From 00b60808a1ace0fb1c21c840e3e30f98a88cb2ae Mon Sep 17 00:00:00 2001
From: web3-bot <81333946+web3-bot@users.noreply.github.com>
Date: Wed, 21 Sep 2022 20:15:22 +0200
Subject: [PATCH] sync: update CI config files (#34)

---
 .github/workflows/go-check.yml | 8 ++---
 .github/workflows/go-test.yml | 12 +++---
 build.go | 1 -
 build_static.go | 1 -
 cert.go | 4 +--
 ctx.go | 5 ++-
 fips.go | 6 ++--
 go.mod | 2 +-
 init.go | 66 ++++++++++++++++++----------------
 init_posix.go | 2 --
 init_windows.go | 1 -
 key.go | 10 +++---
 key_test.go | 54 ++++++++++++++--------------
 ssl_test.go | 7 ++--
 14 files changed, 89 insertions(+), 90 deletions(-)

diff --git a/.github/workflows/go-check.yml b/.github/workflows/go-check.yml
index 25e1afd..251f7fa 100644
--- a/.github/workflows/go-check.yml
+++ b/.github/workflows/go-check.yml
@@ -11,12 +11,12 @@ jobs:
 env:
 RUNGOGENERATE: false
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 with:
 submodules: recursive
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@v3
 with:
- go-version: "1.18.x"
+ go-version: "1.19.x"
 - name: Run repo-specific setup
 uses: ./.github/actions/go-check-setup
 if: hashFiles('./.github/actions/go-check-setup') != ''
@@ -27,7 +27,7 @@ jobs:
 echo "RUNGOGENERATE=true" >> $GITHUB_ENV
 fi
 - name: Install staticcheck
- run: go install honnef.co/go/tools/cmd/staticcheck@d7e217c1ff411395475b2971c0824e1e7cc1af98 # 2022.1 (v0.3.0)
+ run: go install honnef.co/go/tools/cmd/staticcheck@376210a89477dedbe6fdc4484b233998650d7b3c # 2022.1.3 (v0.3.3)
 - name: Check that go.mod is tidy
 uses: protocol/multiple-go-modules@v1.2
 with:
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index b86241a..8a1697b 100644
--- a/.github/workflows/go-test.yml
+++ b/.github/workflows/go-test.yml
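Review bot: `actions/checkout@v3` and `actions/setup-go@v3` in the first hunk are pinned to a mutable major tag, whereas the staticcheck install in the second hunk and the codecov-action step in go-test.yml are pinned to a commit SHA, so a moved tag would change what runs in CI without any diff to review. Pin the two actions the same way, e.g. `- uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER> # v3` and `- uses: actions/setup-go@<COMMIT_SHA_PLACEHOLDER> # v3`. The same two `uses:` lines recur in the go-test.yml hunk at -10; since the subject says these files are synced, the fix presumably belongs in the upstream template rather than in this repository alone.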
@@ -10,16 +10,16 @@ jobs:
 fail-fast: false
 matrix:
 os: [ "ubuntu", "windows", "macos" ]
- go: [ "1.17.x", "1.18.x" ]
+ go: [ "1.18.x", "1.19.x" ]
 env:
 COVERAGES: ""
 runs-on: ${{ format('{0}-latest', matrix.os) }}
 name: ${{ matrix.os }} (go ${{ matrix.go }})
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
 with:
 submodules: recursive
- - uses: actions/setup-go@v2
+ - uses: actions/setup-go@v3
 with:
 go-version: ${{ matrix.go }}
 - name: Go information
@@ -43,7 +43,7 @@ jobs:
 # Use -coverpkg=./..., so that we include cross-package coverage.
 # If package ./A imports ./B, and ./A's tests also cover ./B,
 # this means ./B's coverage will be significantly higher than 0%.
- run: go test -v -coverprofile=module-coverage.txt -coverpkg=./... ./...
+ run: go test -v -shuffle=on -coverprofile=module-coverage.txt -coverpkg=./... ./...
 - name: Run tests (32 bit)
 if: ${{ matrix.os != 'macos' }} # can't run 32 bit tests on OSX.
 uses: protocol/multiple-go-modules@v1.2
@@ -52,7 +52,7 @@ jobs:
 with:
 run: |
 export "PATH=${{ env.PATH_386 }}:$PATH"
- go test -v ./...
+ go test -v -shuffle=on ./...
 - name: Run tests with race detector
 if: ${{ matrix.os == 'ubuntu' }} # speed things up. Windows and OSX VMs are slow
 uses: protocol/multiple-go-modules@v1.2
@@ -62,7 +62,7 @@ jobs:
 shell: bash
 run: echo "COVERAGES=$(find . -type f -name 'module-coverage.txt' | tr -s '\n' ',' | sed 's/,$//')" >> $GITHUB_ENV
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2.1.0
+ uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # v3.1.0
 with:
 files: '${{ env.COVERAGES }}'
 env_vars: OS=${{ matrix.os }}, GO=${{ matrix.go }}
diff --git a/build.go b/build.go
index 990fbb4..6300d21 100644
--- a/build.go
+++ b/build.go
@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build !openssl_static
-// +build !openssl_static
 
 package openssl
 
diff --git a/build_static.go b/build_static.go
index dde5446..4e41d42 100644
--- a/build_static.go
+++ b/build_static.go
@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build openssl_static
-// +build openssl_static
 
 package openssl
 
diff --git a/cert.go b/cert.go
index 97c788f..fb482c0 100644
--- a/cert.go
+++ b/cert.go
@@ -19,7 +19,7 @@ import "C"
 
 import (
 "errors"
- "io/ioutil"
+ "io"
 "math/big"
 "runtime"
 "time"
@@ -383,7 +383,7 @@ func (c *Certificate) MarshalPEM() (pem_block []byte, err error) {
 if int(C.PEM_write_bio_X509(bio, c.x)) != 1 {
 return nil, errors.New("failed dumping certificate")
 }
- return ioutil.ReadAll(asAnyBio(bio))
+ return io.ReadAll(asAnyBio(bio))
 }
 
 // PublicKey returns the public key embedded in the X509 certificate.
diff --git a/ctx.go b/ctx.go
index 3bebf0d..7b624d9 100644
--- a/ctx.go
+++ b/ctx.go
@@ -20,7 +20,6 @@ import "C"
 import (
 "errors"
 "fmt"
- "io/ioutil"
 "os"
 "runtime"
 "sync"
@@ -121,7 +120,7 @@ func NewCtxFromFiles(cert_file string, key_file string) (*Ctx, error) {
 return nil, err
 }
 
- cert_bytes, err := ioutil.ReadFile(cert_file)
+ cert_bytes, err := os.ReadFile(cert_file)
 if err != nil {
 return nil, err
 }
@@ -152,7 +151,7 @@ func NewCtxFromFiles(cert_file string, key_file string) (*Ctx, error) {
 }
 }
 
- key_bytes, err := ioutil.ReadFile(key_file)
+ key_bytes, err := os.ReadFile(key_file)
 if err != nil {
 return nil, err
 }
diff --git a/fips.go b/fips.go
index b15b9bf..e187ebb 100644
--- a/fips.go
+++ b/fips.go
@@ -25,8 +25,10 @@ package openssl
 */
 import "C"
 
-import "errors"
-import "runtime"
+import (
+ "errors"
+ "runtime"
+)
 
 // FIPSModeSet enables a FIPS 140-2 validated mode of operation.
 // https://wiki.openssl.org/index.php/FIPS_mode_set()
diff --git a/go.mod b/go.mod
index f5d7268..b2f36ea 100644
--- a/go.mod
+++ b/go.mod
@@ -7,4 +7,4 @@ require (
 
 require golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb // indirect
 
-go 1.17
+go 1.18
diff --git a/init.go b/init.go
index 107adee..b8c7a0d 100644
--- a/init.go
+++ b/init.go
@@ -18,65 +18,69 @@ Package openssl is a light wrapper around OpenSSL for Go. It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for: -Performance +# Performance OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol. On my lappytop, I get the following benchmarking speeds: - BenchmarkSHA1Large_openssl 1000 2611282 ns/op 401.56 MB/s - BenchmarkSHA1Large_stdlib 500 3963983 ns/op 264.53 MB/s - BenchmarkSHA1Small_openssl 1000000 3476 ns/op 0.29 MB/s - BenchmarkSHA1Small_stdlib 5000000 550 ns/op 1.82 MB/s - BenchmarkSHA256Large_openssl 200 8085314 ns/op 129.69 MB/s - BenchmarkSHA256Large_stdlib 100 18948189 ns/op 55.34 MB/s - BenchmarkSHA256Small_openssl 1000000 4262 ns/op 0.23 MB/s - BenchmarkSHA256Small_stdlib 1000000 1444 ns/op 0.69 MB/s - BenchmarkOpenSSLThroughput 100000 21634 ns/op 47.33 MB/s - BenchmarkStdlibThroughput 50000 58974 ns/op 17.36 MB/s -Interoperability + BenchmarkSHA1Large_openssl 1000 2611282 ns/op 401.56 MB/s + BenchmarkSHA1Large_stdlib 500 3963983 ns/op 264.53 MB/s + BenchmarkSHA1Small_openssl 1000000 3476 ns/op 0.29 MB/s + BenchmarkSHA1Small_stdlib 5000000 550 ns/op 1.82 MB/s + BenchmarkSHA256Large_openssl 200 8085314 ns/op 129.69 MB/s + BenchmarkSHA256Large_stdlib 100 18948189 ns/op 55.34 MB/s + BenchmarkSHA256Small_openssl 1000000 4262 ns/op 0.23 MB/s + BenchmarkSHA256Small_stdlib 1000000 1444 ns/op 0.69 MB/s + BenchmarkOpenSSLThroughput 100000 21634 ns/op 47.33 MB/s + BenchmarkStdlibThroughput 50000 58974 ns/op 17.36 MB/s + +# Interoperability Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices. 
-Greater flexibility and configuration +# Greater flexibility and configuration OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help but, but sometimes you can't help it. -Security +# Security Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now. -Usage +# Usage Starting an HTTP server that uses OpenSSL is very easy. It's as simple as: - log.Fatal(openssl.ListenAndServeTLS( - ":8443", "my_server.crt", "my_server.key", myHandler)) + + log.Fatal(openssl.ListenAndServeTLS( + ":8443", "my_server.crt", "my_server.key", myHandler)) Getting a net.Listener that uses OpenSSL is also easy: - ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key") - if err != nil { - log.Fatal(err) - } - l, err := openssl.Listen("tcp", ":7777", ctx) + + ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key") + if err != nil { + log.Fatal(err) + } + l, err := openssl.Listen("tcp", ":7777", ctx) Making a client connection is straightforward too: - ctx, err := NewCtx() - if err != nil { - log.Fatal(err) - } - err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "") - if err != nil { - log.Fatal(err) - } - conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0) + + ctx, err := NewCtx() + if err != nil { + log.Fatal(err) + } + err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "") + if err != nil { + log.Fatal(err) + } + conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0) Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library diff --git a/init_posix.go b/init_posix.go index f518d2f..8c4ffdf 100644 --- a/init_posix.go 
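Review bot: The reformatted "Security" and "Greater flexibility and configuration" sections still carry undated claims — that Go's TLS library is vulnerable to timing attacks, and that SSLv2 support is a benefit — and the new `#` headings now surface them prominently in rendered package docs. Neither sentence says when it was written, and SSLv2 is not available in current OpenSSL releases, so a reader is likely to take both as a present-day assessment. Consider qualifying them, e.g. `Historically, the author of the standard library's TLS implementation noted that ...`, and either dating or dropping the SSLv2 example. The package comment starts and ends outside this hunk.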
+++ b/init_posix.go
@@ -13,8 +13,6 @@
 // limitations under the License.
 
 //go:build (linux || darwin || solaris || freebsd || openbsd) && !windows
-// +build linux darwin solaris freebsd openbsd
-// +build !windows
 
 package openssl
 
diff --git a/init_windows.go b/init_windows.go
index 7356b6e..22c7e12 100644
--- a/init_windows.go
+++ b/init_windows.go
@@ -13,7 +13,6 @@
 // limitations under the License.
 
 //go:build windows
-// +build windows
 
 package openssl
 
diff --git a/key.go b/key.go
index 25be635..cb685d8 100644
--- a/key.go
+++ b/key.go
@@ -19,7 +19,7 @@ import "C"
 
 import (
 "errors"
- "io/ioutil"
+ "io"
 "runtime"
 "unsafe"
 )
@@ -242,7 +242,7 @@ func (key *pKey) MarshalPKCS1PrivateKeyPEM() (pem_block []byte,
 return nil, errors.New("failed dumping private key")
 }
 
- return ioutil.ReadAll(asAnyBio(bio))
+ return io.ReadAll(asAnyBio(bio))
 }
 
 func (key *pKey) MarshalPKCS1PrivateKeyDER() (der_block []byte,
@@ -257,7 +257,7 @@ func (key *pKey) MarshalPKCS1PrivateKeyDER() (der_block []byte,
 return nil, errors.New("failed dumping private key der")
 }
 
- return ioutil.ReadAll(asAnyBio(bio))
+ return io.ReadAll(asAnyBio(bio))
 }
 
 func (key *pKey) MarshalPKIXPublicKeyPEM() (pem_block []byte,
@@ -272,7 +272,7 @@ func (key *pKey) MarshalPKIXPublicKeyPEM() (pem_block []byte,
 return nil, errors.New("failed dumping public key pem")
 }
 
- return ioutil.ReadAll(asAnyBio(bio))
+ return io.ReadAll(asAnyBio(bio))
 }
 
 func (key *pKey) MarshalPKIXPublicKeyDER() (der_block []byte,
@@ -287,7 +287,7 @@ func (key *pKey) MarshalPKIXPublicKeyDER() (der_block []byte,
 return nil, errors.New("failed dumping public key der")
 }
 
- return ioutil.ReadAll(asAnyBio(bio))
+ return io.ReadAll(asAnyBio(bio))
 }
 
 // LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.
diff --git a/key_test.go b/key_test.go
index 2038a2e..25de69c 100644
--- a/key_test.go
+++ b/key_test.go
@@ -22,7 +22,7 @@ import (
 "crypto/x509"
 "encoding/hex"
 pem_pkg "encoding/pem"
- "io/ioutil"
+ "os"
 "testing"
 )
 
@@ -51,8 +51,8 @@ func TestMarshal(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(pem, certBytes) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", certBytes, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", certBytes, 0644)
 t.Fatal("invalid cert pem bytes")
 }
 
@@ -61,8 +61,8 @@ func TestMarshal(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(pem, keyBytes) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", keyBytes, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", keyBytes, 0644)
 t.Fatal("invalid private key pem bytes")
 }
 tls_cert, err := tls.X509KeyPair(certBytes, keyBytes)
@@ -94,8 +94,8 @@ func TestMarshal(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(der, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(der)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(der)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 
@@ -106,8 +106,8 @@ func TestMarshal(t *testing.T) {
 tls_pem := pem_pkg.EncodeToMemory(&pem_pkg.Block{
 Type: "PUBLIC KEY", Bytes: tls_der})
 if !bytes.Equal(pem, tls_pem) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", tls_pem, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", tls_pem, 0644)
 t.Fatal("invalid public key pem bytes")
 }
 
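Review bot: The new `os.WriteFile` calls discard their error and still write `generated`/`hardcoded` into the current working directory with mode 0644, so a mismatch leaves debugging artefacts — including the key PEM compared in the -61 hunk (`keyBytes`) — in the checkout, and a failed write goes unnoticed while the test reports only "invalid ... bytes". Since the lines are being touched anyway, write into a per-test directory and check the result, e.g. `dir := t.TempDir()` followed by `if err := os.WriteFile(filepath.Join(dir, "generated"), pem, 0o600); err != nil { t.Log(err) }` (needs `path/filepath` in the import block), or replace the files with `t.Logf` of the two values. The same pattern recurs in every other key_test.go hunk (-94, -106, -132 in TestMarshal; all of TestMarshalEC; TestMarshalEd25519 at -423). TestMarshal's body begins and ends outside this hunk.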
@@ -132,14 +132,14 @@ func TestMarshal(t *testing.T) {
 }
 
 if !bytes.Equal(new_der_from_der, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_der)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(new_der_from_der)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 
 if !bytes.Equal(new_der_from_pem, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_pem)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(new_der_from_pem)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 }
@@ -303,8 +303,8 @@ func TestMarshalEC(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(pem, prime256v1CertBytes) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", prime256v1CertBytes, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", prime256v1CertBytes, 0644)
 t.Fatal("invalid cert pem bytes")
 }
 
@@ -313,8 +313,8 @@ func TestMarshalEC(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(pem, prime256v1KeyBytes) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", prime256v1KeyBytes, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", prime256v1KeyBytes, 0644)
 t.Fatal("invalid private key pem bytes")
 }
 tls_cert, err := tls.X509KeyPair(prime256v1CertBytes, prime256v1KeyBytes)
@@ -349,8 +349,8 @@ func TestMarshalEC(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(der, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(der)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(der)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 
@@ -361,8 +361,8 @@ func TestMarshalEC(t *testing.T) {
 tls_pem := pem_pkg.EncodeToMemory(&pem_pkg.Block{
 Type: "PUBLIC KEY", Bytes: tls_der})
 if !bytes.Equal(pem, tls_pem) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", tls_pem, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", tls_pem, 0644)
 t.Fatal("invalid public key pem bytes")
 }
 
@@ -387,14 +387,14 @@ func TestMarshalEC(t *testing.T) {
 }
 
 if !bytes.Equal(new_der_from_der, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_der)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(new_der_from_der)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 
 if !bytes.Equal(new_der_from_pem, tls_der) {
- ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_pem)), 0644)
- ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ os.WriteFile("generated", []byte(hex.Dump(new_der_from_pem)), 0644)
+ os.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
 t.Fatal("invalid public key der bytes")
 }
 }
@@ -423,8 +423,8 @@ func TestMarshalEd25519(t *testing.T) {
 t.Fatal(err)
 }
 if !bytes.Equal(pem, ed25519CertBytes) {
- ioutil.WriteFile("generated", pem, 0644)
- ioutil.WriteFile("hardcoded", ed25519CertBytes, 0644)
+ os.WriteFile("generated", pem, 0644)
+ os.WriteFile("hardcoded", ed25519CertBytes, 0644)
 t.Fatal("invalid cert pem bytes")
 }
 
diff --git a/ssl_test.go b/ssl_test.go
index dea3bdd..bad5673 100644
--- a/ssl_test.go
+++ b/ssl_test.go
@@ -19,7 +19,6 @@ import (
 "crypto/rand"
 "crypto/tls"
 "io"
- "io/ioutil"
 "net"
 "sync"
 "testing"
@@ -283,7 +282,7 @@ func ClosingTest(t *testing.T, constructor func(
 go func() {
 defer wg.Done()
- data, err := ioutil.ReadAll(sslconn2)
+ data, err := io.ReadAll(sslconn2)
 if !bytes.Equal(data, []byte("hello")) {
 t.Error("bytes don't match")
 }
@@ -589,7 +588,7 @@ func LotsOfConns(t *testing.T, payload_size int64, loops, clients int,
 }
 }()
 for i := 0; i < loops; i++ {
- _, err := io.Copy(ioutil.Discard,
+ _, err := io.Copy(io.Discard,
 io.LimitReader(conn, payload_size))
 if err != nil {
 t.Errorf("failed reading: %s", err)
@@ -635,7 +634,7 @@ func LotsOfConns(t *testing.T, payload_size int64, loops, clients int,
 t.Errorf("failed writing: %s", err)
 return
 }
- _, err = io.Copy(ioutil.Discard,
+ _, err = io.Copy(io.Discard,
 io.LimitReader(ssl_client, payload_size))
 if err != nil {
 t.Errorf("failed reading: %s", err)