| Age | Commit message (Collapse) | Author |
|---|
|
I had forgotten, which caused amd64 allocations to go back up
significantly. Added an allocations test.
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.50ms ± 0% 1.48ms ± 0% -0.95% (p=0.000 n=9+10)
DecryptPKCS1v15/3072-8 4.64ms ± 1% 4.60ms ± 0% -0.82% (p=0.000 n=8+10)
DecryptPKCS1v15/4096-8 10.7ms ± 0% 10.6ms ± 1% -0.99% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 158µs ± 0% 157µs ± 0% -0.63% (p=0.000 n=10+10)
DecryptOAEP/2048-8 1.50ms ± 0% 1.48ms ± 0% -1.09% (p=0.000 n=9+10)
EncryptOAEP/2048-8 161µs ± 0% 160µs ± 0% -0.34% (p=0.000 n=9+10)
SignPKCS1v15/2048-8 1.55ms ± 0% 1.53ms ± 1% -1.32% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 157µs ± 0% 157µs ± 0% -0.33% (p=0.004 n=9+10)
SignPSS/2048-8 1.55ms ± 0% 1.54ms ± 0% -1.14% (p=0.000 n=10+10)
VerifyPSS/2048-8 160µs ± 0% 160µs ± 0% -0.32% (p=0.000 n=10+10)
name old alloc/op new alloc/op delta
DecryptPKCS1v15/2048-8 15.0kB ± 0% 0.6kB ± 0% -95.74% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 17.9kB ± 0% 3.5kB ± 0% -80.65% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 19.1kB ± 0% 4.7kB ± 0% -75.25% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 7.51kB ± 0% 1.17kB ± 0% -84.39% (p=0.000 n=10+10)
DecryptOAEP/2048-8 15.3kB ± 0% 0.9kB ± 0% -94.29% (p=0.000 n=10+10)
EncryptOAEP/2048-8 7.74kB ± 0% 1.40kB ± 0% -81.86% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 21.6kB ± 0% 0.9kB ± 0% -95.86% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 7.25kB ± 0% 0.91kB ± 0% -87.42% (p=0.000 n=10+10)
SignPSS/2048-8 22.0kB ± 0% 1.3kB ± 0% -94.12% (p=0.000 n=10+10)
VerifyPSS/2048-8 7.46kB ± 0% 1.12kB ± 0% -84.98% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
DecryptPKCS1v15/2048-8 54.0 ± 0% 4.0 ± 0% -92.59% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 29.0 ± 0% 7.0 ± 0% -75.86% (p=0.000 n=10+10)
DecryptOAEP/2048-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
EncryptOAEP/2048-8 35.0 ± 0% 13.0 ± 0% -62.86% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 77.0 ± 0% 5.0 ± 0% -93.51% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 28.0 ± 0% 6.0 ± 0% -78.57% (p=0.000 n=10+10)
SignPSS/2048-8 82.0 ± 0% 10.0 ± 0% -87.80% (p=0.000 n=10+10)
VerifyPSS/2048-8 33.0 ± 0% 11.0 ± 0% -66.67% (p=0.000 n=10+10)
Fixes #58501
Change-Id: I418c5152833787b80220b556336ec284674c2493
Reviewed-on: https://go-review.googlesource.com/c/go/+/460542
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
|
|
Updates #58483
Tested on Linux amd64:
type Element struct {
l0, l1, l2, l3, l4 uint64
}
type PointAfter struct {
x, y, z, t Element
_ incomparable
}
type PointBefore struct {
_ incomparable
x, y, z, t Element
}
type incomparable [0]func()
func main() {
fmt.Println(unsafe.Sizeof(PointAfter{})) // 168
fmt.Println(unsafe.Sizeof(PointBefore{})) // 160
}
Change-Id: I6c4fcb586bbf3febf62b6e54608496ff81685e43
Reviewed-on: https://go-review.googlesource.com/c/go/+/467616
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: If092ae7c72b66f172ae32fa6c7294a7ac250362e
Reviewed-on: https://go-review.googlesource.com/c/go/+/463995
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
|
|
The two crypto modules are both named "asm". If both are included in a
single go.work (e.g., from `go work use -r .` in the repo), builds break
from "module asm appears multiple times in workspace".
Give these modules fully-qualified names to avoid conflicts. While we
are here, also expand the name of two other testdata modules. Those
modules don't currently conflict, but they have vague names at risk of
future conflicts.
Fixes #57769.
Change-Id: I2bd8a505051e92348d49560ec698ed921f2c81be
Reviewed-on: https://go-review.googlesource.com/c/go/+/461896
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
|
|
This is the second round to look for spelling mistakes. This time the
manual sifting of the result list was made easier by filtering out
capitalized and camelcase words.
grep -r --include '*.go' -E '^// .*$' . | aspell list | grep -E -x '[A-Za-z]{1}[a-z]*' | sort | uniq
This PR will be imported into Gerrit with the title and first
comment (this text) used to generate the subject and body of
the Gerrit change.
Change-Id: Ie8a2092aaa7e1f051aa90f03dbaf2b9aaf5664a9
GitHub-Last-Rev: fc2bd6e0c51652f13a7588980f1408af8e6080f5
GitHub-Pull-Request: golang/go#57737
Reviewed-on: https://go-review.googlesource.com/c/go/+/461595
Auto-Submit: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
|
|
Add the text from dev.boringcrypto's README making clear what
this code is and that it is unsupported.
Change-Id: Ie49e8ccff10436f5d27ed422f159b4899193c9a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/460515
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
VerifyASN1 became directly reachable without encoding/decoding in
CL 353849, so it's now possible for the signature to be empty.
Change-Id: I37d6400945ab541120180bf73335e0ec93322947
Reviewed-on: https://go-review.googlesource.com/c/go/+/452635
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
With this change, we are down to 1.2x the running time of the previous
variable time implementation.
name old time/op new time/op delta
DecryptPKCS1v15/2048-4 1.37ms ± 0% 1.61ms ± 0% +17.54% (p=0.000 n=18+10)
DecryptPKCS1v15/3072-4 3.99ms ± 1% 5.46ms ± 1% +36.64% (p=0.000 n=20+10)
DecryptPKCS1v15/4096-4 8.95ms ± 1% 12.04ms ± 0% +34.53% (p=0.000 n=20+10)
EncryptPKCS1v15/2048-4 9.24µs ± 7% 223.34µs ± 0% +2317.67% (p=0.000 n=20+9)
DecryptOAEP/2048-4 1.38ms ± 1% 1.62ms ± 0% +17.31% (p=0.000 n=20+10)
EncryptOAEP/2048-4 11.5µs ± 6% 225.4µs ± 0% +1851.82% (p=0.000 n=20+10)
SignPKCS1v15/2048-4 1.38ms ± 0% 1.68ms ± 0% +21.25% (p=0.000 n=20+9)
VerifyPKCS1v15/2048-4 8.75µs ±11% 221.94µs ± 0% +2435.02% (p=0.000 n=20+9)
SignPSS/2048-4 1.39ms ± 1% 1.68ms ± 0% +21.18% (p=0.000 n=20+10)
VerifyPSS/2048-4 11.1µs ± 8% 224.7µs ± 0% +1917.03% (p=0.000 n=20+8)
Change-Id: I2a91ba99fcd0f86f2b5191d17170da755d7c4690
Reviewed-on: https://go-review.googlesource.com/c/go/+/452095
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Ignoring custom curves, this makes the whole package constant-time.
There is a slight loss in performance for P-384 and P-521 because bigmod
is slower than math/big (but P-256 has an assembly scalar field
inversion, so doesn't use bigmod for anything big).
name old time/op new time/op delta
Sign/P256-8 19.2µs ± 2% 19.1µs ± 2% ~ (p=0.268 n=9+10)
Sign/P384-8 166µs ± 3% 188µs ± 2% +13.52% (p=0.000 n=10+10)
Sign/P521-8 337µs ± 2% 359µs ± 2% +6.46% (p=0.000 n=10+10)
Verify/P256-8 58.1µs ± 2% 58.1µs ± 2% ~ (p=0.971 n=10+10)
Verify/P384-8 484µs ± 2% 569µs ±12% +17.65% (p=0.000 n=10+10)
Verify/P521-8 1.03ms ± 4% 1.14ms ± 2% +11.02% (p=0.000 n=10+10)
GenerateKey/P256-8 12.4µs ±12% 12.0µs ± 2% ~ (p=0.063 n=10+10)
GenerateKey/P384-8 129µs ±18% 119µs ± 2% ~ (p=0.190 n=10+10)
GenerateKey/P521-8 241µs ± 2% 240µs ± 2% ~ (p=0.436 n=10+10)
name old alloc/op new alloc/op delta
Sign/P256-8 3.08kB ± 0% 2.47kB ± 0% -19.77% (p=0.000 n=10+10)
Sign/P384-8 6.16kB ± 0% 2.64kB ± 0% -57.16% (p=0.000 n=10+10)
Sign/P521-8 7.87kB ± 0% 3.01kB ± 0% -61.80% (p=0.000 n=10+10)
Verify/P256-8 1.29kB ± 1% 0.48kB ± 0% -62.69% (p=0.000 n=10+10)
Verify/P384-8 2.49kB ± 1% 0.64kB ± 0% -74.25% (p=0.000 n=10+10)
Verify/P521-8 3.31kB ± 0% 0.96kB ± 0% -71.02% (p=0.000 n=7+10)
GenerateKey/P256-8 720B ± 0% 920B ± 0% +27.78% (p=0.000 n=10+10)
GenerateKey/P384-8 921B ± 0% 1120B ± 0% +21.61% (p=0.000 n=9+10)
GenerateKey/P521-8 1.30kB ± 0% 1.44kB ± 0% +10.45% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
Sign/P256-8 45.0 ± 0% 33.0 ± 0% -26.67% (p=0.000 n=10+10)
Sign/P384-8 69.0 ± 0% 34.0 ± 0% -50.72% (p=0.000 n=10+10)
Sign/P521-8 71.0 ± 0% 35.0 ± 0% -50.70% (p=0.000 n=10+10)
Verify/P256-8 23.0 ± 0% 10.0 ± 0% -56.52% (p=0.000 n=10+10)
Verify/P384-8 43.0 ± 0% 14.0 ± 0% -67.44% (p=0.000 n=10+10)
Verify/P521-8 45.0 ± 0% 14.0 ± 0% -68.89% (p=0.000 n=7+10)
GenerateKey/P256-8 13.0 ± 0% 14.0 ± 0% +7.69% (p=0.000 n=10+10)
GenerateKey/P384-8 16.0 ± 0% 17.0 ± 0% +6.25% (p=0.000 n=10+10)
GenerateKey/P521-8 16.5 ± 3% 17.0 ± 0% +3.03% (p=0.033 n=10+10)
Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d
Reviewed-on: https://go-review.googlesource.com/c/go/+/353849
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
This will let us reuse it in crypto/ecdsa for the NIST scalar fields.
The main change in API is around encoding and decoding. The SetBytes +
ExpandFor sequence was hacky: SetBytes could produce a bigger size than
the modulus if leading zeroes in the top byte overflowed the limb
boundary, so ExpandFor had to check for and tolerate that. Also, the
caller was responsible for checking that the overflow was actually all
zeroes (which we weren't doing, exposing a crasher in decryption and
signature verification) and then for checking that the result was less
than the modulus. Instead, make SetBytes take a modulus and return an
error if the value overflows. Same with Bytes: we were always allocating
based on Size before FillBytes anyway, so now Bytes takes a modulus.
Finally, SetBig was almost only used for moduli, so replaced
NewModulusFromNat and SetBig with NewModulusFromBig.
Moved the constant-time bitLen to math/big.Int.BitLen. It's slower, but
BitLen is primarily used in cryptographic code, so it's safer this way.
Change-Id: Ibaf7f36d80695578cb80484167d82ce1aa83832f
Reviewed-on: https://go-review.googlesource.com/c/go/+/450055
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Change-Id: I69065f8adf101fdb28682c55997f503013a50e29
Reviewed-on: https://go-review.googlesource.com/c/go/+/449757
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Joedian Reid <joedian@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
|
Update crypto/ecdh to use boringcrypto when enabled.
Change-Id: Idd0ce06a22b1a62289b383c46893800621c7d97b
Reviewed-on: https://go-review.googlesource.com/c/go/+/423363
Run-TryBot: Russ Cox <rsc@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
This was the last piece of ref10 code, including the infamous "Christmas
tree" in scMulAdd, that approximately all Ed25519 implementations
inherited. Replace the whole scalar field implementation with a
fiat-crypto generated one, like those in crypto/internal/nistec/fiat.
The only complexity is the wide reduction (both for the 64-byte one and
for the clamped input). For that we do a limbed reduction suggested by
Frank Denis.
Some minor housekeeping and test changes from filippo.io/edwards25519
are included, as part of syncing with downstream.
Ignoring the autogenerated file, the diff is
268 insertions(+), 893 deletions(-)
George Tankersley signed the Individual CLA and authorized me to submit
this change on his behalf at the time he contributed it to
filippo.io/edwards25519.
Co-authored-by: George Tankersley <george.tankersley@gmail.com>
Change-Id: I4084b4d3813f36e16b3d8839df75da1b4fd7846b
Reviewed-on: https://go-review.googlesource.com/c/go/+/420454
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
crypto/rsa assumes RSA OAEP uses the same hash to be used for both the label
and the mask generation function. However, implementations in other languages,
such as Java and Python, allow these parameters to be specified independently.
This change allows the MGF hash to be specified independently for decrypt
operations in order to allow decrypting ciphertexts generated in other
environments.
Fixes: #19974
Change-Id: If453d628f0da354ceb3b52863f30087471670f7b
Reviewed-on: https://go-review.googlesource.com/c/go/+/418874
Auto-Submit: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Robert Griesemer <gri@google.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Run-TryBot: Andrew Bonventre <andybons@golang.org>
|
|
Change-Id: Ic16824482142d4de4d0b949459e36505ee944ff7
Reviewed-on: https://go-review.googlesource.com/c/go/+/448175
Reviewed-by: Robert Griesemer <gri@google.com>
Run-TryBot: Dan Kortschak <dan@kortschak.io>
Auto-Submit: Robert Griesemer <gri@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Dan Kortschak <dan@kortschak.io>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
|
Change-Id: I92e110023739c6f8f7815c7e47ad7639c4e8812d
Reviewed-on: https://go-review.googlesource.com/c/go/+/435279
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: xie cui <523516579@qq.com>
|
|
Fix the coversion between our sentinel salt length variables and the
BoringSSL versions in SignRSAPSS. We previously set -1 (hash length
equals salt length) when 0 was passed when we should've been setting
-2. This now matches the conversion that happens in VerifyRSAPSS. Also
adds a note documenting why we do this.
Additionally in non-Boring mode, properly handle passing of salt lengths
with a negative value which aren't one of the magic constants, returning
an error instead of panicking.
See https://commondatastorage.googleapis.com/chromium-boringssl-docs/rsa.h.html#RSA_sign_pss_mgf1
for the BoringSSL docs.
Fixes #54803
Change-Id: Id1bd14dcf0ef4733867367257830ed43e25ef882
Reviewed-on: https://go-review.googlesource.com/c/go/+/426659
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
|
Change-Id: I73081b85e763122be1f5c0dbab25cecc9cf809df
Reviewed-on: https://go-review.googlesource.com/c/go/+/426087
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: xie cui <523516579@qq.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
|
|
Update the version of BoringCrypto to boringssl tag
fips-20210429, for which FIPS approval is "in process".
Add GOARCH=arm64 BoringCrypto support.
Shuffle build to run as distinct steps in Docker so that
we can rerun later parts like build-goboring.sh without
rerunning all the setup.
Strip unnecessary parts of the syso using --strip-unneeded,
which cuts the amd64 syso from 10MB to 2.5MB.
The new arm64 syso is 2MB, so even though we added a new
architecture, we have half as much syso to distribute.
Change-Id: I0f7327389a3a485b82577abea9153d006418298f
Reviewed-on: https://go-review.googlesource.com/c/go/+/423362
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
Generics lets us write Cache[K, V] instead of using unsafe.Pointer,
which lets us remove all the uses of package unsafe around the
uses of the cache.
I tried to do Cache[*K, *V] instead of Cache[K, V] but that was not possible.
Change-Id: If3b54cf4c8d2a44879a5f343fd91ecff096537e9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423357
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
|
|
This avoids an import conflict with crypto/subtle.
CL 424175 does the same for x/crypto.
Change-Id: Id4a319b3283b8affaaf769062388325b31fe1715
Reviewed-on: https://go-review.googlesource.com/c/go/+/424194
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
|
|
If a program only uses ecdh.P256(), the implementation of the other
curves shouldn't end up in the binary. This mostly required moving some
operations from init() time. Small performance hit in uncompressed
Bytes/SetBytes, but not big enough to show up in higher-level
benchmarks. If it becomes a problem, we can fix it by pregenerating the
p-1 bytes representation in generate.go.
For #52182
Updates #52221
Change-Id: I64460973b59ee3df787d7e967a6c2bcbc114ba65
Reviewed-on: https://go-review.googlesource.com/c/go/+/402555
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Fernando Lobato Meeser <felobato@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
We use crypto/internal/edwards25519/field to implement X25519 directly,
so that golang.org/x/crypto/curve25519 can be dropped from the src
module dependencies, and eventually replaced with a crypto/ecdh wrapper,
removing the need to keep golang.org/x/crypto/curve25519/internal/field
in sync with crypto/internal/edwards25519/field.
In crypto/internal/nistec, we add BytesX to serialize only the x
coordinate, which we'll need for the horrible ECDSA x-coord-to-scalar
operation, too.
In crypto/tls, we replace the ECDHE implementation with crypto/ecdh,
dropping the X25519 special cases and related scaffolding.
Finally, FINALLY, we deprecate the ~white whale~ big.Int-based APIs of
the crypto/elliptic package. •_•) ( •_•)>⌐■-■ (⌐■_■)
Fixes #52182
Fixes #34648
Fixes #52221
Change-Id: Iccdda210319cc892e96bb28a0e7b7123551982c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/398914
Reviewed-by: Fernando Lobato Meeser <felobato@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
So we don't have to duplicate the logic to detect noopt builder in
multiple places.
Based on khr@'s suggestion in CL 422037.
Change-Id: Idb338e8bc08cdf00460574bfc0d2f7018c79bbd5
Reviewed-on: https://go-review.googlesource.com/c/go/+/422038
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
|
|
Change-Id: I228a23754656b41843573bd4217de4df46c9df36
Reviewed-on: https://go-review.googlesource.com/c/go/+/417954
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
|
|
Requested by the maintainers of the OpenSSL-based fork of Go+BoringCrypto,
to make maintaining that fork easier.
Change-Id: I770e70ecc12b589034da31edecf59c73b2c6e1dd
Reviewed-on: https://go-review.googlesource.com/c/go/+/407135
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Russ Cox <rsc@golang.org>
|
|
This CL addresses the comments on CL 403154.
For #51940.
Change-Id: I99bb3530916d469077bfbd53095bfcd1d2aa82ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/403976
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
|
- formatting and optimized init functionality for precomputed table
- updated formatting for comments
- further optimized init functionality
Fixes #52709
Change-Id: Ie96a8ee52f09821d5ac53115185cbc1ad8f954d2
Reviewed-on: https://go-review.googlesource.com/c/go/+/404058
Auto-Submit: Lynn Boger <laboger@linux.vnet.ibm.com>
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com>
Reviewed-by: Bill O'Farrell <billotosyr@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Pooja Shyamsundar <poojashyam@ibm.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Add support for ppc64le assembler to p256. Most of the changes
are due to the change in nistec interfaces.
There is a change to p256MovCond based on a reviewer's comment.
LXVD2X replaces the use of LXVW4X in one function.
In addition, some refactoring has been done to this file to
reduce size and improve readability:
- Eliminate the use of defines to switch between V and VSX
registers. V regs can be used for instructions some that
previously required VSX.
- Use XXPERMDI instead of VPERM to swap bytes loaded and
stored with LXVD2X and STXVD2X instructions. This eliminates
the need to load the byte swap string into a vector.
- Use VMRGEW and VMRGOW instead of VPERM in the VMULT
macros. This also avoids the need to load byte strings to
swap the high and low values.
These changes reduce the file by about 10% and shows an
improvement of about 2% at runtime.
For #52182
Change-Id: Ic48050fc81bb273b7b4023e54864f4255dcc2a4f
Reviewed-on: https://go-review.googlesource.com/c/go/+/399755
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Paul Murphy <murp@ibm.com>
|
|
This will allow us to use crypto/internal/edwards25519/field from
crypto/ecdh to implement X25519, dropping the dependency on
golang.org/x/crypto/curve25519.
For #52182
Change-Id: I3be9debc6e13bf06944b98668f34313a975914d0
Reviewed-on: https://go-review.googlesource.com/c/go/+/402556
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
So it's reachable from crypto/ecdsa and the upcoming crypto/ecdh.
No code changes.
For #52182
Change-Id: Ie3216052f46c6ef7ec64d8b87a233a9c50c4b16a
Reviewed-on: https://go-review.googlesource.com/c/go/+/398674
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Discovered running recent changes against Google internal tests.
Change-Id: Ief51eae82c9f27d2a2a70c4fb2b1086fa8b3f9d8
Reviewed-on: https://go-review.googlesource.com/c/go/+/404295
Auto-Submit: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
In the original BoringCrypto port, ecdsa and rsa's public and private
keys added a 'boring unsafe.Pointer' field to cache the BoringCrypto
form of the key. This led to problems with code that “knew” the layout
of those structs and in particular that they had no unexported fields.
In response, as an awful kludge, I changed the compiler to pretend
that field did not exist when laying out reflect data. Because we want
to merge BoringCrypto in the main tree, we need a different solution.
Using boring.Cache is that solution.
For #51940.
Change-Id: Ideb2b40b599a1dc223082eda35a5ea9abcc01e30
Reviewed-on: https://go-review.googlesource.com/c/go/+/395883
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
In the original BoringCrypto port, ecdsa and rsa's public and private
keys added a 'boring unsafe.Pointer' field to cache the BoringCrypto
form of the key. This led to problems with code that “knew” the layout
of those structs and in particular that they had no unexported fields.
In response, as an awful kludge, I changed the compiler to pretend
that field did not exist when laying out reflect data. Because we want
to merge BoringCrypto in the main tree, we need a different solution.
The different solution is this CL's boring.Cache, which is a
concurrent, GC-aware map from unsafe.Pointer to unsafe.Pointer (if
generics were farther along we could use them nicely here, but I am
afraid of breaking tools that aren't ready to see generics in the
standard library yet).
More complex approaches are possible, but a simple, fixed-size hash
table is easy to make concurrent and should be fine.
For #51940.
Change-Id: I44062a8defbd87b705a787cffc64c6a9d0132785
Reviewed-on: https://go-review.googlesource.com/c/go/+/395882
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
|
|
This API was added only for BoringCrypto, never shipped in standard
Go. This API is also not compatible with the expected future evolution
of crypto/x509, as we move closer to host verifiers on macOS and Windows.
If we want to merge BoringCrypto into the main tree, it is best not to
have differing API. So instead of a hook set by crypto/tls, move the
actual check directly into crypto/x509, eliminating the need for
exposed API.
For #51940.
Change-Id: Ia2ae98c745de818d39501777014ea8166cab0b03
Reviewed-on: https://go-review.googlesource.com/c/go/+/395878
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
One annoying difference between dev.boringcrypto and master is that
there is not a clear separation between low-level (math/big-free)
crypto and high-level crypto, because crypto/internal/boring imports
both encoding/asn1 and math/big.
This CL removes both those problematic imports and aligns the
dependency rules in the go/build test with the ones in the main
branch.
To remove encoding/asn1, the crypto/internal/boring APIs change to
accepting and returning encoded ASN.1, leaving crypto/ecdsa to do the
marshaling and unmarshaling, which it already contains code to do.
To remove math/big, the crypto/internal/boring package defines
type BigInt []uint, which is the same representation as a big.Int's
internal storage. The new package crypto/internal/boring/bbig provides
conversions between BigInt and *big.Int. The boring package can then
be in the low-level crypto set, and any package needing to use bignum
APIs (necessarily in the high-level crypto set) can import bbig to
convert.
To simplify everything we hide from the test the fact that
crypto/internal/boring imports cgo. Better to pretend it doesn't and
keep the prohibitions that other packages like crypto/aes must not use
cgo (outside of BoringCrypto).
$ git diff origin/master src/go/build/deps_test.go
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index 6ce872e297..a63979cc93 100644
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -402,9 +402,13 @@ var depsRules = `
NET, log
< net/mail;
+ NONE < crypto/internal/boring/sig;
+ sync/atomic < crypto/internal/boring/fipstls;
+ crypto/internal/boring/sig, crypto/internal/boring/fipstls < crypto/tls/fipsonly;
+
# CRYPTO is core crypto algorithms - no cgo, fmt, net.
# Unfortunately, stuck with reflect via encoding/binary.
- encoding/binary, golang.org/x/sys/cpu, hash
+ crypto/internal/boring/sig, encoding/binary, golang.org/x/sys/cpu, hash
< crypto
< crypto/subtle
< crypto/internal/subtle
@@ -413,6 +417,8 @@ var depsRules = `
< crypto/ed25519/internal/edwards25519/field, golang.org/x/crypto/curve25519/internal/field
< crypto/ed25519/internal/edwards25519
< crypto/cipher
+ < crypto/internal/boring
+ < crypto/boring
< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
crypto/sha1, crypto/sha256, crypto/sha512
< CRYPTO;
@@ -421,6 +427,7 @@ var depsRules = `
# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
CRYPTO, FMT, math/big, embed
+ < crypto/internal/boring/bbig
< crypto/rand
< crypto/internal/randutil
< crypto/ed25519
@@ -443,7 +450,8 @@ var depsRules = `
< golang.org/x/crypto/hkdf
< crypto/x509/internal/macos
< crypto/x509/pkix
- < crypto/x509
+ < crypto/x509;
+ crypto/internal/boring/fipstls, crypto/x509
< crypto/tls;
# crypto-aware packages
@@ -653,6 +661,9 @@ func findImports(pkg string) ([]string, error) {
}
var imports []string
var haveImport = map[string]bool{}
+ if pkg == "crypto/internal/boring" {
+ haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
+ }
fset := token.NewFileSet()
for _, file := range files {
name := file.Name()
For #51940.
Change-Id: I26fc752484310d77d22adb06495120a361568d04
Reviewed-on: https://go-review.googlesource.com/c/go/+/395877
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
The standard Go implementations are allocation-free.
Making the BoringCrypto ones the same helps avoid
surprises, including in some of our own tests.
For #51940.
Change-Id: Ic9c5dc46f5e29ca85f571244be2b380ec2cf89c9
Reviewed-on: https://go-review.googlesource.com/c/go/+/395876
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
conversion
The conversion via byte slices is inefficient; we can convert via word slices
and avoid the copy entirely.
For #51940.
Change-Id: I06f747e0acffffae427d9706d43bdacf146c027d
Reviewed-on: https://go-review.googlesource.com/c/go/+/395875
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
A plain make.bash in this tree will produce a working,
standard Go toolchain, not a BoringCrypto-enabled one.
The BoringCrypto-enabled one will be created with:
GOEXPERIMENT=boringcrypto ./make.bash
For #51940.
Change-Id: Ia9102ed993242eb1cb7f9b93eca97e81986a27b3
Reviewed-on: https://go-review.googlesource.com/c/go/+/395881
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
podman
The 'docker' command line tool is no longer available on my Linux laptop
due to Docker's new licensing rules. 'sudo podman' seems to work fine,
so suggest that instead.
Change-Id: Ib80211404dadb567c8741720ece2a73a6ad4040a
Reviewed-on: https://go-review.googlesource.com/c/go/+/395874
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
goboringcrypto_linux_amd64.syso references pthread functions, so
we need to pass -pthread to the C linker when external linking.
Usually it is automatically added when linking with runtime/cgo
package. But in shared linkage the runtime/cgo package may be in
a separate DSO and not part of this invocation.
Fixes #49965.
Change-Id: I3a9983e715ee804594a14006f212f76769ad71db
Reviewed-on: https://go-review.googlesource.com/c/go/+/369161
Trust: Cherry Mui <cherryyz@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: I1aa33cabd0c55fe64994b08f8a3f7b6bbfb3282c
|
|
boring-specific files
This makes the latest Go 1.18 cmd/dist happier.
Change-Id: If1894ce4f60a0b604a2bd889974ddb16c405e0c7
Reviewed-on: https://go-review.googlesource.com/c/go/+/359474
Trust: Russ Cox <rsc@golang.org>
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
|
When these packages are released as part of Go 1.18,
Go 1.16 will no longer be supported, so we can remove
the +build tags in these files.
Ran go fix -fix=buildtag std cmd and then reverted the bootstrapDirs
as defined in src/cmd/dist/buildtool.go, which need to continue
to build with Go 1.4 for now.
Also reverted src/vendor and src/cmd/vendor, which will need
to be updated in their own repos first.
Manual changes in runtime/pprof/mprof_test.go to adjust line numbers.
For #41184.
Change-Id: Ic0f93f7091295b6abc76ed5cd6e6746e1280861e
Reviewed-on: https://go-review.googlesource.com/c/go/+/344955
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
|
|
dev.boringcrypto
There used to be two BoringCrypto-specific behaviors related to cipher
suites in crypto/tls:
1. in FIPS-only mode, only a restricted set of AES ciphers is allowed
2. NOT in FIPS-only mode, AES would be prioritized over ChaCha20 even if
AES hardware was not available
The motivation of (2) is unclear, and BoringSSL doesn't have equivalent
logic. This merge drops (2), and keeps (1). Note that the list of
FIPS-only ciphers does not have priority semantics anymore, but the
default logic still sorts them the same way as they used to be.
Change-Id: I50544011085cfa2b087f323aebf5338c0bd2dd33
|
|
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).
Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild
Change-Id: Ia0534360e4957e58cd9a18429c39d0e32a6addb4
Reviewed-on: https://go-review.googlesource.com/c/go/+/294430
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
The section doesn't survive some of the mangling of the object file we
do while building it, and ld.lld --icf=safe throws a warning on it.
Could have changed the clang invocation to add -fno-addrsig, but this
change is safer in that it doesn't affect the FIPS module build.
Change-Id: I65e097a48857f90aaa641dceb47120350ba8c073
Reviewed-on: https://go-review.googlesource.com/c/go/+/290170
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
certificate 3678
Replace the chroot scaffolding with Docker, which brings its own caching
and works on macOS.
Fixes #40188
Change-Id: I5c96417932e952cbaf1e2991d131c1d5dd7d9921
Reviewed-on: https://go-review.googlesource.com/c/go/+/263997
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
|
|
VerifyRSAPKCS1v15
This matches the new crypto/rsa behavior introduced in CL 226203.
Updates #21896
Change-Id: If04eeff933d7310c2baa0f8fd26907892c2397fd
Reviewed-on: https://go-review.googlesource.com/c/go/+/227651
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
|
finalizers safer
RSA key types have a finalizer that will free the underlying C value
when the Go one is garbage collected. It's important that the finalizer
doesn't run while a cgo call is using the underlying C value, so they
require runtime.KeepAlive calls after each use.
This is error prone, so replace it with a closure that provides access
to the underlying C value and then automatically calls KeepAlive.
AES, HMAC, and ECDSA also need KeepAlives, but they have much fewer call
sites, so avoid the complexity for now.
Change-Id: I6d6f38297cd1cf384a1639974d9739a939cbdbcc
Reviewed-on: https://go-review.googlesource.com/c/go/+/221822
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
|
