crypto/internal/fips140: make Version return latest when not frozen

Fixes #71820

Change-Id: I6a6a46563da281a7b20efc61eefdcbb2e146db33
Reviewed-on: https://go-review.googlesource.com/c/go/+/655795
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

src/cmd/go/internal/fips140/mkzip.go

@@ -95,6 +95,7 @@ func main() {
 
 	var zbuf2 bytes.Buffer
 	zw := zip.NewWriter(&zbuf2)
+	foundVersion := false
 	for _, f := range zr.File {
 		// golang.org/fips140@v1.2.3/dir/file.go ->
 		// golang.org/fips140@v1.2.3/fips140/v1.2.3/dir/file.go
@@ -102,6 +103,32 @@ func main() {
 			f.Name = "golang.org/fips140@" + version + "/fips140/" + version +
 				strings.TrimPrefix(f.Name, "golang.org/fips140@"+version)
 		}
+		// Inject version in [crypto/internal/fips140.Version].
+		if f.Name == "golang.org/fips140@"+version+"/fips140/"+version+"/fips140.go" {
+			rf, err := f.Open()
+			if err != nil {
+				log.Fatal(err)
+			}
+			contents, err := io.ReadAll(rf)
+			if err != nil {
+				log.Fatal(err)
+			}
+			returnLine := `return "latest" //mkzip:version`
+			if !bytes.Contains(contents, []byte(returnLine)) {
+				log.Fatalf("did not find %q in fips140.go", returnLine)
+			}
+			newLine := `return "` + version + `"`
+			contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine))
+			wf, err := zw.Create(f.Name)
+			if err != nil {
+				log.Fatal(err)
+			}
+			if _, err := wf.Write(contents); err != nil {
+				log.Fatal(err)
+			}
+			foundVersion = true
+			continue
+		}
 		wf, err := zw.CreateRaw(&f.FileHeader)
 		if err != nil {
 			log.Fatal(err)
@@ -117,6 +144,9 @@ func main() {
 	if err := zw.Close(); err != nil {
 		log.Fatal(err)
 	}
+	if !foundVersion {
+		log.Fatal("did not find fips140.go file")
+	}
 
 	err = os.WriteFile(version+".zip", zbuf2.Bytes(), 0666)
 	if err != nil {

src/crypto/internal/fips140/fips140.go

@@ -62,6 +62,10 @@ func Name() string {
 	return "Go Cryptographic Module"
 }
 
+// Version returns the formal version (such as "v1.0") if building against a
+// frozen module with GOFIPS140. Otherwise, it returns "latest".
 func Version() string {
-	return "v1.0"
+	// This return value is replaced by mkzip.go, it must not be changed or
+	// moved to a different file.
+	return "latest" //mkzip:version
 }

src/crypto/internal/fips140test/fips_test.go

@@ -36,6 +36,7 @@ import (
 	"crypto/internal/fips140/tls13"
 	"crypto/rand"
 	"encoding/hex"
+	"runtime/debug"
 	"strings"
 	"testing"
 )
@@ -63,6 +64,32 @@ func moduleStatus(t *testing.T) {
 	}
 }
 
+func TestVersion(t *testing.T) {
+	bi, ok := debug.ReadBuildInfo()
+	if !ok {
+		t.Skip("no build info")
+	}
+	for _, setting := range bi.Settings {
+		if setting.Key != "GOFIPS140" {
+			continue
+		}
+		exp := setting.Value
+		if exp == "v1.0.0" {
+			// Unfortunately we enshrined the version of the first module as
+			// v1.0 before deciding to go for full versions.
+			exp = "v1.0"
+		}
+		if v := fips140.Version(); v != exp {
+			t.Errorf("Version is %q, expected %q", v, exp)
+		}
+		return
+	}
+	// Without GOFIPS140, the Version should be "latest".
+	if v := fips140.Version(); v != "latest" {
+		t.Errorf("Version is %q, expected latest", v)
+	}
+}
+
 func TestFIPS140(t *testing.T) {
 	moduleStatus(t)
 	if boring.Enabled {

src/runtime/debug/mod.go

@@ -81,6 +81,7 @@ type Module struct {
 //   - GOARCH: the architecture target
 //   - GOAMD64/GOARM/GO386/etc: the architecture feature level for GOARCH
 //   - GOOS: the operating system target
+//   - GOFIPS140: the frozen FIPS 140-3 module version, if any
 //   - vcs: the version control system for the source tree where the build ran
 //   - vcs.revision: the revision identifier for the current commit or checkout
 //   - vcs.time: the modification time associated with vcs.revision, in RFC3339 format