From 03caff28d576a086d4d5716a2168962716b6add3 Mon Sep 17 00:00:00 2001 From: George Adams Date: Thu, 16 Jan 2025 09:47:00 +0000 Subject: [PATCH 1/2] backends: update all vendor backends to latest --- patches/0002-Vendor-crypto-backends.patch | 168 ++++++++++++++++------ 1 file changed, 124 insertions(+), 44 deletions(-) diff --git a/patches/0002-Vendor-crypto-backends.patch b/patches/0002-Vendor-crypto-backends.patch index 548d456466..37cdfc006f 100644 --- a/patches/0002-Vendor-crypto-backends.patch +++ b/patches/0002-Vendor-crypto-backends.patch @@ -6,7 +6,7 @@ Subject: [PATCH] Vendor crypto backends To reproduce changes in 'src/vendor', run 'go mod vendor' in 'src'. Use a 'go' that was recently built by the current branch to ensure stable results. --- - src/crypto/internal/backend/deps_ignore.go | 19 + + src/crypto/internal/backend/deps_ignore.go | 22 + src/go.mod | 6 + src/go.sum | 6 + src/go/build/deps_test.go | 17 +- @@ -35,7 +35,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../github.com/golang-fips/openssl/v2/init.go | 64 ++ .../golang-fips/openssl/v2/init_unix.go | 31 + .../golang-fips/openssl/v2/init_windows.go | 36 + - .../golang-fips/openssl/v2/openssl.go | 469 ++++++++++++ + .../golang-fips/openssl/v2/openssl.go | 506 +++++++++++++ .../golang-fips/openssl/v2/params.go | 210 ++++++ .../golang-fips/openssl/v2/pbkdf2.go | 62 ++ .../golang-fips/openssl/v2/port_dsa.c | 85 +++ @@ -85,7 +85,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../microsoft/go-crypto-winnative/cng/dsa.go | 465 ++++++++++++ .../microsoft/go-crypto-winnative/cng/ecdh.go | 255 +++++++ .../go-crypto-winnative/cng/ecdsa.go | 169 +++++ - .../microsoft/go-crypto-winnative/cng/hash.go | 312 ++++++++ + .../microsoft/go-crypto-winnative/cng/hash.go | 325 ++++++++ .../microsoft/go-crypto-winnative/cng/hkdf.go | 124 +++ .../microsoft/go-crypto-winnative/cng/hmac.go | 35 + .../microsoft/go-crypto-winnative/cng/keys.go | 220 ++++++ @@ -93,7 +93,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../microsoft/go-crypto-winnative/cng/rand.go | 28 + .../microsoft/go-crypto-winnative/cng/rc4.go | 65 ++ .../microsoft/go-crypto-winnative/cng/rsa.go | 396 ++++++++++ - .../microsoft/go-crypto-winnative/cng/sha3.go | 284 +++++++ + .../microsoft/go-crypto-winnative/cng/sha3.go | 311 ++++++++ .../go-crypto-winnative/cng/tls1prf.go | 88 +++ .../internal/bcrypt/bcrypt_windows.go | 368 +++++++++ .../internal/bcrypt/ntstatus_windows.go | 45 ++ @@ -101,7 +101,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 16 + - 95 files changed, 13707 insertions(+), 3 deletions(-) + 95 files changed, 13787 insertions(+), 3 deletions(-) create mode 100644 src/crypto/internal/backend/deps_ignore.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml @@ -195,10 +195,10 @@ Use a 'go' that was recently built by the current branch to ensure stable result diff --git a/src/crypto/internal/backend/deps_ignore.go b/src/crypto/internal/backend/deps_ignore.go new file mode 100644 -index 00000000000000..ba6d196a54f69d +index 00000000000000..ae4055d2d71303 --- /dev/null +++ b/src/crypto/internal/backend/deps_ignore.go -@@ -0,0 +1,19 @@ +@@ -0,0 +1,22 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -211,6 +211,9 @@ index 00000000000000..ba6d196a54f69d + _ "github.com/golang-fips/openssl/v2" + _ "github.com/golang-fips/openssl/v2/bbig" + ++ _ "github.com/microsoft/go-crypto-darwin/bbig" ++ _ "github.com/microsoft/go-crypto-darwin/xcrypto" ++ + _ "github.com/microsoft/go-crypto-winnative/cng" + _ "github.com/microsoft/go-crypto-winnative/cng/bbig" +) @@ -219,7 +222,7 @@ index 00000000000000..ba6d196a54f69d +// that are used by the backend package. This allows to track +// their versions in a single patch file. diff --git a/src/go.mod b/src/go.mod -index 7a1318dcac32ba..45152e6f54937b 100644 +index 7a1318dcac32ba..18a071a7428728 100644 --- a/src/go.mod +++ b/src/go.mod @@ -11,3 +11,9 @@ require ( @@ -228,21 +231,21 @@ index 7a1318dcac32ba..45152e6f54937b 100644 ) + +require ( -+ github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 -+ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 -+ github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37 ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 ++ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c ++ github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 +) diff --git a/src/go.sum b/src/go.sum -index 9e661352f16e0b..5683f4da5e4f04 100644 +index 9e661352f16e0b..a2513aafc35631 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,9 @@ -+github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 h1:OhuURhDVbg+f/BvlG+qT5sQVkutwhI0Kmsy7koQ4l9A= -+github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 h1:xg58D1m8jeq0lkMf7TmcLZXCAK/PRlT0aG02PYlA6C0= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= -+github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37 h1:KB8xmJcFSPlZFMg2mxz5b6DCE8k1qpHy2HFevAJLELI= -+github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 h1:FFp7Q2AwYX+IQhhQt3ljQDdWtG5ZbRu0u3ohWQdFow8= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c h1:cPW7Q78w6ubgnQTxOFz5YuFmrXzt+p2UA+gSk/KAuDM= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= ++github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 h1:97wOagHu7OExwU929NjuPIlUEUaFIQtffQMaVj0mR5E= ++github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA= golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/net v0.32.1-0.20241206180132-552d8ac903a1 h1:+Yk1FZ5E+/ewA0nOO/HRYs9E4yeqpGOShuSAdzCNNoQ= @@ -5116,10 +5119,10 @@ index 00000000000000..3778e21227abb9 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/openssl.go b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go new file mode 100644 -index 00000000000000..145b082f1b771c +index 00000000000000..ec39bf1533cae0 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go -@@ -0,0 +1,469 @@ +@@ -0,0 +1,506 @@ +//go:build !cmd_go_bootstrap + +// Package openssl provides access to OpenSSL cryptographic functions. @@ -5256,6 +5259,37 @@ index 00000000000000..145b082f1b771c + } +} + ++// FIPSCapable returns true if the provider used by default matches the `fips=yes` query. ++// It is useful for checking whether OpenSSL is capable of running in FIPS mode regardless ++// of whether FIPS mode is explicitly enabled. For example, Azure Linux 3 doesn't set the ++// `fips=yes` query in the default properties, but sets the default provider to be SCOSSL, ++// which is FIPS-capable. ++// ++// Considerations: ++// - Multiple calls to FIPSCapable can return different values if [SetFIPS] is called in between. ++// - Can return true even if [FIPS] returns false, because [FIPS] also checks whether ++// the default properties contain `fips=yes`. ++// - When using OpenSSL 3, will always return true if [FIPS] returns true. ++// - When using OpenSSL 1, Will always return the same value as [FIPS]. ++// - OpenSSL 3 doesn't provide a way to know if a provider is FIPS-capable. This function uses ++// some heuristics that should be treated as an implementation detail that may change in the future. ++func FIPSCapable() bool { ++ if FIPS() { ++ return true ++ } ++ if vMajor == 3 { ++ // Load the provider with and without the `fips=yes` query. ++ // If the providers are the same, then the default provider is FIPS-capable. ++ provFIPS := sha256Provider(propFIPS) ++ if provFIPS == nil { ++ return false ++ } ++ provDefault := sha256Provider(nil) ++ return provFIPS == provDefault ++ } ++ return false ++} ++ +// isProviderAvailable checks if the provider with the given name is available. +// This function is used in export_test.go, but must be defined here as test files can't access C functions. +func isProviderAvailable(name string) bool { @@ -5315,16 +5349,22 @@ index 00000000000000..145b082f1b771c + } +} + -+// proveSHA256 checks if the SHA-256 algorithm is available ++// sha256Provider returns the provider for the SHA-256 algorithm +// using the given properties. -+func proveSHA256(props *C.char) bool { ++func sha256Provider(props *C.char) C.GO_OSSL_PROVIDER_PTR { + md := C.go_openssl_EVP_MD_fetch(nil, algorithmSHA256, props) + if md == nil { + C.go_openssl_ERR_clear_error() -+ return false ++ return nil + } -+ C.go_openssl_EVP_MD_free(md) -+ return true ++ defer C.go_openssl_EVP_MD_free(md) ++ return C.go_openssl_EVP_MD_get0_provider(md) ++} ++ ++// proveSHA256 checks if the SHA-256 algorithm is available ++// using the given properties. ++func proveSHA256(props *C.char) bool { ++ return sha256Provider(props) != nil +} + +// noescape hides a pointer from escape analysis. noescape is @@ -12434,10 +12474,10 @@ index 00000000000000..586e9ae2ebb0c9 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go new file mode 100644 -index 00000000000000..a674496f18a3af +index 00000000000000..b97e638e4a98ed --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go -@@ -0,0 +1,312 @@ +@@ -0,0 +1,325 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -12449,6 +12489,7 @@ index 00000000000000..a674496f18a3af +import ( + "bytes" + "crypto" ++ "errors" + "hash" + "runtime" + "unsafe" @@ -12690,6 +12731,18 @@ index 00000000000000..a674496f18a3af + return int(h.alg.blockSize) +} + ++func (hx *hashX) MarshalBinary() ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (hx *hashX) AppendBinary(b []byte) ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (hx *hashX) UnmarshalBinary(data []byte) error { ++ return errors.New("cng: hash state is not marshallable") ++} ++ +// hashData writes p to ctx. It panics on error. +func hashData(ctx bcrypt.HASH_HANDLE, p []byte) { + var n int @@ -13732,10 +13785,10 @@ index 00000000000000..0269f9cf86539e +} diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go new file mode 100644 -index 00000000000000..d7aa193e00e653 +index 00000000000000..15c1345475a3b1 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go -@@ -0,0 +1,284 @@ +@@ -0,0 +1,311 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -13745,6 +13798,7 @@ index 00000000000000..d7aa193e00e653 +package cng + +import ( ++ "errors" + "hash" + "runtime" + "unsafe" @@ -13796,17 +13850,19 @@ index 00000000000000..d7aa193e00e653 + return out +} + -+// SupportsSHAKE128 returns true if the SHAKE128 extendable output function is -+// supported. -+func SupportsSHAKE128() bool { -+ _, err := loadHash(bcrypt.CSHAKE128_ALGORITHM, bcrypt.ALG_NONE_FLAG) -+ return err == nil -+} -+ -+// SupportsSHAKE256 returns true if the SHAKE256 extendable output function is -+// supported. -+func SupportsSHAKE256() bool { -+ _, err := loadHash(bcrypt.CSHAKE256_ALGORITHM, bcrypt.ALG_NONE_FLAG) ++// SupportsSHAKE returns true if the SHAKE and CSHAKE extendable output functions ++// with the given securityBits are supported. ++func SupportsSHAKE(securityBits int) bool { ++ var id string ++ switch securityBits { ++ case 128: ++ id = bcrypt.CSHAKE128_ALGORITHM ++ case 256: ++ id = bcrypt.CSHAKE256_ALGORITHM ++ default: ++ return false ++ } ++ _, err := loadHash(id, bcrypt.ALG_NONE_FLAG) + return err == nil +} + @@ -13900,6 +13956,18 @@ index 00000000000000..d7aa193e00e653 + return int(h.alg.blockSize) +} + ++func (ds *DigestSHA3) MarshalBinary() ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (ds *DigestSHA3) AppendBinary(b []byte) ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (ds *DigestSHA3) UnmarshalBinary(data []byte) error { ++ return errors.New("cng: hash state is not marshallable") ++} ++ +// NewSHA3_256 returns a new SHA256 hash. +func NewSHA3_256() *DigestSHA3 { + return newDigestSHA3(bcrypt.SHA3_256_ALGORITHM) @@ -14020,6 +14088,18 @@ index 00000000000000..d7aa193e00e653 +func (s *SHAKE) BlockSize() int { + return int(s.blockSize) +} ++ ++func (s *SHAKE) MarshalBinary() ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (s *SHAKE) AppendBinary(b []byte) ([]byte, error) { ++ return nil, errors.New("cng: hash state is not marshallable") ++} ++ ++func (s *SHAKE) UnmarshalBinary(data []byte) error { ++ return errors.New("cng: hash state is not marshallable") ++} diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go new file mode 100644 index 00000000000000..5a3fb01606ef95 @@ -15057,20 +15137,20 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 1c8de570cc2f1f..aac6c2a60b6b80 100644 +index 1c8de570cc2f1f..2013c56709b909 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,19 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20250107115006-eb155dada337 ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 +## explicit; go 1.22 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig -+# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109125424-5d0e67f47146 ++# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c +## explicit; go 1.22 +github.com/microsoft/go-crypto-darwin/bbig +github.com/microsoft/go-crypto-darwin/internal/cryptokit +github.com/microsoft/go-crypto-darwin/xcrypto -+# github.com/microsoft/go-crypto-winnative v0.0.0-20250108090702-b49854c00e37 ++# github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 +## explicit; go 1.22 +github.com/microsoft/go-crypto-winnative/cng +github.com/microsoft/go-crypto-winnative/cng/bbig From ee2643c035efc4bf5912325a59e3a4267b06c6b9 Mon Sep 17 00:00:00 2001 From: George Adams Date: Thu, 16 Jan 2025 10:18:53 +0000 Subject: [PATCH 2/2] implement binary marshaller --- patches/0002-Vendor-crypto-backends.patch | 34 ++++-- patches/0004-Use-crypto-backends.patch | 137 ++++------------------ 2 files changed, 47 insertions(+), 124 deletions(-) diff --git a/patches/0002-Vendor-crypto-backends.patch b/patches/0002-Vendor-crypto-backends.patch index 37cdfc006f..4fbc263129 100644 --- a/patches/0002-Vendor-crypto-backends.patch +++ b/patches/0002-Vendor-crypto-backends.patch @@ -67,7 +67,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../go-crypto-darwin/xcrypto/ecdsa.go | 181 +++++ .../go-crypto-darwin/xcrypto/ed25519.go | 100 +++ .../microsoft/go-crypto-darwin/xcrypto/evp.go | 338 +++++++++ - .../go-crypto-darwin/xcrypto/hash.go | 391 ++++++++++ + .../go-crypto-darwin/xcrypto/hash.go | 403 ++++++++++ .../go-crypto-darwin/xcrypto/hkdf.go | 66 ++ .../go-crypto-darwin/xcrypto/hmac.go | 113 +++ .../go-crypto-darwin/xcrypto/pbkdf2.go | 65 ++ @@ -101,7 +101,7 @@ Use a 'go' that was recently built by the current branch to ensure stable result .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 16 + - 95 files changed, 13787 insertions(+), 3 deletions(-) + 95 files changed, 13799 insertions(+), 3 deletions(-) create mode 100644 src/crypto/internal/backend/deps_ignore.go create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml @@ -222,7 +222,7 @@ index 00000000000000..ae4055d2d71303 +// that are used by the backend package. This allows to track +// their versions in a single patch file. diff --git a/src/go.mod b/src/go.mod -index 7a1318dcac32ba..18a071a7428728 100644 +index 7a1318dcac32ba..a59c5f120e7dfb 100644 --- a/src/go.mod +++ b/src/go.mod @@ -11,3 +11,9 @@ require ( @@ -232,18 +232,18 @@ index 7a1318dcac32ba..18a071a7428728 100644 + +require ( + github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 -+ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c ++ github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67 + github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 +) diff --git a/src/go.sum b/src/go.sum -index 9e661352f16e0b..a2513aafc35631 100644 +index 9e661352f16e0b..b4273d691cbe36 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,9 @@ +github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 h1:FFp7Q2AwYX+IQhhQt3ljQDdWtG5ZbRu0u3ohWQdFow8= +github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c h1:cPW7Q78w6ubgnQTxOFz5YuFmrXzt+p2UA+gSk/KAuDM= -+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67 h1:SI0IFiHducwfamZR7pv6jb92oc5o/z5tn66wynS6ADE= ++github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ= +github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 h1:97wOagHu7OExwU929NjuPIlUEUaFIQtffQMaVj0mR5E= +github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA= golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= @@ -9716,10 +9716,10 @@ index 00000000000000..fcdce4c49b6723 +} diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go new file mode 100644 -index 00000000000000..2618e53134e915 +index 00000000000000..94442fde5def16 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go -@@ -0,0 +1,391 @@ +@@ -0,0 +1,403 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -9936,6 +9936,18 @@ index 00000000000000..2618e53134e915 + return append(b, digest...) +} + ++func (h *evpHash) MarshalBinary() ([]byte, error) { ++ return nil, errors.New("xcrypto: hash state is not marshallable") ++} ++ ++func (h *evpHash) AppendBinary(b []byte) ([]byte, error) { ++ return nil, errors.New("xcrypto: hash state is not marshallable") ++} ++ ++func (h *evpHash) UnmarshalBinary(data []byte) error { ++ return errors.New("xcrypto: hash state is not marshallable") ++} ++ +// Clone returns a new evpHash object that is a deep clone of itself. +// The duplicate object contains all state and data contained in the +// original object at the point of duplication. @@ -15137,7 +15149,7 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 1c8de570cc2f1f..2013c56709b909 100644 +index 1c8de570cc2f1f..a249bbfa93dac3 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,19 @@ @@ -15145,7 +15157,7 @@ index 1c8de570cc2f1f..2013c56709b909 100644 +## explicit; go 1.22 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig -+# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250109130249-2dee4e287e7c ++# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67 +## explicit; go 1.22 +github.com/microsoft/go-crypto-darwin/bbig +github.com/microsoft/go-crypto-darwin/internal/cryptokit diff --git a/patches/0004-Use-crypto-backends.patch b/patches/0004-Use-crypto-backends.patch index f01156c575..13348735e2 100644 --- a/patches/0004-Use-crypto-backends.patch +++ b/patches/0004-Use-crypto-backends.patch @@ -38,7 +38,7 @@ Subject: [PATCH] Use crypto backends src/crypto/internal/cryptotest/allocations.go | 2 +- .../internal/cryptotest/implementations.go | 2 +- src/crypto/md5/md5.go | 10 + - src/crypto/md5/md5_test.go | 21 ++ + src/crypto/md5/md5_test.go | 16 ++ src/crypto/pbkdf2/pbkdf2.go | 4 + src/crypto/pbkdf2/pbkdf2_test.go | 2 +- src/crypto/purego_test.go | 2 +- @@ -55,11 +55,11 @@ Subject: [PATCH] Use crypto backends src/crypto/rsa/rsa.go | 4 +- src/crypto/rsa/rsa_test.go | 15 +- src/crypto/sha1/sha1.go | 8 +- - src/crypto/sha1/sha1_test.go | 19 +- + src/crypto/sha1/sha1_test.go | 9 +- src/crypto/sha256/sha256.go | 6 +- - src/crypto/sha256/sha256_test.go | 29 +++ + src/crypto/sha256/sha256_test.go | 16 ++ src/crypto/sha512/sha512.go | 2 +- - src/crypto/sha512/sha512_test.go | 29 +++ + src/crypto/sha512/sha512_test.go | 16 ++ src/crypto/tls/cipher_suites.go | 2 +- src/crypto/tls/fipsonly/fipsonly.go | 2 +- src/crypto/tls/fipsonly/fipsonly_test.go | 2 +- @@ -75,13 +75,13 @@ Subject: [PATCH] Use crypto backends src/go/build/deps_test.go | 5 +- src/hash/boring_test.go | 9 + src/hash/example_test.go | 2 + - src/hash/marshal_test.go | 9 + + src/hash/marshal_test.go | 4 + src/hash/notboring_test.go | 9 + src/net/lookup_test.go | 3 + src/net/smtp/smtp_test.go | 72 ++++--- src/os/exec/exec_test.go | 9 + src/runtime/pprof/vminfo_darwin_test.go | 6 + - 77 files changed, 1143 insertions(+), 109 deletions(-) + 77 files changed, 1097 insertions(+), 109 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ecdsa/badlinkname.go @@ -1166,7 +1166,7 @@ index a0384e175f31bd..f7aa6da36f02de 100644 d.Reset() d.Write(data) diff --git a/src/crypto/md5/md5_test.go b/src/crypto/md5/md5_test.go -index 437d9b9d4c0e0d..ee28c55f846e81 100644 +index 437d9b9d4c0e0d..50728df60ea7ec 100644 --- a/src/crypto/md5/md5_test.go +++ b/src/crypto/md5/md5_test.go @@ -6,12 +6,14 @@ package md5 @@ -1184,19 +1184,7 @@ index 437d9b9d4c0e0d..ee28c55f846e81 100644 "testing" "unsafe" ) -@@ -88,6 +90,11 @@ func TestGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if boring.Enabled { -+ if _, ok := New().(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - for _, g := range golden { - h := New() - h2 := New() -@@ -96,6 +103,9 @@ func TestGoldenMarshal(t *testing.T) { +@@ -96,6 +98,9 @@ func TestGoldenMarshal(t *testing.T) { state, err := h.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { @@ -1206,7 +1194,7 @@ index 437d9b9d4c0e0d..ee28c55f846e81 100644 t.Errorf("could not marshal: %v", err) continue } -@@ -157,6 +167,9 @@ func TestLarge(t *testing.T) { +@@ -157,6 +162,9 @@ func TestLarge(t *testing.T) { // Tests that blockGeneric (pure Go) and block (in assembly for amd64, 386, arm) match. func TestBlockGeneric(t *testing.T) { @@ -1216,7 +1204,7 @@ index 437d9b9d4c0e0d..ee28c55f846e81 100644 gen, asm := New().(*digest), New().(*digest) buf := make([]byte, BlockSize*20) // arbitrary factor rand.Read(buf) -@@ -204,10 +217,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -204,10 +212,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { } func TestLargeHashes(t *testing.T) { @@ -1759,7 +1747,7 @@ index d2ffaac0aeb674..23d8ad44d0bd9a 100644 d.Reset() d.Write(data) diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go -index 9d707b7cde5c2d..8da08b3d860a85 100644 +index 9d707b7cde5c2d..8e1f92ea7304a8 100644 --- a/src/crypto/sha1/sha1_test.go +++ b/src/crypto/sha1/sha1_test.go @@ -8,13 +8,14 @@ package sha1 @@ -1778,19 +1766,7 @@ index 9d707b7cde5c2d..8da08b3d860a85 100644 "testing" ) -@@ -97,6 +98,11 @@ func TestGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if boring.Enabled { -+ if _, ok := New().(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - h := New() - h2 := New() - for _, g := range golden { -@@ -107,6 +113,9 @@ func TestGoldenMarshal(t *testing.T) { +@@ -107,6 +108,9 @@ func TestGoldenMarshal(t *testing.T) { state, err := h.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { @@ -1800,16 +1776,7 @@ index 9d707b7cde5c2d..8da08b3d860a85 100644 t.Errorf("could not marshal: %v", err) continue } -@@ -210,10 +219,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { - } - - func TestLargeHashes(t *testing.T) { -+ if boring.Enabled { -+ if _, ok := New().(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - for i, test := range largeUnmarshalTests { +@@ -214,6 +218,9 @@ func TestLargeHashes(t *testing.T) { h := New() if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary([]byte(test.state)); err != nil { @@ -1851,7 +1818,7 @@ index 069938a22dbc5a..8d0e06b86f4359 100644 } h := New224() diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go -index e1af9640e25547..c4f142c1430285 100644 +index e1af9640e25547..8896c6e85f4ada 100644 --- a/src/crypto/sha256/sha256_test.go +++ b/src/crypto/sha256/sha256_test.go @@ -8,11 +8,13 @@ package sha256 @@ -1868,19 +1835,7 @@ index e1af9640e25547..c4f142c1430285 100644 "testing" ) -@@ -155,6 +157,11 @@ func testGoldenMarshal(t *testing.T) { - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { -+ if boring.Enabled { -+ if _, ok := tt.newHash().(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - for _, g := range tt.gold { - h := tt.newHash() - h2 := tt.newHash() -@@ -163,6 +170,9 @@ func testGoldenMarshal(t *testing.T) { +@@ -163,6 +165,9 @@ func testGoldenMarshal(t *testing.T) { state, err := h.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { @@ -1890,18 +1845,8 @@ index e1af9640e25547..c4f142c1430285 100644 t.Errorf("could not marshal: %v", err) continue } -@@ -204,8 +214,19 @@ func TestMarshalTypeMismatch(t *testing.T) { - h1 := New() - h2 := New224() +@@ -206,6 +211,9 @@ func TestMarshalTypeMismatch(t *testing.T) { -+ if boring.Enabled { -+ _, ok1 := h1.(encoding.BinaryMarshaler) -+ _, ok2 := h2.(encoding.BinaryUnmarshaler) -+ if !ok1 || !ok2 { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } -+ state1, err := h1.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { + if strings.Contains(err.Error(), "hash state is not marshallable") { @@ -1910,7 +1855,7 @@ index e1af9640e25547..c4f142c1430285 100644 t.Errorf("could not marshal: %v", err) } -@@ -275,10 +296,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -275,10 +283,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { return h.Sum(nil), nil } func TestLargeHashes(t *testing.T) { @@ -1943,7 +1888,7 @@ index 1435eac1f5b5dc..17e8501154762a 100644 "hash" ) diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go -index 1fe9d132bb186d..97b7da8c2d3d88 100644 +index 1fe9d132bb186d..0692be8461e964 100644 --- a/src/crypto/sha512/sha512_test.go +++ b/src/crypto/sha512/sha512_test.go @@ -8,12 +8,14 @@ package sha512 @@ -1961,19 +1906,7 @@ index 1fe9d132bb186d..97b7da8c2d3d88 100644 "testing" ) -@@ -744,6 +746,11 @@ func testGoldenMarshal(t *testing.T) { - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - for _, test := range tt.golden { -+ if boring.Enabled { -+ if _, ok := tt.newHash().(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - h := tt.newHash() - h2 := tt.newHash() - -@@ -751,6 +758,9 @@ func testGoldenMarshal(t *testing.T) { +@@ -751,6 +753,9 @@ func testGoldenMarshal(t *testing.T) { state, err := h.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { @@ -1983,18 +1916,8 @@ index 1fe9d132bb186d..97b7da8c2d3d88 100644 t.Errorf("could not marshal: %v", err) return } -@@ -805,8 +815,19 @@ func TestMarshalMismatch(t *testing.T) { - h1 := fn1() - h2 := fn2() - -+ if boring.Enabled { -+ _, ok1 := h1.(encoding.BinaryMarshaler) -+ _, ok2 := h2.(encoding.BinaryUnmarshaler) -+ if !ok1 || !ok2 { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } -+ +@@ -807,6 +812,9 @@ func TestMarshalMismatch(t *testing.T) { + state, err := h1.(encoding.BinaryMarshaler).MarshalBinary() if err != nil { + if strings.Contains(err.Error(), "hash state is not marshallable") { @@ -2003,7 +1926,7 @@ index 1fe9d132bb186d..97b7da8c2d3d88 100644 t.Errorf("i=%d: could not marshal: %v", i, err) continue } -@@ -880,10 +901,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -880,10 +888,18 @@ func safeSum(h hash.Hash) (sum []byte, err error) { } func TestLargeHashes(t *testing.T) { @@ -2610,7 +2533,7 @@ index f07b9aaa2c4898..b380537215634d 100644 import ( diff --git a/src/hash/marshal_test.go b/src/hash/marshal_test.go -index 3091f7a67acede..23736034d5c352 100644 +index 3091f7a67acede..d952cf45797ac6 100644 --- a/src/hash/marshal_test.go +++ b/src/hash/marshal_test.go @@ -21,6 +21,7 @@ import ( @@ -2621,19 +2544,7 @@ index 3091f7a67acede..23736034d5c352 100644 "testing" ) -@@ -65,6 +66,11 @@ func TestMarshalHash(t *testing.T) { - } - - h := tt.new() -+ if boringEnabled { -+ if _, ok := h.(encoding.BinaryMarshaler); !ok { -+ t.Skip("BinaryMarshaler not implemented") -+ } -+ } - h.Write(buf[:256]) - sum := h.Sum(nil) - -@@ -80,6 +86,9 @@ func TestMarshalHash(t *testing.T) { +@@ -80,6 +81,9 @@ func TestMarshalHash(t *testing.T) { } enc, err := h2m.MarshalBinary() if err != nil {