Suggesting to replace syscall.Getenv("GOFIPS") with Read registry key #1429
Comments
I might not be understanding your suggestion, but I think it might already work in the way you want. On Windows, FIPS mode cannot be enabled or disabled for a specific application: it's always a system-wide setting, and changing that registry key is one way to configure it. On Windows,
go/patches/0005-Add-CNG-crypto-backend.patch Lines 216 to 227 in 8122764
It sounds like GOFIPS isn't useful for your case (a Windows service), and that's fine--there's no need to use it for every program. On Windows, it's just a small feature that lets you potentially detect misconfigured systems.
According to the documentation (Usage > Common Configuration), using GOEXPERIMENT=systemcrypto, which is the default, can be used to create a compliant app. FIPS mode is automatically enabled at runtime if it is configured system-wide or GOFIPS=1. To run as FIPS compliant, it is required that the Windows FIPS policy be enabled as a prerequisite. Is that correct? In our use case we install and run a Windows service. Assuming that the FIPS policy is enabled but the GOFIPS var is not defined system-wide, the question was what the options are for the service to immediately start running using CNG, FIPS compliant. Windows services are spawned by SCM. SCM starts at an early boot stage and acquires the environment; all services inherit SCM's environment. Even a newly added/installed service might get a stale SCM environment. Please consider the following scenario: will the option of dynamically adding GOFIPS=1 after the service was started have the same effect as having a predefined system-wide GOFIPS=1 var?
Ah, apologies, that only describes the OpenSSL backend, not CNG/Windows. I'll get that fixed. That particular note might not have been revised since the CNG backend was added--OpenSSL was first. On Windows, the Go application is not responsible for enabling FIPS mode. https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#windows-fips-mode-cng is correct, sorry about the conflicting information.
The Go application just reads the environment variable upon startup (during an For clarity: none of the language in the doc is intended to say anything about defining environment variables system-wide or specific to a certain process. I'll give the doc a pass-through to try to make sure this is clear. (In my experience, on Linux it's a little clearer that this concept won't affect anything, so some of the current wording might be muddy when reading for Windows.)
There are two factors here:
Missed this Q, I think it's a good one for me to answer directly to make sure everything makes sense together: 🙂
Yes, and the only other prerequisite is that the app is built with
Thanks @dagood, it is clear now.
We haven't provided a supported API to check FIPS mode--a bit more background about why in this issue:
There also aren't any external indicators like event viewer, etc. (Note that #999 also mentions that upstream has accepted a proposal that includes adding a built-in function to check the mode, Summary: for now, there is no straightforward way. In 1.24 there might be.
Thanks @dagood. Also, do the changes from building with the goexperiment.systemcrypto or goexperiment.cngcrypto tags replace the standard crypto package https://pkg.go.dev/crypto, including https://pkg.go.dev/crypto/tls, in the vendor and vendor-patched modules? What is the expected impact of running in FIPS mode if the app is using a weak hash such as MD5?
I think that if you need to check FIPS mode, the workaround in the description of #999 is currently the best way to do it (if using an ordinary build of Microsoft Go). I think that checking whether FIPS local security policy is enabled by some other means and then making a conclusion about FIPS mode could maybe end up ok, but I'm not familiar with that and the potential caveats.
I'm not sure I understand "the vendor and vendor-patched modules". If you mean you have an app, it imports some packages from external modules, and you've called
I would expect it to succeed, but the app would not be considered FIPS compliant if the MD5 call was performed for a cryptographic purpose.
It should be restricted to FIPS approved settings (and I see this happen with my example program at #1434 (comment)):
Hi,
In the documentation you recommend using GOFIPS, set at runtime, to support both options of running in FIPS mode or non-FIPS.
The problem is that unless it is set before service installation, adding GOFIPS during the installation requires a restart of Windows in order for the GOFIPS change to be visible to the service.
I want to suggest replacing syscall.Getenv("GOFIPS") with a read of the GOFIPS registry key to decide how to run a service and avoid the restart.
Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Similar to enableSystemWideFIPS(), microsoft-go/eng/_util/cmd/run-builder/systemfips_windows.go
Thanks,
Lilach
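An added diagnostic script (not part of this issue or of the microsoft/go project) that shows the three values the thread is juggling on one host: the system-wide FIPS policy, the GOFIPS value stored in the machine environment registry key named above, and the GOFIPS value the current process actually inherited. The FIPS policy location under Control\Lsa\FipsAlgorithmPolicy is assumed from standard Windows documentation; the issue only refers to "that registry key".

```powershell
function Get-GoFipsStatus {
    # System-wide FIPS policy. Location assumed (standard Windows key, not named in the issue).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policy = Get-ItemProperty -Path $lsaKey -Name Enabled -ErrorAction SilentlyContinue
    $fipsPolicyEnabled = ($null -ne $policy) -and ($policy.Enabled -eq 1)

    # GOFIPS as stored in the machine environment key the issue proposes reading directly.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $regValue = (Get-ItemProperty -Path $envKey -Name GOFIPS -ErrorAction SilentlyContinue).GOFIPS

    # GOFIPS as inherited by this process. A service started by SCM before the
    # registry change holds the same kind of stale copy as a shell started back then.
    $procValue = [Environment]::GetEnvironmentVariable('GOFIPS', 'Process')

    [pscustomobject]@{
        FipsPolicyEnabled   = $fipsPolicyEnabled
        GofipsInRegistry    = $regValue
        GofipsInThisProcess = $procValue
        EnvironmentStale    = ($regValue -ne $procValue)
    }
}

$status = Get-GoFipsStatus
$status | Format-List

if ($status.FipsPolicyEnabled) {
    'FIPS policy is on: a CNG-backed Go build runs in FIPS mode regardless of GOFIPS.'
} elseif ($status.GofipsInRegistry -eq '1') {
    'GOFIPS=1 is stored but the FIPS policy is off: Go will flag this host as misconfigured once it sees the variable.'
} else {
    'FIPS policy is off and GOFIPS is not requested: the Go app runs in non-FIPS mode.'
}
if ($status.EnvironmentStale) {
    'Registry and process values differ: processes started before the change (SCM services included) still see the old value.'
}
```

Run it from the same session that installed the service to confirm whether the registry write has reached any already-running process before deciding whether a reboot is still required.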