Skip to content

Use crypto/sha256 instead of crypto/md5 for FIPS compliance. #1056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: v3
Choose a base branch
from
Open

Use crypto/sha256 instead of crypto/md5 for FIPS compliance. #1056

wants to merge 2 commits into from

Conversation

BillBuilt
Copy link

Use crypto/sha256 instead of crypto/md5 for FIPS compliance.

Update deps

@smithcoin smithcoin mentioned this pull request Sep 25, 2025
Closed
@smithcoin
Copy link

Not only for fips, many linters now suggest avoiding md5 for any reason.

@moorereason
Copy link
Contributor

The comment in line 374 should be updated to not reference md5.

What are the implications of this change? From what I can see, the machine ID is only used here:

resty/util.go

Line 375 in 66256ef

b[4], b[5], b[6] = machineID[0], machineID[1], machineID[2]

Which is only called from here:

resty/request.go

Line 1385 in 66256ef

r.RetryTraceID = newGUID()

@BillBuilt
Copy link
Author

BillBuilt commented Sep 29, 2025
edited
Loading

When running go code using GOFIPS140=v1.0.0 GODEBUG=fips140=only, if any package is not compliant (MD5), it will fail to build regardless of how it is used.

https://go.dev/doc/security/fips140

I will update the comment. Thanks!

@BillBuilt BillBuilt mentioned this pull request Sep 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BillBuilt @smithcoin @moorereason