From 86bbea0cfa72041fb4315eb22099b0bc83caa314 Mon Sep 17 00:00:00 2001
From: Daniel Morsing <daniel.morsing@gmail.com>
Date: Mon, 24 Nov 2025 13:08:10 +0000
Subject: crypto/fips140: add WithoutEnforcement

WithoutEnforcement lets programs running under GODEBUG=fips140=only
selectively opt out of strict enforcement. This is especially helpful
for non-critical uses of cryptography routines like SHA-1 for content
addressable storage backends (E.g. git).

Fixes #74630

Change-Id: Iabba1f5eb63498db98047aca45e09c5dccf2fbdf
Reviewed-on: https://go-review.googlesource.com/c/go/+/723720
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 src/runtime/proc.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/runtime/proc.go')

diff --git a/src/runtime/proc.go b/src/runtime/proc.go
index 58fb4bd681..3b98be1074 100644
--- a/src/runtime/proc.go
+++ b/src/runtime/proc.go
@@ -4481,6 +4481,7 @@ func gdestroy(gp *g) {
 	gp.labels = nil
 	gp.timer = nil
 	gp.bubble = nil
+	gp.fipsOnlyBypass = false
 
 	if gcBlackenEnabled != 0 && gp.gcAssistBytes > 0 {
 		// Flush assist credit to the global pool. This gives
@@ -5325,6 +5326,9 @@ func newproc1(fn *funcval, callergp *g, callerpc uintptr, parked bool, waitreaso
 		traceRelease(trace)
 	}
 
+	// fips140 bubble
+	newg.fipsOnlyBypass = callergp.fipsOnlyBypass
+
 	// Set up race context.
 	if raceenabled {
 		newg.racectx = racegostart(callerpc)
-- 
cgit v1.3-5-g9baa