decrypt: reduced the number of copy calls from 2n to 1.
encrypt: reduced the number of copy calls from n to 1.
Encryption is straight-forward: use dst instead of tmp when
xoring the block with the iv.
Decryption now loops backwards through the blocks abusing the
fact that the previous block's ciphertext (src) is the iv. This
means we don't need to copy the iv every time, in addition to
using dst instead of tmp like encryption.
R=golang-codereviews, agl, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/50900043
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.
Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.
We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.
[1] https://tools.ietf.org/search/rfc5746
R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
Unbreak the build - we do not have a sha512 block implementation in
386 assembly (yet).
R=golang-codereviews, dave
CC=golang-codereviews
https://golang.org/cl/48520043
Usually when a message is signed it's first hashed because RSA has low
limits on the size of messages that it can sign. However, some
protocols sign short messages directly. This isn't a great idea because
the messages that can be signed suddenly depend on the size of the RSA
key, but several people on golang-nuts have requested support for
this and it's very easy to do.
R=golang-codereviews, rsc
CC=golang-codereviews
https://golang.org/cl/44400043
Use copy rather than a hand rolled loop when moving a partial input
block to the scratch area. This results in a reasonable performance
gain when partial blocks are written.
Benchmarks on Intel(R) Xeon(R) CPU X5650 @ 2.67GHz with Go amd64:
benchmark old MB/s new MB/s speedup
SHA1 BenchmarkHash8Bytes 18.37 22.80 1.24x
SHA256 BenchmarkHash8Bytes 11.86 13.78 1.16x
SHA512 BenchmarkHash8Bytes 4.51 5.24 1.16x
benchmark old ns/op new ns/op delta
SHA1 BenchmarkHash8Bytes 435 350 -19.54%
SHA256 BenchmarkHash8Bytes 674 580 -13.95%
SHA512 BenchmarkHash8Bytes 1772 1526 -13.88%
R=agl, dave, bradfitz
CC=golang-codereviews
https://golang.org/cl/35840044
The practice of storing reference connections for testing has worked
reasonably well, but the large blocks of literal data in the .go files
is ugly and updating the tests is a real problem because their number
has grown.
This CL changes the way that reference tests work. It's now possible to
automatically update the tests and the test data is now stored in
testdata/. This should make it easier to implement changes that affect
all connections, like implementing the renegotiation extension.
R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/42060044
Since SHA-256 is now the default hash function, x509 should import it
otherwise some programs may fail because it hasn't been linked in.
R=golang-dev, dave, minux.ma
CC=golang-dev
https://golang.org/cl/44010047
Previously the hash used when signing an X.509 certificate was fixed
and, for RSA, it was fixed to SHA1. Since Microsoft have announced the
deprecation of SHA1 in X.509 certificates, this change switches the
default to SHA256.
It also allows the hash function to be controlled by the caller by
setting the SignatureAlgorithm field of the template.
[1] http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspxFixes#5302.
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/40720047
The set of certs fetched via exec'ing `security` is not quite identical
to the certs fetched via the cgo call. The cgo fetch includes
any trusted root certs that the user may have added; exec does not.
The exec fetch includes an Apple-specific root cert; the cgo fetch
does not. Other than that, they appear to be the same.
Unfortunately, os/exec depends on crypto/x509, via net/http. Break the
circular dependency by moving the exec tests to their own package.
This will not work in iOS; we'll cross that bridge when we get to it.
R=golang-dev, minux.ma, agl
CC=golang-dev
https://golang.org/cl/22020045
NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.
This change randomises the serial numbers in the certificates generated by
generate_cert.go.
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
a073d65e6f8c had a couple of bugs in the CFB mode that I missed in code review:
1) The loop condition wasn't updated from the old version.
2) It wasn't safe when src and dst aliased.
Fixes#6950.
R=golang-dev, hanwen
CC=golang-dev
https://golang.org/cl/42110043
According to Wikipedia: http://en.wikipedia.org/wiki/SHA-1
there is an alternate formulation for the FUNC1 transform,
namely
f1 = d xor (b and (c xor d))
instead of
f1 = (b and c) or ((not b) and d)
This reduces the instruction count of FUNC1 from 6 to 4 and
makes about 5% speed improvement on amd64 and suprisingly 17%
on 386.
amd64 Intel(R) Core(TM) i7 CPU Q 820 @ 1.73GHz:
benchmark old ns/op new ns/op delta
BenchmarkHash8Bytes 506 499 -1.38%
BenchmarkHash1K 3099 2961 -4.45%
BenchmarkHash8K 22292 21243 -4.71%
benchmark old MB/s new MB/s speedup
BenchmarkHash8Bytes 15.80 16.00 1.01x
BenchmarkHash1K 330.40 345.82 1.05x
BenchmarkHash8K 367.48 385.63 1.05x
i386 Intel(R) Core(TM) i7 CPU Q 820 @ 1.73GHz:
benchmark old ns/op new ns/op delta
BenchmarkHash8Bytes 647 615 -4.95%
BenchmarkHash1K 3673 3161 -13.94%
BenchmarkHash8K 26141 22374 -14.41%
benchmark old MB/s new MB/s speedup
BenchmarkHash8Bytes 12.35 13.01 1.05x
BenchmarkHash1K 278.74 323.94 1.16x
BenchmarkHash8K 313.37 366.13 1.17x
The improvements on an Intel(R) Core(TM) i7-4770K CPU @
3.50GHz were almost identical.
R=golang-dev, r, hanwen
CC=golang-dev, rsc
https://golang.org/cl/19910043
The counter is not secret, so the code does not need to be
constant time.
benchmark old MB/s new MB/s speedup
BenchmarkAESGCMSeal1K 89.90 92.84 1.03x
BenchmarkAESGCMOpen1K 89.16 92.30 1.04x
R=agl
CC=golang-dev
https://golang.org/cl/40690046
(Reporter wasn't able to provide a certificate chain that uses this
feature for testing.)
Fixes#6831
R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/40340043
The code was requiring that all constraints be met, but it should be
satisfied by meeting *any* of them.
R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/15570044
Despite SHA256 support being required for TLS 1.2 handshakes, some
servers are aborting handshakes that don't offer SHA1 support.
This change adds support for signing TLS 1.2 ServerKeyExchange messages
with SHA1. It does not add support for signing TLS 1.2 client
certificates with SHA1 as that would require the handshake to be
buffered.
Fixes#6618.
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/15650043
Ticket 13740047 updated the documented TLS version to 1.2.
This also updates the RFC refered to.
R=golang-dev
CC=golang-dev, rsc
https://golang.org/cl/14029043
AES-GCM cipher suites are only defined for TLS 1.2, although there's
nothing really version specific about them. However, development
versions of NSS (meaning Firefox and Chrome) have an issue where
they'll advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello
but then balk when the server selects one.
This change causes Go clients not to advertise TLS 1.2 cipher suites
unless TLS 1.2 is being used, and prevents servers from selecting them
unless TLS 1.2 has been negotiated.
https://code.google.com/p/chromium/issues/detail?id=297151https://bugzilla.mozilla.org/show_bug.cgi?id=919677
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13573047
47ec7a68b1a2 added support for ECDSA ciphersuites but didn't alter the
cipher suite selection to take that into account. Thus Go servers could
try and select an ECDSA cipher suite while only having an RSA
certificate, leading to connection failures.
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13239053
With TLS 1.2, when sending client certificates the code was omitting
the new (in TLS 1.2) signature and hash fields.
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/13413050
The public key serialization from CreateCertificate is factored out to be
used in MarshalPKIXPublicKey.
Testcode with one P224 ECDSA keypair has been added.
R=golang-dev, agl
CC=agl, golang-dev
https://golang.org/cl/13427044
This change allows people who want to parse or set odd X.509 extensions
to do so without having to add support for them all to the package.
I tried to make it so that only a single member: Extensions would be
needed. However, that would mean detecting when the caller had altered
the contents of it so that parsing and marshaling a certificate
wouldn't ignore all changes to the other members. This ended up being
messy, thus the current design where there are two members: one for
reading and another for writing.
As crypto/x509 adds support for more extensions in the future, the raw
extensions will still be in Extensions for older code that expects it
there. Also, future extensions will be overridden by any raw extensions
added to ExtraExtensions by code that was written before support was
added.
R=golang-dev, r
CC=golang-dev, jpsugar
https://golang.org/cl/12056043
AES-GCM is the only current TLS ciphersuite that doesn't have
cryptographic weaknesses (RC4), nor major construction issues (CBC mode
ciphers) and has some deployment (i.e. not-CCM).
R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/13249044
In the event that code tries to use a hash function that isn't compiled
in and panics, give the developer a fighting chance of figuring out
which hash function it needed.
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/12420045
This patch introduces specialized functions for initial
and final permutations, and precomputes the output of the
third permutation on the S-box elements.
benchmark old ns/op new ns/op delta
BenchmarkEncrypt 3581 1226 -65.76%
BenchmarkDecrypt 3590 1224 -65.91%
benchmark old MB/s new MB/s speedup
BenchmarkEncrypt 2.23 6.52 2.92x
BenchmarkDecrypt 2.23 6.53 2.93x
R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/12072045
