Support new golang fips compiler #1841
Codecov Report: All modified and coverable lines are covered by tests.
Coverage diff (main vs. #1841):
           main     #1841    +/-
Coverage   79.09%   79.10%
Files      173      173
Lines      16207    16201    -6
Hits       12819    12815    -4
Misses     3068     3066     -2
Partials   320      320
Branch updated: 0513827 to 8bc7b67.
LGTM
Just to create a cross-link reference for a related issue: #1605
The release of Go 1.21.6 includes the new boring crypto when compiling with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 and golang/go#64717. This new version of boring crypto allows the use of TLS v1.3 for the first time, so we changed the Pinniped code to use TLS v1.3 where appropriate when compiled with the FIPS compiler. It also changed the allowed TLS v1.2 ciphers, so we updated those as well. After this commit, the project must be compiled by at least Go v1.21.6 when compiling in fips mode. The hack/Dockerfile_fips was already updated to use that version of Go in a previous commit.
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
Branch updated: 8bc7b67 to 50e4d6d.
All green, lgtm!
Support the new Go FIPS compiler which was upgraded inside Go 1.21.6
The release of Go 1.21.6 includes the new boring crypto when compiling with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 (search for 1.21.6 in that doc) and golang/go#64717.
This new version of boring crypto allows the use of TLS v1.3 for the first time, so we changed the Pinniped code to use TLS v1.3 where appropriate when compiled with the FIPS compiler. It also changed the allowed TLS v1.2 ciphers, so we updated those as well (it appears to have dropped TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384).
After this commit, the project must be compiled by at least Go v1.21.6 when compiling in fips mode. The hack/Dockerfile_fips was already updated to use that version of Go in a previous commit.
Release note:
Update February 8, 2024: Much of this work had to be reverted when Go downgraded goboring. See #1863.
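To illustrate the kind of change the PR describes (prefer TLS 1.3 under the Go 1.21.6 FIPS build, and keep TLS 1.2 to a suite list that no longer contains the two dropped RSA key-exchange suites), here is an added Go example; it is not Pinniped's own code. The ECDHE-only allow-list, the function names and the `CheckFIPSCompat` helper are assumptions for illustration; only the two dropped suite names come from the PR description.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// fipsTLS12Ciphers is an assumed TLS 1.2 allow-list for a goboring build after
// Go 1.21.6: forward-secret ECDHE suites with AES-GCM only, no RSA key exchange.
var fipsTLS12Ciphers = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// droppedByGoboring holds the two suites the PR description says Go 1.21.6 dropped.
var droppedByGoboring = map[uint16]bool{
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384: true,
}

// NewFIPSTLSConfig prefers TLS 1.3 (usable under goboring from 1.21.6). TLS 1.2 is
// enabled only on request, with the restricted list. Go ignores CipherSuites for 1.3.
func NewFIPSTLSConfig(allowTLS12 bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13}
	if allowTLS12 {
		cfg.MinVersion = tls.VersionTLS12
		cfg.CipherSuites = append([]uint16(nil), fipsTLS12Ciphers...)
	}
	return cfg
}

// CheckFIPSCompat returns the names of configured TLS 1.2 suites that the 1.21.6
// FIPS build no longer accepts, so a stale list is caught before rebuilding.
func CheckFIPSCompat(cfg *tls.Config) []string {
	var bad []string
	for _, id := range cfg.CipherSuites {
		if droppedByGoboring[id] {
			bad = append(bad, tls.CipherSuiteName(id))
		}
	}
	return bad
}

func main() {
	// Constructed pre-1.21.6 style config that still lists an RSA key-exchange suite.
	legacy := &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_256_GCM_SHA384}}
	fmt.Println("dropped:", CheckFIPSCompat(legacy)) // prints: dropped: [TLS_RSA_WITH_AES_256_GCM_SHA384]
}
```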