Skip to content

crypto: align FIPS mode GenerateKey behavior with non-FIPS mode #70772

New issue
New issue
Closed
Closed
crypto: align FIPS mode GenerateKey behavior with non-FIPS mode#70772
Assignees
FiloSottile
Labels
NeedsFixThe path to resolution is known, but the work has not been done.okay-after-rc1Used by release team to mark a release-blocker issue as okay to resolve either before or after rc1release-blocker
Milestone
Go1.24
@FiloSottile

Description

@FiloSottile
FiloSottile
opened on Dec 11, 2024

I initially made the GenerateKey functions ignore the rand parameter, because using anything but the FIPS DRBG makes the key non-compliant. However, this is the only subtle behavior difference between FIPS and non-FIPS mode (the others are the explicit change in crypto/tls behavior, and stuff getting slower).

We discussed this with @rsc and @rolandshoemaker and agreed to change it to work like Go+BoringCrypto for now, and then maybe consider ignoring the rand parameter entirely in Go 1.25 (regardless of FIPS mode).

Tracking issue for making the change in Go 1.24. See #69536.

Metadata

Metadata

Assignees

Labels

NeedsFixThe path to resolution is known, but the work has not been done.okay-after-rc1Used by release team to mark a release-blocker issue as okay to resolve either before or after rc1release-blocker

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions