-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: upgrade to go1.21.9 #26
Conversation
…rics Allow GODEBUG users to report how many times a setting resulted in non-default behavior. Record non-default-behaviors for all existing GODEBUGs. Also rework tests to ensure that runtime is in sync with runtime/metrics.All, and generate docs mechanically from metrics.All. For #56986. Change-Id: Iefa1213e2a5c3f19ea16cd53298c487952ef05a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/453618 TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Russ Cox <[email protected]> Run-TryBot: Russ Cox <[email protected]> Reviewed-by: Michael Knyszek <[email protected]>
This is the second round to look for spelling mistakes. This time the manual sifting of the result list was made easier by filtering out capitalized and camelcase words. grep -r --include '*.go' -E '^// .*$' . | aspell list | grep -E -x '[A-Za-z]{1}[a-z]*' | sort | uniq This PR will be imported into Gerrit with the title and first comment (this text) used to generate the subject and body of the Gerrit change. Change-Id: Ie8a2092aaa7e1f051aa90f03dbaf2b9aaf5664a9 GitHub-Last-Rev: fc2bd6e0c51652f13a7588980f1408af8e6080f5 GitHub-Pull-Request: golang/go#57737 Reviewed-on: https://go-review.googlesource.com/c/go/+/461595 Auto-Submit: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Robert Griesemer <[email protected]>
This change makes it easier for clients to debug mutual TLS connection failures. Currently, there are a few situations where invalid client auth leads to a generic "bad certificate" alert. 3 specific situations have a more appropriate TLS alert code, based on the alert descriptions in the appendix of both RFC5246 and RFC8446. 1. The server is configured to require client auth, but no client cert was provided; the appropriate alert is "certificate required". This applies only to TLS 1.3, which first defined the certificate_required alert code. 2. The client provided a cert that was signed by an authority that is not in the server's trusted set of CAs; the appropriate alert is "unknown certificate authority". 3. The client provided an expired (or not yet valid) cert; the appropriate alert is "expired certificate". Otherwise, we still fall back to "bad certificate". Fixes #52113 Change-Id: I7d5860fe911cad8a1615f16bfe488a37e936dc36 GitHub-Last-Rev: 34eeab587b38549b2ba4a778f7f9894e9b715b43 GitHub-Pull-Request: golang/go#53251 Reviewed-on: https://go-review.googlesource.com/c/go/+/410496 Reviewed-by: Michael Knyszek <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
…SD ≥ 10.0 The getrandom syscall was added to NetBSD in version 10.0, see https://man.netbsd.org/NetBSD-10.0-STABLE/getrandom.2 Change-Id: I2714c1040791f7f4728be8d869058a38cbd93d4d Reviewed-on: https://go-review.googlesource.com/c/go/+/463123 Reviewed-by: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Tobias Klauser <[email protected]> Reviewed-by: Benny Siegert <[email protected]>
Similar to sha256, minimize add usage by preloading constants. This results in a small performance uplift. Likewise, cleanup some unused macros and registers to make room for constants. On ppc64le/power9: Hash8Bytes/New 22.7MB/s ± 0% 24.1MB/s ± 0% +6.49% Hash8Bytes/Sum384 23.4MB/s ± 0% 24.9MB/s ± 0% +6.32% Hash8Bytes/Sum512 23.5MB/s ± 0% 24.9MB/s ± 0% +6.18% Hash1K/New 422MB/s ± 0% 455MB/s ± 0% +7.92% Hash1K/Sum384 424MB/s ± 0% 457MB/s ± 0% +7.78% Hash1K/Sum512 424MB/s ± 0% 457MB/s ± 0% +7.77% Hash8K/New 488MB/s ± 0% 528MB/s ± 0% +8.18% Hash8K/Sum384 481MB/s ± 0% 528MB/s ± 0% +9.76% Hash8K/Sum512 488MB/s ± 0% 515MB/s ± 0% +5.60% Change-Id: Ic604b482e3f6a9680b89c71399f85442f06fef3f Reviewed-on: https://go-review.googlesource.com/c/go/+/460459 Reviewed-by: Archana Ravindar <[email protected]> Run-TryBot: Carlos Eduardo Seo <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Eduardo Seo <[email protected]> Reviewed-by: Lynn Boger <[email protected]> Reviewed-by: Bryan Mills <[email protected]>
The two crypto modules are both named "asm". If both are included in a single go.work (e.g., from `go work use -r .` in the repo), builds break from "module asm appears multiple times in workspace". Give these modules fully-qualified names to avoid conflicts. While we are here, also expand the name of two other testdata modules. Those modules don't currently conflict, but they have vague names at risk of future conflicts. Fixes #57769. Change-Id: I2bd8a505051e92348d49560ec698ed921f2c81be Reviewed-on: https://go-review.googlesource.com/c/go/+/461896 Reviewed-by: Bryan Mills <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Run-TryBot: Michael Pratt <[email protected]> Reviewed-by: Cherry Mui <[email protected]> Auto-Submit: Michael Pratt <[email protected]>
Change-Id: If092ae7c72b66f172ae32fa6c7294a7ac250362e Reviewed-on: https://go-review.googlesource.com/c/go/+/463995 Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Run-TryBot: Than McIntosh <[email protected]>
CL 463975 replaced the use of the NodeJS crypto.randomFillSync API with a direct call to crypto.getRandomValues. This function rejects any requests to fill a buffer larger than 65536 bytes, so we need to batch reads larger than this size. This reuses the batching functions used on other platforms to perform this batching. Fixes #58145 Change-Id: Ic0acf3be7c9e994bc345d6614867c9b0c47bd26d Reviewed-on: https://go-review.googlesource.com/c/go/+/463993 Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Johan Brandhorst-Satzkorn <[email protected]> Auto-Submit: Johan Brandhorst-Satzkorn <[email protected]>
It was mentioned after CL 463993 was merged that it is uncommon to use shifts for numbers other than powers of ten. Replace the shift with a base 10 constant. Change-Id: I11c90128740109a59add40ed7b680f7bcc9715ad Reviewed-on: https://go-review.googlesource.com/c/go/+/465275 Auto-Submit: Johan Brandhorst-Satzkorn <[email protected]> Run-TryBot: Johan Brandhorst-Satzkorn <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]> Auto-Submit: Brad Fitzpatrick <[email protected]> Reviewed-by: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Updates #31456 Change-Id: I68e0abfb6771c9b1d1bfcbb642db9eb5540f9cab GitHub-Last-Rev: 17ea697c5c0bbfdfb1ad91c2c60e22f6efc78b43 GitHub-Pull-Request: golang/go#49051 Reviewed-on: https://go-review.googlesource.com/c/go/+/356516 Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Reviewed-by: Bryan Mills <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]>
Return an explicit error when PrivateKey.ECDH is called with a PublicKey which uses a different Curve. Also document this requirement, even though it is perhaps obvious. Fixes #58131 Change-Id: I739181a3f1283bed14fb5ee7eb78658b854d28d8 Reviewed-on: https://go-review.googlesource.com/c/go/+/464335 Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]>
Updates #58483 Tested on Linux amd64: type Element struct { l0, l1, l2, l3, l4 uint64 } type PointAfter struct { x, y, z, t Element _ incomparable } type PointBefore struct { _ incomparable x, y, z, t Element } type incomparable [0]func() func main() { fmt.Println(unsafe.Sizeof(PointAfter{})) // 168 fmt.Println(unsafe.Sizeof(PointBefore{})) // 160 } Change-Id: I6c4fcb586bbf3febf62b6e54608496ff81685e43 Reviewed-on: https://go-review.googlesource.com/c/go/+/467616 Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]>
Message marshalling makes use of BytesOrPanic a lot, under the assumption that it will never panic. This assumption was incorrect, and specifically crafted handshakes could trigger panics. Rather than just surgically replacing the usages of BytesOrPanic in paths that could panic, replace all usages of it with proper error returns in case there are other ways of triggering panics which we didn't find. In one specific case, the tree routed by expandLabel, we replace the usage of BytesOrPanic, but retain a panic. This function already explicitly panicked elsewhere, and returning an error from it becomes rather painful because it requires changing a large number of APIs. The marshalling is unlikely to ever panic, as the inputs are all either fixed length, or already limited to the sizes required. If it were to panic, it'd likely only be during development. A close inspection shows no paths for a user to cause a panic currently. This patches ends up being rather large, since it requires routing errors back through functions which previously had no error returns. Where possible I've tried to use helpers that reduce the verbosity of frequently repeated stanzas, and to make the diffs as minimal as possible. Thanks to Marten Seemann for reporting this issue. Fixes #58001 Fixes CVE-2022-41724 Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436 Reviewed-by: Julie Qiu <[email protected]> TryBot-Result: Security TryBots <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/468125 Run-TryBot: Michael Pratt <[email protected]> Reviewed-by: Than McIntosh <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Michael Pratt <[email protected]>
I had forgotten, which caused amd64 allocations to go back up significantly. Added an allocations test. name old time/op new time/op delta DecryptPKCS1v15/2048-8 1.50ms ± 0% 1.48ms ± 0% -0.95% (p=0.000 n=9+10) DecryptPKCS1v15/3072-8 4.64ms ± 1% 4.60ms ± 0% -0.82% (p=0.000 n=8+10) DecryptPKCS1v15/4096-8 10.7ms ± 0% 10.6ms ± 1% -0.99% (p=0.000 n=10+10) EncryptPKCS1v15/2048-8 158µs ± 0% 157µs ± 0% -0.63% (p=0.000 n=10+10) DecryptOAEP/2048-8 1.50ms ± 0% 1.48ms ± 0% -1.09% (p=0.000 n=9+10) EncryptOAEP/2048-8 161µs ± 0% 160µs ± 0% -0.34% (p=0.000 n=9+10) SignPKCS1v15/2048-8 1.55ms ± 0% 1.53ms ± 1% -1.32% (p=0.000 n=10+10) VerifyPKCS1v15/2048-8 157µs ± 0% 157µs ± 0% -0.33% (p=0.004 n=9+10) SignPSS/2048-8 1.55ms ± 0% 1.54ms ± 0% -1.14% (p=0.000 n=10+10) VerifyPSS/2048-8 160µs ± 0% 160µs ± 0% -0.32% (p=0.000 n=10+10) name old alloc/op new alloc/op delta DecryptPKCS1v15/2048-8 15.0kB ± 0% 0.6kB ± 0% -95.74% (p=0.000 n=10+10) DecryptPKCS1v15/3072-8 17.9kB ± 0% 3.5kB ± 0% -80.65% (p=0.000 n=10+10) DecryptPKCS1v15/4096-8 19.1kB ± 0% 4.7kB ± 0% -75.25% (p=0.000 n=10+10) EncryptPKCS1v15/2048-8 7.51kB ± 0% 1.17kB ± 0% -84.39% (p=0.000 n=10+10) DecryptOAEP/2048-8 15.3kB ± 0% 0.9kB ± 0% -94.29% (p=0.000 n=10+10) EncryptOAEP/2048-8 7.74kB ± 0% 1.40kB ± 0% -81.86% (p=0.000 n=10+10) SignPKCS1v15/2048-8 21.6kB ± 0% 0.9kB ± 0% -95.86% (p=0.000 n=10+10) VerifyPKCS1v15/2048-8 7.25kB ± 0% 0.91kB ± 0% -87.42% (p=0.000 n=10+10) SignPSS/2048-8 22.0kB ± 0% 1.3kB ± 0% -94.12% (p=0.000 n=10+10) VerifyPSS/2048-8 7.46kB ± 0% 1.12kB ± 0% -84.98% (p=0.000 n=10+10) name old allocs/op new allocs/op delta DecryptPKCS1v15/2048-8 54.0 ± 0% 4.0 ± 0% -92.59% (p=0.000 n=10+10) DecryptPKCS1v15/3072-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10) DecryptPKCS1v15/4096-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10) EncryptPKCS1v15/2048-8 29.0 ± 0% 7.0 ± 0% -75.86% (p=0.000 n=10+10) DecryptOAEP/2048-8 60.0 ± 0% 10.0 ± 0% -83.33% (p=0.000 n=10+10) EncryptOAEP/2048-8 35.0 ± 0% 13.0 ± 0% -62.86% (p=0.000 n=10+10) SignPKCS1v15/2048-8 77.0 ± 0% 5.0 ± 0% -93.51% (p=0.000 n=10+10) VerifyPKCS1v15/2048-8 28.0 ± 0% 6.0 ± 0% -78.57% (p=0.000 n=10+10) SignPSS/2048-8 82.0 ± 0% 10.0 ± 0% -87.80% (p=0.000 n=10+10) VerifyPSS/2048-8 33.0 ± 0% 11.0 ± 0% -66.67% (p=0.000 n=10+10) Fixes #58501 Change-Id: I418c5152833787b80220b556336ec284674c2493 Reviewed-on: https://go-review.googlesource.com/c/go/+/460542 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Michael Pratt <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]>
Unlike the rest of nistec, the P-256 assembly doesn't use complete addition formulas, meaning that p256PointAdd[Affine]Asm won't return the correct value if the two inputs are equal. This was (undocumentedly) ignored in the scalar multiplication loops because as long as the input point is not the identity and the scalar is lower than the order of the group, the addition inputs can't be the same. As part of the math/big rewrite, we went however from always reducing the scalar to only checking its length, under the incorrect assumption that the scalar multiplication loop didn't require reduction. Added a reduction, and while at it added it in P256OrdInverse, too, to enforce a universal reduction invariant on p256OrdElement values. Note that if the input point is the infinity, the code currently still relies on undefined behavior, but that's easily tested to behave acceptably, and will be addressed in a future CL. Fixes #58647 Fixes CVE-2023-24532 (Filed with the "safe APIs like complete addition formulas are good" dept.) Change-Id: I7b2c75238440e6852be2710fad66ff1fdc4e2b24 Reviewed-on: https://go-review.googlesource.com/c/go/+/471255 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Damien Neil <[email protected]>
Fixes #58789 Change-Id: I91cdd20c6d4f05baaacd6a38717aa7bed6682573 Reviewed-on: https://go-review.googlesource.com/c/go/+/472155 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]>
On Windows, replace tests which rely on a root that expired last year. On Darwin fix an test which wasn't testing the expected behavior, and fix the behavior which was broken. Fixes #58791 Change-Id: I771175b9e123b8bb0e4efdf58cc2bb93aa94fbae Reviewed-on: https://go-review.googlesource.com/c/go/+/472295 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]>
Convert TestUnknownAuthorityError to use subtests, avoiding continuing the test after an unrecoverable failure. Skip TestIssue51759 on pre-macOS 11 builders, which don't enforce the behavior we were testing for. Updates #58791 Fixes #58812 Change-Id: I4e3e5bc371aa139d38052184c8232f8cb564138f Reviewed-on: https://go-review.googlesource.com/c/go/+/472496 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
Since we can't gate tests on the macOS version on normal machines, restrict TestIssue51759 to only run on builders, where we have a way to do this. Change-Id: I70fc83c587689b499b6a38864973a77bb3e52596 Reviewed-on: https://go-review.googlesource.com/c/go/+/472619 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
These directives affect the next declaration, so the existing form is valid, but can be confusing because it is easy to miss. Move then directly above the declaration for improved readability. CL 69120 previously moved the Gosched nosplit away to hide it from documentation. Since CL 224737, directives are automatically excluded from documentation. Change-Id: I8ebf2d47fbb5e77c6f40ed8afdf79eaa4f4e335e Reviewed-on: https://go-review.googlesource.com/c/go/+/472957 Run-TryBot: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Austin Clements <[email protected]>
Previously if PrivateKey.Sign was called for Ed25519ctx with a context longer than 255 bytes, the error message would mention Ed25519ph. For Ed25519ph, the order of message length vs context length errors now matches VerifyWithOptions. A message length error will be surfaced in preference to a context length error. It also preferences hash errors ahead of context length errors which also matches the behaviour of VerifyWithOptions. Change-Id: Iae380b3d879e0a9877ea057806fcd1e0ef7f7376 Reviewed-on: https://go-review.googlesource.com/c/go/+/473595 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]>
Change-Id: Ia110d19fe5ff3adc8bbf86dd2112f9702164d495 Reviewed-on: https://go-review.googlesource.com/c/go/+/475515 Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]>
The assumptions of some of the assembly functions were still scarcely documented and even disregarded: p256ScalarMult was relying on the fact that the "undefined behavior" of p256PointAddAsm with regards to infinity inputs was returning the infinity. Aside from expanding comments, moving the bit window massaging into a more easily understood p256OrdRsh function, and fixing the above, this change folds the last iteration of p256ScalarMult into the loop to reduce special cases and inverts the iteration order of p256BaseMult so it matches p256ScalarMult for ease of comparison. Updates #58647 Change-Id: Ie5712ea778aadbe5adcdb478d111c2527e83caa0 Reviewed-on: https://go-review.googlesource.com/c/go/+/471256 Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]>
Creates x509.RevocationListEntry, a new type representing a single revoked certificate entry in a CRL. Like the existing Certificate and RevocationList types, this new type has a field for its Raw bytes, and exposes its mostly-commonly-used extension (ReasonCode) as a top-level field. This provides more functionality to the user than the existing pkix.RevokedCertificate type. Adds a RevokedCertificateEntries field which is a []RevocationListEntry to RevocationList. This field deprecates the RevokedCertificates field. When the RevokedCertificates field is removed in a future release, this will remove one of the last places where a pkix type is directly exposed in the x509 package API. Updates the ParseRevocationList function to populate both fields for now, and updates the CreateRevocationList function to prefer the new field if it is populated, but use the deprecated field if not. Finally, also updates the x509 unit tests to use the new .ReasonCode field in most cases. Fixes #53573 Change-Id: Ia6de171802a5bd251938366508532e806772d7d8 Reviewed-on: https://go-review.googlesource.com/c/go/+/468875 Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Emmanuel Odeke <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]>
Fixes #56921 Change-Id: I03f9969a5146ab7becd983784d8cb5b23a3fbb18 Reviewed-on: https://go-review.googlesource.com/c/go/+/459976 TryBot-Bypass: Dmitri Shuralyov <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
Per the updated go.dev/wiki/Deprecated, those APIs replaced by crypto/ecdh (added in Go 1.20) can now be marked as deprecated in Go 1.21. Updates #52221 Updates #34648 Change-Id: Id0e11d7faa3a58a1716ce1ec6e2fff97bab96259 Reviewed-on: https://go-review.googlesource.com/c/go/+/459977 Run-TryBot: Filippo Valsorda <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Cherry Mui <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Most of these are one-off mistakes. Only one file was all spaces. Change-Id: I277c3ce4a4811aa4248c90676f66bc775ae8d062 Reviewed-on: https://go-review.googlesource.com/c/go/+/478976 Run-TryBot: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Cherry Mui <[email protected]>
… errors Change-Id: I84533d2df1a20f6337c43b1ca00d8022909a0018 GitHub-Last-Rev: 7dcc4e7296054df7fcbaebfdbd2a9895750f56ea GitHub-Pull-Request: golang/go#59195 Reviewed-on: https://go-review.googlesource.com/c/go/+/478816 Reviewed-by: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]>
This check is already done by PeekASN1Tag. Change-Id: Ieba0e35548f7f99bce689d29adaea6b8e471cc70 GitHub-Last-Rev: b4ef3dcc2307839cb7575cf29c3e6445b6a7520e GitHub-Pull-Request: golang/go#59197 Reviewed-on: https://go-review.googlesource.com/c/go/+/478835 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Ian Lance Taylor <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Auto-Submit: Ian Lance Taylor <[email protected]>
I noticed the one in path/filepath while reading the docs, and the other ones were found via some quick grepping. Change-Id: I386f2f74ef816a6d18aa2f58ee6b64dbd0147c9e Reviewed-on: https://go-review.googlesource.com/c/go/+/478795 Run-TryBot: Daniel Martí <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Ian Lance Taylor <[email protected]>
Rather than using the external network and real-world chains for testing the integrations with platform verifiers, use a synthetic test root. This changes adds a constrained root and key pair to the tree, and adds a test suite that verifies certificates issued from that root. These tests are only executed if the root is detected in the trust store. For reference, the script used to generate the root and key is attached to the bottom of this commit message. This change leaves the existing windows/darwin TestPlatformVerifier tests in place, since the trybots do not currently have the test root in place, and as such cannot run the suite. Once the builder images have the root integrated, we can remove the old flaky tests, and the trybots will begin running the new suite automatically. Updates #52108 -- gen.go -- package main import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "flag" "log" "math/big" "net" "os" "time" ) func writePEM(pemType string, der []byte, path string) error { enc := pem.EncodeToMemory(&pem.Block{ Type: pemType, Bytes: der, }) return os.WriteFile(path, enc, 0666) } func main() { certPath := flag.String("cert-path", "platform_root_cert.pem", "Path to write certificate PEM") keyPath := flag.String("key-path", "platform_root_key.pem", "Path to write key PEM") flag.Parse() key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { log.Fatalf("ecdsa.GenerateKey failed: %s", err) } now := time.Now() tmpl := &x509.Certificate{ SerialNumber: big.NewInt(9009), Subject: pkix.Name{ CommonName: "Go platform verifier testing root", }, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour * 24 * 365 * 5), IsCA: true, BasicConstraintsValid: true, PermittedDNSDomainsCritical: true, // PermittedDNSDomains restricts the names in certificates issued from this root to *.testing.golang.invalid. // The .invalid TLD is, per RFC 2606, reserved for testing, and as such anything issued for this certificate // should never be valid in the real world. PermittedDNSDomains: []string{"testing.golang.invalid"}, // ExcludedIPRanges prevents any certificate issued from this root that contains an IP address in both the full // IPv4 and IPv6 ranges from being considered valid. ExcludedIPRanges: []*net.IPNet{{IP: make([]byte, 4), Mask: make([]byte, 4)}, {IP: make([]byte, 16), Mask: make([]byte, 16)}}, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, } certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) if err != nil { log.Fatalf("x509.CreateCertificate failed: %s", err) } keyDER, err := x509.MarshalECPrivateKey(key) if err != nil { log.Fatalf("x509.MarshalECPrivateKey failed: %s", err) } if err := writePEM("CERTIFICATE", certDER, *certPath); err != nil { log.Fatalf("failed to write certificate PEM: %s", err) } if err := writePEM("EC PRIVATE KEY", keyDER, *keyPath); err != nil { log.Fatalf("failed to write key PEM: %s", err) } } Change-Id: If7c4a9f18466662a60fea5443e603232a9260026 Reviewed-on: https://go-review.googlesource.com/c/go/+/488855 Reviewed-by: Filippo Valsorda <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Bryan Mills <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Due to the semantics of roots, a root store may contain two valid roots that have the same subject (but different SPKIs) at the asme time. As such in testVerify it is possible that when we verify a certificate we may get two chains that has the same stringified representation. Rather than doing something fancy to include keys (which is just overly complicated), tolerate multiple matches. Fixes #60925 Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea Reviewed-on: https://go-review.googlesource.com/c/go/+/505035 Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Fixes #58637 Change-Id: I9eb3905d5b35ea22e22e1d8eb8c33594eac487fc Reviewed-on: https://go-review.googlesource.com/c/go/+/505155 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Filippo Valsorda <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]>
Rename the old TestPlatformVerifier to TestPlatformVerifierLegacy, and add TODO about removing it once the synthetic root is widely deployed on builders. Updates #52108 Change-Id: I6cdba268e4738804c7f76ea18c354470b3e0318c Reviewed-on: https://go-review.googlesource.com/c/go/+/505755 Run-TryBot: Roland Shoemaker <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Bryan Mills <[email protected]>
… to <= 8192 bits Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. Updates #61460 Fixes CVE-2023-29409 Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161 Reviewed-by: Damien Neil <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> (cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7) Reviewed-on: https://go-review.googlesource.com/c/go/+/515056 Run-TryBot: David Chase <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
…an options struct To allow for future evolution of the API, make QUICConn.SendSessionTicket take a QUICSessionTicketOptions rather than a single bool. For #60107 Change-Id: I798fd0feec5c7581e3c3574e2de99611c81df47f Reviewed-on: https://go-review.googlesource.com/c/go/+/514997 Reviewed-by: Roland Shoemaker <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Marten Seemann <[email protected]> (cherry picked from commit a915b999c915eb7827396013bcb334747863e66e) Reviewed-on: https://go-review.googlesource.com/c/go/+/515335 Auto-Submit: Damien Neil <[email protected]>
…y size Add a new GODEBUG setting, tlsmaxrsasize, which allows controlling the maximum RSA key size we will accept during TLS handshakes. Fixes #61967 Change-Id: I52f060be132014d219f4cd438f59990011a35c96 Reviewed-on: https://go-review.googlesource.com/c/go/+/517495 Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Russ Cox <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/518535 Auto-Submit: Dmitri Shuralyov <[email protected]>
…post-handshake messages The check for fragmentary post-handshake messages in QUICConn.HandleData was reversed, resulting in a potential panic when HandleData receives a partial message. In addition, HandleData wasn't checking the size of buffered post-handshake messages. Produce an error when a post-handshake message is larger than maxHandshake. TestQUICConnectionState was using an onHandleCryptoData hook in runTestQUICConnection that was never being called. (I think it was inadvertently removed at some point while the CL was in review.) Fix this test while making the hook more general. For #62266 Fixes #62290 Change-Id: I210b70634e50beb456ab3977eb11272b8724c241 Reviewed-on: https://go-review.googlesource.com/c/go/+/522595 Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Marten Seemann <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit e92c0f846c54d88f479b1c48f0dbc001d2ff53e9) Reviewed-on: https://go-review.googlesource.com/c/go/+/523039 Auto-Submit: Dmitri Shuralyov <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
…ProcessPrng RtlGenRandom is a semi-undocumented API, also known as SystemFunction036, which we use to generate random data on Windows. It's definition, in cryptbase.dll, is an opaque wrapper for the documented API ProcessPrng. Instead of using RtlGenRandom, switch to using ProcessPrng, since the former is simply a wrapper for the latter, there should be no practical change on the user side, other than a minor change in the DLLs we load. Updates #53192 Fixes #64413 Change-Id: Ie6891bf97b1d47f5368cccbe92f374dba2c2672a Reviewed-on: https://go-review.googlesource.com/c/go/+/536235 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Quim Muntal <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> (cherry picked from commit 693def151adff1af707d82d28f55dba81ceb08e1) Reviewed-on: https://go-review.googlesource.com/c/go/+/545355 Auto-Submit: Dmitri Shuralyov <[email protected]>
…s-20220613 Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates #64717 Updates #62372 Updates #64719 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/553855 Auto-Submit: Matthew Dempsky <[email protected]> TryBot-Result: Gopher Robot <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Run-TryBot: Matthew Dempsky <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
…SL policy This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Updates #64717 Updates #62372 Fixes #64719 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Than McIntosh <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/553856 Auto-Submit: Matthew Dempsky <[email protected]> Reviewed-by: Matthew Dempsky <[email protected]>
Fixes the gating of TestIssue51759 by shelling out to sw_vers to check what version of macOS we are on. For #64677 Fixes #65380 Change-Id: I5eef4fa39e5449e7b2aa73864625c3abf002aef8 Reviewed-on: https://go-review.googlesource.com/c/go/+/549195 Reviewed-by: Bryan Mills <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 400e24a8be852e7b20eb4af1999b28c20bb4ea21) Reviewed-on: https://go-review.googlesource.com/c/go/+/559517 Auto-Submit: Michael Pratt <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
…e to fips-20220613" +1 This reverts CL 553855 ("crypto/internal/boring: upgrade module to fips-20220613") and CL 553856 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65323 Updates #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Auto-Submit: Filippo Valsorda <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 09b5de48e64e67db92b31eaca054c5d096e3c057) Reviewed-on: https://go-review.googlesource.com/c/go/+/560275
…ore interface conversion alreadyInChain assumes all keys fit a interface which contains the Equal method (which they do), but this ignores that certificates may have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In this case alreadyInChain panics. Check that the key is non-nil as part of considerCandidate (we are never going to build a chain containing UnknownPublicKeyAlgorithm anyway). For #65390 Fixes #65392 Fixes CVE-2024-24783 Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282 Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/569238 Auto-Submit: Michael Knyszek <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
Change the approach we're using for merging, which was too fragile. We're now using gitlab.com/yawning/bsaes to provide constant-time AES.
Cloning into the current directory makes VSCode unusable.
For the records, this is now the diff with respect to go1.21.9: Cloning into '/tmp/tmp.0pD2LPGTdE/upstreamrepo'...
Already on 'master'
Your branch is up to date with 'origin/master'.
Already up to date.
Note: switching to 'go1.21.9'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at d8392e6997 [release-branch.go1.21] go1.21.9
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: aes
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: boring
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: cipher
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: crypto.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: des
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: dsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ecdh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ecdsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: ed25519
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: elliptic
Only in .: .git
Only in .: .github
Only in .: .gitignore
Only in .: go.mod
Only in .: go.sum
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: hmac
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: alias
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: bigmod
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: aes.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: bbig
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: bcache
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: boring.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: boring_test.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build-boring.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build-goboring.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: build.sh
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: div_test.c
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/doc.go ./internal/boring/doc.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/doc.go 2024-04-08 16:22:42.076224232 +0000
+++ ./internal/boring/doc.go 2024-04-08 15:16:17.159582786 +0000
@@ -12,8 +12,3 @@
//
// BoringCrypto is only available on linux/amd64 systems.
const Enabled = available
-
-// A BigInt is the raw words from a BigInt.
-// This definition allows us to avoid importing math/big.
-// Conversion between BigInt and *big.Int is in crypto/internal/boring/bbig.
-type BigInt []uint
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: Dockerfile
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: ecdh.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: ecdsa.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: fipstls
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: goboringcrypto.h
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: hmac.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: LICENSE
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/notboring.go ./internal/boring/notboring.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring/notboring.go 2024-04-08 16:22:42.076224232 +0000
+++ ./internal/boring/notboring.go 2024-04-08 15:16:17.159582786 +0000
@@ -6,117 +6,10 @@
package boring
-import (
- "crypto"
- "crypto/cipher"
- "crypto/internal/boring/sig"
- "hash"
-)
-
const available = false
// Unreachable marks code that should be unreachable
// when BoringCrypto is in use. It is a no-op without BoringCrypto.
func Unreachable() {
- // Code that's unreachable when using BoringCrypto
- // is exactly the code we want to detect for reporting
- // standard Go crypto.
- sig.StandardCrypto()
-}
-
-// UnreachableExceptTests marks code that should be unreachable
-// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-func UnreachableExceptTests() {}
-
-type randReader int
-
-func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
-
-const RandReader = randReader(0)
-
-func NewSHA1() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
-func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
-
-func SHA1([]byte) [20]byte { panic("boringcrypto: not available") }
-func SHA224([]byte) [28]byte { panic("boringcrypto: not available") }
-func SHA256([]byte) [32]byte { panic("boringcrypto: not available") }
-func SHA384([]byte) [48]byte { panic("boringcrypto: not available") }
-func SHA512([]byte) [64]byte { panic("boringcrypto: not available") }
-
-func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
-
-func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
-func NewGCMTLS(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") }
-
-type PublicKeyECDSA struct{ _ int }
-type PrivateKeyECDSA struct{ _ int }
-
-func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
- panic("boringcrypto: not available")
-}
-func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error) {
- panic("boringcrypto: not available")
-}
-func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
- panic("boringcrypto: not available")
-}
-func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
- panic("boringcrypto: not available")
+ // nothing
}
-
-type PublicKeyRSA struct{ _ int }
-type PrivateKeyRSA struct{ _ int }
-
-func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
- panic("boringcrypto: not available")
-}
-func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) {
- panic("boringcrypto: not available")
-}
-func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
-func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
- panic("boringcrypto: not available")
-}
-func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
- panic("boringcrypto: not available")
-}
-func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
- panic("boringcrypto: not available")
-}
-
-type PublicKeyECDH struct{}
-type PrivateKeyECDH struct{}
-
-func ECDH(*PrivateKeyECDH, *PublicKeyECDH) ([]byte, error) { panic("boringcrypto: not available") }
-func GenerateKeyECDH(string) (*PrivateKeyECDH, []byte, error) { panic("boringcrypto: not available") }
-func NewPrivateKeyECDH(string, []byte) (*PrivateKeyECDH, error) { panic("boringcrypto: not available") }
-func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error) { panic("boringcrypto: not available") }
-func (*PublicKeyECDH) Bytes() []byte { panic("boringcrypto: not available") }
-func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { panic("boringcrypto: not available") }
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: rand.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: README.md
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: rsa.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: sha.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: sig
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal/boring: syso
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: edwards25519
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: nistec
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/internal: randutil
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: issue21104_test.go
Only in .: LICENSE
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: md5
Only in .: PATENTS
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rand
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rc4
Only in .: README.md
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: rsa
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha1
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha256
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: sha512
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: subtle
Only in .: THEDIFF.diff
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: boring.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: boring_test.go
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/cipher_suites.go ./tls/cipher_suites.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/cipher_suites.go 2024-04-08 16:22:42.084224204 +0000
+++ ./tls/cipher_suites.go 2024-04-08 16:21:00.412586228 +0000
@@ -6,19 +6,17 @@
import (
"crypto"
- "crypto/aes"
"crypto/cipher"
"crypto/des"
"crypto/hmac"
- "crypto/internal/boring"
"crypto/rc4"
"crypto/sha1"
"crypto/sha256"
"fmt"
"hash"
- "internal/cpu"
- "runtime"
+ "github.com/ooni/oocrypto/internal/boring"
+ aes "gitlab.com/yawning/bsaes.git"
"golang.org/x/crypto/chacha20poly1305"
)
@@ -354,16 +352,10 @@
TLS_AES_256_GCM_SHA384,
}
+// Note: we always set this field to true because we're using gitlab.com/yawning/bsaes
+// to implement AES, therefore, the pure Go fallback is constant time.
var (
- hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
- hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
- // Keep in sync with crypto/aes/cipher_s390x.go.
- hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
- (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
- hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
- runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
- runtime.GOARCH == "s390x" && hasGCMAsmS390X
+ hasAESGCMHardwareSupport = true
)
var aesgcmCiphers = map[uint16]bool{
@@ -509,12 +501,7 @@
panic(err)
}
var aead cipher.AEAD
- if boring.Enabled {
- aead, err = boring.NewGCMTLS(aes)
- } else {
- boring.Unreachable()
- aead, err = cipher.NewGCM(aes)
- }
+ aead, err = cipher.NewGCM(aes)
if err != nil {
panic(err)
}
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: example_test.go
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: fipsonly
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client.go ./tls/handshake_client.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client.go 2024-04-08 16:22:42.084224204 +0000
+++ ./tls/handshake_client.go 2024-04-08 15:30:22.176676710 +0000
@@ -17,10 +17,8 @@
"errors"
"fmt"
"hash"
- "internal/godebug"
"io"
"net"
- "strconv"
"strings"
"time"
)
@@ -942,17 +940,7 @@
// to verify the signatures of during a TLS handshake.
const defaultMaxRSAKeySize = 8192
-var tlsmaxrsasize = godebug.New("tlsmaxrsasize")
-
func checkKeySize(n int) (max int, ok bool) {
- if v := tlsmaxrsasize.Value(); v != "" {
- if max, err := strconv.Atoi(v); err == nil {
- if (n <= max) != (n <= defaultMaxRSAKeySize) {
- tlsmaxrsasize.IncNonDefault()
- }
- return max, n <= max
- }
- }
return defaultMaxRSAKeySize, n <= defaultMaxRSAKeySize
}
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client_test.go ./tls/handshake_client_test.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/handshake_client_test.go 2024-04-08 16:22:42.084224204 +0000
+++ ./tls/handshake_client_test.go 2024-04-08 16:07:24.947552921 +0000
@@ -2783,6 +2783,7 @@
-----END CERTIFICATE-----`
func TestHandshakeRSATooBig(t *testing.T) {
+ t.Skip("test disabled for github.com/ooni/oocrypto")
for _, tc := range []struct {
name string
godebug string
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls: link_test.go
Only in ./tls: stdlibwrapper.go
Only in ./tls: stdlibwrapper_test.go
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/ticket.go ./tls/ticket.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/ticket.go 2024-04-08 16:22:42.088224190 +0000
+++ ./tls/ticket.go 2024-04-08 16:21:15.112533828 +0000
@@ -5,7 +5,6 @@
package tls
import (
- "crypto/aes"
"crypto/cipher"
"crypto/hmac"
"crypto/sha256"
@@ -14,6 +13,7 @@
"errors"
"io"
+ aes "gitlab.com/yawning/bsaes.git"
"golang.org/x/crypto/cryptobyte"
)
diff -ur /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/tls_test.go ./tls/tls_test.go
--- /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto/tls/tls_test.go 2024-04-08 16:22:42.088224190 +0000
+++ ./tls/tls_test.go 2024-04-08 14:46:12.256341561 +0000
@@ -12,7 +12,6 @@
"encoding/json"
"errors"
"fmt"
- "internal/testenv"
"io"
"math"
"net"
@@ -503,8 +502,6 @@
}
func TestVerifyHostname(t *testing.T) {
- testenv.MustHaveExternalNetwork(t)
-
c, err := Dial("tcp", "www.google.com:https", nil)
if err != nil {
t.Fatal(err)
Only in .: tools
Only in .: UPSTREAM
Only in /tmp/tmp.0pD2LPGTdE/upstreamrepo/src/crypto: x509
You can see that now we're basically replacing |
These are the dependencies of the // ~/sdk/go1.21.9/bin/go list -json ./tls | jq .Imports
[
"bytes",
"container/list",
"context",
"crypto",
"crypto/cipher",
"crypto/des",
"crypto/ecdh",
"crypto/ecdsa",
"crypto/ed25519",
"crypto/elliptic",
"crypto/hmac",
"crypto/md5",
"crypto/rand",
"crypto/rc4",
"crypto/rsa",
"crypto/sha1",
"crypto/sha256",
"crypto/sha512",
"crypto/subtle",
"crypto/tls",
"crypto/x509",
"encoding/binary",
"encoding/pem",
"errors",
"fmt",
"github.com/ooni/oocrypto/internal/boring",
"gitlab.com/yawning/bsaes.git",
"golang.org/x/crypto/chacha20poly1305",
"golang.org/x/crypto/cryptobyte",
"golang.org/x/crypto/hkdf",
"hash",
"io",
"net",
"os",
"reflect",
"runtime",
"strconv",
"strings",
"sync",
"sync/atomic",
"time"
] and
We still need to investigate why |
We should probably also check whether the conditions used by bsaes for selecting AES are still reasonable. An even more radical approach would call for not using assembly at all and always defaulting for using a pure Go implementation. (But maybe doing that would be too slow.) A possible alternative approach would be to select the proper AES implementation here, such that we can keep a logic that is similar to the existing standard library logic for deciding whether to use assembly. 🤔 There's clear a bit more to think before really landing this diff. |
After internal discussion, it seems we don't want to proceed with this. I am going to perform a merge along the same lines with which I have been merging previously. Future work may lead us to use https://github.com/ooni/utls-light. |
Change the approach we're using for merging, which was too fragile. We're now using gitlab.com/yawning/bsaes.git to provide constant-time AES. I am not a cryptographer or a programmer specializing in writing cryptographic code, but yawning is. Also, and really FWIW, I have reviewed the code of bsaes and it AFAICT is well written.
By using this different approach we reduce the amount of headaches caused by merging from upstream, because we can limit ourselves to the
crypto/tls
package and a few minimal supporting packages just to make it WAI.Internally, bsaes switches to using assembly from
crypto/aes
iff there's hardware support.Part of ooni/probe#2702.