Geomys Go FIPS 140-3

December 15, 2025

Go and FIPS 140 December update

v2.0.0 → v1.26.0, ESV submitted, new QUIC and HPKE GCM nonces, and v1.26.0 testing starting

v2.0.0 is now v1.26.0

Since the GOFIPS140 mechanism reuses some of the Go module tooling, we can't actually call a module v2 without changing import paths.

Instead, we decided to version Go FIPS 140-3 Cryptographic Modules after the Go release they are frozen from and first released with.

The module which we will validate in January will be v1.26.0.

ESV submitted

Our Entropy Source Validation was submitted. An ESV certificate is effectively a requirement for any modules submitted from 2026 onwards.

You can find the validation report and the Public Use Document in the resources folder.

We're hopeful we'll get to use this ESV certificate for a few years, adding OEs if necessary.

More GCM nonce modes

FIPS 140-3 is very annoyingly strict about AES-GCM nonces.

The Go FIPS 140-3 Cryptographic Module v1.0.0 supports:

  • random nonces (IG C.H Scenario 2) exposed as NewGCMWithRandomNonce
  • name || counter nonces (IG C.H Scenario 3), not yet exposed
  • TLS 1.2 nonces (IG C.H Scenario 1.a), used in crypto/tls
  • TLS 1.3 nonces (IG C.H Scenario 1.a), used in crypto/tls
  • SSH nonces (IG C.H Scenario 1.d), to be used in x/crypto/ssh

v1.26.0 will additionally support:

  • name XOR counter nonces (IG C.H Scenario 3), not yet exposed
  • QUIC nonces (IG C.H Scenario 5), not yet exposed
  • HPKE nonces (IG C.H Scenario 5), used in crypto/hpke

The implementation (CL 723760, CL 728503) neatly groups them all into just two types: fixed || counter (TLS 1.2 and SSH) and fixed XOR counter (the rest). They are justified using different sections of the IG, though: we argue the explicit name XOR counter is just an implementation of counter-based Scenario 3, while QUIC and HPKE use Scenario 5 which allows implementing well-known standards.

The only difference is that QUIC can start the counter from a non-zero value (when keys are rotated), so we added a method to set the fixed mask. You can read more about making quic-go FIPS 140-3 compliant.

We might be the first module to enable a FIPS 140-3 compliant HPKE?

v1.26.0 algorithm and functional testing starting

We are getting started with the algorithm and functional testing for Go FIPS 140-3 Cryptographic Module v1.26.0, while we wait for the ESV certificate to be issued.

The time to let us know about any Vendor Affirmed OEs is now. Same if you wish your OEs to be listed on the Security Policy differently from how we are listing them on ESV/CAVP.

Go 1.26rc1 will be issued soon, with a release candidate of the v1.26.0 module called, unfortunately, v1.1.0-rc1 (we had not yet decided on the new versioning scheme; it will be removed in the final release anyway). If you wish to test it, you can use GOFIPS140=v1.1.0-rc1.

v1.0.0 entering In Review any day now

There were at some point only 6 (!) Review Pending modules ahead of us on the Modules In Progress list.

There are now 13.

¯\_(ツ)_/¯

Still, we are essentially at the front of the queue and expect to move to In Review soon.
