Upgrade CNG backend to 19f07bc6df3d

patches/0005-Add-CNG-crypto-backend.patch

@@ -691,26 +691,26 @@ index a0548a7f9179c5..ae6117a1554b7f 100644
  package x509
 
 diff --git a/src/go.mod b/src/go.mod
-index 12d8c8f4f97321..39d84e4165d654 100644
+index 12d8c8f4f97321..8a95b6f65c63ef 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -4,6 +4,7 @@ go 1.24
 
  require (
  	github.com/golang-fips/openssl/v2 v2.0.4-0.20241031074328-c51a090851d3
-+	github.com/microsoft/go-crypto-winnative v0.0.0-20240929074641-3e2be6d20709
++	github.com/microsoft/go-crypto-winnative v0.0.0-20241031174928-19f07bc6df3d
  	golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0
  	golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd
  )
 diff --git a/src/go.sum b/src/go.sum
-index 4c3ca847c21cd2..116a769b257e34 100644
+index 4c3ca847c21cd2..54c859b46edd1c 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,5 +1,7 @@
  github.com/golang-fips/openssl/v2 v2.0.4-0.20241031074328-c51a090851d3 h1:5QU8ZbOJ8pUBEhxIOm6+teyQMgeBFu3Gos5ue7Rvlgg=
  github.com/golang-fips/openssl/v2 v2.0.4-0.20241031074328-c51a090851d3/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0=
-+github.com/microsoft/go-crypto-winnative v0.0.0-20240929074641-3e2be6d20709 h1:Kno3m3hOXCrrJF9YphNJWNXm6MjIpflQrHWxAIRSIqA=
-+github.com/microsoft/go-crypto-winnative v0.0.0-20240929074641-3e2be6d20709/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA=
++github.com/microsoft/go-crypto-winnative v0.0.0-20241031174928-19f07bc6df3d h1:UKPx/2ug3daetm1rPOKyEHovWbh3hekPK8p1wygTcOI=
++github.com/microsoft/go-crypto-winnative v0.0.0-20241031174928-19f07bc6df3d/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA=
  golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0 h1:wxHbFWyu21uEPJJnYaSDaHSWbvnZ9gLSSOPwnEc3lLM=
  golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
  golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd h1:pHzwejE8Zkb94bG4nA+fUeskKPFp1HPldrhv62dabro=

patches/0006-Vendor-crypto-backends.patch

@@ -50,12 +50,12 @@ To reproduce, run 'go mod vendor' in 'go/src'.
  .../microsoft/go-crypto-winnative/cng/big.go  |   30 +
  .../go-crypto-winnative/cng/cipher.go         |   52 +
  .../microsoft/go-crypto-winnative/cng/cng.go  |  131 +++
- .../microsoft/go-crypto-winnative/cng/des.go  |  107 ++
+ .../microsoft/go-crypto-winnative/cng/des.go  |  106 ++
  .../microsoft/go-crypto-winnative/cng/dsa.go  |  469 ++++++++
  .../microsoft/go-crypto-winnative/cng/ecdh.go |  255 ++++
  .../go-crypto-winnative/cng/ecdsa.go          |  169 +++
- .../microsoft/go-crypto-winnative/cng/hash.go |  316 +++++
- .../microsoft/go-crypto-winnative/cng/hkdf.go |  175 +++
+ .../microsoft/go-crypto-winnative/cng/hash.go |  306 +++++
+ .../microsoft/go-crypto-winnative/cng/hkdf.go |  180 +++
  .../microsoft/go-crypto-winnative/cng/hmac.go |   35 +
  .../microsoft/go-crypto-winnative/cng/keys.go |  220 ++++
  .../go-crypto-winnative/cng/pbkdf2.go         |   70 ++
@@ -68,7 +68,7 @@ To reproduce, run 'go mod vendor' in 'go/src'.
  .../internal/subtle/aliasing.go               |   32 +
  .../internal/sysdll/sys_windows.go            |   55 +
  src/vendor/modules.txt                        |   11 +
- 63 files changed, 10964 insertions(+)
+ 63 files changed, 10958 insertions(+)
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
  create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE
@@ -7491,7 +7491,7 @@ index 00000000000000..9e841e7a26e4eb
 +    SOFTWARE
 diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
 new file mode 100644
-index 00000000000000..caac632894556e
+index 00000000000000..097a0fc77f0adb
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
 @@ -0,0 +1,393 @@
@@ -7504,6 +7504,7 @@ index 00000000000000..caac632894556e
 +package cng
 +
 +import (
++	"bytes"
 +	"crypto/cipher"
 +	"errors"
 +	"runtime"
@@ -7525,8 +7526,7 @@ index 00000000000000..caac632894556e
 +	if err != nil {
 +		return nil, err
 +	}
-+	c := &aesCipher{kh: kh, key: make([]byte, len(key))}
-+	copy(c.key, key)
++	c := &aesCipher{kh: kh, key: bytes.Clone(key)}
 +	runtime.SetFinalizer(c, (*aesCipher).finalize)
 +	return c, nil
 +}
@@ -8158,10 +8158,10 @@ index 00000000000000..d1916f94a0a76d
 +}
 diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go
 new file mode 100644
-index 00000000000000..b0784affba0aa4
+index 00000000000000..de3f05b84f1d82
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,106 @@
 +// Copyright (c) Microsoft Corporation.
 +// Licensed under the MIT License.
 +
@@ -8171,6 +8171,7 @@ index 00000000000000..b0784affba0aa4
 +package cng
 +
 +import (
++	"bytes"
 +	"crypto/cipher"
 +	"runtime"
 +
@@ -8191,8 +8192,7 @@ index 00000000000000..b0784affba0aa4
 +	if err != nil {
 +		return nil, err
 +	}
-+	c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: make([]byte, len(key))}
-+	copy(c.key, key)
++	c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}
 +	runtime.SetFinalizer(c, (*desCipher).finalize)
 +	return c, nil
 +}
@@ -8202,8 +8202,7 @@ index 00000000000000..b0784affba0aa4
 +	if err != nil {
 +		return nil, err
 +	}
-+	c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: make([]byte, len(key))}
-+	copy(c.key, key)
++	c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}
 +	runtime.SetFinalizer(c, (*desCipher).finalize)
 +	return c, nil
 +}
@@ -9182,10 +9181,10 @@ index 00000000000000..586e9ae2ebb0c9
 +}
 diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go
 new file mode 100644
-index 00000000000000..c4f01e17dd4ca1
+index 00000000000000..87b1c95dc7f911
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go
-@@ -0,0 +1,316 @@
+@@ -0,0 +1,306 @@
 +// Copyright (c) Microsoft Corporation.
 +// Licensed under the MIT License.
 +
@@ -9195,6 +9194,7 @@ index 00000000000000..c4f01e17dd4ca1
 +package cng
 +
 +import (
++	"bytes"
 +	"crypto"
 +	"hash"
 +	"runtime"
@@ -9382,12 +9382,7 @@ index 00000000000000..c4f01e17dd4ca1
 +	if err != nil {
 +		panic(err)
 +	}
-+	h := new(hashX)
-+	h.alg = alg
-+	if len(key) > 0 {
-+		h.key = make([]byte, len(key))
-+		copy(h.key, key)
-+	}
++	h := &hashX{alg: alg, key: bytes.Clone(key)}
 +	// Don't allocate hx.buf nor call bcrypt.CreateHash yet,
 +	// which would be wasteful if the caller only wants to know
 +	// the hash type. This is a common pattern in this package,
@@ -9415,13 +9410,7 @@ index 00000000000000..c4f01e17dd4ca1
 +}
 +
 +func (h *hashX) Clone() (hash.Hash, error) {
-+	h2 := &hashX{
-+		alg: h.alg,
-+	}
-+	if h.key != nil {
-+		h2.key = make([]byte, len(h.key))
-+		copy(h2.key, h.key)
-+	}
++	h2 := &hashX{alg: h.alg, key: bytes.Clone(h.key)}
 +	err := h.withCtx(func(ctx bcrypt.HASH_HANDLE) error {
 +		return bcrypt.DuplicateHash(ctx, &h2._ctx, nil, 0)
 +	})
@@ -9504,10 +9493,10 @@ index 00000000000000..c4f01e17dd4ca1
 +}
 diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go
 new file mode 100644
-index 00000000000000..655926ef635224
+index 00000000000000..5338fb5c7b187c
 --- /dev/null
 +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,180 @@
 +// Copyright (c) Microsoft Corporation.
 +// Licensed under the MIT License.
 +
@@ -9666,14 +9655,19 @@ index 00000000000000..655926ef635224
 +		return nil, errors.New("cng: unknown key data blob version")
 +	}
 +	// KEY_DATA_BLOB_VERSION1 format is:
-+	// cbHash uint32 // Big-endian
-+	// hashName [cbHash]byte
++	// cbHashName uint32 // Big-endian
++	// pHashName [cbHash]byte
 +	// key []byte // Rest of the blob
 +	if len(blob) < 4 {
 +		return nil, errors.New("cng: exported key is corrupted")
 +	}
-+	hashLength := binary.BigEndian.Uint32(blob[:])
-+	return blob[4+hashLength:], nil
++	cbHashName := binary.BigEndian.Uint32(blob)
++	blob = blob[4:]
++	if len(blob) < int(cbHashName) {
++		return nil, errors.New("cng: exported key is corrupted")
++	}
++	// Skip pHashName.
++	return blob[cbHashName:], nil
 +}
 +
 +func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
@@ -11461,15 +11455,15 @@ index 00000000000000..1722410e5af193
 +	return getSystemDirectory() + "\\" + dll
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index cf5c0b83c9eeef..be1319fc942882 100644
+index cf5c0b83c9eeef..7c9bf41ea0bc87 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,14 @@
 +# github.com/golang-fips/openssl/v2 v2.0.4-0.20241031074328-c51a090851d3
 +## explicit; go 1.22
 +github.com/golang-fips/openssl/v2
 +github.com/golang-fips/openssl/v2/bbig
-+# github.com/microsoft/go-crypto-winnative v0.0.0-20240929074641-3e2be6d20709
++# github.com/microsoft/go-crypto-winnative v0.0.0-20241031174928-19f07bc6df3d
 +## explicit; go 1.22
 +github.com/microsoft/go-crypto-winnative/cng
 +github.com/microsoft/go-crypto-winnative/cng/bbig