diff: hide types.Any from clients

This commit hides types.Any from the diff package's interface. Clients
(incl. imgcrypt) shouldn't aware about gogo/protobuf.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>

vendor/github.com/containerd/imgcrypt/CHANGES

@@ -1,5 +1,13 @@
 CHANGES
 
+v1.1.4:
+  - Fixed issue in CheckAuthorization() callpath for images with a ManifestList
+    - CVE-2022-24778
+    - Fix: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
+    - Added test case covering this
+  - Updated to ocicrypt 1.1.3
+  - Updated to containerd 1.6.1
+
 v1.1.3:
   - Release v1.1.3 addresses issue #62 due to re-tagging of v1.1.2
   - docs: update referenced containerd project branch to main

vendor/github.com/containerd/imgcrypt/images/encryption/any.go

@@ -18,8 +18,6 @@ package encryption
 
 import "github.com/gogo/protobuf/types"
 
-type anyMap map[string]*types.Any
-
 type any interface {
 	GetTypeUrl() string
 	GetValue() []byte

vendor/github.com/containerd/imgcrypt/images/encryption/client.go

@@ -34,19 +34,14 @@ import (
 // WithDecryptedUnpack allows to pass parameters the 'layertool' needs to the applier
 func WithDecryptedUnpack(data *imgcrypt.Payload) diff.ApplyOpt {
 	return func(_ context.Context, desc ocispec.Descriptor, c *diff.ApplyConfig) error {
-		if c.ProcessorPayloads == nil {
-			c.ProcessorPayloads = make(anyMap)
-		}
 		data.Descriptor = desc
 		any, err := typeurl.MarshalAny(data)
 		if err != nil {
 			return fmt.Errorf("failed to marshal payload: %w", err)
 		}
 
-		pbany := fromAny(any)
-
 		for _, id := range imgcrypt.PayloadToolIDs {
-			c.ProcessorPayloads[id] = pbany
+			setProcessorPayload(c, id, any)
 		}
 		return nil
 	}

vendor/github.com/containerd/imgcrypt/images/encryption/payload.go

@@ -0,0 +1,53 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package encryption
+
+import (
+	"reflect"
+
+	"github.com/containerd/containerd/diff"
+	"github.com/gogo/protobuf/types"
+)
+
+var processorPayloadsUseGogo bool
+
+func init() {
+	var c = &diff.ApplyConfig{}
+	var pbany *types.Any
+
+	pp := reflect.TypeOf(c.ProcessorPayloads)
+	processorPayloadsUseGogo = pp.Elem() == reflect.TypeOf(pbany)
+}
+
+func clearProcessorPayloads(c *diff.ApplyConfig) {
+	var empty = reflect.MakeMap(reflect.TypeOf(c.ProcessorPayloads))
+	reflect.ValueOf(&c.ProcessorPayloads).Elem().Set(empty)
+}
+
+func setProcessorPayload(c *diff.ApplyConfig, id string, value any) {
+	if c.ProcessorPayloads == nil {
+		clearProcessorPayloads(c)
+	}
+
+	var v reflect.Value
+	if processorPayloadsUseGogo {
+		v = reflect.ValueOf(fromAny(value))
+	} else {
+		v = reflect.ValueOf(value)
+	}
+	reflect.ValueOf(c.ProcessorPayloads).SetMapIndex(reflect.ValueOf(id), v)
+}