config: update openssl backend (#201)

derekparker · web-flow · commit dfcb16b247e1 · 2024-05-30T14:42:06.000-07:00
Co-authored-by: Derek Parker &lt;deparker@redhat.com&gt;
diff --git a/config/versions.json b/config/versions.json
@@ -1,5 +1,5 @@
 {
   "github.com/golang-fips/go": "main",
-  "github.com/golang-fips/openssl": "85d31d0d257ce842c8a1e63c4d230ae850348136",
+  "github.com/golang-fips/openssl": "61a53ab338d5f1657c6fe5d856d24528bfdd731d",
   "github.com/golang/go": "go1.22.3"
 }
diff --git a/patches/001-initial-openssl-for-fips.patch b/patches/001-initial-openssl-for-fips.patch
@@ -3719,24 +3719,24 @@ index 3c592e1136..a594823783 100644
  	} else {
  		testCurve = elliptic.P384()
 diff --git a/src/go.mod b/src/go.mod
-index 737d78da5d..eafc127352 100644
+index 737d78da5d..a1610087fe 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -3,6 +3,7 @@ module std
  go 1.22
  
  require (
-+	github.com/golang-fips/openssl/v2 v2.0.1
++	github.com/golang-fips/openssl/v2 v2.0.3
  	golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb
  	golang.org/x/net v0.19.1-0.20240412193750-db050b07227e
  )
 diff --git a/src/go.sum b/src/go.sum
-index 86d173c9e6..51fbaeecdf 100644
+index 86d173c9e6..c7def15f16 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,5 @@
-+github.com/golang-fips/openssl/v2 v2.0.1 h1:oNIu7tARUHmSIY7Gqn5lbSCnHSduvkFJoM2FRq294lA=
-+github.com/golang-fips/openssl/v2 v2.0.1/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
++github.com/golang-fips/openssl/v2 v2.0.3 h1:9+J2R0BQio6Jz8+dPZf/0ylISByl0gZWjTEKm+J+y7Y=
++github.com/golang-fips/openssl/v2 v2.0.3/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
  golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb h1:1ceSY7sk6sJuiDREHpfyrqDnDljsLfEP2GuTClhBBfI=
  golang.org/x/crypto v0.16.1-0.20231129163542-152cdb1503eb/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
  golang.org/x/net v0.19.1-0.20240412193750-db050b07227e h1:oDnvqaqHo3ho8OChMtkQbQAyp9eqnm3J7JRtt0+Cabc=
@@ -3784,7 +3784,7 @@ index 0000000000..97e8515401
 \ No newline at end of file
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/README.md b/src/vendor/github.com/golang-fips/openssl/v2/README.md
 new file mode 100644
-index 0000000000..ba6289ecff
+index 0000000000..1bfbaf60f4
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/README.md
 @@ -0,0 +1,66 @@
@@ -3816,7 +3816,7 @@ index 0000000000..ba6289ecff
 +
 +### Multiple OpenSSL versions supported
 +
-+The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.0.x.
++The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.x.
 +
 +All supported OpenSSL versions pass a small set of automatic tests that ensure they can be built and that there are no major regressions.
 +These tests do not validate the cryptographic correctness of the `openssl` package.
@@ -4022,16 +4022,17 @@ index 0000000000..6461f241f8
 +type BigInt []uint
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
 new file mode 100644
-index 0000000000..2b983c5411
+index 0000000000..72f7aebfc1
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
-@@ -0,0 +1,582 @@
+@@ -0,0 +1,569 @@
 +//go:build !cmd_go_bootstrap
 +
 +package openssl
 +
 +// #include "goopenssl.h"
 +import "C"
++
 +import (
 +	"crypto/cipher"
 +	"encoding/binary"
@@ -4173,8 +4174,6 @@ index 0000000000..2b983c5411
 +
 +type evpCipher struct {
 +	key       []byte
-+	enc_ctx   C.GO_EVP_CIPHER_CTX_PTR
-+	dec_ctx   C.GO_EVP_CIPHER_CTX_PTR
 +	kind      cipherKind
 +	blockSize int
 +}
@@ -4187,19 +4186,9 @@ index 0000000000..2b983c5411
 +	c := &evpCipher{key: make([]byte, len(key)), kind: kind}
 +	copy(c.key, key)
 +	c.blockSize = int(C.go_openssl_EVP_CIPHER_get_block_size(cipher))
-+	runtime.SetFinalizer(c, (*evpCipher).finalize)
 +	return c, nil
 +}
 +
-+func (c *evpCipher) finalize() {
-+	if c.enc_ctx != nil {
-+		C.go_openssl_EVP_CIPHER_CTX_free(c.enc_ctx)
-+	}
-+	if c.dec_ctx != nil {
-+		C.go_openssl_EVP_CIPHER_CTX_free(c.dec_ctx)
-+	}
-+}
-+
 +func (c *evpCipher) encrypt(dst, src []byte) error {
 +	if len(src) < c.blockSize {
 +		return errors.New("input not full block")
@@ -4212,15 +4201,13 @@ index 0000000000..2b983c5411
 +	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
 +		return errors.New("invalid buffer overlap")
 +	}
-+	if c.enc_ctx == nil {
-+		var err error
-+		c.enc_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
-+		if err != nil {
-+			return err
-+		}
++	enc_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
++	if err != nil {
++		return err
 +	}
++	defer C.go_openssl_EVP_CIPHER_CTX_free(enc_ctx)
 +
-+	if C.go_openssl_EVP_EncryptUpdate_wrapper(c.enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
++	if C.go_openssl_EVP_EncryptUpdate_wrapper(enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
 +		return errors.New("EncryptUpdate failed")
 +	}
 +	runtime.KeepAlive(c)
@@ -4239,18 +4226,17 @@ index 0000000000..2b983c5411
 +	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
 +		return errors.New("invalid buffer overlap")
 +	}
-+	if c.dec_ctx == nil {
-+		var err error
-+		c.dec_ctx, err = newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
-+		if err != nil {
-+			return err
-+		}
-+		if C.go_openssl_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 {
-+			return errors.New("could not disable cipher padding")
-+		}
++	dec_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
++	if err != nil {
++		return err
++	}
++	defer C.go_openssl_EVP_CIPHER_CTX_free(dec_ctx)
++
++	if C.go_openssl_EVP_CIPHER_CTX_set_padding(dec_ctx, 0) != 1 {
++		return errors.New("could not disable cipher padding")
 +	}
 +
-+	C.go_openssl_EVP_DecryptUpdate_wrapper(c.dec_ctx, base(dst), base(src), C.int(c.blockSize))
++	C.go_openssl_EVP_DecryptUpdate_wrapper(dec_ctx, base(dst), base(src), C.int(c.blockSize))
 +	runtime.KeepAlive(c)
 +	return nil
 +}
@@ -4349,7 +4335,7 @@ index 0000000000..2b983c5411
 +)
 +
 +type cipherGCM struct {
-+	ctx C.GO_EVP_CIPHER_CTX_PTR
++	c   *evpCipher
 +	tls cipherGCMTLS
 +	// minNextNonce is the minimum value that the next nonce can be, enforced by
 +	// all TLS modes.
@@ -4407,19 +4393,10 @@ index 0000000000..2b983c5411
 +}
 +
 +func (c *evpCipher) newGCM(tls cipherGCMTLS) (cipher.AEAD, error) {
-+	ctx, err := newCipherCtx(c.kind, cipherModeGCM, cipherOpNone, c.key, nil)
-+	if err != nil {
-+		return nil, err
-+	}
-+	g := &cipherGCM{ctx: ctx, tls: tls, blockSize: c.blockSize}
-+	runtime.SetFinalizer(g, (*cipherGCM).finalize)
++	g := &cipherGCM{c: c, tls: tls, blockSize: c.blockSize}
 +	return g, nil
 +}
 +
-+func (g *cipherGCM) finalize() {
-+	C.go_openssl_EVP_CIPHER_CTX_free(g.ctx)
-+}
-+
 +func (g *cipherGCM) NonceSize() int {
 +	return gcmStandardNonceSize
 +}
@@ -4492,14 +4469,19 @@ index 0000000000..2b983c5411
 +		panic("cipher: invalid buffer overlap")
 +	}
 +
++	ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
++	if err != nil {
++		panic(err)
++	}
++	defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
 +	// Encrypt additional data.
 +	// When sealing a TLS payload, OpenSSL app sets the additional data using
 +	// 'EVP_CIPHER_CTX_ctrl(g.ctx, C.EVP_CTRL_AEAD_TLS1_AAD, C.EVP_AEAD_TLS1_AAD_LEN, base(additionalData))'.
 +	// This makes the explicit nonce component to monotonically increase on every Seal operation without
 +	// relying in the explicit nonce being securely set externally,
 +	// and it also gives some interesting speed gains.
 +	// Unfortunately we can't use it because Go expects AEAD.Seal to honor the provided nonce.
-+	if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(g.ctx, base(out), base(nonce),
++	if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(ctx, base(out), base(nonce),
 +		base(plaintext), C.int(len(plaintext)),
 +		base(additionalData), C.int(len(additionalData))) != 1 {
 +
@@ -4534,8 +4516,13 @@ index 0000000000..2b983c5411
 +		panic("cipher: invalid buffer overlap")
 +	}
 +
++	ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
++	if err != nil {
++		return nil, err
++	}
++	defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
 +	ok := C.go_openssl_EVP_CIPHER_CTX_open_wrapper(
-+		g.ctx, base(out), base(nonce),
++		ctx, base(out), base(nonce),
 +		base(ciphertext), C.int(len(ciphertext)),
 +		base(additionalData), C.int(len(additionalData)), base(tag))
 +	runtime.KeepAlive(g)
@@ -7826,15 +7813,15 @@ index 0000000000..a14663298b
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
 new file mode 100644
-index 0000000000..dbf5ac448f
+index 0000000000..5c09da86ee
 --- /dev/null
 +++ b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
 @@ -0,0 +1,31 @@
 +//go:build unix && !cmd_go_bootstrap
 +
 +package openssl
 +
-+// #cgo LDFLAGS: -ldl
++// #cgo LDFLAGS: -ldl -pthread
 +// #include <stdlib.h>
 +// #include <dlfcn.h>
 +import "C"
@@ -9688,11 +9675,11 @@ index 0000000000..5de62f95a7
 +	return nil
 +}
 diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
-index 9a234e59b1..f65e24f457 100644
+index 9a234e59b1..a2dc68599f 100644
 --- a/src/vendor/modules.txt
 +++ b/src/vendor/modules.txt
 @@ -1,3 +1,7 @@
-+# github.com/golang-fips/openssl/v2 v2.0.1
++# github.com/golang-fips/openssl/v2 v2.0.3
 +## explicit; go 1.20
 +github.com/golang-fips/openssl/v2
 +github.com/golang-fips/openssl/v2/bbig

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"github.com/golang-fips/go": "main",`
`3`		`- "github.com/golang-fips/openssl": "85d31d0d257ce842c8a1e63c4d230ae850348136",`
	`3`	`+ "github.com/golang-fips/openssl": "61a53ab338d5f1657c6fe5d856d24528bfdd731d",`
`4`	`4`	`"github.com/golang/go": "go1.22.3"`
`5`	`5`	`}`