Go version
go version go1.25.1 darwin/arm64
Output of go env in your module/workspace:
AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/peter.woodman/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/peter.woodman/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/rb/vq1_48297rn2q1p9gsgbqs280000gp/T/go-build1454052979=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/peter.woodman/src/tlstest/go.mod'
GOMODCACHE='/Users/peter.woodman/opt/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/peter.woodman/opt/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.25.1/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='on'
GOTELEMETRYDIR='/Users/peter.woodman/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.25.1/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.1'
GOWORK=''
PKG_CONFIG='pkg-config'
What did you do?
I created a test case to reproduce the most basic HTTPS transaction possible, creating a test HTTPS server using net/http/httptest and then connecting to this endpoint, ran it under default runtime conditions, then ran with GODEBUG=fips140=only, then ran it with GODEBUG=fips140=only,tlsmlkem=0.
This code lives at https://github.com/pjjw/go-fips-tls-reproducer
What did you see happen?
The normal run and the MLKEM disabled run succeeded, but the GODEBUG=fips140=only run fails.
What did you expect to see?
I would expect all three of these runs to work successfully, as I'm using the default settings for FIPS. The code in crypto/tls appears to think the MLKEM curve should work in FIPS mode, and says fairly explicitly that this should be fine for the native module.
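Added example (not the code from the reporter's repository): a self-contained version of the httptest round trip above, with the key-exchange groups pinned on both sides instead of relying on the tlsmlkem GODEBUG. Restricting CurvePreferences to NIST curves is an assumed config-level workaround so that the hybrid ML-KEM group is never offered; fips140=only itself is read at process start, so it cannot be toggled inside one program and is not exercised here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fipsCurves is the assumed workaround: offer only NIST curves so the
// X25519MLKEM768 hybrid group is never negotiated. (Constructed for this
// example; nil would keep the Go defaults.)
var fipsCurves = []tls.CurveID{tls.CurveP256, tls.CurveP384}

// handshakeWith starts a local TLS server via net/http/httptest, performs one
// GET with a client limited to the given curves, and returns the negotiated
// TLS version, the HTTP status, and any handshake or transport error.
func handshakeWith(curves []tls.CurveID) (tlsVersion uint16, status int, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	// Server side: StartTLS clones this config and adds the test certificate.
	srv.TLS = &tls.Config{CurvePreferences: curves}
	srv.StartTLS()
	defer srv.Close()

	// srv.Client() already trusts the self-signed certificate; narrow its
	// curves the same way so both ends agree on what may be offered.
	client := srv.Client()
	tr := client.Transport.(*http.Transport)
	tr.TLSClientConfig.CurvePreferences = curves

	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, 0, err // a handshake failure surfaces here
	}
	defer resp.Body.Close()
	return resp.TLS.Version, resp.StatusCode, nil
}

func main() {
	v, status, err := handshakeWith(fipsCurves)
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("negotiated TLS 0x%04x, HTTP %d\n", v, status)
}
```

Run the binary under each GODEBUG setting from the report to compare outcomes; with the pinned curves the handshake no longer depends on whether ML-KEM is enabled.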
Comment From: gabyhelp
Related Issues
- crypto/fips140: TLS handshake fails with go1.25 and FIPS-140-3 strict mode #75166 (closed)
- crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode #75148 (closed)
- x/crypto/ssh: panic stating scalarBaseMult was not 32 bytes on FIPS enabled host with curve25519 #75061
- crypto: can't be used with `crypto/sha3` when `GODEBUG=fips140=only` is set #70879 (closed)
- cmd/go: `go test` doesn't work with `GODEBUG=fips140=only` #70878 (closed)
- crypto/tls: X25519MLKEM768 not enabled by default #75453 (closed)
- crypto/internal/fips140: segfault from hmac memmove #70880 (closed)
- crypto/tls: FIPS 140-3 modes reject ECDSA w/ curve P-521/SHA-512 in TLS #71757 (closed)
Related Code Changes
- internal/godebug,crypto/fips140: support readonly settings
- cmd/dist: skip fips140=on testing for ASAN
Comment From: mknyszek
CC @golang/security
Comment From: FiloSottile
We're aware, it's one of the main limitations of fips140=only (which at the moment should be considered a debug mode, not a production one). It will be fixed by #74630.