mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 20:47:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

[dev.boringcrypto] all: add boringcrypto build tags

Browse source 
A plain make.bash in this tree will produce a working,
standard Go toolchain, not a BoringCrypto-enabled one.

The BoringCrypto-enabled one will be created with:

	GOEXPERIMENT=boringcrypto ./make.bash

For #51940.

Change-Id: Ia9102ed993242eb1cb7f9b93eca97e81986a27b3
Reviewed-on: https://go-review.googlesource.com/c/go/+/395881
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
This commit is contained in:
Russ Cox 2022-04-27 09:02:52 -04:00
parent 707ce18f5e
commit f9f1229355
7 changed files with 40 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

4
boring.go
View file

@ -2,6 +2,8 @@
// Use of this source code is governed by a BSD-style // Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file. // license that can be found in the LICENSE file.
//go:build boringcrypto
package tls package tls
import ( import (
@ -124,5 +126,3 @@ func supportedSignatureAlgorithms() []SignatureScheme {
} }
return fipsSupportedSignatureAlgorithms return fipsSupportedSignatureAlgorithms
} }
var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme

2
boring_test.go
View file

@ -2,6 +2,8 @@
// Use of this source code is governed by a BSD-style // Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file. // license that can be found in the LICENSE file.
//go:build boringcrypto
package tls package tls
import ( import (

4
fipsonly/fipsonly.go
View file

@ -2,13 +2,15 @@
// Use of this source code is governed by a BSD-style // Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file. // license that can be found in the LICENSE file.
//go:build boringcrypto
// Package fipsonly restricts all TLS configuration to FIPS-approved settings. // Package fipsonly restricts all TLS configuration to FIPS-approved settings.
// //
// The effect is triggered by importing the package anywhere in a program, as in: // The effect is triggered by importing the package anywhere in a program, as in:
// //
// import _ "crypto/tls/fipsonly" // import _ "crypto/tls/fipsonly"
// //
// This package only exists in the dev.boringcrypto branch of Go. // This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
package fipsonly package fipsonly
// This functionality is provided as a side effect of an import to make // This functionality is provided as a side effect of an import to make

2
fipsonly/fipsonly_test.go
View file

@ -2,6 +2,8 @@
// Use of this source code is governed by a BSD-style // Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file. // license that can be found in the LICENSE file.
//go:build boringcrypto
package fipsonly package fipsonly
import ( import (

7
handshake_client.go
View file

@ -34,6 +34,8 @@ type clientHandshakeState struct {
session *ClientSessionState session *ClientSessionState
} }
var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) { func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
config := c.config config := c.config
if len(config.ServerName) == 0 && !config.InsecureSkipVerify { if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
@ -859,13 +861,14 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
if !c.config.InsecureSkipVerify { if !c.config.InsecureSkipVerify {
opts := x509.VerifyOptions{ opts := x509.VerifyOptions{
IsBoring: isBoringCertificate,
Roots: c.config.RootCAs, Roots: c.config.RootCAs,
CurrentTime: c.config.time(), CurrentTime: c.config.time(),
DNSName: c.config.ServerName, DNSName: c.config.ServerName,
Intermediates: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
} }
if needFIPS() {
opts.IsBoring = isBoringCertificate
}
for _, cert := range certs[1:] { for _, cert := range certs[1:] {
opts.Intermediates.AddCert(cert) opts.Intermediates.AddCert(cert)
} }

5
handshake_server.go
View file

@ -812,13 +812,14 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
opts := x509.VerifyOptions{ opts := x509.VerifyOptions{
IsBoring: isBoringCertificate,
Roots: c.config.ClientCAs, Roots: c.config.ClientCAs,
CurrentTime: c.config.time(), CurrentTime: c.config.time(),
Intermediates: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
} }
if needFIPS() {
opts.IsBoring = isBoringCertificate
}
for _, cert := range certs[1:] { for _, cert := range certs[1:] {
opts.Intermediates.AddCert(cert) opts.Intermediates.AddCert(cert)

23
notboring.go Normal file
View file

@ -0,0 +1,23 @@
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build !boringcrypto
package tls
import "crypto/x509"
func needFIPS() bool { return false }
func supportedSignatureAlgorithms() []SignatureScheme {
return defaultSupportedSignatureAlgorithms
}
func fipsMinVersion(c *Config) uint16 { panic("fipsMinVersion") }
func fipsMaxVersion(c *Config) uint16 { panic("fipsMaxVersion") }
func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") }
func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") }
func isBoringCertificate(c *x509.Certificate) bool { panic("isBoringCertificate") }
var fipsSupportedSignatureAlgorithms []SignatureScheme