diff --git a/eng/_core/supportdata/supportdata.go b/eng/_core/supportdata/supportdata.go
index 2da8f17ef02..9579c77f990 100644
--- a/eng/_core/supportdata/supportdata.go
+++ b/eng/_core/supportdata/supportdata.go
@@ -24,6 +24,7 @@ const (
 Archive ArtifactKind = "archive"
 Installer ArtifactKind = "installer"
 Source ArtifactKind = "source"
+ Manifest ArtifactKind = "manifest"
 )
 
 type LatestLink struct {
diff --git a/eng/_util/cmd/updatelinktable/updatelinktable.go b/eng/_util/cmd/updatelinktable/updatelinktable.go
index 429069f20fe..2a4b778f16e 100644
--- a/eng/_util/cmd/updatelinktable/updatelinktable.go
+++ b/eng/_util/cmd/updatelinktable/updatelinktable.go
@@ -31,6 +31,7 @@ var supported = []version{
 "linux-armv6l": {},
 "windows-amd64": {},
 "src": {},
+ "assets": {},
 },
 },
 {
@@ -42,12 +43,14 @@ var supported = []version{
 "linux-armv6l": {},
 "windows-amd64": {},
 "src": {},
+ "assets": {},
 },
 },
 }
 
 var platformPrettyNames = map[string]string{
- "src": "Source code",
+ "src": "Source code",
+ "assets": "Metadata",
 }
 
 type version struct {
@@ -86,6 +89,14 @@ var sourceFiles = []goFileType{
 },
 }
 
+var assetsFiles = []goFileType{
+ {
+ Kind: supportdata.Manifest,
+ Name: "Asset manifest (json)",
+ Ext: ".json",
+ },
+}
+
 type goFileType struct {
 Kind supportdata.ArtifactKind
 Name string
@@ -211,7 +222,7 @@ func data() (string, []supportdata.Branch) {
 b.WriteString("\n|")
 for _, p := range platforms() {
 os, arch, _ := strings.Cut(p, "-")
- if p == "src" {
+ if p == "src" || p == "assets" {
 os = ""
 }
 b.WriteString(" ")
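Review bot: `assetsFiles` describes the asset manifest with only `Kind`, `Name` and `Ext`, and the manifest rows added to the generated `release-branch-links.json` (later hunks) carry a `url` but no `checksumURL`/`signatureURL`, unlike the `src` rows beside them. If the manifest is meant to be consumed as an index of the release's artifacts, a consumer has no way to verify the manifest itself; if that is deliberate, a comment on `assetsFiles` such as `// The manifest is published without checksum/signature links because …` would make the decision visible instead of leaving it implied by the missing fields. How the link table derives checksum and signature links from a `goFileType` is not visible in this hunk, so this may already be decided by `Kind` elsewhere in the file.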
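Review bot: The pseudo-platform check is spelled as two string comparisons here (`if p == "src" || p == "assets" {`) and repeated in the `platforms()` and `fileTypes()` hunks of the same file, so a third pseudo-platform would need four coordinated edits. A helper such as `func isPseudoPlatform(p string) bool { return p == "src" || p == "assets" }` would keep the call sites in step, and the fixed ordering in `platforms()` (`append([]string{"src", "assets"}, keys...)`) could be derived from the same list. The updated comment in `platforms()` still reads `keep "src" and "assets" always on top because it's very different`; with two entries it should say `they're very different`. The enclosing `data()` function starts and ends outside the hunk.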
@@ -253,16 +264,16 @@ func platforms() []string {
 platforms[p] = struct{}{}
 }
 }
- // Sort the platforms, but keep "src" always on top because it's very different and shouldn't be
+ // Sort the platforms, but keep "src" and "assets" always on top because it's very different and shouldn't be
 // mixed in with the others. (Upstream also does this at go.dev/dl.)
 keys := make([]string, 0, len(platforms))
 for k := range platforms {
- if k != "src" {
+ if k != "src" && k != "assets" {
 keys = append(keys, k)
 }
 }
 sort.Strings(keys)
- keys = append([]string{"src"}, keys...)
+ keys = append([]string{"src", "assets"}, keys...)
 return keys
 }
 
@@ -283,5 +294,8 @@ func fileTypes(platform string) []goFileType {
 if platform == "src" {
 return sourceFiles
 }
+ if platform == "assets" {
+ return assetsFiles
+ }
 return nil
 }
diff --git a/eng/doc/Downloads.md b/eng/doc/Downloads.md
index 55a5b19b3eb..c5ab85e3968 100644
--- a/eng/doc/Downloads.md
+++ b/eng/doc/Downloads.md
@@ -12,6 +12,7 @@ This document contains a list of links to the binary releases of the Microsoft b | | 1.20 | 1.19 | | --- | --- | --- | | Source code | - [Source (tar.gz)](https://aka.ms/golang/release/latest/go1.20.src.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sig)
| - [Source (tar.gz)](https://aka.ms/golang/release/latest/go1.19.src.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sig)
| + Metadata | - [Asset manifest (json)](https://aka.ms/golang/release/latest/go1.20.assets.json)
| - [Asset manifest (json)](https://aka.ms/golang/release/latest/go1.19.assets.json)
| linux-amd64 | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz.sig)
| - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz.sig)
| linux-arm64 | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz.sig)
| - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz.sig)
| linux-armv6l | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz.sig)
| - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz)
- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz.sha256)
- [Signature1](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz.sig)
| diff --git a/eng/doc/fips/README.md b/eng/doc/fips/README.md index 8e1cb5269aa..b72e4bb95f3 100644 --- a/eng/doc/fips/README.md +++ b/eng/doc/fips/README.md @@ -234,7 +234,10 @@ The `opensslcrypto` Go runtime automatically loads the OpenSSL shared library `l The `libcrypto` shared library file name varies among different platforms, so a best effort is done to find and load the right file: - The base name is always `libcrypto.so.` -- Well-known version strings are appended to the base name, until the file is found, in the following order: `3` -> `1.1` -> `11` -> `111` -> `1.0.2` -> `1.0.0`. +- Well-known version strings are appended to the base name in this order: `3` -> `1.1` -> `11` -> `111` -> `1.0.2` -> `1.0.0`. +- This may find multiple libraries installed on the machine, so to pick one: + - A matching library with FIPS mode on by default (e.g. set by system configuration) is chosen immediately. + - If none have FIPS mode on by default, the first match is used. This algorithm can be overridden by setting the environment variable `GO_OPENSSL_VERSION_OVERRIDE` to the desired version string. For example, `GO_OPENSSL_VERSION_OVERRIDE="1.1.1k-fips"` makes the runtime look for the shared library `libcrypto.so.1.1.1k-fips` before running the checks for well-known versions. diff --git a/eng/doc/release-branch-links.json b/eng/doc/release-branch-links.json index bc4d7c89377..b58e144cffa 100644 --- a/eng/doc/release-branch-links.json +++ b/eng/doc/release-branch-links.json @@ -14,6 +14,14 @@ "checksumURL": "https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sha256", "signatureURL": "https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sig" }, + { + "filename": "go1.20.assets.json", + "os": "", + "arch": "", + "version": "go1.20", + "kind": "manifest", + "url": "https://aka.ms/golang/release/latest/go1.20.assets.json" + }, { "filename": "go1.20.linux-amd64.tar.gz", "os": "linux", 
@@ -70,6 +78,14 @@ "checksumURL": "https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sha256", "signatureURL": "https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sig" }, + { + "filename": "go1.19.assets.json", + "os": "", + "arch": "", + "version": "go1.19", + "kind": "manifest", + "url": "https://aka.ms/golang/release/latest/go1.19.assets.json" + }, { "filename": "go1.19.linux-amd64.tar.gz", "os": "linux", diff --git a/go b/go index 5b72f45dd17..af8f94e3c58 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit 5b72f45dd17314af39627c2fcac0fbc099b67603 +Subproject commit af8f94e3c5885647d6f85d2d5227b5fc6b637c52 diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index b541176c946..93d9eedd3b2 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch 
@@ -4,47 +4,47 @@ Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation --- - src/crypto/aes/cipher.go | 2 +- - src/crypto/aes/cipher_asm.go | 2 +- - src/crypto/boring/boring.go | 2 +- - src/crypto/ecdh/ecdh.go | 2 +- - src/crypto/ecdh/nist.go | 2 +- - src/crypto/ecdsa/boring.go | 4 +- - src/crypto/ecdsa/ecdsa.go | 4 +- - src/crypto/ecdsa/notboring.go | 2 +- - src/crypto/ed25519/ed25519_test.go | 2 +- - src/crypto/hmac/hmac.go | 2 +- - src/crypto/hmac/hmac_test.go | 2 +- - src/crypto/internal/backend/backend_test.go | 30 +++++ - src/crypto/internal/backend/bbig/big.go | 17 +++ - src/crypto/internal/backend/common.go | 65 +++++++++++ - src/crypto/internal/backend/iscgo.go | 10 ++ - src/crypto/internal/backend/nobackend.go | 116 ++++++++++++++++++++ - src/crypto/internal/backend/nocgo.go | 10 ++ - src/crypto/internal/backend/stub.s | 10 ++ - src/crypto/rand/rand_unix.go | 2 +- - src/crypto/rsa/boring.go | 4 +- - src/crypto/rsa/notboring.go | 2 +- - src/crypto/rsa/pkcs1v15.go | 2 +- - src/crypto/rsa/pss.go | 2 +- - src/crypto/rsa/rsa.go | 4 +- - src/crypto/rsa/rsa_test.go | 2 +- - src/crypto/sha1/boring.go | 2 +- - src/crypto/sha1/sha1_test.go | 2 +- - src/crypto/sha256/sha256.go | 2 +- - src/crypto/sha256/sha256_test.go | 2 +- - src/crypto/sha512/sha512.go | 2 +- - src/crypto/sha512/sha512_test.go | 2 +- - src/crypto/tls/cipher_suites.go | 2 +- - src/go/build/deps_test.go | 2 + - src/runtime/runtime_boring.go | 5 + - 34 files changed, 294 insertions(+), 29 deletions(-) + src/crypto/aes/cipher.go | 2 +- + src/crypto/aes/cipher_asm.go | 2 +- + src/crypto/boring/boring.go | 2 +- + src/crypto/ecdh/ecdh.go | 2 +- + src/crypto/ecdh/nist.go | 2 +- + src/crypto/ecdsa/boring.go | 4 +- + src/crypto/ecdsa/ecdsa.go | 4 +- + src/crypto/ecdsa/notboring.go | 2 +- + src/crypto/ed25519/ed25519_test.go | 2 +- + src/crypto/hmac/hmac.go | 2 +- + src/crypto/hmac/hmac_test.go | 2 +- + src/crypto/internal/backend/backend_test.go | 30 +++++ + 
src/crypto/internal/backend/bbig/big.go | 17 +++ + src/crypto/internal/backend/common.go | 78 +++++++++++++ + src/crypto/internal/backend/isrequirefips.go | 9 ++ + src/crypto/internal/backend/nobackend.go | 116 +++++++++++++++++++ + src/crypto/internal/backend/norequirefips.go | 9 ++ + src/crypto/internal/backend/stub.s | 10 ++ + src/crypto/rand/rand_unix.go | 2 +- + src/crypto/rsa/boring.go | 4 +- + src/crypto/rsa/notboring.go | 2 +- + src/crypto/rsa/pkcs1v15.go | 2 +- + src/crypto/rsa/pss.go | 2 +- + src/crypto/rsa/rsa.go | 4 +- + src/crypto/rsa/rsa_test.go | 2 +- + src/crypto/sha1/boring.go | 2 +- + src/crypto/sha1/sha1_test.go | 2 +- + src/crypto/sha256/sha256.go | 2 +- + src/crypto/sha256/sha256_test.go | 2 +- + src/crypto/sha512/sha512.go | 2 +- + src/crypto/sha512/sha512_test.go | 2 +- + src/crypto/tls/cipher_suites.go | 2 +- + src/go/build/deps_test.go | 2 + + src/runtime/runtime_boring.go | 5 + + 34 files changed, 305 insertions(+), 29 deletions(-) create mode 100644 src/crypto/internal/backend/backend_test.go create mode 100644 src/crypto/internal/backend/bbig/big.go create mode 100644 src/crypto/internal/backend/common.go - create mode 100644 src/crypto/internal/backend/iscgo.go + create mode 100644 src/crypto/internal/backend/isrequirefips.go create mode 100644 src/crypto/internal/backend/nobackend.go - create mode 100644 src/crypto/internal/backend/nocgo.go + create mode 100644 src/crypto/internal/backend/norequirefips.go create mode 100644 src/crypto/internal/backend/stub.s diff --git a/src/crypto/aes/cipher.go b/src/crypto/aes/cipher.go @@ -256,10 +256,10 @@ index 00000000000000..85bd3ed083f5b2 +} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go new file mode 100644 -index 00000000000000..007d8070538247 +index 00000000000000..efdd080a1b7708 --- /dev/null 
+++ b/src/crypto/internal/backend/common.go -@@ -0,0 +1,65 @@ +@@ -0,0 +1,78 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -273,25 +273,38 @@ index 00000000000000..007d8070538247 +) + +func init() { -+ if v, _ := envGoFIPS(); v == "1" { -+ if runtime.GOOS != "linux" { -+ panic("FIPS mode requested (GOFIPS=1) but not supported on " + runtime.GOOS) -+ } else if !iscgo { -+ panic("FIPS mode requested (GOFIPS=1) but not supported with cgo disabled") ++ if v, r, ok := envGoFIPS(); ok && v == "1" { ++ if !Enabled { ++ if runtime.GOOS != "linux" && runtime.GOOS != "windows" { ++ panic("FIPS mode requested (" + r + ") but no crypto backend is supported on " + runtime.GOOS) ++ } ++ panic("FIPS mode requested (" + r + ") but no supported crypto backend is enabled") + } + } +} + -+func envGoFIPS() (string, bool) { -+ if v, ok := syscall.Getenv("GOFIPS"); ok { -+ return v, true -+ } ++func envGoFIPS() (value string, reason string, ok bool) { + // TODO: Decide which environment variable to use. + // See https://github.com/microsoft/go/issues/397. -+ if v, ok := syscall.Getenv("GOLANG_FIPS"); ok { -+ return v, true ++ var varName string ++ if value, ok = syscall.Getenv("GOFIPS"); ok { ++ varName = "GOFIPS" ++ } else if value, ok = syscall.Getenv("GOLANG_FIPS"); ok { ++ varName = "GOLANG_FIPS" ++ } ++ if isRequireFIPS { ++ if ok && value != "1" { ++ panic("the 'requirefips' build tag is enabled, but it conflicts " + ++ "with the detected env variable " + ++ varName + "=" + value + ++ " which would disable FIPS mode") ++ } ++ return "1", "requirefips tag set", true + } -+ return "", false ++ if ok { ++ return value, "environment variable " + varName + "=1", true ++ } ++ return "", "", false +} + +// Unreachable marks code that should be unreachable 
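Review bot: `envGoFIPS` returns the reason `"environment variable " + varName + "=1"` whenever the variable is set, even when its value is not `1`; the `init` above only reads the reason after checking `v == "1"`, so the text happens to be right today, but the helper's own contract is misleading for any future caller (the openssl and cng callers in the later patches discard it with `_`). Returning `"environment variable " + varName + "=" + value` keeps the reason truthful in every branch. A doc comment on `envGoFIPS` would also help: it should state that `GOFIPS` takes precedence over `GOLANG_FIPS` when both are set (the second is silently ignored), and that under the `requirefips` tag the value is forced to `1` and a conflicting variable aborts the process, which is the fail-closed behaviour a FIPS-required deployment wants. The `Unreachable` function that follows starts outside the hunk.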
@@ -325,22 +338,21 @@ index 00000000000000..007d8070538247 + } + } +} -diff --git a/src/crypto/internal/backend/iscgo.go b/src/crypto/internal/backend/iscgo.go +diff --git a/src/crypto/internal/backend/isrequirefips.go b/src/crypto/internal/backend/isrequirefips.go new file mode 100644 -index 00000000000000..1e0d3cf8c18b55 +index 00000000000000..e5d7570d6d4363 --- /dev/null -+++ b/src/crypto/internal/backend/iscgo.go -@@ -0,0 +1,10 @@ ++++ b/src/crypto/internal/backend/isrequirefips.go +@@ -0,0 +1,9 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build cgo -+// +build cgo ++//go:build requirefips + +package backend + -+const iscgo = true ++const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 index 00000000000000..ad6081552af15d @@ -463,22 +475,21 @@ index 00000000000000..ad6081552af15d +func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error) { panic("cryptobackend: not available") } +func (*PublicKeyECDH) Bytes() []byte { panic("cryptobackend: not available") } +func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { panic("cryptobackend: not available") } -diff --git a/src/crypto/internal/backend/nocgo.go b/src/crypto/internal/backend/nocgo.go +diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go new file mode 100644 -index 00000000000000..63c13fc4b01cba +index 00000000000000..26bfb5f6a643f3 
--- /dev/null -+++ b/src/crypto/internal/backend/nocgo.go -@@ -0,0 +1,10 @@ ++++ b/src/crypto/internal/backend/norequirefips.go +@@ -0,0 +1,9 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build !cgo -+// +build !cgo ++//go:build !requirefips + +package backend + -+const iscgo = false ++const isRequireFIPS = false diff --git a/src/crypto/internal/backend/stub.s b/src/crypto/internal/backend/stub.s new file mode 100644 index 00000000000000..5e4b436554d44d diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 3474cb2c4d3..d1754cc28c7 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..b22886bb6cc88f +index 00000000000000..3b5504b6afc5c6 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,135 @@ @@ -38,7 +38,7 @@ index 00000000000000..b22886bb6cc88f +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build goexperiment.boringcrypto && linux && cgo && amd64 && !android && !cmd_go_bootstrap && !msan ++//go:build goexperiment.boringcrypto && linux && cgo && (amd64 || arm64) && !android && !msan + +// Package boring provides access to BoringCrypto implementation functions. +// Check the variable Enabled to find out whether BoringCrypto is available. diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 43c26937b5b..d4cf121548f 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch 
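Review bot: The new constraint for boring_linux.go drops `!cmd_go_bootstrap` and `!msan` while adding `arm64`, and the openssl (patches/0004) and cng (patches/0005) constraints drop the same two tags, so the regenerated `backenderr_gen_*` files and the nobackend.go constraint change accordingly. Nothing in the diff says why those tags were present or why removing them is safe; presumably they kept the backend out of the cmd/go bootstrap build and out of `-msan` builds, but that is an inference. A one-line comment above the `//go:build` line, or a sentence in the commit message, would let a later reader tell an intentional widening from an accidental one. The adjacent `@@ -30,7 +30,7 @@` hunk only updates the blob hash and needs nothing.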
@@ -189,7 +189,7 @@ index 00000000000000..61ef3fdd90b607 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..68ea43ea892e1d +index 00000000000000..34c2b8a90c9526 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,203 @@ @@ -197,7 +197,7 @@ index 00000000000000..68ea43ea892e1d +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build goexperiment.opensslcrypto && linux && cgo && !android && !cmd_go_bootstrap && !msan ++//go:build goexperiment.opensslcrypto && linux && cgo && !android + +// Package openssl provides access to OpenSSLCrypto implementation functions. +// Check the variable Enabled to find out whether OpenSSLCrypto is available. @@ -226,7 +226,7 @@ index 00000000000000..68ea43ea892e1d + // 1: FIPS required: abort the process if it is not enabled and can't be enabled. + // other values: do not override OpenSSL configured FIPS mode. + var fips string -+ if v, ok := envGoFIPS(); ok { ++ if v, _, ok := envGoFIPS(); ok { + fips = v + } else if systemFIPSMode() { + // System configuration can only force FIPS mode. diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 0126c40a22d..08fb96525d1 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch 
@@ -12,8 +12,8 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 205 ++++++++++++++++++ - src/crypto/internal/backend/common.go | 38 +++- + src/crypto/internal/backend/cng_windows.go | 207 ++++++++++++++++++ + src/crypto/internal/backend/common.go | 33 ++- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rand/rand_windows.go | 9 +- @@ -167,15 +167,15 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..9d1bbf010c0fb6 +index 00000000000000..bea98e0f838b41 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,205 @@ +@@ -0,0 +1,207 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + -+//go:build goexperiment.cngcrypto && windows && !cmd_go_bootstrap && !msan ++//go:build goexperiment.cngcrypto && windows + +// Package cng provides access to CNGCrypto implementation functions. +// Check the variable Enabled to find out whether CNGCrypto is available. @@ -196,7 +196,9 @@ index 00000000000000..9d1bbf010c0fb6 +const Enabled = true + +func init() { -+ if v, ok := envGoFIPS(); ok && v == "1" { ++ // 1: FIPS required: abort the process if the system is not in FIPS mode. ++ // other values: continue regardless of system-configured FIPS mode. ++ if v, _, ok := envGoFIPS(); ok && v == "1" { + enabled, err := cng.FIPS() + if err != nil { + panic("cngcrypto: unknown FIPS mode: " + err.Error()) @@ -377,10 +379,10 @@ index 00000000000000..9d1bbf010c0fb6 + return cng.NewPublicKeyECDH(curve, bytes) +} 
diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go -index 007d8070538247..114f72c3d10ee4 100644 +index 19f6fc47e4daa3..7df07e9a8379fa 100644 --- a/src/crypto/internal/backend/common.go +++ b/src/crypto/internal/backend/common.go -@@ -5,16 +5,19 @@ +@@ -5,7 +5,9 @@ package backend import ( @@ -390,19 +392,7 @@ index 007d8070538247..114f72c3d10ee4 100644 "runtime" "syscall" ) - - func init() { - if v, _ := envGoFIPS(); v == "1" { -- if runtime.GOOS != "linux" { -+ if runtime.GOOS != "linux" && runtime.GOOS != "windows" { - panic("FIPS mode requested (GOFIPS=1) but not supported on " + runtime.GOOS) -- } else if !iscgo { -+ } -+ if runtime.GOOS == "linux" && !iscgo { - panic("FIPS mode requested (GOFIPS=1) but not supported with cgo disabled") - } - } -@@ -54,7 +57,11 @@ func hasSuffix(s, t string) bool { +@@ -70,7 +72,11 @@ func hasSuffix(s, t string) bool { // UnreachableExceptTests marks code that should be unreachable // when backend is in use. It panics. func UnreachableExceptTests() { @@ -415,7 +405,7 @@ index 007d8070538247..114f72c3d10ee4 100644 name := runtime_arg0() // If ran on Windows we'd need to allow _test.exe and .test.exe as well. if !hasSuffix(name, "_test") && !hasSuffix(name, ".test") { -@@ -63,3 +70,28 @@ func UnreachableExceptTests() { +@@ -79,3 +85,28 @@ func UnreachableExceptTests() { } } } diff --git a/patches/0007-Add-backend-code-gen.patch b/patches/0007-Add-backend-code-gen.patch index e4d1758e522..e8623d17481 100644 --- a/patches/0007-Add-backend-code-gen.patch +++ b/patches/0007-Add-backend-code-gen.patch 
@@ -33,7 +33,7 @@ the repository to run the generators. src/cmd/link/link_test.go | 4 +- src/cmd/vet/vet_test.go | 2 +- src/crypto/internal/backend/backendgen.go | 20 ++ - .../internal/backend/backendgen_test.go | 273 ++++++++++++++++++ + .../internal/backend/backendgen_test.go | 279 ++++++++++++++++++ src/crypto/internal/backend/nobackend.go | 2 +- .../backenderr_gen_conflict_boring_cng.go | 17 ++ .../backenderr_gen_conflict_boring_openssl.go | 17 ++ @@ -41,9 +41,10 @@ the repository to run the generators. .../backenderr_gen_nofallback_boring.go | 19 ++ src/runtime/backenderr_gen_nofallback_cng.go | 19 ++ .../backenderr_gen_nofallback_openssl.go | 19 ++ + ...ckenderr_gen_requirefips_nosystemcrypto.go | 17 ++ .../backenderr_gen_systemcrypto_nobackend.go | 16 + src/syscall/exec_linux_test.go | 2 +- - 18 files changed, 440 insertions(+), 8 deletions(-) + 19 files changed, 463 insertions(+), 8 deletions(-) create mode 100644 src/crypto/internal/backend/backendgen.go create mode 100644 src/crypto/internal/backend/backendgen_test.go create mode 100644 src/runtime/backenderr_gen_conflict_boring_cng.go @@ -52,6 +53,7 @@ the repository to run the generators. create mode 100644 src/runtime/backenderr_gen_nofallback_boring.go create mode 100644 src/runtime/backenderr_gen_nofallback_cng.go create mode 100644 src/runtime/backenderr_gen_nofallback_openssl.go + create mode 100644 src/runtime/backenderr_gen_requirefips_nosystemcrypto.go create mode 100644 src/runtime/backenderr_gen_systemcrypto_nobackend.go diff --git a/src/cmd/dist/build.go b/src/cmd/dist/build.go @@ -207,10 +209,10 @@ index 00000000000000..acf0113bbefb6c +//go:generate go test -run TestGenerated -fix diff --git a/src/crypto/internal/backend/backendgen_test.go b/src/crypto/internal/backend/backendgen_test.go new file mode 100644 -index 00000000000000..0013ffec084722 +index 00000000000000..1cc4952e7ca9c2 --- /dev/null 
+++ b/src/crypto/internal/backend/backendgen_test.go -@@ -0,0 +1,273 @@ +@@ -0,0 +1,279 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -345,6 +347,8 @@ index 00000000000000..0013ffec084722 + } + f := testUnsatisfied(t, backends) + delete(existingFiles, f) ++ f = testRequireFIPSWithoutBackend(t) ++ delete(existingFiles, f) + + for f := range existingFiles { + if *fix { @@ -363,14 +367,12 @@ index 00000000000000..0013ffec084722 +// testConflict checks/generates a file that fails if two backends are enabled +// at the same time. +func testConflict(t *testing.T, a, b string) string { -+ f := filepath.Join(runtimePackageDir, backendErrPrefix+"conflict_"+a+"_"+b+".go") -+ testErrorFile( ++ return testErrorFile( + t, -+ f, ++ filepath.Join(runtimePackageDir, backendErrPrefix+"conflict_"+a+"_"+b+".go"), + "//go:build goexperiment."+a+"crypto && goexperiment."+b+"crypto", + "The "+a+" and "+b+" backends are both enabled, but they are mutually exclusive.", + "Please make sure only one crypto backend experiment is enabled by GOEXPERIMENT or '-tags'.") -+ return f +} + +func testPreventUnintendedFallback(t *testing.T, backend *backend) string { 
@@ -383,16 +385,14 @@ index 00000000000000..0013ffec084722 + }, + Y: &constraint.NotExpr{X: optOutTag}, + } -+ f := filepath.Join(runtimePackageDir, backendErrPrefix+"nofallback_"+backend.name+".go") -+ testErrorFile( ++ return testErrorFile( + t, -+ f, ++ filepath.Join(runtimePackageDir, backendErrPrefix+"nofallback_"+backend.name+".go"), + "//go:build "+c.String(), + "The "+expTag.String()+" tag is specified, but other tags required to enable that backend were not met.", + "Required build tags:", + " "+backend.constraint.String(), + "Please check your build environment and build command for a reason one or more of these tags weren't specified.") -+ return f +} + +// testUnsatisfied checks/generates a file that fails if systemcrypto is enabled 
@@ -402,19 +402,26 @@ index 00000000000000..0013ffec084722 + for _, b := range backends { + constraint += ` && !goexperiment.` + b.name + "crypto" + } -+ f := filepath.Join(runtimePackageDir, backendErrPrefix+"systemcrypto_nobackend.go") -+ testErrorFile( ++ return testErrorFile( + t, -+ f, ++ filepath.Join(runtimePackageDir, backendErrPrefix+"systemcrypto_nobackend.go"), + constraint, + "The systemcrypto feature is enabled, but it was unable to enable an appropriate crypto backend for the target GOOS.") -+ return f ++} ++ ++func testRequireFIPSWithoutBackend(t *testing.T) string { ++ return testErrorFile( ++ t, ++ filepath.Join(runtimePackageDir, backendErrPrefix+"requirefips_nosystemcrypto.go"), ++ "//go:build requirefips && !goexperiment.systemcrypto", ++ "The requirefips tag is enabled, but no crypto backend is enabled.", ++ "A crypto backend is required to enable FIPS mode.") +} + +// testErrorFile checks/generates a Go file with a given build constraint that +// fails to compile. The file uses an unused string to convey an error message +// to the dev on the "go build" command line. -+func testErrorFile(t *testing.T, file, constraint string, message ...string) { ++func testErrorFile(t *testing.T, file, constraint string, message ...string) string { + const header = `// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -441,6 +448,7 @@ index 00000000000000..0013ffec084722 + t.Log("would generate:", c) + } + } ++ return file +} + +type backend struct { @@ -485,7 +493,7 @@ index 00000000000000..0013ffec084722 + return bs +} diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go -index ad6081552af15d..2615bf04f7d53a 100644 +index ad6081552af15d..64d2330186e795 100644 --- a/src/crypto/internal/backend/nobackend.go +++ b/src/crypto/internal/backend/nobackend.go @@ -4,7 +4,7 @@ 
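Review bot: `testRequireFIPSWithoutBackend` generates a file constrained on `requirefips && !goexperiment.systemcrypto`, whereas `testUnsatisfied` just above treats `systemcrypto` as distinct from the per-backend experiments and excludes each `goexperiment.<name>crypto` separately. If a backend can be enabled by its own experiment without `systemcrypto`, a `requirefips` build of it would fail with a message saying no backend is enabled; if `systemcrypto` is always implied in that case, that is not visible here. Either mirror `testUnsatisfied` and exclude each backend experiment in this constraint, or add a comment on the function such as `// systemcrypto is the only supported way to enable a backend with requirefips; the per-backend experiments imply it.` if that is true. The generated counterpart `src/runtime/backenderr_gen_requirefips_nosystemcrypto.go` in a later hunk carries the same constraint and would need the same change.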
@@ -493,7 +501,7 @@ index ad6081552af15d..2615bf04f7d53a 100644 // Do not edit the build constraint by hand. It is generated by "backendgen.go". -//go:build ignore -+//go:build !(goexperiment.boringcrypto && linux && cgo && amd64 && !android && !cmd_go_bootstrap && !msan) && !(goexperiment.cngcrypto && windows && !cmd_go_bootstrap && !msan) && !(goexperiment.opensslcrypto && linux && cgo && !android && !cmd_go_bootstrap && !msan) ++//go:build !(goexperiment.boringcrypto && linux && cgo && (amd64 || arm64) && !android && !msan) && !(goexperiment.cngcrypto && windows) && !(goexperiment.opensslcrypto && linux && cgo && !android) package backend @@ -568,7 +576,7 @@ index 00000000000000..bf44084570bbbc +} diff --git a/src/runtime/backenderr_gen_nofallback_boring.go b/src/runtime/backenderr_gen_nofallback_boring.go new file mode 100644 -index 00000000000000..29db6ff02df7ff +index 00000000000000..764172d1159e17 --- /dev/null +++ b/src/runtime/backenderr_gen_nofallback_boring.go @@ -0,0 +1,19 @@ @@ -578,7 +586,7 @@ index 00000000000000..29db6ff02df7ff + +// This file is generated by crypto/internal/backend. DO NOT EDIT. DO NOT manually create files with the prefix "backenderr_gen_". + -+//go:build goexperiment.boringcrypto && !(goexperiment.boringcrypto && linux && cgo && amd64 && !android && !cmd_go_bootstrap && !msan) && !allow_missing_crypto_backend_fallback ++//go:build goexperiment.boringcrypto && !(goexperiment.boringcrypto && linux && cgo && (amd64 || arm64) && !android && !msan) && !allow_missing_crypto_backend_fallback + +package runtime + 
@@ -586,14 +594,14 @@ index 00000000000000..29db6ff02df7ff + ` + The goexperiment.boringcrypto tag is specified, but other tags required to enable that backend were not met. + Required build tags: -+ goexperiment.boringcrypto && linux && cgo && amd64 && !android && !cmd_go_bootstrap && !msan ++ goexperiment.boringcrypto && linux && cgo && (amd64 || arm64) && !android && !msan + Please check your build environment and build command for a reason one or more of these tags weren't specified. + For more information, visit https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips + ` +} diff --git a/src/runtime/backenderr_gen_nofallback_cng.go b/src/runtime/backenderr_gen_nofallback_cng.go new file mode 100644 -index 00000000000000..1b71b79e7483e6 +index 00000000000000..3187f794dd49a4 --- /dev/null +++ b/src/runtime/backenderr_gen_nofallback_cng.go @@ -0,0 +1,19 @@ @@ -603,7 +611,7 @@ index 00000000000000..1b71b79e7483e6 + +// This file is generated by crypto/internal/backend. DO NOT EDIT. DO NOT manually create files with the prefix "backenderr_gen_". + -+//go:build goexperiment.cngcrypto && !(goexperiment.cngcrypto && windows && !cmd_go_bootstrap && !msan) && !allow_missing_crypto_backend_fallback ++//go:build goexperiment.cngcrypto && !(goexperiment.cngcrypto && windows) && !allow_missing_crypto_backend_fallback + +package runtime + @@ -611,14 +619,14 @@ index 00000000000000..1b71b79e7483e6 + ` + The goexperiment.cngcrypto tag is specified, but other tags required to enable that backend were not met. + Required build tags: -+ goexperiment.cngcrypto && windows && !cmd_go_bootstrap && !msan ++ goexperiment.cngcrypto && windows + Please check your build environment and build command for a reason one or more of these tags weren't specified. + For more information, visit https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips + ` +} 
diff --git a/src/runtime/backenderr_gen_nofallback_openssl.go b/src/runtime/backenderr_gen_nofallback_openssl.go new file mode 100644 -index 00000000000000..d90c0cafebd623 +index 00000000000000..36ea1ea1884d8c --- /dev/null +++ b/src/runtime/backenderr_gen_nofallback_openssl.go @@ -0,0 +1,19 @@ @@ -628,7 +636,7 @@ index 00000000000000..d90c0cafebd623 + +// This file is generated by crypto/internal/backend. DO NOT EDIT. DO NOT manually create files with the prefix "backenderr_gen_". + -+//go:build goexperiment.opensslcrypto && !(goexperiment.opensslcrypto && linux && cgo && !android && !cmd_go_bootstrap && !msan) && !allow_missing_crypto_backend_fallback ++//go:build goexperiment.opensslcrypto && !(goexperiment.opensslcrypto && linux && cgo && !android) && !allow_missing_crypto_backend_fallback + +package runtime + 
@@ -636,11 +644,34 @@ index 00000000000000..d90c0cafebd623 + ` + The goexperiment.opensslcrypto tag is specified, but other tags required to enable that backend were not met. + Required build tags: -+ goexperiment.opensslcrypto && linux && cgo && !android && !cmd_go_bootstrap && !msan ++ goexperiment.opensslcrypto && linux && cgo && !android + Please check your build environment and build command for a reason one or more of these tags weren't specified. + For more information, visit https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips + ` +} +diff --git a/src/runtime/backenderr_gen_requirefips_nosystemcrypto.go b/src/runtime/backenderr_gen_requirefips_nosystemcrypto.go +new file mode 100644 +index 00000000000000..1c015dd2b08972 +--- /dev/null ++++ b/src/runtime/backenderr_gen_requirefips_nosystemcrypto.go +@@ -0,0 +1,17 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// This file is generated by crypto/internal/backend. DO NOT EDIT. DO NOT manually create files with the prefix "backenderr_gen_". ++ ++//go:build requirefips && !goexperiment.systemcrypto ++ ++package runtime ++ ++func init() { ++ ` ++ The requirefips tag is enabled, but no crypto backend is enabled. ++ A crypto backend is required to enable FIPS mode. ++ For more information, visit https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips ++ ` ++} diff --git a/src/runtime/backenderr_gen_systemcrypto_nobackend.go b/src/runtime/backenderr_gen_systemcrypto_nobackend.go new file mode 100644 index 00000000000000..97ba7da6260b50