From 8727e9a7ef7044bfc32a29b8b824c18ecc735dff Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Fri, 11 Oct 2024 11:31:09 +0200
Subject: [PATCH 1/2] Simplify IsBoringCrypto

---
 lib/auth/native/boring.go | 16 ++++++++++++++++
 lib/auth/native/native.go | 11 -----------
 lib/auth/native/notboring.go | 11 +++++++++++
 3 files changed, 27 insertions(+), 11 deletions(-)
 create mode 100644 lib/auth/native/boring.go
 create mode 100644 lib/auth/native/notboring.go

diff --git a/lib/auth/native/boring.go b/lib/auth/native/boring.go
new file mode 100644
index 0000000000000..c6ff66a4965f5
--- /dev/null
+++ b/lib/auth/native/boring.go
@@ -0,0 +1,16 @@
+//go:build boringcrypto
+
+package native
+
+import "crypto/boring"
+
+// IsBoringBinary checks if the binary was compiled with BoringCrypto.
+//
+// It's possible to enable the boringcrypto GOEXPERIMENT (which will enable the
+// boringcrypto build tag) even on platforms that don't support the boringcrypto
+// module, which results in crypto packages being available and working, but not
+// actually using a certified cryptographic module, so we have to check
+// [boring.Enabled] even if this is compiled in.
+func IsBoringBinary() bool {
+	return boring.Enabled()
+}
diff --git a/lib/auth/native/native.go b/lib/auth/native/native.go
index 6ab86fd24f436..7b7d015f3ac0a 100644
--- a/lib/auth/native/native.go
+++ b/lib/auth/native/native.go
@@ -20,10 +20,8 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
-	"reflect"
 	"sync"
 	"testing"
 	"time"
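Review bot: The new IsBoringBinary in boring.go (and its counterpart in notboring.go later in this patch) is not exercised by any test, and because boring.go is excluded unless the boringcrypto tag is set, a default `go build`/`go vet` run will not even compile it, so a breakage would surface only in a GOEXPERIMENT=boringcrypto build. crypto/boring is importable on every platform since Go 1.19 and its Enabled() is exactly the value boring.go returns, so one tag-agnostic test covers both files: `if got, want := IsBoringBinary(), boring.Enabled(); got != want { t.Fatalf("IsBoringBinary() = %v, want %v", got, want) }`, plus a CI job that builds the package with GOEXPERIMENT=boringcrypto. It is also worth stating in the doc comment that boring.Enabled only reports that the module handles the operations it supports, not that every primitive this package uses goes through it — the ed25519 import visible in native.go's import hunk is one to confirm — so callers should not read a true result as "all crypto in this binary is FIPS-validated".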
@@ -46,15 +44,6 @@ var precomputedKeys = make(chan *rsa.PrivateKey, 25)
 // startPrecomputeOnce is used to start the background task that precomputes key pairs.
 var startPrecomputeOnce sync.Once
 
-// IsBoringBinary checks if the binary was compiled with BoringCrypto.
-func IsBoringBinary() bool {
-	// Check the package name for one of the boring primitives, if the package
-	// path is from BoringCrypto, we know this binary was compiled against the
-	// dev.boringcrypto branch of Go.
-	hash := sha256.New()
-	return reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring"
-}
-
 // GenerateKeyPair generates a new RSA key pair.
 func GenerateKeyPair() ([]byte, []byte, error) {
 	priv, err := GeneratePrivateKey()
diff --git a/lib/auth/native/notboring.go b/lib/auth/native/notboring.go
new file mode 100644
index 0000000000000..97e4b746fddaf
--- /dev/null
+++ b/lib/auth/native/notboring.go
@@ -0,0 +1,11 @@
+//go:build !boringcrypto
+
+package native
+
+// IsBoringBinary checks if the binary was compiled with BoringCrypto.
+//
+// The boringcrypto GOEXPERIMENT always sets the boringcrypto build tag, so if
+// this is compiled in, we're not using BoringCrypto.
+func IsBoringBinary() bool {
+	return false
+}

From 10ca31733651a091503741731352130a93a4c43e Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Fri, 11 Oct 2024 16:07:42 +0200
Subject: [PATCH 2/2] fix-license for new files

---
 lib/auth/native/boring.go | 16 ++++++++++++++++
 lib/auth/native/notboring.go | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/lib/auth/native/boring.go b/lib/auth/native/boring.go
index c6ff66a4965f5..0c4a8dfc30ede 100644
--- a/lib/auth/native/boring.go
+++ b/lib/auth/native/boring.go
@@ -1,3 +1,19 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
 //go:build boringcrypto
 
 package native
diff --git a/lib/auth/native/notboring.go b/lib/auth/native/notboring.go
index 97e4b746fddaf..3fa57fb55e5cb 100644
--- a/lib/auth/native/notboring.go
+++ b/lib/auth/native/notboring.go
@@ -1,3 +1,19 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
 //go:build !boringcrypto
 
 package native