From: Ian Lance Taylor <iant@golang.org>
Date: Thu, 13 Feb 2025 22:40:01 +0000 (-0800)
Subject: [release-branch.go1.24] internal/godebugs: add fips140 as an opaque godebug setting
X-Git-Tag: go1.24.1~14
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=f5c388313f5ca4c6d71ddc2d8e14d552e5c7648b;p=gostls13.git

[release-branch.go1.24] internal/godebugs: add fips140 as an opaque godebug setting

This permits using "godebug fips140=on" in go.mod and
using "//go:debug fips140=on" in the main package.

Change code references to the godebug setting to remove the #
which is no longer required.

For #71666
Fixes #71745

Change-Id: I3a60ecc55b03848dadd6d431eb43137b6df6568b
Reviewed-on: https://go-review.googlesource.com/c/go/+/649495
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 2b43ce0a9d5825d66aa42a6fa9076f2fb9c181ea)
Reviewed-on: https://go-review.googlesource.com/c/go/+/650675
Commit-Queue: Ian Lance Taylor <iant@google.com>
---

diff --git a/src/crypto/fips140/fips140.go b/src/crypto/fips140/fips140.go
index 41d0d170cf..1c4036d5e7 100644
--- a/src/crypto/fips140/fips140.go
+++ b/src/crypto/fips140/fips140.go
@@ -10,7 +10,7 @@ import (
 	"internal/godebug"
 )
 
-var fips140GODEBUG = godebug.New("#fips140")
+var fips140GODEBUG = godebug.New("fips140")
 
 // Enabled reports whether the cryptography libraries are operating in FIPS
 // 140-3 mode.
diff --git a/src/crypto/internal/fips140/check/check.go b/src/crypto/internal/fips140/check/check.go
index f8a5d7a41e..454cd6c738 100644
--- a/src/crypto/internal/fips140/check/check.go
+++ b/src/crypto/internal/fips140/check/check.go
@@ -100,7 +100,7 @@ func init() {
 	clear(nbuf[:])
 	h.Reset()
 
-	if godebug.Value("#fips140") == "debug" {
+	if godebug.Value("fips140") == "debug" {
 		println("fips140: verified code+data")
 	}
 
diff --git a/src/crypto/internal/fips140only/fips140only.go b/src/crypto/internal/fips140only/fips140only.go
index 7126781af0..147877a34f 100644
--- a/src/crypto/internal/fips140only/fips140only.go
+++ b/src/crypto/internal/fips140only/fips140only.go
@@ -16,7 +16,7 @@ import (
 
 // Enabled reports whether FIPS 140-only mode is enabled, in which non-approved
 // cryptography returns an error or panics.
-var Enabled = godebug.New("#fips140").Value() == "only"
+var Enabled = godebug.New("fips140").Value() == "only"
 
 func ApprovedHash(h hash.Hash) bool {
 	switch h.(type) {
diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go
index 6b0cd3f39e..e635a24809 100644
--- a/src/crypto/internal/fips140test/check_test.go
+++ b/src/crypto/internal/fips140test/check_test.go
@@ -26,7 +26,7 @@ func TestFIPSCheckVerify(t *testing.T) {
 		return
 	}
 
-	if godebug.New("#fips140").Value() == "on" {
+	if godebug.New("fips140").Value() == "on" {
 		t.Fatalf("GODEBUG=fips140=on but verification did not run")
 	}
 
diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
index 9c48a923f0..e0fde01f09 100644
--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
@@ -28,6 +28,7 @@ var All = []Info{
 	{Name: "asynctimerchan", Package: "time", Changed: 23, Old: "1"},
 	{Name: "dataindependenttiming", Package: "crypto/subtle", Opaque: true},
 	{Name: "execerrdot", Package: "os/exec"},
+	{Name: "fips140", Package: "crypto/fips140", Opaque: true},
 	{Name: "gocachehash", Package: "cmd/go"},
 	{Name: "gocachetest", Package: "cmd/go"},
 	{Name: "gocacheverify", Package: "cmd/go"},