openssl: implement cgoless wrappers for C functions

.github/workflows/test.yml

@@ -5,120 +5,127 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.23.x, 1.24.x]
-        openssl-version: [1.1.0, 1.1.1, 3.0.1, 3.0.13, 3.1.5, 3.2.1, 3.3.0, 3.3.1]
+        go-version: [1.24.x, 1.25.x]
+        openssl-version:
+          [1.1.0, 1.1.1, 3.0.1, 3.0.13, 3.1.5, 3.2.1, 3.3.0, 3.3.1]
     runs-on: ubuntu-22.04
     steps:
-    - name: Install build tools
-      run: sudo apt-get install -y build-essential
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Verify go generate leaves no changes
-      run: |
-        go generate ./...
-        git diff --exit-code
-    - name: Install OpenSSL
-      run: sudo sh ./scripts/openssl.sh ${{ matrix.openssl-version }}
-    - name: Check headers
-      working-directory: ./cmd/checkheader
-      run: |
-        go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../internal/ossl/shims.h
-    - name: Set OpenSSL config and prove FIPS
-      run: |
-        sudo cp ./scripts/openssl-3.cnf /usr/local/ssl/openssl.cnf
-        go test -v -count 0 . | grep -q "FIPS enabled: true"
-      if: ${{ matrix.openssl-version == '3.0.1' }}
-      env:
-        GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
-    - name: Run Test
-      # Run each test 10 times so the garbage collector chimes in 
-      # and exercises the multiple finalizers we use.
-      # This can detect use-after-free and double-free issues.
-      run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
-      env:
-        GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
-    - name: Run Test with address sanitizer
-      run: |
-        ok=true
-        for t in $(go test ./... -list=. | grep '^Test'); do
-          go test ./... -gcflags=all=-d=checkptr -asan -run ^$t$ -v || ok=false
-        done
-        $ok
-      env:
-        GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Install build tools
+        run: sudo apt-get install -y build-essential
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Verify go generate leaves no changes
+        run: |
+          go generate ./...
+          git diff --exit-code
+      - name: Install OpenSSL
+        run: sudo sh ./scripts/openssl.sh ${{ matrix.openssl-version }}
+      - name: Check headers
+        working-directory: ./cmd/checkheader
+        run: |
+          go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../internal/ossl/shims.h
+      - name: Set OpenSSL config and prove FIPS
+        run: |
+          sudo cp ./scripts/openssl-3.cnf /usr/local/ssl/openssl.cnf
+          go test -v -count 0 . | grep -q "FIPS enabled: true"
+        if: ${{ matrix.openssl-version == '3.0.1' }}
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Run Test
+        # Run each test 10 times so the garbage collector chimes in
+        # and exercises the multiple finalizers we use.
+        # This can detect use-after-free and double-free issues.
+        run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+          CGO_ENABLED: 0
+      - name: Run Test CGO disabled
+        run: go test -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Run Test with address sanitizer
+        run: |
+          ok=true
+          for t in $(go test ./... -list=. | grep '^Test'); do
+            go test ./... -gcflags=all=-d=checkptr -asan -run ^$t$ -v || ok=false
+          done
+          $ok
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+
   wintest:
     runs-on: windows-2022
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.22.x, 1.23.x]
+        go-version: [1.24.x, 1.25.x]
         openssl-version: [libcrypto-1_1-x64.dll, libcrypto-3-x64.dll]
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Run Test
-      run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
-      env:
-        GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Test
+        run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+          CGO_ENABLED: 1
+      - name: Run Test CGO disabled
+        run: go test -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+          CGO_ENABLED: 0
+
   mactest:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.22.x, 1.23.x]
+        go-version: [1.24.x, 1.25.x]
         openssl-version: [/usr/local/opt/openssl@3/lib/libcrypto.3.dylib]
     runs-on: macos-13
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Run Test
-      run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
-      env:
-        GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run Test
+        run: go test -gcflags=all=-d=checkptr -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+      - name: Run Test CGO disabled
+        run: go test -count 10 -v ./...
+        env:
+          GO_OPENSSL_VERSION_OVERRIDE: ${{ matrix.openssl-version }}
+          CGO_ENABLED: 0
+
   azurelinux:
     runs-on: ubuntu-latest
     container: mcr.microsoft.com/oss/go/microsoft/golang:1.23-azurelinux3.0
     steps:
-    - name: Checkout code
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - name: Run Test
-      run: go test -v ./...
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Run Test
+        run: go test -v ./...
+      - name: Run Test CGO disabled
+        run: go test -v ./...
+        env:
+          CGO_ENABLED: 0
+
   mariner2:
     runs-on: ubuntu-latest
     container: mcr.microsoft.com/oss/go/microsoft/golang:1.23.1-3-cbl-mariner2.0
     steps:
-    - name: Checkout code
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - name: Run Test
-      run: go test -v ./...
-
-  # Verify that golang-fips/openssl builds successfully without cgo enabled.
-  #
-  # A project can avoid attempting to build the openssl package by only
-  # importing it from Go files with a cgo build tag. However, this isn't always
-  # reasonable. In that case, we can help by making sure the openssl package
-  # builds successfully even without cgo.
-  #
-  # For example, the Microsoft build of Go compiles this module without cgo when
-  # running a cross-platform build.
-  #
-  # The golang-fips/openssl module can't do any crypto when built without cgo,
-  # but it exports a few simple functions and types.
-  cgolessbuild:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - name: Run Build
-      run: CGO_ENABLED=0 go build ./...
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Run Test  CGO disabled
+        run: go test -v ./...
+        env:
+          CGO_ENABLED: 0

aes.go

@@ -2,7 +2,6 @@
 
 package openssl
 
-import "C"
 import (
 	"crypto/cipher"
 	"errors"

cipher.go

@@ -2,8 +2,6 @@
 
 package openssl
 
-import "C"
-
 import (
 	"crypto/cipher"
 	"errors"

cmd/checkheader/main.go

@@ -28,7 +28,7 @@ import (
 
 const description = `
 Example: A check operation:
-  go run ./cmd/checkheader --ossl-include /usr/local/src/openssl-1.1.1/include -shim ./internal/ossl/shims.h 
+  go run ./cmd/checkheader --ossl-include /usr/local/src/openssl-1.1.1/include -shim ./internal/ossl/shims.h
 Checkheader generates a C program and compiles it with gcc. The compilation verifies types and functions defined in the target
 header file match the definitions in --ossl-include.
 `
@@ -119,15 +119,17 @@ func generate(header string) (string, error) {
 	}
 
 	for _, enum := range src.Enums {
-		if enum.Name == "_EVP_PKEY_OP_DERIVE" {
-			// This is defined differently in OpenSSL 3,
-			// but in our code it is only used in OpenSSL 1.
-			continue
+		for _, enumValue := range enum.Values {
+			if enumValue.Name == "_EVP_PKEY_OP_DERIVE" {
+				// This is defined differently in OpenSSL 3,
+				// but in our code it is only used in OpenSSL 1.
+				continue
+			}
+			name := strings.TrimPrefix(enumValue.Name, "_")
+			fmt.Fprintf(w, "#ifdef %s\n", name)
+			fmt.Fprintf(w, "_Static_assert(%s == %s, \"%s\");\n", enumValue.Value, name, enumValue.Name)
+			fmt.Fprintln(w, "#endif")
 		}
-		name := strings.TrimPrefix(enum.Name, "_")
-		fmt.Fprintf(w, "#ifdef %s\n", name)
-		fmt.Fprintf(w, "_Static_assert(%s == %s, \"%s\");\n", enum.Value, name, enum.Name)
-		fmt.Fprintln(w, "#endif")
 	}
 
 	for _, def := range src.TypeDefs {

cmd/genaesmodes/main.go

@@ -39,7 +39,7 @@ func main() {
 	if gopackage := os.Getenv("GOPACKAGE"); gopackage != "" {
 		pkg = gopackage
 	}
-	fmt.Fprint(&b, "//go:build cgo && !cmd_go_bootstrap\n\n")
+	fmt.Fprint(&b, "//go:build !cmd_go_bootstrap\n\n")
 	fmt.Fprintf(&b, "package %s\n\n", pkg)
 	fmt.Fprint(&b, `import "crypto/cipher"`+"\n\n")