Skip to content

Comments

Enable GODEBUG=fips140=only with systemcrypto backends#2149

Draft
gdams wants to merge 1 commit intomicrosoft/mainfrom
dev/gadams/fipsmodeonly
Draft

Enable GODEBUG=fips140=only with systemcrypto backends#2149
gdams wants to merge 1 commit intomicrosoft/mainfrom
dev/gadams/fipsmodeonly

Conversation

@gdams
Copy link
Member

@gdams gdams commented Feb 19, 2026

Fixes: #1656

Will need documentation before merging but pushing up the code changes for testing/review

@gdams gdams requested a review from a team as a code owner February 19, 2026 11:07
gdams
gdams commented Feb 19, 2026
View reviewed changes
patches/0004-Use-crypto-backends.patch
// technically a violation of draft-irtf-cfrg-det-sigs-with-noise-04 but in
// our API we don't get to know what it was, and this has no security impact.
- sig, err := ecdsa.Sign(c, sha512.New, k, rand, hash)
+ // Use the FIPS module's SHA-512 directly to ensure the service indicator
Copy link
Member Author

@gdams gdams Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this change is neccessary, adding a comment to remind me

@github-actions
Copy link

github-actions bot commented Feb 19, 2026

Patch Consistency Review - ✅ No Issues Found

I've reviewed PR #2149 for patch consistency across the two modified patch files:

  • patches/0001-Vendor-external-dependencies.patch
  • patches/0004-Use-crypto-backends.patch

Review Findings

Vendor Patch Compliance: The changes to vendor dependencies (updating github.com/golang-fips/openssl/v2, github.com/microsoft/go-crypto-darwin, and github.com/microsoft/go-crypto-winnative to newer versions) are correctly placed in 0001-Vendor-external-dependencies.patch, which is the designated patch for all vendor directory modifications.

Dependency File Updates: The vendor patch properly updates all three required dependency files:

  • src/go.mod - Updated with new version refs
  • src/go.sum - Updated with new checksums
  • src/vendor/modules.txt - Updated with new module info

Patch Naming Convention: Both patches follow the established naming convention (numbered prefix with descriptive names).

Logical Consistency: The changes demonstrate proper coordination between patches:

  • The vendor patch (0001) updates backend libraries to versions that include FIPSApproved() method support
  • The crypto-backends patch (0004) adds code to utilize this new capability for GODEBUG=fips140=only enforcement
  • Changes are appropriately scoped to their respective patches based on purpose

No Redundancy: The changes don't duplicate functionality already covered by existing patches. The new FIPSApproved() interface method check in fips140only.ApprovedHash() is an additive enhancement that complements the existing type-based checks.

Summary

The patch changes maintain consistency and follow the repository's patch management conventions correctly. The vendor library updates in patch 0001 and the corresponding usage in patch 0004 are well-coordinated and appropriately separated by concern.

AI generated by Patch Consistency Review Agent

@gdams gdams marked this pull request as draft February 19, 2026 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support GODEBUG=fips140=only

1 participant

@gdams