From 2d98f0e494709f9b443444a88eb98ad421d5037f Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Wed, 22 May 2024 13:38:15 +0200
Subject: [PATCH] crypto: document that Verify inputs are not confidential

Fixes #67043
Closes #67044
Closes #67214

Change-Id: I6ad2838864d82b32a75f7b85804c894357ad57d4
Reviewed-on: https://go-review.googlesource.com/c/go/+/587277
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Filippo Valsorda
Reviewed-by: Carlos Amedee
Reviewed-by: Roland Shoemaker
---
 src/crypto/ecdsa/ecdsa.go | 7 +++++++
 src/crypto/ecdsa/ecdsa_legacy.go | 3 +++
 src/crypto/ed25519/ed25519.go | 9 +++++++++
 src/crypto/rsa/pkcs1v15.go | 3 +++
 src/crypto/rsa/pss.go | 3 +++
 src/crypto/rsa/rsa.go | 7 +++----
 6 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go
index f0b6822510..2179b01e8e 100644
--- a/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@ -8,6 +8,10 @@
 // Signatures generated by this package are not deterministic, but entropy is
 // mixed with the private key and the message, achieving the same level of
 // security in case of randomness source failure.
+//
+// Operations involving private keys are implemented using constant-time
+// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
+// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
 package ecdsa
 
 // [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
@@ -463,6 +467,9 @@ func (zr) Read(dst []byte) (n int, err error) {
 // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
 // public key, pub. Its return value records whether the signature is valid.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
 	if boring.Enabled {
 		key, err := boringPublicKey(pub)
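Review bot: The new ecdsa package paragraph makes the constant-time guarantee conditional on one of the four named curves but says nothing about what callers get otherwise, which is the case a reader scanning for a guarantee most needs. The rest of this commit touches ecdsa_legacy.go, whose Verify takes r, s as *big.Int, so other curves presumably take a non-constant-time path; if that is right, suggest closing the paragraph with `// Other curves use a generic, non-constant-time implementation.` so the conditional has an explicit consequence.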
diff --git a/src/crypto/ecdsa/ecdsa_legacy.go b/src/crypto/ecdsa/ecdsa_legacy.go
index 0b8489ab66..dc1c5d120a 100644
--- a/src/crypto/ecdsa/ecdsa_legacy.go
+++ b/src/crypto/ecdsa/ecdsa_legacy.go
@@ -115,6 +115,9 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
 // Verify verifies the signature in r, s of hash using the public key, pub. Its
 // return value records whether the signature is valid. Most applications should
 // use VerifyASN1 instead of dealing directly with r, s.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	if r.Sign() <= 0 || s.Sign() <= 0 {
 		return false
diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go
index 1dda9e5e9a..b75c5a6458 100644
--- a/src/crypto/ed25519/ed25519.go
+++ b/src/crypto/ed25519/ed25519.go
@@ -10,6 +10,9 @@
 // representation includes a public key suffix to make multiple signing
 // operations with the same key more efficient. This package refers to the RFC
 // 8032 private key as the “seed”.
+//
+// Operations involving private keys are implemented using constant-time
+// algorithms.
 package ed25519
 
 import (
@@ -258,6 +261,9 @@ func sign(signature, privateKey, message []byte, domPrefix, context string) {
 // Verify reports whether sig is a valid signature of message by publicKey. It
 // will panic if len(publicKey) is not [PublicKeySize].
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func Verify(publicKey PublicKey, message, sig []byte) bool {
 	return verify(publicKey, message, sig, domPrefixPure, "")
 }
@@ -270,6 +276,9 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
 // message is expected to be a SHA-512 hash, otherwise opts.Hash must be
 // [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
 // passes over messages to be signed.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
 	switch {
 	case opts.Hash == crypto.SHA512: // Ed25519ph
diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
index 2705036fdd..84b19fbcb4 100644
--- a/src/crypto/rsa/pkcs1v15.go
+++ b/src/crypto/rsa/pkcs1v15.go
@@ -321,6 +321,9 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
 // function and sig is the signature. A valid signature is indicated by
 // returning a nil error. If hash is zero then hashed is used directly. This
 // isn't advisable except for interoperability.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
 	if boring.Enabled {
 		bkey, err := boringPublicKey(pub)
diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
index b63b6eb01d..e996e7aaa3 100644
--- a/src/crypto/rsa/pss.go
+++ b/src/crypto/rsa/pss.go
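Review bot: The extended doc comment for VerifyWithOptions still does not state that opts must be non-nil, while the switch directly under the signature reads `opts.Hash` unconditionally, so a nil opts dereferences a nil pointer and panics. The sibling VerifyPSS doc in this same commit says its opts "may be nil", which makes the silent difference here easy to miss. Suggest adding `// opts must not be nil.` next to the existing panic note about len(publicKey). The function body continues past the end of the hunk.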
@@ -338,6 +338,9 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
 // result of hashing the input message using the given hash function. The opts
 // argument may be nil, in which case sensible defaults are used. opts.Hash is
 // ignored.
+//
+// The inputs are not considered confidential, and may leak through timing side
+// channels, or if an attacker has control of part of the inputs.
 func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
 	if boring.Enabled {
 		bkey, err := boringPublicKey(pub)
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
index 9342930dc1..4d78d1eaaa 100644
--- a/src/crypto/rsa/rsa.go
+++ b/src/crypto/rsa/rsa.go
@@ -19,10 +19,9 @@
 // over the public key primitive, the PrivateKey type implements the
 // Decrypter and Signer interfaces from the crypto package.
 //
-// Operations in this package are implemented using constant-time algorithms,
-// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
-// Every other operation only leaks the bit size of the involved values, which
-// all depend on the selected key size.
+// Operations involving private keys are implemented using constant-time
+// algorithms, except for [GenerateKey], [PrivateKey.Precompute], and
+// [PrivateKey.Validate].
 package rsa
 
 import (
-- 
2.48.1
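Review bot: The rewritten rsa package comment drops the qualification from the removed lines that operations leak the bit size of the involved values, which depends on the selected key size, yet it keeps calling the private-key operations constant-time without saying what "constant-time" is relative to. Nothing in this change makes the key size secret, and the old text explicitly named it as observable, so the caveat still holds for the private-key path and is worth keeping rather than dropping with the public-key sentence. Suggest appending `// The bit size of the involved values, which depends on the selected key size,` and `// is not considered confidential.` after the `[PrivateKey.Validate].` line, which also mirrors the per-function leak notes this commit adds to VerifyPKCS1v15 and VerifyPSS.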