Skip to content

Commit

Permalink
address feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
@derekparker
derekparker committed Nov 14, 2024
1 parent 76a26f3 commit 3943eee
Showing 1 changed file with 168 additions and 0 deletions.
168 changes: 168 additions & 0 deletions patches/022-openssl-negative-tests.patch
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1001,3 +1001,171 @@ index b16184f32a..578d114f63 100644
test.expectedChains = nil
}
testVerify(t, test, false)
diff --git a/src/crypto/hmac/hmac_test.go b/src/crypto/hmac/hmac_test.go
index e412a29269..015f47fda0 100644
--- a/src/crypto/hmac/hmac_test.go
+++ b/src/crypto/hmac/hmac_test.go
@@ -6,6 +6,7 @@ package hmac

import (
boring "crypto/internal/backend"
+ "crypto/internal/backend/boringtest"
"crypto/internal/cryptotest"
"crypto/md5"
"crypto/sha1"
@@ -549,17 +550,21 @@ var hmacTests = []hmacTest{
}

func TestHMAC(t *testing.T) {
- for i, tt := range hmacTests {
- if boring.Enabled() && tt.size == sha1.New().Size() {
- defer func() {
- r := recover()
- if s, ok := r.(string); ok {
+ var hsh hash.Hash
+ if boring.Enabled() {
+ defer func() {
+ r := recover()
+ if s, ok := r.(string); ok {
+ if (hsh == sha1.New() && !boringtest.Supports(t, "SHA1")) || hsh == md5.New() {
if !strings.Contains(s, "unrecognized hmac in FIPS mode") {
panic(s)
}
}
- }()
- }
+ }
+ }()
+ }
+ for i, tt := range hmacTests {
+ hsh = tt.hash()
h := New(tt.hash, tt.key)
if s := h.Size(); s != tt.size {
t.Errorf("Size: got %v, want %v", s, tt.size)
@@ -587,7 +592,8 @@ func TestHMAC(t *testing.T) {

// Third and fourth iteration: make sure hmac works on
// hashes without MarshalBinary/UnmarshalBinary
- if j == 1 {
+ if j == 1 && !boring.Enabled() { // Skip in boring mode as the hash is obscured and won't be recognized.
+ fmt.Println("JUST HASH!!!")
h = New(func() hash.Hash { return justHash{tt.hash()} }, tt.key)
}
}
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
index 8af84825a2..840ddfd604 100644
--- a/src/crypto/rsa/pkcs1v15_test.go
+++ b/src/crypto/rsa/pkcs1v15_test.go
@@ -97,7 +97,7 @@ func TestEncryptPKCS1v15(t *testing.T) {

ciphertext, err := EncryptPKCS1v15(random, &rsaPrivateKey.PublicKey, in)
if err != nil {
- if boring.Enabled() && !boringtest.Supports(t, "PKCSv1.5") {
+ if boring.Enabled() && !boringtest.Supports(t, "PKCSv1.5") && rsaPrivateKey.Size() < 256 {
if strings.Contains(err.Error(), "invalid key length") {
return false
}
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
index c7efa8cea1..feae2663f6 100644
--- a/src/crypto/rsa/pss_test.go
+++ b/src/crypto/rsa/pss_test.go
@@ -236,7 +236,7 @@ func TestPSSSigning(t *testing.T) {
opts.SaltLength = test.signSaltLength
sig, err := SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, &opts)
if err != nil {
- if boring.Enabled() && !boringtest.Supports(t, "SHA1") {
+ if boring.Enabled() && hash == crypto.SHA1 && !boringtest.Supports(t, "SHA1") {
if strings.Contains(err.Error(), "invalid key length") {
continue
}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/evp.go b/src/vendor/github.com/golang-fips/openssl/v2/evp.go
index a9237a6a0c..19df5a1adb 100644
--- a/src/vendor/github.com/golang-fips/openssl/v2/evp.go
+++ b/src/vendor/github.com/golang-fips/openssl/v2/evp.go
@@ -4,9 +4,11 @@ package openssl

// #include "goopenssl.h"
import "C"
+
import (
"crypto"
"errors"
+ "fmt"
"hash"
"strconv"
"sync"
@@ -39,6 +41,7 @@ func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR {
case *sha3_512Hash:
ch = crypto.SHA3_512
}
+ fmt.Printf("CH: %#v h: %#v\n", ch, h)
if ch != 0 {
return cryptoHashToMD(ch)
}
@@ -142,14 +145,17 @@ func generateEVPPKey(id C.int, bits int, curve string) (C.GO_EVP_PKEY_PTR, error
return pkey, nil
}

-type withKeyFunc func(func(C.GO_EVP_PKEY_PTR) C.int) C.int
-type initFunc func(C.GO_EVP_PKEY_CTX_PTR) error
-type cryptFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, *C.size_t, *C.uchar, C.size_t) error
-type verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size_t) error
+type (
+ withKeyFunc func(func(C.GO_EVP_PKEY_PTR) C.int) C.int
+ initFunc func(C.GO_EVP_PKEY_CTX_PTR) error
+ cryptFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, *C.size_t, *C.uchar, C.size_t) error
+ verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size_t) error
+)

func setupEVP(withKey withKeyFunc, padding C.int,
h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
- init initFunc) (_ C.GO_EVP_PKEY_CTX_PTR, err error) {
+ init initFunc,
+) (_ C.GO_EVP_PKEY_CTX_PTR, err error) {
var ctx C.GO_EVP_PKEY_CTX_PTR
withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
@@ -272,8 +278,8 @@ func setupEVP(withKey withKeyFunc, padding C.int,

func cryptEVP(withKey withKeyFunc, padding C.int,
h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
- init initFunc, crypt cryptFunc, in []byte) ([]byte, error) {
-
+ init initFunc, crypt cryptFunc, in []byte,
+) ([]byte, error) {
ctx, err := setupEVP(withKey, padding, h, mgfHash, label, saltLen, ch, init)
if err != nil {
return nil, err
@@ -295,8 +301,8 @@ func cryptEVP(withKey withKeyFunc, padding C.int,
func verifyEVP(withKey withKeyFunc, padding C.int,
h hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
init initFunc, verify verifyFunc,
- sig, in []byte) error {
-
+ sig, in []byte,
+) error {
ctx, err := setupEVP(withKey, padding, h, nil, label, saltLen, ch, init)
if err != nil {
return err
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hmac.go b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go
index ef8116ce66..7fa99d9653 100644
--- a/src/vendor/github.com/golang-fips/openssl/v2/hmac.go
+++ b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go
@@ -4,7 +4,9 @@ package openssl

// #include "goopenssl.h"
import "C"
+
import (
+ "fmt"
"hash"
"runtime"
"sync"
@@ -26,6 +28,7 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash {
ch := h()
md := hashToMD(ch)
if md == nil {
+ fmt.Printf("MD == nil, h: %#v, md: %#v", h(), md)
return nil
}

0 comments on commit 3943eee

Please sign in to comment.