authorFilippo Valsorda <filippo@golang.org>2024-11-22 04:21:12 +0100
committerGopher Robot <gobot@golang.org>2024-11-22 03:48:06 +0000
commitb299e9a44f298e72815ca0513bcc6ccca075f3fc (patch)
treeed61881d01d27c7b71552d632cb10a9e30656d47 /src/crypto/internal
parent07b42666051841352077c0d04ba67d510247fd1d (diff)
crypto: implement fips140=only mode
Running the test suite in this mode is definitely not an option. Testing this will probably look like a very long test that tries all functions. Filed #70514 to track the tests. For #70123 Change-Id: I6f67de83da37dd1e94e620b7f4f4f6aabe040c41 Reviewed-on: https://go-review.googlesource.com/c/go/+/631018 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src/crypto/internal')
-rw-r--r--src/crypto/internal/fips140only/fips140only.go26
1 files changed, 26 insertions, 0 deletions
diff --git a/src/crypto/internal/fips140only/fips140only.go b/src/crypto/internal/fips140only/fips140only.go
new file mode 100644
index 0000000000..6ad97befbe
--- /dev/null
+++ b/src/crypto/internal/fips140only/fips140only.go
@@ -0,0 +1,26 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package fips140only
+
+import (
+ "crypto/internal/fips140/sha256"
+ "crypto/internal/fips140/sha3"
+ "crypto/internal/fips140/sha512"
+ "hash"
+ "internal/godebug"
+)
+
+// Enabled reports whether FIPS 140-only mode is enabled, in which non-approved
+// cryptography returns an error or panics.
+var Enabled = godebug.New("#fips140").Value() == "only"
+
+func ApprovedHash(h hash.Hash) bool {
+ switch h.(type) {
+ case *sha256.Digest, *sha512.Digest, *sha3.Digest:
+ return true
+ default:
+ return false
+ }
+}
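Review bot: The exported ApprovedHash has no doc comment, and its contract matters to callers enforcing the mode: the type switch matches only the concrete `*sha256.Digest`, `*sha512.Digest` and `*sha3.Digest` types from the internal fips140 packages, so a hash.Hash that wraps an approved digest in another type is reported as not approved. That fails closed, which is the safe direction, but it should be stated, for example `// ApprovedHash reports whether h is one of the FIPS 140 module's own SHA-2 or SHA-3 digests; any other hash.Hash, including a wrapper around an approved one, returns false.` Separately, Enabled is a package-level var computed once from `godebug.New("#fips140").Value()` at initialization, so its comment could add that the value is fixed for the life of the process and does not follow later GODEBUG changes.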