diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 4659b3e82f..63e61ee10c 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -27,7 +27,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/internal/backend/norequirefips.go | 9 + src/crypto/internal/backend/stub.s | 10 + src/crypto/md5/md5.go | 7 + - src/crypto/md5/md5_test.go | 4 + + src/crypto/md5/md5_test.go | 14 ++ src/crypto/purego_test.go | 2 +- src/crypto/rand/rand.go | 2 +- src/crypto/rand/rand_test.go | 2 +- @@ -40,11 +40,11 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/rsa/rsa.go | 21 +- src/crypto/rsa/rsa_test.go | 2 +- src/crypto/sha1/sha1.go | 2 +- - src/crypto/sha1/sha1_test.go | 2 +- + src/crypto/sha1/sha1_test.go | 12 +- src/crypto/sha256/sha256.go | 6 +- - src/crypto/sha256/sha256_test.go | 2 +- + src/crypto/sha256/sha256_test.go | 20 +- src/crypto/sha512/sha512.go | 2 +- - src/crypto/sha512/sha512_test.go | 2 +- + src/crypto/sha512/sha512_test.go | 19 +- src/crypto/tls/boring_test.go | 5 + src/crypto/tls/cipher_suites.go | 2 +- src/crypto/tls/handshake_client.go | 25 ++- @@ -56,7 +56,7 @@ Subject: [PATCH] Add crypto backend foundation src/go/build/deps_test.go | 4 + src/net/smtp/smtp_test.go | 72 ++++--- src/runtime/runtime_boring.go | 5 + - 52 files changed, 802 insertions(+), 106 deletions(-) + 52 files changed, 857 insertions(+), 106 deletions(-) create mode 100644 src/crypto/ed25519/boring.go create mode 100644 src/crypto/ed25519/notboring.go create mode 100644 src/crypto/internal/backend/backend_test.go @@ -912,7 +912,7 @@ index c984c3f4968598..229dd457f8d53c 100644 d.Reset() d.Write(data) diff --git a/src/crypto/md5/md5_test.go b/src/crypto/md5/md5_test.go -index 6a8258a67e860c..3a973eebd284a4 100644 +index 6a8258a67e860c..b45f5d5f857d25 100644 --- a/src/crypto/md5/md5_test.go +++ b/src/crypto/md5/md5_test.go 
@@ -6,6 +6,7 @@ package md5 @@ -923,7 +923,19 @@ index 6a8258a67e860c..3a973eebd284a4 100644 "crypto/internal/cryptotest" "crypto/rand" "encoding" -@@ -157,6 +158,9 @@ func TestLarge(t *testing.T) { +@@ -90,6 +91,11 @@ func TestGolden(t *testing.T) { + func TestGoldenMarshal(t *testing.T) { + for _, g := range golden { + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryMarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + h2 := New() + + io.WriteString(h, g.in[:len(g.in)/2]) +@@ -157,6 +163,9 @@ func TestLarge(t *testing.T) { // Tests that blockGeneric (pure Go) and block (in assembly for amd64, 386, arm) match. func TestBlockGeneric(t *testing.T) { @@ -933,6 +945,18 @@ index 6a8258a67e860c..3a973eebd284a4 100644 gen, asm := New().(*digest), New().(*digest) buf := make([]byte, BlockSize*20) // arbitrary factor rand.Read(buf) +@@ -207,6 +216,11 @@ func TestLargeHashes(t *testing.T) { + for i, test := range largeUnmarshalTests { + + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryUnmarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary([]byte(test.state)); err != nil { + t.Errorf("test %d could not unmarshal: %v", i, err) + continue diff --git a/src/crypto/purego_test.go b/src/crypto/purego_test.go index 62be347e0c6822..d284b5cf7814a6 100644 --- a/src/crypto/purego_test.go @@ -1255,7 +1279,7 @@ index 8189d1946d8ea5..8f5f7f27f26fea 100644 "hash" "internal/byteorder" diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go -index d03892c57d4e61..d44f70b92661b4 100644 +index d03892c57d4e61..ecfa507641e699 100644 --- a/src/crypto/sha1/sha1_test.go +++ b/src/crypto/sha1/sha1_test.go @@ -8,7 +8,7 @@ package sha1 
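Review bot: The guard added to md5's TestGoldenMarshal asserts only `encoding.BinaryMarshaler` on `h`, and it is re-evaluated on every pass of `for _, g := range golden` although the answer cannot change between iterations. If the rest of the function (outside this hunk) restores the state into `h2` through `encoding.BinaryUnmarshaler`, a backend hash implementing only one of the two interfaces would still panic on an unchecked assertion. The sha256 TestMarshalTypeMismatch hunk already checks both sides. Consider probing once above the loop, e.g. `_, okM := New().(encoding.BinaryMarshaler)` and `_, okU := New().(encoding.BinaryUnmarshaler)`, then `if !okM || !okU { t.Skip(...) }`. The same marshaler-only check appears in the golden-marshal hunks for sha1, sha256 and sha512.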
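Review bot: The skip message in md5's TestLargeHashes reads `BinaryMarshaler not implemented`, but the guard tests `encoding.BinaryUnmarshaler`, so a skipped run names the wrong missing interface. Change it to `t.Skip("BinaryUnmarshaler not implemented")`; the TestLargeHashes hunks for sha1 and sha256 carry the same text. A short comment above the guard would also help, such as `// Backend hashes may not support state (un)marshalling; skip instead of panicking on the assertion below.`, so the reduced coverage under the backend is visible to readers. The function body continues outside the hunk.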
@@ -1267,6 +1291,30 @@ index d03892c57d4e61..d44f70b92661b4 100644 "crypto/internal/cryptotest" "crypto/rand" "encoding" +@@ -98,6 +98,11 @@ func TestGolden(t *testing.T) { + + func TestGoldenMarshal(t *testing.T) { + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryMarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + h2 := New() + for _, g := range golden { + h.Reset() +@@ -213,6 +218,11 @@ func TestLargeHashes(t *testing.T) { + for i, test := range largeUnmarshalTests { + + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryUnmarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary([]byte(test.state)); err != nil { + t.Errorf("test %d could not unmarshal: %v", i, err) + continue diff --git a/src/crypto/sha256/sha256.go b/src/crypto/sha256/sha256.go index d87c689c9001ad..7584c380af0cec 100644 --- a/src/crypto/sha256/sha256.go @@ -1299,7 +1347,7 @@ index d87c689c9001ad..7584c380af0cec 100644 } h := New224() diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go -index ffd16386515830..d2fa4369d068bf 100644 +index ffd16386515830..b780fa17724549 100644 --- a/src/crypto/sha256/sha256_test.go +++ b/src/crypto/sha256/sha256_test.go @@ -8,7 +8,7 @@ package sha256 
@@ -1311,6 +1359,45 @@ index ffd16386515830..d2fa4369d068bf 100644 "crypto/internal/cryptotest" "encoding" "fmt" +@@ -159,6 +159,11 @@ func testGoldenMarshal(t *testing.T) { + t.Run(tt.name, func(t *testing.T) { + for _, g := range tt.gold { + h := tt.newHash() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryMarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + h2 := tt.newHash() + + io.WriteString(h, g.in[:len(g.in)/2]) +@@ -206,6 +211,14 @@ func TestMarshalTypeMismatch(t *testing.T) { + h1 := New() + h2 := New224() + ++ if boring.Enabled { ++ _, ok1 := h1.(encoding.BinaryMarshaler) ++ _, ok2 := h2.(encoding.BinaryUnmarshaler) ++ if !ok1 || !ok2 { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } ++ + state1, err := h1.(encoding.BinaryMarshaler).MarshalBinary() + if err != nil { + t.Errorf("could not marshal: %v", err) +@@ -280,6 +293,11 @@ func TestLargeHashes(t *testing.T) { + for i, test := range largeUnmarshalTests { + + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryUnmarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary([]byte(test.state)); err != nil { + t.Errorf("test %d could not unmarshal: %v", i, err) + continue diff --git a/src/crypto/sha512/sha512.go b/src/crypto/sha512/sha512.go index 0a12fde7bc060b..ca752598e4343a 100644 --- a/src/crypto/sha512/sha512.go @@ -1325,7 +1412,7 @@ index 0a12fde7bc060b..ca752598e4343a 100644 "hash" ) diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go -index fdad37b1863ae8..736504b8fc85a5 100644 +index fdad37b1863ae8..e627fbacb35836 100644 --- a/src/crypto/sha512/sha512_test.go +++ b/src/crypto/sha512/sha512_test.go @@ -8,7 +8,7 @@ package sha512 
@@ -1337,6 +1424,44 @@ index fdad37b1863ae8..736504b8fc85a5 100644 "crypto/internal/cryptotest" "encoding" "encoding/hex" +@@ -747,6 +747,11 @@ func testGoldenMarshal(t *testing.T) { + t.Run(tt.name, func(t *testing.T) { + for _, test := range tt.golden { + h := tt.newHash() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryMarshaler); !ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + h2 := tt.newHash() + + io.WriteString(h, test.in[:len(test.in)/2]) +@@ -806,6 +811,13 @@ func TestMarshalMismatch(t *testing.T) { + + h1 := fn1() + h2 := fn2() ++ if boring.Enabled { ++ _, ok1 := h1.(encoding.BinaryMarshaler) ++ _, ok2 := h2.(encoding.BinaryUnmarshaler) ++ if !ok1 || !ok2 { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + + state, err := h1.(encoding.BinaryMarshaler).MarshalBinary() + if err != nil { +@@ -885,6 +897,11 @@ func TestLargeHashes(t *testing.T) { + for i, test := range largeUnmarshalTests { + + h := New() ++ if boring.Enabled { ++ if _, ok := h.(encoding.BinaryMarshaler); ok { ++ t.Skip("BinaryMarshaler not implemented") ++ } ++ } + if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary([]byte(test.state)); err != nil { + t.Errorf("test %d could not unmarshal: %v", i, err) + continue diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go index 56050421985927..dcbd33167e4499 100644 --- a/src/crypto/tls/boring_test.go diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 6d96c71453..60b1ab78cc 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch 
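Review bot: The guard added to sha512's TestLargeHashes is inverted and tests the wrong interface. `if _, ok := h.(encoding.BinaryMarshaler); ok {` skips the test exactly when the backend hash does support marshalling. A hash without that support falls through to the unchecked `h.(encoding.BinaryUnmarshaler)` assertion on the next line, which panics when the interface is missing. The TestLargeHashes hunks for md5, sha1 and sha256 use `BinaryUnmarshaler` with `!ok`, so this one should read `if _, ok := h.(encoding.BinaryUnmarshaler); !ok {` with the message `t.Skip("BinaryUnmarshaler not implemented")`. As written, with `boring.Enabled` set the SHA-512 large-state unmarshal path is never exercised for a backend that implements it, so a regression there would go unnoticed.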
@@ -17,16 +17,12 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/internal/backend/common.go | 13 +- src/crypto/internal/boring/fipstls/stub.s | 2 +- src/crypto/internal/boring/fipstls/tls.go | 2 +- - src/crypto/md5/md5_test.go | 7 + src/crypto/rsa/boring.go | 2 +- src/crypto/rsa/boring_test.go | 2 +- src/crypto/rsa/notboring.go | 2 +- src/crypto/rsa/pss.go | 2 +- src/crypto/rsa/pss_test.go | 2 +- src/crypto/rsa/rsa_test.go | 8 +- - src/crypto/sha1/sha1_test.go | 7 + - src/crypto/sha256/sha256_test.go | 10 + - src/crypto/sha512/sha512_test.go | 10 + src/crypto/tls/boring.go | 2 +- src/crypto/tls/boring_test.go | 2 +- src/crypto/tls/fipsonly/fipsonly.go | 2 +- @@ -45,7 +41,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 41 files changed, 428 insertions(+), 26 deletions(-) + 37 files changed, 394 insertions(+), 26 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go 
@@ -526,38 +522,6 @@ index f5b4827c688f3b..12df96069f6b83 100644 // Package fipstls allows control over whether crypto/tls requires FIPS-approved settings. // This package only exists with GOEXPERIMENT=boringcrypto, but the effects are independent -diff --git a/src/crypto/md5/md5_test.go b/src/crypto/md5/md5_test.go -index 3a973eebd284a4..5e24e07e2787e2 100644 ---- a/src/crypto/md5/md5_test.go -+++ b/src/crypto/md5/md5_test.go -@@ -12,6 +12,7 @@ import ( - "encoding" - "fmt" - "hash" -+ "internal/goexperiment" - "io" - "testing" - "unsafe" -@@ -89,6 +90,9 @@ func TestGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - for _, g := range golden { - h := New() - h2 := New() -@@ -208,6 +212,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { - } - - func TestLargeHashes(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - for i, test := range largeUnmarshalTests { - - h := New() diff --git a/src/crypto/rsa/boring.go b/src/crypto/rsa/boring.go index 220f8c05c3d94b..dd20b4af2e0472 100644 --- a/src/crypto/rsa/boring.go 
@@ -656,122 +620,6 @@ index dbcc1bec58bd46..b1e9d8e94c2c9e 100644 msg := []byte("test") enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) if err == ErrMessageTooLong { -diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go -index d44f70b92661b4..76726556f80fbd 100644 ---- a/src/crypto/sha1/sha1_test.go -+++ b/src/crypto/sha1/sha1_test.go -@@ -14,6 +14,7 @@ import ( - "encoding" - "fmt" - "hash" -+ "internal/goexperiment" - "io" - "testing" - ) -@@ -97,6 +98,9 @@ func TestGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - h := New() - h2 := New() - for _, g := range golden { -@@ -210,6 +214,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { - } - - func TestLargeHashes(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - for i, test := range largeUnmarshalTests { - - h := New() -diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go -index d2fa4369d068bf..027b705e96113f 100644 ---- a/src/crypto/sha256/sha256_test.go -+++ b/src/crypto/sha256/sha256_test.go -@@ -13,6 +13,7 @@ import ( - "encoding" - "fmt" - "hash" -+ "internal/goexperiment" - "internal/testenv" - "io" - "testing" -@@ -142,6 +143,9 @@ func testGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - cryptotest.TestAllImplementations(t, "crypto/sha256", testGoldenMarshal) - } - -@@ -203,6 +207,9 @@ func testGoldenMarshal(t *testing.T) { - } - - func TestMarshalTypeMismatch(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - h1 := New() - h2 := New224() - -@@ -277,6 +284,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { - return h.Sum(nil), nil - } - func TestLargeHashes(t *testing.T) { -+ if 
goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - for i, test := range largeUnmarshalTests { - - h := New() -diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go -index 736504b8fc85a5..582ed2ae870e23 100644 ---- a/src/crypto/sha512/sha512_test.go -+++ b/src/crypto/sha512/sha512_test.go -@@ -14,6 +14,7 @@ import ( - "encoding/hex" - "fmt" - "hash" -+ "internal/goexperiment" - "internal/testenv" - "io" - "testing" -@@ -726,6 +727,9 @@ func testGolden(t *testing.T) { - } - - func TestGoldenMarshal(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - cryptotest.TestAllImplementations(t, "crypto/sha512", func(t *testing.T) { - testGoldenMarshal(t) - }) -@@ -791,6 +795,9 @@ func testGoldenMarshal(t *testing.T) { - } - - func TestMarshalMismatch(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshaling") -+ } - h := []func() hash.Hash{ - New, - New384, -@@ -882,6 +889,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { - } - - func TestLargeHashes(t *testing.T) { -+ if goexperiment.CNGCrypto { -+ t.Skip("CNGCrypto does not support hash marshalling") -+ } - for i, test := range largeUnmarshalTests { - - h := New() diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go index 698efc6751e12c..575d51b02298c8 100644 --- a/src/crypto/tls/boring.go