
crypto/internal/fips: disable CASTs if FIPS mode is not enabled

Change-Id: Idabfe29e16d9ae6da7fbb078f9738bb4a7c5347b
Reviewed-on: https://go-review.googlesource.com/c/go/+/626935
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Filippo Valsorda
2024-11-10 15:04:48 +01:00
committed by Gopher Robot
parent ed413f3fe0
commit 791d9827be
3 changed files with 19 additions and 7 deletions
src/crypto/internal/fips

@ -24,9 +24,9 @@ var failfipscast = godebug.New("#failfipscast")
// testingOnlyCASTHook is called during tests with each CAST name. // testingOnlyCASTHook is called during tests with each CAST name.
var testingOnlyCASTHook func(string) var testingOnlyCASTHook func(string)
// CAST runs the named Cryptographic Algorithm Self-Test (if compiled and // CAST runs the named Cryptographic Algorithm Self-Test (if operated in FIPS
// operated in FIPS mode) and aborts the program (stopping the module // mode) and aborts the program (stopping the module input/output and entering
// input/output and entering the "error state") if the self-test fails. // the "error state") if the self-test fails.
// //
// These are mandatory self-checks that must be performed by FIPS 140-3 modules // These are mandatory self-checks that must be performed by FIPS 140-3 modules
// before the algorithm is used. See Implementation Guidance 10.3.A. // before the algorithm is used. See Implementation Guidance 10.3.A.
@ -41,6 +41,9 @@ func CAST(name string, f func() error) {
if testingOnlyCASTHook != nil { if testingOnlyCASTHook != nil {
testingOnlyCASTHook(name) testingOnlyCASTHook(name)
} }
if !Enabled {
return
}
err := f() err := f()
if failfipscast.Value() != "" && strings.Contains(name, failfipscast.Value()) { if failfipscast.Value() != "" && strings.Contains(name, failfipscast.Value()) {
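Review bot: The new `if !Enabled { return }` guard makes CAST return before `f()` is ever invoked, so outside FIPS mode neither the self-test nor the `failfipscast` failure injection below it can run, and the code does not say why the guard sits after the testing hook rather than at the top of the function. A one-line comment above the guard would capture that, e.g. `// The hook above runs regardless, so tests can enumerate CASTs even when FIPS mode is off.`. The updated doc comment ("if operated in FIPS mode") could also state the consequence explicitly: `// When not operating in FIPS mode, f is not called and CAST returns immediately.`. CAST's body starts and ends outside this hunk.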

@ -29,8 +29,10 @@ func TestCAST(t *testing.T) {
t.Errorf("no CASTs to test") t.Errorf("no CASTs to test")
} }
for _, name := range fips.AllCASTs { if fips.Enabled {
t.Logf("CAST %s completed successfully", name) for _, name := range fips.AllCASTs {
t.Logf("CAST %s completed successfully", name)
}
} }
t.Run("SimulateFailures", func(t *testing.T) { t.Run("SimulateFailures", func(t *testing.T) {
@ -40,7 +42,7 @@ func TestCAST(t *testing.T) {
t.Parallel() t.Parallel()
cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestCAST", "-test.v") cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestCAST", "-test.v")
cmd = testenv.CleanCmdEnv(cmd) cmd = testenv.CleanCmdEnv(cmd)
cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s", name)) cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
out, err := cmd.CombinedOutput() out, err := cmd.CombinedOutput()
if err == nil { if err == nil {
t.Error(err) t.Error(err)
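Review bot: When `fips.Enabled` is false the loop at the top of the first hunk is skipped without any output, so a `-test.v` run gives no indication that the CASTs were not exercised directly in the parent process; a line such as `if !fips.Enabled { t.Log("FIPS mode not enabled; CASTs not run in this process") }` next to the new condition would make that visible. In the SimulateFailures hunk, the `fips140=on` appended to the GODEBUG string is what lets the child process reach the self-tests at all now that CAST returns early, which is worth a comment on that line, e.g. `// fips140=on is required, since CAST is a no-op otherwise.`. TestCAST starts and ends outside these hunks.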

@ -6,4 +6,11 @@ package fips
import "internal/godebug" import "internal/godebug"
var Enabled = godebug.New("#fips140").Value() == "on" var Enabled bool
func init() {
switch godebug.New("#fips140").Value() {
case "on", "debug", "only":
Enabled = true
}
}
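Review bot: `Enabled` is exported but loses its doc comment in this change, and its value now moves from a package-level initializer into `init()`; Go runs every package-level variable initializer before any `init` function, so an initializer in this package that reads `Enabled` (directly or through CAST) would observe false, which the previous form did not allow. If nothing in the package does that, a comment saying so is enough; otherwise computing the value in an initializer through a small helper keeps the old ordering while still accepting the three modes. Either way, add a doc comment, e.g. `// Enabled reports whether the module is operating in FIPS 140-3 mode, i.e. GODEBUG fips140 is set to on, debug, or only.`.
```go
var Enabled = fipsModeEnabled()

// fipsModeEnabled reads the fips140 GODEBUG setting once, during
// package-level variable initialization (before any init function).
func fipsModeEnabled() bool {
	switch godebug.New("#fips140").Value() {
	case "on", "debug", "only":
		return true
	}
	return false
}
```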