[dev.boringcrypto] all: merge master into dev.boringcrypto

author Chressie Himpel <chressie@google.com>

Thu, 3 Feb 2022 18:10:54 +0000 (19:10 +0100)

committer Chressie Himpel <chressie@google.com>

Thu, 3 Feb 2022 18:30:02 +0000 (19:30 +0100)
author Chressie Himpel <chressie@google.com>
Thu, 3 Feb 2022 18:10:54 +0000 (19:10 +0100)
committer Chressie Himpel <chressie@google.com>
Thu, 3 Feb 2022 18:30:02 +0000 (19:30 +0100)
diff --cc src/cmd/compile/internal/amd64/versions_test.go
Simple merge
diff --cc src/cmd/compile/internal/reflectdata/reflect.go
Simple merge
diff --cc src/cmd/go/go_test.go
Simple merge
diff --cc src/cmd/go/internal/load/pkg.go
Simple merge
diff --cc src/cmd/link/internal/ld/lib.go
Simple merge
diff --cc src/crypto/ecdsa/ecdsa.go

index 4be0026b9a5dc4914041c13bf741e9d42084a678,9f9a09a8842f3172b0c11aae171871db6c0f3921..c1dd32a2d803be0ccdbdadff36d1defcfe4336e5
--- 1/src/crypto/ecdsa/ecdsa.go
--- 2/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@@ -41,14 -34,9 +34,14 @@@ import 
         "golang.org/x/crypto/cryptobyte/asn1"
   )
   
- // A invertible implements fast inverse mod Curve.Params().N
+ +import (
+ +      "crypto/internal/boring"
+ +      "unsafe"
+ +)
+ +
+ // A invertible implements fast inverse in GF(N).
   type invertible interface {
-       // Inverse returns the inverse of k in GF(P)
+       // Inverse returns the inverse of k mod Params().N.
         Inverse(k *big.Int) *big.Int
   }
   
@@@ -120,17 -105,8 +114,17 @@@ func (priv *PrivateKey) Equal(x crypto.
   //
   // This method implements crypto.Signer, which is an interface to support keys
   // where the private part is kept in, for example, a hardware module. Common
- // uses should use the Sign function in this package directly.
+ // uses can use the SignASN1 function in this package directly.
   func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+ +      if boring.Enabled && rand == boring.RandReader {
+ +              b, err := boringPrivateKey(priv)
+ +              if err != nil {
+ +                      return nil, err
+ +              }
+ +              return boring.SignMarshalECDSA(b, digest)
+ +      }
+ +      boring.UnreachableExceptTests()
+ +
         r, s, err := Sign(rand, priv, digest)
         if err != nil {
                 return nil, err
@@@ -227,15 -194,17 +221,26 @@@ var errZeroParam = errors.New("zero par
   func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
         randutil.MaybeReadByte(rand)
   
+ +      if boring.Enabled && rand == boring.RandReader {
+ +              b, err := boringPrivateKey(priv)
+ +              if err != nil {
+ +                      return nil, nil, err
+ +              }
+ +              return boring.SignECDSA(b, hash)
+ +      }
+ +      boring.UnreachableExceptTests()
+ +
+       // This implementation derives the nonce from an AES-CTR CSPRNG keyed by:
+       //
+       //    SHA2-512(priv.D || entropy || hash)[:32]
+       //
+       // The CSPRNG key is indifferentiable from a random oracle as shown in
+       // [Coron], the AES-CTR stream is indifferentiable from a random oracle
+       // under standard cryptographic assumptions (see [Larsson] for examples).
+       //
+       // [Coron]: https://cs.nyu.edu/~dodis/ps/merkle.pdf
+       // [Larsson]: https://web.archive.org/web/20040719170906/https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf
+ 
         // Get 256 bits of entropy from rand.
         entropy := make([]byte, 32)
         _, err = io.ReadFull(rand, entropy)
@@@ -319,18 -287,9 +323,18 @@@ func SignASN1(rand io.Reader, priv *Pri
   }
   
   // Verify verifies the signature in r, s of hash using the public key, pub. Its
- // return value records whether the signature is valid.
+ // return value records whether the signature is valid. Most applications should
+ // use VerifyASN1 instead of dealing directly with r, s.
   func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
-       // See [NSA] 3.4.2
+ +      if boring.Enabled {
+ +              b, err := boringPublicKey(pub)
+ +              if err != nil {
+ +                      return false
+ +              }
+ +              return boring.VerifyECDSA(b, hash, r, s)
+ +      }
+ +      boring.UnreachableExceptTests()
+ +
         c := pub.Curve
         N := c.Params().N
   
diff --cc src/crypto/tls/cipher_suites.go
Simple merge
diff --cc src/crypto/tls/common.go
Simple merge
diff --cc src/crypto/tls/handshake_client.go
Simple merge
diff --cc src/crypto/tls/handshake_messages_test.go
Simple merge
diff --cc src/crypto/tls/handshake_server.go
Simple merge
diff --cc src/crypto/x509/verify.go
Simple merge
diff --cc src/go/build/build.go
Simple merge
diff --cc src/go/build/deps_test.go

index 9b5dabf6f144156d8f0e5be05058470bf876b9ae,7f25038d2d09da29f507b8c750611033e0cc05ab..c148f99123d63985da3d6be7560a908eb6d0c010
--- 1/src/go/build/deps_test.go
--- 2/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@@ -426,15 -428,15 +426,15 @@@ var depsRules = 
         < golang.org/x/crypto/curve25519
         < crypto/dsa, crypto/elliptic, crypto/rsa
         < crypto/ecdsa
- -      < CRYPTO-MATH;
+ +      < CRYPTO-BORING;
   
- -      CGO, net !< CRYPTO-MATH;
+ +      net !< CRYPTO-BORING;
   
         # TLS, Prince of Dependencies.
- -      CRYPTO-MATH, NET, container/list, encoding/hex, encoding/pem
+ +      CRYPTO-BORING, NET, container/list, encoding/hex, encoding/pem
         < golang.org/x/crypto/internal/subtle
         < golang.org/x/crypto/chacha20
-       < golang.org/x/crypto/poly1305
+       < golang.org/x/crypto/internal/poly1305
         < golang.org/x/crypto/chacha20poly1305
         < golang.org/x/crypto/hkdf
         < crypto/x509/internal/macos
diff --cc src/runtime/race/testdata/mop_test.go
Simple merge
author	Chressie Himpel <chressie@google.com>
	Thu, 3 Feb 2022 18:10:54 +0000 (19:10 +0100)
committer	Chressie Himpel <chressie@google.com>
	Thu, 3 Feb 2022 18:30:02 +0000 (19:30 +0100)
		1	2
src/cmd/compile/internal/amd64/versions_test.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/cmd/compile/internal/reflectdata/reflect.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/cmd/go/go_test.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/cmd/go/internal/load/pkg.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/cmd/link/internal/ld/lib.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/ecdsa/ecdsa.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/tls/cipher_suites.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/tls/common.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/tls/handshake_client.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/tls/handshake_messages_test.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/tls/handshake_server.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/crypto/x509/verify.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/go/build/build.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/go/build/deps_test.go	patch \|	diff1 \|	diff2 \|	blob \| history
src/runtime/race/testdata/mop_test.go	patch \|	diff1 \|	diff2 \|	blob \| history