authorDaniel Morsing <daniel.morsing@gmail.com>2025-11-24 13:08:10 +0000
committerGopher Robot <gobot@golang.org>2025-11-26 14:26:06 -0800
commit86bbea0cfa72041fb4315eb22099b0bc83caa314 (patch)
tree3c3a008214e4a9d929a2d8f76f98fe1cf2f323d2 /src/runtime
parente2cae9ecdf944a1cc5d8803ff8932180858b8ce6 (diff)
crypto/fips140: add WithoutEnforcement
WithoutEnforcement lets programs running under GODEBUG=fips140=only selectively opt out of strict enforcement. This is especially helpful for non-critical uses of cryptography routines like SHA-1 for content-addressable storage backends (e.g. git). Fixes #74630 Change-Id: Iabba1f5eb63498db98047aca45e09c5dccf2fbdf Reviewed-on: https://go-review.googlesource.com/c/go/+/723720 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src/runtime')
-rw-r--r--src/runtime/fipsbypass.go22
-rw-r--r--src/runtime/proc.go4
-rw-r--r--src/runtime/runtime2.go1
3 files changed, 27 insertions, 0 deletions
diff --git a/src/runtime/fipsbypass.go b/src/runtime/fipsbypass.go
new file mode 100644
index 0000000000..12df9c6b6a
--- /dev/null
+++ b/src/runtime/fipsbypass.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package runtime
+
+import _ "unsafe"
+
+//go:linkname fips140_setBypass crypto/fips140.setBypass
+func fips140_setBypass() {
+ getg().fipsOnlyBypass = true
+}
+
+//go:linkname fips140_unsetBypass crypto/fips140.unsetBypass
+func fips140_unsetBypass() {
+ getg().fipsOnlyBypass = false
+}
+
+//go:linkname fips140_isBypassed crypto/fips140.isBypassed
+func fips140_isBypassed() bool {
+ return getg().fipsOnlyBypass
+}
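Review bot: The three linkname'd functions in fipsbypass.go carry no doc comments, and the state they toggle is a plain per-goroutine bool rather than a depth counter, so with nested set/unset pairs the inner `fips140_unsetBypass` would also end the outer region. Whether crypto/fips140 guards against nesting is not visible here, so I would state the contract at the definition, e.g. `// fips140_setBypass exempts the current goroutine from fips140=only enforcement; the flag does not nest, so callers must pair it with exactly one unsetBypass.` The new `fipsOnlyBypass` field in runtime2.go also lacks a trailing comment, unlike its neighbour `syncSafePoint`; something like `// goroutine is exempt from fips140=only enforcement` would do.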
diff --git a/src/runtime/proc.go b/src/runtime/proc.go
index 58fb4bd681..3b98be1074 100644
--- a/src/runtime/proc.go
+++ b/src/runtime/proc.go
@@ -4481,6 +4481,7 @@ func gdestroy(gp *g) {
gp.labels = nil
gp.timer = nil
gp.bubble = nil
+ gp.fipsOnlyBypass = false
if gcBlackenEnabled != 0 && gp.gcAssistBytes > 0 {
// Flush assist credit to the global pool. This gives
@@ -5325,6 +5326,9 @@ func newproc1(fn *funcval, callergp *g, callerpc uintptr, parked bool, waitreaso
traceRelease(trace)
}
+ // fips140 bubble
+ newg.fipsOnlyBypass = callergp.fipsOnlyBypass
+
// Set up race context.
if raceenabled {
newg.racectx = racegostart(callerpc)
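Review bot: The copy `newg.fipsOnlyBypass = callergp.fipsOnlyBypass` is taken once at goroutine creation, and `fips140_unsetBypass` only clears the flag on the calling g, so a goroutine started inside a bypassed region appears to stay exempt from fips140=only enforcement for its whole lifetime, including after the parent's region has ended. If that is intended, the `// fips140 bubble` comment should say so, because the opt-out then reaches beyond the lexical scope a reader would expect: `// Inherit the FIPS 140 enforcement bypass from the creator; it is not revoked when the creator later clears its own flag.` newproc1's body starts and ends outside the hunk.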
diff --git a/src/runtime/runtime2.go b/src/runtime/runtime2.go
index 3175ee55f5..58eaf80237 100644
--- a/src/runtime/runtime2.go
+++ b/src/runtime/runtime2.go
@@ -545,6 +545,7 @@ type g struct {
runnableTime int64 // the amount of time spent runnable, cleared when running, only used when tracking
lockedm muintptr
fipsIndicator uint8
+ fipsOnlyBypass bool
syncSafePoint bool // set if g is stopped at a synchronous safe point.
runningCleanups atomic.Bool
sig uint32