Merge pull request #1124 from microsoft/dev/qmuntal/go121tls13
[release-branch.go1.21] Support TLS 1.3 in fipstls mode
qmuntal authored Feb 5, 2024
2 parents 5b6ff83 + 55c7166 commit 8881038
Showing 4 changed files with 374 additions and 13 deletions.
26 changes: 15 additions & 11 deletions eng/doc/fips/UserGuide.md
Expand Up @@ -53,12 +53,12 @@ The Go crypto documentation is available online at https://pkg.go.dev/crypto.
- [crypto/sha512](#cryptosha512)
- [func New](#func-new-3)
- [func New384](#func-new384)
- [func New512_224](#func-new512_224)
- [func New512_256](#func-new512_256)
- [func New512\_224](#func-new512_224)
- [func New512\_256](#func-new512_256)
- [func Sum384](#func-sum384)
- [func Sum512](#func-sum512)
- [func Sum512_224](#func-sum512_224)
- [func Sum512_256](#func-sum512_256)
- [func Sum512\_224](#func-sum512_224)
- [func Sum512\_256](#func-sum512_256)
- [crypto/rsa](#cryptorsa)
- [func DecryptOAEP](#func-decryptoaep)
- [func DecryptPKCS1v15](#func-decryptpkcs1v15)
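Review bot: this hunk only backslash-escapes underscores in four table-of-contents entries (`New512\_224`, `New512\_256`, `Sum512\_224`, `Sum512\_256`) and is unrelated to the TLS 1.3 subject of the commit; it would be simpler to review and to carry to other branches as its own commit. The anchors themselves (`#func-new512_224` and friends) are correctly left unescaped, so the links still resolve.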
Expand Down Expand Up @@ -1235,18 +1235,22 @@ Package tls will automatically use FIPS compliant primitives implemented in othe

When using TLS in FIPS-only mode the TLS handshake has the following restrictions:

- TLS versions: `tls.VersionTLS12`
- TLS versions:
- `tls.VersionTLS12`
- `tls.VersionTLS13`
- ECDSA elliptic curves:
- `tls.CurveP256`
- `tls.CurveP384`
- `tls.CurveP521`
- Cipher suites:
- `tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
- `tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
- `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
- `tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
- `tls.TLS_RSA_WITH_AES_128_GCM_SHA256`
- `tls.TLS_RSA_WITH_AES_256_GCM_SHA384`
- TLS 1.2:
- `tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
- `tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
- `tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
- `tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
- TLS 1.3:
- `tls.TLS_AES_128_GCM_SHA256`
- `tls.TLS_AES_256_GCM_SHA384`
- x509 certificate public key:
- `rsa.PublicKey` with a bit length of 2048 or 3072. Bit length of 4096 is still not supported, see [this issue](https://github.com/golang/go/issues/41147) for more info.
- `ecdsa.PublicKey` with a supported elliptic curve.
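Review bot: the "ECDSA elliptic curves" heading now undersells what that list governs. With TLS 1.3 added, `tls.CurveP256`, `tls.CurveP384` and `tls.CurveP521` are also the only groups available for the ECDHE key exchange negotiated by the listed suites, not just the curves accepted in certificate keys, so a reader setting `tls.Config.CurvePreferences` needs to know the restriction applies there too; suggest renaming the heading to cover both key exchange and ECDSA. Separately, the rewritten TLS 1.2 list drops `tls.TLS_RSA_WITH_AES_128_GCM_SHA256` and `tls.TLS_RSA_WITH_AES_256_GCM_SHA384` rather than regrouping them, which is a behaviour change for peers that only offer static-RSA key exchange; a one-line note that these suites are no longer permitted in FIPS mode would save users a confusing handshake failure.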
2 changes: 1 addition & 1 deletion go
Submodule go updated 44 files
+17 −0 src/cmd/compile/internal/types2/issues_test.go
+1 −0 src/cmd/compile/internal/types2/subst.go
+0 −1 src/cmd/compile/internal/types2/typeset.go
+2 −0 src/cmd/go/internal/generate/generate.go
+104 −44 src/cmd/go/internal/toolchain/select.go
+27 −0 src/cmd/go/testdata/script/generate_workspace.txt
+45 −0 src/cmd/go/testdata/script/install_modcacherw_issue64282.txt
+11 −17 src/crypto/internal/boring/Dockerfile
+1 −1 src/crypto/internal/boring/LICENSE
+3 −4 src/crypto/internal/boring/README.md
+7 −22 src/crypto/internal/boring/aes.go
+1 −1 src/crypto/internal/boring/build-goboring.sh
+0 −6 src/crypto/internal/boring/build.sh
+0 −2 src/crypto/internal/boring/goboringcrypto.h
+0 −1 src/crypto/internal/boring/notboring.go
+ src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
+ src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
+11 −15 src/crypto/tls/boring.go
+18 −51 src/crypto/tls/boring_test.go
+1 −7 src/crypto/tls/cipher_suites.go
+1 −3 src/crypto/tls/handshake_client.go
+4 −0 src/crypto/tls/handshake_client_tls13.go
+9 −19 src/crypto/tls/handshake_server_test.go
+4 −3 src/crypto/tls/handshake_server_tls13.go
+0 −2 src/crypto/tls/notboring.go
+2 −2 src/crypto/x509/boring.go
+30 −5 src/crypto/x509/verify_test.go
+17 −0 src/go/types/issues_test.go
+1 −0 src/go/types/subst.go
+0 −1 src/go/types/typeset.go
+70 −0 src/runtime/cgocall.go
+17 −0 src/runtime/crash_cgo_test.go
+6 −0 src/runtime/crash_unix_test.go
+4 −0 src/runtime/export_test.go
+117 −95 src/runtime/lockrank.go
+34 −8 src/runtime/mklockrank.go
+1 −4 src/runtime/pinner.go
+19 −24 src/runtime/proc.go
+47 −5 src/runtime/rwmutex.go
+4 −0 src/runtime/rwmutex_test.go
+147 −0 src/runtime/testdata/testprogcgo/stackswitch.c
+43 −0 src/runtime/testdata/testprogcgo/stackswitch.go
+3 −6 src/runtime/traceback.go
+5 −5 src/slices/slices_test.go
2 changes: 1 addition & 1 deletion patches/0003-Add-BoringSSL-crypto-backend.patch
Expand Up @@ -72,7 +72,7 @@ index 00000000000000..590d84f90fb16c
+
+func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) }
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) }
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS13(c) }
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
+
+type PublicKeyECDSA = boring.PublicKeyECDSA
+type PrivateKeyECDSA = boring.PrivateKeyECDSA
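Review bot: replacing `return boring.NewGCMTLS13(c)` with `panic("cryptobackend: not available")` turns any TLS 1.3 AEAD construction on this backend into a process crash rather than a reportable failure, even though the signature already returns `(cipher.AEAD, error)`. Returning a non-nil error would let the caller fail the handshake cleanly; if the intent is that TLS 1.3 is never selected in fipstls mode when this backend is built in, a comment here saying so, and pointing at where that is enforced, would help the next reader, and the UserGuide change in this same commit should then state which backends actually support the TLS 1.3 suites it now lists.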