7 files changed, 40 insertions, 7 deletions

diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
index dabc67423dc..c40d4a0e484 100644
--- a/src/crypto/tls/boring.go
+++ b/src/crypto/tls/boring.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build boringcrypto
+
 package tls
 
 import (
@@ -124,5 +126,3 @@ func supportedSignatureAlgorithms() []SignatureScheme {
 	}
 	return fipsSupportedSignatureAlgorithms
 }
-
-var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
index 8dd477a0214..12a7d937cb3 100644
--- a/src/crypto/tls/boring_test.go
+++ b/src/crypto/tls/boring_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build boringcrypto
+
 package tls
 
 import (
diff --git a/src/crypto/tls/fipsonly/fipsonly.go b/src/crypto/tls/fipsonly/fipsonly.go
index 85b3532d26d..e5e47835e2f 100644
--- a/src/crypto/tls/fipsonly/fipsonly.go
+++ b/src/crypto/tls/fipsonly/fipsonly.go
@@ -2,13 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build boringcrypto
+
 // Package fipsonly restricts all TLS configuration to FIPS-approved settings.
 //
 // The effect is triggered by importing the package anywhere in a program, as in:
 //
 //	import _ "crypto/tls/fipsonly"
 //
-// This package only exists in the dev.boringcrypto branch of Go.
+// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
 package fipsonly
 
 // This functionality is provided as a side effect of an import to make
diff --git a/src/crypto/tls/fipsonly/fipsonly_test.go b/src/crypto/tls/fipsonly/fipsonly_test.go
index facd24807dc..f8485dc3ca1 100644
--- a/src/crypto/tls/fipsonly/fipsonly_test.go
+++ b/src/crypto/tls/fipsonly/fipsonly_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build boringcrypto
+
 package fipsonly
 
 import (
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index 7bf0f84417c..de19b7ede57 100644
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -34,6 +34,8 @@ type clientHandshakeState struct {
 	session      *ClientSessionState
 }
 
+var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
+
 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	config := c.config
 	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
@@ -859,13 +861,14 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 
 	if !c.config.InsecureSkipVerify {
 		opts := x509.VerifyOptions{
-			IsBoring: isBoringCertificate,
-
 			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
 			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}
+		if needFIPS() {
+			opts.IsBoring = isBoringCertificate
+		}
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 5db605681e4..2d71d0869a1 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -812,13 +812,14 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
 
 	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
 		opts := x509.VerifyOptions{
-			IsBoring: isBoringCertificate,
-
 			Roots:         c.config.ClientCAs,
 			CurrentTime:   c.config.time(),
 			Intermediates: x509.NewCertPool(),
 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		}
+		if needFIPS() {
+			opts.IsBoring = isBoringCertificate
+		}
 
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go
new file mode 100644
index 00000000000..d79ea21a0b4
--- /dev/null
+++ b/src/crypto/tls/notboring.go
@@ -0,0 +1,23 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !boringcrypto
+
+package tls
+
+import "crypto/x509"
+
+func needFIPS() bool { return false }
+
+func supportedSignatureAlgorithms() []SignatureScheme {
+	return defaultSupportedSignatureAlgorithms
+}
+
+func fipsMinVersion(c *Config) uint16              { panic("fipsMinVersion") }
+func fipsMaxVersion(c *Config) uint16              { panic("fipsMaxVersion") }
+func fipsCurvePreferences(c *Config) []CurveID     { panic("fipsCurvePreferences") }
+func fipsCipherSuites(c *Config) []uint16          { panic("fipsCipherSuites") }
+func isBoringCertificate(c *x509.Certificate) bool { panic("isBoringCertificate") }
+
+var fipsSupportedSignatureAlgorithms []SignatureScheme