Consolidates handling of FIPS 140-3 considerations for the tls package.
Considerations specific to certificates are now handled in tls instead
of x509 to limit the area-of-effect of FIPS as much as possible.
Boringcrypto specific prefixes are renamed as appropriate.
For #69536
Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I1b1fef83c3599e4c9b98ad81db582ac93253030b
Reviewed-on: https://go-review.googlesource.com/c/go/+/629675
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
* build(deps): bump github.com/quic-go/quic-go from 0.40.1 to 0.42.0
Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.40.1 to 0.42.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.40.1...v0.42.0)
---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
* update: remove dependency of quic-go
We now vendor the quicvarint submodule from quic-go for a minimal dependency tree.
This also updates the minimal Go version requirement to Go 1.21, given uTLS promised to support 2 most recent minor versions of Go.
Signed-off-by: Gaukas Wang <i@gaukas.wang>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Gaukas Wang <i@gaukas.wang>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gaukas Wang <i@gaukas.wang>
* ci: use latest Go 1.21 build
Use `1.21.x` instead of `1.21.0` to automatically select the latest.
* fix: remove unused fipsonly package
Remove an unused package that was unintendedly introduced as a conditional dependency of upstream
* update: use boring package not global var
Align with the upstream to use `boring` as a name for a package. No functional changes.
* new: name aliasing
Create u_alias.go to hold any alias names created by version upgrades or other necessary changes (e.g., upstream breaking change) to prevent further breaking the API.
* feat: byte to clienthellospecs conversion
* feat: specific case for GREASE and ALPS
Will automatically add "h2" to ALPS and write to log when GREASE extension is imported in `ImportTLSClientHello()`
* fix: ReadCompressionMethods
ReadCompressionMethods didn't advance the s and fails reading extensions
* fix: remove debug log
* fix: use cryptobyte for internal helper
`helper.Uint8to16()` now calls `(*cryptobyte.String).ReadUint16()`
* fix: preshared key fingerprinter test
updated fingerprinter test to test with PreSharedKey extension
* fix: naming of FakePreSharedKeyExt
It is a Fake extension since `crypto/tls` doesn't really implement PSK-based resumption and neither do we.
* feat: Properly check GREASE
Adopted from #148.
Co-Authored-By: gfw-report <gfw.report@protonmail.com>
* feat: add fakeExtensionEncryptThenMAC
And reordered `fakeExtensionDelegatedCredentials`.
The new `Fingerprinter` is expected to account for the `fakeExtensionEncryptThenMAC` using a `GenericExtension` when `allowBluntMimicry` is set.
Co-Authored-By: gfw-report <gfw.report@protonmail.com>
* fix: remove keepPSK and minor
- Removed all presence of keepPSK flag.
- Added check before using the field of a map.
---------
Co-authored-by: gfw-report <gfw.report@protonmail.com>
