| Age | Commit message (Collapse) | Author |
|---|
|
I had forgotten, which caused amd64 allocations to go back up
significantly. Added an allocations test.
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.50ms ± 0% 1.48ms ± 0% -0.95% (p=0.000 n=9+10)
DecryptPKCS1v15/3072-8 4.64ms ± 1% 4.60ms ± 0% -0.82% (p=0.000 n=8+10)
DecryptPKCS1v15/4096-8 10.7ms ± 0% 10.6ms ± 1% -0.99% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 158µs ± 0% 157µs ± 0% -0.63% (p=0.000 n=10+10)
DecryptOAEP/2048-8 1.50ms ± 0% 1.48ms ± 0% -1.09% (p=0.000 n=9+10)
EncryptOAEP/2048-8 161µs ± 0% 160µs ± 0% -0.34% (p=0.000 n=9+10)
SignPKCS1v15/2048-8 1.55ms ± 0% 1.53ms ± 1% -1.32% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 157µs ± 0% 157µs ± 0% -0.33% (p=0.004 n=9+10)
SignPSS/2048-8 1.55ms ± 0% 1.54ms ± 0% -1.14% (p=0.000 n=10+10)
VerifyPSS/2048-8 160µs ± 0% 160µs ± 0% -0.32% (p=0.000 n=10+10)
name old alloc/op new alloc/op delta
DecryptPKCS1v15/2048-8 15.0kB ± 0% 0.6kB ± 0% -95.74% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 17.9kB ± 0% 3.5kB ± 0% -80.65% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 19.1kB ± 0% 4.7kB ± 0% -75.25% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 7.51kB ± 0% 1.17kB ± 0% -84.39% (p=0.000 n=10+10)
DecryptOAEP/2048-8 15.3kB ± 0% 0.9kB ± 0% -94.29% (p=0.000 n=10+10)
EncryptOAEP/2048-8 7.74kB ± 0% 1.40kB ± 0% -81.86% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 21.6kB ± 0% 0.9kB ± 0% -95.86% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 7.25kB ± 0% 0.91kB ± 0% -87.42% (p=0.000 n=10+10)
SignPSS/2048-8 22.0kB ± 0% 1.3kB ± 0% -94.12% (p=0.000 n=10+10)
VerifyPSS/2048-8 7.46kB ± 0% 1.12kB ± 0% -84.98% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
DecryptPKCS1v15/2048-8 54.0 ± 0% 4.0 ± 0% -92.59% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 29.0 ± 0% 7.0 ± 0% -75.86% (p=0.000 n=10+10)
DecryptOAEP/2048-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10)
EncryptOAEP/2048-8 35.0 ± 0% 13.0 ± 0% -62.86% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 77.0 ± 0% 5.0 ± 0% -93.51% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 28.0 ± 0% 6.0 ± 0% -78.57% (p=0.000 n=10+10)
SignPSS/2048-8 82.0 ± 0% 10.0 ± 0% -87.80% (p=0.000 n=10+10)
VerifyPSS/2048-8 33.0 ± 0% 11.0 ± 0% -66.67% (p=0.000 n=10+10)
Fixes #58501
Change-Id: I418c5152833787b80220b556336ec284674c2493
Reviewed-on: https://go-review.googlesource.com/c/go/+/460542
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
|
|
Message marshalling makes use of BytesOrPanic a lot, under the
assumption that it will never panic. This assumption was incorrect, and
specifically crafted handshakes could trigger panics. Rather than just
surgically replacing the usages of BytesOrPanic in paths that could
panic, replace all usages of it with proper error returns in case there
are other ways of triggering panics which we didn't find.
In one specific case, the tree routed by expandLabel, we replace the
usage of BytesOrPanic, but retain a panic. This function already
explicitly panicked elsewhere, and returning an error from it becomes
rather painful because it requires changing a large number of APIs.
The marshalling is unlikely to ever panic, as the inputs are all either
fixed length, or already limited to the sizes required. If it were to
panic, it'd likely only be during development. A close inspection shows
no paths for a user to cause a panic currently.
This patches ends up being rather large, since it requires routing
errors back through functions which previously had no error returns.
Where possible I've tried to use helpers that reduce the verbosity
of frequently repeated stanzas, and to make the diffs as minimal as
possible.
Thanks to Marten Seemann for reporting this issue.
Fixes #58001
Fixes CVE-2022-41724
Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468125
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Michael Pratt <mpratt@google.com>
|
|
Updates #58483
Tested on Linux amd64:
type Element struct {
l0, l1, l2, l3, l4 uint64
}
type PointAfter struct {
x, y, z, t Element
_ incomparable
}
type PointBefore struct {
_ incomparable
x, y, z, t Element
}
type incomparable [0]func()
func main() {
fmt.Println(unsafe.Sizeof(PointAfter{})) // 168
fmt.Println(unsafe.Sizeof(PointBefore{})) // 160
}
Change-Id: I6c4fcb586bbf3febf62b6e54608496ff81685e43
Reviewed-on: https://go-review.googlesource.com/c/go/+/467616
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
Return an explicit error when PrivateKey.ECDH is called with a PublicKey
which uses a different Curve. Also document this requirement, even
though it is perhaps obvious.
Fixes #58131
Change-Id: I739181a3f1283bed14fb5ee7eb78658b854d28d8
Reviewed-on: https://go-review.googlesource.com/c/go/+/464335
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
|
Updates #31456
Change-Id: I68e0abfb6771c9b1d1bfcbb642db9eb5540f9cab
GitHub-Last-Rev: 17ea697c5c0bbfdfb1ad91c2c60e22f6efc78b43
GitHub-Pull-Request: golang/go#49051
Reviewed-on: https://go-review.googlesource.com/c/go/+/356516
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
It was mentioned after CL 463993 was merged that it
is uncommon to use shifts for numbers other than
powers of ten. Replace the shift with a base 10 constant.
Change-Id: I11c90128740109a59add40ed7b680f7bcc9715ad
Reviewed-on: https://go-review.googlesource.com/c/go/+/465275
Auto-Submit: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Auto-Submit: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: David Chase <drchase@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
CL 463975 replaced the use of the NodeJS crypto.randomFillSync API
with a direct call to crypto.getRandomValues. This function rejects
any requests to fill a buffer larger than 65536 bytes, so we need to
batch reads larger than this size. This reuses the batching
functions used on other platforms to perform this batching.
Fixes #58145
Change-Id: Ic0acf3be7c9e994bc345d6614867c9b0c47bd26d
Reviewed-on: https://go-review.googlesource.com/c/go/+/463993
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Auto-Submit: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
|
|
Change-Id: If092ae7c72b66f172ae32fa6c7294a7ac250362e
Reviewed-on: https://go-review.googlesource.com/c/go/+/463995
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
|
|
The two crypto modules are both named "asm". If both are included in a
single go.work (e.g., from `go work use -r .` in the repo), builds break
from "module asm appears multiple times in workspace".
Give these modules fully-qualified names to avoid conflicts. While we
are here, also expand the name of two other testdata modules. Those
modules don't currently conflict, but they have vague names at risk of
future conflicts.
Fixes #57769.
Change-Id: I2bd8a505051e92348d49560ec698ed921f2c81be
Reviewed-on: https://go-review.googlesource.com/c/go/+/461896
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
|
|
Similar to sha256, minimize add usage by preloading
constants. This results in a small performance uplift.
Likewise, cleanup some unused macros and registers to
make room for constants.
On ppc64le/power9:
Hash8Bytes/New 22.7MB/s ± 0% 24.1MB/s ± 0% +6.49%
Hash8Bytes/Sum384 23.4MB/s ± 0% 24.9MB/s ± 0% +6.32%
Hash8Bytes/Sum512 23.5MB/s ± 0% 24.9MB/s ± 0% +6.18%
Hash1K/New 422MB/s ± 0% 455MB/s ± 0% +7.92%
Hash1K/Sum384 424MB/s ± 0% 457MB/s ± 0% +7.78%
Hash1K/Sum512 424MB/s ± 0% 457MB/s ± 0% +7.77%
Hash8K/New 488MB/s ± 0% 528MB/s ± 0% +8.18%
Hash8K/Sum384 481MB/s ± 0% 528MB/s ± 0% +9.76%
Hash8K/Sum512 488MB/s ± 0% 515MB/s ± 0% +5.60%
Change-Id: Ic604b482e3f6a9680b89c71399f85442f06fef3f
Reviewed-on: https://go-review.googlesource.com/c/go/+/460459
Reviewed-by: Archana Ravindar <aravind5@in.ibm.com>
Run-TryBot: Carlos Eduardo Seo <carlos.seo@linaro.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
|
|
The getrandom syscall was added to NetBSD in version 10.0, see
https://man.netbsd.org/NetBSD-10.0-STABLE/getrandom.2
Change-Id: I2714c1040791f7f4728be8d869058a38cbd93d4d
Reviewed-on: https://go-review.googlesource.com/c/go/+/463123
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Benny Siegert <bsiegert@gmail.com>
|
|
This change makes it easier for clients to debug mutual TLS connection failures. Currently, there are a few situations where invalid client auth leads to a generic "bad certificate" alert. 3 specific situations have a more appropriate TLS alert code, based on the alert descriptions in the appendix of both RFC5246 and RFC8446.
1. The server is configured to require client auth, but no client cert was provided; the appropriate alert is "certificate required". This applies only to TLS 1.3, which first defined the certificate_required alert code.
2. The client provided a cert that was signed by an authority that is not in the server's trusted set of CAs; the appropriate alert is "unknown certificate authority".
3. The client provided an expired (or not yet valid) cert; the appropriate alert is "expired certificate".
Otherwise, we still fall back to "bad certificate".
Fixes #52113
Change-Id: I7d5860fe911cad8a1615f16bfe488a37e936dc36
GitHub-Last-Rev: 34eeab587b38549b2ba4a778f7f9894e9b715b43
GitHub-Pull-Request: golang/go#53251
Reviewed-on: https://go-review.googlesource.com/c/go/+/410496
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
This is the second round to look for spelling mistakes. This time the
manual sifting of the result list was made easier by filtering out
capitalized and camelcase words.
grep -r --include '*.go' -E '^// .*$' . | aspell list | grep -E -x '[A-Za-z]{1}[a-z]*' | sort | uniq
This PR will be imported into Gerrit with the title and first
comment (this text) used to generate the subject and body of
the Gerrit change.
Change-Id: Ie8a2092aaa7e1f051aa90f03dbaf2b9aaf5664a9
GitHub-Last-Rev: fc2bd6e0c51652f13a7588980f1408af8e6080f5
GitHub-Pull-Request: golang/go#57737
Reviewed-on: https://go-review.googlesource.com/c/go/+/461595
Auto-Submit: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
|
|
Allow GODEBUG users to report how many times a setting
resulted in non-default behavior.
Record non-default-behaviors for all existing GODEBUGs.
Also rework tests to ensure that runtime is in sync with runtime/metrics.All,
and generate docs mechanically from metrics.All.
For #56986.
Change-Id: Iefa1213e2a5c3f19ea16cd53298c487952ef05a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/453618
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
|
|
Change-Id: Ic215a90d1e1daa5805dbab1dc56480281e53b341
Reviewed-on: https://go-review.googlesource.com/c/go/+/459975
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
low-level APIs
In particular, CheckSignatureFrom just can't check the path length
limit, because it might be enforced above the parent.
We don't need to document the supported signature algorithms for
CheckSignatureFrom, since we document at the constants in what contexts
they are allowed and not. That does leave CheckSignature ambiguous,
though, because that function doesn't have an explicit context.
Change-Id: I4c107440a93f60bc0de07df2b7efeb1a4a766da0
Reviewed-on: https://go-review.googlesource.com/c/go/+/460537
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Change-Id: Idcea184a5b0c205efd3c91c60b5d954424f37679
Reviewed-on: https://go-review.googlesource.com/c/go/+/460540
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
|
|
Add the text from dev.boringcrypto's README making clear what
this code is and that it is unsupported.
Change-Id: Ie49e8ccff10436f5d27ed422f159b4899193c9a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/460515
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
On macOS return the error code from SecTrustEvaluateWithError, and use
it to create typed errors that can be returned from Verify.
Fixes #56891
Change-Id: Ib597ce202abb60702f730e75da583894422e4c14
Reviewed-on: https://go-review.googlesource.com/c/go/+/452620
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
|
The comment copy pasted from the permuteInitialBlock and should be fixed.
Change-Id: I101f1deceadf9b0480e5b679e4e237bda601950b
GitHub-Last-Rev: 7662df772e4ac171c79467678861ac4d7547da78
GitHub-Pull-Request: golang/go#56982
Reviewed-on: https://go-review.googlesource.com/c/go/+/453995
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
|
|
Include hint from isValid, as well as CheckSignatureFrom.
Change-Id: I408f73fc5f12572f1937da50be7fa3e1109164b0
Reviewed-on: https://go-review.googlesource.com/c/go/+/454477
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
|
|
CL 353849 removed validation of signature parameters being passed to
Verify which led to two distinct problems. If passed a R or S == 0,
encodeSignature would panic since it expects them to be non-zero.
encodeSignature would also normalize (i.e. make non-negative) parameters
by zero padding them, which would result in a signature being passed to
VerifyASN1 which did not match the input signature, resulting in success
in cases where it should've failed. This change re-adds the verification
that 0 < r,s < N before calling ecnodeSignature.
This was caught because tink runs the wycheproof ECDSA vectors against
Verify, where we only run the vectors against VerifyASN1. We should be
doing both.
Change-Id: I1dcf41626b4df2b43296e8b878dc607ff316a892
Reviewed-on: https://go-review.googlesource.com/c/go/+/453675
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
|
These should be deprecated, but per go.dev/wiki/Deprecated,
that should only happen two releases after the replacement is
available (so Go 1.22).
The deprecation of this package was part of the discussion
of proposal #52221. All that remains is waiting for the new
package to be widely available.
Change-Id: I580a4af6514eb77d7ec31b443d07259a4a2cf030
Reviewed-on: https://go-review.googlesource.com/c/go/+/453256
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
These should be marked deprecated, but that needs a
(likely quick) proposal review.
The proposal is #56921.
Change-Id: I013a913a7f5196a341e2dd5f49c2687c26ee8331
Reviewed-on: https://go-review.googlesource.com/c/go/+/453257
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
|
|
VerifyASN1 became directly reachable without encoding/decoding in
CL 353849, so it's now possible for the signature to be empty.
Change-Id: I37d6400945ab541120180bf73335e0ec93322947
Reviewed-on: https://go-review.googlesource.com/c/go/+/452635
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
crypto/sha512:
name old time/op new time/op delta
Hash8Bytes/New-32 297ns ± 1% 288ns ± 1% -3.09% (p=0.000 n=10+10)
Hash8Bytes/Sum384-32 288ns ± 1% 282ns ± 1% -2.16% (p=0.000 n=10+9)
Hash8Bytes/Sum512-32 287ns ± 1% 278ns ± 1% -3.18% (p=0.000 n=9+10)
Hash1K/New-32 2.12µs ± 0% 2.11µs ± 1% ~ (p=0.189 n=9+10)
Hash1K/Sum384-32 2.13µs ± 1% 2.11µs ± 1% -1.07% (p=0.006 n=10+10)
Hash1K/Sum512-32 2.12µs ± 1% 2.11µs ± 1% ~ (p=0.209 n=10+10)
Hash8K/New-32 14.9µs ± 1% 14.9µs ± 1% ~ (p=0.469 n=10+10)
Hash8K/Sum384-32 15.0µs ± 1% 14.9µs ± 1% ~ (p=0.725 n=10+10)
Hash8K/Sum512-32 14.9µs ± 1% 15.0µs ± 1% ~ (p=0.684 n=10+10)
crypto/sha256:
name old time/op new time/op delta
Hash8Bytes/New-32 190ns ± 1% 188ns ± 2% -1.23% (p=0.002 n=10+10)
Hash8Bytes/Sum224-32 198ns ± 1% 190ns ± 1% -4.07% (p=0.000 n=10+10)
Hash8Bytes/Sum256-32 196ns ± 1% 183ns ± 1% -6.33% (p=0.000 n=10+10)
Hash1K/New-32 2.35µs ± 1% 2.35µs ± 2% ~ (p=0.897 n=10+10)
Hash1K/Sum224-32 2.38µs ± 1% 2.38µs ± 2% ~ (p=0.363 n=10+10)
Hash1K/Sum256-32 2.38µs ± 1% 2.37µs ± 1% ~ (p=0.203 n=10+9)
Hash8K/New-32 17.3µs ± 1% 17.3µs ± 1% ~ (p=0.971 n=10+10)
Hash8K/Sum224-32 17.6µs ± 1% 17.6µs ± 1% ~ (p=0.726 n=10+10)
Hash8K/Sum256-32 17.6µs ± 2% 17.6µs ± 1% ~ (p=0.541 n=10+10)
crypto/sha1:
name old time/op new time/op delta
Hash8Bytes/New-32 140ns ± 2% 134ns ± 1% -4.26% (p=0.000 n=10+10)
Hash8Bytes/Sum-32 136ns ± 1% 132ns ± 1% -2.41% (p=0.000 n=10+10)
Hash320Bytes/New-32 552ns ± 1% 550ns ± 1% ~ (p=0.211 n=10+9)
Hash320Bytes/Sum-32 559ns ± 1% 560ns ± 2% ~ (p=0.477 n=9+9)
Hash1K/New-32 1.15µs ± 1% 1.15µs ± 1% ~ (p=0.588 n=9+10)
Hash1K/Sum-32 1.16µs ± 2% 1.15µs ± 1% ~ (p=0.078 n=10+10)
Hash8K/New-32 7.53µs ± 1% 7.58µs ± 3% ~ (p=0.382 n=10+10)
Hash8K/Sum-32 7.54µs ± 1% 7.55µs ± 1% ~ (p=0.404 n=10+10)
Change-Id: I3fc06c9009f2eabc739102c14648ef93ea6783b4
Reviewed-on: https://go-review.googlesource.com/c/go/+/436917
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
With this change, we are down to 1.2x the running time of the previous
variable time implementation.
name old time/op new time/op delta
DecryptPKCS1v15/2048-4 1.37ms ± 0% 1.61ms ± 0% +17.54% (p=0.000 n=18+10)
DecryptPKCS1v15/3072-4 3.99ms ± 1% 5.46ms ± 1% +36.64% (p=0.000 n=20+10)
DecryptPKCS1v15/4096-4 8.95ms ± 1% 12.04ms ± 0% +34.53% (p=0.000 n=20+10)
EncryptPKCS1v15/2048-4 9.24µs ± 7% 223.34µs ± 0% +2317.67% (p=0.000 n=20+9)
DecryptOAEP/2048-4 1.38ms ± 1% 1.62ms ± 0% +17.31% (p=0.000 n=20+10)
EncryptOAEP/2048-4 11.5µs ± 6% 225.4µs ± 0% +1851.82% (p=0.000 n=20+10)
SignPKCS1v15/2048-4 1.38ms ± 0% 1.68ms ± 0% +21.25% (p=0.000 n=20+9)
VerifyPKCS1v15/2048-4 8.75µs ±11% 221.94µs ± 0% +2435.02% (p=0.000 n=20+9)
SignPSS/2048-4 1.39ms ± 1% 1.68ms ± 0% +21.18% (p=0.000 n=20+10)
VerifyPSS/2048-4 11.1µs ± 8% 224.7µs ± 0% +1917.03% (p=0.000 n=20+8)
Change-Id: I2a91ba99fcd0f86f2b5191d17170da755d7c4690
Reviewed-on: https://go-review.googlesource.com/c/go/+/452095
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Ignoring custom curves, this makes the whole package constant-time.
There is a slight loss in performance for P-384 and P-521 because bigmod
is slower than math/big (but P-256 has an assembly scalar field
inversion, so doesn't use bigmod for anything big).
name old time/op new time/op delta
Sign/P256-8 19.2µs ± 2% 19.1µs ± 2% ~ (p=0.268 n=9+10)
Sign/P384-8 166µs ± 3% 188µs ± 2% +13.52% (p=0.000 n=10+10)
Sign/P521-8 337µs ± 2% 359µs ± 2% +6.46% (p=0.000 n=10+10)
Verify/P256-8 58.1µs ± 2% 58.1µs ± 2% ~ (p=0.971 n=10+10)
Verify/P384-8 484µs ± 2% 569µs ±12% +17.65% (p=0.000 n=10+10)
Verify/P521-8 1.03ms ± 4% 1.14ms ± 2% +11.02% (p=0.000 n=10+10)
GenerateKey/P256-8 12.4µs ±12% 12.0µs ± 2% ~ (p=0.063 n=10+10)
GenerateKey/P384-8 129µs ±18% 119µs ± 2% ~ (p=0.190 n=10+10)
GenerateKey/P521-8 241µs ± 2% 240µs ± 2% ~ (p=0.436 n=10+10)
name old alloc/op new alloc/op delta
Sign/P256-8 3.08kB ± 0% 2.47kB ± 0% -19.77% (p=0.000 n=10+10)
Sign/P384-8 6.16kB ± 0% 2.64kB ± 0% -57.16% (p=0.000 n=10+10)
Sign/P521-8 7.87kB ± 0% 3.01kB ± 0% -61.80% (p=0.000 n=10+10)
Verify/P256-8 1.29kB ± 1% 0.48kB ± 0% -62.69% (p=0.000 n=10+10)
Verify/P384-8 2.49kB ± 1% 0.64kB ± 0% -74.25% (p=0.000 n=10+10)
Verify/P521-8 3.31kB ± 0% 0.96kB ± 0% -71.02% (p=0.000 n=7+10)
GenerateKey/P256-8 720B ± 0% 920B ± 0% +27.78% (p=0.000 n=10+10)
GenerateKey/P384-8 921B ± 0% 1120B ± 0% +21.61% (p=0.000 n=9+10)
GenerateKey/P521-8 1.30kB ± 0% 1.44kB ± 0% +10.45% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
Sign/P256-8 45.0 ± 0% 33.0 ± 0% -26.67% (p=0.000 n=10+10)
Sign/P384-8 69.0 ± 0% 34.0 ± 0% -50.72% (p=0.000 n=10+10)
Sign/P521-8 71.0 ± 0% 35.0 ± 0% -50.70% (p=0.000 n=10+10)
Verify/P256-8 23.0 ± 0% 10.0 ± 0% -56.52% (p=0.000 n=10+10)
Verify/P384-8 43.0 ± 0% 14.0 ± 0% -67.44% (p=0.000 n=10+10)
Verify/P521-8 45.0 ± 0% 14.0 ± 0% -68.89% (p=0.000 n=7+10)
GenerateKey/P256-8 13.0 ± 0% 14.0 ± 0% +7.69% (p=0.000 n=10+10)
GenerateKey/P384-8 16.0 ± 0% 17.0 ± 0% +6.25% (p=0.000 n=10+10)
GenerateKey/P521-8 16.5 ± 3% 17.0 ± 0% +3.03% (p=0.033 n=10+10)
Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d
Reviewed-on: https://go-review.googlesource.com/c/go/+/353849
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
This will let us reuse it in crypto/ecdsa for the NIST scalar fields.
The main change in API is around encoding and decoding. The SetBytes +
ExpandFor sequence was hacky: SetBytes could produce a bigger size than
the modulus if leading zeroes in the top byte overflowed the limb
boundary, so ExpandFor had to check for and tolerate that. Also, the
caller was responsible for checking that the overflow was actually all
zeroes (which we weren't doing, exposing a crasher in decryption and
signature verification) and then for checking that the result was less
than the modulus. Instead, make SetBytes take a modulus and return an
error if the value overflows. Same with Bytes: we were always allocating
based on Size before FillBytes anyway, so now Bytes takes a modulus.
Finally, SetBig was almost only used for moduli, so replaced
NewModulusFromNat and SetBig with NewModulusFromBig.
Moved the constant-time bitLen to math/big.Int.BitLen. It's slower, but
BitLen is primarily used in cryptographic code, so it's safer this way.
Change-Id: Ibaf7f36d80695578cb80484167d82ce1aa83832f
Reviewed-on: https://go-review.googlesource.com/c/go/+/450055
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
This is missing a test for Ed25519ph with context, since the RFC doesn't
provide one.
Fixes #31804
Change-Id: I20947374c51c6b22fb2835317d00edf816c9a2d2
Reviewed-on: https://go-review.googlesource.com/c/go/+/404274
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Several operations emulate instructions available on power9. Use
the GOPPC64_power9 macro provided by the compiler to select the
native instructions if the minimum cpu requirements are met.
Likewise rework the LXSDX_BE to simplify usage when overriding
it. It is only used in one place.
All three configurations are tested via CI.
On POWER9:
pkg:crypto/cipher goos:linux goarch:ppc64le
AESCBCEncrypt1K 949MB/s ± 0% 957MB/s ± 0% +0.83%
AESCBCDecrypt1K 1.82GB/s ± 0% 1.99GB/s ± 0% +8.93%
pkg:crypto/aes goos:linux goarch:ppc64le
Encrypt 1.01GB/s ± 0% 1.05GB/s ± 0% +4.36%
Decrypt 987MB/s ± 0% 1024MB/s ± 0% +3.77%
Change-Id: I56d0eb845647dd3c43bcad71eb281b499e1d1789
Reviewed-on: https://go-review.googlesource.com/c/go/+/449116
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
Auto-Submit: Paul Murphy <murp@ibm.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Paul Murphy <murp@ibm.com>
|
|
With a small tweak and the help of the inliner, we preallocate enough
nat backing space to do RSA-2048 on the stack.
We keep the length of the preallocated slices at zero so they don't
silently mask missing expandFor calls.
Surprisingly enough, this doesn't move the CPU benchmark needle much,
but probably reduces GC pressure on larger applications.
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.25ms ± 0% 1.22ms ± 1% -1.68% (p=0.000 n=10+9)
DecryptPKCS1v15/3072-8 3.78ms ± 0% 3.73ms ± 1% -1.33% (p=0.000 n=9+10)
DecryptPKCS1v15/4096-8 8.62ms ± 0% 8.45ms ± 1% -1.98% (p=0.000 n=8+10)
EncryptPKCS1v15/2048-8 140µs ± 1% 136µs ± 0% -2.43% (p=0.000 n=9+9)
DecryptOAEP/2048-8 1.25ms ± 0% 1.24ms ± 0% -0.83% (p=0.000 n=8+10)
EncryptOAEP/2048-8 140µs ± 0% 137µs ± 0% -1.82% (p=0.000 n=8+10)
SignPKCS1v15/2048-8 1.29ms ± 0% 1.29ms ± 1% ~ (p=0.574 n=8+8)
VerifyPKCS1v15/2048-8 139µs ± 0% 136µs ± 0% -2.12% (p=0.000 n=9+10)
SignPSS/2048-8 1.30ms ± 0% 1.28ms ± 0% -0.96% (p=0.000 n=8+10)
VerifyPSS/2048-8 140µs ± 0% 137µs ± 0% -1.99% (p=0.000 n=10+8)
name old alloc/op new alloc/op delta
DecryptPKCS1v15/2048-8 15.0kB ± 0% 0.5kB ± 0% -96.58% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 24.6kB ± 0% 3.3kB ± 0% -86.74% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 38.9kB ± 0% 4.5kB ± 0% -88.50% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 18.0kB ± 0% 1.2kB ± 0% -93.48% (p=0.000 n=10+10)
DecryptOAEP/2048-8 15.2kB ± 0% 0.7kB ± 0% -95.10% (p=0.000 n=10+10)
EncryptOAEP/2048-8 18.2kB ± 0% 1.4kB ± 0% -92.29% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 21.9kB ± 0% 0.8kB ± 0% -96.50% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 17.7kB ± 0% 0.9kB ± 0% -94.85% (p=0.000 n=10+10)
SignPSS/2048-8 22.3kB ± 0% 1.2kB ± 0% -94.77% (p=0.000 n=10+10)
VerifyPSS/2048-8 17.9kB ± 0% 1.1kB ± 0% -93.75% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
DecryptPKCS1v15/2048-8 124 ± 0% 3 ± 0% -97.58% (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8 140 ± 0% 9 ± 0% -93.57% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 158 ± 0% 9 ± 0% -94.30% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 80.0 ± 0% 7.0 ± 0% -91.25% (p=0.000 n=10+10)
DecryptOAEP/2048-8 130 ± 0% 9 ± 0% -93.08% (p=0.000 n=10+10)
EncryptOAEP/2048-8 86.0 ± 0% 13.0 ± 0% -84.88% (p=0.000 n=10+10)
SignPKCS1v15/2048-8 162 ± 0% 4 ± 0% -97.53% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 79.0 ± 0% 6.0 ± 0% -92.41% (p=0.000 n=10+10)
SignPSS/2048-8 167 ± 0% 9 ± 0% -94.61% (p=0.000 n=10+10)
VerifyPSS/2048-8 84.0 ± 0% 11.0 ± 0% -86.90% (p=0.000 n=10+10)
Change-Id: I511a2f5f6f596bbec68a0a411e83a9d04080d72a
Reviewed-on: https://go-review.googlesource.com/c/go/+/445021
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
This is faster than the current code because computing RR involves
one more shiftIn and using it involves an extra multiplication, but each
exponentiation was doing montgomeryRepresentation twice, once for x and
once for 1, and now they share the RR precomputation.
More importantly, it allows precomputing the value and attaching it to
the private key in a future CL.
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.46ms ± 0% 1.40ms ± 7% -3.69% (p=0.003 n=10+9)
DecryptPKCS1v15/3072-8 4.23ms ± 0% 4.13ms ± 4% -2.36% (p=0.004 n=9+9)
DecryptPKCS1v15/4096-8 9.42ms ± 0% 9.08ms ± 3% -3.69% (p=0.000 n=9+10)
EncryptPKCS1v15/2048-8 221µs ± 0% 137µs ± 1% -37.91% (p=0.000 n=9+10)
DecryptOAEP/2048-8 1.46ms ± 0% 1.39ms ± 1% -4.97% (p=0.000 n=9+10)
EncryptOAEP/2048-8 221µs ± 0% 138µs ± 0% -37.71% (p=0.000 n=8+10)
SignPKCS1v15/2048-8 1.68ms ± 0% 1.53ms ± 1% -8.85% (p=0.000 n=9+10)
VerifyPKCS1v15/2048-8 220µs ± 0% 137µs ± 1% -37.84% (p=0.000 n=9+10)
SignPSS/2048-8 1.68ms ± 0% 1.52ms ± 1% -9.16% (p=0.000 n=8+8)
VerifyPSS/2048-8 234µs ±12% 138µs ± 1% -40.87% (p=0.000 n=10+9)
Change-Id: I6c650bad9019765d793fd37a529ca186cf1eeef7
Reviewed-on: https://go-review.googlesource.com/c/go/+/445019
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
This change adds some private fields to PrecomputedValues.
If applications were for some reason manually computing the
PrecomputedValues, which they can't do anymore, things will still work
but revert back to the unoptimized path.
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.40ms ± 0% 1.24ms ± 0% -10.98% (p=0.000 n=10+8)
DecryptPKCS1v15/3072-8 4.14ms ± 0% 3.78ms ± 1% -8.55% (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8 9.09ms ± 0% 8.62ms ± 0% -5.20% (p=0.000 n=9+8)
EncryptPKCS1v15/2048-8 139µs ± 0% 138µs ± 0% ~ (p=0.436 n=9+9)
DecryptOAEP/2048-8 1.40ms ± 0% 1.25ms ± 0% -11.01% (p=0.000 n=9+9)
EncryptOAEP/2048-8 139µs ± 0% 139µs ± 0% ~ (p=0.315 n=10+10)
SignPKCS1v15/2048-8 1.53ms ± 0% 1.29ms ± 0% -15.93% (p=0.000 n=9+10)
VerifyPKCS1v15/2048-8 138µs ± 0% 138µs ± 0% ~ (p=0.052 n=10+10)
SignPSS/2048-8 1.54ms ± 0% 1.29ms ± 0% -15.89% (p=0.000 n=9+9)
VerifyPSS/2048-8 139µs ± 0% 139µs ± 0% ~ (p=0.442 n=8+8)
Change-Id: I843c468db96aa75b18ddff17cec3eadfb579cd0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/445020
Reviewed-by: Joedian Reid <joedian@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
I have never encountered multi-prime RSA in the wild. A GitHub-wide
search reveals exactly two explicit uses of it (and a couple of tools
that leave the number configurable but defaulting to two).
https://github.com/decred/tumblebit/blob/31898baea/puzzle/puzzlekey.go#L38
https://github.com/carl-mastrangelo/pixur/blob/95d4a4208/tools/genkeys/genkeys.go#L13
Multi-prime RSA has a slight performance advantage, but has limited
compatibility and the number of primes must be chosen carefully based on
the key size to avoid security issues. It also requires a completely
separate and rarely used private key operation code path, which if buggy
or incorrect would leak the private key.
Mark it as deprecated, and remove the dedicated CRT optimization,
falling back instead to the slower but safer non-CRT fallback.
Change-Id: Iba95edc044fcf9b37bc1f4bb59c6ea273975837f
Reviewed-on: https://go-review.googlesource.com/c/go/+/445017
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
Infamously, big.Int does not provide constant-time arithmetic, making
its use in cryptographic code quite tricky. RSA uses big.Int
pervasively, in its public API, for key generation, precomputation, and
for encryption and decryption. This is a known problem. One mitigation,
blinding, is already in place during decryption. This helps mitigate the
very leaky exponentiation operation. Because big.Int is fundamentally
not constant-time, it's unfortunately difficult to guarantee that
mitigations like these are completely effective.
This patch removes the use of big.Int for encryption and decryption,
replacing it with an internal nat type instead. Signing and verification
are also affected, because they depend on encryption and decryption.
Overall, this patch degrades performance by 55% for private key
operations, and 4-5x for (much faster) public key operations.
(Signatures do both, so the slowdown is worse than decryption.)
name old time/op new time/op delta
DecryptPKCS1v15/2048-8 1.50ms ± 0% 2.34ms ± 0% +56.44% (p=0.000 n=8+10)
DecryptPKCS1v15/3072-8 4.40ms ± 0% 6.79ms ± 0% +54.33% (p=0.000 n=10+9)
DecryptPKCS1v15/4096-8 9.31ms ± 0% 15.14ms ± 0% +62.60% (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8 8.16µs ± 0% 355.58µs ± 0% +4258.90% (p=0.000 n=10+9)
DecryptOAEP/2048-8 1.50ms ± 0% 2.34ms ± 0% +55.68% (p=0.000 n=10+9)
EncryptOAEP/2048-8 8.51µs ± 0% 355.95µs ± 0% +4082.75% (p=0.000 n=10+9)
SignPKCS1v15/2048-8 1.51ms ± 0% 2.69ms ± 0% +77.94% (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8 7.25µs ± 0% 354.34µs ± 0% +4789.52% (p=0.000 n=9+9)
SignPSS/2048-8 1.51ms ± 0% 2.70ms ± 0% +78.80% (p=0.000 n=9+10)
VerifyPSS/2048-8 8.27µs ± 1% 355.65µs ± 0% +4199.39% (p=0.000 n=10+10)
Keep in mind that this is without any assembly at all, and that further
improvements are likely possible. I think having a review of the logic
and the cryptography would be a good idea at this stage, before we
complicate the code too much through optimization.
The bulk of the work is in nat.go. This introduces two new types: nat,
representing natural numbers, and modulus, representing moduli used in
modular arithmetic.
A nat has an "announced size", which may be larger than its "true size",
the number of bits needed to represent this number. Operations on a nat
will only ever leak its announced size, never its true size, or other
information about its value. The size of a nat is always clear based on
how its value is set. For example, x.mod(y, m) will make the announced
size of x match that of m, since x is reduced modulo m.
Operations assume that the announced size of the operands match what's
expected (with a few exceptions). For example, x.modAdd(y, m) assumes
that x and y have the same announced size as m, and that they're reduced
modulo m.
Nats are represented over unsatured bits.UintSize - 1 bit limbs. This
means that we can't reuse the assembly routines for big.Int, which use
saturated bits.UintSize limbs. The advantage of unsaturated limbs is
that it makes Montgomery multiplication faster, by needing fewer
registers in a hot loop. This makes exponentiation faster, which
consists of many Montgomery multiplications.
Moduli use nat internally. Unlike nat, the true size of a modulus always
matches its announced size. When creating a modulus, any zero padding is
removed. Moduli will also precompute constants when created, which is
another reason why having a separate type is desirable.
Updates #20654
Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced
Reviewed-on: https://go-review.googlesource.com/c/go/+/326012
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
|
|
Fixes #56088
Updates #52221
Change-Id: Id2f806a116100a160be7daafc3e4c0be2acdd6a9
Reviewed-on: https://go-review.googlesource.com/c/go/+/450816
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Adds a method which allows users to set a fallback certificate pool for
usage during verification if the system certificate pool is empty.
Updates #43958
Change-Id: I279dd2f753743bce19790f2ae29f063c89c9359d
Reviewed-on: https://go-review.googlesource.com/c/go/+/449235
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Fixes #48152
Change-Id: I503f088edeb5574fd5eb5905bff7c3c23b2bc8fc
GitHub-Last-Rev: 2b0e982f3f6bca33062b0bbd64ed1804801e2c13
GitHub-Pull-Request: golang/go#56686
Reviewed-on: https://go-review.googlesource.com/c/go/+/449336
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Change-Id: I69065f8adf101fdb28682c55997f503013a50e29
Reviewed-on: https://go-review.googlesource.com/c/go/+/449757
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Joedian Reid <joedian@golang.org>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
|
|
While at it, drop P-224 benchmarks. Nobody cares about P-224.
Change-Id: I31db6fedde6026deff36de963690275dacf5fda1
Reviewed-on: https://go-review.googlesource.com/c/go/+/451196
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
|
|
Generating 8192 bit keys times out on builders relatively frequently. We
just need something that isn't a boringAllowCert allowed key size so we
can test that a non-boringAllowCert signed intermediate works, so just
use 512 instead since it'll be significantly faster.
Fixes #56798
Change-Id: I416e0d8c3aa11ff44e9870755efa95c74d1013f1
Reviewed-on: https://go-review.googlesource.com/c/go/+/451656
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
|
|
This specifically doesn't add support for X25519 certificates.
Refactored parsePublicKey not to depend on the public PublicKeyAlgorithm
values, and ParseCertificate/ParseCertificateRequest to ignore keys that
don't have a PublicKeyAlgorithm even if parsePublicKey supports them.
Updates #56088
Change-Id: I2274deadfe9bb592e3547c0d4d48166de1006df0
Reviewed-on: https://go-review.googlesource.com/c/go/+/450815
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
|
|
Fixes #56052
Change-Id: Icacba0ed0f77519bca2140c8af68407af97f9734
Reviewed-on: https://go-review.googlesource.com/c/go/+/450335
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
|
|
When PSSSaltLengthAuto is passed to SignPSS, and the key size is too
small to create a valid salt, return ErrMessageTooLong
Change-Id: I4e0d70bdd54fcd667eae10e0a70b4f540a4ebe93
Reviewed-on: https://go-review.googlesource.com/c/go/+/450796
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
|
Should fix builds.
Change-Id: I309eccec8d08931b1ef8fee9327a08a97c6bf871
Reviewed-on: https://go-review.googlesource.com/c/go/+/450738
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
|
|
Change-Id: I3fb4331c2b1b6adafbac3e76eaf66c79cd5ef56f
Reviewed-on: https://go-review.googlesource.com/c/go/+/428636
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
|
We already had some tests for special cases such as PSS with 513 bit
keys. The upcoming backend rewrite also happened to crash at 63 and 504
bits for different reasons. Might as well be systematic about it.
Also, make sure SignPSS returns ErrMessageTooLong like SignPKCS1v15 when
the key is too small, instead of panicking or returning an unnamed error.
-all takes a couple minutes on my M1.
Change-Id: I656239a00d0831fa7d187a6d3bb30341d41602f7
Reviewed-on: https://go-review.googlesource.com/c/go/+/443195
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
|
Change-Id: Idee03a0c3e4bdb7d6b495f567db8bd644af480e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/433476
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
As noticed in the review of the CRL RawIssuer updates (https://go-review.googlesource.com/c/go/+/418834), the Raw field on the internal type certificate of crypto/x509 is unused and could be removed.
From looking at encoding/asn1's implementation, it appears this field would be set on unmarshal but not during marshaling. However, we unmarshal into the x509.Certificate class directly, avoiding this internal class entirely.
Change-Id: I1ab592eb939b6fe701206ba77b6727763deaeaf0
GitHub-Last-Rev: 5272e0d369ae1b9fee350c2731a6084f41011724
GitHub-Pull-Request: golang/go#56524
Reviewed-on: https://go-review.googlesource.com/c/go/+/447215
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
