golang-fips · karianna · Feb 17, 2025 · Feb 17, 2025
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,7 +6,7 @@ jobs:
       fail-fast: false
       matrix:
         go-version: [1.22.x, 1.23.x]
-        openssl-version: [1.0.2, 1.1.0, 1.1.1, 3.0.1, 3.0.13, 3.1.5, 3.2.1, 3.3.0, 3.3.1]
+        openssl-version: [1.1.0, 1.1.1, 3.0.1, 3.0.13, 3.1.5, 3.2.1, 3.3.0, 3.3.1]
     runs-on: ubuntu-20.04
     steps:
     - name: Install build tools

diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ On the other hand, Google maintains a branch that uses cgo and BoringSSL to impl
 
 ### Multiple OpenSSL versions supported
 
-The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.x.
+The `openssl` package has support for multiple OpenSSL versions, namely 1.1.0, 1.1.1 and 3.x.
 
 All supported OpenSSL versions pass a small set of automatic tests that ensure they can be built and that there are no major regressions.
 These tests do not validate the cryptographic correctness of the `openssl` package.

diff --git a/cmd/checkheader/main.go b/cmd/checkheader/main.go
@@ -289,18 +289,12 @@ func tryConvertDefineFunc(w io.Writer, l string, i int) bool {
 		writeDefineFunc("")
 	case "DEFINEFUNC_LEGACY_1_1":
 		writeDefineFunc("(OPENSSL_VERSION_NUMBER >= 0x10100000L) && (OPENSSL_VERSION_NUMBER < 0x30000000L)")
-	case "DEFINEFUNC_LEGACY_1_0":
-		writeDefineFunc("OPENSSL_VERSION_NUMBER < 0x10100000L")
 	case "DEFINEFUNC_LEGACY_1":
 		writeDefineFunc("OPENSSL_VERSION_NUMBER < 0x30000000L")
-	case "DEFINEFUNC_1_1":
-		writeDefineFunc("OPENSSL_VERSION_NUMBER >= 0x10100000L")
 	case "DEFINEFUNC_1_1_1":
 		writeDefineFunc("OPENSSL_VERSION_NUMBER >= 0x10101000L")
 	case "DEFINEFUNC_3_0":
 		writeDefineFunc("OPENSSL_VERSION_NUMBER >= 0x30000000L")
-	case "DEFINEFUNC_RENAMED_1_1":
-		writeDefineFuncRename("OPENSSL_VERSION_NUMBER < 0x10100000L")
 	case "DEFINEFUNC_RENAMED_3_0":
 		writeDefineFuncRename("OPENSSL_VERSION_NUMBER < 0x30000000L")
 	default:

diff --git a/dsa.go b/dsa.go
@@ -91,11 +91,7 @@ func GenerateParametersDSA(l, n int) (DSAParameters, error) {
 	switch vMajor {
 	case 1:
 		dsa := getDSA(pkey)
-		if vMinor == 0 {
-			C.go_openssl_DSA_get0_pqg_backport(dsa, &p, &q, &g)
-		} else {
-			C.go_openssl_DSA_get0_pqg(dsa, &p, &q, &g)
-		}
+		C.go_openssl_DSA_get0_pqg(dsa, &p, &q, &g)
 	case 3:
 		defer func() {
 			C.go_openssl_BN_free(p)
@@ -157,11 +153,7 @@ func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {
 	switch vMajor {
 	case 1:
 		dsa := getDSA(pkey)
-		if vMinor == 0 {
-			C.go_openssl_DSA_get0_key_backport(dsa, &by, &bx)
-		} else {
-			C.go_openssl_DSA_get0_key(dsa, &by, &bx)
-		}
+		C.go_openssl_DSA_get0_key(dsa, &by, &bx)
 	case 3:
 		defer func() {
 			C.go_openssl_BN_clear_free(bx)
@@ -212,12 +204,7 @@ func newDSA1(params DSAParameters, x, y BigInt) (pkey C.GO_EVP_PKEY_PTR, err err
 	}()
 
 	p, q, g := bigToBN(params.P), bigToBN(params.Q), bigToBN(params.G)
-	var ret C.int
-	if vMinor == 0 {
-		ret = C.go_openssl_DSA_set0_pqg_backport(dsa, p, q, g)
-	} else {
-		ret = C.go_openssl_DSA_set0_pqg(dsa, p, q, g)
-	}
+	ret := C.go_openssl_DSA_set0_pqg(dsa, p, q, g)
 	if ret != 1 {
 		C.go_openssl_BN_free(p)
 		C.go_openssl_BN_free(q)
@@ -226,11 +213,7 @@ func newDSA1(params DSAParameters, x, y BigInt) (pkey C.GO_EVP_PKEY_PTR, err err
 	}
 	if y != nil {
 		pub, priv := bigToBN(y), bigToBN(x)
-		if vMinor == 0 {
-			ret = C.go_openssl_DSA_set0_key_backport(dsa, pub, priv)
-		} else {
-			ret = C.go_openssl_DSA_set0_key(dsa, pub, priv)
-		}
+		ret = C.go_openssl_DSA_set0_key(dsa, pub, priv)
 		if ret != 1 {
 			C.go_openssl_BN_free(pub)
 			C.go_openssl_BN_clear_free(priv)
@@ -308,14 +291,8 @@ func newDSA3(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) {
 // getDSA returns the DSA from pkey.
 // If pkey does not contain an DSA it panics.
 // The returned key should not be freed.
-func getDSA(pkey C.GO_EVP_PKEY_PTR) (key C.GO_DSA_PTR) {
-	if vMajor == 1 && vMinor == 0 {
-		if key0 := C.go_openssl_EVP_PKEY_get0(pkey); key0 != nil {
-			key = C.GO_DSA_PTR(key0)
-		}
-	} else {
-		key = C.go_openssl_EVP_PKEY_get0_DSA(pkey)
-	}
+func getDSA(pkey C.GO_EVP_PKEY_PTR) C.GO_DSA_PTR {
+	key := C.go_openssl_EVP_PKEY_get0_DSA(pkey)
 	if key == nil {
 		panic("pkey does not contain an DSA")
 	}

diff --git a/evp.go b/evp.go
@@ -95,12 +95,7 @@ func loadHash(ch crypto.Hash) *hashAlgorithm {
 		hash.magic = md5Magic
 		hash.marshalledSize = md5MarshaledSize
 	case crypto.MD5SHA1:
-		if vMajor == 1 && vMinor == 0 {
-			// OpenSSL 1.0.2 does not support MD5SHA1.
-			hash.md = nil
-		} else {
-			hash.md = C.go_openssl_EVP_md5_sha1()
-		}
+		hash.md = C.go_openssl_EVP_md5_sha1()
 	case crypto.SHA1:
 		hash.md = C.go_openssl_EVP_sha1()
 		hash.magic = sha1Magic
@@ -522,14 +517,8 @@ func newEVPPKEY(key C.GO_EC_KEY_PTR) (C.GO_EVP_PKEY_PTR, error) {
 // getECKey returns the EC_KEY from pkey.
 // If pkey does not contain an EC_KEY it panics.
 // The returned key should not be freed.
-func getECKey(pkey C.GO_EVP_PKEY_PTR) (key C.GO_EC_KEY_PTR) {
-	if vMajor == 1 && vMinor == 0 {
-		if key0 := C.go_openssl_EVP_PKEY_get0(pkey); key0 != nil {
-			key = C.GO_EC_KEY_PTR(key0)
-		}
-	} else {
-		key = C.go_openssl_EVP_PKEY_get0_EC_KEY(pkey)
-	}
+func getECKey(pkey C.GO_EVP_PKEY_PTR) C.GO_EC_KEY_PTR {
+	key := C.go_openssl_EVP_PKEY_get0_EC_KEY(pkey)
 	if key == nil {
 		panic("pkey does not contain an EC_KEY")
 	}

diff --git a/goopenssl.c b/goopenssl.c
@@ -15,25 +15,19 @@
 
 #define DEFINEFUNC(ret, func, args, argscall)                  ret (*_g_##func)args;
 #define DEFINEFUNC_LEGACY_1_1(ret, func, args, argscall)       DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)       DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)         DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_1_1(ret, func, args, argscall)              DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_1_1_1(ret, func, args, argscall)            DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_3_0(ret, func, args, argscall)              DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall) DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall) DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_VARIADIC_3_0(ret, func, newname, args, argscall)  DEFINEFUNC(ret, newname, args, argscall)
 
 FOR_ALL_OPENSSL_FUNCTIONS
 
 #undef DEFINEFUNC
 #undef DEFINEFUNC_LEGACY_1_1
-#undef DEFINEFUNC_LEGACY_1_0
 #undef DEFINEFUNC_LEGACY_1
-#undef DEFINEFUNC_1_1
 #undef DEFINEFUNC_1_1_1
 #undef DEFINEFUNC_3_0
-#undef DEFINEFUNC_RENAMED_1_1
 #undef DEFINEFUNC_RENAMED_3_0
 #undef DEFINEFUNC_VARIADIC_3_0
 
@@ -99,21 +93,11 @@ go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor,
     {                                                     \
         DEFINEFUNC_INTERNAL(func, #func)                  \
     }
-#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)  \
-    if (major == 1 && minor == 0)                         \
-    {                                                     \
-        DEFINEFUNC_INTERNAL(func, #func)                  \
-    }
 #define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)  \
     if (major == 1)                                     \
     {                                                   \
         DEFINEFUNC_INTERNAL(func, #func)                \
     }
-#define DEFINEFUNC_1_1(ret, func, args, argscall)     \
-    if (major == 3 || (major == 1 && minor == 1))     \
-    {                                                 \
-        DEFINEFUNC_INTERNAL(func, #func)              \
-    }
 #define DEFINEFUNC_1_1_1(ret, func, args, argscall)     \
     if (major == 3 || (major == 1 && minor == 1 && patch == 1))     \
     {                                                 \
@@ -124,15 +108,6 @@ go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor,
     {                                                 \
         DEFINEFUNC_INTERNAL(func, #func)              \
     }
-#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall)  \
-    if (major == 1 && minor == 0)                                   \
-    {                                                               \
-        DEFINEFUNC_INTERNAL(func, #oldfunc)                         \
-    }                                                               \
-    else                                                            \
-    {                                                               \
-        DEFINEFUNC_INTERNAL(func, #func)                            \
-    }
 #define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall)  \
     if (major == 1)                                                 \
     {                                                               \
@@ -152,12 +127,9 @@ FOR_ALL_OPENSSL_FUNCTIONS
 
 #undef DEFINEFUNC
 #undef DEFINEFUNC_LEGACY_1_1
-#undef DEFINEFUNC_LEGACY_1_0
 #undef DEFINEFUNC_LEGACY_1
-#undef DEFINEFUNC_1_1
 #undef DEFINEFUNC_1_1_1
 #undef DEFINEFUNC_3_0
-#undef DEFINEFUNC_RENAMED_1_1
 #undef DEFINEFUNC_RENAMED_3_0
 #undef DEFINEFUNC_VARIADIC_3_0
 }
@@ -171,11 +143,6 @@ version_num(void* handle)
     if (fn != NULL)
         return fn();
 
-    // SSLeay is defined in OpenSSL 1.0.2.
-    fn = (unsigned long (*)(void))dlsym(handle, "SSLeay");
-    if (fn != NULL)
-        return fn();
-
     return 0;
 } 
 

diff --git a/goopenssl.h b/goopenssl.h
@@ -25,12 +25,7 @@ int go_openssl_fips_enabled(void* handle);
 int go_openssl_version_major(void* handle);
 int go_openssl_version_minor(void* handle);
 int go_openssl_version_patch(void* handle);
-int go_openssl_thread_setup(void);
 void go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor, unsigned int patch);
-void go_openssl_DSA_get0_pqg_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *p, GO_BIGNUM_PTR *q, GO_BIGNUM_PTR *g);
-int go_openssl_DSA_set0_pqg_backport(GO_DSA_PTR d, GO_BIGNUM_PTR p, GO_BIGNUM_PTR q, GO_BIGNUM_PTR g);
-void go_openssl_DSA_get0_key_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *pub_key, GO_BIGNUM_PTR *priv_key);
-int go_openssl_DSA_set0_key_backport(GO_DSA_PTR d, GO_BIGNUM_PTR pub_key, GO_BIGNUM_PTR priv_key);
 
 // Define pointers to all the used OpenSSL functions.
 // Calling C function pointers from Go is currently not supported.
@@ -44,18 +39,12 @@ int go_openssl_DSA_set0_key_backport(GO_DSA_PTR d, GO_BIGNUM_PTR pub_key, GO_BIG
     }
 #define DEFINEFUNC_LEGACY_1_1(ret, func, args, argscall)    \
     DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)    \
-    DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)  \
     DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_1_1(ret, func, args, argscall)   \
-    DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_1_1_1(ret, func, args, argscall)     \
     DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_3_0(ret, func, args, argscall)     \
     DEFINEFUNC(ret, func, args, argscall)
-#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall)     \
-    DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall)     \
     DEFINEFUNC(ret, func, args, argscall)
 #define DEFINEFUNC_VARIADIC_3_0(ret, func, newname, args, argscall)     \
@@ -65,12 +54,9 @@ FOR_ALL_OPENSSL_FUNCTIONS
 
 #undef DEFINEFUNC
 #undef DEFINEFUNC_LEGACY_1_1
-#undef DEFINEFUNC_LEGACY_1_0
 #undef DEFINEFUNC_LEGACY_1
-#undef DEFINEFUNC_1_1
 #undef DEFINEFUNC_1_1_1
 #undef DEFINEFUNC_3_0
-#undef DEFINEFUNC_RENAMED_1_1
 #undef DEFINEFUNC_RENAMED_3_0
 #undef DEFINEFUNC_VARIADIC_3_0
 
@@ -246,16 +232,3 @@ go_openssl_EVP_CIPHER_CTX_open_wrapper(const GO_EVP_CIPHER_CTX_PTR ctx,
 
     return 1;
 }
-
-// Hand-roll custom wrappers for CRYPTO_malloc and CRYPTO_free which cast the
-// function pointers to the correct signatures for OpenSSL 1.0.2.
-
-static inline void *
-go_openssl_CRYPTO_malloc_legacy102(int num, const char *file, int line) {
-    return ((void *(*)(int, const char *, int))_g_CRYPTO_malloc)(num, file, line);
-}
-
-static inline void
-go_openssl_CRYPTO_free_legacy102(void *str) {
-    ((void (*)(void *))_g_CRYPTO_free)(str);
-}
diff --git a/hmac.go b/hmac.go
@@ -76,7 +76,7 @@ type opensslHMAC struct {
 }
 
 func newHMAC1(key []byte, md C.GO_EVP_MD_PTR) hmacCtx1 {
-	ctx := hmacCtxNew()
+	ctx := C.go_openssl_HMAC_CTX_new()
 	if ctx == nil {
 		panic("openssl: EVP_MAC_CTX_new failed")
 	}
@@ -188,7 +188,7 @@ func (h *opensslHMAC) Reset() {
 func (h *opensslHMAC) finalize() {
 	switch vMajor {
 	case 1:
-		hmacCtxFree(h.ctx1.ctx)
+		C.go_openssl_HMAC_CTX_free(h.ctx1.ctx)
 	case 3:
 		C.go_openssl_EVP_MAC_CTX_free(h.ctx3.ctx)
 	default:
@@ -230,11 +230,11 @@ func (h *opensslHMAC) Sum(in []byte) []byte {
 	// and the second Sum acts as if the first didn't happen.
 	switch vMajor {
 	case 1:
-		ctx2 := hmacCtxNew()
+		ctx2 := C.go_openssl_HMAC_CTX_new()
 		if ctx2 == nil {
 			panic("openssl: HMAC_CTX_new failed")
 		}
-		defer hmacCtxFree(ctx2)
+		defer C.go_openssl_HMAC_CTX_free(ctx2)
 		if C.go_openssl_HMAC_CTX_copy(ctx2, h.ctx1.ctx) == 0 {
 			panic("openssl: HMAC_CTX_copy failed")
 		}
@@ -251,24 +251,3 @@ func (h *opensslHMAC) Sum(in []byte) []byte {
 	}
 	return append(in, h.sum...)
 }
-
-func hmacCtxNew() C.GO_HMAC_CTX_PTR {
-	if vMajor == 1 && vMinor == 0 {
-		// 0x120 is the sizeof value when building against OpenSSL 1.0.2 on Ubuntu 16.04.
-		ctx := (C.GO_HMAC_CTX_PTR)(C.malloc(0x120))
-		if ctx != nil {
-			C.go_openssl_HMAC_CTX_init(ctx)
-		}
-		return ctx
-	}
-	return C.go_openssl_HMAC_CTX_new()
-}
-
-func hmacCtxFree(ctx C.GO_HMAC_CTX_PTR) {
-	if vMajor == 1 && vMinor == 0 {
-		C.go_openssl_HMAC_CTX_cleanup(ctx)
-		C.free(unsafe.Pointer(ctx))
-		return
-	}
-	C.go_openssl_HMAC_CTX_free(ctx)
-}
diff --git a/init.go b/init.go
@@ -33,7 +33,7 @@ func opensslInit(file string) (major, minor, patch uint, err error) {
 	major, minor, patch = uint(imajor), uint(iminor), uint(ipatch)
 	var supported bool
 	if major == 1 {
-		supported = minor == 0 || minor == 1
+		supported = minor == 1
 	} else if major == 3 {
 		// OpenSSL guarantees API and ABI compatibility within the same major version since OpenSSL 3.
 		supported = true
@@ -48,17 +48,9 @@ func opensslInit(file string) (major, minor, patch uint, err error) {
 
 	// Initialize OpenSSL.
 	C.go_openssl_OPENSSL_init()
-	if major == 1 && minor == 0 {
-		if C.go_openssl_thread_setup() != 1 {
-			return 0, 0, 0, fail("openssl: thread setup")
-		}
-		C.go_openssl_OPENSSL_add_all_algorithms_conf()
-		C.go_openssl_ERR_load_crypto_strings()
-	} else {
-		flags := C.uint64_t(C.GO_OPENSSL_INIT_ADD_ALL_CIPHERS | C.GO_OPENSSL_INIT_ADD_ALL_DIGESTS | C.GO_OPENSSL_INIT_LOAD_CONFIG | C.GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
-		if C.go_openssl_OPENSSL_init_crypto(flags, nil) != 1 {
-			return 0, 0, 0, fail("openssl: init crypto")
-		}
+	flags := C.uint64_t(C.GO_OPENSSL_INIT_ADD_ALL_CIPHERS | C.GO_OPENSSL_INIT_ADD_ALL_DIGESTS | C.GO_OPENSSL_INIT_LOAD_CONFIG | C.GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
+	if C.go_openssl_OPENSSL_init_crypto(flags, nil) != 1 {
+		return 0, 0, 0, fail("openssl: init crypto")
 	}
 	return major, minor, patch, nil
 }
diff --git a/init_unix.go b/init_unix.go
@@ -2,7 +2,7 @@
 
 package openssl
 
-// #cgo LDFLAGS: -ldl -pthread
+// #cgo LDFLAGS: -ldl
 // #include <stdlib.h>
 // #include <dlfcn.h>
 import "C"