Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go 1.22.0 #160

Merged
merged 9 commits into from
Mar 11, 2024
Merged

Go 1.22.0 #160

merged 9 commits into from
Mar 11, 2024

Conversation

derekparker
Copy link
Contributor

No description provided.

@derekparker derekparker changed the title Go 1.22rc1 Go 1.22.0 Feb 16, 2024
@derekparker
Copy link
Contributor Author

Relies also on golang-fips/openssl#137, will update this PR when that is merged.

@derekparker
Copy link
Contributor Author

Updated since golang-fips/openssl#137 merged, this should land by the end of the week.

derekparker
derekparker commented Feb 22, 2024
View reviewed changes
patches/000-initial-setup.patch
func (hs *clientHandshakeStateTLS13) handshake() error {
c := hs.c

- if needFIPS() {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ueno wanted to call your attention to this change and the one below, and ensure it makes sense for supporting TLS 1.3 or do we need to check for HKDF support as well?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point; if HKDF from a FIPS certified module cannot be used, we probably shouldn't enable TLS 1.3 in FIPS mode, though this could probably be checked elsewhere at the library initialization, not at every handshake attempt.

derekparker
derekparker commented Feb 22, 2024
View reviewed changes
patches/011-122-fixes.patch
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_256_GCM_SHA384:
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ueno also wanted to call your attention to this change to ensure cipher suite is correct.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Afaik TLS_CHACHA20_POLY1305_SHA256 is still not approved in FIPS mode.

ajayk
ajayk reviewed Feb 29, 2024
View reviewed changes
patches/000-initial-setup.patch
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_256_GCM_SHA384:
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the guidelines https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf and Boring implementation
For TLS 1.3 implementations, NIST SP 800-52 and SSL Labs jointly recommend the use of the
following FIPS-approved ciphers in this order of preference (from highest to lowest):

  1. TLS_AES_256_GCM_SHA384
  2. TLS_AES_128_GCM_SHA256
  3. TLS_AES_128_CCM_SHA256
  4. TLS_AES_128_CCM_8_SHA256

@ajayk ajayk mentioned this pull request Feb 29, 2024
Closed
10 tasks
simo5
simo5 reviewed Mar 7, 2024
View reviewed changes
patches/011-122-fixes.patch Outdated
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_AES_128_GCM_SHA256,
+ TLS_AES_256_GCM_SHA384,
+ TLS_CHACHA20_POLY1305_SHA256:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs to be removed indeed.

@derekparker
Copy link
Contributor Author

@ueno @simo5 thanks for the review! Patch set has been updated.

ueno
ueno approved these changes Mar 9, 2024
View reviewed changes
Copy link
Collaborator

@ueno ueno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@derekparker derekparker merged commit b86e774 into golang-fips:main Mar 11, 2024
6 checks passed
@derekparker derekparker deleted the go1.22rc1 branch March 11, 2024 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simo5 simo5 simo5 left review comments

@ajayk ajayk ajayk left review comments

@dbenoit17 dbenoit17 dbenoit17 approved these changes

@ueno ueno ueno approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@derekparker @ueno @ajayk @simo5 @dbenoit17