[dev.boringcrypto] crypto/tls/fipsonly: new package to force FIPS-allowed TLS settings

Change-Id: I3268cab2de8aed9e2424e9c3bc7667083bc5e1ce Reviewed-on: https://go-review.googlesource.com/65250 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2025-12-08 06:10:04 +00:00 · 2017-09-20 13:50:35 -04:00 · 2017-09-20 13:50:35 -04:00 · 3ed08db261
commit 3ed08db261
parent 2ba76155cd
20 changed files with 960 additions and 14 deletions
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@ -99,7 +99,11 @@ NextCipherSuite:
 	}

 	if hello.vers >= VersionTLS12 {
-		hello.signatureAndHashes = supportedSignatureAlgorithms
+		hello.signatureAndHashes = supportedSignatureAlgorithms()
+	}
+
+	if testingOnlyForceClientHelloSignatureAndHashes != nil {
+		hello.signatureAndHashes = testingOnlyForceClientHelloSignatureAndHashes
 	}

 	var session *ClientSessionState
@ -285,6 +289,8 @@ func (hs *clientHandshakeState) doFullHandshake() error {

 		if !c.config.InsecureSkipVerify {
 			opts := x509.VerifyOptions{
+				IsBoring: isBoringCertificate,
+
 				Roots:         c.config.RootCAs,
 				CurrentTime:   c.config.time(),
 				DNSName:       c.config.ServerName,