1
0
mirror of https://github.com/golang/go synced 2024-11-23 06:10:05 -07:00
Commit Graph

48063 Commits

Author SHA1 Message Date
Tobias Klauser
82517acae8 net, runtime: drop macOS 10.12 skip conditions in tests
Go 1.17 requires macOS 10.13 or later. Thus, drop the special cases for
the darwin-amd64-10_12 builder added in CL 202618.

Updates #22019
Updates #23011
Updates #32919

Change-Id: Idef11c213dfb25fd002b7cda6d425cf2e26a2e06
Reviewed-on: https://go-review.googlesource.com/c/go/+/318329
Trust: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
2021-05-10 15:49:50 +00:00
Bryan C. Mills
031854117f cmd/go: include packages with InvalidGoFiles when filtering main packages
If a package has files with conflicting package names, go/build
empirically populates the first name encountered and puts the
remaining files in InvalidGoFiles. That foiled our check for packages
whose name is either unpopulated or "main", since the "package main"
could be found in a source file after the first.

Instead, we now treat any package with a nonzero set of InvalidGoFiles
as potentially a main package. This biases toward over-reporting
errors, but we would rather over-report than under-report.

If we fix #45999, we will be able to make these error checks more
precise.

Updates #42088
Fixes #45827
Fixes #39986

Change-Id: I588314341b17961b38660192c2130678dc03023e
Reviewed-on: https://go-review.googlesource.com/c/go/+/317300
Trust: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
2021-05-10 15:48:57 +00:00
Bryan C. Mills
a9edda3788 cmd/go: add a test that reproduces #45827
For #45827

Change-Id: I4d3268d66fb0927161f44b353faef11aa4551e40
Reviewed-on: https://go-review.googlesource.com/c/go/+/317298
Trust: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
2021-05-10 15:47:52 +00:00
Bryan C. Mills
e18a8b4fb2 go/build: avoid duplicates in InvalidGoFiles
For #45827
For #39986
Updates #45999

Change-Id: I0c919b6a2e56e7003b90425487eafe0f0eadc609
Reviewed-on: https://go-review.googlesource.com/c/go/+/317299
Trust: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
2021-05-10 15:47:41 +00:00
Keith Randall
287025925f cmd/compile,reflect: allow longer type names
Encode the length of type names and tags in a varint encoding
instead of a fixed 2-byte encoding. This allows lengths longer
than 65535 (which can happen for large unnamed structs).

Removed the alignment check for #14962, it isn't relevant any more
since we're no longer reading pointers directly out of this data
(it is encoded as an offset which is copied out bytewise).

Fixes #44155
Update #14962

Change-Id: I6084f6027e5955dc16777c87b0dd5ea2baa49629
Reviewed-on: https://go-review.googlesource.com/c/go/+/318249
Trust: Keith Randall <khr@golang.org>
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2021-05-10 13:16:56 +00:00
Joel Sing
c14ecaca81 runtime: skip TestCrashDumpsAllThreads on openbsd/arm
This test is also now flakey on this platform.

Updates #36435
Updates #42464

Change-Id: Idedb81478178ffffe7a9c125a6e8bbd83458f9ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/315794
Trust: Joel Sing <joel@sing.id.au>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-09 17:07:22 +00:00
Joel Sing
bedf2c4886 runtime,syscall: convert syscall on openbsd/arm to libc
Convert the syscall package on openbsd/arm to use libc rather than performing
direct system calls.

Updates #36435

Change-Id: Iff3a91c959292cbf4e0a09c7fd34efc8e88ff83f
Reviewed-on: https://go-review.googlesource.com/c/go/+/315793
Trust: Joel Sing <joel@sing.id.au>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-09 17:07:01 +00:00
Joel Sing
603f43cbae runtime: switch runtime to libc for openbsd/arm
Use libc rather than performing direct system calls for the runtime on
openbsd/arm.

Updates #36435

Change-Id: If64a96a61c80b9748792f8a85a8f16ed6ebca91f
Reviewed-on: https://go-review.googlesource.com/c/go/+/315792
Trust: Joel Sing <joel@sing.id.au>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-09 17:06:45 +00:00
Joel Sing
83df4a590b runtime: switch openbsd/arm locking to libc
Switch openbsd/arm to locking via libc, rather than performing direct
system calls.

Update #36435

Change-Id: I190abb1aa544d2cb406fe412960ec106c9716f87
Reviewed-on: https://go-review.googlesource.com/c/go/+/315791
Trust: Joel Sing <joel@sing.id.au>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-09 17:05:59 +00:00
Joel Sing
8ec8f6aa87 runtime: switch openbsd/arm to pthreads
This switches openbsd/arm to thread creation via pthreads, rather than doing
direct system calls.

Update #36435

Change-Id: Ia8749e3723a9967905c33b6d93dfd9be797a486c
Reviewed-on: https://go-review.googlesource.com/c/go/+/315790
Trust: Joel Sing <joel@sing.id.au>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-09 17:05:25 +00:00
Matthew Dempsky
5203357eba cmd/compile: make non-concurrent compiles deterministic again
Spreading function compilation across multiple goroutines results in
non-deterministic output. This is how cmd/compile has historically
behaved for concurrent builds, but is troublesome for non-concurrent
builds, particularly because it interferes with "toolstash -cmp".

I spent some time trying to think of a simple, unified algorithm that
can concurrently schedule work but gracefully degrades to a
deterministic build for single-worker builds, but I couldn't come up
with any. The simplest idea I found was to simply abstract away the
operation of scheduling work so that we can have alternative
deterministic vs concurrent modes.

Change-Id: I08afa00527ce1844432412f4f8553781c4e323df
Reviewed-on: https://go-review.googlesource.com/c/go/+/318229
Trust: Matthew Dempsky <mdempsky@google.com>
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
2021-05-09 02:47:29 +00:00
Filippo Valsorda
ea93e68858 crypto/elliptic: make P-521 scalar multiplication constant time
Like for P-224, we do the constant time selects to hide the
point-at-infinity special cases of addition, but not the P = Q case,
which presumably doesn't happen in normal operations.

Runtime increases by about 50%, as expected, since on average we were
able to skip half the additions, and the additions reasonably amounted
to half the runtime. Still, the Fiat code is so much faster than big.Int
that we're still more than three time faster overall than pre-CL 315271.

name                   old time/op    new time/op    delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8    4.18ms ± 3%    1.35ms ± 1%  -67.64%  (p=0.000 n=10+10)
ScalarMult/P521-8        4.17ms ± 2%    1.36ms ± 1%  -67.45%  (p=0.000 n=10+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8              4.23ms ± 1%    1.44ms ± 1%  -66.02%  (p=0.000 n=9+10)
Verify/P521-8            8.31ms ± 2%    2.73ms ± 2%  -67.08%  (p=0.000 n=9+9)
GenerateKey/P521-8       4.15ms ± 2%    1.35ms ± 2%  -67.41%  (p=0.000 n=10+10)

Updates #40171

Change-Id: I782f2b7f33dd60af9b3b75e46d920d4cb47f719f
Reviewed-on: https://go-review.googlesource.com/c/go/+/315274
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
2021-05-09 00:08:44 +00:00
Filippo Valsorda
14c3d2aa59 crypto/elliptic: import fiat-crypto P-521 field implementation
Fiat Cryptography (https://github.com/mit-plv/fiat-crypto) is a project
that produces prime order field implementations (the code that does
arithmetic modulo a prime number) based on a formally verified model.

The formal verification covers some of the most subtle and hard to test
parts of an elliptic curve implementation, like carry chains. It would
probably have prevented #20040 and #43786.

This CL imports a 64-bit implementation of the P-521 base field,
replacing the horribly slow and catastrophically variable time big.Int
CurveParams implementation.

The code in p521_fiat64.go is generated reproducibly by fiat-crypto,
building and running the Dockerfile according to the README.

The code in fiat/p521.go is a thin and idiomatic wrapper around the
fiat-crypto code. It includes an Invert method generated with the help
of github.com/mmcloughlin/addchain.

The code in elliptic/p521.go is a line-by-line port of the CurveParams
implementation. Lsh(x, N) was replaced with repeated Add(x, x) calls.
Mul(x, x) was replaced with Square(x). Mod calls were removed, as all
operations are modulo P. Likewise, Add calls to bring values back to
positive were removed. The ScalarMult ladder implementation is now
constant time, copied from p224ScalarMult. Only other notable changes
are adding a p512Point type to keep (x, y, z) together, and making
addJacobian and doubleJacobian methods on that type, with the usual
receiver semantics to save 4 allocations per step.

This amounts to a proof of concept, and is far from a mature elliptic
curve implementation. Here's a non-exhaustive list of things that need
improvement, most of which are pre-existing issues with crypto/elliptic.
Some of these can be fixed without API change, so can't.

- Marshal and Unmarshal still use the slow, variable time big.Int
  arithmetic. The Curve interface does not expose field operations, so
  we'll have to make our own abstraction.

- Point addition uses an incomplete Jacobian formula, which has variable
  time behaviors for points at infinity and equal points. There are
  better, complete formulae these days, but I wanted to keep this CL
  reviewable against the existing code.

- The scalar multiplication ladder is still heavily variable time. This
  is easy to fix and I'll do it in a follow-up CL, but I wanted to keep
  this one easier to review.

- Fundamentally, values have to go in and out of big.Int representation
  when they pass through the Curve interface, which is both slow and
  slightly variable-time.

- There is no scalar field implementation, so crypto/ecdsa ends up using
  big.Int for signing.

- Extending this to P-384 would involve either duplicating all P-521
  code, or coming up with some lower-level interfaces for the base
  field. Even better, generics, which would maybe let us save heap
  allocations due to virtual calls.

- The readability and idiomaticity of the autogenerated code can
  improve, although we have a clear abstraction and well-enforced
  contract, which makes it unlikely we'll have to resort to manually
  modifying the code. See mit-plv/fiat-crypto#949.

- We could also have a 32-bit implementation, since it's almost free to
  have fiat-crypto generate one.

Anyway, it's definitely better than CurveParams, and definitely faster.

name                   old time/op    new time/op    delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8    4.18ms ± 3%    0.86ms ± 2%  -79.50%  (p=0.000 n=10+9)
ScalarMult/P521-8        4.17ms ± 2%    0.85ms ± 6%  -79.68%  (p=0.000 n=10+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8              4.23ms ± 1%    0.94ms ± 0%  -77.70%  (p=0.000 n=9+8)
Verify/P521-8            8.31ms ± 2%    1.75ms ± 4%  -78.99%  (p=0.000 n=9+10)
GenerateKey/P521-8       4.15ms ± 2%    0.85ms ± 2%  -79.49%  (p=0.000 n=10+9)

name                   old alloc/op   new alloc/op   delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8    3.06MB ± 3%    0.00MB ± 0%  -99.97%  (p=0.000 n=10+10)
ScalarMult/P521-8        3.05MB ± 1%    0.00MB ± 0%  -99.97%  (p=0.000 n=9+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8              3.03MB ± 0%    0.01MB ± 0%  -99.74%  (p=0.000 n=10+8)
Verify/P521-8            6.06MB ± 1%    0.00MB ± 0%  -99.93%  (p=0.000 n=9+9)
GenerateKey/P521-8       3.02MB ± 0%    0.00MB ± 0%  -99.96%  (p=0.000 n=9+10)

name                   old allocs/op  new allocs/op  delta
pkg:crypto/elliptic goos:darwin goarch:arm64
ScalarBaseMult/P521-8     19.8k ± 3%      0.0k ± 0%  -99.95%  (p=0.000 n=10+10)
ScalarMult/P521-8         19.7k ± 1%      0.0k ± 0%  -99.95%  (p=0.000 n=9+10)
pkg:crypto/ecdsa goos:darwin goarch:arm64
Sign/P521-8               19.6k ± 0%      0.1k ± 0%  -99.63%  (p=0.000 n=10+10)
Verify/P521-8             39.2k ± 1%      0.1k ± 0%  -99.84%  (p=0.000 n=9+10)
GenerateKey/P521-8        19.5k ± 0%      0.0k ± 0%  -99.91%  (p=0.000 n=9+10)

Updates #40171

Change-Id: Ic898b09a2388382bf51ec007d9a79d72d44efe10
Reviewed-on: https://go-review.googlesource.com/c/go/+/315271
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
2021-05-09 00:08:05 +00:00
Filippo Valsorda
ec4efa4208 crypto/x509: check the private key passed to CreateCertificate
Unfortunately, we can't improve the function signature to refer to
crypto.PrivateKey and crypto.PublicKey, even if they are both
interface{}, because it would break assignments to function types.

Fixes #37845

Change-Id: I627f2ac1e1ba98b128dac5382f9cc2524eaef378
Reviewed-on: https://go-review.googlesource.com/c/go/+/224157
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
2021-05-09 00:07:34 +00:00
David Chase
b38b1b2f9a cmd/compile: manage Slot array better
steals idea from CL 312093

further investigation revealed additional duplicate
slots (equivalent, but not equal), so delete those too.

Rearranged Func.Names to be addresses of slots,
create canonical addresses so that split slots
(which use those addresses to refer to their parent,
and split slots can be further split)
will preserve "equivalent slots are equal".

Removes duplicates, improves metrics for "args at entry".

Change-Id: I5bbdcb50bd33655abcab3d27ad8cdce25499faaf
Reviewed-on: https://go-review.googlesource.com/c/go/+/312292
Trust: David Chase <drchase@google.com>
Run-TryBot: David Chase <drchase@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-08 17:03:18 +00:00
Alberto Donizetti
68327e1aa1 cmd/vendor: upgrade pprof to latest
This change upgrades the vendored pprof to pick up the fix for a
serious issue that made the source view in browser mode blank
(tracked upstream as google/pprof#621).

I also had to patch pprof.go, since one of the upstream commit we
included introduced a breaking change in the file interface (the Base
method is now called ObjAddr and has a different signature).

I've manually verified that the upgrade fixes the aforementioned
issues with the source view.

Fixes #45786

Change-Id: I00659ae539a2ad603758e1f06572374d483b9ddc
Reviewed-on: https://go-review.googlesource.com/c/go/+/318049
Trust: Alberto Donizetti <alb.donizetti@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2021-05-08 14:59:49 +00:00
Alex Brainman
4c8f48ed4f syscall: do not change stdio handle inheritance
Before the CL 288297 all Go process handles had to be made
non-inheritable - otherwise they would escape into the child process.
But now this is not necessary.

This CL stops changing inheritance flag of stdint, stdout and stderr
handles.

Fixes #44876

Change-Id: Ib8fcf8066c30282293d96c34486b01b4c04f7116
Reviewed-on: https://go-review.googlesource.com/c/go/+/316269
Trust: Alex Brainman <alex.brainman@gmail.com>
Trust: Jason A. Donenfeld <Jason@zx2c4.com>
Run-TryBot: Alex Brainman <alex.brainman@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-08 05:57:31 +00:00
Filippo Valsorda
9d0819b27c crypto/tls: make cipher suite preference ordering automatic
We now have a (well, two, depending on AES hardware support) universal
cipher suite preference order, based on their security and performance.
Peer and application lists are now treated as filters (and AES hardware
support hints) that are applied to this universal order.

This removes a complex and nuanced decision from the application's
responsibilities, one which we are better equipped to make and which
applications usually don't need to have an opinion about. It also lets
us worry less about what suites we support or enable, because we can be
confident that bad ones won't be selected over good ones.

This also moves 3DES suites to InsecureCipherSuites(), even if they are
not disabled by default. Just because we can keep them as a last resort
it doesn't mean they are secure. Thankfully we had not promised that
Insecure means disabled by default.

Notable test changes:

  - TestCipherSuiteCertPreferenceECDSA was testing that we'd pick the
    right certificate regardless of CipherSuite ordering, which is now
    completely ignored, as tested by TestCipherSuitePreference. Removed.

  - The openssl command of TestHandshakeServerExportKeyingMaterial was
    broken for TLS 1.0 in CL 262857, but its golden file was not
    regenerated, so the test kept passing. It now broke because the
    selected suite from the ones in the golden file changed.

  - In TestAESCipherReordering, "server strongly prefers AES-GCM" is
    removed because there is no way for a server to express a strong
    preference anymore; "client prefers AES-GCM and AES-CBC over ChaCha"
    switched to ChaCha20 when the server lacks AES hardware; and finally
    "client supports multiple AES-GCM" changed to always prefer AES-128
    per the universal preference list.

    * this is going back on an explicit decision from CL 262857, and
      while that client order is weird and does suggest a strong dislike
      for ChaCha20, we have a strong dislike for software AES, so it
      didn't feel worth making the logic more complex

  - All Client-* golden files had to be regenerated because the
    ClientHello cipher suites have changed.
    (Even when Config.CipherSuites was limited to one suite, the TLS 1.3
    default order changed.)

Fixes #45430
Fixes #41476 (as 3DES is now always the last resort)

Change-Id: If5f5d356c0f8d1f1c7542fb06644a478d6bad1e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/314609
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
2021-05-08 05:15:48 +00:00
Filippo Valsorda
02ce411821 crypto/x509: remove GODEBUG=x509ignoreCN=0 flag
Common Name and NameConstraintsWithoutSANs are no more.

Fixes #24151 ᕕ(ᐛ)ᕗ

Change-Id: I15058f2a64f981c69e9ee620d3fab00f68967e49
Reviewed-on: https://go-review.googlesource.com/c/go/+/315209
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
2021-05-08 05:12:07 +00:00
Keith Randall
b211fe0058 cmd/compile: remove bit operations that modify memory directly
These operations (BT{S,R,C}{Q,L}modify) are quite a bit slower than
other ways of doing the same thing.

Without the BTxmodify operations, there are two fallback ways the compiler
performs these operations: AND/OR/XOR operations directly on memory, or
load-BTx-write sequences. The compiler kinda chooses one arbitrarily
depending on rewrite rule application order. Currently, it uses
load-BTx-write for the Const benchmarks and AND/OR/XOR directly to memory
for the non-Const benchmarks. TBD, someone might investigate which of
the two fallback strategies is really better. For now, they are both
better than BTx ops.

name              old time/op  new time/op  delta
BitSet-8          1.09µs ± 2%  0.64µs ± 5%  -41.60%  (p=0.000 n=9+10)
BitClear-8        1.15µs ± 3%  0.68µs ± 6%  -41.00%  (p=0.000 n=10+10)
BitToggle-8       1.18µs ± 4%  0.73µs ± 2%  -38.36%  (p=0.000 n=10+8)
BitSetConst-8     37.0ns ± 7%  25.8ns ± 2%  -30.24%  (p=0.000 n=10+10)
BitClearConst-8   30.7ns ± 2%  25.0ns ±12%  -18.46%  (p=0.000 n=10+10)
BitToggleConst-8  36.9ns ± 1%  23.8ns ± 3%  -35.46%  (p=0.000 n=9+10)

Fixes #45790
Update #45242

Change-Id: Ie33a72dc139f261af82db15d446cd0855afb4e59
Reviewed-on: https://go-review.googlesource.com/c/go/+/318149
Trust: Keith Randall <khr@golang.org>
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Ben Shi <powerman1st@163.com>
2021-05-08 03:27:59 +00:00
Dan Scales
f24eac4771 cmd/compile: improving the documentation of various fields and functions
This is only changes to comments, so should be fine to go into 1.17.

Change-Id: I01e28dc76b03fb3ca846d976f8ac84bc2acb2ea2
Reviewed-on: https://go-review.googlesource.com/c/go/+/318009
Run-TryBot: Dan Scales <danscales@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
2021-05-07 21:35:41 +00:00
Joe Tsai
3980c4db19 doc/go1.17: fill in TODO for compress/lzw package
Fixes #46005

Change-Id: I80ca21eb64d245749af62506ba960dbc1726c6c4
Reviewed-on: https://go-review.googlesource.com/c/go/+/318012
Trust: Joe Tsai <joetsai@digital-static.net>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2021-05-07 21:01:09 +00:00
Joe Tsai
d80d1427a8 doc/go1.17: fill in TODO for reflect package
Updates #46019

Change-Id: I3025927d949ff72535542e89b83dd830e969c255
Reviewed-on: https://go-review.googlesource.com/c/go/+/318011
Trust: Joe Tsai <joetsai@digital-static.net>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2021-05-07 20:44:40 +00:00
Emmanuel T Odeke
af6123a865 doc/go1.17: document encoding/binary.Uvarint max read of 10 bytes
Updates #41185
For #44513.
Fixes #46009

Change-Id: I60f4d891b897809765acc0aace037c78e95bb4f7
Reviewed-on: https://go-review.googlesource.com/c/go/+/317929
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Keith Randall <khr@golang.org>
2021-05-07 18:14:25 +00:00
Joe Tsai
b44c78b8c3 doc/go1.17: fill in TODO for strconv package
Updates #46021

Change-Id: Iaed26b5a1defa6c5d00fb7a3998db56d2f1b96b1
Reviewed-on: https://go-review.googlesource.com/c/go/+/318010
Trust: Joe Tsai <joetsai@digital-static.net>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2021-05-07 17:43:31 +00:00
Paul E. Murphy
9bfa6f75d5 cmd/internal/obj: consolidate MOVB cases with other MOV ops on ppc64
We can consolidate MOVB load handling with other MOV* loads. Only
Optab.Size bytes are copied from the slice returned by asmout. Thus,
we can an unconditionally append an extsb operation to the slice
modified by asmout. This extra instruction will only be copied into
the final instruction stream if Optab.Size is 4 bytes larger, as is
the case with MOVB loads.

This removes three extra special cases when loading a signed
byte.

Change-Id: I71f5324551a06a2c3fa28177109aafbe27f3e4cd
Reviewed-on: https://go-review.googlesource.com/c/go/+/314849
Reviewed-by: Lynn Boger <laboger@linux.vnet.ibm.com>
Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
Run-TryBot: Paul Murphy <murp@ibm.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Carlos Eduardo Seo <carlos.seo@linaro.org>
2021-05-07 16:08:24 +00:00
Dmitri Shuralyov
a0eb662d85 doc/go1.17: move language specification TODO to the right place
It was misplaced by the relnote tool.

Also add a TODO for CL 312212, per discussion in golang.org/issue/46020.

For #44513.
For #46020.

Change-Id: I8d766df969f85c351ead18df3e45adb6fb27b7a0
Reviewed-on: https://go-review.googlesource.com/c/go/+/317829
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
2021-05-07 14:16:52 +00:00
Cherry Mui
bdb8044665 cmd/link: don't include arginfo symbols in symbol table
We recently add arginfo symbols for traceback argument metadata.
Like other metadata symbols (GC bitmaps, opendefer info, etc.),
skip arginfo symbols for symbol table as well.

Fixes #45971.

Change-Id: I7a126b75f70ec88e2170e9a274d968762c7bce56
Reviewed-on: https://go-review.googlesource.com/c/go/+/317769
Trust: Cherry Mui <cherryyz@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
2021-05-07 14:13:18 +00:00
Robert Griesemer
f5423ea615 cmd/compile/internal/types2: add test case for issue 45985
This is a port of https://golang.org/cl/317471.

Updates #45985.

Change-Id: I539d0fa6f9a77eb2fc169a21c5db9921f8eceb03
Reviewed-on: https://go-review.googlesource.com/c/go/+/317732
Trust: Robert Griesemer <gri@golang.org>
Reviewed-by: Robert Findley <rfindley@google.com>
2021-05-07 03:55:29 +00:00
Andy Pan
832c70e33d internal/poll: cast off the last reference of SplicePipe in test
Updates #45059

Change-Id: I9f377abcc7b77136ae6cf4896b968f73c758b559
Reviewed-on: https://go-review.googlesource.com/c/go/+/317510
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
2021-05-07 02:45:26 +00:00
Rob Findley
d2b03111c4 go/types,cmd/compile/internal/types2: unskip std and cmd in TestStdlib
CL 276272 accidentally skipped everything in TestStdlib while trying to
skip nested submodules of std and cmd.

For now, narrow the skip to just the problematic submodule rather than
trying to generalize. We can re-evaluate if it becomes a pattern to
vendor submodules in this way.

Fixes #46027

Change-Id: Ib355ff80dfbf17c3cf37d128a2f48d4216305267
Reviewed-on: https://go-review.googlesource.com/c/go/+/317869
Trust: Robert Findley <rfindley@google.com>
Run-TryBot: Robert Findley <rfindley@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
2021-05-07 02:17:32 +00:00
Rob Findley
9524e93adf go/types: add a test case for issue 45985
The fix for #45985 is a little subtle. Start by committing the (bad)
test case.

For #45985

Change-Id: Ia6625818e9b1c5e869b2c2f724f817c13c9944d1
Reviewed-on: https://go-review.googlesource.com/c/go/+/317471
Trust: Robert Findley <rfindley@google.com>
Run-TryBot: Robert Findley <rfindley@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
2021-05-07 02:05:28 +00:00
Rob Findley
a11a1711b0 go/types: expose types.Info.Inferred with -tags=typeparams
Our workaround to get and set types.Info._Inferred makes it harder to
experiment with the new APIs in x/tools.

Instead, just make a copy of the types.Info struct, so that the Inferred
field is accessible when the typeparams build tag is set.

This is a trivially safe change: the only change when not building with
-tags=typeparams is that types.Info._Inferred is removed, and accessing
inferred type information goes through an additional layer of
indirection.

For #46003

Change-Id: I38f2bbb2c80aed28be31d0fe762ccead970476ca
Reviewed-on: https://go-review.googlesource.com/c/go/+/317549
Trust: Robert Findley <rfindley@google.com>
Trust: Robert Griesemer <gri@golang.org>
Run-TryBot: Robert Findley <rfindley@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
2021-05-07 01:42:23 +00:00
Cherry Mui
4dbad79510 runtime: call unlockOSThread directly in Windows syscall functions
Windows syscall functions (e.g. syscall.Syscall9) are defined as
cgo_unsafe_args (because it takes the address of one argument and
use that to access all arguments) which makes them ABI0. In some
case we may need ABI wrappers for them. Because those functions
have a large number of arguments, the wrapper can take a
non-trivial amount of stack frame, causing nosplit overflow when
inlining is disabled. The overflow call chain involves
deferreturn.

This CL changes a deferred call to unlockOSThread to a direct
call. If the syscall functions panics, it is likely a fatal error
anyway.

Fixes #45698.

Change-Id: I280be826644de1205f9c8f5efaa4ec5e1b4eebc1
Reviewed-on: https://go-review.googlesource.com/c/go/+/316650
Trust: Cherry Mui <cherryyz@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
2021-05-06 20:30:00 +00:00
Cherry Mui
f39997b2be cmd/link: split large text sections on Darwin/ARM64 when external linking
The Darwin linker does not like text sections that are larger
than the jump limit (even if we already inserted trampolines).
Split the text section to multiple smaller sections.

Now external linking very large binaries works on Darwin/ARM64.

Updates #40492.

Change-Id: I584f1ec673170c5e4d2dc1e00c701964d6f14333
Reviewed-on: https://go-review.googlesource.com/c/go/+/316050
Trust: Cherry Mui <cherryyz@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
2021-05-06 20:23:33 +00:00
Roland Shoemaker
90d6bbbe42 crypto/tls: enforce ALPN overlap when negotiated on both sides
During the TLS handshake if the server doesn't support any of the
application protocols requested by the client, send the
no_application_protocol alert and abort the handshake on the server
side. This enforces the requirements of RFC 7301.

Change-Id: Iced2bb5c6efc607497de1c40ee3de9c2b393fa5d
Reviewed-on: https://go-review.googlesource.com/c/go/+/289209
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-05-06 18:57:43 +00:00
Lynn Boger
402f177efc cmd/compile: fix intrinsic setting for mul64, add64 on ppc64le
I found a performance regression between the runtime.Hash
benchmarks when comparing Go 1.16 to latest on ppc64le. This
was due to the addition of Mul64 to runtime/internal/math
with the comments that this should be treated as an intrinsic
on platforms where available. However this is was not being
intrinsified on ppc64le because the code in ssagen/ssa.go didn't
correctly specify ppc64le. It had the argument for ArchPPC64
but should have also included ArchPPC64LE.

Treating Mul64 as an intrinsic shows this improvement, and these
results are better than Go 1.16:

Hash5        27.0ns ± 0%     14.0ns ± 0%   -48.1
Hash16       26.6ns ± 0%     14.0ns ± 0%   -47.3
Hash64       50.7ns ± 0%     17.9ns ± 0%   -64.6
Hash1024      500ns ± 0%       99ns ± 0%   -80.1
Hash65536    30.6µs ± 0%      4.0µs ± 0%   -86

Many of the Map related benchmarks in the runtime package also showed
improvement once Mul64 is intrinsified.

Change-Id: I3b5ce637b1620348d81a30cfc359c97ab63aae0f
Reviewed-on: https://go-review.googlesource.com/c/go/+/317303
Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com>
Reviewed-by: Paul Murphy <murp@ibm.com>
Reviewed-by: Keith Randall <khr@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
2021-05-06 18:08:01 +00:00
Roland Shoemaker
51ff3a6965 crypto/x509: rewrite certificate parser
Replaces the encoding/asn1 certificate parser with a
x/crypto/cryptobyte based parser. This provides a significant increase
in performance, mostly due to a reduction of lots of small allocs,
as well as almost entirely removing reflection.

Since this is a rather large rewrite only the certificate parser is
replaced, leaving the parsers for CSRs, CRLs, etc for follow-up work.
Since some of the functions that the other parsers use are replaced
with cryptobyte versions, they still get a not insignificant performance
boost.

name                           old time/op    new time/op    delta
ParseCertificate/ecdsa_leaf-8    44.6µs ± 9%    12.7µs ± 4%  -71.58%  (p=0.000 n=20+18)
ParseCertificate/rsa_leaf-8      46.4µs ± 4%    13.2µs ± 2%  -71.49%  (p=0.000 n=18+19)

name                           old allocs/op  new allocs/op  delta
ParseCertificate/ecdsa_leaf-8       501 ± 0%       164 ± 0%  -67.27%  (p=0.000 n=20+20)
ParseCertificate/rsa_leaf-8         545 ± 0%       182 ± 0%  -66.61%  (p=0.000 n=20+20)

Fixes #21118
Fixes #44237

Change-Id: Id653f6ae5e405c3cbf0c5c48abb30aa831e30107
Reviewed-on: https://go-review.googlesource.com/c/go/+/274234
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
2021-05-06 17:09:23 +00:00
Cherry Mui
5f9fe47dea CONTRIBUTORS: change my name
Change-Id: I4fd1cf673f5dddb8a2cedd575ad6fcc070c70e86
Reviewed-on: https://go-review.googlesource.com/c/go/+/317590
Trust: Cherry Mui <cherryyz@google.com>
Reviewed-by: Jeremy Faller <jeremy@golang.org>
2021-05-06 16:28:56 +00:00
Robert Griesemer
6c591f79b0 math/big: check for excessive exponents in Rat.SetString
Found by oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284

Fixes #45910.

Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
Trust: Robert Griesemer <gri@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Robert Griesemer <gri@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
2021-05-06 16:00:55 +00:00
Dmitri Shuralyov
54e20b505d doc/go1.17: document fixes for negative rune handling
CL 317273 accidentally grouped a fix for bufio, bytes, strings
packages into a single entry, but they should be separate ones.

Fix that, and document these negative rune handling fixes.

The list of fixed functions in package unicode was computed by
taking the functions covered by the new TestNegativeRunes test,
and including those that fail when tested with Go 1.16.3.

For #44513.
Updates #43254.

Change-Id: I6f387327f83ae52543526dbdcdd0bb5775c678bd
Reviewed-on: https://go-review.googlesource.com/c/go/+/317469
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Trust: Alexander Rakoczy <alex@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Alexander Rakoczy <alex@golang.org>
2021-05-06 15:33:43 +00:00
Russ Cox
d2fd503f68 text/template: fix type bug in eq
{{eq .x 0}} where .x is a nil interface{} should be false, not a type error.

Similarly, {{eq .x .x}} should succeed, not panic in reflect.

Fixes #45982.

Change-Id: I90aba82bb2f1a9e162bde1290c94f5028f56f412
Reviewed-on: https://go-review.googlesource.com/c/go/+/317470
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
2021-05-06 13:39:39 +00:00
Russ Cox
0e7a7a68cd text/template/parse: rename DeferFuncCheck to SkipFuncCheck
The proposal as accepted in #34652 named the bit SkipFuncCheck.
It was renamed to DeferFuncCheck during the code review on a suggestion by Rob,
along with a comment to “defer type checking functions until template is executed,”
but this description is not accurate: the package has never type-checked functions,
only verified their existence. And the effect of the bit in this package is to eliminate
this check entirely, not to defer it to some later time.

I was writing code using this new bit and was very confused about when the
"type checking" was being deferred to and how to stop that entirely,
since in my use case I wanted no checks at all. What I wanted is what the bit does,
it just wasn't named accurately.

Rename back to SkipFuncCheck.

Change-Id: I8e62099c8a904ed04521eb5b86155290f6d5b12f
Reviewed-on: https://go-review.googlesource.com/c/go/+/317269
Trust: Russ Cox <rsc@golang.org>
Trust: Daniel Martí <mvdan@mvdan.cc>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
2021-05-06 13:39:37 +00:00
sivchari
ba0f8ce50f runtime: gofmt proc_test.go
Change-Id: I09a2be64e96fe85d84560728814af74b234d7210
GitHub-Last-Rev: bc881ea002
GitHub-Pull-Request: golang/go#45929
Reviewed-on: https://go-review.googlesource.com/c/go/+/316409
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Michael Pratt <mpratt@google.com>
2021-05-06 12:33:02 +00:00
David Chase
b4ca1cec69 cmd/compile: set unsayable "names" for regabi testing triggers
This disables the "testing names" for method names and
trailing input types passed to closure/interface/other calls.
The logic using the names remains, so that editing the change
to enable local testing is not too hard.

Also fixes broken build tag in reflect/abi_test.go

Updates #44816.

Change-Id: I3d222d2473c98d04ab6f1122ede9fea70c994af1
Reviewed-on: https://go-review.googlesource.com/c/go/+/300150
Trust: David Chase <drchase@google.com>
Run-TryBot: David Chase <drchase@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
2021-05-06 11:58:39 +00:00
Filippo Valsorda
1108cbe60b crypto/ecdsa,crypto/elliptic: improve tests and benchmarks
Ensured all tests and benchmarks run over all curves.

Change-Id: Idcbe14a50c60ff6c2cd56793bced6b428d049c39
Reviewed-on: https://go-review.googlesource.com/c/go/+/315272
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
2021-05-06 02:21:55 +00:00
Filippo Valsorda
43c390a1fa crypto/ed25519: skip allocations test on -noopt builder
Without optimizations, there will be unexpected allocations.

Change-Id: I90dc2636279b7fda7689eabc763251c4cdd25874
Reviewed-on: https://go-review.googlesource.com/c/go/+/317370
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
2021-05-06 02:20:28 +00:00
Rob Findley
cf73f1a8e4 go/parser: don't parse a nil IndexExpr.Index
When parsing type parameters, an empty type instantiation was parsed as
an IndexExpr with nil Index. This should be considered a breaking change
to parsing: ast.Walk previously assumed that Index was non-nil.

Back out the nil check in ast.Walk, and for now pack an empty argument
list as a non-nil ListExpr with nil Elems.

Alternatives considered:
 - Parsing the entire index expression as a BadExpr: this led to
   inferior errors while type checking.
 - Parsing the Index as a BadExpr: this seems reasonable, but encodes
   strictly less information into the AST.

We may want to opt for one of these alternatives in the future, but for
now let's just fix the breaking change.

Change-Id: I93f2b89641692ac014b8ee98bfa031ed3477afb8
Reviewed-on: https://go-review.googlesource.com/c/go/+/315851
Trust: Robert Findley <rfindley@google.com>
Trust: Robert Griesemer <gri@golang.org>
Run-TryBot: Robert Findley <rfindley@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Robert Griesemer <gri@golang.org>
2021-05-05 20:58:39 +00:00
Dmitri Shuralyov
15557af207 doc/go1.17: fill in Go 1.17 release note TODOs using relnote
For #44513.

Change-Id: I8e0b044ebe39e3406c96f219eb921518f047be3e
Reviewed-on: https://go-review.googlesource.com/c/go/+/317273
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
2021-05-05 20:34:22 +00:00
Filippo Valsorda
b0c49ae9f5 crypto/ed25519: replace internal/edwards25519 with filippo.io/edwards25519
This change replaces the crypto/ed25519/internal/edwards25519 package
with code from filippo.io/edwards25519, a significantly faster, safer,
well tested (over 1600 lines of new tests, 99% test coverage), and
better documented (600 lines of new comments) implementation.

Some highlights:

* an unsaturated 51-bit limb field implementation optimized for 64-bit
  architectures and math/bits.Mul64 intrinsics

* more efficient variable time scalar multiplication using multi-width
  non-adjacent form with a larger lookup table for fixed-base

* a safe math/big.Int-like API for the Scalar, Point, and field.Element
  types with fully abstracted reduction invariants

* a test suite including a testing/quick fuzzer that explores edge case
  values that would be impossible to hit randomly, and systematic tests
  for arguments and receiver aliasing

* point decoding rules that strictly match the original logic of
  crypto/ed25519/internal/edwards25519, to avoid consensus issues

* AssemblyPolicy-compliant assembly cores for arm64 and amd64, the
  former under 20 lines, and the latter generated by a program based on
  github.com/mmcloughlin/avo that can be reviewed line-by-line against
  the generic implementation

Intel(R) Core(TM) i5-7400 CPU @ 3.00GHz

name              old time/op    new time/op    delta
KeyGeneration-4     59.5µs ± 1%    26.1µs ± 1%  -56.20%  (p=0.000 n=10+10)
NewKeyFromSeed-4    59.3µs ± 1%    25.8µs ± 1%  -56.48%  (p=0.000 n=9+10)
Signing-4           60.4µs ± 1%    31.4µs ± 1%  -48.05%  (p=0.000 n=10+10)
Verification-4       169µs ± 1%      73µs ± 2%  -56.55%  (p=0.000 n=10+10)

Apple M1

name              old time/op    new time/op    delta
KeyGeneration-8     35.1µs ± 0%    20.2µs ± 2%  -42.46%  (p=0.000 n=8+10)
NewKeyFromSeed-8    35.1µs ± 0%    20.0µs ± 1%  -42.93%  (p=0.000 n=8+9)
Signing-8           36.2µs ± 0%    25.6µs ± 1%  -29.25%  (p=0.000 n=8+9)
Verification-8      96.1µs ± 0%    57.6µs ± 1%  -40.14%  (p=0.000 n=10+10)

The code in this CL is a copy of the filippo.io/edwards25519 module at
version v1.0.0-beta.3.0.20210405211453-c6be47d67779 with only the
following functions removed as irrelevant to crypto/ed25519:

- (*Point).BytesMontgomery()
- (*Point).MultByCofactor()
- (*Scalar).Invert()
- (*Point).MultiScalarMult()
- (*Point).VarTimeMultiScalarMult()

This codebase took a long journey outside the standard library before
making its way back here. Its oldest parts started as a faster field
implementation rewrite by George Tankersley almost four years ago,
eventually submitted as CL 71950 but never merged. That code was then
merged into github.com/gtank/ristretto255, which also started as an
internal/edwards25519 fork. There it was worked on by me, George, and
Henry de Valence as a backend for our Go ristretto255 implementation.
Finally, I extracted the edwards25519 code into a reusable package as
filippo.io/edwards25519.

Now, we're ready for the standard library to become the source of truth
for this code again, while filippo.io/edwards25519 will become a
re-packaged and extended version for external use, since we don't want
to expose unsafe curve operations in x/crypto or the standard library.

Submitted under the Google CLA on behalf of:

- Henry de Valence
  https://github.com/gtank/ristretto255/issues/34
- George Tankersley
  https://golang.org/cl/71950
  https://github.com/gtank/ristretto255-private/issues/28
- Luke Champine
  https://github.com/FiloSottile/edwards25519/pull/7
- Adrian Hamelink
  https://github.com/FiloSottile/edwards25519/pull/12

Changes 32506b5 and 18c803c are trivial and don't require a CLA.

The full history of this code since diverging from internal/edwards25519
is available at https://github.com/FiloSottile/edwards25519, and
summarized below.

+ c6be47d - edwards25519: update TestScalarSetBytesWithClamping <Filippo Valsorda>
+ c882e8e - edwards25519: rewrite amd64 assembly with avo <Filippo Valsorda>
+ 8eb02eb - edwards25519: refactor feMulGeneric and feSquareGeneric <Filippo Valsorda>
+ 8afd860 - edwards25519: remove Go 1.12 compatibility hack <Filippo Valsorda>
+ 1765c13 - edwards25519: don't clobber BP in amd64 assembly <Filippo Valsorda>
+ b73a7c8 - edwards25519: fix ScalarMult when receiver is not the identity (FiloSottile/edwards25519#12) <Adrian Hamelink>
+ 32a46d7 - edwards25519: document why this can't implement X25519 <Filippo Valsorda>
+ c547797 - edwards25519: make SqrtRatio slightly more efficient <Filippo Valsorda>
+ 700f4f4 - edwards25519: panic if an uninitialized Point is used <Filippo Valsorda>
+ d791cf8 - edwards25519: use testing.AllocsPerRun for TestAllocations <Filippo Valsorda>
+ 8cc8037 - edwards25519: smooth a couple test coverage rough edges <Filippo Valsorda>
+ 9063a14 - edwards25519: test that operations cause zero heap allocations <Filippo Valsorda>
+ 6944ac7 - edwards25519: relax the limb schedule slightly <Filippo Valsorda>
+ 21ebdac - edwards25519: rewrite carryPropagate in arm64 assembly <Filippo Valsorda>
+ a260082 - edwards25519: merge carryPropagate[12] <Filippo Valsorda>
+ dbe1792 - edwards25519: add TestScalarSetBytesWithClamping <Filippo Valsorda>
+ c1fe95a - edwards25519: add MultByCofactor <Filippo Valsorda>
+ 132d95c - edwards25519: sprinkle on-curve checks around tests <Filippo Valsorda>
+ ffb3e31 - edwards25519: specify the behavior of Invert(0) and I.BytesMontgomery() <Filippo Valsorda>
+ 9e6a931 - edwards25519: add (*Scalar).MultiplyAdd <lukechampine>
+ 3b045f3 - edwards25519: outline (*Point).Bytes (FiloSottile/edwards25519#6) <Luke Champine>
+ ec6f8a6 - edwards25519: make (*Scalar).SetCanonicalBytes return the receiver <Filippo Valsorda>
+ 77d7b31 - edwards25519: add (*Point).BytesMontgomery <Filippo Valsorda>
+ 6e8d645 - edwards25519: implement (*Point).Bytes and (*Point).SetBytes <Filippo Valsorda>
+ 1c833da - edwards25519: clarify ScalarBaseMult docs <Filippo Valsorda>
+ 3a13cf1 - edwards25519: apply gc build tag <Filippo Valsorda>
+ 90c35a7 - edwards25519: hide FieldElement and (*Point).ExtendedCoords <Filippo Valsorda>
+ 498fb1e - edwards25519: replace FillBytes with Bytes, again <Filippo Valsorda>
+ 9c7303a - edwards25519: remove (*Point).Identity and (*Point).Generator <Filippo Valsorda>
+ 2e52ce2 - edwards25519: drop unused (*Scalar).Zero <Filippo Valsorda>
+ 7c14a36 - edwards25519: rename FromBytes to SetBytes <Filippo Valsorda>
+ e3d0e45 - edwards25519: ensure only test files import math/big <Filippo Valsorda>
+ daa2507 - edwards25519: minor doc and string touch-ups <Filippo Valsorda>
+ e8698cd - edwards25519: implement (*Scalar).FromBytesWithClamping <Filippo Valsorda>
+ f28d75a - edwards25519: change constructors <Filippo Valsorda>
+ 36d8598 - edwards25519: test the invariant that Scalars are always reduced <Filippo Valsorda>
+ feed48c - edwards25519: cleanup the FieldElement API <Filippo Valsorda>
+ f6ee187 - edwards25519: make Point opaque <Filippo Valsorda>
+ 176388b - edwards25519: cleanup Scalar API to match ristretto255 <Filippo Valsorda>
+ c5c2e9e - edwards25519: rename ProjP3 to Point and unexport other point types <Filippo Valsorda>
+ 8542076 - edwards25519: add Scalar aliasing test <Filippo Valsorda>
+ 1a86a9c - edwards25519: make Scalar opaque <Filippo Valsorda>
+ 07a7683 - edwards25519: hide some more exposed symbols <Filippo Valsorda>
+ d3569cb - all: flatten the package and make FieldElement opaque <Filippo Valsorda>
+ 6f5f582 - all: expose edwards25519, base, and scalar packages <Filippo Valsorda>
+ 7ab4a68 - all: ensure compatibility with older Go versions <Filippo Valsorda>
+ e9b8baa - internal/radix51: implement (*FieldElement).Mul32 <Filippo Valsorda>
+ eac4de5 - internal/radix51: restructure according to golang.org/wiki/TargetSpecific <Filippo Valsorda>
+ 32506b5 - internal/radix51: fix !amd64 build (lightReduce -> carryPropagate) (gtank/ristretto255#29) <Sunny Aggarwal>
+ d64d989 - internal/scalar: fix FromUniformBytes <Filippo Valsorda>
+ 044bb44 - internal/scalar: address review comments <Filippo Valsorda>
+ 7dba54f - all: apply suggestions from code review <Filippo Valsorda>
+ 94bd1d9 - ristretto255: expose scalar multiplication APIs <Filippo Valsorda>
+ 5bd5476 - internal/edwards25519: fix shadowing of B in TestAddSubNegOnBasePoint <Filippo Valsorda>
+ 66bf647 - internal/scalar: replace FromBytes/IsCanonical with FromUniformBytes/FromCanonicalBytes <Filippo Valsorda>
+ 024f3f7 - internal/edwards25519,internal/scalar: apply some Go style touches <Filippo Valsorda>
+ 5e0c5c6 - internal/scalar: add scalar inversion <Henry de Valence>
+ 74fd625 - internal/ed25519: rearrange VartimeDoubleBaseMul args <Henry de Valence>
+ 81ae7ea - internal/ed25519: add benchmarks for scalar mul <Henry de Valence>
+ 9f1f939 - internal/ed25519: add variable-time multiscalar mul <Henry de Valence>
+ 7a96974 - internal/ed25519: add vartime double-base scmul <Henry de Valence>
+ 2bc256c - internal/ed25519: add precomputed NAF table for basepoint <Henry de Valence>
+ a0f0b96 - internal/ed25519: lower quickcheck size for point ops <Henry de Valence>
+ 2f385a1 - internal/ed25519: implement MultiscalarMul <Henry de Valence>
+ 8ae211b - internal/ed25519: implement BasepointMul <Henry de Valence>
+ 7b4858d - internal/ed25519: extract common test variables <Henry de Valence>
+ 16e7c48 - internal/ed25519: add a basepoint multiple table. <Henry de Valence>
+ 988e521 - internal/ed25519: add constant-time variable-base scmul. <Henry de Valence>
+ b695f6b - internal/ed25519: move basepoint constant & correct it <Henry de Valence>
+ ddd014e - internal/scalar: fix high bit check <Henry de Valence>
+ c88ea89 - internal/scalar: make casts clearer <Henry de Valence>
+ b75f989 - internal/scalar: add invariant checks on Scalar digits <Henry de Valence>
+ 36216ca - internal/scalar: use one scMulAdd for Sub <Henry de Valence>
+ 8bf40f3 - internal/scalar: fix constant-time signed radix 16 implementation <Henry de Valence>
+ e6d9ef6 - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 3aa63de - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 3e66ff0 - Update internal/radix51/fe_test.go <Filippo Valsorda>
+ 94e6c15 - internal/ed25519: add TODO note and doc ref <Henry de Valence>
+ 3647548 - internal/ed25519: rename twoD to D2 <Henry de Valence>
+ 1cf853c - internal/ed25519: add lookup tables for scalar mul. <Henry de Valence>
+ 3af304a - internal/radix51: add a conditional swap <Henry de Valence>
+ 4673217 - ristretto255: use multi-model arithmetic <Henry de Valence>
+ cca757a - internal/ed25519: remove single-model code <Henry de Valence>
+ d26e77b - internal/ed25519: add addition for Edwards points <Henry de Valence>
+ e0fbb35 - internal/ed25519: use twoD <Henry de Valence>
+ fd9b37b - internal/ed25519: add tests for multi-model point types. <Henry de Valence>
+ dacabb0 - internal/ed25519: add multi-model point types. <Henry de Valence>
+ dddc72e - internal/scalar: add constant-time signed radix 16 <Henry de Valence>
+ 92cdb35 - internal/scalar: add non-adjacent form <Henry de Valence>
+ d147963 - internal/scalar: don't zero memory that is about to be copied over <George Tankersley>
+ 8da186c - internal/scalar: add scalar field implementation <George Tankersley>
+ f38e583 - internal/radix51: add a "weird" testing/quick generation strategy <Filippo Valsorda>
+ 6454f61 - Move comment inside function <Henry de Valence>
+ 1983365 - implement Add, Sub, Neg for ed25519 and ristretto255 points. <Henry de Valence>
+ 9f25562 - internal/group: rename to internal/edwards25519 <Filippo Valsorda>
+ 48e66d3 - internal/group: restore ScalarMult code <Filippo Valsorda>
+ 0078d66 - internal/radix51: rename lightReduce to carryPropagate and touch up docs <Filippo Valsorda>
+ 05f4107 - internal/radix51: add benchmarks <Filippo Valsorda>
+ fd36334 - internal/radix51: test that operations don't exceed bounds <Filippo Valsorda>
+ 703421d - internal/radix51: make Generate produce random light-reduced elements <Filippo Valsorda>
+ f8d8297 - internal/radix51: simplify lightReduce <Filippo Valsorda>
+ 413120f - internal/radix51: minor tests cleanup <Filippo Valsorda>
+ abc8c5a - internal/radix51: make reduction an invariant and unexport Reduce <Filippo Valsorda>
+ 4fd198d - internal/radix51: actually apply go:noescape <Filippo Valsorda>
+ 18c803c - all: fix typos <Dimitris Apostolou>
+ bbfe059 - internal/radix51: test field encoding roundtrip with fixed vectors <George Tankersley>
+ c428b18 - internal/radix51: rename AppendBytes to Bytes <Filippo Valsorda>
+ c59bc1a - internal/radix51: rewrite FromBytes and AppendBytes with encoding/binary <Filippo Valsorda>
+ 57c0cd5 - internal/radix51: add docs and some light readability refactors <Filippo Valsorda>
+ cb1b734 - internal/radix51: remove unused (and a bit broken) SetInt <Filippo Valsorda>
+ beb8abd - internal/radix51: refactor ToBig and FromBig <Filippo Valsorda>
+ 87c0a53 - internal/radix51: replace ToBytes with AppendBytes <Filippo Valsorda>
+ b7e1e45 - internal/radix51: fix aliasing bug in CondNeg (gtank/ristretto255#21) <George Tankersley>
+ ed3748d - internal/radix51: actually, uhm, check the result of TestAliasing <Filippo Valsorda>
+ ec0e293 - radix51: change API of FromBytes and ToBytes to use slices <George Tankersley>
+ 29f6815 - internal/radix51: test all combinations of argument and receiver aliasing <Filippo Valsorda>
+ cd53d90 - internal/radix51: add property-based tests that multiplication distributes over addition <Henry de Valence>
+ c3bc45f - radix51: use go1.12 intrinsics for 128-bit multiplications <George Tankersley>
+ 7e7043e - internal/radix51: define a mask64Bits constant <Filippo Valsorda>
+ 4fdd06d - internal/group: set Z to 1, not 0 in FromAffine <Filippo Valsorda>
+ ffa7be7 - internal/group: fix typo <Filippo Valsorda>
+ 1f452ac - internal/group: derive twoD from D <Filippo Valsorda>
+ 2424c78 - internal/radix51: add MinusOne <Filippo Valsorda>
+ 76978fc - internal/group: make conversion APIs caller-allocated <Filippo Valsorda>
+ d17d202 - internal/group: rewrite DoubleZ1 because stack is cheaper than mental state <Filippo Valsorda>
+ 72b97c1 - internal: make all APIs chainable <Filippo Valsorda>
+ 993d979 - internal/radix51: make all APIs not consider the receiver an input <Filippo Valsorda>
+ b2a1d7d - all: refactor field API to be methods based <Filippo Valsorda>
+ cdf9b90 - internal/radix51: add constant time field operations <Filippo Valsorda>
+ e490a48 - internal/radix51: remove FeEqual <Filippo Valsorda>
+ 2de114c - internal/radix51: remove FeCSwap <Filippo Valsorda>
+ 08b80c1 - make things more generally presentable <George Tankersley>
+ 2178536 - Cache the field representation of d <George Tankersley>
+ 4135059 - Remove 32-bit code and update license. <George Tankersley>
+ 5d95cb3 - Use Bits() for FeToBig. <George Tankersley>
+ 146e33c - Implement ScalarMult using Montgomery pattern and dedicated extended-coordinates doubling. This will be slow. <George Tankersley>
+ 12a673a - use faster FeFromBig & a horrible assortment of other random changes <George Tankersley>
+ 901f40c - group logic WIP <George Tankersley>
+ a9c89cd - add equality for field elements <George Tankersley>
+ 214873b - Add radix51 FieldElement implementation <George Tankersley>
+ 8fd5cae - Implement an elliptic.Curve for ed25519 <George Tankersley>

Change-Id: Ifbcdd13e8b6304f9906c0ef2b73f1fdc493a7dfa
Co-authored-by: George Tankersley <george.tankersley@gmail.com>
Co-authored-by: Henry de Valence <hdevalence@hdevalence.ca>
Reviewed-on: https://go-review.googlesource.com/c/go/+/276272
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
2021-05-05 20:23:45 +00:00