Go 1.22.0 (#160)

* Go 1.22rc1 * fix formatting on patch * fix build * remove uneccesary patch in 000 initial patch * Support 1.22.0 * Update openssl backend * skip test due to change in openssl * review feedback * fix test run in ./all.bash
golang-fips · Mar 11, 2024 · b86e774 · b86e774
1 parent 56ac3db
commit b86e774
Show file tree

Hide file tree

Showing 11 changed files with 595 additions and 251 deletions.
diff --git a/config/versions.json b/config/versions.json
@@ -1,5 +1,5 @@
 {
     "github.com/golang-fips/go": "main",
-    "github.com/golang-fips/openssl": "41b6eb24da2819f9ebf7818b82a0da94dc3ae309",
-    "github.com/golang/go": "go1.21.4"
-}
+    "github.com/golang-fips/openssl": "576fe0d377882f8d0fd6537762ef2ff7918facc8",
+    "github.com/golang/go": "go1.22.0"
+}
diff --git a/patches/000-initial-setup.patch b/patches/000-initial-setup.patch
@@ -880,25 +880,29 @@ index 3278a7ff30..b994daec19 100644
  		priv := new(PrivateKey)
  		priv.PublicKey = PublicKey{N: n, E: test.e}
 diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
-index 1827f76458..140b1a3dd8 100644
+index aad96b1c74..bbf3d38339 100644
 --- a/src/crypto/tls/boring.go
 +++ b/src/crypto/tls/boring.go
-@@ -8,8 +8,15 @@ package tls
-
- import (
- 	"crypto/internal/boring/fipstls"
+@@ -6,9 +6,16 @@
+
+ package tls
+
+-import (
+-	"crypto/internal/boring/fipstls"
+-)
++import (
 +	boring "crypto/internal/backend"
- )
-
++	"crypto/internal/boring/fipstls"
++)
++
 +func init() {
-+       if boring.Enabled && !boring.ExecutingTest() {
-+               fipstls.Force()
-+       }
++	if boring.Enabled && !boring.ExecutingTest() {
++		fipstls.Force()
++	}
 +}
-+
+ 
  // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
  func needFIPS() bool {
- 	return fipstls.Required()
 @@ -17,14 +24,18 @@ func needFIPS() bool {
 
  // fipsMinVersion replaces c.minVersion in FIPS-only mode.
@@ -953,7 +957,7 @@ index ba68f355eb..7bfe3f9417 100644
  	test("VersionTLS12", VersionTLS12, "")
 -	test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
 +	if boring.SupportsHKDF() {
-+		test("VersionTLS13", VersionTLS13, "")
++		test("VersionTLS13/fipstls", VersionTLS13, "")
 +	}
  }
 
@@ -963,17 +967,6 @@ index ba68f355eb..7bfe3f9417 100644
  }
 
  func isBoringCipherSuite(id uint16) bool {
-@@ -66,7 +74,9 @@ func isBoringCipherSuite(id uint16) bool {
- 		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- 		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- 		TLS_RSA_WITH_AES_128_GCM_SHA256,
--		TLS_RSA_WITH_AES_256_GCM_SHA384:
-+		TLS_RSA_WITH_AES_256_GCM_SHA384,
-+		TLS_AES_128_GCM_SHA256,
-+		TLS_AES_256_GCM_SHA384:
- 		return true
- 	}
- 	return false
 @@ -226,7 +236,14 @@ func TestBoringServerSignatureAndHash(t *testing.T) {
  			// 1.3, and the ECDSA ones bind to the curve used.
  			serverConfig.MaxVersion = VersionTLS12
@@ -1165,21 +1158,6 @@ index 5394d64ac6..db4e2dbf60 100644
  		if needFIPS() && (v < fipsMinVersion(c) || v > fipsMaxVersion(c)) {
  			continue
  		}
-diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
-index 63d86b9f3a..a8ee915041 100644
---- a/src/crypto/tls/handshake_client.go
-+++ b/src/crypto/tls/handshake_client.go
-@@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) {
- 		if len(hello.supportedVersions) == 1 {
- 			hello.cipherSuites = nil
- 		}
--		if hasAESGCMHardwareSupport {
-+		if needFIPS() {
-+			hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)
-+		} else if hasAESGCMHardwareSupport {
- 			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
- 		} else {
- 			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)
 diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
 index 22be38faff..d460eeb880 100644
 --- a/src/crypto/tls/handshake_client_test.go
@@ -1192,36 +1170,6 @@ index 22be38faff..d460eeb880 100644
  	c, s := localPipe(t)
  	done := make(chan bool)
 
-diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
-index 4a8661085e..87fe11de5c 100644
---- a/src/crypto/tls/handshake_client_tls13.go
-+++ b/src/crypto/tls/handshake_client_tls13.go
-@@ -41,10 +41,6 @@ type clientHandshakeStateTLS13 struct {
- func (hs *clientHandshakeStateTLS13) handshake() error {
- 	c := hs.c
-
--	if needFIPS() {
--		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
--	}
--
- 	// The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
- 	// sections 4.1.2 and 4.1.3.
- 	if c.handshakes > 0 {
-diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
-index b7b568cd84..af75e7dbe0 100644
---- a/src/crypto/tls/handshake_server_tls13.go
-+++ b/src/crypto/tls/handshake_server_tls13.go
-@@ -44,10 +44,6 @@ type serverHandshakeStateTLS13 struct {
- func (hs *serverHandshakeStateTLS13) handshake() error {
- 	c := hs.c
-
--	if needFIPS() {
--		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
--	}
--
- 	// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
- 	if err := hs.processClientHello(); err != nil {
- 		return err
 diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
 index ae8f80a7cf..30a8450f40 100644
 --- a/src/crypto/tls/key_schedule.go
@@ -1532,7 +1480,7 @@ index 780b481de8..63db9e9ed7 100644
 +		map2.Offset = (addr2 - map2.Start) + map2.Offset
 +		map2.Start = addr2
  		map2.BuildID, _ = elfBuildID(map2.File)
- 	case "windows":
+ 	case "windows", "darwin", "ios":
  		addr1 = uint64(abi.FuncPCABIInternal(f1))
 @@ -145,6 +150,29 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) {
  	return