crypto/internal/fips: disable CASTs if FIPS mode is not enabled

Change-Id: Idabfe29e16d9ae6da7fbb078f9738bb4a7c5347b Reviewed-on: https://go-review.googlesource.com/c/go/+/626935 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Michael Knyszek <mknyszek@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
2025-05-29 15:20:52 +00:00 · 2024-11-10 15:04:48 +01:00
parent ed413f3fe0
commit 791d9827be
3 changed files with 19 additions and 7 deletions
--- a/src/crypto/internal/fips/cast.go
+++ b/src/crypto/internal/fips/cast.go
@ -24,9 +24,9 @@ var failfipscast = godebug.New("#failfipscast")
 // testingOnlyCASTHook is called during tests with each CAST name.
 var testingOnlyCASTHook func(string)

-// CAST runs the named Cryptographic Algorithm Self-Test (if compiled and
-// operated in FIPS mode) and aborts the program (stopping the module
-// input/output and entering the "error state") if the self-test fails.
+// CAST runs the named Cryptographic Algorithm Self-Test (if operated in FIPS
+// mode) and aborts the program (stopping the module input/output and entering
+// the "error state") if the self-test fails.
 //
 // These are mandatory self-checks that must be performed by FIPS 140-3 modules
 // before the algorithm is used. See Implementation Guidance 10.3.A.
@ -41,6 +41,9 @@ func CAST(name string, f func() error) {
 	if testingOnlyCASTHook != nil {
 		testingOnlyCASTHook(name)
 	}
+	if !Enabled {
+		return
+	}

 	err := f()
 	if failfipscast.Value() != "" && strings.Contains(name, failfipscast.Value()) {
--- a/src/crypto/internal/fips/cast_external_test.go
+++ b/src/crypto/internal/fips/cast_external_test.go
@ -29,8 +29,10 @@ func TestCAST(t *testing.T) {
 		t.Errorf("no CASTs to test")
 	}

-	for _, name := range fips.AllCASTs {
-		t.Logf("CAST %s completed successfully", name)
+	if fips.Enabled {
+		for _, name := range fips.AllCASTs {
+			t.Logf("CAST %s completed successfully", name)
+		}
 	}

 	t.Run("SimulateFailures", func(t *testing.T) {
@ -40,7 +42,7 @@ func TestCAST(t *testing.T) {
 				t.Parallel()
 				cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestCAST", "-test.v")
 				cmd = testenv.CleanCmdEnv(cmd)
-				cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s", name))
+				cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
 				out, err := cmd.CombinedOutput()
 				if err == nil {
 					t.Error(err)
--- a/src/crypto/internal/fips/fips.go
+++ b/src/crypto/internal/fips/fips.go
@ -6,4 +6,11 @@ package fips

 import "internal/godebug"

-var Enabled = godebug.New("#fips140").Value() == "on"
+var Enabled bool
+
+func init() {
+	switch godebug.New("#fips140").Value() {
+	case "on", "debug", "only":
+		Enabled = true
+	}
+}