Merge pull request #131 from golang-fips/dev/dagood/heap-avoidance-direct-wrappers

qmuntal · web-flow · commit 98604fd96c40 · 2024-01-11T10:43:49.000+01:00
Wrap multi-return APIs using structs: avoid heap escape
diff --git a/ecdh.go b/ecdh.go
@@ -269,12 +269,12 @@ func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
 	if C.go_openssl_EVP_PKEY_derive_set_peer(ctx, pub._pkey) != 1 {
 		return nil, newOpenSSLError("EVP_PKEY_derive_set_peer")
 	}
-	var outLen C.size_t
-	if C.go_openssl_EVP_PKEY_derive(ctx, nil, &outLen) != 1 {
+	r := C.go_openssl_EVP_PKEY_derive_wrapper(ctx, nil, 0)
+	if r.result != 1 {
 		return nil, newOpenSSLError("EVP_PKEY_derive_init")
 	}
-	out := make([]byte, outLen)
-	if C.go_openssl_EVP_PKEY_derive(ctx, base(out), &outLen) != 1 {
+	out := make([]byte, r.keylen)
+	if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(out), r.keylen).result != 1 {
 		return nil, newOpenSSLError("EVP_PKEY_derive_init")
 	}
 	return out, nil
diff --git a/ed25519.go b/ed25519.go
@@ -145,12 +145,12 @@ func NewPrivateKeyEd25519FromSeed(seed []byte) (*PrivateKeyEd25519, error) {
 }
 
 func extractPKEYPubEd25519(pkey C.GO_EVP_PKEY_PTR, pub []byte) error {
-	pubSize := C.size_t(publicKeySizeEd25519)
-	if C.go_openssl_EVP_PKEY_get_raw_public_key(pkey, base(pub), &pubSize) != 1 {
+	r := C.go_openssl_EVP_PKEY_get_raw_public_key_wrapper(pkey, base(pub), C.size_t(publicKeySizeEd25519))
+	if r.result != 1 {
 		return newOpenSSLError("EVP_PKEY_get_raw_public_key")
 	}
-	if pubSize != publicKeySizeEd25519 {
-		return errors.New("ed25519: bad public key length: " + strconv.Itoa(int(pubSize)))
+	if r.len != publicKeySizeEd25519 {
+		return errors.New("ed25519: bad public key length: " + strconv.Itoa(int(r.len)))
 	}
 	return nil
 }
@@ -159,12 +159,12 @@ func extractPKEYPrivEd25519(pkey C.GO_EVP_PKEY_PTR, priv []byte) error {
 	if err := extractPKEYPubEd25519(pkey, priv[seedSizeEd25519:]); err != nil {
 		return err
 	}
-	privSize := C.size_t(seedSizeEd25519)
-	if C.go_openssl_EVP_PKEY_get_raw_private_key(pkey, base(priv), &privSize) != 1 {
+	r := C.go_openssl_EVP_PKEY_get_raw_private_key_wrapper(pkey, base(priv), C.size_t(seedSizeEd25519))
+	if r.result != 1 {
 		return newOpenSSLError("EVP_PKEY_get_raw_private_key")
 	}
-	if privSize != seedSizeEd25519 {
-		return errors.New("ed25519: bad private key length: " + strconv.Itoa(int(privSize)))
+	if r.len != seedSizeEd25519 {
+		return errors.New("ed25519: bad private key length: " + strconv.Itoa(int(r.len)))
 	}
 	return nil
 }
@@ -190,12 +190,12 @@ func signEd25519(priv *PrivateKeyEd25519, sig, message []byte) error {
 	if C.go_openssl_EVP_DigestSignInit(ctx, nil, nil, nil, priv._pkey) != 1 {
 		return newOpenSSLError("EVP_DigestSignInit")
 	}
-	siglen := C.size_t(signatureSizeEd25519)
-	if C.go_openssl_EVP_DigestSign(ctx, base(sig), &siglen, base(message), C.size_t(len(message))) != 1 {
+	r := C.go_openssl_EVP_DigestSign_wrapper(ctx, base(sig), C.size_t(signatureSizeEd25519), base(message), C.size_t(len(message)))
+	if r.result != 1 {
 		return newOpenSSLError("EVP_DigestSign")
 	}
-	if siglen != signatureSizeEd25519 {
-		return errors.New("ed25519: bad signature length: " + strconv.Itoa(int(siglen)))
+	if r.siglen != signatureSizeEd25519 {
+		return errors.New("ed25519: bad signature length: " + strconv.Itoa(int(r.siglen)))
 	}
 	return nil
 }
diff --git a/goopenssl.h b/goopenssl.h
@@ -107,6 +107,58 @@ go_openssl_EVP_CipherUpdate_wrapper(GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *ou
     return go_openssl_EVP_CipherUpdate(ctx, out, &len, in, in_len);
 }
 
+// These wrappers also allocate length variables on the C stack to avoid escape to the heap, but do return the result.
+// A struct is returned that contains multiple return values instead of OpenSSL's approach of using pointers.
+
+typedef struct
+{
+    int result;
+    size_t keylen;
+} go_openssl_EVP_PKEY_derive_wrapper_out;
+
+static inline go_openssl_EVP_PKEY_derive_wrapper_out
+go_openssl_EVP_PKEY_derive_wrapper(GO_EVP_PKEY_CTX_PTR ctx, unsigned char *key, size_t keylen)
+{
+    go_openssl_EVP_PKEY_derive_wrapper_out r = {0, keylen};
+    r.result = go_openssl_EVP_PKEY_derive(ctx, key, &r.keylen);
+    return r;
+}
+
+typedef struct
+{
+    int result;
+    size_t len;
+} go_openssl_EVP_PKEY_get_raw_key_out;
+
+static inline go_openssl_EVP_PKEY_get_raw_key_out
+go_openssl_EVP_PKEY_get_raw_public_key_wrapper(const GO_EVP_PKEY_PTR pkey, unsigned char *pub, size_t len)
+{
+    go_openssl_EVP_PKEY_get_raw_key_out r = {0, len};
+    r.result = go_openssl_EVP_PKEY_get_raw_public_key(pkey, pub, &r.len);
+    return r;
+}
+
+static inline go_openssl_EVP_PKEY_get_raw_key_out
+go_openssl_EVP_PKEY_get_raw_private_key_wrapper(const GO_EVP_PKEY_PTR pkey, unsigned char *priv, size_t len)
+{
+    go_openssl_EVP_PKEY_get_raw_key_out r = {0, len};
+    r.result = go_openssl_EVP_PKEY_get_raw_private_key(pkey, priv, &r.len);
+    return r;
+}
+
+typedef struct
+{
+    int result;
+    size_t siglen;
+} go_openssl_EVP_DigestSign_wrapper_out;
+
+static inline go_openssl_EVP_DigestSign_wrapper_out
+go_openssl_EVP_DigestSign_wrapper(GO_EVP_MD_CTX_PTR ctx, unsigned char *sigret, size_t siglen, const unsigned char *tbs, size_t tbslen)
+{
+    go_openssl_EVP_DigestSign_wrapper_out r = {0, siglen};
+    r.result = go_openssl_EVP_DigestSign(ctx, sigret, &r.siglen, tbs, tbslen);
+    return r;
+}
 
 // These wrappers allocate out_len on the C stack, and check that it matches the expected
 // value, to avoid having to pass a pointer from Go, which would escape to the heap.
diff --git a/hkdf.go b/hkdf.go
@@ -98,7 +98,7 @@ func (c *hkdf) Read(p []byte) (int, error) {
 	}
 	c.buf = append(c.buf, make([]byte, needLen)...)
 	outLen := C.size_t(prevLen + needLen)
-	if C.go_openssl_EVP_PKEY_derive(c.ctx, base(c.buf), &outLen) != 1 {
+	if C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, base(c.buf), outLen).result != 1 {
 		return 0, newOpenSSLError("EVP_PKEY_derive")
 	}
 	n := copy(p, c.buf[prevLen:outLen])
@@ -132,15 +132,15 @@ func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
 			return nil, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_salt")
 		}
 	}
-	var outLen C.size_t
-	if C.go_openssl_EVP_PKEY_derive(c.ctx, nil, &outLen) != 1 {
+	r := C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, nil, 0)
+	if r.result != 1 {
 		return nil, newOpenSSLError("EVP_PKEY_derive_init")
 	}
-	out := make([]byte, outLen)
-	if C.go_openssl_EVP_PKEY_derive(c.ctx, base(out), &outLen) != 1 {
+	out := make([]byte, r.keylen)
+	if C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, base(out), r.keylen).result != 1 {
 		return nil, newOpenSSLError("EVP_PKEY_derive")
 	}
-	return out[:outLen], nil
+	return out[:r.keylen], nil
 }
 
 func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
diff --git a/tls1prf.go b/tls1prf.go
@@ -90,7 +90,7 @@ func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error {
 		}
 	}
 	outLen := C.size_t(len(result))
-	if C.go_openssl_EVP_PKEY_derive(ctx, base(result), &outLen) != 1 {
+	if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(result), outLen).result != 1 {
 		return newOpenSSLError("EVP_PKEY_derive")
 	}
 	// The Go standard library expects TLS1PRF to return the requested number of bytes,

Original file line number	Diff line number	Diff line change
`@@ -269,12 +269,12 @@ func ECDH(priv PrivateKeyECDH, pub PublicKeyECDH) ([]byte, error) {`
`269`	`269`	`if C.go_openssl_EVP_PKEY_derive_set_peer(ctx, pub._pkey) != 1 {`
`270`	`270`	`return nil, newOpenSSLError("EVP_PKEY_derive_set_peer")`
`271`	`271`	`}`
`272`		`- var outLen C.size_t`
`273`		`- if C.go_openssl_EVP_PKEY_derive(ctx, nil, &outLen) != 1 {`
	`272`	`+ r := C.go_openssl_EVP_PKEY_derive_wrapper(ctx, nil, 0)`
	`273`	`+ if r.result != 1 {`
`274`	`274`	`return nil, newOpenSSLError("EVP_PKEY_derive_init")`
`275`	`275`	`}`
`276`		`- out := make([]byte, outLen)`
`277`		`- if C.go_openssl_EVP_PKEY_derive(ctx, base(out), &outLen) != 1 {`
	`276`	`+ out := make([]byte, r.keylen)`
	`277`	`+ if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(out), r.keylen).result != 1 {`
`278`	`278`	`return nil, newOpenSSLError("EVP_PKEY_derive_init")`
`279`	`279`	`}`
`280`	`280`	`return out, nil`
Original file line number	Diff line number	Diff line change
`@@ -145,12 +145,12 @@ func NewPrivateKeyEd25519FromSeed(seed []byte) (*PrivateKeyEd25519, error) {`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`func extractPKEYPubEd25519(pkey C.GO_EVP_PKEY_PTR, pub []byte) error {`
`148`		`- pubSize := C.size_t(publicKeySizeEd25519)`
`149`		`- if C.go_openssl_EVP_PKEY_get_raw_public_key(pkey, base(pub), &pubSize) != 1 {`
	`148`	`+ r := C.go_openssl_EVP_PKEY_get_raw_public_key_wrapper(pkey, base(pub), C.size_t(publicKeySizeEd25519))`
	`149`	`+ if r.result != 1 {`
`150`	`150`	`return newOpenSSLError("EVP_PKEY_get_raw_public_key")`
`151`	`151`	`}`
`152`		`- if pubSize != publicKeySizeEd25519 {`
`153`		`- return errors.New("ed25519: bad public key length: " + strconv.Itoa(int(pubSize)))`
	`152`	`+ if r.len != publicKeySizeEd25519 {`
	`153`	`+ return errors.New("ed25519: bad public key length: " + strconv.Itoa(int(r.len)))`
`154`	`154`	`}`
`155`	`155`	`return nil`
`156`	`156`	`}`
`@@ -159,12 +159,12 @@ func extractPKEYPrivEd25519(pkey C.GO_EVP_PKEY_PTR, priv []byte) error {`
`159`	`159`	`if err := extractPKEYPubEd25519(pkey, priv[seedSizeEd25519:]); err != nil {`
`160`	`160`	`return err`
`161`	`161`	`}`
`162`		`- privSize := C.size_t(seedSizeEd25519)`
`163`		`- if C.go_openssl_EVP_PKEY_get_raw_private_key(pkey, base(priv), &privSize) != 1 {`
	`162`	`+ r := C.go_openssl_EVP_PKEY_get_raw_private_key_wrapper(pkey, base(priv), C.size_t(seedSizeEd25519))`
	`163`	`+ if r.result != 1 {`
`164`	`164`	`return newOpenSSLError("EVP_PKEY_get_raw_private_key")`
`165`	`165`	`}`
`166`		`- if privSize != seedSizeEd25519 {`
`167`		`- return errors.New("ed25519: bad private key length: " + strconv.Itoa(int(privSize)))`
	`166`	`+ if r.len != seedSizeEd25519 {`
	`167`	`+ return errors.New("ed25519: bad private key length: " + strconv.Itoa(int(r.len)))`
`168`	`168`	`}`
`169`	`169`	`return nil`
`170`	`170`	`}`
`@@ -190,12 +190,12 @@ func signEd25519(priv *PrivateKeyEd25519, sig, message []byte) error {`
`190`	`190`	`if C.go_openssl_EVP_DigestSignInit(ctx, nil, nil, nil, priv._pkey) != 1 {`
`191`	`191`	`return newOpenSSLError("EVP_DigestSignInit")`
`192`	`192`	`}`
`193`		`- siglen := C.size_t(signatureSizeEd25519)`
`194`		`- if C.go_openssl_EVP_DigestSign(ctx, base(sig), &siglen, base(message), C.size_t(len(message))) != 1 {`
	`193`	`+ r := C.go_openssl_EVP_DigestSign_wrapper(ctx, base(sig), C.size_t(signatureSizeEd25519), base(message), C.size_t(len(message)))`
	`194`	`+ if r.result != 1 {`
`195`	`195`	`return newOpenSSLError("EVP_DigestSign")`
`196`	`196`	`}`
`197`		`- if siglen != signatureSizeEd25519 {`
`198`		`- return errors.New("ed25519: bad signature length: " + strconv.Itoa(int(siglen)))`
	`197`	`+ if r.siglen != signatureSizeEd25519 {`
	`198`	`+ return errors.New("ed25519: bad signature length: " + strconv.Itoa(int(r.siglen)))`
`199`	`199`	`}`
`200`	`200`	`return nil`
`201`	`201`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ func (c *hkdf) Read(p []byte) (int, error) {`
`98`	`98`	`}`
`99`	`99`	`c.buf = append(c.buf, make([]byte, needLen)...)`
`100`	`100`	`outLen := C.size_t(prevLen + needLen)`
`101`		`- if C.go_openssl_EVP_PKEY_derive(c.ctx, base(c.buf), &outLen) != 1 {`
	`101`	`+ if C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, base(c.buf), outLen).result != 1 {`
`102`	`102`	`return 0, newOpenSSLError("EVP_PKEY_derive")`
`103`	`103`	`}`
`104`	`104`	`n := copy(p, c.buf[prevLen:outLen])`
`@@ -132,15 +132,15 @@ func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {`
`132`	`132`	`return nil, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_salt")`
`133`	`133`	`}`
`134`	`134`	`}`
`135`		`- var outLen C.size_t`
`136`		`- if C.go_openssl_EVP_PKEY_derive(c.ctx, nil, &outLen) != 1 {`
	`135`	`+ r := C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, nil, 0)`
	`136`	`+ if r.result != 1 {`
`137`	`137`	`return nil, newOpenSSLError("EVP_PKEY_derive_init")`
`138`	`138`	`}`
`139`		`- out := make([]byte, outLen)`
`140`		`- if C.go_openssl_EVP_PKEY_derive(c.ctx, base(out), &outLen) != 1 {`
	`139`	`+ out := make([]byte, r.keylen)`
	`140`	`+ if C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, base(out), r.keylen).result != 1 {`
`141`	`141`	`return nil, newOpenSSLError("EVP_PKEY_derive")`
`142`	`142`	`}`
`143`		`- return out[:outLen], nil`
	`143`	`+ return out[:r.keylen], nil`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error {`
`90`	`90`	`}`
`91`	`91`	`}`
`92`	`92`	`outLen := C.size_t(len(result))`
`93`		`- if C.go_openssl_EVP_PKEY_derive(ctx, base(result), &outLen) != 1 {`
	`93`	`+ if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(result), outLen).result != 1 {`
`94`	`94`	`return newOpenSSLError("EVP_PKEY_derive")`
`95`	`95`	`}`
`96`	`96`	`// The Go standard library expects TLS1PRF to return the requested number of bytes,`