I am using the Microsoft version of Go, as that is what my work instructed me to use. My only task was to build Grafana using FIPS (or as close to it as I can get). As I mentioned, in Microsoft Go 1.20.5 I was able to build using GOEXPERIMENT=opensslcrypto and GOFIPS=1, but it appears now that with Go 1.21 that is no longer working using the same exact method. I have tried to use GOEXPERIMENT=systemcrypto, but it fails as well.

I guess the ultimate question I have is: do I even need to set GOFIPS=1 during compile to make it FIPS compliant? It appears from Microsoft's FIPS page that it doesn't need to be set? https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md So am I correct to think that as long as I set GOEXPERIMENT=systemcrypto and compile, I am good on the build side of it? I have also applied a few changes that remove the not-so-good ciphers from the SSL configuration, taken from the Fedora Project page. What's interesting is that if I just try to run /usr/local/go/bin/go version, that fails if I have GOFIPS=1 and GOEXPERIMENT=systemcrypto set, so I can't even simply have it print the version number, which is strange. So I'm not sure whether I broke something when I manually compiled Microsoft Go. I am really just trying to understand how critical it is to set GOFIPS=1 during the build process. Is it a required option in order to build the Go package?

On Wednesday, July 3, 2024 at 6:45:37 PM UTC-7 dagood wrote:

> Hi Devin,
>
> The FIPS functionality in Go (which, to be clear, is not supported for use outside of Google) is documented here: go/src/crypto/internal/boring/README.md at release-branch.go1.21 · golang/go (github.com) <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>, and it's used by setting GOEXPERIMENT=boringcrypto.
>
> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go, not official Go. https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is actually hosted in the microsoft/go repository, where that fork is maintained. I work on it, and I'm happy to help. (And, if you have any more questions related to this fork in the future, feel free to file a GitHub issue on microsoft/go directly.)
>
> The issue doesn't seem related to Grafana, but rather because *wire* was built with the Microsoft fork of Go but without specifying a backend, but with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a backend, but it sees that FIPS is requested, so it fails safe. It isn't clear what the caller's intent is, and failing is an opportunity to catch a mistake. You should either:
>
> 1. not set GOFIPS=1 until after calling *wire* (if at all!) or
> 2. build *wire* with GOEXPERIMENT=systemcrypto.
>
> I would default to (1). But if you are trying to make a FIPS compliant package build process, (2) would be the step towards that.
>
> Whether or not you need GOFIPS=1 at all depends on the purpose of your script/build process.
>
> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be the case anymore.
>
> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first bullet in the 1.21 changelog <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023> has some details.
>
> Hope that helps!