mirror of https://github.com/golang/go synced 2024-11-23 22:20:02 -07:00
Commit Graph

54938 Commits

Author SHA1 Message Date
Damien Neil
7a00f973a5 archive/tar, archive/zip: disable ErrInsecurePath by default
This change is being made late in the release cycle.
Disable it by default. Insecure path checks may be enabled by setting
GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0.
We can enable this by default in Go 1.21 after publicizing the change
more broadly and giving users a chance to adapt to the change.

For #55356.

Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/452616
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
2022-11-22 18:11:34 +00:00
Cherry Mui
28911b2891 all: update vendored golang.org/x dependencies for Go 1.20 release
The Go 1.20 code freeze has recently started. This is a time to update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

This CL updates them with x/build/cmd/updatestd.

For #36905.

Change-Id: Ie0ec91daeb848f00f64686003012297161ad02fa
Reviewed-on: https://go-review.googlesource.com/c/go/+/452766
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2022-11-22 17:16:14 +00:00
Than McIntosh
9160e15494 cmd/dist: skip -race w/ external linkage on windows 2008
Add a skip for the external-linkage part of the race detector test for
elderly versions of windows, until the underlying cause for the problem
can be determined.

Updates #56904.

Change-Id: I3e8650ff66f34efefabcd6bc343d57124539901b
Reviewed-on: https://go-review.googlesource.com/c/go/+/452763
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Than McIntosh <thanm@google.com>
Auto-Submit: Than McIntosh <thanm@google.com>
2022-11-22 16:07:28 +00:00
Bryan C. Mills
5c9a506de1 cmd/go: remove special case for prebuilt cgo library cache keys
This was an oversight from CL 452457 that I noticed while
investigating #56889.

This change essentially undoes CL 335409, which is no longer needed
after CL 450739 because we no longer attempt to use cgo by default
when no C compiler is present.

Updates #47257.
Updates #40042.
Updates #47215.

Change-Id: I29c7ce777a9ec7ba5820dc1d836b12a61b86bc37
Reviewed-on: https://go-review.googlesource.com/c/go/+/452677
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
2022-11-22 15:58:43 +00:00
Bryan C. Mills
5b1b080ca5 cmd/dist: skip the staleness check for 'cmd' when testing on aix-ppc64
The gcc toolchain on the aix-ppc64 builder apparently does not achieve
reproducible builds for packages that use cgo, which causes the
binaries in cmd that use package "net" (cmd/go, cmd/pprof, and
cmd/trace) to appear stale whenever the Go build cache is cleared.

For now, we work around the staleness by rebuilding std and simply not
checking whether cmd is stale.

For #56896.
Updates #47257.

Change-Id: I15f86e72dee53904b881710d5d5d613872361510
Reviewed-on: https://go-review.googlesource.com/c/go/+/452680
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Ayappan Perumal <ayappanec@gmail.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-22 15:58:21 +00:00
Bryan C. Mills
6ca3acc370 cmd/go: in TestScript/mod_outside, run 'go build' before checking cmd/addr2line staleness
If the build cache is cleaned (using 'go clean -cache' or similar), or
if a toolchain is freshly installed without warming the cache, the
build cache might not contain the dependencies needed to verify that
cmd/addr2line is not stale. In that case, the test should refill the
cache instead of failing.

Fixes #56889.

Change-Id: Ic6cf13b92bafa9c795e50eb0e4e1a9ae00ee8538
Reviewed-on: https://go-review.googlesource.com/c/go/+/452458
Auto-Submit: Bryan Mills <bcmills@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2022-11-22 15:58:18 +00:00
Russ Cox
86ede17272 doc/go1.20: document math/rand autoseed and deprecation of Seed
Change-Id: Ie557f3841781ac47f4044a395106a2e5b13e9695
Reviewed-on: https://go-review.googlesource.com/c/go/+/452561
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
2022-11-22 15:56:48 +00:00
Russ Cox
08c611b127 doc/go1.20: document bootstrap requirements (Go 1.20 needs Go 1.17.13)
Change-Id: I806bc79e5b5c7b57750d4a4b39828add86a34635
Reviewed-on: https://go-review.googlesource.com/c/go/+/452560
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
2022-11-22 15:56:33 +00:00
Russ Cox
9efc5a5237 cmd/go: document new architecture feature build tags
Also mention in release notes.

Change-Id: Ifddfc6d2fdaae07c0774ad917838b0fdf9c0b0fe
Reviewed-on: https://go-review.googlesource.com/c/go/+/452559
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
2022-11-22 14:09:24 +00:00
Filippo Valsorda
6a72514076 crypto/internal/boring: tolerate empty ECDSA signatures
VerifyASN1 became directly reachable without encoding/decoding in
CL 353849, so it's now possible for the signature to be empty.

Change-Id: I37d6400945ab541120180bf73335e0ec93322947
Reviewed-on: https://go-review.googlesource.com/c/go/+/452635
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-22 03:11:31 +00:00
Robert Findley
f41fdc1267 doc/go1.20: document changes to the loopclosure vet analysis
Address the release notes TODO regarding the loopclosure analyzer,
documenting the new warning for parallel subtests.

In doing so, choose a structure for the vet section, opting for h4
headings. In recent years, we have used either h4 headings or simple
paragraphs to document vet changes. This year, I thought it worthwhile
to put the timeformat and loopclosure changes into separate sections.

Also document the improvements to reference capture detection introduced
in CL 452615.

Change-Id: I05886f7025d66bb7f2609f787f69d1a769ca6f5e
Reviewed-on: https://go-review.googlesource.com/c/go/+/450735
Run-TryBot: Robert Findley <rfindley@google.com>
Reviewed-by: Tim King <taking@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-22 02:52:19 +00:00
Bryan C. Mills
14a41387ac misc/cgo/testcshared: reapply CL 451816
I accidentally reverted its edits with a bad cherry-pick in CL 452457.

This should re-fix the windows-.*-newcc builders that regressed at
that change.

Updates #47257.
Updates #35006.
Updates #53540.

Change-Id: I5818416af7c4c8c1593c36aa0198331b42b6c7d7
Reviewed-on: https://go-review.googlesource.com/c/go/+/452675
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-22 02:27:05 +00:00
Matthew Dempsky
152119990f cmd/compile: add -d=inlstaticinit debug flag
This CL adds -d=inlstaticinit to control whether static initialization
of inlined function calls (added in CL 450136) is allowed.

We've needed to fix it once already (CL 451555) and Google-internal
testing is hitting additional failure cases, so putting this
optimization behind a feature flag seems appropriate regardless.

Also, while we diagnose and fix the remaining cases, this CL also
disables the optimization to avoid miscompilations.

Updates #56894.

Change-Id: If52a358ad1e9d6aad1c74fac5a81ff9cfa5a3793
Reviewed-on: https://go-review.googlesource.com/c/go/+/452676
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
2022-11-22 01:42:49 +00:00
Tim King
1c9eba19d5 cmd: update golang.org/x/tools to 3b9d20c521
To pick up CL 452155.

Done by
        go get -d golang.org/x/tools@master
        go mod tidy
        go mod vendor

Change-Id: I4dba4ba9f17123cfe567704b0d5e5fc16f9ffd83
Reviewed-on: https://go-review.googlesource.com/c/go/+/452615
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-21 22:49:25 +00:00
Bryan C. Mills
7656cba9cc cmd/go: do not install .a files for packages in std
As of CL 450739, we do not need install targets for cgo files when a C
compiler is not present because cgo is not enabled by default.
(Without a C compiler, builds will proceed with cgo disabled.)

Fixes #47257.
Fixes #56888.

Change-Id: I274c50a60b5b1382e291df86a5464da8ad3695a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/452457
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-21 22:43:41 +00:00
Russ Cox
d58f2e741c doc: document more cgo, go command changes
Also document new cgo changes and reorder go command
section to put most important notes first.

Change-Id: I45b0c785bd8bc82c3b174800fc995312ea057f14
Reviewed-on: https://go-review.googlesource.com/c/go/+/452557
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
2022-11-21 22:21:04 +00:00
Egon Elbre
995c0f310c crypto/{sha512,sha256,sha1}: reduce Write calls in Sum
crypto/sha512:

    name                  old time/op    new time/op    delta
    Hash8Bytes/New-32        297ns ± 1%     288ns ± 1%  -3.09%  (p=0.000 n=10+10)
    Hash8Bytes/Sum384-32     288ns ± 1%     282ns ± 1%  -2.16%  (p=0.000 n=10+9)
    Hash8Bytes/Sum512-32     287ns ± 1%     278ns ± 1%  -3.18%  (p=0.000 n=9+10)
    Hash1K/New-32           2.12µs ± 0%    2.11µs ± 1%    ~     (p=0.189 n=9+10)
    Hash1K/Sum384-32        2.13µs ± 1%    2.11µs ± 1%  -1.07%  (p=0.006 n=10+10)
    Hash1K/Sum512-32        2.12µs ± 1%    2.11µs ± 1%    ~     (p=0.209 n=10+10)
    Hash8K/New-32           14.9µs ± 1%    14.9µs ± 1%    ~     (p=0.469 n=10+10)
    Hash8K/Sum384-32        15.0µs ± 1%    14.9µs ± 1%    ~     (p=0.725 n=10+10)
    Hash8K/Sum512-32        14.9µs ± 1%    15.0µs ± 1%    ~     (p=0.684 n=10+10)

crypto/sha256:

    name                  old time/op    new time/op    delta
    Hash8Bytes/New-32        190ns ± 1%     188ns ± 2%  -1.23%  (p=0.002 n=10+10)
    Hash8Bytes/Sum224-32     198ns ± 1%     190ns ± 1%  -4.07%  (p=0.000 n=10+10)
    Hash8Bytes/Sum256-32     196ns ± 1%     183ns ± 1%  -6.33%  (p=0.000 n=10+10)
    Hash1K/New-32           2.35µs ± 1%    2.35µs ± 2%    ~     (p=0.897 n=10+10)
    Hash1K/Sum224-32        2.38µs ± 1%    2.38µs ± 2%    ~     (p=0.363 n=10+10)
    Hash1K/Sum256-32        2.38µs ± 1%    2.37µs ± 1%    ~     (p=0.203 n=10+9)
    Hash8K/New-32           17.3µs ± 1%    17.3µs ± 1%    ~     (p=0.971 n=10+10)
    Hash8K/Sum224-32        17.6µs ± 1%    17.6µs ± 1%    ~     (p=0.726 n=10+10)
    Hash8K/Sum256-32        17.6µs ± 2%    17.6µs ± 1%    ~     (p=0.541 n=10+10)

crypto/sha1:

    name                 old time/op    new time/op    delta
    Hash8Bytes/New-32       140ns ± 2%     134ns ± 1%  -4.26%  (p=0.000 n=10+10)
    Hash8Bytes/Sum-32       136ns ± 1%     132ns ± 1%  -2.41%  (p=0.000 n=10+10)
    Hash320Bytes/New-32     552ns ± 1%     550ns ± 1%    ~     (p=0.211 n=10+9)
    Hash320Bytes/Sum-32     559ns ± 1%     560ns ± 2%    ~     (p=0.477 n=9+9)
    Hash1K/New-32          1.15µs ± 1%    1.15µs ± 1%    ~     (p=0.588 n=9+10)
    Hash1K/Sum-32          1.16µs ± 2%    1.15µs ± 1%    ~     (p=0.078 n=10+10)
    Hash8K/New-32          7.53µs ± 1%    7.58µs ± 3%    ~     (p=0.382 n=10+10)
    Hash8K/Sum-32          7.54µs ± 1%    7.55µs ± 1%    ~     (p=0.404 n=10+10)

Change-Id: I3fc06c9009f2eabc739102c14648ef93ea6783b4
Reviewed-on: https://go-review.googlesource.com/c/go/+/436917
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2022-11-21 22:16:06 +00:00
David Chase
089dcd7b07 cmd/dist: add serial/small build option for GOMAXPROCS=1
If GOMAXPROCS=1, force serial execution, which is better for
debugging build problems and also minimizes footprint, if that
happens to matter.

This wasn't good when the bootstrap was 1.4 because there the
default was GOMAXPROCS=1, but that is no longer the bootstrap
version.

Change-Id: I637e25c8acb4758795fceef63921eda359a7be29
Reviewed-on: https://go-review.googlesource.com/c/go/+/452556
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2022-11-21 21:55:53 +00:00
Damien Neil
85a2c19b32 archive/tar, archive/zip: disable insecure file name checks with GODEBUG
Add GODEBUG=tarinsecurepath=1 and GODEBUG=zipinsecurepath=1 settings
to disable file name validation.

For #55356.

Change-Id: Iaacdc629189493e7ea3537a81660215a59dd40a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/452495
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
2022-11-21 21:14:38 +00:00
Robert Griesemer
f60c77026b go/types, types2: report empty type sets in operand descriptions
This leads to better error messages where operations are not
permitted because of empty type sets.

Fixes #51525.

Change-Id: I8d15645e2aff5145e458bdf9aaa4d2bee28d37fa
Reviewed-on: https://go-review.googlesource.com/c/go/+/452535
Auto-Submit: Robert Griesemer <gri@google.com>
Reviewed-by: Robert Findley <rfindley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Robert Griesemer <gri@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
2022-11-21 21:08:22 +00:00
Matthew Dempsky
840b346c5d cmd/compile: reject anonymous interface cycles
This CL changes cmd/compile to reject anonymous interface cycles like:

	type I interface { m() interface { I } }

We don't anticipate any users to be affected by this change in
practice. Nonetheless, this CL also adds a `-d=interfacecycles`
compiler flag to suppress the error. And assuming no issue reports
from users, we'll move the check into go/types and types2 instead.

Updates #56103.

Change-Id: I1f1dce2d7aa19fb388312cc020e99cc354afddcb
Reviewed-on: https://go-review.googlesource.com/c/go/+/445598
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Matthew Dempsky <mdempsky@google.com>
2022-11-21 20:15:23 +00:00
Cherry Mui
199d77aff0 cmd/dist: stop trying to access runtime/internal/sys.a in debug mode
Now that we don't install the .a files, the installed
runtime/internal/sys.a no longer exists. Stop trying to access it.

Change-Id: Ic437e7ad95be6109d0b2fcfb81e840f5cb476be8
Reviewed-on: https://go-review.googlesource.com/c/go/+/451360
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-by: Austin Clements <austin@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
2022-11-21 20:00:40 +00:00
Robert Griesemer
1fdae32407 go/types, types2: better variable names, cleanups in test
For #54258.

Change-Id: Ib0d326af2719bca1579f84c125f6573f87dce982
Reviewed-on: https://go-review.googlesource.com/c/go/+/452455
Run-TryBot: Robert Findley <rfindley@google.com>
Auto-Submit: Robert Griesemer <gri@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Robert Findley <rfindley@google.com>
Run-TryBot: Robert Griesemer <gri@google.com>
2022-11-21 18:58:33 +00:00
Cherry Mui
60be2b4656 go/types, cmd/compile: skip crypto/internal/bigmod/_asm in TestStdlib
Similar to CL 317869, apply to a newly added directory.

Maybe we should skip all directories starting with "_"?

Updates #46027.

Change-Id: Idcb011fda877c9f2cb3032524bebfcc0c1da70b2
Reviewed-on: https://go-review.googlesource.com/c/go/+/452437
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2022-11-21 17:46:02 +00:00
Martin Möhrmann
998949c09b cmd/dist: update to assume Go 1.17.13 as minimal Go bootstrap version
Replace explicit Go version names where possible with generic reference
to Go bootstrap version.

Updates #44505

Change-Id: I4a6439576efd40e72acd26fcc1472a1a8b0b06e7
Reviewed-on: https://go-review.googlesource.com/c/go/+/344330
Auto-Submit: Martin Möhrmann <martin@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Martin Möhrmann <moehrmann@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-21 17:16:41 +00:00
Than McIntosh
d6859465e5 testing: skip TestVectoredHandlerExceptionInNonGoThread on windows-amd64-2012-*
Modify skip rule for TestVectoredHandlerExceptionInNonGoThread to
trigger on both the base builder (windows-amd64-2012) and the newcc
canary builder (windows-amd64-2012-newcc).

Updates #49681.

Change-Id: I58109fc2e861b943cb66be0feec348671be84ab3
Reviewed-on: https://go-review.googlesource.com/c/go/+/452436
Run-TryBot: Than McIntosh <thanm@google.com>
Auto-Submit: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2022-11-21 17:11:59 +00:00
qmuntal
3732a17806 cmd/go,internal/platform: enable pie buildmode for windows/arm64
This CL adds windows/arm64 to the list of ports that support PIE
build mode. It is probably an oversight that this port is not marked
as pie-capable because windows/arm64 only supports PIE build mode.

Fixes #56872

Change-Id: I2bdd3ac207280f47ddcf8c2582f13025dafb9278
Reviewed-on: https://go-review.googlesource.com/c/go/+/452415
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-21 16:49:48 +00:00
Than McIntosh
f0331c524e testing: skip flaky TestRaiseException on windows-amd64-2012-*
Modify skip rule for TestRaiseException to trigger on both the base
builder (windows-amd64-2012) and the newcc canary builder
(windows-amd64-2012-newcc).

Updates #49681.

Change-Id: I132f9ddd102666b68ad04cc661fdcc2cd841051a
Reviewed-on: https://go-review.googlesource.com/c/go/+/451294
Auto-Submit: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Than McIntosh <thanm@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
2022-11-21 16:27:03 +00:00
Filippo Valsorda
335e7647f5 crypto/internal/bigmod: add amd64 assembly core
With this change, we are down to 1.2x the running time of the previous
variable time implementation.

name                    old time/op  new time/op    delta
DecryptPKCS1v15/2048-4  1.37ms ± 0%    1.61ms ± 0%    +17.54%  (p=0.000 n=18+10)
DecryptPKCS1v15/3072-4  3.99ms ± 1%    5.46ms ± 1%    +36.64%  (p=0.000 n=20+10)
DecryptPKCS1v15/4096-4  8.95ms ± 1%   12.04ms ± 0%    +34.53%  (p=0.000 n=20+10)
EncryptPKCS1v15/2048-4  9.24µs ± 7%  223.34µs ± 0%  +2317.67%  (p=0.000 n=20+9)
DecryptOAEP/2048-4      1.38ms ± 1%    1.62ms ± 0%    +17.31%  (p=0.000 n=20+10)
EncryptOAEP/2048-4      11.5µs ± 6%   225.4µs ± 0%  +1851.82%  (p=0.000 n=20+10)
SignPKCS1v15/2048-4     1.38ms ± 0%    1.68ms ± 0%    +21.25%  (p=0.000 n=20+9)
VerifyPKCS1v15/2048-4   8.75µs ±11%  221.94µs ± 0%  +2435.02%  (p=0.000 n=20+9)
SignPSS/2048-4          1.39ms ± 1%    1.68ms ± 0%    +21.18%  (p=0.000 n=20+10)
VerifyPSS/2048-4        11.1µs ± 8%   224.7µs ± 0%  +1917.03%  (p=0.000 n=20+8)

Change-Id: I2a91ba99fcd0f86f2b5191d17170da755d7c4690
Reviewed-on: https://go-review.googlesource.com/c/go/+/452095
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-21 16:19:43 +00:00
Filippo Valsorda
08f2091ce0 crypto/ecdsa: use bigmod and nistec instead of math/big and crypto/elliptic
Ignoring custom curves, this makes the whole package constant-time.
There is a slight loss in performance for P-384 and P-521 because bigmod
is slower than math/big (but P-256 has an assembly scalar field
inversion, so doesn't use bigmod for anything big).

name                old time/op    new time/op    delta
Sign/P256-8           19.2µs ± 2%    19.1µs ± 2%     ~     (p=0.268 n=9+10)
Sign/P384-8            166µs ± 3%     188µs ± 2%  +13.52%  (p=0.000 n=10+10)
Sign/P521-8            337µs ± 2%     359µs ± 2%   +6.46%  (p=0.000 n=10+10)
Verify/P256-8         58.1µs ± 2%    58.1µs ± 2%     ~     (p=0.971 n=10+10)
Verify/P384-8          484µs ± 2%     569µs ±12%  +17.65%  (p=0.000 n=10+10)
Verify/P521-8         1.03ms ± 4%    1.14ms ± 2%  +11.02%  (p=0.000 n=10+10)
GenerateKey/P256-8    12.4µs ±12%    12.0µs ± 2%     ~     (p=0.063 n=10+10)
GenerateKey/P384-8     129µs ±18%     119µs ± 2%     ~     (p=0.190 n=10+10)
GenerateKey/P521-8     241µs ± 2%     240µs ± 2%     ~     (p=0.436 n=10+10)

name                old alloc/op   new alloc/op   delta
Sign/P256-8           3.08kB ± 0%    2.47kB ± 0%  -19.77%  (p=0.000 n=10+10)
Sign/P384-8           6.16kB ± 0%    2.64kB ± 0%  -57.16%  (p=0.000 n=10+10)
Sign/P521-8           7.87kB ± 0%    3.01kB ± 0%  -61.80%  (p=0.000 n=10+10)
Verify/P256-8         1.29kB ± 1%    0.48kB ± 0%  -62.69%  (p=0.000 n=10+10)
Verify/P384-8         2.49kB ± 1%    0.64kB ± 0%  -74.25%  (p=0.000 n=10+10)
Verify/P521-8         3.31kB ± 0%    0.96kB ± 0%  -71.02%  (p=0.000 n=7+10)
GenerateKey/P256-8      720B ± 0%      920B ± 0%  +27.78%  (p=0.000 n=10+10)
GenerateKey/P384-8      921B ± 0%     1120B ± 0%  +21.61%  (p=0.000 n=9+10)
GenerateKey/P521-8    1.30kB ± 0%    1.44kB ± 0%  +10.45%  (p=0.000 n=10+10)

name                old allocs/op  new allocs/op  delta
Sign/P256-8             45.0 ± 0%      33.0 ± 0%  -26.67%  (p=0.000 n=10+10)
Sign/P384-8             69.0 ± 0%      34.0 ± 0%  -50.72%  (p=0.000 n=10+10)
Sign/P521-8             71.0 ± 0%      35.0 ± 0%  -50.70%  (p=0.000 n=10+10)
Verify/P256-8           23.0 ± 0%      10.0 ± 0%  -56.52%  (p=0.000 n=10+10)
Verify/P384-8           43.0 ± 0%      14.0 ± 0%  -67.44%  (p=0.000 n=10+10)
Verify/P521-8           45.0 ± 0%      14.0 ± 0%  -68.89%  (p=0.000 n=7+10)
GenerateKey/P256-8      13.0 ± 0%      14.0 ± 0%   +7.69%  (p=0.000 n=10+10)
GenerateKey/P384-8      16.0 ± 0%      17.0 ± 0%   +6.25%  (p=0.000 n=10+10)
GenerateKey/P521-8      16.5 ± 3%      17.0 ± 0%   +3.03%  (p=0.033 n=10+10)

Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d
Reviewed-on: https://go-review.googlesource.com/c/go/+/353849
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-21 16:19:34 +00:00
Filippo Valsorda
d7812ab380 crypto/internal/bigmod: move nat implementation out of crypto/rsa
This will let us reuse it in crypto/ecdsa for the NIST scalar fields.

The main change in API is around encoding and decoding. The SetBytes +
ExpandFor sequence was hacky: SetBytes could produce a bigger size than
the modulus if leading zeroes in the top byte overflowed the limb
boundary, so ExpandFor had to check for and tolerate that. Also, the
caller was responsible for checking that the overflow was actually all
zeroes (which we weren't doing, exposing a crasher in decryption and
signature verification) and then for checking that the result was less
than the modulus. Instead, make SetBytes take a modulus and return an
error if the value overflows. Same with Bytes: we were always allocating
based on Size before FillBytes anyway, so now Bytes takes a modulus.
Finally, SetBig was almost only used for moduli, so replaced
NewModulusFromNat and SetBig with NewModulusFromBig.

Moved the constant-time bitLen to math/big.Int.BitLen. It's slower, but
BitLen is primarily used in cryptographic code, so it's safer this way.

Change-Id: Ibaf7f36d80695578cb80484167d82ce1aa83832f
Reviewed-on: https://go-review.googlesource.com/c/go/+/450055
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-21 16:19:15 +00:00
Filippo Valsorda
831c6509cc crypto/ed25519: implement Ed25519ctx and Ed25519ph with context
This is missing a test for Ed25519ph with context, since the RFC doesn't
provide one.

Fixes #31804

Change-Id: I20947374c51c6b22fb2835317d00edf816c9a2d2
Reviewed-on: https://go-review.googlesource.com/c/go/+/404274
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-21 15:23:39 +00:00
Paul E. Murphy
8614c525b3 crypto/aes: On ppc64le, use better instructions when available
Several operations emulate instructions available on power9. Use
the GOPPC64_power9 macro provided by the compiler to select the
native instructions if the minimum cpu requirements are met.

Likewise rework the LXSDX_BE to simplify usage when overriding
it. It is only used in one place.

All three configurations are tested via CI.

On POWER9:

pkg:crypto/cipher goos:linux goarch:ppc64le
AESCBCEncrypt1K   949MB/s ± 0%   957MB/s ± 0%  +0.83%
AESCBCDecrypt1K  1.82GB/s ± 0%  1.99GB/s ± 0%  +8.93%
pkg:crypto/aes goos:linux goarch:ppc64le
Encrypt          1.01GB/s ± 0%  1.05GB/s ± 0%  +4.36%
Decrypt           987MB/s ± 0%  1024MB/s ± 0%  +3.77%

Change-Id: I56d0eb845647dd3c43bcad71eb281b499e1d1789
Reviewed-on: https://go-review.googlesource.com/c/go/+/449116
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
Auto-Submit: Paul Murphy <murp@ibm.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Paul Murphy <murp@ibm.com>
2022-11-21 15:06:26 +00:00
Than McIntosh
cf93b25366 cmd/link: revise DLL import symbol handling
This patch reworks the handling of DLL import symbols in the PE host
object loader to ensure that the Go linker can deal with them properly
during internal linking.

Prior to this point the strategy was to immediately treat an import
symbol reference of the form "__imp__XXX" as if it were a reference to
the corresponding DYNIMPORT symbol XXX, except for certain special
cases. This worked for the most part, but ran into problems in
situations where the target ("XXX") wasn't a previously created
DYNIMPORT symbol (and when these problems happened, the root cause was
not always easy to see).

The new strategy is to not do any renaming or forwarding immediately,
but to delay handling until host object loading is complete. At that
point we make a scan through the newly introduced text+data sections
looking at the relocations that target import symbols, forwarding
the references to the corresponding DYNIMPORT sym where appropriate
and where there are direct refs to the DYNIMPORT syms, tagging them
for stub generation later on.

Updates #35006.
Updates #53540.

Change-Id: I2d42b39141ae150a9f82ecc334001749ae8a3b4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/451738
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
2022-11-19 23:11:11 +00:00
Than McIntosh
771a98d6b1 misc/cgo/testcshared: handle unsuffixed dlltool path
Adapt the testcshared tests to handle the case where the path output
by invoking

  gcc -print-prog-name=dlltool

is a path lacking the final ".exe" suffix (this seems to be what clang
is doing); tack it on before using it if this is the case.

Updates #35006.
Updates #53540.

Change-Id: I04fb7b9fc90677880b1ced4a4ad2a8867a3f5f86
Reviewed-on: https://go-review.googlesource.com/c/go/+/451816
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2022-11-19 23:10:07 +00:00
Than McIntosh
bda0235466 cmd/link: add capturehostobjs debugging flag
Add a new debugging flag "-capturehostobjs" that instructs the linker
to capture copies of all object files loaded in during the host object
loading portion of CGO internal linking. The intent is to make it
easier to analyze the objects after the fact (as opposed to having to
dig around inside archives, which can be a "find needle in haystack"
exercise).

Change-Id: I7023a5b72b1b899ea9b3bd6501f069d1f21bbaf0
Reviewed-on: https://go-review.googlesource.com/c/go/+/451737
Run-TryBot: Than McIntosh <thanm@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2022-11-19 22:39:44 +00:00
Than McIntosh
8205d83fe2 cmd/link: improved host archive debug trace output
When ctxt.Debugvlog > 1, produce additional trace output to describe
which object files are being pulled out of host archive libraries and
why they were pulled (e.g. which symbol had a reference to something
in a library). Intended to make it easier to debug problems with cgo
internal linking.

Change-Id: Icd64aff244b9145162a00cb51642ef32f26adfba
Reviewed-on: https://go-review.googlesource.com/c/go/+/451736
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-19 22:39:30 +00:00
Filippo Valsorda
58a2db181b crypto/rsa: allocate nats on the stack for RSA 2048
With a small tweak and the help of the inliner, we preallocate enough
nat backing space to do RSA-2048 on the stack.

We keep the length of the preallocated slices at zero so they don't
silently mask missing expandFor calls.

Surprisingly enough, this doesn't move the CPU benchmark needle much,
but probably reduces GC pressure on larger applications.

name                    old time/op    new time/op    delta
DecryptPKCS1v15/2048-8    1.25ms ± 0%    1.22ms ± 1%   -1.68%  (p=0.000 n=10+9)
DecryptPKCS1v15/3072-8    3.78ms ± 0%    3.73ms ± 1%   -1.33%  (p=0.000 n=9+10)
DecryptPKCS1v15/4096-8    8.62ms ± 0%    8.45ms ± 1%   -1.98%  (p=0.000 n=8+10)
EncryptPKCS1v15/2048-8     140µs ± 1%     136µs ± 0%   -2.43%  (p=0.000 n=9+9)
DecryptOAEP/2048-8        1.25ms ± 0%    1.24ms ± 0%   -0.83%  (p=0.000 n=8+10)
EncryptOAEP/2048-8         140µs ± 0%     137µs ± 0%   -1.82%  (p=0.000 n=8+10)
SignPKCS1v15/2048-8       1.29ms ± 0%    1.29ms ± 1%     ~     (p=0.574 n=8+8)
VerifyPKCS1v15/2048-8      139µs ± 0%     136µs ± 0%   -2.12%  (p=0.000 n=9+10)
SignPSS/2048-8            1.30ms ± 0%    1.28ms ± 0%   -0.96%  (p=0.000 n=8+10)
VerifyPSS/2048-8           140µs ± 0%     137µs ± 0%   -1.99%  (p=0.000 n=10+8)

name                    old alloc/op   new alloc/op   delta
DecryptPKCS1v15/2048-8    15.0kB ± 0%     0.5kB ± 0%  -96.58%  (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8    24.6kB ± 0%     3.3kB ± 0%  -86.74%  (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8    38.9kB ± 0%     4.5kB ± 0%  -88.50%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8    18.0kB ± 0%     1.2kB ± 0%  -93.48%  (p=0.000 n=10+10)
DecryptOAEP/2048-8        15.2kB ± 0%     0.7kB ± 0%  -95.10%  (p=0.000 n=10+10)
EncryptOAEP/2048-8        18.2kB ± 0%     1.4kB ± 0%  -92.29%  (p=0.000 n=10+10)
SignPKCS1v15/2048-8       21.9kB ± 0%     0.8kB ± 0%  -96.50%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8     17.7kB ± 0%     0.9kB ± 0%  -94.85%  (p=0.000 n=10+10)
SignPSS/2048-8            22.3kB ± 0%     1.2kB ± 0%  -94.77%  (p=0.000 n=10+10)
VerifyPSS/2048-8          17.9kB ± 0%     1.1kB ± 0%  -93.75%  (p=0.000 n=10+10)

name                    old allocs/op  new allocs/op  delta
DecryptPKCS1v15/2048-8       124 ± 0%         3 ± 0%  -97.58%  (p=0.000 n=10+10)
DecryptPKCS1v15/3072-8       140 ± 0%         9 ± 0%  -93.57%  (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8       158 ± 0%         9 ± 0%  -94.30%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8      80.0 ± 0%       7.0 ± 0%  -91.25%  (p=0.000 n=10+10)
DecryptOAEP/2048-8           130 ± 0%         9 ± 0%  -93.08%  (p=0.000 n=10+10)
EncryptOAEP/2048-8          86.0 ± 0%      13.0 ± 0%  -84.88%  (p=0.000 n=10+10)
SignPKCS1v15/2048-8          162 ± 0%         4 ± 0%  -97.53%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8       79.0 ± 0%       6.0 ± 0%  -92.41%  (p=0.000 n=10+10)
SignPSS/2048-8               167 ± 0%         9 ± 0%  -94.61%  (p=0.000 n=10+10)
VerifyPSS/2048-8            84.0 ± 0%      11.0 ± 0%  -86.90%  (p=0.000 n=10+10)

Change-Id: I511a2f5f6f596bbec68a0a411e83a9d04080d72a
Reviewed-on: https://go-review.googlesource.com/c/go/+/445021
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-19 16:50:07 +00:00
Filippo Valsorda
72d2c4c635 crypto/rsa: use R*R multiplication to get into the Montgomery domain
This is faster than the current code because computing RR involves
one more shiftIn and using it involves an extra multiplication, but each
exponentiation was doing montgomeryRepresentation twice, once for x and
once for 1, and now they share the RR precomputation.

More importantly, it allows precomputing the value and attaching it to
the private key in a future CL.

name                    old time/op  new time/op  delta
DecryptPKCS1v15/2048-8  1.46ms ± 0%  1.40ms ± 7%   -3.69%  (p=0.003 n=10+9)
DecryptPKCS1v15/3072-8  4.23ms ± 0%  4.13ms ± 4%   -2.36%  (p=0.004 n=9+9)
DecryptPKCS1v15/4096-8  9.42ms ± 0%  9.08ms ± 3%   -3.69%  (p=0.000 n=9+10)
EncryptPKCS1v15/2048-8   221µs ± 0%   137µs ± 1%  -37.91%  (p=0.000 n=9+10)
DecryptOAEP/2048-8      1.46ms ± 0%  1.39ms ± 1%   -4.97%  (p=0.000 n=9+10)
EncryptOAEP/2048-8       221µs ± 0%   138µs ± 0%  -37.71%  (p=0.000 n=8+10)
SignPKCS1v15/2048-8     1.68ms ± 0%  1.53ms ± 1%   -8.85%  (p=0.000 n=9+10)
VerifyPKCS1v15/2048-8    220µs ± 0%   137µs ± 1%  -37.84%  (p=0.000 n=9+10)
SignPSS/2048-8          1.68ms ± 0%  1.52ms ± 1%   -9.16%  (p=0.000 n=8+8)
VerifyPSS/2048-8         234µs ±12%   138µs ± 1%  -40.87%  (p=0.000 n=10+9)

Change-Id: I6c650bad9019765d793fd37a529ca186cf1eeef7
Reviewed-on: https://go-review.googlesource.com/c/go/+/445019
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
2022-11-19 16:49:53 +00:00
Filippo Valsorda
5aa6313e58 crypto/rsa: precompute moduli
This change adds some private fields to PrecomputedValues.

If applications were for some reason manually computing the
PrecomputedValues, which they can't do anymore, things will still work
but revert back to the unoptimized path.

name                    old time/op  new time/op  delta
DecryptPKCS1v15/2048-8  1.40ms ± 0%  1.24ms ± 0%  -10.98%  (p=0.000 n=10+8)
DecryptPKCS1v15/3072-8  4.14ms ± 0%  3.78ms ± 1%   -8.55%  (p=0.000 n=10+10)
DecryptPKCS1v15/4096-8  9.09ms ± 0%  8.62ms ± 0%   -5.20%  (p=0.000 n=9+8)
EncryptPKCS1v15/2048-8   139µs ± 0%   138µs ± 0%     ~     (p=0.436 n=9+9)
DecryptOAEP/2048-8      1.40ms ± 0%  1.25ms ± 0%  -11.01%  (p=0.000 n=9+9)
EncryptOAEP/2048-8       139µs ± 0%   139µs ± 0%     ~     (p=0.315 n=10+10)
SignPKCS1v15/2048-8     1.53ms ± 0%  1.29ms ± 0%  -15.93%  (p=0.000 n=9+10)
VerifyPKCS1v15/2048-8    138µs ± 0%   138µs ± 0%     ~     (p=0.052 n=10+10)
SignPSS/2048-8          1.54ms ± 0%  1.29ms ± 0%  -15.89%  (p=0.000 n=9+9)
VerifyPSS/2048-8         139µs ± 0%   139µs ± 0%     ~     (p=0.442 n=8+8)

Change-Id: I843c468db96aa75b18ddff17cec3eadfb579cd0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/445020
Reviewed-by: Joedian Reid <joedian@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-19 16:48:51 +00:00
Filippo Valsorda
ee5ccc9d4a crypto/rsa: deprecate and de-optimize multi-prime RSA
I have never encountered multi-prime RSA in the wild. A GitHub-wide
search reveals exactly two explicit uses of it (and a couple of tools
that leave the number configurable but defaulting to two).

https://github.com/decred/tumblebit/blob/31898baea/puzzle/puzzlekey.go#L38
https://github.com/carl-mastrangelo/pixur/blob/95d4a4208/tools/genkeys/genkeys.go#L13

Multi-prime RSA has a slight performance advantage, but has limited
compatibility and the number of primes must be chosen carefully based on
the key size to avoid security issues. It also requires a completely
separate and rarely used private key operation code path, which if buggy
or incorrect would leak the private key.

Mark it as deprecated, and remove the dedicated CRT optimization,
falling back instead to the slower but safer non-CRT fallback.

Change-Id: Iba95edc044fcf9b37bc1f4bb59c6ea273975837f
Reviewed-on: https://go-review.googlesource.com/c/go/+/445017
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
2022-11-19 16:48:39 +00:00
Lúcás Meier
8a81fdf165 crypto/rsa: replace big.Int for encryption and decryption
Infamously, big.Int does not provide constant-time arithmetic, making
its use in cryptographic code quite tricky. RSA uses big.Int
pervasively, in its public API, for key generation, precomputation, and
for encryption and decryption. This is a known problem. One mitigation,
blinding, is already in place during decryption. This helps mitigate the
very leaky exponentiation operation. Because big.Int is fundamentally
not constant-time, it's unfortunately difficult to guarantee that
mitigations like these are completely effective.

This patch removes the use of big.Int for encryption and decryption,
replacing it with an internal nat type instead. Signing and verification
are also affected, because they depend on encryption and decryption.

Overall, this patch degrades performance by 55% for private key
operations, and 4-5x for (much faster) public key operations.
(Signatures do both, so the slowdown is worse than decryption.)

name                    old time/op  new time/op    delta
DecryptPKCS1v15/2048-8  1.50ms ± 0%    2.34ms ± 0%    +56.44%  (p=0.000 n=8+10)
DecryptPKCS1v15/3072-8  4.40ms ± 0%    6.79ms ± 0%    +54.33%  (p=0.000 n=10+9)
DecryptPKCS1v15/4096-8  9.31ms ± 0%   15.14ms ± 0%    +62.60%  (p=0.000 n=10+10)
EncryptPKCS1v15/2048-8  8.16µs ± 0%  355.58µs ± 0%  +4258.90%  (p=0.000 n=10+9)
DecryptOAEP/2048-8      1.50ms ± 0%    2.34ms ± 0%    +55.68%  (p=0.000 n=10+9)
EncryptOAEP/2048-8      8.51µs ± 0%  355.95µs ± 0%  +4082.75%  (p=0.000 n=10+9)
SignPKCS1v15/2048-8     1.51ms ± 0%    2.69ms ± 0%    +77.94%  (p=0.000 n=10+10)
VerifyPKCS1v15/2048-8   7.25µs ± 0%  354.34µs ± 0%  +4789.52%  (p=0.000 n=9+9)
SignPSS/2048-8          1.51ms ± 0%    2.70ms ± 0%    +78.80%  (p=0.000 n=9+10)
VerifyPSS/2048-8        8.27µs ± 1%  355.65µs ± 0%  +4199.39%  (p=0.000 n=10+10)

Keep in mind that this is without any assembly at all, and that further
improvements are likely possible. I think having a review of the logic
and the cryptography would be a good idea at this stage, before we
complicate the code too much through optimization.

The bulk of the work is in nat.go. This introduces two new types: nat,
representing natural numbers, and modulus, representing moduli used in
modular arithmetic.

A nat has an "announced size", which may be larger than its "true size",
the number of bits needed to represent this number. Operations on a nat
will only ever leak its announced size, never its true size, or other
information about its value. The size of a nat is always clear based on
how its value is set. For example, x.mod(y, m) will make the announced
size of x match that of m, since x is reduced modulo m.

Operations assume that the announced size of the operands match what's
expected (with a few exceptions). For example, x.modAdd(y, m) assumes
that x and y have the same announced size as m, and that they're reduced
modulo m.

Nats are represented over unsaturated bits.UintSize - 1 bit limbs. This
means that we can't reuse the assembly routines for big.Int, which use
saturated bits.UintSize limbs. The advantage of unsaturated limbs is
that it makes Montgomery multiplication faster, by needing fewer
registers in a hot loop. This makes exponentiation faster, which
consists of many Montgomery multiplications.

Moduli use nat internally. Unlike nat, the true size of a modulus always
matches its announced size. When creating a modulus, any zero padding is
removed. Moduli will also precompute constants when created, which is
another reason why having a separate type is desirable.

Updates #20654

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced
Reviewed-on: https://go-review.googlesource.com/c/go/+/326012
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
2022-11-19 16:48:07 +00:00
Filippo Valsorda
5f60f844be crypto/ecdsa,crypto/x509: add encoding paths for NIST crypto/ecdh keys
Fixes #56088
Updates #52221

Change-Id: Id2f806a116100a160be7daafc3e4c0be2acdd6a9
Reviewed-on: https://go-review.googlesource.com/c/go/+/450816
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Joedian Reid <joedian@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2022-11-19 16:45:10 +00:00
Joel Sing
e84ce0802d runtime: change tfork behaviour to unbreak openbsd/mips64
Currently, tfork on openbsd/mips64 returns the thread ID on success and
a negative error number on error. In CL#447175, newosproc was changed
to assume that a non-zero value is an error - return zero on success to
match this expectation.

Change-Id: I955efad49b149146165eba3d05fe40ba75caa098
Reviewed-on: https://go-review.googlesource.com/c/go/+/451257
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Joel Sing <joel@sing.id.au>
2022-11-19 03:33:26 +00:00
Damien Neil
f4f8397fed net/http: deflake TestIssue4191_InfiniteGetTimeout
This test exercises the case where a net.Conn error occurs while
writing a response body. It injects an error by setting a timeout
on the Conn. If this timeout expires before response headers are
written, the test fails. The test attempts to recover from this
failure by extending the timeout and retrying.

Set the timeout after the response headers are removed, and
remove the retry loop.

Fixes #56274.

Change-Id: I293f8bedb7b20a21d14f43ea9bb48fc56b59441c
Reviewed-on: https://go-review.googlesource.com/c/go/+/452175
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
2022-11-19 01:19:55 +00:00
Damien Neil
c6cdfd88c7 net/http: direct server logs to test output in tests
Set a logger in newClientServerTest that directs the server
log output to the testing.T's log, so log output gets properly
associated with the test that caused it.

Change-Id: I13686ca35c3e21adae16b2fc37ce36daea3df9d5
Reviewed-on: https://go-review.googlesource.com/c/go/+/452075
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
2022-11-19 01:19:45 +00:00
Dmitri Shuralyov
4f0d3bcd6d net/http: regenerate h2_bundle.go
Done with:

	go generate -run=bundle std

After CL 452096 updated the x/net version.

Change-Id: I1c1cd76d4ec9e14f45dc66c945c74e41ff689a30
Reviewed-on: https://go-review.googlesource.com/c/go/+/452195
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2022-11-18 23:57:13 +00:00
Roland Shoemaker
04d6aa6514 crypto/x509: implement SetFallbackRoots
Adds a method which allows users to set a fallback certificate pool for
usage during verification if the system certificate pool is empty.

Updates #43958

Change-Id: I279dd2f753743bce19790f2ae29f063c89c9359d
Reviewed-on: https://go-review.googlesource.com/c/go/+/449235
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2022-11-18 23:57:10 +00:00
Filippo Valsorda
c8244489cc all: update golang.org/x/crypto to 2c476679df9a
To pick up CL 451515.

This CL also updates x/net because x/crypto's dependency was bumped
while tagging v0.3.0.

Done by
        go get -d golang.org/x/crypto@2c476679df9a
        go mod tidy
        go mod vendor

Change-Id: I432a04586be3784b1027aa9b62d86c0df6d4a97e
Reviewed-on: https://go-review.googlesource.com/c/go/+/452096
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
2022-11-18 22:32:44 +00:00
David Chase
ea2c27fe82 cmd/compile: package-annotate structs when error would be ambiguous
Before emitting a "wanted Foo but got Bar" message for an interface
type match failure, check that Foo and Bar are different.  If they
are not, add package paths to first unexported struct field seen,
because that is the cause (a cause, there could be more than one).

Replicated in go/types.

Added tests to go/types and cmd/compile/internal/types2.

Fixes #54258.

Change-Id: Ifc2b2067d62fe2138996972cdf3b6cb7ca0ed456
Reviewed-on: https://go-review.googlesource.com/c/go/+/422914
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
2022-11-18 21:48:06 +00:00