Unreviewed changes
Patch set 4 is the latest approved patch set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: src/crypto/cipher/gcm_test.go
Insertions: 2, Deletions: 2.
@@ -762,10 +762,10 @@
})
}
-func TestGCMNonces(t *testing.T) {
+func TestGCMNoncesFIPSV1(t *testing.T) {
cryptotest.MustSupportFIPS140(t)
if !fips140.Enabled {
- cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNonces$", "-test.v")
+ cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV1$", "-test.v")
cmd = testenv.CleanCmdEnv(cmd)
cmd.Env = append(cmd.Env, "GODEBUG=fips140=on")
out, err := cmd.CombinedOutput()
```
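Review bot: the `-test.run=^TestGCMNoncesFIPSV1$` pattern on the `+` line must be kept in sync by hand with the renamed function above it; if a later rename touches only one of the two, the child process matches no tests and exits 0, and whether the parent notices depends on how it inspects `out` after `cmd.CombinedOutput()`, which is outside this hunk. Consider deriving the pattern from the test's own name, e.g. `"-test.run=^"+t.Name()+"$"`, so the regex cannot drift from the function name again.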
Change information
Commit message:
crypto/internal/fips140/aes/gcm: don't panic on bad nonces out of FIPS 140-3 mode
The enforcement is good beyond compliance if it is correct, but I am
more nervous about accidental DoS due to mismatches between how the
caller calculates a nonce and how the enforcement expects it to be
calculated.
We need to have this enforcement in FIPS 140-3 mode, but no need to blow
ourselves up when it's off.
If all goes well, this code is unreachable anyway.
Change-Id: If73ec59ebbd283b0e5506354961a87a06a6a6964
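The commit message argues for two behaviours from one nonce check: hard failure in FIPS 140-3 mode, a recoverable error outside it, because a caller that builds its nonce differently from what the enforcement expects would otherwise crash the process. The following is an added, self-contained Go illustration of that split; it is not the Go project's code and does not use its internals. It assumes a hypothetical rule (a 96-bit nonce whose last four bytes are a big-endian, strictly increasing counter, loosely modelled on the SP 800-38D deterministic construction), a stand-in `fipsEnabled` flag, an all-zero demo key and constructed nonce builders, one of which deliberately puts the counter in the wrong field to model the mismatch the message worries about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// fipsEnabled stands in for a FIPS-mode switch (assumption for this example;
// it is not the real fips140.Enabled).
var fipsEnabled = false

// ErrNonceReuse is returned (or, in FIPS mode, panicked) when the counter
// field of a nonce fails to increase.
var ErrNonceReuse = errors.New("gcm: nonce counter did not increase")

// counterGCM wraps a standard AES-GCM AEAD and enforces this example's
// hypothetical rule: the last 4 bytes of a 12-byte nonce are a big-endian
// counter that must be strictly larger than the previous one.
type counterGCM struct {
	aead cipher.AEAD
	last uint32
	seen bool
}

func newCounterGCM(key []byte) (*counterGCM, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &counterGCM{aead: aead}, nil
}

// checkNonce is the enforcement point. In FIPS mode a violation is fatal;
// otherwise it is reported as an ordinary error so a mismatched caller
// cannot take the whole process down.
func (g *counterGCM) checkNonce(nonce []byte) error {
	if len(nonce) != 12 {
		return fmt.Errorf("gcm: nonce must be 12 bytes, got %d", len(nonce))
	}
	ctr := binary.BigEndian.Uint32(nonce[8:])
	if g.seen && ctr <= g.last {
		if fipsEnabled {
			panic(ErrNonceReuse)
		}
		return ErrNonceReuse
	}
	g.last, g.seen = ctr, true
	return nil
}

// Seal checks the nonce and then seals with the wrapped AEAD.
func (g *counterGCM) Seal(nonce, plaintext, additionalData []byte) ([]byte, error) {
	if err := g.checkNonce(nonce); err != nil {
		return nil, err
	}
	return g.aead.Seal(nil, nonce, plaintext, additionalData), nil
}

// bigEndianNonce builds fixed||counter the way the enforcement expects.
func bigEndianNonce(fixed [8]byte, ctr uint32) []byte {
	n := make([]byte, 12)
	copy(n, fixed[:])
	binary.BigEndian.PutUint32(n[8:], ctr)
	return n
}

// prefixCounterNonce models a caller that puts the counter first and the
// fixed field last: still unique nonces, but not what the check expects.
func prefixCounterNonce(fixed [8]byte, ctr uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[:4], ctr)
	copy(n[4:], fixed[:])
	return n
}

// runScenario seals msgs messages with nonces from mk and returns how many
// succeeded and the first error seen (nil if none).
func runScenario(mk func([8]byte, uint32) []byte, msgs int) (ok int, firstErr error) {
	g, err := newCounterGCM(make([]byte, 16)) // constructed all-zero demo key
	if err != nil {
		return 0, err
	}
	var fixed [8]byte // constructed all-zero fixed field
	for i := uint32(0); i < uint32(msgs); i++ {
		if _, err := g.Seal(mk(fixed, i), []byte("hello"), nil); err != nil {
			if firstErr == nil {
				firstErr = err
			}
			continue
		}
		ok++
	}
	return ok, firstErr
}

// panicsInFIPSMode runs the mismatched caller with the flag on and reports
// whether the enforcement escalated to a panic.
func panicsInFIPSMode() (panicked bool) {
	fipsEnabled = true
	defer func() { fipsEnabled = false }()
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_, _ = runScenario(prefixCounterNonce, 2)
	return false
}

func main() {
	ok, err := runScenario(bigEndianNonce, 5)
	fmt.Println("expected layout:", ok, "sealed, err =", err)
	ok, err = runScenario(prefixCounterNonce, 5)
	fmt.Println("mismatched layout:", ok, "sealed, err =", err)
	fmt.Println("panics in FIPS mode:", panicsInFIPSMode())
}
```

With the flag off, the mismatched caller seals its first message and then gets `ErrNonceReuse` back for every further one, which is the recoverable "accidental DoS" shape; with the flag on, the same input panics, which is the behaviour the commit message wants to keep only in FIPS 140-3 mode.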
Files:
- M src/crypto/cipher/gcm_fips140v2.0_test.go
- M src/crypto/cipher/gcm_test.go
- M src/crypto/internal/fips140/aes/gcm/gcm_nonces.go
Change size: M
Delta: 3 files changed, 80 insertions(+), 43 deletions(-)
Branch: refs/heads/master
Submit Requirements:
Code-Review: +2 by Roland Shoemaker, +1 by David Chase
TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI