1. 03 Apr, 2020 1 commit
  2. 23 Mar, 2020 1 commit
  3. 20 Mar, 2020 2 commits
  4. 17 Mar, 2020 1 commit
  5. 11 Mar, 2020 1 commit
  6. 02 Mar, 2020 2 commits
  7. 21 Feb, 2020 3 commits
  8. 20 Feb, 2020 1 commit
  9. 19 Feb, 2020 1 commit
  10. 14 Feb, 2020 1 commit
  11. 10 Feb, 2020 2 commits
  12. 08 Feb, 2020 1 commit
    • Alex Brainman's avatar
      ssh/terminal: adjust ReadConsole rules on windows · ecb85df2
      Alex Brainman authored
      CL 212377 changed end of input character on windows - from \n to \r.
      But CL 212377 did not adjust ReadConsole accordingly. For example,
      after CL 212377 \n was still used to end of password processing,
      and \r was ignored.
      
      This CL swaps these rules - \r is now used to end password processing,
      and \n are ignored. The change only affects windows, all non windows
      code should work as before.
      
      This CL also adjusts TestReadPasswordLineEnd to fit new rules.
      
      Fixes golang/go#36609
      
      Change-Id: I027bf80d10e7d4d4b17ff0264935d14b8bea9097
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/215417
      
      
      Run-TryBot: Alex Brainman <alex.brainman@gmail.com>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      ecb85df2
  13. 07 Feb, 2020 1 commit
  14. 06 Feb, 2020 1 commit
  15. 04 Feb, 2020 1 commit
  16. 28 Jan, 2020 1 commit
  17. 17 Jan, 2020 1 commit
  18. 15 Jan, 2020 1 commit
  19. 09 Jan, 2020 1 commit
    • Filippo Valsorda's avatar
      poly1305: drop broken arm assembly · 61a87790
      Filippo Valsorda authored
      The ARM assembly uses the reserved G register. This started causing
      frequent crashes due to async preemption, but it was already broken in
      the presence of signals, including SIGPROF.
      
      name                          old speed      new speed      delta
      Chacha20Poly1305/Open-64      2.88MB/s ± 0%  1.85MB/s ± 0%   -35.76%  (p=0.008 n=6+7)
      Chacha20Poly1305/Seal-64      3.17MB/s ± 1%  1.97MB/s ± 0%   -37.78%  (p=0.000 n=10+8)
      Chacha20Poly1305/Open-64-X    2.41MB/s ± 0%  1.61MB/s ± 0%   -33.29%  (p=0.000 n=9+9)
      Chacha20Poly1305/Seal-64-X    2.55MB/s ± 0%  1.64MB/s ± 0%   -35.61%  (p=0.000 n=10+9)
      Chacha20Poly1305/Open-1350    8.43MB/s ± 0%  4.15MB/s ± 0%   -50.78%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-1350    8.55MB/s ± 0%  4.18MB/s ± 0%   -51.12%  (p=0.000 n=9+9)
      Chacha20Poly1305/Open-1350-X  8.16MB/s ± 0%  4.06MB/s ± 0%   -50.18%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-1350-X  8.24MB/s ± 1%  4.08MB/s ± 1%   -50.53%  (p=0.000 n=10+10)
      Chacha20Poly1305/Open-8192    9.73MB/s ± 1%  4.56MB/s ± 0%   -53.15%  (p=0.000 n=9+10)
      Chacha20Poly1305/Seal-8192    9.57MB/s ± 0%  4.52MB/s ± 0%   -52.77%  (p=0.000 n=9+9)
      Chacha20Poly1305/Open-8192-X  9.65MB/s ± 0%  4.54MB/s ± 0%   -52.95%  (p=0.000 n=10+7)
      Chacha20Poly1305/Seal-8192-X  9.47MB/s ± 1%  4.50MB/s ± 0%   -52.50%  (p=0.000 n=10+9)
      
      Fixes golang/go#35511
      
      Change-Id: I5e5ca3a0499f04c5fece5bc669a417e32d2656c6
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/213880
      
      
      Run-TryBot: Filippo Valsorda <filippo@golang.org>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
      Reviewed-by: default avatarCherry Zhang <cherryyz@google.com>
      61a87790
  20. 08 Jan, 2020 1 commit
  21. 27 Dec, 2019 1 commit
  22. 19 Dec, 2019 1 commit
  23. 06 Dec, 2019 1 commit
    • Katie Hockman's avatar
      internal/wycheproof: add Wycheproof tests for verifying signatures · e9b2fee4
      Katie Hockman authored
      https://github.com/google/wycheproof provides test vectors exposing
      vulnerabilities in crypto packages. This change creates a new package
      called internal/wycheproof that runs these Wycheproof tests against
      a number of pacakages in the standard library (and in the future,
      x/crypto).
      
      Directory structure:
       - interal/wycheproof/internal/ecdsa: internal version of ecdsa package which
      includes a new function that verifies ASN encoded signatures directly
       - interal/wycheproof/internal/dsa: internal version of dsa package which
      includes a new function that verifies ASN encoded signatures directly
       - internal/wycheproof: all tests
      
      internal/wycheproof/wycheproof_test.go provides utility functions that are
      common to many tests in the package, and contains the TestMain which
      fetches github.com/google/wycheproof from the source.
      
      This change includes tests for signature verification with dsa, ecdsa,
      eddsa, and rsa (both PKCS#1 v1.5 and PSS signatures).
      
      Note that these tests download testdata from github.com/google/wycheproof
      by running `go mod download` in the TestMain. This means that internet
      access will be necessary in order to run these tests if the testdata is
      not already in your module cache.
      
      More tests will be added incrementally.
      
      Change-Id: I0378d4be24b5679fdc186e9fc94c1cc0068e81f7
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209221
      
      
      Run-TryBot: Katie Hockman <katie@golang.org>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      e9b2fee4
  24. 05 Dec, 2019 2 commits
    • edef's avatar
      acme: expect standard ASN.1 signatures from ECDSA Client.Key · e7c4368f
      edef authored
      Previously, an ECDSA crypto.Signer would have been expected to return a
      signature in RFC7518 format, which violates crypto.Signer's interface
      contract.
      
      Fixes golang/go#35829
      
      Change-Id: Id0cc2d9296cfb9f89925ab9ac02e12d68eec734b
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209537
      
      
      Run-TryBot: Filippo Valsorda <filippo@golang.org>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
      e7c4368f
    • Filippo Valsorda's avatar
      ssh: reject unencrypted keys from ParsePrivateKeyWithPassphrase · 0a08dada
      Filippo Valsorda authored
      The behavior of ParsePrivateKeyWithPassphrase when the key is
      unencrypted is unspecified. Currently, it just parses them like
      ParsePrivateKey, which is unlikely to be what anyone wants: for us to
      ignore a passphrase that they explicitly passed. It also makes the
      implementation of encrypted OpenSSH keys in the next CL more confused.
      
      Instead, make ParsePrivateKey return a PassphraseNeededError, so the
      application logic can be ParsePrivateKey -> detect encrypted key ->
      obtain passphrase -> ParsePrivateKeyWithPassphrase. That error will also
      let us return the public key for OpenSSH keys.
      
      Change-Id: Ife4fb2499ae538bef36e353adf9bc8e902662386
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/207599
      
      
      Run-TryBot: Filippo Valsorda <filippo@golang.org>
      Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarHan-Wen Nienhuys <hanwen@google.com>
      0a08dada
  25. 02 Dec, 2019 1 commit
  26. 28 Nov, 2019 1 commit
    • Fazlul Shahriar's avatar
      ssh/agent: fix TestServerResponseTooLarge on Plan 9 · b544559b
      Fazlul Shahriar authored
      First, modify the test to report a better error by waiting for the
      Marshal+Write goroutine to finish before returning from the test. If we
      return too early, a failure inside that goroutine can generate a panic.
      
      Second, we workaround plan9 not returning the actual number of bytes
      written on the connection in case of a hangup (due to closed
      connection). I've verified that syscall.Pwrite returns -1 on hangup in
      this particular case even when some data did get written.
      
      Fixes golang/go#35888
      
      Change-Id: I7998cff926295f0d577b125c137021a9adc1be5a
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/209298
      
      Reviewed-by: default avatarHan-Wen Nienhuys <hanwen@google.com>
      Run-TryBot: Han-Wen Nienhuys <hanwen@google.com>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      b544559b
  27. 22 Nov, 2019 1 commit
  28. 19 Nov, 2019 1 commit
  29. 17 Nov, 2019 1 commit
  30. 12 Nov, 2019 1 commit
  31. 11 Nov, 2019 4 commits
    • Filippo Valsorda's avatar
      chacha20: implement XChaCha20 · 16651526
      Filippo Valsorda authored
      Simply add the NonceSizeX constant, and accept 24 bytes nonces in
      NewUnauthenticatedCipher. Based on draft-irtf-cfrg-xchacha-01 and
      libsodium's implementation.
      
      Fixes golang/go#24485
      
      Change-Id: I551c8ace258bd54b95bb204c8bb34bccd1c4b615
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185991
      
      Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      16651526
    • Filippo Valsorda's avatar
      chacha20: expose internal/chacha20 package · e0829623
      Filippo Valsorda authored
      const KeySize = 32
      const NonceSize = 12
      func HChaCha20(key, nonce []byte) ([]byte, error)
      type Cipher struct {}
      func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error)
      func (s *Cipher) XORKeyStream(dst, src []byte)
      
      Small performance hit in chacha20poly1305, probably due to the loss
      of the Advance API, which we might consider adding later. No new
      allocations, thanks to the mid-stack inliner.
      
      name                            old time/op    new time/op    delta
      Chacha20Poly1305/Open-64-8        1.60µs ± 0%    1.68µs ± 1%  +4.94%  (p=0.000 n=9+10)
      Chacha20Poly1305/Seal-64-8        1.56µs ± 0%    1.64µs ± 1%  +5.21%  (p=0.000 n=8+10)
      Chacha20Poly1305/Open-64-X-8      2.10µs ± 1%    2.22µs ± 1%  +5.81%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-64-X-8      2.07µs ± 1%    2.17µs ± 0%  +4.88%  (p=0.000 n=10+10)
      Chacha20Poly1305/Open-1350-8      15.4µs ± 0%    15.7µs ± 1%  +1.65%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-1350-8      15.6µs ± 2%    15.9µs ± 1%  +1.58%  (p=0.028 n=10+9)
      Chacha20Poly1305/Open-1350-X-8    16.0µs ± 1%    16.3µs ± 2%  +2.00%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-1350-X-8    15.9µs ± 0%    16.3µs ± 1%  +1.91%  (p=0.000 n=10+8)
      Chacha20Poly1305/Open-8192-8      85.6µs ± 0%    86.6µs ± 1%  +1.21%  (p=0.000 n=10+10)
      Chacha20Poly1305/Seal-8192-8      85.7µs ± 0%    86.3µs ± 0%  +0.68%  (p=0.001 n=9+9)
      Chacha20Poly1305/Open-8192-X-8    86.4µs ± 1%    87.1µs ± 1%  +0.76%  (p=0.035 n=10+9)
      Chacha20Poly1305/Seal-8192-X-8    86.0µs ± 0%    87.0µs ± 1%  +1.14%  (p=0.000 n=9+9)
      
      Updates golang/go#24485
      
      Change-Id: I2ec2ef487a03f013049915d9063751c75a78408b
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185980
      
      Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      e0829623
    • Filippo Valsorda's avatar
      internal/chacha20: cache first round across XORKeyStream invocations · 9b708ad8
      Filippo Valsorda authored
      name                old speed     new speed     delta
      ChaCha20/64-4       428MB/s ± 1%  432MB/s ± 1%    ~     (p=0.089 n=10+10)
      ChaCha20/256-4      497MB/s ± 1%  507MB/s ± 2%  +1.94%  (p=0.000 n=9+10)
      ChaCha20/10x25-4    273MB/s ± 1%  285MB/s ± 3%  +4.37%  (p=0.000 n=10+10)
      ChaCha20/4096-4     495MB/s ± 1%  508MB/s ± 1%  +2.51%  (p=0.000 n=8+10)
      ChaCha20/100x40-4   407MB/s ± 1%  439MB/s ± 1%  +7.92%  (p=0.000 n=9+9)
      ChaCha20/65536-4    521MB/s ± 2%  537MB/s ± 1%  +3.00%  (p=0.000 n=10+10)
      ChaCha20/1000x65-4  498MB/s ± 2%  521MB/s ± 2%  +4.70%  (p=0.000 n=10+10)
      
      Curiously, even if we omit the critical s.precompDone = true step, we
      see a significant performance improvement across the board, maybe due to
      reduced register pressure. (See below. Actually using the precomputed
      values only impacts the 10x25, 100x40 and 1000x65 benchmarks, as
      expected.)
      
      name                old speed     new speed     delta
      ChaCha20/64-4       428MB/s ± 1%  428MB/s ± 1%    ~     (p=0.912 n=10+10)
      ChaCha20/256-4      497MB/s ± 1%  510MB/s ± 1%  +2.64%  (p=0.000 n=9+10)
      ChaCha20/10x25-4    273MB/s ± 1%  277MB/s ± 2%  +1.36%  (p=0.003 n=10+10)
      ChaCha20/4096-4     495MB/s ± 1%  507MB/s ± 2%  +2.28%  (p=0.000 n=8+10)
      ChaCha20/100x40-4   407MB/s ± 1%  418MB/s ± 1%  +2.69%  (p=0.000 n=9+10)
      ChaCha20/65536-4    521MB/s ± 2%  536MB/s ± 1%  +2.76%  (p=0.000 n=10+8)
      ChaCha20/1000x65-4  498MB/s ± 2%  519MB/s ± 1%  +4.15%  (p=0.000 n=10+9)
      
      Updates golang/go#24485
      
      Change-Id: I117fab938787819aae1cc4371354888701e4e54b
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185440
      
      Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      9b708ad8
    • Filippo Valsorda's avatar
      internal/chacha20: refactor for readability and consistency · 85e5e33d
      Filippo Valsorda authored
      Separated the complex buffering logic from key stream generation more
      clearly, added plenty of comments and generally refactored the Go
      implementation for readability. Made the interface with the
      generic/assembly cores smaller and more consistent, according to
      golang.org/wiki/TargetSpecific.
      
      We will recover the lost performance on unaligned calls by caching 3/4
      of the first round across XORKeyStream invocations, which we now have
      complexity budget for.
      
      name                old speed     new speed     delta
      ChaCha20/64-4       435MB/s ± 2%  429MB/s ± 2%  -1.47%  (p=0.013 n=10+9)
      ChaCha20/256-4      496MB/s ± 1%  493MB/s ± 2%    ~     (p=0.280 n=10+10)
      ChaCha20/10x25-4    283MB/s ± 1%  274MB/s ± 2%  -3.13%  (p=0.000 n=10+10)
      ChaCha20/4096-4     494MB/s ± 1%  493MB/s ± 5%    ~     (p=0.631 n=10+10)
      ChaCha20/100x40-4   421MB/s ± 3%  408MB/s ± 1%  -3.14%  (p=0.003 n=9+9)
      ChaCha20/65536-4    515MB/s ± 1%  519MB/s ± 3%    ~     (p=0.161 n=7+10)
      ChaCha20/1000x65-4  501MB/s ± 2%  501MB/s ± 3%    ~     (p=0.497 n=9+10)
      
      Also applied a fix for a lingering bug in the ppc64le assembly written
      by Lynn Boger <laboger@linux.vnet.ibm.com>.
      
      Updates golang/go#24485
      
      Change-Id: I10cf24a7f10359b1b4ae63c9bb1946735b98ac9b
      Reviewed-on: https://go-review.googlesource.com/c/crypto/+/185439
      
      Reviewed-by: default avatarMichael Munday <mike.munday@ibm.com>
      85e5e33d