add initial DSA support

microsoft · Nov 18, 2024 · a7df47e · a7df47e
1 parent 123de8f
commit a7df47e
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 24 deletions.
diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch
@@ -8,6 +8,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/aes/cipher_asm.go                 |   2 +-
  src/crypto/boring/boring.go                  |   2 +-
  src/crypto/des/cipher.go                     |   7 +
+ src/crypto/dsa/dsa.go                        |  13 ++
  src/crypto/ecdh/ecdh.go                      |   2 +-
  src/crypto/ecdh/nist.go                      |   2 +-
  src/crypto/ecdsa/boring.go                   |   4 +-
@@ -23,7 +24,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/internal/backend/bbig/big.go      |  17 ++
  src/crypto/internal/backend/common.go        |  92 +++++++++
  src/crypto/internal/backend/isrequirefips.go |   9 +
- src/crypto/internal/backend/nobackend.go     | 193 +++++++++++++++++++
+ src/crypto/internal/backend/nobackend.go     | 201 +++++++++++++++++++
  src/crypto/internal/backend/norequirefips.go |   9 +
  src/crypto/internal/backend/stub.s           |  10 +
  src/crypto/md5/md5.go                        |   7 +
@@ -51,7 +52,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/tls/handshake_server.go           |  25 ++-
  src/crypto/tls/handshake_server_tls13.go     |  10 +
  src/crypto/tls/key_schedule.go               |  18 +-
- src/crypto/tls/prf.go                        |  77 +++++---
+ src/crypto/tls/prf.go                        |  77 ++++---
  src/crypto/tls/prf_test.go                   |  12 +-
  src/crypto/x509/boring_test.go               |   5 +
  src/go/build/deps_test.go                    |   4 +
@@ -60,7 +61,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/hash/notboring_test.go                   |   5 +
  src/net/smtp/smtp_test.go                    |  72 ++++---
  src/runtime/runtime_boring.go                |   5 +
- 56 files changed, 893 insertions(+), 106 deletions(-)
+ 57 files changed, 914 insertions(+), 106 deletions(-)
  create mode 100644 src/crypto/ed25519/boring.go
  create mode 100644 src/crypto/ed25519/notboring.go
  create mode 100644 src/crypto/internal/backend/backend_test.go
@@ -144,6 +145,37 @@ index 04b73e7d3bf758..0891652a4566fb 100644
 
  	c := new(tripleDESCipher)
  	c.cipher1.generateSubkeys(key[:8])
+diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
+index 4524bd492feba0..3937865aee7ef8 100644
+--- a/src/crypto/dsa/dsa.go
++++ b/src/crypto/dsa/dsa.go
+@@ -18,6 +18,8 @@ import (
+ 	"io"
+ 	"math/big"
+
++	boring "crypto/internal/backend"
++	"crypto/internal/backend/bbig"
+ 	"crypto/internal/randutil"
+ )
+
+@@ -86,6 +88,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes
+ 		return errors.New("crypto/dsa: invalid ParameterSizes")
+ 	}
+
++	if boring.Enabled && boring.SupportsDSA(L, N) {
++		p, q, g, err := boring.GenerateDSAParameters(L, N)
++		if err != nil {
++			return err
++		}
++		params.P = bbig.Dec(p)
++		params.Q = bbig.Dec(q)
++		params.G = bbig.Dec(g)
++		return nil
++	}
++
+ 	qBytes := make([]byte, N/8)
+ 	pBytes := make([]byte, L/8)
+
 diff --git a/src/crypto/ecdh/ecdh.go b/src/crypto/ecdh/ecdh.go
 index b7c26f91e57f02..7a12e2bbaaafd1 100644
 --- a/src/crypto/ecdh/ecdh.go
@@ -657,10 +689,10 @@ index 00000000000000..e5d7570d6d4363
 +const isRequireFIPS = true
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
-index 00000000000000..08600a2c833ac7
+index 00000000000000..cc224d339ee4e9
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,201 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -706,8 +738,8 @@ index 00000000000000..08600a2c833ac7
 +
 +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("cryptobackend: not available") }
 +
-+func NewAESCipher(key []byte) (cipher.Block, error) { panic("cryptobackend: not available") }
-+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
++func NewAESCipher(key []byte) (cipher.Block, error)   { panic("cryptobackend: not available") }
++func NewGCMTLS(c cipher.Block) (cipher.AEAD, error)   { panic("cryptobackend: not available") }
 +func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
 +
 +type PublicKeyECDSA struct{ _ int }
@@ -854,6 +886,14 @@ index 00000000000000..08600a2c833ac7
 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
 +	panic("cryptobackend: not available")
 +}
++
++func SupportsDSA(l, n int) bool {
++	return false
++}
++
++func GenerateDSAParameters(l, n int) (p, q, g BigInt, err error) {
++	panic("cryptobackend: not available")
++}
 diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go
 new file mode 100644
 index 00000000000000..26bfb5f6a643f3

diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch
@@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend
 
 ---
  .../internal/backend/bbig/big_boring.go       |  12 +
- src/crypto/internal/backend/boring_linux.go   | 225 ++++++++++++++++++
- 2 files changed, 237 insertions(+)
+ src/crypto/internal/backend/boring_linux.go   | 233 ++++++++++++++++++
+ 2 files changed, 245 insertions(+)
  create mode 100644 src/crypto/internal/backend/bbig/big_boring.go
  create mode 100644 src/crypto/internal/backend/boring_linux.go
 
@@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go
 new file mode 100644
-index 00000000000000..7c5fbeea717618
+index 00000000000000..6cecf976fa6a9b
 --- /dev/null
 +++ b/src/crypto/internal/backend/boring_linux.go
-@@ -0,0 +1,225 @@
+@@ -0,0 +1,233 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -82,8 +82,8 @@ index 00000000000000..7c5fbeea717618
 +
 +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { return boring.NewHMAC(h, key) }
 +
-+func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) }
-+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) }
++func NewAESCipher(key []byte) (cipher.Block, error)   { return boring.NewAESCipher(key) }
++func NewGCMTLS(c cipher.Block) (cipher.AEAD, error)   { return boring.NewGCMTLS(c) }
 +func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS13(c) }
 +
 +type PublicKeyECDSA = boring.PublicKeyECDSA
@@ -259,3 +259,11 @@ index 00000000000000..7c5fbeea717618
 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
 +	panic("cryptobackend: not available")
 +}
++
++func SupportsDSA(l, n int) bool {
++	return false
++}
++
++func GenerateDSAParameters(l, n int) (p, q, g boring.BigInt, err error) {
++	panic("cryptobackend: not available")
++}
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  src/crypto/ecdsa/notboring.go                 |   2 +-
  src/crypto/internal/backend/bbig/big.go       |   2 +-
  .../internal/backend/bbig/big_openssl.go      |  12 +
- src/crypto/internal/backend/openssl_linux.go  | 323 ++++++++++++++++++
+ src/crypto/internal/backend/openssl_linux.go  | 333 ++++++++++++++++++
  src/crypto/internal/boring/fipstls/stub.s     |   2 +-
  src/crypto/internal/boring/fipstls/tls.go     |   2 +-
  src/crypto/rsa/boring.go                      |   2 +-
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  .../goexperiment/exp_opensslcrypto_on.go      |   9 +
  src/internal/goexperiment/flags.go            |   1 +
  src/os/exec/exec_test.go                      |   9 +
- 36 files changed, 408 insertions(+), 25 deletions(-)
+ 36 files changed, 418 insertions(+), 25 deletions(-)
  create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go
  create mode 100644 src/crypto/internal/backend/openssl_linux.go
  create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go
@@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
 new file mode 100644
-index 00000000000000..69af0ffe2fcf80
+index 00000000000000..e0208441429955
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl_linux.go
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,333 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -218,6 +218,7 @@ index 00000000000000..69af0ffe2fcf80
 +	"syscall"
 +
 +	"github.com/golang-fips/openssl/v2"
++	"github.com/microsoft/go-crypto-winnative/cng"
 +)
 +
 +// Enabled controls whether FIPS crypto is enabled.
@@ -520,6 +521,15 @@ index 00000000000000..69af0ffe2fcf80
 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
 +	return openssl.VerifyEd25519(pub, message, sig)
 +}
++
++func SupportsDSA(l, n int) bool {
++	return false
++}
++
++func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) {
++	// TODO
++	panic("Mert should implement")
++}
 diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s
 index f2e5a503eaacb6..1dc7116efdff2e 100644
 --- a/src/crypto/internal/boring/fipstls/stub.s
@@ -586,10 +596,10 @@ index 34c22c8fbba7da..933ac569e034a8 100644
  package rsa
 
 diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
-index 86466e67e87eeb..dbcc1bec58bd46 100644
+index c6294694521c69..ab99b176ac9540 100644
 --- a/src/crypto/rsa/rsa_test.go
 +++ b/src/crypto/rsa/rsa_test.go
-@@ -690,6 +690,9 @@ func TestDecryptOAEP(t *testing.T) {
+@@ -700,6 +700,9 @@ func TestDecryptOAEP(t *testing.T) {
  }
 
  func Test2DecryptOAEP(t *testing.T) {

diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch
@@ -7,13 +7,13 @@ Subject: [PATCH] Add CNG crypto backend
  src/cmd/api/boring_test.go                    |   2 +-
  src/cmd/go/go_boring_test.go                  |   2 +-
  src/crypto/boring/boring.go                   |   2 +-
- src/crypto/ecdsa/badlinkname.go               |  17 ++
+ src/crypto/ecdsa/badlinkname.go               |  17 +
  src/crypto/ecdsa/boring.go                    |   2 +-
  src/crypto/ecdsa/notboring.go                 |   2 +-
  src/crypto/internal/backend/backend_test.go   |   4 +-
  src/crypto/internal/backend/bbig/big.go       |   2 +-
  src/crypto/internal/backend/bbig/big_cng.go   |  12 +
- src/crypto/internal/backend/cng_windows.go    | 280 ++++++++++++++++++
+ src/crypto/internal/backend/cng_windows.go    | 292 ++++++++++++++++++
  src/crypto/internal/backend/common.go         |  13 +-
  src/crypto/internal/boring/fipstls/stub.s     |   2 +-
  src/crypto/internal/boring/fipstls/tls.go     |   2 +-
@@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend
  .../goexperiment/exp_cngcrypto_off.go         |   9 +
  src/internal/goexperiment/exp_cngcrypto_on.go |   9 +
  src/internal/goexperiment/flags.go            |   1 +
- 36 files changed, 375 insertions(+), 27 deletions(-)
+ 36 files changed, 387 insertions(+), 27 deletions(-)
  create mode 100644 src/crypto/ecdsa/badlinkname.go
  create mode 100644 src/crypto/internal/backend/bbig/big_cng.go
  create mode 100644 src/crypto/internal/backend/cng_windows.go
@@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go
 new file mode 100644
-index 00000000000000..3d3d13709de5ac
+index 00000000000000..6c62c79982bdd6
 --- /dev/null
 +++ b/src/crypto/internal/backend/cng_windows.go
-@@ -0,0 +1,280 @@
+@@ -0,0 +1,292 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -467,6 +467,18 @@ index 00000000000000..3d3d13709de5ac
 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
 +	panic("cryptobackend: not available")
 +}
++
++func SupportsDSA(l, n int) bool {
++	return n != 224
++}
++
++func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) {
++	params, err := cng.GenerateDSAParameters(l)
++	if err != nil {
++		return nil, nil, nil, err
++	}
++	return params.P, params.Q, params.G, nil
++}
 diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go
 index bc595e91024f11..7766d674f5cfaf 100644
 --- a/src/crypto/internal/backend/common.go