x/crypto/ed25519 moved to the standard library in Go 1.13. This change
drops the compatibility wrapper we were keeping around to make Go 1.12
and earlier work.
Change-Id: I860ed963a0660753d01c89014c21360b239a38ac
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/317169
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Expose the previously private KID field of the Client type. This allows
callers which have locally cached their key identity to avoid needing
to make a call to the ACME service every time they construct a new
client.
Fixesgolang/go#46303
Change-Id: I219167c5b941f56a2028c4bc253ff56386845549
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/354697
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Let's Encrypt is revoking all certificates verified with TLS-ALPN-01
beofre January 26th due to a compliance issue. Detect them and force a
renewal.
Also, fix the tests which were not testing if expired certificates were
renewed anymore, as the test certificates were always invalid due to not
having SANs.
Change-Id: If9d0632b2edfe0b7fb70f6cfd7e65e46e2d047dc
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/381114
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Use a net.Pipe, rather than setting up a local TCP connection,
for testing malformed SSH requests, since we don't need the
complex intricacies of a real connection to test this protocol
behavior.
Fixesgolang/go#50161
Change-Id: I5e46c42041ddd03b06725469216b82b801990e64
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/371874
Reviewed-by: Bryan Mills <bcmills@google.com>
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
This test downloads JSON test files from GitHub. If the network
connection flakes, the test may hang indefinitely, and builders with
flaky network connections might want to avoid unnecessary downloading
anyway.
Fixesgolang/go#50076
Change-Id: I0655a34fce8a003794290c0c82ae75492eda4429
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/370659
Trust: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
When reading GCM and ChaChaPoly1305 packets, don't make assumptions
about the size of the enciphered plaintext. This fixes two panics
caused by standards non-compliant malformed packets.
Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.
Fixesgolang/go#49932
Fixes CVE-2021-43565
Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Update acme/autocert test to not depend on whether idna.Lookup uses
transitional processing (Go 1.17 and earlier) or nontransitional
processing (Go 1.18 and later).
Change-Id: I29ca0aaca0ac75a932919a4c7cf8e9fca033b497
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/364014
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
This change adds support for RSA SHA-2 based signatures for host keys and certificates. It also switches the default certificate signature algorithm for RSA to use SHA-512. This is implemented by treating ssh.Signer specially when the key type is `ssh-rsa` by also allowing SHA-256 and SHA-512 signatures.
Fixesgolang/go#37278
Change-Id: I2ee1ac4ae4c9c1de441a2d6cf1e806357ef18910
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/220037
Trust: Jason A. Donenfeld <Jason@zx2c4.com>
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This test suite should really be completely re-written, but for now
we can just substitute the tests which relied on certificates that
were signed with SHA1-RSA.
Fixes#49443
Change-Id: Ibe4ae3b3062956a56e6e3579144312747df3ef9a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/362334
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Katie Hockman <katie@golang.org>
Let's Encrypt is defaulting to a longer cross-signed chain on May 4th,
2021 but will offer the ability to download the shorter chain via an
alternate URL via a link header [1]. The shorter chain can be selected
to workaround a validation bug in legacy versions of OpenSSL, GnuTLS,
and LibreSSL. The alternate relation is described in section 7.4.2 of
RFC 8555.
ListCertAlternates should be passed the original certificate chain URL
and will return a list of alternate chain URLs that can be passed to
FetchCert to download.
Fixesgolang/go#42437
[1] https://community.letsencrypt.org/t/production-chain-changes/150739
Change-Id: Iaa32e49cb1322ac79ac1a5b4b7980d5401f4b86e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/277294
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
When methods that use POSTs are called on a acme.Client which has a
nil Key field it will cause a deadlock due to an infinite loop in
the code that looks up the account KID. This change adds a check for
the key being nil, and errors out if that is the case. Also adds a
test for this behavior.
Fixesgolang/go#38790
Change-Id: I65ff6bbbade7ed2d85306895904a976089730bbf
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/233164
Trust: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Fixes the referenced issue and removes an unnecessary word.
Change-Id: Icbf8bd26bccbc603e7dd360d817900ac2ca63a69
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/342049
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
The generator submodule needs a module dependency on golang.org/x/crypto
to find the type information it needs.
This removes the Comment call from CL 319469 because it does not seem to
generate the intended output. See golang/go#46155.
Fixesgolang/go#46133
Change-Id: Iec21c6379d81271047ebf370a76329ed3fdac85c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/319471
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
This imports the crypto/ed25519/internal/edwards25519/field package from
CL 276272, and uses it in x/crypto/curve25519.
The ScalarMult code was ported 1:1 from curve25519_generic.go.
old code lines new code lines
Go 896 463
Assembly (manually written) 1772 (1772) 362 (34)
43% performance loss on amd64, 33% loss on 386, and 45% gain on arm64.
Feels worth it to remove 1700 lines of manually written assembly.
Apple M1
name old time/op new time/op delta
X25519Basepoint-8 85.0µs ± 1% 46.4µs ± 0% -45.39% (p=0.000 n=10+9)
X25519-8 84.4µs ± 0% 46.7µs ± 2% -44.76% (p=0.000 n=8+9)
Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz
name old time/op new time/op delta
X25519Basepoint-4 42.6µs ± 1% 60.9µs ± 1% +43.22% (p=0.000 n=9+10)
X25519-4 42.5µs ± 1% 60.9µs ± 0% +43.17% (p=0.000 n=9+9)
Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz [GOARCH=386]
name old time/op new time/op delta
X25519Basepoint-4 530µs ± 1% 703µs ± 1% +32.81% (p=0.000 n=10+10)
X25519-4 530µs ± 1% 706µs ± 1% +33.18% (p=0.000 n=10+10)
Change-Id: I1dc62a6a3a3e417a1366ff873c475087a0395124
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/315269
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
This change was produced using 'go mod tidy -go=1.17'
with a go command built at CL 315210.
This activates lazy loading, and updates the go.mod file to maintain
the lazy-loading invariants (namely, including an explicit requirement
for every package transitively imported by the main module).
Note that this does *not* prevent users with earlier go versions from
successfully building packages from this module.
For golang/go#36460.
Change-Id: I28a6f54b1e41e9e18b726cacba25a52069b8a4e9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/316109
Trust: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Add support for RFC 8555 subproblems. The type naming is real bike-shed
territory, but I think I've mostly matched the existing style of the
package. In a similar vein the format of how to print subproblems
when stringing an acme.Error is up for debate (it could just be
completely ignored, and require clients to inspect Error.Subproblems
themselves).
Fixesgolang/go#38978
Change-Id: Ice803079bab621ae9410de79e7e75e11c1af21b6
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/233165
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
There is some implicit R0 == $0 here which may not be desired.
"CMP $0, Rx" translates to "cmpd r0, rX" which is less preferred
than "cmpdi r0, 0". Likewise, "ADDE $0, Rx" also turns into
"adde R0, Rx, Rx" which can be simplified to a similar instruction
which adds to zero with carry, "ADDZE Rx, Rx".
Change-Id: I5de17ff5b02c7c9d57daf014c7fe9420bfbeeeab
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/311372
Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
Trust: Carlos Eduardo Seo <carlos.seo@linaro.org>
Trust: Lynn Boger <laboger@linux.vnet.ibm.com>
More compliant with the spec and allows autocert to work
with Pebble (see letsencrypt/pebble#304).
Fixesgolang/go#39746.
Change-Id: I0f41d5b41800d57eb53055cad248e50573c6070f
GitHub-Last-Rev: 777115c545
GitHub-Pull-Request: golang/crypto#143
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294389
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).
Not strictly necessary but will avoid spurious changes
as files are edited.
Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild
Change-Id: I70526bf588bf4078887e567795867ece785d666b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294415
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
HMAC-SHA256 is a perfectly fine MAC algorithm, and there is no need to
ask the user to choose one.
This does break compatibility with the previous API, but it had been
live only for a weekend, so hopefully still in a window in which we can
make changes with a limited blast radius.
Updates golang/go#41430
Change-Id: I03741a545b25b9fcc147760cd20e9d7029844a6c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/279453
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: James Kasten <jdkasten@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
The ability to trigger the 'gssapi-with-mic' authentication method is
not properly gated by the presence of the GSSAPIWithMICConfig field of
the ServerConfig type. If this field is not set and a client sends a
'gssapi-with-mic' request, regardless of if the server advertises it,
the server will panic.
This issue was discovered and reported by Joern Schneewesiz, GitLab
Security Research Team.
Fixes CVE-2020-29652
Change-Id: Ie25de2766e442c8ab46680aae3ac89b0823cdeed
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/278852
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
appengine is obsolete and superseded by purego, and gc is a more
precise tag for files that use gc-syntax assembly.
Change-Id: I716f59de772ebeee4adf4d2a432edf300122cef0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/269920
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Uses only the test vectors that use the same MGF and label hashes.
Change-Id: I971f78556e7b8fdbc785978dca7a613728676697
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/234917
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>