crypto: no documentation for GODEBUG=fips140 #71666

Closed
terinjokes opened this issue Feb 11, 2025 · 14 comments
Labels
Documentation Issues describing a change to documentation. NeedsFix The path to resolution is known, but the work has not been done.
@terinjokes
Contributor

terinjokes commented Feb 11, 2025

The release note for Go 1.24 mentions a fips140 GODEBUG that is not documented on the GODEBUG page.

The new fips140 GODEBUG setting can be used to enable FIPS 140-3 mode at runtime.

@gopherbot gopherbot added the Documentation Issues describing a change to documentation. label Feb 11, 2025
@seankhliao
Member

cc @golang/security

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 11, 2025
@seankhliao seankhliao changed the title crypto: GODEBUG fips140 not documented go1.24 crypto: no documentation for GODEBUG=fips140 Feb 11, 2025
@gopherbot
Contributor

Change https://go.dev/cl/648520 mentions this issue: doc/godebug: mention GODEBUG=fips140

@ameukam

ameukam commented Feb 13, 2025

Update(02/13/25):
with this directive in a go.mod file:

godebug fips140=on

I get

go.mod:7: unknown godebug "fips140"

@ianlancetaylor
Member

@ameukam What "godebug" program are you running?

@terinjokes
Contributor Author

@ianlancetaylor I think that was saying with the godebug fips140=on directive in go.mod the go toolchain gives an error. I get the same error when I add the directive.

@ianlancetaylor
Member

Ah, thanks.

@terinjokes
Contributor Author

FWIW I also get the same error when using //go:debug fips140=off. I'm not really sure how this feature is supposed to be interacting with GODEBUG, but it seems to be different than other settings, and might need more in the way of clarifying documentation.

@ianlancetaylor
Member

I sent https://go.dev/cl/649495 to address that.

@gopherbot
Contributor

Change https://go.dev/cl/649495 mentions this issue: internal/godebugs: add fips140 as an opaque godebug setting

@FiloSottile
Contributor

Ah, I didn't realize if it's not in godebugs.All it wouldn't be available from go.mod and source files, that was definitely not intended, good catch.

@gopherbot please open a backport issue for Go 1.24. We should probably backport https://go.dev/cl/649495 to fix that, and I think https://go.dev/cl/648520 so it will show up at https://go.dev/doc/godebug?

@gopherbot
Contributor

Backport issue(s) opened: #71745 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot pushed a commit that referenced this issue Feb 15, 2025
This permits using "godebug fips140=on" in go.mod and
using "//go:debug fips140=on" in the main package.

Change code references to the godebug setting to remove the #
which is no longer required.

For #71666

Change-Id: I3a60ecc55b03848dadd6d431eb43137b6df6568b
Reviewed-on: https://go-review.googlesource.com/c/go/+/649495
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
@gopherbot
Contributor

Change https://go.dev/cl/650596 mentions this issue: [release-branch.go1.24] doc/godebug: mention GODEBUG=fips140

@gopherbot
Contributor

Change https://go.dev/cl/650675 mentions this issue: [release-branch.go1.24] internal/godebugs: add fips140 as an opaque godebug setting

@dmitshur dmitshur added this to the Go1.25 milestone Feb 19, 2025
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 19, 2025
gopherbot pushed a commit that referenced this issue Feb 19, 2025
For #71666
For #71745

Change-Id: Ice816cf2943c5b6660f05934b4c7ca38545714b0
Reviewed-on: https://go-review.googlesource.com/c/go/+/648520
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Commit-Queue: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
(cherry picked from commit 5f65e5c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/650596
Reviewed-by: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Feb 26, 2025
…odebug setting

This permits using "godebug fips140=on" in go.mod and
using "//go:debug fips140=on" in the main package.

Change code references to the godebug setting to remove the #
which is no longer required.

For #71666
Fixes #71745

Change-Id: I3a60ecc55b03848dadd6d431eb43137b6df6568b
Reviewed-on: https://go-review.googlesource.com/c/go/+/649495
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 2b43ce0a9d5825d66aa42a6fa9076f2fb9c181ea)
Reviewed-on: https://go-review.googlesource.com/c/go/+/650675
Commit-Queue: Ian Lance Taylor <iant@google.com>
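
The thread covers two build-time ways to set fips140: a `godebug` line in go.mod and a `//go:debug` directive in the main package. The following is an added example, not code from the Go project or from any participant, of a repository check that reports where either form sets it. The function names and the sample go.mod are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod (hypothetical module path), not from the issue.
const sampleGoMod = "module example.com/app\n\ngo 1.24\n\ngodebug (\n" +
	"\tdefault=go1.24\n\tfips140=on // FIPS 140-3 mode by default\n)\n"

// fips140InGoMod returns the value and 1-based line of the last fips140
// godebug setting in go.mod text (single-line or block form).
func fips140InGoMod(gomod string) (value string, line int, ok bool) {
	inBlock := false
	for i, raw := range strings.Split(gomod, "\n") {
		text, _, _ := strings.Cut(raw, "//") // drop trailing comment
		f := strings.Fields(text)
		switch {
		case len(f) == 2 && f[0] == "godebug" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 2 && f[0] == "godebug", inBlock && len(f) == 1:
			if v, found := strings.CutPrefix(f[len(f)-1], "fips140="); found {
				value, line, ok = v, i+1, true
			}
		}
	}
	return
}

// fips140InSource finds a //go:debug fips140=... line before the package clause.
func fips140InSource(src string) (value string, ok bool) {
	for _, raw := range strings.Split(src, "\n") {
		if strings.HasPrefix(raw, "package ") {
			break
		}
		if v, found := strings.CutPrefix(raw, "//go:debug fips140="); found {
			value, ok = strings.TrimSpace(v), true
		}
	}
	return
}

func main() {
	fmt.Println(fips140InGoMod(sampleGoMod))
	fmt.Println(fips140InSource("//go:debug fips140=on\npackage main\n"))
}
```

A toolchain without the change discussed above rejects both forms with the `unknown godebug "fips140"` error quoted in the thread, so a positive result from this check only matters on a toolchain that includes it.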