crypto/hmac,crypto/hkdf,crypto/pbkdf2,crypto/rsa: can't be used with crypto/sha3 when GODEBUG=fips140=only is set

[qmuntal]

Go version

go version devel go1.24-c8fb6ae617 Sun Dec 8 15:34:47 2024 +0000 windows/amd64

Output of go env in your module/workspace:

set AR=ar
set CC=gcc
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_ENABLED=1
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set CXX=g++
set GCCGO=gccgo
set GO111MODULE=
set GOAMD64=v1
set GOARCH=amd64
set GOAUTH=netrc
set GOBIN=
set GOCACHE=C:\Users\qmuntaldiaz\AppData\Local\go-build
set GODEBUG=fips140=
set GOENV=C:\Users\qmuntaldiaz\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFIPS140=off
set GOFLAGS=
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\QMUNTA~1\AppData\Local\Temp\go-build3921600416=/tmp/go-build -gno-record-gcc-switches
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMOD=C:\Users\qmuntaldiaz\code\golang-go\src\go.mod
set GOMODCACHE=C:\Users\qmuntaldiaz\go\pkg\mod
set GONOPROXY=github.com/microsoft/*,dev.azure.com/*
set GONOSUMDB=github.com/microsoft/*,dev.azure.com/*
set GOOS=windows
set GOPATH=C:\Users\qmuntaldiaz\go
set GOPRIVATE=github.com/microsoft/*,dev.azure.com/*
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Users\qmuntaldiaz\code\golang-go
set GOSUMDB=sum.golang.org
set GOTELEMETRY=on
set GOTELEMETRYDIR=C:\Users\qmuntaldiaz\AppData\Roaming\go\telemetry
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Users\qmuntaldiaz\code\golang-go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=devel go1.24-c8fb6ae617 Sun Dec 8 15:34:47 2024 +0000
set GOWORK=
set PKG_CONFIG=pkg-config

What did you do?

package main

import (
	"crypto/hmac"
	"crypto/sha3"
	"hash"
)

func main() {
	hmac.New(func() hash.Hash { return sha3.New256() }, make([]byte, 64))
	println("done!")
}

Run the previous code with GODEBUG=fips140=only set.

What did you see happen?

done!

What did you expect to see?

panic: crypto/hmac: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode

goroutine 1 [running]:
crypto/hmac.New(0xe6be8, {0xc0000105c0, 0x40, 0x40})
        C:/Users/qmuntaldiaz/code/golang-go/src/crypto/hmac/hmac.go:51 +0xf4
main.main()
        C:/Users/qmuntaldiaz/code/golang-go/src/crypto/hmac/a/main.go:10 +0x3c

[gabyhelp]

Related Issues

• cmd/go: `go test` doesn't work with `GODEBUG=fips140=only` #70878
• boringcrypto: SHA functions do not use FIPS compliant openssl APIs #66520 (closed)
• crypto: mechanism to enable FIPS mode #70123 (closed)
• "use of internal package not allowed" error #64005 (closed)
• RSA verification fails for some of the test cases when boring crypto is enabled instead of native go crytpo #68645 (closed)
• boringcrypto: Not using FIPS compliant calls for SHA functions (also should we add md5? for easy proof of FIPS mode on) #66513 (closed)
• x/crypto/sha3: unsafe pointer conversion #37644 (closed)
• x/crypto: update go directive to at least 1.20 #68035 (closed)
• cmd/go: add fips140 module selection mechanism #70200

Related Code Changes

• crypto/internal/fips140/sha3/_asm: remove unnecessary x/crypto dependency

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[qmuntal]

@golang/security @FiloSottile @golang/release.

Tentatively marking this as release blocker.

[qmuntal]

This issue happens because crypto/internal/fips140only checks for crypto/internal/fips140/sha3.Digest, but crypto/sha3.New256() returns a crypto/sha3.SHA3 object which wraps the former.

go/src/crypto/internal/fips140only/fips140only.go

Line 23 in 1218566

case *sha256.Digest, *sha512.Digest, *sha3.Digest:

go/src/crypto/sha3/sha3.go

Line 110 in 1218566

return &SHA3{*sha3.New256()}