cmd/go,crypto: reject using Go+BoringCrypto and fips140 together

FiloSottile · gopherbot · commit 8ff4cee56491 · 2024-12-18T08:49:21.000-08:00
The combination is untested and nonsensical. Both are solutions to the same problem. For #69536 Change-Id: I95cc3baaf03b64ce08096e304e311a29e9577385 Reviewed-on: https://go-review.googlesource.com/c/go/+/637177 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Russ Cox <rsc@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com>
diff --git a/src/cmd/go/internal/fips140/fips140.go b/src/cmd/go/internal/fips140/fips140.go
@@ -119,6 +119,10 @@ func Init() {
 	if Snapshot() {
 		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))
 	}
+
+	if cfg.Experiment.BoringCrypto && Enabled() {
+		base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto")
+	}
 }
 
 var initDone bool
diff --git a/src/cmd/go/testdata/script/env_changed.txt b/src/cmd/go/testdata/script/env_changed.txt
@@ -1,5 +1,8 @@
 # Test query for non-defaults in the env
 
+# Go+BoringCrypto conflicts with GOFIPS140.
+[GOEXPERIMENT:boringcrypto] skip
+
 env GOROOT=./a
 env GOTOOLCHAIN=local
 env GOSUMDB=nodefault
diff --git a/src/cmd/go/testdata/script/fips.txt b/src/cmd/go/testdata/script/fips.txt
@@ -1,3 +1,6 @@
+# Go+BoringCrypto conflicts with GOFIPS140.
+[GOEXPERIMENT:boringcrypto] skip
+
 # list with GOFIPS140=off
 env GOFIPS140=off
 go list -f '{{.DefaultGODEBUG}}'
diff --git a/src/cmd/go/testdata/script/fipssnap.txt b/src/cmd/go/testdata/script/fipssnap.txt
@@ -7,6 +7,9 @@ env alias=inprocess
 skip 'no snapshots yet'
 env GOFIPS140=$snap
 
+# Go+BoringCrypto conflicts with GOFIPS140.
+[GOEXPERIMENT:boringcrypto] skip
+
 # default GODEBUG includes fips140=on
 go list -f '{{.DefaultGODEBUG}}'
 stdout fips140=on
diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
@@ -16,6 +16,7 @@ import "C"
 import (
 	"crypto/internal/boring/sig"
 	_ "crypto/internal/boring/syso"
+	"crypto/internal/fips140"
 	"internal/stringslite"
 	"math/bits"
 	"unsafe"
@@ -31,6 +32,12 @@ func init() {
 	sig.BoringCrypto()
 }
 
+func init() {
+	if fips140.Enabled {
+		panic("boringcrypto: cannot use GODEBUG=fips140 with GOEXPERIMENT=boringcrypto")
+	}
+}
+
 // Unreachable marks code that should be unreachable
 // when BoringCrypto is in use. It panics.
 func Unreachable() {
diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go
@@ -5,6 +5,7 @@
 package fipstest
 
 import (
+	"crypto/internal/boring"
 	. "crypto/internal/fips140/check"
 	"crypto/internal/fips140/check/checktest"
 	"fmt"
@@ -22,6 +23,10 @@ import (
 const enableFIPSTest = true
 
 func TestFIPSCheckVerify(t *testing.T) {
+	if boring.Enabled {
+		t.Skip("not testing fips140 with boringcrypto enabled")
+	}
+
 	if Verified {
 		t.Logf("verified")
 		return

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,10 @@ func Init() {`
`119`	`119`	`if Snapshot() {`
`120`	`120`	`fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))`
`121`	`121`	`}`
	`122`	`+`
	`123`	`+ if cfg.Experiment.BoringCrypto && Enabled() {`
	`124`	`+ base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto")`
	`125`	`+ }`
`122`	`126`	`}`
`123`	`127`
`124`	`128`	`var initDone bool`