From: Filippo Valsorda <filippo@golang.org>
Date: Sat, 28 Dec 2024 21:32:59 +0000 (+0100)
Subject: crypto/internal/fips140only: test fips140=only mode
X-Git-Tag: go1.26rc2~7^2~68
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=65b71c11d469029f755328c5e51742139f6b8686;p=gostls13.git

crypto/internal/fips140only: test fips140=only mode

Fixes #70514
Updates #70878

Change-Id: I6a6a46561d872c8f7e9ea333ff208064b0bd44c1
Reviewed-on: https://go-review.googlesource.com/c/go/+/728506
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
---

diff --git a/src/crypto/internal/fips140only/fips140only_test.go b/src/crypto/internal/fips140only/fips140only_test.go
new file mode 100644
index 0000000000..96df536d56
--- /dev/null
+++ b/src/crypto/internal/fips140only/fips140only_test.go
@@ -0,0 +1,408 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package fips140only_test
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+	"crypto/dsa"
+	"crypto/ecdh"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/hkdf"
+	"crypto/hmac"
+	"crypto/hpke"
+	"crypto/internal/cryptotest"
+	"crypto/internal/fips140"
+	"crypto/internal/fips140only"
+	"crypto/md5"
+	"crypto/mlkem"
+	"crypto/mlkem/mlkemtest"
+	"crypto/pbkdf2"
+	"crypto/rand"
+	"crypto/rc4"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/sha256"
+	_ "crypto/sha3"
+	_ "crypto/sha512"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"internal/godebug"
+	"internal/testenv"
+	"io"
+	"math/big"
+	"os"
+	"strings"
+	"testing"
+
+	"golang.org/x/crypto/chacha20poly1305"
+)
+
+func TestFIPS140Only(t *testing.T) {
+	cryptotest.MustSupportFIPS140(t)
+	if !fips140only.Enforced() {
+		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestFIPS140Only$", "-test.v")
+		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
+		out, err := cmd.CombinedOutput()
+		t.Logf("running with GODEBUG=fips140=only:\n%s", out)
+		if err != nil {
+			t.Errorf("fips140=only subprocess failed: %v", err)
+		}
+		return
+	}
+	t.Run("cryptocustomrand=0", func(t *testing.T) {
+		t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=0")
+		testFIPS140Only(t)
+	})
+	t.Run("cryptocustomrand=1", func(t *testing.T) {
+		t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=1")
+		testFIPS140Only(t)
+	})
+}
+
+func testFIPS140Only(t *testing.T) {
+	if !fips140only.Enforced() {
+		t.Fatal("FIPS 140-only mode not enforced")
+	}
+	t.Logf("GODEBUG=fips140=only enabled")
+	fips140.ResetServiceIndicator()
+
+	aesBlock, err := aes.NewCipher(make([]byte, 16))
+	if err != nil {
+		t.Fatal(err)
+	}
+	notAESBlock := blockWrap{aesBlock}
+	iv := make([]byte, aes.BlockSize)
+
+	cipher.NewCBCEncrypter(aesBlock, iv)
+	expectPanic(t, func() { cipher.NewCBCEncrypter(notAESBlock, iv) })
+	cipher.NewCBCDecrypter(aesBlock, iv)
+	expectPanic(t, func() { cipher.NewCBCDecrypter(notAESBlock, iv) })
+
+	expectPanic(t, func() { cipher.NewCFBEncrypter(aesBlock, iv) })
+	expectPanic(t, func() { cipher.NewCFBDecrypter(aesBlock, iv) })
+
+	cipher.NewCTR(aesBlock, iv)
+	expectPanic(t, func() { cipher.NewCTR(notAESBlock, iv) })
+
+	expectPanic(t, func() { cipher.NewOFB(aesBlock, iv) })
+
+	expectErr(t, errRet2(cipher.NewGCM(aesBlock)))
+	expectErr(t, errRet2(cipher.NewGCMWithNonceSize(aesBlock, 12)))
+	expectErr(t, errRet2(cipher.NewGCMWithTagSize(aesBlock, 12)))
+	expectNoErr(t, errRet2(cipher.NewGCMWithRandomNonce(aesBlock)))
+
+	expectErr(t, errRet2(des.NewCipher(make([]byte, 8))))
+	expectErr(t, errRet2(des.NewTripleDESCipher(make([]byte, 24))))
+
+	expectErr(t, errRet2(rc4.NewCipher(make([]byte, 16))))
+
+	expectErr(t, errRet2(chacha20poly1305.New(make([]byte, chacha20poly1305.KeySize))))
+	expectErr(t, errRet2(chacha20poly1305.NewX(make([]byte, chacha20poly1305.KeySize))))
+
+	expectPanic(t, func() { md5.New().Sum(nil) })
+	expectErr(t, errRet2(md5.New().Write(make([]byte, 16))))
+	expectPanic(t, func() { md5.Sum([]byte("foo")) })
+
+	expectPanic(t, func() { sha1.New().Sum(nil) })
+	expectErr(t, errRet2(sha1.New().Write(make([]byte, 16))))
+	expectPanic(t, func() { sha1.Sum([]byte("foo")) })
+
+	withApprovedHash(func(h crypto.Hash) { h.New().Sum(nil) })
+	withNonApprovedHash(func(h crypto.Hash) { expectPanic(t, func() { h.New().Sum(nil) }) })
+
+	expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 16), 1, 10)))
+	expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 10), 1, 14)))
+	withNonApprovedHash(func(h crypto.Hash) {
+		expectErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14)))
+	})
+	withApprovedHash(func(h crypto.Hash) {
+		expectNoErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14)))
+	})
+
+	expectPanic(t, func() { hmac.New(sha256.New, make([]byte, 10)) })
+	withNonApprovedHash(func(h crypto.Hash) {
+		expectPanic(t, func() { hmac.New(h.New, make([]byte, 16)) })
+	})
+	withApprovedHash(func(h crypto.Hash) { hmac.New(h.New, make([]byte, 16)) })
+
+	expectErr(t, errRet2(hkdf.Key(sha256.New, make([]byte, 10), nil, "", 16)))
+	withNonApprovedHash(func(h crypto.Hash) {
+		expectErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16)))
+	})
+	withApprovedHash(func(h crypto.Hash) {
+		expectNoErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16)))
+	})
+
+	expectErr(t, errRet2(hkdf.Extract(sha256.New, make([]byte, 10), nil)))
+	withNonApprovedHash(func(h crypto.Hash) {
+		expectErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil)))
+	})
+	withApprovedHash(func(h crypto.Hash) {
+		expectNoErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil)))
+	})
+
+	expectErr(t, errRet2(hkdf.Expand(sha256.New, make([]byte, 10), "", 16)))
+	withNonApprovedHash(func(h crypto.Hash) {
+		expectErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16)))
+	})
+	withApprovedHash(func(h crypto.Hash) {
+		expectNoErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16)))
+	})
+
+	expectErr(t, errRet2(rand.Prime(rand.Reader, 10)))
+
+	expectErr(t, dsa.GenerateParameters(&dsa.Parameters{}, rand.Reader, dsa.L1024N160))
+	expectErr(t, dsa.GenerateKey(&dsa.PrivateKey{}, rand.Reader))
+	expectErr(t, errRet3(dsa.Sign(rand.Reader, &dsa.PrivateKey{}, make([]byte, 16))))
+	expectPanic(t, func() {
+		dsa.Verify(&dsa.PublicKey{}, make([]byte, 16), big.NewInt(1), big.NewInt(1))
+	})
+
+	expectErr(t, errRet2(ecdh.X25519().GenerateKey(rand.Reader)))
+	expectErr(t, errRet2(ecdh.X25519().NewPrivateKey(make([]byte, 32))))
+	expectErr(t, errRet2(ecdh.X25519().NewPublicKey(make([]byte, 32))))
+	for _, curve := range []ecdh.Curve{ecdh.P256(), ecdh.P384(), ecdh.P521()} {
+		expectErrIfCustomRand(t, errRet2(curve.GenerateKey(readerWrap{rand.Reader})))
+		k, err := curve.GenerateKey(rand.Reader)
+		if err != nil {
+			t.Fatal(err)
+		}
+		expectNoErr(t, errRet2(curve.NewPrivateKey(k.Bytes())))
+		expectNoErr(t, errRet2(curve.NewPublicKey(k.PublicKey().Bytes())))
+	}
+
+	for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
+		expectErrIfCustomRand(t, errRet2(ecdsa.GenerateKey(curve, readerWrap{rand.Reader})))
+		k, err := ecdsa.GenerateKey(curve, rand.Reader)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		expectErrIfCustomRand(t, errRet2(k.Sign(readerWrap{rand.Reader}, make([]byte, 32), nil)))
+		expectErrIfCustomRand(t, errRet2(ecdsa.SignASN1(readerWrap{rand.Reader}, k, make([]byte, 32))))
+		expectErrIfCustomRand(t, errRet3(ecdsa.Sign(readerWrap{rand.Reader}, k, make([]byte, 32))))
+		expectNoErr(t, errRet2(k.Sign(rand.Reader, make([]byte, 32), nil)))
+		expectNoErr(t, errRet2(ecdsa.SignASN1(rand.Reader, k, make([]byte, 32))))
+		expectNoErr(t, errRet3(ecdsa.Sign(rand.Reader, k, make([]byte, 32))))
+
+		withNonApprovedHash(func(h crypto.Hash) {
+			expectErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h)))
+		})
+		withApprovedHash(func(h crypto.Hash) {
+			expectNoErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h)))
+		})
+	}
+	customCurve := &elliptic.CurveParams{Name: "custom", P: big.NewInt(1)}
+	expectErr(t, errRet2(ecdsa.GenerateKey(customCurve, rand.Reader)))
+
+	_, ed25519Key, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), crypto.Hash(0))))
+	expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), crypto.SHA512)))
+	// ed25519ctx is not allowed (but ed25519ph with context is).
+	expectErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), &ed25519.Options{
+		Context: "test",
+	})))
+	expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{
+		Hash: crypto.SHA512, Context: "test",
+	})))
+	expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{
+		Hash: crypto.SHA512,
+	})))
+
+	expectErr(t, errRet2(rsa.GenerateMultiPrimeKey(rand.Reader, 3, 2048)))
+	expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 1024)))
+	expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 2049)))
+	expectErrIfCustomRand(t, errRet2(rsa.GenerateKey(readerWrap{rand.Reader}, 2048)))
+	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	expectNoErr(t, err)
+
+	smallKey := parseKey(testingKey(`-----BEGIN RSA TESTING KEY-----
+MIICXQIBAAKBgQDMrln6XoAa3Rjts+kRi5obbP86qSf/562RcuDO+yMXeTLHfi4M
+8ubyhoFY+UKBCGBLmmTO7ikbvQgdipkT3xVkU8nM3XTW4sxrnw0X5QXsl4PGlMo0
+5UufxYyQxe7bbjuwFz2XnN6Jz4orpOfO0s36/KVHj9lZRl+REpr/Jy+nJQIDAQAB
+AoGAJ9WEwGO01cWSzOwXH2mGX/EKCQ4TsUuS7XwogU/B6BcXyVhmuPFq/ecsdDbq
+ePc62mvdU6JpELNsyWcIXKQtYsRgJHxNS+KJkCQIq6YeiAWRG0XL6q+qVj+HtT8a
+1Qrmul9ZBd23Y9wLF8pg/xWDQYvb8DPAb/xJ0e/KEBZcWU8CQQDXFCFCGpCfwyxY
+Cq8G/3B94D9UYwk5mK6jRIH5m8LbaX9bKKetf8+If8TWVgeuiRjjN4WEQ78lPoSg
+3Fsz2qs3AkEA85/JCudNUf2FnY+T6h1c/2SWekZiZ1NS4lCh/C7iYuAN3oa8zGkf
+gjjR5e0+Z8rUAcZkTukxyLLaNqy6rs9GgwJAVR6pXvEGhcQHe7yWso1LpvWl+q7L
+StkrXIBTdEb54j4pYhl/6wFnUB1I+I7JsYCeseYaWFM7hfDtKoCrM6V6FwJBANxh
+KmfmnJcSkw/YlaEuNrYAs+6gRNvbEBsRfba2Yqu2qlUl5Ruz7IDMDXPEjLMvU2DX
+ql2HrTU0NRlIXwdLESkCQQDGJ54H6WK1eE1YvtxCaLm28zmogcFlvc21pym+PpM1
+bXVL8iKLrG91IYQByUHZIn3WVAd2bfi4MfKagRt0ggd4
+-----END RSA TESTING KEY-----`))
+
+	expectNoErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256)))
+	expectErr(t, errRet2(smallKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256)))
+	expectErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 20), crypto.SHA1)))
+	// rand is always ignored for PKCS1v15 signing
+	expectNoErr(t, errRet2(rsaKey.Sign(readerWrap{rand.Reader}, make([]byte, 32), crypto.SHA256)))
+
+	sigPKCS1v15, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32))
+	expectNoErr(t, err)
+	expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32))))
+	expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20))))
+	// rand is always ignored for PKCS1v15 signing
+	expectNoErr(t, errRet2(rsa.SignPKCS1v15(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32))))
+
+	expectNoErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15))
+	expectErr(t, rsa.VerifyPKCS1v15(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15))
+	expectErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPKCS1v15))
+
+	sigPSS, err := rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32), nil)
+	expectNoErr(t, err)
+	expectErr(t, errRet2(rsa.SignPSS(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32), nil)))
+	expectErr(t, errRet2(rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20), nil)))
+	expectErr(t, errRet2(rsa.SignPSS(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32), nil)))
+
+	expectNoErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil))
+	expectErr(t, rsa.VerifyPSS(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil))
+	expectErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPSS, nil))
+
+	k, err := mlkem.GenerateKey768()
+	expectNoErr(t, err)
+	expectErr(t, errRet3(mlkemtest.Encapsulate768(k.EncapsulationKey(), make([]byte, 32))))
+	k1024, err := mlkem.GenerateKey1024()
+	expectNoErr(t, err)
+	expectErr(t, errRet3(mlkemtest.Encapsulate1024(k1024.EncapsulationKey(), make([]byte, 32))))
+
+	for _, kem := range []hpke.KEM{
+		hpke.DHKEM(ecdh.P256()),
+		hpke.DHKEM(ecdh.P384()),
+		hpke.DHKEM(ecdh.P521()),
+		hpke.MLKEM768(),
+		hpke.MLKEM1024(),
+		hpke.MLKEM768P256(),
+		hpke.MLKEM1024P384(),
+		hpke.MLKEM768X25519(), // allowed as hybrid
+	} {
+		t.Run(fmt.Sprintf("HKPE KEM %04x", kem.ID()), func(t *testing.T) {
+			k, err := kem.GenerateKey()
+			expectNoErr(t, err)
+			expectNoErr(t, errRet2(kem.DeriveKeyPair(make([]byte, 64))))
+			kb, err := k.Bytes()
+			expectNoErr(t, err)
+			expectNoErr(t, errRet2(kem.NewPrivateKey(kb)))
+			expectNoErr(t, errRet2(kem.NewPublicKey(k.PublicKey().Bytes())))
+			if fips140.Version() == "v1.0.0" {
+				t.Skip("FIPS 140-3 Module v1.0.0 does not provide HPKE GCM modes")
+			}
+			c, err := hpke.Seal(k.PublicKey(), hpke.HKDFSHA256(), hpke.AES128GCM(), nil, nil)
+			expectNoErr(t, err)
+			_, err = hpke.Open(k, hpke.HKDFSHA256(), hpke.AES128GCM(), nil, c)
+			expectNoErr(t, err)
+		})
+	}
+	expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).GenerateKey()))
+	expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).DeriveKeyPair(make([]byte, 64))))
+	expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPrivateKey(make([]byte, 32))))
+	expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPublicKey(make([]byte, 32))))
+	hpkeK, err := hpke.MLKEM768().GenerateKey()
+	expectNoErr(t, err)
+	expectErr(t, errRet2(hpke.Seal(hpkeK.PublicKey(), hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, nil)))
+	expectErr(t, errRet2(hpke.Open(hpkeK, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, make([]byte, 2000))))
+
+	// fips140=only mode should prevent any operation that would make the FIPS
+	// 140-3 module set its service indicator to false.
+	if !fips140.ServiceIndicator() {
+		t.Errorf("service indicator not set")
+	}
+}
+
+type blockWrap struct {
+	cipher.Block
+}
+
+type readerWrap struct {
+	io.Reader
+}
+
+func withApprovedHash(f func(crypto.Hash)) {
+	f(crypto.SHA224)
+	f(crypto.SHA256)
+	f(crypto.SHA384)
+	f(crypto.SHA512)
+	f(crypto.SHA3_224)
+	f(crypto.SHA3_256)
+	f(crypto.SHA3_384)
+	f(crypto.SHA3_512)
+	f(crypto.SHA512_224)
+	f(crypto.SHA512_256)
+}
+
+func withNonApprovedHash(f func(crypto.Hash)) {
+	f(crypto.MD5)
+	f(crypto.SHA1)
+}
+
+func expectPanic(t *testing.T, f func()) {
+	t.Helper()
+	defer func() {
+		t.Helper()
+		if err := recover(); err == nil {
+			t.Errorf("expected panic")
+		} else {
+			if s, ok := err.(string); !ok || !strings.Contains(s, "FIPS 140-only") {
+				t.Errorf("unexpected panic: %v", err)
+			}
+		}
+	}()
+	f()
+}
+
+var cryptocustomrand = godebug.New("cryptocustomrand")
+
+func expectErr(t *testing.T, err error) {
+	t.Helper()
+	if err == nil {
+		t.Errorf("expected error")
+	} else if !strings.Contains(err.Error(), "FIPS 140-only") {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func expectNoErr(t *testing.T, err error) {
+	t.Helper()
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+}
+
+func expectErrIfCustomRand(t *testing.T, err error) {
+	t.Helper()
+	if cryptocustomrand.Value() == "1" {
+		expectErr(t, err)
+	} else {
+		expectNoErr(t, err)
+	}
+}
+
+func errRet2[T any](_ T, err error) error {
+	return err
+}
+
+func errRet3[T any](_, _ T, err error) error {
+	return err
+}
+
+func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
+
+func parseKey(s string) *rsa.PrivateKey {
+	p, _ := pem.Decode([]byte(s))
+	k, err := x509.ParsePKCS1PrivateKey(p.Bytes)
+	if err != nil {
+		panic(err)
+	}
+	return k
+}