crypto/md5,crypto/sha1: apply fips140=only to Write and Sum, not New

New is called to get a Hash which can then be rejected with an error
(instead of a panic) from fips140only.ApprovedHash.

Also, it's reasonable to call New().Size() and then not use the hash.

Change-Id: I6a6a4656c43528d169c4b28c8b6de48448236d4f
Reviewed-on: https://go-review.googlesource.com/c/go/+/641317
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

diff --git a/src/crypto/md5/md5.go b/src/crypto/md5/md5.go
index 75e1fc7404724a8ce233ea496e48e6142a1a57e2..a0384e175f31bdb6215d610d8edfb954b46397a3 100644 (file)
--- a/src/crypto/md5/md5.go
+++ b/src/crypto/md5/md5.go
@@ -104,9 +104,6 @@ func consumeUint32(b []byte) ([]byte, uint32) {
 // [encoding.BinaryUnmarshaler] to marshal and unmarshal the internal
 // state of the hash.
 func New() hash.Hash {
-       if fips140only.Enabled {
-               panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
-       }
        d := new(digest)
        d.Reset()
        return d
@@ -117,6 +114,9 @@ func (d *digest) Size() int { return Size }
 func (d *digest) BlockSize() int { return BlockSize }
 
 func (d *digest) Write(p []byte) (nn int, err error) {
+       if fips140only.Enabled {
+               return 0, errors.New("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
+       }
        // Note that we currently call block or blockGeneric
        // directly (guarded using haveAsm) because this allows
        // escape analysis to see that p and d don't escape.
@@ -158,6 +158,10 @@ func (d *digest) Sum(in []byte) []byte {
 }
 
 func (d *digest) checkSum() [Size]byte {
+       if fips140only.Enabled {
+               panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
+       }
+
        // Append 0x80 to the end of the message and then append zeros
        // until the length is a multiple of 56 bytes. Finally append
        // 8 bytes representing the message length in bits.
@@ -184,9 +188,6 @@ func (d *digest) checkSum() [Size]byte {
 
 // Sum returns the MD5 checksum of the data.
 func Sum(data []byte) [Size]byte {
-       if fips140only.Enabled {
-               panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
-       }
        var d digest
        d.Reset()
        d.Write(data)

diff --git a/src/crypto/sha1/sha1.go b/src/crypto/sha1/sha1.go
index b799f0d2fb154886877c800214abd5b3e06ebfd8..d2ffaac0aeb674cf4065934b5763cb5ab0c63277 100644 (file)
--- a/src/crypto/sha1/sha1.go
+++ b/src/crypto/sha1/sha1.go
@@ -111,9 +111,6 @@ func New() hash.Hash {
        if boring.Enabled {
                return boring.NewSHA1()
        }
-       if fips140only.Enabled {
-               panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode")
-       }
        d := new(digest)
        d.Reset()
        return d
@@ -124,6 +121,9 @@ func (d *digest) Size() int { return Size }
 func (d *digest) BlockSize() int { return BlockSize }
 
 func (d *digest) Write(p []byte) (nn int, err error) {
+       if fips140only.Enabled {
+               return 0, errors.New("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+       }
        boring.Unreachable()
        nn = len(p)
        d.len += uint64(nn)
@@ -156,6 +156,10 @@ func (d *digest) Sum(in []byte) []byte {
 }
 
 func (d *digest) checkSum() [Size]byte {
+       if fips140only.Enabled {
+               panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+       }
+
        len := d.len
        // Padding.  Add a 1 bit and 0 bits until 56 bytes mod 64.
        var tmp [64 + 8]byte // padding + length buffer
@@ -196,6 +200,10 @@ func (d *digest) ConstantTimeSum(in []byte) []byte {
 }
 
 func (d *digest) constSum() [Size]byte {
+       if fips140only.Enabled {
+               panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+       }
+
        var length [8]byte
        l := d.len << 3
        for i := uint(0); i < 8; i++ {
@@ -262,7 +270,7 @@ func Sum(data []byte) [Size]byte {
                return boring.SHA1(data)
        }
        if fips140only.Enabled {
-               panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode")
+               panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
        }
        var d digest
        d.Reset()