Stop using ECDSA_* function for signatures

For creating and verifying ECDSA signatures in a pre-hashed manner, we
used the legacy ECDSA_sign and ECDSA_verify functions, which bypass
the system-wide restriction on ECDSA.

This switches to using our _goboringcrypto_EVP_{sign,verify}_raw,
which internally use EVP_PKEY_ functions.

Signed-off-by: Daiki Ueno <[email protected]>

Author: ueno

openssl/ecdsa.go

@@ -131,12 +131,13 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
 func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 	size := C._goboringcrypto_ECDSA_size(priv.key)
 	sig := make([]byte, size)
-	var sigLen C.size_t
+	var sigLen C.size_t = C.size_t(size)
 	md := cryptoHashToMD(h)
 	if md == nil {
 		panic("boring: invalid hash")
 	}
-	if C._goboringcrypto_ECDSA_sign(md, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
+	if C._goboringcrypto_ECDSA_sign(md, base(hash), C.size_t(len(hash)),
+		(*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
 		return nil, nil, NewOpenSSLError("ECDSA_sign failed")
 	}
 	runtime.KeepAlive(priv)
@@ -151,18 +152,19 @@ func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int,
 func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
 	size := C._goboringcrypto_ECDSA_size(priv.key)
 	sig := make([]byte, size)
-	var sigLen C.uint
-	ok := C._goboringcrypto_internal_ECDSA_sign(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) > 0
-	if !ok {
-		return nil, NewOpenSSLError(("ECDSA_sign failed"))
+	var sigLen C.size_t = C.size_t(size)
+	if C._goboringcrypto_ECDSA_sign_raw(nil, base(hash), C.size_t(len(hash)),
+		(*C.uint8_t)(unsafe.Pointer(&sig[0])), &sigLen, priv.key) == 0 {
+		return nil, NewOpenSSLError("ECDSA_sign failed")
 	}
 
 	runtime.KeepAlive(priv)
 	return sig[:sigLen], nil
 }
 
 func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
-	ok := C._goboringcrypto_internal_ECDSA_verify(0, base(hash), C.size_t(len(hash)), (*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
+	ok := C._goboringcrypto_ECDSA_verify_raw(nil, base(hash), C.size_t(len(hash)),
+		(*C.uint8_t)(unsafe.Pointer(&sig[0])), C.uint(len(sig)), pub.key) > 0
 	runtime.KeepAlive(pub)
 	return ok
 }

openssl/goopenssl.h

@@ -499,22 +499,8 @@ _goboringcrypto_EC_KEY_oct2key(GO_EC_KEY *eckey, const unsigned char *buf, size_
 
 #include <openssl/ecdsa.h>
 
-typedef ECDSA_SIG GO_ECDSA_SIG;
-
-DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_SIG_new, (void), ())
-DEFINEFUNC(void, ECDSA_SIG_free, (GO_ECDSA_SIG * arg0), (arg0))
-DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_do_sign, (const uint8_t *arg0, size_t arg1, const GO_EC_KEY *arg2), (arg0, arg1, arg2))
-DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
 DEFINEFUNC(size_t, ECDSA_size, (const GO_EC_KEY *arg0), (arg0))
 
-DEFINEFUNCINTERNAL(int, ECDSA_sign, 
-	(int type, const unsigned char *dgst, size_t dgstlen, unsigned char *sig, unsigned int *siglen, EC_KEY *eckey),
-	(type, dgst, dgstlen, sig, siglen, eckey))
-
-DEFINEFUNCINTERNAL(int, ECDSA_verify, 
-	(int type, const unsigned char *dgst, size_t dgstlen, const unsigned char *sig, unsigned int siglen, EC_KEY *eckey),
-	(type, dgst, dgstlen, sig, siglen, eckey))
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 DEFINEFUNC(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
 #else
@@ -578,6 +564,13 @@ DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
 
 int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, size_t *arg4, GO_EC_KEY *arg5);
 int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
+int _goboringcrypto_ECDSA_sign_raw(EVP_MD *md, const uint8_t *msg,
+				   size_t msgLen, uint8_t *sig, size_t *slen,
+				   GO_EC_KEY *ec_key);
+int _goboringcrypto_ECDSA_verify_raw(EVP_MD *md,
+				     const uint8_t *msg, size_t msgLen,
+				     const uint8_t *sig, unsigned int slen,
+				     GO_EC_KEY *ec_key);
 
 #include <openssl/rsa.h>
 

openssl/notboring.go

@@ -58,13 +58,16 @@ func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error)
 func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
 	panic("boringcrypto: not available")
 }
-func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s BigInt, err error) {
+func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s BigInt, err error) {
 	panic("boringcrypto: not available")
 }
-func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) ([]byte, error) {
+func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 	panic("boringcrypto: not available")
 }
-func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, r, s BigInt, h crypto.Hash) bool {
+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
+	panic("boringcrypto: not available")
+}
+func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, r, s BigInt) bool {
 	panic("boringcrypto: not available")
 }
 

openssl/openssl_ecdsa_signature.c

@@ -44,3 +44,78 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *msg, size_t msgLen,
   _goboringcrypto_EVP_PKEY_free(key);
   return result;
 }
+
+int _goboringcrypto_ECDSA_sign_raw(EVP_MD *md, const uint8_t *msg,
+				   size_t msgLen, uint8_t *sig, size_t *slen,
+				   GO_EC_KEY *ec_key) {
+  int ret = 0;
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pkey = NULL;
+
+  pkey = _goboringcrypto_EVP_PKEY_new();
+  if (!pkey)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(pkey, ec_key) != 1)
+    goto err;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL);
+  if (!ctx)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_sign_init(ctx) != 1)
+    goto err;
+
+  if (md && _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) != 1)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_sign(ctx, sig, slen, msg, msgLen) != 1)
+    goto err;
+
+  /* Success */
+  ret = 1;
+
+err:
+  _goboringcrypto_EVP_PKEY_CTX_free(ctx);
+  _goboringcrypto_EVP_PKEY_free(pkey);
+
+  return ret;
+}
+
+int _goboringcrypto_ECDSA_verify_raw(EVP_MD *md,
+				     const uint8_t *msg, size_t msgLen,
+				     const uint8_t *sig, unsigned int slen,
+				     GO_EC_KEY *ec_key) {
+  int ret = 0;
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pkey = NULL;
+
+  pkey = _goboringcrypto_EVP_PKEY_new();
+  if (!pkey)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(pkey, ec_key) != 1)
+    goto err;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL);
+  if (!ctx)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_verify_init(ctx) != 1)
+    goto err;
+
+  if (md && _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) != 1)
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, slen, msg, msgLen) != 1)
+    goto err;
+
+  /* Success */
+  ret = 1;
+
+err:
+  _goboringcrypto_EVP_PKEY_CTX_free(ctx);
+  _goboringcrypto_EVP_PKEY_free(pkey);
+
+  return ret;
+}