Skip to content

Commit

Permalink
Merge pull request #1386 from microsoft/dev/qmuntal/azl3-clonehash
Browse files Browse the repository at this point in the history 
Support SymCrypt in TLS 1.3 handshakes
  • Loading branch information
@karianna
karianna authored Nov 8, 2024
2 parents 38d62e3 + e61cc80 commit 23b8689
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 31 deletions.
31 changes: 30 additions & 1 deletion patches/0002-Add-crypto-backend-foundation.patch
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ Subject: [PATCH] Add crypto backend foundation
src/crypto/tls/cipher_suites.go | 2 +-
src/crypto/tls/handshake_client.go | 25 ++-
src/crypto/tls/handshake_server.go | 25 ++-
src/crypto/tls/handshake_server_tls13.go | 10 +
src/crypto/tls/key_schedule.go | 18 +-
src/crypto/tls/prf.go | 77 +++++---
src/crypto/tls/prf_test.go | 12 +-
Expand All @@ -59,7 +60,7 @@ Subject: [PATCH] Add crypto backend foundation
src/hash/notboring_test.go | 5 +
src/net/smtp/smtp_test.go | 72 ++++---
src/runtime/runtime_boring.go | 5 +
55 files changed, 883 insertions(+), 106 deletions(-)
56 files changed, 893 insertions(+), 106 deletions(-)
create mode 100644 src/crypto/ed25519/boring.go
create mode 100644 src/crypto/ed25519/notboring.go
create mode 100644 src/crypto/internal/backend/backend_test.go
Expand Down Expand Up @@ -1645,6 +1646,34 @@ index bc4e51ba364cf1..8b4fc36e49fdf8 100644
if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
return err
}
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index b8cf4c3fa50b24..bc5d32a29c50c4 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -9,6 +9,7 @@ import (
"context"
"crypto"
"crypto/hmac"
+ boring "crypto/internal/backend"
"crypto/internal/mlkem768"
"crypto/rsa"
"errors"
@@ -441,6 +442,15 @@ func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
}
marshaler, ok := in.(binaryMarshaler)
if !ok {
+ if boring.Enabled {
+ // CNG and OpenSSL with SymCrypt hash functions do not implement the
+ // encoding.BinaryMarshaler interface, but they do implement the Clone method.
+ if cloner, ok := in.(interface{ Clone() (hash.Hash, error) }); ok {
+ if out, err := cloner.Clone(); err == nil {
+ return out
+ }
+ }
+ }
return nil
}
state, err := marshaler.MarshalBinary()
diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
index 1636baf79e7288..c9a5877d3d504f 100644
--- a/src/crypto/tls/key_schedule.go
Expand Down
31 changes: 1 addition & 30 deletions patches/0005-Add-CNG-crypto-backend.patch
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ Subject: [PATCH] Add CNG crypto backend
src/crypto/tls/boring_test.go | 2 +-
src/crypto/tls/fipsonly/fipsonly.go | 2 +-
src/crypto/tls/fipsonly/fipsonly_test.go | 2 +-
src/crypto/tls/handshake_server_tls13.go | 10 +
src/crypto/tls/notboring.go | 2 +-
src/crypto/x509/boring.go | 2 +-
src/crypto/x509/boring_test.go | 2 +-
Expand All @@ -41,7 +40,7 @@ Subject: [PATCH] Add CNG crypto backend
.../goexperiment/exp_cngcrypto_off.go | 9 +
src/internal/goexperiment/exp_cngcrypto_on.go | 9 +
src/internal/goexperiment/flags.go | 1 +
37 files changed, 385 insertions(+), 27 deletions(-)
36 files changed, 375 insertions(+), 27 deletions(-)
create mode 100644 src/crypto/ecdsa/badlinkname.go
create mode 100644 src/crypto/internal/backend/bbig/big_cng.go
create mode 100644 src/crypto/internal/backend/cng_windows.go
Expand Down Expand Up @@ -639,34 +638,6 @@ index 9c1d3d279c472f..0ca7a863b73690 100644

package fipsonly

diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index b8cf4c3fa50b24..dd2c36ab1bef0b 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -14,6 +14,7 @@ import (
"errors"
"hash"
"internal/byteorder"
+ "internal/goexperiment"
"io"
"slices"
"time"
@@ -441,6 +442,15 @@ func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
}
marshaler, ok := in.(binaryMarshaler)
if !ok {
+ if goexperiment.CNGCrypto {
+ // CNGCrypto hashes do not implement the binaryMarshaler interface,
+ // but do implement the Clone method.
+ if cloner, ok := in.(interface{ Clone() (hash.Hash, error) }); ok {
+ if out, err := cloner.Clone(); err == nil {
+ return out
+ }
+ }
+ }
return nil
}
state, err := marshaler.MarshalBinary()
diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go
index 36b4ceab0046c6..c87df4ad695f1b 100644
--- a/src/crypto/tls/notboring.go
Expand Down

0 comments on commit 23b8689

Please sign in to comment.