From acaa1c9126a6bca9cce4d5308261c3fa5ea7e543 Mon Sep 17 00:00:00 2001
From: james pickett
Date: Thu, 11 Apr 2024 15:10:03 -0700
Subject: [PATCH 01/18] add size enforcement and tests

---
 boxer.go | 12 ++-
 cross_language_tests/boxer_cross_test.go | 90 ++++++++++++++++++++
 cross_language_tests/challenge_cross_test.go | 34 ++++++++
 lib/krypto/boxer.rb | 4 +
 lib/krypto/challenge.rb | 7 ++
 lib/krypto/challenge_response.rb | 4 +
 pkg/challenge/challenge.go | 4 +
 pkg/challenge/response.go | 4 +
 png.go | 20 +++--
 9 files changed, 168 insertions(+), 11 deletions(-)

diff --git a/boxer.go b/boxer.go
index 50e9867..cb89f02 100644
--- a/boxer.go
+++ b/boxer.go
@@ -47,8 +47,6 @@ type boxMaker struct {
 	counterparty *rsa.PublicKey
 }
 
-const maxBoxSize = 4 * 1024 * 1024
-
 func NewBoxer(key *rsa.PrivateKey, counterparty *rsa.PublicKey) boxMaker {
 	return boxMaker{
 		key: key,
@@ -172,6 +170,10 @@ func (boxer boxMaker) DecodeUnverified(b64 string) (*Box, error) {
 		return nil, fmt.Errorf("decoding base64: %w", err)
 	}
 
+	if len(data) > V0MaxSize {
+		return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize)
+	}
+
 	return boxer.DecodeRawUnverified(data)
 }
 
@@ -199,7 +201,7 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) {
 		return nil, fmt.Errorf("decoding png: %w", err)
 	}
 
-	if data.Len() > maxBoxSize {
+	if data.Len() > V0MaxSize {
 		return nil, errors.New("looks to be larger than max box size")
 	}
 
@@ -207,6 +209,10 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) {
 }
 
 func (boxer boxMaker) DecodeRaw(data []byte) (*Box, error) {
+	if len(data) > V0MaxSize {
+		return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize)
+	}
+
 	var outer outerBox
 	if err := msgpack.Unmarshal(data, &outer); err != nil {
 		return nil, fmt.Errorf("unmarshalling outer: %w", err)
diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go
index 7f69e12..a21f711 100644
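Review bot: In DecodeUnverified the new check compares `len(data)` only after the base64 input has been fully decoded, so an oversized string is allocated and decoded before it is rejected; a pre-check on the encoded form ahead of decoding (for a StdEncoding decoder, `if len(b64) > base64.StdEncoding.EncodedLen(V0MaxSize) { return nil, fmt.Errorf("data too big, is %d, max is %d", len(b64), V0MaxSize) }`) makes the limit cap the work done, and the PNG path has the same ordering since `data.Len()` is measured after image decoding. DecodeRawUnverified, which this patch guards only through its caller, looks exported from its name and so can still be handed an unbounded payload directly; it should carry the same guard as DecodeRaw. The same condition now produces different messages ("data too big, is ..." versus "looks to be larger than max box size"); one sentinel such as `var ErrBoxTooLarge = errors.New("box exceeds V0MaxSize")` wrapped with %w at every site would let callers and the cross-language tests match a single string. DecodeUnverified and DecodePngUnverified both continue outside their hunks.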
--- a/cross_language_tests/boxer_cross_test.go +++ b/cross_language_tests/boxer_cross_test.go 
@@ -301,3 +301,93 @@ func TestBoxerRuby(t *testing.T) { }) } } + +func TestBoxerMaxSize(t *testing.T) { + t.Parallel() + + // + // Setup keys and similar. + // + aliceKey, err := krypto.RsaRandomKey() + require.NoError(t, err) + var alicePubPem bytes.Buffer + require.NoError(t, krypto.RsaPublicKeyToPem(aliceKey, &alicePubPem)) + + bobKey, err := krypto.RsaRandomKey() + require.NoError(t, err) + var bobPem bytes.Buffer + require.NoError(t, krypto.RsaPrivateKeyToPem(bobKey, &bobPem)) + + malloryKey, err := krypto.RsaRandomKey() + require.NoError(t, err) + var malloryPem bytes.Buffer + require.NoError(t, krypto.RsaPrivateKeyToPem(malloryKey, &malloryPem)) + + aliceBoxer := krypto.NewBoxer(aliceKey, bobKey.Public().(*rsa.PublicKey)) + + tooBigBytes := mkrand(t, krypto.V0MaxSize+1) + tooBigBytesB64 := base64.StdEncoding.EncodeToString(tooBigBytes) + + t.Run("max size enforced in go", func(t *testing.T) { + t.Parallel() + + _, err = aliceBoxer.Decode(tooBigBytesB64) + require.ErrorContains(t, err, "data too big") + + _, err = aliceBoxer.DecodeUnverified(tooBigBytesB64) + require.ErrorContains(t, err, "data too big") + }) + + t.Run("max size enforced in ruby", func(t *testing.T) { + t.Parallel() + dir := t.TempDir() + + responseTo := ulid.New() + ciphertext, err := aliceBoxer.Encode(responseTo, tooBigBytes) + require.NoError(t, err) + + var png bytes.Buffer + pngFile := path.Join(dir, ulid.New()+".png") + require.NoError(t, krypto.ToPngNoMaxSize(&png, tooBigBytes)) + require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644)) + + tests := []boxerCrossTestCase{ + {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: ciphertext, cmd: "decode"}, + {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: ciphertext, cmd: "decodeunverified"}, + {Key: bobPem.Bytes(), Ciphertext: ciphertext, cmd: "decodeunverified"}, + {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), PngFile: pngFile, cmd: "decodepng"}, + } + + for _, tt := range tests { + tt 
:= tt + + t.Run("", func(t *testing.T) { + t.Parallel() + + if runtime.GOOS == "windows" && tt.cmd == "decodepng" { + t.Skip("skip png decode test on windows because ruby library chunky_png is looking for CRLF png signature") + } + + testfile := path.Join(dir, ulid.New()+".msgpack") + rubyout := path.Join(dir, ulid.New()+"ruby-out") + + // + // Setup + // + b, err := msgpack.Marshal(tt) + require.NoError(t, err) + require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + //#nosec G204 -- No taint on hardcoded input + cmd := exec.CommandContext(ctx, "ruby", boxerRB, tt.cmd, testfile, rubyout) + out, err := cmd.CombinedOutput() + + require.Error(t, err) + require.Contains(t, string(out), "box too large", "actual out: ", string(out)) + }) + } + }) +} diff --git a/cross_language_tests/challenge_cross_test.go b/cross_language_tests/challenge_cross_test.go index 2846421..9fc4ff6 100644 --- a/cross_language_tests/challenge_cross_test.go +++ b/cross_language_tests/challenge_cross_test.go 
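Review bot: `_, err = aliceBoxer.Decode(tooBigBytesB64)` in the "max size enforced in go" subtest assigns to the parent test's `err`, a variable the parallel subtests should not share; declare it locally with `_, err := aliceBoxer.Decode(tooBigBytesB64)` and reuse it on the next call. The Go subtest covers only the base64 entry points, while the PNG limit in DecodePngUnverified is exercised solely through the Ruby decodepng case; a Go case feeding the oversized `png` buffer to the PNG decoder would keep both languages' assertions parallel. The decodepng case expects "box too large" for input that is a raw PNG rather than a box, which only holds because the Ruby size check runs before unpng; a one-line comment on that case would save the next reader from chasing it.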
@@ -225,6 +225,40 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) { } } +func TestChallenge_MaxSize(t *testing.T) { + t.Parallel() + + tooBigBytes := mkrand(t, krypto.V0MaxSize+1) + + t.Run("max size enforced in go", func(t *testing.T) { + t.Parallel() + _, err := challenge.UnmarshalChallenge(tooBigBytes) + require.ErrorContains(t, err, "exceeds max size", "should get an error due to size") + }) + + t.Run("max size enforced in ruby", func(t *testing.T) { + t.Parallel() + + dir := t.TempDir() + rubyPrivateSigningKey := ecdsaKey(t) + + rubyChallengeCmdData := rubyChallengeCmd{ + RubyPrivateSigningKey: privateEcKeyToPem(t, rubyPrivateSigningKey), + } + + out, err := rubyChallengeExec("generate", dir, rubyChallengeCmdData) + require.NoError(t, err, string(out)) + + rubyChallengeCmdData = rubyChallengeCmd{ + ResponsePack: tooBigBytes, + } + + out, err = rubyChallengeExec("open_response_png", dir, rubyChallengeCmdData) + require.Error(t, err, string(out)) + require.Contains(t, string(out), "response too large", "should get an error due to size") + }) +} + // #nosec G306 -- Need readable files func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte, error) { testCaseBytes, err := msgpack.Marshal(inputData) diff --git a/lib/krypto/boxer.rb b/lib/krypto/boxer.rb index 9770748..0c69bd2 100644 --- a/lib/krypto/boxer.rb +++ b/lib/krypto/boxer.rb @@ -82,6 +82,10 @@ def decode_unverified(data) end def decode(data, verify: true, raw: false, png: false) + if data.size > MAX_CHALLENGE_SIZE + raise "box too large" + end + data = unpng(data) if png data = Base64.strict_decode64(data) unless raw || png outer = Outer.new(MessagePack.unpack(data).slice(*OUTER_FIELDS.map(&:to_s))) diff --git a/lib/krypto/challenge.rb b/lib/krypto/challenge.rb index 35a0136..841af04 100644 --- a/lib/krypto/challenge.rb +++ b/lib/krypto/challenge.rb 
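Review bot: The Go subtest exercises only `challenge.UnmarshalChallenge`, while the matching guard added to `UnmarshalResponse` is checked only through the Ruby `open_response_png` path; a second Go call, `_, err = challenge.UnmarshalResponse(tooBigBytes)` with its own assertion, would keep the two sides symmetric. The Ruby subtest first runs "generate" and keeps nothing from it but the error; if that step exists only so that `dir` holds a challenge for `open_response_png` to read, a one-line comment saying so would stop it from being deleted as dead setup.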
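Review bot: `decode` applies the limit to `data` before `unpng` and `Base64.strict_decode64`, i.e. to the encoded size, whereas the Go decoders measure the decoded bytes; a base64 box between 4 MiB and roughly 5.3 MiB is therefore accepted by Go and rejected here, so the two implementations should agree on which form is bounded (bounding the encoded input first, as done here, is the cheaper choice). `MAX_CHALLENGE_SIZE` is defined in challenge.rb under `module Krypto`, so this reference resolves only if that file is loaded before boxer.rb; worth confirming the require order or moving the constant to a file both share. Naming a box limit `MAX_CHALLENGE_SIZE` also reads oddly; a neutral name such as `MAX_BLOB_SIZE` with a comment stating the unit is bytes would be clearer.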
@@ -5,6 +5,9 @@ require "openssl" module Krypto + + MAX_CHALLENGE_SIZE = 4 * 1024 * 1024 + class Challenge def self.generate(signing_key, challenge_id, challenge_data, request_data, timestamp: Time.now) private_encryption_key = RbNaCl::PrivateKey.generate @@ -29,6 +32,10 @@ def self.generate(signing_key, challenge_id, challenge_data, request_data, times end def self.unmarshal(data, png: false, base64: true) + if data.size > MAX_CHALLENGE_SIZE + raise "challenge too large" + end + data = ::Krypto::Png.decode_blob(data) if png data = Base64.strict_decode64(data) if base64 OuterChallenge.new(MessagePack.unpack(data).slice(*OUTER_CHALLENGE_FIELDS.map(&:to_s))) diff --git a/lib/krypto/challenge_response.rb b/lib/krypto/challenge_response.rb index d173eea..0b93100 100644 --- a/lib/krypto/challenge_response.rb +++ b/lib/krypto/challenge_response.rb @@ -7,6 +7,10 @@ module Krypto class ChallengeResponse def self.unmarshal(data, png: false, base64: true) + if data.size > MAX_CHALLENGE_SIZE + raise "response too large" + end + data = ::Krypto::Png.decode_blob(data) if png data = Base64.strict_decode64(data) if base64 diff --git a/pkg/challenge/challenge.go b/pkg/challenge/challenge.go index 8d0e644..0477a1d 100644 --- a/pkg/challenge/challenge.go +++ b/pkg/challenge/challenge.go @@ -144,6 +144,10 @@ func (o *OuterChallenge) RespondPng(signer crypto.Signer, signer2 crypto.Signer, } func UnmarshalChallenge(outerChallengeBytes []byte) (*OuterChallenge, error) { + if len(outerChallengeBytes) > krypto.V0MaxSize { + return nil, fmt.Errorf("challenge exceeds max size: %d, max is %d", len(outerChallengeBytes), krypto.V0MaxSize) + } + var outerChallenge OuterChallenge if err := msgpack.Unmarshal(outerChallengeBytes, &outerChallenge); err != nil { return nil, err diff --git a/pkg/challenge/response.go b/pkg/challenge/response.go index d994084..e8fbbf8 100644 --- a/pkg/challenge/response.go +++ b/pkg/challenge/response.go 
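Review bot: `raise "challenge too large"` here, like `raise "response too large"` in challenge_response.rb, raises a bare RuntimeError, so callers can tell a size rejection from any other failure only by matching the string, which the cross-language tests now depend on; a dedicated class, `class TooLargeError < StandardError; end`, raised from both sites would give callers something to rescue. The new `MAX_CHALLENGE_SIZE` constant carries no comment saying it is in bytes or that it must stay equal to Go's `V0MaxSize` (both are 4 * 1024 * 1024 in this patch); a one-line note next to the constant would keep the two values from drifting apart.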
@@ -84,6 +84,10 @@ type InnerResponse struct {
 }
 
 func UnmarshalResponse(outerResponseBytes []byte) (*OuterResponse, error) {
+	if len(outerResponseBytes) > krypto.V0MaxSize {
+		return nil, fmt.Errorf("response to large: is %d, max is %d", len(outerResponseBytes), krypto.V0MaxSize)
+	}
+
 	var outerResponse OuterResponse
 	if err := msgpack.Unmarshal(outerResponseBytes, &outerResponse); err != nil {
 		return nil, err
diff --git a/png.go b/png.go
index 81920bb..19f2c5a 100644
--- a/png.go
+++ b/png.go
@@ -16,16 +16,10 @@ const (
 	pixelsInHeader = 2
 	alphaValue = 0xFF
 
-	v0MaxSize = 1 << 24
+	V0MaxSize = 4 * 1024 * 1024
 )
 
-func ToPng(w io.Writer, data []byte) error {
-	dataSize := len(data)
-
-	if dataSize > v0MaxSize {
-		return fmt.Errorf("data too big: %d is bigger than %d", dataSize, v0MaxSize)
-	}
-
+func ToPngNoMaxSize(w io.Writer, data []byte) error {
 	pixelCount := divCeil(len(data), usableBytesPerPixel)
 	pixelCount = pixelCount + pixelsInHeader + 1
 
@@ -65,6 +59,16 @@ func ToPng(w io.Writer, data []byte) error {
 	return encoder.Encode(w, img)
 }
 
+func ToPng(w io.Writer, data []byte) error {
+	dataSize := len(data)
+
+	if dataSize > V0MaxSize {
+		return fmt.Errorf("data too big: %d is bigger than %d", dataSize, V0MaxSize)
+	}
+
+	return ToPngNoMaxSize(w, data)
+}
+
 func FromPng(r io.Reader, w io.Writer) error {
 	imgRaw, _, err := image.Decode(r)
 	if err != nil {
From c7048f9531b2fd8c045a4e71aa7ad660397feade Mon Sep 17 00:00:00 2001
From: james pickett
Date: Fri, 12 Apr 2024 07:51:21 -0700
Subject: [PATCH 02/18] comments

---
 boxer.go | 3 +++
 lib/krypto/boxer.rb | 1 +
 lib/krypto/challenge.rb | 1 +
 pkg/challenge/challenge.go | 1 +
 pkg/challenge/response.go | 1 +
 png.go | 1 +
 6 files changed, 8 insertions(+)

diff --git a/boxer.go b/boxer.go
index cb89f02..580db44 100644
--- a/boxer.go
+++ b/boxer.go
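Review bot: The new error message in UnmarshalResponse reads `response to large`; it should be `response too large`. It also differs in shape from the sibling check in UnmarshalChallenge ("challenge exceeds max size: %d, max is %d"), and because TestChallenge_MaxSize matches on "exceeds max size" the response path cannot be asserted the same way; `return nil, fmt.Errorf("response exceeds max size: %d, max is %d", len(outerResponseBytes), krypto.V0MaxSize)` keeps both in step. UnmarshalResponse continues outside the hunk.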
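Review bot: `V0MaxSize` becomes exported without a doc comment, and its value changes from `1 << 24` (16 MiB) to 4 MiB, a tightening for existing ToPng callers that the commit message does not mention; a comment such as `// V0MaxSize is the largest payload, in bytes, that ToPng and the v0 box and challenge decoders accept.` would record both the unit and the role. `ToPngNoMaxSize` is a new exported function whose only visible purpose is to let the cross-language tests build an oversized PNG; it needs a doc comment stating that it skips the size limit and exists for tests, so it is not picked up as the general encoder. The body of ToPngNoMaxSize continues outside the hunk.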
@@ -170,6 +170,7 @@ func (boxer boxMaker) DecodeUnverified(b64 string) (*Box, error) { return nil, fmt.Errorf("decoding base64: %w", err) } + // Limit size to prevent garbage from filling memory if len(data) > V0MaxSize { return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize) } @@ -201,6 +202,7 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) { return nil, fmt.Errorf("decoding png: %w", err) } + // Limit size to prevent garbage from filling memory if data.Len() > V0MaxSize { return nil, errors.New("looks to be larger than max box size") } @@ -209,6 +211,7 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) { } func (boxer boxMaker) DecodeRaw(data []byte) (*Box, error) { + // Limit size to prevent garbage from filling memory if len(data) > V0MaxSize { return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize) } diff --git a/lib/krypto/boxer.rb b/lib/krypto/boxer.rb index 0c69bd2..893f537 100644 --- a/lib/krypto/boxer.rb +++ b/lib/krypto/boxer.rb @@ -82,6 +82,7 @@ def decode_unverified(data) end def decode(data, verify: true, raw: false, png: false) + # Limit size to prevent garbage from filling memory if data.size > MAX_CHALLENGE_SIZE raise "box too large" end diff --git a/lib/krypto/challenge.rb b/lib/krypto/challenge.rb index 841af04..1036d58 100644 --- a/lib/krypto/challenge.rb +++ b/lib/krypto/challenge.rb @@ -32,6 +32,7 @@ def self.generate(signing_key, challenge_id, challenge_data, request_data, times end def self.unmarshal(data, png: false, base64: true) + # Limit size to prevent garbage from filling memory if data.size > MAX_CHALLENGE_SIZE raise "challenge too large" end diff --git a/pkg/challenge/challenge.go b/pkg/challenge/challenge.go index 0477a1d..9a3dc93 100644 --- a/pkg/challenge/challenge.go +++ b/pkg/challenge/challenge.go 
@@ -144,6 +144,7 @@ func (o *OuterChallenge) RespondPng(signer crypto.Signer, signer2 crypto.Signer, } func UnmarshalChallenge(outerChallengeBytes []byte) (*OuterChallenge, error) { + // Limit size to prevent garbage from filling memory if len(outerChallengeBytes) > krypto.V0MaxSize { return nil, fmt.Errorf("challenge exceeds max size: %d, max is %d", len(outerChallengeBytes), krypto.V0MaxSize) } diff --git a/pkg/challenge/response.go b/pkg/challenge/response.go index e8fbbf8..4351ab9 100644 --- a/pkg/challenge/response.go +++ b/pkg/challenge/response.go @@ -84,6 +84,7 @@ type InnerResponse struct { } func UnmarshalResponse(outerResponseBytes []byte) (*OuterResponse, error) { + // Limit size to prevent garbage from filling memory if len(outerResponseBytes) > krypto.V0MaxSize { return nil, fmt.Errorf("response to large: is %d, max is %d", len(outerResponseBytes), krypto.V0MaxSize) } diff --git a/png.go b/png.go index 19f2c5a..e394c19 100644 --- a/png.go +++ b/png.go @@ -62,6 +62,7 @@ func ToPngNoMaxSize(w io.Writer, data []byte) error { func ToPng(w io.Writer, data []byte) error { dataSize := len(data) + // Limit size to prevent garbage from filling memory if dataSize > V0MaxSize { return fmt.Errorf("data too big: %d is bigger than %d", dataSize, V0MaxSize) } From 6d7bc5376edac7e961d065874836b1451eb81910 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 08:27:13 -0700 Subject: [PATCH 03/18] lint --- lib/krypto/challenge.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/krypto/challenge.rb b/lib/krypto/challenge.rb index 1036d58..f0523e1 100644 --- a/lib/krypto/challenge.rb +++ b/lib/krypto/challenge.rb @@ -5,7 +5,6 @@ require "openssl" module Krypto - MAX_CHALLENGE_SIZE = 4 * 1024 * 1024 class Challenge From 404eea4597741778d9451772ec0ca713c38da4b9 Mon Sep 17 00:00:00 2001 
From: james pickett Date: Fri, 12 Apr 2024 09:25:31 -0700 Subject: [PATCH 04/18] more lint --- cross_language_tests/aes_cross_test.go | 1 + cross_language_tests/boxer_cross_test.go | 3 +++ 2 files changed, 4 insertions(+) diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index 8503c76..ed449ee 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -60,6 +60,7 @@ func TestAesRuby(t *testing.T) { b, err := msgpack.Marshal(tt) require.NoError(t, err) + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) }) diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go index a21f711..058d32d 100644 --- a/cross_language_tests/boxer_cross_test.go +++ b/cross_language_tests/boxer_cross_test.go @@ -93,6 +93,7 @@ func TestBoxerRuby(t *testing.T) { b, err := msgpack.Marshal(rubyCommand) require.NoError(t, err) + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) @@ -160,6 +161,7 @@ func TestBoxerRuby(t *testing.T) { var png bytes.Buffer pngFile := path.Join(dir, ulid.New()+".png") require.NoError(t, aliceBoxer.EncodePng(responseTo, message, &png)) + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644)) tests := []boxerCrossTestCase{ @@ -200,6 +202,7 @@ func TestBoxerRuby(t *testing.T) { // b, err := msgpack.Marshal(tt) require.NoError(t, err) + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) From fe593d5f4b337c098be8701fb1c5c9e231d35ab1 Mon Sep 17 00:00:00 2001 
From: james pickett Date: Fri, 12 Apr 2024 09:29:18 -0700 Subject: [PATCH 05/18] lintage --- cross_language_tests/aes_cross_test.go | 4 ++-- cross_language_tests/boxer_cross_test.go | 12 ++++++------ cross_language_tests/rsa_cross_test.go | 2 +- rsa.go | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index ed449ee..296e053 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -40,7 +40,7 @@ func TestAesRuby(t *testing.T) { {AuthData: mkrand(t, 32), Plaintext: mkrand(t, 1024)}, } - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files for _, tt := range tests { tt := tt t.Run("", func(t *testing.T) { @@ -60,7 +60,7 @@ func TestAesRuby(t *testing.T) { b, err := msgpack.Marshal(tt) require.NoError(t, err) - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) }) diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go index 058d32d..e1bc9a8 100644 --- a/cross_language_tests/boxer_cross_test.go +++ b/cross_language_tests/boxer_cross_test.go @@ -70,7 +70,7 @@ func TestBoxerRuby(t *testing.T) { } // Ruby Decrypt Tests - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files for _, message := range testMessages { message := message @@ -93,7 +93,7 @@ func TestBoxerRuby(t *testing.T) { b, err := msgpack.Marshal(rubyCommand) require.NoError(t, err) - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) 
@@ -161,7 +161,7 @@ func TestBoxerRuby(t *testing.T) { var png bytes.Buffer pngFile := path.Join(dir, ulid.New()+".png") require.NoError(t, aliceBoxer.EncodePng(responseTo, message, &png)) - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644)) tests := []boxerCrossTestCase{ @@ -202,13 +202,13 @@ func TestBoxerRuby(t *testing.T) { // b, err := msgpack.Marshal(tt) require.NoError(t, err) - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() - //#nosec G204 -- No taint on hardcoded input + // #nosec G204 -- No taint on hardcoded input cmd := exec.CommandContext(ctx, "ruby", boxerRB, tt.cmd, testfile, rubyout) out, err := cmd.CombinedOutput() @@ -384,7 +384,7 @@ func TestBoxerMaxSize(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() - //#nosec G204 -- No taint on hardcoded input + // #nosec G204 -- No taint on hardcoded input cmd := exec.CommandContext(ctx, "ruby", boxerRB, tt.cmd, testfile, rubyout) out, err := cmd.CombinedOutput() diff --git a/cross_language_tests/rsa_cross_test.go b/cross_language_tests/rsa_cross_test.go index c85b701..cf32839 100644 --- a/cross_language_tests/rsa_cross_test.go +++ b/cross_language_tests/rsa_cross_test.go @@ -37,7 +37,7 @@ func TestRsaRuby(t *testing.T) { {Plaintext: mkrand(t, 128)}, } - //#nosec G306 -- Need readable files + // #nosec G306 -- Need readable files for _, tt := range tests { tt := tt t.Run("", func(t *testing.T) { diff --git a/rsa.go b/rsa.go index b7fe4bd..fe9c0fc 100644 --- a/rsa.go +++ b/rsa.go 
@@ -4,7 +4,7 @@ import ( "crypto" "crypto/rand" "crypto/rsa" - "crypto/sha1" //#nosec G505 -- Need compatibility + "crypto/sha1" // #nosec G505 -- Need compatibility "crypto/sha256" "crypto/x509" "encoding/pem" @@ -18,7 +18,7 @@ func RsaEncrypt(key *rsa.PublicKey, secretMessage []byte) ([]byte, error) { return nil, errors.New("Cannot encrypt with a nil key") } - //#nosec G401 -- Need compatibility + // #nosec G401 -- Need compatibility return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, secretMessage, nil) } @@ -27,7 +27,7 @@ func RsaDecrypt(key *rsa.PrivateKey, ciphertext []byte) ([]byte, error) { return nil, errors.New("Cannot decrypt with a nil key") } - //#nosec G401 -- Need compatibility + // #nosec G401 -- Need compatibility return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, ciphertext, nil) } From 59e7ebb44cef774a5496d36c766c82cd1d16259d Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 09:37:15 -0700 Subject: [PATCH 06/18] lint gods please accept my humble offering --- cross_language_tests/aes_cross_test.go | 4 ++-- cross_language_tests/boxer_cross_test.go | 12 ++++++------ cross_language_tests/rsa_cross_test.go | 2 +- rsa.go | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index 296e053..ed449ee 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -40,7 +40,7 @@ func TestAesRuby(t *testing.T) { {AuthData: mkrand(t, 32), Plaintext: mkrand(t, 1024)}, } - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files for _, tt := range tests { tt := tt t.Run("", func(t *testing.T) { @@ -60,7 +60,7 @@ func TestAesRuby(t *testing.T) { b, err := msgpack.Marshal(tt) require.NoError(t, err) - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) }) 
diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go index e1bc9a8..058d32d 100644 --- a/cross_language_tests/boxer_cross_test.go +++ b/cross_language_tests/boxer_cross_test.go @@ -70,7 +70,7 @@ func TestBoxerRuby(t *testing.T) { } // Ruby Decrypt Tests - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files for _, message := range testMessages { message := message @@ -93,7 +93,7 @@ func TestBoxerRuby(t *testing.T) { b, err := msgpack.Marshal(rubyCommand) require.NoError(t, err) - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) @@ -161,7 +161,7 @@ func TestBoxerRuby(t *testing.T) { var png bytes.Buffer pngFile := path.Join(dir, ulid.New()+".png") require.NoError(t, aliceBoxer.EncodePng(responseTo, message, &png)) - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644)) tests := []boxerCrossTestCase{ @@ -202,13 +202,13 @@ func TestBoxerRuby(t *testing.T) { // b, err := msgpack.Marshal(tt) require.NoError(t, err) - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() - // #nosec G204 -- No taint on hardcoded input + //#nosec G204 -- No taint on hardcoded input cmd := exec.CommandContext(ctx, "ruby", boxerRB, tt.cmd, testfile, rubyout) out, err := cmd.CombinedOutput() 
@@ -384,7 +384,7 @@ func TestBoxerMaxSize(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() - // #nosec G204 -- No taint on hardcoded input + //#nosec G204 -- No taint on hardcoded input cmd := exec.CommandContext(ctx, "ruby", boxerRB, tt.cmd, testfile, rubyout) out, err := cmd.CombinedOutput() diff --git a/cross_language_tests/rsa_cross_test.go b/cross_language_tests/rsa_cross_test.go index cf32839..c85b701 100644 --- a/cross_language_tests/rsa_cross_test.go +++ b/cross_language_tests/rsa_cross_test.go @@ -37,7 +37,7 @@ func TestRsaRuby(t *testing.T) { {Plaintext: mkrand(t, 128)}, } - // #nosec G306 -- Need readable files + //#nosec G306 -- Need readable files for _, tt := range tests { tt := tt t.Run("", func(t *testing.T) { diff --git a/rsa.go b/rsa.go index fe9c0fc..b7fe4bd 100644 --- a/rsa.go +++ b/rsa.go @@ -4,7 +4,7 @@ import ( "crypto" "crypto/rand" "crypto/rsa" - "crypto/sha1" // #nosec G505 -- Need compatibility + "crypto/sha1" //#nosec G505 -- Need compatibility "crypto/sha256" "crypto/x509" "encoding/pem" @@ -18,7 +18,7 @@ func RsaEncrypt(key *rsa.PublicKey, secretMessage []byte) ([]byte, error) { return nil, errors.New("Cannot encrypt with a nil key") } - // #nosec G401 -- Need compatibility + //#nosec G401 -- Need compatibility return rsa.EncryptOAEP(sha1.New(), rand.Reader, key, secretMessage, nil) } @@ -27,7 +27,7 @@ func RsaDecrypt(key *rsa.PrivateKey, ciphertext []byte) ([]byte, error) { return nil, errors.New("Cannot decrypt with a nil key") } - // #nosec G401 -- Need compatibility + //#nosec G401 -- Need compatibility return rsa.DecryptOAEP(sha1.New(), rand.Reader, key, ciphertext, nil) } From e3a4b2595be5256a5738daad6706301428fa5ff1 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 09:39:23 -0700 Subject: [PATCH 07/18] trying again --- cross_language_tests/aes_cross_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index ed449ee..26282ae 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -60,8 +60,8 @@ func TestAesRuby(t *testing.T) { b, err := msgpack.Marshal(tt) require.NoError(t, err) - //#nosec G306 -- Need readable files - require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) + + require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) // #nosec G306 -- Need readable files }) t.Run("ruby decrypt go", func(t *testing.T) { From a90e10c8d5f434aff1e8b3dd6acb6cea18535bce Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 09:42:59 -0700 Subject: [PATCH 08/18] tryin more stuff --- cross_language_tests/aes_cross_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index 26282ae..f04ac0c 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -49,6 +49,7 @@ func TestAesRuby(t *testing.T) { dir := t.TempDir() testfile := path.Join(dir, "testcase.msgpack") + // #nosec G306 -- Need readable files t.Run("setup", func(t *testing.T) { if tt.Key == nil { tt.Key = mkrand(t, 32) @@ -61,7 +62,7 @@ func TestAesRuby(t *testing.T) { b, err := msgpack.Marshal(tt) require.NoError(t, err) - require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) // #nosec G306 -- Need readable files + require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644)) }) t.Run("ruby decrypt go", func(t *testing.T) { From fa49ed444844d7783229eb7de72a0979cc98737e Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 09:46:04 -0700 Subject: [PATCH 09/18] please --- cross_language_tests/aes_cross_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go index f04ac0c..3dd83a0 100644 --- a/cross_language_tests/aes_cross_test.go +++ b/cross_language_tests/aes_cross_test.go @@ -25,6 +25,7 @@ var ( aesRB = "./aes.rb" ) +// #nosec G306 -- Need readable files func TestAesRuby(t *testing.T) { t.Parallel() @@ -49,7 +50,6 @@ func TestAesRuby(t *testing.T) { dir := t.TempDir() testfile := path.Join(dir, "testcase.msgpack") - // #nosec G306 -- Need readable files t.Run("setup", func(t *testing.T) { if tt.Key == nil { tt.Key = mkrand(t, 32) From 0b329b5275ea5dbc5575d2f2f6ce1c7ba57d0fc7 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 09:53:56 -0700 Subject: [PATCH 10/18] try upgrading go --- go.mod | 2 +- go.sum | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index d92de16..c93b134 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/kolide/krypto -go 1.19 +go 1.21 require ( github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab diff --git a/go.sum b/go.sum index 587da71..579673b 100644 --- a/go.sum +++ b/go.sum @@ -55,6 +55,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-sev-guest v0.5.2 h1:dlCehnxU9aJWEIcTb0j7oZ/yM4qeno7AO6zWokb4mu0= +github.com/google/go-sev-guest v0.5.2/go.mod h1:UEi9uwoPbLdKGl1QHaq1G8pfCbQ4QP0swWX4J0k6r+Q= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= 
@@ -64,8 +65,10 @@ github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N github.com/google/go-tpm-tools v0.3.11 h1:imObhmECgDS+ua4aAVPkMfCzE9LTZjS/MmVMCrAG4VY= github.com/google/go-tpm-tools v0.3.11/go.mod h1:5UcOsOyG5B2hWhKsqNI3TtOjTcZs5sh+3913uMN29Y8= github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= +github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= 
@@ -98,9 +101,11 @@ github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/opencensus-integrations/ocsql v0.1.1/go.mod h1:ozPYpNVBHZsX33jfoQPO5TlI5lqh0/3R36kirEqJKAM= github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= @@ -223,6 +228,7 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= From 67b03204e06ae886ef0f9656b04958b8e48219e8 Mon Sep 17 00:00:00 2001 
From: james pickett Date: Fri, 12 Apr 2024 10:22:12 -0700 Subject: [PATCH 11/18] fix lint, I hope --- .golangci.yml | 4 +--- cross_language_tests/aes_cross_test.go | 3 +-- cross_language_tests/boxer_cross_test.go | 4 +++- cross_language_tests/challenge_cross_test.go | 5 +++-- cross_language_tests/rsa_cross_test.go | 8 +++++++- 5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index e40fc47..37afe75 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,4 @@
 run:
- skip-dirs:
- - test-cmds
 timeout: 5m
 linters:
@@ -36,4 +34,4 @@ issues:
 # False positive: https://github.com/kunwardeep/paralleltest/issues/8.
 - linters:
 - paralleltest
- text: "does not use range value in test Run"
\ No newline at end of file
+ text: "does not use range value in test Run"
diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go
index 3dd83a0..533ea77 100644
--- a/cross_language_tests/aes_cross_test.go
+++ b/cross_language_tests/aes_cross_test.go
@@ -25,7 +25,6 @@ var (
 aesRB = "./aes.rb"
 )
-// #nosec G306 -- Need readable files
 func TestAesRuby(t *testing.T) {
 t.Parallel()
@@ -41,7 +40,6 @@ func TestAesRuby(t *testing.T) {
 {AuthData: mkrand(t, 32), Plaintext: mkrand(t, 1024)},
 }
- //#nosec G306 -- Need readable files
 for _, tt := range tests {
 tt := tt
 t.Run("", func(t *testing.T) {
@@ -62,6 +60,7 @@ func TestAesRuby(t *testing.T) {
 b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 })
diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go
index 058d32d..9065dbf 100644
--- a/cross_language_tests/boxer_cross_test.go
+++ b/cross_language_tests/boxer_cross_test.go
@@ -70,7 +70,6 @@ func TestBoxerRuby(t *testing.T) {
 }
 // Ruby Decrypt Tests
- //#nosec G306 -- Need readable files
 for _, message := range testMessages {
 message := message
@@ -251,6 +250,7 @@ func TestBoxerRuby(t *testing.T) {
 b, err := msgpack.Marshal(rubyCommand)
 require.NoError(t, err)
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
@@ -352,6 +352,7 @@ func TestBoxerMaxSize(t *testing.T) {
 var png bytes.Buffer
 pngFile := path.Join(dir, ulid.New()+".png")
 require.NoError(t, krypto.ToPngNoMaxSize(&png, tooBigBytes))
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644))
 tests := []boxerCrossTestCase{
@@ -379,6 +380,7 @@ func TestBoxerMaxSize(t *testing.T) {
 // b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
diff --git a/cross_language_tests/challenge_cross_test.go b/cross_language_tests/challenge_cross_test.go
index 9fc4ff6..4acd3d4 100644
--- a/cross_language_tests/challenge_cross_test.go
+++ b/cross_language_tests/challenge_cross_test.go
@@ -259,7 +259,6 @@ func TestChallenge_MaxSize(t *testing.T) {
 })
 }
-// #nosec G306 -- Need readable files
 func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte, error) {
 testCaseBytes, err := msgpack.Marshal(inputData)
 if err != nil {
@@ -270,7 +269,9 @@ func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte,
 inFilePath := filepath.Join(dir, "in")
- if err := os.WriteFile(inFilePath, testCaseBytesBase64, 0644); err != nil {
+ //#nosec G306 -- Need readable files
+ err = os.WriteFile(inFilePath, testCaseBytesBase64, 0644)
+ if err != nil {
 return nil, err
 }
diff --git a/cross_language_tests/rsa_cross_test.go b/cross_language_tests/rsa_cross_test.go
index c85b701..e2685ec 100644
--- a/cross_language_tests/rsa_cross_test.go
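Review bot: In rubyChallengeExec the `if err := os.WriteFile(...); err != nil {` idiom is unpicked into a bare assignment plus a separate `if` purely so the `//#nosec G306` comment has a statement to sit on, and `err` now reuses the variable bound earlier by msgpack.Marshal instead of being scoped to the check. As far as I can tell gosec also honours the annotation as a trailing comment on the flagged statement, so the scoped form could stay: `if err := os.WriteFile(inFilePath, testCaseBytesBase64, 0644); err != nil { //#nosec G306 -- Need readable files`. Whichever form is kept, the justification is more useful if it says who needs to read the file, e.g. `//#nosec G306 -- fixture is read by the Ruby child process; 0644 is intentional`, and the same wording applies to the sibling annotations in the aes, boxer and rsa test hunks above. rubyChallengeExec continues outside the hunk.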
+++ b/cross_language_tests/rsa_cross_test.go
@@ -37,7 +37,6 @@ func TestRsaRuby(t *testing.T) {
 {Plaintext: mkrand(t, 128)},
 }
- //#nosec G306 -- Need readable files
 for _, tt := range tests {
 tt := tt
 t.Run("", func(t *testing.T) {
@@ -72,6 +71,7 @@ func TestRsaRuby(t *testing.T) {
 b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 cmd := exec.CommandContext(ctx, "ruby", rsaRB, "decrypt", testfile, path.Join(dir, "ruby-decrypt"))
@@ -98,6 +98,8 @@ func TestRsaRuby(t *testing.T) {
 b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 cmd := exec.CommandContext(ctx, "ruby", rsaRB, "encrypt", testfile, path.Join(dir, "ruby-encrypt"))
@@ -130,6 +132,8 @@ func TestRsaRuby(t *testing.T) {
 b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 cmd := exec.CommandContext(ctx, "ruby", rsaRB, "verify", testfile, path.Join(dir, "ruby-verify"))
@@ -157,6 +161,8 @@ func TestRsaRuby(t *testing.T) {
 b, err := msgpack.Marshal(tt)
 require.NoError(t, err)
+
+ //#nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
 cmd := exec.CommandContext(ctx, "ruby", rsaRB, "sign", testfile, path.Join(dir, "ruby-signed"))
From 58f828eb7c5c08137aa700b63ce6021b249dc592 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 13:03:57 -0700 Subject: [PATCH 12/18] more linting (kill me) --- go.mod | 4 ++-- go.sum | 4 ++++ pkg/secureenclave/secureenclave.go | 6 ++++++ 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index c93b134..c0ee8d2 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require ( github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab github.com/stretchr/testify v1.8.0 github.com/vmihailenco/msgpack/v5 v5.3.5 - golang.org/x/crypto v0.17.0 + golang.org/x/crypto v0.22.0 ) require ( @@ -16,6 +16,6 @@ require ( github.com/oklog/ulid v1.3.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect - golang.org/x/sys v0.15.0 // indirect + golang.org/x/sys v0.19.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 579673b..582143a 100644 --- a/go.sum +++ b/go.sum @@ -162,6 +162,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -196,6 +198,8 @@ golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/pkg/secureenclave/secureenclave.go b/pkg/secureenclave/secureenclave.go index 0991f51..20c9643 100644 --- a/pkg/secureenclave/secureenclave.go +++ b/pkg/secureenclave/secureenclave.go @@ -133,6 +133,9 @@ func findKey(publicKeySha1 []byte) (*ecdsa.PublicKey, error) { func rawToEcdsa(raw []byte) *ecdsa.PublicKey { ecKey := new(ecdsa.PublicKey) ecKey.Curve = elliptic.P256() + // lint here suggestest using ecdh package, but we are using ecdsa key through out the code + // have found a straight forward to go from ecdh.P256().NewPublicKey(raw) -> ecdsa.PublicKey + //nolint:staticcheck ecKey.X, ecKey.Y = elliptic.Unmarshal(ecKey.Curve, raw) return ecKey } @@ -142,6 +145,9 @@ func publicKeyLookUpHash(key *ecdsa.PublicKey) ([]byte, error) { return nil, errors.New("public key has nil XY coordinates") } + // lint here suggestest using ecdh package, but we are using ecdsa key through out the code + // have found a straight forward to go from ecdh.P256().NewPublicKey(raw) -> ecdsa.PublicKey + //nolint:staticcheck keyBytes := elliptic.Marshal(elliptic.P256(), key.X, key.Y) hash := sha1.New() hash.Write(keyBytes) From 29cbe74f3305b070c56097085e11907570880c31 Mon Sep 17 00:00:00 2001 
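Review bot: rawToEcdsa never checks the result of `elliptic.Unmarshal`, which returns nil X and Y when `raw` is not a valid uncompressed point on P-256, so the function returns a key with nil coordinates that fails later, if at all; the `//nolint:staticcheck` directive silences the deprecation but leaves that path untouched. Adding `if ecKey.X == nil { return nil }` after the Unmarshal (and handling nil at the caller), or changing the signature to return an error, would make the bad-input case explicit; publicKeyLookUpHash already guards nil coordinates, so only the first site needs it. The two identical justification comments also have typos and appear to be missing a negation — suggest `// staticcheck suggests crypto/ecdh here, but ecdsa keys are used throughout and there is no straightforward way to convert ecdh.P256().NewPublicKey(raw) into an ecdsa.PublicKey` on both. Both enclosing functions continue outside the hunks.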
From: james pickett Date: Fri, 12 Apr 2024 13:07:09 -0700 Subject: [PATCH 13/18] undo mod, sum changes --- go.mod | 6 +++--- go.sum | 10 ---------- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/go.mod b/go.mod index c0ee8d2..d92de16 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,12 @@ module github.com/kolide/krypto -go 1.21 +go 1.19 require ( github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab github.com/stretchr/testify v1.8.0 github.com/vmihailenco/msgpack/v5 v5.3.5 - golang.org/x/crypto v0.22.0 + golang.org/x/crypto v0.17.0 ) require ( @@ -16,6 +16,6 @@ require ( github.com/oklog/ulid v1.3.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect - golang.org/x/sys v0.19.0 // indirect + golang.org/x/sys v0.15.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 582143a..587da71 100644 --- a/go.sum +++ b/go.sum @@ -55,7 +55,6 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-sev-guest v0.5.2 h1:dlCehnxU9aJWEIcTb0j7oZ/yM4qeno7AO6zWokb4mu0= -github.com/google/go-sev-guest v0.5.2/go.mod h1:UEi9uwoPbLdKGl1QHaq1G8pfCbQ4QP0swWX4J0k6r+Q= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= 
@@ -65,10 +64,8 @@ github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N github.com/google/go-tpm-tools v0.3.11 h1:imObhmECgDS+ua4aAVPkMfCzE9LTZjS/MmVMCrAG4VY= github.com/google/go-tpm-tools v0.3.11/go.mod h1:5UcOsOyG5B2hWhKsqNI3TtOjTcZs5sh+3913uMN29Y8= github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= -github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/uuid v0.0.0-20161128191214-064e2069ce9c/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= 
@@ -101,11 +98,9 @@ github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/opencensus-integrations/ocsql v0.1.1/go.mod h1:ozPYpNVBHZsX33jfoQPO5TlI5lqh0/3R36kirEqJKAM= github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= -github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= @@ -162,8 +157,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -198,8 +191,6 @@ golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -232,7 +223,6 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= From 23e99a04bbc115663975343c4e9b9207182c4204 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 13:19:07 -0700 Subject: [PATCH 14/18] moar lint --- pkg/secureenclave/secureenclave_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/secureenclave/secureenclave_test.go b/pkg/secureenclave/secureenclave_test.go index a5e25aa..2b571e5 100644 
--- a/pkg/secureenclave/secureenclave_test.go
+++ b/pkg/secureenclave/secureenclave_test.go
@@ -111,14 +111,13 @@ func TestSecureEnclaveErrors(t *testing.T) {
 require.Error(t, err, "new secure enclave keyer should error with nil existing key")
 }
-// #nosec G306 -- Need readable files
 func copyFile(t *testing.T, source, destination string) {
 bytes, err := os.ReadFile(source)
 require.NoError(t, err)
+ // #nosec G306 -- Need readable files
 require.NoError(t, os.WriteFile(destination, bytes, 0700))
 }
-// #nosec G204 -- This triggers due to using env var in cmd, making exception for test
 func signApp(t *testing.T, appRootDir string) {
 codeSignId := os.Getenv("MACOS_CODESIGN_IDENTITY")
 require.NotEmpty(t, codeSignId, "need MACOS_CODESIGN_IDENTITY env var to sign app, such as [Mac Developer: Jane Doe (ABCD123456)]")
@@ -126,6 +125,7 @@ func signApp(t *testing.T, appRootDir string) {
 ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 defer cancel()
+ // #nosec G204 -- This triggers due to using env var in cmd, making exception for test
 cmd := exec.CommandContext(
 ctx,
 "codesign",
From 47e3fc08993ed7da86b01e464d2650ad8a93bb68 Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 13:29:40 -0700 Subject: [PATCH 15/18] move around comments --- lib/krypto/challenge.rb | 1 + pkg/challenge/challenge.go | 1 - png.go | 3 +-- 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/krypto/challenge.rb b/lib/krypto/challenge.rb
index f0523e1..e08e34a 100644
--- a/lib/krypto/challenge.rb
+++ b/lib/krypto/challenge.rb
@@ -5,6 +5,7 @@ require "openssl"
 module Krypto
+ # Limit size to prevent garbage from filling memory
 MAX_CHALLENGE_SIZE = 4 * 1024 * 1024
 class Challenge
diff --git a/pkg/challenge/challenge.go b/pkg/challenge/challenge.go
index 9a3dc93..0477a1d 100644
--- a/pkg/challenge/challenge.go
+++ b/pkg/challenge/challenge.go
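Review bot: The `// #nosec G306 -- Need readable files` justification in copyFile does not describe the call it now annotates: `os.WriteFile(destination, bytes, 0700)` grants owner rwx and nothing to anyone else, so it is the execute bit, not readability, that pushes the mode past gosec's 0600 threshold. The comment should state the actual reason the mode is needed — presumably that the copied app-bundle contents must stay executable for codesign, to be confirmed against copyFile's callers — e.g. `// #nosec G306 -- 0700 keeps the copied bundle contents executable for signing`. The G204 annotation in signApp is correctly placed on the exec.CommandContext call it excuses.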
@@ -144,7 +144,6 @@ func (o *OuterChallenge) RespondPng(signer crypto.Signer, signer2 crypto.Signer,
 }
 func UnmarshalChallenge(outerChallengeBytes []byte) (*OuterChallenge, error) {
- // Limit size to prevent garbage from filling memory
 if len(outerChallengeBytes) > krypto.V0MaxSize {
 return nil, fmt.Errorf("challenge exceeds max size: %d, max is %d", len(outerChallengeBytes), krypto.V0MaxSize)
 }
diff --git a/png.go b/png.go
index e394c19..ec6dcdd 100644
--- a/png.go
+++ b/png.go
@@ -16,6 +16,7 @@ const (
 pixelsInHeader = 2
 alphaValue = 0xFF
+ // Limit size to prevent garbage from filling memory
 V0MaxSize = 4 * 1024 * 1024
 )
@@ -61,8 +62,6 @@ func ToPngNoMaxSize(w io.Writer, data []byte) error {
 func ToPng(w io.Writer, data []byte) error {
 dataSize := len(data)
-
- // Limit size to prevent garbage from filling memory
 if dataSize > V0MaxSize {
 return fmt.Errorf("data too big: %d is bigger than %d", dataSize, V0MaxSize)
 }
From a324923c87e2af1c176adf8114e460dab19a2a2e Mon Sep 17 00:00:00 2001 From: james pickett Date: Fri, 12 Apr 2024 13:36:20 -0700 Subject: [PATCH 16/18] more comments --- boxer.go | 3 --- pkg/challenge/response.go | 1 - 2 files changed, 4 deletions(-)
diff --git a/boxer.go b/boxer.go
index 580db44..cb89f02 100644
--- a/boxer.go
+++ b/boxer.go
@@ -170,7 +170,6 @@ func (boxer boxMaker) DecodeUnverified(b64 string) (*Box, error) {
 return nil, fmt.Errorf("decoding base64: %w", err)
 }
- // Limit size to prevent garbage from filling memory
 if len(data) > V0MaxSize {
 return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize)
 }
@@ -202,7 +201,6 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) {
 return nil, fmt.Errorf("decoding png: %w", err)
 }
- // Limit size to prevent garbage from filling memory
 if data.Len() > V0MaxSize {
 return nil, errors.New("looks to be larger than max box size")
 }
@@ -211,7 +209,6 @@ func (boxer boxMaker) DecodePngUnverified(r io.Reader) (*Box, error) {
 }
 func (boxer boxMaker) DecodeRaw(data []byte) (*Box, error) {
- // Limit size to prevent garbage from filling memory
 if len(data) > V0MaxSize {
 return nil, fmt.Errorf("data too big, is %d, max is %d", len(data), V0MaxSize)
 }
diff --git a/pkg/challenge/response.go b/pkg/challenge/response.go
index 4351ab9..e8fbbf8 100644
--- a/pkg/challenge/response.go
+++ b/pkg/challenge/response.go
@@ -84,7 +84,6 @@ type InnerResponse struct {
 }
 func UnmarshalResponse(outerResponseBytes []byte) (*OuterResponse, error) {
- // Limit size to prevent garbage from filling memory
 if len(outerResponseBytes) > krypto.V0MaxSize {
 return nil, fmt.Errorf("response to large: is %d, max is %d", len(outerResponseBytes), krypto.V0MaxSize)
 }
From 013d6650f564dbbe2bd0679f0be8e679d62e6c22 Mon Sep 17 00:00:00 2001 From: james pickett Date: Tue, 16 Apr 2024 08:39:20 -0700 Subject: [PATCH 17/18] remove PngNoMaxSizeFunc, update tests --- cross_language_tests/boxer_cross_test.go | 14 ++++---------- png.go | 16 ++++++---------- 2 files changed, 10 insertions(+), 20 deletions(-)
diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go
index 9065dbf..b08fcf5 100644
--- a/cross_language_tests/boxer_cross_test.go
+++ b/cross_language_tests/boxer_cross_test.go
@@ -345,20 +345,14 @@ func TestBoxerMaxSize(t *testing.T) {
 t.Parallel()
 dir := t.TempDir()
- responseTo := ulid.New()
- ciphertext, err := aliceBoxer.Encode(responseTo, tooBigBytes)
- require.NoError(t, err)
-
- var png bytes.Buffer
 pngFile := path.Join(dir, ulid.New()+".png")
- require.NoError(t, krypto.ToPngNoMaxSize(&png, tooBigBytes))
 //#nosec G306 -- Need readable files
- require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644))
+ require.NoError(t, os.WriteFile(pngFile, []byte(tooBigBytesB64), 0644))
 tests := []boxerCrossTestCase{
- {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: ciphertext, cmd: "decode"},
- {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: ciphertext, cmd: "decodeunverified"},
- {Key: bobPem.Bytes(), Ciphertext: ciphertext, cmd: "decodeunverified"},
+ {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: tooBigBytesB64, cmd: "decode"},
+ {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), Ciphertext: tooBigBytesB64, cmd: "decodeunverified"},
+ {Key: bobPem.Bytes(), Ciphertext: tooBigBytesB64, cmd: "decodeunverified"},
 {Key: bobPem.Bytes(), Counterparty: alicePubPem.Bytes(), PngFile: pngFile, cmd: "decodepng"},
 }
diff --git a/png.go b/png.go
index ec6dcdd..f541c3a 100644
--- a/png.go
+++ b/png.go
@@ -20,7 +20,12 @@ const (
 V0MaxSize = 4 * 1024 * 1024
 )
-func ToPngNoMaxSize(w io.Writer, data []byte) error {
+func ToPng(w io.Writer, data []byte) error {
+ dataSize := len(data)
+ if dataSize > V0MaxSize {
+ return fmt.Errorf("data too big: %d is bigger than %d", dataSize, V0MaxSize)
+ }
+
 pixelCount := divCeil(len(data), usableBytesPerPixel)
 pixelCount = pixelCount + pixelsInHeader + 1
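Review bot: After this change `pngFile` holds base64 text (`[]byte(tooBigBytesB64)`) rather than an encoded PNG, so the `decodepng` row in TestBoxerMaxSize no longer exercises the size limit: the Ruby decoder will presumably reject the file as a malformed image before any size check runs, and if the test only asserts that some error occurred it now passes for the wrong reason. With ToPngNoMaxSize removed, an oversized fixture can't be produced through the public API, so either build a real PNG of the required dimensions inside the test (image/png with the same pixel layout) or drop the `decodepng` row and record in a comment why the PNG path is not covered here. TestBoxerMaxSize continues outside the hunk.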
@@ -60,15 +65,6 @@ func ToPngNoMaxSize(w io.Writer, data []byte) error {
 return encoder.Encode(w, img)
 }
-func ToPng(w io.Writer, data []byte) error {
- dataSize := len(data)
- if dataSize > V0MaxSize {
- return fmt.Errorf("data too big: %d is bigger than %d", dataSize, V0MaxSize)
- }
-
- return ToPngNoMaxSize(w, data)
-}
-
 func FromPng(r io.Reader, w io.Writer) error {
 imgRaw, _, err := image.Decode(r)
 if err != nil {
From de317875d9804a287b0c78405b67e4043ac95846 Mon Sep 17 00:00:00 2001 From: james pickett Date: Wed, 17 Apr 2024 07:20:36 -0700 Subject: [PATCH 18/18] add test-cmds to exclude dirs, add test-cmds to .gitignore --- .gitignore | 1 + .golangci.yml | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/.gitignore b/.gitignore
index ab479ba..414d680 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ coverage.out
 /Gemfile.lock
 /.vscode
+/test-cmds/
diff --git a/.golangci.yml b/.golangci.yml
index 37afe75..3f95eea 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -30,6 +30,8 @@ linters-settings:
 simplify: false
 issues:
+ exclude-dirs:
+ - test-cmds
 exclude-rules:
 # False positive: https://github.com/kunwardeep/paralleltest/issues/8.
 - linters:
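Review bot: With ToPng now carrying the V0MaxSize check, the cap is enforced only on the encode side; FromPng still hands the caller's `r` straight to `image.Decode(r)` with no bound on how many bytes it reads or how large an image it allocates, and the `data.Len() > V0MaxSize` check in boxer.DecodePngUnverified (earlier on this page) only runs after the whole image has been decoded, i.e. after the memory has already been spent. For a decode path fed from outside the process the limit needs to sit before the decode: `imgRaw, _, err := image.Decode(io.LimitReader(r, maxPngBytes))`, where `maxPngBytes` is a new constant derived from V0MaxSize plus the encoder's header and per-pixel overhead, or alternatively a header-only `image.DecodeConfig` pass on a buffered reader to reject dimensions that exceed what V0MaxSize implies. FromPng's body continues outside the hunk.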