crypto/ecdsa: ecdsa.Sign() has become indeterministic in go 1.21.6 #66129
sAnjAy060897 opened this issue Mar 6, 2024 · 4 comments

sAnjAy060897 commented Mar 6, 2024

Go version

go version go1.21.6 X:boringcrypto linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/go/.cache'
GOENV='/home/skumar12/.config/go/env'
GOEXE=''
GOEXPERIMENT='boringcrypto'
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/skumar12/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/skumar12/go'
GOPRIVATE=''
GOPROXY=''
GOROOT='/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot-native/usr/lib/go'
GOSUMDB='sum.golang.org'
GOTMPDIR='/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/build-tmp'
GOTOOLCHAIN=''
GOTOOLDIR='/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot-native/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.6 X:boringcrypto'
GCCGO='gccgo'
GOAMD64='v1'
AR='x86_64-ion-linux-gcc-ar'
CC='x86_64-ion-linux-gcc  -m64 -march=nehalem -mtune=generic -mfpmath=sse -msse4.2 --sysroot=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot'
CXX='x86_64-ion-linux-g++  -m64 -march=nehalem -mtune=generic -mfpmath=sse -msse4.2 --sysroot=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot= -fdebug-prefix-map=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot-native='
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot= -fdebug-prefix-map=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot-native= -fvisibility-inlines-hidden'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -no-pie'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-mtune=generic -mfpmath=sse -msse4.2 --sysroot=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/recipe-sysroot -I . -fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/ws2/skumar12/element_code2/ap/build/tmp/work/corei7-64-ion-linux/go/1.21.6-r0/build-tmp/go-build1011848331=/tmp/go-build -gno-record-gcc-switches'

What did you do?

We are working on getting FIPS certification for our products, and one of the requirements is to run ECDSA and RSA-PSS known answer tests during boot-up.
We have our own Go program which has predefined values for the random input, private and public keys, the message, and pre-computed signatures for comparison.

What did you see happen?

In 1.21.6, it seems that even with all inputs to ecdsa.Sign predefined, it always generates a nondeterministic signature.

What did you expect to see?

It used to generate the same set of signatures up to 1.18.9. Was this a recent behaviour change? Is there a way to make ECDSA signature generation deterministic?

In the same context, is there a way to set the RSA-PSS salt length to 0 so that it becomes deterministic, as is possible with OpenSSL?


Jorropo commented Mar 6, 2024

This looks like a duplicate of #58637's discussion to me.
3adcce5 added this note to the SignASN1 function:

// The signature is randomized. Most applications should use [crypto/rand.Reader]
// as rand. Note that the returned signature does not depend deterministically on
// the bytes read from rand, and may change between calls and/or between versions.

sAnjAy060897 (author) commented

@Jorropo,
Thanks for pointing out the documentation.

I'm wondering if there is a way it can be made deterministic with a flag or some tweaks?


Jorropo commented Mar 6, 2024

I don't know, cc @FiloSottile. As far as I can tell https://pkg.go.dev/filippo.io/keygen only helps with deterministic key generation, not the actual Sign functions.

FiloSottile commented

First of all, Go+BoringCrypto is not a supported mode, and we definitely can't assist with FIPS validation requirements in relation to it. Still, I am a bit confused by what you are trying to do, because the BoringCrypto module already has boot self-tests.

Anyway, the fact that Sign is not deterministic and that you can't expect it to stay the same across versions is clearly documented.

// The signature is randomized. Most applications should use [crypto/rand.Reader]
// as rand. Note that the returned signature does not depend deterministically on
// the bytes read from rand, and may change between calls and/or between versions.

We might at some point support deterministic ECDSA, see #64802, but we don't currently.
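One way to keep a boot-time ECDSA self-test robust given the randomized Sign documented above, as an added example that is not code from this issue or from the Go project: the signing half verifies its fresh output under the public key instead of byte-comparing it, and only the verification half stays a true known-answer test. It assumes a constructed P-256 scalar and a constant-byte reader as stand-ins for the reporter's predefined key and random values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"errors"
	"math/big"
)

// fixedRand stands in for the reporter's "predefined random": every read yields
// the same bytes. Constructed for this example, not a real entropy source.
type fixedRand struct{}

func (fixedRand) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0x01
	}
	return len(p), nil
}

// testKey builds a P-256 key from a constructed scalar (placeholder, not a validated vector).
func testKey() *ecdsa.PrivateKey {
	d := new(big.Int).SetBytes(bytes.Repeat([]byte{0x2a}, 32))
	priv := &ecdsa.PrivateKey{D: d}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(d.Bytes())
	return priv
}

// signKAT exercises Sign without assuming reproducible output: the fresh
// signature is checked with Verify under the public key rather than compared
// byte-for-byte with a stored one, so the hedged nonce cannot cause a spurious failure.
func signKAT(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(fixedRand{}, priv, digest[:])
	if err != nil {
		return nil, err
	}
	if !ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig) {
		return nil, errors.New("ecdsa sign KAT: fresh signature does not verify")
	}
	return sig, nil
}

// verifyKAT is the half that stays a true known-answer test: a stored (message, signature) pair must verify.
func verifyKAT(pub *ecdsa.PublicKey, msg, knownSig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], knownSig)
}
```

The same sign-then-verify shape covers the RSA-PSS question, where note that in crypto/rsa a PSSOptions.SaltLength of 0 means PSSSaltLengthAuto (the maximum salt), not a zero-length salt.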
