all: rename crypto/internal/fips to crypto/internal/fips140

Sometimes we've used the 140 suffix (GOFIPS140, crypto/fips140)
and sometimes not (crypto/internal/fips, cmd/go/internal/fips).
Use it always, to avoid having to remember which is which.

Also, there are other FIPS standards, like AES (FIPS 197), SHA-2 (FIPS 180),
and so on, which have nothing to do with FIPS 140. Best to be clear.

For #70123.

Change-Id: I33b29dabd9e8b2703d2af25e428f88bc81c7c307
Reviewed-on: https://go-review.googlesource.com/c/go/+/630115
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

lib/fips140/Makefile

@@ -13,7 +13,7 @@
 #
 # Note that once published a snapshot zip file should never
 # be modified. We record the sha256 hashes of the zip files
-# in fips140.sum, and the cmd/go/internal/fips test checks
+# in fips140.sum, and the cmd/go/internal/fips140 test checks
 # that the zips match.
 #
 # When the zip file is finalized, run 'make updatesum' to update
@@ -27,7 +27,7 @@ default:
 # copy and edit the 'go run' command by hand to use a different branch.
 v%.zip:
 	git fetch origin master
-	go run ../../src/cmd/go/internal/fips/mkzip.go -b master v$*
+	go run ../../src/cmd/go/internal/fips140/mkzip.go -b master v$*
 
 # normally mkzip refuses to overwrite an existing zip file.
 # make v1.2.3.rm removes the zip file and and unpacked
@@ -43,4 +43,4 @@ v%.test:
 
 # make updatesum updates the fips140.sum file.
 updatesum:
-	go test cmd/go/internal/fips -update
+	go test cmd/go/internal/fips140 -update

lib/fips140/README.md

@@ -1,9 +1,9 @@
-This directory holds snapshots of the crypto/internal/fips tree
+This directory holds snapshots of the crypto/internal/fips140 tree
 that are being validated and certified for FIPS-140 use.
 The file x.txt (for example, inprocess.txt, certified.txt)
 defines the meaning of the FIPS version alias x, listing
 the exact version to use.
 
-The zip files are created by cmd/go/internal/fips/mkzip.go.
+The zip files are created by cmd/go/internal/fips140/mkzip.go.
 The fips140.sum file lists checksums for the zip files.
 See the Makefile for recipes.

lib/fips140/fips140.sum

@@ -7,5 +7,5 @@
 # remove zip files from the list when they are removed from
 # this directory. To update this file:
 #
-#	go test cmd/go/internal/fips -update
+#	go test cmd/go/internal/fips140 -update
 #

src/cmd/compile/internal/ssa/stmtlines_test.go

@@ -103,7 +103,7 @@ func TestStmtLines(t *testing.T) {
 		if pkgname == "runtime" {
 			continue
 		}
-		if pkgname == "crypto/internal/fips/nistec/fiat" {
+		if pkgname == "crypto/internal/fips140/nistec/fiat" {
 			continue // golang.org/issue/49372
 		}
 		if e.Val(dwarf.AttrStmtList) == nil {

src/cmd/dist/test.go

@@ -834,7 +834,7 @@ func (t *tester) registerTests() {
 				buildmode: "pie",
 				ldflags:   "-linkmode=internal",
 				env:       []string{"CGO_ENABLED=0"},
-				pkg:       "crypto/internal/fips/check",
+				pkg:       "crypto/internal/fips140/check",
 			})
 		// Also test a cgo package.
 		if t.cgoEnabled && t.internalLink() && !disablePIE {
@@ -857,7 +857,7 @@ func (t *tester) registerTests() {
 				buildmode: "exe",
 				ldflags:   "-linkmode=external",
 				env:       []string{"CGO_ENABLED=1"},
-				pkg:       "crypto/internal/fips/check",
+				pkg:       "crypto/internal/fips140/check",
 			})
 		if t.externalLinkPIE() && !disablePIE {
 			t.registerTest("external linking, -buildmode=pie",
@@ -867,7 +867,7 @@ func (t *tester) registerTests() {
 					buildmode: "pie",
 					ldflags:   "-linkmode=external",
 					env:       []string{"CGO_ENABLED=1"},
-					pkg:       "crypto/internal/fips/check",
+					pkg:       "crypto/internal/fips140/check",
 				})
 		}
 	}

src/cmd/go/internal/fips140/fips140.go

@@ -9,8 +9,8 @@
 //   - Whether binaries are built to default to running in FIPS-140 mode,
 //     meaning whether they default to GODEBUG=fips140=on or =off.
 //
-//   - Which copy of the crypto/internal/fips source code to use.
-//     The default is obviously GOROOT/src/crypto/internal/fips,
+//   - Which copy of the crypto/internal/fips140 source code to use.
+//     The default is obviously GOROOT/src/crypto/internal/fips140,
 //     but earlier snapshots that have differing levels of external
 //     validation and certification are stored in GOROOT/lib/fips140
 //     and can be substituted into the build instead.
@@ -51,7 +51,7 @@
 //
 // When GOFIPS140 is set to something besides off and latest, [Snapshot]
 // returns true, indicating that the build should replace the latest copy
-// of crypto/internal/fips with an earlier snapshot. The reason to do
+// of crypto/internal/fips140 with an earlier snapshot. The reason to do
 // this is to use a copy that has been through additional lab validation
 // (an "in-process" module) or NIST certification (a "certified" module).
 // The snapshots are stored in GOROOT/lib/fips140 in module zip form.
@@ -60,19 +60,19 @@
 //
 // A FIPS snapshot like v1.2.3 is integrated into the build in two different ways.
 //
-// First, the snapshot's fips140 directory replaces crypto/internal/fips
-// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips
+// First, the snapshot's fips140 directory replaces crypto/internal/fips140
+// using fsys.Bind. The effect is to appear to have deleted crypto/internal/fips140
 // and everything below it, replacing it with the single subdirectory
-// crypto/internal/fips/v1.2.3, which now has the FIPS packages.
+// crypto/internal/fips140/v1.2.3, which now has the FIPS packages.
 // This virtual file system replacement makes patterns like std and crypto...
 // automatically see the snapshot packages instead of the original packages
-// as they walk GOROOT/src/crypto/internal/fips.
+// as they walk GOROOT/src/crypto/internal/fips140.
 //
-// Second, ResolveImport is called to resolve an import like crypto/internal/fips/sha256.
+// Second, ResolveImport is called to resolve an import like crypto/internal/fips140/sha256.
 // When snapshot v1.2.3 is being used, ResolveImport translates that path to
-// crypto/internal/fips/v1.2.3/sha256 and returns the actual source directory
+// crypto/internal/fips140/v1.2.3/sha256 and returns the actual source directory
 // in the unpacked snapshot. Using the actual directory instead of the
-// virtual directory GOROOT/src/crypto/internal/fips/v1.2.3 makes sure
+// virtual directory GOROOT/src/crypto/internal/fips140/v1.2.3 makes sure
 // that other tools using go list -json output can find the sources,
 // as well as making sure builds have a real directory in which to run the
 // assembler, compiler, and so on. The translation of the import path happens
@@ -83,15 +83,12 @@
 // a snapshot - we could make things work without doing that - but including
 // the v1.2.3 gives a different version of the code a different name, which is
 // always a good general rule. In particular, it will mean that govulncheck need
-// not have any special cases for crypto/internal/fips at all. The reports simply
+// not have any special cases for crypto/internal/fips140 at all. The reports simply
 // need to list the relevant symbols in a given Go version. (For example, if a bug
 // is only in the in-tree copy but not the snapshots, it doesn't list the snapshot
 // symbols; if it's in any snapshots, it has to list the specific snapshot symbols
 // in addition to the “normal” symbol.)
-//
-// TODO: crypto/internal/fips is going to move to crypto/internal/fips140,
-// at which point all the crypto/internal/fips references need to be updated.
-package fips
+package fips140
 
 import (
 	"cmd/go/internal/base"
@@ -120,7 +117,7 @@ func Init() {
 	initVersion()
 	initDir()
 	if Snapshot() {
-		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips"))
+		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))
 	}
 }
 
@@ -150,7 +147,7 @@ func Enabled() bool {
 }
 
 // Snapshot reports whether FIPS mode is using a source snapshot
-// rather than $GOROOT/src/crypto/internal/fips.
+// rather than $GOROOT/src/crypto/internal/fips140.
 // That is, it reports whether GOFIPS140 is set to something besides "latest" or "off".
 func Snapshot() bool {
 	checkInit()
@@ -200,11 +197,11 @@ func initVersion() {
 	base.Fatalf("go: unknown GOFIPS140 version %q", v)
 }
 
-// Dir reports the directory containing the crypto/internal/fips source code.
-// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips.
+// Dir reports the directory containing the crypto/internal/fips140 source code.
+// If Snapshot() is false, Dir returns GOROOT/src/crypto/internal/fips140.
 // Otherwise Dir ensures that the snapshot has been unpacked into the
 // module cache and then returns the directory in the module cache
-// corresponding to the crypto/internal/fips directory.
+// corresponding to the crypto/internal/fips140 directory.
 func Dir() string {
 	checkInit()
 	return dir
@@ -215,7 +212,7 @@ var dir string
 func initDir() {
 	v := version
 	if v == "latest" || v == "off" {
-		dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips")
+		dir = filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140")
 		return
 	}
 
@@ -230,15 +227,15 @@ func initDir() {
 }
 
 // ResolveImport resolves the import path imp.
-// If it is of the form crypto/internal/fips/foo
-// (not crypto/internal/fips/v1.2.3/foo)
+// If it is of the form crypto/internal/fips140/foo
+// (not crypto/internal/fips140/v1.2.3/foo)
 // and we are using a snapshot, then LookupImport
-// rewrites the path to crypto/internal/fips/v1.2.3/foo
+// rewrites the path to crypto/internal/fips140/v1.2.3/foo
 // and returns that path and its location in the unpacked
 // FIPS snapshot.
 func ResolveImport(imp string) (newPath, dir string, ok bool) {
 	checkInit()
-	const fips = "crypto/internal/fips"
+	const fips = "crypto/internal/fips140"
 	if !Snapshot() || !str.HasPathPrefix(imp, fips) {
 		return "", "", false
 	}

src/cmd/go/internal/fips140/fips_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package fips
+package fips140
 
 import (
 	"crypto/sha256"

src/cmd/go/internal/fips140/mkzip.go

@@ -11,7 +11,7 @@
 // Usage:
 //
 //	cd GOROOT/lib/fips140
-//	go run ../../src/cmd/go/internal/fips/mkzip.go [-b branch] v1.2.3
+//	go run ../../src/cmd/go/internal/fips140/mkzip.go [-b branch] v1.2.3
 //
 // Mkzip creates a zip file named for the version on the command line
 // using the sources in the named branch (default origin/master,
@@ -73,21 +73,21 @@ func main() {
 	// and it is the path where the zip file will be unpacked in the module cache.
 	// The path must begin with a domain name to satisfy the module validation rules,
 	// but otherwise the path is not used. The cmd/go code using these zips
-	// knows that the zip contains crypto/internal/fips.
+	// knows that the zip contains crypto/internal/fips140.
 	goroot := "../.."
 	var zbuf bytes.Buffer
 	err = modzip.CreateFromVCS(&zbuf,
 		module.Version{Path: "golang.org/fips140", Version: version},
-		goroot, *flagBranch, "src/crypto/internal/fips")
+		goroot, *flagBranch, "src/crypto/internal/fips140")
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// Write new zip file with longer paths: fips140/v1.2.3/foo.go instead of foo.go.
 	// That way we can bind the fips140 directory onto the
-	// GOROOT/src/crypto/internal/fips directory and get a
-	// crypto/internal/fips/v1.2.3 with the snapshot code
-	// and an otherwise empty crypto/internal/fips directory.
+	// GOROOT/src/crypto/internal/fips140 directory and get a
+	// crypto/internal/fips140/v1.2.3 with the snapshot code
+	// and an otherwise empty crypto/internal/fips140 directory.
 	zr, err := zip.NewReader(bytes.NewReader(zbuf.Bytes()), int64(zbuf.Len()))
 	if err != nil {
 		log.Fatal(err)

src/cmd/go/internal/load/godebug.go

@@ -14,7 +14,7 @@ import (
 	"strconv"
 	"strings"
 
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/modload"
 )
@@ -65,7 +65,7 @@ func defaultGODEBUG(p *Package, directives, testDirectives, xtestDirectives []bu
 
 	// If GOFIPS140 is set to anything but "off",
 	// default to GODEBUG=fips140=on.
-	if fips.Enabled() {
+	if fips140.Enabled() {
 		if m == nil {
 			m = make(map[string]string)
 		}

src/cmd/go/internal/load/pkg.go

@@ -32,7 +32,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/imports"
@@ -407,7 +407,7 @@ func (p *Package) copyBuild(opts PackageOpts, pp *build.Package) {
 	p.BinaryOnly = pp.BinaryOnly
 
 	// TODO? Target
-	p.Goroot = pp.Goroot || fips.Snapshot() && str.HasFilePathPrefix(p.Dir, fips.Dir())
+	p.Goroot = pp.Goroot || fips140.Snapshot() && str.HasFilePathPrefix(p.Dir, fips140.Dir())
 	p.Standard = p.Goroot && p.ImportPath != "" && search.IsStandardImportPath(p.ImportPath)
 	p.GoFiles = pp.GoFiles
 	p.CgoFiles = pp.CgoFiles
@@ -885,7 +885,7 @@ func loadPackageData(ctx context.Context, path, parentPath, parentDir, parentRoo
 	}
 	r := resolvedImportCache.Do(importKey, func() resolvedImport {
 		var r resolvedImport
-		if newPath, dir, ok := fips.ResolveImport(path); ok {
+		if newPath, dir, ok := fips140.ResolveImport(path); ok {
 			r.path = newPath
 			r.dir = dir
 		} else if cfg.ModulesEnabled {
@@ -1523,15 +1523,15 @@ func disallowInternal(ctx context.Context, srcDir string, importer *Package, imp
 	// directory, so the usual directory rules don't work apply, or rather they
 	// apply differently depending on whether we are using a snapshot or the
 	// in-tree copy of the code. We apply a consistent rule here:
-	// crypto/internal/fips can only see crypto/internal, never top-of-tree internal.
-	// Similarly, crypto/... can see crypto/internal/fips even though the usual rules
+	// crypto/internal/fips140 can only see crypto/internal, never top-of-tree internal.
+	// Similarly, crypto/... can see crypto/internal/fips140 even though the usual rules
 	// would not allow it in snapshot mode.
-	if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips") {
-		return nil // crypto can use crypto/internal/fips
+	if str.HasPathPrefix(importerPath, "crypto") && str.HasPathPrefix(p.ImportPath, "crypto/internal/fips140") {
+		return nil // crypto can use crypto/internal/fips140
 	}
-	if str.HasPathPrefix(importerPath, "crypto/internal/fips") {
+	if str.HasPathPrefix(importerPath, "crypto/internal/fips140") {
 		if str.HasPathPrefix(p.ImportPath, "crypto/internal") {
-			return nil // crypto/internal/fips can use crypto/internal
+			return nil // crypto/internal/fips140 can use crypto/internal
 		}
 		// TODO: Delete this switch once the usages are removed.
 		switch p.ImportPath {
@@ -2462,8 +2462,8 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 	if cfg.RawGOEXPERIMENT != "" {
 		appendSetting("GOEXPERIMENT", cfg.RawGOEXPERIMENT)
 	}
-	if fips.Enabled() {
-		appendSetting("GOFIPS140", fips.Version())
+	if fips140.Enabled() {
+		appendSetting("GOFIPS140", fips140.Version())
 	}
 	appendSetting("GOOS", cfg.BuildContext.GOOS)
 	if key, val, _ := cfg.GetArchEnv(); key != "" && val != "" {

src/cmd/go/internal/modload/init.go

@@ -23,7 +23,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/lockedfile"
@@ -356,7 +356,7 @@ func BinDir() string {
 // for example 'go mod tidy', that don't operate in workspace mode.
 func InitWorkfile() {
 	// Initialize fsys early because we need overlay to read go.work file.
-	fips.Init()
+	fips140.Init()
 	if err := fsys.Init(); err != nil {
 		base.Fatal(err)
 	}
@@ -416,7 +416,7 @@ func Init() {
 	}
 	initialized = true
 
-	fips.Init()
+	fips140.Init()
 
 	// Keep in sync with WillBeEnabled. We perform extra validation here, and
 	// there are lots of diagnostics and side effects, so we can't use

src/cmd/go/internal/modload/load.go

@@ -115,7 +115,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/imports"
@@ -1958,7 +1958,7 @@ func (ld *loader) pkgTest(ctx context.Context, pkg *loadPkg, testFlags loadPkgFl
 // stdVendor returns the canonical import path for the package with the given
 // path when imported from the standard-library package at parentPath.
 func (ld *loader) stdVendor(parentPath, path string) string {
-	if p, _, ok := fips.ResolveImport(path); ok {
+	if p, _, ok := fips140.ResolveImport(path); ok {
 		return p
 	}
 	if search.IsStandardImportPath(path) {

src/cmd/go/internal/work/buildid.go

@@ -15,7 +15,7 @@ import (
 	"cmd/go/internal/base"
 	"cmd/go/internal/cache"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/str"
 	"cmd/internal/buildid"
@@ -457,7 +457,7 @@ func (b *Builder) useCache(a *Action, actionHash cache.ActionID, target string,
 	// to $WORK/b001 from the cache,
 	// but we went years without caching binaries anyway,
 	// so not caching them for FIPS will be fine, at least to start.
-	if a.Mode == "link" && fips.Enabled() && a.Package != nil && !strings.HasSuffix(a.Package.ImportPath, ".test") {
+	if a.Mode == "link" && fips140.Enabled() && a.Package != nil && !strings.HasSuffix(a.Package.ImportPath, ".test") {
 		return false
 	}
 
@@ -520,7 +520,7 @@ func (b *Builder) useCache(a *Action, actionHash cache.ActionID, target string,
 				oldBuildID := a.buildID
 				a.buildID = id[1] + buildIDSeparator + id[2]
 				linkID := buildid.HashToString(b.linkActionID(a.triggers[0]))
-				if id[0] == linkID && !fips.Enabled() {
+				if id[0] == linkID && !fips140.Enabled() {
 					// Best effort attempt to display output from the compile and link steps.
 					// If it doesn't work, it doesn't work: reusing the cached binary is more
 					// important than reprinting diagnostic information.

src/cmd/go/internal/work/gc.go

@@ -19,7 +19,7 @@ import (
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/cfg"
-	"cmd/go/internal/fips"
+	"cmd/go/internal/fips140"
 	"cmd/go/internal/fsys"
 	"cmd/go/internal/gover"
 	"cmd/go/internal/load"
@@ -615,7 +615,7 @@ func (gcToolchain) ld(b *Builder, root *Action, targetPath, importcfg, mainpkg s
 	if cfg.BuildBuildmode == "plugin" {
 		ldflags = append(ldflags, "-pluginpath", pluginPath(root))
 	}
-	if fips.Enabled() {
+	if fips140.Enabled() {
 		ldflags = append(ldflags, "-fipso", filepath.Join(root.Objdir, "fips.o"))
 	}
 

src/cmd/go/testdata/script/fipssnap.txt

@@ -13,15 +13,15 @@ stdout fips140=on
 
 # std lists fips snapshot and not regular fips
 go list std
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
 
 # build does not use regular fips
 go list -json -test
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
 
 # again with GOFIPS140=$alias
 env GOFIPS140=$alias
@@ -32,15 +32,15 @@ stdout fips140=on
 
 # std lists fips snapshot and not regular fips
 go list std
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
 
 # build does not use regular fips
 go list -json -test
-stdout crypto/internal/fips/$snap/sha256
-! stdout crypto/internal/fips/sha256
-! stdout crypto/internal/fips/check
+stdout crypto/internal/fips140/$snap/sha256
+! stdout crypto/internal/fips140/sha256
+! stdout crypto/internal/fips140/check
 
 [short] skip
 

src/cmd/internal/obj/fips140.go

@@ -26,14 +26,14 @@ restrict those to the actual cryptographic packages.
 
 Since we're not hashing the whole binary, we need to record the parts
 of the binary that contain FIPS code, specifically the part of the
-binary corresponding to the crypto/internal/fips package subtree.
+binary corresponding to the crypto/internal/fips140 package subtree.
 To do that, we create special symbol types STEXTFIPS, SRODATAFIPS,
 SNOPTRDATAFIPS, and SDATAFIPS, which those packages use instead of
 STEXT, SRODATA, SNOPTRDATA, and SDATA. The linker groups symbols by
 their type, so that naturally makes the FIPS parts contiguous within a
 given type. The linker then writes out in a special symbol the start
 and end of each of these FIPS-specific sections, alongside the
-expected HMAC-SHA256 of them. At startup, the crypto/internal/fips/check
+expected HMAC-SHA256 of them. At startup, the crypto/internal/fips140/check
 package has an init function that recomputes the hash and checks it
 against the recorded expectation.
 
@@ -74,11 +74,11 @@ A similar issue happens with:
 
 The compiler invents an anonymous array and then treats the code as in
 the first example. In both cases, a load-time relocation applied
-before the crypto/internal/fips/check init function would invalidate
+before the crypto/internal/fips140/check init function would invalidate
 the hash. Instead, we disable the “link time initialization” optimizations
 in the compiler (package staticinit) for the fips packages.
 That way, the slice initialization is deferred to its own init function.
-As long as the package in question imports crypto/internal/fips/check,
+As long as the package in question imports crypto/internal/fips140/check,
 the hash check will happen before the package's own init function
 runs, and so the hash check will see the slice header written by the
 linker, with a slice base pointer predictably nil instead of the
@@ -95,11 +95,11 @@ for every new relocation in a symbol in a FIPS package (as reported by
 
 The cryptographic code+data must be included in the hash-verified
 data. In general we accomplish that by putting all symbols from
-crypto/internal/fips/... packages into the hash-verified data.
+crypto/internal/fips140/... packages into the hash-verified data.
 But not all.
 
 Note that wrapper code that layers a Go API atop the cryptographic
-core is unverified. For example, crypto/internal/fips/sha256 is part of
+core is unverified. For example, crypto/internal/fips140/sha256 is part of
 the FIPS module and verified but the crypto/sha256 package that wraps
 it is outside the module and unverified. Also, runtime support like
 the implementation of malloc and garbage collection is outside the
@@ -146,7 +146,7 @@ import (
 
 const enableFIPS = true
 
-// IsFIPS reports whether we are compiling one of the crypto/internal/fips/... packages.
+// IsFIPS reports whether we are compiling one of the crypto/internal/fips140/... packages.
 func (ctxt *Link) IsFIPS() bool {
 	if strings.HasSuffix(ctxt.Pkgpath, "_test") {
 		// External test packages are outside the FIPS hash scope.
@@ -154,7 +154,7 @@ func (ctxt *Link) IsFIPS() bool {
 		// emit absolute relocations in the global data.
 		return false
 	}
-	return ctxt.Pkgpath == "crypto/internal/fips" || strings.HasPrefix(ctxt.Pkgpath, "crypto/internal/fips/")
+	return ctxt.Pkgpath == "crypto/internal/fips140" || strings.HasPrefix(ctxt.Pkgpath, "crypto/internal/fips140/")
 }
 
 // bisectFIPS controls bisect-based debugging of FIPS symbol assignment.
@@ -191,7 +191,7 @@ func EnableFIPS() bool {
 	// It should instead pass -shared to the compiler to get true
 	// position-independent code, at which point FIPS verification
 	// would work fine. FIPS verification does work fine on -buildmode=exe,
-	// but -buildmode=pie is the default, so crypto/internal/fips/check
+	// but -buildmode=pie is the default, so crypto/internal/fips140/check
 	// would fail during all.bash if we enabled FIPS here.
 	// Perhaps the default should be changed back to -buildmode=exe,
 	// after which we could remove this case, but until then,
@@ -221,11 +221,11 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 		return
 	}
 
-	// Name must begin with crypto/internal/fips, then dot or slash.
+	// Name must begin with crypto/internal/fips140, then dot or slash.
 	// The quick check for 'c' before the string compare is probably overkill,
 	// but this function is called a fair amount, and we don't want to
 	// slow down all the non-FIPS compilations.
-	const prefix = "crypto/internal/fips"
+	const prefix = "crypto/internal/fips140"
 	name := s.Name
 	if len(name) <= len(prefix) || (name[len(prefix)] != '.' && name[len(prefix)] != '/') || name[0] != 'c' || name[:len(prefix)] != prefix {
 		return
@@ -239,7 +239,7 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 	// Now we're at least handling a FIPS symbol.
 	// It's okay to be slower now, since this code only runs when compiling a few packages.
 
-	// Even in the crypto/internal/fips packages,
+	// Even in the crypto/internal/fips140 packages,
 	// we exclude various Go runtime metadata,
 	// so that it can be allowed to contain data relocations.
 	if strings.Contains(name, ".init") ||
@@ -257,7 +257,7 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 
 	// This symbol is linknamed to go:fipsinfo,
 	// so we shouldn't see it, but skip it just in case.
-	if s.Name == "crypto/internal/fips/check.linkinfo" {
+	if s.Name == "crypto/internal/fips140/check.linkinfo" {
 		return
 	}
 
@@ -289,7 +289,7 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 // checkFIPSReloc should be called for every relocation applied to s.
 // It rejects absolute (non-PC-relative) address relocations when building
 // with go build -buildmode=pie (which triggers the compiler's -shared flag),
-// because those relocations will be applied before crypto/internal/fips/check
+// because those relocations will be applied before crypto/internal/fips140/check
 // can hash-verify the FIPS code+data, which will make the verification fail.
 func (s *LSym) checkFIPSReloc(ctxt *Link, rel Reloc) {
 	if !ctxt.Flag_shared {

src/cmd/link/internal/ld/fips140.go

@@ -43,7 +43,7 @@ The new special symbols are created by [loadfips].
 
 Having collated the FIPS symbols, we need to compute the hash
 and then leave both the expected hash and the FIPS address ranges
-for the run-time check in crypto/internal/fips/check.
+for the run-time check in crypto/internal/fips140/check.
 We do that by creating a special symbol named go:fipsinfo of the form
 
 	struct {
@@ -55,7 +55,7 @@ We do that by creating a special symbol named go:fipsinfo of the form
 		}
 	}
 
-The crypto/internal/fips/check uses linkname to access this symbol,
+The crypto/internal/fips140/check uses linkname to access this symbol,
 which is of course not included in the hash.
 
 # FIPS Info Calculation
@@ -85,7 +85,7 @@ two random 32-byte strings differ. For debugging, the linker flag
 -fipso can be set to the name of a file (such as /tmp/fips.o)
 where the linker will write the “FIPS object” that is being hashed.
 
-There is also commented-out code in crypto/internal/fips/check that
+There is also commented-out code in crypto/internal/fips140/check that
 will write /tmp/fipscheck.o during the run-time verification.
 
 When the hashes differ, the first step is to uncomment the
@@ -151,7 +151,7 @@ func loadfips(ctxt *Link) {
 	if ctxt.BuildMode == BuildModePlugin { // not sure why this doesn't work
 		return
 	}
-	// Write the fipsinfo symbol, which crypto/internal/fips/check uses.
+	// Write the fipsinfo symbol, which crypto/internal/fips140/check uses.
 	ldr := ctxt.loader
 	// TODO lock down linkname
 	info := ldr.CreateSymForUpdate("go:fipsinfo", 0)

src/cmd/link/internal/loader/loader.go

@@ -2337,7 +2337,7 @@ var blockedLinknames = map[string][]string{
 	"runtime.coroswitch": {"iter"},
 	"runtime.newcoro":    {"iter"},
 	// fips info
-	"go:fipsinfo": {"crypto/internal/fips/check"},
+	"go:fipsinfo": {"crypto/internal/fips140/check"},
 }
 
 // check if a linkname reference to symbol s from pkg is allowed

src/crypto/aes/aes.go

@@ -16,7 +16,7 @@ package aes
 import (
 	"crypto/cipher"
 	"crypto/internal/boring"
-	"crypto/internal/fips/aes"
+	"crypto/internal/fips140/aes"
 	"strconv"
 )
 

src/crypto/cipher/cbc.go

@@ -13,8 +13,8 @@ package cipher
 
 import (
 	"bytes"
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/alias"
 	"crypto/subtle"
 )
 

src/crypto/cipher/cfb.go

@@ -7,7 +7,7 @@
 package cipher
 
 import (
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/alias"
 	"crypto/subtle"
 )
 

src/crypto/cipher/ctr.go

@@ -14,8 +14,8 @@ package cipher
 
 import (
 	"bytes"
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/alias"
 	"crypto/subtle"
 )
 

src/crypto/cipher/ctr_aes_test.go

@@ -16,7 +16,7 @@ import (
 	"crypto/cipher"
 	"crypto/internal/boring"
 	"crypto/internal/cryptotest"
-	fipsaes "crypto/internal/fips/aes"
+	fipsaes "crypto/internal/fips140/aes"
 	"encoding/hex"
 	"fmt"
 	"math/rand"

src/crypto/cipher/gcm.go

@@ -5,9 +5,9 @@
 package cipher
 
 import (
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/aes/gcm"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/aes/gcm"
+	"crypto/internal/fips140/alias"
 	"crypto/subtle"
 	"errors"
 	"internal/byteorder"
@@ -127,7 +127,7 @@ func (g gcmWithRandomNonce) Seal(dst, nonce, plaintext, additionalData []byte) [
 	// In Seal, we could work through the input backwards or intentionally load
 	// ahead before writing.
 	//
-	// However, the crypto/internal/fips/aes/gcm APIs also check for exact overlap,
+	// However, the crypto/internal/fips140/aes/gcm APIs also check for exact overlap,
 	// so for now we just do a memmove if we detect overlap.
 	//
 	//     ┌───────────────────────────┬ ─ ─
@@ -209,7 +209,7 @@ func newGCMFallback(cipher Block, nonceSize, tagSize int) (AEAD, error) {
 
 // gcmFallback is only used for non-AES ciphers, which regrettably we
 // theoretically support. It's a copy of the generic implementation from
-// crypto/internal/fips/aes/gcm/gcm_generic.go, refer to that file for more details.
+// crypto/internal/fips140/aes/gcm/gcm_generic.go, refer to that file for more details.
 type gcmFallback struct {
 	cipher    Block
 	nonceSize int

src/crypto/cipher/gcm_test.go

@@ -10,9 +10,9 @@ import (
 	"crypto/cipher"
 	"crypto/internal/boring"
 	"crypto/internal/cryptotest"
-	"crypto/internal/fips"
-	fipsaes "crypto/internal/fips/aes"
-	"crypto/internal/fips/aes/gcm"
+	"crypto/internal/fips140"
+	fipsaes "crypto/internal/fips140/aes"
+	"crypto/internal/fips140/aes/gcm"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
@@ -744,9 +744,9 @@ func TestFIPSServiceIndicator(t *testing.T) {
 		return aead
 	}
 	tryNonce := func(aead cipher.AEAD, nonce []byte) bool {
-		fips.ResetServiceIndicator()
+		fips140.ResetServiceIndicator()
 		aead.Seal(nil, nonce, []byte("x"), nil)
-		return fips.ServiceIndicator()
+		return fips140.ServiceIndicator()
 	}
 	expectTrue := func(t *testing.T, aead cipher.AEAD, nonce []byte) {
 		t.Helper()

src/crypto/cipher/ofb.go

@@ -7,7 +7,7 @@
 package cipher
 
 import (
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/alias"
 	"crypto/subtle"
 )
 

src/crypto/des/cipher.go

@@ -6,7 +6,7 @@ package des
 
 import (
 	"crypto/cipher"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140/alias"
 	"internal/byteorder"
 	"strconv"
 )

src/crypto/ecdh/nist.go

@@ -7,7 +7,7 @@ package ecdh
 import (
 	"bytes"
 	"crypto/internal/boring"
-	"crypto/internal/fips/ecdh"
+	"crypto/internal/fips140/ecdh"
 	"errors"
 	"io"
 )

src/crypto/ecdh/x25519.go

@@ -6,7 +6,7 @@ package ecdh
 
 import (
 	"bytes"
-	"crypto/internal/fips/edwards25519/field"
+	"crypto/internal/fips140/edwards25519/field"
 	"crypto/internal/randutil"
 	"errors"
 	"io"

src/crypto/ecdsa/ecdsa.go

@@ -20,7 +20,7 @@ import (
 	"crypto/elliptic"
 	"crypto/internal/boring"
 	"crypto/internal/boring/bbig"
-	"crypto/internal/fips/ecdsa"
+	"crypto/internal/fips140/ecdsa"
 	"crypto/internal/randutil"
 	"crypto/sha512"
 	"crypto/subtle"

src/crypto/ed25519/ed25519.go

@@ -17,7 +17,7 @@ package ed25519
 
 import (
 	"crypto"
-	"crypto/internal/fips/ed25519"
+	"crypto/internal/fips140/ed25519"
 	cryptorand "crypto/rand"
 	"crypto/subtle"
 	"errors"

src/crypto/elliptic/nistec.go

@@ -5,7 +5,7 @@
 package elliptic
 
 import (
-	"crypto/internal/fips/nistec"
+	"crypto/internal/fips140/nistec"
 	"errors"
 	"math/big"
 )

src/crypto/elliptic/nistec_p256.go

@@ -7,7 +7,7 @@
 package elliptic
 
 import (
-	"crypto/internal/fips/nistec"
+	"crypto/internal/fips140/nistec"
 	"math/big"
 )
 

src/crypto/hmac/hmac.go

@@ -23,7 +23,7 @@ package hmac
 
 import (
 	"crypto/internal/boring"
-	"crypto/internal/fips/hmac"
+	"crypto/internal/fips140/hmac"
 	"crypto/subtle"
 	"hash"
 )

src/crypto/internal/entropy/entropy.go

@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 
 // Package entropy provides the passive entropy source for the FIPS 140-3
-// module. It is only used in FIPS mode by [crypto/internal/fips/drbg.Read].
+// module. It is only used in FIPS mode by [crypto/internal/fips140/drbg.Read].
 //
 // This complies with IG 9.3.A, Additional Comment 12, which until January 1,
 // 2026 allows new modules to meet an [earlier version] of Resolution 2(b):

src/crypto/internal/fips/check/checktest/asm.s

@@ -1,6 +0,0 @@
-//go:build !purego && !wasm
-
-#include "textflag.h"
-
-DATA crypto∕internal∕fips∕check∕checktest·RODATA(SB)/4, $2
-GLOBL crypto∕internal∕fips∕check∕checktest·RODATA(SB), RODATA, $4

src/crypto/internal/fips140/aes/aes.go

@@ -5,8 +5,8 @@
 package aes
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/alias"
 	"strconv"
 )
 
@@ -103,7 +103,7 @@ func (c *Block) Encrypt(dst, src []byte) {
 	if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
 		panic("crypto/aes: invalid buffer overlap")
 	}
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	encryptBlock(c, dst, src)
 }
 
@@ -117,6 +117,6 @@ func (c *Block) Decrypt(dst, src []byte) {
 	if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) {
 		panic("crypto/aes: invalid buffer overlap")
 	}
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	decryptBlock(c, dst, src)
 }

src/crypto/internal/fips140/aes/aes_asm.go

@@ -7,8 +7,8 @@
 package aes
 
 import (
-	"crypto/internal/fipsdeps/cpu"
-	"crypto/internal/fipsdeps/godebug"
+	"crypto/internal/fips140deps/cpu"
+	"crypto/internal/fips140deps/godebug"
 	"crypto/internal/impl"
 )
 

src/crypto/internal/fips140/aes/aes_generic.go

@@ -36,7 +36,7 @@
 
 package aes
 
-import "crypto/internal/fipsdeps/byteorder"
+import "crypto/internal/fips140deps/byteorder"
 
 // Encrypt one block from src into dst, using the expanded key xk.
 func encryptBlockGeneric(c *blockExpanded, dst, src []byte) {

src/crypto/internal/fips140/aes/aes_s390x.go

@@ -7,7 +7,7 @@
 package aes
 
 import (
-	"crypto/internal/fipsdeps/cpu"
+	"crypto/internal/fips140deps/cpu"
 	"crypto/internal/impl"
 )
 

src/crypto/internal/fips140/aes/cast.go

@@ -6,13 +6,13 @@ package aes
 
 import (
 	"bytes"
-	"crypto/internal/fips"
-	_ "crypto/internal/fips/check"
+	"crypto/internal/fips140"
+	_ "crypto/internal/fips140/check"
 	"errors"
 )
 
 func init() {
-	fips.CAST("AES-CBC", func() error {
+	fips140.CAST("AES-CBC", func() error {
 		key := []byte{
 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,

src/crypto/internal/fips140/aes/cbc.go

@@ -5,8 +5,8 @@
 package aes
 
 import (
-	"crypto/internal/fips/alias"
-	"crypto/internal/fips/subtle"
+	"crypto/internal/fips140/alias"
+	"crypto/internal/fips140/subtle"
 )
 
 type CBCEncrypter struct {

src/crypto/internal/fips140/aes/ctr.go

@@ -5,9 +5,9 @@
 package aes
 
 import (
-	"crypto/internal/fips/alias"
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/byteorder"
+	"crypto/internal/fips140/alias"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/byteorder"
 	"math/bits"
 )
 

src/crypto/internal/fips140/aes/ctr_s390x.go

@@ -7,8 +7,8 @@
 package aes
 
 import (
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/byteorder"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/byteorder"
 )
 
 func ctrBlocks1(b *Block, dst, src *[BlockSize]byte, ivlo, ivhi uint64) {

src/crypto/internal/fips140/aes/gcm/cast.go

@@ -5,17 +5,17 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/aes"
-	_ "crypto/internal/fips/check"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/aes"
+	_ "crypto/internal/fips140/check"
 	"errors"
 )
 
 func init() {
 	// Counter KDF covers CMAC per IG 10.3.B, and CMAC covers GCM per IG 10.3.A
 	// Resolution 1.d(i). AES decryption is covered by the CBC CAST in package
-	// crypto/internal/fips/aes.
-	fips.CAST("CounterKDF", func() error {
+	// crypto/internal/fips140/aes.
+	fips140.CAST("CounterKDF", func() error {
 		key := []byte{
 			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
 			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,

src/crypto/internal/fips140/aes/gcm/cmac.go

@@ -5,9 +5,9 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/subtle"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/subtle"
 )
 
 // CMAC implements the CMAC mode from NIST SP 800-38B.
@@ -38,7 +38,7 @@ func (c *CMAC) deriveSubkeys() {
 }
 
 func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	_ = c.b // Hoist the nil check out of the loop.
 	var x [aes.BlockSize]byte
 	if len(m) == 0 {

src/crypto/internal/fips140/aes/gcm/ctrkdf.go

@@ -5,8 +5,8 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/aes"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/aes"
 )
 
 // CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES,
@@ -30,7 +30,7 @@ func NewCounterKDF(b *aes.Block) *CounterKDF {
 
 // DeriveKey derives a key from the given label and context.
 func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	var output [32]byte
 
 	var input [aes.BlockSize]byte

src/crypto/internal/fips140/aes/gcm/gcm.go

@@ -5,9 +5,9 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/alias"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/alias"
 	"errors"
 )
 
@@ -61,7 +61,7 @@ func (g *GCM) Overhead() int {
 }
 
 func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte {
-	fips.RecordNonApproved()
+	fips140.RecordNonApproved()
 	return g.sealAfterIndicator(dst, nonce, plaintext, data)
 }
 
@@ -115,7 +115,7 @@ func (g *GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 		panic("crypto/cipher: invalid buffer overlap of output and additional data")
 	}
 
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	if err := open(out, g, nonce, ciphertext, data); err != nil {
 		// We sometimes decrypt and authenticate concurrently, so we overwrite
 		// dst in the event of a tag mismatch. To be consistent across platforms

src/crypto/internal/fips140/aes/gcm/gcm_asm.go

@@ -7,9 +7,9 @@
 package gcm
 
 import (
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/cpu"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/cpu"
 	"crypto/internal/impl"
 )
 

src/crypto/internal/fips140/aes/gcm/gcm_generic.go

@@ -5,9 +5,9 @@
 package gcm
 
 import (
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/byteorder"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/byteorder"
 )
 
 func sealGeneric(out []byte, g *GCM, nonce, plaintext, additionalData []byte) {

src/crypto/internal/fips140/aes/gcm/gcm_nonces.go

@@ -5,11 +5,11 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/alias"
-	"crypto/internal/fips/drbg"
-	"crypto/internal/fipsdeps/byteorder"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/alias"
+	"crypto/internal/fips140/drbg"
+	"crypto/internal/fips140deps/byteorder"
 	"math"
 )
 
@@ -37,7 +37,7 @@ func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte) {
 	if alias.AnyOverlap(out, additionalData) {
 		panic("crypto/cipher: invalid buffer overlap of output and additional data")
 	}
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	drbg.Read(nonce)
 	seal(out, g, nonce, plaintext, additionalData)
 }
@@ -94,12 +94,12 @@ func (g *GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte {
 	}
 	g.next = counter + 1
 
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
 }
 
 func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.Open(dst, nonce, ciphertext, data)
 }
 
@@ -141,12 +141,12 @@ func (g *GCMForTLS12) Seal(dst, nonce, plaintext, data []byte) []byte {
 	}
 	g.next = counter + 1
 
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
 }
 
 func (g *GCMForTLS12) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.Open(dst, nonce, ciphertext, data)
 }
 
@@ -193,12 +193,12 @@ func (g *GCMForTLS13) Seal(dst, nonce, plaintext, data []byte) []byte {
 	}
 	g.next = counter + 1
 
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
 }
 
 func (g *GCMForTLS13) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.Open(dst, nonce, ciphertext, data)
 }
 
@@ -247,11 +247,11 @@ func (g *GCMForSSH) Seal(dst, nonce, plaintext, data []byte) []byte {
 	}
 	g.next = counter + 1
 
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.sealAfterIndicator(dst, nonce, plaintext, data)
 }
 
 func (g *GCMForSSH) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	fips.RecordApproved()
+	fips140.RecordApproved()
 	return g.g.Open(dst, nonce, ciphertext, data)
 }

src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.go

@@ -7,10 +7,10 @@
 package gcm
 
 import (
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/byteorder"
-	"crypto/internal/fipsdeps/godebug"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/byteorder"
+	"crypto/internal/fips140deps/godebug"
 	"crypto/internal/impl"
 	"runtime"
 )

src/crypto/internal/fips140/aes/gcm/gcm_s390x.go

@@ -7,10 +7,10 @@
 package gcm
 
 import (
-	"crypto/internal/fips/aes"
-	"crypto/internal/fips/subtle"
-	"crypto/internal/fipsdeps/byteorder"
-	"crypto/internal/fipsdeps/cpu"
+	"crypto/internal/fips140/aes"
+	"crypto/internal/fips140/subtle"
+	"crypto/internal/fips140deps/byteorder"
+	"crypto/internal/fips140deps/cpu"
 	"crypto/internal/impl"
 )
 

src/crypto/internal/fips140/aes/gcm/ghash.go

@@ -5,8 +5,8 @@
 package gcm
 
 import (
-	"crypto/internal/fips"
-	"crypto/internal/fipsdeps/byteorder"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140deps/byteorder"
 )
 
 // gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
@@ -25,7 +25,7 @@ type gcmFieldElement struct {
 // It is not allowed as a stand-alone operation in FIPS mode because it
 // is not ACVP tested.
 func GHASH(key *[16]byte, inputs ...[]byte) []byte {
-	fips.RecordNonApproved()
+	fips140.RecordNonApproved()
 	var out [gcmBlockSize]byte
 	ghash(&out, key, inputs...)
 	return out[:]

src/crypto/internal/fips140/aes/gcm/interface_test.go

@@ -6,7 +6,7 @@ package gcm_test
 
 import (
 	"crypto/cipher"
-	"crypto/internal/fips/aes/gcm"
+	"crypto/internal/fips140/aes/gcm"
 )
 
 var _ cipher.AEAD = (*gcm.GCM)(nil)

src/crypto/internal/fips140/aes/interface_test.go

@@ -6,7 +6,7 @@ package aes_test
 
 import (
 	"crypto/cipher"
-	"crypto/internal/fips/aes"
+	"crypto/internal/fips140/aes"
 )
 
 var _ cipher.Block = (*aes.Block)(nil)

src/crypto/internal/fips140/bigmod/_asm/go.mod

@@ -1,4 +1,4 @@
-module crypto/internal/fips/bigmod/_asm
+module crypto/internal/fips140/bigmod/_asm
 
 go 1.19
 

src/crypto/internal/fips140/bigmod/_asm/nat_amd64_asm.go

@@ -15,7 +15,7 @@ import (
 //go:generate go run . -out ../nat_amd64.s -pkg bigmod
 
 func main() {
-	Package("crypto/internal/fips/bigmod")
+	Package("crypto/internal/fips140/bigmod")
 	ConstraintExpr("!purego")
 
 	addMulVVW(1024)

src/crypto/internal/fips140/bigmod/nat.go

@@ -5,8 +5,8 @@
 package bigmod
 
 import (
-	_ "crypto/internal/fips/check"
-	"crypto/internal/fipsdeps/byteorder"
+	_ "crypto/internal/fips140/check"
+	"crypto/internal/fips140deps/byteorder"
 	"errors"
 	"math/bits"
 )

src/crypto/internal/fips140/bigmod/nat_asm.go

@@ -7,7 +7,7 @@
 package bigmod
 
 import (
-	"crypto/internal/fipsdeps/cpu"
+	"crypto/internal/fips140deps/cpu"
 	"crypto/internal/impl"
 )
 

src/crypto/internal/fips140/bigmod/nat_loong64.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// derived from crypto/internal/fips/bigmod/nat_riscv64.s
+// derived from crypto/internal/fips140/bigmod/nat_riscv64.s
 
 //go:build !purego