crypto: document that Verify inputs are not confidential

Fixes #67043 Closes #67044 Closes #67214 Change-Id: I6ad2838864d82b32a75f7b85804c894357ad57d4 Reviewed-on: https://go-review.googlesource.com/c/go/+/587277 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
2024-11-14 22:40:40 -07:00 · 2024-05-22 13:38:15 +02:00 · 2024-05-22 13:38:15 +02:00 · 2d98f0e494
commit 2d98f0e494
parent 56ec5d96bc
6 changed files with 28 additions and 4 deletions
--- a/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@ -8,6 +8,10 @@
 // Signatures generated by this package are not deterministic, but entropy is
 // mixed with the private key and the message, achieving the same level of
 // security in case of randomness source failure.
+//
+// Operations involving private keys are implemented using constant-time
+// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
+// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
 package ecdsa

 // [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
@ -463,6 +467,9 @@ func (zr) Read(dst []byte) (n int, err error) {

 // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
 // public key, pub. Its return value records whether the signature is valid.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
 	if boring.Enabled {
 		key, err := boringPublicKey(pub)
--- a/src/crypto/ecdsa/ecdsa_legacy.go
+++ b/src/crypto/ecdsa/ecdsa_legacy.go
@ -115,6 +115,9 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
 // Verify verifies the signature in r, s of hash using the public key, pub. Its
 // return value records whether the signature is valid. Most applications should
 // use VerifyASN1 instead of dealing directly with r, s.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	if r.Sign() <= 0 || s.Sign() <= 0 {
 		return false
--- a/src/crypto/ed25519/ed25519.go
+++ b/src/crypto/ed25519/ed25519.go
@ -10,6 +10,9 @@
 // representation includes a public key suffix to make multiple signing
 // operations with the same key more efficient. This package refers to the RFC
 // 8032 private key as the “seed”.
+//
+// Operations involving private keys are implemented using constant-time
+// algorithms.
 package ed25519

 import (
@ -258,6 +261,9 @@ func sign(signature, privateKey, message []byte, domPrefix, context string) {

 // Verify reports whether sig is a valid signature of message by publicKey. It
 // will panic if len(publicKey) is not [PublicKeySize].
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func Verify(publicKey PublicKey, message, sig []byte) bool {
 	return verify(publicKey, message, sig, domPrefixPure, "")
 }
@ -270,6 +276,9 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
 // message is expected to be a SHA-512 hash, otherwise opts.Hash must be
 // [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
 // passes over messages to be signed.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
 	switch {
 	case opts.Hash == crypto.SHA512: // Ed25519ph
--- a/src/crypto/rsa/pkcs1v15.go
+++ b/src/crypto/rsa/pkcs1v15.go
@ -321,6 +321,9 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
 // function and sig is the signature. A valid signature is indicated by
 // returning a nil error. If hash is zero then hashed is used directly. This
 // isn't advisable except for interoperability.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
 	if boring.Enabled {
 		bkey, err := boringPublicKey(pub)
--- a/src/crypto/rsa/pss.go
+++ b/src/crypto/rsa/pss.go
@ -338,6 +338,9 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
 // result of hashing the input message using the given hash function. The opts
 // argument may be nil, in which case sensible defaults are used. opts.Hash is
 // ignored.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
 	if boring.Enabled {
 		bkey, err := boringPublicKey(pub)
--- a/src/crypto/rsa/rsa.go
+++ b/src/crypto/rsa/rsa.go
@ -19,10 +19,9 @@
 // over the public key primitive, the PrivateKey type implements the
 // Decrypter and Signer interfaces from the crypto package.
 //
-// Operations in this package are implemented using constant-time algorithms,
-// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
-// Every other operation only leaks the bit size of the involved values, which
-// all depend on the selected key size.
+// Operations involving private keys are implemented using constant-time
+// algorithms, except for [GenerateKey], [PrivateKey.Precompute], and
+// [PrivateKey.Validate].
 package rsa

 import (