path: root/src/crypto
Age | Commit message | Author
2021-08-26 | crypto/tls: fix typo in PreferServerCipherSuites comment | vinckr
Fixing a typo, Deprected -> Deprecated.

Change-Id: Ie0ccc9a57ae6a935b4f67154ac097dba4c3832ec
GitHub-Last-Rev: 57337cc1bfa771111f229e7b899fdfdad3b1655e
GitHub-Pull-Request: golang/go#47745
Reviewed-on: https://go-review.googlesource.com/c/go/+/342791
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2021-08-20 | crypto/rand, internal/syscall/unix: don't use getentropy on iOS | Tobias Klauser
CL 302489 switched crypto/rand to use getentropy on darwin; however, this function is not available on iOS. Enable getentropy only on macOS and disable it on iOS.

Fixes #47812

Change-Id: Ib7ba5d77346aee87904bb93d60cacc845f5c0089
Reviewed-on: https://go-review.googlesource.com/c/go/+/343609
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>

2021-08-17 | all: fix typos | Yasuhiro Matsumoto
Change-Id: I83180c472db8795803c1b9be3a33f35959e4dcc2
Reviewed-on: https://go-review.googlesource.com/c/go/+/336889
Reviewed-by: Rob Pike <r@golang.org>
Reviewed-by: Austin Clements <austin@google.com>

2021-08-16 | crypto/sha{256,512}: unname result parameters for consistency | Brad Fitzpatrick
Sum224 and Sum256 didn't look the same at: https://golang.org/pkg/crypto/sha256/

Now they match. Likewise with sha512's funcs.

Per: https://github.com/golang/go/wiki/CodeReviewComments#named-result-parameters

Change-Id: I6b88c8ef15141c78a6cddeb0960b3ad52db34244
Reviewed-on: https://go-review.googlesource.com/c/go/+/322329
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

2021-07-31 | all: gofmt | Josh Bleecher Snyder
Change-Id: Icfafcfb62a389d9fd2e7a4d17809486ed91f15c3
Reviewed-on: https://go-review.googlesource.com/c/go/+/338629
Trust: Josh Bleecher Snyder <josharian@gmail.com>
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

2021-07-26 | crypto/x509: update iOS bundled roots to version 55188.120.1.0.1 | Dmitri Shuralyov
Updates #38843.

Change-Id: I6e003ed03cd13d8ecf86ce05ab0e11c47e271c0b
Reviewed-on: https://go-review.googlesource.com/c/go/+/337329
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2021-07-12 | crypto/tls: test key type when casting | Roland Shoemaker
When casting the certificate public key in generateClientKeyExchange, check the type is appropriate. This prevents a panic when a server agrees to an RSA-based key exchange, but then sends an ECDSA (or other) certificate.

Fixes #47143
Fixes CVE-2021-34558

Thanks to Imre Rad for reporting this issue.

Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

2021-06-30 | crypto/x509: don't fail on optional auth key id fields | Roland Shoemaker
If a certificate contains an AuthorityKeyIdentifier extension that lacks the keyIdentifier field, but contains the authorityCertIssuer and/or the authorityCertSerialNumber fields, don't return an error and continue parsing.

Fixes #46854

Change-Id: I82739b415441f639a722755cc1f449d73078adfc
Reviewed-on: https://go-review.googlesource.com/c/go/+/331689
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2021-06-10 | crypto/tls: let HTTP/1.1 clients connect to servers with NextProtos "h2" (tag: go1.17beta1) | Filippo Valsorda
Fixes #46310

Change-Id: Idd5e30f05c439f736ae6f3904cbb9cc2ba772315
Reviewed-on: https://go-review.googlesource.com/c/go/+/325432
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

2021-06-07 | crypto/elliptic: update P-521 docs to say it's constant-time | Filippo Valsorda
This is true since CL 315274.

Also adjust the P-256 note, since Add, Double, and IsOnCurve use the generic, non-constant-time implementation.

Change-Id: I4b3b340f65bce91dcca30bcf86456cc8ce4dd4bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/325650
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>

2021-06-07 | crypto/tls: fix typo in Config.NextProtos docs | Filippo Valsorda
Change-Id: I916df584859595067e5e86c35607869397dbbd8c
Reviewed-on: https://go-review.googlesource.com/c/go/+/325651
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

2021-05-27 | crypto/elliptic: fix typo in p521Point type name | Filippo Valsorda
Change-Id: I6cab3624c875d9a70441a560e84f91c9b2df17b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/320070
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-20 | crypto/x509: add new FreeBSD 12.2+ trusted certificate folder | Lapo Luchini
Up to FreeBSD 12.1 the package ca_root_nss was needed in order to have certificates under /usr/local/share/certs as the base system didn't have a system trusted certificate store.

This has been fixed in FreeBSD 12.2 using /etc/ssl/certs: https://svnweb.freebsd.org/base?view=revision&revision=357082

Fixes #46284

Change-Id: I912b1bacc30cdf20d19e3ef9d09b69bb8055ff49
GitHub-Last-Rev: 0fa5542ea3c70ecb03e621381d7c34fbadf7ea47
GitHub-Pull-Request: golang/go#46276
Reviewed-on: https://go-review.googlesource.com/c/go/+/321190
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Tobias Klauser <tobias.klauser@gmail.com>

2021-05-18 | crypto/x509: remove duplicate import | Roland Shoemaker
Change-Id: I86742ae7aa4ff49a38f8e3bc1d64fb223feae73e
Reviewed-on: https://go-review.googlesource.com/c/go/+/318409
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-13 | all: add //go:build lines to assembly files | Tobias Klauser
Don't add them to files in vendor and cmd/vendor though. These will be pulled in by updating the respective dependencies.

For #41184

Change-Id: Icc57458c9b3033c347124323f33084c85b224c70
Reviewed-on: https://go-review.googlesource.com/c/go/+/319389
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

2021-05-10 | crypto/elliptic: upgrade from generic curve impl to specific if available | Roland Shoemaker
This change alters the CurveParam methods to upgrade from the generic curve implementation to the specific P224 or P256 implementations when called on the embedded CurveParams. This removes the trap of using elliptic.P224().Params() instead of elliptic.P224(), for example, which results in using the generic implementation instead of the optimized constant time one.

For P224 this is done for all of the CurveParams methods, except Params, as the optimized implementation covers all these methods. For P256 this is only done for ScalarMult and ScalarBaseMult, as despite having implementations of addition and doubling they aren't exposed and instead the generic implementation is used. For P256 an additional check that there actually is a specific implementation is added, as unlike the P224 implementation the P256 one is only available on certain platforms.

This change takes the simple, fast approach to checking this: it simply compares pointers. This removes the most obvious class of mistakes people make, but still allows edge cases where the embedded CurveParams pointer has been dereferenced (as seen in the unit tests) or when someone has manually constructed their own CurveParams that matches one of the standard curves. A more complex approach could be taken to also address these cases, but it would require directly comparing all of the CurveParam fields which would, in the worst case, require comparing against two standard CurveParam sets in the ScalarMult and ScalarBaseMult paths, which are likely to be the hottest already.

Updates #34648

Change-Id: I82d752f979260394632905c15ffe4f65f4ffa376
Reviewed-on: https://go-review.googlesource.com/c/go/+/233939
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-09 | crypto/elliptic: make P-521 scalar multiplication constant time | Filippo Valsorda
Like for P-224, we do the constant time selects to hide the point-at-infinity special cases of addition, but not the P = Q case, which presumably doesn't happen in normal operations.

Runtime increases by about 50%, as expected, since on average we were able to skip half the additions, and the additions reasonably amounted to half the runtime. Still, the Fiat code is so much faster than big.Int that we're still more than three times faster overall than pre-CL 315271.

name                   old time/op  new time/op  delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8  4.18ms ± 3%  1.35ms ± 1%  -67.64%  (p=0.000 n=10+10)
ScalarMult/P521-8      4.17ms ± 2%  1.36ms ± 1%  -67.45%  (p=0.000 n=10+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8            4.23ms ± 1%  1.44ms ± 1%  -66.02%  (p=0.000 n=9+10)
Verify/P521-8          8.31ms ± 2%  2.73ms ± 2%  -67.08%  (p=0.000 n=9+9)
GenerateKey/P521-8     4.15ms ± 2%  1.35ms ± 2%  -67.41%  (p=0.000 n=10+10)

Updates #40171

Change-Id: I782f2b7f33dd60af9b3b75e46d920d4cb47f719f
Reviewed-on: https://go-review.googlesource.com/c/go/+/315274
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-09 | crypto/elliptic: import fiat-crypto P-521 field implementation | Filippo Valsorda
Fiat Cryptography (https://github.com/mit-plv/fiat-crypto) is a project that produces prime order field implementations (the code that does arithmetic modulo a prime number) based on a formally verified model. The formal verification covers some of the most subtle and hard to test parts of an elliptic curve implementation, like carry chains. It would probably have prevented #20040 and #43786.

This CL imports a 64-bit implementation of the P-521 base field, replacing the horribly slow and catastrophically variable time big.Int CurveParams implementation.

The code in p521_fiat64.go is generated reproducibly by fiat-crypto, building and running the Dockerfile according to the README.

The code in fiat/p521.go is a thin and idiomatic wrapper around the fiat-crypto code. It includes an Invert method generated with the help of github.com/mmcloughlin/addchain.

The code in elliptic/p521.go is a line-by-line port of the CurveParams implementation. Lsh(x, N) was replaced with repeated Add(x, x) calls. Mul(x, x) was replaced with Square(x). Mod calls were removed, as all operations are modulo P. Likewise, Add calls to bring values back to positive were removed. The ScalarMult ladder implementation is now constant time, copied from p224ScalarMult. Only other notable changes are adding a p512Point type to keep (x, y, z) together, and making addJacobian and doubleJacobian methods on that type, with the usual receiver semantics to save 4 allocations per step.

This amounts to a proof of concept, and is far from a mature elliptic curve implementation. Here's a non-exhaustive list of things that need improvement, most of which are pre-existing issues with crypto/elliptic. Some of these can be fixed without API change, some can't.

- Marshal and Unmarshal still use the slow, variable time big.Int arithmetic. The Curve interface does not expose field operations, so we'll have to make our own abstraction.
- Point addition uses an incomplete Jacobian formula, which has variable time behaviors for points at infinity and equal points. There are better, complete formulae these days, but I wanted to keep this CL reviewable against the existing code.
- The scalar multiplication ladder is still heavily variable time. This is easy to fix and I'll do it in a follow-up CL, but I wanted to keep this one easier to review.
- Fundamentally, values have to go in and out of big.Int representation when they pass through the Curve interface, which is both slow and slightly variable-time.
- There is no scalar field implementation, so crypto/ecdsa ends up using big.Int for signing.
- Extending this to P-384 would involve either duplicating all P-521 code, or coming up with some lower-level interfaces for the base field. Even better, generics, which would maybe let us save heap allocations due to virtual calls.
- The readability and idiomaticity of the autogenerated code can improve, although we have a clear abstraction and well-enforced contract, which makes it unlikely we'll have to resort to manually modifying the code. See mit-plv/fiat-crypto#949.
- We could also have a 32-bit implementation, since it's almost free to have fiat-crypto generate one.

Anyway, it's definitely better than CurveParams, and definitely faster.

name                   old time/op  new time/op  delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8  4.18ms ± 3%  0.86ms ± 2%  -79.50%  (p=0.000 n=10+9)
ScalarMult/P521-8      4.17ms ± 2%  0.85ms ± 6%  -79.68%  (p=0.000 n=10+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8            4.23ms ± 1%  0.94ms ± 0%  -77.70%  (p=0.000 n=9+8)
Verify/P521-8          8.31ms ± 2%  1.75ms ± 4%  -78.99%  (p=0.000 n=9+10)
GenerateKey/P521-8     4.15ms ± 2%  0.85ms ± 2%  -79.49%  (p=0.000 n=10+9)

name                   old alloc/op  new alloc/op  delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8  3.06MB ± 3%   0.00MB ± 0%   -99.97%  (p=0.000 n=10+10)
ScalarMult/P521-8      3.05MB ± 1%   0.00MB ± 0%   -99.97%  (p=0.000 n=9+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8            3.03MB ± 0%   0.01MB ± 0%   -99.74%  (p=0.000 n=10+8)
Verify/P521-8          6.06MB ± 1%   0.00MB ± 0%   -99.93%  (p=0.000 n=9+9)
GenerateKey/P521-8     3.02MB ± 0%   0.00MB ± 0%   -99.96%  (p=0.000 n=9+10)

name                   old allocs/op  new allocs/op  delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8  19.8k ± 3%     0.0k ± 0%      -99.95%  (p=0.000 n=10+10)
ScalarMult/P521-8      19.7k ± 1%     0.0k ± 0%      -99.95%  (p=0.000 n=9+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8            19.6k ± 0%     0.1k ± 0%      -99.63%  (p=0.000 n=10+10)
Verify/P521-8          39.2k ± 1%     0.1k ± 0%      -99.84%  (p=0.000 n=9+10)
GenerateKey/P521-8     19.5k ± 0%     0.0k ± 0%      -99.91%  (p=0.000 n=9+10)

Updates #40171

Change-Id: Ic898b09a2388382bf51ec007d9a79d72d44efe10
Reviewed-on: https://go-review.googlesource.com/c/go/+/315271
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>

2021-05-09 | crypto/x509: check the private key passed to CreateCertificate | Filippo Valsorda
Unfortunately, we can't improve the function signature to refer to crypto.PrivateKey and crypto.PublicKey, even if they are both interface{}, because it would break assignments to function types.

Fixes #37845

Change-Id: I627f2ac1e1ba98b128dac5382f9cc2524eaef378
Reviewed-on: https://go-review.googlesource.com/c/go/+/224157
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-08 | crypto/tls: make cipher suite preference ordering automatic | Filippo Valsorda
We now have a (well, two, depending on AES hardware support) universal cipher suite preference order, based on their security and performance. Peer and application lists are now treated as filters (and AES hardware support hints) that are applied to this universal order.

This removes a complex and nuanced decision from the application's responsibilities, one which we are better equipped to make and which applications usually don't need to have an opinion about. It also lets us worry less about what suites we support or enable, because we can be confident that bad ones won't be selected over good ones.

This also moves 3DES suites to InsecureCipherSuites(), even if they are not disabled by default. Just because we can keep them as a last resort it doesn't mean they are secure. Thankfully we had not promised that Insecure means disabled by default.

Notable test changes:

- TestCipherSuiteCertPreferenceECDSA was testing that we'd pick the right certificate regardless of CipherSuite ordering, which is now completely ignored, as tested by TestCipherSuitePreference. Removed.
- The openssl command of TestHandshakeServerExportKeyingMaterial was broken for TLS 1.0 in CL 262857, but its golden file was not regenerated, so the test kept passing. It now broke because the selected suite from the ones in the golden file changed.
- In TestAESCipherReordering, "server strongly prefers AES-GCM" is removed because there is no way for a server to express a strong preference anymore; "client prefers AES-GCM and AES-CBC over ChaCha" switched to ChaCha20 when the server lacks AES hardware; and finally "client supports multiple AES-GCM" changed to always prefer AES-128 per the universal preference list.
  * this is going back on an explicit decision from CL 262857, and while that client order is weird and does suggest a strong dislike for ChaCha20, we have a strong dislike for software AES, so it didn't feel worth making the logic more complex
- All Client-* golden files had to be regenerated because the ClientHello cipher suites have changed. (Even when Config.CipherSuites was limited to one suite, the TLS 1.3 default order changed.)

Fixes #45430
Fixes #41476 (as 3DES is now always the last resort)

Change-Id: If5f5d356c0f8d1f1c7542fb06644a478d6bad1e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/314609
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>

2021-05-08 | crypto/x509: remove GODEBUG=x509ignoreCN=0 flag | Filippo Valsorda
Common Name and NameConstraintsWithoutSANs are no more.

Fixes #24151 ᕕ(ᐛ)ᕗ

Change-Id: I15058f2a64f981c69e9ee620d3fab00f68967e49
Reviewed-on: https://go-review.googlesource.com/c/go/+/315209
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>

2021-05-06 | crypto/tls: enforce ALPN overlap when negotiated on both sides | Roland Shoemaker
During the TLS handshake if the server doesn't support any of the application protocols requested by the client, send the no_application_protocol alert and abort the handshake on the server side. This enforces the requirements of RFC 7301.

Change-Id: Iced2bb5c6efc607497de1c40ee3de9c2b393fa5d
Reviewed-on: https://go-review.googlesource.com/c/go/+/289209
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2021-05-06 | crypto/x509: rewrite certificate parser | Roland Shoemaker
Replaces the encoding/asn1 certificate parser with an x/crypto/cryptobyte based parser. This provides a significant increase in performance, mostly due to a reduction of lots of small allocs, as well as almost entirely removing reflection.

Since this is a rather large rewrite only the certificate parser is replaced, leaving the parsers for CSRs, CRLs, etc. for follow-up work. Since some of the functions that the other parsers use are replaced with cryptobyte versions, they still get a not insignificant performance boost.

name                           old time/op  new time/op  delta
ParseCertificate/ecdsa_leaf-8  44.6µs ± 9%  12.7µs ± 4%  -71.58%  (p=0.000 n=20+18)
ParseCertificate/rsa_leaf-8    46.4µs ± 4%  13.2µs ± 2%  -71.49%  (p=0.000 n=18+19)

name                           old allocs/op  new allocs/op  delta
ParseCertificate/ecdsa_leaf-8  501 ± 0%       164 ± 0%       -67.27%  (p=0.000 n=20+20)
ParseCertificate/rsa_leaf-8    545 ± 0%       182 ± 0%       -66.61%  (p=0.000 n=20+20)

Fixes #21118
Fixes #44237

Change-Id: Id653f6ae5e405c3cbf0c5c48abb30aa831e30107
Reviewed-on: https://go-review.googlesource.com/c/go/+/274234
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

2021-05-06 | crypto/ecdsa,crypto/elliptic: improve tests and benchmarks | Filippo Valsorda
Ensured all tests and benchmarks run over all curves.

Change-Id: Idcbe14a50c60ff6c2cd56793bced6b428d049c39
Reviewed-on: https://go-review.googlesource.com/c/go/+/315272
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

2021-05-06 | crypto/ed25519: skip allocations test on -noopt builder | Filippo Valsorda
Without optimizations, there will be unexpected allocations.

Change-Id: I90dc2636279b7fda7689eabc763251c4cdd25874
Reviewed-on: https://go-review.googlesource.com/c/go/+/317370
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>

2021-05-05 | crypto/ed25519: replace internal/edwards25519 with filippo.io/edwards25519 | Filippo Valsorda
This change replaces the crypto/ed25519/internal/edwards25519 package with code from filippo.io/edwards25519, a significantly faster, safer, well tested (over 1600 lines of new tests, 99% test coverage), and better documented (600 lines of new comments) implementation.

Some highlights:

* an unsaturated 51-bit limb field implementation optimized for 64-bit architectures and math/bits.Mul64 intrinsics
* more efficient variable time scalar multiplication using multi-width non-adjacent form with a larger lookup table for fixed-base
* a safe math/big.Int-like API for the Scalar, Point, and field.Element types with fully abstracted reduction invariants
* a test suite including a testing/quick fuzzer that explores edge case values that would be impossible to hit randomly, and systematic tests for arguments and receiver aliasing
* point decoding rules that strictly match the original logic of crypto/ed25519/internal/edwards25519, to avoid consensus issues
* AssemblyPolicy-compliant assembly cores for arm64 and amd64, the former under 20 lines, and the latter generated by a program based on github.com/mmcloughlin/avo that can be reviewed line-by-line against the generic implementation

Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz
name              old time/op  new time/op  delta
KeyGeneration-4   59.5µs ± 1%  26.1µs ± 1%  -56.20%  (p=0.000 n=10+10)
NewKeyFromSeed-4  59.3µs ± 1%  25.8µs ± 1%  -56.48%  (p=0.000 n=9+10)
Signing-4         60.4µs ± 1%  31.4µs ± 1%  -48.05%  (p=0.000 n=10+10)
Verification-4    169µs ± 1%   73µs ± 2%    -56.55%  (p=0.000 n=10+10)

Apple M1
name              old time/op  new time/op  delta
KeyGeneration-8   35.1µs ± 0%  20.2µs ± 2%  -42.46%  (p=0.000 n=8+10)
NewKeyFromSeed-8  35.1µs ± 0%  20.0µs ± 1%  -42.93%  (p=0.000 n=8+9)
Signing-8         36.2µs ± 0%  25.6µs ± 1%  -29.25%  (p=0.000 n=8+9)
Verification-8    96.1µs ± 0%  57.6µs ± 1%  -40.14%  (p=0.000 n=10+10)

The code in this CL is a copy of the filippo.io/edwards25519 module at version v1.0.0-beta.3.0.20210405211453-c6be47d67779 with only the following functions removed as irrelevant to crypto/ed25519:

- (*Point).BytesMontgomery()
- (*Point).MultByCofactor()
- (*Scalar).Invert()
- (*Point).MultiScalarMult()
- (*Point).VarTimeMultiScalarMult()

This codebase took a long journey outside the standard library before making its way back here. Its oldest parts started as a faster field implementation rewrite by George Tankersley almost four years ago, eventually submitted as CL 71950 but never merged. That code was then merged into github.com/gtank/ristretto255, which also started as an internal/edwards25519 fork. There it was worked on by me, George, and Henry de Valence as a backend for our Go ristretto255 implementation. Finally, I extracted the edwards25519 code into a reusable package as filippo.io/edwards25519.

Now, we're ready for the standard library to become the source of truth for this code again, while filippo.io/edwards25519 will become a re-packaged and extended version for external use, since we don't want to expose unsafe curve operations in x/crypto or the standard library.

Submitted under the Google CLA on behalf of:

- Henry de Valence https://github.com/gtank/ristretto255/issues/34
- George Tankersley https://golang.org/cl/71950 https://github.com/gtank/ristretto255-private/issues/28
- Luke Champine https://github.com/FiloSottile/edwards25519/pull/7
- Adrian Hamelink https://github.com/FiloSottile/edwards25519/pull/12

Changes 32506b5 and 18c803c are trivial and don't require a CLA.

The full history of this code since diverging from internal/edwards25519 is available at https://github.com/FiloSottile/edwards25519, and summarized below.

+ c6be47d - edwards25519: update TestScalarSetBytesWithClamping <Filippo Valsorda>
+ c882e8e - edwards25519: rewrite amd64 assembly with avo <Filippo Valsorda>
+ 8eb02eb - edwards25519: refactor feMulGeneric and feSquareGeneric <Filippo Valsorda>
+ 8afd860 - edwards25519: remove Go 1.12 compatibility hack <Filippo Valsorda>
+ 1765c13 - edwards25519: don't clobber BP in amd64 assembly <Filippo Valsorda>
+ b73a7c8 - edwards25519: fix ScalarMult when receiver is not the identity (FiloSottile/edwards25519#12) <Adrian Hamelink>
+ 32a46d7 - edwards25519: document why this can't implement X25519 <Filippo Valsorda>
+ c547797 - edwards25519: make SqrtRatio slightly more efficient <Filippo Valsorda>
+ 700f4f4 - edwards25519: panic if an uninitialized Point is used <Filippo Valsorda>
+ d791cf8 - edwards25519: use testing.AllocsPerRun for TestAllocations <Filippo Valsorda>
+ 8cc8037 - edwards25519: smooth a couple test coverage rough edges <Filippo Valsorda>
+ 9063a14 - edwards25519: test that operations cause zero heap allocations <Filippo Valsorda>
+ 6944ac7 - edwards25519: relax the limb schedule slightly <Filippo Valsorda>
+ 21ebdac - edwards25519: rewrite carryPropagate in arm64 assembly <Filippo Valsorda>
+ a260082 - edwards25519: merge carryPropagate[12] <Filippo Valsorda>
+ dbe1792 - edwards25519: add TestScalarSetBytesWithClamping <Filippo Valsorda>
+ c1fe95a - edwards25519: add MultByCofactor <Filippo Valsorda>
+ 132d95c - edwards25519: sprinkle on-curve checks around tests <Filippo Valsorda>
+ ffb3e31 - edwards25519: specify the behavior of Invert(0) and I.BytesMontgomery() <Filippo Valsorda>
+ 9e6a931 - edwards25519: add (*Scalar).MultiplyAdd <lukechampine>
+ 3b045f3 - edwards25519: outline (*Point).Bytes (FiloSottile/edwards25519#6) <Luke Champine>
+ ec6f8a6 - edwards25519: make (*Scalar).SetCanonicalBytes return the receiver <Filippo Valsorda>
+ 77d7b31 - edwards25519: add (*Point).BytesMontgomery <Filippo Valsorda>
+ 6e8d645 - edwards25519: implement (*Point).Bytes and (*Point).SetBytes <Filippo Valsorda>
+ 1c833da - edwards25519: clarify ScalarBaseMult docs <Filippo Valsorda>
+ 3a13cf1 - edwards25519: apply gc build tag <Filippo Valsorda>
+ 90c35a7 - edwards25519: hide FieldElement and (*Point).ExtendedCoords <Filippo Valsorda>
+ 498fb1e - edwards25519: replace FillBytes with Bytes, again <Filippo Valsorda>
+ 9c7303a - edwards25519: remove (*Point).Identity and (*Point).Generator <Filippo Valsorda>
+ 2e52ce2 - edwards25519: drop unused (*Scalar).Zero <Filippo Valsorda>
+ 7c14a36 - edwards25519: rename FromBytes to SetBytes <Filippo Valsorda>
+ e3d0e45 - edwards25519: ensure only test files import math/big <Filippo Valsorda>
+ daa2507 - edwards25519: minor doc and string touch-ups <Filippo Valsorda>
+ e8698cd - edwards25519: implement (*Scalar).FromBytesWithClamping <Filippo Valsorda>
+ f28d75a - edwards25519: change constructors <Filippo Valsorda>
+ 36d8598 - edwards25519: test the invariant that Scalars are always reduced <Filippo Valsorda>
+ feed48c - edwards25519: cleanup the FieldElement API <Filippo Valsorda>
+ f6ee187 - edwards25519: make Point opaque <Filippo Valsorda>
+ 176388b - edwards25519: cleanup Scalar API to match ristretto255 <Filippo Valsorda>
+ c5c2e9e - edwards25519: rename ProjP3 to Point and unexport other point types <Filippo Valsorda>
+ 8542076 - edwards25519: add Scalar aliasing test <Filippo Valsorda>
+ 1a86a9c - edwards25519: make Scalar opaque <Filippo Valsorda>
+ 07a7683 - edwards25519: hide some more exposed symbols <Filippo Valsorda>
+ d3569cb - all: flatten the package and make FieldElement opaque <Filippo Valsorda>
+ 6f5f582 - all: expose edwards25519, base, and scalar packages <Filippo Valsorda>
+ 7ab4a68 - all: ensure compatibility with older Go versions <Filippo Valsorda>
+ e9b8baa - internal/radix51: implement (*FieldElement).Mul32 <Filippo Valsorda>
+ eac4de5 - internal/radix51: restructure according to golang.org/wiki/TargetSpecific <Filippo Valsorda>
+ 32506b5 - internal/radix51: fix !amd64 build (lightReduce -> carryPropagate) (gtank/ristretto255#29) <Sunny Aggarwal>
+ d64d989 - internal/scalar: fix FromUniformBytes <Filippo Valsorda>
+ 044bb44 - internal/scalar: address review comments <Filippo Valsorda>
+ 7dba54f - all: apply suggestions from code review <Filippo Valsorda>
+ 94bd1d9 - ristretto255: expose scalar multiplication APIs <Filippo Valsorda>
+ 5bd5476 - internal/edwards25519: fix shadowing of B in TestAddSubNegOnBasePoint <Filippo Valsorda>
+ 66bf647 - internal/scalar: replace FromBytes/IsCanonical with FromUniformBytes/FromCanonicalBytes <Filippo Valsorda>
+ 024f3f7 - internal/edwards25519,internal/scalar: apply some Go style touches <Filippo Valsorda>
+ 5e0c5c6 - internal/scalar: add scalar inversion <Henry de Valence>
+ 74fd625 - internal/ed25519: rearrange VartimeDoubleBaseMul args <Henry de Valence>
+ 81ae7ea - internal/ed25519: add benchmarks for scalar mul <Henry de Valence>
+ 9f1f939 - internal/ed25519: add variable-time multiscalar mul <Henry de Valence>
+ 7a96974 - internal/ed25519: add vartime double-base scmul <Henry de Valence>
+ 2bc256c - internal/ed25519: add precomputed NAF table for basepoint <Henry de Valence>
+ a0f0b96 - internal/ed25519: lower quickcheck size for point ops <Henry de Valence>
+ 2f385a1 - internal/ed25519: implement MultiscalarMul <Henry de Valence>
+ 8ae211b - internal/ed25519: implement BasepointMul <Henry de Valence>
+ 7b4858d - internal/ed25519: extract common test variables <Henry de Valence>
+ 16e7c48 - internal/ed25519: add a basepoint multiple table. <Henry de Valence>
+ 988e521 - internal/ed25519: add constant-time variable-base scmul. <Henry de Valence>
+ b695f6b - internal/ed25519: move basepoint constant & correct it <Henry de Valence>
+ ddd014e - internal/scalar: fix high bit check <Henry de Valence>
+ c88ea89 - internal/scalar: make casts clearer <Henry de Valence>
+ b75f989 - internal/scalar: add invariant checks on Scalar digits <Henry de Valence>
+ 36216ca - internal/scalar: use one scMulAdd for Sub <Henry de Valence>
+ 8bf40f3 - internal/scalar: fix constant-time signed radix 16 implementation <Henry de Valence>
+ e6d9ef6 - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 3aa63de - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 3e66ff0 - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 94e6c15 - internal/ed25519: add TODO note and doc ref <Henry de Valence>
+ 3647548 - internal/ed25519: rename twoD to D2 <Henry de Valence>
+ 1cf853c - internal/ed25519: add lookup tables for scalar mul. <Henry de Valence>
+ 3af304a - internal/radix51: add a conditional swap <Henry de Valence>
+ 4673217 - ristretto255: use multi-model arithmetic <Henry de Valence>
+ cca757a - internal/ed25519: remove single-model code <Henry de Valence>
+ d26e77b - internal/ed25519: add addition for Edwards points <Henry de Valence>
+ e0fbb35 - internal/ed25519: use twoD <Henry de Valence>
+ fd9b37b - internal/ed25519: add tests for multi-model point types. <Henry de Valence>
+ dacabb0 - internal/ed25519: add multi-model point types. <Henry de Valence>
+ dddc72e - internal/scalar: add constant-time signed radix 16 <Henry de Valence>
+ 92cdb35 - internal/scalar: add non-adjacent form <Henry de Valence>
+ d147963 - internal/scalar: don't zero memory that is about to be copied over <George Tankersley>
+ 8da186c - internal/scalar: add scalar field implementation <George Tankersley>
+ f38e583 - internal/radix51: add a "weird" testing/quick generation strategy <Filippo Valsorda>
+ 6454f61 - Move comment inside function <Henry de Valence>
+ 1983365 - implement Add, Sub, Neg for ed25519 and ristretto255 points. <Henry de Valence>
+ 9f25562 - internal/group: rename to internal/edwards25519 <Filippo Valsorda>
+ 48e66d3 - internal/group: restore ScalarMult code <Filippo Valsorda>
+ 0078d66 - internal/radix51: rename lightReduce to carryPropagate and touch up docs <Filippo Valsorda>
+ 05f4107 - internal/radix51: add benchmarks <Filippo Valsorda>
+ fd36334 - internal/radix51: test that operations don't exceed bounds <Filippo Valsorda>
+ 703421d - internal/radix51: make Generate produce random light-reduced elements <Filippo Valsorda>
+ f8d8297 - internal/radix51: simplify lightReduce <Filippo Valsorda>
+ 413120f - internal/radix51: minor tests cleanup <Filippo Valsorda>
+ abc8c5a - internal/radix51: make reduction an invariant and unexport Reduce <Filippo Valsorda>
+ 4fd198d - internal/radix51: actually apply go:noescape <Filippo Valsorda>
+ 18c803c - all: fix typos <Dimitris Apostolou>
+ bbfe059 - internal/radix51: test field encoding roundtrip with fixed vectors <George Tankersley>
+ c428b18 - internal/radix51: rename AppendBytes to Bytes <Filippo Valsorda>
+ c59bc1a - internal/radix51: rewrite FromBytes and AppendBytes with encoding/binary <Filippo Valsorda>
+ 57c0cd5 - internal/radix51: add docs and some light readability refactors <Filippo Valsorda>
+ cb1b734 - internal/radix51: remove unused (and a bit broken) SetInt <Filippo Valsorda>
+ beb8abd - internal/radix51: refactor ToBig and FromBig <Filippo
Valsorda> + 87c0a53 - internal/radix51: replace ToBytes with AppendBytes <Filippo Valsorda> + b7e1e45 - internal/radix51: fix aliasing bug in CondNeg (gtank/ristretto255#21) <George Tankersley> + ed3748d - internal/radix51: actually, uhm, check the result of TestAliasing <Filippo Valsorda> + ec0e293 - radix51: change API of FromBytes and ToBytes to use slices <George Tankersley> + 29f6815 - internal/radix51: test all combinations of argument and receiver aliasing <Filippo Valsorda> + cd53d90 - internal/radix51: add property-based tests that multiplication distributes over addition <Henry de Valence> + c3bc45f - radix51: use go1.12 intrinsics for 128-bit multiplications <George Tankersley> + 7e7043e - internal/radix51: define a mask64Bits constant <Filippo Valsorda> + 4fdd06d - internal/group: set Z to 1, not 0 in FromAffine <Filippo Valsorda> + ffa7be7 - internal/group: fix typo <Filippo Valsorda> + 1f452ac - internal/group: derive twoD from D <Filippo Valsorda> + 2424c78 - internal/radix51: add MinusOne <Filippo Valsorda> + 76978fc - internal/group: make conversion APIs caller-allocated <Filippo Valsorda> + d17d202 - internal/group: rewrite DoubleZ1 because stack is cheaper than mental state <Filippo Valsorda> + 72b97c1 - internal: make all APIs chainable <Filippo Valsorda> + 993d979 - internal/radix51: make all APIs not consider the receiver an input <Filippo Valsorda> + b2a1d7d - all: refactor field API to be methods based <Filippo Valsorda> + cdf9b90 - internal/radix51: add constant time field operations <Filippo Valsorda> + e490a48 - internal/radix51: remove FeEqual <Filippo Valsorda> + 2de114c - internal/radix51: remove FeCSwap <Filippo Valsorda> + 08b80c1 - make things more generally presentable <George Tankersley> + 2178536 - Cache the field representation of d <George Tankersley> + 4135059 - Remove 32-bit code and update license. <George Tankersley> + 5d95cb3 - Use Bits() for FeToBig. 
<George Tankersley> + 146e33c - Implement ScalarMult using Montgomery pattern and dedicated extended-coordinates doubling. This will be slow. <George Tankersley> + 12a673a - use faster FeFromBig & a horrible assortment of other random changes <George Tankersley> + 901f40c - group logic WIP <George Tankersley> + a9c89cd - add equality for field elements <George Tankersley> + 214873b - Add radix51 FieldElement implementation <George Tankersley> + 8fd5cae - Implement an elliptic.Curve for ed25519 <George Tankersley> Change-Id: Ifbcdd13e8b6304f9906c0ef2b73f1fdc493a7dfa Co-authored-by: George Tankersley <george.tankersley@gmail.com> Co-authored-by: Henry de Valence <hdevalence@hdevalence.ca> Reviewed-on: https://go-review.googlesource.com/c/go/+/276272 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Filippo Valsorda <filippo@golang.org> Trust: Katie Hockman <katie@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
2021-04-29  crypto/elliptic: store P-256 precomputed basepoint table in source  <Roland Shoemaker>

Store the precomputed P-256 basepoint table in source rather than computing it at runtime, saving ~88kB from the heap. The flip side is that this increases binary sizes by ~77kB.

Fixes #44992

Change-Id: Ia5421eae87b41522b0d8cecba051cba1d2ed73db
Reviewed-on: https://go-review.googlesource.com/c/go/+/315189
Run-TryBot: Roland Shoemaker <roland@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-04-28  crypto/cipher: make AES-GCM benchmarks match ChaCha20Poly1305 ones  <Filippo Valsorda>

It's useful to compare TLS AEADs. Here are the numbers on my MacBook with an Intel(R) Core(TM) i7-7920HQ CPU @ 3.10GHz.

    name                    speed
    AESGCM/Open-128-64-8    692MB/s ± 2%
    AESGCM/Seal-128-64-8    568MB/s ± 1%
    AESGCM/Open-128-1350-8  3.96GB/s ± 1%
    AESGCM/Seal-128-1350-8  3.17GB/s ± 4%
    AESGCM/Open-128-8192-8  5.46GB/s ± 2%
    AESGCM/Seal-128-8192-8  4.40GB/s ± 3%

    name                    speed
    AESGCM/Open-256-64-8    602MB/s ± 2%
    AESGCM/Seal-256-64-8    508MB/s ± 1%
    AESGCM/Open-256-1350-8  3.06GB/s ± 1%
    AESGCM/Seal-256-1350-8  2.65GB/s ± 2%
    AESGCM/Open-256-8192-8  4.02GB/s ± 3%
    AESGCM/Seal-256-8192-8  3.53GB/s ± 2%

    name                          speed
    Chacha20Poly1305/Open-64-8    385MB/s ± 3%
    Chacha20Poly1305/Seal-64-8    396MB/s ± 3%
    Chacha20Poly1305/Open-1350-8  1.67GB/s ± 2%
    Chacha20Poly1305/Seal-1350-8  1.62GB/s ± 1%
    Chacha20Poly1305/Open-8192-8  2.04GB/s ± 2%
    Chacha20Poly1305/Seal-8192-8  2.04GB/s ± 3%

Change-Id: I9373ab85bf132b45b41078205259100fa2d46dda
Reviewed-on: https://go-review.googlesource.com/c/go/+/314610
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2021-04-26  syscall, etc.: use abi.FuncPCABI0 for libc syscall wrappers  <Cherry Zhang>

In CL 288092 we made Darwin syscall wrappers as ABIInternal, so their addresses taken from Go using funcPC are the actual function entries, not the wrappers. As we introduced internal/abi.FuncPCABIxxx intrinsics, use that. And change the assembly functions back to ABI0.

Do it on OpenBSD as well, as OpenBSD and Darwin share code generator.

Change-Id: I408120795f7fc826637c867394248f8f373906bd
Reviewed-on: https://go-review.googlesource.com/c/go/+/313230
Trust: Cherry Zhang <cherryyz@google.com>
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
2021-04-20  all: remove redundant spaces before . and ,  <Yury Smolsky>

Change-Id: I6a4bd2544276d0638bddf07ebcf2ee636db30fea
Reviewed-on: https://go-review.googlesource.com/c/go/+/311009
Run-TryBot: Yury Smolsky <yury@smolsky.by>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
2021-04-16  crypto/tls: fix flaky handshake cancellation tests  <Johan Brandhorst>

Simplified both tests significantly by removing logic for writing the client/server side messages. The flake was likely because of a race between the closing of the local pipe from inside the test and closing of the pipe from within the handshakeContext goroutine. Wait to close the local pipe in the test until after the test has finished running.

Fixes #45106
Fixes #45299

Change-Id: If7ca75aeff7df70cda03c934fa9d8513276d465d
Reviewed-on: https://go-review.googlesource.com/c/go/+/305250
Trust: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-04-10  all: fix spellings  <Naman Gera>

This follows the spelling choices that the Go project has made for English words.
https://github.com/golang/go/wiki/Spelling

Change-Id: Ie7c586d2cf23020cb492cfff58c0831d2d8d3a78
GitHub-Last-Rev: e16a32cd225a275f73d236bcb33703986d110ded
GitHub-Pull-Request: golang/go#45442
Reviewed-on: https://go-review.googlesource.com/c/go/+/308291
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
2021-04-09  crypto/x509: replace os.MkdirTemp with T.TempDir  <ian woolf>

Updates #45402

Change-Id: Ifb1fa5232a0fa1be62e886643cec9deaa3b312ad
Reviewed-on: https://go-review.googlesource.com/c/go/+/308409
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
2021-04-05  crypto/ed25519: add comprehensive edge-case test vectors  <Filippo Valsorda>

This will allow us to make changes to the internals confidently, without risking causing issues in consensus applications. It will also prevent architecture-specific divergence, like #40475.

Fixes #40478

Change-Id: I8c2b31406ca88add6941f14d8df8cecb96379cde
Reviewed-on: https://go-review.googlesource.com/c/go/+/304349
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
2021-03-30  crypto/elliptic: fix some typos  <chenjie>

Change-Id: I1c2900d4e1c0b6108f13c4060d994d966f3e18f3
GitHub-Last-Rev: 3fde453686ab3fdeb77d2f73c09e4a679056adf3
GitHub-Pull-Request: golang/go#45295
Reviewed-on: https://go-review.googlesource.com/c/go/+/305773
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Ben Shi <powerman1st@163.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-29  crypto/rsa: fix salt length calculation with PSSSaltLengthAuto  <Himanshu Kishna Srivastava>

When PSSSaltLength is set, the maximum salt length must equal:

    (modulus_key_size - 1 + 7)/8 - hash_length - 2

and for example, with a 4096 bit modulus key, and a SHA-1 hash, it should be:

    (4096 -1 + 7)/8 - 20 - 2 = 490

Previously we'd encounter this error:

    crypto/rsa: key size too small for PSS signature

Fixes #42741

Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
Reviewed-on: https://go-review.googlesource.com/c/go/+/302230
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
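The salt length bound in the commit above, as an added example that is not part of the commit or of the Go repository: `maxPSSSaltLength` evaluates the formula from the commit message (490 for a 4096-bit modulus with SHA-1), and `signPSSWithSaltLength` shows the boundary on a 2048-bit key with SHA-256, where the maximum is 222: signing with that salt length succeeds and is accepted by a verifier using PSSSaltLengthAuto, while one byte more is rejected by crypto/rsa. The key and message are generated and constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// maxPSSSaltLength is the largest salt length EMSA-PSS (RFC 8017) permits for
// a modulus of modulusBits bits and a hash of hashLen bytes, which is also
// the length PSSSaltLengthAuto selects when signing:
//
//	emLen - hashLen - 2, with emLen = (modulusBits - 1 + 7) / 8
func maxPSSSaltLength(modulusBits, hashLen int) int {
	emLen := (modulusBits - 1 + 7) / 8
	return emLen - hashLen - 2
}

// signPSSWithSaltLength signs SHA-256(msg) with an explicit salt length and
// then verifies the signature with PSSSaltLengthAuto, which accepts any valid
// salt length. It returns the first error from either step.
func signPSSWithSaltLength(key *rsa.PrivateKey, msg []byte, saltLen int) error {
	digest := sha256.Sum256(msg)
	signOpts := &rsa.PSSOptions{SaltLength: saltLen, Hash: crypto.SHA256}
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], signOpts)
	if err != nil {
		return fmt.Errorf("sign with salt length %d: %w", saltLen, err)
	}
	verifyOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto, Hash: crypto.SHA256}
	return rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], sig, verifyOpts)
}

func main() {
	// The commit's worked example: 4096-bit modulus, SHA-1 (20-byte digest).
	fmt.Println("max salt, 4096-bit key with SHA-1:", maxPSSSaltLength(4096, 20)) // 490

	// Constructed test key and message; 2048 bits keeps generation fast.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	limit := maxPSSSaltLength(key.N.BitLen(), sha256.Size) // 222
	fmt.Println("salt", limit, "->", signPSSWithSaltLength(key, msg, limit))     // <nil>
	fmt.Println("salt", limit+1, "->", signPSSWithSaltLength(key, msg, limit+1)) // key size error
}
```

`VerifyPSS` with `PSSSaltLengthAuto` recovers the salt length from the encoded message, so a verifier does not need to know which length the signer chose; a signer that passes an explicit length above the bound gets the same "key size too small" class of error the commit describes.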
2021-03-25  crypto/x509: fix spelling error  <Kevin Burke>

Change-Id: Ieb1900531f42acf2c8b98ac89fceb8b87c8e5d0c
Reviewed-on: https://go-review.googlesource.com/c/go/+/304609
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Kevin Burke <kev@inburke.com>
2021-03-18  crypto/rsa: correct EncryptOAEP doc comment  <Richard Pickering>

Fixes #44777

Corrected the documentation comment on the EncryptOAEP function from 'if a given public key is used to decrypt two types of messages' to 'if a given public key is used to encrypt two types of messages'.

Change-Id: I02aff90d0414960eae72352c0e4d8ba2e8f8eca6
GitHub-Last-Rev: ea28663f8719e8fd0dcb10cf97ffbdcf4bd9674f
GitHub-Pull-Request: golang/go#45032
Reviewed-on: https://go-review.googlesource.com/c/go/+/301714
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Robert Findley <rfindley@google.com>
2021-03-17  crypto/rand, internal/syscall/unix: add support for getentropy syscall on darwin  <Tobias Klauser>

The getentropy syscall is available on macOS since version 10.12, which is the minimum required version since Go 1.15.

Change-Id: I294259af0b11df9669e4dc5fa891d2f2f039d91a
Reviewed-on: https://go-review.googlesource.com/c/go/+/302489
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-17  crypto/tls: remove flaky cancellation test  <Johan Brandhorst>

This will be reintroduced again once the source of the flakiness has been determined and fixed.

Fixes #45084

Change-Id: I6677b27fcd71e8c9bb8edbe8e3be70e5a271ebd3
Reviewed-on: https://go-review.googlesource.com/c/go/+/302569
Trust: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-16  crypto/tls: add HandshakeContext method to Conn  <Johan Brandhorst>

Adds the (*tls.Conn).HandshakeContext method. This allows us to pass the context provided down the call stack to eventually reach the tls.ClientHelloInfo and tls.CertificateRequestInfo structs. These contexts are exposed to the user as read-only via Context() methods. This allows users of (*tls.Config).GetCertificate and (*tls.Config).GetClientCertificate to use the context for request scoped parameters and cancellation.

Replace uses of (*tls.Conn).Handshake with (*tls.Conn).HandshakeContext where appropriate, to propagate existing contexts.

Fixes #32406

Change-Id: I259939c744bdc9b805bf51a845a8bc462c042483
Reviewed-on: https://go-review.googlesource.com/c/go/+/295370
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
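The context plumbing the commit above describes, as an added example that is not code from the commit or from the Go repository: a request-scoped value placed on the context handed to the server's `HandshakeContext` is visible to its `GetCertificate` callback through `hello.Context()`, and a context that is already cancelled makes `HandshakeContext` abort the handshake with an error (`ctx.Err()` in practice). The self-signed "example.test" certificate, the loopback TCP listener, the `requestIDKey` context key and the `"req-42"` value are constructed for this example; the server uses `GetCertificate` only so that the callback can observe the context.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// requestIDKey is a hypothetical context key for a request-scoped value that
// the server's GetCertificate callback wants to read.
type requestIDKey struct{}

// selfSignedCert builds a throwaway self-signed P-256 certificate for
// "example.test" (constructed for this example only).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf, nil
}

// handshakeWithContext runs a TLS 1.3 handshake over a loopback TCP connection,
// passing ctx to both sides' HandshakeContext. The server's GetCertificate
// callback reads the request-scoped value from hello.Context(). It returns the
// value the callback observed and the client-side handshake error.
func handshakeWithContext(ctx context.Context, cert tls.Certificate, leaf *x509.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	seen := make(chan string, 1)
	serverCfg := &tls.Config{
		MinVersion: tls.VersionTLS13,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			// hello.Context() is the context given to the server's HandshakeContext.
			id, _ := hello.Context().Value(requestIDKey{}).(string)
			seen <- id
			return &cert, nil
		},
	}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// A server-side failure shows up as a client-side error, so it is not reported here.
		_ = tls.Server(conn, serverCfg).HandshakeContext(ctx)
	}()

	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust only the constructed certificate
	rawConn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer rawConn.Close()
	client := tls.Client(rawConn, &tls.Config{
		ServerName: "example.test",
		RootCAs:    roots,
		MinVersion: tls.VersionTLS13,
	})
	if err := client.HandshakeContext(ctx); err != nil {
		return "", err
	}
	// GetCertificate runs before the server's first flight, so the value is
	// already buffered once the client's handshake has completed.
	return <-seen, nil
}

func main() {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	ctx := context.WithValue(context.Background(), requestIDKey{}, "req-42")
	id, err := handshakeWithContext(ctx, cert, leaf)
	fmt.Println("GetCertificate saw:", id, "err:", err)

	cancelled, cancel := context.WithCancel(ctx)
	cancel()
	_, err = handshakeWithContext(cancelled, cert, leaf)
	fmt.Println("cancelled handshake failed:", err != nil, "is context.Canceled:", errors.Is(err, context.Canceled))
}
```

Deadlines work the same way: a `context.WithTimeout` passed to `HandshakeContext` bounds how long a peer can hold a half-finished handshake open, which is the load-shedding use the commit has in mind; once the handshake has completed, cancelling the context no longer affects the connection.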
2021-03-15  crypto/md5: improve ppc64x performance  <Paul E. Murphy>

This is mostly cleanup and simplification. This removes many unneeded register moves, loads, and bit twiddlings which were holdovers from porting this from the amd64 version.

The updated code loads each block once per iteration instead of once per round. Similarly, the logical operations now match the original md5 specification.

Likewise, add extra sizes to the benchtest to give more data points on how the implementation scales with input size.

All in all, this is roughly a 20% improvement on ppc64le code running on POWER9 (POWER8 is similar, but around 16%):

    name                 old time/op   new time/op   delta
    Hash8Bytes           297ns ± 0%    255ns ± 0%    -14.14%
    Hash64               527ns ± 0%    444ns ± 0%    -15.76%
    Hash128              771ns ± 0%    645ns ± 0%    -16.35%
    Hash256              1.26µs ± 0%   1.05µs ± 0%   -16.68%
    Hash512              2.23µs ± 0%   1.85µs ± 0%   -16.82%
    Hash1K               4.16µs ± 0%   3.46µs ± 0%   -16.83%
    Hash8K               31.2µs ± 0%   26.0µs ± 0%   -16.74%
    Hash1M               3.58ms ± 0%   2.98ms ± 0%   -16.74%
    Hash8M               26.1ms ± 0%   21.7ms ± 0%   -16.81%
    Hash8BytesUnaligned  297ns ± 0%    255ns ± 0%    -14.08%
    Hash1KUnaligned      4.16µs ± 0%   3.46µs ± 0%   -16.79%
    Hash8KUnaligned      31.2µs ± 0%   26.0µs ± 0%   -16.78%

    name                 old speed      new speed      delta
    Hash8Bytes           26.9MB/s ± 0%  31.4MB/s ± 0%  +16.45%
    Hash64               122MB/s ± 0%   144MB/s ± 0%   +18.69%
    Hash128              166MB/s ± 0%   199MB/s ± 0%   +19.54%
    Hash256              203MB/s ± 0%   244MB/s ± 0%   +20.01%
    Hash512              230MB/s ± 0%   276MB/s ± 0%   +20.18%
    Hash1K               246MB/s ± 0%   296MB/s ± 0%   +20.26%
    Hash8K               263MB/s ± 0%   315MB/s ± 0%   +20.11%
    Hash1M               293MB/s ± 0%   352MB/s ± 0%   +20.10%
    Hash8M               321MB/s ± 0%   386MB/s ± 0%   +20.21%
    Hash8BytesUnaligned  26.9MB/s ± 0%  31.4MB/s ± 0%  +16.41%
    Hash1KUnaligned      246MB/s ± 0%   296MB/s ± 0%   +20.19%
    Hash8KUnaligned      263MB/s ± 0%   315MB/s ± 0%   +20.15%

Change-Id: I269bfa6878966bb4f6a64dc349100f5dc453ab7c
Reviewed-on: https://go-review.googlesource.com/c/go/+/300613
Run-TryBot: Paul Murphy <murp@ibm.com>
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
2021-03-13  all: remove duplicate words  <John Bampton>

Change-Id: Ib0469232a2b69a869e58d5d24990ad74ac96ea56
GitHub-Last-Rev: eb38e049ee1e773392ff3747e1eb2af20dd50dcd
GitHub-Pull-Request: golang/go#44805
Reviewed-on: https://go-review.googlesource.com/c/go/+/299109
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
2021-03-13  crypto/ecdsa: fix dead reference link  <Mostyn Bramley-Moore>

The previous link broke, but it's available on the internet archive.

Fixes #39808

Change-Id: Ic2be74a1f0591600ca1acbe08e1bab8ba1e21abe
GitHub-Last-Rev: 6d6de5d2f451c6d53a1e55b62fb5a1fab0d49f10
GitHub-Pull-Request: golang/go#40165
Reviewed-on: https://go-review.googlesource.com/c/go/+/242103
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-03-11  docs: clarify when APIs use context.Background.  <Matt T. Proud>

The Go standard library retrofitted context support onto existing APIs using context.Background and later offered variants that directly supported user-defined context value specification. This commit makes that behavior clear in documentation and suggests context-aware alternatives if the user is looking for one.

An example motivation is supporting code for use in systems that expect APIs to be cancelable for lifecycle correctness or load shedding/management reasons, as alluded to in https://blog.golang.org/context-and-structs.

Updates #44143

Change-Id: I2d7f954ddf9b48264d5ebc8d0007058ff9bddf14
Reviewed-on: https://go-review.googlesource.com/c/go/+/296152
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Jean de Klerk <deklerk@google.com>
Trust: Jean de Klerk <deklerk@google.com>
Run-TryBot: Jean de Klerk <deklerk@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-03-11  crypto/rand, internal/syscall/unix: add support for getrandom syscall on solaris  <Tobias Klauser>

The getrandom syscall is available on Solaris and Illumos, see
https://docs.oracle.com/cd/E88353_01/html/E37841/getrandom-2.html and
https://illumos.org/man/2/getrandom

Change-Id: Id1c65d6a5b2fbc80d20b43d8b32dab137ca950ca
Reviewed-on: https://go-review.googlesource.com/c/go/+/299134
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2021-03-10  crypto/rand: supports for getrandom syscall in DragonFlyBSD  <David Carlier>

Since the 5.7 release, DragonFlyBSD supports the getrandom function as well; the current stable release is 5.8.

Change-Id: I2b8fc468771b10ac12b38ea7e8e5314342de6375
GitHub-Last-Rev: c5c496f41898d58f2c6f3ccc81f754792f49edbe
GitHub-Pull-Request: golang/go#42617
Reviewed-on: https://go-review.googlesource.com/c/go/+/269999
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Trust: Ian Lance Taylor <iant@golang.org>
Trust: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
2021-03-05  docs: fix case of GitHub  <John Bampton>

Change `Github` to `GitHub`

Change-Id: I514e8dc9a19182fcf9fcf5bc1b5fbff253c1a947
GitHub-Last-Rev: 7124c7058e0c7ff19dc8440fa79271eb6cfdaea9
GitHub-Pull-Request: golang/go#44260
Reviewed-on: https://go-review.googlesource.com/c/go/+/291950
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-02-24  docs: fix spelling  <John Bampton>

Change-Id: Ib689e5793d9cb372e759c4f34af71f004010c822
GitHub-Last-Rev: d63798388e5dcccb984689b0ae39b87453b97393
GitHub-Pull-Request: golang/go#44259
Reviewed-on: https://go-review.googlesource.com/c/go/+/291949
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Trust: Matthew Dempsky <mdempsky@google.com>
Trust: Robert Griesemer <gri@golang.org>
2021-02-20  all: go fmt std cmd (but revert vendor)  <Russ Cox>

Make all our package sources use Go 1.17 gofmt format (adding //go:build lines).

Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild

Change-Id: Ia0534360e4957e58cd9a18429c39d0e32a6addb4
Reviewed-on: https://go-review.googlesource.com/c/go/+/294430
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>