authorSean Liao <sean@liao.dev>2025-11-21 22:27:36 +0000
committerSean Liao <sean@liao.dev>2025-11-24 23:09:27 -0800
commitaa093eed830796b3ba498b04077d8ee2d6d428bf (patch)
tree4a23abe227dd2b54713ddc1dcefdcb918ebc87f3
parent1dc1505d4ad0d3a3172d90e16858697b0dca0ab7 (diff)
downloadgo-aa093eed830796b3ba498b04077d8ee2d6d428bf.tar.xz
crypto/fips140: add Version
Fixes #75301 Change-Id: If953b4382499570d5437491036f91cbe4fec7c01 Reviewed-on: https://go-review.googlesource.com/c/go/+/723101 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-rw-r--r--api/next/75301.txt1
-rw-r--r--doc/next/6-stdlib/99-minor/crypto/fips140/75301.md1
-rw-r--r--src/crypto/fips140/fips140.go15
3 files changed, 17 insertions, 0 deletions
diff --git a/api/next/75301.txt b/api/next/75301.txt
new file mode 100644
index 0000000000..8d16837091
--- /dev/null
+++ b/api/next/75301.txt
@@ -0,0 +1 @@
+pkg crypto/fips140, func Version() string #75301
diff --git a/doc/next/6-stdlib/99-minor/crypto/fips140/75301.md b/doc/next/6-stdlib/99-minor/crypto/fips140/75301.md
new file mode 100644
index 0000000000..2dd77f61ef
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/fips140/75301.md
@@ -0,0 +1 @@
+[Version] returns the resolved FIPS 140-3 Go Cryptographic Module version when building against a frozen module with GOFIPS140.
diff --git a/src/crypto/fips140/fips140.go b/src/crypto/fips140/fips140.go
index 830b6f80af..f44f3b399b 100644
--- a/src/crypto/fips140/fips140.go
+++ b/src/crypto/fips140/fips140.go
@@ -23,3 +23,18 @@ func Enabled() bool {
}
return fips140.Enabled
}
+
+// Version returns the FIPS 140-3 Go Cryptographic Module version (such as
+// "v1.0.0"), as referenced in the Security Policy for the module, if building
+// against a frozen module with GOFIPS140. Otherwise, it returns "latest". If an
+// alias is in use (such as "inprogress") the actual resolved version is
+// returned.
+//
+// The returned version may not uniquely identify the frozen module which was
+// used to build the program, if there are multiple copies of the frozen module
+// at the same version. The uniquely identifying version suffix can be found by
+// checking the value of the GOFIPS140 setting in
+// runtime/debug.BuildInfo.Settings.
+func Version() string {
+ return fips140.Version()
+}
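Review bot: The doc comment on Version does not say how the result relates to Enabled, which ends just above it in the same file, so a reader could take a return such as "v1.0.0" as evidence that the program is running in FIPS 140-3 mode. Version only forwards fips140.Version(), so as far as the hunk shows it describes which module the binary was built against, not the runtime mode; compliance or audit logging should record both values. I would add a sentence such as `// Version does not report whether FIPS 140-3 mode is active; use [Enabled] for that.` The diffstat lists no test file, so a small test pinning the "latest" result for a build without GOFIPS140 would also be worth adding.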