[dev.boringcrypto] all: add boringcrypto build tags

A plain make.bash in this tree will produce a working, standard Go toolchain, not a BoringCrypto-enabled one. The BoringCrypto-enabled one will be created with: GOEXPERIMENT=boringcrypto ./make.bash For #51940. Change-Id: Ia9102ed993242eb1cb7f9b93eca97e81986a27b3 Reviewed-on: https://go-review.googlesource.com/c/go/+/395881 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2025-12-08 06:10:04 +00:00 · 2022-04-27 09:02:52 -04:00 · 2022-04-27 09:02:52 -04:00 · f4c0f42f99
commit f4c0f42f99
parent 1f0547c4ec
37 changed files with 153 additions and 43 deletions
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@ -34,6 +34,8 @@ type clientHandshakeState struct {
 	session      *ClientSessionState
 }

+var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
+
 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	config := c.config
 	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
@ -859,13 +861,14 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {

 	if !c.config.InsecureSkipVerify {
 		opts := x509.VerifyOptions{
-			IsBoring: isBoringCertificate,
-
 			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
 			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}
+		if needFIPS() {
+			opts.IsBoring = isBoringCertificate
+		}
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}