
Commit ecbcc6d

committed
Stop using RSA_* functions
For creating and verifying PKCS#1 v1.5 signatures in a pre-hashed manner, we used the legacy RSA_sign and RSA_verify functions. These bypass the system-wide disablement of SHA-1 and of shorter RSA key lengths, which is inconsistent with the OpenSSL 3.0 default on RHEL. This commit switches to our _goboringcrypto_EVP_{sign,verify}_raw, which internally use EVP_PKEY_ functions.

Signed-off-by: Daiki Ueno <[email protected]>
1 parent 5e3abca commit ecbcc6d


3 files changed

+47
-57
lines changed


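--- a/openssl/goopenssl.h
+++ b/openssl/goopenssl.h
@@ -554,14 +554,14 @@ DEFINEFUNC(int, EVP_DigestVerifyFinal,
 
 typedef RSA GO_RSA;
 int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
-int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-size_t msgLen, uint8_t *sig, size_t *slen,
-GO_RSA *key);
+int _goboringcrypto_EVP_sign_raw(EVP_MD *md, const uint8_t *msg, size_t msgLen,
+uint8_t *sig, size_t *slen,
+GO_RSA *key);
 
 int _goboringcrypto_EVP_verify(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, EVP_PKEY *key);
-int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-const uint8_t *sig, unsigned int slen,
-GO_RSA *key);
+int _goboringcrypto_EVP_verify_raw(EVP_MD *md, const uint8_t *msg, size_t msgLen,
+const uint8_t *sig, unsigned int slen,
+GO_RSA *key);
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
@@ -585,18 +585,6 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int
 
 DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
 DEFINEFUNC(void, RSA_free, (GO_RSA * arg0), (arg0))
-DEFINEFUNC(int, RSA_private_encrypt,
-(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-(flen, from, to, rsa, padding))
-DEFINEFUNC(int, RSA_public_decrypt,
-(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-(flen, from, to, rsa, padding))
-DEFINEFUNC(int, RSA_sign,
-(int arg0, const uint8_t *arg1, unsigned int arg2, uint8_t *arg3, unsigned int *arg4, GO_RSA *arg5),
-(arg0, arg1, arg2, arg3, arg4, arg5))
-DEFINEFUNC(int, RSA_verify,
-(int arg0, const uint8_t *arg1, unsigned int arg2, const uint8_t *arg3, unsigned int arg4, GO_RSA *arg5),
-(arg0, arg1, arg2, arg3, arg4, arg5))
 DEFINEFUNC(int, RSA_generate_key_ex,
 (GO_RSA * arg0, int arg1, GO_BIGNUM *arg2, GO_BN_GENCB *arg3),
 (arg0, arg1, arg2, arg3))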
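Review bot: Both `_raw` prototypes (new lines 557-559 and 562-564) now take an `md` argument that the Go callers on this page pass as nil in one path, and the header does not say what NULL means. A comment above them such as `/* md may be NULL: no signature digest is set and msg is PKCS#1 v1.5-padded as-is; otherwise msg is taken as a precomputed md digest. */` would document that contract. The two declarations also still disagree on the length type (`size_t *slen` for signing, `unsigned int slen` for verifying), which this signature change was a chance to align.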

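--- a/openssl/openssl_evp.c
+++ b/openssl/openssl_evp.c
@@ -38,19 +38,29 @@ int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
 return ret;
 }
 
-int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-size_t msgLen, uint8_t *sig, size_t *slen,
-GO_RSA *rsa_key) {
+int _goboringcrypto_EVP_sign_raw(EVP_MD *md, const uint8_t *msg,
+size_t msgLen, uint8_t *sig, size_t *slen,
+GO_RSA *rsa_key) {
 int ret = 0;
-GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+GO_EVP_PKEY_CTX *ctx = NULL;
+GO_EVP_PKEY *pk = NULL;
+
+pk = _goboringcrypto_EVP_PKEY_new();
+if (!pk)
+goto err;
+
 _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
 
-if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL);
+if (!ctx)
 goto err;
 
 if (1 != _goboringcrypto_EVP_PKEY_sign_init(ctx))
 goto err;
 
+if (md && 1 != _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md))
+goto err;
+
 if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
 goto err;
 
@@ -96,21 +106,31 @@ int _goboringcrypto_EVP_verify(EVP_MD *md, EVP_PKEY_CTX *ctx,
 return ret;
 }
 
-int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-const uint8_t *sig, unsigned int slen,
-GO_RSA *rsa_key) {
+int _goboringcrypto_EVP_verify_raw(EVP_MD *md,
+const uint8_t *msg, size_t msgLen,
+const uint8_t *sig, unsigned int slen,
+GO_RSA *rsa_key) {
 
 int ret = 0;
-EVP_PKEY_CTX *ctx;
-GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+GO_EVP_PKEY_CTX *ctx = NULL;
+GO_EVP_PKEY *pk = NULL;
+
+pk = _goboringcrypto_EVP_PKEY_new();
+if (!pk)
+goto err;
+
 _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
 
-if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL);
+if (!ctx)
 goto err;
 
 if (1 != _goboringcrypto_EVP_PKEY_verify_init(ctx))
 goto err;
 
+if (md && 1 != _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md))
+goto err;
+
 if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
 goto err;
 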
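Review bot: The result of `_goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key)` is still ignored in `_goboringcrypto_EVP_sign_raw` (new line 52) and `_goboringcrypto_EVP_verify_raw` (new line 122), although every neighbouring call is now checked. Assuming the wrapper returns OpenSSL's 1/0 result, a failed assignment leaves `pk` without a key and the error only surfaces later from the context calls; `if (1 != _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key)) goto err;` would keep the error path uniform. The `err:` cleanup of both functions lies outside the hunks, so it is not visible whether `pk` is released there. Since the underlying EVP_PKEY_assign_RSA hands ownership of the RSA object to `pk`, any free of `pk` would also free the caller's `rsa_key`, which deserves a comment at the assignment.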

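--- a/openssl/rsa.go
+++ b/openssl/rsa.go
@@ -302,7 +302,7 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
 
 func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed bool) ([]byte, error) {
 if h == 0 && ExecutingTest() {
-return signRSAPKCS1v15Raw(priv, msg, C._goboringcrypto_EVP_md_null())
+return signRSAPKCS1v15Raw(priv, msg, nil)
 }
 
 md := cryptoHashToMD(h)
@@ -311,18 +311,7 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
 }
 
 if msgIsHashed {
-var out []byte
-var outLen C.uint
-PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
-nid := C._goboringcrypto_EVP_MD_type(md)
-if priv.withKey(func(key *C.GO_RSA) C.int {
-out = make([]byte, C._goboringcrypto_RSA_size(key))
-return C._goboringcrypto_RSA_sign(nid, base(msg), C.uint(len(msg)), base(out), &outLen, key)
-}) == 0 {
-return nil, NewOpenSSLError("RSA_sign")
-}
-runtime.KeepAlive(priv)
-return out[:outLen], nil
+return signRSAPKCS1v15Raw(priv, msg, md)
 }
 
 var out []byte
@@ -344,7 +333,7 @@ func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byt
 if priv.withKey(func(key *C.GO_RSA) C.int {
 out = make([]byte, C._goboringcrypto_RSA_size(key))
 outLen = C.size_t(len(out))
-return C._goboringcrypto_EVP_sign_raw(md, nil, base(msg),
+return C._goboringcrypto_EVP_sign_raw(md, base(msg),
 C.size_t(len(msg)), base(out), &outLen, key)
 }) == 0 {
 return nil, NewOpenSSLError("RSA_sign")
@@ -355,14 +344,18 @@ func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byt
 
 func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsHashed bool) error {
 if h == 0 && ExecutingTest() {
-return verifyRSAPKCS1v15Raw(pub, msg, sig)
+return verifyRSAPKCS1v15Raw(pub, msg, sig, nil)
 }
 
 md := cryptoHashToMD(h)
 if md == nil {
 return errors.New("crypto/rsa: unsupported hash function")
 }
 
+if msgIsHashed {
+return verifyRSAPKCS1v15Raw(pub, msg, sig, md)
+}
+
 if pub.withKey(func(key *C.GO_RSA) C.int {
 size := int(C._goboringcrypto_RSA_size(key))
 if len(sig) < size {
@@ -373,17 +366,6 @@ func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsH
 return errors.New("crypto/rsa: verification error")
 }
 
-if msgIsHashed {
-PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 verification and use HashVerifyPKCS1v15 instead of VerifyPKCS1v15")
-nid := C._goboringcrypto_EVP_MD_type(md)
-if pub.withKey(func(key *C.GO_RSA) C.int {
-return C._goboringcrypto_RSA_verify(nid, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
-}) == 0 {
-return NewOpenSSLError("RSA_verify failed")
-}
-return nil
-}
-
 if pub.withKey(func(key *C.GO_RSA) C.int {
 return C._goboringcrypto_EVP_RSA_verify(md, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
 }) == 0 {
@@ -392,7 +374,7 @@ func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsH
 return nil
 }
 
-func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte) error {
+func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte, md *C.GO_EVP_MD) error {
 if pub.withKey(func(key *C.GO_RSA) C.int {
 size := int(C._goboringcrypto_RSA_size(key))
 if len(sig) < size {
@@ -403,7 +385,7 @@ func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte) error {
 return errors.New("crypto/rsa: verification error")
 }
 if pub.withKey(func(key *C.GO_RSA) C.int {
-return C._goboringcrypto_EVP_verify_raw(base(msg), C.size_t(len(msg)), base(sig), C.uint(len(sig)), key)
+return C._goboringcrypto_EVP_verify_raw(md, base(msg), C.size_t(len(msg)), base(sig), C.uint(len(sig)), key)
 }) == 0 {
 return NewOpenSSLError("RSA_verify failed")
 }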
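Review bot: The `msgIsHashed` branches of `SignRSAPKCS1v15` (new line 314) and `VerifyRSAPKCS1v15` (new lines 355-357) no longer call `PanicIfStrictFIPS`, which the removed code did before signing or verifying a pre-hashed message, and the commit message does not mention that change. If strict FIPS mode is still meant to reject pre-hashed input, keep the guard ahead of the new returns, e.g. `PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")` before `return signRSAPKCS1v15Raw(priv, msg, md)`. If the drop is intended, a short comment at both branches saying so would help the next reader. The nil-`md` path, where the C side sets no signature digest, stays reachable only under `h == 0 && ExecutingTest()`; that is worth stating in a comment on `signRSAPKCS1v15Raw` and `verifyRSAPKCS1v15Raw`. The bodies of these functions extend outside the hunks shown.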
