Open ijajmulani opened 3 years ago
cc @FiloSottile
I checked, my binary uses boringcrypto instead of native boringcrypto
` go tool nm fips-compliance-check | grep _Cfunc_goboringcrypto
4016b0 T _cgo_18935346a3e2_Cfuncgoboringcrypto_BN_bin2bn 401730 T _cgo_18935346a3e2_Cfunc__goboringcrypto_BN_bn2bin 401840 T _cgo_18935346a3e2_Cfuncgoboringcrypto_DLOPEN_OPENSSL 401ab0 T _cgo_18935346a3e2_Cfunc__goboringcrypto_ECDSA_sig `
also I executed my binary with below command.
./fips-compliance-check -fipsMode=true
Still digital signature is generated with MD5 digest
Note -- The container where I'm building my code is not FIPS compliant. But machine where I'm executing binary is FIPS mode enabled.
Also, the only FIPS 140-2 approved[1,2,3] hash functions are SHA-1, SHA-224, SHA-256, SHA-384 SHA-512, SHA-512/224, and SHA-512/256.
AFAIK, Go+BoringCrypto will not actively stop you from using unapproved algorithms, and the Security Policy mentions it. It's up to the application to operate within the SP requirements. @agl can you confirm this is working as intended?
I am able to generate signature with md5 hash algorithm in FIPS mode. According to FIPS 140-2 md5 should not be use for digital signature.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Not checked
What operating system and processor architecture are you using (
go env
)?GOARCH="amd64" GOHOSTOS="linux" OS=redhat 7.5
What did you do?
below code I'm using to generate digital signature
I have build this code with go-toolset
GOOS=linux GOARCH=amd64 scl enable go-toolset-1.14 'go build -v -o fips-compliance-check'
When I run generated go binary in FIPS enabled host it should fail but unfortunately code is generating signature
I don't know whether is this issue or not. Or am I lacking some understanding here?