Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: test fips140=only mode #70514

Open
FiloSottile opened this issue Nov 22, 2024 · 4 comments
Open

crypto: test fips140=only mode #70514

FiloSottile opened this issue Nov 22, 2024 · 4 comments
Assignees
@FiloSottile
Labels
NeedsFix The path to resolution is known, but the work has not been done. Testing An issue that has been verified to require only test changes, not just a test failure.
Milestone
Go1.25

Comments

@FiloSottile
Copy link
Contributor

fips140=only from #70123 breaks any non-FIPS cryptography. Testing a mode designed to break things is tricky.

Running the whole test suite is prohibitive. Instead, we should probably write a dedicated test that goes through things that are expected to work, and things that are not expected to work.
@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Nov 22, 2024
@FiloSottile FiloSottile added this to the Go1.24 milestone Nov 22, 2024
@FiloSottile FiloSottile self-assigned this Nov 22, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/631018 mentions this issue: crypto: implement fips140=only mode

@gabyhelp
Copy link

Related Code Changes

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@dmitshur dmitshur added the Testing An issue that has been verified to require only test changes, not just a test failure. label Nov 22, 2024
gopherbot pushed a commit that referenced this issue Nov 22, 2024
@FiloSottile @gopherbot
crypto: implement fips140=only mode
b299e9a 
Running the test suite in this mode is definitely not an option. Testing
this will probably look like a very long test that tries all functions.
Filed #70514 to track the tests.

For #70123

Change-Id: I6f67de83da37dd1e94e620b7f4f4f6aabe040c41
Reviewed-on: https://go-review.googlesource.com/c/go/+/631018
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
aravindhkudiyarasan pushed a commit to aravindhkudiyarasan/google-go-fips that referenced this issue Dec 11, 2024
@FiloSottile @AravindhKudiyarasan-ET
crypto: implement fips140=only mode
b2df703 
Running the test suite in this mode is definitely not an option. Testing
this will probably look like a very long test that tries all functions.
Filed golang#70514 to track the tests.

For golang#70123

Change-Id: I6f67de83da37dd1e94e620b7f4f4f6aabe040c41
Reviewed-on: https://go-review.googlesource.com/c/go/+/631018
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/639196 mentions this issue: cmd/go: disable fips140=only during test binary compilation

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/641096 mentions this issue: cmd/internal/hash: stop using md5, sha1

gopherbot pushed a commit that referenced this issue Jan 7, 2025
@rsc @gopherbot
cmd/internal/hash: stop using md5, sha1
b2aa18b 
These break if the tools are run with GODEBUG=fips140=only,
which happens if someone sets that during 'go test' (and a test
binary must be built).

The easiest fix is to make the tools compatible with this GODEBUG
by just using sha256 as the underlying hash always. Just in case,
I made the wrappers select different sections of the hash, but
none of the call sites really care.

This CL is for the Go 1.24 release, but a follow-up during the Go 1.25
dev cycle could change all the usage sites to only use Sum32/New32.

For #70514
Fixes #70878

Change-Id: Id5fea779c83df51d1680dbe561e0949c56e8d1e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/641096
Reviewed-by: Keith Randall <khr@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@google.com>
wyf9661 pushed a commit to wyf9661/go that referenced this issue Jan 21, 2025
@rsc @wyf9661
cmd/internal/hash: stop using md5, sha1
34ae364 
These break if the tools are run with GODEBUG=fips140=only,
which happens if someone sets that during 'go test' (and a test
binary must be built).

The easiest fix is to make the tools compatible with this GODEBUG
by just using sha256 as the underlying hash always. Just in case,
I made the wrappers select different sections of the hash, but
none of the call sites really care.

This CL is for the Go 1.24 release, but a follow-up during the Go 1.25
dev cycle could change all the usage sites to only use Sum32/New32.

For golang#70514
Fixes golang#70878

Change-Id: Id5fea779c83df51d1680dbe561e0949c56e8d1e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/641096
Reviewed-by: Keith Randall <khr@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@google.com>
@gopherbot gopherbot modified the milestones: Go1.24, Go1.25 Feb 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FiloSottile FiloSottile

Labels
NeedsFix The path to resolution is known, but the work has not been done. Testing An issue that has been verified to require only test changes, not just a test failure.
Projects
None yet
Milestone
Go1.25
Development

No branches or pull requests
4 participants
@FiloSottile @dmitshur @gopherbot @gabyhelp