import golang-1.19.4-1.module+el8.8.0+17628+80ec917c
This commit is contained in:
parent
8856a18b10
commit
c315dab3da
3
.gitignore
vendored
3
.gitignore
vendored
@ -1 +1,2 @@
|
||||
SOURCES/go1.19.2.tar.gz
|
||||
SOURCES/go1.19.4-1-openssl-fips.tar.gz
|
||||
SOURCES/go1.19.4.tar.gz
|
||||
|
@ -1 +1,2 @@
|
||||
1324ae800bf3b78c8cfda83fb9d69d7d46c51bf1 SOURCES/go1.19.2.tar.gz
|
||||
9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz
|
||||
6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz
|
||||
|
@ -1,829 +0,0 @@
|
||||
diff --git a/api/go1.19.txt b/api/go1.19.txt
|
||||
index 523f752..778e1d5 100644
|
||||
--- a/api/go1.19.txt
|
||||
+++ b/api/go1.19.txt
|
||||
@@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860
|
||||
pkg sync/atomic, type Uintptr struct #50860
|
||||
pkg time, method (Duration) Abs() Duration #51414
|
||||
pkg time, method (Time) ZoneBounds() (Time, Time) #50062
|
||||
+pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000
|
||||
+pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000
|
||||
diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
|
||||
index a0a41a5..208aa70 100644
|
||||
--- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
|
||||
+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
|
||||
@@ -21,11 +21,11 @@ go build .
|
||||
|
||||
go list -deps -f '{{.ImportPath}} {{.Dir}}' .
|
||||
stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
|
||||
-! stdout $GOROOT[/\\]src[/\\]vendor
|
||||
+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
|
||||
|
||||
go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
|
||||
stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
|
||||
-! stdout $GOROOT[/\\]src[/\\]vendor
|
||||
+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
|
||||
|
||||
-- issue16333/issue16333.go --
|
||||
package vendoring17
|
||||
diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
|
||||
new file mode 100644
|
||||
index 0000000..37f3a18
|
||||
--- /dev/null
|
||||
+++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
|
||||
@@ -0,0 +1,45 @@
|
||||
+package ecdsa
|
||||
+
|
||||
+import (
|
||||
+ "crypto"
|
||||
+ "crypto/internal/boring"
|
||||
+ "crypto/internal/randutil"
|
||||
+ "math/big"
|
||||
+ "io"
|
||||
+)
|
||||
+
|
||||
+func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
|
||||
+ randutil.MaybeReadByte(rand)
|
||||
+
|
||||
+ if boring.Enabled {
|
||||
+ b, err := boringPrivateKey(priv)
|
||||
+ if err != nil {
|
||||
+ return nil, nil, err
|
||||
+ }
|
||||
+ return boring.HashSignECDSA(b, msg, h)
|
||||
+ }
|
||||
+ boring.UnreachableExceptTests()
|
||||
+
|
||||
+ hash := h.New()
|
||||
+ hash.Write(msg)
|
||||
+ d := hash.Sum(nil)
|
||||
+
|
||||
+ return Sign(rand, priv, d)
|
||||
+}
|
||||
+
|
||||
+func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool {
|
||||
+ if boring.Enabled {
|
||||
+ bpk, err := boringPublicKey(pub)
|
||||
+ if err != nil {
|
||||
+ return false
|
||||
+ }
|
||||
+ return boring.HashVerifyECDSA(bpk, msg, r, s, h)
|
||||
+ }
|
||||
+ boring.UnreachableExceptTests()
|
||||
+
|
||||
+ hash := h.New()
|
||||
+ hash.Write(msg)
|
||||
+ d := hash.Sum(nil)
|
||||
+
|
||||
+ return Verify(pub, d, r, s)
|
||||
+}
|
||||
diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
|
||||
new file mode 100644
|
||||
index 0000000..d12ba2f
|
||||
--- /dev/null
|
||||
+++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
|
||||
@@ -0,0 +1,42 @@
|
||||
+package ecdsa
|
||||
+
|
||||
+import (
|
||||
+ "crypto"
|
||||
+ "crypto/internal/boring"
|
||||
+ "crypto/elliptic"
|
||||
+ "crypto/rand"
|
||||
+ "testing"
|
||||
+)
|
||||
+
|
||||
+func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
|
||||
+ priv, err := GenerateKey(c, rand.Reader)
|
||||
+ if priv == nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+
|
||||
+ msg := []byte("testing")
|
||||
+ h := crypto.SHA256
|
||||
+ r, s, err := HashSign(rand.Reader, priv, msg, h)
|
||||
+ if err != nil {
|
||||
+ t.Errorf("%s: error signing: %s", tag, err)
|
||||
+ return
|
||||
+ }
|
||||
+
|
||||
+ if !HashVerify(&priv.PublicKey, msg, r, s, h) {
|
||||
+ t.Errorf("%s: Verify failed", tag)
|
||||
+ }
|
||||
+
|
||||
+ msg[0] ^= 0xff
|
||||
+ if HashVerify(&priv.PublicKey, msg, r, s, h) {
|
||||
+ t.Errorf("%s: Verify should not have succeeded", tag)
|
||||
+ }
|
||||
+}
|
||||
+func TestHashSignAndHashVerify(t *testing.T) {
|
||||
+ testHashSignAndHashVerify(t, elliptic.P256(), "p256")
|
||||
+
|
||||
+ if testing.Short() && !boring.Enabled {
|
||||
+ return
|
||||
+ }
|
||||
+ testHashSignAndHashVerify(t, elliptic.P384(), "p384")
|
||||
+ testHashSignAndHashVerify(t, elliptic.P521(), "p521")
|
||||
+}
|
||||
diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
|
||||
index 7c51817..102c4e5 100644
|
||||
--- a/src/crypto/ed25519/ed25519_test.go
|
||||
+++ b/src/crypto/ed25519/ed25519_test.go
|
||||
@@ -187,6 +187,7 @@ func TestMalleability(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestAllocations(t *testing.T) {
|
||||
+ t.Skip("Allocations test broken with openssl linkage")
|
||||
if boring.Enabled {
|
||||
t.Skip("skipping allocations test with BoringCrypto")
|
||||
}
|
||||
diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
|
||||
index f933f28..223ce04 100644
|
||||
--- a/src/crypto/ed25519/ed25519vectors_test.go
|
||||
+++ b/src/crypto/ed25519/ed25519vectors_test.go
|
||||
@@ -72,6 +72,7 @@ func TestEd25519Vectors(t *testing.T) {
|
||||
}
|
||||
|
||||
func downloadEd25519Vectors(t *testing.T) []byte {
|
||||
+ t.Skip("skipping test that downloads external data")
|
||||
testenv.MustHaveExternalNetwork(t)
|
||||
|
||||
// Create a temp dir and modcache subdir.
|
||||
diff --git a/src/crypto/internal/backend/bbig/big.go b/src/crypto/internal/backend/bbig/big.go
|
||||
new file mode 100644
|
||||
index 0000000..c0800df
|
||||
--- /dev/null
|
||||
+++ b/src/crypto/internal/backend/bbig/big.go
|
||||
@@ -0,0 +1,38 @@
|
||||
+// Copyright 2022 The Go Authors. All rights reserved.
|
||||
+// Use of this source code is governed by a BSD-style
|
||||
+// license that can be found in the LICENSE file.
|
||||
+
|
||||
+// This is a mirror of crypto/internal/boring/bbig/big.go.
|
||||
+
|
||||
+package bbig
|
||||
+
|
||||
+import (
|
||||
+ "math/big"
|
||||
+ "unsafe"
|
||||
+
|
||||
+ "github.com/golang-fips/openssl-fips/openssl"
|
||||
+)
|
||||
+
|
||||
+func Enc(b *big.Int) openssl.BigInt {
|
||||
+ if b == nil {
|
||||
+ return nil
|
||||
+ }
|
||||
+ x := b.Bits()
|
||||
+ if len(x) == 0 {
|
||||
+ return openssl.BigInt{}
|
||||
+ }
|
||||
+ // TODO: Use unsafe.Slice((*uint)(&x[0]), len(x)) once go1.16 is no longer supported.
|
||||
+ return (*(*[]uint)(unsafe.Pointer(&x)))[:len(x)]
|
||||
+}
|
||||
+
|
||||
+func Dec(b openssl.BigInt) *big.Int {
|
||||
+ if b == nil {
|
||||
+ return nil
|
||||
+ }
|
||||
+ if len(b) == 0 {
|
||||
+ return new(big.Int)
|
||||
+ }
|
||||
+ // TODO: Use unsafe.Slice((*uint)(&b[0]), len(b)) once go1.16 is no longer supported.
|
||||
+ x := (*(*[]big.Word)(unsafe.Pointer(&b)))[:len(b)]
|
||||
+ return new(big.Int).SetBits(x)
|
||||
+}
|
||||
diff --git a/src/crypto/internal/backend/dummy.s b/src/crypto/internal/backend/dummy.s
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
|
||||
new file mode 100644
|
||||
index 0000000..482ed6f
|
||||
--- /dev/null
|
||||
+++ b/src/crypto/internal/backend/nobackend.go
|
||||
@@ -0,0 +1,155 @@
|
||||
+// Copyright 2017 The Go Authors. All rights reserved.
|
||||
+// Use of this source code is governed by a BSD-style
|
||||
+// license that can be found in the LICENSE file.
|
||||
+
|
||||
+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
|
||||
+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
|
||||
+
|
||||
+package backend
|
||||
+
|
||||
+import (
|
||||
+ "crypto"
|
||||
+ "crypto/cipher"
|
||||
+ "crypto/internal/boring/sig"
|
||||
+ "math/big"
|
||||
+ "github.com/golang-fips/openssl-fips/openssl"
|
||||
+ "hash"
|
||||
+ "io"
|
||||
+)
|
||||
+
|
||||
+var enabled = false
|
||||
+
|
||||
+// Unreachable marks code that should be unreachable
|
||||
+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
|
||||
+func Unreachable() {
|
||||
+ // Code that's unreachable when using BoringCrypto
|
||||
+ // is exactly the code we want to detect for reporting
|
||||
+ // standard Go crypto.
|
||||
+ sig.StandardCrypto()
|
||||
+}
|
||||
+
|
||||
+// UnreachableExceptTests marks code that should be unreachable
|
||||
+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
|
||||
+func UnreachableExceptTests() {}
|
||||
+
|
||||
+func ExecutingTest() bool { return false }
|
||||
+
|
||||
+// This is a noop withotu BoringCrytpo.
|
||||
+func PanicIfStrictFIPS(v interface{}) {}
|
||||
+
|
||||
+type randReader int
|
||||
+
|
||||
+func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
|
||||
+
|
||||
+const RandReader = randReader(0)
|
||||
+
|
||||
+func Enabled() bool { return false }
|
||||
+func NewSHA1() hash.Hash { panic("boringcrypto: not available") }
|
||||
+func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
|
||||
+func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
|
||||
+func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
|
||||
+func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
|
||||
+func SHA1(_ []byte) [20]byte { panic("boringcrypto: not available") }
|
||||
+func SHA224(_ []byte) [28]byte { panic("boringcrypto: not available") }
|
||||
+func SHA256(_ []byte) [32]byte { panic("boringcrypto: not available") }
|
||||
+func SHA384(_ []byte) [48]byte { panic("boringcrypto: not available") }
|
||||
+func SHA512(_ []byte) [64]byte { panic("boringcrypto: not available") }
|
||||
+
|
||||
+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
|
||||
+
|
||||
+func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
|
||||
+
|
||||
+type PublicKeyECDSA struct{ _ int }
|
||||
+type PrivateKeyECDSA struct{ _ int }
|
||||
+
|
||||
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func GenerateKeyECDSA(curve string) (X, Y, D openssl.BigInt, err error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPrivateKeyECDSA(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDSA, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPublicKeyECDSA(curve string, X, Y openssl.BigInt) (*PublicKeyECDSA, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s openssl.BigInt, err error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func VerifyECDSA(pub *PublicKeyECDSA, hash, sig []byte) bool {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+
|
||||
+type PublicKeyECDH struct{ _ int }
|
||||
+type PrivateKeyECDH struct{ _ int }
|
||||
+
|
||||
+func GenerateKeyECDH(curve string) (X, Y, D openssl.BigInt, err error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPrivateKeyECDH(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDH, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPublicKeyECDH(curve string, X, Y openssl.BigInt) (*PublicKeyECDH, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+
|
||||
+type PublicKeyRSA struct{ _ int }
|
||||
+type PrivateKeyRSA struct{ _ int }
|
||||
+
|
||||
+func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt, err error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt) (*PrivateKeyRSA, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func NewPublicKeyRSA(N, E openssl.BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
|
||||
+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+
|
||||
+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
+func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
|
||||
+ panic("boringcrypto: not available")
|
||||
+}
|
||||
diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
|
||||
new file mode 100644
|
||||
index 0000000..4040c77
|
||||
--- /dev/null
|
||||
+++ b/src/crypto/internal/backend/openssl.go
|
||||
@@ -0,0 +1,105 @@
|
||||
+// Copyright 2017 The Go Authors. All rights reserved.
|
||||
+// Use of this source code is governed by a BSD-style
|
||||
+// license that can be found in the LICENSE file.
|
||||
+
|
||||
+//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
|
||||
+// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
|
||||
+
|
||||
+// Package openssl provides access to OpenSSLCrypto implementation functions.
|
||||
+// Check the variable Enabled to find out whether OpenSSLCrypto is available.
|
||||
+// If OpenSSLCrypto is not available, the functions in this package all panic.
|
||||
+package backend
|
||||
+
|
||||
+import (
|
||||
+ "github.com/golang-fips/openssl-fips/openssl"
|
||||
+)
|
||||
+
|
||||
+// Enabled controls whether FIPS crypto is enabled.
|
||||
+var Enabled = openssl.Enabled
|
||||
+
|
||||
+// Unreachable marks code that should be unreachable
|
||||
+// when OpenSSLCrypto is in use. It panics only when
|
||||
+// the system is in FIPS mode.
|
||||
+func Unreachable() {
|
||||
+ if Enabled() {
|
||||
+ panic("opensslcrypto: invalid code execution")
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// Provided by runtime.crypto_backend_runtime_arg0 to avoid os import.
|
||||
+func runtime_arg0() string
|
||||
+
|
||||
+func hasSuffix(s, t string) bool {
|
||||
+ return len(s) > len(t) && s[len(s)-len(t):] == t
|
||||
+}
|
||||
+
|
||||
+// UnreachableExceptTests marks code that should be unreachable
|
||||
+// when OpenSSLCrypto is in use. It panics.
|
||||
+func UnreachableExceptTests() {
|
||||
+ name := runtime_arg0()
|
||||
+ // If OpenSSLCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
|
||||
+ if Enabled() && !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
|
||||
+ println("opensslcrypto: unexpected code execution in", name)
|
||||
+ panic("opensslcrypto: invalid code execution")
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+var ExecutingTest = openssl.ExecutingTest
|
||||
+
|
||||
+const RandReader = openssl.RandReader
|
||||
+
|
||||
+var NewGCMTLS = openssl.NewGCMTLS
|
||||
+var NewSHA1 = openssl.NewSHA1
|
||||
+var NewSHA224 = openssl.NewSHA224
|
||||
+var NewSHA256 = openssl.NewSHA256
|
||||
+var NewSHA384 = openssl.NewSHA384
|
||||
+var NewSHA512 = openssl.NewSHA512
|
||||
+
|
||||
+var SHA1 = openssl.SHA1
|
||||
+var SHA224 = openssl.SHA224
|
||||
+var SHA256 = openssl.SHA256
|
||||
+var SHA384 = openssl.SHA384
|
||||
+var SHA512 = openssl.SHA512
|
||||
+
|
||||
+var NewHMAC = openssl.NewHMAC
|
||||
+
|
||||
+var NewAESCipher = openssl.NewAESCipher
|
||||
+
|
||||
+type PublicKeyECDSA = openssl.PublicKeyECDSA
|
||||
+type PrivateKeyECDSA = openssl.PrivateKeyECDSA
|
||||
+
|
||||
+var GenerateKeyECDSA = openssl.GenerateKeyECDSA
|
||||
+var NewPrivateKeyECDSA = openssl.NewPrivateKeyECDSA
|
||||
+var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
|
||||
+var SignMarshalECDSA = openssl.SignMarshalECDSA
|
||||
+var VerifyECDSA = openssl.VerifyECDSA
|
||||
+var HashVerifyECDSA = openssl.HashVerifyECDSA
|
||||
+var HashSignECDSA = openssl.HashSignECDSA
|
||||
+
|
||||
+type PublicKeyECDH = openssl.PublicKeyECDH
|
||||
+type PrivateKeyECDH = openssl.PrivateKeyECDH
|
||||
+
|
||||
+var GenerateKeyECDH = openssl.GenerateKeyECDH
|
||||
+var NewPrivateKeyECDH = openssl.NewPrivateKeyECDH
|
||||
+var NewPublicKeyECDH = openssl.NewPublicKeyECDH
|
||||
+var SharedKeyECDH = openssl.SharedKeyECDH
|
||||
+
|
||||
+type PublicKeyRSA = openssl.PublicKeyRSA
|
||||
+type PrivateKeyRSA = openssl.PrivateKeyRSA
|
||||
+
|
||||
+var DecryptRSAOAEP = openssl.DecryptRSAOAEP
|
||||
+var DecryptRSAPKCS1 = openssl.DecryptRSAPKCS1
|
||||
+var DecryptRSANoPadding = openssl.DecryptRSANoPadding
|
||||
+var EncryptRSAOAEP = openssl.EncryptRSAOAEP
|
||||
+var EncryptRSAPKCS1 = openssl.EncryptRSAPKCS1
|
||||
+var EncryptRSANoPadding = openssl.EncryptRSANoPadding
|
||||
+var GenerateKeyRSA = openssl.GenerateKeyRSA
|
||||
+var NewPrivateKeyRSA = openssl.NewPrivateKeyRSA
|
||||
+var NewPublicKeyRSA = openssl.NewPublicKeyRSA
|
||||
+var SignRSAPKCS1v15 = openssl.SignRSAPKCS1v15
|
||||
+var SignRSAPSS = openssl.SignRSAPSS
|
||||
+var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
|
||||
+var VerifyRSAPSS = openssl.VerifyRSAPSS
|
||||
+
|
||||
+var ExtractHKDF = openssl.ExtractHKDF
|
||||
+var ExpandHKDF = openssl.ExpandHKDF
|
||||
diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
|
||||
index 1827f76..4c5c352 100644
|
||||
--- a/src/crypto/tls/boring.go
|
||||
+++ b/src/crypto/tls/boring.go
|
||||
@@ -8,8 +8,15 @@ package tls
|
||||
|
||||
import (
|
||||
"crypto/internal/boring/fipstls"
|
||||
+ boring "crypto/internal/backend"
|
||||
)
|
||||
|
||||
+func init() {
|
||||
+ if boring.Enabled && !boring.ExecutingTest() {
|
||||
+ fipstls.Force()
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
// needFIPS returns fipstls.Required(); it avoids a new import in common.go.
|
||||
func needFIPS() bool {
|
||||
return fipstls.Required()
|
||||
@@ -17,14 +24,14 @@ func needFIPS() bool {
|
||||
|
||||
// fipsMinVersion replaces c.minVersion in FIPS-only mode.
|
||||
func fipsMinVersion(c *Config) uint16 {
|
||||
- // FIPS requires TLS 1.2.
|
||||
+ // FIPS requires TLS 1.2 or later.
|
||||
return VersionTLS12
|
||||
}
|
||||
|
||||
// fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
|
||||
func fipsMaxVersion(c *Config) uint16 {
|
||||
- // FIPS requires TLS 1.2.
|
||||
- return VersionTLS12
|
||||
+ // FIPS requires TLS 1.2 or later.
|
||||
+ return VersionTLS13
|
||||
}
|
||||
|
||||
// default defaultFIPSCurvePreferences is the FIPS-allowed curves,
|
||||
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
|
||||
index f743fc8..9fec2c8 100644
|
||||
--- a/src/crypto/tls/boring_test.go
|
||||
+++ b/src/crypto/tls/boring_test.go
|
||||
@@ -51,11 +51,11 @@ func TestBoringServerProtocolVersion(t *testing.T) {
|
||||
test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
|
||||
test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
|
||||
test("VersionTLS12", VersionTLS12, "")
|
||||
- test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
|
||||
+ test("VersionTLS13", VersionTLS13, "")
|
||||
}
|
||||
|
||||
func isBoringVersion(v uint16) bool {
|
||||
- return v == VersionTLS12
|
||||
+ return v == VersionTLS12 || v == VersionTLS13
|
||||
}
|
||||
|
||||
func isBoringCipherSuite(id uint16) bool {
|
||||
@@ -65,7 +65,9 @@ func isBoringCipherSuite(id uint16) bool {
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||
- TLS_RSA_WITH_AES_256_GCM_SHA384:
|
||||
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||
+ TLS_AES_128_GCM_SHA256,
|
||||
+ TLS_AES_256_GCM_SHA384:
|
||||
return true
|
||||
}
|
||||
return false
|
||||
@@ -311,7 +313,7 @@ func TestBoringCertAlgs(t *testing.T) {
|
||||
// Set up some roots, intermediate CAs, and leaf certs with various algorithms.
|
||||
// X_Y is X signed by Y.
|
||||
R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
|
||||
- R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
|
||||
+ R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
|
||||
|
||||
M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
|
||||
M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
|
||||
diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
|
||||
index 9a1fa31..f7c64db 100644
|
||||
--- a/src/crypto/tls/cipher_suites.go
|
||||
+++ b/src/crypto/tls/cipher_suites.go
|
||||
@@ -354,6 +354,11 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
|
||||
TLS_AES_256_GCM_SHA384,
|
||||
}
|
||||
|
||||
+var defaultFIPSCipherSuitesTLS13 = []uint16{
|
||||
+ TLS_AES_128_GCM_SHA256,
|
||||
+ TLS_AES_256_GCM_SHA384,
|
||||
+}
|
||||
+
|
||||
var (
|
||||
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
|
||||
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
|
||||
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
|
||||
index e61e3eb..7031ab8 100644
|
||||
--- a/src/crypto/tls/handshake_client.go
|
||||
+++ b/src/crypto/tls/handshake_client.go
|
||||
@@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
|
||||
|
||||
var params ecdheParameters
|
||||
if hello.supportedVersions[0] == VersionTLS13 {
|
||||
- if hasAESGCMHardwareSupport {
|
||||
+ if needFIPS() {
|
||||
+ hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)
|
||||
+ } else if hasAESGCMHardwareSupport {
|
||||
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
|
||||
} else {
|
||||
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)
|
||||
diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
|
||||
index 380de9f..02b4ac8 100644
|
||||
--- a/src/crypto/tls/handshake_client_test.go
|
||||
+++ b/src/crypto/tls/handshake_client_test.go
|
||||
@@ -2135,6 +2135,7 @@ func testBuffering(t *testing.T, version uint16) {
|
||||
}
|
||||
|
||||
func TestAlertFlushing(t *testing.T) {
|
||||
+ t.Skip("unsupported in FIPS mode, different error returned")
|
||||
c, s := localPipe(t)
|
||||
done := make(chan bool)
|
||||
|
||||
diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
|
||||
index c798986..7a60702 100644
|
||||
--- a/src/crypto/tls/handshake_client_tls13.go
|
||||
+++ b/src/crypto/tls/handshake_client_tls13.go
|
||||
@@ -41,10 +41,6 @@ type clientHandshakeStateTLS13 struct {
|
||||
func (hs *clientHandshakeStateTLS13) handshake() error {
|
||||
c := hs.c
|
||||
|
||||
- if needFIPS() {
|
||||
- return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
||||
- }
|
||||
-
|
||||
// The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
|
||||
// sections 4.1.2 and 4.1.3.
|
||||
if c.handshakes > 0 {
|
||||
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
|
||||
index 03a477f..1ef6afc 100644
|
||||
--- a/src/crypto/tls/handshake_server_tls13.go
|
||||
+++ b/src/crypto/tls/handshake_server_tls13.go
|
||||
@@ -45,10 +45,6 @@ type serverHandshakeStateTLS13 struct {
|
||||
func (hs *serverHandshakeStateTLS13) handshake() error {
|
||||
c := hs.c
|
||||
|
||||
- if needFIPS() {
|
||||
- return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
|
||||
- }
|
||||
-
|
||||
// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
|
||||
if err := hs.processClientHello(); err != nil {
|
||||
return err
|
||||
diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
|
||||
index 3140169..323d683 100644
|
||||
--- a/src/crypto/tls/key_schedule.go
|
||||
+++ b/src/crypto/tls/key_schedule.go
|
||||
@@ -7,6 +7,8 @@ package tls
|
||||
import (
|
||||
"crypto/elliptic"
|
||||
"crypto/hmac"
|
||||
+ "crypto/internal/boring"
|
||||
+ "crypto/internal/boring/bbig"
|
||||
"errors"
|
||||
"hash"
|
||||
"io"
|
||||
@@ -43,9 +45,20 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
|
||||
b.AddBytes(context)
|
||||
})
|
||||
out := make([]byte, length)
|
||||
- n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
|
||||
- if err != nil || n != length {
|
||||
- panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
|
||||
+ if boring.Enabled {
|
||||
+ reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic())
|
||||
+ if err != nil {
|
||||
+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
|
||||
+ }
|
||||
+ n, err := reader.Read(out)
|
||||
+ if err != nil || n != length {
|
||||
+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
|
||||
+ }
|
||||
+ } else {
|
||||
+ n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
|
||||
+ if err != nil || n != length {
|
||||
+ panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
|
||||
+ }
|
||||
}
|
||||
return out
|
||||
}
|
||||
@@ -63,7 +76,15 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
|
||||
if newSecret == nil {
|
||||
newSecret = make([]byte, c.hash.Size())
|
||||
}
|
||||
- return hkdf.Extract(c.hash.New, newSecret, currentSecret)
|
||||
+ if boring.Enabled {
|
||||
+ ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret)
|
||||
+ if err != nil {
|
||||
+ panic("tls: HKDF-Extract invocation failed unexpectedly")
|
||||
+ }
|
||||
+ return ikm
|
||||
+ } else {
|
||||
+ return hkdf.Extract(c.hash.New, newSecret, currentSecret)
|
||||
+ }
|
||||
}
|
||||
|
||||
// nextTrafficSecret generates the next traffic secret, given the current one,
|
||||
@@ -129,9 +150,19 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
|
||||
|
||||
p := &nistParameters{curveID: curveID}
|
||||
var err error
|
||||
- p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
|
||||
- if err != nil {
|
||||
- return nil, err
|
||||
+ if boring.Enabled {
|
||||
+ x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name)
|
||||
+ if err != nil {
|
||||
+ return nil, err
|
||||
+ }
|
||||
+ p.x = bbig.Dec(x)
|
||||
+ p.y = bbig.Dec(y)
|
||||
+ p.privateKey = bbig.Dec(d).Bytes()
|
||||
+ } else {
|
||||
+ p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
|
||||
+ if err != nil {
|
||||
+ return nil, err
|
||||
+ }
|
||||
}
|
||||
return p, nil
|
||||
}
|
||||
@@ -166,15 +197,28 @@ func (p *nistParameters) PublicKey() []byte {
|
||||
|
||||
func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
|
||||
curve, _ := curveForCurveID(p.curveID)
|
||||
- // Unmarshal also checks whether the given point is on the curve.
|
||||
- x, y := elliptic.Unmarshal(curve, peerPublicKey)
|
||||
- if x == nil {
|
||||
- return nil
|
||||
- }
|
||||
+ if boring.Enabled {
|
||||
+ k := new(big.Int).SetBytes(p.privateKey)
|
||||
+ priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k))
|
||||
+ if err != nil {
|
||||
+ return nil
|
||||
+ }
|
||||
+ sharedKey, err := boring.SharedKeyECDH(priv, peerPublicKey)
|
||||
+ if err != nil {
|
||||
+ return nil
|
||||
+ }
|
||||
+ return sharedKey
|
||||
+ } else {
|
||||
+ // Unmarshal also checks whether the given point is on the curve.
|
||||
+ x, y := elliptic.Unmarshal(curve, peerPublicKey)
|
||||
+ if x == nil {
|
||||
+ return nil
|
||||
+ }
|
||||
|
||||
- xShared, _ := curve.ScalarMult(x, y, p.privateKey)
|
||||
- sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
|
||||
- return xShared.FillBytes(sharedKey)
|
||||
+ xShared, _ := curve.ScalarMult(x, y, p.privateKey)
|
||||
+ sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
|
||||
+ return xShared.FillBytes(sharedKey)
|
||||
+ }
|
||||
}
|
||||
|
||||
type x25519Parameters struct {
|
||||
diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
|
||||
index 4aae905..42706f9 100644
|
||||
--- a/src/crypto/x509/boring.go
|
||||
+++ b/src/crypto/x509/boring.go
|
||||
@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
|
||||
default:
|
||||
return false
|
||||
case *rsa.PublicKey:
|
||||
- if size := k.N.BitLen(); size != 2048 && size != 3072 {
|
||||
+ if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
|
||||
return false
|
||||
}
|
||||
case *ecdsa.PublicKey:
|
||||
diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
|
||||
index 7010f44..70021f3 100644
|
||||
--- a/src/crypto/x509/boring_test.go
|
||||
+++ b/src/crypto/x509/boring_test.go
|
||||
@@ -54,7 +54,7 @@ type boringCertificate struct {
|
||||
|
||||
func TestBoringAllowCert(t *testing.T) {
|
||||
R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
|
||||
- R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
|
||||
+ R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
|
||||
|
||||
M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
|
||||
M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
|
||||
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
|
||||
index 141fdb9..d8e81d9 100644
|
||||
--- a/src/go/build/deps_test.go
|
||||
+++ b/src/go/build/deps_test.go
|
||||
@@ -414,19 +414,23 @@ var depsRules = `
|
||||
< crypto/internal/edwards25519
|
||||
< crypto/cipher;
|
||||
|
||||
- crypto/cipher,
|
||||
+ fmt, crypto/cipher,
|
||||
crypto/internal/boring/bcache
|
||||
< crypto/internal/boring
|
||||
+ < github.com/golang-fips/openssl-fips/openssl
|
||||
+ < crypto/internal/backend
|
||||
< crypto/boring
|
||||
< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
|
||||
crypto/sha1, crypto/sha256, crypto/sha512
|
||||
< CRYPTO;
|
||||
|
||||
- CGO, fmt, net !< CRYPTO;
|
||||
+ CGO, net !< CRYPTO;
|
||||
|
||||
# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
|
||||
CRYPTO, FMT, math/big, embed
|
||||
+ < github.com/golang-fips/openssl-fips/openssl/bbig
|
||||
< crypto/internal/boring/bbig
|
||||
+ < crypto/internal/backend/bbig
|
||||
< crypto/internal/randutil
|
||||
< crypto/rand
|
||||
< crypto/ed25519
|
||||
@@ -601,6 +605,7 @@ func listStdPkgs(goroot string) ([]string, error) {
|
||||
}
|
||||
|
||||
func TestDependencies(t *testing.T) {
|
||||
+ t.Skip("openssl-fips based toolchain has different dependencies than upstream")
|
||||
if !testenv.HasSrc() {
|
||||
// Tests run in a limited file system and we do not
|
||||
// provide access to every source file.
|
||||
@@ -644,7 +649,7 @@ var buildIgnore = []byte("\n//go:build ignore")
|
||||
|
||||
func findImports(pkg string) ([]string, error) {
|
||||
vpkg := pkg
|
||||
- if strings.HasPrefix(pkg, "golang.org") {
|
||||
+ if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
|
||||
vpkg = "vendor/" + pkg
|
||||
}
|
||||
dir := filepath.Join(Default.GOROOT, "src", vpkg)
|
||||
@@ -654,7 +659,7 @@ func findImports(pkg string) ([]string, error) {
|
||||
}
|
||||
var imports []string
|
||||
var haveImport = map[string]bool{}
|
||||
- if pkg == "crypto/internal/boring" {
|
||||
+ if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl-fips/openssl" {
|
||||
haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
|
||||
}
|
||||
fset := token.NewFileSet()
|
||||
diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
|
||||
index 5a98b20..dc25cdc 100644
|
||||
--- a/src/runtime/runtime_boring.go
|
||||
+++ b/src/runtime/runtime_boring.go
|
||||
@@ -17,3 +17,8 @@ func boring_runtime_arg0() string {
|
||||
|
||||
//go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0
|
||||
func fipstls_runtime_arg0() string { return boring_runtime_arg0() }
|
||||
+
|
||||
+//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0
|
||||
+func crypto_backend_runtime_arg0() string {
|
||||
+ return boring_runtime_arg0()
|
||||
+}
|
||||
\ No newline at end of file
|
File diff suppressed because it is too large
Load Diff
@ -1,348 +0,0 @@
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
|
||||
index b3501400e0..5e1e789da0 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
|
||||
@@ -131,7 +131,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
|
||||
func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
|
||||
size := C._goboringcrypto_ECDSA_size(priv.key)
|
||||
sig := make([]byte, size)
|
||||
- var sigLen C.uint
|
||||
+ var sigLen C.size_t
|
||||
md := cryptoHashToMD(h)
|
||||
if md == nil {
|
||||
panic("boring: invalid hash")
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
|
||||
index 411fefdf78..217b320e4a 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
|
||||
@@ -218,10 +218,16 @@ DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
|
||||
DEFINEFUNC(const GO_EVP_MD *, EVP_md_null, (void), ())
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
|
||||
+DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
|
||||
+static inline int
|
||||
+_goboringcrypto_EVP_MD_get_size(const GO_EVP_MD *arg0)
|
||||
+{
|
||||
+ return _goboringcrypto_internal_EVP_MD_size(arg0);
|
||||
+}
|
||||
#else
|
||||
DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
|
||||
+DEFINEFUNC(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
|
||||
#endif
|
||||
-DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
|
||||
DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
|
||||
|
||||
# include <openssl/md5.h>
|
||||
@@ -275,26 +281,16 @@ DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
static inline size_t
|
||||
_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
|
||||
- return _goboringcrypto_internal_EVP_MD_size(arg0->md);
|
||||
+ return _goboringcrypto_EVP_MD_get_size(arg0->md);
|
||||
}
|
||||
#else
|
||||
DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
|
||||
-# if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
-static inline size_t
|
||||
-_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
|
||||
- const EVP_MD* md;
|
||||
- md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
|
||||
- return _goboringcrypto_internal_EVP_MD_size(md);
|
||||
-}
|
||||
-# else
|
||||
-DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
|
||||
static inline size_t
|
||||
_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
|
||||
const EVP_MD* md;
|
||||
md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
|
||||
- return _goboringcrypto_internal_EVP_MD_get_size(md);
|
||||
+ return _goboringcrypto_EVP_MD_get_size(md);
|
||||
}
|
||||
-# endif
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
@@ -370,6 +366,7 @@ DEFINEFUNC(unsigned int, BN_num_bits, (const GO_BIGNUM *arg0), (arg0))
|
||||
DEFINEFUNC(int, BN_is_negative, (const GO_BIGNUM *arg0), (arg0))
|
||||
DEFINEFUNC(GO_BIGNUM *, BN_bin2bn, (const uint8_t *arg0, size_t arg1, GO_BIGNUM *arg2), (arg0, arg1, arg2))
|
||||
DEFINEFUNC(GO_BIGNUM *, BN_lebin2bn, (const unsigned char *s, size_t len, BIGNUM *ret), (s, len, ret))
|
||||
+DEFINEFUNC(int, BN_bn2binpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
|
||||
DEFINEFUNC(int, BN_bn2lebinpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
|
||||
|
||||
static inline unsigned int
|
||||
@@ -418,7 +415,7 @@ typedef ECDSA_SIG GO_ECDSA_SIG;
|
||||
DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_SIG_new, (void), ())
|
||||
DEFINEFUNC(void, ECDSA_SIG_free, (GO_ECDSA_SIG * arg0), (arg0))
|
||||
DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_do_sign, (const uint8_t *arg0, size_t arg1, const GO_EC_KEY *arg2), (arg0, arg1, arg2))
|
||||
-DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, const GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
|
||||
+DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
|
||||
DEFINEFUNC(size_t, ECDSA_size, (const GO_EC_KEY *arg0), (arg0))
|
||||
|
||||
DEFINEFUNCINTERNAL(int, ECDSA_sign,
|
||||
@@ -453,25 +450,25 @@ _goboringcrypto_EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *rsa) {
|
||||
}
|
||||
|
||||
DEFINEFUNC(int, EVP_DigestSignInit,
|
||||
- (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
|
||||
+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
|
||||
(ctx, pctx, type, e, pkey))
|
||||
|
||||
DEFINEFUNC(int, EVP_DigestUpdate,
|
||||
(EVP_MD_CTX* ctx, const void *d, size_t cnt),
|
||||
(ctx, d, cnt))
|
||||
DEFINEFUNC(int, EVP_DigestSignFinal,
|
||||
- (EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
|
||||
+ (EVP_MD_CTX* ctx, unsigned char *sig, size_t *siglen),
|
||||
(ctx, sig, siglen))
|
||||
|
||||
DEFINEFUNC(int, EVP_DigestVerifyInit,
|
||||
- (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
|
||||
+ (EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
|
||||
(ctx, pctx, type, e, pkey))
|
||||
DEFINEFUNC(int, EVP_DigestVerifyFinal,
|
||||
(EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
|
||||
(ctx, sig, siglen))
|
||||
|
||||
typedef RSA GO_RSA;
|
||||
-int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
|
||||
+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
|
||||
int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
|
||||
size_t msgLen, uint8_t *sig, size_t *slen,
|
||||
GO_RSA *key);
|
||||
@@ -490,7 +487,7 @@ static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
|
||||
DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
|
||||
#endif
|
||||
|
||||
-int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
|
||||
+int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, size_t *arg4, GO_EC_KEY *arg5);
|
||||
int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
|
||||
|
||||
#include <openssl/rsa.h>
|
||||
@@ -498,7 +495,7 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
|
||||
// Note: order of struct fields here is unchecked.
|
||||
typedef BN_GENCB GO_BN_GENCB;
|
||||
|
||||
-int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
|
||||
+int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
|
||||
int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
|
||||
|
||||
DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
|
||||
@@ -800,10 +797,10 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
|
||||
}
|
||||
|
||||
DEFINEFUNC(int, EVP_PKEY_decrypt,
|
||||
- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
|
||||
+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
|
||||
(arg0, arg1, arg2, arg3, arg4))
|
||||
DEFINEFUNC(int, EVP_PKEY_encrypt,
|
||||
- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
|
||||
+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
|
||||
(arg0, arg1, arg2, arg3, arg4))
|
||||
DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
|
||||
DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
|
||||
index 86d7c6c212..2f45dabca2 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
|
||||
@@ -14,6 +14,7 @@ package openssl
|
||||
*/
|
||||
import "C"
|
||||
import (
|
||||
+ "encoding/binary"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math/bits"
|
||||
@@ -184,25 +185,73 @@ type fail string
|
||||
|
||||
func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
|
||||
|
||||
-func wbase(b BigInt) *C.uint8_t {
|
||||
- if len(b) == 0 {
|
||||
- return nil
|
||||
+const wordBytes = bits.UintSize / 8
|
||||
+
|
||||
+// These two functions were copied from `math/big` package, which
|
||||
+// defines `big.Int` with a similar representation.
|
||||
+func (z BigInt) writeBytes(buf []byte) (i int) {
|
||||
+ i = len(buf)
|
||||
+ for _, d := range z {
|
||||
+ for j := 0; j < wordBytes; j++ {
|
||||
+ i--
|
||||
+ if i >= 0 {
|
||||
+ buf[i] = byte(d)
|
||||
+ } else if byte(d) != 0 {
|
||||
+ panic("boringcrypto: buffer too small to fit value")
|
||||
+ }
|
||||
+ d >>= 8
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if i < 0 {
|
||||
+ i = 0
|
||||
+ }
|
||||
+ for i < len(buf) && buf[i] == 0 {
|
||||
+ i++
|
||||
}
|
||||
- return (*C.uint8_t)(unsafe.Pointer(&b[0]))
|
||||
+
|
||||
+ return
|
||||
}
|
||||
|
||||
-const wordBytes = bits.UintSize / 8
|
||||
+func bytesToBig(buf []byte) BigInt {
|
||||
+ z := make(BigInt, (len(buf) + wordBytes - 1) / wordBytes)
|
||||
+ i := len(buf)
|
||||
+ for k := 0; i >= wordBytes; k++ {
|
||||
+ if bits.UintSize == 64 {
|
||||
+ z[k] = uint(binary.BigEndian.Uint64(buf[i-wordBytes : i]))
|
||||
+ } else {
|
||||
+ z[k] = uint(binary.BigEndian.Uint32(buf[i-wordBytes : i]))
|
||||
+ }
|
||||
+ i -= wordBytes
|
||||
+ }
|
||||
+ if i > 0 {
|
||||
+ var d uint
|
||||
+ for s := uint(0); i > 0; s += 8 {
|
||||
+ d |= uint(buf[i-1]) << s
|
||||
+ i--
|
||||
+ }
|
||||
+ z[len(z)-1] = d
|
||||
+ }
|
||||
+
|
||||
+ i = len(z)
|
||||
+ for i > 0 && z[i-1] == 0 {
|
||||
+ i--
|
||||
+ }
|
||||
+ return z[0:i]
|
||||
+}
|
||||
|
||||
func bigToBN(x BigInt) *C.GO_BIGNUM {
|
||||
- return C._goboringcrypto_BN_lebin2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
|
||||
+ buf := make([]byte, len(x)*wordBytes)
|
||||
+ buf = buf[x.writeBytes(buf):]
|
||||
+ return C._goboringcrypto_BN_bin2bn(base(buf), C.size_t(len(buf)), nil)
|
||||
}
|
||||
|
||||
func bnToBig(bn *C.GO_BIGNUM) BigInt {
|
||||
- x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
|
||||
- if C._goboringcrypto_BN_bn2lebinpad(bn, wbase(x), C.size_t(len(x)*wordBytes)) == 0 {
|
||||
+ buf := make([]byte, C._goboringcrypto_BN_num_bytes(bn))
|
||||
+ if C._goboringcrypto_BN_bn2binpad(bn, base(buf), C.size_t(len(buf))) == 0 {
|
||||
panic("boringcrypto: bignum conversion failed")
|
||||
}
|
||||
- return x
|
||||
+ return bytesToBig(buf)
|
||||
}
|
||||
|
||||
func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool {
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
|
||||
index 2349db1fd9..714d18f1e8 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
|
||||
@@ -7,7 +7,7 @@
|
||||
#include "goopenssl.h"
|
||||
|
||||
int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *msg, size_t msgLen,
|
||||
- uint8_t *sig, unsigned int *slen,
|
||||
+ uint8_t *sig, size_t *slen,
|
||||
GO_EC_KEY *eckey) {
|
||||
int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
|
||||
index 43790198c6..76bac5bc01 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
|
||||
@@ -7,7 +7,7 @@
|
||||
#include "goopenssl.h"
|
||||
|
||||
int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
|
||||
- size_t msgLen, uint8_t *sig, unsigned int *slen,
|
||||
+ size_t msgLen, uint8_t *sig, size_t *slen,
|
||||
EVP_PKEY *key) {
|
||||
EVP_MD_CTX *mdctx = NULL;
|
||||
int ret = 0;
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
|
||||
index 28241470f5..bf39656b45 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
|
||||
@@ -21,7 +21,7 @@ int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
|
||||
}
|
||||
|
||||
int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(
|
||||
- GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
|
||||
+ GO_RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
|
||||
const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md,
|
||||
int salt_len) {
|
||||
EVP_PKEY_CTX *ctx;
|
||||
@@ -184,7 +184,7 @@ err:
|
||||
|
||||
int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
|
||||
unsigned int msgLen, uint8_t *sig,
|
||||
- unsigned int *slen, RSA *rsa) {
|
||||
+ size_t *slen, RSA *rsa) {
|
||||
int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
if (!key) {
|
||||
@@ -216,4 +216,4 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
|
||||
err:
|
||||
_goboringcrypto_EVP_PKEY_free(key);
|
||||
return result;
|
||||
-}
|
||||
\ No newline at end of file
|
||||
+}
|
||||
diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
|
||||
index 915c840834..f48c57adff 100644
|
||||
--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
|
||||
+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
|
||||
@@ -199,7 +199,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
|
||||
init func(*C.GO_EVP_PKEY_CTX) C.int,
|
||||
- crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
|
||||
+ crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.size_t) C.int,
|
||||
in []byte) ([]byte, error) {
|
||||
|
||||
pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
|
||||
@@ -209,12 +209,12 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
defer C._goboringcrypto_EVP_PKEY_free(pkey)
|
||||
defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
|
||||
|
||||
- var outLen C.uint
|
||||
- if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
|
||||
+ var outLen C.size_t
|
||||
+ if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 {
|
||||
return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
|
||||
}
|
||||
out := make([]byte, outLen)
|
||||
- if crypt(ctx, base(out), &outLen, base(in), C.uint(len(in))) <= 0 {
|
||||
+ if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) <= 0 {
|
||||
return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
|
||||
}
|
||||
return out[:outLen], nil
|
||||
@@ -250,7 +250,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
|
||||
return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
|
||||
}
|
||||
|
||||
-func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
|
||||
+func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
|
||||
return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
|
||||
}
|
||||
|
||||
@@ -258,7 +258,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
|
||||
return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
|
||||
}
|
||||
|
||||
-func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
|
||||
+func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
|
||||
return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
|
||||
}
|
||||
|
||||
@@ -326,7 +326,7 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
|
||||
}
|
||||
|
||||
var out []byte
|
||||
- var outLen C.uint
|
||||
+ var outLen C.size_t
|
||||
|
||||
if priv.withKey(func(key *C.GO_RSA) C.int {
|
||||
return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
|
13
SOURCES/fix-test-1024-leaf-certs.patch
Normal file
13
SOURCES/fix-test-1024-leaf-certs.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
|
||||
index 10d1cf0..51feb3b 100644
|
||||
--- a/src/crypto/tls/boring_test.go
|
||||
+++ b/src/crypto/tls/boring_test.go
|
||||
@@ -326,7 +326,7 @@ func TestBoringCertAlgs(t *testing.T) {
|
||||
I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
|
||||
|
||||
L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
|
||||
- L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf|boringCertNotBoring)
|
||||
+ L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
|
||||
|
||||
// client verifying server cert
|
||||
testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
|
122
SOURCES/ppc64le-internal-linker-fix.patch
Normal file
122
SOURCES/ppc64le-internal-linker-fix.patch
Normal file
@ -0,0 +1,122 @@
|
||||
diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
|
||||
new file mode 100644
|
||||
index 0000000000000..bca897c16d054
|
||||
--- /dev/null
|
||||
+++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
|
||||
@@ -0,0 +1,100 @@
|
||||
+# Verify PPC64 does not reuse a trampoline which is too far away.
|
||||
+# This tests an edge case where the direct call relocation addend should
|
||||
+# be ignored when computing the distance from the direct call to the
|
||||
+# already placed trampoline
|
||||
+[short] skip
|
||||
+[!ppc64] [!ppc64le] skip
|
||||
+[aix] skip
|
||||
+
|
||||
+# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
|
||||
+# assembly 2^26 or so times.
|
||||
+#
|
||||
+# We build something which should be laid out as such:
|
||||
+#
|
||||
+# bar.Bar
|
||||
+# main.Func1
|
||||
+# bar.Bar+400-tramp0
|
||||
+# main.BigAsm
|
||||
+# main.Func2
|
||||
+# bar.Bar+400-tramp1
|
||||
+#
|
||||
+# bar.Bar needs to be placed far enough away to generate relocations
|
||||
+# from main package calls. and main.Func1 and main.Func2 are placed
|
||||
+# a bit more than the direct call limit apart, but not more than 0x400
|
||||
+# bytes beyond it (to verify the reloc calc).
|
||||
+
|
||||
+go build
|
||||
+
|
||||
+-- go.mod --
|
||||
+
|
||||
+module foo
|
||||
+
|
||||
+go 1.19
|
||||
+
|
||||
+-- main.go --
|
||||
+
|
||||
+package main
|
||||
+
|
||||
+import "foo/bar"
|
||||
+
|
||||
+func Func1()
|
||||
+
|
||||
+func main() {
|
||||
+ Func1()
|
||||
+ bar.Bar2()
|
||||
+}
|
||||
+
|
||||
+-- foo.s --
|
||||
+
|
||||
+TEXT main·Func1(SB),0,$0-0
|
||||
+ CALL bar·Bar+0x400(SB)
|
||||
+ CALL main·BigAsm(SB)
|
||||
+// A trampoline will be placed here to bar.Bar
|
||||
+
|
||||
+// This creates a gap sufficiently large to prevent trampoline reuse
|
||||
+#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
|
||||
+#define NOP256 NOP64 NOP64 NOP64 NOP64
|
||||
+#define NOP2S10 NOP256 NOP256 NOP256 NOP256
|
||||
+#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
|
||||
+#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
|
||||
+#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
|
||||
+#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
|
||||
+#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
|
||||
+#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
|
||||
+#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
|
||||
+#define BIGNOP NOP2S24 NOP2S24
|
||||
+TEXT main·BigAsm(SB),0,$0-0
|
||||
+ // Fill to the direct call limit so Func2 must generate a new trampoline.
|
||||
+ // As the implicit trampoline above is just barely unreachable.
|
||||
+ BIGNOP
|
||||
+ MOVD $main·Func2(SB), R3
|
||||
+
|
||||
+TEXT main·Func2(SB),0,$0-0
|
||||
+ CALL bar·Bar+0x400(SB)
|
||||
+// Another trampoline should be placed here.
|
||||
+
|
||||
+-- bar/bar.s --
|
||||
+
|
||||
+#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
|
||||
+#define NOP256 NOP64 NOP64 NOP64 NOP64
|
||||
+#define NOP2S10 NOP256 NOP256 NOP256 NOP256
|
||||
+#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
|
||||
+#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
|
||||
+#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
|
||||
+#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
|
||||
+#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
|
||||
+#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
|
||||
+#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
|
||||
+#define BIGNOP NOP2S24 NOP2S24 NOP2S10
|
||||
+// A very big not very interesting function.
|
||||
+TEXT bar·Bar(SB),0,$0-0
|
||||
+ BIGNOP
|
||||
+
|
||||
+-- bar/bar.go --
|
||||
+
|
||||
+package bar
|
||||
+
|
||||
+func Bar()
|
||||
+
|
||||
+func Bar2() {
|
||||
+}
|
||||
diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
|
||||
index 5d5fbe2a97735..6313879da083c 100644
|
||||
--- a/src/cmd/link/internal/ppc64/asm.go
|
||||
+++ b/src/cmd/link/internal/ppc64/asm.go
|
||||
@@ -900,8 +900,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
|
||||
if ldr.SymValue(tramp) == 0 {
|
||||
break
|
||||
}
|
||||
-
|
||||
- t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
|
||||
+ // Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
|
||||
+ // trampoline itself.
|
||||
+ t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
|
||||
|
||||
// With internal linking, the trampoline can be used if it is not too far.
|
||||
// With external linking, the trampoline must be in this section for it to be reused.
|
@ -96,19 +96,26 @@
|
||||
%endif
|
||||
|
||||
%global go_api 1.19
|
||||
%global version 1.19.2
|
||||
%global version 1.19.4
|
||||
%global pkg_release 1
|
||||
|
||||
Name: golang
|
||||
Version: %{version}
|
||||
Release: 4%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: The Go Programming Language
|
||||
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
|
||||
License: BSD and Public Domain
|
||||
URL: http://golang.org/
|
||||
Source0: https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
|
||||
# Go's FIPS mode bindings are now provided as a standalone
|
||||
# module instead of in tree. This makes it easier to see
|
||||
# the actual changes vs upstream Go. The module source is
|
||||
# located at https://github.com/golang-fips/openssl-fips,
|
||||
# And pre-genetated patches to set up the module for a given
|
||||
# Go release are located at https://github.com/golang-fips/go.
|
||||
Source1: https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
|
||||
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
|
||||
Source1: fedora.go
|
||||
Source2: fedora.go
|
||||
|
||||
# The compiler is written in Go. Needs go(1.4+) compiler for build.
|
||||
# Actual Go based bootstrap compiler provided by above source.
|
||||
@ -139,11 +146,10 @@ Patch221: fix_TestScript_list_std.patch
|
||||
|
||||
Patch1939923: skip_test_rhbz1939923.patch
|
||||
|
||||
Patch0: 000-initial-setup.patch
|
||||
Patch1: 001-initial-openssl-for-fips.patch
|
||||
Patch2: disable_static_tests_part1.patch
|
||||
Patch3: disable_static_tests_part2.patch
|
||||
Patch4: enable-big-endian-fips-mode.patch
|
||||
Patch4: ppc64le-internal-linker-fix.patch
|
||||
Patch5: fix-test-1024-leaf-certs.patch
|
||||
|
||||
Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
|
||||
|
||||
@ -236,18 +242,23 @@ Requires: %{name} = %{version}-%{release}
|
||||
%prep
|
||||
%setup -q -n go-go%{version}
|
||||
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
pushd ..
|
||||
tar -xf %{SOURCE1}
|
||||
popd
|
||||
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
|
||||
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
|
||||
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%patch221 -p1
|
||||
|
||||
%patch1939923 -p1
|
||||
%patch227 -p1
|
||||
|
||||
cp %{SOURCE1} ./src/runtime/
|
||||
cp %{SOURCE2} ./src/runtime/
|
||||
|
||||
%build
|
||||
set -xe
|
||||
@ -519,6 +530,14 @@ cd ..
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
|
||||
- Rebase to Go 1.19.4
|
||||
- Fix ppc64le linker issue
|
||||
- Remove defunct patches
|
||||
- Remove downstream generated FIPS mode patches
|
||||
- Add golang-fips/go as the source for FIPS mode patches
|
||||
- Resolves: rhbz#2144542
|
||||
|
||||
* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
|
||||
- Enable big endian support in FIPS mode
|
||||
- Resolves: rhbz#1969844
|
||||
|
Loading…
Reference in New Issue
Block a user