From b2aa18b96cefb48641ec69a79bc67d030b93f093 Mon Sep 17 00:00:00 2001 From: Russ Cox Date: Tue, 7 Jan 2025 11:20:07 -0500 Subject: cmd/internal/hash: stop using md5, sha1 These break if the tools are run with GODEBUG=fips140=only, which happens if someone sets that during 'go test' (and a test binary must be built). The easiest fix is to make the tools compatible with this GODEBUG by just using sha256 as the underlying hash always. Just in case, I made the wrappers select different sections of the hash, but none of the call sites really care. This CL is for the Go 1.24 release, but a follow-up during the Go 1.25 dev cycle could change all the usage sites to only use Sum32/New32. For #70514 Fixes #70878 Change-Id: Id5fea779c83df51d1680dbe561e0949c56e8d1e5 Reviewed-on: https://go-review.googlesource.com/c/go/+/641096 Reviewed-by: Keith Randall Auto-Submit: Russ Cox LUCI-TryBot-Result: Go LUCI Reviewed-by: Keith Randall --- src/internal/pkgbits/encoder.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/internal/pkgbits') diff --git a/src/internal/pkgbits/encoder.go b/src/internal/pkgbits/encoder.go index c17a12399d..015842f58c 100644 --- a/src/internal/pkgbits/encoder.go +++ b/src/internal/pkgbits/encoder.go @@ -6,7 +6,7 @@ package pkgbits import ( "bytes" - "crypto/md5" + "crypto/sha256" "encoding/binary" "go/constant" "io" @@ -55,7 +55,7 @@ func NewPkgEncoder(version Version, syncFrames int) PkgEncoder { // DumpTo writes the package's encoded data to out0 and returns the // package fingerprint. func (pw *PkgEncoder) DumpTo(out0 io.Writer) (fingerprint [8]byte) { - h := md5.New() + h := sha256.New() out := io.MultiWriter(out0, h) writeUint32 := func(x uint32) { -- cgit v1.3