From 47766371f020c368b6d7270ea0be01ce77c2fdc7 Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Thu, 25 Jul 2024 08:40:26 -0700
Subject: [PATCH 01/42] [microsoft/release-branch.go1.23] Update submodule for 1.23 (#1281)

* Update submodule for 1.23

* Ignore failing telemetry if cngcrypto experiment enabled
---
 go | 2 +-
 ...elemetry-counters-with-cngcrypto-exp.patch | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 patches/0015-Ignore-missing-telemetry-counters-with-cngcrypto-exp.patch

diff --git a/go b/go
index f0de94ff127..f5e4e45ef72 160000
--- a/go
+++ b/go
@@ -1 +1 @@
-Subproject commit f0de94ff127db9b53f3f5877088d28afe1a85692
+Subproject commit f5e4e45ef720765600413c941c01b424f1486438
diff --git a/patches/0015-Ignore-missing-telemetry-counters-with-cngcrypto-exp.patch b/patches/0015-Ignore-missing-telemetry-counters-with-cngcrypto-exp.patch
new file mode 100644
index 00000000000..1b28dca38d9
--- /dev/null
+++ b/patches/0015-Ignore-missing-telemetry-counters-with-cngcrypto-exp.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Davis Goodin
+Date: Wed, 24 Jul 2024 17:52:52 -0700
+Subject: [PATCH] Ignore missing telemetry counters with cngcrypto experiment
+
+Unblocks TestScript tests until the issue is resolved upstream by allowing
+the test to pass as if telemetry is disabled.
+Upstream issue: https://github.com/golang/go/issues/68579.
+---
+ src/cmd/go/script_test.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index a38dec3610561e..b1dae3b592e99d 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -15,6 +15,7 @@ import (
+ "context"
+ _ "embed"
+ "flag"
++ "internal/goexperiment"
+ "internal/testenv"
+ "internal/txtar"
+ "net/url"
+@@ -417,4 +418,6 @@ const disabledOnPlatform = false ||
+ // These platforms fundamentally can't be supported:
+ runtime.GOOS == "js" || // #60971
+ runtime.GOOS == "wasip1" || // #60971
+- runtime.GOOS == "plan9" // https://github.com/golang/go/issues/57540#issuecomment-1470766639
++ runtime.GOOS == "plan9" || // https://github.com/golang/go/issues/57540#issuecomment-1470766639
++ // On Windows, setting a GOEXPERIMENT prevents the telemetry counters from being written. https://github.com/golang/go/issues/68579
++ goexperiment.CNGCrypto
From e4b8b7a5a0dfa51f52ba8084d7b2d6a092bed78a Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Mon, 5 Aug 2024 18:29:28 -0500
Subject: [PATCH 02/42] Update submodule to latest 1.23 (7adb0122058)

---
 go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go b/go
index f5e4e45ef72..7adb0122058 160000
--- a/go
+++ b/go
@@ -1 +1 @@
-Subproject commit f5e4e45ef720765600413c941c01b424f1486438
+Subproject commit 7adb01220584115365acc9ebda0317d530288a1a
From 2f5347ff3f9b552bd8daf702ca2b9bb328228b5f Mon Sep 17 00:00:00 2001
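Review bot: The comment on the new term says the problem is Windows-specific, but the condition it documents is `goexperiment.CNGCrypto` alone, so if that experiment can be enabled on any other GOOS the script tests would silently run as if telemetry were disabled there too. Either narrow the term to match the comment, `runtime.GOOS == "windows" && goexperiment.CNGCrypto`, or reword the comment so it does not claim a platform gate the code does not have; if the experiment is Windows-only the narrowing is harmless and documents the intent. Because the workaround is folded into a `const`, nothing at test time records that it is active, so a marker such as `// TODO(golang/go#68579): remove once counters are written with GOEXPERIMENT set.` makes the intended removal explicit. The `disabledOnPlatform` declaration starts above the hunk and its consumers are not visible here.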
From: microsoft-golang-bot
Date: Tue, 13 Aug 2024 17:29:09 +0000
Subject: [PATCH 03/42] Update submodule to latest release-branch.go1.23 (6885bad7): [release-branch.go1.23] go1.23.0

---
 VERSION | 1 +
 go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 VERSION

diff --git a/VERSION b/VERSION
new file mode 100644
index 00000000000..9a2a4365579
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+go1.23.0
\ No newline at end of file
diff --git a/go b/go
index 7adb0122058..6885bad7dd8 160000
--- a/go
+++ b/go
@@ -1 +1 @@
-Subproject commit 7adb01220584115365acc9ebda0317d530288a1a
+Subproject commit 6885bad7dd86880be6929c02085e5c7a67ff2887
From 2b7b08425c8320454c3eca9e96ec668be2478bd1 Mon Sep 17 00:00:00 2001
From: Davis Goodin
Date: Wed, 14 Aug 2024 14:09:42 -0700
Subject: [PATCH 04/42] Add an hour to all builder timeouts (#1300)

(cherry picked from commit a976ecee6547b3f1cb63fc9224df79384b20b9a0)
---
 eng/pipeline/stages/run-stage.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/eng/pipeline/stages/run-stage.yml b/eng/pipeline/stages/run-stage.yml
index 7f54fcc2d33..d5f31e36cfd 100644
--- a/eng/pipeline/stages/run-stage.yml
+++ b/eng/pipeline/stages/run-stage.yml
@@ -57,10 +57,12 @@ stages:
 # longtest has been seen to succeed after 53 minutes. Give around 3x headroom. In the future,
 # we should also give the tests a shorter timeout to make sure this doesn't balloon too far:
 # https://github.com/microsoft/go/issues/568
- timeoutInMinutes: 180
- ${{ if startsWith(parameters.builder.config, 'codeql') }}:
+ timeoutInMinutes: 240
+ ${{ elseif startsWith(parameters.builder.config, 'codeql') }}:
 # Allow CodeQL to take a while. https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines#other-issues
- timeoutInMinutes: 360
+ timeoutInMinutes: 420
+ ${{ else }}:
+ timeoutInMinutes: 120
 
 pool: ${{ parameters.pool }}
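Review bot: The comment kept above `timeoutInMinutes: 240` still says "Give around 3x headroom" over a 53-minute run, which described 180 but not 240 (closer to 4.5x), so it should change with the value, e.g. `# longtest has been seen to succeed after 53 minutes. Give around 4x headroom. In the future,`. The new `${{ else }}` branch introduces an explicit 120 with no comment while the two branches above it each justify their number; a line such as `# All other builders; presumably replaces the pipeline default that applied before this branch existed.` would help whoever tunes these next, with the baseline confirmed rather than guessed. The `${{ if ... }}` branch that the new `elseif` chains onto begins above the hunk, so which builder config the first timeout covers is only implied by its comment.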
From 2d9dad60981fc4b66f29eb9cd6bfe5ae4b00fef5 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Thu, 5 Sep 2024 17:19:06 +0000 Subject: [PATCH 05/42] Update submodule to latest release-branch.go1.23 (69234ded): [release-branch.go1.23] go1.23.1 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 9a2a4365579..90f235968f6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.0 \ No newline at end of file +go1.23.1 \ No newline at end of file diff --git a/go b/go index 6885bad7dd8..69234ded306 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit 6885bad7dd86880be6929c02085e5c7a67ff2887 +Subproject commit 69234ded30614a471c35cef5d87b0e0d3c136cd9 From eb81e303332262069ac2176aba9a1fbe57f214d7 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Fri, 6 Sep 2024 18:48:11 -0700 Subject: [PATCH 06/42] Update openssl to ms-go1.23-support, 17d05d3f692c (#1307) --- patches/0004-Add-OpenSSL-crypto-backend.patch | 24 ++++----- patches/0005-Add-CNG-crypto-backend.patch | 50 +++++++++---------- patches/0006-Vendor-crypto-backends.patch | 19 ++++--- 3 files changed, 48 insertions(+), 45 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 6c37a3da0cb..f8a55675323 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -58,10 +58,10 @@ index f0e3575637c62a..0e9aceeb832d3b 100644 package main diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go -index d7cbadf7b17aef..61685c5359bfde 100644 +index 0ffcabe4164af6..056f3ea5ae9beb 100644 --- a/src/cmd/dist/test.go 
+++ b/src/cmd/dist/test.go -@@ -1238,12 +1238,11 @@ func (t *tester) registerCgoTests(heading string) { +@@ -1225,12 +1225,11 @@ func (t *tester) registerCgoTests(heading string) { // a C linker warning on Linux. // in function `bio_ip_and_port_to_socket_and_addr': // warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking @@ -108,7 +108,7 @@ index 4aaf46b5d0f0dc..6fe798cf4a94e9 100644 go list -f '{{.Dir}}' vendor/golang.org/x/net/http2/hpack diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go -index 755c889585e729..bcb591a380b74c 100644 +index d66027387b97f8..8e4dfab49f6b6b 100644 --- a/src/cmd/link/internal/ld/lib.go +++ b/src/cmd/link/internal/ld/lib.go @@ -1162,6 +1162,7 @@ var hostobj []Hostobj @@ -714,29 +714,29 @@ index c83a7272c9f01f..a0548a7f9179c5 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index b38dee7e6ddc28..097f35ca01aa5b 100644 +index 789f5aaa1d3e26..2f397cf20abb0a 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,6 +3,7 @@ module std go 1.23 require ( -+ github.com/golang-fips/openssl/v2 v2.0.3 ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index c5eab7d4b2f93b..fac8a0626146bc 100644 +index a75ea98c7312df..7729cca493647c 100644 --- a/src/go.sum +++ b/src/go.sum 
@@ -1,3 +1,5 @@ -+github.com/golang-fips/openssl/v2 v2.0.3 h1:9+J2R0BQio6Jz8+dPZf/0ylISByl0gZWjTEKm+J+y7Y= -+github.com/golang-fips/openssl/v2 v2.0.3/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c h1:q7tCgQctS2aXmDVWjTV0951iRioF7Svx/hSQxymkZYo= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 68d3b0578d18b1..15f4bb124b8528 100644 +index 6eea04ef9269af..4bf45495afa19b 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -459,6 +459,8 @@ var depsRules = ` @@ -756,7 +756,7 @@ index 68d3b0578d18b1..15f4bb124b8528 100644 < crypto/internal/boring/bbig < crypto/internal/backend/bbig < crypto/rand -@@ -793,7 +796,7 @@ var buildIgnore = []byte("\n//go:build ignore") +@@ -796,7 +799,7 @@ var buildIgnore = []byte("\n//go:build ignore") func findImports(pkg string) ([]string, error) { vpkg := pkg @@ -765,7 +765,7 @@ index 68d3b0578d18b1..15f4bb124b8528 100644 vpkg = "vendor/" + pkg } dir := filepath.Join(Default.GOROOT, "src", vpkg) -@@ -803,7 +806,7 @@ func findImports(pkg string) ([]string, error) { +@@ -806,7 +809,7 @@ func findImports(pkg string) ([]string, error) { } var imports []string var haveImport = map[string]bool{} @@ -829,7 +829,7 @@ index 777337d92d3c72..ef00871d619651 100644 // SystemCrypto enables the OpenSSL or CNG crypto experiment depending on // which one is appropriate on the target GOOS. 
diff --git a/src/os/exec/exec_test.go b/src/os/exec/exec_test.go -index dbe59fea119e70..c3df1f9ac49b82 100644 +index a0bb89e203ddf1..2b4a2680dcdd7e 100644 --- a/src/os/exec/exec_test.go +++ b/src/os/exec/exec_test.go @@ -14,6 +14,7 @@ import ( diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 2d3f121539a..d46303ef806 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -559,10 +559,10 @@ index f5b4827c688f3b..12df96069f6b83 100644 // Package fipstls allows control over whether crypto/tls requires FIPS-approved settings. // This package only exists with GOEXPERIMENT=boringcrypto, but the effects are independent diff --git a/src/crypto/md5/md5_test.go b/src/crypto/md5/md5_test.go -index f9d1037c9b82b9..6b91d4388b73fe 100644 +index 7031d0abdaa13b..ada2d5be13f986 100644 --- a/src/crypto/md5/md5_test.go +++ b/src/crypto/md5/md5_test.go -@@ -11,6 +11,7 @@ import ( +@@ -12,6 +12,7 @@ import ( "encoding" "fmt" "hash" @@ -570,7 +570,7 @@ index f9d1037c9b82b9..6b91d4388b73fe 100644 "io" "testing" "unsafe" -@@ -88,6 +89,9 @@ func TestGolden(t *testing.T) { +@@ -89,6 +90,9 @@ func TestGolden(t *testing.T) { } func TestGoldenMarshal(t *testing.T) { @@ -580,7 +580,7 @@ index f9d1037c9b82b9..6b91d4388b73fe 100644 for _, g := range golden { h := New() h2 := New() -@@ -195,6 +199,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -196,6 +200,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { } func TestLargeHashes(t *testing.T) { @@ -831,10 +831,10 @@ index dbcc1bec58bd46..b1e9d8e94c2c9e 100644 enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) if err == ErrMessageTooLong { diff --git a/src/crypto/sha1/sha1_test.go b/src/crypto/sha1/sha1_test.go -index bc169888786321..e0d6f4c5040d91 100644 +index d0a9b1b46727fa..10ea3e8eeb6efd 100644 --- a/src/crypto/sha1/sha1_test.go 
+++ b/src/crypto/sha1/sha1_test.go -@@ -13,6 +13,7 @@ import ( +@@ -14,6 +14,7 @@ import ( "encoding" "fmt" "hash" @@ -842,7 +842,7 @@ index bc169888786321..e0d6f4c5040d91 100644 "io" "testing" ) -@@ -96,6 +97,9 @@ func TestGolden(t *testing.T) { +@@ -97,6 +98,9 @@ func TestGolden(t *testing.T) { } func TestGoldenMarshal(t *testing.T) { @@ -852,7 +852,7 @@ index bc169888786321..e0d6f4c5040d91 100644 h := New() h2 := New() for _, g := range golden { -@@ -197,6 +201,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -198,6 +202,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { } func TestLargeHashes(t *testing.T) { @@ -907,10 +907,10 @@ index 02c597d785ef68..268f1fdd49ecd3 100644 } var d digest diff --git a/src/crypto/sha256/sha256_test.go b/src/crypto/sha256/sha256_test.go -index 7437655badee23..95c8688904c088 100644 +index 755ed4d238ee5a..b7212e3f3c2175 100644 --- a/src/crypto/sha256/sha256_test.go +++ b/src/crypto/sha256/sha256_test.go -@@ -13,6 +13,7 @@ import ( +@@ -14,6 +14,7 @@ import ( "encoding" "fmt" "hash" @@ -918,7 +918,7 @@ index 7437655badee23..95c8688904c088 100644 "io" "testing" ) -@@ -139,6 +140,9 @@ func TestGolden(t *testing.T) { +@@ -140,6 +141,9 @@ func TestGolden(t *testing.T) { } func TestGoldenMarshal(t *testing.T) { @@ -928,7 +928,7 @@ index 7437655badee23..95c8688904c088 100644 tests := []struct { name string newHash func() hash.Hash -@@ -184,6 +188,9 @@ func TestGoldenMarshal(t *testing.T) { +@@ -185,6 +189,9 @@ func TestGoldenMarshal(t *testing.T) { } func TestMarshalTypeMismatch(t *testing.T) { @@ -938,7 +938,7 @@ index 7437655badee23..95c8688904c088 100644 h1 := New() h2 := New224() -@@ -273,6 +280,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -274,6 +281,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { return h.Sum(nil), nil } func TestLargeHashes(t *testing.T) { @@ -949,10 +949,10 @@ index 7437655badee23..95c8688904c088 100644 h := New() 
diff --git a/src/crypto/sha512/sha512_test.go b/src/crypto/sha512/sha512_test.go -index 2fef7ddae07480..979e4c69ab710c 100644 +index b63e3af59f3829..121cf04e54cd87 100644 --- a/src/crypto/sha512/sha512_test.go +++ b/src/crypto/sha512/sha512_test.go -@@ -14,6 +14,7 @@ import ( +@@ -15,6 +15,7 @@ import ( "encoding/hex" "fmt" "hash" @@ -960,7 +960,7 @@ index 2fef7ddae07480..979e4c69ab710c 100644 "io" "testing" ) -@@ -719,6 +720,9 @@ func TestGolden(t *testing.T) { +@@ -720,6 +721,9 @@ func TestGolden(t *testing.T) { } func TestGoldenMarshal(t *testing.T) { @@ -970,7 +970,7 @@ index 2fef7ddae07480..979e4c69ab710c 100644 tests := []struct { name string newHash func() hash.Hash -@@ -766,6 +770,9 @@ func TestGoldenMarshal(t *testing.T) { +@@ -767,6 +771,9 @@ func TestGoldenMarshal(t *testing.T) { } func TestMarshalMismatch(t *testing.T) { @@ -980,7 +980,7 @@ index 2fef7ddae07480..979e4c69ab710c 100644 h := []func() hash.Hash{ New, New384, -@@ -872,6 +879,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { +@@ -873,6 +880,9 @@ func safeSum(h hash.Hash) (sum []byte, err error) { } func TestLargeHashes(t *testing.T) { @@ -1043,7 +1043,7 @@ index 9c1d3d279c472f..0ca7a863b73690 100644 package fipsonly diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go -index f24c2671acd435..f88fcad4e78f0d 100644 +index 503a732e05765e..db8919aaf9cbdd 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go @@ -14,6 +14,7 @@ import ( @@ -1123,31 +1123,31 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 097f35ca01aa5b..fe0aa0cc92b35b 100644 +index 2f397cf20abb0a..3340fe1de869ab 100644 --- a/src/go.mod +++ b/src/go.mod 
@@ -4,6 +4,7 @@ go 1.23 require ( - github.com/golang-fips/openssl/v2 v2.0.3 + github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c + github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index fac8a0626146bc..43ae325dc538d2 100644 +index 7729cca493647c..3f8f33aa3fba93 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ - github.com/golang-fips/openssl/v2 v2.0.3 h1:9+J2R0BQio6Jz8+dPZf/0ylISByl0gZWjTEKm+J+y7Y= - github.com/golang-fips/openssl/v2 v2.0.3/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= + github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c h1:q7tCgQctS2aXmDVWjTV0951iRioF7Svx/hSQxymkZYo= + github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= +github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 h1:KQsPPal3pKvKzAPTaR7sEriaqrHmRWw0dWG/7E5FNNk= +github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 15f4bb124b8528..82b38763d02d6c 100644 +index 4bf45495afa19b..31e2c1aef5c411 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -459,6 +459,10 @@ var depsRules = ` diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index f4b8a4a02e4..65a0cbb9db1 100644 --- a/patches/0006-Vendor-crypto-backends.patch 
+++ b/patches/0006-Vendor-crypto-backends.patch @@ -35,7 +35,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../github.com/golang-fips/openssl/v2/shims.h | 371 ++++++++ .../golang-fips/openssl/v2/thread_setup.go | 14 + .../golang-fips/openssl/v2/thread_setup.h | 4 + - .../openssl/v2/thread_setup_unix.c | 61 ++ + .../openssl/v2/thread_setup_unix.c | 64 ++ .../openssl/v2/thread_setup_windows.c | 64 ++ .../golang-fips/openssl/v2/tls1prf.go | 104 +++ .../microsoft/go-crypto-winnative/LICENSE | 21 + @@ -61,7 +61,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 11 + - 56 files changed, 9045 insertions(+) + 56 files changed, 9048 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -5807,10 +5807,10 @@ index 00000000000000..98d12f82a27c37 +extern volatile unsigned int go_openssl_threads_cleaned_up; diff --git a/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c new file mode 100644 -index 00000000000000..53ea9d03d7d54c +index 00000000000000..c837f9cb4dd7a3 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c -@@ -0,0 +1,61 @@ +@@ -0,0 +1,64 @@ +//go:build unix + +#include "goopenssl.h" 
@@ -5841,8 +5841,11 @@ index 00000000000000..53ea9d03d7d54c + // per-thread error state, so this function is guaranteed to be executed at + // least once on any thread with associated error state. The thread-local + // variable needs to be set to a non-NULL value so that the destructor will -+ // be called when the thread exits. The actual value does not matter. -+ (void) pthread_setspecific(destructor_key, (void*)1); ++ // be called when the thread exits. ++ // The actual value does not matter, but should be a pointer with a valid size. ++ // See https://github.com/golang-fips/openssl/pull/162 ++ static char stub; ++ (void) pthread_setspecific(destructor_key, &stub); +} + +static void cleanup_thread_state(void *ignored) @@ -9485,11 +9488,11 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index 2868749b894fb2..5b911da9df470b 100644 +index b8a0b84a282a32..d6dcd31f88c56b 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ -+# github.com/golang-fips/openssl/v2 v2.0.3 ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig From fed3174798c13d1bb034ecafc7596f8b022ca035 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Mon, 9 Sep 2024 12:05:30 -0500 Subject: [PATCH 07/42] Update openssl to ms-go1.23-support, 0a2f211a8f95 --- patches/0004-Add-OpenSSL-crypto-backend.patch | 10 ++--- patches/0005-Add-CNG-crypto-backend.patch | 10 ++--- patches/0006-Vendor-crypto-backends.patch | 41 ++++++++++--------- 3 files changed, 31 insertions(+), 30 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index f8a55675323..116b84cfcfe 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch 
@@ -714,24 +714,24 @@ index c83a7272c9f01f..a0548a7f9179c5 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 789f5aaa1d3e26..2f397cf20abb0a 100644 +index 789f5aaa1d3e26..14ced0e416fde8 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,6 +3,7 @@ module std go 1.23 require ( -+ github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index a75ea98c7312df..7729cca493647c 100644 +index a75ea98c7312df..9fad90e123a9f6 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,5 @@ -+github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c h1:q7tCgQctS2aXmDVWjTV0951iRioF7Svx/hSQxymkZYo= -+github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 h1:e+JGYwsNT8K58Z9JysRNadrPzxNlGf+0wQXcdlHiv5M= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index d46303ef806..5f974c24012 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1123,24 +1123,24 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 2f397cf20abb0a..3340fe1de869ab 100644 +index 14ced0e416fde8..b2e1fa24bcda18 100644 
--- a/src/go.mod +++ b/src/go.mod @@ -4,6 +4,7 @@ go 1.23 require ( - github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c + github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 + github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index 7729cca493647c..3f8f33aa3fba93 100644 +index 9fad90e123a9f6..6bd576f5fbb07e 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ - github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c h1:q7tCgQctS2aXmDVWjTV0951iRioF7Svx/hSQxymkZYo= - github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= + github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 h1:e+JGYwsNT8K58Z9JysRNadrPzxNlGf+0wQXcdlHiv5M= + github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= +github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 h1:KQsPPal3pKvKzAPTaR7sEriaqrHmRWw0dWG/7E5FNNk= +github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index 65a0cbb9db1..10043f59a99 100644 --- a/patches/0006-Vendor-crypto-backends.patch +++ b/patches/0006-Vendor-crypto-backends.patch 
@@ -12,7 +12,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../golang-fips/openssl/v2/bbig/big.go | 37 + .../github.com/golang-fips/openssl/v2/big.go | 11 + .../golang-fips/openssl/v2/cipher.go | 569 +++++++++++++ - .../github.com/golang-fips/openssl/v2/des.go | 113 +++ + .../github.com/golang-fips/openssl/v2/des.go | 114 +++ .../github.com/golang-fips/openssl/v2/ec.go | 59 ++ .../github.com/golang-fips/openssl/v2/ecdh.go | 323 +++++++ .../golang-fips/openssl/v2/ecdsa.go | 217 +++++ @@ -61,7 +61,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 11 + - 56 files changed, 9048 insertions(+) + 56 files changed, 9049 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -975,10 +975,10 @@ index 00000000000000..72f7aebfc130e7 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/des.go b/src/vendor/github.com/golang-fips/openssl/v2/des.go new file mode 100644 -index 00000000000000..71b13333a28513 +index 00000000000000..c98a276ec33fb0 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/des.go -@@ -0,0 +1,113 @@ +@@ -0,0 +1,114 @@ +//go:build !cmd_go_bootstrap + +package openssl 
@@ -1014,27 +1014,22 @@ index 00000000000000..71b13333a28513 + if len(key) != 8 { + return nil, errors.New("crypto/des: invalid key size") + } -+ c, err := newEVPCipher(key, cipherDES) -+ if err != nil { -+ return nil, err -+ } -+ // Should always be true for stock OpenSSL. -+ if loadCipher(cipherDES, cipherModeCBC) == nil { -+ return &desCipherWithoutCBC{c}, nil -+ } -+ return &desCipher{c}, nil ++ return newDESCipher(key, cipherDES) +} + +func NewTripleDESCipher(key []byte) (cipher.Block, error) { + if len(key) != 24 { + return nil, errors.New("crypto/des: invalid key size") + } -+ c, err := newEVPCipher(key, cipherDES3) ++ return newDESCipher(key, cipherDES3) ++} ++ ++func newDESCipher(key []byte, kind cipherKind) (cipher.Block, error) { ++ c, err := newEVPCipher(key, kind) + if err != nil { + return nil, err + } -+ // Should always be true for stock OpenSSL. -+ if loadCipher(cipherDES, cipherModeCBC) != nil { ++ if loadCipher(kind, cipherModeCBC) == nil { + return &desCipherWithoutCBC{c}, nil + } + return &desCipher{c}, nil @@ -1086,11 +1081,17 @@ index 00000000000000..71b13333a28513 +} + +func (c *desCipherWithoutCBC) Encrypt(dst, src []byte) { -+ c.encrypt(dst, src) ++ if err := c.encrypt(dst, src); err != nil { ++ // crypto/des expects that the panic message starts with "crypto/des: ". ++ panic("crypto/des: " + err.Error()) ++ } +} + +func (c *desCipherWithoutCBC) Decrypt(dst, src []byte) { -+ c.decrypt(dst, src) ++ if err := c.decrypt(dst, src); err != nil { ++ // crypto/des expects that the panic message starts with "crypto/des: ". ++ panic("crypto/des: " + err.Error()) ++ } +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ec.go b/src/vendor/github.com/golang-fips/openssl/v2/ec.go new file mode 100644 @@ -9488,11 +9489,11 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} 
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index b8a0b84a282a32..d6dcd31f88c56b 100644 +index b8a0b84a282a32..69417c384eb8c0 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20240905155948-17d05d3f692c ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig From a14aab4f2defdec9f3c7eda337fd28d89229e6ca Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 10 Sep 2024 17:17:46 +0000 Subject: [PATCH 08/42] Update submodule to latest release-branch.go1.23 (69234ded): [release-branch.go1.23] go1.23.1 --- MICROSOFT_REVISION | 1 + 1 file changed, 1 insertion(+) create mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION new file mode 100644 index 00000000000..d8263ee9860 --- /dev/null +++ b/MICROSOFT_REVISION @@ -0,0 +1 @@ +2 \ No newline at end of file From 4d37f6d9c155111c8057e975be11535ff826a800 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Wed, 25 Sep 2024 10:48:03 -0700 Subject: [PATCH 09/42] Update CNG backend to ms-go1.22-support b29b5cde7fdd (#1334) --- patches/0005-Add-CNG-crypto-backend.patch | 10 +++++----- patches/0006-Vendor-crypto-backends.patch | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 5f974c24012..304de410570 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1123,26 +1123,26 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 14ced0e416fde8..b2e1fa24bcda18 100644 +index 14ced0e416fde8..41ff48ef919672 100644 --- a/src/go.mod +++ b/src/go.mod 
@@ -4,6 +4,7 @@ go 1.23 require ( github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 -+ github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 ++ github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index 9fad90e123a9f6..6bd576f5fbb07e 100644 +index 9fad90e123a9f6..acdcbd6cd5bcb2 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 h1:e+JGYwsNT8K58Z9JysRNadrPzxNlGf+0wQXcdlHiv5M= github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= -+github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 h1:KQsPPal3pKvKzAPTaR7sEriaqrHmRWw0dWG/7E5FNNk= -+github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= ++github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd h1:2ziav5Bdjyv0VYCCftEExmA+QQZ193w8BvSgoEZ+qAY= ++github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index 10043f59a99..aafb8e44eb1 100644 --- a/patches/0006-Vendor-crypto-backends.patch +++ b/patches/0006-Vendor-crypto-backends.patch @@ -6751,7 +6751,7 @@ index 00000000000000..844c087287cabe +} 
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go new file mode 100644 -index 00000000000000..2172f03e860418 +index 00000000000000..b0784affba0aa4 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go @@ -0,0 +1,107 @@ @@ -6780,7 +6780,7 @@ index 00000000000000..2172f03e860418 +} + +func NewDESCipher(key []byte) (cipher.Block, error) { -+ kh, err := newCipherHandle(bcrypt.DES_ALGORITHM, "", key) ++ kh, err := newCipherHandle(bcrypt.DES_ALGORITHM, bcrypt.CHAIN_MODE_ECB, key) + if err != nil { + return nil, err + } @@ -6791,7 +6791,7 @@ index 00000000000000..2172f03e860418 +} + +func NewTripleDESCipher(key []byte) (cipher.Block, error) { -+ kh, err := newCipherHandle(bcrypt.DES3_ALGORITHM, "", key) ++ kh, err := newCipherHandle(bcrypt.DES3_ALGORITHM, bcrypt.CHAIN_MODE_ECB, key) + if err != nil { + return nil, err + } @@ -9489,7 +9489,7 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index b8a0b84a282a32..69417c384eb8c0 100644 +index b8a0b84a282a32..3677388dc80929 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ @@ -9497,7 +9497,7 @@ index b8a0b84a282a32..69417c384eb8c0 100644 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig -+# github.com/microsoft/go-crypto-winnative v0.0.0-20240109184443-a968e40d3103 ++# github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd +## explicit; go 1.17 +github.com/microsoft/go-crypto-winnative/cng +github.com/microsoft/go-crypto-winnative/cng/bbig From db2aeb474ec951cc1ffb7258712481891dddc53d Mon Sep 17 00:00:00 2001 
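Review bot: `bcrypt.CHAIN_MODE_ECB` now appears on the DES and 3DES key handles without any comment, and anyone scanning the backend for weak modes will flag it. If the handle only serves the single-block cipher.Block Encrypt/Decrypt (ECB on exactly one block is just the raw block function) and chained modes are configured elsewhere, a comment on the `newCipherHandle` call such as `// ECB here only backs the single-block cipher.Block primitive; chained modes configure their own handle.` would make that explicit — please confirm how chaining is set up before wording it, since I can only see this call. The same comment applies to the NewTripleDESCipher hunk (`@@ -6791`). Both constructors start and end outside their hunks.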
From: microsoft-golang-bot Date: Wed, 25 Sep 2024 19:29:50 +0000 Subject: [PATCH 10/42] Update submodule to latest release-branch.go1.23 (69234ded): [release-branch.go1.23] go1.23.1 --- MICROSOFT_REVISION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION index d8263ee9860..e440e5c8425 100644 --- a/MICROSOFT_REVISION +++ b/MICROSOFT_REVISION @@ -1 +1 @@ -2 \ No newline at end of file +3 \ No newline at end of file From eb44a2195fe966b266a0d40e606891a92c7b3bc6 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 1 Oct 2024 19:03:43 +0000 Subject: [PATCH 11/42] Update submodule to latest release-branch.go1.23 (ed07b321): [release-branch.go1.23] go1.23.2 --- MICROSOFT_REVISION | 1 - VERSION | 2 +- go | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION deleted file mode 100644 index e440e5c8425..00000000000 --- a/MICROSOFT_REVISION +++ /dev/null @@ -1 +0,0 @@ -3 \ No newline at end of file diff --git a/VERSION b/VERSION index 90f235968f6..4e2313c04fb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.1 \ No newline at end of file +go1.23.2 \ No newline at end of file diff --git a/go b/go index 69234ded306..ed07b321aef 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit 69234ded30614a471c35cef5d87b0e0d3c136cd9 +Subproject commit ed07b321aef7632f956ce991dd10fdd7e1abd827 From adc145ef1c6a52929c31d00f116c2191af515826 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Thu, 7 Nov 2024 09:50:24 +0100 Subject: [PATCH 12/42] upgrade openssl --- patches/0004-Add-OpenSSL-crypto-backend.patch | 6 +-- patches/0005-Add-CNG-crypto-backend.patch | 6 +-- patches/0006-Vendor-crypto-backends.patch | 48 ++++++++++++------- 3 files changed, 36 insertions(+), 24 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 116b84cfcfe..824774ebe12 100644 
--- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -721,7 +721,7 @@ index 789f5aaa1d3e26..14ced0e416fde8 100644 go 1.23 require ( -+ github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) @@ -730,8 +730,8 @@ index a75ea98c7312df..9fad90e123a9f6 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,5 @@ -+github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 h1:e+JGYwsNT8K58Z9JysRNadrPzxNlGf+0wQXcdlHiv5M= -+github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 h1:LSalTbQ1mC7dgzyVZTvgVBV3RY503kOtn5iIvIXTBvY= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 304de410570..437e4a7513f 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1129,7 +1129,7 @@ index 14ced0e416fde8..41ff48ef919672 100644 
@@ -4,6 +4,7 @@ go 1.23 require ( - github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 + github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 + github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c @@ -1139,8 +1139,8 @@ index 9fad90e123a9f6..acdcbd6cd5bcb2 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ - github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 h1:e+JGYwsNT8K58Z9JysRNadrPzxNlGf+0wQXcdlHiv5M= - github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= + github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 h1:LSalTbQ1mC7dgzyVZTvgVBV3RY503kOtn5iIvIXTBvY= + github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= +github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd h1:2ziav5Bdjyv0VYCCftEExmA+QQZ193w8BvSgoEZ+qAY= +github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index aafb8e44eb1..5cc54d6481f 100644 --- a/patches/0006-Vendor-crypto-backends.patch +++ b/patches/0006-Vendor-crypto-backends.patch 
@@ -17,7 +17,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../github.com/golang-fips/openssl/v2/ecdh.go | 323 +++++++ .../golang-fips/openssl/v2/ecdsa.go | 217 +++++ .../golang-fips/openssl/v2/ed25519.go | 218 +++++ - .../github.com/golang-fips/openssl/v2/evp.go | 471 +++++++++++ + .../github.com/golang-fips/openssl/v2/evp.go | 483 +++++++++++ .../golang-fips/openssl/v2/goopenssl.c | 218 +++++ .../golang-fips/openssl/v2/goopenssl.h | 255 ++++++ .../github.com/golang-fips/openssl/v2/hash.go | 793 ++++++++++++++++++ @@ -61,7 +61,7 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 11 + - 56 files changed, 9049 insertions(+) + 56 files changed, 9061 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -1936,10 +1936,10 @@ index 00000000000000..f74bd8f8d7a993 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/evp.go b/src/vendor/github.com/golang-fips/openssl/v2/evp.go new file mode 100644 -index 00000000000000..a9237a6a0ce9aa +index 00000000000000..ff07f5f55bf974 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/evp.go -@@ -0,0 +1,471 @@ +@@ -0,0 +1,483 @@ +//go:build !cmd_go_bootstrap + +package openssl 
@@ -1993,12 +1993,28 @@ index 00000000000000..a9237a6a0ce9aa + return v.(C.GO_EVP_MD_PTR) + } + defer func() { -+ if md != nil && vMajor == 3 { -+ // On OpenSSL 3, directly operating on a EVP_MD object -+ // not created by EVP_MD_fetch has negative performance -+ // implications, as digest operations will have -+ // to fetch it on every call. Better to just fetch it once here. -+ md = C.go_openssl_EVP_MD_fetch(nil, C.go_openssl_EVP_MD_get0_name(md), nil) ++ if md != nil { ++ switch vMajor { ++ case 1: ++ // On OpenSSL 1 EVP_MD objects can be not-nil even ++ // when they are not supported. We need to pass the md ++ // to a EVP_MD_CTX to really know if they can be used. ++ ctx := C.go_openssl_EVP_MD_CTX_new() ++ if ctx != nil { ++ if C.go_openssl_EVP_DigestInit_ex(ctx, md, nil) != 1 { ++ md = nil ++ } ++ C.go_openssl_EVP_MD_CTX_free(ctx) ++ } ++ case 3: ++ // On OpenSSL 3, directly operating on a EVP_MD object ++ // not created by EVP_MD_fetch has negative performance ++ // implications, as digest operations will have ++ // to fetch it on every call. Better to just fetch it once here. ++ md = C.go_openssl_EVP_MD_fetch(nil, C.go_openssl_EVP_MD_get0_name(md), nil) ++ default: ++ panic(errUnsupportedVersion()) ++ } + } + cacheMD.Store(ch, md) + }() @@ -2014,13 +2030,9 @@ index 00000000000000..a9237a6a0ce9aa + } + switch ch { + case crypto.MD4: -+ if versionAtOrAbove(1, 1, 0) || !FIPS() { -+ return C.go_openssl_EVP_md4() -+ } ++ return C.go_openssl_EVP_md4() + case crypto.MD5: -+ if versionAtOrAbove(1, 1, 0) || !FIPS() { -+ return C.go_openssl_EVP_md5() -+ } ++ return C.go_openssl_EVP_md5() + case crypto.SHA1: + return C.go_openssl_EVP_sha1() + case crypto.SHA224: @@ -9489,11 +9501,11 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index b8a0b84a282a32..3677388dc80929 100644 +index b8a0b84a282a32..fa72eda0979db6 100644 --- a/src/vendor/modules.txt 
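Review bot: In the OpenSSL 1 branch of the deferred block, a failed `EVP_MD_CTX_new` (ctx == nil) skips the DigestInit_ex probe and leaves md non-nil, so an unverified digest is stored in cacheMD for the rest of the process. Because the second hunk (`@@ -2014`) removes the `versionAtOrAbove(1, 1, 0) || !FIPS()` guards on MD4/MD5 and now relies on this probe to reject them under FIPS, the allocation failure should fail closed: `if ctx == nil { md = nil } else { …existing probe and free… }`. A short comment on the MD4/MD5 cases saying that FIPS rejection now happens in the deferred probe (and via EVP_MD_fetch on OpenSSL 3) would also help, since removing the guard reads as lifting the restriction. The enclosing function (presumably cryptoHashToMD) has its signature above the hunk.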
+++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20240909165545-0a2f211a8f95 ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig From 4b504de4b8636950c38334988efa368df03855dc Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Thu, 7 Nov 2024 16:42:56 +0000 Subject: [PATCH 13/42] Update submodule to latest release-branch.go1.23 (c390a1c2): [release-branch.go1.23] go1.23.3 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 4e2313c04fb..09f8e16ac8d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.2 \ No newline at end of file +go1.23.3 \ No newline at end of file diff --git a/go b/go index ed07b321aef..c390a1c22e8 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit ed07b321aef7632f956ce991dd10fdd7e1abd827 +Subproject commit c390a1c22e8951263e6c01346a4281d604b25062 From d5e4814447d135caa26c98cb04abcc2c52d61ffa Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 18 Nov 2024 12:03:00 +0100 Subject: [PATCH 14/42] upgrade openssl backend to c5672cc7 --- patches/0004-Add-OpenSSL-crypto-backend.patch | 10 +- patches/0005-Add-CNG-crypto-backend.patch | 10 +- patches/0006-Vendor-crypto-backends.patch | 278 ++++++++++++++---- 3 files changed, 229 insertions(+), 69 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 824774ebe12..4630d16097e 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -714,24 +714,24 @@ index c83a7272c9f01f..a0548a7f9179c5 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 789f5aaa1d3e26..14ced0e416fde8 100644 +index 789f5aaa1d3e26..49d6362771d4b2 100644 --- a/src/go.mod +++ b/src/go.mod 
@@ -3,6 +3,7 @@ module std go 1.23 require ( -+ github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 ++ github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index a75ea98c7312df..9fad90e123a9f6 100644 +index a75ea98c7312df..f88678bf643820 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,5 @@ -+github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 h1:LSalTbQ1mC7dgzyVZTvgVBV3RY503kOtn5iIvIXTBvY= -+github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 h1:6Mb55x7RlLVNEPY6liVYeVTMR5FuZqHViyyrr7tih7A= ++github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 437e4a7513f..8d605c1edca 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1123,24 +1123,24 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 14ced0e416fde8..41ff48ef919672 100644 +index 49d6362771d4b2..1cba724d406b3a 100644 --- a/src/go.mod +++ b/src/go.mod 
@@ -4,6 +4,7 @@ go 1.23 require ( - github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 + github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 + github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index 9fad90e123a9f6..acdcbd6cd5bcb2 100644 +index f88678bf643820..c86114e6cf3c8a 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ - github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 h1:LSalTbQ1mC7dgzyVZTvgVBV3RY503kOtn5iIvIXTBvY= - github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= + github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 h1:6Mb55x7RlLVNEPY6liVYeVTMR5FuZqHViyyrr7tih7A= + github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= +github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd h1:2ziav5Bdjyv0VYCCftEExmA+QQZ193w8BvSgoEZ+qAY= +github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index 5cc54d6481f..c680c2d8493 100644 --- a/patches/0006-Vendor-crypto-backends.patch +++ b/patches/0006-Vendor-crypto-backends.patch 
@@ -8,44 +8,44 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../golang-fips/openssl/v2/.gitleaks.toml | 9 + .../github.com/golang-fips/openssl/v2/LICENSE | 20 + .../golang-fips/openssl/v2/README.md | 66 ++ - .../github.com/golang-fips/openssl/v2/aes.go | 100 +++ + .../github.com/golang-fips/openssl/v2/aes.go | 117 +++ .../golang-fips/openssl/v2/bbig/big.go | 37 + .../github.com/golang-fips/openssl/v2/big.go | 11 + - .../golang-fips/openssl/v2/cipher.go | 569 +++++++++++++ + .../golang-fips/openssl/v2/cipher.go | 569 +++++++++++ .../github.com/golang-fips/openssl/v2/des.go | 114 +++ .../github.com/golang-fips/openssl/v2/ec.go | 59 ++ .../github.com/golang-fips/openssl/v2/ecdh.go | 323 +++++++ .../golang-fips/openssl/v2/ecdsa.go | 217 +++++ .../golang-fips/openssl/v2/ed25519.go | 218 +++++ - .../github.com/golang-fips/openssl/v2/evp.go | 483 +++++++++++ + .../github.com/golang-fips/openssl/v2/evp.go | 483 ++++++++++ .../golang-fips/openssl/v2/goopenssl.c | 218 +++++ - .../golang-fips/openssl/v2/goopenssl.h | 255 ++++++ - .../github.com/golang-fips/openssl/v2/hash.go | 793 ++++++++++++++++++ + .../golang-fips/openssl/v2/goopenssl.h | 255 +++++ + .../github.com/golang-fips/openssl/v2/hash.go | 895 ++++++++++++++++++ .../github.com/golang-fips/openssl/v2/hkdf.go | 174 ++++ - .../github.com/golang-fips/openssl/v2/hmac.go | 238 ++++++ + .../github.com/golang-fips/openssl/v2/hmac.go | 238 +++++ .../github.com/golang-fips/openssl/v2/init.go | 64 ++ .../golang-fips/openssl/v2/init_unix.go | 31 + .../golang-fips/openssl/v2/init_windows.go | 36 + - .../golang-fips/openssl/v2/openssl.go | 419 +++++++++ + .../golang-fips/openssl/v2/openssl.go | 456 +++++++++ .../golang-fips/openssl/v2/pbkdf2.go | 28 + .../openssl/v2/port_evp_md5_sha1.c | 126 +++ .../github.com/golang-fips/openssl/v2/rand.go | 20 + .../github.com/golang-fips/openssl/v2/rc4.go | 66 ++ - .../github.com/golang-fips/openssl/v2/rsa.go | 435 ++++++++++ - .../github.com/golang-fips/openssl/v2/shims.h | 371 ++++++++ 
+ .../github.com/golang-fips/openssl/v2/rsa.go | 435 +++++++++ + .../github.com/golang-fips/openssl/v2/shims.h | 375 ++++++++ .../golang-fips/openssl/v2/thread_setup.go | 14 + .../golang-fips/openssl/v2/thread_setup.h | 4 + .../openssl/v2/thread_setup_unix.c | 64 ++ .../openssl/v2/thread_setup_windows.c | 64 ++ - .../golang-fips/openssl/v2/tls1prf.go | 104 +++ + .../golang-fips/openssl/v2/tls1prf.go | 104 ++ .../microsoft/go-crypto-winnative/LICENSE | 21 + - .../microsoft/go-crypto-winnative/cng/aes.go | 389 +++++++++ + .../microsoft/go-crypto-winnative/cng/aes.go | 389 ++++++++ .../go-crypto-winnative/cng/bbig/big.go | 31 + .../microsoft/go-crypto-winnative/cng/big.go | 30 + .../go-crypto-winnative/cng/cipher.go | 56 ++ .../microsoft/go-crypto-winnative/cng/cng.go | 130 +++ .../microsoft/go-crypto-winnative/cng/des.go | 107 +++ - .../microsoft/go-crypto-winnative/cng/ecdh.go | 260 ++++++ + .../microsoft/go-crypto-winnative/cng/ecdh.go | 260 +++++ .../go-crypto-winnative/cng/ecdsa.go | 175 ++++ .../microsoft/go-crypto-winnative/cng/hash.go | 320 +++++++ .../microsoft/go-crypto-winnative/cng/hkdf.go | 179 ++++ 
@@ -54,14 +54,14 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../go-crypto-winnative/cng/pbkdf2.go | 74 ++ .../microsoft/go-crypto-winnative/cng/rand.go | 28 + .../microsoft/go-crypto-winnative/cng/rc4.go | 61 ++ - .../microsoft/go-crypto-winnative/cng/rsa.go | 374 +++++++++ + .../microsoft/go-crypto-winnative/cng/rsa.go | 374 ++++++++ .../go-crypto-winnative/cng/tls1prf.go | 92 ++ - .../internal/bcrypt/bcrypt_windows.go | 284 +++++++ - .../internal/bcrypt/zsyscall_windows.go | 389 +++++++++ + .../internal/bcrypt/bcrypt_windows.go | 284 ++++++ + .../internal/bcrypt/zsyscall_windows.go | 389 ++++++++ .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 11 + - 56 files changed, 9061 insertions(+) + 56 files changed, 9221 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -234,10 +234,10 @@ index 00000000000000..1bfbaf60f4dd58 +This project adopts the Go code of conduct: https://go.dev/conduct. diff --git a/src/vendor/github.com/golang-fips/openssl/v2/aes.go b/src/vendor/github.com/golang-fips/openssl/v2/aes.go new file mode 100644 -index 00000000000000..231b75e2adbc39 +index 00000000000000..95daeacf71e96f --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/aes.go -@@ -0,0 +1,100 @@ +@@ -0,0 +1,117 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -260,7 +260,7 @@ index 00000000000000..231b75e2adbc39 + NewGCMTLS() (cipher.AEAD, error) +} + -+var _ extraModes = (*aesCipher)(nil) ++var _ extraModes = (*aesWithCTR)(nil) + +func NewAESCipher(key []byte) (cipher.Block, error) { + var kind cipherKind 
@@ -278,19 +278,32 @@ index 00000000000000..231b75e2adbc39 + if err != nil { + return nil, err + } -+ return &aesCipher{c}, nil ++ ac := aesCipher{c} ++ // The SymCrypt provider doesn't support AES-CTR. ++ // Prove that the provider supports AES-CTR before ++ // returning an aesWithCTR. ++ if loadCipher(kind, cipherModeCTR) != nil { ++ return &aesWithCTR{ac}, nil ++ } ++ return &ac, nil +} + +// NewGCMTLS returns a GCM cipher specific to TLS +// and should not be used for non-TLS purposes. +func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { -+ return c.(*aesCipher).NewGCMTLS() ++ if c, ok := c.(*aesCipher); ok { ++ return c.NewGCMTLS() ++ } ++ return c.(*aesWithCTR).NewGCMTLS() +} + +// NewGCMTLS13 returns a GCM cipher specific to TLS 1.3 and should not be used +// for non-TLS purposes. +func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) { -+ return c.(*aesCipher).NewGCMTLS13() ++ if c, ok := c.(*aesCipher); ok { ++ return c.NewGCMTLS13() ++ } ++ return c.(*aesWithCTR).NewGCMTLS13() +} + +type aesCipher struct { @@ -323,10 +336,6 @@ index 00000000000000..231b75e2adbc39 + return c.newCBC(iv, cipherOpDecrypt) +} + -+func (c *aesCipher) NewCTR(iv []byte) cipher.Stream { -+ return c.newCTR(iv) -+} -+ +func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { + return c.newGCMChecked(nonceSize, tagSize) +} @@ -338,6 +347,14 @@ index 00000000000000..231b75e2adbc39 +func (c *aesCipher) NewGCMTLS13() (cipher.AEAD, error) { + return c.newGCM(cipherGCMTLS13) +} ++ ++type aesWithCTR struct { ++ aesCipher ++} ++ ++func (c *aesWithCTR) NewCTR(iv []byte) cipher.Stream { ++ return c.newCTR(iv) ++} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go b/src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go new file mode 100644 index 00000000000000..a81cbdbef93148 @@ -2911,10 +2928,10 @@ index 00000000000000..e488bf20142010 \ No newline at end of file 
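Review bot: NewGCMTLS and NewGCMTLS13 now repeat an assertion pair in which `c, ok := c.(*aesCipher)` shadows the parameter and the trailing `c.(*aesWithCTR)` still panics with a bare runtime type-assertion message for any other cipher.Block. A type switch keeps both implementations explicit, removes the shadowing, and gives the misuse case a panic that names this package; the same shape applies to NewGCMTLS13.
```go
func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
	switch c := c.(type) {
	case *aesCipher:
		return c.NewGCMTLS()
	case *aesWithCTR:
		return c.NewGCMTLS()
	default:
		panic("openssl: NewGCMTLS: unsupported cipher.Block")
	}
}
```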
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hash.go b/src/vendor/github.com/golang-fips/openssl/v2/hash.go new file mode 100644 -index 00000000000000..646b4ce295896c +index 00000000000000..120fc41271f715 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/hash.go -@@ -0,0 +1,793 @@ +@@ -0,0 +1,895 @@ +//go:build !cmd_go_bootstrap + +package openssl @@ -2927,6 +2944,7 @@ index 00000000000000..646b4ce295896c + "hash" + "runtime" + "strconv" ++ "sync" + "unsafe" +) + @@ -3027,6 +3045,37 @@ index 00000000000000..646b4ce295896c + return +} + ++var isMarshallableCache sync.Map ++ ++// isHashMarshallable returns true if the memory layout of cb ++// is known by this library and can therefore be marshalled. ++func isHashMarshallable(ch crypto.Hash) bool { ++ if vMajor == 1 { ++ return true ++ } ++ if v, ok := isMarshallableCache.Load(ch); ok { ++ return v.(bool) ++ } ++ md := cryptoHashToMD(ch) ++ if md == nil { ++ return false ++ } ++ prov := C.go_openssl_EVP_MD_get0_provider(md) ++ if prov == nil { ++ return false ++ } ++ cname := C.go_openssl_OSSL_PROVIDER_get0_name(prov) ++ if cname == nil { ++ return false ++ } ++ name := C.GoString(cname) ++ // We only know the memory layout of the built-in providers. ++ // See evpHash.hashState for more details. ++ marshallable := name == "default" || name == "fips" ++ isMarshallableCache.Store(ch, marshallable) ++ return marshallable ++} ++ +// evpHash implements generic hash methods. +type evpHash struct { + ctx C.GO_EVP_MD_CTX_PTR @@ -3036,6 +3085,8 @@ index 00000000000000..646b4ce295896c + ctx2 C.GO_EVP_MD_CTX_PTR + size int + blockSize int ++ ++ marshallable bool +} + +func newEvpHash(ch crypto.Hash, size, blockSize int) *evpHash { @@ -3054,6 +3105,8 @@ index 00000000000000..646b4ce295896c + ctx2: ctx2, + size: size, + blockSize: blockSize, ++ ++ marshallable: isHashMarshallable(ch), + } + runtime.SetFinalizer(h, (*evpHash).finalize) + return h 
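Review bot: The doc comment on isHashMarshallable says "the memory layout of cb" but the parameter is `ch`, and it does not say what a false result costs the caller: the provider-name check (`default`/`fips`) silently disables hashState, and presumably state marshalling, for any third-party provider. Suggest `// isHashMarshallable reports whether ch is served by a provider whose internal digest layout this package hard-codes (default/fips on OpenSSL 3, always on OpenSSL 1); a false result disables state marshalling rather than risk reading a foreign layout.` Negative results (nil md, provider or name) are not cached, so those lookups re-run on each call; if that is deliberate because cryptoHashToMD has its own cache, a one-line comment saying so would prevent someone "fixing" it.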
@@ -3112,11 +3165,44 @@ index 00000000000000..646b4ce295896c + runtime.KeepAlive(h) +} + ++// clone returns a new evpHash object that is a deep clone of itself. ++// The duplicate object contains all state and data contained in the ++// original object at the point of duplication. ++func (h *evpHash) clone() (*evpHash, error) { ++ ctx := C.go_openssl_EVP_MD_CTX_new() ++ if ctx == nil { ++ return nil, newOpenSSLError("EVP_MD_CTX_new") ++ } ++ if C.go_openssl_EVP_MD_CTX_copy_ex(ctx, h.ctx) != 1 { ++ C.go_openssl_EVP_MD_CTX_free(ctx) ++ return nil, newOpenSSLError("EVP_MD_CTX_copy_ex") ++ } ++ ctx2 := C.go_openssl_EVP_MD_CTX_new() ++ if ctx2 == nil { ++ C.go_openssl_EVP_MD_CTX_free(ctx) ++ return nil, newOpenSSLError("EVP_MD_CTX_new") ++ } ++ cloned := &evpHash{ ++ ctx: ctx, ++ ctx2: ctx2, ++ size: h.size, ++ blockSize: h.blockSize, ++ marshallable: h.marshallable, ++ } ++ runtime.SetFinalizer(cloned, (*evpHash).finalize) ++ return cloned, nil ++} ++ ++var testNotMarshalable bool // Used in tests. ++ +// hashState returns a pointer to the internal hash structure. +// +// The EVP_MD_CTX memory layout has changed in OpenSSL 3 +// and the property holding the internal structure is no longer md_data but algctx. +func (h *evpHash) hashState() unsafe.Pointer { ++ if !h.marshallable || testNotMarshalable { ++ return nil ++ } + switch vMajor { + case 1: + // https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/crypto/evp/evp_local.h#L12. 
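Review bot: hashState can now return nil (`!h.marshallable || testNotMarshalable`), but its doc comment still promises "a pointer to the internal hash structure"; the callers that must handle nil are outside the hunk, so the comment should state the contract: `// hashState returns nil when the digest state cannot be marshalled (see isHashMarshallable) or testNotMarshalable is set; callers must treat nil as unsupported.` `testNotMarshalable` is an unsynchronized package-level bool read on every hashState call, so a test that flips it while hashes run on other goroutines would race under -race; a comment requiring it to be set before any hashing starts (or an atomic.Bool) is worth adding. In clone, only `ctx` is copied and `ctx2` is created fresh; if ctx2 is scratch space, as the layout suggests, say so in the clone doc comment so a reader does not suspect lost state.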
@@ -3452,6 +3538,17 @@ index 00000000000000..646b4ce295896c + return nil +} + ++// Clone returns a new [hash.Hash] object that is a deep clone of itself. ++// The duplicate object contains all state and data contained in the ++// original object at the point of duplication. ++func (h *sha256Hash) Clone() (hash.Hash, error) { ++ c, err := h.clone() ++ if err != nil { ++ return nil, err ++ } ++ return &sha256Hash{evpHash: c}, nil ++} ++ +// NewSHA384 returns a new SHA384 hash. +func NewSHA384() hash.Hash { + return &sha384Hash{ @@ -3464,6 +3561,17 @@ index 00000000000000..646b4ce295896c + out [384 / 8]byte +} + ++// Clone returns a new [hash.Hash] object that is a deep clone of itself. ++// The duplicate object contains all state and data contained in the ++// original object at the point of duplication. ++func (h *sha384Hash) Clone() (hash.Hash, error) { ++ c, err := h.clone() ++ if err != nil { ++ return nil, err ++ } ++ return &sha384Hash{evpHash: c}, nil ++} ++ +func (h *sha384Hash) Sum(in []byte) []byte { + h.sum(h.out[:]) + return append(in, h.out[:]...) @@ -3607,6 +3715,17 @@ index 00000000000000..646b4ce295896c + return nil +} + ++// Clone returns a new [hash.Hash] object that is a deep clone of itself. ++// The duplicate object contains all state and data contained in the ++// original object at the point of duplication. ++func (h *sha512Hash) Clone() (hash.Hash, error) { ++ c, err := h.clone() ++ if err != nil { ++ return nil, err ++ } ++ return &sha512Hash{evpHash: c}, nil ++} ++ +// NewSHA3_224 returns a new SHA3-224 hash. +func NewSHA3_224() hash.Hash { + return &sha3_224Hash{ @@ -4283,10 +4402,10 @@ index 00000000000000..3778e21227abb9 +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/openssl.go b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go new file mode 100644 -index 00000000000000..691bb16f728c9d +index 00000000000000..a9df964f0ce5e7 --- /dev/null 
+++ b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go -@@ -0,0 +1,419 @@ +@@ -0,0 +1,456 @@ +//go:build !cmd_go_bootstrap + +// Package openssl provides access to OpenSSL cryptographic functions. 
@@ -4378,23 +4497,33 @@ index 00000000000000..691bb16f728c9d +var ( + providerNameFips = C.CString("fips") + providerNameDefault = C.CString("default") ++ propFIPS = C.CString("fips=yes") ++ propNoFIPS = C.CString("-fips") ++ ++ algorithmSHA256 = C.CString("SHA2-256") +) + -+// FIPS returns true if OpenSSL is running in FIPS mode, else returns false. ++// FIPS returns true if OpenSSL is running in FIPS mode and there is ++// a provider available that supports FIPS. It returns false otherwise. +func FIPS() bool { + switch vMajor { + case 1: + return C.go_openssl_FIPS_mode() == 1 + case 3: -+ // If FIPS is not enabled via default properties, then we are sure FIPS is not used. -+ if C.go_openssl_EVP_default_properties_is_fips_enabled(nil) == 0 { ++ // Check if the default properties contain `fips=1`. ++ if C.go_openssl_EVP_default_properties_is_fips_enabled(nil) != 1 { ++ // Note that it is still possible that the provider used by default is FIPS-compliant, ++ // but that wouldn't be a system or user requirement. + return false + } -+ // EVP_default_properties_is_fips_enabled can return true even if the FIPS provider isn't loaded, -+ // it is only based on the default properties. -+ // We can be sure that the FIPS provider is available if we can fetch an algorithm, e.g., SHA2-256, -+ // explicitly setting `fips=yes`. -+ return C.go_openssl_OSSL_PROVIDER_available(nil, providerNameFips) == 1 ++ // Check if the SHA-256 algorithm is available. If it is, then we can be sure that there is a provider available that matches ++ // the `fips=1` query. Most notably, this works for the common case of using the built-in FIPS provider. ++ // ++ // Note that this approach has a small chance of false negative if the FIPS provider doesn't provide the SHA-256 algorithm, ++ // but that is highly unlikely because SHA-256 is one of the most common algorithms and fundamental to many cryptographic operations. 
++ // It also has a small chance of false positive if the FIPS provider implements the SHA-256 algorithm but not the other algorithms ++ // used by the caller application, but that is also unlikely because the FIPS provider should provide all common algorithms. ++ return proveSHA256(nil) + default: + panic(errUnsupportedVersion()) + } @@ -4402,11 +4531,15 @@ index 00000000000000..691bb16f728c9d + +// SetFIPS enables or disables FIPS mode. +// -+// For OpenSSL 3, the `fips` provider is loaded if enabled is true, -+// else the `default` provider is loaded. -+func SetFIPS(enabled bool) error { ++// For OpenSSL 3, if there is no provider available that supports FIPS mode, ++// SetFIPS will try to load a built-in provider that supports FIPS mode. ++func SetFIPS(enable bool) error { ++ if FIPS() == enable { ++ // Already in the desired state. ++ return nil ++ } + var mode C.int -+ if enabled { ++ if enable { + mode = C.int(1) + } else { + mode = C.int(0) 
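Review bot: The comment `// Check if the default properties contain \`fips=1\`.` does not match the property string this file actually defines, `propFIPS = C.CString("fips=yes")`, and the later sentence about "the `fips=1` query" has the same mismatch; suggest `// Check if the default properties contain "fips=yes".` in both places. The doc comment on FIPS could also state that the probe runs against the default library context (the nil passed to proveSHA256) and that a failed probe clears the OpenSSL error queue, since callers polling FIPS() would otherwise be surprised by that side effect on the error state. The closing brace of FIPS is outside the hunk.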
@@ -4418,25 +4551,25 @@ index 00000000000000..691bb16f728c9d + } + return nil + case 3: -+ var provName *C.char -+ if enabled { ++ var shaProps, provName *C.char ++ if enable { ++ shaProps = propFIPS + provName = providerNameFips + } else { ++ shaProps = propNoFIPS + provName = providerNameDefault + } -+ // Check if there is any provider that matches props. -+ if C.go_openssl_OSSL_PROVIDER_available(nil, provName) != 1 { -+ // If not, fallback to provName provider. -+ if C.go_openssl_OSSL_PROVIDER_load(nil, provName) == nil { -+ return newOpenSSLError("OSSL_PROVIDER_try_load") -+ } -+ // Make sure we now have a provider available. -+ if C.go_openssl_OSSL_PROVIDER_available(nil, provName) != 1 { -+ return fail("SetFIPS(" + strconv.FormatBool(enabled) + ") not supported") ++ if !proveSHA256(shaProps) { ++ // There is no provider available that supports the desired FIPS mode. ++ // Try to load the built-in provider associated with the given mode. ++ if C.go_openssl_OSSL_PROVIDER_try_load(nil, provName, 1) == nil { ++ // The built-in provider was not loaded successfully, we can't enable FIPS mode. ++ C.go_openssl_ERR_clear_error() ++ return errors.New("openssl: FIPS mode not supported by any provider") + } + } + if C.go_openssl_EVP_default_properties_enable_fips(nil, mode) != 1 { -+ return newOpenSSLError("openssl: EVP_default_properties_enable_fips") ++ return newOpenSSLError("EVP_default_properties_enable_fips") + } + return nil + default: 
@@ -4444,6 +4577,29 @@ index 00000000000000..691bb16f728c9d + } +} + ++// proveSHA256 checks if the SHA-256 algorithm is available ++// using the given properties. ++func proveSHA256(props *C.char) bool { ++ md := C.go_openssl_EVP_MD_fetch(nil, algorithmSHA256, props) ++ if md == nil { ++ C.go_openssl_ERR_clear_error() ++ return false ++ } ++ C.go_openssl_EVP_MD_free(md) ++ return true ++} ++ ++// isProviderAvailable checks if the provider with the given name is available. ++// This function is used in export_test.go, but must be defined here as test files can't access C functions. ++func isProviderAvailable(name string) bool { ++ if vMajor == 1 { ++ return false ++ } ++ providerName := C.CString(name) ++ defer C.free(unsafe.Pointer(providerName)) ++ return C.go_openssl_OSSL_PROVIDER_available(nil, providerName) == 1 ++} ++ +// noescape hides a pointer from escape analysis. noescape is +// the identity function but escape analysis doesn't think the +// output depends on the input. noescape is inlined and currently @@ -5413,10 +5569,10 @@ index 00000000000000..f28d323adcbb3a +} diff --git a/src/vendor/github.com/golang-fips/openssl/v2/shims.h b/src/vendor/github.com/golang-fips/openssl/v2/shims.h new file mode 100644 -index 00000000000000..99656f0cf20a36 +index 00000000000000..deddeb934568c9 --- /dev/null +++ b/src/vendor/github.com/golang-fips/openssl/v2/shims.h -@@ -0,0 +1,371 @@ +@@ -0,0 +1,375 @@ +#include // size_t +#include // uint64_t + 
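Review bot: After `OSSL_PROVIDER_try_load` succeeds the code no longer re-checks that SHA-256 is fetchable with `shaProps`; the removed lines did a second availability check, so a provider that loads but does not satisfy the property query now reaches `EVP_default_properties_enable_fips` silently. Suggest repeating the probe after the load: `if !proveSHA256(shaProps) { return errors.New("openssl: FIPS mode not supported by any provider") }`. `retain_fallbacks` is passed as 1, so per the OpenSSL API the fallback providers stay activated after the explicit load and FIPS enforcement rests entirely on the default property set on the next line; a one-line comment saying so would stop a later reader from treating the provider load as the enforcement step. The error string also fires when `enable` is false, where "FIPS mode not supported" is misleading; the message should reflect `enable`. The function's default case and closing brace are outside the hunk.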
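Review bot: proveSHA256's comment omits two things a caller needs to know: the fetch is done against the default library context (nil) and a failed fetch clears the OpenSSL error queue, discarding any error the caller had pending. Suggest `// proveSHA256 reports whether SHA-256 can be fetched from the default library context with the given property query. A failed fetch is not treated as an error: the OpenSSL error queue is cleared so it does not leak to the caller.` isProviderAvailable returns false for OpenSSL 1 and otherwise calls the 3.0 shim directly, unlike FIPS/SetFIPS which panic on unsupported versions; as a test-only helper that is presumably intentional, and a short comment saying so would prevent it being reused as a general check.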
@@ -5586,6 +5742,7 @@ index 00000000000000..99656f0cf20a36 +// #endif +#define FOR_ALL_OPENSSL_FUNCTIONS \ +DEFINEFUNC(void, ERR_error_string_n, (unsigned long e, char *buf, size_t len), (e, buf, len)) \ ++DEFINEFUNC(void, ERR_clear_error, (void), ()) \ +DEFINEFUNC_LEGACY_1(unsigned long, ERR_get_error_line, (const char **file, int *line), (file, line)) \ +DEFINEFUNC_3_0(unsigned long, ERR_get_error_all, (const char **file, int *line, const char **func, const char **data, int *flags), (file, line, func, data, flags)) \ +DEFINEFUNC_RENAMED_1_1(const char *, OpenSSL_version, SSLeay_version, (int type), (type)) \ 
@@ -5608,14 +5765,17 @@ index 00000000000000..99656f0cf20a36 +DEFINEFUNC_3_0(int, EVP_default_properties_is_fips_enabled, (GO_OSSL_LIB_CTX_PTR libctx), (libctx)) \ +DEFINEFUNC_3_0(int, EVP_default_properties_enable_fips, (GO_OSSL_LIB_CTX_PTR libctx, int enable), (libctx, enable)) \ +DEFINEFUNC_3_0(int, OSSL_PROVIDER_available, (GO_OSSL_LIB_CTX_PTR libctx, const char *name), (libctx, name)) \ -+DEFINEFUNC_3_0(GO_OSSL_PROVIDER_PTR, OSSL_PROVIDER_load, (GO_OSSL_LIB_CTX_PTR libctx, const char *name), (libctx, name)) \ ++DEFINEFUNC_3_0(GO_OSSL_PROVIDER_PTR, OSSL_PROVIDER_try_load, (GO_OSSL_LIB_CTX_PTR libctx, const char *name, int retain_fallbacks), (libctx, name, retain_fallbacks)) \ ++DEFINEFUNC_3_0(const char *, OSSL_PROVIDER_get0_name, (const GO_OSSL_PROVIDER_PTR prov), (prov)) \ +DEFINEFUNC_3_0(GO_EVP_MD_PTR, EVP_MD_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \ +DEFINEFUNC_3_0(void, EVP_MD_free, (GO_EVP_MD_PTR md), (md)) \ +DEFINEFUNC_3_0(const char *, EVP_MD_get0_name, (const GO_EVP_MD_PTR md), (md)) \ ++DEFINEFUNC_3_0(const GO_OSSL_PROVIDER_PTR, EVP_MD_get0_provider, (const GO_EVP_MD_PTR md), (md)) \ +DEFINEFUNC(int, RAND_bytes, (unsigned char *arg0, int arg1), (arg0, arg1)) \ +DEFINEFUNC_RENAMED_1_1(GO_EVP_MD_CTX_PTR, EVP_MD_CTX_new, EVP_MD_CTX_create, (void), ()) \ +DEFINEFUNC_RENAMED_1_1(void, EVP_MD_CTX_free, EVP_MD_CTX_destroy, (GO_EVP_MD_CTX_PTR ctx), (ctx)) \ +DEFINEFUNC(int, EVP_MD_CTX_copy, (GO_EVP_MD_CTX_PTR out, const GO_EVP_MD_CTX_PTR in), (out, in)) \ ++DEFINEFUNC(int, EVP_MD_CTX_copy_ex, (GO_EVP_MD_CTX_PTR out, const GO_EVP_MD_CTX_PTR in), (out, in)) \ +DEFINEFUNC(int, EVP_Digest, (const void *data, size_t count, unsigned char *md, unsigned int *size, const GO_EVP_MD_PTR type, GO_ENGINE_PTR impl), (data, count, md, size, type, impl)) \ +DEFINEFUNC(int, EVP_DigestInit_ex, (GO_EVP_MD_CTX_PTR ctx, const GO_EVP_MD_PTR type, GO_ENGINE_PTR impl), (ctx, type, impl)) \ +DEFINEFUNC(int, 
EVP_DigestInit, (GO_EVP_MD_CTX_PTR ctx, const GO_EVP_MD_PTR type), (ctx, type)) \ @@ -9501,11 +9661,11 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index b8a0b84a282a32..fa72eda0979db6 100644 +index b8a0b84a282a32..8329b1b4649b69 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ -+# github.com/golang-fips/openssl/v2 v2.0.4-0.20241106131105-4bcac10661a9 ++# github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig From 13c4b38239ccec4daa09fb3b390574f2d41e597d Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 18 Nov 2024 14:23:44 +0100 Subject: [PATCH 15/42] add Azure Linux 3 to CI pipelines --- eng/pipeline/pr-outerloop-pipeline.yml | 2 ++ eng/pipeline/pr-pipeline.yml | 2 ++ eng/pipeline/rolling-innerloop-pipeline.yml | 2 ++ eng/pipeline/rolling-pipeline.yml | 2 ++ eng/pipeline/stages/builders-to-stages.yml | 2 +- eng/pipeline/stages/go-builder-matrix-stages.yml | 2 ++ eng/pipeline/stages/run-stage.yml | 7 ++++++- eng/pipeline/stages/shorthand-builders-to-builders.yml | 4 ++-- eng/pipeline/stages/sign-stage.yml | 2 +- 9 files changed, 20 insertions(+), 5 deletions(-) diff --git a/eng/pipeline/pr-outerloop-pipeline.yml b/eng/pipeline/pr-outerloop-pipeline.yml index ebba7ae920a..45fc8743775 100644 --- a/eng/pipeline/pr-outerloop-pipeline.yml +++ b/eng/pipeline/pr-outerloop-pipeline.yml @@ -24,6 +24,8 @@ resources: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22 - container: mariner1arm64 image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-arm64-1.0-20220314-a003148 + - container: azurelinux3 + image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241024144202-a3a1203 stages: - template: stages/go-builder-matrix-stages.yml 
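Review bot: The new azurelinux3 container is pinned by a mutable tag (`azurelinux-3.0-amd64-default-20241024144202-a3a1203`) rather than an image digest, so the environment that validates the crypto backend on that distro can change underneath the pipeline without a diff in this repository. The existing mariner entries do the same, so this is consistent, but a `@sha256:<digest placeholder>` pin, or a comment naming where the tag is refreshed from, would make those builds reproducible. The same container entry is repeated in pr-pipeline.yml, rolling-innerloop-pipeline.yml and rolling-pipeline.yml in this commit.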
diff --git a/eng/pipeline/pr-pipeline.yml b/eng/pipeline/pr-pipeline.yml index 8a511b43bfd..ce50b025817 100644 --- a/eng/pipeline/pr-pipeline.yml +++ b/eng/pipeline/pr-pipeline.yml @@ -21,6 +21,8 @@ resources: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22 - container: mariner1arm64 image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-arm64-1.0-20220314-a003148 + - container: azurelinux3 + image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241024144202-a3a1203 stages: - template: stages/go-builder-matrix-stages.yml diff --git a/eng/pipeline/rolling-innerloop-pipeline.yml b/eng/pipeline/rolling-innerloop-pipeline.yml index cc58fed09f0..85ba25c14b2 100644 --- a/eng/pipeline/rolling-innerloop-pipeline.yml +++ b/eng/pipeline/rolling-innerloop-pipeline.yml @@ -44,6 +44,8 @@ extends: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22 mariner1arm64: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-arm64-1.0-20220314-a003148 + azurelinux3: + image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241024144202-a3a1203 stages: - template: stages/go-builder-matrix-stages.yml diff --git a/eng/pipeline/rolling-pipeline.yml b/eng/pipeline/rolling-pipeline.yml index fd7cb59ed16..e360909614b 100644 --- a/eng/pipeline/rolling-pipeline.yml +++ b/eng/pipeline/rolling-pipeline.yml @@ -37,6 +37,8 @@ extends: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-1.0.20211027-20211201-0cccc22 mariner1arm64: image: golangpublicimages.azurecr.io/go-infra-images/prereqs:cbl-mariner-arm64-1.0-20220314-a003148 + azurelinux3: + image: mcr.microsoft.com/microsoft-go/infra-images:azurelinux-3.0-amd64-default-20241024144202-a3a1203 stages: - template: stages/go-builder-matrix-stages.yml 
diff --git a/eng/pipeline/stages/builders-to-stages.yml b/eng/pipeline/stages/builders-to-stages.yml index f3e14134e6e..f5d29d3ede2 100644 --- a/eng/pipeline/stages/builders-to-stages.yml +++ b/eng/pipeline/stages/builders-to-stages.yml @@ -5,7 +5,7 @@ # This template expands a list of builders into a list of jobs. parameters: - # [] of { id, os, arch, hostarch, config, distro?, experiment? } + # [] of { id, os, arch, hostarch, config, distro?, experiment?, broken? } builders: [] # If true, include a signing stage+job that depends on all 'buildandpack' builder jobs finishing. sign: false diff --git a/eng/pipeline/stages/go-builder-matrix-stages.yml b/eng/pipeline/stages/go-builder-matrix-stages.yml index 0c4cc12d153..60e3b51638d 100644 --- a/eng/pipeline/stages/go-builder-matrix-stages.yml +++ b/eng/pipeline/stages/go-builder-matrix-stages.yml @@ -77,9 +77,11 @@ stages: - { os: linux, arch: amd64, config: devscript } - { os: linux, arch: amd64, config: test } - { os: linux, arch: amd64, config: test, distro: ubuntu } + - { os: linux, arch: amd64, config: test, distro: azurelinux3 } - { experiment: opensslcrypto, os: linux, arch: amd64, config: test } - { experiment: opensslcrypto, os: linux, arch: amd64, config: test, fips: true } - { experiment: opensslcrypto, os: linux, arch: amd64, config: test, distro: ubuntu } + - { experiment: opensslcrypto, os: linux, arch: amd64, config: test, distro: azurelinux3, broken: true } - { experiment: boringcrypto, os: linux, arch: amd64, config: test } - { experiment: boringcrypto, os: linux, arch: amd64, config: test, distro: ubuntu } - { os: windows, arch: amd64, config: devscript } diff --git a/eng/pipeline/stages/run-stage.yml b/eng/pipeline/stages/run-stage.yml index d5f31e36cfd..d9d5ec2b055 100644 --- a/eng/pipeline/stages/run-stage.yml +++ b/eng/pipeline/stages/run-stage.yml 
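Review bot: The new `broken: true` entry for the opensslcrypto/azurelinux3 test builder carries no reason or tracking reference, so nothing ties the flag to a fix and the crypto backend will keep not being validated on Azure Linux 3 without that showing up in pipeline results. Suggest a trailing comment on that line, e.g. `# broken: <tracking issue placeholder>; remove once the opensslcrypto tests pass on azurelinux3`. The `continueOnError: true` added in run-stage.yml later in this commit only applies on the FINAL attempt, which is fine, but a log step there stating that the failure was ignored because the builder is marked broken would make the swallowed result visible in the job output.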
@@ -5,7 +5,7 @@ # This job runs a builder for any OS. parameters: - # { id, os, arch, hostArch, config, distro?, experiment?, fips? } + # { id, os, arch, hostArch, config, distro?, experiment?, fips?, broken? } - name: builder type: object @@ -71,6 +71,8 @@ stages: ${{ if eq(parameters.builder.hostArch, 'amd64') }}: ${{ if eq(parameters.builder.distro, 'ubuntu') }}: container: ubuntu2204 + ${{ elseif eq(parameters.builder.distro, 'azurelinux3') }}: + container: azurelinux3 ${{ else }}: container: mariner1 ${{ elseif eq(parameters.builder.hostArch, 'arm64') }}: @@ -266,6 +268,9 @@ stages: condition: and(ne(variables['TEST_BUILDER_SUCCESSFUL'], 'true'), succeeded()) ${{ if ne(attempt, 'FINAL') }}: ignoreLASTEXITCODE: true + ${{ elseif eq(parameters.builder.broken, true) }}: + # Don't fail the job if we are at the last retry and the builder is marked as broken. + continueOnError: true # - ${{ if eq(parameters.builder.config, 'buildandpack' ) }}: # - ${{ if ne(parameters.releaseVersion, 'nil') }}: diff --git a/eng/pipeline/stages/shorthand-builders-to-builders.yml b/eng/pipeline/stages/shorthand-builders-to-builders.yml index 815ea652fb8..123790bcad9 100644 --- a/eng/pipeline/stages/shorthand-builders-to-builders.yml +++ b/eng/pipeline/stages/shorthand-builders-to-builders.yml @@ -11,13 +11,13 @@ # to be used by template expressions, as of writing. parameters: - # [] of { os, arch, hostArch, config, distro?, experiment? } + # [] of { os, arch, hostArch, config, distro?, experiment?, broken? } # If hostArch is not defined, defaults to the arch value. # The job ID is generated based on these values. shorthandBuilders: [] # The inner jobs template to pass the filed-out builders into. # - # It should accept parameter "builders", [] of { id, os, arch, hostArch, config, distro?, fips? } + # It should accept parameter "builders", [] of { id, os, arch, hostArch, config, distro?, fips?, broken? } jobsTemplate: "" jobsParameters: {} 
diff --git a/eng/pipeline/stages/sign-stage.yml b/eng/pipeline/stages/sign-stage.yml index 1ae4e7cfbc9..73e1e046a58 100644 --- a/eng/pipeline/stages/sign-stage.yml +++ b/eng/pipeline/stages/sign-stage.yml @@ -6,7 +6,7 @@ # publishes the signed files and signatures into a consolidated pipeline artifact. parameters: - # [] of { id, os, arch, config, distro?, experiment? } + # [] of { id, os, arch, config, distro?, experiment?, broken? } builders: [] stages: From 6c3287b258ea1d35db5cfdaad0327c437fbfec89 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 18 Nov 2024 15:38:21 +0100 Subject: [PATCH 16/42] support TLS 1.3 resumption with SymCrypt --- .../0002-Add-crypto-backend-foundation.patch | 23 +++++++++++++- patches/0005-Add-CNG-crypto-backend.patch | 31 +------------------ 2 files changed, 23 insertions(+), 31 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index a8be14fb16f..e2a9522506a 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -48,6 +48,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/tls/cipher_suites.go | 2 +- src/crypto/tls/handshake_client.go | 25 ++- src/crypto/tls/handshake_server.go | 25 ++- + src/crypto/tls/handshake_server_tls13.go | 9 + src/crypto/tls/key_schedule.go | 18 +- src/crypto/tls/prf.go | 77 +++++--- src/crypto/tls/prf_test.go | 12 +- @@ -55,7 +56,7 @@ Subject: [PATCH] Add crypto backend foundation src/go/build/deps_test.go | 4 + src/net/smtp/smtp_test.go | 72 ++++--- src/runtime/runtime_boring.go | 5 + - 51 files changed, 764 insertions(+), 93 deletions(-) + 52 files changed, 773 insertions(+), 93 deletions(-) create mode 100644 src/crypto/ed25519/boring.go create mode 100644 src/crypto/ed25519/notboring.go create mode 100644 src/crypto/internal/backend/backend_test.go 
@@ -1338,6 +1339,26 @@ index ac3d915d1746d7..631db82b9ab3ae 100644 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { return err } +diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go +index 503a732e05765e..ad6585d8653cf5 100644 +--- a/src/crypto/tls/handshake_server_tls13.go ++++ b/src/crypto/tls/handshake_server_tls13.go +@@ -435,6 +435,15 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error { + // interfaces implemented by standard library hashes to clone the state of in + // to a new instance of h. It returns nil if the operation fails. + func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { ++ if boring.Enabled { ++ // CNG and OpenSSL with SymCrypt hash functions do not implement the ++ // encoding.BinaryMarshaler interface, but they do implement the Clone method. ++ if cloner, ok := in.(interface{ Clone() (hash.Hash, error) }); ok { ++ if out, err := cloner.Clone(); err == nil { ++ return out ++ } ++ } ++ } + // Recreate the interface to avoid importing encoding. + type binaryMarshaler interface { + MarshalBinary() (data []byte, err error) diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go index 1636baf79e7288..c9a5877d3d504f 100644 --- a/src/crypto/tls/key_schedule.go diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 8d605c1edca..13e4eba3084 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -35,7 +35,6 @@ Subject: [PATCH] Add CNG crypto backend src/crypto/tls/boring_test.go | 2 +- src/crypto/tls/fipsonly/fipsonly.go | 2 +- src/crypto/tls/fipsonly/fipsonly_test.go | 2 +- - src/crypto/tls/handshake_server_tls13.go | 10 + src/crypto/tls/notboring.go | 2 +- src/crypto/x509/boring.go | 2 +- src/crypto/x509/boring_test.go | 2 +- 
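Review bot: The new Clone branch in cloneHash depends on the returned hash being fully independent of `in` — the surrounding doc says the result is a new instance with in's state, and it is presumably used for the resumption transcript while `in` keeps being written — yet the local `interface{ Clone() (hash.Hash, error) }` states no such contract; the comment should say it: `// Clone must return a hash whose state is independent of in; a shallow copy would corrupt the handshake transcript.` The branch also discards the Clone error and falls through to the MarshalBinary path, which for these backends then returns nil and silently disables resumption; that is acceptable, but one clause in the comment saying the fallthrough is deliberate would save the next reader the question. The rest of cloneHash continues outside the hunk.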
@@ -49,7 +48,7 @@ Subject: [PATCH] Add CNG crypto backend .../goexperiment/exp_cngcrypto_off.go | 9 + src/internal/goexperiment/exp_cngcrypto_on.go | 9 + src/internal/goexperiment/flags.go | 1 + - 45 files changed, 495 insertions(+), 40 deletions(-) + 44 files changed, 485 insertions(+), 40 deletions(-) create mode 100644 src/crypto/ecdsa/badlinkname.go create mode 100644 src/crypto/internal/backend/bbig/big_cng.go create mode 100644 src/crypto/internal/backend/cng_windows.go @@ -1042,34 +1041,6 @@ index 9c1d3d279c472f..0ca7a863b73690 100644 package fipsonly -diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go -index 503a732e05765e..db8919aaf9cbdd 100644 ---- a/src/crypto/tls/handshake_server_tls13.go -+++ b/src/crypto/tls/handshake_server_tls13.go -@@ -14,6 +14,7 @@ import ( - "errors" - "hash" - "internal/byteorder" -+ "internal/goexperiment" - "io" - "slices" - "time" -@@ -442,6 +443,15 @@ func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { - } - marshaler, ok := in.(binaryMarshaler) - if !ok { -+ if goexperiment.CNGCrypto { -+ // CNGCrypto hashes do not implement the binaryMarshaler interface, -+ // but do implement the Clone method. -+ if cloner, ok := in.(interface{ Clone() (hash.Hash, error) }); ok { -+ if out, err := cloner.Clone(); err == nil { -+ return out -+ } -+ } -+ } - return nil - } - state, err := marshaler.MarshalBinary() diff --git a/src/crypto/tls/notboring.go b/src/crypto/tls/notboring.go index 36b4ceab0046c6..c87df4ad695f1b 100644 --- a/src/crypto/tls/notboring.go From 33d5fb24b666b5342b53b8c555d1495d97cf3f41 Mon Sep 17 00:00:00 2001 From: qmuntal Date: Mon, 18 Nov 2024 15:52:40 +0100 Subject: [PATCH 17/42] fix missing import --- patches/0002-Add-crypto-backend-foundation.patch | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index e2a9522506a..0b858b49f58 100644 
--- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -48,7 +48,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/tls/cipher_suites.go | 2 +- src/crypto/tls/handshake_client.go | 25 ++- src/crypto/tls/handshake_server.go | 25 ++- - src/crypto/tls/handshake_server_tls13.go | 9 + + src/crypto/tls/handshake_server_tls13.go | 10 + src/crypto/tls/key_schedule.go | 18 +- src/crypto/tls/prf.go | 77 +++++--- src/crypto/tls/prf_test.go | 12 +- @@ -56,7 +56,7 @@ Subject: [PATCH] Add crypto backend foundation src/go/build/deps_test.go | 4 + src/net/smtp/smtp_test.go | 72 ++++--- src/runtime/runtime_boring.go | 5 + - 52 files changed, 773 insertions(+), 93 deletions(-) + 52 files changed, 774 insertions(+), 93 deletions(-) create mode 100644 src/crypto/ed25519/boring.go create mode 100644 src/crypto/ed25519/notboring.go create mode 100644 src/crypto/internal/backend/backend_test.go @@ -1340,10 +1340,18 @@ index ac3d915d1746d7..631db82b9ab3ae 100644 return err } diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go -index 503a732e05765e..ad6585d8653cf5 100644 +index 503a732e05765e..53dfce967b3c2a 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go -@@ -435,6 +435,15 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error { +@@ -10,6 +10,7 @@ import ( + "crypto" + "crypto/hmac" + "crypto/internal/mlkem768" ++ boring "crypto/internal/backend" + "crypto/rsa" + "errors" + "hash" +@@ -435,6 +436,15 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error { // interfaces implemented by standard library hashes to clone the state of in // to a new instance of h. It returns nil if the operation fails. func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { From f5ec19b4955149d6465c9cd93ed22c4847fbcca6 Mon Sep 17 00:00:00 2001 
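Review bot: The added import `boring "crypto/internal/backend"` is placed after `"crypto/internal/mlkem768"`, but gofmt sorts an import block by path, so `crypto/internal/backend` belongs before `crypto/internal/mlkem768` and the patched file is not gofmt-clean as written. Move the added line one position up, directly after `"crypto/hmac"`, and adjust the hunk context accordingly. The rest of the import block and cloneHash are outside the hunk.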
From: microsoft-golang-bot Date: Mon, 2 Dec 2024 21:11:20 +0000 Subject: [PATCH 18/42] Update submodule to latest release-branch.go1.23 (c390a1c2): [release-branch.go1.23] go1.23.3 --- MICROSOFT_REVISION | 1 + 1 file changed, 1 insertion(+) create mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION new file mode 100644 index 00000000000..d8263ee9860 --- /dev/null +++ b/MICROSOFT_REVISION @@ -0,0 +1 @@ +2 \ No newline at end of file From 8358dd5b6d32589d0ba45ca80b8d92630c3b22c0 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 3 Dec 2024 20:22:43 +0000 Subject: [PATCH 19/42] Update submodule to latest release-branch.go1.23 (194de8fb): [release-branch.go1.23] go1.23.4 --- MICROSOFT_REVISION | 1 - VERSION | 2 +- go | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION deleted file mode 100644 index d8263ee9860..00000000000 --- a/MICROSOFT_REVISION +++ /dev/null @@ -1 +0,0 @@ -2 \ No newline at end of file diff --git a/VERSION b/VERSION index 09f8e16ac8d..9a0ff44742d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.3 \ No newline at end of file +go1.23.4 \ No newline at end of file diff --git a/go b/go index c390a1c22e8..194de8fbfaf 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit c390a1c22e8951263e6c01346a4281d604b25062 +Subproject commit 194de8fbfaf4c3ed54e1a3c1b14fc67a830b8d95 From ba8c270269212f71eab50c669a5d81fdfa106fc2 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Thu, 16 Jan 2025 20:09:10 +0000 Subject: [PATCH 20/42] Update submodule to latest release-branch.go1.23 (d04e3cbc): [release-branch.go1.23] go1.23.5 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 9a0ff44742d..27525416120 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.4 \ No newline at end of file +go1.23.5 \ No newline at end of file 
diff --git a/go b/go index 194de8fbfaf..d04e3cbc924 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit 194de8fbfaf4c3ed54e1a3c1b14fc67a830b8d95 +Subproject commit d04e3cbc9240e25de449dcae2ec33d03062f347b From d260b1ffbbe0d8fcec09294d4703707252122b13 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 4 Feb 2025 17:54:36 +0000 Subject: [PATCH 21/42] Update submodule to latest release-branch.go1.23 (a991f9c3): [release-branch.go1.23] go1.23.6 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 27525416120..4b4471fdd3a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.5 \ No newline at end of file +go1.23.6 \ No newline at end of file diff --git a/go b/go index d04e3cbc924..a991f9c34d4 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit d04e3cbc9240e25de449dcae2ec33d03062f347b +Subproject commit a991f9c34d454d3d844f21dc08f2d05df35a8c60 From 9a606bdb358303dfd36db4f4741848375e27e370 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Tue, 4 Feb 2025 20:22:31 -0800 Subject: [PATCH 22/42] Add dotnet-public NuGet feed to Release Studio project This helps the project be resilient to .NET SDK version changes in the build agent. (cherry picked from commit 7dc0b5eaa6ac80d24ac03252381944e4e877cd46) --- eng/release-studio/NuGet.config | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/eng/release-studio/NuGet.config b/eng/release-studio/NuGet.config index ec763b4e4a8..6ea4355ea85 100644 --- a/eng/release-studio/NuGet.config +++ b/eng/release-studio/NuGet.config @@ -7,6 +7,12 @@ + + From 185c050c9238db0931d7af8b80fa6b318525fa1c Mon Sep 17 00:00:00 2001 From: Quim Muntal Date: Tue, 11 Feb 2025 17:37:06 +0000 Subject: [PATCH 23/42] upgrade CNG backend (#1544) --- patches/0005-Add-CNG-crypto-backend.patch | 10 +++++----- patches/0006-Vendor-crypto-backends.patch | 13 +++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) 
diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 13e4eba3084..3c70ccf396f 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1094,26 +1094,26 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 49d6362771d4b2..1cba724d406b3a 100644 +index 49d6362771d4b2..e6732366baebd4 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,6 +4,7 @@ go 1.23 require ( github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 -+ github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd ++ github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c ) diff --git a/src/go.sum b/src/go.sum -index f88678bf643820..c86114e6cf3c8a 100644 +index f88678bf643820..73e7bc41ab2fe2 100644 --- a/src/go.sum +++ b/src/go.sum 
@@ -1,5 +1,7 @@ github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 h1:6Mb55x7RlLVNEPY6liVYeVTMR5FuZqHViyyrr7tih7A= github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= -+github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd h1:2ziav5Bdjyv0VYCCftEExmA+QQZ193w8BvSgoEZ+qAY= -+github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= ++github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec h1:sgB+KKrkX1u1v8C1kFrGThsVw0rPUSqNmWYmzGs0Iy4= ++github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= diff --git a/patches/0006-Vendor-crypto-backends.patch b/patches/0006-Vendor-crypto-backends.patch index c680c2d8493..cc6e9e85240 100644 --- a/patches/0006-Vendor-crypto-backends.patch +++ b/patches/0006-Vendor-crypto-backends.patch 
@@ -55,13 +55,13 @@ To reproduce, run 'go mod vendor' in 'go/src'. .../microsoft/go-crypto-winnative/cng/rand.go | 28 + .../microsoft/go-crypto-winnative/cng/rc4.go | 61 ++ .../microsoft/go-crypto-winnative/cng/rsa.go | 374 ++++++++ - .../go-crypto-winnative/cng/tls1prf.go | 92 ++ + .../go-crypto-winnative/cng/tls1prf.go | 93 ++ .../internal/bcrypt/bcrypt_windows.go | 284 ++++++ .../internal/bcrypt/zsyscall_windows.go | 389 ++++++++ .../internal/subtle/aliasing.go | 32 + .../internal/sysdll/sys_windows.go | 55 ++ src/vendor/modules.txt | 11 + - 56 files changed, 9221 insertions(+) + 56 files changed, 9222 insertions(+) create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md @@ -8780,10 +8780,10 @@ index 00000000000000..7e3f7abe3487cb +} diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go new file mode 100644 -index 00000000000000..30ef2242bc3cf3 +index 00000000000000..e8f5c904fec325 --- /dev/null +++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + @@ -8834,6 +8834,7 @@ index 00000000000000..30ef2242bc3cf3 + if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, secret, 0); err != nil { + return err + } ++ defer bcrypt.DestroyKey(kh) + + buffers := make([]bcrypt.Buffer, 0, 3) + if len(label) > 0 { @@ -9661,7 +9662,7 @@ index 00000000000000..1722410e5af193 + return getSystemDirectory() + "\\" + dll +} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt -index b8a0b84a282a32..8329b1b4649b69 100644 +index b8a0b84a282a32..676e784fcf04e2 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,3 +1,14 @@ 
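Review bot: `defer bcrypt.DestroyKey(kh)` closes the handle leak on the PRF path, but it drops DestroyKey's result without a comment, which reviewers and linters will flag as an unchecked error; if DestroyKey returns a status (confirm in internal/bcrypt), either `defer func() { _ = bcrypt.DestroyKey(kh) }()` or a trailing `// best effort: a failure to release the handle is not actionable here` makes the intent explicit. The handle wraps the `secret` passed to GenerateSymmetricKey, so releasing it as soon as the function returns is the right call and worth one sentence in the function's doc comment. The rest of the function continues outside the hunk.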
@@ -9669,7 +9670,7 @@ index b8a0b84a282a32..8329b1b4649b69 100644 +## explicit; go 1.20 +github.com/golang-fips/openssl/v2 +github.com/golang-fips/openssl/v2/bbig -+# github.com/microsoft/go-crypto-winnative v0.0.0-20240925170411-b29b5cde7fdd ++# github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec +## explicit; go 1.17 +github.com/microsoft/go-crypto-winnative/cng +github.com/microsoft/go-crypto-winnative/cng/bbig From 5344cff53567126826976dc9dc54109934ab2dcd Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 11 Feb 2025 17:55:55 +0000 Subject: [PATCH 24/42] Update submodule to latest release-branch.go1.23 (a991f9c3): [release-branch.go1.23] go1.23.6 --- MICROSOFT_REVISION | 1 + 1 file changed, 1 insertion(+) create mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION new file mode 100644 index 00000000000..d8263ee9860 --- /dev/null +++ b/MICROSOFT_REVISION @@ -0,0 +1 @@ +2 \ No newline at end of file From 13238822e2fa95791452444a0e3da2cdb2501a05 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Tue, 11 Feb 2025 14:33:47 -0800 Subject: [PATCH 25/42] Fix single-feed error with Release Studio nuget.config (#1549) (cherry picked from commit 376cd32df307b0cd3793d8f6f149701d483618a9) --- eng/release-studio/NuGet.config | 7 +------ eng/release-studio/ReleaseStudio.csproj | 12 +++++++++++- eng/signing/NuGet.config | 1 + 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/eng/release-studio/NuGet.config b/eng/release-studio/NuGet.config index 6ea4355ea85..cfde83028f8 100644 --- a/eng/release-studio/NuGet.config +++ b/eng/release-studio/NuGet.config @@ -6,13 +6,8 @@ + - - diff --git a/eng/release-studio/ReleaseStudio.csproj b/eng/release-studio/ReleaseStudio.csproj index 0c90dde172d..c7139c2c0ea 100644 --- a/eng/release-studio/ReleaseStudio.csproj +++ b/eng/release-studio/ReleaseStudio.csproj @@ -3,7 +3,17 @@ - net7.0 + + net$(BundledNETCoreAppTargetFrameworkVersion) 
diff --git a/eng/signing/NuGet.config b/eng/signing/NuGet.config index 080b3fce698..89f4af3da13 100644 --- a/eng/signing/NuGet.config +++ b/eng/signing/NuGet.config @@ -6,6 +6,7 @@ + From b8a310d93dc47f3da70f9988a9e3aa5021299d7f Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Tue, 11 Feb 2025 16:42:42 -0800 Subject: [PATCH 26/42] Fix Release Studio script gathering: stable target dir (#1550) (cherry picked from commit 43e5ee4c8a90c850ac9e75c710de1ef5fc189983) --- eng/pipeline/stages/public-publish-stage.yml | 3 ++- eng/release-studio/ReleaseStudio.csproj | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/eng/pipeline/stages/public-publish-stage.yml b/eng/pipeline/stages/public-publish-stage.yml index 7dc8d5a32bf..614f57e9c8f 100644 --- a/eng/pipeline/stages/public-publish-stage.yml +++ b/eng/pipeline/stages/public-publish-stage.yml @@ -48,7 +48,7 @@ stages: - name: GoBinariesDir value: $(Pipeline.Workspace)/Binaries Signed - name: NetCorePublishingScripts - value: $(Build.SourcesDirectory)/eng/release-studio/bin/Debug/net7.0/MsGoPublishingScripts + value: $(Build.SourcesDirectory)/eng/release-studio/bin/MsGoPublishingScripts # This is read directly by release studio scripts through env. - name: RMExecutionEnvironment @@ -70,6 +70,7 @@ stages: projects: '$(Build.SourcesDirectory)/eng/release-studio/ReleaseStudio.csproj' custom: build arguments: >- + /p:NetCorePublishingScripts=$(NetCorePublishingScripts) /bl:eng/release-studio/Build.binlog /v:n diff --git a/eng/release-studio/ReleaseStudio.csproj b/eng/release-studio/ReleaseStudio.csproj index c7139c2c0ea..2f5570c4a97 100644 --- a/eng/release-studio/ReleaseStudio.csproj +++ b/eng/release-studio/ReleaseStudio.csproj @@ -14,10 +14,27 @@ We aren't actually building an app anyway, we just need the RM package. --> net$(BundledNETCoreAppTargetFrameworkVersion) + + + $(MSBuildThisFileDirectory)bin\MsGoPublishingScripts + + + + + + 
From 6e1471a6e6817f6f7ccd5fe02ecb67f80e1cd2d0 Mon Sep 17 00:00:00 2001 From: microsoft-golang-bot Date: Tue, 4 Mar 2025 19:15:56 +0000 Subject: [PATCH 27/42] Update submodule to latest release-branch.go1.23 (c01c4d41): [release-branch.go1.23] go1.23.7 --- MICROSOFT_REVISION | 1 - VERSION | 2 +- go | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 MICROSOFT_REVISION diff --git a/MICROSOFT_REVISION b/MICROSOFT_REVISION deleted file mode 100644 index d8263ee9860..00000000000 --- a/MICROSOFT_REVISION +++ /dev/null @@ -1 +0,0 @@ -2 \ No newline at end of file diff --git a/VERSION b/VERSION index 4b4471fdd3a..63894fc46d5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.6 \ No newline at end of file +go1.23.7 \ No newline at end of file diff --git a/go b/go index a991f9c34d4..c01c4d41d6b 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit a991f9c34d454d3d844f21dc08f2d05df35a8c60 +Subproject commit c01c4d41d6b49bc6317f8cfb3a33a92f25681b34 From 8f3a49d55f0a5badba90e969c1d68254aed76fb3 Mon Sep 17 00:00:00 2001 From: "bot-for-go[bot]" <199222863+bot-for-go[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 16:54:14 +0000 Subject: [PATCH 28/42] Update submodule to latest release-branch.go1.23 (7a2cfb70): [release-branch.go1.23] go1.23.8 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 63894fc46d5..89431859ba0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.7 \ No newline at end of file +go1.23.8 \ No newline at end of file diff --git a/go b/go index c01c4d41d6b..7a2cfb70b01 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit c01c4d41d6b49bc6317f8cfb3a33a92f25681b34 +Subproject commit 7a2cfb70b01f069c2125adcf7126d7f3376cb8b7 From 02f00eaf3fee2af332cbb2bd969017e51c50bf76 Mon Sep 17 00:00:00 2001 
From: Davis Goodin Date: Tue, 1 Apr 2025 10:09:28 -0700 Subject: [PATCH 29/42] Fix patch conflicts: clean 3-way am --- patches/0004-Add-OpenSSL-crypto-backend.patch | 8 ++++---- patches/0005-Add-CNG-crypto-backend.patch | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch index 4630d16097e..2d8368cf7c8 100644 --- a/patches/0004-Add-OpenSSL-crypto-backend.patch +++ b/patches/0004-Add-OpenSSL-crypto-backend.patch @@ -714,7 +714,7 @@ index c83a7272c9f01f..a0548a7f9179c5 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 789f5aaa1d3e26..49d6362771d4b2 100644 +index 96513ccfc92eab..70a4909e7b7bc1 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,6 +3,7 @@ module std @@ -723,10 +723,10 @@ index 789f5aaa1d3e26..49d6362771d4b2 100644 require ( + github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a - golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c + golang.org/x/net v0.25.1-0.20250304182835-b70a9e3eaa27 ) diff --git a/src/go.sum b/src/go.sum -index a75ea98c7312df..f88678bf643820 100644 +index 7d2f0b01d502fb..b7b1b65177e1b4 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,3 +1,5 @@ @@ -734,7 +734,7 @@ index a75ea98c7312df..f88678bf643820 100644 +github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15/go.mod h1:7tuBqX2Zov8Yq5mJ2yzlKhpnxOnWyEzi38AzeWRuQdg= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= - golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= + golang.org/x/net v0.25.1-0.20250304182835-b70a9e3eaa27 h1:BLroQt2NWk69+mgdbJFxbd1Y6nc8r9UCc/iPQ0FgpNs= 
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go index 6eea04ef9269af..4bf45495afa19b 100644 --- a/src/go/build/deps_test.go diff --git a/patches/0005-Add-CNG-crypto-backend.patch b/patches/0005-Add-CNG-crypto-backend.patch index 3c70ccf396f..3da989f6b04 100644 --- a/patches/0005-Add-CNG-crypto-backend.patch +++ b/patches/0005-Add-CNG-crypto-backend.patch @@ -1094,7 +1094,7 @@ index a0548a7f9179c5..ae6117a1554b7f 100644 package x509 diff --git a/src/go.mod b/src/go.mod -index 49d6362771d4b2..e6732366baebd4 100644 +index 70a4909e7b7bc1..db54b5f1efea80 100644 --- a/src/go.mod +++ b/src/go.mod @@ -4,6 +4,7 @@ go 1.23 @@ -1103,10 +1103,10 @@ index 49d6362771d4b2..e6732366baebd4 100644 github.com/golang-fips/openssl/v2 v2.0.4-0.20241114123251-c5672cc7ce15 + github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a - golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c + golang.org/x/net v0.25.1-0.20250304182835-b70a9e3eaa27 ) diff --git a/src/go.sum b/src/go.sum -index f88678bf643820..73e7bc41ab2fe2 100644 +index b7b1b65177e1b4..bdde901da4294f 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,5 +1,7 @@ @@ -1116,7 +1116,7 @@ index f88678bf643820..73e7bc41ab2fe2 100644 +github.com/microsoft/go-crypto-winnative v0.0.0-20250211161411-fea4f38f45ec/go.mod h1:fveERXKbeK+XLmOyU24caKnIT/S5nniAX9XCRHfnrM4= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a h1:37MIv+iGfwMYzWJECGyrPCtd5nuqcciRUeJfkNCkCf0= golang.org/x/crypto v0.23.1-0.20240603234054-0b431c7de36a/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= - golang.org/x/net v0.25.1-0.20240603202750-6249541f2a6c h1:CR/7/SLUhIJw6g675eeoDiwggElO2MV9rGkNYjqi8GM= + golang.org/x/net v0.25.1-0.20250304182835-b70a9e3eaa27 h1:BLroQt2NWk69+mgdbJFxbd1Y6nc8r9UCc/iPQ0FgpNs= diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go index 4bf45495afa19b..31e2c1aef5c411 100644 --- a/src/go/build/deps_test.go 
From ac91b6d45d8c046473c02c81b42d7d946439a2a6 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Wed, 16 Apr 2025 16:10:35 -0700 Subject: [PATCH 30/42] Port CODEOWNERS to 1.23 for infra compatibility --- .github/CODEOWNERS | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index bf3c89b27bf..b5dd7187f37 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,8 +1,9 @@ -# Require review from golang-compiler team for changes in any file. This keeps us in the loop on -# auto-merge PRs. The review bot is also an owner so that it can still trigger auto-merge for sync -# PRs on its own. We may remove this rule once auto-merges are routine. -* @microsoft/golang-compiler @microsoft-golang-review-bot +# Require review from golang-compiler team for changes in all files. -# Automatically request review from golang-compiler team for changes in the Microsoft-specific -# files. This takes precedence over earlier rules in the file. -/eng/ @microsoft/golang-compiler +* @microsoft/golang-compiler + +# Don't assign a code owner to automatically updated files to allow GitHub apps to use the +# auto-merge flow without human intervention. +/go +/MICROSOFT_REVISION +/VERSION From dd5c04ba97ce6fe93d0d6851032e2a71562c79b4 Mon Sep 17 00:00:00 2001 From: "bot-for-go[bot]" <199222863+bot-for-go[bot]@users.noreply.github.com> Date: Tue, 6 May 2025 18:37:26 +0000 Subject: [PATCH 31/42] Update submodule to latest release-branch.go1.23 (f77084d1): [release-branch.go1.23] go1.23.9 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 89431859ba0..ac50baebbbc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.8 \ No newline at end of file +go1.23.9 \ No newline at end of file diff --git a/go b/go index 7a2cfb70b01..f77084d15d5 160000 --- a/go +++ b/go 
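Review bot: Dropping the owner on `/go`, `/MICROSOFT_REVISION` and `/VERSION` means a submodule-pointer bump — which changes every byte of the toolchain that is subsequently built and signed — can now merge on the bot's approval alone, so the control that used to live in CODEOWNERS has to exist somewhere else. Unless branch protection already enforces it, add a required CI check on those PRs that the new `go` commit is reachable from upstream `release-branch.go1.23` (or matches the tag named in VERSION) before auto-merge is permitted, and record that expectation next to the rule, e.g. `# Bumps to /go are merged without human review; CI verifies the new commit is on the upstream release branch.`. With this change the bot identity (`bot-for-go[bot]` in the following commits) is the only gate on these files, so its token should carry the narrowest scope that still lets it open and merge these PRs.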
@@ -1 +1 @@ -Subproject commit 7a2cfb70b01f069c2125adcf7126d7f3376cb8b7 +Subproject commit f77084d15d53e6aa09d2e7f867e69cc9766da2c5 From d66228ccc40171545654e465c779e64c3e8961bd Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Tue, 6 May 2025 14:56:48 -0700 Subject: [PATCH 32/42] Disable innerloop network isolation (cherry picked from commit 8dffa31b705261b37567ecd4e731293a8e3554a9) --- eng/pipeline/rolling-innerloop-pipeline.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/eng/pipeline/rolling-innerloop-pipeline.yml b/eng/pipeline/rolling-innerloop-pipeline.yml index 85ba25c14b2..0fe4caf6c4d 100644 --- a/eng/pipeline/rolling-innerloop-pipeline.yml +++ b/eng/pipeline/rolling-innerloop-pipeline.yml @@ -30,6 +30,10 @@ resources: extends: template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates parameters: + featureFlags: + # Network Isolation causes standard library DNS net tests on Windows to fail. + # See https://github.com/microsoft/go-lab/issues/206 + disableNetworkIsolation: true sdl: sourceAnalysisPool: name: NetCore1ESPool-Internal From 0b08711e0405c879e5a37e78d3bd336e71042763 Mon Sep 17 00:00:00 2001 From: "bot-for-go[bot]" <199222863+bot-for-go[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 20:14:35 +0000 Subject: [PATCH 33/42] Update submodule to latest release-branch.go1.23 (d375ae50): [release-branch.go1.23] go1.23.10 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index ac50baebbbc..0b29e2ece1a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.9 \ No newline at end of file +go1.23.10 \ No newline at end of file diff --git a/go b/go index f77084d15d5..d375ae50633 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit f77084d15d53e6aa09d2e7f867e69cc9766da2c5 +Subproject commit d375ae50633cdf1cd8536f2a199c382f9053b638 From 02944d0fff1a8d288c9f53a6124c96a99e8bd3c6 Mon Sep 17 00:00:00 2001 
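Review bot: `disableNetworkIsolation: true` is set at the `featureFlags` level of the extended template, which as far as this hunk shows turns isolation off for every job in the innerloop pipeline, not only the Windows DNS tests that motivate it. If the 1ES template allows it, scope the flag to the Windows test job (or a dedicated stage) so the Linux builders keep their egress restrictions; if it cannot be scoped, extend the comment to say so and mark it temporary, e.g. `# TODO(go-lab#206): remove once the Windows DNS tests run isolated; note this applies to all jobs.`. The enclosing `extends:` block continues outside the hunk.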
From: Quim Muntal Date: Tue, 8 Jul 2025 18:25:19 +0200 Subject: [PATCH 34/42] [release-branch.go1.23] Support for excluding OS-disabled cipher suites in TLS handshake (#1727) --- .../stages/go-builder-matrix-stages.yml | 1 + ...nt-ms_tls_config_schannel-experiment.patch | 568 ++++++++++++++++++ 2 files changed, 569 insertions(+) create mode 100644 patches/0016-implement-ms_tls_config_schannel-experiment.patch diff --git a/eng/pipeline/stages/go-builder-matrix-stages.yml b/eng/pipeline/stages/go-builder-matrix-stages.yml index 60e3b51638d..9088c780f54 100644 --- a/eng/pipeline/stages/go-builder-matrix-stages.yml +++ b/eng/pipeline/stages/go-builder-matrix-stages.yml @@ -86,6 +86,7 @@ stages: - { experiment: boringcrypto, os: linux, arch: amd64, config: test, distro: ubuntu } - { os: windows, arch: amd64, config: devscript } - { os: windows, arch: amd64, config: test } + - { experiment: ms_tls_config_schannel, os: windows, arch: amd64, config: test } - { experiment: cngcrypto, os: windows, arch: amd64, config: test } - { experiment: cngcrypto, os: windows, arch: amd64, config: test, fips: true } # Test that buildandpack works on Windows x86-32, but don't release it. diff --git a/patches/0016-implement-ms_tls_config_schannel-experiment.patch b/patches/0016-implement-ms_tls_config_schannel-experiment.patch new file mode 100644 index 00000000000..2d5d132c8c1 --- /dev/null +++ b/patches/0016-implement-ms_tls_config_schannel-experiment.patch 
@@ -0,0 +1,568 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: qmuntal +Date: Tue, 8 Jul 2025 16:04:25 +0200 +Subject: [PATCH] implement ms_tls_config_schannel experiment + +--- + src/cmd/go/script_test.go | 2 +- + src/crypto/tls/bogo_shim_test.go | 7 ++ + src/crypto/tls/handshake_server_test.go | 20 +++ + src/crypto/tls/handshake_test.go | 6 + + src/crypto/tls/schannel_windows.go | 118 ++++++++++++++++++ + src/crypto/tls/schannel_windows_test.go | 94 ++++++++++++++ + src/crypto/tls/tls_test.go | 11 ++ + .../exp_ms_tls_config_schannel_off.go | 8 ++ + .../exp_ms_tls_config_schannel_on.go | 8 ++ + src/internal/goexperiment/flags.go | 4 + + .../syscall/windows/security_windows.go | 28 +++++ + .../syscall/windows/syscall_windows.go | 16 +++ + .../syscall/windows/zsyscall_windows.go | 23 ++++ + 13 files changed, 344 insertions(+), 1 deletion(-) + create mode 100644 src/crypto/tls/schannel_windows.go + create mode 100644 src/crypto/tls/schannel_windows_test.go + create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_off.go + create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_on.go + +diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go +index b1dae3b592e99d..8780eb5f5eb0cc 100644 +--- a/src/cmd/go/script_test.go ++++ b/src/cmd/go/script_test.go +@@ -420,4 +420,4 @@ const disabledOnPlatform = false || + runtime.GOOS == "wasip1" || // #60971 + runtime.GOOS == "plan9" || // https://github.com/golang/go/issues/57540#issuecomment-1470766639 + // On Windows, setting a GOEXPERIMENT prevents the telemetry counters from being written. 
https://github.com/golang/go/issues/68579 +- goexperiment.CNGCrypto ++ goexperiment.CNGCrypto || goexperiment.MS_TLS_Config_Schannel +diff --git a/src/crypto/tls/bogo_shim_test.go b/src/crypto/tls/bogo_shim_test.go +index ce01852aeeda30..b51e59889380aa 100644 +--- a/src/crypto/tls/bogo_shim_test.go ++++ b/src/crypto/tls/bogo_shim_test.go +@@ -9,6 +9,7 @@ import ( + "flag" + "fmt" + "internal/byteorder" ++ "internal/goexperiment" + "internal/testenv" + "io" + "log" +@@ -339,6 +340,12 @@ func TestBogoSuite(t *testing.T) { + testenv.MustHaveGoRun(t) + testenv.MustHaveExec(t) + ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducible. ++ t.Skip("skipping bogo tests in Schannel mode") ++ } ++ + if testing.Short() { + t.Skip("skipping in short mode") + } +diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go +index 1d6419376f3871..1e9910f9d71c2b 100644 +--- a/src/crypto/tls/handshake_server_test.go ++++ b/src/crypto/tls/handshake_server_test.go +@@ -15,6 +15,7 @@ import ( + "encoding/pem" + "errors" + "fmt" ++ "internal/goexperiment" + "io" + "net" + "os" +@@ -434,6 +435,11 @@ func TestVersion(t *testing.T) { + } + + func TestCipherSuitePreference(t *testing.T) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducible. ++ t.Skip("skipping cipher suite preference test in Schannel mode") ++ } + serverConfig := &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, +@@ -929,6 +935,10 @@ func TestHandshakeServerKeySharePreference(t *testing.T) { + // TestHandshakeServerUnsupportedKeyShare tests a client that sends a key share + // that's not in the supported groups list. 
+ func TestHandshakeServerUnsupportedKeyShare(t *testing.T) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // CHACHA20 is not supported in Schannel mode. ++ t.Skip("skipping test in Schannel mode") ++ } + pk, _ := ecdh.X25519().GenerateKey(rand.Reader) + clientHello := &clientHelloMsg{ + vers: VersionTLS12, +@@ -1720,6 +1730,11 @@ func TestMultipleCertificates(t *testing.T) { + } + + func TestAESCipherReordering(t *testing.T) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducible. ++ t.Skip("skipping test in Schannel mode") ++ } + currentAESSupport := hasAESGCMHardwareSupport + defer func() { hasAESGCMHardwareSupport = currentAESSupport }() + +@@ -1863,6 +1878,11 @@ func TestAESCipherReordering(t *testing.T) { + } + + func TestAESCipherReorderingTLS13(t *testing.T) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducible. ++ t.Skip("skipping test in Schannel mode") ++ } + currentAESSupport := hasAESGCMHardwareSupport + defer func() { hasAESGCMHardwareSupport = currentAESSupport }() + +diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go +index 803aa736578f8c..92b31362f3d65d 100644 +--- a/src/crypto/tls/handshake_test.go ++++ b/src/crypto/tls/handshake_test.go +@@ -13,6 +13,7 @@ import ( + "errors" + "flag" + "fmt" ++ "internal/goexperiment" + "io" + "net" + "os" +@@ -50,6 +51,11 @@ var ( + ) + + func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducable. 
++ t.Skip("skipping test in Schannel mode") ++ } + success := t.Run(name, func(t *testing.T) { + if !*update && !wait { + t.Parallel() +diff --git a/src/crypto/tls/schannel_windows.go b/src/crypto/tls/schannel_windows.go +new file mode 100644 +index 00000000000000..93b7e8c912b3c1 +--- /dev/null ++++ b/src/crypto/tls/schannel_windows.go +@@ -0,0 +1,118 @@ ++// Copyright 2025 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build goexperiment.ms_tls_config_schannel ++ ++package tls ++ ++import ( ++ "internal/syscall/windows" ++ "slices" ++ "unsafe" ++) ++ ++// init modifies the default cipher suites, the preference order, and the disabled cipher suites ++// based on the cipher suites that Schannel supports. ++// ++// The user-visible behavior changes are: ++// - The cipher suites used when [Config.CipherSuites] is nil, or when using TLS 1.3, only include those that Schannel supports. ++// - The order in which cipher suites are tried, regardless of whether the user sets [Config.CipherSuites] or not, is the order that Schannel prefers. ++func init() { ++ cipherSuitesSchannel, err := cipherSuitesSchannel() ++ if err != nil { ++ panic(err) // This should never happen, as Schannel is always available on Windows. ++ } ++ ++ // cipherSuitesSchannel contains the cipher suites that Schannel supports in its preference order. ++ // We use this to filter the default cipher suites and to order the preference order. 
++ ++ disableCipherSuites(CipherSuites(), cipherSuitesSchannel, disabledCipherSuites) ++ disableCipherSuites(InsecureCipherSuites(), cipherSuitesSchannel, disabledCipherSuites) ++ ++ cipherSuitesPreferenceOrder = orderCipherSuites(cipherSuitesPreferenceOrder, cipherSuitesSchannel) ++ cipherSuitesPreferenceOrderNoAES = orderCipherSuites(cipherSuitesPreferenceOrderNoAES, cipherSuitesSchannel) ++ ++ defaultCipherSuitesFIPS = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesFIPS) ++ defaultCipherSuitesTLS13 = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13) ++ defaultCipherSuitesTLS13NoAES = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13NoAES) ++ defaultCipherSuitesTLS13FIPS = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13FIPS) ++} ++ ++// cipherSuiteID returns the ID of the cipher suite with the given name. ++func cipherSuiteID(name string) (uint16, bool) { ++ for _, c := range CipherSuites() { ++ if c.Name == name { ++ return c.ID, true ++ } ++ } ++ for _, c := range InsecureCipherSuites() { ++ if c.Name == name { ++ return c.ID, true ++ } ++ } ++ return 0, false ++} ++ ++// cipherSuitesSchannel returns all the cipher suites that Schannel supports in Schannel's preference order. ++func cipherSuitesSchannel() ([]uint16, error) { ++ // Get all the cipher suites that Schannel supports in preference order. 
++ var size uint32 ++ var funcs *windows.CRYPT_CONTEXT_FUNCTIONS ++ err := windows.BCryptEnumContextFunctions(windows.CRYPT_LOCAL, unsafe.SliceData(windows.SSL_CONTEXT[:]), windows.NCRYPT_SCHANNEL_INTERFACE, &size, &funcs) ++ if err != nil { ++ return nil, err ++ } ++ defer windows.BCryptFreeBuffer(unsafe.Pointer(funcs)) ++ ++ suites := make([]uint16, 0, funcs.Count) // order[i] will be the index of suites[i] in the Schannel list ++ for i := range funcs.Count { ++ name := windows.UTF16PtrToString(funcs.At(int(i))) ++ id, ok := cipherSuiteID(name) ++ if !ok { ++ continue // cipher suite not found in the provided list ++ } ++ suites = append(suites, id) ++ } ++ return suites, nil ++} ++ ++// filterCipherSuites filters the provided cipher suites, creating a new slice ++// that only includes those that are in the allowed list. ++func filterCipherSuites(suites, allowed []uint16) []uint16 { ++ out := make([]uint16, 0, len(suites)) ++ for _, suite := range suites { ++ if slices.Contains(allowed, suite) { ++ out = append(out, suite) ++ } ++ } ++ return out ++} ++ ++// orderCipherSuites returns a new slice of cipher suites ordered according to the provided order. ++// If suites contains a cipher suite that is not in the order, it will be placed ++// at the end of the returned slice in the order they appear in suites. ++func orderCipherSuites(suites []uint16, order []uint16) []uint16 { ++ out := make([]uint16, 0, len(suites)) ++ for _, id := range order { ++ if slices.Contains(suites, id) { ++ out = append(out, id) ++ } ++ } ++ for _, id := range suites { ++ if !slices.Contains(out, id) { ++ out = append(out, id) ++ } ++ } ++ return out ++} ++ ++// disableCipherSuites modifies the disabled map adding the cippher suites in supported ++// that are not in allowed. 
++func disableCipherSuites(supported []*CipherSuite, allowed []uint16, disabled map[uint16]bool) { ++ for _, suite := range supported { ++ if !slices.Contains(allowed, suite.ID) { ++ disabled[suite.ID] = true ++ } ++ } ++} +diff --git a/src/crypto/tls/schannel_windows_test.go b/src/crypto/tls/schannel_windows_test.go +new file mode 100644 +index 00000000000000..88f693ddce77a6 +--- /dev/null ++++ b/src/crypto/tls/schannel_windows_test.go +@@ -0,0 +1,94 @@ ++// Copyright 2025 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build goexperiment.ms_tls_config_schannel ++ ++package tls ++ ++import ( ++ "bytes" ++ "os/exec" ++ "sync" ++ "testing" ++) ++ ++var schannelSuites = sync.OnceValue(func() []uint16 { ++ cipherSuites, err := cipherSuitesSchannel() ++ if err != nil { ++ panic(err) // This should never happen, as Schannel is always available on Windows. ++ } ++ return cipherSuites ++}) ++ ++func TestCipherSuitesSchannel(t *testing.T) { ++ cipherSuites, err := cipherSuitesSchannel() ++ if err != nil { ++ t.Fatal(err) ++ } ++ if len(cipherSuites) == 0 { ++ t.Fatal("cipherSuitesSchannel returned no cipher suites") ++ } ++ ++ for _, suite := range cipherSuites { ++ if suite == 0 { ++ t.Fatal("cipherSuitesSchannel returned a 0 cipher suite") ++ } ++ } ++ ++ // Check that all the cipher suites are present in the Get-TlsCipherSuite output. ++ output, err := exec.Command("powershell", "-Command", "Get-TlsCipherSuite").CombinedOutput() ++ if err != nil { ++ t.Fatalf("failed to get TLS cipher suites: %v\n%s", err, output) ++ } ++ for _, id := range cipherSuites { ++ name := CipherSuiteName(id) ++ if !bytes.Contains(output, []byte(name)) { ++ t.Errorf("cipher suite %s not found in PowerShell output", name) ++ } ++ } ++} ++ ++func TestCipherSuitePreferenceSchannelTLS12(t *testing.T) { ++ // Schannel should prefer AES-256 over AES-128. 
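Review bot: As far as this patch shows, the OS policy is applied only to the defaults: `disableCipherSuites` marks Schannel-disabled suites in `disabledCipherSuites` and `filterCipherSuites` prunes the default lists, but an explicit `Config.CipherSuites` is only reordered by `orderCipherSuites` (which by its own doc keeps unknown suites at the end) and is never intersected with the Schannel list, so an application that names an OS-disabled TLS 1.2 suite can still negotiate it. If that is intended, the `init` doc comment should state it in its "user-visible behavior" list; if not, the explicit list needs the same filtering where `Config.cipherSuites()` is resolved, which is outside this hunk. Two smaller points: the comment `// order[i] will be the index of suites[i] in the Schannel list` refers to a variable that does not exist, and `filterCipherSuites(suites, allowed)` is called at every site with the Schannel list as `suites`, so the result comes out in Schannel order rather than the order of the list being filtered — worth a sentence in its doc comment. The `panic(err)` in `init` aborts any process that links crypto/tls when `BCryptEnumContextFunctions` fails, even one that never opens a TLS connection; if that trade-off is deliberate, the comment should say more than "should never happen".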
++ serverConfig := &Config{ ++ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, ++ Certificates: testConfig.Certificates, ++ MaxVersion: VersionTLS12, ++ GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { ++ if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { ++ t.Error("the advertised order should not depend on Config.CipherSuites") ++ } ++ return nil, nil ++ }, ++ } ++ clientConfig := &Config{ ++ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++} ++ ++func TestCipherSuitePreferenceSchannelTLS13(t *testing.T) { ++ // Schannel should prefer AES-256 over AES-128. ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ MaxVersion: VersionTLS13, ++ } ++ clientConfig := &Config{ ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_AES_256_GCM_SHA384 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++} +diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go +index 13c5ddced2cddb..423796e36cd155 100644 +--- a/src/crypto/tls/tls_test.go ++++ b/src/crypto/tls/tls_test.go +@@ -18,6 +18,7 @@ import ( + "encoding/pem" + "errors" + "fmt" ++ "internal/goexperiment" + "internal/testenv" + "io" + "math" +@@ -1404,6 +1405,11 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) { + }, ""}, // static RSA fallback + } + for i, tt := range tests { ++ if goexperiment.MS_TLS_Config_Schannel && ++ len(tt.chi.SupportedVersions) == 1 && 
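Review bot: The comment on `TestCipherSuitePreferenceSchannelTLS12`, `// Schannel should prefer AES-256 over AES-128.`, does not match the test, whose suite lists contain only `TLS_RSA_WITH_RC4_128_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`; what it actually checks is that the GCM suite is advertised and selected ahead of RC4, so say that, e.g. `// Schannel should prefer ECDHE-AES-GCM over RC4 regardless of Config.CipherSuites order.`. The TLS 1.3 test reuses the message `"the preference order should not depend on Config.CipherSuites"` although that config sets no CipherSuites at all; `t.Errorf("expected TLS_AES_256_GCM_SHA384, got %s", CipherSuiteName(state.CipherSuite))` would name the actual failure. `TestCipherSuitesSchannel` shells out to `powershell`, so it should `t.Skip` when `exec.LookPath("powershell")` fails rather than fail on agents that lack it.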
tt.chi.SupportedVersions[0] == VersionTLS10 { ++ // Schannel might not support TLS 1.0. ++ continue ++ } + err := tt.chi.SupportsCertificate(tt.c) + switch { + case tt.wantErr == "" && err != nil: +@@ -1417,6 +1423,11 @@ func TestClientHelloInfo_SupportsCertificate(t *testing.T) { + } + + func TestCipherSuites(t *testing.T) { ++ if goexperiment.MS_TLS_Config_Schannel { ++ // Schannel mode is not supported for these tests, ++ // as available cipher suites are not reproducible. ++ t.Skip("skipping cipher suite test in Schannel mode") ++ } + var lastID uint16 + for _, c := range CipherSuites() { + if lastID > c.ID { +diff --git a/src/internal/goexperiment/exp_ms_tls_config_schannel_off.go b/src/internal/goexperiment/exp_ms_tls_config_schannel_off.go +new file mode 100644 +index 00000000000000..db7790d1a1f1b9 +--- /dev/null ++++ b/src/internal/goexperiment/exp_ms_tls_config_schannel_off.go +@@ -0,0 +1,8 @@ ++// Code generated by mkconsts.go. DO NOT EDIT. ++ ++//go:build !goexperiment.ms_tls_config_schannel ++ ++package goexperiment ++ ++const MS_TLS_Config_Schannel = false ++const MS_TLS_Config_SchannelInt = 0 +diff --git a/src/internal/goexperiment/exp_ms_tls_config_schannel_on.go b/src/internal/goexperiment/exp_ms_tls_config_schannel_on.go +new file mode 100644 +index 00000000000000..a2dbc6187da2a0 +--- /dev/null ++++ b/src/internal/goexperiment/exp_ms_tls_config_schannel_on.go +@@ -0,0 +1,8 @@ ++// Code generated by mkconsts.go. DO NOT EDIT. ++ ++//go:build goexperiment.ms_tls_config_schannel ++ ++package goexperiment ++ ++const MS_TLS_Config_Schannel = true ++const MS_TLS_Config_SchannelInt = 1 +diff --git a/src/internal/goexperiment/flags.go b/src/internal/goexperiment/flags.go +index 8e4cf87664e28e..206d7b110cbc4e 100644 +--- a/src/internal/goexperiment/flags.go ++++ b/src/internal/goexperiment/flags.go +@@ -140,4 +140,8 @@ type Flags struct { + // Requires that gotypesalias=1 is set with GODEBUG. + // This flag will be removed with Go 1.24. 
+ AliasTypeParams bool ++ ++ // MS_TLS_Config_Schannel enables the filtering and ordering of cipher suites ++ // according to the Windows Schannel settings. ++ MS_TLS_Config_Schannel bool + } +diff --git a/src/internal/syscall/windows/security_windows.go b/src/internal/syscall/windows/security_windows.go +index c8c5cbed747360..40d6f07b812852 100644 +--- a/src/internal/syscall/windows/security_windows.go ++++ b/src/internal/syscall/windows/security_windows.go +@@ -132,3 +132,31 @@ type UserInfo4 struct { + // + //go:linkname GetSystemDirectory + func GetSystemDirectory() string // Implemented in runtime package. ++ ++const ( ++ CRYPT_LOCAL = 0x00000001 ++ ++ CRYPT_UM = 0x00000001 ++ ++ NCRYPT_SCHANNEL_INTERFACE = 0x00010002 ++) ++ ++var SSL_CONTEXT = [...]uint16{'S', 'S', 'L', 0} ++ ++type CRYPT_CONTEXT_FUNCTIONS struct { ++ Count uint32 ++ Functions **uint16 // pointer to an array of pointers to null-terminated UTF-16 function names ++} ++ ++func (ccf *CRYPT_CONTEXT_FUNCTIONS) At(i int) *uint16 { ++ if i < 0 || i >= int(ccf.Count) { ++ panic("index out of range") ++ } ++ if ccf.Functions == nil || *ccf.Functions == nil { ++ return nil ++ } ++ return *(**uint16)(unsafe.Add(unsafe.Pointer(ccf.Functions), uintptr(i)*unsafe.Sizeof(uintptr(0)))) ++} ++ ++//sys BCryptFreeBuffer(buffer unsafe.Pointer) = bcrypt.BCryptFreeBuffer ++//sys BCryptEnumContextFunctions(table uint32, context *uint16, iface uint32, bufferSize *uint32, buffer **CRYPT_CONTEXT_FUNCTIONS) (err error) = bcrypt.BCryptEnumContextFunctions +\ No newline at end of file +diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go +index cc26a50bb0acf2..d5a8b86718e4f4 100644 +--- a/src/internal/syscall/windows/syscall_windows.go ++++ b/src/internal/syscall/windows/syscall_windows.go +@@ -499,3 +499,19 @@ func QueryPerformanceCounter() int64 // Implemented in runtime package. 
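Review bot: `CRYPT_CONTEXT_FUNCTIONS.At` guards against a missing name array by testing only the first entry, `*ccf.Functions == nil`, and then dereferences entry `i` unchecked, so a nil pointer at index i>0 is handed back to the caller as a nil `*uint16` without any indication; read the entry first and test it, i.e. `p := *(**uint16)(unsafe.Add(unsafe.Pointer(ccf.Functions), uintptr(i)*unsafe.Sizeof(uintptr(0))))` followed by `if p == nil { return nil }`, and document that callers must handle a nil return. `CRYPT_UM` is defined but referenced nowhere in the patch, and the file ends with `\ No newline at end of file`, which `gofmt` will rewrite — both worth cleaning up before this leaves experiment status.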
+ //
+ //go:linkname QueryPerformanceFrequency
+ func QueryPerformanceFrequency() int64 // Implemented in runtime package.
++
++//sys rtlNtStatusToDosErrorNoTeb(ntstatus NTStatus) (ret syscall.Errno) = ntdll.RtlNtStatusToDosErrorNoTeb
++
++// NTStatus corresponds with NTSTATUS, error values returned by ntdll.dll and
++// other native functions.
++type NTStatus uint32
++
++func (s NTStatus) Errno() syscall.Errno {
++ return rtlNtStatusToDosErrorNoTeb(s)
++}
++
++func langID(pri, sub uint16) uint32 { return uint32(sub)<<10 | uint32(pri) }
++
++func (s NTStatus) Error() string {
++ return s.Errno().Error()
++}
+\ No newline at end of file
+diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go
+index 414ad2647d1abd..35ee24f125928d 100644
+--- a/src/internal/syscall/windows/zsyscall_windows.go
++++ b/src/internal/syscall/windows/zsyscall_windows.go
+@@ -38,6 +38,7 @@ func errnoErr(e syscall.Errno) error {
+
+ var (
+ modadvapi32 = syscall.NewLazyDLL(sysdll.Add("advapi32.dll"))
++ modbcrypt = syscall.NewLazyDLL(sysdll.Add("bcrypt.dll"))
+ modbcryptprimitives = syscall.NewLazyDLL(sysdll.Add("bcryptprimitives.dll"))
+ modiphlpapi = syscall.NewLazyDLL(sysdll.Add("iphlpapi.dll"))
+ modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+@@ -57,6 +58,8 @@ var (
+ procQueryServiceStatus = modadvapi32.NewProc("QueryServiceStatus")
+ procRevertToSelf = modadvapi32.NewProc("RevertToSelf")
+ procSetTokenInformation = modadvapi32.NewProc("SetTokenInformation")
++ procBCryptEnumContextFunctions = modbcrypt.NewProc("BCryptEnumContextFunctions")
++ procBCryptFreeBuffer = modbcrypt.NewProc("BCryptFreeBuffer")
+ procProcessPrng = modbcryptprimitives.NewProc("ProcessPrng")
+ procGetAdaptersAddresses = modiphlpapi.NewProc("GetAdaptersAddresses")
+ procCreateEventW = modkernel32.NewProc("CreateEventW")
+@@ -84,6 +87,7 @@ var (
+ procNetShareDel = modnetapi32.NewProc("NetShareDel")
+ procNetUserGetLocalGroups = modnetapi32.NewProc("NetUserGetLocalGroups")
+ procRtlGetVersion = modntdll.NewProc("RtlGetVersion")
++ procRtlNtStatusToDosErrorNoTeb = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
+ procGetProcessMemoryInfo = modpsapi.NewProc("GetProcessMemoryInfo")
+ procCreateEnvironmentBlock = moduserenv.NewProc("CreateEnvironmentBlock")
+ procDestroyEnvironmentBlock = moduserenv.NewProc("DestroyEnvironmentBlock")
+@@ -183,6 +187,19 @@ func SetTokenInformation(tokenHandle syscall.Token, tokenInformationClass uint32
+ return
+ }
+
++func BCryptEnumContextFunctions(table uint32, context *uint16, iface uint32, bufferSize *uint32, buffer **CRYPT_CONTEXT_FUNCTIONS) (ntstatus error) {
++ r0, _, _ := syscall.Syscall6(procBCryptEnumContextFunctions.Addr(), 5, uintptr(table), uintptr(unsafe.Pointer(context)), uintptr(iface), uintptr(unsafe.Pointer(bufferSize)), uintptr(unsafe.Pointer(buffer)), 0)
++ if r0 != 0 {
++ ntstatus = NTStatus(r0)
++ }
++ return
++}
++
++func BCryptFreeBuffer(buffer unsafe.Pointer) {
++ syscall.Syscall(procBCryptFreeBuffer.Addr(), 1, uintptr(buffer), 0, 0)
++ return
++}
++
+ func ProcessPrng(buf []byte) (err error) {
+ var _p0 *byte
+ if len(buf) > 0 {
+@@ -398,6 +415,12 @@ func rtlGetVersion(info *_OSVERSIONINFOW) {
+ return
+ }
+
++func rtlNtStatusToDosErrorNoTeb(ntstatus NTStatus) (ret syscall.Errno) {
++ r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(ntstatus), 0, 0)
++ ret = syscall.Errno(r0)
++ return
++}
++
+ func GetProcessMemoryInfo(handle syscall.Handle, memCounters *PROCESS_MEMORY_COUNTERS, cb uint32) (err error) {
+ r1, _, e1 := syscall.Syscall(procGetProcessMemoryInfo.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(memCounters)), uintptr(cb))
+ if r1 == 0 { From 72213aee95223d2a2f5cfe0bd99bfcfd533c36eb Mon Sep 17 00:00:00 2001 
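Review bot: `langID` is added in this hunk but nothing in it references the function, and `NTStatus.Error()` reports only the text of the Win32 errno that `RtlNtStatusToDosErrorNoTeb` maps the status to, so an NTSTATUS without a DOS mapping surfaces as a generic errno and the original status value is lost from the message — the same message the crypto/tls init in a later hunk panics with. Drop `langID` (it reads like a leftover of the golang.org/x/sys port, where FormatMessage uses it) or use it, and consider keeping the raw status in the string, e.g. `return s.Errno().Error() + " (NTSTATUS 0x" + strconv.FormatUint(uint64(s), 16) + ")"`; the file's import block is outside the hunk, so confirm strconv is available there. Errno also deserves a doc comment, e.g. `// Errno converts the NTSTATUS to the closest Win32 error code.`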
From: "bot-for-go[bot]" <199222863+bot-for-go[bot]@users.noreply.github.com> Date: Tue, 8 Jul 2025 17:02:14 +0000 Subject: [PATCH 35/42] Update submodule to latest release-branch.go1.23 (0a75dd7c): [release-branch.go1.23] go1.23.11 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 0b29e2ece1a..5c028aa9ad6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.10 \ No newline at end of file +go1.23.11 \ No newline at end of file diff --git a/go b/go index d375ae50633..0a75dd7c2dc 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit d375ae50633cdf1cd8536f2a199c382f9053b638 +Subproject commit 0a75dd7c2dcf7057ef200290d8f5c4c1514dba80 From 113813023e6a97741e34febe806c503771f64bf8 Mon Sep 17 00:00:00 2001 From: Quim Muntal Date: Fri, 18 Jul 2025 20:42:51 +0200 Subject: [PATCH 36/42] Set supported TLS version based on Schannel cipher suites (#1755) * set supported TLS version based on Schannel cipher suites * log cipher suites * fix tests --- ...nt-ms_tls_config_schannel-experiment.patch | 328 ++++++++++++------ 1 file changed, 224 insertions(+), 104 deletions(-) diff --git a/patches/0016-implement-ms_tls_config_schannel-experiment.patch b/patches/0016-implement-ms_tls_config_schannel-experiment.patch index 2d5d132c8c1..0d2c7e3ce2d 100644 --- a/patches/0016-implement-ms_tls_config_schannel-experiment.patch +++ b/patches/0016-implement-ms_tls_config_schannel-experiment.patch 
@@ -5,19 +5,19 @@ Subject: [PATCH] implement ms_tls_config_schannel experiment --- src/cmd/go/script_test.go | 2 +- - src/crypto/tls/bogo_shim_test.go | 7 ++ - src/crypto/tls/handshake_server_test.go | 20 +++ + src/crypto/tls/bogo_shim_test.go | 7 + + src/crypto/tls/handshake_server_test.go | 20 ++ src/crypto/tls/handshake_test.go | 6 + - src/crypto/tls/schannel_windows.go | 118 ++++++++++++++++++ - src/crypto/tls/schannel_windows_test.go | 94 ++++++++++++++ - src/crypto/tls/tls_test.go | 11 ++ - .../exp_ms_tls_config_schannel_off.go | 8 ++ - .../exp_ms_tls_config_schannel_on.go | 8 ++ + src/crypto/tls/schannel_windows.go | 142 +++++++++++++ + src/crypto/tls/schannel_windows_test.go | 190 ++++++++++++++++++ + src/crypto/tls/tls_test.go | 11 + + .../exp_ms_tls_config_schannel_off.go | 8 + + .../exp_ms_tls_config_schannel_on.go | 8 + src/internal/goexperiment/flags.go | 4 + - .../syscall/windows/security_windows.go | 28 +++++ - .../syscall/windows/syscall_windows.go | 16 +++ - .../syscall/windows/zsyscall_windows.go | 23 ++++ - 13 files changed, 344 insertions(+), 1 deletion(-) + .../syscall/windows/security_windows.go | 28 +++ + .../syscall/windows/syscall_windows.go | 16 ++ + .../syscall/windows/zsyscall_windows.go | 23 +++ + 13 files changed, 464 insertions(+), 1 deletion(-) create mode 100644 src/crypto/tls/schannel_windows.go create mode 100644 src/crypto/tls/schannel_windows_test.go create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_off.go @@ -143,10 +143,10 @@ index 803aa736578f8c..92b31362f3d65d 100644 t.Parallel() diff --git a/src/crypto/tls/schannel_windows.go b/src/crypto/tls/schannel_windows.go new file mode 100644 -index 00000000000000..93b7e8c912b3c1 +index 00000000000000..a77186c66d3095 --- /dev/null 
+++ b/src/crypto/tls/schannel_windows.go -@@ -0,0 +1,118 @@ +@@ -0,0 +1,142 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
@@ -161,78 +161,90 @@ index 00000000000000..93b7e8c912b3c1 + "unsafe" +) + -+// init modifies the default cipher suites, the preference order, and the disabled cipher suites -+// based on the cipher suites that Schannel supports. -+// -+// The user-visible behavior changes are: -+// - The cipher suites used when [Config.CipherSuites] is nil, or when using TLS 1.3, only include those that Schannel supports. -+// - The order in which cipher suites are tried, regardless of whether the user sets [Config.CipherSuites] or not, is the order that Schannel prefers. +func init() { -+ cipherSuitesSchannel, err := cipherSuitesSchannel() ++ cipherSuitesSchannel, versionsSchannel, err := getCipherSuitesSchannel() + if err != nil { + panic(err) // This should never happen, as Schannel is always available on Windows. + } ++ setSchannelCipherSuites(cipherSuitesSchannel, versionsSchannel) ++} ++ ++// loadSchannelCipherSuites modifies the default cipher suites, the preference order, and the disabled cipher suites ++// based on provided suites. ++// ++// The user-visible behavior changes are: ++// - The cipher suites used when [Config.CipherSuites] is nil, or when using TLS 1.3, only include those that Schannel supports. ++// - The order in which cipher suites are tried, regardless of whether the user sets [Config.CipherSuites] or not, is the order that Schannel prefers. ++// - The TLS supported versions are filtered to only include those that Schannel supports. ++func setSchannelCipherSuites(suites, versions []uint16) { ++ disableCipherSuites(CipherSuites(), suites, disabledCipherSuites) ++ disableCipherSuites(InsecureCipherSuites(), suites, disabledCipherSuites) + -+ // cipherSuitesSchannel contains the cipher suites that Schannel supports in its preference order. -+ // We use this to filter the default cipher suites and to order the preference order. 
++ cipherSuitesPreferenceOrder = orderCipherSuites(cipherSuitesPreferenceOrder, suites) + -+ disableCipherSuites(CipherSuites(), cipherSuitesSchannel, disabledCipherSuites) -+ disableCipherSuites(InsecureCipherSuites(), cipherSuitesSchannel, disabledCipherSuites) ++ defaultCipherSuitesFIPS = filterCipherSuites(suites, defaultCipherSuitesFIPS) ++ defaultCipherSuitesTLS13 = filterCipherSuites(suites, defaultCipherSuitesTLS13) ++ defaultCipherSuitesTLS13FIPS = filterCipherSuites(suites, defaultCipherSuitesTLS13FIPS) + -+ cipherSuitesPreferenceOrder = orderCipherSuites(cipherSuitesPreferenceOrder, cipherSuitesSchannel) -+ cipherSuitesPreferenceOrderNoAES = orderCipherSuites(cipherSuitesPreferenceOrderNoAES, cipherSuitesSchannel) ++ // Schannel doesn't have a separate preference order without AES. ++ cipherSuitesPreferenceOrderNoAES = cipherSuitesPreferenceOrder ++ defaultCipherSuitesTLS13NoAES = defaultCipherSuitesTLS13 + -+ defaultCipherSuitesFIPS = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesFIPS) -+ defaultCipherSuitesTLS13 = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13) -+ defaultCipherSuitesTLS13NoAES = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13NoAES) -+ defaultCipherSuitesTLS13FIPS = filterCipherSuites(cipherSuitesSchannel, defaultCipherSuitesTLS13FIPS) ++ // Now filter the supported versions to only include those that Schannel supports. ++ supportedVersions = filterSupportedVersions(supportedVersions, versions) ++ defaultSupportedVersionsFIPS = filterSupportedVersions(defaultSupportedVersionsFIPS, versions) +} + -+// cipherSuiteID returns the ID of the cipher suite with the given name. -+func cipherSuiteID(name string) (uint16, bool) { ++// cipherSuitedByName returns the [CipherSuite] with the given name. 
++func cipherSuitedByName(name string) (*CipherSuite, bool) { + for _, c := range CipherSuites() { + if c.Name == name { -+ return c.ID, true ++ return c, true + } + } + for _, c := range InsecureCipherSuites() { + if c.Name == name { -+ return c.ID, true ++ return c, true + } + } -+ return 0, false ++ return nil, false +} + -+// cipherSuitesSchannel returns all the cipher suites that Schannel supports in Schannel's preference order. -+func cipherSuitesSchannel() ([]uint16, error) { ++// getCipherSuitesSchannel returns all the cipher suites that Schannel supports in Schannel's preference order. ++func getCipherSuitesSchannel() (suites, versions []uint16, err error) { + // Get all the cipher suites that Schannel supports in preference order. + var size uint32 + var funcs *windows.CRYPT_CONTEXT_FUNCTIONS -+ err := windows.BCryptEnumContextFunctions(windows.CRYPT_LOCAL, unsafe.SliceData(windows.SSL_CONTEXT[:]), windows.NCRYPT_SCHANNEL_INTERFACE, &size, &funcs) ++ err = windows.BCryptEnumContextFunctions(windows.CRYPT_LOCAL, unsafe.SliceData(windows.SSL_CONTEXT[:]), windows.NCRYPT_SCHANNEL_INTERFACE, &size, &funcs) + if err != nil { -+ return nil, err ++ return nil, nil, err + } + defer windows.BCryptFreeBuffer(unsafe.Pointer(funcs)) + -+ suites := make([]uint16, 0, funcs.Count) // order[i] will be the index of suites[i] in the Schannel list ++ suites = make([]uint16, 0, funcs.Count) + for i := range funcs.Count { + name := windows.UTF16PtrToString(funcs.At(int(i))) -+ id, ok := cipherSuiteID(name) ++ suite, ok := cipherSuitedByName(name) + if !ok { + continue // cipher suite not found in the provided list + } -+ suites = append(suites, id) ++ for _, v := range suite.SupportedVersions { ++ if !slices.Contains(versions, v) { ++ versions = append(versions, v) ++ } ++ } ++ suites = append(suites, suite.ID) + } -+ return suites, nil ++ return suites, versions, nil +} + +// filterCipherSuites filters the provided cipher suites, creating a new slice +// that only includes 
those that are in the allowed list. +func filterCipherSuites(suites, allowed []uint16) []uint16 { -+ out := make([]uint16, 0, len(suites)) -+ for _, suite := range suites { -+ if slices.Contains(allowed, suite) { -+ out = append(out, suite) ++ out := make([]uint16, 0, len(allowed)) ++ for _, id := range suites { ++ if slices.Contains(allowed, id) { ++ out = append(out, id) + } + } + return out @@ -241,7 +253,7 @@ index 00000000000000..93b7e8c912b3c1 +// orderCipherSuites returns a new slice of cipher suites ordered according to the provided order. +// If suites contains a cipher suite that is not in the order, it will be placed +// at the end of the returned slice in the order they appear in suites. -+func orderCipherSuites(suites []uint16, order []uint16) []uint16 { ++func orderCipherSuites(suites, order []uint16) []uint16 { + out := make([]uint16, 0, len(suites)) + for _, id := range order { + if slices.Contains(suites, id) { @@ -265,12 +277,24 @@ index 00000000000000..93b7e8c912b3c1 + } + } +} ++ ++// filterSupportedVersions filters the provided supported versions, creating a new slice ++// that only includes those that are in the allowed list. ++func filterSupportedVersions(supported, allowed []uint16) []uint16 { ++ out := make([]uint16, 0, len(allowed)) ++ for _, v := range supported { ++ if slices.Contains(allowed, v) { ++ out = append(out, v) ++ } ++ } ++ return out ++} diff --git a/src/crypto/tls/schannel_windows_test.go b/src/crypto/tls/schannel_windows_test.go new file mode 100644 -index 00000000000000..88f693ddce77a6 +index 00000000000000..426eb120adf559 --- /dev/null +++ b/src/crypto/tls/schannel_windows_test.go -@@ -0,0 +1,94 @@ +@@ -0,0 +1,190 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
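Review bot: `setSchannelCipherSuites` has no guard for an empty `suites`/`versions` pair: if no name enumerated from Schannel matched a Go suite, every default list and `supportedVersions` itself are filtered to nothing, and presumably every handshake then fails with an error that gives no hint that Schannel policy is the cause. Failing closed may be the intent, but it should be explicit — either say so in the doc comment or have init return early with `if len(suites) == 0 { return }`. The doc comment on this function still begins `// loadSchannelCipherSuites modifies …` although the function is `setSchannelCipherSuites`, so godoc will not associate it; and `cipherSuitedByName` looks like a typo for `cipherSuiteByName`.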
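Review bot: `filterSupportedVersions` pre-sizes `out` with `len(allowed)`, but the loop iterates `supported` and can append at most `len(supported)` elements, so the capacity hint is the wrong bound; the same edit was made to `filterCipherSuites` in the first hunk on this line, where `len(suites)` was changed to `len(allowed)`. Not a correctness issue, since append grows the slice, but `make([]uint16, 0, len(supported))` is the tight bound and states the intent.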
@@ -281,32 +305,70 @@ index 00000000000000..88f693ddce77a6 + +import ( + "bytes" ++ "internal/testenv" ++ "os" + "os/exec" -+ "sync" + "testing" +) + -+var schannelSuites = sync.OnceValue(func() []uint16 { -+ cipherSuites, err := cipherSuitesSchannel() ++func init() { ++ // Many tests require TLS 1.1 and TLS 1.0 to be available, so we override the ++ // supported versions previously set in Schannel init() to include them. ++ // This increases the coverage for Schannel cipher suites. ++ supportedVersions = []uint16{ ++ VersionTLS13, ++ VersionTLS12, ++ VersionTLS11, ++ VersionTLS10, ++ } ++} ++ ++// testSchannel runs the provided function in a child process with Schannel cipher suites set. ++func testSchannel(t *testing.T, ids, versions []uint16, fn func()) { ++ // We need to run this in a child process because the cipher suites are set in init(), ++ // and it is difficult to restore the original state in the same process without ++ // incurring a performance penalty for non-testing code. ++ if os.Getenv("GO_WANT_HELPER_PROCESS") == "1" { ++ setSchannelCipherSuites(ids, versions) ++ fn() ++ os.Exit(0) ++ } ++ exe, err := os.Executable() + if err != nil { -+ panic(err) // This should never happen, as Schannel is always available on Windows. 
++ t.Fatalf("failed to get executable path: %v", err) + } -+ return cipherSuites -+}) ++ cmd := testenv.Command(t, exe, "-test.v", "-test.run=^"+t.Name()+"$") ++ cmd.Env = append(cmd.Environ(), "GO_WANT_HELPER_PROCESS=1") ++ output, err := cmd.CombinedOutput() ++ if err != nil { ++ t.Fatalf("failed to spawn child process: %v\n%s", err, output) ++ } ++} ++ ++func cipherSuiteFromID(id uint16) (*CipherSuite, bool) { ++ for _, c := range CipherSuites() { ++ if c.ID == id { ++ return c, true ++ } ++ } ++ for _, c := range InsecureCipherSuites() { ++ if c.ID == id { ++ return c, true ++ } ++ } ++ return nil, false ++} + +func TestCipherSuitesSchannel(t *testing.T) { -+ cipherSuites, err := cipherSuitesSchannel() ++ cipherSuites, versions, err := getCipherSuitesSchannel() + if err != nil { + t.Fatal(err) + } + if len(cipherSuites) == 0 { + t.Fatal("cipherSuitesSchannel returned no cipher suites") + } -+ -+ for _, suite := range cipherSuites { -+ if suite == 0 { -+ t.Fatal("cipherSuitesSchannel returned a 0 cipher suite") -+ } ++ if len(versions) == 0 { ++ t.Fatal("cipherSuitesSchannel returned no versions") + } + + // Check that all the cipher suites are present in the Get-TlsCipherSuite output. 
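Review bot: In the helper-process branch `testSchannel` calls `os.Exit(0)` immediately after `fn()`, so a `t.Error` recorded inside `fn` — which is how the four preference tests in the next hunk report a wrong suite or version — never changes the child's exit status, and the parent only inspects the error from `cmd.CombinedOutput()`. Only a `t.Fatalf` (which stops the goroutine before the exit) would be noticed. Replace the exit with `if t.Failed() { os.Exit(1) }` ahead of `os.Exit(0)`, or simply `return` and let the child's testing harness set the exit code; this one guard covers the TLS12, NoTLS12, Schannel and NoTLS13 tests that follow.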
@@ -315,55 +377,113 @@ index 00000000000000..88f693ddce77a6 + t.Fatalf("failed to get TLS cipher suites: %v\n%s", err, output) + } + for _, id := range cipherSuites { -+ name := CipherSuiteName(id) -+ if !bytes.Contains(output, []byte(name)) { -+ t.Errorf("cipher suite %s not found in PowerShell output", name) ++ suite, ok := cipherSuiteFromID(id) ++ if !ok { ++ t.Fatalf("cipher suite with ID %d not found", id) ++ } ++ if !bytes.Contains(output, []byte(suite.Name)) { ++ t.Errorf("cipher suite %s not found in PowerShell output", suite.Name) + } + } +} + +func TestCipherSuitePreferenceSchannelTLS12(t *testing.T) { -+ // Schannel should prefer AES-256 over AES-128. -+ serverConfig := &Config{ -+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, -+ Certificates: testConfig.Certificates, -+ MaxVersion: VersionTLS12, -+ GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { -+ if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { -+ t.Error("the advertised order should not depend on Config.CipherSuites") -+ } -+ return nil, nil -+ }, -+ } -+ clientConfig := &Config{ -+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, -+ InsecureSkipVerify: true, -+ } -+ state, _, err := testHandshake(t, clientConfig, serverConfig) -+ if err != nil { -+ t.Fatalf("handshake failed: %s", err) -+ } -+ if state.CipherSuite != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { -+ t.Error("the preference order should not depend on Config.CipherSuites") -+ } ++ testSchannel(t, []uint16{ ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_RSA_WITH_RC4_128_SHA, ++ }, []uint16{VersionTLS12}, func() { ++ serverConfig := &Config{ ++ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, ++ Certificates: testConfig.Certificates, ++ MaxVersion: VersionTLS12, ++ GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { ++ if chi.CipherSuites[0] != 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { ++ t.Error("the advertised order should not depend on Config.CipherSuites") ++ } ++ return nil, nil ++ }, ++ } ++ clientConfig := &Config{ ++ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++ }) ++ +} + -+func TestCipherSuitePreferenceSchannelTLS13(t *testing.T) { -+ // Schannel should prefer AES-256 over AES-128. -+ serverConfig := &Config{ -+ Certificates: testConfig.Certificates, -+ MaxVersion: VersionTLS13, -+ } -+ clientConfig := &Config{ -+ InsecureSkipVerify: true, -+ } -+ state, _, err := testHandshake(t, clientConfig, serverConfig) -+ if err != nil { -+ t.Fatalf("handshake failed: %s", err) -+ } -+ if state.CipherSuite != TLS_AES_256_GCM_SHA384 { -+ t.Error("the preference order should not depend on Config.CipherSuites") -+ } ++func TestCipherSuitePreferenceSchannelNoTLS12(t *testing.T) { ++ testSchannel(t, []uint16{ ++ TLS_AES_256_GCM_SHA384, ++ }, []uint16{VersionTLS13}, func() { ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ } ++ clientConfig := &Config{ ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_AES_256_GCM_SHA384 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++ if state.Version != VersionTLS13 { ++ t.Error("the version should be TLS 1.3 when available") ++ } ++ }) ++} ++ ++func TestCipherSuitePreferenceSchannel(t *testing.T) { ++ testSchannel(t, []uint16{ ++ TLS_AES_256_GCM_SHA384, ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ }, []uint16{VersionTLS13, 
VersionTLS12}, func() { ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ MaxVersion: VersionTLS13, ++ } ++ clientConfig := &Config{ ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_AES_256_GCM_SHA384 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++ }) ++} ++ ++func TestCipherSuitePreferenceSchannelNoTLS13(t *testing.T) { ++ testSchannel(t, []uint16{ ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ }, []uint16{VersionTLS12}, func() { ++ serverConfig := &Config{ ++ Certificates: testConfig.Certificates, ++ } ++ clientConfig := &Config{ ++ InsecureSkipVerify: true, ++ } ++ state, _, err := testHandshake(t, clientConfig, serverConfig) ++ if err != nil { ++ t.Fatalf("handshake failed: %s", err) ++ } ++ if state.CipherSuite != TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 { ++ t.Error("the preference order should not depend on Config.CipherSuites") ++ } ++ if state.Version != VersionTLS12 { ++ t.Error("the version should be TLS 1.2 when TLS 1.3 is not available") ++ } ++ }) +} diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go index 13c5ddced2cddb..423796e36cd155 100644 From 6251e3b8913be789e7ca60193065a96b8a027bd0 Mon Sep 17 00:00:00 2001 From: Quim Muntal Date: Mon, 21 Jul 2025 10:53:46 +0200 Subject: [PATCH 37/42] remove curve prefix from Schannel cipher suite names (#1757) --- ...nt-ms_tls_config_schannel-experiment.patch | 58 ++++++++++++++++--- 1 file changed, 50 insertions(+), 8 deletions(-) diff --git a/patches/0016-implement-ms_tls_config_schannel-experiment.patch b/patches/0016-implement-ms_tls_config_schannel-experiment.patch index 0d2c7e3ce2d..9bc44186e3e 100644 --- a/patches/0016-implement-ms_tls_config_schannel-experiment.patch +++ b/patches/0016-implement-ms_tls_config_schannel-experiment.patch 
@@ -8,16 +8,16 @@ Subject: [PATCH] implement ms_tls_config_schannel experiment src/crypto/tls/bogo_shim_test.go | 7 + src/crypto/tls/handshake_server_test.go | 20 ++ src/crypto/tls/handshake_test.go | 6 + - src/crypto/tls/schannel_windows.go | 142 +++++++++++++ - src/crypto/tls/schannel_windows_test.go | 190 ++++++++++++++++++ + src/crypto/tls/schannel_windows.go | 163 ++++++++++++++ + src/crypto/tls/schannel_windows_test.go | 211 ++++++++++++++++++ src/crypto/tls/tls_test.go | 11 + .../exp_ms_tls_config_schannel_off.go | 8 + .../exp_ms_tls_config_schannel_on.go | 8 + src/internal/goexperiment/flags.go | 4 + .../syscall/windows/security_windows.go | 28 +++ .../syscall/windows/syscall_windows.go | 16 ++ - .../syscall/windows/zsyscall_windows.go | 23 +++ - 13 files changed, 464 insertions(+), 1 deletion(-) + .../syscall/windows/zsyscall_windows.go | 23 ++ + 13 files changed, 506 insertions(+), 1 deletion(-) create mode 100644 src/crypto/tls/schannel_windows.go create mode 100644 src/crypto/tls/schannel_windows_test.go create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_off.go @@ -143,10 +143,10 @@ index 803aa736578f8c..92b31362f3d65d 100644 t.Parallel() diff --git a/src/crypto/tls/schannel_windows.go b/src/crypto/tls/schannel_windows.go new file mode 100644 -index 00000000000000..a77186c66d3095 +index 00000000000000..e28d33ab093473 --- /dev/null +++ b/src/crypto/tls/schannel_windows.go -@@ -0,0 +1,142 @@ +@@ -0,0 +1,163 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. 
@@ -224,10 +224,14 @@ index 00000000000000..a77186c66d3095 + suites = make([]uint16, 0, funcs.Count) + for i := range funcs.Count { + name := windows.UTF16PtrToString(funcs.At(int(i))) ++ name = removeCipherSuiteCurvePrefix(name) + suite, ok := cipherSuitedByName(name) + if !ok { + continue // cipher suite not found in the provided list + } ++ if slices.Contains(suites, suite.ID) { ++ continue // already added ++ } + for _, v := range suite.SupportedVersions { + if !slices.Contains(versions, v) { + versions = append(versions, v) @@ -238,6 +242,23 @@ index 00000000000000..a77186c66d3095 + return suites, versions, nil +} + ++// removeCipherSuiteCurvePrefix removes the curve prefix from the cipher suite name. ++// Windows Schannel supports cipher suites with curve prefixes, in the form of ++// _P256, _P384, or _P521, which are not present in the Go cipher suite names. ++// This is not common, as since Windows 2016 the curve prefix is discarded by Schannel, ++// but it can still be present in case Windows was upgraded from an earlier version. ++func removeCipherSuiteCurvePrefix(name string) string { ++ const prefixLength = 5 // Length of "_P256", "_P384", or "_P521" ++ if len(name) < prefixLength { ++ return name // No curve prefix to remove ++ } ++ switch name[len(name)-prefixLength:] { ++ case "_P256", "_P384", "_P521": ++ name = name[:len(name)-prefixLength] // Remove the curve prefix ++ } ++ return name ++} ++ +// filterCipherSuites filters the provided cipher suites, creating a new slice +// that only includes those that are in the allowed list. +func filterCipherSuites(suites, allowed []uint16) []uint16 { @@ -291,10 +312,10 @@ index 00000000000000..a77186c66d3095 +} diff --git a/src/crypto/tls/schannel_windows_test.go b/src/crypto/tls/schannel_windows_test.go new file mode 100644 -index 00000000000000..426eb120adf559 +index 00000000000000..9124f7b325db5b --- /dev/null 
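Review bot: `removeCipherSuiteCurvePrefix` discards the `_P256`/`_P384`/`_P521` suffix and nothing else in the hunk consumes it, so if the Schannel list carries a suite only with one curve suffix the suite is enabled for every curve Go supports and any curve restriction the suffix expressed is silently dropped. Whether that matters depends on how Schannel applies the suffix, which the patch does not establish, but the doc comment should state the decision, e.g. `// The curve carried by the suffix is ignored: the suite is enabled for all of Go's supported curves.` The name also describes a prefix while the code strips a suffix.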
+++ b/src/crypto/tls/schannel_windows_test.go -@@ -0,0 +1,190 @@ +@@ -0,0 +1,211 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -485,6 +506,27 @@ index 00000000000000..426eb120adf559 + } + }) +} ++func TestRemoveCipherSuiteCurvePrefix(t *testing.T) { ++ tests := []struct { ++ in, want string ++ }{ ++ {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, ++ {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, ++ {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P521", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, ++ {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}, ++ {"_P256", ""}, ++ {"_P384", ""}, ++ {"_P521", ""}, ++ {"TLS_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"}, ++ {"", ""}, ++ } ++ for _, tt := range tests { ++ got := removeCipherSuiteCurvePrefix(tt.in) ++ if got != tt.want { ++ t.Errorf("removeCipherSuiteCurvePrefix(%q) = %q, want %q", tt.in, got, tt.want) ++ } ++ } ++} diff --git a/src/crypto/tls/tls_test.go b/src/crypto/tls/tls_test.go index 13c5ddced2cddb..423796e36cd155 100644 --- a/src/crypto/tls/tls_test.go From 777c0108c083d09173add4f9902179e99614e169 Mon Sep 17 00:00:00 2001 From: Quim Muntal Date: Mon, 21 Jul 2025 16:06:15 +0200 Subject: [PATCH 38/42] use correct TSA area path (#1760) --- .config/tsa/tsaoptions.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.config/tsa/tsaoptions.json b/.config/tsa/tsaoptions.json index c67efa26b34..8a0660b7893 100644 --- a/.config/tsa/tsaoptions.json +++ b/.config/tsa/tsaoptions.json @@ -8,7 +8,7 @@ ], "instanceUrl": "https://devdiv.visualstudio.com/", "projectName": "DEVDIV", - "areaPath": "DevDiv\\NET Compilers\\GoLang", + "areaPath": "DevDiv\\GoLang", "iterationPath": "DevDiv", "allTools": true } From d5eb039b4f2f6eacdd535a5394f1576310b913db Mon Sep 17 00:00:00 2001 
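Review bot: `TestRemoveCipherSuiteCurvePrefix` is appended directly after the closing brace of the previous test with no blank line between the two top-level declarations, which is unusual in this package even though gofmt accepts it; insert a blank line before `func TestRemoveCipherSuiteCurvePrefix`. The table cases `{"_P256", ""}` and siblings pin that a bare suffix collapses to the empty string, which is harmless since no suite has that name, but a one-line comment saying so would stop a reader from reading them as a bug.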
From: Quim Muntal Date: Wed, 23 Jul 2025 15:42:14 +0200 Subject: [PATCH 39/42] make ms_tls_config_schannel no-op on Windows Server 2012 (#1768) --- ...nt-ms_tls_config_schannel-experiment.patch | 69 ++++++++++++++----- 1 file changed, 53 insertions(+), 16 deletions(-) diff --git a/patches/0016-implement-ms_tls_config_schannel-experiment.patch b/patches/0016-implement-ms_tls_config_schannel-experiment.patch index 9bc44186e3e..35b493fd305 100644 --- a/patches/0016-implement-ms_tls_config_schannel-experiment.patch +++ b/patches/0016-implement-ms_tls_config_schannel-experiment.patch @@ -8,7 +8,7 @@ Subject: [PATCH] implement ms_tls_config_schannel experiment src/crypto/tls/bogo_shim_test.go | 7 + src/crypto/tls/handshake_server_test.go | 20 ++ src/crypto/tls/handshake_test.go | 6 + - src/crypto/tls/schannel_windows.go | 163 ++++++++++++++ + src/crypto/tls/schannel_windows.go | 166 ++++++++++++++ src/crypto/tls/schannel_windows_test.go | 211 ++++++++++++++++++ src/crypto/tls/tls_test.go | 11 + .../exp_ms_tls_config_schannel_off.go | 8 + @@ -16,8 +16,10 @@ Subject: [PATCH] implement ms_tls_config_schannel experiment src/internal/goexperiment/flags.go | 4 + .../syscall/windows/security_windows.go | 28 +++ .../syscall/windows/syscall_windows.go | 16 ++ + .../syscall/windows/version_windows.go | 9 + + .../syscall/windows/version_windows_test.go | 7 + .../syscall/windows/zsyscall_windows.go | 23 ++ - 13 files changed, 506 insertions(+), 1 deletion(-) + 15 files changed, 525 insertions(+), 1 deletion(-) create mode 100644 src/crypto/tls/schannel_windows.go create mode 100644 src/crypto/tls/schannel_windows_test.go create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_off.go @@ -143,10 +145,10 @@ index 803aa736578f8c..92b31362f3d65d 100644 t.Parallel() diff --git a/src/crypto/tls/schannel_windows.go b/src/crypto/tls/schannel_windows.go new file mode 100644 -index 00000000000000..e28d33ab093473 +index 00000000000000..ed20b44ef7ee39 --- /dev/null 
+++ b/src/crypto/tls/schannel_windows.go -@@ -0,0 +1,163 @@ +@@ -0,0 +1,166 @@ +// Copyright 2025 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. @@ -162,6 +164,9 @@ index 00000000000000..e28d33ab093473 +) + +func init() { ++ if !windows.SupportsTLSConfigSchannel() { ++ return ++ } + cipherSuitesSchannel, versionsSchannel, err := getCipherSuitesSchannel() + if err != nil { + panic(err) // This should never happen, as Schannel is always available on Windows. @@ -224,7 +229,7 @@ index 00000000000000..e28d33ab093473 + suites = make([]uint16, 0, funcs.Count) + for i := range funcs.Count { + name := windows.UTF16PtrToString(funcs.At(int(i))) -+ name = removeCipherSuiteCurvePrefix(name) ++ name = removeCipherSuiteCurveSuffix(name) + suite, ok := cipherSuitedByName(name) + if !ok { + continue // cipher suite not found in the provided list 
@@ -242,19 +247,19 @@ index 00000000000000..e28d33ab093473 + return suites, versions, nil +} + -+// removeCipherSuiteCurvePrefix removes the curve prefix from the cipher suite name. -+// Windows Schannel supports cipher suites with curve prefixes, in the form of ++// removeCipherSuiteCurveSuffix removes the curve suffix from the cipher suite name. ++// Windows Schannel supports cipher suites with curve suffixes, in the form of +// _P256, _P384, or _P521, which are not present in the Go cipher suite names. -+// This is not common, as since Windows 2016 the curve prefix is discarded by Schannel, ++// This is not common, as since Windows 2016 the curve suffix is discarded by Schannel, +// but it can still be present in case Windows was upgraded from an earlier version. -+func removeCipherSuiteCurvePrefix(name string) string { -+ const prefixLength = 5 // Length of "_P256", "_P384", or "_P521" -+ if len(name) < prefixLength { -+ return name // No curve prefix to remove ++func removeCipherSuiteCurveSuffix(name string) string { ++ const suffixLength = 5 // Length of "_P256", "_P384", or "_P521" ++ if len(name) < suffixLength { ++ return name // No curve suffix to remove + } -+ switch name[len(name)-prefixLength:] { ++ switch name[len(name)-suffixLength:] { + case "_P256", "_P384", "_P521": -+ name = name[:len(name)-prefixLength] // Remove the curve prefix ++ name = name[:len(name)-suffixLength] // Remove the curve suffix + } + return name +} @@ -312,7 +317,7 @@ index 00000000000000..e28d33ab093473 +} diff --git a/src/crypto/tls/schannel_windows_test.go b/src/crypto/tls/schannel_windows_test.go new file mode 100644 -index 00000000000000..9124f7b325db5b +index 00000000000000..b6ce7ffcc3356d --- /dev/null +++ b/src/crypto/tls/schannel_windows_test.go @@ -0,0 +1,211 @@ 
@@ -521,7 +526,7 @@ index 00000000000000..9124f7b325db5b + {"", ""}, + } + for _, tt := range tests { -+ got := removeCipherSuiteCurvePrefix(tt.in) ++ got := removeCipherSuiteCurveSuffix(tt.in) + if got != tt.want { + t.Errorf("removeCipherSuiteCurvePrefix(%q) = %q, want %q", tt.in, got, tt.want) + } @@ -666,6 +671,38 @@ index cc26a50bb0acf2..d5a8b86718e4f4 100644 + return s.Errno().Error() +} \ No newline at end of file +diff --git a/src/internal/syscall/windows/version_windows.go b/src/internal/syscall/windows/version_windows.go +index ff21fc59e5bf53..162a4cc55f8afc 100644 +--- a/src/internal/syscall/windows/version_windows.go ++++ b/src/internal/syscall/windows/version_windows.go +@@ -111,3 +111,12 @@ var SupportUnixSocket = sync.OnceValue(func() bool { + } + return false + }) ++ ++// SupportsTLSConfigSchannel returns true if the current Windows version ++// supports getting the TLS configuration from Schannel. ++func SupportsTLSConfigSchannel() bool { ++ major, _, _ := version() ++ // Prior to Windows 10, Schannel and Go only shared a few cipher suites, ++ // which increased the risk of not being able to negotiate a secure connection. ++ return major >= 10 ++} +diff --git a/src/internal/syscall/windows/version_windows_test.go b/src/internal/syscall/windows/version_windows_test.go +index 09be2eb0807932..b74b311279e81f 100644 +--- a/src/internal/syscall/windows/version_windows_test.go ++++ b/src/internal/syscall/windows/version_windows_test.go +@@ -29,3 +29,10 @@ func TestSupportUnixSocket(t *testing.T) { + t.Errorf("SupportUnixSocket = %v; want %v", got, want) + } + } ++ ++func TestSupportsTLSConfigSchannel(t *testing.T) { ++ if !windows.SupportsTLSConfigSchannel() { ++ // Sanity check. CI only runs on Windows 10 and later, so this should never happen. ++ t.Fatal("SupportsTLSConfigSchannel should return true on Windows 10 and later") ++ } ++} 
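Review bot: The failure message in the renamed test still reports the old function name: the context line `t.Errorf("removeCipherSuiteCurvePrefix(%q) = %q, want %q", tt.in, got, tt.want)` was not updated along with the call on the line above it, so a failing case would point at a function that no longer exists. Change it to `t.Errorf("removeCipherSuiteCurveSuffix(%q) = %q, want %q", tt.in, got, tt.want)`. The enclosing test function and its table start outside the hunk.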
diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go index 414ad2647d1abd..35ee24f125928d 100644 --- a/src/internal/syscall/windows/zsyscall_windows.go From 4dffbdcef39f0f8bfae833025e4ab3bd72787543 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Wed, 23 Jul 2025 13:31:25 -0700 Subject: [PATCH 40/42] Update MS_TLS_Config_Schannel comments (#1770) --- ...nt-ms_tls_config_schannel-experiment.patch | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/patches/0016-implement-ms_tls_config_schannel-experiment.patch b/patches/0016-implement-ms_tls_config_schannel-experiment.patch index 35b493fd305..6b69a906dee 100644 --- a/patches/0016-implement-ms_tls_config_schannel-experiment.patch +++ b/patches/0016-implement-ms_tls_config_schannel-experiment.patch @@ -13,13 +13,13 @@ Subject: [PATCH] implement ms_tls_config_schannel experiment src/crypto/tls/tls_test.go | 11 + .../exp_ms_tls_config_schannel_off.go | 8 + .../exp_ms_tls_config_schannel_on.go | 8 + - src/internal/goexperiment/flags.go | 4 + + src/internal/goexperiment/flags.go | 8 + .../syscall/windows/security_windows.go | 28 +++ .../syscall/windows/syscall_windows.go | 16 ++ - .../syscall/windows/version_windows.go | 9 + + .../syscall/windows/version_windows.go | 11 + .../syscall/windows/version_windows_test.go | 7 + .../syscall/windows/zsyscall_windows.go | 23 ++ - 15 files changed, 525 insertions(+), 1 deletion(-) + 15 files changed, 531 insertions(+), 1 deletion(-) create mode 100644 src/crypto/tls/schannel_windows.go create mode 100644 src/crypto/tls/schannel_windows_test.go create mode 100644 src/internal/goexperiment/exp_ms_tls_config_schannel_off.go @@ -597,16 +597,20 @@ index 00000000000000..a2dbc6187da2a0 +const MS_TLS_Config_Schannel = true +const MS_TLS_Config_SchannelInt = 1 
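Review bot: `TestSupportsTLSConfigSchannel` turns a property of the CI host into a hard failure: on a Windows 8.1 or Server 2012 R2 machine the function correctly returns false and the package's test run fails anyway. Prefer `t.Skip("SupportsTLSConfigSchannel is false on this Windows version")` there, or compare against an expected value derived from the reported version, as the adjacent `TestSupportUnixSocket` appears to do with its `got`/`want` pair. `SupportsTLSConfigSchannel` itself only looks at the major number from `version()`, whose definition is outside this hunk; a short comment stating that the `>= 10` test is meant to cover Windows 10, 11 and Server 2016 and later alike would help the next reader. Also worth noting somewhere visible to operators: when this returns false the experiment becomes a silent no-op, so no log or error tells them that no Schannel policy is being applied.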
diff --git a/src/internal/goexperiment/flags.go b/src/internal/goexperiment/flags.go -index 8e4cf87664e28e..206d7b110cbc4e 100644 +index 8e4cf87664e28e..a497d228390d5a 100644 --- a/src/internal/goexperiment/flags.go +++ b/src/internal/goexperiment/flags.go -@@ -140,4 +140,8 @@ type Flags struct { +@@ -140,4 +140,12 @@ type Flags struct { // Requires that gotypesalias=1 is set with GODEBUG. // This flag will be removed with Go 1.24. AliasTypeParams bool + -+ // MS_TLS_Config_Schannel enables the filtering and ordering of cipher suites -+ // according to the Windows Schannel settings. ++ // MS_TLS_Config_Schannel enables the filtering and ordering of cipher ++ // suites according to the Windows Schannel settings. ++ // ++ // Does nothing on Windows Server 2012 (Windows 8) and earlier. In these ++ // versions, very few cipher suites are implemented by both Windows and Go, ++ // so it's unlikely the resulting TLS configuration will be usable. + MS_TLS_Config_Schannel bool } diff --git a/src/internal/syscall/windows/security_windows.go b/src/internal/syscall/windows/security_windows.go @@ -672,10 +676,10 @@ index cc26a50bb0acf2..d5a8b86718e4f4 100644 +} \ No newline at end of file diff --git a/src/internal/syscall/windows/version_windows.go b/src/internal/syscall/windows/version_windows.go -index ff21fc59e5bf53..162a4cc55f8afc 100644 +index ff21fc59e5bf53..e82b54cef476fd 100644 --- a/src/internal/syscall/windows/version_windows.go +++ b/src/internal/syscall/windows/version_windows.go -@@ -111,3 +111,12 @@ var SupportUnixSocket = sync.OnceValue(func() bool { +@@ -111,3 +111,14 @@ var SupportUnixSocket = sync.OnceValue(func() bool { } return false }) 
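Review bot: The new doc comment on `MS_TLS_Config_Schannel` says the flag "Does nothing on Windows Server 2012 (Windows 8) and earlier", but the gate it describes is `major >= 10` in `SupportsTLSConfigSchannel`, which also excludes Windows 8.1 and Windows Server 2012 R2 (version 6.3). Suggest `// Does nothing on Windows 8.1 / Windows Server 2012 R2 and earlier. In these` so the documented cut-off matches the check. The rest of the `Flags` struct is outside the hunk.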
@@ -684,8 +688,10 @@ index ff21fc59e5bf53..162a4cc55f8afc 100644 +// supports getting the TLS configuration from Schannel. +func SupportsTLSConfigSchannel() bool { + major, _, _ := version() -+ // Prior to Windows 10, Schannel and Go only shared a few cipher suites, -+ // which increased the risk of not being able to negotiate a secure connection. ++ // Prior to Windows 10, Schannel is implemented, however Windows 10 and Go ++ // only share a few cipher suites. This makes it infeasible to negotiate a ++ // secure connection, so we do not use Schannel even when the GOEXPERIMENT ++ // is active. + return major >= 10 +} diff --git a/src/internal/syscall/windows/version_windows_test.go b/src/internal/syscall/windows/version_windows_test.go From 76dc6061d249cc89ee5334a58bfc8559f04e5e9c Mon Sep 17 00:00:00 2001 From: "bot-for-go[bot]" <199222863+bot-for-go[bot]@users.noreply.github.com> Date: Wed, 6 Aug 2025 18:21:52 +0000 Subject: [PATCH 41/42] Update submodule to latest release-branch.go1.23 (dd8b7ad9): [release-branch.go1.23] go1.23.12 --- VERSION | 2 +- go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 5c028aa9ad6..9ada0c7bd2a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.23.11 \ No newline at end of file +go1.23.12 \ No newline at end of file diff --git a/go b/go index 0a75dd7c2dc..dd8b7ad9268 160000 --- a/go +++ b/go @@ -1 +1 @@ -Subproject commit 0a75dd7c2dcf7057ef200290d8f5c4c1514dba80 +Subproject commit dd8b7ad9268c2fbde675132a41b4e4da02eef94d From 339d9918a366375f332b5b820e9d5b1b738d0be0 Mon Sep 17 00:00:00 2001 From: Davis Goodin Date: Wed, 6 Aug 2025 12:40:30 -0700 Subject: [PATCH 42/42] Add fix for TSAN "setarch: failed to set personality to x86_64" --- ...-testsanitizers-fix-TSAN-tests-using.patch | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 patches/0017-cmd-cgo-internal-testsanitizers-fix-TSAN-tests-using.patch 
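Review bot: The rewritten comment in `SupportsTLSConfigSchannel` reads "Prior to Windows 10, Schannel is implemented, however Windows 10 and Go only share a few cipher suites", which as written says the versions the function accepts are the ones that share too few suites — the second "Windows 10" looks like a slip for the pre-10 versions. Suggest `// Schannel exists before Windows 10, but those versions and Go share only a few cipher suites, so a secure connection is unlikely to be negotiable; the Schannel configuration is not used there even when the GOEXPERIMENT is active.` split across the same four comment lines. The security rationale (refusing to run with a cipher-suite intersection too small to reach a secure handshake) is the important part and deserves to be stated unambiguously.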
diff --git a/patches/0017-cmd-cgo-internal-testsanitizers-fix-TSAN-tests-using.patch b/patches/0017-cmd-cgo-internal-testsanitizers-fix-TSAN-tests-using.patch
new file mode 100644
index 00000000000..43176a63698
--- /dev/null
+++ b/patches/0017-cmd-cgo-internal-testsanitizers-fix-TSAN-tests-using.patch
@@ -0,0 +1,78 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: qmuntal +Date: Wed, 20 Nov 2024 16:02:03 +0100 +Subject: [PATCH] cmd/cgo/internal/testsanitizers: fix TSAN tests using setarch + +Some systems don't have permissions to run setarch, for example +when running in a docker container without the --privileged flag. + +This change makes the tests skip the setarch command if it fails. + +Fixes #70463 + +Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-asan-clang15 +Change-Id: I02fbd423ba809f5229b8639c9abe6fd275f32558 +Reviewed-on: https://go-review.googlesource.com/c/go/+/630096 +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Dmitri Shuralyov +Reviewed-by: Ian Lance Taylor +(cherry picked from commit 5254e989425648ff62faa270948bb927b6568ff3) +--- + src/cmd/cgo/internal/testsanitizers/cshared_test.go | 13 ++++++++++--- + src/cmd/cgo/internal/testsanitizers/tsan_test.go | 13 ++++++++++--- + 2 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/src/cmd/cgo/internal/testsanitizers/cshared_test.go b/src/cmd/cgo/internal/testsanitizers/cshared_test.go +index 15409d0fca04fd..0cf094ead79e66 100644 +--- a/src/cmd/cgo/internal/testsanitizers/cshared_test.go ++++ b/src/cmd/cgo/internal/testsanitizers/cshared_test.go +@@ -93,12 +93,19 @@ func TestShared(t *testing.T) { + + cmdArgs := []string{dstBin} + if tc.sanitizer == "thread" && GOOS == "linux" { +- // Disable ASLR for TSAN. See #59418. +- arch, err := exec.Command("uname", "-m").Output() ++ // Disable ASLR for TSAN. See https://go.dev/issue/59418. ++ out, err := exec.Command("uname", "-m").Output() + if err != nil { + t.Fatalf("failed to run `uname -m`: %v", err) + } +- cmdArgs = []string{"setarch", strings.TrimSpace(string(arch)), "-R", dstBin} ++ arch := strings.TrimSpace(string(out)) ++ if _, err := exec.Command("setarch", arch, "-R", "true").Output(); err != nil { ++ // Some systems don't have permission to run `setarch`. ++ // See https://go.dev/issue/70463. 
++ t.Logf("failed to run `setarch %s -R true`: %v", arch, err) ++ } else { ++ cmdArgs = []string{"setarch", arch, "-R", dstBin} ++ } + } + cmd = hangProneCmd(cmdArgs[0], cmdArgs[1:]...) + replaceEnv(cmd, "LD_LIBRARY_PATH", ".") +diff --git a/src/cmd/cgo/internal/testsanitizers/tsan_test.go b/src/cmd/cgo/internal/testsanitizers/tsan_test.go +index 74acde57f23d53..c8ff76b4c32246 100644 +--- a/src/cmd/cgo/internal/testsanitizers/tsan_test.go ++++ b/src/cmd/cgo/internal/testsanitizers/tsan_test.go +@@ -71,12 +71,19 @@ func TestTSAN(t *testing.T) { + + cmdArgs := []string{outPath} + if goos == "linux" { +- // Disable ASLR. See #59418. +- arch, err := exec.Command("uname", "-m").Output() ++ // Disable ASLR for TSAN. See https://go.dev/issue/59418. ++ out, err := exec.Command("uname", "-m").Output() + if err != nil { + t.Fatalf("failed to run `uname -m`: %v", err) + } +- cmdArgs = []string{"setarch", strings.TrimSpace(string(arch)), "-R", outPath} ++ arch := strings.TrimSpace(string(out)) ++ if _, err := exec.Command("setarch", arch, "-R", "true").Output(); err != nil { ++ // Some systems don't have permission to run `setarch`. ++ // See https://go.dev/issue/70463. ++ t.Logf("failed to run `setarch %s -R true`: %v", arch, err) ++ } else { ++ cmdArgs = []string{"setarch", arch, "-R", outPath} ++ } + } + cmd := hangProneCmd(cmdArgs[0], cmdArgs[1:]...) + if tc.needsRuntime {
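Review bot: The same nine-line uname/setarch probe is now duplicated verbatim in `TestShared` (cshared_test.go) and `TestTSAN` (tsan_test.go); a small helper in the testsanitizers package would keep the two from drifting. When the probe fails, the tests also go on running the TSAN binary with ASLR enabled, and the only trace of that is the `t.Logf` line, so a later TSAN mapping failure in the same test is hard to attribute — the log message should say that the run proceeds with ASLR enabled. Since this patch is a cherry-pick of an upstream commit, the refactor is better proposed upstream than carried as local divergence. Both enclosing test functions start and end outside the inner hunks.

```go
// call site in TestShared / TestTSAN, replacing the uname/setarch block:
if tc.sanitizer == "thread" && GOOS == "linux" {
	cmdArgs = setarchNoASLR(t, cmdArgs...)
}
// … unchanged: hangProneCmd call …

// setarchNoASLR prefixes args with "setarch <arch> -R" so the binary runs with
// ASLR disabled (https://go.dev/issue/59418). Where setarch cannot be run
// (https://go.dev/issue/70463) it logs and returns args unchanged.
func setarchNoASLR(t *testing.T, args ...string) []string {
	t.Helper()
	out, err := exec.Command("uname", "-m").Output()
	if err != nil {
		t.Fatalf("failed to run `uname -m`: %v", err)
	}
	arch := strings.TrimSpace(string(out))
	if _, err := exec.Command("setarch", arch, "-R", "true").Output(); err != nil {
		t.Logf("failed to run `setarch %s -R true`: %v; running with ASLR enabled", arch, err)
		return args
	}
	return append([]string{"setarch", arch, "-R"}, args...)
}
```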