WireGuard is inherently non-FIPS. WireGuard requires one to use Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, which either are not yet unapproved or are unlikely to ever be approved (BLAKE participated in the SHA-3 contest and did not get selected).
When using Go FIPS toolchains, it would be nice to ensure that when FIPS enforcement is turned on, one doesn't build the WireGuard backend.
There are a few popular build tags / experiments for it; golang 1.24 also introduced a default way for it, see all the details in https://tip.golang.org/doc/security/fips140
I wonder if flannel would be receptive to adding build tags to automatically compile out / turn off the WireGuard backend when flannel is built with a Go toolchain in FIPS enforcement mode.
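
A runtime counterpart to the compile-time exclusion requested above, as an added example that is not flannel's code or part of the original issue: a backend registry that refuses any backend depending on non-approved primitives when Go 1.24's `crypto/fips140.Enabled()` reports FIPS mode. The `Backend` and `Registry` types, their fields, and the sample backend entries are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/fips140" // standard library, Go 1.24 and later
	"errors"
	"fmt"
)

// ErrNotFIPS marks a backend refused because FIPS mode is active.
var ErrNotFIPS = errors.New("backend needs non-approved cryptography")

// Backend is a hypothetical descriptor, not flannel's real backend type.
type Backend struct {
	Name             string
	UnapprovedCrypto bool // true if it depends on e.g. ChaCha20 or Curve25519
}

// Registry holds the backends this process is allowed to offer.
type Registry struct {
	fipsOn   func() bool // injected so the gate can be exercised in both modes
	backends map[string]Backend
}

// NewRegistry builds an empty registry around a FIPS-mode probe.
func NewRegistry(fipsOn func() bool) *Registry {
	return &Registry{fipsOn: fipsOn, backends: map[string]Backend{}}
}

// Register refuses backends with unapproved crypto while FIPS mode is on.
func (r *Registry) Register(b Backend) error {
	if b.UnapprovedCrypto && r.fipsOn() {
		return fmt.Errorf("%s: %w", b.Name, ErrNotFIPS)
	}
	r.backends[b.Name] = b
	return nil
}

// Has reports whether a backend was accepted.
func (r *Registry) Has(name string) bool { _, ok := r.backends[name]; return ok }

func main() {
	// fips140.Enabled is true when run with GODEBUG=fips140=on or fips140=only.
	r := NewRegistry(fips140.Enabled)
	fmt.Println("vxlan:", r.Register(Backend{Name: "vxlan"}))
	fmt.Println("wireguard:", r.Register(Backend{Name: "wireguard", UnapprovedCrypto: true}))
	fmt.Println("FIPS mode:", fips140.Enabled(), "wireguard offered:", r.Has("wireguard"))
}
```

A runtime gate still links the WireGuard code into the binary; removing it entirely requires placing the backend in a file behind a build constraint, which is what the issue asks for.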