--- /dev/null
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package fips140only_test
+
+import (
+ "crypto"
+ "crypto/aes"
+ "crypto/cipher"
+ "crypto/des"
+ "crypto/dsa"
+ "crypto/ecdh"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/elliptic"
+ "crypto/hkdf"
+ "crypto/hmac"
+ "crypto/hpke"
+ "crypto/internal/cryptotest"
+ "crypto/internal/fips140"
+ "crypto/internal/fips140only"
+ "crypto/md5"
+ "crypto/mlkem"
+ "crypto/mlkem/mlkemtest"
+ "crypto/pbkdf2"
+ "crypto/rand"
+ "crypto/rc4"
+ "crypto/rsa"
+ "crypto/sha1"
+ "crypto/sha256"
+ _ "crypto/sha3"
+ _ "crypto/sha512"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "internal/godebug"
+ "internal/testenv"
+ "io"
+ "math/big"
+ "os"
+ "strings"
+ "testing"
+
+ "golang.org/x/crypto/chacha20poly1305"
+)
+
+func TestFIPS140Only(t *testing.T) {
+ cryptotest.MustSupportFIPS140(t)
+ if !fips140only.Enforced() {
+ cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestFIPS140Only$", "-test.v")
+ cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
+ out, err := cmd.CombinedOutput()
+ t.Logf("running with GODEBUG=fips140=only:\n%s", out)
+ if err != nil {
+ t.Errorf("fips140=only subprocess failed: %v", err)
+ }
+ return
+ }
+ t.Run("cryptocustomrand=0", func(t *testing.T) {
+ t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=0")
+ testFIPS140Only(t)
+ })
+ t.Run("cryptocustomrand=1", func(t *testing.T) {
+ t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=1")
+ testFIPS140Only(t)
+ })
+}
+
+func testFIPS140Only(t *testing.T) {
+ if !fips140only.Enforced() {
+ t.Fatal("FIPS 140-only mode not enforced")
+ }
+ t.Logf("GODEBUG=fips140=only enabled")
+ fips140.ResetServiceIndicator()
+
+ aesBlock, err := aes.NewCipher(make([]byte, 16))
+ if err != nil {
+ t.Fatal(err)
+ }
+ notAESBlock := blockWrap{aesBlock}
+ iv := make([]byte, aes.BlockSize)
+
+ cipher.NewCBCEncrypter(aesBlock, iv)
+ expectPanic(t, func() { cipher.NewCBCEncrypter(notAESBlock, iv) })
+ cipher.NewCBCDecrypter(aesBlock, iv)
+ expectPanic(t, func() { cipher.NewCBCDecrypter(notAESBlock, iv) })
+
+ expectPanic(t, func() { cipher.NewCFBEncrypter(aesBlock, iv) })
+ expectPanic(t, func() { cipher.NewCFBDecrypter(aesBlock, iv) })
+
+ cipher.NewCTR(aesBlock, iv)
+ expectPanic(t, func() { cipher.NewCTR(notAESBlock, iv) })
+
+ expectPanic(t, func() { cipher.NewOFB(aesBlock, iv) })
+
+ expectErr(t, errRet2(cipher.NewGCM(aesBlock)))
+ expectErr(t, errRet2(cipher.NewGCMWithNonceSize(aesBlock, 12)))
+ expectErr(t, errRet2(cipher.NewGCMWithTagSize(aesBlock, 12)))
+ expectNoErr(t, errRet2(cipher.NewGCMWithRandomNonce(aesBlock)))
+
+ expectErr(t, errRet2(des.NewCipher(make([]byte, 8))))
+ expectErr(t, errRet2(des.NewTripleDESCipher(make([]byte, 24))))
+
+ expectErr(t, errRet2(rc4.NewCipher(make([]byte, 16))))
+
+ expectErr(t, errRet2(chacha20poly1305.New(make([]byte, chacha20poly1305.KeySize))))
+ expectErr(t, errRet2(chacha20poly1305.NewX(make([]byte, chacha20poly1305.KeySize))))
+
+ expectPanic(t, func() { md5.New().Sum(nil) })
+ expectErr(t, errRet2(md5.New().Write(make([]byte, 16))))
+ expectPanic(t, func() { md5.Sum([]byte("foo")) })
+
+ expectPanic(t, func() { sha1.New().Sum(nil) })
+ expectErr(t, errRet2(sha1.New().Write(make([]byte, 16))))
+ expectPanic(t, func() { sha1.Sum([]byte("foo")) })
+
+ withApprovedHash(func(h crypto.Hash) { h.New().Sum(nil) })
+ withNonApprovedHash(func(h crypto.Hash) { expectPanic(t, func() { h.New().Sum(nil) }) })
+
+ expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 16), 1, 10)))
+ expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 10), 1, 14)))
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14)))
+ })
+ withApprovedHash(func(h crypto.Hash) {
+ expectNoErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14)))
+ })
+
+ expectPanic(t, func() { hmac.New(sha256.New, make([]byte, 10)) })
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectPanic(t, func() { hmac.New(h.New, make([]byte, 16)) })
+ })
+ withApprovedHash(func(h crypto.Hash) { hmac.New(h.New, make([]byte, 16)) })
+
+ expectErr(t, errRet2(hkdf.Key(sha256.New, make([]byte, 10), nil, "", 16)))
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16)))
+ })
+ withApprovedHash(func(h crypto.Hash) {
+ expectNoErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16)))
+ })
+
+ expectErr(t, errRet2(hkdf.Extract(sha256.New, make([]byte, 10), nil)))
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil)))
+ })
+ withApprovedHash(func(h crypto.Hash) {
+ expectNoErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil)))
+ })
+
+ expectErr(t, errRet2(hkdf.Expand(sha256.New, make([]byte, 10), "", 16)))
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16)))
+ })
+ withApprovedHash(func(h crypto.Hash) {
+ expectNoErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16)))
+ })
+
+ expectErr(t, errRet2(rand.Prime(rand.Reader, 10)))
+
+ expectErr(t, dsa.GenerateParameters(&dsa.Parameters{}, rand.Reader, dsa.L1024N160))
+ expectErr(t, dsa.GenerateKey(&dsa.PrivateKey{}, rand.Reader))
+ expectErr(t, errRet3(dsa.Sign(rand.Reader, &dsa.PrivateKey{}, make([]byte, 16))))
+ expectPanic(t, func() {
+ dsa.Verify(&dsa.PublicKey{}, make([]byte, 16), big.NewInt(1), big.NewInt(1))
+ })
+
+ expectErr(t, errRet2(ecdh.X25519().GenerateKey(rand.Reader)))
+ expectErr(t, errRet2(ecdh.X25519().NewPrivateKey(make([]byte, 32))))
+ expectErr(t, errRet2(ecdh.X25519().NewPublicKey(make([]byte, 32))))
+ for _, curve := range []ecdh.Curve{ecdh.P256(), ecdh.P384(), ecdh.P521()} {
+ expectErrIfCustomRand(t, errRet2(curve.GenerateKey(readerWrap{rand.Reader})))
+ k, err := curve.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectNoErr(t, errRet2(curve.NewPrivateKey(k.Bytes())))
+ expectNoErr(t, errRet2(curve.NewPublicKey(k.PublicKey().Bytes())))
+ }
+
+ for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
+ expectErrIfCustomRand(t, errRet2(ecdsa.GenerateKey(curve, readerWrap{rand.Reader})))
+ k, err := ecdsa.GenerateKey(curve, rand.Reader)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ expectErrIfCustomRand(t, errRet2(k.Sign(readerWrap{rand.Reader}, make([]byte, 32), nil)))
+ expectErrIfCustomRand(t, errRet2(ecdsa.SignASN1(readerWrap{rand.Reader}, k, make([]byte, 32))))
+ expectErrIfCustomRand(t, errRet3(ecdsa.Sign(readerWrap{rand.Reader}, k, make([]byte, 32))))
+ expectNoErr(t, errRet2(k.Sign(rand.Reader, make([]byte, 32), nil)))
+ expectNoErr(t, errRet2(ecdsa.SignASN1(rand.Reader, k, make([]byte, 32))))
+ expectNoErr(t, errRet3(ecdsa.Sign(rand.Reader, k, make([]byte, 32))))
+
+ withNonApprovedHash(func(h crypto.Hash) {
+ expectErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h)))
+ })
+ withApprovedHash(func(h crypto.Hash) {
+ expectNoErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h)))
+ })
+ }
+ customCurve := &elliptic.CurveParams{Name: "custom", P: big.NewInt(1)}
+ expectErr(t, errRet2(ecdsa.GenerateKey(customCurve, rand.Reader)))
+
+ _, ed25519Key, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), crypto.Hash(0))))
+ expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), crypto.SHA512)))
+ // ed25519ctx is not allowed (but ed25519ph with context is).
+ expectErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), &ed25519.Options{
+ Context: "test",
+ })))
+ expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{
+ Hash: crypto.SHA512, Context: "test",
+ })))
+ expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{
+ Hash: crypto.SHA512,
+ })))
+
+ expectErr(t, errRet2(rsa.GenerateMultiPrimeKey(rand.Reader, 3, 2048)))
+ expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 1024)))
+ expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 2049)))
+ expectErrIfCustomRand(t, errRet2(rsa.GenerateKey(readerWrap{rand.Reader}, 2048)))
+ rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ expectNoErr(t, err)
+
+ smallKey := parseKey(testingKey(`-----BEGIN RSA TESTING KEY-----
+MIICXQIBAAKBgQDMrln6XoAa3Rjts+kRi5obbP86qSf/562RcuDO+yMXeTLHfi4M
+8ubyhoFY+UKBCGBLmmTO7ikbvQgdipkT3xVkU8nM3XTW4sxrnw0X5QXsl4PGlMo0
+5UufxYyQxe7bbjuwFz2XnN6Jz4orpOfO0s36/KVHj9lZRl+REpr/Jy+nJQIDAQAB
+AoGAJ9WEwGO01cWSzOwXH2mGX/EKCQ4TsUuS7XwogU/B6BcXyVhmuPFq/ecsdDbq
+ePc62mvdU6JpELNsyWcIXKQtYsRgJHxNS+KJkCQIq6YeiAWRG0XL6q+qVj+HtT8a
+1Qrmul9ZBd23Y9wLF8pg/xWDQYvb8DPAb/xJ0e/KEBZcWU8CQQDXFCFCGpCfwyxY
+Cq8G/3B94D9UYwk5mK6jRIH5m8LbaX9bKKetf8+If8TWVgeuiRjjN4WEQ78lPoSg
+3Fsz2qs3AkEA85/JCudNUf2FnY+T6h1c/2SWekZiZ1NS4lCh/C7iYuAN3oa8zGkf
+gjjR5e0+Z8rUAcZkTukxyLLaNqy6rs9GgwJAVR6pXvEGhcQHe7yWso1LpvWl+q7L
+StkrXIBTdEb54j4pYhl/6wFnUB1I+I7JsYCeseYaWFM7hfDtKoCrM6V6FwJBANxh
+KmfmnJcSkw/YlaEuNrYAs+6gRNvbEBsRfba2Yqu2qlUl5Ruz7IDMDXPEjLMvU2DX
+ql2HrTU0NRlIXwdLESkCQQDGJ54H6WK1eE1YvtxCaLm28zmogcFlvc21pym+PpM1
+bXVL8iKLrG91IYQByUHZIn3WVAd2bfi4MfKagRt0ggd4
+-----END RSA TESTING KEY-----`))
+
+ expectNoErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256)))
+ expectErr(t, errRet2(smallKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256)))
+ expectErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 20), crypto.SHA1)))
+ // rand is always ignored for PKCS1v15 signing
+ expectNoErr(t, errRet2(rsaKey.Sign(readerWrap{rand.Reader}, make([]byte, 32), crypto.SHA256)))
+
+ sigPKCS1v15, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32))
+ expectNoErr(t, err)
+ expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32))))
+ expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20))))
+ // rand is always ignored for PKCS1v15 signing
+ expectNoErr(t, errRet2(rsa.SignPKCS1v15(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32))))
+
+ expectNoErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15))
+ expectErr(t, rsa.VerifyPKCS1v15(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15))
+ expectErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPKCS1v15))
+
+ sigPSS, err := rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32), nil)
+ expectNoErr(t, err)
+ expectErr(t, errRet2(rsa.SignPSS(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32), nil)))
+ expectErr(t, errRet2(rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20), nil)))
+ expectErr(t, errRet2(rsa.SignPSS(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32), nil)))
+
+ expectNoErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil))
+ expectErr(t, rsa.VerifyPSS(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil))
+ expectErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPSS, nil))
+
+ k, err := mlkem.GenerateKey768()
+ expectNoErr(t, err)
+ expectErr(t, errRet3(mlkemtest.Encapsulate768(k.EncapsulationKey(), make([]byte, 32))))
+ k1024, err := mlkem.GenerateKey1024()
+ expectNoErr(t, err)
+ expectErr(t, errRet3(mlkemtest.Encapsulate1024(k1024.EncapsulationKey(), make([]byte, 32))))
+
+ for _, kem := range []hpke.KEM{
+ hpke.DHKEM(ecdh.P256()),
+ hpke.DHKEM(ecdh.P384()),
+ hpke.DHKEM(ecdh.P521()),
+ hpke.MLKEM768(),
+ hpke.MLKEM1024(),
+ hpke.MLKEM768P256(),
+ hpke.MLKEM1024P384(),
+ hpke.MLKEM768X25519(), // allowed as hybrid
+ } {
+ t.Run(fmt.Sprintf("HKPE KEM %04x", kem.ID()), func(t *testing.T) {
+ k, err := kem.GenerateKey()
+ expectNoErr(t, err)
+ expectNoErr(t, errRet2(kem.DeriveKeyPair(make([]byte, 64))))
+ kb, err := k.Bytes()
+ expectNoErr(t, err)
+ expectNoErr(t, errRet2(kem.NewPrivateKey(kb)))
+ expectNoErr(t, errRet2(kem.NewPublicKey(k.PublicKey().Bytes())))
+ if fips140.Version() == "v1.0.0" {
+ t.Skip("FIPS 140-3 Module v1.0.0 does not provide HPKE GCM modes")
+ }
+ c, err := hpke.Seal(k.PublicKey(), hpke.HKDFSHA256(), hpke.AES128GCM(), nil, nil)
+ expectNoErr(t, err)
+ _, err = hpke.Open(k, hpke.HKDFSHA256(), hpke.AES128GCM(), nil, c)
+ expectNoErr(t, err)
+ })
+ }
+ expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).GenerateKey()))
+ expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).DeriveKeyPair(make([]byte, 64))))
+ expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPrivateKey(make([]byte, 32))))
+ expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPublicKey(make([]byte, 32))))
+ hpkeK, err := hpke.MLKEM768().GenerateKey()
+ expectNoErr(t, err)
+ expectErr(t, errRet2(hpke.Seal(hpkeK.PublicKey(), hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, nil)))
+ expectErr(t, errRet2(hpke.Open(hpkeK, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, make([]byte, 2000))))
+
+ // fips140=only mode should prevent any operation that would make the FIPS
+ // 140-3 module set its service indicator to false.
+ if !fips140.ServiceIndicator() {
+ t.Errorf("service indicator not set")
+ }
+}
+
+type blockWrap struct {
+ cipher.Block
+}
+
+type readerWrap struct {
+ io.Reader
+}
+
+func withApprovedHash(f func(crypto.Hash)) {
+ f(crypto.SHA224)
+ f(crypto.SHA256)
+ f(crypto.SHA384)
+ f(crypto.SHA512)
+ f(crypto.SHA3_224)
+ f(crypto.SHA3_256)
+ f(crypto.SHA3_384)
+ f(crypto.SHA3_512)
+ f(crypto.SHA512_224)
+ f(crypto.SHA512_256)
+}
+
+func withNonApprovedHash(f func(crypto.Hash)) {
+ f(crypto.MD5)
+ f(crypto.SHA1)
+}
+
+func expectPanic(t *testing.T, f func()) {
+ t.Helper()
+ defer func() {
+ t.Helper()
+ if err := recover(); err == nil {
+ t.Errorf("expected panic")
+ } else {
+ if s, ok := err.(string); !ok || !strings.Contains(s, "FIPS 140-only") {
+ t.Errorf("unexpected panic: %v", err)
+ }
+ }
+ }()
+ f()
+}
+
+var cryptocustomrand = godebug.New("cryptocustomrand")
+
+func expectErr(t *testing.T, err error) {
+ t.Helper()
+ if err == nil {
+ t.Errorf("expected error")
+ } else if !strings.Contains(err.Error(), "FIPS 140-only") {
+ t.Errorf("unexpected error: %v", err)
+ }
+}
+
+func expectNoErr(t *testing.T, err error) {
+ t.Helper()
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+}
+
+func expectErrIfCustomRand(t *testing.T, err error) {
+ t.Helper()
+ if cryptocustomrand.Value() == "1" {
+ expectErr(t, err)
+ } else {
+ expectNoErr(t, err)
+ }
+}
+
+func errRet2[T any](_ T, err error) error {
+ return err
+}
+
+func errRet3[T any](_, _ T, err error) error {
+ return err
+}
+
+func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
+
+func parseKey(s string) *rsa.PrivateKey {
+ p, _ := pem.Decode([]byte(s))
+ k, err := x509.ParsePKCS1PrivateKey(p.Bytes)
+ if err != nil {
+ panic(err)
+ }
+ return k
+}