Open FiloSottile opened 1 month ago
gabyhelp
commented
1 month ago Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)
DejeroDaniel
commented
1 month ago I was just about to ask a question regarding Ed25519 usage in the other ticket when this was posted. Exciting news! Is Ed25519 support planned to be certified in this new native implementation?
FiloSottile
commented
1 month ago Is Ed25519 support planned to be certified in this new native implementation?
Yes, we'll post a full list of algorithms once we are close to finalizing it, but it approximates to "everything that's NIST approved and not frozen, deprecated, or legacy-use".
mateusz834
commented
1 month ago Users will be able to select the module to use at build time, for example choosing between a certified version, a version in the In Process list, or the latest unvalidated update.
How this is going to be achieved? Build tags? The default is going to be non-FIPS validated?
FiloSottile
commented
1 month ago How this is going to be achieved? Build tags?
Probably something more explicit, such as a go build flag. I suspect build tags won't be flexible enough, but I might be wrong! We'll bring up a dedicated proposal to discuss that.
The default is going to be non-FIPS validated?
Yes.
gopherbot
commented
1 month ago Change https://go.dev/cl/614495 mentions this issue: crypto/sha256,crypto/sha512: make assembly structure consistent
gopherbot
commented
1 month ago Change https://go.dev/cl/614656 mentions this issue: crypto/sha256,crypto/sha512: test fallback implementations
gopherbot
commented
1 month ago Change https://go.dev/cl/615235 mentions this issue: crypto/sha256,crypto/sha512: move implementation to crypto/internal/fips
gopherbot
commented
1 month ago Change https://go.dev/cl/615816 mentions this issue: crypto/internal: add FIPS module test wrapper
manistal
commented
1 month ago Out of curiosity, how will Go natively handle the key zeroization requirements of FIPS?
gopherbot
commented
1 month ago Change https://go.dev/cl/616636 mentions this issue: crypto/hmac: move implementation to crypto/internal/fips
gopherbot
commented
1 month ago Change https://go.dev/cl/616717 mentions this issue: crypto/internal/fips/sha3: import x/crypto/sha3
gopherbot
commented
1 month ago Change https://go.dev/cl/616716 mentions this issue: crypto/internal/fips/subtle: provide XORBytes
gopherbot
commented
1 month ago Change https://go.dev/cl/616715 mentions this issue: internal/cpu: add ARM64.HasSHA3
gopherbot
commented
1 month ago Change https://go.dev/cl/617357 mentions this issue: crypto/internal/fips/sha3: restructure as an internal package
gopherbot
commented
1 month ago Change https://go.dev/cl/617359 mentions this issue: crypto/internal/fips/sha3: reduce s390x divergence
gopherbot
commented
1 month ago Change https://go.dev/cl/617535 mentions this issue: crypto/internal/fips/sha3: test alternative s390x implementation
gopherbot
commented
1 month ago Change https://go.dev/cl/619477 mentions this issue: crypto/internal/fips: import x/crypto/pbkdf2
gopherbot
commented
1 month ago Change https://go.dev/cl/619236 mentions this issue: crypto/internal/fips/pbkdf2: stub service indicator
gopherbot
commented
1 month ago Change https://go.dev/cl/620795 mentions this issue: crypto/internal/fips: add service indicator mechanism
gopherbot
commented
4 weeks ago Change https://go.dev/cl/621075 mentions this issue: crypto/internal/fips: add self-test mechanism
gopherbot
commented
3 weeks ago Change https://go.dev/cl/621275 mentions this issue: crypto/internal/fips/hkdf: new package
gopherbot
commented
3 weeks ago Change https://go.dev/cl/622275 mentions this issue: crypto/internal/alias: move to crypto/internal/fips/alias
gopherbot
commented
3 weeks ago Change https://go.dev/cl/622276 mentions this issue: crypto/subtle: document and test XORBytes overlap rules
gopherbot
commented
2 weeks ago Change https://go.dev/cl/623195 mentions this issue: crypto/internal/fips/pbkdf2: add CAST testing
gopherbot
commented
2 weeks ago Change https://go.dev/cl/624395 mentions this issue: crypto/aes: move to crypto/internal/fips/aes
aclements
commented
2 weeks ago @FiloSottile can you post a list of the proposals that this depends on? Also, my sense is that some of the proposals are required, while others are more "nice to have". If that's right, please indicate that in the list. Thanks!
FiloSottile
commented
2 weeks ago @aclements the following proposals are necessary to expose the functionality of the module to applications. They are not strictly speaking necessary to validate the module, but a validated module with algorithms that can't be used by applications is not very useful :)
The following is nice-to-have but still relevant, since we are not validating these modes.
There there's a few other crypto proposals in flight, of which the ones to wire ML-KEM into crypto/tls are somewhat related and would be important to land in Go 1.24.
Finally there are a couple hash proposals that are related to https://github.com/golang/go/issues/69982 above, but that are not really blocking anything.
gopherbot
commented
1 week ago Change https://go.dev/cl/624736 mentions this issue: crypto/internal/fips/gcm: move GCM from .../aes and crypto/cipher
gopherbot
commented
1 week ago Change https://go.dev/cl/624975 mentions this issue: crypto/rand: replace crypto/aes with internal/chacha8rand for plan9
gopherbot
commented
1 week ago Change https://go.dev/cl/624977 mentions this issue: crypto/internal/fips/drbg: implement CTR_DRBG
gopherbot
commented
1 week ago Change https://go.dev/cl/624978 mentions this issue: crypto/internal/fips/drbg: implement FIPS-mode randomness generation
gopherbot
commented
1 week ago Change https://go.dev/cl/624976 mentions this issue: crypto/rand: move OS interaction to crypto/internal/sysrand
gopherbot
commented
1 week ago Change https://go.dev/cl/625435 mentions this issue: crypto/internal/fips/drbg: add CAST and service indicator
gopherbot
commented
1 week ago Change https://go.dev/cl/625815 mentions this issue: crypto/internal/fips: avoid some non-relocatable global initializers
gopherbot
commented
1 week ago Change https://go.dev/cl/626000 mentions this issue: all: enable FIPS verification code
gopherbot
commented
1 week ago Change https://go.dev/cl/625997 mentions this issue: cmd/compile, cmd/link: add FIPS verification support
gopherbot
commented
1 week ago Change https://go.dev/cl/625995 mentions this issue: cmd/internal/objabi, cmd/link: add FIPS symbol kinds
gopherbot
commented
1 week ago Change https://go.dev/cl/625998 mentions this issue: crypto/internal/fips/check: add new package
gopherbot
commented
1 week ago Change https://go.dev/cl/625999 mentions this issue: cmd/dist: add more pie tests, fips tests
gopherbot
commented
1 week ago Change https://go.dev/cl/626175 mentions this issue: crypto/rsa: port PrivateKey.Validate to bigmod, add validations
erahn
commented
1 week ago Apologies if this isn't the right place to ask - but do you know the full set of algorithms you plan to certify? One annoying thing that I've hit with certifying openssl / openssh is that the SSH KDF (along with IKE for IPsec, the CAK -> SAK stuff for MACsec) is part of FIPS 140 but was not part of the FIPS 140 module for openssl. This means that to certify a system using ssh I've had to add the SSH KDF into the openssl FIPS module.
I'm interested in understanding if you plan to add in algorithms like SSH KDF so that one could have, say, a pure Go implementation of SSH that would be covered under FIPS 140?
FiloSottile
commented
1 week ago I'm interested in understanding if you plan to add in algorithms like SSH KDF so that one could have, say, a pure Go implementation of SSH that would be covered under FIPS 140?
Yes, we plan to include the SSH KDF in the validation, and to update x/crypto/ssh to use the module. (Once the validation is finalized, we'll also share a complete table of the validated algorithms.)
gopherbot
commented
1 week ago Change https://go.dev/cl/626437 mentions this issue: crypto/internal/fips/aes: add CAST
gopherbot
commented
1 week ago Change https://go.dev/cl/626675 mentions this issue: crypto/internal/fips/aes/gcm: add GCMForTLS12 and GCMForTLS13
gopherbot
commented
1 week ago Change https://go.dev/cl/624916 mentions this issue: crypto/internal/fips/aes/gcm: add SealWithRandomNonce
gopherbot
commented
1 week ago Change https://go.dev/cl/626835 mentions this issue: crypto/internal/fips/aes: add service indicators
gopherbot
commented
1 week ago Change https://go.dev/cl/626837 mentions this issue: crypto/internal/fips/tls12: implement TLS 1.2 KDF
gopherbot
commented
1 week ago Change https://go.dev/cl/626836 mentions this issue: crypto/internal/fips/tls13: implement TLS 1.3 KDF
gopherbot
commented
1 week ago Change https://go.dev/cl/626875 mentions this issue: crypto/internal/fips/ssh: implement SSH KDF
Background
FIPS 140 is a set of U.S. Government requirements for cryptographic modules. A number of companies must comply with them, for example as part of a broader FedRAMP compliance posture. (If that's not you, you can ignore this. Run!)
Current solutions for Go program compliance are based on cgo, and replace some of the crypto packages internals with FIPS 140 validated non-memory safe modules. These solutions come with varying levels of support (for example the Go+BoringCrypto solution is not officially supported and its compliance profile is left to the user to assess), introduce memory unsafe code, sometimes delay Go version updates, can have performance issues, affect the developer experience (for example inhibiting cross-compilation), and their compliance profile is debatable. As Go is adopted more and more in regulated settings, this is going to affect Go's adoption and developer experience.
The Go FIPS module
We plan to pursue a FIPS 140-3 validation for the NIST approved components of the Go standard library. The resulting module will be distributed as part of the standard library under the same license as the rest of the Go project, and will be transparently used by the relevant standard library packages with no API changes (wherever possible).
Users will be able to select the module to use at build time, for example choosing between a certified version, a version in the In Process list, or the latest unvalidated update. Moreover, we'll provide some mechanism for applications to disable the use of non-approved algorithms and modes at runtime.
Further planning details
The goal is shipping the module as part of Go 1.24, assuming our validation strategy is successful. This is the first time as far as we know that a Go library (or any non-Java memory safe library) is validated.
Unless completely unavoidable, we'll not compromise on security to achieve compliance. For example, we will inject random bytes from the kernel as additional input per SP 800-90Ar1, Section 8.7.2, every time we use the mandatory DRBG, and we'll use a dedicated DRBG for ECDSA to implement a "hedged" nonce generation equivalent to what crypto/ecdsa does now (safer than both NIST options of fully random and deterministic). Also, we'll try to add minimal complexity to regular non-FIPS builds.
NIST approved packages will be prioritized in being moved to the standard library (#65269) to get validated along the rest.
We'll test at least on Linux on amd64 and arm64. Further details will be available later in the process. (If you have specific requirements, please inquire about becoming a sponsor, see below.)
We aim to deprecate and hopefully remove Go+BoringCrypto once the module lands.
After the initial validation, we plan to revalidate at least every year, and every time a CVE affects the module with no standard library-side mitigation.
All work will be done on Gerrit, tracked in the issue tracker, and the testing harnesses will be committed in the tree.
This is an umbrella issue to track related issues and CLs, and to provide updates to the community. We'll file separate proposals for the exact build-time settings, for the FIPS-only policy mechanism, for any new APIs, and for any behavior changes.
We have started working with a CMVP testing laboratory, and contracted @cpu to help. This is an industry-sponsored effort that I (@FiloSottile) am leading as an independent maintainer, not a Google or Go team project (although it is coordinated with the Go team and @golang/security). We're funded by a few major stakeholders, and we're available to accept sponsorships and offer commercial support (reach out to filippo@golang.org if interested).