From: Filippo Valsorda Date: Mon, 6 Jan 2025 17:49:45 +0000 (+0100) Subject: crypto/md5,crypto/sha1: apply fips140=only to Write and Sum, not New X-Git-Tag: go1.24rc3~2^2~63 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=54693a81fd605a9c1abbee83da072c61e38d3ebf;p=gostls13.git crypto/md5,crypto/sha1: apply fips140=only to Write and Sum, not New New is called to get a Hash which can then be rejected with an error (instead of a panic) from fips140only.ApprovedHash. Also, it's reasonable to call New().Size() and then not use the hash. Change-Id: I6a6a4656c43528d169c4b28c8b6de48448236d4f Reviewed-on: https://go-review.googlesource.com/c/go/+/641317 Auto-Submit: Filippo Valsorda Reviewed-by: Daniel McCarney Reviewed-by: Russ Cox Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI --- diff --git a/src/crypto/md5/md5.go b/src/crypto/md5/md5.go index 75e1fc7404..a0384e175f 100644 --- a/src/crypto/md5/md5.go +++ b/src/crypto/md5/md5.go @@ -104,9 +104,6 @@ func consumeUint32(b []byte) ([]byte, uint32) { // [encoding.BinaryUnmarshaler] to marshal and unmarshal the internal // state of the hash. func New() hash.Hash { - if fips140only.Enabled { - panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode") - } d := new(digest) d.Reset() return d @@ -117,6 +114,9 @@ func (d *digest) Size() int { return Size } func (d *digest) BlockSize() int { return BlockSize } func (d *digest) Write(p []byte) (nn int, err error) { + if fips140only.Enabled { + return 0, errors.New("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode") + } // Note that we currently call block or blockGeneric // directly (guarded using haveAsm) because this allows // escape analysis to see that p and d don't escape. @@ -158,6 +158,10 @@ func (d *digest) Sum(in []byte) []byte { } func (d *digest) checkSum() [Size]byte { + if fips140only.Enabled { + panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode") + } + // Append 0x80 to the end of the message and then append zeros // until the length is a multiple of 56 bytes. Finally append // 8 bytes representing the message length in bits. @@ -184,9 +188,6 @@ func (d *digest) checkSum() [Size]byte { // Sum returns the MD5 checksum of the data. func Sum(data []byte) [Size]byte { - if fips140only.Enabled { - panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode") - } var d digest d.Reset() d.Write(data) diff --git a/src/crypto/sha1/sha1.go b/src/crypto/sha1/sha1.go index b799f0d2fb..d2ffaac0ae 100644 --- a/src/crypto/sha1/sha1.go +++ b/src/crypto/sha1/sha1.go @@ -111,9 +111,6 @@ func New() hash.Hash { if boring.Enabled { return boring.NewSHA1() } - if fips140only.Enabled { - panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode") - } d := new(digest) d.Reset() return d @@ -124,6 +121,9 @@ func (d *digest) Size() int { return Size } func (d *digest) BlockSize() int { return BlockSize } func (d *digest) Write(p []byte) (nn int, err error) { + if fips140only.Enabled { + return 0, errors.New("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode") + } boring.Unreachable() nn = len(p) d.len += uint64(nn) @@ -156,6 +156,10 @@ func (d *digest) Sum(in []byte) []byte { } func (d *digest) checkSum() [Size]byte { + if fips140only.Enabled { + panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode") + } + len := d.len // Padding. Add a 1 bit and 0 bits until 56 bytes mod 64. var tmp [64 + 8]byte // padding + length buffer @@ -196,6 +200,10 @@ func (d *digest) ConstantTimeSum(in []byte) []byte { } func (d *digest) constSum() [Size]byte { + if fips140only.Enabled { + panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode") + } + var length [8]byte l := d.len << 3 for i := uint(0); i < 8; i++ { @@ -262,7 +270,7 @@ func Sum(data []byte) [Size]byte { return boring.SHA1(data) } if fips140only.Enabled { - panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode") + panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode") } var d digest d.Reset()