Skip to content
GitLab
Switch branch/tag
  1. 03 Apr, 2020 1 commit
  3. 23 Mar, 2020 1 commit
  5. 20 Mar, 2020 2 commits
  7. 17 Mar, 2020 1 commit
  9. 11 Mar, 2020 1 commit
  11. 02 Mar, 2020 2 commits
  13. 21 Feb, 2020 3 commits
  15. 20 Feb, 2020 1 commit
  17. 19 Feb, 2020 1 commit
  19. 14 Feb, 2020 1 commit
  21. 10 Feb, 2020 2 commits
  23. 08 Feb, 2020 1 commit
    • Alex Brainman's avatar
      ssh/terminal: adjust ReadConsole rules on windows · ecb85df2
      Alex Brainman authored 
      CL 212377 changed end of input character on windows - from \n to \r.
But CL 212377 did not adjust ReadConsole accordingly. For example,
after CL 212377 \n was still used to end of password processing,
and \r was ignored.

This CL swaps these rules - \r is now used to end password processing,
and \n are ignored. The change only affects windows, all non windows
code should work as before.

This CL also adjusts TestReadPasswordLineEnd to fit new rules.

Fixes golang/go#36609

Change-Id: I027bf80d10e7d4d4b17ff0264935d14b8bea9097
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/215417


Run-TryBot: Alex Brainman <alex.brainman@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      ecb85df2
  25. 07 Feb, 2020 1 commit
  27. 06 Feb, 2020 1 commit
  29. 04 Feb, 2020 1 commit
  31. 28 Jan, 2020 1 commit
  33. 17 Jan, 2020 1 commit
  35. 15 Jan, 2020 1 commit
  37. 09 Jan, 2020 1 commit
    • Filippo Valsorda's avatar
      poly1305: drop broken arm assembly · 61a87790
      Filippo Valsorda authored 
      The ARM assembly uses the reserved G register. This started causing
frequent crashes due to async preemption, but it was already broken in
the presence of signals, including SIGPROF.

name                          old speed      new speed      delta
Chacha20Poly1305/Open-64      2.88MB/s ± 0%  1.85MB/s ± 0%   -35.76%  (p=0.008 n=6+7)
Chacha20Poly1305/Seal-64      3.17MB/s ± 1%  1.97MB/s ± 0%   -37.78%  (p=0.000 n=10+8)
Chacha20Poly1305/Open-64-X    2.41MB/s ± 0%  1.61MB/s ± 0%   -33.29%  (p=0.000 n=9+9)
Chacha20Poly1305/Seal-64-X    2.55MB/s ± 0%  1.64MB/s ± 0%   -35.61%  (p=0.000 n=10+9)
Chacha20Poly1305/Open-1350    8.43MB/s ± 0%  4.15MB/s ± 0%   -50.78%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350    8.55MB/s ± 0%  4.18MB/s ± 0%   -51.12%  (p=0.000 n=9+9)
Chacha20Poly1305/Open-1350-X  8.16MB/s ± 0%  4.06MB/s ± 0%   -50.18%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350-X  8.24MB/s ± 1%  4.08MB/s ± 1%   -50.53%  (p=0.000 n=10+10)
Chacha20Poly1305/Open-8192    9.73MB/s ± 1%  4.56MB/s ± 0%   -53.15%  (p=0.000 n=9+10)
Chacha20Poly1305/Seal-8192    9.57MB/s ± 0%  4.52MB/s ± 0%   -52.77%  (p=0.000 n=9+9)
Chacha20Poly1305/Open-8192-X  9.65MB/s ± 0%  4.54MB/s ± 0%   -52.95%  (p=0.000 n=10+7)
Chacha20Poly1305/Seal-8192-X  9.47MB/s ± 1%  4.50MB/s ± 0%   -52.50%  (p=0.000 n=10+9)

Fixes golang/go#35511

Change-Id: I5e5ca3a0499f04c5fece5bc669a417e32d2656c6
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/213880


Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: default avatarCherry Zhang <cherryyz@google.com>
      61a87790
  39. 08 Jan, 2020 1 commit
  41. 27 Dec, 2019 1 commit
  43. 19 Dec, 2019 1 commit
  45. 06 Dec, 2019 1 commit
    • Katie Hockman's avatar
      internal/wycheproof: add Wycheproof tests for verifying signatures · e9b2fee4
      Katie Hockman authored 
      https://github.com/google/wycheproof provides test vectors exposing
vulnerabilities in crypto packages. This change creates a new package
called internal/wycheproof that runs these Wycheproof tests against
a number of pacakages in the standard library (and in the future,
x/crypto).

Directory structure:
 - interal/wycheproof/internal/ecdsa: internal version of ecdsa package which
includes a new function that verifies ASN encoded signatures directly
 - interal/wycheproof/internal/dsa: internal version of dsa package which
includes a new function that verifies ASN encoded signatures directly
 - internal/wycheproof: all tests

internal/wycheproof/wycheproof_test.go provides utility functions that are
common to many tests in the package, and contains the TestMain which
fetches github.com/google/wycheproof from the source.

This change includes tests for signature verification with dsa, ecdsa,
eddsa, and rsa (both PKCS#1 v1.5 and PSS signatures).

Note that these tests download testdata from github.com/google/wycheproof
by running `go mod download` in the TestMain. This means that internet
access will be necessary in order to run these tests if the testdata is
not already in your module cache.

More tests will be added incrementally.

Change-Id: I0378d4be24b5679fdc186e9fc94c1cc0068e81f7
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209221


Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      e9b2fee4
  47. 05 Dec, 2019 2 commits
    • edef's avatar
      acme: expect standard ASN.1 signatures from ECDSA Client.Key · e7c4368f
      edef authored 
      Previously, an ECDSA crypto.Signer would have been expected to return a
signature in RFC7518 format, which violates crypto.Signer's interface
contract.

Fixes golang/go#35829

Change-Id: Id0cc2d9296cfb9f89925ab9ac02e12d68eec734b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209537


Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      e7c4368f
    • Filippo Valsorda's avatar
      ssh: reject unencrypted keys from ParsePrivateKeyWithPassphrase · 0a08dada
      Filippo Valsorda authored 
      The behavior of ParsePrivateKeyWithPassphrase when the key is
unencrypted is unspecified. Currently, it just parses them like
ParsePrivateKey, which is unlikely to be what anyone wants: for us to
ignore a passphrase that they explicitly passed. It also makes the
implementation of encrypted OpenSSH keys in the next CL more confused.

Instead, make ParsePrivateKey return a PassphraseNeededError, so the
application logic can be ParsePrivateKey -> detect encrypted key ->
obtain passphrase -> ParsePrivateKeyWithPassphrase. That error will also
let us return the public key for OpenSSH keys.

Change-Id: Ife4fb2499ae538bef36e353adf9bc8e902662386
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/207599


Run-TryBot: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarHan-Wen Nienhuys <hanwen@google.com>
      0a08dada
  49. 02 Dec, 2019 1 commit
  51. 28 Nov, 2019 1 commit
    • Fazlul Shahriar's avatar
      ssh/agent: fix TestServerResponseTooLarge on Plan 9 · b544559b
      Fazlul Shahriar authored 
      First, modify the test to report a better error by waiting for the
Marshal+Write goroutine to finish before returning from the test. If we
return too early, a failure inside that goroutine can generate a panic.

Second, we workaround plan9 not returning the actual number of bytes
written on the connection in case of a hangup (due to closed
connection). I've verified that syscall.Pwrite returns -1 on hangup in
this particular case even when some data did get written.

Fixes golang/go#35888

Change-Id: I7998cff926295f0d577b125c137021a9adc1be5a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209298

Reviewed-by: default avatarHan-Wen Nienhuys <hanwen@google.com>
Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
      b544559b
  53. 22 Nov, 2019 1 commit
  55. 19 Nov, 2019 1 commit
  57. 17 Nov, 2019 1 commit
  59. 12 Nov, 2019 1 commit
  61. 11 Nov, 2019 4 commits
    • Filippo Valsorda's avatar
      chacha20: implement XChaCha20 · 16651526
      Filippo Valsorda authored 
      Simply add the NonceSizeX constant, and accept 24 bytes nonces in
NewUnauthenticatedCipher. Based on draft-irtf-cfrg-xchacha-01 and
libsodium's implementation.

Fixes golang/go#24485

Change-Id: I551c8ace258bd54b95bb204c8bb34bccd1c4b615
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185991

Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      16651526
    • Filippo Valsorda's avatar
      chacha20: expose internal/chacha20 package · e0829623
      Filippo Valsorda authored 
      const KeySize = 32
const NonceSize = 12
func HChaCha20(key, nonce []byte) ([]byte, error)
type Cipher struct {}
func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error)
func (s *Cipher) XORKeyStream(dst, src []byte)

Small performance hit in chacha20poly1305, probably due to the loss
of the Advance API, which we might consider adding later. No new
allocations, thanks to the mid-stack inliner.

name                            old time/op    new time/op    delta
Chacha20Poly1305/Open-64-8        1.60µs ± 0%    1.68µs ± 1%  +4.94%  (p=0.000 n=9+10)
Chacha20Poly1305/Seal-64-8        1.56µs ± 0%    1.64µs ± 1%  +5.21%  (p=0.000 n=8+10)
Chacha20Poly1305/Open-64-X-8      2.10µs ± 1%    2.22µs ± 1%  +5.81%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-64-X-8      2.07µs ± 1%    2.17µs ± 0%  +4.88%  (p=0.000 n=10+10)
Chacha20Poly1305/Open-1350-8      15.4µs ± 0%    15.7µs ± 1%  +1.65%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350-8      15.6µs ± 2%    15.9µs ± 1%  +1.58%  (p=0.028 n=10+9)
Chacha20Poly1305/Open-1350-X-8    16.0µs ± 1%    16.3µs ± 2%  +2.00%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-1350-X-8    15.9µs ± 0%    16.3µs ± 1%  +1.91%  (p=0.000 n=10+8)
Chacha20Poly1305/Open-8192-8      85.6µs ± 0%    86.6µs ± 1%  +1.21%  (p=0.000 n=10+10)
Chacha20Poly1305/Seal-8192-8      85.7µs ± 0%    86.3µs ± 0%  +0.68%  (p=0.001 n=9+9)
Chacha20Poly1305/Open-8192-X-8    86.4µs ± 1%    87.1µs ± 1%  +0.76%  (p=0.035 n=10+9)
Chacha20Poly1305/Seal-8192-X-8    86.0µs ± 0%    87.0µs ± 1%  +1.14%  (p=0.000 n=9+9)

Updates golang/go#24485

Change-Id: I2ec2ef487a03f013049915d9063751c75a78408b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185980

Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      e0829623
    • Filippo Valsorda's avatar
      internal/chacha20: cache first round across XORKeyStream invocations · 9b708ad8
      Filippo Valsorda authored 
      name                old speed     new speed     delta
ChaCha20/64-4       428MB/s ± 1%  432MB/s ± 1%    ~     (p=0.089 n=10+10)
ChaCha20/256-4      497MB/s ± 1%  507MB/s ± 2%  +1.94%  (p=0.000 n=9+10)
ChaCha20/10x25-4    273MB/s ± 1%  285MB/s ± 3%  +4.37%  (p=0.000 n=10+10)
ChaCha20/4096-4     495MB/s ± 1%  508MB/s ± 1%  +2.51%  (p=0.000 n=8+10)
ChaCha20/100x40-4   407MB/s ± 1%  439MB/s ± 1%  +7.92%  (p=0.000 n=9+9)
ChaCha20/65536-4    521MB/s ± 2%  537MB/s ± 1%  +3.00%  (p=0.000 n=10+10)
ChaCha20/1000x65-4  498MB/s ± 2%  521MB/s ± 2%  +4.70%  (p=0.000 n=10+10)

Curiously, even if we omit the critical s.precompDone = true step, we
see a significant performance improvement across the board, maybe due to
reduced register pressure. (See below. Actually using the precomputed
values only impacts the 10x25, 100x40 and 1000x65 benchmarks, as
expected.)

name                old speed     new speed     delta
ChaCha20/64-4       428MB/s ± 1%  428MB/s ± 1%    ~     (p=0.912 n=10+10)
ChaCha20/256-4      497MB/s ± 1%  510MB/s ± 1%  +2.64%  (p=0.000 n=9+10)
ChaCha20/10x25-4    273MB/s ± 1%  277MB/s ± 2%  +1.36%  (p=0.003 n=10+10)
ChaCha20/4096-4     495MB/s ± 1%  507MB/s ± 2%  +2.28%  (p=0.000 n=8+10)
ChaCha20/100x40-4   407MB/s ± 1%  418MB/s ± 1%  +2.69%  (p=0.000 n=9+10)
ChaCha20/65536-4    521MB/s ± 2%  536MB/s ± 1%  +2.76%  (p=0.000 n=10+8)
ChaCha20/1000x65-4  498MB/s ± 2%  519MB/s ± 1%  +4.15%  (p=0.000 n=10+9)

Updates golang/go#24485

Change-Id: I117fab938787819aae1cc4371354888701e4e54b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185440

Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      9b708ad8
    • Filippo Valsorda's avatar
      internal/chacha20: refactor for readability and consistency · 85e5e33d
      Filippo Valsorda authored 
      Separated the complex buffering logic from key stream generation more
clearly, added plenty of comments and generally refactored the Go
implementation for readability. Made the interface with the
generic/assembly cores smaller and more consistent, according to
golang.org/wiki/TargetSpecific.

We will recover the lost performance on unaligned calls by caching 3/4
of the first round across XORKeyStream invocations, which we now have
complexity budget for.

name                old speed     new speed     delta
ChaCha20/64-4       435MB/s ± 2%  429MB/s ± 2%  -1.47%  (p=0.013 n=10+9)
ChaCha20/256-4      496MB/s ± 1%  493MB/s ± 2%    ~     (p=0.280 n=10+10)
ChaCha20/10x25-4    283MB/s ± 1%  274MB/s ± 2%  -3.13%  (p=0.000 n=10+10)
ChaCha20/4096-4     494MB/s ± 1%  493MB/s ± 5%    ~     (p=0.631 n=10+10)
ChaCha20/100x40-4   421MB/s ± 3%  408MB/s ± 1%  -3.14%  (p=0.003 n=9+9)
ChaCha20/65536-4    515MB/s ± 1%  519MB/s ± 3%    ~     (p=0.161 n=7+10)
ChaCha20/1000x65-4  501MB/s ± 2%  501MB/s ± 3%    ~     (p=0.497 n=9+10)

Also applied a fix for a lingering bug in the ppc64le assembly written
by Lynn Boger <laboger@linux.vnet.ibm.com>.

Updates golang/go#24485

Change-Id: I10cf24a7f10359b1b4ae63c9bb1946735b98ac9b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185439

Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      85e5e33d