@ariawisp ariawisp commented Sep 7, 2025

Summary

Fixes three correctness/security issues:

  • Signature copy when writing into a destination buffer with offset: always copy from source index 0 to the given destination offset (prevents truncated/garbled output).
  • OpenSSL3 CMAC update: hash only the requested slice (startIndex..endIndex) instead of the entire array.
  • Linux /dev/urandom open: treat only fd < 0 as error (0 is a valid descriptor).

Why these changes are correct

  • Signature copy offset

    • Our signIntoByteArray(destination, destinationOffset) contract writes the full signature at destinationOffset. Using copyInto(destination, destinationOffset, destinationOffset) erroneously interprets the offset as the source start index, truncating when destinationOffset > 0.
    • Correct usage is copyInto(destination, destinationOffset, 0, size), i.e. copy from the start of the signature into the requested offset.
    • References (Kotlin stdlib):
  • CMAC slice update (OpenSSL 3)

    • EVP_MAC_update(ctx, data, datalen) digests exactly the datalen bytes starting at data. Passing safeAddressOf(0) and source.size ignores the requested slice and can MAC unintended bytes.
    • Using safeAddressOf(startIndex) and (endIndex - startIndex) matches the streaming API’s update(source, startIndex, endIndex) contract.
    • Reference (OpenSSL 3.2 man page): exact quote — "EVP_MAC_update() adds datalen bytes from data to the MAC input."
  • /dev/urandom file descriptor check

    • POSIX open(2) returns a non-negative file descriptor on success; only -1 indicates error. FD 0 is valid (stdin) and can be returned depending on process state.
    • Switching from fd <= 0 to fd < 0 avoids false-positive error handling.
    • Reference (Linux open(2) man page): exact quotes —

Impact

  • Correct signatures for callers who preallocate and write at non‑zero offsets.
  • Correct CMACs for streaming/sliced updates; avoids accidental extra bytes.
  • Avoids spurious failures on systems returning fd = 0.

Validation

  • JDK provider: compiles and JVM tests pass locally.
  • Apple/OpenSSL3: common/metadata compilation succeeds.

Follow‑ups (separate PR)

  • Add constant‑time equals for MAC/CMAC/HMAC verifiers.
  • Consider aligning AES‑GCM tag size policy.
  • Provide PBKDF2 APIs that distinguish text vs binary input on JVM.

…ndom FD check

- ECDSA/signature: copyFrom=0 when writing into destination with offset to avoid truncated/garbled output (JDK, Apple, OpenSSL3)
- JDK SignatureGenerator: same fix for signIntoByteArray
- OpenSSL3 CMAC: use startIndex/endIndex slice in EVP_MAC_update instead of whole array
- Linux URandom: consider fd<0 as error (fd==0 is valid)

Build: jvmMainClasses and jvmTest for JDK provider pass; metadata compilation for Apple/OpenSSL3 OK.