golang-fips · derekparker · Sep 7, 2023 · Aug 16, 2023 · Sep 1, 2023 · Sep 5, 2023
diff --git a/config/versions.json b/config/versions.json
@@ -1,5 +1,5 @@
 {
-    "github.com/golang-fips/go": "go1.20-fips-release",
+    "github.com/golang-fips/go": "main",
     "github.com/golang-fips/openssl-fips": "b175be2ccd46683a51cba60a9a2087b09593317d",
-    "github.com/golang/go": "go1.20.7"
+    "github.com/golang/go": "go1.21.0"
 }
diff --git a/patches/000-initial-setup.patch b/patches/000-initial-setup.patch
@@ -1289,9 +1289,9 @@ index 63d86b9f3a..a8ee915041 100644
 --- a/src/crypto/tls/handshake_client.go
 +++ b/src/crypto/tls/handshake_client.go
 @@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) {
-
- 	var key *ecdh.PrivateKey
- 	if hello.supportedVersions[0] == VersionTLS13 {
+ 		if len(hello.supportedVersions) == 1 {
+ 			hello.cipherSuites = nil
+ 		}
 -		if hasAESGCMHardwareSupport {
 +		if needFIPS() {
 +			hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)

diff --git a/patches/001-initial-openssl-for-fips.patch b/patches/001-initial-openssl-for-fips.patch
diff --git a/patches/002-strict-fips-runtime-detection.patch b/patches/002-strict-fips-runtime-detection.patch
@@ -144,9 +144,9 @@ index 02e744362c..4ac7f480cf 100644
 --- a/src/internal/goexperiment/flags.go
 +++ b/src/internal/goexperiment/flags.go
 @@ -100,4 +100,6 @@ type Flags struct {
- 	// this compels the Go runtime to write to some arbitrary file, which
- 	// may be exploited.
- 	PageTrace bool
+ 	// CacheProg adds support to cmd/go to use a child process to implement
+ 	// the build cache; see https://github.com/golang/go/issues/59719.
+ 	CacheProg bool
 +
 +	StrictFIPSRuntime bool
  }
diff --git a/scripts/create-secondary-patch.sh b/scripts/create-secondary-patch.sh
@@ -37,8 +37,8 @@ replace="${1}"
 if [ -n "${replace}" ]; then
     echo "replace github.com/golang-fips/openssl-fips => ${replace}" >> go.mod
 fi
-go mod tidy
-go mod vendor
+../bin/go mod tidy
+../bin/go mod vendor
 
 # Generate the final patch.
 git add .

diff --git a/scripts/crypto-test.sh b/scripts/crypto-test.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+set -eE
+
+quiet () {
+  2>&1>/dev/null $@
+}
+
+# Find the GOROOT.
+# If using a release branch, expect the GOROOT
+# in the go submodule directory.
+GOROOT=$(readlink -f $(dirname $0)/..)
+quiet pushd $GOROOT
+if 2>/dev/null cat .gitmodules | grep -q "url = https://github.com/golang/go.git"; then
+  GOROOT=${GOROOT}/go
+fi
+quiet popd
+
+export GOCACHE=/tmp/go-cache
+export GO=${GOROOT}/bin/go
+
+# Test suites to run
+SUITES="crypto,tls"
+# Verbosity flags to pass to Go
+VERBOSE=""
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --suites)
+      SUITES=$2
+      shift;shift
+      ;;
+    -v)
+      VERBOSE="$VERBOSE -v"
+      set -x
+      shift
+      ;;
+    *)
+      >&2 echo "unsupported option $1"
+      exit 1
+      ;;
+   esac
+done
+
+notify_running() {
+  local mode=$1
+  local suite=$2
+  echo -e "\n##### ${suite} (${mode})"
+}
+
+run_crypto_test_suite () {
+  local mode=$1
+  local tags=$2
+  local suite="crypto-fips"
+  notify_running ${mode} ${suite}
+  quiet pushd ${GOROOT}/src/crypto
+  GOLANG_FIPS=1 OPENSSL_FORCE_FIPS_MODE=1 \
+    $GO test $tags -count=1 $($GO list ./... | grep -v tls) $VERBOSE
+
+  local suite="crypto-fips-parity-nocgo"
+  notify_running ${mode} ${suite}
+  GOLANG_FIPS=1 OPENSSL_FORCE_FIPS_MODE=1 \
+    CGO_ENABLED=0 $GO test $tags -count=1 $($GO list ./... | grep -v tls) $VERBOSE
+  quiet popd
+}
+
+run_tls_test_suite () {
+  local mode=$1
+  local tags=$2
+  local suite="tls-fips"
+  notify_running ${mode} ${suite}
+  quiet pushd ${GOROOT}/src
+  GOLANG_FIPS=1 OPENSSL_FORCE_FIPS_MODE=1 \
+    $GO test $tags -count=1 crypto/tls -run "^TestBoring" $VERBOSE
+  quiet popd
+}
+
+
+run_full_test_suite () {
+  local mode=$1
+  local tags=$2
+  for suite in ${SUITES//,/ }; do
+    if [[ "$suite" == "crypto" ]]; then
+      run_crypto_test_suite ${mode} ${tags}
+    elif [[ "$suite" == "tls" ]]; then
+      run_tls_test_suite ${mode} ${tags}
+    fi
+  done
+}
+
+# Run in default mode
+run_full_test_suite default ""
+
+# Run in strict fips mode
+export GOEXPERIMENT=strictfipsruntime
+run_full_test_suite strictfips "-tags=strictfipsruntime"
+
+echo ALL TESTS PASSED
diff --git a/scripts/full-initialize-repo.sh b/scripts/full-initialize-repo.sh
@@ -3,6 +3,12 @@
 # This script generates and applies FIPS
 # patches to a Go tree.
 
+echo "Host Go Version:"
+go version
+
+echo "Host Go Env:"
+go env
+
 SCRIPT_DIR=$(readlink -f $(dirname $0))
 GO_DIR=${SCRIPT_DIR}/../go
 

diff --git a/scripts/setup-initial-patch.sh b/scripts/setup-initial-patch.sh
@@ -38,6 +38,12 @@ shift $((OPTIND-1))
 cd ./go
 ORIGINAL_GIT_SHA=$(git rev-parse HEAD)
 
+# Build the Go toolchain before applying patches. This allows us to use this toolchain in later steps
+# when running `go mod` commands.
+pushd ./src
+./make.bash
+popd
+
 "${ROOT}"/scripts/apply-initial-patch.sh
 "${ROOT}"/scripts/create-secondary-patch.sh "${replacement}"