This only affects GOEXPERIMENT=boringcrypto.

Previous BoringCrypto upgrade was at https://github.com/golang/go/issues/64717

CMVP #4953 was issued on 1/27/2025 and should have been upgraded in Go but hasn't.

It doesn't remove any services, but has the following new validated services in approved mode:

* AES-GMAC
* KAS-FFC-SSC
* KDA HKDF
* TLS v1.2 KDF RFC7627
* TLS v1.3 KDF

The TLS v1.2 KDF RFC7627 is important, because almost all other FIPS operating systems now require it - RHEL 9, Amazon Linux 2023, Ubuntu 22.04, Chainguard among many others.

The first step of getting access to these algorithms in approved mode is to actually upgrade the boringcrypto module used in the build.

I have prepared and submitted this change at https://go-review.googlesource.com/c/go/+/681675. All tests pass in GOEXPERIMENT=boringcrypto mode.

Once the module upgrade lands, and if there is time, additional work can be done to wire up access to the boringcrypto implementation of those algorithms.

Comment From: gopherbot

Change https://go.dev/cl/681675 mentions this issue: crypto/internal/boring: upgrade module to fips-2023042800 / CMVP #4953
