk, nil),
- hash: func() fips.Hash { return hash() },
+ hash: func() fips140.Hash { return hash() },
}
}
// ClientEarlyTrafficSecret derives the client_early_traffic_secret from the
// early secret and the transcript up to the ClientHello.
-func (s *EarlySecret) ClientEarlyTrafficSecret(transcript fips.Hash) []byte {
+func (s *EarlySecret) ClientEarlyTrafficSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, clientEarlyTrafficLabel, transcript)
}
type HandshakeSecret struct {
secret []byte
- hash func() fips.Hash
+ hash func() fips140.Hash
}
func (s *EarlySecret) HandshakeSecret(sharedSecret []byte) *HandshakeSecret {
// ClientHandshakeTrafficSecret derives the client_handshake_traffic_secret from
// the handshake secret and the transcript up to the ServerHello.
-func (s *HandshakeSecret) ClientHandshakeTrafficSecret(transcript fips.Hash) []byte {
+func (s *HandshakeSecret) ClientHandshakeTrafficSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, clientHandshakeTrafficLabel, transcript)
}
// ServerHandshakeTrafficSecret derives the server_handshake_traffic_secret from
// the handshake secret and the transcript up to the ServerHello.
-func (s *HandshakeSecret) ServerHandshakeTrafficSecret(transcript fips.Hash) []byte {
+func (s *HandshakeSecret) ServerHandshakeTrafficSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, serverHandshakeTrafficLabel, transcript)
}
type MasterSecret struct {
secret []byte
- hash func() fips.Hash
+ hash func() fips140.Hash
}
func (s *HandshakeSecret) MasterSecret() *MasterSecret {
// ClientApplicationTrafficSecret derives the client_application_traffic_secret_0
// from the master secret and the transcript up to the server Finished.
-func (s *MasterSecret) ClientApplicationTrafficSecret(transcript fips.Hash) []byte {
+func (s *MasterSecret) ClientApplicationTrafficSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, clientApplicationTrafficLabel, transcript)
}
// ServerApplicationTrafficSecret derives the server_application_traffic_secret_0
// from the master secret and the transcript up to the server Finished.
-func (s *MasterSecret) ServerApplicationTrafficSecret(transcript fips.Hash) []byte {
+func (s *MasterSecret) ServerApplicationTrafficSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, serverApplicationTrafficLabel, transcript)
}
// ResumptionMasterSecret derives the resumption_master_secret from the master secret
// and the transcript up to the client Finished.
-func (s *MasterSecret) ResumptionMasterSecret(transcript fips.Hash) []byte {
+func (s *MasterSecret) ResumptionMasterSecret(transcript fips140.Hash) []byte {
return deriveSecret(s.hash, s.secret, resumptionLabel, transcript)
}
type ExporterMasterSecret struct {
secret []byte
- hash func() fips.Hash
+ hash func() fips140.Hash
}
// ExporterMasterSecret derives the exporter_master_secret from the master secret
// and the transcript up to the server Finished.
-func (s *MasterSecret) ExporterMasterSecret(transcript fips.Hash) *ExporterMasterSecret {
+func (s *MasterSecret) ExporterMasterSecret(transcript fips140.Hash) *ExporterMasterSecret {
return &ExporterMasterSecret{
secret: deriveSecret(s.hash, s.secret, exporterLabel, transcript),
hash: s.hash,
// EarlyExporterMasterSecret derives the exporter_master_secret from the early secret
// and the transcript up to the ClientHello.
-func (s *EarlySecret) EarlyExporterMasterSecret(transcript fips.Hash) *ExporterMasterSecret {
+func (s *EarlySecret) EarlyExporterMasterSecret(transcript fips140.Hash) *ExporterMasterSecret {
return &ExporterMasterSecret{
secret: deriveSecret(s.hash, s.secret, earlyExporterLabel, transcript),
hash: s.hash,
// Package fipsdeps contains wrapper packages for internal APIs that are exposed
// to the FIPS module. Since modules are frozen upon validation and supported
-// for a number of future versions, APIs exposed by crypto/internal/fipsdeps/...
+// for a number of future versions, APIs exposed by crypto/internal/fips140deps/...
// must not be changed until the modules that use them are no longer supported.
package fipsdeps
{{end -}}
{{range .XTestImports -}}
{{$path}} {{.}}
-{{end -}}`, "crypto/internal/fips/...")
+{{end -}}`, "crypto/internal/fips140/...")
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("go list: %v\n%s", err, out)
allPackages := make(map[string]bool)
- // importCheck is the set of packages that import crypto/internal/fips/check.
+ // importCheck is the set of packages that import crypto/internal/fips140/check.
importCheck := make(map[string]bool)
for _, line := range strings.Split(string(out), "\n") {
allPackages[pkg] = true
- if importedPkg == "crypto/internal/fips/check" {
+ if importedPkg == "crypto/internal/fips140/check" {
importCheck[pkg] = true
}
// Ensure we don't import any unexpected internal package from the FIPS
// module, since we can't change the module source after it starts
// validation. This locks in the API of otherwise internal packages.
- if importedPkg == "crypto/internal/fips" ||
- strings.HasPrefix(importedPkg, "crypto/internal/fips/") ||
- strings.HasPrefix(importedPkg, "crypto/internal/fipsdeps/") {
+ if importedPkg == "crypto/internal/fips140" ||
+ strings.HasPrefix(importedPkg, "crypto/internal/fips140/") ||
+ strings.HasPrefix(importedPkg, "crypto/internal/fips140deps/") {
continue
}
if AllowedInternalPackages[importedPkg] {
// Ensure that all packages except check and check's dependencies import check.
for pkg := range allPackages {
switch pkg {
- case "crypto/internal/fips/check":
- case "crypto/internal/fips":
- case "crypto/internal/fips/alias":
- case "crypto/internal/fips/subtle":
- case "crypto/internal/fips/hmac":
- case "crypto/internal/fips/sha3":
- case "crypto/internal/fips/sha256":
- case "crypto/internal/fips/sha512":
+ case "crypto/internal/fips140/check":
+ case "crypto/internal/fips140":
+ case "crypto/internal/fips140/alias":
+ case "crypto/internal/fips140/subtle":
+ case "crypto/internal/fips140/hmac":
+ case "crypto/internal/fips140/sha3":
+ case "crypto/internal/fips140/sha256":
+ case "crypto/internal/fips140/sha512":
default:
if !importCheck[pkg] {
- t.Errorf("package %s does not import crypto/internal/fips/check", pkg)
+ t.Errorf("package %s does not import crypto/internal/fips140/check", pkg)
}
}
}
"bufio"
"bytes"
"crypto/internal/cryptotest"
- "crypto/internal/fips"
- "crypto/internal/fips/hmac"
- "crypto/internal/fips/sha256"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hmac"
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/sha512"
_ "embed"
"encoding/binary"
"errors"
"SHA3-512": cmdHashAft(sha3.New512()),
"SHA3-512/MCT": cmdSha3Mct(sha3.New512()),
- "HMAC-SHA2-224": cmdHmacAft(func() fips.Hash { return sha256.New224() }),
- "HMAC-SHA2-256": cmdHmacAft(func() fips.Hash { return sha256.New() }),
- "HMAC-SHA2-384": cmdHmacAft(func() fips.Hash { return sha512.New384() }),
- "HMAC-SHA2-512": cmdHmacAft(func() fips.Hash { return sha512.New() }),
- "HMAC-SHA2-512/224": cmdHmacAft(func() fips.Hash { return sha512.New512_224() }),
- "HMAC-SHA2-512/256": cmdHmacAft(func() fips.Hash { return sha512.New512_256() }),
- "HMAC-SHA3-224": cmdHmacAft(func() fips.Hash { return sha3.New224() }),
- "HMAC-SHA3-256": cmdHmacAft(func() fips.Hash { return sha3.New256() }),
- "HMAC-SHA3-384": cmdHmacAft(func() fips.Hash { return sha3.New384() }),
- "HMAC-SHA3-512": cmdHmacAft(func() fips.Hash { return sha3.New512() }),
+ "HMAC-SHA2-224": cmdHmacAft(func() fips140.Hash { return sha256.New224() }),
+ "HMAC-SHA2-256": cmdHmacAft(func() fips140.Hash { return sha256.New() }),
+ "HMAC-SHA2-384": cmdHmacAft(func() fips140.Hash { return sha512.New384() }),
+ "HMAC-SHA2-512": cmdHmacAft(func() fips140.Hash { return sha512.New() }),
+ "HMAC-SHA2-512/224": cmdHmacAft(func() fips140.Hash { return sha512.New512_224() }),
+ "HMAC-SHA2-512/256": cmdHmacAft(func() fips140.Hash { return sha512.New512_256() }),
+ "HMAC-SHA3-224": cmdHmacAft(func() fips140.Hash { return sha3.New224() }),
+ "HMAC-SHA3-256": cmdHmacAft(func() fips140.Hash { return sha3.New256() }),
+ "HMAC-SHA3-384": cmdHmacAft(func() fips140.Hash { return sha3.New384() }),
+ "HMAC-SHA3-512": cmdHmacAft(func() fips140.Hash { return sha3.New512() }),
}
)
// and writes the resulting digest as a response.
//
// See https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html
-func cmdHashAft(h fips.Hash) command {
+func cmdHashAft(h fips140.Hash) command {
return command{
requiredArgs: 1, // Message to hash.
handler: func(args [][]byte) ([][]byte, error) {
//
// [0]: https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html#section-6.2
// [1]: https://boringssl.googlesource.com/boringssl/+/refs/heads/master/util/fipstools/acvp/ACVP.md#testing-other-fips-modules
-func cmdHashMct(h fips.Hash) command {
+func cmdHashMct(h fips140.Hash) command {
return command{
requiredArgs: 1, // Seed message.
handler: func(args [][]byte) ([][]byte, error) {
// like that handler it does not perform the outer 100 iterations.
//
// [0]: https://pages.nist.gov/ACVP/draft-celi-acvp-sha3.html#section-6.2.1
-func cmdSha3Mct(h fips.Hash) command {
+func cmdSha3Mct(h fips140.Hash) command {
return command{
requiredArgs: 1, // Seed message.
handler: func(args [][]byte) ([][]byte, error) {
}
}
-func cmdHmacAft(h func() fips.Hash) command {
+func cmdHmacAft(h func() fips140.Hash) command {
return command{
requiredArgs: 2, // Message and key
handler: func(args [][]byte) ([][]byte, error) {
package fipstest
import (
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/alias"
"testing"
)
"testing"
// Import packages that define CASTs to test them.
- _ "crypto/internal/fips/aes"
- _ "crypto/internal/fips/aes/gcm"
- _ "crypto/internal/fips/drbg"
- "crypto/internal/fips/ecdh"
- "crypto/internal/fips/ecdsa"
- "crypto/internal/fips/ed25519"
- _ "crypto/internal/fips/hkdf"
- _ "crypto/internal/fips/hmac"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/rsa"
- "crypto/internal/fips/sha256"
- _ "crypto/internal/fips/sha3"
- _ "crypto/internal/fips/sha512"
- _ "crypto/internal/fips/tls12"
- _ "crypto/internal/fips/tls13"
+ _ "crypto/internal/fips140/aes"
+ _ "crypto/internal/fips140/aes/gcm"
+ _ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/ecdh"
+ "crypto/internal/fips140/ecdsa"
+ "crypto/internal/fips140/ed25519"
+ _ "crypto/internal/fips140/hkdf"
+ _ "crypto/internal/fips140/hmac"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/rsa"
+ "crypto/internal/fips140/sha256"
+ _ "crypto/internal/fips140/sha3"
+ _ "crypto/internal/fips140/sha512"
+ _ "crypto/internal/fips140/tls12"
+ _ "crypto/internal/fips140/tls13"
)
func findAllCASTs(t *testing.T) map[string]struct{} {
testenv.MustHaveSource(t)
- // Ask "go list" for the location of the crypto/internal/fips tree, as it
+ // Ask "go list" for the location of the crypto/internal/fips140 tree, as it
// might be the unpacked frozen tree selected with GOFIPS140.
- cmd := testenv.Command(t, testenv.GoToolPath(t), "list", "-f", `{{.Dir}}`, "crypto/internal/fips")
+ cmd := testenv.Command(t, testenv.GoToolPath(t), "list", "-f", `{{.Dir}}`, "crypto/internal/fips140")
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("go list: %v\n%s", err, out)
fipsDir := strings.TrimSpace(string(out))
t.Logf("FIPS module directory: %s", fipsDir)
- // Find all invocations of fips.CAST or fips.PCT.
+ // Find all invocations of fips140.CAST or fips140.PCT.
allCASTs := make(map[string]struct{})
- castRe := regexp.MustCompile(`fips\.(CAST|PCT)\("([^"]+)"`)
+ castRe := regexp.MustCompile(`fips140\.(CAST|PCT)\("([^"]+)"`)
if err := fs.WalkDir(os.DirFS(fipsDir), ".", func(path string, d fs.DirEntry, err error) error {
if err != nil {
return err
package fipstest
import (
- . "crypto/internal/fips/check"
- "crypto/internal/fips/check/checktest"
+ . "crypto/internal/fips140/check"
+ "crypto/internal/fips140/check/checktest"
"fmt"
"internal/abi"
"internal/asan"
import (
"bytes"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/aes/gcm"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/aes/gcm"
"testing"
)
import (
"bytes"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/subtle"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/subtle"
"testing"
)
import (
"crypto/internal/cryptotest"
- . "crypto/internal/fips/edwards25519"
+ . "crypto/internal/fips140/edwards25519"
"testing"
)
// license that can be found in the LICENSE file.
// Package fipstest collects external tests that would ordinarily live in
-// crypto/internal/fips/... packages. That tree gets snapshot at each
+// crypto/internal/fips140/... packages. That tree gets snapshot at each
// validation, while we want tests to evolve and still apply to all versions of
// the module. Also, we can't fix failing tests in a module snapshot, so we need
// to either minimize, skip, or remove them. Finally, the module needs to avoid
import (
"bytes"
"crypto/internal/boring"
- "crypto/internal/fips"
- "crypto/internal/fips/hkdf"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/hkdf"
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
t.Skip("in BoringCrypto mode HMAC is not from the Go FIPS module")
}
- fips.ResetServiceIndicator()
+ fips140.ResetServiceIndicator()
hkdf.Key(sha256.New, []byte("YELLOW SUBMARINE"), nil, nil, 32)
- if !fips.ServiceIndicator() {
+ if !fips140.ServiceIndicator() {
t.Error("FIPS service indicator should be set")
}
// Key too short.
- fips.ResetServiceIndicator()
+ fips140.ResetServiceIndicator()
hkdf.Key(sha256.New, []byte("key"), nil, nil, 32)
- if fips.ServiceIndicator() {
+ if fips140.ServiceIndicator() {
t.Error("FIPS service indicator should not be set")
}
// Salt and info are short, which is ok, but translates to a short HMAC key.
- fips.ResetServiceIndicator()
+ fips140.ResetServiceIndicator()
hkdf.Key(sha256.New, []byte("YELLOW SUBMARINE"), []byte("salt"), []byte("info"), 32)
- if !fips.ServiceIndicator() {
+ if !fips140.ServiceIndicator() {
t.Error("FIPS service indicator should be set")
}
}
package fipstest
import (
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"testing"
)
func TestIndicator(t *testing.T) {
- fips.ResetServiceIndicator()
- if fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ if fips140.ServiceIndicator() {
t.Error("indicator should be false if no calls are made")
}
- fips.ResetServiceIndicator()
- fips.RecordApproved()
- if !fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ fips140.RecordApproved()
+ if !fips140.ServiceIndicator() {
t.Error("indicator should be true if RecordApproved is called")
}
- fips.ResetServiceIndicator()
- fips.RecordApproved()
- fips.RecordApproved()
- if !fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ fips140.RecordApproved()
+ fips140.RecordApproved()
+ if !fips140.ServiceIndicator() {
t.Error("indicator should be true if RecordApproved is called multiple times")
}
- fips.ResetServiceIndicator()
- fips.RecordNonApproved()
- if fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ fips140.RecordNonApproved()
+ if fips140.ServiceIndicator() {
t.Error("indicator should be false if RecordNonApproved is called")
}
- fips.ResetServiceIndicator()
- fips.RecordApproved()
- fips.RecordNonApproved()
- if fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ fips140.RecordApproved()
+ fips140.RecordNonApproved()
+ if fips140.ServiceIndicator() {
t.Error("indicator should be false if both RecordApproved and RecordNonApproved are called")
}
- fips.ResetServiceIndicator()
- fips.RecordNonApproved()
- fips.RecordApproved()
- if fips.ServiceIndicator() {
+ fips140.ResetServiceIndicator()
+ fips140.RecordNonApproved()
+ fips140.RecordApproved()
+ if fips140.ServiceIndicator() {
t.Error("indicator should be false if both RecordNonApproved and RecordApproved are called")
}
- fips.ResetServiceIndicator()
- fips.RecordNonApproved()
+ fips140.ResetServiceIndicator()
+ fips140.RecordNonApproved()
done := make(chan struct{})
go func() {
- fips.ResetServiceIndicator()
- fips.RecordApproved()
+ fips140.ResetServiceIndicator()
+ fips140.RecordApproved()
close(done)
}()
<-done
- if fips.ServiceIndicator() {
+ if fips140.ServiceIndicator() {
t.Error("indicator should be false if RecordApproved is called in a different goroutine")
}
- fips.ResetServiceIndicator()
- fips.RecordApproved()
+ fips140.ResetServiceIndicator()
+ fips140.RecordApproved()
done = make(chan struct{})
go func() {
- fips.ResetServiceIndicator()
- fips.RecordNonApproved()
+ fips140.ResetServiceIndicator()
+ fips140.RecordNonApproved()
close(done)
}()
<-done
- if !fips.ServiceIndicator() {
+ if !fips140.ServiceIndicator() {
t.Error("indicator should be true if RecordNonApproved is called in a different goroutine")
}
}
import (
"bytes"
- . "crypto/internal/fips/mlkem"
- "crypto/internal/fips/sha3"
+ . "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/sha3"
"crypto/rand"
_ "embed"
"encoding/hex"
import (
"bytes"
"crypto/elliptic"
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140/nistec"
"math/big"
"testing"
)
"bytes"
"crypto/elliptic"
"crypto/internal/cryptotest"
- "crypto/internal/fips/nistec"
+ "crypto/internal/fips140/nistec"
"fmt"
"math/big"
"math/rand"
import (
"bytes"
"crypto/internal/cryptotest"
- "crypto/internal/fips"
- . "crypto/internal/fips/sha3"
+ "crypto/internal/fips140"
+ . "crypto/internal/fips140/sha3"
"encoding"
"encoding/hex"
"fmt"
}
// TODO(filippo): move this to crypto/internal/cryptotest.
-func testMarshalUnmarshal(t *testing.T, h fips.Hash) {
+func testMarshalUnmarshal(t *testing.T, h fips140.Hash) {
buf := make([]byte, 200)
rand.Read(buf)
n := rand.Intn(200)
}
// benchmarkHash tests the speed to hash num buffers of buflen each.
-func benchmarkHash(b *testing.B, h fips.Hash, size, num int) {
+func benchmarkHash(b *testing.B, h fips140.Hash, size, num int) {
b.StopTimer()
h.Reset()
data := sequentialBytes(size)
import (
"bytes"
- "crypto/internal/fips/ssh"
+ "crypto/internal/fips140/ssh"
"crypto/sha256"
"encoding/hex"
"testing"
import (
"bytes"
"crypto/internal/cryptotest"
- "crypto/internal/fips/aes"
- "crypto/internal/fips/aes/gcm"
- "crypto/internal/fips/drbg"
- "crypto/internal/fips/sha3"
+ "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/aes/gcm"
+ "crypto/internal/fips140/drbg"
+ "crypto/internal/fips140/sha3"
"encoding/hex"
"runtime"
"testing"
"crypto/aes"
"crypto/cipher"
"crypto/ecdh"
- "crypto/internal/fips/hkdf"
+ "crypto/internal/fips140/hkdf"
"crypto/rand"
"errors"
"internal/byteorder"
import (
"crypto/internal/boring"
- "crypto/internal/fips"
- "crypto/internal/fips/drbg"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140/drbg"
"crypto/internal/sysrand"
"io"
_ "unsafe"
func (r *reader) Read(b []byte) (n int, err error) {
boring.Unreachable()
- if fips.Enabled {
+ if fips140.Enabled {
drbg.Read(b)
} else {
sysrand.Read(b)
package rc4
import (
- "crypto/internal/fips/alias"
+ "crypto/internal/fips140/alias"
"strconv"
)
import (
"crypto"
"crypto/internal/boring"
- "crypto/internal/fips/rsa"
+ "crypto/internal/fips140/rsa"
"errors"
"hash"
"io"
import (
"crypto/internal/boring"
- "crypto/internal/fips/rsa"
+ "crypto/internal/fips140/rsa"
"crypto/internal/randutil"
"crypto/subtle"
"io"
"bufio"
"compress/bzip2"
"crypto"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"crypto/rand"
. "crypto/rsa"
"crypto/sha256"
opts.SaltLength = test.verifySaltLength
err = VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, &opts)
good := test.good
- if fips.Enabled {
+ if fips140.Enabled {
good = test.fipsGood
}
if (err == nil) != good {
"crypto"
"crypto/internal/boring"
"crypto/internal/boring/bbig"
- "crypto/internal/fips/bigmod"
- "crypto/internal/fips/rsa"
+ "crypto/internal/fips140/bigmod"
+ "crypto/internal/fips140/rsa"
"crypto/internal/randutil"
"crypto/rand"
"crypto/subtle"
"bytes"
"crypto"
"crypto/internal/cryptotest"
- "crypto/internal/fips"
+ "crypto/internal/fips140"
"crypto/rand"
. "crypto/rsa"
"crypto/sha1"
}
func TestEncryptOAEP(t *testing.T) {
- if fips.Enabled {
+ if fips140.Enabled {
t.Skip("FIPS mode overrides the deterministic random source")
}
sha1 := sha1.New()
import (
"crypto"
"crypto/internal/boring"
- "crypto/internal/fips/sha256"
+ "crypto/internal/fips140/sha256"
"hash"
)
import (
"crypto"
"crypto/internal/boring"
- "crypto/internal/fips/sha512"
+ "crypto/internal/fips140/sha512"
"hash"
)
// code but require careful thought to use correctly.
package subtle
-import "crypto/internal/fips/subtle"
+import "crypto/internal/fips140/subtle"
// ConstantTimeCompare returns 1 if the two slices, x and y, have equal contents
// and 0 otherwise. The time taken is a function of the length of the slices and
package subtle
-import "crypto/internal/fips/subtle"
+import "crypto/internal/fips140/subtle"
// XORBytes sets dst[i] = x[i] ^ y[i] for all i < n = min(len(x), len(y)),
// returning n, the number of bytes written to dst.
"crypto/des"
"crypto/hmac"
"crypto/internal/boring"
- fipsaes "crypto/internal/fips/aes"
- "crypto/internal/fips/aes/gcm"
+ fipsaes "crypto/internal/fips140/aes"
+ "crypto/internal/fips140/aes/gcm"
"crypto/rc4"
"crypto/sha1"
"crypto/sha256"
}
var (
- // Keep in sync with crypto/internal/fips/aes/gcm.supportsAESGCM.
+ // Keep in sync with crypto/internal/fips140/aes/gcm.supportsAESGCM.
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ && cpu.X86.HasSSE41 && cpu.X86.HasSSSE3
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCTR && cpu.S390X.HasGHASH
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/tls13"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/tls13"
"crypto/internal/hpke"
"crypto/rsa"
"crypto/subtle"
"context"
"crypto"
"crypto/hmac"
- "crypto/internal/fips/hkdf"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/tls13"
+ "crypto/internal/fips140/hkdf"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/tls13"
"crypto/rsa"
"crypto/subtle"
"errors"
"context"
"crypto"
"crypto/hmac"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/tls13"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/tls13"
"crypto/rsa"
"errors"
"hash"
import (
"crypto/ecdh"
"crypto/hmac"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/sha3"
- "crypto/internal/fips/tls13"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/tls13"
"errors"
"hash"
"io"
import (
"bytes"
- "crypto/internal/fips/mlkem"
- "crypto/internal/fips/tls13"
+ "crypto/internal/fips140/mlkem"
+ "crypto/internal/fips140/tls13"
"crypto/sha256"
"encoding/hex"
"strings"
import (
"crypto"
"crypto/hmac"
- "crypto/internal/fips/tls12"
+ "crypto/internal/fips140/tls12"
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
OS < crypto/internal/sysrand
< crypto/internal/entropy;
- internal/byteorder < crypto/internal/fipsdeps/byteorder;
- internal/cpu, internal/goarch < crypto/internal/fipsdeps/cpu;
- internal/godebug < crypto/internal/fipsdeps/godebug;
+ internal/byteorder < crypto/internal/fips140deps/byteorder;
+ internal/cpu, internal/goarch < crypto/internal/fips140deps/cpu;
+ internal/godebug < crypto/internal/fips140deps/godebug;
# FIPS is the FIPS 140 module.
# It must not depend on external crypto packages.
STR, crypto/internal/impl,
crypto/internal/entropy,
crypto/internal/randutil,
- crypto/internal/fipsdeps/byteorder,
- crypto/internal/fipsdeps/cpu,
- crypto/internal/fipsdeps/godebug
- < crypto/internal/fips
- < crypto/internal/fips/alias
- < crypto/internal/fips/subtle
- < crypto/internal/fips/sha256
- < crypto/internal/fips/sha512
- < crypto/internal/fips/sha3
- < crypto/internal/fips/hmac
- < crypto/internal/fips/check
- < crypto/internal/fips/aes
- < crypto/internal/fips/drbg
- < crypto/internal/fips/aes/gcm
- < crypto/internal/fips/hkdf
- < crypto/internal/fips/mlkem
- < crypto/internal/fips/ssh
- < crypto/internal/fips/tls12
- < crypto/internal/fips/tls13
- < crypto/internal/fips/bigmod
- < crypto/internal/fips/nistec/fiat
- < crypto/internal/fips/nistec
- < crypto/internal/fips/ecdh
- < crypto/internal/fips/ecdsa
- < crypto/internal/fips/edwards25519/field
- < crypto/internal/fips/edwards25519
- < crypto/internal/fips/ed25519
- < crypto/internal/fips/rsa
+ crypto/internal/fips140deps/byteorder,
+ crypto/internal/fips140deps/cpu,
+ crypto/internal/fips140deps/godebug
+ < crypto/internal/fips140
+ < crypto/internal/fips140/alias
+ < crypto/internal/fips140/subtle
+ < crypto/internal/fips140/sha256
+ < crypto/internal/fips140/sha512
+ < crypto/internal/fips140/sha3
+ < crypto/internal/fips140/hmac
+ < crypto/internal/fips140/check
+ < crypto/internal/fips140/aes
+ < crypto/internal/fips140/drbg
+ < crypto/internal/fips140/aes/gcm
+ < crypto/internal/fips140/hkdf
+ < crypto/internal/fips140/mlkem
+ < crypto/internal/fips140/ssh
+ < crypto/internal/fips140/tls12
+ < crypto/internal/fips140/tls13
+ < crypto/internal/fips140/bigmod
+ < crypto/internal/fips140/nistec/fiat
+ < crypto/internal/fips140/nistec
+ < crypto/internal/fips140/ecdh
+ < crypto/internal/fips140/ecdsa
+ < crypto/internal/fips140/edwards25519/field
+ < crypto/internal/fips140/edwards25519
+ < crypto/internal/fips140/ed25519
+ < crypto/internal/fips140/rsa
< FIPS;
- FIPS < crypto/internal/fips/check/checktest;
+ FIPS < crypto/internal/fips140/check/checktest;
NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
sync/atomic < crypto/internal/boring/bcache, crypto/internal/boring/fipstls;
< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
crypto/sha1, crypto/sha256, crypto/sha512;
- crypto/boring, crypto/internal/fips/edwards25519/field
+ crypto/boring, crypto/internal/fips140/edwards25519/field
< crypto/ecdh;
# Unfortunately, stuck with reflect via encoding/binary.
fatal(s)
}
-//go:linkname fips_fatal crypto/internal/fips.fatal
+//go:linkname fips_fatal crypto/internal/fips140.fatal
func fips_fatal(s string) {
fatal(s)
}
return id
}
-//go:linkname fips_getIndicator crypto/internal/fips.getIndicator
+//go:linkname fips_getIndicator crypto/internal/fips140.getIndicator
func fips_getIndicator() uint8 {
return getg().fipsIndicator
}
-//go:linkname fips_setIndicator crypto/internal/fips.setIndicator
+//go:linkname fips_setIndicator crypto/internal/fips140.setIndicator
func fips_setIndicator(indicator uint8) {
getg().fipsIndicator = indicator
}
return false
}
// TODO: use a runtime/unsafe facility once one becomes available. See issue 12445.
- // Also see crypto/internal/fips/alias/alias.go:AnyOverlap
+ // Also see crypto/internal/fips140/alias/alias.go:AnyOverlap
return uintptr(unsafe.Pointer(&a[0])) <= uintptr(unsafe.Pointer(&b[len(b)-1]))+(elemSize-1) &&
uintptr(unsafe.Pointer(&b[0])) <= uintptr(unsafe.Pointer(&a[len(a)-1]))+(elemSize-1)
}