[dev.boringcrypto] all: add boringcrypto build tags

A plain make.bash in this tree will produce a working, standard Go toolchain, not a BoringCrypto-enabled one. The BoringCrypto-enabled one will be created with: GOEXPERIMENT=boringcrypto ./make.bash For #51940. Change-Id: Ia9102ed993242eb1cb7f9b93eca97e81986a27b3 Reviewed-on: https://go-review.googlesource.com/c/go/+/395881 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2025-04-03 03:57:36 +03:00 · 2022-04-27 09:02:52 -04:00 · 2022-04-27 09:02:52 -04:00 · f9f1229355
commit f9f1229355
parent 707ce18f5e
7 changed files with 40 additions and 7 deletions
--- a/boring.go
+++ b/boring.go
@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build boringcrypto
+
 package tls

 import (
@ -124,5 +126,3 @@ func supportedSignatureAlgorithms() []SignatureScheme {
 	}
 	return fipsSupportedSignatureAlgorithms
 }
-
-var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
--- a/boring_test.go
+++ b/boring_test.go
@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build boringcrypto
+
 package tls

 import (
--- a/fipsonly/fipsonly.go
+++ b/fipsonly/fipsonly.go
@ -2,13 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build boringcrypto
+
 // Package fipsonly restricts all TLS configuration to FIPS-approved settings.
 //
 // The effect is triggered by importing the package anywhere in a program, as in:
 //
 //	import _ "crypto/tls/fipsonly"
 //
-// This package only exists in the dev.boringcrypto branch of Go.
+// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
 package fipsonly

 // This functionality is provided as a side effect of an import to make
--- a/fipsonly/fipsonly_test.go
+++ b/fipsonly/fipsonly_test.go
@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build boringcrypto
+
 package fipsonly

 import (
--- a/handshake_client.go
+++ b/handshake_client.go
@ -34,6 +34,8 @@ type clientHandshakeState struct {
 	session      *ClientSessionState
 }

+var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
+
 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	config := c.config
 	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
@ -859,13 +861,14 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {

 	if !c.config.InsecureSkipVerify {
 		opts := x509.VerifyOptions{
-			IsBoring: isBoringCertificate,
-
 			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
 			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}
+		if needFIPS() {
+			opts.IsBoring = isBoringCertificate
+		}
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
--- a/handshake_server.go
+++ b/handshake_server.go
@ -812,13 +812,14 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {

 	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
 		opts := x509.VerifyOptions{
-			IsBoring: isBoringCertificate,
-
 			Roots:         c.config.ClientCAs,
 			CurrentTime:   c.config.time(),
 			Intermediates: x509.NewCertPool(),
 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		}
+		if needFIPS() {
+			opts.IsBoring = isBoringCertificate
+		}

 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
--- a/notboring.go
+++ b/notboring.go
@ -0,0 +1,23 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !boringcrypto
+
+package tls
+
+import "crypto/x509"
+
+func needFIPS() bool { return false }
+
+func supportedSignatureAlgorithms() []SignatureScheme {
+	return defaultSupportedSignatureAlgorithms
+}
+
+func fipsMinVersion(c *Config) uint16              { panic("fipsMinVersion") }
+func fipsMaxVersion(c *Config) uint16              { panic("fipsMaxVersion") }
+func fipsCurvePreferences(c *Config) []CurveID     { panic("fipsCurvePreferences") }
+func fipsCipherSuites(c *Config) []uint16          { panic("fipsCipherSuites") }
+func isBoringCertificate(c *x509.Certificate) bool { panic("isBoringCertificate") }
+
+var fipsSupportedSignatureAlgorithms []SignatureScheme