diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch | 393 |
1 files changed, 393 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch new file mode 100644 index 0000000000..4d65180253 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch | |||
@@ -0,0 +1,393 @@ | |||
1 | From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filippo Valsorda <filippo@golang.org> | ||
3 | Date: Wed, 1 Apr 2020 17:25:40 -0400 | ||
4 | Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification | ||
5 | |||
6 | Cleaned up for readability and consistency. | ||
7 | |||
8 | There is one tiny behavioral change: when PSSSaltLengthEqualsHash is | ||
9 | used and both hash and opts.Hash were set, hash.Size() was used for the | ||
10 | salt length instead of opts.Hash.Size(). That's clearly wrong because | ||
11 | opts.Hash is documented to override hash. | ||
12 | |||
13 | Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e | ||
14 | Reviewed-on: https://go-review.googlesource.com/c/go/+/226937 | ||
15 | Run-TryBot: Filippo Valsorda <filippo@golang.org> | ||
16 | TryBot-Result: Gobot Gobot <gobot@golang.org> | ||
17 | Reviewed-by: Katie Hockman <katie@golang.org> | ||
18 | |||
19 | Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255] | ||
20 | CVE: CVE-2023-45287 #Dependency Patch1 | ||
21 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
22 | --- | ||
23 | src/crypto/rsa/pss.go | 173 ++++++++++++++++++++++-------------------- | ||
24 | src/crypto/rsa/rsa.go | 9 ++- | ||
25 | 2 files changed, 96 insertions(+), 86 deletions(-) | ||
26 | |||
27 | diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go | ||
28 | index 3ff0c2f4d0076..f9844d87329a8 100644 | ||
29 | --- a/src/crypto/rsa/pss.go | ||
30 | +++ b/src/crypto/rsa/pss.go | ||
31 | @@ -4,9 +4,7 @@ | ||
32 | |||
33 | package rsa | ||
34 | |||
35 | -// This file implements the PSS signature scheme [1]. | ||
36 | -// | ||
37 | -// [1] https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf | ||
38 | +// This file implements the RSASSA-PSS signature scheme according to RFC 8017. | ||
39 | |||
40 | import ( | ||
41 | "bytes" | ||
42 | @@ -17,8 +15,22 @@ import ( | ||
43 | "math/big" | ||
44 | ) | ||
45 | |||
46 | +// Per RFC 8017, Section 9.1 | ||
47 | +// | ||
48 | +// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc | ||
49 | +// | ||
50 | +// where | ||
51 | +// | ||
52 | +// DB = PS || 0x01 || salt | ||
53 | +// | ||
54 | +// and PS can be empty so | ||
55 | +// | ||
56 | +// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2 | ||
57 | +// | ||
58 | + | ||
59 | func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) { | ||
60 | - // See [1], section 9.1.1 | ||
61 | + // See RFC 8017, Section 9.1.1. | ||
62 | + | ||
63 | hLen := hash.Size() | ||
64 | sLen := len(salt) | ||
65 | emLen := (emBits + 7) / 8 | ||
66 | @@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt | ||
67 | // 2. Let mHash = Hash(M), an octet string of length hLen. | ||
68 | |||
69 | if len(mHash) != hLen { | ||
70 | - return nil, errors.New("crypto/rsa: input must be hashed message") | ||
71 | + return nil, errors.New("crypto/rsa: input must be hashed with given hash") | ||
72 | } | ||
73 | |||
74 | // 3. If emLen < hLen + sLen + 2, output "encoding error" and stop. | ||
75 | @@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt | ||
76 | } | ||
77 | |||
78 | em := make([]byte, emLen) | ||
79 | - db := em[:emLen-sLen-hLen-2+1+sLen] | ||
80 | - h := em[emLen-sLen-hLen-2+1+sLen : emLen-1] | ||
81 | + psLen := emLen - sLen - hLen - 2 | ||
82 | + db := em[:psLen+1+sLen] | ||
83 | + h := em[psLen+1+sLen : emLen-1] | ||
84 | |||
85 | // 4. Generate a random octet string salt of length sLen; if sLen = 0, | ||
86 | // then salt is the empty string. | ||
87 | @@ -69,8 +82,8 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt | ||
88 | // 8. Let DB = PS || 0x01 || salt; DB is an octet string of length | ||
89 | // emLen - hLen - 1. | ||
90 | |||
91 | - db[emLen-sLen-hLen-2] = 0x01 | ||
92 | - copy(db[emLen-sLen-hLen-1:], salt) | ||
93 | + db[psLen] = 0x01 | ||
94 | + copy(db[psLen+1:], salt) | ||
95 | |||
96 | // 9. Let dbMask = MGF(H, emLen - hLen - 1). | ||
97 | // | ||
98 | @@ -81,47 +94,57 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt | ||
99 | // 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in | ||
100 | // maskedDB to zero. | ||
101 | |||
102 | - db[0] &= (0xFF >> uint(8*emLen-emBits)) | ||
103 | + db[0] &= 0xff >> (8*emLen - emBits) | ||
104 | |||
105 | // 12. Let EM = maskedDB || H || 0xbc. | ||
106 | - em[emLen-1] = 0xBC | ||
107 | + em[emLen-1] = 0xbc | ||
108 | |||
109 | // 13. Output EM. | ||
110 | return em, nil | ||
111 | } | ||
112 | |||
113 | func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { | ||
114 | + // See RFC 8017, Section 9.1.2. | ||
115 | + | ||
116 | + hLen := hash.Size() | ||
117 | + if sLen == PSSSaltLengthEqualsHash { | ||
118 | + sLen = hLen | ||
119 | + } | ||
120 | + emLen := (emBits + 7) / 8 | ||
121 | + if emLen != len(em) { | ||
122 | + return errors.New("rsa: internal error: inconsistent length") | ||
123 | + } | ||
124 | + | ||
125 | // 1. If the length of M is greater than the input limitation for the | ||
126 | // hash function (2^61 - 1 octets for SHA-1), output "inconsistent" | ||
127 | // and stop. | ||
128 | // | ||
129 | // 2. Let mHash = Hash(M), an octet string of length hLen. | ||
130 | - hLen := hash.Size() | ||
131 | if hLen != len(mHash) { | ||
132 | return ErrVerification | ||
133 | } | ||
134 | |||
135 | // 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop. | ||
136 | - emLen := (emBits + 7) / 8 | ||
137 | if emLen < hLen+sLen+2 { | ||
138 | return ErrVerification | ||
139 | } | ||
140 | |||
141 | // 4. If the rightmost octet of EM does not have hexadecimal value | ||
142 | // 0xbc, output "inconsistent" and stop. | ||
143 | - if em[len(em)-1] != 0xBC { | ||
144 | + if em[emLen-1] != 0xbc { | ||
145 | return ErrVerification | ||
146 | } | ||
147 | |||
148 | // 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and | ||
149 | // let H be the next hLen octets. | ||
150 | db := em[:emLen-hLen-1] | ||
151 | - h := em[emLen-hLen-1 : len(em)-1] | ||
152 | + h := em[emLen-hLen-1 : emLen-1] | ||
153 | |||
154 | // 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in | ||
155 | // maskedDB are not all equal to zero, output "inconsistent" and | ||
156 | // stop. | ||
157 | - if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 { | ||
158 | + var bitMask byte = 0xff >> (8*emLen - emBits) | ||
159 | + if em[0] & ^bitMask != 0 { | ||
160 | return ErrVerification | ||
161 | } | ||
162 | |||
163 | @@ -132,37 +155,30 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { | ||
164 | |||
165 | // 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB | ||
166 | // to zero. | ||
167 | - db[0] &= (0xFF >> uint(8*emLen-emBits)) | ||
168 | + db[0] &= bitMask | ||
169 | |||
170 | + // If we don't know the salt length, look for the 0x01 delimiter. | ||
171 | if sLen == PSSSaltLengthAuto { | ||
172 | - FindSaltLength: | ||
173 | - for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- { | ||
174 | - switch db[emLen-hLen-sLen-2] { | ||
175 | - case 1: | ||
176 | - break FindSaltLength | ||
177 | - case 0: | ||
178 | - continue | ||
179 | - default: | ||
180 | - return ErrVerification | ||
181 | - } | ||
182 | - } | ||
183 | - if sLen < 0 { | ||
184 | + psLen := bytes.IndexByte(db, 0x01) | ||
185 | + if psLen < 0 { | ||
186 | return ErrVerification | ||
187 | } | ||
188 | - } else { | ||
189 | - // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero | ||
190 | - // or if the octet at position emLen - hLen - sLen - 1 (the leftmost | ||
191 | - // position is "position 1") does not have hexadecimal value 0x01, | ||
192 | - // output "inconsistent" and stop. | ||
193 | - for _, e := range db[:emLen-hLen-sLen-2] { | ||
194 | - if e != 0x00 { | ||
195 | - return ErrVerification | ||
196 | - } | ||
197 | - } | ||
198 | - if db[emLen-hLen-sLen-2] != 0x01 { | ||
199 | + sLen = len(db) - psLen - 1 | ||
200 | + } | ||
201 | + | ||
202 | + // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero | ||
203 | + // or if the octet at position emLen - hLen - sLen - 1 (the leftmost | ||
204 | + // position is "position 1") does not have hexadecimal value 0x01, | ||
205 | + // output "inconsistent" and stop. | ||
206 | + psLen := emLen - hLen - sLen - 2 | ||
207 | + for _, e := range db[:psLen] { | ||
208 | + if e != 0x00 { | ||
209 | return ErrVerification | ||
210 | } | ||
211 | } | ||
212 | + if db[psLen] != 0x01 { | ||
213 | + return ErrVerification | ||
214 | + } | ||
215 | |||
216 | // 11. Let salt be the last sLen octets of DB. | ||
217 | salt := db[len(db)-sLen:] | ||
218 | @@ -181,19 +197,19 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { | ||
219 | h0 := hash.Sum(nil) | ||
220 | |||
221 | // 14. If H = H', output "consistent." Otherwise, output "inconsistent." | ||
222 | - if !bytes.Equal(h0, h) { | ||
223 | + if !bytes.Equal(h0, h) { // TODO: constant time? | ||
224 | return ErrVerification | ||
225 | } | ||
226 | return nil | ||
227 | } | ||
228 | |||
229 | -// signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt. | ||
230 | +// signPSSWithSalt calculates the signature of hashed using PSS with specified salt. | ||
231 | // Note that hashed must be the result of hashing the input message using the | ||
232 | // given hash function. salt is a random sequence of bytes whose length will be | ||
233 | // later used to verify the signature. | ||
234 | func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) { | ||
235 | - nBits := priv.N.BitLen() | ||
236 | - em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New()) | ||
237 | + emBits := priv.N.BitLen() - 1 | ||
238 | + em, err := emsaPSSEncode(hashed, emBits, salt, hash.New()) | ||
239 | if err != nil { | ||
240 | return | ||
241 | } | ||
242 | @@ -202,7 +218,7 @@ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, | ||
243 | if err != nil { | ||
244 | return | ||
245 | } | ||
246 | - s = make([]byte, (nBits+7)/8) | ||
247 | + s = make([]byte, priv.Size()) | ||
248 | copyWithLeftPad(s, c.Bytes()) | ||
249 | return | ||
250 | } | ||
251 | @@ -223,16 +239,15 @@ type PSSOptions struct { | ||
252 | // PSSSaltLength constants. | ||
253 | SaltLength int | ||
254 | |||
255 | - // Hash, if not zero, overrides the hash function passed to SignPSS. | ||
256 | - // This is the only way to specify the hash function when using the | ||
257 | - // crypto.Signer interface. | ||
258 | + // Hash is the hash function used to generate the message digest. If not | ||
259 | + // zero, it overrides the hash function passed to SignPSS. It's required | ||
260 | + // when using PrivateKey.Sign. | ||
261 | Hash crypto.Hash | ||
262 | } | ||
263 | |||
264 | -// HashFunc returns pssOpts.Hash so that PSSOptions implements | ||
265 | -// crypto.SignerOpts. | ||
266 | -func (pssOpts *PSSOptions) HashFunc() crypto.Hash { | ||
267 | - return pssOpts.Hash | ||
268 | +// HashFunc returns opts.Hash so that PSSOptions implements crypto.SignerOpts. | ||
269 | +func (opts *PSSOptions) HashFunc() crypto.Hash { | ||
270 | + return opts.Hash | ||
271 | } | ||
272 | |||
273 | func (opts *PSSOptions) saltLength() int { | ||
274 | @@ -242,56 +257,50 @@ func (opts *PSSOptions) saltLength() int { | ||
275 | return opts.SaltLength | ||
276 | } | ||
277 | |||
278 | -// SignPSS calculates the signature of hashed using RSASSA-PSS [1]. | ||
279 | -// Note that hashed must be the result of hashing the input message using the | ||
280 | -// given hash function. The opts argument may be nil, in which case sensible | ||
281 | -// defaults are used. | ||
282 | -func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) ([]byte, error) { | ||
283 | +// SignPSS calculates the signature of digest using PSS. | ||
284 | +// | ||
285 | +// digest must be the result of hashing the input message using the given hash | ||
286 | +// function. The opts argument may be nil, in which case sensible defaults are | ||
287 | +// used. If opts.Hash is set, it overrides hash. | ||
288 | +func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, opts *PSSOptions) ([]byte, error) { | ||
289 | + if opts != nil && opts.Hash != 0 { | ||
290 | + hash = opts.Hash | ||
291 | + } | ||
292 | + | ||
293 | saltLength := opts.saltLength() | ||
294 | switch saltLength { | ||
295 | case PSSSaltLengthAuto: | ||
296 | - saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size() | ||
297 | + saltLength = priv.Size() - 2 - hash.Size() | ||
298 | case PSSSaltLengthEqualsHash: | ||
299 | saltLength = hash.Size() | ||
300 | } | ||
301 | |||
302 | - if opts != nil && opts.Hash != 0 { | ||
303 | - hash = opts.Hash | ||
304 | - } | ||
305 | - | ||
306 | salt := make([]byte, saltLength) | ||
307 | if _, err := io.ReadFull(rand, salt); err != nil { | ||
308 | return nil, err | ||
309 | } | ||
310 | - return signPSSWithSalt(rand, priv, hash, hashed, salt) | ||
311 | + return signPSSWithSalt(rand, priv, hash, digest, salt) | ||
312 | } | ||
313 | |||
314 | // VerifyPSS verifies a PSS signature. | ||
315 | -// hashed is the result of hashing the input message using the given hash | ||
316 | -// function and sig is the signature. A valid signature is indicated by | ||
317 | -// returning a nil error. The opts argument may be nil, in which case sensible | ||
318 | -// defaults are used. | ||
319 | -func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error { | ||
320 | - return verifyPSS(pub, hash, hashed, sig, opts.saltLength()) | ||
321 | -} | ||
322 | - | ||
323 | -// verifyPSS verifies a PSS signature with the given salt length. | ||
324 | -func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error { | ||
325 | - nBits := pub.N.BitLen() | ||
326 | - if len(sig) != (nBits+7)/8 { | ||
327 | +// | ||
328 | +// A valid signature is indicated by returning a nil error. digest must be the | ||
329 | +// result of hashing the input message using the given hash function. The opts | ||
330 | +// argument may be nil, in which case sensible defaults are used. opts.Hash is | ||
331 | +// ignored. | ||
332 | +func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error { | ||
333 | + if len(sig) != pub.Size() { | ||
334 | return ErrVerification | ||
335 | } | ||
336 | s := new(big.Int).SetBytes(sig) | ||
337 | m := encrypt(new(big.Int), pub, s) | ||
338 | - emBits := nBits - 1 | ||
339 | + emBits := pub.N.BitLen() - 1 | ||
340 | emLen := (emBits + 7) / 8 | ||
341 | - if emLen < len(m.Bytes()) { | ||
342 | + emBytes := m.Bytes() | ||
343 | + if emLen < len(emBytes) { | ||
344 | return ErrVerification | ||
345 | } | ||
346 | em := make([]byte, emLen) | ||
347 | - copyWithLeftPad(em, m.Bytes()) | ||
348 | - if saltLen == PSSSaltLengthEqualsHash { | ||
349 | - saltLen = hash.Size() | ||
350 | - } | ||
351 | - return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New()) | ||
352 | + copyWithLeftPad(em, emBytes) | ||
353 | + return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New()) | ||
354 | } | ||
355 | diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go | ||
356 | index 5a42990640164..b4bfa13defbdf 100644 | ||
357 | --- a/src/crypto/rsa/rsa.go | ||
358 | +++ b/src/crypto/rsa/rsa.go | ||
359 | @@ -2,7 +2,7 @@ | ||
360 | // Use of this source code is governed by a BSD-style | ||
361 | // license that can be found in the LICENSE file. | ||
362 | |||
363 | -// Package rsa implements RSA encryption as specified in PKCS#1. | ||
364 | +// Package rsa implements RSA encryption as specified in PKCS#1 and RFC 8017. | ||
365 | // | ||
366 | // RSA is a single, fundamental operation that is used in this package to | ||
367 | // implement either public-key encryption or public-key signatures. | ||
368 | @@ -10,13 +10,13 @@ | ||
369 | // The original specification for encryption and signatures with RSA is PKCS#1 | ||
370 | // and the terms "RSA encryption" and "RSA signatures" by default refer to | ||
371 | // PKCS#1 version 1.5. However, that specification has flaws and new designs | ||
372 | -// should use version two, usually called by just OAEP and PSS, where | ||
373 | +// should use version 2, usually called by just OAEP and PSS, where | ||
374 | // possible. | ||
375 | // | ||
376 | // Two sets of interfaces are included in this package. When a more abstract | ||
377 | // interface isn't necessary, there are functions for encrypting/decrypting | ||
378 | // with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract | ||
379 | -// over the public-key primitive, the PrivateKey struct implements the | ||
380 | +// over the public key primitive, the PrivateKey type implements the | ||
381 | // Decrypter and Signer interfaces from the crypto package. | ||
382 | // | ||
383 | // The RSA operations in this package are not implemented using constant-time algorithms. | ||
384 | @@ -111,7 +111,8 @@ func (priv *PrivateKey) Public() crypto.PublicKey { | ||
385 | |||
386 | // Sign signs digest with priv, reading randomness from rand. If opts is a | ||
387 | // *PSSOptions then the PSS algorithm will be used, otherwise PKCS#1 v1.5 will | ||
388 | -// be used. | ||
389 | +// be used. digest must be the result of hashing the input message using | ||
390 | +// opts.HashFunc(). | ||
391 | // | ||
392 | // This method implements crypto.Signer, which is an interface to support keys | ||
393 | // where the private part is kept in, for example, a hardware module. Common | ||