Add GenerateDSAParameters and SupportsDSA functions #1421

Open
wants to merge 4 commits into
base: microsoft/main
55 changes: 48 additions & 7 deletions patches/0002-Add-crypto-backend-foundation.patch
@@ -3,11 +3,13 @@ From: qmuntal <qmuntaldiaz@microsoft.com>
Date: Thu, 30 Jun 2022 10:03:03 +0200
Subject: [PATCH] Add crypto backend foundation

fix:nobackend panic consistently without return
---
src/crypto/aes/cipher.go | 2 +-
src/crypto/aes/cipher_asm.go | 2 +-
src/crypto/boring/boring.go | 2 +-
src/crypto/des/cipher.go | 7 +
src/crypto/dsa/dsa.go | 13 ++
src/crypto/ecdh/ecdh.go | 2 +-
src/crypto/ecdh/nist.go | 2 +-
src/crypto/ecdsa/boring.go | 4 +-
@@ -23,7 +25,7 @@ Subject: [PATCH] Add crypto backend foundation
src/crypto/internal/backend/bbig/big.go | 17 ++
src/crypto/internal/backend/common.go | 92 +++++++++
src/crypto/internal/backend/isrequirefips.go | 9 +
src/crypto/internal/backend/nobackend.go | 193 +++++++++++++++++++
src/crypto/internal/backend/nobackend.go | 201 +++++++++++++++++++
src/crypto/internal/backend/norequirefips.go | 9 +
src/crypto/internal/backend/stub.s | 10 +
src/crypto/md5/md5.go | 7 +
@@ -51,7 +53,7 @@ Subject: [PATCH] Add crypto backend foundation
src/crypto/tls/handshake_server.go | 25 ++-
src/crypto/tls/handshake_server_tls13.go | 10 +
src/crypto/tls/key_schedule.go | 18 +-
src/crypto/tls/prf.go | 77 +++++---
src/crypto/tls/prf.go | 77 ++++---
src/crypto/tls/prf_test.go | 12 +-
src/crypto/x509/boring_test.go | 5 +
src/go/build/deps_test.go | 4 +
@@ -60,7 +62,7 @@ Subject: [PATCH] Add crypto backend foundation
src/hash/notboring_test.go | 5 +
src/net/smtp/smtp_test.go | 72 ++++---
src/runtime/runtime_boring.go | 5 +
56 files changed, 893 insertions(+), 106 deletions(-)
57 files changed, 914 insertions(+), 106 deletions(-)
create mode 100644 src/crypto/ed25519/boring.go
create mode 100644 src/crypto/ed25519/notboring.go
create mode 100644 src/crypto/internal/backend/backend_test.go
@@ -144,6 +146,37 @@ index 04b73e7d3bf758..0891652a4566fb 100644

c := new(tripleDESCipher)
c.cipher1.generateSubkeys(key[:8])
diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
index 4524bd492feba0..3937865aee7ef8 100644
--- a/src/crypto/dsa/dsa.go
+++ b/src/crypto/dsa/dsa.go
@@ -18,6 +18,8 @@ import (
"io"
"math/big"

+ boring "crypto/internal/backend"
+ "crypto/internal/backend/bbig"
"crypto/internal/randutil"
)

@@ -86,6 +88,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes
return errors.New("crypto/dsa: invalid ParameterSizes")
}

+ if boring.Enabled && boring.SupportsDSA(L, N) {
+ p, q, g, err := boring.GenerateDSAParameters(L, N)
+ if err != nil {
+ return err
+ }
+ params.P = bbig.Dec(p)
+ params.Q = bbig.Dec(q)
+ params.G = bbig.Dec(g)
+ return nil
+ }
+
qBytes := make([]byte, N/8)
pBytes := make([]byte, L/8)

diff --git a/src/crypto/ecdh/ecdh.go b/src/crypto/ecdh/ecdh.go
index b7c26f91e57f02..7a12e2bbaaafd1 100644
--- a/src/crypto/ecdh/ecdh.go
@@ -657,10 +690,10 @@ index 00000000000000..e5d7570d6d4363
+const isRequireFIPS = true
diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
new file mode 100644
index 00000000000000..08600a2c833ac7
index 00000000000000..9204848708436e
--- /dev/null
+++ b/src/crypto/internal/backend/nobackend.go
@@ -0,0 +1,193 @@
@@ -0,0 +1,201 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
@@ -706,8 +739,8 @@ index 00000000000000..08600a2c833ac7
+
+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("cryptobackend: not available") }
+
+func NewAESCipher(key []byte) (cipher.Block, error) { panic("cryptobackend: not available") }
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
+func NewAESCipher(key []byte) (cipher.Block, error) { panic("cryptobackend: not available") }
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { panic("cryptobackend: not available") }
+
+type PublicKeyECDSA struct{ _ int }
@@ -854,6 +887,14 @@ index 00000000000000..08600a2c833ac7
+func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
+ panic("cryptobackend: not available")
+}
+
+func SupportsDSA(l, n int) bool {
+ panic("cryptobackend: not available")
+}
+
+func GenerateDSAParameters(l, n int) (p, q, g BigInt, err error) {
+ panic("cryptobackend: not available")
+}
diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go
new file mode 100644
index 00000000000000..26bfb5f6a643f3
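Review bot: In the `GenerateParameters` hunk of src/crypto/dsa/dsa.go, the backend branch never looks at the caller's `rand`, so a caller that passes its own reader gets parameters drawn from the backend's random source with no indication that the argument was bypassed. Upstream's boring-gated paths usually also require `rand == boring.RandReader` before delegating; if that convention is meant to hold here, the condition would read `if boring.Enabled && rand == boring.RandReader && boring.SupportsDSA(L, N) {`. If ignoring `rand` is intentional, a comment such as `// rand is ignored: the backend draws from its own random source` should record the decision. The function body continues outside the hunk.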
20 changes: 14 additions & 6 deletions patches/0003-Add-BoringSSL-crypto-backend.patch
@@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend

---
.../internal/backend/bbig/big_boring.go | 12 +
src/crypto/internal/backend/boring_linux.go | 225 ++++++++++++++++++
2 files changed, 237 insertions(+)
src/crypto/internal/backend/boring_linux.go | 233 ++++++++++++++++++
2 files changed, 245 insertions(+)
create mode 100644 src/crypto/internal/backend/bbig/big_boring.go
create mode 100644 src/crypto/internal/backend/boring_linux.go

@@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0
+var Dec = bbig.Dec
diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go
new file mode 100644
index 00000000000000..7c5fbeea717618
index 00000000000000..6cecf976fa6a9b
--- /dev/null
+++ b/src/crypto/internal/backend/boring_linux.go
@@ -0,0 +1,225 @@
@@ -0,0 +1,233 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
@@ -82,8 +82,8 @@ index 00000000000000..7c5fbeea717618
+
+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { return boring.NewHMAC(h, key) }
+
+func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) }
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) }
+func NewAESCipher(key []byte) (cipher.Block, error) { return boring.NewAESCipher(key) }
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS(c) }
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { return boring.NewGCMTLS13(c) }
+
+type PublicKeyECDSA = boring.PublicKeyECDSA
@@ -259,3 +259,11 @@ index 00000000000000..7c5fbeea717618
+func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
+ panic("cryptobackend: not available")
+}
+
+func SupportsDSA(l, n int) bool {
+ return false
mertakman marked this conversation as resolved.
+}
+
+func GenerateDSAParameters(l, n int) (p, q, g boring.BigInt, err error) {
+ panic("cryptobackend: not available")
+}
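Review bot: The new `SupportsDSA` / `GenerateDSAParameters` pair in boring_linux.go has an undocumented calling contract: `GenerateDSAParameters` panics unconditionally, and that is only safe because `SupportsDSA` returns false and the crypto/dsa caller checks it first. Doc comments would make this explicit, for example `// SupportsDSA reports whether the backend can generate DSA parameters for the given sizes; this backend never can.` and `// GenerateDSAParameters must only be called when SupportsDSA(l, n) is true.` The same contract applies to the stubs added in nobackend.go and to the OpenSSL and CNG wrappers, none of which carry a comment either.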
21 changes: 15 additions & 6 deletions patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
src/crypto/ecdsa/notboring.go | 2 +-
src/crypto/internal/backend/bbig/big.go | 2 +-
.../internal/backend/bbig/big_openssl.go | 12 +
src/crypto/internal/backend/openssl_linux.go | 323 ++++++++++++++++++
src/crypto/internal/backend/openssl_linux.go | 332 ++++++++++++++++++
src/crypto/internal/boring/fipstls/stub.s | 2 +-
src/crypto/internal/boring/fipstls/tls.go | 2 +-
src/crypto/rsa/boring.go | 2 +-
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
.../goexperiment/exp_opensslcrypto_on.go | 9 +
src/internal/goexperiment/flags.go | 1 +
src/os/exec/exec_test.go | 9 +
36 files changed, 408 insertions(+), 25 deletions(-)
36 files changed, 417 insertions(+), 25 deletions(-)
create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go
create mode 100644 src/crypto/internal/backend/openssl_linux.go
create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go
@@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02
+var Dec = bbig.Dec
diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
new file mode 100644
index 00000000000000..69af0ffe2fcf80
index 00000000000000..7ff09906b8d07b
--- /dev/null
+++ b/src/crypto/internal/backend/openssl_linux.go
@@ -0,0 +1,323 @@
@@ -0,0 +1,332 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
@@ -520,6 +520,15 @@ index 00000000000000..69af0ffe2fcf80
+func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
+ return openssl.VerifyEd25519(pub, message, sig)
+}
+
+func SupportsDSA(l, n int) bool {
+ return openssl.SupportsDSA()
+}
+
+func GenerateDSAParameters(l, n int) (p, q, g openssl.BigInt, err error) {
+ params, err := openssl.GenerateDSAParameters(l, n)
+ return params.P, params.Q, params.G, err
+}
diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s
index f2e5a503eaacb6..1dc7116efdff2e 100644
--- a/src/crypto/internal/boring/fipstls/stub.s
@@ -586,10 +595,10 @@ index 34c22c8fbba7da..933ac569e034a8 100644
package rsa

diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
index 86466e67e87eeb..dbcc1bec58bd46 100644
index c6294694521c69..ab99b176ac9540 100644
--- a/src/crypto/rsa/rsa_test.go
+++ b/src/crypto/rsa/rsa_test.go
@@ -690,6 +690,9 @@ func TestDecryptOAEP(t *testing.T) {
@@ -700,6 +700,9 @@ func TestDecryptOAEP(t *testing.T) {
}

func Test2DecryptOAEP(t *testing.T) {
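Review bot: `GenerateDSAParameters` in openssl_linux.go reads `params.P`, `params.Q` and `params.G` before looking at `err`, unlike the CNG wrapper in this PR, which returns early on failure. The type returned by `openssl.GenerateDSAParameters` is not visible here; if it is a pointer that is nil on error, this line panics instead of reporting the error. Checking first with `if err != nil { return nil, nil, nil, err }` and then returning `params.P, params.Q, params.G, nil` removes that dependency. Separately, `SupportsDSA` discards `l` and `n`, so every size pair crypto/dsa accepts is forwarded to OpenSSL; presumably a pair the loaded provider rejects (for instance under a FIPS policy) then surfaces as an error rather than falling back to the Go implementation.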
22 changes: 17 additions & 5 deletions patches/0005-Add-CNG-crypto-backend.patch
@@ -7,13 +7,13 @@ Subject: [PATCH] Add CNG crypto backend
src/cmd/api/boring_test.go | 2 +-
src/cmd/go/go_boring_test.go | 2 +-
src/crypto/boring/boring.go | 2 +-
src/crypto/ecdsa/badlinkname.go | 17 ++
src/crypto/ecdsa/badlinkname.go | 17 +
src/crypto/ecdsa/boring.go | 2 +-
src/crypto/ecdsa/notboring.go | 2 +-
src/crypto/internal/backend/backend_test.go | 4 +-
src/crypto/internal/backend/bbig/big.go | 2 +-
src/crypto/internal/backend/bbig/big_cng.go | 12 +
src/crypto/internal/backend/cng_windows.go | 280 ++++++++++++++++++
src/crypto/internal/backend/cng_windows.go | 292 ++++++++++++++++++
src/crypto/internal/backend/common.go | 13 +-
src/crypto/internal/boring/fipstls/stub.s | 2 +-
src/crypto/internal/boring/fipstls/tls.go | 2 +-
@@ -40,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend
.../goexperiment/exp_cngcrypto_off.go | 9 +
src/internal/goexperiment/exp_cngcrypto_on.go | 9 +
src/internal/goexperiment/flags.go | 1 +
36 files changed, 375 insertions(+), 27 deletions(-)
36 files changed, 387 insertions(+), 27 deletions(-)
create mode 100644 src/crypto/ecdsa/badlinkname.go
create mode 100644 src/crypto/internal/backend/bbig/big_cng.go
create mode 100644 src/crypto/internal/backend/cng_windows.go
@@ -183,10 +183,10 @@ index 00000000000000..92623031fd87d0
+var Dec = bbig.Dec
diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go
new file mode 100644
index 00000000000000..3d3d13709de5ac
index 00000000000000..6c62c79982bdd6
--- /dev/null
+++ b/src/crypto/internal/backend/cng_windows.go
@@ -0,0 +1,280 @@
@@ -0,0 +1,292 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
@@ -467,6 +467,18 @@ index 00000000000000..3d3d13709de5ac
+func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
+ panic("cryptobackend: not available")
+}
+
+func SupportsDSA(l, n int) bool {
+ return n != 224
Member

@dagood dagood Nov 27, 2024


It seems unusual to me to support all sizes except for one... add a comment? Or add a cng.SupportsDSA function to the CNG backend repo and call that to let it decide and document this instead?

Contributor


Agree that this deserves a comment. Having cng.SupportsDSA might be overkill for now.

+}
+
+func GenerateDSAParameters(l, n int) (p, q, g cng.BigInt, err error) {
+ params, err := cng.GenerateDSAParameters(l)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ return params.P, params.Q, params.G, nil
+}
diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go
index bc595e91024f11..7766d674f5cfaf 100644
--- a/src/crypto/internal/backend/common.go
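Review bot: `GenerateDSAParameters` in cng_windows.go accepts `n` but passes only `l` to `cng.GenerateDSAParameters`, so the subgroup size is whatever the backend derives from `l`. Nothing on this path confirms that the returned Q is actually `n` bits, and the caller in crypto/dsa stores the decoded value straight into `params.Q`. Consider validating it at the call site, e.g. `if params.Q.BitLen() != N` return an error after `bbig.Dec`, so a mismatch between the `SupportsDSA` filter and what the generator produces fails loudly instead of yielding parameters of an unexpected size.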