From abbddbbdcb3b103dfdfc8a01b4355ed3e60bae9e Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 6 Mar 2025 17:08:02 +0100 Subject: [PATCH] [release-branch.go1.24] crypto/internal/fips140: make Version return latest when not frozen Cherry-picked to allow running new mkzip.go on release-branch.go1.24. Updates #75523 Updates #71820 Change-Id: I6a6a46563da281a7b20efc61eefdcbb2e146db33 Reviewed-on: https://go-review.googlesource.com/c/go/+/655795 LUCI-TryBot-Result: Go LUCI Reviewed-by: Daniel McCarney Reviewed-by: Junyang Shao Auto-Submit: Filippo Valsorda Reviewed-by: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/go/+/701439 Reviewed-by: Mark Freeman --- src/cmd/go/internal/fips140/mkzip.go | 30 ++++++++++++++++++++++++++ src/crypto/internal/fips140/fips140.go | 6 +++++- src/runtime/debug/mod.go | 1 + 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/src/cmd/go/internal/fips140/mkzip.go b/src/cmd/go/internal/fips140/mkzip.go index 1fb1a14e73..7a6ba80324 100644 --- a/src/cmd/go/internal/fips140/mkzip.go +++ b/src/cmd/go/internal/fips140/mkzip.go @@ -95,6 +95,7 @@ func main() { var zbuf2 bytes.Buffer zw := zip.NewWriter(&zbuf2) + foundVersion := false for _, f := range zr.File { // golang.org/fips140@v1.2.3/dir/file.go -> // golang.org/fips140@v1.2.3/fips140/v1.2.3/dir/file.go @@ -102,6 +103,32 @@ func main() { f.Name = "golang.org/fips140@" + version + "/fips140/" + version + strings.TrimPrefix(f.Name, "golang.org/fips140@"+version) } + // Inject version in [crypto/internal/fips140.Version]. + if f.Name == "golang.org/fips140@"+version+"/fips140/"+version+"/fips140.go" { + rf, err := f.Open() + if err != nil { + log.Fatal(err) + } + contents, err := io.ReadAll(rf) + if err != nil { + log.Fatal(err) + } + returnLine := `return "latest" //mkzip:version` + if !bytes.Contains(contents, []byte(returnLine)) { + log.Fatalf("did not find %q in fips140.go", returnLine) + } + newLine := `return "` + version + `"` + contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine)) + wf, err := zw.Create(f.Name) + if err != nil { + log.Fatal(err) + } + if _, err := wf.Write(contents); err != nil { + log.Fatal(err) + } + foundVersion = true + continue + } wf, err := zw.CreateRaw(&f.FileHeader) if err != nil { log.Fatal(err) @@ -117,6 +144,9 @@ func main() { if err := zw.Close(); err != nil { log.Fatal(err) } + if !foundVersion { + log.Fatal("did not find fips140.go file") + } err = os.WriteFile(version+".zip", zbuf2.Bytes(), 0666) if err != nil { diff --git a/src/crypto/internal/fips140/fips140.go b/src/crypto/internal/fips140/fips140.go index c7b167b82a..e48706fbd5 100644 --- a/src/crypto/internal/fips140/fips140.go +++ b/src/crypto/internal/fips140/fips140.go @@ -62,6 +62,10 @@ func Name() string { return "Go Cryptographic Module" } +// Version returns the formal version (such as "v1.0.0") if building against a +// frozen module with GOFIPS140. Otherwise, it returns "latest". func Version() string { - return "v1.0" + // This return value is replaced by mkzip.go, it must not be changed or + // moved to a different file. + return "latest" //mkzip:version } diff --git a/src/runtime/debug/mod.go b/src/runtime/debug/mod.go index 3eab08744f..917e734284 100644 --- a/src/runtime/debug/mod.go +++ b/src/runtime/debug/mod.go @@ -81,6 +81,7 @@ type Module struct { // - GOARCH: the architecture target // - GOAMD64/GOARM/GO386/etc: the architecture feature level for GOARCH // - GOOS: the operating system target +// - GOFIPS140: the frozen FIPS 140-3 module version, if any // - vcs: the version control system for the source tree where the build ran // - vcs.revision: the revision identifier for the current commit or checkout // - vcs.time: the modification time associated with vcs.revision, in RFC3339 format -- 2.52.0