From: Chressie Himpel Date: Thu, 3 Feb 2022 18:10:54 +0000 (+0100) Subject: [dev.boringcrypto] all: merge master into dev.boringcrypto X-Git-Tag: go1.19beta1~484^2~28 X-Git-Url: http://www.git.cypherpunks.ru/?a=commitdiff_plain;h=e14fee553a4646d15123caa04f7ca6ddb7b48362;p=gostls13.git [dev.boringcrypto] all: merge master into dev.boringcrypto Change-Id: I18dbf4f9fa7e2334fccedd862a523126cf38164e --- e14fee553a4646d15123caa04f7ca6ddb7b48362 diff --cc src/crypto/ecdsa/ecdsa.go index 4be0026b9a,9f9a09a884..c1dd32a2d8 --- a/src/crypto/ecdsa/ecdsa.go +++ b/src/crypto/ecdsa/ecdsa.go @@@ -41,14 -34,9 +34,14 @@@ import "golang.org/x/crypto/cryptobyte/asn1" ) +import ( + "crypto/internal/boring" + "unsafe" +) + - // A invertible implements fast inverse mod Curve.Params().N + // A invertible implements fast inverse in GF(N). type invertible interface { - // Inverse returns the inverse of k in GF(P) + // Inverse returns the inverse of k mod Params().N. Inverse(k *big.Int) *big.Int } @@@ -120,17 -105,8 +114,17 @@@ func (priv *PrivateKey) Equal(x crypto. // // This method implements crypto.Signer, which is an interface to support keys // where the private part is kept in, for example, a hardware module. Common - // uses should use the Sign function in this package directly. + // uses can use the SignASN1 function in this package directly. func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { + if boring.Enabled && rand == boring.RandReader { + b, err := boringPrivateKey(priv) + if err != nil { + return nil, err + } + return boring.SignMarshalECDSA(b, digest) + } + boring.UnreachableExceptTests() + r, s, err := Sign(rand, priv, digest) if err != nil { return nil, err @@@ -227,15 -194,17 +221,26 @@@ var errZeroParam = errors.New("zero par func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) { randutil.MaybeReadByte(rand) + if boring.Enabled && rand == boring.RandReader { + b, err := boringPrivateKey(priv) + if err != nil { + return nil, nil, err + } + return boring.SignECDSA(b, hash) + } + boring.UnreachableExceptTests() + + // This implementation derives the nonce from an AES-CTR CSPRNG keyed by: + // + // SHA2-512(priv.D || entropy || hash)[:32] + // + // The CSPRNG key is indifferentiable from a random oracle as shown in + // [Coron], the AES-CTR stream is indifferentiable from a random oracle + // under standard cryptographic assumptions (see [Larsson] for examples). + // + // [Coron]: https://cs.nyu.edu/~dodis/ps/merkle.pdf + // [Larsson]: https://web.archive.org/web/20040719170906/https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf + // Get 256 bits of entropy from rand. entropy := make([]byte, 32) _, err = io.ReadFull(rand, entropy) @@@ -319,18 -287,9 +323,18 @@@ func SignASN1(rand io.Reader, priv *Pri } // Verify verifies the signature in r, s of hash using the public key, pub. Its - // return value records whether the signature is valid. + // return value records whether the signature is valid. Most applications should + // use VerifyASN1 instead of dealing directly with r, s. func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { + if boring.Enabled { + b, err := boringPublicKey(pub) + if err != nil { + return false + } + return boring.VerifyECDSA(b, hash, r, s) + } + boring.UnreachableExceptTests() + - // See [NSA] 3.4.2 c := pub.Curve N := c.Params().N diff --cc src/go/build/deps_test.go index 9b5dabf6f1,7f25038d2d..c148f99123 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@@ -426,15 -428,15 +426,15 @@@ var depsRules = < golang.org/x/crypto/curve25519 < crypto/dsa, crypto/elliptic, crypto/rsa < crypto/ecdsa - < CRYPTO-MATH; + < CRYPTO-BORING; - CGO, net !< CRYPTO-MATH; + net !< CRYPTO-BORING; # TLS, Prince of Dependencies. - CRYPTO-MATH, NET, container/list, encoding/hex, encoding/pem + CRYPTO-BORING, NET, container/list, encoding/hex, encoding/pem < golang.org/x/crypto/internal/subtle < golang.org/x/crypto/chacha20 - < golang.org/x/crypto/poly1305 + < golang.org/x/crypto/internal/poly1305 < golang.org/x/crypto/chacha20poly1305 < golang.org/x/crypto/hkdf < crypto/x509/internal/macos