upgrade openssl backend

microsoft · Sep 26, 2023 · 0ed41ca · 0ed41ca
1 parent ec91976
commit 0ed41ca
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 38 deletions.
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -651,24 +651,24 @@ index c83a7272c9f01f..a0548a7f9179c5 100644
  package x509
 
 diff --git a/src/go.mod b/src/go.mod
-index beb4d13d8bdc6f..e7fb80cab94b01 100644
+index beb4d13d8bdc6f..8bc13536fc98c0 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -3,6 +3,7 @@ module std
  go 1.22
 
  require (
-+	github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74
++	github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6
  	golang.org/x/crypto v0.12.0
  	golang.org/x/net v0.14.1-0.20230809150940-1e23797619c9
  )
 diff --git a/src/go.sum b/src/go.sum
-index 81b83159f77a36..91eca9cd0b05e6 100644
+index 81b83159f77a36..fca63cfe4a8d1d 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,5 @@
-+github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74 h1:rTL9t7VhLvvOt4e/EZvXfJISo2igRm7GqK0pX1OQnx8=
-+github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
++github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6 h1:htngJbDceHA29WbezaO55msU/iITDkdto1p1iHHmjC0=
++github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
  golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
  golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
  golang.org/x/net v0.14.1-0.20230809150940-1e23797619c9 h1:eQR0jFW5dN2q8lFzSF7rjkRCOOnBf0llczNvITm6ICs=

diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch
@@ -1016,24 +1016,24 @@ index a0548a7f9179c5..ae6117a1554b7f 100644
  package x509
 
 diff --git a/src/go.mod b/src/go.mod
-index e7fb80cab94b01..9e86277d8e3bbe 100644
+index 8bc13536fc98c0..da1926b3982c3a 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -4,6 +4,7 @@ go 1.22
 
  require (
- 	github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74
+ 	github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6
 +	github.com/microsoft/go-crypto-winnative v0.0.0-20230919193409-4899d534a7ff
  	golang.org/x/crypto v0.12.0
  	golang.org/x/net v0.14.1-0.20230809150940-1e23797619c9
  )
 diff --git a/src/go.sum b/src/go.sum
-index 91eca9cd0b05e6..d40c2bc8984d29 100644
+index fca63cfe4a8d1d..0c5126e6ced297 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,5 +1,7 @@
- github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74 h1:rTL9t7VhLvvOt4e/EZvXfJISo2igRm7GqK0pX1OQnx8=
- github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
+ github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6 h1:htngJbDceHA29WbezaO55msU/iITDkdto1p1iHHmjC0=
+ github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
 +github.com/microsoft/go-crypto-winnative v0.0.0-20230919193409-4899d534a7ff h1:m0Cr4tuDOCmNoHtQV7RRTTH54d5Q9yV2g0AC2SO/7uI=
 +github.com/microsoft/go-crypto-winnative v0.0.0-20230919193409-4899d534a7ff/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4=
  golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=

diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch
@@ -8,12 +8,12 @@ To reproduce, run 'go mod vendor' in 'go/src'.
  .../golang-fips/openssl/v2/.gitleaks.toml     |   9 +
  .../github.com/golang-fips/openssl/v2/LICENSE |  20 +
  .../golang-fips/openssl/v2/README.md          |  62 ++
- .../github.com/golang-fips/openssl/v2/aes.go  |  84 ++
+ .../github.com/golang-fips/openssl/v2/aes.go  |  90 ++
  .../golang-fips/openssl/v2/bbig/big.go        |  37 +
  .../github.com/golang-fips/openssl/v2/big.go  |  11 +
  .../golang-fips/openssl/v2/cgo_go122.go       |  13 +
- .../golang-fips/openssl/v2/cipher.go          | 509 +++++++++++
- .../github.com/golang-fips/openssl/v2/des.go  | 107 +++
+ .../golang-fips/openssl/v2/cipher.go          | 511 +++++++++++
+ .../github.com/golang-fips/openssl/v2/des.go  | 113 +++
  .../github.com/golang-fips/openssl/v2/ec.go   |  59 ++
  .../github.com/golang-fips/openssl/v2/ecdh.go | 323 +++++++
  .../golang-fips/openssl/v2/ecdsa.go           | 217 +++++
@@ -57,7 +57,7 @@ To reproduce, run 'go mod vendor' in 'go/src'.
  .../internal/subtle/aliasing.go               |  32 +
  .../internal/sysdll/sys_windows.go            |  55 ++
  src/vendor/modules.txt                        |  11 +
- 52 files changed, 8354 insertions(+)
+ 52 files changed, 8368 insertions(+)
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md
@@ -222,10 +222,10 @@ index 00000000000000..e12474e6b54e43
 +- The portable OpenSSL implementation is ported from Microsoft's [.NET runtime](https://github.com/dotnet/runtime) cryptography module.
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/aes.go b/src/vendor/github.com/golang-fips/openssl/v2/aes.go
 new file mode 100644
-index 00000000000000..ecda35a992410f
+index 00000000000000..1fc11f00cdd704
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/aes.go
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,90 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -284,11 +284,17 @@ index 00000000000000..ecda35a992410f
 +}
 +
 +func (c *aesCipher) Encrypt(dst, src []byte) {
-+	c.encrypt(dst, src)
++	if err := c.encrypt(dst, src); err != nil {
++		// crypto/aes expects that the panic message starts with "crypto/aes: ".
++		panic("crypto/aes: " + err.Error())
++	}
 +}
 +
 +func (c *aesCipher) Decrypt(dst, src []byte) {
-+	c.decrypt(dst, src)
++	if err := c.decrypt(dst, src); err != nil {
++		// crypto/aes expects that the panic message starts with "crypto/aes: ".
++		panic("crypto/aes: " + err.Error())
++	}
 +}
 +
 +func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
@@ -391,10 +397,10 @@ index 00000000000000..555f58c59979a8
 +import "C"
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
 new file mode 100644
-index 00000000000000..df6c40f1d9b95b
+index 00000000000000..c88286905ee4d8
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
-@@ -0,0 +1,509 @@
+@@ -0,0 +1,511 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -563,57 +569,59 @@ index 00000000000000..df6c40f1d9b95b
 +	}
 +}
 +
-+func (c *evpCipher) encrypt(dst, src []byte) {
++func (c *evpCipher) encrypt(dst, src []byte) error {
 +	if len(src) < c.blockSize {
-+		panic("crypto/cipher: input not full block")
++		return errors.New("input not full block")
 +	}
 +	if len(dst) < c.blockSize {
-+		panic("crypto/cipher: output not full block")
++		return errors.New("output not full block")
 +	}
 +	// Only check for overlap between the parts of src and dst that will actually be used.
 +	// This matches Go standard library behavior.
 +	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
-+		panic("crypto/cipher: invalid buffer overlap")
++		return errors.New("invalid buffer overlap")
 +	}
 +	if c.enc_ctx == nil {
 +		var err error
 +		c.enc_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
 +		if err != nil {
-+			panic(err)
++			return err
 +		}
 +	}
 +
 +	if C.go_openssl_EVP_EncryptUpdate_wrapper(c.enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
-+		panic("crypto/cipher: EncryptUpdate failed")
++		return errors.New("EncryptUpdate failed")
 +	}
 +	runtime.KeepAlive(c)
++	return nil
 +}
 +
-+func (c *evpCipher) decrypt(dst, src []byte) {
++func (c *evpCipher) decrypt(dst, src []byte) error {
 +	if len(src) < c.blockSize {
-+		panic("crypto/cipher: input not full block")
++		return errors.New("input not full block")
 +	}
 +	if len(dst) < c.blockSize {
-+		panic("crypto/cipher: output not full block")
++		return errors.New("output not full block")
 +	}
 +	// Only check for overlap between the parts of src and dst that will actually be used.
 +	// This matches Go standard library behavior.
 +	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
-+		panic("crypto/cipher: invalid buffer overlap")
++		return errors.New("invalid buffer overlap")
 +	}
 +	if c.dec_ctx == nil {
 +		var err error
 +		c.dec_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
 +		if err != nil {
-+			panic(err)
++			return err
 +		}
 +		if C.go_openssl_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 {
-+			panic("crypto/cipher: could not disable cipher padding")
++			return errors.New("could not disable cipher padding")
 +		}
 +	}
 +
 +	C.go_openssl_EVP_DecryptUpdate_wrapper(c.dec_ctx, base(dst), base(src), C.int(c.blockSize))
 +	runtime.KeepAlive(c)
++	return nil
 +}
 +
 +type cipherCBC struct {
@@ -906,10 +914,10 @@ index 00000000000000..df6c40f1d9b95b
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/des.go b/src/vendor/github.com/golang-fips/openssl/v2/des.go
 new file mode 100644
-index 00000000000000..5f5e3748899a78
+index 00000000000000..98b15d2d208a22
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/des.go
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,113 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
@@ -987,11 +995,17 @@ index 00000000000000..5f5e3748899a78
 +}
 +
 +func (c *desCipher) Encrypt(dst, src []byte) {
-+	c.encrypt(dst, src)
++	if err := c.encrypt(dst, src); err != nil {
++		// crypto/des expects that the panic message starts with "crypto/des: ".
++		panic("crypto/des: " + err.Error())
++	}
 +}
 +
 +func (c *desCipher) Decrypt(dst, src []byte) {
-+	c.decrypt(dst, src)
++	if err := c.decrypt(dst, src); err != nil {
++		// crypto/des expects that the panic message starts with "crypto/des: ".
++		panic("crypto/des: " + err.Error())
++	}
 +}
 +
 +func (c *desCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
@@ -8762,11 +8776,11 @@ index 00000000000000..1722410e5af193
 +	return getSystemDirectory() + "\\" + dll
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index abd3f0b5193381..e62e6149066c22 100644
+index abd3f0b5193381..929469ecc4d448 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,14 @@
-+# github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230919070839-9783f40bfa74
++# github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6
 +## explicit; go 1.20
 +github.com/golang-fips/openssl/v2
 +github.com/golang-fips/openssl/v2/bbig