From: Filippo Valsorda <filippo@golang.org>
Date: Sun, 10 Nov 2024 14:04:48 +0000 (+0100)
Subject: crypto/internal/fips: disable CASTs if FIPS mode is not enabled
X-Git-Tag: go1.24rc1~243
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=791d9827be8675c70ccd7cfeb0bf42406027e0db;p=gostls13.git

crypto/internal/fips: disable CASTs if FIPS mode is not enabled

Change-Id: Idabfe29e16d9ae6da7fbb078f9738bb4a7c5347b
Reviewed-on: https://go-review.googlesource.com/c/go/+/626935
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
---

diff --git a/src/crypto/internal/fips/cast.go b/src/crypto/internal/fips/cast.go
index 7ab86e6d7d..17c92c1c3e 100644
--- a/src/crypto/internal/fips/cast.go
+++ b/src/crypto/internal/fips/cast.go
@@ -24,9 +24,9 @@ var failfipscast = godebug.New("#failfipscast")
 // testingOnlyCASTHook is called during tests with each CAST name.
 var testingOnlyCASTHook func(string)
 
-// CAST runs the named Cryptographic Algorithm Self-Test (if compiled and
-// operated in FIPS mode) and aborts the program (stopping the module
-// input/output and entering the "error state") if the self-test fails.
+// CAST runs the named Cryptographic Algorithm Self-Test (if operated in FIPS
+// mode) and aborts the program (stopping the module input/output and entering
+// the "error state") if the self-test fails.
 //
 // These are mandatory self-checks that must be performed by FIPS 140-3 modules
 // before the algorithm is used. See Implementation Guidance 10.3.A.
@@ -41,6 +41,9 @@ func CAST(name string, f func() error) {
 	if testingOnlyCASTHook != nil {
 		testingOnlyCASTHook(name)
 	}
+	if !Enabled {
+		return
+	}
 
 	err := f()
 	if failfipscast.Value() != "" && strings.Contains(name, failfipscast.Value()) {
diff --git a/src/crypto/internal/fips/cast_external_test.go b/src/crypto/internal/fips/cast_external_test.go
index 2698f9a9d8..3c5007ff8d 100644
--- a/src/crypto/internal/fips/cast_external_test.go
+++ b/src/crypto/internal/fips/cast_external_test.go
@@ -29,8 +29,10 @@ func TestCAST(t *testing.T) {
 		t.Errorf("no CASTs to test")
 	}
 
-	for _, name := range fips.AllCASTs {
-		t.Logf("CAST %s completed successfully", name)
+	if fips.Enabled {
+		for _, name := range fips.AllCASTs {
+			t.Logf("CAST %s completed successfully", name)
+		}
 	}
 
 	t.Run("SimulateFailures", func(t *testing.T) {
@@ -40,7 +42,7 @@ func TestCAST(t *testing.T) {
 				t.Parallel()
 				cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestCAST", "-test.v")
 				cmd = testenv.CleanCmdEnv(cmd)
-				cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s", name))
+				cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
 				out, err := cmd.CombinedOutput()
 				if err == nil {
 					t.Error(err)
diff --git a/src/crypto/internal/fips/fips.go b/src/crypto/internal/fips/fips.go
index 8a20a761da..e7628beac2 100644
--- a/src/crypto/internal/fips/fips.go
+++ b/src/crypto/internal/fips/fips.go
@@ -6,4 +6,11 @@ package fips
 
 import "internal/godebug"
 
-var Enabled = godebug.New("#fips140").Value() == "on"
+var Enabled bool
+
+func init() {
+	switch godebug.New("#fips140").Value() {
+	case "on", "debug", "only":
+		Enabled = true
+	}
+}