Repository for FIPS enabled Go using OpenSSL.
The cryptographic routines in the Go standard library cannot be FIPS certified and must instead rely on an external cryptographic implementation which can be FIPS certified. This repository and the upstream sources it is based on contain the necessary modifications for the Go crypto library to use an external cryptographic library in a FIPS compliant way.
This repository contains a fork of the Go toolchain dev.boringcrypto branch.
The dev.boringcrypto branch itself is a fork maintained separately from the main Go repository branches. This upstream
branch modifies the crypto/* packages to use BoringCrypto for cryptographic operations.
This branch uses a pre-compiled shared object which the Go toolchain can statically link against.
The modifications contained in this repository add support for using OpenSSL as the crypto backend when the host system is in FIPS mode.
Main differences from the upstream BoringCrypto fork are:
- Uses OpenSSL as cryptographic library instead of BoringSSL.
- Not statically linked, we instead use
dlopento call into OpenSSL. - FIPS mode (or
boringmode as the package is named) is enabled either via an environment variableGOLANG_FIPS=1or by virtue of the host being in FIPS mode. - A few more downstream modifications to ensure complete test coverage, and some downstream code changes to support various versions of OpenSSL
The main branch contains only a license file and this README. The FIPS patches are stored on versioned branches
which follow the naming convention: go1.x-openssl-fips.