golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/rsa: can generate digital signature when hash algorithm (digest method) is set to MD5 in FIPS mode #45565

Open ijajmulani opened 3 years ago

ijajmulani commented 3 years ago

I am able to generate a signature with the md5 hash algorithm in FIPS mode. According to FIPS 140-2, md5 should not be used for digital signatures.

What version of Go are you using (go version)?

$ go version
go version go1.15.4 linux/amd64

Does this issue reproduce with the latest release?

Not checked

What operating system and processor architecture are you using (go env)?

GOARCH="amd64" GOHOSTOS="linux" OS=redhat 7.5

What did you do?

Below is the code I'm using to generate the digital signature:

import (
	"crypto"
	"crypto/md5"
	"crypto/rsa"
	"encoding/hex"
)

// Reported case: an MD5 digest signed with PKCS #1 v1.5 (hex encoding of the result assumed).
func signWithMD5(privKeyObj *rsa.PrivateKey) (string, error) {
	data := []byte("Checking fips mode")
	hash := md5.New()
	hash.Write(data)
	bytesData := hash.Sum(nil)
	signData, err := rsa.SignPKCS1v15(nil, privKeyObj, crypto.MD5, bytesData)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(signData), nil
}

I have built this code with go-toolset: GOOS=linux GOARCH=amd64 scl enable go-toolset-1.14 'go build -v -o fips-compliance-check'

When I run the generated Go binary on a FIPS-enabled host it should fail, but unfortunately the code generates a signature.

I don't know whether this is an issue or not. Or am I lacking some understanding here?

seankhliao commented 3 years ago

cc @FiloSottile

ijajmulani commented 3 years ago

I checked, my binary uses boringcrypto instead of native boringcrypto

```
$ go tool nm fips-compliance-check | grep _Cfunc__goboringcrypto
4016b0 T _cgo_18935346a3e2_Cfunc__goboringcrypto_BN_bin2bn
401730 T _cgo_18935346a3e2_Cfunc__goboringcrypto_BN_bn2bin
401840 T _cgo_18935346a3e2_Cfunc__goboringcrypto_DLOPEN_OPENSSL
401ab0 T _cgo_18935346a3e2_Cfunc__goboringcrypto_ECDSA_sig
```

Also, I executed my binary with the command below: ./fips-compliance-check -fipsMode=true

The digital signature is still generated with the MD5 digest.

Note: the container where I'm building my code is not FIPS compliant, but the machine where I'm executing the binary has FIPS mode enabled.

elagergren-spideroak commented 3 years ago

It's true that the boringcrypto branch allows MD5:

https://github.com/golang/go/blob/b397e0c028e9fb5a1169ea6a84a7138b92f4af8c/src/crypto/internal/boring/rsa.go#L305-L314
https://github.com/golang/go/blob/b397e0c028e9fb5a1169ea6a84a7138b92f4af8c/src/crypto/internal/boring/hmac.go#L41-L44

elagergren-spideroak commented 3 years ago

Also, the only FIPS 140-2 approved[1,2,3] hash functions are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

FiloSottile commented 1 year ago

AFAIK, Go+BoringCrypto will not actively stop you from using unapproved algorithms, and the Security Policy mentions it. It's up to the application to operate within the SP requirements. @agl can you confirm this is working as intended?
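Since the thread concludes that Go+BoringCrypto leaves algorithm policy to the application, the following is an added example (not code from the Go project or from any commenter) of what that application-level check can look like. It encodes the approved hash list quoted in the comment above as an allowlist and wraps rsa.SignPKCS1v15 and rsa.VerifyPKCS1v15 so that the MD5 call from the original report is refused before the library is reached. The names IsFIPSApprovedHash, SignPKCS1v15Approved and VerifyPKCS1v15Approved are hypothetical, and the message and key are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256 so crypto.Hash.New works
	"errors"
	"fmt"
)

// ErrUnapprovedHash is returned for any digest outside the allowlist below.
var ErrUnapprovedHash = errors.New("hash algorithm is not FIPS 140-2 approved for digital signatures")

// fipsApprovedHashes mirrors the list given in this thread: SHA-1, SHA-224,
// SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. MD5 is absent.
// (Assumption: the deployment wants exactly that list; see the note below.)
var fipsApprovedHashes = map[crypto.Hash]bool{
	crypto.SHA1:       true,
	crypto.SHA224:     true,
	crypto.SHA256:     true,
	crypto.SHA384:     true,
	crypto.SHA512:     true,
	crypto.SHA512_224: true,
	crypto.SHA512_256: true,
}

// IsFIPSApprovedHash reports whether h may be used for a signature.
func IsFIPSApprovedHash(h crypto.Hash) bool { return fipsApprovedHashes[h] }

// digest hashes msg with h after enforcing the policy and checking that the
// hash implementation is actually linked into the binary.
func digest(h crypto.Hash, msg []byte) ([]byte, error) {
	if !IsFIPSApprovedHash(h) {
		return nil, fmt.Errorf("%w: %v", ErrUnapprovedHash, h)
	}
	if !h.Available() {
		return nil, fmt.Errorf("hash %v is not linked into this binary", h)
	}
	hh := h.New()
	hh.Write(msg)
	return hh.Sum(nil), nil
}

// SignPKCS1v15Approved is the policy-enforcing wrapper that Go+BoringCrypto
// itself does not provide: it rejects unapproved digests and otherwise
// returns the PKCS #1 v1.5 signature over msg.
func SignPKCS1v15Approved(priv *rsa.PrivateKey, h crypto.Hash, msg []byte) ([]byte, error) {
	d, err := digest(h, msg)
	if err != nil {
		return nil, err
	}
	return rsa.SignPKCS1v15(rand.Reader, priv, h, d)
}

// VerifyPKCS1v15Approved applies the same allowlist on the verifying side.
func VerifyPKCS1v15Approved(pub *rsa.PublicKey, h crypto.Hash, msg, sig []byte) error {
	d, err := digest(h, msg)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, h, d, sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed test key
	if err != nil {
		panic(err)
	}
	msg := []byte("Checking fips mode") // same constructed input as the report above

	// The MD5 case from the report is now refused at the application layer.
	if _, err := SignPKCS1v15Approved(priv, crypto.MD5, msg); err != nil {
		fmt.Println("MD5 rejected:", err)
	}

	// An approved digest goes through and verifies.
	sig, err := SignPKCS1v15Approved(priv, crypto.SHA256, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-256 signature verifies:", VerifyPKCS1v15Approved(&priv.PublicKey, crypto.SHA256, msg, sig) == nil)
}
```

The allowlist is kept as a plain map so a deployment can tighten it; in particular, SP 800-131A disallows SHA-1 for signature generation even though it appears on the list quoted in the thread, so a stricter policy would drop crypto.SHA1 from the map for signing. The check runs before the library call, which is the only place it can live given that the BoringCrypto branch passes MD5 through.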