diff --git a/patches/015-add-hash-sign-verify.patch b/patches/015-add-hash-sign-verify.patch new file mode 100644 index 0000000000..b73bc92885 --- /dev/null +++ b/patches/015-add-hash-sign-verify.patch @@ -0,0 +1,124 @@ +diff --git a/src/crypto/ecdsa/ecdsa_hash_sign_verify.go b/src/crypto/ecdsa/ecdsa_hash_sign_verify.go +new file mode 100644 +index 0000000000..50a39f5d0a +--- /dev/null ++++ b/src/crypto/ecdsa/ecdsa_hash_sign_verify.go +@@ -0,0 +1,45 @@ ++package ecdsa ++ ++import ( ++ "crypto" ++ "crypto/internal/randutil" ++ "io" ++ ++ boring "crypto/internal/backend" ++) ++ ++func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) ([]byte, error) { ++ randutil.MaybeReadByte(rand) ++ ++ if boring.Enabled() { ++ b, err := boringPrivateKey(priv) ++ if err != nil { ++ return nil, err ++ } ++ return boring.HashSignECDSA(b, h, msg) ++ } ++ boring.UnreachableExceptTests() ++ ++ hash := h.New() ++ hash.Write(msg) ++ d := hash.Sum(nil) ++ ++ return SignASN1(rand, priv, d) ++} ++ ++func HashVerify(pub *PublicKey, msg, sig []byte, h crypto.Hash) bool { ++ if boring.Enabled() { ++ bpk, err := boringPublicKey(pub) ++ if err != nil { ++ return false ++ } ++ return boring.HashVerifyECDSA(bpk, h, msg, sig) ++ } ++ boring.UnreachableExceptTests() ++ ++ hash := h.New() ++ hash.Write(msg) ++ d := hash.Sum(nil) ++ ++ return VerifyASN1(pub, d, sig) ++} +diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go +new file mode 100644 +index 0000000000..65ca8a4b77 +--- /dev/null ++++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go +@@ -0,0 +1,43 @@ ++package ecdsa ++ ++import ( ++ "crypto" ++ "crypto/elliptic" ++ boring "crypto/internal/backend" ++ "crypto/rand" ++ "testing" ++) ++ ++func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) { ++ priv, err := GenerateKey(c, rand.Reader) ++ if priv == nil { ++ t.Fatal(err) ++ } ++ ++ msg := []byte("testing") ++ h := crypto.SHA256 ++ hsm, err := HashSign(rand.Reader, priv, msg, h) ++ if err != nil { ++ t.Errorf("%s: error signing: %s", tag, err) ++ return ++ } ++ ++ if !HashVerify(&priv.PublicKey, msg, hsm, h) { ++ t.Errorf("%s: Verify failed", tag) ++ } ++ ++ msg[0] ^= 0xff ++ if HashVerify(&priv.PublicKey, msg, hsm, h) { ++ t.Errorf("%s: Verify should not have succeeded", tag) ++ } ++} ++ ++func TestHashSignAndHashVerify(t *testing.T) { ++ testHashSignAndHashVerify(t, elliptic.P256(), "p256") ++ ++ if testing.Short() && !boring.Enabled() { ++ return ++ } ++ testHashSignAndHashVerify(t, elliptic.P384(), "p384") ++ testHashSignAndHashVerify(t, elliptic.P521(), "p521") ++} +diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go +index 5b0e356dff..e509805288 100644 +--- a/src/crypto/internal/backend/nobackend.go ++++ b/src/crypto/internal/backend/nobackend.go +@@ -14,7 +14,6 @@ import ( + "crypto/internal/boring/sig" + "hash" + "io" +- "math/big" + ) + + func init() { +@@ -167,9 +166,9 @@ func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, er + func SupportsHKDF() bool { + panic("boringcrypto: not available") + } +-func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool { ++func HashVerifyECDSA(pub *PublicKeyECDSA, h crypto.Hash, msg, sig []byte) bool { + panic("boringcrypto: not available") + } +-func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) { ++func HashSignECDSA(priv *PrivateKeyECDSA, h crypto.Hash, msg []byte) ([]byte, error) { + panic("boringcrypto: not available") + }