1
0
mirror of https://github.com/golang/go synced 2024-11-15 01:40:25 -07:00

crypto: document that Verify inputs are not confidential

Fixes #67043
Closes #67044
Closes #67214

Change-Id: I6ad2838864d82b32a75f7b85804c894357ad57d4
Reviewed-on: https://go-review.googlesource.com/c/go/+/587277
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Filippo Valsorda 2024-05-22 13:38:15 +02:00 committed by Gopher Robot
parent 56ec5d96bc
commit 2d98f0e494
6 changed files with 28 additions and 4 deletions

View File

@ -8,6 +8,10 @@
// Signatures generated by this package are not deterministic, but entropy is // Signatures generated by this package are not deterministic, but entropy is
// mixed with the private key and the message, achieving the same level of // mixed with the private key and the message, achieving the same level of
// security in case of randomness source failure. // security in case of randomness source failure.
//
// Operations involving private keys are implemented using constant-time
// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
package ecdsa package ecdsa
// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm. // [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
@ -463,6 +467,9 @@ func (zr) Read(dst []byte) (n int, err error) {
// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
// public key, pub. Its return value records whether the signature is valid. // public key, pub. Its return value records whether the signature is valid.
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool { func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
if boring.Enabled { if boring.Enabled {
key, err := boringPublicKey(pub) key, err := boringPublicKey(pub)

View File

@ -115,6 +115,9 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
// Verify verifies the signature in r, s of hash using the public key, pub. Its // Verify verifies the signature in r, s of hash using the public key, pub. Its
// return value records whether the signature is valid. Most applications should // return value records whether the signature is valid. Most applications should
// use VerifyASN1 instead of dealing directly with r, s. // use VerifyASN1 instead of dealing directly with r, s.
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
if r.Sign() <= 0 || s.Sign() <= 0 { if r.Sign() <= 0 || s.Sign() <= 0 {
return false return false

View File

@ -10,6 +10,9 @@
// representation includes a public key suffix to make multiple signing // representation includes a public key suffix to make multiple signing
// operations with the same key more efficient. This package refers to the RFC // operations with the same key more efficient. This package refers to the RFC
// 8032 private key as the “seed”. // 8032 private key as the “seed”.
//
// Operations involving private keys are implemented using constant-time
// algorithms.
package ed25519 package ed25519
import ( import (
@ -258,6 +261,9 @@ func sign(signature, privateKey, message []byte, domPrefix, context string) {
// Verify reports whether sig is a valid signature of message by publicKey. It // Verify reports whether sig is a valid signature of message by publicKey. It
// will panic if len(publicKey) is not [PublicKeySize]. // will panic if len(publicKey) is not [PublicKeySize].
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func Verify(publicKey PublicKey, message, sig []byte) bool { func Verify(publicKey PublicKey, message, sig []byte) bool {
return verify(publicKey, message, sig, domPrefixPure, "") return verify(publicKey, message, sig, domPrefixPure, "")
} }
@ -270,6 +276,9 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
// message is expected to be a SHA-512 hash, otherwise opts.Hash must be // message is expected to be a SHA-512 hash, otherwise opts.Hash must be
// [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two // [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
// passes over messages to be signed. // passes over messages to be signed.
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error { func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
switch { switch {
case opts.Hash == crypto.SHA512: // Ed25519ph case opts.Hash == crypto.SHA512: // Ed25519ph

View File

@ -321,6 +321,9 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
// function and sig is the signature. A valid signature is indicated by // function and sig is the signature. A valid signature is indicated by
// returning a nil error. If hash is zero then hashed is used directly. This // returning a nil error. If hash is zero then hashed is used directly. This
// isn't advisable except for interoperability. // isn't advisable except for interoperability.
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error { func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
if boring.Enabled { if boring.Enabled {
bkey, err := boringPublicKey(pub) bkey, err := boringPublicKey(pub)

View File

@ -338,6 +338,9 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
// result of hashing the input message using the given hash function. The opts // result of hashing the input message using the given hash function. The opts
// argument may be nil, in which case sensible defaults are used. opts.Hash is // argument may be nil, in which case sensible defaults are used. opts.Hash is
// ignored. // ignored.
//
// The inputs are not considered confidential, and may leak through timing side
// channels, or if an attacker has control of part of the inputs.
func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error { func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
if boring.Enabled { if boring.Enabled {
bkey, err := boringPublicKey(pub) bkey, err := boringPublicKey(pub)

View File

@ -19,10 +19,9 @@
// over the public key primitive, the PrivateKey type implements the // over the public key primitive, the PrivateKey type implements the
// Decrypter and Signer interfaces from the crypto package. // Decrypter and Signer interfaces from the crypto package.
// //
// Operations in this package are implemented using constant-time algorithms, // Operations involving private keys are implemented using constant-time
// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate]. // algorithms, except for [GenerateKey], [PrivateKey.Precompute], and
// Every other operation only leaks the bit size of the involved values, which // [PrivateKey.Validate].
// all depend on the selected key size.
package rsa package rsa
import ( import (