Skip to content

Commit

Permalink
Backport Marvin fix
Browse files Browse the repository at this point in the history
  • Loading branch information
derekparker committed Feb 9, 2024
1 parent c6b1ab9 commit 6ec85ea
Show file tree
Hide file tree
Showing 2 changed files with 1,782 additions and 30 deletions.
62 changes: 32 additions & 30 deletions patches/001-initial-openssl-for-fips.patch
Original file line number Diff line number Diff line change
Expand Up @@ -5545,7 +5545,8 @@ index 64c83c21c5..f48c57adff 100644
key := C._goboringcrypto_RSA_new()
if key == nil {
- return nil, fail("RSA_new")
- }
+ return nil, NewOpenSSLError("RSA_new failed")
}
- if !bigToBn(&key.n, N) ||
- !bigToBn(&key.e, E) ||
- !bigToBn(&key.d, D) ||
Expand All @@ -5555,8 +5556,6 @@ index 64c83c21c5..f48c57adff 100644
- !bigToBn(&key.dmq1, Dq) ||
- !bigToBn(&key.iqmp, Qinv) {
- return nil, fail("BN_bin2bn")
+ return nil, NewOpenSSLError("RSA_new failed")
+ }
+ var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM
+ n = bigToBN(N)
+ e = bigToBN(E)
Expand Down Expand Up @@ -5728,66 +5727,69 @@ index 64c83c21c5..f48c57adff 100644
return out[:outLen], nil
}

- md := cryptoHashToMD(h)
- if md == nil {
- return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
+ var out []byte
+ var outLen C.size_t
+
+ if priv.withKey(func(key *C.GO_RSA) C.int {
+ return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
+ }) == 0 {
+ return nil, NewOpenSSLError("RSA_sign")
}
- nid := C._goboringcrypto_EVP_MD_type(md)
+ }
+ return out[:outLen], nil
+}
+
+func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byte, error) {
var out []byte
- var outLen C.uint
+ var out []byte
+ var outLen C.size_t
+ PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
+
if priv.withKey(func(key *C.GO_RSA) C.int {
out = make([]byte, C._goboringcrypto_RSA_size(key))
- return C._goboringcrypto_RSA_sign(nid, base(hashed), C.uint(len(hashed)),
- base(out), &outLen, key)
+ if priv.withKey(func(key *C.GO_RSA) C.int {
+ out = make([]byte, C._goboringcrypto_RSA_size(key))
+ outLen = C.size_t(len(out))
+ return C._goboringcrypto_EVP_sign_raw(md, nil, base(msg),
+ C.size_t(len(msg)), base(out), &outLen, key)
}) == 0 {
- return nil, fail("RSA_sign")
+ }) == 0 {
+ return nil, NewOpenSSLError("RSA_sign")
}
+ }
+ runtime.KeepAlive(priv)
return out[:outLen], nil
}

-func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
- if h == 0 {
- var out []byte
- var outLen C.size_t
+ return out[:outLen], nil
+}
+
+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsHashed bool) error {
+ if h == 0 && ExecutingTest() {
+ return verifyRSAPKCS1v15Raw(pub, msg, sig)
+ }
+
+ md := cryptoHashToMD(h)
+ if md == nil {
md := cryptoHashToMD(h)
if md == nil {
- return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
+ return errors.New("crypto/rsa: unsupported hash function")
+ }
}
- nid := C._goboringcrypto_EVP_MD_type(md)
- var out []byte
- var outLen C.uint
- if priv.withKey(func(key *C.GO_RSA) C.int {
- out = make([]byte, C._goboringcrypto_RSA_size(key))
- return C._goboringcrypto_RSA_sign(nid, base(hashed), C.uint(len(hashed)),
- base(out), &outLen, key)
+
+ if pub.withKey(func(key *C.GO_RSA) C.int {
+ size := int(C._goboringcrypto_RSA_size(key))
+ if len(sig) < size {
+ return 0
+ }
+ return 1
+ }) == 0 {
}) == 0 {
- return nil, fail("RSA_sign")
+ return errors.New("crypto/rsa: verification error")
+ }
+
}
- return out[:outLen], nil
-}

-func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
- if h == 0 {
- var out []byte
- var outLen C.size_t
+ if msgIsHashed {
+ PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 verification and use HashVerifyPKCS1v15 instead of VerifyPKCS1v15")
+ nid := C._goboringcrypto_EVP_MD_type(md)
Expand Down
Loading

0 comments on commit 6ec85ea

Please sign in to comment.