crypto/ed25519: fix TestAllocations in FIPS mode

Change-Id: Ic36e95dba29d43e73ddf105d538c4795bc4ce557 Reviewed-on: https://go-review.googlesource.com/c/go/+/630097 Reviewed-by: Russ Cox <rsc@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2024-11-22 09:14:40 -07:00 · 2024-11-20 16:11:49 +01:00 · 2024-11-20 16:11:49 +01:00 · c483fdbfcf
commit c483fdbfcf
parent 93fcd8fb18
1 changed files with 16 additions and 10 deletions
--- a/src/crypto/internal/fips/ed25519/cast.go
+++ b/src/crypto/internal/fips/ed25519/cast.go
@ -14,19 +14,25 @@ import (

 func fipsPCT(k *PrivateKey) error {
 	return fips.PCT("Ed25519 sign and verify PCT", func() error {
-		msg := []byte("PCT")
-		sig := Sign(k, msg)
-		// Note that this runs pub.a.SetBytes. If we wanted to make key generation
-		// in FIPS mode faster, we could reuse A from GenerateKey. But another thing
-		// that could make it faster is just _not doing a useless self-test_.
-		pub, err := NewPublicKey(k.PublicKey())
-		if err != nil {
-			return err
-		}
-		return Verify(pub, msg, sig)
+		return pairwiseTest(k)
 	})
 }

+// pairwiseTest needs to be a top-level function declaration to let the calls
+// inline and their allocations not escape.
+func pairwiseTest(k *PrivateKey) error {
+	msg := []byte("PCT")
+	sig := Sign(k, msg)
+	// Note that this runs pub.a.SetBytes. If we wanted to make key generation
+	// in FIPS mode faster, we could reuse A from GenerateKey. But another thing
+	// that could make it faster is just _not doing a useless self-test_.
+	pub, err := NewPublicKey(k.PublicKey())
+	if err != nil {
+		return err
+	}
+	return Verify(pub, msg, sig)
+}
+
 func signWithoutSelfTest(priv *PrivateKey, message []byte) []byte {
 	signature := make([]byte, signatureSize)
 	return signWithDom(signature, priv, message, domPrefixPure, "")