Merge pull request #119 from golang-fips/dev/dagood/empty-label

qmuntal · web-flow · commit 9783f40bfa74 · 2023-09-19T09:08:39.000+02:00
Fix RSA OAEP failure when given empty label with OpenSSL 3
diff --git a/evp.go b/evp.go
@@ -210,15 +210,27 @@ func setupEVP(withKey withKeyFunc, padding C.int,
 			clabel = (*C.uchar)(cryptoMalloc(len(label)))
 			copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
 		}
-		var ret C.int
+		var err error
 		if vMajor == 3 {
-			ret = C.go_openssl_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, unsafe.Pointer(clabel), C.int(len(label)))
+			// Docs say EVP_PKEY_CTX_set0_rsa_oaep_label accepts a null label,
+			// but it does not: https://github.com/openssl/openssl/issues/21288
+			if len(label) == 0 {
+				// cryptoMalloc can't create a zero-length array: use size 1.
+				clabel = (*C.uchar)(cryptoMalloc(1))
+			}
+			ret := C.go_openssl_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, unsafe.Pointer(clabel), C.int(len(label)))
+			if ret != 1 {
+				err = newOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
+			}
 		} else {
-			ret = C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL, C.int(len(label)), unsafe.Pointer(clabel))
+			ret := C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL, C.int(len(label)), unsafe.Pointer(clabel))
+			if ret != 1 {
+				err = newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+			}
 		}
-		if ret != 1 {
+		if err != nil {
 			cryptoFree(unsafe.Pointer(clabel))
-			return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+			return nil, err
 		}
 	case C.GO_RSA_PKCS1_PSS_PADDING:
 		md := cryptoHashToMD(ch)
diff --git a/rsa_test.go b/rsa_test.go
@@ -57,6 +57,29 @@ func TestEncryptDecryptOAEP(t *testing.T) {
 	}
 }
 
+func TestEncryptDecryptOAEP_EmptyLabel(t *testing.T) {
+	sha256 := openssl.NewSHA256()
+	msg := []byte("hi!")
+	label := []byte("")
+	priv, pub := newRSAKey(t, 2048)
+	enc, err := openssl.EncryptRSAOAEP(sha256, nil, pub, msg, label)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dec, err := openssl.DecryptRSAOAEP(sha256, nil, priv, enc, label)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(dec, msg) {
+		t.Errorf("got:%x want:%x", dec, msg)
+	}
+	sha1 := openssl.NewSHA1()
+	_, err = openssl.DecryptRSAOAEP(sha1, nil, priv, enc, label)
+	if err == nil {
+		t.Error("decrypt failure expected due to hash mismatch")
+	}
+}
+
 func TestEncryptDecryptOAEP_WithMGF1Hash(t *testing.T) {
 	sha1 := openssl.NewSHA1()
 	sha256 := openssl.NewSHA256()
