From 8b13c6647667d72321404d80a095ccba7c16a84e Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Thu, 31 Mar 2022 13:12:32 -0500
Subject: [PATCH] Rearrange FIPS patches, start at 0100
---
...gopath_std_vendor-vendored-OpenSSL-m.patch | 37 --
...h => 0100-Add-OpenSSL-crypto-module.patch} | 394 ++----------------
patches/0101-Integrate-OpenSSL-module.patch | 321 ++++++++++++++
... 0102-Vendor-OpenSSL-crypto-library.patch} | 31 +-
...-Go-tests-to-work-with-crypto-module.patch | 73 ++++
5 files changed, 425 insertions(+), 431 deletions(-)
delete mode 100644 patches/0004-Skip-TestScript-gopath_std_vendor-vendored-OpenSSL-m.patch
rename patches/{0003-Integrate-OpenSSL-crypto-module.patch => 0100-Add-OpenSSL-crypto-module.patch} (50%)
create mode 100644 patches/0101-Integrate-OpenSSL-module.patch
rename patches/{0002-Add-vendored-go-crypto-openssl-module.patch => 0102-Vendor-OpenSSL-crypto-library.patch} (98%)
create mode 100644 patches/0103-Adjust-Go-tests-to-work-with-crypto-module.patch
diff --git a/patches/0004-Skip-TestScript-gopath_std_vendor-vendored-OpenSSL-m.patch b/patches/0004-Skip-TestScript-gopath_std_vendor-vendored-OpenSSL-m.patch
deleted file mode 100644
index ad26dc410ad..00000000000
--- a/patches/0004-Skip-TestScript-gopath_std_vendor-vendored-OpenSSL-m.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: microsoft-golang-bot -Date: Tue, 15 Mar 2022 18:30:30 -0500 -Subject: [PATCH] Skip TestScript/gopath_std_vendor: vendored OpenSSL module - interferes - -This test's program is only intended to import -golang.org/x/net/http2/hpack. However, it ends up importing -github.com/microsoft/go-crypto-openssl, too, starting in go1.18. This is -caused by the fuzz testing functionality. The dependency chain is: - -internal/fuzz -> crypto/sha256 -> crypto/internal/backend -> -vendor/github.com/microsoft/go-crypto-openssl/openssl - -The gopath_std_vendor test doesn't test specifically for -golang.org/x/net/http2/hpack import when checking dependency paths, so -the vendored openssl module interferes and makes the test fail. - -Skip the test entirely, for now: we are unlikely to cause a regression -in this functionality in the microsoft/go repository. See -https://github.com/microsoft/go/issues/481 ---- - src/cmd/go/testdata/script/gopath_std_vendor.txt | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt -index a0a41a50de..8c39d9a2bd 100644 ---- a/src/cmd/go/testdata/script/gopath_std_vendor.txt -+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt -@@ -1,6 +1,7 @@ - env GO111MODULE=off - - [!gc] skip -+skip 'This test uses a test program that is intended to import no vendored libraries other than golang.org/x/net/http2/hpack, but this is not true in microsoft/go boring 1.18+. https://github.com/microsoft/go/issues/481' - - go list -f '{{.Dir}}' vendor/golang.org/x/net/http2/hpack - stdout $GOPATH[/\\]src[/\\]vendor 
diff --git a/patches/0003-Integrate-OpenSSL-crypto-module.patch b/patches/0100-Add-OpenSSL-crypto-module.patch similarity index 50% rename from patches/0003-Integrate-OpenSSL-crypto-module.patch rename to patches/0100-Add-OpenSSL-crypto-module.patch index 152f5bbd23b..64e74abf787 100644 --- a/patches/0003-Integrate-OpenSSL-crypto-module.patch +++ b/patches/0100-Add-OpenSSL-crypto-module.patch @@ -1,159 +1,22 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
From: microsoft-golang-bot -Date: Thu, 27 Jan 2022 11:45:14 -0600 -Subject: [PATCH] Integrate OpenSSL crypto module +Date: Thu, 31 Mar 2022 13:09:04 -0500 +Subject: [PATCH] Add OpenSSL crypto module +github.com/microsoft/go-infra/cmd/git-go-patch command: patch number 0100 --- - src/cmd/link/internal/ld/lib.go | 2 +- - src/crypto/aes/cipher.go | 2 +- - src/crypto/aes/cipher_asm.go | 2 +- - src/crypto/boring/boring.go | 2 +- - src/crypto/boring/boring_test.go | 1 + - src/crypto/ecdsa/boring.go | 2 +- - src/crypto/ecdsa/ecdsa.go | 2 +- - src/crypto/hmac/hmac.go | 2 +- - src/crypto/hmac/hmac_test.go | 2 +- src/crypto/internal/backend/backend_test.go | 30 ++++ src/crypto/internal/backend/dummy.s | 10 ++ src/crypto/internal/backend/nobackend.go | 112 ++++++++++++++ src/crypto/internal/backend/openssl_linux.go | 145 +++++++++++++++++++ - src/crypto/rand/rand_unix.go | 2 +- - src/crypto/rsa/boring.go | 2 +- - src/crypto/rsa/pkcs1v15.go | 2 +- - src/crypto/rsa/pss.go | 2 +- - src/crypto/rsa/rsa.go | 2 +- - src/crypto/rsa/rsa_test.go | 2 +- - src/crypto/sha1/boring.go | 4 +- - src/crypto/sha1/sha1_test.go | 2 +- - src/crypto/sha256/sha256.go | 2 +- - src/crypto/sha256/sha256_test.go | 2 +- - src/crypto/sha512/sha512.go | 2 +- - src/crypto/sha512/sha512_test.go | 2 +- - src/crypto/tls/cipher_suites.go | 2 +- - src/go/build/deps_test.go | 13 +- - src/runtime/runtime_boring.go | 5 + - 28 files changed, 335 insertions(+), 25 deletions(-) + src/go.mod | 1 + + src/go.sum | 2 + + 6 files changed, 300 insertions(+) create mode 100644 src/crypto/internal/backend/backend_test.go create mode 100644 src/crypto/internal/backend/dummy.s create mode 100644 src/crypto/internal/backend/nobackend.go create mode 100644 src/crypto/internal/backend/openssl_linux.go -diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go -index 5b82dc287d..0e88b3ac94 100644 ---- a/src/cmd/link/internal/ld/lib.go -+++ b/src/cmd/link/internal/ld/lib.go -@@ -1015,7 +1015,7 @@ var hostobj 
[]Hostobj - // These packages can use internal linking mode. - // Others trigger external mode. - var internalpkg = []string{ -- "crypto/internal/boring", -+ "vendor/github.com/microsoft/go-crypto-openssl/openssl", - "crypto/x509", - "net", - "os/user", -diff --git a/src/crypto/aes/cipher.go b/src/crypto/aes/cipher.go -index 29d01796eb..f3680ad6b4 100644 ---- a/src/crypto/aes/cipher.go -+++ b/src/crypto/aes/cipher.go -@@ -10,7 +10,7 @@ import ( - "strconv" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // The AES block size in bytes. - const BlockSize = 16 -diff --git a/src/crypto/aes/cipher_asm.go b/src/crypto/aes/cipher_asm.go -index ecc6ccbbfb..a8860527fa 100644 ---- a/src/crypto/aes/cipher_asm.go -+++ b/src/crypto/aes/cipher_asm.go -@@ -12,7 +12,7 @@ import ( - "internal/cpu" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // defined in asm_*.s - -diff --git a/src/crypto/boring/boring.go b/src/crypto/boring/boring.go -index 19e2a0876f..2829231f4a 100644 ---- a/src/crypto/boring/boring.go -+++ b/src/crypto/boring/boring.go -@@ -11,7 +11,7 @@ - // is satisfied, so that applications can tag files that use this package. - package boring - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // Enabled reports whether BoringCrypto handles supported crypto operations. 
- func Enabled() bool { -diff --git a/src/crypto/boring/boring_test.go b/src/crypto/boring/boring_test.go -index ace50de0c2..83ef05d872 100644 ---- a/src/crypto/boring/boring_test.go -+++ b/src/crypto/boring/boring_test.go -@@ -11,6 +11,7 @@ import ( - ) - - func TestEnabled(t *testing.T) { -+ t.Skip("upstream assumes boring is enabled at build time, we don't") - supportedPlatform := runtime.GOOS == "linux" && runtime.GOARCH == "amd64" - if supportedPlatform && !boring.Enabled() { - t.Error("Enabled returned false on a supported platform") -diff --git a/src/crypto/ecdsa/boring.go b/src/crypto/ecdsa/boring.go -index fa15ecb850..92c42e28d5 100644 ---- a/src/crypto/ecdsa/boring.go -+++ b/src/crypto/ecdsa/boring.go -@@ -5,7 +5,7 @@ - package ecdsa - - import ( -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "math/big" - "sync/atomic" - "unsafe" -diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go -index c1dd32a2d8..1471ec44fa 100644 ---- a/src/crypto/ecdsa/ecdsa.go -+++ b/src/crypto/ecdsa/ecdsa.go -@@ -35,7 +35,7 @@ import ( - ) - - import ( -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "unsafe" - ) - -diff --git a/src/crypto/hmac/hmac.go b/src/crypto/hmac/hmac.go -index 34805765d5..79fd58d0da 100644 ---- a/src/crypto/hmac/hmac.go -+++ b/src/crypto/hmac/hmac.go -@@ -26,7 +26,7 @@ import ( - "hash" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // FIPS 198-1: - // https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf -diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go -index 55415abf02..904925377b 100644 ---- a/src/crypto/hmac/hmac_test.go -+++ b/src/crypto/hmac/hmac_test.go -@@ -6,7 +6,7 @@ package hmac - - import ( - "bytes" -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "crypto/md5" - "crypto/sha1" - "crypto/sha256" 
diff --git a/src/crypto/internal/backend/backend_test.go b/src/crypto/internal/backend/backend_test.go new file mode 100644 index 0000000000..c2c06d3bff 
@@ -475,228 +338,25 @@ index 0000000000..9fa156894a +var SignRSAPSS = openssl.SignRSAPSS +var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15 +var VerifyRSAPSS = openssl.VerifyRSAPSS -diff --git a/src/crypto/rand/rand_unix.go b/src/crypto/rand/rand_unix.go -index 28f2f5b58b..8112183bfa 100644 ---- a/src/crypto/rand/rand_unix.go -+++ b/src/crypto/rand/rand_unix.go -@@ -22,7 +22,7 @@ import ( - "time" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - const urandomDevice = "/dev/urandom" - -diff --git a/src/crypto/rsa/boring.go b/src/crypto/rsa/boring.go -index 0f362a2f16..856bc26aea 100644 ---- a/src/crypto/rsa/boring.go -+++ b/src/crypto/rsa/boring.go -@@ -5,7 +5,7 @@ - package rsa - - import ( -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "math/big" - "sync/atomic" - "unsafe" -diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go -index 213ddb4add..5a44b4a71c 100644 ---- a/src/crypto/rsa/pkcs1v15.go -+++ b/src/crypto/rsa/pkcs1v15.go -@@ -14,7 +14,7 @@ import ( - "crypto/internal/randutil" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // This file implements encryption and decryption using PKCS #1 v1.5 padding. 
- -diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go -index 16ebc0e6a7..54afa8992e 100644 ---- a/src/crypto/rsa/pss.go -+++ b/src/crypto/rsa/pss.go -@@ -15,7 +15,7 @@ import ( - "math/big" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - // Per RFC 8017, Section 9.1 - // -diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go -index eef967f826..550e66fdd9 100644 ---- a/src/crypto/rsa/rsa.go -+++ b/src/crypto/rsa/rsa.go -@@ -36,7 +36,7 @@ import ( - ) - - import ( -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "unsafe" +diff --git a/src/go.mod b/src/go.mod +index bd6308add0..2e8b0faca8 100644 +--- a/src/go.mod ++++ b/src/go.mod +@@ -3,6 +3,7 @@ module std + go 1.18 + + require ( ++ github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71 + golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 + golang.org/x/net v0.0.0-20211209124913-491a49abca63 ) - -diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go -index 766d9a954f..f2602b94ab 100644 ---- a/src/crypto/rsa/rsa_test.go -+++ b/src/crypto/rsa/rsa_test.go -@@ -15,7 +15,7 @@ import ( - "testing" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - func TestKeyGeneration(t *testing.T) { - for _, size := range []int{128, 1024, 2048, 3072} { -diff --git a/src/crypto/sha1/boring.go b/src/crypto/sha1/boring.go -index 1cacf93f9b..0d4305f379 100644 ---- a/src/crypto/sha1/boring.go -+++ b/src/crypto/sha1/boring.go -@@ -12,11 +12,11 @@ - package sha1 - - import ( -- "crypto/internal/boring" -+ boring "crypto/internal/backend" - "hash" - ) - --const boringEnabled = boring.Enabled -+var boringEnabled = boring.Enabled - - func boringNewSHA1() hash.Hash { return boring.NewSHA1() } - -diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go -index f1a5448dd2..f5a8fe053d 100644 ---- a/src/crypto/sha1/sha1_test.go -+++ b/src/crypto/sha1/sha1_test.go -@@ -16,7 +16,7 @@ import ( - 
"testing" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - type sha1Test struct { - out string -diff --git a/src/crypto/sha256/sha256.go b/src/crypto/sha256/sha256.go -index 465d00e0e6..cec4a49c8c 100644 ---- a/src/crypto/sha256/sha256.go -+++ b/src/crypto/sha256/sha256.go -@@ -13,7 +13,7 @@ import ( - "hash" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - func init() { - crypto.RegisterHash(crypto.SHA224, New224) -diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go -index a762afc4d9..a30ad62f89 100644 ---- a/src/crypto/sha256/sha256_test.go -+++ b/src/crypto/sha256/sha256_test.go -@@ -16,7 +16,7 @@ import ( - "testing" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - type sha256Test struct { - out string -diff --git a/src/crypto/sha512/sha512.go b/src/crypto/sha512/sha512.go -index 1285cca7ee..4ac54ad5aa 100644 ---- a/src/crypto/sha512/sha512.go -+++ b/src/crypto/sha512/sha512.go -@@ -17,7 +17,7 @@ import ( - "hash" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - func init() { - crypto.RegisterHash(crypto.SHA384, New384) -diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go -index 99d1423527..9042fc5337 100644 ---- a/src/crypto/sha512/sha512_test.go -+++ b/src/crypto/sha512/sha512_test.go -@@ -17,7 +17,7 @@ import ( - "testing" - ) - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - type sha512Test struct { - out string -diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go -index 76312984ab..98bbeb9c47 100644 ---- a/src/crypto/tls/cipher_suites.go -+++ b/src/crypto/tls/cipher_suites.go -@@ -4,7 +4,7 @@ - - package tls - --import "crypto/internal/boring" -+import boring "crypto/internal/backend" - - import ( - "crypto" -diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 
ed8ddcb307..0b5dbd3727 100644 ---- a/src/go/build/deps_test.go -+++ b/src/go/build/deps_test.go -@@ -416,7 +416,14 @@ var depsRules = ` - < crypto/ed25519/internal/edwards25519 - < crypto/cipher - < encoding/asn1 -- < crypto/internal/boring -+ < CRYPTO; -+ -+ CRYPTO < crypto/internal/boring; -+ -+ CRYPTO -+ < github.com/microsoft/go-crypto-openssl/openssl/internal/subtle -+ < github.com/microsoft/go-crypto-openssl/openssl -+ < crypto/internal/backend - < crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4, - crypto/sha1, crypto/sha256, crypto/sha512 - < crypto/rand -@@ -446,7 +453,7 @@ var depsRules = ` - crypto/internal/boring/sig, crypto/internal/boring/fipstls - < crypto/tls/fipsonly; - -- crypto/internal/boring -+ crypto/internal/backend - < crypto/boring; - - # crypto-aware packages -@@ -646,7 +653,7 @@ var buildIgnore = []byte("\n//go:build ignore") - - func findImports(pkg string) ([]string, error) { - vpkg := pkg -- if strings.HasPrefix(pkg, "golang.org") { -+ if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") { - vpkg = "vendor/" + pkg - } - dir := filepath.Join(Default.GOROOT, "src", vpkg) -diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go -index 5a98b20253..9042f2c279 100644 ---- a/src/runtime/runtime_boring.go -+++ b/src/runtime/runtime_boring.go -@@ -17,3 +17,8 @@ func boring_runtime_arg0() string { - - //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0 - func fipstls_runtime_arg0() string { return boring_runtime_arg0() } -+ -+//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0 -+func crypto_backend_runtime_arg0() string { -+ return boring_runtime_arg0() -+} +diff --git a/src/go.sum b/src/go.sum +index 8bf08531de..31448f838a 100644 +--- a/src/go.sum ++++ b/src/go.sum +@@ -1,3 +1,5 @@ ++github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71 h1:NO1CTk7yHEtgUjfV7eqU4+sRe8OHRqZAznWe8WpVj7I= 
++github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71/go.mod h1:rC+rtBU3m60UCQifBmpWII0VETfu78w6YGZQvVc0rd4= + golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= + golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= + golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY= diff --git a/patches/0101-Integrate-OpenSSL-module.patch b/patches/0101-Integrate-OpenSSL-module.patch new file mode 100644 index 00000000000..e22fb58837f --- /dev/null +++ b/patches/0101-Integrate-OpenSSL-module.patch 
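Review bot: The `require github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71` line and its two go.sum entries now arrive in 0100, while the vendored sources and the `src/vendor/modules.txt` update stay in 0102 (per that patch's diffstat). After applying only 0100 or 0101, src/go.mod names a module that vendor/ does not yet contain, and the new crypto/internal/backend package presumably imports it, so the tree is unlikely to build or bisect cleanly at those two points. If the split is intentional so that 0102 can be regenerated with `go mod vendor`, the 0100 description should say so, for example `Does not build on its own; apply 0102 (vendored sources) before building.`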
@@ -0,0 +1,321 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: microsoft-golang-bot +Date: Thu, 31 Mar 2022 13:10:24 -0500 +Subject: [PATCH] Integrate OpenSSL module + +--- + src/cmd/link/internal/ld/lib.go | 2 +- + src/crypto/aes/cipher.go | 2 +- + src/crypto/aes/cipher_asm.go | 2 +- + src/crypto/boring/boring.go | 2 +- + src/crypto/ecdsa/boring.go | 2 +- + src/crypto/ecdsa/ecdsa.go | 2 +- + src/crypto/hmac/hmac.go | 2 +- + src/crypto/hmac/hmac_test.go | 2 +- + src/crypto/rand/rand_unix.go | 2 +- + src/crypto/rsa/boring.go | 2 +- + src/crypto/rsa/pkcs1v15.go | 2 +- + src/crypto/rsa/pss.go | 2 +- + src/crypto/rsa/rsa.go | 2 +- + src/crypto/rsa/rsa_test.go | 2 +- + src/crypto/sha1/boring.go | 4 ++-- + src/crypto/sha1/sha1_test.go | 2 +- + src/crypto/sha256/sha256.go | 2 +- + src/crypto/sha256/sha256_test.go | 2 +- + src/crypto/sha512/sha512.go | 2 +- + src/crypto/sha512/sha512_test.go | 2 +- + src/crypto/tls/cipher_suites.go | 2 +- + src/runtime/runtime_boring.go | 5 +++++ + 22 files changed, 27 insertions(+), 22 deletions(-) + +diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go +index 5b82dc287d..0e88b3ac94 100644 +--- a/src/cmd/link/internal/ld/lib.go ++++ b/src/cmd/link/internal/ld/lib.go +@@ -1015,7 +1015,7 @@ var hostobj []Hostobj + // These packages can use internal linking mode. + // Others trigger external mode. + var internalpkg = []string{ +- "crypto/internal/boring", ++ "vendor/github.com/microsoft/go-crypto-openssl/openssl", + "crypto/x509", + "net", + "os/user", +diff --git a/src/crypto/aes/cipher.go b/src/crypto/aes/cipher.go +index 29d01796eb..f3680ad6b4 100644 +--- a/src/crypto/aes/cipher.go ++++ b/src/crypto/aes/cipher.go +@@ -10,7 +10,7 @@ import ( + "strconv" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // The AES block size in bytes. 
+ const BlockSize = 16 +diff --git a/src/crypto/aes/cipher_asm.go b/src/crypto/aes/cipher_asm.go +index ecc6ccbbfb..a8860527fa 100644 +--- a/src/crypto/aes/cipher_asm.go ++++ b/src/crypto/aes/cipher_asm.go +@@ -12,7 +12,7 @@ import ( + "internal/cpu" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // defined in asm_*.s + +diff --git a/src/crypto/boring/boring.go b/src/crypto/boring/boring.go +index 19e2a0876f..2829231f4a 100644 +--- a/src/crypto/boring/boring.go ++++ b/src/crypto/boring/boring.go +@@ -11,7 +11,7 @@ + // is satisfied, so that applications can tag files that use this package. + package boring + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // Enabled reports whether BoringCrypto handles supported crypto operations. + func Enabled() bool { +diff --git a/src/crypto/ecdsa/boring.go b/src/crypto/ecdsa/boring.go +index fa15ecb850..92c42e28d5 100644 +--- a/src/crypto/ecdsa/boring.go ++++ b/src/crypto/ecdsa/boring.go +@@ -5,7 +5,7 @@ + package ecdsa + + import ( +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "math/big" + "sync/atomic" + "unsafe" +diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go +index c1dd32a2d8..1471ec44fa 100644 +--- a/src/crypto/ecdsa/ecdsa.go ++++ b/src/crypto/ecdsa/ecdsa.go +@@ -35,7 +35,7 @@ import ( + ) + + import ( +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "unsafe" + ) + +diff --git a/src/crypto/hmac/hmac.go b/src/crypto/hmac/hmac.go +index 34805765d5..79fd58d0da 100644 +--- a/src/crypto/hmac/hmac.go ++++ b/src/crypto/hmac/hmac.go +@@ -26,7 +26,7 @@ import ( + "hash" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // FIPS 198-1: + // https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf +diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go +index 55415abf02..904925377b 100644 +--- a/src/crypto/hmac/hmac_test.go ++++ 
b/src/crypto/hmac/hmac_test.go +@@ -6,7 +6,7 @@ package hmac + + import ( + "bytes" +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "crypto/md5" + "crypto/sha1" + "crypto/sha256" +diff --git a/src/crypto/rand/rand_unix.go b/src/crypto/rand/rand_unix.go +index 28f2f5b58b..8112183bfa 100644 +--- a/src/crypto/rand/rand_unix.go ++++ b/src/crypto/rand/rand_unix.go +@@ -22,7 +22,7 @@ import ( + "time" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + const urandomDevice = "/dev/urandom" + +diff --git a/src/crypto/rsa/boring.go b/src/crypto/rsa/boring.go +index 0f362a2f16..856bc26aea 100644 +--- a/src/crypto/rsa/boring.go ++++ b/src/crypto/rsa/boring.go +@@ -5,7 +5,7 @@ + package rsa + + import ( +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "math/big" + "sync/atomic" + "unsafe" +diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go +index 213ddb4add..5a44b4a71c 100644 +--- a/src/crypto/rsa/pkcs1v15.go ++++ b/src/crypto/rsa/pkcs1v15.go +@@ -14,7 +14,7 @@ import ( + "crypto/internal/randutil" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // This file implements encryption and decryption using PKCS #1 v1.5 padding. 
+ +diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go +index 16ebc0e6a7..54afa8992e 100644 +--- a/src/crypto/rsa/pss.go ++++ b/src/crypto/rsa/pss.go +@@ -15,7 +15,7 @@ import ( + "math/big" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + // Per RFC 8017, Section 9.1 + // +diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go +index eef967f826..550e66fdd9 100644 +--- a/src/crypto/rsa/rsa.go ++++ b/src/crypto/rsa/rsa.go +@@ -36,7 +36,7 @@ import ( + ) + + import ( +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "unsafe" + ) + +diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go +index 766d9a954f..f2602b94ab 100644 +--- a/src/crypto/rsa/rsa_test.go ++++ b/src/crypto/rsa/rsa_test.go +@@ -15,7 +15,7 @@ import ( + "testing" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + func TestKeyGeneration(t *testing.T) { + for _, size := range []int{128, 1024, 2048, 3072} { +diff --git a/src/crypto/sha1/boring.go b/src/crypto/sha1/boring.go +index 1cacf93f9b..0d4305f379 100644 +--- a/src/crypto/sha1/boring.go ++++ b/src/crypto/sha1/boring.go +@@ -12,11 +12,11 @@ + package sha1 + + import ( +- "crypto/internal/boring" ++ boring "crypto/internal/backend" + "hash" + ) + +-const boringEnabled = boring.Enabled ++var boringEnabled = boring.Enabled + + func boringNewSHA1() hash.Hash { return boring.NewSHA1() } + +diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go +index f1a5448dd2..f5a8fe053d 100644 +--- a/src/crypto/sha1/sha1_test.go ++++ b/src/crypto/sha1/sha1_test.go +@@ -16,7 +16,7 @@ import ( + "testing" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + type sha1Test struct { + out string +diff --git a/src/crypto/sha256/sha256.go b/src/crypto/sha256/sha256.go +index 465d00e0e6..cec4a49c8c 100644 +--- a/src/crypto/sha256/sha256.go ++++ b/src/crypto/sha256/sha256.go +@@ -13,7 +13,7 @@ import ( + "hash" + ) + 
+-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + func init() { + crypto.RegisterHash(crypto.SHA224, New224) +diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go +index a762afc4d9..a30ad62f89 100644 +--- a/src/crypto/sha256/sha256_test.go ++++ b/src/crypto/sha256/sha256_test.go +@@ -16,7 +16,7 @@ import ( + "testing" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + type sha256Test struct { + out string +diff --git a/src/crypto/sha512/sha512.go b/src/crypto/sha512/sha512.go +index 1285cca7ee..4ac54ad5aa 100644 +--- a/src/crypto/sha512/sha512.go ++++ b/src/crypto/sha512/sha512.go +@@ -17,7 +17,7 @@ import ( + "hash" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + func init() { + crypto.RegisterHash(crypto.SHA384, New384) +diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go +index 99d1423527..9042fc5337 100644 +--- a/src/crypto/sha512/sha512_test.go ++++ b/src/crypto/sha512/sha512_test.go +@@ -17,7 +17,7 @@ import ( + "testing" + ) + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + type sha512Test struct { + out string +diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go +index 76312984ab..98bbeb9c47 100644 +--- a/src/crypto/tls/cipher_suites.go ++++ b/src/crypto/tls/cipher_suites.go +@@ -4,7 +4,7 @@ + + package tls + +-import "crypto/internal/boring" ++import boring "crypto/internal/backend" + + import ( + "crypto" +diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go +index 5a98b20253..9042f2c279 100644 +--- a/src/runtime/runtime_boring.go ++++ b/src/runtime/runtime_boring.go +@@ -17,3 +17,8 @@ func boring_runtime_arg0() string { + + //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0 + func fipstls_runtime_arg0() string { return boring_runtime_arg0() } ++ ++//go:linkname crypto_backend_runtime_arg0 
crypto/internal/backend.runtime_arg0 ++func crypto_backend_runtime_arg0() string { ++ return boring_runtime_arg0() ++} diff --git a/patches/0002-Add-vendored-go-crypto-openssl-module.patch b/patches/0102-Vendor-OpenSSL-crypto-library.patch similarity index 98% rename from patches/0002-Add-vendored-go-crypto-openssl-module.patch rename to patches/0102-Vendor-OpenSSL-crypto-library.patch index 04b18729723..51245d41635 100644 --- a/patches/0002-Add-vendored-go-crypto-openssl-module.patch +++ b/patches/0102-Vendor-OpenSSL-crypto-library.patch @@ -1,11 +1,10 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot -Date: Thu, 27 Jan 2022 11:44:32 -0600 -Subject: [PATCH] Add vendored go-crypto-openssl module +Date: Thu, 31 Mar 2022 13:10:45 -0500 +Subject: [PATCH] Vendor OpenSSL crypto library +To reproduce, run 'go mod vendor' in 'go/src'. --- - src/go.mod | 1 + - src/go.sum | 2 + .../microsoft/go-crypto-openssl/LICENSE | 21 + .../go-crypto-openssl/openssl/aes.go | 487 ++++++++++++++++++ .../go-crypto-openssl/openssl/apibridge_1_1.c | 291 +++++++++++ @@ -22,7 +21,7 @@ Subject: [PATCH] Add vendored go-crypto-openssl module .../go-crypto-openssl/openssl/rsa.go | 397 ++++++++++++++ .../go-crypto-openssl/openssl/sha.go | 477 +++++++++++++++++ src/vendor/modules.txt | 4 + - 18 files changed, 2939 insertions(+) + 16 files changed, 2936 insertions(+) create mode 100644 src/vendor/github.com/microsoft/go-crypto-openssl/LICENSE create mode 100644 src/vendor/github.com/microsoft/go-crypto-openssl/openssl/aes.go create mode 100644 src/vendor/github.com/microsoft/go-crypto-openssl/openssl/apibridge_1_1.c 
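Review bot: In the src/crypto/sha1/boring.go section, `var boringEnabled = boring.Enabled` replaces a compile-time constant with a package variable and carries no comment explaining why. The definition of `Enabled` in crypto/internal/backend is not visible in this hunk; if it is decided at run time, this copy is taken once during sha1's package initialisation, and any code in package sha1 can reassign it afterwards, which matters when the flag selects the validated implementation. I would add above the declaration: `// boringEnabled is a var because backend.Enabled is not a constant; it is read once at package init and must not be reassigned.`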
@@ -39,28 +38,6 @@ Subject: [PATCH] Add vendored go-crypto-openssl module create mode 100644 src/vendor/github.com/microsoft/go-crypto-openssl/openssl/rsa.go create mode 100644 src/vendor/github.com/microsoft/go-crypto-openssl/openssl/sha.go -diff --git a/src/go.mod b/src/go.mod -index bd6308add0..2e8b0faca8 100644 ---- a/src/go.mod -+++ b/src/go.mod -@@ -3,6 +3,7 @@ module std - go 1.18 - - require ( -+ github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71 - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 - golang.org/x/net v0.0.0-20211209124913-491a49abca63 - ) -diff --git a/src/go.sum b/src/go.sum -index 8bf08531de..31448f838a 100644 ---- a/src/go.sum -+++ b/src/go.sum -@@ -1,3 +1,5 @@ -+github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71 h1:NO1CTk7yHEtgUjfV7eqU4+sRe8OHRqZAznWe8WpVj7I= -+github.com/microsoft/go-crypto-openssl v0.0.0-20220124101237-183c44c3cf71/go.mod h1:rC+rtBU3m60UCQifBmpWII0VETfu78w6YGZQvVc0rd4= - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= - golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY= diff --git a/src/vendor/github.com/microsoft/go-crypto-openssl/LICENSE b/src/vendor/github.com/microsoft/go-crypto-openssl/LICENSE new file mode 100644 index 0000000000..9e841e7a26 diff --git a/patches/0103-Adjust-Go-tests-to-work-with-crypto-module.patch b/patches/0103-Adjust-Go-tests-to-work-with-crypto-module.patch new file mode 100644 index 00000000000..152690a3ecb --- /dev/null +++ b/patches/0103-Adjust-Go-tests-to-work-with-crypto-module.patch 
@@ -0,0 +1,73 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: microsoft-golang-bot +Date: Thu, 31 Mar 2022 13:11:06 -0500 +Subject: [PATCH] Adjust Go tests to work with crypto module + +--- + src/cmd/go/testdata/script/gopath_std_vendor.txt | 1 + + src/crypto/boring/boring_test.go | 1 + + src/go/build/deps_test.go | 13 ++++++++++--- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt +index a0a41a50de..8c39d9a2bd 100644 +--- a/src/cmd/go/testdata/script/gopath_std_vendor.txt ++++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt +@@ -1,6 +1,7 @@ + env GO111MODULE=off + + [!gc] skip ++skip 'This test uses a test program that is intended to import no vendored libraries other than golang.org/x/net/http2/hpack, but this is not true in microsoft/go boring 1.18+. https://github.com/microsoft/go/issues/481' + + go list -f '{{.Dir}}' vendor/golang.org/x/net/http2/hpack + stdout $GOPATH[/\\]src[/\\]vendor +diff --git a/src/crypto/boring/boring_test.go b/src/crypto/boring/boring_test.go +index ace50de0c2..83ef05d872 100644 +--- a/src/crypto/boring/boring_test.go ++++ b/src/crypto/boring/boring_test.go +@@ -11,6 +11,7 @@ import ( + ) + + func TestEnabled(t *testing.T) { ++ t.Skip("upstream assumes boring is enabled at build time, we don't") + supportedPlatform := runtime.GOOS == "linux" && runtime.GOARCH == "amd64" + if supportedPlatform && !boring.Enabled() { + t.Error("Enabled returned false on a supported platform") +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index ed8ddcb307..0b5dbd3727 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -416,7 +416,14 @@ var depsRules = ` + < crypto/ed25519/internal/edwards25519 + < crypto/cipher + < encoding/asn1 +- < crypto/internal/boring ++ < CRYPTO; ++ ++ CRYPTO < crypto/internal/boring; ++ ++ CRYPTO ++ < 
github.com/microsoft/go-crypto-openssl/openssl/internal/subtle ++ < github.com/microsoft/go-crypto-openssl/openssl ++ < crypto/internal/backend + < crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4, + crypto/sha1, crypto/sha256, crypto/sha512 + < crypto/rand +@@ -446,7 +453,7 @@ var depsRules = ` + crypto/internal/boring/sig, crypto/internal/boring/fipstls + < crypto/tls/fipsonly; + +- crypto/internal/boring ++ crypto/internal/backend + < crypto/boring; + + # crypto-aware packages +@@ -646,7 +653,7 @@ var buildIgnore = []byte("\n//go:build ignore") + + func findImports(pkg string) ([]string, error) { + vpkg := pkg +- if strings.HasPrefix(pkg, "golang.org") { ++ if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") { + vpkg = "vendor/" + pkg + } + dir := filepath.Join(Default.GOROOT, "src", vpkg)
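Review bot: The added `t.Skip("upstream assumes boring is enabled at build time, we don't")` in TestEnabled (src/crypto/boring/boring_test.go) is unconditional, so after this patch nothing in that file checks that `boring.Enabled()` reports true when the OpenSSL backend is in use. Unlike the gopath_std_vendor skip in the same patch, the message carries no tracking reference, which makes it easy for the skip to outlive its reason. I would at least extend the message, e.g. `t.Skip("upstream assumes boring is enabled at build time, we don't; tracked in <ISSUE_URL>")`, and confirm that backend_test.go from 0100 (not visible here) asserts enablement on the FIPS test configuration. TestEnabled's body continues past the lines shown.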