GOFIPS doesn't appear anywhere in the official Google Go source, AFAICT. And the document at https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md is reasonably clear that simply setting GOEXPERIMENT=boringcrypto is all that is needed using the official Go implementation. I can't speak to the Microsoft fork of Go. While asking here about the Microsoft fork is a reasonable thing to do you may want to look for any discussion forums dedicated to the Microsoft fork.
On Fri, Jul 5, 2024 at 6:41 PM Damien A <linuxguru...@gmail.com> wrote:

> I am using the Microsoft version of Go lang as that is what my work instructed me to use. My only task was to build Grafana using FIPS (or as close to it as I can get). As I mentioned, in Microsoft Go 1.20.5 I was able to build using GOEXPERIMENT=opensslcrypto and GOFIPS=1, but it appears now that with 1.21 Go that is no longer working using the same exact method. I have tried to use GOEXPERIMENT=systemcrypto, but it fails as well.
>
> I guess the ultimate question I have is: do I even need to set GOFIPS=1 during compile to even make it FIPS compliant? It appears from Microsoft's FIPS page that it doesn't need to be set?
> https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md
> So am I correct to think as long as I set GOEXPERIMENT=systemcrypto and compile that I am good on the build side of it? I also have applied a few changes that remove the not so good ciphers from the SSL that were taken from the Fedora Project page.
>
> What's interesting is if I just try to run /usr/local/go/bin/go version, that fails if I have GOFIPS=1 and GOEXPERIMENT=systemcrypto, so I can't even just simply have it print the version number, which is strange. So not sure if when I manually compiled the Microsoft Go I broke something or not? I am really just trying to understand how critical is it to set GOFIPS=1 during the build process? Is it a required option in order to build the go package?
>
> On Wednesday, July 3, 2024 at 6:45:37 PM UTC-7 dagood wrote:
>
>> Hi Devin,
>>
>> The FIPS functionality in Go (which, to be clear, is not supported for use outside of Google) is documented here: go/src/crypto/internal/boring/README.md at release-branch.go1.21 · golang/go (github.com) <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>, and it's used by setting GOEXPERIMENT=boringcrypto.
>>
>> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go, not official Go. https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is actually hosted in the microsoft/go repository, where that fork is maintained. I work on it, and I'm happy to help. (And, if you have any more questions related to this fork in the future, feel free to file a GitHub issue on microsoft/go directly.)
>>
>> The issue doesn't seem related to Grafana, but rather because *wire* was built with the Microsoft fork of Go but without specifying a backend, but with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a backend, but it sees that FIPS is requested, so it fails safe. It isn't clear what the caller's intent is and failing is an opportunity to catch a mistake. You should either:
>>
>> 1. not set GOFIPS=1 until after calling *wire* (if at all!) or
>> 2. build *wire* with GOEXPERIMENT=systemcrypto.
>>
>> I would default to (1). But if you are trying to make a FIPS compliant package build process, (2) would be the step towards that.
>>
>> Whether or not you need GOFIPS=1 at all depends on the purpose of your script/build process.
>>
>> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be the case anymore.
>>
>> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first bullet in the 1.21 changelog <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023> has some details.
>>

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank

-- 
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CABx2%3DD95hRwMkyMMLamAfb9Wzh5YG_-FzuNQ%2B%2BL6_zeavw3ahQ%40mail.gmail.com.