From caca3bf427232cc608530e5e44cdc7794caf38bf Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 1 Dec 2025 12:17:58 -0800
Subject: Enable FIPS 140-3 compliant crypto by default (#7590)

* Enable FIPS 140-3 compliant crypto by default

Addresses #6889

- Enable GOEXPERIMENT=systemcrypto by default in all Makefiles
- Enable GOEXPERIMENT=systemcrypto by default in all Dockerfiles
- Go 1.24+ has native FIPS 140-3 support via this setting
- Users can disable by setting GOEXPERIMENT= (empty)

Algorithms used (all FIPS approved):
- AES-256-GCM for data encryption
- AES-256-CTR for SSE-C
- HMAC-SHA256 for S3 signatures
- TLS 1.2/1.3 for transport encryption

* Fix: Remove invalid GOEXPERIMENT=systemcrypto

Go 1.24 uses GODEBUG=fips140=on at runtime, not GOEXPERIMENT at build time.

- Remove GOEXPERIMENT=systemcrypto from all Makefiles
- Remove GOEXPERIMENT=systemcrypto from all Dockerfiles

FIPS 140-3 mode can be enabled at runtime:
  GODEBUG=fips140=on ./weed server ...

* Add FIPS 140-3 support enabled by default

Addresses #6889

- FIPS 140-3 mode is ON by default in Docker containers
- Sets GODEBUG=fips140=on via entrypoint.sh
- To disable: docker run -e GODEBUG=fips140=off ...
---
 docker/entrypoint.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index afbc5ef6e..822f2fa6e 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
 
+# Enable FIPS 140-3 mode by default (Go 1.24+)
+# To disable: docker run -e GODEBUG=fips140=off ...
+export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on"
+
 # Fix permissions for mounted volumes
 # If /data is mounted from host, it might have different ownership
 # Fix this by ensuring seaweed user owns the directory
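Review bot: the opt-out documented on the `# To disable: docker run -e GODEBUG=fips140=off ...` line is defeated by the `export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on"` line right below it. A container started with `-e GODEBUG=fips140=off` ends up with `GODEBUG=fips140=off,fips140=on`, and Go honours the last occurrence of a repeated GODEBUG setting, so FIPS mode is still on and the user gets no indication of it. Only append the default when the operator has not already set the knob, e.g. `case "$GODEBUG" in *fips140=*) ;; *) export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on" ;; esac`, and keep the comment in sync with whichever override path is actually supported. The `(Go 1.24+)` remark is also worth expanding: an unknown GODEBUG setting is silently ignored, so an image built with an older toolchain will start without FIPS mode and without any error, which argues for pinning the Go version in the build alongside this default.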