package fips140

import "crypto/internal/fips140"

Index

Variables

var Enabled bool

Functions

func CAST

func CAST(name string, f func() error)

CAST runs the named Cryptographic Algorithm Self-Test (if operated in FIPS mode) and aborts the program (stopping the module input/output and entering the "error state") if the self-test fails.

CASTs are mandatory self-checks that must be performed by FIPS 140-3 modules before the algorithm is used. See Implementation Guidance 10.3.A.

The name must not contain commas, colons, hashes, or equal signs.

If a package p calls CAST from its init function, an import of p should also be added to crypto/internal/fips140test. If a package p calls CAST on the first use of the algorithm, an invocation of that algorithm should be added to fipstest.TestConditionals.

func Name

func Name() string

func PCT

func PCT(name string, f func() error) error

PCT runs the named Pairwise Consistency Test (if operated in FIPS mode) and returns any errors. If an error is returned, the key must not be used.

PCTs are mandatory for every key pair that is generated/imported, including ephemeral keys (which effectively doubles the cost of key establishment). See Implementation Guidance 10.3.A Additional Comment 1.

The name must not contain commas, colons, hashes, or equal signs.

If a package p calls PCT during key generation, an invocation of that function should be added to fipstest.TestConditionals.
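A pairwise consistency test wired into key generation, as an added Go sketch that is not the package's own code (crypto/internal/fips140 cannot be imported from outside the standard library). The names runPCT, signVerify and generateKey are hypothetical, the sketch always behaves as if FIPS mode were on, and returning an error for a forbidden name is its own choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// runPCT is a hypothetical stand-in for PCT(name, f): it refuses names with
// the characters the documentation forbids, then runs f and returns its error.
func runPCT(name string, f func() error) error {
	if strings.ContainsAny(name, ",:#=") {
		return fmt.Errorf("invalid PCT name %q", name)
	}
	return f()
}

// signVerify signs a fixed digest with priv and verifies it with pub, so a
// mismatched or corrupted pair is caught before the key is first used.
func signVerify(priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey) error {
	digest := sha256.Sum256([]byte("pairwise consistency test"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature from priv does not verify under pub")
	}
	return nil
}

// generateKey hands out a P-256 key only after its PCT has passed.
func generateKey() (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if err := runPCT("ECDSA sign-verify", func() error { return signVerify(priv, &priv.PublicKey) }); err != nil {
		return nil, err // the key must not be used
	}
	return priv, nil
}

func main() {
	_, err := generateKey()
	fmt.Println("PCT error:", err)
}
```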

func RecordApproved

func RecordApproved()

RecordApproved is an internal function that records the use of an approved service. It does not override RecordNonApproved calls in the same span.

It should be called by exposed functions that perform a whole cryptographic algorithm (e.g. by Sum, not by New, unless a cryptographic Instantiate algorithm is performed) and should be called after any checks that may cause the function to error out or panic.

func RecordNonApproved

func RecordNonApproved()

RecordNonApproved is an internal function that records the use of a non-approved service. It overrides any RecordApproved calls in the same span.

func ResetServiceIndicator

func ResetServiceIndicator()

ResetServiceIndicator clears the service indicator for the running goroutine.

func ServiceIndicator

func ServiceIndicator() bool

ServiceIndicator returns true if and only if all services invoked by this goroutine since the last ResetServiceIndicator call are approved.

If ResetServiceIndicator was not called before by this goroutine, its return value is undefined.
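The override rule between RecordApproved and RecordNonApproved within one span, as an added Go model that is not the package's own code. The indicator type, spanApproved and the two constructed services are hypothetical, the state is an explicit value rather than goroutine-local, and reporting false for an empty span is a modelling assumption.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"fmt"
)

// indicator models the service indicator; names are hypothetical.
type indicator uint8

const (
	unset indicator = iota // state after Reset
	nonApproved
	approved
)

func (i *indicator) Reset() { *i = unset }

// RecordApproved never overrides an earlier RecordNonApproved in the span.
func (i *indicator) RecordApproved() {
	if *i == unset {
		*i = approved
	}
}

// RecordNonApproved overrides any RecordApproved in the span.
func (i *indicator) RecordNonApproved() { *i = nonApproved }

// Approved reports false for an empty span (a modelling assumption).
func (i *indicator) Approved() bool { return *i == approved }

// spanApproved resets the indicator, runs ops, then reads the indicator.
func spanApproved(ops ...func(*indicator)) bool {
	var ind indicator
	ind.Reset()
	for _, op := range ops {
		op(&ind)
	}
	return ind.Approved()
}

// Constructed services: each records its status after the whole operation.
func sha(i *indicator) { _ = sha256.Sum256([]byte("msg")); i.RecordApproved() }
func legacy(i *indicator) { _ = md5.Sum([]byte("msg")); i.RecordNonApproved() }

func main() {
	fmt.Println(spanApproved(sha, sha), spanApproved(sha, legacy), spanApproved(legacy, sha))
}
```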

func Supported

func Supported() error

Supported returns an error if FIPS 140-3 mode can't be enabled.

func Version

func Version() string

Types

type Hash

type Hash interface {
	// Write (via the embedded io.Writer interface) adds more data to the
	// running hash. It never returns an error.
	io.Writer

	// Sum appends the current hash to b and returns the resulting slice.
	// It does not change the underlying hash state.
	Sum(b []byte) []byte

	// Reset resets the Hash to its initial state.
	Reset()

	// Size returns the number of bytes Sum will return.
	Size() int

	// BlockSize returns the hash's underlying block size.
	// The Write method must be able to accept any amount
	// of data, but it may operate more efficiently if all writes
	// are a multiple of the block size.
	BlockSize() int
}

Hash is the common interface implemented by all hash functions. It is a copy of hash.Hash from the standard library, to avoid depending on security definitions from outside of the module.

Source Files

cast.go fips140.go hash.go indicator.go notasan.go notboring.go

Directories

Path    Synopsis
crypto/internal/fips140/aes
crypto/internal/fips140/aes/_asm
crypto/internal/fips140/aes/_asm/ctr
crypto/internal/fips140/aes/_asm/standard
crypto/internal/fips140/aes/gcm
crypto/internal/fips140/aes/gcm/_asm
crypto/internal/fips140/aes/gcm/_asm/gcm
crypto/internal/fips140/alias    Package alias implements memory aliasing tests.
crypto/internal/fips140/bigmod
crypto/internal/fips140/bigmod/_asm
crypto/internal/fips140/check    Package check implements the FIPS 140 load-time code+data verification.
crypto/internal/fips140/check/checktest    Package checktest defines some code and data for use in the crypto/internal/fips140/check test.
crypto/internal/fips140/drbg
crypto/internal/fips140/ecdh
crypto/internal/fips140/ecdsa
crypto/internal/fips140/ed25519
crypto/internal/fips140/edwards25519    Package edwards25519 implements group logic for the twisted Edwards curve
crypto/internal/fips140/edwards25519/field    Package field implements fast arithmetic modulo 2^255-19.
crypto/internal/fips140/edwards25519/field/_asm
crypto/internal/fips140/hkdf
crypto/internal/fips140/hmac    Package hmac implements HMAC according to [FIPS 198-1].
crypto/internal/fips140/mlkem    Package mlkem implements the quantum-resistant key encapsulation method ML-KEM (formerly known as Kyber), as specified in [NIST FIPS 203].
crypto/internal/fips140/nistec    Package nistec implements the elliptic curves from NIST SP 800-186.
crypto/internal/fips140/nistec/_asm
crypto/internal/fips140/nistec/fiat
crypto/internal/fips140/pbkdf2
crypto/internal/fips140/rsa
crypto/internal/fips140/sha256    Package sha256 implements the SHA-224 and SHA-256 hash algorithms as defined in FIPS 180-4.
crypto/internal/fips140/sha256/_asm
crypto/internal/fips140/sha3    Package sha3 implements the SHA-3 fixed-output-length hash functions and the SHAKE variable-output-length functions defined by [FIPS 202], as well as the cSHAKE extendable-output-length functions defined by [SP 800-185].
crypto/internal/fips140/sha3/_asm
crypto/internal/fips140/sha512    Package sha512 implements the SHA-384, SHA-512, SHA-512/224, and SHA-512/256 hash algorithms as defined in FIPS 180-4.
crypto/internal/fips140/sha512/_asm
crypto/internal/fips140/ssh    Package ssh implements the SSH KDF as specified in RFC 4253, Section 7.2 and allowed by SP 800-135 Revision 1.
crypto/internal/fips140/subtle
crypto/internal/fips140/tls12
crypto/internal/fips140/tls13    Package tls13 implements the TLS 1.3 Key Schedule as specified in RFC 8446, Section 7.1 and allowed by FIPS 140-3 IG 2.4.B Resolution 7.
Version: v1.24.0 (latest)
Published: Feb 10, 2025
Platform: linux/amd64
Imports: 6 packages