Bump Go deps

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2021 Swisscom (Switzerland) Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/algorithms/aead_aes_256_cbc_hmac_sha256.go

@@ -0,0 +1,120 @@
+package algorithms
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"fmt"
+
+	"github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/crypto"
+	"github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/encryption"
+	"github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/keys"
+)
+
+// https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05
+// https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-TDS/%5bMS-TDS%5d.pdf
+
+var _ Algorithm = &AeadAes256CbcHmac256Algorithm{}
+
+type AeadAes256CbcHmac256Algorithm struct {
+	algorithmVersion                        byte
+	deterministic                           bool
+	blockSizeBytes                          int
+	keySizeBytes                            int
+	minimumCipherTextLengthBytesNoAuthTag   int
+	minimumCipherTextLengthBytesWithAuthTag int
+	cek                                     keys.AeadAes256CbcHmac256
+	version                                 []byte
+	versionSize                             []byte
+}
+
+func NewAeadAes256CbcHmac256Algorithm(key keys.AeadAes256CbcHmac256, encType encryption.Type, algorithmVersion byte) AeadAes256CbcHmac256Algorithm {
+	const keySizeBytes = 256 / 8
+	const blockSizeBytes = 16
+	const minimumCipherTextLengthBytesNoAuthTag = 1 + 2*blockSizeBytes
+	const minimumCipherTextLengthBytesWithAuthTag = minimumCipherTextLengthBytesNoAuthTag + keySizeBytes
+
+	a := AeadAes256CbcHmac256Algorithm{
+		algorithmVersion:                        algorithmVersion,
+		deterministic:                           encType.Deterministic,
+		blockSizeBytes:                          blockSizeBytes,
+		keySizeBytes:                            keySizeBytes,
+		cek:                                     key,
+		minimumCipherTextLengthBytesNoAuthTag:   minimumCipherTextLengthBytesNoAuthTag,
+		minimumCipherTextLengthBytesWithAuthTag: minimumCipherTextLengthBytesWithAuthTag,
+		version:                                 []byte{0x01},
+		versionSize:                             []byte{1},
+	}
+
+	a.version[0] = algorithmVersion
+	return a
+}
+
+func (a *AeadAes256CbcHmac256Algorithm) Encrypt(cleartext []byte) ([]byte, error) {
+	buf := make([]byte, 0)
+	var iv []byte
+	if a.deterministic {
+		iv = crypto.Sha256Hmac(cleartext, a.cek.IvKey())
+		if len(iv) > a.blockSizeBytes {
+			iv = iv[:a.blockSizeBytes]
+		}
+	} else {
+		iv = make([]byte, a.blockSizeBytes)
+		_, err := rand.Read(iv)
+		if err != nil {
+			panic(err)
+		}
+	}
+	buf = append(buf, a.algorithmVersion)
+	aescdbc := crypto.NewAESCbcPKCS5(a.cek.EncryptionKey(), iv)
+	ciphertext := aescdbc.Encrypt(cleartext)
+	authTag := a.prepareAuthTag(iv, ciphertext)
+	buf = append(buf, authTag...)
+	buf = append(buf, iv...)
+	buf = append(buf, ciphertext...)
+	return buf, nil
+}
+
+func (a *AeadAes256CbcHmac256Algorithm) Decrypt(ciphertext []byte) ([]byte, error) {
+	// This algorithm always has the auth tag!
+	minimumCiphertextLength := a.minimumCipherTextLengthBytesWithAuthTag
+
+	if len(ciphertext) < minimumCiphertextLength {
+		return nil, fmt.Errorf("invalid ciphertext length: at least %v bytes expected", minimumCiphertextLength)
+	}
+
+	idx := 0
+	if ciphertext[idx] != a.algorithmVersion {
+		return nil, fmt.Errorf("invalid algorithm version used: %v found but %v expected", ciphertext[idx],
+			a.algorithmVersion)
+	}
+
+	idx++
+	authTag := ciphertext[idx : idx+a.keySizeBytes]
+	idx += a.keySizeBytes
+
+	iv := ciphertext[idx : idx+a.blockSizeBytes]
+	idx += len(iv)
+
+	realCiphertext := ciphertext[idx:]
+	ourAuthTag := a.prepareAuthTag(iv, realCiphertext)
+
+	// bytes.Compare is subject to timing attacks
+	if subtle.ConstantTimeCompare(ourAuthTag, authTag) != 1 {
+		return nil, fmt.Errorf("invalid auth tag")
+	}
+
+	// decrypt
+	aescdbc := crypto.NewAESCbcPKCS5(a.cek.EncryptionKey(), iv)
+	cleartext := aescdbc.Decrypt(realCiphertext)
+
+	return cleartext, nil
+}
+
+func (a *AeadAes256CbcHmac256Algorithm) prepareAuthTag(iv []byte, ciphertext []byte) []byte {
+	var input = make([]byte, 0)
+	input = append(input, a.algorithmVersion)
+	input = append(input, iv...)
+	input = append(input, ciphertext...)
+	input = append(input, a.versionSize...)
+	return crypto.Sha256Hmac(input, a.cek.MacKey())
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/algorithms/algorithm.go

@@ -0,0 +1,6 @@
+package algorithms
+
+type Algorithm interface {
+	Encrypt([]byte) ([]byte, error)
+	Decrypt([]byte) ([]byte, error)
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/crypto/aes_cbc_pkcs5.go

@@ -0,0 +1,69 @@
+package crypto
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"fmt"
+)
+
+// Inspired by: https://gist.github.com/hothero/7d085573f5cb7cdb5801d7adcf66dcf3
+
+type AESCbcPKCS5 struct {
+	key   []byte
+	iv    []byte
+	block cipher.Block
+}
+
+func NewAESCbcPKCS5(key []byte, iv []byte) AESCbcPKCS5 {
+	a := AESCbcPKCS5{
+		key:   key,
+		iv:    iv,
+		block: nil,
+	}
+	a.initCipher()
+	return a
+}
+
+func (a AESCbcPKCS5) Encrypt(cleartext []byte) (cipherText []byte) {
+	if a.block == nil {
+		a.initCipher()
+	}
+
+	blockMode := cipher.NewCBCEncrypter(a.block, a.iv)
+	paddedCleartext := PKCS5Padding(cleartext, blockMode.BlockSize())
+	cipherText = make([]byte, len(paddedCleartext))
+	blockMode.CryptBlocks(cipherText, paddedCleartext)
+	return
+}
+
+func (a AESCbcPKCS5) Decrypt(ciphertext []byte) []byte {
+	if a.block == nil {
+		a.initCipher()
+	}
+
+	blockMode := cipher.NewCBCDecrypter(a.block, a.iv)
+	var cleartext = make([]byte, len(ciphertext))
+	blockMode.CryptBlocks(cleartext, ciphertext)
+	return PKCS5Trim(cleartext)
+}
+
+func PKCS5Padding(inArr []byte, blockSize int) []byte {
+	padding := blockSize - len(inArr)%blockSize
+	padText := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(inArr, padText...)
+}
+
+func PKCS5Trim(inArr []byte) []byte {
+	padding := inArr[len(inArr)-1]
+	return inArr[:len(inArr)-int(padding)]
+}
+
+func (a *AESCbcPKCS5) initCipher() {
+	block, err := aes.NewCipher(a.key)
+	if err != nil {
+		panic(fmt.Errorf("unable to create cipher: %v", err))
+	}
+
+	a.block = block
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/crypto/utils.go

@@ -0,0 +1,12 @@
+package crypto
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+)
+
+func Sha256Hmac(input []byte, key []byte) []byte {
+	sha256Hmac := hmac.New(sha256.New, key)
+	sha256Hmac.Write(input)
+	return sha256Hmac.Sum(nil)
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/encryption/type.go

@@ -0,0 +1,37 @@
+package encryption
+
+type Type struct {
+	Deterministic bool
+	Name          string
+	Value         byte
+}
+
+var Plaintext = Type{
+	Deterministic: false,
+	Name:          "Plaintext",
+	Value:         0,
+}
+
+var Deterministic = Type{
+	Deterministic: true,
+	Name:          "Deterministic",
+	Value:         1,
+}
+
+var Randomized = Type{
+	Deterministic: false,
+	Name:          "Randomized",
+	Value:         2,
+}
+
+func From(encType byte) Type {
+	switch encType {
+	case 0:
+		return Plaintext
+	case 1:
+		return Deterministic
+	case 2:
+		return Randomized
+	}
+	return Plaintext
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/keys/aead_aes_256_cbc_hmac_256.go

@@ -0,0 +1,51 @@
+package keys
+
+import (
+	"fmt"
+
+	"github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/crypto"
+	"github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/utils"
+)
+
+var _ Key = &AeadAes256CbcHmac256{}
+
+type AeadAes256CbcHmac256 struct {
+	rootKey       []byte
+	encryptionKey []byte
+	macKey        []byte
+	ivKey         []byte
+}
+
+func NewAeadAes256CbcHmac256(rootKey []byte) AeadAes256CbcHmac256 {
+	const keySize = 256
+	const encryptionKeySaltFormat = "Microsoft SQL Server cell encryption key with encryption algorithm:%v and key length:%v"
+	const macKeySaltFormat = "Microsoft SQL Server cell MAC key with encryption algorithm:%v and key length:%v"
+	const ivKeySaltFormat = "Microsoft SQL Server cell IV key with encryption algorithm:%v and key length:%v"
+	const algorithmName = "AEAD_AES_256_CBC_HMAC_SHA256"
+
+	encryptionKeySalt := utils.ProcessUTF16LE(fmt.Sprintf(encryptionKeySaltFormat, algorithmName, keySize))
+	macKeySalt := utils.ProcessUTF16LE(fmt.Sprintf(macKeySaltFormat, algorithmName, keySize))
+	ivKeySalt := utils.ProcessUTF16LE(fmt.Sprintf(ivKeySaltFormat, algorithmName, keySize))
+
+	return AeadAes256CbcHmac256{
+		rootKey:       rootKey,
+		encryptionKey: crypto.Sha256Hmac(encryptionKeySalt, rootKey),
+		macKey:        crypto.Sha256Hmac(macKeySalt, rootKey),
+		ivKey:         crypto.Sha256Hmac(ivKeySalt, rootKey)}
+}
+
+func (a AeadAes256CbcHmac256) IvKey() []byte {
+	return a.ivKey
+}
+
+func (a AeadAes256CbcHmac256) MacKey() []byte {
+	return a.macKey
+}
+
+func (a AeadAes256CbcHmac256) EncryptionKey() []byte {
+	return a.encryptionKey
+}
+
+func (a AeadAes256CbcHmac256) RootKey() []byte {
+	return a.rootKey
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/keys/key.go

@@ -0,0 +1,5 @@
+package keys
+
+type Key interface {
+	RootKey() []byte
+}

vendor/github.com/microsoft/go-mssqldb/internal/github.com/swisscom/mssql-always-encrypted/pkg/utils/utf16.go

@@ -0,0 +1,18 @@
+package utils
+
+import (
+	"encoding/binary"
+	"unicode/utf16"
+)
+
+func ConvertUTF16ToLittleEndianBytes(u []uint16) []byte {
+	b := make([]byte, 2*len(u))
+	for index, value := range u {
+		binary.LittleEndian.PutUint16(b[index*2:], value)
+	}
+	return b
+}
+
+func ProcessUTF16LE(inputString string) []byte {
+	return ConvertUTF16ToLittleEndianBytes(utf16.Encode([]rune(inputString)))
+}