Thanks to visit codestin.com
Credit goes to github.com

Skip to content

remove support for FIPS 140-2 with boringcrypto #21292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 16, 2025
Merged

remove support for FIPS 140-2 with boringcrypto #21292

merged 1 commit into from
May 16, 2025

Conversation

@aead
Copy link
Member

@aead aead commented May 16, 2025

Description

This commit removes FIPS 140-2 related code for the following reasons:

  • FIPS 140-2 is a compliance, not a security requirement. Being FIPS 140-2 compliant has no security implication on its own. From a tech. perspetive, a FIPS 140-2 compliant implementation is not necessarily secure and a non-FIPS 140-2 compliant implementation is not necessarily insecure. It depends on the concret design and crypto primitives/constructions used.
  • The boringcrypto branch used to achieve FIPS 140-2 compliance was never officially supported by the Go team and is now in maintainance mode. It is replaced by a built-in FIPS 140-3 module. It will be removed eventually. Ref: crypto: obtain a FIPS 140-3 validation golang/go#69536
  • FIPS 140-2 modules are no longer re-certified after Sep. 2026. Ref: https://csrc.nist.gov/projects/cryptographic-module-validation-program

Motivation and Context

FIPS

How to test this PR?

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here

@aead
remove support for FIPS 140-2 with boringcrypto
052931f 
This commit removes FIPS 140-2 related code for the following
reasons:
 - FIPS 140-2 is a compliance, not a security requirement. Being
   FIPS 140-2 compliant has no security implication on its own.
   From a tech. perspetive, a FIPS 140-2 compliant implementation
   is not necessarily secure and a non-FIPS 140-2 compliant implementation
   is not necessarily insecure. It depends on the concret design and
   crypto primitives/constructions used.
 - The boringcrypto branch used to achieve FIPS 140-2 compliance was never
   officially supported by the Go team and is now in maintainance mode.
   It is replaced by a built-in FIPS 140-3 module. It will be removed
   eventually. Ref: golang/go#69536
 - FIPS 140-2 modules are no longer re-certified after Sep. 2026.
   Ref: https://csrc.nist.gov/projects/cryptographic-module-validation-program

Signed-off-by: Andreas Auernhammer <[email protected]>
@aead aead requested review from donatello and harshavardhana May 16, 2025 07:35
@aead aead self-assigned this May 16, 2025
klauspost
klauspost approved these changes May 16, 2025
View reviewed changes
Copy link
Contributor

@klauspost klauspost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Good for maintenance.

@harshavardhana harshavardhana merged commit 1d50cae into master May 16, 2025
21 of 22 checks passed
@harshavardhana harshavardhana deleted the fips140-2 branch May 16, 2025 14:27
@dataBjunk
Copy link

Hi, by removing the code for FIPS-140-2 code and totally rely on go 1.24 or above for crypto, does that means minio is now FIPS-140-3 compliance then?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@harshavardhana harshavardhana harshavardhana approved these changes

@klauspost klauspost klauspost approved these changes

@donatello donatello Awaiting requested review from donatello

Assignees

@aead aead

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aead @dataBjunk @harshavardhana @klauspost