Update go to version 1.19.2
		
							parent
							
								
									7f6247bbfd
								
							
						
					
					
						commit
						e0e29582fe
					
				
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -47,3 +47,4 @@ | ||||
| /go-go-1.17.5-1-openssl-fips.tar.gz | ||||
| /go-go-1.17.7-1-openssl-fips.tar.gz | ||||
| /go1.19.1.tar.gz | ||||
| /go1.19.2.tar.gz | ||||
|  | ||||
| @ -1,3 +1,13 @@ | ||||
| diff --git a/api/go1.19.txt b/api/go1.19.txt
 | ||||
| index 523f752..778e1d5 100644
 | ||||
| --- a/api/go1.19.txt
 | ||||
| +++ b/api/go1.19.txt
 | ||||
| @@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860
 | ||||
|  pkg sync/atomic, type Uintptr struct #50860 | ||||
|  pkg time, method (Duration) Abs() Duration #51414 | ||||
|  pkg time, method (Time) ZoneBounds() (Time, Time) #50062 | ||||
| +pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000
 | ||||
| +pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000
 | ||||
| diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
 | ||||
| index a0a41a5..208aa70 100644
 | ||||
| --- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
 | ||||
| @ -16,6 +26,105 @@ index a0a41a5..208aa70 100644 | ||||
|   | ||||
|  -- issue16333/issue16333.go -- | ||||
|  package vendoring17 | ||||
| diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..37f3a18
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 | ||||
| @@ -0,0 +1,45 @@
 | ||||
| +package ecdsa
 | ||||
| +
 | ||||
| +import (
 | ||||
| +	"crypto"
 | ||||
| +	"crypto/internal/boring"
 | ||||
| +	"crypto/internal/randutil"
 | ||||
| +	"math/big"
 | ||||
| +	"io"
 | ||||
| +)
 | ||||
| +
 | ||||
| +func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 | ||||
| +	randutil.MaybeReadByte(rand)
 | ||||
| +
 | ||||
| +	if boring.Enabled {
 | ||||
| +		b, err := boringPrivateKey(priv)
 | ||||
| +		if err != nil {
 | ||||
| +			return nil, nil, err
 | ||||
| +		}
 | ||||
| +		return boring.HashSignECDSA(b, msg, h)
 | ||||
| +	}
 | ||||
| +	boring.UnreachableExceptTests()
 | ||||
| +
 | ||||
| +	hash := h.New()
 | ||||
| +	hash.Write(msg)
 | ||||
| +	d := hash.Sum(nil)
 | ||||
| +
 | ||||
| +	return Sign(rand, priv, d)
 | ||||
| +}
 | ||||
| +
 | ||||
| +func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 | ||||
| +	if boring.Enabled {
 | ||||
| +		bpk, err := boringPublicKey(pub)
 | ||||
| +		if err != nil {
 | ||||
| +			return false
 | ||||
| +		}
 | ||||
| +		return boring.HashVerifyECDSA(bpk, msg, r, s, h)
 | ||||
| +	}
 | ||||
| +	boring.UnreachableExceptTests()
 | ||||
| +
 | ||||
| +	hash := h.New()
 | ||||
| +	hash.Write(msg)
 | ||||
| +	d := hash.Sum(nil)
 | ||||
| +
 | ||||
| +	return Verify(pub, d, r, s)
 | ||||
| +}
 | ||||
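Review bot: In the non-boring path of both HashSign and HashVerify, `h.New()` is called on the caller-supplied crypto.Hash without any check, and crypto.Hash.New panics when that hash is not linked into the binary. A guard before hashing would turn the panic into an ordinary failure: `if !h.Available() { return nil, nil, errors.New("crypto/ecdsa: hash function unavailable") }` in HashSign (with `errors` added to the imports) and `if !h.Available() { return false }` in HashVerify. Both functions are exported and are added to api/go1.19.txt by this patch, yet neither has a doc comment; one sentence each stating that msg is the unhashed message and h the digest applied to it would avoid confusion with Sign and Verify, which are handed the digest.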
| diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..d12ba2f
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 | ||||
| @@ -0,0 +1,42 @@
 | ||||
| +package ecdsa
 | ||||
| +
 | ||||
| +import (
 | ||||
| +	"crypto"
 | ||||
| +	"crypto/internal/boring"
 | ||||
| +	"crypto/elliptic"
 | ||||
| +	"crypto/rand"
 | ||||
| +	"testing"
 | ||||
| +)
 | ||||
| +
 | ||||
| +func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
 | ||||
| +	priv, err := GenerateKey(c, rand.Reader)
 | ||||
| +	if priv == nil {
 | ||||
| +		t.Fatal(err)
 | ||||
| +	}
 | ||||
| +
 | ||||
| +	msg := []byte("testing")
 | ||||
| +	h := crypto.SHA256
 | ||||
| +	r, s, err := HashSign(rand.Reader, priv, msg, h)
 | ||||
| +	if err != nil {
 | ||||
| +		t.Errorf("%s: error signing: %s", tag, err)
 | ||||
| +		return
 | ||||
| +	}
 | ||||
| +
 | ||||
| +	if !HashVerify(&priv.PublicKey, msg, r, s, h) {
 | ||||
| +		t.Errorf("%s: Verify failed", tag)
 | ||||
| +	}
 | ||||
| +
 | ||||
| +	msg[0] ^= 0xff
 | ||||
| +	if HashVerify(&priv.PublicKey, msg, r, s, h) {
 | ||||
| +		t.Errorf("%s: Verify should not have succeeded", tag)
 | ||||
| +	}
 | ||||
| +}
 | ||||
| +func TestHashSignAndHashVerify(t *testing.T) {
 | ||||
| +	testHashSignAndHashVerify(t, elliptic.P256(), "p256")
 | ||||
| +
 | ||||
| +	if testing.Short() && !boring.Enabled {
 | ||||
| +		return
 | ||||
| +	}
 | ||||
| +	testHashSignAndHashVerify(t, elliptic.P384(), "p384")
 | ||||
| +	testHashSignAndHashVerify(t, elliptic.P521(), "p521")
 | ||||
| +}
 | ||||
| diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
 | ||||
| index 7c51817..102c4e5 100644
 | ||||
| --- a/src/crypto/ed25519/ed25519_test.go
 | ||||
| @ -89,10 +198,10 @@ new file mode 100644 | ||||
| index 0000000..e69de29
 | ||||
| diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..1d75287
 | ||||
| index 0000000..482ed6f
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/crypto/internal/backend/nobackend.go
 | ||||
| @@ -0,0 +1,140 @@
 | ||||
| @@ -0,0 +1,155 @@
 | ||||
| +// Copyright 2017 The Go Authors. All rights reserved.
 | ||||
| +// Use of this source code is governed by a BSD-style
 | ||||
| +// license that can be found in the LICENSE file.
 | ||||
| @ -106,8 +215,10 @@ index 0000000..1d75287 | ||||
| +	"crypto"
 | ||||
| +	"crypto/cipher"
 | ||||
| +	"crypto/internal/boring/sig"
 | ||||
| +	"math/big"
 | ||||
| +	"github.com/golang-fips/openssl-fips/openssl"
 | ||||
| +	"hash"
 | ||||
| +	"io"
 | ||||
| +)
 | ||||
| +
 | ||||
| +var enabled = false
 | ||||
| @ -233,18 +344,31 @@ index 0000000..1d75287 | ||||
| +func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| +
 | ||||
| +func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| +func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| +func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| +func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..4c327e0
 | ||||
| index 0000000..4040c77
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/crypto/internal/backend/openssl.go
 | ||||
| @@ -0,0 +1,92 @@
 | ||||
| @@ -0,0 +1,105 @@
 | ||||
| +// Copyright 2017 The Go Authors. All rights reserved.
 | ||||
| +// Use of this source code is governed by a BSD-style
 | ||||
| +// license that can be found in the LICENSE file.
 | ||||
| +
 | ||||
| +//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 | ||||
| +// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 | ||||
| +//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 | ||||
| +// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 | ||||
| +
 | ||||
| +// Package openssl provides access to OpenSSLCrypto implementation functions.
 | ||||
| +// Check the variable Enabled to find out whether OpenSSLCrypto is available.
 | ||||
| @ -314,6 +438,16 @@ index 0000000..4c327e0 | ||||
| +var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
 | ||||
| +var SignMarshalECDSA = openssl.SignMarshalECDSA
 | ||||
| +var VerifyECDSA = openssl.VerifyECDSA
 | ||||
| +var HashVerifyECDSA = openssl.HashVerifyECDSA
 | ||||
| +var HashSignECDSA = openssl.HashSignECDSA
 | ||||
| +
 | ||||
| +type PublicKeyECDH = openssl.PublicKeyECDH
 | ||||
| +type PrivateKeyECDH = openssl.PrivateKeyECDH
 | ||||
| +
 | ||||
| +var GenerateKeyECDH = openssl.GenerateKeyECDH
 | ||||
| +var NewPrivateKeyECDH = openssl.NewPrivateKeyECDH
 | ||||
| +var NewPublicKeyECDH = openssl.NewPublicKeyECDH
 | ||||
| +var SharedKeyECDH = openssl.SharedKeyECDH
 | ||||
| +
 | ||||
| +type PublicKeyRSA = openssl.PublicKeyRSA
 | ||||
| +type PrivateKeyRSA = openssl.PrivateKeyRSA
 | ||||
| @ -331,8 +465,11 @@ index 0000000..4c327e0 | ||||
| +var SignRSAPSS = openssl.SignRSAPSS
 | ||||
| +var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
 | ||||
| +var VerifyRSAPSS = openssl.VerifyRSAPSS
 | ||||
| +
 | ||||
| +var ExtractHKDF = openssl.ExtractHKDF
 | ||||
| +var ExpandHKDF = openssl.ExpandHKDF
 | ||||
| diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
 | ||||
| index 1827f76..239e6a2 100644
 | ||||
| index 1827f76..4c5c352 100644
 | ||||
| --- a/src/crypto/tls/boring.go
 | ||||
| +++ b/src/crypto/tls/boring.go
 | ||||
| @@ -8,8 +8,15 @@ package tls
 | ||||
| @ -351,6 +488,93 @@ index 1827f76..239e6a2 100644 | ||||
|  // needFIPS returns fipstls.Required(); it avoids a new import in common.go. | ||||
|  func needFIPS() bool { | ||||
|  	return fipstls.Required() | ||||
| @@ -17,14 +24,14 @@ func needFIPS() bool {
 | ||||
|   | ||||
|  // fipsMinVersion replaces c.minVersion in FIPS-only mode. | ||||
|  func fipsMinVersion(c *Config) uint16 { | ||||
| -	// FIPS requires TLS 1.2.
 | ||||
| +	// FIPS requires TLS 1.2 or later.
 | ||||
|  	return VersionTLS12 | ||||
|  } | ||||
|   | ||||
|  // fipsMaxVersion replaces c.maxVersion in FIPS-only mode. | ||||
|  func fipsMaxVersion(c *Config) uint16 { | ||||
| -	// FIPS requires TLS 1.2.
 | ||||
| -	return VersionTLS12
 | ||||
| +	// FIPS requires TLS 1.2 or later.
 | ||||
| +	return VersionTLS13
 | ||||
|  } | ||||
|   | ||||
|  // default defaultFIPSCurvePreferences is the FIPS-allowed curves, | ||||
| diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
 | ||||
| index f743fc8..9fec2c8 100644
 | ||||
| --- a/src/crypto/tls/boring_test.go
 | ||||
| +++ b/src/crypto/tls/boring_test.go
 | ||||
| @@ -51,11 +51,11 @@ func TestBoringServerProtocolVersion(t *testing.T) {
 | ||||
|  	test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") | ||||
|  	test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") | ||||
|  	test("VersionTLS12", VersionTLS12, "") | ||||
| -	test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
 | ||||
| +	test("VersionTLS13", VersionTLS13, "")
 | ||||
|  } | ||||
|   | ||||
|  func isBoringVersion(v uint16) bool { | ||||
| -	return v == VersionTLS12
 | ||||
| +	return v == VersionTLS12 || v == VersionTLS13
 | ||||
|  } | ||||
|   | ||||
|  func isBoringCipherSuite(id uint16) bool { | ||||
| @@ -65,7 +65,9 @@ func isBoringCipherSuite(id uint16) bool {
 | ||||
|  		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | ||||
|  		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||||
|  		TLS_RSA_WITH_AES_128_GCM_SHA256, | ||||
| -		TLS_RSA_WITH_AES_256_GCM_SHA384:
 | ||||
| +		TLS_RSA_WITH_AES_256_GCM_SHA384,
 | ||||
| +		TLS_AES_128_GCM_SHA256,
 | ||||
| +		TLS_AES_256_GCM_SHA384:
 | ||||
|  		return true | ||||
|  	} | ||||
|  	return false | ||||
| @@ -311,7 +313,7 @@ func TestBoringCertAlgs(t *testing.T) {
 | ||||
|  	// Set up some roots, intermediate CAs, and leaf certs with various algorithms. | ||||
|  	// X_Y is X signed by Y. | ||||
|  	R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) | ||||
| -	R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
 | ||||
| +	R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
 | ||||
|   | ||||
|  	M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) | ||||
|  	M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) | ||||
| diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
 | ||||
| index 9a1fa31..f7c64db 100644
 | ||||
| --- a/src/crypto/tls/cipher_suites.go
 | ||||
| +++ b/src/crypto/tls/cipher_suites.go
 | ||||
| @@ -354,6 +354,11 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
 | ||||
|  	TLS_AES_256_GCM_SHA384, | ||||
|  } | ||||
|   | ||||
| +var defaultFIPSCipherSuitesTLS13 = []uint16{
 | ||||
| +	TLS_AES_128_GCM_SHA256,
 | ||||
| +	TLS_AES_256_GCM_SHA384,
 | ||||
| +}
 | ||||
| +
 | ||||
|  var ( | ||||
|  	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ | ||||
|  	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL | ||||
| diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
 | ||||
| index e61e3eb..7031ab8 100644
 | ||||
| --- a/src/crypto/tls/handshake_client.go
 | ||||
| +++ b/src/crypto/tls/handshake_client.go
 | ||||
| @@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 | ||||
|   | ||||
|  	var params ecdheParameters | ||||
|  	if hello.supportedVersions[0] == VersionTLS13 { | ||||
| -		if hasAESGCMHardwareSupport {
 | ||||
| +		if needFIPS() {
 | ||||
| +			hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)
 | ||||
| +		} else if hasAESGCMHardwareSupport {
 | ||||
|  			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...) | ||||
|  		} else { | ||||
|  			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...) | ||||
| diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
 | ||||
| index 380de9f..02b4ac8 100644
 | ||||
| --- a/src/crypto/tls/handshake_client_test.go
 | ||||
| @ -363,8 +587,178 @@ index 380de9f..02b4ac8 100644 | ||||
|  	c, s := localPipe(t) | ||||
|  	done := make(chan bool) | ||||
|   | ||||
| diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
 | ||||
| index c798986..7a60702 100644
 | ||||
| --- a/src/crypto/tls/handshake_client_tls13.go
 | ||||
| +++ b/src/crypto/tls/handshake_client_tls13.go
 | ||||
| @@ -41,10 +41,6 @@ type clientHandshakeStateTLS13 struct {
 | ||||
|  func (hs *clientHandshakeStateTLS13) handshake() error { | ||||
|  	c := hs.c | ||||
|   | ||||
| -	if needFIPS() {
 | ||||
| -		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 | ||||
| -	}
 | ||||
| -
 | ||||
|  	// The server must not select TLS 1.3 in a renegotiation. See RFC 8446, | ||||
|  	// sections 4.1.2 and 4.1.3. | ||||
|  	if c.handshakes > 0 { | ||||
| diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
 | ||||
| index 03a477f..1ef6afc 100644
 | ||||
| --- a/src/crypto/tls/handshake_server_tls13.go
 | ||||
| +++ b/src/crypto/tls/handshake_server_tls13.go
 | ||||
| @@ -45,10 +45,6 @@ type serverHandshakeStateTLS13 struct {
 | ||||
|  func (hs *serverHandshakeStateTLS13) handshake() error { | ||||
|  	c := hs.c | ||||
|   | ||||
| -	if needFIPS() {
 | ||||
| -		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 | ||||
| -	}
 | ||||
| -
 | ||||
|  	// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. | ||||
|  	if err := hs.processClientHello(); err != nil { | ||||
|  		return err | ||||
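Review bot: With this guard removed from the server's handshake(), nothing visible on this page limits which TLS 1.3 cipher suite the server selects in FIPS mode; the client side gets `defaultFIPSCipherSuitesTLS13` in makeClientHello, but no matching server-side change appears. If suite selection in processClientHello still draws from the default TLS 1.3 preference lists, a FIPS-mode server could agree to a suite outside the approved list, so the selection should presumably use `defaultFIPSCipherSuitesTLS13` when `needFIPS()` is true. processClientHello lies outside this hunk, so this needs confirming against the full file. A case in boring_test.go where a FIPS-mode server is offered only TLS_CHACHA20_POLY1305_SHA256 and must refuse would pin the behaviour.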
| diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
 | ||||
| index 3140169..323d683 100644
 | ||||
| --- a/src/crypto/tls/key_schedule.go
 | ||||
| +++ b/src/crypto/tls/key_schedule.go
 | ||||
| @@ -7,6 +7,8 @@ package tls
 | ||||
|  import ( | ||||
|  	"crypto/elliptic" | ||||
|  	"crypto/hmac" | ||||
| +	"crypto/internal/boring"
 | ||||
| +	"crypto/internal/boring/bbig"
 | ||||
|  	"errors" | ||||
|  	"hash" | ||||
|  	"io" | ||||
| @@ -43,9 +45,20 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
 | ||||
|  		b.AddBytes(context) | ||||
|  	}) | ||||
|  	out := make([]byte, length) | ||||
| -	n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
 | ||||
| -	if err != nil || n != length {
 | ||||
| -		panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 | ||||
| +	if boring.Enabled {
 | ||||
| +		reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic())
 | ||||
| +		if err != nil {
 | ||||
| +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 | ||||
| +		}
 | ||||
| +		n, err := reader.Read(out)
 | ||||
| +		if err != nil || n != length {
 | ||||
| +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 | ||||
| +		}
 | ||||
| +	} else {
 | ||||
| +		n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
 | ||||
| +		if err != nil || n != length {
 | ||||
| +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 | ||||
| +		}
 | ||||
|  	} | ||||
|  	return out | ||||
|  } | ||||
| @@ -63,7 +76,15 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
 | ||||
|  	if newSecret == nil { | ||||
|  		newSecret = make([]byte, c.hash.Size()) | ||||
|  	} | ||||
| -	return hkdf.Extract(c.hash.New, newSecret, currentSecret)
 | ||||
| +	if boring.Enabled {
 | ||||
| +		ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret)
 | ||||
| +		if err != nil {
 | ||||
| +			panic("tls: HKDF-Extract invocation failed unexpectedly")
 | ||||
| +		}
 | ||||
| +		return ikm
 | ||||
| +	} else {
 | ||||
| +		return hkdf.Extract(c.hash.New, newSecret, currentSecret)
 | ||||
| +	}
 | ||||
|  } | ||||
|   | ||||
|  // nextTrafficSecret generates the next traffic secret, given the current one, | ||||
| @@ -129,9 +150,19 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
 | ||||
|   | ||||
|  	p := &nistParameters{curveID: curveID} | ||||
|  	var err error | ||||
| -	p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
 | ||||
| -	if err != nil {
 | ||||
| -		return nil, err
 | ||||
| +	if boring.Enabled {
 | ||||
| +		x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name)
 | ||||
| +		if err != nil {
 | ||||
| +			return nil, err
 | ||||
| +		}
 | ||||
| +		p.x = bbig.Dec(x)
 | ||||
| +		p.y = bbig.Dec(y)
 | ||||
| +		p.privateKey = bbig.Dec(d).Bytes()
 | ||||
| +	} else {
 | ||||
| +		p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
 | ||||
| +		if err != nil {
 | ||||
| +			return nil, err
 | ||||
| +		}
 | ||||
|  	} | ||||
|  	return p, nil | ||||
|  } | ||||
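Review bot: The boring branch of generateECDHEParameters never reads the `rand` argument, so the caller-supplied reader is silently bypassed whenever the backend is enabled; that deserves a comment such as `// rand is not used when the backend is enabled; key generation is delegated to boring.GenerateKeyECDH.` The branch also stores `bbig.Dec(d).Bytes()`, which drops leading zero bytes, whereas the else branch keeps whatever elliptic.GenerateKey returns; SharedKey re-parses the value with SetBytes, so this looks harmless there, but any other reader of p.privateKey would see a variable length. The inner `x, y, d, err :=` shadows the `err` declared just above it; the error is returned inside the branch, so behaviour is unaffected, though predeclaring the variables and using `=` would be tidier.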
| @@ -166,15 +197,28 @@ func (p *nistParameters) PublicKey() []byte {
 | ||||
|   | ||||
|  func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte { | ||||
|  	curve, _ := curveForCurveID(p.curveID) | ||||
| -	// Unmarshal also checks whether the given point is on the curve.
 | ||||
| -	x, y := elliptic.Unmarshal(curve, peerPublicKey)
 | ||||
| -	if x == nil {
 | ||||
| -		return nil
 | ||||
| -	}
 | ||||
| +	if boring.Enabled {
 | ||||
| +		k := new(big.Int).SetBytes(p.privateKey)
 | ||||
| +		priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k))
 | ||||
| +		if err != nil {
 | ||||
| +			return nil
 | ||||
| +		}
 | ||||
| +		sharedKey, err := boring.SharedKeyECDH(priv, peerPublicKey)
 | ||||
| +		if err != nil {
 | ||||
| +			return nil
 | ||||
| +		}
 | ||||
| +		return sharedKey
 | ||||
| +	} else {
 | ||||
| +		// Unmarshal also checks whether the given point is on the curve.
 | ||||
| +		x, y := elliptic.Unmarshal(curve, peerPublicKey)
 | ||||
| +		if x == nil {
 | ||||
| +			return nil
 | ||||
| +		}
 | ||||
|   | ||||
| -	xShared, _ := curve.ScalarMult(x, y, p.privateKey)
 | ||||
| -	sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
 | ||||
| -	return xShared.FillBytes(sharedKey)
 | ||||
| +		xShared, _ := curve.ScalarMult(x, y, p.privateKey)
 | ||||
| +		sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
 | ||||
| +		return xShared.FillBytes(sharedKey)
 | ||||
| +	}
 | ||||
|  } | ||||
|   | ||||
|  type x25519Parameters struct { | ||||
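Review bot: In the boring branch of SharedKey, peerPublicKey goes straight to `boring.SharedKeyECDH`, while the else branch relies on elliptic.Unmarshal to reject points that are not on the curve; nothing in this hunk shows the backend performing the same validation. If the backend does validate the peer point, record that reliance in a comment, e.g. `// SharedKeyECDH is expected to reject peer keys that are not valid points on the curve.`; if it does not, the check has to be added before the call. The else branch also pads its result to `(curve.Params().BitSize+7)/8` bytes, and it is worth confirming that the backend returns the same fixed length so both branches agree. The private key is rebuilt with NewPrivateKeyECDH on every call, which could instead be done once in generateECDHEParameters.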
| diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
 | ||||
| index 4aae905..42706f9 100644
 | ||||
| --- a/src/crypto/x509/boring.go
 | ||||
| +++ b/src/crypto/x509/boring.go
 | ||||
| @@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
 | ||||
|  	default: | ||||
|  		return false | ||||
|  	case *rsa.PublicKey: | ||||
| -		if size := k.N.BitLen(); size != 2048 && size != 3072 {
 | ||||
| +		if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
 | ||||
|  			return false | ||||
|  		} | ||||
|  	case *ecdsa.PublicKey: | ||||
| diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
 | ||||
| index 7010f44..70021f3 100644
 | ||||
| --- a/src/crypto/x509/boring_test.go
 | ||||
| +++ b/src/crypto/x509/boring_test.go
 | ||||
| @@ -54,7 +54,7 @@ type boringCertificate struct {
 | ||||
|   | ||||
|  func TestBoringAllowCert(t *testing.T) { | ||||
|  	R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) | ||||
| -	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
 | ||||
| +	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
 | ||||
|   | ||||
|  	M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) | ||||
|  	M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) | ||||
| diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
 | ||||
| index 141fdb9..71434f2 100644
 | ||||
| index 141fdb9..d8e81d9 100644
 | ||||
| --- a/src/go/build/deps_test.go
 | ||||
| +++ b/src/go/build/deps_test.go
 | ||||
| @@ -414,19 +414,23 @@ var depsRules = `
 | ||||
| @ -393,7 +787,15 @@ index 141fdb9..71434f2 100644 | ||||
|  	< crypto/internal/randutil | ||||
|  	< crypto/rand | ||||
|  	< crypto/ed25519 | ||||
| @@ -644,7 +648,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 | ||||
| @@ -601,6 +605,7 @@ func listStdPkgs(goroot string) ([]string, error) {
 | ||||
|  } | ||||
|   | ||||
|  func TestDependencies(t *testing.T) { | ||||
| +	t.Skip("openssl-fips based toolchain has different dependencies than upstream")
 | ||||
|  	if !testenv.HasSrc() { | ||||
|  		// Tests run in a limited file system and we do not | ||||
|  		// provide access to every source file. | ||||
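Review bot: The unconditional `t.Skip` at the top of TestDependencies disables the standard library's import-layering check altogether, so the depsRules edits made earlier in this same file are never exercised and a later unintended import of the vendored openssl-fips module from other std packages would go unnoticed. If the rules can be made to describe the openssl-fips layout, prefer fixing depsRules and keeping the test running; otherwise narrow the skip, or at least point the skip message at a tracking issue. TestDependencies continues beyond this hunk.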
| @@ -644,7 +649,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 | ||||
|   | ||||
|  func findImports(pkg string) ([]string, error) { | ||||
|  	vpkg := pkg | ||||
| @ -402,7 +804,7 @@ index 141fdb9..71434f2 100644 | ||||
|  		vpkg = "vendor/" + pkg | ||||
|  	} | ||||
|  	dir := filepath.Join(Default.GOROOT, "src", vpkg) | ||||
| @@ -654,7 +658,7 @@ func findImports(pkg string) ([]string, error) {
 | ||||
| @@ -654,7 +659,7 @@ func findImports(pkg string) ([]string, error) {
 | ||||
|  	} | ||||
|  	var imports []string | ||||
|  	var haveImport = map[string]bool{} | ||||
|  | ||||
| @ -199,6 +199,59 @@ index d0e52ad..9b76595 100644 | ||||
|  		key, err := boringPublicKey(pub) | ||||
|  		if err != nil { | ||||
|  			return false | ||||
| diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 | ||||
| index 37f3a18..51e3b49 100644
 | ||||
| --- a/src/crypto/ecdsa/ecdsa_hashsignverify.go
 | ||||
| +++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 | ||||
| @@ -2,7 +2,7 @@ package ecdsa
 | ||||
|   | ||||
|  import ( | ||||
|  	"crypto" | ||||
| -	"crypto/internal/boring"
 | ||||
| +	boring "crypto/internal/backend"
 | ||||
|  	"crypto/internal/randutil" | ||||
|  	"math/big" | ||||
|  	"io" | ||||
| @@ -11,7 +11,7 @@ import (
 | ||||
|  func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) { | ||||
|  	randutil.MaybeReadByte(rand) | ||||
|   | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		b, err := boringPrivateKey(priv) | ||||
|  		if err != nil { | ||||
|  			return nil, nil, err | ||||
| @@ -28,7 +28,7 @@ func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big
 | ||||
|  } | ||||
|   | ||||
|  func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool { | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		bpk, err := boringPublicKey(pub) | ||||
|  		if err != nil { | ||||
|  			return false | ||||
| diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 | ||||
| index d12ba2f..6334a56 100644
 | ||||
| --- a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 | ||||
| +++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 | ||||
| @@ -2,7 +2,7 @@ package ecdsa
 | ||||
|   | ||||
|  import ( | ||||
|  	"crypto" | ||||
| -	"crypto/internal/boring"
 | ||||
| +	boring "crypto/internal/backend"
 | ||||
|  	"crypto/elliptic" | ||||
|  	"crypto/rand" | ||||
|  	"testing" | ||||
| @@ -34,7 +34,7 @@ func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
 | ||||
|  func TestHashSignAndHashVerify(t *testing.T) { | ||||
|  	testHashSignAndHashVerify(t, elliptic.P256(), "p256") | ||||
|   | ||||
| -	if testing.Short() && !boring.Enabled {
 | ||||
| +	if testing.Short() && !boring.Enabled() {
 | ||||
|  		return | ||||
|  	} | ||||
|  	testHashSignAndHashVerify(t, elliptic.P384(), "p384") | ||||
| diff --git a/src/crypto/ecdsa/notboring.go b/src/crypto/ecdsa/notboring.go
 | ||||
| index 039bd82..21a35b7 100644
 | ||||
| --- a/src/crypto/ecdsa/notboring.go
 | ||||
| @ -1473,7 +1526,7 @@ index 921cdbb..a35165b 100644 | ||||
|  	} | ||||
|  	in := []byte("hello, world!") | ||||
| diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
 | ||||
| index 239e6a2..28462e0 100644
 | ||||
| index 4c5c352..76a0077 100644
 | ||||
| --- a/src/crypto/tls/boring.go
 | ||||
| +++ b/src/crypto/tls/boring.go
 | ||||
| @@ -2,7 +2,7 @@
 | ||||
| @ -1495,7 +1548,7 @@ index 239e6a2..28462e0 100644 | ||||
|         } | ||||
|  } | ||||
| diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
 | ||||
| index f743fc8..e56d96d 100644
 | ||||
| index 9fec2c8..068b5c2 100644
 | ||||
| --- a/src/crypto/tls/boring_test.go
 | ||||
| +++ b/src/crypto/tls/boring_test.go
 | ||||
| @@ -2,7 +2,7 @@
 | ||||
| @ -1508,7 +1561,7 @@ index f743fc8..e56d96d 100644 | ||||
|  package tls | ||||
|   | ||||
| diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
 | ||||
| index 9a1fa31..b0b6052 100644
 | ||||
| index f7c64db..703d5c7 100644
 | ||||
| --- a/src/crypto/tls/cipher_suites.go
 | ||||
| +++ b/src/crypto/tls/cipher_suites.go
 | ||||
| @@ -10,7 +10,7 @@ import (
 | ||||
| @ -1520,7 +1573,7 @@ index 9a1fa31..b0b6052 100644 | ||||
|  	"crypto/rc4" | ||||
|  	"crypto/sha1" | ||||
|  	"crypto/sha256" | ||||
| @@ -425,7 +425,7 @@ func macSHA1(key []byte) hash.Hash {
 | ||||
| @@ -430,7 +430,7 @@ func macSHA1(key []byte) hash.Hash {
 | ||||
|  	h := sha1.New | ||||
|  	// The BoringCrypto SHA1 does not have a constant-time | ||||
|  	// checksum function, so don't try to use it. | ||||
| @ -1529,7 +1582,7 @@ index 9a1fa31..b0b6052 100644 | ||||
|  		h = newConstantTimeHash(h) | ||||
|  	} | ||||
|  	return hmac.New(h, key) | ||||
| @@ -517,7 +517,7 @@ func aeadAESGCM(key, noncePrefix []byte) aead {
 | ||||
| @@ -522,7 +522,7 @@ func aeadAESGCM(key, noncePrefix []byte) aead {
 | ||||
|  		panic(err) | ||||
|  	} | ||||
|  	var aead cipher.AEAD | ||||
| @ -1538,6 +1591,57 @@ index 9a1fa31..b0b6052 100644 | ||||
|  		aead, err = boring.NewGCMTLS(aes) | ||||
|  	} else { | ||||
|  		boring.Unreachable() | ||||
| diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
 | ||||
| index 323d683..8bcee17 100644
 | ||||
| --- a/src/crypto/tls/key_schedule.go
 | ||||
| +++ b/src/crypto/tls/key_schedule.go
 | ||||
| @@ -7,8 +7,8 @@ package tls
 | ||||
|  import ( | ||||
|  	"crypto/elliptic" | ||||
|  	"crypto/hmac" | ||||
| -	"crypto/internal/boring"
 | ||||
| -	"crypto/internal/boring/bbig"
 | ||||
| +	boring "crypto/internal/backend"
 | ||||
| +	"crypto/internal/backend/bbig"
 | ||||
|  	"errors" | ||||
|  	"hash" | ||||
|  	"io" | ||||
| @@ -45,7 +45,7 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
 | ||||
|  		b.AddBytes(context) | ||||
|  	}) | ||||
|  	out := make([]byte, length) | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic()) | ||||
|  		if err != nil { | ||||
|  			panic("tls: HKDF-Expand-Label invocation failed unexpectedly") | ||||
| @@ -76,7 +76,7 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
 | ||||
|  	if newSecret == nil { | ||||
|  		newSecret = make([]byte, c.hash.Size()) | ||||
|  	} | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret) | ||||
|  		if err != nil { | ||||
|  			panic("tls: HKDF-Extract invocation failed unexpectedly") | ||||
| @@ -150,7 +150,7 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
 | ||||
|   | ||||
|  	p := &nistParameters{curveID: curveID} | ||||
|  	var err error | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name) | ||||
|  		if err != nil { | ||||
|  			return nil, err | ||||
| @@ -197,7 +197,7 @@ func (p *nistParameters) PublicKey() []byte {
 | ||||
|   | ||||
|  func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte { | ||||
|  	curve, _ := curveForCurveID(p.curveID) | ||||
| -	if boring.Enabled {
 | ||||
| +	if boring.Enabled() {
 | ||||
|  		k := new(big.Int).SetBytes(p.privateKey) | ||||
|  		priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k)) | ||||
|  		if err != nil { | ||||
| diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go
 | ||||
| index 7d85b39..fe27194 100644
 | ||||
| --- a/src/crypto/tls/notboring.go
 | ||||
| @ -1552,7 +1656,7 @@ index 7d85b39..fe27194 100644 | ||||
|  package tls | ||||
|   | ||||
| diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
 | ||||
| index 4aae905..4f7c0ad 100644
 | ||||
| index 42706f9..de4442e 100644
 | ||||
| --- a/src/crypto/x509/boring.go
 | ||||
| +++ b/src/crypto/x509/boring.go
 | ||||
| @@ -2,7 +2,7 @@
 | ||||
| @ -1565,7 +1669,7 @@ index 4aae905..4f7c0ad 100644 | ||||
|  package x509 | ||||
|   | ||||
| diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
 | ||||
| index 7010f44..22efb08 100644
 | ||||
| index 70021f3..7607c33 100644
 | ||||
| --- a/src/crypto/x509/boring_test.go
 | ||||
| +++ b/src/crypto/x509/boring_test.go
 | ||||
| @@ -2,7 +2,7 @@
 | ||||
| @ -1591,27 +1695,27 @@ index c83a727..0c7dea2 100644 | ||||
|  package x509 | ||||
|   | ||||
| diff --git a/src/go.mod b/src/go.mod
 | ||||
| index 94380d6..0768c57 100644
 | ||||
| index 6c31631..181ce9b 100644
 | ||||
| --- a/src/go.mod
 | ||||
| +++ b/src/go.mod
 | ||||
| @@ -3,6 +3,7 @@ module std
 | ||||
|  go 1.19 | ||||
|   | ||||
|  require ( | ||||
| +	github.com/golang-fips/openssl-fips v0.0.0-20220914203141-60f04d7f65e2
 | ||||
| +	github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c
 | ||||
|  	golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8 | ||||
|  	golang.org/x/net v0.0.0-20220517181318-183a9ca12b87 | ||||
|  	golang.org/x/net v0.0.0-20220907013720-d52c520e3766 | ||||
|  ) | ||||
| diff --git a/src/go.sum b/src/go.sum
 | ||||
| index a54b056..ddd5d69 100644
 | ||||
| index 2f90a33..7871ac3 100644
 | ||||
| --- a/src/go.sum
 | ||||
| +++ b/src/go.sum
 | ||||
| @@ -1,3 +1,5 @@
 | ||||
| +github.com/golang-fips/openssl-fips v0.0.0-20220914203141-60f04d7f65e2 h1:ZnpZRmIMhfs/ubxzWizPBAGhdHBkjb9DCDmtiWUGV84=
 | ||||
| +github.com/golang-fips/openssl-fips v0.0.0-20220914203141-60f04d7f65e2/go.mod h1:V2IU8imz/VkScnIbTOrdYsZ5R88ZFypCE0LzhRJ3HsI=
 | ||||
| +github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c h1:JAKv3y5+79PdvH8+aqBN9sGow464W4Iegvdx6qtqJJc=
 | ||||
| +github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c/go.mod h1:V2IU8imz/VkScnIbTOrdYsZ5R88ZFypCE0LzhRJ3HsI=
 | ||||
|  golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8 h1:y+mHpWoQJNAHt26Nhh6JP7hvM71IRZureyvZhoVALIs= | ||||
|  golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= | ||||
|  golang.org/x/net v0.0.0-20220517181318-183a9ca12b87 h1:cCR+9mKLOGyX4Zx+uBZDXEDAQsvKQ/XbW4vreG5v1jU= | ||||
|  golang.org/x/net v0.0.0-20220907013720-d52c520e3766 h1:D02YdIT3M6OQkZXTQiO761u/SmR3DDDiDXLN2oZIUac= | ||||
| diff --git a/src/vendor/github.com/golang-fips/openssl-fips/LICENSE b/src/vendor/github.com/golang-fips/openssl-fips/LICENSE
 | ||||
| new file mode 100644 | ||||
| index 0000000..093267e
 | ||||
| @ -2299,13 +2403,13 @@ index 0000000..0b61e79 | ||||
| +	return out[:outLen], nil
 | ||||
| +}
 | ||||
| diff --git a/src/crypto/internal/boring/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 | ||||
| similarity index 73% | ||||
| similarity index 60% | ||||
| rename from src/crypto/internal/boring/ecdsa.go | ||||
| rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go | ||||
| index 884c4b7..eb63507 100644
 | ||||
| index 884c4b7..b350140 100644
 | ||||
| --- a/src/crypto/internal/boring/ecdsa.go
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 | ||||
| @@ -2,12 +2,12 @@
 | ||||
| @@ -2,21 +2,24 @@
 | ||||
|  // Use of this source code is governed by a BSD-style | ||||
|  // license that can be found in the LICENSE file. | ||||
|   | ||||
| @ -2321,8 +2425,21 @@ index 884c4b7..eb63507 100644 | ||||
| +// #include "goopenssl.h"
 | ||||
|  import "C" | ||||
|  import ( | ||||
| +	"crypto"
 | ||||
| +	"encoding/asn1"
 | ||||
|  	"errors" | ||||
| @@ -36,11 +36,15 @@ func (k *PublicKeyECDSA) finalize() {
 | ||||
| +	"math/big"
 | ||||
|  	"runtime" | ||||
|  	"unsafe" | ||||
|  ) | ||||
|   | ||||
|  type ecdsaSignature struct { | ||||
| -	R, S BigInt
 | ||||
| +	R, S *big.Int
 | ||||
|  } | ||||
|   | ||||
|  type PrivateKeyECDSA struct { | ||||
| @@ -36,11 +39,15 @@ func (k *PublicKeyECDSA) finalize() {
 | ||||
|  } | ||||
|   | ||||
|  var errUnknownCurve = errors.New("boringcrypto: unknown elliptic curve") | ||||
| @ -2339,7 +2456,7 @@ index 884c4b7..eb63507 100644 | ||||
|  	case "P-256": | ||||
|  		return C.GO_NID_X9_62_prime256v1, nil | ||||
|  	case "P-384": | ||||
| @@ -72,13 +76,13 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
 | ||||
| @@ -72,13 +79,13 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
 | ||||
|  	} | ||||
|  	key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid) | ||||
|  	if key == nil { | ||||
| @ -2355,7 +2472,7 @@ index 884c4b7..eb63507 100644 | ||||
|  	} | ||||
|  	bx := bigToBN(X) | ||||
|  	by := bigToBN(Y) | ||||
| @@ -93,7 +97,7 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
 | ||||
| @@ -93,7 +100,7 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
 | ||||
|  	C._goboringcrypto_EC_POINT_free(pt) | ||||
|  	if !ok { | ||||
|  		C._goboringcrypto_EC_KEY_free(key) | ||||
| @ -2364,7 +2481,7 @@ index 884c4b7..eb63507 100644 | ||||
|  	} | ||||
|  	return key, nil | ||||
|  } | ||||
| @@ -110,7 +114,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
 | ||||
| @@ -110,7 +117,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
 | ||||
|  	} | ||||
|  	if !ok { | ||||
|  		C._goboringcrypto_EC_KEY_free(key) | ||||
| @ -2373,7 +2490,31 @@ index 884c4b7..eb63507 100644 | ||||
|  	} | ||||
|  	k := &PrivateKeyECDSA{key} | ||||
|  	// Note: Because of the finalizer, any time k.key is passed to cgo, | ||||
| @@ -125,15 +129,16 @@ func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
 | ||||
| @@ -121,19 +128,55 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
 | ||||
|  	return k, nil | ||||
|  } | ||||
|   | ||||
| +func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 | ||||
| +	size := C._goboringcrypto_ECDSA_size(priv.key)
 | ||||
| +	sig := make([]byte, size)
 | ||||
| +	var sigLen C.uint
 | ||||
| +	md := cryptoHashToMD(h)
 | ||||
| +	if md == nil {
 | ||||
| +		panic("boring: invalid hash")
 | ||||
| +	}
 | ||||
| +	if C._goboringcrypto_ECDSA_sign(md, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
 | ||||
| +		return nil, nil, NewOpenSSLError("ECDSA_sign failed")
 | ||||
| +	}
 | ||||
| +	runtime.KeepAlive(priv)
 | ||||
| +	sig = sig[:sigLen]
 | ||||
| +	var esig ecdsaSignature
 | ||||
| +	if _, err := asn1.Unmarshal(sig, &esig); err != nil {
 | ||||
| +		return nil, nil, err
 | ||||
| +	}
 | ||||
| +	return esig.R, esig.S, nil
 | ||||
| +}
 | ||||
| +
 | ||||
|  func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) { | ||||
|  	size := C._goboringcrypto_ECDSA_size(priv.key) | ||||
|  	sig := make([]byte, size) | ||||
|  	var sigLen C.uint | ||||
| @ -2387,14 +2528,28 @@ index 884c4b7..eb63507 100644 | ||||
|  	runtime.KeepAlive(priv) | ||||
|  	return sig[:sigLen], nil | ||||
|  } | ||||
| -
 | ||||
|   | ||||
|  func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool { | ||||
| -	ok := C._goboringcrypto_ECDSA_verify(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.size_t(len(sig)), pub.key) != 0
 | ||||
| +	ok := C._goboringcrypto_internal_ECDSA_verify(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
 | ||||
| +	runtime.KeepAlive(pub)
 | ||||
| +	return ok
 | ||||
| +}
 | ||||
| +
 | ||||
| +func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 | ||||
| +	md := cryptoHashToMD(h)
 | ||||
| +	if md == nil {
 | ||||
| +		panic("boring: invalid hash")
 | ||||
| +	}
 | ||||
| +	sig, err := asn1.Marshal(ecdsaSignature{r, s})
 | ||||
| +	if err != nil {
 | ||||
| +		return false
 | ||||
| +	}
 | ||||
| +	ok := C._goboringcrypto_ECDSA_verify(md, base(msg), C.size_t(len(msg)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
 | ||||
|  	runtime.KeepAlive(pub) | ||||
|  	return ok | ||||
|  } | ||||
| @@ -145,30 +150,30 @@ func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
 | ||||
| @@ -145,30 +188,30 @@ func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
 | ||||
|  	} | ||||
|  	key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid) | ||||
|  	if key == nil { | ||||
| @ -2434,10 +2589,10 @@ index 884c4b7..eb63507 100644 | ||||
|  } | ||||
| diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 | ||||
| new file mode 100644 | ||||
| index 0000000..6d6a562
 | ||||
| index 0000000..411fefd
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 | ||||
| @@ -0,0 +1,869 @@
 | ||||
| @@ -0,0 +1,954 @@
 | ||||
| +// Copyright 2017 The Go Authors. All rights reserved.
 | ||||
| +// Use of this source code is governed by a BSD-style
 | ||||
| +// license that can be found in the LICENSE file.
 | ||||
| @ -2704,7 +2859,7 @@ index 0000000..6d6a562 | ||||
| +static inline void
 | ||||
| +_goboringcrypto_HMAC_CTX_free(HMAC_CTX *ctx) {
 | ||||
| +   if (ctx != NULL) {
 | ||||
| +       _goboringcrypto_HMAC_CTX_cleanup(ctx);
 | ||||
| +       _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
 | ||||
| +       free(ctx);
 | ||||
| +   }
 | ||||
| +}
 | ||||
| @ -2753,8 +2908,8 @@ index 0000000..6d6a562 | ||||
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
 | ||||
| +	_goboringcrypto_HMAC_CTX_cleanup(ctx);
 | ||||
| +	_goboringcrypto_HMAC_CTX_init(ctx);
 | ||||
| +	_goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
 | ||||
| +	_goboringcrypto_internal_HMAC_CTX_init(ctx);
 | ||||
| +	return 0;
 | ||||
| +}
 | ||||
| +#else
 | ||||
| @ -2922,12 +3077,12 @@ index 0000000..6d6a562 | ||||
| +                               GO_RSA *key);
 | ||||
| +
 | ||||
| +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 | ||||
| +DEFINEFUNC(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
 | ||||
| +#else
 | ||||
| +DEFINEFUNCINTERNAL(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
 | ||||
| +DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
 | ||||
| +static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
 | ||||
| +	return _goboringcrypto_internal_EVP_MD_CTX_free(ctx);
 | ||||
| +	return _goboringcrypto_internal_EVP_MD_CTX_destroy(ctx);
 | ||||
| +}
 | ||||
| +#else
 | ||||
| +DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
 | ||||
| +#endif
 | ||||
| +
 | ||||
| +int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
 | ||||
| @ -3183,6 +3338,7 @@ index 0000000..6d6a562 | ||||
| +typedef EVP_PKEY_CTX GO_EVP_PKEY_CTX;
 | ||||
| +
 | ||||
| +DEFINEFUNC(GO_EVP_PKEY_CTX *, EVP_PKEY_CTX_new, (GO_EVP_PKEY * arg0, ENGINE *arg1), (arg0, arg1))
 | ||||
| +DEFINEFUNC(GO_EVP_PKEY_CTX *, EVP_PKEY_CTX_new_id, (int arg0, ENGINE *arg1), (arg0, arg1))
 | ||||
| +DEFINEFUNC(void, EVP_PKEY_CTX_free, (GO_EVP_PKEY_CTX * arg0), (arg0))
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_ctrl,
 | ||||
| +		   (EVP_PKEY_CTX * ctx, int keytype, int optype, int cmd, int p1, void *p2),
 | ||||
| @ -3294,25 +3450,109 @@ index 0000000..6d6a562 | ||||
| +	GO_EVP_PKEY_HKDF = EVP_PKEY_HKDF,
 | ||||
| +};
 | ||||
| +
 | ||||
| +DEFINEFUNC(GO_EVP_PKEY_CTX *, EVP_PKEY_CTX_new_id, (int arg0, ENGINE *arg1), (arg0, arg1))
 | ||||
| +
 | ||||
| +enum {
 | ||||
| +	GO_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY,
 | ||||
| +	GO_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY,
 | ||||
| +};
 | ||||
| +
 | ||||
| +#if OPENSSL_VERSION_NUMBER >= 0x30000000
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_set_hkdf_mode, (GO_EVP_PKEY_CTX *arg0, int arg1), (arg0, arg1))
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_set_hkdf_md, (GO_EVP_PKEY_CTX *arg0, const GO_EVP_MD *arg1), (arg0, arg1))
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_set1_hkdf_salt, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_set1_hkdf_key, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
 | ||||
| +DEFINEFUNC(int, EVP_PKEY_CTX_add1_hkdf_info, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
 | ||||
| +#else
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set_hkdf_mode(GO_EVP_PKEY_CTX *pctx, int mode)
 | ||||
| +{
 | ||||
| +	return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
 | ||||
| +						 EVP_PKEY_CTRL_HKDF_MODE, mode, NULL);
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set_hkdf_md(GO_EVP_PKEY_CTX *pctx, const GO_EVP_MD *md)
 | ||||
| +{
 | ||||
| +	return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
 | ||||
| +						 EVP_PKEY_CTRL_HKDF_MD, 0, (void *)(md));
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_salt(GO_EVP_PKEY_CTX *pctx, unsigned char *salt, int saltlen)
 | ||||
| +{
 | ||||
| +	return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
 | ||||
| +						 EVP_PKEY_CTRL_HKDF_SALT, saltlen, (void *)(salt));
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(GO_EVP_PKEY_CTX *pctx, unsigned char *key, int keylen)
 | ||||
| +{
 | ||||
| +	return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
 | ||||
| +						 EVP_PKEY_CTRL_HKDF_KEY, keylen, (void *)(key));
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_add1_hkdf_info(GO_EVP_PKEY_CTX *pctx, unsigned char *info, int infolen)
 | ||||
| +{
 | ||||
| +	return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
 | ||||
| +						 EVP_PKEY_CTRL_HKDF_INFO, infolen, (void *)(info));
 | ||||
| +}
 | ||||
| +#endif
 | ||||
| +
 | ||||
| +
 | ||||
| +#else
 | ||||
| +
 | ||||
| +/* As HKDF is not supported in earlier OpenSSL versions than 1.1.1 and
 | ||||
| + * fallback implementation cannot be provided in a FIPS compliant
 | ||||
| + * manner, we only provide stub definitions of the above symbols.  At
 | ||||
| + * run-time, HKDF operations in hkdf.go (see newHKDF) will return an
 | ||||
| + * error depending on the OpenSSL version.
 | ||||
| + */
 | ||||
| +
 | ||||
| +enum {
 | ||||
| +	GO_EVP_PKEY_HKDF,
 | ||||
| +};
 | ||||
| +
 | ||||
| +enum {
 | ||||
| +	GO_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY,
 | ||||
| +	GO_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY,
 | ||||
| +};
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set_hkdf_mode(GO_EVP_PKEY_CTX *arg0, int arg1)
 | ||||
| +{
 | ||||
| +	return -1;
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set_hkdf_md(GO_EVP_PKEY_CTX *arg0, const GO_EVP_MD *arg1)
 | ||||
| +{
 | ||||
| +	return -1;
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_salt(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
 | ||||
| +{
 | ||||
| +	return -1;
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
 | ||||
| +{
 | ||||
| +	return -1;
 | ||||
| +}
 | ||||
| +
 | ||||
| +static inline int
 | ||||
| +_goboringcrypto_EVP_PKEY_CTX_add1_hkdf_info(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
 | ||||
| +{
 | ||||
| +	return -1;
 | ||||
| +}
 | ||||
| +#endif
 | ||||
| diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..ae40b93
 | ||||
| index 0000000..4328a5c
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
 | ||||
| @@ -0,0 +1,100 @@
 | ||||
| @@ -0,0 +1,104 @@
 | ||||
| +// Copyright 2017 The Go Authors. All rights reserved.
 | ||||
| +// Use of this source code is governed by a BSD-style
 | ||||
| +// license that can be found in the LICENSE file.
 | ||||
| @ -3335,6 +3575,10 @@ index 0000000..ae40b93 | ||||
| +}
 | ||||
| +
 | ||||
| +func newHKDF(h func() hash.Hash, mode C.int) (*hkdf, error) {
 | ||||
| +	if openSSLVersion() < OPENSSL_VERSION_1_1_1 {
 | ||||
| +		return nil, NewOpenSSLError("HKDF is not supported")
 | ||||
| +	}
 | ||||
| +
 | ||||
| +	ch := h()
 | ||||
| +	md := hashToMD(ch)
 | ||||
| +	if md == nil {
 | ||||
| @ -3541,7 +3785,7 @@ diff --git a/src/crypto/internal/boring/notboring.go b/src/vendor/github.com/gol | ||||
| similarity index 69% | ||||
| rename from src/crypto/internal/boring/notboring.go | ||||
| rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go | ||||
| index 53096a6..7c0b5d6 100644
 | ||||
| index 53096a6..4a45e95 100644
 | ||||
| --- a/src/crypto/internal/boring/notboring.go
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
 | ||||
| @@ -2,33 +2,34 @@
 | ||||
| @ -3656,19 +3900,19 @@ index 53096a6..7c0b5d6 100644 | ||||
|  	panic("boringcrypto: not available") | ||||
|  } | ||||
| +
 | ||||
| +func ExtractHKDF(h func() hash.Hash, secret, salt []byte) []byte {
 | ||||
| +func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| +
 | ||||
| +func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) io.Reader {
 | ||||
| +func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
 | ||||
| +	panic("boringcrypto: not available")
 | ||||
| +}
 | ||||
| diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 | ||||
| new file mode 100644 | ||||
| index 0000000..d49194d
 | ||||
| index 0000000..86d7c6c
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 | ||||
| @@ -0,0 +1,247 @@
 | ||||
| @@ -0,0 +1,248 @@
 | ||||
| +// Copyright 2017 The Go Authors. All rights reserved.
 | ||||
| +// Use of this source code is governed by a BSD-style
 | ||||
| +// license that can be found in the LICENSE file.
 | ||||
| @ -3702,6 +3946,7 @@ index 0000000..d49194d | ||||
| +
 | ||||
| +const (
 | ||||
| +	OPENSSL_VERSION_1_1_0 = uint64(C.ulong(0x10100000))
 | ||||
| +	OPENSSL_VERSION_1_1_1 = uint64(C.ulong(0x10101000))
 | ||||
| +	OPENSSL_VERSION_3_0_0 = uint64(C.ulong(0x30000000))
 | ||||
| +)
 | ||||
| +
 | ||||
| @ -5433,11 +5678,11 @@ index 15b50c9..0b55ced 100644 | ||||
|   | ||||
|  type sha512Ctx struct { | ||||
| diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
 | ||||
| index dfb87ab..70df081 100644
 | ||||
| index 35c0208..f44bcb1 100644
 | ||||
| --- a/src/vendor/modules.txt
 | ||||
| +++ b/src/vendor/modules.txt
 | ||||
| @@ -1,3 +1,6 @@
 | ||||
| +# github.com/golang-fips/openssl-fips v0.0.0-20220914203141-60f04d7f65e2
 | ||||
| +# github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c
 | ||||
| +## explicit; go 1.18
 | ||||
| +github.com/golang-fips/openssl-fips/openssl
 | ||||
|  # golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8 | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 | ||||
| index 1d75287..2b99ea2 100644
 | ||||
| index 5f258a2..5dbbc42 100644
 | ||||
| --- a/src/crypto/internal/backend/nobackend.go
 | ||||
| +++ b/src/crypto/internal/backend/nobackend.go
 | ||||
| @@ -2,8 +2,8 @@
 | ||||
| @ -13,21 +13,6 @@ index 1d75287..2b99ea2 100644 | ||||
|   | ||||
|  package backend | ||||
|   | ||||
| diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 | ||||
| index 4c327e0..6786c1f 100644
 | ||||
| --- a/src/crypto/internal/backend/openssl.go
 | ||||
| +++ b/src/crypto/internal/backend/openssl.go
 | ||||
| @@ -2,8 +2,8 @@
 | ||||
|  // Use of this source code is governed by a BSD-style | ||||
|  // license that can be found in the LICENSE file. | ||||
|   | ||||
| -//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 | ||||
| -// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 | ||||
| +//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
 | ||||
| +// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
 | ||||
|   | ||||
|  // Package openssl provides access to OpenSSLCrypto implementation functions. | ||||
|  // Check the variable Enabled to find out whether OpenSSLCrypto is available. | ||||
| diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
 | ||||
| index d6d99b1..f2fe332 100644
 | ||||
| --- a/src/crypto/internal/boring/goboringcrypto.h
 | ||||
| @ -82,7 +67,7 @@ index 0b61e79..94d0c98 100644 | ||||
|  package openssl | ||||
|   | ||||
| diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 | ||||
| index eb63507..a3aeed1 100644
 | ||||
| index afec529..d822152 100644
 | ||||
| --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 | ||||
| +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 | ||||
| @@ -2,8 +2,8 @@
 | ||||
|  | ||||
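Review bot: With the hunk for `src/crypto/internal/backend/openssl.go` removed from this patch, nothing visible here adds `!static` to that file's `//go:build` line any more, while the hunk for `nobackend.go` is kept. The body of the `nobackend.go` hunk is not shown in this view, so this is a question rather than a finding: if that file still gains a `static` alternative, a `-tags static` build could select both backend files unless the refreshed base patch already carries the constraint. Please confirm that the resulting `openssl.go` constraint still ends in `&& !static`, and that the legacy `// +build` line matches it.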
							
								
								
									
										15
									
								
								golang.spec
									
									
									
									
									
								
							
							
						
						
									
							| @ -96,12 +96,13 @@ | ||||
| %endif | ||||
| 
 | ||||
| %global go_api 1.19 | ||||
| %global version 1.19.1 | ||||
| %global go_version 1.19.2 | ||||
| %global version %{go_version} | ||||
| %global pkg_release 1 | ||||
| 
 | ||||
| Name:           golang | ||||
| Version:        %{version} | ||||
| Release:        2%{?dist} | ||||
| Release:        1%{?dist} | ||||
| Summary:        The Go Programming Language | ||||
| # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain | ||||
| License:        BSD and Public Domain | ||||
| @ -156,9 +157,6 @@ Patch1:		001-initial-openssl-for-fips.patch | ||||
| Patch2: 	disable_static_tests_part1.patch | ||||
| Patch3: 	disable_static_tests_part2.patch | ||||
| 
 | ||||
| # Fix an issue with build tags when running notboring | ||||
| Patch4:		openssl_cgo_build_tag.patch | ||||
| 
 | ||||
| # Fix an issue where pprof tests look for the wrong | ||||
| # mapping | ||||
| Patch5:		runtime_pprof_wrong_mapping.patch | ||||
| @ -250,13 +248,12 @@ Requires:       %{name} = %{version}-%{release} | ||||
| %endif | ||||
| 
 | ||||
| %prep | ||||
| %setup -q -n go-go1.19.1 | ||||
| %setup -q -n go-go%{version} | ||||
| 
 | ||||
| %patch0 -p1 | ||||
| %patch1 -p1 | ||||
| %patch2 -p1 | ||||
| %patch3 -p1 | ||||
| %patch4 -p1 | ||||
| %patch5 -p1 | ||||
| 
 | ||||
| %patch221 -p1 | ||||
| @ -532,6 +529,10 @@ cd .. | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Oct 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-1 | ||||
| - Update go to version 1.19.2 | ||||
| - Resolves: rhbz#2134407 | ||||
| 
 | ||||
| * Wed Sep 14 2022 David Benoit <dbenoit@redhat.com> - 1.19.1-2 | ||||
| - Rebase to Go 1.19.1 | ||||
| - Temporarily disable crypto tests | ||||
|  | ||||
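Review bot: The new changelog entry records only the version update, but the spec also appears to drop `Patch4: openssl_cgo_build_tag.patch` and its `%patch4 -p1` line (hunks at -156 and -250), the patch described as fixing build tags when running notboring. For a toolchain package carrying the OpenSSL FIPS backend, that removal should be traceable; add a line such as `- Drop openssl_cgo_build_tag.patch (<reason / where the fix now lives>)` with the placeholder filled in. Separately, `Release:` is still the literal `1%{?dist}` although `%global pkg_release 1` is defined just above; if that macro is meant to drive the RPM release, `Release:        %{pkg_release}%{?dist}` keeps the two from drifting.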
							
								
								
									
										2
									
								
								sources
									
									
									
									
									
								
							
							
						
						
									
							| @ -1 +1 @@ | ||||
| SHA512 (go1.19.1.tar.gz) = 8f35dddfdfd4cc22f86c0a8af367038f7a5c9d88a21f4233ff234dd97e344b781f6c49741870fd5d292f41ae6b07e829080d5a0b0c578ce64f0fab5f6597f353 | ||||
| SHA512 (go1.19.2.tar.gz) = 4395f1c45bcd9383c65032f70bb9c38f0369303014d99f3c945c6f92dfed5c45d81f871683a09e478c103253fc9e85c2c285e55914feb25d1500ce5bfccc865e | ||||
|  | ||||