Merge pull request #1052 from microsoft/dev/qmuntal/md5

Implement support for crypto/md5 using OpenSSL/CNG
microsoft · Oct 11, 2023 · f1230ae · f1230ae
2 parents fed1389 + 8aefa1e
commit f1230ae
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 72 deletions.
diff --git a/go b/go
diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch
@@ -20,9 +20,11 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/internal/backend/bbig/big.go      |  17 +++
  src/crypto/internal/backend/common.go        |  78 ++++++++++
  src/crypto/internal/backend/isrequirefips.go |   9 ++
- src/crypto/internal/backend/nobackend.go     | 143 +++++++++++++++++++
+ src/crypto/internal/backend/nobackend.go     | 145 +++++++++++++++++++
  src/crypto/internal/backend/norequirefips.go |   9 ++
  src/crypto/internal/backend/stub.s           |  10 ++
+ src/crypto/md5/md5.go                        |   7 +
+ src/crypto/md5/md5_test.go                   |   4 +
  src/crypto/rand/rand_unix.go                 |   2 +-
  src/crypto/rsa/boring.go                     |   4 +-
  src/crypto/rsa/notboring.go                  |   2 +-
@@ -44,7 +46,7 @@ Subject: [PATCH] Add crypto backend foundation
  src/crypto/tls/prf_test.go                   |  12 +-
  src/go/build/deps_test.go                    |   2 +
  src/runtime/runtime_boring.go                |   5 +
- 40 files changed, 460 insertions(+), 65 deletions(-)
+ 42 files changed, 473 insertions(+), 65 deletions(-)
  create mode 100644 src/crypto/internal/backend/backend_test.go
  create mode 100644 src/crypto/internal/backend/bbig/big.go
  create mode 100644 src/crypto/internal/backend/common.go
@@ -125,7 +127,7 @@ index 699e5177aef5d5..7e9c2a74adf74b 100644
  	c := new(tripleDESCipher)
  	c.cipher1.generateSubkeys(key[:8])
 diff --git a/src/crypto/ecdh/ecdh.go b/src/crypto/ecdh/ecdh.go
-index b86f5217878251..a48043a044f309 100644
+index b21b5697d0e37f..5e373cd27b350f 100644
 --- a/src/crypto/ecdh/ecdh.go
 +++ b/src/crypto/ecdh/ecdh.go
 @@ -8,7 +8,7 @@ package ecdh
@@ -393,10 +395,10 @@ index 00000000000000..e5d7570d6d4363
 +const isRequireFIPS = true
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
-index 00000000000000..75eb22290bcc92
+index 00000000000000..275a6078f90514
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
-@@ -0,0 +1,143 @@
+@@ -0,0 +1,145 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -426,12 +428,14 @@ index 00000000000000..75eb22290bcc92
 +
 +func SupportsHash(h crypto.Hash) bool { panic("cryptobackend: not available") }
 +
++func NewMD5() hash.Hash    { panic("cryptobackend: not available") }
 +func NewSHA1() hash.Hash   { panic("cryptobackend: not available") }
 +func NewSHA224() hash.Hash { panic("cryptobackend: not available") }
 +func NewSHA256() hash.Hash { panic("cryptobackend: not available") }
 +func NewSHA384() hash.Hash { panic("cryptobackend: not available") }
 +func NewSHA512() hash.Hash { panic("cryptobackend: not available") }
 +
++func MD5(p []byte) (sum [16]byte)    { panic("cryptobackend: not available") }
 +func SHA1(p []byte) (sum [20]byte)   { panic("cryptobackend: not available") }
 +func SHA224(p []byte) (sum [28]byte) { panic("cryptobackend: not available") }
 +func SHA256(p []byte) (sum [32]byte) { panic("cryptobackend: not available") }
@@ -571,6 +575,60 @@ index 00000000000000..5e4b436554d44d
 +// Having this assembly file keeps the go command
 +// from complaining about the missing body
 +// (because the implementation might be here).
+diff --git a/src/crypto/md5/md5.go b/src/crypto/md5/md5.go
+index ccee4ea3a9914f..206249f5bf261e 100644
+--- a/src/crypto/md5/md5.go
++++ b/src/crypto/md5/md5.go
+@@ -12,6 +12,7 @@ package md5
+
+ import (
+ 	"crypto"
++	boring "crypto/internal/backend"
+ 	"encoding/binary"
+ 	"errors"
+ 	"hash"
+@@ -99,6 +100,9 @@ func consumeUint32(b []byte) ([]byte, uint32) {
+ // implements encoding.BinaryMarshaler and encoding.BinaryUnmarshaler to
+ // marshal and unmarshal the internal state of the hash.
+ func New() hash.Hash {
++	if boring.Enabled && boring.SupportsHash(crypto.MD5) {
++		return boring.NewMD5()
++	}
+ 	d := new(digest)
+ 	d.Reset()
+ 	return d
+@@ -176,6 +180,9 @@ func (d *digest) checkSum() [Size]byte {
+
+ // Sum returns the MD5 checksum of the data.
+ func Sum(data []byte) [Size]byte {
++	if boring.Enabled && boring.SupportsHash(crypto.MD5) {
++		return boring.MD5(data)
++	}
+ 	var d digest
+ 	d.Reset()
+ 	d.Write(data)
+diff --git a/src/crypto/md5/md5_test.go b/src/crypto/md5/md5_test.go
+index 851e7fb10d42f5..f9d1037c9b82b9 100644
+--- a/src/crypto/md5/md5_test.go
++++ b/src/crypto/md5/md5_test.go
+@@ -6,6 +6,7 @@ package md5
+
+ import (
+ 	"bytes"
++	boring "crypto/internal/backend"
+ 	"crypto/rand"
+ 	"encoding"
+ 	"fmt"
+@@ -144,6 +145,9 @@ func TestLarge(t *testing.T) {
+
+ // Tests that blockGeneric (pure Go) and block (in assembly for amd64, 386, arm) match.
+ func TestBlockGeneric(t *testing.T) {
++	if boring.Enabled {
++		t.Skip("digest is not used when boring.Enabled is set")
++	}
+ 	gen, asm := New().(*digest), New().(*digest)
+ 	buf := make([]byte, BlockSize*20) // arbitrary factor
+ 	rand.Read(buf)
 diff --git a/src/crypto/rand/rand_unix.go b/src/crypto/rand/rand_unix.go
 index 40fce36314adfa..1d6231ae91d5ae 100644
 --- a/src/crypto/rand/rand_unix.go

diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch
@@ -5,8 +5,8 @@ Subject: [PATCH] Add BoringSSL crypto backend
 
 ---
  .../internal/backend/bbig/big_boring.go       |  12 ++
- src/crypto/internal/backend/boring_linux.go   | 173 ++++++++++++++++++
- 2 files changed, 185 insertions(+)
+ src/crypto/internal/backend/boring_linux.go   | 175 ++++++++++++++++++
+ 2 files changed, 187 insertions(+)
  create mode 100644 src/crypto/internal/backend/bbig/big_boring.go
  create mode 100644 src/crypto/internal/backend/boring_linux.go
 
@@ -30,10 +30,10 @@ index 00000000000000..0b62cef68546d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go
 new file mode 100644
-index 00000000000000..ea2ec3c2527dcc
+index 00000000000000..bc5c54b02acf2f
 --- /dev/null
 +++ b/src/crypto/internal/backend/boring_linux.go
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,175 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -66,12 +66,14 @@ index 00000000000000..ea2ec3c2527dcc
 +	}
 +}
 +
++func NewMD5() hash.Hash    { panic("cryptobackend: not available") }
 +func NewSHA1() hash.Hash   { return boring.NewSHA1() }
 +func NewSHA224() hash.Hash { return boring.NewSHA224() }
 +func NewSHA256() hash.Hash { return boring.NewSHA256() }
 +func NewSHA384() hash.Hash { return boring.NewSHA384() }
 +func NewSHA512() hash.Hash { return boring.NewSHA512() }
 +
++func MD5(p []byte) (sum [16]byte)    { panic("cryptobackend: not available") }
 +func SHA1(p []byte) (sum [20]byte)   { return boring.SHA1(p) }
 +func SHA224(p []byte) (sum [28]byte) { return boring.SHA224(p) }
 +func SHA256(p []byte) (sum [32]byte) { return boring.SHA256(p) }

diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  src/crypto/ecdsa/notboring.go                 |   2 +-
  src/crypto/internal/backend/bbig/big.go       |   2 +-
  .../internal/backend/bbig/big_openssl.go      |  12 +
- src/crypto/internal/backend/openssl_linux.go  | 277 ++++++++++++++++++
+ src/crypto/internal/backend/openssl_linux.go  | 279 ++++++++++++++++++
  src/crypto/internal/boring/fipstls/stub.s     |   2 +-
  src/crypto/internal/boring/fipstls/tls.go     |   2 +-
  src/crypto/rsa/boring.go                      |   2 +-
@@ -37,7 +37,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  .../goexperiment/exp_opensslcrypto_on.go      |   9 +
  src/internal/goexperiment/flags.go            |   1 +
  src/os/exec/exec_test.go                      |   9 +
- 33 files changed, 359 insertions(+), 23 deletions(-)
+ 33 files changed, 361 insertions(+), 23 deletions(-)
  create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go
  create mode 100644 src/crypto/internal/backend/openssl_linux.go
  create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go
@@ -57,10 +57,10 @@ index f0e3575637c62a..0e9aceeb832d3b 100644
  package main
 
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
-index 5e57c0c427bf71..439f8198e4121e 100644
+index 9635c4fb616ecf..ba12fbee276416 100644
 --- a/src/cmd/dist/test.go
 +++ b/src/cmd/dist/test.go
-@@ -1206,12 +1206,11 @@ func (t *tester) registerCgoTests(heading string) {
+@@ -1211,12 +1211,11 @@ func (t *tester) registerCgoTests(heading string) {
  			// a C linker warning on Linux.
  			// in function `bio_ip_and_port_to_socket_and_addr':
  			// warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
@@ -190,10 +190,10 @@ index 00000000000000..e6695dd66b1d02
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
 new file mode 100644
-index 00000000000000..bc10293bb719ff
+index 00000000000000..d342e4b0f11e23
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl_linux.go
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,279 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -322,12 +322,14 @@ index 00000000000000..bc10293bb719ff
 +	return openssl.SupportsHash(h)
 +}
 +
++func NewMD5() hash.Hash   { return openssl.NewMD5() }
 +func NewSHA1() hash.Hash   { return openssl.NewSHA1() }
 +func NewSHA224() hash.Hash { return openssl.NewSHA224() }
 +func NewSHA256() hash.Hash { return openssl.NewSHA256() }
 +func NewSHA384() hash.Hash { return openssl.NewSHA384() }
 +func NewSHA512() hash.Hash { return openssl.NewSHA512() }
 +
++func MD5(p []byte) (sum [16]byte)   { return openssl.MD5(p) }
 +func SHA1(p []byte) (sum [20]byte)   { return openssl.SHA1(p) }
 +func SHA224(p []byte) (sum [28]byte) { return openssl.SHA224(p) }
 +func SHA256(p []byte) (sum [32]byte) { return openssl.SHA256(p) }
@@ -667,29 +669,29 @@ index c83a7272c9f01f..a0548a7f9179c5 100644
  package x509
 
 diff --git a/src/go.mod b/src/go.mod
-index 021d00b3f6f519..5fe135982d20ee 100644
+index 8f7dd5c0b69932..b5222cd4fb66b3 100644
 --- a/src/go.mod
 +++ b/src/go.mod
 @@ -3,6 +3,7 @@ module std
  go 1.22
 
  require (
 +	github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6
- 	golang.org/x/crypto v0.12.0
- 	golang.org/x/net v0.14.1-0.20230809150940-1e23797619c9
+ 	golang.org/x/crypto v0.14.0
+ 	golang.org/x/net v0.17.0
  )
 diff --git a/src/go.sum b/src/go.sum
-index cae131c06ee904..daaf12048cf9f7 100644
+index 22511da608a07b..2e071695221e13 100644
 --- a/src/go.sum
 +++ b/src/go.sum
 @@ -1,3 +1,5 @@
 +github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6 h1:htngJbDceHA29WbezaO55msU/iITDkdto1p1iHHmjC0=
 +github.com/golang-fips/openssl/v2 v2.0.0-rc.3.0.20230926133027-251d5fd9efa6/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg=
- golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
- golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
- golang.org/x/net v0.14.1-0.20230809150940-1e23797619c9 h1:eQR0jFW5dN2q8lFzSF7rjkRCOOnBf0llczNvITm6ICs=
+ golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+ golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 0fc11c2fb3ae7b..07bc42530a2cca 100644
+index f10ecff5168acc..79d02564926b37 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
 @@ -427,6 +427,8 @@ var depsRules = `
@@ -709,7 +711,7 @@ index 0fc11c2fb3ae7b..07bc42530a2cca 100644
  	< crypto/internal/boring/bbig
  	< crypto/internal/backend/bbig
  	< crypto/rand
-@@ -709,7 +712,7 @@ var buildIgnore = []byte("\n//go:build ignore")
+@@ -712,7 +715,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 
  func findImports(pkg string) ([]string, error) {
  	vpkg := pkg
@@ -718,7 +720,7 @@ index 0fc11c2fb3ae7b..07bc42530a2cca 100644
  		vpkg = "vendor/" + pkg
  	}
  	dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -719,7 +722,7 @@ func findImports(pkg string) ([]string, error) {
+@@ -722,7 +725,7 @@ func findImports(pkg string) ([]string, error) {
  	}
  	var imports []string
  	var haveImport = map[string]bool{}