From: Filippo Valsorda Date: Thu, 6 Feb 2025 10:34:20 +0000 (+0100) Subject: crypto/tls: document FIPS 140-3 mode behavior X-Git-Tag: go1.25rc1~1062 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=fc0049fb20fe5998232a365b5ee08d6730693f1b;p=gostls13.git crypto/tls: document FIPS 140-3 mode behavior Change-Id: I6a6a465612cf76d148b9758ee3fcdc8606497830 Reviewed-on: https://go-review.googlesource.com/c/go/+/648835 Reviewed-by: Daniel McCarney LUCI-TryBot-Result: Go LUCI Auto-Submit: Filippo Valsorda Reviewed-by: Roland Shoemaker Reviewed-by: Ian Lance Taylor --- diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go index f3089f0ed6..c64201abc1 100644 --- a/src/crypto/tls/tls.go +++ b/src/crypto/tls/tls.go @@ -4,6 +4,15 @@ // Package tls partially implements TLS 1.2, as specified in RFC 5246, // and TLS 1.3, as specified in RFC 8446. +// +// # FIPS 140-3 mode +// +// When the program is in [FIPS 140-3 mode], this package behaves as if +// only protocol versions, cipher suites, signature algorithms, and +// key exchange algorithms approved by NIST SP 800-52r2 are implemented. +// Others are silently ignored and not negotiated. +// +// [FIPS 140-3 mode]: https://go.dev/doc/security/fips140 package tls // BUG(agl): The crypto/tls package only implements some countermeasures
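Review bot: In the added "# FIPS 140-3 mode" paragraph of the package comment, the sentence "Others are silently ignored and not negotiated" does not say what a caller observes when its Config, or the peer, offers only non-approved protocol versions, cipher suites, signature algorithms or key exchange algorithms. Consider adding one sentence stating the outcome in that case (for example, that the handshake fails for lack of a mutually supported option), since with silent filtering a misconfiguration could otherwise surface only at connection time with no hint that FIPS 140-3 mode is the cause. The comment also cites NIST SP 800-52r2 without listing the approved set; a pointer to where that set is enumerated, or a note that the linked go.dev page covers it, would let readers check their configuration against it.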