Prefer GODEBUG=fips140 over GOFIPS #1503
Conversation
qmuntal
requested review from
a team and
microsoft-golang-review-bot
as code owners
(I assume "Removing it will make life more difficult" should be "Removing it would have made life more difficult" or similar, because this PR adds it back in?) Why are we supporting this situation? My reading of the ADR is that we will intentionally make this situation harder--there is no provision for this halfway point. In the PR thread, my sense was that it only makes sense in a testing scenario, and we should instead document how the user can properly enable OpenSSL FIPS "locally-ish" on the test machine. |
| + | ||
| +// Enabled reports whether FIPS 140 mode is enabled by using GOFIPS=1, GOLANG_FIPS=1, | ||
| +var fips140GODEBUG = godebug.New("#fips140") |
There was a problem hiding this comment.
@qmuntal I am reading this code and I am not sure if this is a typo, or if it correct. Everywhere else I see calls to godebug.New("fips140") what is the meaning of a leading #? I also don't see anywhere for GODEBUG=#fips140=on to be set.
There was a problem hiding this comment.
# is consumed by New: https://pkg.go.dev/internal/godebug#New.
GODEBUGs meant for use by end users must be listed in ../godebugs/table.go, which is used for generating and checking various documentation. If the name is not listed in that table, New will succeed but calling Value on the returned Setting will panic. To disable that panic for access to an undocumented setting, prefix the name with a #, as in godebug.New("#gofsystrace"). The # is a signal to New but not part of the key used in $GODEBUG.
There was a problem hiding this comment.
Related: upstream changed theirs from #fips140 to fips140 post-1.24, in golang/go@10cef81. (I don't think still having # should hurt, though.)
This PR makes our backends to fail if
GODEBUG=fips140=1is set but FIPS mode is not enabled, as agreed in https://github.com/microsoft/go-lab/blob/main/docs/adr/0012-remove-gofips.md.openssl.SetFIPS(true)😢 . Removing it will make life more difficult for applications running on non-FIPS distros (like Mariner 2 when not running on FIPS mode) which have properly configured OpenSSL to be FIPS-compliant, as most times one still need to callFIPS_mode_set(true). On the upside, since #1496 we useopenssl.FIPSCapableinstead ofopenssl.FIPS, which makes it less likely to end up callingopenssl.SetFIPS. Most importantly, we no longer call that function when running on Azure Linux 3, which was my main goal with #1496.For #1445.