
Audit codebase for FIPS-140 compliance #13925

@ycombinator

Description


Component(s)

No response

Describe the issue you're reporting

FIPS-140 is a U.S. Government standard that sets security requirements for cryptographic modules (hardware, software, or firmware that performs cryptographic operations). U.S. Federal agencies and sometimes other organizations (e.g. in the banking industry) require that software deployed in their environments comply with this standard as a way of ensuring that a certain, well-established baseline of security is met.

In the context of the OpenTelemetry Collector, this means that deploying a distribution in U.S. Federal or certain other organizations' environments may first require that the collector — starting with core and then extending to the components in contrib — is FIPS-140 capable. Note that I'm deliberately using the word "capable" here instead of "compliant" as the latter has a stronger connotation of the software being formally validated under the Cryptographic Module Validation Program (CMVP).

To this end, I'd like to propose the following ideas:

  • Use the unit tests in this repository (core) to surface any uses of cryptographic algorithms used by the collector core codebase (provided these are exercised by the unit tests) that would violate the FIPS-140 requirements. Concretely, this could be done via a new Makefile target that runs the unit tests with GODEBUG=fips140=only.
  • Look at the results from the above step and decide whether each use is a) OK as-is because it's a false positive (e.g. using SHA-1, which is not FIPS-compliant, in a non-cryptographic context) or b) needs to be updated to a FIPS-compliant algorithm.
  • Consider creating a new FIPS distribution for the OpenTelemetry Collector. This distribution may, for instance, choose to be built using the Microsoft Go fork as it allows for building FIPS-capable applications until golang/go#69536 ("crypto: obtain a FIPS 140-3 validation") is resolved.
  • Consider the ideas above in the contrib repository as well, perhaps starting with only a small set of components and then gradually adding more over time.
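The following is an added example of the triage step proposed above, written for this review; it is not code from the issue author or from the OpenTelemetry Collector project. It shows the kind of call that `GODEBUG=fips140=only` surfaces (MD5, which Go 1.24 and later rejects in FIPS-only mode), recovers the rejection so it can be reported rather than crashing the test binary, and places the FIPS-approved SHA-256 alternative beside it. The functions `fips140Setting`, `fipsOnlyMode`, `md5Hex` and `sha256Hex` and the `"abc"` input are my own constructions; the Go 1.24+ behaviour of panicking on non-approved algorithms under `fips140=only` is assumed from the Go release notes, and some APIs return an error instead of panicking.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// fips140Setting extracts the value of the fips140 key from a GODEBUG string
// such as "fips140=only,http2client=0". It returns "" when the key is absent.
func fips140Setting(godebug string) string {
	for _, kv := range strings.Split(godebug, ",") {
		key, value, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if ok && key == "fips140" {
			return value
		}
	}
	return ""
}

// fipsOnlyMode reports whether this process was started with
// GODEBUG=fips140=only, the setting proposed for the Makefile test target.
func fipsOnlyMode() bool {
	return fips140Setting(os.Getenv("GODEBUG")) == "only"
}

// md5Hex is the kind of call fips140=only flags. With Go 1.24+ in FIPS-only
// mode md5.Sum panics (assumption from the Go release notes), so the panic is
// recovered and returned as an error that a triage report can record.
func md5Hex(data []byte) (digest string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("non-approved algorithm rejected: %v", r)
		}
	}()
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:]), nil
}

// sha256Hex is the FIPS-approved replacement for a digest that is used in a
// genuinely cryptographic context (case b in the triage list above).
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	data := []byte("abc") // constructed sample input
	fmt.Printf("GODEBUG fips140=%q, FIPS-only mode: %v\n",
		fips140Setting(os.Getenv("GODEBUG")), fipsOnlyMode())
	if d, err := md5Hex(data); err != nil {
		fmt.Println("MD5:", err)
	} else {
		fmt.Println("MD5:", d)
	}
	fmt.Println("SHA-256:", sha256Hex(data))
}
```

Run it twice, once as `go run .` and once as `GODEBUG=fips140=only go run .`, to see the MD5 call succeed in the first case and be reported as rejected in the second; a unit-test target would do the same with `GODEBUG=fips140=only go test ./...` and collect every rejection for the false-positive-versus-fix decision. Note that this only covers algorithms the tests actually exercise, as the proposal itself points out.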


Metadata


Assignees

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
