crypto/md5,crypto/sha1: apply fips140=only to Write and Sum, not New

New is called to get a Hash which can then be rejected with an error
(instead of a panic) from fips140only.ApprovedHash.

Also, it's reasonable to call New().Size() and then not use the hash.

Change-Id: I6a6a4656c43528d169c4b28c8b6de48448236d4f
Reviewed-on: https://go-review.googlesource.com/c/go/+/641317
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/crypto/md5/md5.go

@@ -104,9 +104,6 @@ func consumeUint32(b []byte) ([]byte, uint32) {
 // [encoding.BinaryUnmarshaler] to marshal and unmarshal the internal
 // state of the hash.
 func New() hash.Hash {
-	if fips140only.Enabled {
-		panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
-	}
 	d := new(digest)
 	d.Reset()
 	return d
@@ -117,6 +114,9 @@ func (d *digest) Size() int { return Size }
 func (d *digest) BlockSize() int { return BlockSize }
 
 func (d *digest) Write(p []byte) (nn int, err error) {
+	if fips140only.Enabled {
+		return 0, errors.New("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
+	}
 	// Note that we currently call block or blockGeneric
 	// directly (guarded using haveAsm) because this allows
 	// escape analysis to see that p and d don't escape.
@@ -158,6 +158,10 @@ func (d *digest) Sum(in []byte) []byte {
 }
 
 func (d *digest) checkSum() [Size]byte {
+	if fips140only.Enabled {
+		panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
+	}
+
 	// Append 0x80 to the end of the message and then append zeros
 	// until the length is a multiple of 56 bytes. Finally append
 	// 8 bytes representing the message length in bits.
@@ -184,9 +188,6 @@ func (d *digest) checkSum() [Size]byte {
 
 // Sum returns the MD5 checksum of the data.
 func Sum(data []byte) [Size]byte {
-	if fips140only.Enabled {
-		panic("crypto/md5: use of MD5 is not allowed in FIPS 140-only mode")
-	}
 	var d digest
 	d.Reset()
 	d.Write(data)

src/crypto/sha1/sha1.go

@@ -111,9 +111,6 @@ func New() hash.Hash {
 	if boring.Enabled {
 		return boring.NewSHA1()
 	}
-	if fips140only.Enabled {
-		panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode")
-	}
 	d := new(digest)
 	d.Reset()
 	return d
@@ -124,6 +121,9 @@ func (d *digest) Size() int { return Size }
 func (d *digest) BlockSize() int { return BlockSize }
 
 func (d *digest) Write(p []byte) (nn int, err error) {
+	if fips140only.Enabled {
+		return 0, errors.New("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+	}
 	boring.Unreachable()
 	nn = len(p)
 	d.len += uint64(nn)
@@ -156,6 +156,10 @@ func (d *digest) Sum(in []byte) []byte {
 }
 
 func (d *digest) checkSum() [Size]byte {
+	if fips140only.Enabled {
+		panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+	}
+
 	len := d.len
 	// Padding.  Add a 1 bit and 0 bits until 56 bytes mod 64.
 	var tmp [64 + 8]byte // padding + length buffer
@@ -196,6 +200,10 @@ func (d *digest) ConstantTimeSum(in []byte) []byte {
 }
 
 func (d *digest) constSum() [Size]byte {
+	if fips140only.Enabled {
+		panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
+	}
+
 	var length [8]byte
 	l := d.len << 3
 	for i := uint(0); i < 8; i++ {
@@ -262,7 +270,7 @@ func Sum(data []byte) [Size]byte {
 		return boring.SHA1(data)
 	}
 	if fips140only.Enabled {
-		panic("crypto/sha1: use of weak SHA-1 is not allowed in FIPS 140-only mode")
+		panic("crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode")
 	}
 	var d digest
 	d.Reset()