Open manistal opened 6 months ago
That is correct, indeed. Without the change, PCT and public key validation check as in SP800 56A rev3 are not performed under OpenSSL 3. I guess we should backport it to the 1.21 branch. @dbenoit17 what do you think?
Sgtm, thanks!
Ran into this issue auditing these patches for FIPS Compliance and noticed that the pairwise consistency tests were not being executed when calling
ecdsa.GenerateKey()
due to the go SDK invoking the deprecatedEC_KEY_generate_key
functions (deprecated in OpenSSL3: https://www.openssl.org/docs/man3.0/man3/EC_KEY_generate_key.html)This looks like it was addressed in an update to the golang-fipss/openssl library here: https://github.com/golang-fips/openssl/commit/1607c24fa1d464ac8a8d7daf92aa760a2f22b4d2
But was never included in the FIPS Patches for Go on the
go1.20-fips-release
branch here: https://github.com/golang-fips/go/blob/go1.20-fips-release/patches/001-initial-openssl-for-fips.patch#L2367-L2368Which seem to reference this version here: https://github.com/golang-fips/openssl/blob/b175be2ccd46/openssl/ecdsa.go#L194
Is this something that could be backported to the Go 1.21 branch? Or at least documented as being a branch that is not FIPS Compliant under OpenSSL 3.