aboutsummaryrefslogtreecommitdiff
path: root/src/crypto/rsa/boring_test.go
AgeCommit message (Collapse)Author
2022-04-29[dev.boringcrypto] crypto/ecdsa, crypto/rsa: use boring.CacheRuss Cox
In the original BoringCrypto port, ecdsa and rsa's public and private keys added a 'boring unsafe.Pointer' field to cache the BoringCrypto form of the key. This led to problems with code that “knew” the layout of those structs and in particular that they had no unexported fields. In response, as an awful kludge, I changed the compiler to pretend that field did not exist when laying out reflect data. Because we want to merge BoringCrypto in the main tree, we need a different solution. Using boring.Cache is that solution. For #51940. Change-Id: Ideb2b40b599a1dc223082eda35a5ea9abcc01e30 Reviewed-on: https://go-review.googlesource.com/c/go/+/395883 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-04-29[dev.boringcrypto] all: add boringcrypto build tagsRuss Cox
A plain make.bash in this tree will produce a working, standard Go toolchain, not a BoringCrypto-enabled one. The BoringCrypto-enabled one will be created with: GOEXPERIMENT=boringcrypto ./make.bash For #51940. Change-Id: Ia9102ed993242eb1cb7f9b93eca97e81986a27b3 Reviewed-on: https://go-review.googlesource.com/c/go/+/395881 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2020-05-07[dev.boringcrypto] crypto/internal/boring: reject short signatures in ↵Filippo Valsorda
VerifyRSAPKCS1v15 This matches the new crypto/rsa behavior introduced in CL 226203. Updates #21896 Change-Id: If04eeff933d7310c2baa0f8fd26907892c2397fd Reviewed-on: https://go-review.googlesource.com/c/go/+/227651 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
2018-07-03[dev.boringcrypto] all: merge master into dev.boringcryptoFilippo Valsorda
Add a couple of skips for slow js/wasm tests. Change-Id: Ic95256b1d3c6e5e2f0cc536fad51e914d31cda9e
2018-06-13[dev.boringcrypto] crypto/rsa: drop random source reading emulationFilippo Valsorda
Now that the standard library behavior in reading from the randomness source is not reliable thanks to randutil.MaybeReadByte, we don't need to emulate its behavior. Also, since boring.RandReader is never deterministic, add an early exit to randutil.MaybeReadByte. Change-Id: Ie53e45ee64af635595181f71abd3c4340c600907 Reviewed-on: https://go-review.googlesource.com/117555 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
2017-09-20[dev.boringcrypto] crypto/internal/boring: fix finalizer-induced crashesRuss Cox
All the finalizer-enabled C wrappers must be careful to use runtime.KeepAlive to ensure the C wrapper object (a Go object) lives through the end of every C call using state that the wrapper's finalizer would free. This CL makes the wrappers appropriately careful. The test proves that this is the bug I was chasing in a separate real program, and that the KeepAlives fix it. I did not write a test of every possible operation. Change-Id: I627007e480f16adf8396e7f796b54e5525d9ea80 Reviewed-on: https://go-review.googlesource.com/64870 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-18[dev.boringcrypto] crypto/rsa: fix boring GenerateKey to set non-nil ↵Russ Cox
Precomputed.CRTValues This matches the standard GenerateKey and more importantly Precompute, so that if you generate a key and then store it, read it back, call Precompute on the new copy, and then do reflect.DeepEqual on the two copies, they will match. Before this CL, the original key had CRTValues == nil and the reconstituted key has CRTValues != nil (but len(CRTValues) == 0). Change-Id: I1ddc64342a50a1b65a48d827e4d564f1faab1945 Reviewed-on: https://go-review.googlesource.com/63914 Reviewed-by: Adam Langley <agl@golang.org>
2017-09-18[dev.boringcrypto] crypto/rsa: add test for, fix observable reads from ↵Russ Cox
custom randomness In routines like GenerateKey, where bits from the randomness source have a visible effect on the output, we bypass BoringCrypto if given a non-standard randomness source (and also assert that this happens only during tests). In the decryption paths, the randomness source is only for blinding and has no effect on the output, so we unconditionally invoke BoringCrypto, letting it use its own randomness source as it sees fit. This in turn lets us verify that the non-BoringCrypto decryption function is never called, not even in tests. Unfortunately, while the randomness source has no visible effect on the decrypt operation, the decrypt operation does have a visible effect on the randomness source. If decryption doesn't use the randomness source, and it's a synthetic stream, then a future operation will read a different position in the stream and may produce different output. This happens in tests more often than you'd hope. To keep behavior of those future operations unchanged while still ensuring that the original decrypt is never called, this CL adds a simulation of the blinding preparation, to discard the right amount from the random source before invoking BoringCrypto. Change-Id: If2f87b856c811b59b536187c93efa99a97721419 Reviewed-on: https://go-review.googlesource.com/63912 Reviewed-by: Adam Langley <agl@golang.org>
2017-09-18[dev.boringcrypto] crypto/internal/boring: handle RSA verification of short ↵Russ Cox
signatures The standard Go crypto/rsa allows signatures to be shorter than the RSA modulus and assumes leading zeros. BoringCrypto does not, so supply the leading zeros explicitly. This fixes the golang.org/x/crypto/openpgp tests. Change-Id: Ic8b18d6beb0e02992a0474f5fdb2b73ccf7098cf Reviewed-on: https://go-review.googlesource.com/62170 Reviewed-by: Adam Langley <agl@golang.org>
2017-08-30[dev.boringcrypto] cmd/compile: hide new boring fields from reflectionRuss Cox
This is terrible but much simpler, cleaner, and more effective than all the alternatives I have come up with. Lots of code assumes that reflect.DeepEqual is meaningful on rsa.PublicKey etc, because previously they consisted only of exported meaningful fields. Worse, there exists code that assumes asn1.Marshal can be passed an rsa.PublicKey, because that struct has historically matched exactly the form that would be needed to produce the official ASN.1 DER encoding of an RSA public key. Instead of tracking down and fixing all of that code (and probably more), we can limit the BoringCrypto-induced damage by ensliting the compiler to hide the new field from reflection. Then nothing can get at it and nothing can be disrupted by it. Kill two birds with one cannon ball. I'm very sorry. Change-Id: I0ca4d6047c7e98f880cbb81904048c1952e278cc Reviewed-on: https://go-review.googlesource.com/60271 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion