From f3c66c88dda3da35a2b16899187fd9e7cd30f455 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 18 Nov 2024 15:20:34 +0100 Subject: [PATCH 1/4] add initial DSA support --- .../0002-Add-crypto-backend-foundation.patch | 54 ++++++++++++++++--- .../0003-Add-BoringSSL-crypto-backend.patch | 20 ++++--- patches/0004-Add-OpenSSL-crypto-backend.patch | 22 +++++--- patches/0005-Add-CNG-crypto-backend.patch | 22 ++++++-- 4 files changed, 94 insertions(+), 24 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 159be26ee4..1d1729c911 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -8,6 +8,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/aes/cipher_asm.go | 2 +- src/crypto/boring/boring.go | 2 +- src/crypto/des/cipher.go | 7 + + src/crypto/dsa/dsa.go | 13 ++ src/crypto/ecdh/ecdh.go | 2 +- src/crypto/ecdh/nist.go | 2 +- src/crypto/ecdsa/boring.go | 4 +- @@ -23,7 +24,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/internal/backend/bbig/big.go | 17 ++ src/crypto/internal/backend/common.go | 92 +++++++++ src/crypto/internal/backend/isrequirefips.go | 9 + - src/crypto/internal/backend/nobackend.go | 193 +++++++++++++++++++ + src/crypto/internal/backend/nobackend.go | 201 +++++++++++++++++++ src/crypto/internal/backend/norequirefips.go | 9 + src/crypto/internal/backend/stub.s | 10 + src/crypto/md5/md5.go | 7 + @@ -51,7 +52,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/tls/handshake_server.go | 25 ++- src/crypto/tls/handshake_server_tls13.go | 10 + src/crypto/tls/key_schedule.go | 18 +- - src/crypto/tls/prf.go | 77 +++++--- + src/crypto/tls/prf.go | 77 ++++--- src/crypto/tls/prf_test.go | 12 +- src/crypto/x509/boring_test.go | 5 + src/go/build/deps_test.go | 4 + 
@@ -60,7 +61,7 @@ Subject: [PATCH] Add crypto backend foundation src/hash/notboring_test.go | 5 + src/net/smtp/smtp_test.go | 72 ++++--- src/runtime/runtime_boring.go | 5 + - 56 files changed, 893 insertions(+), 106 deletions(-) + 57 files changed, 914 insertions(+), 106 deletions(-) create mode 100644 src/crypto/ed25519/boring.go create mode 100644 src/crypto/ed25519/notboring.go create mode 100644 src/crypto/internal/backend/backend_test.go @@ -144,6 +145,37 @@ index 04b73e7d3bf758..0891652a4566fb 100644 c := new(tripleDESCipher) c.cipher1.generateSubkeys(key[:8]) +diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go +index 4524bd492feba0..3937865aee7ef8 100644 +--- a/src/crypto/dsa/dsa.go ++++ b/src/crypto/dsa/dsa.go +@@ -18,6 +18,8 @@ import ( + "io" + "math/big" + ++ boring "crypto/internal/backend" ++ "crypto/internal/backend/bbig" + "crypto/internal/randutil" + ) + +@@ -86,6 +88,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes + return errors.New("crypto/dsa: invalid ParameterSizes") + } + ++ if boring.Enabled && boring.SupportsDSA(L, N) { ++ p, q, g, err := boring.GenerateDSAParameters(L, N) ++ if err != nil { ++ return err ++ } ++ params.P = bbig.Dec(p) ++ params.Q = bbig.Dec(q) ++ params.G = bbig.Dec(g) ++ return nil ++ } ++ + qBytes := make([]byte, N/8) + pBytes := make([]byte, L/8) + diff --git a/src/crypto/ecdh/ecdh.go b/src/crypto/ecdh/ecdh.go index b7c26f91e57f02..7a12e2bbaaafd1 100644 --- a/src/crypto/ecdh/ecdh.go @@ -657,10 +689,10 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..08600a2c833ac7 +index 00000000000000..cc224d339ee4e9 --- /dev/null 
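Review bot: In the `GenerateParameters` hunk for src/crypto/dsa/dsa.go, the backend branch never reads the caller's `rand`, so a caller that supplies its own reader gets parameters from the backend's generator with no indication of it. A comment above the `if`, such as `// The backend uses its own random source; rand is ignored on this path.`, together with a sentence in the function's doc comment, would make that visible. The branch also stores whatever `boring.GenerateDSAParameters` returns without checking sizes, where the Go fallback below produces P and Q of exactly L and N bits by construction. I would decode into locals first and return an error if `P.BitLen() != L || Q.BitLen() != N`, so a backend mismatch cannot yield mis-sized parameters. The function body starts and continues outside the hunk.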
+++ b/src/crypto/internal/backend/nobackend.go -@@ -0,0 +1,193 @@ +@@ -0,0 +1,201 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -706,8 +738,8 @@ index 00000000000000..08600a2c833ac7 + +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("cryptobackend: not available") } + -+func NewAESCipher(key []byte) (cipher.Block, error) { panic("cryptobackend: not available") } -+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") } ++func NewAESCipher(key []byte) (cipher.Block, error) { panic("cryptobackend: not available") } ++func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") } +func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") } + +type PublicKeyECDSA struct{ _ int } @@ -854,6 +886,14 @@ index 00000000000000..08600a2c833ac7 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error { + panic("cryptobackend: not available") +} ++ ++func SupportsDSA(l, n int) bool { ++ return false ++} ++ ++func GenerateDSAParameters(l, n int) (p, q, g BigInt, err error) { ++ panic("cryptobackend: not available") ++} diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go new file mode 100644 index 00000000000000..26bfb5f6a643f3 diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 430b91187d..89cbb8792b 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch 
@@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend --- .../internal/backend/bbig/big_boring.go | 12 + - src/crypto/internal/backend/boring_linux.go | 225 ++++++++++++++++++ - 2 files changed, 237 insertions(+) + src/crypto/internal/backend/boring_linux.go | 233 ++++++++++++++++++ + 2 files changed, 245 insertions(+) create mode 100644 src/crypto/internal/backend/bbig/big_boring.go create mode 100644 src/crypto/internal/backend/boring_linux.go @@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..7c5fbeea717618 +index 00000000000000..6cecf976fa6a9b --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go -@@ -0,0 +1,225 @@ +@@ -0,0 +1,233 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -82,8 +82,8 @@ index 00000000000000..7c5fbeea717618 + +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { return boring.NewHMAC(h, key) } + -+func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) } -+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) } ++func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) } ++func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) } +func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS13(c) } + +type PublicKeyECDSA = boring.PublicKeyECDSA @@ -259,3 +259,11 @@ index 00000000000000..7c5fbeea717618 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error { + panic("cryptobackend: not available") +} ++ ++func SupportsDSA(l, n int) bool { ++ return false ++} ++ ++func GenerateDSAParameters(l, n int) (p, q, g boring.BigInt, err error) { ++ panic("cryptobackend: not available") ++} 
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 938e6927e2..83188497d7 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 323 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 333 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 408 insertions(+), 25 deletions(-) + 36 files changed, 418 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..69af0ffe2fcf80 +index 00000000000000..e0208441429955 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,323 @@ +@@ -0,0 +1,333 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -218,6 +218,7 @@ index 00000000000000..69af0ffe2fcf80 + "syscall" + + "github.com/golang-fips/openssl/v2" ++ "github.com/microsoft/go-crypto-winnative/cng" +) + +// Enabled controls whether FIPS crypto is enabled. 
@@ -520,6 +521,15 @@ index 00000000000000..69af0ffe2fcf80 +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error { + return openssl.VerifyEd25519(pub, message, sig) +} ++ ++func SupportsDSA(l, n int) bool { ++ return false ++} ++ ++func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) { ++ // TODO ++ panic("Mert should implement") ++} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 --- a/src/crypto/internal/boring/fipstls/stub.s @@ -586,10 +596,10 @@ index 34c22c8fbba7da..933ac569e034a8 100644 package rsa diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go -index 86466e67e87eeb..dbcc1bec58bd46 100644 +index c6294694521c69..ab99b176ac9540 100644 --- a/src/crypto/rsa/rsa_test.go +++ b/src/crypto/rsa/rsa_test.go -@@ -690,6 +690,9 @@ func TestDecryptOAEP(t *testing.T) { +@@ -700,6 +700,9 @@ func TestDecryptOAEP(t *testing.T) { } func Test2DecryptOAEP(t *testing.T) { diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index adac4e6644..43d89c4635 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -7,13 +7,13 @@ Subject: [PATCH] Add CNG crypto backend src/cmd/api/boring_test.go | 2 +- src/cmd/go/go_boring_test.go | 2 +- src/crypto/boring/boring.go | 2 +- - src/crypto/ecdsa/badlinkname.go | 17 ++ + src/crypto/ecdsa/badlinkname.go | 17 + src/crypto/ecdsa/boring.go | 2 +- src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big.go | 2 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 280 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 292 ++++++++++++++++++ src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- 
@@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 36 files changed, 375 insertions(+), 27 deletions(-) + 36 files changed, 387 insertions(+), 27 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..3d3d13709de5ac +index 00000000000000..6c62c79982bdd6 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,280 @@ +@@ -0,0 +1,292 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -467,6 +467,18 @@ index 00000000000000..3d3d13709de5ac +func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error { + panic("cryptobackend: not available") +} ++ ++func SupportsDSA(l, n int) bool { ++ return n != 224 ++} ++ ++func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) { ++ params, err := cng.GenerateDSAParameters(l) ++ if err != nil { ++ return nil, nil, nil, err ++ } ++ return params.P, params.Q, params.G, nil ++} diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go index bc595e91024f11..7766d674f5cfaf 100644 --- a/src/crypto/internal/backend/common.go From dfcf6a29edd185b8737bfd58e8936679a28ffebd Mon Sep 17 00:00:00 2001 From: mertakman Date: Wed, 27 Nov 2024 14:54:47 +0000 Subject: [PATCH 2/4] fix:update supportdsa and generatedsaparameters functions --- go | 2 +- patches/0004-Add-OpenSSL-crypto-backend.patch | 17 ++++++++--------- 2 files changed, 9 insertions(+), 10 deletions(-) 
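Review bot: In the cng_windows.go hunk, `GenerateDSAParameters` accepts `n` but passes only `l` to `cng.GenerateDSAParameters`, so the size of Q is whatever CNG picks for that L. The only thing tying that to the requested N is the `n != 224` test in `SupportsDSA`, and the coupling is not stated anywhere. It presumably relies on CNG choosing N=160 for L=1024 and N=256 for L=2048 and L=3072, which should be confirmed against the cng package. I would document it on `SupportsDSA`, for example `// CNG derives N from L and cannot produce L2048N224; all other ParameterSizes match what CNG generates.`, and have `SupportsDSA` test `l` as well so an unexpected L falls back to the Go implementation.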
diff --git a/go b/go index b33fc480a2..a1407f0327 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit b33fc480a25c30d38104a9efaf73326c888e8557 +Subproject commit a1407f03270450f2e56605b69bddebcb881a0658 diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 83188497d7..2b9610745d 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/crypto/ecdsa/notboring.go | 2 +- src/crypto/internal/backend/bbig/big.go | 2 +- .../internal/backend/bbig/big_openssl.go | 12 + - src/crypto/internal/backend/openssl_linux.go | 333 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 332 ++++++++++++++++++ src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- src/crypto/rsa/boring.go | 2 +- @@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 36 files changed, 418 insertions(+), 25 deletions(-) + 36 files changed, 417 insertions(+), 25 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go @@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..e0208441429955 +index 00000000000000..7ff09906b8d07b --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,333 @@ +@@ -0,0 +1,332 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
@@ -218,7 +218,6 @@ index 00000000000000..e0208441429955 + "syscall" + + "github.com/golang-fips/openssl/v2" -+ "github.com/microsoft/go-crypto-winnative/cng" +) + +// Enabled controls whether FIPS crypto is enabled. @@ -523,12 +522,12 @@ index 00000000000000..e0208441429955 +} + +func SupportsDSA(l, n int) bool { -+ return false ++ return openssl.SupportsDSA() +} + -+func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) { -+ // TODO -+ panic("Mert should implement") ++func GenerateDSAParameters(l, n int) (p, q, g openssl.BigInt, err error) { ++ params, err := openssl.GenerateDSAParameters(l, n) ++ return params.P, params.Q, params.G, err +} diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s index f2e5a503eaacb6..1dc7116efdff2e 100644 From 7099b2667089f07104e89be1c4e57ebbfa7f6330 Mon Sep 17 00:00:00 2001 From: mertakman Date: Wed, 27 Nov 2024 15:01:04 +0000 Subject: [PATCH 3/4] fix:revert changes accidentally committed to submodule --- go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go b/go index a1407f0327..b33fc480a2 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit a1407f03270450f2e56605b69bddebcb881a0658 +Subproject commit b33fc480a25c30d38104a9efaf73326c888e8557 From 6ff3e0120d15c064f191fa3a83320f6836359a2e Mon Sep 17 00:00:00 2001 From: mertakman Date: Thu, 28 Nov 2024 17:03:10 +0000 Subject: [PATCH 4/4] fix:consistently panic in nobackend --- patches/0002-Add-crypto-backend-foundation.patch | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 1d1729c911..2bee5dcda1 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -3,6 +3,7 @@ 
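Review bot: In the openssl_linux.go hunk, `GenerateDSAParameters` reads `params.P`, `params.Q` and `params.G` before looking at `err`, unlike the CNG version of the same function, which returns early on error. If `openssl.GenerateDSAParameters` returns a pointer this dereferences nil on failure, and if it returns a struct the caller receives zero-valued fields next to a non-nil error. Adding `if err != nil { return nil, nil, nil, err }` before the final return makes the two backends agree. `SupportsDSA` also ignores `l` and `n`, so every size dsa.go accepts is forwarded to OpenSSL. Whether the linked OpenSSL, in particular a FIPS provider, accepts L1024N160 is not visible here and should be confirmed or filtered in `SupportsDSA`.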
From: qmuntal Date: Thu, 30 Jun 2022 10:03:03 +0200 Subject: [PATCH] Add crypto backend foundation +fix:nobackend panic consistently without return --- src/crypto/aes/cipher.go | 2 +- src/crypto/aes/cipher_asm.go | 2 +- @@ -689,7 +690,7 @@ index 00000000000000..e5d7570d6d4363 +const isRequireFIPS = true diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..cc224d339ee4e9 +index 00000000000000..9204848708436e --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,201 @@ @@ -888,7 +889,7 @@ index 00000000000000..cc224d339ee4e9 +} + +func SupportsDSA(l, n int) bool { -+ return false ++ panic("cryptobackend: not available") +} + +func GenerateDSAParameters(l, n int) (p, q, g BigInt, err error) {
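Review bot: With `SupportsDSA` in nobackend.go now panicking, the dsa.go call `boring.Enabled && boring.SupportsDSA(L, N)` is safe only because `Enabled` is evaluated first and is presumably false in this build (its definition is outside the hunk). Nothing on the stub states that contract, so a later call site that drops or reorders the `Enabled` test would panic at run time in builds without a backend. I would add a doc comment on the stub, e.g. `// SupportsDSA panics when no backend is compiled in; callers must check Enabled first.`. `GenerateDSAParameters` continues past the end of the hunk.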