Re: golang-go.crypto / CVE-2019-11841
- To: Ola Lundqvist <ola@inguza.com>
- Cc: Debian LTS <debian-lts@lists.debian.org>
- Subject: Re: golang-go.crypto / CVE-2019-11841
- From: Brian May <bam@debian.org>
- Date: Mon, 05 Oct 2020 08:33:22 +1100
- Message-id: <[🔎] 87a6x1ism5.fsf@canidae.wired.pri>
- In-reply-to: <CABY6=0ku8-9tztUoYS_nU=jX_aUP_VVhyGyZefS+a3jh=tv--A@mail.gmail.com>
- References: <87k0xes8kr.fsf@canidae.wired.pri> <87pn75t6vb.fsf@canidae.wired.pri> <87eenju6qa.fsf@canidae.wired.pri> <877dtatsa2.fsf@canidae.wired.pri> <87r1refqqe.fsf@canidae.wired.pri> <CABY6=0nu1DP42xdGA-1whSZVY08fd0JSrarJijHAzAFMycfD7Q@mail.gmail.com> <874ko9p70k.fsf@canidae.wired.pri> <CABY6=0nbk71vcgXX3yHeKmm1kYZi=+PduFCbiyNCDx8WXDwEQA@mail.gmail.com> <871rjbq50z.fsf@canidae.wired.pri> <CABY6=0mSxsXpjhz-X+=p2wSSeXFuffVf=7X3AQ0GEyy1YRF9-A@mail.gmail.com> <87k0x2edaf.fsf@canidae.wired.pri> <CABY6=0=xDdOo1RH9iJiG=xS0T=GaQ48k+w-RSoLPSbTDcZxCUA@mail.gmail.com> <871rj6m8jr.fsf@canidae.wired.pri> <CABY6=0ku8-9tztUoYS_nU=jX_aUP_VVhyGyZefS+a3jh=tv--A@mail.gmail.com>
Attached is my patch for golang-go.crypto which I intend to upload
tomorrow for:
* CVE-2019-11840
* CVE-2019-11841
I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
cause a panic - however I feel this is not really a security issue.
--
Brian May <bam@debian.org>
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2017-04-26 17:42:23.000000000 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog 2020-09-07 08:29:03.000000000 +1000
@@ -1,3 +1,11 @@
+golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Fix CVE-2019-11841: reject potentially misleading headers and messages.
+ * Fix CVE-2019-11840: fix keystream loop in amd64 assembly when overflowing 32-bit counter.
+
+ -- Brian May <bam@debian.org> Mon, 07 Sep 2020 08:29:03 +1000
+
golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium
* Reverts previous upload to permit freeze exception.
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 1970-01-01 10:00:00.000000000 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch 2020-09-07 08:29:03.000000000 +1000
@@ -0,0 +1,1922 @@
+commit b7391e95e576cacdcdd422573063bc057239113d
+Author: Filippo Valsorda <filippo@golang.org>
+Date: Tue Mar 19 18:29:04 2019 -0400
+
+ salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter
+
+ Fixes golang/go#30965
+
+ Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
+ Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
+ Reviewed-by: Adam Langley <agl@google.com>
+ Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
+ Reviewed-by: Filippo Valsorda <filippo@golang.org>
+ Run-TryBot: Filippo Valsorda <filippo@golang.org>
+ TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go
+===================================================================
+--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_amd64.go
++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go
+@@ -6,10 +6,9 @@
+
+ package salsa
+
+-// This function is implemented in salsa2020_amd64.s.
+-
+ //go:noescape
+
++// salsa2020XORKeyStream is implemented in salsa20_amd64.s.
+ func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
+
+ // XORKeyStream crypts bytes from in to out using the given key and counters.
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa2020_amd64.s
+===================================================================
+--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa2020_amd64.s
++++ /dev/null
+@@ -1,902 +0,0 @@
+-// Copyright 2012 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-// +build amd64,!appengine,!gccgo
+-
+-// This code was translated into a form compatible with 6a from the public
+-// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
+-
+-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
+-TEXT ·salsa2020XORKeyStream(SB),0,$512-40
+- MOVQ out+0(FP),DI
+- MOVQ in+8(FP),SI
+- MOVQ n+16(FP),DX
+- MOVQ nonce+24(FP),CX
+- MOVQ key+32(FP),R8
+-
+- MOVQ SP,R11
+- MOVQ $31,R9
+- NOTQ R9
+- ANDQ R9,SP
+- ADDQ $32,SP
+-
+- MOVQ R11,352(SP)
+- MOVQ R12,360(SP)
+- MOVQ R13,368(SP)
+- MOVQ R14,376(SP)
+- MOVQ R15,384(SP)
+- MOVQ BX,392(SP)
+- MOVQ BP,400(SP)
+- MOVQ DX,R9
+- MOVQ CX,DX
+- MOVQ R8,R10
+- CMPQ R9,$0
+- JBE DONE
+- START:
+- MOVL 20(R10),CX
+- MOVL 0(R10),R8
+- MOVL 0(DX),AX
+- MOVL 16(R10),R11
+- MOVL CX,0(SP)
+- MOVL R8, 4 (SP)
+- MOVL AX, 8 (SP)
+- MOVL R11, 12 (SP)
+- MOVL 8(DX),CX
+- MOVL 24(R10),R8
+- MOVL 4(R10),AX
+- MOVL 4(DX),R11
+- MOVL CX,16(SP)
+- MOVL R8, 20 (SP)
+- MOVL AX, 24 (SP)
+- MOVL R11, 28 (SP)
+- MOVL 12(DX),CX
+- MOVL 12(R10),DX
+- MOVL 28(R10),R8
+- MOVL 8(R10),AX
+- MOVL DX,32(SP)
+- MOVL CX, 36 (SP)
+- MOVL R8, 40 (SP)
+- MOVL AX, 44 (SP)
+- MOVQ $1634760805,DX
+- MOVQ $857760878,CX
+- MOVQ $2036477234,R8
+- MOVQ $1797285236,AX
+- MOVL DX,48(SP)
+- MOVL CX, 52 (SP)
+- MOVL R8, 56 (SP)
+- MOVL AX, 60 (SP)
+- CMPQ R9,$256
+- JB BYTESBETWEEN1AND255
+- MOVOA 48(SP),X0
+- PSHUFL $0X55,X0,X1
+- PSHUFL $0XAA,X0,X2
+- PSHUFL $0XFF,X0,X3
+- PSHUFL $0X00,X0,X0
+- MOVOA X1,64(SP)
+- MOVOA X2,80(SP)
+- MOVOA X3,96(SP)
+- MOVOA X0,112(SP)
+- MOVOA 0(SP),X0
+- PSHUFL $0XAA,X0,X1
+- PSHUFL $0XFF,X0,X2
+- PSHUFL $0X00,X0,X3
+- PSHUFL $0X55,X0,X0
+- MOVOA X1,128(SP)
+- MOVOA X2,144(SP)
+- MOVOA X3,160(SP)
+- MOVOA X0,176(SP)
+- MOVOA 16(SP),X0
+- PSHUFL $0XFF,X0,X1
+- PSHUFL $0X55,X0,X2
+- PSHUFL $0XAA,X0,X0
+- MOVOA X1,192(SP)
+- MOVOA X2,208(SP)
+- MOVOA X0,224(SP)
+- MOVOA 32(SP),X0
+- PSHUFL $0X00,X0,X1
+- PSHUFL $0XAA,X0,X2
+- PSHUFL $0XFF,X0,X0
+- MOVOA X1,240(SP)
+- MOVOA X2,256(SP)
+- MOVOA X0,272(SP)
+- BYTESATLEAST256:
+- MOVL 16(SP),DX
+- MOVL 36 (SP),CX
+- MOVL DX,288(SP)
+- MOVL CX,304(SP)
+- ADDQ $1,DX
+- SHLQ $32,CX
+- ADDQ CX,DX
+- MOVQ DX,CX
+- SHRQ $32,CX
+- MOVL DX, 292 (SP)
+- MOVL CX, 308 (SP)
+- ADDQ $1,DX
+- SHLQ $32,CX
+- ADDQ CX,DX
+- MOVQ DX,CX
+- SHRQ $32,CX
+- MOVL DX, 296 (SP)
+- MOVL CX, 312 (SP)
+- ADDQ $1,DX
+- SHLQ $32,CX
+- ADDQ CX,DX
+- MOVQ DX,CX
+- SHRQ $32,CX
+- MOVL DX, 300 (SP)
+- MOVL CX, 316 (SP)
+- ADDQ $1,DX
+- SHLQ $32,CX
+- ADDQ CX,DX
+- MOVQ DX,CX
+- SHRQ $32,CX
+- MOVL DX,16(SP)
+- MOVL CX, 36 (SP)
+- MOVQ R9,408(SP)
+- MOVQ $20,DX
+- MOVOA 64(SP),X0
+- MOVOA 80(SP),X1
+- MOVOA 96(SP),X2
+- MOVOA 256(SP),X3
+- MOVOA 272(SP),X4
+- MOVOA 128(SP),X5
+- MOVOA 144(SP),X6
+- MOVOA 176(SP),X7
+- MOVOA 192(SP),X8
+- MOVOA 208(SP),X9
+- MOVOA 224(SP),X10
+- MOVOA 304(SP),X11
+- MOVOA 112(SP),X12
+- MOVOA 160(SP),X13
+- MOVOA 240(SP),X14
+- MOVOA 288(SP),X15
+- MAINLOOP1:
+- MOVOA X1,320(SP)
+- MOVOA X2,336(SP)
+- MOVOA X13,X1
+- PADDL X12,X1
+- MOVOA X1,X2
+- PSLLL $7,X1
+- PXOR X1,X14
+- PSRLL $25,X2
+- PXOR X2,X14
+- MOVOA X7,X1
+- PADDL X0,X1
+- MOVOA X1,X2
+- PSLLL $7,X1
+- PXOR X1,X11
+- PSRLL $25,X2
+- PXOR X2,X11
+- MOVOA X12,X1
+- PADDL X14,X1
+- MOVOA X1,X2
+- PSLLL $9,X1
+- PXOR X1,X15
+- PSRLL $23,X2
+- PXOR X2,X15
+- MOVOA X0,X1
+- PADDL X11,X1
+- MOVOA X1,X2
+- PSLLL $9,X1
+- PXOR X1,X9
+- PSRLL $23,X2
+- PXOR X2,X9
+- MOVOA X14,X1
+- PADDL X15,X1
+- MOVOA X1,X2
+- PSLLL $13,X1
+- PXOR X1,X13
+- PSRLL $19,X2
+- PXOR X2,X13
+- MOVOA X11,X1
+- PADDL X9,X1
+- MOVOA X1,X2
+- PSLLL $13,X1
+- PXOR X1,X7
+- PSRLL $19,X2
+- PXOR X2,X7
+- MOVOA X15,X1
+- PADDL X13,X1
+- MOVOA X1,X2
+- PSLLL $18,X1
+- PXOR X1,X12
+- PSRLL $14,X2
+- PXOR X2,X12
+- MOVOA 320(SP),X1
+- MOVOA X12,320(SP)
+- MOVOA X9,X2
+- PADDL X7,X2
+- MOVOA X2,X12
+- PSLLL $18,X2
+- PXOR X2,X0
+- PSRLL $14,X12
+- PXOR X12,X0
+- MOVOA X5,X2
+- PADDL X1,X2
+- MOVOA X2,X12
+- PSLLL $7,X2
+- PXOR X2,X3
+- PSRLL $25,X12
+- PXOR X12,X3
+- MOVOA 336(SP),X2
+- MOVOA X0,336(SP)
+- MOVOA X6,X0
+- PADDL X2,X0
+- MOVOA X0,X12
+- PSLLL $7,X0
+- PXOR X0,X4
+- PSRLL $25,X12
+- PXOR X12,X4
+- MOVOA X1,X0
+- PADDL X3,X0
+- MOVOA X0,X12
+- PSLLL $9,X0
+- PXOR X0,X10
+- PSRLL $23,X12
+- PXOR X12,X10
+- MOVOA X2,X0
+- PADDL X4,X0
+- MOVOA X0,X12
+- PSLLL $9,X0
+- PXOR X0,X8
+- PSRLL $23,X12
+- PXOR X12,X8
+- MOVOA X3,X0
+- PADDL X10,X0
+- MOVOA X0,X12
+- PSLLL $13,X0
+- PXOR X0,X5
+- PSRLL $19,X12
+- PXOR X12,X5
+- MOVOA X4,X0
+- PADDL X8,X0
+- MOVOA X0,X12
+- PSLLL $13,X0
+- PXOR X0,X6
+- PSRLL $19,X12
+- PXOR X12,X6
+- MOVOA X10,X0
+- PADDL X5,X0
+- MOVOA X0,X12
+- PSLLL $18,X0
+- PXOR X0,X1
+- PSRLL $14,X12
+- PXOR X12,X1
+- MOVOA 320(SP),X0
+- MOVOA X1,320(SP)
+- MOVOA X4,X1
+- PADDL X0,X1
+- MOVOA X1,X12
+- PSLLL $7,X1
+- PXOR X1,X7
+- PSRLL $25,X12
+- PXOR X12,X7
+- MOVOA X8,X1
+- PADDL X6,X1
+- MOVOA X1,X12
+- PSLLL $18,X1
+- PXOR X1,X2
+- PSRLL $14,X12
+- PXOR X12,X2
+- MOVOA 336(SP),X12
+- MOVOA X2,336(SP)
+- MOVOA X14,X1
+- PADDL X12,X1
+- MOVOA X1,X2
+- PSLLL $7,X1
+- PXOR X1,X5
+- PSRLL $25,X2
+- PXOR X2,X5
+- MOVOA X0,X1
+- PADDL X7,X1
+- MOVOA X1,X2
+- PSLLL $9,X1
+- PXOR X1,X10
+- PSRLL $23,X2
+- PXOR X2,X10
+- MOVOA X12,X1
+- PADDL X5,X1
+- MOVOA X1,X2
+- PSLLL $9,X1
+- PXOR X1,X8
+- PSRLL $23,X2
+- PXOR X2,X8
+- MOVOA X7,X1
+- PADDL X10,X1
+- MOVOA X1,X2
+- PSLLL $13,X1
+- PXOR X1,X4
+- PSRLL $19,X2
+- PXOR X2,X4
+- MOVOA X5,X1
+- PADDL X8,X1
+- MOVOA X1,X2
+- PSLLL $13,X1
+- PXOR X1,X14
+- PSRLL $19,X2
+- PXOR X2,X14
+- MOVOA X10,X1
+- PADDL X4,X1
+- MOVOA X1,X2
+- PSLLL $18,X1
+- PXOR X1,X0
+- PSRLL $14,X2
+- PXOR X2,X0
+- MOVOA 320(SP),X1
+- MOVOA X0,320(SP)
+- MOVOA X8,X0
+- PADDL X14,X0
+- MOVOA X0,X2
+- PSLLL $18,X0
+- PXOR X0,X12
+- PSRLL $14,X2
+- PXOR X2,X12
+- MOVOA X11,X0
+- PADDL X1,X0
+- MOVOA X0,X2
+- PSLLL $7,X0
+- PXOR X0,X6
+- PSRLL $25,X2
+- PXOR X2,X6
+- MOVOA 336(SP),X2
+- MOVOA X12,336(SP)
+- MOVOA X3,X0
+- PADDL X2,X0
+- MOVOA X0,X12
+- PSLLL $7,X0
+- PXOR X0,X13
+- PSRLL $25,X12
+- PXOR X12,X13
+- MOVOA X1,X0
+- PADDL X6,X0
+- MOVOA X0,X12
+- PSLLL $9,X0
+- PXOR X0,X15
+- PSRLL $23,X12
+- PXOR X12,X15
+- MOVOA X2,X0
+- PADDL X13,X0
+- MOVOA X0,X12
+- PSLLL $9,X0
+- PXOR X0,X9
+- PSRLL $23,X12
+- PXOR X12,X9
+- MOVOA X6,X0
+- PADDL X15,X0
+- MOVOA X0,X12
+- PSLLL $13,X0
+- PXOR X0,X11
+- PSRLL $19,X12
+- PXOR X12,X11
+- MOVOA X13,X0
+- PADDL X9,X0
+- MOVOA X0,X12
+- PSLLL $13,X0
+- PXOR X0,X3
+- PSRLL $19,X12
+- PXOR X12,X3
+- MOVOA X15,X0
+- PADDL X11,X0
+- MOVOA X0,X12
+- PSLLL $18,X0
+- PXOR X0,X1
+- PSRLL $14,X12
+- PXOR X12,X1
+- MOVOA X9,X0
+- PADDL X3,X0
+- MOVOA X0,X12
+- PSLLL $18,X0
+- PXOR X0,X2
+- PSRLL $14,X12
+- PXOR X12,X2
+- MOVOA 320(SP),X12
+- MOVOA 336(SP),X0
+- SUBQ $2,DX
+- JA MAINLOOP1
+- PADDL 112(SP),X12
+- PADDL 176(SP),X7
+- PADDL 224(SP),X10
+- PADDL 272(SP),X4
+- MOVD X12,DX
+- MOVD X7,CX
+- MOVD X10,R8
+- MOVD X4,R9
+- PSHUFL $0X39,X12,X12
+- PSHUFL $0X39,X7,X7
+- PSHUFL $0X39,X10,X10
+- PSHUFL $0X39,X4,X4
+- XORL 0(SI),DX
+- XORL 4(SI),CX
+- XORL 8(SI),R8
+- XORL 12(SI),R9
+- MOVL DX,0(DI)
+- MOVL CX,4(DI)
+- MOVL R8,8(DI)
+- MOVL R9,12(DI)
+- MOVD X12,DX
+- MOVD X7,CX
+- MOVD X10,R8
+- MOVD X4,R9
+- PSHUFL $0X39,X12,X12
+- PSHUFL $0X39,X7,X7
+- PSHUFL $0X39,X10,X10
+- PSHUFL $0X39,X4,X4
+- XORL 64(SI),DX
+- XORL 68(SI),CX
+- XORL 72(SI),R8
+- XORL 76(SI),R9
+- MOVL DX,64(DI)
+- MOVL CX,68(DI)
+- MOVL R8,72(DI)
+- MOVL R9,76(DI)
+- MOVD X12,DX
+- MOVD X7,CX
+- MOVD X10,R8
+- MOVD X4,R9
+- PSHUFL $0X39,X12,X12
+- PSHUFL $0X39,X7,X7
+- PSHUFL $0X39,X10,X10
+- PSHUFL $0X39,X4,X4
+- XORL 128(SI),DX
+- XORL 132(SI),CX
+- XORL 136(SI),R8
+- XORL 140(SI),R9
+- MOVL DX,128(DI)
+- MOVL CX,132(DI)
+- MOVL R8,136(DI)
+- MOVL R9,140(DI)
+- MOVD X12,DX
+- MOVD X7,CX
+- MOVD X10,R8
+- MOVD X4,R9
+- XORL 192(SI),DX
+- XORL 196(SI),CX
+- XORL 200(SI),R8
+- XORL 204(SI),R9
+- MOVL DX,192(DI)
+- MOVL CX,196(DI)
+- MOVL R8,200(DI)
+- MOVL R9,204(DI)
+- PADDL 240(SP),X14
+- PADDL 64(SP),X0
+- PADDL 128(SP),X5
+- PADDL 192(SP),X8
+- MOVD X14,DX
+- MOVD X0,CX
+- MOVD X5,R8
+- MOVD X8,R9
+- PSHUFL $0X39,X14,X14
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X5,X5
+- PSHUFL $0X39,X8,X8
+- XORL 16(SI),DX
+- XORL 20(SI),CX
+- XORL 24(SI),R8
+- XORL 28(SI),R9
+- MOVL DX,16(DI)
+- MOVL CX,20(DI)
+- MOVL R8,24(DI)
+- MOVL R9,28(DI)
+- MOVD X14,DX
+- MOVD X0,CX
+- MOVD X5,R8
+- MOVD X8,R9
+- PSHUFL $0X39,X14,X14
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X5,X5
+- PSHUFL $0X39,X8,X8
+- XORL 80(SI),DX
+- XORL 84(SI),CX
+- XORL 88(SI),R8
+- XORL 92(SI),R9
+- MOVL DX,80(DI)
+- MOVL CX,84(DI)
+- MOVL R8,88(DI)
+- MOVL R9,92(DI)
+- MOVD X14,DX
+- MOVD X0,CX
+- MOVD X5,R8
+- MOVD X8,R9
+- PSHUFL $0X39,X14,X14
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X5,X5
+- PSHUFL $0X39,X8,X8
+- XORL 144(SI),DX
+- XORL 148(SI),CX
+- XORL 152(SI),R8
+- XORL 156(SI),R9
+- MOVL DX,144(DI)
+- MOVL CX,148(DI)
+- MOVL R8,152(DI)
+- MOVL R9,156(DI)
+- MOVD X14,DX
+- MOVD X0,CX
+- MOVD X5,R8
+- MOVD X8,R9
+- XORL 208(SI),DX
+- XORL 212(SI),CX
+- XORL 216(SI),R8
+- XORL 220(SI),R9
+- MOVL DX,208(DI)
+- MOVL CX,212(DI)
+- MOVL R8,216(DI)
+- MOVL R9,220(DI)
+- PADDL 288(SP),X15
+- PADDL 304(SP),X11
+- PADDL 80(SP),X1
+- PADDL 144(SP),X6
+- MOVD X15,DX
+- MOVD X11,CX
+- MOVD X1,R8
+- MOVD X6,R9
+- PSHUFL $0X39,X15,X15
+- PSHUFL $0X39,X11,X11
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X6,X6
+- XORL 32(SI),DX
+- XORL 36(SI),CX
+- XORL 40(SI),R8
+- XORL 44(SI),R9
+- MOVL DX,32(DI)
+- MOVL CX,36(DI)
+- MOVL R8,40(DI)
+- MOVL R9,44(DI)
+- MOVD X15,DX
+- MOVD X11,CX
+- MOVD X1,R8
+- MOVD X6,R9
+- PSHUFL $0X39,X15,X15
+- PSHUFL $0X39,X11,X11
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X6,X6
+- XORL 96(SI),DX
+- XORL 100(SI),CX
+- XORL 104(SI),R8
+- XORL 108(SI),R9
+- MOVL DX,96(DI)
+- MOVL CX,100(DI)
+- MOVL R8,104(DI)
+- MOVL R9,108(DI)
+- MOVD X15,DX
+- MOVD X11,CX
+- MOVD X1,R8
+- MOVD X6,R9
+- PSHUFL $0X39,X15,X15
+- PSHUFL $0X39,X11,X11
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X6,X6
+- XORL 160(SI),DX
+- XORL 164(SI),CX
+- XORL 168(SI),R8
+- XORL 172(SI),R9
+- MOVL DX,160(DI)
+- MOVL CX,164(DI)
+- MOVL R8,168(DI)
+- MOVL R9,172(DI)
+- MOVD X15,DX
+- MOVD X11,CX
+- MOVD X1,R8
+- MOVD X6,R9
+- XORL 224(SI),DX
+- XORL 228(SI),CX
+- XORL 232(SI),R8
+- XORL 236(SI),R9
+- MOVL DX,224(DI)
+- MOVL CX,228(DI)
+- MOVL R8,232(DI)
+- MOVL R9,236(DI)
+- PADDL 160(SP),X13
+- PADDL 208(SP),X9
+- PADDL 256(SP),X3
+- PADDL 96(SP),X2
+- MOVD X13,DX
+- MOVD X9,CX
+- MOVD X3,R8
+- MOVD X2,R9
+- PSHUFL $0X39,X13,X13
+- PSHUFL $0X39,X9,X9
+- PSHUFL $0X39,X3,X3
+- PSHUFL $0X39,X2,X2
+- XORL 48(SI),DX
+- XORL 52(SI),CX
+- XORL 56(SI),R8
+- XORL 60(SI),R9
+- MOVL DX,48(DI)
+- MOVL CX,52(DI)
+- MOVL R8,56(DI)
+- MOVL R9,60(DI)
+- MOVD X13,DX
+- MOVD X9,CX
+- MOVD X3,R8
+- MOVD X2,R9
+- PSHUFL $0X39,X13,X13
+- PSHUFL $0X39,X9,X9
+- PSHUFL $0X39,X3,X3
+- PSHUFL $0X39,X2,X2
+- XORL 112(SI),DX
+- XORL 116(SI),CX
+- XORL 120(SI),R8
+- XORL 124(SI),R9
+- MOVL DX,112(DI)
+- MOVL CX,116(DI)
+- MOVL R8,120(DI)
+- MOVL R9,124(DI)
+- MOVD X13,DX
+- MOVD X9,CX
+- MOVD X3,R8
+- MOVD X2,R9
+- PSHUFL $0X39,X13,X13
+- PSHUFL $0X39,X9,X9
+- PSHUFL $0X39,X3,X3
+- PSHUFL $0X39,X2,X2
+- XORL 176(SI),DX
+- XORL 180(SI),CX
+- XORL 184(SI),R8
+- XORL 188(SI),R9
+- MOVL DX,176(DI)
+- MOVL CX,180(DI)
+- MOVL R8,184(DI)
+- MOVL R9,188(DI)
+- MOVD X13,DX
+- MOVD X9,CX
+- MOVD X3,R8
+- MOVD X2,R9
+- XORL 240(SI),DX
+- XORL 244(SI),CX
+- XORL 248(SI),R8
+- XORL 252(SI),R9
+- MOVL DX,240(DI)
+- MOVL CX,244(DI)
+- MOVL R8,248(DI)
+- MOVL R9,252(DI)
+- MOVQ 408(SP),R9
+- SUBQ $256,R9
+- ADDQ $256,SI
+- ADDQ $256,DI
+- CMPQ R9,$256
+- JAE BYTESATLEAST256
+- CMPQ R9,$0
+- JBE DONE
+- BYTESBETWEEN1AND255:
+- CMPQ R9,$64
+- JAE NOCOPY
+- MOVQ DI,DX
+- LEAQ 416(SP),DI
+- MOVQ R9,CX
+- REP; MOVSB
+- LEAQ 416(SP),DI
+- LEAQ 416(SP),SI
+- NOCOPY:
+- MOVQ R9,408(SP)
+- MOVOA 48(SP),X0
+- MOVOA 0(SP),X1
+- MOVOA 16(SP),X2
+- MOVOA 32(SP),X3
+- MOVOA X1,X4
+- MOVQ $20,CX
+- MAINLOOP2:
+- PADDL X0,X4
+- MOVOA X0,X5
+- MOVOA X4,X6
+- PSLLL $7,X4
+- PSRLL $25,X6
+- PXOR X4,X3
+- PXOR X6,X3
+- PADDL X3,X5
+- MOVOA X3,X4
+- MOVOA X5,X6
+- PSLLL $9,X5
+- PSRLL $23,X6
+- PXOR X5,X2
+- PSHUFL $0X93,X3,X3
+- PXOR X6,X2
+- PADDL X2,X4
+- MOVOA X2,X5
+- MOVOA X4,X6
+- PSLLL $13,X4
+- PSRLL $19,X6
+- PXOR X4,X1
+- PSHUFL $0X4E,X2,X2
+- PXOR X6,X1
+- PADDL X1,X5
+- MOVOA X3,X4
+- MOVOA X5,X6
+- PSLLL $18,X5
+- PSRLL $14,X6
+- PXOR X5,X0
+- PSHUFL $0X39,X1,X1
+- PXOR X6,X0
+- PADDL X0,X4
+- MOVOA X0,X5
+- MOVOA X4,X6
+- PSLLL $7,X4
+- PSRLL $25,X6
+- PXOR X4,X1
+- PXOR X6,X1
+- PADDL X1,X5
+- MOVOA X1,X4
+- MOVOA X5,X6
+- PSLLL $9,X5
+- PSRLL $23,X6
+- PXOR X5,X2
+- PSHUFL $0X93,X1,X1
+- PXOR X6,X2
+- PADDL X2,X4
+- MOVOA X2,X5
+- MOVOA X4,X6
+- PSLLL $13,X4
+- PSRLL $19,X6
+- PXOR X4,X3
+- PSHUFL $0X4E,X2,X2
+- PXOR X6,X3
+- PADDL X3,X5
+- MOVOA X1,X4
+- MOVOA X5,X6
+- PSLLL $18,X5
+- PSRLL $14,X6
+- PXOR X5,X0
+- PSHUFL $0X39,X3,X3
+- PXOR X6,X0
+- PADDL X0,X4
+- MOVOA X0,X5
+- MOVOA X4,X6
+- PSLLL $7,X4
+- PSRLL $25,X6
+- PXOR X4,X3
+- PXOR X6,X3
+- PADDL X3,X5
+- MOVOA X3,X4
+- MOVOA X5,X6
+- PSLLL $9,X5
+- PSRLL $23,X6
+- PXOR X5,X2
+- PSHUFL $0X93,X3,X3
+- PXOR X6,X2
+- PADDL X2,X4
+- MOVOA X2,X5
+- MOVOA X4,X6
+- PSLLL $13,X4
+- PSRLL $19,X6
+- PXOR X4,X1
+- PSHUFL $0X4E,X2,X2
+- PXOR X6,X1
+- PADDL X1,X5
+- MOVOA X3,X4
+- MOVOA X5,X6
+- PSLLL $18,X5
+- PSRLL $14,X6
+- PXOR X5,X0
+- PSHUFL $0X39,X1,X1
+- PXOR X6,X0
+- PADDL X0,X4
+- MOVOA X0,X5
+- MOVOA X4,X6
+- PSLLL $7,X4
+- PSRLL $25,X6
+- PXOR X4,X1
+- PXOR X6,X1
+- PADDL X1,X5
+- MOVOA X1,X4
+- MOVOA X5,X6
+- PSLLL $9,X5
+- PSRLL $23,X6
+- PXOR X5,X2
+- PSHUFL $0X93,X1,X1
+- PXOR X6,X2
+- PADDL X2,X4
+- MOVOA X2,X5
+- MOVOA X4,X6
+- PSLLL $13,X4
+- PSRLL $19,X6
+- PXOR X4,X3
+- PSHUFL $0X4E,X2,X2
+- PXOR X6,X3
+- SUBQ $4,CX
+- PADDL X3,X5
+- MOVOA X1,X4
+- MOVOA X5,X6
+- PSLLL $18,X5
+- PXOR X7,X7
+- PSRLL $14,X6
+- PXOR X5,X0
+- PSHUFL $0X39,X3,X3
+- PXOR X6,X0
+- JA MAINLOOP2
+- PADDL 48(SP),X0
+- PADDL 0(SP),X1
+- PADDL 16(SP),X2
+- PADDL 32(SP),X3
+- MOVD X0,CX
+- MOVD X1,R8
+- MOVD X2,R9
+- MOVD X3,AX
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X2,X2
+- PSHUFL $0X39,X3,X3
+- XORL 0(SI),CX
+- XORL 48(SI),R8
+- XORL 32(SI),R9
+- XORL 16(SI),AX
+- MOVL CX,0(DI)
+- MOVL R8,48(DI)
+- MOVL R9,32(DI)
+- MOVL AX,16(DI)
+- MOVD X0,CX
+- MOVD X1,R8
+- MOVD X2,R9
+- MOVD X3,AX
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X2,X2
+- PSHUFL $0X39,X3,X3
+- XORL 20(SI),CX
+- XORL 4(SI),R8
+- XORL 52(SI),R9
+- XORL 36(SI),AX
+- MOVL CX,20(DI)
+- MOVL R8,4(DI)
+- MOVL R9,52(DI)
+- MOVL AX,36(DI)
+- MOVD X0,CX
+- MOVD X1,R8
+- MOVD X2,R9
+- MOVD X3,AX
+- PSHUFL $0X39,X0,X0
+- PSHUFL $0X39,X1,X1
+- PSHUFL $0X39,X2,X2
+- PSHUFL $0X39,X3,X3
+- XORL 40(SI),CX
+- XORL 24(SI),R8
+- XORL 8(SI),R9
+- XORL 56(SI),AX
+- MOVL CX,40(DI)
+- MOVL R8,24(DI)
+- MOVL R9,8(DI)
+- MOVL AX,56(DI)
+- MOVD X0,CX
+- MOVD X1,R8
+- MOVD X2,R9
+- MOVD X3,AX
+- XORL 60(SI),CX
+- XORL 44(SI),R8
+- XORL 28(SI),R9
+- XORL 12(SI),AX
+- MOVL CX,60(DI)
+- MOVL R8,44(DI)
+- MOVL R9,28(DI)
+- MOVL AX,12(DI)
+- MOVQ 408(SP),R9
+- MOVL 16(SP),CX
+- MOVL 36 (SP),R8
+- ADDQ $1,CX
+- SHLQ $32,R8
+- ADDQ R8,CX
+- MOVQ CX,R8
+- SHRQ $32,R8
+- MOVL CX,16(SP)
+- MOVL R8, 36 (SP)
+- CMPQ R9,$64
+- JA BYTESATLEAST65
+- JAE BYTESATLEAST64
+- MOVQ DI,SI
+- MOVQ DX,DI
+- MOVQ R9,CX
+- REP; MOVSB
+- BYTESATLEAST64:
+- DONE:
+- MOVQ 352(SP),R11
+- MOVQ 360(SP),R12
+- MOVQ 368(SP),R13
+- MOVQ 376(SP),R14
+- MOVQ 384(SP),R15
+- MOVQ 392(SP),BX
+- MOVQ 400(SP),BP
+- MOVQ R11,SP
+- RET
+- BYTESATLEAST65:
+- SUBQ $64,R9
+- ADDQ $64,DI
+- ADDQ $64,SI
+- JMP BYTESBETWEEN1AND255
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.s
+===================================================================
+--- /dev/null
++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.s
+@@ -0,0 +1,896 @@
++// Copyright 2012 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// +build amd64,!appengine,!gccgo
++
++// This code was translated into a form compatible with 6a from the public
++// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
++
++// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
++TEXT ·salsa2020XORKeyStream(SB),0,$512-40
++ MOVQ out+0(FP),DI
++ MOVQ in+8(FP),SI
++ MOVQ n+16(FP),DX
++ MOVQ nonce+24(FP),CX
++ MOVQ key+32(FP),R8
++
++ MOVQ SP,R11
++ MOVQ $31,R9
++ NOTQ R9
++ ANDQ R9,SP
++ ADDQ $32,SP
++
++ MOVQ R11,352(SP)
++ MOVQ R12,360(SP)
++ MOVQ R13,368(SP)
++ MOVQ R14,376(SP)
++ MOVQ R15,384(SP)
++ MOVQ BX,392(SP)
++ MOVQ BP,400(SP)
++ MOVQ DX,R9
++ MOVQ CX,DX
++ MOVQ R8,R10
++ CMPQ R9,$0
++ JBE DONE
++ START:
++ MOVL 20(R10),CX
++ MOVL 0(R10),R8
++ MOVL 0(DX),AX
++ MOVL 16(R10),R11
++ MOVL CX,0(SP)
++ MOVL R8, 4 (SP)
++ MOVL AX, 8 (SP)
++ MOVL R11, 12 (SP)
++ MOVL 8(DX),CX
++ MOVL 24(R10),R8
++ MOVL 4(R10),AX
++ MOVL 4(DX),R11
++ MOVL CX,16(SP)
++ MOVL R8, 20 (SP)
++ MOVL AX, 24 (SP)
++ MOVL R11, 28 (SP)
++ MOVL 12(DX),CX
++ MOVL 12(R10),DX
++ MOVL 28(R10),R8
++ MOVL 8(R10),AX
++ MOVL DX,32(SP)
++ MOVL CX, 36 (SP)
++ MOVL R8, 40 (SP)
++ MOVL AX, 44 (SP)
++ MOVQ $1634760805,DX
++ MOVQ $857760878,CX
++ MOVQ $2036477234,R8
++ MOVQ $1797285236,AX
++ MOVL DX,48(SP)
++ MOVL CX, 52 (SP)
++ MOVL R8, 56 (SP)
++ MOVL AX, 60 (SP)
++ CMPQ R9,$256
++ JB BYTESBETWEEN1AND255
++ MOVOA 48(SP),X0
++ PSHUFL $0X55,X0,X1
++ PSHUFL $0XAA,X0,X2
++ PSHUFL $0XFF,X0,X3
++ PSHUFL $0X00,X0,X0
++ MOVOA X1,64(SP)
++ MOVOA X2,80(SP)
++ MOVOA X3,96(SP)
++ MOVOA X0,112(SP)
++ MOVOA 0(SP),X0
++ PSHUFL $0XAA,X0,X1
++ PSHUFL $0XFF,X0,X2
++ PSHUFL $0X00,X0,X3
++ PSHUFL $0X55,X0,X0
++ MOVOA X1,128(SP)
++ MOVOA X2,144(SP)
++ MOVOA X3,160(SP)
++ MOVOA X0,176(SP)
++ MOVOA 16(SP),X0
++ PSHUFL $0XFF,X0,X1
++ PSHUFL $0X55,X0,X2
++ PSHUFL $0XAA,X0,X0
++ MOVOA X1,192(SP)
++ MOVOA X2,208(SP)
++ MOVOA X0,224(SP)
++ MOVOA 32(SP),X0
++ PSHUFL $0X00,X0,X1
++ PSHUFL $0XAA,X0,X2
++ PSHUFL $0XFF,X0,X0
++ MOVOA X1,240(SP)
++ MOVOA X2,256(SP)
++ MOVOA X0,272(SP)
++ BYTESATLEAST256:
++ MOVL 16(SP),DX
++ MOVL 36 (SP),CX
++ MOVL DX,288(SP)
++ MOVL CX,304(SP)
++ SHLQ $32,CX
++ ADDQ CX,DX
++ ADDQ $1,DX
++ MOVQ DX,CX
++ SHRQ $32,CX
++ MOVL DX, 292 (SP)
++ MOVL CX, 308 (SP)
++ ADDQ $1,DX
++ MOVQ DX,CX
++ SHRQ $32,CX
++ MOVL DX, 296 (SP)
++ MOVL CX, 312 (SP)
++ ADDQ $1,DX
++ MOVQ DX,CX
++ SHRQ $32,CX
++ MOVL DX, 300 (SP)
++ MOVL CX, 316 (SP)
++ ADDQ $1,DX
++ MOVQ DX,CX
++ SHRQ $32,CX
++ MOVL DX,16(SP)
++ MOVL CX, 36 (SP)
++ MOVQ R9,408(SP)
++ MOVQ $20,DX
++ MOVOA 64(SP),X0
++ MOVOA 80(SP),X1
++ MOVOA 96(SP),X2
++ MOVOA 256(SP),X3
++ MOVOA 272(SP),X4
++ MOVOA 128(SP),X5
++ MOVOA 144(SP),X6
++ MOVOA 176(SP),X7
++ MOVOA 192(SP),X8
++ MOVOA 208(SP),X9
++ MOVOA 224(SP),X10
++ MOVOA 304(SP),X11
++ MOVOA 112(SP),X12
++ MOVOA 160(SP),X13
++ MOVOA 240(SP),X14
++ MOVOA 288(SP),X15
++ MAINLOOP1:
++ MOVOA X1,320(SP)
++ MOVOA X2,336(SP)
++ MOVOA X13,X1
++ PADDL X12,X1
++ MOVOA X1,X2
++ PSLLL $7,X1
++ PXOR X1,X14
++ PSRLL $25,X2
++ PXOR X2,X14
++ MOVOA X7,X1
++ PADDL X0,X1
++ MOVOA X1,X2
++ PSLLL $7,X1
++ PXOR X1,X11
++ PSRLL $25,X2
++ PXOR X2,X11
++ MOVOA X12,X1
++ PADDL X14,X1
++ MOVOA X1,X2
++ PSLLL $9,X1
++ PXOR X1,X15
++ PSRLL $23,X2
++ PXOR X2,X15
++ MOVOA X0,X1
++ PADDL X11,X1
++ MOVOA X1,X2
++ PSLLL $9,X1
++ PXOR X1,X9
++ PSRLL $23,X2
++ PXOR X2,X9
++ MOVOA X14,X1
++ PADDL X15,X1
++ MOVOA X1,X2
++ PSLLL $13,X1
++ PXOR X1,X13
++ PSRLL $19,X2
++ PXOR X2,X13
++ MOVOA X11,X1
++ PADDL X9,X1
++ MOVOA X1,X2
++ PSLLL $13,X1
++ PXOR X1,X7
++ PSRLL $19,X2
++ PXOR X2,X7
++ MOVOA X15,X1
++ PADDL X13,X1
++ MOVOA X1,X2
++ PSLLL $18,X1
++ PXOR X1,X12
++ PSRLL $14,X2
++ PXOR X2,X12
++ MOVOA 320(SP),X1
++ MOVOA X12,320(SP)
++ MOVOA X9,X2
++ PADDL X7,X2
++ MOVOA X2,X12
++ PSLLL $18,X2
++ PXOR X2,X0
++ PSRLL $14,X12
++ PXOR X12,X0
++ MOVOA X5,X2
++ PADDL X1,X2
++ MOVOA X2,X12
++ PSLLL $7,X2
++ PXOR X2,X3
++ PSRLL $25,X12
++ PXOR X12,X3
++ MOVOA 336(SP),X2
++ MOVOA X0,336(SP)
++ MOVOA X6,X0
++ PADDL X2,X0
++ MOVOA X0,X12
++ PSLLL $7,X0
++ PXOR X0,X4
++ PSRLL $25,X12
++ PXOR X12,X4
++ MOVOA X1,X0
++ PADDL X3,X0
++ MOVOA X0,X12
++ PSLLL $9,X0
++ PXOR X0,X10
++ PSRLL $23,X12
++ PXOR X12,X10
++ MOVOA X2,X0
++ PADDL X4,X0
++ MOVOA X0,X12
++ PSLLL $9,X0
++ PXOR X0,X8
++ PSRLL $23,X12
++ PXOR X12,X8
++ MOVOA X3,X0
++ PADDL X10,X0
++ MOVOA X0,X12
++ PSLLL $13,X0
++ PXOR X0,X5
++ PSRLL $19,X12
++ PXOR X12,X5
++ MOVOA X4,X0
++ PADDL X8,X0
++ MOVOA X0,X12
++ PSLLL $13,X0
++ PXOR X0,X6
++ PSRLL $19,X12
++ PXOR X12,X6
++ MOVOA X10,X0
++ PADDL X5,X0
++ MOVOA X0,X12
++ PSLLL $18,X0
++ PXOR X0,X1
++ PSRLL $14,X12
++ PXOR X12,X1
++ MOVOA 320(SP),X0
++ MOVOA X1,320(SP)
++ MOVOA X4,X1
++ PADDL X0,X1
++ MOVOA X1,X12
++ PSLLL $7,X1
++ PXOR X1,X7
++ PSRLL $25,X12
++ PXOR X12,X7
++ MOVOA X8,X1
++ PADDL X6,X1
++ MOVOA X1,X12
++ PSLLL $18,X1
++ PXOR X1,X2
++ PSRLL $14,X12
++ PXOR X12,X2
++ MOVOA 336(SP),X12
++ MOVOA X2,336(SP)
++ MOVOA X14,X1
++ PADDL X12,X1
++ MOVOA X1,X2
++ PSLLL $7,X1
++ PXOR X1,X5
++ PSRLL $25,X2
++ PXOR X2,X5
++ MOVOA X0,X1
++ PADDL X7,X1
++ MOVOA X1,X2
++ PSLLL $9,X1
++ PXOR X1,X10
++ PSRLL $23,X2
++ PXOR X2,X10
++ MOVOA X12,X1
++ PADDL X5,X1
++ MOVOA X1,X2
++ PSLLL $9,X1
++ PXOR X1,X8
++ PSRLL $23,X2
++ PXOR X2,X8
++ MOVOA X7,X1
++ PADDL X10,X1
++ MOVOA X1,X2
++ PSLLL $13,X1
++ PXOR X1,X4
++ PSRLL $19,X2
++ PXOR X2,X4
++ MOVOA X5,X1
++ PADDL X8,X1
++ MOVOA X1,X2
++ PSLLL $13,X1
++ PXOR X1,X14
++ PSRLL $19,X2
++ PXOR X2,X14
++ MOVOA X10,X1
++ PADDL X4,X1
++ MOVOA X1,X2
++ PSLLL $18,X1
++ PXOR X1,X0
++ PSRLL $14,X2
++ PXOR X2,X0
++ MOVOA 320(SP),X1
++ MOVOA X0,320(SP)
++ MOVOA X8,X0
++ PADDL X14,X0
++ MOVOA X0,X2
++ PSLLL $18,X0
++ PXOR X0,X12
++ PSRLL $14,X2
++ PXOR X2,X12
++ MOVOA X11,X0
++ PADDL X1,X0
++ MOVOA X0,X2
++ PSLLL $7,X0
++ PXOR X0,X6
++ PSRLL $25,X2
++ PXOR X2,X6
++ MOVOA 336(SP),X2
++ MOVOA X12,336(SP)
++ MOVOA X3,X0
++ PADDL X2,X0
++ MOVOA X0,X12
++ PSLLL $7,X0
++ PXOR X0,X13
++ PSRLL $25,X12
++ PXOR X12,X13
++ MOVOA X1,X0
++ PADDL X6,X0
++ MOVOA X0,X12
++ PSLLL $9,X0
++ PXOR X0,X15
++ PSRLL $23,X12
++ PXOR X12,X15
++ MOVOA X2,X0
++ PADDL X13,X0
++ MOVOA X0,X12
++ PSLLL $9,X0
++ PXOR X0,X9
++ PSRLL $23,X12
++ PXOR X12,X9
++ MOVOA X6,X0
++ PADDL X15,X0
++ MOVOA X0,X12
++ PSLLL $13,X0
++ PXOR X0,X11
++ PSRLL $19,X12
++ PXOR X12,X11
++ MOVOA X13,X0
++ PADDL X9,X0
++ MOVOA X0,X12
++ PSLLL $13,X0
++ PXOR X0,X3
++ PSRLL $19,X12
++ PXOR X12,X3
++ MOVOA X15,X0
++ PADDL X11,X0
++ MOVOA X0,X12
++ PSLLL $18,X0
++ PXOR X0,X1
++ PSRLL $14,X12
++ PXOR X12,X1
++ MOVOA X9,X0
++ PADDL X3,X0
++ MOVOA X0,X12
++ PSLLL $18,X0
++ PXOR X0,X2
++ PSRLL $14,X12
++ PXOR X12,X2
++ MOVOA 320(SP),X12
++ MOVOA 336(SP),X0
++ SUBQ $2,DX
++ JA MAINLOOP1
++ PADDL 112(SP),X12
++ PADDL 176(SP),X7
++ PADDL 224(SP),X10
++ PADDL 272(SP),X4
++ MOVD X12,DX
++ MOVD X7,CX
++ MOVD X10,R8
++ MOVD X4,R9
++ PSHUFL $0X39,X12,X12
++ PSHUFL $0X39,X7,X7
++ PSHUFL $0X39,X10,X10
++ PSHUFL $0X39,X4,X4
++ XORL 0(SI),DX
++ XORL 4(SI),CX
++ XORL 8(SI),R8
++ XORL 12(SI),R9
++ MOVL DX,0(DI)
++ MOVL CX,4(DI)
++ MOVL R8,8(DI)
++ MOVL R9,12(DI)
++ MOVD X12,DX
++ MOVD X7,CX
++ MOVD X10,R8
++ MOVD X4,R9
++ PSHUFL $0X39,X12,X12
++ PSHUFL $0X39,X7,X7
++ PSHUFL $0X39,X10,X10
++ PSHUFL $0X39,X4,X4
++ XORL 64(SI),DX
++ XORL 68(SI),CX
++ XORL 72(SI),R8
++ XORL 76(SI),R9
++ MOVL DX,64(DI)
++ MOVL CX,68(DI)
++ MOVL R8,72(DI)
++ MOVL R9,76(DI)
++ MOVD X12,DX
++ MOVD X7,CX
++ MOVD X10,R8
++ MOVD X4,R9
++ PSHUFL $0X39,X12,X12
++ PSHUFL $0X39,X7,X7
++ PSHUFL $0X39,X10,X10
++ PSHUFL $0X39,X4,X4
++ XORL 128(SI),DX
++ XORL 132(SI),CX
++ XORL 136(SI),R8
++ XORL 140(SI),R9
++ MOVL DX,128(DI)
++ MOVL CX,132(DI)
++ MOVL R8,136(DI)
++ MOVL R9,140(DI)
++ MOVD X12,DX
++ MOVD X7,CX
++ MOVD X10,R8
++ MOVD X4,R9
++ XORL 192(SI),DX
++ XORL 196(SI),CX
++ XORL 200(SI),R8
++ XORL 204(SI),R9
++ MOVL DX,192(DI)
++ MOVL CX,196(DI)
++ MOVL R8,200(DI)
++ MOVL R9,204(DI)
++ PADDL 240(SP),X14
++ PADDL 64(SP),X0
++ PADDL 128(SP),X5
++ PADDL 192(SP),X8
++ MOVD X14,DX
++ MOVD X0,CX
++ MOVD X5,R8
++ MOVD X8,R9
++ PSHUFL $0X39,X14,X14
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X5,X5
++ PSHUFL $0X39,X8,X8
++ XORL 16(SI),DX
++ XORL 20(SI),CX
++ XORL 24(SI),R8
++ XORL 28(SI),R9
++ MOVL DX,16(DI)
++ MOVL CX,20(DI)
++ MOVL R8,24(DI)
++ MOVL R9,28(DI)
++ MOVD X14,DX
++ MOVD X0,CX
++ MOVD X5,R8
++ MOVD X8,R9
++ PSHUFL $0X39,X14,X14
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X5,X5
++ PSHUFL $0X39,X8,X8
++ XORL 80(SI),DX
++ XORL 84(SI),CX
++ XORL 88(SI),R8
++ XORL 92(SI),R9
++ MOVL DX,80(DI)
++ MOVL CX,84(DI)
++ MOVL R8,88(DI)
++ MOVL R9,92(DI)
++ MOVD X14,DX
++ MOVD X0,CX
++ MOVD X5,R8
++ MOVD X8,R9
++ PSHUFL $0X39,X14,X14
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X5,X5
++ PSHUFL $0X39,X8,X8
++ XORL 144(SI),DX
++ XORL 148(SI),CX
++ XORL 152(SI),R8
++ XORL 156(SI),R9
++ MOVL DX,144(DI)
++ MOVL CX,148(DI)
++ MOVL R8,152(DI)
++ MOVL R9,156(DI)
++ MOVD X14,DX
++ MOVD X0,CX
++ MOVD X5,R8
++ MOVD X8,R9
++ XORL 208(SI),DX
++ XORL 212(SI),CX
++ XORL 216(SI),R8
++ XORL 220(SI),R9
++ MOVL DX,208(DI)
++ MOVL CX,212(DI)
++ MOVL R8,216(DI)
++ MOVL R9,220(DI)
++ PADDL 288(SP),X15
++ PADDL 304(SP),X11
++ PADDL 80(SP),X1
++ PADDL 144(SP),X6
++ MOVD X15,DX
++ MOVD X11,CX
++ MOVD X1,R8
++ MOVD X6,R9
++ PSHUFL $0X39,X15,X15
++ PSHUFL $0X39,X11,X11
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X6,X6
++ XORL 32(SI),DX
++ XORL 36(SI),CX
++ XORL 40(SI),R8
++ XORL 44(SI),R9
++ MOVL DX,32(DI)
++ MOVL CX,36(DI)
++ MOVL R8,40(DI)
++ MOVL R9,44(DI)
++ MOVD X15,DX
++ MOVD X11,CX
++ MOVD X1,R8
++ MOVD X6,R9
++ PSHUFL $0X39,X15,X15
++ PSHUFL $0X39,X11,X11
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X6,X6
++ XORL 96(SI),DX
++ XORL 100(SI),CX
++ XORL 104(SI),R8
++ XORL 108(SI),R9
++ MOVL DX,96(DI)
++ MOVL CX,100(DI)
++ MOVL R8,104(DI)
++ MOVL R9,108(DI)
++ MOVD X15,DX
++ MOVD X11,CX
++ MOVD X1,R8
++ MOVD X6,R9
++ PSHUFL $0X39,X15,X15
++ PSHUFL $0X39,X11,X11
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X6,X6
++ XORL 160(SI),DX
++ XORL 164(SI),CX
++ XORL 168(SI),R8
++ XORL 172(SI),R9
++ MOVL DX,160(DI)
++ MOVL CX,164(DI)
++ MOVL R8,168(DI)
++ MOVL R9,172(DI)
++ MOVD X15,DX
++ MOVD X11,CX
++ MOVD X1,R8
++ MOVD X6,R9
++ XORL 224(SI),DX
++ XORL 228(SI),CX
++ XORL 232(SI),R8
++ XORL 236(SI),R9
++ MOVL DX,224(DI)
++ MOVL CX,228(DI)
++ MOVL R8,232(DI)
++ MOVL R9,236(DI)
++ PADDL 160(SP),X13
++ PADDL 208(SP),X9
++ PADDL 256(SP),X3
++ PADDL 96(SP),X2
++ MOVD X13,DX
++ MOVD X9,CX
++ MOVD X3,R8
++ MOVD X2,R9
++ PSHUFL $0X39,X13,X13
++ PSHUFL $0X39,X9,X9
++ PSHUFL $0X39,X3,X3
++ PSHUFL $0X39,X2,X2
++ XORL 48(SI),DX
++ XORL 52(SI),CX
++ XORL 56(SI),R8
++ XORL 60(SI),R9
++ MOVL DX,48(DI)
++ MOVL CX,52(DI)
++ MOVL R8,56(DI)
++ MOVL R9,60(DI)
++ MOVD X13,DX
++ MOVD X9,CX
++ MOVD X3,R8
++ MOVD X2,R9
++ PSHUFL $0X39,X13,X13
++ PSHUFL $0X39,X9,X9
++ PSHUFL $0X39,X3,X3
++ PSHUFL $0X39,X2,X2
++ XORL 112(SI),DX
++ XORL 116(SI),CX
++ XORL 120(SI),R8
++ XORL 124(SI),R9
++ MOVL DX,112(DI)
++ MOVL CX,116(DI)
++ MOVL R8,120(DI)
++ MOVL R9,124(DI)
++ MOVD X13,DX
++ MOVD X9,CX
++ MOVD X3,R8
++ MOVD X2,R9
++ PSHUFL $0X39,X13,X13
++ PSHUFL $0X39,X9,X9
++ PSHUFL $0X39,X3,X3
++ PSHUFL $0X39,X2,X2
++ XORL 176(SI),DX
++ XORL 180(SI),CX
++ XORL 184(SI),R8
++ XORL 188(SI),R9
++ MOVL DX,176(DI)
++ MOVL CX,180(DI)
++ MOVL R8,184(DI)
++ MOVL R9,188(DI)
++ MOVD X13,DX
++ MOVD X9,CX
++ MOVD X3,R8
++ MOVD X2,R9
++ XORL 240(SI),DX
++ XORL 244(SI),CX
++ XORL 248(SI),R8
++ XORL 252(SI),R9
++ MOVL DX,240(DI)
++ MOVL CX,244(DI)
++ MOVL R8,248(DI)
++ MOVL R9,252(DI)
++ MOVQ 408(SP),R9
++ SUBQ $256,R9
++ ADDQ $256,SI
++ ADDQ $256,DI
++ CMPQ R9,$256
++ JAE BYTESATLEAST256
++ CMPQ R9,$0
++ JBE DONE
++ BYTESBETWEEN1AND255:
++ CMPQ R9,$64
++ JAE NOCOPY
++ MOVQ DI,DX
++ LEAQ 416(SP),DI
++ MOVQ R9,CX
++ REP; MOVSB
++ LEAQ 416(SP),DI
++ LEAQ 416(SP),SI
++ NOCOPY:
++ MOVQ R9,408(SP)
++ MOVOA 48(SP),X0
++ MOVOA 0(SP),X1
++ MOVOA 16(SP),X2
++ MOVOA 32(SP),X3
++ MOVOA X1,X4
++ MOVQ $20,CX
++ MAINLOOP2:
++ PADDL X0,X4
++ MOVOA X0,X5
++ MOVOA X4,X6
++ PSLLL $7,X4
++ PSRLL $25,X6
++ PXOR X4,X3
++ PXOR X6,X3
++ PADDL X3,X5
++ MOVOA X3,X4
++ MOVOA X5,X6
++ PSLLL $9,X5
++ PSRLL $23,X6
++ PXOR X5,X2
++ PSHUFL $0X93,X3,X3
++ PXOR X6,X2
++ PADDL X2,X4
++ MOVOA X2,X5
++ MOVOA X4,X6
++ PSLLL $13,X4
++ PSRLL $19,X6
++ PXOR X4,X1
++ PSHUFL $0X4E,X2,X2
++ PXOR X6,X1
++ PADDL X1,X5
++ MOVOA X3,X4
++ MOVOA X5,X6
++ PSLLL $18,X5
++ PSRLL $14,X6
++ PXOR X5,X0
++ PSHUFL $0X39,X1,X1
++ PXOR X6,X0
++ PADDL X0,X4
++ MOVOA X0,X5
++ MOVOA X4,X6
++ PSLLL $7,X4
++ PSRLL $25,X6
++ PXOR X4,X1
++ PXOR X6,X1
++ PADDL X1,X5
++ MOVOA X1,X4
++ MOVOA X5,X6
++ PSLLL $9,X5
++ PSRLL $23,X6
++ PXOR X5,X2
++ PSHUFL $0X93,X1,X1
++ PXOR X6,X2
++ PADDL X2,X4
++ MOVOA X2,X5
++ MOVOA X4,X6
++ PSLLL $13,X4
++ PSRLL $19,X6
++ PXOR X4,X3
++ PSHUFL $0X4E,X2,X2
++ PXOR X6,X3
++ PADDL X3,X5
++ MOVOA X1,X4
++ MOVOA X5,X6
++ PSLLL $18,X5
++ PSRLL $14,X6
++ PXOR X5,X0
++ PSHUFL $0X39,X3,X3
++ PXOR X6,X0
++ PADDL X0,X4
++ MOVOA X0,X5
++ MOVOA X4,X6
++ PSLLL $7,X4
++ PSRLL $25,X6
++ PXOR X4,X3
++ PXOR X6,X3
++ PADDL X3,X5
++ MOVOA X3,X4
++ MOVOA X5,X6
++ PSLLL $9,X5
++ PSRLL $23,X6
++ PXOR X5,X2
++ PSHUFL $0X93,X3,X3
++ PXOR X6,X2
++ PADDL X2,X4
++ MOVOA X2,X5
++ MOVOA X4,X6
++ PSLLL $13,X4
++ PSRLL $19,X6
++ PXOR X4,X1
++ PSHUFL $0X4E,X2,X2
++ PXOR X6,X1
++ PADDL X1,X5
++ MOVOA X3,X4
++ MOVOA X5,X6
++ PSLLL $18,X5
++ PSRLL $14,X6
++ PXOR X5,X0
++ PSHUFL $0X39,X1,X1
++ PXOR X6,X0
++ PADDL X0,X4
++ MOVOA X0,X5
++ MOVOA X4,X6
++ PSLLL $7,X4
++ PSRLL $25,X6
++ PXOR X4,X1
++ PXOR X6,X1
++ PADDL X1,X5
++ MOVOA X1,X4
++ MOVOA X5,X6
++ PSLLL $9,X5
++ PSRLL $23,X6
++ PXOR X5,X2
++ PSHUFL $0X93,X1,X1
++ PXOR X6,X2
++ PADDL X2,X4
++ MOVOA X2,X5
++ MOVOA X4,X6
++ PSLLL $13,X4
++ PSRLL $19,X6
++ PXOR X4,X3
++ PSHUFL $0X4E,X2,X2
++ PXOR X6,X3
++ SUBQ $4,CX
++ PADDL X3,X5
++ MOVOA X1,X4
++ MOVOA X5,X6
++ PSLLL $18,X5
++ PXOR X7,X7
++ PSRLL $14,X6
++ PXOR X5,X0
++ PSHUFL $0X39,X3,X3
++ PXOR X6,X0
++ JA MAINLOOP2
++ PADDL 48(SP),X0
++ PADDL 0(SP),X1
++ PADDL 16(SP),X2
++ PADDL 32(SP),X3
++ MOVD X0,CX
++ MOVD X1,R8
++ MOVD X2,R9
++ MOVD X3,AX
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X2,X2
++ PSHUFL $0X39,X3,X3
++ XORL 0(SI),CX
++ XORL 48(SI),R8
++ XORL 32(SI),R9
++ XORL 16(SI),AX
++ MOVL CX,0(DI)
++ MOVL R8,48(DI)
++ MOVL R9,32(DI)
++ MOVL AX,16(DI)
++ MOVD X0,CX
++ MOVD X1,R8
++ MOVD X2,R9
++ MOVD X3,AX
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X2,X2
++ PSHUFL $0X39,X3,X3
++ XORL 20(SI),CX
++ XORL 4(SI),R8
++ XORL 52(SI),R9
++ XORL 36(SI),AX
++ MOVL CX,20(DI)
++ MOVL R8,4(DI)
++ MOVL R9,52(DI)
++ MOVL AX,36(DI)
++ MOVD X0,CX
++ MOVD X1,R8
++ MOVD X2,R9
++ MOVD X3,AX
++ PSHUFL $0X39,X0,X0
++ PSHUFL $0X39,X1,X1
++ PSHUFL $0X39,X2,X2
++ PSHUFL $0X39,X3,X3
++ XORL 40(SI),CX
++ XORL 24(SI),R8
++ XORL 8(SI),R9
++ XORL 56(SI),AX
++ MOVL CX,40(DI)
++ MOVL R8,24(DI)
++ MOVL R9,8(DI)
++ MOVL AX,56(DI)
++ MOVD X0,CX
++ MOVD X1,R8
++ MOVD X2,R9
++ MOVD X3,AX
++ XORL 60(SI),CX
++ XORL 44(SI),R8
++ XORL 28(SI),R9
++ XORL 12(SI),AX
++ MOVL CX,60(DI)
++ MOVL R8,44(DI)
++ MOVL R9,28(DI)
++ MOVL AX,12(DI)
++ MOVQ 408(SP),R9
++ MOVL 16(SP),CX
++ MOVL 36 (SP),R8
++ ADDQ $1,CX
++ SHLQ $32,R8
++ ADDQ R8,CX
++ MOVQ CX,R8
++ SHRQ $32,R8
++ MOVL CX,16(SP)
++ MOVL R8, 36 (SP)
++ CMPQ R9,$64
++ JA BYTESATLEAST65
++ JAE BYTESATLEAST64
++ MOVQ DI,SI
++ MOVQ DX,DI
++ MOVQ R9,CX
++ REP; MOVSB
++ BYTESATLEAST64:
++ DONE:
++ MOVQ 352(SP),R11
++ MOVQ 360(SP),R12
++ MOVQ 368(SP),R13
++ MOVQ 376(SP),R14
++ MOVQ 384(SP),R15
++ MOVQ 392(SP),BX
++ MOVQ 400(SP),BP
++ MOVQ R11,SP
++ RET
++ BYTESATLEAST65:
++ SUBQ $64,R9
++ ADDQ $64,DI
++ ADDQ $64,SI
++ JMP BYTESBETWEEN1AND255
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64_test.go
+===================================================================
+--- /dev/null
++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64_test.go
+@@ -0,0 +1,31 @@
++// Copyright 2019 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// +build amd64,!appengine,!gccgo
++
++package salsa
++
++import (
++ "bytes"
++ "testing"
++)
++
++func TestCounterOverflow(t *testing.T) {
++ in := make([]byte, 4096)
++ key := &[32]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5,
++ 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2}
++ for n, counter := range []*[16]byte{
++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 0, 0, 0, 0, 0, 0, 0, 0}, // zero counter
++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff}, // counter about to overflow 32 bits
++ &[16]byte{0, 1, 2, 3, 4, 5, 6, 7, 1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff}, // counter above 32 bits
++ } {
++ out := make([]byte, 4096)
++ XORKeyStream(out, in, counter, key)
++ outGeneric := make([]byte, 4096)
++ genericXORKeyStream(outGeneric, in, counter, key)
++ if !bytes.Equal(out, outGeneric) {
++ t.Errorf("%d: assembly and go implementations disagree", n)
++ }
++ }
++}
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_noasm.go
+===================================================================
+--- /dev/null
++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_noasm.go
+@@ -0,0 +1,14 @@
++// Copyright 2019 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// +build !amd64 appengine gccgo
++
++package salsa
++
++// XORKeyStream crypts bytes from in to out using the given key and counters.
++// In and out must overlap entirely or not at all. Counter
++// contains the raw salsa20 counter bytes (both nonce and block counter).
++func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
++ genericXORKeyStream(out, in, counter, key)
++}
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_ref.go
+===================================================================
+--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_ref.go
++++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_ref.go
+@@ -2,8 +2,6 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-// +build !amd64 appengine gccgo
+-
+ package salsa
+
+ const rounds = 20
+@@ -202,10 +200,9 @@ func core(out *[64]byte, in *[16]byte, k
+ out[63] = byte(x15 >> 24)
+ }
+
+-// XORKeyStream crypts bytes from in to out using the given key and counters.
+-// In and out may be the same slice but otherwise should not overlap. Counter
+-// contains the raw salsa20 counter bytes (both nonce and block counter).
+-func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
++// genericXORKeyStream is the generic implementation of XORKeyStream to be used
++// when no assembly implementation is available.
++func genericXORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {
+ var block [64]byte
+ var counterCopy [16]byte
+ copy(counterCopy[:], counter[:])
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 1970-01-01 10:00:00.000000000 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11841.patch 2020-09-07 08:27:22.000000000 +1000
@@ -0,0 +1,261 @@
+commit 6c9f9a831536511295256d4b4960fc4024ed967c
+Author: Filippo Valsorda <filippo@golang.org>
+Date: Tue Apr 23 15:32:34 2019 -0400
+
+ openpgp/clearsign: reject potentially misleading headers and messages
+
+ Aida Mynzhasova of SEC Consult Vulnerability Lab reported that the
+ clearsign package accepts some malformed messages, which can make it
+ possible for an attacker to trick a human user (but not a Go program)
+ into thinking unverified text is part of the message.
+
+ For example, if in the following message the vertical tab character is
+ printed as a new line, a human observer could believe that the
+ unverified header text is part of the signed message.
+
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Hash: SHA1\x0b\x0bThis text is part of the header.
+
+ Hello world!
+ -----BEGIN PGP SIGNATURE-----
+ Version: GnuPG v1.4.10 (GNU/Linux)
+
+ iJwEAQECAAYFAk8kMuEACgkQO9o98PRieSpMsAQAhmY/vwmNpflrPgmfWsYhk5O8
+ [...]
+ MyTpno24AjIAGb+mH1U=
+ =hIJ6
+ -----END PGP SIGNATURE-----
+
+ The OpenPGP specs are delightfully vague about purpose and validation of
+ these headers. RFC 4880, Section 7 says
+
+ The cleartext signed message consists of:
+
+ - The cleartext header '-----BEGIN PGP SIGNED MESSAGE-----' on a
+ single line,
+
+ - One or more "Hash" Armor Headers,
+
+ - Exactly one empty line not included into the message digest,
+ [...]
+
+ but also
+
+ If MD5 is the only hash used, then an
+ implementation MAY omit this header for improved V2.x compatibility.
+
+ and
+
+ If more than one message digest is used in the signature, the "Hash"
+ armor header contains a comma-delimited list of used message digests.
+
+ which seems to suggest that there can be zero or more Hash headers, each
+ with one or more algorithms, and no other header types.
+
+ Anyway, it's entirely unclear what security purpose, if any, the Hash
+ header accomplishes. If the hash is too weak to be secure or
+ unsupported, the verification will fail. Otherwise, the user shouldn't
+ care. Given its dubious function, avoid breaking abstractions to check
+ that it matches the signature, and just document it as unverified.
+
+ As for valid characters, RFC 4880 is silent, except reluctantly
+ mentioning that the Comment header can be UTF-8, but I am going to
+ assume that all hash algorithms will have ASCII names, because come on.
+
+ Even more importantly, reject non-Hash SIGNED MESSAGE headers (as opposed
+ to the SIGNATURE headers), to prevent a "Thank you!" message turning into
+
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Reminder: I need you to wire $100k to 12345566 as soon as possible.
+
+ Thank you!
+ -----BEGIN PGP SIGNATURE-----
+ [...]
+
+ While at it, also check for trailing characters after the signed message
+ delimiter, as they are invalid and can be similarly used to confuse humans.
+
+ The Decode API is also unfortunate in that it doesn't return an error,
+ so we can't tell the user what's wrong with the message, but that's what
+ we've got.
+
+ Change-Id: I8a72c4851075337443d7a27e0b49a6b6e39f5a41
+ Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/453011
+ Reviewed-by: Adam Langley <agl@google.com>
+ Reviewed-on: https://go-review.googlesource.com/c/crypto/+/173778
+ Run-TryBot: Filippo Valsorda <filippo@golang.org>
+ Reviewed-by: Adam Langley <agl@golang.org>
+ TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+diff --git a/openpgp/clearsign/clearsign.go b/openpgp/clearsign/clearsign.go
+index def4cab..4fd02a1 100644
+--- a/openpgp/clearsign/clearsign.go
++++ b/openpgp/clearsign/clearsign.go
+@@ -17,6 +17,7 @@ import (
+ "io"
+ "net/textproto"
+ "strconv"
++ "strings"
+
+ "golang.org/x/crypto/openpgp/armor"
+ "golang.org/x/crypto/openpgp/errors"
+@@ -26,7 +27,7 @@ import (
+ // A Block represents a clearsigned message. A signature on a Block can
+ // be checked by passing Bytes into openpgp.CheckDetachedSignature.
+ type Block struct {
+- Headers textproto.MIMEHeader // Optional message headers
++ Headers textproto.MIMEHeader // Optional unverified Hash headers
+ Plaintext []byte // The original message text
+ Bytes []byte // The signed message
+ ArmoredSignature *armor.Block // The signature block
+@@ -68,8 +69,13 @@ func getLine(data []byte) (line, rest []byte) {
+ return data[0:i], data[j:]
+ }
+
+-// Decode finds the first clearsigned message in data and returns it, as well
+-// as the suffix of data which remains after the message.
++// Decode finds the first clearsigned message in data and returns it, as well as
++// the suffix of data which remains after the message. Any prefix data is
++// discarded.
++//
++// If no message is found, or if the message is invalid, Decode returns nil and
++// the whole data slice. The only allowed header type is Hash, and it is not
++// verified against the signature hash.
+ func Decode(data []byte) (b *Block, rest []byte) {
+ // start begins with a newline. However, at the very beginning of
+ // the byte array, we'll accept the start string without it.
+@@ -82,8 +88,11 @@ func Decode(data []byte) (b *Block, rest []byte) {
+ return nil, data
+ }
+
+- // Consume the start line.
+- _, rest = getLine(rest)
++ // Consume the start line and check it does not have a suffix.
++ suffix, rest := getLine(rest)
++ if len(suffix) != 0 {
++ return nil, data
++ }
+
+ var line []byte
+ b = &Block{
+@@ -102,15 +111,25 @@ func Decode(data []byte) (b *Block, rest []byte) {
+ break
+ }
+
++ // Reject headers with control or Unicode characters.
++ if i := bytes.IndexFunc(line, func(r rune) bool {
++ return r < 0x20 || r > 0x7e
++ }); i != -1 {
++ return nil, data
++ }
++
+ i := bytes.Index(line, []byte{':'})
+ if i == -1 {
+ return nil, data
+ }
+
+- key, val := line[0:i], line[i+1:]
+- key = bytes.TrimSpace(key)
+- val = bytes.TrimSpace(val)
+- b.Headers.Add(string(key), string(val))
++ key, val := string(line[0:i]), string(line[i+1:])
++ key = strings.TrimSpace(key)
++ if key != "Hash" {
++ return nil, data
++ }
++ val = strings.TrimSpace(val)
++ b.Headers.Add(key, val)
+ }
+
+ firstLine := true
+diff --git a/openpgp/clearsign/clearsign_test.go b/openpgp/clearsign/clearsign_test.go
+index 2c09480..1f52cd9 100644
+--- a/openpgp/clearsign/clearsign_test.go
++++ b/openpgp/clearsign/clearsign_test.go
+@@ -44,12 +44,6 @@ func TestParse(t *testing.T) {
+ testParse(t, clearsignInput2, "\r\n\r\n(This message has a couple of blank lines at the start and end.)\r\n\r\n", "\n\n(This message has a couple of blank lines at the start and end.)\n\n\n")
+ }
+
+-func TestParseInvalid(t *testing.T) {
+- if b, _ := Decode(clearsignInput3); b != nil {
+- t.Fatal("decoded a bad clearsigned message without any error")
+- }
+-}
+-
+ func TestParseWithNoNewlineAtEnd(t *testing.T) {
+ input := clearsignInput
+ input = input[:len(input)-len("trailing")-1]
+@@ -125,6 +119,59 @@ func TestSigning(t *testing.T) {
+ }
+ }
+
++const signatureBlock = `
++-----BEGIN PGP SIGNATURE-----
++Version: OpenPrivacy 0.99
++
++yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
++vBSFjNSiVHsuAA==
++=njUN
++-----END PGP SIGNATURE-----
++`
++
++var invalidInputs = []string{
++ `
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++(This message was truncated.)
++`,
++ `
++-----BEGIN PGP SIGNED MESSAGE-----garbage
++Hash: SHA256
++
++_o/
++` + signatureBlock,
++ `
++garbage-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++_o/
++` + signatureBlock,
++ `
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA` + "\x0b\x0b" + `256
++
++_o/
++` + signatureBlock,
++ `
++-----BEGIN PGP SIGNED MESSAGE-----
++NotHash: SHA256
++
++_o/
++` + signatureBlock,
++}
++
++func TestParseInvalid(t *testing.T) {
++ for i, input := range invalidInputs {
++ if b, rest := Decode([]byte(input)); b != nil {
++ t.Errorf("#%d: decoded a bad clearsigned message without any error", i)
++ } else if string(rest) != input {
++ t.Errorf("#%d: did not return all data with a bad message", i)
++ }
++ }
++}
++
+ var clearsignInput = []byte(`
+ ;lasjlkfdsa
+
+@@ -167,13 +214,6 @@ qZg6BaTvOxepqOxnhVU=
+
+ trailing`)
+
+-var clearsignInput3 = []byte(`
+------BEGIN PGP SIGNED MESSAGE-----
+-Hash: SHA256
+-
+-(This message was truncated.)
+-`)
+-
+ var signingKey = `-----BEGIN PGP PRIVATE KEY BLOCK-----
+ Version: GnuPG v1.4.10 (GNU/Linux)
+
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series 2017-04-26 17:09:27.000000000 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/series 2020-09-07 08:29:03.000000000 +1000
@@ -1 +1,3 @@
0001-ssh-require-host-key-checking_CVE-2017-3204.patch
+CVE-2019-11841.patch
+CVE-2019-11840.patch
Reply to: