diff --git a/go.mod b/go.mod index b3e8db778..78b2b9609 100644 --- a/go.mod +++ b/go.mod @@ -58,7 +58,7 @@ require ( github.com/jmhodges/levigo v1.0.0 // indirect github.com/joho/godotenv v1.3.0 // indirect github.com/kballard/go-shellquote v0.0.0-20170619183022-cd60e84ee657 - github.com/keybase/go-crypto v0.0.0-20170605145657-00ac4db533f6 + github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4 github.com/klauspost/compress v1.9.2 github.com/lafriks/xormstore v1.3.2 github.com/lib/pq v1.2.0 diff --git a/go.sum b/go.sum index 81150c0fd..fdbc7fd56 100644 --- a/go.sum +++ b/go.sum @@ -9,8 +9,6 @@ cloud.google.com/go v0.45.0 h1:bALuGBSgE+BD4rxsopAYlqjcwqcQtye6pWG4bC3N/k0= cloud.google.com/go v0.45.0/go.mod h1:452BcPOeI9AZfbvDw0Tbo7D32wA+WX9WME8AZwMEDZU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -gitea.com/lunny/levelqueue v0.1.0 h1:7wMk0VH6mvKN6vZEZCy9nUDgRmdPLgeNrm1NkW8EHNk= -gitea.com/lunny/levelqueue v0.1.0/go.mod h1:G7hVb908t0Bl0uk7zGSg14fyzNtxgtD9Shf04wkMK7s= gitea.com/lunny/levelqueue v0.2.0 h1:lR/5EAwQtFcn5YvPEkNMw0p9pAy2/O2nSP5ImECLA2E= gitea.com/lunny/levelqueue v0.2.0/go.mod h1:G7hVb908t0Bl0uk7zGSg14fyzNtxgtD9Shf04wkMK7s= gitea.com/macaron/binding v0.0.0-20190822013154-a5f53841ed2b h1:vXt85uYV17KURaUlhU7v4GbCShkqRZDSfo0TkC0YCjQ= @@ -340,8 +338,8 @@ github.com/kballard/go-shellquote v0.0.0-20170619183022-cd60e84ee657 h1:vE7J1m7c github.com/kballard/go-shellquote v0.0.0-20170619183022-cd60e84ee657/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= -github.com/keybase/go-crypto v0.0.0-20170605145657-00ac4db533f6 h1:9mszGwKDxHEY2cy+9XxCQKWIfkGPSAEFrcN8ghzyAKg= -github.com/keybase/go-crypto v0.0.0-20170605145657-00ac4db533f6/go.mod h1:ghbZscTyKdM07+Fw3KSi0hcJm+AlEUWj8QLlPtijN/M= +github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4 h1:cTxwSmnaqLoo+4tLukHoB9iqHOu3LmLhRmgUxZo6Vp4= +github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4/go.mod h1:ghbZscTyKdM07+Fw3KSi0hcJm+AlEUWj8QLlPtijN/M= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.9.2 h1:LfVyl+ZlLlLDeQ/d2AqfGIIH4qEDu0Ed2S5GyhCWIWY= @@ -508,7 +506,6 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.4.0 h1:yXHLWeravcrgGyFSyCgdYpXQ9dR9c/WED3pg1RhxqEU= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/src-d/enry v1.7.3 h1:jG2fmEaQaURh0qqU/sn82BRzVa6d4EVHJIw6gc98bak= github.com/src-d/enry/v2 v2.1.0 h1:z1L8t+B8bh3mmjPkJrgOTnVRpFGmTPJsplHX9wAn6BI= github.com/src-d/enry/v2 v2.1.0/go.mod h1:qQeCMRwzMF3ckeGr+h0tJLdxXnq+NVZsIDMELj0t028= github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4= diff --git a/vendor/github.com/keybase/go-crypto/cast5/cast5.go b/vendor/github.com/keybase/go-crypto/cast5/cast5.go index 8c1b299bf..e0207352c 100644 --- a/vendor/github.com/keybase/go-crypto/cast5/cast5.go +++ b/vendor/github.com/keybase/go-crypto/cast5/cast5.go @@ -4,7 +4,7 @@ // Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common // OpenPGP cipher. -package cast5 +package cast5 // import "github.com/keybase/go-crypto/cast5" import "errors" diff --git a/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.h b/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.h new file mode 100644 index 000000000..b3f74162f --- /dev/null +++ b/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.h @@ -0,0 +1,8 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// This code was translated into a form compatible with 6a from the public +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html + +#define REDMASK51 0x0007FFFFFFFFFFFF diff --git a/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s index 797f9b051..ee7b4bd5f 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s @@ -3,12 +3,12 @@ // license that can be found in the LICENSE file. // This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html // +build amd64,!gccgo,!appengine -DATA ·REDMASK51(SB)/8, $0x0007FFFFFFFFFFFF -GLOBL ·REDMASK51(SB), 8, $8 +// These constants cannot be encoded in non-MOVQ immediates. +// We access them directly from memory instead. DATA ·_121666_213(SB)/8, $996687872 GLOBL ·_121666_213(SB), 8, $8 diff --git a/vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s index 45484d1b5..cd793a5b5 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s @@ -2,87 +2,64 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html - // +build amd64,!gccgo,!appengine -// func cswap(inout *[5]uint64, v uint64) +// func cswap(inout *[4][5]uint64, v uint64) TEXT ·cswap(SB),7,$0 MOVQ inout+0(FP),DI MOVQ v+8(FP),SI - CMPQ SI,$1 - MOVQ 0(DI),SI - MOVQ 80(DI),DX - MOVQ 8(DI),CX - MOVQ 88(DI),R8 - MOVQ SI,R9 - CMOVQEQ DX,SI - CMOVQEQ R9,DX - MOVQ CX,R9 - CMOVQEQ R8,CX - CMOVQEQ R9,R8 - MOVQ SI,0(DI) - MOVQ DX,80(DI) - MOVQ CX,8(DI) - MOVQ R8,88(DI) - MOVQ 16(DI),SI - MOVQ 96(DI),DX - MOVQ 24(DI),CX - MOVQ 104(DI),R8 - MOVQ SI,R9 - CMOVQEQ DX,SI - CMOVQEQ R9,DX - MOVQ CX,R9 - CMOVQEQ R8,CX - CMOVQEQ R9,R8 - MOVQ SI,16(DI) - MOVQ DX,96(DI) - MOVQ CX,24(DI) - MOVQ R8,104(DI) - MOVQ 32(DI),SI - MOVQ 112(DI),DX - MOVQ 40(DI),CX - MOVQ 120(DI),R8 - MOVQ SI,R9 - CMOVQEQ DX,SI - CMOVQEQ R9,DX - MOVQ CX,R9 - CMOVQEQ R8,CX - CMOVQEQ R9,R8 - MOVQ SI,32(DI) - MOVQ DX,112(DI) - MOVQ CX,40(DI) - MOVQ R8,120(DI) - MOVQ 48(DI),SI - MOVQ 128(DI),DX - MOVQ 56(DI),CX - MOVQ 136(DI),R8 - MOVQ SI,R9 - CMOVQEQ DX,SI - CMOVQEQ R9,DX - MOVQ CX,R9 - CMOVQEQ R8,CX - CMOVQEQ R9,R8 - MOVQ SI,48(DI) - MOVQ DX,128(DI) - MOVQ CX,56(DI) - MOVQ R8,136(DI) - MOVQ 64(DI),SI - MOVQ 144(DI),DX - MOVQ 72(DI),CX - MOVQ 152(DI),R8 - MOVQ SI,R9 - CMOVQEQ DX,SI - CMOVQEQ R9,DX - MOVQ CX,R9 - CMOVQEQ R8,CX - CMOVQEQ R9,R8 - MOVQ SI,64(DI) - MOVQ DX,144(DI) - MOVQ CX,72(DI) - MOVQ R8,152(DI) - MOVQ DI,AX - MOVQ SI,DX + SUBQ $1, SI + NOTQ SI + MOVQ SI, X15 + PSHUFD $0x44, X15, X15 + + MOVOU 0(DI), X0 + MOVOU 16(DI), X2 + MOVOU 32(DI), X4 + MOVOU 48(DI), X6 + MOVOU 64(DI), X8 + MOVOU 80(DI), X1 + MOVOU 96(DI), X3 + MOVOU 112(DI), X5 + MOVOU 128(DI), X7 + MOVOU 144(DI), X9 + + MOVO X1, X10 + MOVO X3, X11 + MOVO X5, X12 + MOVO X7, X13 + MOVO X9, X14 + + PXOR X0, X10 + PXOR X2, X11 + PXOR X4, X12 + PXOR X6, X13 + PXOR X8, X14 + PAND X15, X10 + PAND X15, X11 + PAND X15, X12 + PAND X15, X13 + PAND X15, X14 + PXOR X10, X0 + PXOR X10, X1 + PXOR X11, X2 + PXOR X11, X3 + PXOR X12, X4 + PXOR X12, X5 + PXOR X13, X6 + PXOR X13, X7 + PXOR X14, X8 + PXOR X14, X9 + + MOVOU X0, 0(DI) + MOVOU X2, 16(DI) + MOVOU X4, 32(DI) + MOVOU X6, 48(DI) + MOVOU X8, 64(DI) + MOVOU X1, 80(DI) + MOVOU X3, 96(DI) + MOVOU X5, 112(DI) + MOVOU X7, 128(DI) + MOVOU X9, 144(DI) RET diff --git a/vendor/github.com/keybase/go-crypto/curve25519/curve25519.go b/vendor/github.com/keybase/go-crypto/curve25519/curve25519.go index 6918c47fc..cb8fbc57b 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/curve25519.go +++ b/vendor/github.com/keybase/go-crypto/curve25519/curve25519.go @@ -2,12 +2,16 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// We have a implementation in amd64 assembly so this code is only run on +// We have an implementation in amd64 assembly so this code is only run on // non-amd64 platforms. The amd64 assembly does not support gccgo. // +build !amd64 gccgo appengine package curve25519 +import ( + "encoding/binary" +) + // This code is a port of the public domain, "ref10" implementation of // curve25519 from SUPERCOP 20130419 by D. J. Bernstein. @@ -50,17 +54,11 @@ func feCopy(dst, src *fieldElement) { // // Preconditions: b in {0,1}. func feCSwap(f, g *fieldElement, b int32) { - var x fieldElement b = -b - for i := range x { - x[i] = b & (f[i] ^ g[i]) - } - for i := range f { - f[i] ^= x[i] - } - for i := range g { - g[i] ^= x[i] + t := b & (f[i] ^ g[i]) + f[i] ^= t + g[i] ^= t } } @@ -75,12 +73,7 @@ func load3(in []byte) int64 { // load4 reads a 32-bit, little-endian value from in. func load4(in []byte) int64 { - var r int64 - r = int64(in[0]) - r |= int64(in[1]) << 8 - r |= int64(in[2]) << 16 - r |= int64(in[3]) << 24 - return r + return int64(binary.LittleEndian.Uint32(in)) } func feFromBytes(dst *fieldElement, src *[32]byte) { diff --git a/vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go b/vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go index 5f9eebebf..a3d3a3d91 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go +++ b/vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go @@ -16,19 +16,30 @@ func copyReverse(dst []byte, src []byte) { // Curve 25519 multiplication functions expect scalars in reverse // order than PGP. To keep the curve25519Curve type consistent // with other curves, we reverse it here. - for i, j := 0, len(src)-1; j >= 0; i, j = i+1, j-1 { + for i, j := 0, len(src)-1; j >= 0 && i < len(dst); i, j = i+1, j-1 { dst[i] = src[j] } } +func copyTruncate(dst []byte, src []byte) { + lenDst, lenSrc := len(dst), len(src) + if lenDst == lenSrc { + copy(dst, src) + } else if lenDst > lenSrc { + copy(dst[lenDst-lenSrc:lenDst], src) + } else if lenDst < lenSrc { + copy(dst, src[:lenDst]) + } +} + func (cv25519Curve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) { // Assume y1 is 0 with cv25519. var dst [32]byte var x1Bytes [32]byte var scalarBytes [32]byte - copy(x1Bytes[:], x1.Bytes()[:32]) - copyReverse(scalarBytes[:], scalar[:32]) + copyTruncate(x1Bytes[:], x1.Bytes()) + copyReverse(scalarBytes[:], scalar) scalarMult(&dst, &scalarBytes, &x1Bytes) @@ -63,7 +74,7 @@ func (cv25519Curve) MarshalType40(x, y *big.Int) []byte { ret[0] = 0x40 xBytes := x.Bytes() - copy(ret[1+byteLen-len(xBytes):], xBytes) + copyTruncate(ret[1:], xBytes) return ret } @@ -91,10 +102,10 @@ func initCv25519() { // Some code relies on these parameters being available for // checking Curve coordinate length. They should not be used // directly for any calculations. - cv25519.P, _ = new (big.Int).SetString("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", 16) - cv25519.N, _ = new (big.Int).SetString("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16) - cv25519.Gx, _ = new (big.Int).SetString("9", 16) - cv25519.Gy, _ = new (big.Int).SetString("20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9", 16) + cv25519.P, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", 16) + cv25519.N, _ = new(big.Int).SetString("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16) + cv25519.Gx, _ = new(big.Int).SetString("9", 16) + cv25519.Gy, _ = new(big.Int).SetString("20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9", 16) cv25519.BitSize = 256 } diff --git a/vendor/github.com/keybase/go-crypto/curve25519/doc.go b/vendor/github.com/keybase/go-crypto/curve25519/doc.go index f7db9c1ce..78bd9fc07 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/doc.go +++ b/vendor/github.com/keybase/go-crypto/curve25519/doc.go @@ -3,8 +3,8 @@ // license that can be found in the LICENSE file. // Package curve25519 provides an implementation of scalar multiplication on -// the elliptic curve known as curve25519. See http://cr.yp.to/ecdh.html -package curve25519 +// the elliptic curve known as curve25519. See https://cr.yp.to/ecdh.html +package curve25519 // import "github.com/keybase/go-crypto/curve25519" // basePoint is the x coordinate of the generator of the curve. var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} diff --git a/vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s index 37599fac0..390816106 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s @@ -3,33 +3,22 @@ // license that can be found in the LICENSE file. // This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html // +build amd64,!gccgo,!appengine +#include "const_amd64.h" + // func freeze(inout *[5]uint64) -TEXT ·freeze(SB),7,$96-8 +TEXT ·freeze(SB),7,$0-8 MOVQ inout+0(FP), DI - MOVQ SP,R11 - MOVQ $31,CX - NOTQ CX - ANDQ CX,SP - ADDQ $32,SP - - MOVQ R11,0(SP) - MOVQ R12,8(SP) - MOVQ R13,16(SP) - MOVQ R14,24(SP) - MOVQ R15,32(SP) - MOVQ BX,40(SP) - MOVQ BP,48(SP) MOVQ 0(DI),SI MOVQ 8(DI),DX MOVQ 16(DI),CX MOVQ 24(DI),R8 MOVQ 32(DI),R9 - MOVQ ·REDMASK51(SB),AX + MOVQ $REDMASK51,AX MOVQ AX,R10 SUBQ $18,R10 MOVQ $3,R11 @@ -81,14 +70,4 @@ REDUCELOOP: MOVQ CX,16(DI) MOVQ R8,24(DI) MOVQ R9,32(DI) - MOVQ 0(SP),R11 - MOVQ 8(SP),R12 - MOVQ 16(SP),R13 - MOVQ 24(SP),R14 - MOVQ 32(SP),R15 - MOVQ 40(SP),BX - MOVQ 48(SP),BP - MOVQ R11,SP - MOVQ DI,AX - MOVQ SI,DX RET diff --git a/vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s index 3949f9cfa..9e9040b25 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s @@ -3,27 +3,16 @@ // license that can be found in the LICENSE file. // This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html // +build amd64,!gccgo,!appengine +#include "const_amd64.h" + // func ladderstep(inout *[5][5]uint64) -TEXT ·ladderstep(SB),0,$384-8 +TEXT ·ladderstep(SB),0,$296-8 MOVQ inout+0(FP),DI - MOVQ SP,R11 - MOVQ $31,CX - NOTQ CX - ANDQ CX,SP - ADDQ $32,SP - - MOVQ R11,0(SP) - MOVQ R12,8(SP) - MOVQ R13,16(SP) - MOVQ R14,24(SP) - MOVQ R15,32(SP) - MOVQ BX,40(SP) - MOVQ BP,48(SP) MOVQ 40(DI),SI MOVQ 48(DI),DX MOVQ 56(DI),CX @@ -49,89 +38,89 @@ TEXT ·ladderstep(SB),0,$384-8 SUBQ 96(DI),R11 SUBQ 104(DI),R12 SUBQ 112(DI),R13 - MOVQ SI,56(SP) - MOVQ DX,64(SP) - MOVQ CX,72(SP) - MOVQ R8,80(SP) - MOVQ R9,88(SP) - MOVQ AX,96(SP) - MOVQ R10,104(SP) - MOVQ R11,112(SP) - MOVQ R12,120(SP) - MOVQ R13,128(SP) - MOVQ 96(SP),AX - MULQ 96(SP) + MOVQ SI,0(SP) + MOVQ DX,8(SP) + MOVQ CX,16(SP) + MOVQ R8,24(SP) + MOVQ R9,32(SP) + MOVQ AX,40(SP) + MOVQ R10,48(SP) + MOVQ R11,56(SP) + MOVQ R12,64(SP) + MOVQ R13,72(SP) + MOVQ 40(SP),AX + MULQ 40(SP) MOVQ AX,SI MOVQ DX,CX - MOVQ 96(SP),AX + MOVQ 40(SP),AX SHLQ $1,AX - MULQ 104(SP) + MULQ 48(SP) MOVQ AX,R8 MOVQ DX,R9 - MOVQ 96(SP),AX + MOVQ 40(SP),AX SHLQ $1,AX - MULQ 112(SP) + MULQ 56(SP) MOVQ AX,R10 MOVQ DX,R11 - MOVQ 96(SP),AX + MOVQ 40(SP),AX SHLQ $1,AX - MULQ 120(SP) + MULQ 64(SP) MOVQ AX,R12 MOVQ DX,R13 - MOVQ 96(SP),AX + MOVQ 40(SP),AX SHLQ $1,AX - MULQ 128(SP) + MULQ 72(SP) MOVQ AX,R14 MOVQ DX,R15 - MOVQ 104(SP),AX - MULQ 104(SP) + MOVQ 48(SP),AX + MULQ 48(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 104(SP),AX + MOVQ 48(SP),AX SHLQ $1,AX - MULQ 112(SP) + MULQ 56(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 104(SP),AX + MOVQ 48(SP),AX SHLQ $1,AX - MULQ 120(SP) + MULQ 64(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 104(SP),DX + MOVQ 48(SP),DX IMUL3Q $38,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 112(SP),AX - MULQ 112(SP) + MOVQ 56(SP),AX + MULQ 56(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 112(SP),DX + MOVQ 56(SP),DX IMUL3Q $38,DX,AX - MULQ 120(SP) + MULQ 64(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 112(SP),DX + MOVQ 56(SP),DX IMUL3Q $38,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 120(SP),DX + MOVQ 64(SP),DX IMUL3Q $19,DX,AX - MULQ 120(SP) + MULQ 64(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 120(SP),DX + MOVQ 64(SP),DX IMUL3Q $38,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 128(SP),DX + MOVQ 72(SP),DX IMUL3Q $19,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -169,84 +158,84 @@ TEXT ·ladderstep(SB),0,$384-8 IMUL3Q $19,CX,CX ADDQ CX,SI ANDQ DX,R10 - MOVQ SI,136(SP) - MOVQ R8,144(SP) - MOVQ R9,152(SP) - MOVQ AX,160(SP) - MOVQ R10,168(SP) - MOVQ 56(SP),AX - MULQ 56(SP) + MOVQ SI,80(SP) + MOVQ R8,88(SP) + MOVQ R9,96(SP) + MOVQ AX,104(SP) + MOVQ R10,112(SP) + MOVQ 0(SP),AX + MULQ 0(SP) MOVQ AX,SI MOVQ DX,CX - MOVQ 56(SP),AX + MOVQ 0(SP),AX SHLQ $1,AX - MULQ 64(SP) + MULQ 8(SP) MOVQ AX,R8 MOVQ DX,R9 - MOVQ 56(SP),AX + MOVQ 0(SP),AX SHLQ $1,AX - MULQ 72(SP) + MULQ 16(SP) MOVQ AX,R10 MOVQ DX,R11 - MOVQ 56(SP),AX + MOVQ 0(SP),AX SHLQ $1,AX - MULQ 80(SP) + MULQ 24(SP) MOVQ AX,R12 MOVQ DX,R13 - MOVQ 56(SP),AX + MOVQ 0(SP),AX SHLQ $1,AX - MULQ 88(SP) + MULQ 32(SP) MOVQ AX,R14 MOVQ DX,R15 - MOVQ 64(SP),AX - MULQ 64(SP) + MOVQ 8(SP),AX + MULQ 8(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 64(SP),AX + MOVQ 8(SP),AX SHLQ $1,AX - MULQ 72(SP) + MULQ 16(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 64(SP),AX + MOVQ 8(SP),AX SHLQ $1,AX - MULQ 80(SP) + MULQ 24(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 64(SP),DX + MOVQ 8(SP),DX IMUL3Q $38,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 72(SP),AX - MULQ 72(SP) + MOVQ 16(SP),AX + MULQ 16(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 72(SP),DX + MOVQ 16(SP),DX IMUL3Q $38,DX,AX - MULQ 80(SP) + MULQ 24(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 72(SP),DX + MOVQ 16(SP),DX IMUL3Q $38,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 80(SP),DX + MOVQ 24(SP),DX IMUL3Q $19,DX,AX - MULQ 80(SP) + MULQ 24(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 80(SP),DX + MOVQ 24(SP),DX IMUL3Q $38,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 88(SP),DX + MOVQ 32(SP),DX IMUL3Q $19,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -284,11 +273,11 @@ TEXT ·ladderstep(SB),0,$384-8 IMUL3Q $19,CX,CX ADDQ CX,SI ANDQ DX,R10 - MOVQ SI,176(SP) - MOVQ R8,184(SP) - MOVQ R9,192(SP) - MOVQ AX,200(SP) - MOVQ R10,208(SP) + MOVQ SI,120(SP) + MOVQ R8,128(SP) + MOVQ R9,136(SP) + MOVQ AX,144(SP) + MOVQ R10,152(SP) MOVQ SI,SI MOVQ R8,DX MOVQ R9,CX @@ -299,16 +288,16 @@ TEXT ·ladderstep(SB),0,$384-8 ADDQ ·_2P1234(SB),CX ADDQ ·_2P1234(SB),R8 ADDQ ·_2P1234(SB),R9 - SUBQ 136(SP),SI - SUBQ 144(SP),DX - SUBQ 152(SP),CX - SUBQ 160(SP),R8 - SUBQ 168(SP),R9 - MOVQ SI,216(SP) - MOVQ DX,224(SP) - MOVQ CX,232(SP) - MOVQ R8,240(SP) - MOVQ R9,248(SP) + SUBQ 80(SP),SI + SUBQ 88(SP),DX + SUBQ 96(SP),CX + SUBQ 104(SP),R8 + SUBQ 112(SP),R9 + MOVQ SI,160(SP) + MOVQ DX,168(SP) + MOVQ CX,176(SP) + MOVQ R8,184(SP) + MOVQ R9,192(SP) MOVQ 120(DI),SI MOVQ 128(DI),DX MOVQ 136(DI),CX @@ -334,124 +323,124 @@ TEXT ·ladderstep(SB),0,$384-8 SUBQ 176(DI),R11 SUBQ 184(DI),R12 SUBQ 192(DI),R13 - MOVQ SI,256(SP) - MOVQ DX,264(SP) - MOVQ CX,272(SP) - MOVQ R8,280(SP) - MOVQ R9,288(SP) - MOVQ AX,296(SP) - MOVQ R10,304(SP) - MOVQ R11,312(SP) - MOVQ R12,320(SP) - MOVQ R13,328(SP) - MOVQ 280(SP),SI + MOVQ SI,200(SP) + MOVQ DX,208(SP) + MOVQ CX,216(SP) + MOVQ R8,224(SP) + MOVQ R9,232(SP) + MOVQ AX,240(SP) + MOVQ R10,248(SP) + MOVQ R11,256(SP) + MOVQ R12,264(SP) + MOVQ R13,272(SP) + MOVQ 224(SP),SI IMUL3Q $19,SI,AX - MOVQ AX,336(SP) - MULQ 112(SP) + MOVQ AX,280(SP) + MULQ 56(SP) MOVQ AX,SI MOVQ DX,CX - MOVQ 288(SP),DX + MOVQ 232(SP),DX IMUL3Q $19,DX,AX - MOVQ AX,344(SP) - MULQ 104(SP) + MOVQ AX,288(SP) + MULQ 48(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 256(SP),AX - MULQ 96(SP) + MOVQ 200(SP),AX + MULQ 40(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 256(SP),AX - MULQ 104(SP) + MOVQ 200(SP),AX + MULQ 48(SP) MOVQ AX,R8 MOVQ DX,R9 - MOVQ 256(SP),AX - MULQ 112(SP) + MOVQ 200(SP),AX + MULQ 56(SP) MOVQ AX,R10 MOVQ DX,R11 - MOVQ 256(SP),AX - MULQ 120(SP) + MOVQ 200(SP),AX + MULQ 64(SP) MOVQ AX,R12 MOVQ DX,R13 - MOVQ 256(SP),AX - MULQ 128(SP) + MOVQ 200(SP),AX + MULQ 72(SP) MOVQ AX,R14 MOVQ DX,R15 - MOVQ 264(SP),AX - MULQ 96(SP) + MOVQ 208(SP),AX + MULQ 40(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 264(SP),AX - MULQ 104(SP) + MOVQ 208(SP),AX + MULQ 48(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 264(SP),AX - MULQ 112(SP) + MOVQ 208(SP),AX + MULQ 56(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 264(SP),AX - MULQ 120(SP) + MOVQ 208(SP),AX + MULQ 64(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 264(SP),DX + MOVQ 208(SP),DX IMUL3Q $19,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 272(SP),AX - MULQ 96(SP) + MOVQ 216(SP),AX + MULQ 40(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 272(SP),AX - MULQ 104(SP) + MOVQ 216(SP),AX + MULQ 48(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 272(SP),AX - MULQ 112(SP) + MOVQ 216(SP),AX + MULQ 56(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 272(SP),DX + MOVQ 216(SP),DX IMUL3Q $19,DX,AX - MULQ 120(SP) + MULQ 64(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 272(SP),DX + MOVQ 216(SP),DX IMUL3Q $19,DX,AX - MULQ 128(SP) + MULQ 72(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 280(SP),AX - MULQ 96(SP) + MOVQ 224(SP),AX + MULQ 40(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 280(SP),AX - MULQ 104(SP) + MOVQ 224(SP),AX + MULQ 48(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 336(SP),AX - MULQ 120(SP) + MOVQ 280(SP),AX + MULQ 64(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 336(SP),AX - MULQ 128(SP) + MOVQ 280(SP),AX + MULQ 72(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 288(SP),AX - MULQ 96(SP) + MOVQ 232(SP),AX + MULQ 40(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 344(SP),AX - MULQ 112(SP) + MOVQ 288(SP),AX + MULQ 56(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 344(SP),AX - MULQ 120(SP) + MOVQ 288(SP),AX + MULQ 64(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 344(SP),AX - MULQ 128(SP) + MOVQ 288(SP),AX + MULQ 72(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -489,119 +478,119 @@ TEXT ·ladderstep(SB),0,$384-8 IMUL3Q $19,CX,CX ADDQ CX,SI ANDQ DX,R10 - MOVQ SI,96(SP) - MOVQ R8,104(SP) - MOVQ R9,112(SP) - MOVQ AX,120(SP) - MOVQ R10,128(SP) - MOVQ 320(SP),SI + MOVQ SI,40(SP) + MOVQ R8,48(SP) + MOVQ R9,56(SP) + MOVQ AX,64(SP) + MOVQ R10,72(SP) + MOVQ 264(SP),SI IMUL3Q $19,SI,AX - MOVQ AX,256(SP) - MULQ 72(SP) + MOVQ AX,200(SP) + MULQ 16(SP) MOVQ AX,SI MOVQ DX,CX - MOVQ 328(SP),DX + MOVQ 272(SP),DX IMUL3Q $19,DX,AX - MOVQ AX,264(SP) - MULQ 64(SP) + MOVQ AX,208(SP) + MULQ 8(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 296(SP),AX - MULQ 56(SP) + MOVQ 240(SP),AX + MULQ 0(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 296(SP),AX - MULQ 64(SP) + MOVQ 240(SP),AX + MULQ 8(SP) MOVQ AX,R8 MOVQ DX,R9 - MOVQ 296(SP),AX - MULQ 72(SP) + MOVQ 240(SP),AX + MULQ 16(SP) MOVQ AX,R10 MOVQ DX,R11 - MOVQ 296(SP),AX - MULQ 80(SP) + MOVQ 240(SP),AX + MULQ 24(SP) MOVQ AX,R12 MOVQ DX,R13 - MOVQ 296(SP),AX - MULQ 88(SP) + MOVQ 240(SP),AX + MULQ 32(SP) MOVQ AX,R14 MOVQ DX,R15 - MOVQ 304(SP),AX - MULQ 56(SP) + MOVQ 248(SP),AX + MULQ 0(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 304(SP),AX - MULQ 64(SP) + MOVQ 248(SP),AX + MULQ 8(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 304(SP),AX - MULQ 72(SP) + MOVQ 248(SP),AX + MULQ 16(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 304(SP),AX - MULQ 80(SP) + MOVQ 248(SP),AX + MULQ 24(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 304(SP),DX + MOVQ 248(SP),DX IMUL3Q $19,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 312(SP),AX - MULQ 56(SP) + MOVQ 256(SP),AX + MULQ 0(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 312(SP),AX - MULQ 64(SP) + MOVQ 256(SP),AX + MULQ 8(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 312(SP),AX - MULQ 72(SP) + MOVQ 256(SP),AX + MULQ 16(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 312(SP),DX + MOVQ 256(SP),DX IMUL3Q $19,DX,AX - MULQ 80(SP) + MULQ 24(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 312(SP),DX + MOVQ 256(SP),DX IMUL3Q $19,DX,AX - MULQ 88(SP) + MULQ 32(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 320(SP),AX - MULQ 56(SP) + MOVQ 264(SP),AX + MULQ 0(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 320(SP),AX - MULQ 64(SP) + MOVQ 264(SP),AX + MULQ 8(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 256(SP),AX - MULQ 80(SP) + MOVQ 200(SP),AX + MULQ 24(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 256(SP),AX - MULQ 88(SP) + MOVQ 200(SP),AX + MULQ 32(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 328(SP),AX - MULQ 56(SP) + MOVQ 272(SP),AX + MULQ 0(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 264(SP),AX - MULQ 72(SP) + MOVQ 208(SP),AX + MULQ 16(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 264(SP),AX - MULQ 80(SP) + MOVQ 208(SP),AX + MULQ 24(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 264(SP),AX - MULQ 88(SP) + MOVQ 208(SP),AX + MULQ 32(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -649,16 +638,16 @@ TEXT ·ladderstep(SB),0,$384-8 ADDQ ·_2P1234(SB),R11 ADDQ ·_2P1234(SB),R12 ADDQ ·_2P1234(SB),R13 - ADDQ 96(SP),SI - ADDQ 104(SP),R8 - ADDQ 112(SP),R9 - ADDQ 120(SP),AX - ADDQ 128(SP),R10 - SUBQ 96(SP),DX - SUBQ 104(SP),CX - SUBQ 112(SP),R11 - SUBQ 120(SP),R12 - SUBQ 128(SP),R13 + ADDQ 40(SP),SI + ADDQ 48(SP),R8 + ADDQ 56(SP),R9 + ADDQ 64(SP),AX + ADDQ 72(SP),R10 + SUBQ 40(SP),DX + SUBQ 48(SP),CX + SUBQ 56(SP),R11 + SUBQ 64(SP),R12 + SUBQ 72(SP),R13 MOVQ SI,120(DI) MOVQ R8,128(DI) MOVQ R9,136(DI) @@ -741,7 +730,7 @@ TEXT ·ladderstep(SB),0,$384-8 MULQ 152(DI) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -856,7 +845,7 @@ TEXT ·ladderstep(SB),0,$384-8 MULQ 192(DI) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -901,13 +890,13 @@ TEXT ·ladderstep(SB),0,$384-8 MOVQ R10,192(DI) MOVQ 184(DI),SI IMUL3Q $19,SI,AX - MOVQ AX,56(SP) + MOVQ AX,0(SP) MULQ 16(DI) MOVQ AX,SI MOVQ DX,CX MOVQ 192(DI),DX IMUL3Q $19,DX,AX - MOVQ AX,64(SP) + MOVQ AX,8(SP) MULQ 8(DI) ADDQ AX,SI ADCQ DX,CX @@ -982,11 +971,11 @@ TEXT ·ladderstep(SB),0,$384-8 MULQ 8(DI) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 56(SP),AX + MOVQ 0(SP),AX MULQ 24(DI) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 56(SP),AX + MOVQ 0(SP),AX MULQ 32(DI) ADDQ AX,R10 ADCQ DX,R11 @@ -994,19 +983,19 @@ TEXT ·ladderstep(SB),0,$384-8 MULQ 0(DI) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 64(SP),AX + MOVQ 8(SP),AX MULQ 16(DI) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 64(SP),AX + MOVQ 8(SP),AX MULQ 24(DI) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 64(SP),AX + MOVQ 8(SP),AX MULQ 32(DI) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -1049,114 +1038,114 @@ TEXT ·ladderstep(SB),0,$384-8 MOVQ R9,176(DI) MOVQ AX,184(DI) MOVQ R10,192(DI) - MOVQ 200(SP),SI + MOVQ 144(SP),SI IMUL3Q $19,SI,AX - MOVQ AX,56(SP) - MULQ 152(SP) + MOVQ AX,0(SP) + MULQ 96(SP) MOVQ AX,SI MOVQ DX,CX - MOVQ 208(SP),DX + MOVQ 152(SP),DX IMUL3Q $19,DX,AX - MOVQ AX,64(SP) - MULQ 144(SP) + MOVQ AX,8(SP) + MULQ 88(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 176(SP),AX - MULQ 136(SP) + MOVQ 120(SP),AX + MULQ 80(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 176(SP),AX - MULQ 144(SP) + MOVQ 120(SP),AX + MULQ 88(SP) MOVQ AX,R8 MOVQ DX,R9 - MOVQ 176(SP),AX - MULQ 152(SP) + MOVQ 120(SP),AX + MULQ 96(SP) MOVQ AX,R10 MOVQ DX,R11 - MOVQ 176(SP),AX - MULQ 160(SP) + MOVQ 120(SP),AX + MULQ 104(SP) MOVQ AX,R12 MOVQ DX,R13 - MOVQ 176(SP),AX - MULQ 168(SP) + MOVQ 120(SP),AX + MULQ 112(SP) MOVQ AX,R14 MOVQ DX,R15 - MOVQ 184(SP),AX - MULQ 136(SP) + MOVQ 128(SP),AX + MULQ 80(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 184(SP),AX - MULQ 144(SP) + MOVQ 128(SP),AX + MULQ 88(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 184(SP),AX - MULQ 152(SP) + MOVQ 128(SP),AX + MULQ 96(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 184(SP),AX - MULQ 160(SP) + MOVQ 128(SP),AX + MULQ 104(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 184(SP),DX + MOVQ 128(SP),DX IMUL3Q $19,DX,AX - MULQ 168(SP) + MULQ 112(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 192(SP),AX - MULQ 136(SP) + MOVQ 136(SP),AX + MULQ 80(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 192(SP),AX - MULQ 144(SP) + MOVQ 136(SP),AX + MULQ 88(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 192(SP),AX - MULQ 152(SP) + MOVQ 136(SP),AX + MULQ 96(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 192(SP),DX + MOVQ 136(SP),DX IMUL3Q $19,DX,AX - MULQ 160(SP) + MULQ 104(SP) ADDQ AX,SI ADCQ DX,CX - MOVQ 192(SP),DX + MOVQ 136(SP),DX IMUL3Q $19,DX,AX - MULQ 168(SP) + MULQ 112(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 200(SP),AX - MULQ 136(SP) + MOVQ 144(SP),AX + MULQ 80(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 200(SP),AX - MULQ 144(SP) + MOVQ 144(SP),AX + MULQ 88(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 56(SP),AX - MULQ 160(SP) + MOVQ 0(SP),AX + MULQ 104(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 56(SP),AX - MULQ 168(SP) + MOVQ 0(SP),AX + MULQ 112(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 208(SP),AX - MULQ 136(SP) + MOVQ 152(SP),AX + MULQ 80(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 64(SP),AX - MULQ 152(SP) + MOVQ 8(SP),AX + MULQ 96(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 64(SP),AX - MULQ 160(SP) + MOVQ 8(SP),AX + MULQ 104(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 64(SP),AX - MULQ 168(SP) + MOVQ 8(SP),AX + MULQ 112(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -1199,37 +1188,37 @@ TEXT ·ladderstep(SB),0,$384-8 MOVQ R9,56(DI) MOVQ AX,64(DI) MOVQ R10,72(DI) - MOVQ 216(SP),AX + MOVQ 160(SP),AX MULQ ·_121666_213(SB) SHRQ $13,AX MOVQ AX,SI MOVQ DX,CX - MOVQ 224(SP),AX + MOVQ 168(SP),AX MULQ ·_121666_213(SB) SHRQ $13,AX ADDQ AX,CX MOVQ DX,R8 - MOVQ 232(SP),AX + MOVQ 176(SP),AX MULQ ·_121666_213(SB) SHRQ $13,AX ADDQ AX,R8 MOVQ DX,R9 - MOVQ 240(SP),AX + MOVQ 184(SP),AX MULQ ·_121666_213(SB) SHRQ $13,AX ADDQ AX,R9 MOVQ DX,R10 - MOVQ 248(SP),AX + MOVQ 192(SP),AX MULQ ·_121666_213(SB) SHRQ $13,AX ADDQ AX,R10 IMUL3Q $19,DX,DX ADDQ DX,SI - ADDQ 136(SP),SI - ADDQ 144(SP),CX - ADDQ 152(SP),R8 - ADDQ 160(SP),R9 - ADDQ 168(SP),R10 + ADDQ 80(SP),SI + ADDQ 88(SP),CX + ADDQ 96(SP),R8 + ADDQ 104(SP),R9 + ADDQ 112(SP),R10 MOVQ SI,80(DI) MOVQ CX,88(DI) MOVQ R8,96(DI) @@ -1237,112 +1226,112 @@ TEXT ·ladderstep(SB),0,$384-8 MOVQ R10,112(DI) MOVQ 104(DI),SI IMUL3Q $19,SI,AX - MOVQ AX,56(SP) - MULQ 232(SP) + MOVQ AX,0(SP) + MULQ 176(SP) MOVQ AX,SI MOVQ DX,CX MOVQ 112(DI),DX IMUL3Q $19,DX,AX - MOVQ AX,64(SP) - MULQ 224(SP) + MOVQ AX,8(SP) + MULQ 168(SP) ADDQ AX,SI ADCQ DX,CX MOVQ 80(DI),AX - MULQ 216(SP) + MULQ 160(SP) ADDQ AX,SI ADCQ DX,CX MOVQ 80(DI),AX - MULQ 224(SP) + MULQ 168(SP) MOVQ AX,R8 MOVQ DX,R9 MOVQ 80(DI),AX - MULQ 232(SP) + MULQ 176(SP) MOVQ AX,R10 MOVQ DX,R11 MOVQ 80(DI),AX - MULQ 240(SP) + MULQ 184(SP) MOVQ AX,R12 MOVQ DX,R13 MOVQ 80(DI),AX - MULQ 248(SP) + MULQ 192(SP) MOVQ AX,R14 MOVQ DX,R15 MOVQ 88(DI),AX - MULQ 216(SP) + MULQ 160(SP) ADDQ AX,R8 ADCQ DX,R9 MOVQ 88(DI),AX - MULQ 224(SP) + MULQ 168(SP) ADDQ AX,R10 ADCQ DX,R11 MOVQ 88(DI),AX - MULQ 232(SP) + MULQ 176(SP) ADDQ AX,R12 ADCQ DX,R13 MOVQ 88(DI),AX - MULQ 240(SP) + MULQ 184(SP) ADDQ AX,R14 ADCQ DX,R15 MOVQ 88(DI),DX IMUL3Q $19,DX,AX - MULQ 248(SP) + MULQ 192(SP) ADDQ AX,SI ADCQ DX,CX MOVQ 96(DI),AX - MULQ 216(SP) + MULQ 160(SP) ADDQ AX,R10 ADCQ DX,R11 MOVQ 96(DI),AX - MULQ 224(SP) + MULQ 168(SP) ADDQ AX,R12 ADCQ DX,R13 MOVQ 96(DI),AX - MULQ 232(SP) + MULQ 176(SP) ADDQ AX,R14 ADCQ DX,R15 MOVQ 96(DI),DX IMUL3Q $19,DX,AX - MULQ 240(SP) + MULQ 184(SP) ADDQ AX,SI ADCQ DX,CX MOVQ 96(DI),DX IMUL3Q $19,DX,AX - MULQ 248(SP) + MULQ 192(SP) ADDQ AX,R8 ADCQ DX,R9 MOVQ 104(DI),AX - MULQ 216(SP) + MULQ 160(SP) ADDQ AX,R12 ADCQ DX,R13 MOVQ 104(DI),AX - MULQ 224(SP) + MULQ 168(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 56(SP),AX - MULQ 240(SP) + MOVQ 0(SP),AX + MULQ 184(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 56(SP),AX - MULQ 248(SP) + MOVQ 0(SP),AX + MULQ 192(SP) ADDQ AX,R10 ADCQ DX,R11 MOVQ 112(DI),AX - MULQ 216(SP) + MULQ 160(SP) ADDQ AX,R14 ADCQ DX,R15 - MOVQ 64(SP),AX - MULQ 232(SP) + MOVQ 8(SP),AX + MULQ 176(SP) ADDQ AX,R8 ADCQ DX,R9 - MOVQ 64(SP),AX - MULQ 240(SP) + MOVQ 8(SP),AX + MULQ 184(SP) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 64(SP),AX - MULQ 248(SP) + MOVQ 8(SP),AX + MULQ 192(SP) ADDQ AX,R12 ADCQ DX,R13 - MOVQ ·REDMASK51(SB),DX + MOVQ $REDMASK51,DX SHLQ $13,CX:SI ANDQ DX,SI SHLQ $13,R9:R8 @@ -1385,14 +1374,4 @@ TEXT ·ladderstep(SB),0,$384-8 MOVQ R9,96(DI) MOVQ AX,104(DI) MOVQ R10,112(DI) - MOVQ 0(SP),R11 - MOVQ 8(SP),R12 - MOVQ 16(SP),R13 - MOVQ 24(SP),R14 - MOVQ 32(SP),R15 - MOVQ 40(SP),BX - MOVQ 48(SP),BP - MOVQ R11,SP - MOVQ DI,AX - MOVQ SI,DX RET diff --git a/vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s index e48d183ee..5ce80a2e5 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s @@ -3,40 +3,28 @@ // license that can be found in the LICENSE file. // This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html // +build amd64,!gccgo,!appengine +#include "const_amd64.h" + // func mul(dest, a, b *[5]uint64) -TEXT ·mul(SB),0,$128-24 +TEXT ·mul(SB),0,$16-24 MOVQ dest+0(FP), DI MOVQ a+8(FP), SI MOVQ b+16(FP), DX - MOVQ SP,R11 - MOVQ $31,CX - NOTQ CX - ANDQ CX,SP - ADDQ $32,SP - - MOVQ R11,0(SP) - MOVQ R12,8(SP) - MOVQ R13,16(SP) - MOVQ R14,24(SP) - MOVQ R15,32(SP) - MOVQ BX,40(SP) - MOVQ BP,48(SP) - MOVQ DI,56(SP) MOVQ DX,CX MOVQ 24(SI),DX IMUL3Q $19,DX,AX - MOVQ AX,64(SP) + MOVQ AX,0(SP) MULQ 16(CX) MOVQ AX,R8 MOVQ DX,R9 MOVQ 32(SI),DX IMUL3Q $19,DX,AX - MOVQ AX,72(SP) + MOVQ AX,8(SP) MULQ 8(CX) ADDQ AX,R8 ADCQ DX,R9 @@ -111,11 +99,11 @@ TEXT ·mul(SB),0,$128-24 MULQ 8(CX) ADDQ AX,BX ADCQ DX,BP - MOVQ 64(SP),AX + MOVQ 0(SP),AX MULQ 24(CX) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 64(SP),AX + MOVQ 0(SP),AX MULQ 32(CX) ADDQ AX,R12 ADCQ DX,R13 @@ -123,19 +111,19 @@ TEXT ·mul(SB),0,$128-24 MULQ 0(CX) ADDQ AX,BX ADCQ DX,BP - MOVQ 72(SP),AX + MOVQ 8(SP),AX MULQ 16(CX) ADDQ AX,R10 ADCQ DX,R11 - MOVQ 72(SP),AX + MOVQ 8(SP),AX MULQ 24(CX) ADDQ AX,R12 ADCQ DX,R13 - MOVQ 72(SP),AX + MOVQ 8(SP),AX MULQ 32(CX) ADDQ AX,R14 ADCQ DX,R15 - MOVQ ·REDMASK51(SB),SI + MOVQ $REDMASK51,SI SHLQ $13,R9:R8 ANDQ SI,R8 SHLQ $13,R11:R10 @@ -178,14 +166,4 @@ TEXT ·mul(SB),0,$128-24 MOVQ R9,16(DI) MOVQ AX,24(DI) MOVQ R10,32(DI) - MOVQ 0(SP),R11 - MOVQ 8(SP),R12 - MOVQ 16(SP),R13 - MOVQ 24(SP),R14 - MOVQ 32(SP),R15 - MOVQ 40(SP),BX - MOVQ 48(SP),BP - MOVQ R11,SP - MOVQ DI,AX - MOVQ SI,DX RET diff --git a/vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s b/vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s index 78d1a50dd..12f73734f 100644 --- a/vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s +++ b/vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s @@ -3,28 +3,17 @@ // license that can be found in the LICENSE file. // This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html +// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html // +build amd64,!gccgo,!appengine +#include "const_amd64.h" + // func square(out, in *[5]uint64) -TEXT ·square(SB),7,$96-16 +TEXT ·square(SB),7,$0-16 MOVQ out+0(FP), DI MOVQ in+8(FP), SI - MOVQ SP,R11 - MOVQ $31,CX - NOTQ CX - ANDQ CX,SP - ADDQ $32, SP - - MOVQ R11,0(SP) - MOVQ R12,8(SP) - MOVQ R13,16(SP) - MOVQ R14,24(SP) - MOVQ R15,32(SP) - MOVQ BX,40(SP) - MOVQ BP,48(SP) MOVQ 0(SI),AX MULQ 0(SI) MOVQ AX,CX @@ -97,7 +86,7 @@ TEXT ·square(SB),7,$96-16 MULQ 32(SI) ADDQ AX,R13 ADCQ DX,R14 - MOVQ ·REDMASK51(SB),SI + MOVQ $REDMASK51,SI SHLQ $13,R8:CX ANDQ SI,CX SHLQ $13,R10:R9 @@ -140,14 +129,4 @@ TEXT ·square(SB),7,$96-16 MOVQ R9,16(DI) MOVQ AX,24(DI) MOVQ R10,32(DI) - MOVQ 0(SP),R11 - MOVQ 8(SP),R12 - MOVQ 16(SP),R13 - MOVQ 24(SP),R14 - MOVQ 32(SP),R15 - MOVQ 40(SP),BX - MOVQ 48(SP),BP - MOVQ R11,SP - MOVQ DI,AX - MOVQ SI,DX RET diff --git a/vendor/github.com/keybase/go-crypto/ed25519/ed25519.go b/vendor/github.com/keybase/go-crypto/ed25519/ed25519.go index 9c7a88807..5ba434b83 100644 --- a/vendor/github.com/keybase/go-crypto/ed25519/ed25519.go +++ b/vendor/github.com/keybase/go-crypto/ed25519/ed25519.go @@ -3,20 +3,23 @@ // license that can be found in the LICENSE file. // Package ed25519 implements the Ed25519 signature algorithm. See -// http://ed25519.cr.yp.to/. +// https://ed25519.cr.yp.to/. // // These functions are also compatible with the “Ed25519” function defined in -// https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05. +// RFC 8032. However, unlike RFC 8032's formulation, this package's private key +// representation includes a public key suffix to make multiple signing +// operations with the same key more efficient. This package refers to the RFC +// 8032 private key as the “seed”. package ed25519 // This code is a port of the public domain, “ref10” implementation of ed25519 // from SUPERCOP. import ( + "bytes" "crypto" cryptorand "crypto/rand" "crypto/sha512" - "crypto/subtle" "errors" "io" "strconv" @@ -31,6 +34,8 @@ const ( PrivateKeySize = 64 // SignatureSize is the size, in bytes, of signatures generated and verified by this package. SignatureSize = 64 + // SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032. + SeedSize = 32 ) // PublicKey is the type of Ed25519 public keys. @@ -46,6 +51,15 @@ func (priv PrivateKey) Public() crypto.PublicKey { return PublicKey(publicKey) } +// Seed returns the private key seed corresponding to priv. It is provided for +// interoperability with RFC 8032. RFC 8032's private keys correspond to seeds +// in this package. +func (priv PrivateKey) Seed() []byte { + seed := make([]byte, SeedSize) + copy(seed, priv[:32]) + return seed +} + // Sign signs the given message with priv. // Ed25519 performs two passes over messages to be signed and therefore cannot // handle pre-hashed messages. Thus opts.HashFunc() must return zero to @@ -61,19 +75,33 @@ func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOp // GenerateKey generates a public/private key pair using entropy from rand. // If rand is nil, crypto/rand.Reader will be used. -func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) { +func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) { if rand == nil { rand = cryptorand.Reader } - privateKey = make([]byte, PrivateKeySize) - publicKey = make([]byte, PublicKeySize) - _, err = io.ReadFull(rand, privateKey[:32]) - if err != nil { + seed := make([]byte, SeedSize) + if _, err := io.ReadFull(rand, seed); err != nil { return nil, nil, err } - digest := sha512.Sum512(privateKey[:32]) + privateKey := NewKeyFromSeed(seed) + publicKey := make([]byte, PublicKeySize) + copy(publicKey, privateKey[32:]) + + return publicKey, privateKey, nil +} + +// NewKeyFromSeed calculates a private key from a seed. It will panic if +// len(seed) is not SeedSize. This function is provided for interoperability +// with RFC 8032. RFC 8032's private keys correspond to seeds in this +// package. +func NewKeyFromSeed(seed []byte) PrivateKey { + if l := len(seed); l != SeedSize { + panic("ed25519: bad seed length: " + strconv.Itoa(l)) + } + + digest := sha512.Sum512(seed) digest[0] &= 248 digest[31] &= 127 digest[31] |= 64 @@ -85,10 +113,11 @@ func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, er var publicKeyBytes [32]byte A.ToBytes(&publicKeyBytes) + privateKey := make([]byte, PrivateKeySize) + copy(privateKey, seed) copy(privateKey[32:], publicKeyBytes[:]) - copy(publicKey, publicKeyBytes[:]) - return publicKey, privateKey, nil + return privateKey } // Sign signs the message with privateKey and returns a signature. It will @@ -171,11 +200,18 @@ func Verify(publicKey PublicKey, message, sig []byte) bool { edwards25519.ScReduce(&hReduced, &digest) var R edwards25519.ProjectiveGroupElement - var b [32]byte - copy(b[:], sig[32:]) - edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b) + var s [32]byte + copy(s[:], sig[32:]) + + // https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in + // the range [0, order) in order to prevent signature malleability. + if !edwards25519.ScMinimal(&s) { + return false + } + + edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &s) var checkR [32]byte R.ToBytes(&checkR) - return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1 + return bytes.Equal(sig[:32], checkR[:]) } diff --git a/vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go b/vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go index 5f8b99478..fd03c252a 100644 --- a/vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go +++ b/vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go @@ -4,6 +4,8 @@ package edwards25519 +import "encoding/binary" + // This code is a port of the public domain, “ref10” implementation of ed25519 // from SUPERCOP. @@ -1769,3 +1771,23 @@ func ScReduce(out *[32]byte, s *[64]byte) { out[30] = byte(s11 >> 9) out[31] = byte(s11 >> 17) } + +// order is the order of Curve25519 in little-endian form. +var order = [4]uint64{0x5812631a5cf5d3ed, 0x14def9dea2f79cd6, 0, 0x1000000000000000} + +// ScMinimal returns true if the given scalar is less than the order of the +// curve. +func ScMinimal(scalar *[32]byte) bool { + for i := 3; ; i-- { + v := binary.LittleEndian.Uint64(scalar[i*8:]) + if v > order[i] { + return false + } else if v < order[i] { + break + } else if i == 0 { + return false + } + } + + return true +} diff --git a/vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go b/vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go index 9513a0905..287174039 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go @@ -10,6 +10,7 @@ import ( "bufio" "bytes" "encoding/base64" + "fmt" "io" "strings" "unicode" @@ -89,50 +90,114 @@ func (l *lineReader) Read(p []byte) (n int, err error) { return } - line, _, err := l.in.ReadLine() + line, isPrefix, err := l.in.ReadLine() if err != nil { return } + // Entry-level cleanup, just trim spaces. line = bytes.TrimFunc(line, ourIsSpace) - if len(line) == 5 && line[0] == '=' { - // This is the checksum line + lineWithChecksum := false + foldedChecksum := false + if !isPrefix && len(line) >= 5 && line[len(line)-5] == '=' && line[len(line)-4] != '=' { + // This is the checksum line. Checksum should appear on separate line, + // but some bundles don't have a newline between main payload and the + // checksum, and we try to support that. + + // `=` is not a base64 character with the exception of padding, and the + // padding can only be 2 characters long at most ("=="), so we can + // safely assume that 5 characters starting with `=` at the end of the + // line can't be a valid ending of a base64 stream. In other words, `=` + // at position len-5 in base64 stream can never be a valid part of that + // stream. + + // Checksum can never appear if isPrefix is true - that is, when + // ReadLine returned non-final part of some line because it was longer + // than its buffer. + + if l.crc != nil { + // Error out early if there are multiple checksums. + return 0, ArmorCorrupt + } + var expectedBytes [3]byte var m int - m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:]) - if m != 3 || err != nil { - return + m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[len(line)-4:]) + if err != nil { + return 0, fmt.Errorf("error decoding CRC: %s", err.Error()) + } else if m != 3 { + return 0, fmt.Errorf("error decoding CRC: wrong size CRC") } + crc := uint32(expectedBytes[0])<<16 | uint32(expectedBytes[1])<<8 | uint32(expectedBytes[2]) l.crc = &crc + line = line[:len(line)-5] + + lineWithChecksum = true + + // If we've found a checksum but there is still data left, we don't + // want to enter the "looking for armor end" loop, we still need to + // return the leftover data to the reader. + foldedChecksum = len(line) > 0 + + // At this point, `line` contains leftover data or "" (if checksum + // was on separate line.) + } + + expectArmorEnd := false + if l.crc != nil && !foldedChecksum { + // "looking for armor end" loop + + // We have a checksum, and we are now reading what comes afterwards. + // Skip all empty lines until we see something and we except it to be + // ArmorEnd at this point. + + // This loop is not entered if there is more data *before* the CRC + // suffix (if the CRC is not on separate line). for { - line, _, err = l.in.ReadLine() - if err != nil && err != io.EOF { - return - } if len(strings.TrimSpace(string(line))) > 0 { break } + lineWithChecksum = false + line, _, err = l.in.ReadLine() + if err == io.EOF { + break + } + if err != nil { + return + } } - if !bytes.HasPrefix(line, armorEnd) { - return 0, ArmorCorrupt - } - - l.eof = true - return 0, io.EOF + expectArmorEnd = true } if bytes.HasPrefix(line, armorEnd) { - // Unexpected ending, there was no checksum. + if lineWithChecksum { + // ArmorEnd and checksum at the same line? + return 0, ArmorCorrupt + } l.eof = true - l.crc = nil return 0, io.EOF + } else if expectArmorEnd { + // We wanted armorEnd but didn't see one. + return 0, ArmorCorrupt } + // Clean-up line from whitespace to pass it further (to base64 + // decoder). This is done after test for CRC and test for + // armorEnd. Keys that have whitespace in CRC will have CRC + // treated as part of the payload and probably fail in base64 + // reading. + line = bytes.Map(func(r rune) rune { + if ourIsSpace(r) { + return -1 + } + return r + }, line) + n = copy(p, line) bytesToSave := len(line) - n if bytesToSave > 0 { diff --git a/vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go b/vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go index 64c18d0b3..1a87b2757 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go @@ -280,3 +280,37 @@ func Unmarshal(curve elliptic.Curve, data []byte) (x, y *big.Int) { return elliptic.Unmarshal(curve, data) } + +func GenerateKey(curve elliptic.Curve, random io.Reader) (priv *PrivateKey, err error) { + var privBytes []byte + var Vx, Vy *big.Int + + if _, ok := curve25519.ToCurve25519(curve); ok { + privBytes = make([]byte, 32) + _, err = io.ReadFull(random, privBytes) + if err != nil { + return nil, err + } + + // NOTE: PGP expect scalars in reverse order than Curve 25519 + // go library. That's why this trimming is backwards compared + // to curve25519.go + privBytes[31] &= 248 + privBytes[0] &= 127 + privBytes[0] |= 64 + + Vx,Vy = curve.ScalarBaseMult(privBytes) + } else { + privBytes, Vx, Vy, err = elliptic.GenerateKey(curve, random) + if err != nil { + return nil, err + } + } + + priv = &PrivateKey{} + priv.X = new(big.Int).SetBytes(privBytes) + priv.PublicKey.Curve = curve + priv.PublicKey.X = Vx + priv.PublicKey.Y = Vy + return priv, nil +} diff --git a/vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go b/vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go index d48c6c9b6..855fa89c1 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go @@ -70,3 +70,11 @@ type UnknownPacketTypeError uint8 func (upte UnknownPacketTypeError) Error() string { return "openpgp: unknown packet type: " + strconv.Itoa(int(upte)) } + +// DeprecatedKeyError indicates that the key was read and verified +// properly, but uses a deprecated algorithm and can't be used. +type DeprecatedKeyError string + +func (d DeprecatedKeyError) Error() string { + return "openpgp: key is deprecated: " + string(d) +} diff --git a/vendor/github.com/keybase/go-crypto/openpgp/keys.go b/vendor/github.com/keybase/go-crypto/openpgp/keys.go index e1a458879..b30315c44 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/keys.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/keys.go @@ -118,7 +118,8 @@ func (e *Entity) primaryIdentity() *Identity { func (e *Entity) encryptionKey(now time.Time) (Key, bool) { candidateSubkey := -1 - // Iterate the keys to find the newest key + // Iterate the keys to find the newest, non-revoked key that can + // encrypt. var maxTime time.Time for i, subkey := range e.Subkeys { @@ -172,13 +173,18 @@ func (e *Entity) encryptionKey(now time.Time) (Key, bool) { func (e *Entity) signingKey(now time.Time) (Key, bool) { candidateSubkey := -1 + // Iterate the keys to find the newest, non-revoked key that can + // sign. + var maxTime time.Time for i, subkey := range e.Subkeys { if (!subkey.Sig.FlagsValid || subkey.Sig.FlagSign) && subkey.PrivateKey.PrivateKey != nil && subkey.PublicKey.PubKeyAlgo.CanSign() && + !subkey.Sig.KeyExpired(now) && subkey.Revocation == nil && - !subkey.Sig.KeyExpired(now) { + (maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) { candidateSubkey = i + maxTime = subkey.Sig.CreationTime break } } @@ -504,7 +510,7 @@ EachPacket: // Only register an identity once we've gotten a valid self-signature. // It's possible therefore for us to throw away `current` in the case // no valid self-signatures were found. That's OK as long as there are - // other identies that make sense. + // other identities that make sense. // // NOTE! We might later see a revocation for this very same UID, and it // won't be undone. We've preserved this feature from the original @@ -645,6 +651,15 @@ func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *p } } } + + if subKey.Sig != nil { + if err := subKey.PublicKey.ErrorIfDeprecated(); err != nil { + // Key passed signature check but is deprecated. + subKey.Sig = nil + lastErr = err + } + } + if subKey.Sig != nil { e.Subkeys = append(e.Subkeys, subKey) } else { @@ -690,7 +705,7 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err } isPrimaryId := true e.Identities[uid.Id] = &Identity{ - Name: uid.Name, + Name: uid.Id, UserId: uid, SelfSignature: &packet.Signature{ CreationTime: currentTime, @@ -705,6 +720,17 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err }, } + // If the user passes in a DefaultHash via packet.Config, set the + // PreferredHash for the SelfSignature. + if config != nil && config.DefaultHash != 0 { + e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)} + } + + // Likewise for DefaultCipher. + if config != nil && config.DefaultCipher != 0 { + e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)} + } + e.Subkeys = make([]Subkey, 1) e.Subkeys[0] = Subkey{ PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey), @@ -756,10 +782,16 @@ func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error if err != nil { return } - // Workaround shortcoming of SignKey(), which doesn't work to reverse-sign - // sub-signing keys. So if requested, just reuse the signatures already - // available to us (if we read this key from a keyring). if e.PrivateKey.PrivateKey != nil && !config.ReuseSignatures() { + // If not reusing existing signatures, sign subkey using private key + // (subkey binding), but also sign primary key using subkey (primary + // key binding) if subkey is used for signing. + if subkey.Sig.FlagSign { + err = subkey.Sig.CrossSignKey(e.PrimaryKey, subkey.PrivateKey, config) + if err != nil { + return err + } + } err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config) if err != nil { return diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go index 58692ec8b..2a6a04168 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go @@ -83,6 +83,10 @@ func checksumKeyMaterial(key []byte) uint16 { // private key must have been decrypted first. // If config is nil, sensible defaults will be used. func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { + if priv == nil || priv.PrivateKey == nil { + return errors.InvalidArgumentError("attempting to decrypt with nil PrivateKey") + } + var err error var b []byte @@ -90,7 +94,8 @@ func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { // padding oracle attacks. switch priv.PubKeyAlgo { case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: - b, err = rsa.DecryptPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), e.encryptedMPI1.bytes) + k := priv.PrivateKey.(*rsa.PrivateKey) + b, err = rsa.DecryptPKCS1v15(config.Random(), k, padToKeySize(&k.PublicKey, e.encryptedMPI1.bytes)) case PubKeyAlgoElGamal: c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes) c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes) diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go index 48854436f..eb61eda94 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go @@ -17,6 +17,7 @@ import ( "github.com/keybase/go-crypto/cast5" "github.com/keybase/go-crypto/openpgp/errors" + "github.com/keybase/go-crypto/rsa" ) // readFull is the same as io.ReadFull except that reading zero bytes returns @@ -413,10 +414,12 @@ const ( PubKeyAlgoElGamal PublicKeyAlgorithm = 16 PubKeyAlgoDSA PublicKeyAlgorithm = 17 // RFC 6637, Section 5. - PubKeyAlgoECDH PublicKeyAlgorithm = 18 - PubKeyAlgoECDSA PublicKeyAlgorithm = 19 + PubKeyAlgoECDH PublicKeyAlgorithm = 18 + PubKeyAlgoECDSA PublicKeyAlgorithm = 19 + + PubKeyAlgoBadElGamal PublicKeyAlgorithm = 20 // Reserved (deprecated, formerly ElGamal Encrypt or Sign) // RFC -1 - PubKeyAlgoEdDSA PublicKeyAlgorithm = 22 + PubKeyAlgoEdDSA PublicKeyAlgorithm = 22 ) // CanEncrypt returns true if it's possible to encrypt a message to a public @@ -507,19 +510,17 @@ func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) { numBytes := (int(bitLength) + 7) / 8 mpi = make([]byte, numBytes) _, err = readFull(r, mpi) - return -} - -// mpiLength returns the length of the given *big.Int when serialized as an -// MPI. -func mpiLength(n *big.Int) (mpiLengthInBytes int) { - mpiLengthInBytes = 2 /* MPI length */ - mpiLengthInBytes += (n.BitLen() + 7) / 8 + // According to RFC 4880 3.2. we should check that the MPI has no leading + // zeroes (at least when not an encrypted MPI?), but this implementation + // does generate leading zeroes, so we keep accepting them. return } // writeMPI serializes a big integer to w. func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) { + // Note that we can produce leading zeroes, in violation of RFC 4880 3.2. + // Implementations seem to be tolerant of them, and stripping them would + // make it complex to guarantee matching re-serialization. _, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)}) if err == nil { _, err = w.Write(mpiBytes) @@ -551,6 +552,18 @@ func writeBig(w io.Writer, i *big.Int) error { return writeMPI(w, uint16(i.BitLen()), i.Bytes()) } +// padToKeySize left-pads a MPI with zeroes to match the length of the +// specified RSA public. +func padToKeySize(pub *rsa.PublicKey, b []byte) []byte { + k := (pub.N.BitLen() + 7) / 8 + if len(b) >= k { + return b + } + bb := make([]byte, k) + copy(bb[len(bb)-len(b):], b) + return bb +} + // CompressionAlgo Represents the different compression algorithms // supported by OpenPGP (except for BZIP2, which is not currently // supported). See Section 9.3 of RFC 4880. diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go index 27974e782..7388ead80 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go @@ -44,6 +44,10 @@ type EdDSAPrivateKey struct { seed parsedMPI } +func (e *EdDSAPrivateKey) Seed() []byte { + return e.seed.bytes +} + func (e *EdDSAPrivateKey) Sign(digest []byte) (R, S []byte, err error) { r := bytes.NewReader(e.seed.bytes) publicKey, privateKey, err := ed25519.GenerateKey(r) @@ -89,6 +93,13 @@ func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateK return pk } +func NewECDHPrivateKey(currentTime time.Time, priv *ecdh.PrivateKey) *PrivateKey { + pk := new(PrivateKey) + pk.PublicKey = *NewECDHPublicKey(currentTime, &priv.PublicKey) + pk.PrivateKey = priv + return pk +} + func (pk *PrivateKey) parse(r io.Reader) (err error) { err = (&pk.PublicKey).parse(r) if err != nil { @@ -415,8 +426,11 @@ func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) { return pk.parseECDHPrivateKey(data) case PubKeyAlgoEdDSA: return pk.parseEdDSAPrivateKey(data) + case PubKeyAlgoBadElGamal: + return errors.UnsupportedError("parsing el-gamal sign-or-encrypt privatekeys is unsupported") + default: + return errors.UnsupportedError("cannot parse this private key type") } - panic("impossible") } func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) { diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go index f9760177e..372a183cb 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go @@ -27,10 +27,13 @@ import ( "github.com/keybase/go-crypto/openpgp/ecdh" "github.com/keybase/go-crypto/openpgp/elgamal" "github.com/keybase/go-crypto/openpgp/errors" + "github.com/keybase/go-crypto/openpgp/s2k" "github.com/keybase/go-crypto/rsa" ) var ( + // NIST curve P-224 + oidCurveP224 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x21} // NIST curve P-256 oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07} // NIST curve P-384 @@ -128,6 +131,8 @@ func (f *ecdsaKey) serialize(w io.Writer) (err error) { func getCurveByOid(oid []byte) elliptic.Curve { switch { + case bytes.Equal(oid, oidCurveP224): + return elliptic.P224() case bytes.Equal(oid, oidCurveP256): return elliptic.P256() case bytes.Equal(oid, oidCurveP384): @@ -324,6 +329,30 @@ func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *Public return pk } +func getCurveOid(curve elliptic.Curve) (res []byte, err error) { + switch curve { + case elliptic.P224(): + res = oidCurveP224 + case elliptic.P256(): + res = oidCurveP256 + case elliptic.P384(): + res = oidCurveP384 + case elliptic.P521(): + res = oidCurveP521 + case brainpool.P256r1(): + res = oidCurveP256r1 + case brainpool.P384r1(): + res = oidCurveP384r1 + case brainpool.P512r1(): + res = oidCurveP512r1 + case curve25519.Cv25519(): + res = oidCurve25519 + default: + err = errors.UnsupportedError("unknown curve") + } + return +} + func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey { pk := &PublicKey{ CreationTime: creationTime, @@ -331,22 +360,34 @@ func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey PublicKey: pub, ec: new(ecdsaKey), } - switch pub.Curve { - case elliptic.P256(): - pk.ec.oid = oidCurveP256 - case elliptic.P384(): - pk.ec.oid = oidCurveP384 - case elliptic.P521(): - pk.ec.oid = oidCurveP521 - case brainpool.P256r1(): - pk.ec.oid = oidCurveP256r1 - case brainpool.P384r1(): - pk.ec.oid = oidCurveP384r1 - case brainpool.P512r1(): - pk.ec.oid = oidCurveP512r1 + oid, _ := getCurveOid(pub.Curve) + pk.ec.oid = oid + bs, bitLen := ecdh.Marshal(pub.Curve, pub.X, pub.Y) + pk.ec.p.bytes = bs + pk.ec.p.bitLength = uint16(bitLen) + + pk.setFingerPrintAndKeyId() + return pk +} + +func NewECDHPublicKey(creationTime time.Time, pub *ecdh.PublicKey) *PublicKey { + pk := &PublicKey{ + CreationTime: creationTime, + PubKeyAlgo: PubKeyAlgoECDH, + PublicKey: pub, + ec: new(ecdsaKey), + } + oid, _ := getCurveOid(pub.Curve) + pk.ec.oid = oid + bs, bitLen := ecdh.Marshal(pub.Curve, pub.X, pub.Y) + pk.ec.p.bytes = bs + pk.ec.p.bitLength = uint16(bitLen) + + hashbyte, _ := s2k.HashToHashId(crypto.SHA512) + pk.ecdh = &ecdhKdf{ + KdfHash: kdfHashFunction(hashbyte), + KdfAlgo: kdfAlgorithm(CipherAES256), } - pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) - pk.ec.p.bitLength = uint16(8 * len(pk.ec.p.bytes)) pk.setFingerPrintAndKeyId() return pk @@ -377,6 +418,9 @@ func (pk *PublicKey) parse(r io.Reader) (err error) { return err } err = pk.edk.check() + if err == nil { + pk.PublicKey = ed25519.PublicKey(pk.edk.p.bytes[1:]) + } case PubKeyAlgoECDSA: pk.ec = new(ecdsaKey) if err = pk.ec.parse(r); err != nil { @@ -393,6 +437,14 @@ func (pk *PublicKey) parse(r io.Reader) (err error) { return } pk.PublicKey, err = pk.ec.newECDH() + case PubKeyAlgoBadElGamal: + // Key has ElGamal format but nil-implementation - it will + // load but it's not possible to do any operations using this + // key. + err = pk.parseElGamal(r) + if err != nil { + pk.PublicKey = nil + } default: err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo))) } @@ -433,6 +485,8 @@ func (pk *PublicKey) parseRSA(r io.Reader) (err error) { N: new(big.Int).SetBytes(pk.n.bytes), E: 0, } + // Warning: incompatibility with crypto/rsa: keybase fork uses + // int64 public exponents instead of int32. for i := 0; i < len(pk.e.bytes); i++ { rsa.E <<= 8 rsa.E |= int64(pk.e.bytes[i]) @@ -508,7 +562,7 @@ func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) { pLength += 2 + uint16(len(pk.q.bytes)) pLength += 2 + uint16(len(pk.g.bytes)) pLength += 2 + uint16(len(pk.y.bytes)) - case PubKeyAlgoElGamal: + case PubKeyAlgoElGamal, PubKeyAlgoBadElGamal: pLength += 2 + uint16(len(pk.p.bytes)) pLength += 2 + uint16(len(pk.g.bytes)) pLength += 2 + uint16(len(pk.y.bytes)) @@ -539,7 +593,7 @@ func (pk *PublicKey) Serialize(w io.Writer) (err error) { length += 2 + len(pk.q.bytes) length += 2 + len(pk.g.bytes) length += 2 + len(pk.y.bytes) - case PubKeyAlgoElGamal: + case PubKeyAlgoElGamal, PubKeyAlgoBadElGamal: length += 2 + len(pk.p.bytes) length += 2 + len(pk.g.bytes) length += 2 + len(pk.y.bytes) @@ -587,7 +641,7 @@ func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) { return writeMPIs(w, pk.n, pk.e) case PubKeyAlgoDSA: return writeMPIs(w, pk.p, pk.q, pk.g, pk.y) - case PubKeyAlgoElGamal: + case PubKeyAlgoElGamal, PubKeyAlgoBadElGamal: return writeMPIs(w, pk.p, pk.g, pk.y) case PubKeyAlgoECDSA: return pk.ec.serialize(w) @@ -637,7 +691,7 @@ func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err erro switch pk.PubKeyAlgo { case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey) - err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes) + err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)) if err != nil { return errors.SignatureError("RSA verification failure") } @@ -694,7 +748,7 @@ func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err switch pk.PubKeyAlgo { case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: rsaPublicKey := pk.PublicKey.(*rsa.PublicKey) - if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil { + if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)); err != nil { return errors.SignatureError("RSA verification failure") } return @@ -910,7 +964,7 @@ func (pk *PublicKey) BitLength() (bitLength uint16, err error) { bitLength = pk.n.bitLength case PubKeyAlgoDSA: bitLength = pk.p.bitLength - case PubKeyAlgoElGamal: + case PubKeyAlgoElGamal, PubKeyAlgoBadElGamal: bitLength = pk.p.bitLength case PubKeyAlgoECDH: ecdhPublicKey := pk.PublicKey.(*ecdh.PublicKey) @@ -928,3 +982,12 @@ func (pk *PublicKey) BitLength() (bitLength uint16, err error) { } return } + +func (pk *PublicKey) ErrorIfDeprecated() error { + switch pk.PubKeyAlgo { + case PubKeyAlgoBadElGamal: + return errors.DeprecatedKeyError("ElGamal Encrypt or Sign (algo 20) is deprecated") + default: + return nil + } +} diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go index 52474677b..f75cbeabc 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go @@ -105,6 +105,8 @@ func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) { return } rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)} + // Warning: incompatibility with crypto/rsa: keybase fork uses + // int64 public exponents instead of int32. for i := 0; i < len(pk.e.bytes); i++ { rsa.E <<= 8 rsa.E |= int64(pk.e.bytes[i]) diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go index 46224ad66..383a8a6a3 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go @@ -10,6 +10,7 @@ import ( "crypto/dsa" "crypto/ecdsa" "encoding/binary" + "fmt" "hash" "io" "strconv" @@ -384,18 +385,20 @@ func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (r err = errors.StructuralError("empty key flags subpacket") return } - sig.FlagsValid = true - if subpacket[0]&KeyFlagCertify != 0 { - sig.FlagCertify = true - } - if subpacket[0]&KeyFlagSign != 0 { - sig.FlagSign = true - } - if subpacket[0]&KeyFlagEncryptCommunications != 0 { - sig.FlagEncryptCommunications = true - } - if subpacket[0]&KeyFlagEncryptStorage != 0 { - sig.FlagEncryptStorage = true + if subpacket[0] != 0 { + sig.FlagsValid = true + if subpacket[0]&KeyFlagCertify != 0 { + sig.FlagCertify = true + } + if subpacket[0]&KeyFlagSign != 0 { + sig.FlagSign = true + } + if subpacket[0]&KeyFlagEncryptCommunications != 0 { + sig.FlagEncryptCommunications = true + } + if subpacket[0]&KeyFlagEncryptStorage != 0 { + sig.FlagEncryptStorage = true + } } case reasonForRevocationSubpacket: // Reason For Revocation, section 5.2.3.23 @@ -624,6 +627,13 @@ func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err e return } + // Parameter check, if this is wrong we will make a signature but + // not serialize it later. + if sig.PubKeyAlgo != priv.PubKeyAlgo { + err = errors.InvalidArgumentError("signature pub key algo does not match priv key") + return + } + switch priv.PubKeyAlgo { case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: sig.RSASignature.bytes, err = rsa.SignPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), sig.Hash, digest) @@ -637,26 +647,29 @@ func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err e digest = digest[:subgroupSize] } r, s, err := dsa.Sign(config.Random(), dsaPriv, digest) - if err == nil { - sig.DSASigR.bytes = r.Bytes() - sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes)) - sig.DSASigS.bytes = s.Bytes() - sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes)) + if err != nil { + return err } + sig.DSASigR.bytes = r.Bytes() + sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes)) + sig.DSASigS.bytes = s.Bytes() + sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes)) case PubKeyAlgoECDSA: r, s, err := ecdsa.Sign(config.Random(), priv.PrivateKey.(*ecdsa.PrivateKey), digest) - if err == nil { - sig.ECDSASigR = FromBig(r) - sig.ECDSASigS = FromBig(s) + if err != nil { + return err } + sig.ECDSASigR = FromBig(r) + sig.ECDSASigS = FromBig(s) case PubKeyAlgoEdDSA: r, s, err := priv.PrivateKey.(*EdDSAPrivateKey).Sign(digest) - if err == nil { - sig.EdDSASigR = FromBytes(r) - sig.EdDSASigS = FromBytes(s) + if err != nil { + return err } + sig.EdDSASigR = FromBytes(r) + sig.EdDSASigS = FromBytes(s) default: - err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo))) + err = errors.UnsupportedError("public key algorithm for signing: " + strconv.Itoa(int(priv.PubKeyAlgo))) } return @@ -704,6 +717,28 @@ func (sig *Signature) SignKeyWithSigner(signeePubKey *PublicKey, signerPubKey *P return sig.Sign(s, nil, config) } +// CrossSignKey creates PrimaryKeyBinding signature in sig.EmbeddedSignature by +// signing `primary` key's hash using `priv` subkey private key. Primary public +// key is the `signee` here. +func (sig *Signature) CrossSignKey(primary *PublicKey, priv *PrivateKey, config *Config) error { + if len(sig.outSubpackets) > 0 { + return fmt.Errorf("outSubpackets already exists, looks like CrossSignKey was called after Sign") + } + + sig.EmbeddedSignature = &Signature{ + CreationTime: sig.CreationTime, + SigType: SigTypePrimaryKeyBinding, + PubKeyAlgo: priv.PubKeyAlgo, + Hash: sig.Hash, + } + + h, err := keySignatureHash(primary, &priv.PublicKey, sig.Hash) + if err != nil { + return err + } + return sig.EmbeddedSignature.Sign(h, priv, config) +} + // Serialize marshals sig to w. Sign, SignUserId or SignKey must have been // called first. func (sig *Signature) Serialize(w io.Writer) (err error) { @@ -832,6 +867,14 @@ func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) { subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression}) } + if sig.EmbeddedSignature != nil { + buf := bytes.NewBuffer(nil) + if err := sig.EmbeddedSignature.Serialize(buf); err == nil { + byteContent := buf.Bytes()[2:] // skip 2-byte length header + subpackets = append(subpackets, outputSubpacket{false, embeddedSignatureSubpacket, true, byteContent}) + } + } + return } diff --git a/vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go b/vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go index d2bef0ce5..b92c1d778 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go @@ -91,10 +91,10 @@ func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunc return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) } plaintextKey = plaintextKey[1:] - if l := len(plaintextKey); l == 0 || l%cipherFunc.blockSize() != 0 { - return nil, cipherFunc, errors.StructuralError("length of decrypted key not a multiple of block size") + if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() { + return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " + + "not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")") } - return plaintextKey, cipherFunc, nil } diff --git a/vendor/github.com/keybase/go-crypto/openpgp/read.go b/vendor/github.com/keybase/go-crypto/openpgp/read.go index cde27cba0..5caf7e39c 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/read.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/read.go @@ -61,6 +61,9 @@ type MessageDetails struct { Signature *packet.Signature // the signature packet itself, if v4 (default) SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature + // Does the Message include multiple signatures? Also called "nested signatures". + MultiSig bool + decrypted io.ReadCloser } @@ -158,8 +161,15 @@ FindKey: continue } if !pk.key.PrivateKey.Encrypted { + if pk.key.PrivateKey.PrivateKey == nil { + // Key is stubbed + continue + } if len(pk.encryptedKey.Key) == 0 { - pk.encryptedKey.Decrypt(pk.key.PrivateKey, config) + err := pk.encryptedKey.Decrypt(pk.key.PrivateKey, config) + if err != nil { + continue + } } if len(pk.encryptedKey.Key) == 0 { continue @@ -244,8 +254,17 @@ FindLiteralData: return nil, err } case *packet.OnePassSignature: - if !p.IsLast { - return nil, errors.UnsupportedError("nested signatures") + if md.IsSigned { + // If IsSigned is set, it means we have multiple + // OnePassSignature packets. + md.MultiSig = true + if md.SignedBy != nil { + // We've already found the signature we were looking + // for, made by key that we had in keyring and can + // check signature against. Continue with that instead + // of trying to find another. + continue FindLiteralData + } } h, wrappedHash, err = hashForSignature(p.Hash, p.SigType) @@ -329,29 +348,54 @@ func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) { n, err = scr.md.LiteralData.Body.Read(buf) scr.wrappedHash.Write(buf[:n]) if err == io.EOF { - var p packet.Packet - p, scr.md.SignatureError = scr.packets.Next() - if scr.md.SignatureError != nil { - return - } - - var ok bool - if scr.md.Signature, ok = p.(*packet.Signature); ok { - var err error - if fingerprint := scr.md.Signature.IssuerFingerprint; fingerprint != nil { - if !hmac.Equal(fingerprint, scr.md.SignedBy.PublicKey.Fingerprint[:]) { - err = errors.StructuralError("bad key fingerprint") + for { + var p packet.Packet + p, scr.md.SignatureError = scr.packets.Next() + if scr.md.SignatureError != nil { + if scr.md.MultiSig { + // If we are in MultiSig, we might have found other + // signature that cannot be verified using our key. + // Clear Signature field so it's clear for consumers + // that this message failed to verify. + scr.md.Signature = nil } + return } - if err == nil { - err = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature) + + var ok bool + if scr.md.Signature, ok = p.(*packet.Signature); ok { + var err error + if keyID := scr.md.Signature.IssuerKeyId; keyID != nil { + if *keyID != scr.md.SignedBy.PublicKey.KeyId { + if scr.md.MultiSig { + continue // try again to find a sig we can verify + } + err = errors.StructuralError("bad key id") + } + } + if fingerprint := scr.md.Signature.IssuerFingerprint; fingerprint != nil { + if !hmac.Equal(fingerprint, scr.md.SignedBy.PublicKey.Fingerprint[:]) { + if scr.md.MultiSig { + continue // try again to find a sig we can verify + } + err = errors.StructuralError("bad key fingerprint") + } + } + if err == nil { + err = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature) + } + scr.md.SignatureError = err + } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok { + scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3) + } else { + scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature") + return } - scr.md.SignatureError = err - } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok { - scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3) - } else { - scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature") - return + + // Parse only one packet by default, unless message is MultiSig. Then + // we ask for more packets after discovering non-matching signature, + // until we find one that we can verify. + break } // The SymmetricallyEncrypted packet, if any, might have an diff --git a/vendor/github.com/keybase/go-crypto/openpgp/write.go b/vendor/github.com/keybase/go-crypto/openpgp/write.go index 03b019e78..14b2f757e 100644 --- a/vendor/github.com/keybase/go-crypto/openpgp/write.go +++ b/vendor/github.com/keybase/go-crypto/openpgp/write.go @@ -458,7 +458,18 @@ func AttachedSign(out io.WriteCloser, signed Entity, hints *FileHints, return } - hasher := crypto.SHA512 + if algo := config.Compression(); algo != packet.CompressionNone { + var compConfig *packet.CompressionConfig + if config != nil { + compConfig = config.CompressionConfig + } + out, err = packet.SerializeCompressed(out, algo, compConfig) + if err != nil { + return + } + } + + hasher := config.Hash() // defaults to SHA-256 ops := &packet.OnePassSignature{ SigType: packet.SigTypeBinary, diff --git a/vendor/modules.txt b/vendor/modules.txt index daf4e7dc0..d5de9130b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -253,7 +253,7 @@ github.com/jessevdk/go-flags github.com/kballard/go-shellquote # github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd github.com/kevinburke/ssh_config -# github.com/keybase/go-crypto v0.0.0-20170605145657-00ac4db533f6 +# github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4 github.com/keybase/go-crypto/brainpool github.com/keybase/go-crypto/cast5 github.com/keybase/go-crypto/curve25519