fix:restructure pkg layout

microsoft · Dec 12, 2024 · 234fe89 · 234fe89
1 parent 6110fbf
commit 234fe89
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 85 deletions.
diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch
@@ -9,7 +9,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/boring/boring.go                  |   2 +-
  src/crypto/des/cipher.go                     |   7 +
  src/crypto/dsa/boring.go                     | 113 ++++++++++
- src/crypto/dsa/dsa.go                        |  44 ++++
+ src/crypto/dsa/dsa.go                        |  88 ++++++++
  src/crypto/dsa/notboring.go                  |  16 ++
  src/crypto/ecdh/ecdh.go                      |   2 +-
  src/crypto/ecdh/nist.go                      |   2 +-
@@ -63,7 +63,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/hash/notboring_test.go                   |   5 +
  src/net/smtp/smtp_test.go                    |  72 +++---
  src/runtime/runtime_boring.go                |   5 +
- 59 files changed, 1097 insertions(+), 106 deletions(-)
+ 59 files changed, 1141 insertions(+), 106 deletions(-)
  create mode 100644 src/crypto/dsa/boring.go
  create mode 100644 src/crypto/dsa/notboring.go
  create mode 100644 src/crypto/ed25519/boring.go
@@ -269,19 +269,23 @@ index 00000000000000..3be888a0104809
 +	}
 +}
 diff --git a/src/crypto/dsa/dsa.go b/src/crypto/dsa/dsa.go
-index 4524bd492feba0..aa7970053f1a5d 100644
+index 4524bd492feba0..9161e4b0a6ce85 100644
 --- a/src/crypto/dsa/dsa.go
 +++ b/src/crypto/dsa/dsa.go
-@@ -18,6 +18,8 @@ import (
+@@ -18,7 +18,12 @@ import (
  	"io"
  	"math/big"
 
 +	boring "crypto/internal/backend"
 +	"crypto/internal/backend/bbig"
  	"crypto/internal/randutil"
++
++	"golang.org/x/crypto/cryptobyte"
++	"golang.org/x/crypto/cryptobyte/asn1"
  )
 
-@@ -86,6 +88,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes
+ // Parameters represents the domain parameters for a key. These parameters can
+@@ -86,6 +91,17 @@ func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes
  		return errors.New("crypto/dsa: invalid ParameterSizes")
  	}
 
@@ -299,7 +303,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644
  	qBytes := make([]byte, N/8)
  	pBytes := make([]byte, L/8)
 
-@@ -161,6 +174,17 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error {
+@@ -161,6 +177,17 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error {
  		return errors.New("crypto/dsa: parameters not set up before generating key")
  	}
 
@@ -317,7 +321,7 @@ index 4524bd492feba0..aa7970053f1a5d 100644
  	x := new(big.Int)
  	xBytes := make([]byte, priv.Q.BitLen()/8)
 
-@@ -212,6 +236,18 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
+@@ -212,6 +239,18 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
  		err = ErrInvalidPublicKey
  		return
  	}
@@ -328,15 +332,15 @@ index 4524bd492feba0..aa7970053f1a5d 100644
 +			return nil, nil, err
 +		}
 +
-+		r, s, err := boring.SignDSA(b, hash)
++		r, s, err := boring.SignDSA(b, hash, parseSignature)
 +
 +		return bbig.Dec(r), bbig.Dec(s), err
 +	}
 +
  	n >>= 3
 
  	var attempts int
-@@ -271,6 +307,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
+@@ -271,6 +310,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
  // to the byte-length of the subgroup. This function does not perform that
  // truncation itself.
  func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
@@ -346,11 +350,56 @@ index 4524bd492feba0..aa7970053f1a5d 100644
 +			return false
 +		}
 +
-+		return boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s))
++		return boring.VerifyDSA(bkey, hash, bbig.Enc(r), bbig.Enc(s), encodeSignature)
 +	}
  	// FIPS 186-3, section 4.7
 
  	if pub.P.Sign() == 0 {
+@@ -307,3 +354,44 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+
+ 	return v.Cmp(r) == 0
+ }
++
++func parseSignature(sig []byte) ([]uint, []uint, error) {
++	var r, s []byte
++	var inner cryptobyte.String
++	input := cryptobyte.String(sig)
++	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
++		!input.Empty() ||
++		!inner.ReadASN1Integer(&r) ||
++		!inner.ReadASN1Integer(&s) ||
++		!inner.Empty() {
++		return nil, nil, errors.New("invalid ASN.1")
++	}
++	return []uint(bbig.Enc(new(big.Int).SetBytes(r))), []uint(bbig.Enc(new(big.Int).SetBytes(s))), nil
++}
++
++func encodeSignature(r, s []uint) ([]byte, error) {
++	var b cryptobyte.Builder
++	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
++		addASN1IntBytes(b, bbig.Dec(r).Bytes())
++		addASN1IntBytes(b, bbig.Dec(s).Bytes())
++	})
++	return b.Bytes()
++}
++
++// addASN1IntBytes encodes in ASN.1 a positive integer represented as
++// a big-endian byte slice with zero or more leading zeroes.
++func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
++	for len(bytes) > 0 && bytes[0] == 0 {
++		bytes = bytes[1:]
++	}
++	if len(bytes) == 0 {
++		b.SetError(errors.New("invalid integer"))
++		return
++	}
++	b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
++		if bytes[0]&0x80 != 0 {
++			c.AddUint8(0)
++		}
++		c.AddBytes(bytes)
++	})
++}
 diff --git a/src/crypto/dsa/notboring.go b/src/crypto/dsa/notboring.go
 new file mode 100644
 index 00000000000000..f8771d0189f990
@@ -886,7 +935,7 @@ index 00000000000000..e5d7570d6d4363
 +const isRequireFIPS = true
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
-index 00000000000000..2f6b54f20be6bf
+index 00000000000000..826732e87d4764
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
 @@ -0,0 +1,224 @@
@@ -1107,11 +1156,11 @@ index 00000000000000..2f6b54f20be6bf
 +	panic("cryptobackend: not available")
 +}
 +
-+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s BigInt, err error) {
++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s BigInt, err error) {
 +	panic("cryptobackend: not available")
 +}
 +
-+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt) bool {
++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool {
 +	panic("cryptobackend: not available")
 +}
 diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go

diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch
@@ -30,7 +30,7 @@ index 00000000000000..0b62cef68546d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go
 new file mode 100644
-index 00000000000000..797e805300c4c9
+index 00000000000000..8cf833cf2bf3f9
 --- /dev/null
 +++ b/src/crypto/internal/backend/boring_linux.go
 @@ -0,0 +1,256 @@
@@ -283,10 +283,10 @@ index 00000000000000..797e805300c4c9
 +	panic("cryptobackend: not available")
 +}
 +
-+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s boring.BigInt, err error) {
++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s boring.BigInt, err error) {
 +	panic("cryptobackend: not available")
 +}
 +
-+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt) bool {
++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s boring.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool {
 +	panic("cryptobackend: not available")
 +}
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  src/crypto/ecdsa/notboring.go                 |   2 +-
  src/crypto/internal/backend/bbig/big.go       |   2 +-
  .../internal/backend/bbig/big_openssl.go      |  12 +
- src/crypto/internal/backend/openssl_linux.go  | 420 ++++++++++++++++++
+ src/crypto/internal/backend/openssl_linux.go  | 375 ++++++++++++++++++
  src/crypto/internal/boring/fipstls/stub.s     |   2 +-
  src/crypto/internal/boring/fipstls/tls.go     |   2 +-
  src/crypto/rsa/boring.go                      |   2 +-
@@ -32,15 +32,15 @@ Subject: [PATCH] Add OpenSSL crypto backend
  src/crypto/x509/notboring.go                  |   2 +-
  src/go.mod                                    |   1 +
  src/go.sum                                    |   2 +
- src/go/build/deps_test.go                     |   8 +-
+ src/go/build/deps_test.go                     |   7 +-
  src/go/build/vendor_test.go                   |   1 +
  src/hash/boring_test.go                       |   2 +-
  src/hash/notboring_test.go                    |   2 +-
  .../goexperiment/exp_opensslcrypto_off.go     |   9 +
  .../goexperiment/exp_opensslcrypto_on.go      |   9 +
  src/internal/goexperiment/flags.go            |   1 +
  src/os/exec/exec_test.go                      |   9 +
- 36 files changed, 506 insertions(+), 25 deletions(-)
+ 36 files changed, 460 insertions(+), 25 deletions(-)
  create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go
  create mode 100644 src/crypto/internal/backend/openssl_linux.go
  create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go
@@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
 new file mode 100644
-index 00000000000000..017baddcf79c06
+index 00000000000000..939dc54a0e8014
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl_linux.go
-@@ -0,0 +1,420 @@
+@@ -0,0 +1,375 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -211,18 +211,13 @@ index 00000000000000..017baddcf79c06
 +import (
 +	"crypto"
 +	"crypto/cipher"
-+	"crypto/internal/backend/bbig"
 +	"crypto/internal/boring/fipstls"
 +	"crypto/internal/boring/sig"
-+	"errors"
 +	"hash"
 +	"io"
-+	"math/big"
 +	"syscall"
 +
 +	"github.com/golang-fips/openssl/v2"
-+	"golang.org/x/crypto/cryptobyte"
-+	"golang.org/x/crypto/cryptobyte/asn1"
 +)
 +
 +// Enabled controls whether FIPS crypto is enabled.
@@ -555,68 +550,28 @@ index 00000000000000..017baddcf79c06
 +	return openssl.NewPublicKeyDSA(openssl.DSAParameters{p, q, g}, y)
 +}
 +
-+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s openssl.BigInt, err error) {
++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s openssl.BigInt, err error) {
 +	sig, err := openssl.SignDSA(priv, hash)
 +	if err != nil {
 +		return nil, nil, err
 +	}
 +
-+	rByte, sByte, err := parseSignature(sig)
++	r, s, err := parseSignature(sig)
 +	if err != nil {
 +		return nil, nil, err
 +	}
 +
-+	return bbig.Enc(new(big.Int).SetBytes(rByte)), bbig.Enc(new(big.Int).SetBytes(sByte)), nil
++	return openssl.BigInt(r), openssl.BigInt(s), nil
 +}
 +
-+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool {
-+	sig, err := encodeSignature(bbig.Dec(r).Bytes(), bbig.Dec(s).Bytes())
++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool {
++	sig, err := encodeSignature(r, s)
 +	if err != nil {
 +		return false
 +	}
 +
 +	return openssl.VerifyDSA(pub, hashed, sig)
 +}
-+
-+func parseSignature(sig []byte) (r, s []byte, err error) {
-+	var inner cryptobyte.String
-+	input := cryptobyte.String(sig)
-+	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
-+		!input.Empty() ||
-+		!inner.ReadASN1Integer(&r) ||
-+		!inner.ReadASN1Integer(&s) ||
-+		!inner.Empty() {
-+		return nil, nil, errors.New("invalid ASN.1")
-+	}
-+	return r, s, nil
-+}
-+
-+func encodeSignature(r, s []byte) ([]byte, error) {
-+	var b cryptobyte.Builder
-+	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
-+		addASN1IntBytes(b, r)
-+		addASN1IntBytes(b, s)
-+	})
-+	return b.Bytes()
-+}
-+
-+// addASN1IntBytes encodes in ASN.1 a positive integer represented as
-+// a big-endian byte slice with zero or more leading zeroes.
-+func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
-+	for len(bytes) > 0 && bytes[0] == 0 {
-+		bytes = bytes[1:]
-+	}
-+	if len(bytes) == 0 {
-+		b.SetError(errors.New("invalid integer"))
-+		return
-+	}
-+	b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
-+		if bytes[0]&0x80 != 0 {
-+			c.AddUint8(0)
-+		}
-+		c.AddBytes(bytes)
-+	})
-+}
 diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s
 index f2e5a503eaacb6..1dc7116efdff2e 100644
 --- a/src/crypto/internal/boring/fipstls/stub.s
@@ -835,7 +790,7 @@ index b4efd6d3c50c11..4c3ca847c21cd2 100644
  golang.org/x/crypto v0.25.1-0.20240722173533-bb80217080b0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
  golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd h1:pHzwejE8Zkb94bG4nA+fUeskKPFp1HPldrhv62dabro=
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 578b4d6f68504c..0a69b3e3167ee4 100644
+index 578b4d6f68504c..80a14d54739524 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
 @@ -476,6 +476,8 @@ var depsRules = `
@@ -855,15 +810,7 @@ index 578b4d6f68504c..0a69b3e3167ee4 100644
  	< crypto/internal/boring/bbig
  	< crypto/internal/backend/bbig
  	< crypto/rand
-@@ -522,6 +525,7 @@ var depsRules = `
- 	< encoding/asn1
- 	< golang.org/x/crypto/cryptobyte/asn1
- 	< golang.org/x/crypto/cryptobyte
-+	< crypto/internal/backend
- 	< crypto/internal/bigmod
- 	< crypto/dsa, crypto/elliptic, crypto/rsa
- 	< crypto/ecdsa
-@@ -812,7 +816,7 @@ var buildIgnore = []byte("\n//go:build ignore")
+@@ -812,7 +815,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 
  func findImports(pkg string) ([]string, error) {
  	vpkg := pkg
@@ -872,7 +819,7 @@ index 578b4d6f68504c..0a69b3e3167ee4 100644
  		vpkg = "vendor/" + pkg
  	}
  	dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -822,7 +826,7 @@ func findImports(pkg string) ([]string, error) {
+@@ -822,7 +825,7 @@ func findImports(pkg string) ([]string, error) {
  	}
  	var imports []string
  	var haveImport = map[string]bool{}

diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch
@@ -183,7 +183,7 @@ index 00000000000000..92623031fd87d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go
 new file mode 100644
-index 00000000000000..542b21f1a25e05
+index 00000000000000..3543e4eff7402d
 --- /dev/null
 +++ b/src/crypto/internal/backend/cng_windows.go
 @@ -0,0 +1,321 @@
@@ -501,11 +501,11 @@ index 00000000000000..542b21f1a25e05
 +	return cng.NewPublicKeyDSA(cng.DSAParameters{p, q, g}, y)
 +}
 +
-+func SignDSA(priv *PrivateKeyDSA, hash []byte) (r, s cng.BigInt, err error) {
++func SignDSA(priv *PrivateKeyDSA, hash []byte, parseSignature func([]byte) ([]uint, []uint, error)) (r, s cng.BigInt, err error) {
 +	return cng.SignDSA(priv, hash)
 +}
 +
-+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt) bool {
++func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s cng.BigInt, encodeSignature func(r, s []uint) ([]byte, error)) bool {
 +	return cng.VerifyDSA(pub, hashed, r, s)
 +}
 diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go