Geomys Go FIPS 140-3

May 6, 2026

Go and FIPS 140 May update

v1.0.0 got its certificate, v1.26.0 is on the MIP list, post-quantum updates, and SP 800-133r3 ipd

Certificate #5247 issued for v1.0.0

The CMVP issued Certificate #5247 to the FIPS 140-3 Go Cryptographic Module v1.0.0, included in Go 1.24 and later.

If you are interested in a rebrand, please get in contact ASAP.

Starting with upcoming Go 1.27, Go 1.26.3, and Go 1.25.10, you will be able to use GOFIPS140=certified as an alias of GOFIPS140=v1.0.0 that will be updated to future versions of the module once they become certified.

v1.26.0 on Modules In Process List

You can now find the FIPS 140-3 Go Cryptographic Module v1.26.0, included in Go 1.26 and later, in the Modules In Process List.

The Security Policy draft is in the shared folder.

A changelog is available in the public documentation and reproduced here:

  • Implemented ML-DSA.
  • testing/cryptotest.SetGlobalRandom is now supported.
  • Introduced new AES-GCM compliance APIs, for use in crypto/hpke and future exposed APIs.
  • The Go Cryptographic Module now uses a CPU jitter Entropy Source, with ESV Certificate #E318 and CAVP Certificate A7715. (The platform CSPRNG is still used as an uncredited additional data source for all random bytes.)
  • Various safety and performance improvements.

Starting with upcoming Go 1.27 and Go 1.26.3, GOFIPS140=inprocess will be updated to be an alias of GOFIPS140=v1.26.0 instead of GOFIPS140=v1.0.0.

TLS hybrids enforcement bypass backports

Go 1.26 introduced crypto/fips140.WithoutEnforcement to bypass GODEBUG=fips140=only enforcement when appropriate, e.g. when using SHA-1 in a non-security setting, or for the non-Approved part of a hybrid key exchange.

The TLS X25519MLKEM768 and SecP256r1MLKEM768 hybrid implementations were mistakenly left out when applying WithoutEnforcement to the standard library. This is being backported to Go 1.26.3.

We want to take the opportunity to point out that the mechanism to enable FIPS 140-3 mode recommended by Geomys and by the Security Policy is the GOFIPS140 build-time environment variable alone, and that the new public docs discourage the use of GODEBUG=fips140=only mode in production:

Note that this is a best effort mode meant for testing, assessment, and debugging. It is not intended to be used in production, it is not required by the Security Policy, it introduces crashes and potentially unhandled errors by design, and it may have false positives or false negatives.

Post-quantum and Go 1.27 proposals

You might be interested in a few open proposals that are provisionally planned for Go 1.27 (which will be released in August):

  • crypto/mldsa: new package
  • crypto/tls: implement MLKEM1024 key exchange
  • crypto/x509,crypto/tls: add ML-DSA support

These are all compatible with FIPS 140-3 Go Cryptographic Module v1.26.0 and its In Process validation, and the MLKEM1024 key exchange is also compatible with FIPS 140-3 Go Cryptographic Module v1.0.0.

We are also discussing introducing TLS profiles, to simplify requiring e.g. a CNSA 2.0 compliant configuration, or to override the default FIPS 140-3 compliant configuration that is currently enforced in FIPS 140-3 mode.

SP 800-133 Initial Public Draft

NIST has published an Initial Public Draft of SP 800-133 Rev. 3, which governs symmetric key and asymmetric seed generation (and derivation).

Geomys provided some comments and we noted that this explicitly blesses a number of schemes we have adopted or developed.

Relatedly, HKDF (RFC 5869) was added to SP 800-140D, the top-level list of official Approved SSP Generation and Establishment Methods for FIPS 140-3 purposes. The CMVP announced its addition with the comment “even though it is technically compliant to SP 800-56C which is already listed” proving it had always been FIPS 140-3 compliant, as we discussed.

(Why is SP 800-140D a web page and how does it have FIPS 140-3 standing, you ask? Well, FIPS 140-3 is basically an empty pointer that references paywalled ISO/IEC 19790:2012(E). SP 800-140A/B/C/D/E/F modify/replace Annex A/B/C/D/E/F of that standard, because changing an ISO or FIPS standard is too painful. Annex D, replaced by SP 800-140D, covers the Approved Generation and Establishment Methods. SP 800-140D Rev. 2, the latest, is an empty pointer to https://csrc.nist.gov/projects/cmvp/sp800-140d, because changing an SP is too painful. This was all supposed to make FIPS 140 easier by making it a modular ISO standard.)

