diff options
| author | Filippo Valsorda <filippo@golang.org> | 2024-12-16 19:30:58 +0100 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2024-12-17 08:02:43 -0800 |
| commit | b47ce8b0e997f09abd6e1e5c23eb59d6e9d5be2c (patch) | |
| tree | 5e057f4c4b29c8b33af889366728b27f2c19bfb7 /src/crypto | |
| parent | dd7a7ba38f36dd6abc1e14b8d0e8bf05a5383161 (diff) | |
| download | go-b47ce8b0e997f09abd6e1e5c23eb59d6e9d5be2c.tar.xz | |
crypto/cipher: block non-AES CTR and CBC in fips140=only mode
Somehow I had missed these.
For #69536
Change-Id: I5e60b6f052bbfb707742ad15f663517c6c5f68d3
Reviewed-on: https://go-review.googlesource.com/c/go/+/636795
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/cipher/cbc.go | 7 | ||||
| -rw-r--r-- | src/crypto/cipher/ctr.go | 4 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/crypto/cipher/cbc.go b/src/crypto/cipher/cbc.go index b4536aceb9..8e61406296 100644 --- a/src/crypto/cipher/cbc.go +++ b/src/crypto/cipher/cbc.go @@ -15,6 +15,7 @@ import ( "bytes" "crypto/internal/fips140/aes" "crypto/internal/fips140/alias" + "crypto/internal/fips140only" "crypto/subtle" ) @@ -53,6 +54,9 @@ func NewCBCEncrypter(b Block, iv []byte) BlockMode { if b, ok := b.(*aes.Block); ok { return aes.NewCBCEncrypter(b, [16]byte(iv)) } + if fips140only.Enabled { + panic("crypto/cipher: use of CBC with non-AES ciphers is not allowed in FIPS 140-only mode") + } if cbc, ok := b.(cbcEncAble); ok { return cbc.NewCBCEncrypter(iv) } @@ -129,6 +133,9 @@ func NewCBCDecrypter(b Block, iv []byte) BlockMode { if b, ok := b.(*aes.Block); ok { return aes.NewCBCDecrypter(b, [16]byte(iv)) } + if fips140only.Enabled { + panic("crypto/cipher: use of CBC with non-AES ciphers is not allowed in FIPS 140-only mode") + } if cbc, ok := b.(cbcDecAble); ok { return cbc.NewCBCDecrypter(iv) } diff --git a/src/crypto/cipher/ctr.go b/src/crypto/cipher/ctr.go index c868635b8a..49512ca5dd 100644 --- a/src/crypto/cipher/ctr.go +++ b/src/crypto/cipher/ctr.go @@ -16,6 +16,7 @@ import ( "bytes" "crypto/internal/fips140/aes" "crypto/internal/fips140/alias" + "crypto/internal/fips140only" "crypto/subtle" ) @@ -41,6 +42,9 @@ func NewCTR(block Block, iv []byte) Stream { if block, ok := block.(*aes.Block); ok { return aesCtrWrapper{aes.NewCTR(block, iv)} } + if fips140only.Enabled { + panic("crypto/cipher: use of CTR with non-AES ciphers is not allowed in FIPS 140-only mode") + } if ctr, ok := block.(ctrAble); ok { return ctr.NewCTR(iv) } |