Support OpenSSL crypto on Windows
corhere opened this issue · comments
Cory Snider commented
- Related: golang-fips/openssl#98
Supporting `GOEXPERIMENT=opensslcrypto` on Windows would allow users (not bound by Microsoft's internal crypto policies) to build Go binaries which, when installed in the same folder as an OpenSSL library containing a validated FIPS module, could constitute a "FIPS Inside" product. Such products would be FIPS compliant when deployed on all versions of Windows, including ones for which the system CNG module has not yet completed validation.
I propose that the FIPS mode of OpenSSL-crypto Windows binaries be set using options equivalent to those of Linux binaries:
- Explicitly enable it by setting the environment variable `GOFIPS=1`.
- Explicitly disable it by setting the environment variable `GOFIPS=0`.
- Implicitly enable it by enabling the Windows FIPS policy. That is, the program implicitly enables FIPS mode if the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy` DWORD value `Enabled` exists and is set to `1`.
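As an added illustration of the precedence proposed above (not code from this issue or from golang-fips/openssl), the following Go program resolves FIPS mode from `GOFIPS` first and falls back to the Windows policy only when the variable is unset. The registry read is injected as a function so the logic runs on any OS; `ResolveFIPSMode`, `PolicyLookup`, the `noPolicy` stub and the use of golang.org/x/sys/windows/registry on a real Windows build are all assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
)

// PolicyLookup reports the DWORD value named "Enabled" under
// HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and whether
// that value exists. It is injected so the precedence logic runs on any OS;
// a Windows build would implement it with golang.org/x/sys/windows/registry
// (assumed dependency, not shown here).
type PolicyLookup func() (enabled uint32, exists bool)

// ResolveFIPSMode applies the order proposed in the issue:
//  1. GOFIPS=1 explicitly enables FIPS mode.
//  2. GOFIPS=0 explicitly disables it.
//  3. With GOFIPS unset, FIPS mode follows the Windows FIPS policy: on only
//     when the "Enabled" DWORD exists and equals 1.
// Any other GOFIPS value is an error (assumption: the issue defines no
// behaviour for other values, so an error is returned rather than guessing).
func ResolveFIPSMode(gofips string, gofipsSet bool, lookup PolicyLookup) (bool, error) {
	if gofipsSet {
		switch gofips {
		case "1":
			return true, nil
		case "0":
			return false, nil
		}
		return false, fmt.Errorf("GOFIPS=%q is invalid; expected 0 or 1", gofips)
	}
	enabled, exists := lookup()
	return exists && enabled == 1, nil
}

// noPolicy is a constructed stand-in for a machine whose FipsAlgorithmPolicy
// key has no "Enabled" value (registry read stubbed for portability).
func noPolicy() (uint32, bool) { return 0, false }

func main() {
	val, set := os.LookupEnv("GOFIPS")
	fips, err := ResolveFIPSMode(val, set, noPolicy)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("FIPS mode enabled: %v\n", fips)
}
```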