golang-fips / go

Repository for FIPS enabled Go using OpenSSL
BSD 3-Clause "New" or "Revised" License

Go FIPS with OpenSSL

Repository for FIPS enabled Go using OpenSSL.

Motivation

The cryptographic routines in the Go standard library cannot be FIPS certified on their own; Go must instead rely on an external cryptographic implementation that can be FIPS certified. This repository, and the upstream sources it is based on, contain the modifications needed for the Go crypto library to use such an external library in a FIPS-compliant way.

Background

This repository contains a fork of the Go toolchain dev.boringcrypto branch.

The dev.boringcrypto branch is itself a fork maintained separately from the main Go repository branches. This upstream branch modifies the crypto/* packages to use BoringCrypto for cryptographic operations, shipping it as a pre-compiled object that the Go toolchain links against statically.

OpenSSL support

The modifications contained in this repository add support for using OpenSSL as the crypto backend when the host system is in FIPS mode.
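The README ties backend selection to the host being in FIPS mode, so the first thing a practitioner usually wants is a reliable way to read that state. The following is an added example, not code from the golang-fips project: on Linux the kernel exposes its FIPS state in /proc/sys/crypto/fips_enabled (a real kernel interface, reading "1" when booted with fips=1); the function names, the fail-closed parsing rule and the wording of the messages are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// fipsEnabledPath is the Linux kernel's FIPS flag. It reads "1" when the kernel
// was booted in FIPS mode, which is the state this README calls "host system in
// FIPS mode".
const fipsEnabledPath = "/proc/sys/crypto/fips_enabled"

// parseFIPSFlag interprets the contents of fips_enabled. Only a lone "1" counts
// as enabled, so an empty, malformed or "0" file fails closed (not in FIPS mode).
func parseFIPSFlag(contents string) bool {
	return strings.TrimSpace(contents) == "1"
}

// hostFIPSMode reports whether the host kernel is in FIPS mode by reading the
// given flag file. When the file cannot be read (non-Linux host, old kernel, or
// a constructed path in tests) it returns false together with the error, so the
// caller can tell "not in FIPS mode" apart from "could not determine".
func hostFIPSMode(path string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, fmt.Errorf("reading %s: %w", path, err)
	}
	return parseFIPSFlag(string(data)), nil
}

func main() {
	enabled, err := hostFIPSMode(fipsEnabledPath)
	switch {
	case errors.Is(err, os.ErrNotExist):
		fmt.Println("host FIPS flag not present; this host is not in FIPS mode")
	case err != nil:
		fmt.Println("could not determine host FIPS mode:", err)
	case enabled:
		fmt.Println("host is in FIPS mode; a FIPS-enabled Go build uses the OpenSSL backend")
	default:
		fmt.Println("host is not in FIPS mode")
	}
}
```

The distinction between a false flag and an unreadable flag matters in practice: a deployment check that silently treats "file missing" as "not FIPS" will pass on a build host that simply is not Linux, which is rarely what a compliance gate intends.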

Main differences from the upstream BoringCrypto fork are:

Branches

The main branch contains only a license file and this README. The FIPS patches are stored on versioned branches which follow the naming convention: go1.x-openssl-fips.

New branch setup

The script scripts/setup-initial-patch.sh applies the initial patch and then generates a new one that finalizes the OpenSSL FIPS backend support. To set up a new branch, run the script and pass the name of the upstream Go branch you want checked out in the git submodule, like so:

$ ./scripts/setup-initial-patch.sh dev.boringcrypto.go1.x