Merge pull request #30 from ooni/merged-main

chore: sync fork with upstream

README.md

@@ -93,7 +93,7 @@ to improve hardware capability detection on `android/arm64`.
 (Adapted from ooni/oohttp instructions.)
 
 - [ ] check whether hardware capability detection has been improved upstream
-by reading [os_linux.go](https://github.com/golang/go/blob/go1.21.9/src/runtime/os_linux.go#L250)
+by reading [os_linux.go](https://github.com/golang/go/blob/go1.22.2/src/runtime/os_linux.go#L251)
 and update the link to `os_linux.go` based on the upstream version that
 we're tracking with this fork
 
@@ -125,6 +125,8 @@ the following checks (we could also use `go list` as follows
 
 5. `git grep 'boring"'`
 
+6. `git grep 'godebug"'`
+
 - [ ] double check whether we need to add more checks to the list above (you
 can get a list of packages using `tree -d`)
 

UPSTREAM

@@ -1 +1 @@
-go1.21.11
+go1.22.2

aes/aes_gcm.go

@@ -44,7 +44,7 @@ var errOpen = errors.New("cipher: message authentication failed")
 var _ gcmAble = (*aesCipherGCM)(nil)
 
 // NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
-// called by crypto/cipher.NewGCM via the gcmAble interface.
+// called by [crypto/cipher.NewGCM] via the gcmAble interface.
 func (c *aesCipherGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
 	g := &gcmAsm{ks: c.enc, nonceSize: nonceSize, tagSize: tagSize}
 	gcmAesInit(&g.productTable, g.ks)
@@ -87,7 +87,7 @@ func sliceForAppend(in []byte, n int) (head, tail []byte) {
 	return
 }
 
-// Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
+// Seal encrypts and authenticates plaintext. See the [cipher.AEAD] interface for
 // details.
 func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte {
 	if len(nonce) != g.nonceSize {
@@ -127,7 +127,7 @@ func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte {
 	return ret
 }
 
-// Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
+// Open authenticates and decrypts ciphertext. See the [cipher.AEAD] interface
 // for details.
 func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 	if len(nonce) != g.nonceSize {

aes/cipher.go

@@ -26,7 +26,7 @@ func (k KeySizeError) Error() string {
 	return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
 }
 
-// NewCipher creates and returns a new cipher.Block.
+// NewCipher creates and returns a new [cipher.Block].
 // The key argument should be the AES key,
 // either 16, 24, or 32 bytes to select
 // AES-128, AES-192, or AES-256.

go.mod

@@ -2,6 +2,6 @@ module github.com/ooni/oocrypto
 
 go 1.20
 
-require golang.org/x/crypto v0.22.0
+require golang.org/x/crypto v0.29.0
 
-require golang.org/x/sys v0.19.0
+require golang.org/x/sys v0.27.0

go.sum

@@ -1,4 +1,4 @@
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

internal/bigmod/nat_riscv64.s

@@ -0,0 +1,91 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !purego
+
+#include "textflag.h"
+
+// func addMulVVW1024(z, x *uint, y uint) (c uint)
+TEXT ·addMulVVW1024(SB),$0-32
+	MOV	$16, X30
+	JMP	addMulVVWx(SB)
+
+// func addMulVVW1536(z, x *uint, y uint) (c uint)
+TEXT ·addMulVVW1536(SB),$0-32
+	MOV	$24, X30
+	JMP	addMulVVWx(SB)
+
+// func addMulVVW2048(z, x *uint, y uint) (c uint)
+TEXT ·addMulVVW2048(SB),$0-32
+	MOV	$32, X30
+	JMP	addMulVVWx(SB)
+
+TEXT addMulVVWx(SB),NOFRAME|NOSPLIT,$0
+	MOV	z+0(FP), X5
+	MOV	x+8(FP), X7
+	MOV	y+16(FP), X6
+	MOV	$0, X29
+
+	BEQZ	X30, done
+loop:
+	MOV	0*8(X5), X10	// z[0]
+	MOV	1*8(X5), X13	// z[1]
+	MOV	2*8(X5), X16	// z[2]
+	MOV	3*8(X5), X19	// z[3]
+
+	MOV	0*8(X7), X8	// x[0]
+	MOV	1*8(X7), X11	// x[1]
+	MOV	2*8(X7), X14	// x[2]
+	MOV	3*8(X7), X17	// x[3]
+
+	MULHU	X8, X6, X9	// z_hi[0] = x[0] * y
+	MUL	X8, X6, X8	// z_lo[0] = x[0] * y
+	ADD	X8, X10, X21	// z_lo[0] = x[0] * y + z[0]
+	SLTU	X8, X21, X22
+	ADD	X9, X22, X9	// z_hi[0] = x[0] * y + z[0]
+	ADD	X21, X29, X10	// z_lo[0] = x[0] * y + z[0] + c
+	SLTU	X21, X10, X22
+	ADD	X9, X22, X29	// next c
+
+	MULHU	X11, X6, X12	// z_hi[1] = x[1] * y
+	MUL	X11, X6, X11	// z_lo[1] = x[1] * y
+	ADD	X11, X13, X21	// z_lo[1] = x[1] * y + z[1]
+	SLTU	X11, X21, X22
+	ADD	X12, X22, X12	// z_hi[1] = x[1] * y + z[1]
+	ADD	X21, X29, X13	// z_lo[1] = x[1] * y + z[1] + c
+	SLTU	X21, X13, X22
+	ADD	X12, X22, X29	// next c
+
+	MULHU	X14, X6, X15	// z_hi[2] = x[2] * y
+	MUL	X14, X6, X14	// z_lo[2] = x[2] * y
+	ADD	X14, X16, X21	// z_lo[2] = x[2] * y + z[2]
+	SLTU	X14, X21, X22
+	ADD	X15, X22, X15	// z_hi[2] = x[2] * y + z[2]
+	ADD	X21, X29, X16	// z_lo[2] = x[2] * y + z[2] + c
+	SLTU	X21, X16, X22
+	ADD	X15, X22, X29	// next c
+
+	MULHU	X17, X6, X18	// z_hi[3] = x[3] * y
+	MUL	X17, X6, X17	// z_lo[3] = x[3] * y
+	ADD	X17, X19, X21	// z_lo[3] = x[3] * y + z[3]
+	SLTU	X17, X21, X22
+	ADD	X18, X22, X18	// z_hi[3] = x[3] * y + z[3]
+	ADD	X21, X29, X19	// z_lo[3] = x[3] * y + z[3] + c
+	SLTU	X21, X19, X22
+	ADD	X18, X22, X29	// next c
+
+	MOV	X10, 0*8(X5)	// z[0]
+	MOV	X13, 1*8(X5)	// z[1]
+	MOV	X16, 2*8(X5)	// z[2]
+	MOV	X19, 3*8(X5)	// z[3]
+
+	ADD	$32, X5
+	ADD	$32, X7
+
+	SUB	$4, X30
+	BNEZ	X30, loop
+
+done:
+	MOV	X29, c+24(FP)
+	RET