all: rename crypto/internal/fips to crypto/internal/fips140

Sometimes we've used the 140 suffix (GOFIPS140, crypto/fips140) and sometimes not (crypto/internal/fips, cmd/go/internal/fips). Use it always, to avoid having to remember which is which. Also, there are other FIPS standards, like AES (FIPS 197), SHA-2 (FIPS 180), and so on, which have nothing to do with FIPS 140. Best to be clear. For #70123. Change-Id: I33b29dabd9e8b2703d2af25e428f88bc81c7c307 Reviewed-on: https://go-review.googlesource.com/c/go/+/630115 Reviewed-by: Filippo Valsorda <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Auto-Submit: Russ Cox <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
golang · Nov 20, 2024 · 4a3cef2 · 4a3cef2
1 parent 5254e98
commit 4a3cef2
Show file tree

Hide file tree

Showing 319 changed files with 689 additions and 692 deletions.
diff --git a/lib/fips140/Makefile b/lib/fips140/Makefile
@@ -13,7 +13,7 @@
 #
 # Note that once published a snapshot zip file should never
 # be modified. We record the sha256 hashes of the zip files
-# in fips140.sum, and the cmd/go/internal/fips test checks
+# in fips140.sum, and the cmd/go/internal/fips140 test checks
 # that the zips match.
 #
 # When the zip file is finalized, run 'make updatesum' to update
@@ -27,7 +27,7 @@ default:
 # copy and edit the 'go run' command by hand to use a different branch.
 v%.zip:
 	git fetch origin master
-	go run ../../src/cmd/go/internal/fips/mkzip.go -b master v$*
+	go run ../../src/cmd/go/internal/fips140/mkzip.go -b master v$*
 
 # normally mkzip refuses to overwrite an existing zip file.
 # make v1.2.3.rm removes the zip file and and unpacked
@@ -43,4 +43,4 @@ v%.test:
 
 # make updatesum updates the fips140.sum file.
 updatesum:
-	go test cmd/go/internal/fips -update
+	go test cmd/go/internal/fips140 -update
diff --git a/lib/fips140/README.md b/lib/fips140/README.md
@@ -1,9 +1,9 @@
-This directory holds snapshots of the crypto/internal/fips tree
+This directory holds snapshots of the crypto/internal/fips140 tree
 that are being validated and certified for FIPS-140 use.
 The file x.txt (for example, inprocess.txt, certified.txt)
 defines the meaning of the FIPS version alias x, listing
 the exact version to use.
 
-The zip files are created by cmd/go/internal/fips/mkzip.go.
+The zip files are created by cmd/go/internal/fips140/mkzip.go.
 The fips140.sum file lists checksums for the zip files.
 See the Makefile for recipes.
diff --git a/lib/fips140/fips140.sum b/lib/fips140/fips140.sum
@@ -7,5 +7,5 @@
 # remove zip files from the list when they are removed from
 # this directory. To update this file:
 #
-#	go test cmd/go/internal/fips -update
+#	go test cmd/go/internal/fips140 -update
 #
diff --git a/src/cmd/compile/internal/ssa/stmtlines_test.go b/src/cmd/compile/internal/ssa/stmtlines_test.go
@@ -103,7 +103,7 @@ func TestStmtLines(t *testing.T) {
 		if pkgname == "runtime" {
 			continue
 		}
-		if pkgname == "crypto/internal/fips/nistec/fiat" {
+		if pkgname == "crypto/internal/fips140/nistec/fiat" {
 			continue // golang.org/issue/49372
 		}
 		if e.Val(dwarf.AttrStmtList) == nil {

diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
@@ -834,7 +834,7 @@ func (t *tester) registerTests() {
 				buildmode: "pie",
 				ldflags:   "-linkmode=internal",
 				env:       []string{"CGO_ENABLED=0"},
-				pkg:       "crypto/internal/fips/check",
+				pkg:       "crypto/internal/fips140/check",
 			})
 		// Also test a cgo package.
 		if t.cgoEnabled && t.internalLink() && !disablePIE {
@@ -857,7 +857,7 @@ func (t *tester) registerTests() {
 				buildmode: "exe",
 				ldflags:   "-linkmode=external",
 				env:       []string{"CGO_ENABLED=1"},
-				pkg:       "crypto/internal/fips/check",
+				pkg:       "crypto/internal/fips140/check",
 			})
 		if t.externalLinkPIE() && !disablePIE {
 			t.registerTest("external linking, -buildmode=pie",
@@ -867,7 +867,7 @@ func (t *tester) registerTests() {
 					buildmode: "pie",
 					ldflags:   "-linkmode=external",
 					env:       []string{"CGO_ENABLED=1"},
-					pkg:       "crypto/internal/fips/check",
+					pkg:       "crypto/internal/fips140/check",
 				})
 		}
 	}

diff --git a/src/cmd/go/internal/fips/fips.go → src/cmd/go/internal/fips140/fips140.go b/src/cmd/go/internal/fips/fips.go → src/cmd/go/internal/fips140/fips140.go
@@ -9,8 +9,8 @@
 //   - Whether binaries are built to default to running in FIPS-140 mode,
 //     meaning whether they default to GODEBUG=fips140=on or =off.
 //
-//   - Which copy of the crypto/internal/fips source code to use.
-//     The default is obviously GOROOT/src/crypto/internal/fips,
+//   - Which copy of the crypto/internal/fips140 source code to use.
+//     The default is obviously GOROOT/src/crypto/internal/fips140,
 //     but earlier snapshots that have differing levels of external
 //     validation and certification are stored in GOROOT/lib/fips140
 //     and can be substituted into the build instead.
@@ -51,7 +51,7 @@
 //
 // When GOFIPS140 is set to something besides off and latest, [Snapshot]
 // returns true, indicating that the build should replace the latest copy
-// of crypto/internal/fips with an earlier snapshot. The reason to do
+// of crypto/internal/fips140 with an earlier snapshot. The reason to do
 // this is to use a copy that has been through additional lab validation
 // (an "in-process" module) or NIST certification (a "certified" module).
 // The snapshots are stored in GOROOT/lib/fips140 in module zip form.
@@ -60,19 +60,19 @@
 //
 // A FIPS snapshot like v1.2.3 is integrated into the build in two different ways.
 //
-// First, the snapshot's fips140 directory replaces crypto/internal/fips
-// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips
+// First, the snapshot's fips140 directory replaces crypto/internal/fips140
+// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips140
 // and everything below it, replacing it with the single subdirectory
-// crypto/internal/fips/v1.2.3, which now has the FIPS packages.
+// crypto/internal/fips140/v1.2.3, which now has the FIPS packages.
 // This virtual file system replacement makes patterns like std and crypto...
 // automatically see the snapshot packages instead of the original packages
-// as they walk GOROOT/src/crypto/internal/fips.
+// as they walk GOROOT/src/crypto/internal/fips140.
 //
-// Second, ResolveImport is called to resolve an import like crypto/internal/fips/sha256.
+// Second, ResolveImport is called to resolve an import like crypto/internal/fips140/sha256.
 // When snapshot v1.2.3 is being used, ResolveImport translates that path to
-// crypto/internal/fips/v1.2.3/sha256 and returns the actual source directory
+// crypto/internal/fips140/v1.2.3/sha256 and returns the actual source directory
 // in the unpacked snapshot. Using the actual directory instead of the
-// virtual directory GOROOT/src/crypto/internal/fips/v1.2.3 makes sure
+// virtual directory GOROOT/src/crypto/internal/fips140/v1.2.3 makes sure
 // that other tools using go list -json output can find the sources,
 // as well as making sure builds have a real directory in which to run the
 // assembler, compiler, and so on. The translation of the import path happens
@@ -83,15 +83,12 @@
 // a snapshot - we could make things work without doing that - but including
 // the v1.2.3 gives a different version of the code a different name, which is
 // always a good general rule. In particular, it will mean that govulncheck need
-// not have any special cases for crypto/internal/fips at all. The reports simply
+// not have any special cases for crypto/internal/fips140 at all. The reports simply
 // need to list the relevant symbols in a given Go version. (For example, if a bug
 // is only in the in-tree copy but not the snapshots, it doesn't list the snapshot
 // symbols; if it's in any snapshots, it has to list the specific snapshot symbols
 // in addition to the “normal” symbol.)
-//
-// TODO: crypto/internal/fips is going to move to crypto/internal/fips140,
-// at which point all the crypto/internal/fips references need to be updated.
-package fips
+package fips140
 
 import (
 	"cmd/go/internal/base"
@@ -120,7 +117,7 @@ func Init() {
 	initVersion()
 	initDir()
 	if Snapshot() {
-		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips"))
+		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))
 	}
 }
 
@@ -150,7 +147,7 @@ func Enabled() bool {
 }
 
 // Snapshot reports whether FIPS mode is using a source snapshot
-// rather than $GOROOT/src/crypto/internal/fips.
+// rather than $GOROOT/src/crypto/internal/fips140.
 // That is, it reports whether GOFIPS140 is set to something besides "latest" or "off".
 func Snapshot() bool {
 	checkInit()
@@ -200,11 +197,11 @@ func initVersion() {
 	base.Fatalf("go: unknown GOFIPS140 version %q", v)
 }
 
-// Dir reports the directory containing the crypto/internal/fips source code.
-// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips.
+// Dir reports the directory containing the crypto/internal/fips140 source code.
+// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips140.
 // Otherwise Dir ensures that the snapshot has been unpacked into the
 // module cache and then returns the directory in the module cache
-// corresponding to the crypto/internal/fips directory.
+// corresponding to the crypto/internal/fips140 directory.
 func Dir() string {
 	checkInit()
 	return dir
@@ -215,7 +212,7 @@ var dir string
 func initDir() {
 	v := version
 	if v == "latest" || v == "off" {
-		dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips")
+		dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140")
 		return
 	}
 
@@ -230,15 +227,15 @@ func initDir() {
 }
 
 // ResolveImport resolves the import path imp.
-// If it is of the form crypto/internal/fips/foo
-// (not crypto/internal/fips/v1.2.3/foo)
+// If it is of the form crypto/internal/fips140/foo
+// (not crypto/internal/fips140/v1.2.3/foo)
 // and we are using a snapshot, then LookupImport
-// rewrites the path to crypto/internal/fips/v1.2.3/foo
+// rewrites the path to crypto/internal/fips140/v1.2.3/foo
 // and returns that path and its location in the unpacked
 // FIPS snapshot.
 func ResolveImport(imp string) (newPath, dir string, ok bool) {
 	checkInit()
-	const fips = "crypto/internal/fips"
+	const fips = "crypto/internal/fips140"
 	if !Snapshot() || !str.HasPathPrefix(imp, fips) {
 		return "", "", false
 	}

diff --git a/src/cmd/go/internal/fips/fips_test.go → src/cmd/go/internal/fips140/fips_test.go b/src/cmd/go/internal/fips/fips_test.go → src/cmd/go/internal/fips140/fips_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package fips
+package fips140
 
 import (
 	"crypto/sha256"

diff --git a/src/cmd/go/internal/fips/mkzip.go → src/cmd/go/internal/fips140/mkzip.go b/src/cmd/go/internal/fips/mkzip.go → src/cmd/go/internal/fips140/mkzip.go
@@ -11,7 +11,7 @@
 // Usage:
 //
 //	cd GOROOT/lib/fips140
-//	go run ../../src/cmd/go/internal/fips/mkzip.go [-b branch] v1.2.3
+//	go run ../../src/cmd/go/internal/fips140/mkzip.go [-b branch] v1.2.3
 //
 // Mkzip creates a zip file named for the version on the command line
 // using the sources in the named branch (default origin/master,
@@ -73,21 +73,21 @@ func main() {
 	// and it is the path where the zip file will be unpacked in the module cache.
 	// The path must begin with a domain name to satisfy the module validation rules,
 	// but otherwise the path is not used. The cmd/go code using these zips
-	// knows that the zip contains crypto/internal/fips.
+	// knows that the zip contains crypto/internal/fips140.
 	goroot := "../.."
 	var zbuf bytes.Buffer
 	err = modzip.CreateFromVCS(&zbuf,
 		module.Version{Path: "golang.org/fips140", Version: version},
-		goroot, *flagBranch, "src/crypto/internal/fips")
+		goroot, *flagBranch, "src/crypto/internal/fips140")
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// Write new zip file with longer paths: fips140/v1.2.3/foo.go instead of foo.go.
 	// That way we can bind the fips140 directory onto the
-	// GOROOT/src/crypto/internal/fips directory and get a
-	// crypto/internal/fips/v1.2.3 with the snapshot code
-	// and an otherwise empty crypto/internal/fips directory.
+	// GOROOT/src/crypto/internal/fips140 directory and get a
+	// crypto/internal/fips140/v1.2.3 with the snapshot code
+	// and an otherwise empty crypto/internal/fips140 directory.
 	zr, err := zip.NewReader(bytes.NewReader(zbuf.Bytes()), int64(zbuf.Len()))
 	if err != nil {
 		log.Fatal(err)

diff --git a/src/cmd/go/internal/load/godebug.go b/src/cmd/go/internal/load/godebug.go
@@ -14,7 +14,7 @@ import (
 	"strconv"
 	"strings"
 
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/modload"
 )
@@ -65,7 +65,7 @@ func defaultGODEBUG(p *Package, directives, testDirectives, xtestDirectives []bu
 
 	// If GOFIPS140 is set to anything but "off",
 	// default to GODEBUG=fips140=on.
-	if fips.Enabled() {
+	if fips140.Enabled() {
 		if m == nil {
 			m = make(map[string]string)
 		}

diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
@@ -32,7 +32,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/imports"
@@ -407,7 +407,7 @@ func (p *Package) copyBuild(opts PackageOpts, pp *build.Package) {
 	p.BinaryOnly = pp.BinaryOnly
 
 	// TODO? Target
-	p.Goroot = pp.Goroot || fips.Snapshot() && str.HasFilePathPrefix(p.Dir, fips.Dir())
+	p.Goroot = pp.Goroot || fips140.Snapshot() && str.HasFilePathPrefix(p.Dir, fips140.Dir())
 	p.Standard = p.Goroot && p.ImportPath != "" && search.IsStandardImportPath(p.ImportPath)
 	p.GoFiles = pp.GoFiles
 	p.CgoFiles = pp.CgoFiles
@@ -885,7 +885,7 @@ func loadPackageData(ctx context.Context, path, parentPath, parentDir, parentRoo
 	}
 	r := resolvedImportCache.Do(importKey, func() resolvedImport {
 		var r resolvedImport
-		if newPath, dir, ok := fips.ResolveImport(path); ok {
+		if newPath, dir, ok := fips140.ResolveImport(path); ok {
 			r.path = newPath
 			r.dir = dir
 		} else if cfg.ModulesEnabled {
@@ -1523,15 +1523,15 @@ func disallowInternal(ctx context.Context, srcDir string, importer *Package, imp
 	// directory, so the usual directory rules don't work apply, or rather they
 	// apply differently depending on whether we are using a snapshot or the
 	// in-tree copy of the code. We apply a consistent rule here:
-	// crypto/internal/fips can only see crypto/internal, never top-of-tree internal.
-	// Similarly, crypto/... can see crypto/internal/fips even though the usual rules
+	// crypto/internal/fips140 can only see crypto/internal, never top-of-tree internal.
+	// Similarly, crypto/... can see crypto/internal/fips140 even though the usual rules
 	// would not allow it in snapshot mode.
-	if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips") {
-		return nil // crypto can use crypto/internal/fips
+	if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips140") {
+		return nil // crypto can use crypto/internal/fips140
 	}
-	if str.HasPathPrefix(importerPath, "crypto/internal/fips") {
+	if str.HasPathPrefix(importerPath, "crypto/internal/fips140") {
 		if str.HasPathPrefix(p.ImportPath, "crypto/internal") {
-			return nil // crypto/internal/fips can use crypto/internal
+			return nil // crypto/internal/fips140 can use crypto/internal
 		}
 		// TODO: Delete this switch once the usages are removed.
 		switch p.ImportPath {
@@ -2462,8 +2462,8 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 	if cfg.RawGOEXPERIMENT != "" {
 		appendSetting("GOEXPERIMENT", cfg.RawGOEXPERIMENT)
 	}
-	if fips.Enabled() {
-		appendSetting("GOFIPS140", fips.Version())
+	if fips140.Enabled() {
+		appendSetting("GOFIPS140", fips140.Version())
 	}
 	appendSetting("GOOS", cfg.BuildContext.GOOS)
 	if key, val, _ := cfg.GetArchEnv(); key != "" && val != "" {

diff --git a/src/cmd/go/internal/modload/init.go b/src/cmd/go/internal/modload/init.go
@@ -23,7 +23,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/lockedfile"
@@ -356,7 +356,7 @@ func BinDir() string {
 // for example 'go mod tidy', that don't operate in workspace mode.
 func InitWorkfile() {
 	// Initialize fsys early because we need overlay to read go.work file.
-	fips.Init()
+	fips140.Init()
 	if err := fsys.Init(); err != nil {
 		base.Fatal(err)
 	}
@@ -416,7 +416,7 @@ func Init() {
 	}
 	initialized = true
 
-	fips.Init()
+	fips140.Init()
 
 	// Keep in sync with WillBeEnabled. We perform extra validation here, and
 	// there are lots of diagnostics and side effects, so we can't use

diff --git a/src/cmd/go/internal/modload/load.go b/src/cmd/go/internal/modload/load.go
@@ -115,7 +115,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/imports"
@@ -1958,7 +1958,7 @@ func (ld *loader) pkgTest(ctx context.Context, pkg *loadPkg, testFlags loadPkgFl
 // stdVendor returns the canonical import path for the package with the given
 // path when imported from the standard-library package at parentPath.
 func (ld *loader) stdVendor(parentPath, path string) string {
-	if p, _, ok := fips.ResolveImport(path); ok {
+	if p, _, ok := fips140.ResolveImport(path); ok {
 		return p
 	}
 	if search.IsStandardImportPath(path) {