microsoft
diff --git a/‎eng/_util/cmd/run-builder/systemfips_fallback.go
Lines changed: 1 addition & 2 deletions b/‎eng/_util/cmd/run-builder/systemfips_fallback.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎eng/_util/cmd/run-builder/systemfips_linux.go
Lines changed: 31 additions & 0 deletions b/‎eng/_util/cmd/run-builder/systemfips_linux.go
Lines changed: 31 additions & 0 deletions
diff --git a/‎patches/0003-Implement-crypto-internal-backend.patch
Lines changed: 6 additions & 5 deletions b/‎patches/0003-Implement-crypto-internal-backend.patch
Lines changed: 6 additions & 5 deletions
diff --git a/‎patches/0004-Use-crypto-backends.patch
Lines changed: 26 additions & 1 deletion b/‎patches/0004-Use-crypto-backends.patch
Lines changed: 26 additions & 1 deletion
diff --git a/‎patches/0008-add-support-for-logging-used-Windows-APIs.patch renamed to ‎patches/0007-add-support-for-logging-used-Windows-APIs.patch b/‎patches/0008-add-support-for-logging-used-Windows-APIs.patch renamed to ‎patches/0007-add-support-for-logging-used-Windows-APIs.patch
diff --git a/‎patches/0007-unset-GOFIPS-when-running-the-Go-toolchain.patch
Lines changed: 0 additions & 76 deletions b/‎patches/0007-unset-GOFIPS-when-running-the-Go-toolchain.patch
Lines changed: 0 additions & 76 deletions
diff --git a/‎patches/0009-remove-long-path-support-hack.patch renamed to ‎patches/0008-remove-long-path-support-hack.patch b/‎patches/0009-remove-long-path-support-hack.patch renamed to ‎patches/0008-remove-long-path-support-hack.patch
diff --git a/‎patches/0010-Omit-internal-go.mod-files-used-for-codegen.patch renamed to ‎patches/0009-Omit-internal-go.mod-files-used-for-codegen.patch b/‎patches/0010-Omit-internal-go.mod-files-used-for-codegen.patch renamed to ‎patches/0009-Omit-internal-go.mod-files-used-for-codegen.patch
diff --git a/‎patches/0011-Support-curve-P-521-when-TLS-fipsonly-mode-is-enable.patch renamed to ‎patches/0010-Support-curve-P-521-when-TLS-fipsonly-mode-is-enable.patch b/‎patches/0011-Support-curve-P-521-when-TLS-fipsonly-mode-is-enable.patch renamed to ‎patches/0010-Support-curve-P-521-when-TLS-fipsonly-mode-is-enable.patch
@@ -1,8 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-//go:build !windows
-// +build !windows
+//go:build !windows && !linux
 
 package main
 
 
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package main
+
+import (
+	"log"
+	"os"
+)
+
+// enableSystemWideFIPS enables Mariner and Azure Linux 3 process-wide FIPS mode.
+func enableSystemWideFIPS() (restore func(), err error) {
+	// FIPS mode is enabled if OPENSSL_FORCE_FIPS_MODE is set, regardless of the value.
+	_, ok := os.LookupEnv("OPENSSL_FORCE_FIPS_MODE")
+	if ok {
+		log.Println("FIPS mode already enabled.")
+		return nil, nil
+	}
+
+	env("OPENSSL_FORCE_FIPS_MODE", "1")
+	log.Println("Enabled Mariner and Azure Linux 3 FIPS mode.")
+
+	return func() {
+		err := os.Unsetenv("OPENSSL_FORCE_FIPS_MODE")
+		if err != nil {
+			log.Printf("Unable to unset OPENSSL_FORCE_FIPS_MODE: %v\n", err)
+			return
+		}
+		log.Println("Successfully unset OPENSSL_FORCE_FIPS_MODE.")
+	}, nil
+}
@@ -15,7 +15,7 @@ Subject: [PATCH] Implement crypto/internal/backend
  .../internal/backend/bbig/big_openssl.go      |  12 +
  src/crypto/internal/backend/boring_linux.go   | 279 ++++++++++++++
  src/crypto/internal/backend/cng_windows.go    | 336 ++++++++++++++++
- src/crypto/internal/backend/common.go         |  58 +++
+ src/crypto/internal/backend/common.go         |  59 +++
  src/crypto/internal/backend/darwin_darwin.go  | 359 +++++++++++++++++
  src/crypto/internal/backend/fips140/boring.go |  11 +
  src/crypto/internal/backend/fips140/cng.go    |  33 ++
@@ -45,7 +45,7 @@ Subject: [PATCH] Implement crypto/internal/backend
  ...ckenderr_gen_requirefips_nosystemcrypto.go |  17 +
  .../backenderr_gen_systemcrypto_nobackend.go  |  16 +
  src/runtime/runtime_boring.go                 |   5 +
- 41 files changed, 2491 insertions(+), 1 deletion(-)
+ 41 files changed, 2492 insertions(+), 1 deletion(-)
  create mode 100644 src/crypto/internal/backend/backend_test.go
  create mode 100644 src/crypto/internal/backend/backendgen.go
  create mode 100644 src/crypto/internal/backend/backendgen_test.go
@@ -1173,10 +1173,10 @@ index 00000000000000..31dfc9b19ee63e
 +}
 diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go
 new file mode 100644
-index 00000000000000..84447174284ffd
+index 00000000000000..9436b00381aaf8
 --- /dev/null
 +++ b/src/crypto/internal/backend/common.go
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,59 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -1186,11 +1186,12 @@ index 00000000000000..84447174284ffd
 +import (
 +	"crypto/internal/backend/fips140"
 +	"crypto/internal/boring/sig"
++	"internal/goexperiment"
 +	"runtime"
 +)
 +
 +func init() {
-+	if fips140.Enabled() {
++	if !goexperiment.AllowCryptoFallback && fips140.Enabled() {
 +		if !Enabled {
 +			if runtime.GOOS != "linux" && runtime.GOOS != "windows" && runtime.GOOS != "darwin" {
 +				panic("FIPS mode requested (" + fips140.Message + ") but no crypto backend is supported on " + runtime.GOOS)
 
@@ -5,6 +5,7 @@ Subject: [PATCH] Use crypto backends
 
 ---
  src/cmd/api/boring_test.go                    |   2 +-
+ src/cmd/dist/build.go                         |  13 ++
  src/cmd/dist/test.go                          |   8 +-
  src/cmd/go/go_boring_test.go                  |  11 +-
  src/cmd/go/testdata/script/darwin_no_cgo.txt  |   2 +
@@ -81,7 +82,7 @@ Subject: [PATCH] Use crypto backends
  src/net/smtp/smtp_test.go                     |  72 ++++---
  src/os/exec/exec_test.go                      |   9 +
  src/runtime/pprof/vminfo_darwin_test.go       |   6 +
- 77 files changed, 1097 insertions(+), 109 deletions(-)
+ 78 files changed, 1110 insertions(+), 109 deletions(-)
  create mode 100644 src/crypto/dsa/boring.go
  create mode 100644 src/crypto/dsa/notboring.go
  create mode 100644 src/crypto/ecdsa/badlinkname.go
@@ -106,6 +107,30 @@ index f0e3575637c62a..9eab3b4e66e60b 100644
 
  package main
 
+diff --git a/src/cmd/dist/build.go b/src/cmd/dist/build.go
+index 1f467647f56143..4d770d7fc239e2 100644
+--- a/src/cmd/dist/build.go
++++ b/src/cmd/dist/build.go
+@@ -1543,6 +1543,19 @@ func cmdbootstrap() {
+ 	xprintf("Building Go toolchain2 using go_bootstrap and Go toolchain1.\n")
+ 	os.Setenv("CC", compilerEnvLookup("CC", defaultcc, goos, goarch))
+ 	// Now that cmd/go is in charge of the build process, enable GOEXPERIMENT.
++	//
++	// Build the Go toolchain with "GOEXPERIMENT=allowcryptofallback". This
++	// allows toolchains not built with "GOEXPERIMENT=systemcrypto" to be used
++	// when GOFIPS=1 is set. For example, when running "GOFIPS=1 go test ./..."
++	// or "GOFIPS=1 go run .".
++	// Shadow goexperiment so that the global variable is not modified.
++	goexperiment := goexperiment
++	if !strings.Contains(goexperiment, "allowcryptofallback") {
++		if goexperiment != "" {
++			goexperiment += ","
++		}
++		goexperiment += "allowcryptofallback"
++	}
+ 	os.Setenv("GOEXPERIMENT", goexperiment)
+ 	// No need to enable PGO for toolchain2.
+ 	goInstall(toolenv(), goBootstrap, append([]string{"-pgo=off"}, toolchain...)...)
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
 index 0c992118f4287b..3316bb52a61ff1 100644
 --- a/src/cmd/dist/test.go