Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

config: update openssl backend #201

Merged
merged 1 commit into from
May 30, 2024
Merged

config: update openssl backend #201

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion config/versions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"github.com/golang-fips/go": "main",
"github.com/golang-fips/openssl": "85d31d0d257ce842c8a1e63c4d230ae850348136",
"github.com/golang-fips/openssl": "61a53ab338d5f1657c6fe5d856d24528bfdd731d",
"github.com/golang/go": "go1.22.3"
}
97 changes: 42 additions & 55 deletions patches/001-initial-openssl-for-fips.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3719,24 +3719,24 @@ index 3c592e1136..a594823783 100644
} else {
testCurve = elliptic.P384()
diff --git a/src/go.mod b/src/go.mod
index 737d78da5d..eafc127352 100644
index 737d78da5d..a1610087fe 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -3,6 +3,7 @@ module std
go 1.22

require (
+ github.com/golang-fips/openssl/v2 v2.0.1
+ github.com/golang-fips/openssl/v2 v2.0.3
golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb
golang.org/x/net v0.19.1-0.20240412193750-db050b07227e
)
diff --git a/src/go.sum b/src/go.sum
index 86d173c9e6..51fbaeecdf 100644
index 86d173c9e6..c7def15f16 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -1,3 +1,5 @@
+github.com/golang-fips/openssl/v2 v2.0.1 h1:oNIu7tARUHmSIY7Gqn5lbSCnHSduvkFJoM2FRq294lA=
+github.com/golang-fips/openssl/v2 v2.0.1/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
+github.com/golang-fips/openssl/v2 v2.0.3 h1:9+J2R0BQio6Jz8+dPZf/0ylISByl0gZWjTEKm+J+y7Y=
+github.com/golang-fips/openssl/v2 v2.0.3/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb h1:1ceSY7sk6sJuiDREHpfyrqDnDljsLfEP2GuTClhBBfI=
golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
golang.org/x/net v0.19.1-0.20240412193750-db050b07227e h1:oDnvqaqHo3ho8OChMtkQbQAyp9eqnm3J7JRtt0+Cabc=
Expand Down Expand Up @@ -3784,7 +3784,7 @@ index 0000000000..97e8515401
\ No newline at end of file
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/README.md b/src/vendor/github.com/golang-fips/openssl/v2/README.md
new file mode 100644
index 0000000000..ba6289ecff
index 0000000000..1bfbaf60f4
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/README.md
@@ -0,0 +1,66 @@
Expand Down Expand Up @@ -3816,7 +3816,7 @@ index 0000000000..ba6289ecff
+
+### Multiple OpenSSL versions supported
+
+The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.0.x.
+The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.x.
+
+All supported OpenSSL versions pass a small set of automatic tests that ensure they can be built and that there are no major regressions.
+These tests do not validate the cryptographic correctness of the `openssl` package.
Expand Down Expand Up @@ -4022,16 +4022,17 @@ index 0000000000..6461f241f8
+type BigInt []uint
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
new file mode 100644
index 0000000000..2b983c5411
index 0000000000..72f7aebfc1
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
@@ -0,0 +1,582 @@
@@ -0,0 +1,569 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+
+import (
+ "crypto/cipher"
+ "encoding/binary"
Expand Down Expand Up @@ -4173,8 +4174,6 @@ index 0000000000..2b983c5411
+
+type evpCipher struct {
+ key []byte
+ enc_ctx C.GO_EVP_CIPHER_CTX_PTR
+ dec_ctx C.GO_EVP_CIPHER_CTX_PTR
+ kind cipherKind
+ blockSize int
+}
Expand All @@ -4187,19 +4186,9 @@ index 0000000000..2b983c5411
+ c := &evpCipher{key: make([]byte, len(key)), kind: kind}
+ copy(c.key, key)
+ c.blockSize = int(C.go_openssl_EVP_CIPHER_get_block_size(cipher))
+ runtime.SetFinalizer(c, (*evpCipher).finalize)
+ return c, nil
+}
+
+func (c *evpCipher) finalize() {
+ if c.enc_ctx != nil {
+ C.go_openssl_EVP_CIPHER_CTX_free(c.enc_ctx)
+ }
+ if c.dec_ctx != nil {
+ C.go_openssl_EVP_CIPHER_CTX_free(c.dec_ctx)
+ }
+}
+
+func (c *evpCipher) encrypt(dst, src []byte) error {
+ if len(src) < c.blockSize {
+ return errors.New("input not full block")
Expand All @@ -4212,15 +4201,13 @@ index 0000000000..2b983c5411
+ if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
+ return errors.New("invalid buffer overlap")
+ }
+ if c.enc_ctx == nil {
+ var err error
+ c.enc_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
+ if err != nil {
+ return err
+ }
+ enc_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
+ if err != nil {
+ return err
+ }
+ defer C.go_openssl_EVP_CIPHER_CTX_free(enc_ctx)
+
+ if C.go_openssl_EVP_EncryptUpdate_wrapper(c.enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
+ if C.go_openssl_EVP_EncryptUpdate_wrapper(enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
+ return errors.New("EncryptUpdate failed")
+ }
+ runtime.KeepAlive(c)
Expand All @@ -4239,18 +4226,17 @@ index 0000000000..2b983c5411
+ if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
+ return errors.New("invalid buffer overlap")
+ }
+ if c.dec_ctx == nil {
+ var err error
+ c.dec_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
+ if err != nil {
+ return err
+ }
+ if C.go_openssl_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 {
+ return errors.New("could not disable cipher padding")
+ }
+ dec_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
+ if err != nil {
+ return err
+ }
+ defer C.go_openssl_EVP_CIPHER_CTX_free(dec_ctx)
+
+ if C.go_openssl_EVP_CIPHER_CTX_set_padding(dec_ctx, 0) != 1 {
+ return errors.New("could not disable cipher padding")
+ }
+
+ C.go_openssl_EVP_DecryptUpdate_wrapper(c.dec_ctx, base(dst), base(src), C.int(c.blockSize))
+ C.go_openssl_EVP_DecryptUpdate_wrapper(dec_ctx, base(dst), base(src), C.int(c.blockSize))
+ runtime.KeepAlive(c)
+ return nil
+}
Expand Down Expand Up @@ -4349,7 +4335,7 @@ index 0000000000..2b983c5411
+)
+
+type cipherGCM struct {
+ ctx C.GO_EVP_CIPHER_CTX_PTR
+ c *evpCipher
+ tls cipherGCMTLS
+ // minNextNonce is the minimum value that the next nonce can be, enforced by
+ // all TLS modes.
Expand Down Expand Up @@ -4407,19 +4393,10 @@ index 0000000000..2b983c5411
+}
+
+func (c *evpCipher) newGCM(tls cipherGCMTLS) (cipher.AEAD, error) {
+ ctx, err := newCipherCtx(c.kind, cipherModeGCM, cipherOpNone, c.key, nil)
+ if err != nil {
+ return nil, err
+ }
+ g := &cipherGCM{ctx: ctx, tls: tls, blockSize: c.blockSize}
+ runtime.SetFinalizer(g, (*cipherGCM).finalize)
+ g := &cipherGCM{c: c, tls: tls, blockSize: c.blockSize}
+ return g, nil
+}
+
+func (g *cipherGCM) finalize() {
+ C.go_openssl_EVP_CIPHER_CTX_free(g.ctx)
+}
+
+func (g *cipherGCM) NonceSize() int {
+ return gcmStandardNonceSize
+}
Expand Down Expand Up @@ -4492,14 +4469,19 @@ index 0000000000..2b983c5411
+ panic("cipher: invalid buffer overlap")
+ }
+
+ ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
+ if err != nil {
+ panic(err)
+ }
+ defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
+ // Encrypt additional data.
+ // When sealing a TLS payload, OpenSSL app sets the additional data using
+ // 'EVP_CIPHER_CTX_ctrl(g.ctx, C.EVP_CTRL_AEAD_TLS1_AAD, C.EVP_AEAD_TLS1_AAD_LEN, base(additionalData))'.
+ // This makes the explicit nonce component to monotonically increase on every Seal operation without
+ // relying in the explicit nonce being securely set externally,
+ // and it also gives some interesting speed gains.
+ // Unfortunately we can't use it because Go expects AEAD.Seal to honor the provided nonce.
+ if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(g.ctx, base(out), base(nonce),
+ if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(ctx, base(out), base(nonce),
+ base(plaintext), C.int(len(plaintext)),
+ base(additionalData), C.int(len(additionalData))) != 1 {
+
Expand Down Expand Up @@ -4534,8 +4516,13 @@ index 0000000000..2b983c5411
+ panic("cipher: invalid buffer overlap")
+ }
+
+ ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
+ if err != nil {
+ return nil, err
+ }
+ defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
+ ok := C.go_openssl_EVP_CIPHER_CTX_open_wrapper(
+ g.ctx, base(out), base(nonce),
+ ctx, base(out), base(nonce),
+ base(ciphertext), C.int(len(ciphertext)),
+ base(additionalData), C.int(len(additionalData)), base(tag))
+ runtime.KeepAlive(g)
Expand Down Expand Up @@ -7826,15 +7813,15 @@ index 0000000000..a14663298b
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
new file mode 100644
index 0000000000..dbf5ac448f
index 0000000000..5c09da86ee
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
@@ -0,0 +1,31 @@
+//go:build unix && !cmd_go_bootstrap
+
+package openssl
+
+// #cgo LDFLAGS: -ldl
+// #cgo LDFLAGS: -ldl -pthread
+// #include <stdlib.h>
+// #include <dlfcn.h>
+import "C"
Expand Down Expand Up @@ -9688,11 +9675,11 @@ index 0000000000..5de62f95a7
+ return nil
+}
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 9a234e59b1..f65e24f457 100644
index 9a234e59b1..a2dc68599f 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -1,3 +1,7 @@
+# github.com/golang-fips/openssl/v2 v2.0.1
+# github.com/golang-fips/openssl/v2 v2.0.3
+## explicit; go 1.20
+github.com/golang-fips/openssl/v2
+github.com/golang-fips/openssl/v2/bbig
Expand Down
Loading