Enable GODEBUG=fips140=only with systemcrypto backends #2149

Open: gdams wants to merge 5 commits into microsoft/main from dev/gadams/fipsmodeonly
@gdams (Member) commented Feb 19, 2026

Fixes: #1656

Will need documentation before merging but pushing up the code changes for testing/review

@gdams requested a review from a team as a code owner February 19, 2026 11:07
@gdams marked this pull request as draft February 19, 2026 13:15
@microsoft deleted a comment from github-actions bot Feb 23, 2026
@microsoft deleted a comment from github-actions bot Feb 23, 2026
+ expectedAllocations := 0.0
+ if boring.Enabled {
+ expectedAllocations = 2
+ expectedAllocations = 6
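Review bot: Inside the `if boring.Enabled` branch, `expectedAllocations` is set to 2 and then immediately to 6 as the lines appear here, so only the 6 takes effect; if 2 is the previous value it should not remain as an added line. The new expectation also has no comment saying which calls account for the extra allocations. Please add one next to `expectedAllocations = 6` so that a later change in the allocation count can be told apart from the expected cost of the backend path.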
Review comment from the PR author (Member):

@qmuntal I wanted you to sanity check this increase in allocations please :)

@gdams marked this pull request as ready for review February 23, 2026 16:49

@github-actions commented:

Patch Consistency Review - PR #2149

I've completed a thorough review of the patch file changes in this PR. Here are my findings:

Vendor Patch Consistency (0001-Vendor-external-dependencies.patch)

The vendor patch properly updates all three backend dependencies:

  • go.mod updated with new versions
  • go.sum updated with new checksums
  • modules.txt updated with version references

Version updates:

  • golang-fips/openssl/v2: v2.0.4-0.20260217140351 → v2.0.4-0.20260218141142
  • go-crypto-darwin: v0.0.3-0.20260130143703 → v0.0.3-0.20260223145157
  • go-crypto-winnative: v0.0.0-20260127024749 → v0.0.0-20260218135539

Cross-Backend Consistency

The changes add new FIPS 140-only mode support across backends:

  1. FIPSApproved() method: Added consistently to all three backends (openssl, darwin, winnative) with correct backend-specific logic:
    • OpenSSL includes SHA224, SHA512_224, SHA512_256 (because it supports them)
    • Darwin/CNG exclude SHA224, SHA512_224, SHA512_256 (because they don't support these variants)
  2. NewFIPSCBC methods: Added consistently across all backends that support CBC:
    • NewFIPSCBCEncrypter()
    • NewFIPSCBCDecrypter()
  3. NewFIPSCTR method: Only added to OpenSSL backend (correct, as darwin/winnative don't implement CTR mode)

Backend Implementation Patch (0003-Implement-crypto-internal-backend.patch)

  • Adds SHA512_224/SHA512_256 stubs to darwin backend (correctly marked as "not available")
  • Updates file statistics (432 vs 430 lines) to reflect additions

Usage Patch (0004-Use-crypto-backends.patch)

  • Integrates FIPS 140-only mode enforcement throughout crypto packages
  • Adds proper SHA512_224/256 support with boring crypto fallbacks
  • Moves FIPS enforcement checks to correct locations (before boring checks)

📋 Summary

No consistency issues found. The patches maintain proper cross-backend consistency while respecting backend-specific capabilities. The changes implement FIPS 140-only mode support (GODEBUG=fips140=only) in a well-structured manner across all three system crypto backends.

The PR is ready from a patch consistency perspective. ✅

AI generated by Patch Consistency Review Agent

@microsoft deleted a comment from github-actions bot Feb 23, 2026
@gdams requested review from dagood and qmuntal February 23, 2026 16:56
Development

Successfully merging this pull request may close these issues.

Support GODEBUG=fips140=only