Go 1.24 FIPS-only mode panics #23
Description
When using Vellum's Levenshtein package, Go 1.24's new FIPS-only mode makes the code panic:
$ make
GODEBUG=fips140=only go run .
panic: crypto/md5: use of MD5 is not allowed in FIPS 140-only mode
goroutine 1 [running]:
crypto/md5.(*digest).checkSum(0x8cc68500?)
/usr/lib/go/src/crypto/md5/md5.go:162 +0x105
crypto/md5.Sum({0xc00014bca0?, 0x20?, 0xc00014bcb0?})
/usr/lib/go/src/crypto/md5/md5.go:194 +0x98
github.com/blevesearch/vellum/levenshtein.getHash(0xc00014bd78)
/home/mariell/go/pkg/mod/github.com/blevesearch/[email protected]/levenshtein/parametric_dfa.go:348 +0x157
github.com/blevesearch/vellum/levenshtein.(*hash).getOrAllocate(0xc00014bea8, {{0x5f51a0, 0x0, 0x0}})
/home/mariell/go/pkg/mod/github.com/blevesearch/[email protected]/levenshtein/parametric_dfa.go:329 +0x3c
github.com/blevesearch/vellum/levenshtein.fromNfa(0xc00014beee)
/home/mariell/go/pkg/mod/github.com/blevesearch/[email protected]/levenshtein/parametric_dfa.go:250 +0xa9
github.com/blevesearch/vellum/levenshtein.NewLevenshteinAutomatonBuilder(0x0?, 0x0?)
/home/mariell/go/pkg/mod/github.com/blevesearch/[email protected]/levenshtein/levenshtein.go:45 +0x25
main.main()
/home/mariell/work/pocs/poc-vellum-fips-panic/main.go:10 +0x1d
exit status 2
make: *** [Makefile:2: reproduce] Error 1
package main
import (
"fmt"
"github.com/blevesearch/vellum/levenshtein"
)
func main() {
_, err := levenshtein.NewLevenshteinAutomatonBuilder(2, true)
if err != nil {
panic(err)
}
fmt.Println("successfully made automaton builder")
}Complete, minimal reproduction repository: https://codeberg.org/mariell/poc-vellum-fips-panic