use paramBuilder everywhere

golang-fips · Oct 29, 2024 · 90cd135 · 90cd135
1 parent 6a75451
commit 90cd135
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 150 deletions.
diff --git a/dsa.go b/dsa.go
@@ -9,14 +9,6 @@ import (
 	"unsafe"
 )
 
-var (
-	OSSL_PKEY_PARAM_FFC_PBITS = C.CString("pbits")
-	OSSL_PKEY_PARAM_FFC_QBITS = C.CString("qbits")
-	OSSL_PKEY_PARAM_FFC_P     = C.CString("p")
-	OSSL_PKEY_PARAM_FFC_Q     = C.CString("q")
-	OSSL_PKEY_PARAM_FFC_G     = C.CString("g")
-)
-
 // SupportsDSA returns true if the OpenSSL library supports DSA.
 func SupportsDSA() bool {
 	ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_DSA, nil)
@@ -110,9 +102,9 @@ func GenerateDSAParameters(l, n int) (DSAParameters, error) {
 			C.go_openssl_BN_free(q)
 			C.go_openssl_BN_free(g)
 		}()
-		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p) != 1 ||
-			C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_Q, &q) != 1 ||
-			C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g) != 1 {
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_P, &p) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_Q, &q) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_G, &g) != 1 {
 			return DSAParameters{}, newOpenSSLError("EVP_PKEY_get_bn_param")
 		}
 	default:
@@ -174,8 +166,8 @@ func GenerateKeyDSA(params DSAParameters) (*PrivateKeyDSA, error) {
 			C.go_openssl_BN_clear_free(x)
 			C.go_openssl_BN_free(y)
 		}()
-		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &y) != 1 ||
-			C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &x) != 1 {
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PUB_KEY, &y) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &x) != 1 {
 			return nil, newOpenSSLError("EVP_PKEY_get_bn_param")
 		}
 	default:
@@ -264,44 +256,28 @@ func newDSA1(params DSAParameters, x, y BigInt) (pkey C.GO_EVP_PKEY_PTR, err err
 func newDSA3(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) {
 	checkMajorVersion(3)
 
-	bld := C.go_openssl_OSSL_PARAM_BLD_new()
-	if bld == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_new")
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
 	}
-	defer C.go_openssl_OSSL_PARAM_BLD_free(bld)
-	p, q, g := bigToBN(params.P), bigToBN(params.Q), bigToBN(params.G)
-	defer func() {
-		C.go_openssl_BN_free(p)
-		C.go_openssl_BN_free(q)
-		C.go_openssl_BN_free(g)
-	}()
-	if C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 ||
-		C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1 ||
-		C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) != 1 {
+	defer bld.finalize()
 
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_push_BN")
-	}
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_P, params.P, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_Q, params.Q, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_G, params.G, false)
 	selection := C.int(C.GO_EVP_PKEY_KEYPAIR)
 	if y != nil {
-		pub := bigToBN(y)
-		defer C.go_openssl_BN_free(pub)
-		if C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub) != 1 {
-			return nil, newOpenSSLError("OSSL_PARAM_BLD_push_BN")
-		}
+		bld.addBigInt(_OSSL_PKEY_PARAM_PUB_KEY, y, false)
 		if x == nil {
 			selection = C.int(C.GO_EVP_PKEY_PUBLIC_KEY)
 		}
 	}
 	if x != nil {
-		priv := bigToBN(x)
-		defer C.go_openssl_BN_clear_free(priv)
-		if C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1 {
-			return nil, newOpenSSLError("OSSL_PARAM_BLD_push_BN")
-		}
+		bld.addBigInt(_OSSL_PKEY_PARAM_PRIV_KEY, x, true)
 	}
-	bldparams := C.go_openssl_OSSL_PARAM_BLD_to_param(bld)
-	if bldparams == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_to_param")
+	bldparams, err := bld.build()
+	if err != nil {
+		return nil, err
 	}
 	defer C.go_openssl_OSSL_PARAM_free(bldparams)
 	pkey, err := newEvpFromParams(C.GO_EVP_PKEY_DSA, selection, bldparams)

diff --git a/ec.go b/ec.go
@@ -5,14 +5,6 @@ package openssl
 // #include "goopenssl.h"
 import "C"
 
-var (
-	OSSL_PKEY_PARAM_PUB_KEY    = C.CString("pub")
-	OSSL_PKEY_PARAM_PRIV_KEY   = C.CString("priv")
-	OSSL_PKEY_PARAM_GROUP_NAME = C.CString("group")
-	OSSL_PKEY_PARAM_EC_PUB_X   = C.CString("qx")
-	OSSL_PKEY_PARAM_EC_PUB_Y   = C.CString("qy")
-)
-
 func curveNID(curve string) (C.int, error) {
 	switch curve {
 	case "P-224":

diff --git a/ecdh.go b/ecdh.go
@@ -167,32 +167,24 @@ func newECDHPkey1(nid C.int, bytes []byte, isPrivate bool) (pkey C.GO_EVP_PKEY_P
 func newECDHPkey3(nid C.int, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, error) {
 	checkMajorVersion(3)
 
-	bld := C.go_openssl_OSSL_PARAM_BLD_new()
-	if bld == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_new")
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
 	}
-	defer C.go_openssl_OSSL_PARAM_BLD_free(bld)
-	C.go_openssl_OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
 	var selection C.int
 	if isPrivate {
-		priv := C.go_openssl_BN_bin2bn(base(bytes), C.int(len(bytes)), nil)
-		if priv == nil {
-			return nil, newOpenSSLError("BN_bin2bn")
-		}
-		defer C.go_openssl_BN_clear_free(priv)
-		if C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1 {
-			return nil, newOpenSSLError("OSSL_PARAM_BLD_push_BN")
-		}
+		bld.addBin(_OSSL_PKEY_PARAM_PRIV_KEY, bytes, true)
 		selection = C.GO_EVP_PKEY_KEYPAIR
 	} else {
-		cbytes := C.CBytes(bytes)
-		defer C.free(cbytes)
-		C.go_openssl_OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, cbytes, C.size_t(len(bytes)))
+		bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, bytes)
 		selection = C.GO_EVP_PKEY_PUBLIC_KEY
 	}
-	params := C.go_openssl_OSSL_PARAM_BLD_to_param(bld)
-	if params == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_to_param")
+
+	params, err := bld.build()
+	if err != nil {
+		return nil, err
 	}
 	defer C.go_openssl_OSSL_PARAM_free(params)
 	return newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
@@ -233,7 +225,7 @@ func deriveEcdhPublicKey(pkey C.GO_EVP_PKEY_PTR, curve string) error {
 		}
 	case 3:
 		var priv C.GO_BIGNUM_PTR
-		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 {
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 {
 			return newOpenSSLError("EVP_PKEY_get_bn_param")
 		}
 		defer C.go_openssl_BN_clear_free(priv)
@@ -298,7 +290,7 @@ func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
 			return nil, nil, newOpenSSLError("EC_KEY_get0_private_key")
 		}
 	case 3:
-		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 {
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 {
 			return nil, nil, newOpenSSLError("EVP_PKEY_get_bn_param")
 		}
 		defer C.go_openssl_BN_clear_free(priv)

diff --git a/ecdsa.go b/ecdsa.go
@@ -91,9 +91,9 @@ func GenerateKeyECDSA(curve string) (x, y, d BigInt, err error) {
 		// Get Z. We don't need to free it, get0 does not increase the reference count.
 		bd = C.go_openssl_EC_KEY_get0_private_key(key)
 	case 3:
-		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bx) != 1 ||
-			C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &by) != 1 ||
-			C.go_openssl_EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &bd) != 1 {
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_EC_PUB_X, &bx) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_EC_PUB_Y, &by) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &bd) != 1 {
 			return nil, nil, nil, newOpenSSLError("EVP_PKEY_get_bn_param")
 		}
 		defer C.go_openssl_BN_clear_free(bd)
@@ -188,27 +188,23 @@ func newECDSAKey3(nid C.int, bx, by, bd C.GO_BIGNUM_PTR) (C.GO_EVP_PKEY_PTR, err
 		return nil, err
 	}
 	// Construct the parameters.
-	bld := C.go_openssl_OSSL_PARAM_BLD_new()
-	if bld == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_new")
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
 	}
-	defer C.go_openssl_OSSL_PARAM_BLD_free(bld)
-	C.go_openssl_OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
-	cbytes := C.CBytes(pubBytes)
-	defer C.free(cbytes)
-	C.go_openssl_OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, cbytes, C.size_t(len(pubBytes)))
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
+	bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, pubBytes)
 	var selection C.int
 	if bd != nil {
-		if C.go_openssl_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, bd) != 1 {
-			return nil, newOpenSSLError("OSSL_PARAM_BLD_push_BN")
-		}
+		bld.addBN(_OSSL_PKEY_PARAM_PRIV_KEY, bd)
 		selection = C.GO_EVP_PKEY_KEYPAIR
 	} else {
 		selection = C.GO_EVP_PKEY_PUBLIC_KEY
 	}
-	params := C.go_openssl_OSSL_PARAM_BLD_to_param(bld)
-	if params == nil {
-		return nil, newOpenSSLError("OSSL_PARAM_BLD_to_param")
+	params, err := bld.build()
+	if err != nil {
+		return nil, err
 	}
 	defer C.go_openssl_OSSL_PARAM_free(params)
 	return newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)

diff --git a/hmac.go b/hmac.go
@@ -11,8 +11,6 @@ import (
 	"unsafe"
 )
 
-var OSSL_MAC_PARAM_DIGEST = C.CString("digest")
-
 // NewHMAC returns a new HMAC using OpenSSL.
 // The function h must return a hash implemented by
 // OpenSSL (for example, h could be openssl.NewSHA256).
@@ -99,14 +97,14 @@ var fetchHMAC3 = sync.OnceValue(func() C.GO_EVP_MAC_PTR {
 	return mac
 })
 
-func buildHMAC3Params(digest *C.char) C.GO_OSSL_PARAM_PTR {
-	bld := C.go_openssl_OSSL_PARAM_BLD_new()
-	if bld == nil {
-		panic(newOpenSSLError("OSSL_PARAM_BLD_new"))
+func buildHMAC3Params(digest *C.char) (C.GO_OSSL_PARAM_PTR, error) {
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
 	}
-	defer C.go_openssl_OSSL_PARAM_BLD_free(bld)
-	C.go_openssl_OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_MAC_PARAM_DIGEST, digest, 0)
-	return C.go_openssl_OSSL_PARAM_BLD_to_param(bld)
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_MAC_PARAM_DIGEST, digest, 0)
+	return bld.build()
 }
 
 func isHMAC3DigestSupported(digest string) bool {
@@ -121,9 +119,9 @@ func isHMAC3DigestSupported(digest string) bool {
 
 	cdigest := C.CString(digest)
 	defer C.free(unsafe.Pointer(cdigest))
-	params := buildHMAC3Params(cdigest)
-	if params == nil {
-		panic(newOpenSSLError("OSSL_PARAM_BLD_to_param"))
+	params, err := buildHMAC3Params(cdigest)
+	if err != nil {
+		panic(err)
 	}
 	defer C.go_openssl_OSSL_PARAM_free(params)
 
@@ -141,9 +139,9 @@ func newHMAC3(key []byte, md C.GO_EVP_MD_PTR) hmacCtx3 {
 		// See https://github.com/golang-fips/openssl/issues/153.
 		return hmacCtx3{}
 	}
-	params := buildHMAC3Params(digest)
-	if params == nil {
-		panic(newOpenSSLError("OSSL_PARAM_BLD_to_param"))
+	params, err := buildHMAC3Params(digest)
+	if err != nil {
+		panic(err)
 	}
 	defer C.go_openssl_OSSL_PARAM_free(params)