From fac8eb1cfcc3c6adc09fff9da4f8922990099735 Mon Sep 17 00:00:00 2001 From: Jim Minter Date: Mon, 14 Dec 2020 08:58:43 -0600 Subject: [PATCH] vendor --- go.mod | 1 + go.sum | 2 + vendor/github.com/codahale/etm/.travis.yml | 9 + vendor/github.com/codahale/etm/LICENSE | 21 ++ vendor/github.com/codahale/etm/README.md | 9 + vendor/github.com/codahale/etm/etm.go | 270 +++++++++++++++++++++ vendor/modules.txt | 3 + 7 files changed, 315 insertions(+) create mode 100644 vendor/github.com/codahale/etm/.travis.yml create mode 100644 vendor/github.com/codahale/etm/LICENSE create mode 100644 vendor/github.com/codahale/etm/README.md create mode 100644 vendor/github.com/codahale/etm/etm.go diff --git a/go.mod b/go.mod index 4321ad202..3c1308522 100644 --- a/go.mod +++ b/go.mod @@ -23,6 +23,7 @@ require ( github.com/apparentlymart/go-cidr v1.1.0 github.com/aws/aws-sdk-go v1.36.0 // indirect github.com/axw/gocov v1.0.0 + github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9 github.com/containers/image/v5 v5.8.1 github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a // indirect github.com/containers/storage v1.24.1 // indirect diff --git a/go.sum b/go.sum index 18d120855..a0d11fd69 100644 --- a/go.sum +++ b/go.sum @@ -341,6 +341,8 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9 h1:88tJLy+/ao5kPBv1EtNyduXeWrTHV47seJPgI7pWgDs= +github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9/go.mod h1:jy75q4Q7stkoOx8bCRnIm0t1Vh6Pt4OJvcwA9+oJsqI= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= diff --git a/vendor/github.com/codahale/etm/.travis.yml b/vendor/github.com/codahale/etm/.travis.yml new file mode 100644 index 000000000..46cc6e78c --- /dev/null +++ b/vendor/github.com/codahale/etm/.travis.yml @@ -0,0 +1,9 @@ +language: go +go: + - 1.3.3 +notifications: + # See http://about.travis-ci.org/docs/user/build-configuration/ to learn more + # about configuring notification recipients and more. + email: + recipients: + - coda.hale@gmail.com diff --git a/vendor/github.com/codahale/etm/LICENSE b/vendor/github.com/codahale/etm/LICENSE new file mode 100644 index 000000000..f9835c241 --- /dev/null +++ b/vendor/github.com/codahale/etm/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Coda Hale + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/codahale/etm/README.md b/vendor/github.com/codahale/etm/README.md new file mode 100644 index 000000000..c9f2dfc25 --- /dev/null +++ b/vendor/github.com/codahale/etm/README.md @@ -0,0 +1,9 @@ +etm +=== + +[![Build Status](https://travis-ci.org/codahale/etm.png?branch=master)](https://travis-ci.org/codahale/etm) + +A Go implementation of AES/CBC/HMAC-based AEAD constructions from +[draft-mcgrew-aead-aes-cbc-hmac-sha2-02](http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-02). + +For documentation, check [godoc](http://godoc.org/github.com/codahale/etm). diff --git a/vendor/github.com/codahale/etm/etm.go b/vendor/github.com/codahale/etm/etm.go new file mode 100644 index 000000000..fc12e7306 --- /dev/null +++ b/vendor/github.com/codahale/etm/etm.go @@ -0,0 +1,270 @@ +// Package etm provides a set of Encrypt-Then-MAC AEAD implementations, which +// combine block ciphers like AES with HMACs. +// +// AEADs +// +// An AEAD (Authenticated Encryption with Associated Data) construction provides +// a unified API for sealing messages in a way which provides both +// confidentiality *and* integrity. +// +// This not only prevents malicious tampering but also eliminates online attacks +// like padding oracle attacks which can allow an attacker to recover plaintexts +// without knowledge of the secret key (e.g., Lucky 13 attack, BEAST attack, +// etc.). +// +// By rejecting ciphertexts which have been modified, these types of attacks are +// eliminated. +// +// Constructions +// +// This package implements five proposed standards: +// +// AEAD_AES_128_CBC_HMAC_SHA_256 +// AEAD_AES_192_CBC_HMAC_SHA_384 +// AEAD_AES_256_CBC_HMAC_SHA_384 +// AEAD_AES_256_CBC_HMAC_SHA_512 +// AEAD_AES_128_CBC_HMAC_SHA1 +// +// All five constructions combine AES in CBC mode with an HMAC, but vary in the +// degree of security offered and the amount of overhead required. See +// http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-02 for full +// technical details. +// +// AES-128-CBC-HMAC-SHA-256 +// +// AEAD_AES_128_CBC_HMAC_SHA_256 requires a 32-byte key, provides 128 bits of +// security for both confidentiality and integrity, and adds up to 56 bytes of +// overhead per message. +// +// AES-192-CBC-HMAC-SHA-384 +// +// AEAD_AES_192_CBC_HMAC_SHA_384 requires a 48-byte key, provides 192 bits of +// security for both confidentiality and integrity, and adds up to 64 bytes of +// overhead per message. +// +// AES-256-CBC-HMAC-SHA-384 +// +// AEAD_AES_256_CBC_HMAC_SHA_384 requires a 56-byte key, provides 256 bits of +// security for confidentiality, provides 192 bits of security for integrity, and +// adds up to 64 bytes of overhead per message. +// +// AES-256-CBC-HMAC-SHA-512 +// +// AEAD_AES_256_CBC_HMAC_SHA_512 requires a 64-byte key, provides 256 bits of +// security for both confidentiality and integrity, and adds up to 72 bytes of +// overhead per message. +// +// AES-128-CBC-HMAC-SHA1 +// +// AEAD_AES_128_CBC_HMAC_SHA1 requires a 36-byte key, provides 128 bits of +// security for confidentiality, provides 96 bits of security for integrity, and +// adds up to 52 bytes of overhead per message. (This construction uses SHA-1, +// and should only be used when the use of SHA2 is not possible.) +package etm + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/hmac" + "crypto/sha1" + "crypto/sha256" + "crypto/sha512" + "encoding/binary" + "errors" + "fmt" + "hash" +) + +// NewAES128SHA256 returns an AEAD_AES_128_CBC_HMAC_SHA_256 instance given a +// 32-byte key or an error if the key is the wrong size. +// AEAD_AES_128_CBC_HMAC_SHA_256 combines AES-128 in CBC mode with +// HMAC-SHA-256-128. +func NewAES128SHA256(key []byte) (cipher.AEAD, error) { + return create(etmParams{ + cipherParams: aesCBC, + macAlg: sha256.New, + encKeySize: 16, + macKeySize: 16, + tagSize: 16, + key: key, + }) +} + +// NewAES192SHA384 returns an AEAD_AES_192_CBC_HMAC_SHA_384 instance given a +// 48-byte key or an error if the key is the wrong size. +// AEAD_AES_192_CBC_HMAC_SHA_384 combines AES-192 in CBC mode with +// HMAC-SHA-384-192. +func NewAES192SHA384(key []byte) (cipher.AEAD, error) { + return create(etmParams{ + cipherParams: aesCBC, + macAlg: sha512.New384, + encKeySize: 24, + macKeySize: 24, + tagSize: 24, + key: key, + }) +} + +// NewAES256SHA384 returns an AEAD_AES_256_CBC_HMAC_SHA_384 instance given a +// 56-byte key or an error if the key is the wrong size. +// AEAD_AES_256_CBC_HMAC_SHA_384 combines AES-256 in CBC mode with +// HMAC-SHA-384-192. +func NewAES256SHA384(key []byte) (cipher.AEAD, error) { + return create(etmParams{ + cipherParams: aesCBC, + macAlg: sha512.New384, + encKeySize: 32, + macKeySize: 24, + tagSize: 24, + key: key, + }) +} + +// NewAES256SHA512 returns an AEAD_AES_256_CBC_HMAC_SHA_512 instance given a +// 64-byte key or an error if the key is the wrong size. +// AEAD_AES_256_CBC_HMAC_SHA_512 combines AES-256 in CBC mode with +// HMAC-SHA-512-256. +func NewAES256SHA512(key []byte) (cipher.AEAD, error) { + return create(etmParams{ + cipherParams: aesCBC, + macAlg: sha512.New, + encKeySize: 32, + macKeySize: 32, + tagSize: 32, + key: key, + }) +} + +// NewAES128SHA1 returns an AEAD_AES_128_CBC_HMAC_SHA1 instance given a 36-byte +// key or an error if the key is the wrong size. +// AEAD_AES_128_CBC_HMAC_SHA1 combines AES-128 in CBC mode with HMAC-SHA1-96. +func NewAES128SHA1(key []byte) (cipher.AEAD, error) { + return create(etmParams{ + cipherParams: aesCBC, + macAlg: sha1.New, + encKeySize: 16, + macKeySize: 20, + tagSize: 12, + key: key, + }) +} + +type etmParams struct { + cipherParams + encKeySize, macKeySize, tagSize int + + key []byte + macAlg func() hash.Hash +} + +func create(p etmParams) (cipher.AEAD, error) { + l := p.encKeySize + p.macKeySize + if len(p.key) != l { + return nil, fmt.Errorf("etm: key must be %d bytes long", l) + } + encKey, macKey := split(p.key, p.encKeySize, p.macKeySize) + return &etmAEAD{ + etmParams: p, + encKey: encKey, + macKey: macKey, + }, nil +} + +const ( + dataLenSize = 8 +) + +type etmAEAD struct { + etmParams + encKey, macKey []byte +} + +func (aead *etmAEAD) Overhead() int { + return aead.padSize + aead.tagSize + dataLenSize + aead.NonceSize() +} + +func (aead *etmAEAD) NonceSize() int { + return aead.nonceSize +} + +func (aead *etmAEAD) Seal(dst, nonce, plaintext, data []byte) []byte { + b, _ := aead.encAlg(aead.encKey) // guaranteed to work + + c := aead.encrypter(b, nonce) + i := aead.pad(plaintext, aead.blockSize) + s := make([]byte, len(i)) + c.CryptBlocks(s, i) + s = append(nonce, s...) + + t := tag(hmac.New(aead.macAlg, aead.macKey), data, s, aead.tagSize) + + return append(dst, append(s, t...)...) +} + +func (aead *etmAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { + s := ciphertext[:len(ciphertext)-aead.tagSize] + t := ciphertext[len(ciphertext)-aead.tagSize:] + t2 := tag(hmac.New(aead.macAlg, aead.macKey), data, s, aead.tagSize) + if nonce == nil { + nonce = s[:aead.NonceSize()] + } + + if !hmac.Equal(t, t2) { + return nil, errors.New("message authentication failed") + } + + b, _ := aead.encAlg(aead.encKey) // guaranteed to work + + c := aead.decrypter(b, nonce) + o := make([]byte, len(s)-len(nonce)) + c.CryptBlocks(o, s[len(nonce):]) + + return append(dst, aead.unpad(o, aead.blockSize)...), nil +} + +type cipherParams struct { + nonceSize, blockSize, padSize int + + encAlg func(key []byte) (cipher.Block, error) + encrypter func(cipher.Block, []byte) cipher.BlockMode + decrypter func(cipher.Block, []byte) cipher.BlockMode + pad func([]byte, int) []byte + unpad func([]byte, int) []byte +} + +// AES-CBC-PKCS7 +var aesCBC = cipherParams{ + encAlg: aes.NewCipher, + blockSize: aes.BlockSize, + nonceSize: aes.BlockSize, + encrypter: cipher.NewCBCEncrypter, + decrypter: cipher.NewCBCDecrypter, + padSize: aes.BlockSize, + pad: pkcs7pad, + unpad: pkcs7unpad, +} + +func tag(h hash.Hash, data, s []byte, l int) []byte { + al := make([]byte, dataLenSize) + binary.BigEndian.PutUint64(al, uint64(len(data)*8)) // in bits + h.Write(data) + h.Write(s) + h.Write(al) + return h.Sum(nil)[:l] +} + +func split(key []byte, encKeyLen, macKeyLen int) ([]byte, []byte) { + return key[0:encKeyLen], key[len(key)-macKeyLen:] +} + +func pkcs7pad(b []byte, blockSize int) []byte { + ps := make([]byte, blockSize-(len(b)%blockSize)) + for i := range ps { + ps[i] = byte(len(ps)) + } + return append(b, ps...) +} + +func pkcs7unpad(b []byte, blockSize int) []byte { + return b[:len(b)-int(b[len(b)-1])] +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 976997c9c..435d2aa0f 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -143,6 +143,9 @@ github.com/beorn7/perks/quantile github.com/bombsimon/wsl/v3 # github.com/cespare/xxhash/v2 v2.1.1 github.com/cespare/xxhash/v2 +# github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9 +## explicit +github.com/codahale/etm # github.com/containers/image v3.0.2+incompatible github.com/containers/image/docker/reference github.com/containers/image/pkg/sysregistriesv2