crypto/internal/fips140: make Version return latest when not frozen
authorFilippo Valsorda <filippo@golang.org>
Thu, 6 Mar 2025 16:08:02 +0000 (17:08 +0100)
committerGopher Robot <gobot@golang.org>
Fri, 7 Mar 2025 19:33:03 +0000 (11:33 -0800)
Fixes #71820

Change-Id: I6a6a46563da281a7b20efc61eefdcbb2e146db33
Reviewed-on: https://go-review.googlesource.com/c/go/+/655795
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
src/cmd/go/internal/fips140/mkzip.go
src/crypto/internal/fips140/fips140.go
src/crypto/internal/fips140test/fips_test.go
src/runtime/debug/mod.go

index 1fb1a14e736868bc044cb73ae847582b7c7c17e1..7a6ba803248e37d763d48742c8d45dd0fbfcd4ca 100644 (file)
@@ -95,6 +95,7 @@ func main() {
 
        var zbuf2 bytes.Buffer
        zw := zip.NewWriter(&zbuf2)
+       foundVersion := false
        for _, f := range zr.File {
                // golang.org/fips140@v1.2.3/dir/file.go ->
                // golang.org/fips140@v1.2.3/fips140/v1.2.3/dir/file.go
@@ -102,6 +103,32 @@ func main() {
                        f.Name = "golang.org/fips140@" + version + "/fips140/" + version +
                                strings.TrimPrefix(f.Name, "golang.org/fips140@"+version)
                }
+               // Inject version in [crypto/internal/fips140.Version].
+               if f.Name == "golang.org/fips140@"+version+"/fips140/"+version+"/fips140.go" {
+                       rf, err := f.Open()
+                       if err != nil {
+                               log.Fatal(err)
+                       }
+                       contents, err := io.ReadAll(rf)
+                       if err != nil {
+                               log.Fatal(err)
+                       }
+                       returnLine := `return "latest" //mkzip:version`
+                       if !bytes.Contains(contents, []byte(returnLine)) {
+                               log.Fatalf("did not find %q in fips140.go", returnLine)
+                       }
+                       newLine := `return "` + version + `"`
+                       contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine))
+                       wf, err := zw.Create(f.Name)
+                       if err != nil {
+                               log.Fatal(err)
+                       }
+                       if _, err := wf.Write(contents); err != nil {
+                               log.Fatal(err)
+                       }
+                       foundVersion = true
+                       continue
+               }
                wf, err := zw.CreateRaw(&f.FileHeader)
                if err != nil {
                        log.Fatal(err)
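Review bot: The reader returned by `f.Open()` for the injected fips140.go entry is never closed; `io.ReadAll(rf)` drains it but the handle stays open for the rest of main, so add `if err := rf.Close(); err != nil { log.Fatal(err) }` directly after the ReadAll error check. The presence check a few lines later accepts any number of marker occurrences while `bytes.ReplaceAll` then rewrites all of them, so `if bytes.Count(contents, []byte(returnLine)) != 1 {` with a matching message would make the injection fail loudly if a second copy of the marker line ever appears in the source. Note also that the rewritten entry goes through `zw.Create`, which builds a fresh header, while every other entry uses `zw.CreateRaw(&f.FileHeader)` and keeps its original mode and timestamp; if the zip layout is expected to stay reproducible across runs, a comment on why this entry differs would help. The enclosing main starts before and ends after this hunk.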
@@ -117,6 +144,9 @@ func main() {
        if err := zw.Close(); err != nil {
                log.Fatal(err)
        }
+       if !foundVersion {
+               log.Fatal("did not find fips140.go file")
+       }
 
        err = os.WriteFile(version+".zip", zbuf2.Bytes(), 0666)
        if err != nil {
index c7b167b82a14129f0101f97f6768307a1fe7c486..e05ad663749b1c17c3ad03600da51384139c64ec 100644 (file)
@@ -62,6 +62,10 @@ func Name() string {
        return "Go Cryptographic Module"
 }
 
+// Version returns the formal version (such as "v1.0") if building against a
+// frozen module with GOFIPS140. Otherwise, it returns "latest".
 func Version() string {
-       return "v1.0"
+       // This return value is replaced by mkzip.go, it must not be changed or
+       // moved to a different file.
+       return "latest" //mkzip:version
 }
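Review bot: The comment above the return says the line must not be changed or moved, but mkzip.go in this commit matches the whole line text `return "latest" //mkzip:version` byte for byte, trailing marker included, and aborts the zip build when it is absent; saying so explicitly would stop a well-meaning edit (such as a space after the `//`) from silently breaking a freeze. Suggested wording: `// mkzip.go replaces the exact text of the next line (including the //mkzip:version marker) when freezing a module; do not edit, reformat or move it.` The doc comment could also tell callers that surface this value in compliance reporting that "latest" means the build is not a frozen, versioned module. The frozen value may not equal the GOFIPS140 setting in every case (the test in this commit maps "v1.0.0" to "v1.0"), which is worth a sentence here as well.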
index 3ed6152ea380d02284ba2a9a89c16ceda5e1b63b..08d60933ef38b8dad6da6f5df06cf326e8ee24f9 100644 (file)
@@ -36,6 +36,7 @@ import (
        "crypto/internal/fips140/tls13"
        "crypto/rand"
        "encoding/hex"
+       "runtime/debug"
        "strings"
        "testing"
 )
@@ -63,6 +64,32 @@ func moduleStatus(t *testing.T) {
        }
 }
 
+func TestVersion(t *testing.T) {
+       bi, ok := debug.ReadBuildInfo()
+       if !ok {
+               t.Skip("no build info")
+       }
+       for _, setting := range bi.Settings {
+               if setting.Key != "GOFIPS140" {
+                       continue
+               }
+               exp := setting.Value
+               if exp == "v1.0.0" {
+                       // Unfortunately we enshrined the version of the first module as
+                       // v1.0 before deciding to go for full versions.
+                       exp = "v1.0"
+               }
+               if v := fips140.Version(); v != exp {
+                       t.Errorf("Version is %q, expected %q", v, exp)
+               }
+               return
+       }
+       // Without GOFIPS140, the Version should be "latest".
+       if v := fips140.Version(); v != "latest" {
+               t.Errorf("Version is %q, expected latest", v)
+       }
+}
+
 func TestFIPS140(t *testing.T) {
        moduleStatus(t)
        if boring.Enabled {
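Review bot: The "v1.0.0" special case in TestVersion reads like a temporary workaround but appears to be permanent: the already-frozen v1.0.0 module was cut before this commit's version injection existed and returns the hardcoded "v1.0", so the mapping must stay as long as that module is supported (inferred from the diff; confirm against the frozen zip). Suggested comment in place of the existing one: `// The frozen v1.0.0 module predates mkzip's version injection and hardcodes "v1.0"; keep this mapping while that module is supported.` Logging the observed setting with `t.Logf("GOFIPS140=%q", setting.Value)` before the comparison would also make a failure on a newly frozen module easier to read.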
index 3eab08744f5c298e81d46369d810cf3c926e83d7..917e734284f44abb2d9e48ccbe493533c8a52265 100644 (file)
@@ -81,6 +81,7 @@ type Module struct {
 //   - GOARCH: the architecture target
 //   - GOAMD64/GOARM/GO386/etc: the architecture feature level for GOARCH
 //   - GOOS: the operating system target
+//   - GOFIPS140: the frozen FIPS 140-3 module version, if any
 //   - vcs: the version control system for the source tree where the build ran
 //   - vcs.revision: the revision identifier for the current commit or checkout
 //   - vcs.time: the modification time associated with vcs.revision, in RFC3339 format