crypto/ecdsa: fips140=only does not allow any ecdsa key generation #70894

Closed
kruskall opened this issue Dec 18, 2024 · 6 comments
Labels: NeedsFix, release-blocker


@kruskall

Go version

go1.24-95b433e

Output of go env in your module/workspace:

GOFIPS140='latest'

What did you do?

package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
)

func main() {
	_, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println(err)
}
  • gotip build -o bug main.go && GODEBUG=fips140=only ./bug
  • ./bug

What did you see happen?

program exited with the following error:

crypto/ecdsa: only crypto/rand.Reader is allowed in FIPS 140-only mode

What did you expect to see?

no error

@kruskall
Author

this if check is missing a !:

if fips140only.Enabled && fips140only.ApprovedRandomReader(rand) {

@mauri870
Member

Thanks, looks like this was a mistake.

cc @FiloSottile

@mauri870 added the NeedsFix and help wanted labels Dec 18, 2024
@mauri870
Member

cc @golang/release since this should be fixed in the next RC.

@gopherbot
Contributor

Change https://go.dev/cl/637455 mentions this issue: crypto/ecdsa: fix condition for FIPS check

@FiloSottile
Contributor

Ooops, sorry! I need to put together a proper test for fips140=only.

@mauri870 added this to the Go1.24 milestone Dec 18, 2024
@mauri870 self-assigned this Dec 18, 2024
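
The inverted guard discussed in this thread, as an added example that is not part of the issue or of the Go source: it walks the full truth table for the quoted condition and for the version with the `!` restored. The names `approvedReader`, `buggyGuard`, `fixedGuard` and `mismatches` are hypothetical, and `approvedReader` is a stand-in that assumes only `crypto/rand.Reader` is approved.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var errReader = errors.New("crypto/ecdsa: only crypto/rand.Reader is allowed in FIPS 140-only mode") // text quoted in the issue

// approvedReader is a hypothetical stand-in for fips140only.ApprovedRandomReader (assumption: only rand.Reader passes).
func approvedReader(r io.Reader) bool { return r == rand.Reader }

// buggyGuard has the shape of the condition quoted in the issue (missing "!").
func buggyGuard(onlyMode bool, r io.Reader) error {
	if onlyMode && approvedReader(r) {
		return errReader
	}
	return nil
}

// fixedGuard rejects a reader only when it is NOT approved.
func fixedGuard(onlyMode bool, r io.Reader) error {
	if onlyMode && !approvedReader(r) {
		return errReader
	}
	return nil
}

// mismatches lists every case where guard disagrees with the policy "reject iff only-mode and reader unapproved".
func mismatches(guard func(bool, io.Reader) error) (bad []string) {
	custom := bytes.NewReader(make([]byte, 64)) // constructed non-approved reader
	readers := []struct{ name string; r io.Reader; approved bool }{{"rand.Reader", rand.Reader, true}, {"custom", custom, false}}
	for _, only := range []bool{false, true} {
		for _, rd := range readers {
			wantErr := only && !rd.approved
			if gotErr := guard(only, rd.r) != nil; gotErr != wantErr {
				bad = append(bad, fmt.Sprintf("only=%v reader=%s rejected=%v", only, rd.name, gotErr))
			}
		}
	}
	return bad
}

func main() {
	fmt.Println("buggy:", mismatches(buggyGuard), "fixed:", mismatches(fixedGuard))
}
```

The buggy guard fails in both directions under only-mode: it rejects the approved reader, which is the error reported here, and it lets the non-approved reader through without an error.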