Skip to content

Commit 09b5de4

Browse files
FiloSottilegopherbot
FiloSottile
authored and
gopherbot
committed
Revert "crypto/internal/boring: upgrade module to fips-20220613" +1
This reverts commit 7383b2a ("crypto/internal/boring: upgrade module to fips-20220613") and commit 4106de9 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
1 parent b6d1eb7 commit 09b5de4

19 files changed

Lines changed: 73 additions & 156 deletions

src/crypto/internal/boring/Dockerfile

Lines changed: 11 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -13,21 +13,15 @@ WORKDIR /boring
1313
ENV LANG=C
1414
ENV LANGUAGE=
1515

16-
# Following NIST submission draft for In Progress module validation.
17-
# This corresponds to boringssl.googlesource.com/boringssl tag fips-20220613.
16+
# Following NIST submission draft dated July 3, 2021.
17+
# This corresponds to boringssl.googlesource.com/boringssl tag fips-20210429.
18+
ENV ClangV=12
1819
RUN apt-get update && \
19-
apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates python lsb-release software-properties-common gnupg
20-
21-
# Install Clang.
22-
ENV ClangV=14
23-
RUN \
24-
wget https://apt.llvm.org/llvm.sh && \
25-
chmod +x llvm.sh && \
26-
./llvm.sh $ClangV
20+
apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates clang-$ClangV python
2721

2822
# Download, validate, unpack, build, and install Ninja.
29-
ENV NinjaV=1.10.1
30-
ENV NinjaH=a6b6f7ac360d4aabd54e299cc1d8fa7b234cd81b9401693da21221c62569a23e
23+
ENV NinjaV=1.10.2
24+
ENV NinjaH=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
3125
RUN \
3226
wget https://github.com/ninja-build/ninja/archive/refs/tags/v$NinjaV.tar.gz && \
3327
echo "$NinjaH v$NinjaV.tar.gz" >sha && sha256sum -c sha && \
@@ -39,9 +33,9 @@ RUN \
3933

4034
# Download, validate, unpack, and install Go.
4135
ARG GOARCH
42-
ENV GoV=1.18.1
43-
ENV GoHamd64=b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334
44-
ENV GoHarm64=56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633
36+
ENV GoV=1.16.5
37+
ENV GoHamd64=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
38+
ENV GoHarm64=d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799
4539
RUN \
4640
eval GoH=\${GoH$GOARCH} && \
4741
wget https://golang.org/dl/go$GoV.linux-$GOARCH.tar.gz && \
@@ -51,8 +45,8 @@ RUN \
5145
ln -s /usr/local/go/bin/go /usr/local/bin/
5246

5347
# Download, validate, and unpack BoringCrypto.
54-
ENV BoringV=0c6f40132b828e92ba365c6b7680e32820c63fa7
55-
ENV BoringH=62f733289f2d677c2723f556aa58034c438f3a7bbca6c12b156538a88e38da8a
48+
ENV BoringV=853ca1ea1168dff08011e5d42d94609cc0ca2e27
49+
ENV BoringH=a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2
5650
RUN \
5751
wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-$BoringV.tar.xz && \
5852
echo "$BoringH boringssl-$BoringV.tar.xz" >sha && sha256sum -c sha && \

src/crypto/internal/boring/LICENSE

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ When building with GOEXPERIMENT=boringcrypto, the following applies.
66
The goboringcrypto_linux_amd64.syso object file is built
77
from BoringSSL source code by build/build.sh and is covered
88
by the BoringSSL license reproduced below and also at
9-
https://boringssl.googlesource.com/boringssl/+/fips-20220613/LICENSE.
9+
https://boringssl.googlesource.com/boringssl/+/fips-20190808/LICENSE.
1010

1111
BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL
1212
licensing. Files that are completely new have a Google copyright and an ISC

src/crypto/internal/boring/README.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -27,14 +27,13 @@ syso/goboringcrypto_linux_arm64.syso is built with:
2727

2828
GOARCH=arm64 ./build.sh
2929

30-
Both run using Docker.
31-
30+
Both run on an x86 Debian Linux system using Docker.
3231
For the arm64 build to run on an x86 system, you need
3332

3433
apt-get install qemu-user-static qemu-binfmt-support
3534

3635
to allow the x86 kernel to run arm64 binaries via QEMU.
3736

38-
For the amd64 build to run on an Apple Silicon macOS, you need Rosetta 2.
39-
4037
See build.sh for more details about the build.
38+
39+

src/crypto/internal/boring/aes.go

Lines changed: 7 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -228,41 +228,26 @@ func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
228228
if tagSize != gcmTagSize {
229229
return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
230230
}
231-
return c.newGCM(0)
231+
return c.newGCM(false)
232232
}
233233

234-
const (
235-
VersionTLS12 = 0x0303
236-
VersionTLS13 = 0x0304
237-
)
238-
239234
func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
240-
return c.(*aesCipher).newGCM(VersionTLS12)
241-
}
242-
243-
func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) {
244-
return c.(*aesCipher).newGCM(VersionTLS13)
235+
return c.(*aesCipher).newGCM(true)
245236
}
246237

247-
func (c *aesCipher) newGCM(tlsVersion uint16) (cipher.AEAD, error) {
238+
func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
248239
var aead *C.GO_EVP_AEAD
249240
switch len(c.key) * 8 {
250241
case 128:
251-
switch tlsVersion {
252-
case VersionTLS12:
242+
if tls {
253243
aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
254-
case VersionTLS13:
255-
aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls13()
256-
default:
244+
} else {
257245
aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
258246
}
259247
case 256:
260-
switch tlsVersion {
261-
case VersionTLS12:
248+
if tls {
262249
aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
263-
case VersionTLS13:
264-
aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls13()
265-
default:
250+
} else {
266251
aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
267252
}
268253
default:

src/crypto/internal/boring/build-goboring.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -122,7 +122,7 @@ awk -f boringx.awk goboringcrypto.h # writes goboringcrypto.x
122122
awk -f boringh.awk goboringcrypto.h # writes goboringcrypto[01].h
123123

124124
ls -l ../boringssl/include
125-
clang++ -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc
125+
clang++ -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc
126126
./a.out || exit 2
127127

128128
# clang implements u128 % u128 -> u128 by calling __umodti3,

src/crypto/internal/boring/build.sh

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -22,12 +22,6 @@ platform=""
2222
buildargs=""
2323
case "$GOARCH" in
2424
amd64)
25-
if ! docker run --rm -t amd64/ubuntu:focal uname -m >/dev/null 2>&1; then
26-
echo "# Docker cannot run amd64 binaries."
27-
exit 1
28-
fi
29-
platform="--platform linux/amd64"
30-
buildargs="--build-arg ubuntu=amd64/ubuntu"
3125
;;
3226
arm64)
3327
if ! docker run --rm -t arm64v8/ubuntu:focal uname -m >/dev/null 2>&1; then

src/crypto/internal/boring/goboringcrypto.h

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -125,9 +125,7 @@ void _goboringcrypto_EVP_AEAD_CTX_cleanup(GO_EVP_AEAD_CTX*);
125125
int _goboringcrypto_EVP_AEAD_CTX_seal(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t);
126126
int _goboringcrypto_EVP_AEAD_CTX_open(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t);
127127
const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls12(void);
128-
const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls13(void);
129128
const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls12(void);
130-
const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls13(void);
131129
enum go_evp_aead_direction_t {
132130
go_evp_aead_open = 0,
133131
go_evp_aead_seal = 1

src/crypto/internal/boring/notboring.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,6 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: no
5050

5151
func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
5252
func NewGCMTLS(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") }
53-
func NewGCMTLS13(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") }
5453

5554
type PublicKeyECDSA struct{ _ int }
5655
type PrivateKeyECDSA struct{ _ int }

src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso

126 KB
Binary file not shown.

src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso

-123 KB
Binary file not shown.

0 commit comments

Comments
 (0)