authorFilippo Valsorda <filippo@golang.org>2025-03-06 17:08:02 +0100
committerJunyang Shao <shaojunyang@google.com>2025-09-25 12:02:18 -0700
commitabbddbbdcb3b103dfdfc8a01b4355ed3e60bae9e (patch)
treea69f0cdbd9e8c06cd1bfb677dd268eb964f4a2c3
parent0e3c8891ba2c06c3c865e4ab0a3929ceba4c7d4a (diff)
downloadgo-abbddbbdcb3b103dfdfc8a01b4355ed3e60bae9e.tar.xz
[release-branch.go1.24] crypto/internal/fips140: make Version return latest when not frozen
Cherry-picked to allow running new mkzip.go on release-branch.go1.24. Updates #75523 Updates #71820 Change-Id: I6a6a46563da281a7b20efc61eefdcbb2e146db33 Reviewed-on: https://go-review.googlesource.com/c/go/+/655795 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/701439 Reviewed-by: Mark Freeman <markfreeman@google.com>
-rw-r--r--src/cmd/go/internal/fips140/mkzip.go30
-rw-r--r--src/crypto/internal/fips140/fips140.go6
-rw-r--r--src/runtime/debug/mod.go1
3 files changed, 36 insertions, 1 deletions
diff --git a/src/cmd/go/internal/fips140/mkzip.go b/src/cmd/go/internal/fips140/mkzip.go
index 1fb1a14e73..7a6ba80324 100644
--- a/src/cmd/go/internal/fips140/mkzip.go
+++ b/src/cmd/go/internal/fips140/mkzip.go
@@ -95,6 +95,7 @@ func main() {
var zbuf2 bytes.Buffer
zw := zip.NewWriter(&zbuf2)
+ foundVersion := false
for _, f := range zr.File {
// golang.org/fips140@v1.2.3/dir/file.go ->
// golang.org/fips140@v1.2.3/fips140/v1.2.3/dir/file.go
@@ -102,6 +103,32 @@ func main() {
f.Name = "golang.org/fips140@" + version + "/fips140/" + version +
strings.TrimPrefix(f.Name, "golang.org/fips140@"+version)
}
+ // Inject version in [crypto/internal/fips140.Version].
+ if f.Name == "golang.org/fips140@"+version+"/fips140/"+version+"/fips140.go" {
+ rf, err := f.Open()
+ if err != nil {
+ log.Fatal(err)
+ }
+ contents, err := io.ReadAll(rf)
+ if err != nil {
+ log.Fatal(err)
+ }
+ returnLine := `return "latest" //mkzip:version`
+ if !bytes.Contains(contents, []byte(returnLine)) {
+ log.Fatalf("did not find %q in fips140.go", returnLine)
+ }
+ newLine := `return "` + version + `"`
+ contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine))
+ wf, err := zw.Create(f.Name)
+ if err != nil {
+ log.Fatal(err)
+ }
+ if _, err := wf.Write(contents); err != nil {
+ log.Fatal(err)
+ }
+ foundVersion = true
+ continue
+ }
wf, err := zw.CreateRaw(&f.FileHeader)
if err != nil {
log.Fatal(err)
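Review bot: The `bytes.Contains` check before `bytes.ReplaceAll` only proves that `returnLine` occurs at least once, so a fips140.go holding the marker text a second time (for example inside a comment) would have every occurrence rewritten with no diagnostic. Since this tool produces the frozen module zip, it is safer to require exactly one match: `if n := bytes.Count(contents, []byte(returnLine)); n != 1 { log.Fatalf("found %q %d times in fips140.go, want 1", returnLine, n) }`. Separately, `rf` from `f.Open()` is never closed after `io.ReadAll`; an `rf.Close()` right after the read would fix that. `version` is also spliced unquoted into Go source in `newLine`, and its validation is not visible here, so confirm it is restricted to a version pattern earlier in `main`, whose body starts and ends outside the hunk.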
@@ -117,6 +144,9 @@ func main() {
if err := zw.Close(); err != nil {
log.Fatal(err)
}
+ if !foundVersion {
+ log.Fatal("did not find fips140.go file")
+ }
err = os.WriteFile(version+".zip", zbuf2.Bytes(), 0666)
if err != nil {
diff --git a/src/crypto/internal/fips140/fips140.go b/src/crypto/internal/fips140/fips140.go
index c7b167b82a..e48706fbd5 100644
--- a/src/crypto/internal/fips140/fips140.go
+++ b/src/crypto/internal/fips140/fips140.go
@@ -62,6 +62,10 @@ func Name() string {
return "Go Cryptographic Module"
}
+// Version returns the formal version (such as "v1.0.0") if building against a
+// frozen module with GOFIPS140. Otherwise, it returns "latest".
func Version() string {
- return "v1.0"
+ // This return value is replaced by mkzip.go, it must not be changed or
+ // moved to a different file.
+ return "latest" //mkzip:version
}
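Review bot: The comment inside `Version` says the return value must not be changed or moved, but mkzip.go matches the whole text `return "latest" //mkzip:version` byte for byte, so a spacing change before the `//` marker would break the substitution as well. I would say so in the comment, e.g. `// mkzip.go replaces the exact text of the next line (including the //mkzip:version marker and its spacing); do not edit, reformat or move it.` mkzip.go aborts when the text is missing, so the failure is loud, but it only shows up when a module zip is built.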
diff --git a/src/runtime/debug/mod.go b/src/runtime/debug/mod.go
index 3eab08744f..917e734284 100644
--- a/src/runtime/debug/mod.go
+++ b/src/runtime/debug/mod.go
@@ -81,6 +81,7 @@ type Module struct {
// - GOARCH: the architecture target
// - GOAMD64/GOARM/GO386/etc: the architecture feature level for GOARCH
// - GOOS: the operating system target
+// - GOFIPS140: the frozen FIPS 140-3 module version, if any
// - vcs: the version control system for the source tree where the build ran
// - vcs.revision: the revision identifier for the current commit or checkout
// - vcs.time: the modification time associated with vcs.revision, in RFC3339 format