From 04dced17f71c03d747bac91c3b2623de124f1e75 Mon Sep 17 00:00:00 2001 From: Russ Cox Date: Tue, 16 Aug 2022 10:50:02 -0400 Subject: internal/subtle: rename to internal/alias This avoids an import conflict in code that needs to import crypto/subtle as well. CL 424194 does the same for the main repo. Change-Id: Ic54cb62bbfdcf5c2cb6f15ac47075ee1c41981ad Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424175 Reviewed-by: Cherry Mui Run-TryBot: Russ Cox TryBot-Result: Gopher Robot Auto-Submit: Russ Cox --- chacha20/chacha_generic.go | 4 +-- chacha20poly1305/chacha20poly1305_amd64.go | 6 ++-- chacha20poly1305/chacha20poly1305_generic.go | 6 ++-- internal/alias/alias.go | 32 ++++++++++++++++++ internal/alias/alias_purego.go | 35 +++++++++++++++++++ internal/alias/alias_test.go | 46 +++++++++++++++++++++++++ internal/subtle/aliasing.go | 33 ------------------ internal/subtle/aliasing_purego.go | 36 -------------------- internal/subtle/aliasing_test.go | 50 ---------------------------- nacl/secretbox/secretbox.go | 6 ++-- nacl/sign/sign.go | 6 ++-- salsa20/salsa20.go | 4 +-- xts/xts.go | 6 ++-- 13 files changed, 132 insertions(+), 138 deletions(-) create mode 100644 internal/alias/alias.go create mode 100644 internal/alias/alias_purego.go create mode 100644 internal/alias/alias_test.go delete mode 100644 internal/subtle/aliasing.go delete mode 100644 internal/subtle/aliasing_purego.go delete mode 100644 internal/subtle/aliasing_test.go diff --git a/chacha20/chacha_generic.go b/chacha20/chacha_generic.go index a2ecf5c..93eb5ae 100644 --- a/chacha20/chacha_generic.go +++ b/chacha20/chacha_generic.go @@ -12,7 +12,7 @@ import ( "errors" "math/bits" - "golang.org/x/crypto/internal/subtle" + "golang.org/x/crypto/internal/alias" ) const ( @@ -189,7 +189,7 @@ func (s *Cipher) XORKeyStream(dst, src []byte) { panic("chacha20: output smaller than input") } dst = dst[:len(src)] - if subtle.InexactOverlap(dst, src) { + if alias.InexactOverlap(dst, src) { panic("chacha20: invalid buffer overlap") } diff --git a/chacha20poly1305/chacha20poly1305_amd64.go b/chacha20poly1305/chacha20poly1305_amd64.go index 25959b9..0c408c5 100644 --- a/chacha20poly1305/chacha20poly1305_amd64.go +++ b/chacha20poly1305/chacha20poly1305_amd64.go @@ -10,7 +10,7 @@ package chacha20poly1305 import ( "encoding/binary" - "golang.org/x/crypto/internal/subtle" + "golang.org/x/crypto/internal/alias" "golang.org/x/sys/cpu" ) @@ -56,7 +56,7 @@ func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) [] setupState(&state, &c.key, nonce) ret, out := sliceForAppend(dst, len(plaintext)+16) - if subtle.InexactOverlap(out, plaintext) { + if alias.InexactOverlap(out, plaintext) { panic("chacha20poly1305: invalid buffer overlap") } chacha20Poly1305Seal(out[:], state[:], plaintext, additionalData) @@ -73,7 +73,7 @@ func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ( ciphertext = ciphertext[:len(ciphertext)-16] ret, out := sliceForAppend(dst, len(ciphertext)) - if subtle.InexactOverlap(out, ciphertext) { + if alias.InexactOverlap(out, ciphertext) { panic("chacha20poly1305: invalid buffer overlap") } if !chacha20Poly1305Open(out, state[:], ciphertext, additionalData) { diff --git a/chacha20poly1305/chacha20poly1305_generic.go b/chacha20poly1305/chacha20poly1305_generic.go index 96b2fd8..6313898 100644 --- a/chacha20poly1305/chacha20poly1305_generic.go +++ b/chacha20poly1305/chacha20poly1305_generic.go @@ -8,8 +8,8 @@ import ( "encoding/binary" "golang.org/x/crypto/chacha20" + "golang.org/x/crypto/internal/alias" "golang.org/x/crypto/internal/poly1305" - "golang.org/x/crypto/internal/subtle" ) func writeWithPadding(p *poly1305.MAC, b []byte) { @@ -30,7 +30,7 @@ func writeUint64(p *poly1305.MAC, n int) { func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []byte) []byte { ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize) ciphertext, tag := out[:len(plaintext)], out[len(plaintext):] - if subtle.InexactOverlap(out, plaintext) { + if alias.InexactOverlap(out, plaintext) { panic("chacha20poly1305: invalid buffer overlap") } @@ -66,7 +66,7 @@ func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData [] writeUint64(p, len(ciphertext)) ret, out := sliceForAppend(dst, len(ciphertext)) - if subtle.InexactOverlap(out, ciphertext) { + if alias.InexactOverlap(out, ciphertext) { panic("chacha20poly1305: invalid buffer overlap") } if !p.Verify(tag) { diff --git a/internal/alias/alias.go b/internal/alias/alias.go new file mode 100644 index 0000000..69c17f8 --- /dev/null +++ b/internal/alias/alias.go @@ -0,0 +1,32 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !purego +// +build !purego + +// Package alias implements memory aliasing tests. +package alias + +import "unsafe" + +// AnyOverlap reports whether x and y share memory at any (not necessarily +// corresponding) index. The memory beyond the slice length is ignored. +func AnyOverlap(x, y []byte) bool { + return len(x) > 0 && len(y) > 0 && + uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && + uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) +} + +// InexactOverlap reports whether x and y share memory at any non-corresponding +// index. The memory beyond the slice length is ignored. Note that x and y can +// have different lengths and still not have any inexact overlap. +// +// InexactOverlap can be used to implement the requirements of the crypto/cipher +// AEAD, Block, BlockMode and Stream interfaces. +func InexactOverlap(x, y []byte) bool { + if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { + return false + } + return AnyOverlap(x, y) +} diff --git a/internal/alias/alias_purego.go b/internal/alias/alias_purego.go new file mode 100644 index 0000000..4775b0a --- /dev/null +++ b/internal/alias/alias_purego.go @@ -0,0 +1,35 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build purego +// +build purego + +// Package alias implements memory aliasing tests. +package alias + +// This is the Google App Engine standard variant based on reflect +// because the unsafe package and cgo are disallowed. + +import "reflect" + +// AnyOverlap reports whether x and y share memory at any (not necessarily +// corresponding) index. The memory beyond the slice length is ignored. +func AnyOverlap(x, y []byte) bool { + return len(x) > 0 && len(y) > 0 && + reflect.ValueOf(&x[0]).Pointer() <= reflect.ValueOf(&y[len(y)-1]).Pointer() && + reflect.ValueOf(&y[0]).Pointer() <= reflect.ValueOf(&x[len(x)-1]).Pointer() +} + +// InexactOverlap reports whether x and y share memory at any non-corresponding +// index. The memory beyond the slice length is ignored. Note that x and y can +// have different lengths and still not have any inexact overlap. +// +// InexactOverlap can be used to implement the requirements of the crypto/cipher +// AEAD, Block, BlockMode and Stream interfaces. +func InexactOverlap(x, y []byte) bool { + if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { + return false + } + return AnyOverlap(x, y) +} diff --git a/internal/alias/alias_test.go b/internal/alias/alias_test.go new file mode 100644 index 0000000..a68fb33 --- /dev/null +++ b/internal/alias/alias_test.go @@ -0,0 +1,46 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package alias + +import "testing" + +var a, b [100]byte + +var aliasingTests = []struct { + x, y []byte + anyOverlap, inexactOverlap bool +}{ + {a[:], b[:], false, false}, + {a[:], b[:0], false, false}, + {a[:], b[:50], false, false}, + {a[40:50], a[50:60], false, false}, + {a[40:50], a[60:70], false, false}, + {a[:51], a[50:], true, true}, + {a[:], a[:], true, false}, + {a[:50], a[:60], true, false}, + {a[:], nil, false, false}, + {nil, nil, false, false}, + {a[:], a[:0], false, false}, + {a[:10], a[:10:20], true, false}, + {a[:10], a[5:10:20], true, true}, +} + +func testAliasing(t *testing.T, i int, x, y []byte, anyOverlap, inexactOverlap bool) { + any := AnyOverlap(x, y) + if any != anyOverlap { + t.Errorf("%d: wrong AnyOverlap result, expected %v, got %v", i, anyOverlap, any) + } + inexact := InexactOverlap(x, y) + if inexact != inexactOverlap { + t.Errorf("%d: wrong InexactOverlap result, expected %v, got %v", i, inexactOverlap, any) + } +} + +func TestAliasing(t *testing.T) { + for i, tt := range aliasingTests { + testAliasing(t, i, tt.x, tt.y, tt.anyOverlap, tt.inexactOverlap) + testAliasing(t, i, tt.y, tt.x, tt.anyOverlap, tt.inexactOverlap) + } +} diff --git a/internal/subtle/aliasing.go b/internal/subtle/aliasing.go deleted file mode 100644 index 4fad24f..0000000 --- a/internal/subtle/aliasing.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego -// +build !purego - -// Package subtle implements functions that are often useful in cryptographic -// code but require careful thought to use correctly. -package subtle // import "golang.org/x/crypto/internal/subtle" - -import "unsafe" - -// AnyOverlap reports whether x and y share memory at any (not necessarily -// corresponding) index. The memory beyond the slice length is ignored. -func AnyOverlap(x, y []byte) bool { - return len(x) > 0 && len(y) > 0 && - uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && - uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) -} - -// InexactOverlap reports whether x and y share memory at any non-corresponding -// index. The memory beyond the slice length is ignored. Note that x and y can -// have different lengths and still not have any inexact overlap. -// -// InexactOverlap can be used to implement the requirements of the crypto/cipher -// AEAD, Block, BlockMode and Stream interfaces. -func InexactOverlap(x, y []byte) bool { - if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { - return false - } - return AnyOverlap(x, y) -} diff --git a/internal/subtle/aliasing_purego.go b/internal/subtle/aliasing_purego.go deleted file mode 100644 index 80ccbed..0000000 --- a/internal/subtle/aliasing_purego.go +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build purego -// +build purego - -// Package subtle implements functions that are often useful in cryptographic -// code but require careful thought to use correctly. -package subtle // import "golang.org/x/crypto/internal/subtle" - -// This is the Google App Engine standard variant based on reflect -// because the unsafe package and cgo are disallowed. - -import "reflect" - -// AnyOverlap reports whether x and y share memory at any (not necessarily -// corresponding) index. The memory beyond the slice length is ignored. -func AnyOverlap(x, y []byte) bool { - return len(x) > 0 && len(y) > 0 && - reflect.ValueOf(&x[0]).Pointer() <= reflect.ValueOf(&y[len(y)-1]).Pointer() && - reflect.ValueOf(&y[0]).Pointer() <= reflect.ValueOf(&x[len(x)-1]).Pointer() -} - -// InexactOverlap reports whether x and y share memory at any non-corresponding -// index. The memory beyond the slice length is ignored. Note that x and y can -// have different lengths and still not have any inexact overlap. -// -// InexactOverlap can be used to implement the requirements of the crypto/cipher -// AEAD, Block, BlockMode and Stream interfaces. -func InexactOverlap(x, y []byte) bool { - if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { - return false - } - return AnyOverlap(x, y) -} diff --git a/internal/subtle/aliasing_test.go b/internal/subtle/aliasing_test.go deleted file mode 100644 index a5b62ff..0000000 --- a/internal/subtle/aliasing_test.go +++ /dev/null @@ -1,50 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package subtle_test - -import ( - "testing" - - "golang.org/x/crypto/internal/subtle" -) - -var a, b [100]byte - -var aliasingTests = []struct { - x, y []byte - anyOverlap, inexactOverlap bool -}{ - {a[:], b[:], false, false}, - {a[:], b[:0], false, false}, - {a[:], b[:50], false, false}, - {a[40:50], a[50:60], false, false}, - {a[40:50], a[60:70], false, false}, - {a[:51], a[50:], true, true}, - {a[:], a[:], true, false}, - {a[:50], a[:60], true, false}, - {a[:], nil, false, false}, - {nil, nil, false, false}, - {a[:], a[:0], false, false}, - {a[:10], a[:10:20], true, false}, - {a[:10], a[5:10:20], true, true}, -} - -func testAliasing(t *testing.T, i int, x, y []byte, anyOverlap, inexactOverlap bool) { - any := subtle.AnyOverlap(x, y) - if any != anyOverlap { - t.Errorf("%d: wrong AnyOverlap result, expected %v, got %v", i, anyOverlap, any) - } - inexact := subtle.InexactOverlap(x, y) - if inexact != inexactOverlap { - t.Errorf("%d: wrong InexactOverlap result, expected %v, got %v", i, inexactOverlap, any) - } -} - -func TestAliasing(t *testing.T) { - for i, tt := range aliasingTests { - testAliasing(t, i, tt.x, tt.y, tt.anyOverlap, tt.inexactOverlap) - testAliasing(t, i, tt.y, tt.x, tt.anyOverlap, tt.inexactOverlap) - } -} diff --git a/nacl/secretbox/secretbox.go b/nacl/secretbox/secretbox.go index a2973e6..f3c3242 100644 --- a/nacl/secretbox/secretbox.go +++ b/nacl/secretbox/secretbox.go @@ -35,8 +35,8 @@ This package is interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html. package secretbox // import "golang.org/x/crypto/nacl/secretbox" import ( + "golang.org/x/crypto/internal/alias" "golang.org/x/crypto/internal/poly1305" - "golang.org/x/crypto/internal/subtle" "golang.org/x/crypto/salsa20/salsa" ) @@ -88,7 +88,7 @@ func Seal(out, message []byte, nonce *[24]byte, key *[32]byte) []byte { copy(poly1305Key[:], firstBlock[:]) ret, out := sliceForAppend(out, len(message)+poly1305.TagSize) - if subtle.AnyOverlap(out, message) { + if alias.AnyOverlap(out, message) { panic("nacl: invalid buffer overlap") } @@ -147,7 +147,7 @@ func Open(out, box []byte, nonce *[24]byte, key *[32]byte) ([]byte, bool) { } ret, out := sliceForAppend(out, len(box)-Overhead) - if subtle.AnyOverlap(out, box) { + if alias.AnyOverlap(out, box) { panic("nacl: invalid buffer overlap") } diff --git a/nacl/sign/sign.go b/nacl/sign/sign.go index d076270..8a6acdc 100644 --- a/nacl/sign/sign.go +++ b/nacl/sign/sign.go @@ -24,7 +24,7 @@ import ( "io" "golang.org/x/crypto/ed25519" - "golang.org/x/crypto/internal/subtle" + "golang.org/x/crypto/internal/alias" ) // Overhead is the number of bytes of overhead when signing a message. @@ -48,7 +48,7 @@ func GenerateKey(rand io.Reader) (publicKey *[32]byte, privateKey *[64]byte, err func Sign(out, message []byte, privateKey *[64]byte) []byte { sig := ed25519.Sign(ed25519.PrivateKey((*privateKey)[:]), message) ret, out := sliceForAppend(out, Overhead+len(message)) - if subtle.AnyOverlap(out, message) { + if alias.AnyOverlap(out, message) { panic("nacl: invalid buffer overlap") } copy(out, sig) @@ -67,7 +67,7 @@ func Open(out, signedMessage []byte, publicKey *[32]byte) ([]byte, bool) { return nil, false } ret, out := sliceForAppend(out, len(signedMessage)-Overhead) - if subtle.AnyOverlap(out, signedMessage) { + if alias.AnyOverlap(out, signedMessage) { panic("nacl: invalid buffer overlap") } copy(out, signedMessage[Overhead:]) diff --git a/salsa20/salsa20.go b/salsa20/salsa20.go index 6f9bb10..8f4f896 100644 --- a/salsa20/salsa20.go +++ b/salsa20/salsa20.go @@ -24,7 +24,7 @@ package salsa20 // import "golang.org/x/crypto/salsa20" // TODO(agl): implement XORKeyStream12 and XORKeyStream8 - the reduced round variants of Salsa20. import ( - "golang.org/x/crypto/internal/subtle" + "golang.org/x/crypto/internal/alias" "golang.org/x/crypto/salsa20/salsa" ) @@ -35,7 +35,7 @@ func XORKeyStream(out, in []byte, nonce []byte, key *[32]byte) { if len(out) < len(in) { panic("salsa20: output smaller than input") } - if subtle.InexactOverlap(out[:len(in)], in) { + if alias.InexactOverlap(out[:len(in)], in) { panic("salsa20: invalid buffer overlap") } diff --git a/xts/xts.go b/xts/xts.go index b51308e..8c16a83 100644 --- a/xts/xts.go +++ b/xts/xts.go @@ -29,7 +29,7 @@ import ( "errors" "sync" - "golang.org/x/crypto/internal/subtle" + "golang.org/x/crypto/internal/alias" ) // Cipher contains an expanded key structure. It is safe for concurrent use if @@ -75,7 +75,7 @@ func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) { if len(plaintext)%blockSize != 0 { panic("xts: plaintext is not a multiple of the block size") } - if subtle.InexactOverlap(ciphertext[:len(plaintext)], plaintext) { + if alias.InexactOverlap(ciphertext[:len(plaintext)], plaintext) { panic("xts: invalid buffer overlap") } @@ -114,7 +114,7 @@ func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) { if len(ciphertext)%blockSize != 0 { panic("xts: ciphertext is not a multiple of the block size") } - if subtle.InexactOverlap(plaintext[:len(ciphertext)], ciphertext) { + if alias.InexactOverlap(plaintext[:len(ciphertext)], ciphertext) { panic("xts: invalid buffer overlap") } -- cgit v1.3