From dfcb16b247e1e6eb8cd3938c8014cbca638fc6e4 Mon Sep 17 00:00:00 2001 From: Derek Parker Date: Thu, 30 May 2024 14:42:06 -0700 Subject: [PATCH] config: update openssl backend (#201) Co-authored-by: Derek Parker --- config/versions.json | 2 +- patches/001-initial-openssl-for-fips.patch | 97 ++++++++++------------ 2 files changed, 43 insertions(+), 56 deletions(-) diff --git a/config/versions.json b/config/versions.json index db42d6f84c..7eddfff9aa 100644 --- a/config/versions.json +++ b/config/versions.json @@ -1,5 +1,5 @@ { "github.com/golang-fips/go": "main", - "github.com/golang-fips/openssl": "85d31d0d257ce842c8a1e63c4d230ae850348136", + "github.com/golang-fips/openssl": "61a53ab338d5f1657c6fe5d856d24528bfdd731d", "github.com/golang/go": "go1.22.3" } diff --git a/patches/001-initial-openssl-for-fips.patch b/patches/001-initial-openssl-for-fips.patch index 98819c2b07..e584619003 100644 --- a/patches/001-initial-openssl-for-fips.patch +++ b/patches/001-initial-openssl-for-fips.patch @@ -3719,24 +3719,24 @@ index 3c592e1136..a594823783 100644 } else { testCurve = elliptic.P384() diff --git a/src/go.mod b/src/go.mod -index 737d78da5d..eafc127352 100644 +index 737d78da5d..a1610087fe 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,6 +3,7 @@ module std go 1.22 require ( -+ github.com/golang-fips/openssl/v2 v2.0.1 ++ github.com/golang-fips/openssl/v2 v2.0.3 golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb golang.org/x/net v0.19.1-0.20240412193750-db050b07227e ) diff --git a/src/go.sum b/src/go.sum -index 86d173c9e6..51fbaeecdf 100644 +index 86d173c9e6..c7def15f16 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,5 @@ -+github.com/golang-fips/openssl/v2 v2.0.1 h1:oNIu7tARUHmSIY7Gqn5lbSCnHSduvkFJoM2FRq294lA= -+github.com/golang-fips/openssl/v2 v2.0.1/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= ++github.com/golang-fips/openssl/v2 v2.0.3 h1:9+J2R0BQio6Jz8+dPZf/0ylISByl0gZWjTEKm+J+y7Y= ++github.com/golang-fips/openssl/v2 v2.0.3/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb h1:1ceSY7sk6sJuiDREHpfyrqDnDljsLfEP2GuTClhBBfI= golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/net v0.19.1-0.20240412193750-db050b07227e h1:oDnvqaqHo3ho8OChMtkQbQAyp9eqnm3J7JRtt0+Cabc= @@ -3784,7 +3784,7 @@ index 0000000000..97e8515401 \ No newline at end of file diff --git a/src/vendor/github.com/golang-fips/openssl/v2/README.md b/src/vendor/github.com/golang-fips/openssl/v2/README.md new file mode 100644 -index 0000000000..ba6289ecff +index 0000000000..1bfbaf60f4 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -0,0 +1,66 @@ @@ -3816,7 +3816,7 @@ index 0000000000..ba6289ecff + +### Multiple OpenSSL versions supported + -+The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.0.x. ++The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.x. + +All supported OpenSSL versions pass a small set of automatic tests that ensure they can be built and that there are no major regressions. +These tests do not validate the cryptographic correctness of the `openssl` package. @@ -4022,16 +4022,17 @@ index 0000000000..6461f241f8 +type BigInt []uint diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go new file mode 100644 -index 0000000000..2b983c5411 +index 0000000000..72f7aebfc1 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go -@@ -0,0 +1,582 @@ +@@ -0,0 +1,569 @@ +//go:build !cmd_go_bootstrap + +package openssl + +// #include "goopenssl.h" +import "C" ++ +import ( + "crypto/cipher" + "encoding/binary" @@ -4173,8 +4174,6 @@ index 0000000000..2b983c5411 + +type evpCipher struct { + key []byte -+ enc_ctx C.GO_EVP_CIPHER_CTX_PTR -+ dec_ctx C.GO_EVP_CIPHER_CTX_PTR + kind cipherKind + blockSize int +} @@ -4187,19 +4186,9 @@ index 0000000000..2b983c5411 + c := &evpCipher{key: make([]byte, len(key)), kind: kind} + copy(c.key, key) + c.blockSize = int(C.go_openssl_EVP_CIPHER_get_block_size(cipher)) -+ runtime.SetFinalizer(c, (*evpCipher).finalize) + return c, nil +} + -+func (c *evpCipher) finalize() { -+ if c.enc_ctx != nil { -+ C.go_openssl_EVP_CIPHER_CTX_free(c.enc_ctx) -+ } -+ if c.dec_ctx != nil { -+ C.go_openssl_EVP_CIPHER_CTX_free(c.dec_ctx) -+ } -+} -+ +func (c *evpCipher) encrypt(dst, src []byte) error { + if len(src) < c.blockSize { + return errors.New("input not full block") @@ -4212,15 +4201,13 @@ index 0000000000..2b983c5411 + if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) { + return errors.New("invalid buffer overlap") + } -+ if c.enc_ctx == nil { -+ var err error -+ c.enc_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil) -+ if err != nil { -+ return err -+ } ++ enc_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil) ++ if err != nil { ++ return err + } ++ defer C.go_openssl_EVP_CIPHER_CTX_free(enc_ctx) + -+ if C.go_openssl_EVP_EncryptUpdate_wrapper(c.enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 { ++ if C.go_openssl_EVP_EncryptUpdate_wrapper(enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 { + return errors.New("EncryptUpdate failed") + } + runtime.KeepAlive(c) @@ -4239,18 +4226,17 @@ index 0000000000..2b983c5411 + if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) { + return errors.New("invalid buffer overlap") + } -+ if c.dec_ctx == nil { -+ var err error -+ c.dec_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil) -+ if err != nil { -+ return err -+ } -+ if C.go_openssl_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 { -+ return errors.New("could not disable cipher padding") -+ } ++ dec_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil) ++ if err != nil { ++ return err ++ } ++ defer C.go_openssl_EVP_CIPHER_CTX_free(dec_ctx) ++ ++ if C.go_openssl_EVP_CIPHER_CTX_set_padding(dec_ctx, 0) != 1 { ++ return errors.New("could not disable cipher padding") + } + -+ C.go_openssl_EVP_DecryptUpdate_wrapper(c.dec_ctx, base(dst), base(src), C.int(c.blockSize)) ++ C.go_openssl_EVP_DecryptUpdate_wrapper(dec_ctx, base(dst), base(src), C.int(c.blockSize)) + runtime.KeepAlive(c) + return nil +} @@ -4349,7 +4335,7 @@ index 0000000000..2b983c5411 +) + +type cipherGCM struct { -+ ctx C.GO_EVP_CIPHER_CTX_PTR ++ c *evpCipher + tls cipherGCMTLS + // minNextNonce is the minimum value that the next nonce can be, enforced by + // all TLS modes. @@ -4407,19 +4393,10 @@ index 0000000000..2b983c5411 +} + +func (c *evpCipher) newGCM(tls cipherGCMTLS) (cipher.AEAD, error) { -+ ctx, err := newCipherCtx(c.kind, cipherModeGCM, cipherOpNone, c.key, nil) -+ if err != nil { -+ return nil, err -+ } -+ g := &cipherGCM{ctx: ctx, tls: tls, blockSize: c.blockSize} -+ runtime.SetFinalizer(g, (*cipherGCM).finalize) ++ g := &cipherGCM{c: c, tls: tls, blockSize: c.blockSize} + return g, nil +} + -+func (g *cipherGCM) finalize() { -+ C.go_openssl_EVP_CIPHER_CTX_free(g.ctx) -+} -+ +func (g *cipherGCM) NonceSize() int { + return gcmStandardNonceSize +} @@ -4492,6 +4469,11 @@ index 0000000000..2b983c5411 + panic("cipher: invalid buffer overlap") + } + ++ ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil) ++ if err != nil { ++ panic(err) ++ } ++ defer C.go_openssl_EVP_CIPHER_CTX_free(ctx) + // Encrypt additional data. + // When sealing a TLS payload, OpenSSL app sets the additional data using + // 'EVP_CIPHER_CTX_ctrl(g.ctx, C.EVP_CTRL_AEAD_TLS1_AAD, C.EVP_AEAD_TLS1_AAD_LEN, base(additionalData))'. @@ -4499,7 +4481,7 @@ index 0000000000..2b983c5411 + // relying in the explicit nonce being securely set externally, + // and it also gives some interesting speed gains. + // Unfortunately we can't use it because Go expects AEAD.Seal to honor the provided nonce. -+ if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(g.ctx, base(out), base(nonce), ++ if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(ctx, base(out), base(nonce), + base(plaintext), C.int(len(plaintext)), + base(additionalData), C.int(len(additionalData))) != 1 { + @@ -4534,8 +4516,13 @@ index 0000000000..2b983c5411 + panic("cipher: invalid buffer overlap") + } + ++ ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil) ++ if err != nil { ++ return nil, err ++ } ++ defer C.go_openssl_EVP_CIPHER_CTX_free(ctx) + ok := C.go_openssl_EVP_CIPHER_CTX_open_wrapper( -+ g.ctx, base(out), base(nonce), ++ ctx, base(out), base(nonce), + base(ciphertext), C.int(len(ciphertext)), + base(additionalData), C.int(len(additionalData)), base(tag)) + runtime.KeepAlive(g) @@ -7826,7 +7813,7 @@ index 0000000000..a14663298b +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go new file mode 100644 -index 0000000000..dbf5ac448f +index 0000000000..5c09da86ee --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go @@ -0,0 +1,31 @@ @@ -7834,7 +7821,7 @@ index 0000000000..dbf5ac448f + +package openssl + -+// #cgo LDFLAGS: -ldl ++// #cgo LDFLAGS: -ldl -pthread +// #include +// #include +import "C" @@ -9688,11 +9675,11 @@ index 0000000000..5de62f95a7 + return nil +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 9a234e59b1..f65e24f457 100644 +index 9a234e59b1..a2dc68599f 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,7 @@ -+# github.com/golang-fips/openssl/v2 v2.0.1 ++# github.com/golang-fips/openssl/v2 v2.0.3 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig