updated vendor
This commit is contained in:
+2
@@ -69,6 +69,8 @@ func (l *lineReader) Read(p []byte) (n int, err error) {
|
||||
if isPrefix {
|
||||
return 0, ArmorCorrupt
|
||||
}
|
||||
// Trim the line to remove any whitespace
|
||||
line = bytes.TrimSpace(line)
|
||||
|
||||
if bytes.HasPrefix(line, armorEnd) {
|
||||
l.eof = true
|
||||
|
||||
+7
-1
@@ -17,6 +17,7 @@ import (
|
||||
"hash"
|
||||
"io"
|
||||
"net/textproto"
|
||||
"slices"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
@@ -49,6 +50,8 @@ var endText = []byte("-----BEGIN PGP SIGNATURE-----")
|
||||
// end is a marker which denotes the end of the armored signature.
|
||||
var end = []byte("\n-----END PGP SIGNATURE-----")
|
||||
|
||||
var allowedHashHeaderValues = []string{"MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512", "SHA3-256", "SHA3-512"}
|
||||
|
||||
var crlf = []byte("\r\n")
|
||||
var lf = byte('\n')
|
||||
|
||||
@@ -131,7 +134,10 @@ func Decode(data []byte) (b *Block, rest []byte) {
|
||||
key = strings.TrimSpace(key)
|
||||
if key == hashHeader {
|
||||
for _, val := range strings.Split(val, ",") {
|
||||
val = strings.TrimSpace(val)
|
||||
val = strings.ToUpper(strings.TrimSpace(val))
|
||||
if !slices.Contains(allowedHashHeaderValues, val) {
|
||||
return nil, data
|
||||
}
|
||||
b.Headers.Add(key, val)
|
||||
}
|
||||
} else {
|
||||
|
||||
+8
-2
@@ -125,7 +125,10 @@ func (c *curve25519) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecr
|
||||
// "VB = convert point V to the octet string"
|
||||
// sharedPoint corresponds to `VB`.
|
||||
var sharedPoint x25519lib.Key
|
||||
x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
|
||||
ok := x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
|
||||
if !ok {
|
||||
return nil, nil, errors.KeyInvalidError("ecc: the public key is a low order point")
|
||||
}
|
||||
|
||||
return ephemeralPublic[:], sharedPoint[:], nil
|
||||
}
|
||||
@@ -146,7 +149,10 @@ func (c *curve25519) Decaps(vsG, secret []byte) (sharedSecret []byte, err error)
|
||||
// RFC6637 §8: "Note that the recipient obtains the shared secret by calculating
|
||||
// S = rV = rvG, where (r,R) is the recipient's key pair."
|
||||
// sharedPoint corresponds to `S`.
|
||||
x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
|
||||
ok := x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
|
||||
if !ok {
|
||||
return nil, errors.KeyInvalidError("ecc: the public key is a low order point")
|
||||
}
|
||||
|
||||
return sharedPoint[:], nil
|
||||
}
|
||||
|
||||
+4
-1
@@ -78,7 +78,7 @@ func (c *genericCurve) GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err
|
||||
func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
|
||||
xP, yP := elliptic.Unmarshal(c.Curve, point)
|
||||
if xP == nil {
|
||||
panic("invalid point")
|
||||
return nil, nil, errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
|
||||
}
|
||||
|
||||
d, x, y, err := elliptic.GenerateKey(c.Curve, rand)
|
||||
@@ -99,6 +99,9 @@ func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSe
|
||||
|
||||
func (c *genericCurve) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
|
||||
x, y := elliptic.Unmarshal(c.Curve, ephemeral)
|
||||
if x == nil {
|
||||
return nil, errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
|
||||
}
|
||||
zbBig, _ := c.Curve.ScalarMult(x, y, secret)
|
||||
byteLen := (c.Curve.Params().BitSize + 7) >> 3
|
||||
zb := make([]byte, byteLen)
|
||||
|
||||
+26
@@ -178,6 +178,18 @@ type Config struct {
|
||||
// When set to true, a key without flags is treated as if all flags are enabled.
|
||||
// This behavior is consistent with GPG.
|
||||
InsecureAllowAllKeyFlagsWhenMissing bool
|
||||
// InsecureGenerateNonCriticalKeyFlags causes the "Key Flags" signature subpacket
|
||||
// to be non-critical in newly generated signatures.
|
||||
// This may be needed for keys to be accepted by older clients who do not recognize
|
||||
// the subpacket.
|
||||
// For example, rpm 4.14.3-150400.59.3.1 in OpenSUSE Leap 15.4 does not recognize it.
|
||||
InsecureGenerateNonCriticalKeyFlags bool
|
||||
// InsecureGenerateNonCriticalSignatureCreationTime causes the "Signature Creation Time" signature subpacket
|
||||
// to be non-critical in newly generated signatures.
|
||||
// This may be needed for keys to be accepted by older clients who do not recognize
|
||||
// the subpacket.
|
||||
// For example, yum 3.4.3-168 in CentOS 7 and yum 3.4.3-158 in Amazon Linux 2 do not recognize it.
|
||||
InsecureGenerateNonCriticalSignatureCreationTime bool
|
||||
|
||||
// MaxDecompressedMessageSize specifies the maximum number of bytes that can be
|
||||
// read from a compressed packet. This serves as an upper limit to prevent
|
||||
@@ -420,6 +432,20 @@ func (c *Config) AllowAllKeyFlagsWhenMissing() bool {
|
||||
return c.InsecureAllowAllKeyFlagsWhenMissing
|
||||
}
|
||||
|
||||
func (c *Config) GenerateNonCriticalKeyFlags() bool {
|
||||
if c == nil {
|
||||
return false
|
||||
}
|
||||
return c.InsecureGenerateNonCriticalKeyFlags
|
||||
}
|
||||
|
||||
func (c *Config) GenerateNonCriticalSignatureCreationTime() bool {
|
||||
if c == nil {
|
||||
return false
|
||||
}
|
||||
return c.InsecureGenerateNonCriticalSignatureCreationTime
|
||||
}
|
||||
|
||||
func (c *Config) DecompressedMessageSizeLimit() *int64 {
|
||||
if c == nil {
|
||||
return nil
|
||||
|
||||
+4
-4
@@ -933,7 +933,7 @@ func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err e
|
||||
}
|
||||
sig.Notations = append(sig.Notations, ¬ation)
|
||||
}
|
||||
sig.outSubpackets, err = sig.buildSubpackets(priv.PublicKey)
|
||||
sig.outSubpackets, err = sig.buildSubpackets(priv.PublicKey, config)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -1254,11 +1254,11 @@ type outputSubpacket struct {
|
||||
contents []byte
|
||||
}
|
||||
|
||||
func (sig *Signature) buildSubpackets(issuer PublicKey) (subpackets []outputSubpacket, err error) {
|
||||
func (sig *Signature) buildSubpackets(issuer PublicKey, config *Config) (subpackets []outputSubpacket, err error) {
|
||||
creationTime := make([]byte, 4)
|
||||
binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix()))
|
||||
// Signature Creation Time
|
||||
subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, true, creationTime})
|
||||
subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, !config.GenerateNonCriticalSignatureCreationTime(), creationTime})
|
||||
// Signature Expiration Time
|
||||
if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 {
|
||||
sigLifetime := make([]byte, 4)
|
||||
@@ -1357,7 +1357,7 @@ func (sig *Signature) buildSubpackets(issuer PublicKey) (subpackets []outputSubp
|
||||
if sig.FlagGroupKey {
|
||||
flags |= KeyFlagGroupKey
|
||||
}
|
||||
subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, true, []byte{flags}})
|
||||
subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, !config.GenerateNonCriticalKeyFlags(), []byte{flags}})
|
||||
}
|
||||
// Signer's User ID
|
||||
if sig.SignerUserId != nil {
|
||||
|
||||
Reference in New Issue
Block a user