diff --git a/lib/fips140/fips140.sum b/lib/fips140/fips140.sum
index 66b1e23dfe..703d1dc60e 100644
--- a/lib/fips140/fips140.sum
+++ b/lib/fips140/fips140.sum
@@ -9,4 +9,4 @@
 #
 # go test cmd/go/internal/fips140 -update
 #
-v1.0.0.zip b50508feaeff05d22516b21e1fd210bbf5d6a1e422eaf2cfa23fe379342713b8
+v1.0.0-c2097c7c.zip daf3614e0406f67ae6323c902db3f953a1effb199142362a039e7526dfb9368b
diff --git a/lib/fips140/inprocess.txt b/lib/fips140/inprocess.txt
index 0ec25f7505..efd3caba85 100644
--- a/lib/fips140/inprocess.txt
+++ b/lib/fips140/inprocess.txt
@@ -1 +1 @@
-v1.0.0
+v1.0.0-c2097c7c
diff --git a/lib/fips140/v1.0.0.zip b/lib/fips140/v1.0.0-c2097c7c.zip
similarity index 78%
rename from lib/fips140/v1.0.0.zip
rename to lib/fips140/v1.0.0-c2097c7c.zip
index bd9d3c19d0..aabf762d0f 100644
Binary files a/lib/fips140/v1.0.0.zip and b/lib/fips140/v1.0.0-c2097c7c.zip differ
diff --git a/lib/fips140/v1.0.0.txt b/lib/fips140/v1.0.0.txt
new file mode 100644
index 0000000000..efd3caba85
--- /dev/null
+++ b/lib/fips140/v1.0.0.txt
@@ -0,0 +1 @@
+v1.0.0-c2097c7c
diff --git a/src/cmd/go/internal/fips140/mkzip.go b/src/cmd/go/internal/fips140/mkzip.go
index 7a6ba80324..a139a0f2e2 100644
--- a/src/cmd/go/internal/fips140/mkzip.go
+++ b/src/cmd/go/internal/fips140/mkzip.go
@@ -27,10 +27,10 @@ import (
 "log"
 "os"
 "path/filepath"
- "regexp"
 "strings"
 "golang.org/x/mod/module"
+ "golang.org/x/mod/semver"
 modzip "golang.org/x/mod/zip"
 )
@@ -61,7 +61,7 @@ func main() {
 // Must have valid version, and must not overwrite existing file.
 version := flag.Arg(0)
- if !regexp.MustCompile(`^v\d+\.\d+\.\d+$`).MatchString(version) {
+ if semver.Canonical(version) != version {
 log.Fatalf("invalid version %q; must be vX.Y.Z", version)
 }
 if _, err := os.Stat(version + ".zip"); err == nil {
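Review bot: The new `semver.Canonical(version) != version` check in main accepts any canonical semantic version, including arbitrary pre-release suffixes, while the `log.Fatalf` message on the next line still says `must be vX.Y.Z`. It is also wider than what `isFIPSVersion` in src/internal/buildcfg/cfg.go accepts in this same commit (`vX.Y.Z`, or `vX.Y.Z-` plus eight characters), so mkzip can write a snapshot zip under a name that the build configuration would presumably refuse later as a GOFIPS140 value. Consider rejecting any suffix that is not the eight-character hash form, and updating the message to `log.Fatalf("invalid version %q; must be vX.Y.Z or vX.Y.Z-hash", version)`. The body of main continues outside the hunk.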
@@ -117,7 +117,9 @@ func main() {
 if !bytes.Contains(contents, []byte(returnLine)) {
 log.Fatalf("did not find %q in fips140.go", returnLine)
 }
- newLine := `return "` + version + `"`
+ // Use only the vX.Y.Z part of a possible vX.Y.Z-hash version.
+ v, _, _ := strings.Cut(version, "-")
+ newLine := `return "` + v + `"`
 contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine))
 wf, err := zw.Create(f.Name)
 if err != nil {
diff --git a/src/cmd/go/testdata/script/fipssnap.txt b/src/cmd/go/testdata/script/fipssnap.txt
index 9888bc82f1..4d96aedf2a 100644
--- a/src/cmd/go/testdata/script/fipssnap.txt
+++ b/src/cmd/go/testdata/script/fipssnap.txt
@@ -1,4 +1,4 @@
-env snap=v1.0.0
+env snap=v1.0.0-c2097c7c
 env alias=inprocess
 env GOFIPS140=$snap
@@ -23,8 +23,7 @@ stdout crypto/internal/fips140/$snap/sha256
 ! stdout crypto/internal/fips140/check
 # again with GOFIPS140=$alias
-# TODO: enable when we add inprocess.txt
-# env GOFIPS140=$alias
+env GOFIPS140=$alias
 # default GODEBUG includes fips140=on
 go list -f '{{.DefaultGODEBUG}}'
diff --git a/src/internal/buildcfg/cfg.go b/src/internal/buildcfg/cfg.go
index fca09bf8d3..ecdabb3d0a 100644
--- a/src/internal/buildcfg/cfg.go
+++ b/src/internal/buildcfg/cfg.go
@@ -85,7 +85,7 @@ func gofips140() string {
 }
 // isFIPSVersion reports whether v is a valid FIPS version,
-// of the form vX.Y.Z.
+// of the form vX.Y.Z or vX.Y.Z-hash.
 func isFIPSVersion(v string) bool {
 if !strings.HasPrefix(v, "v") {
 return false
@@ -99,7 +99,8 @@ func isFIPSVersion(v string) bool {
 return false
 }
 v, ok = skipNum(v[len("."):])
- return ok && v == ""
+ hasHash := strings.HasPrefix(v, "-") && len(v) == len("-")+8
+ return ok && (v == "" || hasHash)
 }
 // skipNum skips the leading text matching [0-9]+
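Review bot: In isFIPSVersion, `hasHash` checks only that the suffix is `-` followed by eight bytes, not what those bytes are, so path separators, dots and other non-hex characters pass as a "valid FIPS version". fipssnap.txt in this commit shows the accepted value appearing inside an import path (`crypto/internal/fips140/$snap/sha256`), and the snapshot zip under lib/fips140 is named after it, so the validator should accept only the characters the hash can contain. GOFIPS140 is normally set by whoever runs the build, so this is hardening rather than a trust-boundary fix. If the suffix is always an abbreviated lowercase hex hash like `c2097c7c`, a per-byte check as sketched below keeps the accepted set exact. The function begins above the hunk.

```go
	// … unchanged: "v" prefix, major and minor components …
	v, ok = skipNum(v[len("."):])
	if !ok {
		return false
	}
	if v == "" {
		return true
	}
	// Optional suffix: "-" followed by exactly 8 lowercase hex digits.
	if len(v) != len("-")+8 || v[0] != '-' {
		return false
	}
	for i := 1; i < len(v); i++ {
		if c := v[i]; (c < '0' || c > '9') && (c < 'a' || c > 'f') {
			return false
		}
	}
	return true
```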