This is a fork of Go 1.25.0 with:
* crypto/x509 supporting GOST 34.10-2012 X.509 certificates and PKCS#8
private keys
* crypto/tls supporting GOST TLS 1.3
=> Go
You can build it with the following steps:
* clone Go's repository and add gostls13 remote:
$ git clone https://go.googlesource.com/go
$ cd go
$ git remote add gostls13 git://git.cypherpunks.su/gostls13.git
$ git fetch --tags gostls13
$ git checkout go1.25.0-gost
* verify the tag's OpenSSH signature. The SSH public key (PUBKEY-SSH.pub) is
itself signed with the following OpenPGP key [PUBKEY.asc]:
pub rsa2048/0x6D3CFF7C76DADF42 2020-09-03
ADC9 BE5B 198E 8B56 90A8 EC50 6D3C FF7C 76DA DF42
uid Go GOST TLS 1.3 <gostls13 at cypherpunks dot su>
which can be fetched with either of:
$ gpg --auto-key-locate dane --locate-keys gostls13 at cypherpunks dot su
$ gpg --auto-key-locate wkd --locate-keys gostls13 at cypherpunks dot su
That key is in turn signed by the author's own key: http://www.stargrave.org/Contacts.html
Check the OpenPGP signature over the SSH public key, register that key as an
allowed signer, and only then verify the tag:
$ gpg --verify PUBKEY-SSH.pub.asc
$ git config gpg.ssh.allowedSignersFile `realpath PUBKEY-SSH.pub`
$ git tag --verify go1.25.0-gost
* run GoGOST installer:
$ ./gogost-install
=> GoGOST
* build Go the ordinary way, for example:
# $ ./debash # can help on systems without GNU Bash
$ cd src ; GOROOT_BOOTSTRAP=$HOME/go1.22 ./all.bash
Dependency-related unit tests are expected to fail.
GOST-related crypto/tls.SignatureSchemes are not enabled by default, simply
because they would break the native unit tests. crypto/tls also provides no
way to control the TLS 1.3 CipherSuite choice, so the GOST-related suites are
not enabled by default either. Use the tls.GOSTInstall*() functions to enable
all of that.
Note that:
* GOST X.509 certificates use a reversed digest (relative to native
gogost/gost3410 output) during signing, so you should use the
gogost/gost3410.PrivateKeyReverseDigest crypto.Signer
* GOST TLS 1.3 reverses both the digest and the signature value, so you
should use gogost/gost3410.PrivateKeyReverseDigestAndSignature in that case
* GoGOST is quite slow; do not expect high performance
Look at src/crypto/x509/x509_test.go and
src/crypto/tls/gost_test.go for example usage.
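To make the byte-order caveat above concrete, here is an added example (written for this page, not code from the fork or from GoGOST) of what a digest-reversing and a digest-and-signature-reversing crypto.Signer wrapper do, and why the verifier must apply the same byte order. ECDSA P-256 and SHA-256 from standard Go stand in for GOST 34.10/34.11 so the block runs without the fork; the ReverseDigestSigner, ReverseDigestAndSignatureSigner and echoSigner types are illustrative names, not gogost's API.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// reverseBytes returns a reversed copy of b.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// ReverseDigestSigner reverses the digest handed to it by crypto/x509 before
// passing it to the underlying signer. It plays the role the README assigns
// to gogost/gost3410.PrivateKeyReverseDigest; this is an illustration, not
// gogost's implementation.
type ReverseDigestSigner struct{ Inner crypto.Signer }

func (s ReverseDigestSigner) Public() crypto.PublicKey { return s.Inner.Public() }

func (s ReverseDigestSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return s.Inner.Sign(r, reverseBytes(digest), opts)
}

// ReverseDigestAndSignatureSigner additionally reverses the produced
// signature, the analogue of PrivateKeyReverseDigestAndSignature needed for
// GOST TLS 1.3. Reversing only makes sense for raw (r||s style) signatures,
// not for ASN.1 DER encoded ones such as ECDSA's.
type ReverseDigestAndSignatureSigner struct{ Inner crypto.Signer }

func (s ReverseDigestAndSignatureSigner) Public() crypto.PublicKey { return s.Inner.Public() }

func (s ReverseDigestAndSignatureSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	sig, err := s.Inner.Sign(r, reverseBytes(digest), opts)
	if err != nil {
		return nil, err
	}
	return reverseBytes(sig), nil
}

// echoSigner is a constructed stand-in whose "signature" is the digest it was
// given; it exists only to make the byte-order effect visible.
type echoSigner struct{}

func (echoSigner) Public() crypto.PublicKey { return nil }

func (echoSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return append([]byte(nil), digest...), nil
}

// CheckDigestReversal signs a SHA-256 digest of msg through ReverseDigestSigner
// and reports whether verification succeeds against the reversed digest
// (expected true) and against the original digest (expected false): a
// verifier that does not apply the same byte order rejects the signature.
func CheckDigestReversal(msg []byte) (okReversed, okOriginal bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ReverseDigestSigner{Inner: key}.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return false, false, err
	}
	okReversed = ecdsa.VerifyASN1(&key.PublicKey, reverseBytes(digest[:]), sig)
	okOriginal = ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig)
	return okReversed, okOriginal, nil
}

func main() {
	okRev, okOrig, err := CheckDigestReversal([]byte("tbsCertificate bytes"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify(reversed digest)=%v verify(original digest)=%v\n", okRev, okOrig)
	sig, _ := ReverseDigestAndSignatureSigner{Inner: echoSigner{}}.Sign(nil, []byte{1, 2, 3}, nil)
	fmt.Printf("echo signer through digest+signature reversal: %v\n", sig)
}
```

In practice the wrapper is what you put into tls.Certificate.PrivateKey or pass to x509.CreateCertificate: crypto/x509 and crypto/tls only ever see a crypto.Signer, so the byte-order fix lives entirely in the wrapper and the rest of the stack stays unaware of it.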
If you want GOST TLS 1.3 support always enabled, you can simply:
$ cat >>src/crypto/tls/gost.go <<EOF
func init() {
GOSTInstall()
}
EOF
GOST preferred client connection (tls.GOSTInstall() must already have been
called, or the init() above added; serverCertGOST is the server's GOST certificate):
import (
	"crypto/tls"
	"crypto/x509"
)

func dialGOST(serverCertGOST *x509.Certificate) (*tls.Conn, error) {
	serverCAs := x509.NewCertPool()
	serverCAs.AddCert(serverCertGOST)
	clientConfig := &tls.Config{
		MinVersion: tls.VersionTLS13,
		MaxVersion: tls.VersionTLS13,
		// offering only the GOST curve makes the GOST key exchange win
		CurvePreferences: []tls.CurveID{tls.GOSTCurve256A},
		RootCAs:          serverCAs,
		ServerName:       "server.com",
	}
	return tls.Dial("tcp", "...", clientConfig)
}