fix: openssl conversions

microsoft · Dec 10, 2024 · b020696 · b020696
1 parent e408c08
commit b020696
Showing 1 changed file with 33 additions and 25 deletions.
diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -14,7 +14,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  src/crypto/ecdsa/notboring.go                 |   2 +-
  src/crypto/internal/backend/bbig/big.go       |   2 +-
  .../internal/backend/bbig/big_openssl.go      |  12 +
- src/crypto/internal/backend/openssl_linux.go  | 389 ++++++++++++++++++
+ src/crypto/internal/backend/openssl_linux.go  | 397 ++++++++++++++++++
  src/crypto/internal/boring/fipstls/stub.s     |   2 +-
  src/crypto/internal/boring/fipstls/tls.go     |   2 +-
  src/crypto/rsa/boring.go                      |   2 +-
@@ -40,7 +40,7 @@ Subject: [PATCH] Add OpenSSL crypto backend
  .../goexperiment/exp_opensslcrypto_on.go      |   9 +
  src/internal/goexperiment/flags.go            |   1 +
  src/os/exec/exec_test.go                      |   9 +
- 36 files changed, 474 insertions(+), 25 deletions(-)
+ 36 files changed, 482 insertions(+), 25 deletions(-)
  create mode 100644 src/crypto/internal/backend/bbig/big_openssl.go
  create mode 100644 src/crypto/internal/backend/openssl_linux.go
  create mode 100644 src/internal/goexperiment/exp_opensslcrypto_off.go
@@ -193,10 +193,10 @@ index 00000000000000..e6695dd66b1d02
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
 new file mode 100644
-index 00000000000000..296665f9f8a896
+index 00000000000000..613a23b89dcd69
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl_linux.go
-@@ -0,0 +1,389 @@
+@@ -0,0 +1,397 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -219,6 +219,9 @@ index 00000000000000..296665f9f8a896
 +	"syscall"
 +
 +	"github.com/golang-fips/openssl/v2"
++	"github.com/golang-fips/openssl/v2/bbig"
++	"golang.org/x/crypto/cryptobyte"
++	"golang.org/x/crypto/cryptobyte/asn1"
 +)
 +
 +// Enabled controls whether FIPS crypto is enabled.
@@ -557,34 +560,39 @@ index 00000000000000..296665f9f8a896
 +		return nil, nil, err
 +	}
 +
-+	// BCRYPTSignHash generates DSA signatures in P1363 format,
-+	// which is simply (r, s), each of them exactly half of the array.
-+	if len(sig)%2 != 0 {
-+		return nil, nil, errors.New("crypto/dsa: invalid signature size from bcrypt")
++	r, s, err := parseSignature(sig)
++	if err != nil {
++		return nil, nil, err
 +	}
 +
-+	return sig[:len(sig)/2], sig[len(sig)/2:], nil
++	return bbig.Dec(r), bbig.Dec(s), nil
 +}
 +
 +func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s openssl.BigInt) bool {
-+	// As of FIPS 186-4 the maximum Q size is 32 bytes.
-+	//
-+	// See also: cbGroupSize at
-+	// https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob_v2
-+	const maxGroupSize = 32
-+
-+	sig := make([]byte, 0, 2*maxGroupSize)
-+	prependZeros := func(nonZeroBytes int) {
-+		if zeros := int(size/2) - nonZeroBytes; zeros > 0 {
-+			sig = append(sig, make([]byte, zeros)...)
-+		}
++	sig := encodeSignature(bbig.Enc(r), bbig.Enc(s))
++	return openssl.VerifyDSA(pub, hashed, sig)
++}
++
++func parseSignature(sig []byte) (r, s []byte, err error) {
++	var inner cryptobyte.String
++	input := cryptobyte.String(sig)
++	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
++		!input.Empty() ||
++		!inner.ReadASN1Integer(&r) ||
++		!inner.ReadASN1Integer(&s) ||
++		!inner.Empty() {
++		return nil, nil, errors.New("invalid ASN.1")
 +	}
-+	prependZeros(len(r))
-+	sig = append(sig, r...)
-+	prependZeros(len(s))
-+	sig = append(sig, s...)
++	return r, s, nil
++}
 +
-+	return openssl.VerifyDSA(pub, hashed, sig)
++func encodeSignature(r, s []byte) ([]byte, error) {
++	var b cryptobyte.Builder
++	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
++		addASN1IntBytes(b, r)
++		addASN1IntBytes(b, s)
++	})
++	return b.Bytes()
 +}
 diff --git a/src/crypto/internal/boring/fipstls/stub.s b/src/crypto/internal/boring/fipstls/stub.s
 index f2e5a503eaacb6..1dc7116efdff2e 100644