Attached is my patch for golang-go.crypto which I intend to upload tomorrow for:
* CVE-2019-11840 * CVE-2019-11841 I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can cause a panic - however I feel this is not really a security issue. -- Brian May <b...@debian.org>
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2017-04-26 17:42:23.000000000 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2020-09-07 08:29:03.000000000 +1000 @@ -1,3 +1,11 @@ +golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Fix CVE-2019-11841: reject potentially misleading headers and messages. + * Fix CVE-2019-11840: fix keystream loop in amd64 assembly when overflowing 32-bit counter. + + -- Brian May <b...@debian.org> Mon, 07 Sep 2020 08:29:03 +1000 + golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium * Reverts previous upload to permit freeze exception. diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 1970-01-01 10:00:00.000000000 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 2020-09-07 08:29:03.000000000 +1000 @@ -0,0 +1,1922 @@ +commit b7391e95e576cacdcdd422573063bc057239113d +Author: Filippo Valsorda <fili...@golang.org> +Date: Tue Mar 19 18:29:04 2019 -0400 + + salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter + + Fixes golang/go#30965 + + Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01 + Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856 + Reviewed-by: Adam Langley <a...@google.com> + Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406 + Reviewed-by: Filippo Valsorda <fili...@golang.org> + Run-TryBot: Filippo Valsorda <fili...@golang.org> + TryBot-Result: Gobot Gobot <go...@golang.org> + +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +=================================================================== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_amd64.go ++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go +@@ -6,10 +6,9 @@ + + package salsa + +-// This function is implemented in salsa2020_amd64.s. +- + //go:noescape + ++// salsa2020XORKeyStream is implemented in salsa20_amd64.s. + func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) + + // XORKeyStream crypts bytes from in to out using the given key and counters. +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa2020_amd64.s +=================================================================== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa2020_amd64.s ++++ /dev/null +@@ -1,902 +0,0 @@ +-// Copyright 2012 The Go Authors. All rights reserved. +-// Use of this source code is governed by a BSD-style +-// license that can be found in the LICENSE file. +- +-// +build amd64,!appengine,!gccgo +- +-// This code was translated into a form compatible with 6a from the public +-// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +- +-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) +-TEXT ·salsa2020XORKeyStream(SB),0,$512-40 +- MOVQ out+0(FP),DI +- MOVQ in+8(FP),SI +- MOVQ n+16(FP),DX +- MOVQ nonce+24(FP),CX +- MOVQ key+32(FP),R8 +- +- MOVQ SP,R11 +- MOVQ $31,R9 +- NOTQ R9 +- ANDQ R9,SP +- ADDQ $32,SP +- +- MOVQ R11,352(SP) +- MOVQ R12,360(SP) +- MOVQ R13,368(SP) +- MOVQ R14,376(SP) +- MOVQ R15,384(SP) +- MOVQ BX,392(SP) +- MOVQ BP,400(SP) +- MOVQ DX,R9 +- MOVQ CX,DX +- MOVQ R8,R10 +- CMPQ R9,$0 +- JBE DONE +- START: +- MOVL 20(R10),CX +- MOVL 0(R10),R8 +- MOVL 0(DX),AX +- MOVL 16(R10),R11 +- MOVL CX,0(SP) +- MOVL R8, 4 (SP) +- MOVL AX, 8 (SP) +- MOVL R11, 12 (SP) +- MOVL 8(DX),CX +- MOVL 24(R10),R8 +- MOVL 4(R10),AX +- MOVL 4(DX),R11 +- MOVL CX,16(SP) +- MOVL R8, 20 (SP) +- MOVL AX, 24 (SP) +- MOVL R11, 28 (SP) +- MOVL 12(DX),CX +- MOVL 12(R10),DX +- MOVL 28(R10),R8 +- MOVL 8(R10),AX +- MOVL DX,32(SP) +- MOVL CX, 36 (SP) +- MOVL R8, 40 (SP) +- MOVL AX, 44 (SP) +- MOVQ $1634760805,DX +- MOVQ $857760878,CX +- MOVQ $2036477234,R8 +- MOVQ $1797285236,AX +- MOVL DX,48(SP) +- MOVL CX, 52 (SP) +- MOVL R8, 56 (SP) +- MOVL AX, 60 (SP) +- CMPQ R9,$256 +- JB BYTESBETWEEN1AND255 +- MOVOA 48(SP),X0 +- PSHUFL $0X55,X0,X1 +- PSHUFL $0XAA,X0,X2 +- PSHUFL $0XFF,X0,X3 +- PSHUFL $0X00,X0,X0 +- MOVOA X1,64(SP) +- MOVOA X2,80(SP) +- MOVOA X3,96(SP) +- MOVOA X0,112(SP) +- MOVOA 0(SP),X0 +- PSHUFL $0XAA,X0,X1 +- PSHUFL $0XFF,X0,X2 +- PSHUFL $0X00,X0,X3 +- PSHUFL $0X55,X0,X0 +- MOVOA X1,128(SP) +- MOVOA X2,144(SP) +- MOVOA X3,160(SP) +- MOVOA X0,176(SP) +- MOVOA 16(SP),X0 +- PSHUFL $0XFF,X0,X1 +- PSHUFL $0X55,X0,X2 +- PSHUFL $0XAA,X0,X0 +- MOVOA X1,192(SP) +- MOVOA X2,208(SP) +- MOVOA X0,224(SP) +- MOVOA 32(SP),X0 +- PSHUFL $0X00,X0,X1 +- PSHUFL $0XAA,X0,X2 +- PSHUFL $0XFF,X0,X0 +- MOVOA X1,240(SP) +- MOVOA X2,256(SP) +- MOVOA X0,272(SP) +- BYTESATLEAST256: +- MOVL 16(SP),DX +- MOVL 36 (SP),CX +- MOVL DX,288(SP) +- MOVL CX,304(SP) +- ADDQ $1,DX +- SHLQ $32,CX +- ADDQ CX,DX +- MOVQ DX,CX +- SHRQ $32,CX +- MOVL DX, 292 (SP) +- MOVL CX, 308 (SP) +- ADDQ $1,DX +- SHLQ $32,CX +- ADDQ CX,DX +- MOVQ DX,CX +- SHRQ $32,CX +- MOVL DX, 296 (SP) +- MOVL CX, 312 (SP) +- ADDQ $1,DX +- SHLQ $32,CX +- ADDQ CX,DX +- MOVQ DX,CX +- SHRQ $32,CX +- MOVL DX, 300 (SP) +- MOVL CX, 316 (SP) +- ADDQ $1,DX +- SHLQ $32,CX +- ADDQ CX,DX +- MOVQ DX,CX +- SHRQ $32,CX +- MOVL DX,16(SP) +- MOVL CX, 36 (SP) +- MOVQ R9,408(SP) +- MOVQ $20,DX +- MOVOA 64(SP),X0 +- MOVOA 80(SP),X1 +- MOVOA 96(SP),X2 +- MOVOA 256(SP),X3 +- MOVOA 272(SP),X4 +- MOVOA 128(SP),X5 +- MOVOA 144(SP),X6 +- MOVOA 176(SP),X7 +- MOVOA 192(SP),X8 +- MOVOA 208(SP),X9 +- MOVOA 224(SP),X10 +- MOVOA 304(SP),X11 +- MOVOA 112(SP),X12 +- MOVOA 160(SP),X13 +- MOVOA 240(SP),X14 +- MOVOA 288(SP),X15 +- MAINLOOP1: +- MOVOA X1,320(SP) +- MOVOA X2,336(SP) +- MOVOA X13,X1 +- PADDL X12,X1 +- MOVOA X1,X2 +- PSLLL $7,X1 +- PXOR X1,X14 +- PSRLL $25,X2 +- PXOR X2,X14 +- MOVOA X7,X1 +- PADDL X0,X1 +- MOVOA X1,X2 +- PSLLL $7,X1 +- PXOR X1,X11 +- PSRLL $25,X2 +- PXOR X2,X11 +- MOVOA X12,X1 +- PADDL X14,X1 +- MOVOA X1,X2 +- PSLLL $9,X1 +- PXOR X1,X15 +- PSRLL $23,X2 +- PXOR X2,X15 +- MOVOA X0,X1 +- PADDL X11,X1 +- MOVOA X1,X2 +- PSLLL $9,X1 +- PXOR X1,X9 +- PSRLL $23,X2 +- PXOR X2,X9 +- MOVOA X14,X1 +- PADDL X15,X1 +- MOVOA X1,X2 +- PSLLL $13,X1 +- PXOR X1,X13 +- PSRLL $19,X2 +- PXOR X2,X13 +- MOVOA X11,X1 +- PADDL X9,X1 +- MOVOA X1,X2 +- PSLLL $13,X1 +- PXOR X1,X7 +- PSRLL $19,X2 +- PXOR X2,X7 +- MOVOA X15,X1 +- PADDL X13,X1 +- MOVOA X1,X2 +- PSLLL $18,X1 +- PXOR X1,X12 +- PSRLL $14,X2 +- PXOR X2,X12 +- MOVOA 320(SP),X1 +- MOVOA X12,320(SP) +- MOVOA X9,X2 +- PADDL X7,X2 +- MOVOA X2,X12 +- PSLLL $18,X2 +- PXOR X2,X0 +- PSRLL $14,X12 +- PXOR X12,X0 +- MOVOA X5,X2 +- PADDL X1,X2 +- MOVOA X2,X12 +- PSLLL $7,X2 +- PXOR X2,X3 +- PSRLL $25,X12 +- PXOR X12,X3 +- MOVOA 336(SP),X2 +- MOVOA X0,336(SP) +- MOVOA X6,X0 +- PADDL X2,X0 +- MOVOA X0,X12 +- PSLLL $7,X0 +- PXOR X0,X4 +- PSRLL $25,X12 +- PXOR X12,X4 +- MOVOA X1,X0 +- PADDL X3,X0 +- MOVOA X0,X12 +- PSLLL $9,X0 +- PXOR X0,X10 +- PSRLL $23,X12 +- PXOR X12,X10 +- MOVOA X2,X0 +- PADDL X4,X0 +- MOVOA X0,X12 +- PSLLL $9,X0 +- PXOR X0,X8 +- PSRLL $23,X12 +- PXOR X12,X8 +- MOVOA X3,X0 +- PADDL X10,X0 +- MOVOA X0,X12 +- PSLLL $13,X0 +- PXOR X0,X5 +- PSRLL $19,X12 +- PXOR X12,X5 +- MOVOA X4,X0 +- PADDL X8,X0 +- MOVOA X0,X12 +- PSLLL $13,X0 +- PXOR X0,X6 +- PSRLL $19,X12 +- PXOR X12,X6 +- MOVOA X10,X0 +- PADDL X5,X0 +- MOVOA X0,X12 +- PSLLL $18,X0 +- PXOR X0,X1 +- PSRLL $14,X12 +- PXOR X12,X1 +- MOVOA 320(SP),X0 +- MOVOA X1,320(SP) +- MOVOA X4,X1 +- PADDL X0,X1 +- MOVOA X1,X12 +- PSLLL $7,X1 +- PXOR X1,X7 +- PSRLL $25,X12 +- PXOR X12,X7 +- MOVOA X8,X1 +- PADDL X6,X1 +- MOVOA X1,X12 +- PSLLL $18,X1 +- PXOR X1,X2 +- PSRLL $14,X12 +- PXOR X12,X2 +- MOVOA 336(SP),X12 +- MOVOA X2,336(SP) +- MOVOA X14,X1 +- PADDL X12,X1 +- MOVOA X1,X2 +- PSLLL $7,X1 +- PXOR X1,X5 +- PSRLL $25,X2 +- PXOR X2,X5 +- MOVOA X0,X1 +- PADDL X7,X1 +- MOVOA X1,X2 +- PSLLL $9,X1 +- PXOR X1,X10 +- PSRLL $23,X2 +- PXOR X2,X10 +- MOVOA X12,X1 +- PADDL X5,X1 +- MOVOA X1,X2 +- PSLLL $9,X1 +- PXOR X1,X8 +- PSRLL $23,X2 +- PXOR X2,X8 +- MOVOA X7,X1 +- PADDL X10,X1 +- MOVOA X1,X2 +- PSLLL $13,X1 +- PXOR X1,X4 +- PSRLL $19,X2 +- PXOR X2,X4 +- MOVOA X5,X1 +- PADDL X8,X1 +- MOVOA X1,X2 +- PSLLL $13,X1 +- PXOR X1,X14 +- PSRLL $19,X2 +- PXOR X2,X14 +- MOVOA X10,X1 +- PADDL X4,X1 +- MOVOA X1,X2 +- PSLLL $18,X1 +- PXOR X1,X0 +- PSRLL $14,X2 +- PXOR X2,X0 +- MOVOA 320(SP),X1 +- MOVOA X0,320(SP) +- MOVOA X8,X0 +- PADDL X14,X0 +- MOVOA X0,X2 +- PSLLL $18,X0 +- PXOR X0,X12 +- PSRLL $14,X2 +- PXOR X2,X12 +- MOVOA X11,X0 +- PADDL X1,X0 +- MOVOA X0,X2 +- PSLLL $7,X0 +- PXOR X0,X6 +- PSRLL $25,X2 +- PXOR X2,X6 +- MOVOA 336(SP),X2 +- MOVOA X12,336(SP) +- MOVOA X3,X0 +- PADDL X2,X0 +- MOVOA X0,X12 +- PSLLL $7,X0 +- PXOR X0,X13 +- PSRLL $25,X12 +- PXOR X12,X13 +- MOVOA X1,X0 +- PADDL X6,X0 +- MOVOA X0,X12 +- PSLLL $9,X0 +- PXOR X0,X15 +- PSRLL $23,X12 +- PXOR X12,X15 +- MOVOA X2,X0 +- PADDL X13,X0 +- MOVOA X0,X12 +- PSLLL $9,X0 +- PXOR X0,X9 +- PSRLL $23,X12 +- PXOR X12,X9 +- MOVOA X6,X0 +- PADDL X15,X0 +- MOVOA X0,X12 +- PSLLL $13,X0 +- PXOR X0,X11 +- PSRLL $19,X12 +- PXOR X12,X11 +- MOVOA X13,X0 +- PADDL X9,X0 +- MOVOA X0,X12 +- PSLLL $13,X0 +- PXOR X0,X3 +- PSRLL $19,X12 +- PXOR X12,X3 +- MOVOA X15,X0 +- PADDL X11,X0 +- MOVOA X0,X12 +- PSLLL $18,X0 +- PXOR X0,X1 +- PSRLL $14,X12 +- PXOR X12,X1 +- MOVOA X9,X0 +- PADDL X3,X0 +- MOVOA X0,X12 +- PSLLL $18,X0 +- PXOR X0,X2 +- PSRLL $14,X12 +- PXOR X12,X2 +- MOVOA 320(SP),X12 +- MOVOA 336(SP),X0 +- SUBQ $2,DX +- JA MAINLOOP1 +- PADDL 112(SP),X12 +- PADDL 176(SP),X7 +- PADDL 224(SP),X10 +- PADDL 272(SP),X4 +- MOVD X12,DX +- MOVD X7,CX +- MOVD X10,R8 +- MOVD X4,R9 +- PSHUFL $0X39,X12,X12 +- PSHUFL $0X39,X7,X7 +- PSHUFL $0X39,X10,X10 +- PSHUFL $0X39,X4,X4 +- XORL 0(SI),DX +- XORL 4(SI),CX +- XORL 8(SI),R8 +- XORL 12(SI),R9 +- MOVL DX,0(DI) +- MOVL CX,4(DI) +- MOVL R8,8(DI) +- MOVL R9,12(DI) +- MOVD X12,DX +- MOVD X7,CX +- MOVD X10,R8 +- MOVD X4,R9 +- PSHUFL $0X39,X12,X12 +- PSHUFL $0X39,X7,X7 +- PSHUFL $0X39,X10,X10 +- PSHUFL $0X39,X4,X4 +- XORL 64(SI),DX +- XORL 68(SI),CX +- XORL 72(SI),R8 +- XORL 76(SI),R9 +- MOVL DX,64(DI) +- MOVL CX,68(DI) +- MOVL R8,72(DI) +- MOVL R9,76(DI) +- MOVD X12,DX +- MOVD X7,CX +- MOVD X10,R8 +- MOVD X4,R9 +- PSHUFL $0X39,X12,X12 +- PSHUFL $0X39,X7,X7 +- PSHUFL $0X39,X10,X10 +- PSHUFL $0X39,X4,X4 +- XORL 128(SI),DX +- XORL 132(SI),CX +- XORL 136(SI),R8 +- XORL 140(SI),R9 +- MOVL DX,128(DI) +- MOVL CX,132(DI) +- MOVL R8,136(DI) +- MOVL R9,140(DI) +- MOVD X12,DX +- MOVD X7,CX +- MOVD X10,R8 +- MOVD X4,R9 +- XORL 192(SI),DX +- XORL 196(SI),CX +- XORL 200(SI),R8 +- XORL 204(SI),R9 +- MOVL DX,192(DI) +- MOVL CX,196(DI) +- MOVL R8,200(DI) +- MOVL R9,204(DI) +- PADDL 240(SP),X14 +- PADDL 64(SP),X0 +- PADDL 128(SP),X5 +- PADDL 192(SP),X8 +- MOVD X14,DX +- MOVD X0,CX +- MOVD X5,R8 +- MOVD X8,R9 +- PSHUFL $0X39,X14,X14 +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X5,X5 +- PSHUFL $0X39,X8,X8 +- XORL 16(SI),DX +- XORL 20(SI),CX +- XORL 24(SI),R8 +- XORL 28(SI),R9 +- MOVL DX,16(DI) +- MOVL CX,20(DI) +- MOVL R8,24(DI) +- MOVL R9,28(DI) +- MOVD X14,DX +- MOVD X0,CX +- MOVD X5,R8 +- MOVD X8,R9 +- PSHUFL $0X39,X14,X14 +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X5,X5 +- PSHUFL $0X39,X8,X8 +- XORL 80(SI),DX +- XORL 84(SI),CX +- XORL 88(SI),R8 +- XORL 92(SI),R9 +- MOVL DX,80(DI) +- MOVL CX,84(DI) +- MOVL R8,88(DI) +- MOVL R9,92(DI) +- MOVD X14,DX +- MOVD X0,CX +- MOVD X5,R8 +- MOVD X8,R9 +- PSHUFL $0X39,X14,X14 +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X5,X5 +- PSHUFL $0X39,X8,X8 +- XORL 144(SI),DX +- XORL 148(SI),CX +- XORL 152(SI),R8 +- XORL 156(SI),R9 +- MOVL DX,144(DI) +- MOVL CX,148(DI) +- MOVL R8,152(DI) +- MOVL R9,156(DI) +- MOVD X14,DX +- MOVD X0,CX +- MOVD X5,R8 +- MOVD X8,R9 +- XORL 208(SI),DX +- XORL 212(SI),CX +- XORL 216(SI),R8 +- XORL 220(SI),R9 +- MOVL DX,208(DI) +- MOVL CX,212(DI) +- MOVL R8,216(DI) +- MOVL R9,220(DI) +- PADDL 288(SP),X15 +- PADDL 304(SP),X11 +- PADDL 80(SP),X1 +- PADDL 144(SP),X6 +- MOVD X15,DX +- MOVD X11,CX +- MOVD X1,R8 +- MOVD X6,R9 +- PSHUFL $0X39,X15,X15 +- PSHUFL $0X39,X11,X11 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X6,X6 +- XORL 32(SI),DX +- XORL 36(SI),CX +- XORL 40(SI),R8 +- XORL 44(SI),R9 +- MOVL DX,32(DI) +- MOVL CX,36(DI) +- MOVL R8,40(DI) +- MOVL R9,44(DI) +- MOVD X15,DX +- MOVD X11,CX +- MOVD X1,R8 +- MOVD X6,R9 +- PSHUFL $0X39,X15,X15 +- PSHUFL $0X39,X11,X11 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X6,X6 +- XORL 96(SI),DX +- XORL 100(SI),CX +- XORL 104(SI),R8 +- XORL 108(SI),R9 +- MOVL DX,96(DI) +- MOVL CX,100(DI) +- MOVL R8,104(DI) +- MOVL R9,108(DI) +- MOVD X15,DX +- MOVD X11,CX +- MOVD X1,R8 +- MOVD X6,R9 +- PSHUFL $0X39,X15,X15 +- PSHUFL $0X39,X11,X11 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X6,X6 +- XORL 160(SI),DX +- XORL 164(SI),CX +- XORL 168(SI),R8 +- XORL 172(SI),R9 +- MOVL DX,160(DI) +- MOVL CX,164(DI) +- MOVL R8,168(DI) +- MOVL R9,172(DI) +- MOVD X15,DX +- MOVD X11,CX +- MOVD X1,R8 +- MOVD X6,R9 +- XORL 224(SI),DX +- XORL 228(SI),CX +- XORL 232(SI),R8 +- XORL 236(SI),R9 +- MOVL DX,224(DI) +- MOVL CX,228(DI) +- MOVL R8,232(DI) +- MOVL R9,236(DI) +- PADDL 160(SP),X13 +- PADDL 208(SP),X9 +- PADDL 256(SP),X3 +- PADDL 96(SP),X2 +- MOVD X13,DX +- MOVD X9,CX +- MOVD X3,R8 +- MOVD X2,R9 +- PSHUFL $0X39,X13,X13 +- PSHUFL $0X39,X9,X9 +- PSHUFL $0X39,X3,X3 +- PSHUFL $0X39,X2,X2 +- XORL 48(SI),DX +- XORL 52(SI),CX +- XORL 56(SI),R8 +- XORL 60(SI),R9 +- MOVL DX,48(DI) +- MOVL CX,52(DI) +- MOVL R8,56(DI) +- MOVL R9,60(DI) +- MOVD X13,DX +- MOVD X9,CX +- MOVD X3,R8 +- MOVD X2,R9 +- PSHUFL $0X39,X13,X13 +- PSHUFL $0X39,X9,X9 +- PSHUFL $0X39,X3,X3 +- PSHUFL $0X39,X2,X2 +- XORL 112(SI),DX +- XORL 116(SI),CX +- XORL 120(SI),R8 +- XORL 124(SI),R9 +- MOVL DX,112(DI) +- MOVL CX,116(DI) +- MOVL R8,120(DI) +- MOVL R9,124(DI) +- MOVD X13,DX +- MOVD X9,CX +- MOVD X3,R8 +- MOVD X2,R9 +- PSHUFL $0X39,X13,X13 +- PSHUFL $0X39,X9,X9 +- PSHUFL $0X39,X3,X3 +- PSHUFL $0X39,X2,X2 +- XORL 176(SI),DX +- XORL 180(SI),CX +- XORL 184(SI),R8 +- XORL 188(SI),R9 +- MOVL DX,176(DI) +- MOVL CX,180(DI) +- MOVL R8,184(DI) +- MOVL R9,188(DI) +- MOVD X13,DX +- MOVD X9,CX +- MOVD X3,R8 +- MOVD X2,R9 +- XORL 240(SI),DX +- XORL 244(SI),CX +- XORL 248(SI),R8 +- XORL 252(SI),R9 +- MOVL DX,240(DI) +- MOVL CX,244(DI) +- MOVL R8,248(DI) +- MOVL R9,252(DI) +- MOVQ 408(SP),R9 +- SUBQ $256,R9 +- ADDQ $256,SI +- ADDQ $256,DI +- CMPQ R9,$256 +- JAE BYTESATLEAST256 +- CMPQ R9,$0 +- JBE DONE +- BYTESBETWEEN1AND255: +- CMPQ R9,$64 +- JAE NOCOPY +- MOVQ DI,DX +- LEAQ 416(SP),DI +- MOVQ R9,CX +- REP; MOVSB +- LEAQ 416(SP),DI +- LEAQ 416(SP),SI +- NOCOPY: +- MOVQ R9,408(SP) +- MOVOA 48(SP),X0 +- MOVOA 0(SP),X1 +- MOVOA 16(SP),X2 +- MOVOA 32(SP),X3 +- MOVOA X1,X4 +- MOVQ $20,CX +- MAINLOOP2: +- PADDL X0,X4 +- MOVOA X0,X5 +- MOVOA X4,X6 +- PSLLL $7,X4 +- PSRLL $25,X6 +- PXOR X4,X3 +- PXOR X6,X3 +- PADDL X3,X5 +- MOVOA X3,X4 +- MOVOA X5,X6 +- PSLLL $9,X5 +- PSRLL $23,X6 +- PXOR X5,X2 +- PSHUFL $0X93,X3,X3 +- PXOR X6,X2 +- PADDL X2,X4 +- MOVOA X2,X5 +- MOVOA X4,X6 +- PSLLL $13,X4 +- PSRLL $19,X6 +- PXOR X4,X1 +- PSHUFL $0X4E,X2,X2 +- PXOR X6,X1 +- PADDL X1,X5 +- MOVOA X3,X4 +- MOVOA X5,X6 +- PSLLL $18,X5 +- PSRLL $14,X6 +- PXOR X5,X0 +- PSHUFL $0X39,X1,X1 +- PXOR X6,X0 +- PADDL X0,X4 +- MOVOA X0,X5 +- MOVOA X4,X6 +- PSLLL $7,X4 +- PSRLL $25,X6 +- PXOR X4,X1 +- PXOR X6,X1 +- PADDL X1,X5 +- MOVOA X1,X4 +- MOVOA X5,X6 +- PSLLL $9,X5 +- PSRLL $23,X6 +- PXOR X5,X2 +- PSHUFL $0X93,X1,X1 +- PXOR X6,X2 +- PADDL X2,X4 +- MOVOA X2,X5 +- MOVOA X4,X6 +- PSLLL $13,X4 +- PSRLL $19,X6 +- PXOR X4,X3 +- PSHUFL $0X4E,X2,X2 +- PXOR X6,X3 +- PADDL X3,X5 +- MOVOA X1,X4 +- MOVOA X5,X6 +- PSLLL $18,X5 +- PSRLL $14,X6 +- PXOR X5,X0 +- PSHUFL $0X39,X3,X3 +- PXOR X6,X0 +- PADDL X0,X4 +- MOVOA X0,X5 +- MOVOA X4,X6 +- PSLLL $7,X4 +- PSRLL $25,X6 +- PXOR X4,X3 +- PXOR X6,X3 +- PADDL X3,X5 +- MOVOA X3,X4 +- MOVOA X5,X6 +- PSLLL $9,X5 +- PSRLL $23,X6 +- PXOR X5,X2 +- PSHUFL $0X93,X3,X3 +- PXOR X6,X2 +- PADDL X2,X4 +- MOVOA X2,X5 +- MOVOA X4,X6 +- PSLLL $13,X4 +- PSRLL $19,X6 +- PXOR X4,X1 +- PSHUFL $0X4E,X2,X2 +- PXOR X6,X1 +- PADDL X1,X5 +- MOVOA X3,X4 +- MOVOA X5,X6 +- PSLLL $18,X5 +- PSRLL $14,X6 +- PXOR X5,X0 +- PSHUFL $0X39,X1,X1 +- PXOR X6,X0 +- PADDL X0,X4 +- MOVOA X0,X5 +- MOVOA X4,X6 +- PSLLL $7,X4 +- PSRLL $25,X6 +- PXOR X4,X1 +- PXOR X6,X1 +- PADDL X1,X5 +- MOVOA X1,X4 +- MOVOA X5,X6 +- PSLLL $9,X5 +- PSRLL $23,X6 +- PXOR X5,X2 +- PSHUFL $0X93,X1,X1 +- PXOR X6,X2 +- PADDL X2,X4 +- MOVOA X2,X5 +- MOVOA X4,X6 +- PSLLL $13,X4 +- PSRLL $19,X6 +- PXOR X4,X3 +- PSHUFL $0X4E,X2,X2 +- PXOR X6,X3 +- SUBQ $4,CX +- PADDL X3,X5 +- MOVOA X1,X4 +- MOVOA X5,X6 +- PSLLL $18,X5 +- PXOR X7,X7 +- PSRLL $14,X6 +- PXOR X5,X0 +- PSHUFL $0X39,X3,X3 +- PXOR X6,X0 +- JA MAINLOOP2 +- PADDL 48(SP),X0 +- PADDL 0(SP),X1 +- PADDL 16(SP),X2 +- PADDL 32(SP),X3 +- MOVD X0,CX +- MOVD X1,R8 +- MOVD X2,R9 +- MOVD X3,AX +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X2,X2 +- PSHUFL $0X39,X3,X3 +- XORL 0(SI),CX +- XORL 48(SI),R8 +- XORL 32(SI),R9 +- XORL 16(SI),AX +- MOVL CX,0(DI) +- MOVL R8,48(DI) +- MOVL R9,32(DI) +- MOVL AX,16(DI) +- MOVD X0,CX +- MOVD X1,R8 +- MOVD X2,R9 +- MOVD X3,AX +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X2,X2 +- PSHUFL $0X39,X3,X3 +- XORL 20(SI),CX +- XORL 4(SI),R8 +- XORL 52(SI),R9 +- XORL 36(SI),AX +- MOVL CX,20(DI) +- MOVL R8,4(DI) +- MOVL R9,52(DI) +- MOVL AX,36(DI) +- MOVD X0,CX +- MOVD X1,R8 +- MOVD X2,R9 +- MOVD X3,AX +- PSHUFL $0X39,X0,X0 +- PSHUFL $0X39,X1,X1 +- PSHUFL $0X39,X2,X2 +- PSHUFL $0X39,X3,X3 +- XORL 40(SI),CX +- XORL 24(SI),R8 +- XORL 8(SI),R9 +- XORL 56(SI),AX +- MOVL CX,40(DI) +- MOVL R8,24(DI) +- MOVL R9,8(DI) +- MOVL AX,56(DI) +- MOVD X0,CX +- MOVD X1,R8 +- MOVD X2,R9 +- MOVD X3,AX +- XORL 60(SI),CX +- XORL 44(SI),R8 +- XORL 28(SI),R9 +- XORL 12(SI),AX +- MOVL CX,60(DI) +- MOVL R8,44(DI) +- MOVL R9,28(DI) +- MOVL AX,12(DI) +- MOVQ 408(SP),R9 +- MOVL 16(SP),CX +- MOVL 36 (SP),R8 +- ADDQ $1,CX +- SHLQ $32,R8 +- ADDQ R8,CX +- MOVQ CX,R8 +- SHRQ $32,R8 +- MOVL CX,16(SP) +- MOVL R8, 36 (SP) +- CMPQ R9,$64 +- JA BYTESATLEAST65 +- JAE BYTESATLEAST64 +- MOVQ DI,SI +- MOVQ DX,DI +- MOVQ R9,CX +- REP; MOVSB +- BYTESATLEAST64: +- DONE: +- MOVQ 352(SP),R11 +- MOVQ 360(SP),R12 +- MOVQ 368(SP),R13 +- MOVQ 376(SP),R14 +- MOVQ 384(SP),R15 +- MOVQ 392(SP),BX +- MOVQ 400(SP),BP +- MOVQ R11,SP +- RET +- BYTESATLEAST65: +- SUBQ $64,R9 +- ADDQ $64,DI +- ADDQ $64,SI +- JMP BYTESBETWEEN1AND255 +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.s +=================================================================== +--- /dev/null ++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.s +@@ -0,0 +1,896 @@ ++// Copyright 2012 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build amd64,!appengine,!gccgo ++ ++// This code was translated into a form compatible with 6a from the public ++// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html ++ ++// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte) ++TEXT ·salsa2020XORKeyStream(SB),0,$512-40 ++ MOVQ out+0(FP),DI ++ MOVQ in+8(FP),SI ++ MOVQ n+16(FP),DX ++ MOVQ nonce+24(FP),CX ++ MOVQ key+32(FP),R8 ++ ++ MOVQ SP,R11 ++ MOVQ $31,R9 ++ NOTQ R9 ++ ANDQ R9,SP ++ ADDQ $32,SP ++ ++ MOVQ R11,352(SP) ++ MOVQ R12,360(SP) ++ MOVQ R13,368(SP) ++ MOVQ R14,376(SP) ++ MOVQ R15,384(SP) ++ MOVQ BX,392(SP) ++ MOVQ BP,400(SP) ++ MOVQ DX,R9 ++ MOVQ CX,DX ++ MOVQ R8,R10 ++ CMPQ R9,$0 ++ JBE DONE ++ START: ++ MOVL 20(R10),CX ++ MOVL 0(R10),R8 ++ MOVL 0(DX),AX ++ MOVL 16(R10),R11 ++ MOVL CX,0(SP) ++ MOVL R8, 4 (SP) ++ MOVL AX, 8 (SP) ++ MOVL R11, 12 (SP) ++ MOVL 8(DX),CX ++ MOVL 24(R10),R8 ++ MOVL 4(R10),AX ++ MOVL 4(DX),R11 ++ MOVL CX,16(SP) ++ MOVL R8, 20 (SP) ++ MOVL AX, 24 (SP) ++ MOVL R11, 28 (SP) ++ MOVL 12(DX),CX ++ MOVL 12(R10),DX ++ MOVL 28(R10),R8 ++ MOVL 8(R10),AX ++ MOVL DX,32(SP) ++ MOVL CX, 36 (SP) ++ MOVL R8, 40 (SP) ++ MOVL AX, 44 (SP) ++ MOVQ $1634760805,DX ++ MOVQ $857760878,CX ++ MOVQ $2036477234,R8 ++ MOVQ $1797285236,AX ++ MOVL DX,48(SP) ++ MOVL CX, 52 (SP) ++ MOVL R8, 56 (SP) ++ MOVL AX, 60 (SP) ++ CMPQ R9,$256 ++ JB BYTESBETWEEN1AND255 ++ MOVOA 48(SP),X0 ++ PSHUFL $0X55,X0,X1 ++ PSHUFL $0XAA,X0,X2 ++ PSHUFL $0XFF,X0,X3 ++ PSHUFL $0X00,X0,X0 ++ MOVOA X1,64(SP) ++ MOVOA X2,80(SP) ++ MOVOA X3,96(SP) ++ MOVOA X0,112(SP) ++ MOVOA 0(SP),X0 ++ PSHUFL $0XAA,X0,X1 ++ PSHUFL $0XFF,X0,X2 ++ PSHUFL $0X00,X0,X3 ++ PSHUFL $0X55,X0,X0 ++ MOVOA X1,128(SP) ++ MOVOA X2,144(SP) ++ MOVOA X3,160(SP) ++ MOVOA X0,176(SP) ++ MOVOA 16(SP),X0 ++ PSHUFL $0XFF,X0,X1 ++ PSHUFL $0X55,X0,X2 ++ PSHUFL $0XAA,X0,X0 ++ MOVOA X1,192(SP) ++ MOVOA X2,208(SP) ++ MOVOA X0,224(SP) ++ MOVOA 32(SP),X0 ++ PSHUFL $0X00,X0,X1 ++ PSHUFL $0XAA,X0,X2 ++ PSHUFL $0XFF,X0,X0 ++ MOVOA X1,240(SP) ++ MOVOA X2,256(SP) ++ MOVOA X0,272(SP) ++ BYTESATLEAST256: ++ MOVL 16(SP),DX ++ MOVL 36 (SP),CX ++ MOVL DX,288(SP) ++ MOVL CX,304(SP) ++ SHLQ $32,CX ++ ADDQ CX,DX ++ ADDQ $1,DX ++ MOVQ DX,CX ++ SHRQ $32,CX ++ MOVL DX, 292 (SP) ++ MOVL CX, 308 (SP) ++ ADDQ $1,DX ++ MOVQ DX,CX ++ SHRQ $32,CX ++ MOVL DX, 296 (SP) ++ MOVL CX, 312 (SP) ++ ADDQ $1,DX ++ MOVQ DX,CX ++ SHRQ $32,CX ++ MOVL DX, 300 (SP) ++ MOVL CX, 316 (SP) ++ ADDQ $1,DX ++ MOVQ DX,CX ++ SHRQ $32,CX ++ MOVL DX,16(SP) ++ MOVL CX, 36 (SP) ++ MOVQ R9,408(SP) ++ MOVQ $20,DX ++ MOVOA 64(SP),X0 ++ MOVOA 80(SP),X1 ++ MOVOA 96(SP),X2 ++ MOVOA 256(SP),X3 ++ MOVOA 272(SP),X4 ++ MOVOA 128(SP),X5 ++ MOVOA 144(SP),X6 ++ MOVOA 176(SP),X7 ++ MOVOA 192(SP),X8 ++ MOVOA 208(SP),X9 ++ MOVOA 224(SP),X10 ++ MOVOA 304(SP),X11 ++ MOVOA 112(SP),X12 ++ MOVOA 160(SP),X13 ++ MOVOA 240(SP),X14 ++ MOVOA 288(SP),X15 ++ MAINLOOP1: ++ MOVOA X1,320(SP) ++ MOVOA X2,336(SP) ++ MOVOA X13,X1 ++ PADDL X12,X1 ++ MOVOA X1,X2 ++ PSLLL $7,X1 ++ PXOR X1,X14 ++ PSRLL $25,X2 ++ PXOR X2,X14 ++ MOVOA X7,X1 ++ PADDL X0,X1 ++ MOVOA X1,X2 ++ PSLLL $7,X1 ++ PXOR X1,X11 ++ PSRLL $25,X2 ++ PXOR X2,X11 ++ MOVOA X12,X1 ++ PADDL X14,X1 ++ MOVOA X1,X2 ++ PSLLL $9,X1 ++ PXOR X1,X15 ++ PSRLL $23,X2 ++ PXOR X2,X15 ++ MOVOA X0,X1 ++ PADDL X11,X1 ++ MOVOA X1,X2 ++ PSLLL $9,X1 ++ PXOR X1,X9 ++ PSRLL $23,X2 ++ PXOR X2,X9 ++ MOVOA X14,X1 ++ PADDL X15,X1 ++ MOVOA X1,X2 ++ PSLLL $13,X1 ++ PXOR X1,X13 ++ PSRLL $19,X2 ++ PXOR X2,X13 ++ MOVOA X11,X1 ++ PADDL X9,X1 ++ MOVOA X1,X2 ++ PSLLL $13,X1 ++ PXOR X1,X7 ++ PSRLL $19,X2 ++ PXOR X2,X7 ++ MOVOA X15,X1 ++ PADDL X13,X1 ++ MOVOA X1,X2 ++ PSLLL $18,X1 ++ PXOR X1,X12 ++ PSRLL $14,X2 ++ PXOR X2,X12 ++ MOVOA 320(SP),X1 ++ MOVOA X12,320(SP) ++ MOVOA X9,X2 ++ PADDL X7,X2 ++ MOVOA X2,X12 ++ PSLLL $18,X2 ++ PXOR X2,X0 ++ PSRLL $14,X12 ++ PXOR X12,X0 ++ MOVOA X5,X2 ++ PADDL X1,X2 ++ MOVOA X2,X12 ++ PSLLL $7,X2 ++ PXOR X2,X3 ++ PSRLL $25,X12 ++ PXOR X12,X3 ++ MOVOA 336(SP),X2 ++ MOVOA X0,336(SP) ++ MOVOA X6,X0 ++ PADDL X2,X0 ++ MOVOA X0,X12 ++ PSLLL $7,X0 ++ PXOR X0,X4 ++ PSRLL $25,X12 ++ PXOR X12,X4 ++ MOVOA X1,X0 ++ PADDL X3,X0 ++ MOVOA X0,X12 ++ PSLLL $9,X0 ++ PXOR X0,X10 ++ PSRLL $23,X12 ++ PXOR X12,X10 ++ MOVOA X2,X0 ++ PADDL X4,X0 ++ MOVOA X0,X12 ++ PSLLL $9,X0 ++ PXOR X0,X8 ++ PSRLL $23,X12 ++ PXOR X12,X8 ++ MOVOA X3,X0 ++ PADDL X10,X0 ++ MOVOA X0,X12 ++ PSLLL $13,X0 ++ PXOR X0,X5 ++ PSRLL $19,X12 ++ PXOR X12,X5 ++ MOVOA X4,X0 ++ PADDL X8,X0 ++ MOVOA X0,X12 ++ PSLLL $13,X0 ++ PXOR X0,X6 ++ PSRLL $19,X12 ++ PXOR X12,X6 ++ MOVOA X10,X0 ++ PADDL X5,X0 ++ MOVOA X0,X12 ++ PSLLL $18,X0 ++ PXOR X0,X1 ++ PSRLL $14,X12 ++ PXOR X12,X1 ++ MOVOA 320(SP),X0 ++ MOVOA X1,320(SP) ++ MOVOA X4,X1 ++ PADDL X0,X1 ++ MOVOA X1,X12 ++ PSLLL $7,X1 ++ PXOR X1,X7 ++ PSRLL $25,X12 ++ PXOR X12,X7 ++ MOVOA X8,X1 ++ PADDL X6,X1 ++ MOVOA X1,X12 ++ PSLLL $18,X1 ++ PXOR X1,X2 ++ PSRLL $14,X12 ++ PXOR X12,X2 ++ MOVOA 336(SP),X12 ++ MOVOA X2,336(SP) ++ MOVOA X14,X1 ++ PADDL X12,X1 ++ MOVOA X1,X2 ++ PSLLL $7,X1 ++ PXOR X1,X5 ++ PSRLL $25,X2 ++ PXOR X2,X5 ++ MOVOA X0,X1 ++ PADDL X7,X1 ++ MOVOA X1,X2 ++ PSLLL $9,X1 ++ PXOR X1,X10 ++ PSRLL $23,X2 ++ PXOR X2,X10 ++ MOVOA X12,X1 ++ PADDL X5,X1 ++ MOVOA X1,X2 ++ PSLLL $9,X1 ++ PXOR X1,X8 ++ PSRLL $23,X2 ++ PXOR X2,X8 ++ MOVOA X7,X1 ++ PADDL X10,X1 ++ MOVOA X1,X2 ++ PSLLL $13,X1 ++ PXOR X1,X4 ++ PSRLL $19,X2 ++ PXOR X2,X4 ++ MOVOA X5,X1 ++ PADDL X8,X1 ++ MOVOA X1,X2 ++ PSLLL $13,X1 ++ PXOR X1,X14 ++ PSRLL $19,X2 ++ PXOR X2,X14 ++ MOVOA X10,X1 ++ PADDL X4,X1 ++ MOVOA X1,X2 ++ PSLLL $18,X1 ++ PXOR X1,X0 ++ PSRLL $14,X2 ++ PXOR X2,X0 ++ MOVOA 320(SP),X1 ++ MOVOA X0,320(SP) ++ MOVOA X8,X0 ++ PADDL X14,X0 ++ MOVOA X0,X2 ++ PSLLL $18,X0 ++ PXOR X0,X12 ++ PSRLL $14,X2 ++ PXOR X2,X12 ++ MOVOA X11,X0 ++ PADDL X1,X0 ++ MOVOA X0,X2 ++ PSLLL $7,X0 ++ PXOR X0,X6 ++ PSRLL $25,X2 ++ PXOR X2,X6 ++ MOVOA 336(SP),X2 ++ MOVOA X12,336(SP) ++ MOVOA X3,X0 ++ PADDL X2,X0 ++ MOVOA X0,X12 ++ PSLLL $7,X0 ++ PXOR X0,X13 ++ PSRLL $25,X12 ++ PXOR X12,X13 ++ MOVOA X1,X0 ++ PADDL X6,X0 ++ MOVOA X0,X12 ++ PSLLL $9,X0 ++ PXOR X0,X15 ++ PSRLL $23,X12 ++ PXOR X12,X15 ++ MOVOA X2,X0 ++ PADDL X13,X0 ++ MOVOA X0,X12 ++ PSLLL $9,X0 ++ PXOR X0,X9 ++ PSRLL $23,X12 ++ PXOR X12,X9 ++ MOVOA X6,X0 ++ PADDL X15,X0 ++ MOVOA X0,X12 ++ PSLLL $13,X0 ++ PXOR X0,X11 ++ PSRLL $19,X12 ++ PXOR X12,X11 ++ MOVOA X13,X0 ++ PADDL X9,X0 ++ MOVOA X0,X12 ++ PSLLL $13,X0 ++ PXOR X0,X3 ++ PSRLL $19,X12 ++ PXOR X12,X3 ++ MOVOA X15,X0 ++ PADDL X11,X0 ++ MOVOA X0,X12 ++ PSLLL $18,X0 ++ PXOR X0,X1 ++ PSRLL $14,X12 ++ PXOR X12,X1 ++ MOVOA X9,X0 ++ PADDL X3,X0 ++ MOVOA X0,X12 ++ PSLLL $18,X0 ++ PXOR X0,X2 ++ PSRLL $14,X12 ++ PXOR X12,X2 ++ MOVOA 320(SP),X12 ++ MOVOA 336(SP),X0 ++ SUBQ $2,DX ++ JA MAINLOOP1 ++ PADDL 112(SP),X12 ++ PADDL 176(SP),X7 ++ PADDL 224(SP),X10 ++ PADDL 272(SP),X4 ++ MOVD X12,DX ++ MOVD X7,CX ++ MOVD X10,R8 ++ MOVD X4,R9 ++ PSHUFL $0X39,X12,X12 ++ PSHUFL $0X39,X7,X7 ++ PSHUFL $0X39,X10,X10 ++ PSHUFL $0X39,X4,X4 ++ XORL 0(SI),DX ++ XORL 4(SI),CX ++ XORL 8(SI),R8 ++ XORL 12(SI),R9 ++ MOVL DX,0(DI) ++ MOVL CX,4(DI) ++ MOVL R8,8(DI) ++ MOVL R9,12(DI) ++ MOVD X12,DX ++ MOVD X7,CX ++ MOVD X10,R8 ++ MOVD X4,R9 ++ PSHUFL $0X39,X12,X12 ++ PSHUFL $0X39,X7,X7 ++ PSHUFL $0X39,X10,X10 ++ PSHUFL $0X39,X4,X4 ++ XORL 64(SI),DX ++ XORL 68(SI),CX ++ XORL 72(SI),R8 ++ XORL 76(SI),R9 ++ MOVL DX,64(DI) ++ MOVL CX,68(DI) ++ MOVL R8,72(DI) ++ MOVL R9,76(DI) ++ MOVD X12,DX ++ MOVD X7,CX ++ MOVD X10,R8 ++ MOVD X4,R9 ++ PSHUFL $0X39,X12,X12 ++ PSHUFL $0X39,X7,X7 ++ PSHUFL $0X39,X10,X10 ++ PSHUFL $0X39,X4,X4 ++ XORL 128(SI),DX ++ XORL 132(SI),CX ++ XORL 136(SI),R8 ++ XORL 140(SI),R9 ++ MOVL DX,128(DI) ++ MOVL CX,132(DI) ++ MOVL R8,136(DI) ++ MOVL R9,140(DI) ++ MOVD X12,DX ++ MOVD X7,CX ++ MOVD X10,R8 ++ MOVD X4,R9 ++ XORL 192(SI),DX ++ XORL 196(SI),CX ++ XORL 200(SI),R8 ++ XORL 204(SI),R9 ++ MOVL DX,192(DI) ++ MOVL CX,196(DI) ++ MOVL R8,200(DI) ++ MOVL R9,204(DI) ++ PADDL 240(SP),X14 ++ PADDL 64(SP),X0 ++ PADDL 128(SP),X5 ++ PADDL 192(SP),X8 ++ MOVD X14,DX ++ MOVD X0,CX ++ MOVD X5,R8 ++ MOVD X8,R9 ++ PSHUFL $0X39,X14,X14 ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X5,X5 ++ PSHUFL $0X39,X8,X8 ++ XORL 16(SI),DX ++ XORL 20(SI),CX ++ XORL 24(SI),R8 ++ XORL 28(SI),R9 ++ MOVL DX,16(DI) ++ MOVL CX,20(DI) ++ MOVL R8,24(DI) ++ MOVL R9,28(DI) ++ MOVD X14,DX ++ MOVD X0,CX ++ MOVD X5,R8 ++ MOVD X8,R9 ++ PSHUFL $0X39,X14,X14 ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X5,X5 ++ PSHUFL $0X39,X8,X8 ++ XORL 80(SI),DX ++ XORL 84(SI),CX ++ XORL 88(SI),R8 ++ XORL 92(SI),R9 ++ MOVL DX,80(DI) ++ MOVL CX,84(DI) ++ MOVL R8,88(DI) ++ MOVL R9,92(DI) ++ MOVD X14,DX ++ MOVD X0,CX ++ MOVD X5,R8 ++ MOVD X8,R9 ++ PSHUFL $0X39,X14,X14 ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X5,X5 ++ PSHUFL $0X39,X8,X8 ++ XORL 144(SI),DX ++ XORL 148(SI),CX ++ XORL 152(SI),R8 ++ XORL 156(SI),R9 ++ MOVL DX,144(DI) ++ MOVL CX,148(DI) ++ MOVL R8,152(DI) ++ MOVL R9,156(DI) ++ MOVD X14,DX ++ MOVD X0,CX ++ MOVD X5,R8 ++ MOVD X8,R9 ++ XORL 208(SI),DX ++ XORL 212(SI),CX ++ XORL 216(SI),R8 ++ XORL 220(SI),R9 ++ MOVL DX,208(DI) ++ MOVL CX,212(DI) ++ MOVL R8,216(DI) ++ MOVL R9,220(DI) ++ PADDL 288(SP),X15 ++ PADDL 304(SP),X11 ++ PADDL 80(SP),X1 ++ PADDL 144(SP),X6 ++ MOVD X15,DX ++ MOVD X11,CX ++ MOVD X1,R8 ++ MOVD X6,R9 ++ PSHUFL $0X39,X15,X15 ++ PSHUFL $0X39,X11,X11 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X6,X6 ++ XORL 32(SI),DX ++ XORL 36(SI),CX ++ XORL 40(SI),R8 ++ XORL 44(SI),R9 ++ MOVL DX,32(DI) ++ MOVL CX,36(DI) ++ MOVL R8,40(DI) ++ MOVL R9,44(DI) ++ MOVD X15,DX ++ MOVD X11,CX ++ MOVD X1,R8 ++ MOVD X6,R9 ++ PSHUFL $0X39,X15,X15 ++ PSHUFL $0X39,X11,X11 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X6,X6 ++ XORL 96(SI),DX ++ XORL 100(SI),CX ++ XORL 104(SI),R8 ++ XORL 108(SI),R9 ++ MOVL DX,96(DI) ++ MOVL CX,100(DI) ++ MOVL R8,104(DI) ++ MOVL R9,108(DI) ++ MOVD X15,DX ++ MOVD X11,CX ++ MOVD X1,R8 ++ MOVD X6,R9 ++ PSHUFL $0X39,X15,X15 ++ PSHUFL $0X39,X11,X11 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X6,X6 ++ XORL 160(SI),DX ++ XORL 164(SI),CX ++ XORL 168(SI),R8 ++ XORL 172(SI),R9 ++ MOVL DX,160(DI) ++ MOVL CX,164(DI) ++ MOVL R8,168(DI) ++ MOVL R9,172(DI) ++ MOVD X15,DX ++ MOVD X11,CX ++ MOVD X1,R8 ++ MOVD X6,R9 ++ XORL 224(SI),DX ++ XORL 228(SI),CX ++ XORL 232(SI),R8 ++ XORL 236(SI),R9 ++ MOVL DX,224(DI) ++ MOVL CX,228(DI) ++ MOVL R8,232(DI) ++ MOVL R9,236(DI) ++ PADDL 160(SP),X13 ++ PADDL 208(SP),X9 ++ PADDL 256(SP),X3 ++ PADDL 96(SP),X2 ++ MOVD X13,DX ++ MOVD X9,CX ++ MOVD X3,R8 ++ MOVD X2,R9 ++ PSHUFL $0X39,X13,X13 ++ PSHUFL $0X39,X9,X9 ++ PSHUFL $0X39,X3,X3 ++ PSHUFL $0X39,X2,X2 ++ XORL 48(SI),DX ++ XORL 52(SI),CX ++ XORL 56(SI),R8 ++ XORL 60(SI),R9 ++ MOVL DX,48(DI) ++ MOVL CX,52(DI) ++ MOVL R8,56(DI) ++ MOVL R9,60(DI) ++ MOVD X13,DX ++ MOVD X9,CX ++ MOVD X3,R8 ++ MOVD X2,R9 ++ PSHUFL $0X39,X13,X13 ++ PSHUFL $0X39,X9,X9 ++ PSHUFL $0X39,X3,X3 ++ PSHUFL $0X39,X2,X2 ++ XORL 112(SI),DX ++ XORL 116(SI),CX ++ XORL 120(SI),R8 ++ XORL 124(SI),R9 ++ MOVL DX,112(DI) ++ MOVL CX,116(DI) ++ MOVL R8,120(DI) ++ MOVL R9,124(DI) ++ MOVD X13,DX ++ MOVD X9,CX ++ MOVD X3,R8 ++ MOVD X2,R9 ++ PSHUFL $0X39,X13,X13 ++ PSHUFL $0X39,X9,X9 ++ PSHUFL $0X39,X3,X3 ++ PSHUFL $0X39,X2,X2 ++ XORL 176(SI),DX ++ XORL 180(SI),CX ++ XORL 184(SI),R8 ++ XORL 188(SI),R9 ++ MOVL DX,176(DI) ++ MOVL CX,180(DI) ++ MOVL R8,184(DI) ++ MOVL R9,188(DI) ++ MOVD X13,DX ++ MOVD X9,CX ++ MOVD X3,R8 ++ MOVD X2,R9 ++ XORL 240(SI),DX ++ XORL 244(SI),CX ++ XORL 248(SI),R8 ++ XORL 252(SI),R9 ++ MOVL DX,240(DI) ++ MOVL CX,244(DI) ++ MOVL R8,248(DI) ++ MOVL R9,252(DI) ++ MOVQ 408(SP),R9 ++ SUBQ $256,R9 ++ ADDQ $256,SI ++ ADDQ $256,DI ++ CMPQ R9,$256 ++ JAE BYTESATLEAST256 ++ CMPQ R9,$0 ++ JBE DONE ++ BYTESBETWEEN1AND255: ++ CMPQ R9,$64 ++ JAE NOCOPY ++ MOVQ DI,DX ++ LEAQ 416(SP),DI ++ MOVQ R9,CX ++ REP; MOVSB ++ LEAQ 416(SP),DI ++ LEAQ 416(SP),SI ++ NOCOPY: ++ MOVQ R9,408(SP) ++ MOVOA 48(SP),X0 ++ MOVOA 0(SP),X1 ++ MOVOA 16(SP),X2 ++ MOVOA 32(SP),X3 ++ MOVOA X1,X4 ++ MOVQ $20,CX ++ MAINLOOP2: ++ PADDL X0,X4 ++ MOVOA X0,X5 ++ MOVOA X4,X6 ++ PSLLL $7,X4 ++ PSRLL $25,X6 ++ PXOR X4,X3 ++ PXOR X6,X3 ++ PADDL X3,X5 ++ MOVOA X3,X4 ++ MOVOA X5,X6 ++ PSLLL $9,X5 ++ PSRLL $23,X6 ++ PXOR X5,X2 ++ PSHUFL $0X93,X3,X3 ++ PXOR X6,X2 ++ PADDL X2,X4 ++ MOVOA X2,X5 ++ MOVOA X4,X6 ++ PSLLL $13,X4 ++ PSRLL $19,X6 ++ PXOR X4,X1 ++ PSHUFL $0X4E,X2,X2 ++ PXOR X6,X1 ++ PADDL X1,X5 ++ MOVOA X3,X4 ++ MOVOA X5,X6 ++ PSLLL $18,X5 ++ PSRLL $14,X6 ++ PXOR X5,X0 ++ PSHUFL $0X39,X1,X1 ++ PXOR X6,X0 ++ PADDL X0,X4 ++ MOVOA X0,X5 ++ MOVOA X4,X6 ++ PSLLL $7,X4 ++ PSRLL $25,X6 ++ PXOR X4,X1 ++ PXOR X6,X1 ++ PADDL X1,X5 ++ MOVOA X1,X4 ++ MOVOA X5,X6 ++ PSLLL $9,X5 ++ PSRLL $23,X6 ++ PXOR X5,X2 ++ PSHUFL $0X93,X1,X1 ++ PXOR X6,X2 ++ PADDL X2,X4 ++ MOVOA X2,X5 ++ MOVOA X4,X6 ++ PSLLL $13,X4 ++ PSRLL $19,X6 ++ PXOR X4,X3 ++ PSHUFL $0X4E,X2,X2 ++ PXOR X6,X3 ++ PADDL X3,X5 ++ MOVOA X1,X4 ++ MOVOA X5,X6 ++ PSLLL $18,X5 ++ PSRLL $14,X6 ++ PXOR X5,X0 ++ PSHUFL $0X39,X3,X3 ++ PXOR X6,X0 ++ PADDL X0,X4 ++ MOVOA X0,X5 ++ MOVOA X4,X6 ++ PSLLL $7,X4 ++ PSRLL $25,X6 ++ PXOR X4,X3 ++ PXOR X6,X3 ++ PADDL X3,X5 ++ MOVOA X3,X4 ++ MOVOA X5,X6 ++ PSLLL $9,X5 ++ PSRLL $23,X6 ++ PXOR X5,X2 ++ PSHUFL $0X93,X3,X3 ++ PXOR X6,X2 ++ PADDL X2,X4 ++ MOVOA X2,X5 ++ MOVOA X4,X6 ++ PSLLL $13,X4 ++ PSRLL $19,X6 ++ PXOR X4,X1 ++ PSHUFL $0X4E,X2,X2 ++ PXOR X6,X1 ++ PADDL X1,X5 ++ MOVOA X3,X4 ++ MOVOA X5,X6 ++ PSLLL $18,X5 ++ PSRLL $14,X6 ++ PXOR X5,X0 ++ PSHUFL $0X39,X1,X1 ++ PXOR X6,X0 ++ PADDL X0,X4 ++ MOVOA X0,X5 ++ MOVOA X4,X6 ++ PSLLL $7,X4 ++ PSRLL $25,X6 ++ PXOR X4,X1 ++ PXOR X6,X1 ++ PADDL X1,X5 ++ MOVOA X1,X4 ++ MOVOA X5,X6 ++ PSLLL $9,X5 ++ PSRLL $23,X6 ++ PXOR X5,X2 ++ PSHUFL $0X93,X1,X1 ++ PXOR X6,X2 ++ PADDL X2,X4 ++ MOVOA X2,X5 ++ MOVOA X4,X6 ++ PSLLL $13,X4 ++ PSRLL $19,X6 ++ PXOR X4,X3 ++ PSHUFL $0X4E,X2,X2 ++ PXOR X6,X3 ++ SUBQ $4,CX ++ PADDL X3,X5 ++ MOVOA X1,X4 ++ MOVOA X5,X6 ++ PSLLL $18,X5 ++ PXOR X7,X7 ++ PSRLL $14,X6 ++ PXOR X5,X0 ++ PSHUFL $0X39,X3,X3 ++ PXOR X6,X0 ++ JA MAINLOOP2 ++ PADDL 48(SP),X0 ++ PADDL 0(SP),X1 ++ PADDL 16(SP),X2 ++ PADDL 32(SP),X3 ++ MOVD X0,CX ++ MOVD X1,R8 ++ MOVD X2,R9 ++ MOVD X3,AX ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X2,X2 ++ PSHUFL $0X39,X3,X3 ++ XORL 0(SI),CX ++ XORL 48(SI),R8 ++ XORL 32(SI),R9 ++ XORL 16(SI),AX ++ MOVL CX,0(DI) ++ MOVL R8,48(DI) ++ MOVL R9,32(DI) ++ MOVL AX,16(DI) ++ MOVD X0,CX ++ MOVD X1,R8 ++ MOVD X2,R9 ++ MOVD X3,AX ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X2,X2 ++ PSHUFL $0X39,X3,X3 ++ XORL 20(SI),CX ++ XORL 4(SI),R8 ++ XORL 52(SI),R9 ++ XORL 36(SI),AX ++ MOVL CX,20(DI) ++ MOVL R8,4(DI) ++ MOVL R9,52(DI) ++ MOVL AX,36(DI) ++ MOVD X0,CX ++ MOVD X1,R8 ++ MOVD X2,R9 ++ MOVD X3,AX ++ PSHUFL $0X39,X0,X0 ++ PSHUFL $0X39,X1,X1 ++ PSHUFL $0X39,X2,X2 ++ PSHUFL $0X39,X3,X3 ++ XORL 40(SI),CX ++ XORL 24(SI),R8 ++ XORL 8(SI),R9 ++ XORL 56(SI),AX ++ MOVL CX,40(DI) ++ MOVL R8,24(DI) ++ MOVL R9,8(DI) ++ MOVL AX,56(DI) ++ MOVD X0,CX ++ MOVD X1,R8 ++ MOVD X2,R9 ++ MOVD X3,AX ++ XORL 60(SI),CX ++ XORL 44(SI),R8 ++ XORL 28(SI),R9 ++ XORL 12(SI),AX ++ MOVL CX,60(DI) ++ MOVL R8,44(DI) ++ MOVL R9,28(DI) ++ MOVL AX,12(DI) ++ MOVQ 408(SP),R9 ++ MOVL 16(SP),CX ++ MOVL 36 (SP),R8 ++ ADDQ $1,CX ++ SHLQ $32,R8 ++ ADDQ R8,CX ++ MOVQ CX,R8 ++ SHRQ $32,R8 ++ MOVL CX,16(SP) ++ MOVL R8, 36 (SP) ++ CMPQ R9,$64 ++ JA BYTESATLEAST65 ++ JAE BYTESATLEAST64 ++ MOVQ DI,SI ++ MOVQ DX,DI ++ MOVQ R9,CX ++ REP; MOVSB ++ BYTESATLEAST64: ++ DONE: ++ MOVQ 352(SP),R11 ++ MOVQ 360(SP),R12 ++ MOVQ 368(SP),R13 ++ MOVQ 376(SP),R14 ++ MOVQ 384(SP),R15 ++ MOVQ 392(SP),BX ++ MOVQ 400(SP),BP ++ MOVQ R11,SP ++ RET ++ BYTESATLEAST65: ++ SUBQ $64,R9 ++ ADDQ $64,DI ++ ADDQ $64,SI ++ JMP BYTESBETWEEN1AND255 +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64_test.go +=================================================================== +--- /dev/null ++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64_test.go +@@ -0,0 +1,31 @@ ++// Copyright 2019 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build amd64,!appengine,!gccgo ++ ++package salsa ++ ++import ( ++ "bytes" ++ "testing" ++) ++ ++func TestCounterOverflow(t *testing.T) { ++ in := make([]byte, 4096) ++ key := &[32]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, ++ 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2} ++ for n, counter := range []*[16]byte{ ++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 0, 0, 0, 0, 0, 0, 0, 0}, // zero counter ++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff}, // counter about to overflow 32 bits ++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff}, // counter above 32 bits ++ } { ++ out := make([]byte, 4096) ++ XORKeyStream(out, in, counter, key) ++ outGeneric := make([]byte, 4096) ++ genericXORKeyStream(outGeneric, in, counter, key) ++ if !bytes.Equal(out, outGeneric) { ++ t.Errorf("%d: assembly and go implementations disagree", n) ++ } ++ } ++} +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_noasm.go +=================================================================== +--- /dev/null ++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_noasm.go +@@ -0,0 +1,14 @@ ++// Copyright 2019 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// +build !amd64 appengine gccgo ++ ++package salsa ++ ++// XORKeyStream crypts bytes from in to out using the given key and counters. ++// In and out must overlap entirely or not at all. Counter ++// contains the raw salsa20 counter bytes (both nonce and block counter). ++func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) { ++ genericXORKeyStream(out, in, counter, key) ++} +Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_ref.go +=================================================================== +--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_ref.go ++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_ref.go +@@ -2,8 +2,6 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-// +build !amd64 appengine gccgo +- + package salsa + + const rounds = 20 +@@ -202,10 +200,9 @@ func core(out *[64]byte, in *[16]byte, k + out[63] = byte(x15 >> 24) + } + +-// XORKeyStream crypts bytes from in to out using the given key and counters. +-// In and out may be the same slice but otherwise should not overlap. Counter +-// contains the raw salsa20 counter bytes (both nonce and block counter). +-func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) { ++// genericXORKeyStream is the generic implementation of XORKeyStream to be used ++// when no assembly implementation is available. ++func genericXORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) { + var block [64]byte + var counterCopy [16]byte + copy(counterCopy[:], counter[:]) diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 1970-01-01 10:00:00.000000000 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 2020-09-07 08:27:22.000000000 +1000 @@ -0,0 +1,261 @@ +commit 6c9f9a831536511295256d4b4960fc4024ed967c +Author: Filippo Valsorda <fili...@golang.org> +Date: Tue Apr 23 15:32:34 2019 -0400 + + openpgp/clearsign: reject potentially misleading headers and messages + + Aida Mynzhasova of SEC Consult Vulnerability Lab reported that the + clearsign package accepts some malformed messages, which can make it + possible for an attacker to trick a human user (but not a Go program) + into thinking unverified text is part of the message. + + For example, if in the following message the vertical tab character is + printed as a new line, a human observer could believe that the + unverified header text is part of the signed message. + + -----BEGIN PGP SIGNED MESSAGE----- + Hash: SHA1\x0b\x0bThis text is part of the header. + + Hello world! + -----BEGIN PGP SIGNATURE----- + Version: GnuPG v1.4.10 (GNU/Linux) + + iJwEAQECAAYFAk8kMuEACgkQO9o98PRieSpMsAQAhmY/vwmNpflrPgmfWsYhk5O8 + [...] + MyTpno24AjIAGb+mH1U= + =hIJ6 + -----END PGP SIGNATURE----- + + The OpenPGP specs are delightfully vague about purpose and validation of + these headers. RFC 4880, Section 7 says + + The cleartext signed message consists of: + + - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a + single line, + + - One or more "Hash" Armor Headers, + + - Exactly one empty line not included into the message digest, + [...] + + but also + + If MD5 is the only hash used, then an + implementation MAY omit this header for improved V2.x compatibility. + + and + + If more than one message digest is used in the signature, the "Hash" + armor header contains a comma-delimited list of used message digests. + + which seems to suggest that there can be zero or more Hash headers, each + with one or more algorithms, and no other header types. + + Anyway, it's entirely unclear what security purpose, if any, the Hash + header accomplishes. If the hash is too weak to be secure or + unsupported, the verification will fail. Otherwise, the user shouldn't + care. Given its dubious function, avoid breaking abstractions to check + that it matches the signature, and just document it as unverified. + + As for valid characters, RFC 4880 is silent, except reluctantly + mentioning that the Comment header can be UTF-8, but I am going to + assume that all hash algorithms will have ASCII names, because come on. + + Even more importantly, reject non-Hash SIGNED MESSAGE headers (as opposed + to the SIGNATURE headers), to prevent a "Thank you!" message turning into + + -----BEGIN PGP SIGNED MESSAGE----- + Reminder: I need you to wire $100k to 12345566 as soon as possible. + + Thank you! + -----BEGIN PGP SIGNATURE----- + [...] + + While at it, also check for trailing characters after the signed message + delimiter, as they are invalid and can be similarly used to confuse humans. + + The Decode API is also unfortunate in that it doesn't return an error, + so we can't tell the user what's wrong with the message, but that's what + we've got. + + Change-Id: I8a72c4851075337443d7a27e0b49a6b6e39f5a41 + Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/453011 + Reviewed-by: Adam Langley <a...@google.com> + Reviewed-on: https://go-review.googlesource.com/c/crypto/+/173778 + Run-TryBot: Filippo Valsorda <fili...@golang.org> + Reviewed-by: Adam Langley <a...@golang.org> + TryBot-Result: Gobot Gobot <go...@golang.org> + +diff --git a/openpgp/clearsign/clearsign.go b/openpgp/clearsign/clearsign.go +index def4cab..4fd02a1 100644 +--- a/openpgp/clearsign/clearsign.go ++++ b/openpgp/clearsign/clearsign.go +@@ -17,6 +17,7 @@ import ( + "io" + "net/textproto" + "strconv" ++ "strings" + + "golang.org/x/crypto/openpgp/armor" + "golang.org/x/crypto/openpgp/errors" +@@ -26,7 +27,7 @@ import ( + // A Block represents a clearsigned message. A signature on a Block can + // be checked by passing Bytes into openpgp.CheckDetachedSignature. + type Block struct { +- Headers textproto.MIMEHeader // Optional message headers ++ Headers textproto.MIMEHeader // Optional unverified Hash headers + Plaintext []byte // The original message text + Bytes []byte // The signed message + ArmoredSignature *armor.Block // The signature block +@@ -68,8 +69,13 @@ func getLine(data []byte) (line, rest []byte) { + return data[0:i], data[j:] + } + +-// Decode finds the first clearsigned message in data and returns it, as well +-// as the suffix of data which remains after the message. ++// Decode finds the first clearsigned message in data and returns it, as well as ++// the suffix of data which remains after the message. Any prefix data is ++// discarded. ++// ++// If no message is found, or if the message is invalid, Decode returns nil and ++// the whole data slice. The only allowed header type is Hash, and it is not ++// verified against the signature hash. + func Decode(data []byte) (b *Block, rest []byte) { + // start begins with a newline. However, at the very beginning of + // the byte array, we'll accept the start string without it. +@@ -82,8 +88,11 @@ func Decode(data []byte) (b *Block, rest []byte) { + return nil, data + } + +- // Consume the start line. +- _, rest = getLine(rest) ++ // Consume the start line and check it does not have a suffix. ++ suffix, rest := getLine(rest) ++ if len(suffix) != 0 { ++ return nil, data ++ } + + var line []byte + b = &Block{ +@@ -102,15 +111,25 @@ func Decode(data []byte) (b *Block, rest []byte) { + break + } + ++ // Reject headers with control or Unicode characters. ++ if i := bytes.IndexFunc(line, func(r rune) bool { ++ return r < 0x20 || r > 0x7e ++ }); i != -1 { ++ return nil, data ++ } ++ + i := bytes.Index(line, []byte{':'}) + if i == -1 { + return nil, data + } + +- key, val := line[0:i], line[i+1:] +- key = bytes.TrimSpace(key) +- val = bytes.TrimSpace(val) +- b.Headers.Add(string(key), string(val)) ++ key, val := string(line[0:i]), string(line[i+1:]) ++ key = strings.TrimSpace(key) ++ if key != "Hash" { ++ return nil, data ++ } ++ val = strings.TrimSpace(val) ++ b.Headers.Add(key, val) + } + + firstLine := true +diff --git a/openpgp/clearsign/clearsign_test.go b/openpgp/clearsign/clearsign_test.go +index 2c09480..1f52cd9 100644 +--- a/openpgp/clearsign/clearsign_test.go ++++ b/openpgp/clearsign/clearsign_test.go +@@ -44,12 +44,6 @@ func TestParse(t *testing.T) { + testParse(t, clearsignInput2, "\r\n\r\n(This message has a couple of blank lines at the start and end.)\r\n\r\n", "\n\n(This message has a couple of blank lines at the start and end.)\n\n\n") + } + +-func TestParseInvalid(t *testing.T) { +- if b, _ := Decode(clearsignInput3); b != nil { +- t.Fatal("decoded a bad clearsigned message without any error") +- } +-} +- + func TestParseWithNoNewlineAtEnd(t *testing.T) { + input := clearsignInput + input = input[:len(input)-len("trailing")-1] +@@ -125,6 +119,59 @@ func TestSigning(t *testing.T) { + } + } + ++const signatureBlock = ` ++-----BEGIN PGP SIGNATURE----- ++Version: OpenPrivacy 0.99 ++ ++yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS ++vBSFjNSiVHsuAA== ++=njUN ++-----END PGP SIGNATURE----- ++` ++ ++var invalidInputs = []string{ ++ ` ++-----BEGIN PGP SIGNED MESSAGE----- ++Hash: SHA256 ++ ++(This message was truncated.) ++`, ++ ` ++-----BEGIN PGP SIGNED MESSAGE-----garbage ++Hash: SHA256 ++ ++_o/ ++` + signatureBlock, ++ ` ++garbage-----BEGIN PGP SIGNED MESSAGE----- ++Hash: SHA256 ++ ++_o/ ++` + signatureBlock, ++ ` ++-----BEGIN PGP SIGNED MESSAGE----- ++Hash: SHA` + "\x0b\x0b" + `256 ++ ++_o/ ++` + signatureBlock, ++ ` ++-----BEGIN PGP SIGNED MESSAGE----- ++NotHash: SHA256 ++ ++_o/ ++` + signatureBlock, ++} ++ ++func TestParseInvalid(t *testing.T) { ++ for i, input := range invalidInputs { ++ if b, rest := Decode([]byte(input)); b != nil { ++ t.Errorf("#%d: decoded a bad clearsigned message without any error", i) ++ } else if string(rest) != input { ++ t.Errorf("#%d: did not return all data with a bad message", i) ++ } ++ } ++} ++ + var clearsignInput = []byte(` + ;lasjlkfdsa + +@@ -167,13 +214,6 @@ qZg6BaTvOxepqOxnhVU= + + trailing`) + +-var clearsignInput3 = []byte(` +------BEGIN PGP SIGNED MESSAGE----- +-Hash: SHA256 +- +-(This message was truncated.) +-`) +- + var signingKey = `-----BEGIN PGP PRIVATE KEY BLOCK----- + Version: GnuPG v1.4.10 (GNU/Linux) + diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series --- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series 2017-04-26 17:09:27.000000000 +1000 +++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series 2020-09-07 08:29:03.000000000 +1000 @@ -1 +1,3 @@ 0001-ssh-require-host-key-checking_CVE-2017-3204.patch +CVE-2019-11841.patch +CVE-2019-11840.patch
