microsoft · gdams · Apr 20, 2026 · Apr 20, 2026
@@ -58,7 +58,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../github.com/golang-fips/openssl/v2/hash.go |  502 ++++
  .../golang-fips/openssl/v2/hashclone.go       |   14 +
  .../golang-fips/openssl/v2/hashclone_go125.go |    9 +
- .../github.com/golang-fips/openssl/v2/hkdf.go |  455 ++++
+ .../github.com/golang-fips/openssl/v2/hkdf.go |  445 +++
  .../github.com/golang-fips/openssl/v2/hmac.go |  282 ++
  .../openssl/v2/internal/fakecgo/abi_amd64.h   |   99 +
  .../openssl/v2/internal/fakecgo/abi_arm64.h   |   39 +
@@ -138,7 +138,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../v2/internal/ossl/zossl_cgo_go124.go       |   45 +
  .../openssl/v2/internal/ossl/zossl_nocgo.go   | 2390 +++++++++++++++++
  .../golang-fips/openssl/v2/mlkem.go           |  371 +++
- .../golang-fips/openssl/v2/openssl.go         |  253 ++
+ .../golang-fips/openssl/v2/openssl.go         |  259 ++
  .../golang-fips/openssl/v2/openssl_cgo.go     |   16 +
  .../golang-fips/openssl/v2/openssl_nocgo.go   |   32 +
  .../golang-fips/openssl/v2/osslsetup/fips.go  |  165 ++
@@ -149,7 +149,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../openssl/v2/osslsetup/osslsetup.go         |   74 +
  .../openssl/v2/osslsetup/osslsetup_cgo.go     |   11 +
  .../openssl/v2/osslsetup/osslsetup_nocgo.go   |   21 +
- .../golang-fips/openssl/v2/params.go          |  184 ++
+ .../golang-fips/openssl/v2/params.go          |  194 ++
  .../golang-fips/openssl/v2/pbkdf2.go          |   54 +
  .../golang-fips/openssl/v2/provideropenssl.go |  239 ++
  .../openssl/v2/providersymcrypt.go            |  330 +++
@@ -277,7 +277,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  .../internal/subtle/aliasing.go               |   32 +
  .../internal/sysdll/sys_windows.go            |   55 +
  src/vendor/modules.txt                        |   23 +
- 269 files changed, 34097 insertions(+), 7 deletions(-)
+ 269 files changed, 34103 insertions(+), 7 deletions(-)
  create mode 100644 src/cmd/internal/telemetry/counter/deps_ignore.go
  create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/LICENSE
  create mode 100644 src/cmd/vendor/github.com/microsoft/go-infra/telemetry/README.md
@@ -541,7 +541,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result
  create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/sysdll/sys_windows.go
 
 diff --git a/src/cmd/go.mod b/src/cmd/go.mod
-index 85e8c4cb5fb305..4a356ea777dc10 100644
+index 14107c2d8ed9f3..1b51923f77e32e 100644
 --- a/src/cmd/go.mod
 +++ b/src/cmd/go.mod
 @@ -4,6 +4,8 @@ go 1.26
@@ -554,7 +554,7 @@ index 85e8c4cb5fb305..4a356ea777dc10 100644
  	golang.org/x/build v0.0.0-20251128064159-b9bfd88b30e8
  	golang.org/x/mod v0.30.1-0.20251115032019-269c237cf350
 diff --git a/src/cmd/go.sum b/src/cmd/go.sum
-index 61c88e52530940..e67353c20c352f 100644
+index c4920417b21b3d..4591d4c5da550d 100644
 --- a/src/cmd/go.sum
 +++ b/src/cmd/go.sum
 @@ -4,6 +4,10 @@ github.com/google/pprof v0.0.0-20251114195745-4902fdda35c8 h1:3DsUAV+VNEQa2CUVLx
@@ -2163,7 +2163,7 @@ index 00000000000000..d592037b570130
 +	return ok
 +}
 diff --git a/src/cmd/vendor/modules.txt b/src/cmd/vendor/modules.txt
-index 9c179c4bcd4c30..cb57323fb05a24 100644
+index 4e2260af522911..e4a084bebaba13 100644
 --- a/src/cmd/vendor/modules.txt
 +++ b/src/cmd/vendor/modules.txt
 @@ -16,6 +16,17 @@ github.com/google/pprof/third_party/svgpan
@@ -2213,7 +2213,7 @@ index 00000000000000..ae4055d2d71303
 +// that are used by the backend package. This allows to track
 +// their versions in a single patch file.
 diff --git a/src/go.mod b/src/go.mod
-index efc07451b53448..92c3c1585973d2 100644
+index efc07451b53448..5b76c18a2dd6c1 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -11,3 +11,9 @@ require (
@@ -2222,17 +2222,17 @@ index efc07451b53448..92c3c1585973d2 100644
  )
 +
 +require (
-+	github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4
++	github.com/golang-fips/openssl/v2 v2.0.4-0.20260417093650-92feff2e2bc8
 +	github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357
 +	github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9
 +)
 diff --git a/src/go.sum b/src/go.sum
-index b6b841b44d8e38..351d0574653a2a 100644
+index b6b841b44d8e38..e226409b5cbd71 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,9 @@
-+github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4 h1:2kbDvyeg2zT1dsjfp6I445SCP4ryK88vnIODU+x0W3o=
-+github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw=
++github.com/golang-fips/openssl/v2 v2.0.4-0.20260417093650-92feff2e2bc8 h1:fcNImjBFdN1W3Da0+qgX8R6I6j44wHKqFF/SflF+B6A=
++github.com/golang-fips/openssl/v2 v2.0.4-0.20260417093650-92feff2e2bc8/go.mod h1:EtVnMfLGkB4pihGOH+tXEV0WlXxewWdT1n3GLJEHvpw=
 +github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357 h1:ILqgGD8SGjjtSweSBanrXyX8Aco33yFSJEqsnJgmXHU=
 +github.com/microsoft/go-crypto-darwin v0.0.3-0.20260130143703-78cb726ef357/go.mod h1:MTii5PQwRlfUjYpGoF8CPLGwXSHTbLHGRN9FVNML5N0=
 +github.com/microsoft/go-crypto-winnative v0.0.0-20260127024749-832b168a84e9 h1:joliMChkkfHV3vAPKzu9kefdw0K+d89A8r9gTm3MFS4=
@@ -6401,10 +6401,10 @@ index 00000000000000..f1f2364c7246d4
 +type HashCloner = hash.Cloner
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go b/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go
 new file mode 100644
-index 00000000000000..7e059d023ef00b
+index 00000000000000..09f2412e45a97d
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go
-@@ -0,0 +1,455 @@
+@@ -0,0 +1,445 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -6759,9 +6759,7 @@ index 00000000000000..7e059d023ef00b
 +	bld.addOctetString(_OSSL_KDF_PARAM_PREFIX, []byte("tls13 "))
 +	bld.addOctetString(_OSSL_KDF_PARAM_LABEL, label)
 +	bld.addOctetString(_OSSL_KDF_PARAM_DATA, context)
-+	if len(pseudorandomKey) > 0 {
-+		bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
-+	}
++	bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
 +
 +	params, err := bld.build()
 +	if err != nil {
@@ -6812,18 +6810,10 @@ index 00000000000000..7e059d023ef00b
 +	}
 +	bld.addUTF8String(_OSSL_KDF_PARAM_DIGEST, ossl.EVP_MD_get0_name(md), 0)
 +	bld.addInt32(_OSSL_KDF_PARAM_MODE, int32(mode))
-+	if len(secret) > 0 {
-+		bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
-+	}
-+	if len(salt) > 0 {
-+		bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
-+	}
-+	if len(pseudorandomKey) > 0 {
-+		bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
-+	}
-+	if len(info) > 0 {
-+		bld.addOctetString(_OSSL_KDF_PARAM_INFO, info)
-+	}
++	bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
++	bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
++	bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
++	bld.addOctetString(_OSSL_KDF_PARAM_INFO, info)
 +	params, err := bld.build()
 +	if err != nil {
 +		return ctx, err
@@ -19688,10 +19678,10 @@ index 00000000000000..38ed8f5d69d946
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/openssl.go b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go
 new file mode 100644
-index 00000000000000..30ed1f38392629
+index 00000000000000..2aa620a69ce530
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go
-@@ -0,0 +1,253 @@
+@@ -0,0 +1,259 @@
 +//go:build !cmd_go_bootstrap
 +
 +// Package openssl provides access to OpenSSL cryptographic functions.
@@ -19822,6 +19812,12 @@ index 00000000000000..30ed1f38392629
 +	return unsafe.SliceData(b)
 +}
 +
++// pbaseNeverEmpty returns the address of the underlying array in b.
++// If b has zero length, it returns a pointer to a zero byte.
++func pbaseNeverEmpty(b []byte) unsafe.Pointer {
++	return unsafe.Pointer(baseNeverEmpty(b))
++}
++
 +// pbase returns the address of the underlying array in b,
 +// being careful not to panic when b has zero length.
 +func pbase(b []byte) unsafe.Pointer {
@@ -20585,10 +20581,10 @@ index 00000000000000..fd1cad5692a0bc
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/params.go b/src/vendor/github.com/golang-fips/openssl/v2/params.go
 new file mode 100644
-index 00000000000000..3bdc8037c0c9af
+index 00000000000000..6cf91de44bc2f9
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/params.go
-@@ -0,0 +1,184 @@
+@@ -0,0 +1,194 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -20704,10 +20700,20 @@ index 00000000000000..3bdc8037c0c9af
 +	if !b.check() {
 +		return
 +	}
++	if value == nil {
++		// Short-circuit a nil slice: don't pass anything at all to OpenSSL.
++		// OpenSSL 3.5.6 raises an error when passed null, and expects users
++		// to not call this function at all in this case.
++		// See https://github.com/openssl/openssl/issues/30728
++		//
++		// Don't short-circuit empty slices, as they might have a meaning.
++		// For example, in KDFs an empty salt is different from a nil salt.
++		return
++	}
 +	if len(value) != 0 {
 +		b.pinner.Pin(&value[0])
 +	}
-+	if _, err := ossl.OSSL_PARAM_BLD_push_octet_string(b.bld, name.ptr(), pbase(value), len(value)); err != nil {
++	if _, err := ossl.OSSL_PARAM_BLD_push_octet_string(b.bld, name.ptr(), pbaseNeverEmpty(value), len(value)); err != nil {
 +		b.err = addParamError{name.str(), err}
 +	}
 +}
@@ -38317,11 +38323,11 @@ index 00000000000000..1722410e5af193
 +	return getSystemDirectory() + "\\" + dll
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index b6f6376eac041a..d1a867d0452fed 100644
+index b6f6376eac041a..ee1e3a5d5d34f5 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,26 @@
-+# github.com/golang-fips/openssl/v2 v2.0.4-0.20260217140351-4e237614ceb4
++# github.com/golang-fips/openssl/v2 v2.0.4-0.20260417093650-92feff2e2bc8
 +## explicit; go 1.24
 +github.com/golang-fips/openssl/v2
 +github.com/golang-fips/openssl/v2/bbig