From 604788be59dc49ca6a9e55d3c4cbd89b5d1ba01c Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Tue, 5 Nov 2024 19:11:54 +0100
Subject: [PATCH] [v15] Simplify `IsBoringCrypto` (#47501)

* Simplify IsBoringCrypto
* fix-license for new files
---
 lib/auth/native/boring.go | 32 ++++++++++++++++++++++++++++++++
 lib/auth/native/native.go | 11 -----------
 lib/auth/native/notboring.go | 27 +++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 11 deletions(-)
 create mode 100644 lib/auth/native/boring.go
 create mode 100644 lib/auth/native/notboring.go

diff --git a/lib/auth/native/boring.go b/lib/auth/native/boring.go
new file mode 100644
index 0000000000000..0c4a8dfc30ede
--- /dev/null
+++ b/lib/auth/native/boring.go
@@ -0,0 +1,32 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+//go:build boringcrypto
+
+package native
+
+import "crypto/boring"
+
+// IsBoringBinary checks if the binary was compiled with BoringCrypto.
+//
+// It's possible to enable the boringcrypto GOEXPERIMENT (which will enable the
+// boringcrypto build tag) even on platforms that don't support the boringcrypto
+// module, which results in crypto packages being available and working, but not
+// actually using a certified cryptographic module, so we have to check
+// [boring.Enabled] even if this is compiled in.
+func IsBoringBinary() bool {
+ return boring.Enabled()
+}
diff --git a/lib/auth/native/native.go b/lib/auth/native/native.go
index f3b84d45de69a..6e1543cabc7ee 100644
--- a/lib/auth/native/native.go
+++ b/lib/auth/native/native.go
@@ -22,10 +22,8 @@ import (
 "crypto/ed25519"
 "crypto/rand"
 "crypto/rsa"
- "crypto/sha256"
 "crypto/x509"
 "encoding/pem"
- "reflect"
 "sync"
 "testing"
 "time"
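Review bot: The summary line of the new doc comment, `// IsBoringBinary checks if the binary was compiled with BoringCrypto.`, contradicts the paragraph beneath it and the body: the function returns `boring.Enabled()`, i.e. whether the BoringCrypto module is actually handling crypto operations at runtime, not whether the build carried the boringcrypto tag. A caller who reads only the first sentence (which is what `go doc` surfaces) could treat the result as a compile-time property and gate FIPS-only behaviour on the wrong thing. Suggest `// IsBoringBinary reports whether the BoringCrypto module is actually in use for crypto operations in this binary.`, which also follows the Go convention of "reports whether" for boolean functions. The identical summary line is repeated in the notboring.go hunk below and should be changed to match, since godoc readers see whichever copy was compiled.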
@@ -48,15 +46,6 @@ var precomputedKeys = make(chan *rsa.PrivateKey, 25)
 // startPrecomputeOnce is used to start the background task that precomputes key pairs.
 var startPrecomputeOnce sync.Once
 
-// IsBoringBinary checks if the binary was compiled with BoringCrypto.
-func IsBoringBinary() bool {
- // Check the package name for one of the boring primitives, if the package
- // path is from BoringCrypto, we know this binary was compiled against the
- // dev.boringcrypto branch of Go.
- hash := sha256.New()
- return reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring"
-}
-
 // GenerateKeyPair generates a new RSA key pair.
 func GenerateKeyPair() ([]byte, []byte, error) {
 priv, err := GeneratePrivateKey()
diff --git a/lib/auth/native/notboring.go b/lib/auth/native/notboring.go
new file mode 100644
index 0000000000000..3fa57fb55e5cb
--- /dev/null
+++ b/lib/auth/native/notboring.go
@@ -0,0 +1,27 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+//go:build !boringcrypto
+
+package native
+
+// IsBoringBinary checks if the binary was compiled with BoringCrypto.
+//
+// The boringcrypto GOEXPERIMENT always sets the boringcrypto build tag, so if
+// this is compiled in, we're not using BoringCrypto.
+func IsBoringBinary() bool {
+ return false
+}