[dev.boringcrypto] crypto/tls: permit P-521 in FIPS mode While BoringCrypto has a certification for P-521, the go code disallows certificates with it. This change permits those certificates to be used. Change-Id: I451c91a845f22ff0e4c3e922eaf8bf82466e80ae Reviewed-on: https://go-review.googlesource.com/c/go/+/343880 Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Dmitri Shuralyov <dmitshur@golang.org>

commit: 5ae200d5268aa8a2d56a0ba9885466c9b72e79b4 [log] [tgz]
author: Watson Ladd <watson@cloudflare.com> Fri Aug 20 15:52:08 2021 -0700
committer: Filippo Valsorda <filippo@golang.org> Fri Aug 27 12:51:19 2021 +0000
tree: 2cc05b885194c261bd86e8cd2477cbd684d70047
parent: 083811d079a659f459eaad4a9dbafec7a50e1a20 [diff]
diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
index 09f71c1..dabc674 100644
--- a/src/crypto/tls/boring.go
+++ b/src/crypto/tls/boring.go

@@ -6,6 +6,7 @@
 
 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/internal/boring/fipstls"
 	"crypto/rsa"
 	"crypto/x509"
@@ -85,7 +86,7 @@
 		return true
 	}
 
-	// Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256.
+	// Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
 	switch k := c.PublicKey.(type) {
 	default:
 		return false
@@ -94,7 +95,7 @@
 			return false
 		}
 	case *ecdsa.PublicKey:
-		if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" {
+		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
 			return false
 		}
 	}
commit	5ae200d5268aa8a2d56a0ba9885466c9b72e79b4	[log] [tgz]
author	Watson Ladd <watson@cloudflare.com>	Fri Aug 20 15:52:08 2021 -0700
committer	Filippo Valsorda <filippo@golang.org>	Fri Aug 27 12:51:19 2021 +0000
tree	2cc05b885194c261bd86e8cd2477cbd684d70047
parent	083811d079a659f459eaad4a9dbafec7a50e1a20 [diff]