Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: upgrade to go1.21.9 #26

Closed
wants to merge 97 commits into from
Closed

chore: upgrade to go1.21.9 #26

wants to merge 97 commits into from

Conversation

bassosimone
Copy link
Contributor

@bassosimone bassosimone commented Apr 8, 2024

Change the approach we're using for merging, which was too fragile. We're now using gitlab.com/yawning/bsaes.git to provide constant-time AES. I am not a cryptographer or a programmer specializing in writing cryptographic code, but yawning is. Also, and really FWIW, I have reviewed the code of bsaes and it AFAICT is well written.

By using this different approach we reduce the amount of headaches caused by merging from upstream, because we can limit ourselves to the crypto/tls package and a few minimal supporting packages just to make it WAI.

Internally, bsaes switches to using assembly from crypto/aes iff there's hardware support.

Part of ooni/probe#2702.

rsc and others added 30 commits January 19, 2023 22:26
…rics

Allow GODEBUG users to report how many times a setting
resulted in non-default behavior.

Record non-default-behaviors for all existing GODEBUGs.

Also rework tests to ensure that runtime is in sync with runtime/metrics.All,
and generate docs mechanically from metrics.All.

For #56986.

Change-Id: Iefa1213e2a5c3f19ea16cd53298c487952ef05a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/453618
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Russ Cox <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
This is the second round to look for spelling mistakes. This time the
manual sifting of the result list was made easier by filtering out
capitalized and camelcase words.

grep -r --include '*.go' -E '^// .*$' . | aspell list | grep -E -x '[A-Za-z]{1}[a-z]*' | sort | uniq

This PR will be imported into Gerrit with the title and first
comment (this text) used to generate the subject and body of
the Gerrit change.

Change-Id: Ie8a2092aaa7e1f051aa90f03dbaf2b9aaf5664a9
GitHub-Last-Rev: fc2bd6e0c51652f13a7588980f1408af8e6080f5
GitHub-Pull-Request: golang/go#57737
Reviewed-on: https://go-review.googlesource.com/c/go/+/461595
Auto-Submit: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
Reviewed-by: Robert Griesemer <[email protected]>
This change makes it easier for clients to debug mutual TLS connection failures. Currently, there are a few situations where invalid client auth leads to a generic "bad certificate" alert. 3 specific situations have a more appropriate TLS alert code, based on the alert descriptions in the appendix of both RFC5246 and RFC8446.
  1. The server is configured to require client auth, but no client cert was provided; the appropriate alert is "certificate required". This applies only to TLS 1.3, which first defined the certificate_required alert code.
  2. The client provided a cert that was signed by an authority that is not in the server's trusted set of CAs; the appropriate alert is "unknown certificate authority".
  3. The client provided an expired (or not yet valid) cert; the appropriate alert is "expired certificate".
Otherwise, we still fall back to "bad certificate".

Fixes #52113

Change-Id: I7d5860fe911cad8a1615f16bfe488a37e936dc36
GitHub-Last-Rev: 34eeab587b38549b2ba4a778f7f9894e9b715b43
GitHub-Pull-Request: golang/go#53251
Reviewed-on: https://go-review.googlesource.com/c/go/+/410496
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
…SD ≥ 10.0

The getrandom syscall was added to NetBSD in version 10.0, see
https://man.netbsd.org/NetBSD-10.0-STABLE/getrandom.2

Change-Id: I2714c1040791f7f4728be8d869058a38cbd93d4d
Reviewed-on: https://go-review.googlesource.com/c/go/+/463123
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Tobias Klauser <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Similar to sha256, minimize add usage by preloading
constants. This results in a small performance uplift.

Likewise, cleanup some unused macros and registers to
make room for constants.

On ppc64le/power9:

Hash8Bytes/New     22.7MB/s ± 0%  24.1MB/s ± 0%  +6.49%
Hash8Bytes/Sum384  23.4MB/s ± 0%  24.9MB/s ± 0%  +6.32%
Hash8Bytes/Sum512  23.5MB/s ± 0%  24.9MB/s ± 0%  +6.18%
Hash1K/New          422MB/s ± 0%   455MB/s ± 0%  +7.92%
Hash1K/Sum384       424MB/s ± 0%   457MB/s ± 0%  +7.78%
Hash1K/Sum512       424MB/s ± 0%   457MB/s ± 0%  +7.77%
Hash8K/New          488MB/s ± 0%   528MB/s ± 0%  +8.18%
Hash8K/Sum384       481MB/s ± 0%   528MB/s ± 0%  +9.76%
Hash8K/Sum512       488MB/s ± 0%   515MB/s ± 0%  +5.60%

Change-Id: Ic604b482e3f6a9680b89c71399f85442f06fef3f
Reviewed-on: https://go-review.googlesource.com/c/go/+/460459
Reviewed-by: Archana Ravindar <[email protected]>
Run-TryBot: Carlos Eduardo Seo <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Carlos Eduardo Seo <[email protected]>
Reviewed-by: Lynn Boger <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
The two crypto modules are both named "asm". If both are included in a
single go.work (e.g., from `go work use -r .` in the repo), builds break
from "module asm appears multiple times in workspace".

Give these modules fully-qualified names to avoid conflicts. While we
are here, also expand the name of two other testdata modules. Those
modules don't currently conflict, but they have vague names at risk of
future conflicts.

Fixes #57769.

Change-Id: I2bd8a505051e92348d49560ec698ed921f2c81be
Reviewed-on: https://go-review.googlesource.com/c/go/+/461896
Reviewed-by: Bryan Mills <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Michael Pratt <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Auto-Submit: Michael Pratt <[email protected]>
Change-Id: If092ae7c72b66f172ae32fa6c7294a7ac250362e
Reviewed-on: https://go-review.googlesource.com/c/go/+/463995
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Run-TryBot: Than McIntosh <[email protected]>
CL 463975 replaced the use of the NodeJS crypto.randomFillSync API
with a direct call to crypto.getRandomValues. This function rejects
any requests to fill a buffer larger than 65536 bytes, so we need to
batch reads larger than this size. This reuses the batching
functions used on other platforms to perform this batching.

Fixes #58145

Change-Id: Ic0acf3be7c9e994bc345d6614867c9b0c47bd26d
Reviewed-on: https://go-review.googlesource.com/c/go/+/463993
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Johan Brandhorst-Satzkorn <[email protected]>
Auto-Submit: Johan Brandhorst-Satzkorn <[email protected]>
It was mentioned after CL 463993 was merged that it
is uncommon to use shifts for numbers other than
powers of ten. Replace the shift with a base 10 constant.

Change-Id: I11c90128740109a59add40ed7b680f7bcc9715ad
Reviewed-on: https://go-review.googlesource.com/c/go/+/465275
Auto-Submit: Johan Brandhorst-Satzkorn <[email protected]>
Run-TryBot: Johan Brandhorst-Satzkorn <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
Auto-Submit: Brad Fitzpatrick <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Updates #31456

Change-Id: I68e0abfb6771c9b1d1bfcbb642db9eb5540f9cab
GitHub-Last-Rev: 17ea697c5c0bbfdfb1ad91c2c60e22f6efc78b43
GitHub-Pull-Request: golang/go#49051
Reviewed-on: https://go-review.googlesource.com/c/go/+/356516
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Return an explicit error when PrivateKey.ECDH is called with a PublicKey
which uses a different Curve. Also document this requirement, even
though it is perhaps obvious.

Fixes #58131

Change-Id: I739181a3f1283bed14fb5ee7eb78658b854d28d8
Reviewed-on: https://go-review.googlesource.com/c/go/+/464335
Reviewed-by: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Updates #58483

Tested on Linux amd64:
  type Element struct {
    l0, l1, l2, l3, l4 uint64
  }

  type PointAfter struct {
    x, y, z, t Element
    _          incomparable
  }

  type PointBefore struct {
    _          incomparable
    x, y, z, t Element
  }

  type incomparable [0]func()

  func main() {
    fmt.Println(unsafe.Sizeof(PointAfter{})) // 168
    fmt.Println(unsafe.Sizeof(PointBefore{})) // 160
  }

Change-Id: I6c4fcb586bbf3febf62b6e54608496ff81685e43
Reviewed-on: https://go-review.googlesource.com/c/go/+/467616
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Message marshalling makes use of BytesOrPanic a lot, under the
assumption that it will never panic. This assumption was incorrect, and
specifically crafted handshakes could trigger panics. Rather than just
surgically replacing the usages of BytesOrPanic in paths that could
panic, replace all usages of it with proper error returns in case there
are other ways of triggering panics which we didn't find.

In one specific case, the tree routed by expandLabel, we replace the
usage of BytesOrPanic, but retain a panic. This function already
explicitly panicked elsewhere, and returning an error from it becomes
rather painful because it requires changing a large number of APIs.
The marshalling is unlikely to ever panic, as the inputs are all either
fixed length, or already limited to the sizes required. If it were to
panic, it'd likely only be during development. A close inspection shows
no paths for a user to cause a panic currently.

This patches ends up being rather large, since it requires routing
errors back through functions which previously had no error returns.
Where possible I've tried to use helpers that reduce the verbosity
of frequently repeated stanzas, and to make the diffs as minimal as
possible.

Thanks to Marten Seemann for reporting this issue.

Fixes #58001
Fixes CVE-2022-41724

Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436
Reviewed-by: Julie Qiu <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468125
Run-TryBot: Michael Pratt <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Michael Pratt <[email protected]>
I had forgotten, which caused amd64 allocations to go back up
significantly. Added an allocations test.

name                    old time/op    new time/op    delta
DecryptPKCS1v15/2048-8    1.50ms ± 0%    1.48ms ± 0%   -0.95%  (p=0.000 n=9+10)
DecryptPKCS1v15/3072-8    4.64ms ± 1%    4.60ms ± 0%   -0.82%  (p=0.000 n=8+10)
DecryptPKCS1v15/4096-8    10.7ms ± 0%    10.6ms ± 1%   -0.99%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8     158µs ± 0%     157µs ± 0%   -0.63%  (p=0.000 n=10+10)
DecryptOAEP/2048-8        1.50ms ± 0%    1.48ms ± 0%   -1.09%  (p=0.000 n=9+10)
EncryptOAEP/2048-8         161µs ± 0%     160µs ± 0%   -0.34%  (p=0.000 n=9+10)
SignPKCS1v15/2048-8       1.55ms ± 0%    1.53ms ± 1%   -1.32%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8      157µs ± 0%     157µs ± 0%   -0.33%  (p=0.004 n=9+10)
SignPSS/2048-8            1.55ms ± 0%    1.54ms ± 0%   -1.14%  (p=0.000 n=10+10)
VerifyPSS/2048-8           160µs ± 0%     160µs ± 0%   -0.32%  (p=0.000 n=10+10)

name                    old alloc/op   new alloc/op   delta
DecryptPKCS1v15/2048-8    15.0kB ± 0%     0.6kB ± 0%  -95.74%  (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8    17.9kB ± 0%     3.5kB ± 0%  -80.65%  (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8    19.1kB ± 0%     4.7kB ± 0%  -75.25%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8    7.51kB ± 0%    1.17kB ± 0%  -84.39%  (p=0.000 n=10+10)
DecryptOAEP/2048-8        15.3kB ± 0%     0.9kB ± 0%  -94.29%  (p=0.000 n=10+10)
EncryptOAEP/2048-8        7.74kB ± 0%    1.40kB ± 0%  -81.86%  (p=0.000 n=10+10)
SignPKCS1v15/2048-8       21.6kB ± 0%     0.9kB ± 0%  -95.86%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8     7.25kB ± 0%    0.91kB ± 0%  -87.42%  (p=0.000 n=10+10)
SignPSS/2048-8            22.0kB ± 0%     1.3kB ± 0%  -94.12%  (p=0.000 n=10+10)
VerifyPSS/2048-8          7.46kB ± 0%    1.12kB ± 0%  -84.98%  (p=0.000 n=10+10)

name                    old allocs/op  new allocs/op  delta
DecryptPKCS1v15/2048-8      54.0 ± 0%       4.0 ± 0%  -92.59%  (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8      60.0 ± 0%      10.0 ± 0%  -83.33%  (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8      60.0 ± 0%      10.0 ± 0%  -83.33%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8      29.0 ± 0%       7.0 ± 0%  -75.86%  (p=0.000 n=10+10)
DecryptOAEP/2048-8          60.0 ± 0%      10.0 ± 0%  -83.33%  (p=0.000 n=10+10)
EncryptOAEP/2048-8          35.0 ± 0%      13.0 ± 0%  -62.86%  (p=0.000 n=10+10)
SignPKCS1v15/2048-8         77.0 ± 0%       5.0 ± 0%  -93.51%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8       28.0 ± 0%       6.0 ± 0%  -78.57%  (p=0.000 n=10+10)
SignPSS/2048-8              82.0 ± 0%      10.0 ± 0%  -87.80%  (p=0.000 n=10+10)
VerifyPSS/2048-8            33.0 ± 0%      11.0 ± 0%  -66.67%  (p=0.000 n=10+10)

Fixes #58501

Change-Id: I418c5152833787b80220b556336ec284674c2493
Reviewed-on: https://go-review.googlesource.com/c/go/+/460542
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Unlike the rest of nistec, the P-256 assembly doesn't use complete
addition formulas, meaning that p256PointAdd[Affine]Asm won't return the
correct value if the two inputs are equal.

This was (undocumentedly) ignored in the scalar multiplication loops
because as long as the input point is not the identity and the scalar is
lower than the order of the group, the addition inputs can't be the same.

As part of the math/big rewrite, we went however from always reducing
the scalar to only checking its length, under the incorrect assumption
that the scalar multiplication loop didn't require reduction.

Added a reduction, and while at it added it in P256OrdInverse, too, to
enforce a universal reduction invariant on p256OrdElement values.

Note that if the input point is the infinity, the code currently still
relies on undefined behavior, but that's easily tested to behave
acceptably, and will be addressed in a future CL.

Fixes #58647
Fixes CVE-2023-24532

(Filed with the "safe APIs like complete addition formulas are good" dept.)

Change-Id: I7b2c75238440e6852be2710fad66ff1fdc4e2b24
Reviewed-on: https://go-review.googlesource.com/c/go/+/471255
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Fixes #58789

Change-Id: I91cdd20c6d4f05baaacd6a38717aa7bed6682573
Reviewed-on: https://go-review.googlesource.com/c/go/+/472155
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
On Windows, replace tests which rely on a root that expired last year.
On Darwin fix an test which wasn't testing the expected behavior, and
fix the behavior which was broken.

Fixes #58791

Change-Id: I771175b9e123b8bb0e4efdf58cc2bb93aa94fbae
Reviewed-on: https://go-review.googlesource.com/c/go/+/472295
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Convert TestUnknownAuthorityError to use subtests, avoiding continuing
the test after an unrecoverable failure.

Skip TestIssue51759 on pre-macOS 11 builders, which don't enforce the
behavior we were testing for.

Updates #58791
Fixes #58812

Change-Id: I4e3e5bc371aa139d38052184c8232f8cb564138f
Reviewed-on: https://go-review.googlesource.com/c/go/+/472496
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Since we can't gate tests on the macOS version on normal machines,
restrict TestIssue51759 to only run on builders, where we have a way to
do this.

Change-Id: I70fc83c587689b499b6a38864973a77bb3e52596
Reviewed-on: https://go-review.googlesource.com/c/go/+/472619
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
These directives affect the next declaration, so the existing form is
valid, but can be confusing because it is easy to miss. Move then
directly above the declaration for improved readability.

CL 69120 previously moved the Gosched nosplit away to hide it from
documentation. Since CL 224737, directives are automatically excluded
from documentation.

Change-Id: I8ebf2d47fbb5e77c6f40ed8afdf79eaa4f4e335e
Reviewed-on: https://go-review.googlesource.com/c/go/+/472957
Run-TryBot: Michael Pratt <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Austin Clements <[email protected]>
Previously if PrivateKey.Sign was called for Ed25519ctx with a context
longer than 255 bytes, the error message would mention Ed25519ph.

For Ed25519ph, the order of message length vs context length errors now
matches VerifyWithOptions. A message length error will be surfaced in
preference to a context length error. It also preferences hash errors
ahead of context length errors which also matches the behaviour of
VerifyWithOptions.

Change-Id: Iae380b3d879e0a9877ea057806fcd1e0ef7f7376
Reviewed-on: https://go-review.googlesource.com/c/go/+/473595
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Change-Id: Ia110d19fe5ff3adc8bbf86dd2112f9702164d495
Reviewed-on: https://go-review.googlesource.com/c/go/+/475515
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
The assumptions of some of the assembly functions were still scarcely
documented and even disregarded: p256ScalarMult was relying on the fact
that the "undefined behavior" of p256PointAddAsm with regards to
infinity inputs was returning the infinity.

Aside from expanding comments, moving the bit window massaging into a
more easily understood p256OrdRsh function, and fixing the above, this
change folds the last iteration of p256ScalarMult into the loop to
reduce special cases and inverts the iteration order of p256BaseMult so
it matches p256ScalarMult for ease of comparison.

Updates #58647

Change-Id: Ie5712ea778aadbe5adcdb478d111c2527e83caa0
Reviewed-on: https://go-review.googlesource.com/c/go/+/471256
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Creates x509.RevocationListEntry, a new type representing a single
revoked certificate entry in a CRL. Like the existing Certificate and
RevocationList types, this new type has a field for its Raw bytes, and
exposes its mostly-commonly-used extension (ReasonCode) as a top-level
field. This provides more functionality to the user than the existing
pkix.RevokedCertificate type.

Adds a RevokedCertificateEntries field which is a []RevocationListEntry
to RevocationList. This field deprecates the RevokedCertificates field.
When the RevokedCertificates field is removed in a future release, this
will remove one of the last places where a pkix type is directly exposed
in the x509 package API.

Updates the ParseRevocationList function to populate both fields for
now, and updates the CreateRevocationList function to prefer the new
field if it is populated, but use the deprecated field if not. Finally,
also updates the x509 unit tests to use the new .ReasonCode field in
most cases.

Fixes #53573

Change-Id: Ia6de171802a5bd251938366508532e806772d7d8
Reviewed-on: https://go-review.googlesource.com/c/go/+/468875
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Emmanuel Odeke <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Fixes #56921

Change-Id: I03f9969a5146ab7becd983784d8cb5b23a3fbb18
Reviewed-on: https://go-review.googlesource.com/c/go/+/459976
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Per the updated go.dev/wiki/Deprecated, those APIs replaced by
crypto/ecdh (added in Go 1.20) can now be marked as deprecated
in Go 1.21.

Updates #52221
Updates #34648

Change-Id: Id0e11d7faa3a58a1716ce1ec6e2fff97bab96259
Reviewed-on: https://go-review.googlesource.com/c/go/+/459977
Run-TryBot: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Most of these are one-off mistakes. Only one file was all spaces.

Change-Id: I277c3ce4a4811aa4248c90676f66bc775ae8d062
Reviewed-on: https://go-review.googlesource.com/c/go/+/478976
Run-TryBot: Michael Pratt <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
… errors

Change-Id: I84533d2df1a20f6337c43b1ca00d8022909a0018
GitHub-Last-Rev: 7dcc4e7296054df7fcbaebfdbd2a9895750f56ea
GitHub-Pull-Request: golang/go#59195
Reviewed-on: https://go-review.googlesource.com/c/go/+/478816
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
This check is already done by PeekASN1Tag.

Change-Id: Ieba0e35548f7f99bce689d29adaea6b8e471cc70
GitHub-Last-Rev: b4ef3dcc2307839cb7575cf29c3e6445b6a7520e
GitHub-Pull-Request: golang/go#59197
Reviewed-on: https://go-review.googlesource.com/c/go/+/478835
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
I noticed the one in path/filepath while reading the docs,
and the other ones were found via some quick grepping.

Change-Id: I386f2f74ef816a6d18aa2f58ee6b64dbd0147c9e
Reviewed-on: https://go-review.googlesource.com/c/go/+/478795
Run-TryBot: Daniel Martí <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
rolandshoemaker and others added 15 commits June 14, 2023 18:53
Rather than using the external network and real-world chains for testing
the integrations with platform verifiers, use a synthetic test root.

This changes adds a constrained root and key pair to the tree, and adds
a test suite that verifies certificates issued from that root. These
tests are only executed if the root is detected in the trust store. For
reference, the script used to generate the root and key is attached to
the bottom of this commit message.

This change leaves the existing windows/darwin TestPlatformVerifier
tests in place, since the trybots do not currently have the test root in
place, and as such cannot run the suite. Once the builder images have
the root integrated, we can remove the old flaky tests, and the trybots
will begin running the new suite automatically.

Updates #52108

-- gen.go --
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"flag"
	"log"
	"math/big"
	"net"
	"os"
	"time"
)

func writePEM(pemType string, der []byte, path string) error {
	enc := pem.EncodeToMemory(&pem.Block{
		Type:  pemType,
		Bytes: der,
	})
	return os.WriteFile(path, enc, 0666)
}

func main() {
	certPath := flag.String("cert-path", "platform_root_cert.pem", "Path to write certificate PEM")
	keyPath := flag.String("key-path", "platform_root_key.pem", "Path to write key PEM")
	flag.Parse()

	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatalf("ecdsa.GenerateKey failed: %s", err)
	}

	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(9009),
		Subject: pkix.Name{
			CommonName: "Go platform verifier testing root",
		},
		NotBefore:                   now.Add(-time.Hour),
		NotAfter:                    now.Add(time.Hour * 24 * 365 * 5),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		PermittedDNSDomainsCritical: true,
		// PermittedDNSDomains restricts the names in certificates issued from this root to *.testing.golang.invalid.
		// The .invalid TLD is, per RFC 2606, reserved for testing, and as such anything issued for this certificate
		// should never be valid in the real world.
		PermittedDNSDomains: []string{"testing.golang.invalid"},
		// ExcludedIPRanges prevents any certificate issued from this root that contains an IP address in both the full
		// IPv4 and IPv6 ranges from being considered valid.
		ExcludedIPRanges: []*net.IPNet{{IP: make([]byte, 4), Mask: make([]byte, 4)}, {IP: make([]byte, 16), Mask: make([]byte, 16)}},
		KeyUsage:         x509.KeyUsageCertSign,
		ExtKeyUsage:      []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}

	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		log.Fatalf("x509.CreateCertificate failed: %s", err)
	}

	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		log.Fatalf("x509.MarshalECPrivateKey failed: %s", err)
	}

	if err := writePEM("CERTIFICATE", certDER, *certPath); err != nil {
		log.Fatalf("failed to write certificate PEM: %s", err)
	}
	if err := writePEM("EC PRIVATE KEY", keyDER, *keyPath); err != nil {
		log.Fatalf("failed to write key PEM: %s", err)
	}
}

Change-Id: If7c4a9f18466662a60fea5443e603232a9260026
Reviewed-on: https://go-review.googlesource.com/c/go/+/488855
Reviewed-by: Filippo Valsorda <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.

Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.

Fixes #60925

Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Fixes #58637

Change-Id: I9eb3905d5b35ea22e22e1d8eb8c33594eac487fc
Reviewed-on: https://go-review.googlesource.com/c/go/+/505155
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Rename the old TestPlatformVerifier to TestPlatformVerifierLegacy, and
add TODO about removing it once the synthetic root is widely deployed on
builders.

Updates #52108

Change-Id: I6cdba268e4738804c7f76ea18c354470b3e0318c
Reviewed-on: https://go-review.googlesource.com/c/go/+/505755
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
… to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.

Updates #61460
Fixes CVE-2023-29409

Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
Reviewed-on: https://go-review.googlesource.com/c/go/+/515056
Run-TryBot: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
…an options struct

To allow for future evolution of the API, make
QUICConn.SendSessionTicket take a QUICSessionTicketOptions
rather than a single bool.

For #60107

Change-Id: I798fd0feec5c7581e3c3574e2de99611c81df47f
Reviewed-on: https://go-review.googlesource.com/c/go/+/514997
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Marten Seemann <[email protected]>
(cherry picked from commit a915b999c915eb7827396013bcb334747863e66e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/515335
Auto-Submit: Damien Neil <[email protected]>
…y size

Add a new GODEBUG setting, tlsmaxrsasize, which allows controlling the
maximum RSA key size we will accept during TLS handshakes.

Fixes #61967

Change-Id: I52f060be132014d219f4cd438f59990011a35c96
Reviewed-on: https://go-review.googlesource.com/c/go/+/517495
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/518535
Auto-Submit: Dmitri Shuralyov <[email protected]>
…post-handshake messages

The check for fragmentary post-handshake messages in QUICConn.HandleData
was reversed, resulting in a potential panic when HandleData receives
a partial message.

In addition, HandleData wasn't checking the size of buffered
post-handshake messages. Produce an error when a post-handshake
message is larger than maxHandshake.

TestQUICConnectionState was using an onHandleCryptoData hook
in runTestQUICConnection that was never being called.
(I think it was inadvertently removed at some point while
the CL was in review.) Fix this test while making the hook
more general.

For #62266
Fixes #62290

Change-Id: I210b70634e50beb456ab3977eb11272b8724c241
Reviewed-on: https://go-review.googlesource.com/c/go/+/522595
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Marten Seemann <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
(cherry picked from commit e92c0f846c54d88f479b1c48f0dbc001d2ff53e9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/523039
Auto-Submit: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
…ProcessPrng

RtlGenRandom is a semi-undocumented API, also known as
SystemFunction036, which we use to generate random data on Windows.
It's definition, in cryptbase.dll, is an opaque wrapper for the
documented API ProcessPrng. Instead of using RtlGenRandom, switch to
using ProcessPrng, since the former is simply a wrapper for the latter,
there should be no practical change on the user side, other than a minor
change in the DLLs we load.

Updates #53192
Fixes #64413

Change-Id: Ie6891bf97b1d47f5368cccbe92f374dba2c2672a
Reviewed-on: https://go-review.googlesource.com/c/go/+/536235
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Quim Muntal <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
(cherry picked from commit 693def151adff1af707d82d28f55dba81ceb08e1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/545355
Auto-Submit: Dmitri Shuralyov <[email protected]>
…s-20220613

Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a
following CL, to avoid rebuilding the syso twice.

Updates #64717
Updates #62372
Updates #64719

Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce
Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-boringcrypto
Reviewed-on: https://go-review.googlesource.com/c/go/+/549695
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/553855
Auto-Submit: Matthew Dempsky <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Run-TryBot: Matthew Dempsky <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
…SL policy

This enables TLS 1.3, disables P-521, and disables non-ECDHE suites.

Updates #64717
Updates #62372
Fixes #64719

Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091
Reviewed-on: https://go-review.googlesource.com/c/go/+/549975
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/553856
Auto-Submit: Matthew Dempsky <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Fixes the gating of TestIssue51759 by shelling out to sw_vers to check
what version of macOS we are on.

For #64677
Fixes #65380

Change-Id: I5eef4fa39e5449e7b2aa73864625c3abf002aef8
Reviewed-on: https://go-review.googlesource.com/c/go/+/549195
Reviewed-by: Bryan Mills <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
(cherry picked from commit 400e24a8be852e7b20eb4af1999b28c20bb4ea21)
Reviewed-on: https://go-review.googlesource.com/c/go/+/559517
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
…e to fips-20220613" +1

This reverts CL 553855 ("crypto/internal/boring: upgrade module to
fips-20220613") and CL 553856 ("crypto/tls: align FIPS-only mode with
BoringSSL policy").

Fixes #65323
Updates #65321
Updates #64717
Updates #62372

Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508
Reviewed-on: https://go-review.googlesource.com/c/go/+/558796
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
(cherry picked from commit 09b5de48e64e67db92b31eaca054c5d096e3c057)
Reviewed-on: https://go-review.googlesource.com/c/go/+/560275
…ore interface conversion

alreadyInChain assumes all keys fit a interface which contains the
Equal method (which they do), but this ignores that certificates may
have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
this case alreadyInChain panics.

Check that the key is non-nil as part of considerCandidate (we are never
going to build a chain containing UnknownPublicKeyAlgorithm anyway).

For #65390
Fixes #65392
Fixes CVE-2024-24783

Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569238
Auto-Submit: Michael Knyszek <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Change the approach we're using for merging, which was too fragile. We're now
using gitlab.com/yawning/bsaes to provide constant-time AES.
@bassosimone
Copy link
Contributor Author

bassosimone commented Apr 8, 2024

For the records, this is now the diff with respect to go1.21.9:

Cloning into '/tmp/tmp.0pD2LPGTdE/upstreamrepo'...
Already on 'master'
Your branch is up to date with 'origin/master'.
Already up to date.
Note: switching to 'go1.21.9'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at d8392e6997 [release-branch.go1.21] go1.21.9
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: aes
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: boring
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: cipher
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: crypto.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: des
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: dsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ecdh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ecdsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ed25519
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: elliptic
Only in .: .git
Only in .: .github
Only in .: .gitignore
Only in .: go.mod
Only in .: go.sum
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: hmac
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: alias
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: bigmod
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: aes.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: bbig
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: bcache
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: boring.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: boring_test.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build-boring.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build-goboring.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: div_test.c
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/doc.go ./internal/boring/doc.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/doc.go	2024-04-08 16:22:42.076224232 +0000
+++ ./internal/boring/doc.go	2024-04-08 15:16:17.159582786 +0000
@@ -12,8 +12,3 @@
 //
 // BoringCrypto is only available on linux/amd64 systems.
 const Enabled = available
-
-// A BigInt is the raw words from a BigInt.
-// This definition allows us to avoid importing math/big.
-// Conversion between BigInt and *big.Int is in crypto/internal/boring/bbig.
-type BigInt []uint
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: Dockerfile
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: ecdh.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: ecdsa.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: fipstls
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: goboringcrypto.h
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: hmac.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: LICENSE
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/notboring.go ./internal/boring/notboring.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/notboring.go	2024-04-08 16:22:42.076224232 +0000
+++ ./internal/boring/notboring.go	2024-04-08 15:16:17.159582786 +0000
@@ -6,117 +6,10 @@
 
 package boring
 
-import (
-	"crypto"
-	"crypto/cipher"
-	"crypto/internal/boring/sig"
-	"hash"
-)
-
 const available = false
 
 // Unreachable marks code that should be unreachable
 // when BoringCrypto is in use. It is a no-op without BoringCrypto.
 func Unreachable() {
-	// Code that's unreachable when using BoringCrypto
-	// is exactly the code we want to detect for reporting
-	// standard Go crypto.
-	sig.StandardCrypto()
-}
-
-// UnreachableExceptTests marks code that should be unreachable
-// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-func UnreachableExceptTests() {}
-
-type randReader int
-
-func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
-
-const RandReader = randReader(0)
-
-func NewSHA1() hash.Hash   { panic("boringcrypto: not available") }
-func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
-
-func SHA1([]byte) [20]byte   { panic("boringcrypto: not available") }
-func SHA224([]byte) [28]byte { panic("boringcrypto: not available") }
-func SHA256([]byte) [32]byte { panic("boringcrypto: not available") }
-func SHA384([]byte) [48]byte { panic("boringcrypto: not available") }
-func SHA512([]byte) [64]byte { panic("boringcrypto: not available") }
-
-func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
-
-func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
-func NewGCMTLS(cipher.Block) (cipher.AEAD, error)   { panic("boringcrypto: not available") }
-
-type PublicKeyECDSA struct{ _ int }
-type PrivateKeyECDSA struct{ _ int }
-
-func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
-	panic("boringcrypto: not available")
-}
-func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error) {
-	panic("boringcrypto: not available")
-}
-func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
-	panic("boringcrypto: not available")
-}
-func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
-	panic("boringcrypto: not available")
+	// nothing
 }
-
-type PublicKeyRSA struct{ _ int }
-type PrivateKeyRSA struct{ _ int }
-
-func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
-	panic("boringcrypto: not available")
-}
-func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) {
-	panic("boringcrypto: not available")
-}
-func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
-func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
-	panic("boringcrypto: not available")
-}
-func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
-	panic("boringcrypto: not available")
-}
-func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
-	panic("boringcrypto: not available")
-}
-
-type PublicKeyECDH struct{}
-type PrivateKeyECDH struct{}
-
-func ECDH(*PrivateKeyECDH, *PublicKeyECDH) ([]byte, error)      { panic("boringcrypto: not available") }
-func GenerateKeyECDH(string) (*PrivateKeyECDH, []byte, error)   { panic("boringcrypto: not available") }
-func NewPrivateKeyECDH(string, []byte) (*PrivateKeyECDH, error) { panic("boringcrypto: not available") }
-func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error)   { panic("boringcrypto: not available") }
-func (*PublicKeyECDH) Bytes() []byte                            { panic("boringcrypto: not available") }
-func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error)      { panic("boringcrypto: not available") }
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: rand.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: README.md
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: rsa.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: sha.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: sig
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: syso
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: edwards25519
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: nistec
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: randutil
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: issue21104_test.go
Only in .: LICENSE
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: md5
Only in .: PATENTS
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rand
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rc4
Only in .: README.md
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha1
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha256
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha512
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: subtle
Only in .: THEDIFF.diff
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: boring.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: boring_test.go
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/cipher_suites.go ./tls/cipher_suites.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/cipher_suites.go	2024-04-08 16:22:42.084224204 +0000
+++ ./tls/cipher_suites.go	2024-04-08 16:21:00.412586228 +0000
@@ -6,19 +6,17 @@
 
 import (
 	"crypto"
-	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
 	"crypto/hmac"
-	"crypto/internal/boring"
 	"crypto/rc4"
 	"crypto/sha1"
 	"crypto/sha256"
 	"fmt"
 	"hash"
-	"internal/cpu"
-	"runtime"
 
+	"github.com/ooni/oocrypto/internal/boring"
+	aes "gitlab.com/yawning/bsaes.git"
 	"golang.org/x/crypto/chacha20poly1305"
 )
 
@@ -354,16 +352,10 @@
 	TLS_AES_256_GCM_SHA384,
 }
 
+// Note: we always set this field to true because we're using gitlab.com/yawning/bsaes
+// to implement AES, therefore, the pure Go fallback is constant time.
 var (
-	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
-	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-	// Keep in sync with crypto/aes/cipher_s390x.go.
-	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
-		(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
-	hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
-		runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
-		runtime.GOARCH == "s390x" && hasGCMAsmS390X
+	hasAESGCMHardwareSupport = true
 )
 
 var aesgcmCiphers = map[uint16]bool{
@@ -509,12 +501,7 @@
 		panic(err)
 	}
 	var aead cipher.AEAD
-	if boring.Enabled {
-		aead, err = boring.NewGCMTLS(aes)
-	} else {
-		boring.Unreachable()
-		aead, err = cipher.NewGCM(aes)
-	}
+	aead, err = cipher.NewGCM(aes)
 	if err != nil {
 		panic(err)
 	}
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: example_test.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: fipsonly
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client.go ./tls/handshake_client.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client.go	2024-04-08 16:22:42.084224204 +0000
+++ ./tls/handshake_client.go	2024-04-08 15:30:22.176676710 +0000
@@ -17,10 +17,8 @@
 	"errors"
 	"fmt"
 	"hash"
-	"internal/godebug"
 	"io"
 	"net"
-	"strconv"
 	"strings"
 	"time"
 )
@@ -942,17 +940,7 @@
 // to verify the signatures of during a TLS handshake.
 const defaultMaxRSAKeySize = 8192
 
-var tlsmaxrsasize = godebug.New("tlsmaxrsasize")
-
 func checkKeySize(n int) (max int, ok bool) {
-	if v := tlsmaxrsasize.Value(); v != "" {
-		if max, err := strconv.Atoi(v); err == nil {
-			if (n <= max) != (n <= defaultMaxRSAKeySize) {
-				tlsmaxrsasize.IncNonDefault()
-			}
-			return max, n <= max
-		}
-	}
 	return defaultMaxRSAKeySize, n <= defaultMaxRSAKeySize
 }
 
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client_test.go ./tls/handshake_client_test.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client_test.go	2024-04-08 16:22:42.084224204 +0000
+++ ./tls/handshake_client_test.go	2024-04-08 16:07:24.947552921 +0000
@@ -2783,6 +2783,7 @@
 -----END CERTIFICATE-----`
 
 func TestHandshakeRSATooBig(t *testing.T) {
+	t.Skip("test disabled for github.com/ooni/oocrypto")
 	for _, tc := range []struct {
 		name              string
 		godebug           string
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: link_test.go
Only in ./tls: stdlibwrapper.go
Only in ./tls: stdlibwrapper_test.go
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/ticket.go ./tls/ticket.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/ticket.go	2024-04-08 16:22:42.088224190 +0000
+++ ./tls/ticket.go	2024-04-08 16:21:15.112533828 +0000
@@ -5,7 +5,6 @@
 package tls
 
 import (
-	"crypto/aes"
 	"crypto/cipher"
 	"crypto/hmac"
 	"crypto/sha256"
@@ -14,6 +13,7 @@
 	"errors"
 	"io"
 
+	aes "gitlab.com/yawning/bsaes.git"
 	"golang.org/x/crypto/cryptobyte"
 )
 
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/tls_test.go ./tls/tls_test.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/tls_test.go	2024-04-08 16:22:42.088224190 +0000
+++ ./tls/tls_test.go	2024-04-08 14:46:12.256341561 +0000
@@ -12,7 +12,6 @@
 	"encoding/json"
 	"errors"
 	"fmt"
-	"internal/testenv"
 	"io"
 	"math"
 	"net"
@@ -503,8 +502,6 @@
 }
 
 func TestVerifyHostname(t *testing.T) {
-	testenv.MustHaveExternalNetwork(t)
-
 	c, err := Dial("tcp", "www.google.com:https", nil)
 	if err != nil {
 		t.Fatal(err)
Only in .: tools
Only in .: UPSTREAM
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: x509

You can see that now we're basically replacing crypto/aes with gitlab.com/yawning/bsaes.git.

@bassosimone
Copy link
Contributor Author

bassosimone commented Apr 8, 2024

These are the dependencies of the tls package:

// ~/sdk/go1.21.9/bin/go list -json ./tls | jq .Imports
[
  "bytes",
  "container/list",
  "context",
  "crypto",
  "crypto/cipher",
  "crypto/des",
  "crypto/ecdh",
  "crypto/ecdsa",
  "crypto/ed25519",
  "crypto/elliptic",
  "crypto/hmac",
  "crypto/md5",
  "crypto/rand",
  "crypto/rc4",
  "crypto/rsa",
  "crypto/sha1",
  "crypto/sha256",
  "crypto/sha512",
  "crypto/subtle",
  "crypto/tls",
  "crypto/x509",
  "encoding/binary",
  "encoding/pem",
  "errors",
  "fmt",
  "github.com/ooni/oocrypto/internal/boring",
  "gitlab.com/yawning/bsaes.git",
  "golang.org/x/crypto/chacha20poly1305",
  "golang.org/x/crypto/cryptobyte",
  "golang.org/x/crypto/hkdf",
  "hash",
  "io",
  "net",
  "os",
  "reflect",
  "runtime",
  "strconv",
  "strings",
  "sync",
  "sync/atomic",
  "time"
]

and

%  ~/sdk/go1.21.9/bin/go mod why crypto/aes

# crypto/aes
github.com/ooni/oocrypto/tls
crypto/ecdsa
crypto/aes

We still need to investigate why crypto/ecdsa needs crypto/aes and if this import is fine.

@bassosimone bassosimone marked this pull request as draft April 8, 2024 16:30
@bassosimone
Copy link
Contributor Author

bassosimone commented Apr 8, 2024

We should probably also check whether the conditions used by bsaes for selecting AES are still reasonable. An even more radical approach would call for not using assembly at all and always defaulting for using a pure Go implementation.

(But maybe doing that would be too slow.)

A possible alternative approach would be to select the proper AES implementation here, such that we can keep a logic that is similar to the existing standard library logic for deciding whether to use assembly.

🤔

There's clear a bit more to think before really landing this diff.

@bassosimone bassosimone changed the title sync: upgrade to go1.21.9 chore: upgrade to go1.21.9 Apr 8, 2024
@bassosimone
Copy link
Contributor Author

After internal discussion, it seems we don't want to proceed with this. I am going to perform a merge along the same lines with which I have been merging previously. Future work may lead us to use https://github.com/ooni/utls-light.

@bassosimone bassosimone deleted the merged-main branch April 12, 2024 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.