crypto/rsa: can generate digital signature when hash algorithm (digest method) is set to MD5 in FIPS mode

[ijajmulani]

I am able to generate signature with md5 hash algorithm in FIPS mode. According to FIPS 140-2 md5 should not be use for digital signature.

What version of Go are you using (go version)?

$ go version
go version go1.15.4 linux/amd64

Does this issue reproduce with the latest release?

Not checked

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOHOSTOS="linux"
OS=redhat 7.5

What did you do?

below code I'm using to generate digital signature

data := []byte("Checking fips mode")
hash := md5.New()
hash.Write(data)
bytesData := hash.Sum(nil)

signData, err := rsa.SignPKCS1v15(nil, privKeyObj, crypto.MD5, bytesData[:])
if err != nil {
        return "", err
}

I have build this code with go-toolset
GOOS=linux GOARCH=amd64 scl enable go-toolset-1.14 'go build -v -o fips-compliance-check'

When I run generated go binary in FIPS enabled host it should fail but unfortunately code is generating signature

I don't know whether is this issue or not.
Or am I lacking some understanding here?

[seankhliao]

cc @FiloSottile

[ijajmulani]

I checked, my binary uses boringcrypto instead of native boringcrypto

`
go tool nm fips-compliance-check | grep Cfunc__goboringcrypto

4016b0 T _cgo_18935346a3e2_Cfunc__goboringcrypto_BN_bin2bn
401730 T _cgo_18935346a3e2_Cfunc__goboringcrypto_BN_bn2bin
401840 T _cgo_18935346a3e2_Cfunc__goboringcrypto_DLOPEN_OPENSSL
401ab0 T _cgo_18935346a3e2_Cfunc__goboringcrypto_ECDSA_sig
`

also I executed my binary with below command.
./fips-compliance-check -fipsMode=true

Still digital signature is generated with MD5 digest

Note --
The container where I'm building my code is not FIPS compliant. But machine where I'm executing binary is FIPS mode enabled.

[elagergren-spideroak]

It's true that the boringcrypto branch allows MD5:

go/src/crypto/internal/boring/rsa.go

Lines 305 to 314 in b397e0c

	md := cryptoHashToMD(h)
	if md == nil {
	return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
	}
	nid := C._goboringcrypto_EVP_MD_type(md)
	var out []byte
	var outLen C.uint
	if priv.withKey(func(key *C.GO_RSA) C.int {
	out = make([]byte, C._goboringcrypto_RSA_size(key))
	return C._goboringcrypto_RSA_sign(nid, base(hashed), C.uint(len(hashed)),

go/src/crypto/internal/boring/hmac.go

Lines 41 to 44 in b397e0c

	func cryptoHashToMD(ch crypto.Hash) *C.GO_EVP_MD {
	switch ch {
	case crypto.MD5:
	return C._goboringcrypto_EVP_md5()

[elagergren-spideroak]

Also, the only FIPS 140-2 approved[1,2,3] hash functions are SHA-1, SHA-224, SHA-256, SHA-384 SHA-512, SHA-512/224, and SHA-512/256.

[FiloSottile]

AFAIK, Go+BoringCrypto will not actively stop you from using unapproved algorithms, and the Security Policy mentions it. It's up to the application to operate within the SP requirements. @agl can you confirm this is working as intended?