Fix: signature copy offset, CMAC slice, urandom FD

[ariawisp]

Summary

Fixes three correctness/security issues:

• Signature copy when writing into a destination buffer with offset: always copy from source index 0 to the given destination offset (prevents truncated/garbled output).
• OpenSSL3 CMAC update: hash only the requested slice (startIndex..endIndex) instead of the entire array.
• Linux /dev/urandom open: treat only fd < 0 as error (0 is a valid descriptor).

Why these changes are correct

• Signature copy offset

  • Our signIntoByteArray(destination, destinationOffset) contract writes the full signature at destinationOffset. Using copyInto(destination, destinationOffset, destinationOffset) erroneously interprets the offset as the source start index, truncating when destinationOffset > 0.
  • Correct usage is copyInto(destination, destinationOffset, 0, size), i.e. copy from the start of the signature into the requested offset.
  • References (Kotlin stdlib):
    • Doc quote: "Copies this array or its subrange into the [destination] array and returns that array."
    • Param docs: "[destinationOffset] the position in the [destination] array to copy to... [startIndex] the beginning (inclusive) of the subrange to copy... [endIndex] the end (exclusive) of the subrange to copy"
    • Source signature: public expect fun ByteArray.copyInto(destination: ByteArray, destinationOffset: Int = 0, startIndex: Int = 0, endIndex: Int = size): ByteArray
      • https://raw.githubusercontent.com/JetBrains/kotlin/2.2.20/libraries/stdlib/common/src/generated/_Arrays.kt
      • API page: https://kotlinlang.org/api/core/kotlin-stdlib/kotlin.collections/copy-into.html

• CMAC slice update (OpenSSL 3)

  • EVP_MAC_update(ctx, data, datalen) digests exactly the datalen bytes starting at data. Passing safeAddressOf(0) and source.size ignores the requested slice and can MAC unintended bytes.
  • Using safeAddressOf(startIndex) and (endIndex - startIndex) matches the streaming API’s update(source, startIndex, endIndex) contract.
  • Reference (OpenSSL 3.2 man page): exact quote — "EVP_MAC_update() adds datalen bytes from data to the MAC input."
    • https://raw.githubusercontent.com/openssl/openssl/openssl-3.2/doc/man3/EVP_MAC.pod

• /dev/urandom file descriptor check

  • POSIX open(2) returns a non-negative file descriptor on success; only -1 indicates error. FD 0 is valid (stdin) and can be returned depending on process state.
  • Switching from fd <= 0 to fd < 0 avoids false-positive error handling.
  • Reference (Linux open(2) man page): exact quotes —
    • "The return value of open() is a file descriptor, a small, [..]"
    • "On success, open() returns a file descriptor (a nonnegative integer). On error, -1 is returned"
    • https://man7.org/linux/man-pages/man2/open.2.html

Impact

• Correct signatures for callers who preallocate and write at non‑zero offsets.
• Correct CMACs for streaming/sliced updates; avoids accidental extra bytes.
• Avoids spurious failures on systems returning fd = 0.

Validation

• JDK provider: compiles and JVM tests pass locally.
• Apple/OpenSSL3: common/metadata compilation succeeds.

Follow‑ups (separate PR)

• Add constant‑time equals for MAC/CMAC/HMAC verifiers.
• Consider aligning AES‑GCM tag size policy.
• Provide PBKDF2 APIs that distinguish text vs binary input on JVM.

[whyoleg]

Fixed into ecaa965