9d5f021792
Bad news: the hot patch we were using breaks in Go 1.19.4: 6109c07ec4
Good news: we can now patch with an environment variable at runtime.
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
package internal
import (
"fmt"
"os"
"sync"
_ "unsafe" // for go:linkname
goversion "github.com/hashicorp/go-version"
"github.com/hashicorp/vault/sdk/version"
)
// sha1PatchVersionsBefore is the first Vault version (semver) that does NOT
// receive the SHA-1 workaround: only builds reporting an older version are
// patched (see PatchSha1). Bump with care — widening it re-enables SHA-1
// certificate signatures process-wide for more releases.
const sha1PatchVersionsBefore = "1.12.0"
// patchSha1 guards PatchSha1 so the process-wide change (environment and
// linknamed variable) is applied exactly once, however many callers race on it.
var patchSha1 sync.Once
// debugAllowSHA1 aliases the unexported crypto/x509 variable of the same name
// via go:linkname. On Go 1.19.3 and earlier this is the only way to re-enable
// SHA-1 signature verification after startup (see PatchSha1); the commit
// introducing the GODEBUG route notes that this hot patch no longer works from
// Go 1.19.4. NOTE(review): on toolchains where crypto/x509 no longer declares
// this variable, the directive merely names a local symbol and writes to it
// have no effect on certificate verification — confirm against the Go version
// actually used to build.
//
//go:linkname debugAllowSHA1 crypto/x509.debugAllowSHA1
var debugAllowSHA1 bool
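// PatchSha1 re-enables verification of X.509 certificates whose signatures use
// SHA-1, which Go 1.18+ rejects by default (https://go.dev/doc/go1.18#sha1).
//
// This is a process-wide relaxation: afterwards every crypto/x509 verification
// in the binary — not only Vault's own listeners and clients — accepts SHA-1
// signatures, so it is deliberately limited to the releases that need it.
//
// Two mechanisms are applied, because the Go runtime changed how the setting
// is consumed:
//   - "x509sha1=1" is appended to GODEBUG in the process environment, which
//     Go 1.19.4 and later honour at verification time;
//   - the crypto/x509.debugAllowSHA1 variable is set directly via go:linkname,
//     which is what Go 1.19.3 and earlier consult.
//
// Both are gated on the SDK's reported Vault version being older than
// sha1PatchVersionsBefore: Vault 1.10 and 1.11 need this to keep working with
// existing certificates, whereas from 1.12 on SHA-1 certificates are
// deprecated and operators opt in with GODEBUG themselves (see
// https://developer.hashicorp.com/vault/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1).
// Previously only the linkname path was version-gated while GODEBUG was set
// unconditionally; the gate now covers both so newer builds are not relaxed.
// If the version string cannot be parsed the workaround is applied (fail open
// to the legacy behaviour) and a warning is written to stderr.
//
// PatchSha1 is safe to call concurrently and multiple times; the work runs
// exactly once per process.
// TODO: remove when Vault <=1.11 is no longer supported
func PatchSha1() {
	patchSha1.Do(func() {
		if !shouldPatchSha1() {
			return
		}

		// Go 1.19.4 and later: the setting is read from GODEBUG at
		// verification time. The entry is appended last so that it wins over
		// any x509sha1= value already present in the operator's GODEBUG
		// (NOTE(review): assumes the runtime applies the last occurrence —
		// confirm against the Go version in use).
		godebug := os.Getenv("GODEBUG")
		if godebug != "" {
			godebug += ","
		}
		godebug += "x509sha1=1"
		if err := os.Setenv("GODEBUG", godebug); err != nil {
			// Best effort: the linkname path below may still apply on older
			// toolchains, so report rather than abort.
			fmt.Fprintf(os.Stderr, "Cannot set GODEBUG=%s to allow SHA-1 certificate signatures: %v\n", godebug, err)
		}

		// Go 1.19.3 and earlier: overwrite the package variable in place. On
		// newer toolchains this assignment is harmless but has no effect.
		debugAllowSHA1 = true
	})
}

// shouldPatchSha1 reports whether the SHA-1 workaround applies to this build:
// true when the SDK's Vault version parses and is older than
// sha1PatchVersionsBefore, and also true (with a warning on stderr) when the
// version string cannot be parsed, preserving the original fail-open choice.
// It panics if sha1PatchVersionsBefore itself is not valid semver, which is a
// programming error rather than a runtime condition.
func shouldPatchSha1() bool {
	patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
	if err != nil {
		panic(err)
	}

	current := version.GetVersion().Version
	v, err := goversion.NewSemver(current)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Cannot parse version %s; going to apply SHA-1 deprecation patch workaround\n", current)
		return true
	}
	return v.LessThan(patchBefore)
}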