Hi Michael,

Ian's clarification of "support" matches what I meant. In fact, the FIPS 
features in microsoft/go rely on many of the boringcrypto code changes. 
We've found it to be a good foundation for our implementation despite not 
being supported.

For background information about FIPS, look for info about FIPS 140 
<https://en.wikipedia.org/wiki/FIPS_140> compliance. It's a US government 
security and cryptography standard, not specific to a particular 
programming language. The goal of these FIPS-related features is to allow 
devs to build Go apps that are FIPS compliant, but it's important to note 
that even with these features, it's not straightforward. (See the 
disclaimers in the boringcrypto and microsoft/go readmes.)

On Thursday, July 4, 2024 at 2:47:05 AM UTC-7 Michael Oguidan wrote:

> Hi Dagood,
> Please can you tell me what FIPS is for? And why we can't use it outside 
> Google.
>
> On Thursday, July 4, 2024 at 1:45:37 AM UTC dagood wrote:
>
>> Hi Devin,
>>
>> The FIPS functionality in Go (which, to be clear, is not supported for 
>> use outside of Google) is documented here: 
>> go/src/crypto/internal/boring/README.md at release-branch.go1.21 · golang/go (github.com) 
>> <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>, 
>> and it's used by setting GOEXPERIMENT=boringcrypto.
>>
>> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go, 
>> not official Go. 
>> https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md 
>> is actually hosted in the microsoft/go repository, where that fork is 
>> maintained. I work on it, and I'm happy to help. (And, if you have any more 
>> questions related to this fork in the future, feel free to file a GitHub 
>> issue on microsoft/go directly.)
>>
>> The issue doesn't seem related to Grafana, but rather because *wire* was 
>> built with the Microsoft fork of Go but without specifying a backend, but 
>> with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a 
>> backend, but it sees that FIPS is requested, so it fails safe. It isn't 
>> clear what the caller's intent is and failing is an opportunity to catch a 
>> mistake. You should either:
>>
>>    1. not set GOFIPS=1 until after calling *wire* (if at all!) or
>>    2. build *wire* with GOEXPERIMENT=systemcrypto.
>>
>> I would default to (1). But if you are trying to make a FIPS compliant 
>> package build process, (2) would be the step towards that.
>>
>> Whether or not you need GOFIPS=1 at all depends on the purpose of your 
>> script/build process.
>>
>> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be 
>> the case anymore.
>>
>> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first 
>> bullet in the 1.21 changelog 
>> <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023> 
>> has some details.
>>
>> Hope that helps!
>>
>
