authorFilippo Valsorda <filippo@golang.org>2026-02-15 16:02:33 +0100
committerGopher Robot <gobot@golang.org>2026-04-07 10:32:51 -0700
commit7394184e4ecf7cd1e938b80434f057caeb5ffa58 (patch)
tree474593399eee689cb32e7f4f86cfa20d2049bda2
parentf48684c59cf9dce53468e4ae610d5e90739602b5 (diff)
crypto/ed25519: use FIPS 140-3 GenerateKey and enforce fips140=only
Fixes #77594 Change-Id: I2685931ec37d9beb99de2e0398ab6f456a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/745800 Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-rw-r--r--src/crypto/ed25519/ed25519.go13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go
index a0263638ef..ed599ad290 100644
--- a/src/crypto/ed25519/ed25519.go
+++ b/src/crypto/ed25519/ed25519.go
@@ -160,6 +160,19 @@ func GenerateKey(random io.Reader) (PublicKey, PrivateKey, error) {
}
}
+ if fips140only.Enforced() && !fips140only.ApprovedRandomReader(random) {
+ return nil, nil, errors.New("crypto/ed25519: only crypto/rand.Reader is allowed in FIPS 140-only mode")
+ }
+
+ if rand.IsDefaultReader(random) {
+ privateKey, err := ed25519.GenerateKey()
+ if err != nil {
+ return nil, nil, err
+ }
+ publicKey := PublicKey(privateKey.PublicKey())
+ return publicKey, PrivateKey(privateKey.Bytes()), nil
+ }
+
seed := make([]byte, SeedSize)
if _, err := io.ReadFull(random, seed); err != nil {
return nil, nil, err