Crypto refresh support and V2 API (#182)

This squashed commit adds complete support for the OpenPGP crypto refresh. Additionally, the commit introduces an enhanced, non-backwards compatible v2 API. The API in the openpgp package remains fully backward compatible, while the new v2 API is located in a separate v2 package inside the openpgp folder.
ProtonMail · Jan 18, 2024 · 4deafc1 · 4deafc1
1 parent afb1ddc
commit 4deafc1
Show file tree

Hide file tree

Showing 96 changed files with 15,160 additions and 1,010 deletions.
diff --git a/.github/actions/build-gosop/action.yml b/.github/actions/build-gosop/action.yml
@@ -13,6 +13,16 @@ inputs:
     required: true
     default: './gosop-${{ github.sha }}'
 
+  branch-gosop: 
+    description: 'Branch of the gosop to use'
+    required: false
+    default: 'main'
+
+  gosop-build-path: 
+    description: 'Build script of the gosop to use'
+    required: false
+    default: 'build_gosop_v1.sh'
+
 runs:
   using: "composite"
   steps:
@@ -30,6 +40,7 @@ runs:
       uses: actions/checkout@v3
       with:
         repository: ProtonMail/gosop
+        ref: ${{ inputs.branch-gosop }}
         path: gosop
     - name: Cache go modules
       uses: actions/cache@v3
@@ -41,7 +52,7 @@ runs:
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Build gosop
-      run: ./.github/test-suite/build_gosop.sh
+      run: ./.github/test-suite/${{ inputs.gosop-build-path }}
       shell: bash
     # Test the binary
     - name: Print gosop version

diff --git a/.github/test-suite/build_gosop.sh b/.github/test-suite/build_gosop.sh
@@ -1,5 +1,5 @@
 cd gosop
 echo "replace github.com/ProtonMail/go-crypto => ../go-crypto" >> go.mod
 go get github.com/ProtonMail/go-crypto
-go get github.com/ProtonMail/gopenpgp/v2/crypto@latest
+go get github.com/ProtonMail/gopenpgp/v3/crypto@8acccb3915b46d8765d536ff9669bb61ec567f77 
 go build .
diff --git a/.github/test-suite/build_gosop_v1.sh b/.github/test-suite/build_gosop_v1.sh
@@ -0,0 +1,5 @@
+cd gosop
+echo "replace github.com/ProtonMail/go-crypto => ../go-crypto" >> go.mod
+go get github.com/ProtonMail/go-crypto
+go get github.com/ProtonMail/gopenpgp/v2/crypto@latest
+go build .
diff --git a/.github/test-suite/config.json.template b/.github/test-suite/config.json.template
@@ -1,8 +1,12 @@
 {
     "drivers": [
       {
-        "id": "gosop-branch",
-        "path": "__GOSOP_BRANCH__"
+        "id": "gosop-branch-v1",
+        "path": "__GOSOP_BRANCH_V1__"
+      },
+      {
+        "id": "gosop-branch-v2",
+        "path": "__GOSOP_BRANCH_V2__"
       },
       {
         "id": "gosop-main",

diff --git a/.github/test-suite/prepare_config.sh b/.github/test-suite/prepare_config.sh
@@ -1,9 +1,11 @@
 CONFIG_TEMPLATE=$1
 CONFIG_OUTPUT=$2
-GOSOP_BRANCH=$3
-GOSOP_MAIN=$4
+GOSOP_BRANCH_V1=$3
+GOSOP_BRANCH_V2=$4
+GOSOP_MAIN=$5
 cat $CONFIG_TEMPLATE \
-    | sed "s@__GOSOP_BRANCH__@${GOSOP_BRANCH}@g" \
+    | sed "s@__GOSOP_BRANCH_V1__@${GOSOP_BRANCH_V1}@g" \
+    | sed "s@__GOSOP_BRANCH_V2__@${GOSOP_BRANCH_V2}@g" \
     | sed "s@__GOSOP_MAIN__@${GOSOP_MAIN}@g" \
     | sed "s@__SQOP__@${SQOP}@g" \
     | sed "s@__GPGME_SOP__@${GPGME_SOP}@g" \

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -32,10 +32,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Set up Go 1.15
+      - name: Set up Go 1.17
         uses: actions/setup-go@v3
         with:
-          go-version: 1.15
+          go-version: 1.17
 
       - name: Short test
         run: go test -short -v ./...

diff --git a/.github/workflows/interop-test-suite.yml b/.github/workflows/interop-test-suite.yml
@@ -5,23 +5,41 @@ on:
     branches: [ main ]
 
 jobs:
-
-  build-gosop:
-    name: Build gosop from branch
+  build-gosop-v1:
+    name: Build gosop from branch v1-api
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build gosop from branch
+        uses: ./.github/actions/build-gosop
+        with: 
+          binary-location: ./gosop-${{ github.sha }}-v1
+      # Upload as artifact
+      - name: Upload gosop artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: gosop-${{ github.sha }}-v1
+          path: ./gosop-${{ github.sha }}-v1
+
+  build-gosop-v2:
+    name: Build gosop from branch v2-api
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Build gosop from branch
         uses: ./.github/actions/build-gosop
         with: 
-          binary-location: ./gosop-${{ github.sha }}
+          binary-location: ./gosop-${{ github.sha }}-v2
+          branch-gosop: gosop-gopenpgp-v3
+          gosop-build-path: build_gosop.sh
       # Upload as artifact
       - name: Upload gosop artifact
         uses: actions/upload-artifact@v3
         with:
-          name: gosop-${{ github.sha }}
-          path: ./gosop-${{ github.sha }}
+          name: gosop-${{ github.sha }}-v2
+          path: ./gosop-${{ github.sha }}-v2
 
   build-gosop-main:
     name: Build gosop from main
@@ -40,18 +58,18 @@ jobs:
         with:
           name: gosop-main
           path: ./gosop-main
-
 
   test-suite:
     name: Run interoperability test suite
     runs-on: ubuntu-latest
     container: 
-      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.1
+      image: ghcr.io/protonmail/openpgp-interop-test-docker:v.1.1.3
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
     needs: 
-      - build-gosop
+      - build-gosop-v1
+      - build-gosop-v2
       - build-gosop-main
     steps:
       - name: Checkout
@@ -66,21 +84,33 @@ jobs:
         run: chmod +x gosop-main
       - name: Print gosop-main version
         run: ./gosop-main version --extended
-      # Fetch gosop from branch
-      - name: Download gosop-branch
+      # Fetch gosop from branch v1
+      - name: Download gosop-branch-v1
+        uses: actions/download-artifact@v3
+        with:
+          name: gosop-${{ github.sha }}-v1
+      - name: Rename gosop-branch-v1
+        run: mv gosop-${{ github.sha }}-v1 gosop-branch-v1
+      # Test gosop-branch v1
+      - name: Make gosop-branch-v1 executable
+        run: chmod +x gosop-branch-v1
+      - name: Print gosop-branch-v1 version
+        run: ./gosop-branch-v1 version --extended
+      # Fetch gosop from branch v2
+      - name: Download gosop-branch-v2
         uses: actions/download-artifact@v3
         with:
-          name: gosop-${{ github.sha }}
-      - name: Rename gosop-branch
-        run: mv gosop-${{ github.sha }} gosop-branch
-      # Test gosop-branch
-      - name: Make gosop-branch executable
-        run: chmod +x gosop-branch
-      - name: Print gosop-branch version
-        run: ./gosop-branch version --extended
+          name: gosop-${{ github.sha }}-v2
+      - name: Rename gosop-branch-v2
+        run: mv gosop-${{ github.sha }}-v2 gosop-branch-v2
+      # Test gosop-branch v2
+      - name: Make gosop-branch-v2 executable
+        run: chmod +x gosop-branch-v2
+      - name: Print gosop-branch-v2 version
+        run: ./gosop-branch-v2 version --extended
       # Run test suite
       - name: Prepare test configuration
-        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch $GITHUB_WORKSPACE/gosop-main
+        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch-v1 $GITHUB_WORKSPACE/gosop-branch-v2 $GITHUB_WORKSPACE/gosop-main
         env:
          CONFIG_TEMPLATE: .github/test-suite/config.json.template
          CONFIG_OUTPUT: .github/test-suite/config.json
@@ -116,10 +146,18 @@ jobs:
         uses: actions/download-artifact@v3
         with:
           name: test-suite-results.json
-      - name: Compare with baseline
-        uses: ProtonMail/openpgp-interop-test-analyzer@v1
+      - name: Compare with baseline v1
+        uses: ProtonMail/openpgp-interop-test-analyzer@5d7f4b6868ebe3bfc909302828342c461f5f4940
         with: 
           results: ${{ steps.download-test-results.outputs.download-path }}/test-suite-results.json
-          output: baseline-comparison.json
+          output: baseline-comparison-v1.json
           baseline: gosop-main
-          target: gosop-branch
+          target: gosop-branch-v1
+      - name: Compare with baseline v2
+        uses: ProtonMail/openpgp-interop-test-analyzer@5d7f4b6868ebe3bfc909302828342c461f5f4940
+        with: 
+          results: ${{ steps.download-test-results.outputs.download-path }}/test-suite-results.json
+          output: baseline-comparison-v2.json
+          baseline: gosop-main
+          target: gosop-branch-v2
+
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 # Add no patterns to .gitignore except for files generated by the build.
 last-change
-.idea
+.idea
+settings.json
diff --git a/README.md b/README.md
@@ -7,3 +7,5 @@ so you can simply replace all imports of `golang.org/x/crypto/openpgp` with
 `github.com/ProtonMail/go-crypto/openpgp`.
 
 A partial list of changes is here: https://github.com/ProtonMail/go-crypto/issues/21#issuecomment-492792917.
+
+For the more extended API for reading and writing OpenPGP messages use `github.com/ProtonMail/go-crypto/openpgp/v2`, but it is not fully backwards compatible with `golang.org/x/crypto/openpgp`. 
diff --git a/go.mod b/go.mod
@@ -1,8 +1,10 @@
 module github.com/ProtonMail/go-crypto
 
-go 1.13
+go 1.17
 
 require (
-	github.com/cloudflare/circl v1.3.3
-	golang.org/x/crypto v0.7.0
+	github.com/cloudflare/circl v1.3.7
+	golang.org/x/crypto v0.17.0
 )
+
+require golang.org/x/sys v0.16.0 // indirect
diff --git a/go.sum b/go.sum
@@ -1,20 +1,18 @@
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -23,22 +21,22 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

diff --git a/ocb/ocb.go b/ocb/ocb.go
@@ -18,8 +18,9 @@ import (
 	"crypto/cipher"
 	"crypto/subtle"
 	"errors"
-	"github.com/ProtonMail/go-crypto/internal/byteutil"
 	"math/bits"
+
+	"github.com/ProtonMail/go-crypto/internal/byteutil"
 )
 
 type ocb struct {
@@ -153,7 +154,7 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 	truncatedNonce := make([]byte, len(nonce))
 	copy(truncatedNonce, nonce)
 	truncatedNonce[len(truncatedNonce)-1] &= 192
-	Ktop := make([]byte, blockSize)
+	var Ktop []byte
 	if bytes.Equal(truncatedNonce, o.reusableKtop.noncePrefix) {
 		Ktop = o.reusableKtop.Ktop
 	} else {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7,3 +7,5 @@ so you can simply replace all imports of `golang.org/x/crypto/openpgp` with
		`github.com/ProtonMail/go-crypto/openpgp`.

		A partial list of changes is here: https://github.com/ProtonMail/go-crypto/issues/21#issuecomment-492792917.

		For the more extended API for reading and writing OpenPGP messages use `github.com/ProtonMail/go-crypto/openpgp/v2`, but it is not fully backwards compatible with `golang.org/x/crypto/openpgp`.