gopherbot
commented
6 days ago Change https://go.dev/cl/626877 mentions this issue: crypto/internal/fips/hkdf: correctly set the service indicator for short salts
Open FiloSottile opened 1 month ago
gopherbot
commented
6 days ago Change https://go.dev/cl/626877 mentions this issue: crypto/internal/fips/hkdf: correctly set the service indicator for short salts
gopherbot
commented
6 days ago Change https://go.dev/cl/626879 mentions this issue: crypto/internal/mlkem768: move to crypto/internal/fips/mlkem
gopherbot
commented
6 days ago Change https://go.dev/cl/626936 mentions this issue: crypto/internal/fips/mlkem: implement Pairwise Consistency Check
gopherbot
commented
2 days ago Change https://go.dev/cl/627956 mentions this issue: crypto/internal/fips: wrap and lock internal dependencies
gopherbot
commented
2 days ago Change https://go.dev/cl/627955 mentions this issue: crypto/internal/fips: move most tests to crypto/internal/fipstest
gopherbot
commented
2 days ago Change https://go.dev/cl/627957 mentions this issue: crypto/internal/nistec: move to crypto/internal/fips/nistec
gopherbot
commented
1 day ago Change https://go.dev/cl/628315 mentions this issue: crypto/ecdh: move implementation to crypto/internal/fips/ecdh
gopherbot
commented
9 hours ago Change https://go.dev/cl/628679 mentions this issue: crypto/ecdsa: move s390x assembly to crypto/internal/fips/ecdsa
gopherbot
commented
9 hours ago Change https://go.dev/cl/628676 mentions this issue: crypto/internal/bigmod: move to crypto/internal/fips/bigmod
gopherbot
commented
9 hours ago Change https://go.dev/cl/628677 mentions this issue: crypto/ecdsa: move implementation to crypto/internal/fips/ecdsa
gopherbot
commented
9 hours ago Change https://go.dev/cl/628678 mentions this issue: crypto/internal/fips/ecdsa: add CAST, PCT, DRBG, and FIPS 186-5 references
gopherbot
commented
9 hours ago Change https://go.dev/cl/628680 mentions this issue: crypto/internal/fips/ecdsa: add HMAC_DRBG
Background
FIPS 140 is a set of U.S. Government requirements for cryptographic modules. A number of companies must comply with them, for example as part of a broader FedRAMP compliance posture. (If that's not you, you can ignore this. Run!)
Current solutions for Go program compliance are based on cgo, and replace some of the crypto packages internals with FIPS 140 validated non-memory safe modules. These solutions come with varying levels of support (for example the Go+BoringCrypto solution is not officially supported and its compliance profile is left to the user to assess), introduce memory unsafe code, sometimes delay Go version updates, can have performance issues, affect the developer experience (for example inhibiting cross-compilation), and their compliance profile is debatable. As Go is adopted more and more in regulated settings, this is going to affect Go's adoption and developer experience.
The Go FIPS module
We plan to pursue a FIPS 140-3 validation for the NIST approved components of the Go standard library. The resulting module will be distributed as part of the standard library under the same license as the rest of the Go project, and will be transparently used by the relevant standard library packages with no API changes (wherever possible).
Users will be able to select the module to use at build time, for example choosing between a certified version, a version in the In Process list, or the latest unvalidated update. Moreover, we'll provide some mechanism for applications to disable the use of non-approved algorithms and modes at runtime.
Further planning details
The goal is shipping the module as part of Go 1.24, assuming our validation strategy is successful. This is the first time as far as we know that a Go library (or any non-Java memory safe library) is validated.
Unless completely unavoidable, we'll not compromise on security to achieve compliance. For example, we will inject random bytes from the kernel as additional input per SP 800-90Ar1, Section 8.7.2, every time we use the mandatory DRBG, and we'll use a dedicated DRBG for ECDSA to implement a "hedged" nonce generation equivalent to what crypto/ecdsa does now (safer than both NIST options of fully random and deterministic). Also, we'll try to add minimal complexity to regular non-FIPS builds.
NIST approved packages will be prioritized in being moved to the standard library (#65269) to get validated along the rest.
We'll test at least on Linux on amd64 and arm64. Further details will be available later in the process. (If you have specific requirements, please inquire about becoming a sponsor, see below.)
We aim to deprecate and hopefully remove Go+BoringCrypto once the module lands.
After the initial validation, we plan to revalidate at least every year, and every time a CVE affects the module with no standard library-side mitigation.
All work will be done on Gerrit, tracked in the issue tracker, and the testing harnesses will be committed in the tree.
This is an umbrella issue to track related issues and CLs, and to provide updates to the community. We'll file separate proposals for the exact build-time settings, for the FIPS-only policy mechanism, for any new APIs, and for any behavior changes.
We have started working with a CMVP testing laboratory, and contracted @cpu to help. This is an industry-sponsored effort that I (@FiloSottile) am leading as an independent maintainer, not a Google or Go team project (although it is coordinated with the Go team and @golang/security). We're funded by a few major stakeholders, and we're available to accept sponsorships and offer commercial support (reach out to filippo@golang.org if interested).