Go and FIPS 140 October update
Amended v1.0.0 module
The upcoming Go 1.25.2 and Go 1.24.8 releases will include an amended version of the In Process v1.0.0 module to comply with the clarified rules on Pairwise Consistency Tests.
The amended module is in lib/fips140/v1.0.0-c2097c7c.zip, but the "official" version remains v1.0.0, and you can continue using GOFIPS140=v1.0.0.
The updated Security Policy has been submitted to the lab, and you can find a copy along with an updated attestation in your shared folder.
ESV Operating Environments
We submitted the new entropy source upstream, and we are close to completing sample collection.
The list of Operating Environments is here, with changes compared to the v1.0.0 CMVP submission in bold.
The source is somewhat slow and conservative, because we intend for it to be used for many years unchanged on disparate platforms. Measuring fewer memory accesses would have been sufficient on e.g. linux/amd64, but resulted in failed self-tests on a faster M2 Ultra with lower timer resolution. Let us know if you encounter any performance issue on the first use of random bytes.
x/crypto/ssh FIPS 140-3 mode
Like crypto/tls, golang.org/x/crypto/ssh now also automatically disables non-approved algorithms if FIPS 140-3 mode is enabled (e.g. with GOFIPS140=v1.0.0).
Note that until the new enforcement bypass is implemented, this will not work with the stricter GODEBUG=fips140=only mode, because the default key exchange is an approved hybrid of an approved PQ KEM (ML-KEM) and a non-approved ECDH key exchange (X25519).
At the moment, we recommend using GODEBUG=fips140=only as a debug tool, not in production.
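A deployment preflight for the two caveats above, as an added example (not code from the Go project). The function names and the production/usesSSH flags are hypothetical. It assumes that when a key repeats in GODEBUG the last occurrence wins, and it only inspects the GODEBUG string, not the default baked in at build time by GOFIPS140.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// fips140Setting returns the value of the fips140 key in a GODEBUG string
// (for example "on", "only" or "off"), or "" when the key is absent.
// Assumption: if the key appears more than once, the last occurrence wins.
func fips140Setting(godebug string) string {
	val := ""
	for _, kv := range strings.Split(godebug, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok && k == "fips140" {
			val = v
		}
	}
	return val
}

// checkDeployment (hypothetical helper) returns one finding per caveat from
// the text above that applies to this GODEBUG value and deployment.
func checkDeployment(godebug string, production, usesSSH bool) []string {
	if fips140Setting(godebug) != "only" {
		return nil
	}
	var findings []string
	if production {
		findings = append(findings,
			"fips140=only is recommended as a debug tool, not in production")
	}
	if usesSSH {
		findings = append(findings,
			"x/crypto/ssh default key exchange (ML-KEM + X25519 hybrid) "+
				"does not work under fips140=only until the enforcement bypass lands")
	}
	return findings
}

func main() {
	// Treat this process as a production service that uses x/crypto/ssh.
	for _, f := range checkDeployment(os.Getenv("GODEBUG"), true, true) {
		fmt.Println("warning:", f)
	}
}
```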