Source URL: https://devblogs.microsoft.com/go/go-1-24-fips-update/
Source: Hacker News
Title: Microsoft Go 1.24 FIPS changes
Feedly Summary: Comments
AI Summary and Description: Yes
Summary: The text discusses the advancements in Go 1.24’s cryptography packages towards achieving FIPS 140-3 compliance, emphasizing significant changes that enhance security for developers using Go. Key improvements include native support for FIPS-compliant libraries, streamlined configuration, and updates to support macOS and Azure Linux.
Detailed Description: The detailed information provided highlights the updates made to the Go 1.24 cryptography packages focusing on achieving FIPS 140-3 compliance, which is crucial for organizations needing to meet regulatory security standards.
– **Key Updates in Go 1.24:**
– The Go standard library’s cryptography modules have been extensively refactored to ensure compliance with the FIPS 140-3 standard.
– This change is significant as it allows the Go standard library to utilize a certified cryptographic module entirely written in Go and Go assembly without relying on third-party libraries.
– In Go 1.23, developers had to utilize an experimental approach to build FIPS-compliant applications using the BoringCrypto library, which was not widely supported beyond Google.
– **Microsoft’s Approach:**
– Microsoft has maintained its strategy in Go 1.24 by continuing to rely on system libraries for cryptographic operations, such as OpenSSL on Linux and CNG on Windows.
– An evaluation was conducted to consider switching to the new Go FIPS module, but it ultimately did not align with Microsoft’s internal policies.
– **New Features and Configuration:**
– The Microsoft Go toolchain has incorporated new FIPS-related settings that supersede older settings while maintaining backward compatibility.
– Key environment variables settings introduced:
– `GODEBUG=fips140=on`: Enables the FIPS 140-3 compliant cryptographic module.
– `GODEBUG=fips140=only`: Panics if a non-compliant algorithm is used.
– `GOFIPS140=latest`: Automatically applies FIPS settings during build.
– **Platform Support Enhancements:**
– **macOS Support:** Preview support for macOS is now included, allowing integration with FIPS-certified Common Crypto and CryptoKit libraries for compliant cryptographic operations.
– **Azure Linux Improvements:** Azure Linux, which is already FIPS compliant, has seen enhancements to better support third-party OpenSSL providers like SCOSSL, leveraging the FIPS 140-3 compliant SymCrypt provider.
Overall, these changes represent a strategic move towards enhancing security compliance for Go developers, giving them tools and frameworks that align with stringent regulatory requirements while also expanding the library’s flexibility and usability across different platforms. This is especially relevant for security and compliance professionals advocating for secure software development practices.