Yes, these questions are specific to the Microsoft fork of Go (and to varying degrees, could apply to other FIPS-focused forks of Go). To repeat from earlier, in case it helps anyone seeing this thread later:

> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go, not official Go. https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is actually hosted in the microsoft/go repository, where that fork is maintained. I work on it, and I'm happy to help. (And, if you have any more questions related to this fork in the future, feel free to file a GitHub issue on microsoft/go directly.)

It looks like this has been opened in an issue now: microsoft/go#1267 <https://github.com/microsoft/go/issues/1267>, and I'll reply there soon.

On Friday, July 5, 2024 at 8:11:39 PM UTC-7 Kurtis Rader wrote:

> GOFIPS doesn't appear anywhere in the official Google Go source, AFAICT. And the document at
> https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md
> is reasonably clear that simply setting GOEXPERIMENT=boringcrypto is all that is needed using the official Go implementation. I can't speak to the Microsoft fork of Go. While asking here about the Microsoft fork is a reasonable thing to do, you may want to look for any discussion forums dedicated to the Microsoft fork.
>
> On Fri, Jul 5, 2024 at 6:41 PM Damien A <linuxg...@gmail.com> wrote:
>
>> I am using the Microsoft version of Go lang as that is what my work instructed me to use. My only task was to build Grafana using FIPS (or as close to it as I can get). As I mentioned, in Microsoft Go 1.20.5 I was able to build using GOEXPERIMENT=opensslcrypto and GOFIPS=1, but it appears now that with 1.21 Go that is no longer working using the same exact method. I have tried to use GOEXPERIMENT=systemcrypto, but it fails as well.
>>
>> I guess the ultimate question I have is: do I even need to set GOFIPS=1 during compile to even make it FIPS compliant? It appears from Microsoft's FIPS page that it doesn't need to be set?
>> https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md
>> So am I correct to think that as long as I set GOEXPERIMENT=systemcrypto and compile, I am good on the build side of it? I also have applied a few changes that remove the not-so-good ciphers from the SSL config, taken from the Fedora Project page.
>>
>> What's interesting is if I just try to run /usr/local/go/bin/go version, that fails if I have GOFIPS=1 and GOEXPERIMENT=systemcrypto, so I can't even just simply have it print the version number, which is strange. So I'm not sure if, when I manually compiled the Microsoft Go, I broke something or not. I am really just trying to understand how critical it is to set GOFIPS=1 during the build process. Is it a required option in order to build the Go package?
>>
>> On Wednesday, July 3, 2024 at 6:45:37 PM UTC-7 dagood wrote:
>>
>>> Hi Devin,
>>>
>>> The FIPS functionality in Go (which, to be clear, is not supported for use outside of Google) is documented here: go/src/crypto/internal/boring/README.md at release-branch.go1.21 · golang/go (github.com) <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>, and it's used by setting GOEXPERIMENT=boringcrypto.
>>>
>>> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go, not official Go. https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is actually hosted in the microsoft/go repository, where that fork is maintained. I work on it, and I'm happy to help. (And, if you have any more questions related to this fork in the future, feel free to file a GitHub issue on microsoft/go directly.)
>>>
>>> The issue doesn't seem related to Grafana, but rather because *wire* was built with the Microsoft fork of Go but without specifying a backend, but with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a backend, but it sees that FIPS is requested, so it fails safe. It isn't clear what the caller's intent is, and failing is an opportunity to catch a mistake. You should either:
>>>
>>> 1. not set GOFIPS=1 until after calling *wire* (if at all!) or
>>> 2. build *wire* with GOEXPERIMENT=systemcrypto.
>>>
>>> I would default to (1). But if you are trying to make a FIPS compliant package build process, (2) would be the step towards that.
>>>
>>> Whether or not you need GOFIPS=1 at all depends on the purpose of your script/build process.
>>>
>>> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be the case anymore.
>>>
>>> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first bullet in the 1.21 changelog <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023> has some details.
>>>
>
> --
> Kurtis Rader
> Caretaker of the exceptional canines Junior and Hank
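As an added illustration of the two options dagood lists (not code from this thread or from microsoft/go), a build-script preflight that classifies the GOEXPERIMENT/GOFIPS combination the way the 1.21 failsafe behaves, and runs wire with GOFIPS unset under option (1). It assumes the backend names are the GOEXPERIMENT values named in the thread and that wire is invoked via `go run github.com/google/wire/cmd/wire`.

```shell
#!/bin/sh
# Added example, not code from the thread or from microsoft/go: a preflight
# for a build script that uses the Microsoft fork of Go. It classifies the
# environment the way the failsafe described above behaves: a tool such as
# wire, built without a crypto backend but run with GOFIPS=1, fails safe.
# Assumed: backend names are the GOEXPERIMENT values named in the thread,
# and wire is run via "go run github.com/google/wire/cmd/wire".

# Returns 0 if the comma-separated GOEXPERIMENT list ($1) selects a
# FIPS-capable crypto backend, 1 otherwise.
has_crypto_backend() {
  case ",$1," in
    *,systemcrypto,*|*,opensslcrypto,*|*,boringcrypto,*) return 0 ;;
    *) return 1 ;;
  esac
}

# fips_build_plan GOEXPERIMENT GOFIPS -> prints one word:
#   backend    a backend is selected: option (2); wire and the final binary
#              both get FIPS-capable crypto, so GOFIPS=1 may stay set
#   no-fips    no backend and GOFIPS is not 1: option (1); run code
#              generation here and set GOFIPS=1 only for the final binary
#   fail-safe  no backend but GOFIPS=1: the combination that broke the build
fips_build_plan() {
  if has_crypto_backend "$1"; then
    echo backend
  elif [ "$2" = "1" ]; then
    echo fail-safe
  else
    echo no-fips
  fi
}

# Option (1): run wire with GOFIPS unset in a subshell, so the generator
# never sees the FIPS request; the parent shell's GOFIPS is untouched.
run_wire_nonfips() {
  (unset GOFIPS; go run github.com/google/wire/cmd/wire "$@")
}

# Build driver: refuses to start when the environment would only fail safe.
main() {
  case $(fips_build_plan "${GOEXPERIMENT:-}" "${GOFIPS:-}") in
    fail-safe) echo "GOFIPS=1 set without a crypto backend: use (1) or (2)" >&2
               return 1 ;;
    no-fips)   run_wire_nonfips ./... && GOEXPERIMENT=systemcrypto go build ./... ;;
    backend)   go run github.com/google/wire/cmd/wire ./... && go build ./... ;;
  esac
}
if [ "${RUN_FIPS_PREFLIGHT:-0}" = 1 ]; then main "$@"; fi  # opt in to run the driver
```

Source the file to use the functions from an existing build script, or run it with RUN_FIPS_PREFLIGHT=1 to let the driver pick the path.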