From: Filippo Valsorda
Date: Fri, 4 Aug 2023 13:47:36 +0000 (+0200)
Subject: doc/go1.21: update crypto release notes
X-Git-Tag: go1.22rc1~1414
X-Git-Url: http://www.git.cypherpunks.ru/?a=commitdiff_plain;h=c0eea2d16dc944305927de06e2a9f6bdc92b4697;p=gostls13.git

doc/go1.21: update crypto release notes

Left out the following commits that felt more bug-fixy.

* f0de4b4f03 - crypto/x509: fix certificate validation with FQDN on Windows
* 20e08fe68c - crypto/tls: advertise correct ciphers in TLS 1.3 only mode
* 295c237b4d - crypto/tls: enforce 1.3 record version semantics

Change-Id: Idd38b5c6897130424a0e8b857f371d7d384fc143
Reviewed-on: https://go-review.googlesource.com/c/go/+/515955
Reviewed-by: Roland Shoemaker
TryBot-Result: Gopher Robot
Reviewed-by: Dmitri Shuralyov
Run-TryBot: Filippo Valsorda
Auto-Submit: Filippo Valsorda
---

diff --git a/doc/go1.21.html b/doc/go1.21.html
index a31956869e..3e98e1fa15 100644
--- a/doc/go1.21.html
+++ b/doc/go1.21.html
@@ -488,6 +488,17 @@ Do not send CLs removing the interior tags from such phrases. + +
crypto/ecdsa
+
+

+ PublicKey.Equal and + PrivateKey.Equal + now execute in constant time. +

+
+
+
crypto/elliptic

@@ -512,6 +523,11 @@ Do not send CLs removing the interior tags from such phrases.

Due to the addition of private fields to PrecomputedValues, PrivateKey.Precompute must be called for optimal performance even if deserializing (for example from JSON) a previously-precomputed private key.

+

+ PublicKey.Equal and + PrivateKey.Equal + now execute in constant time. +

The GenerateMultiPrimeKey function and the PrecomputedValues.CRTValues field have been deprecated. PrecomputedValues.CRTValues will still be populated when PrivateKey.Precompute is called, but the values will not be used during decryption operations.

@@ -533,6 +549,16 @@ Do not send CLs removing the interior tags from such phrases.
crypto/tls
+

+ Servers now skip verifying client certificates (including not running + Config.VerifyPeerCertificate) + for resumed connections, besides checking the expiration time. This makes + session tickets larger when client certificates are in use. Clients were + already skipping verification on resumption, but now check the expiration + time even if Config.InsecureSkipVerify + is set. +

+

Applications can now control the content of session tickets.

    @@ -548,7 +574,7 @@ Do not send CLs removing the interior tags from such phrases.
  • The Config.WrapSession and Config.UnwrapSession - hooks convert a SessionState to and from a ticket. + hooks convert a SessionState to and from a ticket on the server side.
  • The Config.EncryptTicket @@ -560,25 +586,31 @@ Do not send CLs removing the interior tags from such phrases. The ClientSessionState.ResumptionState method and NewResumptionState function may be used by a ClientSessionCache implementation to store and - resume sessions. + resume sessions on the client side.

+

+ To reduce the potential for session tickets to be used as a tracking + mechanism across connections, the server now issues new tickets on every + resumption (if they are supported and not disabled) and tickets don't bear + an identifier for the key that encrypted them anymore. If passing a large + number of keys to Conn.SetSessionTicketKeys, + this might lead to a noticeable performance cost. +

+

- The package now supports the extended master secret extension (RFC 7627), - and enables it by default. Additionally, the deprecation of - ConnectionState.TLSUnique - has been reverted, and it is populated when a connection which uses - extended master secret is resumed. Session tickets produced by - Go pre-1.21 are not interoperable with Go 1.21, meaning connections - resumed across versions will fall back to full handshakes. + Both clients and servers now implement the Extended Master Secret extension (RFC 7627). + The deprecation of ConnectionState.TLSUnique + has been reverted, and is now set for resumed connections that support Extended Master Secret.

The new QUICConn type - provides support for QUIC implementations. Note that this is not itself - a QUIC implementation. + provides support for QUIC implementations, including 0-RTT support. Note + that this is not itself a QUIC implementation, and 0-RTT is still not + supported in TLS.

@@ -588,8 +620,8 @@ Do not send CLs removing the interior tags from such phrases.

The TLS alert codes sent from the server for client authentication failures have - been improved. Prior to Go 1.21, these failures always resulted in a "bad certificate" alert. - Starting from Go 1.21, certain failures will result in more appropriate alert codes, + been improved. Previously, these failures always resulted in a "bad certificate" alert. + Now, certain failures will result in more appropriate alert codes, as defined by RFC 5246 and RFC 8446: