Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: support for server-sig-algs extension (RFC8308) #49269

Closed
Tracked by #49952
aphistic opened this issue Nov 1, 2021 · 17 comments · May be fixed by golang/crypto#197
Closed
Tracked by #49952

x/crypto/ssh: support for server-sig-algs extension (RFC8308) #49269

aphistic opened this issue Nov 1, 2021 · 17 comments · May be fixed by golang/crypto#197
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@aphistic
Copy link

aphistic commented Nov 1, 2021

This relates to:

x/crypto/ssh: publicKeyCallback cannot handshake using ssh-rsa keys signed using the ssh-rsa-sha2-256 algorithm #39885

I decided to create a new issue even though this is mentioned in the comments for that issue because this is more specifically for server-sig-algs and RFC 8308 support.

What version of Go are you using (go version)?

$ go version
go version go1.16.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/kdavidson/.cache/go-build"
GOENV="/home/kdavidson/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/kdavidson/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/kdavidson/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.3"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4051208766=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Recently, OpenSSH 8.8 deprecated support for ssh-rsa host keys and ssh-rsa pubkey auth as a default value. If users try to connect to a Go x/crypto/ssh server using OpenSSH 8.8 with ssh-rsa for pubkey auth, the client will fail to find a mutual algorithm and not even attempt to send a client's ssh-rsa pubkey auth, likely to avoid any auth penalties.

What did you expect to see?

I would expect the SSH server to send an SSH_MSG_EXT_INFO containing valid pubkey auth algorithms using the server-sig-algs extension, as defined in RFC 8308.

What did you see instead?

The x/crypto SSH server does not send any pubkey auth algorithms, so a client may end up not sending a potentially valid pubkey auth to avoid penalties.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/360195 mentions this issue: ssh: add support for extension negotiation (rfc 8308)

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 2, 2021
@seankhliao
Copy link
Member

cc @FiloSottile

rmohr pushed a commit to rmohr/crypto that referenced this issue Nov 30, 2021
This adds support for SSH extension negotiation via SSH_MSG_EXT_INFO as defined in RFC 8308 [1]. It also adds support for the `server-sig-algs` extension on both the client and server sides.

[1] https://datatracker.ietf.org/doc/html/rfc8308

Fixes golang/go#49269

Change-Id: Iab374d1254ec83eabdb5f433b95ff39a1a540cc3
GitHub-Last-Rev: 29bf9ec
GitHub-Pull-Request: golang#197
@aphistic
Copy link
Author

aphistic commented Dec 3, 2021

@rmohr

I'm moving the response to your question over here so it can be tracked in the Gerrit CL for this issue.

Do you also plan to tackle automatically setting the right algorithm for the rsa signers (which are right now hardcoded to ssh-rsa?

I'm not quite sure what you mean here. I do plan to add support for server-sig-algs on the client side to allow that to influence the pubkey auth that's sent to the server, if that's what you mean? That's not in the PR as it exists now because I wanted to solidify the plans for upstreaming the code to make sure it fit.

@aphistic
Copy link
Author

Sorry that it's taken me so long to get this out here! Holidays and other projects and stuff...

For the public API, I don't really see many changes initially because most of this is implementation and not user-interactive.

Right now the only public API change I'm proposing is to add an additional field to the ServerConfig struct to allow users to tweak the PubKey Auth Algos and remove any they don't need:

type ServerConfig struct {
	...	

	// The allowed public key auth algorithms. If unspecified then
	// a default set of algorithms is used.
	PublicKeyAuthAlgorithms []string
}

Usage would look like:

cfg := &ServerConfig {
	PublicKeyAuthAlgorithms: []string{
		KeyAlgoRSA,
		KeyAlgoDSA,
	},
}

This would allow users to enable or disable algorithms, or potentially disable this extension completely.
If PublicKeyAuthAlgorithms is nil, a default list of preferredPubKeyAuthAlgos would be used. If it's an empty slice, the server-sig-algs extension would not be sent by the server. For any other list of values, they would be compared against supportedPubKeyAuthAlgos to validate the selected algorithms against the supported ones.

I talked with my team about the potential to allow users to disable the extension negotiation completely, but we ultimately decided that since it's backward compatible it didn't make sense to include it.

The client side wouldn't have any public API changes and would either select from the server-sig-algs or, if those aren't sent, the current pubkey auth flow.

Since this is the first extension being implemented I needed to consider whether something like a map of extensions to settings in the configs would make sense, or whether using more explicit fields and concrete structs would be a better way to configure extensions. I ultimately decided it would make more sense to make them explicit fields and concrete structs to allow more flexibility (and I think better readability for users) for implementing future extensions that aren't already defined and may not fit the current set of potential values.

cc @FiloSottile since we were talking about this in Slack at one point.

DominicLavery pushed a commit to CircleCI-Public/golang-crypto that referenced this issue Jan 18, 2022
This adds support for SSH extension negotiation via SSH_MSG_EXT_INFO as defined in RFC 8308 [1]. It also adds support for the `server-sig-algs` extension on both the client and server sides.

[1] https://datatracker.ietf.org/doc/html/rfc8308

Fixes golang/go#49269

Change-Id: Iab374d1254ec83eabdb5f433b95ff39a1a540cc3
GitHub-Last-Rev: 29bf9ec
GitHub-Pull-Request: golang#197
@pete-woods
Copy link

I hate to nag on a public bug tracker, but I think a bunch of folks are hoping for this to be done before GitHub's SHA1 cutoff occurs on March 15th (https://github.blog/2021-09-01-improving-git-protocol-security-github/).

We at CircleCI are carrying your patch plus another one we yanked from somewhere else to wire in client support, as a pre-emptive measure.

Is there anything we can do to help move this towards completion?

@aphistic
Copy link
Author

Hey @pete-woods!

Right now I'm just waiting to hear back on the proposed public API before I rework the PR. There's still more work I need to do for a full client/server implementation of server-sig-algs, but since this my first PR for the package and given the sensitivity of a crypto-related package I want to be sure I'm following a good pattern before I go too far.

pete-woods pushed a commit to CircleCI-Public/golang-crypto that referenced this issue Mar 14, 2022
CL 220037 had implemented support for host authentication using
rsa-sha2-256/512, but not client public key authentication. OpenSSH
disabled the SHA-1 based ssh-rsa by default in version 8.8 (after
pre-announcing it in versions 8.2, 8.3, 8.4, 8.5, 8.6, and 8.7) although
some distributions re-enable it. GitHub will start rejecting ssh-rsa for
keys uploaded before November 2, 2021 on March 15, 2022.

https://github.blog/2021-09-01-improving-git-protocol-security-github/

The server side already worked, as long as the client selected one of
the SHA-2 algorithms, because the signature flowed freely to Verify.
There was however nothing verifying that the signature algorithm matched
the advertised one. The comment suggested the check was being performed,
but it got lost back in CL 86190043. Not a security issue because the
signature had to pass the callback's Verify method regardless, and both
values were checked to be acceptable.

Tested with OpenSSH 8.8 configured with "PubkeyAcceptedKeyTypes -ssh-rsa"
and no application-side changes.

The Signers returned by ssh/agent (when backed by an agent client)
didn't actually implement AlgorithmSigner but ParameterizedSigner, an
interface defined in an earlier version of CL 123955.

Updates golang/go#49269
Fixes golang/go#39885
For golang/go#49952

Change-Id: I13b41db8041f1112a70f106c55f077b904b12cb8
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/392394 mentions this issue: ssh: support rsa-sha2-256/512 for client authentication

gopherbot pushed a commit to golang/crypto that referenced this issue Mar 14, 2022
CL 220037 had implemented support for host authentication using
rsa-sha2-256/512, but not client public key authentication. OpenSSH
disabled the SHA-1 based ssh-rsa by default in version 8.8 (after
pre-announcing it in versions 8.2, 8.3, 8.4, 8.5, 8.6, and 8.7) although
some distributions re-enable it. GitHub will start rejecting ssh-rsa for
keys uploaded before November 2, 2021 on March 15, 2022.

https://github.blog/2021-09-01-improving-git-protocol-security-github/

The server side already worked, as long as the client selected one of
the SHA-2 algorithms, because the signature flowed freely to Verify.
There was however nothing verifying that the signature algorithm matched
the advertised one. The comment suggested the check was being performed,
but it got lost back in CL 86190043. Not a security issue because the
signature had to pass the callback's Verify method regardless, and both
values were checked to be acceptable.

Tested with OpenSSH 8.8 configured with "PubkeyAcceptedKeyTypes -ssh-rsa"
and no application-side changes.

The Signers returned by ssh/agent (when backed by an agent client)
didn't actually implement AlgorithmSigner but ParameterizedSigner, an
interface defined in an earlier version of CL 123955.

Updates golang/go#49269
Fixes golang/go#39885
For golang/go#49952

Change-Id: I13b41db8041f1112a70f106c55f077b904b12cb8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392394
Trust: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
@pete-woods
Copy link

I think this is resolved now

@FiloSottile
Copy link
Contributor

Not yet, we accept server-sig-algs on the client but we don't send it on the server yet.

@aphistic
Copy link
Author

Not yet, we accept server-sig-algs on the client but we don't send it on the server yet.

Do you have any thoughts on the public API changes I proposed? If they sound good to you I could start getting my PR updated to implement them.

@quackduck
Copy link

👋 This has been stuck for a while.

@FiloSottile do you know how long it could take to review those public API changes?

@FiloSottile
Copy link
Contributor

The API changes need this issue to be converted to a proposal. I am generally ok with them, except I wouldn't make an empty slice a way to disable the extension. Let's keep things simple and always send it.

In the meantime, I would suggest implementing the extension without an API change, with the default list. It can be as simple as this:

diff --git a/ssh/handshake.go b/ssh/handshake.go
index 653dc4d..b578cfe 100644
--- a/ssh/handshake.go
+++ b/ssh/handshake.go
@@ -615,6 +615,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
                return err
        }

+       firstKeyExchange := t.sessionID == nil
        if t.sessionID == nil {
                t.sessionID = result.H
        }
@@ -626,6 +627,13 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
        if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
                return err
        }
+
+       // If the client advertised support for RFC 8032 extensions, send a
+       // server-sig-algs extension.
+       if !isClient && firstKeyExchange && contains(serverInit.KexAlgos, "ext-info-c") {
+               // TODO
+       }
+
        if packet, err := t.conn.readPacket(); err != nil {
                return err
        } else if packet[0] != msgNewKeys {

@aphistic
Copy link
Author

aphistic commented May 6, 2022

Sounds good! I'll probably close the initial PR I opened and start a new one based on the latest code since so much has changed and the client-side is implemented now.

@owenthereal
Copy link

owenthereal commented Jun 3, 2022

👋 @aphistic @FiloSottile:

I'm following up on the progress of #49952 because it has an impact on one of my projects: #49952 (comment). This issue is the last one to tackle. I'm wondering whether there is anything that I could help to move this forward. I'm happy to propose a PR based on what is discussed here. But I want to check with you first. Cheers!

@drakkan
Copy link
Member

drakkan commented Jun 6, 2022

Hi,

take a look here, there are no api changes in this patch

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/447757 mentions this issue: ssh: support rsa-sha2-256/512 on the server side

@FiloSottile
Copy link
Contributor

https://go.dev/cl/447757 implements server-side sending of the extension, so that SHA-2-only clients will work. #56561 tracks adding the exposed APIs to configure the supported algorithms, so that SHA-1 can be turned off.

euank pushed a commit to euank/crypto that referenced this issue Nov 3, 2022
This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Nov 12, 2022
@dmitshur dmitshur modified the milestones: Go1.21, Unreleased Nov 12, 2022
maisem pushed a commit to tailscale/golang-x-crypto that referenced this issue Nov 15, 2022
This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
maisem pushed a commit to tailscale/golang-x-crypto that referenced this issue Nov 15, 2022
This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
CL 220037 had implemented support for host authentication using
rsa-sha2-256/512, but not client public key authentication. OpenSSH
disabled the SHA-1 based ssh-rsa by default in version 8.8 (after
pre-announcing it in versions 8.2, 8.3, 8.4, 8.5, 8.6, and 8.7) although
some distributions re-enable it. GitHub will start rejecting ssh-rsa for
keys uploaded before November 2, 2021 on March 15, 2022.

https://github.blog/2021-09-01-improving-git-protocol-security-github/

The server side already worked, as long as the client selected one of
the SHA-2 algorithms, because the signature flowed freely to Verify.
There was however nothing verifying that the signature algorithm matched
the advertised one. The comment suggested the check was being performed,
but it got lost back in CL 86190043. Not a security issue because the
signature had to pass the callback's Verify method regardless, and both
values were checked to be acceptable.

Tested with OpenSSH 8.8 configured with "PubkeyAcceptedKeyTypes -ssh-rsa"
and no application-side changes.

The Signers returned by ssh/agent (when backed by an agent client)
didn't actually implement AlgorithmSigner but ParameterizedSigner, an
interface defined in an earlier version of CL 123955.

Updates golang/go#49269
Fixes golang/go#39885
For golang/go#49952

Change-Id: I13b41db8041f1112a70f106c55f077b904b12cb8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392394
Trust: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
LewiGoddard added a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
CL 220037 had implemented support for host authentication using
rsa-sha2-256/512, but not client public key authentication. OpenSSH
disabled the SHA-1 based ssh-rsa by default in version 8.8 (after
pre-announcing it in versions 8.2, 8.3, 8.4, 8.5, 8.6, and 8.7) although
some distributions re-enable it. GitHub will start rejecting ssh-rsa for
keys uploaded before November 2, 2021 on March 15, 2022.

https://github.blog/2021-09-01-improving-git-protocol-security-github/

The server side already worked, as long as the client selected one of
the SHA-2 algorithms, because the signature flowed freely to Verify.
There was however nothing verifying that the signature algorithm matched
the advertised one. The comment suggested the check was being performed,
but it got lost back in CL 86190043. Not a security issue because the
signature had to pass the callback's Verify method regardless, and both
values were checked to be acceptable.

Tested with OpenSSH 8.8 configured with "PubkeyAcceptedKeyTypes -ssh-rsa"
and no application-side changes.

The Signers returned by ssh/agent (when backed by an agent client)
didn't actually implement AlgorithmSigner but ParameterizedSigner, an
interface defined in an earlier version of CL 123955.

Updates golang/go#49269
Fixes golang/go#39885
For golang/go#49952

Change-Id: I13b41db8041f1112a70f106c55f077b904b12cb8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392394
Trust: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023
This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
@golang golang locked and limited conversation to collaborators Nov 12, 2023
awly added a commit to tailscale/golang-x-crypto that referenced this issue Jan 8, 2024
* ocsp: add Response.Raw

Fixes golang/go#38340

Change-Id: I77afc901584ac3361eafa13c9ee9f8cf9ec2ee28
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/389256
Trust: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>

* acme/autocert: support External Account Binding (EAB) tokens

Support External Account Binding (EAB) tokens to the Manager as defined
in RFC 8555, Section 7.3.4. If the ExternalAccountBinding field is set
on Manager, pass it into the acme Account during registration.

Fixes golang/go#48809

Change-Id: I64c38b05ab577acbde9f526638cc8104d15ff055
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/354189
Reviewed-by: Brad Fitzpatrick <[email protected]>
Trust: Brad Fitzpatrick <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* all: gofmt

Gofmt to update doc comments to the new formatting.

For golang/go#51082.

Change-Id: I076031b6613691eefbb0f21739366e3fd2011ec9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/399356
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Russ Cox <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

* internal/wycheproof: add ECDH tests, including point decompression

Fixes golang/go#38936

Change-Id: I231d30fcc683abd9efb36b6fd9cc05f599078ade
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/396174
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* internal/wycheproof: skip truncated SHA-512 RSAPSS tests for boring

On the boringcrypto builder, skip the RSAPSS tests that use the
truncated SHA-512 hashes, since boringcrypto does not support them.

Fixes #52670

Change-Id: I8caecd0f34eb6d2740372db2b641563e3965ac7c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/404654
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* acme/autocert/internal/acmetest: don't validate in goroutine

In the test server, rather than spawning a goroutine to validate
challenges, block on the validation before responding to the client.
This prevents a test race, where testing.T.Logf is called after the
test is completed.

While this has a slight behavioral difference to some production
ACME server implementations (although is behavior allowed in the spec),
the change has little material impact on what we are testing, since
previously the validation would happen so quickly that it would be
indistinguishable from the new blocking behavior (i.e. we would not be
sending multiple requests during polling previously.)

Fixes golang/go#52170

Change-Id: I75e3b2da69ddc2302be25a99f1b1151ed0f4af9b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/405548
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* ssh/agent: fix non-RSA certificates

The type of ssh.PublicKey.Type can be a certificate type, while the
algorithm passed to SignWithAlgorithm is going to be an underlying
algorithm.

Fixes golang/go#52185

Change-Id: I0f7c46defa83d1fd64a3c1e861734650b20cca21
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/404614
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>

* acme: add AccountKeyRollover

Add support for AccountKeyRollover. API only returns an error since acme.Error
will contain appropriate KID lookup information. Due to the requirements
of double JWS encoding jwsEncodeJSON is also modified to support a
missing Nonce header and raw string embedding in the payload.

Fixes golang/go#42516

Change-Id: I959660a1a39b2c469b959accd48fda519daf4eb3
GitHub-Last-Rev: 8e8cc5b094743262939c145f56d3a3b57a057d64
GitHub-Pull-Request: golang/crypto#215
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/400274
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>

* curve25519/internal/field: update generator to avo v0.4.0

This version generates //go:build lines.

For golang/go#46155

Change-Id: I23e4617aa96bc5c15c10f3cd0882028ca08e09e8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/388874
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Tobias Klauser <[email protected]>
Auto-Submit: Tobias Klauser <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

* acme: DeactivateReg fix panic

Currently discover is not called which results in a panic if just a key
is added to an ACME client and then deactivation is attempted.
This patch adds a discover call as well as missing unit tests for the
API.

Change-Id: I0719e5376eb2fccf62182e5f91e5b5eaa7bdd518
GitHub-Last-Rev: 501d7c6c1b75a3069dcad4254b4d4a0d2ccb02c8
GitHub-Pull-Request: golang/crypto#217
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/406734
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>

* acme/autocert: properly clean DirCache paths

Don't assume the path passed into the DirCache methods is absolute, and
clean it before further operating on it. Put and Delete are not attacker
controlled, but clean them anyway.

Fixes #53082
Fixes CVE-2022-30636

Change-Id: I755f525a737da60ccba07ebce4d41cc8faebfcca
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/408694
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* curve25519: remove dependency on fmt

For golang/go#48154

Change-Id: If7e99bd1159edc2e3deeb3a4e3d8fb048bc591ab
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/348069
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>

* A+C: delete AUTHORS and CONTRIBUTORS

In 2009, Google's open-source lawyers asked us to create the AUTHORS
file to define "The Go Authors", and the CONTRIBUTORS file was in
keeping with open source best practices of the time.

Re-reviewing our repos now in 2022, the open-source lawyers are
comfortable with source control history taking the place of the
AUTHORS file, and most open source projects no longer maintain
CONTRIBUTORS files.

To ease maintenance, remove AUTHORS and CONTRIBUTORS from all repos.

For golang/go#53961.

Change-Id: Ieb32933de4f234c77f0131490d4081b6c336820c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/419094
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* internal/subtle: rename to internal/alias

This avoids an import conflict in code that needs to import
crypto/subtle as well.

CL 424194 does the same for the main repo.

Change-Id: Ic54cb62bbfdcf5c2cb6f15ac47075ee1c41981ad
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424175
Reviewed-by: Cherry Mui <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Russ Cox <[email protected]>

* acme: gofmt code with Go 1.19 gofmt

Change-Id: Ib0fd6fcfa358df2bdb820a512b73e7cdb34120f8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424174
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Russ Cox <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* cryptobyte: add ReadUint64 and AddUint64

Fixes golang/go#53481.

Change-Id: Ic00eef498d1d3b5b0ca5c9c526fac7c26de30cf2
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/421014
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Run-TryBot: hopehook <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* ssh/agent: match OpenSSH extensionAgentMsg, not IETF draft

The OpenSSH wire format just suffixes the raw extension body,
without a nested string.

Fixes golang/go#51689

Change-Id: Ic224cedb934ba0563abca9a45a6be1c67769ed6d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/412154
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Run-TryBot: hopehook <[email protected]>
Reviewed-by: Daniel Lublin <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: David Chase <[email protected]>

* internal/wycheproof: add crypto/ecdh tests

Alongside the existing ECDH tests, add tests that use the new
crypto/ecdh package. The test vectors include a number of private
that use non-standard sizes, which we reject, but aren't flagged,
so we need to skip them.

Change-Id: Iaaef225b0149a86833095f51748d230385d43bfe
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/424274
Reviewed-by: Russ Cox <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* all: replace io/ioutil with io and os package

For golang/go#45557

Change-Id: I447530cc66896aef7a8d528ccb8d095b80e3cf47
GitHub-Last-Rev: 5f385ff46487ac318bd1147cdbbd26bb0ffd0426
GitHub-Pull-Request: golang/crypto#230
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/430797
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-by: Meng Zhuo <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>

* acme/autocert: fix renewal timer issue

Block when creating the renewal timer, rather than doing it in a
goroutine. This fixes an issue where startRenew and stopRenew are called
very closely together, and due to lock ordering, stopRenew may be called
before startRenew, resulting in the appearance that the renewal timer
has been stopped before it has actually been created.

This is only an issue in tests, as that is the only place stopRenew is
actually used. In particular this issue manifests in TestGetCertiifcate
sub-tests, where a httptest server reuses a port across two of the
sub-tests. In this case, the renewal calls end up creating dirty state
for the subsequent test, which can cause confusing behavior (such as
attempting to register an account twice.)

Another solution to this problem would be introducing a bool, protected
by renewalMu, which indicates if renewal has been halted, and to check
it in startRenew to check if stopRenew has already been called, which
would allow us to continue calling startRenew in a goroutine and relying
on renewalMu locking for ordering. That said I don't see a particularly
strong reason to call startRenew concurrently, so this seems like the
simplest solution for now.

Fixes golang/go#52494

Change-Id: I95420d3fd877572a0b9e408d2f8cd353f6a4e80e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/433016
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* acme/autocert: remove TestRenewFromCache skips

Removes the skips from TestRenewFromCache and
TestRenewFromCacheAlreadyRenewed, which were added due to flakes which
may have been fixed by the renewal timer change.

Updates golang/go#51080

Change-Id: Ib953a24e610e89dfbbea450a4c257c105055ce7e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/433815
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* all: replace bytes.Compare with bytes.Equal

Change-Id: I911366b91ff2a1d02d7de202a166d876fb873142
GitHub-Last-Rev: f50e00376856fb9da36bb98ed0cdfd96c2f3b304
GitHub-Pull-Request: golang/crypto#233
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/438536
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>

* ssh: add ServerConfig.NoClientAuthCallback

It was possible to accept auth type "none" before, but not dynamically
at runtime as a function of the ConnMetadata like the other auth types'
callback hooks.

Fixes golang/go#51994

Change-Id: I83ea80901d4977d8f78523e3d1e16e0a7df5b172
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/395314
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>

* all: fix a few function names on comments

Change-Id: Iac9c8f06b874e62b56f634dede8757b87514f421
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/442135
Run-TryBot: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>

* all: use automatic RFC linking

pkgsite automatically links /RFC \d+/ to the mentioned RFC. Insert a
bunch of spaces into doc-comments for that to match.

Change-Id: I01834d7573428563f21c37e43316442e148dd8c4
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/442055
Reviewed-by: Joedian Reid <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: If840eea1cadc749ce55efd88eb7d9fc38472839e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/443996
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>

* all: use math/bits.RotateLeft

Updates golang/go#31456

Change-Id: Idf043a25632526baa190bf42ed360cb79f85e493
GitHub-Last-Rev: 59461578926a85a87cc68dac96c0b7559766b7cf
GitHub-Pull-Request: golang/crypto#195
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/356518
Auto-Submit: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

* ssh: fix typo

Change-Id: I560d7f5a62161cd88361a9fe9982d36f8e25e5af
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447475
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: Ic7c0afcece0f3d2065c7a7e08f092c4344d90655
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448755
Run-TryBot: Gopher Robot <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Jenny Rakoczy <[email protected]>

* all: remove redundant type conversion

Change-Id: Ic6b210c1e5b99eef5c6e38d96feaf40e7e6033bb
GitHub-Last-Rev: b8ecf761efe6a2eec78a805a99d778bdcdb938f9
GitHub-Pull-Request: golang/crypto#229
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/429016
Run-TryBot: Ian Lance Taylor <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>

* ssh: support rsa-sha2-256/512 on the server side

This lets clients know we support rsa-sha2-256/512 signatures from
ssh-rsa public keys. OpenSSH prefers to break the connection rather than
attempting trial and error, apparently.

We don't enable support for the "ext-info-s" because we're not
interested in any client->server extensions.

This also replaces isAcceptableAlgo which was rejecting the
rsa-sha2-256/[email protected] public key algorithms.

Tested with OpenSSH 9.1 on macOS Ventura.

Fixes golang/go#49269
Updates golang/go#49952

Co-authored-by: Nicola Murino <[email protected]>
Co-authored-by: Kristin Davidson <[email protected]>
Change-Id: I4955c3b12bb45575e9977ac657bb5805b49d00c3
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/447757
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>

* internal/wycheproof: update Go 1.20 crypto/ecdh API

For golang/go#56052

Change-Id: If34d01132e221ff525319e43d127ef14579f9054
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451095
Reviewed-by: Bryan Mills <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Run-TryBot: Joedian Reid <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* cryptobyte: add support for ReadASN1Integer into []byte

This lets us extract large integers without involving math/big.

While at it, drop some use of reflect where a type switch will do.

Change-Id: Iebe2fb2267610bf95cf9747ba1d49b5ac9e62cda
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451515
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: If72a913d54ec282d75e270409971b148df4b417c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/455436
Reviewed-by: Carlos Amedee <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* acme: eliminate arbitrary timeouts in tests

Fixes golang/go#57107.

Change-Id: I20b1f6ca85170c6b4731d7c7ea06f4db742526cc
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/456123
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Bryan Mills <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Bryan Mills <[email protected]>

* ssh: ensure that handshakeTransport goroutines have finished before Close returns

This fixes a data race in the tests for x/crypto/ssh, which expects to
be able to examine a transport's read and write counters without
locking after closing it.

(Given the number of goroutines, channels, and mutexes used in this
package, I wouldn't be surprised if other concurrency bugs remain.
I would suggest simplifying the concurrency in this package, but I
don't intend to follow up on that myself at the moment.)

Fixes golang/go#56957.

Change-Id: Ib1f1390b66707c66a3608e48f3f52483cff3c1f5
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/456758
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Bryan Mills <[email protected]>
Run-TryBot: Bryan Mills <[email protected]>

* internal/wycheproof: also use Verify in TestECDSA

Check both Verify and VerifyASN1 in the ECDSA tests.

Change-Id: Id767354484a7da18ae4e00cd6f2a01a2909e6732
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/453755
Reviewed-by: Than McIntosh <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

* bcrypt: reject passwords longer than 72 bytes

By design, bcrypt only uses the first 72 bytes of a password when
generating a hash. Most implementations, including the reference one,
simply silently ignore any trailing input when provided passwords longer
than 72 bytes. This can cause confusion for users who expect the entire
password to be used to generate the hash.

In GenerateFromPassword, reject passwords longer than 72 bytes.
CompareHashAndPassword will still accept these passwords, since we
cannot break hashes that have already been stored.

Fixes golang/go#36546

Change-Id: I039addd2a2961a7fa9d1e4a3e892a9e3c8bf4c9a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/450415
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Jason McNeil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: I25128883772569c8f729b091b0efcbc4afcbea67
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/460500
Run-TryBot: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>

* all: fix some comments

Change-Id: I11030ee466c8cac6855ce4fe2cf72e0b8d7029f8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/463796
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

* cryptobyte: reject negative Unwrite argument

Fixes golang/go#57112

Change-Id: I7a533046a6451d7ae3704eb81e6ddeec8442cf06
GitHub-Last-Rev: 3b088d95a2feca197cc4ebd1d9d34cb28008349f
GitHub-Pull-Request: golang/crypto#249
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/464338
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Emmanuel Odeke <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: If0ff32acaae5f6a717ed4d178a88f3346ecf1600
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/466736
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>

* ssh: add support for [email protected]

Change-Id: I91caf3bda3dfd00c050f5ebf23c2a35a04c5762b
GitHub-Last-Rev: 6e71340e7960b5b6f71f7b96eeeaf8dfb268e306
GitHub-Pull-Request: golang/crypto#127
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/223518
Auto-Submit: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: Ic0f0e8147eae1918612c3d1a1c1de14af0a43294
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/473439
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

* ssh: document that ParseRawPrivateKey supports Ed25519 keys

From CL 173457 and CL 235358.

Change-Id: Ia46ab9c7e2c57472df3126ddc7050f0068fcaab9
GitHub-Last-Rev: c38e379355602fe4ff11ff65f98c296d5c326281
GitHub-Pull-Request: golang/crypto#146
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/241282
Auto-Submit: Han-Wen Nienhuys <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Han-Wen Nienhuys <[email protected]>

* curve25519: use crypto/ecdh on Go 1.20

For golang/go#52221

Change-Id: I27e867d4cc89cd52c8d510f0dbab4e89b7cd4763
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/451115
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* all: fix some comments

Change-Id: Ia0410f1f3bb0a9ee68c6dbe1e6f62f65f9e00955
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/477755
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Run-TryBot: shuang cui <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: I568d040817345a10881c31b8efc296f543e59113
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/482855
Reviewed-by: Heschi Kreinick <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>

* cryptobyte: reject Object Identifiers with leading 0x80

Change-Id: Ie3a1b53e801077cd86963799e644b9783943933c
GitHub-Last-Rev: 6629bd74f1874eb9fde8e72bfb444ebf9073a1ab
GitHub-Pull-Request: golang/crypto#255
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/483955
Run-TryBot: Mateusz Poliwczak <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Ian Lance Taylor <[email protected]>

* ssh/test: skip TestValidTerminalMode on non-Bourne shells

Fixes golang/go#38037.

Change-Id: Ide77dddc9f57b3f0318a419a1474e11215623b64
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/485175
Run-TryBot: Bryan Mills <[email protected]>
Commit-Queue: Bryan Mills <[email protected]>
Auto-Submit: Bryan Mills <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* ssh: skip unsupported tests on wasip1

Updates golang/go#32840
Updates golang/go#58141

Change-Id: Ib4425c1743d417920745205586af250dbf80c7e4
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/485695
Auto-Submit: Tobias Klauser <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
Run-TryBot: Tobias Klauser <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

* ssh/test: enable on solaris

Change-Id: Icf9c867e64ef68f6f46dd7d4cec07cf7c315c2ad
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/490155
Reviewed-by: Bryan Mills <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Run-TryBot: Tobias Klauser <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Tobias Klauser <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: I1eb2365549b72cbad23fa7c355f427c6ed75e450
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/493575
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>

* Add support for "[email protected]"

Change-Id: I0203881afd7ad72e68f76650817451d7e292c91b
GitHub-Last-Rev: 42b4119e1987e7a46aa06a2b142d5fd3ef6f216a
GitHub-Pull-Request: golang/crypto#129
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/226982
Run-TryBot: Han-Wen Nienhuys <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
Auto-Submit: Han-Wen Nienhuys <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* x509roots: add new module

Adds the nss parser, under x509roots/nss, and the fallback
module/package, with the initial generated bundle.

Fixes golang/go#57792

Change-Id: Iebb1052e49126fa5baba1236f4ebc8dd8a823179
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/462036
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* go.mod: tell x repo tagging to ignore dep on net

CL 475438 introduced a cycle between net and crypto. This direction is
less important, so have the tagging process ignore it.

Change-Id: Ie424fef0238702a5a16aba79bb60f86f39dc66eb
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/502595
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: If19e251a79af033583e6968766b7a831741cebb7
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/502518
Reviewed-by: Heschi Kreinick <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>

* ssh/test: set a timeout and WaitDelay on sshd subcommands

This uses a copy of testenv.Command copied from the main repo, with
light edits to allow the testenv helpers to build with Go 1.19.

The testenv helper revealed an exec.Command leak in TestCertLogin, so
we also fix that leak and simplify server cleanup using
testing.T.Cleanup.

For golang/go#60099.
Fixes golang/go#60343.

Change-Id: I7f79fcdb559498b987ee7689972ac53b83870aaf
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/496935
Auto-Submit: Bryan Mills <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Bryan Mills <[email protected]>

* x509roots: use "generate" build tag

Since go generate sets it automatically.

Change-Id: I4623e523392140c0472b250ac99c8c3fa31e5b15
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504595
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>

* x509roots: fix generate script argument checking

Check for supply of both arguments forgot that the URL is set by
default. Instead just let the local path supersede the URL.

Change-Id: I0499137c99c735e8e453ff1c2a925435f3cd8039
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504596
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* x509roots: remove list hash and generation date, change ordering

This makes the automated update workflow simpler.

Also switch the ordering from human readable subject (which is not
necessarily unique), to the raw SPKI (which should always be unique).
This makes it somewhat harder to read to a human (since it'll appear a
little jumbled) but results in a stable sort.

Note this results in adding two new roots, which were added since we
last generated the bundle.

Change-Id: Id4d34bf9e98164e7b2fc4f06f9b46b63c0013d23
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/504597
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* ssh: add hmac-sha2-512

This adds support for hmac-sha2-512 to ensure compatibility with SSH clients that request this MAC algorithm.

This rebases https://github.com/golang/crypto/pull/18.

Change-Id: Ia103c10a8b7e2e8dde556d5c36550eb5fa6bc1f6
GitHub-Last-Rev: 987ccae2bc7ae5e90a482d8797351c39dcb9bf33
GitHub-Pull-Request: golang/crypto#257
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/501455
Reviewed-by: Dmitri Shuralyov <[email protected]>
Commit-Queue: Han-Wen Nienhuys <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
Run-TryBot: Han-Wen Nienhuys <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* x509roots/fallback: add //go:build go1.20 to bundle.go

Package fallback has no API; its only purpose is to automatically call
x509.SetFallbackRoots with a set of fallback roots. That API was added
in Go 1.20, hence the go1.20 build constraint in fallback.go.

Add that constraint to bundle.go too, so that it fails to build rather
than quietly being a no-op in Go 1.19.

Also simplify Write(fmt.Sprintf()) into fmt.Fprintf while here.

Add a temporary workaround for go.dev/issue/52287.
It has no effect on the public API in this module.

For golang/go#57792.
For golang/go#52287.

Change-Id: I1fe13f7d54b07b0b031e8bae685cffd7a8160165
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505578
Auto-Submit: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>

* x509roots: generate a stable sort, for real this time

Sort based on the stringified subject, then break ties based on the raw
DER (which will, actually, be unique this time).

Change-Id: I3dd912fb19b103e92fabfb4562e31c6dcec40614
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505695
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: Icede82501a3703fcaad524f6b91ff6e5452b4547
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507837
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* ssh: prefer sha256 based MAC algorithms

sha256 is more optimized than sha512 in Go and is secure enough
so prefer sha256 over sha512.

Fixes golang/go#61138

Change-Id: I7658808655367f1ab5f4ac8b52e6b20bd30ebf87
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507555
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

* ssh: fix RSA certificate and public key authentication with older clients

After adding support for rsa-sha2-256/512 on the server side some edge
cases started to arise with old clients:

1) public key authentication with gpg-agent < 2.2.6 fails because we
   receive ssh-rsa as signature format and rsa-sha2-256 or rsa-sha2-512
   as algorithm.
   This is a bug in gpg-agent fixed in this commit:

   https://github.com/gpg/gnupg/commit/80b775bdbb852aa4a80292c9357e5b1876110c00

2) certificate authentication fails with OpenSSH 7.2-7.7 because we
   receive [email protected] as algorithm and rsa-sha2-256
   or rsa-sha2-512 as signature format.

This patch is based on CL 412854 and has been tested with every version
of OpenSSH from 7.1 to 7.9 and OpenSSH 9.3.

Fixes golang/go#53391

Change-Id: Id71f596f73d84efb5c76d6d5388432cccad3e3b1
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506835
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* fix TestValidTerminalMode: missing output from echo SHELL $SHELL

add leading `echo` to have better compatibility

before

```
 go test -run ^TestValidTerminalMode -v
=== RUN   TestValidTerminalMode
    session_test.go:261: echo SHELL $SHELL && stty -a && exit:
        Last login: Thu Jul  6 12:24:38 2023 from 192.168.200.1
SHELL /bin/bashubuntu:~$
        speed 38400 baud; rows 80; columns 40;
        line = 0;
        intr = ^C; quit = ^\; erase = ^?;
        kill = ^U; eof = ^D; eol = <undef>;
        eol2 = <undef>; swtch = <undef>;
        start = ^Q; stop = ^S; susp = ^Z;
        rprnt = ^R; werase = ^W; lnext = ^V;
        discard = ^O; min = 1; time = 0;
        -parenb -parodd -cmspar cs8 -hupcl
        -cstopb cread -clocal -crtscts
        -ignbrk -brkint -ignpar -parmrk -inpck
        -istrip -inlcr -igncr icrnl ixon -ixoff
        -iuclc -ixany -imaxbel -iutf8
        opost -olcuc -ocrnl onlcr -onocr -onlret
        -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
        isig icanon iexten -echo echoe echok
        -echonl -noflsh -xcase -tostop -echoprt
        echoctl echoke -flusho -extproc
        logout
    session_test.go:266: missing output from echo SHELL $SHELL
```

after

```
 go test -run ^TestValidTerminalMode -v
=== RUN   TestValidTerminalMode
    session_test.go:261: echo SHELL $SHELL && stty -a && exit:
        Last login: Thu Jul  6 12:24:38 2023 from 192.168.200.1
        bolian@ubuntu:~$
        SHELL /bin/bash
        speed 38400 baud; rows 80; columns 40;
        line = 0;
        intr = ^C; quit = ^\; erase = ^?;
        kill = ^U; eof = ^D; eol = <undef>;
        eol2 = <undef>; swtch = <undef>;
        start = ^Q; stop = ^S; susp = ^Z;
        rprnt = ^R; werase = ^W; lnext = ^V;
        discard = ^O; min = 1; time = 0;
        -parenb -parodd -cmspar cs8 -hupcl
        -cstopb cread -clocal -crtscts
        -ignbrk -brkint -ignpar -parmrk -inpck
        -istrip -inlcr -igncr icrnl ixon -ixoff
        -iuclc -ixany -imaxbel -iutf8
        opost -olcuc -ocrnl onlcr -onocr -onlret
        -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
        isig icanon iexten -echo echoe echok
        -echonl -noflsh -xcase -tostop -echoprt
        echoctl echoke -flusho -extproc
        logout
--- PASS: TestValidTerminalMode (0.06s)
```

Change-Id: If60c040edb8c78a7d86bf58a6be47636d9e8f173
GitHub-Last-Rev: a2cc1b1af09e47df82fcb8685d829dfed945e8b0
GitHub-Pull-Request: golang/crypto#264
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508115
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>

* ssh: disable client agent tests on Windows

ssh-agent is implemented as a Windows service and exposed on a
named pipe. We don't currently support it.

See golang/go#60981

Change-Id: Iebdc42db30b37a87ac0766231b16aff3f17b3f56
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/509035
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* ssh: prefer sha256 based RSA key algorithms

sha256 is more optimized than sha512 in Go and is secure enough
so prefer sha256 over sha512.

Change-Id: I3fcf7457791e3ef4539e97049aa905dcd293499d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/507556
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

* internal/wycheproof: skip all tests in short test mode

The testdata for this package is around 8 MB and downloaded dynamically
via 'go mod download' from its canonical source rather than being copied
to this repository. We're moving towards disallowing all network use in
short test mode, including proxy.golang.org, so add a corresponding test
skip.

Needing to lookup a go test flag is unfortunate, but I don't know of a
less bad available option while the test does the download in TestMain.

On balance, it becomes viable to no longer disable the checksum database
since the test will only run on builders that permit internet use and so
sum.golang.org should just work.

Change-Id: Iaffe3899351da375928aaba114c4875f5438336b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/510695
Run-TryBot: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* x509roots/fallback: update bundle

This is an automated CL which updates the NSS root bundle.

Change-Id: Ic70152e674c60e48e85d96eab244add9b4fa5eb8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/512595
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* ssh: ignore invalid MACs and KEXs just like we do for ciphers

Tighter validation could cause backwards incompatibility issues, eg
configurations with valid and invalid MACs, KEXs, ciphers currently work
if a supported algorithm is negotiated and that's also the scenario of
removing support for an existing algorithm.

Fixes golang/go#39397

Change-Id: If90253ba89e1d8f732cc1e1c3d24fe0a1e2dac71
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/512175
Run-TryBot: Han-Wen Nienhuys <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* ssh: add diffie-hellman-group16-sha512 kex

This group is disabled by default because it is a bit slower than
the others.
The group18-sha512 variant is too slow to include.

Benchstat results including diffie-hellman-group18-sha512:

name                                           time/op
Kexes/diffie-hellman-group-exchange-sha256-12  22.6ms ± 9%
Kexes/diffie-hellman-group18-sha512-12          1.15s ±11%
Kexes/ecdh-sha2-nistp384-12                    3.91ms ± 6%
Kexes/ecdh-sha2-nistp256-12                     304µs ± 5%
Kexes/[email protected]           413µs ± 7%
Kexes/ecdh-sha2-nistp521-12                    11.6ms ±13%
Kexes/curve25519-sha256-12                      361µs ± 5%
Kexes/diffie-hellman-group-exchange-sha1-12    22.9ms ± 9%
Kexes/diffie-hellman-group1-sha1-12            3.59ms ± 6%
Kexes/diffie-hellman-group14-sha1-12           22.1ms ±11%
Kexes/diffie-hellman-group14-sha256-12         21.6ms ± 8%
Kexes/diffie-hellman-group16-sha512-12          138ms ± 9%

name                                           alloc/op
Kexes/diffie-hellman-group-exchange-sha256-12  67.8kB ± 1%
Kexes/diffie-hellman-group18-sha512-12          243kB ± 9%
Kexes/ecdh-sha2-nistp384-12                    13.9kB ± 0%
Kexes/ecdh-sha2-nistp256-12                    12.1kB ± 0%
Kexes/[email protected]          8.22kB ± 0%
Kexes/ecdh-sha2-nistp521-12                    16.5kB ± 0%
Kexes/curve25519-sha256-12                     8.22kB ± 0%
Kexes/diffie-hellman-group-exchange-sha1-12    67.5kB ± 0%
Kexes/diffie-hellman-group1-sha1-12            34.9kB ± 0%
Kexes/diffie-hellman-group14-sha1-12           61.9kB ± 0%
Kexes/diffie-hellman-group14-sha256-12         62.0kB ± 0%
Kexes/diffie-hellman-group16-sha512-12          117kB ± 0%

name                                           allocs/op
Kexes/diffie-hellman-group-exchange-sha256-12     314 ± 0%
Kexes/diffie-hellman-group18-sha512-12            271 ± 4%
Kexes/ecdh-sha2-nistp384-12                       243 ± 0%
Kexes/ecdh-sha2-nistp256-12                       213 ± 0%
Kexes/[email protected]             168 ± 0%
Kexes/ecdh-sha2-nistp521-12                       245 ± 0%
Kexes/curve25519-sha256-12                        168 ± 0%
Kexes/diffie-hellman-group-exchange-sha1-12       314 ± 0%
Kexes/diffie-hellman-group1-sha1-12               255 ± 0%
Kexes/diffie-hellman-group14-sha1-12              255 ± 0%
Kexes/diffie-hellman-group14-sha256-12            255 ± 0%
Kexes/diffie-hellman-group16-sha512-12            256 ± 0%

Change-Id: Id119401fda7e417675325f37e3d442e70585206c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506839
Run-TryBot: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

* ssh: fix call to Fatalf from a non-test goroutine

Also fix some redundant type declarations.

Change-Id: Iad2950b67b1ec2e2590c59393b8ad15421ed3add
GitHub-Last-Rev: 41cf552f11387208491dee7b867050475043b25e
GitHub-Pull-Request: golang/crypto#263
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/505798
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.
Once this CL is submitted, and post-submit testing succeeds on all
first-class ports across all supported Go versions, this repository
will be tagged with its next minor version.

Change-Id: Id40feba36dfc31c7033c91b952ec824a38e048ee
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/515976
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Gopher Robot <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: Ib391e4f2f09056cb025de97d5d8f2640859d9163
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525335
Run-TryBot: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

* ssh: check the declared public key algo against decoded one

This check will ensure we don't accept e.g. [email protected]
algorithm with ssh-rsa public key type.
The algorithm and public key type must be consistent: both must be
certificate algorithms, or neither.

Change-Id: I1d75074fb4d6db3a8796408e98ddffe577a96ab1
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506836
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>

* ssh: support for marshaling keys using the OpenSSH format

This adds methods to marshal private keys, encrypted and unencrypted
to the OpenSSH format.

Fixes golang/go#37132

Change-Id: I1a95301f789ce04858e6b147748c6e8b7700384b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/218620
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* cryptobyte: add uint48 methods

Adds uint48 methods for cryptobyte.Builder and cryptobyte.String.
Supporting 48-bit unsigned integers is useful for working with protocols
that use them for sequence numbers, such as DTLS.

Fixes golang/go#61275

Change-Id: Ibe49422d37644b9212b28b123dc5e01850f7b05b
GitHub-Last-Rev: 11b388c240109c8f4ac23880645c901ce6d2f093
GitHub-Pull-Request: golang/crypto#265
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508675
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Reviewed-by: qiulaidongfeng <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

* sha3: have ShakeHash extend hash.Hash

Package sha3 recommends the SHAKE functions for new uses, but this is
currently somewhat inconvenient because ShakeHash does not implement
hash.Hash. This is understandable, as SHAKE supports arbitrary-length
outputs whereas hash.Hash only supports fixed-length outputs. But
there's a natural fixed-length output to provide: the minimum output
that still provides SHAKE's full-strength generic security.

While here, tweak Sum so that its temporary buffer can be stack
allocated.

Also, tweak the panic message in Write so that the error text is more
readily understandable to Go programmers without needing to be
familiar with crypto jargon, and add a similar check in Sum.

Change-Id: Icf037d3990a71de5630f8825606614443f8c5245
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/526937
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
Auto-Submit: Matthew Dempsky <[email protected]>

* ssh: add MultiAlgorithmSigner

MultiAlgorithmSigner allows to restrict client-side, server-side and
certificate signing algorithms.

Fixes golang/go#52132
Fixes golang/go#36261

Change-Id: I295092f1bba647327aaaf294f110e9157d294159
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508398
Reviewed-by: Filippo Valsorda <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>

* ssh: add test cases for compatibility with old (buggy) clients

Improved test cases for CL 506835.

Change-Id: If4a98ae4a7b39d2e59b203d10080b71283e1a80e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525735
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>

* all: use crypto/ed25519 instead of golang.org/x/crypto/ed25519

This is a follow-up to CL 317169, which dropped go1.12 compatibility,
and made the golang.org/x/crypto/ed25519 package an alias / wrapper for
crypto/ed25519 in stdlib.

This patch updates uses within this repository to use stdlib instead of
depending on the wrapper. With this patch applied, the only remaining
use of the wrapper is in ed25519_test, which appears to be in place to
verify compatibility of the wrapper itself.

Change-Id: I0195396102a75ae20bdd82ca8ab59855c0eb5cea
GitHub-Last-Rev: 24dbec563cbd84bc47bdc7736b0245fc83dd3353
GitHub-Pull-Request: golang/crypto#238
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448238
Reviewed-by: Bryan Mills <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>

* chacha20: drop Go 1.10 compatibility for arm64

Other packages already dropped compatibility with go < 1.12, so it should be safe to remove it for this package as well.

Change-Id: Ib1424763e3aa94d0187a667ebee058100136f53b
GitHub-Last-Rev: 51df9690a5f37ba50d5ae5e84cf31b78fb6c5cd8
GitHub-Pull-Request: golang/crypto#241
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448241
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>

* ssh: add server side support for [email protected] protocol extension

Fixes golang/go#62390

Change-Id: Ie4dc577fb55b45a0c26a9e2dc5903af2bd382e00
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/524775
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

* go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: Ib80d50bdd762d1ba04f9267aeddc17272ef8cd66
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/532976
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>

* ssh: add support for SSH_AGENT_CONSTRAIN_EXTENSION with id 255

it was changed in the following draft

https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-03

The id 3 is now used for SSH_AGENT_CONSTRAIN_MAXSIGN key constraint,
an OpenSSH extension to the protocol that we do not currently support.
Instead, we added a compatibility layer for
SSH_AGENT_CONSTRAIN_EXTENSION with ID 3.

Fixes golang/go#62311

Change-Id: I421aee92aee9e693e43f66e6a5515c055333cb9b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525355
Reviewed-by: Matthew Dempsky <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>

* all: update go directive to 1.18

Done with:

go get [email protected]
go mod tidy
go fix ./...

Using go1.21.3.

Also update avo to v0.5.0 in the curve25519/internal/field/_asm module.
It's newer and produces no diff in the generated code.

For golang/go#60268.

Change-Id: I9bd771ee8561595d7f68aaca76df6e3e33d35013
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/534141
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

* x509roots: check HTTP response status code and media type

The HTTP response status code is expected to be 200 OK, and
the certdata.txt file media type is expected to be plain text.
Check that it is before proceeding with parsing it.

Might help avoid repeats of CL 535735.

Change-Id: I1a7896b3e20d33a23fdc53c572ae9700c9eae1ef
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/536717
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* x509roots: catch the zero-roots case when generating the bundle

If the parser returns zero roots, don't attempt to completely remove
the bundle. This may happen if, i.e., the HTTP response is 200 but has
no content. An example of this may be http://go.dev/cl/535735.

Change-Id: I81fc2b49c8ec813cca17fd1c807296bfb053d992
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/536136
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>

* ssh: add test case against ssh CLI

These tests try to ensure better compatibility of our server implementation
with the ssh CLI.

With these tests in place:

1) before merging CL 447757 we would have noticed that our server
   implementation was broken with OpenSSH 8.8+
2) after merging CL 447757 we would have noticed that our server
   implementation was broken with OpenSSH 7.2-7.7

The ssh CLI from $PATH is used by default, but can be overridden using
the SSH_CLI_PATH environment variable.

Change-Id: I93d64be41c7613132b0364afac8397f57c2dcbca
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506837
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Benny Siegert <[email protected]>
Reviewed-by: Han-Wen Nienhuys <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>

* crypto/hkdf: remove useless call to Reset

HKDF is commonly used to read keys that are the the same length (or
smaller) than the size of the hash digest, which means the loop inside
Read only runs once.

In that case, calling Reset is unnecesssary overhead.

name                  old time/op    new time/op    delta
16ByteMD5Single-8       1.39µs ± 1%    1.22µs ± 0%  -11.95%  (p=0.000 n=10+9)
20ByteSHA1Single-8       826ns ± 0%     746ns ± 0%   -9.70%  (p=0.000 n=9+10)
32ByteSHA256Single-8     838ns ± 1%     744ns ± 0%  -11.29%  (p=0.000 n=10+10)
64ByteSHA512Single-8    5.12µs ± 0%    4.57µs ± 0%  -10.78%  (p=0.000 n=8+10)
8ByteMD5Stream-8         137ns ± 0%     138ns ± 0%   +0.27%  (p=0.009 n=9+6)
16ByteMD5Stream-8        264ns ± 0%     265ns ± 0%   +0.29%  (p=0.000 n=10+10)
8ByteSHA1Stream-8       64.1ns ± 0%    64.4ns ± 0%   +0.60%  (p=0.000 n=9+9)
20ByteSHA1Stream-8       145ns ± 0%     146ns ± 1%   +0.69%  (p=0.000 n=9+10)
8ByteSHA256Stream-8     42.9ns ± 1%    43.1ns ± 0%   +0.48%  (p=0.005 n=10+10)
32ByteSHA256Stream-8     151ns ± 0%     152ns ± 0%   +0.35%  (p=0.006 n=10+8)
8ByteSHA512Stream-8      139ns ± 0%     139ns ± 0%   +0.08%  (p=0.035 n=9+10)
64ByteSHA512Stream-8    1.07µs ± 0%    1.07µs ± 0%   +0.33%  (p=0.000 n=9+10)

name                  old speed      new speed      delta
16ByteMD5Single-8     11.6MB/s ± 0%  13.1MB/s ± 0%  +13.50%  (p=0.000 n=9+9)
20ByteSHA1Single-8    24.2MB/s ± 0%  26.8MB/s ± 0%  +10.75%  (p=0.000 n=9+10)
32ByteSHA256Single-8  38.2MB/s ± 1%  43.0MB/s ± 0%  +12.72%  (p=0.000 n=10+10)
64ByteSHA512Single-8  12.5MB/s ± 0%  14.0MB/s ± 0%  +12.06%  (p=0.000 n=8+10)
8ByteMD5Stream-8      58.2MB/s ± 0%  58.1MB/s ± 0%   -0.27%  (p=0.004 n=9+9)
16ByteMD5Stream-8     60.6MB/s ± 0%  60.5MB/s ± 0%   -0.27%  (p=0.000 n=9+10)
8ByteSHA1Stream-8      125MB/s ± 0%   124MB/s ± 0%   -0.59%  (p=0.000 n=9+9)
20ByteSHA1Stream-8     138MB/s ± 0%   137MB/s ± 1%   -0.69%  (p=0.000 n=9+10)
8ByteSHA256Stream-8    186MB/s ± 1%   185MB/s ± 0%   -0.47%  (p=0.005 n=10+10)
32ByteSHA256Stream-8   211MB/s …
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Development

Successfully merging a pull request may close this issue.