From 86bbea0cfa72041fb4315eb22099b0bc83caa314 Mon Sep 17 00:00:00 2001
From: Daniel Morsing <daniel.morsing@gmail.com>
Date: Mon, 24 Nov 2025 13:08:10 +0000
Subject: crypto/fips140: add WithoutEnforcement

WithoutEnforcement lets programs running under GODEBUG=fips140=only
selectively opt out of strict enforcement. This is especially helpful
for non-critical uses of cryptography routines like SHA-1 for content
addressable storage backends (E.g. git).

Fixes #74630

Change-Id: Iabba1f5eb63498db98047aca45e09c5dccf2fbdf
Reviewed-on: https://go-review.googlesource.com/c/go/+/723720
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 src/runtime/fipsbypass.go | 22 ++++++++++++++++++++++
 src/runtime/proc.go       |  4 ++++
 src/runtime/runtime2.go   |  1 +
 3 files changed, 27 insertions(+)
 create mode 100644 src/runtime/fipsbypass.go

(limited to 'src/runtime')

diff --git a/src/runtime/fipsbypass.go b/src/runtime/fipsbypass.go
new file mode 100644
index 0000000000..12df9c6b6a
--- /dev/null
+++ b/src/runtime/fipsbypass.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package runtime
+
+import _ "unsafe"
+
+//go:linkname fips140_setBypass crypto/fips140.setBypass
+func fips140_setBypass() {
+	getg().fipsOnlyBypass = true
+}
+
+//go:linkname fips140_unsetBypass crypto/fips140.unsetBypass
+func fips140_unsetBypass() {
+	getg().fipsOnlyBypass = false
+}
+
+//go:linkname fips140_isBypassed crypto/fips140.isBypassed
+func fips140_isBypassed() bool {
+	return getg().fipsOnlyBypass
+}
diff --git a/src/runtime/proc.go b/src/runtime/proc.go
index 58fb4bd681..3b98be1074 100644
--- a/src/runtime/proc.go
+++ b/src/runtime/proc.go
@@ -4481,6 +4481,7 @@ func gdestroy(gp *g) {
 	gp.labels = nil
 	gp.timer = nil
 	gp.bubble = nil
+	gp.fipsOnlyBypass = false
 
 	if gcBlackenEnabled != 0 && gp.gcAssistBytes > 0 {
 		// Flush assist credit to the global pool. This gives
@@ -5325,6 +5326,9 @@ func newproc1(fn *funcval, callergp *g, callerpc uintptr, parked bool, waitreaso
 		traceRelease(trace)
 	}
 
+	// fips140 bubble
+	newg.fipsOnlyBypass = callergp.fipsOnlyBypass
+
 	// Set up race context.
 	if raceenabled {
 		newg.racectx = racegostart(callerpc)
diff --git a/src/runtime/runtime2.go b/src/runtime/runtime2.go
index 3175ee55f5..58eaf80237 100644
--- a/src/runtime/runtime2.go
+++ b/src/runtime/runtime2.go
@@ -545,6 +545,7 @@ type g struct {
 	runnableTime    int64 // the amount of time spent runnable, cleared when running, only used when tracking
 	lockedm         muintptr
 	fipsIndicator   uint8
+	fipsOnlyBypass  bool
 	syncSafePoint   bool // set if g is stopped at a synchronous safe point.
 	runningCleanups atomic.Bool
 	sig             uint32
-- 
cgit v1.3