From b1a0ee7fd650152e72d14cfebfa33e09fade7644 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 31 Oct 2022 23:59:15 +0900
Subject: [PATCH] Make crypto tests work with OpenSSL 3.0 under FIPS

There are a few restrictions enforced when OpenSSL 3.0 is used under
FIPS mode, that are incompatible with the Go tests, namely:

- For creating signature, encrypting, and decrypting, RSA key size
  must be equal to or longer than 2048 bits
- For verifying signature, RSA key size must be equal to or longer
  than 1024 bits
- PKCS#1 v1.5 is not supported for encryption and decryption (signing
  and verification are still allowed)

This either skips the relevant tests or increases key size used for
testing.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 patches/000-initial-setup.patch | 451 ++++++++++++++++++++++++--------
 1 file changed, 342 insertions(+), 109 deletions(-)

diff --git a/patches/000-initial-setup.patch b/patches/000-initial-setup.patch
index d1e235a3d3..5f5f1f3be7 100644
--- a/patches/000-initial-setup.patch
+++ b/patches/000-initial-setup.patch
@@ -1,65 +1,5 @@
-diff --git a/src/runtime/pprof/proto_test.go b/src/runtime/pprof/proto_test.go
-index 84a051a536..a2cd97f14d 100644
---- a/src/runtime/pprof/proto_test.go
-+++ b/src/runtime/pprof/proto_test.go
-@@ -15,6 +15,7 @@ import (
- 	"os/exec"
- 	"reflect"
- 	"runtime"
-+	"strconv"
- 	"strings"
- 	"testing"
- 	"unsafe"
-@@ -95,11 +96,15 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) {
- 			// region of memory.
- 			t.Skipf("need 2 or more mappings, got %v", len(mprof.Mapping))
- 		}
--		addr1 = mprof.Mapping[0].Start
-+		addr1 = findAddrInExecutableSection(t, mmap, mprof.Mapping[0])
- 		map1 = mprof.Mapping[0]
-+		map1.Offset = (addr1 - map1.Start) + map1.Offset
-+		map1.Start = addr1
- 		map1.BuildID, _ = elfBuildID(map1.File)
--		addr2 = mprof.Mapping[1].Start
-+		addr2 = findAddrInExecutableSection(t, mmap, mprof.Mapping[1])
- 		map2 = mprof.Mapping[1]
-+		map2.Offset = (addr2 - map2.Start) + map2.Offset
-+		map2.Start = addr2
- 		map2.BuildID, _ = elfBuildID(map2.File)
- 	case "js":
- 		addr1 = uint64(abi.FuncPCABIInternal(f1))
-@@ -115,6 +120,29 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) {
- 	return
- }
- 
-+func findAddrInExecutableSection(t *testing.T, mmap []byte, m *profile.Mapping) uint64 {
-+	mappings := strings.Split(string(mmap), "\n")
-+	for _, mapping := range mappings {
-+		parts := strings.Fields(mapping)
-+		if len(parts) < 6 {
-+			continue
-+		}
-+		if !strings.Contains(parts[1], "x") {
-+			continue
-+		}
-+		addr, err := strconv.ParseUint(strings.Split(parts[0], "-")[0], 16, 64)
-+		if err != nil {
-+			t.Fatal(err)
-+		}
-+		if addr >= m.Start && addr < m.Limit {
-+			return addr
-+		}
-+	}
-+
-+	t.Error("could not find executable section in /proc/self/maps")
-+	return 0
-+}
-+
- func TestConvertCPUProfile(t *testing.T) {
- 	addr1, addr2, map1, map2 := testPCs(t)
- 
 diff --git a/api/go1.19.txt b/api/go1.19.txt
-index 523f752d70..e9f2f7d173 100644
+index 523f752d70..778e1d5a7f 100644
 --- a/api/go1.19.txt
 +++ b/api/go1.19.txt
 @@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860
@@ -68,9 +8,27 @@ index 523f752d70..e9f2f7d173 100644
  pkg time, method (Time) ZoneBounds() (Time, Time) #50062
 +pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000
 +pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000
+diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
+index a0a41a50de..208aa7008a 100644
+--- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
++++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
+@@ -21,11 +21,11 @@ go build .
+ 
+ go list -deps -f '{{.ImportPath}} {{.Dir}}' .
+ stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
+-! stdout $GOROOT[/\\]src[/\\]vendor
++! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
+ 
+ go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
+ stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
+-! stdout $GOROOT[/\\]src[/\\]vendor
++! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
+ 
+ -- issue16333/issue16333.go --
+ package vendoring17
 diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 new file mode 100644
-index 0000000000..54db9ae178
+index 0000000000..37f3a18223
 --- /dev/null
 +++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 @@ -0,0 +1,45 @@
@@ -121,7 +79,7 @@ index 0000000000..54db9ae178
 +}
 diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 new file mode 100644
-index 0000000000..8f95e8af1f
+index 0000000000..d12ba2f441
 --- /dev/null
 +++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 @@ -0,0 +1,42 @@
@@ -167,24 +125,6 @@ index 0000000000..8f95e8af1f
 +	testHashSignAndHashVerify(t, elliptic.P384(), "p384")
 +	testHashSignAndHashVerify(t, elliptic.P521(), "p521")
 +}
-diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-index a0a41a50de..208aa7008a 100644
---- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
-+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-@@ -21,11 +21,11 @@ go build .
- 
- go list -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
- 
- go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
- 
- -- issue16333/issue16333.go --
- package vendoring17
 diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
 index 7c5181788f..102c4e5355 100644
 --- a/src/crypto/ed25519/ed25519_test.go
@@ -258,7 +198,7 @@ new file mode 100644
 index 0000000000..e69de29bb2
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
-index 0000000000..98066f55fc
+index 0000000000..482ed6f470
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
 @@ -0,0 +1,155 @@
@@ -419,7 +359,7 @@ index 0000000000..98066f55fc
 +}
 diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 new file mode 100644
-index 0000000000..7dc24420a0
+index 0000000000..4040c77bc1
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl.go
 @@ -0,0 +1,105 @@
@@ -528,6 +468,213 @@ index 0000000000..7dc24420a0
 +
 +var ExtractHKDF = openssl.ExtractHKDF
 +var ExpandHKDF = openssl.ExpandHKDF
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index 69c509a771..ae68f03dc9 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -7,6 +7,7 @@ package rsa
+ import (
+ 	"bytes"
+ 	"crypto"
++	"crypto/internal/boring"
+ 	"crypto/rand"
+ 	"crypto/sha1"
+ 	"crypto/sha256"
+@@ -52,6 +53,10 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestDecryptPKCS1v15(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto")
++	}
++
+ 	decryptionFuncs := []func([]byte) ([]byte, error){
+ 		func(ciphertext []byte) (plaintext []byte, err error) {
+ 			return DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
+@@ -76,6 +81,10 @@ func TestDecryptPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto")
++	}
++
+ 	random := rand.Reader
+ 	k := (rsaPrivateKey.N.BitLen() + 7) / 8
+ 
+@@ -137,6 +146,10 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto")
++	}
++
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		key := []byte("FAIL")
+ 		err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, decodeBase64(test.in), key)
+@@ -151,6 +164,10 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto")
++	}
++
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		plaintext, err := rsaPrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
+ 		if err != nil {
+@@ -235,6 +252,10 @@ func TestOverlongMessagePKCS1v15(t *testing.T) {
+ }
+ 
+ func TestUnpaddedSignature(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("TODO: skipping PKCS#1 v1.5 signature test with BoringCrypto: too short key")
++	}
++
+ 	msg := []byte("Thu Dec 19 18:06:16 EST 2013\n")
+ 	// This base64 value was generated with:
+ 	// % echo Thu Dec 19 18:06:16 EST 2013 > /tmp/msg
+@@ -257,6 +278,10 @@ func TestUnpaddedSignature(t *testing.T) {
+ }
+ 
+ func TestShortSessionKey(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PKCS#1 v1.5 short session key decrypt test with BoringCrypto")
++	}
++
+ 	// This tests that attempting to decrypt a session key where the
+ 	// ciphertext is too small doesn't run outside the array bounds.
+ 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &rsaPrivateKey.PublicKey, []byte{1})
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index 51f9760187..93bbc26bd0 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"bytes"
+ 	"compress/bzip2"
+ 	"crypto"
++	"crypto/internal/boring"
+ 	"crypto/rand"
+ 	"crypto/sha1"
+ 	"crypto/sha256"
+@@ -76,6 +77,9 @@ func TestEMSAPSS(t *testing.T) {
+ // TestPSSGolden tests all the test vectors in pss-vect.txt from
+ // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
+ func TestPSSGolden(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PSS test with BoringCrypto: SHA-1 not allowed")
++	}
+ 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
+ 	if err != nil {
+ 		t.Fatalf("Failed to open input file: %s", err)
+@@ -167,6 +171,10 @@ func TestPSSGolden(t *testing.T) {
+ // TestPSSOpenSSL ensures that we can verify a PSS signature from OpenSSL with
+ // the default options. OpenSSL sets the salt length to be maximal.
+ func TestPSSOpenSSL(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PSS test with BoringCrypto: too short key")
++	}
++
+ 	hash := crypto.SHA256
+ 	h := hash.New()
+ 	h.Write([]byte("testing"))
+@@ -194,10 +202,15 @@ func TestPSSNilOpts(t *testing.T) {
+ 	h.Write([]byte("testing"))
+ 	hashed := h.Sum(nil)
+ 
++	// Shouldn't this check return value?
+ 	SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, nil)
+ }
+ 
+ func TestPSSSigning(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("skipping PSS test with BoringCrypto: too short key")
++	}
++
+ 	var saltLengthCombinations = []struct {
+ 		signSaltLength, verifySaltLength int
+ 		good                             bool
+@@ -233,7 +246,7 @@ func TestPSSSigning(t *testing.T) {
+ }
+ 
+ func TestSignWithPSSSaltLengthAuto(t *testing.T) {
+-	key, err := GenerateKey(rand.Reader, 513)
++	key, err := GenerateKey(rand.Reader, 2048)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
+index 766d9a954f..9118c86165 100644
+--- a/src/crypto/rsa/rsa_test.go
++++ b/src/crypto/rsa/rsa_test.go
+@@ -26,6 +26,10 @@ func TestKeyGeneration(t *testing.T) {
+ 		if bits := priv.N.BitLen(); bits != size {
+ 			t.Errorf("key too short (%d vs %d)", bits, size)
+ 		}
++		if boring.Enabled && size < 1024 {
++			t.Logf("skipping short key with BoringCrypto: %d", size)
++			continue;
++		}
+ 		testKeyBasics(t, priv)
+ 		if testing.Short() {
+ 			break
+@@ -115,21 +119,7 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
+ 	}
+ 
+ 	if boring.Enabled {
+-		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
+-		msg := []byte("hi!")
+-		enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+-		if err != nil {
+-			t.Errorf("EncryptPKCS1v15: %v", err)
+-			return
+-		}
+-		dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
+-		if err != nil {
+-			t.Errorf("DecryptPKCS1v15: %v", err)
+-			return
+-		}
+-		if !bytes.Equal(dec, msg) {
+-			t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+-		}
++		t.Logf("skipping encryption tests with BoringCrypto")
+ 		return
+ 	}
+ 
+@@ -253,6 +243,10 @@ func TestEncryptOAEP(t *testing.T) {
+ 	n := new(big.Int)
+ 	for i, test := range testEncryptOAEPData {
+ 		n.SetString(test.modulus, 16)
++		if boring.Enabled && n.BitLen() < 2048 {
++			t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen())
++			continue
++		}
+ 		public := PublicKey{N: n, E: test.e}
+ 
+ 		for j, message := range test.msgs {
+@@ -276,6 +270,10 @@ func TestDecryptOAEP(t *testing.T) {
+ 	d := new(big.Int)
+ 	for i, test := range testEncryptOAEPData {
+ 		n.SetString(test.modulus, 16)
++		if boring.Enabled && n.BitLen() < 2048 {
++			t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen())
++			continue
++		}
+ 		d.SetString(test.d, 16)
+ 		private := new(PrivateKey)
+ 		private.PublicKey = PublicKey{N: n, E: test.e}
+@@ -309,6 +307,10 @@ func TestEncryptDecryptOAEP(t *testing.T) {
+ 	d := new(big.Int)
+ 	for i, test := range testEncryptOAEPData {
+ 		n.SetString(test.modulus, 16)
++		if boring.Enabled && n.BitLen() < 2048 {
++			t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen())
++			continue
++		}
+ 		d.SetString(test.d, 16)
+ 		priv := new(PrivateKey)
+ 		priv.PublicKey = PublicKey{N: n, E: test.e}
 diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
 index 1827f76458..4c5c3527a4 100644
 --- a/src/crypto/tls/boring.go
@@ -791,6 +938,58 @@ index 314016979a..323d683788 100644
  }
  
  type x25519Parameters struct {
+diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
+index 4aae90570d..42706f93c4 100644
+--- a/src/crypto/x509/boring.go
++++ b/src/crypto/x509/boring.go
+@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
+ 	default:
+ 		return false
+ 	case *rsa.PublicKey:
+-		if size := k.N.BitLen(); size != 2048 && size != 3072 {
++		if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
+ 			return false
+ 		}
+ 	case *ecdsa.PublicKey:
+diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
+index 7010f44b32..70021f3bdd 100644
+--- a/src/crypto/x509/boring_test.go
++++ b/src/crypto/x509/boring_test.go
+@@ -54,7 +54,7 @@ type boringCertificate struct {
+ 
+ func TestBoringAllowCert(t *testing.T) {
+ 	R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
+-	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
++	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
+ 
+ 	M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
+ 	M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index cba44f6f8c..b6597cf1f9 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -11,6 +11,7 @@ import (
+ 	"crypto/ecdsa"
+ 	"crypto/ed25519"
+ 	"crypto/elliptic"
++	"crypto/internal/boring"
+ 	"crypto/rand"
+ 	"crypto/rsa"
+ 	_ "crypto/sha256"
+@@ -600,6 +601,13 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
+ 	extraExtensionData := []byte("extra extension")
+ 
+ 	for _, test := range tests {
++		if boring.Enabled && test.sigAlgo.isRSAPSS() {
++			key, _ := test.priv.(*rsa.PrivateKey)
++			if key.PublicKey.N.BitLen() < 2048 {
++				t.Logf("skipping short key with BoringCrypto: %d", key.PublicKey.N.BitLen())
++				continue
++			}
++		}
+ 		commonName := "test.example.com"
+ 		template := Certificate{
+ 			SerialNumber: big.NewInt(1),
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
 index 141fdb9fbd..d8e81d921d 100644
 --- a/src/go/build/deps_test.go
@@ -847,6 +1046,66 @@ index 141fdb9fbd..d8e81d921d 100644
  		haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
  	}
  	fset := token.NewFileSet()
+diff --git a/src/runtime/pprof/proto_test.go b/src/runtime/pprof/proto_test.go
+index 84a051a536..a2cd97f14d 100644
+--- a/src/runtime/pprof/proto_test.go
++++ b/src/runtime/pprof/proto_test.go
+@@ -15,6 +15,7 @@ import (
+ 	"os/exec"
+ 	"reflect"
+ 	"runtime"
++	"strconv"
+ 	"strings"
+ 	"testing"
+ 	"unsafe"
+@@ -95,11 +96,15 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) {
+ 			// region of memory.
+ 			t.Skipf("need 2 or more mappings, got %v", len(mprof.Mapping))
+ 		}
+-		addr1 = mprof.Mapping[0].Start
++		addr1 = findAddrInExecutableSection(t, mmap, mprof.Mapping[0])
+ 		map1 = mprof.Mapping[0]
++		map1.Offset = (addr1 - map1.Start) + map1.Offset
++		map1.Start = addr1
+ 		map1.BuildID, _ = elfBuildID(map1.File)
+-		addr2 = mprof.Mapping[1].Start
++		addr2 = findAddrInExecutableSection(t, mmap, mprof.Mapping[1])
+ 		map2 = mprof.Mapping[1]
++		map2.Offset = (addr2 - map2.Start) + map2.Offset
++		map2.Start = addr2
+ 		map2.BuildID, _ = elfBuildID(map2.File)
+ 	case "js":
+ 		addr1 = uint64(abi.FuncPCABIInternal(f1))
+@@ -115,6 +120,29 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) {
+ 	return
+ }
+ 
++func findAddrInExecutableSection(t *testing.T, mmap []byte, m *profile.Mapping) uint64 {
++	mappings := strings.Split(string(mmap), "\n")
++	for _, mapping := range mappings {
++		parts := strings.Fields(mapping)
++		if len(parts) < 6 {
++			continue
++		}
++		if !strings.Contains(parts[1], "x") {
++			continue
++		}
++		addr, err := strconv.ParseUint(strings.Split(parts[0], "-")[0], 16, 64)
++		if err != nil {
++			t.Fatal(err)
++		}
++		if addr >= m.Start && addr < m.Limit {
++			return addr
++		}
++	}
++
++	t.Error("could not find executable section in /proc/self/maps")
++	return 0
++}
++
+ func TestConvertCPUProfile(t *testing.T) {
+ 	addr1, addr2, map1, map2 := testPCs(t)
+ 
 diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
 index 5a98b20253..dc25cdcfd5 100644
 --- a/src/runtime/runtime_boring.go
@@ -861,29 +1120,3 @@ index 5a98b20253..dc25cdcfd5 100644
 +	return boring_runtime_arg0()
 +}
 \ No newline at end of file
-diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
-index 4aae90570d..42706f93c4 100644
---- a/src/crypto/x509/boring.go
-+++ b/src/crypto/x509/boring.go
-@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
- 	default:
- 		return false
- 	case *rsa.PublicKey:
--		if size := k.N.BitLen(); size != 2048 && size != 3072 {
-+		if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
- 			return false
- 		}
- 	case *ecdsa.PublicKey:
-diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
-index 7010f44b32..70021f3bdd 100644
---- a/src/crypto/x509/boring_test.go
-+++ b/src/crypto/x509/boring_test.go
-@@ -54,7 +54,7 @@ type boringCertificate struct {
- 
- func TestBoringAllowCert(t *testing.T) {
- 	R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
--	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
-+	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
- 
- 	M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
- 	M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)