authorFilippo Valsorda <filippo@golang.org>2024-11-22 04:21:12 +0100
committerGopher Robot <gobot@golang.org>2024-11-22 03:48:06 +0000
commitb299e9a44f298e72815ca0513bcc6ccca075f3fc (patch)
treeed61881d01d27c7b71552d632cb10a9e30656d47 /src/crypto/cipher
parent07b42666051841352077c0d04ba67d510247fd1d (diff)
downloadgo-b299e9a44f298e72815ca0513bcc6ccca075f3fc.tar.xz
crypto: implement fips140=only mode
Running the test suite in this mode is definitely not an option. Testing this will probably look like a very long test that tries all functions. Filed #70514 to track the tests. For #70123 Change-Id: I6f67de83da37dd1e94e620b7f4f4f6aabe040c41 Reviewed-on: https://go-review.googlesource.com/c/go/+/631018 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src/crypto/cipher')
-rw-r--r--src/crypto/cipher/cfb.go7
-rw-r--r--src/crypto/cipher/gcm.go13
-rw-r--r--src/crypto/cipher/ofb.go5
3 files changed, 25 insertions, 0 deletions
diff --git a/src/crypto/cipher/cfb.go b/src/crypto/cipher/cfb.go
index eccb1afa7d..b9f9efa574 100644
--- a/src/crypto/cipher/cfb.go
+++ b/src/crypto/cipher/cfb.go
@@ -8,6 +8,7 @@ package cipher
import (
"crypto/internal/fips140/alias"
+ "crypto/internal/fips140only"
"crypto/subtle"
)
@@ -54,6 +55,9 @@ func (x *cfb) XORKeyStream(dst, src []byte) {
// using the given [Block]. The iv must be the same length as the [Block]'s block
// size.
func NewCFBEncrypter(block Block, iv []byte) Stream {
+ if fips140only.Enabled {
+ panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
+ }
return newCFB(block, iv, false)
}
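Review bot: The new `panic` in NewCFBEncrypter is not reflected in the function's doc comment, which begins above the hunk and still documents only the iv length requirement, so a caller has no documented way to anticipate this failure mode. Adding a sentence such as `// NewCFBEncrypter panics if FIPS 140-only mode is enabled.` to the doc comment would make it discoverable. The same omission applies to NewCFBDecrypter in the next hunk and to NewOFB in ofb.go, and the three panic strings differ only in the mode name, so a small shared helper or constant would keep them from drifting apart. The body of NewCFBEncrypter's doc comment starts outside the hunk.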
@@ -61,6 +65,9 @@ func NewCFBEncrypter(block Block, iv []byte) Stream {
// using the given [Block]. The iv must be the same length as the [Block]'s block
// size.
func NewCFBDecrypter(block Block, iv []byte) Stream {
+ if fips140only.Enabled {
+ panic("crypto/cipher: use of CFB is not allowed in FIPS 140-only mode")
+ }
return newCFB(block, iv, true)
}
diff --git a/src/crypto/cipher/gcm.go b/src/crypto/cipher/gcm.go
index ca60008111..5580f96d55 100644
--- a/src/crypto/cipher/gcm.go
+++ b/src/crypto/cipher/gcm.go
@@ -8,6 +8,7 @@ import (
"crypto/internal/fips140/aes"
"crypto/internal/fips140/aes/gcm"
"crypto/internal/fips140/alias"
+ "crypto/internal/fips140only"
"crypto/subtle"
"errors"
"internal/byteorder"
@@ -27,6 +28,9 @@ const (
// An exception is when the underlying [Block] was created by aes.NewCipher
// on systems with hardware support for AES. See the [crypto/aes] package documentation for details.
func NewGCM(cipher Block) (AEAD, error) {
+ if fips140only.Enabled {
+ return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce")
+ }
return newGCM(cipher, gcmStandardNonceSize, gcmTagSize)
}
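Review bot: The error string returned in NewGCM is repeated verbatim in NewGCMWithNonceSize and NewGCMWithTagSize in the following hunks, so the three sites can drift and callers or tests have no sentinel to compare against with errors.Is. A package-level unexported value, e.g. `var errGCMFIPS140Only = errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce")` with `return nil, errGCMFIPS140Only` at each site, would remove the duplication. The doc comment of NewGCM, which begins above the hunk, also does not mention that an error is returned in FIPS 140-only mode; a sentence such as `// NewGCM returns an error if FIPS 140-only mode is enabled; use [NewGCMWithRandomNonce] instead.` would cover it, and the same applies to the other two constructors.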
@@ -38,6 +42,9 @@ func NewGCM(cipher Block) (AEAD, error) {
// cryptosystem that uses non-standard nonce lengths. All other users should use
// [NewGCM], which is faster and more resistant to misuse.
func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) {
+ if fips140only.Enabled {
+ return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce")
+ }
return newGCM(cipher, size, gcmTagSize)
}
@@ -50,12 +57,18 @@ func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) {
// cryptosystem that uses non-standard tag lengths. All other users should use
// [NewGCM], which is more resistant to misuse.
func NewGCMWithTagSize(cipher Block, tagSize int) (AEAD, error) {
+ if fips140only.Enabled {
+ return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce")
+ }
return newGCM(cipher, gcmStandardNonceSize, tagSize)
}
func newGCM(cipher Block, nonceSize, tagSize int) (AEAD, error) {
c, ok := cipher.(*aes.Block)
if !ok {
+ if fips140only.Enabled {
+ return nil, errors.New("crypto/cipher: use of GCM with non-AES ciphers is not allowed in FIPS 140-only mode")
+ }
return newGCMFallback(cipher, nonceSize, tagSize)
}
// We don't return gcm.New directly, because it would always return a non-nil
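Review bot: The new error message in newGCM says "non-AES ciphers", but what the preceding `cipher.(*aes.Block)` assertion actually tests is whether the Block is the crypto/internal/fips140/aes implementation, so any other Block type is rejected regardless of algorithm. A comment above the check, e.g. `// In FIPS 140-only mode only the internal fips140 AES Block is accepted; any other Block type is rejected regardless of the algorithm it implements.`, would spare the next reader from assuming an algorithm check is being made. If a more precise message is wanted, "use of GCM with ciphers other than the standard library AES is not allowed in FIPS 140-only mode" describes the condition as coded. newGCM's body continues past the end of the hunk.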
diff --git a/src/crypto/cipher/ofb.go b/src/crypto/cipher/ofb.go
index 549dc91962..abdc0225c0 100644
--- a/src/crypto/cipher/ofb.go
+++ b/src/crypto/cipher/ofb.go
@@ -8,6 +8,7 @@ package cipher
import (
"crypto/internal/fips140/alias"
+ "crypto/internal/fips140only"
"crypto/subtle"
)
@@ -22,6 +23,10 @@ type ofb struct {
// in output feedback mode. The initialization vector iv's length must be equal
// to b's block size.
func NewOFB(b Block, iv []byte) Stream {
+ if fips140only.Enabled {
+ panic("crypto/cipher: use of OFB is not allowed in FIPS 140-only mode")
+ }
+
blockSize := b.BlockSize()
if len(iv) != blockSize {
panic("cipher.NewOFB: IV length must equal block size")