diff options
Diffstat (limited to 'src/crypto/tls')
-rw-r--r-- | src/crypto/tls/boring.go | 4 | ||||
-rw-r--r-- | src/crypto/tls/boring_test.go | 2 | ||||
-rw-r--r-- | src/crypto/tls/fipsonly/fipsonly.go | 4 | ||||
-rw-r--r-- | src/crypto/tls/fipsonly/fipsonly_test.go | 2 | ||||
-rw-r--r-- | src/crypto/tls/handshake_client.go | 7 | ||||
-rw-r--r-- | src/crypto/tls/handshake_server.go | 5 | ||||
-rw-r--r-- | src/crypto/tls/notboring.go | 23 |
7 files changed, 40 insertions, 7 deletions
diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go index dabc67423dc..c40d4a0e484 100644 --- a/src/crypto/tls/boring.go +++ b/src/crypto/tls/boring.go @@ -2,6 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build boringcrypto + package tls import ( @@ -124,5 +126,3 @@ func supportedSignatureAlgorithms() []SignatureScheme { } return fipsSupportedSignatureAlgorithms } - -var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go index 8dd477a0214..12a7d937cb3 100644 --- a/src/crypto/tls/boring_test.go +++ b/src/crypto/tls/boring_test.go @@ -2,6 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build boringcrypto + package tls import ( diff --git a/src/crypto/tls/fipsonly/fipsonly.go b/src/crypto/tls/fipsonly/fipsonly.go index 85b3532d26d..e5e47835e2f 100644 --- a/src/crypto/tls/fipsonly/fipsonly.go +++ b/src/crypto/tls/fipsonly/fipsonly.go @@ -2,13 +2,15 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build boringcrypto + // Package fipsonly restricts all TLS configuration to FIPS-approved settings. // // The effect is triggered by importing the package anywhere in a program, as in: // // import _ "crypto/tls/fipsonly" // -// This package only exists in the dev.boringcrypto branch of Go. +// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto. package fipsonly // This functionality is provided as a side effect of an import to make diff --git a/src/crypto/tls/fipsonly/fipsonly_test.go b/src/crypto/tls/fipsonly/fipsonly_test.go index facd24807dc..f8485dc3ca1 100644 --- a/src/crypto/tls/fipsonly/fipsonly_test.go +++ b/src/crypto/tls/fipsonly/fipsonly_test.go @@ -2,6 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. +//go:build boringcrypto + package fipsonly import ( diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index 7bf0f84417c..de19b7ede57 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -34,6 +34,8 @@ type clientHandshakeState struct { session *ClientSessionState } +var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme + func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) { config := c.config if len(config.ServerName) == 0 && !config.InsecureSkipVerify { @@ -859,13 +861,14 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { if !c.config.InsecureSkipVerify { opts := x509.VerifyOptions{ - IsBoring: isBoringCertificate, - Roots: c.config.RootCAs, CurrentTime: c.config.time(), DNSName: c.config.ServerName, Intermediates: x509.NewCertPool(), } + if needFIPS() { + opts.IsBoring = isBoringCertificate + } for _, cert := range certs[1:] { opts.Intermediates.AddCert(cert) } diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go index 5db605681e4..2d71d0869a1 100644 --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@ -812,13 +812,14 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error { if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { opts := x509.VerifyOptions{ - IsBoring: isBoringCertificate, - Roots: c.config.ClientCAs, CurrentTime: c.config.time(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, } + if needFIPS() { + opts.IsBoring = isBoringCertificate + } for _, cert := range certs[1:] { opts.Intermediates.AddCert(cert) diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go new file mode 100644 index 00000000000..d79ea21a0b4 --- /dev/null +++ b/src/crypto/tls/notboring.go @@ -0,0 +1,23 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !boringcrypto + +package tls + +import "crypto/x509" + +func needFIPS() bool { return false } + +func supportedSignatureAlgorithms() []SignatureScheme { + return defaultSupportedSignatureAlgorithms +} + +func fipsMinVersion(c *Config) uint16 { panic("fipsMinVersion") } +func fipsMaxVersion(c *Config) uint16 { panic("fipsMaxVersion") } +func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") } +func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") } +func isBoringCertificate(c *x509.Certificate) bool { panic("isBoringCertificate") } + +var fipsSupportedSignatureAlgorithms []SignatureScheme |