From 9e4abed39bf75d37490e2c14737f32b1d7dc495b Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 14 Dec 2023 17:07:19 +0100 Subject: [release-branch.go1.20] crypto/internal/boring: upgrade module to fips-20220613 Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates #64717 Updates #62372 Updates #64718 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:go1.20-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh Reviewed-by: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/go/+/553875 Auto-Submit: Matthew Dempsky Reviewed-by: Matthew Dempsky LUCI-TryBot-Result: Go LUCI --- src/crypto/internal/boring/Dockerfile | 28 +++++++++++++-------- src/crypto/internal/boring/LICENSE | 2 +- src/crypto/internal/boring/README.md | 7 +++--- src/crypto/internal/boring/build-goboring.sh | 2 +- src/crypto/internal/boring/build.sh | 6 +++++ src/crypto/internal/boring/goboringcrypto.h | 2 ++ .../boring/syso/goboringcrypto_linux_amd64.syso | Bin 2555664 -> 2427120 bytes .../boring/syso/goboringcrypto_linux_arm64.syso | Bin 1980296 -> 2105896 bytes 8 files changed, 31 insertions(+), 16 deletions(-) diff --git a/src/crypto/internal/boring/Dockerfile b/src/crypto/internal/boring/Dockerfile index 58eb028e8a..8fde5c0018 100644 --- a/src/crypto/internal/boring/Dockerfile +++ b/src/crypto/internal/boring/Dockerfile @@ -13,15 +13,21 @@ WORKDIR /boring ENV LANG=C ENV LANGUAGE= -# Following NIST submission draft dated July 3, 2021. -# This corresponds to boringssl.googlesource.com/boringssl tag fips-20210429. -ENV ClangV=12 +# Following NIST submission draft for In Progress module validation. +# This corresponds to boringssl.googlesource.com/boringssl tag fips-20220613. RUN apt-get update && \ - apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates clang-$ClangV python + apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates python lsb-release software-properties-common gnupg + +# Install Clang. +ENV ClangV=14 +RUN \ + wget https://apt.llvm.org/llvm.sh && \ + chmod +x llvm.sh && \ + ./llvm.sh $ClangV # Download, validate, unpack, build, and install Ninja. -ENV NinjaV=1.10.2 -ENV NinjaH=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed +ENV NinjaV=1.10.1 +ENV NinjaH=a6b6f7ac360d4aabd54e299cc1d8fa7b234cd81b9401693da21221c62569a23e RUN \ wget https://github.com/ninja-build/ninja/archive/refs/tags/v$NinjaV.tar.gz && \ echo "$NinjaH v$NinjaV.tar.gz" >sha && sha256sum -c sha && \ @@ -33,9 +39,9 @@ RUN \ # Download, validate, unpack, and install Go. ARG GOARCH -ENV GoV=1.16.5 -ENV GoHamd64=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061 -ENV GoHarm64=d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799 +ENV GoV=1.18.1 +ENV GoHamd64=b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334 +ENV GoHarm64=56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633 RUN \ eval GoH=\${GoH$GOARCH} && \ wget https://golang.org/dl/go$GoV.linux-$GOARCH.tar.gz && \ @@ -45,8 +51,8 @@ RUN \ ln -s /usr/local/go/bin/go /usr/local/bin/ # Download, validate, and unpack BoringCrypto. -ENV BoringV=853ca1ea1168dff08011e5d42d94609cc0ca2e27 -ENV BoringH=a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 +ENV BoringV=0c6f40132b828e92ba365c6b7680e32820c63fa7 +ENV BoringH=62f733289f2d677c2723f556aa58034c438f3a7bbca6c12b156538a88e38da8a RUN \ wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-$BoringV.tar.xz && \ echo "$BoringH boringssl-$BoringV.tar.xz" >sha && sha256sum -c sha && \ diff --git a/src/crypto/internal/boring/LICENSE b/src/crypto/internal/boring/LICENSE index 38990bdb77..05b0963f5e 100644 --- a/src/crypto/internal/boring/LICENSE +++ b/src/crypto/internal/boring/LICENSE @@ -6,7 +6,7 @@ When building with GOEXPERIMENT=boringcrypto, the following applies. The goboringcrypto_linux_amd64.syso object file is built from BoringSSL source code by build/build.sh and is covered by the BoringSSL license reproduced below and also at -https://boringssl.googlesource.com/boringssl/+/fips-20190808/LICENSE. +https://boringssl.googlesource.com/boringssl/+/fips-20220613/LICENSE. BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL licensing. Files that are completely new have a Google copyright and an ISC diff --git a/src/crypto/internal/boring/README.md b/src/crypto/internal/boring/README.md index ec02786d96..62106cdc70 100644 --- a/src/crypto/internal/boring/README.md +++ b/src/crypto/internal/boring/README.md @@ -27,13 +27,14 @@ syso/goboringcrypto_linux_arm64.syso is built with: GOARCH=arm64 ./build.sh -Both run on an x86 Debian Linux system using Docker. +Both run using Docker. + For the arm64 build to run on an x86 system, you need apt-get install qemu-user-static qemu-binfmt-support to allow the x86 kernel to run arm64 binaries via QEMU. -See build.sh for more details about the build. - +For the amd64 build to run on an Apple Silicon macOS, you need Rosetta 2. +See build.sh for more details about the build. diff --git a/src/crypto/internal/boring/build-goboring.sh b/src/crypto/internal/boring/build-goboring.sh index 4938b5eac3..c43fad24e8 100755 --- a/src/crypto/internal/boring/build-goboring.sh +++ b/src/crypto/internal/boring/build-goboring.sh @@ -122,7 +122,7 @@ awk -f boringx.awk goboringcrypto.h # writes goboringcrypto.x awk -f boringh.awk goboringcrypto.h # writes goboringcrypto[01].h ls -l ../boringssl/include -clang++ -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc +clang++ -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc ./a.out || exit 2 # clang implements u128 % u128 -> u128 by calling __umodti3, diff --git a/src/crypto/internal/boring/build.sh b/src/crypto/internal/boring/build.sh index ec960d729d..e2026018a3 100755 --- a/src/crypto/internal/boring/build.sh +++ b/src/crypto/internal/boring/build.sh @@ -22,6 +22,12 @@ platform="" buildargs="" case "$GOARCH" in amd64) + if ! docker run --rm -t amd64/ubuntu:focal uname -m >/dev/null 2>&1; then + echo "# Docker cannot run amd64 binaries." + exit 1 + fi + platform="--platform linux/amd64" + buildargs="--build-arg ubuntu=amd64/ubuntu" ;; arm64) if ! docker run --rm -t arm64v8/ubuntu:focal uname -m >/dev/null 2>&1; then diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h index 2b11049728..3663a1b1c3 100644 --- a/src/crypto/internal/boring/goboringcrypto.h +++ b/src/crypto/internal/boring/goboringcrypto.h @@ -125,7 +125,9 @@ void _goboringcrypto_EVP_AEAD_CTX_cleanup(GO_EVP_AEAD_CTX*); int _goboringcrypto_EVP_AEAD_CTX_seal(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t); int _goboringcrypto_EVP_AEAD_CTX_open(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t); const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls12(void); +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls13(void); const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls12(void); +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls13(void); enum go_evp_aead_direction_t { go_evp_aead_open = 0, go_evp_aead_seal = 1 diff --git a/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso b/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso index 6cea789355..b99e7f5766 100644 Binary files a/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso and b/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso differ diff --git a/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso b/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso index 9659aa1a5e..143a47a0aa 100644 Binary files a/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso and b/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso differ -- cgit v1.2.3-54-g00ecf