On Thu, Jul 4, 2024, 4:47 AM Michael Oguidan <michaelogui...@gmail.com> wrote:
> Hi Dagood,
> Please can you tell me what FIPS's for? And why we can't use it outside
> Google.
>

You can use GOEXPERIMENT=boringcrypto, as described in the README. However, there is no promise that the Go team will fix any problems you encounter. It is not supported.

Ian

> On Thursday, July 4, 2024 at 1:45:37 AM UTC dagood wrote:
>
>> Hi Devin,
>>
>> The FIPS functionality in Go (which, to be clear, is not supported for
>> use outside of Google) is documented here:
>> go/src/crypto/internal/boring/README.md
>> at release-branch.go1.21 · golang/go (github.com)
>> <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>,
>> and it's used by setting GOEXPERIMENT=boringcrypto.
>>
>> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go,
>> not official Go.
>> https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is
>> actually hosted in the microsoft/go repository, where that fork is
>> maintained. I work on it, and I'm happy to help. (And, if you have any more
>> questions related to this fork in the future, feel free to file a GitHub
>> issue on microsoft/go directly.)
>>
>> The issue doesn't seem related to Grafana, but rather because *wire* was
>> built with the Microsoft fork of Go but without specifying a backend, but
>> with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a
>> backend, but it sees that FIPS is requested, so it fails safe. It isn't
>> clear what the caller's intent is and failing is an opportunity to catch a
>> mistake. You should either:
>>
>> 1. not set GOFIPS=1 until after calling *wire* (if at all!) or
>> 2. build *wire* with GOEXPERIMENT=systemcrypto.
>>
>> I would default to (1). But if you are trying to make a FIPS compliant
>> package build process, (2) would be the step towards that.
>>
>> Whether or not you need GOFIPS=1 at all depends on the purpose of your
>> script/build process.
>>
>> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be the case anymore.
>>
>> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first
>> bullet in the 1.21 changelog
>> <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023>
>> has some details.
>>
>> Hope that helps!
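
Option (1) from the quoted message, sketched as a build-script helper that never exports GOFIPS globally. This is an added example, not code from the thread or from microsoft/go; `run_step`, its `tool`/`fips` modes, `show_gofips` and `./myservice` are hypothetical names.

```shell
#!/bin/sh
# Added example: scope GOFIPS to individual build steps instead of exporting
# it for the whole script, so a build-time tool such as wire never sees it.
#
# run_step MODE CMD...   (MODE names are made up for this sketch)
#   tool - build-time helper: GOFIPS is removed for this one command
#   fips - step that should request FIPS mode: GOFIPS=1 for this command only
# Each command runs in a subshell, so the caller's environment is unchanged.
run_step() {
    mode=$1
    shift
    case $mode in
        tool) ( unset GOFIPS; "$@" ) ;;
        fips) ( GOFIPS=1; export GOFIPS; "$@" ) ;;
        *)    echo "run_step: unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# Constructed stand-in for a real step: reports the GOFIPS value it was given.
show_gofips() {
    echo "${GOFIPS-unset}"
}

# Use in a build script (commented out: needs the toolchain and the tools):
#   run_step tool wire ./...       # code generation, no FIPS request
#   run_step fips ./myservice      # hypothetical binary built with a backend
#
# Option (2) from the message is a different fix: build wire itself with
# GOEXPERIMENT=systemcrypto using the Microsoft fork of Go, after which it
# can run with GOFIPS=1 set.
```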