Skip to content

Commit

Permalink
fix:update patches
Browse files Browse the repository at this point in the history
  • Loading branch information
mertakman committed Dec 20, 2024
1 parent 6460860 commit 18eaed4
Showing 1 changed file with 60 additions and 15 deletions.
75 changes: 60 additions & 15 deletions patches/0002-Add-crypto-backend-foundation.patch
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Subject: [PATCH] Add crypto backend foundation
src/crypto/ed25519/boring.go | 71 ++++++
src/crypto/ed25519/ed25519.go | 73 ++++++
src/crypto/ed25519/notboring.go | 16 ++
src/crypto/hkdf/hkdf.go | 14 ++
src/crypto/hkdf/hkdf.go | 22 +-
src/crypto/hkdf/hkdf_test.go | 2 +-
src/crypto/hmac/hmac.go | 2 +-
src/crypto/hmac/hmac_test.go | 2 +-
Expand Down Expand Up @@ -65,7 +65,7 @@ Subject: [PATCH] Add crypto backend foundation
src/crypto/tls/fipsonly/fipsonly_test.go | 2 +-
src/crypto/tls/handshake_client.go | 10 +-
src/crypto/tls/handshake_server.go | 10 +-
src/crypto/tls/handshake_server_tls13.go | 10 +
src/crypto/tls/handshake_server_tls13.go | 24 +-
src/crypto/tls/internal/fips140tls/fipstls.go | 3 +-
src/crypto/tls/prf.go | 41 ++++
src/go/build/deps_test.go | 8 +-
Expand All @@ -75,7 +75,7 @@ Subject: [PATCH] Add crypto backend foundation
src/hash/notboring_test.go | 9 +
src/net/smtp/smtp_test.go | 72 ++++--
src/runtime/runtime_boring.go | 5 +
71 files changed, 1159 insertions(+), 80 deletions(-)
71 files changed, 1174 insertions(+), 87 deletions(-)
create mode 100644 src/crypto/dsa/boring.go
create mode 100644 src/crypto/dsa/notboring.go
create mode 100644 src/crypto/ed25519/boring.go
Expand Down Expand Up @@ -813,51 +813,60 @@ index 00000000000000..b0cdd44d81c753
+ panic("boringcrypto: not available")
+}
diff --git a/src/crypto/hkdf/hkdf.go b/src/crypto/hkdf/hkdf.go
index 7cfbe2c60de356..78139ed6170da5 100644
index 7cfbe2c60de356..925b839b73cb0c 100644
--- a/src/crypto/hkdf/hkdf.go
+++ b/src/crypto/hkdf/hkdf.go
@@ -11,6 +11,7 @@
@@ -11,8 +11,9 @@
package hkdf

import (
- "crypto/internal/fips140/hkdf"
+ boring "crypto/internal/backend"
"crypto/internal/fips140/hkdf"
"crypto/internal/fips140only"
+ "cryto/hkdf"
"errors"
@@ -27,6 +28,9 @@ func Extract[H hash.Hash](h func() H, secret, salt []byte) ([]byte, error) {
"hash"
)
@@ -27,7 +28,10 @@ func Extract[H hash.Hash](h func() H, secret, salt []byte) ([]byte, error) {
if err := checkFIPS140Only(h, secret); err != nil {
return nil, err
}
- return hkdf.Extract(h, secret, salt), nil
+ if boring.Enabled && boring.SupportsHKDF() {
+ return boring.ExtractHKDF(func() hash.Hash { return h() }, secret, salt)
+ }
return hkdf.Extract(h, secret, salt), nil
+ return hkdf.Extract(h, secret, salt)
}

@@ -47,6 +51,9 @@ func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen
// Expand derives a key from the given hash, key, and optional context info,
@@ -47,7 +51,10 @@ func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen
return nil, errors.New("hkdf: requested key length too large")
}

- return hkdf.Expand(h, pseudorandomKey, info, keyLength), nil
+ if boring.Enabled && boring.SupportsHKDF() {
+ return boring.ExpandHKDF(func() hash.Hash { return h() }, pseudorandomKey, []byte(info), keyLength)
+ }
return hkdf.Expand(h, pseudorandomKey, info, keyLength), nil
+ return hkdf.Expand(h, pseudorandomKey, info, keyLength)
}

@@ -63,6 +70,13 @@ func Key[Hash hash.Hash](h func() Hash, secret, salt []byte, info string, keyLen
// Key derives a key from the given hash, secret, salt and context info,
@@ -63,7 +70,14 @@ func Key[Hash hash.Hash](h func() Hash, secret, salt []byte, info string, keyLen
return nil, errors.New("hkdf: requested key length too large")
}

- return hkdf.Key(h, secret, salt, info, keyLength), nil
+ if boring.Enabled && boring.SupportsHKDF() {
+ pseudorandomKey, err := boring.ExtractHKDF(func() hash.Hash { return h() }, secret, salt)
+ if err != nil {
+ return nil, err
+ }
+ return boring.ExpandHKDF(func() hash.Hash { return h() }, pseudorandomKey, []byte(info), keyLength)
+ }
return hkdf.Key(h, secret, salt, info, keyLength), nil
+ return hkdf.Key(h, secret, salt, info, keyLength)
}

func checkFIPS140Only[H hash.Hash](h func() H, key []byte) error {
diff --git a/src/crypto/hkdf/hkdf_test.go b/src/crypto/hkdf/hkdf_test.go
index 201b440289bb2d..4ed4960ff35b66 100644
--- a/src/crypto/hkdf/hkdf_test.go
Expand Down Expand Up @@ -2125,17 +2134,24 @@ index 7c75977ad3ffb2..b9db95ca7b9d5a 100644

if err := hs.processClientHello(); err != nil {
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index 3552d89ba3bc6f..958ec81dc64966 100644
index 3552d89ba3bc6f..cefacaca28bae0 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -9,6 +9,7 @@ import (
@@ -9,12 +9,13 @@ import (
"context"
"crypto"
"crypto/hmac"
- "crypto/internal/fips140/hkdf"
+ boring "crypto/internal/backend"
"crypto/internal/fips140/hkdf"
"crypto/internal/fips140/mlkem"
"crypto/internal/fips140/tls13"
"crypto/internal/hpke"
"crypto/rsa"
"crypto/tls/internal/fips140tls"
+ "cryto/hkdf"
"errors"
"hash"
"internal/byteorder"
@@ -477,6 +478,15 @@ func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
}
marshaler, ok := in.(binaryMarshaler)
Expand All @@ -2152,6 +2168,35 @@ index 3552d89ba3bc6f..958ec81dc64966 100644
return nil
}
state, err := marshaler.MarshalBinary()
@@ -572,8 +582,12 @@ func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID)
if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil {
return nil, err
}
+ secret, err := hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil)
+ if err != nil {
+ return nil, err
+ }
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil),
+ secret,
"hrr ech accept confirmation",
confTranscript.Sum(nil),
8,
@@ -734,9 +748,13 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
if err := transcriptMsg(hs.hello, echTranscript); err != nil {
return err
}
+ secret, err := hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil)
+ if err != nil {
+ return err
+ }
// compute the acceptance message
acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil),
+ secret,
"ech accept confirmation",
echTranscript.Sum(nil),
8,
diff --git a/src/crypto/tls/internal/fips140tls/fipstls.go b/src/crypto/tls/internal/fips140tls/fipstls.go
index 24d78d60cf5b64..a6bfd3f17c1911 100644
--- a/src/crypto/tls/internal/fips140tls/fipstls.go
Expand Down

0 comments on commit 18eaed4

Please sign in to comment.