diff --git a/patches/022-openssl-negative-tests.patch b/patches/022-openssl-negative-tests.patch index d7dd52deea..676e36af6d 100644 --- a/patches/022-openssl-negative-tests.patch +++ b/patches/022-openssl-negative-tests.patch @@ -1001,3 +1001,171 @@ index b16184f32a..578d114f63 100644 test.expectedChains = nil } testVerify(t, test, false) +diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go +index e412a29269..015f47fda0 100644 +--- a/src/crypto/hmac/hmac_test.go ++++ b/src/crypto/hmac/hmac_test.go +@@ -6,6 +6,7 @@ package hmac + + import ( + boring "crypto/internal/backend" ++ "crypto/internal/backend/boringtest" + "crypto/internal/cryptotest" + "crypto/md5" + "crypto/sha1" +@@ -549,17 +550,21 @@ var hmacTests = []hmacTest{ + } + + func TestHMAC(t *testing.T) { +- for i, tt := range hmacTests { +- if boring.Enabled() && tt.size == sha1.New().Size() { +- defer func() { +- r := recover() +- if s, ok := r.(string); ok { ++ var hsh hash.Hash ++ if boring.Enabled() { ++ defer func() { ++ r := recover() ++ if s, ok := r.(string); ok { ++ if (hsh == sha1.New() && !boringtest.Supports(t, "SHA1")) || hsh == md5.New() { + if !strings.Contains(s, "unrecognized hmac in FIPS mode") { + panic(s) + } + } +- }() +- } ++ } ++ }() ++ } ++ for i, tt := range hmacTests { ++ hsh = tt.hash() + h := New(tt.hash, tt.key) + if s := h.Size(); s != tt.size { + t.Errorf("Size: got %v, want %v", s, tt.size) +@@ -587,7 +592,8 @@ func TestHMAC(t *testing.T) { + + // Third and fourth iteration: make sure hmac works on + // hashes without MarshalBinary/UnmarshalBinary +- if j == 1 { ++ if j == 1 && !boring.Enabled() { // Skip in boring mode as the hash is obscured and won't be recognized. ++ fmt.Println("JUST HASH!!!") + h = New(func() hash.Hash { return justHash{tt.hash()} }, tt.key) + } + } +diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go +index 8af84825a2..840ddfd604 100644 +--- a/src/crypto/rsa/pkcs1v15_test.go ++++ b/src/crypto/rsa/pkcs1v15_test.go +@@ -97,7 +97,7 @@ func TestEncryptPKCS1v15(t *testing.T) { + + ciphertext, err := EncryptPKCS1v15(random, &rsaPrivateKey.PublicKey, in) + if err != nil { +- if boring.Enabled() && !boringtest.Supports(t, "PKCSv1.5") { ++ if boring.Enabled() && !boringtest.Supports(t, "PKCSv1.5") && rsaPrivateKey.Size() < 256 { + if strings.Contains(err.Error(), "invalid key length") { + return false + } +diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go +index c7efa8cea1..feae2663f6 100644 +--- a/src/crypto/rsa/pss_test.go ++++ b/src/crypto/rsa/pss_test.go +@@ -236,7 +236,7 @@ func TestPSSSigning(t *testing.T) { + opts.SaltLength = test.signSaltLength + sig, err := SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, &opts) + if err != nil { +- if boring.Enabled() && !boringtest.Supports(t, "SHA1") { ++ if boring.Enabled() && hash == crypto.SHA1 && !boringtest.Supports(t, "SHA1") { + if strings.Contains(err.Error(), "invalid key length") { + continue + } +diff --git a/src/vendor/github.com/golang-fips/openssl/v2/evp.go b/src/vendor/github.com/golang-fips/openssl/v2/evp.go +index a9237a6a0c..19df5a1adb 100644 +--- a/src/vendor/github.com/golang-fips/openssl/v2/evp.go ++++ b/src/vendor/github.com/golang-fips/openssl/v2/evp.go +@@ -4,9 +4,11 @@ package openssl + + // #include "goopenssl.h" + import "C" ++ + import ( + "crypto" + "errors" ++ "fmt" + "hash" + "strconv" + "sync" +@@ -39,6 +41,7 @@ func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR { + case *sha3_512Hash: + ch = crypto.SHA3_512 + } ++ fmt.Printf("CH: %#v h: %#v\n", ch, h) + if ch != 0 { + return cryptoHashToMD(ch) + } +@@ -142,14 +145,17 @@ func generateEVPPKey(id C.int, bits int, curve string) (C.GO_EVP_PKEY_PTR, error + return pkey, nil + } + +-type withKeyFunc func(func(C.GO_EVP_PKEY_PTR) C.int) C.int +-type initFunc func(C.GO_EVP_PKEY_CTX_PTR) error +-type cryptFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, *C.size_t, *C.uchar, C.size_t) error +-type verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size_t) error ++type ( ++ withKeyFunc func(func(C.GO_EVP_PKEY_PTR) C.int) C.int ++ initFunc func(C.GO_EVP_PKEY_CTX_PTR) error ++ cryptFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, *C.size_t, *C.uchar, C.size_t) error ++ verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size_t) error ++) + + func setupEVP(withKey withKeyFunc, padding C.int, + h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash, +- init initFunc) (_ C.GO_EVP_PKEY_CTX_PTR, err error) { ++ init initFunc, ++) (_ C.GO_EVP_PKEY_CTX_PTR, err error) { + var ctx C.GO_EVP_PKEY_CTX_PTR + withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int { + ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil) +@@ -272,8 +278,8 @@ func setupEVP(withKey withKeyFunc, padding C.int, + + func cryptEVP(withKey withKeyFunc, padding C.int, + h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash, +- init initFunc, crypt cryptFunc, in []byte) ([]byte, error) { +- ++ init initFunc, crypt cryptFunc, in []byte, ++) ([]byte, error) { + ctx, err := setupEVP(withKey, padding, h, mgfHash, label, saltLen, ch, init) + if err != nil { + return nil, err +@@ -295,8 +301,8 @@ func cryptEVP(withKey withKeyFunc, padding C.int, + func verifyEVP(withKey withKeyFunc, padding C.int, + h hash.Hash, label []byte, saltLen C.int, ch crypto.Hash, + init initFunc, verify verifyFunc, +- sig, in []byte) error { +- ++ sig, in []byte, ++) error { + ctx, err := setupEVP(withKey, padding, h, nil, label, saltLen, ch, init) + if err != nil { + return err +diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hmac.go b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go +index ef8116ce66..7fa99d9653 100644 +--- a/src/vendor/github.com/golang-fips/openssl/v2/hmac.go ++++ b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go +@@ -4,7 +4,9 @@ package openssl + + // #include "goopenssl.h" + import "C" ++ + import ( ++ "fmt" + "hash" + "runtime" + "sync" +@@ -26,6 +28,7 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { + ch := h() + md := hashToMD(ch) + if md == nil { ++ fmt.Printf("MD == nil, h: %#v, md: %#v", h(), md) + return nil + } +