diff --git a/patches/0006-Add-Darwin-crypto-backend.patch b/patches/0006-Add-Darwin-crypto-backend.patch index c3f556aa98..9e5dbaec7d 100644 --- a/patches/0006-Add-Darwin-crypto-backend.patch +++ b/patches/0006-Add-Darwin-crypto-backend.patch @@ -741,26 +741,26 @@ index 7d7115cff81cea..d3ba67fe4d0611 100644 } default: diff --git a/src/go.mod b/src/go.mod -index 96bdcd421e1129..f6d6bee65d0cd5 100644 +index 96bdcd421e1129..04eb0c1c82ebb8 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,6 +4,7 @@ go 1.24 require ( github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 -+ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250107204503-9cc4ff035cc1 ++ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37 golang.org/x/crypto v0.30.0 golang.org/x/net v0.32.1-0.20241206180132-552d8ac903a1 diff --git a/src/go.sum b/src/go.sum -index abebb59dcd7739..61b84a86e0e66c 100644 +index abebb59dcd7739..5683f4da5e4f04 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 h1:OhuURhDVbg+f/BvlG+qT5sQVkutwhI0Kmsy7koQ4l9A= github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250107204503-9cc4ff035cc1 h1:T8v8j/vr3sqmsP3BuriGfTYWu2JpEF3QoisX6hOjerU= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250107204503-9cc4ff035cc1/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 h1:xg58D1m8jeq0lkMf7TmcLZXCAK/PRlT0aG02PYlA6C0= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37 h1:KB8xmJcFSPlZFMg2mxz5b6DCE8k1qpHy2HFevAJLELI= github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA= golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= diff --git a/patches/0007-Vendor-crypto-backends.patch b/patches/0007-Vendor-crypto-backends.patch index e922fabef1..b416f62f93 100644 --- a/patches/0007-Vendor-crypto-backends.patch +++ b/patches/0007-Vendor-crypto-backends.patch @@ -5,97 +5,97 @@ Subject: [PATCH] Vendor crypto backends To reproduce, run 'go mod vendor' in 'go/src'. --- - .../golang-fips/openssl/v2/.gitignore | 1 + - .../golang-fips/openssl/v2/.gitleaks.toml | 9 + - .../github.com/golang-fips/openssl/v2/LICENSE | 20 + - .../golang-fips/openssl/v2/README.md | 66 ++ - .../github.com/golang-fips/openssl/v2/aes.go | 147 +++ - .../golang-fips/openssl/v2/bbig/big.go | 37 + - .../github.com/golang-fips/openssl/v2/big.go | 11 + - .../golang-fips/openssl/v2/cgo_go124.go | 18 + - .../golang-fips/openssl/v2/cipher.go | 569 +++++++++ - .../github.com/golang-fips/openssl/v2/des.go | 114 ++ - .../github.com/golang-fips/openssl/v2/dsa.go | 323 +++++ - .../github.com/golang-fips/openssl/v2/ec.go | 68 ++ - .../github.com/golang-fips/openssl/v2/ecdh.go | 303 +++++ - .../golang-fips/openssl/v2/ecdsa.go | 208 ++++ - .../golang-fips/openssl/v2/ed25519.go | 218 ++++ - .../github.com/golang-fips/openssl/v2/evp.go | 569 +++++++++ - .../golang-fips/openssl/v2/goopenssl.c | 248 ++++ - .../golang-fips/openssl/v2/goopenssl.h | 262 +++++ - .../github.com/golang-fips/openssl/v2/hash.go | 1041 +++++++++++++++++ - .../github.com/golang-fips/openssl/v2/hkdf.go | 322 +++++ - .../github.com/golang-fips/openssl/v2/hmac.go | 274 +++++ - .../github.com/golang-fips/openssl/v2/init.go | 64 + - .../golang-fips/openssl/v2/init_unix.go | 31 + - .../golang-fips/openssl/v2/init_windows.go | 36 + - .../golang-fips/openssl/v2/openssl.go | 469 ++++++++ - .../golang-fips/openssl/v2/params.go | 210 ++++ - .../golang-fips/openssl/v2/pbkdf2.go | 62 + - .../golang-fips/openssl/v2/port_dsa.c | 85 ++ - .../openssl/v2/port_evp_md5_sha1.c | 126 ++ - .../github.com/golang-fips/openssl/v2/rand.go | 20 + - .../github.com/golang-fips/openssl/v2/rc4.go | 66 ++ - .../github.com/golang-fips/openssl/v2/rsa.go | 408 +++++++ - .../github.com/golang-fips/openssl/v2/shims.h | 416 +++++++ - .../golang-fips/openssl/v2/thread_setup.go | 14 + - .../golang-fips/openssl/v2/thread_setup.h | 4 + - .../openssl/v2/thread_setup_unix.c | 64 + - .../openssl/v2/thread_setup_windows.c | 64 + - .../golang-fips/openssl/v2/tls1prf.go | 160 +++ - .../github.com/golang-fips/openssl/v2/zaes.go | 86 ++ - .../microsoft/go-crypto-darwin/LICENSE | 21 + - .../microsoft/go-crypto-darwin/bbig/big.go | 31 + - .../internal/cryptokit/cryptokit.go | 34 + - .../internal/cryptokit/cryptokit.h | 43 + - .../internal/cryptokit/ed25519.go | 72 ++ - .../internal/cryptokit/gcm.go | 36 + - .../internal/cryptokit/hkdf.go | 77 ++ - .../microsoft/go-crypto-darwin/xcrypto/aes.go | 306 +++++ - .../microsoft/go-crypto-darwin/xcrypto/big.go | 16 + - .../go-crypto-darwin/xcrypto/cgo_go124.go | 21 + - .../go-crypto-darwin/xcrypto/cipher.go | 122 ++ - .../microsoft/go-crypto-darwin/xcrypto/des.go | 117 ++ - .../microsoft/go-crypto-darwin/xcrypto/ec.go | 32 + - .../go-crypto-darwin/xcrypto/ecdh.go | 135 +++ - .../go-crypto-darwin/xcrypto/ecdsa.go | 181 +++ - .../go-crypto-darwin/xcrypto/ed25519.go | 100 ++ - .../microsoft/go-crypto-darwin/xcrypto/evp.go | 338 ++++++ - .../go-crypto-darwin/xcrypto/hash.go | 391 +++++++ - .../go-crypto-darwin/xcrypto/hkdf.go | 66 ++ - .../go-crypto-darwin/xcrypto/hmac.go | 113 ++ - .../go-crypto-darwin/xcrypto/pbkdf2.go | 65 + - .../go-crypto-darwin/xcrypto/rand.go | 26 + - .../microsoft/go-crypto-darwin/xcrypto/rc4.go | 83 ++ - .../microsoft/go-crypto-darwin/xcrypto/rsa.go | 194 +++ - .../go-crypto-darwin/xcrypto/xcrypto.go | 59 + - .../microsoft/go-crypto-winnative/LICENSE | 21 + - .../microsoft/go-crypto-winnative/cng/aes.go | 393 +++++++ - .../go-crypto-winnative/cng/bbig/big.go | 31 + - .../microsoft/go-crypto-winnative/cng/big.go | 30 + - .../go-crypto-winnative/cng/cipher.go | 52 + - .../microsoft/go-crypto-winnative/cng/cng.go | 131 +++ - .../microsoft/go-crypto-winnative/cng/des.go | 106 ++ - .../microsoft/go-crypto-winnative/cng/dsa.go | 465 ++++++++ - .../microsoft/go-crypto-winnative/cng/ecdh.go | 255 ++++ - .../go-crypto-winnative/cng/ecdsa.go | 169 +++ - .../microsoft/go-crypto-winnative/cng/hash.go | 312 +++++ - .../microsoft/go-crypto-winnative/cng/hkdf.go | 124 ++ - .../microsoft/go-crypto-winnative/cng/hmac.go | 35 + - .../microsoft/go-crypto-winnative/cng/keys.go | 220 ++++ - .../go-crypto-winnative/cng/pbkdf2.go | 70 ++ - .../microsoft/go-crypto-winnative/cng/rand.go | 28 + - .../microsoft/go-crypto-winnative/cng/rc4.go | 65 + - .../microsoft/go-crypto-winnative/cng/rsa.go | 396 +++++++ - .../microsoft/go-crypto-winnative/cng/sha3.go | 284 +++++ - .../go-crypto-winnative/cng/tls1prf.go | 88 ++ - .../internal/bcrypt/bcrypt_windows.go | 368 ++++++ - .../internal/bcrypt/ntstatus_windows.go | 45 + - .../internal/bcrypt/zsyscall_windows.go | 412 +++++++ - .../internal/subtle/aliasing.go | 32 + - .../internal/sysdll/sys_windows.go | 55 + - src/vendor/modules.txt | 16 + - 90 files changed, 14095 insertions(+) + .../golang-fips/openssl/v2/.gitignore | 1 + + .../golang-fips/openssl/v2/.gitleaks.toml | 9 + + .../github.com/golang-fips/openssl/v2/LICENSE | 20 + + .../golang-fips/openssl/v2/README.md | 66 ++ + .../github.com/golang-fips/openssl/v2/aes.go | 147 ++++ + .../golang-fips/openssl/v2/bbig/big.go | 37 + + .../github.com/golang-fips/openssl/v2/big.go | 11 + + .../golang-fips/openssl/v2/cgo_go124.go | 18 + + .../golang-fips/openssl/v2/cipher.go | 569 ++++++++++++++ + .../github.com/golang-fips/openssl/v2/des.go | 114 +++ + .../github.com/golang-fips/openssl/v2/dsa.go | 323 ++++++++ + .../github.com/golang-fips/openssl/v2/ec.go | 68 ++ + .../github.com/golang-fips/openssl/v2/ecdh.go | 303 ++++++++ + .../golang-fips/openssl/v2/ecdsa.go | 208 +++++ + .../golang-fips/openssl/v2/ed25519.go | 228 ++++++ + .../github.com/golang-fips/openssl/v2/evp.go | 580 ++++++++++++++ + .../golang-fips/openssl/v2/goopenssl.c | 248 ++++++ + .../golang-fips/openssl/v2/goopenssl.h | 261 +++++++ + .../github.com/golang-fips/openssl/v2/hash.go | 714 ++++++++++++++++++ + .../github.com/golang-fips/openssl/v2/hkdf.go | 322 ++++++++ + .../github.com/golang-fips/openssl/v2/hmac.go | 274 +++++++ + .../github.com/golang-fips/openssl/v2/init.go | 64 ++ + .../golang-fips/openssl/v2/init_unix.go | 31 + + .../golang-fips/openssl/v2/init_windows.go | 36 + + .../golang-fips/openssl/v2/openssl.go | 469 ++++++++++++ + .../golang-fips/openssl/v2/params.go | 210 ++++++ + .../golang-fips/openssl/v2/pbkdf2.go | 62 ++ + .../golang-fips/openssl/v2/port_dsa.c | 85 +++ + .../github.com/golang-fips/openssl/v2/rand.go | 20 + + .../github.com/golang-fips/openssl/v2/rc4.go | 66 ++ + .../github.com/golang-fips/openssl/v2/rsa.go | 408 ++++++++++ + .../github.com/golang-fips/openssl/v2/shims.h | 413 ++++++++++ + .../golang-fips/openssl/v2/thread_setup.go | 14 + + .../golang-fips/openssl/v2/thread_setup.h | 4 + + .../openssl/v2/thread_setup_unix.c | 64 ++ + .../openssl/v2/thread_setup_windows.c | 64 ++ + .../golang-fips/openssl/v2/tls1prf.go | 160 ++++ + .../github.com/golang-fips/openssl/v2/zaes.go | 86 +++ + .../microsoft/go-crypto-darwin/LICENSE | 21 + + .../microsoft/go-crypto-darwin/bbig/big.go | 31 + + .../internal/cryptokit/CryptoKit.o | Bin 0 -> 100952 bytes + .../internal/cryptokit/cryptokit.go | 34 + + .../internal/cryptokit/cryptokit.h | 43 ++ + .../internal/cryptokit/ed25519.go | 72 ++ + .../internal/cryptokit/gcm.go | 36 + + .../internal/cryptokit/hkdf.go | 77 ++ + .../microsoft/go-crypto-darwin/xcrypto/aes.go | 306 ++++++++ + .../microsoft/go-crypto-darwin/xcrypto/big.go | 16 + + .../go-crypto-darwin/xcrypto/cgo_go124.go | 21 + + .../go-crypto-darwin/xcrypto/cipher.go | 122 +++ + .../microsoft/go-crypto-darwin/xcrypto/des.go | 117 +++ + .../microsoft/go-crypto-darwin/xcrypto/ec.go | 32 + + .../go-crypto-darwin/xcrypto/ecdh.go | 135 ++++ + .../go-crypto-darwin/xcrypto/ecdsa.go | 181 +++++ + .../go-crypto-darwin/xcrypto/ed25519.go | 100 +++ + .../microsoft/go-crypto-darwin/xcrypto/evp.go | 338 +++++++++ + .../go-crypto-darwin/xcrypto/hash.go | 391 ++++++++++ + .../go-crypto-darwin/xcrypto/hkdf.go | 66 ++ + .../go-crypto-darwin/xcrypto/hmac.go | 113 +++ + .../go-crypto-darwin/xcrypto/pbkdf2.go | 65 ++ + .../go-crypto-darwin/xcrypto/rand.go | 26 + + .../microsoft/go-crypto-darwin/xcrypto/rc4.go | 83 ++ + .../microsoft/go-crypto-darwin/xcrypto/rsa.go | 194 +++++ + .../go-crypto-darwin/xcrypto/xcrypto.go | 59 ++ + .../microsoft/go-crypto-winnative/LICENSE | 21 + + .../microsoft/go-crypto-winnative/cng/aes.go | 393 ++++++++++ + .../go-crypto-winnative/cng/bbig/big.go | 31 + + .../microsoft/go-crypto-winnative/cng/big.go | 30 + + .../go-crypto-winnative/cng/cipher.go | 52 ++ + .../microsoft/go-crypto-winnative/cng/cng.go | 131 ++++ + .../microsoft/go-crypto-winnative/cng/des.go | 106 +++ + .../microsoft/go-crypto-winnative/cng/dsa.go | 465 ++++++++++++ + .../microsoft/go-crypto-winnative/cng/ecdh.go | 255 +++++++ + .../go-crypto-winnative/cng/ecdsa.go | 169 +++++ + .../microsoft/go-crypto-winnative/cng/hash.go | 312 ++++++++ + .../microsoft/go-crypto-winnative/cng/hkdf.go | 124 +++ + .../microsoft/go-crypto-winnative/cng/hmac.go | 35 + + .../microsoft/go-crypto-winnative/cng/keys.go | 220 ++++++ + .../go-crypto-winnative/cng/pbkdf2.go | 70 ++ + .../microsoft/go-crypto-winnative/cng/rand.go | 28 + + .../microsoft/go-crypto-winnative/cng/rc4.go | 65 ++ + .../microsoft/go-crypto-winnative/cng/rsa.go | 396 ++++++++++ + .../microsoft/go-crypto-winnative/cng/sha3.go | 284 +++++++ + .../go-crypto-winnative/cng/tls1prf.go | 88 +++ + .../internal/bcrypt/bcrypt_windows.go | 368 +++++++++ + .../internal/bcrypt/ntstatus_windows.go | 45 ++ + .../internal/bcrypt/zsyscall_windows.go | 412 ++++++++++ + .../internal/subtle/aliasing.go | 32 + + .../internal/sysdll/sys_windows.go | 55 ++ + src/vendor/modules.txt | 16 + + 90 files changed, 13659 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE @@ -124,7 +124,6 @@ To reproduce, run 'go mod vendor' in 'go/src'. create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/params.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/pbkdf2.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/port_dsa.c - create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/port_evp_md5_sha1.c create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rand.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rc4.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rsa.go @@ -137,6 +136,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/zaes.go create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/LICENSE create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/bbig/big.go + create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.h create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/ed25519.go @@ -2167,10 +2167,10 @@ index 00000000000000..bc5f1117fd4355 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go b/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go new file mode 100644 -index 00000000000000..cd237025109997 +index 00000000000000..f96db2cd5efcad --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go -@@ -0,0 +1,218 @@ +@@ -0,0 +1,228 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -2263,7 +2263,7 @@ index 00000000000000..cd237025109997 + if err := extractPKEYPubEd25519(k._pkey, pub); err != nil { + return nil, err + } -+ pubk, err := NewPublicKeyEd25119(pub) ++ pubk, err := NewPublicKeyEd25519(pub) + if err != nil { + return nil, err + } @@ -2281,14 +2281,24 @@ index 00000000000000..cd237025109997 + return priv, nil +} + ++// Deprecated: use NewPrivateKeyEd25519 instead. +func NewPrivateKeyEd25119(priv []byte) (*PrivateKeyEd25519, error) { ++ return NewPrivateKeyEd25519(priv) ++} ++ ++func NewPrivateKeyEd25519(priv []byte) (*PrivateKeyEd25519, error) { + if len(priv) != privateKeySizeEd25519 { + panic("ed25519: bad private key length: " + strconv.Itoa(len(priv))) + } + return NewPrivateKeyEd25519FromSeed(priv[:seedSizeEd25519]) +} + ++// Deprecated: use NewPublicKeyEd25519 instead. +func NewPublicKeyEd25119(pub []byte) (*PublicKeyEd25519, error) { ++ return NewPublicKeyEd25519(pub) ++} ++ ++func NewPublicKeyEd25519(pub []byte) (*PublicKeyEd25519, error) { + if len(pub) != publicKeySizeEd25519 { + panic("ed25519: bad public key length: " + strconv.Itoa(len(pub))) + } @@ -2391,10 +2401,10 @@ index 00000000000000..cd237025109997 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/evp.go b/src/vendor/github.com/golang-fips/openssl/v2/evp.go new file mode 100644 -index 00000000000000..ef68bbfb8fb065 +index 00000000000000..8b5b367f9f8092 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/evp.go -@@ -0,0 +1,569 @@ +@@ -0,0 +1,580 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -2445,29 +2455,8 @@ index 00000000000000..ef68bbfb8fb065 + +// hashToMD converts a hash.Hash implementation from this package to a GO_EVP_MD_PTR. +func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR { -+ var ch crypto.Hash -+ switch h.(type) { -+ case *sha1Hash, *sha1Marshal: -+ ch = crypto.SHA1 -+ case *sha224Hash, *sha224Marshal: -+ ch = crypto.SHA224 -+ case *sha256Hash, *sha256Marshal: -+ ch = crypto.SHA256 -+ case *sha384Hash, *sha384Marshal: -+ ch = crypto.SHA384 -+ case *sha512Hash, *sha512Marshal: -+ ch = crypto.SHA512 -+ case *sha3_224Hash: -+ ch = crypto.SHA3_224 -+ case *sha3_256Hash: -+ ch = crypto.SHA3_256 -+ case *sha3_384Hash: -+ ch = crypto.SHA3_384 -+ case *sha3_512Hash: -+ ch = crypto.SHA3_512 -+ } -+ if ch != 0 { -+ return cryptoHashToMD(ch) ++ if h, ok := h.(*evpHash); ok { ++ return h.alg.md + } + return nil +} @@ -2486,78 +2475,110 @@ index 00000000000000..ef68bbfb8fb065 + return md, nil +} + -+// cryptoHashToMD converts a crypto.Hash to a GO_EVP_MD_PTR. -+func cryptoHashToMD(ch crypto.Hash) (md C.GO_EVP_MD_PTR) { ++type hashAlgorithm struct { ++ md C.GO_EVP_MD_PTR ++ ch crypto.Hash ++ size int ++ blockSize int ++ marshallable bool ++ magic string ++ marshalledSize int ++} ++ ++// loadHash converts a crypto.Hash to a EVP_MD. ++func loadHash(ch crypto.Hash) *hashAlgorithm { + if v, ok := cacheMD.Load(ch); ok { -+ return v.(C.GO_EVP_MD_PTR) -+ } -+ defer func() { -+ if md != nil { -+ switch vMajor { -+ case 1: -+ // On OpenSSL 1 EVP_MD objects can be not-nil even -+ // when they are not supported. We need to pass the md -+ // to a EVP_MD_CTX to really know if they can be used. -+ ctx := C.go_openssl_EVP_MD_CTX_new() -+ if C.go_openssl_EVP_DigestInit_ex(ctx, md, nil) != 1 { -+ md = nil -+ } -+ C.go_openssl_EVP_MD_CTX_free(ctx) -+ case 3: -+ // On OpenSSL 3, directly operating on a EVP_MD object -+ // not created by EVP_MD_fetch has negative performance -+ // implications, as digest operations will have -+ // to fetch it on every call. Better to just fetch it once here. -+ md = C.go_openssl_EVP_MD_fetch(nil, C.go_openssl_EVP_MD_get0_name(md), nil) -+ default: -+ panic(errUnsupportedVersion()) -+ } -+ } -+ cacheMD.Store(ch, md) -+ }() -+ // SupportsHash returns false for MD5SHA1 because we don't -+ // provide a hash.Hash implementation for it. Yet, it can -+ // still be used when signing/verifying with an RSA key. -+ if ch == crypto.MD5SHA1 { -+ if vMajor == 1 && vMinor == 0 { -+ return C.go_openssl_EVP_md5_sha1_backport() -+ } else { -+ return C.go_openssl_EVP_md5_sha1() -+ } ++ return v.(*hashAlgorithm) + } ++ ++ var hash hashAlgorithm + switch ch { ++ case crypto.RIPEMD160: ++ hash.md = C.go_openssl_EVP_ripemd160() + case crypto.MD4: -+ return C.go_openssl_EVP_md4() ++ hash.md = C.go_openssl_EVP_md4() + case crypto.MD5: -+ return C.go_openssl_EVP_md5() ++ hash.md = C.go_openssl_EVP_md5() ++ hash.magic = md5Magic ++ hash.marshalledSize = md5MarshaledSize ++ case crypto.MD5SHA1: ++ if vMajor == 1 && vMinor == 0 { ++ // OpenSSL 1.0.2 does not support MD5SHA1. ++ hash.md = nil ++ } else { ++ hash.md = C.go_openssl_EVP_md5_sha1() ++ } + case crypto.SHA1: -+ return C.go_openssl_EVP_sha1() ++ hash.md = C.go_openssl_EVP_sha1() ++ hash.magic = sha1Magic ++ hash.marshalledSize = sha1MarshaledSize + case crypto.SHA224: -+ return C.go_openssl_EVP_sha224() ++ hash.md = C.go_openssl_EVP_sha224() ++ hash.magic = magic224 ++ hash.marshalledSize = marshaledSize256 + case crypto.SHA256: -+ return C.go_openssl_EVP_sha256() ++ hash.md = C.go_openssl_EVP_sha256() ++ hash.magic = magic256 ++ hash.marshalledSize = marshaledSize256 + case crypto.SHA384: -+ return C.go_openssl_EVP_sha384() ++ hash.md = C.go_openssl_EVP_sha384() ++ hash.magic = magic384 ++ hash.marshalledSize = marshaledSize512 + case crypto.SHA512: -+ return C.go_openssl_EVP_sha512() ++ hash.md = C.go_openssl_EVP_sha512() ++ hash.magic = magic512 ++ hash.marshalledSize = marshaledSize512 ++ case crypto.SHA512_224: ++ if versionAtOrAbove(1, 1, 1) { ++ hash.md = C.go_openssl_EVP_sha512_224() ++ hash.magic = magic512_224 ++ hash.marshalledSize = marshaledSize512 ++ } ++ case crypto.SHA512_256: ++ if versionAtOrAbove(1, 1, 1) { ++ hash.md = C.go_openssl_EVP_sha512_256() ++ hash.magic = magic512_256 ++ hash.marshalledSize = marshaledSize512 ++ } + case crypto.SHA3_224: + if versionAtOrAbove(1, 1, 1) { -+ return C.go_openssl_EVP_sha3_224() ++ hash.md = C.go_openssl_EVP_sha3_224() + } + case crypto.SHA3_256: + if versionAtOrAbove(1, 1, 1) { -+ return C.go_openssl_EVP_sha3_256() ++ hash.md = C.go_openssl_EVP_sha3_256() + } + case crypto.SHA3_384: + if versionAtOrAbove(1, 1, 1) { -+ return C.go_openssl_EVP_sha3_384() ++ hash.md = C.go_openssl_EVP_sha3_384() + } + case crypto.SHA3_512: + if versionAtOrAbove(1, 1, 1) { -+ return C.go_openssl_EVP_sha3_512() ++ hash.md = C.go_openssl_EVP_sha3_512() + } + } -+ return nil ++ if hash.md == nil { ++ cacheMD.Store(ch, (*hashAlgorithm)(nil)) ++ return nil ++ } ++ hash.ch = ch ++ hash.size = int(C.go_openssl_EVP_MD_get_size(hash.md)) ++ hash.blockSize = int(C.go_openssl_EVP_MD_get_block_size(hash.md)) ++ if vMajor == 3 { ++ // On OpenSSL 3, directly operating on a EVP_MD object ++ // not created by EVP_MD_fetch has negative performance ++ // implications, as digest operations will have ++ // to fetch it on every call. Better to just fetch it once here. ++ md := C.go_openssl_EVP_MD_fetch(nil, C.go_openssl_EVP_MD_get0_name(hash.md), nil) ++ // Don't overwrite md in case it can't be fetched, as the md may still be used ++ // outside of EVP_MD_CTX, for example to sign and verify RSA signatures. ++ if md != nil { ++ hash.md = md ++ } ++ } ++ hash.marshallable = hash.magic != "" && isHashMarshallable(hash.md) ++ cacheMD.Store(ch, &hash) ++ return &hash +} + +// generateEVPPKey generates a new EVP_PKEY with the given id and properties. @@ -2699,11 +2720,11 @@ index 00000000000000..ef68bbfb8fb065 + } + } + case C.GO_RSA_PKCS1_PSS_PADDING: -+ md := cryptoHashToMD(ch) -+ if md == nil { ++ alg := loadHash(ch) ++ if alg == nil { + return nil, errors.New("crypto/rsa: unsupported hash function") + } -+ if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(md)) != 1 { ++ if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { + return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") + } + // setPadding must happen after setting EVP_PKEY_CTRL_MD. @@ -2719,11 +2740,11 @@ index 00000000000000..ef68bbfb8fb065 + case C.GO_RSA_PKCS1_PADDING: + if ch != 0 { + // We support unhashed messages. -+ md := cryptoHashToMD(ch) -+ if md == nil { ++ alg := loadHash(ch) ++ if alg == nil { + return nil, errors.New("crypto/rsa: unsupported hash function") + } -+ if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(md)) != 1 { ++ if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { + return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") + } + if err := setPadding(); err != nil { @@ -2838,8 +2859,8 @@ index 00000000000000..ef68bbfb8fb065 +} + +func evpHashSign(withKey withKeyFunc, h crypto.Hash, msg []byte) ([]byte, error) { -+ md := cryptoHashToMD(h) -+ if md == nil { ++ alg := loadHash(h) ++ if alg == nil { + return nil, errors.New("unsupported hash function: " + strconv.Itoa(int(h))) + } + var out []byte @@ -2850,7 +2871,7 @@ index 00000000000000..ef68bbfb8fb065 + } + defer C.go_openssl_EVP_MD_CTX_free(ctx) + if withKey(func(key C.GO_EVP_PKEY_PTR) C.int { -+ return C.go_openssl_EVP_DigestSignInit(ctx, nil, md, nil, key) ++ return C.go_openssl_EVP_DigestSignInit(ctx, nil, alg.md, nil, key) + }) != 1 { + return nil, newOpenSSLError("EVP_DigestSignInit failed") + } @@ -2870,8 +2891,8 @@ index 00000000000000..ef68bbfb8fb065 +} + +func evpHashVerify(withKey withKeyFunc, h crypto.Hash, msg, sig []byte) error { -+ md := cryptoHashToMD(h) -+ if md == nil { ++ alg := loadHash(h) ++ if alg == nil { + return errors.New("unsupported hash function: " + strconv.Itoa(int(h))) + } + ctx := C.go_openssl_EVP_MD_CTX_new() @@ -2880,7 +2901,7 @@ index 00000000000000..ef68bbfb8fb065 + } + defer C.go_openssl_EVP_MD_CTX_free(ctx) + if withKey(func(key C.GO_EVP_PKEY_PTR) C.int { -+ return C.go_openssl_EVP_DigestVerifyInit(ctx, nil, md, nil, key) ++ return C.go_openssl_EVP_DigestVerifyInit(ctx, nil, alg.md, nil, key) + }) != 1 { + return newOpenSSLError("EVP_DigestVerifyInit failed") + } @@ -3220,10 +3241,10 @@ index 00000000000000..626f184badc53d +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h new file mode 100644 -index 00000000000000..1165f99157c663 +index 00000000000000..f5cdced630679f --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h -@@ -0,0 +1,262 @@ +@@ -0,0 +1,261 @@ +// This header file describes the OpenSSL ABI as built for use in Go. + +#include // size_t @@ -3253,7 +3274,6 @@ index 00000000000000..1165f99157c663 +int go_openssl_version_patch(void* handle); +int go_openssl_thread_setup(void); +void go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor, unsigned int patch); -+const GO_EVP_MD_PTR go_openssl_EVP_md5_sha1_backport(void); +void go_openssl_DSA_get0_pqg_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *p, GO_BIGNUM_PTR *q, GO_BIGNUM_PTR *g); +int go_openssl_DSA_set0_pqg_backport(GO_DSA_PTR d, GO_BIGNUM_PTR p, GO_BIGNUM_PTR q, GO_BIGNUM_PTR g); +void go_openssl_DSA_get0_key_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *pub_key, GO_BIGNUM_PTR *priv_key); @@ -3489,10 +3509,10 @@ index 00000000000000..1165f99157c663 \ No newline at end of file diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hash.go b/src/vendor/github.com/golang-fips/openssl/v2/hash.go new file mode 100644 -index 00000000000000..6fd3a518906004 +index 00000000000000..b2109857b49bdf --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/hash.go -@@ -0,0 +1,1041 @@ +@@ -0,0 +1,714 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -3509,6 +3529,9 @@ index 00000000000000..6fd3a518906004 + "unsafe" +) + ++// maxHashSize is the size of SHA52 and SHA3_512, the largest hashes we support. ++const maxHashSize = 64 ++ +// NOTE: Implementation ported from https://go-review.googlesource.com/c/go/+/404295. +// The cgo calls in this file are arranged to avoid marking the parameters as escaping. +// To do that, we call noescape (including via addr). @@ -3521,7 +3544,7 @@ index 00000000000000..6fd3a518906004 +// This is all to preserve compatibility with the allocation behavior of the non-openssl implementations. + +func hashOneShot(ch crypto.Hash, p []byte, sum []byte) bool { -+ return C.go_openssl_EVP_Digest(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), (*C.uchar)(unsafe.Pointer(&*addr(sum))), nil, cryptoHashToMD(ch), nil) != 0 ++ return C.go_openssl_EVP_Digest(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), (*C.uchar)(unsafe.Pointer(&*addr(sum))), nil, loadHash(ch).md, nil) != 0 +} + +func MD4(p []byte) (sum [16]byte) { @@ -3573,9 +3596,43 @@ index 00000000000000..6fd3a518906004 + return +} + -+// SupportsHash returns true if a hash.Hash implementation is supported for h. ++func SHA512_224(p []byte) (sum [28]byte) { ++ if !hashOneShot(crypto.SHA512_224, p, sum[:]) { ++ panic("openssl: SHA512 failed") ++ } ++ return ++} ++ ++func SHA512_256(p []byte) (sum [32]byte) { ++ if !hashOneShot(crypto.SHA512_256, p, sum[:]) { ++ panic("openssl: SHA512_256 failed") ++ } ++ return ++} ++ ++// cacheHashSupported is a cache of crypto.Hash support. ++var cacheHashSupported sync.Map ++ ++// SupportsHash reports whether the current OpenSSL version supports the given hash. +func SupportsHash(h crypto.Hash) bool { -+ return cryptoHashToMD(h) != nil ++ if v, ok := cacheHashSupported.Load(h); ok { ++ return v.(bool) ++ } ++ alg := loadHash(h) ++ if alg == nil { ++ cacheHashSupported.Store(h, false) ++ return false ++ } ++ // EVP_MD objects can be non-nil even when they can't be used ++ // in a EVP_MD_CTX, e.g. MD5 in FIPS mode. We need to prove ++ // if they can be used by passing them to a EVP_MD_CTX. ++ var supported bool ++ if ctx := C.go_openssl_EVP_MD_CTX_new(); ctx != nil { ++ supported = C.go_openssl_EVP_DigestInit_ex(ctx, alg.md, nil) == 1 ++ C.go_openssl_EVP_MD_CTX_free(ctx) ++ } ++ cacheHashSupported.Store(h, supported) ++ return supported +} + +func SHA3_224(p []byte) (sum [28]byte) { @@ -3606,21 +3663,79 @@ index 00000000000000..6fd3a518906004 + return +} + -+var isMarshallableCache sync.Map ++// NewMD4 returns a new MD4 hash. ++// The returned hash doesn't implement encoding.BinaryMarshaler and ++// encoding.BinaryUnmarshaler. ++func NewMD4() hash.Hash { ++ return newEvpHash(crypto.MD4) ++} ++ ++// NewMD5 returns a new MD5 hash. ++func NewMD5() hash.Hash { ++ return newEvpHash(crypto.MD5) ++} + -+// isHashMarshallable returns true if the memory layout of cb ++// NewSHA1 returns a new SHA1 hash. ++func NewSHA1() hash.Hash { ++ return newEvpHash(crypto.SHA1) ++} ++ ++// NewSHA224 returns a new SHA224 hash. ++func NewSHA224() hash.Hash { ++ return newEvpHash(crypto.SHA224) ++} ++ ++// NewSHA256 returns a new SHA256 hash. ++func NewSHA256() hash.Hash { ++ return newEvpHash(crypto.SHA256) ++} ++ ++// NewSHA384 returns a new SHA384 hash. ++func NewSHA384() hash.Hash { ++ return newEvpHash(crypto.SHA384) ++} ++ ++// NewSHA512 returns a new SHA512 hash. ++func NewSHA512() hash.Hash { ++ return newEvpHash(crypto.SHA512) ++} ++ ++// NewSHA512_224 returns a new SHA512_224 hash. ++func NewSHA512_224() hash.Hash { ++ return newEvpHash(crypto.SHA512_224) ++} ++ ++// NewSHA512_256 returns a new SHA512_256 hash. ++func NewSHA512_256() hash.Hash { ++ return newEvpHash(crypto.SHA512_256) ++} ++ ++// NewSHA3_224 returns a new SHA3-224 hash. ++func NewSHA3_224() hash.Hash { ++ return newEvpHash(crypto.SHA3_224) ++} ++ ++// NewSHA3_256 returns a new SHA3-256 hash. ++func NewSHA3_256() hash.Hash { ++ return newEvpHash(crypto.SHA3_256) ++} ++ ++// NewSHA3_384 returns a new SHA3-384 hash. ++func NewSHA3_384() hash.Hash { ++ return newEvpHash(crypto.SHA3_384) ++} ++ ++// NewSHA3_512 returns a new SHA3-512 hash. ++func NewSHA3_512() hash.Hash { ++ return newEvpHash(crypto.SHA3_512) ++} ++ ++// isHashMarshallable returns true if the memory layout of md +// is known by this library and can therefore be marshalled. -+func isHashMarshallable(ch crypto.Hash) bool { ++func isHashMarshallable(md C.GO_EVP_MD_PTR) bool { + if vMajor == 1 { + return true + } -+ if v, ok := isMarshallableCache.Load(ch); ok { -+ return v.(bool) -+ } -+ md := cryptoHashToMD(ch) -+ if md == nil { -+ return false -+ } + prov := C.go_openssl_EVP_MD_get0_provider(md) + if prov == nil { + return false @@ -3633,51 +3748,73 @@ index 00000000000000..6fd3a518906004 + // We only know the memory layout of the built-in providers. + // See evpHash.hashState for more details. + marshallable := name == "default" || name == "fips" -+ isMarshallableCache.Store(ch, marshallable) + return marshallable +} + ++// cloneHash is an interface that defines a Clone method. ++// ++// hahs.CloneHash will probably be added in Go 1.25, see https://golang.org/issue/69521, ++// but we need it now. ++type cloneHash interface { ++ hash.Hash ++ // Clone returns a separate Hash instance with the same state as h. ++ Clone() hash.Hash ++} ++ ++var _ hash.Hash = (*evpHash)(nil) ++var _ cloneHash = (*evpHash)(nil) ++ +// evpHash implements generic hash methods. +type evpHash struct { ++ alg *hashAlgorithm + ctx C.GO_EVP_MD_CTX_PTR + // ctx2 is used in evpHash.sum to avoid changing + // the state of ctx. Having it here allows reusing the + // same allocated object multiple times. -+ ctx2 C.GO_EVP_MD_CTX_PTR -+ size int -+ blockSize int -+ marshallable bool ++ ctx2 C.GO_EVP_MD_CTX_PTR +} + +func newEvpHash(ch crypto.Hash) *evpHash { -+ md := cryptoHashToMD(ch) -+ if md == nil { ++ alg := loadHash(ch) ++ if alg == nil { + panic("openssl: unsupported hash function: " + strconv.Itoa(int(ch))) + } -+ ctx := C.go_openssl_EVP_MD_CTX_new() -+ if C.go_openssl_EVP_DigestInit_ex(ctx, md, nil) != 1 { -+ C.go_openssl_EVP_MD_CTX_free(ctx) -+ panic(newOpenSSLError("EVP_DigestInit_ex")) -+ } -+ ctx2 := C.go_openssl_EVP_MD_CTX_new() -+ blockSize := int(C.go_openssl_EVP_MD_get_block_size(md)) -+ h := &evpHash{ -+ ctx: ctx, -+ ctx2: ctx2, -+ size: ch.Size(), -+ blockSize: blockSize, -+ marshallable: isHashMarshallable(ch), -+ } -+ runtime.SetFinalizer(h, (*evpHash).finalize) ++ h := &evpHash{alg: alg} ++ // Don't call init() yet, it would be wasteful ++ // if the caller only wants to know the hash type. This ++ // is a common pattern in this package, as some functions ++ // accept a `func() hash.Hash` parameter and call it just ++ // to know the hash type. + return h +} + +func (h *evpHash) finalize() { -+ C.go_openssl_EVP_MD_CTX_free(h.ctx) -+ C.go_openssl_EVP_MD_CTX_free(h.ctx2) ++ if h.ctx != nil { ++ C.go_openssl_EVP_MD_CTX_free(h.ctx) ++ } ++ if h.ctx2 != nil { ++ C.go_openssl_EVP_MD_CTX_free(h.ctx2) ++ } ++} ++ ++func (h *evpHash) init() { ++ if h.ctx != nil { ++ return ++ } ++ h.ctx = C.go_openssl_EVP_MD_CTX_new() ++ if C.go_openssl_EVP_DigestInit_ex(h.ctx, h.alg.md, nil) != 1 { ++ C.go_openssl_EVP_MD_CTX_free(h.ctx) ++ panic(newOpenSSLError("EVP_DigestInit_ex")) ++ } ++ h.ctx2 = C.go_openssl_EVP_MD_CTX_new() ++ runtime.SetFinalizer(h, (*evpHash).finalize) +} + +func (h *evpHash) Reset() { ++ if h.ctx == nil { ++ // The hash is not initialized yet, no need to reset. ++ return ++ } + // There is no need to reset h.ctx2 because it is always reset after + // use in evpHash.sum. + if C.go_openssl_EVP_DigestInit_ex(h.ctx, nil, nil) != 1 { @@ -3687,7 +3824,11 @@ index 00000000000000..6fd3a518906004 +} + +func (h *evpHash) Write(p []byte) (int, error) { -+ if len(p) > 0 && C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(&*addr(p)), C.size_t(len(p))) != 1 { ++ if len(p) == 0 { ++ return 0, nil ++ } ++ h.init() ++ if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(&*addr(p)), C.size_t(len(p))) != 1 { + panic(newOpenSSLError("EVP_DigestUpdate")) + } + runtime.KeepAlive(h) @@ -3695,7 +3836,11 @@ index 00000000000000..6fd3a518906004 +} + +func (h *evpHash) WriteString(s string) (int, error) { -+ if len(s) > 0 && C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(unsafe.StringData(s)), C.size_t(len(s))) == 0 { ++ if len(s) == 0 { ++ return 0, nil ++ } ++ h.init() ++ if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(unsafe.StringData(s)), C.size_t(len(s))) == 0 { + panic("openssl: EVP_DigestUpdate failed") + } + runtime.KeepAlive(h) @@ -3703,6 +3848,7 @@ index 00000000000000..6fd3a518906004 +} + +func (h *evpHash) WriteByte(c byte) error { ++ h.init() + if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(&c), 1) == 0 { + panic("openssl: EVP_DigestUpdate failed") + } @@ -3711,56 +3857,53 @@ index 00000000000000..6fd3a518906004 +} + +func (h *evpHash) Size() int { -+ return h.size ++ return h.alg.size +} + +func (h *evpHash) BlockSize() int { -+ return h.blockSize ++ return h.alg.blockSize +} + -+func (h *evpHash) sum(out []byte) { ++func (h *evpHash) Sum(in []byte) []byte { ++ h.init() ++ out := make([]byte, h.Size(), maxHashSize) // explicit cap to allow stack allocation + if C.go_hash_sum(h.ctx, h.ctx2, base(out)) != 1 { + panic(newOpenSSLError("go_hash_sum")) + } + runtime.KeepAlive(h) ++ return append(in, out...) +} + -+// clone returns a new evpHash object that is a deep clone of itself. ++// Clone returns a new evpHash object that is a deep clone of itself. +// The duplicate object contains all state and data contained in the +// original object at the point of duplication. -+func (h *evpHash) clone() (*evpHash, error) { -+ ctx := C.go_openssl_EVP_MD_CTX_new() -+ if ctx == nil { -+ return nil, newOpenSSLError("EVP_MD_CTX_new") -+ } -+ if C.go_openssl_EVP_MD_CTX_copy_ex(ctx, h.ctx) != 1 { -+ C.go_openssl_EVP_MD_CTX_free(ctx) -+ return nil, newOpenSSLError("EVP_MD_CTX_copy") -+ } -+ ctx2 := C.go_openssl_EVP_MD_CTX_new() -+ if ctx2 == nil { -+ C.go_openssl_EVP_MD_CTX_free(ctx) -+ return nil, newOpenSSLError("EVP_MD_CTX_new") -+ } -+ cloned := &evpHash{ -+ ctx: ctx, -+ ctx2: ctx2, -+ size: h.size, -+ blockSize: h.blockSize, -+ marshallable: h.marshallable, ++func (h *evpHash) Clone() hash.Hash { ++ h2 := &evpHash{alg: h.alg} ++ if h.ctx != nil { ++ h2.ctx = C.go_openssl_EVP_MD_CTX_new() ++ if h2.ctx == nil { ++ panic(newOpenSSLError("EVP_MD_CTX_new")) ++ } ++ if C.go_openssl_EVP_MD_CTX_copy_ex(h2.ctx, h.ctx) != 1 { ++ C.go_openssl_EVP_MD_CTX_free(h2.ctx) ++ panic(newOpenSSLError("EVP_MD_CTX_copy")) ++ } ++ h2.ctx2 = C.go_openssl_EVP_MD_CTX_new() ++ if h2.ctx2 == nil { ++ C.go_openssl_EVP_MD_CTX_free(h2.ctx) ++ panic(newOpenSSLError("EVP_MD_CTX_new")) ++ } ++ runtime.SetFinalizer(h2, (*evpHash).finalize) + } -+ runtime.SetFinalizer(cloned, (*evpHash).finalize) -+ return cloned, nil ++ runtime.KeepAlive(h) ++ return h2 +} + +// hashState returns a pointer to the internal hash structure. +// +// The EVP_MD_CTX memory layout has changed in OpenSSL 3 +// and the property holding the internal structure is no longer md_data but algctx. -+func (h *evpHash) hashState() unsafe.Pointer { -+ if !h.marshallable { -+ panic("openssl: hash state is not marshallable") -+ } ++func hashState(ctx C.GO_EVP_MD_CTX_PTR) unsafe.Pointer { + switch vMajor { + case 1: + // https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/crypto/evp/evp_local.h#L12. @@ -3769,7 +3912,7 @@ index 00000000000000..6fd3a518906004 + _ C.ulong + md_data unsafe.Pointer + } -+ return (*mdCtx)(unsafe.Pointer(h.ctx)).md_data ++ return (*mdCtx)(unsafe.Pointer(ctx)).md_data + case 3: + // https://github.com/openssl/openssl/blob/5675a5aaf6a2e489022bcfc18330dae9263e598e/crypto/evp/evp_local.h#L16. + type mdCtx struct { @@ -3778,49 +3921,98 @@ index 00000000000000..6fd3a518906004 + _ [3]unsafe.Pointer + algctx unsafe.Pointer + } -+ return (*mdCtx)(unsafe.Pointer(h.ctx)).algctx ++ return (*mdCtx)(unsafe.Pointer(ctx)).algctx + default: + panic(errUnsupportedVersion()) + } +} + -+// NewMD4 returns a new MD4 hash. -+// The returned hash doesn't implement encoding.BinaryMarshaler and -+// encoding.BinaryUnmarshaler. -+func NewMD4() hash.Hash { -+ return &md4Hash{ -+ evpHash: newEvpHash(crypto.MD4), ++func (d *evpHash) MarshalBinary() ([]byte, error) { ++ if !d.alg.marshallable { ++ return nil, errors.New("openssl: hash state is not marshallable") + } ++ buf := make([]byte, 0, d.alg.marshalledSize) ++ return d.AppendBinary(buf) +} + -+type md4Hash struct { -+ *evpHash -+ out [16]byte -+} -+ -+func (h *md4Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *md4Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err ++func (d *evpHash) AppendBinary(buf []byte) ([]byte, error) { ++ defer runtime.KeepAlive(d) ++ d.init() ++ if !d.alg.marshallable { ++ return nil, errors.New("openssl: hash state is not marshallable") ++ } ++ state := hashState(d.ctx) ++ if state == nil { ++ return nil, errors.New("openssl: can't retrieve hash state") ++ } ++ var appender interface { ++ AppendBinary([]byte) ([]byte, error) ++ } ++ switch d.alg.ch { ++ case crypto.MD5: ++ appender = (*md5State)(state) ++ case crypto.SHA1: ++ appender = (*sha1State)(state) ++ case crypto.SHA224: ++ appender = (*sha256State)(state) ++ case crypto.SHA256: ++ appender = (*sha256State)(state) ++ case crypto.SHA384: ++ appender = (*sha512State)(state) ++ case crypto.SHA512: ++ appender = (*sha512State)(state) ++ case crypto.SHA512_224: ++ appender = (*sha512State)(state) ++ case crypto.SHA512_256: ++ appender = (*sha512State)(state) ++ default: ++ panic("openssl: unsupported hash function: " + strconv.Itoa(int(d.alg.ch))) + } -+ return &md4Hash{evpHash: c}, nil ++ buf = append(buf, d.alg.magic[:]...) ++ return appender.AppendBinary(buf) +} + -+// NewMD5 returns a new MD5 hash. -+func NewMD5() hash.Hash { -+ h := md5Hash{evpHash: newEvpHash(crypto.MD5)} -+ if h.marshallable { -+ return &md5Marshal{h} ++func (d *evpHash) UnmarshalBinary(b []byte) error { ++ defer runtime.KeepAlive(d) ++ d.init() ++ if !d.alg.marshallable { ++ return errors.New("openssl: hash state is not marshallable") ++ } ++ if len(b) < len(d.alg.magic) || string(b[:len(d.alg.magic)]) != string(d.alg.magic[:]) { ++ return errors.New("openssl: invalid hash state identifier") ++ } ++ if len(b) != d.alg.marshalledSize { ++ return errors.New("openssl: invalid hash state size") ++ } ++ state := hashState(d.ctx) ++ if state == nil { ++ return errors.New("openssl: can't retrieve hash state") ++ } ++ b = b[len(d.alg.magic):] ++ var unmarshaler interface { ++ UnmarshalBinary([]byte) error ++ } ++ switch d.alg.ch { ++ case crypto.MD5: ++ unmarshaler = (*md5State)(state) ++ case crypto.SHA1: ++ unmarshaler = (*sha1State)(state) ++ case crypto.SHA224: ++ unmarshaler = (*sha256State)(state) ++ case crypto.SHA256: ++ unmarshaler = (*sha256State)(state) ++ case crypto.SHA384: ++ unmarshaler = (*sha512State)(state) ++ case crypto.SHA512: ++ unmarshaler = (*sha512State)(state) ++ case crypto.SHA512_224: ++ unmarshaler = (*sha512State)(state) ++ case crypto.SHA512_256: ++ unmarshaler = (*sha512State)(state) ++ default: ++ panic("openssl: unsupported hash function: " + strconv.Itoa(int(d.alg.ch))) + } -+ return &h ++ return unmarshaler.UnmarshalBinary(b) +} + +// md5State layout is taken from @@ -3832,53 +4024,12 @@ index 00000000000000..6fd3a518906004 + nx uint32 +} + -+type md5Hash struct { -+ *evpHash -+ out [16]byte -+} -+ -+func (h *md5Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *md5Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &md5Hash{evpHash: c}, nil -+} -+ +const ( + md5Magic = "md5\x01" + md5MarshaledSize = len(md5Magic) + 4*4 + 64 + 8 +) + -+type md5Marshal struct { -+ md5Hash -+} -+ -+func (h *md5Marshal) MarshalBinary() ([]byte, error) { -+ buf := make([]byte, 0, md5MarshaledSize) -+ return h.AppendBinary(buf) -+} -+ -+func (h *md5Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(md5Magic) || string(b[:len(md5Magic)]) != md5Magic { -+ return errors.New("crypto/md5: invalid hash state identifier") -+ } -+ if len(b) != md5MarshaledSize { -+ return errors.New("crypto/md5: invalid hash state size") -+ } -+ d := (*md5State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/md5: can't retrieve hash state") -+ } -+ b = b[len(md5Magic):] ++func (d *md5State) UnmarshalBinary(b []byte) error { + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) @@ -3891,13 +4042,7 @@ index 00000000000000..6fd3a518906004 + return nil +} + -+func (h *md5Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*md5State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/md5: can't retrieve hash state") -+ } -+ -+ buf = append(buf, md5Magic...) ++func (d *md5State) AppendBinary(buf []byte) ([]byte, error) { + buf = appendUint32(buf, d.h[0]) + buf = appendUint32(buf, d.h[1]) + buf = appendUint32(buf, d.h[2]) @@ -3908,36 +4053,6 @@ index 00000000000000..6fd3a518906004 + return buf, nil +} + -+// NewSHA1 returns a new SHA1 hash. -+func NewSHA1() hash.Hash { -+ h := sha1Hash{evpHash: newEvpHash(crypto.SHA1)} -+ if h.marshallable { -+ return &sha1Marshal{h} -+ } -+ return &h -+} -+ -+type sha1Hash struct { -+ *evpHash -+ out [20]byte -+} -+ -+func (h *sha1Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha1Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha1Hash{evpHash: c}, nil -+} -+ +// sha1State layout is taken from +// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/sha.h#L34. +type sha1State struct { @@ -3950,29 +4065,9 @@ index 00000000000000..6fd3a518906004 +const ( + sha1Magic = "sha\x01" + sha1MarshaledSize = len(sha1Magic) + 5*4 + 64 + 8 -+) -+ -+type sha1Marshal struct { -+ sha1Hash -+} -+ -+func (h *sha1Marshal) MarshalBinary() ([]byte, error) { -+ buf := make([]byte, 0, sha1MarshaledSize) -+ return h.AppendBinary(buf) -+} -+ -+func (h *sha1Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(sha1Magic) || string(b[:len(sha1Magic)]) != sha1Magic { -+ return errors.New("crypto/sha1: invalid hash state identifier") -+ } -+ if len(b) != sha1MarshaledSize { -+ return errors.New("crypto/sha1: invalid hash state size") -+ } -+ d := (*sha1State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/sha1: can't retrieve hash state") -+ } -+ b = b[len(sha1Magic):] ++) ++ ++func (d *sha1State) UnmarshalBinary(b []byte) error { + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) @@ -3986,12 +4081,7 @@ index 00000000000000..6fd3a518906004 + return nil +} + -+func (h *sha1Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*sha1State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/sha1: can't retrieve hash state") -+ } -+ buf = append(buf, sha1Magic...) ++func (d *sha1State) AppendBinary(buf []byte) ([]byte, error) { + buf = appendUint32(buf, d.h[0]) + buf = appendUint32(buf, d.h[1]) + buf = appendUint32(buf, d.h[2]) @@ -4003,66 +4093,6 @@ index 00000000000000..6fd3a518906004 + return buf, nil +} + -+// NewSHA224 returns a new SHA224 hash. -+func NewSHA224() hash.Hash { -+ h := sha224Hash{evpHash: newEvpHash(crypto.SHA224)} -+ if h.marshallable { -+ return &sha224Marshal{h} -+ } -+ return &h -+} -+ -+type sha224Hash struct { -+ *evpHash -+ out [224 / 8]byte -+} -+ -+func (h *sha224Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha224Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha224Hash{evpHash: c}, nil -+} -+ -+// NewSHA256 returns a new SHA256 hash. -+func NewSHA256() hash.Hash { -+ h := sha256Hash{evpHash: newEvpHash(crypto.SHA256)} -+ if h.marshallable { -+ return &sha256Marshal{h} -+ } -+ return &h -+} -+ -+type sha256Hash struct { -+ *evpHash -+ out [256 / 8]byte -+} -+ -+func (h *sha256Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha256Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha256Hash{evpHash: c}, nil -+} -+ +const ( + magic224 = "sha\x02" + magic256 = "sha\x03" @@ -4078,64 +4108,7 @@ index 00000000000000..6fd3a518906004 + nx uint32 +} + -+type sha224Marshal struct { -+ sha224Hash -+} -+ -+type sha256Marshal struct { -+ sha256Hash -+} -+ -+func (h *sha224Marshal) MarshalBinary() ([]byte, error) { -+ buf := make([]byte, 0, marshaledSize256) -+ return h.AppendBinary(buf) -+} -+ -+func (h *sha256Marshal) MarshalBinary() ([]byte, error) { -+ buf := make([]byte, 0, marshaledSize256) -+ return h.AppendBinary(buf) -+} -+ -+func (h *sha224Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(magic224) || string(b[:len(magic224)]) != magic224 { -+ return errors.New("crypto/sha256: invalid hash state identifier") -+ } -+ if len(b) != marshaledSize256 { -+ return errors.New("crypto/sha256: invalid hash state size") -+ } -+ d := (*sha256State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/sha256: can't retrieve hash state") -+ } -+ b = b[len(magic224):] -+ b, d.h[0] = consumeUint32(b) -+ b, d.h[1] = consumeUint32(b) -+ b, d.h[2] = consumeUint32(b) -+ b, d.h[3] = consumeUint32(b) -+ b, d.h[4] = consumeUint32(b) -+ b, d.h[5] = consumeUint32(b) -+ b, d.h[6] = consumeUint32(b) -+ b, d.h[7] = consumeUint32(b) -+ b = b[copy(d.x[:], b):] -+ _, n := consumeUint64(b) -+ d.nl = uint32(n << 3) -+ d.nh = uint32(n >> 29) -+ d.nx = uint32(n) % 64 -+ return nil -+} -+ -+func (h *sha256Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(magic256) || string(b[:len(magic256)]) != magic256 { -+ return errors.New("crypto/sha256: invalid hash state identifier") -+ } -+ if len(b) != marshaledSize256 { -+ return errors.New("crypto/sha256: invalid hash state size") -+ } -+ d := (*sha256State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/sha256: can't retrieve hash state") -+ } -+ b = b[len(magic256):] ++func (d *sha256State) UnmarshalBinary(b []byte) error { + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) @@ -4152,32 +4125,7 @@ index 00000000000000..6fd3a518906004 + return nil +} + -+func (h *sha224Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*sha256State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/sha256: can't retrieve hash state") -+ } -+ buf = append(buf, magic224...) -+ buf = appendUint32(buf, d.h[0]) -+ buf = appendUint32(buf, d.h[1]) -+ buf = appendUint32(buf, d.h[2]) -+ buf = appendUint32(buf, d.h[3]) -+ buf = appendUint32(buf, d.h[4]) -+ buf = appendUint32(buf, d.h[5]) -+ buf = appendUint32(buf, d.h[6]) -+ buf = appendUint32(buf, d.h[7]) -+ buf = append(buf, d.x[:d.nx]...) -+ buf = append(buf, make([]byte, len(d.x)-int(d.nx))...) -+ buf = appendUint64(buf, uint64(d.nl)>>3|uint64(d.nh)<<29) -+ return buf, nil -+} -+ -+func (h *sha256Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*sha256State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/sha256: can't retrieve hash state") -+ } -+ buf = append(buf, magic256...) ++func (d *sha256State) AppendBinary(buf []byte) ([]byte, error) { + buf = appendUint32(buf, d.h[0]) + buf = appendUint32(buf, d.h[1]) + buf = appendUint32(buf, d.h[2]) @@ -4192,66 +4140,6 @@ index 00000000000000..6fd3a518906004 + return buf, nil +} + -+// NewSHA384 returns a new SHA384 hash. -+func NewSHA384() hash.Hash { -+ h := sha384Hash{evpHash: newEvpHash(crypto.SHA384)} -+ if h.marshallable { -+ return &sha384Marshal{h} -+ } -+ return &h -+} -+ -+type sha384Hash struct { -+ *evpHash -+ out [384 / 8]byte -+} -+ -+func (h *sha384Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha384Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha384Hash{evpHash: c}, nil -+} -+ -+// NewSHA512 returns a new SHA512 hash. -+func NewSHA512() hash.Hash { -+ h := sha512Hash{evpHash: newEvpHash(crypto.SHA512)} -+ if h.marshallable { -+ return &sha512Marshal{h} -+ } -+ return &h -+} -+ -+type sha512Hash struct { -+ *evpHash -+ out [512 / 8]byte -+} -+ -+func (h *sha512Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha512Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha512Hash{evpHash: c}, nil -+} -+ +// sha512State layout is taken from +// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/sha.h#L95. +type sha512State struct { @@ -4269,70 +4157,12 @@ index 00000000000000..6fd3a518906004 + marshaledSize512 = len(magic512) + 8*8 + 128 + 8 +) + -+type sha384Marshal struct { -+ sha384Hash -+} -+ -+type sha512Marshal struct { -+ sha512Hash -+} -+ -+func (h *sha384Marshal) MarshalBinary() ([]byte, error) { -+ buf := make([]byte, 0, marshaledSize512) -+ return h.AppendBinary(buf) -+} -+ -+func (h *sha512Marshal) MarshalBinary() ([]byte, error) { ++func (d *sha512State) MarshalBinary() ([]byte, error) { + buf := make([]byte, 0, marshaledSize512) -+ return h.AppendBinary(buf) ++ return d.AppendBinary(buf) +} + -+func (h *sha384Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(magic512) { -+ return errors.New("crypto/sha512: invalid hash state identifier") -+ } -+ if string(b[:len(magic384)]) != magic384 { -+ return errors.New("crypto/sha512: invalid hash state identifier") -+ } -+ if len(b) != marshaledSize512 { -+ return errors.New("crypto/sha512: invalid hash state size") -+ } -+ d := (*sha512State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/sha512: can't retrieve hash state") -+ } -+ b = b[len(magic512):] -+ b, d.h[0] = consumeUint64(b) -+ b, d.h[1] = consumeUint64(b) -+ b, d.h[2] = consumeUint64(b) -+ b, d.h[3] = consumeUint64(b) -+ b, d.h[4] = consumeUint64(b) -+ b, d.h[5] = consumeUint64(b) -+ b, d.h[6] = consumeUint64(b) -+ b, d.h[7] = consumeUint64(b) -+ b = b[copy(d.x[:], b):] -+ _, n := consumeUint64(b) -+ d.nl = n << 3 -+ d.nh = n >> 61 -+ d.nx = uint32(n) % 128 -+ return nil -+} -+ -+func (h *sha512Marshal) UnmarshalBinary(b []byte) error { -+ if len(b) < len(magic512) { -+ return errors.New("crypto/sha512: invalid hash state identifier") -+ } -+ if string(b[:len(magic512)]) != magic512 { -+ return errors.New("crypto/sha512: invalid hash state identifier") -+ } -+ if len(b) != marshaledSize512 { -+ return errors.New("crypto/sha512: invalid hash state size") -+ } -+ d := (*sha512State)(h.hashState()) -+ if d == nil { -+ return errors.New("crypto/sha512: can't retrieve hash state") -+ } -+ b = b[len(magic512):] ++func (d *sha512State) UnmarshalBinary(b []byte) error { + b, d.h[0] = consumeUint64(b) + b, d.h[1] = consumeUint64(b) + b, d.h[2] = consumeUint64(b) @@ -4349,32 +4179,7 @@ index 00000000000000..6fd3a518906004 + return nil +} + -+func (h *sha384Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*sha512State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/sha512: can't retrieve hash state") -+ } -+ buf = append(buf, magic384...) -+ buf = appendUint64(buf, d.h[0]) -+ buf = appendUint64(buf, d.h[1]) -+ buf = appendUint64(buf, d.h[2]) -+ buf = appendUint64(buf, d.h[3]) -+ buf = appendUint64(buf, d.h[4]) -+ buf = appendUint64(buf, d.h[5]) -+ buf = appendUint64(buf, d.h[6]) -+ buf = appendUint64(buf, d.h[7]) -+ buf = append(buf, d.x[:d.nx]...) -+ buf = append(buf, make([]byte, len(d.x)-int(d.nx))...) -+ buf = appendUint64(buf, d.nl>>3|d.nh<<61) -+ return buf, nil -+} -+ -+func (h *sha512Marshal) AppendBinary(buf []byte) ([]byte, error) { -+ d := (*sha512State)(h.hashState()) -+ if d == nil { -+ return nil, errors.New("crypto/sha512: can't retrieve hash state") -+ } -+ buf = append(buf, magic512...) ++func (d *sha512State) AppendBinary(buf []byte) ([]byte, error) { + buf = appendUint64(buf, d.h[0]) + buf = appendUint64(buf, d.h[1]) + buf = appendUint64(buf, d.h[2]) @@ -4389,118 +4194,6 @@ index 00000000000000..6fd3a518906004 + return buf, nil +} + -+// NewSHA3_224 returns a new SHA3-224 hash. -+func NewSHA3_224() hash.Hash { -+ return &sha3_224Hash{ -+ evpHash: newEvpHash(crypto.SHA3_224), -+ } -+} -+ -+type sha3_224Hash struct { -+ *evpHash -+ out [224 / 8]byte -+} -+ -+func (h *sha3_224Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha3_224Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha3_224Hash{evpHash: c}, nil -+} -+ -+// NewSHA3_256 returns a new SHA3-256 hash. -+func NewSHA3_256() hash.Hash { -+ return &sha3_256Hash{ -+ evpHash: newEvpHash(crypto.SHA3_256), -+ } -+} -+ -+type sha3_256Hash struct { -+ *evpHash -+ out [256 / 8]byte -+} -+ -+func (h *sha3_256Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha3_256Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha3_256Hash{evpHash: c}, nil -+} -+ -+// NewSHA3_384 returns a new SHA3-384 hash. -+func NewSHA3_384() hash.Hash { -+ return &sha3_384Hash{ -+ evpHash: newEvpHash(crypto.SHA3_384), -+ } -+} -+ -+type sha3_384Hash struct { -+ *evpHash -+ out [384 / 8]byte -+} -+ -+func (h *sha3_384Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha3_384Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha3_384Hash{evpHash: c}, nil -+} -+ -+// NewSHA3_512 returns a new SHA3-512 hash. -+func NewSHA3_512() hash.Hash { -+ return &sha3_512Hash{ -+ evpHash: newEvpHash(crypto.SHA3_512), -+ } -+} -+ -+type sha3_512Hash struct { -+ *evpHash -+ out [512 / 8]byte -+} -+ -+func (h *sha3_512Hash) Sum(in []byte) []byte { -+ h.sum(h.out[:]) -+ return append(in, h.out[:]...) -+} -+ -+// Clone returns a new [hash.Hash] object that is a deep clone of itself. -+// The duplicate object contains all state and data contained in the -+// original object at the point of duplication. -+func (h *sha3_512Hash) Clone() (hash.Hash, error) { -+ c, err := h.clone() -+ if err != nil { -+ return nil, err -+ } -+ return &sha3_512Hash{evpHash: c}, nil -+} -+ +// appendUint64 appends x into b as a big endian byte sequence. +func appendUint64(b []byte, x uint64) []byte { + return append(b, @@ -6142,138 +5835,6 @@ index 00000000000000..5a948eafdbc6a7 + return 1; +} \ No newline at end of file -diff --git a/src/vendor/github.com/golang-fips/openssl/v2/port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl/v2/port_evp_md5_sha1.c -new file mode 100644 -index 00000000000000..50d49b1f103351 ---- /dev/null -+++ b/src/vendor/github.com/golang-fips/openssl/v2/port_evp_md5_sha1.c -@@ -0,0 +1,126 @@ -+// The following is a partial backport of crypto/evp/m_md5_sha1.c, -+// commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the -+// OpenSSL_1_1_0-stable branch. The ctrl function has been removed. -+ -+/* -+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "goopenssl.h" -+ -+#define NID_md5_sha1 114 -+ -+#define MD5_CBLOCK 64 -+#define MD5_LBLOCK (MD5_CBLOCK/4) -+#define MD5_DIGEST_LENGTH 16 -+#define SHA_LBLOCK 16 -+#define SHA_DIGEST_LENGTH 20 -+ -+#define EVP_PKEY_NULL_method NULL,NULL,{0,0,0,0} -+ -+// Change: MD5_LONG and SHA_LONG have been expanded to unsigned int, -+// which is always 32 bits. This avoids adding some obscure logic -+// to support 16-bit platforms. -+ -+# define MD5_LONG unsigned int -+# define SHA_LONG unsigned int -+ -+typedef struct env_md_st EVP_MD; -+typedef struct env_md_ctx_st EVP_MD_CTX; -+ -+struct env_md_ctx_st { -+ void *digest; -+ void *engine; -+ unsigned long flags; -+ void *md_data; -+ void *pctx; -+ void *update; -+} /* EVP_MD_CTX */ ; -+ -+struct env_md_st { -+ int type; -+ int pkey_type; -+ int md_size; -+ unsigned long flags; -+ int (*init) (EVP_MD_CTX *ctx); -+ int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); -+ int (*final) (EVP_MD_CTX *ctx, unsigned char *md); -+ void *copy; -+ void *cleanup; -+ void *sign; -+ void *verify; -+ int required_pkey_type[5]; -+ int block_size; -+ int ctx_size; -+ void *md_ctrl; -+} /* EVP_MD */ ; -+ -+typedef struct MD5state_st { -+ MD5_LONG A, B, C, D; -+ MD5_LONG Nl, Nh; -+ MD5_LONG data[MD5_LBLOCK]; -+ MD5_LONG num; -+} MD5_CTX; -+ -+typedef struct SHAstate_st { -+ SHA_LONG h0, h1, h2, h3, h4; -+ SHA_LONG Nl, Nh; -+ SHA_LONG data[SHA_LBLOCK]; -+ SHA_LONG num; -+} SHA_CTX; -+ -+struct md5_sha1_ctx { -+ MD5_CTX md5; -+ SHA_CTX sha1; -+}; -+ -+static int md5_sha1_init(EVP_MD_CTX *ctx) { -+ struct md5_sha1_ctx *mctx = ctx->md_data; -+ if (!go_openssl_MD5_Init(&mctx->md5)) -+ return 0; -+ return go_openssl_SHA1_Init(&mctx->sha1); -+} -+ -+static int md5_sha1_update(EVP_MD_CTX *ctx, const void *data, -+ size_t count) { -+ struct md5_sha1_ctx *mctx = ctx->md_data; -+ if (!go_openssl_MD5_Update(&mctx->md5, data, count)) -+ return 0; -+ return go_openssl_SHA1_Update(&mctx->sha1, data, count); -+} -+ -+static int md5_sha1_final(EVP_MD_CTX *ctx, unsigned char *md) { -+ struct md5_sha1_ctx *mctx = ctx->md_data; -+ if (!go_openssl_MD5_Final(md, &mctx->md5)) -+ return 0; -+ return go_openssl_SHA1_Final(md + MD5_DIGEST_LENGTH, &mctx->sha1); -+} -+ -+// Change: Removed: -+// static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms) -+ -+static const EVP_MD md5_sha1_md = { -+ NID_md5_sha1, -+ NID_md5_sha1, -+ MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, -+ 0, -+ md5_sha1_init, -+ md5_sha1_update, -+ md5_sha1_final, -+ NULL, -+ NULL, -+ EVP_PKEY_NULL_method, // Change: inserted -+ MD5_CBLOCK, -+ sizeof(EVP_MD *) + sizeof(struct md5_sha1_ctx), -+ NULL, // Change: was ctrl -+}; -+ -+// Change: Apply name mangling. -+const GO_EVP_MD_PTR go_openssl_EVP_md5_sha1_backport(void) { -+ return (const GO_EVP_MD_PTR)&md5_sha1_md; -+} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/rand.go b/src/vendor/github.com/golang-fips/openssl/v2/rand.go new file mode 100644 index 00000000000000..9fd709635c3b40 @@ -6788,10 +6349,10 @@ index 00000000000000..da5c7636173775 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/shims.h b/src/vendor/github.com/golang-fips/openssl/v2/shims.h new file mode 100644 -index 00000000000000..c8f599f71c0b20 +index 00000000000000..437312ad795fc3 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/shims.h -@@ -0,0 +1,416 @@ +@@ -0,0 +1,413 @@ +#include // size_t +#include // uint64_t + @@ -7024,13 +6585,8 @@ index 00000000000000..c8f599f71c0b20 +DEFINEFUNC(int, EVP_DigestVerifyInit, (GO_EVP_MD_CTX_PTR ctx, GO_EVP_PKEY_CTX_PTR *pctx, const GO_EVP_MD_PTR type, GO_ENGINE_PTR e, GO_EVP_PKEY_PTR pkey), (ctx, pctx, type, e, pkey)) \ +DEFINEFUNC(int, EVP_DigestVerifyFinal, (GO_EVP_MD_CTX_PTR ctx, const unsigned char *sig, size_t siglen), (ctx, sig, siglen)) \ +DEFINEFUNC_1_1_1(int, EVP_DigestVerify, (GO_EVP_MD_CTX_PTR ctx, const unsigned char *sigret, size_t siglen, const unsigned char *tbs, size_t tbslen), (ctx, sigret, siglen, tbs, tbslen)) \ -+DEFINEFUNC_LEGACY_1_0(int, MD5_Init, (GO_MD5_CTX_PTR c), (c)) \ -+DEFINEFUNC_LEGACY_1_0(int, MD5_Update, (GO_MD5_CTX_PTR c, const void *data, size_t len), (c, data, len)) \ -+DEFINEFUNC_LEGACY_1_0(int, MD5_Final, (unsigned char *md, GO_MD5_CTX_PTR c), (md, c)) \ -+DEFINEFUNC_LEGACY_1_0(int, SHA1_Init, (GO_SHA_CTX_PTR c), (c)) \ -+DEFINEFUNC_LEGACY_1_0(int, SHA1_Update, (GO_SHA_CTX_PTR c, const void *data, size_t len), (c, data, len)) \ -+DEFINEFUNC_LEGACY_1_0(int, SHA1_Final, (unsigned char *md, GO_SHA_CTX_PTR c), (md, c)) \ +DEFINEFUNC_1_1(const GO_EVP_MD_PTR, EVP_md5_sha1, (void), ()) \ ++DEFINEFUNC(const GO_EVP_MD_PTR, EVP_ripemd160, (void), ()) \ +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_md4, (void), ()) \ +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_md5, (void), ()) \ +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha1, (void), ()) \ @@ -7038,6 +6594,8 @@ index 00000000000000..c8f599f71c0b20 +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha256, (void), ()) \ +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha384, (void), ()) \ +DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha512, (void), ()) \ ++DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha512_224, (void), ()) \ ++DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha512_256, (void), ()) \ +DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_224, (void), ()) \ +DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_256, (void), ()) \ +DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_384, (void), ()) \ @@ -7380,7 +6938,7 @@ index 00000000000000..93281d6cffc352 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go b/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go new file mode 100644 -index 00000000000000..f342f221ea0c92 +index 00000000000000..33134548830d3e --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go @@ -0,0 +1,160 @@ @@ -7421,7 +6979,7 @@ index 00000000000000..f342f221ea0c92 + // that the caller wants to use TLS 1.0/1.1 PRF. + // OpenSSL detects this case by checking if the hash + // function is MD5SHA1. -+ md = cryptoHashToMD(crypto.MD5SHA1) ++ md = loadHash(crypto.MD5SHA1).md + } else { + h, err := hashFuncHash(fh) + if err != nil { @@ -7700,6 +7258,572 @@ index 00000000000000..73891afeab93d7 + } + return new(big.Int).SetBytes(b) +} +diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o +new file mode 100644 +index 0000000000000000000000000000000000000000..cedd5b03bd3078586649300d1baa94c8b12549f1 +GIT binary patch +literal 100952 +zcmeFa3t&{$wLX3(6CglLq6CeKVN_J8jwHNHl++oMz(gk!Nr3dqWD=5rq=Y2qp+rSv +z1Da`|jf%b0>TPIkn{d6ow4z4E8pKDev<0zBtJa{XV5nk?7!=I!`_A5b=FCYZiH|<+ +z|IdMwZ`NLW?Z?_{uf6s@^Z4!OkN-x~vw_xM1 +zVZX1PfxBZQ{@8HiIvsZ@nPINUDT2{U8C;6yVFK?lOvL5&*7{b~ir0e9%goOU((2XD +z3&bmy7m1g)%QfvMY*?h$AUNW$*IQmz>#Hs*PoAYGc)g+Jsd9Ll!K>?HQJ$bQEk?bN +z==B!Y)K-^OEDO+~<#o$;c_n|3sl14O<<;C!wzPJpx3<2@SM6JBZl7ba5LhAQQl<+1 +zC%OB#jaksX%8Htx0?p<9QkJLM@pD<8EWRIjy}nZK((0lWKEX1Vw^^2#6eaj=D34~) +ziuUd3SK2`B%W&p7gBiP%#A}C4+H;90Ps`ObSw%22UU|KhOTJy~En88v%vV;iw9@Mh +zEzg!LvMbpH*rDosNI{bDdP|CGi-H_;d6Q*%tul)Z<*~mGv@bp=7I?++SW#6}T +zDqs`g%BigO&8e)bfHKP}D`YtX)rWk!zUu4CihVW66~4Uc`l{N>tI7g~9j4xlvYO@2 +z>Lq2h)w1F+`9j*J>b2p8sh?T%WSuOBrfK54D~pTDoprUPzKYtiV%1sXV}4uz{JFm3 +zy6UppdY#X4!DgK)GI{Zpb(F-v5uSna&PC3J&IQiAT-R*} +z_kfe_-;wQq-sR8kaQPQ>y8M67@_(M(C+hWQZg4d_dR_j^7NA2mrZd*n*nP+~yfAzVZLI30OKkb4n#&I(QUH*F# +zkRvmBpDf~MDIl}g?2BFV8@Nta^D2zEC&ATRH`!$orDXZpT%>e>+ZjxKF3bN%q{O)_ +zpQ+wrRK$=q-!C-!Cd4+on(q;#klEUo6UTm|BW$%zZ|jqjb*O8C3czS^`#(@^Td8x{ +ztt$PMXb{XZ%GG?5&d|II8vI($ESn&tnKyIJpKu24tgGjZsy +zyZK4Bsm=+#pvjrk4=gQnXQ1E(Xyqqpep{A*k1k0it-b?(L8QYBGh6y{qFn3J*b+U< +zZyb2_IKw-a|9MfJe|zlY5jRZIwAhm!ajxexyTH_39sG-{n^n5kt>}8n21-b*8_|uH +zx%l*nSA%QxbFQZn1)=BFvq|+CYnM%TH;-Uu*SaT#em{T(=pwOk?51G)(^FzkPPe%p +z7v*Yue`CX|#~79B>f0&W(!2^r^ErBok%P`xwYi!f7SlkV0(#<;G+(6W1EkcGg(4}( +zki@Y>E)JwBy9w%T5QP6t9o_!-bbNyD7xls9>N;hPJ+5`WJ=Z!HJ3Y<i{`h%cU+h@^bFI@o#^a}=h0YF#-p(gepzz12PCY-eP1FuT +zq8Im>V2#DS^y1iwtC0gfxh2#eHy)hq^8d{>X+t68J-338s|AKmC-@SD|(PUmAxcRtC#dOoL~(W%?Mp3Ava +z&!L;C+rOa0slRfqc`0`Fqu|i9iGDo-+lKeah<(KOLhK`%zr~BX7x8D+j@U;$zr%|a +zzmI(+dlwR30^!+>KMP*QpUgkHw(X6=TC>@;?Y+3HZEq)JZF|d>wXJ(HnAv~G+O{_( +zYuh_Xu5E8m&f4}K81E*ywsj-pz9{f_La_6@*{}52Gm~G+Onxo7586Nv^}n5&$uDFk +z|26rw%w#y+BgvrmCBK9vt;0R~GxzA8?9uPK#%6*zZ-`fxI-=*-!T*4!~zuaKWcO?efE!NLLb^0R8OWmE}K@<%j1Ii?N@}nRKCC +zI96@Ide#av+#vMXoZxDPrxf1EweF-p314)Z%hE+(vF(gw +zI-5LQO{-qOnvGY#&1lMgF{5e0j*KRle3S3@8BHtx(6nG@Q{AqNrp%X`vUfY0>Rxs< +zt@@*D-Gs@m#_d?*uwaU4f>Y_h5h%x9{I+Y`XEyhgw`13y!sd4frS@G8tqK9G{Can# +z4Ryw@{x1l^jS3f-K?IA%x=fj8Th82i!kq)J1TZ8ng&9&ICYOJ*1ZRjTK1YF +zS+N;d0!#s0U_kY7;?FR9SIG3Ew_Vzj1Rwee?u((ITXDxubo7g7>BZds7u|3QS^nQ+ +z^6$*@f1HIy%Mdo`@#%oUtgkH?e$tVPNH%QviRhOrZ%~G-t&|a~^gt1_Z$m&Jvq8qn +z2o(Bf&GNsOZFvW4v2W*5e0GAL+r`Rh8}{{LBtim)7t0?h$4GG>Z-X%5N} +z(Z1qpmd(UGZbsmTS?O+Ofc+uL-|TK))!_Djiiy?Lmy23IOg{2BS5deBXkTs$qOZw% +z%|Bx_gb<#=B!B@AY^TGuZk^6(ewgDyBSM&fXhOzj+5ThqLqCOE~!oSwR3NyPzaLEDYc#HNA6eeQOb{=Sj+Oqv02Q;T==eA|r +z``=7H0!REh^;#T%r_1u&zPB)l@TqX0AN8E$@^8ay8$HbT^*kT-#JHNP5?mKnA=tY` +z3pdL@x!MSy(PwhxjZpvuUM +zedI__j=Q-A*1jA|MSzh#QA5O)cjr&^MKgZpT`!~2XRH5P} +z7v>^13bP|>PoHh6%P=lV*r|V_pG+{OVm$SknJY*0FM1f{QQ5Z#!-u6UIcgTH>8y?T +z)^=C3zB`nTPRi@ky)Mg}$uA|p +zAcd^gLO`r9daS29VyPWHJEG1ea&@4mys%WGxHm;R^*)K0+x7TH^v&Q~a4-VT3rl*g +z?-~Rzdt_!+p9_Au`Rd;0tej7_@kFpTF7}ZZ)?E|#$*!|^xvUWA;!#jA9(6U}kl<>b +z(|g1*Kca3FR+1e#KVQ=KGoQ)j4hI`@wS&(YaJ37riybm& +z=fFANg^Slm06s{L*DevUeG?nfXK1j+vw!WfyqbKZ?>(3Qw{T1FK7XV4c^a>6Q=X1( +z*r4b7o6-B+!6c3gqSfp!_#m+@$2zI%K{TY-hqER9oaT=Rg5W$i(|I;-x9I^rN^tw( +z^A5fa17NI*=^Maj-WZIm4i)`8ccY>zCs9j%( +z#`g$gcpS#yZf3mYX~GtwBisL8Sj+fTf6Hh^QnvpYH@iaP=!9{ILB#aM+Mw(LdkHz} +zpJn-15#;SGN(p`JXBqq0Ked!7wu0gpI&l>NbnsH1jM`9?Iwuw>YiC +zj&}ghJyEm6PEv7a#jWc7-kU>5p +z+#vVN(YsAwf%6Z9v|>u}Bvc-&iPIPvu^4OwB~ppHct7og?B55QKlv{Iix{>n|6%Mx +z12f|}>@s^@%~v`Gm;zb;cLzvy`Ma^%ue}k6#yerNtsk&4TGr=CV$8{Pc96qurF{R{QP#TzkLVF@fgYV{C2$TJ5b2ioHc%0k_TZGqb1B7 +z_}0vhz8o8lOS1G6AlP`Pt8vv%t@e!UHGjQjJQjWIGmfihK{x1EPz+ka=o(>!*xyM* +z6+8BItI(6D)jZ&Y&NO5-yc9++8xf^CgF0#N()gd>eww(W7v4Os!IC_K2f>3`|SKnS3TsGz&cI`M=I@E(L1h!G#plwrnV;elk4z|1aP|vBr +z?B?1@3E3Cc;)zQ`23UG#G10ObKX+vNKWCwJ=d6CMc3Hz`me@6SLszo6j49o*4JYf> +z@9D`kNK$=DMR?uDX)ILE-YTu4L&p9dV}JigFP(>{She;*7UqLZvtdmMh#M>EnV-de +zWQl$>pb%`rMU;;4lTo-Zx#q>_EON%_&5(!udSgFOe#|}P@9c4vqhG^=tu=HaTp%g- +z?RBupHMoC_n`fcM_-!cvR4V2pwx3v1W)Nf!On%d981`rCs +zAU{;o7CA%%pYMcv`VO2yYkIyDFZ&L};I)3d*@0ZaO)=KMPHqQMFhHBR#qfVh(q@>+ +zoJl-J_OxIVzo9k}X4d3dgPHHyiMcJGHlb%7*cJ6eG8w+zp;mG*y6ArcU2pcl!{5&Z +z9n-%-coDtTqUq`Z5o~qc!(!S0ZI-_?i(Bs%VmdqN)aiVLMDS(6rOOa$1De_*i`CtM +z@aoRkN1kcywwM;apf#!Z=!?eN=JjAGI{5sw@nEUjpWTF~r}|;jZk#na{l@~!22VQl +zXQ!C^VIGD0ph+1>7_HL>OB^7%+imF)b`v;JR>NdA$1XTPU4_{e9NQXCZZX`>#%KDR +zjmNAvxZxq-J->l9;>zOaR(enW3fK!CvS88b+l#*_sBUMlOK@S*(aW9Ic$l_!V52^f +zc$9-ai!dfQzRH$=NxL3qi9Pd&opbVVb4t70E>BuiPs9^norzUO;?sQW=~h;aXQ;4Z +zs8n~?3*xY&M+kYy)tuewoR25zqGUvOm_}l5e1Hu=V*SgHEWE{i3 +zp%!$M-jUtBG)kWzA2|D7hA3BSOh2AsV}(13t_qLYj7QsC+IoA=6ID~NdS(iGx;uBJ_9rg3!4o)u-o4ePsiSS&{ +z3AHw-;D9Jfy!P`92uwLj9xQQn7$zV0&`AS4VBq=^oUgYXa%tSqAz{c +z8s6~$U8q^xf18THPE105W%!G1m5hMRlMvldlMpL5{>#Ody?E8x_#7tT=hoOe{2bbK +zBjR!Hidl#gT+G7%5ht1AX|Ml&?x*zWh$4C3c@{)4m&C3MJ{r3)F(2g{A&|7eEgZ30 +zT@b$o7DnvE2b#rMn4t78IIl9!V%ciBBIO4I%70ixI`!V^LF+%Njvg=E#y?V<%3!6b +zZc~=N4yWDzUVY7bOTF2_r6HJTO=G5Oghk_AXtETO6U|{782^!oy%ou1C%Yb*swhVWP8} +zZ)U)J^Q5>c56&4mopd+zmZ}n`@?z0vlMUw7tZ(^oCdm_MT{D;$s!w73%^3KbyK#Sl +zJ0JeW2hnQWjkv#$+vso9GzgiA`iY!8-;&ehU&VJWM0BDbLDroKPlhwdr~07%KKL{Y +zt#o*Pt9~NrEZ82H*5a)Oq9cX_y?*DJINtgc=b3+Y6(2%~rQ}mYV`*-6@zf$;&Bgj# +z3?&ng;VWhiyouGew5Y7yS7N)NthUtVtFErBzSO2^nH7WcBO*~qeSOtjO@HOBlITpH +z?yMEBbC-o;y`FO}PL?UFBtlceP}abEkS#aP*DNdJEOF7JqFT`DNhpfN^mt8rHJAIW$Q8^tx6#mw{_S7{u3xHLQ#;J%-!Mc!&F#)p +z?eWR+xS~?Alhj#F#na_6U7x;~6v$>wj4SapvWj*G6#&QPBH`!dCq|N1> +z6DFUz{djsCa+&$x2;m0bb3c^557$1g{DSs2+;UGE!hX#98g99tD1C&n%P(8*65aYx +z_}5(Sv@fWKaCR6k`~79deYkoVZa(w;j~GIK=KR;2$MLGc{n69r@=bo!Ja2}YSO09j +zS+DrmkhrdhiF3vzIAd&$*6+bq%>5Xr@<}xF`8gQ<3giF6*^{|F@?$wc`%iDgD$?Jd +zhRbJe*HG>Ls{DXo4Abwi2E7>9dzJiE&@pP1TJ7{=K0$oJ7e^(2Y@${AaO*rQx*tMj10)B7cJ1luKW>U%ij#nVEhIYbh^bFR(>b>VxzLc)kPKhbn(4zFtIVwE;@BFA(Mj($x!_ +zcoC^+Gs<}smLDes!s@3GoWb-zl)P<-@f%8>J^w28H^9ez75Sm;kK;4g_zu;-ugXsv +zqJIr&-(d6W&=B%A$m0rYKQ^8Huj5ny5mAw0=kHMMbFlq`%4zOCL`y|enc)7&Uz?YHlE!gdEEn3>Ez~6&@mUax9 +zpK{v?d=!WeYT17ctU@~<0KR~HtAXc&UIqLe=mkI+&-kl=-Jnx}l$!ypM7~pjzec(h +z_+ym&Ix^#piS|uE(mw{GYxdhErULQbK1pJX#P?w#TOfxzHJnY@yMUDAdBFc5eLe8M +zP~JKq%Z09Wz8A>yu97$v7!5ieh{s#@&oM5f_ep#K_%PBpOZrDZJP5Wwgi8Mc91Eqh +zpGVQj9|7M7-UECc$n@UXo~&Y5*J9kQsOry9*z}u_y-{KKO*rSi8o8k0pi_Y_NyeF0)#2p +zFOccy0BO%%F`D)$a61r9v$q3j*BgPf>mLGHj}J)u{U(t1I~_>-JsU{-Jp)Ml9S5Xd +zV}MoY7r(fH_S=o8SCc^h2}t|>6%cwJ{|g|;?;arKT7Z?v=LfPqHNc0!F9K3;-7p%C +z&r3ks-?KpK^*2EB9|dx}?f}wmt7Q68Ano^CK+0b(af-x~fcS6kg%QvW-vW|;9!Pur +zrKIl$(k@p?x(dj4F9%km-BVB2w0FTzl&DGc0V}{S0PX|-TR^sVJ`iu)Nz0J@yMb?k +z|1yyJe@x;>K-O~*$a)G+5&YYLP|aC&z(1m#=YW35S+OzaxbcQ$_hxBud>1$$@6KjDb0l62WIM(I*}hRS{TTAI9UlVQfZag0<4-`g<0T;5@feWp +z_%V>}Xa=&r>ru`c;M3U1v%W_q-Ys#p#7ZFRcS(A-#AKO1TGGeyg)S`TZHcc+ydTJR +zTq^0)B}N0;{v!!Ou1Df)z@H+02ax@E7RdR~31m6H0J1+<0$JbXK$bHN$niKANIgsd +zQhq#;a>vkL%Dn)j9v+g|3gmc5Bxduy$EFa&j8uJ +zr+}>I9w6(vS>k9QT#MZTr2LzxhwXg{$Z^{aWP7&)S>D4ymUADF<&*;1-h3d(EnU*H +zfShN^z#7b}BD9nAVj$_;fpEq4A4vQ;uo3b=vWfz<1E;B!dd3S5bN4+EbEy-A?G +z97uf@0O^nC1F83`fYkeJ$v+E7eUFs*A@oN2RUrLqDi%SwQ2T{ImNyZ|bu$w9BFZ@m +zJ?;RGK2Nmkb1Wuo-y1;6y$qzj`H^x$Es@bi; +zt;qkuxg!5QAjji%AjjiXAoaZyNPWKmq`sdLXnz=psb~KQ5URA_3%n8ez7M4R+ySfy +zeLaxlQVHa^lma;}1p@7PK$hbKvYb@lD&)Hu$a2mH-VFK_AjfYkkmDB#__^e71X92E0;$)#fzF{8SriNV*~I_;IlyLr4x7)_#-Y5v<4)7IgsUC3gmcB +z2XdUfGW|b*9G_eu$L&^`ej|{2t^wW#{1tE?>T3t$Oe^gtzyy^0ED(OiZqYRD4;C#O +zb3%Iwh~-?{4Mg4ABS2)+HUVb>p9M|@{x2{M_$%O5z^8$kGW}b?r$FaQdKnOVg6twm +z!yWT%Z!s|$Lu?aRKwM|hVlsf_6Q_ai5?DaI1N?HyCr$?+F(k2oxEB2Nl24og{sw^s +z#M{AtM)Ha1Q*@WW0wS)M!}!DciL=1(6<9!ou3{$O5BbDPz_$r3Ai}O=+>%dB0Y67z +z0nrNn&5}<{1;0UH0WlK%2PL0)Dfk#OVgYdk_=vIf`iYl;zeivJaU}SMC7(DO{9b_t +z#8KeKqmgVs5n~vgAh3WK1^#TwCw>!rhrj|N;_a9c$tPY8eyP9$BK&5|TFECmz;6*) +zK!lCOYyq-B94uTh7!{uPlSy`#|bPTwqSg@zfA|9 +z2%C&f5m-RyeTPs{^?w_K#T`}t>hE`1N;_&1;p{-KPdUcYr)?vuz-m5E#_s(CoTqmkH7-rY2Y80e4+<@ +zey<|1fS3S&JSI8&Pb>gGL0|##bns_OKG6%lLtp{%4Dd@NpI8WfslWo_nc%OLd}0y! +zEdmRO@aZuRN4zm92j%kGD`|(MPl7TjUnS{8Nw-M)Qc34PiM%Q#-EGrJEf#}7`NFdW{a=#K +zIZx0pNV-bWqcK>_-y-Q5lHM$7ucUWM`YsNxMbi#R`YFk`oiEBCi*aFj4oRm=x6;}z +z8k2(Zt0jGnr0w!kv}(VU^axI-k=Ub18ejLN(_JR|kcm!!ljWuIJ4|$y +ziEcH~T_(EML{Em(HkO}nq8m(ftBLM3(fdtw+=Zd#rfoq$ElSiZwVS4mp6e}jp?*+lO#(Od+L6Mb^ +zxfa{gAn7(qH%a=iq+29?_PHYe21(~jx>eE-NV-kZuSt5dq%W8xa_YbA;R{@z6I0ln0UgBXMS#RmD+SjQ$AXud?1+^g#s>8nkA +z$}9feQeM&FJFyl|0W~cqw@!pYkd`i^aOc_A8qCslNu?yp+6=Pk9y3Iin8iJXeD2$O9$nRe7*jY +zMTYfK-XUovpJb9Z@+q(4*R4`s(c$Ece9EhM_n?$lw32t2>NoQB{>%2BhIL)<{}Ao( +zHt;F0;_1tzyrNb8=KdS`lvnZhGAXa3ta +zUxd +zmr8j>hm$w*Dc>UH+oZgr!^s=@l;14ncT0Iihm$w*DZf+7e=g+}9ZufJr~Dx)pFC6O +zPti)=Jim;5%B%CQ0x7R(C2!WhkxzLC;(lJ6q`ab)yhG;($Ir;8e1nvKOUf%+$(!46 +zg>D|wr#|3*ILbFlB=^{A9r +zbU1k$eSl +zn|u||Es?Z}e;$&winn4SMgBsR&Fd^l3kuJ+B(2u36iGM8^(#}-D*pVIq*Xk4gQQh_ +zwpP+AUizV=Rs7NhnmSY0TP8YoL@56<6TQqt`%U!kO!N^Gos4q@WBvIidX0&`&qTj# +zqQ5yRw7dsR^eIuH{45iFvx)xDL}!i;mH(BAe#=CU8xxxU8Wa6p6a7aMeb_`#92;7m +z$3!=o=!odh{CAn?H%#>BCVJvYq4G;i^!+9}HYPOx3=_S}M0;XG^WR~je{7;3HPL%b +z^idOiG90VXzAiJ-xh8tKiN4=NKWU=hFwq~H=p!cjtdm3AGs#3dO?179zSl%QX`(+i +z(Gl2}8v7q-qG#*0Lrs6}Y7@=(#apx>f0K!R(L{e>qQ~LkvQd7ziOx6C*XwkkIod5I +z`gej2Xi +zDqlU4%2!;Olv`FaGpnL@`m}}K+?@KFnF~OqES#HL=Da$$EVruOnT^-Aa|UQfGJa{a +z8b8fAKtrb2;Co+uwf);tQ&e6n+cF)EWgEUy6KcwqRb-Y-n>jN%HTjY%bgih?hrX$b +zFIj<~s>4rPx{{Kzq&`w1az)+JrM_x(&(LA7Gb?wQ=&@^V?y>=UJiSDGosBaycW!!i +za?+Y3<_}=bO-d?5oii)&bAvt*-v%+gsHg-lm-A(9(K5U&=gZ2vTD)B0!a#&H +z2Lo_T=*_{%nTx-)g&pRXjuie}Ux +z<*M*ShuELy4H<8c0l&c4fw`%9`>RCr4%Q~YHK{=J8YY|O4H-?{J0t~vxiWb=e)tvh +zAh))%8q+U*=92naU(Kv?-6J{Ea~I|=^TMkXFD)KQa+X&Y&AmQ%+4akY%6y4e)R0>? +zoV=Awm)7`dhm$wEs9()9@oSm2Wy|U+>uRoG-*Vtv`PEhnDr$)0y2*>ndBaxm!->qMU)-eKnI)0}E4fQhHtW^*-Gb +z&$}cSZW+H2IxjgXX!i?~D +zo7}I{Ur)KtxhuW3R}~wJ@28~sH{| +z$e|v69sWYPa?Y(U{t}H7Ryb5msR2K^FnLy4&BCJcvJ#HH-YYM=mAho6_d0K_v3JSS +zX!yz;=ili3_Eqz})k)srbrOozdKiHQ>02D3({&2S;Y^_7JFNOXE- +ziEp7<7lUN2UpW^(@RDp14VGjkDJK}z#k84{+rOsls?gp~M}ReNIwHV%Gb*cm72cV3 +z{5j<08AXO4vIgDHBRMlubA3hl62vPiS1$BAoynnHUy13Sm6R1S-TxzO%{3@V)-1wI +zbNwN;t?XZ&GjrzE3{SBZV}f2~Y;M09dfj|EL&LU5mL)7<0H0}^^ZgxWP^q#gvnBM; +zV44fT3b4Z3cH|3ulSYFnMNGjjyhx5)ns9`>8bcPj}Dyadt +zGB;@fXxXjV4D_v*5u@)_JN +zI-NsK>|kpVPl%{%S!gpum5Mf&&oQ-SR<6rAZRV_noR)MsYE#|cQ>dI~RR_{dcFFYV +zDKmyyGII`8vYtLb$upCu4YOqC9H?YH-BfZ)Rt2{32u3USn?V +ztfDIT(31N4++01l$<4i*J}-BXamw{GGZmNSF4A+?Bqz(Cr=MF_TeEP+vg*nkP-2;0 +zVomZ)FOCK(YQ1$8<(0+DeW;8<$&Ix&$+Nh}ou`{We%{_!w89XH)J&W14MzFS>gu9; +zwVx47PtCMh8NQ`Ob>+2?#R`Cv6JK>zWw{=ZE))$LG|K?>*NAw#W@aY8B3G&BkEmIhN!Eu8sC*$;?13w%bhK*;?m_cwadLFMb$TyLE&Eg>v_F% +z=FLyf^t$IcGrW^TQhMczDl~gZS$SD)Jvxn{=We8aP?2h1aK|@D#*CpV&nT-w<;A6g +zlrgM|vgTb?Ry#-`^Ok(uhl8@~eTdb=Y9c=e+!ekR#Z~CMP*+ho%m!9N1GOYSn7p?GRRnVefbHmD%RgvwhEn;w$i(QVf;6-J% +z6$obXik6fIlB+|j$N5_k$6WNGt^!K{dhaXI4U1FEIKjknm^3S^qP(oacSX{|dc-)3 +zuyM#+I-{b*i(&@KpPb|_s$S;H#W{{|m=ZI+q5HOZ!>Xtr!DVr7-uxTYRJbIw+_wUI +zzxlQL-piTp&097TZC$3?8hT_pJ>;Y$ME%StJ!{fS~L&# +zIM5(Ci$iz!i^^f$a@5NzYHEvcP66ZLq=rfOXp%g8G8pB+<-%*4hHB9~*qU+EAB;c( +zq2!`@oW`>Hs_IJ4IPa3mmA(>hWmVC2bv~R-mDSW@=&-(flY@Cnd^NSzmGwj9HT$zr +z2j?v>zkUULedQ8ULkB*cFl@wfm+1}v_c&|sKQVI`v&DHSofWOwR!S+0))QK}D>fT#`FI +zS#zgP!#y4M48$AtE0$CuBCs+3^zyeGY=cD7=KS6&n~Z&N?i^Z_SO3umu*D-vGdp*g +zEoff-R;EF754k*;rR(*+%{5dwh&|haliOSldK+x>Ak(d%F1}0yIHAl9_%h{iGJVx@ +z%o8c-rK){P%NeCtR`3y14N%K;dFNCkcuv-q;z{?#zTs^Yu(b(1oxrb?poVappWwb= +z_%dQsGyMGNmB!uD@a5FrX!sJ?zzjdLzGWJI_Hf(8ekBYmP<3+w8N@fxcVuVinZ$P3 +zTct?h0_YL0s1<3!dDL(2=Pom68FIq+7g26{pg=_9KC+x;j}V!K@HsZ)atqlyd7ie4VBf)r!K3s>+esgw2Sko{t1G; +zysUQW#Y^hS%1fr=aIoArRXK>geRhLtH!#3!ZL +z`D=Txb#RY2j2*PT2!;CpkTbd=iwHem9x}VWXD?k|vh@GdG}If+Alvwc?f&LuV4FVl +z@elf}h4Ibg{hIUd@)4AONjt)yh4*(d|Lk-66OZSN4~7OivnxOGc#encd?)RR$8+J{ +zVr)F+9QdG1nvp5C_-9Z1L0nSk0{ms3_wbC@{JiJHgDd&Q$j}&NFo$D0r9JVGAnY6a +zhn{sNT@Lc(R6Q~ZMy@9w5>(=Cl7nlZ-zonWdtT8`d|=<{4u00bk1b;s{VI}>*ozDrQE;l_13ZvNI` +zxT_G~L&_@(-!I5Z(Ik1}Yy0%e>(xJ8C@K7woHs8sKQBNAUOafdc**kkot33&_}xdo +zh}0ScNBqSHrOWW)(xUQY(ExLKn`Jrp+ByB|!1tZwD;)zDzJ4#{!Y5Mku@rn(R;HTE +z>y+hrCBMs59-C;q|5fwwJ4VKWPnM_J@dH_2K*03E>-Cj-m-5Z)f?+OCeQ#?Q#(~!clt(k@M*E)8Q$qjrZ(oKp +z&l$|4e)q;9lV~TpSuNCmKQ5S2zVdo2mwda}Tebq<(!}qH!`C*2l(%83$cV3{)UQ^Q +zr}{3FLcoiU8rK#Dlg#C*-`#1IS=wa#9B3cD`mW!_{^FC#_zYoP1wO%y5AM4&jF}us +zg0gWg;d0^oZgu^kykwCS(p(Y=xDQ>6`amSD!tVpZ_NO7uhMTsb|Dv9DlKxuPon?j< +zKSQB^Cx22t33)#|TAHa(vWug&=?S1iHjZ1vv~9I%{_ +zPYbXP+>-|?r`nh6tG*tezpVi`d_I0H9FP6a}W{@J;3~p^Wvd*0|oN +z25)csx!SJD7Q8+i?XX5|!n)NG7vVUnMO^;M0jqXrR2uHT-h9_&OVo>P)>C^YTC_V= +z8K0rNc$Cp}&cL!`AnS(g6if7r?TzDmFNdtT4*cHmoo9gW1*&pet?_!>+N|S-Y}a(O +z>(&VTl&5t17>{G>+@tYduw$Wqrp`Hf0`f +zq|6z*%v&gXywvrAGqs0XF@_c`s+sveMgG5|Ep3gpfi%^=w#J3MXIrDt?$h=1k0S3U +z$h!q&+BC*-bW7s`v>|@e#>PdxPguwIzGXdglV-X66}Ip3c`5B3uO*>x324Kq=kte5@?R*UVgAQ77W4!T` +zs!kP +zWwAJa%{-k}+V-b^V_6Sd6GG~F3wl)TMm*NCn&XVVQwPk?a>pS3N{i#@l@qn2t_vcd +z$1^rrP;Z3o*h}e_hWU{|=AAqWve5rV>jJ$`ZPr}9pRLftMr)p))_TWvoX_i98|U|K +zY|Ld_)_3dnB*viijw+qcIs{MH*>vdQD8_VSV;;s?*Z}38O1JDfep4pqdIsivI_CZr +z@Bz;DW0lXfby~fz97g{>gPpY2T+u%H*e$yshn`2HKU1J1^egVd`nHZMEn}M<5xNErmepP8+e;Gh4w-&-hU44)-t;1-AFCZ$Yc6= +zq|ZV6Mr%&58t;3o+EF#;9B#>4=8; +z=R%i}urKz7dEndhSO;HOulw?IH0?$FT;NAN*6-YV>v8Kx2cxvSzD5mtw!oKacfvPq +z8jX7TinZQ8^sDDGEj1c+4DOR~$Ktl&j>CO2Zu&1PZfqG|8i9Kx?lHKd@H4uwzb)PH +zaeLuo*`D{Uj@1359H|E`aHRHJ=t!OV#>(9*o~+v4bDAUdqcf2{)scE|x+C?_C63gK +z?=RiGc2(i-(FOUt4^4EW#wEITCx0_%ccCYLcTcP%b?-Pw>bW-;?k+*Tp0S|Mb)@=G +z)<~4ua~bNfST;pjPQo37J9^Xdv$Rt%rkje+%6X_u8-uhFxFc~}acj6whEIvxbo?e~ +zJM?iU?Th+5JnuJHXM}EOZ&(j?{r%nAbg%N=mL$hx5v7iL_K|arK4mZL_pmiW@Auu7 +z-bX1L$dCD@=Kn;urF}2*v);q=p4RP}^&VODBxuxoQ$+i5w8sHm9)_*|9p%i_v>pVw +z+|dPm%2StWAN?*u%Zt)BpYl{hRL>ZlFV;O{``8XKC&k?3c(>kCxZ7g6;@9{Z^LUHa +zi*aTc&T;O=SZeVif4tt8vtM`I#d#Exra6Co{H80=UMJ@1cD)aM)`(rb-bm0RkUkRq +z7}b7!yX8)<0Ux7IVYiN>!lyZo?mgGq-u(xx_r=0Tjig44 +zSM8p195!(YXxQ=?$c=@}fy=ej{pnijXvjuG=KZ;lzl!|Q-BFM^Fi%T8n5(6tjyvC9 +zq@~WVOxD*`jw{Ex8|fUkWa#1&_>n2c3-6v~Ij!faQCeR7$Bw%=A5~uF=eV_EP2ubP +z5n9ijky>6&gjgFVYNz%@ZT`W%r=Tp#&hj|nhr`QvL4GNG5amCPIJM_FVGHXgYU5GP +zJ@=L(9r3|Odtsv-C+Il7?`_QIQ5x2zV7Yo9&=1u<+LzM58sFnL&Bgf5!8m5Z|7Nsf +zTmy51cB*drnfq|>$L+x24jHdu9Y2P6?Nb@A9mX2`8RpATv_ZsdLEC1`7Bxhyb_rsl +zKEy<7j!~w~n%q8=oF3yLPBX@MtyuqcdBi@$lMjs%TM;t~`O}7!55{t*2V%J+u$5lu +zp~xDKG~xSO5t~sr8zaup?T};EdPl0ho-(#l^NBGTW4O1l#;RCsyiI%fk+)OZA3==S +zjTmV!;up$ySWoH2zMv%m@whP#d<5(0enY-CtogU;@tKGn)wv +z&x`nS+@{A6TfN0~9BX0IM3Ig)WBxg~-^r-Wk +z?Ppt}dftuJ@)!f1ioMk1sGt4(3HWczwy}Mj%d}g*<{pLqU&QJn&SN^;#F(EpKTx}l +zAkJnC$JkKWt_AVjX=u-^O7=6DUSvJBXAWYT4(O9|$6z~L*DmWT+-=NPYCV1V`S8`M +zUq&AFLphf5_l)OGD*tgtrfV;3Axy`4zw8p)VD2jho5 +z0BF{u#$hR_&sA7Vw;#XKrTOhSSK +zHx_>_2lr&$Rk)2Y5XWlbXzjXIP0O1&Lc7js(ekDrcHD*iMLg%74X+^r`y3aDX+Xyt +zBcMmdrYxs0LOc2iVrM1GSeLe__XquGV1LlBZ9qN$5yxGsOwb|i4=saj +z2>PMDXp_EP>3cxfi9Y5*U9g{%xt?9)c&tlnnl&2jk2=e7*BGaEr^_<=yEaQyGxJ!Y +z9Y>jObe1!C34wKhfE#$hUuOS%I{g{iYuEWyTacw#P|3hEbgngKpSEKcDC~U-;31e@pGs;JmVt%T# +z12I-S%TRkz#___>4tLJQVQ{dfY8T;7!HsLsaq6>LcCoFk*3;qNg{|^z<%{TD$x$!%~U!eW^*$v0Cb=0Npq}BWk#0-s$IpTxy +zhJ|ai(3|jMLZ3FQRq4>jLpZ1CI)!>a6Z(zU*L&*zu#9#7D(yz>6R_vS8PnFrgs^-2 +zjc*A1Y18-iN%!NlTUB?^p2T@t+o+Y& +z$HTVK#zN>NXhXs$)5o(fJfG@sLyWh@IxO~uLWX1ZRcz|hWlta;w;(Q$Kzwe+{tD-z +zR-A=mFHd{o+*Ni#KY0f1!ZpPFpMiNyyD*MD*KeN1wT`-M;IU61Z0va^C;HB@$GXC$ +zWj)80_QY6J=yH5uPV?+U?Vp7%gJp=li;5edKg^xuH)Wvz>CnR!(1#P}L(i(UWbk>n +zUE9@*J;yQZIe3O7))F!QsJp@RrRGs8=E~)mD+A4=csa)sux~HY=aPsSR17ruTsl24 +zmllM~C7$1ka%O4`cl{XpM2vse{Xo|^rMJ^DpK#s=TRj~%#y$LJSYv-YO8e-)v9=ZI +zXT~C~V9fOx<}_mx>VRXzn`anmj<;fNGi^Zx=QQIiA!~dc95YdGaP9}&y8!KEe9ALw +zjz8s}fX`Fq{iyGj-93nL)OwHgAZ|?k6CG15W15d)zSoIhCQ>H&vtBtUtk~m_k(3AKNjpu +z9s1%x{eG-XQCOQ;?{kPb&1JJ**3Y_~$NKWlv}iMK9i?4&8_sD|+ZluM91^}Xz7G8p +zYZ1>RCmKQqW~Si~54!lozCPNi>S84pJ!^qh|~ +zgbuW|zYc=^4sFBuFC2$5)}#ZNg!=*9`M7ZnYo2~8&jx5akU^X%&Mov08Tql1YWQ^hn$2^$qB+O^wi$7 +zwSNqKtLKBCT$_&PHWvMCdhmH|*~Rw=9LBu<81uSUt}C1;%Jw<0&*Z*$h`)ga}&>E!p_ad-cD(U(`s1{UqE}K4qCA<0_wKL +zeUzSNP3UcHjL>5?<1;7vd}aSiM$Ln3U{|Gqy|P-5f@f-+&)-L$e`Fhy{=wzLF8`tJ +zr|yLfY3tvCuGMpQu9MswbMA59xlf*DbBxH-#|*epj@jd{-q23oUYU<$_yGKcdCc0j +zM+AJz+cNK#MRmF?%lx|h3D+E>KWUY19?V{ZKNL3pMg7ToH2yH|JQ%ClpC}zDJ686K +zbgt+6JosnvR2(AqjTj$`_AsCKc28`WZ__S+h39~3o)&)2v&-P~-O#q`{w&^Hp7~7k +zEu3i<;Y^d|tLN<~M?cp*((haoz6|GwdTfmI!zL|imdY#6-$TzMRo%za#hIw^8$zFy +z<9<*t>twEVe1DKQ?>3(C^2~DB<%}M@oPqQ++%(k&L;b98F(>pUe_(=x;l1mnGvwxva7_|X>|e^Sq;|2)j4HciW{ +zDCS!+!}9fd_$_&w{>ob=QUB_5@j7=|DAwya=gRlxDv8k4FqBoFXKcLX#`&6MWuhf6 +zdZNCLesICck5st?^Wru>dUmLM88NyV&3eFIQe3VWn^H3q%=t28HnYCW +z`5a;LncGD<<7MXCj7+>%wlCz3UN#=-1cW-iwB*2aY@2sC`r+fUkf{j2%rahiIbWbY +zlO37!xm0;yGT%_`|Ehd*djtI%qW=Lsx}@Eyetr$;7&S_*QhI54X5PmaMu1#I22#%F|0h}61-P7GEkuDg^WMK^64Mo+QafY!G}u- +z%V&InkA#KgGoBc%eK|wa?*Jc{@=Ag-{FU|?mY;#VgZ0lb1b>pKE3E!)L-3_y!pbua +z7)(Dy$#cE`D)L;{@!lg@jp&T=?@;w~{r)QTbDbVc-hsvpHhx33@2m11L-bFsuVL+v +z>*-+qqkqN~);|8#{GsO8Q2xoGcW?0dJJ|Sgef%o?q1yLV`NPytzxlJpTToLM%Gn^XP}J;REHKRmWI55m +zlTc42@MIvKG3eFOfI_h$`%n61l#S?grwvcLK+N +z-U_7L1HeBay#@GN>P4WZ3CQ|a3-mMq^?HCTFGu15wk2Qps{ka~9m@nI4-o(mAuTG2VIBlZ>``?ng%{_xft*iO0@G4}oCg<4oFFkyVx+`pPzmSLeL&`KkeDygA<+gzmF@`w)1ra$Ds-;ZB=vfVl)G18+CJd#z<(XM6Sx&fy>@vOR~#$#Q_4C$9s4kMtct+Etf8 +z&oe;kyHlWNE0A{eAdq&`0%U*I3iOmqx>VA6K=yBjOiz;O6M*cW1O0l0h&KwbUo#{o +z0NJl&;Im(cWdHX8+1@?CmyzBDWP6_x=;;Kqy;}u(I)H3%8&LPJK(@C*pr;(jc9fvL +zUjaK$7wy<0ajnD#iRD1H%O&aA5|d>5z64Rk$$O%h9iY?lp)A$Cs?m=-7b +zhwuRi%I^cRzdIz|DRDFK4`@dlko|o?pyxgyrj&gHkmauivfmD%u3sR_n+)W5CjhCx +zc!8ccAj^vu=!pWdoL=aMAE0E=`2eMx+0zEeaX%~xSdcI6|0qHj~fHz^>90Jqw&_AZ<0GaL+vdysw*$oB6S=-CH^s@>fJ(>j6g +zA>Vz1U%o-0rv*qoHUUwjeKqh^l+z&4b2AYByL_cUPc3j2%B>QZRtltC3GhSYD-`Hi +z47?fn@&%^l0S|$nBhcd#XiotiMEVSYo+RKckh@4=+GOBg!Jj11GeMv|8h8NdQ35@Y +zz*`}w2~0b7mZrTAey>2!A%XVSfz<0(;NQUS5a`(gY=Hb`foTr{{|yuS@I%VkxzE0BKiMK)5J(xxlnS +z$^08Ro%1M%O^Kl>rS{~RH|PoU>@AnopDAnj)- +zkoL1fpr;E+`*}uSS|^b9vsIvHi$HrD5dZD>;m>5?df;~;*CH^j3CMZZ0K5(9Hw#Rw +z0@Civ1$s(>w}4+FFs%?syIU;KlPA#b0^+}YHvX`_8NfA=OA?qi8OZuw!I|Zh70a;%s@OGqc6`1xQ +zQ1>4|+If>e&uU-;@-+xdyBSD3Un$U2CD2|1WWD)7)|&(LL(VNQEd$7UX9Js%o+2>K +z2E-EOo**zS5@EB8OdJ2K`Z;J(b@`0-$mnSf-2}rrsK-x=# +zK+nxU+Q&+Po?0O7r%GVj13=2P0y*yY3G{3La-7!-^t1qPh1^>{Ya|3C2E`e#Qf$V1k@O9|pW`UksAWY5P3dFi+w`iL7nMGTLK53r=5esO2 +zKEoO$~6K8{;A~2Eo5cqkLPedD{^93dnJHW4%eBw93Unww=_-pVVlzigl +z;BOX~NQ5q8UY2~K1N=P#6NwSv9|N-eL?`$Z0wxkMA7d^8l25z>{3L;i#7OWLOFl6j +z{6c|=#F5~ymwaLd_!|T!5=Vo-Rq~0@d32}1L?YISnAatrI0yW0fr&(naSYFu*goQ1 +z@S_AK65$79E|Pqr3rR@=6N%VI$K**qF$?^Bfr&({YcV|6V)?`?!RL7wFp-FLG^Py* +zo0&j#ga4qwL?ZeW^Ni#Zv%&8Ym`HpWe4e{eo_IC*R5~z`_$2rffaDYBfo~I-NW}gx +zhUb0c6LY}N7nn%=4fwT^PrL?vo+|z7yOGxi1LYx +z!A}yHNQA$MSuFWP5BP-w6N!lLW7bPPu>kxH0uza6fWJlZiC*wK1SS&C1pj5pCl-Rg +zM_?jx0{Dj|pI8KbufRm&S>VTG5>h|JCEzCrOe7|PKST0~#o(t1OeDf*#w?b6VhQ+# +z0uzZg@NbrUq7VEAfr-Sk!GA#ViA%w66PQRm2YjBFvVBDO*65uA6N%@7e^~N~rQr7p +zOe9VMf5IpsPb>r9CNPnB9{95*pZIO?9Rd@H=Yzjk@`=mAFBF(aya4>0fovbK9Q+1> +ziA1bhF%L*SaRvBo0uzZ-z=vDaMn-5cQNSo5&VV%ds+a_z6=(yF0HQ2yG%yJ`3YY?n +z08;J-)KA1(6;1h-poz#E&2s8N6O%#PfH#6BP6N$yZvsu64muxr8))JT(51je&_t|> +z(N)0Jpoz0UHvn%3O}qqj3$O_^F$FY0U*~KCy;)*8%Y1lLg{C1K>AY$kbbieNdMRX +zq#tYr(%*Fg>DRh}^j~ZY%8a2ur9W~2>30f&^e+uS`jJ*3{Y58`exV!4`Oi+A2DAY= +zpB+HX+d?4cX9JM)uocMp)(Pai>IT|?JcK_RXak-DbO6r<(tk_>HUQ59wgPFdoxlr# +z-N4B}Dvx#+6|vUZVvUMeZEeEewulEKq9P7kdM!~AJ1jf#x5a|5po=&h*&7)Zv1LTZ +z2;?8tG72dpdq+k^92|LQ-DE?I1N&#wcu~}>HAKPis(9h2mW^czxJ*^wyo>BGhA9J+ZuaG2G~oQF|eCtOKd$# +zq&_S;&=d7V>&x+zC2wf(Oo>kvV~S+>VT)N%2&l5Efd>eKv3Y~jYJjn+m@&ABfvSKD +zXsg?LMY=hKH#mR`c$v}Z4{tGsEJzA(*g5Z=L*94zA^M|9hWP?~e7|?@@7{C2&pq#v +zZ~KMq4c@cc&%yEd_T}wf@AYjP+aRxPZ^Lo%@ukNbyr-U6d7{C4^T`jM^m-S4OFq!S +zch=YFUGbfU<4NBsxN_;K%TG0UKiY9?N27Ob$9Xs|>{x{3#b@4r26B1k0vwM&vkb?L +zr*Ayn=so-Nxu>DL&z^s_(R<;!i_d|!&#l98;kiXPUfy+O7sT0h4vr^wpWF@H-OF%1 +z-L%>S`e-W})N1fVu+e)Za5d22T@PFczXAzE9JFay!co#YsJ0X7O`A(>Z&U0|S+Ia?!OI^piK-#s~)#&}G^A=n= +z*R=*$&UBrHE2q0w;drgzBg5$#8 +zML2%cbqnI$?D_!WAMal7h8FBzg5!pMLxu@})pVJ|oo|PWZA#^+hI)oNO!0ox! +z110LY1jn_W^B_ImyW9(H)VtK%=)DzMfb&bC%Mky3XdU9;=)DP7uJ>+$^lI-lI6vEa +z4vwdKSK!LqeV6(gychZ|_Cd|}t;6|p-w8P0>Ro{2jsBbcaJ_%MzrlO1e+|yB_iaGT +zi-T_uLTe6Q7z7;#&%^ok!3{WG9lQotE)QOT^M&wY7_=R{1y^nkegIcag;(IpiSWrV +z^s(?VoUet?!|`nR99&rqpMm4jzT^9#r27`(czS4c2y_^_3CGppGs6wumEqHHJU_e+ +z$8*DLaJ)2p8IBi+-yVjt4=;?sl;%0~7z{?3n-VZSF&qZ`E)4NXiKS{m}lOcv*5MCkdg-HtIpC!DDFh59jkZ|`_ +zhyOa^*9fEk7WwOh(Z7orZywkICO^bG2|tgMA(a0rIIl4T2y37h2G;l1b_aJ6zY8Wy +z3|xN~VUom{4U9H(#G&5SQIe5#|Xbfc%1MXgqI1g5xzqB +z=Y)MQ`D18?#Rb#D{WFHI5XOBnhM(f%1NwZKun+1LV#5IN^T6e?@qd@cV?n +zOc?#bm|m1H`lAtN2(J-dAlwN3NFAKaT@HK()rZWbv4Zd7X{uBxUos(N4OQoQ^Sgf-#73w;lm{V2H{!4|3ElR`13x8KTo)w +z@B(3r@Dkw@gqI2bGvbF9JS&9%hwv)l9Zxy(vxJ)ouMzGiyiPby_#)v`gf9{P5#cL@ +z8^B1%{I3yiCcHuTCBioe`W`$Esi52s?7-vjW8;(@}S!nzY>0N?2MRq=;_XMm;h +zcPsqAfOTT0g7FlxWOKvLZ&b*Uzm@XDbqV>5tMOGi@_od|bp!c~;ndC_%qlw|#{7K_ +zwDm!LfbdJiXN>Vt|Mt&05fCF^l_Q_+y<5a*%zRZ}~HoClK%p^;hM{ +zXZ!XV@fl8OZRXOt6KL1PNGiLsNyL6@cQ{~9#0rL*=88g3I@KrhTyQzR56Q42jy98gABcJyR +zzXR*O-G3=P=JyId$45Ex*D3xu@fkC}Tkuu6U4Ghs%oCsYC(Oq_gaPp=9w5N}34BA~C%`UI^BWiV4+VZp +z;P(XHxyzm2u)wbfjCPHh{|SK~fI5icfr4CLz60^2EQIeL0IsyY^iq4}z)r#b#Tb*u +z_IZ%fK#c99%CUV1iN8dA#>~h2QyB0I`KlcGyr2Cs@fl-$%%8e%k*~^;kI(C2_$l!j +zGhgbj%8`GQ_&15qnEBmaCw;`IzbZ#Q@4tt@4#E0kjPWb!ugZ~+&*Nb*h|ie$Qh!yB +zeDqsjm?b`A=KJsj0)C{8c&f +z*8OZRXOt6 +z-}oQIXIzc1%8}3h$?ZX>{uo!|t8(PCKeLzkjH~fgIr7>6d5rjsncwAfk7E6)a^$nW +z^fd7qGygHcSLMiO|LRTRGiH9b;Hz@vvp@FPR;T_LGhgbj%8}3h+k?bs%=|%-zbZ#Q +z`+L7ie8$!IsvP<3AO1G+88ctjpDIT_`;-5h_>8OZRXOt6{~T^}>W^_XzA8sP`>Wq1 +zK4a#~`d8)1Xa6?5^TnP&7&Bj%pXFa`hq|M-!LNT5xUs`6-!Jeca+ +zza{WhfgkO3r)LU$T;T5uyag&!EpNZT_~)al{2hU@KGpRe&5kV(_=@Y_8-#g%{Q?kB +z&i2%6gkhSq!{d+u%6WeOF5};Fd{bEduKT`#k2(tiM_PyFI^V&8H*D=-^OqzrT4l +zlAZ0(C#UhR^!!>nb7X%io`g4*YlE%BRx*~G)dKiF>#(LB*{5lKEox=rN3H0PRe(#0 +zxqX@u&j!QETubwWY3wg#g9ib$PYf7webk5>>4H82=ehn0dibq*ct7%Vu7V;hS@{1y +zD_5>dHj>DZE-j!e>Tp*oWaF`9U$i+G^mq8%(onQW&VsUW#%*)(ie7l7_n@YQsXjV@ +z(vzQ=u`*CRrNE{hHeybR2M3H;#S*tfoxe5I`;39mh+jKW%BjCt-T30~0ZofTp1~x% +zO4tJMGJuvyBnqcT@H7{R!D#|dQ~4a6&J99CxYU6Lc+vgA#@IgqMQ|L%q$M&;w6_U_eK=m-Tmzoqbp59-v +zU7Fi5!D8Q}6#Fx&Im5D|u3i+#!j+-wNxS-=$8@zfz~a1s=f$zircO+7la}eGVo{PuwseHBv%eEipR{V?8gUM`U +z#tLbLSE8ngA7gUpP~T9ZfBa>cMgVJQ!XG#gNye-L7R*S{o>r(lGbdulbSho2^J>ne +zg43ydGUx8h#c5h;2#2ccT2DK?usoNVP9=1Gq^#CCnqL-6*C+Q^)_W8$cN7;UzZS}8 +zj#~CiJl1Bwva?tq4!oMk&xCHfK5!*UMsoR#)iRUHs5v+Vz>M{M+P-4T +zK|c06d|P#;4-}^FKsl!uZkAI=ah{y;x5l#*kwiR-ZEu&##9|p!^X4mNPA#3k89P3A +z#{;kGFAp6sGn!dn;nXbeT{ozm>b>m*N?x~J%OgqA&6Cn%X1n@yG!2!2G&>$Sb$@JRN6|K!F(1bJAWXe +z=m=PuGH8D7>oBYc{26vnYJS4hb-%ml^Dx}QTG%z*f4^$ZSxAX;cFatfzpmysU!I-b +z7aT?N6xL!GphK#O*NcJ)y#!DaL&HgjuRoN=o*G@(5xqlp-kA%(iR} +z3?j9NmDh-hNuafUhg51AvZql8OiYh))tmEJ_3l9U=s-xdCwS3)9Oc@`R)rNL32J~^BVfK~;*mrEw~M;I>A)^&3-*L#b;aCjx+@iQ +zO!Ny~T8%-yIoLXZ!xE<)-c*;*6dY4lb@96Bmw3IUJy2)L7_(B!_Vo%W2mQ@;ri?Kw +zrEFgpDYu7{u!RTHWGn#M`|HR-GGtC=ayv)EXpN*{4viKHhG82whB1nBo-wHoxw3A? +zcBwIG$IklwrU8p!GB%LUWhVl$OzIe<7`Ic*`hzC829h~5pG>5tk64fy8YQphvi?@w +zePO(I?%`Ilh%GWcQNP+h=&eD@@Ztb;ZBKbtl$s0T;RwkWF*h|!eqgc%- +z74pwI_I5Vdm&v3u&dS64RmwH!6s99Mbi=Tor{CjmCC?76QZWkY~aq;G^b~e +zWOGN%Xe4ti4)twjkHu$lX8+iMP@g$GruUjVolBwATpF~ViYMZ^0+bnA9ycR}nv{%H +zGP!F+?A?5G8%dexdZv>&8%*4%U&3hz`` +zBmun!mTVVx65~tudo2!F2`iGd_*%@$jTh2Z56ouC7%cjukvS`z#0~{ruC7Sot4EtCfT=SH`-kzFKr(7Va+Tuywc$u6W*OklvFc<5P51U~tgeg-U}H`j +z;|E^l5z*F{u;#!lJdm@uV0y?Lj|D;380v~;Y@;%|J*X`%$BD}Wb6b8qHZE`yxkE=8 +zRxF2TlC*9Itx@}S(_f{=%j$1(4Ek%O#?hzUoBzoK^nU6U@nkj^0izl^7Y=&pG8T4O +zbWJIpwsN{Ksfs3?9D}~7`UFY_O3~7s9K&Hw*{3rp9FgW!YTk;PsdVI(yakS{cs7TY +zKA5*qdX5{lvbjvEP%AFhn4fAc;Iw+8tl)xjfc_RQExr*OuxY4ItZ0nJ%-fus5n*Mr?`nkXi$ktN_6;+FF}u +z#pW6e5NYvAt)%UuTboj9mU(>6UFuo}uC8-Z1A3^!KKAyTV{F?SS?VpDR|cBG)hk2oPMfENCjY%iOLmcak>+L%?{p(^ +zckq**2GjxSm=8QfCE$LeXE@XhpBDH8;1dLUq%b#?0!zUMQ@d&6E53X+3~d?TO#8?* +z2Dh|3Dbs#87>J!am{M%Se5F2CwldX>z3JK^*#*0714@Q9I-;*M!eu&8+LF#S##~ul +z+=&7>s-yyUk`9ijyG=)qrqWcEv1Srz#ix>Z2PzBSp1wh|KLf_K-!lU@!gpKsZ6sjp +zQ@nX$WMB>=qojOuRN6Px&v7g-O@$wN~~ +zyL(&u8S=GwO!53oxw5VZckUR%yFBO+x~m7g9ACtJAKl$OYj@vAr#vMy_G$a* +z#GdW5v;AZ9zry~4Mddq#(rt+{3-|tRqP)8P|Li6#=aJ;yw#{(2*1{*VoU_WXq*r=e +zv}~!o-RErCJHN?;r!t>=_wXz#VBZ#~@OUq7B8A;@w@(4P9+oXj-LHu6`Gf0NQoMy! +z;Tc_Fo4Fq1_208cvP*ltI(E|bEg`on&*iJzGzqt}dDH0j-hK8+bmsrk=(P1kYg>J+ +zyS!H^V)4_EU(zo!)JM+C)cI6ynH6tsJLdEKTY0cM-t5Oc_iyE?&wI(cf3;kDiTk(m +z&=-%-{2>TX}NZcK`mC+hDof`()Bh>Na6&O*q1td;eZS +o)t?7!KI%kW*0{mSca}!?T06*XUUsb2uT>t<8 + +literal 0 +HcmV?d00001 + diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go new file mode 100644 index 00000000000000..5d331b8ed22252 @@ -9078,7 +9202,7 @@ index 00000000000000..f59e6f9af58cd4 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go new file mode 100644 -index 00000000000000..f253eeac15bcc0 +index 00000000000000..fcdce4c49b6723 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go @@ -0,0 +1,338 @@ @@ -9326,7 +9450,7 @@ index 00000000000000..f253eeac15bcc0 +// bytesToCFData turns a byte slice into a CFDataRef. Caller then "owns" the +// CFDataRef and must CFRelease the CFDataRef when done. +func bytesToCFData(buf []byte) C.CFDataRef { -+ return C.CFDataCreate(C.kCFAllocatorDefault, (*C.UInt8)(unsafe.Pointer(&buf[0])), C.CFIndex(len(buf))) ++ return C.CFDataCreate(C.kCFAllocatorDefault, base(buf), C.CFIndex(len(buf))) +} + +// cfDataToBytes turns a CFDataRef into a byte slice. @@ -14803,15 +14927,15 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 1c8de570cc2f1f..eff1538ca84b8a 100644 +index 1c8de570cc2f1f..aac6c2a60b6b80 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,19 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20241211125030-65f2a3ae34cf ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 +## explicit; go 1.22 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig -+# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250107204503-9cc4ff035cc1 ++# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 +## explicit; go 1.22 +github.com/microsoft/go-crypto-darwin/bbig +github.com/microsoft/go-crypto-darwin/internal/cryptokit