microsoft / go-crypto-openssl

Go crypto backend for Linux using OpenSSL
MIT License

Incorrect error message "decrypt/encrypt" in multiple functions #28

Closed tolginator closed 1 year ago

tolginator commented 2 years ago

The "EVP_PKEY_decrypt/encrypt failed" error is returned on error in cryptEVP and verifyEVP functions. The operation is not encrypt/decrypt, but signature verification.

Similarly, the cryptEVP function returns the same error when called by the evpSign function and fails. The failure is in signature generation, not in encrypt/decrypt.

File: openssl/evpkey.go

dagood commented 2 years ago

Thanks for pointing this out! I'm trying to see if this applies to upstream (Go boringcrypto), and if this string actually shows up when go-crypto-openssl is used as a backend for Go standard library crypto, or only when it's used directly as a module dependency.

I briefly tried it and found that the Go standard library crypto using the openssl module returns a friendlier error than direct go-crypto-openssl usage--but my attempt might have simply been incorrect.

How much have you dug into this? Are you seeing this error from usage, and what kind of use?


I see that Go boringcrypto uses the same error message at https://github.com/golang/go/blob/f771edd7f92a47c276d65fbd9619e16a786c6746/src/crypto/internal/boring/rsa.go#L198:

```go
func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
//...
    var outLen C.size_t
    if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 {
        return nil, fail("EVP_PKEY_decrypt/encrypt")
    }
    out := make([]byte, outLen)
    if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) == 0 {
        return nil, fail("EVP_PKEY_decrypt/encrypt")
    }
    return out[:outLen], nil
}
```

This might not actually be a similar func--I'd need to refamiliarize myself with the context.
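
An added illustration of the issue in this thread, not code from go-crypto-openssl or Go boringcrypto: a pure-Go model of the two-pass helper quoted above, where the caller passes the operation name so a signing failure is not reported as "decrypt/encrypt". The names `evpOp`, `cryptFn`, `cryptOp`, `alwaysFail` and `echo` are hypothetical, the callbacks are constructed stand-ins for the cgo calls, and `fail` assumes the `name + " failed"` message format implied by the error string in the report.

```go
package main

import (
	"errors"
	"fmt"
)

// evpOp names the OpenSSL function the shared helper is driving.
type evpOp string

const (
	opEncrypt evpOp = "EVP_PKEY_encrypt"
	opDecrypt evpOp = "EVP_PKEY_decrypt"
	opSign    evpOp = "EVP_PKEY_sign"
)

// cryptFn stands in for the C callback: returns 0 on failure and, when out
// is nil, only reports the required output size through outLen.
type cryptFn func(out []byte, outLen *int, in []byte) int

// fail is modelled on the fail("...") helper in the snippet quoted above.
func fail(op evpOp) error { return errors.New(string(op) + " failed") }

// cryptOp keeps the size-query-then-call shape of the quoted helper, but the
// error carries the operation the caller actually requested.
func cryptOp(op evpOp, crypt cryptFn, in []byte) ([]byte, error) {
	var outLen int
	if crypt(nil, &outLen, in) == 0 { // first pass: ask for the output size
		return nil, fail(op)
	}
	out := make([]byte, outLen)
	if crypt(out, &outLen, in) == 0 { // second pass: perform the operation
		return nil, fail(op)
	}
	return out[:outLen], nil
}

// Constructed stand-ins: one callback always fails, one copies its input.
func alwaysFail(out []byte, outLen *int, in []byte) int { return 0 }

func echo(out []byte, outLen *int, in []byte) int {
	*outLen = len(in)
	copy(out, in) // no-op on the size-query pass, where out is nil
	return 1
}

func main() {
	_, err := cryptOp(opSign, alwaysFail, []byte("digest"))
	fmt.Println(err)
}
```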