[dev.boringcrypto] all: merge master into dev.boringcrypto

Change-Id: Ic1d89215bb3e37a722d3d3bc7698edea940a83d9

diff --cc src/cmd/compile/internal/gc/reflect.go
Simple merge

diff --cc src/cmd/go/go_test.go
Simple merge

diff --cc src/crypto/ecdsa/ecdsa.go
index 0e6bb8b23fc4679a0b249f4e86374c5533888bf5,ddc3b35ba30336c0618746bb364d151d9b57576b..be01a296062feee17d5eafbe48e88d261bcc3dc2
--- 1/src/crypto/ecdsa/ecdsa.go
--- 2/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@@ -26,15 -27,8 +27,13 @@@ import 
        "errors"
        "io"
        "math/big"
- 
-       "crypto/internal/randutil"
  )
  
 +import (
 +      "crypto/internal/boring"
 +      "unsafe"
 +)
 +
  // A invertible implements fast inverse mod Curve.Params().N
  type invertible interface {
        // Inverse returns the inverse of k in GF(P)

diff --cc src/crypto/tls/boring.go
index 95256b19f7b9626cc44633662013e9a7b874e2af,0000000000000000000000000000000000000000..5b5c20ce1f9611a452c7852a1336db37992562b3
mode 100644,000000..100644
--- 1/src/crypto/tls/boring.go
--- /dev/null
+++ b/src/crypto/tls/boring.go
@@@ -1,128 -1,0 +1,137 @@@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +package tls
 +
 +import (
 +      "crypto/ecdsa"
 +      "crypto/internal/boring/fipstls"
 +      "crypto/rsa"
 +      "crypto/x509"
 +)
 +
 +// needFIPS returns fipstls.Required(); it avoids a new import in common.go.
 +func needFIPS() bool {
 +      return fipstls.Required()
 +}
 +
 +// fipsMinVersion replaces c.minVersion in FIPS-only mode.
 +func fipsMinVersion(c *Config) uint16 {
 +      // FIPS requires TLS 1.2.
 +      return VersionTLS12
 +}
 +
 +// fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
 +func fipsMaxVersion(c *Config) uint16 {
 +      // FIPS requires TLS 1.2.
 +      return VersionTLS12
 +}
 +
 +// default defaultFIPSCurvePreferences is the FIPS-allowed curves,
 +// in preference order (most preferable first).
 +var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}
 +
 +// fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode.
 +func fipsCurvePreferences(c *Config) []CurveID {
 +      if c == nil || len(c.CurvePreferences) == 0 {
 +              return defaultFIPSCurvePreferences
 +      }
 +      var list []CurveID
 +      for _, id := range c.CurvePreferences {
 +              for _, allowed := range defaultFIPSCurvePreferences {
 +                      if id == allowed {
 +                              list = append(list, id)
 +                              break
 +                      }
 +              }
 +      }
 +      return list
 +}
 +
 +// default FIPSCipherSuites is the FIPS-allowed cipher suites,
 +// in preference order (most preferable first).
 +var defaultFIPSCipherSuites = []uint16{
 +      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 +      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 +      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 +      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 +      TLS_RSA_WITH_AES_128_GCM_SHA256,
 +      TLS_RSA_WITH_AES_256_GCM_SHA384,
 +}
 +
 +// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode.
 +func fipsCipherSuites(c *Config) []uint16 {
 +      if c == nil || c.CipherSuites == nil {
 +              return defaultFIPSCipherSuites
 +      }
 +      var list []uint16
 +      for _, id := range c.CipherSuites {
 +              for _, allowed := range defaultFIPSCipherSuites {
 +                      if id == allowed {
 +                              list = append(list, id)
 +                              break
 +                      }
 +              }
 +      }
 +      return list
 +}
 +
 +// isBoringCertificate reports whether a certificate may be used
 +// when constructing a verified chain.
 +// It is called for each leaf, intermediate, and root certificate.
 +func isBoringCertificate(c *x509.Certificate) bool {
 +      if !needFIPS() {
 +              // Everything is OK if we haven't forced FIPS-only mode.
 +              return true
 +      }
 +
 +      // Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256.
 +      switch k := c.PublicKey.(type) {
 +      default:
 +              return false
 +      case *rsa.PublicKey:
 +              if size := k.N.BitLen(); size != 2048 && size != 3072 {
 +                      return false
 +              }
 +      case *ecdsa.PublicKey:
 +              if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" {
 +                      return false
 +              }
 +      }
 +
 +      return true
 +}
 +
 +// fipsSupportedSignatureAlgorithms currently are a subset of
 +// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
 +var fipsSupportedSignatureAlgorithms = []SignatureScheme{
 +      PSSWithSHA256,
 +      PSSWithSHA384,
 +      PSSWithSHA512,
 +      PKCS1WithSHA256,
 +      ECDSAWithP256AndSHA256,
 +      PKCS1WithSHA384,
 +      ECDSAWithP384AndSHA384,
 +      PKCS1WithSHA512,
 +      ECDSAWithP521AndSHA512,
 +}
 +
 +// supportedSignatureAlgorithms returns the supported signature algorithms.
 +func supportedSignatureAlgorithms() []SignatureScheme {
 +      if !needFIPS() {
 +              return defaultSupportedSignatureAlgorithms
 +      }
 +      return fipsSupportedSignatureAlgorithms
 +}
 +
++// supportedSignatureAlgorithmsTLS12 returns the supported signature algorithms
++// for TLS 1.2. Issue 32425.
++func supportedSignatureAlgorithmsTLS12() []SignatureScheme {
++      if !needFIPS() {
++              return defaultSupportedSignatureAlgorithmsTLS12
++      }
++      return fipsSupportedSignatureAlgorithms[3:]
++}
++
 +var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme

diff --cc src/crypto/tls/boring_test.go
index c785c01fcc196d6e69e7e752019a8a2abdbd658f,0000000000000000000000000000000000000000..74c2636a8785f704d3c26540978a84b2e3364219
mode 100644,000000..100644
--- 1/src/crypto/tls/boring_test.go
--- /dev/null
+++ b/src/crypto/tls/boring_test.go
@@@ -1,631 -1,0 +1,634 @@@
-       serverConfig := testConfig.Clone()
-       serverConfig.Certificates = make([]Certificate, 1)
- 
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +package tls
 +
 +import (
 +      "crypto/ecdsa"
 +      "crypto/elliptic"
 +      "crypto/internal/boring/fipstls"
 +      "crypto/rand"
 +      "crypto/rsa"
 +      "crypto/x509"
 +      "crypto/x509/pkix"
 +      "encoding/pem"
 +      "fmt"
 +      "math/big"
 +      "net"
 +      "runtime"
 +      "strings"
 +      "testing"
 +      "time"
 +)
 +
 +func TestBoringServerProtocolVersion(t *testing.T) {
 +      test := func(name string, v uint16, msg string) {
 +              t.Run(name, func(t *testing.T) {
 +                      serverConfig := testConfig.Clone()
 +                      serverConfig.MinVersion = VersionSSL30
 +                      clientHello := &clientHelloMsg{
 +                              vers:               v,
 +                              random:             make([]byte, 32),
 +                              cipherSuites:       allCipherSuites(),
 +                              compressionMethods: []uint8{compressionNone},
 +                              supportedVersions:  []uint16{v},
 +                      }
 +                      testClientHelloFailure(t, serverConfig, clientHello, msg)
 +              })
 +      }
 +
 +      test("VersionSSL30", VersionSSL30, "")
 +      test("VersionTLS10", VersionTLS10, "")
 +      test("VersionTLS11", VersionTLS11, "")
 +      test("VersionTLS12", VersionTLS12, "")
 +      test("VersionTLS13", VersionTLS13, "")
 +
 +      fipstls.Force()
 +      defer fipstls.Abandon()
 +      test("VersionSSL30", VersionSSL30, "client offered only unsupported versions")
 +      test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
 +      test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
 +      test("VersionTLS12", VersionTLS12, "")
 +      test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
 +}
 +
 +func isBoringVersion(v uint16) bool {
 +      return v == VersionTLS12
 +}
 +
 +func isBoringCipherSuite(id uint16) bool {
 +      switch id {
 +      case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 +              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 +              TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 +              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 +              TLS_RSA_WITH_AES_128_GCM_SHA256,
 +              TLS_RSA_WITH_AES_256_GCM_SHA384:
 +              return true
 +      }
 +      return false
 +}
 +
 +func isBoringCurve(id CurveID) bool {
 +      switch id {
 +      case CurveP256, CurveP384, CurveP521:
 +              return true
 +      }
 +      return false
 +}
 +
 +func isECDSA(id uint16) bool {
 +      for _, suite := range cipherSuites {
 +              if suite.id == id {
 +                      return suite.flags&suiteECSign == suiteECSign
 +              }
 +      }
 +      panic(fmt.Sprintf("unknown cipher suite %#x", id))
 +}
 +
 +func isBoringSignatureScheme(alg SignatureScheme) bool {
 +      switch alg {
 +      default:
 +              return false
 +      case PKCS1WithSHA256,
 +              ECDSAWithP256AndSHA256,
 +              PKCS1WithSHA384,
 +              ECDSAWithP384AndSHA384,
 +              PKCS1WithSHA512,
 +              ECDSAWithP521AndSHA512,
 +              PSSWithSHA256,
 +              PSSWithSHA384,
 +              PSSWithSHA512:
 +              // ok
 +      }
 +      return true
 +}
 +
 +func TestBoringServerCipherSuites(t *testing.T) {
 +      serverConfig := testConfig.Clone()
 +      serverConfig.CipherSuites = allCipherSuites()
 +      serverConfig.Certificates = make([]Certificate, 1)
 +
 +      for _, id := range allCipherSuites() {
 +              if isECDSA(id) {
 +                      serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
 +                      serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
 +              } else {
 +                      serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate}
 +                      serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
 +              }
 +              serverConfig.BuildNameToCertificate()
 +              t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) {
 +                      clientHello := &clientHelloMsg{
 +                              vers:               VersionTLS12,
 +                              random:             make([]byte, 32),
 +                              cipherSuites:       []uint16{id},
 +                              compressionMethods: []uint8{compressionNone},
 +                              supportedCurves:    defaultCurvePreferences,
 +                              supportedPoints:    []uint8{pointFormatUncompressed},
 +                      }
 +
 +                      testClientHello(t, serverConfig, clientHello)
 +                      t.Run("fipstls", func(t *testing.T) {
 +                              fipstls.Force()
 +                              defer fipstls.Abandon()
 +                              msg := ""
 +                              if !isBoringCipherSuite(id) {
 +                                      msg = "no cipher suite supported by both client and server"
 +                              }
 +                              testClientHelloFailure(t, serverConfig, clientHello, msg)
 +                      })
 +              })
 +      }
 +}
 +
 +func TestBoringServerCurves(t *testing.T) {
 +      serverConfig := testConfig.Clone()
 +      serverConfig.Certificates = make([]Certificate, 1)
 +      serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
 +      serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
 +      serverConfig.BuildNameToCertificate()
 +
 +      for _, curveid := range defaultCurvePreferences {
 +              t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) {
 +                      clientHello := &clientHelloMsg{
 +                              vers:               VersionTLS12,
 +                              random:             make([]byte, 32),
 +                              cipherSuites:       []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
 +                              compressionMethods: []uint8{compressionNone},
 +                              supportedCurves:    []CurveID{curveid},
 +                              supportedPoints:    []uint8{pointFormatUncompressed},
 +                      }
 +
 +                      testClientHello(t, serverConfig, clientHello)
 +
 +                      // With fipstls forced, bad curves should be rejected.
 +                      t.Run("fipstls", func(t *testing.T) {
 +                              fipstls.Force()
 +                              defer fipstls.Abandon()
 +                              msg := ""
 +                              if !isBoringCurve(curveid) {
 +                                      msg = "no cipher suite supported by both client and server"
 +                              }
 +                              testClientHelloFailure(t, serverConfig, clientHello, msg)
 +                      })
 +              })
 +      }
 +}
 +
 +func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
 +      c, s := localPipe(t)
 +      client := Client(c, clientConfig)
 +      server := Server(s, serverConfig)
 +      done := make(chan error, 1)
 +      go func() {
 +              done <- client.Handshake()
 +              c.Close()
 +      }()
 +      serverErr = server.Handshake()
 +      s.Close()
 +      clientErr = <-done
 +      return
 +}
 +
 +func TestBoringServerSignatureAndHash(t *testing.T) {
-               testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
- 
 +      defer func() {
 +              testingOnlyForceClientHelloSignatureAlgorithms = nil
 +      }()
 +
 +      for _, sigHash := range defaultSupportedSignatureAlgorithms {
-                       switch sigHash {
-                       case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512,
-                               PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
 +              t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) {
-                       case Ed25519:
++                      serverConfig := testConfig.Clone()
++                      serverConfig.Certificates = make([]Certificate, 1)
++
++                      testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
++
++                      switch signatureFromSignatureScheme(sigHash) {
++                      case signaturePKCS1v15, signatureRSAPSS:
 +                              serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
 +                              serverConfig.Certificates[0].Certificate = [][]byte{testRSA2048Certificate}
 +                              serverConfig.Certificates[0].PrivateKey = testRSA2048PrivateKey
-                       default:
++                      case signatureEd25519:
 +                              serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
 +                              serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate}
 +                              serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey
-                       serverConfig.MaxVersion = VersionTLS12
++                      case signatureECDSA:
 +                              serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
 +                              serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
 +                              serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
 +                      }
 +                      serverConfig.BuildNameToCertificate()
 +                      // PKCS#1 v1.5 signature algorithms can't be used standalone in TLS
 +                      // 1.3, and the ECDSA ones bind to the curve used.
-                               if isBoringSignatureScheme(sigHash) {
++                      // RSA-PSS signatures are not supported in TLS 1.2. Issue 32425.
++                      if signatureFromSignatureScheme(sigHash) != signatureRSAPSS {
++                              serverConfig.MaxVersion = VersionTLS12
++                      }
 +
 +                      clientErr, serverErr := boringHandshake(t, testConfig, serverConfig)
 +                      if clientErr != nil {
 +                              t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
 +                      }
 +
 +                      // With fipstls forced, bad curves should be rejected.
 +                      t.Run("fipstls", func(t *testing.T) {
 +                              fipstls.Force()
 +                              defer fipstls.Abandon()
 +                              clientErr, _ := boringHandshake(t, testConfig, serverConfig)
++                              // RSA-PSS is only supported in TLS 1.3, prohibited by forcing fipstls. Issue 32425.
++                              if isBoringSignatureScheme(sigHash) && signatureFromSignatureScheme(sigHash) != signatureRSAPSS {
 +                                      if clientErr != nil {
 +                                              t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr)
 +                                      }
 +                              } else {
 +                                      if clientErr == nil {
 +                                              t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash)
 +                                      }
 +                              }
 +                      })
 +              })
 +      }
 +}
 +
 +func TestBoringClientHello(t *testing.T) {
 +      // Test that no matter what we put in the client config,
 +      // the client does not offer non-FIPS configurations.
 +      fipstls.Force()
 +      defer fipstls.Abandon()
 +
 +      c, s := net.Pipe()
 +      defer c.Close()
 +      defer s.Close()
 +
 +      clientConfig := testConfig.Clone()
 +      // All sorts of traps for the client to avoid.
 +      clientConfig.MinVersion = VersionSSL30
 +      clientConfig.MaxVersion = VersionTLS13
 +      clientConfig.CipherSuites = allCipherSuites()
 +      clientConfig.CurvePreferences = defaultCurvePreferences
 +
 +      go Client(c, testConfig).Handshake()
 +      srv := Server(s, testConfig)
 +      msg, err := srv.readHandshake()
 +      if err != nil {
 +              t.Fatal(err)
 +      }
 +      hello, ok := msg.(*clientHelloMsg)
 +      if !ok {
 +              t.Fatalf("unexpected message type %T", msg)
 +      }
 +
 +      if !isBoringVersion(hello.vers) {
 +              t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12)
 +      }
 +      for _, v := range hello.supportedVersions {
 +              if !isBoringVersion(v) {
 +                      t.Errorf("client offered disallowed version %#x", v)
 +              }
 +      }
 +      for _, id := range hello.cipherSuites {
 +              if !isBoringCipherSuite(id) {
 +                      t.Errorf("client offered disallowed suite %#x", id)
 +              }
 +      }
 +      for _, id := range hello.supportedCurves {
 +              if !isBoringCurve(id) {
 +                      t.Errorf("client offered disallowed curve %d", id)
 +              }
 +      }
 +      for _, sigHash := range hello.supportedSignatureAlgorithms {
 +              if !isBoringSignatureScheme(sigHash) {
 +                      t.Errorf("client offered disallowed signature-and-hash %v", sigHash)
 +              }
 +      }
 +}
 +
 +func TestBoringCertAlgs(t *testing.T) {
 +      // NaCl, arm and wasm time out generating keys. Nothing in this test is architecture-specific, so just don't bother on those.
 +      if runtime.GOOS == "nacl" || runtime.GOARCH == "arm" || runtime.GOOS == "js" {
 +              t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH)
 +      }
 +
 +      // Set up some roots, intermediate CAs, and leaf certs with various algorithms.
 +      // X_Y is X signed by Y.
 +      R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
 +      R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
 +
 +      M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
 +      M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
 +
 +      I_R1 := boringCert(t, "I_R1", boringRSAKey(t, 3072), R1, boringCertCA|boringCertFIPSOK)
 +      I_R2 := boringCert(t, "I_R2", I_R1.key, R2, boringCertCA|boringCertFIPSOK)
 +      I_M1 := boringCert(t, "I_M1", I_R1.key, M1_R1, boringCertCA|boringCertFIPSOK)
 +      I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
 +
 +      L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
 +      L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
 +
 +      // boringCert checked that isBoringCertificate matches the caller's boringCertFIPSOK bit.
 +      // If not, no point in building bigger end-to-end tests.
 +      if t.Failed() {
 +              t.Fatalf("isBoringCertificate failures; not continuing")
 +      }
 +
 +      // client verifying server cert
 +      testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
 +              clientConfig := testConfig.Clone()
 +              clientConfig.RootCAs = pool
 +              clientConfig.InsecureSkipVerify = false
 +              clientConfig.ServerName = "example.com"
 +
 +              serverConfig := testConfig.Clone()
 +              serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
 +              serverConfig.BuildNameToCertificate()
 +
 +              clientErr, _ := boringHandshake(t, clientConfig, serverConfig)
 +
 +              if (clientErr == nil) == ok {
 +                      if ok {
 +                              t.Logf("%s: accept", desc)
 +                      } else {
 +                              t.Logf("%s: reject", desc)
 +                      }
 +              } else {
 +                      if ok {
 +                              t.Errorf("%s: BAD reject (%v)", desc, clientErr)
 +                      } else {
 +                              t.Errorf("%s: BAD accept", desc)
 +                      }
 +              }
 +      }
 +
 +      // server verifying client cert
 +      testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
 +              clientConfig := testConfig.Clone()
 +              clientConfig.ServerName = "example.com"
 +              clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
 +
 +              serverConfig := testConfig.Clone()
 +              serverConfig.ClientCAs = pool
 +              serverConfig.ClientAuth = RequireAndVerifyClientCert
 +
 +              _, serverErr := boringHandshake(t, clientConfig, serverConfig)
 +
 +              if (serverErr == nil) == ok {
 +                      if ok {
 +                              t.Logf("%s: accept", desc)
 +                      } else {
 +                              t.Logf("%s: reject", desc)
 +                      }
 +              } else {
 +                      if ok {
 +                              t.Errorf("%s: BAD reject (%v)", desc, serverErr)
 +                      } else {
 +                              t.Errorf("%s: BAD accept", desc)
 +                      }
 +              }
 +      }
 +
 +      // Run simple basic test with known answers before proceeding to
 +      // exhaustive test with computed answers.
 +      r1pool := x509.NewCertPool()
 +      r1pool.AddCert(R1.cert)
 +      testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
 +      testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
 +      fipstls.Force()
 +      testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
 +      testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
 +      fipstls.Abandon()
 +
 +      if t.Failed() {
 +              t.Fatal("basic test failed, skipping exhaustive test")
 +      }
 +
 +      if testing.Short() {
 +              t.Logf("basic test passed; skipping exhaustive test in -short mode")
 +              return
 +      }
 +
 +      for l := 1; l <= 2; l++ {
 +              leaf := L1_I
 +              if l == 2 {
 +                      leaf = L2_I
 +              }
 +              for i := 0; i < 64; i++ {
 +                      reachable := map[string]bool{leaf.parentOrg: true}
 +                      reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK}
 +                      list := [][]byte{leaf.der}
 +                      listName := leaf.name
 +                      addList := func(cond int, c *boringCertificate) {
 +                              if cond != 0 {
 +                                      list = append(list, c.der)
 +                                      listName += "," + c.name
 +                                      if reachable[c.org] {
 +                                              reachable[c.parentOrg] = true
 +                                      }
 +                                      if reachableFIPS[c.org] && c.fipsOK {
 +                                              reachableFIPS[c.parentOrg] = true
 +                                      }
 +                              }
 +                      }
 +                      addList(i&1, I_R1)
 +                      addList(i&2, I_R2)
 +                      addList(i&4, I_M1)
 +                      addList(i&8, I_M2)
 +                      addList(i&16, M1_R1)
 +                      addList(i&32, M2_R1)
 +
 +                      for r := 1; r <= 3; r++ {
 +                              pool := x509.NewCertPool()
 +                              rootName := ","
 +                              shouldVerify := false
 +                              shouldVerifyFIPS := false
 +                              addRoot := func(cond int, c *boringCertificate) {
 +                                      if cond != 0 {
 +                                              rootName += "," + c.name
 +                                              pool.AddCert(c.cert)
 +                                              if reachable[c.org] {
 +                                                      shouldVerify = true
 +                                              }
 +                                              if reachableFIPS[c.org] && c.fipsOK {
 +                                                      shouldVerifyFIPS = true
 +                                              }
 +                                      }
 +                              }
 +                              addRoot(r&1, R1)
 +                              addRoot(r&2, R2)
 +                              rootName = rootName[1:] // strip leading comma
 +                              testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
 +                              testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
 +                              fipstls.Force()
 +                              testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS)
 +                              testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS)
 +                              fipstls.Abandon()
 +                      }
 +              }
 +      }
 +}
 +
 +const (
 +      boringCertCA = iota
 +      boringCertLeaf
 +      boringCertFIPSOK = 0x80
 +)
 +
 +func boringRSAKey(t *testing.T, size int) *rsa.PrivateKey {
 +      k, err := rsa.GenerateKey(rand.Reader, size)
 +      if err != nil {
 +              t.Fatal(err)
 +      }
 +      return k
 +}
 +
 +func boringECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey {
 +      k, err := ecdsa.GenerateKey(curve, rand.Reader)
 +      if err != nil {
 +              t.Fatal(err)
 +      }
 +      return k
 +}
 +
 +type boringCertificate struct {
 +      name      string
 +      org       string
 +      parentOrg string
 +      der       []byte
 +      cert      *x509.Certificate
 +      key       interface{}
 +      fipsOK    bool
 +}
 +
 +func boringCert(t *testing.T, name string, key interface{}, parent *boringCertificate, mode int) *boringCertificate {
 +      org := name
 +      parentOrg := ""
 +      if i := strings.Index(org, "_"); i >= 0 {
 +              org = org[:i]
 +              parentOrg = name[i+1:]
 +      }
 +      tmpl := &x509.Certificate{
 +              SerialNumber: big.NewInt(1),
 +              Subject: pkix.Name{
 +                      Organization: []string{org},
 +              },
 +              NotBefore: time.Unix(0, 0),
 +              NotAfter:  time.Unix(0, 0),
 +
 +              KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 +              ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 +              BasicConstraintsValid: true,
 +      }
 +      if mode&^boringCertFIPSOK == boringCertLeaf {
 +              tmpl.DNSNames = []string{"example.com"}
 +      } else {
 +              tmpl.IsCA = true
 +              tmpl.KeyUsage |= x509.KeyUsageCertSign
 +      }
 +
 +      var pcert *x509.Certificate
 +      var pkey interface{}
 +      if parent != nil {
 +              pcert = parent.cert
 +              pkey = parent.key
 +      } else {
 +              pcert = tmpl
 +              pkey = key
 +      }
 +
 +      var pub interface{}
 +      var desc string
 +      switch k := key.(type) {
 +      case *rsa.PrivateKey:
 +              pub = &k.PublicKey
 +              desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
 +      case *ecdsa.PrivateKey:
 +              pub = &k.PublicKey
 +              desc = "ECDSA-" + k.Curve.Params().Name
 +      default:
 +              t.Fatalf("invalid key %T", key)
 +      }
 +
 +      der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey)
 +      if err != nil {
 +              t.Fatal(err)
 +      }
 +      cert, err := x509.ParseCertificate(der)
 +      if err != nil {
 +              t.Fatal(err)
 +      }
 +
 +      // Tell isBoringCertificate to enforce FIPS restrictions for this check.
 +      fipstls.Force()
 +      defer fipstls.Abandon()
 +
 +      fipsOK := mode&boringCertFIPSOK != 0
 +      if isBoringCertificate(cert) != fipsOK {
 +              t.Errorf("isBoringCertificate(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
 +      }
 +      return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK}
 +}
 +
 +// A self-signed test certificate with an RSA key of size 2048, for testing
 +// RSA-PSS with SHA512. SAN of example.golang.
 +var (
 +      testRSA2048Certificate []byte
 +      testRSA2048PrivateKey  *rsa.PrivateKey
 +)
 +
 +func init() {
 +      block, _ := pem.Decode([]byte(`
 +-----BEGIN CERTIFICATE-----
 +MIIC/zCCAeegAwIBAgIRALHHX/kh4+4zMU9DarzBEcQwDQYJKoZIhvcNAQELBQAw
 +EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xMTAxMDExNTA0MDVaFw0yMDEyMjkxNTA0
 +MDVaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
 +ggEKAoIBAQCf8fk0N6ieCBX4IOVIfKitt4kGcOQLeimCfsjqqHcysMIVGEtFSM6E
 +4Ay141f/7IqdW0UtIqNb4PXhROID7yDxR284xL6XbCuv/t5hP3UcehYc3hmLiyVd
 +MkZQiZWtfUUJf/1qOtM+ohNg59LRWp4d+6iX0la1JL3EwCIckkNjJ9hQbF7Pb2CS
 ++ES9Yo55KAap8KOblpcR8MBSN38bqnwjfQdCXvOEOjam2HUxKzEFX5MA+fA0me4C
 +ioCcCRLWKl+GoN9F8fABfoZ+T+2eal4DLuO95rXR8SrOIVBh3XFOr/RVhjtXcNVF
 +ZKcvDt6d68V6jAKAYKm5nlj9GPpd4v+rAgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIF
 +oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBkGA1UdEQQSMBCC
 +DmV4YW1wbGUuZ29sYW5nMA0GCSqGSIb3DQEBCwUAA4IBAQCOoYsVcFCBhboqe3WH
 +dC6V7XXXECmnjh01r8h80yv0NR379nSD3cw2M+HKvaXysWqrl5hjGVKw0vtwD81r
 +V4JzDu7IfIog5m8+QNC+7LqDZsz88vDKOrsoySVOmUCgmCKFXew+LA+eO/iQEJTr
 +7ensddOeXJEp27Ed5vW+kmWW3Qmglc2Gwy8wFrMDIqnrnOzBA4oCnDEgtXJt0zog
 +nRwbfEMAWi1aQRy5dT9KA3SP9mo5SeTFSzGGHiE4s4gHUe7jvsAFF2qgtD6+wH6s
 +z9b6shxnC7g5IlBKhI7SVB/Uqt2ydJ+kH1YbjMcIq6NAM5eNMKgZuJr3+zwsSgwh
 +GNaE
 +-----END CERTIFICATE-----`))
 +      testRSA2048Certificate = block.Bytes
 +
 +      block, _ = pem.Decode([]byte(`
 +-----BEGIN RSA PRIVATE KEY-----
 +MIIEpAIBAAKCAQEAn/H5NDeonggV+CDlSHyorbeJBnDkC3opgn7I6qh3MrDCFRhL
 +RUjOhOAMteNX/+yKnVtFLSKjW+D14UTiA+8g8UdvOMS+l2wrr/7eYT91HHoWHN4Z
 +i4slXTJGUImVrX1FCX/9ajrTPqITYOfS0VqeHfuol9JWtSS9xMAiHJJDYyfYUGxe
 +z29gkvhEvWKOeSgGqfCjm5aXEfDAUjd/G6p8I30HQl7zhDo2pth1MSsxBV+TAPnw
 +NJnuAoqAnAkS1ipfhqDfRfHwAX6Gfk/tnmpeAy7jvea10fEqziFQYd1xTq/0VYY7
 +V3DVRWSnLw7enevFeowCgGCpuZ5Y/Rj6XeL/qwIDAQABAoIBAQCNpMZifd/vg42h
 +HdCvLuZaYS0R7SunFlpoXEsltGdLFsnp0IfoJZ/ugFQBSAIIfLwMumU6oXA1z7Uv
 +98aIYV61DePrTCDVDFBsHbNmP8JAo8WtbusEbwd5zyoB7LYG2+clkJklWE73KqUq
 +rmI+UJeyScl2Gin7ZTxBXz1WPBk9VwcnwkeaXpgASIBW23fhECM9gnYEEwaBez5T
 +6Me8d1tHtYQv7vsKe7ro9w9/HKrRXejqYKK1LxkhfFriyV+m8LZJZn2nXOa6G3gF
 +Nb8Qk1Uk5PUBENBmyMFJhT4M/uuSq4YtMrrO2gi8Q+fPhuGzc5SshYKRBp0W4P5r
 +mtVCtEFRAoGBAMENBIFLrV2+HsGj0xYFasKov/QPe6HSTR1Hh2IZONp+oK4oszWE
 +jBT4VcnITmpl6tC1Wy4GcrxjNgKIFZAj+1x1LUULdorXkuG8yr0tAhG9zNyfWsSy
 +PrSovC0UVbzr8Jxxla+kQVxEQQqWQxPlEVuL8kXaIDA6Lyt1Hpua2LvPAoGBANQZ
 +c6Lq2T7+BxLxNdi2m8kZzej5kgzBp/XdVsbFWRlebIX2KrFHsrHzT9PUk3DE1vZK
 +M6pzTt94nQhWSkDgCaw1SohElJ3HFIFwcusF1SJAc3pQepd8ug6IYdlpDMLtBj/P
 +/5P6BVUtgo05E4+I/T3iYatmglQxTtlZ0RkSV2llAoGBALOXkKFX7ahPvf0WksDh
 +uTfuFOTPoowgQG0EpgW0wRdCxeg/JLic3lSD0gsttQV2WsRecryWcxaelRg10RmO
 +38BbogmhaF4xvgsSvujOfiZTE8oK1T43M+6NKsIlML3YILbpU/9aJxPWy0s2DqDr
 +cQJhZrlk+pzjBA7Bnf/URdwxAoGAKR/CNw14D+mrL3YLbbiCXiydqxVwxv5pdZdz
 +8thi3TNcsWC4iGURdcVqbfUinVPdJiXe/Kac3WGCeRJaFVgbKAOxLti1RB5MkIhg
 +D8eyupBqk4W1L1gkrxqsdj4TFlxkwMywjl2E2S4YyQ8PBt6V04DoVRZsIKzqz+PF
 +UionPq0CgYBCYXvqioJhPewkOq/Y5wrDBeZW1FQK5QD9W5M8/5zxd4rdvJtjhbJp
 +oOrtvMdrl6upy9Hz4BJD3FXwVFiPFE7jqeNqi0F21viLxBPMMD3UODF6LL5EyLiR
 +9V4xVMS8KXxvg7rxsuqzMPscViaWUL6WNVBhsD2+92dHxSXzz5EJKQ==
 +-----END RSA PRIVATE KEY-----`))
 +      var err error
 +      testRSA2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 +      if err != nil {
 +              panic(err)
 +      }
 +}

diff --cc src/crypto/tls/common.go
index 396676328a7097400635348ac566e906398267c0,d135b1fc994cf4bc1c653cc08eb0896d3acad33b..f7e0f8e1648ab27c2c1cca95b5a7f9ef3279589b
--- 1/src/crypto/tls/common.go
--- 2/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@@ -184,6 -182,21 +184,21 @@@ var defaultSupportedSignatureAlgorithm
        ECDSAWithP384AndSHA384,
        ECDSAWithP521AndSHA512,
        PKCS1WithSHA1,
 -// supportedSignatureAlgorithmsTLS12 contains the signature and hash algorithms
+       ECDSAWithSHA1,
+ }
+ 
 -var supportedSignatureAlgorithmsTLS12 = []SignatureScheme{
++// defaultSupportedSignatureAlgorithmsTLS12 contains the signature and hash algorithms
+ // that are supported in TLS 1.2, where it is possible to distinguish the
+ // protocol version. This is temporary, see Issue 32425.
++var defaultSupportedSignatureAlgorithmsTLS12 = []SignatureScheme{
+       PKCS1WithSHA256,
+       ECDSAWithP256AndSHA256,
+       Ed25519,
+       PKCS1WithSHA384,
+       PKCS1WithSHA512,
+       ECDSAWithP384AndSHA384,
+       ECDSAWithP521AndSHA512,
+       PKCS1WithSHA1,
        ECDSAWithSHA1,
  }
  

diff --cc src/crypto/tls/handshake_client.go
index e8f327e23fa861f2e906ccf9ac93757ddd4380ed,ed000eb6192a06b948d1b35f4bfbdeca05150a2c..1ff342214824fb7465177ab76db14c3096996b53
--- 1/src/crypto/tls/handshake_client.go
--- 2/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@@ -576,7 -573,7 +576,7 @@@ func (hs *clientHandshakeState) doFullH
                        return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey)
                }
  
-               signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, hs.hello.supportedSignatureAlgorithms, c.vers)
 -              signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12, c.vers)
++              signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12(), c.vers)
                if err != nil {
                        c.sendAlert(alertInternalError)
                        return err

diff --cc src/crypto/tls/handshake_server.go
index 969c4babefced21ee0f61739a0db604d99ac0e8f,a3d8848caf9c354b69b7360ba626fe8ed8ce69c4..366c19a0f5bdb0f4fc3746f016b85e79e01db439
--- 1/src/crypto/tls/handshake_server.go
--- 2/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@@ -466,7 -467,7 +467,7 @@@ func (hs *serverHandshakeState) doFullH
                }
                if c.vers >= VersionTLS12 {
                        certReq.hasSignatureAlgorithm = true
-                       certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
 -                      certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithmsTLS12
++                      certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithmsTLS12()
                }
  
                // An empty list of certificateAuthorities signals to

diff --cc src/crypto/tls/key_agreement.go
index fdf8f803a0304330293696140d057e319394ff22,2922017cc4dd08c5bf30a921ee54c7d1834a3484..c92dd2e5b5bafc4777651cf4db2ccf7d40fce4bf
--- 1/src/crypto/tls/key_agreement.go
--- 2/src/crypto/tls/key_agreement.go
+++ b/src/crypto/tls/key_agreement.go
@@@ -185,7 -185,7 +185,7 @@@ NextCandidate
                return nil, errors.New("tls: certificate private key does not implement crypto.Signer")
        }
  
-       signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms(), ka.version)
 -      signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12, ka.version)
++      signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12(), ka.version)
        if err != nil {
                return nil, err
        }