Disable DES, RC4, MD4, MD5 in FIPS mode

OpenSSL 1.0.2 FIPS mode will claim to support the aforementioned algorithms but will fail with the error "disabled for fips" when one tries to initialize an EVP context with one. Signed-off-by: Cory Snider <csnider@mirantis.com>
golang-fips · Oct 18, 2023 · 8723005 · 8723005
1 parent 09700e5
commit 8723005
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/des.go b/des.go
@@ -14,9 +14,9 @@ import (
 // If CBC is also supported, then the returned cipher.Block
 // will also implement NewCBCEncrypter and NewCBCDecrypter.
 func SupportsDESCipher() bool {
-	// True for stock OpenSSL 1.
+	// True for stock OpenSSL 1 w/o FIPS.
 	// False for stock OpenSSL 3 unless the legacy provider is available.
-	return loadCipher(cipherDES, cipherModeECB) != nil
+	return (versionAtOrAbove(1, 1, 0) || !FIPS()) && loadCipher(cipherDES, cipherModeECB) != nil
 }
 
 // SupportsTripleDESCipher returns true if NewTripleDESCipher is supported,

diff --git a/evp.go b/evp.go
@@ -72,9 +72,13 @@ func cryptoHashToMD(ch crypto.Hash) (md C.GO_EVP_MD_PTR) {
 	}
 	switch ch {
 	case crypto.MD4:
-		return C.go_openssl_EVP_md4()
+		if versionAtOrAbove(1, 1, 0) || !FIPS() {
+			return C.go_openssl_EVP_md4()
+		}
 	case crypto.MD5:
-		return C.go_openssl_EVP_md5()
+		if versionAtOrAbove(1, 1, 0) || !FIPS() {
+			return C.go_openssl_EVP_md5()
+		}
 	case crypto.SHA1:
 		return C.go_openssl_EVP_sha1()
 	case crypto.SHA224:

diff --git a/rc4.go b/rc4.go
@@ -8,9 +8,9 @@ import "runtime"
 
 // SupportsRC4 returns true if NewRC4Cipher is supported.
 func SupportsRC4() bool {
-	// True for stock OpenSSL 1.
+	// True for stock OpenSSL 1 w/o FIPS.
 	// False for stock OpenSSL 3 unless the legacy provider is available.
-	return loadCipher(cipherRC4, cipherModeNone) != nil
+	return (versionAtOrAbove(1, 1, 0) || !FIPS()) && loadCipher(cipherRC4, cipherModeNone) != nil
 }
 
 // A RC4Cipher is an instance of RC4 using a particular key.