Pull in https://golang.org/cl/17672, "math/big: fix carry propagation in

Int.Exp Montgomery code", to fix CVE-2015-8618.

From the oss-security posting that asked for a CVE:

"The Go open source project has received notification of an error in the
math/big library (https://golang.org/pkg/math/big/). The problem that was
identified is similar to CVE-2015-3193
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193>. The
vulnerability was introduced in the 1.5 release, and remains present in Go
1.5.1 and 1.5.2.

"A fix for the issue has been applied to the master branch of the Go repo
under CL 17672 <https://go-review.googlesource.com/#/c/17672/>. We will
also be releasing Go 1.5.3 to fix this vulnerability."

ok wiz@

5 files changed, 214 insertions, 6 deletions

diff --git a/lang/go/Makefile b/lang/go/Makefile
index 1dd4d786549..aa4939d55a7 100644
--- a/lang/go/Makefile
+++ b/lang/go/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.35 2015/12/10 20:04:54 bsiegert Exp $
+# $NetBSD: Makefile,v 1.36 2015/12/22 20:44:40 bsiegert Exp $
 
 .include "version.mk"
 
 DISTNAME=	go${GO_VERSION}.src
 PKGNAME=	go-${GO_VERSION}
+PKGREVISION=	1
 CATEGORIES=	lang
 MASTER_SITES=	https://storage.googleapis.com/golang/
 
diff --git a/lang/go/distinfo b/lang/go/distinfo
index b2c4e7929b5..81bf66abaaf 100644
--- a/lang/go/distinfo
+++ b/lang/go/distinfo
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.29 2015/12/10 20:04:54 bsiegert Exp $
+$NetBSD: distinfo,v 1.30 2015/12/22 20:44:40 bsiegert Exp $
 
 SHA1 (go1.5.2.src.tar.gz) = c7d78ba4df574b5f9a9bb5d17505f40c4d89b81c
 RMD160 (go1.5.2.src.tar.gz) = 38aec8e0f7f93c4616db58ccfc6152b3b35bbd08
 SHA512 (go1.5.2.src.tar.gz) = 7323ca7845fa4cb03d36240d759b542b142db331953f08bf8220d02465fc434478be3cb1abab52e180f29326379eab518e7b793c70c7cb440c1ab885d36bdfb8
 Size (go1.5.2.src.tar.gz) = 12056199 bytes
-SHA1 (patch-lib_time_update.bash) = d6f8e31dfefc1b4cc07bffb1f8f56d637efbdc1e
+SHA1 (patch-lib_time_update.bash) = bcf565b97ae7898a9e5cef7686fe42c69bc0bba1
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_go_pkg.go) = ccc470577951bd00741c39229599c0c06be52d0a
+SHA1 (patch-src_math_big_nat.go) = 3043a3883c6dbb5d4b75a07cb18effea5069ea74
+SHA1 (patch-src_math_big_nat_test.go) = c64bdd6b7ec1d28c0af4f7cf92a40d6f8262d346
 SHA1 (patch-src_syscall_syscall__solaris.go) = 436371947897dcba574a6dfecc6bbcd04f6e25b2
diff --git a/lang/go/patches/patch-lib_time_update.bash b/lang/go/patches/patch-lib_time_update.bash
index 35bc096714b..677214f4537 100644
--- a/lang/go/patches/patch-lib_time_update.bash
+++ b/lang/go/patches/patch-lib_time_update.bash
@@ -1,4 +1,4 @@
-$NetBSD: patch-lib_time_update.bash,v 1.1 2015/12/10 20:04:54 bsiegert Exp $
+$NetBSD: patch-lib_time_update.bash,v 1.2 2015/12/22 20:44:40 bsiegert Exp $
 
 --- lib/time/update.bash.orig	2015-12-03 00:52:58.000000000 +0000
 +++ lib/time/update.bash
@@ -11,5 +11,3 @@ $NetBSD: patch-lib_time_update.bash,v 1.1 2015/12/10 20:04:54 bsiegert Exp $
  	echo Left workspace behind in work/.
  else
  	rm -rf work
-
-
diff --git a/lang/go/patches/patch-src_math_big_nat.go b/lang/go/patches/patch-src_math_big_nat.go
new file mode 100644
index 00000000000..ca272a5b6a5
--- /dev/null
+++ b/lang/go/patches/patch-src_math_big_nat.go
@@ -0,0 +1,63 @@
+$NetBSD: patch-src_math_big_nat.go,v 1.1 2015/12/22 20:44:40 bsiegert Exp $
+
+From 4306352182bf94f86f0cfc6a8b0ed461cbf1d82c Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 09 Dec 2015 11:49:53 -0500
+Subject: [PATCH] math/big: fix carry propagation in Int.Exp Montgomery code
+
+Fixes #13515.
+
+Change-Id: I7dd5fbc816e5ea135f7d81f6735e7601f636fe4f
+Reviewed-on: https://go-review.googlesource.com/17672
+Reviewed-by: Robert Griesemer <gri@golang.org>
+---
+
+diff --git a/src/math/big/nat.go b/src/math/big/nat.go
+index f0a8339..e60318d 100644
+--- src/math/big/nat.go
++++ src/math/big/nat.go
+@@ -196,23 +196,36 @@
+ 	}
+ }
+ 
+-// montgomery computes x*y*2^(-n*_W) mod m,
+-// assuming k = -1/m mod 2^_W.
++// montgomery computes z mod m = x*y*2**(-n*_W) mod m,
++// assuming k = -1/m mod 2**_W.
+ // z is used for storing the result which is returned;
+ // z must not alias x, y or m.
++// See Gueron, "Efficient Software Implementations of Modular Exponentiation".
++// https://eprint.iacr.org/2011/239.pdf
++// In the terminology of that paper, this is an "Almost Montgomery Multiplication":
++// x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result
++// z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m.
+ func (z nat) montgomery(x, y, m nat, k Word, n int) nat {
+-	var c1, c2 Word
++	// This code assumes x, y, m are all the same length, n.
++	// (required by addMulVVW and the for loop).
++	// It also assumes that x, y are already reduced mod m,
++	// or else the result will not be properly reduced.
++	if len(x) != n || len(y) != n || len(m) != n {
++		panic("math/big: mismatched montgomery number lengths")
++	}
++	var c1, c2, c3 Word
+ 	z = z.make(n)
+ 	z.clear()
+ 	for i := 0; i < n; i++ {
+ 		d := y[i]
+-		c1 += addMulVVW(z, x, d)
++		c2 = addMulVVW(z, x, d)
+ 		t := z[0] * k
+-		c2 = addMulVVW(z, m, t)
+-
++		c3 = addMulVVW(z, m, t)
+ 		copy(z, z[1:])
+-		z[n-1] = c1 + c2
+-		if z[n-1] < c1 {
++		cx := c1 + c2
++		cy := cx + c3
++		z[n-1] = cy
++		if cx < c2 || cy < c3 {
+ 			c1 = 1
+ 		} else {
+ 			c1 = 0
diff --git a/lang/go/patches/patch-src_math_big_nat_test.go b/lang/go/patches/patch-src_math_big_nat_test.go
new file mode 100644
index 00000000000..d92d8870f20
--- /dev/null
+++ b/lang/go/patches/patch-src_math_big_nat_test.go
@@ -0,0 +1,144 @@
+$NetBSD: patch-src_math_big_nat_test.go,v 1.1 2015/12/22 20:44:40 bsiegert Exp $
+
+From 4306352182bf94f86f0cfc6a8b0ed461cbf1d82c Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 09 Dec 2015 11:49:53 -0500
+Subject: [PATCH] math/big: fix carry propagation in Int.Exp Montgomery code
+
+Fixes #13515.
+
+Change-Id: I7dd5fbc816e5ea135f7d81f6735e7601f636fe4f
+Reviewed-on: https://go-review.googlesource.com/17672
+Reviewed-by: Robert Griesemer <gri@golang.org>
+---
+
+diff --git a/src/math/big/nat_test.go b/src/math/big/nat_test.go
+index 3eefffc..56b62d2 100644
+--- src/math/big/nat_test.go.orig	2015-12-03 00:53:01.000000000 +0000
++++ src/math/big/nat_test.go
+@@ -341,25 +341,57 @@ var montgomeryTests = []struct {
+ 		"0xffffffffffffffffffffffffffffffffffffffffffffffffe",
+ 		"0xffffffffffffffffffffffffffffffffffffffffffffffffe",
+ 		"0xfffffffffffffffffffffffffffffffffffffffffffffffff",
+-		0x0000000000000000,
+-		"0xffffffffffffffffffffffffffffffffffffffffff",
+-		"0xffffffffffffffffffffffffffffffffff",
++		1,
++		"0x1000000000000000000000000000000000000000000",
++		"0x10000000000000000000000000000000000",
+ 	},
+ 	{
+-		"0x0000000080000000",
+-		"0x00000000ffffffff",
++		"0x000000000ffffff5",
++		"0x000000000ffffff0",
+ 		"0x0000000010000001",
+ 		0xff0000000fffffff,
+-		"0x0000000088000000",
+-		"0x0000000007800001",
++		"0x000000000bfffff4",
++		"0x0000000003400001",
++	},
++	{
++		"0x0000000080000000",
++		"0x00000000ffffffff",
++		"0x1000000000000001",
++		0xfffffffffffffff,
++		"0x0800000008000001",
++		"0x0800000008000001",
++	},
++	{
++		"0x0000000080000000",
++		"0x0000000080000000",
++		"0xffffffff00000001",
++		0xfffffffeffffffff,
++		"0xbfffffff40000001",
++		"0xbfffffff40000001",
++	},
++	{
++		"0x0000000080000000",
++		"0x0000000080000000",
++		"0x00ffffff00000001",
++		0xfffffeffffffff,
++		"0xbfffff40000001",
++		"0xbfffff40000001",
+ 	},
+ 	{
+-		"0xffffffffffffffffffffffffffffffff00000000000022222223333333333444444444",
+-		"0xffffffffffffffffffffffffffffffff999999999999999aaabbbbbbbbcccccccccccc",
++		"0x0000000080000000",
++		"0x0000000080000000",
++		"0x0000ffff00000001",
++		0xfffeffffffff,
++		"0xbfff40000001",
++		"0xbfff40000001",
++	},
++	{
++		"0x3321ffffffffffffffffffffffffffff00000000000022222623333333332bbbb888c0",
++		"0x3321ffffffffffffffffffffffffffff00000000000022222623333333332bbbb888c0",
+ 		"0x33377fffffffffffffffffffffffffffffffffffffffffffff0000000000022222eee1",
+ 		0xdecc8f1249812adf,
+-		"0x22bb05b6d95eaaeca2bb7c05e51f807bce9064b5fbad177161695e4558f9474e91cd79",
+-		"0x14beb58d230f85b6d95eaaeca2bb7c05e51f807bce9064b5fb45669afa695f228e48cd",
++		"0x04eb0e11d72329dc0915f86784820fc403275bf2f6620a20e0dd344c5cd0875e50deb5",
++		"0x0d7144739a7d8e11d72329dc0915f86784820fc403275bf2f61ed96f35dd34dbb3d6a0",
+ 	},
+ 	{
+ 		"0x10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffff00000000000022222223333333333444444444",
+@@ -372,10 +404,27 @@ var montgomeryTests = []struct {
+ }
+ 
+ func TestMontgomery(t *testing.T) {
++	one := NewInt(1)
++	_B := new(Int).Lsh(one, _W)
+ 	for i, test := range montgomeryTests {
+ 		x := natFromString(test.x)
+ 		y := natFromString(test.y)
+ 		m := natFromString(test.m)
++		for len(x) < len(m) {
++			x = append(x, 0)
++		}
++		for len(y) < len(m) {
++			y = append(y, 0)
++		}
++
++		if x.cmp(m) > 0 {
++			_, r := nat(nil).div(nil, x, m)
++			t.Errorf("#%d: x > m (%s > %s; use %s)", i, x.decimalString(), m.decimalString(), r.decimalString())
++		}
++		if y.cmp(m) > 0 {
++			_, r := nat(nil).div(nil, x, m)
++			t.Errorf("#%d: y > m (%s > %s; use %s)", i, y.decimalString(), m.decimalString(), r.decimalString())
++		}
+ 
+ 		var out nat
+ 		if _W == 32 {
+@@ -384,7 +433,27 @@ func TestMontgomery(t *testing.T) {
+ 			out = natFromString(test.out64)
+ 		}
+ 
+-		k0 := Word(test.k0 & _M) // mask k0 to ensure that it fits for 32-bit systems.
++		// t.Logf("#%d: len=%d\n", i, len(m))
++
++		// check output in table
++		xi := &Int{abs: x}
++		yi := &Int{abs: y}
++		mi := &Int{abs: m}
++		p := new(Int).Mod(new(Int).Mul(xi, new(Int).Mul(yi, new(Int).ModInverse(new(Int).Lsh(one, uint(len(m))*_W), mi))), mi)
++		if out.cmp(p.abs.norm()) != 0 {
++			t.Errorf("#%d: out in table=%s, computed=%s", i, out.decimalString(), p.abs.norm().decimalString())
++		}
++
++		// check k0 in table
++		k := new(Int).Mod(&Int{abs: m}, _B)
++		k = new(Int).Sub(_B, k)
++		k = new(Int).Mod(k, _B)
++		k0 := Word(new(Int).ModInverse(k, _B).Uint64())
++		if k0 != Word(test.k0) {
++			t.Errorf("#%d: k0 in table=%#x, computed=%#x\n", i, test.k0, k0)
++		}
++
++		// check montgomery with correct k0 produces correct output
+ 		z := nat(nil).montgomery(x, y, m, k0, len(m))
+ 		z = z.norm()
+ 		if z.cmp(out) != 0 {