Go cryptography security audit (The Go Blog)

Date:
Mon, 19 May 2025 17:48:44 +0000

Description:
Roland Shoemaker has published a blog post about a
recent security audit of the cryptography packages shipped as part of
the Go standard library. The audit, performed by the Trail of Bits security firm,
uncovered one low-severity vulnerability in the legacy Go+BoringCrypto integration, as well as a handful of informational findings. During the review, there were a number of questions about our
cgo-based Go+BoringCrypto integration, which provides a FIPS 140-2
compliant cryptography mode for internal usage at Google. The
Go+BoringCrypto code is not supported by the Go team for external use,
but has been critical for Google's internal usage of Go. The Trail of Bits team found one vulnerability and one non-security relevant bug ,
both of which were results of the manual memory management required to
interact with a C library. Since the Go team does not support usage of
this code outside of Google, we have chosen not to issue a CVE or Go vulnerability database entry for this issue, but we fixed it in the Go 1.25 development
tree . The entire report is available as a PDF for those who enjoy a little light security reading.

======================================================================
Link to news story:
https://lwn.net/Articles/1021745/


--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)