open-vault/internal/go118_sha1_patch.go

60 lines
1.6 KiB
Go
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package internal
import (
"fmt"
"os"
"sync"
_ "unsafe" // for go:linkname
goversion "github.com/hashicorp/go-version"
"github.com/hashicorp/vault/version"
)
const sha1PatchVersionsBefore = "1.12.0"
var patchSha1 sync.Once
//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
var debugAllowSHA1 bool
// PatchSha1 patches Go 1.18+ to allow certificates with signatures containing SHA-1 hashes to be allowed.
// It is safe to call this function multiple times.
// This is necessary to allow Vault 1.10 and 1.11 to work with Go 1.18+ without breaking backwards compatibility
// with these certificates. See https://go.dev/doc/go1.18#sha1 and
// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1
// for more details.
// TODO: remove when Vault <=1.11 is no longer supported
func PatchSha1() {
patchSha1.Do(func() {
// for Go 1.19.4 and later
godebug := os.Getenv("GODEBUG")
if godebug != "" {
godebug += ","
}
godebug += "x509sha1=1"
os.Setenv("GODEBUG", godebug)
// for Go 1.19.3 and earlier, patch the variable
patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
if err != nil {
panic(err)
}
patch := false
v, err := goversion.NewSemver(version.GetVersion().Version)
if err == nil {
patch = v.LessThan(patchBefore)
} else {
fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", version.GetVersion().Version)
patch = true
}
if patch {
debugAllowSHA1 = true
}
})
}