diff --git a/Makefile b/Makefile index b23d4b88..2837ef3b 100644 --- a/Makefile +++ b/Makefile @@ -284,7 +284,10 @@ endif # Use `release-fips140` or `bin-fips140` to build release binaries fips140: @echo > $(NULL_FILE) - $(eval GOENV += GOFIPS140=v1.0.0) +ifeq ($(strip $(GOFIPS140)),) + $(eval GOFIPS140 = v1.0.0) +endif + $(eval GOENV += GOFIPS140=$(GOFIPS140)) $(eval LDFLAGS += -X runtime.godebugDefault=fips140=only) # To enforce fips140.Enforced() $(eval BUILD_ARGS += -tags fips140) @@ -292,9 +295,15 @@ fips140: # For smoke-docker $(eval CURVE = P256) ifeq ($(words $(MAKECMDGOALS)),1) - @$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory + @$(MAKE) fips140 GOFIPS140=$(GOFIPS140) ${.DEFAULT_GOAL} --no-print-directory endif +# To test the future pending module +fips140-v1.26.0: GOFIPS140 = v1.26.0 +fips140-v1.26.0: fips140 +fips140-latest: GOFIPS140 = latest +fips140-latest: fips140 + # Useful to chain together, like: # - make boringcrypto e2evv # - make boringcrypto smoke-docker diff --git a/noiseutil/fips140_test.go b/noiseutil/fips140_test.go index 28bd3dc7..b7ee8b0c 100644 --- a/noiseutil/fips140_test.go +++ b/noiseutil/fips140_test.go @@ -33,10 +33,13 @@ func TestNewAESGCM(t *testing.T) { assert.Equal(t, expected, dst) // We expect this to fail since we are re-encrypting with a repeat IV - // TODO: the error message has changed between fips module versions, best way to verify it? - // assert.PanicsWithValue(t, "crypto/cipher: counter decreased", func() { - // assert.PanicsWithValue(t, "crypto/cipher: counter decreased or remained the same", func() { - assert.Panics(t, func() { - dst = aead.Seal([]byte{}, iv, plaintext, aad) - }) + if fips140.Version() == "v1.0.0" { + assert.PanicsWithValue(t, "crypto/cipher: counter decreased", func() { + dst = aead.Seal([]byte{}, iv, plaintext, aad) + }) + } else { + assert.PanicsWithValue(t, "crypto/cipher: counter decreased or remained the same", func() { + dst = aead.Seal([]byte{}, iv, plaintext, aad) + }) + } }