diff --git a/go b/go index d9cc4944ce..d524e1eccd 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit d9cc4944ce3f36fc8fd1c63f35c206b308a3503f +Subproject commit d524e1eccd559b40130c3bac77f3f7dc33d476ab diff --git a/patches/0002-Vendor-crypto-backends.patch b/patches/0002-Vendor-crypto-backends.patch index 7b33e81f68..a56ef98252 100644 --- a/patches/0002-Vendor-crypto-backends.patch +++ b/patches/0002-Vendor-crypto-backends.patch @@ -222,12 +222,12 @@ index 00000000000000..ae4055d2d71303 +// that are used by the backend package. This allows to track +// their versions in a single patch file. diff --git a/src/go.mod b/src/go.mod -index ccfdbd8ea22d77..8279edd727aada 100644 +index c0bbca7e29bcc4..bfdd6e7bfc1213 100644 --- a/src/go.mod +++ b/src/go.mod @@ -11,3 +11,9 @@ require ( - golang.org/x/sys v0.28.0 // indirect - golang.org/x/text v0.21.0 // indirect + golang.org/x/sys v0.30.0 // indirect + golang.org/x/text v0.22.0 // indirect ) + +require ( @@ -236,7 +236,7 @@ index ccfdbd8ea22d77..8279edd727aada 100644 + github.com/microsoft/go-crypto-winnative v0.0.0-20250211154640-f49c8e1379ea +) diff --git a/src/go.sum b/src/go.sum -index 4d6a33e34a4e63..501aecb4cccb41 100644 +index 61223c0bbb6ee0..8828ddafccac4d 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,9 @@ @@ -246,14 +246,14 @@ index 4d6a33e34a4e63..501aecb4cccb41 100644 +github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= +github.com/microsoft/go-crypto-winnative v0.0.0-20250211154640-f49c8e1379ea h1:JuRzAUOV9uaQdoNeuHyOEAJbpRahsICnwfPPGzzuzRw= +github.com/microsoft/go-crypto-winnative v0.0.0-20250211154640-f49c8e1379ea/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA= - golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= - golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= - golang.org/x/net v0.32.1-0.20250121202134-9a960c88dd98 h1:36bTiCRO7f/J3t+LumnLTJDXqxsp1x6Q7754SsRD9u4= + golang.org/x/crypto v0.33.1-0.20250210163342-e47973b1c108 h1:FwaGHNRX5GDt6vHr+Ly+yRTs0ADe4xTlGOzwaga4ZOs= + golang.org/x/crypto v0.33.1-0.20250210163342-e47973b1c108/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= + golang.org/x/net v0.35.1-0.20250213222735-884432780bfd h1:NtufTkm/X6BNpniJAbESf1Mvax5jGy+/oP53IEn5RiA= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index e3e01077c18b17..72e56b5da8e582 100644 +index 580500c033e1fc..065ddf6ab67c9a 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go -@@ -493,6 +493,24 @@ var depsRules = ` +@@ -497,6 +497,24 @@ var depsRules = ` < crypto/internal/fips140/rsa < FIPS; @@ -278,7 +278,7 @@ index e3e01077c18b17..72e56b5da8e582 100644 FIPS, internal/godebug < crypto/fips140; crypto, hash !< FIPS; -@@ -506,13 +524,12 @@ var depsRules = ` +@@ -510,13 +528,12 @@ var depsRules = ` FIPS, internal/godebug, hash, embed, crypto/internal/boring/sig, crypto/internal/boring/syso, @@ -296,7 +296,7 @@ index e3e01077c18b17..72e56b5da8e582 100644 < crypto/internal/boring < crypto/boring < crypto/aes, -@@ -533,6 +550,10 @@ var depsRules = ` +@@ -537,6 +554,10 @@ var depsRules = ` # CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok. @@ -15170,7 +15170,7 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index d42f50b43ccdba..8f04bd6fc8fd78 100644 +index 791a7d8e874bae..5c0d5b8b520ebd 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,19 @@ @@ -15190,6 +15190,6 @@ index d42f50b43ccdba..8f04bd6fc8fd78 100644 +github.com/microsoft/go-crypto-winnative/internal/bcrypt +github.com/microsoft/go-crypto-winnative/internal/subtle +github.com/microsoft/go-crypto-winnative/internal/sysdll - # golang.org/x/crypto v0.30.0 + # golang.org/x/crypto v0.33.1-0.20250210163342-e47973b1c108 ## explicit; go 1.20 golang.org/x/crypto/chacha20 diff --git a/patches/0004-Use-crypto-backends.patch b/patches/0004-Use-crypto-backends.patch index b9feee870d..b91b64cbfb 100644 --- a/patches/0004-Use-crypto-backends.patch +++ b/patches/0004-Use-crypto-backends.patch @@ -40,7 +40,9 @@ Subject: [PATCH] Use crypto backends src/crypto/hmac/hmac_test.go | 2 +- src/crypto/internal/cryptotest/allocations.go | 2 +- .../internal/cryptotest/implementations.go | 2 +- - src/crypto/internal/fips140test/check_test.go | 8 +- + src/crypto/internal/fips140test/acvp_test.go | 6 + + src/crypto/internal/fips140test/check_test.go | 16 ++ + src/crypto/internal/fips140test/fips_test.go | 2 +- src/crypto/md5/md5.go | 10 + src/crypto/md5/md5_test.go | 16 ++ src/crypto/pbkdf2/pbkdf2.go | 7 + @@ -85,7 +87,7 @@ Subject: [PATCH] Use crypto backends src/net/smtp/smtp_test.go | 72 ++++--- src/os/exec/exec_test.go | 9 + src/runtime/pprof/vminfo_darwin_test.go | 6 + - 81 files changed, 1138 insertions(+), 112 deletions(-) + 83 files changed, 1154 insertions(+), 112 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ecdsa/badlinkname.go @@ -111,10 +113,10 @@ index f0e3575637c62a..9eab3b4e66e60b 100644 package main diff --git a/src/cmd/dist/build.go b/src/cmd/dist/build.go -index 1f467647f56143..4d770d7fc239e2 100644 +index 4fcc508f8ed48e..eb5ef7df6eaca1 100644 --- a/src/cmd/dist/build.go +++ b/src/cmd/dist/build.go -@@ -1543,6 +1543,19 @@ func cmdbootstrap() { +@@ -1534,6 +1534,19 @@ func cmdbootstrap() { xprintf("Building Go toolchain2 using go_bootstrap and Go toolchain1.\n") os.Setenv("CC", compilerEnvLookup("CC", defaultcc, goos, goarch)) // Now that cmd/go is in charge of the build process, enable GOEXPERIMENT. @@ -135,7 +137,7 @@ index 1f467647f56143..4d770d7fc239e2 100644 // No need to enable PGO for toolchain2. goInstall(toolenv(), goBootstrap, append([]string{"-pgo=off"}, toolchain...)...) diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go -index 005e1da86a1dc2..7536a83a124740 100644 +index b137c7db7990bd..73c39e8f4e5eda 100644 --- a/src/cmd/dist/test.go +++ b/src/cmd/dist/test.go @@ -710,7 +710,7 @@ func (t *tester) registerTests() { @@ -145,7 +147,7 @@ index 005e1da86a1dc2..7536a83a124740 100644 - if t.fipsSupported() { + if false { // Disable these tests, they don't work if CNG/OpenSSL FIPS mode is not enabled. We already have dedicated builders for this. // Test standard crypto packages with fips140=on. - t.registerTest("GODEBUG=fips140=on go test crypto/...", &goTest{ + t.registerTest("GOFIPS140=latest go test crypto/...", &goTest{ variant: "gofips140", @@ -1165,6 +1165,11 @@ func (t *tester) internalLink() bool { if goos == "windows" && goarch == "arm64" { @@ -272,7 +274,7 @@ index b2d4ad7cb0e7f6..2859879041ff8f 100644 *mode = BuildModePIE default: diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go -index 2d8f964f3594c6..a587e1abde57c9 100644 +index b114ca2a3d4115..0be0f3d218b09b 100644 --- a/src/cmd/link/internal/ld/lib.go +++ b/src/cmd/link/internal/ld/lib.go @@ -1172,6 +1172,7 @@ var hostobj []Hostobj @@ -1081,7 +1083,7 @@ index 00000000000000..77b69a3be88183 + panic("boringcrypto: not available") +} diff --git a/src/crypto/fips140/fips140.go b/src/crypto/fips140/fips140.go -index 41d0d170cf9fc8..b6b413532d8104 100644 +index 1c4036d5e74735..05266dea864aa3 100644 --- a/src/crypto/fips140/fips140.go +++ b/src/crypto/fips140/fips140.go @@ -5,6 +5,7 @@ @@ -1210,29 +1212,52 @@ index 3fa730459050f6..1f28f12a6e7b4f 100644 "crypto/internal/impl" "internal/goos" "internal/testenv" +diff --git a/src/crypto/internal/fips140test/acvp_test.go b/src/crypto/internal/fips140test/acvp_test.go +index ddb234bab655e1..75cfc0440b8837 100644 +--- a/src/crypto/internal/fips140test/acvp_test.go ++++ b/src/crypto/internal/fips140test/acvp_test.go +@@ -22,6 +22,8 @@ import ( + "bufio" + "bytes" + "crypto/elliptic" ++ boring "crypto/internal/backend" ++ bfips140 "crypto/internal/backend/fips140" + "crypto/internal/cryptotest" + "crypto/internal/fips140" + "crypto/internal/fips140/aes" +@@ -2072,6 +2074,10 @@ func cmdKtsIfcResponderAft(h func() fips140.Hash) command { + func TestACVP(t *testing.T) { + testenv.SkipIfShortAndSlow(t) + ++ if boring.Enabled && !bfips140.Enabled() { ++ t.Skipf("skipping: FIPS is not enabled") ++ } ++ + const ( + bsslModule = "boringssl.googlesource.com/boringssl.git" + bsslVersion = "v0.0.0-20250207174145-0bb19f6126cb" diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go -index 6b0cd3f39e1695..aa586ed30454a2 100644 +index c014fff2a6d80d..be2df5988694ef 100644 --- a/src/crypto/internal/fips140test/check_test.go +++ b/src/crypto/internal/fips140test/check_test.go -@@ -5,6 +5,8 @@ - package fipstest +@@ -6,6 +6,8 @@ package fipstest import ( + "bytes" + boring "crypto/internal/backend" + bfips140 "crypto/internal/backend/fips140" "crypto/internal/fips140" . "crypto/internal/fips140/check" "crypto/internal/fips140/check/checktest" -@@ -18,7 +20,7 @@ import ( - "unsafe" - ) - --const enableFIPSTest = true -+const enableFIPSTest = boring.Enabled +@@ -31,10 +33,18 @@ func TestIntegrityCheck(t *testing.T) { + t.Fatalf("GODEBUG=fips140=on but verification did not run") + } - func TestFIPSCheckVerify(t *testing.T) { - if Verified { -@@ -38,6 +40,10 @@ func TestFIPSCheckVerify(t *testing.T) { ++ if !boring.Enabled { ++ t.Skip("skipping: boring not enabled") ++ } ++ + if err := fips140.Supported(); err != nil { t.Skipf("skipping: %v", err) } @@ -1240,9 +1265,42 @@ index 6b0cd3f39e1695..aa586ed30454a2 100644 + t.Skipf("skipping: FIPS is not enabled") + } + - cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestFIPSCheck") + cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestIntegrityCheck") cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on") out, err := cmd.CombinedOutput() +@@ -47,6 +57,9 @@ func TestIntegrityCheck(t *testing.T) { + func TestIntegrityCheckFailure(t *testing.T) { + moduleStatus(t) + testenv.MustHaveExec(t) ++ if !boring.Enabled { ++ t.Skip("skipping: boring not enabled") ++ } + if err := fips140.Supported(); err != nil { + t.Skipf("skipping: %v", err) + } +@@ -90,6 +103,9 @@ func TestIntegrityCheckFailure(t *testing.T) { + } + + func TestIntegrityCheckInfo(t *testing.T) { ++ if !boring.Enabled { ++ t.Skip("skipping: boring not enabled") ++ } + if err := fips140.Supported(); err != nil { + t.Skipf("skipping: %v", err) + } +diff --git a/src/crypto/internal/fips140test/fips_test.go b/src/crypto/internal/fips140test/fips_test.go +index 81ccd0cf7fdd1d..34fdd6f5aed6cd 100644 +--- a/src/crypto/internal/fips140test/fips_test.go ++++ b/src/crypto/internal/fips140test/fips_test.go +@@ -15,7 +15,7 @@ package fipstest + + import ( + "bytes" +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "crypto/internal/fips140" + "crypto/internal/fips140/aes" + "crypto/internal/fips140/aes/gcm" diff --git a/src/crypto/md5/md5.go b/src/crypto/md5/md5.go index a0384e175f31bd..f7aa6da36f02de 100644 --- a/src/crypto/md5/md5.go @@ -1803,7 +1861,7 @@ index 95bb4becd2ff8c..73991434dabaf1 100644 "crypto/internal/fips140/rsa" "crypto/internal/fips140only" diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go -index 73b0c3749eedb2..1a712a0e1c5d95 100644 +index 795439d1c13df0..cc497755a2de28 100644 --- a/src/crypto/rsa/rsa_test.go +++ b/src/crypto/rsa/rsa_test.go @@ -8,7 +8,7 @@ import ( @@ -1815,7 +1873,7 @@ index 73b0c3749eedb2..1a712a0e1c5d95 100644 "crypto/internal/cryptotest" "crypto/rand" . "crypto/rsa" -@@ -146,6 +146,11 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) { +@@ -149,6 +149,11 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) { if priv.D.Cmp(priv.N) > 0 { t.Errorf("private exponent too large") } @@ -1827,7 +1885,7 @@ index 73b0c3749eedb2..1a712a0e1c5d95 100644 msg := []byte("hi!") enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) -@@ -226,6 +231,11 @@ func testEverything(t *testing.T, priv *PrivateKey) { +@@ -229,6 +234,11 @@ func testEverything(t *testing.T, priv *PrivateKey) { if err := priv.Validate(); err != nil { t.Errorf("Validate() failed: %s", err) } @@ -1839,7 +1897,7 @@ index 73b0c3749eedb2..1a712a0e1c5d95 100644 msg := []byte("test") enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) -@@ -853,6 +863,9 @@ func TestDecryptOAEP(t *testing.T) { +@@ -927,6 +937,9 @@ func TestDecryptOAEP(t *testing.T) { } func Test2DecryptOAEP(t *testing.T) { @@ -2607,7 +2665,7 @@ index e7369542a73270..ff52175e4ac636 100644 } } diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index f9c403aba45f5c..c956d394776ea0 100644 +index 1889403cac91e0..01609e5e6a9d62 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -520,7 +520,7 @@ var depsRules = `