GO and FIPS 140-2 / 140-3 certified cryptography

The current FIPS 140-2 and ongoing FIPS 140-3 certification efforts by SUSE cover a wide range of system libraries and its users, and the Linux Kernel.

One gap recently closed is the missing FIPS 140 support for applications written in the GO language.

To allow building GO binaries with cryptography compliant to FIPS 140, SUSE has shipped a GO compiler flavor that links its cryptography against the system openssl library.

This way the GO compiled binaries use the FIPS 140-2 or 140-3 cryptography from openssl and do not need to get certified on their own.

SUSE has so far shipped the following packages to the Development Tools modules of SUSE Linux Enterprise Server 15 SP4 and SP5.

• go1.19-openssl
• go1.20-openssl

The go1.21-openssl package is currently under development.

As soon as you install the go1.xx-openssl flavor, they can be used by using the “go” commandline as usual.

During RPM builds you can specify it via BuildRequires:

BuildRequires: go1.20-openssl

SUSE is also providing BCI GO language containers including the current supported GO versions, please see https://registry.suse.com/

OCI urls:

• registry.suse.com/bci/golang:1.19-openssl
• registry.suse.com/bci/golang:1.20-openssl

Also SUSE provides aliases to the stable GO openssl release, and the previous “old stable”:

• registry.suse.com/bci/golang:stable-openssl
• registry.suse.com/bci/golang:oldstable-openssl

Usually you do not need to change the build setup to enable this cryptography.
However you can do the following to limit e.g. TLS ciphers to FIPS validated ones and avoid potential aborts on non-FIPS ciphers.

import _ "crypto/tls/fipsonly"