Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Align with upstream how we enable OpenSSL backend #548

Closed
qmuntal opened this issue May 9, 2022 · 3 comments
Closed

Align with upstream how we enable OpenSSL backend #548

qmuntal opened this issue May 9, 2022 · 3 comments
Labels
fips

Comments

@qmuntal
Copy link
Member

qmuntal commented May 9, 2022
edited
Loading

Context: #501

Go team has merged dev.boringcrypto into master, and for this they have improved how boringcrypto is enabled.
There is no official documentation yet available, this is what I inferred by going through the code:

  • There still will be two toolchain flavors [source]:
    • Default toolchain. Won't use BoringCrypto by default.
    • BoringCrypto toolchain, created with GOEXPERIMENT=boringcrypto ./make.bash [source]. Will use boringcrypto by default.
  • All BoringCrypto-related code is gated behind the boringcrypto build tag [source].
  • When using the default toolchain, one can generate a boring-enabled binary by building with GOEXPERIMENT=boringcrypto set.
  • When using the BoringCrypto toolchain, one can opt-out from boring by building with GOEXPERIMENT=none set.

Our plan for Microsoft Go toolchain is to follow the upstream pattern, with these additional features:

  • Support OpenSSL backend by creating a new experiment flag: opensslcrypto.
  • Disable OpenSSL backend at run-time when GOFIPS=0 or GOLANG_FIPS=0.
  • Enable OpenSSL backend via system wide FIPS mode.
@dagood dagood added the fips label May 10, 2022
@qmuntal
Copy link
Member Author

qmuntal commented May 11, 2022

I've updated the description with some new findings. The main change is that GOEXPERIMENT supports enabling and disabling an experiment when building a binary, regardless of the experiment set when building the toolchain. More info here: https://pkg.go.dev/internal/goexperiment

@dagood
Copy link
Member

dagood commented May 27, 2022

Here's a tester program I ran in a CBL-Mariner container based on a Go microsoft/main/1.19 build on 66c1d7c to confirm we're meeting the plan:

package main

import (
        "crypto/sha256"
        "fmt"
        "strings"
)

func main() {
        s := fmt.Sprintf("%#+v\n", sha256.New())
        fmt.Printf("%q %v\n", s[:20], strings.Contains(s, "openssl"))
}
# GOEXPERIMENT=opensslcrypto go build main.go && GOFIPS=1 ./main
"&openssl.sha256Hash{" true

# GOEXPERIMENT=opensslcrypto GOFIPS=1 go build main.go && ./main
"&sha256.digest{h:[8]" false

# go build main.go && GOEXPERIMENT=opensslcrypto GOFIPS=1 ./main
"&sha256.digest{h:[8]" false

We only have OpenSSL-backed crypto if:

  • GOEXPERIMENT=opensslcrypto is set during go build
  • And GOFIPS=1 / GOLANG_FIPS=1 is set during ./main. (Or systemwide FIPS is enabled. I tested that on my Mariner VM.)

GOEXPERIMENT=opensslcrypto has no effect at runtime, and GOFIPS=1 at build time doesn't affect the built binary. And, this is all done with a Go toolset that was itself built without any GOEXPERIMENT.

@dagood dagood mentioned this issue May 27, 2022
Closed
@dagood dagood mentioned this issue Jun 9, 2022
Merged
@qmuntal
Copy link
Member Author

qmuntal commented Jul 11, 2022

Done in #598

@qmuntal qmuntal closed this as completed Jul 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fips
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qmuntal @dagood