ProtonMail · lubux · Jan 18, 2024 · Apr 11, 2023 · Mar 24, 2023 · Mar 27, 2023
diff --git a/.github/actions/build-gosop/action.yml b/.github/actions/build-gosop/action.yml
@@ -13,6 +13,16 @@ inputs:
     required: true
     default: './gosop-${{ github.sha }}'
 
+  branch-gosop: 
+    description: 'Branch of the gosop to use'
+    required: false
+    default: 'main'
+
+  gosop-build-path: 
+    description: 'Build script of the gosop to use'
+    required: false
+    default: 'build_gosop_v1.sh'
+
 runs:
   using: "composite"
   steps:
@@ -30,6 +40,7 @@ runs:
       uses: actions/checkout@v3
       with:
         repository: ProtonMail/gosop
+        ref: ${{ inputs.branch-gosop }}
         path: gosop
     - name: Cache go modules
       uses: actions/cache@v3
@@ -41,7 +52,7 @@ runs:
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Build gosop
-      run: ./.github/test-suite/build_gosop.sh
+      run: ./.github/test-suite/${{ inputs.gosop-build-path }}
       shell: bash
     # Test the binary
     - name: Print gosop version

diff --git a/.github/test-suite/build_gosop.sh b/.github/test-suite/build_gosop.sh
@@ -1,5 +1,5 @@
 cd gosop
 echo "replace github.com/ProtonMail/go-crypto => ../go-crypto" >> go.mod
 go get github.com/ProtonMail/go-crypto
-go get github.com/ProtonMail/gopenpgp/v2/crypto@latest
+go get github.com/ProtonMail/gopenpgp/v3/crypto@8acccb3915b46d8765d536ff9669bb61ec567f77 
 go build .
diff --git a/.github/test-suite/build_gosop_v1.sh b/.github/test-suite/build_gosop_v1.sh
@@ -0,0 +1,5 @@
+cd gosop
+echo "replace github.com/ProtonMail/go-crypto => ../go-crypto" >> go.mod
+go get github.com/ProtonMail/go-crypto
+go get github.com/ProtonMail/gopenpgp/v2/crypto@latest
+go build .
diff --git a/.github/test-suite/config.json.template b/.github/test-suite/config.json.template
@@ -1,8 +1,12 @@
 {
     "drivers": [
       {
-        "id": "gosop-branch",
-        "path": "__GOSOP_BRANCH__"
+        "id": "gosop-branch-v1",
+        "path": "__GOSOP_BRANCH_V1__"
+      },
+      {
+        "id": "gosop-branch-v2",
+        "path": "__GOSOP_BRANCH_V2__"
       },
       {
         "id": "gosop-main",

diff --git a/.github/test-suite/prepare_config.sh b/.github/test-suite/prepare_config.sh
@@ -1,9 +1,11 @@
 CONFIG_TEMPLATE=$1
 CONFIG_OUTPUT=$2
-GOSOP_BRANCH=$3
-GOSOP_MAIN=$4
+GOSOP_BRANCH_V1=$3
+GOSOP_BRANCH_V2=$4
+GOSOP_MAIN=$5
 cat $CONFIG_TEMPLATE \
-    | sed "s@__GOSOP_BRANCH__@${GOSOP_BRANCH}@g" \
+    | sed "s@__GOSOP_BRANCH_V1__@${GOSOP_BRANCH_V1}@g" \
+    | sed "s@__GOSOP_BRANCH_V2__@${GOSOP_BRANCH_V2}@g" \
     | sed "s@__GOSOP_MAIN__@${GOSOP_MAIN}@g" \
     | sed "s@__SQOP__@${SQOP}@g" \
     | sed "s@__GPGME_SOP__@${GPGME_SOP}@g" \

diff --git a/.github/workflows/interop-test-suite.yml b/.github/workflows/interop-test-suite.yml
@@ -5,23 +5,41 @@ on:
     branches: [ main ]
 
 jobs:
-
-  build-gosop:
-    name: Build gosop from branch
+  build-gosop-v1:
+    name: Build gosop from branch v1-api
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Build gosop from branch
+        uses: ./.github/actions/build-gosop
+        with: 
+          binary-location: ./gosop-${{ github.sha }}-v1
+      # Upload as artifact
+      - name: Upload gosop artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: gosop-${{ github.sha }}-v1
+          path: ./gosop-${{ github.sha }}-v1
+
+  build-gosop-v2:
+    name: Build gosop from branch v2-api
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Build gosop from branch
         uses: ./.github/actions/build-gosop
         with: 
-          binary-location: ./gosop-${{ github.sha }}
+          binary-location: ./gosop-${{ github.sha }}-v2
+          branch-gosop: gosop-gopenpgp-v3
+          gosop-build-path: build_gosop.sh
       # Upload as artifact
       - name: Upload gosop artifact
         uses: actions/upload-artifact@v3
         with:
-          name: gosop-${{ github.sha }}
-          path: ./gosop-${{ github.sha }}
+          name: gosop-${{ github.sha }}-v2
+          path: ./gosop-${{ github.sha }}-v2
 
   build-gosop-main:
     name: Build gosop from main
@@ -40,18 +58,18 @@ jobs:
         with:
           name: gosop-main
           path: ./gosop-main
-
 
   test-suite:
     name: Run interoperability test suite
     runs-on: ubuntu-latest
     container: 
-      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.1
+      image: ghcr.io/protonmail/openpgp-interop-test-docker:v.1.1.3
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
     needs: 
-      - build-gosop
+      - build-gosop-v1
+      - build-gosop-v2
       - build-gosop-main
     steps:
       - name: Checkout
@@ -66,21 +84,33 @@ jobs:
         run: chmod +x gosop-main
       - name: Print gosop-main version
         run: ./gosop-main version --extended
-      # Fetch gosop from branch
-      - name: Download gosop-branch
+      # Fetch gosop from branch v1
+      - name: Download gosop-branch-v1
+        uses: actions/download-artifact@v3
+        with:
+          name: gosop-${{ github.sha }}-v1
+      - name: Rename gosop-branch-v1
+        run: mv gosop-${{ github.sha }}-v1 gosop-branch-v1
+      # Test gosop-branch v1
+      - name: Make gosop-branch-v1 executable
+        run: chmod +x gosop-branch-v1
+      - name: Print gosop-branch-v1 version
+        run: ./gosop-branch-v1 version --extended
+      # Fetch gosop from branch v2
+      - name: Download gosop-branch-v2
         uses: actions/download-artifact@v3
         with:
-          name: gosop-${{ github.sha }}
-      - name: Rename gosop-branch
-        run: mv gosop-${{ github.sha }} gosop-branch
-      # Test gosop-branch
-      - name: Make gosop-branch executable
-        run: chmod +x gosop-branch
-      - name: Print gosop-branch version
-        run: ./gosop-branch version --extended
+          name: gosop-${{ github.sha }}-v2
+      - name: Rename gosop-branch-v2
+        run: mv gosop-${{ github.sha }}-v2 gosop-branch-v2
+      # Test gosop-branch v2
+      - name: Make gosop-branch-v2 executable
+        run: chmod +x gosop-branch-v2
+      - name: Print gosop-branch-v2 version
+        run: ./gosop-branch-v2 version --extended
       # Run test suite
       - name: Prepare test configuration
-        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch $GITHUB_WORKSPACE/gosop-main
+        run: ./.github/test-suite/prepare_config.sh $CONFIG_TEMPLATE $CONFIG_OUTPUT $GITHUB_WORKSPACE/gosop-branch-v1 $GITHUB_WORKSPACE/gosop-branch-v2 $GITHUB_WORKSPACE/gosop-main
         env:
          CONFIG_TEMPLATE: .github/test-suite/config.json.template
          CONFIG_OUTPUT: .github/test-suite/config.json
@@ -116,10 +146,18 @@ jobs:
         uses: actions/download-artifact@v3
         with:
           name: test-suite-results.json
-      - name: Compare with baseline
-        uses: ProtonMail/openpgp-interop-test-analyzer@v1
+      - name: Compare with baseline v1
+        uses: ProtonMail/openpgp-interop-test-analyzer@5d7f4b6868ebe3bfc909302828342c461f5f4940
         with: 
           results: ${{ steps.download-test-results.outputs.download-path }}/test-suite-results.json
-          output: baseline-comparison.json
+          output: baseline-comparison-v1.json
           baseline: gosop-main
-          target: gosop-branch
+          target: gosop-branch-v1
+      - name: Compare with baseline v2
+        uses: ProtonMail/openpgp-interop-test-analyzer@5d7f4b6868ebe3bfc909302828342c461f5f4940
+        with: 
+          results: ${{ steps.download-test-results.outputs.download-path }}/test-suite-results.json
+          output: baseline-comparison-v2.json
+          baseline: gosop-main
+          target: gosop-branch-v2
+
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 # Add no patterns to .gitignore except for files generated by the build.
 last-change
-.idea
+.idea
+settings.json
diff --git a/README.md b/README.md
@@ -7,3 +7,5 @@ so you can simply replace all imports of `golang.org/x/crypto/openpgp` with
 `github.com/ProtonMail/go-crypto/openpgp`.
 
 A partial list of changes is here: https://github.com/ProtonMail/go-crypto/issues/21#issuecomment-492792917.
+
+For the more extended API for reading and writing OpenPGP messages use `github.com/ProtonMail/go-crypto/openpgp/v2`, but it is not fully backwards compatible with `golang.org/x/crypto/openpgp`. 
diff --git a/go.mod b/go.mod
@@ -4,5 +4,5 @@ go 1.13
 
 require (
 	github.com/cloudflare/circl v1.3.3
-	golang.org/x/crypto v0.7.0
+	golang.org/x/crypto v0.9.0
 )
diff --git a/go.sum b/go.sum
@@ -5,16 +5,16 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -26,19 +26,19 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

diff --git a/ocb/ocb.go b/ocb/ocb.go
@@ -18,8 +18,9 @@ import (
 	"crypto/cipher"
 	"crypto/subtle"
 	"errors"
-	"github.com/ProtonMail/go-crypto/internal/byteutil"
 	"math/bits"
+
+	"github.com/ProtonMail/go-crypto/internal/byteutil"
 )
 
 type ocb struct {
@@ -153,7 +154,7 @@ func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 	truncatedNonce := make([]byte, len(nonce))
 	copy(truncatedNonce, nonce)
 	truncatedNonce[len(truncatedNonce)-1] &= 192
-	Ktop := make([]byte, blockSize)
+	var Ktop []byte
 	if bytes.Equal(truncatedNonce, o.reusableKtop.noncePrefix) {
 		Ktop = o.reusableKtop.Ktop
 	} else {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7,3 +7,5 @@ so you can simply replace all imports of `golang.org/x/crypto/openpgp` with
		`github.com/ProtonMail/go-crypto/openpgp`.

		A partial list of changes is here: https://github.com/ProtonMail/go-crypto/issues/21#issuecomment-492792917.

		For the more extended API for reading and writing OpenPGP messages use `github.com/ProtonMail/go-crypto/openpgp/v2`, but it is not fully backwards compatible with `golang.org/x/crypto/openpgp`.