[dev.boringcrypto] crypto/ecdsa, crypto/rsa: use boring.Cache

In the original BoringCrypto port, ecdsa and rsa's public and private
keys added a 'boring unsafe.Pointer' field to cache the BoringCrypto
form of the key. This led to problems with code that “knew” the layout
of those structs and in particular that they had no unexported fields.

In response, as an awful kludge, I changed the compiler to pretend
that field did not exist when laying out reflect data. Because we want
to merge BoringCrypto in the main tree, we need a different solution.
Using boring.Cache is that solution.

For #51940.

Change-Id: Ideb2b40b599a1dc223082eda35a5ea9abcc01e30
Reviewed-on: https://go-review.googlesource.com/c/go/+/395883
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

1 files changed, 24 insertions, 21 deletions

diff --git a/src/crypto/rsa/boring_test.go b/src/crypto/rsa/boring_test.go
index 1373da9937..6223244283 100644
--- a/src/crypto/rsa/boring_test.go
+++ b/src/crypto/rsa/boring_test.go
@@ -13,13 +13,10 @@ import (
 	"crypto"
 	"crypto/rand"
 	"encoding/asn1"
-	"reflect"
 	"runtime"
 	"runtime/debug"
 	"sync"
-	"sync/atomic"
 	"testing"
-	"unsafe"
 )
 
 func TestBoringASN1Marshal(t *testing.T) {
@@ -27,28 +24,12 @@ func TestBoringASN1Marshal(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	// This used to fail, because of the unexported 'boring' field.
-	// Now the compiler hides it [sic].
 	_, err = asn1.Marshal(k.PublicKey)
 	if err != nil {
 		t.Fatal(err)
 	}
 }
 
-func TestBoringDeepEqual(t *testing.T) {
-	k, err := GenerateKey(rand.Reader, 128)
-	if err != nil {
-		t.Fatal(err)
-	}
-	k.boring = nil // probably nil already but just in case
-	k2 := *k
-	k2.boring = unsafe.Pointer(k) // anything not nil, for this test
-	if !reflect.DeepEqual(k, &k2) {
-		// compiler should be hiding the boring field from reflection
-		t.Fatalf("DeepEqual compared boring fields")
-	}
-}
-
 func TestBoringVerify(t *testing.T) {
 	// Check that signatures that lack leading zeroes don't verify.
 	key := &PublicKey{
@@ -73,6 +54,28 @@ func TestBoringVerify(t *testing.T) {
 	}
 }
 
+func BenchmarkBoringVerify(b *testing.B) {
+	// Check that signatures that lack leading zeroes don't verify.
+	key := &PublicKey{
+		N: bigFromHex("c4fdf7b40a5477f206e6ee278eaef888ca73bf9128a9eef9f2f1ddb8b7b71a4c07cfa241f028a04edb405e4d916c61d6beabc333813dc7b484d2b3c52ee233c6a79b1eea4e9cc51596ba9cd5ac5aeb9df62d86ea051055b79d03f8a4fa9f38386f5bd17529138f3325d46801514ea9047977e0829ed728e68636802796801be1"),
+		E: 65537,
+	}
+
+	hash := fromHex("019c5571724fb5d0e47a4260c940e9803ba05a44")
+
+	// signature is one byte shorter than key.N.
+	sig := fromHex("5edfbeb6a73e7225ad3cc52724e2872e04260d7daf0d693c170d8c4b243b8767bc7785763533febc62ec2600c30603c433c095453ede59ff2fcabeb84ce32e0ed9d5cf15ffcbc816202b64370d4d77c1e9077d74e94a16fb4fa2e5bec23a56d7a73cf275f91691ae1801a976fcde09e981a2f6327ac27ea1fecf3185df0d56")
+
+	b.ReportAllocs()
+
+	for i := 0; i < b.N; i++ {
+		err := VerifyPKCS1v15(key, crypto.SHA1, hash, sig)
+		if err == nil {
+			b.Fatalf("sha1: expected verification error")
+		}
+	}
+}
+
 func TestBoringGenerateKey(t *testing.T) {
 	k, err := GenerateKey(rand.Reader, 2048) // 2048 is smallest size BoringCrypto might kick in for
 	if err != nil {
@@ -103,8 +106,8 @@ func TestBoringFinalizers(t *testing.T) {
 	// about 30 iterations.
 	defer debug.SetGCPercent(debug.SetGCPercent(10))
 	for n := 0; n < 200; n++ {
-		// Clear the underlying BoringCrypto object.
-		atomic.StorePointer(&k.boring, nil)
+		// Clear the underlying BoringCrypto object cache.
+		privCache.Clear()
 
 		// Race to create the underlying BoringCrypto object.
 		// The ones that lose the race are prime candidates for