From: Filippo Valsorda <filippo@golang.org>
Date: Mon, 27 Jan 2025 13:18:02 +0000 (+0100)
Subject: crypto/internal/fips140/aes: set FIPS 140 service indicator for CTR and CBC
X-Git-Tag: go1.24rc3~2^2~17
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=3f791c8dfb;p=gostls13.git

crypto/internal/fips140/aes: set FIPS 140 service indicator for CTR and CBC

This is a very late Go 1.24 change, but it is necessary for the frozen
FIPS module, and doesn't impact anything else than the FIPS status
indicator value.

Change-Id: I6a6a4656f1ac94ac46d631c90a206ac8b6ddcf4c
Reviewed-on: https://go-review.googlesource.com/c/go/+/644635
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
---

diff --git a/src/crypto/internal/fips140/aes/cbc.go b/src/crypto/internal/fips140/aes/cbc.go
index f92af23a2a..a5a079453f 100644
--- a/src/crypto/internal/fips140/aes/cbc.go
+++ b/src/crypto/internal/fips140/aes/cbc.go
@@ -5,6 +5,7 @@
 package aes
 
 import (
+	"crypto/internal/fips140"
 	"crypto/internal/fips140/alias"
 	"crypto/internal/fips140/subtle"
 )
@@ -32,6 +33,7 @@ func (c *CBCEncrypter) CryptBlocks(dst, src []byte) {
 	if alias.InexactOverlap(dst[:len(src)], src) {
 		panic("crypto/cipher: invalid buffer overlap")
 	}
+	fips140.RecordApproved()
 	if len(src) == 0 {
 		return
 	}
@@ -85,6 +87,7 @@ func (c *CBCDecrypter) CryptBlocks(dst, src []byte) {
 	if alias.InexactOverlap(dst[:len(src)], src) {
 		panic("crypto/cipher: invalid buffer overlap")
 	}
+	fips140.RecordApproved()
 	if len(src) == 0 {
 		return
 	}
diff --git a/src/crypto/internal/fips140/aes/ctr.go b/src/crypto/internal/fips140/aes/ctr.go
index 2b0ee44cdd..2e55d233d3 100644
--- a/src/crypto/internal/fips140/aes/ctr.go
+++ b/src/crypto/internal/fips140/aes/ctr.go
@@ -5,6 +5,7 @@
 package aes
 
 import (
+	"crypto/internal/fips140"
 	"crypto/internal/fips140/alias"
 	"crypto/internal/fips140/subtle"
 	"crypto/internal/fips140deps/byteorder"
@@ -71,6 +72,7 @@ func (c *CTR) XORKeyStreamAt(dst, src []byte, offset uint64) {
 	if alias.InexactOverlap(dst, src) {
 		panic("crypto/aes: invalid buffer overlap")
 	}
+	fips140.RecordApproved()
 
 	ivlo, ivhi := add128(c.ivlo, c.ivhi, offset/BlockSize)