crypto/internal/fips140/drbg: remove global lock #71155

@rsc

There is still a global lock in the drbg package, so that crypto/rand.Read during fips mode will have significantly more contention than without. Worse, the code is inside the fips140 boundary, meaning it will take years for any change made after the release to be recertified and propagate out into actual (fips140) usage.

I believe we should change the drbg state to be per-P, before the release. This only affects the fips140 code path, not ordinary programs running in the default (non-fips140) mode, so it should be fairly low risk.

I will look into doing this.

/cc @FiloSottile
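
An added example, not part of the issue and not the Go project's code: the two shapes the issue contrasts, one generator behind a process-wide mutex versus instances handed out by `sync.Pool`, which caches per P. `toyDRBG`, `ReadGlobal` and `ReadPooled` are hypothetical names, and the SHA-256 counter construction is a constructed stand-in, not the DRBG in crypto/internal/fips140/drbg.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sync"
)

// toyDRBG is a constructed stand-in (SHA-256 over key||counter), not the
// generator in crypto/internal/fips140/drbg; it only gives the locks state.
type toyDRBG struct {
	mu  sync.Mutex // used only by the shared global instance
	key [32]byte
	ctr uint64
}

func newToyDRBG() *toyDRBG {
	d := new(toyDRBG)
	if _, err := rand.Read(d.key[:]); err != nil {
		panic(err) // no entropy: fail closed rather than run unseeded
	}
	return d
}

// next returns one 32-byte output block and advances the counter.
func (d *toyDRBG) next() [32]byte {
	d.ctr++
	return sha256.Sum256(binary.BigEndian.AppendUint64(d.key[:], d.ctr))
}

var global = newToyDRBG()
var pool = sync.Pool{New: func() interface{} { return newToyDRBG() }}

func ReadGlobal() [32]byte { // every goroutine serializes on one mutex
	global.mu.Lock()
	defer global.mu.Unlock()
	return global.next()
}

func ReadPooled() [32]byte { // sync.Pool caches per P; no shared lock held
	d := pool.Get().(*toyDRBG)
	defer pool.Put(d)
	return d.next()
}

func main() {
	fmt.Printf("global: %x\npooled: %x\n", ReadGlobal(), ReadPooled())
}
```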

Labels: BugReport, FixPending, FrozenDueToAge, NeedsFix, release-blocker