diff --git a/.gitignore b/.gitignore
index 2aa713c..a4a244e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/go1.19.2.tar.gz
+SOURCES/go1.19.4-1-openssl-fips.tar.gz
+SOURCES/go1.19.4.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index e917f29..2d6b49a 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1,2 @@
-1324ae800bf3b78c8cfda83fb9d69d7d46c51bf1 SOURCES/go1.19.2.tar.gz
+9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz
+6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz
diff --git a/SOURCES/000-initial-setup.patch b/SOURCES/000-initial-setup.patch
deleted file mode 100644
index 4f23333..0000000
--- a/SOURCES/000-initial-setup.patch
+++ /dev/null
@@ -1,829 +0,0 @@
-diff --git a/api/go1.19.txt b/api/go1.19.txt
-index 523f752..778e1d5 100644
---- a/api/go1.19.txt
-+++ b/api/go1.19.txt
-@@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860
- pkg sync/atomic, type Uintptr struct #50860
- pkg time, method (Duration) Abs() Duration #51414
- pkg time, method (Time) ZoneBounds() (Time, Time) #50062
-+pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000
-+pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000
-diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-index a0a41a5..208aa70 100644
---- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
-+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-@@ -21,11 +21,11 @@ go build .
-
- go list -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
-
- go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
-
- -- issue16333/issue16333.go --
- package vendoring17
-diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
-new file mode 100644
-index 0000000..37f3a18
---- /dev/null
-+++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
-@@ -0,0 +1,45 @@
-+package ecdsa
-+
-+import (
-+ "crypto"
-+ "crypto/internal/boring"
-+ "crypto/internal/randutil"
-+ "math/big"
-+ "io"
-+)
-+
-+func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
-+ randutil.MaybeReadByte(rand)
-+
-+ if boring.Enabled {
-+ b, err := boringPrivateKey(priv)
-+ if err != nil {
-+ return nil, nil, err
-+ }
-+ return boring.HashSignECDSA(b, msg, h)
-+ }
-+ boring.UnreachableExceptTests()
-+
-+ hash := h.New()
-+ hash.Write(msg)
-+ d := hash.Sum(nil)
-+
-+ return Sign(rand, priv, d)
-+}
-+
-+func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool {
-+ if boring.Enabled {
-+ bpk, err := boringPublicKey(pub)
-+ if err != nil {
-+ return false
-+ }
-+ return boring.HashVerifyECDSA(bpk, msg, r, s, h)
-+ }
-+ boring.UnreachableExceptTests()
-+
-+ hash := h.New()
-+ hash.Write(msg)
-+ d := hash.Sum(nil)
-+
-+ return Verify(pub, d, r, s)
-+}
-diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
-new file mode 100644
-index 0000000..d12ba2f
---- /dev/null
-+++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
-@@ -0,0 +1,42 @@
-+package ecdsa
-+
-+import (
-+ "crypto"
-+ "crypto/internal/boring"
-+ "crypto/elliptic"
-+ "crypto/rand"
-+ "testing"
-+)
-+
-+func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
-+ priv, err := GenerateKey(c, rand.Reader)
-+ if priv == nil {
-+ t.Fatal(err)
-+ }
-+
-+ msg := []byte("testing")
-+ h := crypto.SHA256
-+ r, s, err := HashSign(rand.Reader, priv, msg, h)
-+ if err != nil {
-+ t.Errorf("%s: error signing: %s", tag, err)
-+ return
-+ }
-+
-+ if !HashVerify(&priv.PublicKey, msg, r, s, h) {
-+ t.Errorf("%s: Verify failed", tag)
-+ }
-+
-+ msg[0] ^= 0xff
-+ if HashVerify(&priv.PublicKey, msg, r, s, h) {
-+ t.Errorf("%s: Verify should not have succeeded", tag)
-+ }
-+}
-+func TestHashSignAndHashVerify(t *testing.T) {
-+ testHashSignAndHashVerify(t, elliptic.P256(), "p256")
-+
-+ if testing.Short() && !boring.Enabled {
-+ return
-+ }
-+ testHashSignAndHashVerify(t, elliptic.P384(), "p384")
-+ testHashSignAndHashVerify(t, elliptic.P521(), "p521")
-+}
-diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
-index 7c51817..102c4e5 100644
---- a/src/crypto/ed25519/ed25519_test.go
-+++ b/src/crypto/ed25519/ed25519_test.go
-@@ -187,6 +187,7 @@ func TestMalleability(t *testing.T) {
- }
-
- func TestAllocations(t *testing.T) {
-+ t.Skip("Allocations test broken with openssl linkage")
- if boring.Enabled {
- t.Skip("skipping allocations test with BoringCrypto")
- }
-diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
-index f933f28..223ce04 100644
---- a/src/crypto/ed25519/ed25519vectors_test.go
-+++ b/src/crypto/ed25519/ed25519vectors_test.go
-@@ -72,6 +72,7 @@ func TestEd25519Vectors(t *testing.T) {
- }
-
- func downloadEd25519Vectors(t *testing.T) []byte {
-+ t.Skip("skipping test that downloads external data")
- testenv.MustHaveExternalNetwork(t)
-
- // Create a temp dir and modcache subdir.
-diff --git a/src/crypto/internal/backend/bbig/big.go b/src/crypto/internal/backend/bbig/big.go
-new file mode 100644
-index 0000000..c0800df
---- /dev/null
-+++ b/src/crypto/internal/backend/bbig/big.go
-@@ -0,0 +1,38 @@
-+// Copyright 2022 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+// This is a mirror of crypto/internal/boring/bbig/big.go.
-+
-+package bbig
-+
-+import (
-+ "math/big"
-+ "unsafe"
-+
-+ "github.com/golang-fips/openssl-fips/openssl"
-+)
-+
-+func Enc(b *big.Int) openssl.BigInt {
-+ if b == nil {
-+ return nil
-+ }
-+ x := b.Bits()
-+ if len(x) == 0 {
-+ return openssl.BigInt{}
-+ }
-+ // TODO: Use unsafe.Slice((*uint)(&x[0]), len(x)) once go1.16 is no longer supported.
-+ return (*(*[]uint)(unsafe.Pointer(&x)))[:len(x)]
-+}
-+
-+func Dec(b openssl.BigInt) *big.Int {
-+ if b == nil {
-+ return nil
-+ }
-+ if len(b) == 0 {
-+ return new(big.Int)
-+ }
-+ // TODO: Use unsafe.Slice((*uint)(&b[0]), len(b)) once go1.16 is no longer supported.
-+ x := (*(*[]big.Word)(unsafe.Pointer(&b)))[:len(b)]
-+ return new(big.Int).SetBits(x)
-+}
-diff --git a/src/crypto/internal/backend/dummy.s b/src/crypto/internal/backend/dummy.s
-new file mode 100644
-index 0000000..e69de29
-diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
-new file mode 100644
-index 0000000..482ed6f
---- /dev/null
-+++ b/src/crypto/internal/backend/nobackend.go
-@@ -0,0 +1,155 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
-+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
-+
-+package backend
-+
-+import (
-+ "crypto"
-+ "crypto/cipher"
-+ "crypto/internal/boring/sig"
-+ "math/big"
-+ "github.com/golang-fips/openssl-fips/openssl"
-+ "hash"
-+ "io"
-+)
-+
-+var enabled = false
-+
-+// Unreachable marks code that should be unreachable
-+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-+func Unreachable() {
-+ // Code that's unreachable when using BoringCrypto
-+ // is exactly the code we want to detect for reporting
-+ // standard Go crypto.
-+ sig.StandardCrypto()
-+}
-+
-+// UnreachableExceptTests marks code that should be unreachable
-+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-+func UnreachableExceptTests() {}
-+
-+func ExecutingTest() bool { return false }
-+
-+// This is a noop withotu BoringCrytpo.
-+func PanicIfStrictFIPS(v interface{}) {}
-+
-+type randReader int
-+
-+func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
-+
-+const RandReader = randReader(0)
-+
-+func Enabled() bool { return false }
-+func NewSHA1() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
-+func SHA1(_ []byte) [20]byte { panic("boringcrypto: not available") }
-+func SHA224(_ []byte) [28]byte { panic("boringcrypto: not available") }
-+func SHA256(_ []byte) [32]byte { panic("boringcrypto: not available") }
-+func SHA384(_ []byte) [48]byte { panic("boringcrypto: not available") }
-+func SHA512(_ []byte) [64]byte { panic("boringcrypto: not available") }
-+
-+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
-+
-+func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
-+
-+type PublicKeyECDSA struct{ _ int }
-+type PrivateKeyECDSA struct{ _ int }
-+
-+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
-+ panic("boringcrypto: not available")
-+}
-+func GenerateKeyECDSA(curve string) (X, Y, D openssl.BigInt, err error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyECDSA(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDSA, error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPublicKeyECDSA(curve string, X, Y openssl.BigInt) (*PublicKeyECDSA, error) {
-+ panic("boringcrypto: not available")
-+}
-+func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s openssl.BigInt, err error) {
-+ panic("boringcrypto: not available")
-+}
-+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func VerifyECDSA(pub *PublicKeyECDSA, hash, sig []byte) bool {
-+ panic("boringcrypto: not available")
-+}
-+
-+type PublicKeyECDH struct{ _ int }
-+type PrivateKeyECDH struct{ _ int }
-+
-+func GenerateKeyECDH(curve string) (X, Y, D openssl.BigInt, err error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyECDH(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDH, error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPublicKeyECDH(curve string, X, Y openssl.BigInt) (*PublicKeyECDH, error) {
-+ panic("boringcrypto: not available")
-+}
-+func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+
-+type PublicKeyRSA struct{ _ int }
-+type PrivateKeyRSA struct{ _ int }
-+
-+func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt, err error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt) (*PrivateKeyRSA, error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPublicKeyRSA(N, E openssl.BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
-+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
-+ panic("boringcrypto: not available")
-+}
-+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
-+ panic("boringcrypto: not available")
-+}
-+
-+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
-+ panic("boringcrypto: not available")
-+}
-+func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
-+ panic("boringcrypto: not available")
-+}
-+func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
-+ panic("boringcrypto: not available")
-+}
-diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
-new file mode 100644
-index 0000000..4040c77
---- /dev/null
-+++ b/src/crypto/internal/backend/openssl.go
-@@ -0,0 +1,105 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+// Package openssl provides access to OpenSSLCrypto implementation functions.
-+// Check the variable Enabled to find out whether OpenSSLCrypto is available.
-+// If OpenSSLCrypto is not available, the functions in this package all panic.
-+package backend
-+
-+import (
-+ "github.com/golang-fips/openssl-fips/openssl"
-+)
-+
-+// Enabled controls whether FIPS crypto is enabled.
-+var Enabled = openssl.Enabled
-+
-+// Unreachable marks code that should be unreachable
-+// when OpenSSLCrypto is in use. It panics only when
-+// the system is in FIPS mode.
-+func Unreachable() {
-+ if Enabled() {
-+ panic("opensslcrypto: invalid code execution")
-+ }
-+}
-+
-+// Provided by runtime.crypto_backend_runtime_arg0 to avoid os import.
-+func runtime_arg0() string
-+
-+func hasSuffix(s, t string) bool {
-+ return len(s) > len(t) && s[len(s)-len(t):] == t
-+}
-+
-+// UnreachableExceptTests marks code that should be unreachable
-+// when OpenSSLCrypto is in use. It panics.
-+func UnreachableExceptTests() {
-+ name := runtime_arg0()
-+ // If OpenSSLCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
-+ if Enabled() && !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
-+ println("opensslcrypto: unexpected code execution in", name)
-+ panic("opensslcrypto: invalid code execution")
-+ }
-+}
-+
-+var ExecutingTest = openssl.ExecutingTest
-+
-+const RandReader = openssl.RandReader
-+
-+var NewGCMTLS = openssl.NewGCMTLS
-+var NewSHA1 = openssl.NewSHA1
-+var NewSHA224 = openssl.NewSHA224
-+var NewSHA256 = openssl.NewSHA256
-+var NewSHA384 = openssl.NewSHA384
-+var NewSHA512 = openssl.NewSHA512
-+
-+var SHA1 = openssl.SHA1
-+var SHA224 = openssl.SHA224
-+var SHA256 = openssl.SHA256
-+var SHA384 = openssl.SHA384
-+var SHA512 = openssl.SHA512
-+
-+var NewHMAC = openssl.NewHMAC
-+
-+var NewAESCipher = openssl.NewAESCipher
-+
-+type PublicKeyECDSA = openssl.PublicKeyECDSA
-+type PrivateKeyECDSA = openssl.PrivateKeyECDSA
-+
-+var GenerateKeyECDSA = openssl.GenerateKeyECDSA
-+var NewPrivateKeyECDSA = openssl.NewPrivateKeyECDSA
-+var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
-+var SignMarshalECDSA = openssl.SignMarshalECDSA
-+var VerifyECDSA = openssl.VerifyECDSA
-+var HashVerifyECDSA = openssl.HashVerifyECDSA
-+var HashSignECDSA = openssl.HashSignECDSA
-+
-+type PublicKeyECDH = openssl.PublicKeyECDH
-+type PrivateKeyECDH = openssl.PrivateKeyECDH
-+
-+var GenerateKeyECDH = openssl.GenerateKeyECDH
-+var NewPrivateKeyECDH = openssl.NewPrivateKeyECDH
-+var NewPublicKeyECDH = openssl.NewPublicKeyECDH
-+var SharedKeyECDH = openssl.SharedKeyECDH
-+
-+type PublicKeyRSA = openssl.PublicKeyRSA
-+type PrivateKeyRSA = openssl.PrivateKeyRSA
-+
-+var DecryptRSAOAEP = openssl.DecryptRSAOAEP
-+var DecryptRSAPKCS1 = openssl.DecryptRSAPKCS1
-+var DecryptRSANoPadding = openssl.DecryptRSANoPadding
-+var EncryptRSAOAEP = openssl.EncryptRSAOAEP
-+var EncryptRSAPKCS1 = openssl.EncryptRSAPKCS1
-+var EncryptRSANoPadding = openssl.EncryptRSANoPadding
-+var GenerateKeyRSA = openssl.GenerateKeyRSA
-+var NewPrivateKeyRSA = openssl.NewPrivateKeyRSA
-+var NewPublicKeyRSA = openssl.NewPublicKeyRSA
-+var SignRSAPKCS1v15 = openssl.SignRSAPKCS1v15
-+var SignRSAPSS = openssl.SignRSAPSS
-+var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
-+var VerifyRSAPSS = openssl.VerifyRSAPSS
-+
-+var ExtractHKDF = openssl.ExtractHKDF
-+var ExpandHKDF = openssl.ExpandHKDF
-diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
-index 1827f76..4c5c352 100644
---- a/src/crypto/tls/boring.go
-+++ b/src/crypto/tls/boring.go
-@@ -8,8 +8,15 @@ package tls
-
- import (
- "crypto/internal/boring/fipstls"
-+ boring "crypto/internal/backend"
- )
-
-+func init() {
-+ if boring.Enabled && !boring.ExecutingTest() {
-+ fipstls.Force()
-+ }
-+}
-+
- // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
- func needFIPS() bool {
- return fipstls.Required()
-@@ -17,14 +24,14 @@ func needFIPS() bool {
-
- // fipsMinVersion replaces c.minVersion in FIPS-only mode.
- func fipsMinVersion(c *Config) uint16 {
-- // FIPS requires TLS 1.2.
-+ // FIPS requires TLS 1.2 or later.
- return VersionTLS12
- }
-
- // fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
- func fipsMaxVersion(c *Config) uint16 {
-- // FIPS requires TLS 1.2.
-- return VersionTLS12
-+ // FIPS requires TLS 1.2 or later.
-+ return VersionTLS13
- }
-
- // default defaultFIPSCurvePreferences is the FIPS-allowed curves,
-diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
-index f743fc8..9fec2c8 100644
---- a/src/crypto/tls/boring_test.go
-+++ b/src/crypto/tls/boring_test.go
-@@ -51,11 +51,11 @@ func TestBoringServerProtocolVersion(t *testing.T) {
- test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
- test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
- test("VersionTLS12", VersionTLS12, "")
-- test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
-+ test("VersionTLS13", VersionTLS13, "")
- }
-
- func isBoringVersion(v uint16) bool {
-- return v == VersionTLS12
-+ return v == VersionTLS12 || v == VersionTLS13
- }
-
- func isBoringCipherSuite(id uint16) bool {
-@@ -65,7 +65,9 @@ func isBoringCipherSuite(id uint16) bool {
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_RSA_WITH_AES_128_GCM_SHA256,
-- TLS_RSA_WITH_AES_256_GCM_SHA384:
-+ TLS_RSA_WITH_AES_256_GCM_SHA384,
-+ TLS_AES_128_GCM_SHA256,
-+ TLS_AES_256_GCM_SHA384:
- return true
- }
- return false
-@@ -311,7 +313,7 @@ func TestBoringCertAlgs(t *testing.T) {
- // Set up some roots, intermediate CAs, and leaf certs with various algorithms.
- // X_Y is X signed by Y.
- R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
-- R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
-+ R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
-
- M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
- M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
-diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
-index 9a1fa31..f7c64db 100644
---- a/src/crypto/tls/cipher_suites.go
-+++ b/src/crypto/tls/cipher_suites.go
-@@ -354,6 +354,11 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
- TLS_AES_256_GCM_SHA384,
- }
-
-+var defaultFIPSCipherSuitesTLS13 = []uint16{
-+ TLS_AES_128_GCM_SHA256,
-+ TLS_AES_256_GCM_SHA384,
-+}
-+
- var (
- hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
- hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
-index e61e3eb..7031ab8 100644
---- a/src/crypto/tls/handshake_client.go
-+++ b/src/crypto/tls/handshake_client.go
-@@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
-
- var params ecdheParameters
- if hello.supportedVersions[0] == VersionTLS13 {
-- if hasAESGCMHardwareSupport {
-+ if needFIPS() {
-+ hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)
-+ } else if hasAESGCMHardwareSupport {
- hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
- } else {
- hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)
-diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
-index 380de9f..02b4ac8 100644
---- a/src/crypto/tls/handshake_client_test.go
-+++ b/src/crypto/tls/handshake_client_test.go
-@@ -2135,6 +2135,7 @@ func testBuffering(t *testing.T, version uint16) {
- }
-
- func TestAlertFlushing(t *testing.T) {
-+ t.Skip("unsupported in FIPS mode, different error returned")
- c, s := localPipe(t)
- done := make(chan bool)
-
-diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
-index c798986..7a60702 100644
---- a/src/crypto/tls/handshake_client_tls13.go
-+++ b/src/crypto/tls/handshake_client_tls13.go
-@@ -41,10 +41,6 @@ type clientHandshakeStateTLS13 struct {
- func (hs *clientHandshakeStateTLS13) handshake() error {
- c := hs.c
-
-- if needFIPS() {
-- return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
-- }
--
- // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
- // sections 4.1.2 and 4.1.3.
- if c.handshakes > 0 {
-diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
-index 03a477f..1ef6afc 100644
---- a/src/crypto/tls/handshake_server_tls13.go
-+++ b/src/crypto/tls/handshake_server_tls13.go
-@@ -45,10 +45,6 @@ type serverHandshakeStateTLS13 struct {
- func (hs *serverHandshakeStateTLS13) handshake() error {
- c := hs.c
-
-- if needFIPS() {
-- return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
-- }
--
- // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
- if err := hs.processClientHello(); err != nil {
- return err
-diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
-index 3140169..323d683 100644
---- a/src/crypto/tls/key_schedule.go
-+++ b/src/crypto/tls/key_schedule.go
-@@ -7,6 +7,8 @@ package tls
- import (
- "crypto/elliptic"
- "crypto/hmac"
-+ "crypto/internal/boring"
-+ "crypto/internal/boring/bbig"
- "errors"
- "hash"
- "io"
-@@ -43,9 +45,20 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
- b.AddBytes(context)
- })
- out := make([]byte, length)
-- n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
-- if err != nil || n != length {
-- panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
-+ if boring.Enabled {
-+ reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic())
-+ if err != nil {
-+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
-+ }
-+ n, err := reader.Read(out)
-+ if err != nil || n != length {
-+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
-+ }
-+ } else {
-+ n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
-+ if err != nil || n != length {
-+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
-+ }
- }
- return out
- }
-@@ -63,7 +76,15 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
- if newSecret == nil {
- newSecret = make([]byte, c.hash.Size())
- }
-- return hkdf.Extract(c.hash.New, newSecret, currentSecret)
-+ if boring.Enabled {
-+ ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret)
-+ if err != nil {
-+ panic("tls: HKDF-Extract invocation failed unexpectedly")
-+ }
-+ return ikm
-+ } else {
-+ return hkdf.Extract(c.hash.New, newSecret, currentSecret)
-+ }
- }
-
- // nextTrafficSecret generates the next traffic secret, given the current one,
-@@ -129,9 +150,19 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
-
- p := &nistParameters{curveID: curveID}
- var err error
-- p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
-- if err != nil {
-- return nil, err
-+ if boring.Enabled {
-+ x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name)
-+ if err != nil {
-+ return nil, err
-+ }
-+ p.x = bbig.Dec(x)
-+ p.y = bbig.Dec(y)
-+ p.privateKey = bbig.Dec(d).Bytes()
-+ } else {
-+ p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
-+ if err != nil {
-+ return nil, err
-+ }
- }
- return p, nil
- }
-@@ -166,15 +197,28 @@ func (p *nistParameters) PublicKey() []byte {
-
- func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
- curve, _ := curveForCurveID(p.curveID)
-- // Unmarshal also checks whether the given point is on the curve.
-- x, y := elliptic.Unmarshal(curve, peerPublicKey)
-- if x == nil {
-- return nil
-- }
-+ if boring.Enabled {
-+ k := new(big.Int).SetBytes(p.privateKey)
-+ priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k))
-+ if err != nil {
-+ return nil
-+ }
-+ sharedKey, err := boring.SharedKeyECDH(priv, peerPublicKey)
-+ if err != nil {
-+ return nil
-+ }
-+ return sharedKey
-+ } else {
-+ // Unmarshal also checks whether the given point is on the curve.
-+ x, y := elliptic.Unmarshal(curve, peerPublicKey)
-+ if x == nil {
-+ return nil
-+ }
-
-- xShared, _ := curve.ScalarMult(x, y, p.privateKey)
-- sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
-- return xShared.FillBytes(sharedKey)
-+ xShared, _ := curve.ScalarMult(x, y, p.privateKey)
-+ sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
-+ return xShared.FillBytes(sharedKey)
-+ }
- }
-
- type x25519Parameters struct {
-diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
-index 4aae905..42706f9 100644
---- a/src/crypto/x509/boring.go
-+++ b/src/crypto/x509/boring.go
-@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
- default:
- return false
- case *rsa.PublicKey:
-- if size := k.N.BitLen(); size != 2048 && size != 3072 {
-+ if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
- return false
- }
- case *ecdsa.PublicKey:
-diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
-index 7010f44..70021f3 100644
---- a/src/crypto/x509/boring_test.go
-+++ b/src/crypto/x509/boring_test.go
-@@ -54,7 +54,7 @@ type boringCertificate struct {
-
- func TestBoringAllowCert(t *testing.T) {
- R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
-- R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
-+ R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
-
- M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
- M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
-diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 141fdb9..d8e81d9 100644
---- a/src/go/build/deps_test.go
-+++ b/src/go/build/deps_test.go
-@@ -414,19 +414,23 @@ var depsRules = `
- < crypto/internal/edwards25519
- < crypto/cipher;
-
-- crypto/cipher,
-+ fmt, crypto/cipher,
- crypto/internal/boring/bcache
- < crypto/internal/boring
-+ < github.com/golang-fips/openssl-fips/openssl
-+ < crypto/internal/backend
- < crypto/boring
- < crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
- crypto/sha1, crypto/sha256, crypto/sha512
- < CRYPTO;
-
-- CGO, fmt, net !< CRYPTO;
-+ CGO, net !< CRYPTO;
-
- # CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
- CRYPTO, FMT, math/big, embed
-+ < github.com/golang-fips/openssl-fips/openssl/bbig
- < crypto/internal/boring/bbig
-+ < crypto/internal/backend/bbig
- < crypto/internal/randutil
- < crypto/rand
- < crypto/ed25519
-@@ -601,6 +605,7 @@ func listStdPkgs(goroot string) ([]string, error) {
- }
-
- func TestDependencies(t *testing.T) {
-+ t.Skip("openssl-fips based toolchain has different dependencies than upstream")
- if !testenv.HasSrc() {
- // Tests run in a limited file system and we do not
- // provide access to every source file.
-@@ -644,7 +649,7 @@ var buildIgnore = []byte("\n//go:build ignore")
-
- func findImports(pkg string) ([]string, error) {
- vpkg := pkg
-- if strings.HasPrefix(pkg, "golang.org") {
-+ if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
- vpkg = "vendor/" + pkg
- }
- dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -654,7 +659,7 @@ func findImports(pkg string) ([]string, error) {
- }
- var imports []string
- var haveImport = map[string]bool{}
-- if pkg == "crypto/internal/boring" {
-+ if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl-fips/openssl" {
- haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
- }
- fset := token.NewFileSet()
-diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
-index 5a98b20..dc25cdc 100644
---- a/src/runtime/runtime_boring.go
-+++ b/src/runtime/runtime_boring.go
-@@ -17,3 +17,8 @@ func boring_runtime_arg0() string {
-
- //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0
- func fipstls_runtime_arg0() string { return boring_runtime_arg0() }
-+
-+//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0
-+func crypto_backend_runtime_arg0() string {
-+ return boring_runtime_arg0()
-+}
-\ No newline at end of file
diff --git a/SOURCES/001-initial-openssl-for-fips.patch b/SOURCES/001-initial-openssl-for-fips.patch
deleted file mode 100644
index 2cfec4f..0000000
--- a/SOURCES/001-initial-openssl-for-fips.patch
+++ /dev/null
@@ -1,5690 +0,0 @@
-diff --git a/src/cmd/api/goapi_boring_test.go b/src/cmd/api/goapi_boring_test.go
-index f0e3575..a413916 100644
---- a/src/cmd/api/goapi_boring_test.go
-+++ b/src/cmd/api/goapi_boring_test.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package main
-
-@@ -12,6 +12,6 @@ import (
- )
-
- func init() {
-- fmt.Printf("SKIP with boringcrypto enabled\n")
-+ fmt.Printf("SKIP with !no_openssl enabled\n")
- os.Exit(0)
- }
-diff --git a/src/crypto/aes/cipher.go b/src/crypto/aes/cipher.go
-index db0ee38..67c32c0 100644
---- a/src/crypto/aes/cipher.go
-+++ b/src/crypto/aes/cipher.go
-@@ -6,7 +6,7 @@ package aes
-
- import (
- "crypto/cipher"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/internal/subtle"
- "strconv"
- )
-@@ -38,7 +38,7 @@ func NewCipher(key []byte) (cipher.Block, error) {
- case 16, 24, 32:
- break
- }
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.NewAESCipher(key)
- }
- return newCipher(key)
-diff --git a/src/crypto/aes/cipher_asm.go b/src/crypto/aes/cipher_asm.go
-index 1482b22..5f54514 100644
---- a/src/crypto/aes/cipher_asm.go
-+++ b/src/crypto/aes/cipher_asm.go
-@@ -8,7 +8,7 @@ package aes
-
- import (
- "crypto/cipher"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/internal/subtle"
- "internal/cpu"
- "internal/goarch"
-diff --git a/src/crypto/boring/boring.go b/src/crypto/boring/boring.go
-index 097c37e..47618fe 100644
---- a/src/crypto/boring/boring.go
-+++ b/src/crypto/boring/boring.go
-@@ -13,9 +13,9 @@
- // is satisfied, so that applications can tag files that use this package.
- package boring
-
--import "crypto/internal/boring"
-+import boring "crypto/internal/backend"
-
- // Enabled reports whether BoringCrypto handles supported crypto operations.
- func Enabled() bool {
-- return boring.Enabled
-+ return boring.Enabled()
- }
-diff --git a/src/crypto/boring/boring_test.go b/src/crypto/boring/boring_test.go
-deleted file mode 100644
-index 9e8fd35..0000000
---- a/src/crypto/boring/boring_test.go
-+++ /dev/null
-@@ -1,22 +0,0 @@
--// Copyright 2020 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--//go:build boringcrypto
--
--package boring_test
--
--import (
-- "crypto/boring"
-- "runtime"
-- "testing"
--)
--
--func TestEnabled(t *testing.T) {
-- supportedPlatform := runtime.GOOS == "linux" && runtime.GOARCH == "amd64"
-- if supportedPlatform && !boring.Enabled() {
-- t.Error("Enabled returned false on a supported platform")
-- } else if !supportedPlatform && boring.Enabled() {
-- t.Error("Enabled returned true on an unsupported platform")
-- }
--}
-diff --git a/src/crypto/boring/notboring_test.go b/src/crypto/boring/notboring_test.go
-deleted file mode 100644
-index ffe18e9..0000000
---- a/src/crypto/boring/notboring_test.go
-+++ /dev/null
-@@ -1,14 +0,0 @@
--// Copyright 2020 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--//go:build (goexperiment.boringcrypto && !boringcrypto) || (!goexperiment.boringcrypto && boringcrypto)
--// +build goexperiment.boringcrypto,!boringcrypto !goexperiment.boringcrypto,boringcrypto
--
--package boring_test
--
--import "testing"
--
--func TestNotBoring(t *testing.T) {
-- t.Error("goexperiment.boringcrypto and boringcrypto should be equivalent build tags")
--}
-diff --git a/src/crypto/ecdsa/boring.go b/src/crypto/ecdsa/boring.go
-index 4495730..c2137d6 100644
---- a/src/crypto/ecdsa/boring.go
-+++ b/src/crypto/ecdsa/boring.go
-@@ -2,13 +2,13 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package ecdsa
-
- import (
-- "crypto/internal/boring"
-- "crypto/internal/boring/bbig"
-+ boring "crypto/internal/backend"
-+ "crypto/internal/backend/bbig"
- "crypto/internal/boring/bcache"
- "math/big"
- "unsafe"
-diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go
-index d0e52ad..9b76595 100644
---- a/src/crypto/ecdsa/ecdsa.go
-+++ b/src/crypto/ecdsa/ecdsa.go
-@@ -24,8 +24,8 @@ import (
- "crypto/aes"
- "crypto/cipher"
- "crypto/elliptic"
-- "crypto/internal/boring"
-- "crypto/internal/boring/bbig"
-+ boring "crypto/internal/backend"
-+ "crypto/internal/backend/bbig"
- "crypto/internal/randutil"
- "crypto/sha512"
- "errors"
-@@ -109,7 +109,7 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
- // where the private part is kept in, for example, a hardware module. Common
- // uses can use the SignASN1 function in this package directly.
- func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
-- if boring.Enabled && rand == boring.RandReader {
-+ if boring.Enabled() && rand == boring.RandReader {
- b, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
-@@ -154,7 +154,7 @@ func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error)
-
- // GenerateKey generates a public and private key pair.
- func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
-- if boring.Enabled && rand == boring.RandReader {
-+ if boring.Enabled() && rand == boring.RandReader {
- x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
- if err != nil {
- return nil, err
-@@ -214,7 +214,7 @@ var errZeroParam = errors.New("zero parameter")
- func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
- randutil.MaybeReadByte(rand)
-
-- if boring.Enabled && rand == boring.RandReader {
-+ if boring.Enabled() && rand == boring.RandReader {
- b, err := boringPrivateKey(priv)
- if err != nil {
- return nil, nil, err
-@@ -231,7 +231,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
- !inner.ReadASN1Integer(&r) ||
- !inner.ReadASN1Integer(&s) ||
- !inner.Empty() {
-- return nil, nil, errors.New("invalid ASN.1 from boringcrypto")
-+ return nil, nil, errors.New("invalid ASN.1 from !no_openssl")
- }
- return &r, &s, nil
- }
-@@ -333,7 +333,7 @@ func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
- // return value records whether the signature is valid. Most applications should
- // use VerifyASN1 instead of dealing directly with r, s.
- func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
-- if boring.Enabled {
-+ if boring.Enabled() {
- key, err := boringPublicKey(pub)
- if err != nil {
- return false
-diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
-index 37f3a18..51e3b49 100644
---- a/src/crypto/ecdsa/ecdsa_hashsignverify.go
-+++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
-@@ -2,7 +2,7 @@ package ecdsa
-
- import (
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/internal/randutil"
- "math/big"
- "io"
-@@ -11,7 +11,7 @@ import (
- func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
- randutil.MaybeReadByte(rand)
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- b, err := boringPrivateKey(priv)
- if err != nil {
- return nil, nil, err
-@@ -28,7 +28,7 @@ func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big
- }
-
- func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool {
-- if boring.Enabled {
-+ if boring.Enabled() {
- bpk, err := boringPublicKey(pub)
- if err != nil {
- return false
-diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
-index d12ba2f..6334a56 100644
---- a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
-+++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
-@@ -2,7 +2,7 @@ package ecdsa
-
- import (
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/elliptic"
- "crypto/rand"
- "testing"
-@@ -34,7 +34,7 @@ func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
- func TestHashSignAndHashVerify(t *testing.T) {
- testHashSignAndHashVerify(t, elliptic.P256(), "p256")
-
-- if testing.Short() && !boring.Enabled {
-+ if testing.Short() && !boring.Enabled() {
- return
- }
- testHashSignAndHashVerify(t, elliptic.P384(), "p384")
-diff --git a/src/crypto/ecdsa/notboring.go b/src/crypto/ecdsa/notboring.go
-index 039bd82..21a35b7 100644
---- a/src/crypto/ecdsa/notboring.go
-+++ b/src/crypto/ecdsa/notboring.go
-@@ -2,15 +2,15 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !boringcrypto
-+//go:build no_openssl
-
- package ecdsa
-
--import "crypto/internal/boring"
-+import boring "crypto/internal/backend"
-
- func boringPublicKey(*PublicKey) (*boring.PublicKeyECDSA, error) {
-- panic("boringcrypto: not available")
-+ panic("!no_openssl: not available")
- }
- func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyECDSA, error) {
-- panic("boringcrypto: not available")
-+ panic("!no_openssl: not available")
- }
-diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
-index 102c4e5..e442bcc 100644
---- a/src/crypto/ed25519/ed25519_test.go
-+++ b/src/crypto/ed25519/ed25519_test.go
-@@ -9,7 +9,7 @@ import (
- "bytes"
- "compress/gzip"
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/rand"
- "encoding/hex"
- "os"
-@@ -188,7 +188,7 @@ func TestMalleability(t *testing.T) {
-
- func TestAllocations(t *testing.T) {
- t.Skip("Allocations test broken with openssl linkage")
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("skipping allocations test with BoringCrypto")
- }
- if strings.HasSuffix(os.Getenv("GO_BUILDER_NAME"), "-noopt") {
-diff --git a/src/crypto/hmac/hmac.go b/src/crypto/hmac/hmac.go
-index ed3ebc0..9941228 100644
---- a/src/crypto/hmac/hmac.go
-+++ b/src/crypto/hmac/hmac.go
-@@ -22,7 +22,7 @@ timing side-channels:
- package hmac
-
- import (
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/subtle"
- "hash"
- )
-@@ -127,7 +127,7 @@ func (h *hmac) Reset() {
- // the returned Hash does not implement encoding.BinaryMarshaler
- // or encoding.BinaryUnmarshaler.
- func New(h func() hash.Hash, key []byte) hash.Hash {
-- if boring.Enabled {
-+ if boring.Enabled() {
- hm := boring.NewHMAC(h, key)
- if hm != nil {
- return hm
-diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go
-index 55415ab..0edd7a6 100644
---- a/src/crypto/hmac/hmac_test.go
-+++ b/src/crypto/hmac/hmac_test.go
-@@ -6,7 +6,7 @@ package hmac
-
- import (
- "bytes"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/md5"
- "crypto/sha1"
- "crypto/sha256"
-@@ -584,8 +584,8 @@ func TestHMAC(t *testing.T) {
- }
-
- func TestNonUniqueHash(t *testing.T) {
-- if boring.Enabled {
-- t.Skip("hash.Hash provided by boringcrypto are not comparable")
-+ if boring.Enabled() {
-+ t.Skip("hash.Hash provided by !no_openssl are not comparable")
- }
- sha := sha256.New()
- defer func() {
-diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
-deleted file mode 100644
-index eaa1adc..0000000
---- a/src/crypto/internal/boring/aes.go
-+++ /dev/null
-@@ -1,386 +0,0 @@
--// Copyright 2017 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
--
--package boring
--
--/*
--
--#include "goboringcrypto.h"
--
--// These wrappers allocate out_len on the C stack, and check that it matches the expected
--// value, to avoid having to pass a pointer from Go, which would escape to the heap.
--
--int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
-- size_t exp_out_len,
-- const uint8_t *nonce, size_t nonce_len,
-- const uint8_t *in, size_t in_len,
-- const uint8_t *ad, size_t ad_len) {
-- size_t out_len;
-- int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len,
-- nonce, nonce_len, in, in_len, ad, ad_len);
-- if (out_len != exp_out_len) {
-- return 0;
-- }
-- return ok;
--};
--
--int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
-- size_t exp_out_len,
-- const uint8_t *nonce, size_t nonce_len,
-- const uint8_t *in, size_t in_len,
-- const uint8_t *ad, size_t ad_len) {
-- size_t out_len;
-- int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len,
-- nonce, nonce_len, in, in_len, ad, ad_len);
-- if (out_len != exp_out_len) {
-- return 0;
-- }
-- return ok;
--};
--
--*/
--import "C"
--import (
-- "crypto/cipher"
-- "errors"
-- "runtime"
-- "strconv"
-- "unsafe"
--)
--
--type aesKeySizeError int
--
--func (k aesKeySizeError) Error() string {
-- return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
--}
--
--const aesBlockSize = 16
--
--type aesCipher struct {
-- key []byte
-- enc C.GO_AES_KEY
-- dec C.GO_AES_KEY
--}
--
--type extraModes interface {
-- // Copied out of crypto/aes/modes.go.
-- NewCBCEncrypter(iv []byte) cipher.BlockMode
-- NewCBCDecrypter(iv []byte) cipher.BlockMode
-- NewCTR(iv []byte) cipher.Stream
-- NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
--}
--
--var _ extraModes = (*aesCipher)(nil)
--
--func NewAESCipher(key []byte) (cipher.Block, error) {
-- c := &aesCipher{key: make([]byte, len(key))}
-- copy(c.key, key)
-- // Note: 0 is success, contradicting the usual BoringCrypto convention.
-- if C._goboringcrypto_AES_set_decrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.dec) != 0 ||
-- C._goboringcrypto_AES_set_encrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.enc) != 0 {
-- return nil, aesKeySizeError(len(key))
-- }
-- return c, nil
--}
--
--func (c *aesCipher) BlockSize() int { return aesBlockSize }
--
--func (c *aesCipher) Encrypt(dst, src []byte) {
-- if inexactOverlap(dst, src) {
-- panic("crypto/cipher: invalid buffer overlap")
-- }
-- if len(src) < aesBlockSize {
-- panic("crypto/aes: input not full block")
-- }
-- if len(dst) < aesBlockSize {
-- panic("crypto/aes: output not full block")
-- }
-- C._goboringcrypto_AES_encrypt(
-- (*C.uint8_t)(unsafe.Pointer(&src[0])),
-- (*C.uint8_t)(unsafe.Pointer(&dst[0])),
-- &c.enc)
--}
--
--func (c *aesCipher) Decrypt(dst, src []byte) {
-- if inexactOverlap(dst, src) {
-- panic("crypto/cipher: invalid buffer overlap")
-- }
-- if len(src) < aesBlockSize {
-- panic("crypto/aes: input not full block")
-- }
-- if len(dst) < aesBlockSize {
-- panic("crypto/aes: output not full block")
-- }
-- C._goboringcrypto_AES_decrypt(
-- (*C.uint8_t)(unsafe.Pointer(&src[0])),
-- (*C.uint8_t)(unsafe.Pointer(&dst[0])),
-- &c.dec)
--}
--
--type aesCBC struct {
-- key *C.GO_AES_KEY
-- mode C.int
-- iv [aesBlockSize]byte
--}
--
--func (x *aesCBC) BlockSize() int { return aesBlockSize }
--
--func (x *aesCBC) CryptBlocks(dst, src []byte) {
-- if inexactOverlap(dst, src) {
-- panic("crypto/cipher: invalid buffer overlap")
-- }
-- if len(src)%aesBlockSize != 0 {
-- panic("crypto/cipher: input not full blocks")
-- }
-- if len(dst) < len(src) {
-- panic("crypto/cipher: output smaller than input")
-- }
-- if len(src) > 0 {
-- C._goboringcrypto_AES_cbc_encrypt(
-- (*C.uint8_t)(unsafe.Pointer(&src[0])),
-- (*C.uint8_t)(unsafe.Pointer(&dst[0])),
-- C.size_t(len(src)), x.key,
-- (*C.uint8_t)(unsafe.Pointer(&x.iv[0])), x.mode)
-- }
--}
--
--func (x *aesCBC) SetIV(iv []byte) {
-- if len(iv) != aesBlockSize {
-- panic("cipher: incorrect length IV")
-- }
-- copy(x.iv[:], iv)
--}
--
--func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
-- x := &aesCBC{key: &c.enc, mode: C.GO_AES_ENCRYPT}
-- copy(x.iv[:], iv)
-- return x
--}
--
--func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
-- x := &aesCBC{key: &c.dec, mode: C.GO_AES_DECRYPT}
-- copy(x.iv[:], iv)
-- return x
--}
--
--type aesCTR struct {
-- key *C.GO_AES_KEY
-- iv [aesBlockSize]byte
-- num C.uint
-- ecount_buf [16]C.uint8_t
--}
--
--func (x *aesCTR) XORKeyStream(dst, src []byte) {
-- if inexactOverlap(dst, src) {
-- panic("crypto/cipher: invalid buffer overlap")
-- }
-- if len(dst) < len(src) {
-- panic("crypto/cipher: output smaller than input")
-- }
-- if len(src) == 0 {
-- return
-- }
-- C._goboringcrypto_AES_ctr128_encrypt(
-- (*C.uint8_t)(unsafe.Pointer(&src[0])),
-- (*C.uint8_t)(unsafe.Pointer(&dst[0])),
-- C.size_t(len(src)), x.key, (*C.uint8_t)(unsafe.Pointer(&x.iv[0])),
-- &x.ecount_buf[0], &x.num)
--}
--
--func (c *aesCipher) NewCTR(iv []byte) cipher.Stream {
-- x := &aesCTR{key: &c.enc}
-- copy(x.iv[:], iv)
-- return x
--}
--
--type aesGCM struct {
-- ctx C.GO_EVP_AEAD_CTX
-- aead *C.GO_EVP_AEAD
--}
--
--const (
-- gcmBlockSize = 16
-- gcmTagSize = 16
-- gcmStandardNonceSize = 12
--)
--
--type aesNonceSizeError int
--
--func (n aesNonceSizeError) Error() string {
-- return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n))
--}
--
--type noGCM struct {
-- cipher.Block
--}
--
--func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
-- if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
-- return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
-- }
-- // Fall back to standard library for GCM with non-standard nonce or tag size.
-- if nonceSize != gcmStandardNonceSize {
-- return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
-- }
-- if tagSize != gcmTagSize {
-- return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
-- }
-- return c.newGCM(false)
--}
--
--func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
-- return c.(*aesCipher).newGCM(true)
--}
--
--func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
-- var aead *C.GO_EVP_AEAD
-- switch len(c.key) * 8 {
-- case 128:
-- if tls {
-- aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
-- } else {
-- aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
-- }
-- case 256:
-- if tls {
-- aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
-- } else {
-- aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
-- }
-- default:
-- // Fall back to standard library for GCM with non-standard key size.
-- return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize)
-- }
--
-- g := &aesGCM{aead: aead}
-- if C._goboringcrypto_EVP_AEAD_CTX_init(&g.ctx, aead, (*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.size_t(len(c.key)), C.GO_EVP_AEAD_DEFAULT_TAG_LENGTH, nil) == 0 {
-- return nil, fail("EVP_AEAD_CTX_init")
-- }
-- // Note: Because of the finalizer, any time g.ctx is passed to cgo,
-- // that call must be followed by a call to runtime.KeepAlive(g),
-- // to make sure g is not collected (and finalized) before the cgo
-- // call returns.
-- runtime.SetFinalizer(g, (*aesGCM).finalize)
-- if g.NonceSize() != gcmStandardNonceSize {
-- panic("boringcrypto: internal confusion about nonce size")
-- }
-- if g.Overhead() != gcmTagSize {
-- panic("boringcrypto: internal confusion about tag size")
-- }
--
-- return g, nil
--}
--
--func (g *aesGCM) finalize() {
-- C._goboringcrypto_EVP_AEAD_CTX_cleanup(&g.ctx)
--}
--
--func (g *aesGCM) NonceSize() int {
-- return int(C._goboringcrypto_EVP_AEAD_nonce_length(g.aead))
--}
--
--func (g *aesGCM) Overhead() int {
-- return int(C._goboringcrypto_EVP_AEAD_max_overhead(g.aead))
--}
--
--// base returns the address of the underlying array in b,
--// being careful not to panic when b has zero length.
--func base(b []byte) *C.uint8_t {
-- if len(b) == 0 {
-- return nil
-- }
-- return (*C.uint8_t)(unsafe.Pointer(&b[0]))
--}
--
--func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
-- if len(nonce) != gcmStandardNonceSize {
-- panic("cipher: incorrect nonce length given to GCM")
-- }
-- if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
-- panic("cipher: message too large for GCM")
-- }
-- if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
-- panic("cipher: message too large for buffer")
-- }
--
-- // Make room in dst to append plaintext+overhead.
-- n := len(dst)
-- for cap(dst) < n+len(plaintext)+gcmTagSize {
-- dst = append(dst[:cap(dst)], 0)
-- }
-- dst = dst[:n+len(plaintext)+gcmTagSize]
--
-- // Check delayed until now to make sure len(dst) is accurate.
-- if inexactOverlap(dst[n:], plaintext) {
-- panic("cipher: invalid buffer overlap")
-- }
--
-- outLen := C.size_t(len(plaintext) + gcmTagSize)
-- ok := C.EVP_AEAD_CTX_seal_wrapper(
-- &g.ctx,
-- (*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen,
-- base(nonce), C.size_t(len(nonce)),
-- base(plaintext), C.size_t(len(plaintext)),
-- base(additionalData), C.size_t(len(additionalData)))
-- runtime.KeepAlive(g)
-- if ok == 0 {
-- panic(fail("EVP_AEAD_CTX_seal"))
-- }
-- return dst[:n+int(outLen)]
--}
--
--var errOpen = errors.New("cipher: message authentication failed")
--
--func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-- if len(nonce) != gcmStandardNonceSize {
-- panic("cipher: incorrect nonce length given to GCM")
-- }
-- if len(ciphertext) < gcmTagSize {
-- return nil, errOpen
-- }
-- if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
-- return nil, errOpen
-- }
--
-- // Make room in dst to append ciphertext without tag.
-- n := len(dst)
-- for cap(dst) < n+len(ciphertext)-gcmTagSize {
-- dst = append(dst[:cap(dst)], 0)
-- }
-- dst = dst[:n+len(ciphertext)-gcmTagSize]
--
-- // Check delayed until now to make sure len(dst) is accurate.
-- if inexactOverlap(dst[n:], ciphertext) {
-- panic("cipher: invalid buffer overlap")
-- }
--
-- outLen := C.size_t(len(ciphertext) - gcmTagSize)
-- ok := C.EVP_AEAD_CTX_open_wrapper(
-- &g.ctx,
-- base(dst[n:]), outLen,
-- base(nonce), C.size_t(len(nonce)),
-- base(ciphertext), C.size_t(len(ciphertext)),
-- base(additionalData), C.size_t(len(additionalData)))
-- runtime.KeepAlive(g)
-- if ok == 0 {
-- return nil, errOpen
-- }
-- return dst[:n+int(outLen)], nil
--}
--
--func anyOverlap(x, y []byte) bool {
-- return len(x) > 0 && len(y) > 0 &&
-- uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
-- uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
--}
--
--func inexactOverlap(x, y []byte) bool {
-- if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
-- return false
-- }
-- return anyOverlap(x, y)
--}
-diff --git a/src/crypto/internal/boring/bbig/big.go b/src/crypto/internal/boring/bbig/big.go
-deleted file mode 100644
-index 5ce4697..0000000
---- a/src/crypto/internal/boring/bbig/big.go
-+++ /dev/null
-@@ -1,33 +0,0 @@
--// Copyright 2022 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--package bbig
--
--import (
-- "crypto/internal/boring"
-- "math/big"
-- "unsafe"
--)
--
--func Enc(b *big.Int) boring.BigInt {
-- if b == nil {
-- return nil
-- }
-- x := b.Bits()
-- if len(x) == 0 {
-- return boring.BigInt{}
-- }
-- return unsafe.Slice((*uint)(&x[0]), len(x))
--}
--
--func Dec(b boring.BigInt) *big.Int {
-- if b == nil {
-- return nil
-- }
-- if len(b) == 0 {
-- return new(big.Int)
-- }
-- x := unsafe.Slice((*big.Word)(&b[0]), len(b))
-- return new(big.Int).SetBits(x)
--}
-diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
-deleted file mode 100644
-index c560679..0000000
---- a/src/crypto/internal/boring/boring.go
-+++ /dev/null
-@@ -1,123 +0,0 @@
--// Copyright 2017 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
--
--package boring
--
--/*
--// goboringcrypto_linux_amd64.syso references pthread functions.
--#cgo LDFLAGS: "-pthread"
--
--#include "goboringcrypto.h"
--*/
--import "C"
--import (
-- "crypto/internal/boring/sig"
-- _ "crypto/internal/boring/syso"
-- "math/bits"
-- "unsafe"
--)
--
--const available = true
--
--func init() {
-- C._goboringcrypto_BORINGSSL_bcm_power_on_self_test()
-- if C._goboringcrypto_FIPS_mode() != 1 {
-- panic("boringcrypto: not in FIPS mode")
-- }
-- sig.BoringCrypto()
--}
--
--// Unreachable marks code that should be unreachable
--// when BoringCrypto is in use. It panics.
--func Unreachable() {
-- panic("boringcrypto: invalid code execution")
--}
--
--// provided by runtime to avoid os import
--func runtime_arg0() string
--
--func hasSuffix(s, t string) bool {
-- return len(s) > len(t) && s[len(s)-len(t):] == t
--}
--
--// UnreachableExceptTests marks code that should be unreachable
--// when BoringCrypto is in use. It panics.
--func UnreachableExceptTests() {
-- name := runtime_arg0()
-- // If BoringCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
-- if !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
-- println("boringcrypto: unexpected code execution in", name)
-- panic("boringcrypto: invalid code execution")
-- }
--}
--
--type fail string
--
--func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
--
--func wbase(b BigInt) *C.uint8_t {
-- if len(b) == 0 {
-- return nil
-- }
-- return (*C.uint8_t)(unsafe.Pointer(&b[0]))
--}
--
--const wordBytes = bits.UintSize / 8
--
--func bigToBN(x BigInt) *C.GO_BIGNUM {
-- return C._goboringcrypto_BN_le2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
--}
--
--func bnToBig(bn *C.GO_BIGNUM) BigInt {
-- x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
-- if C._goboringcrypto_BN_bn2le_padded(wbase(x), C.size_t(len(x)*wordBytes), bn) == 0 {
-- panic("boringcrypto: bignum conversion failed")
-- }
-- return x
--}
--
--func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool {
-- if *bnp != nil {
-- C._goboringcrypto_BN_free(*bnp)
-- *bnp = nil
-- }
-- if b == nil {
-- return true
-- }
-- bn := bigToBN(b)
-- if bn == nil {
-- return false
-- }
-- *bnp = bn
-- return true
--}
--
--// noescape hides a pointer from escape analysis. noescape is
--// the identity function but escape analysis doesn't think the
--// output depends on the input. noescape is inlined and currently
--// compiles down to zero instructions.
--// USE CAREFULLY!
--//
--//go:nosplit
--func noescape(p unsafe.Pointer) unsafe.Pointer {
-- x := uintptr(p)
-- return unsafe.Pointer(x ^ 0)
--}
--
--var zero byte
--
--// addr converts p to its base addr, including a noescape along the way.
--// If p is nil, addr returns a non-nil pointer, so that the result can always
--// be dereferenced.
--//
--//go:nosplit
--func addr(p []byte) *byte {
-- if len(p) == 0 {
-- return &zero
-- }
-- return (*byte)(noescape(unsafe.Pointer(&p[0])))
--}
-diff --git a/src/crypto/internal/boring/boring_test.go b/src/crypto/internal/boring/boring_test.go
-deleted file mode 100644
-index 83bbbd3..0000000
---- a/src/crypto/internal/boring/boring_test.go
-+++ /dev/null
-@@ -1,34 +0,0 @@
--// Copyright 2017 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--// Most functionality in this package is tested by replacing existing code
--// and inheriting that code's tests.
--
--package boring
--
--import "testing"
--
--// Test that func init does not panic.
--func TestInit(t *testing.T) {}
--
--// Test that Unreachable panics.
--func TestUnreachable(t *testing.T) {
-- defer func() {
-- if Enabled {
-- if err := recover(); err == nil {
-- t.Fatal("expected Unreachable to panic")
-- }
-- } else {
-- if err := recover(); err != nil {
-- t.Fatalf("expected Unreachable to be a no-op")
-- }
-- }
-- }()
-- Unreachable()
--}
--
--// Test that UnreachableExceptTests does not panic (this is a test).
--func TestUnreachableExceptTests(t *testing.T) {
-- UnreachableExceptTests()
--}
-diff --git a/src/crypto/internal/boring/doc.go b/src/crypto/internal/boring/doc.go
-deleted file mode 100644
-index 6060fe5..0000000
---- a/src/crypto/internal/boring/doc.go
-+++ /dev/null
-@@ -1,19 +0,0 @@
--// Copyright 2017 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--// Package boring provides access to BoringCrypto implementation functions.
--// Check the constant Enabled to find out whether BoringCrypto is available.
--// If BoringCrypto is not available, the functions in this package all panic.
--package boring
--
--// Enabled reports whether BoringCrypto is available.
--// When enabled is false, all functions in this package panic.
--//
--// BoringCrypto is only available on linux/amd64 systems.
--const Enabled = available
--
--// A BigInt is the raw words from a BigInt.
--// This definition allows us to avoid importing math/big.
--// Conversion between BigInt and *big.Int is in crypto/internal/boring/bbig.
--type BigInt []uint
-diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s
-index f2e5a50..65918a4 100644
---- a/src/crypto/internal/boring/fipstls/stub.s
-+++ b/src/crypto/internal/boring/fipstls/stub.s
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- // runtime_arg0 is declared in tls.go without a body.
- // It's provided by package runtime,
-diff --git a/src/crypto/internal/boring/fipstls/tls.go b/src/crypto/internal/boring/fipstls/tls.go
-index 701700e..c840d98 100644
---- a/src/crypto/internal/boring/fipstls/tls.go
-+++ b/src/crypto/internal/boring/fipstls/tls.go
-@@ -2,10 +2,10 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- // Package fipstls allows control over whether crypto/tls requires FIPS-approved settings.
--// This package only exists with GOEXPERIMENT=boringcrypto, but the effects are independent
-+// This package only exists with GOEXPERIMENT=!no_openssl, but the effects are independent
- // of the use of BoringCrypto.
- package fipstls
-
-diff --git a/src/crypto/rand/rand_unix.go b/src/crypto/rand/rand_unix.go
-index 746e90c..c9233bd 100644
---- a/src/crypto/rand/rand_unix.go
-+++ b/src/crypto/rand/rand_unix.go
-@@ -10,7 +10,7 @@
- package rand
-
- import (
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "errors"
- "io"
- "os"
-@@ -23,7 +23,7 @@ import (
- const urandomDevice = "/dev/urandom"
-
- func init() {
-- if boring.Enabled {
-+ if boring.Enabled() {
- Reader = boring.RandReader
- return
- }
-diff --git a/src/crypto/rsa/boring.go b/src/crypto/rsa/boring.go
-index 9b1db56..a984f76 100644
---- a/src/crypto/rsa/boring.go
-+++ b/src/crypto/rsa/boring.go
-@@ -2,13 +2,13 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package rsa
-
- import (
-- "crypto/internal/boring"
-- "crypto/internal/boring/bbig"
-+ boring "crypto/internal/backend"
-+ "crypto/internal/backend/bbig"
- "crypto/internal/boring/bcache"
- "math/big"
- "unsafe"
-diff --git a/src/crypto/rsa/boring_test.go b/src/crypto/rsa/boring_test.go
-index 6223244..ad76d6a 100644
---- a/src/crypto/rsa/boring_test.go
-+++ b/src/crypto/rsa/boring_test.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- // Note: Can run these tests against the non-BoringCrypto
- // version of the code by using "CGO_ENABLED=0 go test".
-diff --git a/src/crypto/rsa/notboring.go b/src/crypto/rsa/notboring.go
-index 2abc043..a83be6d 100644
---- a/src/crypto/rsa/notboring.go
-+++ b/src/crypto/rsa/notboring.go
-@@ -2,15 +2,15 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !boringcrypto
-+//go:build no_openssl
-
- package rsa
-
--import "crypto/internal/boring"
-+import boring "crypto/internal/backend"
-
- func boringPublicKey(*PublicKey) (*boring.PublicKeyRSA, error) {
-- panic("boringcrypto: not available")
-+ panic("!no_openssl: not available")
- }
- func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyRSA, error) {
-- panic("boringcrypto: not available")
-+ panic("!no_openssl: not available")
- }
-diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
-index ab19229..87b0ec9 100644
---- a/src/crypto/rsa/pkcs1v15.go
-+++ b/src/crypto/rsa/pkcs1v15.go
-@@ -6,7 +6,7 @@ package rsa
-
- import (
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/internal/randutil"
- "crypto/subtle"
- "errors"
-@@ -47,7 +47,7 @@ func EncryptPKCS1v15(random io.Reader, pub *PublicKey, msg []byte) ([]byte, erro
- return nil, ErrMessageTooLong
- }
-
-- if boring.Enabled && random == boring.RandReader {
-+ if boring.Enabled() && random == boring.RandReader {
- bkey, err := boringPublicKey(pub)
- if err != nil {
- return nil, err
-@@ -67,7 +67,7 @@ func EncryptPKCS1v15(random io.Reader, pub *PublicKey, msg []byte) ([]byte, erro
- em[len(em)-len(msg)-1] = 0
- copy(mm, msg)
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- var bkey *boring.PublicKeyRSA
- bkey, err = boringPublicKey(pub)
- if err != nil {
-@@ -94,7 +94,7 @@ func DecryptPKCS1v15(random io.Reader, priv *PrivateKey, ciphertext []byte) ([]b
- return nil, err
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
-@@ -173,7 +173,7 @@ func decryptPKCS1v15(random io.Reader, priv *PrivateKey, ciphertext []byte) (val
- return
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- var bkey *boring.PrivateKeyRSA
- bkey, err = boringPrivateKey(priv)
- if err != nil {
-@@ -285,12 +285,12 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
- return nil, ErrMessageTooLong
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
- }
-- return boring.SignRSAPKCS1v15(bkey, hash, hashed)
-+ return boring.SignRSAPKCS1v15(bkey, hash, hashed, true)
- }
-
- // EM = 0x00 || 0x01 || PS || 0x00 || T
-@@ -317,12 +317,12 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
- // returning a nil error. If hash is zero then hashed is used directly. This
- // isn't advisable except for interoperability.
- func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPublicKey(pub)
- if err != nil {
- return err
- }
-- if err := boring.VerifyRSAPKCS1v15(bkey, hash, hashed, sig); err != nil {
-+ if err := boring.VerifyRSAPKCS1v15(bkey, hash, hashed, sig, hash != crypto.Hash(0)); err != nil {
- return ErrVerification
- }
- return nil
-diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
-index 29e79bd..e7431e8 100644
---- a/src/crypto/rsa/pss.go
-+++ b/src/crypto/rsa/pss.go
-@@ -9,7 +9,7 @@ package rsa
- import (
- "bytes"
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "errors"
- "hash"
- "io"
-@@ -215,7 +215,7 @@ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed,
- return nil, err
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
-@@ -290,7 +290,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
- saltLength = hash.Size()
- }
-
-- if boring.Enabled && rand == boring.RandReader {
-+ if boring.Enabled() && rand == boring.RandReader {
- bkey, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
-@@ -313,7 +313,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
- // argument may be nil, in which case sensible defaults are used. opts.Hash is
- // ignored.
- func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPublicKey(pub)
- if err != nil {
- return err
-diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
-index c941124..7ea291c 100644
---- a/src/crypto/rsa/rsa.go
-+++ b/src/crypto/rsa/rsa.go
-@@ -24,8 +24,8 @@ package rsa
-
- import (
- "crypto"
-- "crypto/internal/boring"
-- "crypto/internal/boring/bbig"
-+ boring "crypto/internal/backend"
-+ "crypto/internal/backend/bbig"
- "crypto/internal/randutil"
- "crypto/rand"
- "crypto/subtle"
-@@ -257,7 +257,7 @@ func GenerateKey(random io.Reader, bits int) (*PrivateKey, error) {
- func GenerateMultiPrimeKey(random io.Reader, nprimes int, bits int) (*PrivateKey, error) {
- randutil.MaybeReadByte(random)
-
-- if boring.Enabled && random == boring.RandReader && nprimes == 2 && (bits == 2048 || bits == 3072) {
-+ if boring.Enabled() && random == boring.RandReader && nprimes == 2 && (bits == 2048 || bits == 3072) {
- bN, bE, bD, bP, bQ, bDp, bDq, bQinv, err := boring.GenerateKeyRSA(bits)
- if err != nil {
- return nil, err
-@@ -453,7 +453,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
- return nil, ErrMessageTooLong
- }
-
-- if boring.Enabled && random == boring.RandReader {
-+ if boring.Enabled() && random == boring.RandReader {
- bkey, err := boringPublicKey(pub)
- if err != nil {
- return nil, err
-@@ -482,7 +482,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
- mgf1XOR(db, hash, seed)
- mgf1XOR(seed, hash, db)
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- var bkey *boring.PublicKeyRSA
- bkey, err = boringPublicKey(pub)
- if err != nil {
-@@ -660,7 +660,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
- return nil, ErrDecryption
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- bkey, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
-diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
-index 766d9a9..608110d 100644
---- a/src/crypto/rsa/rsa_test.go
-+++ b/src/crypto/rsa/rsa_test.go
-@@ -15,7 +15,7 @@ import (
- "testing"
- )
-
--import "crypto/internal/boring"
-+import boring "crypto/internal/backend"
-
- func TestKeyGeneration(t *testing.T) {
- for _, size := range []int{128, 1024, 2048, 3072} {
-@@ -114,7 +114,7 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
- t.Errorf("private exponent too large")
- }
-
-- if boring.Enabled {
-+ if boring.Enabled() {
- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
- msg := []byte("hi!")
- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
-@@ -181,7 +181,7 @@ func init() {
- }
-
- func BenchmarkRSA2048Decrypt(b *testing.B) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- b.Skip("no raw decrypt in BoringCrypto")
- }
-
-@@ -207,7 +207,7 @@ func BenchmarkRSA2048Sign(b *testing.B) {
- }
-
- func Benchmark3PrimeRSA2048Decrypt(b *testing.B) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- b.Skip("no raw decrypt in BoringCrypto")
- }
-
-diff --git a/src/crypto/sha1/boring.go b/src/crypto/sha1/boring.go
-index b5786d1..9bd03f3 100644
---- a/src/crypto/sha1/boring.go
-+++ b/src/crypto/sha1/boring.go
-@@ -12,11 +12,11 @@
- package sha1
-
- import (
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "hash"
- )
-
--const boringEnabled = boring.Enabled
-+var boringEnabled = boring.Enabled()
-
- func boringNewSHA1() hash.Hash { return boring.NewSHA1() }
-
-diff --git a/src/crypto/sha1/notboring.go b/src/crypto/sha1/notboring.go
-index 42ef879..c1a3205 100644
---- a/src/crypto/sha1/notboring.go
-+++ b/src/crypto/sha1/notboring.go
-@@ -11,10 +11,10 @@ import (
- "hash"
- )
-
--const boringEnabled = false
-+var boringEnabled = false
-
--func boringNewSHA1() hash.Hash { panic("boringcrypto: not available") }
-+func boringNewSHA1() hash.Hash { panic("!no_openssl: not available") }
-
- func boringUnreachable() {}
-
--func boringSHA1([]byte) [20]byte { panic("boringcrypto: not available") }
-+func boringSHA1([]byte) [20]byte { panic("!no_openssl: not available") }
-diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go
-index 85ed126..71f4b46 100644
---- a/src/crypto/sha1/sha1_test.go
-+++ b/src/crypto/sha1/sha1_test.go
-@@ -8,7 +8,7 @@ package sha1
-
- import (
- "bytes"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/rand"
- "encoding"
- "fmt"
-@@ -78,7 +78,7 @@ func TestGolden(t *testing.T) {
- io.WriteString(c, g.in[len(g.in)/2:])
- sum = c.Sum(nil)
- case 3:
-- if boring.Enabled {
-+ if boring.Enabled() {
- continue
- }
- io.WriteString(c, g.in[0:len(g.in)/2])
-@@ -145,7 +145,7 @@ func TestBlockSize(t *testing.T) {
-
- // Tests that blockGeneric (pure Go) and block (in assembly for some architectures) match.
- func TestBlockGeneric(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't expose digest")
- }
- for i := 1; i < 30; i++ { // arbitrary factor
-@@ -218,7 +218,7 @@ func TestLargeHashes(t *testing.T) {
- }
-
- func TestAllocations(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't allocate the same way as stdlib")
- }
- in := []byte("hello, world!")
-diff --git a/src/crypto/sha256/sha256.go b/src/crypto/sha256/sha256.go
-index e3c15e6..9a98baa 100644
---- a/src/crypto/sha256/sha256.go
-+++ b/src/crypto/sha256/sha256.go
-@@ -8,7 +8,7 @@ package sha256
-
- import (
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "encoding/binary"
- "errors"
- "hash"
-@@ -160,7 +160,7 @@ func (d *digest) Reset() {
- // encoding.BinaryUnmarshaler to marshal and unmarshal the internal
- // state of the hash.
- func New() hash.Hash {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.NewSHA256()
- }
- d := new(digest)
-@@ -170,7 +170,7 @@ func New() hash.Hash {
-
- // New224 returns a new hash.Hash computing the SHA224 checksum.
- func New224() hash.Hash {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.NewSHA224()
- }
- d := new(digest)
-@@ -261,7 +261,7 @@ func (d *digest) checkSum() [Size]byte {
-
- // Sum256 returns the SHA256 checksum of the data.
- func Sum256(data []byte) [Size]byte {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.SHA256(data)
- }
- var d digest
-@@ -272,7 +272,7 @@ func Sum256(data []byte) [Size]byte {
-
- // Sum224 returns the SHA224 checksum of the data.
- func Sum224(data []byte) [Size224]byte {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.SHA224(data)
- }
- var d digest
-diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go
-index 7304678..a073d31 100644
---- a/src/crypto/sha256/sha256_test.go
-+++ b/src/crypto/sha256/sha256_test.go
-@@ -8,7 +8,7 @@ package sha256
-
- import (
- "bytes"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/rand"
- "encoding"
- "fmt"
-@@ -217,7 +217,7 @@ func TestBlockSize(t *testing.T) {
-
- // Tests that blockGeneric (pure Go) and block (in assembly for some architectures) match.
- func TestBlockGeneric(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't expose digest")
- }
- gen, asm := New().(*digest), New().(*digest)
-@@ -294,7 +294,7 @@ func TestLargeHashes(t *testing.T) {
- }
-
- func TestAllocations(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't allocate the same way as stdlib")
- }
- in := []byte("hello, world!")
-diff --git a/src/crypto/sha512/sha512.go b/src/crypto/sha512/sha512.go
-index c800a29..cab2477 100644
---- a/src/crypto/sha512/sha512.go
-+++ b/src/crypto/sha512/sha512.go
-@@ -12,7 +12,7 @@ package sha512
-
- import (
- "crypto"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "encoding/binary"
- "errors"
- "hash"
-@@ -212,7 +212,7 @@ func consumeUint64(b []byte) ([]byte, uint64) {
-
- // New returns a new hash.Hash computing the SHA-512 checksum.
- func New() hash.Hash {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.NewSHA512()
- }
- d := &digest{function: crypto.SHA512}
-@@ -236,7 +236,7 @@ func New512_256() hash.Hash {
-
- // New384 returns a new hash.Hash computing the SHA-384 checksum.
- func New384() hash.Hash {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.NewSHA384()
- }
- d := &digest{function: crypto.SHA384}
-@@ -343,7 +343,7 @@ func (d *digest) checkSum() [Size]byte {
-
- // Sum512 returns the SHA512 checksum of the data.
- func Sum512(data []byte) [Size]byte {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.SHA512(data)
- }
- d := digest{function: crypto.SHA512}
-@@ -354,7 +354,7 @@ func Sum512(data []byte) [Size]byte {
-
- // Sum384 returns the SHA384 checksum of the data.
- func Sum384(data []byte) [Size384]byte {
-- if boring.Enabled {
-+ if boring.Enabled() {
- return boring.SHA384(data)
- }
- d := digest{function: crypto.SHA384}
-diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go
-index 921cdbb..a35165b 100644
---- a/src/crypto/sha512/sha512_test.go
-+++ b/src/crypto/sha512/sha512_test.go
-@@ -8,7 +8,7 @@ package sha512
-
- import (
- "bytes"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/rand"
- "encoding"
- "encoding/hex"
-@@ -823,7 +823,7 @@ func TestBlockSize(t *testing.T) {
-
- // Tests that blockGeneric (pure Go) and block (in assembly for some architectures) match.
- func TestBlockGeneric(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't expose digest")
- }
- gen, asm := New().(*digest), New().(*digest)
-@@ -893,7 +893,7 @@ func TestLargeHashes(t *testing.T) {
- }
-
- func TestAllocations(t *testing.T) {
-- if boring.Enabled {
-+ if boring.Enabled() {
- t.Skip("BoringCrypto doesn't allocate the same way as stdlib")
- }
- in := []byte("hello, world!")
-diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
-index 4c5c352..76a0077 100644
---- a/src/crypto/tls/boring.go
-+++ b/src/crypto/tls/boring.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package tls
-
-@@ -12,7 +12,7 @@ import (
- )
-
- func init() {
-- if boring.Enabled && !boring.ExecutingTest() {
-+ if boring.Enabled() && !boring.ExecutingTest() {
- fipstls.Force()
- }
- }
-diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
-index 9fec2c8..068b5c2 100644
---- a/src/crypto/tls/boring_test.go
-+++ b/src/crypto/tls/boring_test.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package tls
-
-diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
-index f7c64db..703d5c7 100644
---- a/src/crypto/tls/cipher_suites.go
-+++ b/src/crypto/tls/cipher_suites.go
-@@ -10,7 +10,7 @@ import (
- "crypto/cipher"
- "crypto/des"
- "crypto/hmac"
-- "crypto/internal/boring"
-+ boring "crypto/internal/backend"
- "crypto/rc4"
- "crypto/sha1"
- "crypto/sha256"
-@@ -430,7 +430,7 @@ func macSHA1(key []byte) hash.Hash {
- h := sha1.New
- // The BoringCrypto SHA1 does not have a constant-time
- // checksum function, so don't try to use it.
-- if !boring.Enabled {
-+ if !boring.Enabled() {
- h = newConstantTimeHash(h)
- }
- return hmac.New(h, key)
-@@ -522,7 +522,7 @@ func aeadAESGCM(key, noncePrefix []byte) aead {
- panic(err)
- }
- var aead cipher.AEAD
-- if boring.Enabled {
-+ if boring.Enabled() {
- aead, err = boring.NewGCMTLS(aes)
- } else {
- boring.Unreachable()
-diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
-index 323d683..8bcee17 100644
---- a/src/crypto/tls/key_schedule.go
-+++ b/src/crypto/tls/key_schedule.go
-@@ -7,8 +7,8 @@ package tls
- import (
- "crypto/elliptic"
- "crypto/hmac"
-- "crypto/internal/boring"
-- "crypto/internal/boring/bbig"
-+ boring "crypto/internal/backend"
-+ "crypto/internal/backend/bbig"
- "errors"
- "hash"
- "io"
-@@ -45,7 +45,7 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
- b.AddBytes(context)
- })
- out := make([]byte, length)
-- if boring.Enabled {
-+ if boring.Enabled() {
- reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic())
- if err != nil {
- panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
-@@ -76,7 +76,7 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
- if newSecret == nil {
- newSecret = make([]byte, c.hash.Size())
- }
-- if boring.Enabled {
-+ if boring.Enabled() {
- ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret)
- if err != nil {
- panic("tls: HKDF-Extract invocation failed unexpectedly")
-@@ -150,7 +150,7 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
-
- p := &nistParameters{curveID: curveID}
- var err error
-- if boring.Enabled {
-+ if boring.Enabled() {
- x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name)
- if err != nil {
- return nil, err
-@@ -197,7 +197,7 @@ func (p *nistParameters) PublicKey() []byte {
-
- func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
- curve, _ := curveForCurveID(p.curveID)
-- if boring.Enabled {
-+ if boring.Enabled() {
- k := new(big.Int).SetBytes(p.privateKey)
- priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k))
- if err != nil {
-diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go
-index 7d85b39..fe27194 100644
---- a/src/crypto/tls/notboring.go
-+++ b/src/crypto/tls/notboring.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !boringcrypto
-+//go:build no_openssl
-
- package tls
-
-diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
-index 42706f9..de4442e 100644
---- a/src/crypto/x509/boring.go
-+++ b/src/crypto/x509/boring.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package x509
-
-diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
-index 70021f3..7607c33 100644
---- a/src/crypto/x509/boring_test.go
-+++ b/src/crypto/x509/boring_test.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto
-+//go:build !no_openssl
-
- package x509
-
-diff --git a/src/crypto/x509/notboring.go b/src/crypto/x509/notboring.go
-index c83a727..0c7dea2 100644
---- a/src/crypto/x509/notboring.go
-+++ b/src/crypto/x509/notboring.go
-@@ -2,7 +2,7 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !boringcrypto
-+//go:build no_openssl
-
- package x509
-
-diff --git a/src/go.mod b/src/go.mod
-index 6c31631..181ce9b 100644
---- a/src/go.mod
-+++ b/src/go.mod
-@@ -3,6 +3,7 @@ module std
- go 1.19
-
- require (
-+ github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c
- golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8
- golang.org/x/net v0.0.0-20220907013720-d52c520e3766
- )
-diff --git a/src/go.sum b/src/go.sum
-index 2f90a33..7871ac3 100644
---- a/src/go.sum
-+++ b/src/go.sum
-@@ -1,3 +1,5 @@
-+github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c h1:JAKv3y5+79PdvH8+aqBN9sGow464W4Iegvdx6qtqJJc=
-+github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c/go.mod h1:V2IU8imz/VkScnIbTOrdYsZ5R88ZFypCE0LzhRJ3HsI=
- golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8 h1:y+mHpWoQJNAHt26Nhh6JP7hvM71IRZureyvZhoVALIs=
- golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
- golang.org/x/net v0.0.0-20220907013720-d52c520e3766 h1:D02YdIT3M6OQkZXTQiO761u/SmR3DDDiDXLN2oZIUac=
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/LICENSE b/src/vendor/github.com/golang-fips/openssl-fips/LICENSE
-new file mode 100644
-index 0000000..093267e
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/LICENSE
-@@ -0,0 +1,20 @@
-+The MIT License (MIT)
-+
-+Copyright (c) 2022 Red Hat, Inc.
-+
-+Permission is hereby granted, free of charge, to any person obtaining a copy of
-+this software and associated documentation files (the "Software"), to deal in
-+the Software without restriction, including without limitation the rights to
-+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-+the Software, and to permit persons to whom the Software is furnished to do so,
-+subject to the following conditions:
-+
-+The above copyright notice and this permission notice shall be included in all
-+copies or substantial portions of the Software.
-+
-+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-\ No newline at end of file
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
-new file mode 100644
-index 0000000..079fc3c
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
-@@ -0,0 +1,516 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+package openssl
-+
-+// #include "goopenssl.h"
-+import "C"
-+import (
-+ "crypto/cipher"
-+ "errors"
-+ "runtime"
-+ "strconv"
-+ "unsafe"
-+)
-+
-+type aesKeySizeError int
-+
-+func (k aesKeySizeError) Error() string {
-+ return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
-+}
-+
-+const aesBlockSize = 16
-+
-+type aesCipher struct {
-+ key []byte
-+ enc_ctx *C.EVP_CIPHER_CTX
-+ dec_ctx *C.EVP_CIPHER_CTX
-+ cipher *C.EVP_CIPHER
-+}
-+
-+type extraModes interface {
-+ // Copied out of crypto/aes/modes.go.
-+ NewCBCEncrypter(iv []byte) cipher.BlockMode
-+ NewCBCDecrypter(iv []byte) cipher.BlockMode
-+ NewCTR(iv []byte) cipher.Stream
-+ NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
-+
-+ // Invented for BoringCrypto.
-+ NewGCMTLS() (cipher.AEAD, error)
-+}
-+
-+var _ extraModes = (*aesCipher)(nil)
-+
-+func NewAESCipher(key []byte) (cipher.Block, error) {
-+ c := &aesCipher{key: make([]byte, len(key))}
-+ copy(c.key, key)
-+
-+ switch len(c.key) * 8 {
-+ case 128:
-+ c.cipher = C._goboringcrypto_EVP_aes_128_ecb()
-+ case 192:
-+ c.cipher = C._goboringcrypto_EVP_aes_192_ecb()
-+ case 256:
-+ c.cipher = C._goboringcrypto_EVP_aes_256_ecb()
-+ default:
-+ return nil, errors.New("crypto/cipher: Invalid key size")
-+ }
-+
-+ runtime.SetFinalizer(c, (*aesCipher).finalize)
-+
-+ return c, nil
-+}
-+
-+func (c *aesCipher) finalize() {
-+ if c.enc_ctx != nil {
-+ C._goboringcrypto_EVP_CIPHER_CTX_free(c.enc_ctx)
-+ }
-+ if c.dec_ctx != nil {
-+ C._goboringcrypto_EVP_CIPHER_CTX_free(c.dec_ctx)
-+ }
-+}
-+
-+func (c *aesCipher) BlockSize() int { return aesBlockSize }
-+
-+func (c *aesCipher) Encrypt(dst, src []byte) {
-+ if inexactOverlap(dst, src) {
-+ panic("crypto/cipher: invalid buffer overlap")
-+ }
-+ if len(src) < aesBlockSize {
-+ panic("crypto/aes: input not full block")
-+ }
-+ if len(dst) < aesBlockSize {
-+ panic("crypto/aes: output not full block")
-+ }
-+
-+ if c.enc_ctx == nil {
-+ c.enc_ctx = C._goboringcrypto_EVP_CIPHER_CTX_new()
-+ if c.enc_ctx == nil {
-+ panic("cipher: unable to create EVP cipher ctx")
-+ }
-+
-+ k := (*C.uchar)(unsafe.Pointer(&c.key[0]))
-+
-+ if C.int(1) != C._goboringcrypto_EVP_CipherInit_ex(c.enc_ctx, c.cipher, nil, k, nil, C.GO_AES_ENCRYPT) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ }
-+
-+ outlen := C.int(0)
-+ C._goboringcrypto_EVP_CipherUpdate(c.enc_ctx, (*C.uchar)(unsafe.Pointer(&dst[0])), &outlen, (*C.uchar)(unsafe.Pointer(&src[0])), C.int(aesBlockSize))
-+ runtime.KeepAlive(c)
-+}
-+
-+func (c *aesCipher) Decrypt(dst, src []byte) {
-+ if inexactOverlap(dst, src) {
-+ panic("crypto/cipher: invalid buffer overlap")
-+ }
-+ if len(src) < aesBlockSize {
-+ panic("crypto/aes: input not full block")
-+ }
-+ if len(dst) < aesBlockSize {
-+ panic("crypto/aes: output not full block")
-+ }
-+ if c.dec_ctx == nil {
-+ c.dec_ctx = C._goboringcrypto_EVP_CIPHER_CTX_new()
-+ if c.dec_ctx == nil {
-+ panic("cipher: unable to create EVP cipher ctx")
-+ }
-+
-+ k := (*C.uchar)(unsafe.Pointer(&c.key[0]))
-+
-+ if C.int(1) != C._goboringcrypto_EVP_CipherInit_ex(c.dec_ctx, c.cipher, nil, k, nil, C.GO_AES_DECRYPT) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ }
-+ // Workaround - padding detection is broken but we don't need it
-+ // since we check for full blocks
-+ if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 {
-+ panic("crypto/cipher: could not disable cipher padding")
-+ }
-+ outlen := C.int(0)
-+ C._goboringcrypto_EVP_CipherUpdate(c.dec_ctx, (*C.uchar)(unsafe.Pointer(&dst[0])), &outlen, (*C.uchar)(unsafe.Pointer(&src[0])), C.int(aesBlockSize))
-+ runtime.KeepAlive(c)
-+}
-+
-+type aesCBC struct {
-+ key []byte
-+ mode C.int
-+ iv [aesBlockSize]byte
-+ ctx *C.EVP_CIPHER_CTX
-+}
-+
-+func (x *aesCBC) BlockSize() int { return aesBlockSize }
-+
-+func (x *aesCBC) CryptBlocks(dst, src []byte) {
-+ if inexactOverlap(dst, src) {
-+ panic("crypto/cipher: invalid buffer overlap")
-+ }
-+ if len(src)%aesBlockSize != 0 {
-+ panic("crypto/cipher: input not full blocks")
-+ }
-+ if len(dst) < len(src) {
-+ panic("crypto/cipher: output smaller than input")
-+ }
-+ if len(src) > 0 {
-+ outlen := C.int(0)
-+ // Workaround - padding detection is broken but we don't need it
-+ // since we check for full blocks
-+ if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(x.ctx, 0) != 1 {
-+ panic("crypto/cipher: could not disable cipher padding")
-+ }
-+ if C._goboringcrypto_EVP_CipherUpdate(
-+ x.ctx,
-+ base(dst), &outlen,
-+ base(src), C.int(len(src)),
-+ ) != 1 {
-+ panic("crypto/cipher: CipherUpdate failed")
-+ }
-+ runtime.KeepAlive(x)
-+ }
-+}
-+
-+func (x *aesCBC) SetIV(iv []byte) {
-+ if len(iv) != aesBlockSize {
-+ panic("cipher: incorrect length IV")
-+ }
-+ copy(x.iv[:], iv)
-+ if C.int(1) != C._goboringcrypto_EVP_CipherInit_ex(x.ctx, nil, nil, nil, (*C.uchar)(unsafe.Pointer(&x.iv[0])), -1) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+}
-+
-+func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
-+ x := &aesCBC{key: c.key, mode: C.GO_AES_ENCRYPT}
-+ copy(x.iv[:], iv)
-+
-+ x.ctx = C._goboringcrypto_EVP_CIPHER_CTX_new()
-+ if x.ctx == nil {
-+ panic("cipher: unable to create EVP cipher ctx")
-+ }
-+
-+ k := (*C.uchar)(unsafe.Pointer(&x.key[0]))
-+ vec := (*C.uchar)(unsafe.Pointer(&x.iv[0]))
-+
-+ var cipher *C.EVP_CIPHER
-+ switch len(c.key) * 8 {
-+ case 128:
-+ cipher = C._goboringcrypto_EVP_aes_128_cbc()
-+ case 192:
-+ cipher = C._goboringcrypto_EVP_aes_192_cbc()
-+ case 256:
-+ cipher = C._goboringcrypto_EVP_aes_256_cbc()
-+ default:
-+ panic("crypto/boring: unsupported key length")
-+ }
-+ if C.int(1) != C._goboringcrypto_EVP_CipherInit_ex(x.ctx, cipher, nil, k, vec, x.mode) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+
-+ runtime.SetFinalizer(x, (*aesCBC).finalize)
-+
-+ return x
-+}
-+
-+func (c *aesCBC) finalize() {
-+ C._goboringcrypto_EVP_CIPHER_CTX_free(c.ctx)
-+}
-+
-+func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
-+ x := &aesCBC{key: c.key, mode: C.GO_AES_DECRYPT}
-+ copy(x.iv[:], iv)
-+
-+ x.ctx = C._goboringcrypto_EVP_CIPHER_CTX_new()
-+ if x.ctx == nil {
-+ panic("cipher: unable to create EVP cipher ctx")
-+ }
-+
-+ k := (*C.uchar)(unsafe.Pointer(&x.key[0]))
-+ vec := (*C.uchar)(unsafe.Pointer(&x.iv[0]))
-+
-+ var cipher *C.EVP_CIPHER
-+ switch len(c.key) * 8 {
-+ case 128:
-+ cipher = C._goboringcrypto_EVP_aes_128_cbc()
-+ case 192:
-+ cipher = C._goboringcrypto_EVP_aes_192_cbc()
-+ case 256:
-+ cipher = C._goboringcrypto_EVP_aes_256_cbc()
-+ default:
-+ panic("crypto/boring: unsupported key length")
-+ }
-+ if C.int(1) != C._goboringcrypto_EVP_CipherInit_ex(x.ctx, cipher, nil, k, vec, x.mode) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ if C.int(1) != C._goboringcrypto_EVP_CIPHER_CTX_set_padding(x.ctx, 0) {
-+ panic("cipher: unable to set padding")
-+ }
-+
-+ runtime.SetFinalizer(x, (*aesCBC).finalize)
-+ return x
-+}
-+
-+type aesCTR struct {
-+ key []byte
-+ iv [aesBlockSize]byte
-+ ctx *C.EVP_CIPHER_CTX
-+ num C.uint
-+ ecount_buf [16]C.uint8_t
-+}
-+
-+func (x *aesCTR) XORKeyStream(dst, src []byte) {
-+ if inexactOverlap(dst, src) {
-+ panic("crypto/cipher: invalid buffer overlap")
-+ }
-+ if len(dst) < len(src) {
-+ panic("crypto/cipher: output smaller than input")
-+ }
-+ if len(src) == 0 {
-+ return
-+ }
-+ C._goboringcrypto_EVP_AES_ctr128_enc(
-+ x.ctx,
-+ (*C.uint8_t)(unsafe.Pointer(&src[0])),
-+ (*C.uint8_t)(unsafe.Pointer(&dst[0])),
-+ C.size_t(len(src)))
-+ runtime.KeepAlive(x)
-+}
-+
-+func (c *aesCipher) NewCTR(iv []byte) cipher.Stream {
-+ x := &aesCTR{key: c.key}
-+ copy(x.iv[:], iv)
-+
-+ x.ctx = C._goboringcrypto_EVP_CIPHER_CTX_new()
-+ if x.ctx == nil {
-+ panic("cipher: unable to create EVP cipher ctx")
-+ }
-+
-+ k := (*C.uchar)(unsafe.Pointer(&x.key[0]))
-+ vec := (*C.uchar)(unsafe.Pointer(&x.iv[0]))
-+
-+ switch len(c.key) * 8 {
-+ case 128:
-+ if C.int(1) != C._goboringcrypto_EVP_EncryptInit_ex(x.ctx, C._goboringcrypto_EVP_aes_128_ctr(), nil, k, vec) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ case 192:
-+ if C.int(1) != C._goboringcrypto_EVP_EncryptInit_ex(x.ctx, C._goboringcrypto_EVP_aes_192_ctr(), nil, k, vec) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ case 256:
-+ if C.int(1) != C._goboringcrypto_EVP_EncryptInit_ex(x.ctx, C._goboringcrypto_EVP_aes_256_ctr(), nil, k, vec) {
-+ panic("cipher: unable to initialize EVP cipher ctx")
-+ }
-+ }
-+
-+ runtime.SetFinalizer(x, (*aesCTR).finalize)
-+
-+ return x
-+}
-+
-+func (c *aesCTR) finalize() {
-+ C._goboringcrypto_EVP_CIPHER_CTX_free(c.ctx)
-+}
-+
-+type aesGCM struct {
-+ key []byte
-+ tls bool
-+}
-+
-+const (
-+ gcmBlockSize = 16
-+ gcmTagSize = 16
-+ gcmStandardNonceSize = 12
-+)
-+
-+type aesNonceSizeError int
-+
-+func (n aesNonceSizeError) Error() string {
-+ return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n))
-+}
-+
-+type noGCM struct {
-+ cipher.Block
-+}
-+
-+func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
-+ if !ExecutingTest() || IsStrictFips() {
-+ if nonceSize != gcmStandardNonceSize {
-+ return nil, errors.New("crypto/aes: GCM nonce size can't be non-standard")
-+ }
-+ if tagSize != gcmTagSize {
-+ return nil, errors.New("crypto/aes: GCM tag size can't be non-standard")
-+ }
-+ } else {
-+ // Be more lenient if we're running via a test binary so that
-+ // we don't have to be as invasive with skipping tests in the standard
-+ // library.
-+ if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
-+ return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
-+ }
-+ // Fall back to standard library for GCM with non-standard nonce or tag size.
-+ if nonceSize != gcmStandardNonceSize {
-+ return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
-+ }
-+ if tagSize != gcmTagSize {
-+ return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
-+ }
-+ }
-+ return c.newGCM(false)
-+}
-+
-+// NewGCMTLS returns a GCM cipher specific to TLS
-+// and should not be used for non-TLS purposes.
-+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
-+ return c.(*aesCipher).NewGCMTLS()
-+}
-+
-+func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
-+ return c.newGCM(true)
-+}
-+
-+func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
-+ keyLen := len(c.key) * 8
-+
-+ if keyLen != 128 && keyLen != 256 {
-+ if ExecutingTest() {
-+ // Fall back to standard library for GCM with non-standard key size.
-+ return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize)
-+ }
-+ // Return error for GCM with non-standard key size.
-+ return nil, fail("GCM invoked with non-standard key size")
-+ }
-+
-+ g := &aesGCM{key: c.key, tls: tls}
-+ if g.NonceSize() != gcmStandardNonceSize {
-+ panic("boringcrypto: internal confusion about nonce size")
-+ }
-+ if g.Overhead() != gcmTagSize {
-+ panic("boringcrypto: internal confusion about tag size")
-+ }
-+
-+ return g, nil
-+}
-+
-+func (g *aesGCM) NonceSize() int {
-+ return gcmStandardNonceSize
-+}
-+
-+func (g *aesGCM) Overhead() int {
-+ return gcmTagSize
-+}
-+
-+// base returns the address of the underlying array in b,
-+// being careful not to panic when b has zero length.
-+func base(b []byte) *C.uint8_t {
-+ if len(b) == 0 {
-+ return nil
-+ }
-+ return (*C.uint8_t)(unsafe.Pointer(&b[0]))
-+}
-+
-+func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
-+ if len(nonce) != gcmStandardNonceSize {
-+ panic("cipher: incorrect nonce length given to GCM")
-+ }
-+ if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
-+ panic("cipher: message too large for GCM")
-+ }
-+ if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
-+ panic("cipher: message too large for buffer")
-+ }
-+
-+ // Make room in dst to append plaintext+overhead.
-+ n := len(dst)
-+ for cap(dst) < n+len(plaintext)+gcmTagSize {
-+ dst = append(dst[:cap(dst)], 0)
-+ }
-+ dst = dst[:n+len(plaintext)+gcmTagSize]
-+
-+ // Check delayed until now to make sure len(dst) is accurate.
-+ if inexactOverlap(dst[n:], plaintext) {
-+ panic("cipher: invalid buffer overlap")
-+ }
-+
-+ var ciphertextLen C.size_t
-+
-+ if ok := C._goboringcrypto_EVP_CIPHER_CTX_seal(
-+ (*C.uint8_t)(unsafe.Pointer(&dst[n])),
-+ base(nonce), base(additionalData), C.size_t(len(additionalData)),
-+ base(plaintext), C.size_t(len(plaintext)), &ciphertextLen,
-+ base(g.key), C.int(len(g.key)*8)); ok != 1 {
-+ panic("boringcrypto: EVP_CIPHER_CTX_seal fail")
-+ }
-+ runtime.KeepAlive(g)
-+
-+ if ciphertextLen != C.size_t(len(plaintext)+gcmTagSize) {
-+ panic("boringcrypto: [seal] internal confusion about GCM tag size")
-+ }
-+ return dst[:n+int(ciphertextLen)]
-+}
-+
-+var errOpen = errors.New("cipher: message authentication failed")
-+
-+func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-+ if len(nonce) != gcmStandardNonceSize {
-+ panic("cipher: incorrect nonce length given to GCM")
-+ }
-+ if len(ciphertext) < gcmTagSize {
-+ return nil, errOpen
-+ }
-+ if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
-+ return nil, errOpen
-+ }
-+
-+ // Make room in dst to append ciphertext without tag.
-+ n := len(dst)
-+ for cap(dst) < n+len(ciphertext)-gcmTagSize {
-+ dst = append(dst[:cap(dst)], 0)
-+ }
-+ dst = dst[:n+len(ciphertext)-gcmTagSize]
-+
-+ // Check delayed until now to make sure len(dst) is accurate.
-+ if inexactOverlap(dst[n:], ciphertext) {
-+ panic("cipher: invalid buffer overlap")
-+ }
-+
-+ tag := ciphertext[len(ciphertext)-gcmTagSize:]
-+
-+ var outLen C.size_t
-+
-+ ok := C._goboringcrypto_EVP_CIPHER_CTX_open(
-+ base(ciphertext), C.int(len(ciphertext)-gcmTagSize),
-+ base(additionalData), C.int(len(additionalData)),
-+ base(tag), base(g.key), C.int(len(g.key)*8),
-+ base(nonce), C.int(len(nonce)),
-+ base(dst[n:]), &outLen)
-+ runtime.KeepAlive(g)
-+ if ok == 0 {
-+ // Zero output buffer on error.
-+ for i := range dst {
-+ dst[i] = 0
-+ }
-+ return nil, errOpen
-+ }
-+ if outLen != C.size_t(len(ciphertext)-gcmTagSize) {
-+ panic("boringcrypto: [open] internal confusion about GCM tag size")
-+ }
-+ return dst[:n+int(outLen)], nil
-+}
-+
-+func anyOverlap(x, y []byte) bool {
-+ return len(x) > 0 && len(y) > 0 &&
-+ uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
-+ uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
-+}
-+
-+func inexactOverlap(x, y []byte) bool {
-+ if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
-+ return false
-+ }
-+ return anyOverlap(x, y)
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/doc.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/doc.go
-new file mode 100644
-index 0000000..cdc7f6a
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/doc.go
-@@ -0,0 +1,17 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+// package openssl provides access to OpenSSL implementation functions.
-+package openssl
-+
-+// Enabled returns whether or not the boring package is enabled. When
-+// the boring package is enabled that means FIPS mode is enabled.
-+func Enabled() bool {
-+ return enabled
-+}
-+
-+// A BigInt is the raw words from a BigInt.
-+// This definition allows us to avoid importing math/big.
-+// Conversion between BigInt and *big.Int is in crypto/internal/boring/bbig.
-+type BigInt []uint
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
-new file mode 100644
-index 0000000..0b61e79
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
-@@ -0,0 +1,108 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+package openssl
-+
-+// #include "goopenssl.h"
-+import "C"
-+import "runtime"
-+
-+// ECDH keys are compatible with ECDSA
-+type PublicKeyECDH = PublicKeyECDSA
-+type PrivateKeyECDH = PrivateKeyECDSA
-+
-+var NewPublicKeyECDH = NewPublicKeyECDSA
-+var NewPrivateKeyECDH = NewPrivateKeyECDSA
-+var GenerateKeyECDH = GenerateKeyECDSA
-+
-+func (k *PrivateKeyECDH) withKey(f func(*C.GO_EC_KEY) C.int) C.int {
-+ // Because of the finalizer, any time _key is passed to cgo, that call must
-+ // be followed by a call to runtime.KeepAlive, to make sure k is not
-+ // collected (and finalized) before the cgo call returns.
-+ defer runtime.KeepAlive(k)
-+ return f(k.key)
-+}
-+
-+func (k *PublicKeyECDH) withKey(f func(*C.GO_EC_KEY) C.int) C.int {
-+ // Because of the finalizer, any time _key is passed to cgo, that call must
-+ // be followed by a call to runtime.KeepAlive, to make sure k is not
-+ // collected (and finalized) before the cgo call returns.
-+ defer runtime.KeepAlive(k)
-+ return f(k.key)
-+}
-+
-+func getPeerKey(priv *PrivateKeyECDH, pubBytes []byte) (*PublicKeyECDH, error) {
-+ eckey := C._goboringcrypto_EC_KEY_new()
-+ if priv.withKey(func(key *C.GO_EC_KEY) C.int {
-+ group := C._goboringcrypto_EC_KEY_get0_group(key)
-+ return C._goboringcrypto_EC_KEY_set_group(eckey, group)
-+ }) != 1 {
-+ return nil, NewOpenSSLError("EC_KEY_set_group")
-+ }
-+ if C._goboringcrypto_EC_KEY_oct2key(eckey,
-+ base(pubBytes), C.size_t(len(pubBytes)),
-+ nil) != 1 {
-+ return nil, NewOpenSSLError("EC_KEY_oct2key")
-+ }
-+ k := &PublicKeyECDSA{eckey}
-+ // Note: Because of the finalizer, any time k.key is passed to cgo,
-+ // that call must be followed by a call to runtime.KeepAlive(k),
-+ // to make sure k is not collected (and finalized) before the cgo
-+ // call returns.
-+ runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
-+ return k, nil
-+}
-+
-+func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
-+ pkeyOurs := C._goboringcrypto_EVP_PKEY_new()
-+ if pkeyOurs == nil {
-+ return nil, NewOpenSSLError("EVP_PKEY_new failed")
-+ }
-+ defer C._goboringcrypto_EVP_PKEY_free(pkeyOurs)
-+ if priv.withKey(func(key *C.GO_EC_KEY) C.int {
-+ return C._goboringcrypto_EVP_PKEY_set1_EC_KEY(pkeyOurs, key)
-+ }) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_set1_EC_KEY")
-+ }
-+
-+ pub, err := getPeerKey(priv, peerPublicKey)
-+ if err != nil {
-+ return nil, err
-+ }
-+
-+ pkeyPeers := C._goboringcrypto_EVP_PKEY_new()
-+ if pkeyPeers == nil {
-+ return nil, NewOpenSSLError("EVP_PKEY_new failed")
-+ }
-+ defer C._goboringcrypto_EVP_PKEY_free(pkeyPeers)
-+ if pub.withKey(func(key *C.GO_EC_KEY) C.int {
-+ return C._goboringcrypto_EVP_PKEY_set1_EC_KEY(pkeyPeers, key)
-+ }) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_set1_EC_KEY")
-+ }
-+
-+ ctx := C._goboringcrypto_EVP_PKEY_CTX_new(pkeyOurs, nil)
-+ if ctx == nil {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_new failed")
-+ }
-+ defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
-+ if C._goboringcrypto_EVP_PKEY_derive_init(ctx) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_init failed")
-+ }
-+ if C._goboringcrypto_EVP_PKEY_derive_set_peer_ex(ctx, pkeyPeers, 1) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_set_peer_ex failed")
-+ }
-+ var outLen C.size_t
-+ if C._goboringcrypto_EVP_PKEY_derive(ctx, nil, &outLen) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_init failed")
-+ }
-+ out := make([]byte, outLen)
-+ if C._goboringcrypto_EVP_PKEY_derive(ctx, base(out), &outLen) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_init failed")
-+ }
-+ return out[:outLen], nil
-+}
-diff --git a/src/crypto/internal/boring/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-similarity index 60%
-rename from src/crypto/internal/boring/ecdsa.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-index 884c4b7..b350140 100644
---- a/src/crypto/internal/boring/ecdsa.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-@@ -2,21 +2,24 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-
--package boring
-+package openssl
-
--// #include "goboringcrypto.h"
-+// #include "goopenssl.h"
- import "C"
- import (
-+ "crypto"
-+ "encoding/asn1"
- "errors"
-+ "math/big"
- "runtime"
- "unsafe"
- )
-
- type ecdsaSignature struct {
-- R, S BigInt
-+ R, S *big.Int
- }
-
- type PrivateKeyECDSA struct {
-@@ -36,11 +39,15 @@ func (k *PublicKeyECDSA) finalize() {
- }
-
- var errUnknownCurve = errors.New("boringcrypto: unknown elliptic curve")
-+var errUnsupportedCurve = errors.New("boringcrypto: unsupported elliptic curve")
-
- func curveNID(curve string) (C.int, error) {
- switch curve {
- case "P-224":
-- return C.GO_NID_secp224r1, nil
-+ if ExecutingTest() {
-+ return C.GO_NID_secp224r1, nil
-+ }
-+ return 0, errUnsupportedCurve
- case "P-256":
- return C.GO_NID_X9_62_prime256v1, nil
- case "P-384":
-@@ -72,13 +79,13 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
- }
- key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
- if key == nil {
-- return nil, fail("EC_KEY_new_by_curve_name")
-+ return nil, NewOpenSSLError("EC_KEY_new_by_curve_name failed")
- }
- group := C._goboringcrypto_EC_KEY_get0_group(key)
- pt := C._goboringcrypto_EC_POINT_new(group)
- if pt == nil {
- C._goboringcrypto_EC_KEY_free(key)
-- return nil, fail("EC_POINT_new")
-+ return nil, NewOpenSSLError("EC_POINT_new failed")
- }
- bx := bigToBN(X)
- by := bigToBN(Y)
-@@ -93,7 +100,7 @@ func newECKey(curve string, X, Y BigInt) (*C.GO_EC_KEY, error) {
- C._goboringcrypto_EC_POINT_free(pt)
- if !ok {
- C._goboringcrypto_EC_KEY_free(key)
-- return nil, fail("EC_POINT_set_affine_coordinates_GFp")
-+ return nil, NewOpenSSLError("EC_POINT_free failed")
- }
- return key, nil
- }
-@@ -110,7 +117,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
- }
- if !ok {
- C._goboringcrypto_EC_KEY_free(key)
-- return nil, fail("EC_KEY_set_private_key")
-+ return nil, NewOpenSSLError("EC_KEY_set_private_key failed")
- }
- k := &PrivateKeyECDSA{key}
- // Note: Because of the finalizer, any time k.key is passed to cgo,
-@@ -121,19 +128,55 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
- return k, nil
- }
-
-+func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
-+ size := C._goboringcrypto_ECDSA_size(priv.key)
-+ sig := make([]byte, size)
-+ var sigLen C.uint
-+ md := cryptoHashToMD(h)
-+ if md == nil {
-+ panic("boring: invalid hash")
-+ }
-+ if C._goboringcrypto_ECDSA_sign(md, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
-+ return nil, nil, NewOpenSSLError("ECDSA_sign failed")
-+ }
-+ runtime.KeepAlive(priv)
-+ sig = sig[:sigLen]
-+ var esig ecdsaSignature
-+ if _, err := asn1.Unmarshal(sig, &esig); err != nil {
-+ return nil, nil, err
-+ }
-+ return esig.R, esig.S, nil
-+}
-+
- func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
- size := C._goboringcrypto_ECDSA_size(priv.key)
- sig := make([]byte, size)
- var sigLen C.uint
-- if C._goboringcrypto_ECDSA_sign(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
-- return nil, fail("ECDSA_sign")
-+ ok := C._goboringcrypto_internal_ECDSA_sign(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) > 0
-+ if !ok {
-+ return nil, NewOpenSSLError(("ECDSA_sign failed"))
- }
-+
- runtime.KeepAlive(priv)
- return sig[:sigLen], nil
- }
-
- func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
-- ok := C._goboringcrypto_ECDSA_verify(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.size_t(len(sig)), pub.key) != 0
-+ ok := C._goboringcrypto_internal_ECDSA_verify(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
-+ runtime.KeepAlive(pub)
-+ return ok
-+}
-+
-+func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
-+ md := cryptoHashToMD(h)
-+ if md == nil {
-+ panic("boring: invalid hash")
-+ }
-+ sig, err := asn1.Marshal(ecdsaSignature{r, s})
-+ if err != nil {
-+ return false
-+ }
-+ ok := C._goboringcrypto_ECDSA_verify(md, base(msg), C.size_t(len(msg)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
- runtime.KeepAlive(pub)
- return ok
- }
-@@ -145,30 +188,30 @@ func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
- }
- key := C._goboringcrypto_EC_KEY_new_by_curve_name(nid)
- if key == nil {
-- return nil, nil, nil, fail("EC_KEY_new_by_curve_name")
-+ return nil, nil, nil, NewOpenSSLError("EC_KEY_new_by_curve_name failed")
- }
- defer C._goboringcrypto_EC_KEY_free(key)
-- if C._goboringcrypto_EC_KEY_generate_key_fips(key) == 0 {
-- return nil, nil, nil, fail("EC_KEY_generate_key_fips")
-+ if C._goboringcrypto_EC_KEY_generate_key(key) == 0 {
-+ return nil, nil, nil, NewOpenSSLError("EC_KEY_generate_key failed")
- }
- group := C._goboringcrypto_EC_KEY_get0_group(key)
- pt := C._goboringcrypto_EC_KEY_get0_public_key(key)
- bd := C._goboringcrypto_EC_KEY_get0_private_key(key)
- if pt == nil || bd == nil {
-- return nil, nil, nil, fail("EC_KEY_get0_private_key")
-+ return nil, nil, nil, NewOpenSSLError("EC_KEY_get0_private_key failed")
- }
- bx := C._goboringcrypto_BN_new()
- if bx == nil {
-- return nil, nil, nil, fail("BN_new")
-+ return nil, nil, nil, NewOpenSSLError("BN_new failed")
- }
- defer C._goboringcrypto_BN_free(bx)
- by := C._goboringcrypto_BN_new()
- if by == nil {
-- return nil, nil, nil, fail("BN_new")
-+ return nil, nil, nil, NewOpenSSLError("BN_new failed")
- }
- defer C._goboringcrypto_BN_free(by)
- if C._goboringcrypto_EC_POINT_get_affine_coordinates_GFp(group, pt, bx, by, nil) == 0 {
-- return nil, nil, nil, fail("EC_POINT_get_affine_coordinates_GFp")
-+ return nil, nil, nil, NewOpenSSLError("EC_POINT_get_affine_coordinates_GFp failed")
- }
- return bnToBig(bx), bnToBig(by), bnToBig(bd), nil
- }
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-new file mode 100644
-index 0000000..411fefd
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-@@ -0,0 +1,954 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+// This header file describes the OpenSSL ABI as built for use in Go.
-+
-+#include <stdlib.h> // size_t
-+#include <stdint.h> // uint8_t
-+
-+#include <openssl/ossl_typ.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
-+#define OPENSSL_DLSYM_CALL(handle, func) dlsym(handle, func)
-+#else
-+#define __USE_GNU
-+#define OPENSSL_DLSYM_CALL(handle, func) dlvsym(handle, func, "OPENSSL_3.0.0")
-+#endif
-+
-+#include <dlfcn.h>
-+
-+#define unlikely(x) __builtin_expect(!!(x), 0)
-+#define DEFINEFUNC(ret, func, args, argscall) \
-+ typedef ret(*_goboringcrypto_PTR_##func) args; \
-+ static _goboringcrypto_PTR_##func _g_##func = 0; \
-+ static inline ret _goboringcrypto_##func args \
-+ { \
-+ if (unlikely(!_g_##func)) \
-+ { \
-+ _g_##func = OPENSSL_DLSYM_CALL(handle, #func); \
-+ } \
-+ return _g_##func argscall; \
-+ }
-+
-+#define DEFINEFUNCINTERNAL(ret, func, args, argscall) \
-+ typedef ret(*_goboringcrypto_internal_PTR_##func) args; \
-+ static _goboringcrypto_internal_PTR_##func _g_internal_##func = 0; \
-+ static inline ret _goboringcrypto_internal_##func args \
-+ { \
-+ if (unlikely(!_g_internal_##func)) \
-+ { \
-+ _g_internal_##func = OPENSSL_DLSYM_CALL(handle, #func); \
-+ } \
-+ return _g_internal_##func argscall; \
-+ }
-+
-+#define DEFINEMACRO(ret, func, args, argscall) \
-+ static inline ret _goboringcrypto_##func args \
-+ { \
-+ return func argscall; \
-+ }
-+
-+
-+static void* handle;
-+static void*
-+_goboringcrypto_DLOPEN_OPENSSL(void)
-+{
-+ if (handle)
-+ {
-+ return handle;
-+ }
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ handle = dlopen("libcrypto.so.10", RTLD_NOW | RTLD_GLOBAL);
-+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
-+ handle = dlopen("libcrypto.so.1.1", RTLD_NOW | RTLD_GLOBAL);
-+#else
-+ handle = dlopen("libcrypto.so.3", RTLD_NOW | RTLD_GLOBAL);
-+#endif
-+ return handle;
-+}
-+
-+#include <openssl/opensslv.h>
-+#include <openssl/ssl.h>
-+
-+DEFINEFUNCINTERNAL(void, OPENSSL_init, (void), ())
-+
-+static unsigned long _goboringcrypto_internal_OPENSSL_VERSION_NUMBER(void) {
-+ return OPENSSL_VERSION_NUMBER;
-+}
-+
-+static void
-+_goboringcrypto_OPENSSL_setup(void) {
-+ _goboringcrypto_internal_OPENSSL_init();
-+}
-+
-+#include <openssl/err.h>
-+DEFINEFUNCINTERNAL(void, ERR_print_errors_fp, (FILE* fp), (fp))
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
-+DEFINEFUNCINTERNAL(unsigned long, ERR_get_error_line_data,
-+ (const char **file, int *line, const char **data, int *flags),
-+ (file, line, data, flags))
-+static inline unsigned long
-+_goboringcrypto_internal_ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
-+{
-+ unsigned long e = _goboringcrypto_internal_ERR_get_error_line_data(file, line, data, flags);
-+ if (e == 0 && func != NULL) {
-+ *func = "unknown";
-+ }
-+ return e;
-+}
-+#else
-+DEFINEFUNCINTERNAL(unsigned long, ERR_get_error_all,
-+ (const char **file, int *line, const char **func, const char **data, int *flags),
-+ (file, line, func, data, flags))
-+#endif
-+DEFINEFUNCINTERNAL(void, ERR_error_string_n, (unsigned long e, unsigned char *buf, size_t len), (e, buf, len))
-+
-+#include <openssl/crypto.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(int, CRYPTO_num_locks, (void), ())
-+#else
-+static inline int
-+_goboringcrypto_CRYPTO_num_locks(void) {
-+ return CRYPTO_num_locks(); /* defined as macro */
-+}
-+#endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(void, CRYPTO_set_id_callback, (unsigned long (*id_function)(void)), (id_function))
-+#else
-+static inline void
-+_goboringcrypto_CRYPTO_set_id_callback(unsigned long (*id_function)(void)) {
-+ CRYPTO_set_id_callback(id_function); /* defined as macro */
-+}
-+#endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(void, CRYPTO_set_locking_callback,
-+ (void (*locking_function)(int mode, int n, const char *file, int line)),
-+ (locking_function))
-+#else
-+static inline void
-+_goboringcrypto_CRYPTO_set_locking_callback(void (*locking_function)(int mode, int n, const char *file, int line)) {
-+ CRYPTO_set_locking_callback(locking_function); /* defined as macro */
-+}
-+#endif
-+
-+int _goboringcrypto_OPENSSL_thread_setup(void);
-+
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+DEFINEFUNC(int, FIPS_mode, (void), ())
-+DEFINEFUNC(int, FIPS_mode_set, (int r), (r))
-+#else
-+DEFINEFUNC(int, EVP_default_properties_is_fips_enabled, (OSSL_LIB_CTX *libctx), (libctx))
-+static inline int _goboringcrypto_FIPS_mode(void) {
-+ return _goboringcrypto_EVP_default_properties_is_fips_enabled(NULL);
-+}
-+#endif
-+
-+#include <openssl/rand.h>
-+
-+DEFINEFUNC(int, RAND_set_rand_method, (const RAND_METHOD *rand), (rand))
-+DEFINEFUNC(const RAND_METHOD*, RAND_get_rand_method, (void), ())
-+DEFINEFUNC(int, RAND_bytes, (uint8_t * arg0, size_t arg1), (arg0, arg1))
-+
-+int _goboringcrypto_stub_openssl_rand(void);
-+int _goboringcrypto_restore_openssl_rand(void);
-+int fbytes(unsigned char *buf, int num);
-+
-+
-+#include <openssl/obj_mac.h>
-+
-+enum
-+{
-+ GO_NID_md5_sha1 = NID_md5_sha1,
-+
-+ GO_NID_secp224r1 = NID_secp224r1,
-+ GO_NID_X9_62_prime256v1 = NID_X9_62_prime256v1,
-+ GO_NID_secp384r1 = NID_secp384r1,
-+ GO_NID_secp521r1 = NID_secp521r1,
-+
-+ GO_NID_sha224 = NID_sha224,
-+ GO_NID_sha256 = NID_sha256,
-+ GO_NID_sha384 = NID_sha384,
-+ GO_NID_sha512 = NID_sha512,
-+};
-+
-+#include <openssl/sha.h>
-+
-+typedef SHA_CTX GO_SHA_CTX;
-+
-+DEFINEFUNC(int, SHA1_Init, (GO_SHA_CTX * arg0), (arg0))
-+DEFINEFUNC(int, SHA1_Update, (GO_SHA_CTX * arg0, const void *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, SHA1_Final, (uint8_t * arg0, GO_SHA_CTX *arg1), (arg0, arg1))
-+
-+typedef SHA256_CTX GO_SHA256_CTX;
-+
-+DEFINEFUNC(int, SHA224_Init, (GO_SHA256_CTX * arg0), (arg0))
-+DEFINEFUNC(int, SHA224_Update, (GO_SHA256_CTX * arg0, const void *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, SHA224_Final, (uint8_t * arg0, GO_SHA256_CTX *arg1), (arg0, arg1))
-+
-+DEFINEFUNC(int, SHA256_Init, (GO_SHA256_CTX * arg0), (arg0))
-+DEFINEFUNC(int, SHA256_Update, (GO_SHA256_CTX * arg0, const void *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, SHA256_Final, (uint8_t * arg0, GO_SHA256_CTX *arg1), (arg0, arg1))
-+
-+typedef SHA512_CTX GO_SHA512_CTX;
-+DEFINEFUNC(int, SHA384_Init, (GO_SHA512_CTX * arg0), (arg0))
-+DEFINEFUNC(int, SHA384_Update, (GO_SHA512_CTX * arg0, const void *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, SHA384_Final, (uint8_t * arg0, GO_SHA512_CTX *arg1), (arg0, arg1))
-+
-+DEFINEFUNC(int, SHA512_Init, (GO_SHA512_CTX * arg0), (arg0))
-+DEFINEFUNC(int, SHA512_Update, (GO_SHA512_CTX * arg0, const void *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, SHA512_Final, (uint8_t * arg0, GO_SHA512_CTX *arg1), (arg0, arg1))
-+
-+#include <openssl/evp.h>
-+
-+typedef EVP_MD GO_EVP_MD;
-+DEFINEFUNC(const GO_EVP_MD *, EVP_md4, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_md5, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_sha1, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_sha224, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_sha256, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_sha384, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
-+DEFINEFUNC(const GO_EVP_MD *, EVP_md_null, (void), ())
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
-+#else
-+DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
-+#endif
-+DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
-+
-+# include <openssl/md5.h>
-+DEFINEFUNCINTERNAL(int, MD5_Init, (MD5_CTX *c), (c))
-+DEFINEFUNCINTERNAL(int, MD5_Update, (MD5_CTX *c, const void *data, size_t len), (c, data, len))
-+DEFINEFUNCINTERNAL(int, MD5_Final, (unsigned char *md, MD5_CTX *c), (md, c))
-+
-+static inline int
-+_goboringcrypto_EVP_MD_type(const GO_EVP_MD *md) {
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-+ return _goboringcrypto_internal_EVP_MD_type(md);
-+#else
-+ return _goboringcrypto_internal_EVP_MD_get_type(md);
-+#endif
-+}
-+
-+const GO_EVP_MD* _goboringcrypto_backport_EVP_md5_sha1(void);
-+static inline const GO_EVP_MD*
-+_goboringcrypto_EVP_md5_sha1(void) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ return _goboringcrypto_backport_EVP_md5_sha1();
-+#else
-+ return _goboringcrypto_internal_EVP_md5_sha1();
-+#endif
-+}
-+
-+#include <openssl/hmac.h>
-+
-+typedef HMAC_CTX GO_HMAC_CTX;
-+
-+DEFINEFUNC(int, HMAC_Init_ex,
-+ (GO_HMAC_CTX * arg0, const void *arg1, int arg2, const GO_EVP_MD *arg3, ENGINE *arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+DEFINEFUNC(int, HMAC_Update, (GO_HMAC_CTX * arg0, const uint8_t *arg1, size_t arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, HMAC_Final, (GO_HMAC_CTX * arg0, uint8_t *arg1, unsigned int *arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(size_t, HMAC_CTX_copy, (GO_HMAC_CTX *dest, GO_HMAC_CTX *src), (dest, src))
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_cleanup, (GO_HMAC_CTX * arg0), (arg0))
-+static inline void
-+_goboringcrypto_HMAC_CTX_free(HMAC_CTX *ctx) {
-+ if (ctx != NULL) {
-+ _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
-+ free(ctx);
-+ }
-+}
-+#else
-+DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+static inline size_t
-+_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
-+ return _goboringcrypto_internal_EVP_MD_size(arg0->md);
-+}
-+#else
-+DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
-+# if OPENSSL_VERSION_NUMBER < 0x30000000L
-+static inline size_t
-+_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
-+ const EVP_MD* md;
-+ md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-+ return _goboringcrypto_internal_EVP_MD_size(md);
-+}
-+# else
-+DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
-+static inline size_t
-+_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
-+ const EVP_MD* md;
-+ md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-+ return _goboringcrypto_internal_EVP_MD_get_size(md);
-+}
-+# endif
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_init, (GO_HMAC_CTX * arg0), (arg0))
-+static inline GO_HMAC_CTX*
-+_goboringcrypto_HMAC_CTX_new(void) {
-+ GO_HMAC_CTX* ctx = malloc(sizeof(GO_HMAC_CTX));
-+ if (ctx != NULL)
-+ _goboringcrypto_internal_HMAC_CTX_init(ctx);
-+ return ctx;
-+}
-+#else
-+DEFINEFUNC(GO_HMAC_CTX*, HMAC_CTX_new, (void), ())
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+static inline int
-+_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
-+ _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
-+ _goboringcrypto_internal_HMAC_CTX_init(ctx);
-+ return 0;
-+}
-+#else
-+DEFINEFUNC(int, HMAC_CTX_reset, (GO_HMAC_CTX * arg0), (arg0))
-+#endif
-+
-+int _goboringcrypto_HMAC_CTX_copy_ex(GO_HMAC_CTX *dest, const GO_HMAC_CTX *src);
-+
-+#include <openssl/evp.h>
-+#include <openssl/aes.h>
-+
-+DEFINEFUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, (void), ())
-+DEFINEFUNC(int, EVP_CIPHER_CTX_set_padding, (EVP_CIPHER_CTX *x, int padding), (x, padding))
-+DEFINEFUNC(int, EVP_CipherInit_ex,
-+ (EVP_CIPHER_CTX * ctx, const EVP_CIPHER *type, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc),
-+ (ctx, type, impl, key, iv, enc))
-+DEFINEFUNC(int, EVP_CipherUpdate,
-+ (EVP_CIPHER_CTX * ctx, unsigned char *out, int *outl, const unsigned char *in, int inl),
-+ (ctx, out, outl, in, inl))
-+
-+void _goboringcrypto_EVP_AES_ctr128_enc(EVP_CIPHER_CTX *ctx, const uint8_t *in, uint8_t *out, size_t len);
-+
-+int _goboringcrypto_EVP_AES_encrypt(EVP_CIPHER_CTX *ctx, const uint8_t *in, size_t in_len, uint8_t *out);
-+
-+enum
-+{
-+ GO_AES_ENCRYPT = 1,
-+ GO_AES_DECRYPT = 0
-+};
-+void _goboringcrypto_EVP_AES_cbc_encrypt(EVP_CIPHER_CTX *ctx, const uint8_t *arg0, uint8_t *arg1, size_t arg2, const uint8_t *a, const int arg5);
-+DEFINEFUNC(void, AES_cbc_encrypt,
-+ (const unsigned char *in, unsigned char *out,
-+ size_t length, const AES_KEY *key,
-+ unsigned char *ivec, const int enc),
-+ (in, out, length, key, ivec, enc))
-+
-+void EVP_AES_cbc_enc(EVP_CIPHER_CTX *ctx, const uint8_t *in, uint8_t *out, size_t len);
-+
-+void EVP_AES_cbc_dec(EVP_CIPHER_CTX *ctx, const uint8_t *in, uint8_t *out, size_t len);
-+
-+typedef ENGINE GO_ENGINE;
-+
-+#include <openssl/bn.h>
-+
-+typedef BN_CTX GO_BN_CTX;
-+typedef BIGNUM GO_BIGNUM;
-+
-+DEFINEFUNC(GO_BIGNUM *, BN_new, (void), ())
-+DEFINEFUNC(void, BN_free, (GO_BIGNUM * arg0), (arg0))
-+DEFINEFUNC(void, BN_clear_free, (GO_BIGNUM * arg0), (arg0))
-+DEFINEFUNC(int, BN_set_word, (BIGNUM *a, BN_ULONG w), (a, w))
-+DEFINEFUNC(unsigned int, BN_num_bits, (const GO_BIGNUM *arg0), (arg0))
-+DEFINEFUNC(int, BN_is_negative, (const GO_BIGNUM *arg0), (arg0))
-+DEFINEFUNC(GO_BIGNUM *, BN_bin2bn, (const uint8_t *arg0, size_t arg1, GO_BIGNUM *arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(GO_BIGNUM *, BN_lebin2bn, (const unsigned char *s, size_t len, BIGNUM *ret), (s, len, ret))
-+DEFINEFUNC(int, BN_bn2lebinpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
-+
-+static inline unsigned int
-+_goboringcrypto_BN_num_bytes(const GO_BIGNUM* a) {
-+ return ((_goboringcrypto_BN_num_bits(a)+7)/8);
-+}
-+
-+#include <openssl/ec.h>
-+
-+typedef EC_GROUP GO_EC_GROUP;
-+
-+DEFINEFUNC(GO_EC_GROUP *, EC_GROUP_new_by_curve_name, (int arg0), (arg0))
-+DEFINEFUNC(void, EC_GROUP_free, (GO_EC_GROUP * arg0), (arg0))
-+
-+typedef EC_POINT GO_EC_POINT;
-+
-+DEFINEFUNC(GO_EC_POINT *, EC_POINT_new, (const GO_EC_GROUP *arg0), (arg0))
-+DEFINEFUNC(void, EC_POINT_free, (GO_EC_POINT * arg0), (arg0))
-+DEFINEFUNC(int, EC_POINT_get_affine_coordinates_GFp,
-+ (const GO_EC_GROUP *arg0, const GO_EC_POINT *arg1, GO_BIGNUM *arg2, GO_BIGNUM *arg3, GO_BN_CTX *arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+DEFINEFUNC(int, EC_POINT_set_affine_coordinates_GFp,
-+ (const GO_EC_GROUP *arg0, GO_EC_POINT *arg1, const GO_BIGNUM *arg2, const GO_BIGNUM *arg3, GO_BN_CTX *arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+
-+typedef EC_KEY GO_EC_KEY;
-+
-+DEFINEFUNC(GO_EC_KEY *, EC_KEY_new, (void), ())
-+DEFINEFUNC(GO_EC_KEY *, EC_KEY_new_by_curve_name, (int arg0), (arg0))
-+DEFINEFUNC(int, EC_KEY_oct2key, (GO_EC_KEY *arg0, const unsigned char *arg1, size_t arg2, BN_CTX *arg3), (arg0, arg1, arg2, arg3))
-+DEFINEFUNC(void, EC_KEY_free, (GO_EC_KEY * arg0), (arg0))
-+DEFINEFUNC(const GO_EC_GROUP *, EC_KEY_get0_group, (const GO_EC_KEY *arg0), (arg0))
-+DEFINEFUNC(int, EC_KEY_set_group, (GO_EC_KEY *arg0, const EC_GROUP *arg1), (arg0, arg1))
-+DEFINEFUNC(int, EC_KEY_generate_key, (GO_EC_KEY * arg0), (arg0))
-+DEFINEFUNC(int, EC_KEY_set_private_key, (GO_EC_KEY * arg0, const GO_BIGNUM *arg1), (arg0, arg1))
-+DEFINEFUNC(int, EC_KEY_set_public_key, (GO_EC_KEY * arg0, const GO_EC_POINT *arg1), (arg0, arg1))
-+DEFINEFUNC(const GO_BIGNUM *, EC_KEY_get0_private_key, (const GO_EC_KEY *arg0), (arg0))
-+DEFINEFUNC(const GO_EC_POINT *, EC_KEY_get0_public_key, (const GO_EC_KEY *arg0), (arg0))
-+
-+// TODO: EC_KEY_check_fips?
-+
-+#include <openssl/ecdsa.h>
-+
-+typedef ECDSA_SIG GO_ECDSA_SIG;
-+
-+DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_SIG_new, (void), ())
-+DEFINEFUNC(void, ECDSA_SIG_free, (GO_ECDSA_SIG * arg0), (arg0))
-+DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_do_sign, (const uint8_t *arg0, size_t arg1, const GO_EC_KEY *arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, const GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
-+DEFINEFUNC(size_t, ECDSA_size, (const GO_EC_KEY *arg0), (arg0))
-+
-+DEFINEFUNCINTERNAL(int, ECDSA_sign,
-+ (int type, const unsigned char *dgst, size_t dgstlen, unsigned char *sig, unsigned int *siglen, EC_KEY *eckey),
-+ (type, dgst, dgstlen, sig, siglen, eckey))
-+
-+DEFINEFUNCINTERNAL(int, ECDSA_verify,
-+ (int type, const unsigned char *dgst, size_t dgstlen, const unsigned char *sig, unsigned int siglen, EC_KEY *eckey),
-+ (type, dgst, dgstlen, sig, siglen, eckey))
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
-+#else
-+DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_new, (void), ())
-+static inline EVP_MD_CTX* _goboringcrypto_EVP_MD_CTX_create(void) {
-+ return _goboringcrypto_internal_EVP_MD_CTX_new();
-+}
-+#endif
-+
-+DEFINEFUNCINTERNAL(int, EVP_PKEY_assign,
-+ (EVP_PKEY *pkey, int type, void *eckey),
-+ (pkey, type, eckey))
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, GO_EC_KEY *eckey) {
-+ return _goboringcrypto_internal_EVP_PKEY_assign(pkey, EVP_PKEY_EC, (char *)(eckey));
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *rsa) {
-+ return _goboringcrypto_internal_EVP_PKEY_assign(pkey, EVP_PKEY_RSA, (char *)(rsa));
-+}
-+
-+DEFINEFUNC(int, EVP_DigestSignInit,
-+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
-+ (ctx, pctx, type, e, pkey))
-+
-+DEFINEFUNC(int, EVP_DigestUpdate,
-+ (EVP_MD_CTX* ctx, const void *d, size_t cnt),
-+ (ctx, d, cnt))
-+DEFINEFUNC(int, EVP_DigestSignFinal,
-+ (EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
-+ (ctx, sig, siglen))
-+
-+DEFINEFUNC(int, EVP_DigestVerifyInit,
-+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
-+ (ctx, pctx, type, e, pkey))
-+DEFINEFUNC(int, EVP_DigestVerifyFinal,
-+ (EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
-+ (ctx, sig, siglen))
-+
-+typedef RSA GO_RSA;
-+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
-+int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-+ size_t msgLen, uint8_t *sig, size_t *slen,
-+ GO_RSA *key);
-+
-+int _goboringcrypto_EVP_verify(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, EVP_PKEY *key);
-+int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-+ const uint8_t *sig, unsigned int slen,
-+ GO_RSA *key);
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
-+static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
-+ return _goboringcrypto_internal_EVP_MD_CTX_destroy(ctx);
-+}
-+#else
-+DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
-+#endif
-+
-+int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
-+int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
-+
-+#include <openssl/rsa.h>
-+
-+// Note: order of struct fields here is unchecked.
-+typedef BN_GENCB GO_BN_GENCB;
-+
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
-+int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
-+
-+DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
-+DEFINEFUNC(void, RSA_free, (GO_RSA * arg0), (arg0))
-+DEFINEFUNC(int, RSA_private_encrypt,
-+ (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-+ (flen, from, to, rsa, padding))
-+DEFINEFUNC(int, RSA_public_decrypt,
-+ (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-+ (flen, from, to, rsa, padding))
-+DEFINEFUNC(int, RSA_sign,
-+ (int arg0, const uint8_t *arg1, unsigned int arg2, uint8_t *arg3, unsigned int *arg4, GO_RSA *arg5),
-+ (arg0, arg1, arg2, arg3, arg4, arg5))
-+DEFINEFUNC(int, RSA_verify,
-+ (int arg0, const uint8_t *arg1, unsigned int arg2, const uint8_t *arg3, unsigned int arg4, GO_RSA *arg5),
-+ (arg0, arg1, arg2, arg3, arg4, arg5))
-+DEFINEFUNC(int, RSA_generate_key_ex,
-+ (GO_RSA * arg0, int arg1, GO_BIGNUM *arg2, GO_BN_GENCB *arg3),
-+ (arg0, arg1, arg2, arg3))
-+
-+DEFINEFUNCINTERNAL(int, RSA_set0_factors,
-+ (GO_RSA * rsa, GO_BIGNUM *p, GO_BIGNUM *q),
-+ (rsa, p, q))
-+
-+static inline int
-+_goboringcrypto_RSA_set0_factors(GO_RSA * r, GO_BIGNUM *p, GO_BIGNUM *q) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ /* If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->p == NULL && p == NULL)
-+ || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ _goboringcrypto_BN_clear_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ _goboringcrypto_BN_clear_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+#else
-+ return _goboringcrypto_internal_RSA_set0_factors(r, p, q);
-+#endif
-+}
-+
-+DEFINEFUNCINTERNAL(int, RSA_set0_crt_params,
-+ (GO_RSA * rsa, GO_BIGNUM *dmp1, GO_BIGNUM *dmp2, GO_BIGNUM *iqmp),
-+ (rsa, dmp1, dmp2, iqmp))
-+
-+static inline int
-+_goboringcrypto_RSA_set0_crt_params(GO_RSA * r, GO_BIGNUM *dmp1, GO_BIGNUM *dmq1, GO_BIGNUM *iqmp) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL)
-+ || (r->dmq1 == NULL && dmq1 == NULL)
-+ || (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ _goboringcrypto_BN_clear_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ _goboringcrypto_BN_clear_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ _goboringcrypto_BN_clear_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+#else
-+ return _goboringcrypto_internal_RSA_set0_crt_params(r, dmp1, dmq1, iqmp);
-+#endif
-+}
-+
-+DEFINEFUNCINTERNAL(void, RSA_get0_crt_params,
-+ (const GO_RSA *r, const GO_BIGNUM **dmp1, const GO_BIGNUM **dmq1, const GO_BIGNUM **iqmp),
-+ (r, dmp1, dmq1, iqmp))
-+static inline void
-+_goboringcrypto_RSA_get0_crt_params(const GO_RSA *r, const GO_BIGNUM **dmp1, const GO_BIGNUM **dmq1, const GO_BIGNUM **iqmp) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+#else
-+ _goboringcrypto_internal_RSA_get0_crt_params(r, dmp1, dmq1, iqmp);
-+#endif
-+}
-+
-+
-+DEFINEFUNCINTERNAL(int, RSA_set0_key,
-+ (GO_RSA * r, GO_BIGNUM *n, GO_BIGNUM *e, GO_BIGNUM *d),
-+ (r, n, e, d))
-+static inline int
-+_goboringcrypto_RSA_set0_key(GO_RSA * r, GO_BIGNUM *n, GO_BIGNUM *e, GO_BIGNUM *d) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ /* If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL)
-+ || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ _goboringcrypto_BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ _goboringcrypto_BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ _goboringcrypto_BN_clear_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+#else
-+ return _goboringcrypto_internal_RSA_set0_key(r, n, e, d);
-+#endif
-+}
-+
-+DEFINEFUNCINTERNAL(void, RSA_get0_factors,
-+ (const GO_RSA *rsa, const GO_BIGNUM **p, const GO_BIGNUM **q),
-+ (rsa, p, q))
-+static inline void
-+_goboringcrypto_RSA_get0_factors(const GO_RSA *rsa, const GO_BIGNUM **p, const GO_BIGNUM **q) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ if (p)
-+ *p = rsa->p;
-+ if (q)
-+ *q = rsa->q;
-+#else
-+ _goboringcrypto_internal_RSA_get0_factors(rsa, p, q);
-+#endif
-+}
-+
-+DEFINEFUNCINTERNAL(void, RSA_get0_key,
-+ (const GO_RSA *rsa, const GO_BIGNUM **n, const GO_BIGNUM **e, const GO_BIGNUM **d),
-+ (rsa, n, e, d))
-+static inline void
-+_goboringcrypto_RSA_get0_key(const GO_RSA *rsa, const GO_BIGNUM **n, const GO_BIGNUM **e, const GO_BIGNUM **d) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ if (n)
-+ *n = rsa->n;
-+ if (e)
-+ *e = rsa->e;
-+ if (d)
-+ *d = rsa->d;
-+#else
-+ _goboringcrypto_internal_RSA_get0_key(rsa, n, e, d);
-+#endif
-+}
-+
-+int _goboringcrypto_RSA_generate_key_fips(GO_RSA *, int, GO_BN_GENCB *);
-+enum
-+{
-+ GO_RSA_PKCS1_PADDING = 1,
-+ GO_RSA_NO_PADDING = 3,
-+ GO_RSA_PKCS1_OAEP_PADDING = 4,
-+ GO_RSA_PKCS1_PSS_PADDING = 6,
-+};
-+
-+int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *, unsigned int *out_len, uint8_t *out, unsigned int max_out, const uint8_t *in, unsigned int in_len, GO_EVP_MD *md, const GO_EVP_MD *mgf1_md, int salt_len);
-+
-+int _goboringcrypto_RSA_verify_pss_mgf1(GO_RSA *, const uint8_t *msg, unsigned int msg_len, GO_EVP_MD *md, const GO_EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, unsigned int sig_len);
-+
-+DEFINEFUNC(unsigned int, RSA_size, (const GO_RSA *arg0), (arg0))
-+DEFINEFUNC(int, RSA_check_key, (const GO_RSA *arg0), (arg0))
-+
-+DEFINEFUNC(int, EVP_EncryptInit_ex,
-+ (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, const unsigned char *key, const unsigned char *iv),
-+ (ctx, type, impl, key, iv))
-+DEFINEFUNC(int, EVP_EncryptUpdate,
-+ (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl),
-+ (ctx, out, outl, in, inl))
-+DEFINEFUNC(int, EVP_EncryptFinal_ex,
-+ (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl),
-+ (ctx, out, outl))
-+
-+DEFINEFUNC(int, EVP_DecryptInit_ex,
-+ (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, const unsigned char *key, const unsigned char *iv),
-+ (ctx, type, impl, key, iv))
-+DEFINEFUNC(int, EVP_DecryptUpdate,
-+ (EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl),
-+ (ctx, out, outl, in, inl))
-+DEFINEFUNC(int, EVP_DecryptFinal_ex,
-+ (EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl),
-+ (ctx, outm, outl))
-+
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_128_gcm, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_128_cbc, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_128_ctr, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_128_ecb, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_192_cbc, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_192_ctr, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_192_ecb, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_192_gcm, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_256_cbc, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_256_ctr, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_256_ecb, (void), ())
-+DEFINEFUNC(const EVP_CIPHER*, EVP_aes_256_gcm, (void), ())
-+
-+DEFINEFUNC(void, EVP_CIPHER_CTX_free, (EVP_CIPHER_CTX* arg0), (arg0))
-+DEFINEFUNC(int, EVP_CIPHER_CTX_ctrl, (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr), (ctx, type, arg, ptr))
-+
-+int _goboringcrypto_EVP_CIPHER_CTX_seal(
-+ uint8_t *out, uint8_t *nonce,
-+ uint8_t *aad, size_t aad_len,
-+ uint8_t *plaintext, size_t plaintext_len,
-+ size_t *ciphertext_len, uint8_t *key, int key_size);
-+
-+int _goboringcrypto_EVP_CIPHER_CTX_open(
-+ uint8_t *ciphertext, int ciphertext_len,
-+ uint8_t *aad, int aad_len,
-+ uint8_t *tag, uint8_t *key, int key_size,
-+ uint8_t *nonce, int nonce_len,
-+ uint8_t *plaintext, size_t *plaintext_len);
-+
-+typedef EVP_PKEY GO_EVP_PKEY;
-+
-+DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
-+DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
-+DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
-+DEFINEFUNC(int, EVP_PKEY_verify,
-+ (EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
-+ (ctx, sig, siglen, tbs, tbslen))
-+
-+typedef EVP_PKEY_CTX GO_EVP_PKEY_CTX;
-+
-+DEFINEFUNC(GO_EVP_PKEY_CTX *, EVP_PKEY_CTX_new, (GO_EVP_PKEY * arg0, ENGINE *arg1), (arg0, arg1))
-+DEFINEFUNC(GO_EVP_PKEY_CTX *, EVP_PKEY_CTX_new_id, (int arg0, ENGINE *arg1), (arg0, arg1))
-+DEFINEFUNC(void, EVP_PKEY_CTX_free, (GO_EVP_PKEY_CTX * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_CTX_ctrl,
-+ (EVP_PKEY_CTX * ctx, int keytype, int optype, int cmd, int p1, void *p2),
-+ (ctx, keytype, optype, cmd, p1, p2))
-+DEFINEFUNCINTERNAL(int, RSA_pkey_ctx_ctrl,
-+ (EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2),
-+ (ctx, optype, cmd, p1, p2))
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(GO_EVP_PKEY_CTX* ctx, int pad) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL);
-+#else
-+ return _goboringcrypto_internal_RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL);
-+#endif
-+}
-+
-+#if OPENSSL_VERSION_NUMBER < 0x30000000
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)l);
-+}
-+#else
-+DEFINEFUNC(int, EVP_PKEY_CTX_set0_rsa_oaep_label,
-+ (GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen),
-+ (ctx, l, llen))
-+#endif
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(GO_EVP_PKEY_CTX *ctx, const GO_EVP_MD *md)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(GO_EVP_PKEY_CTX * arg0, int arg1) {
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(arg0, EVP_PKEY_RSA,
-+ (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY),
-+ EVP_PKEY_CTRL_RSA_PSS_SALTLEN,
-+ arg1, NULL);
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md);
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP_MD *md) {
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
-+ EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,
-+ EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);
-+}
-+
-+DEFINEFUNC(int, EVP_PKEY_decrypt,
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+DEFINEFUNC(int, EVP_PKEY_encrypt,
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_sign_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_verify_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_sign,
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
-+ (arg0, arg1, arg2, arg3, arg4))
-+
-+DEFINEFUNC(int, EVP_PKEY_derive_init, (GO_EVP_PKEY_CTX *arg0), (arg0))
-+DEFINEFUNC(int, EVP_PKEY_derive, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, size_t *arg2), (arg0, arg1, arg2))
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+DEFINEFUNC(int, EVP_PKEY_derive_set_peer_ex, (GO_EVP_PKEY_CTX *arg0, GO_EVP_PKEY *arg1, int arg2), (arg0, arg1, arg2))
-+#else
-+DEFINEFUNC(int, EVP_PKEY_derive_set_peer, (GO_EVP_PKEY_CTX *arg0, GO_EVP_PKEY *arg1), (arg0, arg1))
-+
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+DEFINEFUNC(int, EVP_PKEY_public_check, (EVP_PKEY_CTX *arg0), (arg0))
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_derive_set_peer_ex(GO_EVP_PKEY_CTX *ctx, GO_EVP_PKEY *key, int validate)
-+{
-+ EVP_PKEY_CTX *check_ctx = _goboringcrypto_EVP_PKEY_CTX_new(key, NULL);
-+ if (check_ctx == NULL) {
-+ return -1;
-+ }
-+ int ok = _goboringcrypto_EVP_PKEY_public_check(check_ctx);
-+ _goboringcrypto_EVP_PKEY_CTX_free(check_ctx);
-+ if (ok != 1) {
-+ return -1;
-+ }
-+ return _goboringcrypto_EVP_PKEY_derive_set_peer(ctx, key);
-+}
-+# else
-+static inline int
-+_goboringcrypto_EVP_PKEY_derive_set_peer_ex(GO_EVP_PKEY_CTX *ctx, GO_EVP_PKEY *key, int validate)
-+{
-+ /* No way to validate public key in OpenSSL 1.0.2 */
-+ (void)validate;
-+ return _goboringcrypto_EVP_PKEY_derive_set_peer(ctx, key);
-+}
-+# endif
-+#endif
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#include <openssl/kdf.h>
-+
-+enum {
-+ GO_EVP_PKEY_HKDF = EVP_PKEY_HKDF,
-+};
-+
-+enum {
-+ GO_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY,
-+ GO_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY,
-+};
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000
-+DEFINEFUNC(int, EVP_PKEY_CTX_set_hkdf_mode, (GO_EVP_PKEY_CTX *arg0, int arg1), (arg0, arg1))
-+DEFINEFUNC(int, EVP_PKEY_CTX_set_hkdf_md, (GO_EVP_PKEY_CTX *arg0, const GO_EVP_MD *arg1), (arg0, arg1))
-+DEFINEFUNC(int, EVP_PKEY_CTX_set1_hkdf_salt, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, EVP_PKEY_CTX_set1_hkdf_key, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
-+DEFINEFUNC(int, EVP_PKEY_CTX_add1_hkdf_info, (GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2), (arg0, arg1, arg2))
-+#else
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_hkdf_mode(GO_EVP_PKEY_CTX *pctx, int mode)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
-+ EVP_PKEY_CTRL_HKDF_MODE, mode, NULL);
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_hkdf_md(GO_EVP_PKEY_CTX *pctx, const GO_EVP_MD *md)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
-+ EVP_PKEY_CTRL_HKDF_MD, 0, (void *)(md));
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_salt(GO_EVP_PKEY_CTX *pctx, unsigned char *salt, int saltlen)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
-+ EVP_PKEY_CTRL_HKDF_SALT, saltlen, (void *)(salt));
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(GO_EVP_PKEY_CTX *pctx, unsigned char *key, int keylen)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
-+ EVP_PKEY_CTRL_HKDF_KEY, keylen, (void *)(key));
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_add1_hkdf_info(GO_EVP_PKEY_CTX *pctx, unsigned char *info, int infolen)
-+{
-+ return _goboringcrypto_EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE,
-+ EVP_PKEY_CTRL_HKDF_INFO, infolen, (void *)(info));
-+}
-+#endif
-+
-+
-+#else
-+
-+/* As HKDF is not supported in earlier OpenSSL versions than 1.1.1 and
-+ * fallback implementation cannot be provided in a FIPS compliant
-+ * manner, we only provide stub definitions of the above symbols. At
-+ * run-time, HKDF operations in hkdf.go (see newHKDF) will return an
-+ * error depending on the OpenSSL version.
-+ */
-+
-+enum {
-+ GO_EVP_PKEY_HKDF,
-+};
-+
-+enum {
-+ GO_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY,
-+ GO_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY,
-+};
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_hkdf_mode(GO_EVP_PKEY_CTX *arg0, int arg1)
-+{
-+ return -1;
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set_hkdf_md(GO_EVP_PKEY_CTX *arg0, const GO_EVP_MD *arg1)
-+{
-+ return -1;
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_salt(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
-+{
-+ return -1;
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
-+{
-+ return -1;
-+}
-+
-+static inline int
-+_goboringcrypto_EVP_PKEY_CTX_add1_hkdf_info(GO_EVP_PKEY_CTX *arg0, unsigned char *arg1, int arg2)
-+{
-+ return -1;
-+}
-+#endif
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
-new file mode 100644
-index 0000000..4328a5c
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
-@@ -0,0 +1,104 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+package openssl
-+
-+// #include "goopenssl.h"
-+import "C"
-+import (
-+ "hash"
-+ "io"
-+ "runtime"
-+)
-+
-+type hkdf struct {
-+ ctx *C.GO_EVP_PKEY_CTX
-+}
-+
-+func newHKDF(h func() hash.Hash, mode C.int) (*hkdf, error) {
-+ if openSSLVersion() < OPENSSL_VERSION_1_1_1 {
-+ return nil, NewOpenSSLError("HKDF is not supported")
-+ }
-+
-+ ch := h()
-+ md := hashToMD(ch)
-+ if md == nil {
-+ return nil, NewOpenSSLError("Unknown hash algorithm")
-+ }
-+
-+ ctx := C._goboringcrypto_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_HKDF, nil)
-+ if ctx == nil {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_new_id failed")
-+ }
-+ c := &hkdf{ctx: ctx}
-+ runtime.SetFinalizer(c, (*hkdf).finalize)
-+ defer runtime.KeepAlive(c)
-+
-+ if C._goboringcrypto_EVP_PKEY_derive_init(ctx) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_init failed")
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_set_hkdf_mode(ctx, mode) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_set_hkdf_mode failed")
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_set_hkdf_md(ctx, md) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_set_hkdf_md failed")
-+ }
-+
-+ return c, nil
-+}
-+
-+func (c *hkdf) finalize() {
-+ if c.ctx != nil {
-+ C._goboringcrypto_EVP_PKEY_CTX_free(c.ctx)
-+ }
-+}
-+
-+func (c *hkdf) Read(p []byte) (int, error) {
-+ defer runtime.KeepAlive(c)
-+
-+ outLen := C.size_t(len(p))
-+ if C._goboringcrypto_EVP_PKEY_derive(c.ctx, base(p), &outLen) != 1 {
-+ return 0, NewOpenSSLError("EVP_PKEY_derive failed")
-+ }
-+ return int(outLen), nil
-+}
-+
-+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
-+ c, err := newHKDF(h, C.GO_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)
-+ if err != nil {
-+ return nil, err
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(c.ctx, base(secret), C.int(len(secret))) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key failed")
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_set1_hkdf_salt(c.ctx, base(salt), C.int(len(salt))) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_set1_hkdf_salt failed")
-+ }
-+ var outLen C.size_t
-+ if C._goboringcrypto_EVP_PKEY_derive(c.ctx, nil, &outLen) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive_init failed")
-+ }
-+ out := make([]byte, outLen)
-+ if C._goboringcrypto_EVP_PKEY_derive(c.ctx, base(out), &outLen) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_derive failed")
-+ }
-+ return out[:outLen], nil
-+}
-+
-+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
-+ c, err := newHKDF(h, C.GO_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)
-+ if err != nil {
-+ return nil, err
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_set1_hkdf_key(c.ctx, base(pseudorandomKey), C.int(len(pseudorandomKey))) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key failed")
-+ }
-+ if C._goboringcrypto_EVP_PKEY_CTX_add1_hkdf_info(c.ctx, base(info), C.int(len(info))) != 1 {
-+ return nil, NewOpenSSLError("EVP_PKEY_CTX_add1_hkdf_info failed")
-+ }
-+ return c, nil
-+}
-diff --git a/src/crypto/internal/boring/hmac.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
-similarity index 69%
-rename from src/crypto/internal/boring/hmac.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
-index c36fe6b..6f00177 100644
---- a/src/crypto/internal/boring/hmac.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
-@@ -2,12 +2,12 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-
--package boring
-+package openssl
-
--// #include "goboringcrypto.h"
-+// #include "goopenssl.h"
- import "C"
- import (
- "crypto"
-@@ -67,14 +67,25 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash {
- return nil
- }
-
-- // Note: Could hash down long keys here using EVP_Digest.
-- hkey := make([]byte, len(key))
-- copy(hkey, key)
-+ var hkey []byte
-+ if key != nil && len(key) > 0 {
-+ // Note: Could hash down long keys here using EVP_Digest.
-+ hkey = make([]byte, len(key))
-+ copy(hkey, key)
-+ } else {
-+ // This is supported in BoringSSL/Standard lib and as such
-+ // we must support it here. When using HMAC with a null key
-+ // HMAC_Init will try and reuse the key from the ctx. This is
-+ // not the bahavior previously implemented, so as a workaround
-+ // we pass an "empty" key.
-+ hkey = make([]byte, C.EVP_MAX_MD_SIZE)
-+ }
- hmac := &boringHMAC{
- md: md,
- size: ch.Size(),
- blockSize: ch.BlockSize(),
- key: hkey,
-+ ctx: C._goboringcrypto_HMAC_CTX_new(),
- }
- hmac.Reset()
- return hmac
-@@ -82,8 +93,8 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash {
-
- type boringHMAC struct {
- md *C.GO_EVP_MD
-- ctx C.GO_HMAC_CTX
-- ctx2 C.GO_HMAC_CTX
-+ ctx *C.GO_HMAC_CTX
-+ ctx2 *C.GO_HMAC_CTX
- size int
- blockSize int
- key []byte
-@@ -92,9 +103,7 @@ type boringHMAC struct {
- }
-
- func (h *boringHMAC) Reset() {
-- if h.needCleanup {
-- C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx)
-- } else {
-+ if !h.needCleanup {
- h.needCleanup = true
- // Note: Because of the finalizer, any time h.ctx is passed to cgo,
- // that call must be followed by a call to runtime.KeepAlive(h),
-@@ -102,13 +111,13 @@ func (h *boringHMAC) Reset() {
- // call returns.
- runtime.SetFinalizer(h, (*boringHMAC).finalize)
- }
-- C._goboringcrypto_HMAC_CTX_init(&h.ctx)
-+ C._goboringcrypto_HMAC_CTX_reset(h.ctx)
-
-- if C._goboringcrypto_HMAC_Init(&h.ctx, unsafe.Pointer(base(h.key)), C.int(len(h.key)), h.md) == 0 {
-+ if C._goboringcrypto_HMAC_Init_ex(h.ctx, unsafe.Pointer(base(h.key)), C.int(len(h.key)), h.md, nil) == 0 {
- panic("boringcrypto: HMAC_Init failed")
- }
-- if int(C._goboringcrypto_HMAC_size(&h.ctx)) != h.size {
-- println("boringcrypto: HMAC size:", C._goboringcrypto_HMAC_size(&h.ctx), "!=", h.size)
-+ if int(C._goboringcrypto_HMAC_size(h.ctx)) != h.size {
-+ println("boringcrypto: HMAC size:", C._goboringcrypto_HMAC_size(h.ctx), "!=", h.size)
- panic("boringcrypto: HMAC size mismatch")
- }
- runtime.KeepAlive(h) // Next line will keep h alive too; just making doubly sure.
-@@ -116,12 +125,12 @@ func (h *boringHMAC) Reset() {
- }
-
- func (h *boringHMAC) finalize() {
-- C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx)
-+ C._goboringcrypto_HMAC_CTX_free(h.ctx)
- }
-
- func (h *boringHMAC) Write(p []byte) (int, error) {
- if len(p) > 0 {
-- C._goboringcrypto_HMAC_Update(&h.ctx, (*C.uint8_t)(unsafe.Pointer(&p[0])), C.size_t(len(p)))
-+ C._goboringcrypto_HMAC_Update(h.ctx, (*C.uint8_t)(unsafe.Pointer(&p[0])), C.size_t(len(p)))
- }
- runtime.KeepAlive(h)
- return len(p), nil
-@@ -144,11 +153,11 @@ func (h *boringHMAC) Sum(in []byte) []byte {
- // that Sum has no effect on the underlying stream.
- // In particular it is OK to Sum, then Write more, then Sum again,
- // and the second Sum acts as if the first didn't happen.
-- C._goboringcrypto_HMAC_CTX_init(&h.ctx2)
-- if C._goboringcrypto_HMAC_CTX_copy_ex(&h.ctx2, &h.ctx) == 0 {
-+ h.ctx2 = C._goboringcrypto_HMAC_CTX_new()
-+ if C._goboringcrypto_HMAC_CTX_copy_ex(h.ctx2, h.ctx) == 0 {
- panic("boringcrypto: HMAC_CTX_copy_ex failed")
- }
-- C._goboringcrypto_HMAC_Final(&h.ctx2, (*C.uint8_t)(unsafe.Pointer(&h.sum[0])), nil)
-- C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx2)
-+ C._goboringcrypto_HMAC_Final(h.ctx2, (*C.uint8_t)(unsafe.Pointer(&h.sum[0])), nil)
-+ C._goboringcrypto_HMAC_CTX_free(h.ctx2)
- return append(in, h.sum...)
- }
-diff --git a/src/crypto/internal/boring/notboring.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
-similarity index 69%
-rename from src/crypto/internal/boring/notboring.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
-index 53096a6..4a45e95 100644
---- a/src/crypto/internal/boring/notboring.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
-@@ -2,33 +2,34 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !boringcrypto || !linux || !amd64 || !cgo || android || cmd_go_bootstrap || msan
--// +build !boringcrypto !linux !amd64 !cgo android cmd_go_bootstrap msan
-+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
-+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
-
--package boring
-+package openssl
-
- import (
- "crypto"
- "crypto/cipher"
-- "crypto/internal/boring/sig"
- "hash"
-+ "io"
- )
-
--const available = false
-+var enabled = false
-
- // Unreachable marks code that should be unreachable
- // when BoringCrypto is in use. It is a no-op without BoringCrypto.
- func Unreachable() {
-- // Code that's unreachable when using BoringCrypto
-- // is exactly the code we want to detect for reporting
-- // standard Go crypto.
-- sig.StandardCrypto()
- }
-
- // UnreachableExceptTests marks code that should be unreachable
- // when BoringCrypto is in use. It is a no-op without BoringCrypto.
- func UnreachableExceptTests() {}
-
-+func ExecutingTest() bool { return false }
-+
-+// This is a noop withotu BoringCrytpo.
-+func PanicIfStrictFIPS(v interface{}) {}
-+
- type randReader int
-
- func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
-@@ -41,16 +42,9 @@ func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
- func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
- func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
-
--func SHA1([]byte) [20]byte { panic("boringcrypto: not available") }
--func SHA224([]byte) [28]byte { panic("boringcrypto: not available") }
--func SHA256([]byte) [32]byte { panic("boringcrypto: not available") }
--func SHA384([]byte) [48]byte { panic("boringcrypto: not available") }
--func SHA512([]byte) [64]byte { panic("boringcrypto: not available") }
--
- func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
-
- func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
--func NewGCMTLS(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") }
-
- type PublicKeyECDSA struct{ _ int }
- type PrivateKeyECDSA struct{ _ int }
-@@ -64,10 +58,29 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)
- func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
- panic("boringcrypto: not available")
- }
--func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
-+func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s BigInt, err error) {
- panic("boringcrypto: not available")
- }
--func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
-+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, r, s BigInt, h crypto.Hash) bool {
-+ panic("boringcrypto: not available")
-+}
-+
-+type PublicKeyECDH struct{ _ int }
-+type PrivateKeyECDH struct{ _ int }
-+
-+func GenerateKeyECDH(curve string) (X, Y, D BigInt, err error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyECDH(curve string, X, Y, D BigInt) (*PrivateKeyECDH, error) {
-+ panic("boringcrypto: not available")
-+}
-+func NewPublicKeyECDH(curve string, X, Y BigInt) (*PublicKeyECDH, error) {
-+ panic("boringcrypto: not available")
-+}
-+func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
- panic("boringcrypto: not available")
- }
-
-@@ -99,15 +112,23 @@ func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error
- panic("boringcrypto: not available")
- }
- func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
--func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
-+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
- panic("boringcrypto: not available")
- }
- func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
- panic("boringcrypto: not available")
- }
--func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
-+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
- panic("boringcrypto: not available")
- }
- func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
- panic("boringcrypto: not available")
- }
-+
-+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
-+ panic("boringcrypto: not available")
-+}
-+
-+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
-+ panic("boringcrypto: not available")
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
-new file mode 100644
-index 0000000..86d7c6c
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
-@@ -0,0 +1,248 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+package openssl
-+
-+/*
-+#cgo LDFLAGS: -ldl
-+
-+#include "goopenssl.h"
-+*/
-+import "C"
-+import (
-+ "errors"
-+ "fmt"
-+ "math/bits"
-+ "os"
-+ "runtime"
-+ "unsafe"
-+)
-+
-+const (
-+ fipsOn = C.int(1)
-+ fipsOff = C.int(0)
-+)
-+
-+const GoStrictFipsEnv = "GOLANG_STRICT_FIPS"
-+
-+const (
-+ OPENSSL_VERSION_1_1_0 = uint64(C.ulong(0x10100000))
-+ OPENSSL_VERSION_1_1_1 = uint64(C.ulong(0x10101000))
-+ OPENSSL_VERSION_3_0_0 = uint64(C.ulong(0x30000000))
-+)
-+
-+// Enabled controls whether FIPS crypto is enabled.
-+var enabled = false
-+
-+// When this variable is true, the go crypto API will panic when a caller
-+// tries to use the API in a non-compliant manner. When this is false, the
-+// go crypto API will allow existing go crypto APIs to be used even
-+// if they aren't FIPS compliant. However, all the underlying crypto operations
-+// will still be done by OpenSSL.
-+var strictFIPS = false
-+
-+func init() {
-+ runtime.LockOSThread()
-+ defer runtime.UnlockOSThread()
-+
-+ // Check if we can `dlopen` OpenSSL
-+ if C._goboringcrypto_DLOPEN_OPENSSL() == C.NULL {
-+ return
-+ }
-+
-+ // Initialize the OpenSSL library.
-+ C._goboringcrypto_OPENSSL_setup()
-+
-+ // Check to see if the system is running in FIPS mode, if so
-+ // enable "boring" mode to call into OpenSSL for FIPS compliance.
-+ if fipsModeEnabled() {
-+ enableBoringFIPSMode()
-+ }
-+}
-+
-+func openSSLVersion() uint64 {
-+ return uint64(C._goboringcrypto_internal_OPENSSL_VERSION_NUMBER())
-+}
-+
-+func enableBoringFIPSMode() {
-+ enabled = true
-+
-+ if os.Getenv(GoStrictFipsEnv) == "1" {
-+ strictFIPS = true
-+ }
-+
-+ if C._goboringcrypto_OPENSSL_thread_setup() != 1 {
-+ panic("boringcrypto: OpenSSL thread setup failed")
-+ }
-+}
-+
-+func fipsModeEnabled() bool {
-+ // Due to the way providers work in openssl 3, the FIPS methods are not
-+ // necessarily going to be available for us to load based on the GOLANG_FIPS
-+ // environment variable alone. For now, we must rely on the config to tell
-+ // us if the provider is configured and active.
-+ fipsConfigured := C._goboringcrypto_FIPS_mode() == fipsOn
-+ openSSLVersion := openSSLVersion()
-+ if openSSLVersion >= OPENSSL_VERSION_3_0_0 {
-+ if !fipsConfigured && os.Getenv("GOLANG_FIPS") == "1" {
-+ panic("GOLANG_FIPS=1 specified but OpenSSL FIPS provider is not configured")
-+ }
-+ return fipsConfigured
-+
-+ } else {
-+ return os.Getenv("GOLANG_FIPS") == "1" || fipsConfigured
-+ }
-+}
-+
-+var randstub bool
-+
-+func RandStubbed() bool {
-+ return randstub
-+}
-+
-+func StubOpenSSLRand() {
-+ if !randstub {
-+ randstub = true
-+ C._goboringcrypto_stub_openssl_rand()
-+ }
-+}
-+
-+func RestoreOpenSSLRand() {
-+ if randstub {
-+ randstub = false
-+ C._goboringcrypto_restore_openssl_rand()
-+ }
-+}
-+
-+func hasSuffix(s, t string) bool {
-+ return len(s) > len(t) && s[len(s)-len(t):] == t
-+}
-+
-+func PanicIfStrictFIPS(msg string) {
-+ if IsStrictFips() {
-+ panic(msg)
-+ }
-+}
-+
-+func IsStrictFips() bool {
-+ return os.Getenv(GoStrictFipsEnv) == "1" || strictFIPS
-+}
-+
-+func NewOpenSSLError(msg string) error {
-+ var e C.ulong
-+ message := fmt.Sprintf("\n%v\nopenssl error(s):", msg)
-+ for {
-+ var buf [256]C.char
-+ var file, fnc, data *C.char
-+ var line, flags C.int
-+ e = C._goboringcrypto_internal_ERR_get_error_all(&file, &line, &fnc, &data, &flags)
-+ if e == 0 {
-+ break
-+ }
-+
-+ C._goboringcrypto_internal_ERR_error_string_n(e, (*C.uchar)(unsafe.Pointer(&buf[0])), C.size_t(len(buf)))
-+ message = fmt.Sprintf(
-+ "%v\nfile: %v\nline: %v\nfunction: %v\nflags: %v\nerror string: %s\n",
-+ message, C.GoString(file), line, C.GoString(fnc), flags, C.GoString(&(buf[0])))
-+
-+ }
-+ return errors.New(message)
-+}
-+
-+// Unreachable marks code that should be unreachable
-+// when FIPS mode. It panics only when
-+// the system is in FIPS mode.
-+func Unreachable() {
-+ if Enabled() {
-+ panic("openssl: invalid code execution")
-+ }
-+}
-+
-+// UnreachableExceptTests marks code that should be unreachable
-+// when FIPS mode is active. It panics only when the system is in FIPS mode
-+// and not executing under tests.
-+func UnreachableExceptTests() {
-+ name := os.Args[0]
-+ if Enabled() && !ExecutingTest() {
-+ println("openssl: unexpected code execution in", name)
-+ panic("openssl: invalid code execution")
-+ }
-+}
-+
-+// ExecutingTest returns a boolean indicating if we're
-+// executing under a test binary or not.
-+func ExecutingTest() bool {
-+ name := os.Args[0]
-+ return hasSuffix(name, "_test") || hasSuffix(name, ".test")
-+}
-+
-+type fail string
-+
-+func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
-+
-+func wbase(b BigInt) *C.uint8_t {
-+ if len(b) == 0 {
-+ return nil
-+ }
-+ return (*C.uint8_t)(unsafe.Pointer(&b[0]))
-+}
-+
-+const wordBytes = bits.UintSize / 8
-+
-+func bigToBN(x BigInt) *C.GO_BIGNUM {
-+ return C._goboringcrypto_BN_lebin2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
-+}
-+
-+func bnToBig(bn *C.GO_BIGNUM) BigInt {
-+ x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
-+ if C._goboringcrypto_BN_bn2lebinpad(bn, wbase(x), C.size_t(len(x)*wordBytes)) == 0 {
-+ panic("boringcrypto: bignum conversion failed")
-+ }
-+ return x
-+}
-+
-+func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool {
-+ if *bnp != nil {
-+ C._goboringcrypto_BN_free(*bnp)
-+ *bnp = nil
-+ }
-+ if b == nil {
-+ return true
-+ }
-+ bn := bigToBN(b)
-+ if bn == nil {
-+ return false
-+ }
-+ *bnp = bn
-+ return true
-+}
-+
-+// noescape hides a pointer from escape analysis. noescape is
-+// the identity function but escape analysis doesn't think the
-+// output depends on the input. noescape is inlined and currently
-+// compiles down to zero instructions.
-+// USE CAREFULLY!
-+//
-+//go:nosplit
-+func noescape(p unsafe.Pointer) unsafe.Pointer {
-+ x := uintptr(p)
-+ return unsafe.Pointer(x ^ 0)
-+}
-+
-+var zero byte
-+
-+// addr converts p to its base addr, including a noescape along the way.
-+// If p is nil, addr returns a non-nil pointer, so that the result can always
-+// be dereferenced.
-+//
-+//go:nosplit
-+func addr(p []byte) *byte {
-+ if len(p) == 0 {
-+ return &zero
-+ }
-+ return (*byte)(noescape(unsafe.Pointer(&p[0])))
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
-new file mode 100644
-index 0000000..2349db1
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
-@@ -0,0 +1,46 @@
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+
-+int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *msg, size_t msgLen,
-+ uint8_t *sig, unsigned int *slen,
-+ GO_EC_KEY *eckey) {
-+ int result;
-+ EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-+ if (!key) {
-+ return 0;
-+ }
-+ if (!_goboringcrypto_EVP_PKEY_set1_EC_KEY(key, eckey)) {
-+ result = 0;
-+ goto err;
-+ }
-+ result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
-+err:
-+ _goboringcrypto_EVP_PKEY_free(key);
-+ return result;
-+}
-+
-+int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *msg, size_t msgLen,
-+ const uint8_t *sig, unsigned int slen,
-+ GO_EC_KEY *eckey) {
-+
-+ int result;
-+ EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-+ if (!key) {
-+ return 0;
-+ }
-+ if (!_goboringcrypto_EVP_PKEY_set1_EC_KEY(key, eckey)) {
-+ result = 0;
-+ goto err;
-+ }
-+
-+ result = _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
-+
-+err:
-+ _goboringcrypto_EVP_PKEY_free(key);
-+ return result;
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-new file mode 100644
-index 0000000..4379019
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-@@ -0,0 +1,128 @@
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+
-+int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-+ size_t msgLen, uint8_t *sig, unsigned int *slen,
-+ EVP_PKEY *key) {
-+ EVP_MD_CTX *mdctx = NULL;
-+ int ret = 0;
-+
-+ if (!(mdctx = _goboringcrypto_EVP_MD_CTX_create()))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_DigestSignInit(mdctx, &ctx, md, NULL, key))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_DigestUpdate(mdctx, msg, msgLen))
-+ goto err;
-+
-+ /* Obtain the signature length */
-+ if (1 != _goboringcrypto_EVP_DigestSignFinal(mdctx, NULL, slen))
-+ goto err;
-+ /* Obtain the signature */
-+ if (1 != _goboringcrypto_EVP_DigestSignFinal(mdctx, sig, slen))
-+ goto err;
-+
-+ /* Success */
-+ ret = 1;
-+
-+err:
-+ if (mdctx)
-+ _goboringcrypto_EVP_MD_CTX_free(mdctx);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-+ size_t msgLen, uint8_t *sig, size_t *slen,
-+ GO_RSA *rsa_key) {
-+ int ret = 0;
-+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
-+ _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
-+
-+ if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_PKEY_sign_init(ctx))
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_PKEY_sign(ctx, sig, slen, msg, msgLen))
-+ goto err;
-+
-+ /* Success */
-+ ret = 1;
-+
-+err:
-+ if (ctx)
-+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_EVP_verify(EVP_MD *md, EVP_PKEY_CTX *ctx,
-+ const uint8_t *msg, size_t msgLen,
-+ const uint8_t *sig, unsigned int slen,
-+ EVP_PKEY *key) {
-+ EVP_MD_CTX *mdctx = NULL;
-+ int ret = 0;
-+
-+ if (!(mdctx = _goboringcrypto_EVP_MD_CTX_create()))
-+ goto err;
-+ if (1 != _goboringcrypto_EVP_DigestVerifyInit(mdctx, &ctx, md, NULL, key))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_DigestUpdate(mdctx, msg, msgLen))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_DigestVerifyFinal(mdctx, sig, slen)) {
-+ goto err;
-+ }
-+
-+ /* Success */
-+ ret = 1;
-+
-+err:
-+ if (mdctx)
-+ _goboringcrypto_EVP_MD_CTX_free(mdctx);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-+ const uint8_t *sig, unsigned int slen,
-+ GO_RSA *rsa_key) {
-+
-+ int ret = 0;
-+ EVP_PKEY_CTX *ctx;
-+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
-+ _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
-+
-+ if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_PKEY_verify_init(ctx))
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_PKEY_verify(ctx, sig, slen, msg, msgLen))
-+ goto err;
-+
-+ /* Success */
-+ ret = 1;
-+
-+err:
-+ if (ctx)
-+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-+
-+ return ret;
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
-new file mode 100644
-index 0000000..49d40a7
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
-@@ -0,0 +1,49 @@
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+#include <openssl/err.h>
-+#include <pthread.h>
-+#include <stdio.h>
-+#include <sys/syscall.h>
-+#include <sys/types.h>
-+
-+#define _GNU_SOURCE
-+#include <unistd.h>
-+
-+#define MUTEX_TYPE pthread_mutex_t
-+#define MUTEX_SETUP(x) pthread_mutex_init(&(x), NULL)
-+#define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
-+#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
-+#define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
-+#define THREAD_ID pthread_self()
-+
-+/* This array will store all of the mutexes available to OpenSSL. */
-+static MUTEX_TYPE *mutex_buf = NULL;
-+
-+static void locking_function(int mode, int n, const char *file, int line) {
-+ if (mode & CRYPTO_LOCK)
-+ MUTEX_LOCK(mutex_buf[n]);
-+ else
-+ MUTEX_UNLOCK(mutex_buf[n]);
-+}
-+
-+static unsigned long id_function(void) {
-+ return ((unsigned long)syscall(__NR_gettid));
-+}
-+
-+int _goboringcrypto_OPENSSL_thread_setup(void) {
-+ int i;
-+
-+ mutex_buf = malloc(_goboringcrypto_CRYPTO_num_locks() * sizeof(MUTEX_TYPE));
-+ if (!mutex_buf)
-+ return 0;
-+ for (i = 0; i < _goboringcrypto_CRYPTO_num_locks(); i++)
-+ MUTEX_SETUP(mutex_buf[i]);
-+ _goboringcrypto_CRYPTO_set_id_callback(id_function);
-+ _goboringcrypto_CRYPTO_set_locking_callback(locking_function);
-+ return 1;
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
-new file mode 100644
-index 0000000..7eb645e
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
-@@ -0,0 +1,171 @@
-+// This file contains a port of the BoringSSL AEAD interface.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+#include <openssl/err.h>
-+
-+int _goboringcrypto_EVP_CIPHER_CTX_seal(uint8_t *out, uint8_t *iv, uint8_t *aad,
-+ size_t aad_len, uint8_t *plaintext,
-+ size_t plaintext_len,
-+ size_t *ciphertext_len, uint8_t *key,
-+ int key_size) {
-+
-+ EVP_CIPHER_CTX *ctx;
-+ int len;
-+ int ret;
-+
-+ if (plaintext_len == 0) {
-+ plaintext = "";
-+ }
-+
-+ if (aad_len == 0) {
-+ aad = "";
-+ }
-+
-+ // Create and initialise the context.
-+ if (!(ctx = _goboringcrypto_EVP_CIPHER_CTX_new())) {
-+ goto err;
-+ }
-+
-+ switch (key_size) {
-+ case 128:
-+ if (!_goboringcrypto_EVP_EncryptInit_ex(
-+ ctx, _goboringcrypto_EVP_aes_128_gcm(), NULL, NULL, NULL)) {
-+ goto err;
-+ }
-+ break;
-+ case 256:
-+ if (!_goboringcrypto_EVP_EncryptInit_ex(
-+ ctx, _goboringcrypto_EVP_aes_256_gcm(), NULL, NULL, NULL)) {
-+ goto err;
-+ }
-+ break;
-+ default:
-+ goto err;
-+ }
-+
-+ // Initialize IV.
-+ if (!_goboringcrypto_EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL)) {
-+ goto err;
-+ }
-+ if (!_goboringcrypto_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 12,
-+ 0)) {
-+ goto err;
-+ }
-+ if (!_goboringcrypto_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IV_FIXED, -1,
-+ iv)) {
-+ goto err;
-+ }
-+ if (!_goboringcrypto_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_IV_GEN, 0, iv)) {
-+ goto err;
-+ }
-+
-+ // Provide AAD data.
-+ if (!_goboringcrypto_EVP_EncryptUpdate(ctx, NULL, &len, aad, aad_len)) {
-+ goto err;
-+ }
-+
-+ if (!_goboringcrypto_EVP_EncryptUpdate(ctx, out, &len, plaintext,
-+ plaintext_len)) {
-+ goto err;
-+ }
-+ *ciphertext_len = len;
-+
-+ if (!_goboringcrypto_EVP_EncryptFinal_ex(ctx, out + len, &len)) {
-+ goto err;
-+ }
-+ *ciphertext_len += len;
-+
-+ if (!_goboringcrypto_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16,
-+ out + (*ciphertext_len))) {
-+ goto err;
-+ }
-+ *ciphertext_len += 16;
-+ ret = 1;
-+
-+err:
-+ _goboringcrypto_EVP_CIPHER_CTX_free(ctx);
-+
-+ if (ret > 0) {
-+ return ret;
-+ } else {
-+ return 0;
-+ }
-+}
-+
-+int _goboringcrypto_EVP_CIPHER_CTX_open(uint8_t *ciphertext, int ciphertext_len,
-+ uint8_t *aad, int aad_len, uint8_t *tag,
-+ uint8_t *key, int key_size, uint8_t *iv,
-+ int iv_len, uint8_t *plaintext,
-+ size_t *plaintext_len) {
-+
-+ EVP_CIPHER_CTX *ctx;
-+ int len;
-+ int ret;
-+
-+ if (aad_len == 0) {
-+ aad = "";
-+ }
-+
-+ // Create and initialise the context.
-+ if (!(ctx = _goboringcrypto_EVP_CIPHER_CTX_new()))
-+ return 0;
-+
-+ switch (key_size) {
-+ case 128:
-+ if (!_goboringcrypto_EVP_DecryptInit_ex(
-+ ctx, _goboringcrypto_EVP_aes_128_gcm(), NULL, NULL, NULL)) {
-+ goto err;
-+ }
-+ break;
-+ case 256:
-+ if (!_goboringcrypto_EVP_DecryptInit_ex(
-+ ctx, _goboringcrypto_EVP_aes_256_gcm(), NULL, NULL, NULL)) {
-+ goto err;
-+ }
-+ break;
-+ }
-+
-+ // Initialize key and nonce.
-+ if (!_goboringcrypto_EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) {
-+ goto err;
-+ }
-+
-+ // Provide any AAD data.
-+ if (!_goboringcrypto_EVP_DecryptUpdate(ctx, NULL, &len, aad, aad_len)) {
-+ goto err;
-+ }
-+
-+ // Provide the message to be decrypted, and obtain the plaintext output.
-+ if (!_goboringcrypto_EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext,
-+ ciphertext_len)) {
-+ goto err;
-+ }
-+ *plaintext_len = len;
-+
-+ // Set expected tag value. Works in OpenSSL 1.0.1d and later.
-+ if (!_goboringcrypto_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16,
-+ tag)) {
-+ goto err;
-+ }
-+
-+ // Finalise the decryption. A positive return value indicates success,
-+ // anything else is a failure - the plaintext is not trustworthy.
-+ ret = _goboringcrypto_EVP_DecryptFinal_ex(ctx, plaintext + len, &len);
-+
-+err:
-+ _goboringcrypto_EVP_CIPHER_CTX_free(ctx);
-+
-+ if (ret > 0) {
-+ // Success
-+ *plaintext_len += len;
-+ return ret;
-+ } else {
-+ // Verify failed
-+ return 0;
-+ }
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
-new file mode 100644
-index 0000000..df4ebe3
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
-@@ -0,0 +1,13 @@
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+
-+void _goboringcrypto_EVP_AES_ctr128_enc(EVP_CIPHER_CTX *ctx, const uint8_t *in,
-+ uint8_t *out, size_t in_len) {
-+ int len;
-+ _goboringcrypto_EVP_EncryptUpdate(ctx, out, &len, in, in_len);
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
-new file mode 100644
-index 0000000..2eedd5b
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
-@@ -0,0 +1,90 @@
-+// This file contains a backport of the EVP_md5_sha1 method.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+// The following is a partial backport of crypto/evp/m_md5_sha1.c,
-+// commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
-+// OpenSSL_1_1_0-stable branch. The ctrl function has been removed.
-+
-+#include "goopenssl.h"
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+// New in OpenSSL 1.1.
-+static inline void *
-+_goboringcrypto_internal_EVP_MD_CTX_md_data(EVP_MD_CTX *ctx) {
-+ return ctx->md_data;
-+}
-+
-+/*
-+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#if !defined(OPENSSL_NO_MD5)
-+
-+#include <openssl/evp.h>
-+#include <openssl/md5.h>
-+#include <openssl/objects.h>
-+#include <openssl/rsa.h>
-+#include <openssl/sha.h>
-+#include <openssl/x509.h>
-+
-+struct md5_sha1_ctx {
-+ MD5_CTX md5;
-+ SHA_CTX sha1;
-+};
-+
-+static int _goboringcrypto_internal_init(EVP_MD_CTX *ctx) {
-+ struct md5_sha1_ctx *mctx = _goboringcrypto_internal_EVP_MD_CTX_md_data(ctx);
-+ if (!_goboringcrypto_internal_MD5_Init(&mctx->md5))
-+ return 0;
-+ return _goboringcrypto_SHA1_Init(&mctx->sha1);
-+}
-+
-+static int _goboringcrypto_internal_update(EVP_MD_CTX *ctx, const void *data,
-+ size_t count) {
-+ struct md5_sha1_ctx *mctx = _goboringcrypto_internal_EVP_MD_CTX_md_data(ctx);
-+ if (!_goboringcrypto_internal_MD5_Update(&mctx->md5, data, count))
-+ return 0;
-+ return _goboringcrypto_SHA1_Update(&mctx->sha1, data, count);
-+}
-+
-+static int _goboringcrypto_internal_final(EVP_MD_CTX *ctx, unsigned char *md) {
-+ struct md5_sha1_ctx *mctx = _goboringcrypto_internal_EVP_MD_CTX_md_data(ctx);
-+ if (!_goboringcrypto_internal_MD5_Final(md, &mctx->md5))
-+ return 0;
-+ return _goboringcrypto_SHA1_Final(md + MD5_DIGEST_LENGTH, &mctx->sha1);
-+}
-+
-+// Change: Removed:
-+// static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms)
-+
-+static const EVP_MD md5_sha1_md = {
-+ NID_md5_sha1,
-+ NID_md5_sha1,
-+ MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
-+ 0,
-+ _goboringcrypto_internal_init,
-+ _goboringcrypto_internal_update,
-+ _goboringcrypto_internal_final,
-+ NULL,
-+ NULL,
-+ EVP_PKEY_NULL_method, // Change: inserted
-+ MD5_CBLOCK,
-+ sizeof(EVP_MD *) + sizeof(struct md5_sha1_ctx),
-+ NULL, // Change: was ctrl
-+};
-+
-+// Change: Apply name mangling.
-+const GO_EVP_MD *_goboringcrypto_backport_EVP_md5_sha1(void) {
-+ return &md5_sha1_md;
-+}
-+#endif
-+#endif
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
-new file mode 100644
-index 0000000..362d9e5
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
-@@ -0,0 +1,16 @@
-+// This file contains HMAC portability wrappers.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+
-+// Not in OpenSSL 1.1. However, HMAC_CTX_copy expects an initialized
-+// target in OpenSSL 1.1.
-+int _goboringcrypto_HMAC_CTX_copy_ex(GO_HMAC_CTX *dest,
-+ const GO_HMAC_CTX *src) {
-+ // HMAC_CTX_copy lacks the const qualifier for the second parameter.
-+ return _goboringcrypto_HMAC_CTX_copy(dest, (GO_HMAC_CTX *)src);
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
-new file mode 100644
-index 0000000..2824147
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
-@@ -0,0 +1,219 @@
-+// This file contains RSA portability wrappers.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+
-+// Only in BoringSSL.
-+int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
-+ GO_BN_GENCB *cb) {
-+ // BoringSSL's RSA_generate_key_fips hard-codes e to 65537.
-+ BIGNUM *e = _goboringcrypto_BN_new();
-+ if (e == NULL)
-+ return 0;
-+ int ret = _goboringcrypto_BN_set_word(e, RSA_F4) &&
-+ _goboringcrypto_RSA_generate_key_ex(rsa, size, e, cb);
-+ _goboringcrypto_BN_free(e);
-+ return ret;
-+}
-+
-+int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(
-+ GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
-+ const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md,
-+ int salt_len) {
-+ EVP_PKEY_CTX *ctx;
-+ unsigned int siglen;
-+
-+ int ret = 0;
-+ EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-+ if (!key) {
-+ goto err;
-+ }
-+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa))
-+ goto err;
-+ ctx = _goboringcrypto_EVP_PKEY_CTX_new(key, NULL /* no engine */);
-+ if (!ctx)
-+ goto err;
-+
-+ EVP_MD_CTX *mdctx = NULL;
-+ if (!(mdctx = _goboringcrypto_EVP_MD_CTX_create()))
-+ goto err;
-+
-+ if (1 != _goboringcrypto_EVP_DigestSignInit(mdctx, &ctx, md, NULL, key))
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx,
-+ RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
-+ goto err;
-+ if (mgf1_md)
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
-+ goto err;
-+ if (1 != _goboringcrypto_EVP_DigestUpdate(mdctx, in, in_len))
-+ goto err;
-+
-+ /* Obtain the signature length */
-+ if (1 != _goboringcrypto_EVP_DigestSignFinal(mdctx, NULL, out_len))
-+ goto err;
-+ /* Obtain the signature */
-+ if (1 != _goboringcrypto_EVP_DigestSignFinal(mdctx, out, out_len))
-+ goto err;
-+
-+ ret = 1;
-+
-+err:
-+ if (mdctx)
-+ _goboringcrypto_EVP_MD_CTX_free(mdctx);
-+ if (ctx)
-+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-+ if (key)
-+ _goboringcrypto_EVP_PKEY_free(key);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len,
-+ uint8_t *out, unsigned int max_out,
-+ const uint8_t *in, unsigned int in_len,
-+ EVP_MD *md, const EVP_MD *mgf1_md,
-+ int salt_len) {
-+ EVP_PKEY_CTX *ctx;
-+ EVP_PKEY *pkey;
-+ size_t siglen;
-+
-+ int ret = 0;
-+ pkey = _goboringcrypto_EVP_PKEY_new();
-+ if (!pkey)
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
-+ goto err;
-+
-+ ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
-+ if (!ctx)
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx,
-+ RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
-+ goto err;
-+ if (mgf1_md)
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
-+ goto err;
-+ /* Determine buffer length */
-+ if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0)
-+ goto err;
-+
-+ if (max_out < siglen)
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0)
-+ goto err;
-+
-+ *out_len = siglen;
-+ ret = 1;
-+
-+err:
-+ if (ctx)
-+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-+ if (pkey)
-+ _goboringcrypto_EVP_PKEY_free(pkey);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
-+ unsigned int msg_len, EVP_MD *md,
-+ const EVP_MD *mgf1_md, int salt_len,
-+ const uint8_t *sig,
-+ unsigned int sig_len) {
-+ EVP_PKEY_CTX *ctx;
-+ EVP_PKEY *pkey;
-+
-+ int ret = 0;
-+
-+ pkey = _goboringcrypto_EVP_PKEY_new();
-+ if (!pkey)
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
-+ goto err;
-+
-+ ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
-+ if (!ctx)
-+ goto err;
-+
-+ if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx,
-+ RSA_PKCS1_PSS_PADDING) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
-+ goto err;
-+ if (mgf1_md)
-+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
-+ goto err;
-+ if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0)
-+ goto err;
-+
-+ ret = 1;
-+
-+err:
-+ if (ctx)
-+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-+ if (pkey)
-+ _goboringcrypto_EVP_PKEY_free(pkey);
-+
-+ return ret;
-+}
-+
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
-+ unsigned int msgLen, uint8_t *sig,
-+ unsigned int *slen, RSA *rsa) {
-+ int result;
-+ EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-+ if (!key) {
-+ return 0;
-+ }
-+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa)) {
-+ result = 0;
-+ goto err;
-+ }
-+ result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
-+err:
-+ _goboringcrypto_EVP_PKEY_free(key);
-+ return result;
-+}
-+
-+int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
-+ unsigned int msgLen, const uint8_t *sig,
-+ unsigned int slen, GO_RSA *rsa) {
-+ int result;
-+ EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-+ if (!key) {
-+ return 0;
-+ }
-+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa)) {
-+ result = 0;
-+ goto err;
-+ }
-+ result = _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
-+err:
-+ _goboringcrypto_EVP_PKEY_free(key);
-+ return result;
-+}
-\ No newline at end of file
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
-new file mode 100644
-index 0000000..22bd865
---- /dev/null
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
-@@ -0,0 +1,45 @@
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+
-+#include "goopenssl.h"
-+#include <openssl/rand.h>
-+
-+static RAND_METHOD fake_rand;
-+static const RAND_METHOD *old_rand;
-+
-+int _goboringcrypto_stub_openssl_rand(void) {
-+ /* save old rand method */
-+ if ((old_rand = _goboringcrypto_RAND_get_rand_method()) == NULL)
-+ return 0;
-+
-+ fake_rand.seed = old_rand->seed;
-+ fake_rand.cleanup = old_rand->cleanup;
-+ fake_rand.add = old_rand->add;
-+ fake_rand.status = old_rand->status;
-+ /* use own random function */
-+ fake_rand.bytes = fbytes;
-+ fake_rand.pseudorand = old_rand->bytes;
-+ /* set new RAND_METHOD */
-+ if (!_goboringcrypto_RAND_set_rand_method(&fake_rand))
-+ return 0;
-+ return 1;
-+}
-+
-+int _goboringcrypto_restore_openssl_rand(void) {
-+ if (!_goboringcrypto_RAND_set_rand_method(old_rand))
-+ return 0;
-+ else
-+ return 1;
-+}
-+
-+int fbytes(unsigned char *buf, int num) {
-+ // return old_rand->bytes(buf, num);
-+ int i;
-+ for (i = 0; i < num; i++) {
-+ buf[i] = 1;
-+ }
-+ return 1;
-+}
-diff --git a/src/crypto/internal/boring/rand.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
-similarity index 70%
-rename from src/crypto/internal/boring/rand.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
-index d2e432e..b3668b8 100644
---- a/src/crypto/internal/boring/rand.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
-@@ -2,12 +2,12 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-
--package boring
-+package openssl
-
--// #include "goboringcrypto.h"
-+// #include "goopenssl.h"
- import "C"
- import "unsafe"
-
-@@ -17,7 +17,7 @@ func (randReader) Read(b []byte) (int, error) {
- // Note: RAND_bytes should never fail; the return value exists only for historical reasons.
- // We check it even so.
- if len(b) > 0 && C._goboringcrypto_RAND_bytes((*C.uint8_t)(unsafe.Pointer(&b[0])), C.size_t(len(b))) == 0 {
-- return 0, fail("RAND_bytes")
-+ return 0, NewOpenSSLError("RAND_bytes")
- }
- return len(b), nil
- }
-diff --git a/src/crypto/internal/boring/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-similarity index 58%
-rename from src/crypto/internal/boring/rsa.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-index 64c83c2..915c840 100644
---- a/src/crypto/internal/boring/rsa.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-@@ -2,16 +2,15 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-
--package boring
-+package openssl
-
--// #include "goboringcrypto.h"
-+// #include "goopenssl.h"
- import "C"
- import (
- "crypto"
-- "crypto/subtle"
- "errors"
- "hash"
- "runtime"
-@@ -26,12 +25,12 @@ func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
-
- key := C._goboringcrypto_RSA_new()
- if key == nil {
-- return bad(fail("RSA_new"))
-+ return bad(NewOpenSSLError("RSA_new failed"))
- }
- defer C._goboringcrypto_RSA_free(key)
-
- if C._goboringcrypto_RSA_generate_key_fips(key, C.int(bits), nil) == 0 {
-- return bad(fail("RSA_generate_key_fips"))
-+ return bad(NewOpenSSLError("RSA_generate_key_fips failed"))
- }
-
- var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
-@@ -49,12 +48,12 @@ type PublicKeyRSA struct {
- func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) {
- key := C._goboringcrypto_RSA_new()
- if key == nil {
-- return nil, fail("RSA_new")
-- }
-- if !bigToBn(&key.n, N) ||
-- !bigToBn(&key.e, E) {
-- return nil, fail("BN_bin2bn")
-+ return nil, NewOpenSSLError("RSA_new failed")
- }
-+ var n, e *C.GO_BIGNUM
-+ n = bigToBN(N)
-+ e = bigToBN(E)
-+ C._goboringcrypto_RSA_set0_key(key, n, e, nil)
- k := &PublicKeyRSA{_key: key}
- runtime.SetFinalizer(k, (*PublicKeyRSA).finalize)
- return k, nil
-@@ -80,17 +79,23 @@ type PrivateKeyRSA struct {
- func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) {
- key := C._goboringcrypto_RSA_new()
- if key == nil {
-- return nil, fail("RSA_new")
-- }
-- if !bigToBn(&key.n, N) ||
-- !bigToBn(&key.e, E) ||
-- !bigToBn(&key.d, D) ||
-- !bigToBn(&key.p, P) ||
-- !bigToBn(&key.q, Q) ||
-- !bigToBn(&key.dmp1, Dp) ||
-- !bigToBn(&key.dmq1, Dq) ||
-- !bigToBn(&key.iqmp, Qinv) {
-- return nil, fail("BN_bin2bn")
-+ return nil, NewOpenSSLError("RSA_new failed")
-+ }
-+ var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
-+ n = bigToBN(N)
-+ e = bigToBN(E)
-+ d = bigToBN(D)
-+ C._goboringcrypto_RSA_set0_key(key, n, e, d)
-+ if P != nil && Q != nil {
-+ p = bigToBN(P)
-+ q = bigToBN(Q)
-+ C._goboringcrypto_RSA_set0_factors(key, p, q)
-+ }
-+ if Dp != nil && Dq != nil && Qinv != nil {
-+ dp = bigToBN(Dp)
-+ dq = bigToBN(Dq)
-+ qinv = bigToBN(Qinv)
-+ C._goboringcrypto_RSA_set0_crt_params(key, dp, dq, qinv)
- }
- k := &PrivateKeyRSA{_key: key}
- runtime.SetFinalizer(k, (*PrivateKeyRSA).finalize)
-@@ -127,7 +132,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
-
- pkey = C._goboringcrypto_EVP_PKEY_new()
- if pkey == nil {
-- return nil, nil, fail("EVP_PKEY_new")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_new failed")
- }
- if withKey(func(key *C.GO_RSA) C.int {
- return C._goboringcrypto_EVP_PKEY_set1_RSA(pkey, key)
-@@ -136,13 +141,13 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- }
- ctx = C._goboringcrypto_EVP_PKEY_CTX_new(pkey, nil)
- if ctx == nil {
-- return nil, nil, fail("EVP_PKEY_CTX_new")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_new failed")
- }
- if init(ctx) == 0 {
-- return nil, nil, fail("EVP_PKEY_operation_init")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_operation_init failed")
- }
- if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, padding) == 0 {
-- return nil, nil, fail("EVP_PKEY_CTX_set_rsa_padding")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_set_rsa_padding failed")
- }
- if padding == C.GO_RSA_PKCS1_OAEP_PADDING {
- md := hashToMD(h)
-@@ -150,22 +155,33 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- return nil, nil, errors.New("crypto/rsa: unsupported hash function")
- }
- if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) == 0 {
-- return nil, nil, fail("EVP_PKEY_set_rsa_oaep_md")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_oaep_md failed")
- }
- // ctx takes ownership of label, so malloc a copy for BoringCrypto to free.
-- clabel := (*C.uint8_t)(C._goboringcrypto_OPENSSL_malloc(C.size_t(len(label))))
-- if clabel == nil {
-- return nil, nil, fail("OPENSSL_malloc")
-+ var clabel *C.uint8_t
-+ clabel = nil
-+ // OpenSSL 1.1.1 does not take ownership of the label if the length is zero.
-+ // Depending on the malloc implementation, if clabel is allocated with malloc(0),
-+ // metadata for the size-zero allocation is never cleaned up, which is a memory leak.
-+ // As such, we must only allocate clabel if the label is of non zero length.
-+ if (len(label) > 0) || (openSSLVersion() > OPENSSL_VERSION_3_0_0) {
-+ clabel = (*C.uint8_t)(C.malloc(C.size_t(len(label))))
-+ if clabel == nil {
-+ return nil, nil, fail("OPENSSL_malloc")
-+ }
-+ copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
- }
-- copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
-- if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.size_t(len(label))) == 0 {
-- return nil, nil, fail("EVP_PKEY_CTX_set0_rsa_oaep_label")
-+ if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) != 1 {
-+ if clabel != nil {
-+ C.free(unsafe.Pointer(clabel))
-+ }
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
- }
- }
- if padding == C.GO_RSA_PKCS1_PSS_PADDING {
- if saltLen != 0 {
- if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, C.int(saltLen)) == 0 {
-- return nil, nil, fail("EVP_PKEY_set_rsa_pss_saltlen")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_pss_saltlen failed")
- }
- }
- md := cryptoHashToMD(ch)
-@@ -173,7 +189,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- return nil, nil, errors.New("crypto/rsa: unsupported hash function")
- }
- if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) == 0 {
-- return nil, nil, fail("EVP_PKEY_set_rsa_mgf1_md")
-+ return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_mgf1_md failed")
- }
- }
-
-@@ -183,7 +199,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
- init func(*C.GO_EVP_PKEY_CTX) C.int,
-- crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.size_t) C.int,
-+ crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
- in []byte) ([]byte, error) {
-
- pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
-@@ -193,13 +209,13 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- defer C._goboringcrypto_EVP_PKEY_free(pkey)
- defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
-
-- var outLen C.size_t
-- if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 {
-- return nil, fail("EVP_PKEY_decrypt/encrypt")
-+ var outLen C.uint
-+ if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
-+ return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- }
- out := make([]byte, outLen)
-- if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) == 0 {
-- return nil, fail("EVP_PKEY_decrypt/encrypt")
-+ if crypt(ctx, base(out), &outLen, base(in), C.uint(len(in))) <= 0 {
-+ return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- }
- return out[:outLen], nil
- }
-@@ -234,7 +250,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
- }
-
--func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
-+func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -242,7 +258,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
- }
-
--func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
-+func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -255,11 +271,11 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int)
- saltLen = -1
- }
- var out []byte
-- var outLen C.size_t
-+ var outLen C.uint
- if priv.withKey(func(key *C.GO_RSA) C.int {
- out = make([]byte, C._goboringcrypto_RSA_size(key))
-- return C._goboringcrypto_RSA_sign_pss_mgf1(key, &outLen, base(out), C.size_t(len(out)),
-- base(hashed), C.size_t(len(hashed)), md, nil, C.int(saltLen))
-+ return C._goboringcrypto_RSA_sign_pss_mgf1(key, &outLen, base(out), C.uint(len(out)),
-+ base(hashed), C.uint(len(hashed)), md, nil, C.int(saltLen))
- }) == 0 {
- return nil, fail("RSA_sign_pss_mgf1")
- }
-@@ -276,72 +292,120 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
- saltLen = -2 // auto-recover
- }
- if pub.withKey(func(key *C.GO_RSA) C.int {
-- return C._goboringcrypto_RSA_verify_pss_mgf1(key, base(hashed), C.size_t(len(hashed)),
-- md, nil, C.int(saltLen), base(sig), C.size_t(len(sig)))
-+ return C._goboringcrypto_RSA_verify_pss_mgf1(key, base(hashed), C.uint(len(hashed)),
-+ md, nil, C.int(saltLen), base(sig), C.uint(len(sig)))
- }) == 0 {
- return fail("RSA_verify_pss_mgf1")
- }
- return nil
- }
-
--func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
-- if h == 0 {
-- // No hashing.
-+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed bool) ([]byte, error) {
-+ if h == 0 && ExecutingTest() {
-+ return signRSAPKCS1v15Raw(priv, msg, C._goboringcrypto_EVP_md_null())
-+ }
-+
-+ md := cryptoHashToMD(h)
-+ if md == nil {
-+ return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
-+ }
-+
-+ if msgIsHashed {
- var out []byte
-- var outLen C.size_t
-+ var outLen C.uint
-+ PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
-+ nid := C._goboringcrypto_EVP_MD_type(md)
- if priv.withKey(func(key *C.GO_RSA) C.int {
- out = make([]byte, C._goboringcrypto_RSA_size(key))
-- return C._goboringcrypto_RSA_sign_raw(key, &outLen, base(out), C.size_t(len(out)),
-- base(hashed), C.size_t(len(hashed)), C.GO_RSA_PKCS1_PADDING)
-+ return C._goboringcrypto_RSA_sign(nid, base(msg), C.uint(len(msg)), base(out), &outLen, key)
- }) == 0 {
-- return nil, fail("RSA_sign_raw")
-+ return nil, NewOpenSSLError("RSA_sign")
- }
-+ runtime.KeepAlive(priv)
- return out[:outLen], nil
- }
-
-- md := cryptoHashToMD(h)
-- if md == nil {
-- return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
-- }
-- nid := C._goboringcrypto_EVP_MD_type(md)
- var out []byte
- var outLen C.uint
-+
-+ if priv.withKey(func(key *C.GO_RSA) C.int {
-+ return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
-+ }) == 0 {
-+ return nil, NewOpenSSLError("RSA_sign")
-+ }
-+ return out[:outLen], nil
-+}
-+
-+func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byte, error) {
-+ var out []byte
-+ var outLen C.size_t
-+ PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
-+
- if priv.withKey(func(key *C.GO_RSA) C.int {
- out = make([]byte, C._goboringcrypto_RSA_size(key))
-- return C._goboringcrypto_RSA_sign(nid, base(hashed), C.uint(len(hashed)),
-- base(out), &outLen, key)
-+ outLen = C.size_t(len(out))
-+ return C._goboringcrypto_EVP_sign_raw(md, nil, base(msg),
-+ C.size_t(len(msg)), base(out), &outLen, key)
- }) == 0 {
-- return nil, fail("RSA_sign")
-+ return nil, NewOpenSSLError("RSA_sign")
- }
-+ runtime.KeepAlive(priv)
- return out[:outLen], nil
- }
-
--func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
-- if h == 0 {
-- var out []byte
-- var outLen C.size_t
-+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsHashed bool) error {
-+ if h == 0 && ExecutingTest() {
-+ return verifyRSAPKCS1v15Raw(pub, msg, sig)
-+ }
-+
-+ md := cryptoHashToMD(h)
-+ if md == nil {
-+ return errors.New("crypto/rsa: unsupported hash function")
-+ }
-+
-+ if pub.withKey(func(key *C.GO_RSA) C.int {
-+ size := int(C._goboringcrypto_RSA_size(key))
-+ if len(sig) < size {
-+ return 0
-+ }
-+ return 1
-+ }) == 0 {
-+ return errors.New("crypto/rsa: verification error")
-+ }
-+
-+ if msgIsHashed {
-+ PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 verification and use HashVerifyPKCS1v15 instead of VerifyPKCS1v15")
-+ nid := C._goboringcrypto_EVP_MD_type(md)
- if pub.withKey(func(key *C.GO_RSA) C.int {
-- out = make([]byte, C._goboringcrypto_RSA_size(key))
-- return C._goboringcrypto_RSA_verify_raw(key, &outLen, base(out),
-- C.size_t(len(out)), base(sig), C.size_t(len(sig)), C.GO_RSA_PKCS1_PADDING)
-+ return C._goboringcrypto_RSA_verify(nid, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
- }) == 0 {
-- return fail("RSA_verify")
-- }
-- if subtle.ConstantTimeCompare(hashed, out[:outLen]) != 1 {
-- return fail("RSA_verify")
-+ return NewOpenSSLError("RSA_verify failed")
- }
- return nil
- }
-- md := cryptoHashToMD(h)
-- if md == nil {
-- return errors.New("crypto/rsa: unsupported hash function")
-+
-+ if pub.withKey(func(key *C.GO_RSA) C.int {
-+ return C._goboringcrypto_EVP_RSA_verify(md, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
-+ }) == 0 {
-+ return NewOpenSSLError("RSA_verify failed")
-+ }
-+ return nil
-+}
-+
-+func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte) error {
-+ if pub.withKey(func(key *C.GO_RSA) C.int {
-+ size := int(C._goboringcrypto_RSA_size(key))
-+ if len(sig) < size {
-+ return 0
-+ }
-+ return 1
-+ }) == 0 {
-+ return errors.New("crypto/rsa: verification error")
- }
-- nid := C._goboringcrypto_EVP_MD_type(md)
- if pub.withKey(func(key *C.GO_RSA) C.int {
-- return C._goboringcrypto_RSA_verify(nid, base(hashed), C.size_t(len(hashed)),
-- base(sig), C.size_t(len(sig)), key)
-+ return C._goboringcrypto_EVP_verify_raw(base(msg), C.size_t(len(msg)), base(sig), C.uint(len(sig)), key)
- }) == 0 {
-- return fail("RSA_verify")
-+ return NewOpenSSLError("RSA_verify failed")
- }
- return nil
- }
-diff --git a/src/crypto/internal/boring/sha.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
-similarity index 78%
-rename from src/crypto/internal/boring/sha.go
-rename to src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
-index 15b50c9..0b55ced 100644
---- a/src/crypto/internal/boring/sha.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
-@@ -2,13 +2,13 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build boringcrypto && linux && amd64 && !android && !cmd_go_bootstrap && !msan
--// +build boringcrypto,linux,amd64,!android,!cmd_go_bootstrap,!msan
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-
--package boring
-+package openssl
-
- /*
--#include "goboringcrypto.h"
-+#include "goopenssl.h"
-
- int
- _goboringcrypto_gosha1(void *p, size_t n, void *out)
-@@ -18,7 +18,6 @@ _goboringcrypto_gosha1(void *p, size_t n, void *out)
- return _goboringcrypto_SHA1_Update(&ctx, p, n) &&
- _goboringcrypto_SHA1_Final(out, &ctx);
- }
--
- int
- _goboringcrypto_gosha224(void *p, size_t n, void *out)
- {
-@@ -27,7 +26,6 @@ _goboringcrypto_gosha224(void *p, size_t n, void *out)
- return _goboringcrypto_SHA224_Update(&ctx, p, n) &&
- _goboringcrypto_SHA224_Final(out, &ctx);
- }
--
- int
- _goboringcrypto_gosha256(void *p, size_t n, void *out)
- {
-@@ -36,7 +34,6 @@ _goboringcrypto_gosha256(void *p, size_t n, void *out)
- return _goboringcrypto_SHA256_Update(&ctx, p, n) &&
- _goboringcrypto_SHA256_Final(out, &ctx);
- }
--
- int
- _goboringcrypto_gosha384(void *p, size_t n, void *out)
- {
-@@ -45,7 +42,6 @@ _goboringcrypto_gosha384(void *p, size_t n, void *out)
- return _goboringcrypto_SHA384_Update(&ctx, p, n) &&
- _goboringcrypto_SHA384_Final(out, &ctx);
- }
--
- int
- _goboringcrypto_gosha512(void *p, size_t n, void *out)
- {
-@@ -54,7 +50,6 @@ _goboringcrypto_gosha512(void *p, size_t n, void *out)
- return _goboringcrypto_SHA512_Update(&ctx, p, n) &&
- _goboringcrypto_SHA512_Final(out, &ctx);
- }
--
- */
- import "C"
- import (
-@@ -127,31 +122,24 @@ type sha1Ctx struct {
- nx uint32
- }
-
--func (h *sha1Hash) noescapeCtx() *C.GO_SHA_CTX {
-- return (*C.GO_SHA_CTX)(noescape(unsafe.Pointer(&h.ctx)))
--}
--
--func (h *sha1Hash) Reset() {
-- C._goboringcrypto_SHA1_Init(h.noescapeCtx())
--}
--
--func (h *sha1Hash) Size() int { return 20 }
--func (h *sha1Hash) BlockSize() int { return 64 }
--func (h *sha1Hash) Sum(dst []byte) []byte { return h.sum(dst) }
-+func (h *sha1Hash) Reset() { C._goboringcrypto_SHA1_Init(&h.ctx) }
-+func (h *sha1Hash) Size() int { return 20 }
-+func (h *sha1Hash) BlockSize() int { return 64 }
-+func (h *sha1Hash) Sum(in []byte) []byte { return append(in, h.sum()...) }
-
- func (h *sha1Hash) Write(p []byte) (int, error) {
-- if len(p) > 0 && C._goboringcrypto_SHA1_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
-+ if len(p) > 0 && C._goboringcrypto_SHA1_Update(&h.ctx, unsafe.Pointer(&p[0]), C.size_t(len(p))) == 0 {
- panic("boringcrypto: SHA1_Update failed")
- }
- return len(p), nil
- }
-
--func (h0 *sha1Hash) sum(dst []byte) []byte {
-+func (h0 *sha1Hash) sum() []byte {
- h := *h0 // make copy so future Write+Sum is valid
-- if C._goboringcrypto_SHA1_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
-+ if C._goboringcrypto_SHA1_Final((*C.uint8_t)(unsafe.Pointer(&h.out[0])), &h.ctx) == 0 {
- panic("boringcrypto: SHA1_Final failed")
- }
-- return append(dst, h.out[:]...)
-+ return h.out[:]
- }
-
- const (
-@@ -208,30 +196,24 @@ type sha224Hash struct {
- out [224 / 8]byte
- }
-
--func (h *sha224Hash) noescapeCtx() *C.GO_SHA256_CTX {
-- return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx)))
--}
--
--func (h *sha224Hash) Reset() {
-- C._goboringcrypto_SHA224_Init(h.noescapeCtx())
--}
--func (h *sha224Hash) Size() int { return 224 / 8 }
--func (h *sha224Hash) BlockSize() int { return 64 }
--func (h *sha224Hash) Sum(dst []byte) []byte { return h.sum(dst) }
-+func (h *sha224Hash) Reset() { C._goboringcrypto_SHA224_Init(&h.ctx) }
-+func (h *sha224Hash) Size() int { return 224 / 8 }
-+func (h *sha224Hash) BlockSize() int { return 64 }
-+func (h *sha224Hash) Sum(in []byte) []byte { return append(in, h.sum()...) }
-
- func (h *sha224Hash) Write(p []byte) (int, error) {
-- if len(p) > 0 && C._goboringcrypto_SHA224_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
-+ if len(p) > 0 && C._goboringcrypto_SHA224_Update(&h.ctx, unsafe.Pointer(&p[0]), C.size_t(len(p))) == 0 {
- panic("boringcrypto: SHA224_Update failed")
- }
- return len(p), nil
- }
-
--func (h0 *sha224Hash) sum(dst []byte) []byte {
-+func (h0 *sha224Hash) sum() []byte {
- h := *h0 // make copy so future Write+Sum is valid
-- if C._goboringcrypto_SHA224_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
-+ if C._goboringcrypto_SHA224_Final((*C.uint8_t)(unsafe.Pointer(&h.out[0])), &h.ctx) == 0 {
- panic("boringcrypto: SHA224_Final failed")
- }
-- return append(dst, h.out[:]...)
-+ return h.out[:]
- }
-
- // NewSHA256 returns a new SHA256 hash.
-@@ -246,30 +228,24 @@ type sha256Hash struct {
- out [256 / 8]byte
- }
-
--func (h *sha256Hash) noescapeCtx() *C.GO_SHA256_CTX {
-- return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx)))
--}
--
--func (h *sha256Hash) Reset() {
-- C._goboringcrypto_SHA256_Init(h.noescapeCtx())
--}
--func (h *sha256Hash) Size() int { return 256 / 8 }
--func (h *sha256Hash) BlockSize() int { return 64 }
--func (h *sha256Hash) Sum(dst []byte) []byte { return h.sum(dst) }
-+func (h *sha256Hash) Reset() { C._goboringcrypto_SHA256_Init(&h.ctx) }
-+func (h *sha256Hash) Size() int { return 256 / 8 }
-+func (h *sha256Hash) BlockSize() int { return 64 }
-+func (h *sha256Hash) Sum(in []byte) []byte { return append(in, h.sum()...) }
-
- func (h *sha256Hash) Write(p []byte) (int, error) {
-- if len(p) > 0 && C._goboringcrypto_SHA256_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
-+ if len(p) > 0 && C._goboringcrypto_SHA256_Update(&h.ctx, unsafe.Pointer(&p[0]), C.size_t(len(p))) == 0 {
- panic("boringcrypto: SHA256_Update failed")
- }
- return len(p), nil
- }
-
--func (h0 *sha256Hash) sum(dst []byte) []byte {
-+func (h0 *sha256Hash) sum() []byte {
- h := *h0 // make copy so future Write+Sum is valid
-- if C._goboringcrypto_SHA256_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
-+ if C._goboringcrypto_SHA256_Final((*C.uint8_t)(unsafe.Pointer(&h.out[0])), &h.ctx) == 0 {
- panic("boringcrypto: SHA256_Final failed")
- }
-- return append(dst, h.out[:]...)
-+ return h.out[:]
- }
-
- const (
-@@ -383,30 +359,24 @@ type sha384Hash struct {
- out [384 / 8]byte
- }
-
--func (h *sha384Hash) noescapeCtx() *C.GO_SHA512_CTX {
-- return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx)))
--}
--
--func (h *sha384Hash) Reset() {
-- C._goboringcrypto_SHA384_Init(h.noescapeCtx())
--}
--func (h *sha384Hash) Size() int { return 384 / 8 }
--func (h *sha384Hash) BlockSize() int { return 128 }
--func (h *sha384Hash) Sum(dst []byte) []byte { return h.sum(dst) }
-+func (h *sha384Hash) Reset() { C._goboringcrypto_SHA384_Init(&h.ctx) }
-+func (h *sha384Hash) Size() int { return 384 / 8 }
-+func (h *sha384Hash) BlockSize() int { return 128 }
-+func (h *sha384Hash) Sum(in []byte) []byte { return append(in, h.sum()...) }
-
- func (h *sha384Hash) Write(p []byte) (int, error) {
-- if len(p) > 0 && C._goboringcrypto_SHA384_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
-+ if len(p) > 0 && C._goboringcrypto_SHA384_Update(&h.ctx, unsafe.Pointer(&p[0]), C.size_t(len(p))) == 0 {
- panic("boringcrypto: SHA384_Update failed")
- }
- return len(p), nil
- }
-
--func (h0 *sha384Hash) sum(dst []byte) []byte {
-+func (h0 *sha384Hash) sum() []byte {
- h := *h0 // make copy so future Write+Sum is valid
-- if C._goboringcrypto_SHA384_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
-+ if C._goboringcrypto_SHA384_Final((*C.uint8_t)(unsafe.Pointer(&h.out[0])), &h.ctx) == 0 {
- panic("boringcrypto: SHA384_Final failed")
- }
-- return append(dst, h.out[:]...)
-+ return h.out[:]
- }
-
- // NewSHA512 returns a new SHA512 hash.
-@@ -421,30 +391,24 @@ type sha512Hash struct {
- out [512 / 8]byte
- }
-
--func (h *sha512Hash) noescapeCtx() *C.GO_SHA512_CTX {
-- return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx)))
--}
--
--func (h *sha512Hash) Reset() {
-- C._goboringcrypto_SHA512_Init(h.noescapeCtx())
--}
--func (h *sha512Hash) Size() int { return 512 / 8 }
--func (h *sha512Hash) BlockSize() int { return 128 }
--func (h *sha512Hash) Sum(dst []byte) []byte { return h.sum(dst) }
-+func (h *sha512Hash) Reset() { C._goboringcrypto_SHA512_Init(&h.ctx) }
-+func (h *sha512Hash) Size() int { return 512 / 8 }
-+func (h *sha512Hash) BlockSize() int { return 128 }
-+func (h *sha512Hash) Sum(in []byte) []byte { return append(in, h.sum()...) }
-
- func (h *sha512Hash) Write(p []byte) (int, error) {
-- if len(p) > 0 && C._goboringcrypto_SHA512_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 {
-+ if len(p) > 0 && C._goboringcrypto_SHA512_Update(&h.ctx, unsafe.Pointer(&p[0]), C.size_t(len(p))) == 0 {
- panic("boringcrypto: SHA512_Update failed")
- }
- return len(p), nil
- }
-
--func (h0 *sha512Hash) sum(dst []byte) []byte {
-+func (h0 *sha512Hash) sum() []byte {
- h := *h0 // make copy so future Write+Sum is valid
-- if C._goboringcrypto_SHA512_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 {
-+ if C._goboringcrypto_SHA512_Final((*C.uint8_t)(unsafe.Pointer(&h.out[0])), &h.ctx) == 0 {
- panic("boringcrypto: SHA512_Final failed")
- }
-- return append(dst, h.out[:]...)
-+ return h.out[:]
- }
-
- type sha512Ctx struct {
-diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index 35c0208..f44bcb1 100644
---- a/src/vendor/modules.txt
-+++ b/src/vendor/modules.txt
-@@ -1,3 +1,6 @@
-+# github.com/golang-fips/openssl-fips v0.0.0-20221018135344-eeda1baae76c
-+## explicit; go 1.18
-+github.com/golang-fips/openssl-fips/openssl
- # golang.org/x/crypto v0.0.0-20220516162934-403b01795ae8
- ## explicit; go 1.17
- golang.org/x/crypto/chacha20
diff --git a/SOURCES/enable-big-endian-fips-mode.patch b/SOURCES/enable-big-endian-fips-mode.patch
deleted file mode 100644
index f9756e1..0000000
--- a/SOURCES/enable-big-endian-fips-mode.patch
+++ /dev/null
@@ -1,348 +0,0 @@
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-index b3501400e0..5e1e789da0 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-@@ -131,7 +131,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
- func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
- size := C._goboringcrypto_ECDSA_size(priv.key)
- sig := make([]byte, size)
-- var sigLen C.uint
-+ var sigLen C.size_t
- md := cryptoHashToMD(h)
- if md == nil {
- panic("boring: invalid hash")
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-index 411fefdf78..217b320e4a 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-@@ -218,10 +218,16 @@ DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
- DEFINEFUNC(const GO_EVP_MD *, EVP_md_null, (void), ())
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
-+static inline int
-+_goboringcrypto_EVP_MD_get_size(const GO_EVP_MD *arg0)
-+{
-+ return _goboringcrypto_internal_EVP_MD_size(arg0);
-+}
- #else
- DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNC(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
- #endif
--DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
- DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
-
- # include <openssl/md5.h>
-@@ -275,26 +281,16 @@ DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- static inline size_t
- _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
-- return _goboringcrypto_internal_EVP_MD_size(arg0->md);
-+ return _goboringcrypto_EVP_MD_get_size(arg0->md);
- }
- #else
- DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
--# if OPENSSL_VERSION_NUMBER < 0x30000000L
--static inline size_t
--_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
-- const EVP_MD* md;
-- md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-- return _goboringcrypto_internal_EVP_MD_size(md);
--}
--# else
--DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
- static inline size_t
- _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
- const EVP_MD* md;
- md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-- return _goboringcrypto_internal_EVP_MD_get_size(md);
-+ return _goboringcrypto_EVP_MD_get_size(md);
- }
--# endif
- #endif
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-@@ -370,6 +366,7 @@ DEFINEFUNC(unsigned int, BN_num_bits, (const GO_BIGNUM *arg0), (arg0))
- DEFINEFUNC(int, BN_is_negative, (const GO_BIGNUM *arg0), (arg0))
- DEFINEFUNC(GO_BIGNUM *, BN_bin2bn, (const uint8_t *arg0, size_t arg1, GO_BIGNUM *arg2), (arg0, arg1, arg2))
- DEFINEFUNC(GO_BIGNUM *, BN_lebin2bn, (const unsigned char *s, size_t len, BIGNUM *ret), (s, len, ret))
-+DEFINEFUNC(int, BN_bn2binpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
- DEFINEFUNC(int, BN_bn2lebinpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
-
- static inline unsigned int
-@@ -418,7 +415,7 @@ typedef ECDSA_SIG GO_ECDSA_SIG;
- DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_SIG_new, (void), ())
- DEFINEFUNC(void, ECDSA_SIG_free, (GO_ECDSA_SIG * arg0), (arg0))
- DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_do_sign, (const uint8_t *arg0, size_t arg1, const GO_EC_KEY *arg2), (arg0, arg1, arg2))
--DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, const GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
-+DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
- DEFINEFUNC(size_t, ECDSA_size, (const GO_EC_KEY *arg0), (arg0))
-
- DEFINEFUNCINTERNAL(int, ECDSA_sign,
-@@ -453,25 +450,25 @@ _goboringcrypto_EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *rsa) {
- }
-
- DEFINEFUNC(int, EVP_DigestSignInit,
-- (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
-+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
- (ctx, pctx, type, e, pkey))
-
- DEFINEFUNC(int, EVP_DigestUpdate,
- (EVP_MD_CTX* ctx, const void *d, size_t cnt),
- (ctx, d, cnt))
- DEFINEFUNC(int, EVP_DigestSignFinal,
-- (EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
-+ (EVP_MD_CTX* ctx, unsigned char *sig, size_t *siglen),
- (ctx, sig, siglen))
-
- DEFINEFUNC(int, EVP_DigestVerifyInit,
-- (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
-+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
- (ctx, pctx, type, e, pkey))
- DEFINEFUNC(int, EVP_DigestVerifyFinal,
- (EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
- (ctx, sig, siglen))
-
- typedef RSA GO_RSA;
--int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
-+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
- int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
- size_t msgLen, uint8_t *sig, size_t *slen,
- GO_RSA *key);
-@@ -490,7 +487,7 @@ static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
- DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
- #endif
-
--int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
-+int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, size_t *arg4, GO_EC_KEY *arg5);
- int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
-
- #include <openssl/rsa.h>
-@@ -498,7 +495,7 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
- // Note: order of struct fields here is unchecked.
- typedef BN_GENCB GO_BN_GENCB;
-
--int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
- int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
-
- DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
-@@ -800,10 +797,10 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
- }
-
- DEFINEFUNC(int, EVP_PKEY_decrypt,
-- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
- (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_encrypt,
-- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
- (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
- DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
-index 86d7c6c212..2f45dabca2 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
-@@ -14,6 +14,7 @@ package openssl
- */
- import "C"
- import (
-+ "encoding/binary"
- "errors"
- "fmt"
- "math/bits"
-@@ -184,25 +185,73 @@ type fail string
-
- func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
-
--func wbase(b BigInt) *C.uint8_t {
-- if len(b) == 0 {
-- return nil
-+const wordBytes = bits.UintSize / 8
-+
-+// These two functions were copied from `math/big` package, which
-+// defines `big.Int` with a similar representation.
-+func (z BigInt) writeBytes(buf []byte) (i int) {
-+ i = len(buf)
-+ for _, d := range z {
-+ for j := 0; j < wordBytes; j++ {
-+ i--
-+ if i >= 0 {
-+ buf[i] = byte(d)
-+ } else if byte(d) != 0 {
-+ panic("boringcrypto: buffer too small to fit value")
-+ }
-+ d >>= 8
-+ }
-+ }
-+
-+ if i < 0 {
-+ i = 0
-+ }
-+ for i < len(buf) && buf[i] == 0 {
-+ i++
- }
-- return (*C.uint8_t)(unsafe.Pointer(&b[0]))
-+
-+ return
- }
-
--const wordBytes = bits.UintSize / 8
-+func bytesToBig(buf []byte) BigInt {
-+ z := make(BigInt, (len(buf) + wordBytes - 1) / wordBytes)
-+ i := len(buf)
-+ for k := 0; i >= wordBytes; k++ {
-+ if bits.UintSize == 64 {
-+ z[k] = uint(binary.BigEndian.Uint64(buf[i-wordBytes : i]))
-+ } else {
-+ z[k] = uint(binary.BigEndian.Uint32(buf[i-wordBytes : i]))
-+ }
-+ i -= wordBytes
-+ }
-+ if i > 0 {
-+ var d uint
-+ for s := uint(0); i > 0; s += 8 {
-+ d |= uint(buf[i-1]) << s
-+ i--
-+ }
-+ z[len(z)-1] = d
-+ }
-+
-+ i = len(z)
-+ for i > 0 && z[i-1] == 0 {
-+ i--
-+ }
-+ return z[0:i]
-+}
-
- func bigToBN(x BigInt) *C.GO_BIGNUM {
-- return C._goboringcrypto_BN_lebin2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
-+ buf := make([]byte, len(x)*wordBytes)
-+ buf = buf[x.writeBytes(buf):]
-+ return C._goboringcrypto_BN_bin2bn(base(buf), C.size_t(len(buf)), nil)
- }
-
- func bnToBig(bn *C.GO_BIGNUM) BigInt {
-- x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
-- if C._goboringcrypto_BN_bn2lebinpad(bn, wbase(x), C.size_t(len(x)*wordBytes)) == 0 {
-+ buf := make([]byte, C._goboringcrypto_BN_num_bytes(bn))
-+ if C._goboringcrypto_BN_bn2binpad(bn, base(buf), C.size_t(len(buf))) == 0 {
- panic("boringcrypto: bignum conversion failed")
- }
-- return x
-+ return bytesToBig(buf)
- }
-
- func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool {
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
-index 2349db1fd9..714d18f1e8 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
-@@ -7,7 +7,7 @@
- #include "goopenssl.h"
-
- int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *msg, size_t msgLen,
-- uint8_t *sig, unsigned int *slen,
-+ uint8_t *sig, size_t *slen,
- GO_EC_KEY *eckey) {
- int result;
- EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-index 43790198c6..76bac5bc01 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-@@ -7,7 +7,7 @@
- #include "goopenssl.h"
-
- int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-- size_t msgLen, uint8_t *sig, unsigned int *slen,
-+ size_t msgLen, uint8_t *sig, size_t *slen,
- EVP_PKEY *key) {
- EVP_MD_CTX *mdctx = NULL;
- int ret = 0;
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
-index 28241470f5..bf39656b45 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
-@@ -21,7 +21,7 @@ int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
- }
-
- int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(
-- GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
-+ GO_RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
- const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md,
- int salt_len) {
- EVP_PKEY_CTX *ctx;
-@@ -184,7 +184,7 @@ err:
-
- int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
- unsigned int msgLen, uint8_t *sig,
-- unsigned int *slen, RSA *rsa) {
-+ size_t *slen, RSA *rsa) {
- int result;
- EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
- if (!key) {
-@@ -216,4 +216,4 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
- err:
- _goboringcrypto_EVP_PKEY_free(key);
- return result;
--}
-\ No newline at end of file
-+}
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-index 915c840834..f48c57adff 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-@@ -199,7 +199,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
- init func(*C.GO_EVP_PKEY_CTX) C.int,
-- crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
-+ crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.size_t) C.int,
- in []byte) ([]byte, error) {
-
- pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
-@@ -209,12 +209,12 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- defer C._goboringcrypto_EVP_PKEY_free(pkey)
- defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
-
-- var outLen C.uint
-- if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
-+ var outLen C.size_t
-+ if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 {
- return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- }
- out := make([]byte, outLen)
-- if crypt(ctx, base(out), &outLen, base(in), C.uint(len(in))) <= 0 {
-+ if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) <= 0 {
- return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- }
- return out[:outLen], nil
-@@ -250,7 +250,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
- }
-
--func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -258,7 +258,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
- }
-
--func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -326,7 +326,7 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
- }
-
- var out []byte
-- var outLen C.uint
-+ var outLen C.size_t
-
- if priv.withKey(func(key *C.GO_RSA) C.int {
- return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
diff --git a/SOURCES/fix-test-1024-leaf-certs.patch b/SOURCES/fix-test-1024-leaf-certs.patch
new file mode 100644
index 0000000..ee6b25a
--- /dev/null
+++ b/SOURCES/fix-test-1024-leaf-certs.patch
@@ -0,0 +1,13 @@
+diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
+index 10d1cf0..51feb3b 100644
+--- a/src/crypto/tls/boring_test.go
++++ b/src/crypto/tls/boring_test.go
+@@ -326,7 +326,7 @@ func TestBoringCertAlgs(t *testing.T) {
+ I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
+
+ L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
+- L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf|boringCertNotBoring)
++ L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
+
+ // client verifying server cert
+ testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
diff --git a/SOURCES/ppc64le-internal-linker-fix.patch b/SOURCES/ppc64le-internal-linker-fix.patch
new file mode 100644
index 0000000..f54a83b
--- /dev/null
+++ b/SOURCES/ppc64le-internal-linker-fix.patch
@@ -0,0 +1,122 @@
+diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
+new file mode 100644
+index 0000000000000..bca897c16d054
+--- /dev/null
++++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
+@@ -0,0 +1,100 @@
++# Verify PPC64 does not reuse a trampoline which is too far away.
++# This tests an edge case where the direct call relocation addend should
++# be ignored when computing the distance from the direct call to the
++# already placed trampoline
++[short] skip
++[!ppc64] [!ppc64le] skip
++[aix] skip
++
++# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
++# assembly 2^26 or so times.
++#
++# We build something which should be laid out as such:
++#
++# bar.Bar
++# main.Func1
++# bar.Bar+400-tramp0
++# main.BigAsm
++# main.Func2
++# bar.Bar+400-tramp1
++#
++# bar.Bar needs to be placed far enough away to generate relocations
++# from main package calls. and main.Func1 and main.Func2 are placed
++# a bit more than the direct call limit apart, but not more than 0x400
++# bytes beyond it (to verify the reloc calc).
++
++go build
++
++-- go.mod --
++
++module foo
++
++go 1.19
++
++-- main.go --
++
++package main
++
++import "foo/bar"
++
++func Func1()
++
++func main() {
++ Func1()
++ bar.Bar2()
++}
++
++-- foo.s --
++
++TEXT main·Func1(SB),0,$0-0
++ CALL bar·Bar+0x400(SB)
++ CALL main·BigAsm(SB)
++// A trampoline will be placed here to bar.Bar
++
++// This creates a gap sufficiently large to prevent trampoline reuse
++#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
++#define NOP256 NOP64 NOP64 NOP64 NOP64
++#define NOP2S10 NOP256 NOP256 NOP256 NOP256
++#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
++#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
++#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
++#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
++#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
++#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
++#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
++#define BIGNOP NOP2S24 NOP2S24
++TEXT main·BigAsm(SB),0,$0-0
++ // Fill to the direct call limit so Func2 must generate a new trampoline.
++ // As the implicit trampoline above is just barely unreachable.
++ BIGNOP
++ MOVD $main·Func2(SB), R3
++
++TEXT main·Func2(SB),0,$0-0
++ CALL bar·Bar+0x400(SB)
++// Another trampoline should be placed here.
++
++-- bar/bar.s --
++
++#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
++#define NOP256 NOP64 NOP64 NOP64 NOP64
++#define NOP2S10 NOP256 NOP256 NOP256 NOP256
++#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
++#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
++#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
++#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
++#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
++#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
++#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
++#define BIGNOP NOP2S24 NOP2S24 NOP2S10
++// A very big not very interesting function.
++TEXT bar·Bar(SB),0,$0-0
++ BIGNOP
++
++-- bar/bar.go --
++
++package bar
++
++func Bar()
++
++func Bar2() {
++}
+diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
+index 5d5fbe2a97735..6313879da083c 100644
+--- a/src/cmd/link/internal/ppc64/asm.go
++++ b/src/cmd/link/internal/ppc64/asm.go
+@@ -900,8 +900,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
+ if ldr.SymValue(tramp) == 0 {
+ break
+ }
+-
+- t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
++ // Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
++ // trampoline itself.
++ t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
+
+ // With internal linking, the trampoline can be used if it is not too far.
+ // With external linking, the trampoline must be in this section for it to be reused.
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index c7be79d..87abaa8 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,19 +96,26 @@
%endif
%global go_api 1.19
-%global version 1.19.2
+%global version 1.19.4
%global pkg_release 1
Name: golang
Version: %{version}
-Release: 4%{?dist}
+Release: 1%{?dist}
Summary: The Go Programming Language
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
License: BSD and Public Domain
URL: http://golang.org/
Source0: https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
+# Go's FIPS mode bindings are now provided as a standalone
+# module instead of in tree. This makes it easier to see
+# the actual changes vs upstream Go. The module source is
+# located at https://github.com/golang-fips/openssl-fips,
+# And pre-genetated patches to set up the module for a given
+# Go release are located at https://github.com/golang-fips/go.
+Source1: https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
-Source1: fedora.go
+Source2: fedora.go
# The compiler is written in Go. Needs go(1.4+) compiler for build.
# Actual Go based bootstrap compiler provided by above source.
@@ -139,11 +146,10 @@ Patch221: fix_TestScript_list_std.patch
Patch1939923: skip_test_rhbz1939923.patch
-Patch0: 000-initial-setup.patch
-Patch1: 001-initial-openssl-for-fips.patch
Patch2: disable_static_tests_part1.patch
Patch3: disable_static_tests_part2.patch
-Patch4: enable-big-endian-fips-mode.patch
+Patch4: ppc64le-internal-linker-fix.patch
+Patch5: fix-test-1024-leaf-certs.patch
Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
@@ -236,18 +242,23 @@ Requires: %{name} = %{version}-%{release}
%prep
%setup -q -n go-go%{version}
-%patch0 -p1
-%patch1 -p1
+pushd ..
+tar -xf %{SOURCE1}
+popd
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
+
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%patch221 -p1
%patch1939923 -p1
%patch227 -p1
-cp %{SOURCE1} ./src/runtime/
+cp %{SOURCE2} ./src/runtime/
%build
set -xe
@@ -519,6 +530,14 @@ cd ..
%endif
%changelog
+* Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
+- Rebase to Go 1.19.4
+- Fix ppc64le linker issue
+- Remove defunct patches
+- Remove downstream generated FIPS mode patches
+- Add golang-fips/go as the source for FIPS mode patches
+- Resolves: rhbz#2144542
+
* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
- Enable big endian support in FIPS mode
- Resolves: rhbz#1969844