We have been working inside Google on a fork of Go that uses
BoringCrypto (the core of [BoringSSL][]) for various crypto
-primitives, in furtherance of some [work related to FIPS 140-2][3318].
+primitives, in furtherance of some [work related to FIPS 140-2][sp].
We have heard that some external users of Go would be interested in
this code as well, so this branch holds the patches to make Go use
BoringCrypto.
[BoringSSL]: https://boringssl.googlesource.com/boringssl/
-[3318]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3318.pdf
+[sp]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
Unlike typical dev branches, we do not intend any eventual merge of
this code into the master branch. Instead we intend to maintain in
--- /dev/null
+# Copyright 2020 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# This Docker image builds goboringcrypto_linux_amd64.syso according to the
+# Security Policy. To use it, build the image, run it, and then extract
+# /boring/godriver/goboringcrypto_linux_amd64.syso.
+#
+# $ docker build -t goboring:140sp3678 .
+# $ docker run -it --name goboring-140sp3678 goboring:140sp3678
+# $ docker cp goboring-140sp3678:/boring/godriver/goboringcrypto_linux_amd64.syso .
+# $ sha256sum goboringcrypto_linux_amd64.syso # compare to docker output
+
+FROM ubuntu:focal
+
+RUN mkdir /boring
+WORKDIR /boring
+
+# Following 140sp3678.pdf [0] page 19, install clang 7.0.1, Go 1.12.7, and
+# Ninja 1.9.0, then download and verify BoringSSL.
+#
+# [0]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
+
+RUN apt-get update && \
+ apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates clang-7
+RUN wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip && \
+ unzip ninja-linux.zip && \
+ rm ninja-linux.zip && \
+ mv ninja /usr/local/bin/
+RUN wget https://golang.org/dl/go1.12.7.linux-amd64.tar.gz && \
+ tar -C /usr/local -xzf go1.12.7.linux-amd64.tar.gz && \
+ rm go1.12.7.linux-amd64.tar.gz && \
+ ln -s /usr/local/go/bin/go /usr/local/bin/
+
+RUN wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz
+RUN [ "$(sha256sum boringssl-ae223d6138807a13006342edfeef32e813246b39.tar.xz | awk '{print $1}')" = \
+ 3b5fdf23274d4179c2077b5e8fa625d9debd7a390aac1d165b7e47234f648bb8 ]
+
+ADD goboringcrypto.h /boring/godriver/goboringcrypto.h
+ADD build.sh /boring/build.sh
+
+ENTRYPOINT ["/boring/build.sh"]
The goboringcrypto_linux_amd64.syso object file is built
from BoringSSL source code by build/build.sh and is covered
by the BoringSSL license reproduced below and also at
-https://boringssl.googlesource.com/boringssl/+/fips-20180730/LICENSE.
+https://boringssl.googlesource.com/boringssl/+/fips-20190808/LICENSE.
BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL
licensing. Files that are completely new have a Google copyright and an ISC
#!/bin/bash
-# Copyright 2017 The Go Authors. All rights reserved.
+# Copyright 2020 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
set -e
-echo running build_in_chroot.sh
id
date
export LANG=C
unset LANGUAGE
# Build BoringCrypto libcrypto.a.
-# Following https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3318.pdf page 19.
-if ! [ -e ./boringssl/build/tool/bssl ]; then
- export PATH=$PATH:/usr/lib/go-1.10/bin:/clangbin
-
- # Go requires -fPIC for linux/amd64 cgo builds.
- # Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
- # because the FIPS module itself is already built with -fPIC.
- mkdir /clangbin
- echo '#!/bin/bash
- exec clang-6.0 -fPIC "$@"
- ' >/clangbin/clang
- echo '#!/bin/bash
- exec clang++-6.0 -fPIC "$@"
- ' >/clangbin/clang++
- chmod +x /clangbin/clang /clangbin/clang++
-
- rm -rf boringssl
- tar xJf ../boringssl-*z
- cd boringssl
-
- # Verbatim instructions from BoringCrypto build docs.
- printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" >${HOME}/toolchain
- mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
- ninja
- ninja run_tests
-
- cd ../..
-fi
+# Following https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf page 19.
+
+tar xJf boringssl-*z
+
+# Go requires -fPIC for linux/amd64 cgo builds.
+# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
+# because the FIPS module itself is already built with -fPIC.
+echo '#!/bin/bash
+exec clang-7 -fPIC "$@"
+' >/usr/local/bin/clang
+echo '#!/bin/bash
+exec clang++-7 -fPIC "$@"
+' >/usr/local/bin/clang++
+chmod +x /usr/local/bin/clang /usr/local/bin/clang++
+
+# The BoringSSL tests use Go, and cgo would look for gcc.
+export CGO_ENABLED=0
+
+# Verbatim instructions from BoringCrypto build docs.
+printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" >${HOME}/toolchain
+cd boringssl
+mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
+ninja
+ninja run_tests
+
+cd ../..
+
if [ "$(./boringssl/build/tool/bssl isfips)" != 1 ]; then
echo "NOT FIPS"
exit 2
fi
-
# Build and run test C++ program to make sure goboringcrypto.h matches openssl/*.h.
# Also collect list of checked symbols in syms.txt
set -x
/typedef struct|enum ([a-z_]+ )?{|^[ \t]/ {print;next}
{gsub(/GO_/, ""); gsub(/enum go_/, "enum "); print}
' >goboringcrypto1.h
-clang++-6.0 -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc
+clang++ -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc
./a.out || exit 2
# Prepare copy of libcrypto.a with only the checked functions renamed and exported.
.section .note.GNU-stack,"",@progbits
EOF
-clang-6.0 -c -o umod.o umod.s
+clang -c -o umod.o umod.s
ld -r -nostdlib --whole-archive -o goboringcrypto.o libcrypto.a umod.o
echo __umodti3 _goboringcrypto___umodti3 >>renames.txt
+++ /dev/null
-This is not a Go package. The directory must not contain Go sources,
-to prevent it from being considered a Go package.
-
-This directory holds the script for building ../goboringcrypto_*.syso.
-Run build.sh on an Ubuntu system.
-See the comment at the top of build.sh for details.
+++ /dev/null
-#!/bin/bash
-# Copyright 2017 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# Run on Ubuntu system set up with:
-# sudo apt-get install debootstrap
-# sudo apt-get install squid-deb-proxy
-# sudo /etc/init.d/squid-deb-proxy start
-#
-# The script sets up an Ubuntu chroot and then runs the build
-# in that chroot, to make sure we know exactly what software
-# is being used for the build. To repeat the script reusing the
-# chroot installation, run build.sh -quick. This mode is useful
-# if all you've modified is goboringcrypto.c and ../goboringcrypto.h
-# (or some of the setup scripts in this directory).
-
-# Comment this setting out if not using squid-deb-proxy,
-# but it will be much slower to repeat the script.
-http_proxy=http://127.0.0.1:8000
-
-chroot=/var/tmp/boringssl
-
-sudo umount -f $chroot/proc
-sudo umount -f $chroot/sys
-sudo umount -f $chroot/dev/pts
-sudo umount -f $chroot/dev
-
-set -e
-if [ "$1" != "-quick" ]; then
- sudo rm -rf $chroot
- sudo http_proxy=$http_proxy debootstrap --variant=minbase disco $chroot
-fi
-
-sudo chown $(whoami) $chroot
-sudo chmod u+w $chroot
-
-sudo mount -t proc proc $chroot/proc
-sudo mount -t sysfs sys $chroot/sys
-sudo mount -o bind /dev $chroot/dev
-sudo mount -t devpts devpts $chroot/dev/pts
-
-sudo cp sources.list $chroot/etc/apt/sources.list
-
-cp *chroot.sh $chroot
-
-# Following https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3318.pdf page 19.
-if [ ! -e $chroot/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz ]; then
- wget -O $chroot/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz https://commondatastorage.googleapis.com/chromium-boringssl-docs/fips/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz
-fi
-if [ "$(sha256sum $chroot/boringssl-66005f41fbc3529ffe8d007708756720529da20d.tar.xz | awk '{print $1}')" != b12ad676ee533824f698741bd127f6fbc82c46344398a6d78d25e62c6c418c73 ]; then
- echo WRONG SHA256SUM
- exit 2
-fi
-
-rm -rf $chroot/godriver
-mkdir $chroot/godriver
-cp ../goboringcrypto.h $chroot/godriver
-
-sudo http_proxy=$http_proxy chroot $chroot /root_setup_in_chroot.sh
-sudo chroot --userspec=$(id -u):$(id -g) $chroot /build_in_chroot.sh
-cp $chroot/godriver/goboringcrypto_linux_amd64.syso ..
-sha256sum ../goboringcrypto_linux_amd64.syso
-echo DONE
+++ /dev/null
-#!/bin/bash
-# Copyright 2017 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-set -e
-id
-date
-echo http_proxy=$http_proxy
-export LANG=C
-unset LANGUAGE
-apt-get update
-apt-get install --no-install-recommends -y cmake clang-6.0 golang-1.10-go ninja-build xz-utils
+++ /dev/null
-deb http://archive.ubuntu.com/ubuntu/ disco main restricted
-deb http://archive.ubuntu.com/ubuntu/ disco-updates main restricted
-deb http://archive.ubuntu.com/ubuntu/ disco universe
-deb http://archive.ubuntu.com/ubuntu/ disco-updates universe
-deb http://archive.ubuntu.com/ubuntu/ disco multiverse
-deb http://archive.ubuntu.com/ubuntu/ disco-updates multiverse
-deb http://archive.ubuntu.com/ubuntu/ disco-backports main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu disco-security main restricted
-deb http://security.ubuntu.com/ubuntu disco-security universe
-deb http://security.ubuntu.com/ubuntu disco-security multiverse
size_t _goboringcrypto_EVP_AEAD_nonce_length(const GO_EVP_AEAD*);
size_t _goboringcrypto_EVP_AEAD_max_overhead(const GO_EVP_AEAD*);
size_t _goboringcrypto_EVP_AEAD_max_tag_len(const GO_EVP_AEAD*);
-typedef struct GO_EVP_AEAD_CTX { char data[24]; } GO_EVP_AEAD_CTX;
+typedef struct GO_EVP_AEAD_CTX { char data[600]; } GO_EVP_AEAD_CTX;
void _goboringcrypto_EVP_AEAD_CTX_zero(GO_EVP_AEAD_CTX*);
int _goboringcrypto_EVP_AEAD_CTX_init(GO_EVP_AEAD_CTX*, const GO_EVP_AEAD*, const uint8_t*, size_t, size_t, GO_ENGINE*);
void _goboringcrypto_EVP_AEAD_CTX_cleanup(GO_EVP_AEAD_CTX*);
void _goboringcrypto_RSA_get0_key(const GO_RSA*, const GO_BIGNUM **n, const GO_BIGNUM **e, const GO_BIGNUM **d);
void _goboringcrypto_RSA_get0_factors(const GO_RSA*, const GO_BIGNUM **p, const GO_BIGNUM **q);
void _goboringcrypto_RSA_get0_crt_params(const GO_RSA*, const GO_BIGNUM **dmp1, const GO_BIGNUM **dmp2, const GO_BIGNUM **iqmp);
-int _goboringcrypto_RSA_generate_key_ex(GO_RSA*, int, GO_BIGNUM*, GO_BN_GENCB*);
+int _goboringcrypto_RSA_generate_key_ex(GO_RSA*, int, const GO_BIGNUM*, GO_BN_GENCB*);
int _goboringcrypto_RSA_generate_key_fips(GO_RSA*, int, GO_BN_GENCB*);
enum {
GO_RSA_PKCS1_PADDING = 1,