From d4578ef94c3a7833c47fee0888264f3bfc3fe8c0 Mon Sep 17 00:00:00 2001 From: George Adams Date: Tue, 17 Dec 2024 12:15:56 +0000 Subject: [PATCH] Implement crypto/pbkdf2 with the OpenSSL/CNG backends --- .../0002-Add-crypto-backend-foundation.patch | 36 ++++++++++++++++--- .../0003-Add-BoringSSL-crypto-backend.patch | 14 +++++--- patches/0004-Add-OpenSSL-crypto-backend.patch | 18 +++++++--- patches/0005-Add-CNG-crypto-backend.patch | 14 +++++--- 4 files changed, 65 insertions(+), 17 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index 7612ea62ed..411d846547 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -33,12 +33,13 @@ Subject: [PATCH] Add crypto backend foundation .../internal/backend/fips140/isrequirefips.go | 9 + .../internal/backend/fips140/norequirefips.go | 9 + .../backend/fips140/nosystemcrypto.go | 11 + - src/crypto/internal/backend/nobackend.go | 223 ++++++++++++++++++ + src/crypto/internal/backend/nobackend.go | 229 ++++++++++++++++++ src/crypto/internal/backend/stub.s | 10 + src/crypto/internal/cryptotest/allocations.go | 2 +- .../internal/cryptotest/implementations.go | 2 +- src/crypto/md5/md5.go | 7 + src/crypto/md5/md5_test.go | 14 ++ + src/crypto/pbkdf2/pbkdf2.go | 4 + src/crypto/pbkdf2/pbkdf2_test.go | 2 +- src/crypto/purego_test.go | 2 +- src/crypto/rand/rand.go | 2 +- @@ -73,7 +74,7 @@ Subject: [PATCH] Add crypto backend foundation src/hash/notboring_test.go | 9 + src/net/smtp/smtp_test.go | 72 ++++-- src/runtime/runtime_boring.go | 5 + - 69 files changed, 1135 insertions(+), 80 deletions(-) + 70 files changed, 1145 insertions(+), 80 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go @@ -1099,10 +1100,10 @@ index 00000000000000..83691d7dd42d51 +} diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 00000000000000..ffa8d38e5d490f +index 00000000000000..71e0ec9dc25a02 --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go -@@ -0,0 +1,223 @@ +@@ -0,0 +1,229 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -1235,6 +1236,12 @@ index 00000000000000..ffa8d38e5d490f + panic("cryptobackend: not available") +} + ++func SupportsPBKDF2() bool { panic("cryptobackend: not available") } ++ ++func PBKDF2(password, salt []byte, iter, keyLen int, fh func() hash.Hash) ([]byte, error) { ++ panic("cryptobackend: not available") ++} ++ +func SupportsTLS1PRF() bool { panic("cryptobackend: not available") } + +func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error { @@ -1446,6 +1453,27 @@ index 437d9b9d4c0e0d..5bc3e7b0f8435f 100644 for i, test := range largeUnmarshalTests { h := New() +diff --git a/src/crypto/pbkdf2/pbkdf2.go b/src/crypto/pbkdf2/pbkdf2.go +index 0fdd9e822d40a5..bc8e560487a6ef 100644 +--- a/src/crypto/pbkdf2/pbkdf2.go ++++ b/src/crypto/pbkdf2/pbkdf2.go +@@ -19,6 +19,7 @@ pbkdf2.Key. + package pbkdf2 + + import ( ++ boring "crypto/internal/backend" + "crypto/internal/fips140/pbkdf2" + "crypto/internal/fips140only" + "errors" +@@ -53,5 +54,8 @@ func Key[Hash hash.Hash](h func() Hash, password string, salt []byte, iter, keyL + return nil, errors.New("crypto/pbkdf2: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode") + } + } ++ if boring.Enabled && boring.SupportsPBKDF2() { ++ return boring.PBKDF2([]byte(password), salt, iter, keyLength, func() hash.Hash { return h() }) ++ } + return pbkdf2.Key(h, password, salt, iter, keyLength) + } diff --git a/src/crypto/pbkdf2/pbkdf2_test.go b/src/crypto/pbkdf2/pbkdf2_test.go index 03980c7e54d3be..4968a666fad4e5 100644 --- a/src/crypto/pbkdf2/pbkdf2_test.go diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch index 8a7c0aaa2d..d60a06344d 100644 --- a/patches/0003-Add-BoringSSL-crypto-backend.patch +++ b/patches/0003-Add-BoringSSL-crypto-backend.patch @@ -5,9 +5,9 @@ Subject: [PATCH] Add BoringSSL crypto backend --- .../internal/backend/bbig/big_boring.go | 12 + - src/crypto/internal/backend/boring_linux.go | 257 ++++++++++++++++++ + src/crypto/internal/backend/boring_linux.go | 263 ++++++++++++++++++ src/crypto/internal/backend/fips140/boring.go | 11 + - 3 files changed, 281 insertions(+) + 3 files changed, 286 insertions(+) create mode 100644 src/crypto/internal/backend/bbig/big_boring.go create mode 100644 src/crypto/internal/backend/boring_linux.go create mode 100644 src/crypto/internal/backend/fips140/boring.go @@ -32,10 +32,10 @@ index 00000000000000..0b62cef68546d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go new file mode 100644 -index 00000000000000..31e57a8dffd4c3 +index 00000000000000..b1bd6d5ba756d7 --- /dev/null +++ b/src/crypto/internal/backend/boring_linux.go -@@ -0,0 +1,257 @@ +@@ -0,0 +1,263 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -196,6 +196,12 @@ index 00000000000000..31e57a8dffd4c3 + panic("cryptobackend: not available") +} + ++func SupportsPBKDF2() bool { return false } ++ ++func PBKDF2(password, salt []byte, iter, keyLen int, fh func() hash.Hash) ([]byte, error) { ++ panic("cryptobackend: not available") ++} ++ +func SupportsTLS1PRF() bool { return false } + +func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error { diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 318411a5b7..e2c6876267 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -9,7 +9,7 @@ Subject: [PATCH] Add OpenSSL crypto backend src/cmd/link/internal/ld/lib.go | 1 + .../internal/backend/bbig/big_openssl.go | 12 + .../internal/backend/fips140/openssl.go | 41 +++ - src/crypto/internal/backend/openssl_linux.go | 323 ++++++++++++++++++ + src/crypto/internal/backend/openssl_linux.go | 331 ++++++++++++++++++ src/crypto/rsa/rsa_test.go | 3 + src/go.mod | 1 + src/go.sum | 2 + @@ -19,7 +19,7 @@ Subject: [PATCH] Add OpenSSL crypto backend .../goexperiment/exp_opensslcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + src/os/exec/exec_test.go | 9 + - 15 files changed, 428 insertions(+), 5 deletions(-) + 15 files changed, 436 insertions(+), 5 deletions(-) create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go create mode 100644 src/crypto/internal/backend/fips140/openssl.go create mode 100644 src/crypto/internal/backend/openssl_linux.go @@ -142,10 +142,10 @@ index 00000000000000..118efa3a492a7d +} diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go new file mode 100644 -index 00000000000000..06329e4faef026 +index 00000000000000..2dea051fa44ed0 --- /dev/null +++ b/src/crypto/internal/backend/openssl_linux.go -@@ -0,0 +1,323 @@ +@@ -0,0 +1,331 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -362,6 +362,14 @@ index 00000000000000..06329e4faef026 + return openssl.ExtractHKDF(h, secret, salt) +} + ++func SupportsPBKDF2() bool { ++ return openssl.SupportsPBKDF2() ++} ++ ++func PBKDF2(pass, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { ++ return openssl.PBKDF2(pass, salt, iter, keyLen, h) ++} ++ +func SupportsTLS1PRF() bool { + return openssl.SupportsTLS1PRF() +} @@ -506,7 +514,7 @@ index 9e661352f16e0b..0a58eccb57a869 100644 golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/net v0.32.1-0.20241206180132-552d8ac903a1 h1:+Yk1FZ5E+/ewA0nOO/HRYs9E4yeqpGOShuSAdzCNNoQ= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index afbdd6770f3f79..2694c2ec84d091 100644 +index 58082b3636f209..37cb128ba9409a 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -516,8 +516,10 @@ var depsRules = ` diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 3d4d8cb372..4ed2d8c497 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -7,7 +7,7 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/ecdsa/badlinkname.go | 17 + src/crypto/internal/backend/backend_test.go | 4 +- src/crypto/internal/backend/bbig/big_cng.go | 12 + - src/crypto/internal/backend/cng_windows.go | 310 ++++++++++++++++++ + src/crypto/internal/backend/cng_windows.go | 316 ++++++++++++++++++ src/crypto/internal/backend/common.go | 9 +- src/crypto/internal/backend/fips140/cng.go | 33 ++ src/crypto/rsa/pss_test.go | 2 +- @@ -18,7 +18,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 14 files changed, 410 insertions(+), 5 deletions(-) + 14 files changed, 416 insertions(+), 5 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -84,10 +84,10 @@ index 00000000000000..92623031fd87d0 +var Dec = bbig.Dec diff --git a/src/crypto/internal/backend/cng_windows.go b/src/crypto/internal/backend/cng_windows.go new file mode 100644 -index 00000000000000..2d7a18eaec2e23 +index 00000000000000..c37247c8a2c7c6 --- /dev/null +++ b/src/crypto/internal/backend/cng_windows.go -@@ -0,0 +1,310 @@ +@@ -0,0 +1,316 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -295,6 +295,12 @@ index 00000000000000..2d7a18eaec2e23 + return cng.ExtractHKDF(h, secret, salt) +} + ++func SupportsPBKDF2() bool { return true } ++ ++func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) ([]byte, error) { ++ return cng.PBKDF2(password, salt, iter, keyLen, h) ++} ++ +func SupportsTLS1PRF() bool { + return true +}