crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3 [1.21 backport] #64719

Closed
gopherbot opened this issue Dec 14, 2023 · 6 comments
Labels
CherryPickApproved Used during the release process for point releases

@gopherbot
Contributor

@FiloSottile requested issue #64717 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues. All supported Go versions need to be able to comply with NIST SP 800-52 Rev. 2 in GOEXPERIMENT=boringcrypto mode.

/cc @golang/release @golang/security @rsc

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Dec 14, 2023
@gopherbot gopherbot added this to the Go1.21.6 milestone Dec 14, 2023
@cagedmantis cagedmantis added the CherryPickApproved Used during the release process for point releases label Dec 20, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Dec 20, 2023
@mdempsky
Contributor

mdempsky commented Jan 3, 2024

@FiloSottile Do you plan to create a backport CL? Thanks.

@FiloSottile
Contributor

Sorry, I had missed the transition to CherryPickApproved. Mailing it today.

@gopherbot
Contributor Author

Change https://go.dev/cl/553856 mentions this issue: [release-branch.go1.21] crypto/tls: align FIPS-only mode with BoringSSL policy

@gopherbot
Contributor Author

Change https://go.dev/cl/553855 mentions this issue: [release-branch.go1.21] crypto/internal/boring: upgrade module to fips-20220613

@gopherbot
Contributor Author

Closed by merging d2cb140 to release-branch.go1.21.

@gopherbot
Contributor Author

Closed by merging 368e2a9 to release-branch.go1.21.

gopherbot pushed a commit that referenced this issue Jan 4, 2024
…s-20220613

Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a
following CL, to avoid rebuilding the syso twice.

Updates #64717
Updates #62372
Updates #64719

Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce
Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-boringcrypto
Reviewed-on: https://go-review.googlesource.com/c/go/+/549695
Reviewed-by: Than McIntosh
Reviewed-by: Roland Shoemaker
Reviewed-on: https://go-review.googlesource.com/c/go/+/553855
Auto-Submit: Matthew Dempsky
TryBot-Result: Gopher Robot
LUCI-TryBot-Result: Go LUCI
Run-TryBot: Matthew Dempsky
Reviewed-by: Matthew Dempsky
gopherbot pushed a commit that referenced this issue Jan 4, 2024
…SL policy

This enables TLS 1.3, disables P-521, and disables non-ECDHE suites.

Updates #64717
Updates #62372
Fixes #64719

Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091
Reviewed-on: https://go-review.googlesource.com/c/go/+/549975
Reviewed-by: Roland Shoemaker
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Than McIntosh
Reviewed-on: https://go-review.googlesource.com/c/go/+/553856
Auto-Submit: Matthew Dempsky
Reviewed-by: Matthew Dempsky
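
The three policy changes named in the commit message above (TLS 1.3 enabled, P-521 disabled, non-ECDHE suites disabled), as an added example that is not part of this issue thread or of the Go project's code: a Go helper, with the hypothetical name `auditConfig`, that flags `tls.Config` settings conflicting with them. It checks only those three stated properties, not the complete list of approved suites, which this page does not give.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// auditConfig (hypothetical helper) lists settings in cfg that conflict with
// the three changes the commit message names.
func auditConfig(cfg *tls.Config) []string {
	var findings []string
	// MaxVersion == 0 means the library default, which allows TLS 1.3.
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS13 {
		findings = append(findings, "MaxVersion excludes TLS 1.3")
	}
	for _, c := range cfg.CurvePreferences {
		if c == tls.CurveP521 {
			findings = append(findings, "CurvePreferences includes P-521")
		}
	}
	// TLS 1.3 suites are not selected through cfg.CipherSuites, so skip them.
	tls13 := map[uint16]bool{}
	for _, s := range tls.CipherSuites() {
		if len(s.SupportedVersions) == 1 && s.SupportedVersions[0] == tls.VersionTLS13 {
			tls13[s.ID] = true
		}
	}
	// An empty cfg.CipherSuites means library defaults and yields no finding.
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if !tls13[id] && !strings.HasPrefix(name, "TLS_ECDHE_") {
			findings = append(findings, "non-ECDHE suite: "+name)
		}
	}
	return findings
}

func main() {
	// Constructed sample configuration, not taken from any project on this page.
	cfg := &tls.Config{
		MaxVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP521},
		CipherSuites:     []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
	}
	for _, f := range auditConfig(cfg) {
		fmt.Println(f)
	}
}
```

Run it over the configurations a service or its unit tests construct explicitly; settings left at their zero value fall back to library defaults and produce no finding.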
hjiawei added a commit to projectcalico/calico that referenced this issue Jan 22, 2024
Fix crypto UT after upgrading to golang v1.21.6 due to the changes in
BoringCrypto fips-20220613 [1].

[1] golang/go#64719
hjiawei added a commit to projectcalico/calico that referenced this issue Feb 2, 2024
Fix crypto UT after upgrading to golang v1.21.6 due to the changes in
BoringCrypto fips-20220613 [1].

[1] golang/go#64719
mazdakn pushed a commit to mazdakn/calico that referenced this issue Mar 6, 2024
Fix crypto UT after upgrading to golang v1.21.6 due to the changes in
BoringCrypto fips-20220613 [1].

[1] golang/go#64719