From 86bbea0cfa72041fb4315eb22099b0bc83caa314 Mon Sep 17 00:00:00 2001
From: Daniel Morsing <daniel.morsing@gmail.com>
Date: Mon, 24 Nov 2025 13:08:10 +0000
Subject: crypto/fips140: add WithoutEnforcement

WithoutEnforcement lets programs running under GODEBUG=fips140=only
selectively opt out of strict enforcement. This is especially helpful
for non-critical uses of cryptography routines like SHA-1 for content
addressable storage backends (E.g. git).

Fixes #74630

Change-Id: Iabba1f5eb63498db98047aca45e09c5dccf2fbdf
Reviewed-on: https://go-review.googlesource.com/c/go/+/723720
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 src/crypto/cipher/ctr.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/crypto/cipher/ctr.go')

diff --git a/src/crypto/cipher/ctr.go b/src/crypto/cipher/ctr.go
index 49512ca5dd..8e63ed7e66 100644
--- a/src/crypto/cipher/ctr.go
+++ b/src/crypto/cipher/ctr.go
@@ -42,7 +42,7 @@ func NewCTR(block Block, iv []byte) Stream {
 	if block, ok := block.(*aes.Block); ok {
 		return aesCtrWrapper{aes.NewCTR(block, iv)}
 	}
-	if fips140only.Enabled {
+	if fips140only.Enforced() {
 		panic("crypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only mode")
 	}
 	if ctr, ok := block.(ctrAble); ok {
-- 
cgit v1.3-5-g9baa