Enable building on Unix and Windows

corhere · corhere · commit 8ee8c4be8f8d · 2023-08-25T10:15:41.000-04:00
The Linux limitation is somewhat artificial. The only platform-specific
parts of the module are dynamic linking and loading of the OpenSSL
library, and the OpenSSL 1.0.2 threading callbacks. The implementations
of both are already portable to any Unix-like OS as dlfcn.h and pthreads
are part of the POSIX standard. The only issue with the dynamic loader
implementation is that it assumes the naming convention for the library
shared object is "libcrypto.so.&lt;version&gt;" which limits support for
darwin and other platforms which follow a different convention. Change
openssl.Init() and openssl.CheckVersion() to take the library file name
as its argument to make the bindings agnostic to the target platform's
library file naming convention. Widen the build constraints to allow
the module with the dlopen()-based loader to be built on any OS which
satisfies the "unix" Go build constraint.

Windows's dynamic library loader API is shaped very similarly to
POSIX's, aside from the function names. Add support for Windows by
adding Windows implementations for linking and loading the OpenSSL
library, and the threading callbacks.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
diff --git a/README.md b/README.md
@@ -50,9 +50,7 @@ This feature does not require any additional configuration, but it only works wi
 
 ## Limitations
 
-OpenSSL is used for a given build only in limited circumstances:
-
-- The platform must be `GOOS=linux`.
+- Only Unix, Unix-like and Windows platforms are supported.
 - The build must set `CGO_ENABLED=1`.
 
 ## Acknowledgements
diff --git a/aes.go b/aes.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/aes_test.go b/aes_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl
 
 import (
diff --git a/ec.go b/ec.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/ecdh.go b/ecdh.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/ecdh_test.go b/ecdh_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/ecdsa.go b/ecdsa.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/ecdsa_test.go b/ecdsa_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/evp.go b/evp.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/goopenssl.c b/goopenssl.c
@@ -1,8 +1,13 @@
-//go:build linux
+//go:build unix || windows
 
 #include "goopenssl.h"
 
-#include <dlfcn.h> // dlsym
+#ifdef _WIN32
+# include <windows.h>
+# define dlsym (void*)GetProcAddress
+#else
+# include <dlfcn.h> // dlsym
+#endif
 #include <stdio.h> // fprintf
 
 // Approach taken from .Net System.Security.Cryptography.Native
diff --git a/hkdf.go b/hkdf.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/hkdf_test.go b/hkdf_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/hmac.go b/hmac.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/hmac_test.go b/hmac_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl
 
 import (
diff --git a/init.go b/init.go
@@ -1,26 +1,23 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
 // #include "goopenssl.h"
-// #include <dlfcn.h>
 import "C"
 import (
 	"errors"
-	"unsafe"
 )
 
 // opensslInit loads and initialize OpenSSL.
 // If successful, it returns the major and minor OpenSSL version
 // as reported by the OpenSSL API.
 //
-// See Init() for details about version.
-func opensslInit(version string) (major, minor, patch int, err error) {
+// See Init() for details about file.
+func opensslInit(file string) (major, minor, patch int, err error) {
 	// Load the OpenSSL shared library using dlopen.
-	handle := dlopen(version)
-	if handle == nil {
-		errstr := C.GoString(C.dlerror())
-		return 0, 0, 0, errors.New("openssl: can't load libcrypto.so." + version + ": " + errstr)
+	handle, err := dlopen(file)
+	if err != nil {
+		return 0, 0, 0, err
 	}
 
 	// Retrieve the loaded OpenSSL version and check if it is supported.
@@ -64,9 +61,3 @@ func opensslInit(version string) (major, minor, patch int, err error) {
 	}
 	return major, minor, patch, nil
 }
-
-func dlopen(version string) unsafe.Pointer {
-	cv := C.CString("libcrypto.so." + version)
-	defer C.free(unsafe.Pointer(cv))
-	return C.dlopen(cv, C.RTLD_LAZY|C.RTLD_LOCAL)
-}
diff --git a/init_unix.go b/init_unix.go
@@ -0,0 +1,31 @@
+//go:build unix && !cmd_go_bootstrap
+
+package openssl
+
+// #cgo LDFLAGS: -ldl
+// #include <stdlib.h>
+// #include <dlfcn.h>
+import "C"
+import (
+	"errors"
+	"unsafe"
+)
+
+func dlopen(file string) (handle unsafe.Pointer, err error) {
+	cv := C.CString(file)
+	defer C.free(unsafe.Pointer(cv))
+	handle = C.dlopen(cv, C.RTLD_LAZY|C.RTLD_LOCAL)
+	if handle == nil {
+		errstr := C.GoString(C.dlerror())
+		return nil, errors.New("openssl: can't load " + file + ": " + errstr)
+	}
+	return handle, nil
+}
+
+func dlclose(handle unsafe.Pointer) error {
+	if C.dlclose(handle) != 0 {
+		errstr := C.GoString(C.dlerror())
+		return errors.New("openssl: can't close libcrypto: " + errstr)
+	}
+	return nil
+}
diff --git a/init_windows.go b/init_windows.go
@@ -0,0 +1,36 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+type dlopenError struct {
+	file string
+	err  error
+}
+
+func (e *dlopenError) Error() string {
+	return "openssl: can't load " + e.file + ": " + e.err.Error()
+}
+
+func (e *dlopenError) Unwrap() error {
+	return e.err
+}
+
+func dlopen(file string) (handle unsafe.Pointer, err error) {
+	// As Windows generally does not ship with a system OpenSSL library, let
+	// alone a FIPS 140 certified one, use the default library search order so
+	// that we preferentially load the DLL bundled with the application.
+	h, err := syscall.LoadLibrary(file)
+	if err != nil {
+		return nil, &dlopenError{file: file, err: err}
+	}
+	return unsafe.Pointer(h), nil
+}
+
+func dlclose(handle unsafe.Pointer) error {
+	return syscall.FreeLibrary(syscall.Handle(handle))
+}
diff --git a/openssl.go b/openssl.go
@@ -1,11 +1,9 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 // Package openssl provides access to OpenSSL cryptographic functions.
 package openssl
 
 // #include "goopenssl.h"
-// #include <dlfcn.h>
-// #cgo LDFLAGS: -ldl
 import "C"
 import (
 	"encoding/binary"
@@ -34,25 +32,25 @@ var nativeEndian binary.ByteOrder
 // and if the FIPS mode is enabled.
 // This function can be called before Init.
 func CheckVersion(version string) (exists, fips bool) {
-	handle := dlopen(version)
+	handle, _ := dlopen(version)
 	if handle == nil {
 		return false, false
 	}
-	defer C.dlclose(handle)
+	defer dlclose(handle)
 	fips = C.go_openssl_fips_enabled(handle) == 1
 	return true, fips
 }
 
-// Init loads and initializes OpenSSL.
+// Init loads and initializes OpenSSL from the shared library at path.
 // It must be called before any other OpenSSL call, except CheckVersion.
 //
-// Only the first call to Init is effective,
-// subsequent calls will return the same error result as the one from the first call.
+// Only the first call to Init is effective.
+// Subsequent calls will return the same error result as the one from the first call.
 //
-// version will be appended to the OpenSSL shared library name as a version suffix
-// when calling dlopen. For example, `version=1.1.1k-fips` makes Init look for
-// the shared library libcrypto.so.1.1.1k-fips.
-func Init(version string) error {
+// The file is passed to dlopen() verbatim to load the OpenSSL shared library.
+// For example, `file=libcrypto.so.1.1.1k-fips` makes Init look for the shared
+// library libcrypto.so.1.1.1k-fips.
+func Init(file string) error {
 	initOnce.Do(func() {
 		buf := [2]byte{}
 		*(*uint16)(unsafe.Pointer(&buf[0])) = uint16(0xABCD)
@@ -65,7 +63,7 @@ func Init(version string) error {
 		default:
 			panic("Could not determine native endianness.")
 		}
-		vMajor, vMinor, vPatch, initErr = opensslInit(version)
+		vMajor, vMinor, vPatch, initErr = opensslInit(file)
 	})
 	return initErr
 }
diff --git a/openssl_test.go b/openssl_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
@@ -16,22 +14,40 @@ import (
 func getVersion() string {
 	v := os.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
 	if v != "" {
+		if runtime.GOOS == "linux" {
+			return "libcrypto.so." + v
+		}
 		return v
 	}
 	// Try to find a supported version of OpenSSL on the system.
 	// This is useful for local testing, where the user may not
 	// have GO_OPENSSL_VERSION_OVERRIDE set.
-	for _, v = range [...]string{"3", "1.1.1", "1.1", "11", "111", "1.0.2", "1.0.0", "10"} {
+	versions := []string{"3", "1.1.1", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
+	if runtime.GOOS == "windows" {
+		if runtime.GOARCH == "amd64" {
+			versions = []string{"libcrypto-3-x64", "libcrypto-3", "libcrypto-1_1-x64", "libcrypto-1_1", "libeay64", "libeay32"}
+		} else {
+			versions = []string{"libcrypto-3", "libcrypto-1_1", "libeay32"}
+		}
+	}
+	for _, v = range versions {
+		if runtime.GOOS == "windows" {
+			v += ".dll"
+		} else if runtime.GOOS == "darwin" {
+			v = "libcrypto." + v + ".dylib"
+		} else {
+			v = "libcrypto.so." + v
+		}
 		if ok, _ := openssl.CheckVersion(v); ok {
 			return v
 		}
 	}
-	return ""
+	return "libcrypto.so"
 }
 
 func TestMain(m *testing.M) {
 	v := getVersion()
-	fmt.Printf("Using libcrypto.so.%s\n", v)
+	fmt.Printf("Using %s\n", v)
 	err := openssl.Init(v)
 	if err != nil {
 		// An error here could mean that this Linux distro does not have a supported OpenSSL version
diff --git a/pbkdf2.go b/pbkdf2.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/pbkdf2_test.go b/pbkdf2_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/port_evp_md5_sha1.c b/port_evp_md5_sha1.c
@@ -1,5 +1,3 @@
-//go:build linux
-
 // The following is a partial backport of crypto/evp/m_md5_sha1.c,
 // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
 // OpenSSL_1_1_0-stable branch.  The ctrl function has been removed.
diff --git a/rand.go b/rand.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/rand_test.go b/rand_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/rsa.go b/rsa.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/rsa_test.go b/rsa_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/sha.go b/sha.go
@@ -1,4 +1,4 @@
-//go:build linux && !cmd_go_bootstrap
+//go:build !cmd_go_bootstrap
 
 package openssl
 
diff --git a/sha_test.go b/sha_test.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 package openssl_test
 
 import (
diff --git a/thread_setup_unix.c b/thread_setup_unix.c
@@ -1,4 +1,4 @@
-//go:build linux
+//go:build unix
 
 #include "goopenssl.h"
 #include <pthread.h>
diff --git a/thread_setup_windows.c b/thread_setup_windows.c
diff --git a/tls1prf.go b/tls1prf.go
diff --git a/tls1prf_test.go b/tls1prf_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-//go:build linux && !cmd_go_bootstrap`
	`1`	`+//go:build !cmd_go_bootstrap`
`2`	`2`
`3`	`3`	`package openssl`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-//go:build linux`
`2`		`-`
`3`	`1`	`package openssl`
`4`	`2`
`5`	`3`	`import (`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-//go:build linux`
`2`		`-`
`3`	`1`	`package openssl_test`
`4`	`2`
`5`	`3`	`import (`