
Commit cb876ff

committed
move OpenSSL bindings to a dedicated package
1 parent 62b8e66 commit cb876ff

28 files changed

+1035
-976
lines changed

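--- a/cipher.go
+++ b/cipher.go
@@ -11,6 +11,8 @@ import (
 "strconv"
 "sync"
 "unsafe"
+
+"github.com/golang-fips/openssl/v2/internal/ossl"
 )
 
 type cipherKind int8
@@ -74,70 +76,70 @@ type cacheCipherKey struct {
 }
 
 // loadCipher returns a cipher object for the given k.
-func loadCipher(k cipherKind, mode cipherMode) (cipher _EVP_CIPHER_PTR) {
+func loadCipher(k cipherKind, mode cipherMode) (cipher ossl.EVP_CIPHER_PTR) {
 if v, ok := cacheCipher.Load(cacheCipherKey{k, mode}); ok {
-return v.(_EVP_CIPHER_PTR)
+return v.(ossl.EVP_CIPHER_PTR)
 }
 defer func() {
 if cipher != nil && vMajor == 3 {
 // On OpenSSL 3, directly operating on a EVP_CIPHER object
 // not created by EVP_CIPHER has negative performance
 // implications, as cipher operations will have
 // to fetch it on every call. Better to just fetch it once here.
-cipher, _ = go_openssl_EVP_CIPHER_fetch(nil, go_openssl_EVP_CIPHER_get0_name(cipher), nil)
+cipher, _ = ossl.EVP_CIPHER_fetch(nil, ossl.EVP_CIPHER_get0_name(cipher), nil)
 }
 cacheCipher.Store(cacheCipherKey{k, mode}, cipher)
 }()
 switch k {
 case cipherAES128:
 switch mode {
 case cipherModeECB:
-cipher = go_openssl_EVP_aes_128_ecb()
+cipher = ossl.EVP_aes_128_ecb()
 case cipherModeCBC:
-cipher = go_openssl_EVP_aes_128_cbc()
+cipher = ossl.EVP_aes_128_cbc()
 case cipherModeCTR:
-cipher = go_openssl_EVP_aes_128_ctr()
+cipher = ossl.EVP_aes_128_ctr()
 case cipherModeGCM:
-cipher = go_openssl_EVP_aes_128_gcm()
+cipher = ossl.EVP_aes_128_gcm()
 }
 case cipherAES192:
 switch mode {
 case cipherModeECB:
-cipher = go_openssl_EVP_aes_192_ecb()
+cipher = ossl.EVP_aes_192_ecb()
 case cipherModeCBC:
-cipher = go_openssl_EVP_aes_192_cbc()
+cipher = ossl.EVP_aes_192_cbc()
 case cipherModeCTR:
-cipher = go_openssl_EVP_aes_192_ctr()
+cipher = ossl.EVP_aes_192_ctr()
 case cipherModeGCM:
-cipher = go_openssl_EVP_aes_192_gcm()
+cipher = ossl.EVP_aes_192_gcm()
 }
 case cipherAES256:
 switch mode {
 case cipherModeECB:
-cipher = go_openssl_EVP_aes_256_ecb()
+cipher = ossl.EVP_aes_256_ecb()
 case cipherModeCBC:
-cipher = go_openssl_EVP_aes_256_cbc()
+cipher = ossl.EVP_aes_256_cbc()
 case cipherModeCTR:
-cipher = go_openssl_EVP_aes_256_ctr()
+cipher = ossl.EVP_aes_256_ctr()
 case cipherModeGCM:
-cipher = go_openssl_EVP_aes_256_gcm()
+cipher = ossl.EVP_aes_256_gcm()
 }
 case cipherDES:
 switch mode {
 case cipherModeECB:
-cipher = go_openssl_EVP_des_ecb()
+cipher = ossl.EVP_des_ecb()
 case cipherModeCBC:
-cipher = go_openssl_EVP_des_cbc()
+cipher = ossl.EVP_des_cbc()
 }
 case cipherDES3:
 switch mode {
 case cipherModeECB:
-cipher = go_openssl_EVP_des_ede3_ecb()
+cipher = ossl.EVP_des_ede3_ecb()
 case cipherModeCBC:
-cipher = go_openssl_EVP_des_ede3_cbc()
+cipher = ossl.EVP_des_ede3_cbc()
 }
 case cipherRC4:
-cipher = go_openssl_EVP_rc4()
+cipher = ossl.EVP_rc4()
 }
 return cipher
 }
@@ -155,7 +157,7 @@ func newEVPCipher(key []byte, kind cipherKind) (*evpCipher, error) {
 }
 c := &evpCipher{key: make([]byte, len(key)), kind: kind}
 copy(c.key, key)
-c.blockSize = int(go_openssl_EVP_CIPHER_get_block_size(cipher))
+c.blockSize = int(ossl.EVP_CIPHER_get_block_size(cipher))
 return c, nil
 }
 
@@ -175,10 +177,10 @@ func (c *evpCipher) encrypt(dst, src []byte) error {
 if err != nil {
 return err
 }
-defer go_openssl_EVP_CIPHER_CTX_free(enc_ctx)
+defer ossl.EVP_CIPHER_CTX_free(enc_ctx)
 
 var outl int32
-if _, err := go_openssl_EVP_EncryptUpdate(enc_ctx, base(dst), &outl, base(src), int32(c.blockSize)); err != nil {
+if _, err := ossl.EVP_EncryptUpdate(enc_ctx, base(dst), &outl, base(src), int32(c.blockSize)); err != nil {
 return err
 }
 runtime.KeepAlive(c)
@@ -201,25 +203,25 @@ func (c *evpCipher) decrypt(dst, src []byte) error {
 if err != nil {
 return err
 }
-defer go_openssl_EVP_CIPHER_CTX_free(dec_ctx)
+defer ossl.EVP_CIPHER_CTX_free(dec_ctx)
 
-if _, err := go_openssl_EVP_CIPHER_CTX_set_padding(dec_ctx, 0); err != nil {
+if _, err := ossl.EVP_CIPHER_CTX_set_padding(dec_ctx, 0); err != nil {
 return err
 }
 
 var outl int32
-go_openssl_EVP_DecryptUpdate(dec_ctx, base(dst), &outl, base(src), int32(c.blockSize))
+ossl.EVP_DecryptUpdate(dec_ctx, base(dst), &outl, base(src), int32(c.blockSize))
 runtime.KeepAlive(c)
 return nil
 }
 
 type cipherCBC struct {
-ctx _EVP_CIPHER_CTX_PTR
+ctx ossl.EVP_CIPHER_CTX_PTR
 blockSize int
 }
 
 func (c *cipherCBC) finalize() {
-go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+ossl.EVP_CIPHER_CTX_free(c.ctx)
 }
 
 func (x *cipherCBC) BlockSize() int { return x.blockSize }
@@ -236,7 +238,7 @@ func (x *cipherCBC) CryptBlocks(dst, src []byte) {
 }
 if len(src) > 0 {
 var outl int32
-if _, err := go_openssl_EVP_CipherUpdate(x.ctx, base(dst), &outl, base(src), int32(len(src))); err != nil {
+if _, err := ossl.EVP_CipherUpdate(x.ctx, base(dst), &outl, base(src), int32(len(src))); err != nil {
 panic("crypto/cipher: " + err.Error())
 }
 runtime.KeepAlive(x)
@@ -247,7 +249,7 @@ func (x *cipherCBC) SetIV(iv []byte) {
 if len(iv) != x.blockSize {
 panic("crypto/cipher: incorrect length IV")
 }
-if _, err := go_openssl_EVP_CipherInit_ex(x.ctx, nil, nil, nil, base(iv), int32(cipherOpNone)); err != nil {
+if _, err := ossl.EVP_CipherInit_ex(x.ctx, nil, nil, nil, base(iv), int32(cipherOpNone)); err != nil {
 panic("crypto/cipher: " + err.Error())
 }
 }
@@ -259,14 +261,14 @@ func (c *evpCipher) newCBC(iv []byte, op cipherOp) cipher.BlockMode {
 }
 x := &cipherCBC{ctx: ctx, blockSize: c.blockSize}
 runtime.SetFinalizer(x, (*cipherCBC).finalize)
-if _, err := go_openssl_EVP_CIPHER_CTX_set_padding(x.ctx, 0); err != nil {
+if _, err := ossl.EVP_CIPHER_CTX_set_padding(x.ctx, 0); err != nil {
 panic("crypto/cipher: " + err.Error())
 }
 return x
 }
 
 type cipherCTR struct {
-ctx _EVP_CIPHER_CTX_PTR
+ctx ossl.EVP_CIPHER_CTX_PTR
 }
 
 func (x *cipherCTR) XORKeyStream(dst, src []byte) {
@@ -280,7 +282,7 @@ func (x *cipherCTR) XORKeyStream(dst, src []byte) {
 return
 }
 var outl int32
-if _, err := go_openssl_EVP_EncryptUpdate(x.ctx, base(dst), &outl, base(src), int32(len(src))); err != nil {
+if _, err := ossl.EVP_EncryptUpdate(x.ctx, base(dst), &outl, base(src), int32(len(src))); err != nil {
 panic("crypto/cipher: " + err.Error())
 }
 runtime.KeepAlive(x)
@@ -297,7 +299,7 @@ func (c *evpCipher) newCTR(iv []byte) cipher.Stream {
 }
 
 func (c *cipherCTR) finalize() {
-go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+ossl.EVP_CIPHER_CTX_free(c.ctx)
 }
 
 type cipherGCMTLS uint8
@@ -447,31 +449,31 @@ func (g *cipherGCM) Seal(dst, nonce, plaintext, aad []byte) []byte {
 if err != nil {
 panic(err)
 }
-defer go_openssl_EVP_CIPHER_CTX_free(ctx)
+defer ossl.EVP_CIPHER_CTX_free(ctx)
 // Encrypt additional data.
 // When sealing a TLS payload, OpenSSL app sets the additional data using
 // '_EVP_CIPHER_CTX_ctrl(g.ctx, _EVP_CTRL_AEAD_TLS1_AAD, _EVP_AEAD_TLS1_AAD_LEN, base(additionalData))'.
 // This makes the explicit nonce component to monotonically increase on every Seal operation without
 // relying in the explicit nonce being securely set externally,
 // and it also gives some interesting speed gains.
 // Unfortunately we can't use it because Go expects AEAD.Seal to honor the provided nonce.
-if _, err := go_openssl_EVP_EncryptInit_ex(ctx, nil, nil, nil, base(nonce)); err != nil {
+if _, err := ossl.EVP_EncryptInit_ex(ctx, nil, nil, nil, base(nonce)); err != nil {
 panic(err)
 }
 var outl, discard int32
-if _, err := go_openssl_EVP_EncryptUpdate(ctx, nil, &discard, baseNeverEmpty(aad), int32(len(aad))); err != nil {
+if _, err := ossl.EVP_EncryptUpdate(ctx, nil, &discard, baseNeverEmpty(aad), int32(len(aad))); err != nil {
 panic(err)
 }
-if _, err := go_openssl_EVP_EncryptUpdate(ctx, base(out), &outl, baseNeverEmpty(plaintext), int32(len(plaintext))); err != nil {
+if _, err := ossl.EVP_EncryptUpdate(ctx, base(out), &outl, baseNeverEmpty(plaintext), int32(len(plaintext))); err != nil {
 panic(err)
 }
 if len(plaintext) != int(outl) {
 panic("cipher: incorrect length returned from GCM EncryptUpdate")
 }
-if _, err := go_openssl_EVP_EncryptFinal_ex(ctx, base(out[outl:]), &discard); err != nil {
+if _, err := ossl.EVP_EncryptFinal_ex(ctx, base(out[outl:]), &discard); err != nil {
 panic(err)
 }
-if _, err := go_openssl_EVP_CIPHER_CTX_ctrl(ctx, _EVP_CTRL_GCM_GET_TAG, 16, unsafe.Pointer(base(out[outl:]))); err != nil {
+if _, err := ossl.EVP_CIPHER_CTX_ctrl(ctx, ossl.EVP_CTRL_GCM_GET_TAG, 16, unsafe.Pointer(base(out[outl:]))); err != nil {
 panic(err)
 }
 runtime.KeepAlive(g)
@@ -507,7 +509,7 @@ func (g *cipherGCM) Open(dst, nonce, ciphertext, aad []byte) (_ []byte, err erro
 if err != nil {
 return nil, err
 }
-defer go_openssl_EVP_CIPHER_CTX_free(ctx)
+defer ossl.EVP_CIPHER_CTX_free(ctx)
 
 defer func() {
 if err != nil {
@@ -517,23 +519,23 @@ func (g *cipherGCM) Open(dst, nonce, ciphertext, aad []byte) (_ []byte, err erro
 }
 }
 }()
-if _, err := go_openssl_EVP_DecryptInit_ex(ctx, nil, nil, nil, base(nonce)); err != nil {
+if _, err := ossl.EVP_DecryptInit_ex(ctx, nil, nil, nil, base(nonce)); err != nil {
 return nil, errOpen
 }
-if _, err := go_openssl_EVP_CIPHER_CTX_ctrl(ctx, _EVP_CTRL_GCM_SET_TAG, 16, unsafe.Pointer(base(tag))); err != nil {
+if _, err := ossl.EVP_CIPHER_CTX_ctrl(ctx, ossl.EVP_CTRL_GCM_SET_TAG, 16, unsafe.Pointer(base(tag))); err != nil {
 return nil, errOpen
 }
 var outl, discard int32
-if _, err := go_openssl_EVP_DecryptUpdate(ctx, nil, &discard, baseNeverEmpty(aad), int32(len(aad))); err != nil {
+if _, err := ossl.EVP_DecryptUpdate(ctx, nil, &discard, baseNeverEmpty(aad), int32(len(aad))); err != nil {
 return nil, errOpen
 }
-if _, err := go_openssl_EVP_DecryptUpdate(ctx, base(out), &outl, baseNeverEmpty(ciphertext), int32(len(ciphertext))); err != nil {
+if _, err := ossl.EVP_DecryptUpdate(ctx, base(out), &outl, baseNeverEmpty(ciphertext), int32(len(ciphertext))); err != nil {
 return nil, errOpen
 }
 if len(ciphertext) != int(outl) {
 return nil, errOpen
 }
-if _, err := go_openssl_EVP_DecryptFinal_ex(ctx, base(out[outl:]), &discard); err != nil {
+if _, err := ossl.EVP_DecryptFinal_ex(ctx, base(out[outl:]), &discard); err != nil {
 return nil, errOpen
 }
 runtime.KeepAlive(g)
@@ -552,34 +554,34 @@ func sliceForAppend(in []byte, n int) (head, tail []byte) {
 return
 }
 
-func newCipherCtx(kind cipherKind, mode cipherMode, encrypt cipherOp, key, iv []byte) (_ _EVP_CIPHER_CTX_PTR, err error) {
+func newCipherCtx(kind cipherKind, mode cipherMode, encrypt cipherOp, key, iv []byte) (_ ossl.EVP_CIPHER_CTX_PTR, err error) {
 cipher := loadCipher(kind, mode)
 if cipher == nil {
 panic("crypto/cipher: unsupported cipher: " + kind.String())
 }
-ctx, err := go_openssl_EVP_CIPHER_CTX_new()
+ctx, err := ossl.EVP_CIPHER_CTX_new()
 if err != nil {
 return nil, err
 }
 defer func() {
 if err != nil {
-go_openssl_EVP_CIPHER_CTX_free(ctx)
+ossl.EVP_CIPHER_CTX_free(ctx)
 }
 }()
 if kind == cipherRC4 {
 // RC4 cipher supports a variable key length.
 // We need to set the key length before setting the key,
 // and to do so we need to have an initialized cipher ctx.
-if _, err := go_openssl_EVP_CipherInit_ex(ctx, cipher, nil, nil, nil, int32(encrypt)); err != nil {
+if _, err := ossl.EVP_CipherInit_ex(ctx, cipher, nil, nil, nil, int32(encrypt)); err != nil {
 return nil, err
 }
-if _, err := go_openssl_EVP_CIPHER_CTX_set_key_length(ctx, int32(len(key))); err != nil {
+if _, err := ossl.EVP_CIPHER_CTX_set_key_length(ctx, int32(len(key))); err != nil {
 return nil, err
 }
 // Pass nil to the next call to EVP_CipherInit_ex to avoid resetting ctx's cipher.
 cipher = nil
 }
-if _, err := go_openssl_EVP_CipherInit_ex(ctx, cipher, nil, base(key), base(iv), int32(encrypt)); err != nil {
+if _, err := ossl.EVP_CipherInit_ex(ctx, cipher, nil, base(key), base(iv), int32(encrypt)); err != nil {
 return nil, err
 }
 return ctx, nil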
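Review bot: `evpCipher.decrypt` still discards the result of `ossl.EVP_DecryptUpdate` (the call is a bare statement just before `runtime.KeepAlive(c)`), while the sibling `encrypt` path checks `ossl.EVP_EncryptUpdate` and returns its error; if the update fails, `dst` is presumably left unwritten yet `decrypt` reports `nil`. Since the commit already rewrites that line, it could be brought in line with `encrypt`: `if _, err := ossl.EVP_DecryptUpdate(dec_ctx, base(dst), &outl, base(src), int32(c.blockSize)); err != nil { return err }`. Separately, the comment in `cipherGCM.Seal` still quotes the pre-move identifiers `_EVP_CIPHER_CTX_ctrl` and `_EVP_CTRL_AEAD_TLS1_AAD`; following the `ossl.EVP_CTRL_GCM_GET_TAG` rename a few lines below, it should presumably read `ossl.EVP_CIPHER_CTX_ctrl(g.ctx, ossl.EVP_CTRL_AEAD_TLS1_AAD, ...)`. Both `decrypt` and `Seal` begin outside the hunks that show them.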
