rpms / grafana

Clone
Source Code
GIT

Blame SOURCES/010-fips.patch

c8 c8-beta c8s c9 c9-beta
  1.   dfc4702fc87ad6995b9c30c43496b4c4f4089ace
  2.   SOURCES
  3.   010-fips.patch
Blob History Raw
dfc470 
diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go
dfc470 
new file mode 100644
dfc470 
index 0000000..a9c550e
dfc470 
--- /dev/null
dfc470 
+++ b/vendor/golang.org/x/crypto/internal/boring/boring.go
dfc470 
@@ -0,0 +1,74 @@
dfc470 
+// Copyright 2017 The Go Authors. All rights reserved.
dfc470 
+// Copyright 2021 Red Hat.
dfc470 
+// Use of this source code is governed by a BSD-style
dfc470 
+// license that can be found in the LICENSE file.
dfc470 
+
dfc470 
+// +build linux
dfc470 
+// +build !android
dfc470 
+// +build !no_openssl
dfc470 
+// +build !cmd_go_bootstrap
dfc470 
+// +build !msan
dfc470 
+
dfc470 
+package boring
dfc470 
+
dfc470 
+// #include "openssl_pbkdf2.h"
dfc470 
+// #cgo LDFLAGS: -ldl
dfc470 
+import "C"
dfc470 
+import (
dfc470 
+	"bytes"
dfc470 
+	"crypto/sha1"
dfc470 
+	"crypto/sha256"
dfc470 
+	"hash"
dfc470 
+	"unsafe"
dfc470 
+)
dfc470 
+
dfc470 
+var (
dfc470 
+	emptySha1   = sha1.Sum([]byte{})
dfc470 
+	emptySha256 = sha256.Sum256([]byte{})
dfc470 
+)
dfc470 
+
dfc470 
+func hashToMD(h hash.Hash) *C.GO_EVP_MD {
dfc470 
+	emptyHash := h.Sum([]byte{})
dfc470 
+
dfc470 
+	switch {
dfc470 
+	case bytes.Equal(emptyHash, emptySha1[:]):
dfc470 
+		return C._goboringcrypto_EVP_sha1()
dfc470 
+	case bytes.Equal(emptyHash, emptySha256[:]):
dfc470 
+		return C._goboringcrypto_EVP_sha256()
dfc470 
+	}
dfc470 
+	return nil
dfc470 
+}
dfc470 
+
dfc470 
+// charptr returns the address of the underlying array in b,
dfc470 
+// being careful not to panic when b has zero length.
dfc470 
+func charptr(b []byte) *C.char {
dfc470 
+	if len(b) == 0 {
dfc470 
+		return nil
dfc470 
+	}
dfc470 
+	return (*C.char)(unsafe.Pointer(&b[0]))
dfc470 
+}
dfc470 
+
dfc470 
+// ucharptr returns the address of the underlying array in b,
dfc470 
+// being careful not to panic when b has zero length.
dfc470 
+func ucharptr(b []byte) *C.uchar {
dfc470 
+	if len(b) == 0 {
dfc470 
+		return nil
dfc470 
+	}
dfc470 
+	return (*C.uchar)(unsafe.Pointer(&b[0]))
dfc470 
+}
dfc470 
+
dfc470 
+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
dfc470 
+	// println("[debug] using pbkdf2 from OpenSSL")
dfc470 
+	ch := h()
dfc470 
+	md := hashToMD(ch)
dfc470 
+	if md == nil {
dfc470 
+		return nil
dfc470 
+	}
dfc470 
+
dfc470 
+	out := make([]byte, keyLen)
dfc470 
+	ok := C._goboringcrypto_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out))
dfc470 
+	if ok != 1 {
dfc470 
+		panic("boringcrypto: PKCS5_PBKDF2_HMAC failed")
dfc470 
+	}
dfc470 
+	return out
dfc470 
+}
dfc470 
diff --git a/vendor/golang.org/x/crypto/internal/boring/notboring.go b/vendor/golang.org/x/crypto/internal/boring/notboring.go
dfc470 
new file mode 100644
dfc470 
index 0000000..e244fb5
dfc470 
--- /dev/null
dfc470 
+++ b/vendor/golang.org/x/crypto/internal/boring/notboring.go
dfc470 
@@ -0,0 +1,16 @@
dfc470 
+// Copyright 2017 The Go Authors. All rights reserved.
dfc470 
+// Copyright 2021 Red Hat.
dfc470 
+// Use of this source code is governed by a BSD-style
dfc470 
+// license that can be found in the LICENSE file.
dfc470 
+
dfc470 
+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
dfc470 
+
dfc470 
+package boring
dfc470 
+
dfc470 
+import (
dfc470 
+	"hash"
dfc470 
+)
dfc470 
+
dfc470 
+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
dfc470 
+	panic("boringcrypto: not available")
dfc470 
+}
dfc470 
diff --git a/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
dfc470 
new file mode 100644
dfc470 
index 0000000..6dfdf10
dfc470 
--- /dev/null
dfc470 
+++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
dfc470 
@@ -0,0 +1,5 @@
dfc470 
+#include "/usr/lib/golang/src/crypto/internal/boring/goboringcrypto.h"
dfc470 
+
dfc470 
+DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
dfc470 
+    (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),
dfc470 
+    (pass, passlen, salt, saltlen, iter, digest, keylen, out))
dfc470 
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
dfc470 
index 593f653..799a611 100644
dfc470 
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
dfc470 
+++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
dfc470 
@@ -19,8 +19,11 @@ pbkdf2.Key.
dfc470 
 package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
dfc470
dfc470 
 import (
dfc470 
+	"crypto/boring"
dfc470 
 	"crypto/hmac"
dfc470 
 	"hash"
dfc470 
+
dfc470 
+	xboring "golang.org/x/crypto/internal/boring"
dfc470 
 )
dfc470
dfc470 
 // Key derives a key from the password, salt and iteration count, returning a
dfc470 
@@ -40,6 +43,10 @@ import (
dfc470 
 // Using a higher iteration count will increase the cost of an exhaustive
dfc470 
 // search but will also make derivation proportionally slower.
dfc470 
 func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
dfc470 
+	if boring.Enabled() {
dfc470 
+		return xboring.Pbkdf2Key(password, salt, iter, keyLen, h)
dfc470 
+	}
dfc470 
+
dfc470 
 	prf := hmac.New(h, password)
dfc470 
 	hashLen := prf.Size()
dfc470 
 	numBlocks := (keyLen + hashLen - 1) / hashLen

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation