Stop using RSA_* functions for signatures

For creating and verifying PKCS#1 v1.5 signatures in a pre-hashed
manner, we used the legacy RSA_sign and RSA_verify functions, which
bypass the system-wide disablement of SHA-1 and shorter RSA key length
usage inconsistently with the OpenSSL 3.0 default on RHEL.

This switches to using our _goboringcrypto_EVP_{sign,verify}_raw,
which internally use EVP_PKEY_ functions.

Signed-off-by: Daiki Ueno <[email protected]>

Author: ueno

openssl/goopenssl.h

@@ -557,15 +557,9 @@ DEFINEFUNC(int, EVP_DigestVerifyFinal,
 	(ctx, sig, siglen))
 
 typedef RSA GO_RSA;
-int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
-int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-                                                              size_t msgLen, uint8_t *sig, size_t *slen,
-                                                              GO_RSA *key);
 
+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
 int _goboringcrypto_EVP_verify(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, EVP_PKEY *key);
-int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-                               const uint8_t *sig, unsigned int slen,
-                               GO_RSA *key);
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
@@ -584,23 +578,18 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
 // Note: order of struct fields here is unchecked.
 typedef BN_GENCB GO_BN_GENCB;
 
-int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
-int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
+int _goboringcrypto_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
+int _goboringcrypto_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
+
+int _goboringcrypto_RSA_sign_raw(EVP_MD *md, const uint8_t *msg, size_t msgLen,
+				 uint8_t *sig, size_t *slen,
+				 GO_RSA *key);
+int _goboringcrypto_RSA_verify_raw(EVP_MD *md, const uint8_t *msg, size_t msgLen,
+				   const uint8_t *sig, unsigned int slen,
+				   GO_RSA *key);
 
 DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
 DEFINEFUNC(void, RSA_free, (GO_RSA * arg0), (arg0))
-DEFINEFUNC(int, RSA_private_encrypt,
-	(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-	(flen, from, to, rsa, padding))
-DEFINEFUNC(int, RSA_public_decrypt,
-	(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding),
-	(flen, from, to, rsa, padding))
-DEFINEFUNC(int, RSA_sign,
-	(int arg0, const uint8_t *arg1, unsigned int arg2, uint8_t *arg3, unsigned int *arg4, GO_RSA *arg5),
-	(arg0, arg1, arg2, arg3, arg4, arg5))
-DEFINEFUNC(int, RSA_verify,
-	(int arg0, const uint8_t *arg1, unsigned int arg2, const uint8_t *arg3, unsigned int arg4, GO_RSA *arg5),
-	(arg0, arg1, arg2, arg3, arg4, arg5))
 DEFINEFUNC(int, RSA_generate_key_ex,
 	(GO_RSA * arg0, int arg1, GO_BIGNUM *arg2, GO_BN_GENCB *arg3),
 	(arg0, arg1, arg2, arg3))

openssl/notboring.go

@@ -71,7 +71,7 @@ func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, r, s BigInt, h crypto.Hash) b
 type PublicKeyECDH struct{ _ int }
 type PrivateKeyECDH struct{ _ int }
 
-func (pc *PublicKeyECDH) Bytes() []byte { panic("boringcrypto: not available") }
+func (pc *PublicKeyECDH) Bytes() []byte                       { panic("boringcrypto: not available") }
 func (pc *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { panic("boringcrypto: not available") }
 
 func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {

openssl/openssl_evp.c

@@ -38,35 +38,6 @@ int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
   return ret;
 }
 
-int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-                             size_t msgLen, uint8_t *sig, size_t *slen,
-                             GO_RSA *rsa_key) {
-  int ret = 0;
-  GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
-  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
-
-  if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
-    goto err;
-
-  if (1 != _goboringcrypto_EVP_PKEY_sign_init(ctx))
-    goto err;
-
-  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-    goto err;
-
-  if (1 != _goboringcrypto_EVP_PKEY_sign(ctx, sig, slen, msg, msgLen))
-    goto err;
-
-  /* Success */
-  ret = 1;
-
-err:
-  if (ctx)
-    _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-
-  return ret;
-}
-
 int _goboringcrypto_EVP_verify(EVP_MD *md, EVP_PKEY_CTX *ctx,
                                const uint8_t *msg, size_t msgLen,
                                const uint8_t *sig, unsigned int slen,
@@ -95,34 +66,3 @@ int _goboringcrypto_EVP_verify(EVP_MD *md, EVP_PKEY_CTX *ctx,
 
   return ret;
 }
-
-int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
-                               const uint8_t *sig, unsigned int slen,
-                               GO_RSA *rsa_key) {
-
-  int ret = 0;
-  EVP_PKEY_CTX *ctx;
-  GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
-  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
-
-  if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
-    goto err;
-
-  if (1 != _goboringcrypto_EVP_PKEY_verify_init(ctx))
-    goto err;
-
-  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-    goto err;
-
-  if (1 != _goboringcrypto_EVP_PKEY_verify(ctx, sig, slen, msg, msgLen))
-    goto err;
-
-  /* Success */
-  ret = 1;
-
-err:
-  if (ctx)
-    _goboringcrypto_EVP_PKEY_CTX_free(ctx);
-
-  return ret;
-}

openssl/openssl_port_rsa.c

@@ -182,9 +182,9 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
   return ret;
 }
 
-int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
-                                 unsigned int msgLen, uint8_t *sig,
-                                 size_t *slen, RSA *rsa) {
+int _goboringcrypto_RSA_sign(EVP_MD *md, const uint8_t *msg,
+			     unsigned int msgLen, uint8_t *sig,
+			     size_t *slen, RSA *rsa) {
   int result;
   EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
   if (!key) {
@@ -200,9 +200,9 @@ int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
   return result;
 }
 
-int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
-                                   unsigned int msgLen, const uint8_t *sig,
-                                   unsigned int slen, GO_RSA *rsa) {
+int _goboringcrypto_RSA_verify(EVP_MD *md, const uint8_t *msg,
+			       unsigned int msgLen, const uint8_t *sig,
+			       unsigned int slen, GO_RSA *rsa) {
   int result;
   EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
   if (!key) {
@@ -217,3 +217,84 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
   _goboringcrypto_EVP_PKEY_free(key);
   return result;
 }
+
+int _goboringcrypto_RSA_sign_raw(EVP_MD *md, const uint8_t *msg,
+				 size_t msgLen, uint8_t *sig, size_t *slen,
+				 GO_RSA *rsa_key) {
+  int ret = 0;
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pk = NULL;
+
+  pk = _goboringcrypto_EVP_PKEY_new();
+  if (!pk)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key))
+    goto err;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL);
+  if (!ctx)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_sign_init(ctx))
+    goto err;
+
+  if (md && 1 != _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md))
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_sign(ctx, sig, slen, msg, msgLen))
+    goto err;
+
+  /* Success */
+  ret = 1;
+
+err:
+  if (ctx)
+    _goboringcrypto_EVP_PKEY_CTX_free(ctx);
+
+  return ret;
+}
+
+int _goboringcrypto_RSA_verify_raw(EVP_MD *md,
+				   const uint8_t *msg, size_t msgLen,
+				   const uint8_t *sig, unsigned int slen,
+				   GO_RSA *rsa_key) {
+  int ret = 0;
+  GO_EVP_PKEY_CTX *ctx = NULL;
+  GO_EVP_PKEY *pk = NULL;
+
+  pk = _goboringcrypto_EVP_PKEY_new();
+  if (!pk)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key))
+    goto err;
+
+  ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL);
+  if (!ctx)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_verify_init(ctx))
+    goto err;
+
+  if (md && 1 != _goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md))
+    goto err;
+
+  if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
+    goto err;
+
+  if (1 != _goboringcrypto_EVP_PKEY_verify(ctx, sig, slen, msg, msgLen))
+    goto err;
+
+  /* Success */
+  ret = 1;
+
+err:
+  if (ctx)
+    _goboringcrypto_EVP_PKEY_CTX_free(ctx);
+
+  return ret;
+}

openssl/rsa.go

@@ -326,7 +326,7 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
 
 func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed bool) ([]byte, error) {
 	if h == 0 && ExecutingTest() {
-		return signRSAPKCS1v15Raw(priv, msg, C._goboringcrypto_EVP_md_null())
+		return signRSAPKCS1v15Raw(priv, msg, nil)
 	}
 
 	md := cryptoHashToMD(h)
@@ -335,25 +335,16 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
 	}
 
 	if msgIsHashed {
-		var out []byte
-		var outLen C.uint
-		PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
-		nid := C._goboringcrypto_EVP_MD_type(md)
-		if priv.withKey(func(key *C.GO_RSA) C.int {
-			out = make([]byte, C._goboringcrypto_RSA_size(key))
-			return C._goboringcrypto_RSA_sign(nid, base(msg), C.uint(len(msg)), base(out), &outLen, key)
-		}) == 0 {
-			return nil, NewOpenSSLError("RSA_sign")
-		}
-		runtime.KeepAlive(priv)
-		return out[:outLen], nil
+		return signRSAPKCS1v15Raw(priv, msg, md)
 	}
 
 	var out []byte
 	var outLen C.size_t
 
 	if priv.withKey(func(key *C.GO_RSA) C.int {
-		return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
+		out = make([]byte, C._goboringcrypto_RSA_size(key))
+		outLen = C.size_t(len(out))
+		return C._goboringcrypto_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
 	}) == 0 {
 		return nil, NewOpenSSLError("RSA_sign")
 	}
@@ -368,7 +359,7 @@ func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byt
 	if priv.withKey(func(key *C.GO_RSA) C.int {
 		out = make([]byte, C._goboringcrypto_RSA_size(key))
 		outLen = C.size_t(len(out))
-		return C._goboringcrypto_EVP_sign_raw(md, nil, base(msg),
+		return C._goboringcrypto_RSA_sign_raw(md, base(msg),
 			C.size_t(len(msg)), base(out), &outLen, key)
 	}) == 0 {
 		return nil, NewOpenSSLError("RSA_sign")
@@ -379,14 +370,18 @@ func signRSAPKCS1v15Raw(priv *PrivateKeyRSA, msg []byte, md *C.GO_EVP_MD) ([]byt
 
 func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsHashed bool) error {
 	if h == 0 && ExecutingTest() {
-		return verifyRSAPKCS1v15Raw(pub, msg, sig)
+		return verifyRSAPKCS1v15Raw(pub, msg, sig, nil)
 	}
 
 	md := cryptoHashToMD(h)
 	if md == nil {
 		return errors.New("crypto/rsa: unsupported hash function")
 	}
 
+	if msgIsHashed {
+		return verifyRSAPKCS1v15Raw(pub, msg, sig, md)
+	}
+
 	if pub.withKey(func(key *C.GO_RSA) C.int {
 		size := int(C._goboringcrypto_RSA_size(key))
 		if len(sig) < size {
@@ -397,26 +392,16 @@ func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte, msgIsH
 		return errors.New("crypto/rsa: verification error")
 	}
 
-	if msgIsHashed {
-		PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 verification and use HashVerifyPKCS1v15 instead of VerifyPKCS1v15")
-		nid := C._goboringcrypto_EVP_MD_type(md)
-		if pub.withKey(func(key *C.GO_RSA) C.int {
-			return C._goboringcrypto_RSA_verify(nid, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
-		}) == 0 {
-			return NewOpenSSLError("RSA_verify failed")
-		}
-		return nil
-	}
-
 	if pub.withKey(func(key *C.GO_RSA) C.int {
-		return C._goboringcrypto_EVP_RSA_verify(md, base(msg), C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
+		return C._goboringcrypto_RSA_verify(md, base(msg),
+			C.uint(len(msg)), base(sig), C.uint(len(sig)), key)
 	}) == 0 {
 		return NewOpenSSLError("RSA_verify failed")
 	}
 	return nil
 }
 
-func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte) error {
+func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte, md *C.GO_EVP_MD) error {
 	if pub.withKey(func(key *C.GO_RSA) C.int {
 		size := int(C._goboringcrypto_RSA_size(key))
 		if len(sig) < size {
@@ -427,7 +412,8 @@ func verifyRSAPKCS1v15Raw(pub *PublicKeyRSA, msg, sig []byte) error {
 		return errors.New("crypto/rsa: verification error")
 	}
 	if pub.withKey(func(key *C.GO_RSA) C.int {
-		return C._goboringcrypto_EVP_verify_raw(base(msg), C.size_t(len(msg)), base(sig), C.uint(len(sig)), key)
+		return C._goboringcrypto_RSA_verify_raw(md, base(msg),
+			C.size_t(len(msg)), base(sig), C.uint(len(sig)), key)
 	}) == 0 {
 		return NewOpenSSLError("RSA_verify failed")
 	}