Skip to content

Fix RSAPSS salt length conversion #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 14, 2022
Merged

Fix RSAPSS salt length conversion #37

merged 9 commits into from
Sep 14, 2022

Conversation

qmuntal
Copy link
Member

@qmuntal qmuntal commented Sep 6, 2022

Fix the conversion between our sentinel salt length variables and the OpenSSL versions in SignRSAPSS and VerifyRSAPSS . We previously set -1 (hash length equals salt length) when 0 was passed when we should've been setting -2 or -3.

This buggy behavior was inherited from BoringSSL bindings since the very beginning, but it hasn't triggered any bug yet because Go rsa.SignPSS and rsa.VerifyPSS resolved the salt length special case before passing it to boring. There is an upstream CL that will remove this handling from the Go side and fix the Boring side.

We should fix the OpenSSL bindings before that CL lands, else the sync process will fail in the test phase.

@qmuntal qmuntal mentioned this pull request Sep 7, 2022
Merged
dagood
dagood approved these changes Sep 9, 2022
View reviewed changes
Copy link
Member

@dagood dagood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functionally LGTM, just a few naming/doc suggestions.

openssl/rsa.go Outdated
func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
if saltLen == 0 {
saltLen = -1 // RSA_PSS_SALTLEN_DIGEST
slen, err := saltLength(saltLen, true)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a lot of things that only vary by how many letters of saltLength they chop out. 😄 This is what comes to mind:

Suggested change
slen, err := saltLength(saltLen, true)
opensslSaltLen, err := convertGoSaltLength(saltLen, true)

But... these functions are short, and the types are different, so there's not much chance to actually mix them up and I think it's fine as-is if you prefer.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Too mach chopping 🥢. I've simplified saltLength and changed a couple of names to make it clearer.

openssl/rsa_test.go
if err != nil {
t.Fatal(err)
for i, test := range saltLengthCombinations {
signed, err := openssl.SignRSAPSS(priv, crypto.SHA256, hashed, test.signSaltLength)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I saw this, I thought it was odd that it wasn't set up as a normal table test with named cases, but I see it's based on https://go-review.googlesource.com/c/go/+/426659/4/src/crypto/rsa/pss_test.go. Might be worth linking to it, https://github.com/golang/go/blob/54182ff54a687272dd7632c3a963e036ce03cb7c/src/crypto/rsa/pss_test.go#L200 ?

@qmuntal qmuntal merged commit 8cf6916 into main Sep 14, 2022
@qmuntal qmuntal deleted the dev/qmuntal/salt branch September 14, 2022 06:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dagood dagood dagood approved these changes

@chsienki chsienki chsienki approved these changes

@jaredpar jaredpar Awaiting requested review from jaredpar

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@qmuntal @dagood @chsienki @Copilot