// Copyright 2025 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package fips140only_test import ( "crypto" "crypto/aes" "crypto/cipher" "crypto/des" "crypto/dsa" "crypto/ecdh" "crypto/ecdsa" "crypto/ed25519" "crypto/elliptic" "crypto/hkdf" "crypto/hmac" "crypto/hpke" "crypto/internal/cryptotest" "crypto/internal/fips140" "crypto/internal/fips140only" "crypto/md5" "crypto/mlkem" "crypto/mlkem/mlkemtest" "crypto/pbkdf2" "crypto/rand" "crypto/rc4" "crypto/rsa" "crypto/sha1" "crypto/sha256" _ "crypto/sha3" _ "crypto/sha512" "crypto/x509" "encoding/pem" "fmt" "internal/godebug" "internal/testenv" "io" "math/big" "os" "strings" "testing" "golang.org/x/crypto/chacha20poly1305" ) func TestFIPS140Only(t *testing.T) { cryptotest.MustSupportFIPS140(t) if !fips140only.Enforced() { cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestFIPS140Only$", "-test.v") cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only") out, err := cmd.CombinedOutput() t.Logf("running with GODEBUG=fips140=only:\n%s", out) if err != nil { t.Errorf("fips140=only subprocess failed: %v", err) } return } t.Run("cryptocustomrand=0", func(t *testing.T) { t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=0") testFIPS140Only(t) }) t.Run("cryptocustomrand=1", func(t *testing.T) { t.Setenv("GODEBUG", os.Getenv("GODEBUG")+",cryptocustomrand=1") testFIPS140Only(t) }) } func testFIPS140Only(t *testing.T) { if !fips140only.Enforced() { t.Fatal("FIPS 140-only mode not enforced") } t.Logf("GODEBUG=fips140=only enabled") fips140.ResetServiceIndicator() aesBlock, err := aes.NewCipher(make([]byte, 16)) if err != nil { t.Fatal(err) } notAESBlock := blockWrap{aesBlock} iv := make([]byte, aes.BlockSize) cipher.NewCBCEncrypter(aesBlock, iv) expectPanic(t, func() { cipher.NewCBCEncrypter(notAESBlock, iv) }) cipher.NewCBCDecrypter(aesBlock, iv) expectPanic(t, func() { cipher.NewCBCDecrypter(notAESBlock, iv) }) expectPanic(t, func() { cipher.NewCFBEncrypter(aesBlock, iv) }) expectPanic(t, func() { cipher.NewCFBDecrypter(aesBlock, iv) }) cipher.NewCTR(aesBlock, iv) expectPanic(t, func() { cipher.NewCTR(notAESBlock, iv) }) expectPanic(t, func() { cipher.NewOFB(aesBlock, iv) }) expectErr(t, errRet2(cipher.NewGCM(aesBlock))) expectErr(t, errRet2(cipher.NewGCMWithNonceSize(aesBlock, 12))) expectErr(t, errRet2(cipher.NewGCMWithTagSize(aesBlock, 12))) expectNoErr(t, errRet2(cipher.NewGCMWithRandomNonce(aesBlock))) expectErr(t, errRet2(des.NewCipher(make([]byte, 8)))) expectErr(t, errRet2(des.NewTripleDESCipher(make([]byte, 24)))) expectErr(t, errRet2(rc4.NewCipher(make([]byte, 16)))) expectErr(t, errRet2(chacha20poly1305.New(make([]byte, chacha20poly1305.KeySize)))) expectErr(t, errRet2(chacha20poly1305.NewX(make([]byte, chacha20poly1305.KeySize)))) expectPanic(t, func() { md5.New().Sum(nil) }) expectErr(t, errRet2(md5.New().Write(make([]byte, 16)))) expectPanic(t, func() { md5.Sum([]byte("foo")) }) expectPanic(t, func() { sha1.New().Sum(nil) }) expectErr(t, errRet2(sha1.New().Write(make([]byte, 16)))) expectPanic(t, func() { sha1.Sum([]byte("foo")) }) withApprovedHash(func(h crypto.Hash) { h.New().Sum(nil) }) withNonApprovedHash(func(h crypto.Hash) { expectPanic(t, func() { h.New().Sum(nil) }) }) expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 16), 1, 10))) expectErr(t, errRet2(pbkdf2.Key(sha256.New, "password", make([]byte, 10), 1, 14))) withNonApprovedHash(func(h crypto.Hash) { expectErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14))) }) withApprovedHash(func(h crypto.Hash) { expectNoErr(t, errRet2(pbkdf2.Key(h.New, "password", make([]byte, 16), 1, 14))) }) expectPanic(t, func() { hmac.New(sha256.New, make([]byte, 10)) }) withNonApprovedHash(func(h crypto.Hash) { expectPanic(t, func() { hmac.New(h.New, make([]byte, 16)) }) }) withApprovedHash(func(h crypto.Hash) { hmac.New(h.New, make([]byte, 16)) }) expectErr(t, errRet2(hkdf.Key(sha256.New, make([]byte, 10), nil, "", 16))) withNonApprovedHash(func(h crypto.Hash) { expectErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16))) }) withApprovedHash(func(h crypto.Hash) { expectNoErr(t, errRet2(hkdf.Key(h.New, make([]byte, 16), nil, "", 16))) }) expectErr(t, errRet2(hkdf.Extract(sha256.New, make([]byte, 10), nil))) withNonApprovedHash(func(h crypto.Hash) { expectErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil))) }) withApprovedHash(func(h crypto.Hash) { expectNoErr(t, errRet2(hkdf.Extract(h.New, make([]byte, 16), nil))) }) expectErr(t, errRet2(hkdf.Expand(sha256.New, make([]byte, 10), "", 16))) withNonApprovedHash(func(h crypto.Hash) { expectErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16))) }) withApprovedHash(func(h crypto.Hash) { expectNoErr(t, errRet2(hkdf.Expand(h.New, make([]byte, 16), "", 16))) }) expectErr(t, errRet2(rand.Prime(rand.Reader, 10))) expectErr(t, dsa.GenerateParameters(&dsa.Parameters{}, rand.Reader, dsa.L1024N160)) expectErr(t, dsa.GenerateKey(&dsa.PrivateKey{}, rand.Reader)) expectErr(t, errRet3(dsa.Sign(rand.Reader, &dsa.PrivateKey{}, make([]byte, 16)))) expectPanic(t, func() { dsa.Verify(&dsa.PublicKey{}, make([]byte, 16), big.NewInt(1), big.NewInt(1)) }) expectErr(t, errRet2(ecdh.X25519().GenerateKey(rand.Reader))) expectErr(t, errRet2(ecdh.X25519().NewPrivateKey(make([]byte, 32)))) expectErr(t, errRet2(ecdh.X25519().NewPublicKey(make([]byte, 32)))) for _, curve := range []ecdh.Curve{ecdh.P256(), ecdh.P384(), ecdh.P521()} { expectErrIfCustomRand(t, errRet2(curve.GenerateKey(readerWrap{rand.Reader}))) k, err := curve.GenerateKey(rand.Reader) if err != nil { t.Fatal(err) } expectNoErr(t, errRet2(curve.NewPrivateKey(k.Bytes()))) expectNoErr(t, errRet2(curve.NewPublicKey(k.PublicKey().Bytes()))) } for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} { expectErrIfCustomRand(t, errRet2(ecdsa.GenerateKey(curve, readerWrap{rand.Reader}))) k, err := ecdsa.GenerateKey(curve, rand.Reader) if err != nil { t.Fatal(err) } expectErrIfCustomRand(t, errRet2(k.Sign(readerWrap{rand.Reader}, make([]byte, 32), nil))) expectErrIfCustomRand(t, errRet2(ecdsa.SignASN1(readerWrap{rand.Reader}, k, make([]byte, 32)))) expectErrIfCustomRand(t, errRet3(ecdsa.Sign(readerWrap{rand.Reader}, k, make([]byte, 32)))) expectNoErr(t, errRet2(k.Sign(rand.Reader, make([]byte, 32), nil))) expectNoErr(t, errRet2(ecdsa.SignASN1(rand.Reader, k, make([]byte, 32)))) expectNoErr(t, errRet3(ecdsa.Sign(rand.Reader, k, make([]byte, 32)))) withNonApprovedHash(func(h crypto.Hash) { expectErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h))) }) withApprovedHash(func(h crypto.Hash) { expectNoErr(t, errRet2(k.Sign(nil, make([]byte, h.Size()), h))) }) } customCurve := &elliptic.CurveParams{Name: "custom", P: big.NewInt(1)} expectErr(t, errRet2(ecdsa.GenerateKey(customCurve, rand.Reader))) _, ed25519Key, err := ed25519.GenerateKey(rand.Reader) if err != nil { t.Fatal(err) } expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), crypto.Hash(0)))) expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), crypto.SHA512))) // ed25519ctx is not allowed (but ed25519ph with context is). expectErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 32), &ed25519.Options{ Context: "test", }))) expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{ Hash: crypto.SHA512, Context: "test", }))) expectNoErr(t, errRet2(ed25519Key.Sign(nil, make([]byte, 64), &ed25519.Options{ Hash: crypto.SHA512, }))) expectErr(t, errRet2(rsa.GenerateMultiPrimeKey(rand.Reader, 3, 2048))) expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 1024))) expectErr(t, errRet2(rsa.GenerateKey(rand.Reader, 2049))) expectErrIfCustomRand(t, errRet2(rsa.GenerateKey(readerWrap{rand.Reader}, 2048))) rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) expectNoErr(t, err) smallKey := parseKey(testingKey(`-----BEGIN RSA TESTING KEY----- MIICXQIBAAKBgQDMrln6XoAa3Rjts+kRi5obbP86qSf/562RcuDO+yMXeTLHfi4M 8ubyhoFY+UKBCGBLmmTO7ikbvQgdipkT3xVkU8nM3XTW4sxrnw0X5QXsl4PGlMo0 5UufxYyQxe7bbjuwFz2XnN6Jz4orpOfO0s36/KVHj9lZRl+REpr/Jy+nJQIDAQAB AoGAJ9WEwGO01cWSzOwXH2mGX/EKCQ4TsUuS7XwogU/B6BcXyVhmuPFq/ecsdDbq ePc62mvdU6JpELNsyWcIXKQtYsRgJHxNS+KJkCQIq6YeiAWRG0XL6q+qVj+HtT8a 1Qrmul9ZBd23Y9wLF8pg/xWDQYvb8DPAb/xJ0e/KEBZcWU8CQQDXFCFCGpCfwyxY Cq8G/3B94D9UYwk5mK6jRIH5m8LbaX9bKKetf8+If8TWVgeuiRjjN4WEQ78lPoSg 3Fsz2qs3AkEA85/JCudNUf2FnY+T6h1c/2SWekZiZ1NS4lCh/C7iYuAN3oa8zGkf gjjR5e0+Z8rUAcZkTukxyLLaNqy6rs9GgwJAVR6pXvEGhcQHe7yWso1LpvWl+q7L StkrXIBTdEb54j4pYhl/6wFnUB1I+I7JsYCeseYaWFM7hfDtKoCrM6V6FwJBANxh KmfmnJcSkw/YlaEuNrYAs+6gRNvbEBsRfba2Yqu2qlUl5Ruz7IDMDXPEjLMvU2DX ql2HrTU0NRlIXwdLESkCQQDGJ54H6WK1eE1YvtxCaLm28zmogcFlvc21pym+PpM1 bXVL8iKLrG91IYQByUHZIn3WVAd2bfi4MfKagRt0ggd4 -----END RSA TESTING KEY-----`)) expectNoErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256))) expectErr(t, errRet2(smallKey.Sign(rand.Reader, make([]byte, 32), crypto.SHA256))) expectErr(t, errRet2(rsaKey.Sign(rand.Reader, make([]byte, 20), crypto.SHA1))) // rand is always ignored for PKCS1v15 signing expectNoErr(t, errRet2(rsaKey.Sign(readerWrap{rand.Reader}, make([]byte, 32), crypto.SHA256))) sigPKCS1v15, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32)) expectNoErr(t, err) expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32)))) expectErr(t, errRet2(rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20)))) // rand is always ignored for PKCS1v15 signing expectNoErr(t, errRet2(rsa.SignPKCS1v15(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32)))) expectNoErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15)) expectErr(t, rsa.VerifyPKCS1v15(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPKCS1v15)) expectErr(t, rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPKCS1v15)) sigPSS, err := rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA256, make([]byte, 32), nil) expectNoErr(t, err) expectErr(t, errRet2(rsa.SignPSS(rand.Reader, smallKey, crypto.SHA256, make([]byte, 32), nil))) expectErr(t, errRet2(rsa.SignPSS(rand.Reader, rsaKey, crypto.SHA1, make([]byte, 20), nil))) expectErr(t, errRet2(rsa.SignPSS(readerWrap{rand.Reader}, rsaKey, crypto.SHA256, make([]byte, 32), nil))) expectNoErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil)) expectErr(t, rsa.VerifyPSS(&smallKey.PublicKey, crypto.SHA256, make([]byte, 32), sigPSS, nil)) expectErr(t, rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA1, make([]byte, 20), sigPSS, nil)) k, err := mlkem.GenerateKey768() expectNoErr(t, err) expectErr(t, errRet3(mlkemtest.Encapsulate768(k.EncapsulationKey(), make([]byte, 32)))) k1024, err := mlkem.GenerateKey1024() expectNoErr(t, err) expectErr(t, errRet3(mlkemtest.Encapsulate1024(k1024.EncapsulationKey(), make([]byte, 32)))) for _, kem := range []hpke.KEM{ hpke.DHKEM(ecdh.P256()), hpke.DHKEM(ecdh.P384()), hpke.DHKEM(ecdh.P521()), hpke.MLKEM768(), hpke.MLKEM1024(), hpke.MLKEM768P256(), hpke.MLKEM1024P384(), hpke.MLKEM768X25519(), // allowed as hybrid } { t.Run(fmt.Sprintf("HKPE KEM %04x", kem.ID()), func(t *testing.T) { k, err := kem.GenerateKey() expectNoErr(t, err) expectNoErr(t, errRet2(kem.DeriveKeyPair(make([]byte, 64)))) kb, err := k.Bytes() expectNoErr(t, err) expectNoErr(t, errRet2(kem.NewPrivateKey(kb))) expectNoErr(t, errRet2(kem.NewPublicKey(k.PublicKey().Bytes()))) if fips140.Version() == "v1.0.0" { t.Skip("FIPS 140-3 Module v1.0.0 does not provide HPKE GCM modes") } c, err := hpke.Seal(k.PublicKey(), hpke.HKDFSHA256(), hpke.AES128GCM(), nil, nil) expectNoErr(t, err) _, err = hpke.Open(k, hpke.HKDFSHA256(), hpke.AES128GCM(), nil, c) expectNoErr(t, err) }) } expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).GenerateKey())) expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).DeriveKeyPair(make([]byte, 64)))) expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPrivateKey(make([]byte, 32)))) expectErr(t, errRet2(hpke.DHKEM(ecdh.X25519()).NewPublicKey(make([]byte, 32)))) hpkeK, err := hpke.MLKEM768().GenerateKey() expectNoErr(t, err) expectErr(t, errRet2(hpke.Seal(hpkeK.PublicKey(), hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, nil))) expectErr(t, errRet2(hpke.Open(hpkeK, hpke.HKDFSHA256(), hpke.ChaCha20Poly1305(), nil, make([]byte, 2000)))) // fips140=only mode should prevent any operation that would make the FIPS // 140-3 module set its service indicator to false. if !fips140.ServiceIndicator() { t.Errorf("service indicator not set") } } type blockWrap struct { cipher.Block } type readerWrap struct { io.Reader } func withApprovedHash(f func(crypto.Hash)) { f(crypto.SHA224) f(crypto.SHA256) f(crypto.SHA384) f(crypto.SHA512) f(crypto.SHA3_224) f(crypto.SHA3_256) f(crypto.SHA3_384) f(crypto.SHA3_512) f(crypto.SHA512_224) f(crypto.SHA512_256) } func withNonApprovedHash(f func(crypto.Hash)) { f(crypto.MD5) f(crypto.SHA1) } func expectPanic(t *testing.T, f func()) { t.Helper() defer func() { t.Helper() if err := recover(); err == nil { t.Errorf("expected panic") } else { if s, ok := err.(string); !ok || !strings.Contains(s, "FIPS 140-only") { t.Errorf("unexpected panic: %v", err) } } }() f() } var cryptocustomrand = godebug.New("cryptocustomrand") func expectErr(t *testing.T, err error) { t.Helper() if err == nil { t.Errorf("expected error") } else if !strings.Contains(err.Error(), "FIPS 140-only") { t.Errorf("unexpected error: %v", err) } } func expectNoErr(t *testing.T, err error) { t.Helper() if err != nil { t.Errorf("unexpected error: %v", err) } } func expectErrIfCustomRand(t *testing.T, err error) { t.Helper() if cryptocustomrand.Value() == "1" { expectErr(t, err) } else { expectNoErr(t, err) } } func errRet2[T any](_ T, err error) error { return err } func errRet3[T any](_, _ T, err error) error { return err } func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } func parseKey(s string) *rsa.PrivateKey { p, _ := pem.Decode([]byte(s)) k, err := x509.ParsePKCS1PrivateKey(p.Bytes) if err != nil { panic(err) } return k }