From 54a87ba3eff7c6cee963a142affd450581449325 Mon Sep 17 00:00:00 2001 From: mertakman Date: Mon, 9 Dec 2024 16:45:40 +0000 Subject: [PATCH 01/22] Add: DSA implementations for Win CNG and OpenSSL --- .../0002-Add-crypto-backend-foundation.patch | 240 +++++++++++++++++- .../0003-Add-BoringSSL-crypto-backend.patch | 31 ++- patches/0004-Add-OpenSSL-crypto-backend.patch | 58 ++++- patches/0005-Add-CNG-crypto-backend.patch | 28 +- 4 files changed, 335 insertions(+), 22 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 66257f9d55..66d1ec4eb6 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -8,13 +8,15 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/aes/cipher_asm.go | 2 +- src/crypto/boring/boring.go | 2 +- src/crypto/des/cipher.go | 7 + - src/crypto/dsa/dsa.go | 13 ++ + src/crypto/dsa/boring.go | 109 +++++++++ + src/crypto/dsa/dsa.go | 48 ++++ + src/crypto/dsa/notboring.go | 16 ++ src/crypto/ecdh/ecdh.go | 2 +- src/crypto/ecdh/nist.go | 2 +- src/crypto/ecdsa/boring.go | 4 +- src/crypto/ecdsa/ecdsa.go | 4 +- src/crypto/ecdsa/notboring.go | 2 +- - src/crypto/ed25519/boring.go | 71 +++++++ + src/crypto/ed25519/boring.go | 71 ++++++ src/crypto/ed25519/ed25519.go | 75 ++++++- src/crypto/ed25519/ed25519_test.go | 2 +- src/crypto/ed25519/notboring.go | 16 ++ 
@@ -22,9 +24,9 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/hmac/hmac_test.go | 2 +- src/crypto/internal/backend/backend_test.go | 30 +++ src/crypto/internal/backend/bbig/big.go | 17 ++ - src/crypto/internal/backend/common.go | 92 +++++++++ + src/crypto/internal/backend/common.go | 92 ++++++++ src/crypto/internal/backend/isrequirefips.go | 9 + - src/crypto/internal/backend/nobackend.go | 201 +++++++++++++++++++ + src/crypto/internal/backend/nobackend.go | 224 +++++++++++++++++++ src/crypto/internal/backend/norequirefips.go | 9 + src/crypto/internal/backend/stub.s | 10 + src/crypto/md5/md5.go | 7 + @@ -52,16 +54,18 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/tls/handshake_server.go | 25 ++- src/crypto/tls/handshake_server_tls13.go | 10 + src/crypto/tls/key_schedule.go | 18 +- - src/crypto/tls/prf.go | 77 ++++--- + src/crypto/tls/prf.go | 77 +++++-- src/crypto/tls/prf_test.go | 12 +- src/crypto/x509/boring_test.go | 5 + src/go/build/deps_test.go | 4 + src/hash/boring_test.go | 5 + src/hash/marshal_test.go | 5 + src/hash/notboring_test.go | 5 + - src/net/smtp/smtp_test.go | 72 ++++--- + src/net/smtp/smtp_test.go | 72 +++--- src/runtime/runtime_boring.go | 5 + - 57 files changed, 914 insertions(+), 106 deletions(-) + 59 files changed, 1097 insertions(+), 106 deletions(-) + create mode 100644 src/crypto/dsa/boring.go + create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go create mode 100644 src/crypto/ed25519/notboring.go create mode 100644 src/crypto/internal/backend/backend_test.go 
@@ -145,8 +149,123 @@ index 04b73e7d3bf758..0891652a4566fb 100644 c := new(tripleDESCipher) c.cipher1.generateSubkeys(key[:8]) +diff --git a/src/crypto/dsa/boring.go b/src/crypto/dsa/boring.go +new file mode 100644 +index 00000000000000..d01c955da8c9e5 +--- /dev/null ++++ b/src/crypto/dsa/boring.go +@@ -0,0 +1,109 @@ ++// Copyright 2017 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build boringcrypto || goexperiment.opensslcrypto || goexperiment.cngcrypto ++ ++package dsa ++ ++import ( ++ boring "crypto/internal/backend" ++ "crypto/internal/backend/bbig" ++ "crypto/internal/boring/bcache" ++ "math/big" ++) ++ ++// Cached conversions from Go PublicKey/PrivateKey to BoringCrypto. ++// ++// The first operation on a PublicKey or PrivateKey makes a parallel ++// BoringCrypto key and saves it in pubCache or privCache. ++// ++// We could just assume that once used in a sign/verify/encrypt/decrypt operation, ++// a particular key is never again modified, but that has not been a ++// stated assumption before. Just in case there is any existing code that ++// does modify the key between operations, we save the original values ++// alongside the cached BoringCrypto key and check that the real key ++// still matches before using the cached key. The theory is that the real ++// operations are significantly more expensive than the comparison. 
++ ++type boringPub struct { ++ key *boring.PublicKeyDSA ++ orig PublicKey ++} ++ ++var pubCache bcache.Cache[PublicKey, boringPub] ++var privCache bcache.Cache[PrivateKey, boringPriv] ++ ++func init() { ++ pubCache.Register() ++ privCache.Register() ++} ++ ++func boringPublicKey(pub *PublicKey) (*boring.PublicKeyDSA, error) { ++ b := pubCache.Get(pub) ++ if b != nil && publicKeyEqual(&b.orig, pub) { ++ return b.key, nil ++ } ++ ++ b = new(boringPub) ++ b.orig = copyPublicKey(pub) ++ key, err := boring.NewPublicKeyDSA(bbig.Enc(b.orig.P), bbig.Enc(b.orig.Q), bbig.Enc(b.orig.G), bbig.Enc(b.orig.Y)) ++ if err != nil { ++ return nil, err ++ } ++ b.key = key ++ pubCache.Put(pub, b) ++ return key, nil ++} ++ ++type boringPriv struct { ++ key *boring.PrivateKeyDSA ++ orig PrivateKey ++} ++ ++func boringPrivateKey(priv *PrivateKey) (*boring.PrivateKeyDSA, error) { ++ b := privCache.Get(priv) ++ if b != nil && privateKeyEqual(&b.orig, priv) { ++ return b.key, nil ++ } ++ ++ b = new(boringPriv) ++ b.orig = copyPrivateKey(priv) ++ ++ P := b.orig.P ++ Q := b.orig.Q ++ G := b.orig.G ++ X := b.orig.X ++ Y := b.orig.Y ++ ++ key, err := boring.NewPrivateKeyDSA(bbig.Enc(P), bbig.Enc(Q), bbig.Enc(G), bbig.Enc(X), bbig.Enc(Y)) ++ if err != nil { ++ return nil, err ++ } ++ b.key = key ++ privCache.Put(priv, b) ++ return key, nil ++} ++ ++func publicKeyEqual(k1, k2 *PublicKey) bool { ++ return k1.Y != nil && k1.Y.Cmp(k2.Y) == 0 && k1.P.Cmp(k2.P) == 0 && k1.Q.Cmp(k2.Q) == 0 && k1.G.Cmp(k2.G) == 0 ++} ++ ++func copyPublicKey(k *PublicKey) PublicKey { ++ return PublicKey{ ++ Parameters{new(big.Int).Set(k.P), new(big.Int).Set(k.Q), new(big.Int).Set(k.G)}, ++ Y: new(big.Int).Set(k.Y), ++ } ++} ++ ++func privateKeyEqual(k1, k2 *PrivateKey) bool { ++ return publicKeyEqual(&k1.PublicKey, &k2.PublicKey) && ++ k1.X.Cmp(k2.X) == 0 ++} ++ ++func copyPrivateKey(k *PrivateKey) PrivateKey { ++ return PrivateKey{ ++ PublicKey: copyPublicKey(&k.PublicKey), ++ X: new(big.Int).Set(k.X), ++ } ++} 
diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go -index 4524bd492feba0..3937865aee7ef8 100644 +index 4524bd492feba0..787258c9526f74 100644 --- a/src/crypto/dsa/dsa.go +++ b/src/crypto/dsa/dsa.go @@ -18,6 +18,8 @@ import ( 
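Review bot: `copyPublicKey` in the new `src/crypto/dsa/boring.go` mixes a positional element (`Parameters{...}`) with a keyed one (`Y:`) in the same struct literal, which Go rejects; write it keyed, `Parameters: Parameters{P: new(big.Int).Set(k.P), Q: new(big.Int).Set(k.Q), G: new(big.Int).Set(k.G)},`. `publicKeyEqual` guards only `k1.Y` against nil, and `copyPublicKey`/`copyPrivateKey` call `Set` on every field, so a key with an unset `P`, `Q`, `G`, `Y` or `X` panics here instead of being rejected with an error. `boringPriv.orig` also holds a second copy of the private `X` for as long as the cache entry lives; a short comment saying so would help anyone reasoning about key lifetime.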
@@ -176,6 +295,84 @@ index 4524bd492feba0..3937865aee7ef8 100644 qBytes := make([]byte, N/8) pBytes := make([]byte, L/8) +@@ -161,6 +174,23 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { + return errors.New("crypto/dsa: parameters not set up before generating key") + } + ++ if boring.Enabled && boring.SupportsDSA(priv.P.BitLen(), priv.Q.BitLen()) { ++ b, err := boringPrivateKey(priv) ++ if err != nil { ++ return err ++ } ++ ++ generatedKey, err := boring.GenerateKeyDSA(bbig.Enc(priv.P), bbig.Enc(priv.Q), bbig.Enc(priv.G)) ++ if err != nil { ++ return err ++ } ++ ++ priv.X = bbig.Dec(generatedKey.X) ++ priv.Y = bbig.Dec(generatedKey.Y) ++ ++ return ++ } ++ + x := new(big.Int) + xBytes := make([]byte, priv.Q.BitLen()/8) + +@@ -212,6 +242,16 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err + err = ErrInvalidPublicKey + return + } ++ ++ if boring.Enabled && boring.SupportsDSA(priv.P.BitLen(), priv.Q.BitLen()) { ++ b, err := boringPrivateKey(priv) ++ if err != nil { ++ return err ++ } ++ ++ return boring.SignDSA(b, hash) ++ } ++ + n >>= 3 + + var attempts int +@@ -271,6 +311,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err + // to the byte-length of the subgroup. This function does not perform that + // truncation itself. + func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { ++ if boring.Enabled && boring.SupportsDSA(pub.P.BitLen(), priv.Q.BitLen()) { ++ b, err := boringPrivateKey(priv) ++ if err != nil { ++ return nil, err ++ } ++ ++ return boring.VerifyDSA(pub, hash, bbig.Enc(r), bbig.Enc(s)) ++ } + // FIPS 186-3, section 4.7 + + if pub.P.Sign() == 0 { +diff --git a/src/crypto/dsa/notboring.go b/src/crypto/dsa/notboring.go +new file mode 100644 +index 00000000000000..f8771d0189f990 +--- /dev/null ++++ b/src/crypto/dsa/notboring.go +@@ -0,0 +1,16 @@ ++// Copyright 2022 The Go Authors. All rights reserved. 
++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build !boringcrypto && !goexperiment.opensslcrypto && !goexperiment.cngcrypto ++ ++package dsa ++ ++import boring "crypto/internal/backend" ++ ++func boringPublicKey(*PublicKey) (*boring.PublicKeyDSA, error) { ++ panic("boringcrypto: not available") ++} ++func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyDSA, error) { ++ panic("boringcrypto: not available") ++} diff --git a/src/crypto/ecdh/ecdh.go b/src/crypto/ecdh/ecdh.go index b7c26f91e57f02..7a12e2bbaaafd1 100644 --- a/src/crypto/ecdh/ecdh.go @@ -689,10 +886,10 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..9204848708436e +index 00000000000000..be18ecce6eabaa --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go -@@ -0,0 +1,201 @@ +@@ -0,0 +1,224 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -894,6 +1091,29 @@ index 00000000000000..9204848708436e +func GenerateDSAParameters(l, n int) (p, q, g BigInt, err error) { + panic("cryptobackend: not available") +} ++ ++type PublicKeyDSA struct{ _ int } ++type PrivateKeyDSA struct{ _ int } ++ ++func GenerateKeyDSA(p, q, g BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func NewPrivateKeyDSA(p, q, g, x, y BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func NewPublicKeyDSA(p, q, g, y BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s BigInt, error) { ++ panic("cryptobackend: not available") ++} ++ ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt) bool { ++ panic("cryptobackend: not available") ++} 
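Review bot: In `Verify`, the backend branch is inserted above the `// FIPS 186-3, section 4.7` checks, so a call that takes it never reaches the pure-Go validation that follows (the hunk shows `pub.P.Sign() == 0`; the range checks on `r` and `s` presumably sit just below, outside the hunk). `bbig.Enc(r)` and `bbig.Enc(s)` are handed to the backend as they are, and if that encoding drops the sign, a negative or out-of-range value is judged only by whatever the backend does with it. Moving the branch below those checks, as `Sign` does with its `ErrInvalidPublicKey` check, keeps both paths rejecting the same inputs. Verify's body continues outside the hunk.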
diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go new file mode 100644 index 00000000000000..26bfb5f6a643f3 diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 89cbb8792b..47abcee319 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend --- .../internal/backend/bbig/big_boring.go | 12 + - src/crypto/internal/backend/boring_linux.go | 233 ++++++++++++++++++ - 2 files changed, 245 insertions(+) + src/crypto/internal/backend/boring_linux.go | 256 ++++++++++++++++++ + 2 files changed, 268 insertions(+) create mode 100644 src/crypto/internal/backend/bbig/big_boring.go create mode 100644 src/crypto/internal/backend/boring_linux.go @@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..6cecf976fa6a9b +index 00000000000000..638164b1569a1e --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go -@@ -0,0 +1,233 @@ +@@ -0,0 +1,256 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
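Review bot: `NewPublicKeyDSA` in `nobackend.go` is declared to return `*PrivateKeyDSA`, but `boringPublicKey` in `crypto/dsa/boring.go` stores its result in a `*boring.PublicKeyDSA` field; the signature should read `func NewPublicKeyDSA(p, q, g, y BigInt) (*PublicKeyDSA, error)`. The same return type appears in the `boring_linux.go`, `openssl_linux.go` and `cng_windows.go` hunks of this commit. The compiler catches this only on a build that enables the matching backend tag, so each backend needs to be compiled before the series is merged.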
@@ -267,3 +267,26 @@ index 00000000000000..6cecf976fa6a9b +func GenerateDSAParameters(l, n int) (p, q, g boring.BigInt, err error) { + panic("cryptobackend: not available") +} ++ ++type PrivateKeyDSA struct{} ++type PrivateKeyDSA struct{} ++ ++func GenerateKeyDSA(p, q, g boring.BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func NewPrivateKeyDSA(p, q, g, x, y boring.BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func NewPublicKeyDSA(p, q, g, y boring.BigInt) (*PrivateKeyDSA, error) { ++ panic("cryptobackend: not available") ++} ++ ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s boring.BigInt, err error) { ++ panic("cryptobackend: not available") ++} ++ ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt) bool { ++ panic("cryptobackend: not available") ++} diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 2b9610745d..4ba27e51df 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 332 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 382 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- 
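Review bot: `boring_linux.go` declares `type PrivateKeyDSA struct{}` twice and never declares `PublicKeyDSA`, which `VerifyDSA` in the same hunk takes as a parameter; the first declaration should be `type PublicKeyDSA struct{}`. Every function added here panics with "cryptobackend: not available", so callers must never reach them on this backend. A comment such as `// DSA is not implemented by BoringSSL; SupportsDSA must report false so these are never called.` would record that dependency (`SupportsDSA` itself is not visible in this hunk).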
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 417 insertions(+), 25 deletions(-) + 36 files changed, 467 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..7ff09906b8d07b +index 00000000000000..dff302585913ae --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,332 @@ +@@ -0,0 +1,382 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -213,11 +213,13 @@ index 00000000000000..7ff09906b8d07b + "crypto/cipher" + "crypto/internal/boring/fipstls" + "crypto/internal/boring/sig" ++ "errors" + "hash" + "io" + "syscall" + + "github.com/golang-fips/openssl/v2" ++ "github.com/microsoft/go-crypto-winnative/cng" +) + +// Enabled controls whether FIPS crypto is enabled. 
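Review bot: The import block of `openssl_linux.go` gains `github.com/microsoft/go-crypto-winnative/cng`, the Windows CNG package, and `GenerateKeyDSA` further down in this commit passes `cng.DSAParameters{p, q, g}` to `openssl.GenerateKeyDSA`. The Linux OpenSSL backend should not pull in the Windows backend as a dependency; use `openssl.DSAParameters{p, q, g}` as the neighbouring `NewPrivateKeyDSA` does and drop the import. The rewritten `GenerateKeyDSA` in PATCH 03/22 still uses the `cng.` type.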
@@ -529,6 +531,54 @@ index 00000000000000..7ff09906b8d07b + params, err := openssl.GenerateDSAParameters(l, n) + return params.P, params.Q, params.G, err +} ++ ++func GenerateKeyDSA(p, q, g openssl.BigInt) (*openssl.PrivateKeyDSA, error) { ++ return openssl.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++} ++ ++func NewPrivateKeyDSA(p, q, g, x, y openssl.BigInt) (*openssl.PrivateKeyDSA, error) { ++ return openssl.NewPrivateKeyDSA(openssl.DSAParameters{p, q, g}, x, y) ++} ++ ++func NewPublicKeyDSA(p, q, g, y openssl.BigInt) (*openssl.PrivateKeyDSA, error) { ++ return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) ++} ++ ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, error) { ++ sig, err := openssl.SignDSA(priv, hash) ++ if err != nil { ++ return nil, err ++ } ++ ++ // BCRYPTSignHash generates DSA signatures in P1363 format, ++ // which is simply (r, s), each of them exactly half of the array. ++ if len(sig)%2 != 0 { ++ return nil, nil, errors.New("crypto/dsa: invalid signature size from bcrypt") ++ } ++ ++ return sig[:len(sig)/2], sig[len(sig)/2:], nil ++} ++ ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { ++ // As of FIPS 186-4 the maximum Q size is 32 bytes. ++ // ++ // See also: cbGroupSize at ++ // https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob_v2 ++ const maxGroupSize = 32 ++ ++ sig := make([]byte, 0, 2*maxGroupSize) ++ prependZeros := func(nonZeroBytes int) { ++ if zeros := int(size/2) - nonZeroBytes; zeros > 0 { ++ sig = append(sig, make([]byte, zeros)...) ++ } ++ } ++ prependZeros(len(r)) ++ sig = append(sig, r...) ++ prependZeros(len(s)) ++ sig = append(sig, s...) ++ ++ return openssl.VerifyDSA(pub, hash, sig) ++} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 --- a/src/crypto/internal/boring/fipstls/stub.s 
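Review bot: `VerifyDSA` pads `r` and `s` to a fixed width with `int(size/2)`, but `size` is not declared in the function, and the comments and error text (`BCRYPTSignHash`, "from bcrypt", the `bcrypt_dsa_key_blob_v2` link) describe CNG rather than OpenSSL. `len(r)` is taken on an `openssl.BigInt`; if that type is a word slice rather than bytes, the padding arithmetic and `append(sig, r...)` do not produce the byte layout the comment describes, and `SignDSA` has the mirror problem when it returns byte slices as `BigInt`. Confirm which signature encoding `openssl.SignDSA` and `openssl.VerifyDSA` use before splitting or concatenating halves, derive the width from the key's `Q`, and return false when `r` or `s` is longer than that width.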
diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 0da11ecfda..5e45bf3320 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -13,7 +13,7 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 293 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 313 ++++++++++++++++++ src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 36 files changed, 388 insertions(+), 27 deletions(-) + 36 files changed, 408 insertions(+), 27 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..39c3c7043ab720 +index 00000000000000..7c718dfe66e51c --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,293 @@ +@@ -0,0 +1,313 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
@@ -480,6 +480,26 @@ index 00000000000000..39c3c7043ab720 + } + return params.P, params.Q, params.G, nil +} ++ ++func GenerateKeyDSA(p, q, g cng.BigInt) (*cng.PrivateKeyDSA, error) { ++ return cng.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++} ++ ++func NewPrivateKeyDSA(p, q, g, x, y cng.BigInt) (*cng.PrivateKeyDSA, error) { ++ return cng.NewPrivateKeyDSA(cng.DSAParameters{p, q, g}, x, y) ++} ++ ++func NewPublicKeyDSA(p, q, g, y cng.BigInt) (*cng.PrivateKeyDSA, error) { ++ return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y) ++} ++ ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s cng.BigInt, err error) { ++ return cng.SignDSA(priv, hash) ++} ++ ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt) bool { ++ return cng.VerifyDSA(pub, hash, sig) ++} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go index bc595e91024f11..7766d674f5cfaf 100644 --- a/src/crypto/internal/backend/common.go From e51ccc69ec6105820d617624a8a59287343bd0c0 Mon Sep 17 00:00:00 2001 From: mertakman Date: Mon, 9 Dec 2024 16:58:00 +0000 Subject: [PATCH 02/22] fix:nobackend err --- patches/0002-Add-crypto-backend-foundation.patch | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 66d1ec4eb6..81eceff3d2 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -3,6 +3,7 @@ From: qmuntal Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation +fix:nobackend panic consistently without return --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- @@ -886,7 +887,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true 
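Review bot: `VerifyDSA` in `cng_windows.go` calls `cng.VerifyDSA(pub, hash, sig)`, but the parameter is named `hashed` and no `sig` exists in the function, so `r` and `s` never reach the backend. The signatures also use unqualified `PrivateKeyDSA`/`PublicKeyDSA` while the constructors return `*cng.PrivateKeyDSA`; unless the file aliases those types outside this hunk, they need the `cng.` qualifier. Pass `r` and `s` through (or build the signature from them here), and add a test that a signature with one altered byte is rejected on this backend.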
diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..be18ecce6eabaa +index 00000000000000..c8d1742872c484 --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,224 @@ @@ -1107,7 +1108,7 @@ index 00000000000000..be18ecce6eabaa + panic("cryptobackend: not available") +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s BigInt, error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s BigInt, err error) { + panic("cryptobackend: not available") +} + From 5a9a991a42777b9d42bd53d3eab01efe54ed6aae Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 05:49:58 +0000 Subject: [PATCH 03/22] fix:export no fields on nobackend --- .../0002-Add-crypto-backend-foundation.patch | 46 +++++++++---------- .../0003-Add-BoringSSL-crypto-backend.patch | 4 +- patches/0004-Add-OpenSSL-crypto-backend.patch | 17 ++++--- patches/0005-Add-CNG-crypto-backend.patch | 17 ++++--- 4 files changed, 46 insertions(+), 38 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 81eceff3d2..9fae167a85 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -4,13 +4,15 @@ Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation fix:nobackend panic consistently without return + +002fix --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- src/crypto/boring/boring.go | 2 +- src/crypto/des/cipher.go | 7 + src/crypto/dsa/boring.go | 109 +++++++++ - src/crypto/dsa/dsa.go | 48 ++++ + src/crypto/dsa/dsa.go | 44 ++++ src/crypto/dsa/notboring.go | 16 ++ src/crypto/ecdh/ecdh.go | 2 +- src/crypto/ecdh/nist.go | 2 +- 
@@ -64,7 +66,7 @@ fix:nobackend panic consistently without return src/hash/notboring_test.go | 5 + src/net/smtp/smtp_test.go | 72 +++--- src/runtime/runtime_boring.go | 5 + - 59 files changed, 1097 insertions(+), 106 deletions(-) + 59 files changed, 1093 insertions(+), 106 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go @@ -266,7 +268,7 @@ index 00000000000000..d01c955da8c9e5 + } +} diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go -index 4524bd492feba0..787258c9526f74 100644 +index 4524bd492feba0..aa7970053f1a5d 100644 --- a/src/crypto/dsa/dsa.go +++ b/src/crypto/dsa/dsa.go @@ -18,6 +18,8 @@ import ( @@ -296,31 +298,25 @@ index 4524bd492feba0..787258c9526f74 100644 qBytes := make([]byte, N/8) pBytes := make([]byte, L/8) -@@ -161,6 +174,23 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { +@@ -161,6 +174,17 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { return errors.New("crypto/dsa: parameters not set up before generating key") } + if boring.Enabled && boring.SupportsDSA(priv.P.BitLen(), priv.Q.BitLen()) { -+ b, err := boringPrivateKey(priv) ++ x, y, err := boring.GenerateKeyDSA(bbig.Enc(priv.P), bbig.Enc(priv.Q), bbig.Enc(priv.G)) + if err != nil { + return err + } ++ priv.X = bbig.Dec(x) ++ priv.Y = bbig.Dec(y) + -+ generatedKey, err := boring.GenerateKeyDSA(bbig.Enc(priv.P), bbig.Enc(priv.Q), bbig.Enc(priv.G)) -+ if err != nil { -+ return err -+ } -+ -+ priv.X = bbig.Dec(generatedKey.X) -+ priv.Y = bbig.Dec(generatedKey.Y) -+ -+ return ++ return nil + } + x := new(big.Int) xBytes := make([]byte, priv.Q.BitLen()/8) -@@ -212,6 +242,16 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err +@@ -212,6 +236,18 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err err = ErrInvalidPublicKey return } 
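Review bot: The backend branch of `GenerateKey` never reads the `rand` argument, so a caller-supplied reader is silently ignored whenever `boring.Enabled` and `boring.SupportsDSA` are both true. That changes the behaviour of an exported function and should be stated at the branch, for example `// The backend draws from its own random source; rand is ignored on this path.` GenerateKey's body continues outside the hunk.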
@@ -328,26 +324,28 @@ index 4524bd492feba0..787258c9526f74 100644 + if boring.Enabled && boring.SupportsDSA(priv.P.BitLen(), priv.Q.BitLen()) { + b, err := boringPrivateKey(priv) + if err != nil { -+ return err ++ return nil, nil, err + } + -+ return boring.SignDSA(b, hash) ++ r, s, err := boring.SignDSA(b, hash) ++ ++ return bbig.Dec(r), bbig.Dec(s), err + } + n >>= 3 var attempts int -@@ -271,6 +311,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err +@@ -271,6 +307,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err // to the byte-length of the subgroup. This function does not perform that // truncation itself. func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { -+ if boring.Enabled && boring.SupportsDSA(pub.P.BitLen(), priv.Q.BitLen()) { -+ b, err := boringPrivateKey(priv) ++ if boring.Enabled && boring.SupportsDSA(pub.P.BitLen(), pub.Q.BitLen()) { ++ bkey, err := boringPublicKey(pub) + if err != nil { -+ return nil, err ++ return false + } + -+ return boring.VerifyDSA(pub, hash, bbig.Enc(r), bbig.Enc(s)) ++ return boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s)) + } // FIPS 186-3, section 4.7 @@ -887,7 +885,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..c8d1742872c484 +index 00000000000000..af8cbf11c28f06 --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,224 @@ @@ -1096,7 +1094,7 @@ index 00000000000000..c8d1742872c484 +type PublicKeyDSA struct{ _ int } +type PrivateKeyDSA struct{ _ int } + -+func GenerateKeyDSA(p, q, g BigInt) (*PrivateKeyDSA, error) { ++func GenerateKeyDSA(p, q, g BigInt) (x, y BigInt, err error) { + panic("cryptobackend: not available") +} + 
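Review bot: In `Sign`, `r, s, err := boring.SignDSA(b, hash)` is followed directly by `return bbig.Dec(r), bbig.Dec(s), err`, so a failed signing call still decodes and returns whatever `r` and `s` hold alongside the error. Check first with `if err != nil { return nil, nil, err }`. The `:=` also shadows the function's named results `r`, `s` and `err` inside the branch; it works because the return is explicit, but distinct names such as `br, bs` would make that obvious to the next reader.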
diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 47abcee319..e5d2ac38b3 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..638164b1569a1e +index 00000000000000..d0d7c51212da6c --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,256 @@ @@ -271,7 +271,7 @@ index 00000000000000..638164b1569a1e +type PrivateKeyDSA struct{} +type PrivateKeyDSA struct{} + -+func GenerateKeyDSA(p, q, g boring.BigInt) (*PrivateKeyDSA, error) { ++func GenerateKeyDSA(p, q, g boring.BigInt) (x, y boring.BigInt, err error) { + panic("cryptobackend: not available") +} + diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 4ba27e51df..d9c36f384e 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 382 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 387 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- 
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 467 insertions(+), 25 deletions(-) + 36 files changed, 472 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..dff302585913ae +index 00000000000000..89ba8d7f698b41 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,382 @@ +@@ -0,0 +1,387 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -532,8 +532,13 @@ index 00000000000000..dff302585913ae + return params.P, params.Q, params.G, err +} + -+func GenerateKeyDSA(p, q, g openssl.BigInt) (*openssl.PrivateKeyDSA, error) { -+ return openssl.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++func GenerateKeyDSA(p, q, g openssl.BigInt) (x, y openssl.BigInt, err error) { ++ generatedKey, err := openssl.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++ if err != nil { ++ return nil, nil, err ++ } ++ ++ return generatedKey.X, generatedKey.Y, nil +} + +func NewPrivateKeyDSA(p, q, g, x, y openssl.BigInt) (*openssl.PrivateKeyDSA, error) { diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 5e45bf3320..5c2f569798 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch 
@@ -13,7 +13,7 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 313 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 318 ++++++++++++++++++ src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 36 files changed, 408 insertions(+), 27 deletions(-) + 36 files changed, 413 insertions(+), 27 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..7c718dfe66e51c +index 00000000000000..e06646456aefe0 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,313 @@ +@@ -0,0 +1,318 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
@@ -481,8 +481,13 @@ index 00000000000000..7c718dfe66e51c + return params.P, params.Q, params.G, nil +} + -+func GenerateKeyDSA(p, q, g cng.BigInt) (*cng.PrivateKeyDSA, error) { -+ return cng.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++func GenerateKeyDSA(p, q, g cng.BigInt) (x, y cng.BigInt, err error) { ++ generatedKey, err := cng.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++ if err != nil { ++ return nil, nil, err ++ } ++ ++ return generatedKey.X, generatedKey.Y, nil +} + +func NewPrivateKeyDSA(p, q, g, x, y cng.BigInt) (*cng.PrivateKeyDSA, error) { From d20fd4413ae9a98581c4e342d050b759b9c645fd Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 06:05:54 +0000 Subject: [PATCH 04/22] fix:remove commit message --- patches/0002-Add-crypto-backend-foundation.patch | 3 --- 1 file changed, 3 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 9fae167a85..3dba297933 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -3,9 +3,6 @@ From: qmuntal Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation -fix:nobackend panic consistently without return - -002fix --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- From d510d914fd6456edad899b6682092a05060bde93 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 06:13:00 +0000 Subject: [PATCH 05/22] fix:remove commit message --- patches/0004-Add-OpenSSL-crypto-backend.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index d9c36f384e..95395b5af9 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec 
diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..89ba8d7f698b41 +index 00000000000000..a264fa42af8198 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,387 @@ @@ -549,7 +549,7 @@ index 00000000000000..89ba8d7f698b41 + return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, err error) { + sig, err := openssl.SignDSA(priv, hash) + if err != nil { + return nil, err From e7fa9320841df01b1006e1408d87c8b063a1aa47 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 06:32:37 +0000 Subject: [PATCH 06/22] fix:update function signatures --- patches/0004-Add-OpenSSL-crypto-backend.patch | 4 ++-- patches/0005-Add-CNG-crypto-backend.patch | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 95395b5af9..bdf27f1c1a 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..a264fa42af8198 +index 00000000000000..4166b9a237cab3 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,387 @@ @@ -582,7 +582,7 @@ index 00000000000000..a264fa42af8198 + prependZeros(len(s)) + sig = append(sig, s...) + -+ return openssl.VerifyDSA(pub, hash, sig) ++ return openssl.VerifyDSA(pub, hashed, sig) +} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 
diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 5c2f569798..fc94173ab4 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -183,7 +183,7 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..e06646456aefe0 +index 00000000000000..2401bb177b900c --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go @@ -0,0 +1,318 @@ @@ -503,7 +503,7 @@ index 00000000000000..e06646456aefe0 +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt) bool { -+ return cng.VerifyDSA(pub, hash, sig) ++ return cng.VerifyDSA(pub, hashed, r, s) +} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go index bc595e91024f11..7766d674f5cfaf 100644 From 9b22b1453617b54b36adcceeb6c76ad312a074b7 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 07:03:46 +0000 Subject: [PATCH 07/22] Fix:update patches correctly --- .../0003-Add-BoringSSL-crypto-backend.patch | 4 ++-- patches/0004-Add-OpenSSL-crypto-backend.patch | 18 ++++++++++-------- patches/0005-Add-CNG-crypto-backend.patch | 13 ++++++++----- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index e5d2ac38b3..781ada7e70 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..d0d7c51212da6c +index 00000000000000..03dd981dbbfa48 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,256 @@ 
@@ -269,7 +269,7 @@ index 00000000000000..d0d7c51212da6c +} + +type PrivateKeyDSA struct{} -+type PrivateKeyDSA struct{} ++type PublicKeyDSA struct{} + +func GenerateKeyDSA(p, q, g boring.BigInt) (x, y boring.BigInt, err error) { + panic("cryptobackend: not available") diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index bdf27f1c1a..10fdd75940 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 387 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 389 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 472 insertions(+), 25 deletions(-) + 36 files changed, 474 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..4166b9a237cab3 +index 00000000000000..296665f9f8a896 --- /dev/null 
+++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,387 @@ +@@ -0,0 +1,389 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -219,7 +219,6 @@ index 00000000000000..4166b9a237cab3 + "syscall" + + "github.com/golang-fips/openssl/v2" -+ "github.com/microsoft/go-crypto-winnative/cng" +) + +// Enabled controls whether FIPS crypto is enabled. @@ -523,6 +522,9 @@ index 00000000000000..4166b9a237cab3 + return openssl.VerifyEd25519(pub, message, sig) +} + ++type PublicKeyDSA = openssl.PublicKeyDSA ++type PrivateKeyDSA = openssl.PrivateKeyDSA ++ +func SupportsDSA(l, n int) bool { + return openssl.SupportsDSA() +} @@ -533,7 +535,7 @@ index 00000000000000..4166b9a237cab3 +} + +func GenerateKeyDSA(p, q, g openssl.BigInt) (x, y openssl.BigInt, err error) { -+ generatedKey, err := openssl.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++ generatedKey, err := openssl.GenerateKeyDSA(openssl.DSAParameters{p, q, g}) + if err != nil { + return nil, nil, err + } @@ -545,14 +547,14 @@ index 00000000000000..4166b9a237cab3 + return openssl.NewPrivateKeyDSA(openssl.DSAParameters{p, q, g}, x, y) +} + -+func NewPublicKeyDSA(p, q, g, y openssl.BigInt) (*openssl.PrivateKeyDSA, error) { ++func NewPublicKeyDSA(p, q, g, y openssl.BigInt) (*openssl.PublicKeyDSA, error) { + return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) +} + +func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, err error) { + sig, err := openssl.SignDSA(priv, hash) + if err != nil { -+ return nil, err ++ return nil, nil, err + } + + // BCRYPTSignHash generates DSA signatures in P1363 format, diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index fc94173ab4..790c2b808d 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch 
@@ -13,7 +13,7 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 318 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 321 ++++++++++++++++++ src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 36 files changed, 413 insertions(+), 27 deletions(-) + 36 files changed, 416 insertions(+), 27 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..2401bb177b900c +index 00000000000000..542b21f1a25e05 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,318 @@ +@@ -0,0 +1,321 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -468,6 +468,9 @@ index 00000000000000..2401bb177b900c + panic("cryptobackend: not available") +} + ++type PrivateKeyDSA = cng.PrivateKeyDSA ++type PublicKeyDSA = cng.PublicKeyDSA ++ +func SupportsDSA(l, n int) bool { + // These are the only N values supported by CNG + return n == 160 || n == 256 
@@ -494,7 +497,7 @@ index 00000000000000..2401bb177b900c + return cng.NewPrivateKeyDSA(cng.DSAParameters{p, q, g}, x, y) +} + -+func NewPublicKeyDSA(p, q, g, y cng.BigInt) (*cng.PrivateKeyDSA, error) { ++func NewPublicKeyDSA(p, q, g, y cng.BigInt) (*cng.PublicKeyDSA, error) { + return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y) +} + From 363507c82603687221e17897451b90a054f59f64 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 07:22:09 +0000 Subject: [PATCH 08/22] fix:boringssl wrong import signature --- patches/0003-Add-BoringSSL-crypto-backend.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 781ada7e70..f4ce862eab 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..03dd981dbbfa48 +index 00000000000000..797e805300c4c9 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,256 @@ @@ -279,7 +279,7 @@ index 00000000000000..03dd981dbbfa48 + panic("cryptobackend: not available") +} + -+func NewPublicKeyDSA(p, q, g, y boring.BigInt) (*PrivateKeyDSA, error) { ++func NewPublicKeyDSA(p, q, g, y boring.BigInt) (*PublicKeyDSA, error) { + panic("cryptobackend: not available") +} + From 0edd64b40fef6510f9d22e1b3a707ec5ad81ce87 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 07:36:00 +0000 Subject: [PATCH 09/22] fix:parameters --- .../0002-Add-crypto-backend-foundation.patch | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 3dba297933..546927091a 100644 
--- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -3,12 +3,15 @@ From: qmuntal Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation +fix:nobackend panic consistently without return + +002fix --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- src/crypto/boring/boring.go | 2 +- src/crypto/des/cipher.go | 7 + - src/crypto/dsa/boring.go | 109 +++++++++ + src/crypto/dsa/boring.go | 113 ++++++++++ src/crypto/dsa/dsa.go | 44 ++++ src/crypto/dsa/notboring.go | 16 ++ src/crypto/ecdh/ecdh.go | 2 +- @@ -63,7 +66,7 @@ Subject: [PATCH] Add crypto backend foundation src/hash/notboring_test.go | 5 + src/net/smtp/smtp_test.go | 72 +++--- src/runtime/runtime_boring.go | 5 + - 59 files changed, 1093 insertions(+), 106 deletions(-) + 59 files changed, 1097 insertions(+), 106 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go @@ -151,10 +154,10 @@ index 04b73e7d3bf758..0891652a4566fb 100644 c.cipher1.generateSubkeys(key[:8]) diff --git a/src/crypto/dsa/boring.go b/src/crypto/dsa/boring.go new file mode 100644 -index 00000000000000..d01c955da8c9e5 +index 00000000000000..3be888a0104809 --- /dev/null +++ b/src/crypto/dsa/boring.go -@@ -0,0 +1,109 @@ +@@ -0,0 +1,113 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -248,7 +251,11 @@ index 00000000000000..d01c955da8c9e5 + +func copyPublicKey(k *PublicKey) PublicKey { + return PublicKey{ -+ Parameters{new(big.Int).Set(k.P), new(big.Int).Set(k.Q), new(big.Int).Set(k.G)}, ++ Parameters: Parameters{ ++ P: new(big.Int).Set(k.P), ++ Q: new(big.Int).Set(k.Q), ++ G: new(big.Int).Set(k.G), ++ }, + Y: new(big.Int).Set(k.Y), + } +} From e408c08bd57a549e5ba5eb7eb754693ebef921db Mon Sep 17 00:00:00 2001 
From: mertakman Date: Tue, 10 Dec 2024 07:56:53 +0000 Subject: [PATCH 10/22] fix: correct function signature for nobackend --- patches/0002-Add-crypto-backend-foundation.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 546927091a..1574121316 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -889,7 +889,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..af8cbf11c28f06 +index 00000000000000..2f6b54f20be6bf --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,224 @@ @@ -1106,7 +1106,7 @@ index 00000000000000..af8cbf11c28f06 + panic("cryptobackend: not available") +} + -+func NewPublicKeyDSA(p, q, g, y BigInt) (*PrivateKeyDSA, error) { ++func NewPublicKeyDSA(p, q, g, y BigInt) (*PublicKeyDSA, error) { + panic("cryptobackend: not available") +} + From b02069649d9c43d4067e016b70dba10304814695 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 15:34:42 +0000 Subject: [PATCH 11/22] fix: openssl conversions --- patches/0004-Add-OpenSSL-crypto-backend.patch | 58 +++++++++++-------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 10fdd75940..d505f7e0db 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch 
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 389 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 397 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 474 insertions(+), 25 deletions(-) + 36 files changed, 482 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..296665f9f8a896 +index 00000000000000..613a23b89dcd69 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,389 @@ +@@ -0,0 +1,397 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -219,6 +219,9 @@ index 00000000000000..296665f9f8a896 + "syscall" + + "github.com/golang-fips/openssl/v2" ++ "github.com/golang-fips/openssl/v2/bbig" ++ "golang.org/x/crypto/cryptobyte" ++ "golang.org/x/crypto/cryptobyte/asn1" +) + +// Enabled controls whether FIPS crypto is enabled. 
@@ -557,34 +560,39 @@ index 00000000000000..296665f9f8a896 + return nil, nil, err + } + -+ // BCRYPTSignHash generates DSA signatures in P1363 format, -+ // which is simply (r, s), each of them exactly half of the array. -+ if len(sig)%2 != 0 { -+ return nil, nil, errors.New("crypto/dsa: invalid signature size from bcrypt") ++ r, s, err := parseSignature(sig) ++ if err != nil { ++ return nil, nil, err + } + -+ return sig[:len(sig)/2], sig[len(sig)/2:], nil ++ return bbig.Dec(r), bbig.Dec(s), nil +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { -+ // As of FIPS 186-4 the maximum Q size is 32 bytes. -+ // -+ // See also: cbGroupSize at -+ // https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob_v2 -+ const maxGroupSize = 32 -+ -+ sig := make([]byte, 0, 2*maxGroupSize) -+ prependZeros := func(nonZeroBytes int) { -+ if zeros := int(size/2) - nonZeroBytes; zeros > 0 { -+ sig = append(sig, make([]byte, zeros)...) -+ } ++ sig := encodeSignature(bbig.Enc(r), bbig.Enc(s)) ++ return openssl.VerifyDSA(pub, hashed, sig) ++} ++ ++func parseSignature(sig []byte) (r, s []byte, err error) { ++ var inner cryptobyte.String ++ input := cryptobyte.String(sig) ++ if !input.ReadASN1(&inner, asn1.SEQUENCE) || ++ !input.Empty() || ++ !inner.ReadASN1Integer(&r) || ++ !inner.ReadASN1Integer(&s) || ++ !inner.Empty() { ++ return nil, nil, errors.New("invalid ASN.1") + } -+ prependZeros(len(r)) -+ sig = append(sig, r...) -+ prependZeros(len(s)) -+ sig = append(sig, s...) ++ return r, s, nil ++} + -+ return openssl.VerifyDSA(pub, hashed, sig) ++func encodeSignature(r, s []byte) ([]byte, error) { ++ var b cryptobyte.Builder ++ b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { ++ addASN1IntBytes(b, r) ++ addASN1IntBytes(b, s) ++ }) ++ return b.Bytes() +} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 
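Review bot: `r, s, err := parseSignature(sig)` in the new SignDSA cannot compile: r, s and err are already the function's named results, so `:=` introduces no new variable, and parseSignature yields `[]byte` values where the results are `openssl.BigInt`. Bind the parsed integers to fresh names, e.g. `rBytes, sBytes, err := parseSignature(sig)`, and convert them explicitly before returning. In VerifyDSA, `sig := encodeSignature(...)` takes a single value from a function declared to return `([]byte, error)`; it should be `sig, err := encodeSignature(...)` followed by `if err != nil { return false }`, so that an r or s that cannot be encoded is rejected rather than passed on. encodeSignature also calls addASN1IntBytes, which this hunk does not define.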
From f57d4f73fd841ba6127d3cdfb32ec248065e23be Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 15:50:09 +0000 Subject: [PATCH 12/22] fix:add missing signatures --- patches/0004-Add-OpenSSL-crypto-backend.patch | 36 +++++++++++++++---- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index d505f7e0db..7ecb9e44b2 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 397 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 419 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 482 insertions(+), 25 deletions(-) + 36 files changed, 504 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..613a23b89dcd69 +index 00000000000000..f72aad4805a06b --- /dev/null 
+++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,397 @@ +@@ -0,0 +1,419 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -560,16 +560,20 @@ index 00000000000000..613a23b89dcd69 + return nil, nil, err + } + -+ r, s, err := parseSignature(sig) ++ rByte, sByte, err := parseSignature(sig) + if err != nil { + return nil, nil, err + } + -+ return bbig.Dec(r), bbig.Dec(s), nil ++ return bbig.Dec(rByte), bbig.Dec(sByte), nil +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { -+ sig := encodeSignature(bbig.Enc(r), bbig.Enc(s)) ++ sig, err := encodeSignature(bbig.Enc(r), bbig.Enc(s)) ++ if err != nil { ++ return false ++ } ++ + return openssl.VerifyDSA(pub, hashed, sig) +} + @@ -594,6 +598,24 @@ index 00000000000000..613a23b89dcd69 + }) + return b.Bytes() +} ++ ++// addASN1IntBytes encodes in ASN.1 a positive integer represented as ++// a big-endian byte slice with zero or more leading zeroes. ++func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { ++ for len(bytes) > 0 && bytes[0] == 0 { ++ bytes = bytes[1:] ++ } ++ if len(bytes) == 0 { ++ b.SetError(errors.New("invalid integer")) ++ return ++ } ++ b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) { ++ if bytes[0]&0x80 != 0 { ++ c.AddUint8(0) ++ } ++ c.AddBytes(bytes) ++ }) ++} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 --- a/src/crypto/internal/boring/fipstls/stub.s From 120c6b5ad97e4f6e446ae0afac754878bcd4860e Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 16:04:50 +0000 Subject: [PATCH 13/22] fix:bigint --- patches/0004-Add-OpenSSL-crypto-backend.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
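Review bot: The doc comment on addASN1IntBytes describes the accepted input but not the rejection path: once leading zeroes are stripped, an empty or all-zero slice triggers `b.SetError(errors.New("invalid integer"))`, which comes back as an error from encodeSignature and makes VerifyDSA return false. I would add a sentence such as `// A zero or empty value is rejected through b.SetError, so a signature with r = 0 or s = 0 is refused before the backend is called.` The parameter name `bytes` is also the name of a standard-library package, and `b` is already taken by the builder, so a name like `intBytes` reads better.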
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 7ecb9e44b2..88f6564bf8 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..f72aad4805a06b +index 00000000000000..0b4964d971f4bc --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,419 @@ @@ -211,6 +211,7 @@ index 00000000000000..f72aad4805a06b +import ( + "crypto" + "crypto/cipher" ++ "crypto/internal/backend/bbig" + "crypto/internal/boring/fipstls" + "crypto/internal/boring/sig" + "errors" @@ -219,7 +220,6 @@ index 00000000000000..f72aad4805a06b + "syscall" + + "github.com/golang-fips/openssl/v2" -+ "github.com/golang-fips/openssl/v2/bbig" + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/cryptobyte/asn1" +) From 41c3f930cffb583ac7dfc3d6ef03d57415dbd988 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 16:23:06 +0000 Subject: [PATCH 14/22] fix:openssl bigint --- patches/0004-Add-OpenSSL-crypto-backend.patch | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 88f6564bf8..54a1a278d6 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch 
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 419 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 418 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 504 insertions(+), 25 deletions(-) + 36 files changed, 503 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..0b4964d971f4bc +index 00000000000000..9186ae56d702a1 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,419 @@ +@@ -0,0 +1,418 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -211,7 +211,6 @@ index 00000000000000..0b4964d971f4bc +import ( + "crypto" + "crypto/cipher" -+ "crypto/internal/backend/bbig" + "crypto/internal/boring/fipstls" + "crypto/internal/boring/sig" + "errors" 
@@ -565,11 +564,11 @@ index 00000000000000..0b4964d971f4bc + return nil, nil, err + } + -+ return bbig.Dec(rByte), bbig.Dec(sByte), nil ++ return new(openssl.BigInt).SetBytes(rByte), new(openssl.BigInt).SetBytes(sByte), nil +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { -+ sig, err := encodeSignature(bbig.Enc(r), bbig.Enc(s)) ++ sig, err := encodeSignature(r.Bytes(), s.Bytes()) + if err != nil { + return false + } From e88e2531bf500404c04497f339f1d85b78c64494 Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 16:37:13 +0000 Subject: [PATCH 15/22] fix:bigint conversion --- patches/0004-Add-OpenSSL-crypto-backend.patch | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 54a1a278d6..1795b3fe18 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 418 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 419 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 503 insertions(+), 25 deletions(-) + 36 files changed, 504 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go 
@@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..9186ae56d702a1 +index 00000000000000..dbb7962d4370b7 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,418 @@ +@@ -0,0 +1,419 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -219,6 +219,7 @@ index 00000000000000..9186ae56d702a1 + "syscall" + + "github.com/golang-fips/openssl/v2" ++ "github.com/golang-fips/openssl/v2/bbig" + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/cryptobyte/asn1" +) @@ -564,11 +565,11 @@ index 00000000000000..9186ae56d702a1 + return nil, nil, err + } + -+ return new(openssl.BigInt).SetBytes(rByte), new(openssl.BigInt).SetBytes(sByte), nil ++ return bbig.Enc(new(big.Int).SetBytes(rByte)), bbig.Enc(new(big.BigInt).SetBytes(sByte)), nil +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { -+ sig, err := encodeSignature(r.Bytes(), s.Bytes()) ++ sig, err := encodeSignature(bbig.Dec(r).Bytes(), bbig.Dec(s).Bytes()) + if err != nil { + return false + } From b6673d060ddbb6baaf397d3cede91c0ced4e1a8b Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 16:47:12 +0000 Subject: [PATCH 16/22] fix:import math big --- patches/0004-Add-OpenSSL-crypto-backend.patch | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 1795b3fe18..06f586f275 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch 
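Review bot: `encodeSignature(bbig.Dec(r).Bytes(), bbig.Dec(s).Bytes())` in VerifyDSA discards the sign of r and s, because big.Int.Bytes returns the absolute value; a negative component would be encoded and verified as its magnitude. If the caller does not already enforce 0 < r, s < q before reaching the backend (not visible in this hunk), reject such values here on the decoded integers, e.g. `if rInt.Sign() <= 0 || sInt.Sign() <= 0 { return false }`. Should bbig.Dec return nil for an empty BigInt, `.Bytes()` would also panic on the nil pointer, so the same guard is the natural place for a nil check. On the SignDSA line, `new(big.BigInt)` names a type that math/big does not have; it should be `new(big.Int)`, and the file's import block needs `math/big`.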
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 419 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 420 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 504 insertions(+), 25 deletions(-) + 36 files changed, 505 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..dbb7962d4370b7 +index 00000000000000..736c0a5df7e80a --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,419 @@ +@@ -0,0 +1,420 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -216,6 +216,7 @@ index 00000000000000..dbb7962d4370b7 + "errors" + "hash" + "io" ++ "math/big" + "syscall" + + "github.com/golang-fips/openssl/v2" From 592171e0e139d814094a8d8a9935edea1714d1ad Mon Sep 17 00:00:00 2001 From: mertakman Date: Tue, 10 Dec 2024 16:50:45 +0000 Subject: [PATCH 17/22] fix bigint syntax --- patches/0004-Add-OpenSSL-crypto-backend.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 06f586f275..59412a9f2c 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..736c0a5df7e80a +index 00000000000000..3c3991993ee40a --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,420 @@ @@ -566,7 +566,7 @@ index 00000000000000..736c0a5df7e80a + return nil, nil, err + } + -+ return bbig.Enc(new(big.Int).SetBytes(rByte)), bbig.Enc(new(big.BigInt).SetBytes(sByte)), nil ++ return bbig.Enc(new(big.Int).SetBytes(rByte)), bbig.Enc(new(big.Int).SetBytes(sByte)), nil +} + +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { From 6110fbfa016194cc55dd04e9954b1b4a23380ece Mon Sep 17 00:00:00 2001 From: mertakman Date: Thu, 12 Dec 2024 03:59:21 +0000 Subject: [PATCH 18/22] fix:dependency imports --- .../0002-Add-crypto-backend-foundation.patch | 3 --- patches/0004-Add-OpenSSL-crypto-backend.patch | 22 +++++++++++++------ 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 1574121316..a0655a055f 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -3,9 +3,6 @@ From: qmuntal Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation -fix:nobackend panic consistently without return - -002fix --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 59412a9f2c..b9d186350c 100644 
--- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -32,7 +32,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/x509/notboring.go | 2 +- src/go.mod | 1 + src/go.sum | 2 + - src/go/build/deps_test.go | 7 +- + src/go/build/deps_test.go | 8 +- src/go/build/vendor_test.go | 1 + src/hash/boring_test.go | 2 +- src/hash/notboring_test.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 505 insertions(+), 25 deletions(-) + 36 files changed, 506 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..3c3991993ee40a +index 00000000000000..017baddcf79c06 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,420 @@ @@ -211,6 +211,7 @@ index 00000000000000..3c3991993ee40a +import ( + "crypto" + "crypto/cipher" ++ "crypto/internal/backend/bbig" + "crypto/internal/boring/fipstls" + "crypto/internal/boring/sig" + "errors" @@ -220,7 +221,6 @@ index 00000000000000..3c3991993ee40a + "syscall" + + "github.com/golang-fips/openssl/v2" -+ "github.com/golang-fips/openssl/v2/bbig" + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/cryptobyte/asn1" +) @@ -835,7 +835,7 @@ index b4efd6d3c50c11..4c3ca847c21cd2 100644 golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd h1:pHzwejE8Zkb94bG4nA+fUeskKPFp1HPldrhv62dabro= 
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 578b4d6f68504c..80a14d54739524 100644 +index 578b4d6f68504c..0a69b3e3167ee4 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -476,6 +476,8 @@ var depsRules = ` @@ -855,7 +855,15 @@ index 578b4d6f68504c..80a14d54739524 100644 < crypto/internal/boring/bbig < crypto/internal/backend/bbig < crypto/rand -@@ -812,7 +815,7 @@ var buildIgnore = []byte("\n//go:build ignore") +@@ -522,6 +525,7 @@ var depsRules = ` + < encoding/asn1 + < golang.org/x/crypto/cryptobyte/asn1 + < golang.org/x/crypto/cryptobyte ++ < crypto/internal/backend + < crypto/internal/bigmod + < crypto/dsa, crypto/elliptic, crypto/rsa + < crypto/ecdsa +@@ -812,7 +816,7 @@ var buildIgnore = []byte("\n//go:build ignore") func findImports(pkg string) ([]string, error) { vpkg := pkg @@ -864,7 +872,7 @@ index 578b4d6f68504c..80a14d54739524 100644 vpkg = "vendor/" + pkg } dir := filepath.Join(Default.GOROOT, "src", vpkg) -@@ -822,7 +825,7 @@ func findImports(pkg string) ([]string, error) { +@@ -822,7 +826,7 @@ func findImports(pkg string) ([]string, error) { } var imports []string var haveImport = map[string]bool{} From 234fe896793cca41268de8be8c26e0662812cb46 Mon Sep 17 00:00:00 2001 From: mertakman Date: Thu, 12 Dec 2024 06:53:03 +0000 Subject: [PATCH 19/22] fix:restructure pkg layout --- .../0002-Add-crypto-backend-foundation.patch | 75 +++++++++++++++--- .../0003-Add-BoringSSL-crypto-backend.patch | 6 +- patches/0004-Add-OpenSSL-crypto-backend.patch | 79 +++---------------- patches/0005-Add-CNG-crypto-backend.patch | 6 +- 4 files changed, 81 insertions(+), 85 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index a0655a055f..6bb40d06a3 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch 
@@ -9,7 +9,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/boring/boring.go | 2 +- src/crypto/des/cipher.go | 7 + src/crypto/dsa/boring.go | 113 ++++++++++ - src/crypto/dsa/dsa.go | 44 ++++ + src/crypto/dsa/dsa.go | 88 ++++++++ src/crypto/dsa/notboring.go | 16 ++ src/crypto/ecdh/ecdh.go | 2 +- src/crypto/ecdh/nist.go | 2 +- @@ -63,7 +63,7 @@ Subject: [PATCH] Add crypto backend foundation src/hash/notboring_test.go | 5 + src/net/smtp/smtp_test.go | 72 +++--- src/runtime/runtime_boring.go | 5 + - 59 files changed, 1097 insertions(+), 106 deletions(-) + 59 files changed, 1141 insertions(+), 106 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go @@ -269,19 +269,23 @@ index 00000000000000..3be888a0104809 + } +} diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go -index 4524bd492feba0..aa7970053f1a5d 100644 +index 4524bd492feba0..9161e4b0a6ce85 100644 --- a/src/crypto/dsa/dsa.go +++ b/src/crypto/dsa/dsa.go -@@ -18,6 +18,8 @@ import ( +@@ -18,7 +18,12 @@ import ( "io" "math/big" + boring "crypto/internal/backend" + "crypto/internal/backend/bbig" "crypto/internal/randutil" ++ ++ "golang.org/x/crypto/cryptobyte" ++ "golang.org/x/crypto/cryptobyte/asn1" ) -@@ -86,6 +88,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes + // Parameters represents the domain parameters for a key. These parameters can +@@ -86,6 +91,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes return errors.New("crypto/dsa: invalid ParameterSizes") } @@ -299,7 +303,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644 qBytes := make([]byte, N/8) pBytes := make([]byte, L/8) -@@ -161,6 +174,17 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { +@@ -161,6 +177,17 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { return errors.New("crypto/dsa: parameters not set up before generating key") } 
@@ -317,7 +321,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644 x := new(big.Int) xBytes := make([]byte, priv.Q.BitLen()/8) -@@ -212,6 +236,18 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err +@@ -212,6 +239,18 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err err = ErrInvalidPublicKey return } @@ -328,7 +332,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644 + return nil, nil, err + } + -+ r, s, err := boring.SignDSA(b, hash) ++ r, s, err := boring.SignDSA(b, hash, parseSignature) + + return bbig.Dec(r), bbig.Dec(s), err + } @@ -336,7 +340,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644 n >>= 3 var attempts int -@@ -271,6 +307,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err +@@ -271,6 +310,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err // to the byte-length of the subgroup. This function does not perform that // truncation itself. func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { 
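Review bot: The backend branch of `Sign` (hunk `@@ -328,7 +332,7 @@`) decodes and returns `r` and `s` even when `boring.SignDSA` reports an error, because the result goes straight into `return bbig.Dec(r), bbig.Dec(s), err`. Whether `bbig.Dec` yields nil for a nil input is not visible here, so a caller that mishandles `err` could receive non-nil values that are not a signature. An explicit guard keeps the failure path unambiguous: `if err != nil { return nil, nil, err }` before the decode. The `:=` on that line also shadows the named results of `Sign`, which deserves a short comment; the function body starts and ends outside the hunk.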
@@ -346,11 +350,56 @@ index 4524bd492feba0..aa7970053f1a5d 100644 + return false + } + -+ return boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s)) ++ return boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s), encodeSignature) + } // FIPS 186-3, section 4.7 if pub.P.Sign() == 0 { +@@ -307,3 +354,44 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { + + return v.Cmp(r) == 0 + } ++ ++func parseSignature(sig []byte) ([]uint, []uint, error) { ++ var r, s []byte ++ var inner cryptobyte.String ++ input := cryptobyte.String(sig) ++ if !input.ReadASN1(&inner, asn1.SEQUENCE) || ++ !input.Empty() || ++ !inner.ReadASN1Integer(&r) || ++ !inner.ReadASN1Integer(&s) || ++ !inner.Empty() { ++ return nil, nil, errors.New("invalid ASN.1") ++ } ++ return []uint(bbig.Enc(new(big.Int).SetBytes(r))), []uint(bbig.Enc(new(big.Int).SetBytes(s))), nil ++} ++ ++func encodeSignature(r, s []uint) ([]byte, error) { ++ var b cryptobyte.Builder ++ b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { ++ addASN1IntBytes(b, bbig.Dec(r).Bytes()) ++ addASN1IntBytes(b, bbig.Dec(s).Bytes()) ++ }) ++ return b.Bytes() ++} ++ ++// addASN1IntBytes encodes in ASN.1 a positive integer represented as ++// a big-endian byte slice with zero or more leading zeroes. ++func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { ++ for len(bytes) > 0 && bytes[0] == 0 { ++ bytes = bytes[1:] ++ } ++ if len(bytes) == 0 { ++ b.SetError(errors.New("invalid integer")) ++ return ++ } ++ b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) { ++ if bytes[0]&0x80 != 0 { ++ c.AddUint8(0) ++ } ++ c.AddBytes(bytes) ++ }) ++} diff --git a/src/crypto/dsa/notboring.go b/src/crypto/dsa/notboring.go new file mode 100644 index 00000000000000..f8771d0189f990 @@ -886,7 +935,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true 
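Review bot: The backend branch of `Verify` returns `boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s), encodeSignature)` before any range check on `r` and `s`; the pure-Go validation sits below the `// FIPS 186-3, section 4.7` comment and is never reached on this path. If `bbig.Enc` keeps only the magnitude of a `*big.Int` (its implementation is not shown on this page), a negative `r` or `s` would be re-encoded as its absolute value and could verify. `encodeSignature` rejects zero via `addASN1IntBytes`, but nothing here rejects a negative or out-of-range value. Adding `if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 || s.Sign() < 1 || s.Cmp(pub.Q) >= 0 { return false }` ahead of the backend call would make both paths agree. `Verify` continues outside the hunk.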
diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..2f6b54f20be6bf +index 00000000000000..826732e87d4764 --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,224 @@ @@ -1107,11 +1156,11 @@ index 00000000000000..2f6b54f20be6bf + panic("cryptobackend: not available") +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s BigInt, err error) { + panic("cryptobackend: not available") +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { + panic("cryptobackend: not available") +} diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index f4ce862eab..46c71341c5 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..797e805300c4c9 +index 00000000000000..8cf833cf2bf3f9 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,256 @@ 
@@ -283,10 +283,10 @@ index 00000000000000..797e805300c4c9 + panic("cryptobackend: not available") +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s boring.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s boring.BigInt, err error) { + panic("cryptobackend: not available") +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { + panic("cryptobackend: not available") +} diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index b9d186350c..ffa29c6057 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 420 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 375 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -32,7 +32,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/x509/notboring.go | 2 +- src/go.mod | 1 + src/go.sum | 2 + - src/go/build/deps_test.go | 8 +- + src/go/build/deps_test.go | 7 +- src/go/build/vendor_test.go | 1 + src/hash/boring_test.go | 2 +- src/hash/notboring_test.go | 2 +- 
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 506 insertions(+), 25 deletions(-) + 36 files changed, 460 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..017baddcf79c06 +index 00000000000000..939dc54a0e8014 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,420 @@ +@@ -0,0 +1,375 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -211,18 +211,13 @@ index 00000000000000..017baddcf79c06 +import ( + "crypto" + "crypto/cipher" -+ "crypto/internal/backend/bbig" + "crypto/internal/boring/fipstls" + "crypto/internal/boring/sig" -+ "errors" + "hash" + "io" -+ "math/big" + "syscall" + + "github.com/golang-fips/openssl/v2" -+ "golang.org/x/crypto/cryptobyte" -+ "golang.org/x/crypto/cryptobyte/asn1" +) + +// Enabled controls whether FIPS crypto is enabled. 
@@ -555,68 +550,28 @@ index 00000000000000..017baddcf79c06 + return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s openssl.BigInt, err error) { + sig, err := openssl.SignDSA(priv, hash) + if err != nil { + return nil, nil, err + } + -+ rByte, sByte, err := parseSignature(sig) ++ r, s, err := parseSignature(sig) + if err != nil { + return nil, nil, err + } + -+ return bbig.Enc(new(big.Int).SetBytes(rByte)), bbig.Enc(new(big.Int).SetBytes(sByte)), nil ++ return openssl.BigInt(r), openssl.BigInt(s), nil +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool { -+ sig, err := encodeSignature(bbig.Dec(r).Bytes(), bbig.Dec(s).Bytes()) ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { ++ sig, err := encodeSignature(r, s) + if err != nil { + return false + } + + return openssl.VerifyDSA(pub, hashed, sig) +} -+ -+func parseSignature(sig []byte) (r, s []byte, err error) { -+ var inner cryptobyte.String -+ input := cryptobyte.String(sig) -+ if !input.ReadASN1(&inner, asn1.SEQUENCE) || -+ !input.Empty() || -+ !inner.ReadASN1Integer(&r) || -+ !inner.ReadASN1Integer(&s) || -+ !inner.Empty() { -+ return nil, nil, errors.New("invalid ASN.1") -+ } -+ return r, s, nil -+} -+ -+func encodeSignature(r, s []byte) ([]byte, error) { -+ var b cryptobyte.Builder -+ b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { -+ addASN1IntBytes(b, r) -+ addASN1IntBytes(b, s) -+ }) -+ return b.Bytes() -+} -+ -+// addASN1IntBytes encodes in ASN.1 a positive integer represented as -+// a big-endian byte slice with zero or more leading zeroes. 
-+func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { -+ for len(bytes) > 0 && bytes[0] == 0 { -+ bytes = bytes[1:] -+ } -+ if len(bytes) == 0 { -+ b.SetError(errors.New("invalid integer")) -+ return -+ } -+ b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) { -+ if bytes[0]&0x80 != 0 { -+ c.AddUint8(0) -+ } -+ c.AddBytes(bytes) -+ }) -+} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 --- a/src/crypto/internal/boring/fipstls/stub.s @@ -835,7 +790,7 @@ index b4efd6d3c50c11..4c3ca847c21cd2 100644 golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd h1:pHzwejE8Zkb94bG4nA+fUeskKPFp1HPldrhv62dabro= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 578b4d6f68504c..0a69b3e3167ee4 100644 +index 578b4d6f68504c..80a14d54739524 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -476,6 +476,8 @@ var depsRules = ` @@ -855,15 +810,7 @@ index 578b4d6f68504c..0a69b3e3167ee4 100644 < crypto/internal/boring/bbig < crypto/internal/backend/bbig < crypto/rand -@@ -522,6 +525,7 @@ var depsRules = ` - < encoding/asn1 - < golang.org/x/crypto/cryptobyte/asn1 - < golang.org/x/crypto/cryptobyte -+ < crypto/internal/backend - < crypto/internal/bigmod - < crypto/dsa, crypto/elliptic, crypto/rsa - < crypto/ecdsa -@@ -812,7 +816,7 @@ var buildIgnore = []byte("\n//go:build ignore") +@@ -812,7 +815,7 @@ var buildIgnore = []byte("\n//go:build ignore") func findImports(pkg string) ([]string, error) { vpkg := pkg 
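Review bot: The exported `SignDSA` and `VerifyDSA` in openssl_linux.go (hunk `@@ -555,68 +550,28 @@`) gain a caller-supplied `parseSignature` / `encodeSignature` parameter with no doc comment describing the contract. The correctness of signing and verification now depends on the caller passing functions that parse and emit exactly the DER `SEQUENCE { INTEGER r, INTEGER s }` that `openssl.SignDSA` and `openssl.VerifyDSA` exchange. I would add a comment such as `// SignDSA signs hash with priv; parseSignature must decode the ASN.1 DER signature returned by the backend into r and s.` and the matching one on `VerifyDSA`. The cng_windows.go hunk later in this commit accepts the same parameters and ignores them, which should also be stated in a comment there so the unused argument is not mistaken for an omission.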
@@ -872,7 +819,7 @@ index 578b4d6f68504c..0a69b3e3167ee4 100644 vpkg = "vendor/" + pkg } dir := filepath.Join(Default.GOROOT, "src", vpkg) -@@ -822,7 +826,7 @@ func findImports(pkg string) ([]string, error) { +@@ -822,7 +825,7 @@ func findImports(pkg string) ([]string, error) { } var imports []string var haveImport = map[string]bool{} diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 790c2b808d..34c6aab86b 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -183,7 +183,7 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..542b21f1a25e05 +index 00000000000000..3543e4eff7402d --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go @@ -0,0 +1,321 @@ @@ -501,11 +501,11 @@ index 00000000000000..542b21f1a25e05 + return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y) +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s cng.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s cng.BigInt, err error) { + return cng.SignDSA(priv, hash) +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { + return cng.VerifyDSA(pub, hashed, r, s) +} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go From c18168d03ace1a9ae25a98cc0bb5ebd92e7ca0d5 Mon Sep 17 00:00:00 2001 
From: mertakman Date: Thu, 12 Dec 2024 07:46:55 +0000 Subject: [PATCH 20/22] fix:patch files --- patches/0002-Add-crypto-backend-foundation.patch | 14 +++++++------- patches/0003-Add-BoringSSL-crypto-backend.patch | 12 +++++++----- patches/0004-Add-OpenSSL-crypto-backend.patch | 16 +++++++++------- patches/0005-Add-CNG-crypto-backend.patch | 14 ++++++++------ 4 files changed, 31 insertions(+), 25 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 6bb40d06a3..8362542030 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -269,7 +269,7 @@ index 00000000000000..3be888a0104809 + } +} diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go -index 4524bd492feba0..9161e4b0a6ce85 100644 +index 4524bd492feba0..f8e20be38a3794 100644 --- a/src/crypto/dsa/dsa.go +++ b/src/crypto/dsa/dsa.go @@ -18,7 +18,12 @@ import ( @@ -360,7 +360,7 @@ index 4524bd492feba0..9161e4b0a6ce85 100644 return v.Cmp(r) == 0 } + -+func parseSignature(sig []byte) ([]uint, []uint, error) { ++func parseSignature(sig []byte) (boring.BigInt, boring.BigInt, error) { + var r, s []byte + var inner cryptobyte.String + input := cryptobyte.String(sig) @@ -371,10 +371,10 @@ index 4524bd492feba0..9161e4b0a6ce85 100644 + !inner.Empty() { + return nil, nil, errors.New("invalid ASN.1") + } -+ return []uint(bbig.Enc(new(big.Int).SetBytes(r))), []uint(bbig.Enc(new(big.Int).SetBytes(s))), nil ++ return bbig.Enc(new(big.Int).SetBytes(r)), bbig.Enc(new(big.Int).SetBytes(s)), nil +} + -+func encodeSignature(r, s []uint) ([]byte, error) { ++func encodeSignature(r, s boring.BigInt) ([]byte, error) { + var b cryptobyte.Builder + b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { + addASN1IntBytes(b, bbig.Dec(r).Bytes()) @@ -935,7 +935,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true 
diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..826732e87d4764 +index 00000000000000..5a1f8da56d4fed --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,224 @@ @@ -1156,11 +1156,11 @@ index 00000000000000..826732e87d4764 + panic("cryptobackend: not available") +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (BigInt, BigInt, error)) (r, s BigInt, err error) { + panic("cryptobackend: not available") +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt, encodeSignature func(r, s BigInt) ([]byte, error)) bool { + panic("cryptobackend: not available") +} diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 46c71341c5..11a92c9292 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend --- .../internal/backend/bbig/big_boring.go | 12 + - src/crypto/internal/backend/boring_linux.go | 256 ++++++++++++++++++ - 2 files changed, 268 insertions(+) + src/crypto/internal/backend/boring_linux.go | 258 ++++++++++++++++++ + 2 files changed, 270 insertions(+) create mode 100644 src/crypto/internal/backend/bbig/big_boring.go create mode 100644 src/crypto/internal/backend/boring_linux.go @@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec 
diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..8cf833cf2bf3f9 +index 00000000000000..39757223de3425 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go -@@ -0,0 +1,256 @@ +@@ -0,0 +1,258 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -55,6 +55,8 @@ index 00000000000000..8cf833cf2bf3f9 + +const Enabled = true + ++type BigInt = boring.BigInt ++ +const RandReader = boring.RandReader + +func SupportsHash(h crypto.Hash) bool { @@ -283,7 +285,7 @@ index 00000000000000..8cf833cf2bf3f9 + panic("cryptobackend: not available") +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s boring.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (boring.BigInt, boring.BigInt, error)) (r, s boring.BigInt, err error) { + panic("cryptobackend: not available") +} + diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index ffa29c6057..f944c639ba 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 375 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 377 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- 
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 460 insertions(+), 25 deletions(-) + 36 files changed, 462 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..939dc54a0e8014 +index 00000000000000..fcffdbf1162816 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,375 @@ +@@ -0,0 +1,377 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -223,6 +223,8 @@ index 00000000000000..939dc54a0e8014 +// Enabled controls whether FIPS crypto is enabled. +const Enabled = true + ++type BigInt = openssl.BigInt ++ +// knownVersions is a list of supported and well-known libcrypto.so suffixes in decreasing version order. +// FreeBSD library version numbering does not directly align to the version of OpenSSL. +// Its preferred search order is 11 -> 111. 
@@ -550,13 +552,13 @@ index 00000000000000..939dc54a0e8014 + return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s openssl.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (openssl.BigInt, openssl.BigInt, error)) (r, s openssl.BigInt, err error) { + sig, err := openssl.SignDSA(priv, hash) + if err != nil { + return nil, nil, err + } + -+ r, s, err := parseSignature(sig) ++ r, s, err = parseSignature(sig) + if err != nil { + return nil, nil, err + } @@ -564,7 +566,7 @@ index 00000000000000..939dc54a0e8014 + return openssl.BigInt(r), openssl.BigInt(s), nil +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt, encodeSignature func(r, s openssl.BigInt) ([]byte, error)) bool { + sig, err := encodeSignature(r, s) + if err != nil { + return false diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 34c6aab86b..f18c1b4283 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -13,7 +13,7 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 321 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 323 ++++++++++++++++++ src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- 
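Review bot: The conversions in `return openssl.BigInt(r), openssl.BigInt(s), nil` (context of hunk `@@ -564,7 +566,7 @@`) are now no-ops, because `parseSignature` is declared to return `openssl.BigInt` and its result is assigned to the named results. The tail of `SignDSA` can be reduced to `return parseSignature(sig)`, which removes the second error branch as well. The `type BigInt = openssl.BigInt` alias added in this commit could be used in these signatures so that the openssl, cng and boring variants read the same as nobackend.go.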
@@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 36 files changed, 416 insertions(+), 27 deletions(-) + 36 files changed, 418 insertions(+), 27 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..3543e4eff7402d +index 00000000000000..bb2915ace01223 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,321 @@ +@@ -0,0 +1,323 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -213,6 +213,8 @@ index 00000000000000..3543e4eff7402d +// Enabled controls whether FIPS crypto is enabled. +const Enabled = true + ++type BigInt = cng.BigInt ++ +func init() { + // 1: FIPS required: abort the process if the system is not in FIPS mode. + // other values: continue regardless of system-configured FIPS mode. 
@@ -501,11 +503,11 @@ index 00000000000000..3543e4eff7402d + return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y) +} + -+func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s cng.BigInt, err error) { ++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (cng.BigInt, cng.BigInt, error)) (r, s cng.BigInt, err error) { + return cng.SignDSA(priv, hash) +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt, encodeSignature func(r, s cng.BigInt) ([]byte, error)) bool { + return cng.VerifyDSA(pub, hashed, r, s) +} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go From 5916786ee8898b0fa21fc34a2d1684567e999f99 Mon Sep 17 00:00:00 2001 From: mertakman Date: Thu, 12 Dec 2024 08:02:18 +0000 Subject: [PATCH 21/22] fix:boringssl update --- patches/0003-Add-BoringSSL-crypto-backend.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 11a92c9292..7c8331b25d 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..39757223de3425 +index 00000000000000..31e57a8dffd4c3 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go @@ -0,0 +1,258 @@ 
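Review bot: The CNG `SignDSA` and `VerifyDSA` accept `parseSignature` and `encodeSignature` but never call them; both bodies pass straight through to `cng.SignDSA` and `cng.VerifyDSA`. Presumably the parameters exist only so the signatures match the OpenSSL backend. If so, say it in a comment, e.g. `// parseSignature is unused: cng.SignDSA already returns r and s.`, with the equivalent on `VerifyDSA`. Without that, a reader comparing backends could assume the caller's encoding step is applied here as well.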
@@ -289,6 +289,6 @@ index 00000000000000..39757223de3425 + panic("cryptobackend: not available") +} + -+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool { ++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt, encodeSignature func(r, s boring.BigInt) ([]byte, error)) bool { + panic("cryptobackend: not available") +} From 279c65eaf08feba87a2a81f4f0fc4c131159171b Mon Sep 17 00:00:00 2001 From: mertakman Date: Thu, 12 Dec 2024 13:16:16 +0000 Subject: [PATCH 22/22] fix linter --- patches/0004-Add-OpenSSL-crypto-backend.patch | 8 ++++---- patches/0005-Add-CNG-crypto-backend.patch | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index f944c639ba..0286fecd9f 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -193,7 +193,7 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..fcffdbf1162816 +index 00000000000000..85856d3c900eb8 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go @@ -0,0 +1,377 @@ @@ -536,7 +536,7 @@ index 00000000000000..fcffdbf1162816 +} + +func GenerateKeyDSA(p, q, g openssl.BigInt) (x, y openssl.BigInt, err error) { -+ generatedKey, err := openssl.GenerateKeyDSA(openssl.DSAParameters{p, q, g}) ++ generatedKey, err := openssl.GenerateKeyDSA(openssl.DSAParameters{P: p, Q: q, G: g}) + if err != nil { + return nil, nil, err + } 
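Review bot: The BoringSSL `VerifyDSA` stub, and the function ending just above it whose start is outside the hunk, panics unconditionally with `cryptobackend: not available`. That matters for a verification entry point, because a panic reached while checking a signature crashes the program unless it is recovered. Presumably crypto/dsa only calls into the backend after a capability check, but that is not visible in this hunk. A doc comment would make the contract explicit: `// VerifyDSA is not implemented by the BoringSSL backend and panics if called.`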
@@ -545,11 +545,11 @@ index 00000000000000..fcffdbf1162816 +} + +func NewPrivateKeyDSA(p, q, g, x, y openssl.BigInt) (*openssl.PrivateKeyDSA, error) { -+ return openssl.NewPrivateKeyDSA(openssl.DSAParameters{p, q, g}, x, y) ++ return openssl.NewPrivateKeyDSA(openssl.DSAParameters{P: p, Q: q, G: g}, x, y) +} + +func NewPublicKeyDSA(p, q, g, y openssl.BigInt) (*openssl.PublicKeyDSA, error) { -+ return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y) ++ return openssl.NewPublicKeyDSA(openssl.DSAParameters{P: p, Q: q, G: g}, y) +} + +func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (openssl.BigInt, openssl.BigInt, error)) (r, s openssl.BigInt, err error) { diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index f18c1b4283..b2c1471549 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -183,7 +183,7 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..bb2915ace01223 +index 00000000000000..e6feb6256e4a0d --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go @@ -0,0 +1,323 @@ @@ -487,7 +487,7 @@ index 00000000000000..bb2915ace01223 +} + +func GenerateKeyDSA(p, q, g cng.BigInt) (x, y cng.BigInt, err error) { -+ generatedKey, err := cng.GenerateKeyDSA(cng.DSAParameters{p, q, g}) ++ generatedKey, err := cng.GenerateKeyDSA(cng.DSAParameters{P: p, Q: q, G: g}) + if err != nil { + return nil, nil, err + } 
@@ -496,11 +496,11 @@ index 00000000000000..bb2915ace01223 +} + +func NewPrivateKeyDSA(p, q, g, x, y cng.BigInt) (*cng.PrivateKeyDSA, error) { -+ return cng.NewPrivateKeyDSA(cng.DSAParameters{p, q, g}, x, y) ++ return cng.NewPrivateKeyDSA(cng.DSAParameters{P: p, Q: q, G: g}, x, y) +} + +func NewPublicKeyDSA(p, q, g, y cng.BigInt) (*cng.PublicKeyDSA, error) { -+ return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y) ++ return cng.NewPublicKeyDSA(cng.DSAParameters{P: p, Q: q, G: g}, y) +} + +func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) (cng.BigInt, cng.BigInt, error)) (r, s cng.BigInt, err error) {