microsoft / go

The Microsoft build of the Go toolset

Support OpenSSL crypto on Windows

corhere opened this issue · comments

Supporting GOEXPERIMENT=opensslcrypto on Windows would allow users (not bound by Microsoft's internal crypto policies) to build Go binaries which, when installed in the same folder as an OpenSSL library containing a validated FIPS module, could constitute a "FIPS Inside" product. Such products would be FIPS compliant when deployed on all versions of Windows, including ones for which the system CNG module has not yet completed validation.

I propose that the FIPS mode of OpenSSL-crypto Windows binaries be set using the equivalent options to Linux binaries:

  1. Explicitly enable it by setting the environment variable GOFIPS=1.
  2. Explicitly disable it by setting the environment variable GOFIPS=0.
  3. Implicitly enable it by enabling the Windows FIPS policy. That is, the program implicitly enables FIPS mode if the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy dword value Enabled exists and is set to 1.
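The precedence proposed above (explicit GOFIPS=1, explicit GOFIPS=0, otherwise the Windows FIPS policy), written out as an added Go example; this is not code from the microsoft/go toolset. The registry read is injected as a function so the decision logic runs on any platform; `policyFromRegistry` is a placeholder for the real HKLM lookup, and treating any GOFIPS value other than "1" or "0" as unset is an assumption, not something the issue specifies.

```go
package main

import (
	"fmt"
	"os"
)

// registryLookup abstracts reading the DWORD value Enabled under
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy.
// ok is false when the key or the value does not exist.
type registryLookup func() (value uint32, ok bool)

// FIPSEnabled applies the precedence from the proposal:
//  1. GOFIPS=1 explicitly enables FIPS mode.
//  2. GOFIPS=0 explicitly disables it.
//  3. Otherwise FIPS mode follows the Windows FIPS policy: enabled only
//     if the registry value exists and equals 1.
// Assumption: any other GOFIPS value is treated as unset and falls
// through to the policy check.
func FIPSEnabled(gofips string, lookup registryLookup) bool {
	switch gofips {
	case "1":
		return true
	case "0":
		return false
	}
	v, ok := lookup()
	return ok && v == 1
}

// policyFromRegistry is a placeholder for the real registry read. On
// Windows it would open the key above with golang.org/x/sys/windows/registry
// and read the Enabled value; here it reports "value absent" so that the
// example runs unchanged on non-Windows hosts.
func policyFromRegistry() (uint32, bool) {
	return 0, false
}

func main() {
	fmt.Println("FIPS mode enabled:", FIPSEnabled(os.Getenv("GOFIPS"), policyFromRegistry))
}
```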