[go] crypto/internal/fips140/entropy: move to crypto/internal/entropy/v1.0.0


Filippo Valsorda (Gerrit)

Oct 8, 2025, 7:31:09 AM
to Roland Shoemaker, Daniel McCarney, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Daniel McCarney and Roland Shoemaker

Filippo Valsorda has uploaded the change for review

Filippo Valsorda would like Roland Shoemaker and Daniel McCarney to review this change.

Commit message

crypto/internal/fips140/entropy: move to crypto/internal/entropy/v1.0.0

The lab confirmed that the entropy source doesn't have to be inside the
module boundary, although changing the entropy source of a module does
require recertification.

Move the v1.0.0 entropy source out of crypto/internal/fips140, to a
versioned path that lets us keep multiple versions (which would be used
by different modules) if we wish to.

Change-Id: I6a6a69647e9dfca1c375650a0869bdc001d65173

Change diff

diff --git a/src/crypto/internal/entropy/entropy.go b/src/crypto/internal/entropy/entropy.go
index 73fd529..6e16f19 100644
--- a/src/crypto/internal/entropy/entropy.go
+++ b/src/crypto/internal/entropy/entropy.go
@@ -4,8 +4,10 @@

// Package entropy provides the passive entropy source for the FIPS 140-3
// module. It is only used in FIPS mode by [crypto/internal/fips140/drbg.Read]
-// from the FIPS 140-3 Go Cryptographic Module v1.0.0. Later versions of the
-// module have an internal CPU jitter-based entropy source.
+// from the FIPS 140-3 Go Cryptographic Module v1.0.0.
+//
+// Later versions of the module use the CPU jitter-based entropy source in the
+// crypto/internal/entropy/v1.0.0 sub-package.
//
// This complied with IG 9.3.A, Additional Comment 12, which until January 1,
// 2026 allows new modules to meet an [earlier version] of Resolution 2(b):
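Review bot: The unchanged context line "This complied with IG 9.3.A" directly under the edited comment reads as a tense slip for "complies", and since the new sentence now sends readers to crypto/internal/entropy/v1.0.0 it would be worth writing that path as a doc link (`[crypto/internal/entropy/v1.0.0]`), in the same style as the existing `[crypto/internal/fips140/drbg.Read]` link two lines above, so the passive source and the jitter source are cross-navigable from godoc. The split into a separate paragraph is a clear improvement over the old single sentence.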
diff --git a/src/crypto/internal/fips140/entropy/entropy.go b/src/crypto/internal/entropy/v1.0.0/entropy.go
similarity index 100%
rename from src/crypto/internal/fips140/entropy/entropy.go
rename to src/crypto/internal/entropy/v1.0.0/entropy.go
diff --git a/src/crypto/internal/fips140/entropy/sha384.go b/src/crypto/internal/entropy/v1.0.0/sha384.go
similarity index 100%
rename from src/crypto/internal/fips140/entropy/sha384.go
rename to src/crypto/internal/entropy/v1.0.0/sha384.go
diff --git a/src/crypto/internal/fips140/drbg/rand.go b/src/crypto/internal/fips140/drbg/rand.go
index 3ccb018..cec697c 100644
--- a/src/crypto/internal/fips140/drbg/rand.go
+++ b/src/crypto/internal/fips140/drbg/rand.go
@@ -9,8 +9,8 @@
package drbg

import (
+ entropy "crypto/internal/entropy/v1.0.0"
"crypto/internal/fips140"
- "crypto/internal/fips140/entropy"
"crypto/internal/randutil"
"crypto/internal/sysrand"
"io"
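Review bot: Importing the new path under the alias `entropy` keeps every call site in drbg unchanged, but it now gives the jitter source the same identifier that the separate passive-source package crypto/internal/entropy has elsewhere in the tree (the first hunk's package comment is that package's). A reader of rand.go cannot tell from `entropy.X` which of the two is meant; a more specific alias (for example `entropyv1`) or a one-line comment on the import would make it explicit, and would avoid a collision if drbg ever needs both packages in the same file. The aliased import sorts correctly by path ahead of "crypto/internal/fips140", so gofmt/goimports are happy with the placement.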
diff --git a/src/crypto/internal/fips140deps/fipsdeps_test.go b/src/crypto/internal/fips140deps/fipsdeps_test.go
index 97552dc..3eaae18 100644
--- a/src/crypto/internal/fips140deps/fipsdeps_test.go
+++ b/src/crypto/internal/fips140deps/fipsdeps_test.go
@@ -16,10 +16,11 @@
//
// DO NOT add new packages here just to make the tests pass.
var AllowedInternalPackages = map[string]bool{
- // entropy.Depleted is the external passive entropy source, and sysrand.Read
+ // entropy.Depleted/Seed is the entropy source, and sysrand.Read
// is the actual (but uncredited!) random bytes source.
- "crypto/internal/entropy": true,
- "crypto/internal/sysrand": true,
+ "crypto/internal/entropy": true,
+ "crypto/internal/entropy/v1.0.0": true,
+ "crypto/internal/sysrand": true,

// impl.Register is how the packages expose their alternative
// implementations to tests outside the module.
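Review bot: The updated comment "entropy.Depleted/Seed is the entropy source" now describes two identifiers, but the allow list right below it has grown to two distinct packages (crypto/internal/entropy and crypto/internal/entropy/v1.0.0); say which identifier lives in which package so the comment still explains why each entry is allowed, e.g. one clause per package. The parenthetical "(but uncredited!)" on sysrand.Read is still accurate and worth keeping.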
@@ -88,8 +89,7 @@
}
}

- // Ensure that all packages except check, check's dependencies, and the
- // entropy source (which is used only from .../fips140/drbg) import check.
+ // Ensure that all packages except check and check's dependencies import check.
for pkg := range allPackages {
switch pkg {
case "crypto/internal/fips140/check":
@@ -100,7 +100,6 @@
case "crypto/internal/fips140/sha3":
case "crypto/internal/fips140/sha256":
case "crypto/internal/fips140/sha512":
- case "crypto/internal/fips140/entropy":
default:
if !importCheck[pkg] {
t.Errorf("package %s does not import crypto/internal/fips140/check", pkg)
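Review bot: Dropping the `case "crypto/internal/fips140/entropy":` exemption and the corresponding half-sentence of the comment is right only if the allPackages walk is restricted to crypto/internal/fips140/... and therefore no longer visits the moved package; the construction of allPackages is not in the diff, so it is worth confirming that crypto/internal/entropy/v1.0.0 is not picked up, otherwise this loop would start failing with "does not import crypto/internal/fips140/check" for the very package the change moved outside the boundary. Moving the entropy source out of the check-import enforcement is consistent with the commit message's point that the source sits outside the module boundary.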
diff --git a/src/crypto/internal/fips140test/entropy_test.go b/src/crypto/internal/fips140test/entropy_test.go
index b3b7027..e50e3c5 100644
--- a/src/crypto/internal/fips140test/entropy_test.go
+++ b/src/crypto/internal/fips140test/entropy_test.go
@@ -9,8 +9,8 @@
import (
"bytes"
"crypto/internal/cryptotest"
+ entropy "crypto/internal/entropy/v1.0.0"
"crypto/internal/fips140/drbg"
- "crypto/internal/fips140/entropy"
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
@@ -222,7 +222,7 @@
testenv.MustHaveSource(t)

h := sha256.New()
- root := os.DirFS("../fips140/entropy")
+ root := os.DirFS("../entropy/v1.0.0")
if err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error {
if err != nil {
return err
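Review bot: `os.DirFS("../entropy/v1.0.0")` resolves correctly from src/crypto/internal/fips140test to the new package directory, and the expected digest in the following hunk is left unchanged. That is only valid if whatever the WalkDir callback feeds into `h` is file contents plus paths relative to `root` (which the rename does not alter) rather than anything derived from the old directory name; the body of the callback is outside this diff, so a quick look to confirm the hash input is unaffected by the move would close the question. The `testenv.MustHaveSource(t)` guard above is still needed, since the hash walks the source tree.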
@@ -242,13 +242,13 @@
t.Fatalf("WalkDir: %v", err)
}

- // The crypto/internal/fips140/entropy package is certified as a FIPS 140-3
+ // The crypto/internal/entropy/v1.0.0 package is certified as a FIPS 140-3
// entropy source through the Entropy Source Validation program,
// independently of the FIPS 140-3 module. It must not change even across
// FIPS 140-3 module versions, in order to reuse the ESV certificate.
exp := "472d144f757d68604e110e8b016f71b8a267975878ab871bd10929bbdb5b2dcf"
if got := hex.EncodeToString(h.Sum(nil)); got != exp {
- t.Errorf("hash of crypto/internal/fips140/entropy = %s, want %s", got, exp)
+ t.Errorf("hash of crypto/internal/entropy/v1.0.0 = %s, want %s", got, exp)
}
}

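Review bot: The comment now correctly names crypto/internal/entropy/v1.0.0, but "It must not change even across FIPS 140-3 module versions" sits slightly at odds with the commit message's goal of keeping multiple versioned copies: the invariant is that this directory's bytes never change, while a future revision of the source goes into a new versioned directory with its own pinned hash and its own ESV certificate. Adding that sentence here would stop a future contributor from "updating" the files in place and then adjusting `exp` to match.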
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index 8966254..a5cf381 100644
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -490,13 +490,13 @@
time, internal/syscall/windows < crypto/internal/fips140deps/time;

crypto/internal/fips140deps/time, errors, math/bits, sync/atomic, unsafe
- < crypto/internal/fips140/entropy;
+ < crypto/internal/entropy/v1.0.0;

STR, hash,
crypto/internal/impl,
crypto/internal/entropy,
crypto/internal/randutil,
- crypto/internal/fips140/entropy,
+ crypto/internal/entropy/v1.0.0,
crypto/internal/fips140deps/byteorder,
crypto/internal/fips140deps/cpu,
crypto/internal/fips140deps/godebug
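Review bot: The rule "crypto/internal/fips140deps/time, errors, math/bits, sync/atomic, unsafe < crypto/internal/entropy/v1.0.0" carries over the old, deliberately tiny dependency surface of the entropy source, and deps_test.go is now the mechanism that keeps it from importing any crypto/internal/fips140 package (which would pull it back inside the module boundary); that is worth a one-line comment next to the rule, since the path no longer advertises the FIPS connection. Both crypto/internal/entropy and crypto/internal/entropy/v1.0.0 appearing in the STR block is expected, as they are independent packages with different consumers.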

Change information

Files:
  • M src/crypto/internal/entropy/entropy.go
  • R src/crypto/internal/entropy/v1.0.0/entropy.go
  • R src/crypto/internal/entropy/v1.0.0/sha384.go
  • M src/crypto/internal/fips140/drbg/rand.go
  • M src/crypto/internal/fips140deps/fipsdeps_test.go
  • M src/crypto/internal/fips140test/entropy_test.go
  • M src/go/build/deps_test.go
Change size: S
Delta: 7 files changed, 16 insertions(+), 15 deletions(-)
Open in Gerrit

Related details

Attention is currently required from:
  • Daniel McCarney
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newchange
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a69647e9dfca1c375650a0869bdc001d65173
Gerrit-Change-Number: 710057
Gerrit-PatchSet: 1
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Daniel McCarney <dan...@binaryparadox.net>

Daniel McCarney (Gerrit)

Oct 8, 2025, 9:24:50 AM
to goph...@pubsubhelper.golang.org, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Roland Shoemaker

Daniel McCarney voted and added 1 comment

Votes added by Daniel McCarney

Code-Review+2

1 comment

Patchset-level comments
File-level comment, Patchset 1 (Latest):
Daniel McCarney . resolved

Looks reasonable to me, but I think [one of the failed checks](https://logs.chromium.org/logs/golang/buildbucket/cr-buildbucket/8701580623516152737/+/u/step/46/log/2) might be relevant and need a patch.

Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied

Filippo Valsorda (Gerrit)

Oct 13, 2025, 6:41:44 AM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Roland Shoemaker

Filippo Valsorda uploaded new patchset

Filippo Valsorda uploaded patch set #2 to this change.
Following approvals got outdated and were removed:
  • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied

Filippo Valsorda (Gerrit)

Oct 15, 2025, 3:56 PM
to goph...@pubsubhelper.golang.org, Go LUCI, Daniel McCarney, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker

Filippo Valsorda voted Commit-Queue+1

Commit-Queue+1
Open in Gerrit

Related details

Attention is currently required from:
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied

Filippo Valsorda (Gerrit)

Oct 15, 2025, 4:15 PM
to goph...@pubsubhelper.golang.org, Go LUCI, Daniel McCarney, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker

Filippo Valsorda voted Commit-Queue+1

Commit-Queue+1
Open in Gerrit

Related details

Attention is currently required from:
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-PatchSet: 3