diff options
Diffstat (limited to 'src/pkg')
-rw-r--r-- | src/pkg/compress/gzip/gzip.go | 3 | ||||
-rw-r--r-- | src/pkg/compress/zlib/writer.go | 3 | ||||
-rw-r--r-- | src/pkg/crypto/rsa/pkcs1v15.go | 43 | ||||
-rw-r--r-- | src/pkg/crypto/rsa/pkcs1v15_test.go | 20 | ||||
-rw-r--r-- | src/pkg/crypto/subtle/constant_time.go | 9 | ||||
-rw-r--r-- | src/pkg/net/dnsconfig_unix.go | 10 | ||||
-rw-r--r-- | src/pkg/net/fd_unix.go | 18 | ||||
-rw-r--r-- | src/pkg/net/fd_windows.go | 9 | ||||
-rw-r--r-- | src/pkg/net/sock_posix.go | 22 | ||||
-rw-r--r-- | src/pkg/net/testdata/resolv.conf | 1 | ||||
-rw-r--r-- | src/pkg/runtime/sys_windows_386.s | 5 | ||||
-rw-r--r-- | src/pkg/runtime/sys_windows_amd64.s | 5 | ||||
-rw-r--r-- | src/pkg/runtime/traceback_arm.c | 9 | ||||
-rw-r--r-- | src/pkg/runtime/traceback_x86.c | 2 |
14 files changed, 115 insertions, 44 deletions
diff --git a/src/pkg/compress/gzip/gzip.go b/src/pkg/compress/gzip/gzip.go index 3a0bf54e1..5131d128e 100644 --- a/src/pkg/compress/gzip/gzip.go +++ b/src/pkg/compress/gzip/gzip.go @@ -245,7 +245,8 @@ func (z *Writer) Flush() error { return z.err } -// Close closes the Writer. It does not close the underlying io.Writer. +// Close closes the Writer, flushing any unwritten data to the underlying +// io.Writer, but does not close the underlying io.Writer. func (z *Writer) Close() error { if z.err != nil { return z.err diff --git a/src/pkg/compress/zlib/writer.go b/src/pkg/compress/zlib/writer.go index fac7e15a7..3b4313a8b 100644 --- a/src/pkg/compress/zlib/writer.go +++ b/src/pkg/compress/zlib/writer.go @@ -174,7 +174,8 @@ func (z *Writer) Flush() error { return z.err } -// Calling Close does not close the wrapped io.Writer originally passed to NewWriter. +// Close closes the Writer, flushing any unwritten data to the underlying +// io.Writer, but does not close the underlying io.Writer. func (z *Writer) Close() error { if !z.wroteHeader { z.err = z.writeHeader() diff --git a/src/pkg/crypto/rsa/pkcs1v15.go b/src/pkg/crypto/rsa/pkcs1v15.go index d9957aec1..59e8bb5b7 100644 --- a/src/pkg/crypto/rsa/pkcs1v15.go +++ b/src/pkg/crypto/rsa/pkcs1v15.go @@ -53,11 +53,14 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (out [ if err := checkPub(&priv.PublicKey); err != nil { return nil, err } - valid, out, err := decryptPKCS1v15(rand, priv, ciphertext) - if err == nil && valid == 0 { - err = ErrDecryption + valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext) + if err != nil { + return } - + if valid == 0 { + return nil, ErrDecryption + } + out = out[index:] return } @@ -80,21 +83,32 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by } k := (priv.N.BitLen() + 7) / 8 if k-(len(key)+3+8) < 0 { - err = ErrDecryption - return + return ErrDecryption } - valid, msg, err := decryptPKCS1v15(rand, priv, ciphertext) + valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext) if err != nil { return } - valid &= subtle.ConstantTimeEq(int32(len(msg)), int32(len(key))) - subtle.ConstantTimeCopy(valid, key, msg) + if len(em) != k { + // This should be impossible because decryptPKCS1v15 always + // returns the full slice. + return ErrDecryption + } + + valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key))) + subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):]) return } -func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, msg []byte, err error) { +// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if +// rand is not nil. It returns one or zero in valid that indicates whether the +// plaintext was correctly structured. In either case, the plaintext is +// returned in em so that it may be read independently of whether it was valid +// in order to maintain constant memory access patterns. If the plaintext was +// valid then index contains the index of the original message in em. +func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) { k := (priv.N.BitLen() + 7) / 8 if k < 11 { err = ErrDecryption @@ -107,7 +121,7 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid return } - em := leftPad(m.Bytes(), k) + em = leftPad(m.Bytes(), k) firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2) @@ -115,8 +129,7 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid // octets, followed by a 0, followed by the message. // lookingForIndex: 1 iff we are still looking for the zero. // index: the offset of the first zero byte. - var lookingForIndex, index int - lookingForIndex = 1 + lookingForIndex := 1 for i := 2; i < len(em); i++ { equals0 := subtle.ConstantTimeByteEq(em[i], 0) @@ -129,8 +142,8 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid validPS := subtle.ConstantTimeLessOrEq(2+8, index) valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1) & validPS - msg = em[index+1:] - return + index = subtle.ConstantTimeSelect(valid, index+1, 0) + return valid, em, index, nil } // nonZeroRandomBytes fills the given slice with non-zero random octets. diff --git a/src/pkg/crypto/rsa/pkcs1v15_test.go b/src/pkg/crypto/rsa/pkcs1v15_test.go index 37c14d1d9..2dc5dbc2c 100644 --- a/src/pkg/crypto/rsa/pkcs1v15_test.go +++ b/src/pkg/crypto/rsa/pkcs1v15_test.go @@ -227,6 +227,26 @@ func TestUnpaddedSignature(t *testing.T) { } } +func TestShortSessionKey(t *testing.T) { + // This tests that attempting to decrypt a session key where the + // ciphertext is too small doesn't run outside the array bounds. + ciphertext, err := EncryptPKCS1v15(rand.Reader, &rsaPrivateKey.PublicKey, []byte{1}) + if err != nil { + t.Fatalf("Failed to encrypt short message: %s", err) + } + + var key [32]byte + if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, ciphertext, key[:]); err != nil { + t.Fatalf("Failed to decrypt short message: %s", err) + } + + for _, v := range key { + if v != 0 { + t.Fatal("key was modified when ciphertext was invalid") + } + } +} + // In order to generate new test vectors you'll need the PEM form of this key: // -----BEGIN RSA PRIVATE KEY----- // MIIBOgIBAAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0 diff --git a/src/pkg/crypto/subtle/constant_time.go b/src/pkg/crypto/subtle/constant_time.go index de1a4e8c5..9c4b14a65 100644 --- a/src/pkg/crypto/subtle/constant_time.go +++ b/src/pkg/crypto/subtle/constant_time.go @@ -49,9 +49,14 @@ func ConstantTimeEq(x, y int32) int { return int(z & 1) } -// ConstantTimeCopy copies the contents of y into x iff v == 1. If v == 0, x is left unchanged. -// Its behavior is undefined if v takes any other value. +// ConstantTimeCopy copies the contents of y into x (a slice of equal length) +// if v == 1. If v == 0, x is left unchanged. Its behavior is undefined if v +// takes any other value. func ConstantTimeCopy(v int, x, y []byte) { + if len(x) != len(y) { + panic("subtle: slices have different lengths") + } + xmask := byte(v - 1) ymask := byte(^(v - 1)) for i := 0; i < len(x); i++ { diff --git a/src/pkg/net/dnsconfig_unix.go b/src/pkg/net/dnsconfig_unix.go index af288253e..db45716f1 100644 --- a/src/pkg/net/dnsconfig_unix.go +++ b/src/pkg/net/dnsconfig_unix.go @@ -75,19 +75,19 @@ func dnsReadConfig(filename string) (*dnsConfig, error) { for i := 1; i < len(f); i++ { s := f[i] switch { - case len(s) >= 6 && s[0:6] == "ndots:": + case hasPrefix(s, "ndots:"): n, _, _ := dtoi(s, 6) if n < 1 { n = 1 } conf.ndots = n - case len(s) >= 8 && s[0:8] == "timeout:": + case hasPrefix(s, "timeout:"): n, _, _ := dtoi(s, 8) if n < 1 { n = 1 } conf.timeout = n - case len(s) >= 8 && s[0:9] == "attempts:": + case hasPrefix(s, "attempts:"): n, _, _ := dtoi(s, 9) if n < 1 { n = 1 @@ -103,3 +103,7 @@ func dnsReadConfig(filename string) (*dnsConfig, error) { return conf, nil } + +func hasPrefix(s, prefix string) bool { + return len(s) >= len(prefix) && s[:len(prefix)] == prefix +} diff --git a/src/pkg/net/fd_unix.go b/src/pkg/net/fd_unix.go index b82ecd11c..e22861abb 100644 --- a/src/pkg/net/fd_unix.go +++ b/src/pkg/net/fd_unix.go @@ -68,16 +68,19 @@ func (fd *netFD) name() string { return fd.net + ":" + ls + "->" + rs } -func (fd *netFD) connect(la, ra syscall.Sockaddr) error { +func (fd *netFD) connect(la, ra syscall.Sockaddr, deadline time.Time) error { // Do not need to call fd.writeLock here, // because fd is not yet accessible to user, // so no concurrent operations are possible. - if err := fd.pd.PrepareWrite(); err != nil { - return err - } switch err := syscall.Connect(fd.sysfd, ra); err { case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR: case nil, syscall.EISCONN: + if !deadline.IsZero() && deadline.Before(time.Now()) { + return errTimeout + } + if err := fd.init(); err != nil { + return err + } return nil case syscall.EINVAL: // On Solaris we can see EINVAL if the socket has @@ -92,6 +95,13 @@ func (fd *netFD) connect(la, ra syscall.Sockaddr) error { default: return err } + if err := fd.init(); err != nil { + return err + } + if !deadline.IsZero() { + fd.setWriteDeadline(deadline) + defer fd.setWriteDeadline(noDeadline) + } for { // Performing multiple connect system calls on a // non-blocking socket under Unix variants does not diff --git a/src/pkg/net/fd_windows.go b/src/pkg/net/fd_windows.go index a1f6bc5f8..d1129dccc 100644 --- a/src/pkg/net/fd_windows.go +++ b/src/pkg/net/fd_windows.go @@ -313,10 +313,17 @@ func (fd *netFD) setAddr(laddr, raddr Addr) { runtime.SetFinalizer(fd, (*netFD).Close) } -func (fd *netFD) connect(la, ra syscall.Sockaddr) error { +func (fd *netFD) connect(la, ra syscall.Sockaddr, deadline time.Time) error { // Do not need to call fd.writeLock here, // because fd is not yet accessible to user, // so no concurrent operations are possible. + if err := fd.init(); err != nil { + return err + } + if !deadline.IsZero() { + fd.setWriteDeadline(deadline) + defer fd.setWriteDeadline(noDeadline) + } if !canUseConnectEx(fd.net) { return syscall.Connect(fd.sysfd, ra) } diff --git a/src/pkg/net/sock_posix.go b/src/pkg/net/sock_posix.go index a6ef874c9..c80c7d6a2 100644 --- a/src/pkg/net/sock_posix.go +++ b/src/pkg/net/sock_posix.go @@ -107,24 +107,18 @@ func (fd *netFD) dial(laddr, raddr sockaddr, deadline time.Time, toAddr func(sys } } } - if err := fd.init(); err != nil { - return err - } var rsa syscall.Sockaddr if raddr != nil { if rsa, err = raddr.sockaddr(fd.family); err != nil { return err - } else if rsa != nil { - if !deadline.IsZero() { - fd.setWriteDeadline(deadline) - } - if err := fd.connect(lsa, rsa); err != nil { - return err - } - fd.isConnected = true - if !deadline.IsZero() { - fd.setWriteDeadline(noDeadline) - } + } + if err := fd.connect(lsa, rsa, deadline); err != nil { + return err + } + fd.isConnected = true + } else { + if err := fd.init(); err != nil { + return err } } lsa, _ = syscall.Getsockname(fd.sysfd) diff --git a/src/pkg/net/testdata/resolv.conf b/src/pkg/net/testdata/resolv.conf index b5972e09c..3841bbf90 100644 --- a/src/pkg/net/testdata/resolv.conf +++ b/src/pkg/net/testdata/resolv.conf @@ -3,3 +3,4 @@ domain Home nameserver 192.168.1.1 options ndots:5 timeout:10 attempts:3 rotate +options attempts 3 diff --git a/src/pkg/runtime/sys_windows_386.s b/src/pkg/runtime/sys_windows_386.s index e0c0631cf..576831d2c 100644 --- a/src/pkg/runtime/sys_windows_386.s +++ b/src/pkg/runtime/sys_windows_386.s @@ -88,6 +88,10 @@ TEXT runtime·sigtramp(SB),NOSPLIT,$0-0 // fetch g get_tls(DX) + CMPL DX, $0 + JNE 3(PC) + MOVL $0, AX // continue + JMP done MOVL m(DX), AX CMPL AX, $0 JNE 2(PC) @@ -100,6 +104,7 @@ TEXT runtime·sigtramp(SB),NOSPLIT,$0-0 CALL runtime·sighandler(SB) // AX is set to report result back to Windows +done: // restore callee-saved registers MOVL 24(SP), DI MOVL 20(SP), SI diff --git a/src/pkg/runtime/sys_windows_amd64.s b/src/pkg/runtime/sys_windows_amd64.s index 94845903e..d161be6a5 100644 --- a/src/pkg/runtime/sys_windows_amd64.s +++ b/src/pkg/runtime/sys_windows_amd64.s @@ -120,6 +120,10 @@ TEXT runtime·sigtramp(SB),NOSPLIT,$0-0 // fetch g get_tls(DX) + CMPQ DX, $0 + JNE 3(PC) + MOVQ $0, AX // continue + JMP done MOVQ m(DX), AX CMPQ AX, $0 JNE 2(PC) @@ -132,6 +136,7 @@ TEXT runtime·sigtramp(SB),NOSPLIT,$0-0 CALL runtime·sighandler(SB) // AX is set to report result back to Windows +done: // restore registers as required for windows callback MOVQ 24(SP), R15 MOVQ 32(SP), R14 diff --git a/src/pkg/runtime/traceback_arm.c b/src/pkg/runtime/traceback_arm.c index d15244c2a..30f43d54c 100644 --- a/src/pkg/runtime/traceback_arm.c +++ b/src/pkg/runtime/traceback_arm.c @@ -128,9 +128,14 @@ runtime·gentraceback(uintptr pc0, uintptr sp0, uintptr lr0, G *gp, int32 skip, frame.lr = *(uintptr*)frame.sp; flr = runtime·findfunc(frame.lr); if(flr == nil) { - runtime·printf("runtime: unexpected return pc for %s called from %p\n", runtime·funcname(f), frame.lr); - if(callback != nil) + // This happens if you get a profiling interrupt at just the wrong time. + // In that context it is okay to stop early. + // But if callback is set, we're doing a garbage collection and must + // get everything, so crash loudly. + if(callback != nil) { + runtime·printf("runtime: unexpected return pc for %s called from %p\n", runtime·funcname(f), frame.lr); runtime·throw("unknown caller pc"); + } } } diff --git a/src/pkg/runtime/traceback_x86.c b/src/pkg/runtime/traceback_x86.c index 851504f52..7359cfcc9 100644 --- a/src/pkg/runtime/traceback_x86.c +++ b/src/pkg/runtime/traceback_x86.c @@ -214,7 +214,7 @@ runtime·gentraceback(uintptr pc0, uintptr sp0, uintptr lr0, G *gp, int32 skip, // the SP is two words lower than normal. sparg = frame.sp; if(wasnewproc) - sparg += 2*sizeof(uintreg); + sparg += 2*sizeof(uintptr); // Determine frame's 'continuation PC', where it can continue. // Normally this is the return address on the stack, but if sigpanic |