Patches Prior to OpenSSLV2 Branch Not FIPS Compliant with OpenSSL3

[manistal]

Ran into this issue auditing these patches for FIPS Compliance and noticed that the pairwise consistency tests were not being executed when calling ecdsa.GenerateKey() due to the go SDK invoking the deprecated EC_KEY_generate_key functions (deprecated in OpenSSL3: https://www.openssl.org/docs/man3.0/man3/EC_KEY_generate_key.html)

This looks like it was addressed in an update to the golang-fipss/openssl library here: https://github.com/golang-fips/openssl/commit/1607c24fa1d464ac8a8d7daf92aa760a2f22b4d2

But was never included in the FIPS Patches for Go on the go1.20-fips-release branch here: https://github.com/golang-fips/go/blob/go1.20-fips-release/patches/001-initial-openssl-for-fips.patch#L2367-L2368

Which seem to reference this version here: https://github.com/golang-fips/openssl/blob/b175be2ccd46/openssl/ecdsa.go#L194

Is this something that could be backported to the Go 1.21 branch? Or at least documented as being a branch that is not FIPS Compliant under OpenSSL 3.

[ueno]

That is correct, indeed. Without the change, PCT and public key validation check as in SP800 56A rev3 are not performed under OpenSSL 3. I guess we should backport it to the 1.21 branch. @dbenoit17 what do you think?

[dbenoit17]

Sgtm, thanks!